Global AppSec Amsterdam 2019: Day 2.
By Wojciech Cichon, SETL Software Developer
With my head exploding from the excessive amounts of information I consumed the day before, I decided to take a walk to the conference center, wholly consumed with thoughts of what this day’s talks would hold.
To my surprise, the day started with a big bang, as Chris Kubecka, security researcher and cyberwarfare specialist, was the first keynote speaker. I had the honour of attending one of her previous talks for OWASP London, so naturally I was expecting an outstanding session. Unsurprisingly, she exceeded my expectations. Kubecka shared the story of how the Royal Saudi Arabian Embassy in the Netherlands was attacked, how she was dragged into it, and how she handled the incident. The attack was carried out by an insider at the Embassy who tried to extort money for ISIS. Thankfully her story finished with a happy ending for everyone, except for the culprit.
While I was standing in the corridor, deciding which session I wanted to see during this time slot, a very energetic young woman suddenly jumped out of the room I was next to and almost dragged me inside for her talk. This unexpected lady was Alison Eastaway. Alison works for a company called Square as the “Head of People,” which I figure is something like a fancy name for a Human Resources department. “So, I got myself into some boring HR talk,” I thought right after she introduced herself. Boy, was I ever wrong. First, she cut the distance between HR and tech people by showing the similarities in the jobs they do. She then moved on to teach us a very valuable lesson about why security teams and HR should work together, how they can work together successfully, and how to embed security practices in organisational culture overall.
After such a non-technical talk, I thought it would be good to balance it out with something closer to the programming field, so I went to see Ksenia Peguero’s session. Her talk is part of her academic research, in which she defined four levels of security mitigation depending on who implements the security component: L1 for the developer, L2 for an external library, L3 for a framework plugin, and L4 if it is built into the framework itself. Peguero then presented the research she compiled to test the hypothesis that higher mitigation levels make applications more secure. She analysed various applications, looking at two types of vulnerability: XSS and CSRF. The XSS part of her research supported her hypothesis, but the CSRF part did not, because many JS frameworks ship with CSRF protection disabled by default, so an L3 or L4 component that is never switched on protects nothing. Lesson learned: always check what the configuration defaults are.
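To make the default-configuration point concrete, here is an added example (my own code, not from Peguero’s research or any real framework) of a synchronizer-token CSRF check packaged as a framework component whose `enabled` flag is off by default, the pattern the talk warned about. The class name, the in-memory session store and the request shape are all constructed for the illustration.

```python
import hmac
import secrets

# Methods that must never change server state; CSRF tokens are not required for them.
SAFE_METHODS = frozenset({"GET", "HEAD", "OPTIONS"})


class CsrfProtection:
    """Framework-level (L4-style) synchronizer-token check.

    The ``enabled=False`` default deliberately mirrors the finding above:
    the component is present but does nothing until it is switched on.
    """

    def __init__(self, enabled=False):
        self.enabled = enabled
        self._tokens = {}  # session id -> issued token (stand-in for a session store)

    def issue_token(self, session_id):
        """Mint a fresh, unguessable token for this session and remember it."""
        token = secrets.token_urlsafe(32)
        self._tokens[session_id] = token
        return token

    def allows(self, method, session_id, submitted_token):
        """Return True if the request may proceed."""
        if method.upper() in SAFE_METHODS:
            return True
        if not self.enabled:
            return True  # protection installed but inactive: forged POSTs pass
        expected = self._tokens.get(session_id)
        if expected is None or submitted_token is None:
            return False
        # Constant-time comparison so token bytes cannot be guessed via timing.
        return hmac.compare_digest(expected, submitted_token)


def forged_post_accepted(enabled):
    """Simulate a cross-site form POST that carries the victim's session cookie
    but no token (an attacker cannot read the token from another origin)."""
    csrf = CsrfProtection(enabled=enabled)
    csrf.issue_token("victim-session")
    return csrf.allows("POST", "victim-session", submitted_token=None)


def legitimate_post_accepted(enabled):
    """The site's own form, which embeds the token it was issued."""
    csrf = CsrfProtection(enabled=enabled)
    token = csrf.issue_token("victim-session")
    return csrf.allows("POST", "victim-session", submitted_token=token)


if __name__ == "__main__":
    print("default config, forged POST accepted:", forged_post_accepted(False))
    print("enabled,        forged POST accepted:", forged_post_accepted(True))
    print("enabled,    legitimate POST accepted:", legitimate_post_accepted(True))
```

With the default configuration the forged POST is accepted; only after `enabled=True` is the tokenless request rejected while the site’s own form still works, which is exactly the gap between "the framework has CSRF protection" and "the application is protected against CSRF".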
With one more talk before lunch, I figured I should make it count. James Kettle is Director of Research at PortSwigger, which was enough for me to know that this would be an excellent talk. James ran through a quick overview of HTTP request smuggling, a technique first described in 2005, which desynchronises the front-end and back-end servers’ view of where one request ends and the next begins: bytes that the front-end treats as a single request are parsed by the back-end as two. The smuggled second request is not answered on its own; it sits on the back-end connection and is prepended to whatever request arrives next, typically another user’s. James then presented various ways to detect whether a web application is vulnerable to desync attacks and how they can be used to compromise the application. Overall enthralling.
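The classic CL.TE disagreement, as an added example that is not part of the post or of Kettle’s research: two tiny request splitters, one that honours only `Content-Length` (a front-end proxy) and one that prefers `Transfer-Encoding: chunked` (the back-end), fed the same constructed byte stream. The hostnames and paths are made up, and both parsers are deliberately minimal (no header folding, no chunk extensions beyond stripping them).

```python
def _split_head(buf):
    """Return (header block, separator, remainder) or (buf, b'', b'') if incomplete."""
    head, sep, rest = buf.partition(b"\r\n\r\n")
    return head, sep, rest


def _headers(head):
    """Lower-cased header name -> lower-cased value, last occurrence wins."""
    out = {}
    for line in head.split(b"\r\n")[1:]:
        name, _, value = line.partition(b":")
        out[name.strip().lower()] = value.strip().lower()
    return out


def parse_cl(buf):
    """Front-end view: request length is whatever Content-Length says."""
    reqs = []
    while buf:
        head, sep, rest = _split_head(buf)
        if not sep:
            reqs.append(buf)  # incomplete trailing request
            break
        length = int(_headers(head).get(b"content-length", b"0"))
        reqs.append(head + sep + rest[:length])
        buf = rest[length:]
    return reqs


def parse_te(buf):
    """Back-end view: chunked framing wins when Transfer-Encoding: chunked is present."""
    reqs = []
    while buf:
        head, sep, rest = _split_head(buf)
        if not sep:
            reqs.append(buf)
            break
        hdrs = _headers(head)
        if hdrs.get(b"transfer-encoding") == b"chunked":
            pos = 0
            while True:
                line_end = rest.index(b"\r\n", pos)
                size = int(rest[pos:line_end].split(b";")[0], 16)
                pos = line_end + 2
                if size == 0:
                    pos += 2  # CRLF that terminates the zero-length chunk
                    break
                pos += size + 2  # chunk data plus its trailing CRLF
            reqs.append(head + sep + rest[:pos])
            buf = rest[pos:]
        else:
            length = int(hdrs.get(b"content-length", b"0"))
            reqs.append(head + sep + rest[:length])
            buf = rest[length:]
    return reqs


# Constructed attacker request: Content-Length covers "0\r\n\r\nG" (6 bytes),
# but the chunked body ends after "0\r\n\r\n", leaving "G" on the back-end socket.
ATTACK = (
    b"POST / HTTP/1.1\r\n"
    b"Host: example.test\r\n"
    b"Content-Length: 6\r\n"
    b"Transfer-Encoding: chunked\r\n"
    b"\r\n"
    b"0\r\n\r\nG"
)
# Constructed follow-up request from an unrelated user on the same back-end connection.
VICTIM = b"GET /account HTTP/1.1\r\nHost: example.test\r\n\r\n"
STREAM = ATTACK + VICTIM

if __name__ == "__main__":
    for name, parser in (("front-end (CL)", parse_cl), ("back-end (TE)", parse_te)):
        print(name)
        for r in parser(STREAM):
            print("   ", r.split(b"\r\n", 1)[0])
```

Both sides see two requests, but they are not the same two: the front-end forwards a clean `GET /account`, while the back-end sees a request whose first line begins `GGET /account`. Replace that single `G` with a full smuggled prefix and the victim’s request becomes the tail of a request the attacker chose, which is the core of the exploitation techniques the talk covered. A real detection probe sends a request whose leftover bytes make the back-end wait for more data and watches for a timeout, rather than relying on a visibly mangled method.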
After getting some food, it was time for the next talk. Unfortunately, I got caught up with one of the vendors and arrived a bit late. The room was completely full, but in the end there was an upside: I ended up so close that I was almost on stage. Jarrod Overson, Director of Engineering at Shape Security, gave this talk. Credential stuffing, its subject, is a serious threat. Every day we hear about password leaks from various sites, and many people’s tendency to reuse passwords doesn’t make it any better: a username and password stolen from one site can be replayed against services that were never themselves compromised. His talk was about the constant race between defenders, who build ever more sophisticated methods to make these attacks unprofitable, and attackers, who look for ways to bypass them.
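One of the simplest defender-side signals for the attack described above, as an added example (mine, not Overson’s or Shape’s code): credential stuffing replays many different stolen username/password pairs, so a single source tends to show many distinct usernames and a high failure rate in a short window, which looks nothing like one user mistyping their own password. The log format, IP addresses, usernames and thresholds below are all constructed for the example.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed log format: "<iso timestamp> <client ip> user=<name> result=ok|fail"
LOG_RE = re.compile(r"^(?P<ts>\S+) (?P<ip>\S+) user=(?P<user>\S+) result=(?P<result>ok|fail)$")

# Constructed sample: 10.0.0.9 sprays eight different accounts in seconds (one hits);
# 192.0.2.10 is a real user fumbling their own password before getting it right.
SAMPLE_LOG = """\
2019-09-26T10:00:01 10.0.0.9 user=alice result=fail
2019-09-26T10:00:02 10.0.0.9 user=bob result=fail
2019-09-26T10:00:03 10.0.0.9 user=carol result=fail
2019-09-26T10:00:04 10.0.0.9 user=dave result=ok
2019-09-26T10:00:05 10.0.0.9 user=erin result=fail
2019-09-26T10:00:06 10.0.0.9 user=frank result=fail
2019-09-26T10:00:07 10.0.0.9 user=grace result=fail
2019-09-26T10:00:08 10.0.0.9 user=heidi result=fail
2019-09-26T10:01:00 192.0.2.10 user=alice result=fail
2019-09-26T10:01:05 192.0.2.10 user=alice result=fail
2019-09-26T10:01:09 192.0.2.10 user=alice result=fail
2019-09-26T10:01:20 192.0.2.10 user=alice result=ok
this line is malformed and must be skipped
""".splitlines()


def parse(lines):
    """Yield (timestamp, ip, user, result) for every well-formed line."""
    events = []
    for line in lines:
        m = LOG_RE.match(line)
        if m:
            events.append((datetime.fromisoformat(m["ts"]), m["ip"], m["user"], m["result"]))
    return events


def find_stuffing(lines, window_s=300, min_users=5, min_fail_ratio=0.8):
    """Flag IPs that, within any window_s-second sliding window, tried at least
    min_users distinct usernames with a failure ratio of at least min_fail_ratio.
    Returns {ip: {"users": n, "attempts": n, "failures": n}} for the last such window."""
    by_ip = defaultdict(list)
    for ts, ip, user, result in sorted(parse(lines)):
        by_ip[ip].append((ts, user, result))
    flagged = {}
    for ip, events in by_ip.items():
        start = 0
        for end in range(len(events)):
            while (events[end][0] - events[start][0]).total_seconds() > window_s:
                start += 1
            win = events[start:end + 1]
            users = {u for _, u, _ in win}
            fails = sum(1 for _, _, r in win if r == "fail")
            if len(users) >= min_users and fails / len(win) >= min_fail_ratio:
                flagged[ip] = {"users": len(users), "attempts": len(win), "failures": fails}
    return flagged


def accounts_to_reset(lines, flagged):
    """Usernames that logged in successfully from a flagged source: the stolen
    pairs that actually worked, and therefore the passwords to force-reset."""
    return sorted({u for _, ip, u, r in parse(lines) if ip in flagged and r == "ok"})


if __name__ == "__main__":
    hits = find_stuffing(SAMPLE_LOG)
    print("flagged sources:", hits)
    print("accounts to reset:", accounts_to_reset(SAMPLE_LOG, hits))
```

The single-user source is never flagged, however many times it fails, because the distinct-username count is the discriminator. The caveat the talk’s "race" framing implies: attackers who rotate through residential proxies keep each IP under `min_users`, so in practice this per-IP view is one signal among several (device fingerprinting, per-account velocity, known-breached password checks), not the whole defence.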
2:35 PM: Making the web secure, by design ++
Two brothers, Glenn ten Cate and Riccardo ten Cate, presented their project, the Security Knowledge Framework. SKF is a nice complement to OWASP ASVS: where ASVS is a document describing the security requirements a secure application should meet, SKF helps manage those requirements throughout the entire SDLC.
Feeling a bit tired, I went to see Ruben Gonzalez’s talk on hacking. Ruben is a security researcher with an abundance of teaching experience under his belt. His talk was a guide on how to run a successful Capture the Flag and the various forms such events can take. I won’t go into details, but I will certainly use it as reference material for the SETL CTF events, which we run to encourage interpersonal connections and independent skill learning among our peers.
The last talk of the conference belonged to another AppSec legend, Mario Heiderich. Mario presented very entertaining stories from his past and his vision of InfoSec’s future. It was a perfect way to close out the day and the conference overall. After his talk was over, we came to the closing remarks, and then… were armed with foam rockets for an epic battle of chaotic wills. We unleashed hell in that room for a couple of minutes, shooting each other with those foam rockets. But just as quickly as the fun started, it ended. This was possibly one of the best conferences I have ever had the privilege to attend, as it left me with unforgettable memories to last until the next time around.