Welcome to OWASP AppSec 2018 USA. We look forward to seeing you in San Jose, CA.


Regency Ballroom 1
Thursday, October 11
 

10:15am

Domino's Delivery of a Faster Response was No Standard Order
Come listen to Domino's Pizza share how they transformed a complex, multi-ticket, time-consuming process into an automated Application Security Engagement workflow. Using deep knowledge of Atlassian tools, a little ingenuity, a lot of ITSM, a great partner in Forty8Fifty Labs, a Security Enablement approach and DevOps best practices, Domino's Information Security Team responds faster than ever.

Speakers

Michael Sheppard

Application Security Manager, Domino's
Mr. Michael Sheppard is a seasoned Application Security and Secure Software Development professional with over 10 years of experience reducing business risk throughout the Development Lifecycle. His expertise is in building out complex, comprehensive, robust, continuous Application Security...


Thursday October 11, 2018 10:15am - 10:50am
Regency 1

11:00am

Teach a man how to fish
So you were asked by a few DevOps teams to make them more secure. You pick up their assets, review them and help them move forward. But after you leave them behind, more vulnerabilities get introduced. The question is: did your hacks bring long-term value? Did you help them become sustainable? Probably not. So how can you help them in the long term? How can you teach them how to fish instead of feeding them?

Join us for a journey in how you can help teams become sustainable in security when DevOps and agile are applied. We will start our journey with an assessment, then go through training the SRE, DevOps and security teams, after which we coach people to make better decisions. In the meantime we can do some sightseeing in automation, agile risk management and some darker pitfalls we fell for more than once.

Speakers

Jeroen Willemsen

Principal Security Architect, Xebia
Jeroen Willemsen is a Principal Security Architect at Xebia. With a love for mobile security, he recently became one of the project leaders for the OMTG project (MASVS & MSTG). Jeroen is more or less a jack of all trades with interest in infrastructure security, risk management and...


Thursday October 11, 2018 11:00am - 11:35am
Regency 1
  • Track 1

1:30pm

My journey through building an advanced bot detection product
Bot activity represents a significant part of overall Internet traffic. In the past, bots concentrated on scraping content from e-commerce sites, but in more recent years bots are also being used to conduct fraudulent activity such as account checking, automated account creation, and gift card or loyalty point theft.

As a web security product architect, my focus over the last 5 years has been to design and develop a comprehensive product that can detect and classify bots to protect the largest e-commerce and finance web sites from the most sophisticated bots. Because taking over an account or stealing gift cards is lucrative, bot operators that focus on fraud are by far the most sophisticated, knowledgeable and motivated and, as such, the most challenging to defend against. In this talk, I will discuss my journey through the product development life cycle and provide some insight into:

- The different types of bots I’ve come across

- The detection techniques developed over time

- How bot operators typically react (war stories from the trenches)

- The difficult challenge of accuracy

Detecting fraud is crucial for an organization but can also be a significant engineering effort. However, combining home-grown detection methods, commercial bot detection products, and good web design practices can dramatically reduce or eliminate the attack surface and discourage the attacker.

Speakers

David Senecal

Product Architect, Akamai Technologies
15 years of network technology, web performance and web security support and consulting background from 50+ large-scale projects for Global 1000 companies as well as start-up companies. Proven ability to conceive, develop, deploy and operate complex systems and applications. - Large...


Thursday October 11, 2018 1:30pm - 2:05pm
Regency 1
  • Track 1

2:15pm

Empowering the Employee: Incident Response with a Security Bot
As organizations scale, it can become increasingly difficult for a small security team to process the large volumes of alerts. In addition, the employee who triggered the alert frequently has the most context as to what transpired. At our organization, we use a Slack bot to engage employees after suspicious activity. Involving employees has the dual benefit of raising company-wide security awareness and lightening the load on our security team. Employees also give us valuable insight into why an alert was triggered, so we can take the appropriate action as quickly as possible. We’re here to share some of the lessons learned after using this system for one year. 

Speakers

Jeremy Krach

Software Engineer, Pinterest


Thursday October 11, 2018 2:15pm - 2:50pm
Regency 1
  • Track 1

4:15pm

How to get the best AppSec test of your life
The Internet is full of advice on delivering a better pen test. That’s great, but what if you are the one arranging or receiving the test? In this talk, I want to use my experience of scoping and delivering these tests (as well as feedback from test recipients) to suggest ideas on how to get the best value from AppSec tests. I will talk about how you can "hack your test" to better tailor it to your needs, how you can be best prepared for a smooth test, and how you can make sure the report is focused and actionable.

Defenders/builders will hopefully leave this talk with ideas that you can apply today, tomorrow and in the future to ensure that AppSec tests aren’t just a compliance tick-box but rather deliver real value and make an application more secure. Breakers will hopefully leave this talk wondering whether you are ready to provide this level of value-added application test.

Speakers

Josh Grossman

Team Leader and Senior Consultant, Comsec Group
Josh has worked as a consultant in IT Security and Risk for over a decade and also as a Software Developer. He currently works as a Team Leader in Comsec Group's Application Security division where he leads and delivers web and mobile application security tests with the aim of not...


Thursday October 11, 2018 4:15pm - 4:50pm
Regency 1
  • Track 1
 
Friday, October 12
 

11:00am

Serverless Infections: Malware Just Found a New Home
We are seeing more and more organizations leverage the advantages introduced by serverless computing. But what does serverless computing entail when it comes to security? With no dedicated server, is the security risk higher or lower? Can malware live inside the code? These are critical questions every organization shifting to a serverless environment should be asking.

Our research team took on the challenge of implementing the first-ever RCE (Remote Code Execution) attack in a serverless environment that is both stored and viral. Using Amazon’s Lambda as the first test subject, we were able to build a PoC which showed how information extraction and exfiltration is done. We also demonstrated how the payload persists and can be injected into other, non-vulnerable functions. We then went ahead and tested whether the same would work on Azure and Google Cloud. Curious to know the outcome? The findings will be presented in our session along with best practices and tips for ensuring security prevails in a serverless environment.

Those who join this talk will:

- Understand the architecture and advantages of a serverless computing environment

- Learn the security challenges entailed in working in a serverless environment

- View a live demo on how data is infiltrated, infected, and exfiltrated in a serverless environment

- See how we built self-duplicating attacks that survive persistently within the code

- Watch as the attack is executed on platforms running on serverless environments

Speakers

Erez Yalon

AppSec Research Group Manager, Checkmarx


Friday October 12, 2018 11:00am - 11:35am
Regency 1
  • Track 1

11:45am

Are You Trading Stocks Securely? Exposing Security Flaws in Trading Technologies
With the advent of electronic trading platforms and networks, the exchange of financial securities is now easier and faster than ever, but this comes with inherent risks. Nowadays, not only rich people can invest in the money markets; anyone with as little as $10 can start trading stocks from a website, a desktop application or a mobile phone.

The problem is that this area of the fintech industry has not been fully under the cybersecurity umbrella. Sometimes we assume that a product is secure by its nature, such as technologies that are used to trade hundreds of billions per day, but security testing tells a different story.

In this talk, vulnerabilities that affect millions of traders will be shown in detail. Among them are unencrypted authentication, communications, passwords and trading data; remote DoS that leaves the applications useless; weak password policies; hardcoded secrets; poor session management; etc. Also, many of these applications lack countermeasures such as SSL certificate validation and root detection in mobile apps, a privacy mode to mask sensitive values, and anti-exploitation and anti-reversing mitigations.

Moreover, the risk of social trading will be discussed, as well as how malicious expert advisors (trading robots) and other plugins could include backdoors or hostile code that would be hard to spot for non-tech-savvy traders.

The analysis encompassed the following platforms, which are some of the most used ones:
- 30 Websites (7 focused on cryptocurrencies)
- 17 Desktop applications
- 34 Mobile apps

Finally, the gap between security in online banking and in trading technologies will be clearly observed. There's still a long way to go to improve the security of the trading ecosystem, but the wheel has already been invented and common security countermeasures could be applied.

Speakers

Alejandro Hernandez

Sr. Consultant, IOActive
Alejandro Hernandez is a security consultant who works for IOActive, where he has had the chance to work with companies in different countries including Mexico, South Africa, Germany, China, the Netherlands, the United States, South Korea and England. As a research enthusiast, he has...


Friday October 12, 2018 11:45am - 12:20pm
Regency 1
  • Track 1

1:30pm

Breaking fraud & bot detection solutions
Browser fingerprinting and user behavior tracking are powerful techniques used by most fraud and bot detection solutions. These are implemented via JavaScript snippets running in the user's browser. In this presentation, we’ll demystify the signals these snippets collect and describe why these signals are unreliable. Using a realistic threat model, we’ll describe various attacks against defenses relying on these signals. Finally, we'll share war stories of architectural and implementation flaws we found in real-world deployments.

Speakers

Mayank Dhiman

Security Engineer, Dropbox
Mayank is a security researcher with an extensive background in network security, fraud/abuse prevention, threat intelligence and authentication. His research on browser fingerprinting and passive network fingerprinting has helped build rule-based systems and ML models to tackle fraud...


Friday October 12, 2018 1:30pm - 2:05pm
Regency 1
  • Track 1

2:15pm

Flying Above the Clouds: Securing Kubernetes
Cloud-native architectures built using Kubernetes are composed of containerized microservices managed by an orchestration system. They are distributed systems that run on top of the cloud (or sometimes physical) infrastructure and abstract away details of platform integrations in order to promote portability. Automation, scalability, and resiliency are all important properties of cloud-native systems and all factor into design choices. Security touches every aspect of the architecture, at the application, container, orchestration, and cloud infrastructure layers.

In this presentation, we will explore the Kubernetes attack surface and present methods to keep your cloud-native systems resilient to attack. Building a secure architecture requires carefully considering authentication, authorization, network segmentation, storage, and logging/auditing. There are some no-brainer security controls to take advantage of for quick wins, while others require careful consideration and design-level choices. We will demonstrate how container runtime security factors into the equation as well as what we need to consider in our underlying cloud infrastructure. Microservice security will be discussed along with steps we can take to deploy secure services and meshes.

Our goal is to keep our engineers moving fast, but securely. At the end of the presentation, you’ll understand the cloud-native attack surface and how to approach building a hardened infrastructure and deploy secure services with Kubernetes.

Speakers

Jack Mannino

CEO, nVisium
Jack Mannino is the CEO of nVisium. Passionate about security and impossible to keep away from a keyboard, his expertise spans over 15 years of building, breaking, and securing software. Jack founded nVisium in 2009, and since then has helped the world's largest software teams enhance...


Friday October 12, 2018 2:15pm - 2:50pm
Regency 1
  • Track 1