Breakout: Breaker Track
Friday, September 27
10:30am PDT

Sanitize Client-Side: Why Server-Side HTML Sanitization is Doomed to Fail
Friday September 27, 2024 10:30am - 11:15am PDT
When a web application needs to safely render the user’s input as HTML, e.g., to enable rich text formatting, sanitization would be the solution. Generally speaking, sanitizing user input should be done on the server side, right? Well, this is not so obvious for XSS mitigation. While sanitizing on the client side sounds counterintuitive at first, in this talk, we will explain not only why it makes sense for HTML but also why it is important to do so. This talk showcases common pitfalls of sanitizing HTML server-side and dives into multiple interesting real-world vulnerabilities.
Speakers
Yaniv Nizry

Vulnerability Researcher, SonarSource
Yaniv Nizry (@YNizry) is a Vulnerability Researcher at Sonar, where he leverages his expertise to identify and mitigate vulnerabilities in complex systems. Starting his way as a software engineer, he shifted his focus while serving in the IDF's 8200 unit, where he gained experience...
Room: Grand Ballroom

11:30am PDT

Hidden Chains: Revealing High-Impact Bugs from Bounty submissions
Friday September 27, 2024 11:30am - 12:15pm PDT
Despite defense in depth, bounty hunters continue to bypass security measures. We will chronicle curated submissions from our bug bounty program.

This talk covers bugs that span the application security and infrastructure security domains. Folks from Detection and Response will find it especially useful for further strengthening their D&R capabilities. Frankly, we recommend it to all security practitioners (red, blue and purple teams), since we will share real-world bugs reported to our program and how we applied the learnings to elevate our security program.

Expect to hear root cause analysis, technical details, and mitigations. You will take away practical strategies to elevate your own security program.

Speakers
vinay prabhushankar

Security Lead, Snapchat
Vinay brings over a decade of experience in the security industry, and previously held positions at Microsoft and Splunk. He currently runs the Bug Bounty program for Snapchat and leads their M&A Security program. Vinay has presented at Bluehat, LASCON, and BSides Las Vegas.
Murali Vadakke Puthanveetil

Security Lead, Snapchat
Murali Vadakke Puthanveetil is a Security Lead at Snap Inc. currently working on securing M&As and defining a security trust center to enable business. He has over a decade of experience in Application security domains including Authentication, Web Application design, FIDO2 and WebAuthn...
Room: Grand Ballroom

1:15pm PDT

Hackuracy: Boosting AST accuracy through hacking
Friday September 27, 2024 1:15pm - 2:00pm PDT
How can a system's exposure to successful cyberattacks be detected more accurately? The short answer is that it is not possible with vulnerability scanning alone; expert manual evaluation by ethical hackers is also necessary.

While automated tools, thanks to their processing capacity and speed, have become indispensable for identifying potential vulnerabilities, they report high rates of false positives and false negatives, finding only 45% of systems' risk exposure. Tools cannot find vulnerabilities whose discovery requires an external user to come up with a complex, unexpected use of the application. This is where the expertise of ethical hackers comes into play.


In this talk, we will explain what accuracy in AppSec entails and specify three different measures that we used to assess the accuracy of security testing with scanning alone and with scanning combined with hacking. We will characterize the insecure-by-design web application that was used as the target of evaluation (ToE), and then compare the performance of the different conditions both in reporting vulnerabilities and in reporting risk exposure (identified with a metric designed to accurately show the severity of vulnerabilities to help prioritize them for remediation).

We will present our research findings, which highlight that the combination of scanning and hacking dramatically outperformed scanning with every assessed tool in all three accuracy measures, both in identifying the number of vulnerabilities and in identifying the associated risk exposure. Specifically, the combined approach achieved accuracy scores ranging from 78.9% to 93.7% in detecting the number of vulnerabilities in the ToE, and from 94.3% to 98.5% in identifying its risk exposure. In contrast, the most accurate tool's scores ranged from 26.4% to 58.4% and 8.5% to 27.0%, respectively. Notably, the overall performance of application security testing in our research was better at guaranteeing few false negatives in reports than at providing reports containing all legitimate vulnerabilities.


In summary, we will demonstrate that accurately detecting a system's risk exposure from its vulnerabilities requires more than just automated security testing. It requires the involvement of expert hackers who can perform manual evaluations, understand the nuances of application logic and identify sophisticated security flaws. We will also discuss how the accuracy of vulnerability scanners can be enhanced. Ultimately, the goal is to equip developers, security professionals and organizations with the knowledge and tools needed to enhance the security of their applications and protect against threats.

Speakers
Andres Roldan

VP of Hacking, Fluid Attacks
Andres Roldan is Fluid Attacks' VP of Hacking. He leads the company's research team and has identified and ethically disclosed 110 CVEs in open-source software. He has over 20 years of experience in cybersecurity, is a GIAC Advisory Board member, and holds 29 certifications in offensive...
Room: Grand Ballroom

2:15pm PDT

Kernel Alchemy: Crafting Mobile Kernel Code to Evade Modern RASP Protections
Friday September 27, 2024 2:15pm - 3:00pm PDT
In the realm of mobile security, Runtime Application Self-Protection (RASP) has emerged as a pivotal defense mechanism against cyber threats. However, the relentless pursuit of security loopholes by adversaries demands constant innovation in evasion techniques. This session offers an immersive exploration of the intricate art of manipulating mobile kernels to bypass contemporary RASP protections. Through a combination of theoretical insights and live demonstrations, attendees will gain insights into advanced kernel modification methods and their application in evading detection.
The session will feature captivating live demos showcasing the practical implementation of kernel modifications to bypass RASP defenses in real-time scenarios. From understanding kernel architecture intricacies to exploiting vulnerabilities and employing sophisticated memory manipulation techniques, participants will acquire practical knowledge essential for staying ahead in the dynamic field of mobile security evasion. By the session's conclusion, attendees will be equipped with actionable insights and tools to bolster their defense strategies against emerging cyber threats, ensuring they remain resilient in the face of evolving security challenges.

Speakers
Subho Halder

Co-Founder and CTO, Appknox
Subho Halder is the Co-Founder and CTO at Appknox, driving the development of secure mobile applications. A passionate security technologist and product developer, Subho's expertise stems from deep research into mobile platforms. He has earned accolades in Hall Of Fame programs for...
Room: Grand Ballroom

3:30pm PDT

Modernizing the Application Penetration Engagement and Reporting Lifecycle
Friday September 27, 2024 3:30pm - 4:15pm PDT
There is an abundance of resources addressing the general topic of writing penetration test reports, but few, if any, address the systems and processes holistically within the lifecycle of an engagement. Further, there is an absence of resources and standards that examine the unique challenges and requirements of reporting on application security tests compared to penetration tests targeting networks and systems. Existing standards and frameworks for report creation also lack consideration for the contemporary needs and challenges of both mature and immature security teams and organizations. These divergent needs themselves dictate multiple reporting processes, considerations, and ultimately deliverables.


This presentation will focus largely on the evolution of the reporting processes and output of an application security testing team working within an offensive security consulting organization. The presentation will follow the timeline in our journey from a legacy reporting ecosystem to our present implementation and beyond. 


Beginning with a discussion of our legacy systems, this presentation will describe our traditional reporting tooling, systems, and processes while highlighting the major challenges and deficiencies. The following key considerations will be centered: ease of use and efficiency, data collection and analytics, error prevention, automation, and client-specific requirements. 

Research was conducted to evaluate alternative systems and approaches in reconstructing a reporting ecosystem. We first sought to determine the key requirements for an ideal report and associated deliverables. A comprehensive comparative review of publicly available application penetration test reports was conducted to identify these key attributes. The results of this analysis will be presented and available publicly in written form. 

A similarly comprehensive approach was taken to evaluate freely available and commercial reporting platforms. This presentation will discuss the methodology and process but will not present a summary comparison of the platforms assessed. The chosen commercial platform will be discussed, but this talk is not a promotion or endorsement and will also highlight its challenges and limitations.

Finally, we will examine the processes and systems that have been adopted to manage reporting content and processes beyond the reporting platform itself. This includes significant use of the Microsoft 365 and Power platforms which allow us to manage data and automations around the engagement lifecycle. The discussion will cover our successes, challenges, and future endeavors. 
Speakers
Ryan Armstrong

Manager of Application Security Services, Digital Boundary Group (DBG)
Ryan Armstrong is the Manager of Application Security Services at Digital Boundary Group (DBG). Ryan began with DBG as an application penetration tester and security consultant following completion of his PhD in Biomedical Engineering at Western University in 2016. With a passion...
Room: Grand Ballroom