Thursday, September 18
 

9:30am MDT

IEEE Computer Society's Center for Secure Design - Helping You Design More Secure Software
The IEEE Computer Society's CSD (Center for Secure Design) was formed in 2014 with the goal of identifying common design flaws and creating tools or design patterns so architects and developers can avoid introducing those design flaws into software.

The CSD aims to create artifacts to aid in the analysis of software design and additional artifacts to aid in designing software for security. This presentation will outline the results of the first workshop convened in May of this year where the Top N design flaws were documented, and also discuss some of the goals of future IEEE CSD workshops.

Speakers

Jim DelGrosso

Principal Consultant, Cigital
Jim is a Principal Consultant at Cigital with over 30 years of experience working for software development and consulting organizations. At Cigital, Jim heads up the Architecture Analysis practice with the mission to analyze the architecture and design of systems to identify flaws...



Thursday September 18, 2014 9:30am - 10:15am MDT
Colorado Ballroom E [Defenders] Denver Marriott City Center

10:30am MDT

Anatomy of memory scraping, credit card stealing POS malware
Learn the nuts-and-bolts of how a memory scraping, credit card stealing point-of-sale (POS) malware works and identify strategies that you can implement to make it hard for the bad guys.

Sensitive information, like credit card numbers, is encrypted on disk and in transit. But the one place where this information is vulnerable is in process memory, and the bad guys have already found ways of stealing it from there.

This presentation has three parts. The first part will introduce RAM scraping techniques and how they were recently used in conjunction with point-of-sale (POS) systems to steal credit card data. The nuts-and-bolts of such malware will be studied to understand its behavior and working. This technique evades security measures including encryption on disk and encryption in transit, as the information is available unencrypted in process memory before or after encryption. The second part of the presentation will be a demo of such a home-grown malware, which will allow us to study how these techniques behave under different circumstances. The demo will lead to the third part, which will suggest methods that will make it hard on the malware. This includes various techniques such as changing memory sizes, making it hard for the malware to identify the POS process, or altogether changing the attributes of the POS process so that it could be hidden. Finally, we will also go over some techniques that will aid in finding RAM scraping malware and making it difficult for such malware to do its job.

Speakers

Amol Sarwate

Director of Vulnerability and Compliance Labs, Qualys Inc.
As Director of Vulnerability Labs at Qualys, Amol Sarwate heads a worldwide team of security researchers who analyze the threat landscape of exploits, vulnerabilities and attacks. He is a veteran of the security industry who has worked for the last 15 years on firewalls, vulnerability...



Thursday September 18, 2014 10:30am - 11:15am MDT
Colorado Ballroom E [Defenders] Denver Marriott City Center

1:00pm MDT

Project Monterey or How I Learned to Stop Worrying and Love the Cloud
At Netflix, developers deploy code hundreds of times a day. Each code push could be a production canary taking only a percentage of the total requests, or a test determining which new feature improves customer experience the most. The large number of applications, along with multiple concurrent code bases, creates an environment that is impractical for manual security testing. This presentation will outline and demo Project Monterey as one of many solutions that the Netflix Cloud Security Team has been developing to secure Netflix’s large cloud deployment.

Monterey’s main goal is to automate as much security testing as possible. It provides a framework for deploying and running traditional tools in the cloud, taking industry-standard tools such as the OWASP ZAP web application scanner, Nmap, Nessus, etc. and allowing them to be run in a large, distributed and scalable manner. By providing a plugin interface, Monterey allows security professionals to create and integrate their own tools with ease. Monterey also enables tools to be chained together, with the output of one tool acting as the input of another.

An important part of Monterey’s automation is the capability to respond to the dynamic nature of Netflix’s deployment process and environment. This means automatically detecting new applications or new code pushes as they happen and detecting services that are newly exposed to the internet.

Prior work in this area includes projects such as minion and graudit.

This talk will include a demo of Monterey itself, cover current use cases that Netflix has leveraged, and propose future expansion ideas, including open sourcing the project.

Speakers

Kevin Glisson

Senior Cloud Security Engineer, Netflix
When Kevin Glisson is not playing with security automation, new languages and Python libraries, he is an avid mountain biker and backpacker enjoying all parts of the Sierras. Kevin is currently a Security Engineer at Netflix writing tools to help streamline security operations...



Thursday September 18, 2014 1:00pm - 1:45pm MDT
Colorado Ballroom E [Defenders] Denver Marriott City Center

2:00pm MDT

Red Phish, Blue Phish: Improved Phishing Detection Using Perceptual Hashing
While lacking the sex appeal of memory corruption based attacks, phishing remains a problem for many end users. Defenses against phishing have not advanced significantly. We will discuss current approaches to phishing detection, and present a new one along with an accompanying tool.

We will discuss several perceptual hashing algorithms, and describe how we can leverage them to detect phishing sites masquerading as popular sites such as Paypal, Amazon, and others.

Code to collect and identify these malicious sites, and a browser extension leveraging it, will be explained, demonstrated and released for attendee use and study.

Speakers

Daniel Peck

Principal Research Scientist, Barracuda Networks
Peck is Principal Research Scientist at Barracuda Networks; he is currently focused on studying uses of social networks as a medium for attacks. Previous research includes comparing content-based and non-content-based systems to identify malicious accounts on Twitter/Facebook, exploiting...


Thursday September 18, 2014 2:00pm - 2:45pm MDT
Colorado Ballroom E [Defenders] Denver Marriott City Center

3:00pm MDT

Blended Web and Database Attacks on Real-time, In-Memory Platforms
It is well known there is a race going on in the “Big Data” arena. One of the stronger competitors in the “Big Data” market is the Real-Time, In-Memory Platform. An interesting thing about this platform, and the one we will talk about specifically, is that it blends everything to increase performance. The database tables, webserver engine, webserver code, authorization, analytics engine, libraries, etc. are all optimized to, if possible, never touch the disk.

Surprisingly, this causes a perspective shift for the web and database application threat landscape and how security professionals should address it. For example:

* The resources are massive enough that the Database can store all previous versions of the table. We will introduce a new SQL Injection attack vector that abuses a “TIME TRAVEL” feature, providing access to previously deleted data.
* The Web Application code is stored in the database and not on the filesystem! Or to put it another way, web application code is executed through a web server engine by retrieving the code directly from the database. We will present Server-Side JavaScript exploits performed using SQL queries.
* The Database is enhanced with special libraries to support advanced analytics and statistical features, such as integration with the R programming environment. We will demonstrate how, if implemented insecurely, this could lead to exploits “written in R”.
* The Web Application database queries are typically run in the context of the current user's session. In other words, no database credentials are stored in the web application backend code. We will show how an attacker may need to resort to Social Engineering as a critical component of SQL Injection.

In this talk we will explore how an attacker might blend old attack vectors to obtain the same or novel goals in the industry-leading Real-Time, In-Memory platform: SAP HANA. We will present live demos of new vulnerabilities discovered by the Onapsis Research Labs team, as well as ways to ensure your platform is protected.

Furthermore, we will present a reference framework for professionals who need to assess the security of these unique platforms, as well as sample vulnerable applications for developers to understand how to avoid common pitfalls that would introduce security risks.

Speakers

Juan Perez-Etchegoyen

CTO, Onapsis, Inc.
Juan Pablo is the CTO of Onapsis, leading the Research and Development teams that keep the Company at the cutting edge of the ERP security field. Juan Pablo is fully involved in the design, research and development of the innovative Onapsis software solutions. Being responsible...


Thursday September 18, 2014 3:00pm - 3:45pm MDT
Colorado Ballroom E [Defenders] Denver Marriott City Center
 
Friday, September 19
 

9:30am MDT

Bringing a Machete to the Amazon
Amazon Web Services (AWS) is billed as an amazingly secure and resilient cloud services provider, but what is the reality once you look past that pristine environment and the manicured forests give way to dark jungle as you start to migrate existing applications to the AWS Cloud or design new ones for AWS exclusively?

With concrete examples and new techniques, this presentation will explore “full stack” vulnerabilities, their effect on security, and how they create new pitfalls when migrating to and operating in an AWS world. From the simple (checking your AWS credentials in to GitHub or embedding them in your app), to the unexpected (XXE injection to expose AWS metadata), to the unintended (data leakage and service exposure to other AWS customers and 3rd party cloud management services). Many examples will be shared alongside new techniques showing how easy it is to expose your applications and infrastructure to attack through misunderstanding, ignorance or bad actors.

To address these challenges this presentation will also reveal and demonstrate a free tool we have designed to assess full stack AWS applications, map out the interactions between infrastructure and code and help individuals and organizations get clarity and bring a machete to the Amazon Cloud.

Speakers

Erik Peterson

Director of Technology Strategy, Veracode
Erik Peterson is the Director of Technology Strategy for Veracode with 17 years of security industry experience, including senior leadership and technology roles for HP, SPI Dynamics, GuardedNet and Sanctum. Erik has also held InfoSec roles at Moody’s and SunTrust Bank and IT...



Friday September 19, 2014 9:30am - 10:15am MDT
Colorado Ballroom E [Defenders] Denver Marriott City Center

10:30am MDT

Reverse Engineering a Web Application - For Fun, Behavior & WAF Detection
Screening HTTP traffic can be really tricky, and attacks on applications are becoming increasingly complex day by day. By analyzing thousands upon thousands of infections, we noticed that regular blacklisting is increasingly failing, and we started research on a new approach to mitigate the problem. We began by reverse engineering the most popular CMS applications, such as Joomla, vBulletin and WordPress, which led us to create a way to detect attackers based on whitelist protection in combination with behavior analysis. We integrated traffic analysis with log correlation, resulting in more than 2500 websites now being protected and 2 to 3 million alerts generated daily with a low false positive rate. In this presentation we will share some of our research, its results, and how we have maintained a WAF (Web Application Firewall) using very low CPU and achieving high detection rates.

Detailed Outline:

- Current method of detection (We'll show how WAF operates today, allowing us to emphasize our unique approach)
- Reverse engineering a CMS application (In this step we'll show how we reverse engineered a CMS Application to understand its fragility and common attack vectors)
- Setting up honeypots (We'll share our work with honeypots which gathered data in real time during massive attacks on popular CMS applications)
- Identifying behavior (analyzing data to understand the points to be considered when creating countermeasures and evaluating the best approach to each type of attack)
- Creating countermeasures (using behaviour information, CMS vulnerabilities and attack methods spreading in the wild, we'll show how we created better signatures specific to each CMS based on the knowledge acquired during research on each one of them)
- Live analysis (merging everything together and seeing the tool operate live, well-tuned, blocking specific attacks, with a low and improving false-positive rate in an effective and efficient manner)

Speakers

Rodrigo Montoro

Security Researcher
Rodrigo “Sp0oKeR” Montoro has 15 years of experience deploying open source security software (firewalls, IDS, IPS, HIDS, log management) and hardening systems. Currently he is a Security Researcher / SOC. Prior to joining Clavis he worked as a Senior Security Administrator at Sucuri...


Friday September 19, 2014 10:30am - 11:15am MDT
Colorado Ballroom E [Defenders] Denver Marriott City Center

1:00pm MDT

Auto-Scaling Web Application Security in the Cloud
Securing web applications has placed extreme demands on security professionals – in addition to understanding attack patterns and defense tactics, effectively protecting web apps requires some level of programming and database management expertise. With broad adoption of public clouds, this bar is rising once again. Today’s cloud-enabled applications scale up well beyond previous web applications. It is not unusual for cloud-enabled web applications to have an infrastructure footprint that changes within minutes and scales to millions of users. This has placed a greater burden on securing these applications. How can you design auto-scaling security to match these rapidly scaling web applications? Older-style web application defenses and security almost always fail. Additional web application security capacity added days or even weeks after the server farm has grown and begun processing live transactions is not acceptable.

In this session the audience will learn several approaches to auto-scaling web application security, using practical examples built around Amazon Web Services. The audience will learn about:
• Common techniques and tools used to provide security for auto-scaling web applications, including Chef/Puppet, CloudFormation, and Elastic Load Balancer.
• Role of auto-scaling groups and common requirements for management APIs in automatically deploying web security infrastructure.
• Common scaling triggers and mechanics by which web application security infrastructure must scale to operate in lockstep with elastic web server farms.
• The impact Platform-as-a-Service (PaaS) services have on auto-scaling web application security, and approaches to deploying application security controls embedded directly into web applications.
While this is a session primarily designed for an advanced audience with strong understanding of IP networking, web application security fundamentals and experience in managing security infrastructure in a public cloud environment, the information covered will also be of interest to intermediate attendees that set technology strategy and formulate requirements for cloud security controls.

Speakers

Misha Govshteyn

VP of Technology Services, Alert Logic
Misha Govshteyn co-founded Alert Logic in 2002. Govshteyn is responsible for security strategy, security research and software development at Alert Logic. Prior to founding Alert Logic, Govshteyn served as a Director of Managed Services for Reliant Energy Communications. In this role...



Friday September 19, 2014 1:00pm - 1:45pm MDT
Colorado Ballroom E [Defenders] Denver Marriott City Center

2:00pm MDT

Catch me if you can: Building a Web Malware Analyzer using Machine Learning
With close to 10,000 new, legitimate websites being added to the Google malware blacklist every day, it's clear that infecting websites to spread malware has become the go-to choice for malicious hackers. In this talk I will focus on how the problem is evolving, how websites are getting infected and what gets injected into websites. I will also focus on how to use machine learning to quickly build a system that can scale far beyond what AV engines can catch.

This talk will show a live demo and will be a mix of PowerPoint slides that educate, inform and enable the audience to understand web malware trends and set up mechanisms to catch non-obvious pieces of web malware.

Speakers

Anirban Banerjee

Systems Engineer, CloudFlare Inc.
Anirban was a co-founder and technical lead at StopTheHacker, now acquired by Cloudflare. Anirban holds a Ph.D. in Computer Science from the University of California at Riverside. For the last 6 years he has been active in various security circles and working groups that focus on eradication of web malware and has presented lightning...



Friday September 19, 2014 2:00pm - 2:45pm MDT
Colorado Ballroom E [Defenders] Denver Marriott City Center

3:00pm MDT

Cloud Security at Scale and What it Means for Your Application
Cloud computing is all the rage, but few organizations have really thought about what security means for their applications and networks in cloud-centric deployments. Netflix is amongst the largest users of public cloud resources and consumes roughly 1/3 of all the US’s downstream broadband at peak. This talk will cover the processes used at Netflix to deploy and secure large-scale applications to the Cloud. Netflix has developed a suite of architectures, processes, and tools to make security in the Cloud as elegant as possible... most of these are, or will soon be, Open Sourced. Several tools will be previewed in the talk.

These systems include:
- Hundreds of applications; with hundreds of production deployments a day ... all using an “immutable server model”
- Crazy monkeys that roam the clouds to enforce availability models through random instance homicide
- OCD fish that swim cloudy waters to make sure firewalls are sane and consistent across the globe
- Inquisitive penguins automatically assess the risk of an application based upon its codebase and interconnections with other applications
- ... and many more ...

Speakers

Ben Hagen

Engineering Manager, Security Tools and Operations, Netflix
Ben Hagen is likely the only security professional in the world who has won both a presidential election and an Emmy. He loves security and both building and breaking things. Ben currently leads the Security Tools and Operations team at Netflix. During the 2012 US Presidential Election...



Friday September 19, 2014 3:00pm - 3:45pm MDT
Colorado Ballroom E [Defenders] Denver Marriott City Center
 