Welcome to OWASP AppSec 2018 USA we look forward to seeing you in San Jose, CA

Sign up or log in to bookmark your favorites and sync them to your phone or calendar.

Regency Ballroom 1 [clear filter]
Thursday, October 11


Domino's Delivery of a Faster Response was No Standard Order
Come listen to Domino's Pizza share how they transformed a complex, multi-ticket, time-consuming process into an Automated Application Security Engagement workflow. Using deep knowledge of Atlassian tools, a little ingenuity, and a lot of ITSM, a great partner in Forty8Fifty Labs, Security Enablement approach and DevOps best practices, Domino's Information Security Team responds faster than ever.

avatar for Michael Sheppard

Michael Sheppard

Application Security Manager, Dominos
Mr. Michael Sheppard is a seasoned Application Security and Secure Software Development professional with over 10 years experience reducing business risk throughout the Development Lifecycle. He expertise's in building out complex, comprehensive, cobust, continuous Application Security... Read More →

Thursday October 11, 2018 10:15am - 10:50am
Regency 1


Teach a man how to fish
So you were asked by a few devops teams to make them more secure. So you pick up their assets, review them and help them forward. But after that, when you leave them behind, more vulnerabilities get introduced. The question is: did your hacks bring long term value? Did you help them to get sustainable? Probably not. So how can you help them on the long term? How can you teach them how to fish instead of feed them?

Join us for a journey in how you can help teams to become sustainable in security when devops and agile are applied. We will start our journey with an assessment, then go through training the SRE, Devops and security teams, after we coach people to make better decisions. In the mean time we can do some sightseeing in automation, agile risk management and some darker pitfalls we fell for more than once.

avatar for Jeroen Willemsen

Jeroen Willemsen

Principal Security Architect, Xebia
Jeroen Willemsen is a Principal Security Architect at Xebia. With a love for mobile security, he recently became one of the projectleaders for the OMTG project (MASV & MSTG). Jeroen is more or less a jack of all trades with interest in infrastructure security, risk management and... Read More →

Thursday October 11, 2018 11:00am - 11:35am
Regency 1
  • NEW FIELD 1 Track 1


Identity Theft: Attacks on SSO Systems
SAML is often the trust anchor for Single Sign-On (SSO) in most modern day organizations. This presentation will discuss a new vulnerability discovered which has affected multiple independent SAML implementations, and more generally, can affect any systems reliant on the security of XML signatures. The issues found through this research affected multiple libraries, which in turn may underpin many SSO systems.

The root cause of this issue is due to the way various SAML implementations traverse the XML DOM after validating signatures. These vulnerabilities allow an attacker to tamper with signed XML documents, modifying attributes such as an authenticating user, without invalidating the signatures over these attributes. In many cases, this allows an attacker with authenticated access to a SAML Identity Provider to access services as an entirely different user - and more easily than you’d expect.

This talk will also discuss another demonstrated class of vulnerabilities in user directories that amplify the impact of the previously mentioned vulnerability, and in some cases, can enable authentication bypasses on their own.

avatar for Kelby Ludwig

Kelby Ludwig

Principal AppSec Engineer, Duo

Thursday October 11, 2018 11:45am - 12:20pm
Regency 1
  • NEW FIELD 1 Track 1


My journey through building an advanced bot detection product
Bot activity represents a significant part of the overall Internet traffic. In the past, bots were concentrating on scraping content from ecommerce sites but in more recent years, bots are also being used to conduct fraudulent activity such as account checking, automated account creation, gift card or loyalty point theft.

As a web security product architect, my focus over the last 5 years has been to design and develop a comprehensive product that can detect and classify bots to protect the largest ecommerce and finance web site from the most sophisticated bots. Because taking over an account or stealing gift cards is lucrative, bot operators that focus on fraud are by far the most sophisticated, knowledgeable and motivated and as such, the most challenging to defend against. In this talk, I will discuss my journey through the product development life cycle and provide some insight into:

- The different type of bots I’ve come across

- The detection techniques developed over time

- How bot operators typically react (war stories from the trenches)

- The difficult challenge of accuracy

Detecting fraud for an organization is crucial but can also be a significant engineering effort. However, combining home-grown detection methods, commercial bot detection products, and good web design practices can dramatically reduce or eliminate the attack surface and discourage the attacker.

avatar for David Senecal

David Senecal

Product Architect, Akamai Technologies
15 years of Network technology, web performance and web security support and consulting background from 50+ large scale projects for Global 1000 companies as well as start-up companies. Proven ability to conceive, develop, deploy and operate complex systems and applications.- Large... Read More →

Thursday October 11, 2018 1:30pm - 2:05pm
Regency 1
  • NEW FIELD 1 Track 1


Empowering the Employee: Incident Response with a Security Bot
As organizations scale, it can become increasingly difficult for a small security team to process the large volumes of alerts. In addition, the employee who triggered the alert frequently has the most context as to what transpired. At our organization, we use a Slack bot to engage employees after suspicious activity. Involving employees has the dual benefit of raising company-wide security awareness and lightening the load on our security team. Employees also give us valuable insight into why an alert was triggered, so we can take the appropriate action as quickly as possible. We’re here to share some of the lessons learned after using this system for one year. 

avatar for Jeremy Krach

Jeremy Krach

Software Engineer, Pinterest

Thursday October 11, 2018 2:15pm - 2:50pm
Regency 1
  • NEW FIELD 1 Track 1


Defense in depth with semantic static analysis
Facebook employs a defense-in-depth approach to product security; we use a range of preventative and detection-based approaches to help ensure that our Hack/PHP codebase and its myriad backend services behave as intended. In this context, ‘preventative’ might refer to secure-by-default libraries for doing privacy-aware data fetching. ‘Detection’ might refer to the manual review by a security engineer, automated static analysis before the code is employed in production, runtime detection (e.g. Invariant Detector), or our bug bounty program.

In this talk, I will discuss a static analyzer that we built to surface potential security and privacy issues in the facebook.com codebase. We have developed a bottom-up, inter-procedural, abstract interpreter that focuses on security issues that are difficult to prevent using the type system (i.e., Hack) or secure libraries and frameworks. We designed the tool based on guidance from Facebook’s security engineering teams. When a new class of vulnerabilities is discovered, we evaluate whether it is amenable to static analysis. If that is the case, we prototype the new rule, refine it based on feedback from security engineers, and then evaluate the rule against the whole codebase. In some cases, we are able to generate a patch automatically. Concurrently, we run this tool on every code change, thus preventing the reintroduction of this type of issue.

I will also describe some of the advances in the static analysis that enable the tool to scale to thousands of changes per day in a codebase that measures tens of millions of lines of code with a very low ratio of false positives. 

avatar for Francesco Logozzo

Francesco Logozzo

Software Engineer, Facebook
I am a static analysis junkie. I wrote static analyzers for Facebook and Microsoft, published Academic papers full of Greek symbols, and gave keynote speeches at major conferences.I am also a theoretical and experimental cyclist.

Thursday October 11, 2018 3:30pm - 4:05pm
Regency 1
  • NEW FIELD 1 Track 1


How to get the best AppSec test of your life
The Internet is full of advice on delivering a better pen test. That’s great but what if you are the one arranging or receiving the test? In this talk, I want to use my experience of scoping and delivering these tests (as well as feedback from test recipients) to suggest ideas on how to get the best value from AppSec tests. I will talk about how you can "hack your test" to better tailor it to your needs, how you can be best prepared for a smooth test and how you can make sure the report is focused and actionable.

Defenders/builders will hopefully leave this talk with ideas that you can apply today, tomorrow and in the future to ensure that AppSec tests aren’t just a compliance tick-box but rather deliver real value and make an application more secure. Breakers will hopefully leave this talk wondering whether you are ready to provide this level of value added application test. 

avatar for Josh Grossman

Josh Grossman

Team Leader and Senior Consultant, Comsec Group
Josh has worked as a consultant in IT Security and Risk for over a decade and also as a Software Developer. He currently works as a Team Leader in Comsec Group's Application Security division where he leads and delivers web and mobile application security tests with the aim of not... Read More →

Thursday October 11, 2018 4:15pm - 4:50pm
Regency 1
  • NEW FIELD 1 Track 1
Friday, October 12


Better Deserialization Vulnerability Remediation with Automated Gadget Chain Discovery
Although vulnerabilities stemming from the deserialization of untrusted data have been understood for many years, unsafe deserialization continues to be a vulnerability class that isn't going away. Attention on Java deserialization vulnerabilities skyrocketed in 2015 when Frohoff and Lawrence published an RCE gadget chain in the Apache Commons library and as recently as last year's Black Hat Muñoz and Miroshis presented a survey of dangerous JSON deserialization libraries. While much research and automated detection technology has so far focused on the discovery of vulnerable entry points (i.e. code that deserializes untrusted data), finding a "gadget chain" to actually make the vulnerability exploitable has thus far been a largely manual exercise. In this talk I present a new technique for the automated discovery of deserialization gadget chains in Java, allowing defensive teams to quickly identify the significance of a deserialization vulnerability. This allows developers to properly prioritize remediation and weigh the tradeoff of potential exploits against refactoring an application's entire RPC mechanism. In this talk I will also present a FOSS toolkit developed to utilize this methodology and which has already been used to evaluate deserialization vulnerabilities in both internal applications and open source projects. 

avatar for Ian Haken

Ian Haken

Senior Security Software Engineer, Netflix
I'm a senior security software engineer at Netflix where I work on the platform security team to develop tools and services that defend the Netflix platform. Before working at Netflix, I spent two years as security researcher at Coverity where I developed defensive application security... Read More →

Friday October 12, 2018 10:15am - 10:50am
Regency 1
  • NEW FIELD 1 Track 1


Serverless Infections: Malware Just Found a New Home
We are seeing more and more organizations leverage the advantages introduced by serverless computing. But what does serverless computing entail when it comes to security? With no dedicated server, is the security risk higher or lower? Can malware live inside the code? These are critical questions every organization shifting to a serverless environment should be asking.

Our research team took on the challenge of implementing the first-ever RCE (Remote Code Execution) attack in a serverless environment that is both stored and viral. Using Amazon’s Lambda as the first test subject, we were able to build a PoC which showed how information extraction and exfiltration is done. We also demonstrated how the payload persists and can be injected into other non-vulnerable functions. We then went ahead and tested to see if the same would work on Azure and Google Cloud. Curious to know the outcome? The findings will be presented in our session along with best practices and tips for ensuring security prevails in a serverless environment.

Those who will join this talk will:

- Understand the architecture and advantages of a serverless computing environment

- Learn the security challenges entailed in working in a serverless environment

- View a live demo on how data is infiltrated, infected, and exfiltrated in a serverless environment

- See how we built self-duplicating attacks that survive persistently within the code

- Watch as the attack is executed on platforms running on serverless environments

avatar for Erez Yalon

Erez Yalon

Director of Security Research, Checkmarx

Friday October 12, 2018 11:00am - 11:35am
Regency 1
  • NEW FIELD 1 Track 1


Are You Trading Stocks Securely? Exposing Security Flaws in Trading Technologies
With the advent of electronic trading platforms and networks, the exchange of financial securities now is easier and faster than ever; but this comes with inherent risks. Nowadays not only rich people can invest in the money markets, but also anyone with as little as $10 could start trading stocks from either a website, a desktop application or a mobile phone

The problem is that this area of the fintech industry has not been fully under the cybersecurity umbrella. Sometimes we assume that a product is secure by its nature, such as technologies that are used to trade hundreds of billions per day, but security testing tells us a different story.

In this talk, vulnerabilities that affect millions of traders will be shown in detail. Among them are unencrypted authentication, communications, passwords and trading data; remote DoS that leave the applications useless, weak password policies, hardcoded secrets, poor session management, etc. Also, many of these applications lack of countermeasures such as SSL certificate validation and root detection in mobile apps, privacy mode to mask sensitive values, anti-exploitation and anti-reversing mitigations

Moreover, the risk of social trading will be discussed too as well as how malicious expert advisors (trading robots) and other plugins could include backdoors or hostile code that would be hard to spot for non-tech-savvy traders.

The analysis encompassed the following platforms, which are some of the most used ones:
- 30 Websites (7 focused on cryptocurrencies)
- 17 Desktop applications
- 34 Mobile apps

Finally, the gap between the security in online banking vs trading technologies will be clearly observed. There's still a long way to go to improve the security of the trading ecosystem, but the wheel is already invented and common security countermeasures could be applied.

avatar for Alejandro Hernandez

Alejandro Hernandez

Sr. Consultant, IOActive
Alejandro Hernandez is a security consultant who works for IOActive, where he has had the chance to work in companies in different countries including Mexico, South Africa, Germany, China, Netherlands, United States, South Corea and England. As a research enthusiast, he had the... Read More →

Friday October 12, 2018 11:45am - 12:20pm
Regency 1
  • NEW FIELD 1 Track 1


Breaking fraud & bot detection solutions
Browser fingerprinting and user behavior tracking are powerful techniques used by most fraud and bot detection solutions. These are implemented via JavaScript snippets running in the user browser. In this presentation, we’ll demystify the signals these snippets collect and describe why these signals are unreliable. Using a realistic threat model, we’ll describe various attacks against defenses relying on these signals. Finally, we'll share war stories of architectural and implementation flaws we found in real world deployments.

avatar for Mayank Dhiman

Mayank Dhiman

Security Engineer, Dropbox
Mayank is a security researcher with an extensive background in network security, fraud/abuse prevention, threat intelligence and authentication. His research on browser fingerprinting and passive network fingerprinting has helped build rule-based systems and ML models to tackle fraud... Read More →

Friday October 12, 2018 1:30pm - 2:05pm
Regency 1
  • NEW FIELD 1 Track 1


Flying Above the Clouds: Securing Kubernetes
Cloud-native architectures built using Kubernetes are composed of containerized microservices managed by an orchestration system. They are distributed systems that run on top of the cloud (or sometimes physical) infrastructure and abstract away details of platform integrations in order to promote portability. Automation, scalability, and resiliency are all important properties of cloud-native systems and all factor into design choices. Security touches every aspect of the architecture, at the application, container, orchestration, and cloud infrastructure layers.

In this presentation, we will explore the Kubernetes attack surface and present methods to keep your cloud-native systems resilient to attack. Building a secure architecture requires carefully considering authentication, authorization, network segmentation, storage, and logging/auditing. There are some no-brainer security controls to take advantage of for quick wins, while others require careful consideration and design-level choices. We will demonstrate how container runtime security factors into the equation as well as what we need to consider in our underlying cloud infrastructure. Microservice security will be discussed along with steps we can take to deploy secure services and meshes.

Our goal is to keep our engineers moving fast, but securely. At the end of the presentation, you’ll understand the cloud-native attack surface and how to approach building a hardened infrastructure and deploy secure services with Kubernetes.

avatar for Jack Mannino

Jack Mannino

CEO, nVisium
Jack Mannino is the CEO of nVisium. Passionate about security and impossible to keep away from a keyboard, his expertise spans over 15 years of building, breaking, and securing software. Jack founded nVisium in 2009, and since then has helped the world's largest software teams enhance... Read More →

Friday October 12, 2018 2:15pm - 2:50pm
Regency 1
  • NEW FIELD 1 Track 1