AppSec California 2020

TBD

Abstract
Organizations are rapidly moving towards microservice style architectures for their applications which has led to container and serverless technology being implemented and taking over at a rapid rate with a few organizations even leapfrogging containers by implementing serverless technology for scalability. Containers have risen in popularity and has been widely used because they help package and deploy consistent-state applications across multiple environments, and are also extremely scalable especially when they’re complemented with orchestration technologies.


Serverless on the other hand, seems to be taking over at a rapid rate with increased usage of micro-services and polyglot development of applications and services across organizations. Leading container technologies like Docker have risen in popularity and have been widely used because they have helped package and deploy consistent-state applications across multiple environments. Serverless and container orchestration technologies like Kubernetes help these deployments massively scale which can potentially increase the overall attack-surface to a massive extent, if security is not given the attention required. Security continues to remain a key challenge that both Organizations and security practitioners face with containerized and serverless deployments.


While containers continue to be vulnerable to security threats that plague any typical application deployment, they also face specific security threats related to the containerization daemon, the shared kernel and other shared resources like network, process and the filesystem. Serverless deployments face risks such as insecure deployment configurations, inadequate monitoring and logging of functions, broken authentication, function event data injection, insecure secret storage, and many more. Attacking applications leveraging container and serverless technology requires specific skill set and a deep understanding of their underlying architecture. This 2-day training is a practical approach with both Offensive and Defensive flavours making it ideal for security engineers, red-teammers, devops engineers and developers with a plethora of hands-on exercises that have been designed from real-world attacks and the security-specific challenges that we faced while implementing these technologies, helping them test and implement security in a scalable manner.


The training consists of, but not limited to the following focus areas in Container Security and
Serverless Deployment:
● Introduction to Container Technology
● Containerized Deployments and Container Orchestration Technologies
● Container Threat-Model
● Attacking Containers and Security deep-dive
● Introduction to Kubernetes
● Threat-Model of Orchestration technologies
● Attacking Kubernetes
● Kubernetes Defense-in-Depth
● Logging & Monitoring Orchestrated deployments
● Introduction to Serverless
● Deploying Application to AWS Lambda
● Serverless Threat-Model
● Attacking a Serverless Stack
● Serverless Security Deep-dive

Course Outline
Evolution to Container Technology and Container Tech Deep-Dive:
● Introduction to Container Technology: Namespace, Cgroups, Mount
● Setting up a Minimal Container with nothing but Namespaces and CGroups
Introduction to Containerized Deployments - Understanding and getting comfortable
using Docker.
● An Introduction to containers: LXC and Linux Containers
● Introducing Docker Images and Containers
● Hands-on: Deep-dive into Docker - Docker commands, Dockerfile, Images

Introduction to Basic Container Orchestration with Docker-Compose
● Docker Compose
● Hands-on: Application Deployment Using docker

Threat Landscape-An Introduction to possible threats and attack surface when using
Containers for Deployments.
● Threat Model for Containerized Deployments: Daemon-related,Network related, OS and
Kernel Threats, Threats with Application Libraries and Threats from Containerized
Applications
● Traditional Threat-Modelling for Containers with STRIDE

Attacking Containers and Containerized Deployments
● Hands-on: Attacking Containers and Containerized Deployments - Container Breakout,
Exploiting Insecure Docker Configurations, OS and Kernel level exploits, Trojanized
Docker images

Securing Containers and Container Deployments
● Hands-on: Container Security Deep-Dive - AppArmor/SecComp, Restricting Capabilities,
Analysing Docker images
● Hands-on: Katacontainers
● Container Security Mitigations
● Hands-on: Container Vulnerability Assessment - Clair, Dagda, Anchore, Docker-bench

Introduction to Scalable Container Orchestrators
● Introduction to Container Orchestrators
● Hands-on: Getting started with Kubernetes - Exploring Kubernetes Cluster, Deploying
application to Kubernetes

Attacking Kubernetes Cluster
● Threat Model and Attack Surface for a Kubernetes Cluster
● Hands-on: Attacking application deployed on Kubernetes, Exploiting a Vulnerable

Kubernetes cluster, Maintaining Persistent Access and Pivoting in the K8s Cluster
● Dissecting the K8s Attack and identifying Security Missteps
● Attacking a kubelet and gaining access to all configurations and secrets on the cluster

Kubernetes Security Deep-Dive
● K8s Threat Model and its counterpoint in Security Practices
● Hands-on: Ideal Kubernetes Security Journey - Pod Security, Access Control, Secret

Management
● Hands-on: Kubernetes Vulnerability Assessment - Kube-sec, Kube-hunter, Kube-bench
● Hands-on: Logging and Monitoring - Identifying security anomalies in a K8s Cluster
● Hands-on: Kubernetes Network Security Implementation - Network Security Policy, Service Mesh - Istio/Envoy

Serverless Introduction
● Understanding Serverless and FAAS(Function-As-A-Service)
● Quick tour of FAAS(Function-As-A-Service) and BAAS(Backend-As-A-Service)
● Introduction to AWS Lambda, S3, Open-FAAS and other Serverless options

Serverless Deep-Dive
● Introduction to the Architecture of Serverless Deployments
● Hands-on: Deploying a Serverless application

Attacking Serverless applications
● Serverless Architectures Security Top 10 - A Project similar to OWASP Top 10 for
Serverless Apps
● Hands-on: Function Data Event Injection Attacks against FaaS Implementations:
● Hands-on: Remote Code Execution attacks against Serverless Apps
● Broken Access Control
● Hands-on: Attacking Stateless Authentication and Authorization (JSON Web Tokens) -
Algorithm Confusion, Inherent JWT flaws - none signed token, etc, Attacks based on JWK and JWT Claims
● Hands-on: Attacking Identity and Access Management through Serverless
Implementations - View of IAM Sprawl and Permissions, Attacking with DynamoDB
Injection + IAM Permissions creep
● Hands-on: Extracting Secrets from FaaS Implementations
● Hands-on: Leveraging Vulnerabilities like ReDOS to perform Resource Exhaustion
Attacks
● Hands-on: Exploiting Function Execution Order for fun and profit!

Securing Serverless applications
● Securing Serverless applications - Identity and Access Management, Secret
management
● Hands-on :Secrets Management with AWS Secret Manager + Rotation
● Hands-on: Logging and Monitoring Functions - Using AWS X-Ray/Zipkin to leverage
tracing for security
● Hands-on: Serverless Vulnerability Assessment - Static Code Analysis[SCA], Static
Application Security Testing[SAST], Dynamic Analysis Security Testing[DAST]

Upon Completion of this training, attendees will know
This training has been created with the objective of understanding both offensive and defensive security for container orchestrated and serverless deployments. It will be a 2 day program that will detail through specific theory elements with extensive hands-on exercises that are similar to real-world threat scenarios that the attendees will understand and take part in and will also understand

Course Abstract
The major cause of webservice and web application insecurity is insecure software development practices. This highly intensive and interactive 2-day course provides essential application security training for web application and webservice developers and architects.


The class is a combination of lecture, security testing demonstration and code review. Students will learn the most common threats against applications. More importantly, students will learn how to code secure web solutions via defense-based code samples.


As part of this course, we will explore the use of third-party security libraries and frameworks to speed and standardize secure development. We will highlight production quality and scalable controls from various languages and frameworks. This course will include secure coding information for Java, PHP, Python, Javascript, and .NET programmers, but any software developer building web applications and webservices will benefit.


Student Requirements: Familiarity with the technical details of building web applications and web services from a software engineering point of view.


Laptop Requirements: Any laptop that can run an updated web browser and "Burp Community Edition".


The course will include several hacking and secure coding labs!


Syllabus
Day 1 of the course will focus on web application basics:- Introduction to Application Security
- Introduction to Security Goals and Threats
- HTTP Security Basics
- CORS and HTML5 Considerations
- XSS Defense
- Content Security Policy
- Intro to Angular.JS Security
- Intro to React.JS Security
- SQL and other Injection
- Cross-Site Request Forgery
- File Upload and File IO Security
- Deserialization Security
- Input Validation Basics
- OWASP Top Ten 2017
- OWASP ASVS

Abstract
Two days of happy hacking joy, learning by doing hands-on labs learning and attacking. A smile will spread across your face as you explore weaknesses in IT systems, applications and web apps, IoT devices, protocols and ICS/SCADA systems. If the ever-connected world gives you vulnerable targets, hack all the things. The OWASP Top Ten will be the focus over a variety of different types of vulnerabilities from a hacker perspective, moving beyond the white hat tester mentality. Threat modelling Underground economies and markets where intellectual property and data are sold.


Discussing the reality of the economic consequences of exploitable technology from terrorism to cyber warfare. Who knew software vulnerabilities could lead to some crazy nation on nation shi*t? You'll learn how to find some serious issues and exploit that code so hard the original developer or vendor will feel it.


You’ll jump right in and learn with a customized Kali pen testing operating system. Using OWASP ZAP,
BeEF, Metasploit, Nmap, Recon NG, Nessus, Nikto, Maltego, Shodan, Censys, alternative search
engines, OSINT, SpiderFoot and metadata tools. Finding exploitable systems, scanning, sniffing for
credentials, XSS reflected and stored attacks, attacking browsers via JavaScript, SQL injection, CSRF,
data leaks, replay attacks, exploiting vulnerable operating systems, applications, websites, embedded
systems and critical infrastructure ICS/SCADA. How attackers cover their tracks and take advantage of
insufficient logging and monitoring. How attackers discover then pivot from one weak system to
another, burrowing deep into an organisation to steal intellectual property, data or anything of juicy
value.


Expectations and Goals
Discover vulnerabilities, data leaks, insecure systems and devices using the tools and techniques in the
course.
Approach technology and security controls from an attacker and black hat hacker perspective.
Understand the OWASP Top Ten and threat modeling with IT, IOT and ICS/SCADA systems.
Recognize patterns in observations of weak and risky systems and applications and construct threat
models to explain the jeopardy.


Required Materials
Attendees must bring a curious mind and some technology. Caution, using a Windows 10 host operating
system can sometimes be problematic due to various auto-protection mechanisms in place by
Microsoft. Mac/Apple operating systems can be used as a host but try to use the VM Fusion 64-bit
version.

• Laptop with administrative privileges and 8 GB of RAM with 100 GB hard disk free
• Installation of VM Ware Player or Fusion
• Network connection, RJ45 and can be a USB to RJ45
• API keys and accounts setup in advance for the course
• Bring your own hoodie

Optional Materials
Want to add more tables to your document that look like the Course Schedule and Exam Schedule
tables that follow? Nothing could be easier. On the Insert tab, just select Table to add a new table.
New tables you create in this template are automatically formatted to match.

Required Text
OWASP Version 4 Testing Guide PDF, OWASP (Free)
Course Workbook (Provided) Print, Chris Kubecka
Hack the World with OSINT (Provided)

Course Schedule (Tentative)
Day 1
[Topics]
Day 1 Introduction to course & Attendees
Setup of lab machines
Hacker/Pen Tester/Nation State mentalities
OWASP Top Ten
Reconnaissance 1
OSINT tool setup
Reconnaissance 2
Reconnaissance 3

[Exercises]
Victim & attack machine(s), API keys
Document overview & mission objectives
OWASP Guide introduction with framework
Examples & introduction to methodology
OWASP ZAP, Metasploit, Nmap, SpiderFoot,
Nikto, Maltego, etc.
Hands-on passive OSINT
Hands-on direct OSINT

Upon Completion of this training, attendees will know
How attackers cover their tracks and take advantage of insufficient
logging and monitoring
How attackers discover then pivot from one weak system to another,
burrowing deep into an organization to steal intellectual property,
data or anything of juicy value
Basic understanding of IT/ IOT/ ICS protocols
Web application testing from a sophisticated attacker point of view
Nation-state attack techniques and tools

Course Abstract 
Managing comprehensive security for continuous delivery of applications across organizations continues to remain a serious bottleneck in the DevOps movement. The methodology involved in implementing effective security practices within delivery pipelines can be challenging.

This training is designed to give a practical approach of implementing Security across Continuous Delivery Pipelines by leveraging the plethora of cloud offerings and is backed by a ton of hands-on labs, original research and real-world implementations of DevSecOps that work.

The training starts with Application Security Automation for SAST, DAST, SCA, IAST and RASP, apart from Vulnerability Management and Correlation. Finally, the training concludes with leveraging Security Automation in the Cloud with detailed perspectives of implementing scalable security for cloud-native deployments. By the end of this 2-day training, attendees will have enough ideas and hands-on experience in-order to successfully kickoff DevSecOps implementations.

In addition, students will walk away with a powerful DevSecOps toolkit that can be used to integrate and orchestrate security tools This training has been very popular as a sold-out program in BlackHat USA 2019, CodeBlue Japan, as well as several OWASP events in the past.


Course Objectives 
* Practical and Scalable Application Security Automation Techniques that work across different segments of the Agile SDL or DevOps pipeline
* Integration of AppSec test activities in the CI/CD pipeline
* Leverage open-source tools and test automation frameworks to integrate SAST, DAST, SCA, IAST in the CI/CD Pipeline
* Leverage Automation Techniques to implement Security practices for Cloud Deploy

Training Syllabus 
Day 1
The Problem with the old models of Application Delivery
A Quick History of Agile and DevOps
The Coming of DevOps
The Need for Security in DevOps
Security in Continuous Integration
Security Integrations for Jenkins and other CI Tools
Introduction to Static Application Security Testing (SAST) for
Continuous Integration
Success Factors for SAST - Tool Focus
FindSecBugs
NodeJSScan
Bandit
Brakeman
MobSF (Mobile SAST)
Hands-on Labs - SAST Framework for CI Tools like Jenkins
Rolling out custom SAST Workflows – using Abstract Syntax Trees
and Regular Expressions
Hands-on SAST - Write your own AST checks for SAST
Dynamic Application Security Testing with Continuous Integration
Concepts of DAST with Security Testing
Security Automation Testing using BurpSuite Professional, OWASP
ZAP, w3af, Selenium, OpenAPI (Swagger)
Security Regression Tests - How to design and write them
Hands on Labs - Creating Parameterized Security Automation Testing
Scripts for w3af, OWASP ZAP, BurpSuite Pro and Selenium
Hands-on Labs: Leveraging Functional Test Automation with multiple
frameworks for Security Testing
Robot Framework
NighwatchJS
Tavern - REST API Testing
Puppeteer
Hands on labs - Integrating Custom Security Automation with Jenkins
and other CI Tools
Hands-on Automation for Security Regressions
Application Security Automation – Deep-Dive:
Hands-on:
OWASP ZAP Deep-Dive
Scan Policy
Extensions
Certificate Management
OWASP ZAP API Deep-Dive
OWASP ZAP Scripting Workshop
Create Active Scan Scripts for Custom Application Vulnerabilities
Create Zest Scripts for Authentication
OWASP ZAP API Testing with OpenAPI Specification
BurpSuite 2.0 API Deep-Dive
Scan
Leveraging Burp 2.x API with Selenium for testing browser-based
applications
Leveraging Burp 2.x API and (Tavern/RESTInstance/Chai) to test web
services and microservices
Scan Profiles with Audit and Crawl Profiles
BurpSuite Knowledge Definitions
Introduction to Robot Framework:
Introduction to BDD and ATDD Frameworks
Introduction to Robot Framework and its Declarative Syntax
Writing Application Security Test Recipes using Robot Framework
Hands-on: OWASP ZAP - Robot Framework Integration
Creating Parameterized AppSec Automation with Robot Framework,
Selenium, OWASP ZAP and BurpSuite Pro
Identifying Insecure Software Libraries in Continuous Integration
Hands-on Labs: OWASP Dependency Check and Dependency Track
Hands-on labs: RetireJS
Hands-on Labs: RoboNPMAudit
Hands-on Labs: Integrating Source Composition Analysis into the CI
Pipeline
Software Bill of Materials (SBOM) and Source Composition Analysis
Standardizing Software Metadata to identify security issues against
Third-Party Libraries
Hands-on Labs: Using CycloneDX and OWASP Dependency Track to
continuously track and monitor Software components in a CI Pipeline
with Jenkins/Gitlab
Hands-on: Using these techniques to create an "Continuous
Application Security Test Pipeline”
Introduction to IAST and RASP
Why IAST? Why RASP? And when to use it
A look at the tools for IAST and RASP
Hands-on Labs: Deploying IAST and RASP on an Intentionally
Vulnerable Java Application

Upon Completion of this training, attendees will know
A plethora of Implementation techniques and ideas with hands-on experience to be able to implement a full-fledged Application Security Pipeline

Battle-tested Application Security Automation Techniques + Practical Security Pipelines, with both conventional and unconventional techniques like leveraging AWS Lambda and Fargate

Detailed Cloud Security Automation coverage with Terraform and boto3. Tools that are extensively used to provision cloud environments. Gives participants immediate approaches to implement scalable cloud security

Attendees will be provided with (by trainer)
* Instructions for the Labs
* Slides for the entire session + Speaker notes
* Access to we45 cloud labs
* Code snippets used and the setup files to configure lab
environment post-training

Attendees should bring
* A Laptop with an SSH client and ability to connect to WiFi networks in class (Optional) BurpSuite License for 1 Lab around BurpSuite Automation
=> However, code will be provided for practice offline as well
* AWS Account with Administrative Access to the account. We will be using free-tier resources to provision and quickly deprovision resources through Terraform/boto3. Recommend to NOT bring work AWS accounts.

** Note on the Lab Environment **
The participants will be using our state-of-the-art lab management system that has evolved over the years based on the feedback received from our trainings across the world. This eliminates the need for participants to bring high-compute machines with third-party applications installed, that is typically required for most trainings. The lab management system provisions on-demand lab servers that can be accessed via. any browser providing a terminal interface, code-editor and all other dependencies that are necessary to run the labs.
This enables the participants to essentially walk into our trainings with any device that has a browser installed and they will be able to participate in all hands-on labs. All artefacts such as code snippets, slides and setup scripts used in the training will be available for the participants to download and use even after the training concludes!

Pre-requisites for attendees:
- Working knowledge of Application Security concepts and vulnerabilities (OWASP Top 10, Application Security concepts)
- Basic knowledge of Linux command line
- Basic knowledge of some (any) programming language
- Basic/Rudimentary understanding of Cloud concepts and services

Abstract
Organizations are rapidly moving towards microservice style architectures for their applications which has led to container and serverless technology being implemented and taking over at a rapid rate with a few organizations even leapfrogging containers by implementing serverless technology for scalability. Containers have risen in popularity and has been widely used because they help package and deploy consistent-state applications across multiple environments, and are also extremely scalable especially when they’re complemented with orchestration technologies.


Serverless on the other hand, seems to be taking over at a rapid rate with increased usage of micro-services and polyglot development of applications and services across organizations. Leading container technologies like Docker have risen in popularity and have been widely used because they have helped package and deploy consistent-state applications across multiple environments. Serverless and container orchestration technologies like Kubernetes help these deployments massively scale which can potentially increase the overall attack-surface to a massive extent, if security is not given the attention required. Security continues to remain a key challenge that both Organizations and security practitioners face with containerized and serverless deployments.


While containers continue to be vulnerable to security threats that plague any typical application deployment, they also face specific security threats related to the containerization daemon, the shared kernel and other shared resources like network, process and the filesystem. Serverless deployments face risks such as insecure deployment configurations, inadequate monitoring and logging of functions, broken authentication, function event data injection, insecure secret storage, and many more. Attacking applications leveraging container and serverless technology requires specific skill set and a deep understanding of their underlying architecture. This 2-day training is a practical approach with both Offensive and Defensive flavours making it ideal for security engineers, red-teammers, devops engineers and developers with a plethora of hands-on exercises that have been designed from real-world attacks and the security-specific challenges that we faced while implementing these technologies, helping them test and implement security in a scalable manner.


The training consists of, but not limited to the following focus areas in Container Security and
Serverless Deployment:
● Introduction to Container Technology
● Containerized Deployments and Container Orchestration Technologies
● Container Threat-Model
● Attacking Containers and Security deep-dive
● Introduction to Kubernetes
● Threat-Model of Orchestration technologies
● Attacking Kubernetes
● Kubernetes Defense-in-Depth
● Logging & Monitoring Orchestrated deployments
● Introduction to Serverless
● Deploying Application to AWS Lambda
● Serverless Threat-Model
● Attacking a Serverless Stack
● Serverless Security Deep-dive

Course Outline
Evolution to Container Technology and Container Tech Deep-Dive:
● Introduction to Container Technology: Namespace, Cgroups, Mount
● Setting up a Minimal Container with nothing but Namespaces and CGroups
Introduction to Containerized Deployments - Understanding and getting comfortable
using Docker.
● An Introduction to containers: LXC and Linux Containers
● Introducing Docker Images and Containers
● Hands-on: Deep-dive into Docker - Docker commands, Dockerfile, Images

Introduction to Basic Container Orchestration with Docker-Compose
● Docker Compose
● Hands-on: Application Deployment Using docker

Threat Landscape-An Introduction to possible threats and attack surface when using
Containers for Deployments.
● Threat Model for Containerized Deployments: Daemon-related,Network related, OS and
Kernel Threats, Threats with Application Libraries and Threats from Containerized
Applications
● Traditional Threat-Modelling for Containers with STRIDE

Attacking Containers and Containerized Deployments
● Hands-on: Attacking Containers and Containerized Deployments - Container Breakout,
Exploiting Insecure Docker Configurations, OS and Kernel level exploits, Trojanized
Docker images

Securing Containers and Container Deployments
● Hands-on: Container Security Deep-Dive - AppArmor/SecComp, Restricting Capabilities,
Analysing Docker images
● Hands-on: Katacontainers
● Container Security Mitigations
● Hands-on: Container Vulnerability Assessment - Clair, Dagda, Anchore, Docker-bench

Introduction to Scalable Container Orchestrators
● Introduction to Container Orchestrators
● Hands-on: Getting started with Kubernetes - Exploring Kubernetes Cluster, Deploying
application to Kubernetes

Attacking Kubernetes Cluster
● Threat Model and Attack Surface for a Kubernetes Cluster
● Hands-on: Attacking application deployed on Kubernetes, Exploiting a Vulnerable

Kubernetes cluster, Maintaining Persistent Access and Pivoting in the K8s Cluster
● Dissecting the K8s Attack and identifying Security Missteps
● Attacking a kubelet and gaining access to all configurations and secrets on the cluster

Kubernetes Security Deep-Dive
● K8s Threat Model and its counterpoint in Security Practices
● Hands-on: Ideal Kubernetes Security Journey - Pod Security, Access Control, Secret

Management
● Hands-on: Kubernetes Vulnerability Assessment - Kube-sec, Kube-hunter, Kube-bench
● Hands-on: Logging and Monitoring - Identifying security anomalies in a K8s Cluster
● Hands-on: Kubernetes Network Security Implementation - Network Security Policy, Service Mesh - Istio/Envoy

Serverless Introduction
● Understanding Serverless and FAAS(Function-As-A-Service)
● Quick tour of FAAS(Function-As-A-Service) and BAAS(Backend-As-A-Service)
● Introduction to AWS Lambda, S3, Open-FAAS and other Serverless options

Serverless Deep-Dive
● Introduction to the Architecture of Serverless Deployments
● Hands-on: Deploying a Serverless application

Attacking Serverless applications
● Serverless Architectures Security Top 10 - A Project similar to OWASP Top 10 for
Serverless Apps
● Hands-on: Function Data Event Injection Attacks against FaaS Implementations:
● Hands-on: Remote Code Execution attacks against Serverless Apps
● Broken Access Control
● Hands-on: Attacking Stateless Authentication and Authorization (JSON Web Tokens) -
Algorithm Confusion, Inherent JWT flaws - none signed token, etc, Attacks based on JWK and JWT Claims
● Hands-on: Attacking Identity and Access Management through Serverless
Implementations - View of IAM Sprawl and Permissions, Attacking with DynamoDB
Injection + IAM Permissions creep
● Hands-on: Extracting Secrets from FaaS Implementations
● Hands-on: Leveraging Vulnerabilities like ReDOS to perform Resource Exhaustion
Attacks
● Hands-on: Exploiting Function Execution Order for fun and profit!

Securing Serverless applications
● Securing Serverless applications - Identity and Access Management, Secret
management
● Hands-on :Secrets Management with AWS Secret Manager + Rotation
● Hands-on: Logging and Monitoring Functions - Using AWS X-Ray/Zipkin to leverage
tracing for security
● Hands-on: Serverless Vulnerability Assessment - Static Code Analysis[SCA], Static
Application Security Testing[SAST], Dynamic Analysis Security Testing[DAST]

Upon Completion of this training, attendees will know
This training has been created with the objective of understanding both offensive and defensive security for container orchestrated and serverless deployments. It will be a 2 day program that will detail through specific theory elements with extensive hands-on exercises that are similar to real-world threat scenarios that the attendees will understand and take part in and will also understand

Course Abstract
The major cause of webservice and web application insecurity is insecure software development practices. This highly intensive and interactive 2-day course provides essential application security training for web application and webservice developers and architects.


The class is a combination of lecture, security testing demonstration and code review. Students will learn the most common threats against applications. More importantly, students will learn how to code secure web solutions via defense-based code samples.


As part of this course, we will explore the use of third-party security libraries and frameworks to speed and standardize secure development. We will highlight production quality and scalable controls from various
languages and frameworks. This course will include secure coding information for Java, PHP, Python, Javascript, and .NET programmers, but any software developer building web applications and webservices will benefit.


Student Requirements: Familiarity with the technical details of building web applications and web services from a software engineering point of view.


Laptop Requirements: Any laptop that can run an updated web browser and "Burp Community Edition".


The course will include several hacking and secure coding labs!


Syllabus
Day 2 of the course will focus on API secure coding, Identity, and other advanced topics:

- Webservice, Microservice and REST Security
- Authentication and Session Management
- Access Control Design
- OAuth 2 Security
- OpenID Connect Security
- HTTPS/TLS Best Practices
- 3rd Party Library Security Management
- Application Layer Intrusion Detection

Abstract
Two days of happy hacking joy, learning by doing hands-on labs learning and attacking. A smile will spread across your face as you explore weaknesses in IT systems, applications and web apps, IoT devices, protocols and ICS/SCADA systems. If the ever-connected world gives you vulnerable targets, hack all the things. The OWASP Top Ten will be the focus over a variety of different types of vulnerabilities from a hacker perspective, moving beyond the white hat tester mentality. Threat modelling Underground economies and markets where intellectual property and data are sold.


Discussing the reality of the economic consequences of exploitable technology from terrorism to cyber warfare. Who knew software vulnerabilities could lead to some crazy nation on nation shi*t? You'll learn how to find some serious issues and exploit that code so hard the original developer or vendor will feel it.


You’ll jump right in and learn with a customized Kali pen testing operating system. Using OWASP ZAP,
BeEF, Metasploit, Nmap, Recon NG, Nessus, Nikto, Maltego, Shodan, Censys, alternative search
engines, OSINT, SpiderFoot and metadata tools. Finding exploitable systems, scanning, sniffing for
credentials, XSS reflected and stored attacks, attacking browsers via JavaScript, SQL injection, CSRF,
data leaks, replay attacks, exploiting vulnerable operating systems, applications, websites, embedded
systems and critical infrastructure ICS/SCADA. How attackers cover their tracks and take advantage of
insufficient logging and monitoring. How attackers discover then pivot from one weak system to
another, burrowing deep into an organisation to steal intellectual property, data or anything of juicy
value.


Expectations and Goals
Discover vulnerabilities, data leaks, insecure systems and devices using the tools and techniques in the
course.
Approach technology and security controls from an attacker and black hat hacker perspective.
Understand the OWASP Top Ten and threat modeling with IT, IOT and ICS/SCADA systems.
Recognize patterns in observations of weak and risky systems and applications and construct threat
models to explain the jeopardy.


Required Materials
Attendees must bring a curious mind and some technology. Caution, using a Windows 10 host operating
system can sometimes be problematic due to various auto-protection mechanisms in place by
Microsoft. Mac/Apple operating systems can be used as a host but try to use the VM Fusion 64-bit
version.

• Laptop with administrative privileges and 8 GB of RAM with 100 GB hard disk free
• Installation of VM Ware Player or Fusion
• Network connection, RJ45 and can be a USB to RJ45
• API keys and accounts setup in advance for the course
• Bring your own hoodie

Optional Materials
Want to add more tables to your document that look like the Course Schedule and Exam Schedule
tables that follow? Nothing could be easier. On the Insert tab, just select Table to add a new table.
New tables you create in this template are automatically formatted to match.

Required Text
OWASP Version 4 Testing Guide PDF, OWASP (Free)
Course Workbook (Provided) Print, Chris Kubecka
Hack the World with OSINT (Provided)

Course Schedule (Tentative)
Day 2
[Topics]
Scanning
OWASP #1 Injections
OWASP #2 Broken Authentication
OWASP #3 Sensitive Data Disclosure
OWASP #4 Security Misconfiguration

[Exercises]
Using scanning tools against targets
Hands-on SQL and other injection attack

Upon Completion of this training, attendees will know
How attackers cover their tracks and take advantage of insufficient
logging and monitoring
How attackers discover then pivot from one weak system to another,
burrowing deep into an organization to steal intellectual property,
data or anything of juicy value
Basic understanding of IT/ IOT/ ICS protocols
Web application testing from a sophisticated attacker point of view
Nation-state attack techniques and tools

Course Abstract 
Managing comprehensive security for continuous delivery of applications across organizations continues to remain a serious bottleneck in the DevOps movement. The methodology involved in implementing effective security practices within delivery pipelines can be challenging.

This training is designed to give a practical approach of implementing Security across Continuous Delivery Pipelines by leveraging the plethora of cloud offerings and is backed by a ton of hands-on labs, original research and real-world implementations of DevSecOps that work.

The training starts with Application Security Automation for SAST, DAST, SCA, IAST and RASP, apart from Vulnerability Management and Correlation. Finally, the training concludes with leveraging Se curity Automation in the Cloud with detailed perspectives ofimplementing scalable security for cloud-native deployments.

By the end of this 2-day training, attendees will have enough ideas and hands-on experience in-order to successfully kickoff DevSecOps implementations. In addition, students will walk away with a powerful DevSecOps toolkit that can be used to integrate and orchestrate security tools This training has been very popular as a sold-out program in BlackHat USA 2019, CodeBlue Japan, as well as several OWASP events in the past.

Course Objectives 
* Practical and Scalable Application Security Automation Techniques
that work across different segments of the Agile SDL or DevOps
pipeline
* Integration of AppSec test activities in the CI/CD pipeline
* Leverage open-source tools and test automation frameworks to
integrate SAST, DAST, SCA, IAST in the CI/CD Pipeline
* Leverage Automation Techniques to implement Security practices
for Cloud Deploy

Training Syllabus 
Day 2
Application Security Pipelines in Continuous Integration Suites
Approaches to Application Security Pipelines
Ground Truths and Challenges with Security Pipelines
Differences between traditional and security pipelines
“Breaking the Build” - Myth and Reality
False Positive Management
Types of Application Security Pipelines
Incremental Security Pipeline
Autonomous Security Pipeline
“Build-only” Security Pipeline
Hands-on Labs
Incremental Security Pipelines with Jenkins Pipeline Jobs
Autonomous Pipelines with ThreatPlaybook (Application Security
Automation Framework, built on Robot Framework) Recipes and
Jenkins/Gitlab
Asynchronous Security Pipelines with AWS Lambda and Fargate
Application Vulnerability Correlation and Management
Approaches to Vulnerability Correlation and Orchestron
Integrating Vulnerability Management with Bug Tracking/SDLC tools
like JIRA
Using Orchestron Community and Webhooks to manage and
correlate vulnerabilities as part of Continuous Application Security
DevSecOps - Cloud Focus
Intro to Cloud and Cloud Services
Intro to AWS and AWS Service Offerings
AWS Products and Service Offerings
Azure and Google Cloud
IaaS, PaaS, FaaS, and SaaS
Variation in Services Management
Security Services in the Cloud
AWS Security Services
Responsibility Matrix - AWS Services
Security Responsibilities of Users vs AWS
AWS Compliance and Security Implementations
PCI-DSS, HIPAA, SOC, GDPR
Common AWS Security Mistakes
Security Automation in the Cloud with Terraform and boto3
A Hands-on Introduction to Terraform and boto3 (Amazon SDK for
Python)
Hands-on: IAM => Roles, Policies, Groups and Users
Host and Network Security Practices:
Hands-on VPC, Security Groups, Private and Public Subnets
Hands-on: Host Security Assessment with Automated deployments
of Hardening tools like Lynis
Hands-on: Post-Deploy Vulnerability Assessment with Amazon
Inspector and Vuls.io
Hands-on: Security Configuration with AWS Config
Security Automation with Cloud-Native Environments
Hands-on: Leveraging AWS Lambda for Security Monitoring
Hands-on: AWS Step Functions
Hands-on: Code Pipeline and Azure DevOps
Vulnerability Assessment for Cloud Environments
Common Vulnerabilities in AWS environments
IAM Sprawl => Demonstrated with multiple examples, including
DynamoDB Injection
S3
Vulnerability Assessment for Cloud-Native environments:
Scout2
Prowler
CSSuite
Cloud-Custodian

Upon Completion of this training, attendees will know
A plethora of Implementation techniques and ideas with hands-on experience to be able to implement a full-fledged Application Security Pipeline

Battle-tested Application Security Automation Techniques + Practical Security Pipelines, with both conventional and unconventional techniques like leveraging AWS Lambda and Fargate

Detailed Cloud Security Automation coverage with Terraform and boto3. Tools that are extensively used to provision cloud environments. Gives participants immediate approaches to implement scalable cloud security

Attendees will be provided with (by trainer)
* Instructions for the Labs
* Slides for the entire session + Speaker notes
* Access to we45 cloud labs
* Code snippets used and the setup files to configure lab
environment post-training

Attendees should bring
* A Laptop with an SSH client and ability to connect to WiFi networks in class (Optional) BurpSuite License for 1 Lab around BurpSuite Automation
=> However, code will be provided for practice offline as well
* AWS Account with Administrative Access to the account. We will be using free-tier resources to provision and quickly deprovision resources through Terraform/boto3. Recommend to NOT bring work AWS accounts.

** Note on the Lab Environment **
The participants will be using our state-of-the-art lab management system that has evolved over the years based on the feedback received from our trainings across the world. This eliminates the need for participants to bring high-compute machines with third-party applications installed, that is typically required for most trainings. The lab management system provisions on-demand lab servers that can be accessed via. any browser providing a terminal interface, code-editor and all other dependencies that are necessary to run the
labs.
This enables the participants to essentially walk into our trainings with any device that has a browser installed and they will be able to participate in all hands-on labs. All artefacts such as code snippets, slides and setup scripts used in the training will be available for the participants to download and use even after the training concludes!

Pre-requisites for attendees:
- Working knowledge of Application Security concepts and vulnerabilities (OWASP Top 10, Application Security concepts)
- Basic knowledge of Linux command line
- Basic knowledge of some (any) programming language
- Basic/Rudimentary understanding of Cloud concepts and services

ABSTRACT
The Application Security Training is a “1 Day Hands-On Training”. This Training is intended for students/professionals interested in making a career in the Information Security domain. This training involves real world scenarios that every Security Professional must be well versed with. It involves decompiling, real-time analyzing and testing of the applications from security standpoint.

This training covers understanding the internals of web and mobile applications, Real-time testing of web applications and android applications and a strategic approach to analyze applications for OWASP Top 10 vulnerabilities (Web) security issues such as Injections, Cross Site Scripting (XSS), CSRF Attacks, Insecure API’s, Insecure logging, Insecure communication, Insufficient cryptography, Insecure authentication and Poor code quality and many more.

WHO THIS TRAINING IS FOR?
● Students interested in Application Security
● Security Analysts/Researchers.
● IT Professionals working in Web Application Development domain.
● IT professionals working in Information Technology-Security domain.

KEY TAKEAWAYS
● Understanding of manual & automated tools and techniques and when to apply them.
● Clear understanding of the Web Application Penetration Testing
● Ability to analyze a Web Application from a Security Standpoint
● Gain confidence in customizing your Application Security Testing Approach to suit the
application specific pentesting needs, by gaining clarity on the powerful features of Burp
Suite Tool
● Build a clear scope to prioritize your security testing

What will be covered

• Opening
  • about the class
  • about OWASP
• Introduction
  • Security Awareness/hacker mindset
  • Introduction to the training environment and tools
• Reconnaissance
  • Web application Reconnaissance
  • HTTP / HTTPS basics
  • Web application and Web server fingerprinting
• Most common vulnerabilities, detection, and exploitation 3 hours
  • XSS (HTML, Attribute, DOM)
  • SQLi
  • IDOR Vulnerabilities
  • XXE
  • SSRF
  • File Upload Vulnerabilities
  • Insecure API
• Where to go from here
  • Introduction cloud security (AWS, Azure)
  • SCADA
  • Embedded
• Recap

Prerequisites

• Laptop with
  • ### Workshop software installed and configured as specified in the PDF at the end of this page -- please do this BEFORE the workshop ###
  • make sure you have actually run a Virtual image before
  • minimal 4GB RAM
  • 10 GB free space
  • VMware or VirtualBox installed
  • If possible, administrator privileges
• Basic understanding of software development and or networking

Upon Completion of this training, attendees will know
● Understanding of manual & automated tools and techniques and when to apply them.
● Clear understanding of the Web Application Penetration Testing
● Ability to analyse a Web Application from a Security Standpoint
● Gain confidence in customising your Application Security Testing
Approach to suit the application specific pen-testing needs, by
gaining clarity on the powerful features of Burp Suite Tool
● Build a clear scope to prioritise your security testing

Attendees will be provided with (by trainer)
Training Deck
Virtual Machines
Answers Sheets
Help in revisiting the session challenges post the class

TBD

TBD

TBD

TBD

Test your skills on the CMD+CTRL Cyber Range
Security Innovation is proud to join OWASP AppSec California again in 2020 to host a unique and challenging CTF featuring our CMD+CTRL Cyber Range.

What is a Cyber Range?
CMD+CTRL Cyber Ranges are intentionally vulnerable applications and websites that tempt players to steal money, find out their boss’s salary, purchase costly items for free, and conduct other nefarious acts. Hundreds of vulnerabilities, common to most business applications, lay waiting to be exploited.
For each vulnerability you find you'll be awarded points (based on the level of difficulty) that will be charted on our live leaderboard. Top scorers get prizes, but all players have fun!

Free CTF Training
Along with the competition, we'll be offering free training lessons so that newcomers can also do some hands-on work even if they don’t feel ready to participate in the official CTF event.

Space is limited, so sign up to save your space today!


Training and CTF schedule

Day 1 - Thursday, January 23
Training Site – Beginner/Intermediate
10:10 - 10:30am Kickoff, overview and Thinking Like an Attacker
10:30 - 10:45am Cheat sheet and Cyber Range Walk Through
10:45 - 11:00am Hands-on Exploit Demonstrations
11:00 - 12:30pm Open Hacking
12:30 - 01:30pm Break
01:30 - 01:45pm Afternoon Kickoff
01:45 - 02:00pm Hands-on Exploit Demonstrations
02:00 - 05:10pm Open Hacking
CTF Site - Beginner/Intermediate/Advanced
10:10 - 10:20am Brief introduction
10:20 - 05:10pm Open Hack with periodic scoreboard displays

Both Cyber Range sites will turn off at 03:00pm and the CTF competition winners will be announced on Friday during the Closing Keynote at 03:10pm.

Want to learn how to attack IoT devices? We will have a network of new and old IoT products along with Cisco Meraki enterprise and medical devices to play with! A free virtual machine (VM) with vulnerable emulated firmware and tons of preloaded tools will be available for download. The IoT Village is hosted by Aaron Guzman and Walter Martín Villalba. You don't want to miss out!

Aaron Guzman / https://www.linkedin.com/in/scriptingxss/ / @scriptingxss
Walter Martín Villalba / https://www.linkedin.com/in/wmvillalba/ / @act1vand0

Introduction to RaiseMe and Career events for the remainder of the day.

The current "Shift Left" DevSecOps approach puts more and more responsibility on Developers. Taking into consideration the current shortage of cybersecurity specialists among software developers, that can end up with unintended consequences. In my presentation, I would like to focus on a solution that allows the decoupling of the application API security logic from business workloads utilizing the sidecar pattern. This design pattern provides developers an ability to describe the security of their services utilizing the declarative approach. Configuration artifacts representing security as a code can be then used as part of the DevSecOps pipeline and provide multilevel security for APIs, including micro-segmentation, multilevel authorization, communication channel security, as well as enabling the service identity. The presentation will include the theoretical concepts as well as the example of a real implementation.

This lightning talk will present an overview of the OWASP Threat Model Cookbook Project that is about creating and publishing threat model examples.

We will take a sneak peek into various examples in the form of code, graphical or textual representations. You will be able to see the resulting outputs of diverse technologies, methodologies and techniques.

For those who want to participate, we will quickly explain how to contribute on GitHub. https://github.com/OWASP/threat-model-cookbook

OAuth 2.0 is an authorization framework that enables third party applications to obtain temporary limited authorization to access a protected resource on behalf of a resource owner. The framework is defined by authorization interactions that are each restricted to the type of client obtaining authorization and the type resource owner that must grant access. Diverging from these defined restricted interactions can open up various interception and redirect attack vectors that can grant a malicious actor access to protected resources. For this talk, we will be discussing Public Clients vs Confidential Clients, User Authentication vs Client Authentication, Proof Key for Code Exchange (PKCE) for Public Clients, and how restricting certain OAuth flows to either Public or Confidential Clients is required to mitigate unauthorized access to protected resources.

Nowadays, JSON Web Tokens are everywhere. They are used as session tokens or just to pass data between applications or µservices. By design, JWT contains a high number of security and cryptography pitfalls. In this talk, we are going to learn how to exploit (with demos) some of those issues. After covering the basics (None and Algorithm confusion), we are going to move to kid injection, embedded JWK (CVE-2018-0114). Finally, we will look at jku and x5u attributes and how they can be abused by chaining vulnerabilities.

Are you prepared to respond to an epic clash between hackers that turns into a battle of survival? How does an intense, immersive experience builds critical cybersecurity skills throughout an organization? What happens when people, technology, organizations, & processes are tested under duress? Find out how US Services Members use battle-tested practices and apply them to cyber crisis response.

When I first started working with AWS, there were a handful of core services. Since then, AWS has been announcing hundreds of new services per year in dozens of regions around the world. With a rapidly changing landscape, relevant documentation, tutorials, and how-to's can be difficult to come by. AWS is its own beast and traditional Incident Response and Forensics techniques don't work. Try to perform full packet inspection between EC2 instances in the same VPC or use a write blocker while analyzing an EBS. Better yet, try to build a timeline with default log settings. Organizations are desperately looking for tools available to them to detect and respond to threats. This talk will provide a much needed summary of Continuous Cloud Security Monitoring (CCSM) strategies, techniques, and best practices so you don't have to spend the next 12 months reading AWS white papers. Takeaways from this presentation will be methods to immediately apply logging, monitoring, alerting, and Honey[Things] that can be applied in any AWS environment.

Credential Stuffing has existed since the first leaked password but has exploded in the past 3 years. Why? What has changed and where does it go from here?

The tools that enable credential stuffing attacks and other OWASP Automated Threats are converging on a single strategy, the complete imitation of user behavior and characteristics – real user behavior on real devices on real home networks. This level of extreme mimicry makes discerning good from bad difficult and the web is having a hard time keeping up.

This level of sophistication is not cheap and is only possible because the cost vs value of modern credential stuffing attacks is weighted dramatically in an attacker's favor.

After this session you'll:
- Understand the cost vs value of modern attacks and why the economics are driving greater sophistication.
- Learn how attacks have evolved and how attackers are bypassing all modern defenses.
- See how account takeover attacks are diversifying with other malware and why MFA is not a silver bullet.

Co-Taught by Lori Barfield and Merissa Villalobos
The Infosec industry is an eccentric field, and following standard job placement advice can put candidates in a stall. Whether you’re a security professional looking for a new situation, or just trying to break in, we’ll work with you in real time on your resume language and your job hunting situation. You'll learn about the job hunting dogma you need to avoid, and where the free online resources are for researching potential employers.

RaiseMe clinics are special because you’ll get group feedback and support-  some of the people who have met in these groups stay in contact with each other long after the event is over, and they return to give us good news about progress in their careers.

Serialized data is neither new nor exciting. Serialization and deserialization have been in use by countless applications, services and frameworks for a long time. Many programming languages support serialization natively, and most people seem to understand it well. However, many of us don’t fully understand security implications of data deserialization, and in the last couple of years this topic got an increasing focus in the security community, up to the point that insecure deserialization made it to the list of OWASP Top 10 most critical web application security risks! Needless to say high-severity vulnerabilities in some well-known applications as well as popular frameworks such as Apache Struts and Apache Commons Collections raised awareness of this risk.

In this session, we’ll discuss how serialized data are used in software, talk about different serialization formats and the dangers of deserializing untrusted input. We will review some real life vulnerabilities and related exploits. The presentation will contain lots of code examples with live demos of bypassing security controls by exploiting deserialization vulnerabilities. We’ll forge a session cookie, elevate privileges, alter execution flow, and even perform a remote code execution - all via insecure deserialization! The demos will use native Java and .NET serialization, as well as JSON, XML, and other formats. Of course, we’ll also talk about how to deserialize in secure way!

Next time you develop your awesome web or mobile app or a microservice, keep in mind how a clever attacker could create and supply malicious data to your application, and thinking like a hacker you could write more secure code!

OWASP Nettacker project was created to automate the information gathering, vulnerability scanning and in general to aid the penetration testing engagements. Nettacker is able to run various scans using a variety of methods and generate scan reports for applications and networks, including services, bugs, vulnerabilities, misconfigurations, default credentials and many other cool features - for example an ability to chain different scan methods. This relatively new (Summer 2017) and a lesser-known OWASP project has generated a huge amount of interest at BlackHat Europe 2018 Arsenal live demo gathering massive crowds of seasoned hackers and penetration testers eager to see this new tool in practice. This talk will showcase the OWASP Nettacker project giving an overview of its features including the live demo of the tool.

Microservices are social constructs: they can’t function without talking with other services. This also raises an interesting question: do we trust all of our microservices?

Not all microservices are the same: some are more sensitive - for example, services that handle personal user data or payment information. Others are user-facing and therefore riskier. We shouldn’t treat all services as equal. A robust mechanism that describes who can talk with who is required.

We have been dealing with this challenge for a while at Soluto. In this talk, I’ll share the journey we went through until we found a solution we’re happy with: a simple and declarative system that allows services to define who can access them. Any dev can request access to any service, and the service owner can review it. I’ll share how we build this solution (including all the technical details and live demos!), using open source tools like Open Policy Agent, so you can easily build something similar.

We invite this year's AppSec California attendees to join us for panel discussion on the importance of diversity and inclusion in information security, as well as shared experiences and best practices around building diversity and inclusion into the constantly evolving cybersecurity ecosystem.

Topics covered will include the following:

Professional learning (from both the educator and learning perspectives)
The importance of diversity on an AppSec team or organization
How executives and managers can best incorporate diversity and initiatives within their organization
Opportunities from open source projects and communities, like OWASP, for building industry-wide diversity and inclusion initiatives.


The selected panelists will include representation from all four groups, referenced in the National Initiative for Cybersecurity Education (NICE) Cybersecurity Workforce Framework ( https://nvlpubs.nist.gov/nistpubs/specialpublications/nist.sp.800-181.pdf ):
Employers
Current and Future Cybersecurity Workers
Educators / Trainers
Technology providers

Lunch Poolside

Building security in has failed. After decades of attempts to improve software security, vulnerability rates are still staggering, attacks are increasing in volume and severity, development speed is increasing, and we have perennial talent shortages.  In essence, despite brilliant and well-intentioned efforts, we have been unable to push security into software through software development. Security keeps trying to constrain and correct software development with requirements, architecture, training, scanning. We spend enormous time and effort, yet we’re generating roughly zero assurance.
 
Let’s start with the end in mind. We need security code (tests, defenses, libraries) in our applications, but we can’t get it through development. Maybe there’s another way. In this talk, we’ll explore the use of software instrumentation to achieve this.  Software instrumentation is a surgically accurate way to add capabilities to applications without changing code, recompiling, or redeploying. Instrumentation is safe and proven – it’s been used at massive scale for over a decade and is part of most critical production applications – but security has only just begun to take advantage of this powerful technology.
 
Come learn the amazing things you can already achieve with security instrumentation. We’ll show how SAST, DAST, IAST, WAF, RASP, and SCA are all merging together into a unified security assessment and protection instrumentation platform that’s ideal for DevSecOps and modern software. We’ll also take a look into the future of software security. We’re only scratching the surface of what can be achieved with security instrumentation.

The focus of many application security programs has long been the OWASP Top 10 or SANS Top 25 vulnerabilities. While there are many SAST solutions that can identify these technical vulnerabilities such as SQLi, CSRF or XEE, SAST is not effective in identifying vulnerabilities that require context such as conditions leading to business logic, data leakage or hard-coded secrets.

While pattern-matching techniques can be used to identify the symptoms of an injection vulnerability across any code-base, pattern-matching is not sufficient for business logic, data leakage or hard-coded secrets because these issues are unique to each code-base. Manual code review or penetration testing can help, but neither scales to the pace of modern release velocities.

This presentation will cover:

1. Identifying sensitive data variables and mapping their flows across all sources and sinks
2. Finding the conditions leading to business logic flaws
3. Identifying hard-coded secrets and literals in source code such as usernames, passwords, tokens and API keys
4. How-to insert the above security checks into pull requests or builds w/o slowing releases down

Modern web architecture relies on enabling ‘third-parties’ to access the client-side (front-end) of a web application.  These third parties operate via largely unmanaged and unmonitored connections to provide richness (chat tools, images) or extract analytics (Google Analytics). Up to 70% of the code executing on websites today comes from such third parties. Website owners have great reason to care about leakage from vulnerable client-side connections since the business and financial implications of losing customer data has never been greater.

The three most important security considerations of any website or web application are the server (back-end), the network, and the client (front-end).
Regulatory mandates like GDPR and CCP and prescriptive frameworks such as PCI-DSS have driven significant adoption of WAF and HTTPS. While these strategies were sound in the past, they are no longer adequate to protect web applications against new and advanced attacks that focus on attacking the client-side (front-end). As defined above, there are three security considerations for safeguarding your customer’s end-to-end website experience. To follow the nomenclature defined in the widely considered PCI-DSS framework consider these as:
- Data at rest
- Data in motion
- Data origination
Today, security frameworks and most security practitioners consider only two of these three when evaluating security capability.

Data at Rest defines content that typically resides on owned servers protected by massive security perimeters and on company owned premises. This data includes PII, credit card numbers, financial information and credentials. WAFs, firewalls and the like are deployed to provide effective defense for data at rest. “Data in Motion” refers to data in transit. This is easily envisioned as this same sensitive data moving from a website form that captures PII, credit card information, credentials, etc. back to secure storage. Data in motion is often encrypted by HTTPS transactions. In fact, many security-savvy online consumers put a lot of faith in seeing the HTTPS designation as ensuring the end-to-end security of their online transaction.

Unfortunately, security specification for securing the point of “Data Origination” is largely missing. Data Origination is the point at which data is created as it is input into a website or web application. This data origination point is increasingly the browser as a site visitor or online shopper enters information into a form including user credentials, credit card numbers, healthcare data, financial data etc. Such datasets are hiwas found to exist on less that 2% of websites. Consider the extreme lack of deployed client-side security measures that would ensure protections for this point of data origination and it’s easily understood why attacks like Magecart, Formjacking and XSS are rapidly accelerating.

Do certain types of developers or teams write more secure code?

Some people are under the misconception that if they follow the OWASP top 10 that they will have secure web applications. But in reality, the OWASP Top Ten (and other top ten lists) are just the bare minimum that
at best provide entry-level general awareness. A more comprehensive understanding of Application Security is needed.

This talk with review the OWASP Top Ten 2017 and the OWASP Top Ten Proactive Controls 2018 and
compare them to a more comprehensive standard: the OWASP Application Security Verification Standard (ASVS) v4.0. OWASP's ASVS contains over 180 requirements that can provide a basis for defining what secure software really is.

The OWASP ASVS can be used to help test technical security controls of web and API applications. It can also be used to provide developers with a list of requirements for secure development with much more nuance and detail than a top ten list! You cannot base a security program off a Top Ten list. You can base an Application Security program off of the OWASP ASVS.

Ever wonder how digitally secure the aviation industry is? Take a peek inside the world's largest aircraft manufacturer Boeing as Chris takes you on a journey of surprisingly weak security which can potentially affect passenger and aircrew safety. XSS Exploitable vulnerabilities, email spoofing, bypassing authentication into the Aviation ID system for accessing flight control software live and test and the cabin viewing system with IoT camera in the cockpit. Chris will describe safety risks and struggles to coordinate disclosure and legal pressure by Boeing to keep silent.

Key takeaways
Boeing is in the IT business and happen to produce aircraft. Applications and software live and breathe throughout aerospace. Changing the way digital technology is regarded by industry is paramount.
Ever critical manufacturing involved with safety must have a functional coordinated disclosure program. Software affects safety system, especially when planes have already fallen out of the sky due to code errors.

As vital as open source is to building software in today’s world, it’s a mistake to think of it as a silver bullet. The ability to change the world with it is clear - but so is the significant room for error, when not properly managed.

A shifting battlefield of attacks based on OSS consumption has emerged. Five years ago, large and small enterprises alike witnessed the first prominent Apache Struts vulnerability. In this case, Apache responsibly and publicly disclosed the vulnerability at the same time they offered a new version to fix the vulnerability. Despite Apache doing their best to alert the public and prevent attacks from happening — many organizations were either not listening, or did not act in a timely fashion — and, therefore, exploits in the wild were widespread. Simply stated, hackers profit handsomely when companies are asleep at the wheel and fail to react in a timely fashion to public vulnerability disclosures.

Since that initial Struts vulnerability in 2013, the community has witnessed Shellshock, Heartbleed, Commons Collection and others, including the 2017 attack on Equifax, all of which followed the same pattern of widespread exploit post-disclosure.

Shift forward to today - and hackers are now creating their own opportunities to attack.

This new form of attack on our software supply chains, where OSS project credentials are compromised and malicious code is intentionally injected into open source libraries, allows hackers to poison the well. The vulnerable code is then downloaded repeatedly by millions of software developers who unwittingly pollute their applications to the direct benefit of bad actors. In the past 24 months, no less than 17 real-world examples of this attack pattern have been documented.

It’s become clear that we are in the middle of a systematic attack on the social trust and infrastructure used to distribute open source. In just a few years, we’ve gone from attacks on pre-existing vulnerabilities occurring months after a disclosure down to two days - and now, we are at the point where attackers are directly hijacking publisher credentials and distributing malicious components.

Open source developers are the front line of the new battle. Attackers have recognized the power of open source and are seeking to use that against the industry. We must not let them ruin the reputation of the things we’ve built. Or worse, the entire open source ecosystem.

Key takeaways:
Understand the details and the events leading to today’s “all-out” attack on the OSS industry - leading to more vulnerabilities in production applications
How the open source industry needs to change, given today’s new normal
How developers can step into the role of security, to protect themselves, and the millions of people depending on them
What enterprises can do to educate their developers on this growing trend of malicious attacks on open source
Why this is trend is only going to continue to grow - leaving more people more and more vulnerable if action isn’t taken

Co-Taught by Lori Barfield and Merissa Villalobos
Are you prepared to present your best self at your next interview, or do you experience interview anxiety? Are you frustrated by attending interviews over and over without getting job offers? We'd like to help, and this group clinic is an ideal setting.

Once the interview process is complete, are you comfortable with negotiating your offer? A well-understood negotiation is essential. The compensation parameters and working conditions have to be right in order for you to do what a company needs most- to commit for the long run. We'll also show you how to navigate the complexities of employee packages, so you can compare competing offers side by side. And we'll give tips to the hiring managers in attendance for how to successfully advocate for their new hires. This training is in a group environment to offer maximum support and feedback.

Stop by and take in the amazing view from the second floor Veranda at the historic Marion Davies Guest House.  And talk to Citrix, iHerb, LLC and Bird about their opportunities in Information Security!

The scheduled hours are 2pm to 4pm, however staff will be on-site throughout the day, so stop by and find out about the available job opportunities.

With how many apps are running in the cloud, hacking these instances becomes easier with a simple vulnerability due to an unsanitized user input. In this talk, we’ll discuss a number of different methods that helped us exfil data from different applications using Server-Side Request Forgery (SSRF). Using these methods, we were able to hack some of the major transportation, hospitality, and social media companies and make $50,000 in rewards in 3 months.

Outline:
- Intro
What is Server-Side Request Forgery (SSRF)?
What can you do with it?
SSRF via URI Schemes
JIRA CVE SSRF (CVE-2017-9506)
Jenkins SSRF (CVE-2018-1000600)
SSRF via Javascript (XSS)
SSRF via Styling
SSRF using (PDF Gen ‘0day’)
SSRF via DNS Rebinding
SSRF to XXE
Bonus: RCE via ERB Template Injection
SSRFTest (Tool)
Takeaways

I’ll begin with a brief survey of today’s privacy landscape: how it affects the software development industry now, and how it might in the future. Of particular interest are requirements imposed by recent regulations like GDPR and the CCPA, which require all processors of data to pay more attention to how they treat, store, and disseminate customers’ sensitive personal data.

Next, I’ll introduce the Privacy-by-Design (PbD) approach. With PbD, we hope to “shift privacy to the left” in the software development life cycle; similar to using the DevSecOps philosophy for security.

I’ll explore the challenges that organizations face in the new regulation-heavy climate, particularly in terms of taking into account privacy concerns in legacy software, which may have been written before privacy regulations became a significant factor.

Moving on, I’ll share what AI, more specifically Deep Neural Networks, can bring to the table in terms of assisting with a thorough review of the applications to make sure that they do not harbor privacy risks. Likewise, for all new developments, I’ll explore how AI can be harnessed to help ensure that privacy principles are successfully implemented.

I’ll then explore a reference application, specifically its dataflows, through which leakages of sensitive data that are not allowed by a privacy policy defined in a compliance context might occur.

Next, I will introduce an open source project (PrivAPI) that uses deep learning - mainly on top of Keras and Tensorflow - to detect sensitive data leakages, specifically within RESTful API communication.I’ll drill down on PrivAPI’s core architecture and design principles, as well as the use cases that it supports. I’ll explain how it can be integrated into the SDLC, as well as in production environments.

Finally, I’ll provide a live demo of PrivAPI (https://github.com/veridax/privapi), covering the detection capabilities with real world APIs communication.

In this talk, we will take an in-depth look at various mechanisms of attack detection, from signatures and regular expressions to machine learning. Attack detection is critical for most security solutions, whether we are talking about a load balancer-based (NIDS, WAF), host-based or in-application solutions (HIDS, RASP). Interestingly, regardless of the differences in architecture and data flow, most solutions use similar detection principles and techniques. We will explore how the detection architecture evolved over time and how the new generation of detection logic, such as the architecture implemented by some of the advanced application security tools, are principally different from that of the legacy solutions.

As a company scales, keeping track of user data becomes an increasingly hard problem to solve, as data is constantly generated and propagated across different data stores. With the rise of new privacy laws such as GDPR and CCPA, tackling this problem is more important than ever before. To address this challenge, we built a platform for data discovery and classification across all of our data stores, such as S3, MySQL and Hive, providing powerful privacy and security engineering capabilities. In this talk, we are going to share the experience we had building and operating this platform for Airbnb. We will present the high level architecture and technical specifics of the platform that allow it to leverage traditional algorithms and machine learning to scan petabytes of user data against growing numbers of data types, every single day.

One CISO’s journey from a Marine Corps Private (and eventually Sergeant) to Chief Information Security and Privacy Officer. The discussion will include steps I took prior to leaving the Marines and the steps taken outside of the military. This includes principles to live by, selecting a mentor and how to determine what you have as your real goal versus the components of your goal.

The talk will take the audience on a journey from the origin of the security architecture, the challenge of cloud security and the role of an architect in the dev-sec-ops world. The talk explains the difference between traditional command and control governance and the solution to avoid starving automation and innovation with traditional security governance. During the talk, we will look at modern SDLC and what should be deployed step by step in each stage. We will explore: Security Gates and why they do not always work in dev-ops Automation how-tos: How to deploy cybersecurity at scale Why is important to know how to deal with people Automation in the pipeline is the king How to secure the design phase (design and requirements) How to secure dev and test How to convert threat modelling in use stories How to Deploy in production ensuring that the artefacts have been reviewed Audience Take Away: How to build a cybersecurity programme with architecture at the heart How to avoid traditional architecture pitfalls how to do governance at pace and when to apply traditional security governance how to mix governance and agile development as well as dev sec ops how to extract patterns from existing design the value of design principle patterns and why they are key to go fast. how and when to use tools (SAST/DAST) and how to lead engineer into secure code analysis How to manage libraries and how to guide team during the triage

Everybody is talking about Kubernetes these days. Whether you are in DevOps, Development Security, you’re thinking about containers, micro-services and orchestrators. Kubernetes has become the standard orchestrator to manage containerized applications. Kubernetes is accelerating the move from monolithic applications to distributed, containerized applications. This technology shift is also forcing companies and people to adapt to organizational changes, for example adopting DevOps and CI/CD workflows, and the ever increasing decentralization of IT and development teams.

Security has to evolve along with these technology and process changes. Security requirements for monolithic applications must be translated to distributed micro-applications, it has to “shift left” to the developer teams to allow for continuous deployments, and new threats models have to be created. Unfortunately, most companies transitioning to Kubernetes are rightly concerned that their Security Teams are not ready to help them maintain the same level of security they had before.

In the past year, I have been working directly with many developers, DevOps, and Security teams to understand their security concerns and the new security issues they have faced. This talk explains the state of Security in Kubernetes, how to secure the different layers of this new infrastructure, what are the common threats and how to respond. I will share real-world examples of security issues and best practices that companies are putting in place, how Security Teams are changing to adapt, and how the responsibility for security is being split between different teams in the organization.

It is no secret that Appsec is hard to scale. We never have enough people, our methods and tools tend to be heavy, the training is lacking and sometimes we feel that the only way out of the security debt hole is to throw more people at it.

In this talk we would like to share the experience we have had with Continuous Threat Modeling applied to product teams over the last year, where it works and where it breaks, and what we are doing to solve the breakage in a way that scales up and allows the process to flow while keeping the sanity of the AppSec team.

Online verification of identity today extends across microservices, cloud providers, IoT devices, emerging systems, and end-user. In a brief study we conducted on 100 most visited websites, over 95% supported authenticated sessions with more than 97% of these are username and password-based. 81% of discovered breaches are due to broken authentication, indicate there is still a problem to solve and this is the focus of our talk.

Developers are generally aware of different authentication methods used for secure interaction between these entities, but most often miss out on best practices. In this context, we discuss popular authentication schemes like OAuth, token, magic links, adopted by developers today and emerging ones like WebAuthN. We will present incorrectly coded authentication patterns observed from our study and also highlight recurring mistakes like MFA bypass, token leakages, and other authentication misconfigurations. We briefly highlight our talk's evolution based on feedback provided by audiences at prior conferences. Finally, we provide secure blueprints that developers can leverage to bake security into their software development lifecycle.

Detailed Outline :
1. Introduce Authentication and various schemes used today
1.a.Token-based: Oauth, magic links, service to service
1.b. passwords, MFA
1.c. Password-less

2. Problem prevalence
2.a. Study overview: Major sites - selection category, login crawler and collect auth related data.
2.b. summary and dataset
2.c. disclosed reports and correlation with study data

3. Discussion on authentication pitfalls
3.a. Walkthrough password handling and MFA bypasses
3.b. Token-based misconfigurations: leakages, expiry, revocation handling.
3.c. Callouts to related artifacts: headers, cookies, storage
3.d. Password-less: potential pitfalls and contextual examples

4. How to fix this?
4.a. Walkthrough sample applications demonstrating best practices for authentication schemes discussed so far
4.b. Highlight corrected code patterns that address specific pitfalls identified earlier.

5. Comparison of best practice vs business case compromise
5.a. Highlight cases where documented best practices cannot be applied
5.b. Address how developers can use context to secure authentication workflow.

6. Closing Notes
6.a. Open source repo containing code samples and checklists
6.b. Any developer should be able to clone this and use it as a definition of done for commits related to authentication.

TBD

TBD

Eva Galperin is EFF's Director of Cybersecurity. Prior to 2007, when she came to work for EFF, Eva worked in security and IT in Silicon Valley and earned degrees in Political Science and International Relations from SFSU. Her work is primarily focused on providing privacy and security for vulnerable populations around the world. To that end, she has applied the combination of her political science and technical background to everything from organizing EFF's Tor Relay Challenge, to writing privacy and security training materials (including Surveillance Self Defense and the Digital First Aid Kit), and publishing research on malware in Syria, Vietnam, Kazakhstan. When she is not collecting new and exotic malware, she practices aerial circus arts and learning new languages.

Join us under the stars for an awesome evening of food, drink, music, and networking.

TBD

TBD

Modern web security is a mix of relatively recent frameworks, methods, languages, and abstractions. The age of injection bugs has come and gone. We are firmly in the age of assertions. This age is widely defined by business logic flaws. On a deeper level this age is governed by the security auditor's skill in creating and breaking assertions in the target. Assertions come from any source and they represent statements of security or functionality made by the target.

We'll talk about our experience auditing modern web applications over the last three years. We'll talk about the current state of web application security, how its evolved, and where its going. We give examples of assertions (big and small) created and broken during various security audits and the value this brought to the customer. Our goal is to introduce the age of assertions into the zeitgeist and provide auditors a more refined way of thinking beyond injection bugs.

During Summer 2019, two excellent interns (Ryan Slama and Matt Dwoncyzk) came to Slack to help us build a tool to scan for insecure, out-of-date open source dependencies. But this talk (mostly) isn’t about their tool - it’s about what happened after they wrote the tool and returned to school. We’ll tell you about how we took their awesome proof of concept and integrated it into our daily operations at Slack to help tackle the difficult and ongoing issues around including open source components in enterprise grade software. Along with the specifics of our situation, we'll also reflect on general lessons learned about integrating tooling into reality.

Gone are the days when breaches were rare and security could safely be put low on the priority list; product security is now a customer demand and cyber crime has reached epic proportions. Our idolization of hackers, penetration testing and ‘breaking’ has not resulted in secure software for our industry, only egos, stereotypes and unaffordable security models. Modern application security approaches need to address both offensive (red team) and defensive (blue team) approaches, as well as continuous learning and advocacy for developers. This means Purple Team. This talk will explore how to combine defence, offence, automation, empathy and continuous learning, all without the requirement of ever wearing a hoodie. The future of security is PURPLE.

In the era of modern computing, the phenomenon of app stores is becoming common place. A growing number of companies are creating entire ecosystems for vendors proving extensibility and customization of their core product. While third party apps provide additional features that customers value, they also come with an increased security risk.

Atlassian is a good example of a thriving Marketplace ecosystem https://marketplace.atlassian.com/. As such, we are responsible to provide a secure platform and also make sure that the marketplace apps are properly screened and scanned for security vulnerabilities. In this talk, we will go over some of the practices we have established at Atlassian to ensure that our customers can trust our Ecosystem.

We will cover some of the security policies that we enforce on third party apps, how we perform vendor and application security reviews, metrics obtained from running our bug bounty program on third party apps and the lessons learnt.

Test your skills on the CMD+CTRL Cyber Range
Security Innovation is proud to join OWASP AppSec California again in 2020 to host a unique and challenging CTF featuring our CMD+CTRL Cyber Range.

What is a Cyber Range?
CMD+CTRL Cyber Ranges are intentionally vulnerable applications and websites that tempt players to steal money, find out their boss’s salary, purchase costly items for free, and conduct other nefarious acts. Hundreds of vulnerabilities, common to most business applications, lay waiting to be exploited.
For each vulnerability you find you'll be awarded points (based on the level of difficulty) that will be charted on our live leaderboard. Top scorers get prizes, but all players have fun!

Free CTF Training
Along with the competition, we'll be offering free training lessons so that newcomers can also do some hands-on work even if they don’t feel ready to participate in the official CTF event.

Space is limited, so sign up to save your space today!


Training and CTF schedule

Day 2 - Friday, January 24
Training Site – Beginner/Intermediate

10:00 - 10:20am Day 2 Kickoff
10:20 - 10:45am Hands-on Exploit Demonstrations
10:45 - 12:30pm Open Hacking
12:30 - 01:30pm Break
01:30 - 03:00pm Open Hacking


CTF Site - Beginner/Intermediate/Advanced
10:00 - 10:10am Brief introduction
10:10 - 03:00pm Open Hack with periodic scoreboard displays

Both Cyber Range sites will turn off at 03:00pm and the CTF competition winners will be announced on Friday during the Closing Keynote at 03:10pm.

Want to learn how to attack IoT devices? We will have a network of new and old IoT products along with Cisco Meraki enterprise and medical devices to play with! A free virtual machine (VM) with vulnerable emulated firmware and tons of preloaded tools will be available for download. The IoT Village is hosted by Aaron Guzman and Walter Martín Villalba. You don't want to miss out!

Aaron Guzman / https://www.linkedin.com/in/scriptingxss/ / @scriptingxss
Walter Martín Villalba / https://www.linkedin.com/in/wmvillalba/ / @act1vand0

Forget stealing private keys. Recent attacks have seen attackers steal money by breaking the protocols underlying the integrity of the cryptocurrency itself. This talk will explore the tactics, techniques, and procedures used by attackers in three separate 51% attacks against three different cryptocurrencies: Bitcoin Gold (BTG), Vertcoin (VTC), Ethereum Classic (ETC).

Applied threat modeling moves beyond theory to expose the real attack vectors to containerized web applications. We dive deep into near real-time container threat detection, prevention, and management with an emphasis on automation to prevent the latest container and orchestration Common Vulnerabilities and Exposures from compromising a cloud deployment. Our container orchestration threat model is a reusable architecture design pattern that can enrich an organization’s cloud security model.

We take the practice of threat modeling and dive deep into a customize attack library for the Cloud that has been created to capture the cyber security and privacy risks associated with deploying and managing container and orchestration technologies. We investigate proof-of-concept exploits and validate them against an architectural design pattern that is resilient to attack and misuse.

Continuous Integration (CI) and Continuous Deployment (CD) is at the heart of DevOps, and by extension, DevSecOps. Traditionally teams have used traditional CI services like Jenkins and Bamboo to continuously deliver applications.

However, there are significant issues with running traditional, on-prem CI services like Jenkins, namely:
* Not suited for Cloud-Native Deployments
* Maintenance Overhead - On-Prem CI is hard to maintain and even harder to secure (vulnerable plugins)
* Unsuited for Container-Native workloads - Traditional CI tools are hard to orchestrate for containers.

This talk aims to showcase some innovative approaches to running DevSecOps pipelines with Cloud and Container Native approaches, including but not limited to:
* Leveraging services like AWS Fargate, Lambda and Step Functions for Security Orchestration and Security Workflows
* Leveraging JenkinsX for Security Orchestration in Kubernetes

The idea behind these approaches is to:
* Leverage ephemeral compute technologies to run CI services as opposed to persistent services, reducing overhead
* Leveraging State Machines to run more complex security workflows, especially in Micro-service workloads
* Running asynchronous security pipelines with feedback loops
* Leveraging query systems like AWS Athena to be able to achieve aggregation (and dare I say correlation)

OWASP SAMM (https://owaspsamm.org) is the prime maturity model for software assurance that provides an effective and measurable way for all types of organizations to analyse and improve their software security posture. Building security into the software development and management practices of a company can be a daunting task. There are many elements to the equation: company structure, different stakeholders, technology stacks, tools and processes, and so forth. Implementing software assurance will have a significant impact on the organisation. Yet, trying to achieve this without a good framework is most likely leading to just marginal and unsustainable improvements. OWASP Software Assurance Maturity Model (SAMM) gives you a structural and measurable framework to do just that. It enables you to formulate and implement a strategy for software security that is tailored to the risk profile of your organisation. In this talk, we give an overview of the new release of the SAMM model. After 10 years since its first conception, it was important to align it with today’s development practices.

We will cover a number of topics in the talk: (i) the core structure of the model, which was redesigned and extended to align with modern development practices, (ii) the measurement model which was setup to cover both coverage and quality and (iii) the new security practice streams where the SAMM activities are grouped in maturity levels. We will demonstrate the new SAMM2 toolbox to measure the maturity of an example DevOps team and how you can create a roadmap of activities.

Latest version delivered: https://github.com/OWASP/samm/blob/master/Supporting%20Resources/presentations/OWASP%20SAMM2%20Talk%20Global%20AppSec%20AMS2019%20vfinal.pdf

The best way to enable developers to create secure applications is to “shift left” in security. That means providing developers with the tools and techniques that help build more secure applications from the get-go. Developers may get security controls into their applications in different ways. They may write them from scratch following security training or guidance, they may use open source libraries, or they may use frameworks that have the security features built in already. In this talk we explore JavaScript applications that use different types of security controls implemented at levels ranging from developer code, to libraries and plugins, to different frameworks, and analyze which applications actually turn out to be more secure. This work is based on analysis of over 500 open source JavaScript applications on GitHub that use client-side frameworks and template engines to prevent XSS, as well as server-side frameworks (Express, Koa, Hapi, Sails, Meteor) and CSRF prevention mechanisms.
In conclusion, we provide data-driven recommendations for framework maintainers and application developers on how to develop and choose a framework that will actually make applications more secure.

There have been hundreds of blog posts and conference talks about DevSecOps and scaling security. As a busy security professional, it can be difficult to stay on top of the current state of the art.

Don’t worry, I’ve put in the time for you.

This talk distills the unique tips and tricks, lessons learned, and tools discussed in a vast number of blog posts, conference talks, and in-person discussions I've had with security engineers at tens of companies.

Using this info, I've created an opinionated guide to systematically scaling your company's security. This talk is about results: tools and hyped approaches that don't work will be called out.

I’ll cover:
* Principles, mindsets, and methodologies of highly effective security teams
* Valuable security primitives to invest in, upon which high leverage initiatives can be built
* Security metrics and creating a data-driven security program
* High value engineering projects that can prevent classes of bugs
* How and where to integrate security automation into the CI/CD process in a high signal, low noise way
* Useful open source tools

You’ll leave this talk with an understanding of the current state of the art in DevSecOps, links to tools you can use, resources where you can dive into specific topics of interest, and most importantly, an actionable path forward for taking your security program to the next level.

Integrating with fiat payments systems globally challenges the maturity of an entire security program. A security issue leads to identity theft and direct money loss, but integration is often a critical business priority. These payment systems span many types of architectures introducing more complexity and bugs. We’ll go over the typical API patterns and follow the lifecycle of an entire payment from pre-payment to reconciliation and map common payments vulnerabilities and remediation to their application security equivalents. We’ll go over how Coinbase has adapted traditional AppSec tools like 3rd party vendor reviews, threat modelling, static analysis, security champions, and bug bounties to the payments world to find and eliminate money loss and personal data loss bugs. We’ll even go through some of the privacy conundrums involved with interacting with the current financial system.

If you've noticed a surge in unwanted robocalls from your own area code in the last few years, you're not alone. The way telephony systems are set up today, anyone can spoof a call or a text from any number. With an estimated 85 billion spam calls globally, it's time to address the problem.

This talk will discuss the latest advancements with STIR (Secure Telephone Identity Revisited) and SHAKEN (Signature-based Handling of Asserted information using toKENs), new tech standards that use well accepted public key cryptography methods to validate caller identification. We'll discuss the path and challenges to getting this implemented industry wide, where this tech will fall short, and what we can do to limit exposure to call spam and fraud in the meantime.

TBD

Many of today’s automobiles leave the factory with secret passengers: prototype software features with undiscovered vulnerabilities, even if these features are disabled by the manufacturer, but still can be unlocked by clever hackers.

There is an increasing trend in the automotive industry towards integrating trusted third-party apps with In-Vehicle-Infotainment systems (IVI) via smartphones. But there has been little public analysis of the security of these protocols and the frameworks that implement these apps on the IVI. This raises the question: to what extent are these apps, protocols and underlining IVI implementations vulnerable to an attacker who might gain control of a driver’s smartphone?

In this work, we focused on gaining insights into this question by performing the first comprehensive security analysis on one of the standardized protocols, called MirrorLink (similar to Apple CarPlay), that enables seamless connectivity between smartphones and the car infotainment systems.

In this talk, I will explain the steps we took to conduct this security analysis and will demonstrate the discovered vulnerabilities in the MirrorLink protocol and IVI implementation that could potentially enable an attacker with control of a driver’s smart phone to send malicious messages to the vehicle’s infotainment system and, consequently, to the car’s critical components.

As a proof of concept, we have created a demonstration malicious app that exploits vulnerabilities discovered in the implementation of MirrorLink on the IVI.

Given our findings, we have some recommendations on how the security of these IVI app platforms can be made more resilient to these types of attacks. Our hope is that, this analysis will help motivate and spur more secure designs and implementations of smartphone to IVI platforms.

JSON Web tokens (JWTs) are used massively in API-based applications as access tokens or to transport information across services. Unfortunately, JWT are often mis-used and incorrectly handled. Massive data breaches have occurred in the last 18 months due to token leakage and lack of proper of validation.

This session focuses on best practices and real world examples of JWT usage, where we cover:

- Typical scenarios where using JWT is a good idea
- Typical scenarios where using JWT is a bad idea!
- Principles of Zero trust architecture and why you should always validate
- Best practices to thoroughly validate JWTs and potential vulnerabilities if you don’t.
- Use cases when encryption may be required for JWT

Published research shows that static code analysis cost-effectively catches security weaknesses before they become exploitable vulnerabilities. But finding the right code analyzers can be challenging.

This talk will discuss research funded by the U.S. Department of Homeland Security to deliver unbiased methods and information to assess and compare the performance of static analyzer products.

In this talk we introduce a new, freely-available website that presents the results of our research. We will discuss plans to track the types of weaknesses that analyzers can detect to help people quickly find the right analyzer and how to achieve good detection coverage of multiple weaknesses.

We’ll discuss the properties of analyzers important to consider when bringing one (or a few!) into your development pipeline. We’ll also cover plans to benchmark results quality using real code, not artificial data sets. Finally, we’re looking forward to audience feedback on what information or capabilities are important.

Traditionally, the OWASP ModSecurity Core Rule Set, an OWASP flagship project, has been hard to use. However, the release of CRS 3.0 in 2017 and the advancements made with CRS 3.1 successfully removed most of the false positives in the default installation. This improved the user experience when running the only general purpose open source web application firewall. The presentation explains how to run CRS successfully in high security settings. This includes practical advice to tuning, working with the anomaly thresholds, the paranoia levels and complementary whitelisting rule sets. This talk is based on many years of experience gained by using CRS in various high security settings, including the one by Swiss Post for it's national online voting service.

Browsers are an excellent and ubiquitous tool for accessing and sharing information. With their wide feature set, it's sometimes overlooked that they are in fact tools for remotely executing code on a user, or in our case, target's system, and can play a strong role in the overall infrastructure of a network. In this talk, we'll learn how an attacker can abuse the browser and network in order to remotely access any TCP/UDP service bound to that victim's machine, entirely bypassing the victim’s NAT and firewall, providing arbitrary firewall pinhole control, simply by the victim visiting a website.

TBD