2018 BASC Presentations

We would like to thank our speakers for donating their time and effort to help make this conference successful.

ModSecurity Evader (MSeVader) is a tool that assists offensive security testers in crafting payloads that evade ModSecurity WAF rules. As a Burp Suite extension providing real-time visual feedback on rule violations, it lets the attacker tweak payloads before submitting them to the web server, ensuring they are not blocked. The demonstration of the tool will include techniques for fingerprinting the WAF to determine the specific threshold settings of the WAF rules, allowing the attacker to know whether the payload will be blocked without sending packets. This tool has been used to successfully discover WAF-evading payloads to execute SQL injection, XSS, and inject web shells into a site behind a popular commercial cloud-based WAF solution, at maximum paranoia settings.

[[Media:PainlessThreatModeling.pptx|Slides]] According to OWASP, threat modeling is one of the most valuable activities to ensure secure web application design. Yet leading resources on threat modeling make it look like a massive and complex up-front effort. This presentation will outline a practical approach to threat modeling that can be started in just a few working days and can produce productive collaboration between development and security teams.

From the time we choose to rise each morning, to the time we finally rest our heads, almost every decision made in our daily lives depends on something. When we understand these dependencies we can better control our responses. How a PSIRT manages its response is not black and white either; in fact, the quality of a response correlates to the degree to which dependencies are known and understood within the products which get released. As developers incorporate more open source and commercial third-party components into their products, the complexity of these dependencies continues to increase, which causes a downstream ripple effect on PSIRTs who are tasked with managing the responses for vulnerabilities reported in these dependencies. A framework for managing dependencies is important so developers can understand the downstream impact of their decisions on PSIRTs while opening the door for PSIRTs to potentially shape those decisions. Further enforcing this dialogue through dedicated PSIRT controls lays the foundation for a PSIRT response that truly shifts from reactive to proactive.

Bug bounties are a marketplace, and like all marketplaces, there are good sellers (researchers) and buyers (programs), and there are bad sellers and buyers. There are resources everywhere to help researchers get going in this exciting world of bug hunting, but there are few resources available to help those running programs. But it is far worse to be a bad program than it is to be a bad researcher. Let's have a conversation about how Upserve went from no bounty program to launching a public program (and beyond!). We'll talk about the speedbumps and the lessons learned along the way. And you'll learn about how managing a successful bug bounty program is more about managing expectations and clear communication than it is about fixing security bugs.

APIs present enterprises with new risks and challenges to security. In this presentation, I will discuss a methodology to secure your enterprise's APIs. This methodology will include: Discovery (Breaking down your APIs into basic groups, The difference between Web App Discovery and API Discovery); Risk and Prioritization (Rapid Risk Assessment); Testing (Tools, Vulnerabilities); Gateways, Serverless, Microservices (Gateway vs. Service, Unique Requirements of API Services Require Specialized Testing); Key Take-Aways on Securing your API Environment (Have an API discovery and risk plan, Tools that worked on Web Apps need more help with APIs, Newer technologies benefit from full stack testing techniques).

Workforce development is reliant on the combination of a subject-matter common language framework of projects and tasks. Job descriptions are then derived from this same framework of subject-matter project and task definitions. A career development plan based on standardized projects and tasks, along with a culture that allows for psychological safety, will allow you to acquire and retain talent. When we combine daily processes of business operations derived from a subject-matter common language, in which all teammates know their role and the roles of others on the team (along with a culture that allows humans to think, feel and perceive without negative consequences), we can truly experience workforce development in any subject-matter profession. Come hear how to achieve this success in cybersecurity. Between our technology and our theories we are showing that organizations can obtain cybersecurity talent in less than 60 days and retain them.

Modern applications require modern security and the OpenID Connect and OAuth2 security protocols are designed to meet this need. To achieve a modern security architecture you must then use something called a “security token service” that implements these protocols. In this session we will look at how applications are now architected to incorporate and use a token service for authentication thus providing single sign-on. We will also see how this same token service also provides tokens for securing Web APIs. We will be using ASP.NET Core and the popular open source framework IdentityServer to illustrate these concepts.

There is no silver bullet for a successful DevSecOps. Each organization has its own way of doing things and no two development groups are the same. The good news is you can learn from mistakes made by others, and avoid repeating those. In this session you will hear about their AppSec programs, their journey to shift their security to the left, their missteps, and the lessons learned.

Websites and mobile apps are the primary channel for how businesses communicate with customers and consumers. However, the significant risk they harbor continues to confound information security professionals for three reasons. First, a majority of website code is provided by unknown parties that execute outside the enterprise infrastructure. Second, these shadow IT resources are not addressed by app scanning services. Third, appsec teams don’t understand the composition of these digital assets and the risks posed to the enterprise. There’s a fundamental philosophy that these shadow IT resources are not part of websites and mobile apps, and therefore not appsec’s responsibility. And it shows. Digital-driven breaches occur with increasing regularity via compromised third-party vendors such as tag management systems, chat bots, content management systems, data management platforms, marketing analytics, video platforms, advertisements, and more. Making matters worse, bad actors leverage sophisticated targeting and obfuscation techniques to continuously evade security researchers and technologies. Considering that 50-95% of executing website code is typically delivered by third parties, enterprises need to rethink website security. How can you secure code that application security tools—let alone operations teams—don’t even see executing on the user’s device? A real-time review of five popular websites will demonstrate the complexity of the digital environment and why breaches will continue to dominate headlines.

The struggle is real before the pentest even starts; you have hundreds of web applications to test, dozens of managers looking for redacted pentest reports, and that one person who keeps coming to your desk for updates (daily). It’s a mad world. We’ve been there, so you don’t have to be! Join us as we present how we leveraged the power of Dynamic Application Security Testing (DAST), the concept of Tiering, and the power of automation to test what matters (and yes, everything matters – even internal applications). And how to use all that to make Pentesting Great Again! This is the one retrospective you won’t want to miss – key take-aways from working on AppSecurity for over 3 years. If you’ve been managing your issues in Excel, writing reports in Word, and are excited to spend your time actually testing applications, this talk is for you! We’re anticipating a highly collaborative session and hope you’ll join - feedback, criticism and praise are all welcome!

You may have heard it said that security should work to enable the business. Easier said than done... how can a defensive practice provide growth through risk management? In this talk, we'll review three valuable roles security can play to fully integrate with the business it supports. Expect simple, quick-win strategies from our experience working with fellow defenders to translate between business needs, negotiate prioritization, and energize collaborative initiatives for new growth. Along the way, we'll cover realistic techniques to engage common obstacles and set course towards a security-driven enterprise.

This presentation is an overview of Android security. The Android framework, common application vulnerabilities, and penetration testing methods will be discussed. This presentation caters to people who are interested in learning about the fundamentals of Android security.