AppSecResearch2012

From OWASP
Jump to: navigation, search


AppsecResearch2012Banner.jpg

[edit]

We are happy to announce that the OWASP Greek Chapter will be hosting the AppSec Research 2012 in Athens Greece

This conference is practically the OWASP AppSec Europe. Every two years we add “Research” in order to highlight that we invite both industry and academia to participate, share thoughts, knowledge and insight on application security.

OWASP AppSec Research is the European conference for anyone interested in application security

This year it will be hosted by the Department of Informatics and Telecommunications of the University of Athens, Greece and will take place between July 10-13th.

The first OWASP AppSec Research conference was held in Stockholm in 2010.


AppSec Research 2012 Conference Website



@appseceu Twitter Feed (follow us on Twitter!)


The conference is expected to draw over 400 international attendees; all with budgets dedicated to web application security initiatives. Financial Services, Media, Pharmaceuticals, Government, Healthcare, Technology, and many other verticals will be represented.


Sponsorship Information can be downloaded here also you can find it online here


Sponsors

Platinum



Imperva 250x34.jpg

Gold



AppSec Research 2010 sponsor F5 logo.jpg

Silver



TrustwaveSpiderLabs.png

AppSecDC2012-Cigital.jpg

Syntax small.png

Other Sponsors



Watson.png

Gotham Logo.gif

BCC LOGO.jpg

Census.png

Communications Partner



Effect.png

Supporters



Isaca .jpg AppSecDC2012-ISC2.png

Eellak.png Emipee.jpg

Etee.jpg Linuxinside-logo.png



As part of AppSec Research 2012, on Wednesday, July 11 at 1:30PM-5:00PM, the Global Chapter Committee is organizing a chapter leader workshop for all the chapter leaders that attend the conference. Please note that this Workshop will take place on the day before the Conference starts.


Agenda

We plan to start with a 1.5 hour session run by experienced leaders (panel) on how to run a successful chapter. The second part of the workshop will be a roundtable discussion on regional issues and challenges, with a goal of working together to create solutions.


Are there other topics you would like to discuss? Please add them below:

  • Best practices of Chapter organization
  • How long should a leader lead a chapter?
  • Means of chapter fundraising and participation

Funding to Attend Workshop

If you need financial assistance to attend the Chapter Leader Workshop at AppSec Research, please submit a request to Josh Sokol and Sarah Baso by May 15, 2012.


Funding for your attendance to the workshop should be worked out in the following order.

  1. Ask your employer to fund your trip to AppSec Research in Athens, Greece.
  2. Utilize your chapter funds.
  3. Ask the chapter committee for funding assistance.


While we wish we could fund every chapter leader, due to the limited amount of budget allocated for this event, we may not be able to fund 100% to all the requests. Priority of sponsorships will be given to those not covered by a sponsorship to attend a workshop in 2011. Additionally, we are looking for new or struggling chapter leaders who need assistance kick starting their chapter.

After May 15, the Global Chapters Committee will make funding decision in a fair and transparent manner. When you apply for funding, please let us know why we should sponsor you. While we prefer that chapter leaders use their own chapter's funds before requesting a sponsorship, this is not a requirement for application. If your chapter has fund but will not be using them to sponsor your attendance, please include why you will not be using the funds for this purpose (i.e. what are the other plans for those funds?).


Participants

If you plan to attend, please fill in your name and chapter below:

  • Sarah Baso (OWASP Operational Support)
  • Tobias Glemser (OWASP German Chapter Leader)
  • Abbas Naderi Afooshteh (OWASP Iran Chapter Leader)
  • Ofer Shezaf (Founder and board member, Israeli chapter)
  • Seba Deleersnyder (OWASP Belgium Chapter founder and leader)
  • ...

Remote Participation

Join the Webinar Remotely

2011 Chapter Leader Workshops


Questions?

Contact us:
Josh Sokol, Chapters Committee Chair
Sarah Baso, OWASP Operational Support - Conference Logistics & Community Relations


The Call For Papers Is Now Closed!!!

Download Call for Papers in PDF format

OWASP AppSec Research 2012 July 10-13th, Athens, Greece

Aims and Scope The objective of OWASP AppSec Research 2012 is to discuss and demonstrate the importance of security risks, threats, and countermeasures in software applications. The majority of recent high-profile security breaches are mainly attributed to application-level vulnerabilities. Additionally, recent surveys indicate that government applications demonstrate increased vulnerabilities and at the same time elevated risk, as they store and process critical information such as PII, health information, national security data and furthermore operate critical systems. Traditionally, the focus of the security community has been mainly placed on the network perimeter, ignoring, to a large extent, the increased risk of insecure software. In addition, the proliferation of the use of web-based applications and services from traditional desktop-based browsers to mobile devices, or even the “cloud” has only increased the potential surface of attack and overall complexity. As a result, the challenges in the field of application security have only increased for those that build, test or defend software applications. OWASP AppSec Research focuses on new threats and vulnerabilities but also novel methodologies for testing and defending applications.

List of Topics We welcome the submission of both presentation proposals and research papers from the full spectrum of application security.

  • Application security
  • Security aspects of new/emerging web technologies/paradigms (mashups, web 2.0, offline support, etc)
  • Security in web services, XML, REST, and service oriented architectures
  • Security in cloud-based services
  • Security of development frameworks (Struts, Spring, ASP.Net MVC etc)
  • New security features in platforms or languages
  • Next-generation browser security
  • Security for the mobile web
  • Secure application development (methods, processes etc) and secure coding practices
  • Business risks of Application Security
  • Starting and Managing Secure Development Lifecycle Programs.
  • Privacy Concerns regarding applications and Data Storage
  • Threat modeling of applications
  • Vulnerability analysis and application security testing (code review, pentest, static analysis etc)
  • Countermeasures for application vulnerabilities
  • Metrics for application security
  • Application security awareness and education
  • Securing e-government applications and services
  • Government Initiatives & Case Studies
  • OWASP Tools and Projects
  • Anything else relating to OWASP and Application Security.

Important Dates Submission of papers by: April 15th, 2012 Notification of acceptance: May 18th, 2012 Camera-ready version of papers: June 3rd, 2012 Conference Dates July 12-13, 2012

Submissions

All papers and presentation/demo proposals should be submitted through:

http://www.easychair.org/conferences/?conf=appseceu2012

We accept the following types of submissions:

Presentation/Demo Proposals A presentation proposal should consist of a 2 page extended abstract representing the essential matter proposed by the speaker(s). Presentation slides and video takes will be posted on the OWASP wiki after the conference. A demo proposal should consist of a 1 page abstract summarizing the matter proposed by the speaker(s) and 1 page containing demo screenshot(s). Demos will have ordinary speaker slots but the speakers are expected to run a demo during the talk (live coding counts as a demo), not just a slideshow. Presentation slides and video takes will be posted on the OWASP wiki after the conference. Research Papers Authors are invited to submit original research papers offering novel contribution, written in English, with a very precise and concise presentation of no more than 12 pages in Springer LNCS style for "Proceedings and Other Multiauthor Volumes". Templates for preparing papers in this style for LaTeX, Word, etc can be downloaded from: http://www.springer.com/computer/lncs?SGWID=0-164-7-72376-0. Full papers must be submitted in a form suitable for anonymous review: remove author names and affiliations from the title page, and avoid explicit self-referencing in the text. Submission implies the willingness of at least one of the authors to register and present the paper. All papers will be anonymously reviewed by at least two members of the program committee. Full papers, presentation slides and video takes will be posted on the OWASP wiki after the conference.

Extended versions of the best research papers on the topic of “Security for E-Government Applications and Services” will be selected for publication on the Special Issue on “Security and Privacy of E-Government Applications and Services” of the International Journal of E-Government.

OWASP AppSec Research 2012 Co-Chairs Konstantinos Papapanagiotou, OWASP, Greece (Konstantinos@owasp.org) Vasileios Vlachos, TEI of Larissa, Greece (vsvlachos@gmail.com)

OWASP AppSec Research 2012 Program Committee Yiorgos Adamopoulos, TEE, Greece Andreas Fuchsberger, Royal Holloway, UK Panagiotis Georgiadis, University of Athens, Greece Giles Hogben, ENISA, EU Christos Ilioudis, TEI of Thessaliniki, Greece Vassilis Katos, Democritus University of Thrace, Greece Emmanouel Kellinis, UK Angelos Keromytis, Columbia University, USA Athanasios Kostopoulos, independent researcher, Greece Harry Manifavas, TEI of Crete, Greece Dimitris Mitropoulos, Athens University of Economics and Business, Greece Alex Papanikolaou, TEI of Larissa, Greece Carlos Serrao, ISCTE, Portugal Stelios Tigkas, FortConsult, Denmark Costas Vassilakis, University of Peloponnese, Greece John Wilander, OWASP, Sweden

Training

The OWASP Appsec Research 2012 conference is offering world class application security training courses for a variety of skill levels and interests. This year the available training modules address hot topics like mobile security and at the same time cover every aspect of software security: building, breaking and defending.

Time schedule for training sessions will be:

9:30 – 11:00: First Session 11:00 – 11:30: Coffee Break 11:30 – 13:00: Second Session 13:00 – 14:00: Lunch Break 14:00 – 15:30: Third Session 15:30 – 16:00: Coffee Break 16:00 – 17:30: Fourth Session

Room allocation:

Elite Web Defense – How to build robust and secure web applications: B Assessing and Exploiting Web Applications with Samurai-WTF: C Hack Your Own Code: Advanced training for developers: E Mobile Security: Securing Your Small, Smart Devices: ST


Mobile Security: Securing Your Small, Smart Devices

Trainer: David Wichers (Aspect Security) Audience Background: Technical Audience Skill: Intermediate Duration: 2 days – July 10-11, 2012

Training Summary:

Smart phones and tablets are everywhere these days. These small, smart devices provide as much functionality as a desktop or laptop. Chances of misplacing or losing these mobile devices are high. The risks of breaching an organization’s and/or user’s data are probable. Securing the applications and connectivity is crucial.

Because we believe that the best way to learn is by doing, much of the course’s content will be delivered in a lab environment. This approach enables students to have hands-on experience with attack tools and flawed applications so that they can learn how to identify vulnerabilities using real-world scenarios.


Attendee takeaways and key learning objectives:

Understand how mobile devices and applications can be easily attacked. Identify common vulnerabilities. Be able to use state-of-the-art mobile application security testing tools. Secure mobile devices across the enterprise. Think like an attacker so that students can be pre-emptive. Trainer Bio:

Dave Wichers is the Chief Operating Officer (COO) of Aspect Security (www.aspectsecurity.com), a company that specializes in application security services. Mr. Wichers brings over seventeen years of experience in the information security field. Prior to Aspect, he ran the Application Security Services Group at a large data center company, Exodus Communications.

His current work involves helping customers, from small e-commerce sites to Fortune 500 corporations and the U.S. Government, secure their applications by providing application security design, architecture, and SDLC support services: including code review, application penetration testing, security policy development, security consulting services, and developer training.

Dave holds a BSE in Computer Systems Engineering from Arizona State University and a Masters degree in Computer Science from the University of California at Davis. Dave is a CISSP and a CISM, is currently the OWASP Conferences Chair (www.owasp.org), and is a coauthor of the OWASP Top Ten.

Training Outline

1) Mobile Application Threat Model Section Overview: An explanation of high-level threats, attack techniques and the impacts associated with mobile computing.

1) Introductions 2) What is a mobile device? 3) Architectures 4) Threat Model 5) Malware 6) App Store Reality Check

2) Mobile Application Architecture

Section Overview: Different styles of computing in the mobile space, the core technologies involved, and how applications are built.

1) Security technologies in the platform 2) Architecture Controls

3) Securing the Device

Section Overview: We demonstrate how to harden mobile devices against attack and the issues related to managing security across an enterprise. We show students how to secure employee-owned devices

1) Mobile Device Management Applications

4) Securing Communications Section Overview: What are all the different communications technologies used by mobile devices and what security threats do they pose?

1) Threat: Unsafe wireless access points, sniffing, tampering

2) Review mobile protocols and platforms 3) Selecting data transfer protocols

5) Mobile Authentication

Section Overview: We explain how the user proves their identity to the phone, how server-side applications can authenticate the user, and how the phone can authenticate the services used.

1) Threats: lost/stolen phone, remember me, sniffing 2) Communicating credentials safely 3) Storing credentials safely 4) Handling sessions safely

6) Mobile Registration

Section Overview: How to register a device to a person and explain the need for mobile channel authentication.

1) Threats: lost/stolen device, remember me, lost/stolen credentials 2) Secondary method of authenticating the device

7) Mobile Data Protection

Section Overview: All of the different places that sensitive data can be stored on phones, and how it can be protected.

1) Where and how is data stored on devices 2) Hashing and encryption 3) Storing keys 4) HTML5 local storage

8) Mobile Access Control

Section Overview: The code-access security models in use in mobile devices, jailbreaking, etc.

1) Threat: app attacks phone, user attacks server 2) Sandbox and Security Manager, using Permissions 3) One client to support multiple roles 4) Managing entitlements on the server 5) Jailbreaking/rooting

9) How to Protect Against Cross Site Scripting

Section Overview: The threat of XSS in mobile applications is real based on heavy usage of webkit.

1) Understand XSS 2) Learn how to execute XSS 3) Identify XSS flaws in code 4) XSS Real world examples

10) Protecting A User’s Privacy

Section Overview: How the phone can be used to undermine user privacy without their knowledge

1) Using location services (GPS, cell triangulation, compass, hardware device key) 2) Accessing contacts, photos, maps, and other personal data 3) Accessing calls, SMS, browser, cell usage history 4) Using camera, microphone safely

11) Enhancing Legal Agreements

Section Overview: Device functionality can circumvent application security

1) Bookshelf 2) Screen shots 3) Secure storage mechanisms

12) Secure Mobile Development Process

Section Overview: We explain how the app store process works for developers and how they can ensure that their application doesn’t have security holes.

1) Optimizing the acceptance process 2) Using In-App Purchase features safely 3) Using static analysis tools 4) Testing with multiple devices at multiple OS levels 5) Keeping up with jailbreak and root technologies

13) Responding to Vulnerabilities Section Overview: What to do if your application gets hacked.

1) Create security@yourdomain.com 2) Publish security information 3) Acknowledge incidents and vulnerabilities 4) Engage with researchers immediately

14) Hack It and Bring It! Section Overview: A hands-on challenge for students to demonstrate what they have learned.

15) Wrap Up, Close and Thank You



Requirements

Windows laptop capable of running VMWare player or a Mac laptop with xcode for iOS labs

If students want to run Android labs on Mac, they will need VMWare  fusion, but that is not required.


Building a Software Security Program On Open Source Tools

Trainer:Dan Cornell (Denim Group) Duration: 2 days

Using the Software Assurance Maturity Model (OpenSAMM) as a framework, this course walks through the major components of a comprehensive software security program and highlights open source and other freely-available tools that can be used to help implement the activities involved in such a program. The focus of the course is on providing hands-on demonstrations of the tools with an emphasis on integrating tool results into the overall software security program. Featured tools include: ESAPI, Microsoft Web Protection Library, FindBugs, FxCop, CAT.NET, Brakeman, Agnitio, Arachini, w3af, ZAProxy, ThreadFix as well as other educational resources from OWASP. Attendees should finish the course with a solid understanding of the various components of acomprehensive software security program as well as hands-on experience with a variety of freely-available tools that they can use to implement portions of these programs.

Outline:

· So You Want To Roll Out A Software Security Program?

· The Software Assurance Maturity Model (OpenSAMM)

· ThreadFix: Overview

· Governance: Strategy and Metrics


o ThreadFix: Reporting

· Governance: Policy and Compliance

· Governance: Education and Guidance

o OWASP Development Guide

o OWASP Cheat Sheets

o OWASP Secure Coding Practices

· Construction: Threat Assessment

· Construction: Security Requirements

· Construction: Secure Architecture

o ESAPI overview

o Microsoft Web Protection Library (Anti-XSS) overview

· Verification: Design Review

o Microsoft Threat Analysis and Modeling Tool

· Verification: Code Review

o FindBugs

o FxCop

o CAT.NET

o Brakeman

o Agnitio

· Verification: Security Testing

o Arachni

o w3af

o ZAProxy

· Deployment: Vulnerability Management

o ThreadFix: Defect Tracker Integration

· Deployment: Environment Hardening

o Microsoft Baseline Security Analyzer (MBSA)

· Deployment: Operational Enablement

o mod_security


Assessing and Exploiting Web Applications with Samurai-WTF

Trainer: Justin Searle (Meeas Security) Audience Background: Technical Skill Level: Basic/Intermediate Duration: 2 Days

Pdf version:here

Training Summary: Come take the official Samurai-WTF training course given by one of the founders and lead developers of the project! You will learn the latest Samurai-WTF open source tools and as well as the latest techniques to perform web application penetration tests. After a quick overview of pen testing methodology, the instructors will lead you through the penetration and exploitation of various web applications, including client side attacks using flaws within the application. Different sets of open source tools will be used on each web application, allowing you to learn first hand the pros and cons of each tool. After you have gained experience with the Samurai-WTF tools, you will be challenged with a capture the flag event. This final challenge will give you time to practice your new skills at your own pace and experiment with your favorite new tools. This experience will help you gain the confidence and knowledge necessary to perform web application assessments and expose you to the wealth of freely available, open source tools.

Attendee takeaways and key learning objectives:

1. Attendees will be able to explain the steps and methodology used in performing web application assessments and penetration tests. 2. Attendees will be able to use the open source tools on the Samurai-WTF CD to discover and identify vulnerabilities in web applications. 3. Attendees will be able to exploit several client-side and server-side vulnerabilities.

Trainer Bio: Justin Searle is a Senior Security Analyst with InGuardians, specializing in the penetration testing of web applications, networks, and embedded devices, especially those pertaining to the Smart Grid. Justin is an active member of ASAP-SG (Advanced Security Acceleration Project for the Smart Grid) and led the Smart Grid Security Architecture group in the creation of NIST Interagency Report 7628. Previously, Justin served as JetBlue Airway’s IT Security Architect, and has taught courses in hacking techniques, forensics, networking, and intrusion detection for multiple universities and corporations. Justin has presented at top security conferences including DEFCON, ToorCon, ShmooCon, and SANS. Justin co-leads prominent open source projects including the Samurai Web Testing Framework, Middler, Yokoso!, and Laudnum. Justin has an MBA in International Technology and is a CISSP and SANS GIAC certified Incident Handler (GCIH), Intrusion Analyst (GCIA), and Web Application Penetration Tester (GWAPT).

Outline

Samurai-WTF Project and Distribution

 About the Project

Using the Live-DVD Joining the Project Web Application Assessment Methodology Pentest Types and Methods Formal Four Step Methodology Overview of Web Applications Security Vulnerabilities Reconnaissance Tools

Overview of Web Application Recon Domain and IP Registration Databases (Labs: whois) Google Hacking (Labs: gooscan, gpscan) Social Networks (Labs: Reconnoiter) DNS Interrogation (Labs: host, dig, nslookup, fierce) Mapping Tools

Overview of Mapping Port Scanning and Fingerprinting (Labs: nmap, zenmap, Yokoso!) Web Service Scanning (Labs: Nikto) Spidering (Labs: wget, curl, Paros, WebScarab, BurpSuite) Discovering “Non-Discoverable” URLs (Labs: DirBuster) Discovery Tools

 Using Built-in Tools (Labs: Page Info, Error Console, DOM Inspector, View Source)

Poking and Prodding (Labs: Default User Agent, Cookie Editor, Tamper Data) Interception Proxies (Labs: Paros, WebScarab, BurpSuite) Semi-Automated Discovery (Labs: RatProxy) Automated Discovery (Labs: Grendel-Scan, w3af) Information Discovery (Labs: CeWL) Fuzzing (Labs: JBroFuzz, BurpIntruder) Finding XSS (Labs: TamperData, XSS-Me, BurpIntruder) Finding SQL Injection (Labs: SQL Inject-Me, SQL Injection, BurpIntruder) Decompiling Flash Objects (Labs: Flare) Exploitation Tools

 Username Harvesting (Labs: python)

Brute Forcing Passwords (Labs: python) Command Injection (Labs: w3af) Exploiting SQL Injection (Labs: SQLMap, SQLNinja, Laudanum) Exploiting XSS (Labs: Durzosploit) Browser Exploitation (Labs: BeEF, BrowserRider, Yokoso!) Advanced exploitation through tool integration (MSF + sqlninja/sqlmap/BeEF)


Hack Your Own Code: Advanced training for developers


Trainer:David Byrne, Charles Henderson (Trustwave) Audience Background: Technical, Programmers Skill Level: Intermediate, Advanced, Programmers Duration: 2 days – July 10-11, 2012

Training Summary: This class provides developers an exciting chance to hone their programming skills while also learning to exploit common web vulnerabilities. Unlike most training, this will not use static demos based on pre-canned source code. Students will program small parts of a larger application during the class’s lab periods. After the component has been written, students will review the code for the vulnerability being focused on in the lab. Vulnerable code will be run on a class-accessible server while the instructor guides students through exploiting the vulnerabilities. After the vulnerability has exploited, students will be shown how their own code can be fixed (if it was vulnerable) and the best way to prevent the flaw in the first place.

This full process will be performed for all major code vulnerabilities in the OWASP Top Ten. Exploitation and patching labs (but not programming) will be held for other vulnerabilities, including logic flaws that are hard to represent on the Top Ten. Several labs will feature prizes for the students that first find or exploit the targeted vulnerability. Environments and examples will be setup for all major platforms requested by pre-registered students. Students should bring a laptop with them, preferably with VMWare Player already installed. A virtual machine based on the OWASP Live Boot CD will be provided for lab work. The virtual machine will include development tools, but students should feel free to bring their favorite programs too.

Attendee takeaways and key learning objectives:

How to prevent common vulnerabilities with secure development practices. How vulnerabilities can be exploited in the real world. How vulnerabilities can be located and patched in existing code. Trainer Bio:

David Byrne has worked in information security for over a decade. Currently, he is a managing consultant in Trustwave’s Application Security group. Before Trustwave, David was the Security Architect at Dish Network, one of the world’s largest satellite television companies. In 2006, he started the Denver chapter of OWASP. In 2008, David released Grendel (grendel-scan.com), an open source web application security scanner. David has presented at a number of security events including OWASP AppSec USA, OWASP Research Europe, DEFCON, Black Hat, Toorcon, FROC, the SANS penetration testing summit, and the Computer Security Institute’s annual conference.

Charles Henderson is the Director of Application Security Services of SpiderLabs at Trustwave. Charles Henderson began his career in computer security in 1993, specializing in penetration testing as well as security and vulnerability research. As Director of Application Security Services at SpiderLabs, he leads the team responsible for Application Penetration Testing, Code Review, Secure Development Training, and other elite application security consulting services. Prior to joining SpiderLabs, Henderson ran his own boutique application security testing firm. Henderson’s firm provided offensive security services to a wide variety of clients in the United States and Europe. Henderson speaks frequently at major industry events and conferences, including BlackHat, DEF CON, AppSec US, AppSec EU, SOURCE, and the International Association of Financial Crime Investigators convention.


Outline:

Introductions

Agenda Secure Development Lifecycle (SDLC) A cradle to grave development life cycle is outlined. Threat modeling is introduced as a means of ensuring that software design can meet policy needs.

Lab: Threat Modeling
Different application scenarios will be described and the class will verbally work through modeling threats to them. The primary goal is to get developers to think like an attacker, allowing them to anticipate threats to their own applications.
Principles of Secure Code

Focusing on code quality concepts, the practices that help to quantify secure coding are explored. Practical goals and approaches are reviewed, so that a consistent understanding of “secure” can be encouraged and measured appropriately.

Authentication & Authorization

The different aspects of authentication and authorization are covered. Pitfalls and common attacks against identity management are explored. Mistakes covered include insecure direct object references, failure to restrict URL access, and various types of other authentication and authorization bypass.

Lab: Access Control

Students will learn to attack several web pages that contain a variety of access control vulnerabilities, including Insecure Direct Object Access and Failure to Restrict URL Access. After the vulnerabilities have been exploited, the source code will be reviewed by the students to pinpoint where the flaw was introduced. Strategies will be discussed for preventing this type of flaw.


Mini-Lab: Weak Session Identifiers A variety of weak and some strong session identifiers will be provided to students, along with tools for gauging their strength.


Session Management

Due to the stateless nature of the web, the security implications of session generation and management are discussed. This includes both client-side token tracking and server-side session handling.

Lab: SQL Injection Students will finish a simple web page that generates a report based on user-supplied input. Student code (and vulnerable code provided by the instructor) will be deployed on the class web server and tested for SQL Injection vulnerabilities. Students will be shown how SQL Injection can be exploited to extract data and execute arbitrary system commands.

After the attacks are complete, vulnerable source code will be reviewed as a group to spot where the vulnerability was introduced.

Lab: Cross-Site Scripting

Students will finish two simple web pages that store user-supplied input for comments on a blog. Student code (and vulnerable code provided by the instructor) will be deployed on the class web server and tested for Cross-Site Scripting vulnerabilities. Students will be shown how Cross-Site Scripting can be exploited to control a victim user’s browser and supply arbitrary content on the website.

After the attacks are complete, vulnerable source code will be reviewed as a group to spot where the vulnerability was introduced.

Input Validation

The heart of securing software is dealing with user-controlled data to ensure that it doesn’t violate the integrity of a computer system. Improper input validation can allow for vulnerabilities like Cross-Site Scripting and SQL Injection, which are covered extensively. Where relevant, buffer overflow attacks will be covered. Less common input validation vulnerabilities such as XML Injection, XML Entity Expansion, XPATH Injection, and LDAP Injection are also discussed. The advantages of white-listing over blacklisting are explained, and examples are provided of when more flexible validation schemes are required.

Lab: SQL Injection Patching

The source code from the SQL Injection lab will be revisited and the vulnerabilities will be patched and tested.

Lab: Cross-Site Scripting Patching The source code from the Cross-Site Scripting lab will be revisited and the vulnerabilities will be patched and tested.

 Proper Encryption

Initialization vectors, key generation and storage, cipher selection, and decryption oracles will all be discussed. Hashing and secure password storage will also be explained.

 Mini-Lab: Hash Breaking

A set of insecurely generated password hashes will be provided to the students along with tools used for password attacks. Students will be shown how easy and fast it is to obtain plaintext passwords from insecure storage.

 Logic Flaws

Application logic flaws can be devastating, but may take no special technical skills to exploit. Preventing them during the design and implementation phases will be discussed, as will techniques for finding logic flaws in existing applications.

 Lab: Logic Flaw Exploitation

Students will be given access to several webpages with logic flaws on the class server.

Other Attacks

This module explores additional vectors of attack such as Cross-Site Request Forgery, insecure redirects, HTTP response splitting, browser specific issues, and rich media security. Compound and other advanced attacks are also covered in this module.

Mini-Lab: XML Attacks Students will be given the opportunity to interact with several webpages that accept XML input. A number of XML attacks will be possible, including XML Injection, XML Bombs, and XML System Entity Expansion.


Security Hygiene

Handling exceptional circumstances poorly can leak information about a system useful to an attacker, and in some cases be a source of compromise themselves. This module outlines a variety of concerns and best practices in the logging and communication of errors.


Final Lab: Hacking Contest

All remaining time will be used for students to test their skills against an intentionally vulnerable web application. The student that discovers the most vulnerabilities will receive the grand prize!


Application Attack Detection & Response – A Hands-on Planning Workshop


Trainer: Colin Watson (Watson Hall Ltd)

Audience Background: Either of Management, Technical, Operations

Skill Level Required: intermediate and/or advanced

Duration: 1 Day – July 10, 2012

Training Summary: A hands-on day-long workshop where participants will learn how to define, select and specify application-specific intrusion detection and protection (IDP). The training course uses a problem-centered approach where participants are encouraged to use their own knowledge and experience to apply the techniques learned in example paper-based lab projects. Most of the day will be spent working in small teams creating strategies and implementation plans, which could subsequently be used in development. The course does not involve any coding and is language/ framework agnostic. It is based on the concepts in the OWASP AppSensor Project. Full printed handouts are provided together with materials for all the exercises, so participants can take these away and apply the ideas within their own organizations. Previous delegates said “Good course content. Good exercises to work as a team.”, “Content was excellent. Can take this back to the office and apply immediately.” and “This course was worth the money”. Participants are encouraged to watch the following video presentation about AppSensor in advance of the training course: Automated Application Defenses to Thwart Advanced Attackers


Attendee takeaways and key learning objectives:On completion of the course, participants should be able to:

assess the business and user impacts of application IDP define application IDP strategies based on an assessment of risk create application IDP specifications The following printed materials will be given to each participant to take back to their place of work:

step-by-step planning guide course notes course exercises (notes and example solutions) Course Outline:

Course Introduction

Preliminary Requirements Application Logging Practices Standard Detection Points

Custom Detection Points
Model Creation
Model Optimization
Attack Analysis
Response Actions

Response Threshold Specification

Implementation Plan

Optional Course Assessment Test Exercises will be undertaken in small teams of between 4 and 6 people. Each exercise during the day will be the continuation of the previous one, so the teams build up a complete IDP plan for their example project.


Elite Web Defense – How to build robust and secure web applications

Trainer Name: Jim Manico and Eoin Keary (WhiteHat Security and BCC Risk Advisory) Audience Background: Technical Audience Skill: Intermediate Duration: 1 Day – July 11, 2012 (cost 495 €)


Training Summary: This highly interactive, intensive 1-day class provides essential web application security training for web application software developers and architects. The class is a combination of lecture, hands-on security testing and code review. Participants will not only learn the most common threats against web applications, but more importantly they will learn how to also fix the problems via control-based defensive code samples and review. Topics such as Authentication, Access Control, Crypto, Cross Site Request Forgery, Cross Site Scripting, Injection Defense, Clickjacking Defense, Session Management and other topics will be addressed from a defensive point-of-view.


For information on presentations please visit our site


Conference Day 1 – Thursday, July 12th, 2012

R = Research paper D = Demo P = Presentation


Builders Defenders Brakers
08:45-09:30 Registration/Coffee
09:30-10:00 [Welcome]
OWASP Foundation, Where we are… Where we are Going
OWASP Board
10:00-10:45 Keynote: Software Security Goes Mobile
Jacob West, CTO, Fortify Products, HP

Video | [Slides]

10:45-11:00 Coffee Brake
11:00-11:40 (P) Teaching an Old Dog New Tricks Securing Development with PMD

Justin Clarke
(Gotham Digital Science) Video | Slides

OWASP Top Ten Defensive Techniques

Jim Manico
(Whitehat) Video | [Slides]

(P) Screw You and the Script You Rode in On

David Byrne and Charles Henderson
(Trustwave) Video | [Slides]

11:40-11:50 Brake
11:50-12:30 Unraveling some of the Mysteries around DOMbased XSS

Dave Wichers
(Aspect Security) Video | [Slides]

(P) Breaking is easy, preventing is hard

Matias Madou
(HP) Video | [Slides]

What Permissions Does Your Database User REALLY Need?

Dan Cornell
(Denim Group) Video | [Slides]

12:30-12:40 Brake
12:40-13:25 Keynote: From EasySQL to CPUs

Duncan Harris, Director of Security Assurance, Oracle Video | [Slides]

13:25-14:25 Lunch Brake
14:25-15:10 Keynote: Finding Malware on a Web Scale

Ben Livshits, Researcher, Microsoft Research Video | [Slides]

15:10-15:20 Break
15:20-16:00 (P) Tricolour Alphanumerical Spaghetti

Colin Watson
(Watson Hall) Video | [Slides]

CISO’s Guide to Securing SharePoint

Tsvika Klein
(Imperva) Video | [Slides]

(P) I>S+D! – Integrated Application Security Testing (IAST), Beyond SAST/DAST

Ofer Maor
(Seeker Security) Video | Slides

16:00-16:15 Coffee Brake
16:15-16:55 (R) CSP AiDer: An Automated Recommendation of Content Security Policy for Web Applications

Ashar Javed
(Ruhr University Bochum) Video | Slides

Things Your Smartphone Does When Nobody’s Looking

Chris Eng
(Veracode) Video | [Slides]

(P) Achieving Sustainable Delivery of Web Application Security Virtual Laboratory Resources for Distance Learning

Adrian Winckles and Ibrahim Jeries
(Anglia Ruskin University) Video | [Slides]


16:55-17:45 Panel - PCI Security Standards and Application Security

Jeremy King (PCI Council) Video | [Slides]

20:00 Cocktail





Conference Day 2 – Friday, July 13th, 2012

R = Research paper D = Demo P = Presentation


Builders Defenders Brakers
08:15-09:00 Registration/Coffee
09:00-09:10 Announcements
09:10-09:55 Keynote: A Decade of Software Security: From the Bug Parade to the BSIMM

Gary McGraw, CTO, Cigital Video | [Slides]

09:55-10:05 Brake


10:05-10:45 (D) Development of Security Framework based on OWASP ESAPI for JSF2.0

Kachhadiya Rakeshkumar and Benoist Emmanuel
(Albert Ludwigs Universität Freiburg and Berne University of Applied Sciences) Video | [Slides]


(D) Benchmarking Web Application Scanners for YOUR Organization

Dan Cornell
(Denim Group) Video | [Slides]

(D) The “cree.py” side of geolocation. Weaponizing your checkins

Ioannis Kakavas
(IT Advisor) Video | [Slides]


10:45-11:00 Coffee Brake
11:00-11:40 Making Security Invisible by Becoming the Developer’s Best Friends

Dinis Cruz
(Security Innovation) Video | Slides

(P) Data Mining a Mountain of Zero Day Vulnerabilities

Chris Eng
(Veracode) Video | [Slides]

(P) Anticipating Surprise – Fundamentals of Intelligence Gathering

Fred Donovan
(Attack Logic) Video | [Slides]

11:40-11:50 Brake
11:50-12:35 Keynote:
12:35-13:10 Keynote: Fatal Injection (and what you can do about it)

Diomidis Spinellis, Professor, Athens University of Economics and Business Video | Slides

13:10-13:50 Lunch


13:50-14:30 (P) Real World Threat Modeling via the PASTA Methodology

Tony Ucedavelez
(VerSprite) Video | [Slides]

(P) Can Correlations Secure Web Application?

Ofer Shezaf
(HP) Video | [Slides]

(D) BDD for Automating Web Application Testing

Stephen De Vries
(Continuum Security) Video | Slides

14:30-14:40 Brake
14:40-15:20 (P) AppSec Training, Securing the SDLC, WebGoat.NET and the Meaning of Life

Jerry Hoff
(Whitehat) Video | Slides

(D) Using Hash-based Message Authentication Code Protocol to Reduce Web Application Attack Surface

Breno Pinto and Luiz Eduardo Santos
(Trustwave) Video | Slides

(D) Advanced CSRF and Stateless Anti-CSRF

John Wilander
(Svenska Handelbanken and Linköpings universitet) Video | [Slides]

15:20-15:30 Brake


15:30-16:10 (P) Anatomy of a Logic Flaw: Breaking the Myth

Charles Henderson
(Trustwave) Video | [Slides]

2012 Global Security Report

Tom Brennan
(Trustwave) Video | [Slides]

(P) The Invisible Threat – MitB (Man in the Browser)

Uri Fleyder
(RSA Security) Video | [Slides]


16:10-16:20 Brake
16:20-17:00 Keynote: Jackpotting Mobile Apps

Christian Papathanasiou Video | [Slides]

17:00-17:15 Closing Ceremony
17:45-20:30 Visit to Acropolis Museum




Teaching an Old Dog New Tricks Securing Development with PMD

Justin Clarke,Gotham Digital Science Thursday, July 12th, 2012 | 11:00-11:40 | Location: A1

Abstract:

With the recent rise in high-profile corporate web application attacks, many organisations have made it a priority to build security into their internal software development lifecycle. Using static analysis to identify software security bugs is a common element in virtually all software security programs. While there are numerous commercial static analysis products that focus on security, they often involve high price tags, complex/unreasonable licensing models, steep learning curves, and can be cumbersome to integrate with existing processes.

Luckily, using static analysis to identify software bugs is not a new paradigm. For years, developers have used static analysis tools to identifying code quality issues. While these tools may not be specifically designed for identifying security bugs, in many cases their underlying analysis engine can be adapted to do so with custom rules.

This presentation will discuss how custom security rules can be added to existing code quality tools to identify potential software security bugs. In many cases, developers are already familiar with these tools and run them during development on a regular basis. Armed with security rulesets, the tools can also be valuable to security code auditors and penetration testers. Writing custom software security rules for the popular Java code scanning tool PMD will be the focus of the presentation.


OWASP Top Ten Defensive Techniques

Jim Manico, WhiteHat Thursday, July 12th | 11:00 | Location: A2 Abstract: We cannot hack our way secure. Application programmers need to learn how to code in a secure fashion if we have any chance of providing organizations with proper defenses against web application layer attacks. This talk will discuss the 10 of most important security-centric computer programming techniques necessary to build low-risk web-based applications.


Screw You and the Script You Rode in On

David Byrne and Charle Henderson, Trustwave

Thursday, Julty 12th | 11:00 | Location: Auditorium

Abstract:


The only automated clients that most websites want are the search engine crawlers. Other than that, scripted access to a website could be a simple nuisance, competitors scraping data, spam-bots, or full-on DDoS attacks. Even when the script isn’t malicious, a rude script can easily slow down even a major website. There isn’t a good way of stopping this. CAPTCHAs are a common solution, but they suck; anyone who says otherwise is a cheat and a liar. Users hate them because the good ones are hard to read, and even the best can be decoded by clever programmers.In this presentation, an alternative technique will be demonstrated. Instead of relying on a single input to identify humans, it is possible to create a server-side baseline of normal access patterns to a website and identify automated access based on anomalous behavior. The nature of the automated tool can often be identified as well (search indexer, security scanner, etc).The tool being released uses a number of advanced techniques to benchmark human users, including website entry point, request rates, navigation sequence, navigation delays, web page dependency requests, and HTTP headers. While some of these are easy to forge (particularly headers), the heuristic criteria for human behavior is far more difficult to mimic over an extended period of time.The current application of these techniques is through static analysis (e.g. log files or packet captures) using a tool that will be released at the conference. Future plans are to incorporate this functionality into a real-time engine that can block content at a web server or application firewall.


Unraveling some of the Mysteries around DOMbased XSS

Dave Wichers, Aspect Security

Thursday, July 12th | 11:50 | Location: A1

Abstract:DOM-based XSS was first revealed to the world back in 2005 by Amit Klien, when it was an interesting theoretical vulnerability. In 2012, with the push towards Web 2.0 well into the mainstream, DOM-based XSS has become a very commonly uncovered and exploited vulnerability, but it’s poorly understood.

This talk will focus on the full range of issues around DOM-based XSS. It will start with a discussion of the technical details of the vulnerability, the true nature of the risk it introduces (both likelihood and impact), and some new terminology and updated definitions about what truly is a DOM-based XSS vulnerability as compared to the standard Stored and Reflected XSS that the community is well aware of. It will then discuss the difficulties that security analysts face when trying to find DOM-based XSS flaws, and provide recommended analysis techniques that help move DOM-based XSS discovery from an art towards more of a science. And finally, it will discuss simple techniques for avoiding DOM-based XSS issues in the first place as well as how to mitigate issues that are uncovered during a security review.


Breaking is easy, preventing is hard

Matias Madou and Jacob West, HP Thursday, July 12th | 11:50 | Location: A2 Abstract:Is security a losing battle? Breaking software seems to become easier over time, while protecting it seems to become harder and harder. The situation in 2011 was bleak: from Anonymous using simple SQL injection attacks against big targets, to Stuxnet and Duqu, all the way to external intrusions in to the Playstation network and RSA. In this talk, we explain this phenomenon and explore methods the industry might use to reverse the trend.The rules for the security game are simple: coders can’t make any mistakes, because attackers only have to discover one good vulnerability to win. Finding vulnerabilities in a target program becomes easier provided enough time, of which attackers have plenty. New kinds of vulnerabilities and novel techniques for finding old ones often leave defenders playing catch-up with the bad guys, but also provide an opportunity for defenders to capture and leverage ever increasing vulnerability knowledge in their vulnerability assessment efforts.Let us illustrate this opportunity with an example– the open source enterprise automation software Apache OfBiz. In 2010, a security research firm stumbled on a couple of vulnerabilities in the widely used project. As a proof of concept, the firm posted a video showing how easy it was to become an administrator by exploiting one of the XSS issues in the application. To remain credible, the OFBiz team reacted quickly and remediated the vulnerabilities. After that push, security improvements in the product stalled.

After the security push, a problem in Sun’s JVM was discovered that permitted attackers to perform a denial-of-service attack, (the so called “Parse Double” problem), against vulnerable installations. Around the same time, new gray-box analysis techniques were introduced to the market. We tested the post-security-push version of Apache Ofbiz for the parse double vulnerability (as well as other well-known vulnerability categories) using this new analysis technique. The conclusion? Only one year after the Apache Ofbiz development team undertook its major security push, the same code base thought to be secure was already vulnerable.

We kickoff the session by introducing Apache OFBiz and the security improvements implemented in its latest release. Next, we introduce the parse double denial of service vulnerability and a new assessment technique called gray-box analysis. Throughout the presentation, we dive into the internals of gray-box analysis and show how gray-box analysis can overcome some of the problems white-and black-box analyses face. Finally, we show a dozen new vulnerabilities in Apache OFBiz that have always been there, but were only identified using the latest security intelligence and assessment techniques.


Dan Cornell – What Permissions Does Your Database User REALLY Need?

Dan Cornell (Denim Group) Thursday, July 12th | 11:50 | Location: Auditorium

Abstract: Attaching web applications to databases as “sa” or “root” might be easy but it is also a horrible idea. This presentation provides a methodology as well as tools to create fine-grained database user permissions based on application-specific requirements. The negative impact of permissive database user account permissions is demonstrated alongside the potential benefits of constrained database user access. Tools for the automated creation of security-role-specific MySQL user permission policies will be demonstrated and these will be used as a model for making “least privilege” database accounts a standard practice in web application deployment.


Duncan Harris: From EasySQL to CPUs


Abstract: In 1994, Oracle suffered its first known product vulnerability and reacted by sending a patch to every customer on tape or those new shiny CDs. But Oracle’s dedication to security famously goes back to its first customer, the CIA. Some years and several product acquisitions later, Oracle’s approach to security assurance is still rooted in that history of putting protection of its customers first. As well as reviewing Oracle’s product vulnerability handling practices, this presentation will explain the core elements and challenges of Oracle’s Software Security Assurance program including:


Secure development processes and practices, and the foundation on which they’re built, Oracle’s Secure Coding Standards that include lessons learned from past experiences Comprehensive security analysis and testing Secure configurations with guides and utilities to identify deviation from known secure states Independent product security testing evaluations and validations Building a decentralised, delegated, internal security community Applying security bar-raising changes Introducing cultural and process change to new product acquisitions Speaker Bio: Duncan Harris is senior director of security assurance at Oracle, responsible for all product security vulnerability handling, for Oracle’s internal ethical hacking team, for formal product security evaluations such as Common Criteria and FIPS 140, and for defining, educating, evangelising and ensuring compliance to internal secure development standards. He provides broad security advice to Oracle information security, legal, HR, marketing, PR, internal audit and physical security teams, and takes an active role in defining new direction for security in Oracle’s core database and application server products, based on the weaknesses and vulnerabilities his team and real world hackers identify and expose. Duncan notably constructed the technical proof behind Oracle’s “Unbreakable” marketing campaign.

Over his 18 years at Oracle, he has also been the product manager for Trusted Oracle7, Oracle’s B1 multilevel secure database, now replaced by Oracle Label Security, and he has been involved with all Oracle’s product security evaluations and validations. Prior to Oracle, he worked as a UK government security evaluator and on various UK classified systems.


Ben Livshits: Finding Malware on a Web Scale


Abstract:Over the last several years, JavaScript malware has emerged as one of the most popular ways to deliver drive-by attacks to unsuspecting users through the browser. This talk covers recent Microsoft Research advances in finding internet malware on a very large scale using a variety of program analysis techniques. It highlights two tools: Nozzle and Zozzle. Nozzle is a runtime malware detector that focuses on finding heap spraying attacks. Zozzle is a mostly static detector that finds heap sprays and other types of JavaScript malware. Both are extremely precise: Nozzle false positive rate is close to one in a billion; Zozzle’s is about one in a million.

Both are deployed by Bing and are used daily to find thousands of malicious web sites. This talk will focus on interesting interplay between static and runtime analysis and cover what it takes to migrate research ideas into real-world products


Speaker Bio: Ben Livshits is a researcher at Microsoft Research in Redmond and an affiliate professor at the University of Washington. Originally from St. Petersburg, Russia, he received a bachelor’s degree in Computer Science and Math from Cornell University in 1999, and his M.S. and Ph.D. in Computer Science from Stanford University in 2002 and 2006, respectively. Dr. Livshits’ research interests include application of sophisticated static and dynamic analysis techniques to finding errors in programs.

Ben has published papers at PLDI, POPL, Oakland Security, Usenix Security, CCS, SOSP, ICSE, FSE, and many other venues. He is known for his work in software reliability and especially tools to improve software security, with a primary focus on approaches to finding buffer overruns in C programs and a variety of security vulnerabilities (cross-site scripting, SQL injections, etc.) in Web-based applications. He is the author of several dozen academic papers and patents. Lately he has been focusing on how Web 2.0 application and browser reliability, performance, and security can be improved through a combination of static and runtime techniques. Ben generally does not speak of himself in the third person.


Tricolour Alphanumerical Spaghetti


Colin Watson, Watson Hall Thursday, July 12th | 15:20 | Location: A1

Abstract:Do you know your “A, B, Cs” from your “1, 2, 3s”? Is “red” much worse than “orange”, and why is “yellow” used instead of “green”? Just what is a “critical” vulnerability? Is “critical” the same as “very high”? How do PCI DSS “level 4 and 5” security scanning vulnerabilities relate to application weaknesses? Does a “tick” mean you passed? Are you using CWE and CVSS? Is a “medium” network vulnerability as dangerous as a “medium” application vulnerability? Can CWSS help? What is FIPS PUB 199? Does risk ranking equate to prioritisation? What is “one” vulnerability? Are you drowning in a mess of unrelated classifications, terminology and abbreviations? If you are a security verifier and want to know more about ranking your findings, or receive test reports and want to better understand the results, or are just new to ranking weaknesses /vulnerabilities and want an overview, come along to this presentation. It will also explain why the unranked information-only (“grey” or “blue”?) findings might contain some of the best value information.


CISO’s Guide to Securing SharePoint”

Tsvika Klein, Imperva Thursday, July 12th | 15:20 | Location: A2

Abstract. SharePoint’s functionality was built for business users to share information. However, business users don’t typically recognize critical security considerations. This leaves security teams with the task of layering security onto SharePoint well after deployments, or worse, after a data breach. This presentation will show:

Highlight SharePoint use cases and potential security issues Offer best practices for SharePoint security planning and management Provide key mitigation steps that enterprises implement to minimize the odds of a data breach


I>S+D! – Integrated Application Security Testing (IAST), Beyond SAST/DAST

Ofer Maor, Seeker Security Thursday, July 12th | 15:20 | Location: Auditorium

Abstract:

The goal of this talk is to present a new technological approach for automatic application security testing which is capable of responding to many of today’s challenges. IAST, Integrated Application Security Testing (also referred to as Interactive AST), performs runtime analysis of an application, hooking into the application process, thus enabling the tracking of actual code execution, memory, data manipulation, etc. Based on this approach, IAST technology can identify many types of vulnerabilities previously not considered possible by automatic tools. The talk examines technological concepts rather than specific products or solutions, and includes an advanced technical drill down into the technology specifics. All three technologies (DAST, SAST, IAST) will be discussed and compared using specific vulnerabilities as examples, explaining how each technology detects these vulnerabilities, and its limitations. The talk will begin with a quick overview of SAST and DAST technologies, reviewing their advantages and limitations based on real-world experience of organizations using such solutions. The focus will be on actual detection capabilities rather than usability issues, which are outside the scope of this talk. We will then discuss recent developments in SAST/DAST correlation as a mean for resolving some of these issues. The second part of the lecture will provide explanations of the new IAST runtime technology concepts. After explaining the principles of this technology, we will provide technical explanations on how runtime analysis is performed, how it is used for application security testing, as well as code samples and real-time information from memory correlated to these tests to give the audience a better understanding of this technology. Finally, we will show how application data are being analyzed and the information that a runtime analysis engine can extract in order to accurately identify vulnerabilities. In the last part, we will examine several vulnerabilities (such as SQL Injection, Parameter Tampering, Persistent XSS) and analyze how each technology (SAST/DAST/IAST) is being used to detect these vulnerabilities, and the pros and cons of each approach.


CSP AiDer: An Automated Recommendation of Content Security Policy for Web Applications

Ashar Javed, Ruhr University Bochum Thursday, July 12th | 16:15 | Location: A1

Abstract: Content Security Policy (CSP) is a Mozilla proposal to provide website administrators with a way to state how content interacts on their web sites. To assist web site administrators, in this paper, we present the first automated approach for the recommendation of content security policies in web applications. Using our prototype implementation called \texttt{CSP AiDer}, we have contributed in the recommendation of CSPs of more than 10000 web sites. We informed a number of major web sites about the CSPs we identified, and our findings were confirmed by mainstream web sites such as Twitter.


Things Your Smartphone Does When Nobody’s Looking

Name: Chris

Surename: Eng

Abstract:Modern mobile applications run on devices that have the functionality of a desktop or laptop running a general purpose operating system. In addition, they’re designed around personal and communication functionality which makes the top mobile application risks different from the top traditional computing risks. In this presentation, Eng will outline the top mobile application risks, designed to educate developers and security professionals about the mobile application behavior — both maliciously designed or inadvertent — putting users at risk.


Achieving Sustainable Delivery of Web Application Security Virtual Laboratory Resources for Distance Learning

Adrian Winckles and Ibrahim Jeries, Anglia Ruskin University Thursday, July 12th | 16:15 | Location: Auditorium

Abstract:The purpose of this paper is to further evaluate and analyze the use of virtualization and associated cloud technologies to deliver traditionally resource intensive web application penetration testing (ethical hacking) training as a completely distance learning alternative to the traditional classroom experience.Previous work (Winckles et al (2010) and Williams et al (2010)) on remotely delivering network security on a distance learning basis, has successfully achieved the deployment of the necessary the building blocks for the use of virtualization techniques and remote laboratory front ends to enhance the traditional laboratory experience.The intention is to build upon our established body of research focusing on technical investigations into the use of virtualization and cloud computing to develop the concept of the Laboratory as a Service (LaaS) with complex security based scenarios which would otherwise require significant man hours to develop as physical resources

Three core approaches have been investigated as part of this research and then implemented and analyzed by volunteers from geographically dispersed locations against a set of evaluation criteria

• Creation of individual virtual machine (vm) images would be commissioned on an individual basis (similar to virtual desktop implementations) which can be reused for as required. For the simplest of scenarios a pair of different would be commissioned in a simple client server or attacker/vulnerable system scenario. Investigation utilised an Open Source Apache Virtual Computing Laboratory(VCL) in a network distributed environment (Vouk et al (2009)) for commissioning of reusable operating resources, providing a cloud computing based solution for network security laboratory teaching scenarios The major concern with this approach is that the whole approach needs the end user to coordinate both system commissioning and the testing scenario is visible to others on the “corporate” network.

• Creation of a “team” or network of independent of VM’s on a single PC based platform which is then virtualised itself that platform and offered as a single VM in the similar scenario as that above. In this way a learner can book a reservation for that vm image commissioned just for that booking but achieve a better form of sandboxed environment for application security testing The main issue is that The performance of 2 levels of virtualisation could hinder performance and the user experience.

• Creation of groups of VM’s commissioned in specific topologies within a sandboxed environment which can be commissioned and torn down as required. The key to this solution is the use of port groups to create groups of VM’s utilising temporary VLAN’s. The use of a proprietary off the shelf remote laboratory systems such as NDG’s Netlab can offer complex application security scenario based training offering virtual based solutions on demand.

Persistence versus snapshot issues are important. In essence this becomes an issue between preserving a students investigation or testing status or the status being lost when a student finishes their current session

The sustainable virtual laboratory inevitably always involves the initial resource investment in designing and implementing the “virtual” resource but once a suitable template is developed, it can provide the basis of almost limitless “instant” deployments which are only restricted by the capacity limitations of the cloud solution deployed.

Both VCL and Netlab solutions are capable of delivering an automated and self-maintained virtualised remote computing environment to cater for students need with very little ongoing administration. Whilst VCL provides a highly scalable, flexible and very cost effective solution, it is limited in the complexity of the solutions potentially offered. Netlab provides a more managed solution better able to provide the complexity that more advanced security courses may require.

References:

Vouk, M. et al. 2009. Using VCL Technology to implement distributed reconfigurable data centres and computational service for educational institutes. [Online]. Available though: ACM Digital Library [Accessed 15/7/2011]

Willems, C., Dawoud, W., Klingbeil, T. and Meinel, C. 2010. Protecting Tele-Lab – attack vectors and countermeasures for a remote virtual IT security lab. International Journal of Digital Society (IJDS). [e-journal] 1 (2), p.113.

Winckles, A., Spasova, K. and Rowsell, T. 2011. Remote Laboratories and Reusable Learning Objects in a Distance Learning Context. Networks. [Online] 14 January 2011. Available at:

http://www.inspire.anglia.ac.uk/assets/uploads/networks/issue14/networks_remot

e_laboratories.pdf [11/10/2011]


Panel: PCI Security Standards and Application Security

Introduction by: Jeremy King, European Director, PCI Council

Panelists:

Pravir Chandra, Security Architect, Bloomberg Josef Nedstam, Lead Developer, IKEA John Wilander, Software Developer, Svenska Handelbanken Panel co-ordinator: John Yeo, Director, Trustwave SpiderLabs EMEA

Agenda:

PCI Security Standards Council: history, lifecycle and vision The role of Application Security in PCI Security Standards Recent breaches and their implications in the financial services space Tools and Guidance for achieving and maintaining compliance Real-life experience with the PCI Security Standards



Jeremy King, the European Director of the PCI Security Standards Council (PCI SSC), leads the Council’s efforts in increasing adoption and awareness of the PCI security standards in the European region. In this role, Mr. King works closely with the Council’s General Manager and representatives of its policy-setting executive committee from American Express, Discover, JCB International, MasterCard Worldwide, and Visa, Inc. His chief responsibilities include gathering feedback from the European merchant and vendor community, coordinating research and analysis of PCI SSC managed standards in European markets, and driving education efforts and Council membership recruitment through active involvement in local and regional events, industry conferences, and meetings with key stakeholders. He also serves as a resource for Approved Scanning Vendors (ASVs), Qualified Security Assessors (QSAs), Internal Security Assessors (ISAs), Payment Application Qualified Security Assessors (PA-QSAs), PCI Forensic Investigators (PFIs), and related staff in supporting regional training, certification, and testing programs.

Mr. King brings extensive experience in the payment card security and high-tech industries to the PCI Security Standards Council. Most recently, he served as Vice President for the Payment System Integrity Group at MasterCard Worldwide, where he played an integral role in developing payment terminal and chip card security programs. He also spent more than 14 years working in the U.K. semiconductor industry and has a strong background in payments technologies, including contactless card, encryption, and mobile payment technologies.



Josef Nedstam is a software development consultant for Swedish consultancy ab1. He finished his PhD in 2005, “Strategies for Management of Architectural Change and Evolution”, at the Faculty of Engineering, Lund University, Sweden, after cooperation with some 20 software development companies and the Software Systems Research Group at NICTA, Sydney, Australia. For the last five years he has been assigned to IKEA IT as a WebSphere Commerce developer at the IKEA website. For the last three years he has been the lead security developer of the IKEA site, and has after the outsourcing of development to CAP Gemini been responsible for making sure the development team fulfils PCI DSS requirements.



John Wilander is a frontend software developer at Svenska Handelbanken, the second strongest bank in the world according to Bloomberg Markets. He has been researching and working in application security for ten years and recently organized the OWASP Browser Security sessions in Portugal, with participants from the security teams behind Chrome, Firefox, Internet Explorer, Flash, and PayPal. During his years in academia he was elected best computer science teacher twice and nowadays gives 5-10 professional talks per year.



John Yeo is the Director of Trustwave SpiderLabs for Europe, the Middle East and Africa (EMEA). SpiderLabs is the global, advanced technical security services team within Trustwave responsible for Security Analysis and Penetration Testing, Incident Response and Investigation, Research & Development.

At Trustwave John is responsible for the SpiderLabs EMEA operation. He has extensive professional information security expertise with a particular focus on application/network security programs and enterprise class penetration testing service delivery. He has run and managed multiple outsourced global security assessment programs for large enterprises. Prior to his management roles, John delivered technical security consultancy and led security testing assessments of major IT programs within both government and the private sector. He has a particular interest in dealing with the complexities of technical security objectives within the financial services sector.

John is an experienced and regular speaker at industry events, having spoken at events such as RSA Europe, Infosec Europe, the Merchant Risk Council, MasterCard Academy of Risk Management, and various PCI events across Europe. He is often invited to speak at closed-door security working groups and workshops on data security; sharing insights on the ever evolving threat landscape.


Day 2



Gary McGraw: A Decade of Software Security: From the Bug Parade to the BSIMM


Abstract: Only ten years ago, the idea of building security in was brand new. Back then, if system architects and developers thought about security at all, they usually concentrated on the liberal application of magic crypto fairy dust. We have come a long way since then. Perhaps no segment of the security industry has evolved more in the last decade than the discipline of software security. Several things happened in the early part of the decade that set in motion a major shift in the way people build software: the release of my book Building Secure Software, the publication of Bill Gates’s Trustworthy Computing memo, the publication of Lipner and Howard’s Writing Secure Code, and a wave of high-profile attacks such as Code Red and Nimda that forced Microsoft, and ultimately other large software companies, to get religion about software security. Now, ten years later, Microsoft has made great strides in software security and building security in—and they¹re publishing their ideas in the form of the SDL. Right about in the middle of the last ten years (five years in) we all collectively realized that the way to approach software security was to integrate security practices that I term the “Touchpoints” into the software development lifecycle. Now, at the end of a decade of great progress in software security, we have a way of measuring software security initiatives called the BSIMM . BSIMM is helping transform the field from an art into a measurable science. This talk provides an entertaining review of the software security journey from its “bug of the day” beginnings to the multi-million dollar software security initiatives of today.

Speaker bio: Gary McGraw is the CTO of Cigital, Inc., a software security consulting firm with headquarters in the Washington, D.C. area and offices throughout the world. He is a globally recognized authority on software security and the author of eight best selling books on this topic. His titles include Software Security, Exploiting Software, Building Secure Software, Java Security, Exploiting Online Games, and 6 other books; and he is editor of the Addison-Wesley Software Security series. Dr. McGraw has also written over 100 peer-reviewed scientific publications, authors a monthly security column for informIT, and is frequently quoted in the press. Besides serving as a strategic counselor for top business and IT executives, Gary is on the Advisory Boards of Dasient, Fortify Software (acquired by HP), Invincea, and Raven White. His dual PhD is in Cognitive Science and Computer Science from Indiana University where he serves on the Dean’s Advisory Council for the School of Informatics. Gary served on the IEEE Computer Society Board of Governors and produces the monthly Silver Bullet Security Podcast for IEEE Security & Privacy magazine (syndicated by informIT).

company www.cigital.com podcast www.cigital.com/silverbullet blog www.cigital.com/justiceleague book www.swsec.com personal www.cigital.com/~gem



Development of Security Framework based on OWASP ESAPI for JSF2.0

Names: Kachhadiya Rakeshkumar and Prof. Dr. Benoist Emmanuel

Abstract:

Modern web application frameworks have made it easy to develop high quality web application, but developing secure application, still requires the developer to possess deep understanding of security vulnerabilities and attacks. However, it is even difficult for an experience developer to find and eliminate all vulnerabilities. This demo represents JSF-ESAPI framework based on JSF2.0 and OWASP ESAPI. It helps the developer to write JSF based secure and lower-risk web application with minimal configuration, without having to possess extensive knowledge of web security. Moreover, it works as middleware and consists of four important modules.

The validation is the first module which verifies the user input as given in the XSS prevention cheat sheet. It consists of many user defined validator tags and generates appropriate error messages on invalid user inputs, in order to perform strong validation. We have also ported ESAPI Java Validator in a JSF-friendly new library which can easily be integrated in a page. We provide a new set of JSF-tags and some of these tags perform filtering of XSS enabled code from the input.

The File Based Authorization module simplifies the user’s role and it gives permission to visualize certain areas in the presentation layer as per the user rights.

We add in the filtering layer a new random token to each form for each http response. The layer validates the form token with the token stored in the session in each http request. If the token is changed or is missing, the application will generate the appropriate exception. This is particularly a protection against Cross Site Request Forgery (CSRF), since another page would not know the value of this token.

The last module is Render Response module which renders output after filtering XSS content and encodes the vulnerable characters such as <,>,”,’ etc. as given in the XSS prevention cheat sheet of OWASP.

This framework will help developers to prevent a myriad of security problems including Cross-site Scripting, Cross-site Request Forgery, Automatic Input Validation, and Automatic Output Validation with escaped “true” or without this parameter, File based Authorization etc.. All the features are included in one framework.

Advantages:- (1) Requires minimal configuration. (2) Retrofits security in the existing application. (3) Provides same performance as the JSF framework does. (4) Automatic filtering of XSS vulnerable code from output when escape = “true” or “false”. (5) Easy input validation without additional code. (6) Layered architecture, and leaves certain features that aren’t required. (7) Most security features included in one framework.

So far we have brought important security features under one framework in the first revised version and we would like to present it to both security specialists’ and programmers’ communities, in order to have feedback on possible improvements.


Benchmarking Web Application Scanners for YOUR Organization

Name: Dan

Surename: Cornell

Abstract:


Web applications pose significant risks for organizations. The selection of an appropriate scanning product or service can be challenging because every organization develops their web applications differently and decisions made by developers can cause wide swings in the value of different scanning technologies. To make a solid, informed decision, organizations need to create development team- and organization-specific benchmarks for the effectiveness of potential scanning technologies. This involves creating a comprehensive model of false positives, false negatives and other factors prior to mandating analysis technologies and making decisions about application risk management. This presentation provides a model for evaluating application analysis technologies, introduces an open source tool for benchmarking and comparing tool effectiveness, and outlines a process for making organization-specific decisions about analysis technology selection.


The “cree.py” side of geolocation. Weaponizing your checkins

Ioannis Kakavas, IT Advisor Thursday, July 12th | 11:50 | Location: Auditorium Abstract:Location Privacy is the often forgotten aspect of online privacy. Users tend to use social networking platforms and services that are location aware, not realizing

or not considering the dangers of that over-exposure. It’s a case of privacy infrigement that is also interesting from a social perspective as unlike the general rule, the victim is also the perpetrator. What does each one of your checkins, geo-tagged pictures, geo-tagged tweets etc tell about you? What are the patterns that emerge from the aggregation ? And more specifically how can they be used against you ? With the help of cree.py OSINT geolocation aggregator, we will go through a number of example scenarios of user “abuse” of location aware services and online over-exposure ,the consequences this abuse has on their locational privacy, and the personal and enterprize threats that stem from it.


Making Security Invisible by Becoming the Developer’s Best Friends

Name: Dinis Cruz

Afiliation: Security Innovation.

Title: Making Security Invisible by Becoming the Developer’s Best Friends

Abstract. We are currently missing a trick! Our job should be to make security invisible to (most) developers so that they are able to ‘code security by default’ and have real-time (i.e. on build) feedback when they create a security vulnerability. This presentation will show how the O2 Platform is able to create such environments using multiple tools (from static to dynamic) integrated into the developer’s IDE (including BDD-Security type activities). The key is to give tools, workflows and visualisations to developers which make them understand better how they app works and behaves (i.e. adding value to their world)


Data Mining a Mountain of Zero Day Vulnerabilities

Name: Chris

Surename: Eng

Abstract: Every day, software developers around the world, from Bangalore to Silicon Valley, churn out millions of lines of insecure code. We used static binary analysis on thousands of applications submitted to us by large enterprises, commercial software vendors, open source projects, and software outsourcers, to create an anonymized vulnerability data set. By mining this data we can answer some interesting questions. What types of mistakes do developers make most often? Are we making any progress at eradicating XSS and SQL injection? How long does it really take to remediate software vulnerabilities? Is anybody actually using ESAPI? We will address these questions and many others, giving you a deep dive into application security metrics at a scale that can’t be found anywhere else.


Anticipating Surprise – Fundamentals of Intelligence Gathering



Fred Donovan, Attack Logic

Friday, July 13th, 2012 | 11:30-12:10 | Auditorium


Abstact:

The foundation of intelligence gathering is a fundamental necessity to understand difficult situations or better evaluate factors or indicators of risk, evidence and context. Intelligence gathering is an organizational process but really is a product toward the end goal of a solution. This talk considers some well known historical examples of the successes and failures in Intelligence Gathering and broadens their context to the current challenges in cyber security. It is a high level process that supports high echelon decision making. Although difficult, it can be used to forcefully challenge the planning and directions of cyber security risk analysis and governance strategy.


Fred Donovan is an Intelligence Analyst and AppSec Researcher from New York. He has spent the last 12 years as an executive consultant for public and private industry corporations with a focus on information warfare and counterintelligence defenses. He graduated highest honors with a Masters in Intelligence from American Military University where he formulated and modeled a technique known as Counterintelligence Attack Theory.


Diomidis Spinellis: Fatal Injection (and what you can do about it)


Abstract: EnSign is an open-source suite of libraries that protect web applications from code injection attacks through the use of location-specific signatures. The signatures are unique identifiers that combine stable elements of a potentially vulnerable code statement, like its structure and keywords appearing in it, with features that depend on the statement’s execution context, such as stack traces and caller methods. During the system’s learning phase the libraries apply a cryptographic hash function on the combined elements and store the result in a table that the web application can access. When the application runs in a production setting the libraries create new signatures and use the table’s entries to validate the execution of vulnerable code statements. We have tested the EnSign libraries against more than 300 documented attacks on applications known for SQL, XPath, and JavaScript vulnerabilities. EnSign detected and thwarted all tested attacks.

Speaker bio: Diomidis Spinellis is a Professor in the Department of Management Science and Technology at the Athens University of Economics and Business, Greece. His research interests include software engineering, IT security, and programming languages. He has written the two award-winning “Open Source Perspective” books: “Code Reading” and “Code Quality” as well as dozens of scientific papers. He is a member of the IEEE Software editorial board, authoring the regular “Tools of the Trade” column. Dr. Spinellis has written the UMLGraph tool and code that ships with Mac OS X and BSD Unix. He holds an MEng in Software Engineering and a PhD in Computer Science, both from Imperial College London. Dr. Spinellis is senior member of the ACM and the IEEE and a member of the Usenix association.


Pravir Chandra:Everything you know about Injection Attack is wrong


Abstract: This casual talk will take a look at several mundane vulnerabilities that we all know about and ask a few deeper questions. What are the underlying mechanisms? Does our advice on preventing them *actually* work? Is there a better way when you think of software design patterns? By the end, we’ll challenge the audience to think past the surface of these code vulnerabilities and hopefully learn a little about how the right abstraction model can save tons of security headaches.

Bio: Pravir Chandra is a veteran in the security space and a long-time OWASP contributor, including his role as the creator and leader of the Open Software Assurance Maturity Model (OpenSAMM) project. Currently as security architect for the CTO of Bloomberg, he drives proactive security initiatives that demonstrate concrete value for the firm. Prior to this, Pravir was Director of Strategic Services at HP/Fortify where he lead software security assurance programs for Fortune 500 clients in a variety of verticals. He is responsible for standing up the most comprehensive and measurably effective programs in existence today. As a thought leader in the security field for over 10 years, Pravir has written many articles, whitepapers, and books and is routinely invited to speak at businesses and conferences world-wide.


Real World Threat Modeling via the PASTA Methodology

Name: Tony

Surename: Ucedavelez

Abstract:

Threat modeling gets a lot of sexy headlining – rightfully so, but nothing is a bigger turnoff when you’re burning for actionable, realistic models, and get more theoretical, pragmatic hype. Risk mitigation for web application environments is broken today as a result of many shortcomings in proper design, coding, security testing, and even governance efforts. This discussion, focused on web application environments aims to marry various concepts across various security disciplines, thereby proving to provide a utopia of relevance to all participants, regardless of technical role. The presentation will cover all the germane aspects to application threat modeling including Data Flow Diagramming, Trust Boundaries, and different approaches but will also address how to effectively build the necessary content for attack and vuln libraries in order to evolve beyond saying your practicing threat modeling and actually doing it.


Can Correlations Secure Web Application?

Name: Ofer

Surename: Shezaf

Abstract:


Nearly ten years ago I have designed a correlation engine for an early Web Application Firewall. At the time the assumption was that by combining several detection engines or by examining recurring events attack detection can be more accurate. Today most Web Application Firewalls offer a feature labeled “correlations” that builds on this promise. My design and most following ones suffer from several inherent limitations. Since a Web Application Firewall is a real time system, it needs to be fast and cope with ever increasing network bandwidth without adding latency. Moreover correlations are many times done over time contradicting the need to block attacks before they penetrate our systems.

For those reasons and others, correlations have stayed a hyped marketing term in the web application security field. Their contribution for attack mitigation is not well understood and at times not fully realized by the Web Application Firewalls.

In this presentation we will explore the current and the potential of correlations for web application security. Specifically, we will explore how the capabilities of full correlation engines such as those found in security event management systems (SIEMs) can help mitigate application level attacks.

BDD for Automating Web Application Testing

Name: Stephen

Surename: De Vries

Abstract:

Security Testing of web applications, both in the form of automated scanning and manual security assessment is poorly integrated into the software development lifecycle (SDL) when compared to other testing activities such as Unit or Integration tests.

Agile methodologies such as Test Driven Development advocate a test first approach, where the tests themselves form the specification for the software. These effectively form an executable specification that grows with the application. If the same approach could be taken with security requirements and testing, then the security domain could also benefit from the advantages of automated integration testing.

BDD is an evolutionary step from Test Driven Development and offers the ability to define the behaviour of an application in a more natural language. BDD is effectively a communication tool, allowing the business and security analysts to define functional and non-functional behaviour in a natural language, while still allowing that behaviour to be captured using automated tests written by developers.

Since many web applications share a common baseline of security requirements (for example, those contained in the OWASP ASVS), it’s possible to take a templated approach to defining this baseline security behaviour of common web applications. BDD-Security is an open source project aimed at doing exactly that. It’s built on JBehave and Selenium 2 (WebDriver) and includes a number of predefined security specifications for web applications. Since they’re written in JBehave these specifications are both understandable by non-security experts, and they’re executable as part of the build or testing process.

BDD-Security supports two broad classes of security tests: Functional and Non-functional. In general, the functional tests are implemented using WebDriver while the non-functional tests are implemented using the Burp Suite Security scanner. Since Burp Suite is aimed at manual testing, an interface had to be written to be able to control Burp remotely from a script. This interface is also released as an open source project.

The demo will consist of introducing the basic concepts and then using a vulnerable web application to build a working BDD-Security configuration from the ground up.

BDD-Security was released in March 2012, more information can be found at: - Introduction and overview: http://www.continuumsecurity.net/bdd-intro.html - Getting started tutorial with screenshots: http://www.continuumsecurity.net/bdd-tut.html - Video of complete execution: http://vimeo.com/38284219


AppSec Training, Securing the SDLC, WebGoat.NET and the Meaning of Life

Name: Jerry

Surename: Hoff

Abstract:


One of the most vital pieces of a secure SDLC is security training – not only for developers, but for Architects, QA and anyone else involved in the creation of software. Too frequently, this is minimized, overlooked or completely absent within an organization. In some cases, the very idea of application security is dismissed as unnecessary. This talk starts by making a strong argument for developer education, and how it fits into any organization’s SDLC. Training will be put into the context of NIST’s “Security considerations in System Development Life Cycle” Document, Microsoft’s Simplified SDL, BSIMM3 and OWASP Open SAMM.

From there, we discuss other OWASP resources and projects dedicated to developer education, and an in-depth discussion of OWASP WebGoat.NET – an ASP.NET specific re-design of OWASP which meets the needs and addresses the challenges of modern application security training programs.

Lecture will be delivered by Jerry Hoff, VP of Static Code Analysis Division at WhiteHat Security. Jerry is the leader of the OWASP Appsec Tutorial Series, WebGoat.NET and AntiSamy.NET. Jerry is a former developer, author, and has over 10,000 hours delivering technical training. Jerry holds a Masters degree in Computer Science from Washington University in St. Louis.

Key Points: - Developers need a better way to be education in AppSec - Equip participants with the tools and evidence they need make an irrefutable case for developer security training - Analysis of tools/docuemnts/videos that OWASP provides for training - Introduction of WebGoat.NET: OWASP’s latest tool to help education developers - Interactive demonstration of WebGoat.NET with full audience participation


Using HASH-based message authentication code protocol to reduce web application attack surface

Names: Breno Pinto and Luiz Eduardo Santos

Abstract:


For as long as companies rely on web sites to do business with their customers and partners, attackers will keep targeting these web applications searching for new (and old) vulnerabilities and trying to exploit them. Reducing the attack surface has been a good practice for quite some time, and hardening applications and web servers usually accomplishes this. In this paper we are presenting a cryptographic protocol to be implemented in a Web Application Firewall in order to reduce the attack surface with minimum impact to the users and zero changes on the web application itself. Basically, the proposed method consists in parsing HTTP Response data sent by the web application server and signing HTML elements of this response before it is sent back to the client browser, from that point on, the integrity of the communication between the client and the web application will be checked using the protected Uniform Resource Identifier (URI). With this mechanism, no modifications are allowed during a new HTTP Request using the signed URI, reducing quite a number of known web application attacks.


Advanced CSRF and Stateless Anti-CSRF

Name: John

Surename: Wilander

Abstract:

Cross-site request forgeries are often presented as blind, one-shot attacks. In this demo-based presentation we will look at how you can construct a multi-step, semi-blind attack using both HTTP GETs and POSTs. We will also look at CSRF against RESTful services with forged JSON. Protection against CSRF can be done without server-side state which is very attractive in modern web applications. We will look at stateless double and triple submit as anti-CSRF measures.


Anatomy of a Logic Flaw: Breaking the Myth

Charles Henderson,Trustwave July 13th | 15:25-16:05 | A1

Abstract:Traditional vulnerabilities like SQL Injection, buffer overflows, etc, have well established techniques for discovery and prevention. On the other hand, logic flaws are incredibly diverse and often unique to the specific application or business organization. Because of this, logic flaws have taken on a near mythical status. In the myth, logic flaws are nearly impossible to find until the elite of the elite hackers launch an attack to completely own the application.

The reality is far different; logic flaws are not the complex nightmare that many have made them out to be. This presentation will use real-world examples to show how logic flaws are typically introduced into an application, how they can be consistently detected during testing, and how they can be prevented during development. Instead of hoping for magic, repeatable processes will be outlined for each of those items. This will prove beneficial to anyone responsible for application security: programmers, architects, managers, and pen testers.


2012 Global Security Report

Name:Tom Brennan

Afiliation:Trustwave Abstract. The Trustwave 2012 Global Security Report identifies the top threats encountered by businesses over the past year. Based on an analysis of Trustwave data sources, including more than 300 incident investigations, 2,000 penetration tests conducted by Trustwave SpiderLabs, and 2 million network and application vulnerability scans, the report provides a roadmap for any organization that needs to improve and update their information security strategy.

The Trustwave 2012 Global Security Report highlights top data security risk areas, offering predictions on future targets based on analysis and perceived trends. By learning from others’ data vulnerabilities, and applying tactical and strategic change outlined in this report, any organization will be better able to reduce data threats and loss. Many OWASP projects will be highlighted in helping the attendee fight better.


The Invisible Threat – MitB (Man in the Browser)

Uri Fleyder, RSA Security

Friday, July 13th | 15:25 | Location: Auditorium

Abstract: During the introduction I will explain in general lines about the full process from the victim’s point of view: Infection campaign –> exploit kit –> spam and compromised websites –> drive-by infection –> HTML and JavaScript code injection into the browser by the Trojan (exploit’s kit predefined payload) –> victim logs in to his online banking account –> victim/MitB initiates money transfer to 3-rd side party –> MitB fetches available mule account from the C&C server –> MitB uses social engineering to get the required TAN/mTAN from the victim –> money transfer completed –> MitB manipulates the infected browser to display false account balance and false money transfers history to the victim.


Christian Papathanasiou: Jackpotting Mobile Apps


Abstract: Since unveiling the very first Google Android kernel-level rootkit at DEFCON 18, Christian has diverted his attention to something closer to the end-user experience – mobile applications themselves. The outcome of this research has been quite interesting and paints a very bleak picture of the current stance of mobile application security.

Christian will demonstrate 0day vulnerabilities relating to insecure mobile application development; the humorous and very much financially damaging implications of such attacks.

Common application security mistakes that have been transposed into the mobile application world provide rich pickings for security researchers bored of <script>alert(1)</script>.

Thankfully, the OWASP top 10 mobile application security controls for developers come to the rescue and provide the right backdrop to which we can demonstrate what developers should have done before unleashing their apps to the world in a rush to tap into uncharted blue oceans.

Speaker Bio: Christian is the Penetration Testing lead for global website security at a large financial services organisation.

Christian is a member of the OWASP Global Industry Committee and the OWASP Cyprus Chapter Leader, a contributor to the OWASP Mobile Security project and a contributing author of the European Network Information Security Agency (ENISA) Smartphone Secure Development Guidelines for App Developers.

Christian has presented at thought leading conferences such as Black Hat and DEFCON. His research has been featured by many news organizations including: Forbes, Reuters, Slashdot, Tech Herald, Computerworld, ZDNet, CSO Magazine, Dark Reading, Threatpost, CNET and eWeek.

Christian co-organises AthCon – the first and foremost technical IT Security conference in Athens, Greece. More info: http://www.athcon.org

Christian holds a MSc with Distinction in Information Security from the Information Security Group at Royal Holloway, University of London and a CISSP. Christian is also a qualified Chemical Engineer having graduated with a MEng(Hons) in Chemical Engineering from UMIST.


Uni Challenge

OWASP AppSec Research 2012 announces the OWASP University Challenge! The University Challenge is a competition among teams comprised of university students that will be held on July 10-11th. During the University Challenge teams will defend a vulnerable web application while solving Capture The Flag type challenges.

This year the OWASP University Challenge will be limited to 8 teams. Teams will consist of 4-8 students, with one team per University. Team openings are on a first come first serve basis. If multiple teams are received from the same university the second team will be put on a wait list.

All team members must be registered. Registration for the University Challenge event is free. Food and beverages will be provided during the challenge and all participants will get an OWASP University Challenge t-shirt. In addition, all participants that will register for the conference will get an additional discount on top of the discounted student price (an e-mail with the discount coupon will be automatically e-mailed ). Of course, the first three winning teams will get some awesome presents (to be announced).

To sign up: Please send an e-mail to appseceu@owasp.org using “University Challenge” as a subject and including the following information:

Name of Team University Professor name (and e-mail) Team Leader (and e-mail) Team Members (and e-mails) Each team member will need:

Your own notebook capable of running the following: BackTrack (CD-Rom or USB stick version – Download BackTrack) VMWare Player (Download VMWare Player) VirtualBox Player FTP Client (Download Filezilla) SSH Client (Download Putty) Wireshark (Download Wireshark) Nmap (Download Nmap) Firefox (Download Firefox) Firefox Add-ons: FoxyProxy, Cookie Editor, HackBar, Web Developper Toolbar, QuickJava, Tamper Data, Live HTTP Headers AndiParos Proxy (Download AndiParos Proxy) Hexeditor Cryptool (Download Cryptool) Your own testing tools


The conference will take place at the Department of Informatics and Telecommunications, University of Athens, Greece.

The Department of Informatics and Telecommunications is located in the University of Athens main campus, just a 15' walk from the Evangelismos metro station.

Travel Information is available online plus our suggestions


Greekchapterlogo.gif

Organizing Committee

  • Konstantinos Papapanagiotou (General Chair)
  • Panagiotis Georgiads (co-host)
  • Vasileios Vlachos (Vice-Chair)
  • Spyros Gasteratos
  • Stathis Mavrovouniotis
  • Emmanuel Kellinis
  • Stelios Tigkas

CFP Program Committee

  • Yiorgos Adamopoulos, TEE, Greece
  • Andreas Fuschberger, Royal Holloway, UK
  • Giles Hogben, ENISA, EU
  • Christos Ilioudis, TEI of Thessaliniki, Greece
  • Vassilis Katos, Democritus University of Thrace, Greece
  • Emmanouel Kellinis, UK
  • Angelos Keromytis, Columbia University, USA
  • Athanasios Kostopoulos, independent researcher
  • Harry Manifavas, TEI of Crete, Greece
  • Dimitris Mitropoulos, Athens University of Economics and Business, Greece
  • Alex Papanikolaou, TEI of Larissa, Greece
  • Carlos Serrao, ISCTE, Portugal
  • Stelios Tigkas, FortConsult, Denmark
  • Costas Vassilakis, University of Peloponnese, Greece
  • Vasileios Vlachos, TEI of Larissa, Greece
  • John Wilander, OWASP, Sweden



Contributions

The AppSec Research Conference Website's artwork was made by Mis Thaleia V. Mis Marianna Preen is the person who designed the icons

TimeTable

You Can download theMedia:Appsecschedule2012grfinal.pdf or view it online on our site here: [1]

Recruiting Event

Want to work with the brightest minds in software security?

Cigital is hiring at OWASP AppSec Research!


Who: Look for Julian Osei, Director of Talent Acquisition EMEA.

When: During lunch breaks on the 12th and the 13th and during the Conference Cocktail.

Where: There will be a dedicated room, so look for the Cigital logo.

If you would like your CV to be pre-screened by Julian and his team, send us a copy at: appseceu+cv@owasp.org

The challenges we offer are intellectually stimulating and you’ll be working side by side with some of the brightest minds in the industry. Our tremendous growth over the last few years is set to continue, and that means you can anticipate career advancement at the same electric pace. We’re looking for skilled and driven security consultants at all levels. We need entry-level, mid-level, and senior consultants – as well as more senior expertise.

Security Consultants

Come and pick up the tricks of the trade in application security from the people who do it best. You’ll learn the most effective ways to do penetration testing, static analysis and risk assessments, and you’ll learn fast. If you’ve got a solid background in modern development languages and you are thirsty for knowledge when it comes to app security, tell us! Relevant degrees, coursework, professional experience and dabbling in the field are what we want – what did you discover today?

Senior Security Consultants

For people more experienced in the field of application security who’ve built trusted advisory relationships with clients – we’d love to bring you on board, too. If you like brain-twisting challenges and travelling to exciting places, Cigital is where you want to be. We help our clients through some tricky situations, so your software security skills and problem-solving expertise are invaluable here. If you’re passionate – let’s talk!

Managing Consultants

Have charisma? You’ll need it to help expand our company into new areas and even greater market penetration. In this role, you’ll lead a region – this takes technical savvy and solid business development skills. If you care about clients and know how to manage people; if you can grow a team and attract new talent then this is the role for you – what’s your vision? Come and tell us.

There will be a number of socializing opportunities: Cocktail Party at the main auditorium of the university and the OWASP band performance you can find more: http://2012.appsec.eu/social-events/

Social Events

During OWASP AppSec Research we are organizing a variety of social events:


Tuesday July 10nth at 20:30 – Welcome drinks at Cafe Avissinia


OWASP Appsec Research team will be at Cafe Avissinia and would like to invite all trainers, trainees, uni challenge participants and anyuone else who happens to be in Athens to join us. Drinks at Cafe Avissinia have reasonable prices, the food is amazingly good and the view to the Acropolis magnificent. Cafe Avissinia is located at Avissinias Square near the Monastiraki Metro Station. For map and instructions please see here.

Wednesday, July 11th at 20:30 – OWASP Band Performance


No explanation required, the OWASP band feat. Gary McGraw will give a rare, outstanding performance as usual on the evening of Wednesday, July 11th at Ya cafe (for map and instructions please see at the end of this page).

For map and instructions please see here

Opening Act: The Weather Underground




Thursday, July 12th at 20:00 – Conference Cocktail

All conference attendees, sponsors and volunteers are invited to the Conference Cocktail at the “Kostis Palamas” building on Thursday, July 12th. The cocktail will start at 8pm.

The “Kostis Palamas” building was built at 1857 and at the time it hosted the university’s medical and physics labs. Nowadays, it has been renovated and it is used as a cultural center and a meeting point for the university community. It is one of the historical buildings of Athens, with characteristic architecture, design and decorations.


“Kostis Palamas” is located at 48 Academias str. and the nearest metro station is Panepistimio. To get there from Evangelismos station, you pick the line that goes towards Egaleo. You get off the next stop (Syntagma) and head to the red line platform that goes towards Aghios Antonios. You get off at the next stop, Panepistimio. Use the exit labeled as “Panepistimiou Str (Athens Academy)” to get of the station. Once you exit, head to your left, walking in between of the imposing buildings. Cross the first street you find (Academias str.) and you can find the Kostis Palamas building on your right.

Alternatively, at that time of the day, a taxi should need approximately 10′ to get from Divani Caravel to the Kostis Palamas building. Giving the taxi driver the exact address (48 Academias str.) is more than enough.

The music is provided by the student e-radio station: