Our Unhealthy Relationship with Injection Vulnerabilities

Accepted Session
Short Form
Intermediate
Scheduled: Tuesday, June 21, 2016 from 10:00 – 10:45am in B304

Excerpt

Ever concatenated strings in your code? Did those strings include any kind of structured syntax? Then your code might be vulnerable to injection. What does that mean? I will show you the common patterns of injection that occur, what their impact might be, and how to avoid them.

Description

Injection flaws are a broad, common category of vulnerability in modern software. While many developers are aware of high-profile instances such as SQL injection, injection is possible in any language, protocol, or syntax that a program assembles from strings. Studying these flaws across many contexts reveals an underlying "theory of injection": untrusted data is spliced into structured syntax without being encoded for that syntax, so the parser on the other side reads data as code. This simple concept applies to many situations (including new technologies and those yet to be invented) and helps developers avoid the most common types of implementation vulnerabilities.
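The following is an added example, not code from the talk or the speaker, showing the same pattern in two syntaxes: a value concatenated into SQL text and the same value concatenated into JSON text, each beside a fixed version that hands the value to the syntax's own encoder. The table contents and the two payloads are constructed for the demonstration.

```python
import json
import sqlite3

# Constructed sample table (not from the talk): two users, one of them privileged.
USERS = [("alice", "admin"), ("bob", "user")]


def make_db():
    """Build an in-memory SQLite database holding the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, role TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", USERS)
    return conn


def lookup_user_concat(conn, name):
    """Vulnerable: the untrusted value is spliced into SQL syntax as text.

    A value containing a single quote closes the string literal, and whatever
    follows is parsed as SQL rather than as the name being looked up.
    """
    sql = "SELECT name, role FROM users WHERE name = '" + name + "'"
    return conn.execute(sql).fetchall()


def lookup_user_param(conn, name):
    """Fixed: the value travels separately from the SQL text, so it is only data."""
    sql = "SELECT name, role FROM users WHERE name = ?"
    return conn.execute(sql, (name,)).fetchall()


def build_profile_concat(name):
    """Vulnerable: the same mistake against JSON syntax instead of SQL.

    A value containing a double quote closes the string and can append keys;
    most JSON parsers keep the last duplicate key, so the appended value wins.
    """
    return '{"role": "user", "user": "' + name + '"}'


def build_profile_safe(name):
    """Fixed: let the serializer encode the value for the target syntax."""
    return json.dumps({"role": "user", "user": name})


def role_granted(build, name):
    """Parse the JSON a builder produced and return the role a consumer would see."""
    return json.loads(build(name))["role"]


# Constructed payloads that break out of a string literal in each syntax.
SQL_PAYLOAD = "' OR '1'='1"
JSON_PAYLOAD = 'x", "role": "admin'


if __name__ == "__main__":
    conn = make_db()
    print("SQL, concatenated:", lookup_user_concat(conn, SQL_PAYLOAD))
    print("SQL, parameterized:", lookup_user_param(conn, SQL_PAYLOAD))
    print("JSON, concatenated:", role_granted(build_profile_concat, JSON_PAYLOAD))
    print("JSON, serialized:", role_granted(build_profile_safe, JSON_PAYLOAD))
```

The two fixes look different (a bind parameter in one case, a serializer in the other) but are the same remedy: the value is handed to something that knows the grammar of the destination and encodes it, instead of being pasted into the grammar's source text. The same reasoning carries over to shell commands, LDAP filters, XPath, HTML, and any other syntax built from strings.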

Tags

security, injection, owasp

Speaking experience

I have spoken at dozens of local security groups over the years. More notably, I have spoken at the Blackhat USA security conference and at AppSec USA. I am also a trainer, regularly delivering 1/2 day, 1 day, and 2 day courses.

Speaker

  • Timothy Morgan

    Blindspot Security

    Biography

    As an application security consultant and vulnerability researcher, Tim has been taking deep technical dives in security for over a decade. In that time, he has been credited with the discovery and responsible disclosure of numerous security vulnerabilities in a variety of software products, including IBM Tivoli Access Manager, Sun Java Runtime Environment, Google Chrome Web Browser, OpenOffice, Oracle WebLogic Application Server, and IBM WebSphere Commerce. His current research interests include applied cryptanalysis, XML external entity attacks, and network timing attacks. Tim develops and maintains several open source forensics tools in addition to Bletchley, an application cryptanalysis toolkit.

    Tim works to secure his customers' environments through black box testing, code reviews, social engineering exercises, security training, and a variety of other services. Previously, Tim worked for a Boston-based security consulting firm as a lead security consultant and researcher. Tim has also worked on security teams at financial services companies and as a software developer. He has held a variety of roles in the information security field, including incident response, digital forensics, and risk analysis, giving him a broad set of experiences to draw upon. Tim earned his computer science degrees from Harvey Mudd College and Northeastern University and currently resides in Portland, Oregon, where he leads the local OWASP chapter.
