2016 BASC Presentations

We would like to thank our speakers for donating their time and effort to help make this conference successful.

How does an individual change the application security culture of an organization? By designing and deploying an application security awareness program that contains engaging content, humor, and recognition. Application security awareness is part security knowledge, part lessons learned from history, and part action to improve security in the future.

Each company has an application security culture, but most of them need a boost. Come and experience a successful blueprint for how you can build an application security awareness program of your own. The content is based on five years of real-life experience implementing application security awareness in a large enterprise reaching 30,000 people.

Go beyond traditional security awareness, and dive deep into changing the DNA of those who code, test, and deploy applications within their organization. The session uses the illustration of building a house, with six points showing the ideal way to construct a successful application security awareness program. We move from answering what application security awareness is to providing the details of how anyone can build a program of their own. This advice comes from real-life experience: this is how we did it, and how anyone in the audience can use this blueprint to deploy their own program.

The six blueprints are:

 * Mission: how to define it and build a team to support it
 * Program architecture: design a program that covers all roles and recognizes achievements, on a budget
 * Curriculum: what to teach, and how to decide what to include
 * Humor: how to use humor to engage the audience
 * Content creation: how to build application security learning that people want to enjoy
 * Tools: things you can add to enhance the program's organizational visibility

Virtually every site has some marketing JavaScript (aka tags) running on it to allow the analysis of user actions or to present the user with a customized page. Most commonly this JavaScript is delivered to the user's browser directly from the third party. What that means is the JavaScript never goes through any of your security controls: no design review, no code review, no web application firewall. We will explain the tools and ecosystem used to create and deliver this JavaScript, show how they have caused actual Cross-Site Scripting vulnerabilities in various well-known sites, discuss some possible technical controls, and present a simple page JavaScript architecture that prevents this XSS, is actually faster, and is recommended by tag management services.

SAST, DAST, and WAF have been around for almost 15 years — they’re almost impossible to use, can’t protect modern applications, and aren’t compatible with modern software development. Recent studies have demonstrated that these tools miss the majority of real vulnerabilities and attacks while generating staggering numbers of false positives. To compensate, these tools require huge teams of application security experts that can’t possibly keep up with the size of modern application portfolios. Fortunately, the next generation of application security technology uses dynamic software instrumentation to solve these challenges. Gartner calls these products “Interactive Application Security Testing (IAST)” and “Runtime Application Self-Protection (RASP).” In this talk, you’ll learn how IAST and RASP have revolutionized vulnerability assessment and attack prevention in a massively scalable way.

Follow me through my discovery of Docker anti-patterns, stemming from a core misunderstanding of containerization. Understand my mistakes as they could be your own and figure out what the right and true solutions are.

We’ll explore anti-patterns such as the multiple-concerns container, "latest is greatest", and "SSH for beginners", each of them a security concern. We’ll also explore anti-anti-patterns, a.k.a. best practices, with a slant towards the practical and realistic.

Everyone has read the OWASP guides and understands the common security vulnerabilities that affect web applications. However, what OWASP presents is often very high level and basic, and doesn’t usually capture some of the advanced forms in which vulnerabilities manifest.

In this talk I look at XML Injection, what it is, and cover a few basic examples. I then move on to a few real-life examples of this vulnerability that I have exploited in the wild on real-life Application Security assessments. I will also cover remediation and code review strategies to prevent the issues.
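As an added illustration, not material from the talk itself, the Python script below shows the basic form of XML injection the abstract refers to: a user-supplied name concatenated into an XML document smuggles in an extra `<role>` element, and a backend that trusts the first `<role>` it finds grants admin. The fix builds the document through an XML API so input is serialised as escaped character data, with allowlist validation as a second layer. The element names, the `PAYLOAD` string and the `first_role` backend are constructed for this example and are not from any real product.

```python
# Added example (not from the talk): XML injection via string concatenation,
# seen through the eyes of the backend that parses the result, beside the fix.
import re
import xml.etree.ElementTree as ET

# Constructed attacker input for the "username" field: it closes <name>, adds a
# <role> element, and reopens <name> so the document stays well-formed.
PAYLOAD = "alice</name><role>admin</role><name>"


def build_vulnerable(username, email):
    """Vulnerable: untrusted strings are pasted straight into the markup."""
    return (
        "<user>"
        f"<name>{username}</name>"
        f"<email>{email}</email>"
        "<role>user</role>"
        "</user>"
    )


def build_safe(username, email):
    """Fixed: build the document with an XML API. Input is stored as character
    data and serialised with <, > and & escaped, so it can never become markup."""
    root = ET.Element("user")
    ET.SubElement(root, "name").text = username
    ET.SubElement(root, "email").text = email
    ET.SubElement(root, "role").text = "user"
    return ET.tostring(root, encoding="unicode")


def roles_in(doc):
    """Every <role> text in document order, as a DOM-walking consumer sees it."""
    return [r.text for r in ET.fromstring(doc).iter("role")]


def first_role(doc):
    """Simulates a (hypothetical) backend that trusts the first <role> it finds."""
    return ET.fromstring(doc).findtext("role")


def name_in(doc):
    """Text of the first <name> element, to check that input round-trips intact."""
    return ET.fromstring(doc).findtext("name")


# Defence in depth: an allowlist at the input boundary rejects markup characters
# outright, independent of how the document is built later.
USERNAME_RE = re.compile(r"[A-Za-z0-9._-]{1,32}")


def valid_username(s):
    return USERNAME_RE.fullmatch(s) is not None


if __name__ == "__main__":
    bad = build_vulnerable(PAYLOAD, "alice@example.com")
    good = build_safe(PAYLOAD, "alice@example.com")
    print("vulnerable roles:", roles_in(bad), "-> backend uses", first_role(bad))
    print("safe roles:      ", roles_in(good), "-> backend uses", first_role(good))
    print("safe name round-trips:", name_in(good) == PAYLOAD)
    print("allowlist rejects payload:", not valid_username(PAYLOAD))
```

For code review, the pattern to hunt for is any f-string, `+` or `%` concatenation that produces something starting with `<`; the same separation of data from structure applies whether the consumer is a DOM walk, an XPath query or a SAX handler.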

Join these panelists, bring your questions, and get different perspectives as they talk about the future of information security and the Internet of Things (IoT).

Musical equipment has begun to connect to the internet, set up ad-hoc mesh networks, and be updated over the air. We have seen similar capabilities in other IoT devices, with little to no security associated with them, which is also the case here. What is different is that we have the opportunity to hack devices in unusual ways, one of which is the use of sound to overwrite the signal processing software on some guitar pedals. In this talk we will show how the software on a guitar pedal can be overwritten using only sound, and how to reverse engineer this update process to create and upload arbitrary software of our own design onto the guitar pedal.

Does your organization rely heavily on vendor products/applications to streamline your processes? Do you wonder what threats your data is exposed to while handled by these applications? Are you a product company trying to assure your clients of the security of your application without divulging too much information? Have you faced situations where your client demands to run their own security assessment? This talk aims to help the audience understand:
 * What data you should be looking for in the assessment report
 * How to send or share information with people outside the organization
 * What you should be worried about in the assessment report and plans for remediation
 * Current practices among vendors

Android is the operating system with the largest user base, so the threat landscape for its applications cannot be ignored. While Android is used in a wide variety of devices, from smart watches to TVs, a large chunk of its user base is concentrated on mobile phones. Popular services that were offered over the web are also constantly adapting themselves to the mobile environment. This raises a few important questions for Information Security enthusiasts:

 * How similar or different are the threats to Android applications compared with those to web applications?
 * How can we perform penetration tests on an Android application?

The presentation covers the basic threat model for Android applications and provides a quick guide to penetration testing them, detailing how to intercept Android traffic and decompile the application package.

Bill's presentation will discuss the state of software product security: where we've been, why we're still struggling after over 30 years of trying, and what we must do, strategically, to improve.

EMC handles vulnerability management for over 70 products. As the volume of intake increases year by year, the EMC Product Security Response Center had to take a systematic, proactive approach to guide the product units at all levels to work seamlessly in managing and responding to these vulnerabilities. We will share the chaos that we faced and discuss how order was restored to our command center.