2018 BASC Workshops

We would like to thank our workshop leaders for donating their time and effort to help make this conference successful.

Join this live interactive tournament, which is sure to be a fun, challenging learning experience for all. Whether you are eager to prove your web application AppSec knowledge of the OWASP Top 10 and more, and watch as you climb to the top of the Leaderboard, or simply want to learn more about how to code more securely – everyone is welcome, and there will be prizes / SWAG for the winner(s).

The tournament will be conducted using the Secure Code Warrior platform, an innovative online, hands-on, gamified SaaS Learning Platform that actively engages developers to Learn & Build their secure coding skills. This approach is changing the way developers think and behave as they build & test software. Bring your laptop (not tablet), choose your preferred language/framework, whether it be C# (.NET) MVC, C# (.NET) Web Forms, Java Enterprise Edition, Java Spring, Python Django, Ruby on Rails, or Scala Play, and launch into the AppSec Wars Challenge!

Threat modeling is a way of thinking about what could go wrong and how to prevent it. Instinctively, we all think this way with regard to our own personal security and safety. When it comes to building software, some software shops either skip the important step of threat modeling in secure software design, or they have tried threat modeling before but haven't quite figured out how to connect the threat models to real-world software development and its priorities. Threat modeling should be part of your secure software design process. Using threat modeling and some principles of risk management, you can design software in a way that makes security one of the top goals, along with performance, scalability, reliability, and maintenance.

Objective: In this workshop, attendees will be introduced to Threat Modeling, learn how to conduct a Threat Modeling session, learn how to use practical strategies in finding Threats and how to apply Risk Management in dealing with the threats. Depending on time, we will go through 1 or 2 Real World Threat Modeling case studies. Finally, we will end the day with common gotchas in Threat Modeling and how to watch out for them.

Laptop recommended for some labs, but not required. GitHub account recommended, but not required.

When conducting a penetration test for a web application, knowledge of technology-specific caveats becomes crucial. Knowing vulnerability basics is often insufficient to be effective. In this workshop, the latest XXE and XML-related attack vectors will be presented. XXE is a vulnerability that affects any XML parser that evaluates external entities. It is gaining more visibility with its introduction to the OWASP Top 10 2017 (A4). You might be able to detect the classic patterns, but can you convert the vulnerability into directory file listing, binary file exfiltration, file write or remote code execution? The focus of this workshop will be presenting various techniques and exploitation tricks for both PHP and Java applications. Four applications will be at your disposal to test your skills. For every exercise, sample payloads will be given to save attendees some time. Attendees must bring their own laptops with Burp Suite or ZAP pre-installed.
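As an added illustration of the parser behaviour the XXE description above refers to (this is example code written for this page, not material from the workshop or its authors), the Java program below contrasts a default JAXP DocumentBuilderFactory, which accepts a DOCTYPE and attempts to resolve an external general entity, with a factory hardened along the lines of the OWASP XXE Prevention Cheat Sheet, which rejects the document before any entity is read. The sample XML document and the placeholder SYSTEM path in it are constructed for the example and point at nothing real.

```java
import java.io.IOException;
import java.io.StringReader;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;
import org.w3c.dom.Document;
import org.xml.sax.InputSource;
import org.xml.sax.SAXException;

public class XmlParserHardening {

    // Constructed sample input: an internal DTD declaring an external general
    // entity. The SYSTEM identifier is a placeholder path that need not exist;
    // what matters is whether the parser even tries to open it.
    static final String DOC_WITH_EXTERNAL_ENTITY =
        "<?xml version=\"1.0\"?>\n" +
        "<!DOCTYPE note [\n" +
        "  <!ENTITY ext SYSTEM \"file:///placeholder/does-not-exist.txt\">\n" +
        "]>\n" +
        "<note>&ext;</note>";

    /** Default JAXP configuration: DOCTYPEs are accepted and external entities are resolved. */
    static DocumentBuilder defaultBuilder() throws ParserConfigurationException {
        return DocumentBuilderFactory.newInstance().newDocumentBuilder();
    }

    /** Hardened configuration: refuse DTDs entirely, plus defense-in-depth settings. */
    static DocumentBuilder hardenedBuilder() throws ParserConfigurationException {
        DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
        // No DOCTYPE means no entity declarations at all, internal or external.
        dbf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        // Belt and braces in case a deployment later has to permit a DTD.
        dbf.setFeature("http://xml.org/sax/features/external-general-entities", false);
        dbf.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        dbf.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        dbf.setXIncludeAware(false);
        dbf.setExpandEntityReferences(false);
        return dbf.newDocumentBuilder();
    }

    /** Parses the sample with the given builder and describes what the parser did. */
    static String tryParse(String label, DocumentBuilder builder) {
        try {
            Document doc = builder.parse(new InputSource(new StringReader(DOC_WITH_EXTERNAL_ENTITY)));
            return label + ": accepted, root=" + doc.getDocumentElement().getNodeName()
                + ", text=\"" + doc.getDocumentElement().getTextContent() + "\"";
        } catch (SAXException e) {
            // The hardened parser stops at the DOCTYPE; nothing external is ever opened.
            return label + ": rejected by the parser (" + e.getMessage() + ")";
        } catch (IOException e) {
            // The default parser accepted the DTD and tried to open the SYSTEM identifier.
            return label + ": attempted to resolve the external entity (" + e.getMessage() + ")";
        }
    }

    public static void main(String[] args) throws Exception {
        System.out.println(tryParse("default ", defaultBuilder()));
        System.out.println(tryParse("hardened", hardenedBuilder()));
    }
}
```

Run it with `javac XmlParserHardening.java && java XmlParserHardening`. The default builder reports an I/O failure on the placeholder path, which is the tell that it reached out to resolve the entity; the hardened builder reports a SAX error on the DOCTYPE declaration itself. Disabling the DOCTYPE is the setting that closes the class of issue; the remaining features only matter if a DTD has to be allowed for some other reason.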

A properly positioned defense will increase strength while decreasing the effort needed to maintain position. For applications, the best defense is both in and around the application. Through instrumentation, defenders can map the attack surface from the inside and add defenses against the right threat at the right location. In this workshop, we will use freely available tools to map an application and describe how instrumentation saves a defender’s time through compatibility, performance, and security. Attendees require a laptop with internet connection and familiarity with coding, ideally in Java.

osquery is a powerful cross-platform, cross-virtualization, open-source endpoint agent that was released by Facebook in 2014. It has been growing rapidly in the past year, becoming one of the top security projects on GitHub, with major internet companies above and beyond Facebook adopting it as their endpoint tool of choice in place of commercial endpoint offerings.

This workshop, offered by a seasoned engineer who has been working closely with osquery since mid-2016, will provide information for security practitioners who:

- have EDR or IR endpoint needs, but don't always have the budget or other resources to purchase and deploy expensive black-box security products;
- want the ability to freely customize the questions they are asking of their endpoints over time;
- want the ability to collect and analyze data passively, as they would with a SIEM, yet have active investigation capabilities for the endpoint without having to deploy a separate tool.

This workshop will be a combination of presentation and hands-on learning. The presentations will consist of an introduction to the project; why osquery is significant and useful, and the design principles behind it; who is using osquery currently; notable improvements (and expected improvements) in the past and upcoming year; and how attendees can get involved and/or contribute. The presentations will also include an overview of the tables included in osquery, including specific utility tables and the idea of extensions. The presentation will conclude with a summary of the learning so far and the challenges of using osquery at scale.

The hands-on portion will include installing and configuring osquery on Linux, demonstrating how to run osquery in interactive mode, some basic osqueryi shell commands, how to use various facets of SQL to write queries for osquery, how to configure osqueryi to listen for events and how to query event tables, and some examples of how osqueryi can be used to investigate a host. If time allows, additional lab sessions may be attempted.