This year's OWASP AppSec 2014 USA was held in Denver, Colorado. The downtown Denver metro was a great location. Plenty of stores, restaurants, and great evening walks for the adventurous.
In one of the conference sessions, Static Analysis for Dynamic Assessments, Greg Patton of HP Fortify described a new process for reviewing dynamic web app data with static analysis tools. Patton developed a security tool, RIPSA, which he uses for downloading dynamic web site content. Tools like SiteSucker have been around for a while, but they are of limited usefulness when working with dynamic content. RIPSA bridges the gap and allows downloading dynamic content to a local working directory. Once the dynamic content is downloaded, traditional static analysis tools may be leveraged.
Patton mentions the top vulnerability they usually find with the approach is DOM-based XSS. I don’t think the RIPSA tool is necessarily too special, but the idea of using static analysis on dynamic content is impressive and opens up a completely new way to use static analysis tools. I apologize in advance, I don’t have a RIPSA link. I contacted Patton but he did not respond in time for this post. Patton’s approach is creative, rock on!
Another session, Reverse Engineering a Web App, described the process of reverse engineering web applications and perimeter WAF detection techniques. The session was more or less what I would expect, except a tool was presented that was new to me, OSSEC. OSSEC is an open source host IDS. If you are in need, you may wish to investigate. I always like new tools.
Photo: Skycure threats for San Jose, CA
At the event, Skycure provided an innovative product demonstration. The following photo shows a real-time display of threats from their web site. There is also a companion application that runs on the mobile device and likely uploads intelligence data to their central service. Skycure describes the overall advantages for customers broadly as: seamless, cross-platform, built for enterprise, visibility, device protection, and crowd wisdom. The web site is a little short on technical detail, so it’s not clear exactly which threats are included in the analysis or mitigated, but I’m assuming rogue APs at a minimum.
Photo: Iron-Clad Java book
Signing my first copy of Iron-Clad Java at the conference was a reality moment for me. The only time my autograph was previously requested was when signing Visa receipts at the cash register. At the conference we discussed and agreed to start another book project. The new Iron-Clad book project team is Jim Manico (Twitter: @manicode), August Detlefsen (Twitter: @codemagi), Eoin Keary (Twitter: @EoinKeary), and myself.
We all enjoyed working together on the last project and thought Eoin would make an interesting addition to the team. No idea about publisher or content; still working out the details. More on that later.
Now that AppSec USA is past, it’s back to JavaOne. JavaOne starts next week.