AppSec California 2015

Register for Training

Incident Response is a multidisciplinary approach to understanding the methodologies, techniques, and tools for both offensive and defensive security. This course introduces a tactical approach for instrumenting, alerting, and responding for enterprises. Using a combination of new tools, and uncommon techniques students will learn how to defend a network against today’s evolving threats. Real world attacks concentrate heavily on a number of methodologies including; compromising systems without depending upon standard exploits, Personal Security Product (PSP) evasion, unique stealth approaches, persistence mechanisms, and varying degrees of collection strategies. Attendees will learn how real attackers use these strategies and how to detect, alert, respond, and defend against these techniques.

Students will learn:

1. How to manipulate enterprise tools and infrastructures in unusual ways for better security
2. Build and employ custom logging tools for detecting lateral movement, persistence mechanisms, data targeting, and exfiltration
3. How to provide actionable data to help decision makers
4. Properly defend against and respond to incidents on a network
5. Offensive mindset for defensive purposes

The following items are the topic areas that will be covered in the class:

1. Real offensive mindsets, not penetration testing mindsets, for enterprise response
2. Proper response mechanisms and communication
3. Host and network indicator extraction for enterprise results
4. Quickly gather and identify data for incident use
5. Host logging and auditing
6. Leveraging active directory
7. PCAP and network intelligence extraction
8. Advanced host and file triage capabilities
9. Host command and process monitoring across a host

Students will get the chance to work with real “APT” tools and see the unique differences between how they are used in real attacks vs the penetration testing tools used today. These differences will help students learn how to truly detect real adversaries. The labs will be interwoven into the lecture so that students will receive a significant amount of time exercising these new skills as they learn. By the end of the class students will have spent 50% of the time in a lab environment. A significant portion of the class will be dedicated to building new tools, on the fly, to solve the challenges posed by a difficult adversary. Questions can be sent to training@attackresearch.com.

Register for Training
The major cause of application insecurity is insecure software development practices. This highly intensive and interactive course provides essential application security training for web application, webservice and mobile software developers and architects.

This class is a combination of lecture, security testing demonstration and code review. Students will learn the most common threats against applications and how to defend against them in a variety of programming frameworks.

The following topics, and more, will be covered.

1. HTTP Basics
2. SQL and other Injection
3. Authentication
4. XSS Defense
5. Content Spoofing
6. HTML Hacking
7. Access Control
8. Cross Site Request Forgery
9. Clickjacking
10. Applied Crypto Basics
11. Mobile Security
12. SDLC Architecture
13. App Layer Intrusion Detection
14. Webservice Security
15. HTML5 Security Considerations
16. Multi-form Workflow Security Considerations

This course is built for the software developer, but any application security professional wishing to learn more about secure coding techniques will benefit.

This training will walk through the 7 stages of the Process for Attack Simulation and Threat Analysis (PASTA), a risk centric approach to threat modeling that can be paralleled to SDL activities for developers, architects, system engineers, and (of course) security professionals. Students will begin by learning about threat modeling fundamentals that are agnostic to any methodology. Activities such as application deconstruction, data flow diagramming, enumeration exercises, use/ abuse case mapping will all be exemplified in the training. The key benefit will be in applying a risk centric approach to threat modeling via the PASTA approach which looks to identify the most likely attack vectors based upon harvesting threat intelligence sources and evaluating other factors such as deployments models, inherent industry threat agents/ motives, and overall application architecture. An outline of the training to be provided is included below:

I. Threat Modeling Intro & Primer
  A. Objectives & Approaches
  B. Threat Modeling Taxonomy & Syntax
  C. Tools & Techniques
  D. PASTA Methodology Overview
II. P1 – Define Business Objectives of Application Threat Model (Goal: Define Impact)
  A. Enumerate business objectives serving as application drivers
  B. Identify application data types (privacy implications)
  C. Identify regulatory impact/ landscape for application environment
  D. Identify SLAs associated with product app
III. P2. Define Technology Scope (Component Enum)
  A. Enum Application Frameworks leveraged by Framework
  B. Enum platform components (system OS, etc.)
  C. Enum actors running component processes
  D. Enum network services supporting various layers of application architecture
  E. Enum third party product (COTS) supporting application solution
  F. Enum data components across application layers
  G. Enum existing countermeasures (processes, technological controls, etc.)
IV. P3 – Application Decomposition (Call Tracing – Understanding calls amongst app components)
  A. Identify Use Cases using Components
  B. Map Call Flows amongst App Components
  C. Identify Trust Boundaries in the Application
  D. Perform CRUD exercises on back data storage sources (DBs, disk, client data storage)
  E. System level permissioning review
  F. Open and Integrated Auth Model Considerations
  G. Cloud API considerations
V. P4 – Threat Analysis
  A. Harvesting relevant threat intel sources (external sources)
  B. Harvesting threat data (internal sources)
  C. Probabilistic threat analysis
  D. Deployment models and architectural review of apps
  E. Identifying Threat Agents and Motives for targeted app
VI. P5 – Vuln Analysis
  A. Leveraging vulnerability assessments
  B. Using a strong Weakness/ Vulnerability Library (CVE/ CWE)
  C. Identifying & Correlating flaws in application model
  D. Identifying & Correlating system/ DB/ framework related vulnerabilities
VII. P6 – Attack Modeling
  A. Leveraging a valid attack library (CAPEC)
  B. Understanding Kill Chains and Attack Trees
  C. Assigning probabilities to attack branches (probabilistic analysis of attacks)
D. Exploit DB & Common Attack Patterns
VIII. P7 – Residual Risk Analysis & Countermeasure Development
  A. Inherent countermeasures
  B. Inherent countermeasure effectiveness
  C. Residual Risk Analysis
  D. Impact Analysis from Threats
  E. Prioritizing Countermeasures
IX. Threat Modeling Vignettes
  A. Threat Modeling Exercises in groups
X. Maturity Modeling & SDLC Integration
  A. OpenSAMM Use
  B. SDLC Metrics
  C. RACI for PASTA

Register for Training

This course focuses on building secure Ruby on Rails applications. In addition to covering existing vulnerabilities within the OWASP Project built by the instructor dubbed “Railsgoat”, there will be comprehensive discussion on the implementation of Rails specific defense mechanisms. Students will learn attack techniques, all of which are specific to the Rails framework. The OWASP Top 10 Risks and Controls will be covered at great length as well.

After an overview on the fundamentals of Ruby on Rails, students will be immersed in modifying and improving the security flaws within the Railsgoat application. In addition to Rails-specific manifestations of the OWASP Top 10 vulnerabilities, students will learn about advanced topics such remote code execution and MetaProgramming vulnerabilities.

At the end of this course, attendees should understand how to review and protect their Rails applications, implement proactive defensive measures, and perform penetration testing geared towards Ruby on Rails applications.

High-level Course Outline:

- Secure use of cryptographic libraries
- Authentication system
• Password complexity
• Time-based attacks
• Enumeration
• Lockout
• Insecure forgot password functions
- Authorization
• Insecure direct object reference
• Impersonation functionality
• Role Based Access Controls
- Metaprogramming Issues
• Common flaws
• Secure usage of metaprogramming methods
- SQL Injection
• Scoping
• String interpolation or concatenation
• Insecure use of unsafe methods such as pluck
- Insecure usage of validation functions
- Insecure application configuration(s)
- Cross-Site Scripting (XSS)
• Types of XSS
• XSS Context - JS, HTML, JSON, CSS
• Vulnerable templating language methods
• Demonstrate impact
• CSP + Secure Header RubyGem
- Session management issues
• Client-side cookies
• Improper destruction
• Session Fixation
- Remote Code Execution flaws
• Serialization libraries
- Misconfiguration in application settings
- Denial of Service
- Sensitive Data Exposure
• Model attribute exposure
• Application log handling
- Defensive Measures
• Guard
• Brakeman
• Bundler-Audit
• Security-based Unit-Tests

Register for Training

Most web application developers have heard about SQL Injection and Cross-Site Scripting, but few know which safeguards are really effective against expert hackers. Exploitation techniques have greatly evolved in the last few years and programmers need to keep their guard up. They are in the tough position of securing systems against experienced hackers. What help do they have?

The OWASP Top 10 web application vulnerabilities list has done a great job promoting awareness on the subject. Along with many cheat sheets, they provide valuable tools and techniques to web developers. But such a great source of information could be overwhelming for the programmer who wants to learn about security. This course aims at providing all web developers deep hands-on knowledge on the subject.

To achieve this goal, participants will first learn the technical details about each OWASP Top 10 vulnerability. Then the instructor will give demos on how attacks are performed against these vulnerabilities. After that, participants will use virtual machines and follow step by step procedures to launch attacks against a vulnerable web site. This step is key in understanding how exploitation works so they can later implement effective safeguards in their systems. Our experience is that participants who have had hands-on experience at exploiting vulnerabilities will always remember how to prevent them.

At the end of the course, participants will have learned:
• What are the OWASP Top 10 vulnerabilities
• How hackers exploit them
• Which safeguards are effective… and which ones are not!

The course will cover the following topics:

1. SSL Certificates
2. Effective Password Management
3. Secure Application Architecture
4. Injection Attacks
5. Command Injection
6. File Injection
7. SQL Injection
8. Cross-Site Scripting (XSS)
9. Cross-Site Request Forgery (CSRF)
10. Broken Authentication and Session Management
11. Insecure Direct Object References
12. Security Misconfiguration
13. Sensitive Data Exposure
14. Missing Function Level Access Control
15. Using Known Vulnerable Components
16. Unvalidated Redirects and Forwards
17. Securing Web Services (REST and SOAP)
18. Secure Coding Best Practices
19. List of Effective Safeguards

Hands-on Exercises:

1. Session Initialization and Client-Side Validation
   1. Part 1: Web Proxy and Session Initialization
   2. Part 2: Client-Side Validation
2. Online Password Guessing Attack
3. Account Harvesting
4. Using a Web Application Vulnerability Scanner
5. Optional Exercises:
   1. Sniffing Encrypted Traffic
   2. Command Injection
   3. Create SSL certificates

This course is designed to help intermediate to expert web developers and security professionals understand how to secure web applications. Candidates are expected to have basic knowledge of HTML, XML and SQL, but no experience in security is required prior to taking this course. However, security professionals who want to learn more about web security will benefit from this class.

Participants are asked to bring a laptop (Windows, Mac or Linux) with at least 3 GB of RAM, 20 GB of free disk space, a DVD reader and either VMWare Player (free), VMWare Workstation, VMWare Fusion or Oracle VirtualBox pre-installed. They must also have an administrator/root account on their laptop. At the beginning of the course, participants will receive a DVD containing two pre-configured virtual machines.

Register for Training
Year after year, cryptography is incorporated in to more and more systems. Whether it be encrypting data in transit with off-the-shelf protocols, or implementing custom encryption mechanisms for data at rest, software developers are increasingly expected to leverage cryptography to meet security demands.

However, few developers have the experience or training to implement cryptography safely. The significant learning curve associated with using any cryptographic primitive properly, combined with the error prone APIs that most development environments expose to developers has led to countless flaws in modern applications.

This course is designed to provide attendees with the core concepts required to make informed decisions about what cryptographic primitives and APIs are safest to use in practice. Attendees will further learn that with a proper implementation, cryptography can make their development tasks easier, in addition to being more secure.

No significant background in cryptography is required to take this one-day course. However, attendees are expected to have a software development background. Lab sessions will include short exercises which ask students to write simple programs in their chosen language to solve various challenges. The content will include approximately 50% lecture and 50% labs or other exercises to reinforce the concepts presented.

Expected Outline:

0. Intro

1. Cryptography Primer/Refresher
– Symmetric Encryption
– Pseudorandom Number Generators
– Hashing and Integrity Protection
– Asymmetric Encryption
– How Crypto Makes Life Easier

1L. Crypto Basics Quiz & VM Setup

2. Overview of Modern Attacks and Common Mistakes
– PRNG issues, APIs
– Integrity Problems
– Padding Oracle Attacks
– Modern Password Cracking

2L. Exercise: Fix their Code

3. Key Exchange and PKIs
– Man-in-the-middle attacks
– PKI approaches
– Problems with PKIs
– Certificate Pinning

3L. Certificate Validation Testing

4. Practical Concerns
– Recent SSL/TLS bugs
– Standard API Overviews: Java, .NET, OpenSSL
– Better APIs: NaCl, KeyCzar,
– Ciphertext Fuzzing Techniques ?

4L. Exercise: Implement a Safe Token

This event requires separate registration: https://pages.bugcrowd.com/Appsec-California-Bug-Bash.html

Bugcrowd is proud to host the AppSec Cali Bug Bash - a bug bounty hackathon where cash bounties will be rewarded to those who discover vulnerabilities in companies such as Heroku, Indeed, Blackphone, and more who utilize Bugcrowd's Crowdcontrol platform.

We'll be rewarding the best bug with a Parrot 2.0 AR Drone 2.0: Power Edition, so make sure to bring your laptop for some hacking! Note: You must be physically present at the event for a chance to win the drone.

You'll learn the steps researchers go through to find vulnerabilities by acting as one, and how Bugcrowd's Crowdcontrol simplifies the validation process for security teams. 

Forget the golf course – security folks do Brazilian jiu-jitsu!

For whatever reason, there is a high proportion of infosec folks who train BJJ. The BJJ Smackdown is a chance for us to do what we love best – training jiu-jitsu – with our friends and peers in the industry when we get together at infosec and appsec security conferences like RSA and Blackhat. For the first time OWASP AppSec California will offer its own Smackdown.

The event will take place at the academy of Shawn Williams, a 3rd degree black belt under the one and only Renzo Gracie. If you watch any IBJJF broadcasts, you’ll recognize Shawn as he’s one of the commentators! Shawn’s academy is holding open mat that evening and it’s close (~25 minutes) by Los Angeles standards.

If you’d like more information, please reach out to Caleb. 

This even twill consist of a variety of challenges and will test a variety of skills. Some sugjects might include but are not limited to:

• Physical Security
• Web application security
• Reversing
• Forensics

This is an open event where people can etner at any time throughout the main event.

This even twill consist of a variety of challenges and will test a variety of skills. Some sugjects might include but are not limited to:

• Physical Security
• Web application security
• Reversing
• Forensics

This is an open event where people can etner at any time throughout the main event.

Chrome is a browser built for the modern web and driven by three guiding principles: speed, simplicity, and security. This talk will focus on Chrome’s approach to the latter while highlighting parallels between software security and medicine. I’ll review Chrome's vitals and architecture, some of our healthy engineering habits, facets of our immune response, genetic susceptibility to insecurity (and how we manage risk), and more. You'll leave with a better understanding of Chrome and probably a few bits of trivia about human health.