• OWASP Meetup January 2020

    ZOOZ Office

    Please note it is hands-on workshop with limited seats for better attention, we have more coming, please register if you are interested. please bring your laptops and make sure to install an IDE and Docker before the workshop Our quarterly OWASP Israel meetup in Tel Aviv. This time be ready to use your laptops! If you use docker and would like to understand why images can be malicious, we are planning a practical workshop about malicious Docker images. Agenda: 17:00 - 17:30: Gathering and Networking 17:30 - 19:00: Liran Tal Docker image security best practices workshop: 1. Learn how to find and fix vulnerabilities in docker images 2. Learn how to detect bad defaults and bad configurations in docker images using automated tools 3. Learn how to use deterministic and trusted docker images Liran Tal, Senior Developer Advocate at Snyk & Node.js Foundation Security Working Group Remember to bring your laptop with you :) The event will be in English

  • OWASP Meetup November 2019

    Akamai Israel Ltd.

    Our quarterly OWASP Israel meetup in Akamai office in Tel Aviv. This time it is done together with DevSecCon! Agenda: 17:30 - 18:15: Gathering and Networking 18:15 - 18:20: Opening words (Ori Troyna co-lead OWASP) 18:20 - 18:50: What’s new in the ASVS 4.0 Josh Grossman - Head of security services AppSec Labs OWASP’s Application Security Verification Standard (ASVS) is one of the few comprehensive guides of security requirements for applications. The 4.0 version, released in March 2019 represents a significant update with many new features as well as structural changes. In this talk, Josh, one of the project co-leaders, will go through what the ASVS is, how it is put together and how it can help you achieve more secure applications. 18:50 - 19:20: At Your Service - Abusing the Service Workers Web API Daniel Abeles, Shay Shavit - Senior Security Researcher, Akamai. The Service Workers API is a modern web API that grants web developers advanced capabilities, such as acting as a proxy server, intercepting network requests and improving offline experience as a background service. In this talk we will cover new and emerging web based attacks that (ab)use the Service Worker web API. We will cover and demonstrate the attack flow where a potential attacker can amplify and persist his foothold on the client and exfiltrate sensitive information by abusing the service worker API. Along showcasing those kind of attacks, we will also discuss and explain how to find those attacks and methods to mitigate and prevent them. 19:30 - 20:00: Behind enemy hooks: What AV really does to your apps Yarden Shafir - Software Engineer at CrowdStrike Abstract: We've all seen 3rd party Windows-based anti-virus products install DLLs into all running processes, leading to any number of issues for IT staff, administrators, and even users trying to get by with their life. Why do vendors do this, and what are the risks, side-effects, and outright bugs that these products instil on your applications? This talk will go over a few war stories from a veteran of the AV industry in all sorts of "case of" stories on how application compatibility, OS mitigations and hooks hooking hooks have caused grief and strife for customers. With Microsoft locking down the OS in a style similar to iOS, as well as the new "Windows 10X" and ARM64, you'll also learn about what's likely going to be replacing this approach in future products. The event will be in Hebrew

  • OWASP Meetup June 2019

    Derech Menachem Begin 125

    Save the date! we will have our quarterly OWASP Israel meetup in Imperva office in Tel Aviv. Agenda: 17:30 - 18:00: Gathering and Networking 18:00 - 18:45: Troy Hunt - 'Rise of the Breaches' Data breaches are the new normal. We’ve created ecosystems with so many moving parts and so many complex units, it’s little wonder that we so frequently see them go wrong. A combination of more systems, more people, more devices and more ways than ever of producing and publishing data stack the odds in favour of attackers breaching more systems than ever. In this talk we’ll get a look inside the world of data breaches based on his experiences dealing with billions of breached records. We’ll see what’s motivating hackers, how they’re gaining access to data and how organisations are dealing with the aftermath of attacks. Most importantly, it will help you contextualise these incidents and understand both what these attacks actually look like and how to defend against them in your organisation. 18:45 - 19:00: Coffee Break 19:00 - 19:30: Lior Mazor - SDLC in Agile and DevOps development - Case Study. - Waterfall VS Agile and DevOps development - Secure Software Development Life Cycle (S-SDLC) - S-SDLC journey – Case Study 19:30 - 20:00: Yury Geiler - How account takeover botnets outsmart traditional security controls. Account Takeover (ATO) describes a scenario in which an account is accessed by someone other than its legitimate owner, usually for malicious purposes. Although the risk is not new, it is still considered one of the top risks to cause financial loss for corporates and individuals alike today. One of the reasons for this grim reality is that businesses rely on outdated detection methods like static security rules, rate limit and bot protection. While these methods work well on technical attacks like SQL injection or cross site scripting, they are less effective against business logic attacks such as ATO. These methods can be easily bypassed as today’s ATO attackers use advanced tools and botnets that allows them to operate at a slow steady rate, impersonate legitimate clients and to morph the attack when needed. In this meetup I'll present real life botnets that we've exposed and the methods that we used to do that. The event will be in English

  • Global AppSec Tel Aviv

    InterContinental David Tel Aviv

    (Locked placeholder event) Make sure to sign up at https://telaviv.appsecglobal.org/registration/registration-locals --- The OWASP Israel chapter will be hosting OWASP Global AppSec Tel Aviv, on May 26-30, 2019. https://telaviv.appsecglobal.org/ This is a flagship event for the Global OWASP Foundation, and we are expecting hundreds of OWASP leaders and security professionals from across Europe and the rest of the world. It will be a week-long event: 3 days of Training and other activities, and then 2 days of exciting content at the Conference! Our theme this year is “AppSec: The Community of Innovation”. Schedule: https://telaviv.appsecglobal.org/program/ Training: https://telaviv.appsecglobal.org/program/trainings Registration: https://telaviv.appsecglobal.org/registration/registration-locals

  • OWASP Meetup February 2019

    Perimeterx Office

    Save the date! we will have our quarterly OWASP Israel meetup in PerimeterX office in Tel Aviv. Agenda: 17:00 - 17:30: Gathering and Networking 17:30 - 18:15: "When Applications & Infrastructure Converge - A Perspective on Istio, the Service Mesh Platform", Gadi Naor, Alcide CTO In this session we will dive into Istio - the leading service mesh platform - the security machinery it offers, and the role it plays in application security, throughout the application delivery lifecycle. We will also peek into how serverless and Istio co-exist. 18:15 - 19:00: "OWASP Serverless Top 10", Hillel Solow CTO and Co-founder, Protego Labs In moving to serverless, we shift some security responsibilities to the infrastructure provider by eliminating the need to manage servers. Unfortunately, that doesn’t mean we’re entirely absolved of all security duties. Serverless functions still execute code and can still be vulnerable to traditional application-level attacks. As a new type of architecture, serverless presents new security challenges. Some are equal to traditional application development, but some take a new form. In this talk, I will examine how the original Top 10 stack up for serverless apps based on the OWASP Serverless Top 10 project and why they are different from traditional attacks in attack vectors and defense techniques. I will also introduce the Damn Vulnerable Serverless Application (DVSA), a deliberately vulnerable, open-source tool, aiming to be an aid for both security professionals and developers to better understand the implications and processes of serverless security. 19:00 - 19:15: Coffee Break 19:15 - 20:00: "Identity Resolution in Cyber Security", Shlomo Yona, Founder and Chief Scientist @Mathematic.ai Resolving actor's identity is imperative in many online systems. Misunderstanding of your actors' identity means that you may be confusing bots with people, mistakenly resolving an individual actor as several different other actors, mislead by multiple identities which are actually the same actor and many more. These misunderstandings may well be wreaking havoc in your analytics be it by wrong visualization or by introducing noise to your statistical models. We will learn a strategy to try and mitigate this problem and how this strategy fits into a broader security system.

  • OWASP Meetup November 2018

    Synopsis Offices

    Save the date! we will have our quarterly OWASP Israel meetup in Synopsys office in Herzliya. Agenda: 17:30 - 18:00: Gathering and Networking 18:00 - 18:45: “Scratching the Surface of your CD?” Ofer Maor, Director, Solutions Management, Synopsys Continuous Delivery (CD) introduces a new set of challenges for application security testing, even compared with already fast Continuous Integration (CI) and DevOps methodologies. CD development organization can produce hundreds or even thousands of software updates per day, some of them taking no longer than a few hours from beginning to end. True continuous testing calls for true, inline, continuous security testing, which does not rely on any dedicated testing slots. In this talk we will talk about some of these concepts - how to streamline security testing in the background, how to fit it into modern A/B testing cycles, and how to build an approval process that fits a modern CD workflow, rather than an old security go/no-go approach. 18:45 - 19:30: "Client JavaScript Security - an Oxymoron?" Hadar Blutrich, Source Defense co-founder Your firewall, WAF, source code review, and many other security solutions are focused on your internal servers and their communication with your customer 's browser. 3rd party scripts are hosted on remote servers which are completely outside of your security system's reach and executed on the customer 's browser over which you have no control. Thus, after every layer of your corporate security program has already done its job, the user 's browser is communicating with these remote servers. This means that you have no visibility, management, or control over the behaviors and actions of each 3rd party. Source Defense will discuss preventing JavaScript from accessing data that the JavaScript was not intended to access. 19:30 - 19:45 coffee break 19:45 - 20:30: "Fighting Fraud in the Trenches" Amir Shaked VP R&D PeremiterX Let’s break a native mobile app, bypass the certificate pinning, skip the token validation and build an automated attack to breach accounts, the first step in today’s retail fraud. We'll demo all the attack steps, suggesting mitigation factors, so that you can both take the offense on your apps, and find them before the attackers do.

  • AppSec Israel 2018

    Bar Shira Auditorium, Tel Aviv University

    The registration for AppSec Israel is publicly available for the: Training day, Women in AppSec (WIA) event and Conference day Number of seats is limited, for registration https://2018.appsecil.org/Register We are encouraging you all to: Submit your CFP by July 15th - https://www.papercall.io/appsecisrael2018 Submit your CFT by July 25th - https://www.papercall.io/appsecisrael2018training AND support us by becoming an official conference sponsor - https://2018.appsecil.org/assets/AppSecIL_2018_Sponsorships.pdf

  • OWASP Meetup - May 2018


    The next OWASP meet-up will be hosted on Soluto offices Rothschild Blvd 39, Tel Aviv-Yafo on May 8th 18:00. As always, attendance is free but we do need you to register in advance in the meet-up page - The DevSecCon conference will be held in Tel-Aviv on the meet-up week and we will host international guests therefore the presentation will be in English. Agenda for the meet-up: Title: Pushing Left Like a Boss Abstract: With incident response and penetration testing currently receiving most of our application security dollars, it would appear that industry has decided to treat the symptom instead of the disease. “Pushing left” refers to starting security earlier in the SDLC; addressing the problem throughout the process. From scanning your code with a vulnerability scanner to red team exercises, developer education programs and bug bounties, this talk will show you how to ‘push left', like a boss. Tanya Janca - Bio: Tanya Janca is a senior cloud advocate for Microsoft, specializing in application security; evangelizing software security and advocating for developers through public speaking, her open source project OWASP DevSlop, and various forms of teaching via workshops, blogs and community events. As an ethical hacker, OWASP Project and Chapter Leader, software developer, effective altruist and professional computer geek of 20+ years, she is a person who is truly fascinated by the ‘science’ of computer science. Title: Crypto-mining: The New Force Behind Remote Code Execution Attacks Abstract: Remote Code Execution (RCE) attacks involving crypto-mining are gaining momentum. They've become attackers' new favorite way to exploit vulnerabilities in web application source code and are prevalent in over 88% of all RCE attacks. In this talk we will investigate the methods attackers are using to infect with crypto-mining malwares, specifically how they exploit RCE and insecure deserialization vulnerabilities in order to launch their attacks. We will analyze malicious crypto-mining scripts and see how the attackers make money by tracing their actual crypto wallets and mining pools. We will also explain why although there is a surge in crypto mining attacks, we have not seen any Bitcoin mining, only mining of other crypto currencies. Gilad Yehudai - Bio: Gilad Yehudai is an algorithm developer and security researcher within Imperva’s research group. Gilad develops algorithms and solutions using machine learning algorithms, and also researches new security threats and vulnerabilities. Gilad holds both a bachelor’s degree and a master’s degree in mathematics from Tel Aviv University. Natan Elul - Bio: Natan Elul is a security researcher within Imperva’s research group. Natan researches new security threats and vulnerabilities and develops research infrastructures for vulnerability assessment and malware analysis. Natan holds both a bachelor’s degree and a master’s degree in Computer Science from Ben Gurion University.

  • OWASP Israel + Defcon Israel Joint Meetup


    • What we'll do Agenda: 18:30 - 18:45 networking 18:45 - 19:00 Brief introductions and updates. 19:00 - 19:45 Jumping into Heaven’s Gate - Yarden Shafir 19:45 - 20:30 Breaking obfuscations - Tomer Zait Presentations abstract: Title: Jumping into Heaven’s Gate - Yarden Shafir Abstract: The old days of 32bit applications are long bygone, nowadays most Operating Systems are running in a 64bit environment, requiring 64bit applications. So how can a 64bit Operating System run a 32bit legacy Application? The native 64bit environment cannot directly support the execution of a 32bit Application. 32bit Applications expect several surrounding pillars which help it perform necessary actions, and those no longer exist in a 64bit environment. However, in practice Windows contains many secrets, and one of those secrets is the WoW64 subsystem. The Wow64 Subsystem supplies a natural environment for the legacy 32bit Application and enables anyone to run them on newer 64bit Operating Systems without any trouble. How the subsystem actually does this remains a question to many. Any Application, whatever its type, begins its execution in 64bit mode. The Operating System then relentlessly moves forward to the 32bit world by loading the WoW64 Subsystem, in order to let the 32bit Application execute freely. In this talk we will dive into the WoW64 Subsystem and explain how a 32bit Application performs 64bit (native) system calls. We will also see how it is possible to exploit this mechanism in order to create smarter malware that evade Next-Generation and Previous-Generation AV products and integrates with the Cuckoo Sandbox to “detonate” the user-supplied specimen in a controlled environment to observe active mutex objects and their effects on the malicious program. Title: Breaking obfuscations - Tomer Zait Abstract: During my journey in de-obfuscating malicious scripts, such as JavaScript and PowerShell, I have realized that there is a lack of good one-stop-shop solution. Researchers still perform this tedious task manually while encountering exploit kits, web injects, PowerShell and python post exploitation agents as well as different legitimate JavaScript products. During this Session I will demonstrate working with de-obfuscation tools I created, of-the-shelf tools and how to create similar tools on your own . In addition, I will touch Android de-obfuscation in practice and the obfuscation attack surface each language provides. • What to bring • Important to know

  • All Day DevOps 2017

    A virtual event - no location

    On October 24th, OWASP Israel will be supporting the Live Online All Day DevOps (http://www.alldaydevops.com/) Conference. This is a 24 hour event with 5 simultaneous tracks, delivering 96 sessions and 4 keynotes in 38 time zones. Session tracks include Automated Security, CI/CD, Modern Infrastructure, DevOps in Government, and the Tech Crawl, where companies will take you behind the scenes of their DevOps working environments. Featured speakers include Gene Kim, John Willis, Dave Farley, Patrick Dubois, James Wickett, Shannon Lietz, Damon Edwards, and Jez Humble. Registration is free (https://www.alldaydevops.com/all-day-devops-2017-register-now). Full details are located at AllDayDevOps.com (https://www.alldaydevops.com/) or watch this 40 second video (https://www.youtube.com/watch?v=ZXnRxptwcTE) to see what it’s all about.