OWASP AppSec Track

The OWASP Application Security Track presents new material especially relevant for software and mobile app developers and managers, application penetration testers, ethical hackers and security researchers. Skilled application developers remain in high demand, while application security continues to change rapidly. Come build your knowledge in both and keep at the forefront of security research.

O1 – What is the Android Colluded Applications Attack and How to Detect It

Igor Khokhlov & Leon Reznik

We present our study on the colluded applications attack in Android OS; its definition, possible scenarios of its exploitation, and developed methods of detection. We analyzed and classified existing techniques of detection and mitigation in relation this attack. Our analysis allows us to formally define the colluded application attack and to develop an attack model. We will present numerous scenarios of the colluded applications attack exploitation and discuss the results of their simulation. Regarding attack detection, three classifiers are developed and examined. Developed classifiers are based on various machine learning techniques. We will present results from each classifier’s performance in detecting attacks and analyze their recognition accuracy.


Igor Khokhlov is a Ph.D. candidate. He conducts research on data quality and value evaluation for sensor-originated data. Igor’s fields of interest include Android OS, cyberssecurity, and AI.

Leon Reznik is a Professor of Computer Science (primary affiliation) and Computing Security (secondary affiliation). His current research concentrates on data quality and security evaluation and assurance, cognitive sensor networks and systems, intelligent intrusion detection, and big data analytics.

O2 – Pentesting DevOps: Attacking Containers and Container Orchestration

Mark Manning

Monolithic applications are a thing of the past but our job as security professionals is to review them from a security perspective. This talk will review container technologies (e.g. Docker), as well as container orchestration technologies (e.g. Kubernetes, Marathon). We will cover new container-centric OS’s like CoreOS and what security implications exist for each. What is their threat model? What does a “pen test” against these technologies really mean? We’ll include real-world exploit scenarios we’ve seen in client environments.


Mark Manning is a Principal Security Consultant with NCC Group with a focus on enterprise devops and container technologies. He has worked with numerous clients on Docker, Mesos, Rancher, CoreOS, Kubernetes, and other container-related technologies. He’s performed penetration tests to breakout from container to host, architecture review of devops and container orchestration systems, and research on container technologies. Mark also works on mobile applications, general application security, and security reviews of privacy and pseudonymity technologies like Tor. He also is a BSidesROC and Rochester 2600 organizer.

O3 – Rocking The (Vox)Vote

Jason Ross

VoxVote is a nifty little live voting app that turns out to have terrible security. Messing with it gives us a great opportunity to learn common flaws in REST API design, and the process an attacker uses to target these common resources.


Jason Ross is a Senior Consultant with NCC Group, a global information assurance specialist providing organizations with expert security consulting services. Jason began working with NCC Group in 2010, based out of the New York City office. Jason has performed security research in the following areas: web applications, devops security, mobile device & application security, and malware analysis. Jason has given talks at at Blackhat DC, BSides Las Vegas, DerbyCon, and DEF CON Skytalks; as well having spoken at many regional conferences across the United States. Jason has developed and delivered training tools and programs on topics such as advanced mobile penetration testing, android forensics techniques, and enterprise-level malware analysis. Jason is also FEDRAMP certified and is an active part of the NCC Group 3PAO service offering.

O4 – Your Apps Have Gone Serverless. Has Your Security?

Tal Melamed

The revolution came and went. No shots were fired, but lots of chaos ensued. You finally got your head around containers and Docker, and your teams have moved on to serverless. There are many benefits to moving to a serverless architecture.

Does that mean that our applications are now safer, or are they vulnerable to the same attacks that we are used to in the monolithic architecture? Along with its advantages, serverless architecture presents new security challenges. Some of these security threats are equal to those we know from traditional application development, but some take a new form.


Tal Malamed has 15 years’ experience in the information security field, specializing in security research and vulnerability assessment. Prior to being the Head of Security Research at Protego, Tal was a tech leader at AppSec Labs, leading and executing a variety of security projects for serverless, IoT, mobile, web, and client applications, as well as working for leading security organizations, such as Synack, CheckPoint, and RSA.

O5 – Techniques Criminals Use to Break Authentication and How to Defend Against These Attacks

Danny Harris

Providing access to systems should be done in proportion to risk. Higher value systems with sensitive or confidential data require greater protection. Traditionally, passwords have been used as the way to gain access to systems, yet often they can’t provide sufficient protection because they may be weak or rely on poorly implemented password authentication services.

In this presentation, you will learn:

  • Some common attacks against passwords and authentication services, to help you understand how to better design and protect applications against criminal attackers
  • Password and authentication-related security patterns
  • Techniques to improve the security of your passwords and authentication processes


Danny Harris has been an information and application security practitioner for over 20 years. He is knowledgeable in all phases of the secure software development life cycle (SDLC) and is responsible for the creation and delivery of application security training and SDLC assessment programs at Security Innovation. Previous teaching experience includes seven years as an adjunct professor for the Computer Security and Forensic Investigation program at Wilbur Wright College and as a security instructor for the SANS Institute.

O6 – The Industrialization of Red and Blue Teaming

Ashley Zaya

The industrial revolution was brought on by purpose-built machinery and automation. A similar revolution has occurred in security and has led to the industrialization of red and blue teaming. In large part, this industrialization has been realized through security instrumentation platforms. We need to readjust, so that we are focusing on security effectiveness and the efficacy of security controls. We need to industrialize our approach to red and blue teaming with security instrumentation through automation, environmental drift detection, prescriptive actions, and analytics that will enable us to finally and empirically manage, measure, and improve security effectiveness.


Ashley researches and analyzes malware, vulnerabilities, and the techniques and tactics of adversaries. Her work helps organizations have advanced threat and attacker insights so that they can better prevent, detect, and respond to cyber threats thus aiding red and blue teams. Prior to working at Verodin, Ashley was a lead analyst at Boeing’s Security Operations Center. She graduated with a bachelor’s degree in Security and Risk Analysis at Pennsylvania State University.

O7 – Understanding Web Application Firewalls with Open Source ModSecurity and OWASP Core Rule Set

Tin Zaw

Everyone who has ever used, or attempted to use, OWASP ModSecurity Web Application Firewall, knows something about fine-tuning rules. ModSecurity Core Rule Set (CRS) was designed to catch more, show more and to let you decide what to do with security alerts. It is a time consuming, and often frustrating, exercise to analyze alerts – to separate the wheat from the chaff and then determine which are candidates for blocking. With thousands of servers at more than 100 locations, Verizon Edgecast CDN is one of the world’s largest deployments of OWASP Core Rule Set. We will share our experience in fine-tuning the CRS for a large number of customers, adjusting for their tastes regarding risk and their attitudes toward false positives.


Tin Zaw has served as Verizon Digital Media Services’ director of global security solutions since 2015. He and his team provide managed and professional security services, protecting their clients’ web properties from external threats. He launched the services during his first year at Verizon and continues to grow the business each year.

Prior to joining Verizon, Tin led web and product security teams at AT&T and Intuit. He previously designed and implemented security products at Symantec and participated in the early days of the web infrastructure at Inktomi, which later became part of Yahoo! and now Verizon. He started his career by programming network protocols at QUALCOMM and Cerner.

Tin graduated with a bachelor’s degree in computer science from Pittsburg State University, Kansas. He earned a master’s degree in computer Science from the University of Southern California and an MBA from the USC Marshall School of Business.