Tuesday, May 19
 

08:30

Registration
Please check in to pick up your registration packet.

Tuesday May 19, 2015 08:30 - 09:00
Ground Floor Amsterdam RAI

09:00

Welcome to Project Summit 2015
TBA

Speakers
Johanna Curiel

Johanna has mainly worked in the area of C# and ASP.NET development, testing and quality control. She is an experienced developer and understands different types of programming languages such as Java and PHP, as well as different types of scripting languages. Johanna has ample experience in Microsoft technologies and security engineering. Languages: Dutch, English, Spanish, Papiamento.


Tuesday May 19, 2015 09:00 - 09:30
E103/104 Amsterdam RAI

09:00

University Challenge - Registration
Teams to register.

Tuesday May 19, 2015 09:00 - 10:00
Room E102 Amsterdam RAI

09:00

OWASP Knowledge Based Authentication Performance Metrics Project: general advances
Review of the OWASP KBA-PMP project general advances with the project leaders and project managers (Ann Racuya-Robbins, Noreen Whysel)

Tuesday May 19, 2015 09:00 - 10:15
E104

09:00

Assessing and Exploiting Web Apps with SamuraiWTF (Day 1)
Come take the official Samurai-WTF (Web Testing Framework) training course given by one of the founders and lead developers of the project! You will learn the latest Samurai-WTF open source tools and the latest manual techniques to perform an end-to-end penetration test. After a quick overview of pen testing methodology, the instructors will lead you through the process of testing and exploiting web applications, including client side attacks using flaws within the application. We will introduce you to the best open source tools currently available, and teach you how these tools integrate with the manual testing techniques. One of the major goals in this course is teaching you the glue that keeps all these techniques and tools together to successfully perform a pentest from beginning to end, which is overlooked in most web pentesting courses.

The majority of the course will be spent performing an instructor-led, hands-on penetration test. We don't give you a list of overly simplistic steps to go and do in the corner. Instead, at each stage of the test we present the goals that each testing task is to accomplish and perform the pentest along with you on the projector while you are doing it on your own machine. The primary emphasis of these instructor-led exercises is how to integrate these tools into your own manual testing procedures to improve your overall workflow. At the end of the course, you will be challenged with a capture-the-flag event to apply your new skills and knowledge. We will also send you home with several additional vulnerable web apps to practice your new skills at your own pace and experiment with your favorite new tools. This experience will help you gain the confidence and knowledge necessary to perform web application assessments and expose you to the wealth of freely available, open source tools.

Speakers
Justin Searle

Justin Searle is a Managing Partner of UtiliSec, specializing in Smart Grid security architecture design and penetration testing. Justin led the Smart Grid Security Architecture group in the creation of NIST Interagency Report 7628 and played key roles in the Advanced Security Acceleration Project for the Smart Grid (ASAP-SG). He currently leads the testing group at the National Electric Sector Cybersecurity Organization Resources (NESCOR...


Tuesday May 19, 2015 09:00 - 17:00
Room D402 Amsterdam RAI

09:00

Enterprise Business Application Security: Attack and Defense (Day 1)
This training will cover basic and advanced areas of ERP and business application security. You will understand the architecture of typical business application systems and how every single component of those systems can be penetrated. The course will include live demos and hands-on exercises covering business applications from vendors such as SAP, Oracle and Microsoft.

The dependence of big businesses on enterprise business applications is greater than ever before. These enormous systems store and process all of the companies' critical data. Any information an attacker might want, be it a cybercriminal, an industrial spy or a competitor, is stored here. This information includes financial, customer or public relations data, intellectual property, personally identifiable information and more. Industrial espionage, sabotage and insider embezzlement are a reality today, and for an attacker what can be more effective than targeting a victim's business application systems and inflicting severe damage. These applications may be of different types, such as ERP, CRM, SRM, XI, BI, ESB and others. Some of them store data, and some of them, like the Enterprise Service Bus, are for transferring critical data.
Unfortunately, there is minimal information about the security of those systems, both about how to break them during penetration tests and about how to configure them securely. Most public research has focused on SAP ERP applications, but we will additionally cover other software such as Oracle PeopleSoft, Oracle EBS, Oracle JD Edwards, Microsoft Dynamics, etc.

Speakers
Dmitry Chastuhin

Director, Security Consulting at ERPScan. Dmitry is a Director of security consulting at ERPScan. He works on SAP security, particularly on web applications and Java, HANA and mobile solutions. He has official acknowledgements from SAP for the vulnerabilities he found. Dmitry is also a Web 2.0 and social network security geek and bug bounty hunter who has found several critical bugs in Google, Nokia and Badoo. He is a contributor...
Alexey Tuyrin

He holds a PhD in computer security. He is Director of the Oracle Security department and has tremendous hands-on experience in penetration testing projects on different business systems like ERPs, banking software and virtual infrastructure. Co-author of the "SAP Security in Figures 2011" research. He is the main developer of ERPScan free tools like "ERPScan Pentesting Tool" and "ERPScan XXE Scanner". Famous for his groundbreaking research of...


Tuesday May 19, 2015 09:00 - 17:00
Room D406 Amsterdam RAI

09:00

Exploiting Websites by using offensive HTML, SVG, CSS and other Browser-Evil (Day 1)
More and more web applications delegate business logic to the client. HTML.next, JavaScript, SVG, Canvas, ES6, AngularJS and ReactJS are just some terms that describe the contents of the modern web stack. But how does the attack surface look for those? What if there are no GET parameters anymore that our scanner can tamper with? What can we do when the server just delivers raw data and the rest is done by the browser? Classic web pentests are "so nineties" in this realm. And keeping pace with progress is getting harder and harder.

But there is hope. The focus of this workshop is on the offensive and dangerous parts of HTML, JavaScript and related technologies, the nasty and undocumented stuff, dozens of new attack techniques straight from the laboratory of horrors of those maintaining the HTML5 Security Cheatsheet. We’ll learn how to attack any web-application with either unknown legacy features – or the half-baked results coming to your browser from the labs of W3C, WHATWG and the ES6 mailing lists. Whether you want to attack modern web applications or shiny browser extensions and Chrome Packaged Apps – we have that covered.

Whoever works with or against the security of modern web applications will enjoy and benefit from this workshop. A bit of knowledge on HTML and JavaScript is required, but rookies and rocket scientists will be satisfied equally.

HTML is a living standard. And so is this workshop. The course material will be provided on-site and via access to a private GitHub repo, so all attendees will receive updated material even months after the actual training. All attendees are granted perpetual access to updated slides and material.

Speakers
Mario Heiderich

Mario Heiderich, handsome heart-breaker, bon-vivant and (as he loves to call himself) "security researcher" is from Berlin, likes everything between lesser- and greater-than, leads the small yet exquisite pen-test company called Cure53 and pesters peaceful attendees on various 5th tier conferences with his hastily assembled powerpoint-slides. Other than that, Mario is a very simple person and only parses three-word...


Tuesday May 19, 2015 09:00 - 17:00
Room D403 Amsterdam RAI

09:00

Hands on Web and REST Testing: Assessing Apps the OWASP way (Day 1)
The training will teach students how to identify, test, and exploit web application and REST vulnerabilities. The creator and project lead of the OWASP WTE (formerly the OWASP Live CD) will be the instructor for this course, and WTE will be a major component of the class. Through lecture, demonstrations, and hands-on labs, the session will cover the critical areas of web application security testing using the OWASP Testing Guide v3 as the framework and a custom version of OWASP WTE as the platform. Students will be introduced to a number of open source web security testing tools and provided with hands-on labs to sharpen their skills and reinforce what they've learned. Students will also receive a complimentary USB drive containing the custom WTE training lab, a copy of the OWASP Testing Guide, handouts and cheat-sheets to use while testing, plus several additional OWASP references. Demonstrations and labs will cover both common and esoteric web vulnerabilities and include topics such as Cross-Site Scripting (XSS), SQL injection, CSRF and REST API testing. Students are encouraged to continue to use and share the custom WTE lab after the class to further hone their testing skills.

Speakers
Matt Tesauro

Matt has been involved in information technology and application development for more than 10 years. His background in web application development and system administration helped bring a holistic focus to the Secure SDLC efforts he's driven. He has taught both graduate-level university courses and for large financial institutions. Matt has presented and provided training at various industry events including DHS Software Assurance...


Tuesday May 19, 2015 09:00 - 17:00
Room D407 Amsterdam RAI

09:00

Ruby on Rails – Auditing & Exploiting the Popular Web Framework (Day 1)
Day 1


  • Introduction

  • Ruby crash course – Structured introduction into the Ruby language specifics. This section will set the necessary basis for the rest of the training.

  • Bug Classes in Ruby – Common generic bug classes as well as Ruby specific issues will be introduced by example.

  • Introduction to Rails – A Ruby on Rails walk-through. On the way, the participants will learn the key features and usual as well as unusual patterns and techniques used in real-world applications.

  • The Rails Framework itself – In this section of the training, the participants will gain insight into the Rails framework itself, how it is designed, and where to look for each feature's implementation. Along with this, past vulnerabilities within the Rails framework will be explained and elaborated.

  • Real-world Apps hands-on – Day 1 closes with a hands-on session on various real-world applications.


Day 2


  • Rails Vulnerabilities – Day 2 will be all about Rails vulnerabilities. The common OWASP Top 10 style issues will be explained in Rails style and, of course, Rails-specific flaws will be introduced and exploited in hands-on sessions. Various payloads for successful exploitation, ranging from simple info leaks to a full-blown in-memory backdoor, will be introduced to the participants.

  • Final Ruby on Rails Wargame – Day 2 closes with a Ruby on Rails wargame, where the participants can compete in hacking several Rails based challenges and use the skills learned the past two days.


This training is meant for:


  • Web App hackers – who want to audit/assess/break Ruby on Rails apps.

  • Professional Pentesters – who’d like to find more subtle issues on RoR assessments.

  • Ruby on Rails developers – who want to code more securely and get another point of view on RoR.

  • Everyone else – who is interested in RoR security and exploitation.


Objectives and Outcomes

After the training the participants will be able to assess, audit and exploit Ruby on Rails applications. This includes knowledge about the inner workings of the framework itself as well as a set of decent payloads for practical demonstration of vulnerabilities.

Required Skills

The training will cover most of the basics needed in order to audit and assess Ruby on Rails applications. However, some intermediate programming skills in any language are required. Additionally, basic (web) application security skills are required for this training.

Speakers
Joern Schneeweisz

Recurity Labs GmbH
Joern Schneeweisz is a Security Consultant over at Recurity Labs by day. As finding bugs ~8 hrs a day is not enough for him, he digs for bugs in Ruby on Rails apps in his spare time as well. He can thus look back on almost 5 years of bug hunting in both Ruby on Rails applications and the framework itself. Talk to me about everything which is Ruby on Rails security related, of course. Other topics of interest are: Web...


Tuesday May 19, 2015 09:00 - 17:00
Room D401 Amsterdam RAI

09:00

Secure Java Coding (Day 1)
Toreon proposes a 2-day, trainer-led, on-site, secure Java coding course. This course includes a preliminary exam before the course. Following a successful exam at the end of the course (passing grade defined at 70%) each student will receive a certificate for successful completion of the course.
The training material and online lab environment are provided by our partner AppSec Labs. Toreon provides two experienced trainers, Sebastien Deleersnyder and Steven Wierckx.

This training has been provided to hundreds of developers around the world and we have received great feedback on the course, its content and the proposed trainers.

Speakers
Sebastien Deleersnyder

Sebastien Deleersnyder is Co-founder & managing partner application security at Toreon.com. Sebastien has helped various companies improve their ICT-, Web- and Mobile Security, including BNP Paribas Fortis, Atos Worldline, KBC, Nationale Nederlanden (ING), Isabel, Fluxys, OLAF, EU Council, TNT Post, Flemish Community, Agfa-Gevaert and ING Insurance International. Sebastien is the Belgian OWASP Chapter Leader, co-project leader of the...
Steven Wierckx

Steven Wierckx is an application security expert and trainer at Toreon.com. Steven is a software and security tester with 15 years of experience in programming, training, security testing, source code review, test automation, functional and technical analysis, development and database design. Steven has a passion for web application security and writes articles for several professional magazines on that topic. He has spoken at the...


Tuesday May 19, 2015 09:00 - 17:00
D408 Amsterdam RAI

09:00

Web Service and Single Sign-On Security (Day 1)
Web Services and Single Sign-On belong to the group of the most important Internet technologies. However, in recent years it has been shown that these technologies allow for serious attacks. The attacks take advantage of XML complexity and make it possible to read data from secured servers, authenticate as an arbitrary user in Single Sign-On scenarios, or decrypt confidential data.
In this training, we will give an overview of the most important Web Service and Single Sign-On specific attacks. Participants will get the opportunity to carry out these attacks in a prepared virtual machine. The attacks will first be tested manually (e.g., with soapUI) in order to get a feeling for them. Subsequently, we will present our penetration testing tool WS-Attacker, which will be used to execute the presented attacks automatically. For each of the attacks, countermeasures will be discussed, and it will be shown how to deploy them on widely used systems and firewalls, including IBM DataPower or Axway.

Speakers
Christian Mainka

Security Consultant, Hackmanit GmbH
Christian Mainka is a PhD student at the Ruhr University Bochum, Chair for Network and Data Security. Since 2009 he has focused on XML and Web Services technologies, develops his penetration testing tool WS-Attacker, and has published several papers on XML security related topics at scientific workshops and conferences. Nowadays, the tool contains a large collection of specific attacks which can be automatically applied to SOAP-based...
Juraj Somorovsky

Dr. Juraj Somorovsky finished his PhD in the area of XML Security in 2013. In his thesis "On the Insecurity of XML Security" he analyzes various attacks on Web Services and presents practical countermeasures against these attacks, which were applied in XML Security specifications and in countless frameworks and applications. He has presented his work at many scientific and industry conferences, including USENIX Security and OWASP...


Tuesday May 19, 2015 09:00 - 17:00
Room D404 Amsterdam RAI

09:30

Project Review Task Force - Project Reviews 2014-2015 Results
Project Reviews 2014-2015 Results

Tuesday May 19, 2015 09:30 - 10:30
E104

09:30

Hackademics: Wiki page rewrite, documentation review
Greek, French translation: We are currently implementing an internationalization feature using I18n, which should be ready for our v2.0 release. Our goal is to translate the strings present in the platform into French and Greek (since it's already in English, and French and Greek are the only other languages the core contributors, and most likely the participants, speak). There are approximately 300 strings in the platform. Participants willing to help are gladly welcome.

Tuesday May 19, 2015 09:30 - 11:30
E103

10:00

OWASP OWTF Introduction for GSOC Students
The OWTF project has seen more than 8 GSoC projects being merged into the master branch over the past couple of years. We want to introduce the students to the program.

• Quick presentation of OWASP OWTF and some of its GSoC projects
• What did GSoC offer over the past 3 years?
• Current ideas for GSoC 2015
• Brainstorm about new ideas for GSoC 2015

We expect to introduce students to OWTF and how GSoC would be a valuable experience for them.

Tuesday May 19, 2015 10:00 - 12:00
E103

10:00

University Challenge
The University Challenge is a competition among teams composed of university students that will be held on 19 and 20 May 2015, during the training days of the conference. There is no admission fee for the University Challenge – participation in the conference is possible at the student rate if applicable. During the University Challenge, teams will defend a vulnerable web application while solving Capture The Flag type challenges.

Tuesday May 19, 2015 10:00 - 18:00
Room E102 Amsterdam RAI

10:20

OWASP ASVS
• Discuss issues around practitioners consuming ASVS in their consultancies
• Discuss how to improve adoption by development teams
• Live resolution of outstanding issues in ASVS GitHub
• Live QA of 2.1
• Early planning of ASVS v3.0

Tuesday May 19, 2015 10:20 - 10:50
E104

10:30

OWASP Codes of Conduct: Document Review
The current Codes of Conduct were developed primarily during the last major OWASP Summit in Portugal. They cover: Government Bodies, Educational Institutions, Standards Groups, Trade Organizations, Certifying Bodies, and Development Organizations. This 1.5 hour session will review, edit, update and release v1.2 of each document. Participants should be interested in how external entities can be encouraged to support OWASP's mission, read the existing Codes of Conduct in advance, and come with suggestions for changes.

• Introduction
• Joint review and edit (15 mins each document)
• Publish updated documents to wiki (PDF and Word).

Project website: https://www.owasp.org/index.php/OWASP_Codes_of_Conduct

Tuesday May 19, 2015 10:30 - 12:00
E104

12:00

OWASP OWTF Open Forum
Two ex-GSoC students are available to speak about their experience with OWTF and GSoC.

• How did we hear about GSoC?
• Why did we choose OWTF?
• How did we contact the project leader?
• What is a proposal?
• How hard was it? How much time did it take?
• What did GSoC give us back?

We expect to share our experiences with possible future GSoC students and help them better understand what it can offer.

Tuesday May 19, 2015 12:00 - 13:00
E103

13:00

AppSensor (Documentation): Guide Review
The AppSensor Guide v2 was published in May last year and has had two minor updates, the last one mainly due to the important release of the v2 code implementation. This session is to edit and improve the guide, since many of the chapters have not been fully reviewed. Participants should read a chapter or two in advance of the summit (chapter 5 onwards, but choose randomly or whatever is of interest) and bring their edits/comments to the session, where the guide will be updated. All participants will be acknowledged in the guide and on the project wiki page.

• Briefing
• Live editing
• Publication of updated PDF.

The latest version of the guide is at: https://www.owasp.org/index.php/File:Owasp-appensor-guide-v2.doc

Tuesday May 19, 2015 13:00 - 15:00
E103

14:00

OWASP OWTF Wiki Review
Because OWTF has grown really fast in the past years, some parts of the wiki might be out of date even though we worked hard to update it.

• Proof-read the wiki
• Reproduce the steps described in the wiki
• Find the out-dated information
• Remove/update it

We expect to have an up-to-date wiki by the end of this session, or at least a list of known out-of-date information.

Tuesday May 19, 2015 14:00 - 17:00
E103

14:00

Hackademics: Greek, French translation
Tuesday May 19, 2015 14:00 - 17:30
E103/104 Amsterdam RAI

14:30

OWASP ASVS
• Discuss issues around practitioners consuming ASVS in their consultancies
• Discuss how to improve adoption by development teams
• Live resolution of outstanding issues in ASVS GitHub
• Live QA of 2.1
• Early planning of ASVS v3.0

Tuesday May 19, 2015 14:30 - 17:30
E104

15:00

OWASP Knowledge Based Authentication Performance Metrics Project
Open discussion of the KBA-PMP project:

• Why does the industry need a KBA standard?
• How is KBA used by different service providers around the world?
• KBA pentest experiences
• Is dynamic KBA more secure than static KBA?
• Legal and technical challenges of dynamic KBA
• Legal and technical challenges of remote identity proofing and KBA
• The new ground of identity, security, privacy and governance, and the role of KBA in each

Tuesday May 19, 2015 15:00 - 19:00
E104

15:30

Snakes and Ladders: Dutch Translation
OWASP Snakes & Ladders (web applications) has already been translated into 5 other languages, and Portuguese is in progress. But so far not Dutch. This rapid session will ask participants to translate the 900 or so words into Dutch, so that a PDF and Adobe Illustrator version can be created. It will also be possible to help remotely, as it will be set up on Crowdin.

• Meet
• Translate
• Create Illustrator and PDF output
• Publish.

Project website: https://www.owasp.org/index.php/OWASP_Snakes_and_Ladders


Tuesday May 19, 2015 15:30 - 16:30
E104

18:00

AppSec EU Bug Bash

Bugcrowd is proud to host the AppSec EU Bug Bash – a bug bounty hackathon where cash bounties will be awarded to those who discover vulnerabilities in companies such as Heroku, Indeed, Blackphone, and more.

We’ll be rewarding the best bug each night with an Apple Watch, so make sure to bring your laptop for some hacking! Note: You must be physically present at the event for a chance to win the watch.

Join us (6-11:30PM) both nights (May 19 & 20):

  • Learn how Bugcrowd simplifies the disclosure process for security teams.
  • Hack on public websites like Pinterest, Western Union, and Indeed to find and disclose security vulnerabilities!
  • BRING YOUR LAPTOP! Hack with some of the best application security talent on the planet.
  • Compete for cash and swag prizes! Earn money for Team OWASP!
  • The best bug EACH NIGHT will earn an Apple Watch!

Drinks and food will be provided, so bring your laptop and your appetite!

You do not need a conference badge to attend this event; however, space is limited, so please pre-register here: http://bgcd.co/appsecEU


Speakers
Jonathan Cran

With over 10 years of experience in network and application security, Jonathan began his career working as a penetration tester and quickly advanced to build Rapid7's world class security assessment team. From there he spearheaded the quality assurance program for Metasploit, the world's largest OSS Ruby project and a critical mechanism for security assessment. In 2012, Cran joined physical and mobile security startup...


Tuesday May 19, 2015 18:00 - 23:30
Room E102 Amsterdam RAI
 
Wednesday, May 20
 

08:30

Registration
Please check in to pick up your registration packet.

Wednesday May 20, 2015 08:30 - 09:00
Ground Floor Amsterdam RAI

09:00

University Challenge - Registration
Teams to register.

Wednesday May 20, 2015 09:00 - 10:00
Room E102 Amsterdam RAI

09:00

Cornucopia: Video
The objective is to create a short "how to play the Cornucopia card game" video during this half-day session. Cornucopia is a card game that helps identify security requirements, but people may not be familiar with how easy it is to get started. Participants for this session are needed to be players, to create a narrative, to video the game being played, and if there is time and anyone has the skill, to edit the video and sound into a release version. It is preferable if participants are already a little familiar with the game and/or threat modelling. If there is time, we will also discuss alternative game strategies like a Jeopardy format.

• Storyboarding
• Game play recording
• Editing
• Soundtrack
• Publish video.

Project website: https://www.owasp.org/index.php/OWASP_Cornucopia

Wednesday May 20, 2015 09:00 - 12:00
E104

09:00

Android App Hacking - Internet Banking Edition

Android App Hacking is a one-day course on learning Android application security assessment based on the "OWASP Top 10 Mobile Risks". This hands-on training is designed around a dummy internet banking application which contains vulnerabilities that were observed by the trainer during his daily application security assessments. This dummy internet banking application has features such as adding a beneficiary account, fund transfer, viewing statements, OTP, PIN sign-in, etc. to provide attendees with a real-world application scenario.

Attendees will get familiar with following topics during the class:

  • Crash course on the Android application permission model, APK file architecture and setting up the emulator
  • Reversing the APK file package
  • Investigating app permissions through manifest file
  • Understanding, patching and runtime debugging smali code
  • Importing SSL certificates and bypassing SSL pinning
  • Intercepting traffic and network activity monitoring
  • Exploring local data store
  • Analyzing system logs
  • Understanding components such as content provider, broadcast receiver and activity
  • Classification of vulnerabilities based on “OWASP Top 10 Mobile Risks”

Speakers
Aditya Modha

Aditya Modha is a Senior Security Analyst at Lucideus Tech focused on web and mobile application security assessment. Prior to joining Lucideus, he was a Principal Security Analyst at Net-Square Solutions. He is a computer science graduate and a Microsoft Certified Technology Specialist. He has carried out security assessments of more than 200 web and mobile applications including core banking solutions and middleware applications...


Wednesday May 20, 2015 09:00 - 17:00
D503 Amsterdam RAI

09:00

Bootstrap and improve your SDLC with OpenSAMM
Building security into the software development and management practices of a company can be a daunting task. There are many elements to the equation: company structure, different stakeholders, technology stacks, tools and processes, and so forth.
Implementing software assurance can have a significant impact on the organisation. Yet trying to achieve this without a good framework will most likely lead to only marginal and unsustainable improvements. OWASP OpenSAMM gives you a structured and measurable framework to do just that.
It enables you to formulate and implement a strategy for software security that is tailored to the risk profile of your organisation.

The goal of this one-day training, which is conceived as a mix of training and workshop, is for the participants to get a more in-depth view on and practical feeling of the OpenSAMM model.
The training is set up in three different parts.

In the first part, an overview of the OpenSAMM model is presented and the similarities and differences with other similar models are explained. The different domains (governance, construction, verification, deployment), their activities and their relations are explained. Furthermore, the different constituent elements (e.g., metrics) are discussed and the overall usage scenarios of the model are explained.

Next, approximately half a day will be spent on an actual OpenSAMM evaluation of your own organisation (or one that you have worked for). We will go through an evaluation of all the OpenSAMM domains and discuss the results in the group. This will give all participants a good indication of the organisation's maturity with respect to software assurance. In the same effort, we will define a target model for your organisation and identify the most important challenges in getting there.

The final part of the training will be dedicated to specific questions or challenges that you are facing with respect to secure development in your organisation. In this group discussion, experience between the different participants will be shared to address these questions.

In case you haven’t started a secure software initiative in your organisation yet, this training should provide you with the necessary foundations and ideas to do so. Be prepared for a highly effective and applicable treatment of this large domain! And in case you would be concerned about confidentiality issues, we adhere to the Chatham House Rule.
After the conference the OpenSAMM project team comes together for their first OpenSAMM summit in Cambridge.
If you want to contribute to this flagship project, stay and join us at the summit. More details on www.opensamm.org.

Speakers
Bart De Win

Bart De Win has over 15 years of experience in software security. He has an extensive background in the field, including his Ph.D. and research work on methods and techniques for software protection. Since 2009, Bart has been responsible for all application security services within Ascure & PwC Belgium. He has extensive project experience in software testing and in assisting companies improving their secure software...


Wednesday May 20, 2015 09:00 - 17:00
D502 Amsterdam RAI

09:00

Building Secure Single Page Applications
Single page web applications with a RESTful backend have profoundly changed the way web applications are developed, and are making their way onto mobile platforms as well. In this course, attendees will gain hands-on experience with the popular AngularJS framework. Throughout the course, we will use a realistic example application to discover the specifics of single page applications, potential security issues and effective countermeasures. Concretely, the course will cover the following topics:


  • Single page application architecture and basic concepts (templating, routing, controllers,…)

  • Authentication and authorization with a stateless RESTful backend

  • Applying well-known security practices in a single page application (XSS, CSRF,…)

  • Communication with third-party APIs and continuously updated information

  • Client-side data storage, offline operations and mobile applications

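The stateless pattern named in the topic list above, as an added Python example that is not code from the course or from AngularJS: the backend mints an HMAC-signed bearer token, verifies it on every call (checking the MAC before decoding claims and rejecting expired tokens), and defends state-changing requests against CSRF by carrying the token only in the Authorization header and checking the Origin. The secret, the allowed origin, the role names and the request dictionaries are all constructed for the example.

```python
import base64
import hashlib
import hmac
import json

# Constructed server-side secret; in practice a random key that never reaches the client bundle.
SECRET = b"constructed-server-secret"
# Constructed allow-list of origins the single page application is served from.
ALLOWED_ORIGINS = {"https://app.example"}


def b64url(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def unb64url(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(user, roles, now, ttl=900):
    """Mint a stateless bearer token: base64url(claims) '.' base64url(HMAC-SHA256 over the claims)."""
    claims = {"sub": user, "roles": roles, "exp": now + ttl}
    body = b64url(json.dumps(claims, separators=(",", ":")).encode())
    mac = b64url(hmac.new(SECRET, body.encode(), hashlib.sha256).digest())
    return body + "." + mac


def verify_token(token, now):
    """Return the claims, or None. The MAC is checked before the claims are decoded,
    and an expired token is rejected even when its MAC is valid."""
    parts = token.split(".")
    if len(parts) != 2:
        return None
    body, mac = parts
    expected = b64url(hmac.new(SECRET, body.encode(), hashlib.sha256).digest())
    if not hmac.compare_digest(mac, expected):
        return None
    try:
        claims = json.loads(unb64url(body))
    except (ValueError, UnicodeDecodeError):
        return None
    if claims.get("exp", 0) <= now:
        return None
    return claims


def forge_claims(token, **changes):
    """What a client can do with the token it holds: rewrite the claims and reuse the old MAC.
    verify_token() must reject the result."""
    body, mac = token.split(".")
    claims = json.loads(unb64url(body))
    claims.update(changes)
    return b64url(json.dumps(claims, separators=(",", ":")).encode()) + "." + mac


def authorize(request, now, required_role):
    """Gate one REST call. request is a dict {'method': str, 'headers': dict}.
    The token travels in the Authorization header, which the browser never attaches on its
    own, so a cross-site form post carries no credential; the Origin check on state-changing
    methods is the second line of CSRF defence."""
    headers = request["headers"]
    auth = headers.get("Authorization", "")
    if not auth.startswith("Bearer "):
        return 401, "missing bearer token"
    claims = verify_token(auth[len("Bearer "):], now)
    if claims is None:
        return 401, "invalid or expired token"
    if request["method"] not in ("GET", "HEAD", "OPTIONS"):
        if headers.get("Origin") not in ALLOWED_ORIGINS:
            return 403, "cross-origin request refused"
    if required_role not in claims.get("roles", []):
        return 403, "insufficient role"
    return 200, claims["sub"]
```

The token is deliberately not stored in a cookie: a cookie would be sent automatically by the browser and would reintroduce CSRF. Where the SPA keeps the token in client-side storage, XSS becomes the way to steal it, which is why the course treats XSS and CSRF together.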

Attendees are expected to bring a laptop with VirtualBox installed to participate in the lab sessions.

Speakers
PD

Philippe De Ryck

Philippe De Ryck is a postdoctoral researcher with the iMinds-DistriNet research group at KU Leuven, Belgium, where he obtained his PhD on client-side web security. He has recently published a book titled Primer on Client-Side Web Security, which focuses on the state of practice and state of the art in client-side web security. Philippe is responsible for the web security modules in the secure software curriculum at the university... Read More →


Wednesday May 20, 2015 09:00 - 17:00
D504 Amsterdam RAI

09:00

Checking SSL/TLS in Practice
SSL/TLS as used today has more and more problems, and it is difficult to understand what their root causes are, how to detect them, and finally how to avoid or fix them.
This training will give a brief introduction to SSL: how it works, the known problems in the protocol and in the PKI it relies on, and the known vulnerabilities and potential attacks, together with tools to check for these issues. The main focus will be on SSL as used in HTTPS; other usages, e.g. SSL for SMTP, form a small subset. As a round-up there will be recommendations on how to configure SSL securely.

Speakers
AH

Achim Hoffmann

Starting with Linux/network security in the nineties, Achim Hoffmann has been working in web application security for more than 12 years. After working as a web application developer for several years, he concentrated on web application security as his major subject in different roles: penetration testing, SCA and giving security workshops. He is author, co-author and maintainer of various... Read More →


Wednesday May 20, 2015 09:00 - 17:00
D501 Amsterdam RAI

09:00

Assessing and Exploiting Web Apps with SamuraiWTF (Day 2)
Come take the official Samurai-WTF (Web Testing Framework) training course given by one of the founders and lead developers of the project! You will learn the latest Samurai-WTF open source tools and the latest manual techniques to perform an end-to-end penetration test. After a quick overview of pen testing methodology, the instructors will lead you through the process of testing and exploiting web applications, including client side attacks using flaws within the application. We will introduce you to the best open source tools currently available, and teach you how these tools integrate with the manual testing techniques. One of the major goals in this course is teaching you the glue that keeps all these techniques and tools together to successfully perform a pentest from beginning to end, which is overlooked in most web pentesting courses.

The majority of the course will be an instructor-led, hands-on penetration test. We don't give you a list of overly simplistic steps to go and do in the corner. Instead, at each stage of the test we present the goals that each testing task is to accomplish and perform the pentest along with you on the projector while you are doing it on your own machine. The primary emphasis of these instructor-led exercises is how to integrate these tools into your own manual testing procedures to improve your overall workflow. At the end of the course, you will be challenged with a capture-the-flag event to apply your new skills and knowledge. We will also send you home with several additional vulnerable web apps to practice your new skills at your own pace and experiment with your favorite new tools. This experience will help you gain the confidence and knowledge necessary to perform web application assessments and expose you to the wealth of freely available, open source tools.

Speakers
avatar for Justin Searle

Justin Searle

Justin Searle is a Managing Partner of UtiliSec, specializing in Smart Grid security architecture design and penetration testing. Justin led the Smart Grid Security Architecture group in the creation of NIST Interagency Report 7628 and played key roles in the Advanced Security Acceleration Project for the Smart Grid (ASAP-SG). He currently leads the testing group at the National Electric Sector Cybersecurity Organization Resources (NESCOR... Read More →


Wednesday May 20, 2015 09:00 - 17:00
Room D402 Amsterdam RAI

09:00

Enterprise Business Application Security: Attack and Defense (Day 2)
This training will cover basic and advanced areas of ERP and business application security. You will understand the architecture of typical business application systems and how every single component of those systems can be penetrated. The course will include live demos and hands-on exercises covering business applications from vendors such as SAP, Oracle and Microsoft.

Big businesses depend on enterprise business applications more than ever before. These enormous systems store and process all of a company's critical data. Any information an attacker might want, be it a cybercriminal, an industrial spy or a competitor, is stored here: financial, customer and public relations data, intellectual property, personally identifiable information and more. Industrial espionage, sabotage and insider embezzlement are a reality today, and for an attacker what could be more effective than targeting the victim's business application systems and inflicting severe damage? These applications come in different types, such as ERP, CRM, SRM, XI, BI and ESB. Some of them store data and some, like an Enterprise Service Bus, exist to transfer critical data.
Unfortunately, there is minimal information about the security of those systems, both on how to break them during penetration tests and on how to configure them securely. Most public research has focused on SAP ERP applications, but we will additionally cover other software such as Oracle PeopleSoft, Oracle EBS, Oracle JD Edwards, Microsoft Dynamics, etc.

Speakers
DC

Dmitry Chastuhin

Dmitry Chastuhin, Director of Security Consulting at ERPScan. Dmitry works on SAP security, particularly on web applications, Java, HANA and mobile solutions. He has official acknowledgements from SAP for the vulnerabilities he found. Dmitry is also a Web 2.0 and social network security geek and bug bounty hunter who found several critical bugs in Google, Nokia and Badoo. He is a contributor... Read More →
AT

Alexey Tuyrin

He holds a PhD in computer security. He is the director of the Oracle Security department and has tremendous hands-on experience in penetration testing projects on different business systems such as ERPs, banking software and virtual infrastructure. Co-author of the "SAP Security in Figures 2011" research. He is the main developer of ERPScan free tools such as "ERPScan Pentesting Tool" and "ERPScan XXE Scanner". Famous for his groundbreaking research of... Read More →


Wednesday May 20, 2015 09:00 - 17:00
Room D406 Amsterdam RAI

09:00

Exploiting Websites by using offensive HTML, SVG, CSS and other Browser-Evil (Day 2)
More and more web applications delegate business logic to the client. HTML.next, JavaScript, SVG, Canvas, ES6, AngularJS and ReactJS are just some of the terms that describe the contents of the modern web stack. But what does the attack surface look like for those? What if there are no GET parameters anymore that our scanners can tamper with? What can we do when the server just delivers raw data and the rest is done by the browser? Classic web pentests are "so nineties" in this realm, and keeping pace with progress is getting harder and harder.

But there is hope. The focus of this workshop is on the offensive and dangerous parts of HTML, JavaScript and related technologies, the nasty and undocumented stuff, dozens of new attack techniques straight from the laboratory of horrors of those maintaining the HTML5 Security Cheatsheet. We’ll learn how to attack any web-application with either unknown legacy features – or the half-baked results coming to your browser from the labs of W3C, WHATWG and the ES6 mailing lists. Whether you want to attack modern web applications or shiny browser extensions and Chrome Packaged Apps – we have that covered.

Whoever works with or against the security of modern web applications will enjoy and benefit from this workshop. A bit of knowledge on HTML and JavaScript is required, but rookies and rocket scientists will be satisfied equally.

HTML is a living standard, and so is this workshop. The course material will be provided on-site and via access to a private GitHub repo, so all attendees will receive updated material even months after the actual training. All attendees are granted perpetual access to updated slides and material.

Speakers
avatar for Mario Heiderich

Mario Heiderich

Mario Heiderich, handsome heart-breaker, bon-vivant and (as he loves to call himself) "security researcher" is from Berlin, likes everything between lesser- and greater-than, leads the small yet exquisite pen-test company called Cure53 and pesters peaceful attendees on various 5th tier conferences with his hastily assembled powerpoint-slides. Other than that, Mario is a very simple person and only parses three-word... Read More →


Wednesday May 20, 2015 09:00 - 17:00
Room D403 Amsterdam RAI

09:00

Hands on Web and REST Testing: Assessing Apps the OWASP way (Day 2)
The training will teach students how to identify, test, and exploit web application and REST vulnerabilities. The creator and project lead of the OWASP WTE (formerly the OWASP Live CD) will be the instructor for this course and WTE will be a major component of the class. Through lecture, demonstrations, and hands-on labs, the session will cover the critical areas of web application security testing using the OWASP Testing Guide v3 as the framework and a custom version of OWASP WTE as the platform. Students will be introduced to a number of open source web security testing tools and provided with hands-on labs to sharpen their skills and reinforce what they've learned. Students will also receive a complimentary USB drive containing the custom WTE training lab, a copy of the OWASP Testing Guide, handouts and cheat-sheets to use while testing plus several additional OWASP references. Demonstrations and labs will cover both common and esoteric web vulnerabilities and include topics such as Cross-Site Scripting (XSS), SQL injection, CSRF and REST API testing. Students are encouraged to continue to use and share the custom WTE lab after the class to further hone their testing skills.

Speakers
avatar for Matt Tesauro

Matt Tesauro

Matt has been involved in information technology and application development for more than 10 years. His background in web application development and system administration helped bring a holistic focus to the Secure SDLC efforts he has driven. He has taught both graduate-level university courses and for large financial institutions. Matt has presented and provided training at various industry events including DHS Software Assurance... Read More →


Wednesday May 20, 2015 09:00 - 17:00
Room D407 Amsterdam RAI

09:00

Ruby on Rails – Auditing & Exploiting the Popular Web Framework (Day 2)
Day 1


  • Introduction

  • Ruby crash course – Structured introduction into the Ruby language specifics. This section will set the necessary basis for the rest of the training.

  • Bug Classes in Ruby – Common generic bug classes as well as Ruby specific issues will be introduced by example.

  • Introduction to Rails – A Ruby on Rails walk-through. On the way, the participants will learn the key features and usual as well as unusual patterns and techniques used in real-world applications.

  • The Rails Framework itself – In this section of the training, the participants will get an insight on the Rails framework itself, how it is designed and where to look for which feature implementation. Along with this, past vulnerabilities within the Rails framework will be explained and elaborated.

  • Real-world Apps hands-on – Day 1 closes with a hands-on session on various real-world applications.


Day 2


  • Rails Vulnerabilities – Day 2 will be all about Rails vulnerabilities. The common OWASP Top 10 style issues will be explained in Rails style and, of course, Rails specific flaws will be introduced and exploited in hands-on sessions. Various payloads for successful exploitation ranging from simple info leaks to a fully blown in-memory backdoor will be introduced to the participants.

  • Final Ruby on Rails Wargame – Day 2 closes with a Ruby on Rails wargame, where the participants can compete in hacking several Rails based challenges and use the skills learned the past two days.


This training is meant for:


  • Web App hackers – who want to audit/assess/break Ruby on Rails apps.

  • Professional Pentesters – who’d like to find more subtle issues on RoR assessments.

  • Ruby on Rails developers – who want to code more securely and get another point of view on RoR.

  • Everyone else – who is interested in RoR security and exploitation.


Objectives and Outcomes

After the training the participants will be able to assess, audit and exploit Ruby on Rails applications. This includes knowledge about the inner workings of the framework itself as well as a set of decent payloads for practical demonstration of vulnerabilities.

Required Skills

The training will cover most of the basics needed in order to audit and assess Ruby on Rails applications. However some intermediate programming skills in any language are required. Additionally basic (web) application security skills are required for this training.

Speakers
JS

Joern Schneeweisz

Recurity Labs GmbH
Joern Schneeweisz is a Security Consultant at Recurity Labs by day. As finding bugs for about 8 hours a day is not enough for him, he digs for bugs in Ruby on Rails apps in his spare time as well. He can look back on almost 5 years of bug hunting in both Ruby on Rails applications and the framework itself. Talk to me about everything that is Ruby on Rails security related, of course. Other topics of interest are: Web... Read More →


Wednesday May 20, 2015 09:00 - 17:00
Room D401 Amsterdam RAI

09:00

Secure Java Coding (Day 2)
Toreon proposes a 2-day, trainer-led, on-site, secure Java coding course. This course includes a preliminary exam before the course. Following a successful exam at the end of the course (passing grade defined at 70%) each student will receive a certificate for successful completion of the course.
The training material and online lab environment are provided by our partner AppSec Labs. Toreon provides two experienced trainers, Sebastien Deleersnyder and Steven Wierckx.

This training has been provided to hundreds of developers around the world and we have received great feedback on the course, its content and the proposed trainers.

Speakers
avatar for Sebastien Deleersnyder

Sebastien Deleersnyder

Sebastien Deleersnyder is Co-founder & managing partner application security at Toreon.com. Sebastien has helped various companies improve their ICT-, Web- and Mobile Security, including BNP Paribas Fortis, Atos Worldline, KBC, Nationale Nederlanden (ING), Isabel, Fluxys, OLAF, EU Council, TNT Post, Flemish Community, Agfa-Gevaert and ING Insurance International. Sebastien is the Belgian OWASP Chapter Leader, co-project leader of the... Read More →
SW

Steven Wierckx

Steven Wierckx is an application security expert and trainer at Toreon.com. Steven is a software and security tester with 15 years of experience in programming, training, security testing, source code review, test automation, functional and technical analysis, development and database design. Steven has a passion for web application security and writes articles on that topic for several professional magazines. He has spoken at the... Read More →


Wednesday May 20, 2015 09:00 - 17:00
D408 Amsterdam RAI

09:00

Web Service and Single Sign-On Security (Day 2)
Web Services and Single Sign-On belong to the most important Internet technologies. However, in recent years it has been shown that these technologies allow for serious attacks. The attacks take advantage of the complexity of XML and make it possible to read data from secured servers, authenticate as an arbitrary user in Single Sign-On scenarios, or decrypt confidential data.
In this training, we will give an overview of the most important Web Service and Single Sign-On specific attacks. Participants will get the opportunity to carry out these attacks in a prepared virtual machine. The attacks will be first tested manually (e.g., with soapUI), in order to get a feeling for the attacks. Subsequently, we will present our penetration testing tool WS-Attacker, which will be used to execute the presented attacks automatically. For each of the attacks, countermeasures will be discussed, and it will be shown how to deploy them on widely used systems and firewalls, including IBM Datapower or Axway.

Speakers
avatar for Christian Mainka

Christian Mainka

Security Consultant, Hackmanit GmbH
Christian Mainka is a PhD Student at the Ruhr University Bochum, Chair for Network and Data Security. Since 2009, he focuses on XML and Web Services technologies and develops his penetration testing tool WS-Attacker and has published several papers in the field of XML security related topics on scientific workshops and conferences. Nowadays, the tool contains a large collection of specific attacks, which can be automatically applied to SOAP-based... Read More →
JS

Juraj Somorovsky

Dr. Juraj Somorovsky finished his PhD in the area of XML Security in 2013. In his thesis „On the Insecurity of XML Security“ he analyzes various attacks on Web Services and presents practical countermeasures against these attacks, which were applied in XML Security specifications and in countless frameworks and applications. He presented his work at many scientific and industry conferences, including Usenix Security or OWASP... Read More →


Wednesday May 20, 2015 09:00 - 17:00
Room D404 Amsterdam RAI

09:30

Hackademics test coverage
Wednesday May 20, 2015 09:30 - 11:30
E103/104 Amsterdam RAI

09:30

OWASP Knowledge Based Authentication Performance Metrics: Project
Project review of the KBA standard contents with the project leaders and managers (Luis Enriquez, Ann Racuya-Robbins, Noreen Whysel). 15h00 – 18h00: open discussion of the OWASP Security Labeling system project proposal (secure code, privacy, ingredients, and openness labels). Should security become visible for normal users? Should OWASP consider providing labels and certifications? Expected audience: 20+ people.
  • Searching for interaction with other project leaders, and the board

Wednesday May 20, 2015 09:30 - 12:30
E104

10:00

OWASP OWTF Architecture Audit
During the past three years, OWTF has grown fast thanks to different GSoC projects, but the initial architecture is no longer suited to the project as it is today. In this session we will:

  • Identify the different elements of OWTF
  • Define the inter-dependencies
  • Estimate the accuracy of such dependencies
  • Remove unnecessary dependencies
  • Draw a better architecture for OWTF

We expect to have a draft of the next architecture, better suited to the needs of OWTF, by the end of this session.

Wednesday May 20, 2015 10:00 - 13:00
E104

10:00

OWASP ZAP Summit
The ZAP summit is aimed at existing and prospective ZAP developers and is an opportunity to discuss all aspects of ZAP development and future direction. It is not planned to include any training on how to use ZAP.

The exact topics discussed will be agreed between the attendees at the start of the day, but are expected to cover things like:

  • An introduction to ZAP and the attendees
  • A review of ZAP's perceived strengths and weaknesses
  • Discussions around the future direction of ZAP
  • Areas of ZAP that people find difficult to contribute to
  • Components of ZAP that attendees think need significant reworking
  • How to encourage more participation
  • Interworking with 3rd party tools
  • The opportunity to focus on specific areas of interest to the attendees


Wednesday May 20, 2015 10:00 - 16:30
E103

10:00

University Challenge
The University Challenge is a competition among teams comprised of university students that will be held on the 19 and 20 May 2015, during the training days of the conference. There is no admission fee for the University Challenge – participation in the conference is possible at the student rate if applicable. During the University Challenge teams will defend a vulnerable web application while solving Capture The Flag type challenges.

Moderators
Wednesday May 20, 2015 10:00 - 18:00
Room E102 Amsterdam RAI

13:30

AppSensor (Code): Dashboard

The AppSensor v2.0.0 code implementation final release was undertaken in January. One of the tasks to continue with is the development of a reporting dashboard. This session is to brainstorm ideas and layouts for the dashboard, and identify what tools/libraries can assist in the creation of the dashboard. Bring ideas, energy, URLs, paper and pens! The outputs will be dashboard mockups.

  • Introductions and objectives
  • Information requirements
  • User stories
  • Information design
  • Code libraries and frameworks

Code roadmap: https://www.owasp.org/index.php/OWASP_AppSensor_Project#tab=Road_Map_and_Getting_Involved
Microsite: http://www.appsensor.org/


Wednesday May 20, 2015 13:30 - 17:00
E104

14:00

Hackademics: Student performance metrics visualization
Currently, the platform gathers student performance metrics such as how long it took them to solve challenges, how many requests they made, how much time they spent idle, etc. However, the only way for a teacher to see the numbers is with database access. (The data is gathered for the advanced scoring functionality, but it is also very useful as performance analytics.) We plan to use graphing libraries to create interactive graphs that visualise student performance. It is a simple front-end feature which will improve the usability of the platform.

Wednesday May 20, 2015 14:00 - 17:30
E104

15:00

OWASP OWTF Hack It For Fun
The OWTF project is written in Python and we want to show how easy it is to hack on the code base. We propose a small workshop where the students customise OWTF the way they want:

  • Presentation of small code snippets
  • Customise the console output
  • Customise the web interface
  • Competition on implementing small features

We expect to show how easy it is for students to hack on the code base of OWTF. As a reward, the winners of the competition will be offered nice goodies :)

Wednesday May 20, 2015 15:00 - 17:00
E104

15:00

OWASP Knowledge Based Authentication Performance Metrics: Open discussion
Open discussion of the OWASP Security Labeling system project proposal (secure code, privacy, ingredients, and openness labels). Should security become visible for normal users? Should OWASP consider providing labels and certifications? Expected audience: 20+ people.
  •  Searching for interaction with other project leaders, and the board

Wednesday May 20, 2015 15:00 - 18:00
E104

17:00

Project Developments - The Good , The Bad and the Ugly: Open Forum with Project leaders
Forum discussion with project leaders and the Board (1 hour session):
  • Why is my project not moving forward?
  • What can be done to help improve my project?
  • How to improve the current situation of projects
  • How to improve the review process

Deliverables:

  • Collect information and create a report
  • Use the session results and see how can we implement them
  • Inform leaders about the actual process

Wednesday May 20, 2015 17:00 - 17:30
E104

17:00

OWASP Automated Threats to Web Applications Project
The OWASP Automated Threats to Web Applications Project is undertaking research and will publish its outputs immediately prior to AppSec EU 2015. This meeting seeks input from training and conference attendees on their own organisations' experiences of automated attacks:

• What types of automated attacks occur and with what frequency?
• What were the symptoms?
• How are they detected?
• What incident response measures were taken?
• What steps were undertaken to prevent or mitigate such attacks?

Participation/contribution can be anonymous or otherwise. The intention is to update the published documents during the session and if possible create additional sector-specific guidance.

Wednesday May 20, 2015 17:00 - 18:00
E104

18:00

AppSec EU Bug Bash

Bugcrowd is proud to host the AppSec EU Bug Bash – a bug bounty hackathon where cash bounties will be awarded to those who discover vulnerabilities in companies such as Heroku, Indeed, Blackphone, and more.

We’ll be rewarding the best bug each night with an Apple Watch, so make sure to bring your laptop for some hacking! Note: You must be physically present at the event for a chance to win the watch.

Join us (6-11:30PM) both nights: (May 19 & 20)

  • Learn how Bugcrowd simplifies the disclosure process for security teams.
  • Hack on public websites like Pinterest, Western Union, and Indeed to find and disclose security vulnerabilities!
  • BRING YOUR LAPTOP! Hack with some of the best application security talent on the planet.
  • Compete for cash and swag prizes! Earn money for Team OWASP!
  • The best bug EACH NIGHT will earn an Apple Watch!

Drinks and food will be provided, so bring your laptop and your appetite!

You do not need a conference badge to attend this event, however space is limited, please pre-register here: http://bgcd.co/appsecEU


Speakers
avatar for Jonathan Cran

Jonathan Cran

With over 10 years of experience in network and application security, Jonathan began his career working as a penetration tester and quickly advanced to build Rapid7’s world class security assessment team. From there he spearheaded the quality assurance program for Metasploit, the world’s largest OSS Ruby project and a critical mechanism for security assessment. In 2012, Cran joined physical and mobile security startup... Read More →


Wednesday May 20, 2015 18:00 - 23:30
Room E102 Amsterdam RAI

18:30

Happy hour with Project leaders
Wednesday May 20, 2015 18:30 - 19:30
TBA
 
Thursday, May 21
 

08:45

Opening ceremony
Speakers
avatar for Tobias Gondrom

Tobias Gondrom

OWASP Foundation Board Chair
Tobias Gondrom is CEO at Thames Stanley, a boutique Global CISO and Information Security & Risk Management Advisory operating in Asia and Europe. He has 15 years of experience in information security and risk management, software development, application security, cryptography and global standardization organizations, working for independent software vendors and large global corporations in the financial, technology and government... Read More →
avatar for Martin Knobloch

Martin Knobloch

Principal Consultant, Nixu
Martin is Principal Consultant at Nixu BeNeLux (https://www.nixu.com/en/nixubenelux). His main working area is (software) security in general, from awareness to implementation. In his daily work, he is responsible for education in application security matters, advice and implementation of application security measures. With his background in Java development, he understands the complexity of enterprise software development, Agile Scrum... Read More →


Thursday May 21, 2015 08:45 - 09:00
Room Forum Amsterdam RAI

09:00

50 Shades of AppSec

The AppSec industry is enormously diverse and it only continues to diverge as we put more software into more things with more connections. It's an industry that fluctuates between the sophisticated and the absurd, the intelligent and the primitive, the scary and the outright hilarious. There are valuable lessons to be taken away from these events and applied in our future security efforts.

In this talk, Troy is going to cover a broad spectrum of what’s happening in our industry – an entire 50 shades of it in only 45 minutes – and you’ll get a sense of just how challenging it’s becoming for those of us working in AppSec to keep ahead of the attacks. Troy will cover everything from the social aspects of hacking through to some of the more obscure attacks and the increasing challenges we have as defenders.


Speakers
avatar for Troy Hunt

Troy Hunt

Troy Hunt is an Australian Microsoft Most Valuable Professional for Developer Security and Author for Pluralsight — a leader in online training for technology and creative professionals. Troy has been building software for browsers since the very early days of the web and possesses an exceptional ability to distil complex subjects into relatable explanations. This has led Troy to become an industry thought leader in the security... Read More →


Thursday May 21, 2015 09:00 - 09:45
Room Forum Amsterdam RAI

09:45

Room switch
Thursday May 21, 2015 09:45 - 09:50
TBA

09:50

From Zero To Hero - Or How OWASP Saved My Holiday
Ok. You finally got your first big breach. Everybody knew it was only a question of when not if. So now your Exec Management team is pretty upset, your customers worried, your employees confused, your CEO has you on speed dial and you get the “pleasure” of daily and then weekly briefings on fixing everything and what you do to make sure this never happens again. So, review everything, lots of policies and SDLC to write. Forget your plans for a nice summer holiday next month. Or maybe not?
When setting up, managing and improving your global information security organisation, there are many mature OWASP projects and tools that can help you achieve cost-effective application security and bring it all together at the management level. This talk is a journey through different organisational stages and how OWASP tools help organisations move forward in improving their web and application security. It will discuss a number of quick wins and how to effectively manage global security initiatives and use OWASP tools inside your organisation.

Speakers
avatar for Tobias Gondrom

Tobias Gondrom

OWASP Foundation Board Chair
Tobias Gondrom is CEO at Thames Stanley, a boutique Global CISO and Information Security & Risk Management Advisory operating in Asia and Europe. He has 15 years of experience in information security and risk management, software development, application security, cryptography and global standardization organizations, working for independent software vendors and large global corporations in the financial, technology and government... Read More →


Thursday May 21, 2015 09:50 - 10:35
Room E103 Amsterdam RAI

09:50

HTTPS Is Better than Ever Before. Now It's Your Turn.
HTTPS/SSL/TLS has been under fire for years. BEAST, CRIME, POODLE, the inherent weaknesses of the CA system, problems with various versions of the protocol – and more – have left HTTPS less than satisfactory, at best, as a transport security protocol. However, there is hope. Recent enhancements in browsers have made encryption in transit over the web rigorous and "secure" for the first time in history. This talk will review the HTTPS protocol and describe how it works. Historical attacks and other legacy issues with HTTPS will be discussed. Most important, we will talk about what can be done today to ensure that your users have the most secure HTTPS experience possible, including OCSP (certificate status) stapling, ephemeral (forward-secret) cipher suites, browser- and mobile-based certificate pinning, and more. Various guidelines will be provided based on which browsers you need to support. 2015 is the year of GOOD HTTPS STANDARDS; now it's your turn to enhance the HTTPS posture of your websites!

Speakers

Jim Manico

Jim Manico is a Global Board Member for the OWASP foundation where he helps drive the strategic vision for the organization. Jim Manico is also the founder of Manicode Security where he trains software developers on secure coding and security engineering. He has an 18-year history building software as a developer and architect. Jim is a frequent speaker on secure software practices and is a member of the JavaOne rockstar speaker community...


Thursday May 21, 2015 09:50 - 10:35
E104&105 Amsterdam RAI

09:50

The Top 10 Web Hacks of 2014
Every year the security community produces a stunning number of new Web hacking techniques. Now in its 9th year, the Top 10 Web Hacking Techniques list encourages information and knowledge sharing and recognizes researchers who contribute excellent work. In this talk, we will do a technical deep dive and take you through the Top 10 Web Hacks of 2014, as picked by an expert panel of judges.

Speakers

Matt Johansen

Senior Manager, WhiteHat Security
Matt Johansen is a Sr. Manager for the Threat Research Center at WhiteHat Security where he manages a team of Application Security Specialists, Engineers and Supervisors to prevent website security attacks and protect companies' and their customers' data. Before this he was an Application Security Engineer where he oversaw and assessed more than 35,000 web applications that WhiteHat has under contract for many Fortune 500...

Jonathan Kuskos

Senior Application Security Engineer, WhiteHat Security
@JohnathanKuskos is a Manager for WhiteHat Security where he is charged with the expansion of their Belfast, Northern Ireland Threat Research Center. After personally hacking hundreds of web applications over several years he moved into a managerial role so that he could contribute to mentoring younger security engineers. Johnathan is extremely passionate about teaching and sharing the security knowledge he's attained. He's also an active bug...


Thursday May 21, 2015 09:50 - 10:35
Room E106 & E107 Amsterdam RAI

09:50

"Mac Hack Backup Attack - All Your Backed Up Passwords Belong To Us"
TBA

Speakers

Jonas "The Doctor" Magazinius

From Sweden, with a bag full of tricks… Jonas “The Doctor” Magazinius with “Mac Hack backup Attack – All your backed up passwords belong to us”


Thursday May 21, 2015 09:50 - 10:35
Room E102 Amsterdam RAI

09:50

Collective Detection Of Harmful Requests
During the presentation, two methods for identifying unusual behaviour of a web application's users will be presented and discussed. Typical signature-based methods rely on expert knowledge and on distributing updated signatures to the clients, offering limited protection against the newest (e.g. zero-day) threats.

The methods presented will aim at identifying typical and unusual behaviour patterns and unusual requests. Cooperation and exchange of information between servers will also be discussed.

Speakers

Marek Zachara

Marek Zachara graduated from Bristol University in 2000 and received his PhD in Computer Sciences in 2008 from AGH UST, Poland. For the last five years he has been involved in a number of research activities centered around simulation of certain aspects of human behavior and web applications' security. In Poland, together with SecuRing, he is often engaged in security assessment of banking software, and has also been involved in a...


Thursday May 21, 2015 09:50 - 10:35
Room E106 & E107 Amsterdam RAI

09:50

Mobile App Reverse Engineering And Code Modification

Over the last year, we’ve seen a profound rise in new attack vectors (Wirelurker and Masque) against mobile apps that involve reverse engineering mobile code followed by unauthorized runtime behavior modification. How are hackers reverse engineering mobile apps and injecting their own malicious code into them? It’s disturbingly easy and there are plenty of freely available and easy-to-use tools on the market to help the hacker along the way. In this hands on session, you will use laptops and iOS devices we provide to reverse engineer and modify code in an iOS app. We will guide you through each step.
Attendees are asked to bring their own laptop and a jailbroken device. A very limited number of jailbroken devices will be available.

Here’s a description of how to prepare for the workshop:


Speakers

Jonathan Carter

Application Security Strategist, Lending Club
Jonathan Carter is an application security professional with over 15 years of security expertise within Canada, United States, Australia, and England. As a Software Engineer, Jonathan produced software for online gaming systems, payment gateways, SMS messaging gateways, and other solutions requiring a high degree of application security. Jonathan's technical background in artificial intelligence and static code analysis has led...


Thursday May 21, 2015 09:50 - 12:40
E108 Amsterdam RAI

11:05

Hard Knock Lessons On Bug Bounties
Distilling 30,000 submissions down into lessons for bounty providers and testers alike, the presenter takes a data- and anecdote-driven approach to bug bounties. Ever wondered what type of bugs get submitted to a bug bounty? Ever pondered what types of bugs get rewarded? What happens if you submit a bug that's out of scope? Join us for a fun journey through the bug bounty world and walk away armed with insider knowledge. Attendees can expect to walk away giggling at ridiculous things that get submitted to bug bounties, and, at the same time, armed with a set of knowledge that provides them with an edge on the next guy.

Taking a story-riddled and data-driven approach to bug bounties, we'll address the following:
- what sort of submissions are being made
- what sort of submissions are being rewarded
- how much and how often are they being rewarded
- how can you find more bugs, and get paid, more quickly

Speakers

Jonathan Cran

With over 10 years of experience in network and application security, Jonathan began his career working as a penetration tester and quickly advanced to build Rapid7's world class security assessment team. From there he spearheaded the quality assurance program for Metasploit, the world's largest OSS Ruby project and a critical mechanism for security assessment. In 2012, Cran joined physical and mobile security startup...


Thursday May 21, 2015 11:05 - 11:50
Room E103 Amsterdam RAI

11:05

Client-Side Protection Against DOM-Based XSS Done Right
In this talk, we present an analysis of Chrome's XSS Auditor, in which we discovered 17 flaws that enable us to bypass the Auditor's filtering capabilities. We will demonstrate the bypasses and present a tool to automatically generate XSS attacks utilizing the bypasses.

Furthermore, we will report on a practical, empirical study of the Auditor's protection capabilities in which we ran our generated attacks against a set of several thousand DOM-based, zero-day XSS vulnerabilities in the Alexa Top 10.000. In our experiments, we were able to successfully bypass the XSS filter on the first try in over 80% of all vulnerable Web applications.

Finally, we present an alternative XSS filter design that reliably detects successful XSS attacks via client-side taint tracking in the JavaScript engine. Unlike the current approach, our filter does not rely on coarse approximation but on precise data flow information, which allows us to robustly stop DOM-XSS for good.

Speakers

Martin Johns

Research Expert, SAP SE
Dr. Martin Johns is a Research Expert in the Product Security Research unit within SAP SE, where he leads the Web application security team. Furthermore, he serves on the board of the German OWASP chapter. Before joining SAP, Martin studied Mathematics and Computer Science at the Universities of Hamburg, Santa Cruz (CA), and Passau. During the 1990s and the early years of the new millennium he earned his living as a software engineer in...

Sebastian Lekies

Sebastian Lekies is a PhD candidate at SAP and the University of Bochum. His main field of research is Web application security.

Ben Stock

Ben Stock is a third-year PhD student at the Friedrich-Alexander-University Erlangen-Nuremberg, focussing his research on client-side Web security. Ben is a published author at well-known academic conferences such as CCS, USENIX Security and AsiaCCS and a returning speaker to BlackHat and OWASP AppSec.


Thursday May 21, 2015 11:05 - 11:50
E104&105 Amsterdam RAI

11:05

OWASP ZAP: More Advanced Features
The Zed Attack Proxy (ZAP) is an OWASP Flagship project and the largest open source web application security tool measured by active contributors.
While it is an ideal tool for people new to appsec it also has many features specifically intended for advanced penetration testing.
In this talk Simon will give a quick introduction to ZAP and then talk about some of the latest changes that have been made, including features that will not have been presented at any other conference.

Speakers

Simon Bennetts

Security, Mozilla
Simon Bennetts has been developing web applications since 1997, and strongly believes that you cannot build secure web applications without knowing how to attack them. He is the OWASP Zed Attack Proxy Project Leader and works for Mozilla as part of the Cloud Security Team.


Thursday May 21, 2015 11:05 - 11:50
Room Forum Amsterdam RAI

11:05

Copy & Pest - A Case Study On The Clipboard, Blind Trust And Invisible Cross-Application XSS
Copy & Pest: a case study on the clipboard, blind trust and invisible cross-application XSS.

Speakers

Mario Heiderich

Mario Heiderich, handsome heart-breaker, bon-vivant and (as he loves to call himself) "security researcher" is from Berlin, likes everything between lesser- and greater-than, leads the small yet exquisite pen-test company called Cure53 and pesters peaceful attendees on various 5th tier conferences with his hastily assembled powerpoint-slides. Other than that, Mario is a very simple person and only parses three-word...


Thursday May 21, 2015 11:05 - 11:50
Room E102 Amsterdam RAI

11:05

Lessons From DevOps: Taking DevOps Practices Into Your AppSec Life
Bruce Lee once said "Don't get set into one form, adapt it and build your own, and let it grow, be like water".
AppSec needs to look beyond itself for answers to solving problems, since we live in a world of ever increasing numbers of apps. Technology and apps have invaded our lives, so how do you lead a security counter-insurgency? One way is to look at the key tenets of DevOps and apply those that make sense to your approach to AppSec. Something has to change, as the application landscape is already changing around us.
This keynote will cover several fundamental principles of DevOps, how they translate into AppSec programs, and real-world examples of where these principles were put into practice. The goal is to provide the audience with both the theoretical constructs to incorporate the best of DevOps into AppSec and concrete examples of the constructs being put to the test. Successes, failures and a few good laughs are on the table for this talk, which will hopefully force you to rethink the way you've been doing things.

Speakers

Matt Tesauro

Matt has been involved in information technology and application development for more than 10 years. His background in web application development and system administration helped bring a holistic focus to the Secure SDLC efforts he's driven. He has taught both graduate level university courses and for large financial institutions. Matt has presented and provided training at various industry events including DHS Software Assurance...


Thursday May 21, 2015 11:05 - 11:50
Room E106 & E107 Amsterdam RAI

11:50

Room switch
Thursday May 21, 2015 11:50 - 11:55
TBA

11:55

Maliciously Monetizing AppSec "Feature". It's All About The Money.
Although the most common attack techniques are SQLi, command injection, RFI and XSS, our research has found that some uncommon attack techniques are "profit driven", introducing attack sophistication by abusing application features or low-impact vulnerabilities such as comments, page redirects and content availability. These attack techniques are used to promote fake brands and illegal services, and to attack a competitor's reputation.

Detecting these kinds of attacks in real time was challenging, because the business logic being exploited for malicious purposes is itself legitimate. Our technique for detecting them is anomaly detection on Akamai's Big Data Platform, using a heuristic and forensic approach.
However, by careful review of the application logs, any affected party could identify these attacks. We will present a few examples of log entries that could be used to identify an attack.

To summarize the presentation we will also recommend proper actions and mitigations that will help detect and prevent related incidents.

Speakers

Ezra Caltum

Ezra is an Information Security enthusiast, with experience in the fields of Secure Software Development, Security consulting, Forensics and Red Teaming. He currently serves as a Senior Security Researcher for Akamai's Cloud Security Intelligence platform. Ezra is one of the organizers of the DC9723 Israel Defcon group, and a volunteer at different Information Security groups in Israel.

Or Katz

Principal Security Researcher, Akamai
Or is an application security veteran, with years of experience at industry leading vendors, currently serves as principal security researcher for Akamai's Cloud Security Intelligence platform. Or is a frequent speaker in conferences such as RSA, AppSec and CSA. Or has published several innovative articles and white papers on web applications threat intelligence and defensive techniques.


Thursday May 21, 2015 11:55 - 12:40
Room E103 Amsterdam RAI

11:55

If 6,000 Mobile Malware Applications Could Talk! Ow, They Do, And A Lot!
Current mobile malware detection solutions tend to be particularly good at one very specific thing, each using its own specific detection mechanism. However, most of them are not extensible, and the analysis technique is a black box. That is why we started our mobile malware detection research project by combining existing free-to-use solutions. We have also built our own static and dynamic analysis components. In this presentation, we dive deep into the categories of checks that we've researched and implemented in our analysis components to complement existing techniques and create a better view of the scanned mobile sample.

The results of such a distributed scan are presented in a report that can be interpreted by end-users, answering basic questions such as "Is this sample trying to send a text message to a premium number without my consent?" (which 15% of the apps we scanned do). Because of the distributed approach, we can answer more complex questions, including: "Did the sample behave differently in a sandboxed (virtual) environment than it did on a physical phone?".

Our research project is free to use (http://apkscan.nviso.be), contains a publicly available API and is used by researchers and companies around the world. In this presentation we give a broad range of statistics and interesting examples of what we found in thousands of scanned Android applications.

Speakers

Matias Madou

Matias works for NVISO, a boutique information security consulting firm located in Brussels. He holds a Ph.D. in computer engineering from Ghent University, where he studied application security through program obfuscation to hide the inner workings of an application. Matias spoke at conferences including RSA Conference, BlackHat and DefCon.

Daan Raman

Daan Raman works at NVISO, where he is responsible for R&D. His core activities consist of technical research with a current focus on application security for mobile systems.


Thursday May 21, 2015 11:55 - 12:40
E104&105 Amsterdam RAI

11:55

Rise Of The Machines - How Automated Processes Overtook the Web
While we all surf the web, read news, buy products or download songs, an entire world of automated minions is performing the dirty work for their human masters. These bots perform actions anywhere on the spectrum between legal and illegal. While some bots legally mine data from public web sites, others harass web sites by sending HTTP requests for purposes such as content theft, comment spam, scanning for vulnerabilities or even attempting to deny service to other users. Whether we like it or not, web bots of all kinds and forms are swarming the Internet.
 
In this presentation, we will provide an overview of the web bot world as it is seen by Akamai's intelligent platform, which handles almost 30% of all web traffic every day. The presentation will cover the following topics:
- History of web bots
- Web bot types & their purposes
- Legal & illegal bot activity (w/ real world examples)
- Mitigation approaches to web bots

Speakers

Yossi Daya

Senior Security Researcher, Akamai Technologies
Yossi serves as a Senior researcher for Akamai's Cloud Security business unit. Yossi has over 13 years of experience in the cyber intelligence field with expertise in web data mining, information retrieval & software development.


Thursday May 21, 2015 11:55 - 12:40
Room Forum Amsterdam RAI

11:55

"Web Service Workers - Breaking The Web Because It Would Be A Shame To See Such A Cool Feature Go Unused"
Service Workers are an exciting new feature in the open web platform that will enable many new types of applications. At the same time, they pose very interesting challenges to existing web applications. This talk will give a brief introduction to Service Workers and explain obvious abuse scenarios, potential new security applications, as well as some potential attacks and implementation problems.

Speakers

Eduardo Vela Nava

Eduardo Vela Nava (sirdarckcat) leads Google's Product Security Response team, whose mission is to respond to security issues found in Google products and to prevent them from happening ever again. He is a frequent speaker at security conferences and an avid web security researcher.


Thursday May 21, 2015 11:55 - 12:40
Room E102 Amsterdam RAI

11:55

The Node.js Highway: Attacks Are At Full Throttle
Node.js is the drive-and-go language and its popularity is soaring. Five years after its debut, the language's framework boasts more than 2M downloads a month.

Before accelerating too quickly, it is important to understand the power – and corresponding mishaps – of this language.

In this talk, we demonstrate new attack techniques against applications built on top of the Node.js language.

Attacks include:

- Application-layer DDoS attacks: bringing a server to its knees with just 4(!) requests.
- Password exposure attacks: leveraging the "Forgot My Password" feature of applications in order to reveal the passwords of all the application's users.
- Business logic attacks: running malicious code on all machines of users of the applications when exploiting a weak business feature.

Speakers

Maty Siman

Checkmarx
Maty is the CTO and founder of Checkmarx. Maty has more than a decade of experience in software development, IT security and source-code analysis. Prior to founding Checkmarx, Maty worked for two years at the Israeli Prime Minister's Office as a senior IT security expert and project manager. Prior to that, he spent six years with the Israel Defense Forces (IDF), where he established and led a development team in the IDF's...


Thursday May 21, 2015 11:55 - 12:40
Room E106 & E107 Amsterdam RAI

13:40

Server-Side Browsing Considered Harmful
Compromised some large service providers (Facebook, Yahoo, CoinBase, Prezi, ...). Pwned their cloud presence and got a few root shells. Using only SSRF. Bypassed tons of blacklists. And I'll give you all my tricks.

 ToC: Methodology, Vectors, Targets, Blacklists, Bugs, Toolbox

Speakers

Nicolas Grégoire

Nicolas Gregoire has nearly 15 years of experience in penetration testing and auditing of networks and (mostly web) applications. A few years ago, he founded Agarri, a small company where he finds security bugs for customers and for fun. His research was presented at numerous conferences around the world and he was publicly thanked by tons of vendors for responsibly disclosing...


Thursday May 21, 2015 13:40 - 14:25
Room E102 Amsterdam RAI

13:40

Red Team, Blue Team Or White Cell? Trends In IT And How They Force Security To Behave As An Immune System
The past few decades have been decades of change for IT. IT is no longer the department that operates from within the safe walls of your datacenter; it is the group of people that makes sure that your local IT (if you have any left) works well with your cloud services, interacts smoothly with the systems of your partners, and has to deal with increasing consumerization, BYOD and the Internet of Things.
This forces security to play a different role in the system: it can no longer be the department of NO that defends the walls of the datacenter castle, but has to operate more like a body's immune system.
This talk will focus on these developments, their impact on IT and security, and how security can adapt to cope and keep the patient alive.

Speakers

Frank Breedijk

Frank Breedijk started working as a Security Engineer at Schuberg Philis in 2006. He has been Schuberg Philis' Security Officer since 2011, which makes him responsible for the information security of Schuberg Philis Mission Critical outsourcing services. This includes, but is not limited to: security awareness; cooperation with the National Cyber Security Center in the MSP-ISAC; vulnerability management; internal security...


Thursday May 21, 2015 13:40 - 14:25
Room Forum Amsterdam RAI

14:25

Room switch
Thursday May 21, 2015 14:25 - 14:30
TBA

14:30

Application Security Of The Belgium Electronic Voting System
In this session Rob will discuss the secure code review his team performed on the Belgium electronic voting system, as used in the general elections of May 2014. The case illustrates typical application security challenges, their root causes and how they are mitigated. Rob concludes with key take-aways for application security in general.

Speakers

Rob van der Veer

Principal consultant, Software Improvement Group
Rob van der Veer has an extensive background in building software and running software businesses. IT security has been a constant theme in his career, from hacking into the British RAF in 1986, to building big data solutions for national security. As principal consultant at the Software Improvement Group, Rob is responsible for SIG's services regarding software quality for security. Rob is one of the founders of the Grip on Secure Software...


Thursday May 21, 2015 14:30 - 15:15
Room E103 Amsterdam RAI

14:30

OWASP Top 10 Privacy Risks
Discussions about how to protect personal data are lively, but until now there was no specific and independent description of privacy risks for web applications available. As a result, companies lack guidance to apply during systems development, and users cannot easily check whether they are exposed to privacy risks. Therefore the OWASP Top 10 Privacy Risks project was founded in 2014 to develop a top 10 list of privacy risks in web applications. The project covers technological and organizational aspects such as missing encryption or insufficient transparency; its results and practical countermeasures are presented in this session.

Speakers

Stefan Burgmair

Stefan Burgmair is a German security and privacy consultant at msg systems in Munich. He wrote his Master Thesis in information systems and management about the “Top 10 Privacy Risks for Web Applications” and continues to deliver key content for the project.

Florian Stahl

Lead Consultant Information Security, msg systems ag
Florian Stahl is a German security and privacy consultant and evangelist. He holds a Master's in information systems and computer science and has CISSP and CIPT certifications. Currently Florian is Lead Consultant at msg systems in Munich. He is a regular speaker at conferences, writes articles on his blog securitybydesign.de and leads the OWASP Top 10 Privacy Risks Project.


Thursday May 21, 2015 14:30 - 15:15
E104&105 Amsterdam RAI

14:30

The API Assessment Primer
APIs are everywhere now. SOA, IoT, mobile, and thick clients all rely heavily on web services and APIs. This talk will present a primer on how to assess these services and interfaces, for developers and testers alike. The introduction will include topics such as API identification, common implementations and frameworks. The bulk of the talk will focus on an assessment checklist that anyone can use to test these technologies for security flaws, covering topics such as:

- Authentication
- Verbose-ness
- Hidden Functions
- Lack of Access Control
- Transport Security
- Tampering/Trust
- Injection

** Where possible we will point to free resources for assessors to carry out the testing ** 

Speakers

Greg Patton

Static Analysis Team Manager, HP Fortify on Demand
Greg Patton is the Static Application Security Testing (SAST) Team Manager with HP Fortify on Demand based in Houston, TX. Greg specializes in application security with a focus on dynamic run-time web and mobile assessments over the past eight years. Greg started his career in software development, but he discovered a natural talent and interest in breaking applications. Today Greg assists customers with building secure applications and secure...


Thursday May 21, 2015 14:30 - 15:15
Room Forum Amsterdam RAI

14:30

Dark Fairytales From A Phisherman
Phishing and client-side exploitation DevOps for all your needs. Combine BeEF, PhishingFrenzy and your fishy business to automate most of the usual phishing workflow while minimizing human interaction.

Speakers

Michele Orru

antisnatchor – Michele is the lead core developer and smart-minds-recruiter for the BeEF project. Michele is also the co-author of the "Browser Hacker's Handbook." He has a deep knowledge of programming in multiple languages and paradigms, and is excited to apply this knowledge while reading and hacking code written by others. Michele loves lateral thinking, black metal, and the communist utopia (there is still hope!). He also...


Thursday May 21, 2015 14:30 - 15:15
Room E102 Amsterdam RAI

14:30

Lightning Talks

Listen to OWASP leaders explain their own projects in 10-minute lightning talks, describing the aims, audience, benefits and free open source outputs available. This first session showcases four OWASP projects:

  • Hackademic Challenges, implementing realistic scenarios with known vulnerabilities in a safe, controllable environment.
  • Application Security Verification Standard, providing a basis for assessing web application technical security controls, to establish a level of confidence in the security of web applications.
  • Reverse Engineering and Code Modification Prevention, educating security architects, risks analysts, software engineers, and pen testers around binary risks from code integrity violation and reverse engineering.
  • Testing Guide version 4, the de facto standard for performing web application penetration testing.

Thursday May 21, 2015 14:30 - 15:15
Room E106 & E107 Amsterdam RAI

14:30

ZAP Hackshop
The Zed Attack Proxy (ZAP) is currently the most active open source web application security tool and competes effectively with commercial tools.

Speakers

Zakaria Rachid

Zakaria Rachid is a security consultant at Davidson with more than 13 years of intense computing and security experience in critical environments (Telcos, mil...). He specializes in penetration testing, web applications security, risk management and incidents.


Thursday May 21, 2015 14:30 - 16:30
E108 Amsterdam RAI

15:45

Bringing Security Testing To Development: How To Enable Developers To Act As Security Experts
Security testing is an important part of any security development life-cycle (SDLC) and, thus, should be a part of any software development life-cycle.

We will present SAP's Security Testing Strategy, which enables developers to find security vulnerabilities early by applying a variety of different security testing methods and tools. We explain the motivation behind it and how we enable global development teams to implement the strategy across different SDLCs, and report on our experiences.

Speakers

Achim D. Brucker

The University of Sheffield
Dr. Achim D. Brucker (www.brucker.uk) is a Senior Lecturer and consultant for software and systems assurance at the Computer Science Department of The University of Sheffield, UK. Until December 2015, he was a Research Expert (Architect), Security Testing Strategist, and Project Lead in the Global Security Team of SAP SE, where he defined the risk-based security testing strategy of SAP that combines static, dynamic, and interactive security...


Thursday May 21, 2015 15:45 - 16:30
Room E103 Amsterdam RAI

15:45

Security Policy Management: Easy as PIE
There are many security frameworks for web applications such as Content Security Policy (CSP), the Java Security Manager, and Spring Security. Effective use of these tools can mitigate or even eliminate entire classes of defects, but despite this they don't see widespread, standard use. This presentation discusses why this is, and focuses on one particular obstacle: defining a good security policy is hard. As part of this talk we present a new open-source tool, Policy Instantiation & Enforcement (PIE). PIE is designed as a generic tool which hooks into security managers and generates effective, simple, and verifiable security policies.

Speakers

Ian Haken

Ian Haken is a security researcher at Coverity where he develops tools and methods for application security, software analysis, and detection of security defects. Prior to working at Coverity, he received his Ph.D. in mathematics from the University of California, Berkeley with a focus in computability theory and algorithmic information theory.


Thursday May 21, 2015 15:45 - 16:30
E104&105 Amsterdam RAI

15:45

Abusing JSONP With Rosetta Flash

Speakers

Michele Spagnuolo

Information Security Engineer, Google
Information Security Engineer at Google Switzerland, Michele is a security researcher focused on web application security, and the Rosetta Flash guy. He is also author of BitIodine, a tool for extracting intelligence from the Bitcoin network.


Thursday May 21, 2015 15:45 - 16:30
Room Forum Amsterdam RAI

15:45

XSS Horror Show
My talk is about RPO techniques and a history of XSS vectors I've found over the years while testing filters. I will cover mutation XSS, browser flaws and cool IE bugs.

Speakers

Gareth Heyes

Gareth is based in the United Kingdom and is a web security researcher and works for Portswigger. He has been a speaker at the Microsoft BlueHat, Confidence Poland, and OWASP conferences, and is the author of many Web-based tools and sandboxes, including Hackvertor and MentalJS.


Thursday May 21, 2015 15:45 - 16:30
Room E102 Amsterdam RAI

15:45

Lightning Talks

In the second session a further four OWASP leaders explain their own projects in 10-minute lightning talks, describing the aims, audience, benefits and free open source outputs available from the following OWASP projects:

  • Top 10 Proactive Controls, describing the most important control and control categories that every architect and developer should include in every project, and Cheat Sheet Series, providing a concise collection of high value information on specific web application security topics.
  • Offensive Web Testing Framework (OWTF), making security assessments as efficient as possible by automating the manual uncreative part of pen testing, and providing out-of-box support for the OWASP Testing Guide, and NIST and PTES standards.
  • Knowledge Based Authentication Performance Metrics, establishing standard performance metrics for knowledge based authentication (KBA) in alignment with the NSTIC guiding principles — at the intersection of security, identity and privacy.
  • Software Assurance Maturity Model (OpenSAMM), an open framework to help organizations measure, improve and manage their software security practice that is tailored to the specific risks facing the organization.

Thursday May 21, 2015 15:45 - 16:30
Room E106 & E107 Amsterdam RAI

16:30

Room switch
Thursday May 21, 2015 16:30 - 16:40
TBA

16:40

Preserving Arcade Games
Old-school arcade games were so protected that hacking is the only way to preserve them before all boards are dead and the games are lost.

An overview of famous old-school arcade games:
  • their incredible hardware
  • the permanent piracy
  • the awesome protections (designed to commit suicide!)
and what was required to preserve some of them from being lost forever.

Speakers

Ange Albertini

With a bucket full of pixels and crazy animations, it is the one and only Ange Albertini with “Preserving Arcade games”


Thursday May 21, 2015 16:40 - 17:25
Room E102 Amsterdam RAI

16:40

Continuous Acceleration: Why Continuous Everything Requires A Supply Chain Approach

With continuous development, we write less code and consume more re-usable open source code. Innovation is accelerated and so is application complexity. Complexity is the enemy of quality. Poor quality creates unplanned/unscheduled work. Re-work creates a drag on development speed. It’s a continuous loop.
While Agile and DevOps have made us faster and more efficient, they can only take us so far… and worse, the year of open source attacks we’ve just had demands better practices.
What if we could deliver applications on-time (even faster), on-budget (even more efficiently) and with a natural byproduct of more acceptable quality and risk?
The good news: other industries have figured this out with supply chain management. Applying supply chain approaches to software raises the bar on continuous goals.
A few of the patterns we can take from the rigor of things like the Toyota Supply Chain:

  • Scrutinize the number and quality of your “suppliers”
  • Manage out avoidable risk and complexity
  • Improve traceability and visibility
  • Ensure prompt agile responses when things go wrong

Speakers

Joshua Corman

In his capacity as CTO, Josh researches new technologies and software development trends to help evolve Sonatype’s product strategy. Additionally, Josh is working with the broader IT community as well as policy and standards bodies to improve software development security standards and best practices. Prior to Sonatype, Josh served as a security researcher and executive at Akamai Technologies, The 451 Group, and IBM Internet Security...


Thursday May 21, 2015 16:40 - 17:25
Room Forum Amsterdam RAI

17:25

Closing ceremony
Speakers

Martin Knobloch

Principal Consultant, Nixu
Martin is Principal Consultant at Nixu BeNeLux (https://www.nixu.com/en/nixubenelux). His main working area is (software) security in general, from awareness to implementation. In his daily work, he is responsible for education in application security matters, and for advice on and implementation of application security measures. With his background in Java Development, he understands the complexity of Enterprise software development, Agile Scrum...


Thursday May 21, 2015 17:25 - 17:35
Room Forum Amsterdam RAI
 
Friday, May 22
 

08:00

Registration
Friday May 22, 2015 08:00 - 08:45
Ground Floor Amsterdam RAI

08:45

Opening ceremony
Speakers

Martin Knobloch

Principal Consultant, Nixu
Martin is Principal Consultant at Nixu BeNeLux (https://www.nixu.com/en/nixubenelux). His main working area is (software) security in general, from awareness to implementation. In his daily work, he is responsible for education in application security matters, and for advice on and implementation of application security measures. With his background in Java Development, he understands the complexity of Enterprise software development, Agile Scrum...


Friday May 22, 2015 08:45 - 09:00
Room Forum Amsterdam RAI

09:00

Security is Part Of The DNA Of A Defense Organization
Security is not new. Already the Romans tried to defend themselves against intrusions by enemies. Techniques both in defence and in attack became more sophisticated over the years. Being secure is part of military thinking. Defense in depth is a military term. The military use of ICT has grown over the past decades as it has in the civilian world. This makes it a new target and makes the military vulnerable, which requires new thinking on defence, both within a military operation and prior to a mission, during exercises and preparation.

Speakers

Hans Folmer

Colonel Hans Folmer was born in 1964 and joined the Royal Military Academy in 1982. In 1986 he was commissioned as Artillery Officer. In October 2011 he was tasked to implement the cyber program in the Netherlands Armed Forces. Currently Col Folmer is CO of the NLD Defence Cyber Command. Before starting the cyber program Hans Folmer was Chief Joint C4ISR requirements at the MoD, Directorate for Operational Policy, Requirements and...


Friday May 22, 2015 09:00 - 09:45
Room Forum Amsterdam RAI

09:45

Room switch
Friday May 22, 2015 09:45 - 09:50
TBA

09:50

Security Touchpoints When Acquiring Software
When the need arises for a certain functionality that can be delivered by software, organizations that have development resources with enough capacity have to decide whether to build it or buy it. Such a decision should be based on a cost-benefit analysis, and the resulting software should meet the security needs of the organization. To achieve the latter, Gary McGraw’s Building Security In (1) argues for security to be built into every stage of the software development lifecycle with specific security touchpoints. However, if the decision is to buy the software, do those touchpoints still apply?
We postulate that those touchpoints are still relevant when acquiring software, albeit in a different scope and in some cases to a lesser extent. We present a process for software acquisition that resembles the one for software development and thus allows for security touchpoints to be applied.


Speakers

Nadim Barsoum

Nadim Barsoum is a senior software security consultant who has worked for 12 years in the software industry, focused on the IT compliance needs of governmental institutions, private sector enterprises and banks. Nadim has helped organisations around the globe to plan, resource and initiate their Software Security Assurance programs, enabling them to realize the full potential of a structured, measurable approach to risk management and...

Carsten Huth

Dr. Carsten Huth joined the HP Fortify Professional Services team in 2009, which he now leads. He has consulted with Fortify SCA customers across Europe, and has delivered security assessments and trainings on topics including defensive programming, secure design, and Fortify implementations including Fortify SCA Custom Rules. Carsten has 8 years' technical consulting experience; prior to that Carsten held research positions in computer...

Dawid Sroka

Software Security Consultant, HP Fortify
Dawid Sroka joined the HP Fortify Professional Services team in 2012. Across Europe he has helped customers initially deploying Fortify SCA and has consulted with them to define their solution and use the software efficiently. Prior to HP Fortify, Dawid gained 13 years' technical consulting expertise, ranging from server and database administration to programming and system testing.


Friday May 22, 2015 09:50 - 10:35
Room E103 Amsterdam RAI

09:50

Security And Insecurity Of HTTP Headers
From the security perspective HTTP headers have two extreme occurrences:
They can provide a higher level of security for the browser and thus be used as an additional piece of defense, e.g. HSTS and CSP.

On the flip side of the coin, HTTP headers in a default setup can already give an attacker some information, and worse, with crafted requests they might even divulge too much about the infrastructure involved (e.g. IP addresses behind a reverse proxy or load balancer).

This talk will address those two sides of the coin. It'll start with the basics of HTTP headers and show what's necessary and what's redundant information. It gives practical advice -- where to set which header, where to unset certain lines and what the pitfalls are.

It mentions browser dependencies and outlines new features such as CSPv2 and HPKP, as well as new threats to privacy such as HSTS tracking.

The talk will look at the topics mentioned from the infrastructure perspective and show examples for commonly used server software.

Speakers

Dirk Wetter

Dirk is an independent security consultant who has more than 17 years of experience in information security and, as he is an old man, even more in the world of Unix/Linux. If his time allows he gives talks at conferences and publishes articles for computer magazines. He is engaged in OWASP Germany / Europe and chaired a couple of conferences. He uses Open Source Software whenever possible. His pet project testssl.sh...


Friday May 22, 2015 09:50 - 10:35
E104&105 Amsterdam RAI

09:50

E-Banking Transaction Authorization - Common Vulnerabilities, Security Verification And Best Practices For Implementation
Most of the modern internet or mobile banking applications use some sort of second factor, such as TAN lists, SMS codes, time-based OTP tokens, etc. to let users verify banking operations and to protect against MitM or malware attacks. During security tests in pre-production, it often turns out that the tested banking systems have serious security flaws in the implementation of their transaction authorization mechanisms, which (if not detected and corrected) could allow an attacker to bypass or weaken those safeguards. During this presentation I would like to throw light on the security of transaction authorization mechanisms. The agenda will include:
  • Examples of possible vulnerabilities which could allow an attacker to bypass those security mechanisms.
  • Resistance of selected transaction authorization mechanisms to common banking malware attacks.
  • Suggested best practices regarding the implementation of transaction authorization.

Speakers

Wojtek Dworakowski

Wojtek Dworakowski, SecuRing Managing Partner. Wojtek is an application security consultant with over 10 years of experience and a managing partner of SecuRing, a company dealing with application security testing and advisory. Over the last years he has been helping banks, major financial institutions, and software vendors to achieve a proper level of application security, including ING, BNP, KBC, UniCredit Group, Sage, Sodexo. Member of Crisis...


Friday May 22, 2015 09:50 - 10:35
Room Forum Amsterdam RAI

09:50

Security And "Modern" Software Deployment
Software deployment has moved a long way from the “walk to a shop and buy a physical disk” model that was prevalent in the 90s. These days entire systems are deployed in the blink of an eye directly from a bewildering array of sources.

At the same time the threats posed by those who might target software developers and deployment ecosystems are increasing, as the attacker community grows in size and looks for innovative ways to bypass security measures.

This talk is intended to look at the risk model inherent in the development and deployment models used in modern application development frameworks such as Node.JS and Ruby On Rails, examine specific potential security risks, and discuss how they could be addressed.

Speakers

Rory Mccune

Managing Consultant, NCC Group PLC
“Rory has worked in the Information and IT Security arena for the last 15 years with roles in consultancy and financial services.  His current role focuses on technical security testing and application security specifically.  He is an active member of the Information security community in Scotland and regularly presents at IT and Security related conferences.”


Friday May 22, 2015 09:50 - 10:35
Room E106 & E107 Amsterdam RAI

09:50

OWASP Security Shepherd
Session:
Women in AppSec

Abstract:
This will be a hands-on workshop to demonstrate to women what a career in AppSec can involve (most likely using the OWASP Security Shepherd project). As it is hands-on, it will give practical experience. It will be a fairly informal session.

Speakers

Fiona Collins

Fiona Collins is the chapter leader for Cork in Ireland. She has been a member of OWASP since 2007 and prior to starting the Cork chapter she ran the Dublin Chapter. She has been in the security industry for almost 10 years in a variety of roles including penetration,


Friday May 22, 2015 09:50 - 11:50
E108 Amsterdam RAI

11:05

Building An AppSec Pipeline: Keeping Your Program, And Your Life, Sane
Are you currently running an AppSec program? AppSec programs fall into an odd middle ground: highly technical interactions with the dev and ops teams, yet a practical business focus is required as you go up the org chart. How can you keep your far too small team efficient while making sure you meet the needs of the business, all while making sure you’re catching vulnerabilities as early and often as possible?

At Pearson, the AppSec program was faced with a highly geographically dispersed company with a wide range of different development styles and business practices. The AppSec team and the business created an AppSec Pipeline to handle the work flow. The pipeline starts with “Bag of Holding”, an open source web application which helps automate and streamline the activities of your AppSec team. At the end of the pipeline is ThreadFix to manage all the findings from all the sources. Finally we incorporated a chatbot to tie all the information into one place. This talk will cover the motivation behind Pearson's AppSec pipeline, its implementation at Pearson and how it can help you get the most out of your AppSec program.

Speakers

Aaron Weaver (Cengage Learning)

Application Security Manager, Cengage Learning
Aaron Weaver is the Application Security Manager at Cengage Learning. Prior to that he was at Protiviti where he built out their secure coding practice. Aaron has managed application security programs at large organizations and leads OWASP Philadelphia. Aaron speaks frequently at OWASP, AppSec USA/EU, Infragard, ISSA, ISACA, IIA and Velocity. When he has time Aaron likes to make sawdust in his workshop.


Friday May 22, 2015 11:05 - 11:50
Room E103 Amsterdam RAI

11:05

Windows Phone App Security For Builders And Breakers
The talk will detail examples of real-world insecure code in Windows Phone apps developed with Silverlight and Windows Runtime technologies, which were identified during our recent contribution to the OWASP Mobile Top Ten 2015. Each vulnerability has been mapped and organized on the basis of the MTT 2014 entries, thus representing a helpful resource for both developers and security professionals.

Speakers

Luca De Fulgentis

CTO, Secure Network
Luca De Fulgentis is an offensive security enthusiast with experience in application security engineering and penetration testing. He holds a Master’s degree in Computer Engineering from Politecnico di Milano, where he graduated, cum laude, with a thesis on evolutionary fuzzing. As Chief Technology Officer of Secure Network, he manages the company’s top-notch security services in EMEA and North America, and coordinates internal technical...


Friday May 22, 2015 11:05 - 11:50
E104&105 Amsterdam RAI

11:05

WebRTC, Or How Secure Is P2P Browser Communication?
In this presentation, we will provide the necessary insights into this emerging Web technology, and discuss the various security aspects of WebRTC. This content is based on a recent study of the Web Security specifications we have been conducting together with researchers at W3C and Trinity College Dublin in the context of the European FP7 research project STREWS.
Firstly, the overall WebRTC architecture will be presented, and the enabling technologies (such as STUN, TURN, ICE and DTLS-SRTP) will be introduced. This architecture will be illustrated in multiple deployment scenarios. As part of this description, the basic security characteristics of WebRTC will be identified.
Secondly, we will discuss how the new WebRTC technology impacts the security model of the current Web. We will highlight some of the weaknesses spotted during the security assessment, as well as discuss the open security challenges with the WebRTC technology.

Speakers

Lieven Desmet

Research Manager, iMinds-DistriNet-KU Leuven
Lieven Desmet is Research Manager on Software Secure at the iMinds-DistriNet Research Group (KU Leuven, Belgium), where he coaches junior researchers in web application security and participates in dissemination and valorization activities. His interests are in security of middleware and web-enabled technologies. Lieven is actively engaged in OWASP and is board member of the OWASP Chapter Belgium.

Martin Johns

Research Expert, SAP SE
Dr. Martin Johns is a Research Expert in the Product Security Research unit within SAP SE, where he leads the Web application security team. Furthermore, he serves on the board of the German OWASP chapter. Before joining SAP, Martin studied Mathematics and Computer Science at the Universities of Hamburg, Santa Cruz (CA), and Passau. During the 1990s and the early years of the new millennium he earned his living as a software engineer in...


Friday May 22, 2015 11:05 - 11:50
Room E106 & E107 Amsterdam RAI

11:05

Security DevOps - Staying Secure In Agile Projects
In this session I will present best practices of how open source tools (used in the DevOps and security communities) can be properly chained together to form a framework that can - as part of an agile software development CI chain - perform automated checking of certain security aspects. This does not remove the requirement for manual pentests, but tries to automate early security feedback to developers.

Based on my experience of applying SecDevOps techniques to projects, I will present the glue steps required on every commit and at nightly builds to achieve different levels of depth in automated security testing during the CI workflow.

I will conclude with a "SecDevOps Maturity Model" of different stages of automated security testing and present concrete examples of how to achieve each stage with open source security tools.

Speakers

Christian Schneider

Whitehat Hacker, Christian Schneider
Christian Schneider (@cschneider4711) has been writing software since the nineties, has worked as a freelance software developer since 1997, and has focused on Java since 1999. Aside from the traditional software engineering tasks he supports clients in the field of IT security. This includes penetration testing, security audits, architectural reviews, and web application hardening. Christian enjoys writing articles about web application security (for the German...


Friday May 22, 2015 11:05 - 11:50
Room E106 & E107 Amsterdam RAI

11:50

Room switch
Friday May 22, 2015 11:50 - 11:55
TBA

11:55

Women of AppSec
During this panel session we will discuss what can be done to Make it Happen for Women in AppSec going forward. What have those currently working in the field done to Make it Happen for themselves and other women; what tips and advice do they have to help you make a career for yourself or encourage those around you (sister, friend, daughter, etc…) to pursue a career in AppSec? What can we as professionals do to help encourage girls to go for a career in AppSec?

Speakers

Jaya Baloo

Jaya Baloo is the CISO for KPN Telecom in the Netherlands.

Tobias Gondrom

OWASP Foundation Board Chair
Tobias Gondrom is CEO at Thames Stanley, a boutique Global CISO and Information Security & Risk Management Advisory operating in Asia and Europe. He has 15 years of experience in information security and risk management, software development, application security, cryptography and global standardization organizations, working for independent software vendors and large global corporations in the financial, technology and government...

Dhillon Andrew Kannabhiran

Dhillon Andrew Kannabhiran is the Founder and CEO of Hack In The Box and organiser of the HITBSecConf series of network security conferences.

Dr. Melanie Rieback

Dr. Melanie Rieback is the CEO/Co-founder of Radically Open Security. Melanie is a former Asst. Prof. of Computer Science at the Free University of Amsterdam who performed RFID security research (RFID Virus and RFID Guardian) that got worldwide press coverage and won several awards.


Friday May 22, 2015 11:55 - 12:40
Room E105 Amsterdam RAI

11:55

Using A JavaScript CDN That Can Not XSS You - With Subresource Integrity
Today, web applications commonly use a rich set of assets, such as JavaScript libraries or fonts. To perform well, these web applications have to rely on third party content delivery networks (CDNs). But how secure are these CDN providers? A compromised or a rogue CDN may harm thousands of web pages. A recent breach in jQuery.com confirms that it's a good security exercise not having to trust your content delivery network.
This talk will focus on a new web standard, called Subresource Integrity (SRI), which aims to help web developers prevent rogue third party scripts from compromising their web page. SRI achieves this by allowing the developer to provide a hash of the expected content in order to detect and prevent undesired changes. The talk will also cover the current standardization process by highlighting the security considerations faced, as well as the implementation status in modern browsers.

Speakers

Frederik Braun

Senior Security Engineer at Mozilla


Friday May 22, 2015 11:55 - 12:40
E104&105 Amsterdam RAI

11:55

So, You Want To Use A WebView?
The (Android) WebView is an embeddable component that powers the majority of internet-enabled apps. In Android, WebViews are currently a hot topic but for all the wrong reasons. WebViews make connections, render HTML and run JavaScript, and so can be attacked using traditional web attacks like connection hijacking and XSS. Secondly, WebView-enabled apps combine local resources with web-based content that are rendered in the same container. This makes a Same Origin Policy bypass far more dangerous: it can mean access to the local device file-system and juicy local user data that you thought was sandboxed. Malicious code can even target other applications remotely by using the WebView as a proxy. Finally, WebViews create residual risks that simply cannot be mitigated through any in-app technical control. This talk is aimed at both testers and developers. They will learn some fundamental WebView mistakes, how to attack them, how to fix them and which vulnerabilities simply must be accepted in this design.

Speakers

Andrew Lee-Thorp

Senior Consultant, Cigital
Coder, tester, architect, mobile, and all round nice guy.


Friday May 22, 2015 11:55 - 12:40
Room E102 Amsterdam RAI

11:55

Can SaaS Ever Be Secure?
Growth in the SaaS market is an agreed trend over the coming years but one of the main obstacles for majority adoption by Enterprise IT departments is trust in security. Further, the changing function of IT needs to be embraced as it evolves from purchasing, deploying and managing technology to managing data as an asset.

Myths need to be debunked for those who believe on premise software is inherently more secure than SaaS. A robust Risk Assessment approach is needed which addresses regulatory compliance, security standard best practices, benchmarking between SaaS providers, and setting of enterprise risk tolerance and acceptance criteria.

Making the distinction between Data Processor and Data Controller is important when working with a SaaS provider, as are the integrated Data Architecture and User Access Control design, deployment and monitoring, which are critical for both corporate governance and demonstrating regulatory compliance.

Speakers

Helen McLaughlin

Bringing over 15 years as a technology professional, with 10 years in Financial Services, Helen has been responsible for delivering software development and integration programmes, as well as managing operations support teams supporting global business applications. She recently joined Workday as EMEA Information Security Architect to work with customers on their risk assessment of subscribing to a SaaS...


Friday May 22, 2015 11:55 - 12:40
Room E106 & E107 Amsterdam RAI

13:40

Securing The Internet Of Things
Sometimes a bandwagon seems more like the fail train. The Internet of Things, a fantabulous, Willie-Wonka-esque larger than life term for “Embedded stuff with sensors that shunts data to and from the cloud”, is an amazing, technicolour bandwagon and/or all-in-one security fail train. Will it revolutionise the way we post pictures of recently eaten food on Instagram? Or instead do we face a dystopian Snowpiercer-style fail train future filled with regret as The Internet of Things turns on its end users as a result of potentially perverse incentives?
In this talk I will discuss the Information superhighway to hell/paradise on which we find ourselves, the route travelled thus far and point out the many good intentions that pave the road ahead. Along the way I’ll illustrate some practical Internet of Things problems from the OWASP Internet of Things Top Ten and issue a call to arms to AppSec specialists both in the cloud and in embedded systems arenas to help ensure that systems are both traditionally secure and operate within an ethical framework that doesn’t leave end users as the product being sold or spied on.

Speakers

Steve Lord

Steve has been a career penetration tester and occasional drop-in replacement for Chris John Riley for over 15 years. While heavier than Chris, he lacks Chris’ reach and would probably not beat Chris in a bloodsport-style pit-fight to the death. When not contemplating pit fights with Chris John Riley, Steve breaks into networks and applications at Mandalorian, co-organises the UK's 44CON Cybersecurity and 44CON London conferences...


Friday May 22, 2015 13:40 - 14:25
Room Forum Amsterdam RAI

14:25

Room switch
Friday May 22, 2015 14:25 - 14:30
TBA

14:30

Issues And Limitations Of Third Party Security Seals
In the current web of distrust, malware, and server compromises, convincing an online consumer that a website is secure can make the difference between a visitor and a buyer. Third-party security seals position themselves as a solution to this problem, where a trusted external company vouches for the security of a website and communicates it to visitors through a security seal.

In our research, we explore the ecosystem of third-party security seals, focusing on their security claims, in an attempt to quantify the difference between the advertised guarantees of security seals and reality. Through a series of automated and manual experiments, we discover a real lack of thoroughness from the side of the seal providers. Among other things, we show how seals can give more credence to phishing attacks, and how the current architecture of third-party security seals can be used as a completely passive vulnerability oracle, allowing attackers to focus their energy on websites with known vulnerabilities.

Speakers

Tom Van Goethem

Tom Van Goethem is a PhD student at the University of Leuven with a keen interest in web security and privacy. In his research, Tom likes performing large-scale security experiments, whether to analyze the presence of good and bad practices on the web, or to demystify security claims. In an attempt to make the web a safer place, Tom, on occasion, rummages the web in search of vulnerabilities, and has presented some of his findings at...


Friday May 22, 2015 14:30 - 15:15
Room E103 Amsterdam RAI

14:30

Implementing A User-Centric Datastore With Privacy Aware Access Control For Cloud-Based Data Platforms
This presentation introduces OPENi's Personal Cloudlets framework as a novel approach to enhancing users' control and privacy over their data on a data driven, cloud-based platform. We outline OPENi's architecture and describe how, through the use of REST based endpoints, object-based access control, OPENi Types, and stateless JSON Web Tokens (JWT), it allows users to share, reuse, and control access to their data across many mobile applications while maintaining cloud scalability. Furthermore we describe how a number of the framework's features enhance a user's privacy and control.

Speakers

Paul Malone

Over the last 15 years Paul has worked on many network and service accounting and security projects since graduating, including SUSIE, Bandwidth2000, OPIUM and DBE. He has previously managed the TSSG’s participation in the IST DBE (Digital Business Ecosystems) project and the OPAALS network of excellence, developing models for decentralised trust, identity and accountability. Paul has in recent years worked on multiple EU and...


Friday May 22, 2015 14:30 - 15:15
E104&105 Amsterdam RAI

14:30

Mobile Application Assessments By The Numbers: A Whole-istic View
By analyzing the data from over 100 mobile application security assessments, we identify the typical types of mobile vulnerabilities, the system components that contain those vulnerabilities, the components where given types of vulnerabilities cluster, and how to test for each of these. Attendees will learn in the session how to identify these vulnerabilities, how to create and implement an effective mobile security plan, and where to focus their limited testing resources to minimize mobile application portfolio risks. This is critical because automated web application testing tools are able to easily find vulnerabilities while today’s mobile security industry does not offer automated testing tools that can effectively test web services (i.e. the interaction between mobile clients and back-end services.) As a result, best practices for mobile application testing must incorporate significant, often laborious, manual testing. At this point in the presentation, we will use the statistics from the research to define the appropriate manual testing that needs to be implemented. 

Speakers

Dan Cornell

CTO, Denim Group
A globally recognized application security expert, Dan Cornell holds over 15 years of experience architecting, developing and securing web-based software systems. As Chief Technology Officer and Principal at Denim Group, Ltd., he leads the technology team to help Fortune 500 companies and government organizations integrate security throughout the development process.


Friday May 22, 2015 14:30 - 15:15
Room E102 Amsterdam RAI

14:30

Finding Bad Needles On A Worldwide Scale
Using automated web security scanners is an indispensable part of the security program for any large web site. Web security, and specifically XSS scanning, remains a hard and interesting problem. In this talk, I will detail our experience of maintaining and developing the Yahoo-wide XSS scanning system over the last few years: mistakes made, lessons learned, and progress achieved, leading into a discussion of the current ongoing work. We will explore the challenges and solutions related to scanner accuracy and the requirement of a low (near-zero) level of false positives, which is crucial for a usable large-scale system. I will demo Contextdetect, our novel method of using Go-based HTML5 and JavaScript parsers to verify XSS findings, as well as our recently open-sourced Webseclab, a set of scanner XSS tests.

Friday May 22, 2015 14:30 - 15:15
Room E106 & E107 Amsterdam RAI

14:30

BeEF: A Penetration Testing Tool That Focuses On The Web Browser
During this 2h session an introduction to BeEF (the Browser Exploitation Framework) will be given by one of the developers of BeEF. BeEF allows the professional penetration tester to assess the actual security posture of a target environment. 

Speakers

Bart Leppens

Bart is an IT professional with over 10 years of experience and a strong focus on security. In his free time he spends a fair amount of time on (application) security. He likes contributing to the BeEF project and attending security conferences. Bart is not afraid of looking into assembly code.


Friday May 22, 2015 14:30 - 16:30
E108 Amsterdam RAI

15:45

Facing Security Monitoring: Hype, Challenges, Solutions
Have you thought about security monitoring capabilities in your organization or in your development lifecycle? Are you planning to do research or invest in this area? Or are you already in operating mode? Do you need information about how to evaluate outsourcing such tasks? Are you wondering why your solution does not perform as expected, and why you cannot see a return on investment because of the increasing total cost of ownership?

Our talk will examine the need for security monitoring capabilities, focus on what kind of services a security operations center (SOC) can offer, and discuss how it may deliver these effectively.

In addition, we will outline common challenges and failings before and during the implementation phase, using an illustrated example of a security information and event management (SIEM) service monitoring a heterogeneous application landscape.

Last but not least, we will present recommendations for action as well as well-known limitations, derived from insights gained during our actual security assessments measuring the maturity and capability of production SOCs.

Speakers

Alexios Fakos

Alexios has been in the IT business since 1999. He worked as a software architect and developer for seven years before joining the security industry as a consultant in 2006. Alexios has had the pleasure of speaking at various OWASP conferences in the past, such as AppSecUSA, BeNeLux and Germany. Currently, Alexios is part of PricewaterhouseCoopers' growing Cyber Security team and leads the Application Security practice in Germany.

Johannes Schonborn

Johannes worked for several years as a penetration tester in IT security research and security monitoring before joining the Cyber Security Operations Center at DZ Bank. He can usually be found at the local OWASP meetings in Frankfurt.


Friday May 22, 2015 15:45 - 16:30
Room E103 Amsterdam RAI

15:45

Agile Security Testing - Lessons Learned
Agile, a blessing for software security?

Agile is challenging the world of security testers.

Is Agile a threat to software security or a blessing? Can Agile and security be friends?

The days are long gone when pentesters could launch their multi-week pentest ceremony as soon as the final build was delivered and test environments were finally up and running.

The world is shifting to Agile. And simply put, in Agile there is no time for such release-based testing, let alone rework. In a perfect world, we want to ship the code right after the sprint!

Security teams that try to stick to the old way of testing can't keep up anymore. Dev teams release once every three weeks now, instead of once every few months like before. How do you get security sign-off for them all?

In this talk I would like to share my experiences and lessons learned while working with various Agile teams on getting security testing integrated, with a challenging goal: non-blocking and cost-efficient! We think we are on the right track!

Speakers

David Vaartjes

David is Co-Founder of Securify. With over ten years of experience in software security, David specializes in security code reviews of mobile and web applications. He is a true enthusiast of the Build Security In approach: getting the right activities in place to catch things early and raising awareness amongst development teams.

While employed at a Dutch bank, he worked closely with the...


Friday May 22, 2015 15:45 - 16:30
E104&105 Amsterdam RAI

15:45

PDF - Mess With The Web
In this presentation Alex Inführ talks about possible attack vectors against web pages using PDFs. First, the structure of a simple PDF will be presented to give a quick overview of the concept of PDF. Additionally, interesting features in the PDF specification will be discussed, including privileged JavaScript, FormCalc, XFA, Actions and more. Adobe Reader also has some interesting security concepts, which mostly focus on protecting the end user at the system level.

In the second part Alex Inführ will cover possible attacks against the user. This includes web-related issues as well as attacks against the end user's system. The attacks show how privileged JavaScript can be used to steal local files from the user. Additionally, possible XXE issues will be covered. Another big topic is FormCalc and the possibility of reading any same-origin file, which gives attackers the possibility to break CSRF protection completely.

Last but not least, Alex Inführ will talk about what protections can be applied. This will cover methods for end users as well as for website owners.

Speakers

Alex Inführ

Alexander Inführ is a master's student from Austria. He is studying information security at the University of Applied Sciences in St. Pölten, Austria. Besides being a student, Alex works for the pentesting firm cure53 as a pentester. He is especially interested in web-related IT security topics, which is why his research is mostly about browsers, browser plugins etc.

Besides his interest in...


Friday May 22, 2015 15:45 - 16:30
Room E102 Amsterdam RAI

15:45

Naxsi, A Web Application Firewall for NGINX
The talk is about naxsi, a web application firewall for Nginx.

Instead of relying on a database of attack signatures (the negative model, the most common approach), naxsi relies on a much smaller set of "uncommon" or "dangerous" patterns, and uses those to decide whether a request is malevolent or legitimate.

This approach drastically reduces the runtime cost of request analysis, and also offers very good resilience against obfuscated or unknown attacks. On the other hand, as it relies on a model that is closer to a "classic" network firewall (authorize legitimate traffic), it requires more work on whitelists. This can be done quite easily thanks to naxsi's learning mode and helper tools.

The talk will be presented by Thibault Koechlin (author of naxsi, NBS System). Rather than just a presentation of the software, I will try to present naxsi from three different points of view:
- As a system administrator
- As a pentester
- As a WAF author

The presentation will also include "practical" examples, extracted from real-life experience:
- How to handle learning mode
- Learning mode challenges and limits
- Feedback from medium to big websites running naxsi in production

Speakers

Thibault Koechlin

Dedicated to penetration testing and offensive security since 2002, I have performed penetration testing in a huge variety of environments. Over the course of years, we have seen security - both defensive and offensive - change greatly, with a huge focus on web application security. Over the last 3 years, I have as well focused on defensive security, firstly by developing on open-source WAF...


Friday May 22, 2015 15:45 - 16:30
Room E106 & E107 Amsterdam RAI

16:30

Room switch
Friday May 22, 2015 16:30 - 16:40
TBA

16:40

The Software Not The Human Is The Weakest Link
Application security is still seen as one of the side tracks of information security. But given the reality that more or less all software sucks, we are vulnerable to the core. Let's see how basic mistakes lead to huge risks in our daily lives. How can we prevent software from being the weakest link and make the human the weakest link again? Are we telling the story right, and how can the community fix this?

Speakers

Brenno De Winter

Brenno de Winter (1971) is a nerd and investigative journalist. He has shown many failures with information security, privacy protection and governmental projects. In 2011 his ICT-reporting made him Journalist of the Year.


Friday May 22, 2015 16:40 - 17:25
Room Forum Amsterdam RAI

17:25

Closing ceremony
Friday May 22, 2015 17:25 - 17:35
Room Forum Amsterdam RAI