LASCON 2015

Any optimization outside the critical constraint is an illusion. In application security, the size of the security team is always the most scarce resource. The best way to optimize the security team is automation. This training will provide an overview of key application security automation principles and provide hands-on experience with creating an Application Security Pipeline augmented with automation. Over the course of two days, the students will cover the crucial aspects of where and when to add automation to their application security practices and gain experience with integrating APIs, automating security scanning, consolidate and de-duplicate security issues, automating submission of issues to defect trackers and generating reports/metrics in an automated fashion. Students should leave with an firm understanding of how to apply DevOps and Agile concepts to optimize their security programs. The labs consist of a series of exercises which build upon each other to construct an AppSec Pipeline. After discussing each fundamental part of the pipeline, the student will be provided a lab to construct that portion of their own AppSec Pipeline. While these will be somewhat scripted labs, they will provide working examples of all the key concepts needed in adding automation to an AppSec program allowing the student to have seen the concepts in action before returning to work and applying them to their particular situation. Who Should Take This Course? AppSec professionals who are running an internal AppSec program. This course is designed to demonstrate both the principals in theory and practice around the creation of an AppSec Pipeline, the benefits it brings and how it can help you do more with less. Multiple open source software packages will be used to setup an example AppSec Pipeline in a series of hands on labs. The concepts and techniques of this course can then be applied to their AppSec programs to build their own, custom AppSec Pipeline. What Should Students Bring? A laptop capable of running a VM in either VirtualBox, VMware Player/Workstation/Fusion or Parrallels. A custom VM will be provided to the students which contains all the necessary software for the labs.

Understand JavaScript and HTML5 Features to Secure Your Client-side Code

This full-day course helps web front-end developers understand the risks involved with manipulating JavaScript and HTML5 and apply defensive programming techniques in both languages.
Some of the topics covered include, but are not limited to, important security aspects of modern browser architecture (Document Object Model and Same Origin Policy), XSS, CSRF, DOM manipulation, Sandboxing iframes, Cross-origin Resource Sharing, Content Security Policy, Web Messaging, Web Storage, and JSON.

This course is structured into modules and includes exploitation and remediation exercises. The high-level topics for this course are:
• The HTML5 and JavaScript Risk Landscape
• Storage of Sensitive Data
• Secure Cross-domain Communications (CORS, web messaging)
• Protecting from Cross-site Scripting (CSP, JavaScript Execution Contexts, Output Encoding)
• Implementing Secure Dataflow
• Securing AJAX Requests and JSON Data

Objectives
After completing this course, students will be able to:
• Apply HTML5 Defensive Programming Techniques
• Apply JavaScript Defensive Programming Techniques
• Apply JSON Defensive Programming Techniques
There should be a maximum of 20 students.

Labs and Demonstrations
If students bring their own laptops with internet connectivity will be able to access online Virtual Machines with labs. In lab sessions students will learn to fix issues related to localStorage, web messaging, sandbox attribute for iframes, CORS, CSP, parsing JSON data, and DOM-based cross-site scripting. The course also includes several interactive demonstrations showing how to tamper with client-side data, evade client-side filters, and work with Firebug. The labs are not compulsory to get the full value of the course.

Note, the training has been recently updated with the latest information on CORS, CSP, and new lab exercises.

In this training, application security experts Dan Cornell and Josh Sokol will walk developers through some of the most common application security risks that are encountered. You will learn how to detect and prevent common vulnerabilities such as Cross-Site Scripting (XSS), SQL Injection, and Cross-Site Request Forgery (CSRF). No prior experience is assumed and content will be generically applicable to most programming languages.

To attend this training, you must register here > http://lascon.org/free-owasp-training/ 

Any optimization outside the critical constraint is an illusion. In application security, the size of the security team is always the most scarce resource. The best way to optimize the security team is automation. This training will provide an overview of key application security automation principles and provide hands-on experience with creating an Application Security Pipeline augmented with automation. Over the course of two days, the students will cover the crucial aspects of where and when to add automation to their application security practices and gain experience with integrating APIs, automating security scanning, consolidate and de-duplicate security issues, automating submission of issues to defect trackers and generating reports/metrics in an automated fashion. Students should leave with an firm understanding of how to apply DevOps and Agile concepts to optimize their security programs. The labs consist of a series of exercises which build upon each other to construct an AppSec Pipeline. After discussing each fundamental part of the pipeline, the student will be provided a lab to construct that portion of their own AppSec Pipeline. While these will be somewhat scripted labs, they will provide working examples of all the key concepts needed in adding automation to an AppSec program allowing the student to have seen the concepts in action before returning to work and applying them to their particular situation. Who Should Take This Course? AppSec professionals who are running an internal AppSec program. This course is designed to demonstrate both the principals in theory and practice around the creation of an AppSec Pipeline, the benefits it brings and how it can help you do more with less. Multiple open source software packages will be used to setup an example AppSec Pipeline in a series of hands on labs. The concepts and techniques of this course can then be applied to their AppSec programs to build their own, custom AppSec Pipeline. What Should Students Bring? A laptop capable of running a VM in either VirtualBox, VMware Player/Workstation/Fusion or Parrallels. A custom VM will be provided to the students which contains all the necessary software for the labs.

Understand JavaScript and HTML5 Features to Secure Your Client-side Code

This full-day course helps web front-end developers understand the risks involved with manipulating JavaScript and HTML5 and apply defensive programming techniques in both languages.
Some of the topics covered include, but are not limited to, important security aspects of modern browser architecture (Document Object Model and Same Origin Policy), XSS, CSRF, DOM manipulation, Sandboxing iframes, Cross-origin Resource Sharing, Content Security Policy, Web Messaging, Web Storage, and JSON.

This course is structured into modules and includes exploitation and remediation exercises. The high-level topics for this course are:
• The HTML5 and JavaScript Risk Landscape
• Storage of Sensitive Data
• Secure Cross-domain Communications (CORS, web messaging)
• Protecting from Cross-site Scripting (CSP, JavaScript Execution Contexts, Output Encoding)
• Implementing Secure Dataflow
• Securing AJAX Requests and JSON Data

Objectives
After completing this course, students will be able to:
• Apply HTML5 Defensive Programming Techniques
• Apply JavaScript Defensive Programming Techniques
• Apply JSON Defensive Programming Techniques
There should be a maximum of 20 students.

Labs and Demonstrations
If students bring their own laptops with internet connectivity will be able to access online Virtual Machines with labs. In lab sessions students will learn to fix issues related to localStorage, web messaging, sandbox attribute for iframes, CORS, CSP, parsing JSON data, and DOM-based cross-site scripting. The course also includes several interactive demonstrations showing how to tamper with client-side data, evade client-side filters, and work with Firebug. The labs are not compulsory to get the full value of the course.

Note, the training has been recently updated with the latest information on CORS, CSP, and new lab exercises.

Video to the talk

As our adversaries continue to gain speed and surpass the technologies
that protect our assets, we must change our mindset to think like the
bad guys.

In this talk, Robert Hansen and Matt Johansen will cover:
- Ways to counteract new rapid-paced hacking techniques
- How adversaries are gaining pace with new tools and tactics
- Why the old mantra of quarterly scanning to detect and patch will not work in the future

Link to the Video 

Unlike most analyst or vendor-related reports, this is an independent, critical assessment of authentication technologies and methods.

This talk covers multi-factor authentication, and what to look for if you are planning a product refresh, or implementing a solution for the first time. Since there are over 200 authentication vendors, it is not easy to select the best solution for your needs. This talk will arm you with questions to ask, plus identify some suboptimal technologies to avoid. Your feedback to vendors will help them provide better, more secure products and services.

Just say, “No,” or request alternatives for the following suboptimal choices in some multi-factor authentication products:
• 2D fingerprints, other already-hacked or easily hacked biometrics
• Quick Response (QR) codes
• Short Message Service One-Time Password (SMS OTP)
• JavaScript requirements
• Weak account recovery methods
• Overreliance on GPS
• Lack of mobile device risk analysis
• Lack of checks for OWASP Mobile Top 10 Risks for mobile apps
• Encryption with backdoors, or mysterious constants or “magic numbers” of unknown provenance.”
• Elastic definition of multi-factor authentication: there is a growing chasm between NIST’s definition and newer definitions from some vendors.

Video to the talk 

As "software eats the world", being in software engineering has never been more exciting. The promise of software-as-manufacturing is here and it's complex supply chains, virtual containers, and infrastructure-as-service have lead to huge advances in delivery, capability and availability. However it has also blurred the line of what a "developer" (and others) are responsible for. In addition, engineering organizations are faced with demands of "going faster" while at the same time improving quality and security. Rugged Software Engineering is a start of dialog on resolving this conflict. Proposed are practical additions to ensure your software lifecycle is both rapid and rugged.

Video to the Talk 

How many applications are in your company’s portfolio? What’s the headcount for your AppSec team? Whatever your situation is, I am sure the numbers are not in your favor. Its not time to find a new career, it's time to up your game. This talk will cover how to take your small merry band of AppSec professionals and scale it up to a virtual army. By taking the best of DevOps, Agile and CI/CD, you can iteratively up your AppSec game over time and begin your ascent out of the security hole you are in.

The talk covers real world experiences running AppSec groups at two different companies. Rackspace with approximately 4,000+ employees and Pearson with 40,000+. Both have an international presence and far more apps and developers that AppSec staff. The talk covers the key principles to speed and scale up AppSec programs as well as practical examples of these practices put into use. Example results? How about under a minute to provision recurring static scanning of an application? How about 24/7 remediation advice available to any developer - even while you sleep. Report generation - in minutes. Automation, Orchestration, ChatOps, its all in our AppSec Pipeline. Start early and begin to buy down the technical security dept which feels inevitable using traditional AppSec program thinking.

Watch the talk here

As security breaches increasingly move from operating system originated attacks to application-level attacks, a web application firewall (WAF) is becoming an increasingly indispensable tool in the arsenal of security-conscious website operators and hosts. Tools like ModSecurity provide knowledgeable website and network admins with useful WAF-like capabilities, but what if you are writing an application for large-scale deployment where the install environment is unknown? Integrating WAF-like capabilities directly into your PHP application can provide an additional layer of security that can be difficult for skilled admins to replicate using other methods. With a simple include and a few lines of code, your application can stop a variety of attacks before any potentially sensitive code is executed or a database connection is even made. This presentation will provide you with a skeleton security framework and introduce you to a way to give website owners insights into potential attacks as well as their authorized users' experience.

Watch the Talk Video here

Increased trust in an online identity = increased mitigation of the risk of fraud. As an enterprise interacts with a person via the Internet, it may be prudent, for certain transactions, to have more evidence of that person’s identity. Web Access Management systems include some proprietary features to force “stepped-up authentication.” But luckily, new OAuth2 profiles like UMA and OpenID Connect offer a standards based approach to achieve inter-domain trust elevation. This session will include a high level overview of the Enterprise UMA use case and some of the useful OpenID Connect features that can be leveraged to create centralized authentication policies.

Watch the Talk Video

What is Docker? Why is it such a big deal? How does it enable DevOps thinking and practice? What are some of the security concerns and solutions around this amazingly popular new form of system virtualization? The first third of the talk will describe Docker, the history of containers and the differences between containers and VMs (Hint, VMs are much more secure) The second third will talk about the potential benefits of Docker in particular and why it is so popular. The emphasis will be on why security minded folks might consider it time well spent for their company to see if Docker makes sense. The third part will highlight the notion of identity management as something completely missing from the Docker paradigm today and what is happening in Docker's larger ecosystem to address it. Additionally it will demonstrate Docker's first nod toward security with Notary (https://github.com/docker/notary)

Watch the Talk Video

In this session, we'll discuss how to test some of the latest application functions found in online store fronts, shopping carts, logic constrained workflows powered by AJAX and RESTful API's. We'll use a new open source test application, Hackazon.
We'll be sure to fill your shopping cart full of information about testing modern applications and we'll go deep in the DOM to do it. While we're there, we'll be sure to exercise those pesky and oft-overlooked RESTful API's where some of the sneakiest vulnerabilities (and bounties!) hide.
Join us to learn the following:
· Why are these modern application functions going untested?
· What vulnerabilities are hiding in those functions?
· How to begin systematically finding and validating those vulnerabilities

Watch the Talk Video

TLS/SSL is ubiquitous nowadays and is widely used to protect traffic on the Internet. Although TLS/SSL originated to protect web sites, it is now also being used for email, web services and VPNs among others. Yet, despite its widespread adoption, it is still difficult to keep track of the constantly emerging vulnerabilities that affect it. If not monitored, certificates can expire and new attacks are discovered even for mainstream ciphers and hashing algorithms. Add to that accidental server misconfigurations, unpatched systems, and flawed implementations, and the task of keeping systems current can become daunting. To make matters worse, commonly-used server configurations can be deprecated in major browsers/clients, breaking backwards-compatibility, providing a worse user experience for some, and leaving product maintainers scrambling to update certificates and settings quickly. For all these reasons, systems need constant vigilance to keep them up to date. This session will examine some steps which can be taken to keep up with the constantly changing landscape and demonstrate a few tools which can help manage and automate necessary updates to TLS/SSL endpoints.

Watch the Talk Video

Structural engineering analyzes various types of load stresses on materials as a means of improving building strength. One important requirement in the proper design of a structure is the flexibility of the applied material. Materials that are too rigid will likely crack over time due to stress which may compromise the integrity of the structure.

Proper software architecture also requires a certain amount of flexibility in order to maintain proper security during the software's lifecycle. Factors such as software errors, modified encryption algorithms, physical architectures, data requirements or even modified regulatory compliance requirements will likely require changes in the software. Like its physical counterparts, software that is initially designed as "inflexible" will be difficult to change which will increase the probability of introducing new vulnerabilities. Unfortunately, software is sometimes "quick and dirty" in the rush to production which poses serious risks to sensitive data. Higher level languages like Java are not immune to this issue.

A personal example in how "inflexible" software development added a considerable amount of problems that impacted the product's bottom line will be given and tips will be provided to help improve developers' skills in writing better code.

Watch the Talk Video

Let’s be honest, PHP has had a rocky history with security. Over the years the language has been highly criticized for it’s lack of a focus on security and secure development practices. In more recent years, however, a resurgence has happened in the language and community, bringing secure development back into focus. With PHP 7 on the horizon, the language is making even more strides to improve some of its wayward ways of the past and reinvent itself. I’ll share practical code examples, tools, libraries and best practices that are making it easier than ever to keep PHP applications safe.

Come along with me as I guide you through both the language improvements and community encouragement making PHP a more secure place.

Watch the Talk Video

The pervasive use of mobile devices and their integral role in accessing online services has created new opportunities for online authentication. At the same time this trendit poses significant challenges to provide a secure and usable mechanism for protecting sensitive data. There are several existing authentication methods with varying degrees of security and ease of use. For example, on one end of the spectrum we have systems that rely exclusively on passwords. These systems are easy to use but very insecure. Other the other end we can think of systems relying on traditional PKI based hardware tokens. These are hard to setup, and often equally hard to use., Between these two extremes we have a range of solutions such as one-time-code (OTC), one-time-password (OTP), SMS text, out-of-band (OOB) delivery of credentials. Each of these approaches has its own pros and cons in terms of user experience and security. In general, existing authentication solutions that are easy to use often lack in security and solutions that are very secure are invariably not so easy to use.

There is a need to have a secure authentication method with good user experience that leverages the existing available standards and technologies which make it easy to deploy. Mobile Connect is designed to address this need. Mobile Connect relies on existing standards, including OpenID Connect, and ETSI Mobile Signature Service, and is backed by GSMA, an international alliance of more than 800 mobile network operators worldwide. It enables mobile authentication with different levels of assurance. The technology behind Mobile Connect makes it possible for seamless rollout with minimal effort from Service Providers. For end users, the solution works on most if not all mobile phones, regardless of whether these are smart phones or feature phones.

In this talk we will introduce Mobile Connect, talk about deployment architecture and discuss various application use cases that address the security and usability needs of a world that is becoming increasingly mobile. We will also discuss how Mobile Connect and FIDO can complement each other and deliver solutions that break the traditional silos of authentication methods. In particular, we will cover the following topics:
1. Online authentication background, existing solutions and their limitations
2. Overview of Mobile Connect and the existing standards and technologies it relies on.
3. Example of how Mobile Connect can complement existing solutions
4. End user experience with respect to the use of Mobile Connect.
5. Technical as well as business related challenges that influence adoption of Mobile Connect.

Watch the Talk Video

Every software development organization on the planet relies on a software supply chain that is consuming a massive volume of open source and third-party components at extremely high velocity. To provide a much clearer perspective to this volume and velocity, we can see that a global population more than 11 million developers consumed over 20 billion components in 2014.

Those leading AppSec and DevOps practices who have pursued improved visibility, supplier choices, and control mechanisms across their software supply chains have boosted developer productivity by 15% - 40%, crumbled mountains of security debt, and shifted millions of dollars from sustaining operations to accelerating innovation.

Yet the vast majority of organizations developing software are blind to their free-for-all consumption volume, patterns, and velocity. Their software supply chain practices are silently sabotaging efforts to accelerate development, improve efficiency and maintain the integrity of their applications.

In June, I authored the 2015 State of the Software Supply Chain Report. It is a quantitative analysis of more than 106,000 "manufacturers" (software development organizations) consuming billions of open source and third-party software components from over 100,000 “suppliers” (open source projects).

While the average large organization in the study consumed 240,000 open source and third party software components in 2014, the study revealed:

- An average of 15,337 (7.5%) components consumed included known security flaws, impacting the integrity of operations

- 75% of organizations lack policies that control the use of open source and third-party components that are making their way through their software supply chains and into production

- An average application has 24 known critical or severe open source security flaws, electively built in by the development team

But this discussion is not intended to simply shed light on bad practices, it is about learning. Attendees will gain new visibility as to what’s happening in their own software supply chains, how to avoid these elective risks, and how leading technology, banking, and government organizations are applying proven supply chain principles from other industries toward improving their AppSec and DevOps practices.

Watch the Talk Video

Watch the Video

Yesterday the developer community was all about Javascript and node, and today everyone's talking about "Go", and perhaps writing applications and services in your enterprise using Go. In this talk, I'll cover practical advice to build more secure applications written in Golang, and cover best practices that all developers should be adhering to when building go apps.

Unlike ALL the other talks, you don't have to wait till LASCON 2015 to listen to this talk. As a part of the abstract, the 1st tip is free!

Best Golang security tip evar #1: use crypto/rand to generate secure random numbers
Remember when all your developers kept using java.util.Random and didn't realize it wasn't a secure random number? Well, golang makes this mistake a lot harder to make. A quick google search on "secure random number in golang" only gives you 1 result- use crypto/rand. The creators of Go realized that developers kept making this mistake, and added 1 solid way to generate random numbers. This lessened the need for other developers to create their own homebaked secure random number generators, and avoid vunerabilities.

Hear the rest of the content at the conference!

Watch the Talk Video

Security is becoming quite the thing now days, everyone wants to have one of them. The mantra that things should be built with security in mind and can't be plastered on later is a very important one, if you're based in Silicon Valley and are about to write "teh new hotness", but what happens if your company is older than say, 6 months. You already have some legacy systems and code. I'll be talking about how it's possible to unearth some of these things. What happens when you do uncover these things. How to stop them happening. And coping strategies for dealing with them.

Watch the Talk Video

Continuous Integration and Continuous Deployment (CI/CD) has become a must for many progressive organizations, and SAMI’s OpenCloud team is not an exception. While we are a part of a very big global company called Samsung, OpenCloud Dev and Security teams are rather small; the tasks and mission that we're trying to accomplish are anything but.

Come to our presentation to learn about our way of automating security that we dubbed as Threadfix-Centric Application Security Architecture. You will learn in this session:

1. Why and how the traditional approach to AppSec needs to be changed.
2. Why security testing is not the same as QA testing.
3. What requirements we considered when choosing tools and building security automation framework.
4. Why Threadfix is not just yet another security dashboard.
5. What is the making of security.

Finally, as a bonus we'll tell you how to use QA regression tests for even better coverage in AppSec testing.

Watch the Talk Video

Node.js is the drive-and-go language and its popularity is soaring. Five years after its debut, and the language’s framework boasts more 2M downloads a month.

Before accelerating too quickly, it is important to understand the power – and corresponding mishaps – of this language.

In this talk, we demonstrate new attack techniques against applications built on top of the Node.js language.

Attacks include:

· Application-layer DDoS attacks. Bringing a server to its knees with just 4(!) requests.

· Password exposure attacks. Leveraging the “Forgot My Password” feature of applications in order to reveal the passwords of all the application’s users

· Business logic attacks. Running malicious code on all machines of users of the applications when exploiting a weak business feature

Watch the Talk Video

The speed debates are back, this time with a Back to the Future theme.

Watch the Debates Video

Buzzwords about Agile are flying around in overwhelming speed, talks about Scrum, Kanban, XP and other methodologies and practices are thoroughly discussed while security is still left as a 'high level' talk or sometimes as understanding how to adapt from traditional development methodologies. Some best practices will leave you scratching your head, unsure what was the original intention and without understanding how to implement security in Agile, effectively. This lecture will bring the all the undocumented failures during such process, and best ways of avoiding them prior to experiencing them.

Watch the Talk Video

Watch the Talk Video

How do you verify and protect your APIs, REST and SOAP services, and custom interfaces? They’re everywhere in modern webapps, mobile, IoT, and more. And they're just as susceptible to injection, unauthorized access, account hijacking, and other attacks as traditional web applications. But traditional static (SAST) and dynamic (DAST) scanners simply don’t work on APIs. In this talk, Jeff will discuss techniques and challenges testing and protecting modern service-based web applications, like ones running Spring Security, Spring Boot, and Angular JS. Jeff will discuss the use of security instrumentation to identify vulnerabilities in APIs during development, and protecting those APIs in production. Instrumentation has revolutionized the field of performance management, which (like application security) used to be dominated by experts using expert tools to generate PDF reports. We'll explore how instrumentation can allow application security to work on APIs, work in conjunction with Waterfall/Agile/Devops, scale to entire application portfolios, and change the way we practice application security.

Watch the Talk Video

Watch the Talk Video

I've been building software security programs for nearly a decade, and continue to observe the same challenges. Adding security into the dev process relies heavily on dev's own processes which can make implementing a software security program difficult. This talk will communicate common challenges when building a software security program, tips and tricks for addressing them, and expectations you'll need to improve the security of your company's software.

Watch  the Talk Video

By 2019, there will be half a billion wearable devices in use every single day. These wearable devices track everything from your heart rate, number of steps taken, distance you have traveled, GPS locations, insulin levels, etc. Wearable security encompasses many facets of security, and includes the security of other devices and communication protocols. Device security, application security, and network security all play an important role in the overall security posture of said wearables. Part of being a security researcher is understanding how each of the security controls work, understanding potential threats to the wearables, and how the wearable devices interact with other connected devices. This talk will help listeners understand the threat landscape of wearable devices and what to think about when developing applications for wearables.

Watch the Talk Video

RESTful APIs are an increasingly common attack vector for applications. Despite this ever-present threat, open source and commercial vendor support for automatic API security scanners remains limited. With the rate at which APIs are developed, enhanced and deployed, this lack of security test automation creates a gap that at its best limits adoption, and at its worst may leave an application open to attack. To fill the gap in security testing efficiency, members of the Rackspace Quality Engineering and Security Engineering teams worked together to create an Open Source, automated API security scanner
.
Syntribos is a flexible, automated scanner that provides configurable test coverage for any RESTful API, and has significantly improved the security test workflow at Rackspace. In this talk, you’ll understand the potential for Syntribos automation in your security program as we

• Discuss the design and architecture details
• Illustrate the simple configuration requirements
• Lay out the painless steps for adding new test types
• Describe the plugin support

Learn how Syntribos enables you to test RESTful APIs in an automated way, helping to detect and eliminate common security vulnerabilities such as SQL injection, command injection, denial of service attacks, and more.

Watch the Talk Video 

All security professionals commit preventable workplace mistakes: We trust our intuition when impaired by cognitive bias, and we interpret the words and actions of others incorrectly, leading to ineffective communication. These mistakes lead to poor, inconsistent relationships with everyone involved in the development lifecycle. We can address them by understanding the behavior of others and by learning to architect objective decisions.

As we started to connect more devices and use Machine-to-Machine (M2M) communications in the IoT world, protocols better suited than HTTP were needed to make it possible. These protocols were designed for constrained devices with less processing power, less power consumption, and frequent communications. Like many protocols that have come before them, there is always a little bit of security gray area and the potential to introduce interesting security flaws into concrete implementations. Implementing these protocols across many different programming languages, frameworks, and device platforms adds to the complexity of developing secure real-world systems.

In this presentation we will explore two of the most commonly used IoT protocols, MQTT and CoAP. We will explore how they work, protocols they’re designed to work with, and common architectures. Attacks against the protocols and specific implementations will be demonstrated that can be used to impersonate other devices, knock systems offline, and potentially execute remote code. We will demonstrate how to mitigate these issues within your own code as well as library and framework issues to watch out for.

Most enterprise application security teams have at least one Static Analysis Security Testing (SAST) tool in their tool-belt; but for many, the tool never leaves the belt. SAST tools have gotten a reputation for being slow, error-prone, and difficult to use; and out of the box, many of them are – but with a little more knowledge behind how these tools are designed, a SAST tool can be a valuable part of any security program.

In this talk, we’ll help you understand the strengths and weaknesses of SAST tools by illustrating how they trace your code for vulnerabilities. You’ll see out-of-the-box rules for commercial and open-source SAST tools, and learn how to write custom rules for the widely-used open source SAST tool, PMD. We’ll explain the value of customizing tools for your organization; and you’ll learn how to integrate SAST technologies into your existing build and deployment pipelines. Lastly, we’ll describe many of the common challenges organizations face when deploying a new security tool to security or development teams, as well as some helpful hints to resolve these issues

In the rush to reap the benefits from Big Data projects, organizations frequent forget the importance of securing and protecting their "Crown Jewels". From a security and privacy perspective, Big Data differs from traditional data and requires a different approach. At the same time, it shares many commonalities. Existing methodologies and preferred practices can easily be extended to support Big Data. This talk will describe how and why Big Data is different, the data security and privacy challenges, and a set of best practices and recommended technical controls that will help you to secure and protect your organization's Crown Jewels.

Connected cars top the list on consumer Internet of Things (IoT) wish lists, and automakers are already delivering the first wave of products. As quickly as the automakers are adding features, security researchers are finding and exploiting flaws, largely for notoriety and attention from the press. But it won’t be long before cyber criminals find a financial motive for hacking vehicles, the surveillance value of installing malware is identified, and hacktivists realize the potential, as well.

We’ll look at some of the flaws already presenting themselves in connected vehicles, what automakers can do to get ahead of the threat before the threat actors cause damage, and how everyone can influence the safety and privacy of not just connected vehicles, but the Internet of Things.

ThreadFix is an open source application vulnerability management system that helps automate many common application security tasks and integrate security and development tools. This presentation looks at the components of the platform and how they work together to help developers and application security analysts build more secure software. In addition to being a platform, ThreadFix is also an ecosystem of users and volunteers and the presentation will look at several case studies of how these groups have worked together to extend and improve the ThreadFix platform.

This is not a talk about integrating ZAP with Jenkins ;). Security has fallen behind the automation used by the rest of the software industry, and I’ll show you how we can catch up. There are plenty of automated tools used in our profession. For mission critical applications, none of them provide the coverage we need to sleep easy. Manual testing can also be extremely time consuming. This talk will show you how to turn any manual assessment into an automated script. I’ll demonstrate how to solve the more difficult aspects of security automation like XSS validation by utilizing browser hooks. Finally, I’ll cover how to build robust automated security tests that are ready to be plugged into a continuous delivery system.

Security is comprised of people, process and technology. As security professionals we are naturally drawn to the new shiny thing. Yet, how important is the culture of security to the overall security posture of an organization. Is your industry a bigger target than others? Lets brainstorm together with a hot cup of java and share nuggets of security stories from our lives to see what works and what does not.

Over the years, application security (appsec) has made progress, but it has also made some considerable mis-steps. Appsec focuses almost solely on developer awareness and secure development training as remediation. This isn't sustainable and arguably does little good. There is a better way, but we have to separate ourselves from the core assumptions we have made that got us here. Lets journey together to find old truths and better approaches.

We will explore ways to make a change for the better across all levels of the development lifecycle, but we will focus on security testing early on in the development process. From this session, you will learn pragmatic approaches and tooling that will affect your development processes and delivery pipelines. You will walk away with code examples and tools that you can put into practice right away for security and rugged testing.

In this talk, you will join forces with Jedi RAPst4r (Reuben Paul), some cool pilots (parents & mentors), wookies (supporters), and possibly droids to show how the CyberUniverse can be saved from evil Dark inVaders (Cyber criminals, Cyberbullies ...). Come for a fun-filled, light-weight talk and learn about “what” and “who” is the … NEW HOPE and “why?”  

With a continued rise in the number of victims of violence in the United States, there has been a rise in organizations being formed to help the victims. According to a report published in January 2015, 20 people per minute fall victim to physical violence by an intimate partner. Today, victims of violence and the organizations chartered to help them are facing greater challenges with the emergence of powerful technologies and accessibility to the Internet 24 hours a day. This talk will explore how crisis organizations are now facing greater risks in the digital domain, but not just from attack but also in striking a clear and appropriate balance between information security, privacy and the law; an example that many non-profit organizations are facing.

iSEC Partners routinely carry out Attacker Modeled Penetration Tests that use any and all means possible to gain entry to a company. The goal is to test organizations against true-to-life attack and penetration activities that real attackers use in the breaches that make headline News (and the breaches that don't).
Organizations that use Cloud Services to provision an operating environment to support a product, or use Cloud Service Providers to outsource elements of traditional enterprise IT into the Cloud, can find those very aspects used against them in an attack. While the potential attack surface for a breach changes, in many ways the use of Cloud infrastructure can make it easier for an attacker to gain access to critical systems and data. In this session the speaker will describe methods of penetration used during recent tests, illustrating how Cloud Services are viable entry points that lead to significant compromises. The following areas will be discussed:
- Common mistakes in deploying Internet-facing Cloud infrastructure
- Replication and communication paths between Cloud and on-premises infrastructure
- Effective ways for attackers to gain access to the Cloud Service administration console
- How the use of Cloud Services is weakening enterprise IT security
- Methods for securing Cloud Services, closing vulnerabilities and protecting the company

Limiting application security tests to a single attacking host has left the industry using phrases such as “an attacker could” or “an attacker may be able to,” when referencing common attacks such as online attacks against user credentials, application-level denial of service and username enumeration. Attacks from a single host are not practical, and do not model real-world threats. The aforementioned tasks would benefit greatly from the ability to distribute across different hosts to properly demonstrate impact.

Httpillage is a tool designed to distribute HTTP(s) based attacks across multiple nodes, in similar fashion to a traditional botnet C&C server. Common attacks such as online password brute-force, denial of service, and application enumeration are entirely possible to distribute, increasing speed and effectiveness.

This talk will demonstrate the use of httpillage to launch common attacks across multiple nodes, including the ability to brute-force time-based password reset tokens. We’ll walk through scenarios that demonstrate how to provide proper impact demonstration, launching attacks that would not be successful during a traditional pentest.

Security has been trying to catch up with technology all this time, but the gap may well be increasing, particularly with the growth of consumer devices and the Internet of Things. The reason has to do with delegation and proxy activities online. Current IAM models are no match for the real world of legal, fiduciary and minor representation. In this session, we’ll talk about what needs to change so that both security and privacy are truly available to all members of society.

How can we really automate secure coding? Agile, DevOps, Continuous Integration, Orchestration, Static, Dynamic - There's an endless feed of Buzzwords, but how can we turn this into a practice that really works? In this session we will review real world examples of building a successful automation process for delivery of secure software in fast paced development environments.