April Symposium: Web Application Security

Thursday, April 21, 2016
This was an all morning event. Doors opened at 8:00 AM and ended at 1:00PM.

XPO Logistics*
2055 Northwest Savier Street
Portland, OR 97209

Session 1: (8:45-9:35) – Securing the SDLC with Automated Code Analysis
Presented by Jeremy Anderson, Principal Solutions Architect with Veracode

PRESENTATION: Securing the SDLC 2.0

Over 90% of the $$ spent on InfoSec in today’s enterprises goes to late stage protection strategies, yet the single biggest threat to the enterprise today isn’t so much the infrastructure, but the software. Kaspersky labs mentioned in one of today’s briefs that they see the biggest issue of 2016 being vulnerable third party software. That, coupled with managing our own swiss cheese of software makes for a threat vector that nobody can handle. Jeremy’s presentation will be from a “mostly” tool agnostic approach, simply pointing out the need for good testing early and often, in keeping with today’s agile development processes.  Jeremy will demonstrate how to use Jenkins to build and upload to Veracode, and show the results automatically returned to JIRA – a defect tracking system.

Speaker Bio:
Jeremy Anderson has over 15+ years web software development experience in a variety of fields. He started out programming Perl and Java back in the late 90’s and has since written software in over 10 languages. He recently spent 7 years in operations management at US Bank here in Portland, building DR systems, managing vendor security and creating software security mitigation strategies. He recently joined Veracode, one of the fastest growing application security companies in the world where he works as a Principal Solutions Architect, supporting customers in their adoption of Veracode’s cloud based security testing solution.

Session 2: (9:45-10:35) – Extend login security for websites with two factor authentication based on possession.
Presented by Bill Bartlett, Founder of Fobfuscate


A demonstration of 4 methods of multi-factor authentication, 2 on a cell phone and 2 with USB touch activated tokens.  Google Authenticator is a cell phone app that generates one-time passwords.  CLEF is a cell phone web service that uses PKI to digitally sign and verify users.  Yubikeys are touch activated one-time password tokens with a cloud authentication service.  FIDO is an open standard that provides PKI challenge/response on a USB touch activated device.

Speaker Bio:
Bill Bartlett has been an application software developer for 35 years and has worked with banking encryption products for 25 years including challenge/response systems.  He is a 2FA enthusiast who believes that website users should be given options to improve their own security online by enrolling their own devices on their profile.  With new technology that uses cloud authentication for devices in their possession, user identity theft can be stopped dead.  Furthermore, most 2FA solutions do not require the website to cache any sensitive credentials reducing their exposure to data breach.

Session 3: (10:45-11:35) The basics of Red Teaming
Presented by Chris Z. and Robert Hartshorn, HP Cloud Solutions & Operations Security


Chris and Robert from the HP application security team will cover the basics of red teaming: what it is, where it fits in a security program, and how you can implement one on a shoe-string budget.  Assessment of web applications will be emphasized due to their popularity and low barrier to entry.  We will demonstrate a number of common web-app bugs and how real attacks abuse them.  Bring your questions!

Speaker Bio’s:
Chris has been working as an Application Security Engineer at HP for more than 5 years where he bootstrapped the CSO (Cloud Solutions & Operations) Security team and focuses predominately on exploit development and penetration testing.  He holds a bachelor of science in Computer Science along with a number of security industry certifications.

Robert Hartshorn is an Application Security Engineer at HP. His main area of expertise is penetration testing web applications, with working knowledge of Mobile applications security along with Incident response and malware analysis.

Lunch: (11:35-Noon) Content Security Policy

Session 4: (Noon-12:50) Content Security Policy
Presented by Timothy D. Morgan Founder and Principal Security Consultant Blindspot Security LLC

PRESENTATION: Content Security Policy TDM

Content Security Policy (CSP) is a mechanism to help harden web applications against a wide variety of client-side attacks including cross-site scripting, clickjacking, and cross-origin information leaks.  CSP is a powerful tool that is now available in all major browsers, but is sadly under-utilized.  Join Tim for an overview of CSP, what it can do for you, and how you can incrementally deploy it on at-risk web applications.

Speaker Bio:
As an application security consultant and vulnerability researcher, Tim Morgan has been taking deep technical dives in security for over a decade.  In that time, he has been credited with the discovery and responsible disclosure of numerous security vulnerabilities in a variety of software products, including: IBM Tivoli Access Manager, Sun Java Runtime Environment, Google Chrome Web Browser, OpenOffice, Oracle WebLogic Application Server, and IBM Websphere Commerce.  His current research interests include applied cryptanalysis, XML external entities attacks, and network timing attacks.  Tim develops and maintains several open source forensics tools in addition to Bletchley, an application cryptanalysis toolkit. Tim works to secure his customers’ environments through black box testing, code reviews, social engineering exercises, security training, and a variety of other services.  Tim has worked in a variety of roles in the information security field including incident response, digital forensics, and risk analysis, giving him a broad set of experiences to draw upon.  Tim earned his computer science degrees from Harvey Mudd College and Northeastern University and currently resides in Portland, Oregon where he leads the local OWASP chapter.

This entry was posted in Past Presentations. Bookmark the permalink.