AppSec: Overview, Deep Dive, and Trends

Thursday, June 19, 2014

11:00 AM - 12:00 PM PDT

60 minutes, including Q&A

AppSec: Overview, Deep Dive, and Trends by Jared DeMott
Vulnerability Remediation by Nabil Hannan

In this presentation we will describe Application Security, dive into 2 pillars (code auditing and fuzzing), and discuss current trends.

Application Security is a process improvement exercise, but it depends more on the skill of the humans involved than other, more mechanically oriented processes do. Developers with the right skillset and training will produce better code than those without. And security architects and penetration testers will find more bugs if they have deep security experience and skills. Even so, bugs will be missed in peer review and formal code audits. Thus a solid process with a variety of techniques is required to examine programs from all possible angles.

In terms of code auditing we'll talk about three popular bugs: use-after-free, type confusion, and double fetch. We'll briefly describe each bug and show examples to help code auditors think about how to find such bugs in their source.

Fuzzing is one of the popular dynamic testing techniques used to hunt within the fully compiled binary for bugs missed in other types of testing. We'll walk through an example of file fuzzing and an example of network fuzzing. For file fuzzing we'll use the Peach framework, and for the network example we'll use Sulley.

This talk includes a perspective managers will appreciate, as well as the technical skills your code folks enjoy and require. Come join us on this 30-minute whirlwind tour of application security.




Dr. Jared DeMott

Dr. Jared DeMott is a seasoned security researcher and has spoken at conferences such as DerbyCon, Black Hat, DEF CON, ToorCon, Shakacon, DakotaCon, CarolinaCon, ThotCon, GRRCon, and BSides*. His notable past research includes stopping a trendy hacker exploit technique (known as ROP), for which he placed as a finalist in Microsoft's BlueHat Prize contest, and, more recently, showing how to bypass Microsoft's EMET protection tool.

Jared is active in the security community, teaching his Application Security course, and has co-authored the book Fuzzing for Software Security Testing and Quality Assurance. DeMott has been on three winning DEF CON CTF teams, and has the black badges to prove it. He has been an invited lecturer at prestigious institutions such as the United States Military Academy, and previously worked for the National Security Agency. DeMott holds a PhD from Michigan State University.

Sponsor Presenter:

Nabil Hannan

Nabil Hannan is a Managing Principal at Cigital, where he leads the company's North East practice, focusing on helping clients solve their software security needs and build/improve effective software security initiatives. During his tenure at Cigital, he has identified, scoped and delivered on software security projects (Architectural Risk Analysis, Penetration Testing, Secure Code Review, Malicious Code Detection, Vulnerability Remediation, Mobile Security Assessments, etc.) and products (SecureAssist, Enterprise Security Portal, Remediation Helpdesk, Operational Assessment Database, etc.) for many clients, in particular in the financial services sector. Prior to Cigital, Nabil worked as a Product Manager at Research In Motion/BlackBerry and has managed several initiatives and projects through the full Software Development Lifecycle.
