OWASP Meetup - SF February 2019
Details
Please note: due to a packed schedule we'll be starting at 6:10 instead of the usual 7.
It's time for more security in the city, courtesy of our host Insight Engines. There will be four(!!!) talks, food/drinks, and great people to meet.
• 6:00 - Doors open
• 6:10-6:15 - Intro/welcome
• 6:15-6:45 - The Role of Natural Language in Cyber Security (Grant Wernick)
• 6:50-7:20 - Hacker vs Company, Cyber Security Automated with Kubernetes (Demi Ben-Ari)
• 7:25-7:55 - Reviewing Modern JavaScript Applications (Lewis Ardern)
• 8:00-8:30 - Abusing Insecure WCF Endpoints for PrivEsc. and RCE (Chris Anastasio)
• 8:30-9:00 - Networking
Talk 1: The Role of Natural Language in Cyber Security (Grant Wernick)
Since more realistic ambitions are likely to lead to less disappointment in the future, Grant Wernick will present on how to identify some phases and tasks where natural language processing may usefully be applied.
Bio:
Grant Wernick, CEO of Insight Engines. (We are Hiring!) Experienced product-focused leader with over a decade of experience building amazing teams to create cutting-edge natural language, intelligence augmentation, and machine learning technologies.
Talk 2: Hacker vs Company, Cyber Security Automated with Kubernetes (Demi Ben-Ari)
In the talk we'll give a brief overview of different aspects of Cyber Security in the modern world, talking about Cloud and other external services that companies of any size use nowadays. We'll show from experience that the best and most fitting approach is to achieve ongoing monitoring of your security posture.
Lessons learned are promised, along with a glimpse of the hacker's view, because it's always interesting to see how you look from the outside.
Bio:
Demi has over 12 years of experience in building various systems, both in the field of near-real-time applications and in Big Data distributed systems. Co-Founder of the “Big Things” Big Data community and Google Developer Group Cloud. Big Data Expert, but interested in all kinds of technologies, from front-end to backend, whatever moves data around.
Talk 3: Reviewing Modern JavaScript Applications (Lewis Ardern)
When dealing with modern JavaScript applications, many penetration testers approach from an ‘outside-in’ perspective; this approach often misses security issues in plain sight. This talk will attempt to demystify common JavaScript issues which should be better understood/identified during security reviews. We will discuss reviewing applications in a code-centric manner by utilizing freely available tools to help start identifying security issues through processes such as linting and dependency auditing.
Bio:
Lewis Ardern is a Senior Security Consultant at Synopsys. His primary areas of expertise are in web security and security engineering. Lewis enjoys creating and delivering security training to various types of organizations and institutes in topics such as web and JavaScript security. He is also the founder of the Leeds Ethical Hacking Society and has helped develop projects such as bXSS and SecGen.
Talk 4: Abusing Insecure WCF Endpoints for PrivEsc. and RCE (Chris Anastasio)
The aim of this presentation is to spread awareness of WCF as an attack surface, and to demonstrate how to get started finding and exploiting these bugs. This will be accomplished by reviewing the vulnerability identification and exploit development process for a recent 0-day privilege escalation in Check Point’s flagship antivirus product ZoneAlarm.
Bio:
Chris Anastasio is a penetration tester at Illumant, bug bounty hunter, amateur exploit dev, and bad coder. He’s been working in Infosec professionally for 5 years, and as a hobbyist for many more. He cofounded the Dark Corner (darkcorner.org), a monthly hacker meetup in Palo Alto, CA. You can check out some of his other hacks at www.muffsec.com.
