An evening with OWASP
Hosted by The OWASP Seattle Chapter
Details
Four speakers:
[[ the first one ]]
Integrated security testing: finding security vulnerabilities using your existing test framework
Morgan Roman
https://www.linkedin.com/in/morgan-roman/
Having a dedicated suite of a continuously run security tests seems out of reach for all but the most mature security programs. Scanners only scratch the surface or your application. Many companies already have integration tests that snake their way deeply into their web application, covering nearly every workflow.
In this talk, we will use a minimal amount of work to transform these integration tests into a suite of security tests.
Using Selenium and ZAP we will repurpose integration tests into security tests to search for common web application flaws such as XSS and SQLi with more context than a scanner. These security tests will traverse the web application the same way a real user would. We will then extend these tests to find subtle security bugs in authorization and business logic.
This session is ideal for testers and developers interested in making security testing part of their continuous integration pipeline.
[[ the second one ]]
Pacu: a modular open source Amazon Web Services post exploitation attack tool
Spencer Gietzen
https://www.linkedin.com/in/spencer-gietzen/
Cloud infrastructure security and configuration has been shown to be a difficult task to master. Sysadmins and developers with years of traditional IT experience are now being pushed to the cloud, where there is a whole new set of rules. This is what makes AWS environments particularly exciting to attack as a penetration tester. Best practices are often overlooked or ignored, which can leave gaps throughout an AWS environment that are ripe for exploitation.With an increasing number of breaches leaking AWS secret keys, companies are working to be proactive and are looking for red-team-like post exploitation penetration tests, so that they can be sure that their client data is as safe as possible post-breach.
Due to this need and the lack of AWS specific attack tools, I wrote Pacu, a modular, open source Amazon Web Services post exploitation attack tool created and used for Rhino Security Labs pentests.
In this talk I'll give an overview of how red teamers can use Pacu to simulate real-world attack scenarios against AWS environments, starting from information enumeration and scanning through exploitation, privilege escalation, data exfiltration and even providing reporting documentation. It will be released early August as an open source project to encourage collaboration and discussion of different AWS attack techniques and methodologies with both attackers and defenders.
[[ the third one ]]
Entropy
Jeff Costlow
https://www.linkedin.com/in/jeffcostlow/
Entropy is a measurement of the amount of randomness in a system. All systems need entropy to run in a secure fashion. We'll do a deep dive into entropy; what entropy is, how it's used, and how it's generated and kept in a pool in the linux kernel. We'll also give some important safety tips.
[[ the fourth one ]]
Business problems suited for a blockchain solution
Ashok Misra
https://www.linkedin.com/in/paymentsnut/
Are there particularly good business problems suited for a blockchain solution?
Blockchain technology is evolving at an exponential rate. There are numerous companies and projects claiming to be disrupting whichever space they claim to be disrupting.
However, is blockchain a panacea for all business problems? This talk will drill into some atomic details of the technology with a view towards understanding what can possibly be disrupted.
