• OWASP Meetup December 2020

    Online event

    Our quarterly OWASP Israel meetup will be virtual again! bring your own Pizza & Beer ;)

    We are excited to welcome a special guest speaker from overseas as well as two great talks from some of our local talent!

    Agenda:
    ----------------------
    17:45 - 17:55
    Virtual Gathering
    ----------------------
    18:00 - 18:40
    Enforcing Code & Security Standards with Semgrep
    Clint Gilber - Head of Security Research @ R2C

    In this talk, we’ll present Semgrep (https://semgrep.dev), an open source, lightweight static analysis tool. It's like a code-aware grep, enabling you to easily search for complicated code patterns without writing painful abstract syntax tree (AST) visitors or using heavyweight, expensive, proprietary traditional SAST tools.

    We’ll demo how to easily write custom Semgrep rules tailored to your specific code base, and how to get continuous security coverage in CI in a just a few minutes.
    ----------------------
    18:40 - 19:20
    Kubernetes and Nginx - Crunchy Exterior, Soft Interior
    Kfir Tal - CyberOps Consultant @ Cilynx

    The saying on Kubernetes is “It has a Crunchy exterior and a Soft interior”. It's hard to get in but once an attacker is inside without the proper configurations an attacker can reach their goal relative quickly.
    There are many common misconfigurations or default configurations which can make a cluster vulnerable. One of the common issues is when deploying a pod containing Ngnix, it's common to grant the pod excessive privileges “Just In Case”, it’s so common it was mentioned in 2020 BlackHat.

    In this talk we will go through what happens when a attacker meets a pod with excessive privileges and what can be done to prevent this kind of event in the future.
    ----------------------
    19:20 - 20:00
    A one-step way to protect against XXE
    Anat Mazar - Senior Developer and Security Champion @ Tufin
    Michael Furman - Lead Security Architect @ Tufin

    XML External Entities (XXE) is a dangerous vulnerability, currently ranked fourth (A4) in the OWASP Top Ten. Resolving this vulnerability should be a high priority for all developers. In this session, we will:
    - Demonstrate why XXE is so dangerous
    - Show you how this vulnerability is typically resolved in Java - in each and every place in the code that you parse an XML file
    - Show you the ultimate resolution in Java – set a couple of system properties once.

    Be the first on your team to learn about this solution, which is not even listed in the OWASP cheat sheet yet!
    ----------------------

    1
  • Virtual AppSec IL 2020 Conference (Track A & B)

    Online event

    Hi Everybody! Agenda is now online for the conference!!!

    https://appsecil.org/Agenda

    Please register here, we will publish the sessions urls in the sessions details in sched.
    We are going to have 2 conference tracks with lots of great session!!!

    AppSec IL site : https://appsecil.org

    Looking forward to seeing you all!

    24
  • Virtual AppSec IL 2020 Training Day (Track 1 & 2)

    Online event

    Hi Everybody!
    Agenda is now online for training!!!
    https://appsecil.org/Training
    please register here
    we will publish the sessions urls in the sessions details in sched

    Wow we are going to have 2 training tracks with lots of great session!!!

    AppSec IL site : https://appsecil.org
    Looking forward to seeing you all!

    4
  • OWASP Chapters All Day (24hr conference)

    Online event

    ### OWASP Chapters All Day ###
    Start: Saturday, June 06 at 5am PST (12:00 noon UTC)
    End: Sunday, June 07 at 5am PST (12:00 noon UTC, 15:00 IST).

    Leaders from OWASP Chapters throughout the world invite you to join us for 24 hours of non-stop AppSec!

    We’ll kick off the festivities with Welcoming Remarks and a Keynote presentation at 12:00 noon (UTC) on Saturday, 6 June. Then, each hour, the (virtual) floor will be handed over to a leader from another OWASP Chapter, who will introduce speakers from their chapter/region. At 12:00 noon (UTC) on Sunday, 7 June, we’ll wrap things up with a brief recap and closing remarks.

    The entire event will be live-streamed on the OWASP Chapters All Day YouTube Channel. Each presentation segment will be hosted by a different Chapter Leader and will be streamed separately. Live viewers will need to select a new stream to view each host change, while those viewing the recordings later will find 25 videos, listed by hour and host chapter.

    The OWASP Israel at 11:00am Israel time on 7th June we have two great new talks:
    First Michael Furman with "How SameSite Cookies Are Making the World a Safer Place" and then Omer Levi Hevroni with "Vulnerable Dependencies: It's Not About Discovery".

    Full schedule and details:
    https://owasp.org/www-community/social/chapters_all_day/

    Location:
    Stream -- https://www.youtube.com/channel/UCJNkJT42qFOBdnD8pCpelrw
    Chat -- #owasp-chapters-all-day channel on https://owasp.slack.com/. If you don't have an account, create one at https://owasp-slack.herokuapp.com/.

    1
  • OWASP Meetup March 2020

    Needs a location

    Join link: https://primetime.bluejeans.com/a2m/live-event/wxsxzjca

    We are feeling spontaneous, with current situation (COVID-19), our quarterly OWASP Israel meet-up will be virtual! bring your own Pizza & Beer ;)

    Event URL will be share soon

    Agenda:
    18:00 - 18:10: Virtual Gathering

    18:15 - 18:45: Guy Barnhart Magen - meliorsec.com, a security consultant and researcher, focusing on security architecture, machine learning and low level embedded technologies.

    MoH Hamagen App

    Developing secure apps while running, against time, with the government.
    Guy will explore the path that led to the successful launch of the privacy focused, open source, government led tracking app.

    18:45 - 19:15: Bar Hofesh - Co-Founder, CTO & Security Researcher at NeuraLegion
    Defining Business Logic Vulnerabilities (BLVs) can be difficult, such vulnerabilities are often context dependent and specific to the business, making it a tricky thing to deal with at scale. Organizations must invest significant resources into finding and fixing such vulnerabilities, in most cases relying on manual detection.

    The complexity of Business Logic Vulnerabilities and the difficulty of generalizing them, leads many think it is impossible to automate their detection. However, with today's advancements in AI, it is finally possible to automate tasks that were previously done only manually, by professionals with significant security expertise.

    19:15 - 19:45: Alex Peleg - CEO & Co-Founder at Cilynx
    Open Source projects for gamification of developers training

    The event will be in English

    1) Web Browser
    a) https://primetime.bluejeans.com/a2m/live-event/wxsxzjca

    2) Joining via a mobile device?
    a) Open this link : https://primetime.bluejeans.com/a2m/live-event/wxsxzjca
    b) Download the app if you don’t have it already.
    c) Enter event ID : wxsxzjca

    3) Phone
    Dial one of the following numbers, enter the participant PIN followed by # to confirm:

    +1 (415)[masked] (US)
    PIN[masked] #

    +1 (760)[masked] (US)
    PIN[masked] #

    Joining from outside the US? https://www.bluejeans.com/numbers/primetime-attendees/event?id=wxsxzjca

    1
  • OWASP Meetup Feb 2020

    BridgeCrew.io Office

    I am pleased to have another Docker image security workshop to make sure everyone can make it this time.

    Note it is hands-on workshop with limited seats for better attention, we have more coming, please register if you are interested.

    Agenda:
    17:30 - 18:00: Gathering and Networking

    18:00 - 18:30: Barak Schoster
    Embedding security into your Terraform code
    Incorporating infrastructure-as-code into software development is helping cloud security practitioners to prevent bad configurations upstream, without inflating development backlogs. In this session, we cover a simple method to write, test, and maintain infrastructure-as-code at scale using policy-as-code. We will go over open source projects to analyze your Terraform code and AWS environment and compare the two approaches (runtime vs static analysis)

    Barak Schoster, CTO & Co-founder at Bridgecrew, Author of checkov.io

    18:30 - 20:00: Liran Tal
    Docker image security best practices workshop:
    1. Learn how to find and fix vulnerabilities in docker images
    2. Learn how to detect bad defaults and bad configurations in docker images using automated tools
    3. Learn how to use deterministic and trusted docker images

    Liran Tal, Senior Developer Advocate at Snyk & Node.js Foundation Security Working Group

    Please that the next workshop will be for OWASP members
    https://wiki.owasp.org/index.php/Membership

    Ori

    13
  • OWASP Meetup January 2020

    ZOOZ Office

    Please note it is hands-on workshop with limited seats for better attention, we have more coming, please register if you are interested.

    please bring your laptops and make sure to install an IDE and Docker before the workshop

    Our quarterly OWASP Israel meetup in Tel Aviv.
    This time be ready to use your laptops! If you use docker and would like to understand why images can be malicious, we are planning a practical workshop about malicious Docker images.

    Agenda:
    17:00 - 17:30: Gathering and Networking

    17:30 - 19:00: Liran Tal
    Docker image security best practices workshop:
    1. Learn how to find and fix vulnerabilities in docker images
    2. Learn how to detect bad defaults and bad configurations in docker images using automated tools
    3. Learn how to use deterministic and trusted docker images

    Liran Tal, Senior Developer Advocate at Snyk & Node.js Foundation Security Working Group

    Remember to bring your laptop with you :)

    The event will be in English

    10
  • OWASP Meetup November 2019

    Akamai Israel Ltd.

    Our quarterly OWASP Israel meetup in Akamai office in Tel Aviv.
    This time it is done together with DevSecCon!

    Agenda:
    17:30 - 18:15: Gathering and Networking

    18:15 - 18:20: Opening words (Ori Troyna co-lead OWASP)

    18:20 - 18:50: What’s new in the ASVS 4.0
    Josh Grossman - Head of security services AppSec Labs

    OWASP’s Application Security Verification Standard (ASVS) is one of the few comprehensive guides of security requirements for applications. The 4.0 version, released in March 2019 represents a significant update with many new features as well as structural changes. In this talk, Josh, one of the project co-leaders, will go through what the ASVS is, how it is put together and how it can help you achieve more secure applications.

    18:50 - 19:20: At Your Service - Abusing the Service Workers Web API
    Daniel Abeles, Shay Shavit - Senior Security Researcher, Akamai.

    The Service Workers API is a modern web API that grants web developers advanced capabilities, such as acting as a proxy server, intercepting network requests and improving offline experience as a background service.

    In this talk we will cover new and emerging web based attacks that (ab)use the Service Worker web API. We will cover and demonstrate the attack flow where a potential attacker can amplify and persist his foothold on the client and exfiltrate sensitive information by abusing the service worker API.

    Along showcasing those kind of attacks, we will also discuss and explain how to find those attacks and methods to mitigate and prevent them.

    19:30 - 20:00: Behind enemy hooks: What AV really does to your apps
    Yarden Shafir - Software Engineer at CrowdStrike

    Abstract: We've all seen 3rd party Windows-based anti-virus products install DLLs into all running processes, leading to any number of issues for IT staff, administrators, and even users trying to get by with their life. Why do vendors do this, and what are the risks, side-effects, and outright bugs that these products instil on your applications? This talk will go over a few war stories from a veteran of the AV industry in all sorts of "case of" stories on how application compatibility, OS mitigations and hooks hooking hooks have caused grief and strife for customers. With Microsoft locking down the OS in a style similar to iOS, as well as the new "Windows 10X" and ARM64, you'll also learn about what's likely going to be replacing this approach in future products.

    The event will be in Hebrew

    13
  • OWASP Meetup June 2019

    Derech Menachem Begin 125

    Save the date! we will have our quarterly OWASP Israel meetup in Imperva office in Tel Aviv.

    Agenda:
    17:30 - 18:00: Gathering and Networking

    18:00 - 18:45: Troy Hunt - 'Rise of the Breaches'
    Data breaches are the new normal. We’ve created ecosystems with so many moving parts and so many complex units, it’s little wonder that we so frequently see them go wrong. A combination of more systems, more people, more devices and more ways than ever of producing and publishing data stack the odds in favour of attackers breaching more systems than ever.

    In this talk we’ll get a look inside the world of data breaches based on his experiences dealing with billions of breached records. We’ll see what’s motivating hackers, how they’re gaining access to data and how organisations are dealing with the aftermath of attacks. Most importantly, it will help you contextualise these incidents and understand both what these attacks actually look like and how to defend against them in your organisation.

    18:45 - 19:00: Coffee Break

    19:00 - 19:30: Lior Mazor - SDLC in Agile and DevOps development - Case Study.
    - Waterfall VS Agile and DevOps development
    - Secure Software Development Life Cycle (S-SDLC)
    - S-SDLC journey – Case Study

    19:30 - 20:00: Yury Geiler - How account takeover botnets outsmart traditional security controls.
    Account Takeover (ATO) describes a scenario in which an account is accessed by someone other than its legitimate owner, usually for malicious purposes. Although the risk is not new, it is still considered one of the top risks to cause financial loss for corporates and individuals alike today. One of the reasons for this grim reality is that businesses rely on outdated detection methods like static security rules, rate limit and bot protection. While these methods work well on technical attacks like SQL injection or cross site scripting, they are less effective against business logic attacks such as ATO. These methods can be easily bypassed as today’s ATO attackers use advanced tools and botnets that allows them to operate at a slow steady rate, impersonate legitimate clients and to morph the attack when needed.
    In this meetup I'll present real life botnets that we've exposed and the methods that we used to do that.

    The event will be in English

    4
  • Global AppSec Tel Aviv

    InterContinental David Tel Aviv

    (Locked placeholder event) Make sure to sign up at https://telaviv.appsecglobal.org/registration/registration-locals --- The OWASP Israel chapter will be hosting OWASP Global AppSec Tel Aviv, on May 26-30, 2019. https://telaviv.appsecglobal.org/ This is a flagship event for the Global OWASP Foundation, and we are expecting hundreds of OWASP leaders and security professionals from across Europe and the rest of the world. It will be a week-long event: 3 days of Training and other activities, and then 2 days of exciting content at the Conference! Our theme this year is “AppSec: The Community of Innovation”. Schedule: https://telaviv.appsecglobal.org/program/ Training: https://telaviv.appsecglobal.org/program/trainings Registration: https://telaviv.appsecglobal.org/registration/registration-locals