AppSec Tales of Fails (& avoiding them), plus Deserialization Intro - Rebecca Deck
June 27, 2019 @ 6:30 pm - 8:30 pm
PLEASE NOTE LOCATION: Not our normal meeting space
Pizza and beverages will be supplied. Thanks to Pendo for offering us meeting space and drinks!
Rebecca Deck of DirectDefense will be covering two topics for us this month.
AppSec Tales of Fails:
Manual application security testing is expensive. As a third-party consultant, you are regularly forced to deliver substandard test results to clients. No one wants that! This leads to depressed consultants, unhappy clients, and less secure software. Maybe the contract has specific language that makes complete testing impossible. Perhaps the client (knowingly or not) places impossible restrictions on the tester. Sometimes the software is just completely untestable. Only by examining the ways in which projects fail can we hope to improve. This presentation serves as a guide to what companies looking for manual AppSec testing should do before, during, and after engagements to get their money's worth. There will be some real-world stories about ways that AppSec testing engagements ended in abject failure. Attendees who play some role in AppSec testing will come away with useful strategies to ensure their testing program delivers results, whether testing is performed by in-house or third-party testers.
As time allows, Rebecca will also talk about deserialization vulnerabilities and the attack surface they expose in your apps.
Deserialization has been the bane of application security since ysoserial was released in 2015. Since then, it has caused a cat-and-mouse game, with developers having to patch critical vulnerabilities extremely quickly. By crafting objects and supplying them to victims that deserialize untrusted input, attackers can alter application flow or even execute arbitrary code on the victim. Although commonly associated with Java, deserialization affects a variety of languages. This presentation covers the basics of what deserialization is, how the attacks work, why they are difficult to patch, and how to effectively remediate these security issues. No prior knowledge is necessary to understand this session.
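As an added illustration of the remediation the abstract points to (restricting what a deserializer is allowed to resolve), here is a Python pickle example with an allowlisting unpickler; it is not from the talk or from DirectDefense, and the Greeting type and the sample byte strings are constructed for it.

```python
import io
import pickle
from dataclasses import dataclass
from datetime import date


@dataclass
class Greeting:
    """Constructed example of a type the application legitimately expects."""
    name: str
    count: int


# Only these (module, name) pairs may be resolved while unpickling.
# Anything else, e.g. os.system or builtins.eval, is refused before it is called.
ALLOWED_GLOBALS = {(__name__, "Greeting")}


class RestrictedUnpickler(pickle.Unpickler):
    """Unpickler whose global lookups are limited to ALLOWED_GLOBALS."""

    def find_class(self, module, name):
        if (module, name) in ALLOWED_GLOBALS:
            return super().find_class(module, name)
        raise pickle.UnpicklingError(f"refusing to resolve {module}.{name}")


def load_untrusted(data: bytes):
    """Deserialize bytes from an untrusted source.

    Returns ("ok", obj) when every referenced global is allowlisted,
    otherwise ("rejected", reason) without the object ever being built.
    """
    try:
        return ("ok", RestrictedUnpickler(io.BytesIO(data)).load())
    except pickle.UnpicklingError as exc:
        return ("rejected", str(exc))


def expected_bytes() -> bytes:
    # Constructed: what a well-behaved client would send.
    return pickle.dumps(Greeting("Rebecca", 2))


def unexpected_bytes() -> bytes:
    # Constructed: harmless here, but a type the endpoint never agreed to accept;
    # any class outside the allowlist is refused the same way.
    return pickle.dumps(date(2019, 6, 27))
```

Calling `load_untrusted(expected_bytes())` returns the Greeting, while `load_untrusted(unexpected_bytes())` is rejected at the lookup of `datetime.date`, before any constructor or reduce callable runs.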
Rebecca Deck is a senior application security consultant for DirectDefense where she performs security testing on web, mobile, and client-side applications. Rebecca previously worked as a security engineer, incident responder, software developer, and soldier. Rebecca’s current work focuses on identifying software vulnerabilities, writing exploits, improving application testing methodologies, and better integrating software security in the software development lifecycle.