Welcome to OWASP AppSec 2018 USA. We look forward to seeing you in San Jose, CA.


Regency Ballroom 2
Thursday, October 11
 

10:15am

Web application compromise mitigation with crypto anchoring
Today’s world of Equifax breaches is the same old data security problem. In the past you’d need a solid SQL injection to pull all the records of a database. Nowadays, you need an RCE on the application server. The root problem has not changed: the app server has keys to the database, decryption, and a public presence. How do you protect data in this architecture? A solution is crypto anchoring paired with effective monitoring.

Speakers

Jon Debonis

Head of Security / CSO, Blend
Hi. I'm Jon. I study companies who've kept huge amounts of data secure, and try to replicate their success.


Thursday October 11, 2018 10:15am - 10:50am
Regency Ballroom
Track 2

11:00am

SDL at Scale: Growing Security Champions
If you’re tasked with securing a portfolio of applications, it’s a practice in extremes. You’ve got a small team of security experts trying to help a multitude of developers, testers, and other engineers. You have to find a way to work with the team that’s been around forever doing Waterfall on one huge product, and at the same time, you have to support all the microservices that the new Agile and DevOps teams are building. And to make things extra exciting, those agile teams are pushing to production anywhere from once a month to several times a day. Even if your security team is fully staffed, there still aren’t enough security experts to go around. Do you focus all your attention on the highly engaged team, the noisy and demanding team, or the team that never replies to your emails? They all need you.

By partnering with your development organization to create a guild of Security Champions you can help them all. Establishing a Security Champion role on your development teams enables them to be more self-sufficient while maintaining and even improving their security posture. With careful selection and well-defined goals, you can train Security Champions that go beyond just interfacing with the security team but also handle a range of security activities completely within their teams, helping you scale your program.

This presentation will examine the value of the Security Champion role within the development team, which groups need to commit for the program to succeed, how to find good champions, and what benefits everyone involved can expect to gain. Based on lessons learned building a successful Security Champion program over the past 5 years, it will detail actionable steps you can take to bootstrap, monitor, and maintain a customized program that fosters these champions in your organization.

Speakers

Ryan O' Boyle

Manager, Product Security, Veracode
Ryan O'Boyle is the Manager of Product Security at Veracode. Prior to joining Veracode, he helped create the internal penetration testing team at Fidelity Investments. He has presented at conferences including AppSec USA & EU, BlackHat EU, and RSA Europe. Throughout his career, Ryan...


Thursday October 11, 2018 11:00am - 11:35am
Regency 2
Track 2

11:45am

Identifying and Remediating Security Vulnerabilities in AI Assistant Based Applications
Intelligent assistants are and will be everywhere. You might be thinking that you cannot hack assistants because you can't say "What's the weather in Boston' or 1=1--", or that your assistant is safe in your house. Unfortunately, there are ways around both. This talk helps you understand how assistant applications work, how they are attacked, and how to identify and address vulnerabilities in them.

Speakers

Abraham Kang

Senior Director Software, Samsung Research America
Abraham Kang is fascinated with the nuanced details associated with programming languages and their associated APIs. Kang has a B.S. from Cornell University. He currently works for Samsung as a Senior Director Software helping to drive security and development in Samsung. Prior to...


Thursday October 11, 2018 11:45am - 12:20pm
Regency 2
Track 2

1:30pm

Paving the road for Developers: Lessons from integrating third party library scanning in DevOps workflows
The necessity of securing third-party libraries and packages is not a new concept; however, not many organizations understand its importance in a world where open source is mainstream. There is exponential growth in the usage of third-party libraries, and reusing code is the norm for developers. Adding a library can end up adding several other dependencies without the developer even being explicitly aware of them. Now combine this with the rapid pace of shipping new code on a daily basis, and the security challenge all of a sudden seems insurmountable.

In this talk, we will share our story of how we tackled this challenge head-on and leveraged DevOps tooling to build security that enables the developers. You should attend this talk if you want to learn about the technical and architectural choices of library scanning that worked for us at scale, and the ones that didn’t. You will learn how to drive automation while maintaining the consistency of overall developer experience.

And while you may have heard great talks about how DevOps (or DevSecOps) enables security, it also sets you up for losing credibility at DevOps speed if you’re not careful. We will give you tips and tricks, the Do’s and Don'ts that will enable you to implement third-party library security automation in your developer workflow, make it the path of least resistance and empirically measure success over time.

Speakers

Tim Champagne

Sr. Product Security Engineer, Medallia

Harshil Parikh

Director of Security, Medallia
Harshil Parikh leads the security team at Medallia, Inc. He is currently helping democratize security within Medallia for functions like Secure Product Development Lifecycle, DevSecOps, Monitoring & IR.


Thursday October 11, 2018 1:30pm - 2:05pm
Regency 2
Track 2

2:15pm

Chromebooks and network motes to enforce security posture from the device to the cloud
Telling a developer they cannot have admin access on their local machine is not practical. We want them to get work done. For any company that doesn’t have an IT security team greater than 4 to 5 people, monitoring devices is not practical. How do we both provide secure access to production, where the stakes are very high, and provide admin rights on personal devices? Our solution was to roll out Chromebooks, and it was fraught with technical challenges.

Speakers

Jon Debonis

Head of Security / CSO, Blend
Hi. I'm Jon. I study companies who've kept huge amounts of data secure, and try to replicate their success.


Thursday October 11, 2018 2:15pm - 2:50pm
Regency 2
Track 2

3:30pm

Mobile BDD security tests on steroids: A new framework to automate MSTG and MASVS in your CI/CD pipeline
In the era of Agile, DevOps and CI/CD, enterprises are constantly facing security challenges, especially in mobile, where security is still underestimated. One of the main issues is the speed and repeatability of security tests for each release/build. Being Agile means being fast, flexible, and able to go to production continuously through a continuous integration and deployment pipeline (CI/CD). This all applies especially to the development of mobile apps, where no common approach for automated security testing is defined yet.

As mobile development teams become more mature in terms of security, they have the need to release often, and this requires changes in the traditional way security was handled. In order to reach the needed speed of deployment, a new approach to how security fits into the process is required; automation and evidence of security tests become a valid option to facilitate this.

In the security maturity model, this maps to the DevSecOps teams and their capability to release faster. So, as security engineers, we have a few challenges to tackle:

- provide security at DevSecOps speed,
- detect vulnerabilities in early stages of development,
- have developers understand security,
- follow the SDLC, and
- have penetration testers focus on more sophisticated attack patterns against iOS and Android apps.

So, how do we get there? Let's look at the challenges:

1. Mobile security testing is complex if we consider the number of technologies, operating systems, security controls and libraries, and the different ways of testing. Manual security testing alone is not an option anymore, and automation frameworks must be adopted. The OWASP Mobile AppSec Verification Standard (MASVS) and Mobile Security Testing Guide (MSTG) are becoming more and more the de facto standard for mobile application security testing, but one of the biggest challenges of adopting MASVS is how to make the tests automated, repeatable and scalable at DevOps speed throughout the whole SDLC.

2. Mobile developers already test their apps using mobile UI automation frameworks such as Calaba.sh, Appium, Espresso and so on. In order to make their tests understandable by multiple profiles in the company (from the testers themselves to upper management), DevOps introduced BDD testing (Behaviour Driven Development) using Cucumber and the famous Gherkin language.

So, with this in mind what is the solution that would fit best the needs of stakeholders, developers and security experts? The developers already have UI testing in place. Even though this doesn't relate directly to security, at the end of the day it is just another way of testing where maybe security can fit. Imagine combining some of the features of the frameworks used by developers and adding a new set of security tests.

This talk introduces a new process and practical solution that achieves this: automation of mobile security tests. We use a combination of existing penetration testing frameworks (Drozer and Needle), UI automation, and underlying system commands available in the mobile OS to execute tests, and we describe (write) the tests in BDD fashion. In this way, you can cover all kinds of security tests, such as testing for unencrypted PII, input validation, cryptography, network security, SQL injection and so on! Basically, the goal is to translate MASVS (and its sister project MSTG) into automated BDD security tests and give pentesters more time to focus on "crazy stuff".

After the talk, the audience will understand how to create security tests using different mobile UI automation frameworks and different languages (Java, Ruby). We will also show practical examples on how to write, execute and integrate these tests into a CI/CD pipeline, retrieve results of tests and kick-off automatic tests when a flaw is discovered in a manual penetration test. A GitHub repo will be available after the Open Summit in London and will be shared during the talk, in order to initiate a community effort, so people can contribute to this automation framework for the MASVS by sharing their automation scripts.

Speakers

Davide Cioccia

Security Engineer, ING
Being in love with everything around computers, Davide Cioccia joined the cyber security scene a few years back, in 2009, when Stuxnet hit the nuclear plants of Iran. He developed a framework to understand how "diversity" in the assets in the plants could stop the malware from reaching its...


Thursday October 11, 2018 3:30pm - 4:05pm
Regency 2
Track 2

4:15pm

Threat Model-as-Code: A Framework to go from Codified Threat Modeling to Automated Application Security Testing
Threat Modeling is critical for Product Engineering Teams. Yet, even in the rare event that it’s performed, it’s performed without actionable outputs emerging from the exercise. It is relegated to the status of a “Policy/Best Practice Document”, which it shouldn’t be. I believe that Threat Models are playbooks of Product Security Engineering. I feel that the best way to do threat modeling is to integrate it into the Software Development Lifecycle (SDL). In addition, I believe that Threat Models should produce actionable outputs that can be acted upon by various teams within the organization.

To address this lacuna, I have developed “Automaton”, an Open Source “Threat Modeling as Code” framework that allows product teams to capture User Stories, Abuser Stories, Threat Models and Security Test Cases in YAML files (like Ansible). With the help of Test Automation Frameworks (in this case, Robot Framework), Automaton allows the product engineering team to not only capture Threat Models as code, but also trigger specific security test cases with tools like OWASP ZAP, BurpSuite, WFuzz, Sublist3r, Nmap and so on.

The benefits are three-fold. One: teams use Threat Modeling as a first-class citizen (with code), facilitating iterative and updated Threat Models and Security Test Cases as the product evolves (not a stationary document). Two: Threat Modeling becomes actionable. Product Teams can use this Framework to compose “Recipes” where User Stories (Functionality) lead to Abuser Stories (Threat Profiles), which lead to Threat Models (scenarios), which are used to create Security Test Cases (which kick off certain tools) based on the Recipes written for the Test Cases. Three: this approach leads to a convergence of Threat Modeling and Security Testing, allowing teams to improve both security testing and threat modeling based on results produced through this framework.

Speakers

Abhay Bhargav

CEO, we45
Abhay Bhargav is the Founder of we45, a focused Application Security Company. Abhay is a builder and breaker of applications. He is the Chief Architect of “Orchestron", a leading Application Vulnerability Correlation and Orchestration Framework. He has created some pioneering works...


Thursday October 11, 2018 4:15pm - 4:34pm
Regency 2
Track 2
 
Friday, October 12
 

10:15am

Battle Tested Application Security
Building Application Security programs from scratch or dropping into existing organizations with some AppSec functions can be a war zone. As practitioners are on the front lines of implementing AppSec programs, there is no one-size-fits-all solution or magic supplier who can come in and solve all opportunities. It takes a dedicated staff to drive an effective program beyond the check-the-box mentality, with a critical focus on security culture.

Through the talk, I'd like to provide insight into the nuances of dealing with different environments, large to small, and the associated lessons learned to help drive the culture of security to truly provide defensive capabilities and empower the organization.

Speakers

Ty Sbano

Head of Information Security, Periscope Data
Ty Sbano is an Information Security leader with over 12 years of experience mainly in Financial Technology organizations. Ty’s career has been focused on developing application and product security programs for LendingClub, Capital One, JPMorgan Chase, and Target. Key areas of knowledge...


Friday October 12, 2018 10:15am - 10:50am
Regency 2
Track 2

11:00am

Open Source Security Tools for Kubernetes Applications
Cloud Native platforms such as Kubernetes help developers to easily get started deploying and running their applications at scale. But as this access to compute starts to become ubiquitous, how you secure and maintain compliance standards in these environments becomes extremely important.

In this talk, we'll cover the basics of securing Cloud Native platforms such as Kubernetes. We will also cover open source tools - such as Clair, Anchore, and Sysdig Falco - that can be used to maintain a secure computing environment. Attendees will walk away with a good understanding of the challenges of securing a Cloud Native platform and practical advice on using open source tools as part of their security strategy.

Speakers

Michael Ducy

Director of Community & Evangelism, Sysdig
Michael Ducy currently works as Director of Community & Evangelism for Sysdig where he is responsible for growing adoption of Sysdig’s open source solutions. Previously, Michael worked at Chef where he held a variety of roles helping customers and community members leverage Chef’s...


Friday October 12, 2018 11:00am - 11:35am
Regency 2
Track 2

11:45am

Security as a Service: Work where Your Engineers Live
Product Engineers and Managers live in git, JIRA, and wikis to develop and release software, so why do security engineers use a fully different set of tools and dashboards to try to drive security fixes onto product teams' roadmaps?

Our team decided to use the 'live where they work' approach to see if we could increase the effectiveness and measurability of our engineering teams' participation in the SDLC.  

In this talk, we will show you how our roots on the product engineering team inspired us to live where our engineers live, and leverage existing software development processes to enable our engineers to get security work done when and where it needs to get done, without the overhead of constantly trying to reinforce security-specific processes.  

We will talk through the case study of setting up our 3rd Party Library vulnerability detection program. The case study will highlight how we were able to create a zero-overhead approach by leveraging automation and processes that we had previously put in place. The new system ensures we have an accurate view of the 3rd Party Libraries in use by our products at all times. We integrated this with our project tracking software to automatically file tickets with the team at the discovery of a vulnerability or a vulnerable library. This approach enables us to respond as quickly as possible to disclosure of a vulnerability in a library used by one of our 15+ products with tons of moving pieces. We will also talk about our vulnerability management program and strategy, which heavily leverages our JIRA project tracking system as our source of data, so we’re working from the same dataset as our engineers.

By working where our engineers live, we are able to immediately cut down barriers to getting security work done where and when it needs to be done, and consolidate the source of truth about se. We empower our engineers to know

Speakers

Julia Knecht

Manager, Security & Privacy Architecture, Adobe

Taylor Lobb

Manager, Security and Privacy Architecture, Adobe


Friday October 12, 2018 11:45am - 12:20pm
Regency 2
Track 2

1:30pm

Security Culture Hacking: Disrupting the Security Status Quo
This session is an exploration into the world of security culture hacking. In the wake of the "data breach of the day", organizations claim they are more serious about security. The truth is that many still have weak security cultures. At the end of the day, how much actual security culture change occurs post-breach? The answer is not enough. This session describes how to change security culture from the inside out, utilizing best practices and real-world examples. With security culture disruption, the security team attempts to impact employees through positive security learning and experience.

The session begins by introducing the audience to the concepts of security culture and security culture hacking and then explains the security status quo. Security culture hacking is the skills and creativity necessary to disrupt an existing culture and redirect it towards a more secure future. Security status quo is the idea that companies move in a herd mentality and believe that their security must only be an average of their peers. To prove this point, we profile some anonymous organizations based on their external security story versus reality. Next, we'll discuss what makes a good security culture hacker, including the skills required for success in this type of endeavor.

The middle of this session includes a how-to of hacking security culture. Each section includes various tips and stories from real-life experience about how to influence security culture. The phases of security culture improvement are explored, including awareness, big learning, and community. In addition, organizational reach, marketing, rewards, recognition, and metrics surrounding security culture improvement are discussed. It's time to make security fun.

At the conclusion, a plan is laid out for how a learner could put true security culture change into practice in their organization. Audience members receive a 30-60-90-1-year plan for how to implement true security culture change. 

Speakers

Chris Romeo

Security Journey
Chris Romeo is CEO and co-founder of Security Journey where he creates and deploys security culture influencing training, consults, and speaks. His passion is to bring security culture change to all organizations large and small through the creation and design of gamified security...


Friday October 12, 2018 1:30pm - 2:05pm
Regency 2
Track 2

2:15pm

Single Page Applications: Is your design secure?
In the current landscape of web development, Single Page Applications (SPAs) are being used more frequently due to their versatile capabilities. Also, the popularity of frameworks such as Angular and React has enabled fast-paced development of SPAs. For that reason, even more traditional web applications have migrated to SPAs without considering the security implications this new paradigm introduces. In this presentation we will describe some of the security pitfalls that affect SPAs and how to mitigate them.

Speakers

Rafael Dreher

Security Software Engineer, Microsoft
Rafael Dreher is a Security Engineer at Microsoft and co-founder of the OWASP Porto Alegre chapter. He is interested in ways to improve and scale static code analysis in large enterprises. Rafael spends most of his time digging into code of web applications to find interesting patterns...

Murali Vadakke Puthanveetil

Security Software Engineer, Microsoft
Murali Vadakke Puthanveetil works as a Security Engineer at Microsoft and is a previous speaker at AppSec USA. He is particularly interested in figuring out authentication and authorization logic used by web applications. Murali spends most of his time digging into code of web applications...


Friday October 12, 2018 2:15pm - 2:50pm
Regency 2
Track 2