Web Application Authorization: Taming the Perfect Storm

This month’s featured presentation is by Tim Tomes on "Web Application Authorization: Taming the Perfect Storm".

Description

My last 40 web application security assessments have resulted in 41 findings that relate to access control vulnerabilities. That means, on average, every application I test has at least one access control vulnerability. It's no surprise then that Broken Access Control is #1 on OWASP's list of top 10 web application security risks. But what makes access control systems so problematic?

To put it plainly, access control systems are hard; hard to design, hard to implement, hard to maintain, and hard to test. This combination creates a perfect storm for privilege escalation in web applications. But only those that understand these systems and how to evaluate them can use the storm to their advantage.

In this talk, I aim to equip you with the ability to tame the perfect storm. I'll start by addressing the pitfalls around access control systems in web applications of varying design architectures. I'll then demonstrate the tools and techniques that I use to uncover issues in these systems. Finally, I'll provide some insight into remediating access control issues, and how development teams can automate access control testing as part of a CI/CD pipeline... something that is largely considered to be impossible.

​Location​

OpenWorks

Third Floor, 101 N Main St #302, Greenville, SC 29601

​

For paid parking, it’s easiest to use the Richardson Street Garage’s 3rd level which has a direct breezeway access to OpenWorks. Use this for parking and how to find us: https://joinopenworks.com/guest-access#after-hours​

​

A special thank you to OpenWorks for making the location available to everyone that would like to attend.