AppSec Europe 2018 has ended

Developer track
Wednesday, July 4

4:00pm BST

ModSec CRS Community Summit

OWASP ModSecurity Core Rule Set project (CRS) Community Summit
There are three goals for this first get-together of the CRS community:

  • We want to meet you and hear how you use CRS in your setup!
  • Let’s talk about the status of the project, the road map and your feature requests!
  • Let’s start to build strong ties within the community!

So there are going to be presentations, but the essential part is the discussions and the networking. We want to understand how people are using CRS and where they think there is room for development.

This summit is for everybody who runs CRS and for all the other people who are interested in the project.
This is the program (still subject to change, probably until the last moment):

  • Welcoming address
  • Presentation I : Chaim Sanders: Upcoming CRS 3.1 release
  • Presentation II : Rodrigo Martinez: Machine Learning with ModSec/CRS3
  • Networking Session / Poster Session
  • Presentation III : Christian Treutler / Mirko Dziadzka : Rules Meta Language
  • Presentation IV : Tin Zaw: WAFLZ
  • Break
  • Presentation V : Adrian Winckles: HoneyPot project
  • Workshop: Future Plans
  • Group Photo
  • Planning Session: Call for hands

The summit is being moderated by Christian Folini.

Poster session: You are invited to bring along a poster, put it up on the wall in our room and we will give you time to present it to our audience. We are interested in use cases, success stories or unique approaches to integrating CRS3. Also ideas and pitches for new projects within our community are welcome. Standard flipchart format. Please be aware you should bring it along in physical form: we can’t print it on site. But we will have tape available for you.

Blogposts about this Community Summit:

Christian Folini

Partner, netnea.com
Christian Folini is a partner at netnea AG in Berne, Switzerland. He holds a PhD in medieval history and enjoys defending castles across Europe. Unfortunately, defending medieval castles is no big business anymore and Christian turned to defending web servers which he thinks equally...

Wednesday July 4, 2018 4:00pm - 8:00pm BST
Rutherford - 4th Floor QEII Centre Broad Sanctuary, Westminster, London. SW1P 3EE
Thursday, July 5

10:15am BST

Unicode: The hero or villain? Input Validation of free-form Unicode text in Web Applications

"The most difficult fields to validate are the so-called free text fields", as the most frequent stereotype of web application input validation goes, and it becomes even more complicated when the free text contains multi-language Unicode. Unicode is indeed complicated and tricky to get right on the first try, but for application defenders it's actually a great tool for getting input validation right. This talk will clear up misconceptions about Unicode input validation, explain what Unicode normalization, canonicalization and character classes are, and show how these can be used to make your input validation bulletproof rather than a cause of headaches.

Paweł Krawczyk

Senior Application Security Consultant, Kainos
Throughout the years of architecting application security programs for Aon, Goldman Sachs, HSBC and others, I've been mostly interfacing between techies and senior management, while still being an active developer and hands-on infosec consultant.

Thursday July 5, 2018 10:15am - 11:00am BST
St James - 4th Floor QEII Centre Broad Sanctuary, Westminster, London. SW1P 3EE

11:00am BST

Remediate The Flag - Practical AppSec Training Platform

Developers aren’t born knowing how to code securely, and appsec training is often boring and does not provide practical examples. For the business it is usually not possible to assess competency in secure coding, and it is difficult to calculate the ROI of security training.
This talk introduces RTF, an open source Practical Application Security Training platform that offers application security focused exercises.
Candidates manually find and remediate the code of a vulnerable application running in a disposable development environment accessed through a web browser. 100% hands-on training, no multiple choice questions involved.
The demo will show the following workflow:
Candidates select an exercise, and the RTF platform provisions a dedicated environment accessed through a web browser. Candidates then find and manually remediate vulnerable code in the RTF instance by referencing the instructions.
Candidates can check in real time whether security issues were successfully remediated; they can take hints, which affect their final score.
When the exercise is completed, the platform provides automated results including a code diff and logs. An assessor reviews the exercise results and, if necessary (wrong remediation approach), provides additional feedback to the candidate.
It is possible to set up time-boxed tournaments specifying programming languages, developer groups (frontend vs backend, web vs non-web) and target vulnerabilities. Points are used to rank candidates on a “Leaderboard” so that they can compare themselves to their peers.
Full stats are provided at candidate, team and organisation level, indicating remediation ratio and time spent on each type of vulnerability, aggregated by category.
An SDK makes it easy to add new exercises, completely customisable to target specific organisation needs.

Andrea Scaduto

Andrea is a Senior Penetration Tester and Software Engineer with an MSc in Computer Engineering and several IT Security certifications. He enjoys breaking, building and securing web and mobile applications. He has an extensive knowledge of secure coding techniques and a focus on reducing...

Thursday July 5, 2018 11:00am - 11:45am BST
St James - 4th Floor QEII Centre Broad Sanctuary, Westminster, London. SW1P 3EE

11:45am BST

Secure Software Development Framework: Towards an SDL for all SDLCs

The Security Development Life-cycle (SDL) is a process that helps developers build more secure software. This is accomplished by embedding secure architecture, design, development and validation activities into the overarching Software Development Life Cycle (SDLC) process. Our research proposes an approach to secure application development that scales to the varied demands of modern software houses. In this work, we sought to develop an SDL that is suited to the Waterfall, Iterative and Continuous Deployment methodologies of software development. Those SDLCs are abstractions that cover the vast majority of SDLC types. We present an approach to SDL, the Secure Software Development Framework (SSDF), that is agnostic to the SDLC, allowing organizations to combine development style flexibility with security in application development. SSDF also seeks to tackle the efficiency of the process by eliminating redundancy and clarifying requirements, making it easy for software developers and architects to adopt.

Damilare D. Fagbemi

Software Security Architect, Intel Corporation
Damilare D. Fagbemi is a Security Architect at Intel Corporation where he has had the pleasure of working with talented product teams to architect and build secure Internet of Things (IoT), web, mobile, and thick client solutions. He also leads the Libraries Product Security Expert...

Thursday July 5, 2018 11:45am - 12:30pm BST
St James - 4th Floor QEII Centre Broad Sanctuary, Westminster, London. SW1P 3EE

1:30pm BST

OAuth is DAC. What do you do for MAC?

Such is the frustration of the development community with SAML that most new projects requiring access control turn to OAuth. Yet the goals of OAuth are completely different from SAML’s: the former gives the end user control over who has access to their resources, while the latter is mainly used to enforce compliance with security policy. Most projects need both, so vendors are building ad-hoc extensions to their authorization servers to meet the need for mandatory access control, many of which are RBAC-based. The emerging consensus on these extensions should, on the one hand, find its way into standards in the short term. In the long term, on the other hand, the industry would benefit from moving beyond RBAC, but this requires further attention from researchers and vendors and, eventually, standardization bodies.

Johan Peeters

security architect, independent
I currently mainly work on access control for REST APIs, but I am also interested in identity and access management, security operations center architecture and cloud security. Apart from my commercial consulting and bespoke development activities, I also teach software security at...

Thursday July 5, 2018 1:30pm - 2:15pm BST
St James - 4th Floor QEII Centre Broad Sanctuary, Westminster, London. SW1P 3EE

3:30pm BST

Injecting Security Controls into Software Applications

SQL Injection was first mentioned in a 1998 article in Phrack Magazine. Twenty years later, injection is still a common occurrence in software applications (No. 1 in the latest OWASP Top 10, 2017). For the last 20 years, we have been focusing on vulnerabilities from the attacker’s point of view, and SQL injection is still King. Something else must be done.
What if there is another way to look at software vulnerabilities? Can vulnerabilities be decomposed into security controls familiar to developers? Which security controls are absolute must-haves, and which additional security measures do you need to take into account?
These are hard questions, as evidenced by the numerous insecure applications we still have today. Attend this session to explore security vulnerabilities from a different angle. As part of this briefing, we examine how to decompose vulnerabilities into security controls that developers are familiar with, and offer actionable advice on when to use them in the SDLC and how to verify them.
After this session you will have a better understanding of what to consider when building an application security program in your organization and how to evolve it over time to take into account new attack vectors.
Recommended to all builders and security professionals looking to integrate security into their software applications.

Katy Anton

Principal Application Security Consultant, Veracode
Katy Anton is a security professional with a background in software development. An international public speaker, she enjoys speaking about software security and how to secure software applications. In her previous roles, she led software development teams and implemented security...

Thursday July 5, 2018 3:30pm - 4:15pm BST
St James - 4th Floor QEII Centre Broad Sanctuary, Westminster, London. SW1P 3EE
Friday, July 6

10:15am BST

Building Secure ASP.NET Core MVC 2.0 Applications

Building secure applications is a difficult task, especially when building them on a new application framework. ASP.NET Core is a new open-source and cross-platform framework, completely rewritten from scratch and first released in 2016. It can run on Windows, Mac and Linux, and the framework has moved to a more modular approach, which gives more flexibility when creating solutions with it.
How secure is ASP.NET Core 2.0 by default? Do the APIs help the developer do a good job, or is a mistake easily made? In this session, we're going to investigate how ASP.NET Core MVC and Razor Pages deal with the above questions in relation to e.g. Cross-Site Scripting (XSS) and Cross-Site Request Forgery (CSRF) issues. How good are the default templates, and how easy is it to adapt to newly introduced web standards? We are also going to see how we can validate an existing solution for the problems we’ve identified.

Niels Tanis

Security Researcher, Veracode
Niels Tanis has got a background in .NET development, pentesting and security consultancy. He also holds the CSSLP certification and has been involved in breaking, defending and building secure applications. He joined Veracode in 2015 and right now he works as a security researcher...

Friday July 6, 2018 10:15am - 11:00am BST
St James - 4th Floor QEII Centre Broad Sanctuary, Westminster, London. SW1P 3EE

11:00am BST

Usable Security for Developers: A Nightmare

The term "usable security" is on everyone's lips and there seems to be a general agreement that, first, security controls should not unnecessarily affect the usability and user-friendliness of systems, and, second, that simple-to-use systems should be preferred as they minimize the risk of handling errors that can be the root cause of security incidents such as data leakages.
But it also seems to be a general surprise (at least for security experts) why software developers always (still) make so many easy-to-avoid mistakes that lead to insecure software systems. In fact, many of the large security incidents of the last weeks/months/years are caused by "seemingly simple to fix" programming errors.
Bringing both observations together, it should be obvious that we need usable and developer-friendly security controls and programming frameworks that make it easy to build secure systems. Still, reality looks different: many programming languages, APIs, and frameworks provide complex interfaces that are, actually, hard to use securely. In fact, they are miles away from providing usable security for developers.
In this talk, I will discuss examples of complex and "non-usable" security for developers, such as APIs that, in fact, are (nearly) impossible to use securely or that require an understanding of security topics that most security experts do not have (and, thus, that we cannot expect from software developers).

Achim D. Brucker

The University of Sheffield
Dr. Achim D. Brucker (www.brucker.ch) is a Senior Lecturer and consultant at The University of Sheffield, UK, where he heads the Software Assurance & Security Research Team (logicalhacking.com). Until December 2015, he was a Research Expert (Architect), Security Testing Strategist...

Friday July 6, 2018 11:00am - 11:45am BST
St James - 4th Floor QEII Centre Broad Sanctuary, Westminster, London. SW1P 3EE

11:45am BST

Programming Language Agnostic Cross-Application CSRF Protection

Xing is a European career-oriented social networking platform. While it appears as a single website to visitors, internally it is more than a hundred separate web applications interacting with each other, most of them built using Ruby on Rails.
We discovered that Rails' built-in CSRF prevention mechanism doesn't work between multiple applications and causes too many exceptions affecting the visitors when combined with single page application frameworks like React.
In the first part of the talk we'll explore the problems arising from applying a CSRF protection built for classic monolithic web applications to a single page application and microservice architecture. The second part is a detailed description of the alternative language-agnostic, self-recovering CSRF prevention mechanism we developed to address the issues, followed by a live demo.

Egor Balyshev

Software Architect, XING SE
Egor Balyshev has been developing software for 17 years, primarily focusing on web based applications. For the last 3 years he has been working as a software architect at XING, a career-oriented social networking website. His topics of interest include distributed systems, user interfaces...

Friday July 6, 2018 11:45am - 12:30pm BST
St James - 4th Floor QEII Centre Broad Sanctuary, Westminster, London. SW1P 3EE

1:30pm BST

A Methodology for Assessing JavaScript Software Protections

JavaScript is a highly dynamic language. At runtime, functions and event handlers can be redefined. New code can be parsed and executed. While these properties offer a lot of flexibility, they are a nightmare when it comes to security. First, they are powerful weapons for an adversary. But they also make building tamper-resistance and obfuscation techniques a lot harder. As a result, determining whether a given protection is strong or weak is a daunting task for an application developer or security practitioner.
In this talk, we explore the peculiarities of protecting JavaScript and how it differs from protecting native code. We then dive into a couple of protected JavaScript examples, demonstrate different attack techniques, e.g. partial evaluation, and investigate their potential for reverse engineering and tampering. We’ll go through different tamper-resistance and obfuscation techniques and test their resilience against modern reverse engineering techniques.
We’ll propose a methodology to help security practitioners evaluate JavaScript code protection. The need to assess software protections has recently been recognized by the OWASP Mobile Security Testing Guide. We provide pointers on what to look for in JavaScript code protection, what real value you can get from it, and when it makes sense to use it and when it doesn’t.
Expect a highly technical talk, with several demos, including live reverse engineering of protected JavaScript. In the end, you will have learned how to assess the value of available JavaScript code protection techniques.

Pedro Fortuna

CTO, Jscrambler
Pedro Fortuna is CTO and Co-Founder of Jscrambler where he leads the technical vision for the product suite and contributes with his cybersecurity knowledge for R&D. Pedro holds a degree in Computing Engineering and a MSc in Computer Networks and Services, having more than a decade...

Friday July 6, 2018 1:30pm - 2:15pm BST
St James - 4th Floor QEII Centre Broad Sanctuary, Westminster, London. SW1P 3EE

2:15pm BST

Embedding Defense in Server-Side Applications

Applications often rely on secure development practices and third-party defense mechanisms for protection. Whenever an application receives malicious payloads, they are either dropped or executed by the affected application. Ignoring these situations aids attackers in performing deep analysis of applications until they are able to exploit existing flaws.
Standards, libraries and third-party defense systems developed to secure applications introduce opportunities for attackers. While some protections have already been implemented in applications and web firewalls, there is a whole spectrum of techniques not being analyzed. This research details how server-side applications can incorporate an extensive layer of defense to detect and protect against attackers.
Defense mechanisms will be presented in four different languages: .NET, Java, PHP and Python. Involuntary vulnerabilities present in secure coding guidelines from CERT will be used to exemplify how an embedded defense can protect applications from unknown attack vectors. By implementing the defenses laid out in this paper, attackers may unwittingly become the victims.

Fernando Arnaboldi

Security Consultant
Fernando Arnaboldi is a developer and a security consultant who specializes in penetration testing and code reviews on multiple platforms. He has focused his research on breaking the security of different programming languages and has presented his findings in security conferences...

Friday July 6, 2018 2:15pm - 3:00pm BST
St James - 4th Floor QEII Centre Broad Sanctuary, Westminster, London. SW1P 3EE

3:30pm BST

Patterns in Node.js Package Vulnerabilities: What You can Learn from 1000+ Advisories to Secure Your Node Apps

What's hardest to get right with Node.js at the moment? A recent survey reveals that security is one of the top concerns for most Node.js developers. In this regard, the over one thousand publicly published Node package vulnerabilities could be our best companion.
Analyzing these vulnerabilities reveals useful insights into common security mistakes made by package authors. This presentation brings forth distilled findings that would help the audience avoid security issues in their own application code, conduct security reviews, and vet external project dependencies.
This presentation covers statistics and patterns related to:
* Frequently occurring vulnerabilities
* Distribution of vulnerabilities by severity
* Effectiveness of CLI tools in detecting insecure project dependencies
Further, the presentation highlights common programming mistakes behind some of the top vulnerabilities.
The information gained from this presentation would help the audience avoid common security issues when developing their own Node.js packages and applications, or identify possible security vulnerabilities when conducting security-focused code reviews and penetration testing of Node.js applications.

Chetan Karande

Chetan Karande is a security researcher, speaker, and author of Securing Node Applications (O’Reilly). He is the project leader for the OWASP NodeGoat project and contributor to multiple open source projects.

Friday July 6, 2018 3:30pm - 4:15pm BST
St James - 4th Floor QEII Centre Broad Sanctuary, Westminster, London. SW1P 3EE