2011 BASC Presentations

From OWASP
Revision as of 06:22, 30 September 2011


Platinum Sponsors (Listed Alphabetically)


Core Security Technologies

Rapid7

SafeLight Security

Security Innovation

Source Conference

Gold Sponsors (Listed Alphabetically)


NetSPI

Trustwave

WhiteHat Security



Silver Sponsors (Listed Alphabetically)


Fortify

Pwnie Express

Providence Web App Security Meeting Group

Stach & Liu


We kindly thank our sponsors for their support. Please help us keep future BASCs free by viewing and visiting all of our sponsors.
Sponsorships are still available.

Presentations

We would like to thank our speakers for donating their time and effort to help make this conference successful.

Keynote

Presented by: Rob Cheyne


Reversing Web Applications

Presented by: Andrew Wilson

Information gathering is not only the first step, but perhaps the most important repeated process within penetration testing. How well a tester is capable of learning the characteristics and nuances of an application can make all the difference in comprehensive testing and sophisticated attacks. Information gathering is far more than merely mapping an application.

This talk focuses on common pitfalls and misconceptions of information gathering, and how we can approach it better. Using strategies from reverse engineering and forensics, we will learn the skills and tools needed to find evidence and grok what it means, so that we can ensure consistent and comprehensive understandings of how a site works. Specific things that will be covered include: anti-patterns, learning behaviors of an application, reading exceptions between the lines, fingerprinting a website beyond HTTP headers, creating a working API for scripted attacking, and content discovery beyond throwing massive wordlists at the wall.

Tools which support these tasks, and countermeasures that make this more challenging, will be discussed throughout the talk.


Mozilla Secure World: Simple Ways to Secure Your Website

Presented by: HaoQi Li

MozSecWorld is a web security reference site. It can teach you simple ways that you can make your own websites more secure. You'll learn through diagrams, explanations, and best of all, live demos! :) If you are a web developer, you might find the open-source code for each demo helpful too.


OWASP Mobile Top 10 Risks

Presented by: Zach Lanier

This presentation will feature the recently unveiled, official OWASP Mobile Top 10 Risks. As many agree that mobile application security is in its infancy, this list is intended to help developers and organizations prioritize their security efforts throughout the development life cycle. Many of the same mistakes made over the past decade in other areas of application security have managed to resurface in the mobile world. There have also been many new security challenges introduced by mobile applications and platforms. Through the OWASP Mobile Security Project, the primary goal is to enhance the visibility of mobile security risks just as OWASP has successfully done for the web.

As the attack surface and threat landscape for mobile applications continue to rapidly evolve, arming developers with the tools they need to succeed is essential. Each environment presents its own distinct risks to consider. Our research and findings will be presented from a platform-agnostic perspective.


The Perils of JavaScript APIs

Presented by: Ming Chow

Client-side development with JavaScript has grown significantly thanks to Ajax, the plethora of JavaScript libraries such as jQuery, and powerful JavaScript engines such as Google's V8. With the rapid push for HTML5 and the emergence of Node.js, JavaScript has become paramount. However, we are starting to move away from the same-domain policy: the XMLHttpRequest object in the latest versions of Chrome and Firefox now supports cross-domain communications to a degree. HTML5 has also introduced a number of features, including WebWorkers, cross-document messaging, and WebSockets, that are JavaScript-heavy and have raised a number of security issues. This presentation will also delve into the best practices of rendering and parsing JSON, the security woes surrounding WebGL, and the state of creating and running a Node.js web server.
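Two of the practices this abstract names, parsing and rendering JSON safely and handling cross-document messages, can be shown in a few lines of defensive JavaScript. The block below is an added example written for this page; it is not code from the talk or from any BASC speaker. The helper names (parseJsonStrict, escapeHtml, makeMessageHandler) and the sample origins and message events are my own constructed assumptions; the handler is called directly with plain objects so the example runs under Node.js without a browser window.

```javascript
// Added example, not from the BASC page or any speaker. Names and
// sample data below are constructed for illustration.

// 1. Parsing JSON: never eval() a response body. JSON.parse accepts only
//    the JSON grammar, so a body such as "alert(1)" is rejected outright.
//    The optional allowedKeys filter keeps only fields the caller expects
//    and drops prototype-related key names that JSON.parse happily
//    creates as own properties.
function parseJsonStrict(text, { allowedKeys } = {}) {
  let value;
  try {
    value = JSON.parse(text);
  } catch (e) {
    return { ok: false, error: 'invalid JSON' };
  }
  if (allowedKeys) {
    if (value === null || typeof value !== 'object' || Array.isArray(value)) {
      return { ok: false, error: 'expected object' };
    }
    const out = {};
    for (const k of Object.keys(value)) {
      if (k === '__proto__' || k === 'constructor' || k === 'prototype') continue;
      if (allowedKeys.includes(k)) out[k] = value[k];
    }
    return { ok: true, value: out };
  }
  return { ok: true, value };
}

// 2. Rendering JSON-derived strings into HTML: escape before inserting
//    into markup instead of assigning the raw string to innerHTML.
function escapeHtml(s) {
  return String(s).replace(/[&<>"']/g, (c) => ({
    '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;',
  })[c]);
}

// 3. Cross-document messaging: a 'message' handler that checks
//    event.origin against an allow-list before trusting event.data, and
//    treats the data as JSON text rather than as code.
function makeMessageHandler(allowedOrigins, onMessage) {
  return function handle(event) {
    if (!allowedOrigins.includes(event.origin)) {
      return { accepted: false, reason: 'origin not allowed: ' + event.origin };
    }
    const parsed = parseJsonStrict(event.data, { allowedKeys: ['type', 'payload'] });
    if (!parsed.ok) return { accepted: false, reason: parsed.error };
    onMessage(parsed.value);
    return { accepted: true };
  };
}

// Constructed sample events standing in for window 'message' events
// (origin + data are the two fields the handler consults).
const SAMPLE_EVENTS = [
  { origin: 'https://app.example', data: '{"type":"greet","payload":"<b>hi</b>"}' },
  { origin: 'https://other.example', data: '{"type":"greet","payload":"hi"}' },
  { origin: 'https://app.example', data: 'alert(1)' },
  { origin: 'https://app.example', data: '{"type":"x","__proto__":{"admin":true}}' },
];

// Runs every sample through the handler and returns what was accepted.
function runSamples() {
  const received = [];
  const handle = makeMessageHandler(['https://app.example'], (m) => received.push(m));
  const results = SAMPLE_EVENTS.map(handle);
  return { results, received };
}

// In a browser this would be: window.addEventListener('message', handle);
// and the render step would be: el.textContent = payload, or
// el.innerHTML = escapeHtml(payload) when markup is unavoidable.
```

The origin check is the one that matters most: without it any page that can obtain a reference to the window can post arbitrary data, and parsing with JSON.parse rather than eval keeps that data inert even when the origin check is misconfigured.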


There’s an App for That

Presented by: Michael Anderson

Theoretically, the security industry knows that mobile phones are an exposed attack surface. Practically, very little attention has been paid to the subject. As an introduction, the resources that a mobile phone can provide to a hacker will be explained. These include persistent internet connections (providing an entry point to any physically nearby network) and a low profile (which assists in evading physical security). Next, discussion will focus on the construction of the proof of concept: using chroot jails with qemu files compiled for the ARM processor architecture. With the proof of concept model in hand, the presentation will include discussion of practical threat modeling demonstrating the usage of the above benefits. Two threats are discussed in depth: a targeted cyber attack/penetration test leveraging a mobile phone as an entry point, and using the phone as part of a less focused campaign to compromise poorly protected personal resources such as laptops or other mobile phones in coffee shops. To conclude, focus will be placed on further work. Potential opportunities for further research include packaging the qemu files necessary to run an emulated Linux environment as a payload.


WAFs - An Overview of Free Web Application Firewalls

Presented by: Roy Wattanasin

Web application firewalls (WAFs) are an additional security layer that can help protect against some common attacks, such as those on the OWASP Top Ten security risks list. By customizing the rules to your applications, many attacks can be identified and thwarted. However, this requires significant effort in testing and in maintaining application change control. Participants will come away with the basics of web application firewalls, the differences between them, best practices, and some common characteristics of using them.


You can find out more about this conference at the BASC homepage: http://www.owasp.org/index.php/2011_BASC_Homepage.
Conference Organizer: Jim Weiler