Welcome to OWASP AppSec 2018 USA we look forward to seeing you in San Jose, CA


Thursday, October 11


The Anatomy of a Secure Web Application in Java Using Spring Security and Apache Fortress
The Jakarta EE architecture provides the necessary enablement, but most developers do not have the time or the training to take full advantage of what it has to offer. This technical session describes and demos an end-to-end application security architecture for an Apache Wicket web app running in Tomcat. It includes practical, hands-on guidance on properly implementing authentication, authorization, and confidentiality controls using Java, Spring and Apache Fortress. In addition to finding out where the security controls must be placed and why, attendees will be provided with code they can use to kick-start their own highly secure Java web applications using Apache products and a few tricks.


Shawn McKinney

Software Architect, Symas
Over twenty-five years as a software developer and architect. Most of that time specializing in software security. Started an open source project called Fortress.

John Tumminaro

VP Technology, GlobalLogic
Passionate Enterprise & Security Architect. Experience/Roles include CTO, Chief Architect, Enterprise Architect, Security Architect & Solution Architect. Areas of specialty include: Transactional/BigData Systems, Integration, Performance/Scale/Resilience, Global Deployment, Cloud...

Thursday October 11, 2018 1:30pm - 2:05pm
  • Track 3


Are we using the Java Crypto API securely?
Do you feel cryptographic libraries are just thrown over the fence for us developers and security professionals to understand, and pray they are used securely? The Java Cryptography Architecture is one such widely used library, laden with ambiguous documentation, an over-abundance of algorithmic and key material choices, insecure defaults, and poor architectural choices. All of these collectively make it highly probable that an unfortunate choice will be made, landing us with a flawed cryptographic system.
In this session, learn how to securely use each of the Java Cryptography Architecture's primitives (random number generators, encryption/decryption algorithms, HMACs, digital signatures, etc.) using real-world code examples to highlight areas that require careful attention and difficult choices. Examine both good and flawed implementations, and learn how to spot mistakes. Then learn how to future-proof the crypto in your applications.


Mansi Sheth

Principal Security Researcher, CA Veracode
Mansi Sheth is a Principal Security Researcher at CA Veracode Inc. In her career, she has been involved with breaking, defending and building secure applications. Mansi researches various languages and technologies, finding insecure usages in customer code and suggests automation...

Thursday October 11, 2018 4:15pm - 4:50pm
  • Track 3
Friday, October 12


Deserialization: what, how and why [not]
Insecure deserialization was recently added to OWASP's list of the top 10 most critical web application security risks, yet it is by no means a new vulnerability category. For years, data serialization and deserialization have been used in applications, services and frameworks, with many programming languages supporting them natively. Deserialization has received more attention recently as a potential vehicle for several types of attacks: data tampering, authentication bypass, privilege escalation, various injections and, ultimately, remote code execution. Two prominent vulnerabilities in Apache Commons and Apache Struts, both allowing remote code execution, also contributed to raising awareness of this risk.

We will discuss how data serialization and deserialization are used in software, the dangers of deserializing untrusted input, and how to avoid insecure deserialization vulnerabilities. The presentation will contain several code examples with live demos of bypassing security controls due to incorrect deserialization. The examples and demos will use Java and its native serialization, but the techniques can be extrapolated to other languages and formats.


Alexei Kojenov

Lead Product Security Engineer, Salesforce
Alexei began his career as a software developer. A decade later, he realized that breaking code was way more fun than writing code, and decided to switch direction. He is now a full-time application security professional, with several years of assisting various development teams in...

Friday October 12, 2018 11:45am - 12:20pm
  • Track 3