2016 BASC Presentations

We would like to thank our speakers for donating their time and effort to help make this conference successful.

How does an individual change the application security culture of an organization? By designing and deploying an application security awareness program that contains engaging content, humor, and recognition. Application security awareness is part security knowledge, part lessons learned from history, and action to improve security into the future.

Each company has an application security culture, but most of them need a boost. Come and experience a successful blueprint for how you can build an application security awareness program of your own. The content is based on five years of real-life experience implementing application security awareness in a large enterprise reaching 30,000 people.

Go beyond traditional security awareness, and dive deep into changing the DNA of those who code, test, and deploy applications within their organization. The session uses the illustration of building a house, with six points used to show the ideal way to construct a successful application security awareness program. We move from answering what is application security awareness, to providing the details for how anyone can build a program of their own. This advice is from real-life experience; this is how we did it, and how anyone in the audience can use this blueprint to deploy their own program.

The six blueprints are:

 * Mission: how to define and build a team to support
 * Program architecture: design a program that covers all roles and recognizes achievements, on a budget
 * Curriculum: what to teach, and how to decide what to include
 * Humor: how to use humor to engage the audience
 * Content Creation: how to build application security learning that people want to enjoy
 * Tools: things you can add to enhance the program's organizational visibility

Virtually every site has some marketing JavaScript (aka tags) running on it to allow the analysis of user actions or to present the user with a customized page. Most commonly this JavaScript is delivered to the user's browser directly from the third party. That means the JavaScript never goes through any of your security controls: no design review, no code review, no web application firewall. We will explain the tools and ecosystem used to create and deliver this JavaScript, show how they have caused actual cross-site scripting (XSS) vulnerabilities in various well-known sites, discuss some possible technical controls, and present a simple page JavaScript architecture that prevents this XSS, is actually faster, and is recommended by tag management services.

SAST, DAST, and WAF have been around for almost 15 years — they’re almost impossible to use, can’t protect modern applications, and aren’t compatible with modern software development. Recent studies have demonstrated that these tools miss the majority of real vulnerabilities and attacks while generating staggering numbers of false positives. To compensate, these tools require huge teams of application security experts that can’t possibly keep up with the size of modern application portfolios. Fortunately, the next generation of application security technology uses dynamic software instrumentation to solve these challenges. Gartner calls these products “Interactive Application Security Testing (IAST)” and “Runtime Application Self-Protection (RASP).” In this talk, you’ll learn how IAST and RASP have revolutionized vulnerability assessment and attack prevention in a massively scalable way.

Follow me through my discovery of Docker anti-patterns, stemming from a core misunderstanding of containerization. Understand my mistakes as they could be your own and figure out what the right and true solutions are.

We’ll explore anti-patterns such as the multiple-concerns container, latest is greatest and SSH for beginners, each of them a security concern. We’ll explore anti-anti-patterns, a.k.a. best practices with a slant towards the practical and realistic.

Everyone has read the OWASP guides and understands the common security vulnerabilities that affect web applications. However, what OWASP presents is often very high level and basic, and doesn’t usually capture some of the advanced forms in which vulnerabilities manifest.

In this talk I look at XML Injection and what it is, and cover a few basic examples. I then move on to a few real-life examples of this vulnerability that I have exploited in the wild on real-life Application Security assessments. I will also cover remediation and code review strategies to prevent the issues.

Musical equipment has begun to be able to connect to the internet, to set up ad-hoc mesh networks, and to be updated over the air. We have seen similar capabilities in other IoT devices, and there has been little to no security associated with these capabilities, which is also the case here. What is different is that we have the opportunity to hack devices in unusual ways, one of which is the use of sound to overwrite the signal processing software on some guitar pedals. In this talk we will show how the software on a guitar pedal can be overwritten just using sound, and how to reverse engineer this update process to create and upload arbitrary software of our own design onto the guitar pedal.

Does your organization rely heavily on vendor products/applications for streamlining your processes? Do you wonder what threats your data is being exposed to while handled by these applications? Are you a product company trying to assure your clients of the security of your application without divulging too much information? Have you faced situations where your client demands to run their own security assessment? This talk aims to help the audience understand:
 * What data you should be looking for in the assessment report
 * How to send or share information with people outside the organization
 * What you should be worried about in the assessment report and plans for remediation
 * Current practices among vendors

Involved Agencies: IWG, a behavioral health service organization located in New Haven, Connecticut, is dedicated to collaborating and providing solutions for our clients. Primarily, IWG has done this by providing therapeutic interventions to individuals and families. Integrated Wellness Group EAP serves all employees, their spouses/partners and dependents. Further, we provide counseling by phone/telehealth for up to 5 sessions per year by experienced mental health professionals, and self-assessments for common problems with written feedback. All of our services are based on trauma-informed approaches to treatment.

Statement of Need: It has been reported that approximately 5% of the U.S. population suffers from trauma, and it is suggested that this number is three to four times higher for software developers (15 – 20%). Tech companies have been known to thrive on high expectations, frequent deadlines and a fast-paced work environment, which can produce stressed workers. The high demand to deliver a top-quality product often leads to stress, high anxiety and eventually burnout. However, few are willing to admit they are overwhelmed, and they struggle in silence until it is too late. This stressful work environment can lead to PTSD-like symptoms in individuals, such as depression, anxiety, isolation, and sleep interruption, among other things, all of which can negatively impact workplace productivity and satisfaction. For those companies that offer mental health resources, only 26% of individuals are aware of the company’s resource and how to seek assistance. Unfortunately, the majority choose to suffer in silence. Despite these statistics, mental health is a topic widely avoided in the tech community. Fear of stigma, social taboos, and lack of resources all impede our ability to have important conversations. Only 1.8% of total IT operating budgets contribute to behavioral health organizations, which is far below the recommended 7-10% for safety net organizations.

Conference Proposal: The purpose of this proposal is to offer breakout sessions focused on reducing trauma and increasing wellness during conferences for employees who are facing a variety of emotional and mental health issues that can cause a lack of productivity in the workplace. In order to reduce the number of professionals reaching burnout and feeling stuck in a stress-induced environment, Integrated Wellness Group is offering to meet the client on site during the conference, provide a psychoeducational workshop, or meet in the office.

Additional EAP Services for the Workplace: Integrated Wellness Group is dedicated to improving professional well-being by providing Employee Assistance Program (EAP) services to those in need. Services include wellness assessments, counseling, coaching, and referrals for additional services and follow-up visits. IWG will conduct interactive assessments that cover information from personal stress to substance abuse. Through the EAP, employers will see improved productivity, reduced workplace absenteeism, as well as reduced healthcare costs associated with stress, depression, and other mental health issues. Our proposed services are integrated in a way that ensures coherent and comprehensive solutions to problems assessed at first point of contact.

Android is the operating system with the largest user base, so the threat landscape for Android applications cannot be ignored. While Android OS is used in a wide variety of devices, from smart watches to TVs, a large chunk of its user base is concentrated in mobile phones. Popular services that were offered over the web are also constantly trying to adapt themselves to the mobile environment. This raises a few important questions for Information Security enthusiasts.

 * How similar or how different are the threats related to Android applications?
 * How can we perform penetration tests on an Android application?

The presentation would cover the basic threat model for Android applications and would provide a quick guide to performing penetration tests on Android applications, detailing how we can intercept Android traffic and decompile the application package.

Bill's presentation will discuss the state of software product security: where we've been, why we're still struggling after over 30 years of trying, and what we must do, strategically, to improve.

EMC handles vulnerability management for over 70 products. As the volume of intake increases year by year, the EMC Product Security Response Center has had to take a systematic, proactive approach to guide the product units at all levels to work seamlessly in managing and responding to these vulnerabilities. We will share the chaos that we faced and discuss how order was restored to our command center.