Presentations
Mobile AppSec: Development and Alphabet Soup

There are approximately 6 billion mobile devices in the world today, and the number of mobile applications available in Google Play and the Apple App Store is around 1.5 million. Vulnerabilities and mobile malware are skyrocketing, and the development of new applications and the release of new devices continue at an increasing pace. We are treating mobile application security like a foreign language and are struggling with an alphabet soup of BYOD, MDM, MAM, and MNM. Dave will explain his experiences in running a mobile application security practice and the solutions he is seeing in the industry for effectively managing the mobile security of devices, applications, and data. Dave will talk about how to effectively protect your data and applications from the bad guy.

Download presentation

Aspect 2013 GLOBAL APPLICATION SECURITY RISK REPORT

“Insights extracted from thousands of application security risks carefully identified, analyzed, scored, and documented for clients with critical application portfolios. Aspect’s verification efforts are primarily manual code review and manual security testing, and our results shine a light on the dangers of relying on highly automated approaches to application security.”

View Report

Real World Application Security in Real Time (04.18.2013)

Presented by: Jeff Williams, CEO – Aspect Security, Inc. & Co-Founder of OWASP

Application security has never been more important, yet traditional approaches are starting to fall apart as applications get larger, faster, and more complex while software development has accelerated to “ludicrous speed.” Unless something changes quickly, the world’s entire, limited pool of security experts will soon be completely absorbed seeking out Cross Site Scripting (XSS) vulnerabilities. A new, automated approach called IAST has the potential to achieve better vulnerability analysis results in a way that is much more compatible with the way in which software is developed.

View Presentation

Mobile Application Security – There’s No App For That (02.14.2013)

Presented by: Dave Lindner, Global Practice Manager – Application Security Services & OWASP Mobile Top Ten Mobile Project Contributor

The number of mobile applications available in Google Play and the Apple App Store is nearing 1.5 million, and vulnerabilities are skyrocketing. On average, Aspect finds 11.6 vulnerabilities in every mobile application we verify. Dave will share his experiences leading Aspect’s Mobile Application Security practice, including the tools and advanced techniques we use. Mobile application security isn’t only about writing secure apps. Organizations also have to protect themselves against employees who download malicious and vulnerable applications and use them on their mobile devices while they access corporate systems. Dave will talk about BYOD, BYON, and MDM issues as they pertain to protecting your data and applications from the bad guy. Join David as he explains mobile application security and why your existing web application security practice needs to adapt and change as this new threat grows in importance. Dave has first-hand expertise in helping clients in the financial and retail sectors with their mobile application security programs.

View Presentation: Conference Video
Presentation: Download PDF

Mobile Applications & Proxy Shenanigans (10.25.2012)

Presented by: David Lindner, Global Practice Manager, Mobile Application Security Services
Dan Amodio, Application Security Engineer

With over 5 billion mobile devices presently in use, mobile applications enable new threats and attacks that introduce significant risks to organizations. As such, it is imperative that we perform our normal application security procedures on all mobile applications, including pen testing and code reviews. Pen testing mobile applications has proven to be difficult when typical application security testing practices are employed. Proxying mobile traffic for examination and modification is anything but straightforward, and every application presents its own unique challenges. David and Dan will explain the issues that arise when trying to proxy mobile application traffic. Join Dan and Dave as they provide guidance and a roadmap so that you may overcome these obstacles.

View Presentation: Conference Video
Presentation: Mobile Application and Proxy Shenanigans PDF

Get Rugged! The Practical Path to Securing the Software that Powers Your Business (10.26.2012)

Presented by: Jeff Williams, CEO

Would it surprise you to know that although the threat has changed dramatically in the last 30 years, the techniques for building secure code have hardly advanced at all? We trust software with our lives, our safety, our healthcare, our communications and our businesses. Unfortunately, there are over 925 different ways that developers can introduce vulnerabilities. The result is widespread flaws that criminals who know how to exploit them can use to cause malicious harm to others. What does it take to create and deploy secure applications? How do you get a handle on your application portfolio? How do you create a positive, practical and responsible application security program? Join Jeff Williams to learn about the steps your organization can take immediately to Get Rugged and improve your organization’s security posture.

View Presentation: Get Rugged! The Practical Path to Securing the Software that Powers Your Business

Unraveling Some of the Mysteries around DOM-Based XSS (10.26.2012)

Presented by: Dave Wichers, COO

DOM-based XSS was first revealed to the world back in 2005 by Amit Klein, when it was an interesting theoretical vulnerability. In 2012, with the push towards Web 2.0 well into the mainstream, DOM-based XSS has become a very commonly uncovered and exploited vulnerability, but it’s poorly understood. This talk focuses on the full range of issues around DOM-based XSS. It begins with a discussion of the technical details of the vulnerability, the true nature of the risk it introduces (both likelihood and impact), and some new terminology and updated definitions of what truly is a DOM-based XSS vulnerability as compared to the standard Stored and Reflected XSS that the community is well aware of. We then discuss the difficulties that security analysts face when trying to find DOM-based XSS flaws, and provide recommended analysis techniques that help move DOM-based XSS discovery from an art towards more of a science. In closing, we discuss simple techniques for avoiding DOM-based XSS issues in the first place, as well as how to mitigate issues that are uncovered during a security review.

View Presentation: ASDC12 – Unraveling some of the Mysteries around DOMbased_XSS

Keynote: Stop Fighting It – How to Ruggedize Your Culture and Make Security Easy (10.10.2012)

Presented by: Jeff Williams, CEO

Many organizations have reacted to the onslaught of vulnerabilities in their code by searching harder – more dynamic scans, more static analysis, more code review, and more penetration testing. But the cost and complexity of these reactive programs will continue to increase until they are completely ineffective. The only way to get in front of the problem is to find a new path that leads to a healthier software development lifestyle.
In this keynote address, Jeff presented a new mindset towards application security called “Rugged.” We won’t find the culture change we’re looking for in a process model or in a new tool. We’re going to explore techniques for creating a development organization where everyone is aligned on what security means and what their responsibilities are. Think of how Apple’s culture produces usability or how Google creates innovation. Application security has many more questions than answers, and today’s solutions are not up to the challenge.

View Presentation: Beyond AppSec…Get Rugged!

Using Instrumentation to Find Vulnerabilities in Java EE Applications (10.01.2012)

Presented by: Jeff Williams, CEO and Arshan Dabirsiaghi, Director of Research

Java EE™ is the platform of choice for critical applications – exactly the ones targeted by groups like Anonymous and organized crime. However, discovery of software vulnerabilities has always been a costly and error-prone process. We have discovered a way to use the Java™ Instrumentation API to perform “intrinsic analysis” – finding vulnerabilities from within a running application. Our approach is simple to install and powerful – enabling developers to find security flaws without headaches and false alarms. We’ve created a Java agent that runs in your app server and discovers vulnerabilities passively as you develop and test, without requiring anyone to attack your code!

View Presentation

Proactive Mobile Forensics: Where is Your Data? (07.11.2012)

Presented By: Dave Lindner

With over 5 billion mobile devices presently in use, mobile applications enable new threats and attacks that introduce significant risk. The biggest risks are data loss through an exploit or from devices being lost or stolen. Are your mobile applications susceptible to common software vulnerabilities? Do you know what critical data is being stored on these devices and backed up in the cloud? Is your sensitive data protected if a device is lost or stolen? Join David as he explains how to be proactive by examining your mobile applications, provisioned devices and their footprints.

As Aspect Security’s Global Practice Manager of Mobile Application Security Services, David has first-hand expertise in helping clients in the financial and retail sectors with their mobile security programs. David is an OWASP Mobile Top 10 Project Contributor.

View Presentation: www.brighttalk.com

The Unfortunate Reality of Insecure Libraries (04.04.2012)

Presented By: Jeff Williams, CEO

More than half of the Global 500 use software built using components with vulnerable code. 80% of the code in today’s applications comes from libraries and frameworks. The risk of vulnerabilities in these components is widely ignored and underappreciated. Our researchers analyzed over 113 million downloads by more than 60,000 commercial, government and non-profit organizations. We studied the 31 most popular Java frameworks and security libraries downloaded from the Central Repository (“Central”) and discovered that 26% of these have known vulnerabilities. Every organization should be concerned about the security of the components that they use and trust to run their business.

View presentation: https://isc2.brighttalk.com/

Securing the Cloud – Best Practices from Private to Public (05.23.2012)

Join industry leaders representing the top IT security publications, alliances and organizations as they discuss best practices for securing your data in private, hybrid and public environments.

Panelists: Peter Judge, UK Editor, Tech Week Europe (moderator)
Jeff Williams, CEO Aspect Security
Daniele Catteddu, Managing Director EMEA, Cloud Security Alliance
David Mortman, Chief Security Architect, enStratus
JD Sherry, Director – Public Sector IT Security Solutions, Trend Micro

View webcast: http://www.brighttalk.com/webcast/288/46455

You Can’t Hack Yourself Secure (05.04.2012)

Presented by: Jeff Williams, CEO

Penetration testing is the most widespread assurance technique used today, but it is wildly inconsistent, reactive, and negative. Web applications have been enjoying a golden age of very easy “pentesting,” but that’s all about to change as technologies with faster transactions, more complex data structures, and custom protocols emerge. For a variety of reasons, the assurance challenge is not one that can be overcome with more and more powerful automated vulnerability tools. Jeff shares his experience helping organizations get over their pentesting addictions and build positive application security programs, like Microsoft Security Development Lifecycle.

View webinar: http://www.youtube.com/watch?v=egRzplcK7xo

Unraveling Some of the Mysteries around DOM-based XSS (04.04.2012)

Presented by: Dave Wichers, COO

DOM-based XSS was first revealed to the world back in 2005 by Amit Klein, when it was an interesting theoretical vulnerability. In 2012, with the push towards Web 2.0 well into the mainstream, DOM-based XSS has become a very commonly uncovered and exploited vulnerability, but it’s poorly understood.

This talk focuses on the full range of issues around DOM-based XSS. It starts with a discussion of the vulnerability’s technical details, the true nature of the risk it introduces, and some new terminology and updated definitions of what truly is a DOM-based XSS vulnerability as compared to the standard Stored and Reflected XSS that the community is well aware of. We then discuss the difficulties that security analysts face when trying to find DOM-based XSS flaws, and provide recommended analysis techniques that help move DOM-based XSS discovery from an art towards more of a science. We also discuss simple techniques for avoiding DOM-based XSS issues in the first place and how to mitigate issues that are uncovered during a security review.

View webinar: https://www.owasp.org/images/f/f4/ASDC12-Unraveling_some_of_the_Mysteries_around_DOMbased_XSS.pdf

Understanding IAST – More Context, Better Analysis (04.05.2012)

Presented by: Jeff Williams, CEO

Automated tools for application security are either “static” (SAST) or “dynamic” (DAST). But recently, new classes of “interactive” or “intrinsic” (IAST) tools have emerged — some are calling them “hybrid” analysis tools. Is this finally application security automation that works? Or is it just another round of hype and false alarms? Jeff explains IAST technology and how it can be used to find security vulnerabilities. We cover the full range of IAST approaches, from simple URL-to-code informers, to dynamic test generators, and all the way to fully integrated vulnerability detectors. How can we compare the performance of these new tools? Jeff shares experiences using the static analysis test suite from the NSA to evaluate tool results. Finally, we discuss some of the implications of detecting vulnerabilities in running applications, from getting better security results from QA teams to the possibility of a future where all apps (web, mobile, cloud, desktop, etc.) detect and report their own vulnerabilities while they are being used.

Don’t Get Injected: Verify Your Code (03.14.2012)

Presented by: Dave Wichers, COO & Cofounder, Aspect Security & OWASP Board Member

There’s only one surefire way to prevent SQL injection, the #1 most frequent and damaging application security attack: verify that your code does not have SQL injection vulnerabilities. SQL injection allows hackers to steal or modify everything in your database. Code review is the most effective analysis technique for finding SQL injection flaws, and it also pinpoints exactly where the flaw is located, making it much easier and faster to remediate. If your organization is still solely focused on application penetration testing, you are wasting your time and putting your organization at risk. Join Dave and learn about the simple genius of performing application code review to efficiently identify vulnerabilities in your applications.

View webinar: http://www.brighttalk.com/r/g8B

AppSec Inception – Exploiting Software Culture (a.k.a. Exploiting the Software Ecosystem) (12.12.2011)

Presented by: Jeff Williams, CEO

Learn how to create a software ecosystem that produces security naturally. No matter how fast you are at playing vulnerability whack-a-mole, the moles always win eventually. If you truly want to get in front of application security, you have to start looking at changing your software development culture. Jeff shares his experiences with multiple approaches to changing security culture, going back to the late 1980s. Not surprisingly, few of these approaches have made any difference. OWASP represents a new approach, and is an interesting experiment in how we change software culture worldwide. Jeff extracts and clarifies the lessons from OWASP that you can use in your own organization to bootstrap a software culture that generates security.

View webinar: http://vimeo.com/33555368

Scaling AppSec the Right Way with OWASP ESAPI (11.17.2011)

Presented by: Jeff Williams, CEO

There’s a math problem with application security. The costs associated with finding and fixing an organization’s software vulnerabilities are dramatically more than anyone has to spend. Attempts to automate our way out of this crisis have left us with inch-deep coverage and huge numbers of minor findings to address. Fortunately, there is another way. Jeff started the OWASP Enterprise Security API (ESAPI) Project to encourage organizations to standardize and externalize their security controls. By making security simpler for developers, we can break the cycle of chasing vulnerabilities and get proactive about security. Jeff shows how you can get started with this approach, and how other organizations have used it to eliminate entire classes of vulnerabilities from their codebase and their culture. The ESAPI Project mission is to ensure that every developer in every environment has a set of simple and strong security controls. Shouldn’t your developers have the same?

View presentation: Scaling AppSec the Right Way with OWASP ESAPI

Creating a Culture of Responsible Application Security (12.06.2011)

Presented by: Jeff Williams, CEO

The applications we entrust with our healthcare, financials and national defense are just as vulnerable as other code. The problem is that while our threat environment has changed dramatically over the last 20 years, the way in which we write code has not. Security doesn’t have to weigh down software development. A responsible application security program provides services that make software development more agile and efficient. Jeff shares success stories from large organizations that have standardized their application security controls, raised the awareness of their personnel, and transitioned away from punitive penetration testing programs to a positive verification approach.

View webinar: http://www.bankinfosecurity.com/webinars/creating-culture-responsible-application-security-w-248

How to Audit Enterprise Application Security (11.15.2011)

Presented by: Jeff Williams, CEO

How do you know if your organization is creating and deploying secure applications? Insecure applications put organizations at risk on a variety of levels. Are the right risk management and security standards in place in your organization? Do you verify the security of your entire application portfolio? Are your developers armed with the technical controls, services and education that they need? Does your IT staff have the application security knowledge and skills that are required? During this presentation, Jeff demonstrates how to audit the enterprise controls you’ll need to build, deploy and operate secure applications to protect your business, your data and reputation.

View presentation: https://isaca-washdc.sharepointsite.net/webresources/Presentations/201111_session6.pdf

Addressing the Top 5 Web Application Security Threats (10.13.2011)

Presented by: Dave Wichers, COO, Co-author & Project Lead – OWASP Top Ten

Dave explains the Top 5 of the OWASP Top 10 – 2012 Most Critical Web Application Security Risks, and presents the most effective methods for eliminating them from your applications and, even better, for avoiding introducing them in the first place. Dave focuses on the most cost-effective techniques for stamping these issues out across your entire portfolio, rather than eliminating them one vulnerability at a time.

View webinar: http://www.brighttalk.com/webcast/1903/32669

2011 Defense Against the Dark Arts (09.14.2011)

Presented by: Chris Schmidt, Application Security Engineer

Chris demonstrates how you can use ESAPI to protect your application from vulnerabilities that could lead to serious breaches by attackers, ranging from script kiddies to the advanced persistent threat. We will examine high-profile attacks and the defenses to be used against them. Using the recent Sony and Citibank breaches as illustrations, Chris discusses how you can protect your application from the same types of attacks by leveraging the components in ESAPI to detect and react to the threat before it becomes a breach.

View this presentation