AppSec Europe 2018 has ended
                                                                                    ***Content is subject to change.***

Monday, July 2
 

8:00am

3 day Training: Practical DevSecOps: Continuous Security in the Age of Cloud
Limited Capacity seats available

Ever wondered how to handle the deluge of security issues and reduce the cost of fixing them before software goes to production? How do unicorns like Google, Facebook, Amazon and Etsy handle security at scale? In the Practical DevSecOps training you will learn how to handle security at scale using DevSecOps practices. We will start with the basics of DevOps and DevSecOps and move on to advanced concepts such as Security as Code, Compliance as Code, configuration management and Infrastructure as Code.

The training is based on DevSecOps Studio, a distribution for DevSecOps enthusiasts, and on OWASP tools such as the Security Knowledge Framework (SKF), DefectDojo and the ModSecurity Core Rule Set. We will cover real-world DevSecOps tools and practices in order to obtain an in-depth understanding of the concepts learnt in the course.

We will also cover how to use static analysis (SAST), dynamic analysis (DAST), OS hardening, security dashboards and vulnerability management as part of a secure SDLC, and how to select tools which fit your organization's needs and culture.

After the training, students will be able to hack and secure applications before attackers do. Students will be provided with the slides, tools and virtual machines used during the course.

This course will cover the following DevSecOps topics and techniques:
1. Introduction to DevOps and DevSecOps
2. DevSecOps tools of the trade, including DevSecOps Studio
3. Secure SDLC and the CI/CD pipeline
4. Amazon Web Services and its various security features
5. Container (Docker) security
6. Configuration/secret management and its security
7. SAST (static analysis) in the CI/CD pipeline
8. DAST (dynamic analysis) in the CI/CD pipeline
9. Runtime analysis (RASP, IAST) and how to select tools
10. Infrastructure as Code and its security
11. Vulnerability management with custom tools
12. Virtual patching and application security dashboards
13. Automating compliance activities to achieve PCI DSS/HIPAA compliance

Who should attend:
This course is aimed at anyone looking to embed security in agile/cloud/DevOps environments: security professionals, penetration testers, red teamers, IT managers, developers and DevOps engineers.

Prerequisites:
The student should have some knowledge of basic Linux commands such as ls, cd and mkdir.
The student should have a basic understanding of application security vulnerabilities such as the OWASP Top 10.

Speakers
Raghunath Gopinath

Security Researcher
Raghu is an information security enthusiast who has focused primarily on application security services for the past 7.9 years. He presently works on security automation using DevSecOps practices. He is also the founder of the null Hyderabad chapter and one of the leads of the null Singapore chapter...
Mohammed Imran

Senior Security Engineer, ZenDesk
Mohammed "secfigo" Imran is a seasoned security professional with 8 years of experience in helping organizations with their information security programs. He has a diverse background in R&D, consulting and product-based industries and a passion for solving complex security problems...


Monday July 2, 2018 8:00am - Wednesday July 4, 2018 5:00pm
Albert - 2nd Floor QEII Centre Broad Sanctuary, Westminster, London. SW1P 3EE

8:00am

3-Day Training: Advanced Web Hacking
Limited Capacity seats available

This class focuses on specific areas of application security and on advanced vulnerability identification and exploitation techniques, especially server-side flaws. Attendees practise neat, new and ridiculous hacks that affected real-life products and were reported through real bug-bounty programs.
The vulnerabilities selected for the class either typically go undetected by modern scanners or have exploitation techniques that are not well known. The class covers a wealth of techniques for compromising web applications, APIs and associated endpoints.
The following is the course outline:
  • Authentication Bypass
    • Token Hijacking attacks
    • Logical Bypass / Boundary Conditions
  • SAML / OAuth 2.0 / Auth0 / JWT Attacks
    • JWT Token Brute-Force attacks
    • SAML Authentication and Authorization Bypass
    • XXE through SAML
    • Advanced XXE Exploitation over OOB channels
  • Password Reset Attacks
    • Cookie Swap
    • Host Header Validation Bypass
    • Case study of popular password reset fails.
  • Breaking Crypto
    • Known Plaintext Attack (Faulty Password Reset)
    • Path Traversal using Padding Oracle
    • Hash length extension attacks
  • Business Logic Flaws / Authorization flaws
    • Mass Assignment
    • Invite/Promo Code Bypass
    • Replay Attack
    • API Authorization Bypass
  • SQL Injection
    • 2nd order injection
    • Out-of-Band exploitation
    • SQLi through crypto
    • OS code execution via PowerShell
    • Advanced topics in SQLi
  • Remote Code Execution (RCE)
    • Java Serialisation Attack
    • Node.js RCE
    • PHP object injection
    • Ruby/ERB template injection
    • Exploiting code injection over OOB channel
  • Server Side Request Forgery (SSRF)
    • SSRF to call internal files
    • SSRF to query internal network
  • Unrestricted File Upload
    • Malicious File Extensions
    • Circumventing File validation checks
  • Miscellaneous Topics
    • HTTP Parameter Pollution (HPP)
    • XXE in file parsing
    • A Collection of weird and wonderful XSS and CSRF attacks.
  • Attack Chaining
    • Combining Client-side and or Server-side attacks to steal internal secrets
Delegates will be given access to hands-on labs for the majority of the above topics. Attendees will also benefit from a state-of-the-art Hacklab, and we will provide two weeks of free lab access after the class to allow attendees more practice time.

Speakers
Sudhanshu Chauhan

Associate Director, NotSoSecure Global Services
Sudhanshu Chauhan is an information security professional working as an Associate Director at NotSoSecure. He is one of the core contributors to Datasploit (an open-source OSINT framework). Sudhanshu has written various articles on a wide range of topics including cyber threats, vulnerability...
Sumit Siddarth

Director, NotSoSecure
Sunil Yadav

Associate Director, NotSoSecure Global Services
Sunil is an information security professional with over 9 years of experience in application security, mobile security and source code review. He has delivered national and international training programs and seminars on web application security, threat modeling, mobile security...


Monday July 2, 2018 8:00am - Wednesday July 4, 2018 5:00pm
Olivier- 2nd Floor QEII Centre Broad Sanctuary, Westminster, London. SW1P 3EE

8:00am

3-Day Training: Exploiting Websites by using offensive HTML, SVG, CSS and other Browser-Evil
Limited Capacity seats available

More and more web applications delegate business logic to the client. HTML.next, JavaScript, SVG, Canvas, ES2016 and AngularJS are just some of the terms that describe the contents of the modern web stack. But what does the attack surface look like for those? What if there are no GET parameters anymore that our scanner can tamper with? Classic web pentests are "so nineties" in this realm, and keeping pace with progress is getting harder and harder.

But there is hope. We'll learn how to attack any web application using either unknown legacy features or the half-baked results coming to your browser from the labs of the W3C, the WHATWG and the ES2016 mailing lists. Whether you want to attack modern web applications or shiny browser extensions, we have that covered.

HTML is a living standard, and so is this workshop. The course material will be provided on-site and via access to a private GitHub repository, so all attendees will receive updated material even months after the actual training.

Speakers
Mario Heiderich (Keynote Speaker)

Founder, Cure 53
Dr.-Ing. Mario Heiderich, handsome heart-breaker, bon-vivant and (as he loves to call himself) "security researcher", is from Berlin, likes everything between lesser-than and greater-than, and leads a small yet exquisite pen-test company. He commonly pesters peaceful attendees at various...


Monday July 2, 2018 8:00am - Wednesday July 4, 2018 5:00pm
Victoria - 2nd Floor QEII Centre Broad Sanctuary, Westminster, London. SW1P 3EE

9:45am

Morning Coffee Break
Monday July 2, 2018 9:45am - 10:15am
Redgrave, Burton and Gielgud. 2nd floor Broad Sanctuary, London, UK

12:30pm

Lunch
Monday July 2, 2018 12:30pm - 1:30pm
Redgrave, Burton and Gielgud. 2nd floor Broad Sanctuary, London, UK

3:00pm

Afternoon Coffee Break
Monday July 2, 2018 3:00pm - 3:30pm
Redgrave, Burton and Gielgud. 2nd floor Broad Sanctuary, London, UK
 
Tuesday, July 3
 

8:00am

2-Day Training: Automated Defense using Serverless for AWS, Azure and GCP
Limited Capacity seats available

Monitoring for attacks and defending against them in real time is crucial, yet defending cloud infrastructure during an attack can prove to be a nightmare even with the solutions currently on the market. We live in a cloud-first era, where the cloud is the first choice of deployment because of its convenience and scalability. In this training we will learn how to defend cloud infrastructure using serverless technologies and the Elastic Stack. The Elastic Stack collects and analyses logs and triggers alerts based on a configured rule set; the serverless stack drives the defence by performing automated blocking, configured according to the use case and the type of attack. The current solution works on AWS, Azure and GCP and can be extended to other providers and to custom components such as in-house firewalls, IPS, etc.
The world is moving towards accelerated deployments using DevOps and cloud technologies. Automated defence addresses modern security challenges using a near-real-time alerting system, serverless technologies and centralised monitoring.
Participants will get:
  • A step-by-step GitBook covering the entire training (HTML, PDF, EPUB, MOBI)
  • Custom Ansible playbooks
  • The automated defence solution for AWS, Azure and GCP

Who should take this course:
  • Security engineers and analysts
  • SOC teams
  • DevOps teams
  • Anyone interested in automating security monitoring
Requirements:
  • Able to use the Linux CLI
  • Basic understanding of TCP/IP
  • Security experience would be a plus
  • Understanding of different cloud providers is an advantage
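The alert-then-block loop described above, as an added example written for this page (not the training's own code): a sliding-window rule over constructed access-log lines stands in for the Elastic Stack rule set, and the deny entry it emits is what a serverless responder would translate into a provider firewall change. The log lines, the threshold of five failed logins per minute and the 15-minute block TTL are all assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import timedelta, datetime

# Constructed nginx-style access log lines (not from the training).
# 203.0.113.7 hammers /login; 198.51.100.5 is an ordinary user.
SAMPLE_LOG = """\
203.0.113.7 - - [04/Jul/2018:10:00:01 +0000] "POST /login HTTP/1.1" 401 12
198.51.100.5 - - [04/Jul/2018:10:00:02 +0000] "GET /index.html HTTP/1.1" 200 5120
203.0.113.7 - - [04/Jul/2018:10:00:03 +0000] "POST /login HTTP/1.1" 401 12
203.0.113.7 - - [04/Jul/2018:10:00:04 +0000] "POST /login HTTP/1.1" 401 12
203.0.113.7 - - [04/Jul/2018:10:00:05 +0000] "POST /login HTTP/1.1" 401 12
198.51.100.5 - - [04/Jul/2018:10:00:06 +0000] "POST /login HTTP/1.1" 401 12
203.0.113.7 - - [04/Jul/2018:10:00:07 +0000] "POST /login HTTP/1.1" 401 12
203.0.113.7 - - [04/Jul/2018:10:02:30 +0000] "POST /login HTTP/1.1" 401 12
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \d+'
)

# Rule parameters: assumed for this demo, the page does not give the real rule set.
THRESHOLD = 5                    # failed logins from one source ...
WINDOW = timedelta(seconds=60)   # ... inside this sliding window


def parse_line(line: str):
    """Parse one access-log line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return {"ip": m["ip"], "ts": ts, "path": m["path"], "status": int(m["status"])}


def detect_bruteforce(lines):
    """Detection side: >= THRESHOLD HTTP 401s on /login from one IP within WINDOW.

    Keeps a per-IP deque of recent failure timestamps, evicting entries older
    than WINDOW, and raises one alert per offending IP. Returns a list of
    (ip, first_seen, last_seen) tuples.
    """
    recent = defaultdict(deque)
    alerted = {}
    for line in lines:
        ev = parse_line(line)
        if ev is None or ev["path"] != "/login" or ev["status"] != 401:
            continue
        q = recent[ev["ip"]]
        q.append(ev["ts"])
        while q and ev["ts"] - q[0] > WINDOW:
            q.popleft()
        if len(q) >= THRESHOLD and ev["ip"] not in alerted:
            alerted[ev["ip"]] = (q[0], ev["ts"])
    return [(ip, first, last) for ip, (first, last) in alerted.items()]


def block_rule_for(alert, ttl=timedelta(minutes=15)):
    """Response side: turn an alert into a provider-neutral, expiring deny entry.

    The expiry keeps automated blocks temporary, so a false positive or a
    spoofed source cannot lock a legitimate range out indefinitely. The caller
    maps this to an AWS NACL/security-group change, an Azure NSG rule or a GCP
    firewall rule.
    """
    ip, _first, last = alert
    return {"action": "deny", "source": f"{ip}/32", "expires": last + ttl}


def respond(lines):
    """Full loop: logs in, block rules out."""
    return [block_rule_for(a) for a in detect_bruteforce(lines)]
```

Running `respond(SAMPLE_LOG.splitlines())` yields a single deny entry for 203.0.113.7/32; the lone 401 from 198.51.100.5 never reaches the threshold, and the late retry at 10:02:30 falls outside the window but the source is already blocked.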

Speakers
Madhu Akula

Automation Ninja, Appsecco
Madhu is a security ninja and published author. Madhu's research papers are frequently selected for major security industry conferences including DEF CON 26 and 24, Black Hat USA 2018, AppSec EU 2018, All Day DevOps (2016, 2017), DevSecCon (London, Singapore, Boston), DevOpsDays India...
Gwilym Lewis

CEO, Appsecco
Gwilym is the CEO of Appsecco, an application security consultancy with offices in the UK, Qatar, India and the USA. Gwilym has long experience in delivering cyber security workshops, seminars and event presentations for technical and non-technical audiences alike, including to the...


Tuesday July 3, 2018 8:00am - Wednesday July 4, 2018 5:00pm
Chaucer- 4th Floor QEII Centre Broad Sanctuary, Westminster, London. SW1P 3EE

8:00am

2-Day Training: Pentesting the Modern Application Stack
Limited Capacity seats available

Continuous build and deployment tools, message brokers, configuration management systems, resource management systems and distributed file systems are some of the most common systems deployed in modern cloud infrastructures, thanks to the increasingly distributed nature of software. Modern-day pentesting is no longer limited to remote command execution from an exposed web application: each of these applications opens another door into a company's infrastructure. One must be able to find and compromise these systems effectively to gain a better foothold, as recent attacks that located exposed application-stack components through platforms like Shodan and went on to fully compromise corporate infrastructure have shown.

In this 2-day course we start by looking into red team tactics for pentesting the modern application stack, consisting of databases, CI tools, distributed configuration and resource management tools, containers, big data environments, search technologies and message brokers.

Along with the knowledge, the course also aims to impart a methodology for testing these systems. It is meant for anyone who would like to understand, attack or secure the modern-day stack. Students are bound to have some real fun and an entirely new experience through this unique course, as we go through multiple challenging scenarios one might not have come across.

During the course, students are expected to learn the following:
  • How to look for vulnerabilities within the application stack.
  • In-depth knowledge of how to pentest the modern stack consisting of continuous build and deployment tools, message brokers, configuration management systems, resource management systems and distributed file systems.
  • Security testing of an entire application stack from an end-to-end perspective.

Speakers
Francis Alexander

Security Engineer, Envestnet|Yodlee
Francis Alexander, Security Engineer for Envestnet|Yodlee, has over three years of experience in the application security industry and is the author of the NoSQL Exploitation Framework and a NoSQL honeypot. His areas of interest include NoSQL databases, machine learning and cloud security. He has...
Bharadwaj Machiraju

Senior Information Security Engineer, LinkedIn
Bharadwaj Machiraju is mostly found either building infosec tools or hunting bugs for fame. All tools are available at https://github.com/tunnelshade and all ramblings at tunnelshade.in/@tunnelshade_. He has spoken at a few conferences and, apart from information security, he is interested...


Tuesday July 3, 2018 8:00am - Wednesday July 4, 2018 5:00pm
Shelley- 4th Floor QEII Centre Broad Sanctuary, Westminster, London. SW1P 3EE

8:00am

2-Day Training: Web Application Security Essentials
Limited Capacity seats available

In order to protect your web applications, you need to understand how attackers will attack them. This 2-day course combines theory and hands-on practical exercises that allow participants to learn about common web vulnerabilities such as those described in the OWASP Top 10. Participants are given access to a purpose-built web application that contains the vulnerabilities discussed during the course and are asked to exploit them using different open-source tools and techniques.


Speakers
Fabio Cerullo

Fabio Cerullo is an official certified instructor for (ISC)², the global leader in cybersecurity education and certification. Fabio has over 15 years of experience in the information security field, gained across a diverse range of industries ranging from financial and government...


Tuesday July 3, 2018 8:00am - Wednesday July 4, 2018 5:00pm
Keats- 4th Floor QEII Centre Broad Sanctuary, Westminster, London. SW1P 3EE

9:45am

Morning Coffee Break
Tuesday July 3, 2018 9:45am - 10:15am
Redgrave, Burton and Gielgud. 2nd floor Broad Sanctuary, London, UK

12:30pm

Lunch
Tuesday July 3, 2018 12:30pm - 1:30pm
Redgrave, Burton and Gielgud. 2nd floor Broad Sanctuary, London, UK

3:00pm

Afternoon Coffee Break
Tuesday July 3, 2018 3:00pm - 3:30pm
Redgrave, Burton and Gielgud. 2nd floor Broad Sanctuary, London, UK
 
Wednesday, July 4
 

8:00am

Project Review
Wednesday July 4, 2018 8:00am - 12:00pm
Burns- 4th Floor QEII Centre Broad Sanctuary, Westminster, London. SW1P 3EE

8:00am

University Challenge
Wednesday July 4, 2018 8:00am - 5:00pm
Moore - 4th Floor QEII Centre Broad Sanctuary, Westminster, London. SW1P 3EE

8:00am

1-Day Training: Access Control for REST APIs
Limited Capacity seats available

REST services are very popular. Unfortunately, many are not secure.
The rise of REST services has been accompanied by the emergence of new standards and components for access control. This 1-day tutorial provides a hands-on overview of the available building blocks and shows how they work together.
We argue that REST APIs are best protected by a self-contained JWT (JSON Web Token) issued by a central authorization server. OAuth and OpenID Connect (OIDC) are standards for obtaining security tokens that are widely supported by both authorization servers and client libraries. The former provides a means for an end user to delegate access privileges to partially trusted clients; the latter adds a simple layer on top of OAuth for disclosing identity information. JWT, OAuth and OIDC are shown in action, and participants are invited to use them to protect simple APIs.

Target audience:
Developers of REST API producers and consumers. On the consumer side we will cover mobile apps, traditional back-end web apps and single-page applications.

Training outline:
  • JWT - presentation
  • Overview of OAuth flows - presentation
  • OAuth Client Credentials and Resource Owner Credentials Grant - hands-on
  • Overview of OIDC flows with a link to the OAuth flows - presentation
  • Development of Single Page Application with OIDC Implicit Flow - hands-on
  • Security token validation - presentation
  • Development of an access controlled REST service - hands-on
  • Integrating back- and front-end - presentation
  • Integrating back- and front-end - hands-on
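The resource-server side of that design, as an added example (not the tutorial's own material): a minimal HS256 JWT issuer and validator using only Python's standard library. The shared secret, the issuer URL and the audience name are assumptions; a production API would instead verify an RS256/ES256 signature against the keys the authorization server publishes. The order of the checks is the point: pin the algorithm, verify the signature, and only then read the claims.

```python
import base64
import hashlib
import hmac
import json
import time

# Assumed deployment constants for the example. The HMAC secret is shared by the
# hypothetical authorization server and the resource server it protects.
SECRET = b"example-shared-secret-do-not-reuse"
ISSUER = "https://auth.example.test"   # assumed issuer identifier
AUDIENCE = "orders-api"                 # assumed audience name for this API


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def issue_token(subject: str, scopes, ttl_seconds: int = 300, now=None) -> str:
    """Authorization server: mint a compact, self-contained HS256 JWT."""
    now = int(time.time()) if now is None else now
    header = {"alg": "HS256", "typ": "JWT"}
    claims = {
        "iss": ISSUER,
        "aud": AUDIENCE,
        "sub": subject,
        "scope": " ".join(scopes),
        "iat": now,
        "exp": now + ttl_seconds,
    }
    signing_input = ".".join(
        b64url_encode(json.dumps(part, separators=(",", ":")).encode())
        for part in (header, claims)
    )
    sig = hmac.new(SECRET, signing_input.encode("ascii"), hashlib.sha256).digest()
    return f"{signing_input}.{b64url_encode(sig)}"


def validate_token(token: str, required_scope: str, now=None) -> dict:
    """Resource server: verify a bearer token before honouring a request.

    Raises ValueError on any failure and returns the verified claims otherwise.
    """
    now = int(time.time()) if now is None else now
    try:
        header_b64, claims_b64, sig_b64 = token.split(".")
    except ValueError:
        raise ValueError("malformed token")

    # 1. Pin the algorithm. The header's "alg" must never choose the verifier:
    #    "alg": "none" and RS256->HS256 key confusion both depend on that.
    header = json.loads(b64url_decode(header_b64))
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg")

    # 2. Verify the signature over the exact bytes received, in constant time.
    signing_input = f"{header_b64}.{claims_b64}".encode("ascii")
    expected = hmac.new(SECRET, signing_input, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
        raise ValueError("bad signature")

    # 3. Only now trust the payload: issuer, audience, expiry, then scope.
    claims = json.loads(b64url_decode(claims_b64))
    if claims.get("iss") != ISSUER:
        raise ValueError("wrong issuer")
    aud = claims.get("aud")
    if aud != AUDIENCE and not (isinstance(aud, list) and AUDIENCE in aud):
        raise ValueError("token not intended for this API")
    if not isinstance(claims.get("exp"), int) or now >= claims["exp"]:
        raise ValueError("token expired")
    if required_scope not in claims.get("scope", "").split():
        raise ValueError("insufficient scope")
    return claims
```

A token minted by `issue_token` validates until its `exp`; a token whose payload was edited, whose scope does not cover the operation, or whose header claims `"alg": "none"` is rejected before any claim is acted on.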

Speakers
Michael Boeynaems

Security Architect, Independent
I have a strong interest in cyber security matters, ranging from high-level architectural challenges to technical implementations. As an independent privacy & cyber security expert, I have the chance to prepare organizations end-to-end for future threats that are approaching quickly...
Johan Peeters

security architect, independent
I currently mainly work on access control for REST APIs, but I am also interested in identity and access management, security operations center architecture and cloud security. Apart from my commercial consulting and bespoke development activities, I also teach software security...


Wednesday July 4, 2018 8:00am - 5:00pm
Wordsworth- 4th Floor QEII Centre Broad Sanctuary, Westminster, London. SW1P 3EE

9:45am

Morning Coffee Break
Wednesday July 4, 2018 9:45am - 10:15am
Redgrave, Burton and Gielgud. 2nd floor Broad Sanctuary, London, UK

12:30pm

Lunch
Wednesday July 4, 2018 12:30pm - 1:30pm
Redgrave, Burton and Gielgud. 2nd floor Broad Sanctuary, London, UK

1:30pm

OWASP Leaders Meeting
Wednesday July 4, 2018 1:30pm - 3:30pm
Burns- 4th Floor QEII Centre Broad Sanctuary, Westminster, London. SW1P 3EE

3:00pm

Afternoon Coffee Break
Wednesday July 4, 2018 3:00pm - 3:30pm
Redgrave, Burton and Gielgud. 2nd floor Broad Sanctuary, London, UK

3:30pm

Board Meeting

Wednesday July 4, 2018 3:30pm - 5:30pm
Burns- 4th Floor QEII Centre Broad Sanctuary, Westminster, London. SW1P 3EE

4:00pm

ModSec CRS Community Summit
Limited Capacity seats available

OWASP ModSecurity Core Rule Set project (CRS) Community Summit
There are three goals for this first get-together of the CRS community:

  • We want to meet you and hear how you use CRS in your setup!
  • Let’s talk about the status of the project, the road map and your feature requests!
  • Let’s start to build strong ties within the community!

So there are going to be presentations, but the essential part is the discussion and the networking. We want to understand how people are using CRS and where they think there is room for development.

This summit is for everybody who runs CRS and for all the other people who are interested in the project.
This is the program (still subject to change, probably until the last moment):

  • Welcoming address
  • Presentation I : Chaim Sanders: Upcoming CRS 3.1 release
  • Presentation II : Rodrigo Martinez: Machine Learning with ModSec/CRS3
  • Networking Session / Poster Session
  • Presentation III : Christian Treutler / Mirko Dziadzka : Rules Meta Language
  • Presentation IV : Tin Zaw: WAFLZ
  • Break
  • Presentation V : Adrian Winckles: HoneyPot project
  • Workshop: Future Plans
  • Group Photo
  • Planning Session: Call for hands

The summit is being moderated by Christian Folini.

Poster session: You are invited to bring along a poster, put it up on the wall in our room and we will give you time to present it to our audience. We are interested in use cases, success stories or unique approaches to integrating CRS3. Also ideas and pitches for new projects within our community are welcome. Standard flipchart format. Please be aware you should bring it along in physical form: we can’t print it on site. But we will have tape available for you.



Speakers
Christian Folini

Partner, netnea.com
Christian Folini is a partner at netnea AG in Berne, Switzerland. He holds a PhD in medieval history and enjoys defending castles across Europe. Unfortunately, defending medieval castles is no big business anymore, and Christian turned to defending web servers, which he thinks equally...


Wednesday July 4, 2018 4:00pm - 8:00pm
Rutherford - 4th Floor QEII Centre Broad Sanctuary, Westminster, London. SW1P 3EE

6:00pm

Pre-Conference Reception
Appetizers, cold and hot finger foods, salads, bowl food, etc. will be served, along with one complimentary drink (beer/wine/soda); a cash bar will be available.

Wednesday July 4, 2018 6:00pm - 8:15pm
Whittle and Britten rooms - 3rd floor
 
Thursday, July 5
 

8:00am

Capture the Flag sponsored by Netsparker
Speakers
Steven van der Baan

Capture the Flag leader
Anthony Ferrillo

Capture the Flag Assistant

Sponsors
Netsparker

It was frustration with false positives that, back in 2006, motivated penetration tester Ferruh Mavituna to find a better way to security-scan the web applications he was testing. Working through the night in his spare time, Ferruh wrestled with a concept that he was sure could solve...


Thursday July 5, 2018 8:00am - Friday July 6, 2018 5:00pm
Moore - 4th Floor QEII Centre Broad Sanctuary, Westminster, London. SW1P 3EE

8:45am

Opening Remarks
Limited Capacity seats available


Thursday July 5, 2018 8:45am - 9:00am
Fleming - 3rd Floor QEII Centre Broad Sanctuary, Westminster, London. SW1P 3EE

9:00am

The Perimeter Has Been Shattered: Attacking and Defending Mobility and IoT on the Enterprise Network
Limited Capacity seats available

Mobility and the Internet of Things (IoT) have disrupted the corporate enterprise network on the scale that PCs disrupted mainframes in the 1980s. Yet most enterprises continue to approach security as though there were still a hard perimeter with nothing but corporate-owned endpoints running against internal applications. Mobility, however, means employee-owned endpoints connecting over public carrier networks to cloud applications. Traditional perimeter security simply doesn't address this.
From mobile-based phishing to Bluetooth-based attacks, mobile and IoT have fundamentally changed the threat landscape. In this talk we will look at the modern threat landscape and the security controls currently available on the market (such as mobile threat defense and mobile application management), and provide real-world examples of how they fall short under simulated attack. Finally, we will look at practical ways to improve enterprise security around mobile and IoT, and at how to push the defensive products to evolve and become more robust.

Speakers
Georgia Weidman (Keynote Speaker)

Founder and CTO, Bulb Security LLC
Shevirah founder and CTO Georgia Weidman is a serial entrepreneur, penetration tester, security researcher, speaker, trainer and author. She holds an MS in computer science as well as CISSP, CEH and OSCP certifications. Her work in the field of smartphone exploitation has...


Thursday July 5, 2018 9:00am - 9:45am
Fleming - 3rd Floor QEII Centre Broad Sanctuary, Westminster, London. SW1P 3EE

9:45am

Morning Coffee Break
Limited Capacity seats available


Thursday July 5, 2018 9:45am - 10:15am
Britten or Whittle - 3rd Floor Broad Sanctuary Westminster, London, SW1P 3EE

10:00am

Member Lounge - Room 312
Limited Capacity seats available

OWASP Members Lounge
at AppSec EU 2018

Thursday, July 5 10am-5pm &
Friday, July 6 10am-3pm
 
Looking for a place to recharge your electronics?  
Feeling a bit hungry or thirsty?  
Maybe you are looking for some cool OWASP Member Only swag?
Or just looking to take a break from the hectic conference atmosphere?

Head on over to the Members Lounge located on the 3rd floor in Room 312.

Here you can grab a snack, quench your thirst, recharge your electronics, kick up your feet, and network with other OWASP members all within a relaxed atmosphere.

Not an OWASP Member?  No problem!  Swing on over to the lounge, and you can sign up on the spot, or join here!

Look for the signs or ask a volunteer how to find us!

Thursday July 5, 2018 10:00am - 5:00pm
Third Floor The Queen Elizabeth II Centre

10:15am

Current Research and Standards for Security Automation
Limited Capacity seats available

Today, securing an enterprise involves collecting and sifting mountains of data to defend against attackers moving at network speed. Automating aspects of enterprise security is the only way to deal with this situation at scale, but the term "security automation" is frequently overhyped and the promised benefits are often hard to realize. This talk will provide an overview of several ongoing security automation efforts that are supported by the US government and international standards bodies. These efforts seek to provide concrete advances that can support a faster, more efficient, and more effective way to defend networks through automation with the creation and promulgation of open specifications that can be employed by all nations and vendors.

Speakers
Charles M. Schmidt

Group Lead, The MITRE Corporation
Charles Schmidt is a Group Lead at the MITRE Corporation, where he has worked for over 18 years in the field of cybersecurity. He has spent most of that time supporting security automation research and developing cybersecurity standards. He holds a Bachelor's degree in both Mathematics...


Thursday July 5, 2018 10:15am - 11:00am
Abbey - 4th Floor QEII Centre Broad Sanctuary, Westminster, London. SW1P 3EE

10:15am

Unicode: The hero or villain? Input Validation of free-form Unicode text in Web Applications
Limited Capacity seats available

"The most difficult fields to validate are the so-called free text fields", as the most frequent stereotype of web application input validation goes, and this becomes even more complicated when the free text contains multi-language Unicode. Unicode is indeed complicated and tricky to get right on the first try, but for application defenders it is actually a great tool for getting input validation right. This talk will clear up misconceptions about Unicode input validation, explain what Unicode normalization, canonicalization and character classes are, and show how they can be used to make your input validation bulletproof rather than a cause of headaches.
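An added illustration of the normalize-then-validate ordering the abstract refers to (example code for this page, not the speaker's): free text is first canonicalized with NFKC, so compatibility forms such as ligatures and fullwidth punctuation collapse to what downstream components will eventually see, and only then is each character checked against an allow-list of Unicode general categories. The sample inputs and the category policy are constructed for the demo.

```python
import unicodedata

# Constructed sample inputs for a free-text field such as a display name.
SAMPLES = {
    "plain": "Zo\u00eb M\u00fcller",          # precomposed ë and ü (already NFC)
    "decomposed": "Zoe\u0308 Mu\u0308ller",   # same name with combining diaereses
    "ligature": "\ufb01le",                   # U+FB01 LATIN SMALL LIGATURE FI + "le"
    "fullwidth": "\uff1cscript\uff1e",        # fullwidth "＜script＞"
    "control": "Bob\u0007",                   # BEL, a C0 control character
    "bidi": "evil\u202egnp.exe",              # RIGHT-TO-LEFT OVERRIDE renders "gnp.exe" as "exe.png"
}

# Allow-list by general category: letters, marks, numbers, punctuation,
# symbols and plain space separators. Everything else is rejected, which
# covers Cc (controls), Cf (format characters such as bidi overrides and
# zero-width joiners), Cs, Co, Cn and the Zl/Zp line and paragraph separators.
ALLOWED_MAJOR = {"L", "M", "N", "P", "S"}
ALLOWED_EXACT = {"Zs"}


def canonicalize(text: str) -> str:
    """NFKC: canonical composition plus compatibility folding.

    Maps U+FB01 to "fi", U+FF1C to "<", and "e" + U+0308 to "ë", so that one
    meaning has one representation before any check is applied.
    """
    return unicodedata.normalize("NFKC", text)


def naive_has_angle_brackets(text: str) -> bool:
    """The check as it is often (wrongly) done: on the raw, un-normalized input."""
    return "<" in text or ">" in text


def validate_free_text(text: str, max_len: int = 256) -> str:
    """Return the canonical form of `text`, or raise ValueError.

    The length limit is enforced after normalization because NFKC can change
    the code point count (one ligature becomes two letters).
    """
    canonical = canonicalize(text)
    if len(canonical) > max_len:
        raise ValueError("too long")
    for ch in canonical:
        cat = unicodedata.category(ch)
        if cat in ALLOWED_EXACT or cat[0] in ALLOWED_MAJOR:
            continue
        raise ValueError(f"disallowed character U+{ord(ch):04X} ({cat})")
    return canonical


def classify_all() -> dict:
    """Run every sample through the validator; returns {name: (verdict, detail)}."""
    results = {}
    for name, value in SAMPLES.items():
        try:
            results[name] = ("accepted", validate_free_text(value))
        except ValueError as exc:
            results[name] = ("rejected", str(exc))
    return results
```

Two things fall out of running `classify_all()`: the precomposed and decomposed spellings of the same name validate to one identical string, and the fullwidth "＜script＞" is accepted as the plain "<script>", which is correct for a display name (angle brackets are an output-encoding concern, not an input-validation one), but shows why any check for such characters has to run after normalization rather than before it. The control character and the bidi override are rejected outright.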



Speakers
Paweł Krawczyk

Senior Application Security Consultant, Kainos
Throughout the years of architecting application security programs for Aon, Goldman Sachs, HSBC and others, I've been mostly interfacing between techies and senior management, while still being an active developer and hands-on infosec consultant.


Thursday July 5, 2018 10:15am - 11:00am
St James - 4th Floor QEII Centre Broad Sanctuary, Westminster, London. SW1P 3EE

10:15am

Making Continuous Security a Reality with OWASP’s AppSec Pipeline
Limited Capacity seats available

You've probably heard many talks about DevSecOps and continuous security testing, but how many provided the tools needed to actually start that testing? This talk does exactly that. It provides an overview of the open-source AppSec Pipeline tool, which has been used in real-world companies to do real security work. Beyond a stand-alone tool, the OWASP AppSec Pipeline provides numerous Docker containers ready to automate, a specification to customize with the ability to create your own implementation, and references to get you started.
The talk will also cover how to add an AppSec Pipeline to your team's arsenal and provide example templates of how best to run the automated tools provided. Finally, we'll briefly cover using OWASP DefectDojo to store and curate the issues found by your AppSec Pipeline. The goal of this talk is to share the field-tested methods of two AppSec professionals with nearly 20 years of experience between them. If you want to start your DevSecOps journey by continuously testing rather than hearing about it, this talk is for you.

Speakers
Aaron Weaver

Application Security Manager, NA Bancard
Aaron Weaver is the Application Security Manager at NA Bancard. Prior to that he was at Cengage Learning and Protiviti, where he built out their secure coding practice. Aaron has managed application security programs at large organizations and leads OWASP Philadelphia. Aaron speaks...


Thursday July 5, 2018 10:15am - 11:00am
Westminster - 4th Floor QEII Centre Broad Sanctuary, Westminster, London. SW1P 3EE

10:15am

Mr Sandman: Time Lock Puzzles for Good and Evil
Limited Capacity seats available

Delayed execution is a concept of significant interest to attackers, who seek to use it so that their malware is able to bypass the analysis period of sandboxes and antivirus emulators. Historically, techniques used to delay execution have included Windows API calls, and short, simple loops involving assembly, counters, or loading libraries. However, security tools are increasingly able to detect and prevent these techniques, using methods such as accelerating time, returning false tick counts, intercepting API calls, and performing multipath execution. As a result, attackers are constantly striving to find new and creative ways to delay execution. Delayed execution is also of some interest to defenders, who try to implement it, in either manual or automated solutions, in order to frustrate the attack models of bots, botnets, and spammers.

Enter the timelock puzzle - a relatively unknown cryptographic construct whereby a puzzle is presented, the solution to which requires a certain amount of time or computational effort. Historically, timelock puzzles were proposed for benign applications, such as sealed auction bids, escrow, and the timed release of confidential information. However, they provide an interesting method of delayed execution which to date has been underexplored in security research, particularly as an offensive methodology. Specifically, they may present a significant challenge in malware detection and analysis, particularly for automated solutions such as sandboxes.

In this talk, I cover the history of timelock puzzles and their proposed applications for offence and defence, and examine some case studies. I then demonstrate several timelock puzzles which I have developed, including some novel constructions, and show through demonstrations how they can be weaponised - including both process hollowing within executables, and within VBA macros. For each construction, I explore the advantages and disadvantages for both attackers and defenders, and explain how they work, and why. I then turn to prevention and detection, presenting a heuristic model for generic detection of timelock puzzles, and cover the defender's perspective in the form of attacks against timelock puzzles, including parallelisation, predictability, and enhanced computational processing.

I then cover the challenges and feasibility of using timelock puzzles for good, discussing some of the models presented in previous work and a real-world case study where timelock puzzles could have been used to significant effect, and break down a proof-of-concept defensive timelock puzzle I created, together with some of the issues identified with it from an attacker's perspective.

Finally, I assess the practicality of timelock puzzles for both attack and defence, share some lessons learned from this research, and outline suggestions for future research in this area. 

Speakers

Matt Wixey

Vulnerability Research, PwC
Matt leads on vulnerability R&D for the PwC Cyber Security practice in the UK, working closely with the Ethical Hacking team, and is a PhD candidate at UCL, in the Department of Security and Crime Science and the Department of Computer Science. Prior to joining PwC, Matt led a technical...


Thursday July 5, 2018 10:15am - 11:00am
Fleming - 3rd Floor QEII Centre Broad Sanctuary, Westminster, London. SW1P 3EE

11:00am

IoT Stakeholder Role in Compliance of GDPR
Limited Capacity seats available

This talk will take GDPR compliance away from just the data operator and data controller and show how all stakeholders have a role to play in IoT device security and compliance. The devices this talk will focus on are those related to smart buildings, smart cities, etc.
The talk will consider secure by design, privacy by design, secure procurement, secure installation, and secure configuration.
This talk will be based on some of the content from a White Paper I'm writing, to be available in early May, before the EU GDPR is due to be enforced.
As this talk is based on a White Paper, I can adapt it as necessary, but I believe that the focus should deviate from the fact that every stakeholder involved in supplying corporate organisations with "smart" solutions has a role to play in ensuring that not only is the solution secure at manufacture but has been installed and configured correctly for the environment it is operating in.

Speakers

Sarb Sembhi

CTO & CISO, Virtually Informed
I came into security from a development background. I researched into the vulnerabilities of network CCTV systems 10 before it became fashionable to do so. I have been involved with IoT related projects for many years especially Smart Building and Smart City projects. I'm very interested...


Thursday July 5, 2018 11:00am - 11:45am
Abbey - 4th Floor QEII Centre Broad Sanctuary, Westminster, London. SW1P 3EE

11:00am

Remediate The Flag - Practical AppSec Training Platform
Limited Capacity seats available

Developers aren’t born knowing how to code securely, and appsec training is often boring and does not provide practical examples. For the business it is usually not possible to assess competency in secure coding, and it is difficult to calculate the ROI of security training.
This talk introduces RTF, an open source Practical Application Security Training platform that offers application security focused exercises.
Candidates manually find and remediate the code of a vulnerable application running in a disposable development environment accessed using a web browser. 100% hands-on training, no multiple choice questions involved.
The demo will show the following workflow:
Candidates select an exercise, and the RTF platform provisions a dedicated environment accessed through a web browser. Candidates then find and manually remediate vulnerable code in the RTF instance by referencing the instructions.
Candidates can check in real time whether security issues were successfully remediated; they can take hints, which affect their final score.
When the exercise is completed, the platform provides automated results including a code diff and logs. An assessor reviews the exercise results and, if necessary (wrong remediation approach), provides additional feedback to the candidate.
It is possible to set up time-boxed tournaments specifying programming languages, developer groups (frontend vs backend, web vs non-web) and target vulnerabilities. Points are used to rank candidates on a “Leaderboard” so that they can compare themselves to their peers.
Full stats are provided at candidate, team and organisation level, indicating remediation ratio and time spent on each type of vulnerability, aggregated by category type.
An SDK makes it easy to add new exercises, completely customisable to target specific organisation needs.

Speakers

Andrea Scaduto

Andrea is a Senior Penetration Tester and Software Engineer with an MSc in Computer Engineering and several IT Security certifications. He enjoys breaking, building and securing web and mobile applications. He has an extensive knowledge of secure coding techniques and a focus on...


Thursday July 5, 2018 11:00am - 11:45am
St James - 4th Floor QEII Centre Broad Sanctuary, Westminster, London. SW1P 3EE

11:00am

Continuous Kubernetes Security
Limited Capacity seats available

Now that we have passed "peak orchestrator" and as Kubernetes eats the world, we are left wondering: how secure is Kubernetes? Can we really run Google-style multi-tenanted infrastructure safely? And how can we be sure that what we configured yesterday will be in place tomorrow? In this talk we discuss:
- the Kubernetes security landscape
- risks, security models, and best-practices
- how to configure users and applications with least-privilege
- how to isolate and segregate workloads
- persisting configuration across cluster rebuilds

Speakers

Andrew Martin

Co-founder, ControlPlane
Andrew has a strong test-first engineering ethos gained architecting and deploying high-traffic web applications. Proficient in systems development, testing, and maintenance, he is comfortable profiling and securing every tier of a bare metal or cloud native application, and has battle-hardened...


Thursday July 5, 2018 11:00am - 11:45am
Westminster - 4th Floor QEII Centre Broad Sanctuary, Westminster, London. SW1P 3EE

11:00am

Passive Fingerprinting of HTTP/2 Clients
Limited Capacity seats available

HTTP/2 is the second major version of the HTTP protocol. It changes the way HTTP is transferred “on the wire” by introducing a full binary protocol made up of TCP connections, streams, and frames, rather than a plain-text protocol. Such a fundamental change from HTTP/1.x to HTTP/2 means that client-side and server-side implementations have to incorporate completely new code in order to support the new HTTP/2 features. This introduces nuances in protocol implementations which, in turn, might be used to passively fingerprint web clients.

Our research is based on more than 10 million HTTP/2 connections from which we extracted fingerprints for over 40,000 unique user agents across hundreds of implementations.

In the presentation, I intend to provide the following:

• HTTP/2 Overview
- Introduction to the basic elements of the protocol
- A review of the different components chosen for the fingerprint format (alongside a discussion of those left out)
- Potential use cases of the proposed fingerprint
- Usage statistics: prevalence of HTTP/2 usage on Akamai’s platform

• Examples of common HTTP/2 implementations and client fingerprints collected during the research

• HTTP/2 support (or the lack of it) among common web security tools (Burp Suite, sqlmap, etc.)

• Review of attacks over HTTP/2 observed on Akamai’s platform

References
http://akamai.me/2qWIqON - whitepaper published by Akamai’s Threat Research Team.

Speakers

Elad Shuster

Security Data Analyst, Akamai
Leading a team of security researchers at Akamai's Threat Research group. With over 10 years of data analysis experience across different industries, I am currently exploring new trends in web security and bot detection, while helping maintain the defensive protections of Akamai's...


Thursday July 5, 2018 11:00am - 11:45am
Fleming - 3rd Floor QEII Centre Broad Sanctuary, Westminster, London. SW1P 3EE

11:45am

Deconstructing Threat Modeling
Limited Capacity seats available

Threat Modelling has now been recognized as one of the core foundations of a solid architectural security program. Yet as the technique has spread, so too has the confusion over what it actually entails. Contradictory methodologies and advice are everywhere, and it often seems like no two people have the same definition of threat modelling.
Yet out of this confusion there can come opportunity. The one thing these different approaches all have in common is that they all benefit the people using them. Can we take advantage of that to break these approaches down and use the parts to build a process that suits our case, rather than trying to apply a "one size fits all" approach?
In this session we'll get back to basics on what a threat model is, and then look to see how we can apply different techniques to drive out threats. We'll also go into the different ways that threats can be organized and used once they've been identified, and how modern Agile testing techniques can help us verify our models.  Finally we'll apply this approach to an unorthodox situation for threat modelling, and see how being flexible can help you design a process to fit your situation, rather than try to force yourself to fit a process.


Speakers

Ciaran Conliffe

Technologist, Liberty IT
Ciaran is a technologist at Liberty IT, a Belfast and Dublin based company that focuses on creating world class IT solutions for parent company Liberty Mutual. There he’s been working in the space between development and security for the last seven years, after ten previous years...


Thursday July 5, 2018 11:45am - 12:30pm
Abbey - 4th Floor QEII Centre Broad Sanctuary, Westminster, London. SW1P 3EE

11:45am

Secure Software Development Framework: Towards an SDL for all SDLCs
Limited Capacity seats available

The Security Development Lifecycle (SDL) is a process that helps developers to build more secure software. This is accomplished by embedding secure architecture, design, development and validation activities into the overarching Software Development Life Cycle (SDLC) process. Our research proposes an approach to secure application development that scales to the varied demands of modern software houses. In this work, we sought to develop an SDL that is suited to Waterfall, Iterative and Continuous Deployment methodologies of software development. Those SDLCs are abstractions that cover the vast majority of SDLC types. We present an approach to SDL, the Secure Software Development Framework (SSDF), that is agnostic to the SDLC, allowing organizations to combine development style flexibility with security in application development. SSDF also seeks to tackle the efficiency of the process by eliminating redundancy and clarifying requirements, making it easy for software developers and architects to adopt.

Speakers

Damilare D. Fagbemi

Software Security Architect, Intel Corporation
Damilare D. Fagbemi is a Security Architect at Intel Corporation, where he has the pleasure of working with talented software teams to drive and improve product security in mobile, web, and IoT solutions. He is also a Chapter leader at the Open Web Application Security Project (OWASP...



Thursday July 5, 2018 11:45am - 12:30pm
St James - 4th Floor QEII Centre Broad Sanctuary, Westminster, London. SW1P 3EE

11:45am

Detecting and Preventing Malicious Domain Registrations in the .eu TLD
Limited Capacity seats available

In this talk, we report on an extensive analysis of 14 months of domain registrations in the .eu TLD. In particular, we zoom in on domain names that are registered for malicious purposes (such as spam, phishing, botnet C&C, ...). The goal of our research is to understand and identify large-scale malicious campaigns, and to detect and prevent malicious registrations early.
Overall, the dataset of this study contains 824,121 new domain registrations, 2.53% of which have been flagged as malicious by blacklisting services. We explore the ecosystem and modus operandi of elaborate cybercriminal entities that recurrently register large numbers of domains for one-shot, malicious use. Although these malicious domains are short-lived, we establish that at least 80.04% of them can be framed into 20 larger campaigns with varying duration and intensity. We further report on insights into the operational aspects of this business and observe, amongst other findings, that their processes are only partially automated.
In the last part, we report on our most recent results. Based on the insights of the analysis, we have conceived and developed an automatic prediction system that classifies at registration time whether a domain name will be used for malicious or benign purposes. As such, malicious domain registrations can be detected and prevented before they do any harm. As part of the talk, we will present the first results of this prediction system, which currently runs in production at EURid, the registry of the .eu TLD.

Speakers

Lieven Desmet

Research Manager, imec-DistriNet-KU Leuven
Lieven Desmet is a Senior Research Manager on Software Security at the imec-DistriNet Research Group (KU Leuven, Belgium), where he coaches researchers in (web) application security and participates in dissemination and valorization activities. His interests are in security of middleware...



Thursday July 5, 2018 11:45am - 12:30pm
Westminster - 4th Floor QEII Centre Broad Sanctuary, Westminster, London. SW1P 3EE

11:45am

Secure Messengers and Man in The Contacts: The Ultimate Spear Phishing Weapon
Limited Capacity seats available

In 2016, the Man in the Contacts attack was published (MitC, https://www.securingapps.com/blog/ManInTheContacts_CYBSEC16.pdf), which consists in taking control of a smartphone's contacts with a legitimate application, then altering contact data to either
- impersonate a specific contact
- attempt to intercept communications by relaying messages through an additional device.
Despite sandboxing on most mobile platforms, contacts are shared between all applications and can be modified by any of them with sufficient permissions.

Building up from what was presented, we built and deployed a fully functional implementation.

Packaged within a game published on Google's Play Store without any validation issues, our MitC implementation allows us to fully control the contacts of the users by listening to our Command and Control server.

Since most modern messaging applications implicitly trust contact data, our implementation becomes a very efficient spear phishing weapon: the user receives a message from someone they (think they) know within an end-to-end encrypted (E2E) channel, so they are really confident. E2E also blinds messaging servers, which can no longer do any content filtering, making it easy to transfer malicious links.

Presentation Outline:
* Wrap up of Man In The Contacts attack
* Feedback from WhatsApp, Telegram and Signal: won't fix
* Implementing Man In The Contacts in practice
- Android game: social version of Rock, Paper, Scissors
- Command And Control server
- Web interface
* The spear phishing use case
* Live demonstration with volunteers from the audience
* Open sourcing the tool
* Possible mitigations 

Speakers

Laureline David

Freelance consultant, Self-Employed
Freelance Consultant, HEIG-VD Graduate (Security Engineering)

Jeremy Matos

Software Security Expert, Securing Apps
Jeremy Matos has been working in building secure software for more than 12 years. With an initial academic background as a developer, he designed and helped implementing a breakthrough mobile two-factor authentication solution. He led code reviews and security validation activities...


Thursday July 5, 2018 11:45am - 12:30pm
Fleming - 3rd Floor QEII Centre Broad Sanctuary, Westminster, London. SW1P 3EE

12:30pm

OWASPWIA (Women In AppSec) will host a talk and luncheon for all the Ladies
OWASPWIA (Women In AppSec) will host a talk and luncheon for all the Ladies present at OWASP AppSec Europe 2018 on Thursday 5 July.

It will start with a Panel / Q&A session followed by open discussion. It would be really great to connect with Women in InfoSec and share expertise. We will also share what we do as part of OWASPWIA, including all the sessions and webinars.

Thursday July 5, 2018 12:30pm - 1:30pm
Byron- 4th Floor QEII Centre Broad Sanctuary, Westminster, London. SW1P 3EE

12:30pm

Lunch
Limited Capacity seats available

Talk

Thursday July 5, 2018 12:30pm - 1:30pm
Britten or Whittle - 3rd Floor Broad Sanctuary Westminster, London, SW1P 3EE

1:30pm

Development to Risk Management Dashboard: Managing Cyber Risks in an Agile Environment
Limited Capacity full

One of the most challenging tasks Information Security management has in a competitive agile development environment is how to measure cyber risks.
Following NIST standards on this subject, security teams assess risk using these frameworks, but very little is explained about how to do this in practice, such as:
  • How to assess cyber risks when teams use Agile methodologies?
  • How to do proper monitoring using Agile tools such as JIRA?
  • How to make use of SecDevOps pipeline tools to achieve this?
In this training, we will go from the theory of the risk management frameworks to real scenarios and tools, and how to apply practical solutions in an ever-changing, agile environment.

Speakers

Johanna Curiel

Security Engineer and Researcher, Mobiquity
Johanna Curiel is a security engineer and researcher with 18 years of experience in programming, testing and quality control. Her early encounters with hackers and cybercrime were a turning point in her career to work in the area of cyber security. Between 2005 and 2007, she worked as...


Thursday July 5, 2018 1:30pm - 2:15pm
Abbey - 4th Floor QEII Centre Broad Sanctuary, Westminster, London. SW1P 3EE

1:30pm

OAuth is DAC. What do you do for MAC?
Limited Capacity seats available

Such is the frustration of the development community with SAML that most new projects requiring access control turn to OAuth. Yet the goals of OAuth are completely different to SAML’s: the former gives the end user control over who has access to their resources, while the latter is mainly used to enforce compliance with security policy. Most projects need both, so vendors are building ad-hoc extensions to their authorization servers to meet the need for mandatory access control, many of which are RBAC-based. The emerging consensus on these extensions should, on the one hand, find its way into standards in the short term. In the long term, on the other hand, the industry would benefit from moving beyond RBAC, but this requires further attention from researchers and vendors and, eventually, standardization bodies.

Speakers

Johan Peeters

security architect, independent
I currently mainly work on access control for REST APIs, but I am also interested in identity and access management, security operations center architecture and cloud security. Apart from my commercial consulting and bespoke development activities, I also teach software security...


Thursday July 5, 2018 1:30pm - 2:15pm
St James - 4th Floor QEII Centre Broad Sanctuary, Westminster, London. SW1P 3EE

1:30pm

Don't Feed the Hippos
The security community has been trying to solve the insecurity caused by bugs and flaws in software for many years now, but with what success?
We almost never look at the successes and failures experienced in other areas, but we could really learn from them. This talk is inspired by Ernesto Sirolli’s TED talk “Want to help someone? Shut up and listen!” about failures in aid programmes around the world. Listening to Ernesto Sirolli, you cannot miss the similarity with the security community trying to tell developers how to write secure code. This talk points out common failures of the security community when communicating with developers, trying to solve their problems without understanding what their problems really are.
Using the hippo analogy for security failures, the talk identifies those ‘(in-)secure hippos’ and provides advice on how to avoid them, drawing on anecdotes and best practices from the past 10 years of experience in the security field as a consultant.

Speakers

Martin Knobloch

Chairman of the Board, OWASP Foundation


Thursday July 5, 2018 1:30pm - 2:15pm
Westminster - 4th Floor QEII Centre Broad Sanctuary, Westminster, London. SW1P 3EE

1:30pm

The Last XSS Defense Talk: Why XSS Defense has radically changed in the past 7 years
Limited Capacity seats available

Why are we still talking about Cross Site Scripting in 2018? Because it's painfully difficult to defend against XSS even to this day. This talk is a fundamental update to the 2011 AppSec USA talk "The Past Present and Future of XSS Defense". We'll address new defensive strategies such as modern JavaScript framework defense in Angular, React and other frameworks. We'll also look at how CSP deployment has changed in the past 7 years illustrating the progressive use of content security which supports CSP v1, v2 and v3 concurrently. We will then look at advances in HTML sanitization on both the client and server and focus on sanitizers and defensive libraries that have stood the test of time in terms of maintenance and security. We'll also look at interesting design topics such as how HTML injection is still critical even in the face of rigorous XSS defense and how HTTPOnly cookies are largely ineffective. This talk should help developers and security professionals alike build a focused and modern strategy to defend against XSS in modern applications.


Speakers

Jim Manico

Founder and Lead Trainer, Manicode Security
Jim Manico is the founder of Manicode Security where he trains software developers on secure coding and security engineering. He is also a founding investor/advisor for Signal Sciences and BitDiscovery. Jim is also a frequent speaker on secure software practices, is a member of the...


Thursday July 5, 2018 1:30pm - 2:15pm
Fleming - 3rd Floor QEII Centre Broad Sanctuary, Westminster, London. SW1P 3EE

2:15pm

Threat Perspectives
Limited Capacity seats available

Jacky Fox - Cyber Lead, Deloitte Ireland & Gina Dollard – Cyber Threat Intelligence Lead, Allied Irish Bank

Gina and Jacky will share their perspectives on threat intelligence based testing and red teaming. Intelligence based tests mimic the tactics, techniques and procedures (TTPs) of real attacks against high risk assets, helping organisations focus their testing where it matters most. Jacky’s role leading the Deloitte Cyber practice in Ireland gives her insight into how organisations from multiple sectors are benefiting, and can benefit, from using threat intelligence to focus their testing, and she will share her thoughts on how to make this work. Gina leads the Cyber threat intelligence team for Allied Irish Bank and will share her experience of putting threat intelligence based testing into practice in a financial services organisation. The new TIBER-EU framework will bring common standards across Europe in this area and will accelerate the demand for this type of service.



Speakers

Gina Dollard

Division Head Cyber Threat Intelligence, Allied Irish Banks (AIB)
Ms Dollard is Head of Threat Intelligence for AIB. In her current role she has established and manages the threat intelligence and security incident response functions. The Threat Intelligence Team provides actionable intelligence to highlight cyber risks to the business; performs...

Jacky Fox

Cyber & IT Forensic Lead | Risk Advisory, Deloitte
Jacky Fox leads the cybersecurity and IT Forensic practice for Deloitte in Ireland. Jacky lectures on the MSc in Cyber Security for University College Dublin. She has 20+ years’ experience working in technology and security, and advises leading Irish and international organisations...


Thursday July 5, 2018 2:15pm - 3:00pm
Abbey - 4th Floor QEII Centre Broad Sanctuary, Westminster, London. SW1P 3EE

2:15pm

How Leading Companies Are Scaling Their Security
Limited Capacity seats available

The last decade has seen significant changes in how organizations develop and release software: fleets of servers are provisioned programmatically and new code is pushed to production dozens of times a day. Oftentimes, developers outnumber security engineers by 100:1 or more. How do you keep up?
Join us as we share pro-tips and actionable lessons learned from a number of San Francisco Bay Area software companies with mature security teams. Topics discussed will include:
* Effective ways to get buy-in for new security requirements from security management, security engineers, and developers
* High value engineering projects that can prevent classes of bugs
* An overview of static and dynamic analysis, fundamental trade-offs, and tips on building your own
* How and where to integrate static and dynamic analysis into the CI/CD process to find potential dangers quickly and reduce risk
* Monitoring in production tips - detecting users with malicious intent and adding telemetry to detect successful attacks
* Open source tools that help with one or more of the above, and more
Attendees will leave with specific steps they can take to improve their organization's security posture, some perspective on how other companies have addressed common security challenges, and a few longer term, more ambitious security process goals.

Speakers

Clint Gibler

Research Director, NCC Group
Dr. Clint Gibler is a senior security consultant and research director at NCC Group, a global information assurance specialist providing organizations with security consulting services. By day, he performs penetration tests of web applications, mobile apps, and networks for companies...


Thursday July 5, 2018 2:15pm - 3:00pm
Westminster - 4th Floor QEII Centre Broad Sanctuary, Westminster, London. SW1P 3EE

2:15pm

Medieval Castles in I.T. Security
Limited Capacity seats available

What can IT security learn from the construction of medieval castles? The situation with IT security is pretty bad. The thesis of this talk is that our discipline is so young that our ideas have not had the time to prove themselves. The evolution has only just begun. Let's look at other security architectures and see if we can learn from them. And given I have a PhD in Medieval History, castles spring to mind. I presented a 20-minute version of this talk last week at the European Forum Alpbach and the organiser thought it a huge success.

Speakers

Christian Folini

Christian Folini is a medieval historian working as a security engineer and open source enthusiast. He holds a PhD in medieval history and enjoys defending castles across Europe. Unfortunately, defending medieval castles is not a big business anymore and therefore, he turned to defending...


Thursday July 5, 2018 2:15pm - 3:00pm
St James - 4th Floor QEII Centre Broad Sanctuary, Westminster, London. SW1P 3EE

2:15pm

Testing iOS Apps without Jailbreak in 2018
Limited Capacity seats available

Penetration tests of iOS applications usually require a jailbreak. On the other hand, software developers often enforce a new version of iOS to run the application. Unfortunately, as history shows, with the release of subsequent versions of the iOS system, pentesters have to wait longer and longer for a stable jailbreak. Finally, by testing iDevices, we become participants in a game of Russian roulette: remain on an out-of-date iOS with the hope that there won’t be an application requiring a newer version, or take the risk of updating and maybe never get a new jailbreak? During my presentation, I will show you that it is not necessary to put the iRevolver to your head, and I will present techniques for conducting penetration tests without the need for a jailbreak. The presentation will also include a live demo presenting the solution to the problem of access to protected application resources on the latest version of iOS.


Speakers

Wojciech Reguła

SecuRing
Wojciech is an IT Security Specialist employed at SecuRing. Professionally responsible for web and mobile security testing with particular emphasis on iOS. He is a creator of secure Ruby code examples for OWASP Security Knowledge Framework and founder of infosec student research group...


Thursday July 5, 2018 2:15pm - 3:00pm
Fleming - 3rd Floor QEII Centre Broad Sanctuary, Westminster, London. SW1P 3EE

3:00pm

Afternoon Coffee Break
Limited Capacity seats available

Talk

Sponsors

Jscrambler

Jscrambler started as AuditMark, back in 2009, when developing a solution to fight click-fraud in advertising campaigns - a web traffic audit mechanism that was JavaScript dependent. There was no tool capable of protecting JavaScript in the market so the need was met and Jscrambler...


Thursday July 5, 2018 3:00pm - 3:30pm
Britten or Whittle - 3rd Floor Broad Sanctuary Westminster, London, SW1P 3EE

3:30pm

Board Meeting

Thursday July 5, 2018 3:30pm - Wednesday July 4, 2018 TBA
Chaucer- 4th Floor QEII Centre Broad Sanctuary, Westminster, London. SW1P 3EE

3:30pm

Adding Privacy by Design in Secure Application Development
Limited Capacity seats available

We will address the complex GDPR challenges for developers as part of a Secure Development Lifecycle.
This will cover:
• GDPR requirements covering design, data lifecycle, users and end of life aspects
• Privacy by Design challenge
• Including GDPR in the Secure Development Life Cycle
• Mapping OWASP SAMM to the GDPR
• Integrating privacy in application security classification, awareness training, guidelines, AppSec champions, threat modeling, 3rd parties, security testing and incident management
• Introducing GDPR risk patterns
The talk will focus on practical implementation aspects and demonstrations of real life use cases encountered in our software security and privacy projects.
Sebastien Deleersnyder (@SebaDele), Managing Application Security Consultant at Toreon, will share his practical secure development and privacy challenges experience. Sebastien led engagements in the domain of ICT-security, Web and Mobile Security with several customers in the private and public sector. Sebastien is the Belgian OWASP Chapter Leader, served as vice-chair of the global OWASP Foundation Board and performed several public presentations on Web Application, Mobile and Web Services Security. Furthermore, Sebastien co-founded the yearly BruCON conference.
(attached is the version as delivered in Feb-2018, which will be updated for the AppSec Europe conference)


Speakers

Sebastien Deleersnyder

Managing partner Application Security, Toreon
Sebastien Deleersnyder is Co-founder & managing partner application security at Toreon.com. Sebastien has helped various companies improve their ICT-, Web- and Mobile Security, including BNP Paribas Fortis, Atos Worldline, KBC, Nationale Nederlanden (ING), Isabel, Fluxys, OLAF, EU...


Thursday July 5, 2018 3:30pm - 4:15pm
Abbey - 4th Floor QEII Centre Broad Sanctuary, Westminster, London. SW1P 3EE

3:30pm

Injecting Security Controls into Software Applications
Limited Capacity seats available

SQL Injection was first mentioned in a 1998 article in Phrack Magazine. Twenty years later, injection is still a common occurrence in software applications (No. 1 in the latest OWASP Top 10, 2017). For the last 20 years, we have been focusing on vulnerabilities from the attacker’s point of view, and SQL injection is still King. Something else must be done.
What if there is another way to look at software vulnerabilities? Can vulnerabilities be decomposed into security controls familiar to developers? Which security controls are an absolute must-have, and which additional security measures do you need to take into account?
These are hard questions, as evidenced by the numerous insecure applications we still have today. Attend this session to explore security vulnerabilities from a different angle. As part of this briefing, we examine how to decompose vulnerabilities into security controls that developers are familiar with, and offer actionable advice on when to use them in the SDLC and how to verify them.
After this session you will have a better understanding of what to consider when building an application security program in your organization and how to evolve it with time to take into account new attack vectors.
Recommended to all builders and security professionals looking to integrate security in their software applications.

Speakers
Katy Anton

Principal Security Consultant, CA Technologies | Veracode Unit
Katy Anton is a security professional with a background in software development. An international public speaker, she enjoys speaking at both developer and security events about secure coding and how to secure software. In her previous roles she led software development teams...


Thursday July 5, 2018 3:30pm - 4:15pm
St James - 4th Floor QEII Centre Broad Sanctuary, Westminster, London. SW1P 3EE

3:30pm

Docker 201 Security

Docker containers offer several advantages for developers. Most notably they fit perfectly into software development processes, they enable fast, reproducible deployments and, when properly done, the same container can run with little change in either a test or a production environment.

Despite the threatening information out there, Docker per se also offers several security advantages. However, it is important to make use of them and, as a minimum, to avoid the common security ops pitfalls. In the worst case the result is otherwise less security, or the security benefits which the containment technology offers are not used at all.

To avoid the most common mistakes and to improve security beyond the default, the speaker will present the Docker Top 10 security bullet points, which cover
  • important Do's and Don'ts,
  • for advanced needs, how to tighten security further,
  • how to check (partly) your Docker and Kubernetes security status yourself.
The talk is based on practical experiences at several customers and on the speaker's solid network and systems security expertise.

Speakers
Dirk Wetter

Dirk Wetter (Ph.D.) is an independent security consultant with more than 20 years of professional experience in information security, with a large technical and information security management background. His primary focus nowadays is around web application security. He has also a solid background...


Thursday July 5, 2018 3:30pm - 4:15pm
Westminster - 4th Floor QEII Centre Broad Sanctuary, Westminster, London. SW1P 3EE

3:30pm

Attacking Modern Web Technologies

In this talk, top ranked white-hat hacker Frans Rosén will focus on methodologies and results of attacking modern web technologies. He will explain how he accessed private Slack tokens by using postMessage and WebSocket-reconnect, and how vulnerable configurations in both AWS and Google Cloud allow attackers to take full control of your assets.
Listen to 60 minutes of new hacks, bug bounty stories and learnings that will make you realize that the protocols and policies you believed to be secure are most likely not.

Speakers
Frans Rosen

Security Advisor, Detectify
Dev/Security/Founder at @youngskilled/@detectify/@shipwallet


Thursday July 5, 2018 3:30pm - 4:15pm
Fleming - 3rd Floor QEII Centre Broad Sanctuary, Westminster, London. SW1P 3EE

4:15pm

Winning - the future perspective in the next 20 years!

Speakers
Andrew van der Stock (Keynote Speaker)

Synopsys
Andrew van der Stock is a long time contributor to OWASP dating back to late 2002 / early 2003. He was the project lead and lead author of the OWASP Developer Guide 2.0, OWASP's original project, the OWASP Top 10 2007, which established the methodology used to this day, and led the...


Thursday July 5, 2018 4:15pm - 5:00pm
Fleming - 3rd Floor QEII Centre Broad Sanctuary, Westminster, London. SW1P 3EE

7:00pm

Imperial War Museum - Networking Event
The event will provide attendees with heavy bowl hors d’oeuvres, fun entertainment, networking and tours through the museum, and a really relaxed, enjoyable time in the heart of London. If you are interested in attending this wonderful event, then register for the conference: tickets to the event are included in the conference package for paying attendees. Extra tickets can also be purchased online through the registration system.

Thursday July 5, 2018 7:00pm - 9:30pm
Imperial War Museum IWM London Lambeth Road London SE1 6HZ
 
Friday, July 6
 

8:45am

Opening Remarks

Talk

Friday July 6, 2018 8:45am - 9:00am
Fleming - 3rd Floor QEII Centre Broad Sanctuary, Westminster, London. SW1P 3EE

9:00am

XSS is dead. We just don't get it.

XSS is about twenty years old by now and appears to be alive and kicking. JavaScript alerts are still popping left and right and bug bounty programs are drowning in submissions.

But is XSS really still a problem of our time? Or is it just an undead foul-smelling zombie vulnerability from the dark ages of string concatenation that doesn't wanna perish because we are just too fricken stubborn?

This talk will be an hour-long rant (yes, swearwords, leave your kids at home), paired with a stroll through the history of XSS and related issues. We will go back into the year 1998 and see how it all started, how things developed, what we tried to do against it and how hard we failed every single time. We will also look at the future and predict what is about to happen next. Mostly nothing - but good to know, right?

We will not only look at our own failures but also see how the entire infrastructure and monetization of the web contributed to us being simply not capable or even just willing to fix XSS. And we might as well see if any of those behavioral and structural patterns can be compared to other human failures - and see if there is something we all can learn. Or, at least, agree that we knew it all along and are all on the same page.


Speakers
Mario Heiderich (Keynote Speaker)

Founder, Cure 53
Dr.-Ing. Mario Heiderich, handsome heart-breaker, bon-vivant and (as he loves to call himself) "security researcher" is from Berlin, likes everything between lesser- and greater-than and leads a small yet exquisite pen-test company. He commonly pesters peaceful attendees on various...


Friday July 6, 2018 9:00am - 9:45am
Fleming - 3rd Floor QEII Centre Broad Sanctuary, Westminster, London. SW1P 3EE

9:45am

Morning Coffee Break

Friday July 6, 2018 9:45am - 10:15am
Britten or Whittle - 3rd Floor Broad Sanctuary Westminster, London, SW1P 3EE

10:00am

Member Lounge - Room 312

OWASP Members Lounge at AppSec EU 2018

Friday, July 6, 10am-3pm
 
Looking for a place to recharge your electronics?  
Feeling a bit hungry or thirsty?  
Maybe you are looking for some cool OWASP Member Only swag?
Or just looking to take a break from the hectic conference atmosphere?

Head on over to the Members Lounge located on the 3rd floor in Room 312.

Here you can grab a snack, quench your thirst, recharge your electronics, kick up your feet, and network with other OWASP members all within a relaxed atmosphere.

Not an OWASP Member?  No problem!  Swing on over to the lounge, and you can sign up on the spot, or join here!

Look for the signs or ask a volunteer how to find us!

Friday July 6, 2018 10:00am - 3:00pm
Third Floor The Queen Elizabeth II Centre

10:15am

A View from Above: How Organizations Are Managing their AppSec Program

Assuring application security (AppSec) is much more than a technology problem – it requires coordinating the actions of numerous people, which means organization and process. Roles and responsibilities must be defined; budgets must be approved; people need to be hired, educated, and enabled to develop skills; culture needs to be created; tools need to be selected and acquired; and policies and processes must be defined.
Do you wonder how others are wrangling this challenge?
In this presentation, we will present insights and observations from a study of AppSec program management. In 2017, we reviewed over 75 published articles and talks and interviewed 16 application security practitioners to understand the problem space AppSec practitioners face. We learned a lot and will share our observations of the boundaries used to define the scope of an application security program, the goals of the people responsible for assuring the security of application software, the metrics and measurements that they employ in the pursuit of these goals, and the tools that they use to measure and track application security metrics.

Speakers
Chris Horn

Code Dx, Inc.
Chris Horn helps guide product development at Code Dx and is a Researcher at Secure Decisions, an R&D division of Applied Visions. Code Dx Enterprise helps teams prioritize and manage security vulnerabilities by providing a single set of correlated results in a powerful application...


Friday July 6, 2018 10:15am - 11:00am
Abbey - 4th Floor QEII Centre Broad Sanctuary, Westminster, London. SW1P 3EE

10:15am

Building Secure ASP.NET Core MVC 2.0 Applications

Building secure applications is a difficult task, especially in combination with building on a new application framework. ASP.NET Core is a new open-source and cross-platform framework, completely rewritten from scratch and first released in 2016. It can run on Windows, Mac and Linux, and the framework moved to a more modular approach, which gives more flexibility when creating solutions with it.
How secure is ASP.NET Core 2.0 by default? Do the APIs help the developer do a good job, or is a mistake easily made? In this session, we're going to investigate how ASP.NET Core MVC and Razor Pages deal with the above questions related to e.g. Cross-Site Scripting (XSS) and Cross-Site Request Forgery (CSRF) issues. How good are the default templates, and how easy is it to adapt to newly introduced web standards? We are also going to see how we can validate an existing solution for the problems we’ve identified.

Speakers
Niels Tanis

Security Researcher, CA Veracode
Niels Tanis has a background in .NET development, pentesting and security consultancy. He also holds the CSSLP certification and has been involved in breaking, defending and building secure applications. He joined Veracode in 2015 and right now he works as a security researcher...


Friday July 6, 2018 10:15am - 11:00am
St James- 4th Floor QEII Centre Broad Sanctuary, Westminster, London. SW1P 3EE

10:15am

Building an AppSec Program with a Budget of $0: Beyond the OWASP Top 10

The premise of this session is how to build an application security program with a budget of $0. The session explores the OWASP universe, and how different open-source projects are connected together as foundational pieces of an application security program.
OWASP is famous for the top 10, but many do not understand the depth and breadth of the different projects. The projects are explained with a focus on how to implement each within a successful program. This talk is more than just a catalog of the OWASP projects. It is also a practitioner’s guide on how to implement the OWASP projects within an AppSec program. The projects are explained and broken into different phases to delineate between the improvements for a new program versus an established program that is adding new capabilities.
The first group of projects is training / awareness and program definition. These projects focus on high-level knowledge, methodology, and training for the application security program. This group includes OWASP Top 10, OWASP Proactive Controls, Software Assurance Maturity Model, and training apps (Juice Shop, DevSlop, and WebGoat). The process for raising awareness with knowledge / training and building out a program are discussed.
The second group is builder or developer. These focus on requirements, code review, best practices, development libraries, and building software without known vulnerabilities. This group includes Security RAT, ASVS, cheat sheets, threat modeling, Java encoder, and Dependency Checker. The end-to-end world of the developer is explored, from requirements through writing code.
The third group is breaker or tester. This group focuses on testing guidance/process and tools, including the testing guide, Offensive Web Testing Framework (OWTF), and ZAP. The testing approach and touch points are discussed, as well as a high-level survey of the tools.
The final group is the defender. These include tools that can be used to protect the application from attackers on the Internet, both at the edge and within the application. This group includes ModSecurity and AppSensor.
All of these tools work together to form the basis of an application security program with a budget of $0, except for the people resources to implement it, and I’ll discuss what is required from the human resources to make a program such as this successful.

Speakers
Chris Romeo

CEO, Security Journey
Chris Romeo is CEO and co-founder of Security Journey. We specialize in online application security training organized as a security belt program. We guide our clients – many in tech, healthcare, and finance – to squashing vulnerabilities before they impact customers. We promote...


Friday July 6, 2018 10:15am - 11:00am
Westminster- 4th Floor QEII Centre Broad Sanctuary, Westminster, London. SW1P 3EE

10:15am

Outsmarting Smart Contracts - An Essential Walkthrough of Blockchain Security Minefields

The most common blockchain-based application is Bitcoin, a cryptocurrency worth a couple of thousand $ per BTC. But Bitcoin is built on Blockchain 1.0. The second generation of blockchain opened a much broader field of application and is described as a mechanism allowing programmable transactions. Smart Contracts, as they are called, are scripts that are executed and stored in the blockchain. Their code, storage and execution calls are all publicly available and verifiable. The execution and verification processes are performed by miners, which makes the decentralized ecosystem slow but secure. Smart contracts have many applications, from ICOs, through digital identity management, non-digital asset (diamond, real estate, IoT device, etc.) ownership management and tracing, to almost anything you can think of.
An example of a second generation blockchain platform that supports smart contracts is Ethereum. The miners, who execute contracts and secure the platform, are paid with Ether, which is the Ethereum cryptocurrency (worth about $1k) and an incentive for hackers. Ethereum’s smart contracts are written in the Solidity language, which is similar to well-known high-level languages, and compiled to Ethereum Virtual Machine bytecode stored in the blockchain. It is complex software implementing a new technology that is often difficult to follow in every detail. Thus it makes an explosive mix with high potential for human mistakes by developers. The problem is that even a very small coding mistake can lead to losses of millions of dollars.
The goal of this presentation is to shed light on the security of smart contracts, their potential vulnerabilities and popular design and implementation security flaws. I will investigate flaws of Ethereum smart contracts, both Ethereum-specific and known from other languages, that led to spectacular thefts. I am sure you have heard of these spectacular hacks, like the $30M (now worth $130M) Parity hack, or another $150M blocked in smart contracts. Thanks to this presentation you will know how millions were stolen and how to avoid such mistakes.
I will also share my personal experience regarding responsible disclosure of such vulnerabilities. It is way harder than submitting a bug in a traditional application, and involves non-obvious complications. First, the transparency principle leads to a real time race between whitehat and blackhat hackers. Sometimes a whitehat even has to actually steal from potential victims in order to prevent malicious theft. Moreover, in most cases there is no possibility to contact (especially urgently and securely) the smart contract owner and report the problem. In my case, after finding a critical vulnerability that allowed me to empty the whole Ethereum token wallet of an exchange, it required a solid investigation to find the right people to talk to, and took an unnecessarily long time. To address this issue I propose a mechanism to notify a contract’s owner. The message is securely kept on the blockchain and only the owner of the contract can read it.
The audience will leave with a fair understanding of a set of attack vectors and vulnerabilities specific to the concept of decentralized execution of publicly visible smart contracts. What’s more, they will know how to find and avoid these vulnerabilities.

Speakers
Damian Rusinek

Sr. Security Specialist, SecuRing
IT Security Specialist, since 2016 in SecuRing. Professionally responsible for web and mobile application audits and source code analysis. Software developer and analyst with 11 years of experience. Engaged in many projects, such as projects from the energy industry or projects bound...


Friday July 6, 2018 10:15am - 11:00am
Fleming - 3rd Floor QEII Centre Broad Sanctuary, Westminster, London. SW1P 3EE

11:00am

Threat Modeling for IoT Systems

The Internet of Things (IoT) is an exciting and emerging area of technology allowing individuals and businesses to make radical changes to how they live their lives and conduct commerce. The challenge with this trend is that IoT devices are just computers with sensors running applications. Because IoT devices interact with our personal lives the proliferation of these devices exposes an unprecedented amount of personal sensitive data to significant risk. In addition, IoT security is not only about the code running on the device. These IoT devices are connected to systems that include supporting web services as well as other client applications that allow for management and reporting.
A critical step to understanding the security of any system is building a threat model. This helps to enumerate the components of the system as well as the paths that data takes as it flows through the system. Combining this information with an understanding of trust boundaries provides system designers with critical information to mitigate systemic risks to the technology and architecture. This presentation looks at how Threat Modeling can be applied to IoT systems to help build more secure systems during the design process, as well as how to use Threat Modeling when testing the security of IoT systems.

Speakers
Dan Cornell

CTO, Denim Group
Entrepreneur, software developer and security professional. CTO at Denim Group. CrossFitty and Paleo-ish.


Friday July 6, 2018 11:00am - 11:45am
Abbey - 4th Floor QEII Centre Broad Sanctuary, Westminster, London. SW1P 3EE

11:00am

Usable Security for Developers: A Nightmare

The term "usable security" is on everyone's lips and there seems to be a general agreement that, first, security controls should not unnecessarily affect the usability and friendliness of systems. And, second, that simple-to-use systems should be preferred as they minimize the risk of handling errors that can be the root cause of security incidents such as data leakages.
But it also seems to be a general surprise (at least for security experts) why software developers always (still) make so many easy-to-avoid mistakes that lead to insecure software systems. In fact, many of the large security incidents of the last weeks/months/years are caused by "seemingly simple to fix" programming errors.
Bringing both observations together, it should be obvious that we need usable and developer-friendly security controls and programming frameworks that make it easy to build secure systems. Still, reality looks different: many programming languages, APIs, and frameworks provide complex interfaces that are, actually, hard to use securely. In fact, they are miles away from providing usable security for developers.
In this talk, I will discuss examples of complex and "non-usable" security for developers, such as APIs that, in fact, are (nearly) impossible to use securely or that require an understanding of security topics that most security experts do not have (and, thus, that we cannot expect from software developers).

Speakers
Achim D. Brucker

The University of Sheffield
Dr. Achim D. Brucker (www.brucker.ch) is a Senior Lecturer and consultant at The University of Sheffield, UK, where he heads the Software Assurance & Security Research Team (logicalhacking.com). Until December 2015, he was a Research Expert (Architect), Security Testing Strategist...


Friday July 6, 2018 11:00am - 11:45am
St James- 4th Floor QEII Centre Broad Sanctuary, Westminster, London. SW1P 3EE

11:00am

From Rogue One to Rebel Alliance: Building Developers into Security Champions

Are you responsible for more than just AppSec? What do you do when you have more teams to support than security experts? How can you make security champions out of dissenters in the development team?
There just aren’t enough security experts to go around. You have to support the multitude of Agile and DevOps teams that are making production software changes anywhere from once a month to several times a day. The lack of resources, coupled with the ever increasing responsibilities, can make you feel like a rogue warrior in the battle against cybercrime. What’s a security professional to do? Whether you are a team of one or five, there aren’t enough hours in the day, and even if there were more budget, good luck finding someone to fill that security role. What if I told you that through careful selection and good training it is possible to build your own army from the very people who own the development process?
What you will learn:
1. Who to recruit as security champions
2. How to train these champions in productive application security
3. How to measure success
4. How to build a scalable security program
5. What to expect from champions (responsibilities)

Speakers
Pete Chestna

DevSecOps Transformation Consultant, CA Technologies
Pete Chestna has more than 25 years of experience developing software and leading development teams and has been granted three patents. Pete has been developing web applications since 1996, including one of the first applications to be delivered through a web interface. He led his...


Friday July 6, 2018 11:00am - 11:45am
Westminster- 4th Floor QEII Centre Broad Sanctuary, Westminster, London. SW1P 3EE

11:00am

Prepare(): Introducing Novel Exploitation Techniques in WordPress

WordPress is used by 30% of all websites. Due to its wide adoption it is a popular target for attackers. Security vulnerabilities are actively exploited in outdated cores and plugins in order to compromise large numbers of installations. Although the WordPress core is audited and reviewed daily by bug bounty hunters and its great community, security vulnerabilities still pop up due to the intrinsic features of the PHP language. Further, the wide adoption and extension of the WordPress core prevents switching to modern best practices and forces the maintenance of legacy code.
In this talk we will look at a fundamental design flaw of the WordPress core which led to a series of severe security issues. We will examine how a custom design of prepared statements led not only to SQL injection vulnerabilities but also to a new type of PHP object injection. We will analyze the characteristics of this specific occurrence and how to spot it in other PHP projects. The goal of this talk is to introduce a new and generic exploitation technique as well as guidance for WordPress and other developers on how to prevent the presented issues.

Speakers
Robin Peraglie

Security Research, RIPS Technologies
Robin is a passionate bug hunter and security researcher at RIPS Technologies. Since he was young he has experimented with web security, cryptography and lockpicking. He received a degree in IT Security at the Ruhr-University Bochum and collected industrial experience in penetration tests...


Friday July 6, 2018 11:00am - 11:45am
Fleming - 3rd Floor QEII Centre Broad Sanctuary, Westminster, London. SW1P 3EE

11:45am

Seconds out! When algorithms don’t play nice with our applications and lives.

This talk isn’t a detailed technical talk and does not require prior knowledge of Machine Learning or Artificial Intelligence. AI-based algorithms have proved to be very successful at learning to do very complicated tasks, including playing games like Chess, Atari games from the 80s, and Go. It is only a matter of time before these same techniques get applied on the offensive side to attack and exploit applications. On the flip side, there are a number of solutions that claim to use AI and Machine Learning to defend against those pesky hackers, let alone those persistent computer algorithms. The reality is that the odds are stacked against the defenders, with the AI and machine learning problem more suited to offensive than defensive applications. This presentation takes a high-level look at the state of the art in machine learning and AI with respect to Application Security, examining how these may be used in both offensive and defensive applications. The presentation will examine how clever algorithms, including reinforcement learning and math hacks, may be used to trivially evade state-of-the-art defensive applications. We also look at what our defensive options are. The presentation finishes by predicting where all this may lead and the impact on application security.

Key takeaways from the presentation are:
  • A very high-level understanding of key concepts
  • An introduction to the new threat models that AI & ML may introduce
  • Some insight to help you ask the right questions of your suppliers, by hopefully imbuing a healthy level of scepticism around some outlandish claims
  • Thoughts and practical examples on the type of problems AI & ML can solve
  • Predictions on where I believe this is all going, by drawing analogies to the Cybersecurity world
  • A high-level roadmap on how to get up to speed with AI & ML, as I believe this will become as core to most jobs as computing is today
  • Some suggestions for next steps every business should take

Warning: The presentation does contain gratuitous references and images of Zulus, cats, Zombies and Charlie Sheen.

Speakers
Etienne Greeff

Founder & CTO, SecureData Europe
I became involved with the information security industry long before it was a thing, having founded and grown a number of information security businesses over the past 20 years. It is with increasing bewilderment that I observe how computer science, mathematics and engineering are rapidly...


Friday July 6, 2018 11:45am - 12:30pm
Abbey - 4th Floor QEII Centre Broad Sanctuary, Westminster, London. SW1P 3EE

11:45am

Programming Language Agnostic Cross-Application CSRF Protection

Xing is a European career-oriented social networking platform. While appearing as a single website to visitors, internally it's more than a hundred separate web applications interacting with each other, most of them built using Ruby on Rails.
We discovered that the Rails built-in CSRF prevention mechanism doesn't work between multiple applications and causes too many exceptions affecting visitors when combined with single page application frameworks like React.
In the first part of the talk we'll explore the problems arising from applying a CSRF protection built for classic monolithic web applications to a single page application and microservice architecture. The second part is a detailed description of the alternative language-agnostic, self-recovering CSRF prevention mechanism we developed to address the issues, followed by a live demo.

Speakers
Egor Balyshev

Software Architect, XING SE
Egor Balyshev has been developing software for 17 years, primarily focusing on web based applications. For the last 3 years he has been working as a software architect at XING, a career-oriented social networking website. His topics of interest include distributed systems, user...


Friday July 6, 2018 11:45am - 12:30pm
St James- 4th Floor QEII Centre Broad Sanctuary, Westminster, London. SW1P 3EE

11:45am

Gamifying Developer Education with CTFs

CTFs are a staple of the security world. Nearly every conference has one, and the number of available CTFs (as well as competitors) is constantly growing. However, CTFs are rarely put to use outside of the security community. A frequent cause of security issues is human error, and countless incidents in the real world could have been prevented by a deeper understanding of vulnerabilities. CVEs, OWASP top 10, and other such vulnerabilities may now come naturally to security professionals, but this understanding is often left in our domain. We ran a CTF for our employees for a week during security awareness month in order to give hands-on lessons in offensive security concepts. In this talk we’ll go over the process, the challenges, the successes and failures, and how you can integrate a CTF into your security program.

Speakers
Max Feldman

Slack
Max Feldman is on the Product Security team at Slack, where he works on the bug bounty and security assessments of Slack features, as well as the development of security tools and automation. He was previously a member of the Product Security team at Salesforce.
John Sonnenschein

Red Team Lead, Slack
John works on the Vulnerability Discovery and Product Security teams at Slack, finding bugs before the bad guys do and developing security tools and automation to help


Friday July 6, 2018 11:45am - 12:30pm
Westminster- 4th Floor QEII Centre Broad Sanctuary, Westminster, London. SW1P 3EE

11:45am

FIESTA: an HTTPS side-channel party

In the past few years, several attacks exploiting side-channel issues in TLS traffic have been launched with the aim of extracting information protected by HTTPS. CRIME, BREACH, and TIME are all good examples of such attacks. But they are known, and most Internet sites have introduced countermeasures to protect against them. Unfortunately, this is not enough to protect sensitive online information. HTTPS traffic has other side-channels that could be exploited in a similar way, exposing private information. In this paper, we present a new tool, called FIESTA, that will help us test this kind of issue. In addition, we release a new side-channel not used before, affecting the most important technology companies on the Internet.

Speakers

Jose Selvi

Principal Penetration Tester, Prosegur Cybersecurity
Jose Selvi is a Principal Penetration Tester & Security Researcher at Prosegur Cybersecurity. His 13 years of expertise performing advanced security services and solutions in various industries include mainly penetration tests and information security research in new technologies... Read More →


Friday July 6, 2018 11:45am - 12:30pm
Fleming - 3rd Floor QEII Centre Broad Sanctuary, Westminster, London. SW1P 3EE

12:30pm

Lunch

Talk

Friday July 6, 2018 12:30pm - 1:30pm
Britten or Whittle - 3rd Floor Broad Sanctuary Westminster, London, SW1P 3EE

1:30pm

The Consequences of Poor Security of the Hospital Sites

Hospitals are attractive places for criminal hackers. With access to critical medical records and personally identifiable information, there is great opportunity to exploit patients and employees. I see vulnerabilities on all levels and in all roles and locations in the hospital: on the hospital's site, in software, in devices, and with humans. The consequences of bad security are huge and can cause harm, both to patients and to employees. Criminal behaviour can go unnoticed for long periods. Without proper security controls, patient records can be manipulated. You can imagine the consequences. Hospital sites are used not just for sharing information about the hospital but also for sharing medical documents, for communication between patients themselves and the medics, and for private, professional or educational talks between medics inside and outside the hospital. Reason enough to understand that we need a really well-secured site. Sadly, the situation isn't as good as we hope and want it to be. In this presentation we would like to present:
1. Research on the sites of 97 hospitals in the Netherlands and 100 hospitals in the USA, covering HTTP/HTTPS, SSL certificates and IPv4/IPv6, using Mozilla Observatory.
2. A repeat of the research a year later and its results; nmap was used in this round too.
3. The technical details of what information on the site can be manipulated, and how, by Xavier Mertens and John Opdenakker, who will also give the demo.
4. The organisation and communication problem: communication from outside (reports) with the IT department, trying to reach the people from infosec; the organisation at the hospitals that should also care about the security of the site.
5. The consequences for patients and for employees.
6. Connecting the research to the OWASP Top 10.
Security needs to be built from the ground up, starting with making hospital sites secure and thereby creating a safe online environment in healthcare.

Speakers

Xavier Mertens

Freelance Cyber Security Consultant, Xavier Mertens Consulting
Xavier Mertens, is a freelance cyber security consultant based in Belgium. His daily job focuses on protecting his customer’s assets by applying “offensive” (pentesting) as well as “defensive” security (incident handling, forensics, log management, SIEM, security visualisation... Read More →

Jelena Milosevic

Paediatrician and ICU nurse
Jelena Milosevic is a paediatrician and ICU nurse with a lot of experience, having worked at many different hospitals in the Netherlands since 1995, and before that having spent 10 years working in the ICU at the University Children's Hospital in Belgrade. Over the past three... Read More →


Friday July 6, 2018 1:30pm - 2:15pm
Abbey - 4th Floor QEII Centre Broad Sanctuary, Westminster, London. SW1P 3EE

1:30pm

A Methodology for Assessing JavaScript Software Protections

JavaScript is a highly dynamic language. At runtime, functions and event handlers can be redefined, and new code can be parsed and executed. While these properties offer a lot of flexibility, they are a nightmare when it comes to security. First, they are powerful weapons for an adversary. But they also make building tamper-resistance and obfuscation techniques a lot harder. As a result, determining whether a given protection is strong or weak is a daunting task for an application developer or security practitioner.
In this talk, we explore the peculiarities of protecting JavaScript and how it differs from protecting native code. We then dive into a couple of protected JavaScript examples, demonstrate different attack techniques (e.g. partial evaluation) and investigate their potential for reverse engineering and tampering. We'll go through different tamper-resistance and obfuscation techniques and test their resilience against modern reverse engineering techniques.
We'll propose a methodology to help security practitioners evaluate JavaScript code protection. The need to assess software protections has recently been recognized by the OWASP Mobile Security Testing Guide. We provide pointers on what to look for in JavaScript code protection, what real value you can get from it, and when it makes sense to use it and when it doesn't.
Expect a highly technical talk, with several demos, including live reverse engineering of protected JavaScript. In the end, you will have learned how to assess the value of available JavaScript code protection techniques.
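One of the attack techniques named above, partial evaluation, means executing the parts of a protected program that do not depend on runtime input and substituting their results back into the code. The following added example (not Jscrambler's and not code from the talk) applies it to the widespread "string array" obfuscation pattern on a constructed sample: the string table and its accessor are constant, so they are evaluated once and every accessor call is replaced by the literal it returns.

```javascript
// Added example of partial evaluation against "string array" obfuscation.
// Not the talk's code; the obfuscated sample below is constructed.
const OBFUSCATED_SAMPLE = [
  "var _0x3a1b = ['log', 'Hello, ', 'world'];",
  'function _0x5c2d(i) { return _0x3a1b[i]; }',
  'console[_0x5c2d(0)](_0x5c2d(1) + _0x5c2d(2));',
].join('\n');

function escapeRegExp(s) {
  return s.replace(/[.*+?^${}()|[\]\\]/g, '\\$&');
}

function deobfuscate(code) {
  // 1. Locate the constant string table:  var NAME = [ ... ];
  const tableDecl = code.match(/var\s+([A-Za-z_$][\w$]*)\s*=\s*\[[^\]]*\];/);
  if (!tableDecl) throw new Error('no string table found');
  const tableName = tableDecl[1];

  // 2. Locate the accessor:  function FN(i) { return NAME[i]; }
  const accessorRe = new RegExp(
    'function\\s+([A-Za-z_$][\\w$]*)\\s*\\((\\w+)\\)\\s*\\{\\s*return\\s+' +
    escapeRegExp(tableName) + '\\[\\2\\];?\\s*\\}'
  );
  const accessorDecl = code.match(accessorRe);
  if (!accessorDecl) throw new Error('no accessor found');
  const accessorName = accessorDecl[1];

  // 3. Partial evaluation: run only the constant part of the program to
  //    obtain the table. (Do this in a sandbox, never in the analyst's own
  //    process, when the sample is real malware or untrusted code.)
  const table = new Function(tableDecl[0] + ' return ' + tableName + ';')();

  // 4. Replace every accessor call with a literal index by the string it
  //    returns, then drop the declarations that are now dead code.
  let out = code
    .replace(new RegExp(escapeRegExp(accessorName) + '\\((\\d+)\\)', 'g'),
             (_, i) => JSON.stringify(table[Number(i)]))
    .replace(tableDecl[0], '')
    .replace(accessorDecl[0], '')
    .trim();

  // 5. Clean-ups that become possible once strings are literals again:
  //    obj["name"] -> obj.name, and "a" + "b" -> "ab".
  out = out.replace(/\["([A-Za-z_$][\w$]*)"\]/g, '.$1');
  let folded;
  while ((folded = out.replace(/"([^"\\]*)"\s*\+\s*"([^"\\]*)"/g,
                               (_, a, b) => JSON.stringify(a + b))) !== out) {
    out = folded;
  }
  return out;
}
```

Real protections add table rotation and string encoding on top of this and wrap the accessor in anti-tampering checks, but the approach is unchanged: whatever needs no runtime input can be run ahead of time, and each recovered literal makes the next layer easier to read.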

Speakers

Pedro Fortuna

CTO, Jscrambler
Pedro Fortuna is CTO and Co-Founder of Jscrambler where he leads the technical vision for the product suite and contributes with his cybersecurity knowledge for R&D. Pedro holds a degree in Computing Engineering and a MSc in Computer Networks and Services, having more than a decade... Read More →


Friday July 6, 2018 1:30pm - 2:15pm
St James- 4th Floor QEII Centre Broad Sanctuary, Westminster, London. SW1P 3EE

1:30pm

Building a Valid Threat Library for Cloud Based Applications

Tapping the power of the various inherent cloud monitoring and log components in order to build a dynamic threat library that can substantiate your threat model is very possible. In this talk we'll look at both Azure and AWS components to leverage when adding threat context and ultimately an amazing threat library to your application threat model. We'll look at exemplifying these techniques across mission critical infrastructure in Energy and Transportation.

Speakers

Tony Ucedavelez

CEO/ Owner, VerSprite
Tony UcedaVélez is CEO at VerSprite, an Atlanta based security services firm assisting global multi-national corporations on various areas of cyber security, secure software development, threat modeling, application security, security governance, and security risk management. Tony... Read More →


Friday July 6, 2018 1:30pm - 2:15pm
Westminster- 4th Floor QEII Centre Broad Sanctuary, Westminster, London. SW1P 3EE

1:30pm

Exploiting Unknown Browsers and Objects

Browsers are embedded everywhere, from popular applications like Steam and Spotify to headless crawlers, IoT devices and games consoles. They execute JavaScript but you don't have a dev console and some don't even allow you to interact with them. Many add custom JavaScript objects and functions but how can you discover all this hidden treasure without any dev tools? My talk introduces a new tool for your arsenal that allows you to inspect and exploit these unknown entities. The Hackability inspector is the missing offensive dev toolkit for security researchers.
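The enumeration problem described above (a JavaScript engine with no dev tools, possibly no way to interact with it) can be attacked from inside the page itself. The following added example is not the Hackability inspector; it shows the technique such a tool is built on. Object.getOwnPropertyNames sees non-enumerable properties that for...in and Object.keys miss, property descriptors let the walker avoid triggering getters, and following the prototype chain exposes the host classes that custom objects inherit from. The stand-in host object is constructed.

```javascript
// Added example: walk an unknown JavaScript host and list everything it
// exposes, without a console. Not the Hackability inspector's code.
function inspect(root, { maxDepth = 2, rootName = 'globalThis' } = {}) {
  const seen = new Set();
  const lines = [];

  function walk(value, path, depth) {
    if (value === null || (typeof value !== 'object' && typeof value !== 'function')) return;
    if (seen.has(value)) return; // cycles such as window.window
    seen.add(value);

    let names;
    try {
      names = Object.getOwnPropertyNames(value); // includes non-enumerable names
    } catch (err) {
      lines.push(path + ': <unreadable: ' + err.message + '>');
      return;
    }
    for (const name of names.sort()) {
      let child;
      let kind;
      try {
        const desc = Object.getOwnPropertyDescriptor(value, name);
        if (desc.get || desc.set) {
          kind = 'accessor';                      // do not fire getters blindly
        } else {
          child = desc.value;
          kind = typeof child;
        }
      } catch (err) {
        kind = '<throws: ' + err.message + '>';   // cross-origin or host guards
      }
      lines.push(path + '.' + name + ': ' + kind);
      if (depth < maxDepth) walk(child, path + '.' + name, depth + 1);
    }
    const proto = Object.getPrototypeOf(value);
    if (proto !== null && depth < maxDepth) walk(proto, path + '.__proto__', depth + 1);
  }

  walk(root, rootName, 0);
  return lines;
}

// Names on the root that a stock JavaScript engine would not have: these are
// the host's additions (application, crawler or device bridges) worth digging into.
function hostAdditions(root, baselineNames) {
  const baseline = new Set(baselineNames);
  return Object.getOwnPropertyNames(root).filter(n => !baseline.has(n)).sort();
}

// Constructed stand-in for an embedded browser's global object, including a
// host-added bridge object with a custom prototype.
function demoHost() {
  return {
    Math,
    JSON,
    steamClient: { openURL() {}, version: '1.0', __proto__: { internalBridge() {} } },
  };
}
```

Inside a real target you would call inspect(globalThis) and push lines.join('\n') out through whatever channel the host offers: document.title, the page body, alert(), or an outbound request to a server you control; finding out which of those channels works is itself part of the probe. Diffing hostAdditions(globalThis, knownBuiltins) against the names from a stock engine is the quickest way to find the host-added objects that deserve a deeper walk.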

Speakers

Gareth Heyes

Researcher, PortSwigger
Gareth works as a researcher at PortSwigger and loves breaking sandboxes and anything to do with JavaScript. He has developed various free online tools such as Hackvertor and Shazzer. He also created MentalJS a free JavaScript sandbox that provides a safe DOM environment for sandboxed... Read More →


Friday July 6, 2018 1:30pm - 2:15pm
Fleming - 3rd Floor QEII Centre Broad Sanctuary, Westminster, London. SW1P 3EE

2:15pm

Security is Everybody's Job... Literally.

In DevOps everyone performs security work, whether they like it or not.  With a ratio of 100/10/1 for Development, Operations, and Security, it’s impossible for the security team alone to get it all done. We must build security into each of “the three ways”; automating and/or improving efficiency of all security activities, speeding up feedback loops for security related activities, and providing continuous learning opportunities in relation to security. While it may sound like the security team needs to learn to sprint, give feedback, and teach at the same time, the real challenge is creating a culture that embodies the mindset that security is everybody's job.

Speakers

Tanya Janca

Senior Cloud Security Advocate, Microsoft
Tanya Janca is a senior cloud security advocate for Microsoft, specializing in application and cloud security; evangelizing software security and advocating for developers and operations folks alike through public speaking, her open source project OWASP DevSlop, and various forms... Read More →


Friday July 6, 2018 2:15pm - 3:00pm
Abbey - 4th Floor QEII Centre Broad Sanctuary, Westminster, London. SW1P 3EE

2:15pm

Embedding Defense in Server-Side Applications

Applications often rely on secure development practices and third-party defense mechanisms for protection. Whenever an application receives malicious payloads they are either dropped or executed by the affected application. Ignoring these situations aids attackers in performing deep analysis of applications until they are able to exploit existing flaws.
Standards, libraries and third-party defense systems developed to secure applications introduce opportunities for attackers. While some protections have already been implemented in applications and web firewalls, there is a whole spectrum of techniques not being analyzed. This research details how server-side applications can incorporate an extensive layer of defense to detect and protect against attackers.
Defense mechanisms will be presented in four different languages: .NET, Java, PHP and Python. Involuntary vulnerabilities present in secure coding guidelines from CERT will be used to exemplify how an embedded defense can protect applications from unknown attack vectors. By implementing the defenses laid out in this paper, attackers may unwittingly become the victims.
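One way to build the embedded defense layer described above, as an added example that is not Fernando Arnaboldi's code: the application defines detection points for input that no legitimate client produces (a traversal sequence in a path, a hidden field set to a value outside its allowed set, a request for a resource linked from nowhere), counts hits per client, and cuts the client off once a threshold is reached. The detection points, request shape and threshold are constructed for the demo.

```javascript
// Added example of an embedded defense layer inside the application itself.
// Not the talk's code; detection points and request shape are constructed.
const DETECTION_POINTS = [
  {
    id: 'RE1',
    name: 'path traversal sequence in URL',
    test: req => /(\.\.\/|\.\.\\|%2e%2e)/i.test(req.path),
  },
  {
    id: 'IE1',
    name: 'hidden field outside its allowed values',
    test: req => req.params.role !== undefined && !['user', 'editor'].includes(req.params.role),
  },
  {
    id: 'HT1',
    name: 'request for a honeytoken resource that is linked nowhere',
    test: req => req.path === '/admin/backup.zip',
  },
];

class EmbeddedDefense {
  constructor({ threshold = 3, blockSeconds = 600, now = () => Date.now() } = {}) {
    this.threshold = threshold;
    this.blockMs = blockSeconds * 1000;
    this.now = now;
    this.strikes = new Map();      // client id -> detection events so far
    this.blockedUntil = new Map(); // client id -> epoch ms
  }

  // Decision for one request: { allowed, status, events, blocked }.
  // A detected probe and every request from a blocked client both get a
  // plain 404, so the attacker learns nothing about what tripped the defense.
  handle(req) {
    const t = this.now();
    const until = this.blockedUntil.get(req.client);
    if (until !== undefined && t < until) {
      return { allowed: false, status: 404, events: [], blocked: true };
    }
    const request = { client: req.client, path: req.path || '/', params: req.params || {} };
    const events = DETECTION_POINTS.filter(d => d.test(request)).map(d => d.id);
    if (events.length === 0) {
      return { allowed: true, status: 200, events, blocked: false };
    }
    const strikes = (this.strikes.get(req.client) || 0) + events.length;
    this.strikes.set(req.client, strikes);
    let blocked = false;
    if (strikes >= this.threshold) {
      this.blockedUntil.set(req.client, t + this.blockMs);
      this.strikes.delete(req.client);
      blocked = true;
    }
    return { allowed: false, status: 404, events, blocked };
  }
}
```

The events list is what gets logged and alerted on; the response itself stays uninformative. In a real application the per-client state lives in a shared store, and the client key is the authenticated user or session rather than a bare source address.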

Speakers

Fernando Arnaboldi

Security Consultant
Fernando Arnaboldi is a developer and a security consultant who specializes in penetration testing and code reviews on multiple platforms. He has focused his research on breaking the security of different programming languages and has presented his findings in security conferences... Read More →


Friday July 6, 2018 2:15pm - 3:00pm
St James- 4th Floor QEII Centre Broad Sanctuary, Westminster, London. SW1P 3EE

2:15pm

Securing Containers on the High Seas

It can be a difficult challenge for most organizations to migrate to containers and develop a secure strategy for implementation and management. Making the shift from legacy virtualization and monolithic deployments to containers requires a solid strategy for securely making the jump. Containers offer many security benefits but it’s important to adopt controls and good practices throughout the lifecycle, across all of the systems and interfaces with which they interact. From container registries, through development and deployment, it’s important to enforce security and eliminate risks as they’re easily introduced.
A robust enterprise container strategy requires focusing on infrastructure, architecture, tooling, policies, and processes. Hardening your containers and ensuring they remain free of known vulnerabilities is important, but this is not a comprehensive approach. Containers, their runtime behavior, and capabilities are influenced by other systems such as container orchestration platforms and schedulers. While organizations are focused on hardening individual containers and services, they also need to think about how to limit lateral movement and post-exploitation steps by attackers through sound architectural choices.
This presentation will focus on scaling container security within an enterprise and building security controls at different layers to provide comprehensive coverage. We will discuss the modern container landscape, including multiple container runtimes and standards such as the Open Container Initiative (OCI) and the Container Storage Interface (CSI), as well as their impact on security moving forward. We will explore the container lifecycle from your developer's laptop through your production environment and examine the key security problems to mitigate. By the end of the presentation the audience should confidently be able to develop a secure approach to their organization's container strategy.

Speakers

Jack Mannino

CEO, nVisium
Jack Mannino is the CEO of nVisium. Passionate about security and impossible to keep away from a keyboard, his expertise spans over 15 years of building, breaking, and securing software. Jack founded nVisium in 2009, and since then has helped the world's largest software teams enhance... Read More →

Abdullah Munawar

Director of Professional Services, nVisium
Abdullah Munawar is the Director of Professional Services at nVisium who specializes in application security testing and helping clients build application security programs. He previously worked on the security teams for various federal and financial organizations, with over 10 years... Read More →


Friday July 6, 2018 2:15pm - 3:00pm
Westminster- 4th Floor QEII Centre Broad Sanctuary, Westminster, London. SW1P 3EE

2:15pm

WAF Bypass Techniques Using HTTP Standard and Web Servers’ Behavior

Although web application firewall (WAF) solutions are very useful to prevent common or automated attacks, most of them are based on blacklist approaches and are still far from perfect. This talk illustrates a number of creative techniques to smuggle and reshape HTTP requests using the strange behaviour of web servers and features such as request encoding or HTTP pipelining. These methods can come in handy when testing a website behind a WAF and can help penetration testers and bug bounty hunters to avoid drama and pain! Knowing these techniques is also beneficial for the defence team in order to design appropriate mitigation techniques. Additionally, it shows why developers should not solely rely on WAFs as the defence mechanism.
Finally, an open source Burp Suite extension will be introduced that can be used to assess or bypass a WAF solution using some of the techniques discussed in this talk. The plan is to keep improving this extension with the help of the http.ninja project.
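To make the blacklist problem concrete, here is an added example (not the Burp extension from the talk) with constructed requests and no network: the same SQL-injection payload is sent once as a plain form post and once with chunked transfer encoding, the chunk boundary placed inside the keyword. A WAF that matches patterns against the raw request text misses the second one; the origin server dechunks and URL-decodes before it ever looks at the parameter, so it receives the payload intact. The corrected WAF normalizes the request the way the server does and only then matches.

```javascript
// Added example: a raw-text blacklist (weak) versus a normalizing one
// (corrected), on a payload reshaped with chunked transfer encoding.
// Not the talk's code; requests are constructed strings.
const BLACKLIST = [/union\s+select/i, /<script\b/i];

function naiveWafBlocks(rawRequest) {
  return BLACKLIST.some(re => re.test(rawRequest));
}

// Minimal HTTP/1.1 request parser: request line, headers, then a body framed
// by chunked Transfer-Encoding (which takes precedence) or by Content-Length.
function parseRequest(raw) {
  const sep = raw.indexOf('\r\n\r\n');
  const headLines = raw.slice(0, sep).split('\r\n');
  const [method, target, version] = headLines[0].split(' ');
  const headers = {};
  for (const line of headLines.slice(1)) {
    const colon = line.indexOf(':');
    headers[line.slice(0, colon).trim().toLowerCase()] = line.slice(colon + 1).trim();
  }
  let body = raw.slice(sep + 4);
  if ((headers['transfer-encoding'] || '').toLowerCase().includes('chunked')) {
    body = dechunk(body);
  } else if (headers['content-length'] !== undefined) {
    body = body.slice(0, Number(headers['content-length']));
  }
  return { method, target, version, headers, body };
}

function dechunk(data) {
  let out = '';
  let pos = 0;
  for (;;) {
    const lineEnd = data.indexOf('\r\n', pos);
    const size = parseInt(data.slice(pos, lineEnd).split(';')[0], 16); // drop chunk extensions
    if (size === 0) break;
    out += data.slice(lineEnd + 2, lineEnd + 2 + size);
    pos = lineEnd + 2 + size + 2;
  }
  return out;
}

function parseForm(body) {
  const params = {};
  for (const pair of body.split('&')) {
    if (pair === '') continue;
    const eq = pair.indexOf('=');
    const key = eq === -1 ? pair : pair.slice(0, eq);
    const value = eq === -1 ? '' : pair.slice(eq + 1);
    params[decodeURIComponent(key.replace(/\+/g, ' '))] = decodeURIComponent(value.replace(/\+/g, ' '));
  }
  return params;
}

// The corrected WAF: normalize exactly like the server, then match.
function normalizingWafBlocks(rawRequest) {
  const req = parseRequest(rawRequest);
  const values = Object.values(parseForm(req.body)).join('\n');
  return BLACKLIST.some(re => re.test(values));
}

const COMMON_HEADERS = 'Host: example.test\r\nContent-Type: application/x-www-form-urlencoded\r\n';

function buildPlain(target, body) {
  return 'POST ' + target + ' HTTP/1.1\r\n' + COMMON_HEADERS +
         'Content-Length: ' + body.length + '\r\n\r\n' + body;
}

// Same body, chunked, with chunk boundaries at the given offsets so that a
// keyword is split across two chunks in the raw request text.
function buildChunked(target, body, splitAt) {
  const offsets = [0, ...splitAt, body.length];
  let framed = '';
  for (let k = 0; k + 1 < offsets.length; k++) {
    const piece = body.slice(offsets[k], offsets[k + 1]);
    framed += piece.length.toString(16) + '\r\n' + piece + '\r\n';
  }
  framed += '0\r\n\r\n';
  return 'POST ' + target + ' HTTP/1.1\r\n' + COMMON_HEADERS +
         'Transfer-Encoding: chunked\r\n\r\n' + framed;
}

const PAYLOAD = 'q=1 UNION SELECT user,pass--';
```

The same gap opens with percent-encoding, parameter pollution, unusual Content-Type values and pipelined requests: any transformation the origin performs that the WAF does not. That is why the WAF's parser has to agree with the server's, and why a WAF is a layer in front of input validation in the application rather than a substitute for it.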

Speakers

Soroush Dalili

Principal Security Consultant, NCC Group
Soroush is a Web Application Security expert and his field of expertise includes finding vulnerabilities in web applications, security source code review, and penetration testing. He has got 10+ years of experience in this area and has submitted many security advisories. Some of his... Read More →


Friday July 6, 2018 2:15pm - 3:00pm
Fleming - 3rd Floor QEII Centre Broad Sanctuary, Westminster, London. SW1P 3EE

3:00pm

Afternoon Coffee Break - Vendor Passport prizes drawing

Talk

Friday July 6, 2018 3:00pm - 3:30pm
Whittle and Britten rooms - 3rd floor

3:30pm

Regular to Enterprise-Ready Apps with Cybersecurity APIs

Generally, applications often struggle to break into the enterprise sector because they are missing vital compliance and data protection features. Without knowing what sensitive data their applications store and how it is used, they cannot meet the rigorous requirements needed by business applications.
The solution to this predicament is to, of course, include security features into applications, but that implies a lot of extra work and time going into the building process. But what if there was another, easier way to do it? APIs, cloud services and RAD methodologies have become common in development after all. Why not solve the problem through Cybersecurity APIs and well documented SDKs?
Firstly, because very few existed and even those that do, usually offer very limited applicability. Until now that is.
As Software Architect and Security Engineer, I lead the development of ground-breaking APIs for sensitive data analysis and classification that were born out of my vision for more data secure applications starting at platform level. These APIs allow developers to inject cyber security features at the core of tools and applications with full SDKs and language specific set of tools and helpers. They discover sensitive data with protection and compliance profiles for HIPAA, PCI-DSS, GDPR, and others and use a scanner to create a solid, risk-free application with minimum development effort. Personal and corporate owned data can also be separated through a classification module that uses advanced data modeling techniques and machine learning.
In my presentation, I want to talk about and show attendees how these APIs can be added to existing applications using just language specific SDKs to simplify the road to enterprise-readiness and offer applications a boost in security.

Speakers

Ovidiu Cical

Security Architect, None Inc.
Ovidiu is a cybersecurity enthusiast and Software Architect @ EndpointProtector.com / CoSoSys with over 10 years of experience in the field of information technology, working with various programming languages and technologies, mainly in Cybersecurity related areas. At EndpointProtector.com... Read More →


Friday July 6, 2018 3:30pm - 4:15pm
Abbey - 4th Floor QEII Centre Broad Sanctuary, Westminster, London. SW1P 3EE

3:30pm

Patterns in Node.js Package Vulnerabilities: What You can Learn from 1000+ Advisories to Secure Your Node Apps

What's hardest to get right with Node.js at the moment? A recent survey reveals that security is one of the top concerns for most Node.js developers. In this regard, the over one thousand publicly published Node package vulnerabilities could be our best companion.
Analyzing these vulnerabilities reveals useful insights into common security mistakes made by package authors. This presentation brings forth distilled findings that would help the audience avoid security issues in their own application code, conduct security reviews, and vet external project dependencies.
This presentation covers statistics and patterns related to:
* Frequently occurring vulnerabilities
* Distribution of vulnerabilities by severity
* Effectiveness of CLI tools to detect insecure project dependencies
Further, the presentation highlights common programming mistakes behind some of the top vulnerabilities.
The information gained from this presentation would help the audience to avoid common security issues when developing their own Node.js packages and applications; or identify possible security vulnerabilities when conducting security-focused code reviews and penetration testing for the Node.js applications.

Speakers

Chetan Karande

Chetan Karande is a full-stack web developer, a security researcher, the author of Securing Node Applications (O’Reilly), and a contributor to multiple open source projects. He is a member of the Open Web Application Security Project (OWASP) and a project leader for the OWASP NodeGoat... Read More →


Friday July 6, 2018 3:30pm - 4:15pm
St James- 4th Floor QEII Centre Broad Sanctuary, Westminster, London. SW1P 3EE

3:30pm

Jumpstarting Your DevSecOps Pipeline with IAST and RASP

DevSecOps is so much more than "automating the scan button." In this talk, we will create a continuous, effective, and scalable DevSecOps pipeline using only *free* tools.  We'll use IAST (Interactive Application Security Testing) to accurately pinpoint vulnerabilities in real time without scanning. Then we'll set up RASP (Runtime Application Self-Protection) to gain comprehensive visibility of attacks in operations and prevent exploits.  And we'll integrate all of this security vulnerability and attack telemetry into the tools your teams are already using.  

* We will enable developers with real-time security feedback right in their IDE
* We will also ensure that libraries and frameworks are analyzed continuously for vulnerabilities
* We'll integrate security into the CI/CD process so that we can easily fail a build
* We'll identify application layer attacks and create a whole new level of visibility for your SOC
* We'll even prevent exploitation of newly discovered vulnerabilities in open source libraries

After this talk, you'll be able to establish your own DevSecOps pipeline immediately. This reference architecture can be adapted easily to almost any tools and processes -- even legacy applications and waterfall style projects.

Speakers

Jeff Williams

Co-founder and CTO, Contrast Security
I've been in security since the late 1980's and have been blessed with the opportunity to help start three great application security organizations: Contrast Security, OWASP, and Aspect Security (recently sold to EY). I'm coming to LASCON to meet *you*. I'm easy to find :-) and... Read More →


Friday July 6, 2018 3:30pm - 4:15pm
Westminster- 4th Floor QEII Centre Broad Sanctuary, Westminster, London. SW1P 3EE

3:30pm

Serverless Infections - Malware Just Found a New Home

With Lambda by Amazon, Cloud Functions by Google, and Azure Functions by Microsoft, we are seeing more and more organizations leveraging the advantages introduced by serverless computing. But what does serverless computing entail when it comes to security? With no dedicated server, is the security risk higher or lower? Can malware live inside the code? These are critical questions every organization shifting to a serverless environment should be asking.
We challenged our Checkmarx Research Team to implement the first-ever RCE (Remote Code Execution) attack in a serverless environment that is both stored and viral. Using Amazon’s Lambda as our first test subject, we were able to build a PoC where we showed how information extraction and exfiltration is done. We also demonstrated how the payload persists and can be injected into other non-vulnerable functions. We then went ahead and tested to see if the same would work on Azure and Google Cloud. Curious to know the outcome?
In this talk, we will present our findings along with some best practices and tips for ensuring security prevails in a serverless environment. The presentation will start by explaining serverless computing and its advantages. We will then start digging into the details of serverless computing and how the architecture is built by the different vendors.
Our next step will be to discuss how serverless computing impacts security and how functions can be leveraged to expose the platform to infections and data exfiltrations.
The presentation details the research we conducted and shows a step-by-step process of a completely new attack vector allowing attackers to exploit command injection to:
* Gather sensitive information from the ephemeral machine
* Persist a payload in a non-persistent environment (by leveraging S3 write permissions)
* Infect co-located functions to get a viral effect of all-or-nothing in remediation efforts
We will demonstrate the attack steps on one or more platforms using a live web application.
People who will join this talk will:
* Understand the architecture and advantages of a serverless computing environment
* Learn the security challenges entailed in working in a serverless environment
* View a live demo on how data is infiltrated, infected, and exfiltrated in a serverless environment
* See how we built self-duplicating attacks that survive persistently within the code
* Watch as the attack is executed on platforms running on serverless environments
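The persistence and infection steps above work only if the function's execution role is allowed to write to S3 or to change other functions. The following added audit is not part of the Checkmarx research; it walks an IAM policy document and reports Allow statements that grant such actions, noting whether they do so on a wildcard resource. The action names are AWS's own; the two policy documents are constructed, one over-broad and one scoped to a single bucket prefix.

```javascript
// Added example: audit a Lambda execution role policy for the write
// permissions that a serverless payload needs to persist or spread.
// Not the research team's code; the two policies are constructed.
const SENSITIVE_ACTIONS = [
  's3:PutObject',                      // stash a payload in a bucket
  's3:PutBucketPolicy',
  'lambda:UpdateFunctionCode',         // overwrite a co-located function
  'lambda:UpdateFunctionConfiguration',
  'lambda:CreateFunction',
  'iam:PassRole',
];

// IAM action patterns may contain '*' (e.g. "s3:*", "lambda:Update*").
function actionMatches(pattern, action) {
  const escaped = pattern.split('*').map(s => s.replace(/[.+?^${}()|[\]\\]/g, '\\$&'));
  return new RegExp('^' + escaped.join('.*') + '$', 'i').test(action);
}

// "*" or an ARN whose last segment is "*" (every bucket, every function).
function isWildcardResource(resource) {
  return resource === '*' || resource.split(':').pop() === '*';
}

function auditExecutionRole(policy) {
  const findings = [];
  policy.Statement.forEach((st, index) => {
    if (st.Effect !== 'Allow') return;
    const actions = [].concat(st.Action || []);
    const resources = [].concat(st.Resource || []);
    const granted = SENSITIVE_ACTIONS.filter(a => actions.some(p => actionMatches(p, a)));
    if (granted.length === 0) return;
    findings.push({
      statement: index,
      sid: st.Sid,
      actions: granted,
      wildcardResource: resources.some(isWildcardResource),
    });
  });
  return findings;
}

// Constructed: the kind of role a function gets when it is handed "s3:*".
const OVERBROAD_POLICY = {
  Version: '2012-10-17',
  Statement: [
    { Sid: 'Logs', Effect: 'Allow', Action: ['logs:CreateLogGroup', 'logs:CreateLogStream', 'logs:PutLogEvents'], Resource: '*' },
    { Sid: 'Storage', Effect: 'Allow', Action: 's3:*', Resource: '*' },
    { Sid: 'Lambda', Effect: 'Allow', Action: 'lambda:*', Resource: 'arn:aws:lambda:eu-west-1:123456789012:function:*' },
  ],
};

// Constructed: the same function limited to what it actually does.
const LEAST_PRIVILEGE_POLICY = {
  Version: '2012-10-17',
  Statement: [
    { Sid: 'Logs', Effect: 'Allow', Action: ['logs:CreateLogGroup', 'logs:CreateLogStream', 'logs:PutLogEvents'], Resource: '*' },
    { Sid: 'ReadInputs', Effect: 'Allow', Action: 's3:GetObject', Resource: 'arn:aws:s3:::app-data/inputs/*' },
    { Sid: 'WriteOutputs', Effect: 'Allow', Action: 's3:PutObject', Resource: 'arn:aws:s3:::app-data/outputs/*' },
  ],
};
```

Run it over every execution role in the account (the policy documents come from aws iam get-role-policy and get-policy-version). A function that legitimately writes should be scoped to one prefix, as in the second policy, so that a successful command injection can neither stage a payload in an arbitrary bucket nor rewrite neighbouring functions.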

Speakers

Amit Ashbel

Cyber Security Evangelist
Amit has been with the security community for more than a decade where he has taken on multiple tasks and responsibilities, including technical and Senior Product lead positions. Amit adds valuable product knowledge including experience with a wide range of security platforms and... Read More →

Shimi Eshkenazi

Research Team, Checkmarx


Friday July 6, 2018 3:30pm - 4:15pm
Fleming - 3rd Floor QEII Centre Broad Sanctuary, Westminster, London. SW1P 3EE

4:15pm

Perimeter-less: Engineering the future of Defense

In this talk, Allison Miller will discuss how today’s defenders are adapting to the new normal of our ever evolving ecosystem -- expanding exposure surfaces, complexity in every corner, continuous change, not to mention bigger big data and badder bad actors -- by focusing on designing and architecting more defensible systems. The modern defender can no longer depend on simple "castle and moat" style tactics, but must craft protections for platforms, applications, and services that operate in real-time at internet scale -- while at the same time protecting millions of customers, transactions, endpoints, and actions on any given day. We'll talk about the models and design approaches that we can add into our arsenals, and the technologies we'll need to launch the practice of defense beyond the perimeter.

Speakers

Allison Miller (Keynote Speaker)

Senior Vice President Engineering, Bank of America
Allison Miller (@selenakyle) leads the engineering efforts for Bank of America's information security organization. With over 15 years of building teams and technology that protect people and platforms, Allison is known for her expertise in designing and implementing real-time risk... Read More →


Friday July 6, 2018 4:15pm - 5:00pm
Fleming - 3rd Floor QEII Centre Broad Sanctuary, Westminster, London. SW1P 3EE