
Terrace Lounge
Monday, January 25


OWASP Top 10 – Exploitation and Effective Safeguards

About the course 

The OWASP Top 10 list of web application vulnerabilities has done a great job of promoting security awareness among developers. Along with many cheat sheets, it provides valuable tools and techniques to web developers. But such a large body of information can be overwhelming for a programmer who wants to learn about security. This course aims to give all web developers deep, hands-on knowledge of the subject.

To achieve this goal, participants will first learn the technical details of each OWASP Top 10 vulnerability. Then the instructor will demonstrate how attacks are performed against each of them. After that, participants will use virtual machines and follow step-by-step procedures to launch attacks against a vulnerable web site. This step is key to understanding how exploitation works so they can later implement effective safeguards in their own systems. Our experience is that participants who have hands-on experience exploiting vulnerabilities will always remember how to prevent them.

Who should take this course?

This course is designed to help intermediate to expert web developers and security professionals understand how to secure web applications. Candidates are expected to have basic knowledge of web technologies, but no prior security experience is required. Security professionals who want to learn more about web security will also benefit from this class.

The course will cover the following topics:

1. OWASP Top 10 web application vulnerabilities:
    A1 - Injection Attacks
        Command Injection
        File Injection
        SQL Injection
    A2 - Broken Authentication and Session Management
    A3 - Cross-Site Scripting (XSS)
    A4 - Insecure Direct Object References
    A5 - Security Misconfiguration
    A6 - Sensitive Data Exposure
    A7 - Missing Function Level Access Control
    A8 - Cross-Site Request Forgery (CSRF)
    A9 - Using Known Vulnerable Components
    A10 - Unvalidated Redirects and Forwards
2. Proper Password Management
3. Secure Coding Best Practices
4. Effective Safeguards

Demos from the instructor

1.  SQL Injection Attack
2.  Cross-Site Scripting Attack
3.  Insecure Direct Object References
4.  Sensitive Data Exposure
5.  Cross-Site Request Forgery

Hands-on Exercises

1.  Session Initialization and Client-Side Validation
      Part 1: Web Proxy and Session Initialization
      Part 2: Client-Side Validation
2.  Online Password Guessing Attack
3.  Account Harvesting
4.  Sniffing Encrypted Traffic
5.  Launching Command Injection Attacks
6.  Using a Web Application Vulnerability Scanner
7.  Optional Exercise: Create SSL certificates


Participants are asked to bring a laptop (Windows, Mac or Linux) with at least 3 GB of RAM, 20 GB of free disk space and either VMware Player (free), VMware Workstation, VMware Fusion or Oracle VirtualBox pre-installed. They must also have an administrator/root account on their laptop. At the beginning of the course, participants will receive a USB thumb drive containing two pre-configured virtual machines.


David Caissy

Security consultant, Albero Solutions Inc.
David Caissy, OSCP, GWAPT, GPEN, GSEC, CISSP, CEH, has 16 years of experience as a security consultant and web application architect. He has performed security audits, vulnerability assessments and web application penetration tests, and has designed several secure systems. He has worked...

Tuesday, January 26


Taking AppSec to 11: AppSec Pipelines, DevOps and Making Things Better
How many applications are in your company’s portfolio? What’s the headcount for your AppSec team? Whatever your situation is, I am sure the numbers are not in your favor. It's not time to find a new career, it's time to up your game. This talk will cover how to take your small merry band of AppSec professionals and scale it up to a virtual army. By taking the best of DevOps, Agile and CI/CD, you can iteratively up your AppSec game over time and begin your ascent out of the security hole you are in.

The talk covers real-world experiences running AppSec groups at two different companies: Rackspace, with approximately 4,000+ employees, and Pearson, with 40,000+. Both have an international presence and far more apps and developers than AppSec staff. The talk covers the key principles for speeding and scaling up AppSec programs using an AppSec Pipeline, as well as practical examples of these practices put into use. Start early and begin to buy down the technical security debt that feels inevitable with more traditional AppSec program thinking.


Matt Tesauro

Founder, Infinitiv
Matt has been involved in information technology and application development for more than 15 years. He is currently the Senior Software Security Engineer at Pearson. He is also an Adjunct Professor for the University of Texas Computer Science department, teaching the next generation...


AuthMatrix: Simplified Authorization Testing for Web Applications

While many threats to web applications such as SQLi and XSS can be mitigated through generic framework solutions, enforcing authorization remains a complex task for developers. Proper enforcement of access controls requires unique design considerations for each application and can be difficult to get right. Detecting vulnerabilities in authorization can be just as challenging, as these issues are generally difficult to map and test for. Due to the complexity in an application's architecture, pen-testers must frequently use their limited time and resources developing custom tools specific to a single application's authorization model.


In this presentation we take you through the process of designing a tool capable of simplifying this testing methodology to reduce the redundancy between testing unique targets. We will discuss some of the common authorization insecurity patterns seen in web applications and services, consider the common challenges faced by pen-testers when testing for these issues, and present effective methods for mapping the intricacies of these models. Additionally, we will introduce AuthMatrix, a new extension to the Burp Suite testing utility designed to simplify authorization test cases in a clear and reproducible manner.


Mick Ayzenberg

Security Engineer, Security Innovation
Mick’s years of security industry experience have included consulting on dozens of mid-to-long-term projects for well-known technology companies. He has done extensive work in network protocol analysis, reversing, and fuzzing of both software applications and network communications...


Integrating Mobile Devices into Your Penetration Testing Program
Though still an imperfect science in many ways, penetration testing is often our only way of assessing the effectiveness of our security programs against actual attackers. As mobile devices enter the enterprise en masse, much focus has been on securing them and limiting the risk of BYOD using EMM, MDM, MIM, pick your favorite security control acronym. While many shops are engaging in code review, static analysis, pentesting, etc. against custom mobile applications built in house, even enterprises with mature security programs are often ignoring mobile devices and the surrounding infrastructure in their security testing.

It seems like common sense to provide adequate security testing for all devices on corporate networks, particularly when spending large chunks of budget on security controls around BYOD. If we have DoS protection, we put it in front of staging and hit it with DoS attacks. If it falls down, the control is not providing a return on investment. If we have a patch management practice, we make sure there are no missing patches leading to compromise during our penetration tests, and if there are, we augment our security program accordingly. We need to be doing the same around mobile. How secure are these devices really against attack? If they are compromised, what data on the device is in jeopardy? What other assets in the enterprise are now at risk of attack from the compromised mobile device?

By using traditional penetration testing techniques augmented for the unique attack vectors of mobile devices, we can assess these risks and get a clear picture of the risk of BYOD in the environment. In this talk we will discuss techniques along with live demonstration scenarios of penetration tests on mobile devices and the surrounding infrastructure. From mobile phishing to undermining security controls to using compromised mobile devices as pivot points, the mobile risk is real and we need to be simulating it in our security testing. We will discuss how these techniques can augment and extend penetration testing and how they can be seamlessly integrated into your existing security program.


Georgia Weidman

Founder and CEO, Bulb Security and Shevirah Inc.
Georgia Weidman is a penetration tester, security researcher, and trainer. She holds an MS in computer science as well as CISSP, CEH, and OSCP certifications. Her work in the field of smartphone exploitation has been featured in print and on television internationally. She...


Adaptive Testing Methodology: Crowdsourced Testing Methodology Customized to the Target Stack

Testing methodology is a sore subject for most pentesters. Everyone has their own way to do things, and 3 people testing the same thing often end up with different results—especially when constrained for time.

The ASTM project has two goals: 1) allow testers to consistently find the best vulnerabilities in the shortest amount of time, and 2) provide a framework for community improvement of the methodologies.

ASTM combines a time constraint with a quick technology detection step to build a customized testing methodology for that specific website, given how much time you have to test it.


Daniel Miessler

Director of Client Advisory Services, IOActive
Daniel Miessler is a Director of Client Advisory Services with IOActive, based out of San Francisco, California. Daniel has 15 years of experience in information security with a focus on web, mobile, and IoT, and is a project leader for the OWASP IoT and OWASP Mobile Top Ten projects...


Security Automation in the Agile SDLC - Real World Cases
How can we really automate secure coding? Agile, DevOps, Continuous Integration, Orchestration, Static, Dynamic: there's an endless feed of buzzwords, but how can we turn this into a practice that really works? In this session we will review real-world examples of building a successful automation process for the delivery of secure software in fast-paced development environments.


Ofer Maor

Director of Security Strategy, Synopsys
Ofer Maor is a security expert and entrepreneur with over 20 years of experience in information and application security. Ofer has been involved in application security from its early days, through research, penetration testing, consulting, and product development. As the founder...

Wednesday, January 27


Ad Hoc Mutable Infrastructure for Security Management
Cloud service adoption is increasing across organizations, from startups to massive enterprises. Managing and auditing the security around cloud services is often difficult given the myriad unknowns around connectivity and complexity. We’ve developed a completely mutable infrastructure for managing a traditionally critical piece of infrastructure: Active Directory identity management. This infrastructure eliminates many of the problems associated with traditional domain controller exploitation through ad hoc network routes, extremely restrictive access controls, and the ability to destroy any completely compromised domain controller via automation technologies.


Will Bengtson

Senior Security Program Manager, Nuna Health
Will Bengtson is the punisher of security at Nuna Health and has been blowing cyber criminals away for years. His experience across industries in low-level implementation, architecture risk analysis, red teaming, and penetration testing, among others, has allowed him to partner up...

Robert Wood

Head of Security, Nuna Health
Robert Wood is the dark knight of security at Nuna Health and has been fighting cyber crime for years. Robert has experience with threat modeling, red teaming, incident response, static analysis, and penetration testing. Having been engaged in these capacities across many industries...


Making Security Agile
Many progressive IT organizations have already adopted agile methodologies and run in a CI/CD mode, while security processes and a level of security automation are still behind and can easily become a bottleneck if not changed.

In our presentation we’ll show how to convert the old approach to application security into a more progressive and faster one. You will also learn how to extend the leverage of a small security team by reusing QA regression unit tests for security processes. Achieving a greater level of productivity and security automation by utilizing open source and commercial tools will also be covered in our talk.


Oleg Gryb

Sr. Manager, Security Engineering, Samsung Strategy and Innovation Center
Oleg Gryb is a Security Architect working in the application security domain at Samsung Electronics Innovation Center. He was previously a Security Architect at Intuit, where he created the architecture for mission-critical financial and business applications. Gryb participates actively...

Sanjay Tambe

Security Architect, Samsung Strategy and Innovation Center
Sanjay Tambe is working as a Security Architect at Samsung Strategy & Innovation Center. He is working on the security of the cloud-based SAMI Internet of Things (IoT) platform. Previously he worked as Core Security Champion at Intuit, where he ensured the security of applications such as Mint...


10 Years of Working with the Community
Dave Lenoe, Director of Secure Software Engineering, has been working in the security community for 10 years, focusing for the majority of that time on response. As a veteran, Dave will talk about his perspective on the security landscape, reflect on the evolution of response and application security, and look at the way we all interact with each other now versus a decade ago. He’ll also discuss what the future may bring.


Dave Lenoe

Adobe Systems, Inc.
David Lenoe is Director, Secure Software Engineering at Adobe. In his role, Lenoe manages the Product Security Incident Response Team (PSIRT), dedicated to responding to and communicating about security issues, as well as the Adobe Secure Software Engineering Team (ASSET), responsible...


Postcards from the Total Perspective Vortex
15 years in the product security group of a large corporation leaves one with a deep appreciation and respect for the complexity of the universe. Complexity rules everything around us -- technology, business ecosystem, corporate culture. To succeed in our line of work one must be able to navigate this complexity, to pierce through the layers of abstraction, through the PowerPoint veils, through the air gaps, and to emerge undaunted by it and make progress in spite of it.

In this talk I will offer some glimpses of what I have seen in the Total Perspective Vortex over the last decade and a half, along with survival strategies and coping mechanisms.

Don't forget your towel.
Don't Panic.


Alex Gantman

VP, Product Security, Qualcomm Technologies Inc.
Alex Gantman serves as Vice President of Engineering for Qualcomm Technologies Inc. He is responsible for leading the Qualcomm Product Security Initiative. Alex joined Qualcomm in 1996 as a software engineering intern. From 1996 to 2001 he worked as a software engineer on a variety...