AppSec
Friday, May 5


Eliminating XSS in PHP: Applying Context-Sensitive Auto-Sanitization to the PHP Programming Language
Cross-Site Scripting (XSS) has been a problem in the modern web dating back to the earliest instances of dynamic web pages. XSS arises when programmers of web applications improperly sanitize user input, which allows malicious or otherwise undesirable input to be inserted into the business logic of the vulnerable application. Though sanitization routines provided by programming languages can prevent these attacks in most cases, they only work if programmers remember to wrap user inputs in these routines. Worse yet, the standard HTML sanitization routines of certain web frameworks (such as PHP) may not be enough to prevent XSS in all contexts. Context-sensitive auto-sanitization (CSAS) seeks to remedy this issue by automatically sanitizing untrusted data for the context in which it is output. While many modern web frameworks provide good protection against XSS, there are few options for existing PHP codebases. In this paper, we present our open-source work sponsored by Cisco Systems to implement CSAS in PHP as a PHP extension that has seen positive results of preventing XSS in PHP web applications automatically and with minimal overhead. It is additionally compatible with PHP 7 and recent versions of WordPress, MediaWiki, RoundCube Webmail, and other widely used PHP web applications. Join us for a riveting story of the turbulent past of PHP applications' numerous XSS vulnerabilities, and witness the beginning of a future of PHP web applications without XSS.


Joseph R. Connor

Joseph is a Software Security Engineer at Cisco’s Advanced Security Initiatives Group. He graduated from the University of Tennessee, Knoxville in 2016 with a BS in Computer Science. He also co-founded and led UT’s computer security organization, HackUTK.
Jared M. Smith

Security Researcher, Oak Ridge National Laboratory
Jared is a Cyber Security Research Scientist at Oak Ridge National Laboratory, where he leads several projects on the Systems Security Research Team. He is currently working on his PhD in Computer Science at the University of Tennessee, Knoxville, where he also received his BS in...

Friday May 5, 2017 9:00am - 10:00am
KEC 17 Market Square #101, Knoxville, TN 37902


How to kick start an application security program
Management wants a security program set up in the software development life cycle (SDLC). You have very little programming experience. What do you do? This talk will walk through my experience of setting up appsec programs with minimal programming experience. The first part of the journey will cover tools. How a dynamic and static analyzer fit into an appsec program. Options for tracking vulnerabilities. Working with developers to remediate findings. Training developers to use the tools. The second part of the journey will focus on strategy. Understanding the environment. Implementing assessments and processes. Training developers to improve their security mindset. Finally, the talk will touch on potential next steps. This talk is for those looking to make an impact in the SDLC.

Timothy DeBlock

Senior Software Security Engineer
Timothy De Block is a senior software security engineer based in Nashville, TN. In his current role he provides guidance to the development on all things security. He believes in building strong relationships and putting people in a position to succeed. As a presenter he believes...

Friday May 5, 2017 5:00pm - 6:00pm
Scruffy City Hall 32 Market Square, Knoxville, TN 37902