Global AppSec Amsterdam 2019 Through The Eyes Of A Developer.
By Wojciech Cichon, SETL Software Developer
11/14/2019
This year I had the pleasure of attending Global AppSec Amsterdam 2019, which is an amazing chance to learn about the newest, leading application security technology in the field. I know there may be some who might be surprised to hear that developer is going to security conference, but let’s honestly say that security should be a built in feature and not a layer on the top. Hence a security conference, especially AppSec, is a good place to go for developer.
Let’s start from the beginning; AppSec Global are conferences organised by OWASP every year. This year we had 3 events, which were held in Tel-Aviv, Washington DC, and Amsterdam. Main goal is to bring people who work in InfoSec (so not only AppSec) together and enable them to share their experiences and knowledge. To me, it doesn’t matter if you are a PenTester, DevOps, CISO, or a developer. There’s definitely always something interesting to find.
The conference I attended was held in the RAI Amsterdam Convention Centre, which is a complex of conference and exhibition halls, containing one of the largest conference centers in europe. It started on Monday 23rd of September, for the first three days were various training sessions and panel sessions started few days later on Thursday the same week.
Day One
Opening Remarks- 8:45 AM
Day one started with opening remarks given by Martin Knobloch, who is a board member of Netherlands OWASP Chapter. He greeted the audience members and briefly explained what OWASP is, why it’s mission is important, and how to support it.
The House Is Built On Sand: Exploiting Hardware Glitches And Side Channels In Perfect Software -9:00 AM
Right after Martin’s introduction he welcomed the first keynote speaker, Herbert Bos. Herbert is professor at VUSec, the systems security group at the Vrije Universiteit Amsterdam in the Netherlands. His talk was presentation of his students’ research about various vulnerabilities found in hardware which could be triggered from software layer.
At first he described how they use various types of rowhammer attacks together with numerous other hardware vulnerabilities to compromise Edge browser, which is a Virtual Linux server running in the cloud and Android device.
A Rowhammer attack is an attack on DRAM3/DRAM4 semiconductors memory. It’s based on rapid flipping bits in neighbouring rows which might end up with leaking charge to victim row, and cause bits to flip.
In the last section of his panel, Herbert explained RIDL (Rogue In-Flight Data Load), which is a vulnerability in some Intel processors that allows attackers to gain access to sensitive data currently being processed. For some of the attacks he mentioned, his team was recognized and awarded with a Pwnies Award. For me it was like swallowing big bitter pill of paranoia. After a short break, which I spent talking with vendors and “snatching” goodies from them, I went for another talk.
Remote Code Execution in Firefox Beyond Memory Corruptions -10:15 AM
Unfortunately, video from talk is not available yet. Frederik Braun, who did this talk, is a security expert working for Mozilla. In his panel, he covered a few vulnerabilities in older versions of Firefox which could give access to an attacker to execute any application on a computer that accesses a website containing the malicious payload. This sounded a bit scary to me, given that issues like that were discovered in other browsers in the past. Fortunately, those bugs are often very quickly removed and everyone updates software as soon as any security patch is released, right?
API Security Project -11:05 AM
The next panel I attended was in a small and completely filled room. My first thought was that if the room is filled up, it’s usually something good and I was right. This presentation was led by two industry experts; Inon Shkedy and Erez Yalon. Many software providers expose the APIs of their applications. Inon and Erez gathered the most common security risks for API developers and presented them in their document “OWASP API Security Top 10”. In their talk they discussed plans for the project, did an overview of those risks, and how to prevent them. Even with a lot of shared content, this document complements OWASP’s Top 10 project.
Securing ProtonMail: Building a Web App that Doesn’t Trust the Server -11:55 AM
Wondering how to run WebApps in a zero trust environment? Daniel Huigens and Aron Wussler from ProtonMail talked about implemented solutions in the ProtonMail WebApp. This extremely interesting presentation shows how important security is for ProtonMail and how far they are taking it. Most developers, while building a secure application, considered secure login as top level security and added care to creating a secure transmission channel. The guys from ProtonMail provide methods to verify integrity of source code and data that comes from a server, which is a very impressive usage of merkle tree and hash chains.
I got food during the lunch break directly after the panel and decided to spend some time relaxing, playing some of the games in a corner filled with various old consoles. in the exhibit hall, it was almost like a retro games paradise. Shortly after I had my fill of gaming nostalgia, it was time for another session. Initially I planned to go to see Damian Rusinek’s talk “WebApps vs DApps”, but in the end I decided to go for a talk with a title that had more appeal. And just in case you were wondering, DApps is short for distributed apps, which is just a name for smart contracts. For more information, have a look here.
Being Powerful While Powerless: Elevating Security By Leading Without Authority -1:45 PM
In the end I chose this presentation over “WebApps vs DApps” and was not disappointed. This panel is by Nathan Yee, a security engineer from a company called Gusto. When he joined the company he became “Security Team”, which reflects in his presentation. This talk was how a single person without any real power can secure a company. He was sharing the best practices and tools that made his job easier. His first recommendation was to be able to code, as his company is a software house. It’s important to understand what people are doing and to gain their trust. Using Static Code Analysis tools to pick up some of vulnerabilities as an example, he recommends using dependency management tools to track down vulnerabilities in 3rd party code used by company. It’s also important to use outsiders to run tests, as his recommendation is to run a bounty program and regular pentesting. What is most important is bringing everyone on board in order for people to actively engage in security. This is important, because security is everyone’s job.
The Now And The Future Of Malicious WebAssembly -2:35 PM
Marius Musch is a PhD candidate at the Institute for Application Security at TU Braunschweig in Germany. His talk was a quick introduction to WebAssembly, which allows the development of high performance web applications. WebAssembly is a very powerful tool, which could be also used by duo Mallory and Mallet. One of the examples Marius mentioned was mining cryptocurrency. Cryptojacking popular websites with simple XSS attack can provide a much better payout than with JavaScript.
XSS magic tricks -4:05 PM
A quick look at available talks in this time slot revealed the best choice: XSS magic tricks. Gareth Hayes is a security researcher working for PortSwigger, a company known for building BurpSuite. His talks always bring in crowds, so as expected, the room was filled up, with some people crowded in the corridor just to catch a small glimpse of his presentation. Gareth is researching new ways to perform XSS attacks. His talk was very technical and contained a lot of interesting examples of those kinds of attacks. For those who are interested, the slides are in the link.
Securing the Future -5:00 PM
The last talk of the day belonged to keynote speaker Mikko Hypponen. Mikko is the Chief Research Officer of F-Secure. His presentation visually, aurally, and completely in every sense blew me away. He started his talk by giving an overview of the digital revolution we witnessed in the past and then moved on to the new revolution upon us; the IoT revolution. He mentioned the security risks involved in giving internet access to items that really don’t require it, such as a toaster. Some of you may consider receiving a notification from your toaster on the status of
your toast to be a great idea, but what if it compromises your security by giving attackers entry points to your network, or collects personal information without your knowledge? What if your toaster is involved in some sort of malicious activity? If you think this is science fiction, then you’re in for quite a surprise. It’s already happened, just google Mirai. Mikko finished this section, showing off an analogy between IoT and asbestos. As asbestos also was considered perfect solution for everything and we are still paying for that decision, so too will we for every small, insignificant appliance we have connected to the internet for the sake of convenience. In his talk, Mikko was talking about various challenges which security industry will have in the future, like cyber crime, cyber wars, and risks involved with growing AI capabilities.
After the last session of the day, we moved to Strandzuid beach bar for beer, food, and networking, where we spent some time discussing talks and sharing experiences. It was really a thrilling and mind opening experience. There should be warning sign there, because once you attend, your perception of the world will never be the same again. I closed out the day on a high note, anticipating what the next day of panelists would bring.