BEGIN:VCALENDAR
VERSION:2.0
PRODID:Data::ICal 0.24
BEGIN:VEVENT
DESCRIPTION:   'Title: Hacking & Defending Blockchain Applications\n   When
 : Saturday\, Aug 13\, 15:30 - 16:30 PDT\n   Where: Flamingo - Twilight Bal
 lroom - AppSec Village - Main Stage -\n   [1]Map\n   Speakers: Kennashka
  DeSilva\, Aimee Reyes\n\n   SpeakerBio:Kennashka DeSilva\n   Kennashka DeSilv
 a\, Cybersecurity Consultant at EY\, is highly skilled\n   in building web
 2 and web3 applications in addition to securing cloud\n   environments. Sh
 e is passionate about integrating best practices in\n   blockchain securit
 y and cloud computing.\n\n   SpeakerBio:Aimee Reyes\n   When not typing "t
 erraform destroy" I build security tooling that\n   intersects with machin
 e learning. Ex-OWASP DevSlop co-host\, current\n   Women in Cybersecurity
  and Society of Hispanic Professional Engineers\n   student chapter presid
 ent.\n\n   Description:\n   Blockchain is a technology that is rapidly gai
 ning widespread\n   adoption\; however\, security standards\, frameworks\,
  or methodologies\n   that incorporate the OWASP principles are not widely
  available.\n   A framework such as OWASP\, applied to Blockchain Applicati
 on\n   Security (BAS)\, can help ensure accountability\, fair participation
 \,\n   and security within the network.\n\n   DEFI stands for Decentralized
  Finance and is an alternate financial\n   universe with a steadily growing
  catalog of applications that run\n   autonomously\, where users can depo
 sit digital assets and earn returns\,\n   borrow\, and lend money — still
  in its infancy. There is an\n   opportunity to increase the quality of li
 fe and economic health across\n   the board\, as currently the total all-t
 ime high exceeds $2t\, with about\n   $3b lost or stolen through hacks.\n\n
    What are some components within a blockchain?\n\n   Blockchain networks
  are primarily managed through a peer-to-peer\n   network for use as a pub
 licly distributed ledger. Some components of\n   the blockchain include bl
 ocks of data representing each\n   transaction recorded. The wallet holds
  the keys that control your\n   funds and gives you a way to buy\, sell\,
  swap\, and earn\n   cryptocurrencies. Smart Contracts are computer code t
 hat\n   automatically executes all or parts of an agreement. Public Key
 \n   Cryptography\, or asymmetric cryptography\, is an encryption method
  that\n   employs two mathematically related keys.\n\n   How does the bloc
 kchain work?\n\n   Bob wants to send money to Susan. Bob’s transaction get
 s represented\n   within a block. The block gets broadcast to every party
  in the\n   network. The transactions get confirmed and approved. The blo
 ck gets\n   appended to the ledger\, and Susan receives her funds.\n\n   T
 he OWASP Top Ten List is an industry-recognized tool for identifying\n
    vulnerabilities in application security. Blockchain Application\n   Secu
 rity has some areas of opportunity for correlating OWASP to the\n   block
 chain to help discover potential vulnerabilities in blockchain\n   system
 s.\n\n   Here is a list
  of OWASP's top ten vulnerabilities as they relate to\n   blockchain appli
 cations:\n\n   A01:2021 – Broken Access Control\n\n   Secure implementati
 on of authentication and authorization is critical to the DEFI\n   ecosys
 tem. The wide use of browser wallet transaction authorization\n   means t
 hat a large attack surface exists.\n\n   Examples\n\n   MetaMask wallet:
  signing a transaction to an insecure or fake project\n   posing as a tru
 sted brand\, with the average end user unable to\n   analyze the smart co
 ntract.\n\n   Contract function calls that let a bad actor claim ownershi
 p of the\n   digital assets because the function did not check that the c
 aller\n   was the owner.\n\n   Solution:\n\n   Wallet access policy and im
 plementation\n\n   Reading the contract before signing\n\n   Researching t
 he credibility of the project\n\n   A02:2021-CRYPTOGRAPHIC FAILURES\n\n
    Cryptographic algorithms within Blockchain Applications can guarantee
 \n   a high level of privacy for the users. On the other hand\, failures
  in\n   cryptography can often be traced to poor key management.\n\n   Ex
 amples\n\n   Keccak-256 failure (the hashing algorithm used to compute ad
 dresses in\n   memory or storage).\n\n   Multi-signature architecture fai
 lure\n\n   Unencrypted private keys that fell into the hands of attackers
 .\n\n   A02:2021
 -CRYPTOGRAPHIC FAILURES DEFENSE\n\n   Solution\n\n   Life cycle management
  of cryptographic keys (generation\, distribution\,\n   destruction)\n\n
    Ensure geographical dispersion of keys required to sign a transaction.
 \n\n   Implement Identity and Access Management (IAM) controls such as le
 ast\n   privilege and zero-trust principles.\n\n   A03:2021-INJECTION\n\n
    Injection attacks occur when user-supplied data can be inserted\n   in
 to an insecure Blockchain Application API.\n\n   Examples\n\n   Insecure B
 lockchain API smart-contract parsing function that allowed\n   a buffer o
 ut-of-bounds write.\n\n   Unsecured function calls that allow a buffer ou
 t-of-bounds write.\n\n   A03:2021-INJECTION DEFENSE\n\n   Solution\n\n   T
 est early and often for dynamic queries\; escape special characters.\n\n
    Sanitize\, validate\, and filter all input.\n\n   Leverage machine lear
 ning for signature-based and anomaly-based\n   detection.\n\n   A04:2021-
 INSECURE DESIGN\n\n   Insecure design flaws in DEFI applications relate t
 o design-pattern\n   flaws in architectures\, such as weaknesses in the o
 peration and\n   management of exchanges and e-wallet services.\n\n   Inse
 cure Design examples:\n\n   Double Spending Attacks\n   Re-entrancy Attac
 ks\n\n   A04:2021-INSECURE DESIGN DEFENSE\n\n   Solution\n\n   Secure Deve
 lopment Lifecycle with CI/CD principles\, a secured\n   component library
 \, tooling\, and threat modeling.\n\n   A05:2021-SECURITY MISCONFIGURATIO
 N\n\n   DEFI applications allow acces
 s to a variety of services in the palm of\n   your hands\, such as DAOs\,
  trading\, insurance\, P2P lending and\n   borrowing\, and more. In this c
 ase\, security misconfigurations in the\n   application could drasticall
 y affect end users.\n\n   Examples\n\n   Security features that are not e
 nabled by default\, such as wallet\n   password protection for browser-ba
 sed wallets.\n\n   DEFI applications that rely on outdated third-party li
 braries such as\n   npm packages.\n\n   A05:2021-SECURITY MISCONFIGURATIO
 N DEFENSE\n\n   Solutions\n\n   Auditing tools\n\n   MFA\n\n   Defense in
  depth\n\n   Patch management and updates\n\n   An automated testing proce
 ss to verify the effectiveness of the\n   configurations and settings in
  all environments.\n\n   A06:2021-VULNERABLE AND OUTDATED COMPONENTS\n\n
    Blockchain systems rely on complex middleware\, like Ethereum or\n   H
 yperledger Fabric\, and libraries such as ethers.js that allow running\n
    smart contracts\, which specify business logic in cooperative\n   appl
 ications.\n\n   Examples\n\n   Dependency faults that lead to a declarati
 on allowing an application\n   to read data.\n\n   A06:2021-VULNERABLE AN
 D OUTDATED COMPONENTS DEFENSE\n\n   Solution\n\n   Patch management polic
 y and process for outdated dependencies\,\n   unnecessary features\, comp
 onents\, files\, and documentation.\n\n   Actively monitor for external l
 ibraries and functions that may be\n   deprecated or on an outdated vers
 ion.\n\n   A07:2021-IDENTIFICATION AND AUTHENTICATION FAILURES\n\n   In a
  decentralized application\, it is important to verify the user's\n   ide
 ntity and authentication\, along with user session management\, to\n   pr
 otect against authentication-related attacks.\n\n   Examples\n\n   Authen
 tication weaknesses in the DEFI application that permit brute\n   force o
 r other automated attacks\n\n   No API authentication\n\n   Exposed priva
 te keys in GitHub repositories\n\n   Excessive API data exposure in HTTP
  requests (GET\, POST requests)\n\n   A07:2021-IDENTIFICATION AND AUTHENT
 ICATION FAILURES DEFENSE\n\n
    Solution\n\n   Multi-factor authentication (MFA) to prevent automated c
 redential\n   stuffing\, brute force\, and stolen credential reuse attack
 s.\n\n   Strong password policy for users and internal systems\n\n   API a
 ccess policy\, and attributes to limit requests\n\n   Session management
  policy\n\n   Good testing\n\n   A08:2021-SOFTWARE AND DATA INTEGRITY FAIL
 URES\n\n   Blockchain applications hold valuable data that must be kept s
 ecret\n   and appropriately protected\; software and data integrity failu
 res\n   put that data at risk.\n\n   Example\n\n   A failure to achieve or
 acle integrity\, which allows exploitation by\n   malicious actors.\n\n
    A08:2021-SOFTWARE AND DATA INTEGRITY FAILURES DEFENSE\n\n   Solution\n
 \n   Digital signatures or similar mechanisms to verify that the softwar
 e\n   or data is from the expected source and has not been altered. Ens
 ure\n   libraries and dependencies\, such as npm packages\, are consumed
  from\n   trusted repositories.\n\n   Utilize logs\n\n   Change policies t
 o minimize the chance that malicious code or\n   configuration may be in
 troduced into your software pipeline.\n\n   Compliance frameworks as the
 y relate to personal data protected by\n   privacy laws like the General
  Data Protection Regulation (GDPR) or the\n   Health Insurance Portabilit
 y and Accountability Act (HIPAA)\n\n   Centralized or private blockchain
  implementation\n\n   A09:2021
 -SECURITY LOGGING AND MONITORING FAILURES\n\n   Security logging and moni
 toring is currently not widely available for\n   all blockchains such as
  Bitcoin\, Ethereum\, and others. With proper\n   logging and monitoring m
 echanisms\, anomalies can be detected.\n\n   For example:\n\n   Blockchai
 n explorer auditable events such as high-value transactions\,\n   failed
  transactions\, etc.\n\n   Appropriate alerting thresholds and response e
 scalation processes are\n   not made widely available on all blockchains
 .\n\n   A09:2021-SECURITY LOGGING AND MONITORING FAILURES DEFENSE\n\n   S
 olution\n\n   Anomaly detection and alerts\n\n   Real-time blockchain exp
 lorer analysis\n\n   Ensure that logs are generated in a consumable forma
 t\, leveraged with\n   AI\n\n   Incident response and recovery policy\n\n
    A10:2021-SERVER-SIDE REQUEST FORGERY\n\n   SSRF flaws as they relate t
 o DEFI applications occur whenever a web\n   application fetches a remot
 e resource without validating the\n   user-supplied URL.\n\n   Examples\n
 \n   Insecure URL fetching during the enumeration phases of an attack\n\n
    Untrusted data from the blockchain explorer used without validating\n
    and sanitizing it first.\n\n   Cross-site scripting vulnerabilities th
 at allow crypto-mining malware\n   to be run on the victim’s computer.\n
 \n   A10:2021-SERVER-SIDE REQUEST FORGERY DEFENSE\n\n   Solution\n\n   We
 b Application Firewall: enforce “deny by default” firewall\n   policie
 s. Establish a lifecycle policy for firewall rules based on\n   applicat
 ions. Log all accepted and blocked network flows on the\n   firewall.\n\n
    Sanitize and validate all client-supplied input data\n\n   Enforce a s
 trong URL schema\n\n   Disallow HTTP redirections\n\n   CONCLUSION\n\n   B
 lockchain Application Security (BAS) lacks specific security guidance\n
    and resources. The blockchain itself may be secure\; however\,\n   app
 lications sitting on the blockchain may not be. Most Web3\n   application
 s have HTML front ends\; as a result\, security controls\n   correlating
  to the OWASP framework\, centered around traditional web\n   applicatio
 n security\, are critical.\n\n   '\n\n   1. https://defcon.outel.org/conso
 lidated_page.html#FlamingoThirdFloor\n\n\n
DTEND:20220813T233000Z
DTSTART:20220813T223000Z
LOCATION:APV - Flamingo - Twilight Ballroom - AppSec Village - Main Stage
SUMMARY:Hacking & Defending Blockchain Applications
END:VEVENT
END:VCALENDAR
