Tuesday, September 16
 

6:30am

Training Registration
Tuesday September 16, 2014 6:30am - 1:00pm
Registration Booth Denver Marriott City Center

8:00am

(Separate registration required) Advanced Web Penetration Testing (day 1 of 2)
This training course is separate from the AppSec USA general conference. Visit http://appsecusa.org/training/ for information about training registration.

Speakers
Jason Gillam

Senior Security Consultant, Secure Ideas
Jason holds his GIAC Web-Application Tester certification. He has spoken at the UNC Charlotte Cyber Symposium, Charlotte ISSA InfoSec Summit and BSides Asheville, is the author of the open-source Burp CO2 project and is actively involved in other projects such as lyinbank.com, MobiSec, Laudanum, and Yokoso! Jason also enjoys teaching, and has been involved in developing and conducting training sessions such as MobiSec, SamuraiWTF, Web Pen Testing...

Kevin Johnson

CEO, Secure Ideas
Kevin Johnson is the Chief Executive Officer of Secure Ideas. Kevin has a long history in the IT field including system administration, network architecture and application development. He has been involved in building incident response and forensic teams, architecting security solutions for large enterprises and penetration testing everything from government agencies to Fortune 100 companies. In addition, Kevin is an instructor and author for...


Tuesday September 16, 2014 8:00am - 5:00pm
Denver Ballroom IV Denver Marriott City Center

8:00am

(Separate registration required) Cryptography for the Modern Developer (day 1 of 1)
This training course is separate from the AppSec USA general conference. Visit http://appsecusa.org/training/ for information about training registration.

Speakers
Timothy Morgan

Tim is credited with the discovery and responsible disclosure of several security vulnerabilities in commercial off-the-shelf and open source software including: IBM Tivoli Access Manager, Real Networks Real Player, Sun Java Runtime Environment, Google Chrome Web Browser, OpenOffice, and Oracle WebLogic Application Server. Tim develops and maintains several open source forensics tools as well as Bletchley, an application cryptanalysis tool kit...


Tuesday September 16, 2014 8:00am - 5:00pm
Denver Ballroom II Denver Marriott City Center

8:00am

(Separate registration required) Malware Analysis Crash Course (day 1 of 2)
This training course is separate from the AppSec USA general conference. Visit http://appsecusa.org/training/ for information about training registration.

Speakers
Carrie Jung

Senior Consultant, Mandiant
Carrie Jung is a Senior Consultant in Mandiant’s Albuquerque, NM office. She specializes in reverse engineering and malware analysis research. Ms. Jung previously worked at Sandia National Laboratories, where she worked in application, network and low-level systems-based security and reverse engineering. Carrie teaches Malware Analysis to a variety of audiences, including at Black Hat.

Richard Wartell

Consultant, Mandiant
Richard Wartell is a computer that makes malware go backwards for Mandiant/FireEye. He has worked in binary rewriting, x86 disassembly, and binary transparency analysis.


Tuesday September 16, 2014 8:00am - 5:00pm
Denver Ballroom VI Denver Marriott City Center

8:00am

(Separate registration required) OWASP Top 10 – Exploitation and Effective Safeguards (day 1 of 2)
This training course is separate from the AppSec USA general conference. Visit http://appsecusa.org/training/ for information about training registration.

Speakers
David Caissy

Penetration Tester, TRM Technologies Inc.
David Caissy is a web application penetration tester with an in-depth developer and IT security background spanning over 16 years. He has extensive experience in conducting vulnerability assessments and penetration tests as well as providing training globally, amongst numerous other teaching engagements. He has worked for a central bank, the Department of National Defense, various government agencies and private companies. David has been teaching...


Tuesday September 16, 2014 8:00am - 5:00pm
Denver Ballroom III Denver Marriott City Center

8:00am

(Separate registration required) Ruby on Rails - Auditing & Exploiting the Popular Web Framework (day 1 of 2)
This training course is separate from the AppSec USA general conference. Visit http://appsecusa.org/training/ for information about training registration.

Speakers
Joern Schneeweisz

Recurity Labs GmbH
Joern Schneeweisz is a Security Consultant over at Recurity Labs by day. As finding bugs ~8 hrs a day is not enough for him, he digs for bugs in Ruby on Rails apps in his spare time as well. He can look back on almost 5 years of bug hunting in both Ruby on Rails applications and the framework itself. Talk to me about everything which is Ruby on Rails security related, of course. Other topics of interest are: Web...


Tuesday September 16, 2014 8:00am - 5:00pm
Denver Ballroom I Denver Marriott City Center

8:00am

(Separate registration required) Securing Mobile Devices and Applications (day 1 of 2)
This training course is separate from the AppSec USA general conference. Visit http://appsecusa.org/training/ for information about training registration.

Speakers
Dan Amodio

Principal Consultant, Aspect Security
As a Principal Consultant, Dan manages and defines Aspect Security's line of Assessment Services, helping organizations quantify their security risks from design to implementation. He works with staff and clients to develop the team members and deliverables. Dan holds a security clearance and directly supports a variety of client projects. He leads mobile security efforts, security architecture and design reviews, code reviews, and...

David Lindner

Managing Consultant and Global Practice Manager, Aspect Security
David Lindner is a Managing Consultant and Global Practice Manager, Mobile Application Security Services, at Aspect Security. David brings 15 years of IT experience including application development, network architecture design and support, IT security and consulting, and application security. David's focus has been in the mobile space, including everything from mobile application penetration testing/code review to analyzing MDM and BYOD...


Tuesday September 16, 2014 8:00am - 5:00pm
Denver Ballroom V Denver Marriott City Center

9:00am

Open Workshops



Tuesday September 16, 2014 9:00am - 5:00pm
Gold Coin [Project Summit] Denver Marriott City Center

7:30pm

Bug Bash
The Bugcrowd Bug Bash is an application security hackathon where the targets are live and the prizes are real cash bounties! Bugcrowd hosts multiple well-known Bug Bounty Programs on their Crowdcontrol platform. In this event, conference attendees get together in teams in a room to hack together and learn about penetration testing and application security auditing, with the chance to win cash when they find a security vulnerability. Participants may join Team OWASP, create their own teams, or work individually. Only one person per team will collect the reward. All earnings from Team OWASP will be donated to *<to be determined>*.


Tuesday September 16, 2014 7:30pm - 11:59pm
Independence [Skills Lab] Denver Marriott City Center
 
Wednesday, September 17
 

6:30am

Training Registration
Wednesday September 17, 2014 6:30am - 1:00pm
Registration Booth Denver Marriott City Center

8:00am

(Separate registration required) Advanced Web Penetration Testing (day 2 of 2)
This training course is separate from the AppSec USA general conference. Visit http://appsecusa.org/training/ for information about training registration.

Speakers
Kevin Johnson

CEO, Secure Ideas
Kevin Johnson is the Chief Executive Officer of Secure Ideas. Kevin has a long history in the IT field including system administration, network architecture and application development. He has been involved in building incident response and forensic teams, architecting security solutions for large enterprises and penetration testing everything from government agencies to Fortune 100 companies. In addition, Kevin is an instructor and author for...


Wednesday September 17, 2014 8:00am - 5:00pm
Denver Ballroom IV Denver Marriott City Center

8:00am

(Separate registration required) Malware Analysis Crash Course (day 2 of 2)
This training course is separate from the AppSec USA general conference. Visit http://appsecusa.org/training/ for information about training registration.

Speakers
Carrie Jung

Senior Consultant, Mandiant
Carrie Jung is a Senior Consultant in Mandiant’s Albuquerque, NM office. She specializes in reverse engineering and malware analysis research. Ms. Jung previously worked at Sandia National Laboratories, where she worked in application, network and low-level systems-based security and reverse engineering. Carrie teaches Malware Analysis to a variety of audiences, including at Black Hat.

Richard Wartell

Consultant, Mandiant
Richard Wartell is a computer that makes malware go backwards for Mandiant/FireEye. He has worked in binary rewriting, x86 disassembly, and binary transparency analysis.


Wednesday September 17, 2014 8:00am - 5:00pm
Denver Ballroom VI Denver Marriott City Center

8:00am

(Separate registration required) Managing Web & Application Security - OWASP for Senior Managers (day 1 of 1)
This training course is separate from the AppSec USA general conference. Visit http://appsecusa.org/training/ for information about training registration.

Speakers
Tobias Gondrom

Global Board Member, OWASP
Tobias Gondrom is a global board member of OWASP (Open Web Application Security Project) and former chairman until December 2015. Until April 2015, he was leading a boutique Global CISO and Information Security & Risk Management Advisory based in Hong Kong, the United Kingdom and Germany. He has over 15 years of experience leading global teams in information security, software development, application security, cryptography, electronic signatures...


Wednesday September 17, 2014 8:00am - 5:00pm
Penrose 1 [Open Mic] Denver Marriott City Center

8:00am

(Separate registration required) OWASP Top 10 – Exploitation and Effective Safeguards (day 2 of 2)
This training course is separate from the AppSec USA general conference. Visit http://appsecusa.org/training/ for information about training registration.

Speakers
David Caissy

Penetration Tester, TRM Technologies Inc.
David Caissy is a web application penetration tester with an in-depth developer and IT security background spanning over 16 years. He has extensive experience in conducting vulnerability assessments and penetration tests as well as providing training globally, amongst numerous other teaching engagements. He has worked for a central bank, the Department of National Defense, various government agencies and private companies. David has been teaching...


Wednesday September 17, 2014 8:00am - 5:00pm
Denver Ballroom III Denver Marriott City Center

8:00am

(Separate registration required) Ruby on Rails - Auditing & Exploiting the Popular Web Framework (day 2 of 2)
This training course is separate from the AppSec USA general conference. Visit http://appsecusa.org/training/ for information about training registration.

Speakers
Joern Schneeweisz

Recurity Labs GmbH
Joern Schneeweisz is a Security Consultant over at Recurity Labs by day. As finding bugs ~8 hrs a day is not enough for him, he digs for bugs in Ruby on Rails apps in his spare time as well. He can look back on almost 5 years of bug hunting in both Ruby on Rails applications and the framework itself. Talk to me about everything which is Ruby on Rails security related, of course. Other topics of interest are: Web...


Wednesday September 17, 2014 8:00am - 5:00pm
Denver Ballroom I Denver Marriott City Center

8:00am

(Separate registration required) Securing Mobile Devices and Applications (day 2 of 2)
This training course is separate from the AppSec USA general conference. Visit http://appsecusa.org/training/ for information about training registration.

Speakers
David Lindner

Managing Consultant and Global Practice Manager, Aspect Security
David Lindner is a Managing Consultant and Global Practice Manager, Mobile Application Security Services, at Aspect Security. David brings 15 years of IT experience including application development, network architecture design and support, IT security and consulting, and application security. David's focus has been in the mobile space, including everything from mobile application penetration testing/code review to analyzing MDM and BYOD...


Wednesday September 17, 2014 8:00am - 5:00pm
Denver Ballroom V Denver Marriott City Center

9:00am

Open Workshops
Wednesday September 17, 2014 9:00am - 5:00pm
Gold Coin [Project Summit] Denver Marriott City Center

1:00pm

OWASP Media Project Conference Setup
In this session we will see how to operate the setup used to record and live stream talks during the conference. Chapter or project leaders may attend to learn how to stream their own events.

Objectives:
To train the staff of AppSecUSA 2014. To promote the live streaming initiative within OWASP.

Contact:
Jonathan Marcil jonathan.marcil@owasp.org

Wednesday September 17, 2014 1:00pm - 3:00pm
Gold Coin [Project Summit] Denver Marriott City Center

5:00pm

Early Registration
Wednesday September 17, 2014 5:00pm - 8:00pm
Registration Booth Denver Marriott City Center

6:00pm

WASPY Awards 2014 Ceremony
Wednesday September 17, 2014 6:00pm - 7:00pm
Colorado Ballroom [Assembled Conference] Denver Marriott City Center

6:00pm

Welcome Reception
Kick off your networking early at the private Welcome Reception sponsored by WhiteHat Security. Join us for cocktails, hors d’oeuvres, and a special opportunity to connect with speakers, colleagues, sponsors, and VIPs prior to the start of the conference. The Welcome Reception is open exclusively to AppSec USA attendees. Pick up your badge at the registration desk, then join us in the Colorado Ballroom. No RSVP necessary.


OWASP Jeopardy
OWASP welcomes back Jerry Hoff’s OWASP Jeopardy for a second year in a row. OWASP Jeopardy is a contest where the audience puts their knowledge of application security, secure coding and OWASP to the test. Questions will test builders, breakers and defenders. Join us for a fun and informative session.


Wednesday September 17, 2014 6:00pm - 10:00pm
Colorado Ballroom [Assembled Conference] Denver Marriott City Center

7:30pm

Bug Bash
The Bugcrowd Bug Bash is an application security hackathon where the targets are live and the prizes are real cash bounties! Bugcrowd hosts multiple well-known Bug Bounty Programs on their Crowdcontrol platform. In this event, conference attendees get together in teams in a room to hack together and learn about penetration testing and application security auditing, with the chance to win cash when they find a security vulnerability. Participants may join Team OWASP, create their own teams, or work individually. Only one person per team will collect the reward. All earnings from Team OWASP will be donated to *<to be determined>*.


Wednesday September 17, 2014 7:30pm - 11:59pm
Independence [Skills Lab] Denver Marriott City Center
 
Thursday, September 18
 

6:30am

Registration
Thursday September 18, 2014 6:30am - 6:00pm
Registration Booth Denver Marriott City Center

8:00am

Keynote: Bruce Schneier - The Future of Incident Response
Network attacks are inevitable. Protection and detection can only take you so far, and response -- incident response -- is finally getting the attention it deserves. I look at the economic and psychological drivers of the computer security industry, and describe the future of incident response in this context. Unlike other aspects of security technology, IR needs to augment people rather than replace them. This requires a systems theory approach to IR, and I borrow one from the US Air Force: OODA loops. Understanding how IR works will be critical to maintaining network security in the coming decade.

Speakers
Bruce Schneier

CIO, Co3 Systems, Inc.
Bruce Schneier is an internationally renowned security technologist, called a “security guru” by The Economist. He is the author of 12 books — including Liars and Outliers: Enabling the Trust Society Needs to Thrive — as well as hundreds of articles, essays, and academic papers. His influential newsletter “Crypto-Gram” and his blog “Schneier on Security” are read by over 250,000 people. He...


Thursday September 18, 2014 8:00am - 9:00am
Colorado Ballroom [Assembled Conference] Denver Marriott City Center

9:00am

Coffee Break
Thursday September 18, 2014 9:00am - 9:30am
Denver Ballroom [Sponsor Expo] Denver Marriott City Center

9:00am

OWASP ESAPI Bug Squash-a-thon
We will be squashing as many bugs as we can in preparation for a release.

Contact:
Chris Schmidt chris.schmidt@owasp.org
 
Attendees:
Chris Schmidt, Kevin Wall, Jeff Williams, Jim Manico 

Thursday September 18, 2014 9:00am - 5:00pm
Gold Coin [Project Summit] Denver Marriott City Center

9:00am

OWASP Project Summit
Volunteers
Jonathan Marcil

Montreal Chapter Leader, OWASP
As the chapter leader of OWASP Montreal, Jonathan manages most of the events and does the online community management. He keeps the chapter's agenda filled with continuous events. He teamed up with various student groups to be present in three universities. He also works to put most of the talks online using YouTube and Google Hangouts. That involvement led him to create the OWASP Media Project, where we gather, consolidate and promote...

Thursday September 18, 2014 9:00am - 5:00pm
Gold Coin [Project Summit] Denver Marriott City Center

9:00am

Sponsor Expo
Thursday September 18, 2014 9:00am - 5:30pm
Denver Ballroom [Sponsor Expo] Denver Marriott City Center

9:00am

Capture the Flag
This from-scratch Capture The Flag project was created by the Boulder OWASP chapter exclusively for AppSec USA 2014. Designed to test the appsec and development chops of the brightest minds at AppSec USA, this CTF will be talked about for years to come.

Volunteers
Chris Campbell

Security Engineer, Aerstone


Thursday September 18, 2014 9:00am - 6:00pm
Penrose 2 [WaspNest CTF] Denver Marriott City Center

9:30am

Building Your Application Security Data Hub: The Imperative for Structured Vulnerability Information
One of the reasons application security is so challenging to address is that it spans multiple teams within an organization. Development teams build software, security testing teams find vulnerabilities, security operations staff manage applications in production and IT audit organizations make sure that the resulting software meets compliance and governance requirements. In addition, each team has a different toolbox they use to meet their goals, ranging from scanning tools and defect trackers to Integrated Development Environments (IDEs), WAFs and GRC systems. Unfortunately, in most organizations the interactions between these teams are often strained and the flow of data between these disparate tools and systems is non-existent or tediously implemented manually.

In today’s presentation, we will demonstrate how leading organizations are breaking down these barriers between teams and better integrating their disparate tools to enable the flow of application security data between silos to accelerate and simplify their remediation efforts. At the same time, we will show how to collect the proper data to measure the performance and illustrate the improvement of the software security program. The challenges that need to be overcome to enable teams and tools to work seamlessly with one another will be enumerated individually. Team and tool interaction patterns will also be outlined that reduce the friction that will arise while addressing application security risks. Using open source products such as OWASP ZAP, ThreadFix, Bugzilla and Eclipse, a significant amount of time will also be spent demonstrating the kinds of interactions that need to be enabled between tools. This will provide attendees with practical examples on how to replicate a powerful, integrated Application Security program within their own organizations. In addition, how to gather program-wide metrics and regularly calculate measurements such as mean-time-to-fix will also be demonstrated to enable attendees to monitor and ensure the continuing health and performance of their Application Security program.

Speakers
Dan Cornell

CTO, Denim Group
A globally recognized application security expert, Dan Cornell holds over 15 years of experience architecting, developing and securing web-based software systems. As Chief Technology Officer and Principal at Denim Group, Ltd., he leads the technology team to help Fortune 500 companies and government organizations integrate security throughout the development process.



Thursday September 18, 2014 9:30am - 10:15am
Colorado Ballroom A-D [Mgmt/DevOps] Denver Marriott City Center

9:30am

IEEE Computer Society's Center for Secure Design - Helping You Design More Secure Software
The IEEE Computer Society's CSD (Center for Secure Design) was formed in 2014 with the goal of identifying common design flaws and creating tools or design patterns so architects and developers can avoid introducing those design flaws into software.

The CSD aims to create artifacts to aid in the analysis of software design and additional artifacts to aid in designing software for security. This presentation will outline the results of the first workshop convened in May of this year where the Top N design flaws were documented, and also discuss some of the goals of future IEEE CSD workshops.

Speakers
Jim DelGrosso

Principal Consultant, Cigital
Jim is a Principal Consultant at Cigital with over 30 years of experience working for software development and consulting organizations. At Cigital, Jim heads up the Architecture Analysis practice with the mission to analyze the architecture and design of systems to identify flaws and provide our customers contextual guidance to remediate or mitigate those flaws. His previous experience includes development of compilers, real-time embedded...



Thursday September 18, 2014 9:30am - 10:15am
Colorado Ballroom E [Defenders] Denver Marriott City Center

9:30am

Mobile Security Attacks: A Glimpse from the Trenches
Hackers today apply covert and persistent techniques to attack mobile devices. Attend this presentation to learn about the latest threats on mobile devices from the team who uncovered iOS malicious profiles and HTTP Request Hijacking. We will describe and demonstrate emerging mobile security threats: from physical, through network and up to application level. Hold on to your seats as we expose examples, statistics and insights about real-world attacks on mobile-devices around the world.

Speakers
Yair Amit

CTO & Founder, Skycure
Yair Amit is co-founder and CTO at Skycure, leading the company’s research and vision and overseeing its R&D center. Yair has been active in the security industry for more than a decade, with his research regularly covered by media outlets and presented at security conferences around the world. Prior to co-founding Skycure, Yair managed the Application Security and Research Group at IBM, joining through the acquisition of Watchfire. At IBM, Yair...

Adi Sharabani

CEO, co-founder, Skycure
Mr. Adi Sharabani is a worldwide security expert and the CEO of Skycure, a start-up that focuses on providing solutions for securing mobile devices. In the past, Adi was a manager at Watchfire, another startup company which was a pioneer in the field of application security and was acquired by IBM in 2007. Among his roles, Adi was in charge of the security of much of the IBM software developed worldwide; led the entire IBM application security...


Thursday September 18, 2014 9:30am - 10:15am
Colorado Ballroom F [Breakers] Denver Marriott City Center

9:30am

Modern Web Application Defense with OWASP Tools
To address security defects developers typically resort to fixing design flaws and security bugs directly in the code. Finding and fixing security defects can be a slow, painstaking, and expensive process. While development teams work to incorporate security into their development processes, issues like Cross-Site Scripting (XSS), Session Hijacking, and Clickjacking continue to plague many commonly used applications.

See how these vulnerabilities actually work and see live demos showing how various OWASP projects and tools can be used to mitigate common attacks.

Using an interactive approach that solicits audience participation, developers and architects will learn how to proactively prevent attacks from occurring and stop hackers from exploiting their applications.

Speakers
Frank Kim

SANS Institute
Frank Kim is a security leader with 17 years of experience in information security, risk management, and enterprise IT. He has a passion for developing security strategies and building teams focused on practical solutions to business risks. He currently serves as the curriculum lead for application security at the SANS Institute and is the author and an instructor for the Secure Coding in Java course. Frank is a frequent public speaker at...


Thursday September 18, 2014 9:30am - 10:15am
Colorado Ballroom G-J [Builders] Denver Marriott City Center

9:30am

Birds of a Feather (topic to be determined at AppSec USA)
Meet with like-minded individuals to discuss issues of your choosing.

Thursday September 18, 2014 9:30am - 10:15am
Penrose 1 [Open Mic] Denver Marriott City Center

9:30am

Starting a chapter
This session covers everything you need to know about starting a local OWASP chapter: requirements, obligations, resources, and more.

Speakers
Kate Hartmann

OWASP Foundation, OWASP Foundation
Kate joined the OWASP Foundation in May 2008. Kate's work within the OWASP Foundation includes supervising and facilitating the completion of operationally critical tasks. She provides direction to the operational team by mapping out cross-committee objectives and identifying opportunities that promote the Foundation's short-term and long-term strategic goals. Current initiatives include: Improving Foundation...


Thursday September 18, 2014 9:30am - 10:15am
Matchless [OWASP Workshop] Denver Marriott City Center

9:30am

Zed Attack Proxy (Zap) 101
Speakers
Chris Rossi

Director of Application Security, AppliedTrust
Chris graduated from Drexel University with a Bachelor’s degree in Information Systems, and immediately dove into the world of security at Protiviti in Philadelphia. Chris missed the mountains of Colorado too much to stay away for long, and moved back to Boulder in 2009, where he started his career at AppliedTrust. Beginning as a T1 Engineer, Chris now leads the Application Security practice. Chris specializes in web application security...



Thursday September 18, 2014 9:30am - 10:15am
Independence [Skills Lab] Denver Marriott City Center

10:30am

Anatomy of memory scraping, credit card stealing POS malware
Learn the nuts-and-bolts of how a memory scraping, credit card stealing point-of-sale (POS) malware works and identify strategies that you can implement to make it hard for the bad guys.

Sensitive information, like credit card numbers, is encrypted on disk and also in transit. But the one place where this information is vulnerable is in process memory, and the bad guys have already found ways of stealing it from there.

This presentation has three parts. The first part will introduce RAM scraping techniques and how they were recently used against point-of-sale (POS) systems to steal credit card data. The nuts-and-bolts of such malware will be studied to understand its behavior and workings. This technique evades security measures including encryption on disk and encryption in transit, as the information is available unencrypted in process memory before or after encryption. The second part of the presentation will be a demo of such home-grown malware, which will allow us to study how these techniques behave under different circumstances. The demo will lead to the third part, which will suggest methods that make it hard on the malware. These include changing memory sizes, making it hard for the malware to identify the POS process, or altogether changing the attributes of the POS process so that it can be hidden. Finally, we will also go over some techniques that aid in finding RAM scraping malware and making it difficult for such malware to do its job.

Speakers
Amol Sarwate

Director of Vulnerability and Compliance Labs, Qualys Inc.
As Director of Vulnerability Labs at Qualys, Amol Sarwate heads a worldwide team of security researchers who analyze the threat landscape of exploits, vulnerabilities and attacks. He is a veteran of the security industry who has worked for the last 15 years on firewalls, vulnerability scanners, embedded security at McAfee, Hitachi, i2 and other organizations. He has presented his research on various topics like Vulnerability Trends, Credit Card...



Thursday September 18, 2014 10:30am - 11:15am
Colorado Ballroom E [Defenders] Denver Marriott City Center

10:30am

AppSec Survey 2.0: Fine-Tuning an AppSec Training Program Based on Data
Measuring the effectiveness of any security activity is widely discussed – security leaders debate the topic with a religious fervor rivaling that of any other hot-button issue. Virtually every organization has some sort of application security training effort, but data on training effectiveness remains scarce. Last year our research team delivered the first-ever survey that captured developer awareness of secure coding concepts and the impact of formal application security training on a developer’s ability to write secure code. We learned that most software developers were aware of certain application security concepts, yet when asked how to write more secure code, they fared poorly.

This year’s 600-developer survey provides more quantitative data on what software developers understand about application security, both concepts and practices. It dives most deeply into awareness of defensive coding practices, which most developers largely did not grasp in the 2013 survey. It also separates respondents by role, so we can better understand how architects, developers, and QA staff grasp key application security concepts and put them to work. It better captures how software developers learn in general, so one can tailor any security training effort to how software developers, in practice, actually learn. This information will provide data to application security managers responsible for corporate security training that should allow them to make more fact-based decisions about security training.

Speakers
John Dickson

Principal, Denim Group
John Dickson is an internationally recognized security leader, entrepreneur and Principal at Denim Group, Ltd. He has nearly 20 years of hands-on experience in intrusion detection, network security and application security in the commercial, public and military sectors. Dickson is a popular speaker on security at industry venues including the RSA Security Conference, the SANS Institute, the Open Web Application Security Project (OWASP) and at...


Thursday September 18, 2014 10:30am - 11:15am
Colorado Ballroom A-D [Mgmt/DevOps] Denver Marriott City Center

10:30am

Hacking .NET/C# Applications: Defend By Design
I will cover how to build an application to resist attacks.
This is not the Microsoft SDLC!
This talk will cover the tasks developers should do in the design and development process to produce more secure applications, such as security user stories and security unit tests.
Tiny choices in the development process can impact the security of the end system, but what does this look like in practice? This will be presented from the point of view of a developer and helpful hacker.

Speakers
Jon McCoy

Application Security Consultant, DigitalBodyGuard.com
Jon McCoy is trained in Classical Software Engineering and Live System Forensics. | He has released a number of tools and techniques for attacking/breaking/bending .NET Framework Application. He provides trainings in offensive and defensive software, consults on strategic policies and management, and provides outside security reviews for both Software and Infrastructure. | He founded DigitalBodyGuard.com a general digital security firm that... Read More →


Thursday September 18, 2014 10:30am - 11:15am
Colorado Ballroom G-J [Builders] Denver Marriott City Center

10:30am

Use After Free Exploitation
Use After Free vulnerabilities are the cause of a large number of web browser and client-side compromises. Software bugs residing on the heap can be difficult to detect through standard debugging and QA. This presentation will first define the Use After Free vulnerability class, and then dive deep into detecting the bug in a debugger and weaponizing it into a working exploit against Internet Explorer. We will also cover the concept of memory leaks which can allow for a complete Address Space Layout Randomization (ASLR) bypass.

Speakers
Stephen Sims

Consultant
Stephen Sims is an industry expert with over 15 years of experience in information technology and security. Stephen currently works out of San Francisco as a consultant performing reverse engineering, exploit development, threat modeling, and penetration testing. Stephen has an MS in information assurance from Norwich University and is a course author and senior instructor for the SANS Institute. He is the author of SANS’ only... Read More →


Thursday September 18, 2014 10:30am - 11:15am
Colorado Ballroom F [Breakers] Denver Marriott City Center

10:30am

Birds of a Feather (topic to be determined at AppSec USA)
Meet with like-minded individuals to discuss issues of your choosing.

Thursday September 18, 2014 10:30am - 11:15am
Penrose 1 [Open Mic] Denver Marriott City Center

10:30am

Growing membership
An open, undirected brainstorming session surrounding successes and failures of growing your chapter. How do you promote your chapter? What demographics attend your events? What steps have you taken to grow?

Thursday September 18, 2014 10:30am - 11:15am
Matchless [OWASP Workshop] Denver Marriott City Center

10:30am

Nmap 101
This introductory guide is designed to introduce developers, testers, or anyone interested in learning the basics of network discovery and enumeration using the classic open-source network scanner – nmap.

nmap has been a mainstay for security testers and system administrators for years, generally for enumerating live hosts and discovering open ports and services.  The benefits of the scanner extend beyond security professionals and may be useful in other areas, such as the software testing and development fields.

The lab will cover the following topics.

  1. Downloading and Installing
  2. Basic Usage
    1. Discovery
    2. Enumeration
    3. Other Useful Options
      1. OS/Version detection
      2. Avoiding Firewalls/IPS
      3. NSE Scripts

Target Audience
The goal of this lab is to introduce the tool and demonstrate the basics of scanning and highlight some of the newer features to IT professionals with little experience with port scanning or who may not have considered having nmap as a standard tool in their toolkit. This lab will target IT professionals with the following roles:

  • Software Developers
  • Software Testers
  • Security Professionals
  • System Administrators

Throughout the lab, the instructor will draw upon real-world or “field” experience as a penetration tester to cite examples where nmap was a key tool in discovering flaws in web applications, misconfigured servers, and rogue hosts. These security flaws and weaknesses were leveraged and exploited to gain authorized access. Furthermore, the instructor will explain how simple scanning may have been used to identify these flaws before they were reported as high-risk findings in an audit report.

Objectives
The objectives of the lab will be:

  1. To demonstrate downloading source code and installing nmap.
  2. To show basic techniques using nmap to perform:
    1. live host discovery,
    2. service enumeration,
    3. OS detection,
    4. service version detection, and
    5. stealth scanning (avoiding IPS detection).
  3. To demonstrate some of the Nmap Scripting Engine (NSE) scripts that automate a wide variety of networking tasks.
  4. To demonstrate Zenmap, the GUI interface for nmap, and briefly show examples of scanning using the GUI version of nmap on Windows.

Hands-on Lab Requirements

  • Ability to connect to a wireless network
  • Must have a version of nmap (6.x preferred)
  • Basic experience with Linux or Unix-based platforms and command-line interfaces
  • General familiarity with basic TCP/IP concepts such as ports, TCP, UDP, and simple network protocols such as Telnet, FTP, DNS, SNMP, etc.
  • It is assumed the attendees do not have extensive experience with nmap, as this is an introductory lab.

Speakers
Jon Pettyjohn

Security Engineer, Aerstone
Jon Pettyjohn is a Cybersecurity engineer at Aerstone and member of their security testing and mitigation team. Jon has a great deal of experience in IT security supporting Federal, DoD, and commercial customers. His areas of expertise include network and web application testing, SA&A, and PCI. Accomplishments include perfecting his homemade hot sauce and managing to finish a marathon a year.


Thursday September 18, 2014 10:30am - 11:15am
Independence [Skills Lab] Denver Marriott City Center

11:30am

Lunch
Thursday September 18, 2014 11:30am - 1:00pm
Denver Ballroom [Sponsor Expo] Denver Marriott City Center

12:00pm

Birds of a Feather (topic to be determined at AppSec USA)
Meet with like-minded individuals to discuss issues of your choosing.

Thursday September 18, 2014 12:00pm - 12:45pm
Penrose 1 [Open Mic] Denver Marriott City Center

12:00pm

Career Fair
Connect with recruiters and hiring managers for a wide range of positions. Check out the Career Fair page at http://appsecusa.org for more info.

Volunteers
Joanna Foreman

Systems Engineer, State of Colorado


Thursday September 18, 2014 12:00pm - 5:00pm
Denver Ballroom [Sponsor Expo] Denver Marriott City Center

1:00pm

Open Mic (Riddle me this, Batman: DHS, Open Source and SWAMP)
Watch (or present!) a variety of topical sessions as voted on by AppSec USA attendees.


Thursday September 18, 2014 1:00pm - 1:45pm
Penrose 1 [Open Mic] Denver Marriott City Center

1:00pm

11,000 Voices: Experts Shed Light on 4-Year Open Source & AppSec Survey
In 2013, OWASP updated its top 10 list to include “(A9) Avoiding the use of open source components with known vulnerabilities.” The guideline was added as OWASP leaders came to understand that 90% of a typical application is composed of open source components.

In this session, a senior panel of application security experts will share and discuss the results of a four-year, industry-wide study on application security practices, drivers, and trends within the open source development community. To date, over 11,000 professionals have participated in the study.

Among the surprising survey responses, panelists will share their perspectives on:

  • 75% of organizations are not enforcing their open source policies
  • Only 16% of participants must prove they are not using components with known vulnerabilities
  • 64% don't track changes in open source vulnerability data

The 2014 edition of this annual study was run during the month of April, right in the wake of the notorious open source Heartbleed bug announcement. Over 3,000 participated in the 2014 study, with results directly reflecting the state of organizations' preparedness to react to Heartbleed and any future vulnerabilities.

Moderators
Derek E. Weeks

VP and DevSecOps Advocate, Sonatype
After flying to 40 countries and racing through a half-Ironman competition, Derek woke up one morning on the top of Kilimanjaro and saw the world in a new light. Soon after, Derek become a huge advocate of applying proven supply chain management principles into DevOps practices to improve efficiencies and sustain long-lasting competitive advantages. He currently serves as vice president and DevOps advocate at Sonatype, creators of the Nexus... Read More →


Thursday September 18, 2014 1:00pm - 1:45pm
Colorado Ballroom A-D [Mgmt/DevOps] Denver Marriott City Center

1:00pm

iOS App Integrity: Got Any?
iOS apps are vulnerable to static analysis and attack through binary code patching. Incorporating jailbreak and debugger detection algorithms can be rendered useless with a quick binary patch. Once patched, the app can be further exploited, its app data stolen, and even cloned. The iMAS research team, the team that brought Encrypted CoreData (ECD) to GitHub open source, has your back! In this talk we will introduce open source Encrypted Code Modules (ECM) as a technique to protect sensitive enterprise iOS applications. Using ECM as the base, we will demonstrate an iOS app anti-tamper technique that is considerably more resistant to patching. We will walk through this step-by-step process to make your iOS apps more secure and … authentic.

Speakers
Gavin Black

Lead Software Engineer, MITRE
Gavin Black is a lead software engineer working for the MITRE Corp, a federal research and development center. Currently he has been focused on software security and systems defense. Part of those efforts include researching and developing controls to mitigate weaknesses in iOS mobile applications. He's also working with the Common Vulnerability and Exposures (CVE) analyst toolchain, attempting to streamline the process and modernize the... Read More →
Gregg Ganley

Principal Investigator iOS Security Research, MITRE Corp
23+ years of software development and management experience. Education: MSCS, BSEE. Active research and development in iOS security, Android development, Ruby on Rails web apps, and project leadership. For the past five years his passion has been in the mobile field and in particular mobile security, where he is the Principal Investigator of iMAS (iOS Mobile Application Security), a collaborative research project from the MITRE Corporation focused on open... Read More →



Thursday September 18, 2014 1:00pm - 1:45pm
Colorado Ballroom G-J [Builders] Denver Marriott City Center

1:00pm

Project Monterey or How I Learned to Stop Worrying and Love the Cloud
At Netflix developers deploy code hundreds of times a day. Each code push could be a production canary taking only a percentage of the total requests or a test determining which new feature is improving customer experience the best. The large number of applications along with multiple concurrent code bases creates an environment that is impractical for manual security testing. This presentation will outline and demo Project Monterey as one of many solutions that the Netflix Cloud Security Team has been developing to secure Netflix’s large cloud deployment.

Monterey’s main goal is to automate as much security testing as possible. It provides a framework for deploying and running traditional tools in the cloud, taking industry-standard tools such as the OWASP ZAP web application scanner, Nmap, Nessus, etc. and allowing them to be run in a large, distributed and scalable manner. By providing a plugin interface, Monterey allows security professionals to create and integrate their own tools with ease. Monterey also enables tools to be chained together, with the output of one tool acting as the input of the other.

An important part of Monterey’s automation is the capability to respond to the dynamic nature of Netflix’s deployment process and environment. This means automatically detecting new applications or new code pushes as they happen and detecting services that are newly exposed to the internet.

Prior work in this area includes projects such as minion and graudit.

This talk will include a demo of Monterey itself, cover current use cases that Netflix has leveraged, and propose future expansion ideas, including open sourcing the project.

Speakers
Kevin Glisson

Senior Cloud Security Engineer, Netflix
When Kevin Glisson is not playing with security automation, new languages and Python libraries, he is an avid mountain biker and backpacker enjoying all parts of the Sierras. Kevin is currently a Security Engineer at Netflix writing tools to help streamline security operations and make the cloud more approachable and secure. Kevin has previously worked on the Cyber Intelligence and Incident Response teams at J.P. Morgan Chase, working to... Read More →



Thursday September 18, 2014 1:00pm - 1:45pm
Colorado Ballroom E [Defenders] Denver Marriott City Center

1:00pm

Static Analysis for Dynamic Assessments
Today’s dynamic and static web vulnerability scanners are capable of analyzing complex web applications for security weaknesses. They automate testing of many common vulnerabilities. However, there is a gap between Static and Dynamic scanners. They find different vulnerabilities. So why aren’t dynamic testers running static tools? Typically, they don’t have source code.

In this session, Greg will explore ways dynamic testers can utilize static tools without source code. Greg will discuss a process for collecting and scanning client-side files. Furthermore, Greg will demonstrate a custom developed tool that automates this process from the Burp Suite.

The objective of running static analysis during a dynamic assessment is to reduce potential false-negatives by increasing the breadth of the assessment.

Speakers
Greg Patton

Senior Security Consultant, HP Fortify
Greg Patton is a Sr. Security Consultant with HP Fortify on Demand based in Houston, TX. With nearly ten years of security experience, Greg specializes in application security with a focus on dynamic web and iOS mobile assessments. Greg started his career in software development, and he discovered a natural talent and interest in breaking applications.



Thursday September 18, 2014 1:00pm - 1:45pm
Colorado Ballroom F [Breakers] Denver Marriott City Center

1:00pm

CSRF 101
Speakers
Danny Chrastil

Sr Security Consultant, HP Fortify



Thursday September 18, 2014 1:00pm - 1:45pm
Independence [Skills Lab] Denver Marriott City Center

1:00pm

Finding speakers and other meeting ideas
Speak with other chapter leaders about speaker solicitation, speaker sharing, and alternative (non-speaker) meeting ideas.

Thursday September 18, 2014 1:00pm - 1:45pm
Matchless [OWASP Workshop] Denver Marriott City Center

1:00pm

OpenSAMM Workshop Play-books, PCI-SAMM Matrix, Project QA
We will try to complete mapping SAMM activities to PCI-DSS v3.0 requirements. In addition, we will work on cross-functional charts describing implementation of practices and provide a Q&A session for the project and its updates.

Outcome:
SAMM guidance for PCI requirements, and guidance on SAMM implementation that can be included in the next version of OpenSAMM.

Contact:
Kuai Hinojosa kuai.hinojosa@owasp.org

Thursday September 18, 2014 1:00pm - 5:00pm
Gold Coin [Project Summit] Denver Marriott City Center

1:00pm

OWASP .NET Project Planning and Content Creation
.NET Folks gather! Let's plan for content in the .NET project, discuss the planning that has happened so far, figure out disposition for older content, and more.

Objectives:
Go over Wiki cleanup efforts, vet the topics for new content, and perhaps create some content.

Contact:
Bill Sempf bill.sempf@owasp.org

Thursday September 18, 2014 1:00pm - 5:00pm
Gold Coin [Project Summit] Denver Marriott City Center

1:00pm

OWASP ASIDE Project Planning
This session is intended to discuss wish-list functions for the next version of ASIDE.

Objectives:
1. Seek comments/inputs for current research. 2. Prioritize requirements for the next version.

Contact:
Bill Chu billchu@uncc.edu

Thursday September 18, 2014 1:00pm - 5:00pm
Gold Coin [Project Summit] Denver Marriott City Center

1:00pm

OWASP Reverse Engineering and Code Modification Prevention Project (Mobile)
In this hands-on session, I will introduce the project and highlight the roadmap and its history. I will highlight some of the key binary risks that this project addresses (reverse engineering, method swizzling, etc.). Participants will use jailbroken mobile devices / mac workstations (provided by me) to perform actual binary attacks.

Objectives:
1. Understand what the project is about;
2. Perform actual attacks on jailbroken devices;
3. Explore project contribution ideas;
4. Develop relevant mobile attack vectors

Contact:
Jonathan Carter
jonathan.carter@owasp.org

Thursday September 18, 2014 1:00pm - 5:00pm
Gold Coin [Project Summit] Denver Marriott City Center

2:00pm

Open Mic (WAF is not enough! Why your data is still at risk, even if you use a web application firewall)
Watch (or present!) a variety of topical sessions as voted on by AppSec USA attendees.


Thursday September 18, 2014 2:00pm - 2:45pm
Penrose 1 [Open Mic] Denver Marriott City Center

2:00pm

Lean Security for Small or Medium Sized Business
For a small or medium-sized business (SMB) the fallout from a security or privacy incident can be at best a PR nightmare. At worst it can cause irrecoverable damage and end your business by impacting sales or ad revenue. Your user base may take a hit. You may need to draft a blog post or email your customers describing the incident and asking them to change passwords. A key culprit is budget constraints – as an SMB you are allocating resources to innovating, creating, and improving your product. Security, while important, isn't always the primary objective.

Our talk will introduce a simple framework for SMBs to focus their security efforts. We will then discuss a common scenario applicable to most SMBs that employs our framework and leverages it to introduce cheap and effective security mechanisms that provide prevention, limitation, detection, and response capabilities. The key takeaway will be the thought process and sample techniques that can enable an SMB to take their rag-tag security outfit and turn it into a business enabler.

Speakers
Jonathan Chittenden

iSEC Partners
Prior to his employment with iSEC, Jonathan worked for the Air Force as a civilian. His roles consisted of reverse engineering malware for both signature and exploitation development. This experience enabled Jonathan to be comfortable working at a low-level with unknown protocols and binaries. During this time, he also assisted in the development of an open-source intelligence application to be used to identify indicators of compromise... Read More →
Anson Gomes

Senior Security Consultant, iSEC Partners
Anson Gomes is a security researcher and consultant at iSEC Partners. He specializes in web applications and web services security, network security, mobile application security, and architecture reviews. He has led numerous assessments for applications written in languages such as Java, .NET, PHP, and Objective C. In his spare time, Anson spends his time researching cloud systems, custom protocols, and embedded devices. He is passionate about... Read More →



Thursday September 18, 2014 2:00pm - 2:45pm
Colorado Ballroom A-D [Mgmt/DevOps] Denver Marriott City Center

2:00pm

Red Phish, Blue Phish: Improved Phishing Detection Using Perceptual Hashing
While lacking the sex appeal of memory corruption based attacks, phishing remains a problem for many end users. Defenses against phishing have not advanced significantly. We will discuss current approaches to phishing detection, and present a new one along with accompanying tool.

We will discuss several perceptual hashing algorithms, and describe how we can leverage them to detect phishing sites masquerading as popular sites such as Paypal, Amazon, and others.

Code to collect and identify these malicious sites, and a browser extension leveraging it, will be explained, demonstrated and released for attendee use and study.

Speakers
Daniel Peck

Principal Research Scientist, Barracuda Networks
Peck is principal research scientist at Barracuda Networks, where he is currently focused on studying uses of social networks as a medium for attacks. Previous research includes comparing content and non-content based systems to identify malicious accounts on Twitter/Facebook, exploiting programmable logic controllers, and identifying/classifying malicious JavaScript. Peck has a Bachelor of Science in Computer Science from the Georgia Institute of... Read More →


Thursday September 18, 2014 2:00pm - 2:45pm
Colorado Ballroom E [Defenders] Denver Marriott City Center

2:00pm

Runtime Manipulation of Android and iOS Applications
With over 1.6 million applications in the Apple App Store and Google Play store, and around 7 billion mobile subscribers in the world, mobile application security has been shoved into the forefront of many organizations. Mobile application security encompasses many facets of security. Device security, application security, and network security all play an important role in the overall security posture of a mobile application. Part of being a pen tester of mobile applications is understanding how each of the security controls works and how they interact. One powerful way to test the security and controls of our applications is to utilize runtime analysis and manipulation. Many tools exist to manipulate how an application works, on both iOS and Android.

This hands-on skills course will help students learn how to improve their mobile security toolbox. The skills course will utilize tools such as cycript, snoop-it, jdb, etc., for runtime manipulation and memory analysis. After the course, students will be able to get better results from their mobile application security testing.

Speakers
Dan Amodio

Principal Consultant, Aspect Security
As a Principal Consultant, Dan manages and defines Aspect Security's line of Assessment Services-- helping organizations quantify their security risks from design to implementation. He works with staff and clients to develop the team members and deliverables. | | Dan holds a security clearance and directly supports a variety of client projects. He leads mobile security efforts, security architecture and design reviews, code reviews, and... Read More →
David Lindner

Managing Consultant and Global Practice Manager, Aspect Security
David Lindner, a Managing Consultant and Global Practice Manager, Mobile Application Security Services at Aspect Security. David brings 15 years of IT experience including application development, network architecture design and support, IT security and consulting, and application security. David's focus has been in the mobile space including everything from mobile application penetration testing/code review, to analyzing MDM and BYOD... Read More →


Thursday September 18, 2014 2:00pm - 2:45pm
Colorado Ballroom F [Breakers] Denver Marriott City Center

2:00pm

Your Password Complexity Requirements are Worthless
If you think password hashes are safe in a database, you are wrong.
If you think users choose good passwords, you are wrong.
If you think you KNOW what makes up a good password, you are wrong.
If you think that password complexity forces users to create stronger passwords, you are wrong.
If you think password strength meters force users to create strong passwords, you are wrong.
If you think I don't already know your password, you are wrong.

Let an actual password cracker prove this to you, using real-world examples from large enterprises. If you don't know how the password crackers are cracking 95% of a site's passwords, how can you protect your users against that?

Finally, let me show you how to prevent your users from creating horrible passwords with a new Open Source tool.


1) Presentation Overview:
- Show the "old" way of password cracking: older methods using Markov chains, wordlists and rules.
- Show the "new" way of password cracking, based on "patterns" or "topologies".
- Ask "why is this important to me as a developer?"
- Show current password strength meters.
- Discuss the types of passwords they cause users to create.
- Prove that these passwords are NOT safer than the passwords users would create without the password strength meter.
- Prove this with REAL world examples (at least four).
- Compare password strength meters to password "complexity" requirements.
- Show how we SHOULD be implementing password strength meters.
- Demo a new Open Source tool to prevent the types of problems introduced with password complexity requirements and/or password strength meters.

Speakers
Rick Redman

Senior Security Consultant, KoreLogic
Rick, aka Minga, has over 16 years of experience as a penetration tester, and runs KoreLogic's Password Recovery Service. He also runs the annual "Crack Me If You Can" contest at DEF CON. He has provided numerous contributions to the password-cracking community, and has previously presented at DEF CON, DerbyCon, ShmooCon, PasswordsCon, Bsides, OWASP, ISSA, and ISSW.


Thursday September 18, 2014 2:00pm - 2:45pm
Colorado Ballroom G-J [Builders] Denver Marriott City Center

2:00pm

CMS Hacking 101
Speakers
Greg Foss

Head of Global Security Operations, LogRhythm Labs
Greg Foss is LogRhythm’s head of Global Security Operations and a Senior Researcher with Labs – tasked with leading both offensive and defensive aspects of corporate security. He has just under a decade of experience in the information security industry with an extensive background in ethical hacking and penetration testing, focusing on Web application security and red teaming. Greg holds multiple industry certifications including the OSCP... Read More →



Thursday September 18, 2014 2:00pm - 2:45pm
Independence [Skills Lab] Denver Marriott City Center

2:00pm

Community outreach
Does your chapter give back to the local community? Should it? Share your experiences with your peers.

Thursday September 18, 2014 2:00pm - 2:45pm
Matchless [OWASP Workshop] Denver Marriott City Center

3:00pm

Open Mic (The 7 deadly sins of WordPress security)
Watch (or present!) a variety of topical sessions as voted on by AppSec USA attendees.


Thursday September 18, 2014 3:00pm - 3:45pm
Penrose 1 [Open Mic] Denver Marriott City Center

3:00pm

Blended Web and Database Attacks on Real-time, In-Memory Platforms
It is well known there is a race going on in the “Big Data” arena. One of the stronger competitors in the “Big Data” market is Real-Time, In-Memory Platforms. An interesting thing about this platform, and the one we will talk about specifically, is that it blends everything to increase performance. The database tables, webserver engine, webserver code, authorization, analytics engine, libraries, etc. are all optimized to, if possible, never touch the disk.

Surprisingly, this causes a perspective shift for the web and database application threat landscape and how security professionals should address it. For example:

* The resources are massive enough that the Database can store all previous versions of the table. We will introduce a new SQL Injection attack vector that abuses a “TIME TRAVEL” feature, providing access to previously deleted data.
* The Web Application code is stored in the database and not on the filesystem! Or to put it another way, web application code is executed through a web server engine by retrieving the code directly from the database. We will present Server-Side JavaScript exploits performed using SQL queries.
* The Database is enhanced with special libraries to support advanced analytics and statistical features, such as integration with the R programming environment. We will demonstrate how, if implemented insecurely, this could lead to exploits “written in R”.
* The Web Application database queries are typically run in the context of the current user's session. In other words, no database credentials are stored in the web application backend code. We will show how an attacker may need to resort to Social Engineering as a critical component of SQL Injection.

In this talk we will explore how an attacker might blend old attack vectors to obtain the same or novel goals in the industry-leading Real-Time, In-Memory platform: SAP HANA. We will present live demos of new vulnerabilities discovered by the Onapsis Research Labs team, as well as ways to ensure your platform is protected.

Furthermore, we will present a reference framework for professionals that need to assess the security of these unique platforms, as well as sample vulnerable applications for developers to understand how to avoid common pitfalls that would introduce security risks.

Speakers
Juan Perez-Etchegoyen

CTO, Onapsis, Inc.
Juan Pablo is the CTO of Onapsis, leading the Research and Development teams that keep the Company at the cutting edge of the ERP security field. Juan Pablo is fully involved in the design, research and development of the innovative Onapsis software solutions. | Being responsible for managing the Onapsis Research Labs, Juan Pablo has also been actively involved in the coordination and research of critical security vulnerabilities in ERP... Read More →


Thursday September 18, 2014 3:00pm - 3:45pm
Colorado Ballroom E [Defenders] Denver Marriott City Center

3:00pm

Client-side security with the Security Header Injection Module (SHIM)
Client-side security headers are useful countermeasures for Man-In-The-Middle, Clickjacking, XSS, MIME-Type sniffing, and Data Caching vulnerabilities. In this talk, we will review several security headers (e.g. Strict-Transport-Security, X-Frame-Options, X-XSS-Protection, Content-Security-Policy, and X-Content-Type-Options) and the various options available for each header. We will then demonstrate a new open source Security Header Injection Module (SHIM) for ASP.NET (developed by the presenters) that can be configured to mitigate the vulnerabilities by setting the security headers for any web application. The SHIM tool will be officially released at AppSec USA.

Speakers
Aaron Cure

Senior Security Consultant, Cypress Data Defense, LLC
Aaron is a senior security consultant at Cypress Data Defense, and an instructor and contributing author for the CDD Introduction to Internet Security in .NET course. After ten years in the U.S. Army as a Russian Linguist and a Satellite Repair Technician, he worked as a database administrator and programmer on the Iridium project, with subsequent positions as a telecommunications consultant, senior programmer, and security consultant. Other... Read More →
Eric Johnson

Senior Security Consultant, Cypress Data Defense, LLC
Eric Johnson is a Senior Security Consultant at Cypress Data Defense and the Application Security Curriculum Product Manager at SANS. Eric is a Certified SANS Instructor and is a course author for DEV544: Secure Coding in .NET, DEV531: Mobile App Security Essentials, and several Securing The Human Developer security awareness modules. His experience includes web and mobile application penetration testing, secure code review, risk assessment... Read More →


Thursday September 18, 2014 3:00pm - 3:45pm
Colorado Ballroom G-J [Builders] Denver Marriott City Center

3:00pm

Not Go Quietly: Adaptive Strategies and Unlikely Teammates
Don’t be a hero; assemble your team of avengers from unlikely allies. Nearly every aspect of our job as defenders has gotten more difficult and more complex—escalating threat, massive IT change, burdensome compliance reporting, all with stagnant security budgets and headcount. Rather than surrender, it’s time to fight back. This session will provide new approaches to finding financial and operational support for information security across the organization. Together we will highlight actual success stories and soft skills that make all the difference.

Speakers
Joshua Corman

CTO | Founder | Founder, Sonatype | I am The Cavalry | Rugged
Joshua Corman is a Founder of I am The Cavalry (dot org) and Director of the Cyber Statecraft Initiative for the Atlantic Council. Corman previously served as CTO for Sonatype, Director of Security Intelligence for Akamai, and in senior research & strategy roles for The 451 Group and IBM Internet Security Systems. He co-founded @RuggedSoftware and @IamTheCavalry to encourage new security approaches in response to the world’s increasing...



Thursday September 18, 2014 3:00pm - 3:45pm
Colorado Ballroom A-D [Mgmt/DevOps] Denver Marriott City Center

3:00pm

Top 10 Web Hacking Techniques of 2013
Every year the security community produces a stunning number of new Web hacking techniques that are published in various white papers, blog posts, magazine articles, mailing list emails, conference presentations, etc. Within the thousands of pages are the latest ways to attack websites, Web browsers, Web proxies, and their mobile platform equivalents. Beyond individual vulnerabilities with CVE numbers or system compromises, we are solely focused on new and creative methods of Web-based attack. Now in its eighth year, the Top 10 Web Hacking Techniques list encourages information sharing, provides a centralized knowledge base, and recognizes researchers who contribute excellent work.

In this talk, we will do a technical deep dive and take you through the Top 10 Web Hacks of 2013 as picked by an expert panel of judges.

This year’s winners are:
1 - Mario Heiderich – Mutation XSS
2 - Angelo Prado, Neal Harris, Yoel Gluck – BREACH
3 - Pixel Perfect Timing Attacks with HTML5
4 - Lucky 13 Attack
5 - Weaknesses in RC4
6 - Timur Yunusov and Alexey Osipov – XML Out of Band Data Retrieval
7 - Million Browser Botnet
8 - Large Scale Detection of DOM based XSS
9 - Tor Hidden-Service Passive De-Cloaking
10 - HTML5 Hard Disk Filler™ API

Speakers
Matt Johansen

Senior Manager, WhiteHat Security
Matt Johansen is a Sr. Manager for the Threat Research Center at WhiteHat Security where he manages a team of Application Security Specialists, Engineers and Supervisors to prevent website security attacks and protect companies’ and their customers’ data. Before this he was an Application Security Engineer where he oversaw and assessed more than 35,000 web applications that WhiteHat has under contract for many Fortune 500...
Jonathan Kuskos

Senior Application Security Engineer, WhiteHat Security
@JohnathanKuskos is a Manager for WhiteHat Security where he is charged with the expansion of their Belfast, Northern Ireland Threat Research Center. After personally hacking hundreds of web applications over several years he moved into a managerial role so that he could contribute to mentoring younger security engineers. Johnathan is extremely passionate about teaching and sharing the security knowledge he’s attained. He’s also an active bug...



Thursday September 18, 2014 3:00pm - 3:45pm
Colorado Ballroom F [Breakers] Denver Marriott City Center

3:00pm

App Server Hacking 101 (clusterd)
This workshop is a hands-on demonstration of the tool Clusterd. Clusterd is a Python-based application server attack tool with modules for six major platforms. Attendees are encouraged to bring their own laptops with VirtualBox or VMware and a running Debian-based Linux VM (Kali recommended). The workshop will start with an overview of Clusterd features, then give attendees a hands-on opportunity to attack two virtual targets.

Speakers
Brandon Edmunds

Security Consultant, Coalfire Systems, Inc.
Brandon is a security consultant with Coalfire Labs. Brandon currently is focused on learning development languages to help become a better asset to the Information Security community. When not learning to code or hacking, Brandon spends time with his family, grows his beard and eats cheeseburgers.



Thursday September 18, 2014 3:00pm - 3:45pm
Independence [Skills Lab] Denver Marriott City Center

3:00pm

Hosting a conference
Whether it is an OWASP Day, a regional event, or an AppSec global conference, event planning can be hard work. This discussion focuses on the Dos, Don'ts, and Lessons Learned of OWASP conference planning.

Speakers
Mark Major

Cybersecurity Engineer, Aerstone
By day Mark works as a cybersecurity engineer at Aerstone. By night and on weekends he organizes the Boulder OWASP chapter. Mark directs the annual Front Range OWASP Conference (SnowFROC) in Denver, CO. In 2014 he took a break from SnowFROC in order to chair AppSec USA. In these roles, Mark was integral in all areas of planning, including budgeting, venue negotiation, sponsorship, vendor management, catering, speaker and volunteer...


Thursday September 18, 2014 3:00pm - 3:45pm
Matchless [OWASP Workshop] Denver Marriott City Center

4:00pm

Coffee Break
Thursday September 18, 2014 4:00pm - 4:30pm
Denver Ballroom [Sponsor Expo] Denver Marriott City Center

4:30pm

Keynote: Renee Guttmann - CISO Perspectives: Aligning Secure Software Application Development with Business Interests
Software security is first, and foremost, a business problem. Attackers have learned that nearly all web applications can be exploited via application-level vulnerabilities. Using any one of a long list of common entry points, an attacker can make the software misbehave in a variety of ways, including granting access to unauthorized data. Security-conscious organizations recognize this threat and are making secure application development a business priority. By doing this, they are creating leading programs to help protect against reputational risk, brand damage, and to improve customer experiences.

During this presentation, you will learn:

• How to create a vision of software security success aligned with business goals.
• Activities that security practitioners can establish to improve application security.
• Ways to think differently about the impact of application security so you can innovate change and be more successful with your program.
• Techniques to address today’s risks and tomorrow’s opportunities.


Speakers
Renee Guttmann

Vice President, Information Risk, Accuvant
Renee Guttmann is an accomplished global information security and privacy executive with a proven track record of establishing internationally recognized information security programs for Fortune 500 companies. As vice president of information risk and member of the Office of the CISO for Accuvant, Guttmann is responsible for providing guidance to security leaders at enterprise-class organizations. Her counsel helps enable them to think...


Thursday September 18, 2014 4:30pm - 5:30pm
Colorado Ballroom [Assembled Conference] Denver Marriott City Center

7:00pm

Code Brew
Join us for an evening of all things homebrewed and celebrate one of Colorado’s most beloved traditions. With the state’s rich history of brewing and esteemed reputation in the national craft beer scene, no Denver-based conference would be complete without an homage to this longstanding local pastime. Code Brew will showcase the best of the best, created by brewers from near and far alike in the name of Rocky Mountain pride and some truly excellent beverages, so stop in to try all of the crazy brews they've dreamed up!

Volunteers
Jess Garrett

Security Engineer, Aerstone


Thursday September 18, 2014 7:00pm - 9:30pm
Colorado Ballroom [Assembled Conference] Denver Marriott City Center

7:00pm

Reception
The official AppSec USA 2014 networking social event! This is a hosted happy hour, with hors d'oeuvres and live music, in which you can mingle with your fellow attendees and participate in the main feature, a Colorado tradition called Code Brew.

Thursday September 18, 2014 7:00pm - 11:00pm
Colorado Ballroom [Assembled Conference] Denver Marriott City Center

7:15pm

Homebrewing 101
We write our own apps, customize our kernels, and automate our exploits for two simple reasons: because we can, and because it's better that way. Brewing applies all of your scientific and hacking instincts to beer. Not only will your beer taste better than what you buy in the stores, it will be cheaper, too.

If you want to know more about starting a hobby that all of your friends will love and envy, stop by our live demonstration. Learn about the necessary equipment and the brewing process from professional brewers.

Join us at Code Brew and dive into the world of beer hacking!


Thursday September 18, 2014 7:15pm - 8:15pm
Colorado Ballroom [Assembled Conference] Denver Marriott City Center

7:30pm

Bug Bash
The Bugcrowd Bug Bash is an application security hackathon where the targets are live and the prizes are real cash bounties! Bugcrowd hosts multiple well-known Bug Bounty Programs on their Crowdcontrol platform. In this event, conference attendees get together in teams in a room to hack together and learn about penetration testing and application security auditing, with the chance to win cash when they find a security vulnerability. Participants may join Team OWASP, create their own teams, or work individually. Only one person per team will collect the reward. All earnings from Team OWASP will be donated to *<to be determined>*.


Thursday September 18, 2014 7:30pm - 11:59pm
Independence [Skills Lab] Denver Marriott City Center

8:30pm

Jason Alan Magic
When was the last time you gasped in astonishment? Shrieked with laughter? When have you done both at the same time? Come see Jason Alan's award-winning magic and comedy show!

Artists

Thursday September 18, 2014 8:30pm - 9:30pm
Colorado Ballroom [Assembled Conference] Denver Marriott City Center

Friday, September 19


7:00am

Registration
Friday September 19, 2014 7:00am - 5:00pm
Registration Booth Denver Marriott City Center

8:00am

Keynote: Gary McGraw - Bug Parades, Zombies, and the BSIMM: A Decade of Software Security
Only thirteen years ago, the idea of building security in was brand new. Back then, if system architects and developers thought about security at all, they usually concentrated on the liberal application of magic crypto fairy dust. We have come a long way since then. Perhaps no segment of the security industry has evolved more in the last decade than the discipline of software security. Several things happened in the early part of the decade that set in motion a major shift in the way people build software: the release of my book Building Secure Software, the publication of Bill Gates's Trustworthy Computing memo, the publication of Lipner and Howard’s Writing Secure Code, and a wave of high-profile attacks such as Code Red and Nimda that forced Microsoft, and ultimately other large software companies, to get religion about software security. Now, ten years later, Microsoft has made great strides in software security and building security in, and they’re publishing their ideas in the form of the SDL. Right about in the middle of the last ten years (five years in) we all collectively realized that the way to approach software security was to integrate security practices that I term the "Touchpoints" into the software development lifecycle. Now, at the end of a decade of great progress in software security, we have a way of measuring software security initiatives called the BSIMM <http://bsimm.com>. BSIMM is helping transform the field from an art into a measurable science. This talk provides an entertaining review of the software security journey from its "bug of the day" beginnings to the multi-million dollar software security initiatives of today.

Speakers
Gary McGraw

Chief Technology Officer, Cigital, Inc.
Gary McGraw is the CTO of Cigital, Inc., a software security consulting firm with headquarters in the Washington, D.C. area and offices throughout the world. He is a globally recognized authority on software security and the author of eight best-selling books on this topic. His titles include Software Security, Exploiting Software, Building Secure Software, Java Security, Exploiting Online Games, and 6 other books; and he is editor of the...



Friday September 19, 2014 8:00am - 9:00am
Colorado Ballroom [Assembled Conference] Denver Marriott City Center

9:00am

Coffee Break
Friday September 19, 2014 9:00am - 9:30am
Denver Ballroom [Sponsor Expo] Denver Marriott City Center

9:00am

OpenSAMM Workshop Play-books, PCI-SAMM Matrix, Project QA
We will try to complete the mapping of SAMM activities to PCI-DSS v3.0 requirements. In addition, we will work on cross-functional charts describing the implementation of practices and provide a Q&A session on the project and its updates.

Outcome:
SAMM guidance for PCI requirements, and guidance on SAMM implementation that can be included in the next version of OpenSAMM.

Contact:
Kuai Hinojosa kuai.hinojosa@owasp.org



Friday September 19, 2014 9:00am - 12:00pm
Gold Coin [Project Summit] Denver Marriott City Center

9:00am

OWASP Developer Guide Writing Session
A quick status update onsite, followed by a writing session.

Objectives:
1. Understand current status
2. Write more content

Contact:
Andrew van der Stock
vanderaj@owasp.org

Friday September 19, 2014 9:00am - 12:00pm
Gold Coin [Project Summit] Denver Marriott City Center

9:00am

OWASP Reverse Engineering and Code Modification Prevention Project (Mobile)
In this hands-on session, I will introduce the project and highlight the roadmap and its history. I will highlight some of the key binary risks that this project addresses (reverse engineering, method swizzling, etc.). Participants will use jailbroken mobile devices / Mac workstations (provided by me) to perform actual binary attacks.

Objectives:
1. Understand what the project is about;
2. Perform actual attacks on jailbroken devices;
3. Explore project contribution ideas;
4. Develop relevant mobile attack vectors

Contact:
Jonathan Carter
jonathan.carter@owasp.org

Friday September 19, 2014 9:00am - 12:00pm
Gold Coin [Project Summit] Denver Marriott City Center

9:00am

OWASP WebGoat 6.0 Project Planning and Beyond
The new UI and Service layer are complete. We will demo the recent work and discuss the future plugin architecture. We want to talk with you or your project about how we might collaborate.

Objectives:
1. Show the WebGoat modernization.
2. Solicit help on how to best extract living content from other OWASP projects.
3. Understand the community needs for lesson content.

Contacts:
Bruce Mayhew
webgoat@owasp.org

Jason White
jsnsotheracct@gmail.com

Friday September 19, 2014 9:00am - 12:00pm
Gold Coin [Project Summit] Denver Marriott City Center

9:00am

Capture the Flag
This from-scratch Capture The Flag project was created by the Boulder OWASP chapter exclusively for AppSec USA 2014. Designed to test the appsec and development chops of the brightest minds at AppSec USA, this CTF will be talked about for years to come.

Volunteers
Chris Campbell

Security Engineer, Aerstone


Friday September 19, 2014 9:00am - 4:30pm
Penrose 2 [WaspNest CTF] Denver Marriott City Center

9:00am

OWASP Project Summit
Volunteers
Jonathan Marcil

Montreal Chapter Leader, OWASP
As the chapter leader of OWASP Montreal, Jonathan manages most of the events and does the online community management. He is filling up the chapter's agenda with continuous events. He teamed up with various student groups to be present in three universities. He also works to put most of the talks online using YouTube and Google Hangouts. This involvement led him to create the OWASP Media Project, where we gather, consolidate and promote...

Friday September 19, 2014 9:00am - 5:00pm
Gold Coin [Project Summit] Denver Marriott City Center

9:00am

Sponsor Expo
Friday September 19, 2014 9:00am - 5:30pm
Denver Ballroom [Sponsor Expo] Denver Marriott City Center

9:30am

Bringing a Machete to the Amazon
Amazon Web Services (AWS) is billed as an amazingly secure and resilient cloud services provider, but what is the reality once you look past that pristine environment and the manicured forests give way to dark jungle as you start to migrate existing applications to the AWS Cloud or design new ones for AWS exclusively?

With concrete examples and new techniques, this presentation will explore “full stack” vulnerabilities and their effect on security, and how they create new pitfalls when migrating to and operating in an AWS world. From the simple (checking your AWS credentials in to GitHub or embedding them in your app), to the unexpected (XXE injection to expose AWS metadata), to the unintended (data leakage and service exposure to other AWS customers and 3rd party cloud management services). Many examples will be shared alongside new techniques showing how easy it is to expose your applications and infrastructure to attack through misunderstanding, ignorance or bad actors.

To address these challenges this presentation will also reveal and demonstrate a free tool we have designed to assess full stack AWS applications, map out the interactions between infrastructure and code and help individuals and organizations get clarity and bring a machete to the Amazon Cloud.

Speakers
Erik Peterson

Director of Technology Strategy, Veracode
Erik Peterson is the Director of Technology Strategy for Veracode with 17 years of security industry experience, including senior leadership and technology roles for HP, SPI Dynamics, GuardedNet and Sanctum. Erik has also held InfoSec roles at Moody’s and SunTrust Bank and IT roles for the U.S. Embassy in Vienna, Austria and the UN IAEA. Erik has spoken at numerous events including Security BSides, OWASP, ISSA, InfraGard and ISACA...



Friday September 19, 2014 9:30am - 10:15am
Colorado Ballroom E [Defenders] Denver Marriott City Center

9:30am

Ten Secrets to Secure Mobile Applications
Many high profile mobile apps have been in the news for failures to use encryption, bad web service design, and privacy violations against users. Join us to get a grasp on how to threat model mobile applications and what the top vulnerabilities and solutions are for them. This talk will use the OWASP Mobile Top Ten as a framework and will introduce developers, testers, and management to techniques that will expedite the task of securing mobile applications.

Speakers
Jason Haddix

Head of Penetration Testing, Fortify
I currently facilitate information security consulting at HP which includes developing test plans for Fortune 100 companies and competing in "bake-offs" against other top tier consulting vendors. My strengths are web, network, and mobile assessments. I write for my own infosec website (www.securityaegis.com) that reviews industry training, interviews security professionals, and provides anecdotal/practical advice related to offensive security...
Daniel Miessler

Principal Security Architect, HP
Daniel Miessler is Principal Security Architect with HP based out of San Francisco, California. He specializes in application security with specific focus in web and mobile application assessments, helping enterprise customers build effective application security programs, and speaking with executives about how to best leverage technologies and processes to reduce real-world risk. In his spare time he enjoys reading and writing, programming...



Friday September 19, 2014 9:30am - 10:15am
Colorado Ballroom G-J [Builders] Denver Marriott City Center

9:30am

The DevOps of Things
The DevOps movement is going to celebrate its fifth anniversary this October. I was fortunate enough to attend the inaugural event in Ghent in October 2009. Over the past five years I have been deeply involved with this movement as a practitioner, evangelist and all-out junkie. Although the movement started out as a problem statement to solve developer and operations collaboration, it quickly moved into other disciplines such as security, networking and storage. In this presentation we will take a look at the DevOps effect on things like Converged Infrastructure, Software Defined Networking, Software Defined Data Center and of course IPSec. We will start out with a quick overview covering the past, present and future of DevOps. Then we will end up with a comprehensive roadmap of how DevOps is becoming the core of everything happening in IT.

Speakers
John Willis

Docker
Willis, a 30-year systems management veteran, joined Stateless Networks from Dell where he was Chief DevOps evangelist. Willis, a noted expert on agile philosophies in systems management, came to Dell as part of their Enstratius acquisition. At Enstratius, Willis was the VP of Customer Enablement responsible for product support and services for the multi-cloud management platform. During his career, he has held positions at Opscode and also...


Friday September 19, 2014 9:30am - 10:15am
Colorado Ballroom A-D [Mgmt/DevOps] Denver Marriott City Center

9:30am

Warning Ahead: Security Storms are Brewing in Your JavaScript
JavaScript controls our lives – we use it to zoom in and out of a map, to automatically schedule doctor appointments and to play online games. But have we ever properly considered the security state of this scripting language?
Before dismissing the (in)security posture of JavaScript on the grounds of a client-side problem, consider the impact of JavaScript vulnerability exploitation to the enterprise: from stealing server-side data to infecting users with malware. Hackers are beginning to recognize this new playground and are quickly adding JavaScript exploitation tools to their Web attack arsenal.
In this talk we explore the vulnerabilities behind JavaScript, including:
• A new class of vulnerabilities unique to JavaScript
• Vulnerabilities in 3rd-party platforms which are exploited through JavaScript code
• HTML5 is considered the NG-JavaScript. In turn, HTML5 introduces a new set of vulnerabilities

Speakers
Helen Bravo

Product Manager, Checkmarx
Helen Bravo is the Product Manager at Checkmarx. Helen has more than fifteen years of experience in software development, IT security and source-code analysis. Prior to working at Checkmarx, Helen worked at Comverse, one of the biggest Israeli hi-tech firms, as a software engineer and product manager for security matters. Helen holds a B.A. in Economics and Business Administration from the Israeli University of Haifa and started her...



Friday September 19, 2014 9:30am - 10:15am
Colorado Ballroom F [Breakers] Denver Marriott City Center

9:30am

Birds of a Feather (topic to be determined at AppSec USA)
Meet with like-minded individuals to discuss issues of your choosing.

Friday September 19, 2014 9:30am - 10:15am
Penrose 1 [Open Mic] Denver Marriott City Center

9:30am

Starting a project
Friday September 19, 2014 9:30am - 10:15am
Matchless [OWASP Workshop] Denver Marriott City Center

9:30am

Welcome to Hackazon - Get your favorite app scanner ready!

Get your favorite dynamic application security scanner ready to try out Hackazon! Hackazon is a modern vulnerable web application. Hackazon looks like an online storefront with a modern AJAX interface, strict workflows and RESTful APIs used by a companion mobile app. Hackazon is here to replace the old Web 1.0 test apps (WebGoat, DVWA, Hackme Bank and Hackme Casino) that no longer mirror the applications we see in the wild. Will your application security scanner successfully test this site? Doubt it! Even manual pen testers will have their hands full testing their skills against it.

There are vulnerabilities scattered throughout Hackazon, and each vulnerable area is configurable so that users can change the vulnerability landscape to prevent “known vuln testing” or any other form of cheating. Finding all the vulnerabilities in Hackazon will require proper handling of not only classic web security, but also testing of the RESTful interface formats that power AJAX functionality and mobile clients (JSON, XML, GWT, and AMF). It will also require tedious testing of the strict workflows common in today's business applications.

Hackazon is an open source application that will ultimately be contributed to OWASP to be included with the other vulnerable test applications.

During this workshop, Dan will give you a sneak preview of Hackazon, and seek your input as to what you’re seeing in applications and would like to see in Hackazon.

Speakers
Dan Kuykendall

co-CEO and CTO, NT OBJECTives
Dan has been with NTO for more than 10 years and is responsible for the strategic direction and development of products and services. He also works closely with technology partners to make sure our integrations are both deep and valuable. As a result of Dan’s dedication to security, technology innovation and software development, NTO application security scanning software is often recognized as the most accurate because of its sophisticated...


Friday September 19, 2014 9:30am - 10:15am
Independence [Skills Lab] Denver Marriott City Center

10:30am

DevOps and Security: The Facts, The Myths, The Legend
DevOps (despite its increasing popularity amongst both startups and now enterprises as well) still has a bad image with large chunks of the security community. While there are some challenges it brings, this negative reputation is largely undeserved and due to several critical myths around how DevOps breaks security or leaves security out of the equation. DevOps, when done right (and that is a key distinction), actually improves the security of your applications. This is due to some very interesting, though initially counter-intuitive, features of DevOps. We'll dismantle these myths, replace them with facts and perhaps generate a few legends of our own.

Speakers
David Mortman

Chief Security Architect and Distinguished Engineer, Dell
David Mortman is the Chief Security Architect and a Distinguished Engineer at Dell Software and has been doing Information Security for 20+ years. Additionally he is a Contributing Analyst at Securosis and on the Global Board of Directors for BSides. Most recently, he was the Director of Security and Operations at C3. Previously, David was the CISO at Siebel Systems and the Manager of Global Security at Network Associates. David speaks regularly...



Friday September 19, 2014 10:30am - 11:15am
Colorado Ballroom A-D [Mgmt/DevOps] Denver Marriott City Center

10:30am

Hacking .NET(C#) Applications: The Black Arts (ASM attacks)
Attacking in live memory has been the domain of highly skilled attackers with focused and costly tools. This presentation will cover new tools and techniques that allow attackers with basic entry-level skills to attack .NET applications live in memory, allowing for attacks on critical parts of applications such as remolding games or banking software.
The new tools will give a live view on memory in a 3D-GUI that allows for point and click attacks.
The tools are free and the attacks are devastating and easy to carry out.

Speakers
Jon McCoy

Application Security Consultant, DigitalBodyGuard.com
Jon McCoy is trained in Classical Software Engineering and Live System Forensics. He has released a number of tools and techniques for attacking/breaking/bending .NET Framework applications. He provides training in offensive and defensive software, consults on strategic policies and management, and provides outside security reviews for both software and infrastructure. He founded DigitalBodyGuard.com, a general digital security firm that...



Friday September 19, 2014 10:30am - 11:15am
Colorado Ballroom F [Breakers] Denver Marriott City Center

10:30am

Reverse Engineering a Web Application - For Fun, Behavior & WAF Detection
Screening HTTP traffic can be really tricky, and attacks on applications are becoming more complex day by day. By analyzing thousands upon thousands of infections, we noticed that regular blacklisting is increasingly failing, and we started research on a new approach to mitigate the problem. We began by reverse engineering the most popular CMS applications such as Joomla, vBulletin and WordPress, which led us to create a way to detect attackers based on whitelist protection in combination with behavior analysis. Integrating traffic analysis with log correlation has resulted in more than 2500 websites now being protected, generating 2 to 3 million alerts daily with a low false positive rate. In this presentation we will share some of our research, its results, and how we have maintained our WAF (Web Application Firewall) using very low CPU processes with high detection rates.

Detailed Outline:

- Current method of detection (We'll show how WAF operates today, allowing us to emphasize our unique approach)
- Reverse engineering a CMS application (In this step we'll show how we reverse engineered a CMS Application to understand its fragility and common attack vectors)
- Setting up honeypots (We'll share our work with honeypots which gathered data in real time during massive attacks on popular CMS applications)
- Identifying behavior (analyzing data to understand the points to be considered when creating countermeasures and evaluating the best approach to each attack type)
- Creating countermeasures (using behaviour information, CMS vulnerabilities and attack methods spreading in the wild, we'll show how we created better signatures specific to each CMS based on the knowledge acquired during research on each one of them)
- Live analysis (merging everything together and seeing the tool operate live, well-tuned, blocking specific attacks, with improving low false-positive rate in an effective and efficient manner)

Speakers
Rodrigo Montoro

Senior Security Administrator, Sucuri Security
Rodrigo “Sp0oKeR” Montoro has 15 years experience deploying open source security software (firewall, IDS, IPS, HIDS, log management) and hardening systems. Currently he is Senior Security Administrator at Sucuri Security. Before Sucuri he worked at Spiderlabs as a researcher where he focused on IDS/IPS Signatures, ModSecurity rules, and new detection research. Author of 2 Patents pending in technology involving discovery of malicious...


Friday September 19, 2014 10:30am - 11:15am
Colorado Ballroom E [Defenders] Denver Marriott City Center

10:30am

Threat Modeling Made Interactive!
Threat modeling is an important part of any secure development process. By identifying potential threats early in the development, you can build effective mitigations into your system, rather than relying on costly patches and bug fixes.

Existing techniques for modeling threats involve a whiteboard or some form of diagramming, with a few specialized tools capable of generating a list of threats that may be applicable to your system. These tools are indispensable, but provide a limited form of feedback and interaction. You can't, for example, state a security policy that you care about and check whether it can be violated by an attacker's actions; specify a concrete design decision (allocation of functionality, component deployment, etc.) and assess its security impact; or strengthen the system with a mitigation and observe how the attacker reformulates its strategy.

In this talk, I will present a demo of Poirot, a tool designed to assist developers in modeling and analyzing the security of their system during the design phase. With Poirot, you can specify your system and desired security policies, and perform an automatic analysis to generate attacks that may lead to the violation of a policy. The process is interactive; as you learn more about the system and its environment, you can modify the system model in Poirot and re-run the analysis to assess the impact of changes. Unlike existing modeling tools, where threats are treated as static entities, every threat in Poirot is represented by a dynamic agent that can actively perform actions and adapt to changes in a system. In addition, Poirot comes with a built-in, extensible database of threats that can be instantiated against a particular system, freeing you from the tedious task of enumerating a threat list. Finally, Poirot leverages recent progress in software verification to perform an exhaustive analysis that achieves a much stronger coverage than traditional testing. During this talk, I will demonstrate the application of Poirot to several web applications, and highlight the tool's strengths as well as limitations.

Speakers
Eunsuk Kang

MIT
I am a PhD candidate and a member of the Software Design Group in the Computer Science and Artificial Intelligence Laboratory (CSAIL) at MIT. My research projects have focused on developing tools and techniques for software modeling and verification, with applications to security and safety-critical systems.



Friday September 19, 2014 10:30am - 11:15am
Colorado Ballroom G-J [Builders] Denver Marriott City Center

10:30am

Birds of a Feather (topic to be determined at AppSec USA)
Meet with like-minded individuals to discuss issues of your choosing.

Friday September 19, 2014 10:30am - 11:15am
Penrose 1 [Open Mic] Denver Marriott City Center

10:30am

Funding a project
Friday September 19, 2014 10:30am - 11:15am
Matchless [OWASP Workshop] Denver Marriott City Center

10:30am

Penetration testing code coverage

A continuous challenge facing penetration testers is ensuring adequate coverage of a target application. A purely black box perspective makes it almost impossible to accurately identify how much of the attack surface was tested during an assessment. Glass box testing techniques significantly improve the insight that penetration testers have into the coverage and makeup of the applications they are targeting. This 45-minute session will start with brief introductory material and will then jump into a live demo using OWASP Code Pulse, a newly released real-time code coverage tool. Session attendees will learn about the benefits of real-time code coverage insight and will learn how to effectively use Code Pulse to improve the coverage in their penetration testing activities, regardless of whether they're relying purely on manual testing or on automated scans by one or more DAST tools.
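The coverage gap the abstract describes, as an added example that is not OWASP Code Pulse: the glass-box side is a route table taken from the application's source, the black-box side is the tester's proxy history, and the script reports which handlers were actually reached. The route table, the proxy log lines and the treatment of 401/403 as "never reached the handler" are constructed assumptions for this illustration.

```python
"""Attack-surface coverage from a glass-box route table and a proxy history.
Added example (not OWASP Code Pulse); the route table and the proxy log are
constructed for this illustration."""
import re
from collections import defaultdict

# Constructed: routes as extracted from the application's source (the glass-box
# view that a black-box tester does not have).
KNOWN_ROUTES = [
    ("GET", "/login"),
    ("POST", "/login"),
    ("GET", "/account/{id}"),
    ("POST", "/account/{id}/transfer"),
    ("GET", "/admin/users"),
    ("DELETE", "/admin/users/{id}"),
    ("GET", "/api/v1/search"),
]

# Constructed proxy history, one request per line: METHOD URL STATUS.
PROXY_LOG = """\
GET /login 200
POST /login 302
GET /account/42 200
GET /account/42?tab=history 200
GET /api/v1/search?q=%27%20OR%201%3D1-- 200
GET /static/app.js 200
GET /admin/users 403
"""

# Responses that mean the request never reached the handler under test.
BLOCKED_STATUSES = {401, 403}


def route_pattern(template):
    """Compile '/account/{id}' into a regex that matches one concrete path."""
    parts = []
    for seg in template.split("/"):
        if seg.startswith("{") and seg.endswith("}"):
            parts.append("[^/]+")
        else:
            parts.append(re.escape(seg))
    return re.compile("^" + "/".join(parts) + "$")


def parse_log(text):
    """Return (method, path, status) per request; query strings are dropped."""
    hits = []
    for line in text.splitlines():
        if not line.strip():
            continue
        method, url, status = line.split()
        hits.append((method, url.split("?", 1)[0], int(status)))
    return hits


def coverage(routes, hits):
    """Match each request to a known route and report what was, and was not, exercised."""
    compiled = [(m, t, route_pattern(t)) for m, t in routes]
    exercised = defaultdict(int)   # route -> requests that reached its handler
    blocked = defaultdict(int)     # route -> requests rejected before the handler
    unknown = []                   # requests matching no route in the code
    for method, path, status in hits:
        for m, t, pat in compiled:
            if m == method and pat.match(path):
                (blocked if status in BLOCKED_STATUSES else exercised)[(m, t)] += 1
                break
        else:
            unknown.append((method, path))
    untested = [r for r in routes if r not in exercised]
    return {
        "percent": 100.0 * len(exercised) / len(routes),
        "exercised": dict(exercised),
        "blocked": dict(blocked),
        "untested": untested,
        "unknown": unknown,
    }


if __name__ == "__main__":
    report = coverage(KNOWN_ROUTES, parse_log(PROXY_LOG))
    print(f"handler coverage: {report['percent']:.1f}%")
    for route in report["untested"]:
        print("never exercised:", *route)
    for route in report["blocked"]:
        print("blocked before handler:", *route)
```

On the constructed input the proxy shows seven requests, but only four of the seven handlers were reached: the 403 on /admin/users counts as blocked, not tested, and the transfer and delete endpoints were never touched at all. That distinction, requests sent versus code reached, is what a black-box view cannot give you.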


Speakers
Hassan Radwan

Secure Decisions
Hassan Radwan is a developer by trade with a passion for consumable application security. He is the project lead on OWASP Code Pulse, a real-time code coverage tool, and leads the engineering effort on Code Dx, a commercial SAST correlation tool. Hassan has worked in the application security and quality field for the past six years at Secure Decisions and has a passion for representing application security information in a visual and consumable...


Friday September 19, 2014 10:30am - 11:15am
Independence [Skills Lab] Denver Marriott City Center

11:30am

Lunch
Friday September 19, 2014 11:30am - 1:00pm
Denver Ballroom [Sponsor Expo] Denver Marriott City Center

12:00pm

Birds of a Feather (topic to be determined at AppSec USA)
Meet with like-minded individuals to discuss issues of your choosing.

Friday September 19, 2014 12:00pm - 12:45pm
Penrose 1 [Open Mic] Denver Marriott City Center

1:00pm

Open Mic (Turing Tests and Account Takeover)
Watch (or present!) a variety of topical sessions as voted on by AppSec USA attendees.

Speakers
Neal Mueller

Shape Security



Friday September 19, 2014 1:00pm - 1:45pm
Penrose 1 [Open Mic] Denver Marriott City Center

1:00pm

Auto-Scaling Web Application Security in the Cloud
Securing web applications has placed extreme demands on security professionals: in addition to understanding attack patterns and defense tactics, effectively protecting web apps requires some level of programming and database management expertise. With broad adoption of public clouds, this bar is rising once again. Today's cloud-enabled applications scale up well beyond previous web applications. It is not unusual for cloud-enabled web applications to change their infrastructure footprint within minutes and scale to millions of users. This has placed a greater burden on securing these applications. How can you design auto-scaling security to match these rapidly scaling web applications? Older-style web application defenses almost always fail. Additional web application security capacity added days or even weeks after the server farm has grown and begun processing live transactions is not acceptable.

In this session the audience will learn several approaches to auto-scaling web application security, using practical examples built around Amazon Web Services. The audience will learn about:
• Common techniques and tools used to provide security for auto-scaling web applications including Chef/Puppet, CloudFormation, Elastic Load Balancer.
• Role of auto-scaling groups and common requirements for management APIs in automatically deploying web security infrastructure.
• Common scaling triggers and mechanics by which web application security infrastructure must scale to operate in lockstep with elastic web server farms.
• Impact Platform-as-a-Service (PaaS) services have on auto-scaling web application security and approaches to deploying application security controls embedded directly into web applications.
While this is a session primarily designed for an advanced audience with strong understanding of IP networking, web application security fundamentals and experience in managing security infrastructure in a public cloud environment, the information covered will also be of interest to intermediate attendees that set technology strategy and formulate requirements for cloud security controls.

Speakers
Misha Govshteyn

VP of Technology Services, Alert Logic
Misha Govshteyn co-founded Alert Logic in 2002. Govshteyn is responsible for security strategy, security research and software development at Alert Logic. Prior to founding Alert Logic, Govshteyn served as a Director of Managed Services for Reliant Energy Communications. In this role, he developed and successfully launched five major product lines including Managed Intrusion Detection Services and Managed Enterprise Firewall/VPN Products. Under...



Friday September 19, 2014 1:00pm - 1:45pm
Colorado Ballroom E [Defenders] Denver Marriott City Center

1:00pm

Stop Chasing Vulnerabilities - Introducing *Continuous* Application Security
For too long, application security has been “experts-only” and practiced one-app-at-a-time. But modern software development, both technology and process, is mostly incompatible with this old approach and legacy appsec tools. Software development has been transformed by practices like Continuous Integration and Continuous Delivery, and the time has come to bring these efficiencies to security. In this talk, Jeff will show you how you can evolve into a “Continuous Application Security” organization that generates assurance automatically across an entire application security portfolio. Jeff will demonstrate how open-source tools (including OWASP ZAP, Mozilla's Minion, Gauntlt, and others) can be integrated to provide a comprehensive real-time application security dashboard. With this approach, we can leverage the power of big data analytics to gain unprecedented insight into enterprise application security and finally focus on enterprise application security strategy rather than simply chasing the next XSS. Before you come to this talk, be sure to check out “Application Security at DevOps Speed and Portfolio Scale” for some background.

Speakers
Jeff Williams

CTO, Contrast Security
Jeff Williams is a co-founder and CTO of Contrast Security, the world's fastest and most accurate application security technology. Previously, Jeff was a founder and CEO of Aspect Security. He also served as Global Chairman of the OWASP Foundation where he created many open-source standards, tools, libraries, and guidelines – including the OWASP Top Ten, WebGoat, ESAPI, XSS CheatSheet, ASVS and more. Jeff welcomes hearing from you and...



Friday September 19, 2014 1:00pm - 1:45pm
Colorado Ballroom G-J [Builders] Denver Marriott City Center

1:00pm

When you can't afford 0days: Client-side exploitation for the masses
A bag of fresh and juicy 0days is certainly something you would love to get as a Christmas present, but it would probably be just a dream you had one of those drunken nights.

Hold on! Not all is lost! There is still hope for pwning targets without 0days.

We will walk you through multiple real-life examples of client-side pwnage, from tricking the victim to take the bait, to achieving persistence on the compromised system.

The talk will be highly practical and will demonstrate how you can do proper client-side exploitation effectively, simply by abusing existing functionalities of browsers, extensions, legacy features, etc.

We'll delve into Chrome and Firefox extensions (automating various repetitive actions that you'll likely perform in your engagements), HTML applications, abusing User Interface expectations, (Open)Office macros and more. All the attacks are supposed to work on fully patched target software, with a bit of magic trickery as the secret ingredient.

You might already know some of these exploitation vectors, but you might need a way to automate your attacks and tailor them based on the victim language, browser, and whatnot. Either way, if you like offensive security, then this talk is for you.

Speakers
Michele Orrù

Senior Security Consultant, Trustwave SpiderLabs
Michele Orru a.k.a. antisnatchor is an IT and ITalian security guy. Lead core developer of the BeEF project, he mainly focuses his research on application security and related exploitation techniques. He is a frequent speaker at hacking conferences, including CONFidence, DeepSec, Hacktivity, SecurityByte, AthCon, HackPra, Semafor, Just4Meeting, OWASP, 44Con, EUSecWest, Ruxcon and more we just can't disclose. Besides having a passion for hacking...



Friday September 19, 2014 1:00pm - 1:45pm
Colorado Ballroom F [Breakers] Denver Marriott City Center

1:00pm

Where the Security Rubber Meets the DevOps Road
DevOps is a natural evolution of Agile, Lean, Continuous Integration and other patterns common amongst high performers and continuous process improvement. As someone who has helped dozens of organizations get started with DevOps patterns and tool chains, we will explain where people get started – and therefore where security can inject and support sound practices for the bulk of the adoption curve. This will also serve as a great hand-off to the next talk about the bleeding edge trends and trajectories.

Speakers
Damon Edwards

Co-Founder and Vice President of Solution Advocacy, SimplifyOps
Damon Edwards is a Co-Founder and Vice President of Solution Advocacy for SimplifyOps, a provider of support and services for Rundeck users. Damon Edwards is also a co-founder of DTO Solutions, a consultancy where his focus is business and technology alignment and applying Lean and Agile principles to improving operational processes. Damon has spent over 14 years working with both the technology and business ends of IT operations and is noted for...


Friday September 19, 2014 1:00pm - 1:45pm
Colorado Ballroom A-D [Mgmt/DevOps] Denver Marriott City Center

1:00pm

Customizing Burp Suite - Getting the most out of your extensions
The objective of this lecture is to give pentesters and tool developers an overview of the APIs available to extend the Burp Suite intercepting proxy. Using open-source examples developed by the author we will illustrate a number of key areas for anyone wishing to create extensions for Burp Suite:

- Passive scanning
- Active scanning
- Identifying insertion points
- Request modification

The presentation will include code samples and links to actual open source Burp Suite plugins developed by the author. 

Speakers
August Detlefsen

Senior Application Security Consultant, CodeMagi, Inc.
August Detlefsen (California) is a Senior Security Consultant who has presented at JavaOne (2008, 2012) as well as AppSec USA (2014, 2015) and is the co-author of Iron-Clad Java: Building Secure Web Applications. August also teaches customized secure coding classes for large and small clients.



Friday September 19, 2014 1:00pm - 1:45pm
Independence [Skills Lab] Denver Marriott City Center

1:00pm

Marketing a project
Friday September 19, 2014 1:00pm - 1:45pm
Matchless [OWASP Workshop] Denver Marriott City Center

1:00pm

OWASP Mobile Top Ten Project Planning and Call for Input
This session will present project status and future activities/goals.

Objectives:
1. Provide project status and an overview of future goals and activities.
2. Solicit feedback regarding project target audience
3. Call for help

Contact:
Chad Butler
chad.butler@gmail.com

Friday September 19, 2014 1:00pm - 5:00pm
Gold Coin [Project Summit] Denver Marriott City Center

2:00pm

Open Mic (The Myth of .NET (ASP) Authentication Expiration)
Watch (or present!) a variety of topical sessions as voted on by AppSec USA attendees.


Friday September 19, 2014 2:00pm - 2:45pm
Penrose 1 [Open Mic] Denver Marriott City Center

2:00pm

Catch me if you can: Building a Web Malware Analyzer using Machine Learning
With close to 10,000 new, legitimate websites being added to the Google malware blacklist every day, it's clear that infecting websites to spread malware has become the go-to choice for malicious hackers. In this talk I will focus on how the problem is evolving, how websites are getting infected and what gets injected into websites. I will also focus on how to use machine learning to quickly build a system that can scale far beyond what AV engines can catch.

This talk will include a live demo and a mix of PowerPoint slides that educate, inform and enable the audience to understand web malware trends and set up mechanisms to catch non-obvious pieces of web malware.
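The feature-and-classifier pipeline the abstract describes, as an added example that is not the speaker's system: it extracts a handful of binary indicators common in injected content (eval, decoders such as unescape/fromCharCode/atob, document.write, zero-sized or hidden iframes, long encoded blobs), trains a Laplace-smoothed Bernoulli naive Bayes model on a constructed corpus of three infected and three clean pages, and labels two unseen constructed pages. The patterns, the 80-character blob threshold and the corpus are assumptions for the illustration; a real system learns from thousands of labelled pages and many more features.

```python
"""Feature extraction plus a Bernoulli naive Bayes classifier for injected web
malware. Added example, not the speaker's system; the training pages and the
pages classified at the end are constructed."""
import math
import re

# Each feature is a binary indicator of a pattern common in injected content.
FEATURES = [
    ("eval", re.compile(r"\beval\s*\(")),
    ("decoder", re.compile(r"unescape\s*\(|fromCharCode|atob\s*\(")),
    ("document_write", re.compile(r"document\.write\s*\(")),
    ("hidden_iframe", re.compile(
        r"<iframe[^>]*(width\s*=\s*[\"']?0\b|height\s*=\s*[\"']?0\b|display\s*:\s*none)", re.I)),
    ("long_blob", re.compile(r"[A-Za-z0-9+/%\\]{80,}")),  # encoded payload
]


def extract(page):
    """Return the 0/1 feature vector for one page (HTML plus inline script)."""
    return [1 if pattern.search(page) else 0 for _, pattern in FEATURES]


def shannon_entropy(s):
    """Bits per character; encoded or packed payloads sit well above plain text."""
    if not s:
        return 0.0
    counts = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    return -sum(c / len(s) * math.log2(c / len(s)) for c in counts.values())


def train(samples):
    """samples: [(page, label)]. Laplace-smoothed per-class feature probabilities."""
    model = {}
    for label in {lab for _, lab in samples}:
        pages = [p for p, lab in samples if lab == label]
        totals = [sum(v) for v in zip(*(extract(p) for p in pages))]
        model[label] = (
            len(pages) / len(samples),                       # class prior
            [(t + 1) / (len(pages) + 2) for t in totals],    # P(feature | class)
        )
    return model


def classify(model, page):
    """Return (label, log-scores); an absent feature contributes log(1 - p)."""
    feats = extract(page)
    scores = {}
    for label, (prior, probs) in model.items():
        s = math.log(prior)
        for f, p in zip(feats, probs):
            s += math.log(p if f else 1 - p)
        scores[label] = s
    return max(scores, key=scores.get), scores


# Constructed training corpus: three infected pages, three clean ones.
TRAINING = [
    ("<script>eval(unescape('" + "%3C%69%66%72%61%6D%65" * 5 + "'))</script>", "malicious"),
    ("<iframe src=\"http://example.invalid/x.php\" width=\"0\" height=\"0\" "
     "style=\"display:none\"></iframe>", "malicious"),
    ("<script>var s=String.fromCharCode(60,105,102,114,97,109,101,62);"
     "document.write(s);</script>", "malicious"),
    ("<html><body><h1>Welcome</h1><p>Our store opens at 9am.</p>"
     "<script src=\"/static/app.js\"></script></body></html>", "benign"),
    ("<script>document.write('<p>Copyright ' + new Date().getFullYear() + '</p>');</script>", "benign"),
    ("<iframe src=\"https://www.example.com/embed/abc\" width=\"560\" height=\"315\"></iframe>", "benign"),
]

MODEL = train(TRAINING)


if __name__ == "__main__":
    # Constructed unseen pages: a base64 payload fed to eval via atob, and a clean footer.
    suspect = "<script>eval(atob('" + "aGVsbG8gd29ybGQh" * 6 + "'))</script>"
    clean = "<p>Hello</p><script>document.write('x')</script>"
    print(extract(suspect), classify(MODEL, suspect)[0])
    print(extract(clean), classify(MODEL, clean)[0])
```

Naive Bayes is used here because it trains in one pass and its per-feature probabilities are readable: on the constructed corpus document.write alone is not enough to condemn a page, while eval plus a decoder plus a long encoded blob is. The entropy helper is the usual next feature to add (high entropy inside a string literal), kept separate here so the tiny corpus stays hand-checkable.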

Speakers
Anirban Banerjee

Systems Engineer, CloudFlare Inc.
Anirban was a co-founder and technical lead at StopTheHacker, acquired now by Cloudflare. Anirban holds a Ph.D. in Computer Science from the University of California at Riverside. For the last 6 years he has been active in various security circles and working groups that focus on eradication of web-malware and has presented lightning talks at various conferences.



Friday September 19, 2014 2:00pm - 2:45pm
Colorado Ballroom E [Defenders] Denver Marriott City Center

2:00pm

From the Ground Up
This project started with a challenge given to me at the AppSec EU conference in Hamburg, when I said that it should be possible to do dynamic source-sink analysis in basic Java applications. My challengers then told me: "Prove it". It took a while, but fairly soon I had a simple setup in which I demonstrated simple log manipulation on the command line and that it was detectable. This project is the continuation of that proof and is aimed at developers, to help them detect security vulnerabilities using live source-sink analysis. It is dependent on code coverage and is not aimed to be used in a production environment.
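The source-to-sink idea behind the abstract, as an added example that is not the speaker's project and is written in Python rather than Java: a value from an untrusted source is wrapped so that the taint survives string concatenation, and the log sink refuses a tainted value that still carries a line break, which is exactly the log manipulation the abstract mentions. The handler names, the Tainted class and the payload are assumptions for this illustration.

```python
"""Dynamic source-to-sink tracking for log forging. Added example, not the
speaker's project: untrusted values are wrapped in Tainted, the mark survives
string concatenation, and the log sink refuses a tainted value that still
carries a line break."""


class Tainted(str):
    """A str that remembers it came from an untrusted source."""

    def __new__(cls, value, source="unknown"):
        obj = super().__new__(cls, value)
        obj.source = source
        return obj

    # Concatenation in either direction keeps the taint. Caveat: f-strings and
    # str.format() return plain str, so taint is lost there; route those through
    # sanitize() or extend this class before relying on it in a larger code base.
    def __add__(self, other):
        return Tainted(str.__add__(self, other), self.source)

    def __radd__(self, other):
        return Tainted(str.__add__(other, self), self.source)


class LogForgingDetected(Exception):
    pass


LOG_LINES = []


def log_sink(message):
    """Sink: a tainted value carrying CR or LF would let the caller forge extra
    log lines, so it is rejected; everything else is written."""
    if isinstance(message, Tainted) and ("\n" in message or "\r" in message):
        raise LogForgingDetected(f"line break from {message.source} reached the log")
    LOG_LINES.append(str(message))
    return str(message)


def sanitize(value):
    """Strip CR/LF and return a plain, untainted str for the log sink."""
    return str(value).replace("\r", "").replace("\n", "")


def http_param(name, value):
    """Source: every request parameter is tainted."""
    return Tainted(value, source=f"request parameter {name!r}")


def login_attempt(username):
    """Vulnerable: the untrusted name goes straight into the log line."""
    return log_sink("Login failed for user: " + username)


def login_attempt_fixed(username):
    """Fixed: the value is neutralised before it reaches the sink."""
    return log_sink("Login failed for user: " + sanitize(username))


def flags_forging(handler, username):
    """True if the sink rejected the value the handler sent it."""
    try:
        handler(username)
        return False
    except LogForgingDetected:
        return True


if __name__ == "__main__":
    # Constructed payload: a second, fake "success" line for the admin account.
    forged = http_param("username", "alice\nLogin succeeded for user: admin")
    print("vulnerable handler flagged:", flags_forging(login_attempt, forged))
    print("fixed handler flagged:", flags_forging(login_attempt_fixed, forged))
    print(LOG_LINES)
```

Because the check lives in the sink rather than at the source, it fires on whatever path the value took through the code; that is also why it only finds what the tests actually execute, the code-coverage dependency the abstract points out.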

Speakers
Steven van der Baan

Principal Consultant, 7Safe
Steven van der Baan is a Principal Consultant at 7Safe, an information security organisation based in Melbourn, UK. Steven van der Baan is a passionate Security Consultant and Software Architect, with a broad history in software development and architecture. Steven has a varied background in developing complex systems, mainly in Java. He has the capability to analyse problems and provide sound advice on possible solutions. He can also design a...


Friday September 19, 2014 2:00pm - 2:45pm
Colorado Ballroom G-J [Builders] Denver Marriott City Center

2:00pm

Hacking the Oracle Application Framework: A case study in deep-dive pen testing
The Oracle Application Framework (OAF) is the base of dozens of Oracle's web-based business applications (the eBusiness Suite) and is used by many other organizations to develop their own in-house applications. Last year, the speaker published a major vulnerability (CVE-2013-xxxx) in the framework that allowed inspection of run-time data. Unpublished at the time, the vulnerability also allowed unauthenticated attackers to impersonate any user with an active session, including administrators.

Why had such a critical vulnerability in a major application framework gone undiscovered for so long? The OAF has a huge install base in large companies, so it had undoubtedly been tested and scanned many times before. Attack complexity wasn’t a factor; once documented, the exploit was profoundly simple to use. In fact, while the functionality was poorly documented, the vulnerability was actually DESIGNED as part of OAF.

So, again, why did it take so long to discover? The answer can be found by looking at how most application testing is performed. Traditional black-box testing is only capable of discovering vulnerabilities that sit on the surface of the user interface. A relatively simple application, such as a blog or online store, will have limited functionality beyond the obvious user interface. This is radically different in enterprise-scale applications that must support complex integration with other applications and platforms.

Additionally, while superficial penetration testing of the user interface is sufficient to protect an application against casual attackers, a dedicated attacker will certainly dig deeper. This is easier with off-the-shelf software (like OAF) that can be downloaded, evaluated, or pirated by attackers.

To fully test a complex application, advanced techniques are required. Static reverse engineering, mock environment creation, and dynamic monitoring are all essential components in any comprehensive application test. Using the Oracle Application Framework as a case study, deep-dive techniques will be explained and demonstrated in this presentation. A live environment will be provided for attendees who want to hack along with the presentation and during the rest of the day.

Speakers
David Byrne

Principal Consultant, SpiderLabs
David Byrne has worked in information security for 14 years. Currently, he is a Managing Consultant in SpiderLabs, Trustwave's advanced security team focused on application security, penetration testing, and incident response. David's primary responsibility is setting SpiderLabs' global standards for delivery of application security services. Before Trustwave, David was the Security Architect at Dish Network, one of the world's...


Friday September 19, 2014 2:00pm - 2:45pm
Colorado Ballroom F [Breakers] Denver Marriott City Center

2:00pm

Implications & Opportunities at the Bleeding Edge of DevOps
Ever onward... as DevOps keeps evolving, this session will show you how the newest DevOps patterns and technologies (e.g. Docker) continue to change and morph the opportunities and risks for security. It's more exciting than scary... once you get over the shock.

Speakers
Chris Swan

CTO, CohesiveFT
Chris Swan is CTO at CohesiveFT, a cloud networking company founded in 2006 that he joined in early 2013. He was previously at UBS where he held a number of CTO roles and represented the bank as a Director on the Steering Committee of the Open Data Center Alliance (ODCA). Before joining UBS he was CTO at a London based technology investment banking boutique Capital SCF. Chris previously held various senior R&D, architecture and engineering...



Friday September 19, 2014 2:00pm - 2:45pm
Colorado Ballroom A-D [Mgmt/DevOps] Denver Marriott City Center

2:00pm

Introduction to Golismero (The Web Knife)
Speakers
Mike Landeck

Cyber Security Strategy Consultant, CyberSecOlogy
Mike Landeck led the security implementation and then operationalized the country's largest Medicaid Management Information System (MMIS) as the Director of Information Security for Xerox State Healthcare in California, and then managed the very successful implementation of Colorado's Health Insurance Exchange as a consulting manager for CGI. Mike currently consults for one of the world's largest software companies on improving security in...



Friday September 19, 2014 2:00pm - 2:45pm
Independence [Skills Lab] Denver Marriott City Center

2:00pm

Recruiting developers
Friday September 19, 2014 2:00pm - 2:45pm
Matchless [OWASP Workshop] Denver Marriott City Center

3:00pm

Cloud Security at Scale and What it Means for Your Application
Cloud computing is all the rage, but few organizations have really thought about what security means for their applications and networks in cloud-centric deployments. Netflix is amongst the largest users of public cloud resources and consumes roughly 1/3 of all the US’s downstream broadband at peak. This talk will cover the processes used at Netflix to deploy and secure large-scale applications to the Cloud. Netflix has developed a suite of architectures, processes, and tools to make security in the Cloud as elegant as possible... most of these are, or will soon be, Open Sourced. Several tools will be previewed in the talk.

These systems include:
- Hundreds of applications; with hundreds of production deployments a day ... all using an “immutable server model”
- Crazy monkeys that roam the clouds to enforce availability models through random instance homicide
- OCD fish that swim cloudy waters to make sure firewalls are sane and consistent across the globe
- Inquisitive penguins automatically assess the risk of an application based upon its codebase and interconnections with other applications
- ... and many more ...

Speakers
Ben Hagen

Engineering Manager, Security Tools and Operations, Netflix
Ben Hagen is likely the only security professional in the world who has won both a presidential election and an Emmy. He loves security and both building and breaking things. Ben currently leads the Security Tools and Operations team at Netflix. During the 2012 US Presidential Election he was in charge of security for the Obama 2012 re-election campaign's technology program. Prior to this role, he was a Security Consultant with Neohapsis, and...



Friday September 19, 2014 3:00pm - 3:45pm
Colorado Ballroom E [Defenders] Denver Marriott City Center

3:00pm

Ground Truths of a Rugged DevOps Practitioner
DevOps isn't just a buzzword. It isn't a miracle cure. It isn't the security apocalypse. From the perspective of a practitioner who has been on a DevOps journey, we can explore the lessons learned, including surprises. This session will be a mixture of case study, lessons learned, future plans, and interactive discussion.

Speakers
Matt Tesauro

OWASP Foundation
Matt Tesauro is currently working full-time for the OWASP Foundation, adding automation and awesome to OWASP projects. Previously, he was a founder and CTO of Infinitiv, a Senior Software Security Engineer at Pearson and the Senior Product Security Engineer at Rackspace. He is also an Adjunct Professor for the University of Texas Computer Science department teaching the next generation of CS students about Application Security. Matt is...


Friday September 19, 2014 3:00pm - 3:45pm
Colorado Ballroom A-D [Mgmt/DevOps] Denver Marriott City Center

3:00pm

Headless Browser Hide and Seek
Headless browsers have quietly become indispensable tools for security teams, researchers, and attackers focusing on web applications. Tools like PhantomJS enable anyone to interact with highly dynamic websites to find vulnerabilities, performance bottlenecks, and even automate attacks.

This presentation will dive into the offensive use of these tools, and how to counteract them in practice. This will include techniques used by attackers to find vulnerabilities in websites, and how security teams can use these techniques to perform their own daily security practice.

With this base established, we will delve into an extended analysis of techniques that malicious browsers use to impersonate real end-users, and the countermeasures security teams can use to expose them. We will provide examples of how to collect threat forensics and attacker attribution data when malicious browsers are detected on your site. Lastly we will review vulnerabilities in headless browsers themselves and provide recommendations to ensure that your tools aren't turned against you.

Introduction to Headless Browsers
- What it is and how it works
- Legitimate uses and how you can benefit

Malicious Use of PhantomJS
- Impersonate a legitimate browser
- Fuzzing a web application
- Find performance bottlenecks

Exploiting the Exploiter
- How attackers attempt to hide
- How to expose them on your site
- Additional evasion and techniques and countermeasures

Demonstrations
- Example of attacking with phantomJS with subsequent detection
- Arbitrary code execution on up-to-date remote PhantomJS
- Various ways of abusing remote PhantomJS

Counter-attacking and Attribution
- How to turn a headless browser against the attacker
- Vulnerabilities in PhantomJS
- Best practices for using headless browsers safely
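The "expose them on your site" part of the outline, as an added example that is not Shape Security's product: a server-side scorer that sums cheap, individually spoofable signals from the request headers and from a small JavaScript challenge the page runs in the client (the PhantomJS bridge objects window.callPhantom and window._phantom, navigator.webdriver, a navigator.userAgent that disagrees with the header, a missing Accept-Language, an unanswered challenge). The four visitors, the probe key names and the flagging threshold are constructed assumptions; the reasons are kept per visitor because they are the attribution data you want in the incident record.

```python
"""Server-side scoring of signals that separate a headless browser from a human
visitor. Added example, not Shape Security's product; the four visitors are
constructed. Every signal here is spoofable, which is why they are summed."""
import re

HEADLESS_UA = re.compile(r"PhantomJS|SlimerJS|HeadlessChrome", re.I)


def score_visitor(headers, probe):
    """headers: HTTP request headers. probe: the answer (or None) to a small JS
    challenge the page ran in the client; the keys are assumed names for the
    values the challenge reports back. Returns (score, reasons)."""
    reasons = []
    ua = headers.get("User-Agent", "")
    if not ua or HEADLESS_UA.search(ua):
        reasons.append("User-Agent is empty or names a headless engine")
    if "Accept-Language" not in headers:
        reasons.append("no Accept-Language header (every mainstream browser sends one)")
    if probe is None:
        reasons.append("JS challenge never answered (no script engine, or it was blocked)")
    else:
        if probe.get("callPhantom") or probe.get("_phantom"):
            reasons.append("window.callPhantom/_phantom present: PhantomJS bridge object")
        if probe.get("webdriver"):
            reasons.append("navigator.webdriver is true: automation framework attached")
        if probe.get("userAgent") and probe["userAgent"] != ua:
            reasons.append("navigator.userAgent does not match the header User-Agent")
        if probe.get("screen", (1, 1)) == (0, 0):
            reasons.append("zero-sized screen")
    return len(reasons), reasons


def triage(visitors, threshold=2):
    """Flag visitors scoring at or above threshold; keep the reasons for forensics."""
    flagged = {}
    for name, headers, probe in visitors:
        score, reasons = score_visitor(headers, probe)
        if score >= threshold:
            flagged[name] = reasons
    return flagged


# Constructed visitors: (label, request headers, JS challenge result or None).
CHROME_UA = ("Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 "
             "(KHTML, like Gecko) Chrome/37.0.2062.120 Safari/537.36")
PHANTOM_UA = ("Mozilla/5.0 (Unknown; Linux x86_64) AppleWebKit/534.34 "
              "(KHTML, like Gecko) PhantomJS/1.9.7 Safari/534.34")

VISITORS = [
    ("human", {"User-Agent": CHROME_UA, "Accept-Language": "en-US,en;q=0.8"},
     {"userAgent": CHROME_UA, "screen": (1920, 1080)}),
    ("phantom-default", {"User-Agent": PHANTOM_UA},
     {"callPhantom": True, "_phantom": True, "userAgent": PHANTOM_UA, "screen": (400, 300)}),
    # Spoofed UA header, but the bridge object, the UA mismatch and the missing
    # header still give it away.
    ("phantom-spoofed", {"User-Agent": CHROME_UA},
     {"callPhantom": True, "userAgent": PHANTOM_UA, "screen": (400, 300)}),
    ("curl", {"User-Agent": "curl/7.35.0"}, None),
]

if __name__ == "__main__":
    for name, reasons in triage(VISITORS).items():
        print(name)
        for r in reasons:
            print("  -", r)
```

A single signal should never block: a corporate proxy can strip Accept-Language and a privacy extension can blank the challenge. Summing independent signals, and logging which ones fired, is what lets you raise the threshold for a page that matters without losing the forensic trail.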

Speakers
Sergey Shekyan

Principal Engineer, Shape Security
Sergey Shekyan is a Principal Engineer at Shape Security, where he is focused on the development of the new generation web security product. Prior to Shape Security, he spent 4 years at Qualys developing their on demand web application vulnerability scanning service. Sergey presented research at security conferences around the world, covering various information security topics. Sergey has spoken at BlackHat USA, HITB Amsterdam, PHDays, H2HC, and...

Bei Zhang

Senior Software Engineer, Shape Security
Bei Zhang is a Senior Software Engineer at Shape Security, focused on analysis and countermeasures of automatic web attacks. Previously, he worked at the Chrome team at Google with a focus on the Chrome Apps API. His interests include web security, source code analysis, and algorithms.


Friday September 19, 2014 3:00pm - 3:45pm
Colorado Ballroom F [Breakers] Denver Marriott City Center

3:00pm

OWASP A9: A Year Later - Are you still using components with known vulnerabilities?
It's been more than a year now since the introduction of the new A9 to the OWASP Top Ten list. What are you doing to ensure you are not "using components with known vulnerabilities" in your applications? Join this session to hear real-world case studies of organizations who have taken steps to follow the best practices in this guideline to manage the use of components across the software lifecycle. Hear what is working well and where there are still challenges. Trend data from thousands of application analyses will also be shared to provide a broader view of how we are doing as an industry to manage this risk.
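The check behind A9, as an added example that is not Sonatype's tooling: a resolved dependency tree is matched against an advisory feed, with proper version ordering (so 1.10 is newer than 1.9 and a -SNAPSHOT sorts before its release) and with the parent chain kept so that a transitive hit can be traced to the direct dependency that pulled it in. The artifacts, the advisory identifiers and the manifest are all constructed and fictional.

```python
"""Audit a resolved dependency tree against an advisory feed. Added example (not
Sonatype's tooling); the manifest and the advisories are constructed for
fictional artifacts, so every identifier below is made up."""
import re

# Constructed advisory feed: a version is affected if introduced <= version < fixed.
ADVISORIES = [
    {"id": "EXAMPLE-2014-001", "package": "org.example:widget-core",
     "introduced": "1.0.0", "fixed": "1.4.2", "severity": "high"},
    {"id": "EXAMPLE-2014-002", "package": "org.example:widget-core",
     "introduced": "2.0.0", "fixed": "2.0.5", "severity": "medium"},
    {"id": "EXAMPLE-2013-017", "package": "org.example:xml-parse",
     "introduced": "0.0.0", "fixed": "3.1.0", "severity": "critical"},
]

# Constructed resolved dependency tree in the shape a build tool prints it:
# one "group:artifact:version" per line, two spaces of indent per level,
# children listed below their parent. The first line is the application itself.
MANIFEST = """\
org.example:app-web:1.0.0
  org.example:widget-core:1.4.1
    org.example:xml-parse:2.9.3
  org.example:widget-core:2.0.5
  org.example:logging:1.2.0
"""


def parse_version(v):
    """Numeric dotted prefix as a tuple of ints (padded so 1.4 == 1.4.0); a
    qualifier such as -SNAPSHOT or -beta sorts before the plain release."""
    m = re.match(r"(\d+(?:\.\d+)*)(.*)", v)
    numbers = tuple(int(x) for x in m.group(1).split("."))
    numbers = numbers + (0,) * (3 - len(numbers))
    qualifier = m.group(2).lstrip("-.").lower()
    return numbers, ((0, qualifier) if qualifier else (1, ""))


def is_affected(version, adv):
    v = parse_version(version)
    return parse_version(adv["introduced"]) <= v < parse_version(adv["fixed"])


def parse_manifest(text):
    """Return [(package, version, parents)] with parents as the chain from the root."""
    deps, stack = [], []
    for line in text.splitlines():
        if not line.strip():
            continue
        depth = (len(line) - len(line.lstrip())) // 2
        group, artifact, version = line.strip().split(":")
        package = f"{group}:{artifact}"
        stack = stack[:depth]
        deps.append((package, version, tuple(stack)))
        stack.append(package)
    return deps


def audit(manifest, advisories):
    """Every (package, version) in the tree that falls inside an advisory range."""
    findings = []
    for package, version, parents in parse_manifest(manifest):
        for adv in advisories:
            if adv["package"] == package and is_affected(version, adv):
                findings.append({
                    "id": adv["id"], "package": package, "version": version,
                    "severity": adv["severity"],
                    "via": " -> ".join(parents) or "(root)",
                })
    return findings


if __name__ == "__main__":
    for f in audit(MANIFEST, ADVISORIES):
        print(f"{f['severity']:8} {f['id']}  {f['package']}:{f['version']}  via {f['via']}")
```

Two details carry the weight: widget-core 2.0.5 is exactly the fixed version and so is correctly not reported, and the xml-parse hit is reported together with the widget-core 1.4.1 that dragged it in, because that is the line in the build file the developer has to change.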

Speakers
Ryan Berg

Chief Security Officer, Sonatype
Ryan is the Chief Security Officer at Sonatype. Before joining Sonatype, Ryan was a co-founder and chief scientist for Ounce Labs which was acquired by IBM in 2009. Ryan holds multiple patents and is a popular speaker, instructor and author, in the fields of security, risk management, and secure application development. Prior to Ounce Labs, Ryan co-founded Qiave Technologies, a pioneer in kernel-level security, which later sold to WatchGuard...



Friday September 19, 2014 3:00pm - 3:45pm
Colorado Ballroom G-J [Builders] Denver Marriott City Center

3:00pm

Hosting a project summit
Friday September 19, 2014 3:00pm - 3:45pm
Matchless [OWASP Workshop] Denver Marriott City Center

3:00pm

Pwning the Pawns with WiHawk
The elements that play a major role in today's network architecture are the router, gateway, switch, hub, access point and so on. In a typical network, the wireless or wired router is the key element responsible for connecting the LAN to the Internet. A router can be connected to two or more data lines from different networks and plays the important role of forwarding data packets between them. Security measures at each and every component in the network are imperative, and there has been significant development in the last decade to make networks even more secure. While strong security rules have been applied at different components of the network, the router is one sensitive and essential element that is still poorly configured by companies. Routers can be compromised by attackers to gain unauthorized access to the private network, which can lead to malicious activities like the following:

1.     An attacker could configure the router to use a malicious DNS (Domain Name System) server, which can then lead to redirection of users to malicious websites.

2.    An attacker can set up port forwarding rules to expose internal network services to the Internet.

Vulnerabilities in the management interfaces of wireless routers, vulnerabilities in protocols, inconsistencies in router software and weak authentication can expose the device to remote attacks and so to compromise. These issues were raised by researchers in late 2012, but even where vendors provide patches for the management interface and the router software, these vulnerabilities are unlikely to go away soon because many users never update their routers and other embedded systems.


Speakers
Santhosh Kumar

Security Researcher, Near Security
Santhosh is a security researcher from India who has been with the security community since the age of 12. Santhosh is also the founder of a non-profit project, "Near Security", which mainly focuses on providing free and open infosec education around the globe. Santhosh has reported security vulnerabilities to many companies such as Intel, IBM, Yahoo, Microsoft, Cisco, etc. Santhosh enjoys learning new things in the age of digital security and...


Friday September 19, 2014 3:00pm - 3:45pm
Independence [Skills Lab] Denver Marriott City Center

4:00pm

Coffee Break
Friday September 19, 2014 4:00pm - 4:30pm
Denver Ballroom [Sponsor Expo] Denver Marriott City Center

4:30pm

Keynote: OWASP Global Board
Friday September 19, 2014 4:30pm - 5:30pm
Colorado Ballroom [Assembled Conference] Denver Marriott City Center

5:30pm

Sponsor raffle and prize giveaway (must be present to win!)
What better way to end a conference than winning free stuff? Join us for sponsor contests, the Passport raffle, and more!

Friday September 19, 2014 5:30pm - 6:15pm
Colorado Ballroom [Assembled Conference] Denver Marriott City Center

5:30pm

Capture the Flag: Awards Ceremony
Held during the Main Reception, the Code Brew is a part of one of Colorado's oldest traditions.  Denver produces more beer than any other city in the United States.  We take it seriously and it shows.  Code Brew is designed to showcase our passion with a community-driven beer garden and homebrew competition.

Volunteers
Chris Campbell

Security Engineer, Aerstone


Friday September 19, 2014 5:30pm - 6:30pm
Colorado Ballroom [Assembled Conference] Denver Marriott City Center

7:00pm

Downtown Denver Brewery Tour
Close out the conference with a walking tour of one of America's finest beer destinations: downtown Denver! Partake in a brewery crawl including tours, tastings, and more.

The group will hit the town together: meet in the hotel lobby following the Closing Ceremonies on Friday, or join us mid-tour. All stops may be followed on Twitter using the hashtag #BeerSecUSA.

Friday September 19, 2014 7:00pm - 11:00pm
TBA