Thursday, October 3


Securing the digital certificate issuing process
Public Key Cryptography is a reality in Brazil. For the past three years more than five million digital certificates were issued under the Brazilian Public Key Infrastructure (Infraestrutura de Chaves Públicas Brasileira – ICP-Brasil). This number is expected to grow more and more insofar as new applications created for using digital certificates are incorporated in the Brazilian’s everyday life.
A digital certificate is a digital file that binds a public key to a specific subject. It is usually issued by Certificate Authorities (CA), entities that are trusted by the public. The public key is mathematically related to a private key, which is supposed to be kept by (and only by) the subject.
The process of issuing digital certificates is crucial to the Certificate Authority's operation. Through it, the digital certificate requesters perform the key pair generation and create a formal request (Certificate Signing Request), which is sent to the CA for validation and certificate file generation (formatted according to the X.509 standard).
Important parts of this process take place in the requester/end-user environment, that is, the key pair generation, formal request creation and final installation of the digital certificate into the cryptographic repository. Security is obviously a critical issue in this scenario, mostly because we are dealing with an environment that is not controlled by the certificate authority: the end user’s one.
The purpose of this talk is to describe the path followed by Certisign Certificadora Digital S.A. through the years, searching to improve the digital certificate issuing operations that take place in the end user’s environment, focusing on usability and security. We are going to show the software components adopted, their evolution, problems faced and solutions applied. We are also going to take the opportunity to discuss trends, standards and projects under development in the field.
Emphasis will be placed on the Web Application security issues related to the digital certificate issuing process, since most of the existing Certificate Authorities make use of this kind of application to deliver services to their stakeholders and customers. It remains a challenge for application developers, as Web Browsers and Operating Systems impose a great number of restrictions on the interactions between the web page and cryptographic key repositories. Also, the currently known Web Application vulnerabilities represent an important threat to the end user and to the whole Public Key Infrastructure.

Bruno Ribeiro, M.Sc., CSSLP

Software Development Coordinator, Certisign Certificadora Digital SA
Software Development Coordinator at Certisign Certificadora Digital SA with focus on business solutions. Expert in secure software engineering with 15 years of experience in analysis, development and requirement specification of security software. Master's Degree in Software Engineering...
Andre Ortiz

Software Development Coordinator, Certisign Certificadora Digital SA
Software Development Coordinator at Certisign Certificadora Digital SA with focus on services solutions. Expert in software development with more than 10 years of experience in system administration, object oriented programming, software architecture and e-commerce applications. Bachelor...

Thursday October 3, 2013 11:00am - 11:50am
Conference Auditorium Escuela de Postgrado UTP Salaverry 2443, Lima, Peru


Secure Development Training: A Real Case of Success
The talk aims to present a project run in a multinational company with over 500,000 employees: security training in software development following the guidelines and projects developed by OWASP.
The speaker is responsible for the project, which began in 2012, has trained hundreds of developers, and will continue through 2013 and 2014. The data presented cover the level of compliance of the applications developed by the company, the developers' use of the content presented, and the positive impact on the quality of the software developed.
Some of the material used in training is shown and the methodology used will be explained.

Luiz Vieira

Volunteer, HackProofing
Rio de Janeiro/Brazil OWASP Chapter Leader. Security specialist who works with Audit, Penetration Testing and Computer Forensics. Currently developing projects in the area of Information Security at an oil and gas company in Brazil, and is an instructor of courses about information...

Thursday October 3, 2013 11:50am - 12:40pm
Conference Auditorium Escuela de Postgrado UTP Salaverry 2443, Lima, Peru


The CSO's Myopia
Before reading this article imagine what it would be like to manage your company without your customer’s data or if the data was in your competitors’ hands.
The value of data is an established fact and almost doesn’t bear mentioning. The experiences your customers acquire along the years as well as their database are fundamental and represent a great competitive edge in this new corporate era.
Keeping this in mind we realize the importance of implementing specific policies in order to build a base to guarantee the safety of these data.
Recently, there has been an increase in security related incidents, so that IT management has become more and more complex and, as a direct consequence, the need for a new kind of professional has emerged: the Chief Security Officer (CSO).
The CSO has become the person responsible for all risk areas, data security and also for the definition and implementation of the security strategies and policies that a company will adopt.
Such policies are developed to reduce risks and negative impacts and also to limit exposure to liability in all areas.
However, the main issue dealt with here doesn't question the need for good professionals, for secured information or for the development of better security policies. It deals with the constructive process through which every company goes when creating and structuring such policies.
The limited vision commonly applied when creating these policies isn't enough to cover the company's full range of existing vulnerabilities.

So, I will demonstrate many of the security issues that this limited vision brings, such as human faults in web servers and other vulnerabilities like SQL Injection and others related to the OWASP Top 10.

Jordan M. Bonagura

Information Security Researcher, Bonagura
Jordan M. Bonagura is a computer scientist with postgraduate qualifications in the areas of strategic business management, innovation and teaching (methodology of teaching and research). Acts as a business consultant and researcher in the field of information security with emphasis...

Thursday October 3, 2013 2:00pm - 2:50pm
Conference Auditorium Escuela de Postgrado UTP Salaverry 2443, Lima, Peru


WAFs are for excuses, ByWaf knows it
Today, all the well-known companies have lots of Web applications with vulnerabilities such as INJECTIONS; somehow they remain confident about them. WHY??

Well, this is mainly because they think they have a silver bullet called a Web Application Firewall (WAF). This device is like an IPS or IDS. The WAF catches the requests and analyzes them looking for malicious code such as SQL, JavaScript, LDAP, etc. If it finds any, the WAF blocks the request and sends an alert, or just drops the request.

This is the ideal scenario but, as always happens with any defense tool, there are lots of ways to bypass them. In this case, the way is a new framework called ByWaf. ByWaf has the ability to bypass a WAF, but it can also be a complete tool to exploit vulnerabilities in web applications.

The idea came three months ago, when I was pentesting a Web Application and found that it had a WAF, and that there were a few tools that could be useful for this objective.

A couple of weeks later, I found some other people with the same issue as mine. We got along and agreed to build this new framework for the OWASP community.

The topics covered in this talk are:

About me
Some references about my experience in the battlefield of Web Application Penetration Testing, and how I heard about OWASP.

About OWASP (real life)
How companies, consultants, hackers and so on use OWASP on a daily basis. What can we find in it?

What is an OWASP Project?
Concepts about OWASP projects, types, how to get into them.

What is WAF?
Colors, flavors, and more about them.

How does it work?
How the devil works trying to give us a hard time.

How to detect WAFs?
From console to some tools.

How to bypass them?
Some ways to make it look like a fool.

ByWaf Project


Rafael Gil Larios

Supervising Sr., KPMG
He has performed consulting, penetration testing, Web application review and code review in industries such as: Finance, Retail, Banking, Legal, Broadcasting, Telecommunications, Hosting, Hospitality, Manufacturing, etc. He has carried out audits, reviews and implementations...

Thursday October 3, 2013 3:10pm - 4:00pm
Conference Auditorium Escuela de Postgrado UTP Salaverry 2443, Lima, Peru


Certify Your App: Developing Secure Applications for the Marketplace
WordPress is the most popular Content Management System (CMS), powering more than 60 million websites. In June 2013, we ran an automated code scanning tool against the top 50 most downloaded plugins. The results were more than concerning. We found that more than 20% of these plugins were vulnerable to common Web attacks, potentially leading to 8 million vulnerable Websites. How do other CMS platforms and marketplaces fare?
In this talk we discuss how different application marketplaces encourage and enforce developers to write and submit secure apps. We look at their security measures and discuss their certification process to verify that the apps stand up to their set of standards. We examine the technological challenges associated with performing some of these security measures, such as source code analysis, when the developer has no visibility into the code of the underlying platform.
For this presentation we draw on examples of common marketplaces such as WordPress, Joomla and Force.com.
In particular, this talk will address:
- Different security requirements that marketplaces seek in order to certify an application
- Best practices for using a source code analysis tool to pass the marketplace's certification bar
- How to use the security certification as added value for your application

Maty Siman

Founder and CTO, Checkmarx
Maty is the CTO and founder of Checkmarx. Maty has more than a decade of experience in software development, IT security and source-code analysis. Prior to founding Checkmarx, Maty worked for two years at the Israeli Prime Minister's Office as a senior IT security expert and project...

Thursday October 3, 2013 4:00pm - 4:50pm
Conference Auditorium Escuela de Postgrado UTP Salaverry 2443, Lima, Peru
Friday, October 4


Exploiting Secure Software
After several security conferences and trainings, and after explaining to management the importance of security in the Software Development Life Cycle (SDLC), there are several companies and development teams creating "secure software" by implementing OWASP Top 10 controls and other security best practices of the market.

The main objective of this paper is to review those best practices implemented in companies with a mature view of software security and, as a second objective, to explain how to exploit those applications.

_We believe in Software Security

- How to embed security in the SDLC

- OWASP Top 10 2013

- Best Practices

- Integrated Tools

- I don't want pentesters saying "LoL" about our software

_Exploiting is sexy!

- What did we miss?

- What after OWASP Top 10?

- Where can I find exploits?

- Where can I find new exploits?

- How to exploit "Secure Software"?

_LAB - Exploiting Secure Software Life Cycle (ESSLC)

- Secure Software Development

- Secure OS Hardening

- Secure Configuration & Architecture

- OWASP Top 10 Compliance Phase

- Code Review (internal and external)

- Secure Testing

- External VA

- External pentesting



We've a long road to ride in order to protect against all the OWASP Top 10 risks, but attackers know the OWASP Top 10 and they know which companies are working on protection because of the information disclosed in job posts, RFPs, etc., so we could predict the use of different types of attacks across those kinds of companies across the globe. So we need to define the OWASP Top 10 as the minimal baseline that we need to implement, but always remembering that it is not the only thing that we should be aware of. Let's protect our software against well-known and also new vulnerabilities or new technology breaches.

Mateo

More than 10 years of experience in IT & Security strategy, Business Continuity Management, ISO 27001, CobIT and ITIL. | Projects based in Dubai, Chicago, Montevideo and Buenos Aires. | Project Manager in many IT Projects and business development in ITO and Software development...

Friday October 4, 2013 9:50am - 11:25am
Conference Auditorium Escuela de Postgrado UTP Salaverry 2443, Lima, Peru


Security in the Cloud - OWASP Cloud Top 10
More and more companies are putting their infrastructure in the cloud. This alternative brings great benefits in terms of cost and management, but it introduces security risks that differ from those of traditional infrastructures. This talk is aimed at understanding the main security risks identified in the OWASP Cloud Top 10 and the actions that can be taken to mitigate them and improve security in the cloud.

Mauro Flores

Manager, Deloitte
Mauro Flores has more than 15 years of experience in Information Security. He has participated in projects for the design, specification and development of security applications for various companies in Uruguay and abroad, including Research & Development work in security...

Friday October 4, 2013 11:00am - 11:50am
Conference Auditorium Escuela de Postgrado UTP Salaverry 2443, Lima, Peru


The OWASP O2 Platform : An approach to Automate Application Security Knowledge

Software evolves, defects get fixed, new architectures are adopted and new requirements are met. As part of this evolution we need to make sure that our applications are secure too. However, Software Developers do not always have a strong background in Application Security, and we need to find a way to transfer the knowledge from Security experts.

Therefore, the O2 platform represents a new paradigm for how to perform, document and distribute Web Application security reviews. O2 is designed to automate Application Security Knowledge and Workflows and to allow non-security experts to access and consume Security Knowledge.


The topics covered in this talk are:

- Software development and the approach on Application Security

- The OWASP O2 Platform at a Glance

- What can we do with the O2 Platform

- What problems can be solved by using Unit Testing

- Case Studies: Vulnerabilities found

- A demo that shows how to use it

- How to get involved and where to ask for help

Michael Hidalgo

Software Developer Engineer, Security Innovation
Software Developer Engineer based in San José, Costa Rica. With more than 6 years of experience building financial applications and with his high sense of responsibility and quality, Michael always works hard to do things better. Currently Michael works as a Software Developer Engineer...

Friday October 4, 2013 11:50am - 12:40pm
Conference Auditorium Escuela de Postgrado UTP Salaverry 2443, Lima, Peru


DOM Based XSS
This talk will cover the different types of client-side attacks that can occur due to poor filtering of inputs and outputs.

The DOM of a browser is an increasingly interesting place to explore, because many sites do not validate the JavaScript and remain vulnerable, and almost no scanner includes a search for DOM XSS.

We will discuss how to find them, how to exploit them and how to mitigate them.

Camilo Galdos AkA Dedalo

Pentester, Open-Sec
Has been working as a developer since he was 16 years old; after two years he started working as a Pentester and Security Researcher and hasn't stopped hacking since that day. He has been acknowledged by Adobe, Microsoft, PayPal, Apple and others because he has found security holes in their...

Friday October 4, 2013 2:00pm - 2:50pm
Conference Auditorium Escuela de Postgrado UTP Salaverry 2443, Lima, Peru