- OWASP Meetup January 2020
Please note this is a hands-on workshop with limited seats so that everyone gets attention. More events are coming; please register if you are interested. Please bring your laptop and make sure to install an IDE and Docker before the workshop.

Our quarterly OWASP Israel meetup in Tel Aviv. This time be ready to use your laptops! If you use Docker and would like to understand why images can be malicious, we are planning a practical workshop about malicious Docker images.

Agenda:
17:00 - 17:30: Gathering and Networking
17:30 - 19:00: Liran Tal - Docker image security best practices workshop:
1. Learn how to find and fix vulnerabilities in Docker images
2. Learn how to detect bad defaults and bad configurations in Docker images using automated tools
3. Learn how to use deterministic and trusted Docker images
Liran Tal, Senior Developer Advocate at Snyk & Node.js Foundation Security Working Group

Remember to bring your laptop with you :)
The event will be in English
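To give a feel for what the second and third workshop items mean in practice, here is a small Dockerfile checker written for this page (it is not workshop material and not any vendor's tool). It flags the bad defaults an automated linter typically reports: a base image that is not pinned by digest (non-deterministic builds), a floating tag, a remote `ADD`, `apt-get install` pulling in recommended packages, and a final stage that still runs as root. The rule names are made up for the example, the two Dockerfiles are constructed inline, and the all-zero digest is a placeholder for the real sha256 a `docker pull` would report.

```python
"""Dockerfile bad-defaults checker (illustrative example code, not the workshop's).

The rule names are invented for this demo; the Dockerfiles below are constructed.
"""
import re
from typing import List, Tuple

# FROM [--platform=...] <image> [AS <stage>]; instruction keywords are case-insensitive.
_FROM = re.compile(r"^FROM\s+(?:--platform=\S+\s+)?(\S+)(?:\s+AS\s+\S+)?$", re.I)
_DIGEST = re.compile(r"@sha256:[0-9a-f]{64}$")


def _logical_lines(dockerfile: str) -> List[str]:
    """Join backslash-continued lines and drop comments and blank lines."""
    out, buf = [], ""
    for raw in dockerfile.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.endswith("\\"):
            buf += line[:-1] + " "
            continue
        out.append((buf + line).strip())
        buf = ""
    if buf:
        out.append(buf.strip())
    return out


def lint_dockerfile(dockerfile: str) -> List[Tuple[str, str]]:
    """Return (rule, message) findings in the order the offending lines appear."""
    findings: List[Tuple[str, str]] = []
    last_user = None
    for line in _logical_lines(dockerfile):
        m = _FROM.match(line)
        if m:
            image = m.group(1)
            last_user = None  # every build stage starts as root again
            if image.lower() == "scratch":
                continue
            if not _DIGEST.search(image):
                findings.append(("BASE_NOT_DIGEST_PINNED",
                                 f"base image '{image}' is not pinned by digest; the build is not reproducible"))
            name = image.split("@", 1)[0]
            # A ':' in the last path component is a tag; one before a '/' is a registry port.
            last_part = name.rsplit("/", 1)[-1]
            tag = last_part.rsplit(":", 1)[1] if ":" in last_part else ""
            if tag in ("", "latest"):
                findings.append(("BASE_FLOATING_TAG",
                                 f"base image '{image}' uses a floating tag ('latest' or none)"))
            continue
        upper = line.upper()
        if upper.startswith("USER "):
            last_user = line.split(None, 1)[1].strip()
        elif upper.startswith("ADD "):
            src = line.split()[1]
            if src.startswith(("http://", "https://")):
                findings.append(("ADD_REMOTE_URL",
                                 f"ADD fetches '{src}' at build time with no integrity check"))
        elif (upper.startswith("RUN ") and "APT-GET INSTALL" in upper
              and "--NO-INSTALL-RECOMMENDS" not in upper):
            findings.append(("APT_RECOMMENDS",
                             "apt-get install without --no-install-recommends pulls in extra packages"))
    if last_user in (None, "root", "0"):
        findings.append(("RUNS_AS_ROOT", "final stage sets no non-root USER; the container runs as root"))
    return findings


# Constructed sample: the defaults a fresh Dockerfile often ships with.
BAD_DOCKERFILE = """
FROM node:latest
ADD https://example.invalid/app.tar.gz /app/
RUN apt-get update && apt-get install -y curl
COPY . /app
CMD ["node", "/app/server.js"]
"""

# Constructed hardened form. The digest is a placeholder (all zeros) standing in
# for the real sha256 that `docker pull node:12-slim` would report.
PLACEHOLDER_DIGEST = "sha256:" + "0" * 64
GOOD_DOCKERFILE = f"""
FROM node:12-slim@{PLACEHOLDER_DIGEST}
RUN apt-get update && apt-get install -y --no-install-recommends curl \\
    && rm -rf /var/lib/apt/lists/*
COPY --chown=node:node . /app
USER node
CMD ["node", "/app/server.js"]
"""

if __name__ == "__main__":
    for name, text in (("bad", BAD_DOCKERFILE), ("good", GOOD_DOCKERFILE)):
        print(name, [rule for rule, _ in lint_dockerfile(text)])
```

Pinning by digest is what makes the image deterministic: a tag such as `12-slim` can be moved to a different image by the publisher, a digest cannot. Running as a non-root `USER` and avoiding `ADD` from a URL are the two configuration fixes that automated scanners flag most often.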
- OWASP Meetup November 2019
Our quarterly OWASP Israel meetup, hosted at the Akamai office in Tel Aviv. This time it is held together with DevSecCon!

Agenda:
17:30 - 18:15: Gathering and Networking
18:15 - 18:20: Opening words (Ori Troyna, OWASP co-lead)
18:20 - 18:50: What's new in the ASVS 4.0 - Josh Grossman, Head of Security Services, AppSec Labs
OWASP's Application Security Verification Standard (ASVS) is one of the few comprehensive guides of security requirements for applications. The 4.0 version, released in March 2019, represents a significant update with many new features as well as structural changes. In this talk, Josh, one of the project co-leaders, will go through what the ASVS is, how it is put together and how it can help you achieve more secure applications.
18:50 - 19:20: At Your Service - Abusing the Service Workers Web API - Daniel Abeles, Shay Shavit, Senior Security Researchers, Akamai
The Service Workers API is a modern web API that grants web developers advanced capabilities, such as acting as a proxy server, intercepting network requests and improving the offline experience as a background service. In this talk we will cover new and emerging web-based attacks that (ab)use the Service Worker web API. We will cover and demonstrate the attack flow in which a potential attacker can amplify and persist their foothold on the client and exfiltrate sensitive information by abusing the Service Worker API. Alongside showcasing those kinds of attacks, we will also discuss and explain how to find them and methods to mitigate and prevent them.
19:30 - 20:00: Behind enemy hooks: What AV really does to your apps - Yarden Shafir, Software Engineer at CrowdStrike
Abstract: We've all seen 3rd-party Windows-based anti-virus products install DLLs into all running processes, leading to any number of issues for IT staff, administrators, and even users trying to get by with their life. Why do vendors do this, and what are the risks, side-effects, and outright bugs that these products instil on your applications?
This talk will go over a few war stories from a veteran of the AV industry in all sorts of "case of" stories on how application compatibility, OS mitigations and hooks hooking hooks have caused grief and strife for customers. With Microsoft locking down the OS in a style similar to iOS, as well as the new "Windows 10X" and ARM64, you'll also learn about what's likely going to be replacing this approach in future products.

The event will be in Hebrew
- OWASP Meetup June 2019
Save the date! We will have our quarterly OWASP Israel meetup at the Imperva office in Tel Aviv.

Agenda:
17:30 - 18:00: Gathering and Networking
18:00 - 18:45: Troy Hunt - 'Rise of the Breaches'
Data breaches are the new normal. We've created ecosystems with so many moving parts and so many complex units, it's little wonder that we so frequently see them go wrong. A combination of more systems, more people, more devices and more ways than ever of producing and publishing data stack the odds in favour of attackers breaching more systems than ever. In this talk we'll get a look inside the world of data breaches based on Troy's experiences dealing with billions of breached records. We'll see what's motivating hackers, how they're gaining access to data and how organisations are dealing with the aftermath of attacks. Most importantly, it will help you contextualise these incidents and understand both what these attacks actually look like and how to defend against them in your organisation.
18:45 - 19:00: Coffee Break
19:00 - 19:30: Lior Mazor - SDLC in Agile and DevOps development - Case Study
  - Waterfall vs. Agile and DevOps development
  - Secure Software Development Life Cycle (S-SDLC)
  - S-SDLC journey - Case Study
19:30 - 20:00: Yury Geiler - How account takeover botnets outsmart traditional security controls
Account Takeover (ATO) describes a scenario in which an account is accessed by someone other than its legitimate owner, usually for malicious purposes. Although the risk is not new, it is still considered one of the top risks causing financial loss for corporates and individuals alike today. One of the reasons for this grim reality is that businesses rely on outdated detection methods like static security rules, rate limiting and bot protection. While these methods work well on technical attacks like SQL injection or cross-site scripting, they are less effective against business logic attacks such as ATO. These methods can be easily bypassed, as today's ATO attackers use advanced tools and botnets that allow them to operate at a slow, steady rate, impersonate legitimate clients and morph the attack when needed. In this meetup I'll present real-life botnets that we've exposed and the methods that we used to do that.

The event will be in English
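The point the ATO abstract makes, that a per-IP rate limit is blind to a botnet spreading a few attempts per IP over time while an account-centric view is not, as an added example (written for this page, not the speaker's material). The login events are constructed, the IP ranges are documentation addresses, and the thresholds (10 failures per minute, 5 source IPs per account, 3 accounts per IP) are illustrative assumptions.

```python
"""Per-IP rate limiting versus account-centric ATO detection (added example).

Events and thresholds are constructed for the demo; they are not real traffic.
"""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple


@dataclass(frozen=True)
class LoginEvent:
    ts: int      # seconds since the start of the observation window
    ip: str
    user: str
    ok: bool


def per_ip_rate_limit(events: List[LoginEvent], max_failures: int = 10, window: int = 60) -> Set[str]:
    """Classic control: flag an IP with more than `max_failures` failed logins in any `window` seconds."""
    stamps_by_ip: Dict[str, List[int]] = defaultdict(list)
    for e in events:
        if not e.ok:
            stamps_by_ip[e.ip].append(e.ts)
    flagged: Set[str] = set()
    for ip, stamps in stamps_by_ip.items():
        stamps.sort()
        lo = 0
        for hi, t in enumerate(stamps):
            while t - stamps[lo] > window:   # slide the window's left edge
                lo += 1
            if hi - lo + 1 > max_failures:
                flagged.add(ip)
                break
    return flagged


def account_centric_detector(events: List[LoginEvent], min_ips: int = 5,
                             min_users: int = 3) -> Tuple[Set[str], Set[str]]:
    """Two signals that survive a slow, distributed botnet:
    - an account failing from at least `min_ips` distinct IPs (targeted account);
    - an IP failing against at least `min_users` distinct accounts (credential-stuffing shape)."""
    ips_per_user: Dict[str, Set[str]] = defaultdict(set)
    users_per_ip: Dict[str, Set[str]] = defaultdict(set)
    for e in events:
        if not e.ok:
            ips_per_user[e.user].add(e.ip)
            users_per_ip[e.ip].add(e.user)
    targeted = {u for u, ips in ips_per_user.items() if len(ips) >= min_ips}
    stuffing_ips = {ip for ip, users in users_per_ip.items() if len(users) >= min_users}
    return targeted, stuffing_ips


TARGET_ACCOUNTS = [f"user{n}" for n in range(8)]   # constructed victim list


def build_sample_events() -> List[LoginEvent]:
    """Constructed one-hour log: legitimate traffic, one noisy brute force, one quiet botnet."""
    ev = [
        LoginEvent(5, "203.0.113.10", "alice", True),     # normal login
        LoginEvent(40, "198.51.100.7", "bob", False),     # two typos, then success
        LoginEvent(55, "198.51.100.7", "bob", False),
        LoginEvent(70, "198.51.100.7", "bob", True),
    ]
    # Noisy single-source brute force: 15 failures against one account in 30 seconds.
    ev += [LoginEvent(1000 + 2 * n, "192.0.2.99", "carol", False) for n in range(15)]
    # Low-and-slow botnet: 20 IPs, each trying 4 different stolen credentials
    # spaced 10 minutes apart, so no IP ever exceeds 4 failures per hour.
    for i in range(20):
        ip = f"192.0.2.{i + 1}"
        for k in range(4):
            ev.append(LoginEvent(i * 37 + k * 600, ip, TARGET_ACCOUNTS[(i + k) % 8], False))
    return sorted(ev, key=lambda e: e.ts)


if __name__ == "__main__":
    events = build_sample_events()
    print("rate limit flags:", per_ip_rate_limit(events))
    accounts, ips = account_centric_detector(events)
    print("targeted accounts:", sorted(accounts))
    print("stuffing IPs:", len(ips))
```

The rate limit catches only the single noisy source; the 20 botnet IPs never exceed four failures each and pass untouched. Aggregating failures per account across sources, and distinct accounts per source, exposes all eight targeted accounts and all twenty bots while leaving the user who mistyped a password alone. The two controls are complementary, which is why replacing one with the other is not the fix.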
- Global AppSec Tel Aviv
Make sure to sign up at https://telaviv.appsecglobal.org/registration/registration-locals

The OWASP Israel chapter will be hosting OWASP Global AppSec Tel Aviv on May 26-30, 2019. https://telaviv.appsecglobal.org/
This is a flagship event for the global OWASP Foundation, and we are expecting hundreds of OWASP leaders and security professionals from across Europe and the rest of the world. It will be a week-long event: 3 days of training and other activities, followed by 2 days of exciting content at the conference! Our theme this year is "AppSec: The Community of Innovation".
Schedule: https://telaviv.appsecglobal.org/program/
Training: https://telaviv.appsecglobal.org/program/trainings
Registration: https://telaviv.appsecglobal.org/registration/registration-locals
- OWASP Meetup February 2019
Save the date! We will have our quarterly OWASP Israel meetup at the PerimeterX office in Tel Aviv.

Agenda:
17:00 - 17:30: Gathering and Networking
17:30 - 18:15: "When Applications & Infrastructure Converge - A Perspective on Istio, the Service Mesh Platform" - Gadi Naor, Alcide CTO
In this session we will dive into Istio, the leading service mesh platform: the security machinery it offers and the role it plays in application security throughout the application delivery lifecycle. We will also peek into how serverless and Istio co-exist.
18:15 - 19:00: "OWASP Serverless Top 10" - Hillel Solow, CTO and Co-founder, Protego Labs
In moving to serverless, we shift some security responsibilities to the infrastructure provider by eliminating the need to manage servers. Unfortunately, that doesn't mean we're entirely absolved of all security duties. Serverless functions still execute code and can still be vulnerable to traditional application-level attacks. As a new type of architecture, serverless presents new security challenges. Some are equal to traditional application development, but some take a new form. In this talk, I will examine how the original Top 10 stack up for serverless apps based on the OWASP Serverless Top 10 project and why they differ from traditional attacks in attack vectors and defense techniques. I will also introduce the Damn Vulnerable Serverless Application (DVSA), a deliberately vulnerable, open-source tool, aiming to be an aid for both security professionals and developers to better understand the implications and processes of serverless security.
19:00 - 19:15: Coffee Break
19:15 - 20:00: "Identity Resolution in Cyber Security" - Shlomo Yona, Founder and Chief Scientist @Mathematic.ai
Resolving an actor's identity is imperative in many online systems. Misunderstanding your actors' identity means that you may be confusing bots with people, mistakenly resolving an individual actor as several different actors, being misled by multiple identities that are actually the same actor, and more. These misunderstandings may well be wreaking havoc in your analytics, whether through wrong visualizations or by introducing noise into your statistical models. We will learn a strategy to mitigate this problem and how it fits into a broader security system.
- OWASP Meetup November 2018
- AppSec Israel 2018
Registration for AppSec Israel is publicly available for the Training day, the Women in AppSec (WIA) event and the Conference day. The number of seats is limited; register at https://2018.appsecil.org/Register
We encourage you all to:
  - Submit your CFP by July 15th - https://www.papercall.io/appsecisrael2018
  - Submit your CFT by July 25th - https://www.papercall.io/appsecisrael2018training
  - Support us by becoming an official conference sponsor - https://2018.appsecil.org/assets/AppSecIL_2018_Sponsorships.pdf
- OWASP Meetup - May 2018
The next OWASP meetup will be hosted at the Soluto offices, Rothschild Blvd 39, Tel Aviv-Yafo, on May 8th at 18:00. As always, attendance is free, but we do need you to register in advance on the meetup page. The DevSecCon conference will be held in Tel Aviv during the meetup week and we will host international guests, therefore the presentations will be in English.

Agenda for the meetup:

Title: Pushing Left Like a Boss
Abstract: With incident response and penetration testing currently receiving most of our application security dollars, it would appear that industry has decided to treat the symptom instead of the disease. "Pushing left" refers to starting security earlier in the SDLC; addressing the problem throughout the process. From scanning your code with a vulnerability scanner to red team exercises, developer education programs and bug bounties, this talk will show you how to 'push left', like a boss.
Tanya Janca - Bio: Tanya Janca is a senior cloud advocate for Microsoft, specializing in application security; evangelizing software security and advocating for developers through public speaking, her open source project OWASP DevSlop, and various forms of teaching via workshops, blogs and community events. As an ethical hacker, OWASP Project and Chapter Leader, software developer, effective altruist and professional computer geek of 20+ years, she is a person who is truly fascinated by the 'science' of computer science.

Title: Crypto-mining: The New Force Behind Remote Code Execution Attacks
Abstract: Remote Code Execution (RCE) attacks involving crypto-mining are gaining momentum. They've become attackers' new favorite way to exploit vulnerabilities in web application source code and are prevalent in over 88% of all RCE attacks. In this talk we will investigate the methods attackers are using to infect with crypto-mining malware, specifically how they exploit RCE and insecure deserialization vulnerabilities in order to launch their attacks. We will analyze malicious crypto-mining scripts and see how the attackers make money by tracing their actual crypto wallets and mining pools. We will also explain why, although there is a surge in crypto-mining attacks, we have not seen any Bitcoin mining, only mining of other cryptocurrencies.
Gilad Yehudai - Bio: Gilad Yehudai is an algorithm developer and security researcher within Imperva's research group. Gilad develops algorithms and solutions using machine learning, and also researches new security threats and vulnerabilities. Gilad holds both a bachelor's degree and a master's degree in mathematics from Tel Aviv University.
Natan Elul - Bio: Natan Elul is a security researcher within Imperva's research group. Natan researches new security threats and vulnerabilities and develops research infrastructure for vulnerability assessment and malware analysis. Natan holds both a bachelor's degree and a master's degree in Computer Science from Ben Gurion University.
- OWASP Israel + Defcon Israel Joint Meetup
- All Day DevOps 2017
On October 24th, OWASP Israel will be supporting the Live Online All Day DevOps (http://www.alldaydevops.com/) Conference. This is a 24 hour event with 5 simultaneous tracks, delivering 96 sessions and 4 keynotes in 38 time zones. Session tracks include Automated Security, CI/CD, Modern Infrastructure, DevOps in Government, and the Tech Crawl, where companies will take you behind the scenes of their DevOps working environments. Featured speakers include Gene Kim, John Willis, Dave Farley, Patrick Dubois, James Wickett, Shannon Lietz, Damon Edwards, and Jez Humble. Registration is free (https://www.alldaydevops.com/all-day-devops-2017-register-now). Full details are located at AllDayDevOps.com (https://www.alldaydevops.com/) or watch this 40 second video (https://www.youtube.com/watch?v=ZXnRxptwcTE) to see what it’s all about.