Front Range OWASP Conference 2013/Presentations
Keynote Address: 08:30 - 09:30
Data Protection for the 21st Century
| Mr. Neal Ziring is the Technical Director for the National Security Agency's Information Assurance Directorate (IAD), serving as a technical advisor to the IAD Director, Deputy Director, and other senior leadership. Mr. Ziring is responsible for setting the technical direction across the Information Assurance mission space. Mr. Ziring tracks technical activities, promotes technical health of the staff, and acts as liaison to various industry, intelligence, academic, and government partners. As part of his role, he guides IAD’s academic outreach program, acting as a technical liaison to several universities that are participants in the National Centers for Academic Excellence - Research (CAD-R) program. His personal expertise areas include router security, IPv6, VM-based secure systems, cloud computing, cross-domain information exchange, and mobile code security.
Mr. Ziring received B.S. degrees in computer science and electrical engineering (1985), and an M.S. in computer science (1986), all from Washington University in St. Louis. Since then, he has also taken courses from Columbia University and University of Maryland Baltimore County.
Virtually Mr. Ziring’s entire government career has been based in the NSA Information Assurance Directorate. He joined NSA in late 1988, working on software tools and cryptosystem simulation. In the 1990s he began working in IA Evaluations and, except for brief tours, has been there ever since. From 2003 to 2005 he held the position of technical director for the IA Evaluations System and Network Attack Center (SNAC). Between 2006 and 2010 he was detailed to the NSA Mission Systems Development group as the security architect.
Mr. Ziring is maintains his Cisco Certified Security Professional (CCSP) certificates. Prior to joining NSA, Mr. Ziring was a member of technical staff at AT&T Bell Laboratories. In addition to work, Neal enjoys martial arts, running, and playing classical guitar. He holds a 3rd degree black belt in Shorinji Kempo.
Session 1: 10:00 - 10:45
DevFu: The inner ninja in every application developer
Many times we try to draw a distinct line between developers and penetration testers. This creates a barrier that developers often feel intimidated to cross. The truth is that developers have an innate ability and perspective to become great penetration testers themselves.
Developers in the security industry carry a unique toolset as ethical hackers / security consultants that sets them apart from traditional penetration testers. By incorporating these skills as developers and combining them with the understanding and experience of building applications, developers can take web application penetration testing a step further than the rest.
This presentation will go over the various aspects to the developer DevFu toolbox including: deep programming knowledge, ability to write scripts on the fly, common shortcuts and their pitfalls, speaking the language, and secure coding practices. We will go over specific examples of scripts that increase productivity and extend functionality of existing pen testing programs.
SIP-Based Cloud Instances
This presentation will demonstrate the practical applications of SIP protocol for local cloud instances and how to create secure connections the cloud using SIP forwarding. Further it will present methods of securing cloud and data by using a Linux firmware router to host local based cloud domains, as well as showing secure methods of deploying these systems. In addition, the talk will show secure methods of using PHP and databases using Sqlite and MongoDB while using distributing computing between a Linux server and a Linux based firmware network appliance.
Several practical applications presented will include:
- Using Cloud-based SIP as replacement for Samba for file sharing in a corporate environment with S3 and WebDAV
- Creating a local domain such https://cloud.router.sip.com
- Connecting to the cloud from a mobile phone using SIP forwarding with SSL tunneling
- Using SIP based domains on VPNs to create a private clouds with a single point of access
There will be a demonstration on how to properly setup a Linux server to host local based domains for secure deployment, including proper deployment of Cherokee and Apache web servers for hosting SIP domains. Finally, the presentation will demonstrate properly configuration of SIP domains to the Linux based firmware network appliance.
At the end of the presentation a viewer will know how to properly deploy Linux server for SIP domain hosting and how to create secure cloud instances with SIP.
Digital Bounty Hunters - Decoding Bug Bounty Programs
Amid the growing trend to "crowd source" services, a few progressive enterprises are taking a new approach to information security. A potential game-changer, these companies are shifting the traditional model of IT risk assessment by opening their doors -- and their wallets -- to freelance hackers who break in without fear of legal repercussions. Bug Bounty Programs pay cash money to hackers for responsibly disclosing security vulnerabilities on production applications and networks.
This presentation will examine who these freelance digital bounty hunters are, their motivations, and their perspective on the value of bug bounty programs. It is equally as important to understand the perspective of the individuals that run these programs, how the programs fit into a comprehensive, information security framework, as well as key successes and failures to date of this new crowd-sourced model. As part of this, the discussion will review metrics from an existing program and highlight some of the more interesting bugs discovered.
Ultimately, what is the future for these bug bounty programs? Will they disrupt the existing marketplace for professional security consultant services by offering a cheaper, more effective crowd-sourced approach? Or are these programs simply a tool for the most advanced, most daring companies to take their security programs to the next level?
Electronic Discovery for System Administrators
As the Federal Rules of Evidence have evolved over the last several years, and as the volume of information in digital format has overtaken traditional printed media, electronic discovery had become more important than traditional paper-based discovery in litigation. While vendors can help with production, system administrators play a key role in the acquisition and production of Electronically Stored Information (ESI).
This presentation is designed to present an overview of the discovery process, explain how it differs from traditional computer forensics, and offer tips for administrators and managers to better assist in the production of ESI in the event of litigation (and hopefully to reduce the costs associated with production).
Session 2: 10:55 - 11:40
Adventures in Large Scale HTTP Header Abuse
While the technique of sending malicious data through HTTP Header fields is not new, there is a conspicuous lack of information on the topic.
This presentation explores research and testing results of random auditing of 1.6 million websites. The speaker will address the history of HTTP Header attacks, the logic that went into the creation of an HTTP Header Audit tool, and the most interestingly the findings of the test run.
How many vulnerable websites were discovered? What attacks were they most susceptible to? Which Header fields are most likely to be vulnerable?
Finally, the presentation will discuss defensive techniques around HTTP header abuse and how to efficiently audit a sites HTTP Header fields for vulnerabilities.
How Malware Attacks Web Applications
Modern malware has outpaced the ability for traditional defenses to detect and contain the threats. The core of the presentation will address several techniques used by malware to attack web applications, including:
- WebInjects (aka Man-in-the-Browser)
The technique for capturing web form data within browsers.
- Session Hijacking
The ability to redirect control of a session to an attacker.
- Persistence and Stealth
How does the malware go undetected, for so long?
How to detect malware interacting with your web applications.
Linking Security to Business Value in the Customer Service Industry
The value of trust cannot be understated when discussing Superior Customer Service.
"The main benefit of trust is customer loyalty, which in turn leads to a longer term relationship, greater share of wallet, and higher advocacy or word of mouth. Results from our consumer survey show that emotional and rational trust drive between 22% and 44% of customer loyalty." - Study by ESCP Europe Business School
Privacy protection is a pillar of trust. Studies show PRIVACY is of paramount importance to consumers and is growing in importance. A 2012 Ponemon Institute study on the “Most trusted companies on privacy” found that while the importance of privacy has grown over the last seven years, the loss of control over privacy has also grown as well.
The Call Center industry is at the confluence of these competing social and business priorities. On the one hand, the customer service representative (CSR) must engender competence and trustworthiness and on the other hand CSR must ask the caller for a credit card number or social security number, the most private and personal valuable pieces of information a consumer possesses.
Where there is a gap in expectations between consumers and businesses, there is an opportunity for business to differentiate themselves and fill the gap and win market share. This opportunity is being realized by emerging technology designed to satisfy Compliance standards as well as real consumer demand for privacy protections.
Call Centers as well as other types of businesses that can address consumers demand for privacy protections can improve their long term bottom line through TRUST and customer loyalty.
Legal Issues of Forensics in the Cloud
Have you ever thought about how you would conduct a forensic investigation on your data if it was all in the Cloud; or, if your company suffers a data breach and all your data is in the Cloud how you would get the information you need to determine what happened and the extent of the damage? The Cloud presents many issues and new challenges. The best thing you can do is be prepared, but how?
This lecture will discuss the issues associated with attempting to deal with a data breach in the Cloud as well as conducting a forensic investigation in the Cloud. How do you prepare? What needs to be included in your contract or service level agreement? Finally, if you were not able to prepare, is all lost? What can you do, legally?
Session 3: 12:40 - 13:25
Angry Cars: Hacking the "Car as Platform"
Renault announced "what it describes as a 'tablet,' an integrated Android device built into its next range of cars, effectively opening the way to the car-as-a-platform. The car is becoming a new platform. We need developers to work on apps." Not to be left behind Ford has introduced the OpenXC platform, which it sees as a channel for collaboration between Ford and 3rd party application developers.
What role will security play in shaping this newly emerging technology, when your car can tweet it needs an oil change? Cars rely heavily on small embedded microprocessors running on a network that was never designed to be secure. This talk will look at the current technologies used CAN bus, OBDII, and tire pressure monitoring systems and demonstrate their inherent weaknesses. What should be considered in the future when most cars will be connected to the Internet?
Top Ten Web Application Defenses
We cannot 'firewall' or 'patch' our way to secure websites. In the past, security professionals thought firewalls, Secure Sockets Layer (SSL), patching, and privacy policies were enough. Today, however, these methods are outdated and ineffective, as attacks on prominent, well-protected websites are occurring every day.
Citigroup, PBS, Sega, Nintendo, Gawker, AT&T, the CIA, the US Senate, NASA, Nasdaq, the NYSE, Zynga, and thousands of others have something in common – all have had websites compromised in the last year. No company or industry is immune. Programmers need to learn to build websites differently.
This talk will review the top coding techniques developers need to master in order to build a low-risk, high-security web application.
Using SaaS and the Cloud to Secure the SDLC
This session will cover Software as a Service (SaaS) offerings and how they can be effectively utilized in web security development efforts. Over the last few years, cloud services (i.e. SaaS) have been increasingly used as both a starting point for application security efforts and as a full outsourcing of the appsec program. However, by the very nature of cloud outsourcing and delivery, it is difficult to evolve this approach into a mature secure development lifecycle. Developer involvement is a necessity, and the solution has been to bring vulnerability assessment technologies in house. But recently, organizations have started to deploy a mixture of on-premise and cloud appsec solutions as an alternative to the all or nothing paradigm of on-premise or SaaS.
Topics covered include:
- Overview of vulnerability assessment using SaaS
- Overview of on-premise vulnerability scanning in the SDLC
- Challenges of on-premise and SaaS implementations
- Private cloud variations of on-premise and SaaS offerings
- Hybrid on-premise/cloud implementations in the SDLC
- Use of automation and integration with development infrastructure to ease developer adoption of on-premise/cloud appsec implementations
- How organizations can use SaaS to get started with application security and mature into a robust software security assurance program featuring on-premise and cloud deployments.
CISPA Why Privacy Advocates Hate This Legislation
Reintroduced in the House of Representatives on February 13, 2013, the Cyber Intelligence Sharing and Protection Act (CISPA) is a proposed US law which would allow for the sharing of Internet traffic information between the U.S. government and certain technology and manufacturing companies. The stated aim of the bill is to help the U.S government investigate cyber threats and ensure the security of networks against cyberattack.
CISPA has been criticized by advocates of Internet privacy and civil liberties, such as the Electronic Frontier Foundation, the American Civil Liberties Union, and Avaaz.org. Those groups argue CISPA contains too few limits on how and when the government may monitor a private individual’s Internet browsing information. Additionally, they fear that such new powers could be used to spy on the general public rather than to pursue malicious hackers. CISPA has garnered favor from corporations and lobbying groups such as Microsoft, Facebook and the United States Chamber of Commerce, which look on it as a simple and effective means of sharing important cyber threat information with the government.
Some critics saw CISPA as a second attempt at strengthening digital piracy laws after the anti-piracy Stop Online Piracy Act became deeply unpopular. Intellectual property theft was initially listed in the bill as a possible cause for sharing Web traffic information with the government, though it was removed in subsequent drafts.
Session 4: 13:35 - 14:20
DevOps and Security: It's Happening. Right Now.
How do you integrate security within a Continuous Deployment (CD) environment - where every 5 minutes a feature, an enhancement, or a bug fix needs to be released? Traditional application security tools which require lengthy periods of configuration, tuning and application learning have become irrelevant in these fast-pace environments. Yet, falling back only on the secure coding practices of the developer cannot be tolerated.
Secure coding requires a new approach where security tools become part of the development environment – and eliminate any unnecessary code analysis overhead. By collaborating with development teams, understanding their needs and requirements, you can pave the way to a secure deployment in minutes. Steps include:
- Re-evaluate existing security tools and consider their integration within a CD environment
- Deliver a secured development framework and enforce its usage
- Pinpoint precise security code flaws and provide optimal fix recommendations
A Demo of and Preventing XSS in .NET Applications
This presentation will cover a variety of approaches toward discovering XSS vulnerabilities in .NET applications, including:
- Microsoft's Web Protection Library/AntiXSS
- OWASP's AntiSamy.NET project
Measuring Security Best Practices With OpenSAMM
Security is becoming a competitive advantage in the marketplace. How do we ensure that security is built into products for our customers?
Security vulnerabilities can be introduced at any phase of the software development life cycle (SDLC). The Open Software Assurance Maturity Model (OpenSAMM) is lightweight, flexible framework that helps prevent vulnerabilities and improve security during software development.
This talk advocates adopting OpenSAMM to measure security best practices and improve our security processes, tools, and knowledge.
Crafting a Plan for When Security Fails
A computer security incident, whether an exposed system with protected data or a hacked application, requires a planned response to quickly address and contain the threat. We exist in a world where having a plan is a necessity. Companies in various industries possess vast amounts of regulated and confidential data; this arrangement places a great amount of responsibility on the custodian. Unfortunately, in today's world, it is almost inevitable that you will be the target of an attack or mishandle data that may cause a potential exposure. Do you have a codified plan that helps guide your response?
CSIRPs are robust documents that are difficult to create. Developing a CSIRP that takes into account organizational culture and existing structure, creates buy-in from various departments, and is applicable in a wide array of emerging and existing threats while balancing substance and brevity may be a herculean task.
This presentation will provide the basis for the need for a CSIRP, discuss pitfalls and strategies when crafting CSIRPs, explore common ways they fail, and offer tips to create a healthy, viable, and useful process to use when confronting a computer security incident.
This presentation is geared towards those wishing to learn more about creating a viable computer security incident response plan (CSIRP).
Session 5: 14:30 - 15:15
Real World Cloud Application Security
This presentation will provide the audience with a case study of how real world organizations using the public cloud are approaching application security. Netflix, one of the largest AWS and public cloud users in the world, will serve as the subject of the case study.
The discussion will cover a variety of topics of interest to application security personnel, including:
- Automating and integrating security into CI/CD environments
- Large scale vulnerability management
- Continuous security testing and monitoring, including Netflix's Security Monkey and Exploit Monkey frameworks
- Cultural integration of security in DevOps/agile organizations
Data Mining a Mountain of Zero Day Vulnerabilities
Every day, software developers around the world, from Bangalore to Silicon Valley, churn out millions of lines of insecure code. This presentation evaluates an anonymized vulnerability data set derived from static binary analysis on thousands of applications belonging to large enterprises, commercial software vendors, open source projects, and software outsourcers.
By mining this data we can answer some interesting questions. What types of mistakes do developers make most often? Are we making any progress at eradicating XSS and SQL injection? How long does it really take to remediate software vulnerabilities? How secure are third party software components?
The discussion will answer these questions and many others, giving you a deep dive into metrics not found anywhere else.
Defending Desktop (.NET/C#) Applications: Mitigating in the Dark (A Case Study Remix)
This presentation is on the case study(s) of desktop applications undergoing a cracking/hacking/attacking life cycle. This is the summation of multiple software projects undergoing attacks from a detected and focused attacker. This presentation follows a Product Owner(s) and Coder(s) going from a self directed response.
Your software project has been going for years, your client base is growing, your making deadlines then one day some e-mail shows up and your world starts to crumble. Crack after Crack keeps coming out every version; Your new Upgrades/Code keep showing up in a competing product; Malware keeps hitting your clients. See the steps taken by day-to-day product Owner(s) and Coder(s) as they respond to security events that never crossed their minds as potential threats.
Information Control: The Critical Need for a Defensible Position - Securing the Information Ecosystem
Given an overview of Identity Theft, fraud and information exposure participants will discover that the liability of these issues is much broader than they are prepared to manage.
Given case studies and stories from field experience, participants will identify gaps in information compliance policies and practices that place every organization at risk beyond areas of commerce, compliance, and technology.
Upon completion of the session participants will recognize critical gaps in their information ecosystem that need to be addressed in order to create a defensible position in the case of a breach.
Friday Sessions (3/29): 09:00-13:00
Refine your skills at this expert-lead course (included in the price of the conference!). From junior developers to senior, this class is a Must for everyone who writes code.
Specific topics include remediation (in code) of:
- SQL Injection
- Password storage strategies
- Authentication best practices
- Multifactor authentication
- CSRF defense
- WAF/Virtual Patching
Speaker: Aaron Weaver
Capture the Flag: Postmortem
Ask questions about challenges from Thursday's competition, give suggestions on how to improve for next year, and participate in a FLOSSHack-style assessment of the CTF's underlying infrastructure. This gloves-off pen test will target the unintended and malicious acquisition of flags, keys, hints, and points. Cheating, lying, and dirty tricks are highly encouraged as we hack away at the scoreboard and the distributed VM.
Speaker: Mark Major