Monday, June 27
 

08:00

Training Registration
Monday June 27, 2016 08:00 - 17:00
TBA

09:00

Day 1/2 - Assessing and Securing MEAN (MongoDB, Express.js, Angular.js, and Node.js)
MEAN is a free and open-source JavaScript software stack for building dynamic web sites and web applications, and it has gained momentum in recent years:
- MongoDB, a NoSQL database
- Express.js, a web application framework that runs on Node.js
- Angular.js, a JavaScript MVC framework developed by Google that runs in browser JavaScript engines
- Node.js, an execution environment for event-driven server-side and networking applications
Every developer has heard of it, and many organisations are moving their production applications to the MEAN stack.

This one day training will teach you how web application vulnerabilities change in the MEAN stack. We are going to explore these technologies and talk about the main issues you can encounter while either assessing or writing MEAN applications: 
1) Security Fundamentals and Implications of using MongoDB, Express.js, Angular.js and Node.js
2) OWASP Top 10 in MEAN 
3) Typical exploitation of MEAN and how to stop these attacks 
- NoSQL injections 
- Server-side JavaScript injections 

This course will be 50% hands-on using: 
- Secure Code Warrior (https://www.securecodewarrior.com), a platform where software developers use hands-on learning to build secure-coding skills and are benchmarked against their peers. A month of full access to the SCW platform is included in the training.
- OWASP NodeGoat (https://www.owasp.org/index.php/OWASP_Node_js_Goat_Project) 

Trainer
avatar for Jaap Karan

Jaap Karan

Chief Singh, Secure Code Warrior
Jaap is a coder, hacker and Chief Singh at Secure Code Warrior in Australia. After having done security testing at BAE Systems in Australia, he moved back to building great things instead of breaking them. He is one of the brains behind the Secure Code Warrior platform, mainly focussing on backend development using Node, Express and Mongo.

Monday June 27, 2016 09:00 - 17:00
Bramante 14

09:00

Day 1/2 - Hands on Web App Testing with Python
Hands on Web App Testing with Python is a two-day training class that provides students with basic, intermediate, and advanced Python scripting essentials to perform website security testing and exploitation. The class will prepare students to write their own Python tools to aid in performing web application testing against commonly found vulnerabilities.

Class Requirements: Students must come to class prepared with the following:
1. Laptop with at least 8GB of RAM, and a Quad-Core processor
2. Virtualization platform (a VirtualBox and VMWare image of the Vulnerable Web App VM will be made available 1 month before the class)
3. A Kali Linux VM with Python 2.7 or Python 3 configured and installed (all scripts will be developed in Kali to attack the VM)
4. The Custom Vulnerable Virtual Machine image loaded and ready to go BEFORE the class starts (a download link will be provided 1 month before the class)
5. Additional Python libraries to be determined as necessary and communicated before the class (these must be installed b

Trainer
avatar for Michael Born

Michael Born

Security Consultant, Solutionary
I enjoy breaking into things more than defending, I love Python, can tolerate Ruby, and am always trying to improve at C and Assembly. My current security testing focus is network penetration testing, application penetration testing, and mobile application penetration testing.
avatar for Fred Donovan

Fred Donovan

Professor and Director of an MSCS program | Enjoy discussions on "hacking back" | Friend and brother to many

Monday June 27, 2016 09:00 - 17:00
Bramante 10

09:00

Day 1/2 - OWASP Application Security Verification Standard 3.0 Developer and QA
In 2015, OWASP released the Application Security Verification Standard 3.0. Andrew van der Stock and Daniel Cuthbert, ASVS Project Leads and noted presenters and trainers, will take developers and testers through all Level 1 and a few key Level 2 controls, with live labs using OWASP Security Shepherd to demonstrate the issues, and working on code fixes to resolve those issues. This training is suitable for all developers, quality assurance, code reviewers, and penetration testers, but a distinct focus will be on code security and how to build secure applications using the ASVS in real world scenarios.

Trainer
avatar for Andrew van der Stock

Andrew van der Stock

Andrew van der Stock is a long time OWASP contributor, project leader, and Global Board Member. Some of his projects include the OWASP Developer Guide 2.0, OWASP Top 10 2007, OWASP Application Security Verification Project 2.0 and 3.0, and ESAPI for PHP. He specialises in agile secure development lifecycle methodologies, aiming to embed in the development process itself working with developers day to day, producing immediate, tangible and...

Monday June 27, 2016 09:00 - 17:00
Bramante 11

09:00

Day 1/3 - Droid-Sec Exploitation
The Droid-Sec Exploitation workshop will enable attendees to master various android application penetration testing techniques and exploitation methods. The workshop focuses on practical hands-on exercises on several dedicated vulnerable apps, with the basic theory explained prior to the Do-It-Yourself mind-bending exercise

Trainer
avatar for Gordon Gonsalves

Gordon Gonsalves

Gordon Gonsalves is a Certified Ethical Hacker and Certified Security Analyst from EC-Council and a Microsoft Certified Technology Specialist. He has more than 10 years' experience in IT, network and application security testing and has been a speaker and trainer at the INTEROP conference, India. He is interested in exploring security tools and enhancing security testing.
avatar for Blessen Thomas

Blessen Thomas

Security Consultant, EY
Blessen Thomas is an Independent Security Researcher and Security Consultant working at EY. He performs web application, mobile and network infrastructure penetration testing assessments. He has a B.Tech in Information Technology from Anna University and holds certifications such as Offensive Security Certified Professional (OSCP), EC-Council Certified Ethical Hacker (C|EH) and Computer Hacking Forensics Investigator (C|HFI). He has been listed and...

Monday June 27, 2016 09:00 - 17:00
Bramante 07

09:00

Day 1/3 - Exploiting Websites by using offensive HTML, SVG, CSS and other Browser-Evil
More and more web applications delegate business logic to the client. HTML.next, JavaScript, SVG, Canvas, ECMAScript 7/ES2016, AngularJS and ReactJS are just some of the terms that describe the contents of the modern web stack. But what does the attack surface look like for those? What if there are no GET parameters anymore that our scanner can tamper with? What can we do when the server just delivers raw data and the rest is done by the browser? Classic web pentests are "so nineties" in this realm, and keeping pace with progress is getting harder and harder.

But there is hope. The focus of this workshop is on the offensive and dangerous parts of HTML, JavaScript and related technologies, the nasty and undocumented stuff, dozens of new attack techniques straight from the laboratory of horrors of those maintaining the HTML5 Security Cheatsheet. We’ll learn how to attack any web-application with either unknown legacy features – or the half-baked results coming to your browser from the labs of W3C, WHATWG and the ES2016 mailing lists. Whether you want to attack modern web applications or shiny browser extensions and Chrome Packaged Apps – we have that covered.

Whoever works with or against the security of modern web applications will enjoy and benefit from this workshop. A bit of knowledge on HTML and JavaScript is required, but rookies and rocket scientists will be satisfied equally.

HTML is a living standard, and so is this workshop. The course material will be provided on-site and via access to a private GitHub repository, so all attendees will receive updated material even months after the actual training. All attendees are granted perpetual access to updated slides and material.

Speakers
avatar for Mario Heiderich

Mario Heiderich

Director, Cure53
Dr.-Ing. Mario Heiderich, handsome heart-breaker, bon-vivant and (as he loves to call himself) "security researcher" is from Berlin, likes everything between lesser- and greater-than and leads a small yet exquisite pen-test company. He commonly pesters peaceful attendees on various capitalist conferences with powerpoint-slides and profanities. Wherever Mario goes, bad weather and thunderstorms follow him. Doctors worldwide are clueless...



Monday June 27, 2016 09:00 - 17:00
Bramante 04

09:00

Day 1/3 - OWASP Top 10: Exploitation and Effective Safeguards
The OWASP Top 10 web application vulnerabilities list has done a great job promoting awareness among developers. Along with many cheat sheets, it provides valuable tools and techniques to web developers. But such a great source of information can be overwhelming for the programmer who wants to learn about security. This course aims to provide all web developers with deep hands-on knowledge of the subject.

To achieve this goal, participants will first learn the technical details about each OWASP Top 10 vulnerability. Then the instructor will give demos on how attacks are performed against each of them. After that, participants will use virtual machines and follow step by step procedures to launch attacks against a vulnerable web site. This step is key in understanding how exploitation works so they can later implement effective safeguards in their systems. Our experience is that participants who have had hands-on experience at exploiting vulnerabilities will always remember how to prevent them.

We will conclude the class with a Capture the Flag (CTF) event, where participants will be able to apply the techniques they have learned in a fun and friendly environment.

The course will cover the following topics:
  1. OWASP Top 10 web application vulnerabilities:
    A1 - Injection Attacks (Command Injection and SQL Injection)
    A2 - Broken Authentication and Session Management
    A3 - Cross-Site Scripting (XSS)
    A4 - Insecure Direct Object References
    A5 - Security Misconfiguration
    A6 - Sensitive Data Exposure
    A7 - Missing Function Level Access Control
    A8 - Cross-Site Request Forgery (CSRF)
    A9 - Using Known Vulnerable Components
    A10 - Unvalidated Redirects and Forwards
  2. SSL Certificates
  3. Password Management
  4. OWASP Application Security Verification Standard (ASVS)
  5. Securing AJAX and Web Services (REST and SOAP)
  6. Web Application Firewalls (WAF)
  7. Using a Vulnerability Scanner
  8. Effective Code Review Techniques
  9. OWASP Enterprise Security API (ESAPI)
  10. Secure Coding Best Practices
  11. Effective Security Safeguards

Demos from the instructor
  1. SQL Injection
  2. Cross-Site Scripting
  3. Insecure Direct Object References
  4. Sensitive Data Exposure
  5. Cross-Site Request Forgery
  6. Blind SQL Injection
  7. Remote File Injection
  8. Using Known Vulnerable Components
  9. Unvalidated Redirects and Forwards

Hands-on exercises
  1. Session Initialization and Client-Side Validation
  2. Sniffing Encrypted Traffic
  3. Online Password Guessing Attack
  4. Account Harvesting
  5. Command Injection Attacks
  6. Using a Web Application Vulnerability Scanner
  7. Create Self-Signed SSL certificates (Root CA and Server certificates)
  8. Capture the Flag (CTF) - A longer exercise at the end of the last day where participants try to find hidden vulnerabilities by themselves using techniques they have learned in the class.

Who Should Take This Course?
This course is designed to help intermediate to expert web developers and security professionals understand how to secure web applications. Candidates are expected to have basic knowledge of web technologies, but no experience in security is required prior to taking this course. However, security professionals who want to learn more about web security will benefit from this class.

What Should Participants Bring?
Participants are required to bring a laptop (Windows, Mac or Linux) with at least 3 GB of RAM, 20 GB of free disk space along with either VMWare Workstation Player (free), VMWare Workstation, VMWare Fusion or Oracle VirtualBox (free) pre-installed. They must also have an administrator/root account on their laptop. At the beginning of the course, participants will receive a USB thumb drive containing a pre-configured virtual machine.

Trainer
avatar for David Caissy

David Caissy

Penetration Tester, TRM Technologies Inc.
David Caissy is a web application penetration tester with in-depth developer and IT Security background spanning over 16 years. He has extensive experience in conducting vulnerability assessments and penetration tests as well as providing training globally, amongst numerous other teaching engagements. He has worked for a central bank, the Department of National Defense, various government agencies and private companies. David has been teaching...

Monday June 27, 2016 09:00 - 17:00
Bramante 05
 
Tuesday, June 28
 

08:00

Training Registration
Tuesday June 28, 2016 08:00 - 09:00
TBA

08:00

Developer Summit - Code Review Session
This is a hands-on working session to "get things done". Bring your laptop and be ready to code!

The OWASP Code Review Guide (v2) is attending the AppSec EU Project Summit in Rome during June 2016. At this summit we will be inviting participants to spend some of their time to review the Beta version of the guide.

High level agenda is as follows:

  • Copies of the guide will be available as PDF, either downloadable from the Internet, or on CD
  • Participants will be asked to scan the document ToC, determine a section they have experience in, and review.
  • Review comments will be collected and fed back into the beta review cycle.
  • As incentive, the Code Review Guide will bring a 10 year old Irish Whiskey, to be raffled among the participants taking part in the review.

8am - 12pm
OWASP Training Platforms: Hackademic, Security Knowledge Framework. For Hackademic: finish/polish the Binary Exploitation course, add additional challenges. For SKF: writing and reviewing secure code samples.
Pawel Sarbinowski

12pm - 1pm Lunch

1pm - 5pm
Code Review Session (https://www.owasp.org/index.php/OWASP_Code_review_V2_AppSecEU_Agenda). Together, let's read parts of the document and review it!
Gary Robinson



Tuesday June 28, 2016 08:00 - 17:00
Bramante 15

08:00

OWASP Project Summit

OWASP is providing a platform for two full days prior to the AppSec EU activities: an open forum setting to share ideas and innovations, gain contributors and gather feedback so that projects can advance to the next level.

This year the project summit will include the opportunity to work on some of the hot topics and initiatives being discussed with OWASP. Please give us your feedback on which of the following topics you’d like to see discussed at the summit:

  • Gaming OWASP projects and badges
  • OWASP code project bug bounties
  • Bringing OWASP documentation projects into github/markdown & sharing content

Use this opportunity to demo your project to others at the summit, promote it for sponsorship, gain feedback, or simply brainstorm some ideas and add a few features.


Tuesday June 28, 2016 08:00 - 17:00
Bramante 15

09:00

Day 1/1 - CISO training: Managing Web & Application Security - OWASP for senior managers
Managing and improving your global information security organization: leverage OWASP and common best practices to improve your security programs and organization. Achieving cost-effective application security, bringing it all together at the management level.

Presentation Type: training
Duration: 1 day
Language: English
Target Audience: Management
Skill Level: Beginner – Medium

Trainer
avatar for Tobias Gondrom

Tobias Gondrom

Global Board Member, OWASP
Tobias Gondrom is a global board member of OWASP (Open Web Application Security Project) and former chairman until December 2015. And until April 2015, he was leading a boutique Global CISO and Information Security & Risk Management Advisory based in Hong Kong, United Kingdom and Germany. He has over 15 years of experience leading global teams in information security, software development, application security, cryptography, electronic signatures...

Tuesday June 28, 2016 09:00 - 17:00
Bramante 08

09:00

Day 1/2 - Hands-on Threat Modeling

Threat modeling is the primary security analysis task performed during the software design stage. Threat modeling is a structured activity for identifying and evaluating application threats and vulnerabilities. The security objectives, threats, and attacks modeling activities during the threat modeling are designed to help you find vulnerabilities in your application and the supporting architecture. You can use the identified vulnerabilities to help shape your design and direct and scope your security testing.

Threat modeling allows you to consider, document, and discuss the security implications of designs in the context of their planned operational environment and in a structured fashion. It also allows consideration of security issues at the component or application level. The threat modeling course will teach you to perform threat modeling through a series of workshops, where our trainer will guide you through the different stages of a practical threat model.

This course is aimed at software developers, architects, system managers and security professionals. Before attending this course, students should have basic knowledge of web and mobile applications, databases and Single Sign-On (SSO) principles. Students should bring their own laptop to the course.

 
Course topics  
Threat modeling introduction
  • Threat modeling in a secure development lifecycle
  • What is threat modeling?
  • Why perform threat modeling?
  • Threat modeling stages
  • Diagrams
  • Identify threats
  • Addressing threats
  • Document a threat model


Diagrams – what are you building?

  • Understanding context
  • Doomsday scenarios
  • Data flow diagrams
  • Trust Boundaries
  • Hands-on: diagram B2B web and mobile applications, sharing the same REST backend


Identifying threats – what can go wrong?

  • STRIDE introduction
  • Spoofing threats
  • Tampering threats
  • Repudiation threats
  • Information disclosure threats
  • Denial of service threats
  • Elevation of privilege threats
  • Privacy threats
  • Attack trees
  • Hands-on: STRIDE analysis of an Internet of Things (IoT) deployment with an on-premise gateway and secure update service

Addressing each threat

  • Mitigation patterns
  • Authentication: mitigating spoofing
  • Integrity: mitigating tampering
  • Non-repudiation: mitigating repudiation
  • Confidentiality: mitigating information disclosure
  • Availability: mitigating denial of service
  • Authorization: mitigating elevation of privilege
  • Mitigating privacy threats
  • Hands-on: threat mitigations for OAuth scenarios in web and mobile applications


Practical threat modeling

  • Strategies for risk management
  • Selecting mitigations
  • Threat ranking
  • Risk acceptance
  • Validating threat mitigations


Threat modeling tools

  • General tools
  • Open-Source tools
  • Commercial tools


Attack libraries

  • Libraries and checklists
  • CAPEC
  • OWASP Top 10
  • Building your own library


Examination

  • Hands-on examination 
  • Grading and certification
 

Student package

The course students receive the following package as part of the course:

  • Each student will receive a hard copy of the book Threat Modeling: Designing for Security by Adam Shostack (2014, Wiley)
  • Hand-outs of the presentations
  • Work sheets of the use cases
  • Detailed solution descriptions of the use cases
  • Template to document a threat model
  • Template to calculate risk levels of identified threats
  • Receive certificate: Following a successful exam (passing grade defined at 70%) the student will receive certification for successful completion of course

Trainer
avatar for Sebastien Deleersnyder

Sebastien Deleersnyder

Managing Partner, Toreon
Sebastien Deleersnyder is Co-founder & managing partner application security at Toreon.com. Sebastien has helped various companies improve their ICT-, Web- and Mobile Security, including BNP Paribas Fortis, Atos Worldline, KBC, Nationale Nederlanden (ING), Isabel, Fluxys, OLAF, EU Council, TNT Post, Flemish Community, Agfa-Gevaert and ING Insurance International. Sebastien is the Belgian OWASP Chapter Leader, co-project leader of the OpenSAMM...

Tuesday June 28, 2016 09:00 - 17:00
Bramante 09

09:00

Day 1/2 - Web Service and Single Sign-On Security
Web Services and Single Sign-On are among the most important Internet technologies. However, in recent years it has been shown that these technologies allow for serious attacks. The attacks take advantage of XML complexity and make it possible to read data from secured servers, authenticate as an arbitrary user in Single Sign-On scenarios, or decrypt confidential data. In this training, we will give an overview of the most important Web Service and Single Sign-On specific attacks. Participants will get the opportunity to carry out these attacks in a prepared virtual machine. The attacks will first be tested manually (e.g., with soapUI) in order to get a feeling for them. Subsequently, we will present our penetration testing tool WS-Attacker, which will be used to execute the presented attacks automatically. For each of the attacks, countermeasures will be discussed, and it will be shown how to deploy them on widely used systems and firewalls, including IBM DataPower or Axway.

Training attendees

The training is dedicated to two groups:

– First, developers who implement XML, Web Services and Single Sign-On in their applications. They learn the dangers that come with the usage of these standards and how to prevent the resulting attacks. In addition, they learn how to automatically test their newly developed applications for the discussed vulnerabilities.

– Second, security researchers and penetration testers who want to get familiar with XML, Web Services and Single Sign-On. In this course, you will get a good overview of the most relevant technologies in this complex area, which will give you the opportunity to execute your first XML-specific evaluations.

There are no specific prerequisites for this course. However, basic knowledge of tools like SoapUI or Burpsuite, or some familiarity with Web Services or SSO technologies would be of advantage.

Contents

The course will cover the following topics. In each topic, attendees will get the opportunity to execute practical evaluations using SoapUI, WS-Attacker, Burpsuite, or a different application:

  • XML and SOAP-based Web Services
  • XML Schema and WS-Policy
  • WS-Addressing and WS-Addressing Spoofing
  • XML parsing
  • DTD and XML External Entity (XXE) attacks
  • XSLT and XInclude attacks
  • XML-specific Denial-of-Service attacks
  • XML Security and WS-Security
  • XML Signature
  • XML Encryption and applied crypto attacks
  • WS-Attacker
  • SAML-based Single Sign-On
  • OAuth
  • REST-based Web Services
  • Converting SOAP to REST: security dangers

Requirements

– A laptop with a recent version of VirtualBox (the virtual machine will be provided). VMWare and other virtualization software should also work but cannot be supported.

– Proposed max number of participants: 15

– Duration: 2 days


Trainer
avatar for Christian Mainka

Christian Mainka

Security Consultant, Hackmanit GmbH
Christian Mainka is a PhD student at the Ruhr University Bochum, Chair for Network and Data Security. Since 2009 he has focused on XML and Web Services technologies, has developed his penetration testing tool WS-Attacker, and has published several papers on XML security related topics at scientific workshops and conferences. Nowadays, the tool contains a large collection of specific attacks, which can be automatically applied to SOAP-based...
avatar for Juraj Somorovsky

Juraj Somorovsky

Security Consultant, Hackmanit GmbH
Juraj Somorovsky finished his PhD in the area of XML Security in 2013. In his thesis "On the Insecurity of XML Security" he analyzes various attacks on Web Services and presents practical countermeasures against these attacks, which were applied in XML Security specifications and in countless frameworks and applications. He presented his work at many scientific and industry conferences, including Usenix Security and OWASP Germany. Currently...

Tuesday June 28, 2016 09:00 - 17:00
Bramante 12

09:00

Day 2/2 - Assessing and Securing MEAN (MongoDB, Express.js, Angular.js, and Node.js)
MEAN is a free and open-source JavaScript software stack for building dynamic web sites and web applications, and it has gained momentum in recent years:
- MongoDB, a NoSQL database
- Express.js, a web application framework that runs on Node.js
- Angular.js, a JavaScript MVC framework developed by Google that runs in browser JavaScript engines
- Node.js, an execution environment for event-driven server-side and networking applications
Every developer has heard of it, and many organisations are moving their production applications to the MEAN stack.

This one day training will teach you how web application vulnerabilities change in the MEAN stack. We are going to explore these technologies and talk about the main issues you can encounter while either assessing or writing MEAN applications: 
1) Security Fundamentals and Implications of using MongoDB, Express.js, Angular.js and Node.js
2) OWASP Top 10 in MEAN 
3) Typical exploitation of MEAN and how to stop these attacks 
- NoSQL injections 
- Server-side JavaScript injections 

This course will be 50% hands-on using: 
- Secure Code Warrior (https://www.securecodewarrior.com), a platform where software developers use hands-on learning to build secure-coding skills and are benchmarked against their peers. A month of full access to the SCW platform is included in the training.
- OWASP NodeGoat (https://www.owasp.org/index.php/OWASP_Node_js_Goat_Project) 

Trainer
avatar for Jaap Karan

Jaap Karan

Chief Singh, Secure Code Warrior
Jaap is a coder, hacker and Chief Singh at Secure Code Warrior in Australia. After having done security testing at BAE Systems in Australia, he moved back to building great things instead of breaking them. He is one of the brains behind the Secure Code Warrior platform, mainly focussing on backend development using Node, Express and Mongo.

Tuesday June 28, 2016 09:00 - 17:00
Bramante 14

09:00

Day 2/2 - Hands on Web App Testing with Python
Hands on Web App Testing with Python is a two-day training class that provides students with basic, intermediate, and advanced Python scripting essentials to perform website security testing and exploitation. The class will prepare students to write their own Python tools to aid in performing web application testing against commonly found vulnerabilities.

Class Requirements: Students must come to class prepared with the following:
1. Laptop with at least 8GB of RAM, and a Quad-Core processor
2. Virtualization platform (a VirtualBox and VMWare image of the Vulnerable Web App VM will be made available 1 month before the class)
3. A Kali Linux VM with Python 2.7 or Python 3 configured and installed (all scripts will be developed in Kali to attack the VM)
4. The Custom Vulnerable Virtual Machine image loaded and ready to go BEFORE the class starts (a download link will be provided 1 month before the class)
5. Additional Python libraries to be determined as necessary and communicated before the class (these must be installed b

Trainer
avatar for Michael Born

Michael Born

Security Consultant, Solutionary
I enjoy breaking into things more than defending, I love Python, can tolerate Ruby, and am always trying to improve at C and Assembly. My current security testing focus is network penetration testing, application penetration testing, and mobile application penetration testing.
avatar for Fred Donovan

Fred Donovan

Professor and Director of an MSCS program | Enjoy discussions on "hacking back" | Friend and brother to many

Tuesday June 28, 2016 09:00 - 17:00
Bramante 10

09:00

Day 2/2 - OWASP Application Security Verification Standard 3.0 Developer and QA
In 2015, OWASP released the Application Security Verification Standard 3.0. Andrew van der Stock and Daniel Cuthbert, ASVS Project Leads and noted presenters and trainers, will take developers and testers through all Level 1 and a few key Level 2 controls, with live labs using OWASP Security Shepherd to demonstrate the issues, and working on code fixes to resolve those issues. This training is suitable for all developers, quality assurance, code reviewers, and penetration testers, but a distinct focus will be on code security and how to build secure applications using the ASVS in real world scenarios.

Trainer
avatar for Andrew van der Stock

Andrew van der Stock

Andrew van der Stock is a long time OWASP contributor, project leader, and Global Board Member. Some of his projects include the OWASP Developer Guide 2.0, OWASP Top 10 2007, OWASP Application Security Verification Project 2.0 and 3.0, and ESAPI for PHP. He specialises in agile secure development lifecycle methodologies, aiming to embed in the development process itself working with developers day to day, producing immediate, tangible and...

Tuesday June 28, 2016 09:00 - 17:00
Bramante 11

09:00

Day 2/3 - Droid-Sec Exploitation
The Droid-Sec Exploitation workshop will enable attendees to master various android application penetration testing techniques and exploitation methods. The workshop focuses on practical hands-on exercises on several dedicated vulnerable apps, with the basic theory explained prior to the Do-It-Yourself mind-bending exercise

Trainer
avatar for Gordon Gonsalves

Gordon Gonsalves

Gordon Gonsalves is a Certified Ethical Hacker and Certified Security Analyst from EC-Council and a Microsoft Certified Technology Specialist. He has more than 10 years' experience in IT, network and application security testing and has been a speaker and trainer at the INTEROP conference, India. He is interested in exploring security tools and enhancing security testing.
avatar for Blessen Thomas

Blessen Thomas

Security Consultant, EY
Blessen Thomas is an Independent Security Researcher and Security Consultant working at EY. He performs web application, mobile and network infrastructure penetration testing assessments. He has a B.Tech in Information Technology from Anna University and holds certifications such as Offensive Security Certified Professional (OSCP), EC-Council Certified Ethical Hacker (C|EH) and Computer Hacking Forensics Investigator (C|HFI). He has been listed and...

Tuesday June 28, 2016 09:00 - 17:00
Bramante 07

09:00

Day 2/3 - Exploiting Websites by using offensive HTML, SVG, CSS and other Browser-Evil
More and more web applications delegate business logic to the client. HTML.next, JavaScript, SVG, Canvas, ECMAScript 7/ES2016, AngularJS and ReactJS are just some of the terms that describe the contents of the modern web stack. But what does the attack surface look like for those? What if there are no GET parameters anymore that our scanner can tamper with? What can we do when the server just delivers raw data and the rest is done by the browser? Classic web pentests are "so nineties" in this realm, and keeping pace with progress is getting harder and harder.

But there is hope. The focus of this workshop is on the offensive and dangerous parts of HTML, JavaScript and related technologies, the nasty and undocumented stuff, dozens of new attack techniques straight from the laboratory of horrors of those maintaining the HTML5 Security Cheatsheet. We’ll learn how to attack any web-application with either unknown legacy features – or the half-baked results coming to your browser from the labs of W3C, WHATWG and the ES2016 mailing lists. Whether you want to attack modern web applications or shiny browser extensions and Chrome Packaged Apps – we have that covered.

Whoever works with or against the security of modern web applications will enjoy and benefit from this workshop. A bit of knowledge on HTML and JavaScript is required, but rookies and rocket scientists will be satisfied equally.

HTML is a living standard. And so is this workshop. The course material will be provided on-site and via access to a private GitHub repository, so all attendees will receive updated material even months after the actual training. All attendees are granted perpetual access to updated slides and material.

Speakers
Mario Heiderich

Director, Cure53
Dr.-Ing. Mario Heiderich, handsome heart-breaker, bon-vivant and (as he loves to call himself) “security researcher” is from Berlin, likes everything between lesser- and greater-than and leads a small yet exquisite pen-test company. He commonly pesters peaceful attendees on various capitalist conferences with powerpoint-slides and profanities. Wherever Mario goes, bad weather and thunderstorms follow him. Doctors worldwide are clueless...



Tuesday June 28, 2016 09:00 - 17:00
Bramante 04

09:00

Day 2/3 - OWASP Top 10: Exploitation and Effective Safeguards
The OWASP Top 10 web application vulnerabilities list has done a great job promoting awareness among developers. Along with many cheat sheets, it provides valuable tools and techniques to web developers. But such a great source of information can be overwhelming for the programmer who wants to learn about security. This course aims at providing all web developers deep hands-on knowledge on the subject. To achieve this goal, participants will first learn the technical details about each OWASP Top 10 vulnerability. Then the instructor will give demos on how attacks are performed against each of them. After that, participants will use virtual machines and follow step-by-step procedures to launch attacks against a vulnerable web site. This step is key to understanding how exploitation works so they can later implement effective safeguards in their systems. Our experience is that participants who have had hands-on experience at exploiting vulnerabilities will always remember how to prevent them. Topics such as SSL Certificates, Password Management, the OWASP Top 10 web application vulnerabilities, SQL Injection Attacks, Broken Authentication and Session Management, Cross-Site Scripting (XSS), Insecure Direct Object References, Cross-Site Request Forgery (CSRF), Web Application Firewalls (WAF), Using a Vulnerability Scanner, Effective Code Review Techniques, Sniffing Encrypted Traffic, Online Password Guessing Attacks and Account Harvesting will all be covered in this class.

Trainer
David Caissy

Penetration Tester, TRM Technologies Inc.
David Caissy is a web application penetration tester with an in-depth developer and IT security background spanning over 16 years. He has extensive experience in conducting vulnerability assessments and penetration tests as well as providing training globally, amongst numerous other teaching engagements. He has worked for a central bank, the Department of National Defense, various government agencies and private companies. David has been teaching...

Tuesday June 28, 2016 09:00 - 17:00
Bramante 05

09:00

University Challenge
The University Challenge is a competition among teams comprised of university students that will be held on June 28th and 29th 2016, during the training days of the conference. There is no admission fee for the University Challenge. However, UC team members will get a 50% discount on the AppSec-Europe 16 student ticket! This year's UC is a two-stage challenge:
  • Day 1: Capture The Flag (CTF), solving hacking challenges.
  • Day 2: Offense/Defense (Blue/Red Team), defending your vulnerable web application whilst attacking the applications of the other teams.

This year the OWASP University Challenge will be limited to 10 teams.

Teams will consist of 4-8 students, with one team per university. All team openings are on a first-come, first-served basis. If multiple teams are received from the same university, the second team will be put on a waiting list.


Tuesday June 28, 2016 09:00 - 17:00
Michelangelo Ballroom Sect. 1
 
Wednesday, June 29
 

08:00

Training Registration
Wednesday June 29, 2016 08:00 - 09:00
TBA

08:00

Developer Summit - Wiki and Secure Coding Sessions
8am -12 pm
OWASP Wiki Coding and Editing
Learn the ins and outs of how to effectively contribute to the OWASP Wiki. Participate in a mini wiki edit-a-thon to help clean up some of the cruft!
Jim Manico & August Detlefsen

12pm-1pm Lunch

1pm-5pm
In this session we will review and raise awareness of various OWASP Secure Coding Projects including ESAPI, OWASP AppSensor, OWASP Java Encoder, OWASP Logger, OWASP HTML Sanitizer and more. This session is especially valuable for Java programmers.

Jim Manico & August Detlefsen


Speakers
Jim Manico

Author and Educator
Jim Manico is an author and educator of developer security awareness trainings. He is a frequent speaker on secure software practices and is a member of the JavaOne "rockstar hall of fame". He has a 17-year history building software as a developer and architect. Jim is also a Global Board Member for the OWASP Foundation, where he helps drive the strategic vision for the organization. He manages and participates in several OWASP projects, including...


Wednesday June 29, 2016 08:00 - 17:00
Bramante 15

08:00

OWASP Project Summit

OWASP is providing a platform for two full days prior to the AppSec EU activities: an open forum for sharing ideas and innovations, gaining contributors and exchanging feedback so that projects can advance to the next level.

This year the project summit will include the opportunity to work on some of the hot topics and initiatives being discussed within OWASP. Please give us your feedback on which of the following topics you’d like to see discussed at the summit:

  • Gaming OWASP projects and badges
  • OWASP code project bug bounties
  • Bringing OWASP documentation projects into github/markdown & sharing content

Use this opportunity to demo your project to others at the summit, seek sponsorship, gain feedback, or simply brainstorm some ideas and add a few features.


Wednesday June 29, 2016 08:00 - 17:00
Bramante 15

09:00

Day 1/1 - Bootstrap and improve your SDLC with OpenSAMM
Building security into the software development and management practices of a company can be a daunting task. OWASP OpenSAMM gives you a structured and measurable framework to do just that. The goal of this one-day training, which is conceived as a mix of training and workshop, is for the participants to get a more in-depth view of and practical feeling for the OpenSAMM model. The training has run successfully for several years now. The training is set up in three parts. In the first part, an overview of the OpenSAMM model is presented and the similarities and differences with other comparable models are explained. This will incorporate the updates of the soon-to-be-published v1.1 of the model. Next, approximately half a day will be spent on doing an actual OpenSAMM evaluation of your own organisation (or one that you have worked for). In the same effort, we will define a target model for your organisation and identify the most important challenges in getting there. The final part of the training will be dedicated to specific questions or challenges that you are facing with regard to secure development in your organisation. In case you haven't started a secure software initiative in your organisation yet, this training should provide you with the necessary foundations and ideas to do so. Be prepared for a highly effective and applicable treatment of this large domain!

Trainer
Bart De Win

Bart De Win has over 15 years of experience in software security. He has an extensive background in the field, including his Ph.D. and research work on methods and techniques for software protection. Since 2009, Bart has been responsible for all application security services within Ascure & PwC Belgium. He has extensive project experience in software testing and in assisting companies in improving their secure software development...

Wednesday June 29, 2016 09:00 - 17:00
Bramante 08

09:00

Day 1/1 - Defensive Programming for JavaScript & HTML5

This one-day course helps web front-end developers understand the risks involved with manipulating JavaScript and HTML5 and apply defensive programming techniques in both languages.

Some of the topics covered include, but are not limited to, important security aspects of modern browser architecture (Document Object Model and Same Origin Policy), common web vulnerabilities, like XSS, CSRF, DOM manipulation, and new HTML5 technologies, like sandboxing iframes, Cross-origin Resource Sharing, Content Security Policy, Web Messaging, Web Storage, and specifics of using JSON.

The JavaScript section will talk about vulnerabilities in Node.js, Express.js and AngularJS.

This course is structured into modules and includes exploitation and remediation exercises. The high-level topics for this course are:
  • The HTML5 and JavaScript Risk Landscape
  • Storage of Sensitive Data
  • Secure Cross-domain Communications (CORS, web messaging)
  • Protecting from Cross-site Scripting (CSP, JavaScript Execution Contexts, Output Encoding)
  • Implementing Secure Dataflow
  • Securing AJAX Requests and JSON Data
  • Securing Server-side JavaScript (Node.js and Express.js)
  • Securing Client-side JavaScript (AngularJS)

Objectives:
After completing this course, students will be able to:
  • Apply HTML5 Defensive Programming Techniques
  • Apply JavaScript Defensive Programming Techniques
  • Apply JSON Defensive Programming Techniques

Labs and Demonstrations:

If students bring their own laptops with internet connectivity, they will be able to access online Virtual Machines with labs. In lab sessions students will learn to fix issues related to localStorage, web messaging, sandbox attribute for iframes, CORS, CSP, parsing JSON data, JavaScript injections, and DOM-based cross-site scripting. The course also includes several interactive demonstrations showing how to tamper with client-side data, evade client-side filters, and work with Firebug. The labs are not compulsory to get the full value of the course but strongly recommended.

Video about the training: https://www.youtube.com/watch?v=p0LxLUMXntc  


Trainer
Ksenia Dmitrieva

Associate Principal Consultant, Cigital
Ksenia Dmitrieva is an Associate Principal Consultant at Cigital with over six years of experience in securing web applications and five years of development experience. She performs penetration testing and code review for clients in the financial services, entertainment, telecommunications, energy, and enterprise security industries. Her current concentration is on researching HTML5 technologies and new JavaScript frameworks, their security...

Wednesday June 29, 2016 09:00 - 17:00
Bramante 14

09:00

Day 1/1 - Hacking and Securing iOS Applications
“Hacking and Securing iOS Applications” is a one-day course focused on learning how to successfully perform a security assessment of modern and complex iOS applications and provide appropriate remediations for all the vulnerabilities found. This highly practical course is designed around the security issues that were often observed by the trainers during their application security assessments. This up-to-date training will also be very useful for all iOS developers who want to know the security best practices that are mandatory to build an application able to face modern threats. Attendees will get familiar with the following topics during the class (mostly based on the OWASP Top Ten):
  • A thorough overview of the iOS security model, updated to iOS 9;
  • How to set up a lab with all the tools needed to successfully perform iOS security assessments;
  • Checking for local storage vulnerabilities and learning how to correctly save sensitive files on the device;
  • How to check for and prevent unintended data leakage;
  • How to safely implement SSL pinning and check for the most common SSL vulnerabilities;
  • How to take advantage of some of the most useful security assessment tools through practical examples (Frida, Cycript, Snoop-it, idb, etc.);
  • How to obfuscate iOS code and implement appropriate checks to detect jailbroken devices;
  • How to reverse engineer iOS applications and acquire knowledge about the inner details of the target application.

Trainer
Simone Bovi

Security Consultant, Minded Security
Simone Bovi is a Security Consultant at Minded Security, where he delivers Web Application Penetration Tests, Mobile Penetration Tests (iOS and Android platforms), Vulnerability Assessments and Network Penetration Tests for several enterprise companies and financial institutions. He holds a Master of Science in Computer Engineering from the University of Padova and security certifications such as eCPPT and eWPT. In March 2015, working with his colleague...

Davide Danelon

Senior Security Consultant, Minded Security
Davide Danelon is a Senior Security Consultant at Minded Security, where he delivers security assessments and penetration tests of web and mobile applications. He also delivers courses about application security. Prior to joining Minded Security, Davide was an Analyst at Deloitte Enterprise Risk Services, gaining experience in conducting risk assessments and IT audits. Davide has a master’s degree in computer engineering and he holds GWAPT...

Wednesday June 29, 2016 09:00 - 17:00
Bramante 11

09:00

Day 1/1 - How to FIDO-enable your web-application for Strong-Authentication
Authenticating users with userid/passwords is simple, easy and well-understood. It is also notoriously vulnerable to attack. Most authentication schemes in use today, such as passwords, OTP, KBA and biometrics, have a fundamental flaw in their paradigm: shared secrets. As long as the user and the server share a secret to authenticate the user, the user and the application are vulnerable to password breaches and phishing attacks. The FIDO Alliance, a consortium of 250 companies worldwide, has been attempting to address the password problem for the last two years and has created the Universal 2nd Factor (U2F) protocol. Specifically designed for human authentication to web applications, its goals were to eliminate password-based authentication and phishing attacks while using asymmetric-key cryptography coupled with hardware-based authenticators simple enough for consumers to use. A web application taking advantage of the U2F protocol and its Authenticators/Servers can protect itself from the attacks mentioned above. This training session will cover the following:
  • An overview of the FIDO Alliance, its mission and protocols;
  • The differences between the U2F, UAF and FIDO 2.0 protocols;
  • The differences between FIDO and PKI;
  • An in-depth presentation of the FIDO U2F protocol and its mechanics;
  • A step-by-step tutorial on how to FIDO-enable a simple web application using the simplest of the three protocols: U2F;
  • A discussion of issues related to FIDO-enablement: application design, performance, security, supporting users without FIDO Authenticators, dealing with lost/stolen Authenticators, etc.
All attendees of this session will be given a FIDO Certified U2F Authenticator as part of the training session. The course will be based on the use of a FIDO Certified open-source U2F server, and other open-source tools.

Some FIDO related information from the author of this training:
https://alesa.website/ 
https://www.linkedin.com/pulse/all-biometric-authentication-equal-arshad-noor 

Trainer
Arshad Noor

CTO, StrongAuth, Inc.
Arshad Noor is CTO of StrongAuth, Inc., a Silicon Valley company that has been building open-source data-protection solutions for 14 years. With over 29 years in the IT industry, he has developed applications, managed systems and defined architecture for some of the world's largest companies. A member of the FIDO Alliance, StrongAuth created an open-source FIDO Certified U2F server and is also the supplier/operator of the U2F Test Harness Site for...

Wednesday June 29, 2016 09:00 - 17:00
Bramante 10

09:00

Day 2/2 - Hands-on Threat Modeling

Threat modeling is the primary security analysis task performed during the software design stage. Threat modeling is a structured activity for identifying and evaluating application threats and vulnerabilities. The security-objective, threat and attack modeling activities performed during threat modeling are designed to help you find vulnerabilities in your application and the supporting architecture. You can use the identified vulnerabilities to help shape your design and to direct and scope your security testing.

Threat modeling allows you to consider, document, and discuss the security implications of designs in the context of their planned operational environment and in a structured fashion. It also allows consideration of security issues at the component or application level. The threat modeling course will teach you to perform threat modeling through a series of workshops, where our trainer will guide you through the different stages of a practical threat model.

This course is aimed at software developers, architects, system managers and security professionals. Before attending this course, students should have basic knowledge of web and mobile applications, databases and Single Sign-On (SSO) principles. Students should bring their own laptop to the course.

 
Course topics  
Threat modeling introduction
  • Threat modeling in a secure development lifecycle
  • What is threat modeling?
  • Why perform threat modeling?
  • Threat modeling stages
  • Diagrams
  • Identify threats
  • Addressing threats
  • Document a threat model


Diagrams – what are you building?

  • Understanding context
  • Doomsday scenarios
  • Data flow diagrams
  • Trust Boundaries
  • Hands-on: diagram B2B web and mobile applications, sharing the same REST backend


Identifying threats – what can go wrong?

  • STRIDE introduction
  • Spoofing threats
  • Tampering threats
  • Repudiation threats
  • Information disclosure threats
  • Denial of service threats
  • Elevation of privilege threats
  • Privacy threats
  • Attack trees
  • Hands-on: STRIDE analysis of an Internet of Things (IoT) deployment with an on-premise gateway and secure update service

Addressing each threat

  • Mitigation patterns
  • Authentication: mitigating spoofing
  • Integrity: mitigating tampering
  • Non-repudiation: mitigating repudiation
  • Confidentiality: mitigating information disclosure
  • Availability: mitigating denial of service
  • Authorization: mitigating elevation of privilege
  • Mitigating privacy threats
  • Hands-on: threat mitigations for OAuth scenarios for web and mobile applications


Practical threat modeling

  • Strategies for risk management
  • Selecting mitigations
  • Threat ranking
  • Risk acceptance
  • Validating threat mitigations


Threat modeling tools

  • General tools
  • Open-Source tools
  • Commercial tools


Attack libraries

  • Libraries and checklists
  • CAPEC
  • OWASP Top 10
  • Building your own library


Examination

  • Hands-on examination 
  • Grading and certification
 

Student package

The course students receive the following package as part of the course:

  • Each student will receive a hard copy of the book Threat Modeling: Designing for Security by Adam Shostack (2014, Wiley)
  • Hand-outs of the presentations
  • Worksheets for the use cases
  • Detailed solution descriptions of the use cases
  • Template to document a threat model
  • Template to calculate risk levels of identified threats
  • Certificate: following a successful exam (passing grade set at 70%), the student will receive a certificate of successful completion of the course

Trainer
Sebastien Deleersnyder

Managing Partner, Toreon
Sebastien Deleersnyder is Co-founder & Managing Partner Application Security at Toreon.com. Sebastien has helped various companies improve their ICT, Web and Mobile Security, including BNP Paribas Fortis, Atos Worldline, KBC, Nationale Nederlanden (ING), Isabel, Fluxys, OLAF, EU Council, TNT Post, Flemish Community, Agfa-Gevaert and ING Insurance International. Sebastien is the Belgian OWASP Chapter Leader, co-project leader of the OpenSAMM...

Wednesday June 29, 2016 09:00 - 17:00
Bramante 09

09:00

Day 2/2 - Web Service and Single Sign-On Security
Web Services and Single Sign-On are among the most important Internet technologies. However, in recent years it has been shown that these technologies allow for serious attacks. The attacks take advantage of XML's complexity and make it possible to read data from secured servers, authenticate as an arbitrary user in Single Sign-On scenarios, or decrypt confidential data. In this training, we will give an overview of the most important Web Service and Single Sign-On specific attacks. Participants will get the opportunity to carry out these attacks in a prepared virtual machine. The attacks will first be tested manually (e.g., with soapUI) in order to get a feeling for them. Subsequently, we will present our penetration testing tool WS-Attacker, which will be used to execute the presented attacks automatically. For each of the attacks, countermeasures will be discussed, and it will be shown how to deploy them on widely used systems and firewalls, including IBM DataPower or Axway.

Trainer
Christian Mainka

Security Consultant, Hackmanit GmbH
Christian Mainka is a PhD student at the Ruhr University Bochum, Chair for Network and Data Security. Since 2009 he has focused on XML and Web Services technologies, develops his penetration testing tool WS-Attacker and has published several papers on XML security related topics at scientific workshops and conferences. Nowadays, the tool contains a large collection of specific attacks, which can be automatically applied to SOAP-based...

Juraj Somorovsky

Security Consultant, Hackmanit GmbH
Juraj Somorovsky finished his PhD in the area of XML Security in 2013. In his thesis “On the Insecurity of XML Security” he analyzes various attacks on Web Services and presents practical countermeasures against these attacks, which were applied in XML Security specifications and in countless frameworks and applications. He has presented his work at many scientific and industry conferences, including Usenix Security and OWASP Germany. Currently...

Wednesday June 29, 2016 09:00 - 17:00
Bramante 12

09:00

Day 3/3 - Droid-Sec Exploitation
This is a 3-day training course.


Wednesday June 29, 2016 09:00 - 17:00
Bramante 07

09:00

Day 3/3 - Exploiting Websites by using offensive HTML, SVG, CSS and other Browser-Evil
This is a 3-day training course.

Wednesday June 29, 2016 09:00 - 17:00
Bramante 04

09:00

Day 3/3 - OWASP Top 10: Exploitation and Effective Safeguards

Wednesday June 29, 2016 09:00 - 17:00
Bramante 05

09:00

University Challenge


Wednesday June 29, 2016 09:00 - 17:00
Michelangelo Ballroom Sect. 1

18:00

Conference Registration
Wednesday June 29, 2016 18:00 - 19:00
TBA

18:00

OWASP Leadership Workshop
Moderators
Kate Hartmann

OWASP Foundation
Kate joined the OWASP Foundation in May 2008. Kate's work within the OWASP Foundation includes supervising and facilitating the completion of operationally critical tasks. She provides direction to the operational team by mapping out cross-committee objectives and identifying opportunities that promote the Foundation's short-term and long-term strategic goals. Current initiatives include: Improving Foundation...

Wednesday June 29, 2016 18:00 - 21:00
Bramante 15
 
Thursday, June 30
 

08:00

Conference Registration
Thursday June 30, 2016 08:00 - 18:00
Foyer Tiziano

09:00

Member Lounge
Come recharge and join other OWASP Members in a quiet, comfortable, relaxed environment. Grab a snack and network with your peers.

Thursday June 30, 2016 09:00 - 17:00
Foyer Michelangelo

09:15

Keynote - Bugs ruin everything
In this talk, I’ll briefly discuss some popular forms of finding vulnerabilities and why it is so difficult to find these flaws.  I’ll then walk through examples of some of my favorite bugs, including some of which I’ve discovered over the years, and discuss in these cases why they were particularly difficult to find, why common techniques may have failed on them, or why they were especially impactful.

Speakers
Charlie Miller

Charlie Miller is a senior security engineer at Uber ATC, a hacker, and a gentleman. Back when he still had time to research, he was the first with a public remote exploit for both the iPhone and the G1 Android phone. He is a four-time winner of the CanSecWest Pwn2Own competition. He has authored three information security books and holds a PhD from the University of Notre Dame. He has hacked browsers, phones, cars, and batteries. Charlie...


Thursday June 30, 2016 09:15 - 10:00
Plenary Sessions (Michelangelo Ballroom Sec. 1+2)

10:15

Global Foundation Budget planning meeting
Thursday June 30, 2016 10:15 - 11:15
Bramante 3

10:20

OWASP AppSec Pipeline Project: Automate all the AppSec
How many applications are in your company’s portfolio? What’s the headcount for your AppSec team? Whatever your situation is, I am sure the numbers are not in your favor. This talk covers the OWASP AppSec Pipeline project, which provides real world examples from AppSec programs at several different companies who have seen increases of 5x in productivity. Companies covered include Rackspace with approximately 4,000+ employees and Pearson with 40,000+. Both have an international presence and far more apps and developers than AppSec staff. The talk will also introduce the AppSec Pipeline toolbox, a community-driven collection of Agile, DevOps and automation friendly tools for your AppSec program. Also covered are the key principles to speed and scale up AppSec programs using an AppSec Pipeline, as well as practical examples of these practices put into use. Start early and begin to buy down the technical security debt by leaving the traditional AppSec program thinking behind. Come to the talk and find out how to add the best of Agile and DevOps to your AppSec security work.

Speakers

Aaron Weaver

Application Security Manager, Cengage Learning


Thursday June 30, 2016 10:20 - 11:05
Room B (Tiziano Ballroom Sec. 1)

10:20

Systematically Breaking and Fixing OpenID Connect
OAuth is the new de facto standard for delegating authorization in the web. An important limitation of OAuth is the fact that it was designed for authorization and not for authentication. The usage of OAuth for authentication thus leads to serious vulnerabilities, as shown by Zhou et al. in [4] and Chen et al. in [1].
OpenID Connect was created on top of OAuth to fill this gap by providing federated identity management and user authentication. OpenID Connect was standardized in February 2014, but leading companies like Google, Microsoft, AOL and PayPal are already using it in their web applications.

As part of our current research we provided the first in-depth analysis of OpenID Connect. We discovered seven novel attacks, which were not considered by any previous research. In addition, we adapted and extended already known attacks from other SSO protocols like SAML and OpenID to OpenID Connect. In summary, we came up with 15 different attacks resulting in broken end-user authentication, information leakage, Server-Side Request Forgery (SSRF) and Denial-of-Service (DoS). We categorized all attacks in five different classes:
- Malicious Endpoint attacks (four attacks) are based on a specification flaw in the Discovery and Dynamic Registration features of OpenID Connect, which allows an attacker to break user authentication, compromise user privacy, and enable SSRF, client-side code injection, and DoS.
- ID Spoofing (five attacks) results in unauthorized access to the victim's account. During the attacks, the attacker is able to create maliciously crafted authentication tokens, which bypass the verification logic on the Client (also known as Relying Party).
- Signature Bypass (three attacks) allows changing the digitally signed authentication token without invalidating the signature. Thus, an attacker is able to get unauthorized access to the victim's account.
- Session Overwriting introduces a complex attack based on a specification flaw, which forces the Client to send sensitive information like client_secret and a valid code to a domain controlled by the attacker.
- Trivial attacks (two attacks) include Replay attacks and Token recipient confusion, which are already known and well studied.

Finally, we contacted the authors of the OpenID Connect and OAuth specifications. They acknowledged our attacks and recognized the need to improve the specification [3] and to address the existing threats. We are currently involved in the discussion regarding the mitigation of the existing issues and an extension to the OpenID Connect specification is currently created for this reason [2].

In our presentation we reveal novel insights and new security aspects of using protocols like OAuth and OpenID Connect. Additionally, we will present two of the new attacks discovered by our research and discuss the countermeasures. We conclude with the concept of a fully automated penetration testing tool, developed in collaboration with the OpenID Connect working group, allowing the flexible security evaluation of implementations.

[1] E. Chen, Y. Pei, S. Chen, Y. Tian, R. Kotcher, and P. Tague. OAuth Demystified for Mobile Application Developers. In Proceedings of the ACM Conference on Computer and Communications Security (CCS).
[2] M. Jones. OAuth 2.0 Mix-Up Mitigation. IETF, January 2016. URL https://tools.ietf.org/html/draft-jones-oauth-mix-up-mitigation-00.
[3] OpenID Connect. Discovery / Security Considerations: CSRF attack on user input identifier, 2015. URL https://bitbucket.org/openid/connect/issues/979/discovery-security-considerations-csrf. Accessed: 25.08.2015.
[4] Y. Zhou and D. Evans. Automated Testing of Web Applications for Single Sign-On Vulnerabilities. In 23rd USENIX Security Symposium (USENIX Security 14).

Speakers

Christian Mainka

Security Consultant, Hackmanit GmbH
Christian Mainka is a PhD Student at the Ruhr University Bochum, Chair for Network and Data Security. Since 2009, he has focused on XML and Web Services technologies, develops his penetration testing tool WS-Attacker, and has published several papers on XML security related topics at scientific workshops and conferences. Nowadays, the tool contains a large collection of specific attacks, which can be automatically applied to SOAP-based...

Vladislav Mladenov

Ruhr University Bochum
Vladislav Mladenov is a PhD Student at the Ruhr University Bochum, Chair for Network and Data Security. He is interested in the security of XML-based services. Additionally, he investigates different Single Sign-On protocols like OAuth, OpenID, OpenID Connect and SAML. Other topics of interest are Identity Management and Cloud Computing.

Tobias Wich

Senior Consultant, ecsec GmbH
Tobias Wich has worked for ecsec GmbH since 2010 as senior consultant for IT security with an emphasis on smart cards and identity management systems. He is also working on his PhD thesis at Ruhr University Bochum as an external student. His recent work includes research with respect to OAuth 2.0 and OpenID Connect, the secure integration of electronic signature services based on OASIS-DSS with preservation systems based on BSI TR-03125 (TR-ESOR) as well...


Thursday June 30, 2016 10:20 - 11:05
Room C (Tiziano Ballroom Sec. 2)

10:20

Tell me stories about your appsec, let's skip the pentest
Capturing and describing S-SDLC problems is also possible based on interviewing managers and workers (instead of measuring the symptoms with dynamic and static methods). The participants of the development processes themselves are most of the time aware of the problems, or they can tell stories from which a competent interviewer can then interpret the presence of appsec problems. We assume that this interview-based method becomes more adequate and efficient when the requirements and principles of taking care of security are already present in the SDLC (since, as we know, maturity is a relative characteristic and improving security can be a long process).

The root causes of application security problems are mostly of an organizational nature, not technical. For capturing and describing organizational problems there is a mature methodology: qualitative interviewing. And there is a more specific variant of it, narrative interviewing, meaning you make interviewees tell stories about their professional practice, the real-life practices they follow and also the other rules of the development process in place. While spending substantially less effort than a pentester, a prepared interviewer can take a trustworthy picture of the state of application security in a software manufacturing unit. Based on the interpretation of the professional stories told and other details of the oral account, that is, based on the interview analysis, an appsec consultant can competently advise his client on how to improve the S-SDLC.

Interviewing may bring up the gaps between the security related goals and the actual practice, and may suggest which nuances of the organizational and workplace processes cause the inability to fulfill the existing S-SDLC targets, or the failures to act according to the methodological prescriptions. Or it may bring up the mismatch between the trainings and the areas of actual dissatisfaction with the security quality. Interviewing may also shed light on the difficulties of complying with advanced security policies within the frame of the time pressure created by business targets (which is a widespread problem, however hard to communicate in the ethical hacker’s hat or in any other technological consultant role). These kinds of findings you can expect from the interview-based audit are obviously different from the pentest findings, but it is also evident that the roots of the pentest findings may well be traced to banal organizational failures and certain conflicting goals.

There is nothing new about information gathering by interviewing persons at the client's organization. Regarding application security, the main idea of the speech is that the problems in the appsec field have a similar nature to those observed by the organizational developers who aim to improve the workings of organizational units and whole institutions. Thus an application security consultant can reuse the instrumentation created for the organizational developers.

The organizational appsec audit may not suffer from the usual problems of VAPT audits, where the findings are gibberish for the decision makers and are communicated via several redirections and filters, and where there is a usual gap between the testers, who do not speak the language of developers, and the developers, who are supposed to change their patterns based on the reports. In organizational development (especially if based on competent interviews) the “auditors” speak the language of the management, and the findings are likely to be understood by the business.

It is quite natural to step further from the organizational appsec audit to the appsec consultancy phase to improve the S-SDLC itself and certain organizational aspects having impact on the security quality, as well as to improve the rules of the decision-making surrounding software development.

Speakers

Timur Khrotko

appsec co-producer, org researcher, secmachine.net
Timur spent the recent 14 years running a small IAM-focused ISV and an application security consulting firm. He holds a PhD in Business management. His research topics are stereotypes of thinking in general and behavioral patterns of executive managers in particular. More details: https://ru.linkedin.com/in/timurx


Thursday June 30, 2016 10:20 - 11:05
Room D (Tiziano Ballroom Sec. 3)

10:20

Framework Security: Have You Hugged A Developer Today?
For years security nerds like us have been saying the same thing: It’s *your* problem. Integrate security awareness throughout your SDLC, educate your developers, hire us at some expense to come in and tell you the same annually. Ultimately, relying on developers to be infallible is an expensive losing proposition.

We’d like to present a different idea: It's our problem. Writing secure software shouldn't require developers to become security specialists. At Immunio we've been working on ways of modifying application frameworks to defend against common vulnerabilities automatically. We're trying to remove some of the burden on developers and make security a fundamental part of the stack. 

In this presentation we'll share with you our experiences extending these frameworks and discuss some of the strategies we've taken that have worked, the challenges we've had to face, and how a simple change of approach could change application security. 

Outline: 

- Introduction 
- The Problem: Frameworks make coding easy and security hard 
- Example: Rails helpers and safe_buffers 
- Example: Rails directory traversal 
- Application Defense In Depth 
- The trouble with WAFs 
- Security is a framework responsibility 
- Perfect Code is a Pipe Dream 
- State Makes Hard Problems Easy(ish) 
- Today Security is an Afterthought 
- Building Self-Defending Frameworks 
- Problem: Command and Control 
- Everything You Know About XSS Defense Is Wrong 
- ESAPI is Crappy 
- HTML Is Machine Readable By Design! 
- Use The Source Luke! 
- Using Lexical Analysis To Escape On-the-fly 
- Lexing to Determine Context 
- Escaping 
- Problem: Application Interpolations 
- Dynamic Whitelisting 
- Problem: HTML Is a Horrible Mishmash 
- Protecting Javascript 
- CSS 
- Problem: HTML Is Just Horrible 
- Browser Insanity 
- 'Developer' Insanity 
- DEMO 
- Generalizing The Approach 
- SQLi 
- Problem: String building 
- Bash 
- Everything Is Just Structured Data! 
- The Power of a Security Aware Framework 
- Attacker Identification 
- Active Response 
- Forensics 
- Conclusion 

Speakers

Oliver Lavery

Oliver Lavery is VP of Research and Development at Immunio. He's a software developer, penetration tester, and consultant with over 15 years of experience in the industry. When not coming up with defensive algorithms, he enjoys making kernels involuntarily do his bidding, breaking mainframes, and generally causing playful chaos.


Thursday June 30, 2016 10:20 - 11:05
Room A (Michelangelo Ballroom Sect. 3)

10:20

Lightning Training - Using the OWASP HackAdemic Challenges Project
Participants will learn about: Installation, Basic Usage, Writing Challenges and using the project in a class environment

Speakers
Konstantinos Papapanagiotou, Spyros Gasteratos


Information Security Services Team Lead, OTE
Both trainers are Hackademic project leaders, long time OWASP members and application security professionals


Thursday June 30, 2016 10:20 - 12:00
Caravaggio 8

10:20

Capture the Flag

Do you hack websites? Do you like to solve puzzles? Would you like to compare your skills against other hackers?

This year, too, a Capture the Flag event will be held during the AppSec EU 2016 conference in Rome.

As always, this event will be accessible to all attendees. The CTF prides itself on having a huge variety of challenges across multiple disciplines, ranging from web to network and even cryptography challenges. All you need to bring is your laptop with all your favourite tools, a sharp mind and the patience to solve the challenges.

Next to the pride and joy of playing there will be prizes for the top three players.

So come to AppSec EU 2016 in Rome and try your skills – and luck – in this competition.

CTF rooms will remain available to participants throughout the conference:

  • Thursday, June 30th 10.30am to 6pm
  • Friday, July 1st 10.30am to 3pm

Thursday June 30, 2016 10:20 - 18:00
Caravaggio 6 - 7

10:20

Exhibit
Thursday June 30, 2016 10:20 - 18:00
Foyer Tiziano

11:05

Coffee Break
Thursday June 30, 2016 11:05 - 11:35
Foyer Michelangelo

11:35

Security Project Management: how to be Agile in Security Testing projects
"Order or disorder depends on organization" wrote Sun Tzu centuries ago. Organization in managing Security Testing projects is fundamental. Actually, the rise of Agile methodologies for IT software development and continual business changes produce challenging deadlines for deployment and for Security Testing. Security requirements, however, have to be considered a must and have to be fulfilled, or the software will often not get the “go” for production if there are vulnerabilities. The Secure Software Development Life Cycle and the team have to adapt to specific needs and be planned accordingly, defining priorities, skills and a sound Business Case for Security Testing. 
The role of the Project Manager - or Team Leader - is crucial. Practices like micro-management do not work and are counterproductive with skilled Penetration Testers. The Project Manager has to be a servant leader and a facilitator who enables the Testers to work smoothly, facilitates communication and removes impediments for the testing (and bureaucratic work) in order to meet the Security goals. 
The workshop will describe - by examples - how to combine Agile Project Management methodologies such as the DSDM Agile Project Framework, tailored for Security Testing projects, with the OWASP Testing Guide, Top 10 and other de-facto standards for IT and Information Security, covering different aspects of the management of a Penetration Test such as the Business Case, Estimates, Risks and Quality. 

Speakers

Simone Onofri

Security Business Consultant, Hewlett Packard Enterprise
Simone is a Security Business Consultant for Hewlett Packard Enterprise and a Director of the DSDM Consortium. Simone has 13+ years of experience in the field of IT, serving customers in the EMEA area mainly for Security Testing and Incident Response projects with an innovative, practical and Agile approach to solving complex challenges. He focuses on applying Agile methodologies in different contexts such as Information Security and Entrepreneurship...


Thursday June 30, 2016 11:35 - 12:20
Room C (Tiziano Ballroom Sec. 2)

11:35

Using Third Party Components for Building an Application Might be More Dangerous Than You Think
Today, nearly all developers rely on third party components for building an application. Thus, for most software vendors, third party components in general and Free and Open Source Software (FOSS) in particular are an integral part of their software supply chain.

As the security of a software offering, independently of the delivery model, depends on all components, a secure software supply chain is of utmost importance. While this is true for both proprietary and FOSS components that are consumed, FOSS components impose particular challenges as well as provide unique opportunities. For example, on the one hand, FOSS licenses usually contain a very strong "no warranty" clause and no service-level agreement. On the other hand, FOSS licenses allow modifying the source code and, thus, fixing issues without depending on an (external) software vendor.

This talk is based on work on securely integrating third-party components in general, and FOSS components in particular, into SAP's Security Development Lifecycle (SSDL). Thus, our experience covers a wide range of products (e.g., from small mobile applications of a few thousand lines of code to large-scale enterprise applications with more than a billion lines of code), a wide range of software development models (ranging from traditional waterfall to agile software engineering to DevOps), as well as multiple deployment models (e.g., on-premise products, custom hosting, or software-as-a-service).

In this talk,
* we analyze and categorize the challenges and opportunities of the secure use of FOSS components in building proprietary enterprise software,
* we discuss the challenges in basing the decision to use FOSS on empirical research results, and
* we discuss three different cost models for using FOSS in a commercial software development process:
- the centralized model, where vulnerabilities of a FOSS component are fixed centrally and then pushed to all consuming products (and therefore costs scale sub-linearly in the number of products)
- the distributed model, where each development team fixes its own component and effort scales linearly with usage
- the hybrid model, where only the least used FOSS components are selected and maintained by individual development teams
* we provide, based on our experience, a clear recommendation of minimal actions that should be followed when using third party components as part of a software development process.

Speakers

Achim D. Brucker

The University of Sheffield
Dr. Achim D. Brucker (www.brucker.uk) is a Senior Lecturer and consultant for software and systems assurance at the Computer Science Department of The University of Sheffield, UK. Until December 2015, he was a Research Expert (Architect), Security Testing Strategist, and Project Lead in the Global Security Team of SAP SE, where he defined the risk-based security testing strategy of SAP that combines static, dynamic, and interactive security...

Stanislav Dashevskyi

PhD student, University of Trento

Fabio Massacci

Full Professor, University of Trento
Fabio Massacci's research interests are in the development of experimental and empirical methods for cybersecurity. Fabio has a PhD in computing from the University of Rome La Sapienza. He was the European coordinator of the Socio-Economics Meets Security (SECONOMICS; www.seconomics.org) project on security economics. He also works on a project on empirical validation of security risk assessment in aviation. His past research with Luca Allodi on...


Thursday June 30, 2016 11:35 - 12:20
Room D (Tiziano Ballroom Sec. 3)

11:35

Surviving the Java serialization apocalypse
The hidden danger of Java deserialization vulnerabilities – which often lead to remote code execution – has gained extended visibility in the past year. The issue has been known for years; however, it seems that the majority of developers were unaware of it until recent media coverage around commonly used libraries and major products. This talk aims to shed some light about how this vulnerability can be abused, how to detect it from a static and dynamic point of view, and -- most importantly -- how to effectively protect against it. The scope of this talk is not limited to the Java serialization protocol but also other popular Java libraries used for object serialization.

The ever-increasing number of new vulnerable endpoints and attacker-usable gadgets has resulted in a lot of different recommendations on how to protect your applications, including look-ahead deserialization and runtime agents to monitor and protect the deserialization process. Coming at the problem from a developer’s perspective and triaging the recommendations for you, this talk will review existing protection techniques and demonstrate their effectiveness on real applications. It will also review existing techniques and present new gadgets that demonstrate how attackers can actually abuse your application code and classpath to craft a chain of gadgets that will allow them to compromise your servers.

This talk will also present the typical architectural decisions and code patterns that lead to an increased risk of exposing deserialization vulnerabilities. Mapping the typical anti-patterns that must be avoided, through the use of real code examples we present an overview of hardening techniques and their effectiveness. The talk will also show attendees what to search the code for in order to find potential code gadgets the attackers can leverage to compromise their applications. We’ll conclude with action items and recommendations developers should consider to mitigate this threat.

Speakers

Alvaro Muñoz

Principal Security Researcher, HPE
Alvaro Muñoz (@pwntester) works as Principal Software Security Researcher with HPE Security Research (HPSR). His research focuses on different programming languages and web application frameworks searching for vulnerabilities or unsafe uses of APIs. Before joining the HPSR team, he worked as an Application Security Consultant helping enterprises to deploy their application security programs.

Christian Schneider

Whitehat Hacker, Christian Schneider
Christian Schneider (@cschneider4711) has written software since the nineties, has worked as a freelance software developer since 1997, and has focused on Java since 1999. Aside from the traditional software engineering tasks he supports clients in the field of IT security. This includes penetration testing, security audits, architectural reviews, and web application hardening. Christian enjoys writing articles about web application security (for the German...


Thursday June 30, 2016 11:35 - 12:20
Room A (Michelangelo Ballroom Sect. 3)

11:35

The ABCs of Source-Assisted Web Application Penetration Testing With OWASP ZAP: Attack Surface, Backdoors, and Configuration
There are a number of reasons to use source code to assist in web application penetration testing. Access to source code can help to make better use of penetration testers’ time by giving them access to answers about what underlying software is doing. In addition, access to source code provides penetration testers with deeper insight into the overall behavior of target systems. Finally, with the benefit of source code, penetration testing reports can help to highlight specific sections of code that are associated with identified vulnerabilities – allowing development teams to remediate vulnerabilities more efficiently. 

The United States Department of Homeland Security (DHS) Science and Technology (S&T) Directorate has funded research that can be used by penetration testers looking to benefit from source code access during their testing engagements. This technology is currently available in the open source ThreadFix plugin for the OWASP ZAP dynamic application security testing tool, and will be used throughout the presentation to provide practical examples attendees can use for their own penetration tests. 

This presentation walks through the “ABCs” of source code assisted web application penetration testing, covering issues of attack surface enumeration, backdoor identification, and configuration issue discovery. A web application’s attack surface refers to dynamically exposed endpoints where an attacker can control inputs to an application. These include the URLs an application will respond to as well as the entry points – parameters, cookies, HTTP headers – that the application uses and that may change application behavior. Having access to the source lets a tester enumerate all of these URLs as well as parameters and other entry points. Knowing these allows pen testers greater application coverage during testing. For example, some applications have page configurations such as landing pages that link back into the application, but where the application itself has no outbound links to them. These would not be detected during a typical application crawl. Also, applications with multi-step workflows may make it difficult for penetration testers to understand all steps in a workflow process. The presentation will walk through these scenarios and then demonstrate how using the OWASP ZAP plugin to pre-seed the spidering process makes application scans more thorough. 

In addition to identifying legitimate attack surface that can be hard for penetration testers to find on their own, access to source code can help to identify potential backdoors that have been intentionally added to the system. These backdoors can represent hidden or secret inputs that an application will accept, but that have been obfuscated so that they can be hard or impossible for pen testers to find on their own. Having access to the source can help identify potentially suspicious attack surface endpoints such as hidden admin consoles or secret backdoor parameters. The presentation will then demonstrate how the results of attack surface seeding, when combined with the results from standard application crawls, can help identify suspicious inputs that can represent application back doors. 

Finally, the presentation will look at how access to source code can help identify configuration settings that may have an adverse impact on the security of the deployed application. Specifically, how misconfiguration in platforms allowing auto-binding can allow attackers extensive control over inputs to an application – beyond what even security-knowledgeable developers might expect. Having access to source code can identify and enumerate these potential issues in ways that would be either difficult or time-consuming for penetration testers to find on their own. Demonstrations of these scenarios will also be provided.

Speakers

Dan Cornell

CTO, Denim Group
A globally recognized application security expert, Dan Cornell holds over 15 years of experience architecting, developing and securing web-based software systems. As Chief Technology Officer and Principal at Denim Group, Ltd., he leads the technology team to help Fortune 500 companies and government organizations integrate security throughout the development process.


Thursday June 30, 2016 11:35 - 12:20
Room B (Tiziano Ballroom Sec. 1)

12:25

Compression Bombs Strike Back
Network services often use data compression to reduce protocol message size. However, if data compression is not properly implemented, it can render entire applications vulnerable to DoS attacks. Abusing data compression to exhaust system resources is an old trick. For example, a zip bomb is a recursively highly-compressed file archive prepared with the only goal of exhausting the resources of programs that attempt to inspect its content. This attack was brought to the community attention in 1996 to mount DoS attacks against bulletin board systems.

While this may now seem an old, unsophisticated, and easily avoidable threat, we discovered that developers did not fully learn from prior mistakes. We looked at three protocols (i.e., HTTP, XMPP, and IMAP) and 11 network services including popular ones (e.g., Apache HTTPD, Tomcat, Prosody, and OpenFire) and discovered that the risks of supporting data compression are still often overlooked. 

In this talk, we will walk through data amplification attacks, starting from the evergreen zip bomb and XML bomb attacks up to our recent results. We will present the current use of data compression in several popular protocols and network services, and 12 common mistakes that we observed at the implementation, specification, and configuration levels. In this talk, we will also present already patched resource exhaustion vulnerabilities which could have been used to perform Denial of Service attacks against popular services.

Speakers

Giancarlo Pellegrino

Researcher, Saarland University
Giancarlo Pellegrino is a post-doctoral researcher in the System Security group at CISPA, Saarland University, in Germany. His main research interests include all aspects of web application security, in particular security testing (black- and white-box) and vulnerability analysis. Prior to joining CISPA, Giancarlo worked at TU Darmstadt, Germany, and was a member of the S3 group at EURECOM, in France. Until August 2013, he was a Research Associate in...


Thursday June 30, 2016 12:25 - 13:10
Room C (Tiziano Ballroom Sec. 2)

12:25

Making OpenSAMM More Effective in a DevOps World
Software security maturity models such as OpenSAMM can be effective tools for organizations to use to understand the maturity of security practices within their development teams. But ambitious development timelines, limited resources, and a variety of competing priorities limit how frequently software security maturity models are actually used. Making matters worse, development cycles are being compressed in organizations where continuous integration or DevOps concepts are being embraced. Finally, organizations that have never conducted an OpenSAMM assessment are reluctant to spend so much time and energy to receive “zeros” on their OpenSAMM scorecard and confirm what they suspected in the first place – they have little or no security practices in their development environment. 

OpenSAMM is effective for some organizations, while others may be moving so fast or have so little security in place that the assessment is of dubious value. How can OpenSAMM remain relevant in a world where development occurs at near light speed? What adaptations are needed to provide a range of options to organizations looking to measure their maturity levels and to benchmark their activities against peer organizations? How can you show value to development teams and business units quicker and in a more agile fashion? 

Recent efforts to update OpenSAMM and to add benchmarking data are important and needed, but point to a greater need to streamline the process of assessments against the model. Organizations where speed is an imperative are demanding more flexible options that allow them to adapt the underlying concepts of OpenSAMM while minimizing the impact on software development production. The session will start with a quick overview of the status of the OpenSAMM project, including the efforts of the recent benchmarking initiative. These efforts are focused on updating the OpenSAMM model and providing comparative data that allows clients to understand their software security maturity compared to industry peers. The session will also provide a brief overview of where OpenSAMM can provide tremendous value in any application security program, when and where it should be used, and how security organizations should capitalize on its results. 

The bulk of the session will focus on how organizations have had recent successes using a variety of strategies to insert SAMM concepts where development is occurring at breakneck speeds and security teams simply have little authority to review every development team. One strategy to be examined will be the use of a two-stage, or iterative process, to identify the highest concentration of risky development practices, followed by a scaled assessment process that focuses the majority of assessing activities on the development areas of most perceived risk. 

In this approach, lightweight surveys are sent to multiple development teams to conduct a first-pass measurement of the riskiest development activities. This brief survey is followed by a quick risk ranking activity to identify which teams warrant priority assessments and to tailor the depth of follow-up assessments according to perceived risk. 

Another major strategy involves leveraging existing technologies such as application vulnerability platforms or source code repositories to “self report” maturity improvement activities, lessening the burden on development teams while providing consistent updates to the security team monitoring security improvement. The presentation will outline how one can automate reporting on team maturity by capturing metrics such as frequency of testing, prevalence of certain types of vulnerabilities, and mean time to fix application vulnerabilities. The session will highlight how one can publish data across development teams to provide visibility, increase accountability, and encourage security improvements across the organization.

Speakers

Dan Cornell

CTO, Denim Group
A globally recognized application security expert, Dan Cornell holds over 15 years of experience architecting, developing and securing web-based software systems. As Chief Technology Officer and Principal at Denim Group, Ltd., he leads the technology team to help Fortune 500 companies and government organizations integrate security throughout the development process.


Thursday June 30, 2016 12:25 - 13:10
Room B (Tiziano Ballroom Sec. 1)

12:25

Open Source Approaches to Security for Applications and Services at Mozilla
At Mozilla, source exposure is a feature, not a bug. Adam Muntner discusses elements of Mozilla’s approach to securing the websites and services that support 400+ million Firefox users. These could be adopted by many types of organizations. 

- Why your bug bounty program is one of the best sources of intelligence for driving the future direction of your application security program. 
- Lessons learned from radical open sharing of design documentation. 
- Approaches to qualitative comparison of risk for an inventory of websites and services. 
- Using OpenSAMM in a DevOps organization. 
- Getting non-security engineers to help pentest by setting up a Red Team. 
- Maximizing the value gained from identified vulnerabilities. 

Speakers

Adam Muntner

Security Engineer, Mozilla Corp
Adam Muntner works on the team that protects the websites and services which support 400+ million Firefox users. His current responsibilities include rethinking Mozilla's Application Security program, being Product Owner of Mozilla's Web Bug Bounty program, and breaking stuff. He has over 20 years of professional experience in software development, penetration testing, and security management. Adam is the creator of FuzzDB...


Thursday June 30, 2016 12:25 - 13:10
Room D (Tiziano Ballroom Sec. 3)

12:25

Attack Patterns for Black-Box Detection of Logical Vulnerabilities in Multi-Party Web Applications
An increasing number of business-critical online applications leverage trusted third parties in conjunction with web-based security protocols to meet their security needs. For instance, many online applications rely on authentication assertions issued by identity providers to authenticate users using a variety of web-based single sign-on (SSO) protocols (e.g., SAML SSO v2.0, OpenID Connect). Similarly, online shopping applications use online payment services and Cashier-as-a-Service (CaaS) protocols to obtain proof of payment before delivering the purchased items (e.g., Express Checkout and PayPal Payment Standard). We refer to this broad class of protocols as security-critical Multi-Party Web Applications (MPWAs). Three entities take part in the protocols: the User (through a web browser B), the web application (playing the role of Service Provider, SP), and a trusted third party (TTP). The design and implementation of the protocols used by security-critical MPWAs are prone to logical errors. Several logical vulnerabilities have been reported in the last few years. For example, over 20% of the Alexa top 20,000 US websites have a vulnerable Facebook SSO implementation (Zhou et al. 2014). The problem is exacerbated by the fact that most commercial automatic web vulnerability scanners have almost no support for logical vulnerabilities, and the solutions proposed in security research papers for detecting logical vulnerabilities do not provide experimental evidence of applicability in more than one MPWA scenario (e.g., CaaS or SSO). 
In this presentation, we show a new approach towards automatic black-box detection of logical vulnerabilities in MPWAs. Our approach is based on an observation and a conjecture. The observation is that, regardless of their purpose, the security protocols at the core of MPWAs share a number of features: 
1) by interacting with SP (and/or TTP), User authenticates and/or authorizes some actions, 
2) TTP (SP, resp.) generates a security token, 
3) the security token is dispatched to SP (TTP, resp.) through the web browser, and 
4) SP (TTP, resp.) checks the security token and completes the protocol by taking some security-critical decisions. 
The conjecture is that the attacks found in the literature (and possibly many more still to be discovered) are instances of a limited number of attack patterns. For instance, the incorrect handling of the OAuth 2.0 access token by a vulnerable SP can be exploited by an attacker hosting another SP (Wang et al. 2013). If the victim User logs into the attacker's SP, the attacker obtains an access token (issued by TTP) from the victim and can replay it in the vulnerable SP to log in as the victim. A similar attack was previously discovered (Armando et al. 2008) in the SAML-based implementation deployed by Google. (Here the SAML authentication assertion is replayed instead of the OAuth 2.0 access token.) Similar attacks have also been detected in CaaS-enabled scenarios (e.g., Pellegrino et al. 2014, Sun et al. 2014). 
We selected 13 prominent attacks reported in real-world MPWAs and analyzed their similarities. This led us to identify 7 application-independent attack patterns (targeting 6 different replay attacks and a login CSRF attack) that concisely describe the actions performed by attackers while performing these attacks. These attack patterns are leveraged by a black-box security testing module that automatically collects and analyzes different HTTP traffic samples of the MPWA under test for selecting the appropriate attack patterns which in turn automatically generates attack test cases targeting logical vulnerabilities in the MPWA. 
We implemented our ideas on top of OWASP ZAP (the most popular, open-source penetration testing tool) and discovered 21 previously unknown vulnerabilities in prominent MPWAs (e.g., developer.linkedin.com, pinterest.com, open.sap.com, stripe checkout), including MPWAs that do not belong to SSO and CaaS families. 

Speakers

Alessandro Armando

Associate Professor & Head of Research Unit, University of Genova & FBK

Roberto Carbone

Researcher, Fondazione Bruno Kessler
Dr. Roberto Carbone has been a researcher in the Security & Trust Research Unit of the Bruno Kessler Foundation (FBK-ICT) in Trento since November 2010. He obtained the MSc degree in Computer Engineering at the University of Genova in 2005 and received his Ph.D. from the same University in 2009. His PhD Thesis, titled "LTL Model-Checking for Security Protocols", was awarded the CLUSIT prize 2010 by the Italian Association for Information...

Luca Compagna

Researcher, SAP
Dr. Luca Compagna is part of the Product Security Research team at SAP, where he is contributing to the SAP security research strategy. He received his Ph.D. in Computer Science jointly from the U. of Genova and U. of Edinburgh. His areas of interest include security engineering, automated reasoning, security testing, and their application to the modelling and analysis of industrially relevant scenarios. Recently he has focused more on DAST techniques for...

Avinash Sudhodanan

Early Stage Researcher, Fondazione Bruno Kessler
Avinash Sudhodanan is an Early Stage Researcher at the Security & Trust Unit of Fondazione Bruno Kessler and a 3rd year PhD student at the University of Trento. He is focusing his research on Automatic Analysis of Browser-Based Security Protocols (in the context of the EU project SECENTIS). He spends 50% of his research time at SAP Labs France. Avinash received his Masters degree in Cyber Security (graduated in 2013) from Amrita Vishwa Vidyapeetham...


Thursday June 30, 2016 12:25 - 13:30
Room A (Michelangelo Ballroom Sect. 3)

13:10

Lunch
Thursday June 30, 2016 13:10 - 14:10
Botticelli Ballroom

14:10

Scanning with swagger: Using the Open API specification to find first and second order vulnerabilities in RESTful APIs
APIs support the complex web of interconnected things that exist today, yet they have also created significant challenges for security teams. Nearly every interconnected application takes an API-based approach. These APIs are inherently exposed to most of the same potential vulnerabilities that applications face. As security teams scramble to figure out ways to get their arms around the risks that exist in their organizations' APIs, these APIs are going completely untested, leaving vulnerabilities undiscovered. Fortunately, several recent innovations, like the Open API Specification (formerly known as Swagger), are enabling effective API security testing at the largest attack surface. 

But how? Every user interface comes with known and unknown sets of local vulnerabilities because it communicates with local and remote service APIs. Similarly, every API is also potentially vulnerable to local and remote first-order vulnerabilities. These can be observed via request and response; for example, a crafted series of GET requests performing blind SQL injection analysis probes for a first-order vulnerability. Additionally, attacks on the services that support the function of the API, whether at the time of the request or queued for later computation, are considered second-order attacks; an example could be a data collection endpoint that consumes JSON and passes the payload to a Kafka broker, which in turn is consumed by a cluster service in Hadoop or Spark. These payloads queue up into an architecture that analyses and augments the data. Injection and serialization vulnerabilities introduced in this manner are considered second-order blind vulnerabilities. 

The Open API Specification is a relative newcomer in the history of web service interface documentation. It stands apart from its predecessors by not tying itself to a specific vendor technology, and aims to embrace all forms of RESTful HTTP. Leveraging this powerful specification for automated scanning of APIs will save time by providing a straightforward mechanism to evaluate APIs without having to proxy traffic or manually build attack vectors. 

Join this presentation as Scott demonstrates novel approaches to using the Open API specification (formerly Swagger) to exhaustively scan APIs for first- and second-order vulnerabilities, and demonstrates the severity of findings left unfixed. 
Participants will learn: 
• Why APIs are serious challenges for security experts 
• How first and second order vulnerabilities can be left hidden in your APIs and micro services 
• How you can begin to understand, define and test your APIs in a structured manner 
• The latest techniques in API security testing 
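The abstract's central point is that the specification alone is enough to build attack requests, with no proxying of live traffic. The following is an added example, not the speaker's or Rapid7's code, of that idea in Node.js: it walks an OpenAPI 3.0 document and emits one first-order probe per injection point (path parameter, query parameter, or string leaf of a JSON request body). The specification, base URL and single payload are constructed for the example; a real scanner would substitute a payload corpus and send the probes.

```javascript
// Added example (not from the talk): OpenAPI document -> first-order injection
// probes, exactly one injection point per request so findings are attributable.
// The spec below is constructed for the example.
const SPEC = {
  openapi: '3.0.0',
  paths: {
    '/users/{id}': {
      get: {
        parameters: [
          { name: 'id', in: 'path', required: true, schema: { type: 'integer' } },
          { name: 'fields', in: 'query', schema: { type: 'string' } },
        ],
      },
    },
    '/events': {
      post: {
        requestBody: {
          content: {
            'application/json': {
              schema: {
                type: 'object',
                properties: {
                  name: { type: 'string' },
                  tags: { type: 'array', items: { type: 'string' } },
                },
              },
            },
          },
        },
      },
    },
  },
};

// Build a benign value that satisfies a JSON schema fragment.
function sampleFromSchema(schema) {
  if (!schema) return 'sample';
  switch (schema.type) {
    case 'object': {
      const obj = {};
      for (const [k, v] of Object.entries(schema.properties || {})) obj[k] = sampleFromSchema(v);
      return obj;
    }
    case 'array': return [sampleFromSchema(schema.items)];
    case 'integer': case 'number': return 1;
    case 'boolean': return true;
    default: return 'sample';
  }
}

// Copies of `value` with exactly one scalar leaf replaced by `payload`,
// each tagged with the JSON path of the leaf that was changed.
function mutateLeaves(value, payload, where = '') {
  if (value !== null && typeof value === 'object') {
    const out = [];
    for (const [k, v] of Object.entries(value)) {
      for (const m of mutateLeaves(v, payload, `${where}.${k}`)) {
        const copy = Array.isArray(value) ? [...value] : { ...value };
        copy[k] = m.value;
        out.push({ where: m.where, value: copy });
      }
    }
    return out;
  }
  return [{ where, value: payload }];
}

function generateProbes(spec, baseUrl, payloads) {
  const probes = [];
  const fillPathParams = (p) => p.replace(/\{\w+\}/g, '1'); // benign value for untouched path params
  for (const [rawPath, ops] of Object.entries(spec.paths)) {
    for (const [method, op] of Object.entries(ops)) {
      for (const payload of payloads) {
        // Path and query parameters: the payload goes into exactly one of them.
        for (const p of op.parameters || []) {
          let path = rawPath;
          let query = '';
          if (p.in === 'path') path = rawPath.replace(`{${p.name}}`, encodeURIComponent(payload));
          else if (p.in === 'query') query = `?${encodeURIComponent(p.name)}=${encodeURIComponent(payload)}`;
          else continue; // header and cookie parameters are left out of this example
          probes.push({ method: method.toUpperCase(), url: baseUrl + fillPathParams(path) + query, target: `${p.in}:${p.name}` });
        }
        // JSON request bodies: start from a benign document built from the
        // schema, then emit one variant per scalar leaf carrying the payload.
        const content = op.requestBody && op.requestBody.content;
        const json = content && content['application/json'];
        if (json) {
          for (const m of mutateLeaves(sampleFromSchema(json.schema), payload)) {
            probes.push({ method: method.toUpperCase(), url: baseUrl + fillPathParams(rawPath), target: `body${m.where}`, body: JSON.stringify(m.value) });
          }
        }
      }
    }
  }
  return probes;
}

// Usage with a single constructed payload.
const EXAMPLE_PAYLOAD = "' OR 1=1--";
const EXAMPLE_PROBES = generateProbes(SPEC, 'https://api.example', [EXAMPLE_PAYLOAD]);
```

For the second-order case the abstract describes (a body queued to Kafka and consumed later), the same probe generator applies; what changes is the oracle: the scanner has to tag each payload with the `target` string and look for it, or for its side effects, in the downstream system rather than in the immediate HTTP response.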

Speakers

Scott Davis

Application Security Researcher, Rapid7
Scott has been developing software professionally for over 15 years in a variety of contexts and technologies, including wireless sensor networks, robotics, migration modeling & visualization, ERP, interactive projection art, product development and security services. Scott has spent as many years focusing on the security aspects of these technologies, and has leveraged this background to lead the engineering security team at Webtrends...


Thursday June 30, 2016 14:10 - 14:55
Room C (Tiziano Ballroom Sec. 2)

14:10

Leveling up your application security program
In this talk, David will relay lessons learned from his time building the application security program and culture at Riot Games. 

David will give an overview of how Riot approaches application security in a fast paced, agile environment. This will include how Riot implements controls which do not negatively impact product development or player experience. David will explain how Riot provides secure coding guidance to software engineers, works with QA, and maintains an application security community of practice. This talk will also include demonstrations of custom security tools we’ve developed to help our engineers produce secure code. 

There are many options when it comes to understanding and improving an application security program. This talk will address Riot’s efforts in this regard.

Speakers

David Rook

Senior Security Engineer, Riot Games
David Rook is a Senior Security Engineer and the product owner of Application Security at Riot Games. He held various application security roles in the financial services industry from 2006 before moving into the computer games industry in early 2014. He is a contributor to several OWASP projects, including the Code Review Guide and the Cryptographic Storage Cheat Sheet. He has presented at leading information security conferences including...


Thursday June 30, 2016 14:10 - 14:55
Room B (Tiziano Ballroom Sec. 1)

14:10

OWASP CISO Survey Report – Tactical Insights for Managers
This presentation covers the latest version of the OWASP CISO Survey Report project and its findings. The project surveyed hundreds of CISOs and senior security managers around the world about the latest trends and risks to security, and is compiling the OWASP CISO Survey Report 2015 from that data. 

The main goal is to provide tactical intelligence, guidance and best practices on application and web security for senior managers. With a constantly evolving threat landscape threatening web applications tied to sensitive data and company information, CISOs are challenged on how best to mitigate these risks. Risk decisions often include the trade-off between current and new web application security measures and where to invest. Proper investment in application security is critical to reducing security risks and meeting governance, security and compliance policies.

Speakers

Tobias Gondrom

Global Board Member, OWASP
Tobias Gondrom is a global board member of OWASP (Open Web Application Security Project) and was its chairman until December 2015. Until April 2015, he led a boutique global CISO and Information Security & Risk Management advisory based in Hong Kong, the United Kingdom and Germany. He has over 15 years of experience leading global teams in information security, software development, application security, cryptography, electronic signatures...


Thursday June 30, 2016 14:10 - 14:55
Room D (Tiziano Ballroom Sec. 3)

14:10

Bug Hunting on the Dark Side
A defender has to secure all entries to a system. If only one entry is not secured the system will eventually be owned. One single mistake is enough. This is often frustrating because everybody makes mistakes and defenders usually have to operate on the passive end. 

Fortunately, _everybody_ makes mistakes. Even the attackers. In this presentation, we are going to show a collection of bugs and mistakes that help to turn the tables on the adversary: 
* Simple typos that ruin the otherwise stealthy APT campaign. 
* Thoroughly planned command & control architectures that fall apart because of overlooked crypto dependencies. 
* Bugs in malware that render the functionality useless. 

There will be plenty of examples of OWASP Top 10 vulnerabilities that attackers and malware authors have run into: SQL injection, remote file inclusion vulnerabilities, broken session management, server misconfigurations, broken random number generators, ... 

Hilarious, scary, and a lot of face palms

Speakers

Felix Leder

Director Detection Technology, Blue Coat
Felix Leder leads the detection technology research at Blue Coat. Taking things apart has been a lifetime passion for him. His hobbies, like collecting bugs in malware and botnet takeovers, have resulted in successful take-downs of large malicious networks. As a member of The Honeynet Project, he is heavily involved in open source security and has been instrumental in developing a number of malware analysis solutions, including Cuckoo box...


Thursday June 30, 2016 14:10 - 14:55
Room A (Michelangelo Ballroom Sect. 3)

14:10

Lightning Training - Building a Software Security Program
This training will focus on basic steps development teams can take to build a software security program, using sample case scenarios, drawn from experience, of what works and what does not.

Speakers

Kuai Hinojosa

I am the President of the Minneapolis - St Paul OWASP Chapter in Minnesota. I led this chapter for two years (2008 - 2010). Meanwhile, I have become a faithful OWASP missionary. I am now a board member of the NYC/NJ Chapter, where I lead local OWASP Education efforts, and I am also a member of the OWASP Global Education Committee, where I lead similar efforts at a global level.


Thursday June 30, 2016 14:10 - 15:40
Caravaggio 8

15:00

Making CSP great again!
Content Security Policy (CSP) is a defense-in-depth mechanism to restrict the resources that can be loaded, embedded and executed in a web application, significantly reducing the risk and impact of injections. It is supported by most modern browsers and is already at its third iteration, yet adoption on the web is struggling.

In this presentation we will highlight the major roadblocks that make CSP deployment difficult and the common mistakes, talk about what works and what doesn't in different browsers, and show how easy it is to defeat the whitelist-based model with some juicy bypasses, for example via JSONP endpoints, or by abusing a CDN to load outdated versions of AngularJS.

Finally, we present a radically new way of doing CSP in a simpler, easier to maintain and more secure way based on nonces and making use of a new feature we contributed to CSP3.

We hope that after attending this talk you will understand how tricky it can be to deploy an effective CSP policy and what the common mistakes to avoid are, and that, as an attacker, you will get resources and pointers on how well CSP is keeping up with modern web technologies, and how to break it. 
Fun is guaranteed!

Speakers

Michele Spagnuolo

Information Security Engineer, Google
Information Security Engineer at Google Switzerland, Michele is a security researcher focused on web application security, and the Rosetta Flash guy. He is also author of BitIodine, a tool for extracting intelligence from the Bitcoin network.

Lukas Weichselbaum

Information Security Engineer, Google
Lukas Weichselbaum is an Information Security Engineer at Google. He’s currently working, among other stuff, on researching security enhancements and mitigations for web applications. Lukas graduated from Vienna University of Technology in Austria where he worked on dynamic analysis of Android malware. He also founded Andrubis – one of the very first large scale malware analysis platforms for Android applications.


Thursday June 30, 2016 15:00 - 15:45
Room A (Michelangelo Ballroom Sect. 3)

15:00

The Timing Attacks They Are a-Changin'
An interesting class of attacks is one where an adversary tries to obtain secret information not by directly abusing a programming flaw, but rather by inferring the secret from certain side effects of applications. These so-called side-channel attacks originate from the world of cryptography, where side effects such as power consumption or electromagnetic radiation have been shown to sometimes leak information about a secret key. Interestingly, these attacks are not limited to cryptosystems, but can be applied in the context of the web as well. However, the side effects that can be observed in the context of the web are often substantially different from what can be observed in cryptosystems. For instance, it can generally be assumed that an adversary does not have physical access to the targeted machine, making attacks such as power analysis, acoustic cryptanalysis and electromagnetic attacks impossible. 

Nevertheless, a side effect that can be observed, and may leak private data, is timing information. By measuring the time required to perform certain actions, attackers can leverage this information to extract information that should be kept private. Although timing attacks on the web were discovered well over a decade ago, they have received relatively little attention. The most probable reason is that these classic timing attacks can be quite unreliable, as the timing measurements fully depend on the condition of the victim's network connection. This means that any network irregularity, or variation in latency on the side of the victim, may prevent an attacker from learning any personal information using timing attacks. 

In our research, we explored methods that can be used by adversaries to perform timing attacks that are not subject to the restrictions of these classic timing attacks. More concretely, we found that various browser features expose sensitive timing information related to the size of resources when these are parsed. Furthermore, since the size of certain resources often reflects the state of the user, this new class of timing attacks allows adversaries to rapidly obtain information on a victim's state at numerous websites. Because the timing measurement starts _after_ a resource has been downloaded, the measurement is no longer influenced by network irregularities, resulting in significantly improved performance. 

To evaluate the gravity of this new class of timing attacks, we evaluated several popular web services for the presence of timing attacks, as well as their ramifications. We found that an adversary can easily discover the personal interests, search history, and demographics (age, geographical location, gender, ...) of any unwitting victim within a few seconds. In our evaluation, we describe various attack scenarios where adversaries can leverage timing information on resources provided by some of the most popular websites to obtain this personal information from any user visiting an attacker-controlled web page. 

Finally, motivated by the severe consequences of these new timing attacks, we explored possible mitigations. We point out that countermeasures can be applied either on the side of the client, or that of the server. Unfortunately, the presence of the timing side-channels in browsers is inherent to their design, i.e. browsers are designed to process resources as soon as possible, and trigger an event to notify the completion. As a result, eradicating timing attacks at the browser-level would most likely require a drastic redesign of the browser architecture, which is unlikely to happen in the near future. Alternatively, mitigating timing attacks on the server side is currently a more viable option. By making the observation that, in essence, timing attacks are strongly related to cross-site request forgery (CSRF) attacks, one can prevent them in a similar fashion.
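The server-side mitigation the abstract ends on, treating these attacks like CSRF, comes down to one rule: a resource whose size depends on the logged-in user must not be served to a request that an attacker-controlled page embedded. The following is an added example, not code from the research: a Node.js gate that decides whether a request is first-party from its headers, in the same way a CSRF origin check does, and a handler that returns a fixed, state-independent response otherwise. Header values and origins are constructed for the example; the `Sec-Fetch-Site` check relies on a browser header that postdates the 2016 talk.

```javascript
// Added example (not from the paper): serve state-dependent resources only to
// first-party requests, so an attacker page cannot embed them and time their
// parsing. Mirrors CSRF origin checking.

function requestIsFirstParty(headers, ownOrigin) {
  const h = {};
  for (const [k, v] of Object.entries(headers)) h[k.toLowerCase()] = v;

  // Sec-Fetch-Site is set by the browser and cannot be forged by page script;
  // when present it is the most reliable signal. 'none' is a user-initiated
  // navigation (typed URL, bookmark), which is not something a page can embed.
  if (h['sec-fetch-site']) {
    return h['sec-fetch-site'] === 'same-origin' || h['sec-fetch-site'] === 'none';
  }
  // Fallback for browsers without Fetch Metadata: Origin, else Referer.
  // A cross-site page can suppress Referer (e.g. a no-referrer policy), so a
  // missing header must count as cross-site, exactly as in CSRF checks.
  const src = h['origin'] || h['referer'];
  if (!src) return false;
  try {
    return new URL(src).origin === ownOrigin;
  } catch (e) {
    return false; // unparsable header: do not guess
  }
}

// First-party requests get the real, user-dependent body. Everything else gets
// a fixed response whose size and parse time carry no information about the
// user, which is what removes the side channel.
function serveStateDependentResource(headers, ownOrigin, renderForUser, user) {
  if (!requestIsFirstParty(headers, ownOrigin)) {
    return { status: 403, body: '{}' };
  }
  return { status: 200, body: renderForUser(user) };
}

// Constructed renderer: body size depends on the user's state, which is the
// kind of resource the attack targets.
function exampleRender(user) {
  return JSON.stringify({ name: user.name, history: user.searchHistory });
}
```

Note that the fixed 403 body is deliberate: answering cross-site requests with a redirect to a login page or with a user-specific error would reintroduce a size difference between logged-in and logged-out victims.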

Speakers

Tom Van Goethem

Tom Van Goethem is a PhD student at the University of Leuven with a keen interest in web security and privacy. In his research, Tom likes performing large-scale security experiments, whether to analyze the presence of good and bad practices on the web, or to demystify security claims. In an attempt to make the web a safer place, Tom, on occasion, rummages the web in search of vulnerabilities, and has presented some of his findings at...


Thursday June 30, 2016 15:00 - 15:45
Room C (Tiziano Ballroom Sec. 2)

15:00

Building secure cloud-native applications with spring boot and spring security
In this talk Andreas will present how to build a secure cloud-native application using Spring Boot and Spring Security.
After a quick introduction, the session starts with a live coding demo building a completely new web application that already has a solid base level of security (including authentication, authorization, CSRF protection and security headers) in just minutes.

Throughout this talk you will learn step-by-step how to 

- implement integration tests to verify both web- and method-layer authorization
- easily add SSL transport security already at the development stage
- break up the application into "cloud-native" microservices using REST calls secured by OAuth2
- extend the application with runtime application self-protection (RASP) using OWASP AppSensor

All steps will also be accompanied by short demos.

Based on a daily work experience of developing enterprise ready applications, best practices to integrate security in the agile development process will be presented as well.

Speakers

Andreas Falk

Managing Consultant, NovaTec Consulting GmbH
Andreas Falk (@andifalk, @agile_security) has more than twenty years of experience in the development of enterprise IT projects. Currently he is working for NovaTec Consulting GmbH (located in Stuttgart, Germany) as a Managing Consultant. He has worked on several projects in different roles as a consultant, architect, scrum master, coach, developer and tester. His focus is on agile development with Java EE and Spring, application...


Thursday June 30, 2016 15:00 - 15:45
Room B (Tiziano Ballroom Sec. 1)

15:00

SAASY SPLC
Speakers

Julia Knecht

Adobe
Julia Knecht leads SPLC for Adobe Digital Marketing. Over the past two years, Julia has been dedicated to creating an effective, engaged SPLC Program at Adobe. This effort has improved the level of security engagement among the Digital Marketing engineering teams by over 400%. Prior to her work on this team, she spent 3 years on the Adobe Digital Marketing Operations Security Team. Julia holds a Masters of Information Systems Management from...


Thursday June 30, 2016 15:00 - 15:45
Room D (Tiziano Ballroom Sec. 3)

15:45

Coffee Break
Thursday June 30, 2016 15:45 - 16:15
Foyer Michelangelo

16:15

Addressing Security Requirements in Development Projects
As software development projects have become more and more agile in recent years, security teams have to follow suit in order to be seen as business enablers rather than as an obstacle. In this talk we aim to present a tool which we have implemented on the basis of 1&1's internal secure software development lifecycle, with the goal of increasing the comprehensibility and the automation/scalability of particular security-related activities in development projects. 

The core functionality of the tool is management and implementation support of two types of security requirements: 
- lifecycle requirements, describing security-related activities performed during the development 
- technical requirements, describing the desired security properties of systems/artifacts being built 

Other notable features are: 
- categorizing and filtering of requirements for systems with different properties 
- integration with JIRA, so that tasks for dev teams are created and their progress monitored automatically 
- export of the requirement sets for external partners in order to align security of external and internal development 

The plan is also to release this application as an open source project and involve the security community in its further development.

Speakers

Daniel Kefer

Head of Application Security, 1&1 Mail & Media Development & Technology GmbH
Daniel Kefer has been working in the application security field since 2007. Having started as a penetration tester, he soon became passionate about proactive security efforts and working closely with developers. Since 2011 he has been working for 1&1, where he focuses on the design and continuous improvement of the internal secure SDLC process and its implementation in different development departments. Apart from 1&1, he also works as a volunteer for...

Rene Reuter

IT Security Consultant, Robert Bosch GmbH
René Reuter is a security engineer with over 4 years of experience in the application security field. At Robert Bosch GmbH, he works as an IT Security Consultant responsible for identifying vulnerabilities and design flaws that may impact Robert Bosch's applications and infrastructure. René holds a Master's Degree in Computer Science from the University of Applied Sciences Karlsruhe.


Thursday June 30, 2016 16:15 - 17:00
Room D (Tiziano Ballroom Sec. 3)

16:15

Don't Touch Me That Way
With over 3.1 million applications in the Apple App Store and Google Play Store, and more than 7.5 billion mobile subscribers in the world, mobile application security has been shoved to the forefront for many organizations. One of the newer features on mobile devices is the fingerprint reader. Both iOS and Android provide access to the hardware fingerprint reader through APIs, and those APIs can be used correctly and incorrectly. Join David and Jack as they show how the APIs work, how you can use them correctly and incorrectly, and how a malicious actor may attack the fingerprint APIs. This talk will involve code, tools, and iOS and Android test applications for the demos.

Speakers
avatar for David Lindner

David Lindner

Vice President of Solutions, nVisium
David Lindner is an experienced Application Security Professional with over 15 years of experience in the computer security industry. During this time, David has worked within multiple disciplines in the security field, from application development, network architecture design and support, IT security and consulting, and application security. David has specialized in all things related to mobile applications and securing them. David has supported... Read More →
avatar for Jack Mannino

Jack Mannino

CEO, nVisium


Thursday June 30, 2016 16:15 - 17:00
Room C (Tiziano Ballroom Sec. 2)

16:15

Automated Mobile Application Security Assessment with MobSF
The mobile application market is growing fast, and so is the mobile security industry. With frequent application releases and updates, conducting a complete security analysis of mobile applications becomes time-consuming and cumbersome. In this talk I will introduce an extendable and scalable web framework called Mobile Security Framework (https://github.com/ajinabraham/YSO-Mobile-Security-Framework) for security analysis of mobile applications. Mobile Security Framework is an intelligent and automated open source mobile application (Android/iOS) pentesting and binary/code analysis framework capable of performing static and dynamic analysis. It supports Android and iOS binaries as well as zipped source code. During the presentation, I will demonstrate some of the issues identified by the tool in real-world Android applications. The latest Dynamic Analyzer module will be released at OWASP AppSec.

Attendee benefits:
- An open source framework for automated mobile security assessment.
- One-click report generation and security assessment.
- The framework can be deployed in your own environment so that you have complete control of the data. The data/report stays within the organisation and nothing is stored in the cloud.
- Supports both Android and iOS applications.
- Semi-automatic Dynamic Analyzer for intelligent, application-logic-based (whitebox) security assessment.

Speakers
avatar for Ajin Abraham

Ajin Abraham

Security Engineer, IMMUNIO
Ajin Abraham is a Security Engineer for IMMUNIO with 6+ years of experience in Application Security including 3 years of Security Research. He is passionate on developing new and unique security tools. Some of his contributions to Hacker's arsenal include OWASP Xenotix XSS Exploit Framework, Mobile Security Framework (MobSF), Xenotix xBOT, MalBoxie, Firefox Add-on Exploit Suite, NodeJsScan etc to name a few. He has been invited to speak at... Read More →


Thursday June 30, 2016 16:15 - 17:00
Room B (Tiziano Ballroom Sec. 1)

16:15

OWASP Security Knowledge Framework: Making the web secure by design
The OWASP Security Knowledge Framework is intended to be a tool that is used as a guide for building and verifying secure software. It can also be used to train developers about application security. Education is the first step in the Secure Software Development Lifecycle.

The 4 core usages of SKF:
- Security requirements: OWASP ASVS for development and for third-party vendor applications
- Security knowledge reference (code examples / knowledge base items)
- Security as part of design, with the pre-development functionality in SKF
- Security post-development functionality in SKF for verification against the OWASP ASVS

Check the online demo: https://securityknowledgeframework.org/demo.php

Speakers

Glenn Ten Cate

Schuberg Philis
As a coder, hacker, speaker, trainer and security researcher, Glenn has over 10 years of experience in the field of security. He is employed as a security engineer at Schuberg Philis in the Netherlands and speaks at multiple security conferences. His goal is to create an open-source software development life cycle with the tools and knowledge gathered over the years.


Thursday June 30, 2016 16:15 - 17:00
Room A (Michelangelo Ballroom Sect. 3)

16:15

Lightning Training - How to Use OWASP Security Logging
This presentation will provide an overview of the OWASP Security Logging project, a standard Log4j-compatible Java API to log security-related events. The presenters will discuss the case for logging security events, what types of events to log, how to use the API in your code, and provide examples of API features:
* Overview of the security logging API features/benefits
* Overview of SLF4J logger features from a security perspective
* Security logging with log4j, log4j2, logback, and JDK logging
* "Hello World" with security logging
* Logging console application properties
* Logging servlet application properties with correlated data like user ID
* Filtering passwords from logs
* Customizing filtering for removing SSN/credit card numbers from logs
* Adding interval logging to your project
* Customizing interval logging
* Adding information classification (e.g., CLASSIFIED messages) to projects
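An added example, not the OWASP Security Logging API and not code from that project, of what the "filtering passwords" and "removing SSN/credit cards" bullets mean in practice: a Python standard-library logging filter that scrubs secrets before any handler formats the record. The list of secret key names, the separator handling and the Luhn check on candidate card numbers are this example's own choices, and the log line it runs on is constructed.

```python
import logging
import re

# Added example, not the OWASP Security Logging API: a stdlib logging.Filter that
# scrubs secrets from a record before any handler formats it.

# Keys whose values must never reach a log (assumed list; extend for your codebase).
PASSWORD_RE = re.compile(
    r'(?i)\b(password|passwd|pwd|secret|token)\b'   # key
    r'(["\']?\s*[=:]\s*)'                           # optional quote closing the key, separator
    r'(["\']?)'                                     # optional quote opening the value
    r'([^\s,;"\']+)\3'                              # value, then the matching closing quote
)
SSN_RE = re.compile(r'\b\d{3}-\d{2}-\d{4}\b')
# 13-19 digits with optional single space/dash separators; Luhn decides if it is a card.
CARD_RE = re.compile(r'\b\d(?:[ -]?\d){12,18}\b')


def luhn_ok(digits):
    """Luhn checksum, used to tell card numbers from other long digit strings."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def redact(message):
    """Mask passwords/tokens, SSNs and Luhn-valid card numbers in one log message."""
    message = PASSWORD_RE.sub(
        lambda m: m.group(1) + m.group(2) + m.group(3) + "[REDACTED]" + m.group(3), message)
    message = SSN_RE.sub("[SSN]", message)

    def mask_card(m):
        digits = re.sub(r"[ -]", "", m.group(0))
        if luhn_ok(digits):
            return "[CARD ****" + digits[-4:] + "]"
        return m.group(0)  # not a card (e.g. an order id): leave it alone

    return CARD_RE.sub(mask_card, message)


class RedactingFilter(logging.Filter):
    """Rewrites the record in place so every handler downstream sees the masked text."""

    def filter(self, record):
        # Format first so values passed as %-args are covered too, then drop the args.
        record.msg = redact(record.getMessage())
        record.args = None
        return True


def filter_record_message(fmt, args=None):
    """Helper: run one record through the filter and return what a handler would emit."""
    record = logging.LogRecord("demo", logging.INFO, __file__, 0, fmt, args, None)
    RedactingFilter().filter(record)
    return record.getMessage()


if __name__ == "__main__":
    logging.basicConfig(level=logging.INFO, format="%(levelname)s %(message)s")
    # Attach to handlers, not loggers: a logger's filters do not see propagated child records.
    for handler in logging.getLogger().handlers:
        handler.addFilter(RedactingFilter())
    # Constructed sample line, not from any real system.
    logging.getLogger("auth").info(
        'login failed user=alice password="hunter2" card=4111 1111 1111 1111 '
        'ssn=123-45-6789 order=1234567890123456')
```

Attach the filter to handlers rather than to a logger: a logger's filters only apply to records created through that logger, while a handler's filters see every record it emits, including those propagated from child loggers. The Luhn check stops 16-digit order or tracking numbers from being masked as cards, but a regex filter is a safety net behind not logging such fields in the first place, not a substitute for it.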

Speakers
avatar for August Detlefsen

August Detlefsen

Senior Application Security Consultant, CodeMagi, Inc.
August Detlefsen (California) is a Senior Security Consultant who has presented at JavaOne (2008, 2012) as well as AppSec USA (2014, 2015) and is the co-author of Iron-Clad Java: Building Secure Web Applications. August also teaches customized secure coding classes for large and small clients.

Sytze van Koningsveld

Sytze van Koningsveld (Netherlands) is a Senior Java Developer at KLM Royal Dutch Airlines and OWASP. He is especially interested in open source projects and specializes in defensive security measures.
avatar for Milton Smith

Milton Smith

Sr. Principal Security Analyst, Oracle
Milton Smith (California) is an application security principal at Oracle working strategically to improve application security. Milton is also project leader for both the OWASP Security Logging Project and the DeepViolet SSL/TLS scanner project. Prior to Oracle, Milton led security for Yahoo's User Data Analytics property. For more information visit https://securitycurmudgeon.com/ or follow Milton on Twitter (@spoofzu).


Thursday June 30, 2016 16:15 - 17:45
Caravaggio 8

17:05

The Tales of a Bug Bounty Hunter: 10+ Interesting Vulnerabilities in Instagram
Bug bounty hunting is the new black! During this technical talk, more than 10 interesting vulnerabilities identified in Instagram, the increasingly popular photo-based social media platform, will be presented. All vulnerabilities were disclosed responsibly via Facebook's public bug bounty program over the course of 2015 and 2016, and will be discussed in detail. The advanced mobile security attack techniques this research required, such as binary modification, dynamic hooking and Burp Suite plugin development, will be covered, among other trickery. The most interesting vulnerabilities were hybrid: combinations of complementary vulnerabilities in different environments (e.g. web and mobile). The root cause(s) of all identified issues will be mapped onto the Software Development Life Cycle (SDLC) to analyze where they could have been prevented from materializing. Last but not least, the monetary rewards offered by Facebook for each vulnerability and general bug bounty hunting advice will be shared with the community.

Speakers
avatar for Arne Swinnen

Arne Swinnen

IT Security Consultant, NVISO
Arne Swinnen is an IT Security Consultant at NVISO, a Belgian Cyber Security Consulting firm. He previously worked for Verizon in a similar position. Arne specializes in Application Security and Digital Forensics. He is also a member of NVISO R&D Labs, for which he conducts technical research with a focus on these topics. He co-organized the first edition of the Cyber Security Challenge Belgium in 2015, a National cyber security competition... Read More →



Thursday June 30, 2016 17:05 - 17:50
Room C (Tiziano Ballroom Sec. 2)

17:05

Using JIRA to manage Risks and Security Champions activities
Some of the challenges of an effective Application Security programme are: 

a) how to capture and process security bugs/flaws discovered (manually, security reviews, attacks, SAST/DAST tools, etc..) 
b) manage developer's security activities 
c) create networks of Security Champions 
d) assign application security risks to relevant business/products owner 
e) capture application security knowledge 

Over the past year, Dinis has been leading a number of Application Security teams in the UK. This presentation will provide detailed technical information on how JIRA was used to create 'Application Security' workflows and management reports that address the challenges described above. 

One of the key concepts of the proposed JIRA workflow is an official 'Accept Risk' action, which changes the dynamic of the security team from "...NO, you can't do that..." to "...if you do that, there are these risks which you have to accept..." and "...here are the risks that your application has; now choose which ones you want to fix or accept".

Speakers
avatar for Dinis Cruz

Dinis Cruz

AppSec, OWASP
Dinis Cruz is a Developer and Application Security Engineer focused on how to develop secure applications. A key drive is on 'Automating Application Security Knowledge and Workflows' which is the main concept behind the OWASP O2 Platform. After many years (and multiple roles) Dinis is still very active at OWASP, currently leading the O2 Platform project and helping out other projects and initiatives. After failing to scale his own security... Read More →


Thursday June 30, 2016 17:05 - 17:50
Room B (Tiziano Ballroom Sec. 1)

17:05

Time for Addressing Software Security Issues: Prediction Models and Impacting Factors
Authors: Lotfi ben Othmane, Golriz Chehrazi, Eric Bodden, Petar Tsalovski, and Achim D. Brucker.

Finding and fixing software vulnerabilities has become a major struggle for most software-development companies. While generally without alternative, such fixing efforts are a major cost factor, which is why companies have a vital interest in focusing their secure software development activities such that they obtain an optimal return on this investment.

We present in this talk our work on the major factors that impact the time it takes to fix a given security issue, based on data collected automatically within SAP's secure development process, and we show how the issue fix time could be used to monitor the fixing process. We used in this work three basic machine-learning methods and evaluated their power in predicting the time to fix issues. Interestingly, the generated prediction models indicate that vulnerability type has only a small impact on issue fix time. The time it takes to fix an issue instead seems much more related to the component in which the potential vulnerability resides, the project related to the issue, the development groups that address the issue, and the closeness of the software release date. This indicates that the software structure, the fixing processes, and the development groups are the dominant factors that impact the time spent to address security issues.

Speakers
avatar for Lotfi ben Othmane

Lotfi ben Othmane

Head of Department Secure Software Engineering, Fraunhofer SIT
Lotfi ben Othmane is currently head of the Secure Software Engineering department at Fraunhofer SIT. He received his Ph.D. from Western Michigan University (WMU), USA, in 2010 and his M.S. from the University of Sherbrooke, Canada, in 2000. He has worked on several industrial and research projects since 1995 in Tunisia, Canada, the USA, the Netherlands, Ireland and Germany. Dr ben Othmane is currently investigating the use of data... Read More →


Thursday June 30, 2016 17:05 - 17:50
Room D (Tiziano Ballroom Sec. 3)

17:05

Calm down, HTTPS is not a VPN
It is 2016. As far as transport layer security is concerned, many bugs were found and squashed during the past two years, which probably makes most tech people feel better. 
Especially for the most widely secured protocol on the internet, HTTP, security features like HSTS, HPKP, preloading and certificate transparency have arrived, so one could be tempted to think "mission accomplished": confidentiality and integrity issues on the transport layer for HTTP are solved now, even if the mentioned security features could be used more widely.

But with respect to privacy there are often misconceptions. One concerns the information security values: when is HTTPS a must, for which values, and when is it not mandatory. Sometimes there even seems to be a technical misbelief that switching on HTTPS is like using a VPN or Tor, a belief not least sponsored by some big players on the internet.

This talk will clear up those fundamental misunderstandings and show how much privacy you really have against prying eyes while using HTTPS.

It starts with the basics at the network layer, then looks at the TLS encryption, at several browser fingerprints in the TLS handshake and at current certificate validation strategies. This alone identifies your browser and the site you are connecting to, and often more. 

But what can an adversary tell about the content? 

Real-world examples add a couple of bits to this, as nowadays your browser rarely connects to a single server. Depending on the site (size, content), the number of clients behind an IP address, browser settings and the browsing behaviour of the user(s), more or fewer resources are needed to determine what content is being requested by the client. Here the talk will shed some light on how well it is possible, even while using HTTPS, to tell something about the content transferred.
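An added illustration, not part of the talk and not code from testssl.sh, of the first point above: the TLS handshake alone identifies the site and, to a good degree, the browser, because a passive observer sees the ClientHello in plaintext. The SNI hostname and the cipher-suite and extension lists are readable before any encryption starts. The script builds a minimal ClientHello from constructed values (hostname and two suite IDs), then parses it the way a sniffer would. The fingerprint string is a simplified JA3-style digest; real JA3 also folds in the supported groups and EC point formats and MD5-hashes the result.

```python
import os
import struct

# Added example; not from the talk. Builds one minimal ClientHello (constructed values)
# and parses it the way a passive observer on the wire can, before any encryption starts.

TLS_HANDSHAKE = 0x16
CLIENT_HELLO = 0x01
EXT_SERVER_NAME = 0x0000


def build_client_hello(hostname, cipher_suites, client_random=None):
    """Return a TLS record carrying a ClientHello with a single SNI extension."""
    if client_random is None:
        client_random = os.urandom(32)
    name = hostname.encode("ascii")
    # ServerNameList: one entry of name_type 0 (host_name) + 2-byte length + name
    entry = b"\x00" + struct.pack("!H", len(name)) + name
    sni = struct.pack("!H", len(entry)) + entry
    extensions = struct.pack("!HH", EXT_SERVER_NAME, len(sni)) + sni
    suites = b"".join(struct.pack("!H", s) for s in cipher_suites)
    body = (
        b"\x03\x03"                                   # client_version TLS 1.2
        + client_random
        + b"\x00"                                     # empty session_id
        + struct.pack("!H", len(suites)) + suites
        + b"\x01\x00"                                 # compression: null only
        + struct.pack("!H", len(extensions)) + extensions
    )
    handshake = struct.pack("!B", CLIENT_HELLO) + len(body).to_bytes(3, "big") + body
    return struct.pack("!BHH", TLS_HANDSHAKE, 0x0303, len(handshake)) + handshake


def parse_client_hello(record):
    """Extract version, SNI, cipher suites and extension types from a ClientHello record."""
    ctype, _version, length = struct.unpack("!BHH", record[:5])
    if ctype != TLS_HANDSHAKE:
        raise ValueError("not a handshake record")
    hs = record[5:5 + length]
    if hs[0] != CLIENT_HELLO:
        raise ValueError("not a ClientHello")
    body = hs[4:4 + int.from_bytes(hs[1:4], "big")]
    pos = 0
    version = struct.unpack("!H", body[pos:pos + 2])[0]
    pos += 2 + 32                                     # version + client random
    pos += 1 + body[pos]                              # session_id
    cs_len = struct.unpack("!H", body[pos:pos + 2])[0]
    pos += 2
    suites = [struct.unpack("!H", body[i:i + 2])[0] for i in range(pos, pos + cs_len, 2)]
    pos += cs_len
    pos += 1 + body[pos]                              # compression methods
    info = {"version": version, "sni": None, "cipher_suites": suites, "extensions": []}
    if pos + 2 > len(body):
        return info                                   # legacy client, no extensions
    end = pos + 2 + struct.unpack("!H", body[pos:pos + 2])[0]
    pos += 2
    while pos + 4 <= end:
        etype, elen = struct.unpack("!HH", body[pos:pos + 4])
        data = body[pos + 4:pos + 4 + elen]
        pos += 4 + elen
        info["extensions"].append(etype)
        if etype == EXT_SERVER_NAME:
            # list length (2) + name_type (1) + name length (2) + host name
            name_len = struct.unpack("!H", data[3:5])[0]
            info["sni"] = data[5:5 + name_len].decode("ascii")
    return info


def ja3_like(info):
    """Simplified JA3-style string: version,ciphers,extensions (real JA3 adds curves/formats and MD5s it)."""
    return "%d,%s,%s" % (
        info["version"],
        "-".join(str(s) for s in info["cipher_suites"]),
        "-".join(str(e) for e in info["extensions"]),
    )


if __name__ == "__main__":
    # Constructed hostname and suite list (TLS_AES_128_GCM_SHA256, ECDHE-RSA-AES128-GCM-SHA256).
    rec = build_client_hello("www.example.com", [0x1301, 0xC02F])
    seen = parse_client_hello(rec)
    print("observer sees SNI:", seen["sni"], "fingerprint:", ja3_like(seen))
```

Everything the parser returns is visible to anyone on the path, which is why "HTTPS hides where I go" is only true for the URL path and body, not for the host, and why the order of suites and extensions is enough to tell one browser build from another.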

Speakers
avatar for Dirk Wetter

Dirk Wetter

Dirk is an independent security consultant who has more than 18 years of experience in information security, and even more in the world of Unix/Linux. He also has profound networking knowledge from his past. He is engaged in OWASP Germany / Europe and has chaired a couple of conferences. Whenever possible he uses open source software. He developed an open SSL/TLS tester for the command line named testssl.sh, which uses network sockets.


Thursday June 30, 2016 17:05 - 17:50
Room A (Michelangelo Ballroom Sect. 3)

19:00

Conference Dinner at Cinecitta

The social event will take place in the famous Cinecitta, the Italian Hollywood!

This will be a unique opportunity to meet the speakers, trainers and attendees. The social dinner will once again prove to be a great moment of exchange, fun and relaxation!


The AppSec EU 2016 Gala Dinner will take place on Thursday, June 30th from 19:45 onwards at Cinecitta. The Gala Dinner is a not-to-be-missed part of the conference.

  • At 19:00 conference buses will leave from the conference venue to Cinecitta. Please be prompt.
  • The social event begins at 19:45 and ends at 22:45.
  • At 23:00 conference buses will leave from Cinecitta back to the conference venue.
* The conference dinner is included in the registration fees. Companion tickets are also available during registration for 100 EUR (+VAT) if you would like to bring a guest.

Thursday June 30, 2016 19:00 - 23:00
Cinecitta Via Tuscolana 1055, 00173 Roma - Italia
 
Friday, July 1
 

08:00

Conference Registration
Friday July 1, 2016 08:00 - 15:45
Foyer Tiziano

09:00

Member Lounge
Come recharge and join other OWASP Members in a quiet, comfortable, relaxed environment. Grab a snack and network with your peers. 

Friday July 1, 2016 09:00 - 14:00
Foyer Michelangelo

09:15

Keynote - Hardening the Web Platform
Like every large software project, browsers are accidentally broken. But put these unintentional bugs aside for the moment, and imagine an alternate universe in which the browser implements every relevant standard perfectly. Even in this sincerely mythical world, users aren’t safe, because from a security perspective the internet is in many ways broken by design.

Let’s talk about how we’re beginning to mitigate some of these platform-level risks by hardening the defaults, removing barriers to TLS deployment, and giving developers access to new APIs that can be used to lock themselves down even further.


Speakers
avatar for Mike West

Mike West

Mike is a philosophy student, cleverly disguised as a member of Chrome’s security team in Munich, Germany. Since it would be slightly more than difficult to make a living sitting under a tree reading Kant, he’s focused his energies on the web, which has proven itself to be a wonderful decision. Mike works on web platform security feature implementation in Chromium and Blink, and specifications in various standards bodies.


Friday July 1, 2016 09:15 - 10:00
Plenary Sessions ( Michelangelo Ballroom Sec. 1+2)

10:20

The Top 10 Web Hacks of 2015
Every year the security community produces a stunning number of new Web hacking techniques that are published in various white papers, blog posts, magazine articles, mailing list emails, conference presentations, etc. Within the thousands of pages are the latest ways to attack websites, Web browsers, Web proxies, and their mobile platform equivalents. Beyond individual vulnerabilities with CVE numbers or system compromises, we are solely focused on new and creative methods of Web-based attack. Now in its ninth year, the Top 10 Web Hacking Techniques list encourages information sharing, provides a centralized knowledge base, and recognizes researchers who contribute excellent work. 

This talk will be a summary of the Top 10 new Web Hacking Techniques that were published in 2015. The list of candidates is community sourced and voted upon. It gets trimmed from between 50 and 100 entries down to 15, in no particular order. Those 15 techniques with the most votes go on to the panel of expert judges, who pick the Top 10 and order them by group consensus after reviewing all the research. This talk will go through these 10 techniques and highlight the important points of what was done in the research and, where applicable, how to protect yourself or your organization. 

We will do a technical deep dive and take you through the Top 10 Web Hacks of 2015 as picked by an expert panel of judges.

Speakers
avatar for Jonathan Kuskos

Jonathan Kuskos

Senior Application Security Engineer, WhiteHat Security
@JohnathanKuskos is a Manager for WhiteHat Security where he is charged with the expansion of their Belfast, Northern Ireland Threat Research Center. After personally hacking hundreds of web applications over several years he moved into a managerial role so that he could contribute to mentoring younger security engineers. Johnathan is extremely passionate about teaching and sharing the security knowledge he’s attained. He’s also an active bug... Read More →


Friday July 1, 2016 10:20 - 11:05
Room C (Tiziano Ballroom Sec. 2)

10:20

A chain of trust: How to implement a supply chain approach to build and launch that rocket
A new entrant to the OWASP Top 10 2013 ranking was A9 - Using Components with Known Vulnerabilities. Increasingly, the compromise point of an application has not been code that originated in house: the 2015 Data Breach Investigations Report states that 97% of attack mediums can be traced to 10 CVEs. Standards like PCI-DSS call for auditing and constant monitoring of the status of these components, but often this leads to controls outside the realm of what is scalable. Luckily, security can be, and is, a developer choice as much as a process. In this session we talk through what can be done to implement a process that helps lower compound risk from third-party suppliers as early in the software lifecycle as possible, and how to facilitate security as a part of the DevOps culture.

Speakers
avatar for Ilkka Turunen

Ilkka Turunen

SE, Sonatype
Ilkka Turunen is a Solutions Architect working at Sonatype in Europe and Asia. His background is in software and systems engineering, acting as an architect for several commercial projects. He's helped define everything from the software design to web-scale infrastructure architectures and regularly works with companies across the world to understand and improve their software supply chain and continuous delivery pipelines.


Friday July 1, 2016 10:20 - 11:05
Room A (Michelangelo Ballroom Sect. 3)

10:20

Practical Threat Modeling with Microsoft's Threat Modeling Tool 2016
Threat modeling has been a known and effective practice for identifying weaknesses in application design for a while now. However, as with other security practices, it requires quite some security know-how and experience to create a proper threat model and derive countermeasures from the identified threats. Therefore, most organizations that want threat modeling to be conducted internally to improve their software security need a suitable tool that assists developers, architects, etc. in creating such a threat model. When it comes to threat modeling tools, most people will name Microsoft's Threat Modeling Tool, which Microsoft has made freely available in different versions for quite some time. But only the newest version comes with one decisive new feature that no existing tool had before and that has the potential to help organizations a lot with using threat modeling internally: it allows us not only to inspect but also to change the existing threat logic, and to build custom templates with our own logic and shapes for new threat models. Based on a lot of practical experience with using this tool in a larger organization, this talk will show how organizations can use it to practically build their own threat modeling tool by mapping their specific security architecture (access management systems, security zones, etc.), custom threats and security requirements into it, so that they are already considered in all new threat models created with the tool.

Speakers
avatar for Matthias Rohr

Matthias Rohr

CEO, Secodis GmbH
Matthias Rohr (CISSP, CSSLP, CISM) has over 12 years of experience in architecting, developing and securing web-based applications. He is the founder of Secodis, a security service and solution provider specializing in integrating security into software development (Secure SDLC), including implementing application security test automation. Matthias has recently published a book on practical application security in German, is an active... Read More →


Friday July 1, 2016 10:20 - 11:05
Room B (Tiziano Ballroom Sec. 1)

10:20

Grow up AppSec: A case study of maturity models and metrics
How mature is your security practice? How do you show where your security services are weak and need to improve? We took a look at the current state of the art for security maturity models and were underwhelmed, they were either way too scientific, not scientific enough, or just didn’t feel right. We wanted a way to measure the maturity of the various services in our security organization, but hated everything out there. What were we to do? Like good security researchers, we decided to invent our own and put them to the test in a large enterprise organizational setting, while also trying to convince our friends and enemies that it was the best thing ever. 

This talk highlights the flaws in current maturity models and reveals a basic framework we have developed, using 7 critical measurements, to quickly assess a security program. We will talk through the pros and cons of our model, how we have adopted it, and where we see it going in the future. We will also take a specific deep dive into application-specific maturity models and metrics with exciting graphs and dashboards, with open source code and fancy executive spreadsheets freely available to all who dare to follow. 

We require this to be a collaborative session, so we are anticipating and demanding feedback, criticism, praise, and drinks for our efforts – enjoy!

Speakers
avatar for Jon Rose

Jon Rose

Agile Security, Dun & Bradstreet
Jon combines the drive of an innovative entrepreneur with the proven ability to lead Fortune 500 companies. With over 16 years of experience launching products, securing environments, training and educating technology teams, and building agile security organizations, Jon has a deep and wide understanding of organizational capabilities for both start-ups and large-scale organizations.
avatar for Rohini Sulatycki

Rohini Sulatycki

Dun & Bradstreet
Rohini specializes in application security, application penetration testing, mobile penetration testing, virtualization security assessments, network penetration testing and security code reviews. Rohini has conducted Secure Development Training classes for clients worldwide. Rohini has been a technical reviewer and has presented at various security events including Black Hat and FROC. Rohini has served as the president of the Kansas City OWASP... Read More →


Friday July 1, 2016 10:20 - 11:05
Room D (Tiziano Ballroom Sec. 3)

10:20

Lightning Training - Security Automation using ZAP
The OWASP Zed Attack Proxy (ZAP) is one of the world's most popular free security tools and is actively maintained by hundreds of international volunteers. It can help you automatically find security vulnerabilities in your web applications while you are developing and testing them. ZAP provides a rich set of APIs that allow you to interact with ZAP programmatically. This lightning training is a kick-starter for automating ZAP and covers the following topics:
- Quick run-through of the ZAP GUI
- Understanding what can be automated
- How to integrate ZAP with automation scripts
- Example scripts / hands-on
- Some delicate considerations
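An added example, not part of the training materials, of the "integrate ZAP with automation scripts" step: a Python script that drives ZAP's JSON REST API with only the standard library, waits for the spider and active scan to finish, and turns the alert list into a build verdict. It assumes ZAP is running as a daemon on 127.0.0.1:8080 with the placeholder API key shown, and that alert objects carry the risk, alert, url, param and pluginId fields of the core/view/alerts output; the alert list embedded in the script is constructed so the triage step can be run offline, and is not a real scan result.

```python
import json
import sys
import time
import urllib.parse
import urllib.request

# Added example, not from the training. Assumes ZAP runs as a daemon on the address
# below with this API key (placeholder), e.g.: zap.sh -daemon -port 8080 -config api.key=changeme
ZAP_URL = "http://127.0.0.1:8080"
API_KEY = "changeme"
RISK_ORDER = ["Informational", "Low", "Medium", "High"]

# Constructed alert list in the shape of core/view/alerts output (field names assumed),
# so the triage logic can be exercised without a running ZAP. Not a real scan result.
SAMPLE_ALERTS = [
    {"pluginId": "40018", "alert": "SQL Injection", "risk": "High",
     "url": "http://target.test/login", "param": "username"},
    {"pluginId": "40018", "alert": "SQL Injection", "risk": "High",
     "url": "http://target.test/login", "param": "username"},   # same finding, second request
    {"pluginId": "10021", "alert": "X-Content-Type-Options Header Missing", "risk": "Low",
     "url": "http://target.test/", "param": ""},
]


def api_url(component, kind, name, **params):
    """Build a ZAP JSON API URL, e.g. /JSON/spider/action/scan/?url=...&apikey=..."""
    params["apikey"] = API_KEY
    return "%s/JSON/%s/%s/%s/?%s" % (ZAP_URL, component, kind, name, urllib.parse.urlencode(params))


def call(component, kind, name, **params):
    """Issue one API request and decode the JSON reply."""
    with urllib.request.urlopen(api_url(component, kind, name, **params), timeout=60) as resp:
        return json.load(resp)


def wait_for(component, scan_id, poll=2):
    """Poll spider/ascan view/status until ZAP reports 100 percent."""
    while int(call(component, "view", "status", scanId=scan_id)["status"]) < 100:
        time.sleep(poll)


def triage(alerts, fail_at="High"):
    """Count unique alerts per risk and list those at or above the failing level.
    Alerts are de-duplicated on (pluginId, url, param) so one finding seen on many
    requests counts once."""
    counts = {r: 0 for r in RISK_ORDER}
    failing, seen = [], set()
    threshold = RISK_ORDER.index(fail_at)
    for a in alerts:
        key = (a.get("pluginId"), a.get("url"), a.get("param"))
        if key in seen:
            continue
        seen.add(key)
        risk = a.get("risk") if a.get("risk") in RISK_ORDER else "Informational"
        counts[risk] += 1
        if RISK_ORDER.index(risk) >= threshold:
            failing.append("%s: %s at %s (param %r)" % (risk, a.get("alert"), a.get("url"), a.get("param")))
    return counts, failing


def scan_and_gate(target, fail_at="High"):
    """Spider, active-scan, then gate on the alerts ZAP collected for the target."""
    wait_for("spider", call("spider", "action", "scan", url=target)["scan"])
    wait_for("ascan", call("ascan", "action", "scan", url=target)["scan"])
    alerts = call("core", "view", "alerts", baseurl=target)["alerts"]
    return triage(alerts, fail_at)


if __name__ == "__main__":
    if len(sys.argv) > 1:
        counts, failing = scan_and_gate(sys.argv[1])     # live run against a ZAP daemon
    else:
        counts, failing = triage(SAMPLE_ALERTS)          # offline run on the constructed sample
    print(counts)
    for line in failing:
        print("FAIL", line)
    sys.exit(1 if failing else 0)
```

Run it with a target URL to do a live scan, or with no arguments to see the gate applied to the constructed alerts. Two of the "delicate considerations" show up directly in the code: the active scan is only started after the spider reports 100%, so it sees every discovered URL, and alerts are de-duplicated by plugin, URL and parameter before counting, otherwise one injection point hit across many requests looks like a flood of findings.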

Speakers
avatar for Vaibhav Gupta

Vaibhav Gupta

Security Researcher, Adobe
Vaibhav Gupta is a security researcher with Adobe Systems. His interests and work fall under proactive and reactive application security assignments. He has diverse exposure to the InfoSec industry, primarily in security automation, security reviews, pen-tests and exploitation. He co-leads the OWASP and Null communities in the Delhi region. LinkedIn: https://www.linkedin.com/in/vaibhav0


Friday July 1, 2016 10:20 - 12:00
Caravaggio 8

10:20

Capture the Flag

Do you hack websites? Do you like to solve puzzles? Would you like to compare your skills against other hackers?

This year too, a Capture the Flag event will be held during the AppSec EU 2016 conference in Rome.

As always, this event is open to all attendees. The CTF prides itself on a huge variety of challenges across multiple disciplines, ranging from web to network and even cryptography challenges. All you need to bring is your laptop with all your favourite tools, a sharp mind and the patience to solve the challenges.

Next to the pride and joy of playing, there will be prizes for the top three players.

So come to AppSec EU 2016 in Rome and try your skills, and your luck, in this competition.

CTF rooms will remain available to participants throughout the conference:

  • Thursday, June 30th 10.30am to 6pm
  • Friday, July 1st 10.30am to 3pm

Friday July 1, 2016 10:20 - 15:00
Caravaggio 6 - 7

10:20

Exhibit
Friday July 1, 2016 10:20 - 16:20
Foyer Tiziano

11:05

Coffee Break
Friday July 1, 2016 11:05 - 11:35
Foyer Michelangelo

11:35

Idiot proof is not enough, make it villain proof!

Product development companies are doing the best they can to reach the highest quality for an application within the time they are able to spend on it. Although they are aware that security measures should be taken, most of them don't look at the application architecture the way a hacker will once the application is launched.

This talk is about a few different subjects that will help an organization keep the villain in mind:

  • Embedding security-mindedness in different steps of the software development process
  • Creating awareness among programmers, testers and managers
  • Convincing management, with facts, to invest in security well before the software is close to being launched


Speakers
avatar for Liesbeth Kempen

Liesbeth Kempen

Project Manager, Fox-IT
Liesbeth Kempen studied Computer Science at TU Delft and Artificial Intelligence at VU Amsterdam in the Netherlands. She started programming at the age of 9 and got her first job in IT as a network operator at 19. Since then, she has worked as a tester, programmer and software architect, and she has been managing IT projects and software development teams for 10 years now. She has worked on and seen software development... Read More →


Friday July 1, 2016 11:35 - 12:20
Room D (Tiziano Ballroom Sec. 3)

11:35

Attack tree vignettes for Containers as a Service applications and risk centric threat models
On the heels of platform virtualization comes the proliferation of containers: compartmentalized applications aimed at achieving greater efficiency in packaging, delivering and managing applications. With platform-level virtualization adoption still maturing, the rise of app-level virtualization and isolation over shared platform resources is already intriguing many dev shops that are looking for greater efficiencies in environment management and deployment. Security concerns abound, particularly as the themes of true isolation and privilege escalation haunt many early instances of containers. During this talk we'll look at threat modeling vignettes based upon current implementations and industry use cases around Containers as a Service. We'll explore viable threat patterns around deploying and using containers as well as current and evolving countermeasures for threat mitigation. 

This talk will employ risk-centric approaches to threat modeling around containers and tie in many of the more current threats and countermeasures covered at Docker15. The risk-centric threat modeling approach ties in well to the security-by-design intents being fostered into evolving container-related controls. This talk will not address the general precepts of threat modeling but rather dive into a few deployment scenarios around containers that have been analyzed for viable threat motives, supporting attack patterns, and effective countermeasure options for risk reduction.

Speakers
avatar for Tony UcedaVelez

Tony UcedaVelez

CEO/ Owner, VerSprite
Tony UcedaVélez is CEO at VerSprite, an Atlanta based security services firm assisting global multi-national corporations on various areas of cyber security, secure software development, threat modeling, application security, security governance, and security risk management. Tony has worked and led teams in the areas of application security, penetration testing, security architecture, and technical risk management for various organizations in... Read More →


Friday July 1, 2016 11:35 - 12:20
Room C (Tiziano Ballroom Sec. 2)

11:35

Game of Hacks: Play, Hack and Track
We created "Game of Hacks", a viral web app marketed as a tool to train developers on secure coding, with the intention of building a honeypot. Game of Hacks, built using the node.js framework, displays a range of vulnerable code snippets challenging the player to locate the vulnerability. Within 24 hours we had 35K players test their hacking skills... we weren't surprised when users started breaking the rules. Join us to:
• Play GoH against the audience in real time and get your claim to fame.
• Understand how vulnerabilities were planted within Game of Hacks.
• See real attack techniques (some caught us off guard) and how we handled them.
• Learn how to avoid vulnerabilities in your code and how to go about designing a secure application.
• Hear what to watch out for on the ultra-popular node.js framework.

Speakers
avatar for Amit Ashbel

Amit Ashbel

Product Evangelist, Checkmarx
Amit Ashbel has been with the security community for more than a decade where he has taken on multiple tasks and responsibilities, including technical and Senior Product lead positions. Amit adds valuable product knowledge including experience with a wide range of security platforms and familiarity with emerging threats. Amit also speaks at high profile events and conferences such as Blackhat, Defcon, OWASP, and others.


Friday July 1, 2016 11:35 - 12:20
Room B (Tiziano Ballroom Sec. 1)

11:35

Analyzing and Detecting Flash-based Malware

Adobe Flash is a popular platform for providing dynamic and multimedia content on web pages. Despite being declared dead for years, Flash is still deployed on millions of devices. Unfortunately, the Adobe Flash Player increasingly suffers from vulnerabilities, and attacks using Flash-based malware regularly put users at risk of being remotely attacked. We present Gordon, a method for the comprehensive analysis and detection of Flash-based malware. By analyzing Flash animations at different levels during the interpreter’s loading and execution process, our method is able to spot attacks against the Flash Player as well as malicious functionality embedded in ActionScript code. To achieve this goal, Gordon combines a structural analysis of the container format with guided execution of the contained code—a novel analysis strategy that manipulates the control flow to maximize the coverage of indicative code regions. In doing so, Gordon significantly outperforms related approaches when applied to samples shortly after their first occurrence in the wild, demonstrating its ability to provide timely protection for end users.


Speakers

Christian Wressnegger

TU Braunschweig
Christian Wressnegger is a full-time researcher at the Institute of System Security of the TU Braunschweig, Germany. Before joining academia to pursue a PhD, he worked in the anti-virus industry and in data analytics for computer security applications using machine learning. Christian's research interests revolve around the detection and prevention of malware and in particular, malware embedded in passive "containers" such as web pages...


Friday July 1, 2016 11:35 - 12:20
Room A (Michelangelo Ballroom Sect. 3)

12:25

Internet banking safeguards vulnerabilities
All internet banking applications are different but all of them share many common security features which are very specific to this domain of web applications, such as: 
- transaction limits, 
- notifications via SMS or e-mail, 
- authorization schemes, 
- trusted recipients, 
- two-factor authentication and transaction authorization, 
- pay-by-links, 
- communication channel activation (e.g. mobile banking or IVR). 
It is not rare for these safeguards to be incorrectly implemented, leaving the internet banking application vulnerable.

Last year at AppSec EU I talked about common vulnerabilities in e-banking transaction authorization. As a follow-up to this presentation, the OWASP Transaction Authorization Cheat Sheet was published and gained some attention from banks, developers and testers. This year, I want to continue and expand this work to other security mechanisms which are specific and common to internet banking applications. During my presentation I want to show some common mistakes made during the implementation of the above-mentioned internet banking safeguards.
As a follow-up, I am planning to expand the OWASP Transaction Authorization Cheat Sheet into an Internet Banking Cheat Sheet which will include guidelines for the secure implementation of all security mechanisms common to contemporary internet banking applications. At the end of my presentation, I also want to discuss the idea of expanding key OWASP materials such as ASVS, Testing Guide, and Development Guide by adding appendixes specific to groups of applications (such as internet/mobile banking, e-commerce, etc.).

Proposed agenda: 
* Security features of contemporary internet banking – quick overview. 
* Examples of vulnerabilities in implementation of these safeguards (logical and technical flaws) and recommendations, e.g.: 
- transaction limit bypass, 
- trusted recipients feature abuses, 
- transaction authorization vulnerabilities (quick recap from AppSec EU 2015 presentation), 
- notification blocking, 
- currency exchange rates manipulation (e.g.: oscillator, rounding errors),
- unauthorized changes to safeguards configuration.
* Upcoming changes due to PSD2 implementation (Payment Initiation Services, Account Information Services, Strong Customer Authentication). 
* Future work announcement and invitation to cooperate (Cheat Sheet, ASVS / Testing Guide / Dev Guide modules).

Speakers

Wojtek Dworakowski

SecuRing Managing Partner
Wojtek is an application security consultant with over 10 years of experience and a managing partner of SecuRing, a company dealing with application security testing and advisory. Over the last years he has been helping banks, major financial institutions, and software vendors to achieve a proper level of application security, including ING, BNP, KBC, UniCredit Group, Sage, Sodexo. Member of Crisis...



Friday July 1, 2016 12:25 - 13:10
Room A (Michelangelo Ballroom Sect. 3)

12:25

AppSec Awareness: A Blue Print for Security Culture Change
How does an individual change the application security culture of an organization? By designing and deploying an application security awareness program that contains engaging content, humor, and recognition. Application security awareness is part security knowledge, part lessons learned from history, and action to improve security into the future. Each company has an application security culture, but most of them need a boost. 

This session is about exposing each audience member to a successful blueprint for how they can build an application security awareness program of their own. The content is based on five years of real-life experience implementing application security awareness in a large enterprise reaching 30,000 people. Go beyond traditional security awareness, and dive deep into changing the DNA of those who code, test, and deploy applications within their organization.

The session uses the illustration of building a house, with six points used to show the ideal way to construct a successful application security awareness program. We move from answering what application security awareness is, to providing the details for how anyone can build a program of their own. This advice is from real-life experience; this is how we did it, and how anyone in the audience can use this blueprint to deploy their own program.

The six blueprints are: 

Mission: how to define and build a team to support 
Program architecture: design a program that covers all roles and recognizes achievements, on a budget 
Curriculum: what to teach, and how to decide what to include 
Humor: how to use humor to engage the audience 
Content Creation: how to build application security learning that people want to enjoy 
Tools: things you can add to enhance the program's organizational visibility 

I'll share all that I have learned over the past five years on this topic, summarized into a 45 minute window. This includes best practices, lessons learned, and experience as a pioneer in the creation of this type of program. I've built a super successful program, and want to empower and enable others to build similar programs.

Speakers

Chris Romeo

CEO, Security Journey
Chris Romeo is CEO, Principal Consultant, and co-founder of Security Journey. His passion is to bring application security awareness to all organizations, large and small. He was the Chief Security Advocate at Cisco Systems for five years, where he guided Cisco’s Security Advocates, empowering engineers to "build security in" to all products at Cisco. He led the creation of Cisco’s internal, end-to-end application security awareness...


Friday July 1, 2016 12:25 - 13:10
Room D (Tiziano Ballroom Sec. 3)

12:25

SecDevOps: A View from the Trenches
DevOps practices have become the de facto approach to deliver applications at rapid scale and unprecedented speed. However, any process is only as fast as its biggest bottleneck, and security is becoming the most pervasive bottleneck in most DevOps practices. Teams are unable to come up with security practices that integrate into the DevOps lifecycle and ensure continuous and smooth delivery of applications to customers. In fact, security failures in DevOps amplify security flaws in production as they are delivered at scale. If DevOps should not be at odds with security, then we must find ways to achieve the following on priority: 

- Integrate effective threat modeling into Agile development practices 
- Introduce Security Automation into Continuous Integration 
- Integrate Security Automation into Continuous Deployment 

While there are other elements like SAST and Monitoring that are important to SecDevOps, my talk will essentially focus on these three elements with a higher level of focus on Security Automation. In my talk, I will explore the following, with reference to the topic: 

- The talk will be replete with anecdotes from personal consulting and penetration testing experiences. 
- I will briefly discuss Threat Modeling and its impact on DevOps. I will use examples to demonstrate practical ways that one can use threat modeling effectively to break down obstacles and create security automation that reduces the security bottleneck in the later stages of the DevOps cycle. 
- I firmly believe that Automated Web Vulnerability Assessment (using scanners), no matter how tuned, can only produce 30-40% of the actual results as opposed to a manual application penetration test. I find that scanning tools fail to identify most vulnerabilities with modern Web Services (REST). I will discuss examples and demonstrate how one can leverage automated vulnerability scanners (like ZAP, through its Python API) and simulate manual testing using a custom security automation suite. In Application Penetration Testing, it's impossible to have a one-size-fits-all, but there’s no reason why we can’t deliver custom security automation to simulate most of the manual penetration testing and combine it into a custom security automation suite that integrates with CI tools like Jenkins and Travis. I intend to demonstrate the use of a custom security test suite (written in Python that integrates with Jenkins), against an intentionally vulnerable e-commerce app. 
- My talk will also detail automation to identify vulnerabilities in software libraries and components, integrated with CI tools. 
- Finally, I will (with the use of examples and demos) explain how one can use “Infrastructure as Code” practice to perform pre and post deployment security checks, using tools like Chef, Puppet and Ansible.

Speakers

Abhay Bhargav

Chief Technology Officer, we45
Abhay Bhargav is the founder and CTO of we45, a focused Information Security Solutions Company. He has extensive experience with Information Security. He has performed security assessments for various enterprises in various domains like banking, software development, retail, telecom and legal. He is also the co-author of “Secure Java for Web Application Development” published by CRC Press, New York and is the author of “PCI...


Friday July 1, 2016 12:25 - 13:10
Room B (Tiziano Ballroom Sec. 1)

12:25

2016 State of Vulnerability Exploits
A yearlong study of new trends in vulnerability exploits to identify, prioritize and mitigate the most relevant issues. Exploit data from 20+ top exploit kits including Angler, Nuclear, SweetOrange, Magnitude, Rig, Neutrino and others is included. Also included is data from numerous exploit frameworks like Exploit-db, Core Security, Immunity, Qualys, DSquare, Agora, White Phosphorus and others.

Speakers

Amol Sarwate

Director of Vulnerability and Compliance Labs, Qualys Inc.
As Director of Vulnerability Labs at Qualys, Amol Sarwate heads a worldwide team of security researchers who analyze the threat landscape of exploits, vulnerabilities and attacks. He is a veteran of the security industry who has worked for the last 15 years on firewalls, vulnerability scanners, and embedded security at McAfee, Hitachi, i2 and other organizations. He has presented his research on various topics like Vulnerability Trends, Credit Card...


Friday July 1, 2016 12:25 - 13:10
Room C (Tiziano Ballroom Sec. 2)

13:10

Lunch
Friday July 1, 2016 13:10 - 14:10
Botticelli Ballroom

14:10

Practical Attacks on Real World Crypto Implementations
While the cryptographic community concentrates on designing provably secure cryptographic primitives, real-world implementations still suffer from vulnerabilities presented more than a decade ago at scientific crypto conferences. In recent years, we could for example observe resurrections of padding oracles, Bleichenbacher attacks, or invalid curve attacks. These examples prove the existence of a large gap between the crypto and security communities. 

This talk will give an overview of our recent attacks on cryptographic libraries. We will first discuss the application of Bleichenbacher's attack on various TLS implementations. We will give important insights about the side channels that allowed us to perform the attacks. In particular, we first show that there existed implementations allowing us to apply Bleichenbacher's attack directly. Second, we show that additional exception handling in object-oriented languages could lead to timing side channels, which could be exploited over the network, in real conditions. 

We will then move to the description of invalid curve attacks (also known as invalid point attacks). These attacks were first described by Biehl et al. at Crypto 2000, and can be circumvented by simply checking whether an incoming point belongs to the correct curve. However, our recent study of various crypto libraries and Hardware Security Modules revealed that three of them were vulnerable to these attacks. This allowed us to extract EC private keys from Java servers or from the Utimaco HSM. 
At the end of the talk, a real attack against an Apache Tomcat server will be presented, and how it could be used to extract a private EC key. 


This talk is based on these publications: 
- Christopher Meyer, Juraj Somorovsky, Eugen Weiss, Jörg Schwenk, Sebastian Schinzel and Erik Tews. Revisiting SSL/TLS Implementations: New Bleichenbacher Side Channels and Attacks. 23rd USENIX Security Symposium (Usenix Security 2014). 
- Tibor Jager, Juraj Somorovsky and Jörg Schwenk. Practical Invalid Curve Attacks on TLS-ECDH. ESORICS 2015. 
- Dennis Kupser, Christian Mainka, Jörg Schwenk, Juraj Somorovsky. How to Break XML Encryption - Automatically. Workshop on Offensive Technologies (WOOT), 2015. 

Our papers are available at https://www.nds.rub.de/chair/people/jsomorovsky/

Speakers

Juraj Somorovsky

Security Consultant, Hackmanit GmbH
Juraj Somorovsky finished his PhD in the area of XML Security in 2013. In his thesis „On the Insecurity of XML Security“ he analyzes various attacks on Web Services and presents practical countermeasures against these attacks, which were applied in XML Security specifications and in countless frameworks and applications. He presented his work at many scientific and industry conferences, including Usenix Security and OWASP Germany. Currently...


Friday July 1, 2016 14:10 - 14:55
Room C (Tiziano Ballroom Sec. 2)

14:10

From DTD to XXE: An Evaluation of XML-Parsers
Extensible Markup Language (XML) is extensively used today in applications, protocols and databases. XML has to be well-formed and can optionally be valid. If the document conforms to the grammar which is specified within the DTD, the document is called valid. DTDs also introduce entities, which are basic storage units. This is problematic because entities introduce a series of vulnerabilities. Two of the most widely known constitute a denial-of-service (DoS) attack, called billion laughs, and an XML External Entity (XXE) attack. Both were first discovered back in 2002. With web services becoming more popular and other standards evolving, like XML Inclusions (XInclude) and Extensible Stylesheet Language Transformations (XSLT), other threats soon followed, like using XInclude in a similar way as XXE, URL Invocation to conduct Server Side Request Forgery attacks, and encoding issues. Using XSLT and the security thereof is a (research) topic on its own. A quick Internet search reveals that most of these threats are still active today and are further developed and automated. [1][2][3] At the time of writing the Common Vulnerability Database [4] reports a total of 168 findings for XXE and 15 for DoS using the billion laughs attack. Therefore we assume that DTDs are still prevalent and widely activated. D. Morgan and Ibrahim [5] investigated this matter in a structured way in 2014. Other news concerning the security of XML is spread all over the Internet [6][7][8][9][10].

This presentation delivers the following contributions. First we accumulate up-to-date knowledge of XML security. Second we implement tests for a better understanding of entity processing. Third we implement an exhaustive set of tests to check the default settings of a plethora of parsers from different programming languages. Fourth we investigate the impact of features which govern the processing of DTD and entities in those parsers. Fifth we present a new attack using XML Attribute Value Normalization, which is a part of the XML specification.

Summary:
- We show how DTD attacks work
- 28 parsers from 6 languages were analyzed (Ruby, .NET, PHP, Java, Python, Perl)
- A total of 1107 tests were executed to evaluate the security of all parsers
- We computed a score to measure the security of each parser, helping developers choose the best parser.


[1] SSD Advisory – ZendXml multibyte payloads XXE/XEE. [Online]. Available: https://blogs.securiteam.com/index.php/archives/2550
[2] Burp Suite now reports blind XXE injection. [Online]. Available: http://blog.portswigger.net/2015/05/burp-suite-now-reports-blind-xxe.html?m=1
[3] Forcing XXE reflection through server error messages. [Online]. Available: https://blog.netspi.com/forcing-xxe-reflection-server-error-messages/
[4] CVE – Common Vulnerabilities and Exposures (CVE). [Online]. Available: https://cve.mitre.org
[5] XML Schema, DTD, and Entity Attacks. [Online]. Available: http://vsecurity.com/download/papers/XMLDTDEntityAttacks.pdf
[6] Nir Goldshlager. [Online]. Available: https://twitter.com/Nirgoldshlager/status/618417178505814016
[7] Best XML library to validate XML from untrusted source. [Online]. Available: http://www.perlmonks.org/?node_id=1104296
[8] [Online]. Available: https://www.owasp.org/index.php/XML_External_Entity_%28XXE%29_Processing
[9] [Online]. Available: https://media.blackhat.com/eu-13/briefings/Osipov/bh-eu-13-XML-data-osipov-slides.pdf
[10] [Online]. Available: http://lab.onsec.ru/2014/06/xxe-oob-exploitation-at-java-17.html

Speakers

Christian Mainka

Security Consultant, Hackmanit GmbH
Christian Mainka is a PhD Student at the Ruhr University Bochum, Chair for Network and Data Security. Since 2009, he has focused on XML and Web Services technologies, develops his penetration testing tool WS-Attacker and has published several papers on XML security related topics at scientific workshops and conferences. Nowadays, the tool contains a large collection of specific attacks, which can be automatically applied to SOAP-based...

Vladislav Mladenov

Ruhr University Bochum
Vladislav Mladenov is a PhD Student at the Ruhr University Bochum, Chair for Network and Data Security. He is interested in the security of XML-based services. Additionally, he investigates different Single Sign-On protocols like OAuth, OpenID, OpenID Connect and SAML. Other topics of interest are Identity Management and Cloud Computing.

Christopher Späth

RUB
Christopher Späth is a PhD Student at the Ruhr University Bochum, Chair for Network and Data Security. He wrote his master thesis about the security implications of DTD attacks against a wide range of XML parsers. His first contact with XML security was back in 2011, when he wrote an XML Fuzzer in Java for arvato infoscore as his bachelor thesis. Homepage: http://nds.rub.de/chair/people/spaetc1k/


Friday July 1, 2016 14:10 - 14:55
Room B (Tiziano Ballroom Sec. 1)

14:10

Grip on SSD: Dutch government standard for outsourcing secure software

This talk presents the method ‘Grip on Secure Software Development’: the result of a continuous cooperation between Dutch security experts, large software suppliers and government organisations. This method provides guidelines for clients and software suppliers to coordinate application security: discuss it, agree on it and control it.

More than 20 organisations are involved in this initiative, including the Dutch Tax office, IBM, Cap Gemini, the Ministry of the Interior and the Software Improvement Group.



Speakers

Rob van der Veer

Principal consultant, Software Improvement Group
Rob van der Veer has an extensive background in building software and running software businesses. IT security has been a constant theme in his career, from hacking into the British RAF in 1986, to building big data solutions for national security. As principal consultant at the Software Improvement Group, Rob is responsible for SIG’s services regarding software quality for security. Rob is one of the founders of the Grip on Secure Software...


Friday July 1, 2016 14:10 - 14:55
Room D (Tiziano Ballroom Sec. 3)

14:10

Securing AngularJS Applications
Since its birth, the Web evolved from a system to share and view scientific documents to a full-blown platform for sophisticated applications. While in the beginning most Web applications were implemented purely on the server-side, modern ones heavily rely on client-side components.

AngularJS is the latest addition in this process. Within an Angular application the server is merely a data storage facility with a few additional access checks. The core of the application is running on the client-side.

As Angular is specifically designed to work on the client-side, it attempts to remove the main points of friction for developers. By providing a templating system, two-way bindings and custom directives, DOM interactions can be reduced to a bare minimum.

From a security point of view this is very interesting as Angular removes the need for using some DOM APIs with very sharp edges (innerHTML, document.write). On the other hand, Angular introduces new ways of approaching application development that are largely unexplored in terms of security.

This talk provides an in-depth introduction to the security of Angular applications. It first introduces the core design ideas and security principles of AngularJS. Then, based on the experience of the Google Security Team, it shows common security pitfalls that are specific to Angular applications. In general, the talk covers Angular's string interpolation functionality, strict auto-escaping templates, URL-based directives and insecure legacy APIs. All the presented issues are based on real-world bugs. The talk will demonstrate how to find and prevent these issues in practice.

Speakers

Sebastian Lekies

Sebastian Lekies is an Information Security Engineer at Google and a PhD Student at the Ruhr-University Bochum. His research interests encompass client-side Web application security and Web application security testing. He graduated from University of Mannheim with a M.Sc. in Business Information Systems. At Google, Sebastian is part of the Security Test Engineering team that develops Google’s internal Web application security scanner and the...


Friday July 1, 2016 14:10 - 14:55
Room A (Michelangelo Ballroom Sect. 3)

14:10

Lightning Training - Getting started with AWS Security
Due to the increasing adoption of Amazon Web Services (AWS) as a cloud service provider, its security is of paramount importance. In this training, we will demonstrate the impact of misconfigured AWS infrastructure (pivoting from a vulnerable demo application) that leads to multiple security-impacting scenarios. We will then walk through a series of defense-in-depth actionable steps that attendees will be able to apply in real-life deployments.

Speakers

Mukul Khullar

Security, LinkedIn
Mukul Khullar is a security researcher with over 7 years of experience in the application and network security fields. At LinkedIn, he works as a Senior Information Security Engineer responsible for identifying threats, vulnerabilities and design flaws that may impact LinkedIn’s applications and infrastructure. Prior to that, Mukul worked as a Senior Security Analyst at Ernst & Young’s Advanced Security Center, helping Fortune 500 companies...

Rohit Pitke

Rohit Pitke is a security researcher with over 9 years of experience in the application and network security fields. At LinkedIn, he works as a Senior Information Security Engineer responsible for application security and penetration testing. Prior to that, Rohit has worked at multiple technology companies such as Adobe, Salesforce and Symantec. He also presented on Securing Cloud Deployments at AppSec USA-2015.


Friday July 1, 2016 14:10 - 16:10
Caravaggio 8

15:00

Big problems with big data - Hadoop interfaces security
Did "cloud computing" and "big data" buzzwords bring new challenges for security testers? 
In this presentation I would like to show that penetration testing of a Hadoop installation does not really differ much from any other application. Apart from the complexity of the installation and the number of interfaces, standard techniques can be applied to test for: web application vulnerabilities, SSL security, encryption at rest, obsolete library bugs and the least privilege principle. 
We tested popular Hadoop environments and found a few critical vulnerabilities, which for sure cast a shadow on big data security. So as not to stop with CVE shooting, we would like to show you our approach to testing big data installations and a few ideas of how to keep them secure. 

Outline: 
- big data installations architecture 
- attack vectors and surfaces 
- least privilege principle in popular Hadoop environments 
- more detailed attack vectors and possible risks: obsolete packages in popular Hadoop environments, vulnerabilities in web interfaces 
- more focus on administrative interfaces (Ranger, Ambari, Hue) 
- problems with user interfaces (e.g. Hue) 
- hints for pentesting Hadoop installations 
- hints for securing Hadoop installations

Speakers

Jakub Kaluzny

Sr. IT Security Consultant, SecuRing
Jakub is a Senior IT Security Consultant at SecuRing and performs penetration tests of high-risk applications, systems and devices. He was a speaker at many international conferences: BlackHat Asia, OWASP AppSec EU, PHDays, HackInTheBox, ZeroNights, as well as at local security events. He previously worked for the European Space Agency and an internet payments intermediary. Apart from testing applications, he digs into proprietary network protocols...


Friday July 1, 2016 15:00 - 15:45
Room C (Tiziano Ballroom Sec. 2)

15:00

Everything You Need to Know About Certificate Pinning, But Are Too Afraid To Ask
Pinning Certificates (“Cert Pinning”) trends perennially, coming to the fore with each new SSL hack. Security urges developers to pin certs and many mobile apps do — some applying pinning to problems it doesn’t solve while others do so entirely unnecessarily. What risks does pinning really reduce? What should a developer consider prior to deciding to pin certs? Are there tradeoffs? Once decided, how should they do it?

Taking a perspective useful to both developers and penetration testers, this presentation covers these tradeoffs; from how organizational maturity impacts viability, to the risk reduction offered by the choices developers make about which elements of the certificate and chain to validate. 
The presentation will quickly recap the basics of certificates, their chains, and SSL validation.

Expect to leave understanding common misconceptions and key subtleties of pinning that may in fact /decrease/ security or impose undue complexity. Expect to understand common developer mistakes in pinning, for example in mobile WebViews. By the end of the presentation attendees will understand organizational and operational complexities, relevant design, and implementation-level detail.

Speakers

John Kozyrakis

Technical Strategist, Cigital
John Kozyrakis is a Technical Strategist at Cigital and his primary area of expertise is mobile application security. Over the years, he has been involved with penetration testing, reviewing source code, security architecture and reverse engineering. John works with software architects and developers daily, helping them build security into their applications. He has played a key role in Cigital's Mobile Software Security Team, where he helps...


Friday July 1, 2016 15:00 - 15:45
Room B (Tiziano Ballroom Sec. 1)

15:00

From Facepalm to Brain Bender - Exploring Client-Side Cross-Site Scripting
With the current generation of dynamic, client-side Web applications, the issues related to attacks against the client rise. Arguably the biggest problem is Cross-Site Scripting, which has been known for a number of years. Although studies have shown that at least one in ten Web pages contains a client-side XSS vulnerability, the prevalent causes for this class of Cross-Site Scripting have not been studied in depth. Therefore we present a large-scale study to gain insight into these causes. To this end, we analyze a set of 1,273 real-world vulnerabilities contained on the Alexa Top 10k domains using a specifically designed architecture, consisting of an infrastructure which allows us to persist and replay vulnerabilities to ensure a sound analysis. In combination with a taint-aware browsing engine, we can therefore collect important execution trace information for all flaws. 

Based on the observable characteristics of the vulnerable JavaScript, we derive a set of metrics to measure the complexity of each flaw. We subsequently classify all vulnerabilities in our data set accordingly to enable a more systematic analysis. In doing so, we find that although a large portion of all vulnerabilities have a low complexity rating, several incur a significant level of complexity and are repeatedly caused by vulnerable third-party scripts. In addition, we gain insights into other factors related to the existence of client-side XSS flaws, such as missing knowledge of browser-provided APIs, and find that the root causes for Client-Side Cross-Site Scripting range from unaware developers to incompatible first- and third-party code. 

In addition, we showcase several of the identified problems and discuss the often occurring well-meant, but ultimately ineffective countermeasures we discovered. We will end the talk with an overview of best practices that allow developers to avoid such problems.

Speakers

Bernd Kaiser

Netzkollektiv

Sebastian Lekies

Sebastian Lekies is an Information Security Engineer at Google and a PhD Student at the Ruhr-University Bochum. His research interests encompass client-side Web application security and Web application security testing. He graduated from University of Mannheim with a M.Sc. in Business Information Systems. At Google, Sebastian is part of the Security Test Engineering team that develops Google’s internal Web application security scanner and the...

Stephan Pfistner

Stephan Pfistner is an Information Security Engineer at Google. He holds a M.Sc. in IT Security from Technical University of Darmstadt. His research interests revolve around Web application and network security as well as security testing in those areas. As part of the Security Test Engineering team at Google, Stephan works on Google’s internal Web application security scanner and the externally facing Cloud Security Scanner... Read More →

Ben Stock

CISPA, Saarland University
Dr.-Ing. Ben Stock is a postdoctoral researcher at the Center for IT-Security, Privacy, and Accountability at Saarland University. Prior to that, Ben finished his PhD at the University of Erlangen, researching the specifics of Client-Side Cross-Site Scripting. His research was published at major academic conferences and he has been a speaker at important non-academic conferences, such as OWASP AppSec and Blackhat. His research now focusses...


Friday July 1, 2016 15:00 - 15:45
Room A (Michelangelo Ballroom Sect. 3)

15:00

The Cool Factor: Security's Secret Weapon
What sets the security team apart from any other engineering team at a company? Why do Chris Hemsworth fans know about backdoors and payloads? How do you design a swag t-shirt that people would actually want to wear? These questions and more will be answered in this talk. 

The security team stands in a unique position in their company because of the rich topic area they deal with. Their caliber of talent will make or break the company in a day. The stakes are high. Security incidents are as interesting as they are scary. We can use this to our advantage to roll out effective and popular security awareness campaigns that will move the needle towards a more secure environment. 

This talk will dive into examples of security awareness in pop culture, guidance for creating a security culture program, and the secret to the perfect t-shirt.

Speakers

Marisa Fagan

Sr Trust Engagement Manager, Salesforce
Marisa Fagan brings 9 years of experience building communities in the Information Security industry to her role as Senior Technology Program Manager at Salesforce. On the Trust Engagement team, she contributes to securing the human element of the threat landscape. Previously, Mrs. Fagan worked on outreach programs for the security community at Bugcrowd, Facebook, and Errata Security. She has presented her work at conferences such as...


Friday July 1, 2016 15:00 - 15:45
Room D (Tiziano Ballroom Sec. 3)

15:45

16:15

Attracting and retaining women in Cyber Security

Having held technical roles all her life, Jacky shares some of her experiences and thoughts on how we could alleviate the worldwide cyber resource shortage by attracting and retaining more women in Cyber Security.


Speakers

Jacky Fox

Cyber & IT Forensic Lead, Deloitte
Jacky Fox: Cyber & IT Forensic lead, Deloitte Ireland. Jacky joined Deloitte in 2012, bringing 20 years of Irish and international IT consulting experience. Jacky previously worked with large American PC manufacturing corporations serving clients from both corporate and public sectors. She has broad experience gained over three decades in the PC industry, giving her an in-depth knowledge of hardware, operating systems, application software...


Friday July 1, 2016 16:15 - 17:00
Room A (Michelangelo Ballroom Sect. 3)

16:15

Static Code Analysis of Complex PHP Application Vulnerabilities
PHP remains the most popular server-side language on the Web and the favored language for Web attacks. Although developers are becoming more aware of traditional vulnerability types, such as XSS and SQLi, these flaws still persist due to faulty security mechanisms or intricate language features. Moreover, more complex vulnerability types, such as second-order vulnerabilities or PHP object injections, are comparatively unknown and actively exploited by attackers.

The manual detection of such complex vulnerabilities in modern PHP applications with hundreds of thousands of lines of code is time-consuming and expensive. With the help of static code analysis, security vulnerabilities can be detected in an automated fashion and subsequently remediated. However, previous research in this area focused only on the shallow detection of traditional vulnerability types and dismissed more complex occurrences or types of vulnerabilities.

This talk shows how to detect complex vulnerabilities automatically with state-of-the-art code analysis techniques. The techniques are able to precisely detect traditional security vulnerabilities in various markup contexts, as well as second-order vulnerabilities and gadget chains for PHP object injections. Further, open challenges and lessons learned during the development and evaluation of the techniques are outlined.
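As an added illustration of the two complex vulnerability classes the abstract names (example code written for this page, not code from the talk or from RIPS Technologies), the following PHP script shows a PHP object injection reached through a __destruct gadget and a second-order SQL injection, each next to a hardened variant. All class, table and function names are hypothetical, the SQLite in-memory database stands in for a real one, and the script assumes PHP 7.0 or later with the pdo_sqlite extension.

```php
<?php
// Added illustration, not code from the talk: a PHP object injection reached
// through a gadget chain, and a second-order SQL injection, each beside a
// hardened variant. Class, table and function names are hypothetical.
// Needs PHP >= 7.0 (for allowed_classes) and the pdo_sqlite extension.

// ---- 1. PHP object injection: unserialize() sink plus a __destruct gadget ----
// An innocent-looking class elsewhere in the code base. Instantiated with
// attacker-chosen properties, its cache write becomes an arbitrary file write.
class CacheEntry
{
    public $path = '/tmp/cache.bin';
    public $data = '';

    public function __destruct()
    {
        file_put_contents($this->path, $this->data); // sink, reached via the gadget
    }
}

// Vulnerable: every class with a magic method becomes reachable from the cookie.
function loadStateVulnerable($cookie)
{
    return unserialize(base64_decode($cookie));
}

// Hardened: no object is instantiated, so no magic method can run; object nodes
// come back as __PHP_Incomplete_Class. Storing state as JSON is better still.
function loadStateHardened($cookie)
{
    $raw = base64_decode($cookie, true);
    return $raw === false ? null : unserialize($raw, ['allowed_classes' => false]);
}

// The payload as an attacker hand-crafts it: no CacheEntry object exists on the
// attacker's side, so nothing is written until the victim unserializes it.
function craftGadgetPayload($path, $data)
{
    return base64_encode(sprintf(
        'O:10:"CacheEntry":2:{s:4:"path";s:%d:"%s";s:4:"data";s:%d:"%s";}',
        strlen($path), $path, strlen($data), $data
    ));
}

$target  = sys_get_temp_dir() . '/poi_gadget_demo.txt';
$payload = craftGadgetPayload($target, "written by the gadget\n");

$state = loadStateVulnerable($payload);
unset($state);                                            // __destruct fires here
echo 'vulnerable: file written = ', var_export(file_exists($target), true), "\n";
@unlink($target);

$state = loadStateHardened($payload);
echo 'hardened:   got ', get_class($state), "\n";
unset($state);
echo 'hardened:   file written = ', var_export(file_exists($target), true), "\n";

// ---- 2. Second-order SQL injection: stored safely, used unsafely later ----
$db = new PDO('sqlite::memory:', null, null, [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
$db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, password TEXT)');
$db->exec("INSERT INTO users (name, password) VALUES ('alice', 'alice-secret')");

// Registration is parameterised, so the hostile name is stored verbatim and is
// harmless here; a scanner that stops at this first-order sink sees no bug.
function register(PDO $db, $name, $password)
{
    $db->prepare('INSERT INTO users (name, password) VALUES (?, ?)')->execute([$name, $password]);
    return (int) $db->lastInsertId();
}

function nameOf(PDO $db, $userId)
{
    return $db->query('SELECT name FROM users WHERE id = ' . (int) $userId)->fetchColumn();
}

// Vulnerable: a value read back from the database is trusted and concatenated.
function resetPasswordVulnerable(PDO $db, $userId, $newPassword)
{
    $name = nameOf($db, $userId);
    $db->exec("UPDATE users SET password = '$newPassword' WHERE name = '$name'");
}

// Hardened: data from the database is bound exactly like data from the request.
function resetPasswordHardened(PDO $db, $userId, $newPassword)
{
    $db->prepare('UPDATE users SET password = ? WHERE name = ?')
       ->execute([$newPassword, nameOf($db, $userId)]);
}

$evilId = register($db, "alice' -- ", 'x');      // closes the quote, comments out the rest
resetPasswordVulnerable($db, $evilId, 'pwned');
echo "vulnerable: alice's password = ", $db->query("SELECT password FROM users WHERE name = 'alice'")->fetchColumn(), "\n";

$db->exec("UPDATE users SET password = 'alice-secret' WHERE name = 'alice'");
resetPasswordHardened($db, $evilId, 'pwned');
echo "hardened:   alice's password = ", $db->query("SELECT password FROM users WHERE name = 'alice'")->fetchColumn(), "\n";
```

Run it with the php command-line binary. The second half makes the abstract's point about second-order flaws: the hostile username passes the parameterised INSERT untouched, so a scanner that only inspects first-order sinks reports nothing, and the injection only materialises where the stored value is concatenated into the later UPDATE. In the first half, allowed_classes => false stops the gadget because no object is instantiated at all; an allow-list of class names is the weaker option, since any permitted class that carries a magic method is itself a gadget candidate.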

Speakers

Johannes Dahse

CEO, RIPS Technologies
Dr. Johannes Dahse recently finished his Ph.D. in IT security at the Ruhr-University Bochum, Germany. In the past four years, he explored new static code analysis techniques in order to assist his work as a security consultant. Since then, he has been co-founder and CEO of RIPS Technologies, a Bochum-based IT security company with a focus on code analysis solutions for web applications.


Friday July 1, 2016 16:15 - 17:00
Room B (Tiziano Ballroom Sec. 1)

16:15

Why Hackers Are Winning The Mobile Malware Battle - Bypassing Malware Analysis Techniques
In the proverbial game of cat-and-mouse between endpoint security vendors and malware writers, malware attacks have recently grown more sophisticated. More enterprises are losing ground to hackers, who are able to outmaneuver static and runtime solutions by constantly changing their attack strategies. The team that uncovered iOS malicious profiles, WiFiGate, HTTP Request Hijacking and Invisible Profiles is taking it upon itself to coach enterprises on how to regain control and turn the tables on the hackers behind next-generation mobile malware. 

In their presentation, Yair and Adi will break down the current set of techniques (signatures, static analysis, dynamic analysis, social cyber-intelligence) used to identify malware on mobile devices, and identify the pros and cons of these approaches. They will also explain why attackers constantly succeed in fooling these technologies, and explore the problem of false positive/false negative tradeoffs in such solutions. 

During a live, interactive demo, Adi and Yair will create a mobile malware sample designed to go undetected by all static and runtime analysis technologies. The new malware will then be scanned by public commercial mobile endpoint protection solutions. Audience members will be encouraged to participate, and opt into an ethical attack to witness the results in real time.

Speakers

Yair Amit

CTO & Founder, Skycure
Yair Amit is co-founder and CTO at Skycure, leading the company’s research and vision and overseeing its R&D center. Yair has been active in the security industry for more than a decade with his research regularly covered by media outlets and presented in security conferences around the world. Prior to co-founding Skycure, Yair managed the Application Security and Research Group at IBM, joining through the acquisition of Watchfire. At IBM, Yair...


Friday July 1, 2016 16:15 - 17:00
Room C (Tiziano Ballroom Sec. 2)

16:15

Running a bug bounty: what you need to know.
Having a bug bounty program is one of the most cost-effective and productive methods of finding security vulnerabilities today. Bug bounty programs provide substantial value in terms of findings, only require payment for valid results, and bring a level of depth via manual testing that goes beyond the capabilities of scanners and other traditional pen-testing tools – often serving as a valuable complement to automated testing. But, as anyone who has tried to run a bug bounty program knows, it's no simple or small undertaking... 

As professionals who have helped to create and manage hundreds of bug bounty programs, we're well placed to cover key bounty concepts and provide advice on how to run a successful bug bounty program. Whether you're already running a bug bounty program, looking to run one, or are a researcher who participates in programs, this talk aims to deepen your knowledge of the subject. 

The talk will be broken up into two parts: 

1) The first segment will cover setting up a bug bounty program, including specific tips and guidance for creating a successful one. Having set up and run a range of bounty programs – some requiring more work than others – we have gathered invaluable insights into what it takes to make a program successful. Some of the key concepts and questions that will be covered include (but are not limited to): 

Scoping - how to focus researchers on the targets that matter to you. What considerations should you make when setting your scope? 
Compensation - how much should you pay, and what does that get you? 
Public vs. private bounties - is this open to the world, or only a select group? 
Managed vs. self-managed - are you planning on processing all the vulnerabilities yourself, or do you plan to outsource the initial processing of submissions? 
Getting the most out of your program - thoughts on what should be in/out of scope, standard exclusions, and other information to provide researchers with everything they need to be successful. 
Your promise to the researchers - response times, communication, and public disclosure. What do you bring to the table? 
Researcher engagement and participation - how do you keep researchers engaged and participating in your program? 
Access, etc - how will researchers be testing your app? Credentials/access/etc? 

2) The second segment will cover the validation and processing of researchers' submissions. Using the experience we've gained from having processed tens of thousands of researcher submissions, we will provide insight into the back end of security operations for a bug bounty program. Key topics include: 

Tips for evaluating researcher submissions - anyone who has run a bounty knows the submission volume can be overwhelming at times. How do you deal with and process these submissions? 
What makes up a good report? - some thoughts for researchers, on how to write quality submissions. 
Communicating with researchers - how do you communicate with researchers, deal with unhappy researchers, etc? 
Thoughts on recommended vulnerability priority ratings - what priority level and payout should you give for any given vulnerability? 
Working with a team - some real-world learning experiences and tips for working as a team and applying those lessons to issues as they arise. 
And of course, some classic submission horror stories… 

By the end of the talk, attendees who managed to stay awake will have a behind-the-scenes understanding of how to successfully set up, run, and participate in a bug bounty program.

Speakers

Shpend Kurtishaj

Shpend Kurtishaj is an occasional bounty hunter himself and works for Bugcrowd (a crowdsourced bug bounty platform), helping run and manage clients’ bounty programs. He has worked on hundreds of bounty programs, processed thousands of submissions, and has a litany of valuable insights to share from the world of bug bounties. Shpend works as an Application Security Engineer who helps process and validate incoming submissions to bounty programs. He...

Grant McCracken

Solutions Architect, Bugcrowd
Grant has been with Bugcrowd, a crowdsourced cybersecurity solution, for roughly two years, initially helping process bounty submissions as an Application Security Engineer/Analyst and later transitioning to his current role of Solutions Architect. With a background in appsec, and as an occasional bug hunter himself, he offers a unique perspective to Bugcrowd clients, helping them create, set up, and manage successful bounty programs across a...


Friday July 1, 2016 16:15 - 17:00
Room D (Tiziano Ballroom Sec. 3)

17:05

Keynote - Can Security Keep Up the Pace with Frictionless IT?
Public cloud services made personal IT incredibly fast and easy to use. And now consumers expect the same kind of frictionless experience from enterprise IT. The demand for “frictionless IT” is growing and will be the only acceptable IT for new generations of business users. This demand is reshaping how applications are designed, developed, and released. Is the security industry ready to support this revolution?

Speakers

Alessandro Perilli

Alessandro Perilli is the general manager for cloud management strategy at Red Hat and is a widely respected authority on virtualisation and cloud computing. Prior to joining Red Hat, Alessandro was a Research Director at Gartner, leading the private cloud research program in Gartner’s Technical Professionals division. There, Alessandro spent time consulting for large end-user organizations and cloud vendors, advising enterprises on...


Friday July 1, 2016 17:05 - 17:50
Plenary Sessions (Michelangelo Ballroom Sec. 1+2)

17:50

18:00

OWASP Global Board of Directors Meeting
Friday July 1, 2016 18:00 - 20:00
Bramante 1