Tony UV

After nearly 25 years of IT/InfoSec work across a vast range of industries, experience has fueled my drive to deliver a better information security consulting practice. In 2007, I started VerSprite (aka VerSprite Security) with the idea of developing a team of 'security hybrids' - consummate security professionals who personify both technical mastery of emerging technologies and their associated threats, as well as a foundation in business processes, acumen, and overall mindset. As such, the inception of 'true spirited' security consulting was developed.

Through years of hands-on network, system, and software engineering and a foundation in risk management principles, the reality set in that true security, although relative to each organization, is best managed via a risk-based approach where both an understanding of data usage and functional use cases are known in the context of viable threat scenarios and supportive attack vectors.

This risk-based approach led to the mantra behind VerSprite Security as well as the PASTA threat modeling methodology (Process for Attack Simulation and Threat Analysis), a co-developed risk-based threat modeling methodology that I co-authored along with the accompanying book (Risk Centric Threat Modeling, Wiley 2015).

Leading VerSprite today requires constant innovation across both technical and non-technical areas. Changes to emerging technologies, regulations, and threat landscapes force security strategy to be tailored, not pre-fabricated or imitated. As such, I focus on ensuring that VerSprite's consulting practice develops authentic and custom solutions for our clients in consideration of their risk appetite, threat landscape, technology footprint and regulatory environment. Beyond VerSprite, I run the OWASP Atlanta, GA Chapter and have been heavily involved in the OWASP global initiatives since 2008.

A Tale of Two SaaS Providers around Session Hijacking - A case study in Vuln Disclosure Response, Session Hijacking & the Realities of Reverse Proxies in Compromising SaaS Accounts
Tony UV

Tenant hopping via compromised web sessions is one of a SaaS provider's worst nightmares. Then why are so many shrugging at mitigating real risks from users victimized by reverse web proxies? In recent months, VerSprite's OffSec team uncovered the prevalence and ease of abusing session tokens for SaaS providers via this attack pattern. This talk speaks on the effectiveness of this attack pattern against SaaS providers, depicts two distinct SaaS providers' responses with regard to responsible disclosure, and puts into question the shared responsibility models maintained by the cloud service provider.

We all know attack patterns are commonly layered, traversing various means (e.g. phishing, smishing, XSS, etc.). SaaS providers presented with an attack path that ultimately ends with session token compromise often claim that the prerequisites of an attack negate their responsibility for improved session management. This talk will speak on the ease of leveraging reverse web proxies for hijacking user web sessions in SaaS products, the responses from two SaaS providers within the same industry and how the regard for responsible disclosure of high-impact flaws can be treated extremely differently, and which countermeasures exist to limit these attacks from becoming more widespread in abuse.

Key takeaways from this talk will center around the following:
1. Ease of leveraging reverse web proxies for account takeover and defeating MFA/OTPs
2. Lessons in responsible disclosure for web application researchers
3. Countermeasures that SaaS providers should take for pre-authentication/post-authentication

Room 401 - "Re-Engage" track