12 June 2011

A Report on AppSec Europe 2011

I arrived back from Dublin on Friday night following a full programme of training, presentations, meetings and networking at AppSec Europe 2011, held in Dublin, Ireland.

Photograph of the OWASP AppSec EU 2011 signage, next to that of Trinity College Dublin

As usual, the OWASP Ireland Dublin chapter gave a warm welcome and we have to thank Fabio Cerullo, Eoin Keary and Fiona Walsh in particular. But there was also great support from the OWASP Global Conferences Committee, Kate Hartmann, OWASP Operations Director, the OWASP Board and many of the active participants within OWASP especially Steven van der Baan (Capture the Flag competition), Martin Knobloch, and of course many others I either do not know or was not aware of. Dublin is an excellent city to host such an event with its good transport links and wealth of cultural, social and commercial opportunities.

Like the one-day OWASP AppSec Ireland event last year, AppSec EU 2011 was located within Trinity College, providing access to a large number of well-equipped and spacious lecture theatres and meeting rooms. I had also booked my accommodation there. I arrived promptly on Monday and took the opportunity to take a guided tour of the college, visit the college's Old Library (1712-1732) and see the valuable illuminated manuscript known as the Book of Kells (ca. 800).

It was good to see many familiar faces, speak to people I knew but had never physically met before, and meet a whole new group of people from Europe and further afield. Some of the speakers asked their audiences about their backgrounds, and the answers were interesting. Not only was there a large number of attendees who had never been to an OWASP event before, but there was also a large proportion who were developers — just like at the recent OWASP Greece Training Event. This seems to be contrary to the belief that OWASP might not be able to reach out to this community. But I suspect it has more to do with developers' desire to learn about application security, and perhaps they see it as a valuable skill which can also improve the quality of their code.

Like other OWASP AppSec Conferences, the conference was preceded by training classes. I had arranged to attend Christian Bockermann's class on Tactical Defense With ModSecurity, to immerse myself in a single topic for two days — something you don't often get the chance to do. Not only did the course provide a refresher on installing and configuring ModSecurity, we also had considerable time to write example rules, discuss the pros and cons of web application firewalls (WAFs), and examine the wide range of supporting tools that Christian has developed (available at jwall.org). I also picked up some good tips from Christian about providing training, which I will use for my training course on Application Attack Detection & Response Planning at AppSec USA in September. I only heard great feedback from the people who attended the other classes too.

The conference used four lecture theatres for the keynotes and the parallel sessions, with the latter identified by the categories "defend", "prevent" and "attack". Most of the sessions I attended fell into the defend and prevent categories, although I did spend some time at Justin Searle's presentation on "Python Basics for Web App Pentesters". There were also additional meetings and working sessions running concurrently, organised by the OWASP Global Committees for Chapters, Projects and Industry.

The initial keynote by Brad Arkin (Adobe) discussed their secure software initiatives and the large amount of internal training this entailed. The theme of secure software development lifecycles was returned to in the session by Mark Crosbie (IBM) on the practicalities of integrating security testing earlier in the SDLC, and in the keynote by Alex Lucas (Microsoft). Janne Uusilehto (Nokia) provided an insight into the range of contributing efforts needed to build secure products (mobile devices) and in particular how software security efforts need to be matched to the product lifecycle, and John Dickson (Denim Group) described how security officers and project owners can build justification cases for software security initiatives.

On Thursday I attended the ENISA/OWASP Workshop on Global Secure Software Initiatives - Beyond Awareness, organised by Giles Hogben (ENISA), Yaroslav Usenko and Eoin Keary. This produced a large number of ideas on what can be done to ensure that existing guidance and tools are really put into practice in the field, which will be written up as an opinion paper. Giles Hogben also provided a well-received keynote concerning mobile security, smartphones and the security implications of HTML5.

I spoke about the OWASP AppSensor project, providing an initial overview but with further discussion of high-level architectures, detailed application logging requirements, event signalling (broadcasting), and visual insight into attack events using an application-specific monitoring dashboard. I described possible base and advanced AppSensor configurations for a retail e-commerce web site. This led on to a live demonstration of event signalling and the display of detection events and response actions in an Ajax dashboard, updated using a Comet (Ajax push) server (videos of the dashboard for the base and advanced configurations are on YouTube). I will post a more detailed description in a few days.

Although there was a busy conference schedule, I also took part in one of the Global Industry Committee outreach sessions concerning the design and execution of a proposed enterprise application security survey. Rex Booth led the discussions with participants, and we shall be hearing more about this in the next few months.

A presentation by Marco Cova (University of Birmingham) and Davide Canali (EURECOM) discussed their research and implementation of building a detection system for web-based malware. On a very practical note, Alexis Fitzgerald (RITS Group) discussed a simple approach to specifying security requirements and Elke Roth-Mandutz (Georg Simon Ohm University) took a critical look at privacy classification schemes. It was good to hear Tobias Gondrom (IETF WG/OWASP London) describing some current and upcoming browser security initiatives and encouraging to see there was already some awareness and even adoption of draft W3C standards. He provided an estimated forward plan for the release dates of the final standards.

Dan Cornell (Denim Group) described testing smartphone applications, working through some live code examination demonstrations and providing some good tips on a methodology and tools to use. There were also two talks relating to threat modelling: Paco Hope (Cigital) gave an introduction to the topic, and later on Friday Marco Morana (OWASP Cincinnati) and Tony UcedaVelez (Versprite) gave us a first look at their Process for Attack Simulation and Threat Analysis (PASTA) threat modelling framework, working through an example of malware-based attacks against a bank.

Simon Bennetts (OWASP Leeds/Northern UK) presented the recently updated Zed Attack Proxy tool, and unfortunately I missed the talk by Justin Clarke (Gotham Digital Science) about practical cryptographic attacks. Maybe we'll see that one in London soon. It is a pity one cannot attend all the presentations, but they were being recorded on video, so I hope to catch up with some more subsequently.

Unfortunately, due to illness, Ivan Ristic was unable to provide the final keynote, but Arian Evans (Whitehat Security) stepped in to discuss the problems of scaling application security testing, possible application security metrics, and his thoughts on areas where OWASP may be able to help facilitate improvements.

On a social note, the KartCon EU was great fun. Somehow I managed to improve my ranking from near-last in the heats to somewhere more middling in the finals. The conference reception at the Church Bar worked very well, providing a quality venue for attendees to mingle, meet and exchange ideas.

The subsequent AppSec 2011 conferences are AppSec USA in Minneapolis USA (20-23 September), AppSec Latin America in Porto Alegre Brazil (4-7 October), and AppSec Asia in Beijing China (8-11 November).

Posted on: 12 June 2011 at 15:46 hrs


Comments


Excellent write up -- this is what community is all about!
1 Added by Tom Brennan Posted on 12 June 2011 at 23:08 hrs
I should also mention there are some other write-ups now available:

OWASP AppSec EU 2011 review, Penetration Testing For Developers
http://pentest4devs.blogspot.com/2011/06/owasp-app...

OWASP AppSec EU 2011, Secure.App.Dev
http://secureappdev.blogspot.com/2011/06/owasp-app...
2 Added by Clerkendweller Posted on 13 June 2011 at 15:38 hrs
There is another report at:

OWASP AppSec EU, slides, pictures and experience
http://securityconscious.blogspot.com/2011/06/owas...

And, the presentation slides have been added to the Appsec EU site:

Presentations
http://www.appseceu.org/wp-content/presentations/

The videos will be added later.
3 Added by Clerkendweller Posted on 21 June 2011 at 21:22 hrs
http://www.clerkendweller.com/2011/6/12/A-Report-on-AppSec-Europe-2011
© 2011-2012 clerkendweller.com