Monday, May 8

09:00

Exploiting Websites by using offensive HTML, SVG, CSS and other Browser-Evil (3 days)
More and more web applications delegate business logic to the client. HTML.next, JavaScript, SVG, Canvas, ES2016 and AngularJS are just some of the terms that describe the modern web stack. But what does the attack surface look like for those? What if there are no GET parameters left for our scanner to tamper with? Classic web pentests are “so nineties” in this realm, and keeping pace with progress is getting harder and harder.

But there is hope. We’ll learn how to attack any web application, whether it relies on unknown legacy features or on the half-baked results coming to your browser from the labs of the W3C, the WHATWG and the ES2016 mailing lists. Whether you want to attack modern web applications or shiny browser extensions, we have that covered.

HTML is a living standard, and so is this workshop. The course material will be provided on-site and via access to a private GitHub repository, so all attendees will receive updated material even months after the actual training.

Trainers
Mario Heiderich

Director, Cure53
Dr.-Ing. Mario Heiderich, handsome heart-breaker, bon-vivant and (as he loves to call himself) “security researcher” is from Berlin, likes everything between lesser- and greater-than and leads a small yet exquisite pen-test company. He commonly pesters peaceful attendees on v...


Monday May 8, 2017 09:00 - Wednesday May 10, 2017 17:00
Lagan A Hilton

09:00

Hands on Web Exploitation with Python (3 days)
This hands-on, three-day class will help students learn Python programming and scripting as it pertains to penetration testing web applications. Day one starts with the very basics of the language and is constructed so that users with little programming experience can quickly gain experience. Day two slowly ramps up into slightly more difficult Python topics and challenges students to write exploits for vulnerabilities present in a custom vulnerable web application. Day three increases the difficulty once again: the morning covers advanced topics in the Python language while students write more advanced exploits for vulnerabilities in the custom vulnerable web application, and the second half of the day has students working in teams to complete a single capture-the-flag challenge. Each member of the winning team will win a prize.

Students:
Students will need to bring a laptop capable of running at least two virtual machines.

VM #1: Kali Linux (used to develop our scripts)
VM #2: Vulnerable VM provided by the trainers one month before the training begins (VirtualBox and VMware OVA files will be available)

Students will need to have both of these virtual machines installed prior to the start of the training. Michael and Fred will not have time to provide support for installing these virtual machines once the training begins.
 

Trainers
Michael Born

Senior Security Consultant, Threat Services, NTT Security (US), Inc.
I enjoy breaking into things more than defending, I love Python, can tolerate Ruby, and am always trying to improve at C and Assembly. My current security testing focus is network penetration testing, application penetration testing, mobile application penetration testing, and so...

Fred Donovan

Application Security Architect | Enjoy discussions on "hacking back" | Friend and brother to many


Monday May 8, 2017 09:00 - Wednesday May 10, 2017 17:00
Glenbank Suite Hilton

09:00

Hands-on Mobile Application Exploitation - iOS & Android (3 days)
Ever wondered how different attacking a mobile application is from attacking a traditional web application? Gone are the days when knowledge of just SQL injection or XSS could help you land a lucrative, high-paying InfoSec job.

After a sold-out class at OWASP AppSec USA 2016, we are bringing an updated version of the course with the latest tools and techniques. This will be an introductory course on exploiting iOS and Android applications, well suited to both beginners and advanced security enthusiasts. The training will be based on exploiting the Damn Vulnerable iOS App, Android-InsecureBankv2 and other real-world application vulnerabilities, in order to give in-depth knowledge of the different kinds of vulnerabilities in mobile applications. After the workshop, students will be able to successfully pentest and secure applications running on both operating systems.

Students will be provided with all the slides, tools and VMs used during the course.

Trainers
Dinesh Shetty

Director of Security Engineering, Security Innovation
Dinesh leads the Mobile Security Testing Center of Excellence at Security Innovation. He has performed innumerable penetration tests on Web, Mobile and VoIP technologies - however his core area of expertise is Mobile and Embedded application pentesting and exploitation. He is an...


Monday May 8, 2017 09:00 - Wednesday May 10, 2017 17:00
Boardroom Suite Hilton

09:00

Secure coding in Java (3 days)
The course provides developers with practical guidance for developing Java programs that are robust and secure. Material in this presentation was derived from the Addison-Wesley book "The CERT Oracle Secure Coding Standard for Java". Participants will acquire a working knowledge of common software vulnerabilities and effective mitigation strategies. In particular, participants will learn how to:

• Explain the need for secure coding
• Follow fundamental secure coding guidelines
• Validate and sanitize data
• Correctly predict numerical behavior
• Avoid pitfalls in the use of characters and strings
• Securely process input and output
• Develop secure classes and methods
• Implement secure exception handling

Moreover, the course encourages programmers to adopt security best practices and develop a security mindset that can help protect software from tomorrow’s attacks, not just today’s.

Trainers
Robert C. Seacord

Principal Security Consultant, NCC Group
Robert C. Seacord is a Principal Security Consultant with NCC Group where he works with software developers and software development organizations to eliminate vulnerabilities resulting from coding errors before they are deployed. Previously, Robert led the secure coding initiat...


Monday May 8, 2017 09:00 - Wednesday May 10, 2017 17:00
Roseband Suite Hilton

09:00

Systematically Breaking and Fixing Single Sign-On (3 days)
Single Sign-On (SSO) has been the target of serious attacks in recent years.
We systematically analyzed different SSO protocols, such as SAML, OpenID, OAuth, and OpenID Connect, and came up with a large range of attacks partially or totally breaking the security of these protocols.

This 3-day training will give an overview of the general SSO authentication concept and present new insights into three widely-used protocols: SAML, OAuth and OpenID Connect.
Participants will get the opportunity to carry out the introduced attacks in a prepared environment. We will additionally show techniques to mitigate the attacks and implement SSO securely.

Contents
- Single Sign-On Basics
- General attacks on Single Sign-On to Service and Identity Providers
- Numerous attacks on SAML, OAuth, and OpenID Connect
- Strengthening Single Sign-On via Token Binding

Requirements
- Laptop with a recent version of VirtualBox

Trainers
Christian Mainka

Security Consultant, Hackmanit GmbH
Christian Mainka is a Security Researcher at the Ruhr University Bochum, Chair for Network and Data Security. Since 2009 he has focused on XML and Web Services technologies, develops his penetration testing tool WS-Attacker and has published several papers in the field of XML sec...

Vladislav Mladenov

Ruhr University Bochum
Vladislav Mladenov is a PhD Student at the Ruhr University Bochum, Chair for Network and Data Security. He is interested in the security of XML-based services. Additionally, he investigates different Single Sign-On protocols like OAuth, OpenID, OpenID Connect and SAML. Other topi...


Monday May 8, 2017 09:00 - Wednesday May 10, 2017 17:00
Lisburn Suite Hilton

18:00

Women in AppSec Networking Session
On Monday 8th May at 6:00 pm in the Waterfront Conference Centre, we will have a group of mentors each give a brief talk about their experience followed by an "unconference" event. During the "unconference" event, we will break into groups to discuss popular technical topics. This will be a fantastic opportunity to engage in mentoring relationships and hear from women in the field. You can sign up for this free event on Meetup.com here: 

Monday May 8, 2017 18:00 - 21:00
Waterfront Center: Room 3
 
Tuesday, May 9

08:45

OWASP Project Summit

We are excited to announce the OWASP Project Summit 2017. OWASP is providing a platform for project leaders on the two full days prior to AppSec Europe 2017. Project Summits are a place for project leaders and contributors to collaborate and to provide feedback to OWASP. The Summit is an open forum for sharing ideas, discussing innovations, gaining project contributors and gathering feedback on projects, with the goal of helping them advance to the next level. Use this opportunity to demo your project to others at the summit, promote it for sponsorship, gain feedback, or simply brainstorm some ideas and add a few features.

Current Projects Participating:

  • OWASP Juice Shop Project
  • OWASP OWTF Project
  • OWASP Embedded Application Security
  • OWASP Podcast
  • OWASP Virtual Village Project
  • OWASP Automated Threats to Web Applications
  • OWASP Node.js Goat Project
  • OWASP Vicnum Project
  • OWASP WebGoat Project
  • OWASP DefectDojo Project

Please use our contact us form with any questions or concerns.

 Contacts at OWASP Foundation: Matt Tesauro and Claudia Aviles Casanovas

 


Moderators
Matt Tesauro

Senior Technical Project Engineer, OWASP Foundation
Matt Tesauro is currently working full-time for the OWASP Foundation, adding automation and awesome to OWASP projects. Previously, he was a founder and CTO of Infinitiv, a Senior Software Security Engineer at Pearson and the Senior Product Security Engineer at Rackspace. He is also an Adjunct Professor for the University of Texas Computer Science department, teaching the next generation of CS students about Application Security. Matt is a broadly experienced information security professional of 15 years, specializing in application and cloud security. He is a former board member of the OWASP Foundation and project lead for OWASP AppSec Pipeline...

Tuesday May 9, 2017 08:45 - 17:45
Waterfront Center: Room 1

09:00

Developer Summit

We are excited to announce the OWASP Developer Summit EU 2017. OWASP is providing a structured platform for Developers two full days prior to the AppSec EU 2017 conference. The Developer Summit will start with a full-day, hands-on developer session followed by two half day sessions geared towards learning about security vulnerabilities.

Come by yourself or grab a couple friends. The Developer Summit is FREE (no charge) for anyone who would like to participate and learn something new.

We just ask that you SIGN UP so we can get a head count to be sure we have enough space and food.

Day 1: Full Day Hands On Session
Date: Tuesday, May 9th 
Time: 9am-5pm (breakfast at 8:45am, lunch at 12:15pm)
Presenter: Johanna Curiel, Vice Chair of the OWASP Board of Directors

Reverse Engineering Android Apps with Bytecodeviewer

Hands-on session description
Two important OWASP Mobile Top 10 risks concern how resistant an application is to reverse engineering and code tampering. In this hands-on session we will go through the process of reverse engineering well-known Android apps (such as Facebook, some banking apps, Twitter etc.), or bring your own app and test it if you want!

Using hands-on techniques you will learn:

  • How to apply the OWASP Mobile Top 10, the Mobile Testing Guide (in progress) and the Android Cheat Sheet to pen testing
  • How attackers actually decompile an APK and tamper with apps by hooking methods using Xposed or Frida, or by changing Smali
  • Techniques to find useful information in highly obfuscated apps
  • How to bypass certificate pinning and root detection
  • What you can do to make your apps harder to reverse engineer
  • How to root a phone. If you have not rooted a phone before, bring one (make sure it is running Android 6.0 or an earlier version)


Requirements:


Trainers

Johanna Curiel

Security Researcher, Banking Sector
https://www.owasp.org/index.php/About_The_Open_Web_Application_Security_Project#Johanna_Curiel_Vice_Chair



Tuesday May 9, 2017 09:00 - 17:00
Waterfront Center: Hall 1B

09:00

OWASP Project Reviews

OWASP is reviewing projects that wish to graduate from Incubator to Lab, or from Lab to Flagship, at this workshop. The purpose of these assessments is to determine whether a project meets the minimum criteria to graduate, as outlined in the Project Health Assessment Criteria Document. The review process begins with an initial self-assessment done by the project leader and reviewed by Matt Tesauro. Next, the assessment enters the peer review phase, where we ask volunteers in the OWASP community to participate and finalize the results. A sample Project Assessment is available to give you an idea of what these look like.

OWASP Project Reviews @ APPSEC Belfast 2017

  • Johanna Curiel (Program Leader)
  • Matt Tesauro (Sr. Project Coordinator)
  • Claudia Aviles Casanovas (Project Coordinator)
  • Azzeddine Ramrami
  • Talal Albach
  • Kuai Hinojosa
  • Nabin Kc

Description of Scope of Work: Additional Information here.

Tool Projects

OWASP Benchmark Project & OWASP Juiceshop Project

Code Projects:

OWASP DefectDojo Project & OWASP Node.js Goat Project

Documentation Projects:

OWASP Automated Threats to Web Applications & OWASP Snakes and Ladders

The newly added OWASP Incubator Project Health Checks will also be covered during this workshop.

 


Moderators
Johanna Curiel

Security Researcher, Banking Sector
https://www.owasp.org/index.php/About_The_Open_Web_Application_Security_Project#Johanna_Curiel_Vice_Chair

Matt Tesauro

Senior Technical Project Engineer, OWASP Foundation
Matt Tesauro is currently working full-time for the OWASP Foundation, adding automation and awesome to OWASP projects. Previously, he was a founder and CTO of Infinitiv, a Senior Software Security Engineer at Pearson and the Senior Product Security Engineer at Rackspace. He is also an Adjunct Professor for the University of Texas Computer Science department, teaching the next generation of CS students about Application Security. Matt is a broadly experienced information security professional of 15 years, specializing in application and cloud security. He is a former board member of the OWASP Foundation and project lead for OWASP AppSec Pipeline...

Tuesday May 9, 2017 09:00 - 17:00
Waterfront Center: Room 1

09:00

University Challenge

The University Challenge is a competition among teams of university students that will be held on the Tuesday and Wednesday of AppSecEU. There is no admission fee for the University Challenge (participation is free). During the University Challenge, teams will solve mission-style security challenges using the Hacking-Lab framework.

The OWASP University Challenge will be limited to 10 teams, where teams consist of 4-8 students, with one team per university. All team openings are on a first-come, first-served basis. All team members must register for the University Challenge via the conference website (registration is free).

Food and beverages are provided during the challenge and all participants will get an OWASP University Challenge t-shirt. The first three winning teams will get some small prizes (to be announced).


Tuesday May 9, 2017 09:00 - 17:00
Waterfront Center: Room 3

09:00

Hands-on Workshop on Security in DevOps (SecDevOps) v2.0 (2 days)
After sold-out workshops at OWASP AppSecUSA 2016 and in California and Bangalore, we45 has trained many professionals in Security in DevOps.
In the Hands-on Security in DevOps (SecDevOps) workshop you will receive training on how to implement scalable and effective security for rapid-release applications. This will be a hardcore hands-on workshop covering, among other things:
* Automated SAST Techniques with CI
* Customized Security Automation Scripting for Continuous Integration – using Selenium
* Specialized Testing tools for REST API Security Testing and integration into CI
* Scripting Instrumented Application Vulnerability Assessments with ZAP and w3af for integration into Jenkins and other CI tools
* Security Practices for Docker Deployments
* Creating Security “Infrastructure as Code” and Validation Scripts
* Deep-dive into Secrets Management for Application Security in DevOps
* Practical Threat Modeling in an Agile and DevOps world

Trainers
Abhay Bhargav

Chief Technology Officer, we45
Abhay Bhargav is the founder and CTO of we45, a focused Information Security Solutions Company. He has extensive experience with Information Security. He has performed security assessments for various enterprises in various domains like banking, software development, retail...


Tuesday May 9, 2017 09:00 - Wednesday May 10, 2017 17:00
Lagan B Hilton

09:00

Smart lockpicking - hands-on exploiting software flaws in IoT (2 days)

There is no doubt that electronic locks are among the most profitable smart devices to attack. And yet recent disclosures of multiple vulnerabilities clearly show that there are not enough specialists able to help the (so far mostly hardware-focused) vendors with software-related issues.

This course is intended to fill that skills gap. Based on hands-on exercises with real devices (we will have fun hacking a dozen different smart locks), you will learn how to analyse their security and how to design them properly. The knowledge then carries over to many other IoT devices.

We will perform wireless sniffing, spoofing, cloning, replay, DoS, authentication and command-injection attacks. Practical exercises will include investigating proprietary network protocols, demystifying and breaking “military grade encryption”, abusing excessive services, triggering fallback-open behaviour, brute-forcing PINs via voice calls and attacking building automation systems.

The software activities will be mixed with short entertaining tricks, including opening a lock with a strong magnet, counterfeiting fingerprints for a biometric sensor and opening a voice-controlled lock by remotely hacking a speaker-enabled device.

Several tasks will involve an electromagnetic lock guarding a special vault full of goods from Poland. Whenever a student succeeds in hacking the lock, the box opens automatically and they can help themselves to something delicious.

Technologies covered will include Bluetooth Smart, embedded Linux, KNX, NFC, Wiegand, WiFi, P2P, GSM...

Each student will receive hardware worth about 100 EUR (detailed below).

 

List of topics:

Bluetooth Smart - based on at least 7 different smart locks and on tools developed by the trainer: the GATTacker BLE MITM proxy and the deliberately vulnerable Hackmelock (consisting of an Android mobile application and a lock device simulated on a Raspberry Pi):
- passive sniffing
- static authentication password
- spoofing
- replay attacks
- command injection
- Denial of Service
- cracking "Latest PKI technology"
- other flaws of custom challenge-response authentication
- abusing excessive services (e.g. the module's default AT-command interface)
- weaknesses of the guest key-sharing functionality
- physical hands-on: opening a lock with a strong magnet which turns the motor inside
- takeaway Hackmelock challenges for practising later at home using the provided hardware

Embedded Linux - based on a wireless door lock, an alarm + home automation system and other devices:
- authentication bypass
- information disclosure
- telnet brute-force
- OS command injection
- switching to WiFi maintenance mode using an external intercom
- introduction to UART interfaces

Proprietary network protocols - based on a fingerprint sensor device, a wireless door lock and an HVAC controller:
- various approaches to analysing proprietary protocols
- step-by-step understanding of packets and attacking the binary remote-management communication of the fingerprint sensor
- sniffing and decoding administrative credentials
- abusing improper session management (authentication bypass)
- P2P communication - how to attack devices hidden behind NAT
- a few case studies of proprietary protocol vulnerabilities identified in financial systems, mobile apps and other devices

KNX home automation - we will have an example installation connected to an electromagnetic lock:
- theory introduction: typical architecture, group address, device address...
- tools: the ETS configuration suite vs open-source knxd, knxmap and nmap scripts
- how to locate and connect to a KNX/IP gateway in the LAN or remotely
- monitor mode - sniffing the bus communication
- writing a command to a group address to open the lock

SMS and DTMF remote control over GSM - based on a remotely controlled alarm system:
- theory introduction to GSM interception
- brute-forcing the alarm's administrative PIN via automated remote SMS and voice calls

NFC/RFID - based on a hotel electronic door lock, a ski lift pass and a bus ticket:
- cloning a contactless card
- brute-forcing IDs

Wiegand - wired access control transmission standard:
- theory introduction
- sniffing the data transmitted from an access control reader using BLEKey
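
What a Wiegand tap actually yields is worth seeing concretely: the reader sends the credential in the clear as pulses on two wires (D0 and D1), with no encryption or authentication, so a device on the line reads facility code and card number directly and can replay the frame. The decoder below is an added example written for this page, not material from the course or from the BLEKey project; it implements the standard 26-bit layout (one leading even-parity bit, 8-bit facility code, 16-bit card number, one trailing odd-parity bit), and the sample capture is constructed.

```python
"""Decode a sniffed 26-bit Wiegand frame (added example; constructed data).

Standard 26-bit layout, bit 1 first on the wire (a pulse on D0 = 0, on D1 = 1):
  bit 1       even parity over bits 2-13
  bits 2-9    8-bit facility code
  bits 10-25  16-bit card number
  bit 26      odd parity over bits 14-25
Nothing is encrypted or authenticated, so a tap on the reader's D0/D1 lines
yields the credential directly and the frame can be replayed unchanged.
Other Wiegand formats (34, 35, 37 bit, Corporate 1000) lay the bits out differently.
"""

# Constructed capture (facility code 23, card number 4567), written the way a
# line sniffer would log the pulses; the spaces only mark the two parity bits.
SAMPLE_CAPTURE = "1 000101110001000111010111 0"


def _even_parity_bit(bits):
    """Bit that makes the total number of 1s (bits plus this bit) even."""
    return "1" if bits.count("1") % 2 else "0"


def _odd_parity_bit(bits):
    """Bit that makes the total number of 1s (bits plus this bit) odd."""
    return "0" if bits.count("1") % 2 else "1"


def wiegand26_encode(facility, card):
    """Build the 26-bit frame a reader would send for (facility, card)."""
    if not 0 <= facility <= 0xFF:
        raise ValueError("facility code must fit in 8 bits")
    if not 0 <= card <= 0xFFFF:
        raise ValueError("card number must fit in 16 bits")
    payload = format(facility, "08b") + format(card, "016b")   # bits 2-25
    return _even_parity_bit(payload[:12]) + payload + _odd_parity_bit(payload[12:])


def wiegand26_decode(capture):
    """Parse a captured bit string; returns {'facility': int, 'card': int}.

    Whitespace from the capture tool is ignored. A frame whose parity bits do
    not check out is rejected: on a real tap that usually means a mis-timed
    pulse or a different Wiegand format rather than a damaged card.
    """
    bits = "".join(c for c in capture if c in "01")
    if len(bits) != 26:
        raise ValueError("expected 26 bits, got %d" % len(bits))
    payload = bits[1:25]
    if bits[0] != _even_parity_bit(payload[:12]):
        raise ValueError("leading even-parity check failed")
    if bits[25] != _odd_parity_bit(payload[12:]):
        raise ValueError("trailing odd-parity check failed")
    return {"facility": int(payload[:8], 2), "card": int(payload[8:], 2)}


if __name__ == "__main__":
    cred = wiegand26_decode(SAMPLE_CAPTURE)
    print("facility=%d card=%d" % (cred["facility"], cred["card"]))
    # The frame an attacker would replay onto the controller's D0/D1 lines:
    print(wiegand26_encode(cred["facility"], cred["card"]))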

 

Moreover, you will also be able to try for yourself to:
- open a smart lock using special strokes of a strong magnet which turns the device's internal motor
- fool a fingerprint biometric sensor - we can make a clone of your own fingerprint during the training
- open a voice-controlled lock by hacking a nearby speaker-enabled device

We will also have several Mirai-vulnerable cameras and DVRs. We will expose them directly to the Internet and watch how long it takes for them to be pwned. Time permitting, we will analyse the attack live.

Who should come?

Pentesters, security professionals, IoT developers, anyone interested - regardless of initial skill level or experience, everybody will learn something new.

What should students bring?
- a contemporary laptop capable of running Kali Linux in a virtual machine
- an Android smartphone newer than 4.3 (if you don't have one, please let us know in advance; a few will be available for students)
- basic familiarity with the Linux command line, Kali and Wireshark
- scripting skills or pentesting experience will be an advantage, but are not crucial

What will be provided?
- course materials as PDFs (several hundred pages)
- all required additional files: source code, documentation, installation binaries...
- a Bluetooth Smart hardware sniffer and development kit based on the nRF51822 module
- 2 Bluetooth Low Energy USB dongles
- a Raspberry Pi 3 with assessment tools and Hackmelock for further hacking at home
- an NFC NXP PN532 board + "magic UID" card, which will allow you to clone the most common Mifare Classic contactless cards


Trainers
Slawomir Jasek

SecuRing
IT security consultant with over 10 years of experience. He participated in many assessments of systems' and applications' security for leading financial companies and public institutions across the world, including a few dozen e-banking systems. He also developed secure embedded...


Tuesday May 9, 2017 09:00 - Wednesday May 10, 2017 17:00
Brookfield Hilton

09:00

Web Application Security Essentials (2 days)
In order to protect your web applications, you need to understand how hackers will attack them. This course combines theory and hands-on practical exercises which will allow participants to learn about common web vulnerabilities such as the ones described in the OWASP Top 10. Participants are given access to a purpose-built web application that contains vulnerabilities discussed during the course and are asked to exploit them using different open source tools and techniques.

Topics covered include:

• Introduction to Web Application Security
• The Security Tester Toolkit
• Critical Areas in Web Applications
• Injection
• Cross Site Scripting (XSS)
• Cross Site Request Forgery (CSRF)
• Broken Authentication and Session Management
• Insecure Direct Object References
• Security Misconfiguration
• Insecure Cryptographic Storage
• Failure to restrict URL Access
• Insufficient Transport Layer Protection
• Unvalidated Redirects and Forwards

Trainers
Fabio Cerullo

Managing Director, Cycubix
Fabio Cerullo has over 15 years of experience in the information security field gained across a diverse range of industries ranging from financial and government institutions to software houses and start-ups. As a member of the OWASP Foundation, Fabio helps individuals and organi...


Tuesday May 9, 2017 09:00 - Wednesday May 10, 2017 17:00
Broadway Suite Hilton

09:00

Whiteboard Hacking aka Hands-on Threat Modeling (2 days)
Toreon proposes a 2-day, trainer-led, on-site threat modeling course. The training material and hands-on workshops with real-life use cases are provided by Toreon. The students will be challenged to perform practical threat modeling in groups of 3 to 4 people, covering the different stages of threat modeling on:
• A hotel booking web and mobile application sharing the same REST backend
• An Internet of Things (IoT) deployment with an on-premise gateway and a secure update service
• An HR services OAuth scenario for mobile and web applications

This edition also introduces a new section on privacy threats and privacy by design, including a hands-on privacy impact assessment of a face recognition system in an airport. Each student will receive a hard copy of the book Threat Modeling: Designing for Security by Adam Shostack (Wiley, 2014).

More details and the outline of the training are available in the attached proposal.

Trainers
Sebastien Deleersnyder

Managing Partner, Toreon
Sebastien Deleersnyder is Co-founder & managing partner application security at Toreon.com. Sebastien has helped various companies improve their ICT-, Web- and Mobile Security, including BNP Paribas Fortis, Atos Worldline, KBC, Nationale Nederlanden (ING), Isabel, Fluxys, OLAF, E...


Tuesday May 9, 2017 09:00 - Wednesday May 10, 2017 17:00
Ewart Suite Hilton
 
Wednesday, May 10
 

08:45

OWASP Project Summit

Day two of the OWASP Project Summit 2017. The description, the list of participating projects and the contacts are given in the Tuesday entry above.


Moderators

Matt Tesauro

Senior Technical Project Engineer, OWASP Foundation

Wednesday May 10, 2017 08:45 - 17:45
Waterfront Center: Room 1

09:00

Developer Summit

Day 2: Half Day Morning Session
Date: Wednesday, May 10th
Time: 9am-1pm (breakfast at 8:45am, lunch at 12:15pm)
Presenter: Spyros Gasteratos 

Automating On-Deploy Security Testing of web applications with ZAP and Jenkins

Hands-on session description

In this workshop we will go through installing and configuring ZAP to work with Jenkins, so that it automatically tests the deployed web application whenever we ask Jenkins to. We will also write an example ZAP plugin to better test specific parts of the example application.

We will go through:

  • Configuring Jenkins to work with ZAP (there’s a plugin; we’ll go through how it works)
  • Configuring the testing harness to work with ZAP
  • Writing ZAP plugins in order to test better
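
This session and the SecDevOps workshop item on scripting ZAP assessments for Jenkins describe the same pattern: a CI job deploys the application, drives ZAP against it and fails the build on findings. The session itself uses the ZAP Jenkins plugin; the script below is an added example, not material from either session, that does the same gate through ZAP's Python API (python-owasp-zap-v2.4) so it can run from any Jenkins shell step. It assumes a ZAP daemon listening on 127.0.0.1:8090 with an API key, and the target URL, the environment variable names and the sample alert list (constructed to resemble core.alerts() output, not taken from a real scan) are all assumptions.

```python
"""Gate a Jenkins build on OWASP ZAP findings (added example; assumptions noted).

Assumed flow, not taken from the session description: a Jenkins stage deploys
the application to TARGET, a ZAP daemon is already running, started with
    zap.sh -daemon -port 8090 -config api.key=<key>
and this script runs as the next shell step. It spiders and actively scans
TARGET through ZAP's REST API, pulls the alerts, and exits non-zero when any
finding at or above the chosen risk level exists, which fails the stage.
"""
import os
import sys
import time

# ZAP's risk labels, lowest to highest, as they appear in core.alerts() output.
RISK_ORDER = ("Informational", "Low", "Medium", "High")

# Constructed sample resembling zap.core.alerts() output (not from a real scan).
SAMPLE_ALERTS = [
    {"pluginId": "40018", "alert": "SQL Injection", "risk": "High",
     "url": "http://localhost:8080/login?user=a"},
    {"pluginId": "40018", "alert": "SQL Injection", "risk": "High",
     "url": "http://localhost:8080/login?user=a"},     # second instance of the same finding
    {"pluginId": "10038", "alert": "Content Security Policy (CSP) Header Not Set",
     "risk": "Medium", "url": "http://localhost:8080/"},
    {"pluginId": "10021", "alert": "X-Content-Type-Options Header Missing",
     "risk": "Low", "url": "http://localhost:8080/"},
]


def evaluate_alerts(alerts, fail_at="High"):
    """Summarise alerts and decide whether the build passes.

    alerts: list of dicts as returned by zap.core.alerts(); only the keys
    pluginId, url, alert and risk are read.
    Returns (passed, counts, blocking): counts maps each risk label to the
    number of distinct (pluginId, url) findings; blocking lists the findings
    at or above fail_at that cause the failure.
    """
    if fail_at not in RISK_ORDER:
        raise ValueError("unknown risk level: %r" % (fail_at,))
    threshold = RISK_ORDER.index(fail_at)
    counts = {risk: 0 for risk in RISK_ORDER}
    blocking = []
    seen = set()
    for a in alerts:
        key = (a.get("pluginId"), a.get("url"))
        if key in seen:             # ZAP reports one alert per instance; count each finding once
            continue
        seen.add(key)
        risk = a.get("risk")
        if risk not in counts:      # unknown label: keep it in the totals rather than drop it
            risk = "Informational"
        counts[risk] += 1
        if RISK_ORDER.index(risk) >= threshold:
            blocking.append("%s [%s] %s" % (a.get("alert"), risk, a.get("url")))
    return (not blocking, counts, blocking)


def _wait_for(status_fn, scan_id, poll_seconds=2):
    """Block until a ZAP spider/active scan reports 100% progress."""
    while int(status_fn(scan_id)) < 100:
        time.sleep(poll_seconds)


def run_scan(target, api_key, proxy="http://127.0.0.1:8090"):
    """Drive a running ZAP daemon through spider + active scan; return its alerts."""
    from zapv2 import ZAPv2     # pip install python-owasp-zap-v2.4 (imported lazily: needs a live ZAP)
    zap = ZAPv2(apikey=api_key, proxies={"http": proxy, "https": proxy})
    zap.urlopen(target)                                  # seed the site tree
    _wait_for(zap.spider.status, zap.spider.scan(target))
    _wait_for(zap.ascan.status, zap.ascan.scan(target))
    return zap.core.alerts(baseurl=target)


if __name__ == "__main__":
    if os.environ.get("ZAP_API_KEY"):
        alerts = run_scan(os.environ.get("TARGET", "http://localhost:8080/"),
                          os.environ["ZAP_API_KEY"])
    else:
        alerts = SAMPLE_ALERTS   # no ZAP configured: demonstrate the gate on the constructed sample
    passed, counts, blocking = evaluate_alerts(alerts, os.environ.get("ZAP_FAIL_AT", "High"))
    print("ZAP findings by risk:", counts)
    for line in blocking:
        print("BLOCKING:", line)
    sys.exit(0 if passed else 1)     # non-zero exit fails the Jenkins stage
```

In a Jenkinsfile this runs as an `sh` step after the deploy stage, with TARGET and ZAP_API_KEY supplied from the job's environment or credentials store; the non-zero exit is what fails the stage. Failing on High only is a workable starting threshold, to be lowered as the baseline of known Medium findings is worked off, and the spider and active scan must only ever be pointed at a test instance, never at production.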


Requirements: <To be announced>





Wednesday May 10, 2017 09:00 - 13:00
Waterfront Center: Hall 1B

09:00

OWASP Project Reviews

OWASP is reviewing projects who wish to graduate from Incubator to Lab to Flagship at this workshop.  The purpose of these assessments is to determine whether a project meets the minimum criteria to graduate as outlined in the Project Health Assessment Criteria Document.  The review process begins with an initial self-assessment done by the project leader and reviewed by Matt Tesauro.  Next, the assessment enters the peer review phase where we ask volunteers in our OWASP Community to participate and finalize the results. Here's a Sample of a Project Assessment to give you an idea what these look like.

OWASP Project Reviews @ APPSEC Belfast 2017

  • Johanna Curiel (Program Leader)
  • Matt Tesauro (Sr. Project Coordinator)
  • Claudia Aviles Casanovas (Project Coordinator)
  • Azzeddine Ramrami
  • Talal Albach
  • Kuai Hinojosa
  • Nabin Kc

Description of Scope of Work: Additional Information here.

Tool Projects

OWASP Benchmark Project & OWASP Juiceshop Project

Code Projects:

OWASP DefectDojo Project & OWASP Node.js Goat Project

Documentation Projects:

OWASP Automated Threats to Web Applications & OWASP Snakes and Ladder

The newly added OWASP Incubator Project Health Checks will also be covered during this workshop.


Moderators

Johanna Curiel

Security Researcher, Banking Sector
https://www.owasp.org/index.php/About_The_Open_Web_Application_Security_Project#Johanna_Curiel_Vice_Chair

Matt Tesauro

Senior Technical Project Engineer, OWASP Foundation
Matt Tesauro is currently working full-time for the OWASP Foundation, adding automation and awesome to OWASP projects. Previously, he was a founder and CTO of Infinitiv, a Senior Software Security Engineer at Pearson and the Senior Product Security Engineer at Rackspace. He is also an Adjunct Professor for the University of Texas Computer Science department, teaching the next generation of CS students about Application Security. Matt is a broadly experienced information security professional of 15 years specializing in application and cloud security. He is a former board member of the OWASP Foundation and project lead for OWASP AppSec Pipeline...

Wednesday May 10, 2017 09:00 - 17:00
Waterfront Center: Room 1

09:00

University Challenge

The University Challenge is a competition among teams comprised of university students that will be held on the Tuesday and Wednesday of AppSecEU. There is no admission fee for the University Challenge (participation is free). During the University Challenge teams will solve mission style security challenges using the Hacking-Lab framework.

The OWASP University Challenge will be limited to 10 teams, where teams consist of 4-8 students, with one team per university. All team openings are on a first come, first served basis. All team members must register for the University Challenge, which will be available on the conference website (though registration is free).

Food and beverages are provided during the challenge and all participants will get an OWASP University Challenge t-shirt. The first three winning teams will get some small prizes (to be announced).


Wednesday May 10, 2017 09:00 - 17:00
Waterfront Center: Room 3

13:00

Developer Summit

We are excited to announce the OWASP Developer Summit EU 2017. OWASP is providing a structured platform for Developers two full days prior to the AppSec EU 2017 conference. The Developer Summit will start with a full-day, hands-on developer session followed by two half day sessions geared towards learning about security vulnerabilities.

Come by yourself or grab a couple friends. The Developer Summit is FREE (no charge) for anyone who would like to participate and learn something new.

We just ask that you SIGN UP so we can get a head count to be sure we have enough space and food.


Day 2: Half Day Afternoon Session
Date: Wednesday, May 10th
Time: 1pm - 5pm
Presenters: Nicole Becher & Mordecai Kraushar

Attacking your web app

There are some great OWASP projects that deal with both methodologies and tools for testing web sites. There may be even more to it! This workshop will give the developer a look at the offensive mindset an attacker has when attacking your web site.

We will go through:

  • Using automated scanning tools against the app
  • Using ZAP we will look at a few things you can do as a proxy
  • Use sqlmap to enumerate and inject into databases
  • How to go after those non-technical app vulnerabilities

Requirements: 

  • On a Virtual Machine a recent copy of Kali
  • On a Virtual Machine a copy of the Broken Web Application Distribution
  • The OWASP Juice Shop project 




Trainers

Mordecai Kraushar

CipherTechs
Mordecai Kraushar is Director of Audit for CipherTechs, a security solutions company based in New York City. He leads an OWASP project called Vicnum (part of the OWASPBWA project), which demonstrates vulnerabilities such as cross-site scripting, SQL injection and session management issues that are helpful to IT security analysts developing web security...



Wednesday May 10, 2017 13:00 - 17:00
Waterfront Center: Hall 1B

17:00

Pre-Conference Reception

AppSecEU is hosting a drinks reception at the conference venue on the Wednesday night, just before the main conference days. Snacks and drinks will be served in the sponsors’ hall, where delegates and sponsors can socialize with the local business community. Delegates holding tickets for the main conference (or training courses) can attend the drinks reception for free. Local business leaders will be invited to extend the reach of the conference to the local business community.



Wednesday May 10, 2017 17:00 - 21:00
Hall 1 C and D

18:15

OWASP Leaders workshop
If you are a Project Leader, Chapter Leader, or interested in becoming one, the Leaders' workshop is for you! You will hear about everything new that is going down at OWASP and be able to participate in a community discussion focused on your needs. At the last Leaders Workshop we discussed OWASP communication strategies, community concerns regarding the leaders' list, and new leaders learned strategies for addressing their most pressing concerns from our more experienced leaders.

Wednesday May 10, 2017 18:15 - 19:30
Waterfront Center: Room 1

Thursday, May 11


07:30

Women in AppSec Mentoring Breakfast
Join us at our pre-conference WiA breakfast in the Waterfront Conference Centre at 7:30 am on Thursday 11th May. A light breakfast will be provided for table discussions on various topics. This will also be a second opportunity to chat with anyone you didn't get to during the Monday evening event. Details to register for this event will be available soon; it will also be free to attend.

Thursday May 11, 2017 07:30 - 08:30
Waterfront Center: Exhibition Hall

09:00

Allstars Opening Note

Allstars 2017 is delivering in one full day what’s known to be the finest, hand-selected talks from prolific speakers and top-tier researchers in the field of information security.

You can think of Allstars 2017 as a conference inside a conference - offering you one day with the most interesting influencers in today’s web application & general IT (in-)security. Allstars 2017 is a dedicated invited-speakers track at the OWASP AppSec EU 2017 conference.

Allstars 2017 itself is free. You only need to have a ticket for the OWASP conference to get in.

We recommend all attendees to have a really good breakfast on 11th. Don’t “allstar” on an empty belly.


Trainers

Mario Heiderich

Director, Cure53
Dr.-Ing. Mario Heiderich, handsome heart-breaker, bon-vivant and (as he loves to call himself) “security researcher” is from Berlin, likes everything between lesser- and greater-than and leads a small yet exquisite pen-test company. He commonly pesters peaceful attendees on v...


Thursday May 11, 2017 09:00 - 09:10
Waterfront Center: Room 3

09:00

Conference Opening Address
Speakers

Gary Robinson

European Board Member and AppSec EU Conference Chair, OWASP


Thursday May 11, 2017 09:00 - 09:10
Waterfront Center: Hall 1A

09:00

Exhibit
Thursday May 11, 2017 09:00 - 18:00
Waterfront Center: Exhibition Hall

09:15

My Sweet Innocence Exposed - Eleven Reasons why we will all miss you, "e"
This talk will briefly cover eleven weird and often unexpected technologies and features that are embedded in MSIE. Technologies that are relevant for penetration testers, for security researchers or simply for people who enjoy crazy browser behaviors. This talk has no other mission than to be bizarrely entertaining. Lean back, buckle up and enjoy.

Trainers

Mario Heiderich

Director, Cure53
Dr.-Ing. Mario Heiderich, handsome heart-breaker, bon-vivant and (as he loves to call himself) “security researcher” is from Berlin, likes everything between lesser- and greater-than and leads a small yet exquisite pen-test company. He commonly pesters peaceful attendees on v...


Thursday May 11, 2017 09:15 - 09:45
Waterfront Center: Room 3

09:15

Keynote: Shannon Lietz. The Gift of Feedback
Are you frustrated with developer response to the OWASP Top 10?  Do you find yourself begging for security defects to get proper attention?  Do you feel like you are in the loop on how software is getting built or surprised by what you are finding?  Is there really any wonder that attackers are finding easy opportunities for malicious fame or gain?  Is it possible that most everything we believe about how we endeavor to secure workloads is simply wrong?  With the current migration of everything to code, complexity is increasing and so are opportunities to make mistakes.  Because of this trend, it is essential that we re-evaluate how to implement security by pushing it as far to the left as possible and accelerating outcomes by making security consumable.  Come hear how to engage in next generation security by leveraging the gift of feedback.

Speakers

Shannon Lietz

DevSecOps Lead, Intuit
Shannon Lietz is an award winning innovator with over two decades of experience pursuing advanced security defenses and next generation security solutions. Ms. Lietz is currently the DevSecOps Leader for Intuit where she is responsible for setting and driving the company’s cloud security strategy, roadmap and implementation in support of corporate...


Thursday May 11, 2017 09:15 - 10:00
Waterfront Center: Hall 1A

10:00

CTF
Capture The Flag (CtF), solving hacking challenges.


Thursday May 11, 2017 10:00 - 15:00
CTF Room

10:00

Member Lounge
OWASP Members Lounge at AppSec EU 2017

Thursday, May 11th 10am-5pm &
Friday, May 12th 10am-3pm

Looking for a place to recharge?  
Feeling a bit hungry or thirsty?  
Maybe you are looking for an OWASP t-shirt?
Or just looking to take a break from the hectic conference atmosphere? 

Head on over to the Members Lounge located in Waterfront Center Hall 1A

Here you can grab a snack, quench your thirst, recharge your electronics, kick up your feet, and network with other OWASP members all within a relaxed atmosphere.

Not an OWASP Member?  No problem!  Swing on over to the lounge, and you can sign up on the spot!

Look for the signs or ask a volunteer how to find us!


Thursday May 11, 2017 10:00 - 17:00
Waterfront Center: Hall 1A

10:05

Phishing your way through Two-Factor Authentication
If you do Phishing attacks on a regular basis, you will end up using a framework or scripts to automate some of the tedious parts. You have your preferred web stack for phishing pages, your custom SMTP delivery system (with SPF/DKIM enabled AND good reputation – of course), your custom payloads, and you need to maintain all of that while evolving it at the same time. PhishLulz is an open source bundle of PhishingFrenzy, BeEF and other custom tools tailored to the fisherman. Multiple real-life engagements done with PhishLulz will be discussed, including automated functionality to concurrently grep and extrude content from OWA and Outlook 365 webmails using different credentials. You will also discover how Two-Factor Authentication is effective mostly via ‘security by obscurity’, as in when the attacker has zero knowledge about the presence and implementation of the 2FA solution. By fingerprinting in advance the 2FA solution, and having ready phishing templates to steal the second factor tokens, you will see how trivial bypassing 2FA can become. Expect demos on real applications protected by 2FA via SMS/Hardware/Software-based tokens (Opsec here until you come to the talk :-).

Speakers

Michele Orrú

Antisnatchor is the lead core developer and smart-minds-recruiter for the BeEF project. Michele is also the co-author of the “Browser Hacker’s Handbook”. He has a deep knowledge of programming in multiple languages and paradigms, and is excited to apply this knowledge while reading and hacking code written by others. Michele loves lateral thinking, s/fishing/phishing/, black metal, and the communist utopia (however, there is no hope). He also enjoys speaking and drinking at a multitude of hacking conferences, including CONFidence, DeepSec, InsomniHack, Hacktivity, SecurityByte, AthCon, HackPra AllStars, ZeroNights, OWASP AppSec USA, 44Con, EUSecWest, Ruxcon, KiwiCon, PXE, BlackHat. Besides having a grim passion for hacking and programming, he enjoys leaving his Mac alone, while s/phishing/fishing/ in the sea and hoping for...


Thursday May 11, 2017 10:05 - 10:50
Waterfront Center: Room 3

10:20

What is a DevSecOps Engineer? - Helen Beal (UK)
In DevOps we don’t like job titles, so why are we talking about this thing called a DevSecOps Engineer? What does a DevSecOps Engineer do? What skills do they have? What are their responsibilities and goals? If you are a security professional, how do you evolve into this role, and most importantly, why would you want to? In this talk, Helen will explore the provenance of this term, its definitions and how to train and certify as a DevSecOps Engineer.

Speakers

Helen Beal

Helen has 20 years’ experience working in the technology industry with a focus on the Software Development and Delivery Lifecycle for a wealth of cross industry clients in the UK and abroad. Helen is passionate about DevOps and is the creator of the Ranger4 DevOps LiftOff Workshop and the Ranger4 DevOps Maturity Assessment - winner of the IBM Beacon Award 2015 for Outstanding DevOps Solution. She also started...


Thursday May 11, 2017 10:20 - 10:45
Waterfront Center: Hall 2A

10:20

Boosting the security of your Angular application
Angular is one of the most popular frameworks, and there is a lot of information available on building applications, improving performance, and various other topics. But do you know how to make your Angular applications secure? What kind of security features does Angular offer you, and which additional steps can you take to really boost the security of your applications?
In this session, you will learn how the paradigm shift from server-side to client-side applications impacts security. We will discuss script-based threats against Angular applications, and the concrete defenses Angular offers to prevent or minimize these attacks. Additionally, we will dig into various session management problems in combination with Angular. We investigate topics such as Cross-Site Request Forgery (CSRF), cookie flags, Authorization headers and JWT tokens.
After attending this talk, you will have a good understanding of various security threats against your Angular applications. In addition, you will have concrete knowledge on how to use the latest security technologies to effectively secure your Angular applications against these threats.

Speakers

Philippe De Ryck

Web Security Expert, KU Leuven
Philippe De Ryck is a professional speaker and trainer on software security and web security. Since he obtained his PhD at the imec-DistriNet research group (KU Leuven, Belgium), he has been running the group's Web Security Training program, which ensures a sustainable knowledge...


Thursday May 11, 2017 10:20 - 10:55
Waterfront Center: Hall 1A

10:20

Embedding GDPR into the SDLC
We will map the GDPR requirements to the typical software security activities as part of a Secure Development Lifecycle. This will cover:
• How to include the DPO as part of the software security governance?
• Providing privacy awareness training to developers
• Including privacy in secure coding guidelines
• Including a Privacy Impact Analysis as part of software risk analysis.
• Mapping the GDPR to software security requirements
• Applying privacy by design on software architecture
• Including privacy threats in software threat modeling
• Including a privacy security checklist as part of software security testing
• Applying GDPR specific breach notification requirements on the vulnerability and incident management processes
The talk will focus on practical implementation aspects and demonstrations of real life use cases encountered in our software security and privacy projects.

Speakers

Sebastien Deleersnyder

Managing Partner, Toreon
Sebastien Deleersnyder is Co-founder & managing partner application security at Toreon.com. Sebastien has helped various companies improve their ICT-, Web- and Mobile Security, including BNP Paribas Fortis, Atos Worldline, KBC, Nationale Nederlanden (ING), Isabel, Fluxys, OLAF, E...

Siebe De Roovere

Siebe De Roovere is a senior governance, risk, compliance (GRC) expert with a focus on privacy and information security. Within his career he has collaborated on a wide range of privacy & security consultancy missions ranging from conducting privacy research for the European Commission over implementing privacy...


Thursday May 11, 2017 10:20 - 11:05
Waterfront Center: Hall 2B

10:20

Making Vulnerability Management Suck Less with the new OWASP Project, DefectDojo
In 2013, a security engineer at Rackspace stupidly opened his mouth in front of his leadership team and DefectDojo was created. No one really enjoys vulnerability management. It is tedious, time consuming, and mentally draining. DefectDojo attempts to streamline vulnerability management by offering templating, report generation, metrics, scanner deduplication, and baseline self-service tools. DefectDojo is currently used by multiple large enterprises and has core contributors from five different companies. It has made several engineers' lives much easier, and it can help you too. Got a ton of findings to dedupe and report on? DefectDojo has you covered. Need to have a dashboard of your team’s work? DefectDojo has you covered. Tired of boilerplate report generation? DefectDojo does that for you. Come check out how to make vulnerability management less painful and speed up your appsec program in this talk with demo.

Speakers

Greg Anderson

Senior Security Engineer, Pearson
Greg Anderson is a security professional with diverse experience ranging from vulnerability assessments to intrusion detection and root cause analysis. Greg’s recent work has focused on advanced security automation to get the most out of application security programs...


Thursday May 11, 2017 10:20 - 11:05
Waterfront Center: Hall 1B

10:45

Security and the Self-Contained Unit of Software - Gareth Rushgrove (UK)
Containers, microservices, the 12 factor app methodology, unikernels; all of these are examples of a theme in modern development towards both smaller and more self-contained components. These patterns stretch to breaking point the idea that an edge firewall or well-configured application server can address all of your security challenges.

What does this mean for application security? How can existing security tools take advantage of these self-contained applications? Most importantly, what security features or functionality can we move from the infrastructure to being part of this new unit of software?

In this talk we’ll discuss:

* The advantages and disadvantages of the application as a black box
* Ways of asking questions and aggregating information from across your new distributed system
* Examples of other operational concerns moving from the infrastructure to the application, for instance with metrics and application health information
* The importance of relating build-time and runtime data to fully understand the state of your system

Speakers

Gareth Rushgrove

Gareth Rushgrove is a senior software engineer at Puppet Labs. He works remotely from Cambridge, UK, building interesting tools for people to better manage infrastructure. Previously he worked for the UK Government Digital Service focused on infrastructure, operations and inform...


Thursday May 11, 2017 10:45 - 11:10
Waterfront Center: Hall 2A

11:35

Bot or Not? - Mitigating Automated Threats to Web Applications
One of the prevalent threats for web applications are automated attacks. These range from the well-known scenario where an attacker tries to brute force password-protected login forms to sophisticated bots that try to silently but automatically harvest potentially sensitive information. Various technologies try to mitigate the threat posed by automated attacks. Some applications employ CAPTCHAs, others try to block requests from the attacker’s IP address. However, these anti-automation techniques usually suffer from side effects - many just impairing the user experience while some even tend to lock out a number of users mistakenly. This talk provides an overview of available anti-automation concepts and discusses advantages and shortcomings of each approach. Based on these characteristics, it gives recommendations about suitable areas of application for each concept and takes a long view on the applicability of today's best practices.

Speakers

Bastian Braun

Bastian works as a Senior Consultant IT Security at mgm security partners. He supports development teams to integrate security at an early stage, gives seminars for developers, project leads, decision makers, and penetration testers, and does analyses and case studies for custome...


Thursday May 11, 2017 11:35 - 11:50
Waterfront Center: Lightning Room

11:35

I am not a Robot: Job Security in a DevSecOps World - Correy Voo (UK)
The automation of tech and non-tech jobs is hitting the news on a daily basis. IT and application security is no exception, and there are concerns over job security around automation. While there exists a dearth of skilled professionals in the SecDevOps space, the countervailing force of fear over job security can be an organizational hurdle to organizational change.

This talk will explore transitioning individuals' understanding of their own "security value" from being a point of control and decision making to a business value creator regarding security and compliance. This talk is geared toward engineering professionals who would like ways of elevating the conversation from security technical controls to security business value.

Thursday May 11, 2017 11:35 - 12:00
Waterfront Center: Hall 2A

11:35

Wicked malware persistence methods
Most malware types need to carry on their mission for as long as possible. That's why successfully entering the system is not enough - they also need to ensure being redeployed on each system startup. Most authors rely on classic and well-documented methods of persistence, such as Run/RunOnce registry keys, a link in the Startup folder, via task scheduler etc. Those methods are very easy to implement, but also easy to detect. That's why, from time to time, we can encounter some creative alternatives that make the job of a malware analyst harder. Some of them are simple, based on just one trick, while others are multilayered and completely wicked. This talk will be a walk through some of them - touching also new trends, such as "fileless malware" and malware making use of legitimate applications.

Speakers

Hasherezade

Master in Computer Science. From the teenage years passionate in programming and reverse engineering. Actively taking part in the life of the InfoSec community by publishing open source applications and blogging about malware analysis. Currently works as a malware intelligence analys...


Thursday May 11, 2017 11:35 - 12:15
Waterfront Center: Room 3

11:35

Threat Modeling w/ PASTA - Risk Centric Application Threat Modeling Case Studies
Developers need prescriptive guidance on preemptive design and coding techniques. This can be done blindly or in alignment with both application use cases and the context of abuse cases or threats. This talk will speak to case studies in risk centric threat modeling using the PASTA (Process for Attack Simulation & Threat Analysis) methodology and provide 3 use cases of IoT, E-Commerce, and Mobile Applications.

This talk will assume that a basic understanding of data flow diagramming, pen testing, security architecture, and threat analytics is understood by the audience. This talk also centers around the idea of modeling threats for applications based upon a higher propensity of threat intelligence, how to harvest and correlate threat patterns to your threat model and also how to correlate a threat model to defining preemptive controls and countermeasures to include in the overall design.

Speakers

Tony UcedaVelez

CEO/ Owner, VerSprite
Tony UcedaVélez is CEO at VerSprite, an Atlanta based security services firm assisting global multi-national corporations on various areas of cyber security, secure software development, threat modeling, application security, security governance, and security risk management. To...


Thursday May 11, 2017 11:35 - 12:20
Waterfront Center: Hall 2B

11:35

Don’t Get Caught Em-bed: Finding and Preventing Vulns at its Lowest Level
It's no secret that embedded systems surround and control our daily lives. Embedded device and system manufacturers have long prioritized code quality and/or user experience over application security. As devices become more interconnected with each other, it is becoming apparent that change is needed throughout the industry. Utilizing millions of vulnerable embedded devices, we have witnessed some of the world's largest DDoS attacks in 2016 as a result of neglecting fundamental secure coding principles. Join me as we discuss common embedded application security threats, employing proactive controls, and best practices.

Speakers

Aaron Guzman

Principal Security Consultant, SecureWorks
Aaron Guzman is a Principal Security Consultant from the Los Angeles area with expertise in web application security, mobile application security, and embedded security. He has previously worked with established tech companies such as Belkin, Linksys, Symantec and Dell, breaking...


Thursday May 11, 2017 11:35 - 12:20
Waterfront Center: Hall 1B

11:35

Don’t trust the DOM: Bypassing XSS mitigations via Script gadgets
Over the years many techniques have been introduced to prevent or mitigate XSS. Most of these techniques, such as HTML sanitizers or CSP, focus on script tags and event handlers. In this talk, we present a novel Web hacking technique that enables an attacker to bypass these mitigations. In order to do so, the attacker abuses so-called script gadgets. A gadget is a legitimate piece of JS in a page that reads elements via selectors and processes them in a way that results in script execution. To abuse a gadget, the attacker injects benign elements that match the gadget’s selector. Subsequently, the gadget selects the elements and executes the attacker's scripts. As the attacker's markup is benign, it passes HTML sanitizers and security policies. The XSS only surfaces when the gadget mistakenly elevates the privileges of the element. Based on real-world examples, we will demonstrate that these gadgets are present in almost all modern JavaScript libraries, APIs and applications.

Speakers

Sebastian Lekies

Sebastian Lekies is a Senior Software Engineer at Google and a PhD Student at the Ruhr-University Bochum. His research interests include client-side Web application security and Web application security scanning. At Google, Sebastian is part of the Security Test Engineering team...


Thursday May 11, 2017 11:35 - 12:20
Waterfront Center: Hall 1A

12:05

Improving the security of Software Defined Infrastructures - Theodoor Scholte (Netherlands)
Configuration management tools such as Puppet or Chef have become increasingly popular as many organizations shifted towards a Software Defined Infrastructure (SDI). These tools allow system administrators to express the infrastructure in source code once and deploy it multiple times. While configuration management tools offer many advantages in terms of a single point of maintenance, (security) testing and the ability to perform security audits, they are also an attractive target for attackers, as they can be used to gain control of the full software stack.

In this talk, we present the lessons learned of security reviews on real-world SDI deployments. First, we give an overview of a typical SDI deployment. Second, we explain the attack surface and threats of the SDI deployment. Third, we present how we identified vulnerabilities in this SDI deployment using source code analysis techniques. We conclude with an explanation on how to remediate these vulnerabilities.

Speakers

Theodoor Scholte

Theodoor Scholte is a software security consultant at SIG with more than 8 years of experience in software security. In this role, his work ranges from establishing application security programs to conducting manual secure code and design reviews assisted by security tools. Being part of...


Thursday May 11, 2017 12:05 - 12:35
Waterfront Center: Hall 2A

12:25

Creating a buzz: Tales of building WordPress Honeypots at Scale
A very short talk on my MSc Cyber Security dissertation on "A Dynamic, Cloud-Based, Homogeneous Honeypot Management Framework Utilising Container Technology". The talk will describe the nature of the project, and the challenges of honeypots, culminating in the creation of a dynamic and scalable data-gathering framework based around the popular CMS: WordPress. I'll also describe how I (completely accidentally) created a surveillance honeypot to track unsavoury individuals online.

Speakers

Claire Burn

Claire Burn is a recent graduate of Queen's University Belfast with a BEng in Computer Science and an MSc in Cyber Security. She currently works at Titan-IC, a startup company specialising in high performance Regex matching on hardware for Cyber Security analytics. A big advocate for diversity in the tech industry, she is the Youth Outreach Leader and a City Lead for Women Who Code Belfast, and founded and organised the Google...


Thursday May 11, 2017 12:25 - 12:40
Waterfront Center: Lightning Room

12:25

The Flaws in Hordes, The Security in Crowds
The crowdsourced security model has been embraced by organizations running bug bounty programs. These programs are intended to discover and resolve vulns in production applications, but too often they deviate from an effective part of the security development lifecycle into a source of noise. This presentation questions what role such programs have in improving security and the pitfalls they pose for security budgets. It covers strategies for keeping a program focused on positive, risk-based contributions to development and avoiding the traps that make it a distraction.

The presentation also explores what the emergence of bounty programs implies about trends in appsec automation and where major gaps remain. Tools must remain part of any crowdsourced security model. From budgeting to communications, there are more challenges to building a useful appsec program than just determining whether a bug exists.

Speakers

Mike Shema

VP SecOps & Research, Cobalt.io
Mike Shema is VP of SecOps and Research at Cobalt.io, where he organizes crowdsourced pen tests. Mike's experience with information security includes managing product security teams, building web application scanners, and consulting across a range of infosec topics. He's shared t...


Thursday May 11, 2017 12:25 - 13:10
Waterfront Center: Hall 2B

12:25

So we broke all CSPs... You won't guess what happened next!
Last year we proved that the whitelist-based approach of Content Security Policy (CSP) is flawed and proposed an alternative based on 'strict-dynamic' in combination with nonces or hashes.

In our academic paper (CSP Is Dead, Long Live CSP! On the Insecurity of Whitelists and the Future of Content Security Policy, ACM CCS, 2016), we demonstrated, using automatic checks, that 94.72% of all real-world policies can be trivially bypassed by an attacker with an XSS bug, and 75.81% are bypassable due to whitelists.

Thanks to the new 'strict-dynamic' approach, we were finally able to deploy an effective policy to many important Google products, such as GMail, Photos, and others. In this presentation we would like to share our experience, show examples, best practices and common pitfalls.

Finally, we share how we are addressing the recent bypasses of nonce-based policies, such as nonce exfiltration/reuse techniques and dangling markup attacks.

Speakers

Michele Spagnuolo

Senior Information Security Engineer, Google
Senior Information Security Engineer at Google Switzerland, Michele is a security researcher focused on web application security, and the Rosetta Flash guy. He is also author of BitIodine, a tool for extracting intelligence from the Bitcoin network.


Thursday May 11, 2017 12:25 - 13:10
Waterfront Center: Hall 1B

12:25

The Key Under the Doormat: Design Flaws and Vulnerabilities in Android Password Manager Applications
What is the reality of password manager applications on Android mobile devices? Can users really be sure that their secrets are stored in a secure way, even if their device gets lost or stolen? Considering this “lost device” scenario we analyzed 15 of the most popular Android password manager apps based on download count.

In our analyses, we tested the apps’ resistance against attempts to extract the user’s stored secrets and we tried to assess how hard it would be for an attacker to steal the stored secrets.

Assuming the correctness of the Android crypto API implementation, developers can still introduce conceptual flaws when using encryption. This can lead to serious vulnerabilities inside the apps.

In this talk we will present the most common implementation pitfalls and design failures. We will show that a faulty concept will break the confidentiality even without root privileges. Furthermore, we explain countermeasures and best practice approaches to avoid these vulnerabilities.

Speakers

Steven Arzt

Steven is currently a researcher at the Fraunhofer Institute for Secure Information Technology (SIT) in Darmstadt. He has received a PhD, a master’s degree in computer science, and a master’s degree in IT Security from Technische Universität Darm...

Stephan Huber

Stephan Huber is a security researcher at the Testlab Mobile Security group at the Fraunhofer Institute for Secure Information Technology (SIT). His main focus is Android application security testing and developing new static and dynamic analysis t...


Thursday May 11, 2017 12:25 - 13:10
Waterfront Center: Hall 1A

12:40

An SDLC for the DevSecOps Era - Zane Lackey (USA)
The standard approaches for web application security over the last decade and beyond have focused heavily on slow gatekeeping controls like static analysis and dynamic scanning. However, these controls were originally designed in a world of Waterfall development, and their heavyweight nature often causes more problems than it solves in today’s world of agile, DevOps, and CI/CD.

This talk will share practical lessons learned on the most effective application security techniques in today's increasingly rapid world of application creation and delivery. Specifically, it will cover how to:
  1. Adapt traditionally heavyweight controls like static analysis and dynamic scanning to lightweight efforts that work in modern development and deployment practices
  2. Obtain visibility to enable, rather than hinder, development and DevOps teams' ability to iterate quickly
  3. Measure the maturity of your organization's security efforts in a non-theoretical way

Speakers

Zane Lackey

Zane Lackey is the Co-Founder/CSO at Signal Sciences and serves on the Advisory Boards of the Internet Bug Bounty Program and the US State Department-backed Open Technology Fund. Prior to Signal Sciences, Zane was the Director of Security Engineering at Etsy and a Senior Security Consultant at iSEC Partners. He has been featured in notable media outlets such as the BBC, Associated Press, Forbes, Wired, CNET, Network World, and SC Magazine. A frequent speaker at top industry conferences, he has presented at BlackHat, RSA, USENIX, Velocity, Microsoft BlueHat, SANS, OWASP, QCon, and has given invited lectures at Facebook, Goldman Sachs, IBM, and the Federal Trade Commission. He is a contributing author...


Thursday May 11, 2017 12:40 - 13:10
Waterfront Center: Hall 2A

13:10

Lunch
Thursday May 11, 2017 13:10 - 14:10
Waterfront Center: Exhibition Hall

14:10

Is Software Eating Security? How disruption has hit Security & how to survive the "tidal forces".
Secure development, Public Cloud and "agile transformation"/disruption are going to hit Security hard. Inspired by Rich Mogull's recent "Tidal Forces" work, this is a commentary from a seasoned software developer/architect on how the current disruption tearing the software industry apart will change security as we know it. A think piece on how traditional security cannot operate with new development (with real war stories) and how security can evolve to partner with dev and the business. Some thoughts on the skills required by the new cross-functional team (including infoSec) and finally some principles on how to move fast in the Public Cloud, with Security.

Speakers

Dave Anderson

As Director of Technology with Liberty IT, working on many Liberty Mutual key systems, David has exposure to a wide range of technologies and techniques covering Architecture, UX, Dev, Test, DevOps, Analytics & Cyber-Security. A life-long programmer, David brings deep technical k...


Thursday May 11, 2017 14:10 - 14:25
Waterfront Center: Lightning Room

14:10

Requirements Gathering for Successful DevSecOps Pipeline - Aaron Volkman and Hasan Yasar (USA)
Secure coding and verification practices within the software development lifecycle are paramount to producing secure software. Every team has unique requirements, motivations, and technologies requiring preparation and iteration to achieve DevOps nirvana. We must consider and shape our organization’s security policy, development platform, application technical stack, cross-team involvement, and most importantly secure software practices.

The key questions are:
  • How to assess the current state?
  • Where are the productivity bottlenecks?
  • Whom to train on what?
  • What and how to measure?
  • Finally, how to monitor?
Orgs leveraging a custom, integrated development pipeline can increase security assurance along with other quality attributes such as quality, performance, and regulatory compliance. In this session, we will share our considerations and approach to discovering the proper requirements for a security-first automated development pipeline implementation in your organization.

Speakers

Aaron Volkman

Aaron Volkmann is a developer and DevOps researcher at Carnegie Mellon University's Software Engineering Institute / CERT division specializing in product and research-driven development. He teaches DevOps workshops and helps government software shops adopt DevOps principles. ...

Hasan Yasar

Hasan Yasar is the technical manager of the Secure Lifecycle Solutions group in the CERT Division of the Software Engineering Institute, CMU. Hasan leads an engineering group on software development processes and methodologies, specifically on DevOps and development; and cloud technologies, and big data problems while providing expertise...


Thursday May 11, 2017 14:10 - 14:50
Waterfront Center: Hall 2A

14:10

PDF - A file format that never stops giving
PDF is a well-known file format in the world of computers and even mobile phones. This talk focuses on PDF features in the context of the World Wide Web. As soon as a PDF is opened in a web browser, the rules and security implications change. The talk discusses the different PDF viewers, their supported features and the implications for web security. This includes PDF viewers which are used by modern web browsers. Additionally, an overview of classic and reoccurring vulnerabilities in PDF viewers will be shown.

Speakers

Alex Inführ

As a Senior Penetration Tester with Cure53, Alex is an expert on browser security and PDF security. His cardinal skillset relates to spotting and abusing ways for uncommon script execution in MSIE, Firefox and Chrome. Alex’s additional research foci revolve around SVG security and A...


Thursday May 11, 2017 14:10 - 14:55
Waterfront Center: Room 3

14:10

The Dark Side of Search Engines Optimizations Campaigns
Search engine optimization (SEO) is a technique used by web site owners in order to improve visibility and traffic to their web site.

The presentation shows what happens when threat actors get into the world of SEO campaigns and abuse SEO optimization techniques in order to promote their favorite web sites. Moreover, we will present how those threat actors add to the arsenal of optimization techniques all kinds of web attack techniques such as: SQL injection, content spamming and open redirects, in order to manipulate search engine ranking.
We will also try to evaluate whether those SEO campaigns achieved their goal by measuring the promoted web sites in terms of traffic ranking, level of users’ engagement and traffic sources.

Finally, we will try to determine why such SEO campaigns were successful and suggest possible solutions that would help with detecting and mitigating future SEO campaigns.

Speakers

Or Katz

Principal Lead, Security Researcher, Akamai
Security research veteran, serves as principal lead security researcher for Akamai's Enterprise Security BU. Always excited to speak at security conferences, to share my research and thoughts. High school teacher one day a week.


Thursday May 11, 2017 14:10 - 14:55
Waterfront Center: Hall 2B

14:10

Become a "Capture the Flag" Star: Part 1
In the world of application security a 'Capture the Flag' event is a competition where contestants race to complete hacking challenges. A server is set up that is knowingly vulnerable, and teams try to hack the system as quickly as they can and 'grab the flag' first.

In Part 1 of this session we introduce everyone to the world of 'Capture the Flag' (CtF) competitions, how to hack the server and complete the challenges, and some other skills.  In Part 2, everyone will get their laptops out and compete in a real CtF competition.

Speakers

Nanne Baars

Nanne works as a security consultant & developer at Xebia Group and is one of the primary developers of WebGoat.

Jason White

Jason worked on web apps as a full-stack developer for over 15 years (spending some of his time breaking them too). He now works full-time as an application security consultant with AsTech. Jason has been contributing to OWASP & WebGoat since 2014.


Thursday May 11, 2017 14:10 - 14:55
Waterfront Center: Hall 1B

14:10

OWASP Juice Shop: Achieving sustainability for open source projects
OWASP Juice Shop is a "shooting star" among broken web applications. To make sure it does not end as a "one-hit wonder", the project embraces principles and techniques that enhance its sustainability, e.g. Clean Code, TDD, CI/CD, Quality Metrics and Mutation Testing.

In this session you will see how
- even a horrible language such as Javascript can be written in a maintainable manner
- a complete and reliable test suite eliminates the "fear of change"
- automation is a key to increased productivity - even for small open source projects
- free-for-open-source SaaS tools can improve your development process

Where is light, there is shadow! You will also learn
- about some limitations in the automation processes
- the pain of keeping Javascript dependencies up to date
- why some 3rd party services had to be dropped

If the Internet gods are with us, we will even perform a production release of OWASP Juice Shop during the session!

Speakers

Björn Kimminich

IT Architect / AppSec Officer, Kühne + Nagel (AG & Co.) KG
Björn is the inventor and Project Leader of OWASP Juice Shop. Translating "dump" or "useless outfit" into German yields "Saftladen" which can be reverse-translated word by word into "juice shop". Hence the project name. That the initials "JS" match with those of "Javascript" was...


Thursday May 11, 2017 14:10 - 14:55
Waterfront Center: Hall 1A

14:55

Integrating Security in Agile Projects - Elena Kravchenko and Efrat Wasserman (Israel)
A fully implemented SDLC program is often represented as heavy, time-consuming and not suitable to Agile development methodology.

We’d like to break the myth and show how a very comprehensive security program, managed by a dedicated security office and development Project Manager, can be successfully integrated into an agile development project, using a real case example.
We’ll briefly describe the main challenges, and the techniques and procedures that help to overcome them.

We’ll present the Security Lifecycle Management Framework developed and used by us over the last 3 years, and describe how it was integrated into the development of a new, SaaS-based, fully agile product, with emphasis on the main activities and roles. Based on the real use case, we will give practical tips for development organizations in which security is a fundamental value.

Speakers

Elena Kravchenko

Application Security Lead / HPE Master Level Architect, HPE Software
Elena represents the Security side of the project and brings vast experience in both development and security areas. She is responsible for a department developing 12 products (~400 developers). HPE Software Security Lead for HPE’s Application Delivery Management (ADM) Busin...

Efrat Wasserman

Senior Program Manager, Intel
Efrat represents the development team side as a Senior Program Manager, responsible for the lifecycle of “Storm Runner Load” - the cloud based product developed according to Agile methodology. Efrat brings deep knowledge and experience in both software development and project management. This specific RND group consists of 5 development teams (50...


Thursday May 11, 2017 14:55 - 15:35
Waterfront Center: Hall 2A

15:00

CSP Pitfalls and Gotchas
Content Security Policy is one of the most complicated and powerful security layers, helping to detect and mitigate data injection attacks such as XSS. Despite its power and support by all modern browsers, its usage by web application developers is surprisingly low. In this presentation I’ll explain common misunderstandings of different CSP concepts and we’ll dive deep into examples to understand better what leads to successful CSP violations and how to prevent them. Do you worry about adding CSP into production because some of your users still use CSP 1 or CSP 2 compatible browsers and you are scared about needing to implement dynamic CSP? Don’t worry, we’ll talk about CSP backward compatibility and how to make a policy which works for all versions. I’ll also explain the latest changes in the CSP level 3 specification and features you can already use to make your application even more secure and the process of adding CSP to your web-app much easier.

Speakers

Ilya Nesterov

Shape Security
Ilya Nesterov is currently an engineering manager at Shape Security. Prior to Shape, Ilya worked at F5 Networks, and earned his master's degree from Tomsk Polytechnic University. His interests include, but are not limited to, modern Web Application security threats and countermea...


Thursday May 11, 2017 15:00 - 15:15
Waterfront Center: Lightning Room

15:00

Building security teams
While 'security is not a team', you'll find that most companies growing just beyond 60-80 people start employing a group of people focusing primarily on the topic. But the culture of secure engineering in a company does not only strongly correlate with when you start building a security team - it becomes (and grows as) a matter of how they connect with the rest of your organization, and make security, adversarial thinking, and the care for user safety and privacy part of everyone's concern. In this talk, we will review what the purposes of a security team can be, which challenges you'll face, how you can make it scale beyond the team's boundaries; as well as proven good practices of running (fairly operational) engineering teams themselves. Whether your organization already has a security team or is currently distributing security demands across areas, you'll be able to take away how to build (out) a dedicated security team and make your engineers (and, spoiler alert, other teams!) happy, healthy, and sustainable for the years to come.

Speakers

Astera Schneeweisz

Astera has always been fascinated with machines and how to make them do her own bidding, working in defensive security for the past decade. More recently, she's grown to love and prioritize the challenge of working with real humans in her life, and exciting others about this fron...


Thursday May 11, 2017 15:00 - 15:45
Waterfront Center: Room 3

15:00

The evil friend in your browser
On the one hand, browser extensions, e.g., for Chrome, are very useful, as they extend web browsers with additional functionality (e.g., blocking ads). On the other hand, they are the most dangerous code that runs in your browser: extensions can read and modify the content displayed in the browser. As they also can communicate with any web-site or web-service, they can report data and metadata to external parties.

The current security model for browser extensions seems to be inadequate for expressing the security or privacy needs of browser users. Thus, browser extensions are a "juicy target" for attackers targeting web users.

We present results of analysing over 2500 browser extensions on how they use the current security model and discuss examples of extensions that are potentially of high risk. Based on the results of our analysis of real world browser extensions as well as our own threat model, we discuss the limitations of the current security model from a user perspective.

Speakers

Achim D. Brucker

The University of Sheffield
Dr. Achim D. Brucker (www.brucker.ch) is a Senior Lecturer and consultant at The University of Sheffield, UK where he heads the Software Assurance & Security Research Team (logicalhacking.com). Until December 2015, he was a Research Expert (Architect), Security Testing...

Michael Herzberg

PhD Student, University of Sheffield
Michael is a PhD student at the University of Sheffield, working together with Achim Brucker. His focus lies on formal methods for building secure systems, in particular ones using web technologies. Previously he graduated from the Karlsruhe Institute of Technology, Germany...


Thursday May 11, 2017 15:00 - 15:45
Waterfront Center: Hall 2B

15:00

Become a "Capture the Flag" Star: Part 2
In the world of application security a 'Capture the Flag' event is a competition where contestants race to complete hacking challenges. A server is set up that is knowingly vulnerable, and teams try to hack the system as quickly as they can and 'grab the flag' first.

In Part 1 we introduced everyone to the world of 'Capture the Flag' (CtF) competitions, how to hack the server and complete the challenges, and some other skills.

In this Part 2, we open up a real CtF competition and let everyone get their laptops out and compete.

Speakers

Nanne Baars

Nanne works as a security consultant & developer at Xebia Group and is one of the primary developers of WebGoat.

Jason White

Jason worked on web apps as a full-stack developer for over 15 years (spending some of his time breaking them too). He now works full-time as an application security consultant with AsTech. Jason has been contributing to OWASP & WebGoat since 2014.


Thursday May 11, 2017 15:00 - 15:45
Waterfront Center: Hall 1B

15:00

Printer Security
From a security point of view, printers have been overlooked for a long time. Even though these devices have direct access to sensitive information like confidential reports, contracts, or patient prescriptions, there is no research summarizing attacks on printers. More importantly, there is no general methodology for printer security evaluation, and no pentesting tools are available.
In our research, we provide the first comprehensive study regarding the security of printers. We evaluate 20 different printers revealing serious security flaws on all of them. We categorize the attacks in four different classes: Denial-of-Service (DoS), Protection Bypass, Print Job Manipulation, and Information Disclosure. Our evaluation was supported by a novel open source pentesting tool called PRET.
We extend our analysis on systems beyond printers and evaluate Google Cloud Print and other PostScript processing websites. The result reveals information leakages and further security issues.

Speakers

Jens Müller

Ruhr University Bochum
Jens Müller received his M.Sc. degree in IT Security / Networks and Systems from the Ruhr University Bochum in 2016. He has experience as a freelancer in network penetration testing and security auditing. In his spare time he develops free open source software, at present tools...

Trainers

Vladislav Mladenov

Ruhr University Bochum
Vladislav Mladenov is a PhD Student at the Ruhr University Bochum, Chair for Network and Data Security. He is interested in the security of XML-based services. Additionally, he investigates different Single Sign-On protocols like OAuth, OpenID, OpenID Connect and SAML. Other topi...


Thursday May 11, 2017 15:00 - 15:45
Waterfront Center: Hall 1A

15:45

16:15

Knowing Is Only Half the Battle
In today's world of rapid innovation, agile development with short iterative sprints, and frequent acquisitions, Engineering, Operations, and IT teams are moving fast, opening up the potential for shortcuts and increased security & technical debt. This lightning talk will describe a lightweight internal security program to help identify, prioritize, and remediate known risks, usually found in undocumented institutional knowledge, that can have a material impact on security and availability of both external and internal facing services.

Speakers

Gregory Shapiro

Gregory Shapiro sets the technical vision, strategy, and direction for Global Information Security at Proofpoint, Inc. His past roles have included leadership positions in Operations, Engineering, IT, and Business Development at Proofpoint, Sendmail, and WPI.


Thursday May 11, 2017 16:15 - 16:30
Waterfront Center: Lightning Room

16:15

Secure DevOps Journey: A How to Guide - Peter Chestna (USA)
As you consider the shift from waterfall to agile, or agile to DevOps, there is more to think about than just architecture. Peter Chestna, the Director of Developer Engagement at Veracode, led Veracode’s transition from Waterfall to DevOps and in turn has helped hundreds of customers do the same. Join us as Peter shares his own case study, how Veracode reengineered its own architecture but more importantly the overall process including team structure, the technologies to build a robust pipeline, security considerations and the cultural shifts required.

What you will learn:
  1. A basic understanding of Waterfall, Agile and DevOps from a people, process and technology point of view
  2. Considerations when transitioning between these methodologies including org structure, process changes and technical debt
  3. An approach to leading the change in your own company
  4. How security can best be integrated deeply into DevOps to keep schedule risk to a minimum and velocity high

Speakers

Peter Chestna

Director of Developer Engagement, Veracode, Inc
As Director of Developer Engagement at Veracode, Pete provides customers with practical advice on how to successfully roll out developer-centric application security programs. Relying on more than 10 years of direct AppSec practitioner experience as both a developer and developme...


Thursday May 11, 2017 16:15 - 16:35
Waterfront Center: Hall 2A

16:15

DOM based Angular sandbox escapes
You may think the fun is over regarding sandbox escapes since the sandbox was removed in version 1.6. Well... not quite yet. We have a whole new context to explore and hack. This talk will demonstrate brand new sandbox escapes and feature lovely JavaScript hacks for your viewing pleasure. If you like JavaScript then you must watch this talk.

Speakers

Gareth Heyes

Gareth works as a researcher at PortSwigger and loves breaking sandboxes and anything to do with JavaScript. He has developed various free online tools such as Hackvertor and Shazzer. He also created MentalJS, a free JavaScript sandbox that provides a safe DOM environment for sand...


Thursday May 11, 2017 16:15 - 17:00
Waterfront Center: Room 3

16:15

Introducing the OWASP ModSecurity Core Rule Set 3.0
The CRS is a set of generic attack detection rules for use with ModSecurity or compatible web application firewalls that saw a new major release in November 2016 (3.0 -> CRS3). CRS is the 1st line of defense against web application attacks like those summarized in the OWASP Top Ten and all with a minimum of false alerts.
This talk demonstrates the installation of the rule set and introduces the most important groups of rules. It covers key concepts like anomaly scoring and thresholds, paranoia levels, stricter siblings and the sampling mode. The important handling of false positives is also covered as well as pre-defined lists of rule exclusions for popular web applications helping to avoid false positives.

Speakers

Christian Folini

Partner, netnea.com
Christian Folini is a partner at netnea AG in Berne, Switzerland. He holds a PhD in medieval history and enjoys defending castles across Europe. Unfortunately, defending medieval castles is no big business anymore and Christian turned to defending web servers which he thinks equa...


Thursday May 11, 2017 16:15 - 17:00
Waterfront Center: Hall 2B

16:15

Long term study on SSL/TLS certificates
The amount of encrypted communication is constantly increasing but nobody can really say if the encrypted data is secure or not. Every time data has to be encrypted, an encryption key has to be created and used to secure the channel, but no information is available regarding the security or the quality of the key itself.

We conducted a long term study (48 months) to analyze and test a large number of cryptographic keys, collected from open and public sources and across a variety of protocols. Each key has been subjected to a battery of tests to identify possible issues and generate security related metrics.

In this presentation we will review how cryptographic keys have been collected and tested, how the tests led to the identification of a large number of vulnerable and insecure keys, and which kinds of issues are affecting the industry the most.

Thursday May 11, 2017 16:15 - 17:00
Waterfront Center: Hall 1B

16:15

2017: Rise of the Machines
Faced with the challenge of securing hundreds of applications in our organization, we struggled to find the capacity to manually scan them all and still have the time to focus on our more critical issues. Having to deal with a wide variety of programming languages, platforms, legacy applications and needing to prioritise a never ending list of applications with limited time and resources…Sound familiar? 

Join our journey and live demo of how we are utilizing “machines” to automate assessments. We’ll show you the technologies we chose not to use, and why; how understanding our requirements better allowed us to focus on the things we really needed rather than the ideal solution.

Our team will showcase how we’ve utilized a blend of Jenkins, HP Fortify SCA/SSC, OWASP ZAP, OWASP DefectDojo, Slack and Jira to create an automation-scanning and reporting platform. 

We’re anticipating a highly collaborative session and hope you’ll join - feedback, criticism and praise are all welcome!

Speakers

Kev D'Arcy

Application Security Automation, Dun & Bradstreet
Spent 16 years as a Java software developer before making the move to the dark (bright?!)-side of application security. My role covers everything from penetration testing, automation, compliance, audit, training, testing, fixing, (occasionally) breaking things. Feel free to say h...

Nicholas Raite

Dun & Bradstreet
With humble beginnings in development at a small start-up between classes, Nick took what he learned and applied his interest in security. The result of that recipe has been entering the world of application security, which includes penetration testing, automation, training...

Rohini Sulatycki

Dun & Bradstreet
Rohini specializes in application security, application penetration testing, mobile penetration testing, virtualization security assessments, network penetration testing and security code reviews. Rohini has conducted Secure Development Training classes for clients worldwide. Roh...


Thursday May 11, 2017 16:15 - 17:00
Waterfront Center: Hall 1A

16:40

DevSecOps Review: Take Aways from Today's Sessions - Mark Miller and Guests
Join us as we review the day's presentations and play "DevOps Presentation Bingo" for customized Lego figures.

Speakers

Helen Beal

Helen has 20 years’ experience working in the technology industry with a focus on the Software Development and Delivery Lifecycle for a wealth of cross industry clients in the UK and abroad. Helen is passionate about DevOps and is the creator of the Ranger4 DevOps LiftOff Workshop and the Ranger4 DevOps Maturity Assessment - winner of the IBM Beacon Award 2015 for Outstanding DevOps Solution. She also started...

Peter Chestna

Director of Developer Engagement, Veracode, Inc
As Director of Developer Engagement at Veracode, Pete provides customers with practical advice on how to successfully roll out developer-centric application security programs. Relying on more than 10 years of direct AppSec practitioner experience as both a developer and developme...

Elena Kravchenko

Application Security Lead / HPE Master Level Architect, HPE Software
Elena represents the Security side of the project and brings vast experience in both development and security areas. She is responsible for a department developing 12 products (~400 developers). HPE Software Security Lead for HPE’s Application Delivery Management (ADM) Busin...

Zane Lackey

Zane Lackey is the Co-Founder/CSO at Signal Sciences and serves on the Advisory Boards of the Internet Bug Bounty Program and the US State Department-backed Open Technology Fund. Prior to Signal Sciences, Zane was the Director of Security Engineering at Etsy and a Senior Security Consultant at iSEC Partners. He has been featured in notable media outlets such as the BBC, Associated Press, Forbes, Wired, CNET, Network World, and SC Magazine. A frequent speaker at top industry conferences, he has presented at BlackHat, RSA, USENIX, Velocity, Microsoft BlueHat, SANS, OWASP, QCon, and has given invited lectures at Facebook, Goldman Sachs, IBM, and the Federal Trade Commission. He is a contributing author...
Elizabeth Lawler

Elizabeth Lawler is CEO and Co-founder of Conjur, Inc., a security company which focuses on security for next generation infrastructure. Lawler has over 20 years of experience working in highly regulated and sensitive data environments. Prior to founding Conjur, she was Chief Dat...
Mark Miller

Senior Storyteller, Sonatype
Some of you might know Mark Miller as the Founder and Editor of EndUserSharePoint.com, and co-producer of NothingButSharePoint, two of the world's largest SharePoint Community initiatives. In a more recent incarnation, he was the co-founder of the "All Day DevOps" live online conference with over 13,500 registrations for the conference, which included 3 simultaneous sessions, 15 hours, 15 time zones, 54 sessions. This was an extension of SharePoint Saturday EMEA, Live Online, a concept initiated seven years ago for the SharePoint Community. Mr. Miller is the Editor-in-Chief of the...
Gareth Rushgrove

Gareth Rushgrove is a senior software engineer at Puppet Labs. He works remotely from Cambridge, UK, building interesting tools for people to better manage infrastructure. Previously he worked for the UK Government Digital Service focused on infrastructure, operations and inform...
Theodoor Scholte

Theodoor Scholte is a software security consultant at SIG with more than 8 years’ experience in software security. In this role, his work ranges from establishing application security programs to conducting manual secure code and design reviews assisted by security tools. Being part of...
Aaron Volkman

Aaron Volkmann is a developer and DevOps researcher at Carnegie Mellon University's Software Engineering Institute / CERT division specializing in product and research-driven development. He teaches DevOps workshops and assists government software shops in adopting DevOps principles. ...
Efrat Wasserman

Senior Program Manager, Intel
Efrat represents the development team side as a Senior Program Manager, responsible for the lifecycle of “Storm Runner Load” - the cloud based product developed according to Agile methodology. Efrat brings deep knowledge and experience in both software development and project management. This specific RND group consists of 5 development teams (50...
Hasan Yasar

Hasan Yasar is the technical manager of the Secure Lifecycle Solutions group in the CERT Division of the Software Engineering Institute, CMU. Hasan leads an engineering group on software development processes and methodologies, specifically on DevOps and development, cloud technologies, and big data problems, while providing expertise...


Thursday May 11, 2017 16:40 - 17:05
Waterfront Center: Hall 2A

17:05

Exploiting the unexploitable with lesser known browser tricks
You see the website is fully armed with HTTP security headers, you give up. You see the website does not reflect inputs, you give up. You see user generated content is put in a sandboxed domain, you give up. This talk will briefly cover how you can exploit those seemingly unexploitable scenarios with lesser known browser tricks.

Speakers
Filedescriptor

As a Penetration Tester with Cure53, Filedescriptor focuses on web application security and specializes in XSS attacks and browser security. Filedescriptor is known as someone who helps to keep Twitter secure as he is currently ranked first among the participants of Twitter’s respons...


Thursday May 11, 2017 17:05 - 17:50
Waterfront Center: Room 3

17:05

KeyNote: Brian Honan. Looking back to look ahead.

Computers are now ubiquitous within all aspects of our lives and we are now more dependent than ever on the code that is embedded in our computers, our homes, our vehicles, and even our bodies. Brian will look back at the history of computing over the past decades and look at what lessons we should be learning to ensure we secure the code and systems of the future.


Speakers
Brian Honan

Brian Honan is an independent security consultant based in Dublin, Ireland, and is also the founder and head of IRISSCERT, Ireland’s first CERT. He is a Special Advisor to Europol’s Cybercrime Centre (EC3), an adjunct lecturer on Information Security in University College Dublin, and sits on the advisory board for a number of innovative security companies. He is the author of the book...


Thursday May 11, 2017 17:05 - 17:50
Waterfront Center: Hall 1A

17:55

Allstars Closing Note

Allstars 2017 is delivering in one full day what’s known to be the finest, hand-selected talks from prolific speakers and top-tier researchers in the field of information security.

You can think of Allstars 2017 as a conference inside a conference - offering you one day with the most interesting influencers in today’s web application & general IT (in-)security. Allstars 2017 is a dedicated invited-speakers track at the OWASP AppSec EU 2017 conference.

Allstars 2017 itself is free. You only need to have a ticket for the OWASP conference to get in.

We recommend all attendees to have a really good breakfast on 11th. Don’t “allstar” on an empty belly.


Thursday May 11, 2017 17:55 - 18:05
Waterfront Center: Room 3

18:45

Conference Dinner
The main conference dinner will be held in the beautiful Titanic Suite at the Titanic Center in Belfast, just a 5 minute walk away from the main conference venue. Titanic Belfast is an architecturally stunning venue in the heart of Belfast’s Titanic Quarter, recently voted Europe’s Leading Tourist Attraction in 2016 (World Travel Awards).

The evening will start with a drinks reception at 6:45pm, held in the main foyer. Guests will then move to the main suites at 7:30pm, where entertainment will be followed by the best of Northern Irish food, served buffet style.

The suites used for the dinner (Titanic Suite and Bridge) both overlook the Lagan River and the Game of Thrones studios where the famous TV program is filmed.


Thursday May 11, 2017 18:45 - 23:00
Titanic Center 7 Queens Rd, Belfast BT3
 
Friday, May 12
 

08:00

09:00

Exhibit
Friday May 12, 2017 09:00 - 16:00
Waterfront Center: Exhibition Hall

09:15

KeyNote: Jeremiah Grossman. What the Kidnapping & Ransom Economy Teaches Us About Ransomware
Ransomware is center stage, as campaigns are practically guaranteed financial gain. Cyber-criminals profit hundreds of millions of dollars by selling our data back to us. If you look closely, the ransomware economic dynamics closely follow the real-world kidnapping and ransom industry. We’ll explore the eerie similarities, where ransomware is headed, and strategies we can bring to the fight.

Speakers
Jeremiah Grossman

Chief of Security Strategy (SentinelOne). Professional Hacker. Black Belt in Brazilian Jiu-Jitsu. Founder of WhiteHat Security. Jeremiah Grossman’s career spans nearly 20 years, and he has lived a literal lifetime in computer security to become one of the industry’s biggest names. And since Jeremiah earned a Brazilian Jiu-Jitsu black belt, the media has described him as...


Friday May 12, 2017 09:15 - 10:00
Waterfront Center: Hall 1A

10:00

CTF
Offense/Defense (Blue/Red Team), defending your vulnerable web application whilst attacking the application of the other teams


Friday May 12, 2017 10:00 - 15:00
CTF Room

10:00

Member Lounge
OWASP Members Lounge at AppSec EU 2017

Thursday, May 11th 10am-5pm &
Friday, May 12th 10am-3pm

Looking for a place to recharge?
Feeling a bit hungry or thirsty?
Maybe you are looking for an OWASP t-shirt?
Or just looking to take a break from the hectic conference atmosphere?

Head on over to the Members Lounge located in Waterfront Center Hall 1A

Here you can grab a snack, quench your thirst, recharge your electronics, kick up your feet, and network with other OWASP members all within a relaxed atmosphere.

Not an OWASP Member?  No problem!  Swing on over to the lounge, and you can sign up on the spot!

Look for the signs or ask a volunteer how to find us!


Friday May 12, 2017 10:00 - 15:00
Waterfront Center: Hall 1A

10:20

The DevSecOps Playbook from a Practitioner’s Perspective - Shannon Lietz (USA)
Lots of folks are talking about DevSecOps, but there doesn’t seem to be a lot of information about how exactly to do it or get started. With fluffy guidance, how can anyone really get excited about adopting it? The DevSecOps journey was born out of sheer necessity with the aim of implementing safer software sooner. This adapted lightning talk will describe the journey to DevSecOps for you to kick off a similar effort at your organization. Don’t miss it!

Speakers
Shannon Lietz

DevSecOps Lead, Intuit
Shannon Lietz is an award winning innovator with over two decades of experience pursuing advanced security defenses and next generation security solutions. Ms. Lietz is currently the DevSecOps Leader for Intuit where she is responsible for setting and driving the company’s cloud security strategy, roadmap and implementation in support of corporate...


Friday May 12, 2017 10:20 - 10:45
Waterfront Center: Hall 2A

10:20

Incremental Threat Modelling
Threat modelling is one of the best techniques for achieving security at the architectural level. However, introducing it on existing complex projects requires time which developers may not have. This talk introduces a technique for performing threat modelling in ongoing projects without a prohibitive initial time investment.

Speakers
Irene Michlin

Principal Security Consultant, NCC Group
Introducing security into the software development lifecycle, threat modelling, security for Agile and Lean. | @IreneMichlin



Friday May 12, 2017 10:20 - 11:05
Waterfront Center: Hall 2B

10:20

How to lead better security through our Mini Hardening project
In Japan, we held 5 competitions called Mini Hardening. Those were derived from the original Hardening Project, which consists of 8 hours of playing time and 8 hours of reflection time over 2 days. Ours is a bit different, using only 1 day. The other difference is that we focus on beginners and novices.
We have to consider business continuity regarding our investigation and operations when a security incident happens. Sometimes an operation, such as changing passwords, can affect the business itself. So we evaluate scores using a report document. It's a technical competition, but it is hard to win without considering exactly what the business is.
On the other hand, the original competition is too hard for beginners to participate in because of its difficulty and cost. That's why I made my own competition. Through this presentation, I will share all my experience of how to lead my own volunteer team, create lots of environments, and introduce security to beginners.

Speakers
Kazuki Tsubo

Cloud Support Engineer, Amazon Web Services Ireland
Belonged to the OWASP Japan promotion team for a few years, and hosted his own event, Mini Hardening. Although working at AWS as a Cloud Support Engineer, his area includes security. As technical support, he resolves many issues. Previous job was web developer at a newspaper comp...


Friday May 12, 2017 10:20 - 11:05
Waterfront Center: Hall 1B

10:20

Pentesting voice biometrics solutions
The era of scratch cards, RSA tokens, SMS codes and different variations of second factor authentication (and authorization) devices is soon to be over. The question is - what will replace current 2-FA methods - smart mobile applications or biometric solutions? And how quickly will the attackers find ways to bypass these methods?
One of the most popular biometric authentication methods already being widely implemented is voice biometrics. In this talk, expect to learn:
- how to pentest voice biometrics
- tools for automating calls to IVR channels
- how good is a good microphone
- how to fuzz the voice and identify key biometric characteristics and thresholds to bypass the algorithms
- how these kinds of solutions compare to standard password metrics
I am sharing my experience of pentesting a few voice biometrics systems, fuzzing voice in IVR channels, abusing implementations in mobile apps, and finally, I define security requirements for implementing this kind of solution.

Speakers
Jakub Kaluzny

Jakub is a Security Consultant at The Missing Link Security in Australia and performs penetration tests of high-risk applications, systems and devices. Previously securing online banking in Europe, working for European Space Agency and protecting instant bank transfers interm...


Friday May 12, 2017 10:20 - 11:05
Waterfront Center: Hall 1A

10:20

Hallway Track
Dedicated room for anyone to use.  When you meet friends and colleagues at the conference and want to start your own discussion or session, simply contact the AppSec EU organizers and you can book this room to host it.

There will be chairs, projector and whiteboard to facilitate your discussion. 

Friday May 12, 2017 10:20 - 11:05
Hallway Track Room

10:45

DevSecOps: A Rose by Any Other Name Would Smell Sweeter - Nigel Kersten (USA)
Names matter and we should stop it with the DevSecOps, SecDevOps labels. In this talk we’ll discuss some simple linguistic theory on the hidden baggage that names and metaphors can carry, how we can use this to our advantage when modifying processes and organizational interactions to improve security posture, and how some of the key terms around DevOps such as “infrastructure-as-code” were successful at least partially due to positive baggage and implications around their names.

Speakers
Nigel Kersten

Chief Technical Strategist, Puppet
Nigel came to Puppet from Google HQ in Mountain View, where he was responsible for the design and implementation of one of the largest Puppet deployments in the world. At Puppet, Nigel was responsible for the development of the initial versions of Puppet Enterprise and has since...


Friday May 12, 2017 10:45 - 11:10
Waterfront Center: Hall 2A

11:05

11:35

AngularJS + CSP: A Perfect Match or Unhappy Marriage?
Using AngularJS and thinking of deploying a Content Security Policy to improve your client-side security? Come listen to this lightning talk to find out how they play together, what works and what breaks out of the box, whether they’ll find love for each other and live happily ever after or eventually file for divorce.

Speakers
David Johansson

David Johansson has worked as a security consultant for several leading IT-security companies and has 10 years of experience in software security. Among other things, he has worked with software development and architecture, web security testing and training developers and testers in security. David lives in London where he works as an Associate Principal Consultant for Synopsys Software Integrity Group (formerly...


Friday May 12, 2017 11:35 - 11:50
Waterfront Center: Lightning Room

11:35

Pushing Left Like a Boss: Application Security Foundations - Tanya Janca (Canada)
With incident response and penetration testing currently receiving most of our application security dollars, it would appear that the industry has decided to treat the symptom instead of the disease. “Pushing left” refers to starting security earlier in the SDLC: addressing the problem throughout the process, and specifically during the development phase. From scanning your code with a vulnerability scanner to red team exercises, developer education programs and bug bounties, this talk will show you how to ‘push left’, like a boss.

This talk is aimed at developers, operations, dev-ops, people who are new to application security, managers, or anyone who works in any other field of security than AppSec.

Speakers
Tanya Janca

IT Security Specialist - Vulnerability Assessment Team
Tanya Janca is an application security evangelist, a web application penetration tester and vulnerability assessor, an ethical hacker, the Co-Leader of the OWASP Ottawa chapter, and has been developing software since the late 90’s. She has worn many hats and done many things, including: Custom Apps, Ethical Hacking, COTS, Incident Response, Enterprise Architect, Project and People Management, and even Tech...


Friday May 12, 2017 11:35 - 12:00
Waterfront Center: Hall 2A

11:35

How to put the Sec in DevOps
Automation and DevOps have changed the way organizations deliver products. The shift towards DevOps made it pretty clear that companies are adopting this organizational model in order to facilitate a practice of automated software deployment. While the traditional idea of a “software release” dissolves away into a continuous cycle of service and delivery improvements, organizations find that their traditional application security solutions have a hard time adapting to the new process, and security becomes an inhibitor to the complete process. In this session, you’ll learn how organizations adopted security into DevOps processes.

Join us to:
- Discover which obstacles should be expected and how to overcome them
- Understand what functionality is key to enable real automation of your AppSec program
- Explore the benefits of having security as part of your DevOps automation (what’s in it for me?)

Speakers
Helen Bravo

Product Manager, Checkmarx
Helen Bravo is the Product Manager at Checkmarx. Helen has more than fifteen years of experience in software development, IT security and source-code analysis. Prior to working at Checkmarx, Helen worked at Comverse, one of the biggest Israeli hi-tech firms, as a software e...


Friday May 12, 2017 11:35 - 12:20
Waterfront Center: Hall 2B

11:35

Security Best practices in Azure Cloud
You are using Azure for deploying applications, storing data, hybrid networking, and many other services? And how secure is it? The author will offer a technical, hands-on overview of how security should be implemented at each step. The talk will go through overall security practices and will end with deploying a .NET application to Azure in a secure way.

Speakers
Viktorija Almazova

Security Architect
IT Security Architect for If Skadeforsikring NUF with more than 10 years of experience in security. She spends all her time working closely with developers and architects to make security built in from the design level. She is a big supporter of making security a culture and shifting s...


Friday May 12, 2017 11:35 - 12:20
Waterfront Center: Hall 1B

11:35

How to steal mobile wallet? – Mobile contactless payments apps attack and defense
Nowadays we are observing very dynamic adoption of mobile contactless payments. These are systems provided by OS manufacturers (Android Pay, Apple Pay) as well as apps delivered by banks or 3rd party payment operators. Is it possible to clone card data? Yes, it is – demo included!
What are other ways to attack? What are the risks and what can we do to lower them? Based on several assessments and lab experiments done by our team, I will answer these questions and provide best practices on how to mitigate the risks.

Speakers
Wojtek Dworakowski

SecuRing
IT security consultant with over 15 years of experience in the field. Managing Partner at SecuRing, a company dealing with application security testing and advisory on IT security. Has led multiple security assessments and penetration tests especially for financial services, paym...

Trainers
Slawomir Jasek

SecuRing
IT security consultant with over 10 years of experience. He participated in many assessments of systems' and applications' security for leading financial companies and public institutions across the world, including a few dozen e-banking systems. He also developed secure embedded...


Friday May 12, 2017 11:35 - 12:20
Waterfront Center: Hall 1A

11:35

Hallway Track
Dedicated room for anyone to use.  When you meet friends and colleagues at the conference and want to start your own discussion or session, simply contact the AppSec EU organizers and you can book this room to host it.

There will be chairs, projector and whiteboard to facilitate your discussion. 

Friday May 12, 2017 11:35 - 12:20
Hallway Track Room

12:05

Security In The Land of Microservices - Jack Mannino (USA)
Microservices offer a lot of benefits for deploying large-scale applications, but they introduce their own unique security challenges. Services are highly decoupled from each other as well as from the producers and consumers of data moving throughout the architecture. You support web users, mobile users, IoT device users, and a few people that still use flip phones and your old dusty legacy services.

In this presentation, we will discuss the challenges with securing microservices. Using real-world examples of successes and failures while building microservices, we will discuss what translates well from monolithic design. Securely sharing secrets between services is important, and we’ll examine open source and AWS related tools to achieve this. We will demonstrate how to build authentication into a microservice architecture using the API Gateway Pattern. At the end of this presentation, you’ll understand how to chase your tail less as you migrate to this great new world of tiny services.

Speakers
Jack Mannino

Jack is the CEO at nVisium and loves solving problems in the field of application security. With experience building, breaking, and securing software, he founded nVisium in 2009 to invent new and more efficient ways of protecting software. He focuses on solutions for making secur...


Friday May 12, 2017 12:05 - 12:35
Waterfront Center: Hall 2A

12:25

Increasing web apps security with the power of http headers
Nowadays everyone uses web browsers on a daily basis for various tasks such as reading emails or purchasing on ecommerce portals. Web developers often forget that a browser is a piece of software that can be used as a remote code execution engine, and can be used to inject malicious code either by exploiting a Cross-Site Scripting (XSS) vulnerability or by executing a MITM attack. The focus of this talk is to explain how new browser headers (HSTS, HPKP, CSP) can help to easily add an extra layer of security in order to defend against common web security vulnerabilities. These could be the talking points:
- Introduction to web browser security, explaining why secure transport is important and what HTTPS provides in terms of confidentiality, authenticity and integrity
- Analysis of new headers, such as HTTP Strict Transport Security (HSTS), HTTP Public Key Pinning (HPKP) and Content Security Policy (CSP), explaining how they work to prevent attacks on HTTPS, XSS and clickjacking

Speakers
Jose Manuel Ortega

I’m a Software Engineer really focused on new technologies, open source, security and testing. My career has been focused from the beginning on specializing in Python and security testing projects. In recent years I'm interested in security development, especially on web and mobile...


Friday May 12, 2017 12:25 - 12:40
Waterfront Center: Lightning Room

12:25

Could a few lines of code F!#ck it all up!
Recently, an anonymous open source developer decided to remove his code (left-pad) from a public repository. Shortly thereafter, several large organizations felt the impact of his actions. Facebook, AirBnB and others experienced errors impacting the functionality of their services. Packages using “left-pad” wouldn’t properly execute.
Today, we embrace both the open source community and the growth of open source projects, modules and packages but… Dependencies and recursive dependencies might become a risk or even a new attack vector which we didn’t foresee.
Could there be other cases of common and popular open source packages depending on open source modules that might not be there tomorrow or, even worse, could they be maliciously modified?

Join us and learn:
- Which common open source packages might not be there tomorrow, and how this can affect you
- How packages you use could be maliciously modified, and the impact on your app
- How intertwined and complex dependencies have become

Speakers
Erez Yalon

Application Security Research Manager, Checkmarx
Erez heads the security research group at Checkmarx. With vast defender and attacker experience and as an independent security researcher, he brings invaluable knowledge and skills to the table. Erez is responsible for maintaining Checkmarx’s top notch vulnerability detection t...


Friday May 12, 2017 12:25 - 13:10
Waterfront Center: Hall 2B

12:25

Fixing Mobile AppSec: The OWASP Mobile Project
Even though modern mobile operating systems like iOS and Android offer great APIs for secure data storage and communication, those APIs have to be used correctly in order to be effective. Data storage, inter-app communication, proper usage of cryptographic APIs and secure network communication are only some of the aspects that require careful consideration.

The OWASP Mobile Application Verification Standard (MASVS) is an attempt to standardize mobile app security requirements using different verification levels. Complementary to the MASVS, we are developing a Mobile Security Testing Guide (MSTG) that provides detailed test cases for each requirement. 

In this talk, we introduce both the MASVS and MSTG, and discuss the many challenges we faced during development, from dealing with the diversity and fragmentation of the Android ecosystem to clarifying the role of software protections in mobile security.

Speakers
Bernhard Mueller

Bernhard is a cyber security specialist with a talent in hacking all kinds of systems. During more than a decade in the industry he has published many bugs and papers in a variety of fields including Internet protocols, web apps, mobile operating systems, WAFs and others. If you...

Sven Schleier

Sven is a mobile security thought leader with over seven years of hands-on experience in application penetration testing, network penetration testing and source code review. In his role as an application security architect at Vantage Point Security, he has supported and guided ma...


Friday May 12, 2017 12:25 - 13:10
Waterfront Center: Hall 1B

12:25

Exploiting CORS Misconfigurations for Bitcoins and Bounties
Cross-Origin Resource Sharing (CORS) is a mechanism for relaxing the Same Origin Policy to enable communication between websites via browsers. It’s already widely understood that certain CORS configurations are dangerous. In this presentation, I'll skim over the old knowledge then coax out and share with you an array of under-appreciated but dangerous subtleties and implications buried in the CORS specification. I'll illustrate each of these with recent attacks on real websites, showing how I could have used them to steal bitcoins from two different exchanges, partially bypass Google's use of HTTPS, and requisition API keys from numerous others. I'll also show how CORS blunders can provide an invaluable link in crafting exploit chains to pivot across protocols, exploit the unexploitable via server and client-side cache poisoning, and even escalate certain open redirects into vulnerabilities that are actually notable.

Speakers
James Kettle

Head of Research, PortSwigger Web Security
James Kettle is head of research at PortSwigger Web Security, where he designs and refines vulnerability detection techniques for Burp Suite's scanner. Recent work has focused on techniques to detect unknown classes of vulnerabilities, and the new Burp Collaborator system for ide...


Friday May 12, 2017 12:25 - 13:10
Waterfront Center: Hall 1A

12:40

Don’t Learn, Don’t See, Don’t Run: Application Security for DevSecOps - Joseph Feiman (USA)
DevOps has not yet become DevSecOps, leaving DevOps insecure. What is preventing security from integration into DevOps and CI/CD? This presentation offers the answer. It defines capabilities that application security should adopt, explains how existing technologies should change, forecasts emerging technologies, and estimates the pace of application security transformation in the era of DevOps.

In this presentation, we prove a hypothesis that DevSecOps is in need of technologies with specific features – technologies that application development, operation, and security specialists don’t have to learn, see, and run. Only these technologies will seamlessly integrate into DevOps, making it DevSecOps. 

Attendees of this session will learn what will come to the market within the next three years, how to plan adoption, and what will or will not work in the era when application security transforms to enable DevSecOps. 

Speakers
Joseph Feiman

Chief Innovation Officer, Veracode
Joseph Feiman, PhD is Chief Innovation Officer at Veracode responsible for advanced technologies that drive innovative security strategies. He is a recognized industry leader with nearly two decades’ experience in application development and security, analyzing the markets for Gartner Research. Prior to joining Veracode at the end of 2015, Joseph was a research VP and Gartner Fellow, leading application and data security research. He is widely credited with shaping application security...


Friday May 12, 2017 12:40 - 13:10
Waterfront Center: Hall 2A

13:10

Lunch
Friday May 12, 2017 13:10 - 14:10
Waterfront Center: Exhibition Hall

14:10

How to ensure that no one wants to work with you. Mistakes that all security programs make, and how to correct them.
So often security stumbles over knowing what the 'right thing' to do is, but not getting buy-in from the business or from the developers. How do we as an industry need to change our message to make more people feel like they can take their first steps into the security world? How can we become more accepting and welcoming to new voices? In this talk I'll present some real life mistakes and the lessons that we can all learn from them to move forward.

Speakers
Siren Hofvander

Siren Hofvander is passionate about making security something that everyone feels that they understand and has access to. She works as a CSO for Min Doktor, where she ensures that security is built not only into the service itself, but into the backbone of the company. She is the founder of the...


Friday May 12, 2017 14:10 - 14:25
Waterfront Center: Lightning Room

14:10

Securing the Continuous Integration Process - Irene Michlin (UK)
Continuous integration (CI) has long left the stage of experimental practices and moved into mainstream software development. It is used everywhere from start-ups to large organisations, in a variety of technology stacks and problem domains. However, the security implications of introducing CI are often overlooked or underestimated.

This talk intentionally avoids recommending a specific solution or vendor. Instead it focuses on the technology and process changes involved in setting up a CI environment, and aims to provide best practice guidance for introducing CI in your secure Software Development Life Cycle (SDLC). The choice of tools in the various steps of CI is enormous. This presentation does not discuss their relative merits from a functionality point of view, but suggests which features are necessary to allow secure integration of the tools.

Speakers
Irene Michlin

Principal Security Consultant, NCC Group
Introducing security into the software development lifecycle, threat modelling, security for Agile and Lean. @IreneMichlin



Friday May 12, 2017 14:10 - 14:35
Waterfront Center: Hall 2A

14:10

An Introduction to Quantum-Safe Cryptography
Quantum computing has captured the imagination of researchers, and quantum algorithms have been published that show, in principle, an exponential speed-up in integer factorisation. As much of our modern-day public key cryptography, such as RSA, ECC and DSA, is based on the hardness of such problems, a machine that implements quantum factoring at scale threatens much of our current IT security.

In 2015 the US National Security Agency announced that their "Suite B" cryptographic algorithms used to protect federal systems are no longer fit for purpose, and a competition to replace these with new quantum-safe algorithms is underway. This is a massive disruption to the data security marketplace.

The SAFEcrypto project (Secure Architectures of Future Emerging Cryptography) is funded under the EU H2020 programme. SAFEcrypto will provide a new generation of practical, robust and physically secure post-quantum cryptographic solutions that ensure long-term security for future IT systems.

Speakers
Gavin McWilliams

Director of Engineering, CSIT, Queen's University Belfast
Gavin McWilliams (CISSP) is Director of Engineering in the Centre for Secure Information Technologies (CSIT), a dedicated cybersecurity research centre in Queen's University Belfast. He is the consortium manager of a large European research project (www.SAFEcrypto.eu) wh...


Friday May 12, 2017 14:10 - 14:55
Waterfront Center: Hall 2B

14:10

The path of secure software
Cyber attacks are a real and growing threat to businesses, and an increasing number of attacks take place at the application layer. The best defence is to develop applications where security controls are incorporated into the development cycle and used by developers while writing their code. How can developers deliver more secure applications? What are the security techniques they can use while writing the software?

This presentation will discuss the proactive controls that will guide developers down the path of secure software. It will explore the security techniques that can be incorporated into the development cycle and will provide real-world examples of how to solve some of the most prevalent security problems on the internet.

Recommended to all builders and security professionals interested in incorporating security techniques into the software development life cycle in the effort to build more secure applications.

Speakers
Katy Anton

Application Security Consultant, Veracode
Katy Anton is a security professional with a background in software development. In her previous roles she led software development teams and implemented security best practices in the SDLC. As part of her work she got involved in the OWASP Top Ten Proactive Controls project, where she...


Friday May 12, 2017 14:10 - 14:55
Waterfront Center: Hall 1B

14:10

Analysis and Detection of Authentication Cross-Site Request Forgery
Cross-Site Request Forgery (CSRF) attacks are one of the critical threats to web applications. In this presentation, we focus on CSRF attacks that affect web sites' authentication and identity management functionalities. We refer to them collectively as Authentication CSRF. If carried out successfully, Authentication CSRF attacks can cause sensitive information theft, account hijacking, etc. We will present seven security testing strategies that a tester can use to manually detect vulnerabilities causing Authentication CSRF. We will also present CSRF-Checker, a proof-of-concept tool based on OWASP ZAP that helps in the semi-automatic detection of Authentication CSRF. Additionally, we will describe our experience of testing the Alexa top 1500 web sites using our manual and semi-automatic Authentication CSRF testing strategies. The results are alarming: we discovered 191 vulnerable web sites spread across the Alexa top 1500, including web sites from top vendors such as Microsoft, Google, etc.

Speakers
Luca Compagna

Researcher, SAP
Dr. Luca Compagna is part of the Security Research team at SAP, where he is contributing to the research strategy and to the software security analysis area in particular. He received his Ph.D. in Computer Science jointly from the U. of Genova and U. of Edinburgh. His area of interes...

Avinash Sudhodanan

Early Stage Researcher, Fondazione Bruno Kessler
Avinash Sudhodanan is an Early Stage Researcher at the Security & Trust Unit of Fondazione Bruno Kessler and a 3rd year PhD student at the University of Trento. He is focusing his research on Automatic Analysis of Browser-Based Security Protocols (in the context of the EU project SEC...


Friday May 12, 2017 14:10 - 14:55
Waterfront Center: Hall 1A

14:10

Hallway Track
Dedicated room for anyone to use. When you meet friends and colleagues at the conference and want to start your own discussion or session, simply contact the AppSec EU organizers and you can book this room to host it.

There will be chairs, a projector and a whiteboard to facilitate your discussion.

Friday May 12, 2017 14:10 - 14:55
Hallway Track Room

14:40

Monitoring Attack Surface and Integrating Security into DevOps Pipelines - Dan Cornell (USA)
A web application’s attack surface is the combination of URLs it will respond to as well as the inputs to those URLs that can change the behavior of the application. Understanding an application’s attack surface is critical to being able to provide sufficient security test coverage, and by watching an application’s attack surface change over time security and development teams can help target and optimize testing activities.

This presentation looks at methods of calculating web application attack surface and tracking the evolution of attack surface over time. In addition, it looks at metrics and thresholds that can be used to craft policies for integrating different testing activities into Continuous Integration / Continuous Delivery (CI/CD) pipelines for teams integrating security into their DevOps practices.

Speakers
Dan Cornell

A globally recognized application security expert, Dan Cornell holds over 15 years of experience architecting, developing and securing web-based software systems. As the Chief Technology Officer and a Principal at Denim Group, Ltd., he leads the technology team to help Fortune 500 companies and government organizations integrate security throughout the development process. He is also the original creator of ThreadFix, Denim...


Friday May 12, 2017 14:40 - 15:05
Waterfront Center: Hall 2A

15:00

The Next Generation in Biometrics - ECG
Electrocardiogram (ECG) biometric technology utilises a person’s unique heartbeat electrical wave that is filtered, amplified and processed by an algorithm to allow authentication of a person against a stored profile. This talk will examine how this next generation of biometric technology is set to disrupt the market.

Speakers
Adrian Condon

Chief Technology Officer
With nearly 20 years' experience, Adrian has an impressive track record in new product design, leading technical teams and delivering strategic new technology across the industrial, automotive, aeronautical and medical industries. Adrian is currently CTO of B-Secur...


Friday May 12, 2017 15:00 - 15:15
Waterfront Center: Lightning Room

15:00

AppSec Panel: Diversity
In this session we will put set and audience questions to our panel regarding the question of diversity in the cyber security industry. This session will include representatives from the WomenInAppSec community.

Friday May 12, 2017 15:00 - 15:45
Waterfront Center: Hall 2B

15:00

DNS hijacking using cloud providers – no verification needed

A few years ago, Detectify published a blog post about domain hijacking using services like AWS, Heroku and GitHub. These issues still remain and still affect a lot of companies, and many tools for finding these vulnerabilities have popped up since this went public.

However, there are many more ways to hijack domains, nameservers and DNS providers. The tools out there are missing these cases completely. Frans will go through both the currently disclosed and the non-disclosed ways to take control over domains and will share the specific techniques involved.


Speakers
Frans Rosén

Security Advisor, Detectify
Frans Rosén is a tech entrepreneur, bug bounty hunter and a Security Advisor at Detectify, a security service for developers. He's a frequent blogger at Detectify Labs and a top-ranked participant in bug bounty programs, receiving the highest bounty payout ever on HackerOne...


Friday May 12, 2017 15:00 - 15:45
Waterfront Center: Hall 1B

15:00

Preventing 10 Common Security Mistakes in the MEAN Stack

The MEAN stack (Mongo, Express, Angular, and NodeJS) provides developers with a collection of open source JavaScript frameworks and technologies for building web applications. The combined simplicity and flexibility of these frameworks has made this a very popular technology stack among developers in recent years. This talk will focus on how to prevent 10 common security mistakes when developing MEAN stack applications. The security mistakes that we will discuss are introduced within the core frameworks, popular third-party plugins, and custom code. The resulting impact ranges from leaking system information through verbose errors to unauthenticated access. Some of the topics we will explore include:

  • MongoDB Query Selector Injection
  • MongoDB HTTP Interface
  • Express Case-Insensitive Routing
  • Express Middleware Precedence
  • Angular Template Injection
  • Angular SCE Misconfiguration
  • Use of LocalStorage vs SessionStorage
  • NodeJS NODE_ENV Configuration
Many of the mistakes are introduced simply by using the core frameworks or common plugins in their default configuration. These insecure-by-default components are problematic and increase the need for developer security awareness. Other mistakes are introduced by misusing or omitting security controls within these frameworks. This talk will include code examples for every type of mistake, a dynamic demonstration of how the defect may be exploited, and the recommended solutions or prevention measures. All demos and examples are based on the intentionally vulnerable open source application MEANBug https://github.com/dbohannon/MEANBug

Speakers
David Bohannon

Senior Security Consultant, Synopsys
David Bohannon is a Senior Security Consultant with Synopsys Software Integrity Group (previously Cigital). He performs penetration tests and code reviews of various web and mobile applications, frameworks, and middleware technologies. He is also an instructor teaching Defensive...


Friday May 12, 2017 15:00 - 15:45
Waterfront Center: Hall 1A

15:00

Hallway Track
Dedicated room for anyone to use. When you meet friends and colleagues at the conference and want to start your own discussion or session, simply contact the AppSec EU organizers and you can book this room to host it.

There will be chairs, a projector and a whiteboard to facilitate your discussion.

Friday May 12, 2017 15:00 - 15:45
Hallway Track Room

15:10

DevSec: Continuous Patch and Security Assessment with InSpec - Christoph Hartmann (Germany)
Best practices for server hardening and patching have been in place for decades. Nevertheless, it is still very cumbersome to enforce those rules continuously, and many servers are still unsecured in 2016. DevOps tools like Chef, Puppet or Ansible help to enforce secure configuration, but they cannot fully assess the state of a machine; for example, you cannot easily verify that something is not installed.

InSpec is here to help. It is an open source tool for infrastructure, security and compliance testing. InSpec's DSL is a human- and machine-readable assessment language that is extendable and customizable. Since testing can be fully automated with InSpec, companies can assess and enforce secure configuration across their IT fleet. Integration with CI/CD systems allows continuous testing in high-velocity organizations.

This talk will give an introduction to InSpec and demonstrate how patch and security levels can be assessed in CI/CD and production environments.

Speakers
Christoph Hartmann

Christoph Hartmann is a lead engineer at Chef and a founder who spent the last decade building complex software and infrastructure systems. Previously, Christoph was responsible for automation at the innovation laboratory at Deutsche Telekom and created effective solutions managi...


Friday May 12, 2017 15:10 - 15:35
Waterfront Center: Hall 2A

15:45

16:15

Creating an AppSec Pipeline with Containers in a Week: How We Failed and Succeeded - Jeroen Willemsen (Netherlands)
Join us on our adventure of setting up an AppSec pipeline with Docker containers. What went wrong, and how did we succeed? How do you fight false positives, and how do you get the best out of the products out there without bothering the development teams too much?

Speakers
Jeroen Willemsen

Security Architect, Xebia
Jeroen Willemsen is a security architect with a passion for mobile and risk management. He loves to work on secure building blocks, security automation pipelines and embedding information security risk management controls in an agile environment. He is dedicated to helping developer...



Friday May 12, 2017 16:15 - 16:40
Waterfront Center: Hall 2A

16:15

Dangerous Optimizations and the Loss of Causality
Increasingly, compiler writers are taking advantage of undefined behaviors in the C and C++ programming languages to improve optimizations. Frequently, these optimizations are interfering with the ability of developers to perform cause-effect analysis on their source code, that is, analyzing the dependence of downstream results on prior results. Consequently, these optimizations are eliminating causality in software and are increasing the probability of software faults, defects, and vulnerabilities. This presentation describes some common optimizations, describes how these can lead to software vulnerabilities, and identifies applicable and practical mitigation strategies.

Trainers
Robert C. Seacord

Principal Security Consultant, NCC Group
Robert C. Seacord is a Principal Security Consultant with NCC Group, where he works with software developers and software development organizations to eliminate vulnerabilities resulting from coding errors before they are deployed. Previously, Robert led the secure coding initiat...


Friday May 12, 2017 16:15 - 17:00
Waterfront Center: Hall 2B

16:15

Combining the Security Risks of Native and Web Development: Hybrid Apps
Cross-platform frameworks, such as Apache Cordova, are becoming increasingly popular. They promote the development of hybrid apps that combine native, i.e., system-specific, code and system-independent code, e.g., HTML5/JavaScript. Combining native with platform-independent code opens Pandora's box: all the security risks of native development are multiplied by the security risks of web applications.

In the first half of the talk, we start with a short introduction to hybrid app development and present specific attacks, followed by a report on how Android developers are using Apache Cordova. In the second half of the talk, we will focus on developing secure hybrid apps: both with hands-on guidelines for defensive programming and with recommendations for hybrid-app-specific security testing strategies.

Speakers
Achim D. Brucker

The University of Sheffield
Dr. Achim D. Brucker (www.brucker.ch) is a Senior Lecturer and consultant at The University of Sheffield, UK, where he heads the Software Assurance & Security Research Team (logicalhacking.com). Until December 2015, he was a Research Expert (Architect), Security Testing...

Michael Herzberg

PhD Student, University of Sheffield
Michael is a PhD student at the University of Sheffield, working together with Achim Brucker. His focus lies on formal methods for building secure systems, in particular ones using web technologies. Previously he graduated from the Karlsruhe Institute of Technology, Germany...


Friday May 12, 2017 16:15 - 17:00
Waterfront Center: Hall 1B

16:15

On the (in-)security of JavaScript Object Signing and Encryption
JavaScript Object Signing and Encryption (JOSE) has been standardized as a lightweight alternative to XML Signature and Encryption. It was integrated early into authentication and authorization protocols like OpenID Connect and OAuth. In addition, it has been adopted in Web services.

In our research, we provide the first study of JSON security, adapting and extending known attack techniques. We provide an evaluation of four different libraries revealing critical cryptographic attacks, ranging from attacks bypassing JSON Signature (signature exclusion, key confusion, and a timing attack on HMAC) to attacks on JSON Encryption (Bleichenbacher's Million Message Attack).

To facilitate the analysis we developed JOSEPH, the first open-source automated tool for evaluating JSON security. The extensible design of JOSEPH allows one to implement further cryptographic attacks, for example padding oracle or invalid curve attacks.

Speakers
Dennis Detering

IT Security Consultant, CSPi GmbH
Dennis Detering has a Master's degree in IT security from the Ruhr University Bochum and works as a penetration tester at CSPi GmbH in Cologne.

Trainers
Christian Mainka

Security Consultant, Hackmanit GmbH
Christian Mainka is a Security Researcher at the Ruhr University Bochum, Chair for Network and Data Security. Since 2009 he has focused on XML and Web Services technologies, develops his penetration testing tool WS-Attacker and has published several papers in the field of XML sec...

Vladislav Mladenov

Ruhr University Bochum
Vladislav Mladenov is a PhD Student at the Ruhr University Bochum, Chair for Network and Data Security. He is interested in the security of XML-based services. Additionally, he investigates different Single Sign-On protocols like OAuth, OpenID, OpenID Connect and SAML. Other topi...



Friday May 12, 2017 16:15 - 17:00
Waterfront Center: Hall 1A

16:15

Hallway Track
Dedicated room for anyone to use. When you meet friends and colleagues at the conference and want to start your own discussion or session, simply contact the AppSec EU organizers and you can book this room to host it.

There will be chairs, a projector and a whiteboard to facilitate your discussion.

Friday May 12, 2017 16:15 - 17:00
Hallway Track Room

16:40

DevSecOps Roundup: An Overview of the Current State of DevSecOps - Mark Miller and Guests
Join us for a review of the day's sessions and a chance to win customized Lego figures while playing DevOps Presentation Bingo.

Speakers
Dan Cornell

A globally recognized application security expert, Dan Cornell holds over 15 years of experience architecting, developing and securing web-based software systems. As the Chief Technology Officer and a Principal at Denim Group, Ltd., he leads the technology team to help Fortune 500 companies and government organizations integrate security throughout the development process. He is also the original creator of ThreadFix, Denim...

Joseph Feiman

Chief Innovation Officer, Veracode
Joseph Feiman, PhD, is Chief Innovation Officer at Veracode, responsible for advanced technologies that drive innovative security strategies. He is a recognized industry leader with nearly two decades' experience in application development and security, analyzing the markets for Gartner Research. Prior to joining Veracode at the end of 2015, Joseph was a research VP and Gartner Fellow, leading application and data security research. He is widely credited with shaping application security...

Christoph Hartmann

Christoph Hartmann is a lead engineer at Chef and a founder who spent the last decade building complex software and infrastructure systems. Previously, Christoph was responsible for automation at the innovation laboratory at Deutsche Telekom and created effective solutions managi...

Tanya Janca

IT Security Specialist - Vulnerability Assessment Team
Tanya Janca is an application security evangelist, a web application penetration tester and vulnerability assessor, an ethical hacker, the Co-Leader of the OWASP Ottawa chapter, and has been developing software since the late 90s. She has worn many hats and done many things, including Custom Apps, Ethical Hacking, COTS, Incident Response, Enterprise Architect, Project and People Management, and even Tech...

Nigel Kersten

Chief Technical Strategist, Puppet
Nigel came to Puppet from Google HQ in Mountain View, where he was responsible for the design and implementation of one of the largest Puppet deployments in the world. At Puppet, Nigel was responsible for the development of the initial versions of Puppet Enterprise and has since...

Shannon Lietz

DevSecOps Lead, Intuit
Shannon Lietz is an award-winning innovator with over two decades of experience pursuing advanced security defenses and next-generation security solutions. Ms. Lietz is currently the DevSecOps Leader for Intuit, where she is responsible for setting and driving the company's cloud security strategy, roadmap and implementation in support of corporate...

Jack Mannino

Jack is the CEO at nVisium and loves solving problems in the field of application security. With experience building, breaking, and securing software, he founded nVisium in 2009 to invent new and more efficient ways of protecting software. He focuses on solutions for making secur...

Irene Michlin

Principal Security Consultant, NCC Group
Introducing security into the software development lifecycle, threat modelling, security for Agile and Lean. @IreneMichlin

Mark Miller

Senior Storyteller, Sonatype
Some of you might know Mark Miller as the Founder and Editor of EndUserSharePoint.com, and co-producer of NothingButSharePoint, two of the world's largest SharePoint Community initiatives. In a more recent incarnation, he was the co-founder of the "All Day DevOps" live online conference with over 13,500 registrations for the conference, which included 3 simultaneous sessions, 15 hours, 15 time zones, 54 sessions. This was an extension of SharePoint Saturday EMEA, Live Online, a concept initiated seven years ago for the SharePoint Community. Mr. Miller is the Editor-in-Chief of the...

Jeroen Willemsen

Security Architect, Xebia
Jeroen Willemsen is a security architect with a passion for mobile and risk management. He loves to work on secure building blocks, security automation pipelines and embedding information security risk management controls in an agile environment. He is dedicated to helping developer...


Friday May 12, 2017 16:40 - 17:05
Waterfront Center: Hall 2A

17:05

Keynote: Jaya Baloo. Everything is Quantum!

As the race for quantum computing systems rapidly evolves, the threat to modern cryptography becomes more pressing.

There must be new strategies and clear options to ensure data protection for the near and long term.

The presentation will discuss current developments and projects in this area, which is set against the background of ever more persistent government surveillance.



Speakers
Jaya Baloo

Jaya Baloo is the CISO of KPN Telecom in the Netherlands. She won the Cyber Security Executive of the Year award in 2015. Jaya works with an amazing information security team of highly driven specialists. Working in the information security arena for the past 18 years, she has worke...


Friday May 12, 2017 17:05 - 17:55
Waterfront Center: Hall 1A

17:50

Conference Closing Address
Speakers

Gary Robinson

European Board Member and AppSec EU Conference Chair, OWASP


Friday May 12, 2017 17:50 - 18:00
Waterfront Center: Hall 1A