- OWASP Meetup February 2019
Save the date! We will have our quarterly OWASP Israel meetup at the PerimeterX office in Tel Aviv.

Agenda:

17:00 - 17:30: Gathering and Networking

17:30 - 18:15: "When Applications & Infrastructure Converge - A Perspective on Istio, the Service Mesh Platform", Gadi Naor, Alcide CTO
In this session we will dive into Istio - the leading service mesh platform - the security machinery it offers, and the role it plays in application security throughout the application delivery lifecycle. We will also peek into how serverless and Istio co-exist.

18:15 - 19:00: "OWASP Serverless Top 10", Hillel Solow, CTO and Co-founder, Protego Labs
In moving to serverless, we shift some security responsibilities to the infrastructure provider by eliminating the need to manage servers. Unfortunately, that doesn't mean we're entirely absolved of all security duties. Serverless functions still execute code and can still be vulnerable to traditional application-level attacks. As a new type of architecture, serverless presents new security challenges. Some are the same as in traditional application development, but some take a new form. In this talk, I will examine how the original Top 10 stack up for serverless apps based on the OWASP Serverless Top 10 project, and why they differ from traditional attacks in attack vectors and defense techniques. I will also introduce the Damn Vulnerable Serverless Application (DVSA), a deliberately vulnerable, open-source tool aiming to be an aid for both security professionals and developers to better understand the implications and processes of serverless security.

19:00 - 19:15: Coffee Break

19:15 - 20:00: "Identity Resolution in Cyber Security", Shlomo Yona, Founder and Chief Scientist @Mathematic.ai
Resolving an actor's identity is imperative in many online systems. Misunderstanding your actors' identity means that you may be confusing bots with people, mistakenly resolving an individual actor as several different actors, being misled by multiple identities which are actually the same actor, and many more. These misunderstandings may well be wreaking havoc in your analytics, be it by wrong visualization or by introducing noise into your statistical models. We will learn a strategy to try to mitigate this problem and how this strategy fits into a broader security system.
- OWASP Meetup November 2018
- AppSec Israel 2018
Registration for AppSec Israel is now publicly open for the Training day, the Women in AppSec (WIA) event and the Conference day. The number of seats is limited; register at https://2018.appsecil.org/Register

We encourage you all to:
Submit your CFP by July 15th - https://www.papercall.io/appsecisrael2018
Submit your CFT by July 25th - https://www.papercall.io/appsecisrael2018training
AND support us by becoming an official conference sponsor - https://2018.appsecil.org/assets/AppSecIL_2018_Sponsorships.pdf
- OWASP Meetup - May 2018
The next OWASP meet-up will be hosted at the Soluto offices, Rothschild Blvd 39, Tel Aviv-Yafo, on May 8th at 18:00. As always, attendance is free, but we do need you to register in advance on the meet-up page. The DevSecCon conference will be held in Tel-Aviv during the meet-up week and we will host international guests, therefore the presentations will be in English.

Agenda for the meet-up:

Title: Pushing Left Like a Boss
Abstract: With incident response and penetration testing currently receiving most of our application security dollars, it would appear that industry has decided to treat the symptom instead of the disease. "Pushing left" refers to starting security earlier in the SDLC, addressing the problem throughout the process. From scanning your code with a vulnerability scanner to red team exercises, developer education programs and bug bounties, this talk will show you how to 'push left', like a boss.
Tanya Janca - Bio: Tanya Janca is a senior cloud advocate for Microsoft, specializing in application security; evangelizing software security and advocating for developers through public speaking, her open source project OWASP DevSlop, and various forms of teaching via workshops, blogs and community events. As an ethical hacker, OWASP Project and Chapter Leader, software developer, effective altruist and professional computer geek of 20+ years, she is a person who is truly fascinated by the 'science' of computer science.

Title: Crypto-mining: The New Force Behind Remote Code Execution Attacks
Abstract: Remote Code Execution (RCE) attacks involving crypto-mining are gaining momentum. They've become attackers' new favorite way to exploit vulnerabilities in web application source code and are prevalent in over 88% of all RCE attacks. In this talk we will investigate the methods attackers are using to infect with crypto-mining malware, specifically how they exploit RCE and insecure deserialization vulnerabilities in order to launch their attacks. We will analyze malicious crypto-mining scripts and see how the attackers make money by tracing their actual crypto wallets and mining pools. We will also explain why, although there is a surge in crypto-mining attacks, we have not seen any Bitcoin mining, only mining of other cryptocurrencies.
Gilad Yehudai - Bio: Gilad Yehudai is an algorithm developer and security researcher within Imperva's research group. Gilad develops algorithms and solutions using machine learning algorithms, and also researches new security threats and vulnerabilities. Gilad holds both a bachelor's degree and a master's degree in mathematics from Tel Aviv University.
Natan Elul - Bio: Natan Elul is a security researcher within Imperva's research group. Natan researches new security threats and vulnerabilities and develops research infrastructures for vulnerability assessment and malware analysis. Natan holds both a bachelor's degree and a master's degree in Computer Science from Ben Gurion University.
- OWASP Israel + Defcon Israel Joint Meetup
- All Day DevOps 2017
On October 24th, OWASP Israel will be supporting the Live Online All Day DevOps (http://www.alldaydevops.com/) Conference. This is a 24 hour event with 5 simultaneous tracks, delivering 96 sessions and 4 keynotes in 38 time zones. Session tracks include Automated Security, CI/CD, Modern Infrastructure, DevOps in Government, and the Tech Crawl, where companies will take you behind the scenes of their DevOps working environments. Featured speakers include Gene Kim, John Willis, Dave Farley, Patrick Dubois, James Wickett, Shannon Lietz, Damon Edwards, and Jez Humble. Registration is free (https://www.alldaydevops.com/all-day-devops-2017-register-now). Full details are located at AllDayDevOps.com (https://www.alldaydevops.com/) or watch this 40 second video (https://www.youtube.com/watch?v=ZXnRxptwcTE) to see what it’s all about.
- OWASP Israel June 2017 Chapter Meeting
Agenda:

17:00 – Gathering, food & drinks

17:30 – Opening note

17:45 – Encrypting Data at Scale
Gleb Keselman, Development Manager, Intuit Data Protection Services
Intuit's internal key management service served, just over a month ago, to encrypt the tax and financial history of more than 30 million American citizens. Overall, this required 2 billion cryptographic operations to encrypt and decrypt application data. Scaling a key management service requires a combination of system-level best practices along with novel cryptographic solutions. We will discuss how we are able to achieve a high level of security, combined with ease of use for developers and great performance.

18:30 – "…well then, we have an OWASP Top 10 opportunity"
Josh Grossman, Comsec Group
A couple of months ago the draft 2017 version of the OWASP Top 10 list was released, and with it came some surprises and some controversy. Whilst the Top 10 is very widely used, many people do not realise how it is actually produced and what it is based on. When I dug into the process behind it, the picture became even more concerning. In this session, I will explain the basis of the latest Top 10 list, summarise the reaction to the recent release and give my take on what I think should be done next. I will also suggest how we can use the Top 10 list and other OWASP projects to give better application security advice, and also how we can contribute back.

19:15 – Coffee Break

19:30 – Cloud Security for Startups - From A to E(xit)
Shahar Maor, Information Security Manager, Outbrain
Eitan Satmary, Security Architect, Wix
Founding a startup is hard work. The daily roller coaster can exhaust you fast. And on top of that, you need to cope with information security challenges, compliance and tough questions from customers. The Israeli chapter of the Cloud Security Alliance is helping the local startup community cope with those challenges. Over the last couple of years we have identified a gap in InfoSec knowledge and produced a Best Practices manual, designed for startups that rely on cloud infrastructure. This talk is a digest of a paper created by the Israeli Chapter of the CSA to help Software-as-a-Service startups (SaaS-SUs) gain and maintain client trust by building solid security foundations. Link to the paper: https://chapters.cloudsecurityalliance.org/israel/papers/

Map for directions and parking here: https://drive.google.com/file/d/0BxTR4z9R5DpbLWlvSE90LVlrNFU/view?usp=sharing
- OWASP Israel 2017 Chapter Meeting #2
Agenda:

17:00 – Gathering, food & drinks

17:30 – Opening note

17:45 – The Borders are Dissolving – Application Security Crystal Ball
Maty Siman, CTO & Founder, Checkmarx
Over several years applications have become central to anything we do. Whether web, mobile or even IoT applications, they all control almost every aspect of our daily lives. For that exact same reason they have also become the hacker's new best friend. But it seems that there is a change happening, and it isn't being discussed as often as it should. Data and financial gain is still considered the end goal, but the how is dramatically changing. Join us to try to envision what kind of attacks we will be seeing in the near future, how and who will be taking or dropping responsibility, and how modern development practices may benefit attack techniques.

18:30 – Automated security tests using ZAP and Webdriver.io
Omer Levi Hevroni, Soluto
Webdriver.io is a great framework for writing automation tests for your webapp. With a very small configuration you can easily integrate ZAP's passive scan into those tests and upgrade them into automated security scanning, enjoying all the useful things that ZAP is able to detect. I am going to cover how we did this at Soluto, and as we run everything using Docker containers, it is very easy to reproduce this setup for any webapp with existing Webdriver.io/Selenium tests.

19:15 – Coffee Break

19:30 – WebShell AV signature bypass and identification
Gil Cohen, CTO, Comsec
Ever wondered how easy or hard it is to trick a signature-based defensive product? Ever wanted to bypass such a product to upload your own malicious web-shell file to an attacked web server? This lecture is for you! In a very lightweight, straightforward and eye-opening talk I'm going to show how easy it is to upload a slightly modified version of the famous C99 webshell to get full control over a web server, and how ineffective the signature-based modules of defensive products are. I'm also going to show tips on how to identify a web-shell, and present 2 open-source tools that try to do just that.
- OWASP Israel January 2017 Chapter Meeting
Join us for the first meetup of the year!

Agenda:

17:00 – Gathering, Food & drinks

17:30 – Opening Note

17:45 – IP Agnostic Bot Detection
Michael Groskop, Director of WAF & R&D Security, Radware
Bot-generated attacks targeting web application infrastructure are increasing in both volume and scope. Bots are becoming more sophisticated, leveraging headless browser technologies and using different evasion techniques such as dynamically changing IP addresses. In this presentation we will review the challenges associated with IP-agnostic detection of bot-generated attacks, the complexity involved in distinguishing the good bots from the bad, and the actions application developers can take to better thwart such attacks.

18:30 – R U aBLE? - BLE Application Hacking
Tal Melamed, Technical Lead, AppSec Labs
As IoT devices are increasingly embedded in our everyday lives, vulnerabilities have real impact on our digital and physical security. Bluetooth Low Energy (BLE), also known as Bluetooth Smart, is part of Bluetooth 4. Today Bluetooth is the most popular protocol used for interfacing IoT and smart devices, wearables and medical equipment. Like most rising technologies, security is often left out. In this lecture we will demonstrate how to perform penetration testing for applications communicating with connected devices over BLE, and what equipment, libraries and projects can be used.

19:15 – Coffee Break

19:30 – Should I Trust My Vendor?
Yaniv Simsolo, CTO, Palantir Security
Modern systems and business models mandate different approaches to security. Sometimes, the business objectives of the vendor override the security objectives that we, the security community, think the product should have. When approaching a complex system design, numerous challenges arise when considering the trust we put in vendors' hands and vendors' responsibilities. Similar security challenges exist at the other end of the scale: considering the maturity (or lack thereof) of small-scale IoT products. Does the aim sanctify the means? In certain cases, either mal-coding or business practices result in very poor security for a product or a service. This can get to extreme cases where the vendor outright attacks its own customers. Such was the case, for example, when I purchased a brand new laptop from a known manufacturer and was attacked with viruses and malicious business-practices software. Indeed, certain vendors are worse than others. In the presentation we will explore notable examples of vendors abusing their customers' trust and review the (few) mitigation alternatives we may incorporate in our products and systems.