Tim Tomes
Tim is an Application Security Professional with over 30 years of experience in the information technology and security industries. From network architecture design to software development to full-scope penetration testing, Tim has worked in multiple disciplines as both a manager and technician for the United States Military and private industry. Now focusing exclusively on web applications, Tim hones his development and security skills through managing multiple Open Source software projects, conducting consultative engagements, and providing training through OnDefend, where he serves as the Director of Training and Programs. Tim has a strong belief in contributing to the community and does so through writing technical articles, speaking at conferences, and mentoring the next generation of web application security professionals.
Session
My last 40 web application security assessments have resulted in 41 findings that relate to access control vulnerabilities. That means, on average, every application I test has at least one access control vulnerability. It's no surprise then that Broken Access Control is #1 on OWASP's list of top 10 web application security risks. But what makes access control systems so problematic?
To put it plainly, access control systems are hard: hard to design, hard to implement, hard to maintain, and hard to test. This combination creates a perfect storm for privilege escalation in web applications. But only those who understand these systems and how to evaluate them can use the storm to their advantage.
In this talk, I aim to equip you with the ability to tame the perfect storm. I'll start by addressing the pitfalls around access control systems in web applications of varying design architectures. I'll then demonstrate the tools and techniques that I use to uncover issues in these systems. Finally, I'll provide some insight into remediating access control issues, and into how development teams can automate access control testing as part of a CI/CD pipeline, something that is largely considered to be impossible.