

October 19, 2015



  1. • 1200+ participants
     • 60+ speakers
     • 40 sessions
     • 9 one-hour training sessions
     • 9 training courses
     • 4 panel discussions (Fireside Chats)
     • 3 keynotes
     • Project Summit
     • Chapter Leader Workshop
     • Women in AppSec
  2. Keynotes
     • The Moral Imperatives and Challenges for Modern Application
     • Adapting AppSec for the Modern Internet, Alex Stamos, CSO, Facebook
     • Cybersecurity Partnership, Technology and Trust, Dr. Phyllis Schneck, DHS
     • 50 Shades of AppSec, Troy Hunt, Author, Pluralsight
  3. Adapting AppSec for the Modern Internet, Alex Stamos, CSO, Facebook
     • The modern Internet is not what you think
     • How should AppSec adapt?
     • Use the word safety
     • Focus on real vs. potential harm
     • Accept non-optimal solutions in non-optimal situations
     • Apps should protect themselves
     • Stop whining
     • Improve people’s lives
  4. Sessions (Topic: AppSec, 1/2)
     • Building your own large scale web security scanning infrastructure in 40 minutes (Bishan Kochar • Albert Yu)
     • Security as Code: A New Frontier (Shannon Lietz • Christian Price)
     • WebRTC, or how secure is p2p browser communication? (Lieven Desmet • Martin Johns)
     • Blending the Automated and the Manual: Making Application Vulnerability Management Pay Dividends (Dan Cornell • Steven Springett)
     • Customizing Burp Suite - Getting the Most out of Burp Extensions (August Detlefsen • Monika Morrow)
     • The Inmates Are Running the Asylum – Why Some Multi-Factor Authentication Technology is Irresponsible (Clare Nelson)
     • A New Ontology of Unwanted Web Automation (Colin Watson)
     • Practical Timing Attacks using Mathematical Amplification of Time Difference in == Operator (Mostafa Siraj)
     • Strengthening the Weakest Link: How to Manage Security Vulnerabilities in Third Party Libraries Used by Your Application (Krishnan Dhandapani)
     • Ah mom, why do I need to eat my vegetables? (John Pavone)
     • Efficient Context-sensitive Output Escaping for JavaScript Template Engines (Adonis Fung • Nera Wing Chun Liu • Albert Yu)
     • Secure Authentication without the Need for Passwords (Don Malloy)
     • Sinking Your Hooks in Applications (Richard Meester • Joe Rozner)
  5. Sessions (Topic: AppSec, 2/2)
     • Detecting and managing bot activity more efficiently (David Senecal)
     • Modern Malvertising and Malware web-based exploit campaigns (James Pleger)
     • Game of Hacks: The Mother of All Honeypots (Igor Matlin)
     • PHP Security, Redefined (Chris Cornutt)
     • The State of Web Application Security in SCADA Web Human Machine Interfaces (HMIs) (Aditya K Sood)
     • Cisco’s Security Dojo: Raising the Application Security Awareness of 20,000+ (Chris Romeo)
     • AppSensor: Real-Time Event Detection and Response (John Melton)
     • New Methods in Automated XSS Detection: Dynamic XSS Testing without Using Static Payloads (Ken Belva)
     • Providence: rapid vulnerability prevention (Hormazd Billimoria • Max Feldman • Xiaoran Wang)
  6. Sessions (Topic: Cloud)
     • Hack the Cloud Hack the Company: the Cloud Impact on Enterprise Security (Kevin Dunn)
     • Chimera: Securing a Cloud App Ecosystem with ZAP at Scale (Tim Bach)
     • Continuous Cloud Security Automation (Rohit Pitke)
     • Future Banks Live in The Cloud: Building a Usable Cloud with Uncompromising Security (Rob Witoff)
     • Going Bananas for Cloud Security - Auditing and Monitoring your AWS deployment with security_monkey (Patrick Kelley)
     • Cipher Text Says “MIID8zCCAtugAwIBAgIBAT” - Enterprise-wide SSL Automation w/ Lemur + CloudCA (Kevin Glisson)
     • Turtles All the Way Down: Storing Secrets in the Cloud and the Data Center (Daniel Somerfield)
  7. Sessions (Topic: DevOps)
     • Securing your application using Docker (Diogo Monica)
     • Practical Application Security Management - How to Win an Economically one-sided War (Dheeraj Bhat)
     • Doing AppSec at Scale: Taking the best of DevOps, Agile and CI/CD into AppSec (Aaron Weaver)
  8. Sessions (Topic: Mobile)
     • QARK: Android App Exploit and SCA Tool (Tushar Dalvi • Tony Trummer)
     • 'SecureMe – Droid' Android Security Application (Vishal Asthana • Abhineet Jayaraj)
     • OWASP Reverse Engineering and Code Modification Prevention Project (Mobile) (Dave Bott • Jonathan Carter)
     • Threat Modeling the IoT Supply Chain (Aaron Guzman)
     • ShadowOS: Modifying the Android OS for Mobile Application Testing (Ray Kelly)
  9. One-hour training sessions (Lightning training)
     • Getting Started with ModSecurity
     • Protecting your Web Application with Content Security Policy (CSP)
     • Security Requirements Identification using the OWASP Cornucopia Card Game
     • Using the OWASP Benchmark to Assess Automated Vulnerability Analysis Tools
     • Security Shepherd Web App Lightning Training
     • Security Testing for Enterprise Messaging Applications
     • The Bug Hunters Methodology
     • Web Application Security Testing with Fiddler
     • Oh Yes, There is no more root detection for your Android App! - Reversing & Patching Binary
  10. Using the OWASP Benchmark to Assess Automated Vulnerability Analysis Tools
     Designed to evaluate the speed, coverage, and accuracy of automated software vulnerability detection tools and services:
     • Static Application Security Testing (SAST) tools
     • Dynamic Application Security Testing (DAST) tools
     • Interactive Application Security Testing (IAST) tools
  11. Static Application Security Testing (SAST) Tools
     Free:
     • PMD (which really has no security rules)
     • FindBugs
     • FindBugs with the FindSecurityBugs plugin
     • SonarQube
     Commercial:
     • Checkmarx CxSAST
     • Coverity Code Advisor (On-Demand and stand-alone versions)
     • HP Fortify (On-Demand and stand-alone versions)
     • IBM AppScan Source
     • Parasoft Jtest
     • Veracode SAST
  12. Dynamic Application Security Testing (DAST) Tools
     Free:
     • Arachni
     • OWASP ZAP
     Commercial:
     • Acunetix Web Vulnerability Scanner (WVS)
     • Burp Pro
     • HP WebInspect
     • IBM AppScan
     • Rapid7 AppSpider