2019 BASC Presentations

We would like to thank our speakers for donating their time and effort to help make this conference successful.

Maintaining secure versions of third-party libraries is a repetitive and tedious task at best. At worst, with many interdependent internal projects (think microservices) and dozens of layers of transitive dependencies, it is a logistical nightmare. A top-down, ad hoc approach is often used to resolve vulnerable third-party libraries, prioritizing high-severity vulnerabilities or internal projects critical to business functions, but failing to address the larger impact of vulnerabilities. TraceLink is taking a different approach, utilizing the graph structure of interconnected projects to perform security upgrades in an informed order from the bottom up. This process aims to automate third-party library version maintenance as much as possible, aiding in the completion of vital security upgrades and compounding the effects of each individual upgrade to reduce overall work done.

In moving to serverless, we shift some security responsibilities to the infrastructure provider by eliminating the need to manage servers. Unfortunately, that doesn’t mean we’re entirely absolved of all security duties. Serverless functions still execute code and can still be vulnerable to application-level attacks. As a new type of architecture, serverless presents new security challenges. Some are equal to traditional application development, but some take a new form. Attackers are thinking differently, and developers must do so as well to gain the upper hand.

In this talk, I will dive into the Top 10 risks of the OWASP Serverless Top 10 project. I will discuss why these risks are different from traditional attacks and how we should protect our application against them. I will also introduce OWASP DVSA, a deliberately vulnerable tool, aiming to assist both security professionals and developers to better understand the implications and processes of serverless security.

This session is an exploration into the world of security culture hacking. In the wake of the “data breach of the day”, organizations claim they are more serious about security. The truth is that many still have weak security cultures. At the end of the day, how much actual security culture change occurs post-breach? The answer is not enough. This session describes how to change security culture from the inside out, utilizing best practices and real-world examples. With security culture disruption, the security team attempts to impact employees through positive security learning and experience.

The session begins by introducing the audience to the concepts of security culture and security culture hacking, and then explains the security status quo. Security culture hacking is the skills and creativity necessary to disrupt an existing culture and redirect it towards a more secure future. Security status quo is the idea that companies move in a herd mentality and believe that their security must only be an average of their peers. To prove this point, we profile some anonymous organizations based on their external security story versus reality. Next, we’ll discuss what makes a good security culture hacker, including the skills required for success in this type of endeavor.

The middle of this session includes a how-to of hacking security culture. Each section includes various tips and stories from real life experience about how to influence security culture. The phases of security culture improvement are explored, including awareness, big learning, and community. In addition, a discussion of organizational reach, marketing, rewards, recognition, and metrics surrounding security culture improvement are explored. It’s time to make security fun.

At the conclusion, a plan is laid out for how a learner could put true security culture change into practice in their organization. Audience members receive a 30-60-90-1-year plan for how to implement true security culture change.

Security's most important skill is overlooked – critical thinking. Keeping up with the latest technical tools and trends is only one contributor to success. Security is a constantly evolving field. Long-term success requires that we think on our feet—regardless of technology—to understand tools and how to apply them to the changing landscape.

We often do not think about critical thinking. What does it feel like? How is "critical" thinking different from "normal" thinking? How do you develop these skills? And how do you apply them to security?

Critical thinking is part art, part science. It takes a combination of intuition, logic, and creativity to understand the 'why' and not just the 'how.' It should help us address the root cause of an issue and not just the symptoms. In security it means decomposing a problem, analyzing objectively, evaluating a hypothesis, and recognizing context. This session will explore how to apply critical thinking in your day-to-day job pulling from my experience and observations across academia, industry, and government.

Securing assets is a difficult job without the appropriate support, be it from your superiors or having access to resources: getting what you need can be challenging, but that is no excuse to not securing it. In small and medium companies where technology departments are service oriented, security is often overlooked in favor of ease of access, forcing IT to compromise on solutions and, potentially, leave the organization vulnerable.

This talk will explore the open source and open access tools available to the public, their pros and cons, the elements to consider when implementing and the hurdles along the way, covering basic aspects of security in a company: incident response, application security, network security, training, risk & compliance, among others. Analysts, engineers and technicians whose many hats may result in security holes benefit from the implementation of these tools… and managers from knowing alternatives to the increasingly costly solutions in the market.

Before that hacker slides into your brand’s DMs, how do you prepare your organization to talk to researchers and spot vulnerability disclosure? Today, poorly handled disclosures can cause the same reputational damage as a public security incident. As security continues to climb the ranks of importance, more decision makers and stakeholders are involved in interactions that were once solely owned by security teams. The vulnerability reports are coming. Ready or not. Everyone is on the front lines of security and this includes researcher interactions. Are your executives, legal, PR, and social media teams prepared?

Based on hundreds of hacker and company mediation request, this talk will look at common and extreme scenarios many are seeing for the first time. We will cover real-world communication failures, as well as the success stories you will never read about. Attendees will walk away with armed with practical tips to prepare their colleagues for the inevitable vulnerability report, starting with hacker motivations, what disclosure success looks like, and de-escalation tips. This talk will cover: Responding to vulnerabilities reported via social media; How to minimize the chances of your vulnerabilities ending up on Twitter; Tips for keeping the press out of your bug reporting workflow; Prepare your company to talk to a hacker who is requesting cash; De-escalation tips to find a happy f@%#&$* ending when tempers flare and you are caught in the middle; and How to advocate for security researchers without losing friends or your job.

Android is by far the leading operating system in smartphones. As of March 2019, 51% of US smartphone subscribers were using a Google Android device. This percentage is much higher in an international scale. Also, there are currently more than 2 million Android applications on the official Google Market, known as Google Play. As most of the functionalities of smartphones are provided to users via applications, this huge market with billions of users is tempting for attackers to develop and distribute their malicious applications (or malware).

Mobile malware has raised explosively since 2009. Symantec reported an increase of 54% in the new mobile malware variants in 2017 as compared to the previous year. This rise has happened for Android malware as well since only 20% of devices are running the newest major version of Android OS based on Symantec report in 2018. Thus, detecting malicious and potentially risky applications in the Android platform is of the utmost importance. During this talk, I will summarize different automated techniques proposed for Android malware detection and risk assessment. Along with this, I will discuss how adversaries have tried to bypass these mechanisms.

As nimble organizations deliver new innovations, adversaries are also upping their game; something we’ve seen in recent high profile and devastating cyber attacks. Bad actors have the intent and ability to exploit security vulnerabilities in the software supply chain - and in some cases plant vulnerabilities themselves. They have increased scale through automation and improved breach success through precision targeting. If we don’t fight back by doing the same - automating security directly in the DevOps pipeline - then we’ll always be at the hackers’ mercy. This session will provide new research on the above, and details on how to get started.

Key takeaways: Real-world examples of how large and small companies are implementing DevSecOps practices in their own delivery pipelines, and increasing developer awareness to risks; Key insights from the 2019 DevSecOps community report - including the top investments for automated security; A walkthrough of how security principles have been automated into a CICD pipeline and what standards for implementation are beginning to follow suite; Why DevSecOps is more than a buzzword, and why it’s vital to protecting your software supply chain; How automating security of policies makes it harder to ignore.

Machine learning has shown success in detecting known types of software vulnerabilities in recent years, but they mostly need extensive specimens to train their models.

As a new alternative to such approaches, we present a learning-based technique that can identify potentially buggy code snippets which deviate from most of the code snippets implementing similar functionalities. Our approach learns from a codebase itself without the need for the cumbersome task of gathering and cleansing training samples. The core idea is that various kinds of bugs can be viewed as inconsistencies that deviate from non-buggy code that implement the same or similar logic.

More specifically, we design a two-step clustering technique to find functionally-similar yet inconsistent code in software. We implemented our system on top of LLVM, which makes our approach language-agnostic.

We evaluated our tool on 4 popular open source security software codebases, such as OpenSSL, OpenSSH, WolfSSL, and Mbedtls. Our tool discovered 10 new unique deep bugs (some are exploitable), despite that some of these codebases are constantly undergoing vulnerability scans. All of the bugs have been confirmed by their developers and later fixed by either our pull requests or the developers.

How does the system work really? How easy to find bugs by our approach and how much manual effort does it need? What is a proper code granularity for detecting inconsistencies?

Ever gotten a pile of SAST findings and wondered - what now? How do you possibly trim the fat of uninteresting findings down to a manageable set and get to work making the world a safer place? We will talk about some easy tips on how to prioritize and isolate those results which matter the most to your organization.

Targeted and increasingly sophisticated attacks are growing in popularity. With spear-phishing, ransomware, and a slew of other user-oriented attacks, our information security, particularly our operational security, relies on having our users on board. But training end-users can be difficult, and our response to mitigating these attacks can sometimes come at a great expense to UX. This session delves into the User Experience of Information Security, and provides attendees with insights into how some of our best laid security measures might actually increase our vulnerability to future attacks.