Day Two OWASP AppSec EU

So after a busy day at my graduation, I had the opportunity to fly out for day two of OWASP AppSec EU. An opportunity I took, naturally. Having been to a number of OWASP chapter meetings but never an AppSec conference, I was very much looking forward to it. I am happy to report that, with around 350 people from all over the globe and a variety of backgrounds, it didn’t disappoint!


Below is a brief overview of the talks that I attended.


OpenSAMM Best Practices: Lessons from the Trenches

By Seba Deleersynder & Bart De Win

The first talk I made it to was on the OpenSAMM project. It began by discussing what the OpenSAMM framework is and the challenges faced with adoption. The talk then moved on to look at what has worked well and what hasn’t for organisations trying to implement OpenSAMM, including the lessons learned so far throughout the continued development of the project. There was also discussion on how to help companies assess where they stand in relation to maturity in education and awareness. Overall, OpenSAMM looks to be a great project and all involved seem to be making real strides with it.


Making CSP Work For You

By Mark Goodwin

A surprise talk, as the originally scheduled talk did not happen. Nonetheless, Mark did a great job standing in with an interesting talk on Content Security Policy and its current place in defending against attacks such as XSS. He then went on to discuss some unsafe functions typically found within applications that make them vulnerable, such as eval in JavaScript, and the need to keep code and data separate because the two become confused with each other. The talk contained some nice practical examples and interesting statistics. One big statistic that stood out was that out of the top million websites only 300 currently use CSP, showing that more can be done to raise the overall security posture of applications.
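As an added example (not code from Mark's talk or from this post), here is a small checker for a Content-Security-Policy header value that flags the settings which undo the XSS protection discussed above: 'unsafe-inline', 'unsafe-eval' and wildcard script sources. The directive names and source keywords are from the CSP specification; the two sample policies are constructed for illustration.

```javascript
// Added example: lint a CSP header for settings that weaken its XSS protection.
// Parses the policy into directives, resolves which directive governs scripts
// (script-src, falling back to default-src as browsers do), then reports
// 'unsafe-inline', 'unsafe-eval' and '*' in that list.

function parseCsp(header) {
  const directives = {};
  for (const part of header.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue; // tolerate trailing ';'
    const [name, ...sources] = tokens;
    directives[name.toLowerCase()] = sources;
  }
  return directives;
}

function effectiveScriptSources(directives) {
  // script-src falls back to default-src when absent (per the CSP spec).
  if (directives['script-src']) return directives['script-src'];
  if (directives['default-src']) return directives['default-src'];
  return null; // no restriction on scripts at all
}

function lintCsp(header) {
  const findings = [];
  const sources = effectiveScriptSources(parseCsp(header));
  if (sources === null) {
    findings.push('no script-src or default-src: scripts are unrestricted');
    return findings;
  }
  // Note: browsers ignore 'unsafe-inline' when a nonce or hash source is also
  // present; this simple linter does not model that and still reports it.
  const lower = sources.map((s) => s.toLowerCase());
  if (lower.includes("'unsafe-inline'")) {
    findings.push("'unsafe-inline' allows injected inline scripts (XSS protection lost)");
  }
  if (lower.includes("'unsafe-eval'")) {
    findings.push("'unsafe-eval' allows eval()/new Function(), mixing code and data");
  }
  if (lower.includes('*')) {
    findings.push("wildcard '*' allows scripts from any origin");
  }
  return findings;
}

// Constructed sample policies: a weak one and a stricter one.
const WEAK_POLICY = "default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval' *";
const STRICT_POLICY = "default-src 'none'; script-src 'self' https://cdn.example.com; object-src 'none';";
```

Running lintCsp over WEAK_POLICY returns three findings, while STRICT_POLICY returns none.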


ActiveScan++: Augmenting manual testing with attack proxy plugins

By James Kettle

A nice talk on the Python plugin ActiveScan++ that James created for use within Burp Suite. The talk covered the benefits of implementing vulnerability scanners into intercepting proxies as well as their drawbacks. It looked at how automating attacks, host header injection/poisoning, cache poisoning, DNS rebinding and relative path overwrite could be done, with some good practical examples. The talk finished off by looking at fuzzy point detection and its potential effectiveness. ActiveScan++ was launched with this talk too!


Metro down the tube. Security Testing Windows Store Apps

By Marion McCune

As the name suggests, this talk was focused on security testing Windows Store applications and the direction Microsoft are heading with these applications. It discussed the different kinds of frameworks and applications currently utilised by Microsoft, and what security is and is not employed, including a nice extract of which of the OWASP Top 10 are actively tested for. Also covered was the prospect of universal applications that Microsoft are looking to employ, meaning that one single app could be run on anything from a 4” smartphone to an Xbox One on a 50” screen.


Can Application Security Training Make Developers Build Less Vulnerable Code?

By John Dickson

My final talk of the day was from John Dickson and focused on a study he carried out last year in North America. The study assessed software developers’ depth of security knowledge. It was targeted at software developers and the results were very interesting, with outcomes such as: staff turnover among software developers is typically 20-30% per annum, and in areas such as Silicon Valley it can be even higher. Therefore, if you trained your developers 2 years ago, they aren’t the same developers you have right now, for a varying number of reasons. Your development team can be completely different every few years, so training must be recurrent. Other results included looking at how many developers had been given training; unfortunately the specifics were not questioned, i.e. how long ago it was and what it actually consisted of or its intensity. This is something I believe John is going to look at in the future when carrying out further surveys.


Aftermath/conclusion

Overall I thoroughly enjoyed my first time at OWASP AppSec EU with the 7 Elements team; the talks were good, the stands were excellent, as were some of the freebies! Unfortunately I missed the Automatic Detection of Inadequate Authorization Checks in Web Applications talk. Thankfully, however, there is a YouTube channel for the conference with all the talks, so if you are interested I recommend checking that out! It was also nice to see such a large number of developers attending.


I will leave you with one final statistic from the conference: 83% of software developers know what XSS is but only 11% know how to remediate against it. The definition of “know” is to be confirmed, but it still shows that a lot of education is still required.