Conference Program - OWASP AppSec USA 2011

More documents

Recommendations

Info

are very few publicly released auditing tools and little documentationon penetration techniques, especially in the areaof reverse engineering and fuzzing. This talk will cover ourresearch into existing blackbox Android application testingmethodologies and the new methods we developed. We willalso release our custom Android security tools suite. With thehelp of these tools and techniques we were able to find majorvulnerabilities in some of the industry’s top “Enterprise Class”Android Applications. During the talk we will walk the audiencethrough the steps we took, the vulnerabilities we found,and how they can do it themselves.Brakeman and Jenkins: The Duo Detect Defects inRuby on Rails CodeJustin Collins, Tin ZawRuby on Rails (RoR) is a popular web application developmentframework with support for Model-View-Controller architecture,“convention over configuration”, “don’t repeat yourself”or DRY principle, and test-driven development. The frameworkis designed to be resistant to web security exploits suchas cross-site scripting, SQL injection and cross-site requestforgery.Even with built-in protections, it is possible, and often witnessed,that security flaws get introduced in Ruby on Railscode. Brakeman, a static code analyzer for Ruby on Railscode, is designed and developed at AT&T Interactive by JustinCollins to detect such flaws during early phases of developmentcycle. To further reduce the burden on the developer,Brakeman is integrated into a continuous build and integrationserver called Jenkins, formerly known as Hudson.This talk will focus on basics of security features in Railsframework, advantages of using static analysis for discoveringsecurity issues, design and development of Brakeman,and how Brakeman and Jenkins are used together at AT&TInteractive to reduce security defects. The only static codeanalyzer for detecting security defects in Ruby on Rails code,Brakeman is available on GitHub under open source license.CloudSec 12-StepAdrian LaneDo you think cloud security is mainframe computing all overagain? Is Azure security just like Windows security? If so,then join me for CloudSec Anonymous, a 12-step program forthose of you who want to understand what’s different aboutcloud security. This presentation if for those of you who talkabout “The Cloud” and virtualization in the same breath, buthave never actually built your own cloud - much less tried tosecure it. For many, ‘The Cloud’ is just software running on8someone else’s machine, which you access from your browser.Still others only view the cloud as virtualized resources availableto the public. Go ahead, admit it: You don’t have a Rackspaceaccount and you have never spun up an AMI. Admittingyou don’t understand the cloud or cloud security is the firststep in figuring out how to secure services or securely deployyour applications. Cloud services are differentiated from traditionalIT through elastic, self-service, pay as you go computingmodels. But these characteristics don’t provide clues as tohow ‘The Cloud’ changes data and application security. Ratherit depends upon the service model, deployment model andplatform provider that you choose. In this presentation I’lldiscuss 12 areas where cloud security differs from traditionalmodels, focusing on platforms and services commonly usedfor custom web applications. Topics will include:••Redeployment of data encryption and keymanagement••Testing and deployment of cloud applications••Identity management for cloud applications••PaaS today, gone tomorrow: reliance on API’s••Infrastructure stack management••Tradeoffs between Platform as a Service andInfrastructure as a Service••Fundamental security differences betweenpublic and private clouds.
ESAPI 2.0 - Defense Against the Dark ArtsBeef (Chris Schmidt), Kevin WallIn this presentation Chris, joined by Kevin Wall and othermembers of the ESAPI team will highlight the latest GA releaseof <strong>OWASP</strong> Enterprise Security API 2.0. Key touchpointsof the talk will include:••What is ESAPI••Integrating Controls••Crypto Enhancements (Kevin Wall)••ESAPI Roadmap & Future (ESAPI Dev Team)••ESAPI Community LaunchWhat is ESAPI will feature an updated overview of what anEnterprise Security API is, why it is important, and how itis intended to be used. This will be a high-level overviewintended to raise questions from you about specifics that canbe addressed in the breakout session or over a cold beer.Integrating Controls will be a brief view into what it actuallytakes to build and integrate an ESAPI control into a web application.This demo will focus on solving a XSS issue on a smallvulnerable web application.One of the single largest enhancements to ESAPI 2.0 was acomplete overhaul of the Crypto component. Kevin Wall drovethis initiative from idea to completed project and will be highlightingthe hows, whys, and whats of the enhancements.Ghosts of XSS Past, Present and FutureJim ManicoThis talk will discuss the past methods used for XSS defensethat were only partially effective. Learning from these lessons,will will also discuss present day defensive methodologies thatare effective, but place an undue burden on the developer.We will then finish with a discussion of future XSS defensemethodologies that shift the burden of XSS defense from thedeveloper to various frameworks. These include auto-escapingtemplate technologies, browser-based defenses such asContent Security Policy, and Javascript sandboxes such as theGoogle CAJA project and JSReg.The Good Hacker - Dismantling Web MalwareAditya K Sood, Richard EnbodyThe talk sheds light on the new trends of web based malware.Technology and insecurity go hand in hand. With the adventof new attacks and techniques, the distribution of malwarethrough the web has been increased tremendously. BrowserExploit Packs (BEP) (BlackHole, Phoenix, Bleeding Life, etc.)are increasing infections day by day. Most of these BEPs areused in conjunction with botnets such as Zeus and SpyEyeto initiate infections across the web. The attackers spreadmalware elegantly by exploiting the vulnerabilities and driveby downloads. The infection strategies opted by attackers likemalware distribution through IFRAME injections, SEO poisoning,URL trickery, social network manipulations, and webvulnerabilities act as a launchpad for web malware. Third generationbanking malware such as SpyEye and Zeus has showndevastating artifacts. The question is, how we have to dealwith them? Are our protection mechanisms sound enough? Dowe need to hunt them back? All the answers will be providedin this talk covering the following points:••Tracing the malware entry points in-networkand hunting them••Building up methodologies like a hacker to hitback at malware domains••Analyzing trade and tactics of third generationbanking malware••Demonstrate the static, dynamic and behavioralanalysis of web malware including PCAPanalytics••Understanding the design and relevance ofBrowser Exploit Packs
Page 3 and 4: Welcome to OWASP AppSec USA 2011, a
Page 5 and 6: TALKS: Friday, September 23, 2011Ab
Page 7 and 8: MORE EVENTS:Tuesday, September 20,
Page 9: Application Security Debt & Applica
Page 16: surface and vectors to protect next
Page 22 and 23: Application Security,Risk, & Compli
Page 24: Web Application Security PayloadsAn
Page 28 and 29: Downtown Minneapolis26
Page 30 and 31: Platinum Sponsors:Security Innovati
Page 32 and 33: Silver Sponsors:Aspect Security spe
Page 34 and 35: Notes:32

Conference Program - OWASP AppSec USA 2011

You also want an ePaper? Increase the reach of your titles

Delete template?

Save as template?