Title: Defensive Programming for PHP
Trainer: Mike Doyle
When: October 22nd, 2013
Where: LASCON 2013, Austin, TX (held at Norris Conference Center)
Cost: $245, includes meals
Abstract:
This full-day course helps PHP developers understand the features and specifics of the platform that can potentially introduce risks. The course builds upon this knowledge and teaches a set of defensive programming techniques that can be followed to create secure PHP applications.
PHP is a powerful and versatile web development platform that is widely used throughout the industry. PHP applications are generally affected by most of the same risks that affect web applications written in other languages. Although it has a lot in common with other web platforms, there are specific aspects of PHP that set it apart from the other technologies. This is also true from a risk perspective. Some PHP risks are unique or amplified by the platform.
The features and specifics covered by this course include (but are not limited to) unsafe PHP configuration, null-byte issues, dangerous APIs, cryptography, and dynamic file inclusion issues. Defensive techniques covered by this course include the areas of file system access, session management, authentication, input validation/output encoding, cross-site request forgery prevention, transport security, and techniques for the prevention of injection attacks.
This course is structured into modules that cover the areas of concentration for defensive programming for the PHP platform and includes code analysis and remediation exercises. The high-level topics for this course are:
Labs and Demonstrations
Two labs guide the student through secure configuration and remediation of an insecure PHP application. These labs are provided as an Oracle VirtualBox VM running a typical LAMP stack with configuration management provided by Puppet. A variety of supplemental open source development and security tools are provided on the VMs. Students who wish to participate are encouraged to bring their own laptops with Oracle VirtualBox. Students may wish to collaborate in pairs or small groups.
There are also two interactive demonstrations during which the PHP application is exploited to show directory traversal, information leakage, and SQL injection. Cost is $245.
Title: Secure Developer Training: OWASP Top 10++
Trainer: Matt Tesauro
When: October 22nd and 23rd, 2013
Where: LASCON 2013, Austin, TX (held at Norris Conference Center)
Cost: $495, includes meals
Abstract:
The Secure Development Training is a two-day (16 hour) instructor-led course that covers a variety of topics including the OWASP Top 10 Web Application Security Vulnerabilities, Threat Modeling, Basic Security Theory and Encryption. The course includes hands-on labs, interactive exercises and group discussion driven exercises. Special attention is given to mitigation of vulnerabilities in the lab application, particularly at design time or during initial application development.
Real-world examples drawn from the pen testing experience of the instructor are used to demonstrate how minor vulnerabilities can be chained into surprising compromises. The goal of this course is to increase the security awareness and experience among developers, with the subsequent result of producing increasingly rugged code going forward. Additional information covering the gamut of resources available to developers from OWASP is interwoven into the course. Upon completing the course, attendees should have increased their security foo substantially.
The lab application is written in Python but the training will be programming language agnostic. Cost is $495.
Title: Securing Mobile Devices and Applications
Trainer: David Lindner
When: October 22nd and 23rd, 2013
Where: LASCON 2013, Austin, TX (held at Norris Conference Center)
Cost: $495, includes meals
Abstract:
Mobile applications enable new threats and attacks which introduce significant risks to the enterprise, and many custom applications contain significant vulnerabilities that are unknown to the team that developed them. Considering that the number of mobile applications available in Google Play and the Apple AppStore is nearing 1.5 million and vulnerabilities are skyrocketing, it is imperative to perform typical application security practices. But how is mobile different?
This two-day, hands-on course enables students to understand how easily mobile devices and applications can be successfully attacked. They will learn how to identify, avoid and remediate common vulnerabilities by walking through a threat analysis and learning critical security areas such as those identified in the OWASP Top Ten Mobile Risks and Controls. Using state-of-the-art testing tools, students will learn how to secure mobile devices across the enterprise. Students will be able to choose from iOS or Android hands-on labs throughout the course, while they learn how easily the bad guy can compromise applications and the data they contain.
Title: Defensive Programming for JavaScript & HTML5
Trainer: Ksenia Dmitrieva
When: October 23rd, 2013
Where: LASCON 2013, Austin, TX (held at Norris Conference Center)
Cost: $245, includes meals
Abstract:
Understand JavaScript and HTML5 Features to Secure Your Client-side Code.
This full-day course helps web front-end developers understand the risks involved with manipulating JavaScript and HTML5 and apply defensive programming techniques in both languages.
Some of the topics covered include, but are not limited to, important security aspects of modern browser architecture (DOM and SOP), XSS, CSRF, DOM manipulation, Sandboxing iframes, JavaScript Execution Contexts, CORS, Web Messaging, Web Storage, and JSON.
This course is structured into modules and includes code analysis and remediation exercises. The high-level topics for this course are:
• The HTML5 and JavaScript Risk Landscape
• Storage of Sensitive Data
• Secure Cross-domain Communications
• Implementing Secure Dataflow
• JSON-related Techniques
Objectives
After completing this course, students will be able to:
• Apply HTML5 Defensive Programming Techniques
• Apply JavaScript Defensive Programming Techniques
• Apply JSON Defensive Programming Techniques
There should be a maximum of 20 students.
Labs and Demonstrations
If students bring their own laptops with VirtualBox software installed, they can install an Ubuntu VM (provided by the instructor) with an insecure web application, and students will participate in two interactive lab sessions where they will learn to fix issues related to the localStorage object, web messaging, the sandbox attribute for iframes, input validation and output encoding, parsing JSON data, and cross-site scripting. There are also two interactive demonstrations showing how to tamper with client-side data, evade client-side filters and work with Firebug. The labs are not compulsory to get the full value of the course.
In the Internet of Things, security issues have grown well beyond our day jobs. Our dependence on software is growing faster than our ability to secure it. In our efforts to find the grown-ups who are paying attention to these risks, one painful truth has become clear: The Cavalry Isn't Coming. Our fate falls to us or to no one. At BSidesLV and DEF CON 21, a call was made and many of you have answered. At DerbyCon, we begin the work of shaping our futures. Here at LASCON, we have the opportunity to level-up and reframe our role in all of this. As the initiated, we face a clear and present danger in the criminalization of research, to our liberties, and (with our increased dependence on indefensible IT) even to human safety and human life. What was once our hobby became our profession and (when we weren't looking) now permeates every aspect of our personal lives, our families, our safety... Now that security issues are mainstream, security illiteracy has led to very dangerous precedents as many of us are watching our own demise. It is time for some uncomfortable experimentation.
Traditional approaches to secure development lifecycles have relied on high-touch and process-driven models involving a series of assessments (e.g. design review, threat model, vuln scan) and associated decisions on whether to proceed to the next phase and gate. While this model serves many well, there are an increasing number of organizations embracing concepts like DevOps, agile, cloud, and continuous delivery that are looking for more pragmatic, automated, and dynamic approaches that suit the technology and business environments in which they exist. In this talk, Jason will highlight some of the ways Netflix has approached this shift, emphasizing practical methods to problems ranging from continuous assessment to regulatory compliance to team staffing.
This talk will discuss amusingly simple yet effective techniques to detect vulnerabilities as they're discovered by attackers, as well as how to make specific types of malicious activity economically infeasible.
Online advertising networks can be a web hacker’s best friend. For mere pennies per thousand impressions (that means browsers) there are service providers who allow you to broadly distribute arbitrary javascript -- even malicious javascript! You are SUPPOSED to use this “feature” to show ads, to track users, and get clicks, but that doesn’t mean you have to abide. Absolutely nothing prevents spending $10, $100, or more to create a massive javascript-driven browser botnet instantly. The real-world power is spooky cool. We know, because we tested it… in-the-wild.
With a few lines of HTML5 and javascript code we’ll demonstrate just how you can easily commandeer browsers to perform DDoS attacks, participate in email spam campaigns, crack hashes and even help brute-force passwords. Put simply, instruct browsers to make HTTP requests they didn’t intend, even something as well-known as Cross-Site Request Forgery. With CSRF, no zero-days or malware are required. Oh, and there is no patch. The Web is supposed to work this way. Also nice, when the user leaves the page, our code vanishes. No traces. No tracks.
Before leveraging advertising networks, the reason this attack scenario didn’t worry many people is because it has always been difficult to scale up, which is to say, simultaneously control enough browsers (aka botnets) to reach critical mass. Previously, web hackers tried poisoning search engine results, phishing users via email, link spamming Facebook, Twitter and instant messages, Cross-Site Scripting attacks, publishing rigged open proxies, and malicious browser plugins. While all useful methods in certain scenarios, they lack simplicity, invisibility, and most importantly -- scale. That’s what we want! At a moment’s notice, we will show how it is possible to run javascript on an impressively large number of browsers all at once and no one will be the wiser. Today this is possible, and practical.