Sand and Sea Room
Tuesday, January 24
 

9:00am PST

Welcome Address
Speakers
Edward Bonver

Technical Director, Software Security Group, Symantec
OWASP LA chapter board member; OWASP AppSecCali organizer; @edward_bonver; https://www.linkedin.com/in/bonver
Edward Bonver is a technical director and software security architect on the Software Security Group under the Office of the CTO at Symantec Corporation. He is responsible for ensuring...

Richard Greenberg

Global Board of Directors, OWASP
Richard Greenberg, CISSP is a well-known Cyber Security Leader and Evangelist, CISO, Advisor, and speaker. Richard brings over 30 years of management experience and has been a strategic and thought leader in IT and Information Security. His Project Management, Security Management...


Tuesday January 24, 2017 9:00am - 9:15am PST
Sand and Sea Room

9:15am PST

Diamond Sponsor Greeting

Tuesday January 24, 2017 9:15am - 9:20am PST
Sand and Sea Room

9:20am PST

Oscar Whiskey Alpha September Papa
Organizations are reporting that they have more technical staff on hand than ever before. Interoperability of technologies is working seamlessly, and world governments and critical infrastructures are better than ever before. This talk will remove the sugar-coated and politically correct answers and provide straight talk, ideas and answers to the community about the road ahead. Bring your OWASP rockets and let's do this!


Tuesday January 24, 2017 9:20am - 9:40am PST
Sand and Sea Room

9:40am PST

Opening Keynote: Scaling a Software Security Initiative: Lessons from the BSIMM

This talk highlights important lessons in scaling the software security touchpoints described in the book Software Security and making them work efficiently and effectively in a global software security initiative.  The talk will focus on the top three touchpoints, discussing tools, technology, people and processes for each:

  • Code review with a static analysis tool.  What is better, a centralized factory model or tools on all developers’ desktops?  How do you set things up to fix what you find?  How do you avoid rejection of a complex toolset that requires real expertise to use?  What about frameworks that are in common use but stymie current commercial tools?  Are false positives a real issue?
  • Architectural risk analysis. How do you even begin to scale something requiring so much expertise and experience to the enterprise?  What kinds of knowledge make this process more efficient?  How do you gather intelligence about threats?  What are the top ten security design flaws?
  • Penetration testing.  What role should pen testing play in a software security initiative?  Is it best to develop capability in house or hire outside experts?  What kinds of access to design documents and source code should pen testers get?  Does pen testing scale?  How often should an application be tested?

These questions and others will be addressed head on using examples from the 95+ BSIMM firms and many years of real world experience.  (Firms in the BSIMM include, Adobe, Aetna, ANDA, Autodesk, Axway, Bank of America, Betfair, BMO Financial Group, Black Knight Financial Services, Box, Canadian Imperial Bank of Commerce, Capital One, Cisco, Citigroup, Citizen’s Bank, Comerica Bank, Cryptography Research, Depository Trust & Clearing Corporation, Elavon, Ellucian, EMC, Epsilon, Experian, F-Secure, Fannie Mae, Fidelity, Freddie Mac, General Electric, Highmark Health Solutions, Horizon Healthcare Services, Inc., HP Fortify, HSBC, Independent Health, iPipeline, JPMorgan Chase & Co., Lenovo, LGE, LinkedIn, Marks and Spencer, McKesson, Morningstar, Navient, NetApp, NetSuite, Neustar, Nokia, NVIDIA, NXP Semiconductors N.V., Principal Financial Group, Qualcomm, Royal Bank of Canada, Siemens, Sony Mobile, Splunk, Symantec, Target, The Advisory Board, The Home Depot, The Vanguard Group, Trainline, U.S. Bank, Visa, Wells Fargo, and Zephyr Health.)


Speakers
Gary McGraw, Ph.D.

Vice President Security Technology, Synopsys
@cigitalgem
Gary McGraw is the Vice President Security Technology of Synopsys (SNPS), a silicon valley company headquartered in Mountain View, CA. He is a globally recognized authority on software security and the author of eight best selling books on this topic. His titles include...



Tuesday January 24, 2017 9:40am - 10:30am PST
Sand and Sea Room

11:00am PST

SPArring with the Security of Single Page Applications
When SPArring with the security of a Single Page Application (SPA) you need to be like a Mixed Martial Artist (MMA) fighter who understands several specialties to be successful.

In MMA, a fighter needs to be skilled in several martial arts styles, such as boxing, kickboxing, Muay Thai for the stand up portion of the fight. Then, he needs to know wrestling or judo to take the fight to the ground, and once he’s on the ground, he needs to know Jujitsu and Sambo to submit his opponent.

When doing battle with a SPA, a pen-tester must become an MMA hacker… a Mixed Multilayer Application Hacker. As an MMA Hacker, you need to understand the multitude of complex application layers that are only getting more complex and interconnected by the day.

This discussion will include MMA Hacker training on the following application layers:
• Interface layer: Become familiar with SPA frameworks (AngularJS, ReactJS). These SPA frameworks fundamentally change the browser communication that security experts have long understood.
• Backend layer: Dig into different REST APIs and learn how they are used and where to find the weaknesses.
• Network layer: Learn more about WebSockets and how they fundamentally change TCP/HTTP as you have always known it to be.
• Interconnectivity layer: Get to know how SPAs are often interconnected with third-party APIs or presentation elements, and how this can create security issues that are inherited from trusting the third party.
• Tools: Understand what tools are available to help you address these challenges, and the potential gaps that exist in the tools we all depend on.

Join this talk to start your MMA Hacker training today!

Speakers
Dan Kuykendall

Senior Director, Application Security Products, Rapid7
Dan Kuykendall is the Senior Director of Application Security Products at Rapid7 where he directs the strategic vision, research and product development for the company’s application security solutions. In addition to keeping up with the latest attack patterns, Dan remains focused...



Tuesday January 24, 2017 11:00am - 11:50am PST
Sand and Sea Room

12:00pm PST

Serverless is teh Hawtness for Defenders and DevOps
Serverless is a design pattern gaining a lot of traction in DevOps shops. The serverless pattern allows scale without managing the servers or processes running the application. This is done across the continuum of cloud, from storage as a service to database as a service, but the center of serverless is Functions as a Service (FaaS). FaaS offerings on the market include AWS Lambda, Azure Functions, and Google Cloud Functions. Now processes run for milliseconds before being destroyed and then get instantiated again for subsequent requests.

Security changes under serverless and our traditional modes of firewalling and hardening all the things just won’t cut it. Practices like vulnerability discovery, code scanning and intrusion detection change in a serverless architecture. Other changes for serverless include how applications are built and deployed to how teams are structured.

This session will focus on practical security approaches and the four key areas of serverless security: software supply chain, delivery pipeline, data flow and attack detection. Even if you don’t have any experience with serverless, don’t worry, in this session we will start with the basics. You will learn what serverless is (it’s still being defined) and practical patterns for serverless adoption.  

Speakers
James Wickett

Head of Research, Signal Sciences
James is a leader in the DevOps and InfoSec communities; most of his research and work is at the intersection of these two communities. He is a supporter of the Rugged Software movement and he coined the term Rugged DevOps. Seeing the gap in software testing, James founded an open...


Tuesday January 24, 2017 12:00pm - 12:50pm PST
Sand and Sea Room

2:30pm PST

Dissecting Browser Privacy
It's no secret that users are being tracked across the web via cookies, supercookies, and an ever-growing list of browser fingerprinting methods. This talk will go over common privacy attack vectors in the browser and discuss ways to prevent tracking without breaking websites.

Speakers
Yan

Security Engineer, Brave
Yan is a Sr. Security Engineer at Brave Software working on most things browser-related. She is also a Technology Fellow at EFF, was formerly a member of the W3C Technical Architecture Group, and has worked on Let's Encrypt, SecureDrop, HTTPS Everywhere, Tor Browser, Privacy Badger...



Tuesday January 24, 2017 2:30pm - 3:20pm PST
Sand and Sea Room

3:30pm PST

The Road to Free Certificates is Paved with Good Intentions
Let's Encrypt has been a success for the open source community and for privacy in today's world. Running a certificate authority has a variety of challenges, and maintaining an infrastructure with a goal of openness and security has required dedication and flexibility from a small team to turn techniques that "work in theory" into ones that "work in practice." Let's Encrypt is now past its one-year anniversary as a free, automated, and open certificate authority; this talk will cover its approach to mitigating security threats, including physical separation of duties, network partitioning, and change control procedures.

Speakers
Jillian Karner

Log Whisperer, Let's Encrypt/Internet Security Research Group
Jillian has worked at black screens with white typewriter text for start-ups in the security field since her early college years. Now graduated from Arizona State University, she is currently working with Let's Encrypt.



Tuesday January 24, 2017 3:30pm - 4:20pm PST
Sand and Sea Room

4:50pm PST

Panel: Women in Security
Girls Who Code. Lean In. Grace Hopper. Women in Cybersecurity. Brain Babe. With so many targeted initiatives to increase the number of women in cybersecurity careers, what is really happening on the ground with girls and women entering and staying in the field of cybersecurity? Can we hope to get the balance of women/men to 50/50, or is this goal missing the point? Who is getting this right and how are they doing it? What efforts can each of us make to influence girls and women in our communities and organizations?

Moderators
Marian Merritt

Deputy Director NICE, NIST/NICE
Marian Merritt is the Lead for Industry Engagement for the National Initiative for Cybersecurity Education (NICE) at the National Institute of Standards and Technology (NIST). Marian has over 18 years of experience working in the cybersecurity industry. She previously was with Symantec...

Speakers
Deidre Diamond

CEO, Cyber Security Network
Talent and Technology Veteran, Deidre Diamond, Founder and CEO of CyberSN, created the largest cybersecurity talent acquisition service and technology firm in the U.S. Deidre's vision is to remove the pain from job searching and matching for cybersecurity professionals. This vision...

Kelly FitzGerald

Senior Principal Information Security Analyst, Veritas Technologies LLC.
Kelly FitzGerald is a Senior Principal Information Security Analyst managing both the Customer and Supplier Trust Offices at Veritas Technologies LLC. Prior to her work at Veritas, Kelly worked at Symantec and has held positions in the Product Security, Consumer and Enterprise organizations...

Julie Medero

Assistant Professor of Computer Science, Harvey Mudd College
Julie Medero, PhD, researches natural language processing, machine learning and educational applications of language technology. Her research integrates ideas from computer science, linguistics, and electrical engineering to develop new applications of natural language processing...

Chenxi Wang, Ph.D.

General Partner, Rain Capital
Dr. Chenxi Wang is Managing General Partner at Rain Capital. Chenxi built an illustrious career at Forrester Research, Intel Security, and CipherCloud. At Forrester, Chenxi covered mobile, cloud, and enterprise security, and wrote many hard hitting research papers. At Intel Security...


Tuesday January 24, 2017 4:50pm - 5:40pm PST
Sand and Sea Room
 
Wednesday, January 25
 

9:00am PST

Opening Remarks
Speakers
Richard Greenberg

Global Board of Directors, OWASP
Richard Greenberg, CISSP is a well-known Cyber Security Leader and Evangelist, CISO, Advisor, and speaker. Richard brings over 30 years of management experience and has been a strategic and thought leader in IT and Information Security. His Project Management, Security Management...


Wednesday January 25, 2017 9:00am - 9:10am PST
Sand and Sea Room

9:05am PST

Diamond Sponsor Greeting

Wednesday January 25, 2017 9:05am - 9:10am PST
Sand and Sea Room

9:10am PST

Keynote: Machine Learning — Cybersecurity Boon or Boondoggle
Machine Learning has seemingly become the latest shiny new object in cybersecurity. While machine learning holds great promise for improving our ability to detect and respond to threats, it is far from a panacea. This talk will provide a balanced view of the role that machine learning can play in cybersecurity, drawing upon a series of real life implementation and deployment experiences of machine learning techniques. Moreover, we will describe both best practices and pitfalls of applying machine learning in a cybersecurity context.  

Speakers
Dr. Zulfikar Ramzan

Chief Technology Officer, RSA
Dr. Zulfikar Ramzan serves as the Chief Technology Officer of RSA. In this role, he is responsible for leading the development of the company's technology strategy and bringing to market the innovations that help protect RSA customers from the growing number of advanced threats...


Wednesday January 25, 2017 9:10am - 9:55am PST
Sand and Sea Room

10:30am PST

AWS Survival Guide
An increasing number of organizations are using AWS or are migrating to AWS. Security teams with traditional datacenter security knowledge are trying to catch up, grasp the new attack surface and security concerns, and develop defensive techniques. Developers are often given the power to deploy infrastructure in ways that were previously restricted, without the traditional insight and controls security would normally implement. At the same time, AWS customers are being exploited in ways that are easily preventable but highly damaging to the customer's organization; this fact is well documented.

Fortunately, AWS does provide the technology to harden, monitor, and even recover should an incident occur. Unfortunately, these defensive practices are not widely discussed or well known among security professionals and developers alike.

In this talk, we discuss harnessing existing AWS functionality to strengthen your organization's AWS infrastructure against practical attacks. Ken will show you what attackers are looking for, how they are finding you, and how to secure your environment. Additionally, attendees will be given code that assists those using AWS in better understanding how their environment's IAM policies are configured and automate tasks like S3 bucket policy review, volume encryption statuses, and security group configurations.

Finally, this talk will delve deep into practical alerting/monitoring and demonstrate implementing notifications that are descriptive and pinpoint active attacks.

AWS Technologies discussed:

- Config
- CloudWatch
- CloudTrail
- SNS
- SQS
- IAM
- Security features of other services

Speakers
Ken Johnson

CTO, nVisium
Ken Johnson, CTO of nVisium, has been hacking web applications professionally for 8 years. Ken is both a breaker and builder and currently leads the nVisium product team. Previously, Ken has spoken at DerbyCon, AppSec USA, RSA, AppSec DC, AppSec California, DevOpsDays DC, LASCON...



Wednesday January 25, 2017 10:30am - 11:20am PST
Sand and Sea Room

11:30am PST

Want to be secure? Eliminate passwords. If you don't have a password, it can't be stolen!
User IDs and passwords not only allow us to authenticate our accounts and online payments but also allow access to hackers and criminal elements. 76% of data breaches are from stolen login information. By eliminating passwords and using instant, automatic two-factor authentication, we can stop fraudulent activities and payments.

A pie in the sky idea? Not really. See how the latest technologies make it possible.

Speakers
Jack Bicer

CEO, Sekur Me
Jack Bicer is the founder and CEO of SEKUR.me, a mobile security and payments company that eliminates passwords securely. His two previous inventions, “Uninstall” and “Automatic Software Updates”, run on every computer and every smartphone today. A 35-year software industry...



Wednesday January 25, 2017 11:30am - 12:20pm PST
Sand and Sea Room

2:00pm PST

An SDLC for the DevSecOps Era
The standard approaches for web application security over the last decade and beyond have focused heavily on slow gatekeeping controls like static analysis and dynamic scanning. However, these controls were originally designed in a world of Waterfall development, and their heavyweight nature often causes more problems than it solves in today’s world of agile, DevOps, and CI/CD.

This talk will share practical lessons learned on the most effective application security techniques in today's increasingly rapid world of application creation and delivery. Specifically, it will cover how to:

1) Adapt traditionally heavyweight controls like static analysis and dynamic scanning into lightweight efforts that work in modern development and deployment practices

2) Obtain visibility that enables, rather than hinders, development and DevOps teams' ability to iterate quickly

3) Measure the maturity of your organization's security efforts in a non-theoretical way

Speakers
Zane Lackey

Chief Security Officer, Signal Sciences
Zane Lackey is the Co-Founder / Chief Security Officer at Signal Sciences and the Author of Building a Modern Security Program (O’Reilly Media). He serves on multiple public and private advisory boards and is an investor in emerging cybersecurity companies. Prior to co-founding...



Wednesday January 25, 2017 2:00pm - 2:50pm PST
Sand and Sea Room

3:00pm PST

OCSP Stapling in the Wild
Certificate revocation is a messy problem; certificate revocation lists and mid-handshake OCSP checks have proven unworkable in practice. The dream of TLS certificate revocation is Must-Staple: an extension in a certificate indicating that it can only be used alongside a stapled OCSP (Online Certificate Status Protocol) response indicating that the certificate hasn’t been revoked. If a Must-Staple certificate is compromised, the attacker can only use it for the short time window until the current OCSP response expires. But is the world ready for Must-Staple yet? Unreliable OCSP servers, buggy stapling implementations, and client and network misconfigurations (from mismatched clocks to MITM proxies) all present challenges. This talk examines the state of the world of OCSP stapling and describes Dropbox’s implementation of OCSP Stapling. To gather real data on the feasibility of deploying OCSP stapling, we will discuss the data we gathered from a Chrome feature called Expect-Staple, which is a report-only version of OCSP Must-Staple that lets us evaluate how well OCSP Must-Staple might work in the real world.

Speakers
Devdatta Akhawe

Engineering Manager, Dropbox
Devdatta leads the Product Security team at Dropbox. Before that, he received a PhD in Computer Science from UC Berkeley. His graduate research focused on browser and web application security, during which time he also collaborated with the Firefox and Chrome teams. He is a co-author...

Emily Stark

Software Engineer, Google Inc.
Emily is a software engineer and manager working on the Google Chrome web browser. She leads Chrome’s secure transport team, which provides a foundation of trustworthy, understandable encrypted and authenticated connections for the web. She works on HTTPS adoption, certificate verification...



Wednesday January 25, 2017 3:00pm - 3:50pm PST
Sand and Sea Room

4:20pm PST

Closing Keynote: Hide and Seek just got harder, the anatomy of modern deceptive technologies
The new world is fluid: it’s not static honeypots that are easily identified, it’s not virtual systems that are ignored. The defenders have taken a leaf out of Mother Nature’s book and put an ever-changing deceptive environment in front of us. We have to somehow navigate through it without falling into the dynamic traps that learn from their surroundings and morph based on our behavior.

Speakers
Chris Roberts

Chief Security Architect, Acalvio Technologies
Roberts is considered one of the world’s foremost experts on counter threat intelligence within the Information security industry. At Acalvio, Roberts helps drive Technology Innovation and Product Leadership. In addition, Roberts directs a portfolio of services within Acalvio designed...



Wednesday January 25, 2017 4:20pm - 5:10pm PST
Sand and Sea Room

5:10pm PST

Raffle Prize Drawings
Wednesday January 25, 2017 5:10pm - 5:30pm PST
Sand and Sea Room