LASCON X has ended
Development
Thursday, October 24

11:00am CDT

Application Logging in the Era of GDPR
Applications log their activities for a variety of purposes including security. Developers and operation personnel adopt OWASP tools and others to enhance the security posture of their products and services.

On the one hand, businesses have different security requirements based on the risks faced by and the trust levels required of their products. Developers often need more relevant security guidance. On the other hand, GDPR is the law safeguarding the privacy of individual EU citizens. It affects all products sold or operated in the EU. Developers often raise questions about what data can or cannot be logged while remaining GDPR compliant. Although much material and training on GDPR exists, little of it provides guidance on application logging.

In this talk, we describe how we address these issues, including security and privacy related to application logging, protection of log data, and the impacts of GDPR. Audiences will take away recommendations and tips.

Speakers
Karen Lu

Security Architect, Thales
Dr. Karen Lu is a principal security architect at Thales. She has over 15 years of experience in security, risk assessment, identity and access management, and privacy protection. Karen holds 28 patents with many pending, and has 50+ publications over several research fields. She...



Thursday October 24, 2019 11:00am - 12:00pm CDT
Cypress Room, 2525 W Anderson Ln #365, Austin, TX 78757, USA

11:00am CDT

Choosing the Right Static Code Analyzers Based on Hard Data
Published research shows that static code analysis cost-effectively catches security weaknesses before they become exploitable vulnerabilities. But finding the right code analyzers can be challenging.

This talk will discuss research funded by the U.S. Department of Homeland Security to deliver unbiased methods and information for assessing and comparing the performance of static analyzer products.

In this talk we introduce a new, freely available website that presents the results of our research. We will discuss plans to track the types of weaknesses that analyzers can detect, to help people quickly find the right analyzer and achieve good detection coverage of multiple weaknesses.

We’ll discuss the properties of analyzers that are important to consider when bringing one (or a few!) into your development pipeline. We’ll also cover plans to benchmark result quality using real code, not artificial data sets. Finally, we’re looking forward to audience feedback on what information or capabilities are important.

Speakers
Chris Horn

Senior Researcher, Secure Decisions
Chris Horn is a Senior Researcher at Secure Decisions, an R&D division of Applied Visions, Inc. He has 18 years of experience in research, software systems, and new product development. Currently, he leads cybersecurity research & development projects and focuses on developing technology...


Thursday October 24, 2019 11:00am - 12:00pm CDT
Contrast Security Room, 2525 W Anderson Ln #365, Austin, TX 78757, USA

1:00pm CDT

How to Secure a nodejs Application End-to-End
Since the creation of the first web application, more and more applications have been moving to the web. As applications, data, and users migrate online, so do the respective threats. Viruses that used to infect people’s computers now try to steal user data online.

As developers, it is our responsibility to protect our end users from potential threats. Although the vulnerabilities apply to any web server, the tools and best practices we will discuss are specific to nodejs-based web servers. Nodejs is a javascript runtime that can be used to serve web applications with highly scalable asynchronous I/O.

Speakers
Muein Muzamil

Senior Software Architect, Thales
Muein Muzamil is a member of the technical community at Thales and works as a senior software architect in the Enterprise and Cybersecurity group based in Austin, TX. His research interests include evolving authentication solutions, federated authentication, one-time password (OTP...



Thursday October 24, 2019 1:00pm - 2:00pm CDT
Under Armour Room, 2525 W Anderson Ln #365, Austin, TX 78757, USA

Friday, October 25

10:00am CDT

Lost in Translation: Communicating Outside of Security
As organizations adopt DevSecOps, security professionals interact more and more with pure development teams. If you’ve ever explained to a developer why security is important, however, you’ve probably run into a language barrier. This talk is given by a developer/casual hacker who wants to help infosec communities understand communication pitfalls, some common language we can all use, and what developers need from security to succeed.

Speakers
Jessica Schalz

Security Engineer
I love talking about app sec tools, organizational psychology in security, and diversity/inclusion! Also dogs and Golang!


Friday October 25, 2019 10:00am - 11:00am CDT
Under Armour Room, 2525 W Anderson Ln #365, Austin, TX 78757, USA

1:00pm CDT

Do Certain Types of Developers or Teams Write More Secure Code?
Why do some developers and development teams write more secure code than others? In this talk we will describe several human factors—developer, team and environmental characteristics—that influence whether developers will inadvertently introduce security weaknesses into their code. We’ll present the results of research on how factors such as developer experience, disrupted attention, team size, team co-location, communication, work hours, and code rewrites affect software security. The research results are drawn from DoD-funded R&D conducted by our company on both open-source and proprietary software repositories, as well as academic research on software engineering practices. At the end of the talk, we will describe how others can participate in this research.

Speakers
Chris Horn

Senior Researcher, Secure Decisions
Chris Horn is a Senior Researcher at Secure Decisions, an R&D division of Applied Visions, Inc. He has 18 years of experience in research, software systems, and new product development. Currently, he leads cybersecurity research & development projects and focuses on developing technology...

Anita D'Amico

CEO, Code Dx, Inc.
Anita D’Amico, PhD, is CEO of Code Dx, Inc., which provides application security orchestration and correlation solutions that automate AppSec workflows. Prior to taking on the role of CEO, Anita was the Director of Secure Decisions, a cybersecurity R&D organization that developed...


Friday October 25, 2019 1:00pm - 2:00pm CDT
Cypress Room, 2525 W Anderson Ln #365, Austin, TX 78757, USA

1:00pm CDT

How to Build an Effective Malware Protection Architecture for File Uploads in Modern Web Apps
Web applications have traditionally accepted files uploaded via web portals, which had bot prevention controls to ensure that users, not bots, were uploading files. With the boom of the API economy, more and more applications have started accepting files over APIs. This makes file upload available programmatically to good bots, but it is also a vector for numerous file uploads during a day. This convenience comes with security shortcomings: for example, files cannot be analysed manually for potential malware because of their sheer number, and synchronous processing may be needed as business functionality in the web app. This talk will look at a novel approach to building and operating a practical automated malware analysis platform, and the considerations for scaling it at enterprise level while maintaining the heavy performance needs of web apps, to effectively detect and discard malicious file uploads in web apps.

Speakers
Ravi Krishnan Muthukrishnan

Senior Director, Application and Product Security, Babylon
Ravi is a technologist and a security expert specializing in web application security, cloud security, data protection, risk management, and cybersecurity. He has 11+ years of global work experience in the cybersecurity industry. He currently heads up application and product security...



Friday October 25, 2019 1:00pm - 2:00pm CDT
Contrast Security Room, 2525 W Anderson Ln #365, Austin, TX 78757, USA