News from AppSecUSA 2012 in Austin TX

[Updated Post Friday November 30, 2012]

Conference videos posted, http://videos.2012.appsecusa.org/

[Original Post Follows]

This years Open Web Application Security Project(OWASP) AppSecUsa 2012 was in downtown Austin Texas at the Hyatt.  There were many sessions and speakers from across industry.  Whether your just starting out, or a seasoned computer security professional, OWASP conferences provide good value across all levels of experience.  In addition to security training, OWASP events are a great place to gather as a community and exchange ideas around security.

James Wickett (left), Milton Smith (right)

AppSecUsa was organized by the local OWASP chapter.  In the photo to the right is James Wickett (Twitter, @wickett), Austin OWASP Chapter Leader.  Josh Sokol (Twitter, @joshsokol) chairs OWASP Chapters Committee Chair, not shown.  Matt Tesauro (Twitter, @matt_tesauro) is the OWASP LiveCD Lead, also not shown.  I know I’m understating their credentials.  Amazing what these individuals have done in Austin.  Good job on the conference.  You rock and it’s great to see you again!

Jim Manico (right)

There were a number of interesting presentations this year, I will cover a few. Top 10 Web Defenses – Jim Manico (Twitter, @manicode) VP Security, Whitehat Security.  The surprise for me, Jim communicated is that SQL Injection is still the largest attack vector.  I keep hearing the same rant from others so maybe I should start believing it.  We’ve known about SQL Injection attacks for years so it surprises me and it’s disappointing.  The most pervasive attack I’ve seen to date is Cross-Site Scripting(XSS).  In fact, I contemplated interrupting or raising my hand during Jim’s presentation but the next sentence out his mouth was, “XSS is the cockroach of the Internet”.  Bravo!  Jim’s a resident of Hawaii.  No, the hand signal in the photo is not a Hawaiian gang sign, it’s a friendly greeting.

Jim provided a number of useful resources throughout his session like OWASP’s cheat sheets covering a variety of topics[1].  The cheat sheet mentioned in the session is the Password Storage Cheat Sheet[2].  Another cheat sheet mentioned is the Forgot Password Cheat Sheet which you can find on main cheat sheet page[1].   I notice there is no cheat sheet specifically for storage of application or service passwords or at least one I find.  Some of the cheat sheets are work in progress while others are more mature.  In any case, the cheat sheets are a good emerging resource for common challenges.

Discussion around Content Security Policy(CSP)[3] kept surfacing in different sessions.  CSP is new to me but one of the interesting features is that it help’s prevent content reposting.  From a practical perspective, you can use CSP to prevent attackers from iFraming your protected page content.  CSP protects content by including a new HTTP header (e.g., X-Frame-Options) communicating to browsers not to embed protected content.  Without even looking at the spec, my intuition tells me there are ways around CSP like using old browsers where CSP is not supported, MITM proxies to strip out the header, etc.  CSP is likely in the same camp as HTTPOnly, not bullet proof, but good defense-in-depth measure especially when combined with HTTPS and other measures.

Why Web Security Is Fundamentally Broken – Jeremiah Grossman, CTO, WhiteHat Security (Twitter @jeremiahg) Most noteworthy, Jeremiah demonstrated some social media hacking.  The hacking demo uses clicks provided by the user to authorize calls to social media sites like Twitter and Facebook.  In the demo, the Twitter Tweet box or Facebook Like button, usually provided on news pages or blog articles, is made to follow or tail the user’s cursor around on the page.  Anywhere, the user clicks on the page, the social media button is clicked by the user — a type of click jack.  User data is gathered from their social media site and populated into a redacted demo page.  In a real implementation, these same buttons can be made invisible so it’s not obvious the linkage between the redacted demo page and the social media sites.   The redacted form demo is clever, when users see their personal data populated into the redacted form, one field at a time before their eyes, it’s compelling and shocking.  When Jeremiah gets the real redacted demo page live it’s guaranteed to get grab some press headlines.

Real World Cloud Application Security – Jason Chan, Cloud Security Architect, Netflix. (No Twitter)  Jason’s presentation was interesting since Netflix is laying a lot of new ground with operational and engineering practices.  It’s safe to say, almost nothing in their operational or engineering practices is standard.  For instance, Netflix combined both the development and operations into a single unit.  Netflix is largely operating on Amazon’s cloud infrastructure.  An interesting fact is that 1/3 of all US Internet traffic is Netflix streams.  To harden their production infrastructure Netflix crashes their servers and applications on a regular basis.  Yup, you heard me right, they crash their systems regularly and purposefully.  To crash their systems they employe a framework of Monkeys — stay with me for a moment.  One of the monkeys, Chaos Monkey, periodically kills a process, service, or an entire virtual machines at random.  The idea of killing various cloud components at runtime is that it builds more resilient applications.  Programmers and operations staff, that enjoy sleep, quickly learn how to build fault resilient applications tolerant to environmental changes.  Phew, that must have been a prickly implementation assuming they started with traditional processes.

Armadillo Races

The photo on the right was from the Armadillo races.  Armadillo’s move really fast.  I don’t think they ever stopped moving and they almost never travel in straight lines.  I have seen many dead armadillos on the side of the road so to finally see a live one is refreshing.  Live armadillo, check.  Now I only need to see a UFO and our national debt disappear.  We also had a mechanical bull on site.  Anyone wanting to ride the lightning could give it a try.  Also so everyone knows, I do have photos of Jim Manico (Twitter, @manicode) riding the mechanical bull.  No, I’m not going to post them.  There’s some things you need to attend in person to see for yourself.

Lock Pick Village

Of course, no security event is complete without a Lock Pick Village.  Several years back I was attending a security conference with a lock pick village.  Interestingly enough, I learned how to pick locks with Johnny Long,  (Twitter, @ihackstuff) , author Google Hacking[4].  I bought my first set of lock picks at the conference(hope they are legal in California).  Actually, mine got rusty so I threw them out years ago.  You learn lots of life skills at security conferences.  Johnny’s charity organization was at the conference but he was overseas assisting helping his team.  He’s pretty active about making the world a better place, admirable.  Yes, I did buy a ihackcharities.org t-shirt.  There’s just something wrong about that URL I like.

[1] “Cheat Sheets.” OWASP. OWASP, 28 July 2012. Web. 27 Oct. 2012. <https://www.owasp.org/index.php/Cheat_Sheets>.

[2] Manico, Jim. “Password Storage Cheat Sheet.” OWASP. OWASP, 26 Aug. 2011. Web. 27 Oct. 2012. <https://www.owasp.org/index.php/Password_Storage_Cheat_Sheet>.

[3] Stern, Brandon, and Adam Barth. “Content Security Policy 1.0.” Content Security Policy 1.0. W3C, n.d. Web. 27 Oct. 2012. <http://www.w3.org/TR/CSP/>.

[4] Google Hacking for Penetration Testers, Volume 2, http://www.amazon.com/Google-Hacking-Penetration-Testers-Johnny/dp/1597491764/ref=sr_1_cc_1?s=aps&ie=UTF8&qid=1351625349&sr=1-1-catcorr&keywords=google+hacking

Author: milton

For bio see, https://www.securitycurmudgeon.com/about/