Phoenix

OWASP Phoenix --
We restarted chapter activity in 2015 and are excited about the continued community participation in 2016. Join the mailing list for meeting announcements. Please also join the Meetup.com group and be sure to RSVP to chapter meetings. Your RSVPs allow us to ensure we reserve the proper-sized meeting space. http://www.meetup.com/owasp-phoenix

Local News
''Announcement: CactusCon 2016 will be a 2 day conference in Phoenix on May 6,7. Registration and CFP information can be found here:'http://www.cactuscon.com'''

OWASP Phoenix 2016 Meetings

Meetings are announced depending on speaker's availability and are held 6:30 PM - 8:00 PM. Check this page or join the meetup group at http://www.meetup.com/OWASP-Phoenix for updates.

Afterward, we'll head to a local watering hole for socializing and fun.

Every now and then we may change the venue or time in order to get participation from various parts of the community.

2016 Meetings Calendar
This calendar will be updated as meetings are announced.

Jan 28 (6:30PM-8:00PM): Seth Law

Location: Early Warning 16552 N 90th St Ste 100 Scottsdale, AZ 85260 https://goo.gl/maps/R8X2RdD2zr22

Title: DevOps and Security - A match made (and broken) in the cloud Abstract: DevOps is the new Agile, allowing organizations to move faster and deploy code quicker. Yet in the quest for continuous delivery, security can fall by the wayside, opening an organization up to data exposure and malicious exploitation. This talk will cover current security research into the technology behind DevOps, examples of failures, and how to prevent the same from happening in your organization. Technologies discussed will include AWS, Git, Hudson/Jenkins, and more. In the end, the presentation should help attendees understand the risks involved in running a DevOps environment.

Bio: Seth Law is the Director of Research & Development at nVisium and wrangles the research efforts into all areas of application security. An experienced Application Security Professional with years of security experience, Seth has worked in multiple disciplines, from software development to network protection, as a manager, contributor, and speaker. Seth explores the world of application security via @sethlaw.

Feb 17 (6:30PM-8:00PM): Jim Manico

Location: Early Warning 16552 N 90th St Ste 100 Scottsdale, AZ 85260 https://goo.gl/maps/R8X2RdD2zr22

The Beatles once sang, "I've got to admit it's getting better, a little better all the time, because it can't get more worse" and that applies directly to the field application security. The successes in building security into common application development frameworks is remarkable and has, in some ways, made secure coding less of an effort to the developer. While much needs to be done in this area, there are many very positive examples of security characteristics built correctly into frameworks. This talk with bring the positive vibe to OWASP Phoenix and highlight that things really are getting better in AppSec - all time - if you look in the right places."

Jim Manico is the founder of Manicode Security where he trains software developers on secure coding and security engineering. He is also the founder of Brakeman Security, Inc. and is a investor/advisor for Signal Sciences. Jim is a frequent speaker on secure software practices and is a member of the JavaOne rockstar speaker community. Jim is also a Global Board Member for the OWASP foundation where he helps drive the strategic vision for the organization. He is the author of "Iron-Clad Java: Building Secure Web Applications" from McGraw-Hill. For more information, see

http://www.linkedin.com/in/jmanico

April 12: Mike McCambridge will be speaking at a joint ISSA/OWASP meeting. See the ISSA page to register. Attendance to the OWASP portion of the meeting is free: http://phoenix.issa.org/event-details/

Mike McCambridge: Tunneling To Freedom

How often have you heard phrases like 'walled-off,' 'no access,' or 'air gap?' In this talk I will explore a few unexpected and unintended ways computers can communicate with one another. Learn how to discover potential tunnels or covert channels in your environment, evaluate risk, and develop defensive strategies.

Speaker Bio:

Michael McCambridge is a Penetration Tester at Early Warning. He entered the security field after graduate studies in Computer Science at the University of Arizona. A mechanical engineer in a former life, Mike finds pentesting to be wildly more fun – almost as fun as Minecraft.

June 29 (6:30PM-8:00PM): Adam Doupe - Everything You've Ever Wanted to Know About Black-Box Web Vulnerability Scanners (But Were Afraid to Ask)

Location: '''ASU Campus - BYAC 110 30 E. 7th St., Tempe, AZ

Please join us for our June meeting at ASU. Pizza will be provided. Make sure to account for time to find a parking spot http://www.asu.edu/map/interactive/?campus=tempe&building=BYAC

Black-Box web vulnerability scanners, such as Acunetix, AppScan, and WebInspect, attempt to automatically find vulnerabilities in web applications. These tools promise to bring pentesting skills to the average developer, and they are frequently used as part of the pen testing process.

However, despite their frequent usage, significant questions remain. How do these tools work? Are they effective at finding vulnerabilities? What research is being done to improve these tools? Can they handle modern client-side JavaScript web applications? In this talk, we'll cover all these questions and more!

Bio:

Adam Doupé is an Assistant Professor in the School of Computing, Informatics, and Decision Systems Engineering at Arizona State University. He was awarded the Fulton Schools of Engineering Best Teacher Award Top 5% for 2015 from Arizona State University. His main research focus is in the area of automated vulnerability analysis of web applications using static analysis and dynamic analysis. Prior to joining ASU in 2014, Adam completed his PhD at UC Santa Barbara, where he competed at DEFCON CTF for four years with team Shellfish.

July 07: Dan “AltF4” Petro

Location: Early Warning

Title: Reversing Video Games to Create an Unbeatable AI Player - Game over, man! Abstract: “Super Smash Bros: Melee.” - Furrowed brows, pain in your thumbs, trash talk your Mom would blush to hear. That sweet rush of power you once knew as you beat all the kids on your block will be but a distant memory as SmashBot challenges you to a duel for your pride — live on stage. SmashBot is the Artificial Intelligence I created that plays the cult classic video game Smash Bros optimally. It can't be bargained with. It can't be reasoned with. It doesn't feel pity, remorse, or fear. This Raspberry Pi monster won’t stop until all your lives are gone. What started as a fun coding project in response to a simple dare grew into an obsession that encompassed the wombo-combo of hacking disciplines including binary reverse engineering, AI research, and programming. When not used to create a killer doomsday machine, these same skills translate to hacking Internet of Things (IoT) devices, developing shellcode, and more. Forget about Internet ending zero-day releases and new exploit kits. Come on down and get wrecked at a beloved old video game. Line up and take your turn trying to beat the AI yourself, live on the projectors for everyone to see. When you lose though, don’t run home and go crying to yo Momma.

Bio: Dan is a Security Associate at Bishop Fox (formerly Stach & Liu), a security consulting firm providing IT security services to the Fortune 500, global financial institutions, and high-tech startups. In this role, he focuses on application penetration testing and secure development. Dan has presented at numerous conferences, including DEFCON, BlackHat, HOPE, and BSides, and is the founding member of the Pi Backwards CTF team. Prior to joining Bishop Fox, Dan served as Lead Software Engineer for a security contracting firm. Dan holds a Bachelor of Science from Arizona State University with a major in Computer Science, as well as a Master’s Degree in Computer Science from Arizona State University.

Wed, Oct 05 (6:30PM-8:00PM): Raymond Tu

Location: Early Warning 16552 N 90th St Ste 100 Scottsdale, AZ 85260 https://goo.gl/maps/R8X2RdD2zr22

Title: '''Everyone hates Robocalls: Why is it so hard to stop? Speaker: Raymond Tu''' Abstract: Today, the telephone network is rife with telephone spam, namely voice, voicemail, and SMS spam. Spam calls are significant annoyances for telephone users, unlike email spam, which can be ignored, spam calls demand immediate attention. Telephone spam is not only a significant annoyance, it also result in significant financial loss in the economy. According to complaint data collected by the FTC, Americans lost more than $8.6 billion due to fraud annually, and the vast majority of them (and still increasing) are due to phone communication. Despite various efforts that reduce telephone spam, scam and robocalls, complaints on illegal calls have been making record numbers in recent years. This situation is surprising, given the significant gains made in reducing the amount of email spam. This raises the question: are there any simple and effective solutions that could stop telephone spam? In this talk, we will cover the existing countermeasures and analyze why these countermeasures have so far failed at reducing the growth of telephone spam, followed by a discussion on what he believes to be the future direction of solving the telephone spam problem.

Bio: Raymond Tu is a PhD Student in the School of Computing, Informatics, and Decision Systems Engineering at Arizona State University, where he is advised by Dr. Adam Doupé. He was awarded a graduate fellowship award from Arizona State University and has recently published a paper at the IEEE Symposium on Security and Privacy (Oakland). His main research focus is in spam and scams in the telephony networks, and the goal is to develop simple, effective and deployable solutions in combating telephone spam, similar to what has been achieved in defenses against email spam. To know more information or to connect with Raymond, please visit:

http://huahongtu.me

Wed, Nov 30 (6:30PM-8:00PM): Jack Mannino

Location: Early Warning 16552 N 90th St Ste 100 Scottsdale, AZ 85260 https://goo.gl/maps/R8X2RdD2zr22

Title: Microservices Security - Challenges and Solutions   Speaker: Jack Mannino Abstract: Microservices offer a lot of benefits for deploying large-scale applications, but implementing a secure architecture that scales over time can be challenging. Services are highly decoupled from each other as well as producers and consumers of data moving throughout the architecture. Data contracts between services are often blurry, and data sharing between microservices require careful consideration around access patterns and boundaries between related services. New services come, new services go. Some are deployed to containers, some to servers, and some are serverless. Your developers, data scientists, and infrastructure team are all empowered to move quickly and ship new services. Your job is to make sure all of the above happens in a secure and sane way. In this presentation, we will discuss the challenges with securing microservices and present solutions to make security a seamless and frictionless part of scaling your architecture. Using real-world examples of successes and failures while building a microservice architecture, we will discuss what translates well from monolithic design to microservices, and the bad habits you should leave behind. We will demonstrate how to build authentication into a microservice architecture and how to implement a granular authorization scheme that will work effectively as you introduce new services. At the end of this presentation, you’ll understand what separates microservices from traditional monolithic applications and understand the problem space from a secure architectural perspective.

Bio: Jack is the CEO at nVisium and focuses on building solutions to make security and education scale in fast-paced software development organizations. He has worked with large software development teams to guide secure software from conceptualization to production. In his spare time, he enjoys digging into new frameworks and writes most of his (good) code in Scala. He has spoken at most of the other major conferences people generally list in their bios, too.

Reach out to Joaquin.Fuentes@owasp.org if you would like to speak!

Resources
Archived pages on Phoenix/Tools and Phoenix/ToolsProfile

This chapter is dedicated to bringing together local businesses, students, and web and security enthusiasts in order to discuss current events, trends, tools, and offensive/defensive techniques related to web application security. We currently hold meetings every other month, typically with one or two speakers at each meeting.

What talks would you like to see?
Please Update

Previous Meetings
Thursday, Nov 05 Title: Reverse Engineering Malware for Newbies Presenter(s): Joe Giron In this talk we're going to cover basic malware analysis, unpacking 101, dynamic analysis, memory analysis, where to get malware, basic x86/64 ASM, tools of the trade, setting up an environment, intro to the debugger, basic debugger usage, and reporting.

About the presenter: Joe Giron is a 29 year old security enthusiast and Phoenix native. When not hacking the planet, he can be found at home writing video game cheats or working on his truck. He also enjoys candle lit dinners and long walks on the beach.

Wednesday, Oct 14 Title: Hacking Corporate Em@il Systems Presenter(s): Nate Power In this talk we will discuss current email system attack vectors and how these systems can be abused and leveraged to break into corporate networks. A penetration testing methodology will be discussed and technical demonstrations of attacks will be shown. Phases of this methodology include information gathering, network mapping, vulnerability identification, penetration, privilege escalation, and maintaining access. Methods for organizations to better protect systems will also be discussed.

Nate Power is a Senior Security Penetration Tester working for Rapid7 Global Services. Nate is an expert at Web Application testing and seeking out vulnerabilities in common frameworks.



Tuesday, July 07 Title: Hacking Smart Safes: On the "Brink" of a Robbery Presenter(s): Dan “AltF4” Petro, Oscar Salazar Have you ever wanted to crack open a safe full of cash with nothing but a USB stick? Now you can! The Brink’s CompuSafe cash management product line provides a “smart safe as a service” solution to major retailers and fast food franchises. They offer end-to-end management of your cash, transporting it safely from your storefront safe to your bank via armored car. During this talk, we’ll uncover a major flaw in the Brink’s CompuSafe and demonstrate how to crack one open in seconds flat. All you need is a USB stick and a large bag to hold all of the cash. We’ll discuss how to remotely takeover the safe with full administrator privileges, and show how to enumerate a target list of other major Brink’s CompuSafe customers (exposed via configuration files stored right on the safe). At any given time, up to $240,000 can be sitting in each of the 14,000 Brink’s CompuSafe smart safes currently deployed across the United States - potentially billions of dollars just waiting to be stolen. We will also release a USB Rubber Ducky script to automate the whole attack, acting as a skeleton key that can open any Brink’s safe. Plug and plunder! So come ready to engage us as we explore these tools and more in this DEMO rich presentation. And don’t forget to call Kenny Loggins… because this presentation is your highway to the Danger Zone… Dan Petro is a Security Associate at Bishop Fox (formerly Stach & Liu), a security consulting firm providing IT security services to the Fortune 500, global financial institutions, and high-tech startups. In this role, he focuses on application penetration testing and secure development. Dan has presented at numerous conferences, including DEFCON, BlackHat, HOPE, and BSides, and is the founding member of the Pi Backwards CTF team. Prior to joining Bishop Fox, Dan served as Lead Software Engineer for a security contracting firm. Dan holds a Bachelor of Science from Arizona State University with a major in Computer Science, as well as a Master’s Degree in Computer Science from Arizona State University. Oscar Salazar is a Senior Security Associate at Bishop Fox (formerly Stach & Liu), a security consulting firm providing IT security services to the Fortune 500, global financial institutions, and high-tech startups. In this role, he focuses on application penetration testing, source code review, and secure software design. Oscar has presented at RSA, Bsides, and Adobe’s annual private Security Summit conference. Prior to joining Bishop Fox, Oscar served as a web security research engineer at Hewlett-Packard’s Application Security Center where he designed and developed security checks for the WebInspect web application security scanner. In addition, his research involved developing more effective methods of scanning Web 2.0 applications. Oscar holds a Bachelor of Science from the Georgia Institute of Technology with a major in Computer Science and a focus on Networking and Security.

June 09, 2015 Title: If you like it then you shouldn’t put a ring3 on it Presenter: Andrew Wilson Web applications are a primary means to breaching a company’s external network. It is a high-value goal for both malicious actors and security professionals to gain this valuable foothold. But how do you get from mere web application vulnerabilities to the compromise of a server? Common testing guidelines provide you a check list of items to test for, but very few show you how to utilize vulnerabilities to achieve testing goals.

Everyone knows that vulnerabilities have different levels of risk; But, what few talk about is the utility provided by vulnerabilities and how they can be used to achieve goals. Although some vulnerabilities are useful to note and impactful to a client, during a time gaped and scoped engagement they may not be able to be fully utilized. However, there are a handful of key direct vulnerabilities that can be leveraged to result in a compromise. These vulnerabilities, along with how to find them and how to leverage them for our needs, will be reviewed during this talk. Additionally, common attack strategies will be reviewed that can help a focus time and energies to maximize efforts in web server compromises. Bio: Andrew Wilson Andrew Wilson is a Senior Security Associate at Bishop Fox (formerly Stach & Liu), a security consulting firm. In this role, he focuses on application penetration testing, source code review, and secure application development. Andrew has presented at DEF CON, BSides, and AppSec. In addition to that, Andrew is the founder and lead organizer of CactusCon. He has been a guest on the PaulDotCom podcast, and his personal research and writing has been cited numerous times by OWASP. Andrew is recognized by Microsoft as an expert in application security, having been selected as one of only sixteen Developer Security MVPs in the world. May 05, 2015 Title: iOS App Attack and Defense (OWASP Mobile Top 10 Edition) Presenter: Seth Law Mobile apps are a fixture in today's digital world. Recent years have seen a explosion of apps in all areas of our lives, including health care, banking, social networking, and gaming. Learn about the OWASP Mobile Top 10 Risks and how to find, attack, and fix these flaws in today's app. Explore common mobile app vulnerabilities hands-on (or just follow along) through popular iOS App Store apps, as well as the new open-source, intentionally vulnerable Swift iOS application, Swift.nV (https://github.com/nVisium/Swift.nV). Bio: Seth Law is the Director of Research & Development at nVisium and wrangles the research efforts into all areas of application security. An experienced Application Security Professional with years of security experience, Seth has worked in multiple disciplines, from software development to network protection, as a manager, contributor, and speaker. Seth explores the world of application security via @sethlaw.

Nick Hitchcock 

This talk will take you from start to finish in a targeted social engineering attack. Using customized SE skills coupled with easy to use software tools, you will understand how real world attackers are infiltrating large organizations. Instead of bringing out “theoretical” scenarios, real world penetration testing examples will be discussed and demonstrated.

BIO at http://www.linkedin.com/in/nickhitchcock

Title: Steve Springett - - 'Introduction to OWASP Dependency-Check' 

Does your application have dependencies on 3rd party libraries? Do you know if those same libraries have published CVEs? Dependency-Check, an OWASP project, can help by providing identification and monitoring of application dependencies. The core engine can scan the libraries and will create an inventory of all the dependent libraries and whether or not there are any published CVEs. This talk will be provide an introduction to Dependency-Check. Bio: Steve Springett is an application security engineer at Axway. As part of the Product Security Group, he provides direction, best practices, education and tools to software development teams around the world. Steve has a software engineering background and is a contributor to OWASP Dependency-Check.

Title: Top Ten Web Defenses We cannot “firewall” or “patch” our way to secure websites. In the past, security professionals thought firewalls, Secure Sockets Layer (SSL), patching, and privacy policies were enough. Today, however, these methods are outdated and ineffective, as attacks on prominent, well-protected websites are occurring every day. Most every organization in the world have something in common – they have had websites compromised in some way. No company or industry is immune. Programmers need to learn to build websites differently. This talk will review the top coding techniques developers need to master in order to build a low-risk, high-security web application.

BIO: Jim Manico is the VP of Security Architecture for WhiteHat Security, a web security firm. He authors and delivers developer security awareness training for WhiteHat Security and has a background building software as a developer and architect for over 20 years. Jim is also a global board member for the OWASP foundation where he helps drive the strategic vision for the organization. He manages and participates in several OWASP projects, including the OWASP cheat sheet series and several additional secure coding projects.

June 4, 2013 About OWASP AppSensor - The future of Application Security, Dennis Groves OWASP Projects, Samantha Groves, Global OWASP project manager.

Dennis Groves is the co-founder of OWASP. He is a well known thought leader in application security who's work focuses on multidisciplinary approaches to information security risk management. He holds an MSc in Information Security from Royal Holloway, University of London. He is currently an expert for the UK mirror of ISO subcommittee 27, WG4.

Samantha Groves who is the Global OWASP project manager to speak briefly about the OWASP projects.

MS SQL Injection - Start to Finish

Scott White 

This presentation will be a live hacking session demonstrating reconnaissance, identification, and exploitation of SQL injection with Microsoft SQL Server as the back end database. SQL injection will be performed from start to finish, showing various techniques for obtaining data, and even fully compromising servers. Both basic and advanced exploitation techniques will be explored.

Scott White is a Principal Security Consultant for Cleveland-based TrustedSec. He has presented to organizations such as OWASP, ISSA, ISACA, FBI's Infragard, and others. He has also spoken at Defcon, and has been called upon by organizations such as the FBI and Secret Service as a subject matter expert. He is the technical reviewer for the popular book, "Metasploit: The Penetration Tester's Guide". He holds a bachelors degree in Computer Science and a master's degree in Network Security. He has held various past positions in support, system administration, web development, penetration testing, and application security for both public and private sectors with clients in both government and commercial spaces. His experience includes performing web application security assessments, internal, external, and physical penetration tests, source code reviews, social engineering, and web application security training. With over 10 years of programming experience coupled with offensive security testing, he has a thorough web application security understanding from both developer and attacker perspectives.

Dan Cornell, Using ThreadFix To Manage Application Vulnerabilities

Dan Cornell 

ThreadFix is an open source software vulnerability aggregation and management system that reduces the time it takes to fix software vulnerabilities. It imports the results from dynamic, static and manual testing to provide a centralized view of software security defects across development teams and applications. The system allows organizations to correlate testing results and streamline software remediation efforts by simplifying feeds to software issue trackers. This presentation will walk through the major functionality in ThreadFix and describe several common use cases such as merging the results of multiple open source and commercial scanning tools and services. It will also demonstrate how ThreadFix can be used to track the results of scanning over time and gauge the effectiveness of different scanning techniques and technologies. Finally it will provide examples of how tracking assurance activities across an organization’s application portfolio can help the organization optimize remediation activities to best address risks associated with vulnerable software.

Dan Cornell has over twelve years of experience architecting and developing web-based software systems. He leads Denim Group's security research team in investigating the application of secure coding and development techniques to improve web-based software development methodologies.

Dan was the founding coordinator and chairman for the Java Users Group of San Antonio (JUGSA) and currently serves as the OWASP San Antonio chapter leader, member of the OWASP Global Membership Committee and co-lead of the OWASP Open Review Project. Dan has spoken at such international conferences as ROOTs in Norway and OWASP EU Summit in Portugal.

Standard Android and iOS Tools for 2013

Andre Gironda 

Andre Gironda will be presenting on "Standard Android and iOS Tools for 2013" This is a follow-up to his 2012 talk.

Content Discovery and Link Extraction for Application Security Testing

Andre Gironda 

Andre Gironda, HP, will be presenting on "Content Discovery and Link Extraction for Application Security Testing". The talk will be focused on how to discover content the right way and make decisions before actual testing begins, as well as how to adjust needs during a on-going test. Most of the discussion will be tool agnostic, but it will help attendees if they have some prior experience with tools such as OWASP DirBuster or a commercial-grade crawler such as Netsparker Community Edition.

Andre Gironda is a mobile application security risk consultant for HP Fortify who lives in Tempe, AZ

Not the end of XSS

Michael Brooks 

XSS is by no means a solved problem. There is no silver bullet, function call or technology that makes you absolutely immune. This talk is focusing on bypassing Anti-XSS filters found in browsers as well as bypassing Content Security Policy (CSP) restrictions. This talk covers how these technologies are used to protect a web application and how they can be abused by an attacker.

Michael Brooks

Michael Brooks was in the top 1% of earners in the Google bug bounty program. He has written exploits for software you have probably used, patches have been written and we are all safer for it. A perfectly secure system can never be accomplished, test everything, trust nothing.

"Cool" Vulnerabilities

Lonnie Benavides 

Web application management software is often overlooked and can contain critical vulnerabilities. This talk will focus on four different publically known vulnerabilities within Adobe Cold Fusion. Exploitation of these issues results in a complete compromise of the underlying web server. Live demonstrations will be provided.

Lonnie Benavides is a penetration tester and the lead of the Boeing Red Team. Lonnie has been pen testing since 2003 when he joined an Air Force Red Team based out of McChord Air Force Base in Washington State. He has taken over military bases, aircraft, and banks. Lonnie and his family relocated from Seattle to Phoenix in February.

Sweet Pickles

Chase Schultz 

Sweet Pickles is inspired by a talk presented at Blackhat by Marco Salverio about practical pickle exploitation. Sweet pickles aims to address some of the concerns presented by Marco in his Sour Pickles talk. Using strong cryptography methods Sweet Pickles attempts to address the problem of confidentiality and authenticity of a python pickle while in transit. Sweet pickles utilizes Advaced Encryption Standard(AES) and Elliptic Curve Cryptography(ECC) to help secure Python's Serialized Objects(Pickles). Sweet pickles was first presented at the International Cyber Defense Workshop hosted by the Department of Defense by Chase. This presentation will be an elaboration on the research Chase has done on python pickles and his work to secure them.

Bio: Chase Schultz is currently a student at the University of Advancing Technology. He is majoring in Network Security and hopes to finish his degree in December of 2021(End of the world and all that aside…) Chase enjoy's application security and hunting bugs in software. He's spent time working for Stach & Liu as a web application penetration tester and also leads the [Buffer]Overflow Club at UAT. He developed Sweet pickles as a project in his free time to address the problems presented at Blackhat 2011 in the Sour Pickles talk. He is fluent in Python, C/C++, Assembly and random shit. Beyond playing with Python, Chase enjoys reverse engineering, and general software exploitation. Also enjoyed are Andre's random cocktails and IPA's.

Standard Android and iOS Tools for 2012

Andre Gironda

Abstract: This will be a talk that discusses the baseline toolchains around Android and iOS applications, whether trying to gain insight into in-app activities, OS activities, IPC, as well as standard networking protocols for both static and runtime.

Bio: Andre Gironda is a mobile application security risk consultant for HP Fortify who lives in Tempe, AZ

Application Security: More Than Just Secure Coding Practices

Scott White

Abstract: From a penetration tester's perspective, this presentation will examine a holistic approach to managing application security since attack vectors are not adequately mitigated using secure coding practices and traditional code reviews.

Bio: Scott is a Senior Information Security Engineer at Diebold, Inc., holding a bachelors degree in computer science, a master's degree in network security, and is well-respected in the information security industry. He manages the global application security process ensuring that new and existing applications conform to industry and secure coding best practices. Additionally, he heads up offensive security efforts within Diebold, continually testing its systems and associates through penetration tests, product reviews, and social engineering exercises. He has held various past positions in support, system administration, web development, penetration testing, and application security for both public and private organizations servicing clients in the government and commercial spaces. His experience includes performing web application security assessments, internal, external, and physical penetration tests, source code reviews, social engineering, and developer training. With over 5 years working directly with information security and over 10 years programming experience, he has a thorough web application security understanding from both developer and attacker viewpoints. He has spoken at Defcon, the world’s largest hacker’s convention, and has also been called on by organizations such as the FBI and Secret Service as a subject matter expert. He is the technical editor for the popular book, "Metasploit The Penetration Tester's Guide".

wxFramework (Web Exploitation Framework)

Ken Johnson

The project’s goal is to assist penetration testers in exploiting web application and web service weaknesses. Because exploitation of applications is rarely point and click and usually requires multiple steps, network exploitation frameworks often fall short of the goal. The framework is intended to assist attackers along their exploitation journey. During this talk we will preview the new graphical interface for the first time and demonstrate how it changes or enhances the reasons you may wish to try wXf.

Bio:

Ken Johnson is a Senior Application Security Consultant performing source code analysis and web application penetration testing. Ken is the primary developer of the Web Exploitation Framework (wXf) and contributes to various open source application security projects. He has spoken at AppSec DC, OWASP NoVA, Northern Virginia Hackers Association and is a contributor to the Attack Research team.

2011 Appsec Tools State-of-the-Art

Andre Gironda

Abstract: Every tool you should leverage during an app pen-test or secure code review will be discussed. The two best web proxies, Burp Pro (@portswigger) and Fiddler (@ericlaw) will be demonstrated along with the two best crawlers from @netsparker and WebInspect. The results from @sectooladdict will be discussed and the analysis demonstrated on @owaspbwa. Additional topics will be discussed, such as executive management reporting using dradisframework.org by way of imports from @w3af. There will also be topics for application developers, such as the new OWASP Data Exchange Format Project, as well as using CAT.NET, RIPS, LAPSE+, and Fortify to go from vulnerable sources to runtime analysis to full exploitation. Even esoteric tools from long-ago that have held their value will be discussed and potentially demonstrated

BIO: Andre works for the HP Application Security Center (ASC) doing application penetration-testing, secure code review, and reverse engineering. He has 9 years of direct experience with application security topics, has been using Burp Suite on pen-tests since early 2005, and runs his own tool benchmarks at home in Tempe, AZ.

Andrew Wilson &amp; Michael Brooks

Traps of Gold

Bio: Michael Brooks is on the Google Security Hall Of Fame. He works for the security company Sitewatch.

Bio: Andrew Wilson is a Security Consultant at Trustwave. He is a member of Trustwave's SpiderLabs - the advanced security team focused on penetration testing, incident response, and application security. He has over 9 years experience building and securing software for a variety of companies. Andrew specializes in application security assessment, penetration testing, threat modeling and secure development life cycle.

Obfuscating Search Queries with Hayst.ac

David Huerta

Hayst.ac, is a browser userscript to obfuscate search queries with machine-generated queries with the goal to be as close to indistinguishable from the human generated ones as possible. This is ultimately to discourage the use of search histories as a source of user profiling.

Bio: After arriving in Arizona from the posh, cosmopolitan enclave of southeastern Idaho, David founded the DeVry Linux User Group (DeLUG) in 2003, an originally student organization that drew members and activities from the greater West Valley Free software community, including students at GCC and ASU West. He also serves on the board of directors for HeatSync Labs, a hackerspace in Chandler.

OWASP O2 Platform Dinis Cruz

The O2 Platform is focused on automating application security knowledge and workflows. It is specifically designed for developers and security consultants to be able to perform quick, effective and thorough source code-driven application security reviews (blackbox + whitebox). In addition to the manual findings created/discovered by security consultants, the OWASP O2 Platform allows the easy consumption of results from multiple OWASP projects and commercial scanning tools. This allows security consultants to find, exploit and automate (via Unit Tests) security vulnerabilities usually dismissed by the community as impossible to find/recreate. More importantly, it provides security consultants a mechanism to: (a) "talk" with developers (via UnitTest), (b) give developers a way to replicate + "check if it's fixed" the vulnerabilities reported and (c) engage in a two-way conversion on the best way to fix/remediate those vulnerabilities. For more details see https://www.owasp.org/index.php/OWASP_O2_Platform, to download binary or source goto http://code.google.com/p/o2platform/downloads/list

Bio Dinis Cruz is a Security Consultant based in London (UK) and specialized in: ASP.NET/J2EE Application Security, Application Security audits and .NET Security Curriculum Development. For the past couple years Dinis has focused on the field of Static Source Code Analysis and Dynamic Website Assessments (aka penetration testing), and is the main developer of the OWASP O2 Platform which is an Open Source project that is focused on 'Automating Security Consultants Knowledge/Workflows' and 'Allowing non-security experts to access and consume Security Knowledge'. Dinis is currently focused on making the O2 Platform the industry standard for consuming, instrumenting and data-sharing between: the multiple WebAppSec tools, the Security consultants and the final users (from management to developers). (https://www.owasp.org/index.php/User:Dinis.cruz)

Improving your Fu - Andrew Wilson

Delivering high quality results is the goal and earmark of any serious security practitioner. Professional penetration testing requires a set of reliable skills that will enable him/her to deliver consistently. Tools simply aren't enough. This talk outlines 10 of the more important disciplines and practices you can do to build or grow that solid foundation.

Bio:

Exploitation Redux and Bug Bounties - Michael Brooks

Talk covered some of the recent vulnerabilities affecting Google and Mozilla, highlights such exploits as exploitation by email.

List of bounty winners and a lot of blog links: http://www.google.com/corporate/halloffame.html Interesting SMTP based XSS http://spareclockcycles.org/2010/12/14/gmail-google-chrome-xss-vulnerability/ XSS via event handlers: http://adblockplus.org/blog/finding-security-issues-in-a-website-or-how-to-get-paid-by-google Good examples of strange XSS: http://google-gruyere.appspot.com/ My Exploits (Including the Majordomo 2 Directory Traversal Vulnerability) http://www.exploit-db.com/author/?a=628

Bio: Michael Brooks is on the Google Security Hall Of Fame. He works for the security company Sitewatch.

SharePoint Hacking - Advanced SharePoint Security Tools and Tips     -Francis Brown

http://www.bishopfox.com/resources/tools/sharepoint-hacking-diggity/

Microsoft SharePoint products and technologies continue to grow in popularity and have become the core foundation upon which many organizations have built their web presence. Unfortunately, guidance concerning common SharePoint security issues tends to be overly complex and often misunderstood. Ultimately this results in insecurely configured and deployed SharePoint instances in production environments.

This demonstration rich presentation will cover our newly released SharePoint hacking tools and techniques that security professionals can easily use to identify and exploit common insecure configurations in SharePoint applications. Some of the areas we’ll attempt to tackle are: • Identifying vulnerable SharePoint applications using public search engines such as Google and Bing • Gaining unauthorized access to SharePoint administrative web interfaces • Exploiting holes in SharePoint site user permissions and inheritance • Illustrating the dangers of granting excessive access to normal user accounts • Pillaging Active Directory via insecure SharePoint services • Attacking 3rd party plugins/code within SharePoint • And much more…

Bio:

Appsec Design Reviews Reloaded - Andre Gironda The best place to start in the software lifecycle is during the design phase. Workflow tools exist for SDL processes, build servers, penetration-testing activities, and many other application security checkpoints. However, very few tools and techniques exist or are readily available when performing application security design reviews. The full process of application security should be agreed upon during the design phase by the security department and all relevant application development teams. The direction of the projects and the patterns used in the application architectures can also be augmented from an application security perspective. This presentation will provide discussion around how to solve many of these and other challenges in application security. The focus will be on web applications that use common technologies, such as managed code frameworks. Bio: Andre has contributed to many OWASP documents and has been working in the appsec space for almost 5 years. He is a local to the Phoenix area and has presented on application security topics recently at BSides, OWASP, and Toorcon events.

Professional Burping

Burp suite is by and large considered one of the de-facto tools for testing web applications for security flaws. This talk will cover many of the professional version only features and various advanced usages that can be done to really take advantage of all this tool has to offer. Topics will include a quick review of burp, effectively leveraging professional only tools, deep dive into intruder, and using 3rd party extensions. Andrew Wilson's Bio:

Debugger Basics: Software Cracking and Buffer Overflows Finding and exploiting a basic buffer overflow, start to finish including fuzzing to command shell. A small primer before "warez and keygens": bypassing a serial number based registration for software, the most basic form of software cracking.

Bio: Scott White is a Senior Penetration Tester for SecureState LLC, a pure play information securityassessment company based in Cleveland, Ohio. He is the web application security expert on the Profiling team. His day to day duties include web application security assessments, internal, external, and physical penetration tests, source code reviews, and developer training. Scott holds a bachelors of science in computer science and a master of science in network security. With over 5 years working with security and over 10 years programming experience, he has a thorough web application security understanding from both the developer and attacker viewpoints. He has spoken at Defcon, the world’s largest hacker’s convention held in Las Vegas each year, and has also been called on by organizations such as the FBI and Secret Service as a subject matter expert. Scott White Senior Penetration Tester www.securestate.com http://securestate.blogspot.com

Database Security and Encryption, Adrian Lane

Bio: Adrian is a Security Strategist and brings over 22 years of industry experience to the Securosis team, much of it at the executive level. Adrian specializes in database security, data security, and software development. With experience at Ingres, Oracle, and Unisys, he has extensive experience in the vendor community, but brings a pragmatic perspective to selecting and deploying technologies having worked on "the other side" as CIO in the finance vertical. Prior to joining Securosis, Adrian served as the CTO/VP at companies such as IPLocks, Touchpoint, CPMi and Transactor/Brodia. He has been invited to present at dozens of security conferences, contributed articles to many major publications, and is easily recognizable by his "network hair" and propensity to wear loud colors. Once you get past his windy rants on data security and incessant coffee consumption, he is quite entertaining. Adrian is a Computer Science graduate of the University of California at Berkeley with post-graduate work in operating systems at Stanford University.

masSEXploitation, Mike Brooks  This talk covers the use of chaining vulnerabilities in order to bypass layered security systems. This talk will also cover ways of obtaining wormable remote code execution on a modern LAMP platform. These attacks where developed by me, and they are very new. These attacks are as real as it gets, and the results are making the headlines.

Bio: I will be giving this talk at this years Defcon and it will 3rd year in a row that I spoken. According to the Department of Homeland Security I have found a vulnerability with a severity metric of 13.5 which makes it into the top 1,000 most dangerous of all time. I am the top answerer of security questions on StackOverflow.com (The Rook). I actively hunt for vulnerabilities on a verity of platforms. I write exploit code and make it public.

http://www.exploit-db.com/exploits/16103/ (Directory Traversal exploitable via email) http://www.exploit-db.com/exploits/15838/ (Exploit chain:captcha bypass-&gt;sqli(insert)-&gt;persistant xss on front page)

Involuntary Case Studies in Data Breaches, Rich Mogull, Securosis

It's absolutely bass ackwards, but while the bad guys constantly share details of their exploits, including techniques, when it comes to real incidents, actual defenders rarely talk about what worked, and what didn't. Our entire industry is built on anecdote and the few tidbits we can glean from press reports. Thus we, as an industry, don't link means and methods to actual security outcomes. Without this information we're like a bunch of blindfolded wannabe ninjas trying to catch rounds from a machine gun with our bare hands. In this session we'll name names as we build in-depth case studies based on publicly available information, some of which isn't overly public. We will combine these with the latest information from breach reports released by incident response companies and the Dataloss Database. The session will build a picture of how real breaches happen, which security controls really work, and which compliance checkboxes are a complete and total waste of time.

Application Security Tools  - Web Application Proxy Editors and Scanners - Andre Gironda  - Adam Muntner Risk Assessment Considerations for Web Applications (brief talk+discussion) - Erich Newell

 â and other web+network trust issues â Andre Gironda

In computing, the same origin policy is an important security measure for client-side scripting (mostly Javascript). It prevents a document or script loaded from one "origin" from getting or setting properties of a document from a different "origin". It was designed to protect browsers from executing code from external websites, which could be malicious.

XSS and CSRF vulnerabilities exploit trust shared between a user and a website by circumventing the same-domain policy. DNS Pinning didn't pan out exactly right, either. Can client-side scripting allow malicious code to get into your browser history and cache? Can it enumerate what plugins you have installed in your browser, or even programs you have installed to your computer? Can it access and modify files on your local hard drive or other connected filesystems? Can client-side scripts be used to access and control everything you access online? Can it be used to scan and attack your Intranet / local network? Does an attacker have to target you in order to pull off one of these attacks successfully? If I turn off Javascript or use NoScript, am I safe? What other trust relationships does the web application n-Tier model break?

Data@Risk â Protecting Web Applications Throughout the Development Lifecycle from Hackers - Brian Christian

Brian Christian, Co-founder and Application Security Engineer, S.P.I. Dynamics, Inc. discussed what Web application security is and why it is needed throughout the entire development lifecycle. We will discuss common vulnerabilities in the Web application layer and why they are so easily exploited. This session demonstrates how to defend against common attacks at the Web application layer with examples covering Web application hacking methods such as SQL Injection, Blind SQL Injection, Cross-Site Scripting (XSS), Parameter Manipulation, etc. We will also review how compliance and regulatory legislation such as PCI, GLBA, HIPAA, CASB 1386, and Sarbanes-Oxley, etc. specifically relates to and affects Web application security. Additionally, we will examine how security throughout the development lifecycle is essential to the security of Web application code and the protection of proprietary data.

Web Application 0-Day â Jon Rose

Learn about how to identify, exploit, and remediate some of the most common security vulnerabilities in web applications. Weâll be using real-world examples in a dynamic, fun, and open discussion using publicly available source code.

Discovering Web Application Vulnerabilities with Google CodeSearch

Building Application Security into the SDLC - Adam Muntner

Adam will share his experiences about how organizations can integrate application security into all phases of the Software Development Life Cycle, from the creation of functional specifications all the way through deployment, maintenance, and updates. He will explain how to "bake security in" rather than "ice it on."