
Application Security Abstracts

 Covert Access: Rootkit Techniques and Defense

As defensive measures against malicious hackers grow, the toolsets they use continue to develop to become stealthier and more effective. One of the most effective tools for staying hidden and embedded in a system is the rootkit. With a rootkit, an attacker can covertly operate so deep inside a system that it is very difficult to detect and remove without wiping the machine clean. Even though the concept of rootkits is well known, very few people actually understand how they operate.

‘Covert Access: Rootkit Techniques and Defense’ is designed to be an introduction to the inner workings of a rootkit and a discussion about techniques that can be used to detect and protect against these types of threats.

Gerry Brunelle is a System Security Engineer for Boeing in the Washington, D.C. area. He is also currently a candidate for an MS in Computer Security and Information Assurance from RIT and has a BS in Network and System Administration from RIT.

Gerry has participated on the red team for the Northeast Regional Collegiate Cyber Defense Competition and the Mid-Atlantic Regional Collegiate Cyber Defense Competition as well as the DoD Cyber Defense Exercise.  He also designed and ran the first Capture the Flag for the Rochester Security Summit in 2009.

 

 Using Web Application Firewalls (WAFs) to Accelerate SDLCs

Getting code fixes incorporated through a standard development cycle requires navigating proper change and configuration management, scheduled releases, and so on. The best-case scenario for a well-managed environment is that it will take months to get the fix all the way into production, and that is before security is thrown into the mix.

This talk will highlight how enterprises are using WAFs to accelerate SDLC processes.  Using real-world examples, this talk details how WAFs help enterprises:

· Have a clearer view of malicious application traffic to help development and management focus on the application security problem.

· Combine WAF with vulnerability scanning to virtually patch issues.

· Leverage the WAF's profile of the application to provide a window into potential issues, misconfigurations, or coding problems before an attack.

 Rob Rachwald is Imperva’s Director of Security Strategy.  In this role, Rob researches and analyzes data security trends from a business perspective.  In the past, Rob worked in the early days of e-commerce at Intel, helping to convert the chip maker’s procurement and supply chain system into one of the largest online transaction systems worldwide.   At Commerce One, Rob worked with F1000 companies to streamline e-procurement systems.  Rob then managed marketing for code analysis firms Coverity and Fortify Software.  He is a graduate of UC Berkeley and has an MBA from Vanderbilt University.

 

 Web Security Education -- the OWASP Exams & Academies Projects

Ed Adams will report on the new OWASP Exams Project and the work being done by the OWASP Academies Working Group.  This project has created a set of exam questions that can be used by universities and industry alike to test knowledge in web application security.  

The project also has a set of rich content, which Ed will review in detail with the group, including a new self-paced computer-based training course on OWASP Top 10.

Ed will also discuss and demonstrate the new open source tool that was offered to the OWASP Community as part of the Exams Project - TeamMentor OWASP Edition. This session will be interactive as the audience will review the questions and answers and get demos of the products that the Exams Project has generated.

Ed Adams is a software executive with successful leadership experience in various-sized organizations that serve the IT security and quality assurance industries. As CEO of Security Innovation, Mr. Adams applies his security and business skills, as well as his pervasive industry experience in the software quality space, to direct application security experts in helping organizations understand the risks in their software systems and develop programs to mitigate those risks. Mr. Adams founded the Application Security Industry Consortium, Inc. (AppSIC), a non-profit association of industry analysts, enterprise technologists, and security leaders established to define cross-industry application security metrics and best practices. The non-profit eventually morphed into SAFECode, at which point Mr. Adams became more engaged with other industry initiatives, including OWASP. Mr. Adams is on the board of the National Association of Information Security Groups (NAISG) as well as the Massachusetts North Shore Technology Council (NSTC).

No stranger to the podium, Mr. Adams has presented to thousands at numerous seminars, software industry conferences, and private companies. He has contributed written and oral commentary for business and technology media outlets such as New England Cable News, CSO Magazine, SC Magazine, CIO Update, Investor’s Business Daily, Optimize, and CFO Magazine. Mr. Adams is in the process of co-writing a book entitled Winning Cyber War, which will be published by Jones & Bartlett, and is authoring his own title, Application Security Maturity – both due out in 2012. He maintains a blog with CSO Magazine, is a columnist for CIO Update, and can be followed on Twitter.

Mr. Adams earned his MBA Degree with Honors from Boston College, as well as a B.S. Degree in Mechanical Engineering and a B.A. Degree in English Literature from the University of Massachusetts.

 

 I'll see your cross site scripting and raise you a Content Security Policy

The very nature of web browser-based JavaScript execution provides a vast playground for attacking user sessions, as evidenced by the endless parade of cross-site scripting and “clickjacking” exploits that have arisen over the last decade. Mozilla’s proposed Content Security Policy provides a uniform mechanism for mitigating cross-site scripting and “clickjacking” attacks, along with the ability to reduce packet sniffing attacks against web browsers that are exposed by the inadvertent use of unencrypted data transmission protocols. This proposed policy is a declarative policy framework that provides fine-grained content inclusion controls and, when applied across domains, operates at a least-privileged level of inclusion. The policy also enables visibility of policy violations by providing a means of reporting violations, as they occur, to the appropriate issuing domains.
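As an added illustration of the declarative, least-privilege policy and the violation reporting the abstract describes (this is example code written for this page, not material from the talk or from Mozilla), the Python below serializes a permissive policy beside a hardened one, audits a policy value for the sources that undermine it, and parses the JSON report a browser POSTs when a policy is violated. The header name `Content-Security-Policy` is the standardized one (Mozilla's original prototype shipped as `X-Content-Security-Policy`); the policies, the `/csp-report` endpoint and the sample report are constructed for the example.

```python
import json

# Constructed example policies (not from the talk): a permissive policy that
# still allows inline script, beside a least-privilege policy that confines
# script to the site's own origin, forbids framing, and reports violations.
WEAK_POLICY = {
    "default-src": ["*"],
    "script-src": ["*", "'unsafe-inline'"],
}

HARDENED_POLICY = {
    "default-src": ["'self'"],
    "script-src": ["'self'"],
    "frame-ancestors": ["'none'"],   # page may not be framed (clickjacking case)
    "report-uri": ["/csp-report"],   # hypothetical reporting endpoint on this site
}


def build_csp(policy):
    """Serialize a directive -> source-list mapping into a header value."""
    return "; ".join(f"{name} {' '.join(sources)}" for name, sources in policy.items())


def parse_csp(header_value):
    """Parse a header value back into a directive -> source-list mapping."""
    policy = {}
    for directive in header_value.split(";"):
        parts = directive.split()
        if parts:
            policy[parts[0].lower()] = parts[1:]
    return policy


# Source expressions that widen script inclusion far beyond a single origin.
RISKY_SOURCES = {"*", "'unsafe-inline'", "'unsafe-eval'", "data:", "http:", "https:"}


def audit_csp(header_value):
    """Return the findings a reviewer would raise against a policy value."""
    policy = parse_csp(header_value)
    findings = []
    # script-src falls back to default-src when absent, as the browser does.
    script = policy.get("script-src", policy.get("default-src"))
    if script is None:
        findings.append("no script-src or default-src: scripts from any origin load")
    else:
        for src in script:
            if src in RISKY_SOURCES:
                findings.append(f"script-src allows {src}")
    if "frame-ancestors" not in policy:
        findings.append("no frame-ancestors: page can be framed (clickjacking)")
    if "report-uri" not in policy and "report-to" not in policy:
        findings.append("no violation reporting configured")
    return findings


def parse_violation_report(body):
    """Extract the fields worth logging from a browser-sent CSP report."""
    report = json.loads(body)["csp-report"]
    return {
        "document": report.get("document-uri"),
        "directive": report.get("effective-directive") or report.get("violated-directive"),
        "blocked": report.get("blocked-uri"),
    }


# Constructed sample report, shaped like what a browser POSTs to report-uri.
SAMPLE_REPORT = json.dumps({"csp-report": {
    "document-uri": "https://shop.example/checkout",
    "violated-directive": "script-src 'self'",
    "effective-directive": "script-src",
    "blocked-uri": "https://cdn.example.net/tracker.js",
}})

if __name__ == "__main__":
    for label, policy in (("weak", WEAK_POLICY), ("hardened", HARDENED_POLICY)):
        value = build_csp(policy)
        print(f"{label}: Content-Security-Policy: {value}")
        print("  findings:", audit_csp(value) or ["none"])
    print(parse_violation_report(SAMPLE_REPORT))
```

The audit only checks the script and framing directives that the abstract's two attack classes depend on; a real review would cover the remaining fetch directives, and the report handler would sit behind rate limiting because browsers send one report per blocked load.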

 Lou Leone -- After years of implementing solutions for the utility and telecommunications industries and for Rochester’s ever present Kodak and Xerox, Lou Leone is currently herding a small team of software developers at the ecommerce SaaS provider, UniteU Technologies Inc.  When not battling PCI auditors, he enjoys detangling overly complicated multi-threaded architectures, programming in lolcode, and not having enough time to accomplish his goals as the current Rochester OWASP Chapter Evangelist.

 

 Android Malware Analysis

The Android market has become a prime target for malicious software developers.

This talk will explore some of the reasons why, take guesses at where things will end up in the next few years, and explain why it matters.  After ruminating about the 'what', the presentation will cover the 'how', including a basic overview of Android application design, followed by how to tear it apart using network, runtime, and static code analysis techniques.

Included in the talk is a detailed review of changes that have been made in the revised version of Mallory, an open source man-in-the-middle proxy. Additional tools to facilitate running the test environment (whether that's an Android emulator or a real device) will also be released.

 Mr. Jason Ross has been working in the IT industry for about 12 years, specifically doing InfoSec for the past nine years. For his day job he provides security consulting services; after hours he performs malware research with a number of international organizations and runs the Rochester DefCon Group (DC585). Despite all that, he is most proud to be a husband and father to four wonderful sons.