Software security is first and foremost a business problem. Attackers have learned that nearly all web applications can be exploited via application-level vulnerabilities. Using any one of a long list of common entry points, an attacker can make the software misbehave in a variety of ways, including granting access to unauthorized data. Security-conscious organizations recognize this threat and are making secure application development a business priority. By doing this, they are creating leading programs that help protect against reputational risk and brand damage, and that improve customer experiences.
During this presentation, you will learn:
· How to create a vision of software security success aligned with business goals.
· Activities that security practitioners can establish to improve application security.
· Ways to think differently about the impact of application security so you can innovate change and be more successful with your program.
· Techniques to address today’s risks and tomorrow’s opportunities.
Get your favorite dynamic application security scanner ready to try out Hackazon! Hackazon is a modern vulnerable web application. Hackazon looks like an online storefront with a modern AJAX interface, strict workflows and RESTful APIs used by a companion mobile app. Hackazon is here to replace the old Web 1.0 test apps (WebGoat, DVWA, Hackme Bank and Hackme Casino) that no longer mirror the applications we see in the wild. Will your application security scanner successfully test this site? Doubt it! Even manual pen testers will have their hands full testing their skills against it.
There are vulnerabilities scattered throughout Hackazon, and each vulnerable area is configurable so that users can change the vulnerability landscape to prevent “known vuln testing” or any other form of cheating. Finding all the vulnerabilities in Hackazon requires not only proper handling of classic web security, but also testing of the RESTful interface formats that power AJAX functionality and mobile clients (JSON, XML, GWT, and AMF). It will also require tedious testing of the strict workflows common in today’s business applications.
Hackazon is an open source application that will ultimately be contributed to OWASP to be included with the other vulnerable test applications.
During this workshop, Dan will give you a sneak preview of Hackazon, and seek your input as to what you’re seeing in applications and would like to see in Hackazon.

A continuous challenge facing penetration testers is ensuring adequate coverage of a target application. A purely black box perspective makes it almost impossible to accurately identify how much of the attack surface was tested for penetration during an assessment. Glass box testing techniques significantly improve the insight that penetration testers have into the coverage and makeup of the applications they are targeting. This 45-minute session will start with brief introductory material and will then jump into a live demo using OWASP Code Pulse, a newly released real-time code coverage tool. Session attendees will learn about the benefits of real-time code coverage insight and will learn how to effectively use Code Pulse to improve the coverage in their penetration testing activities, regardless of whether they’re relying purely on manual scans or on automated scans by one or more DAST tools.
1. An attacker could configure the router to use a malicious DNS (Domain Name System) server, which can then lead to redirection of users to malicious websites.
2. An attacker can set up port forwarding rules to expose internal network services to the Internet.
Vulnerabilities in the management interfaces of wireless routers, vulnerabilities in protocols, inconsistencies in router software and weak authentication can expose the device to remote attacks and compromise by attackers. These issues were raised by researchers in late 2012, but even when vendors provide patches for the management interface and for inconsistencies in router software, these vulnerabilities are unlikely to go away soon because many users never update their routers and other embedded systems.