• OWASP Meetup February 2019

    Perimeterx Office

    Save the date! we will have our quarterly OWASP Israel meetup in PerimeterX office in Tel Aviv. Agenda: 17:00 - 17:30: Gathering and Networking 17:30 - 18:15: "When Applications & Infrastructure Converge - A Perspective on Istio, the Service Mesh Platform", Gadi Naor, Alcide CTO In this session we will dive into Istio - the leading service mesh platform - the security machinery it offers, and the role it plays in application security, throughout the application delivery lifecycle. We will also peek into how serverless and Istio co-exist. 18:15 - 19:00: "OWASP Serverless Top 10", Hillel Solow CTO and Co-founder, Protego Labs In moving to serverless, we shift some security responsibilities to the infrastructure provider by eliminating the need to manage servers. Unfortunately, that doesn’t mean we’re entirely absolved of all security duties. Serverless functions still execute code and can still be vulnerable to traditional application-level attacks. As a new type of architecture, serverless presents new security challenges. Some are equal to traditional application development, but some take a new form. In this talk, I will examine how the original Top 10 stack up for serverless apps based on the OWASP Serverless Top 10 project and why they are different from traditional attacks in attack vectors and defense techniques. I will also introduce the Damn Vulnerable Serverless Application (DVSA), a deliberately vulnerable, open-source tool, aiming to be an aid for both security professionals and developers to better understand the implications and processes of serverless security. 19:00 - 19:15: Coffee Break 19:15 - 20:00: "Identity Resolution in Cyber Security", Shlomo Yona, Founder and Chief Scientist @Mathematic.ai Resolving actor's identity is imperative in many online systems. Misunderstanding of your actors' identity means that you may be confusing bots with people, mistakenly resolving an individual actor as several different other actors, mislead by multiple identities which are actually the same actor and many more. These misunderstandings may well be wreaking havoc in your analytics be it by wrong visualization or by introducing noise to your statistical models. We will learn a strategy to try and mitigate this problem and how this strategy fits into a broader security system.

  • OWASP Meetup November 2018

    Synopsis Offices

    Save the date! we will have our quarterly OWASP Israel meetup in Synopsys office in Herzliya. Agenda: 17:30 - 18:00: Gathering and Networking 18:00 - 18:45: “Scratching the Surface of your CD?” Ofer Maor, Director, Solutions Management, Synopsys Continuous Delivery (CD) introduces a new set of challenges for application security testing, even compared with already fast Continuous Integration (CI) and DevOps methodologies. CD development organization can produce hundreds or even thousands of software updates per day, some of them taking no longer than a few hours from beginning to end. True continuous testing calls for true, inline, continuous security testing, which does not rely on any dedicated testing slots. In this talk we will talk about some of these concepts - how to streamline security testing in the background, how to fit it into modern A/B testing cycles, and how to build an approval process that fits a modern CD workflow, rather than an old security go/no-go approach. 18:45 - 19:30: "Client JavaScript Security - an Oxymoron?" Hadar Blutrich, Source Defense co-founder Your firewall, WAF, source code review, and many other security solutions are focused on your internal servers and their communication with your customer 's browser. 3rd party scripts are hosted on remote servers which are completely outside of your security system's reach and executed on the customer 's browser over which you have no control. Thus, after every layer of your corporate security program has already done its job, the user 's browser is communicating with these remote servers. This means that you have no visibility, management, or control over the behaviors and actions of each 3rd party. Source Defense will discuss preventing JavaScript from accessing data that the JavaScript was not intended to access. 19:30 - 19:45 coffee break 19:45 - 20:30: "Fighting Fraud in the Trenches" Amir Shaked VP R&D PeremiterX Let’s break a native mobile app, bypass the certificate pinning, skip the token validation and build an automated attack to breach accounts, the first step in today’s retail fraud. We'll demo all the attack steps, suggesting mitigation factors, so that you can both take the offense on your apps, and find them before the attackers do.

  • AppSec Israel 2018

    Bar Shira Auditorium, Tel Aviv University

    The registration for AppSec Israel is publicly available for the: Training day, Women in AppSec (WIA) event and Conference day Number of seats is limited, for registration https://2018.appsecil.org/Register We are encouraging you all to: Submit your CFP by July 15th - https://www.papercall.io/appsecisrael2018 Submit your CFT by July 25th - https://www.papercall.io/appsecisrael2018training AND support us by becoming an official conference sponsor - https://2018.appsecil.org/assets/AppSecIL_2018_Sponsorships.pdf

  • OWASP Meetup - May 2018


    The next OWASP meet-up will be hosted on Soluto offices Rothschild Blvd 39, Tel Aviv-Yafo on May 8th 18:00. As always, attendance is free but we do need you to register in advance in the meet-up page - The DevSecCon conference will be held in Tel-Aviv on the meet-up week and we will host international guests therefore the presentation will be in English. Agenda for the meet-up: Title: Pushing Left Like a Boss Abstract: With incident response and penetration testing currently receiving most of our application security dollars, it would appear that industry has decided to treat the symptom instead of the disease. “Pushing left” refers to starting security earlier in the SDLC; addressing the problem throughout the process. From scanning your code with a vulnerability scanner to red team exercises, developer education programs and bug bounties, this talk will show you how to ‘push left', like a boss. Tanya Janca - Bio: Tanya Janca is a senior cloud advocate for Microsoft, specializing in application security; evangelizing software security and advocating for developers through public speaking, her open source project OWASP DevSlop, and various forms of teaching via workshops, blogs and community events. As an ethical hacker, OWASP Project and Chapter Leader, software developer, effective altruist and professional computer geek of 20+ years, she is a person who is truly fascinated by the ‘science’ of computer science. Title: Crypto-mining: The New Force Behind Remote Code Execution Attacks Abstract: Remote Code Execution (RCE) attacks involving crypto-mining are gaining momentum. They've become attackers' new favorite way to exploit vulnerabilities in web application source code and are prevalent in over 88% of all RCE attacks. In this talk we will investigate the methods attackers are using to infect with crypto-mining malwares, specifically how they exploit RCE and insecure deserialization vulnerabilities in order to launch their attacks. We will analyze malicious crypto-mining scripts and see how the attackers make money by tracing their actual crypto wallets and mining pools. We will also explain why although there is a surge in crypto mining attacks, we have not seen any Bitcoin mining, only mining of other crypto currencies. Gilad Yehudai - Bio: Gilad Yehudai is an algorithm developer and security researcher within Imperva’s research group. Gilad develops algorithms and solutions using machine learning algorithms, and also researches new security threats and vulnerabilities. Gilad holds both a bachelor’s degree and a master’s degree in mathematics from Tel Aviv University. Natan Elul - Bio: Natan Elul is a security researcher within Imperva’s research group. Natan researches new security threats and vulnerabilities and develops research infrastructures for vulnerability assessment and malware analysis. Natan holds both a bachelor’s degree and a master’s degree in Computer Science from Ben Gurion University.

  • OWASP Israel + Defcon Israel Joint Meetup


    • What we'll do Agenda: 18:30 - 18:45 networking 18:45 - 19:00 Brief introductions and updates. 19:00 - 19:45 Jumping into Heaven’s Gate - Yarden Shafir 19:45 - 20:30 Breaking obfuscations - Tomer Zait Presentations abstract: Title: Jumping into Heaven’s Gate - Yarden Shafir Abstract: The old days of 32bit applications are long bygone, nowadays most Operating Systems are running in a 64bit environment, requiring 64bit applications. So how can a 64bit Operating System run a 32bit legacy Application? The native 64bit environment cannot directly support the execution of a 32bit Application. 32bit Applications expect several surrounding pillars which help it perform necessary actions, and those no longer exist in a 64bit environment. However, in practice Windows contains many secrets, and one of those secrets is the WoW64 subsystem. The Wow64 Subsystem supplies a natural environment for the legacy 32bit Application and enables anyone to run them on newer 64bit Operating Systems without any trouble. How the subsystem actually does this remains a question to many. Any Application, whatever its type, begins its execution in 64bit mode. The Operating System then relentlessly moves forward to the 32bit world by loading the WoW64 Subsystem, in order to let the 32bit Application execute freely. In this talk we will dive into the WoW64 Subsystem and explain how a 32bit Application performs 64bit (native) system calls. We will also see how it is possible to exploit this mechanism in order to create smarter malware that evade Next-Generation and Previous-Generation AV products and integrates with the Cuckoo Sandbox to “detonate” the user-supplied specimen in a controlled environment to observe active mutex objects and their effects on the malicious program. Title: Breaking obfuscations - Tomer Zait Abstract: During my journey in de-obfuscating malicious scripts, such as JavaScript and PowerShell, I have realized that there is a lack of good one-stop-shop solution. Researchers still perform this tedious task manually while encountering exploit kits, web injects, PowerShell and python post exploitation agents as well as different legitimate JavaScript products. During this Session I will demonstrate working with de-obfuscation tools I created, of-the-shelf tools and how to create similar tools on your own . In addition, I will touch Android de-obfuscation in practice and the obfuscation attack surface each language provides. • What to bring • Important to know

  • All Day DevOps 2017

    A virtual event - no location

    On October 24th, OWASP Israel will be supporting the Live Online All Day DevOps (http://www.alldaydevops.com/) Conference. This is a 24 hour event with 5 simultaneous tracks, delivering 96 sessions and 4 keynotes in 38 time zones. Session tracks include Automated Security, CI/CD, Modern Infrastructure, DevOps in Government, and the Tech Crawl, where companies will take you behind the scenes of their DevOps working environments. Featured speakers include Gene Kim, John Willis, Dave Farley, Patrick Dubois, James Wickett, Shannon Lietz, Damon Edwards, and Jez Humble. Registration is free (https://www.alldaydevops.com/all-day-devops-2017-register-now). Full details are located at AllDayDevOps.com (https://www.alldaydevops.com/) or watch this 40 second video (https://www.youtube.com/watch?v=ZXnRxptwcTE) to see what it’s all about.

  • AppSec Israel 2017 Conference!

    Needs a location

    Details and registration at https://appsecil.org/ . Note this meetup is just a stub, you must register at https://appsecil.org/Register !

  • OWASP Israel June 2017 Chapter Meeting

    Location visible to members

    Agenda: 17:00 – Gathering, food & drinks 17:30 – Opening note 17:45 – Encrypting Data at Scale Gleb Keselman, Development Manager, Intuit Data Protection Services Intuit's internal key management service served, just over a month ago, to encrypt the tax and financial history of more than 30 million American citizens. Overall, this required 2 billion cryptographic operations to encrypt and decrypt application data. Scaling a key management service requires a combination of system-level best practices along with with novel cryptographic solutions. We will discuss how we are able to achieve a high level of security, combined with ease of use for developers and great performance. 18:30 – “…well then, we have an OWASP Top 10 opportunity” Josh Grossman, Comsec Group A couple of months ago the draft 2017 version of the OWASP Top 10 list was released and with it came some surprises and some controversy. Whilst the Top 10 is very widely used, many people do not realise how it is actually produced and what it is based on. When I dug into the process behind it, the picture became even more concerning. In this session, I will explain the basis of the latest Top 10 list, summarise the reaction to the recent release and give my take on what I think should be done next. I will also suggest how we can use the Top 10 list and other OWASP projects to give better application security advice and also how we can contribute back. 19:15 - Coffee Break 19:30 – Cloud Security for Startups - From A to E(xit) Shahar Maor, Information Security Manager, Outbrain Eitan Satmary, Security Architect, Wix Founding a startup is a hard work. The daily roller coaster can exhaust you fast. And on top of that, you need to cope with information security challenges, compliance and tough questions from customers. The Israeli chapter of the Cloud Security Alliance is helping the local startup community cope with those challenges. Over the last couple of years we have identified a gap in the InfoSec knowledge and produced a Best Practices manual, designed for startups that rely on Cloud infrastructure. This talk is a digest of a paper created by the Israeli Chapter of the CSA to help Software-as-a-Service startups (SaaS-SUs) gain and maintain client trust, by building solid security foundations. Link to the paper: https://chapters.cloudsecurityalliance.org/israel/papers/ Map for directions and parking here. (https://drive.google.com/file/d/0BxTR4z9R5DpbLWlvSE90LVlrNFU/view?usp=sharing)

  • OWASP Israel 2017 Chapter Meeting #2

    Location visible to members

    Agenda: 17:00 – Gathering, food & drinks 17:30 – Opening note 17:45 – The Borders are Dissolving – Application Security Crystal Ball Maty Siman, CTO & Founder, Checkmarx Over several years applications have become central to anything we do. Whether web, mobile or even IoT applications, they all control almost every aspect of our daily lives. For that exact same reason they have also become the hacker’s new best friend. But it seems that there is a change happening and it isn’t being discussed as often as it should. Data and financial gain is still considered the end goal but the how is dramatically changing. Join us to try to envision what kind of attacks we will be seeing in the near future, how and who will be taking or dropping responsibility and how modern development practices may benefit attack techniques. 18:30 – Automated security tests using ZAP and Webdriver.io Omer Levi Hevroni, Soluto Webdriver.io is a great framework for writing automation tests for your webapp. With a very small configuration you can easily integrate ZAP`s passive scan into those tests, and upgrade those tests into automated security scanning – by enjoying from all the useful things that ZAP is able to detect. I am going to cover how we did this at Soluto – and as we run everything using Docker containers, it is very easy to reproduce this setup for any webapp with existing Webdriver.io/Selenium tests. 19:15 - Coffee Break 19:30 - WebShell AV signature bypass and identification Gil Cohen, CTO, Comsec Ever wondered how easy or hard it is to trick a signature based defensive product? Ever wanted to bypass such a product to upload your own malicious web-shell file to an attacked web server? This lecture is for you! In a very lightweight, straightforward and eye-opening talk I’m going to show how easy it is to upload a slightly modified version of the famous C99 webshell, to get full control over a web server, and how ineffective are signature based modules of defensive products. I’m also going to show tips on how to identify a web-shell, and present 2 open-source tools that try to do just that.

  • OWASP Israel January 2017 Chapter Meeting

    Location visible to members

    Join us for the first meetup of the year! Agenda: 17:00 – Gathering, Food & drinks 17:30 – Opening Note 17:45 – IP Agnostic Bot Detection Michael Groskop, Director of WAF & R&D Security, Radware Bot-generated attacks targeting web application infrastructure are increasing in both volume and scope. Bots are becoming more sophisticated, leveraging headless browser technologies and use different evasion techniques such as dynamically changing IP addresses. In this presentation we will review the challenges associated with IP agnostic detection of bot generated attacks, the complexity involved in distinguishing the good bots from the bad and the actions application developers can take for better thwarting of such attacks. 18:30 – R U aBLE? - BLE Application Hacking Tal Melamed, Technical Lead, AppSec Labs As IoT devices are increasingly embedded in our every day lives, vulnerabilities have real impact on our digital and physical security. Bluetooth Low Energy (BLE), also known as Bluetooth Smart, is part of Bluetooth 4. Today Bluetooth is the most popular protocol used for interfacing IoT and smart devices, wearables and medical equipment. Like most rising technologies, security is often left out. In this lecture we will demonstrate how to perform penetration-testing for applications communicating with connected-devices over BLE. What equipment, libraries and projects can be used. 19:15 - Coffee Break 19:30 - Should I Trust My Vendor? Yaniv Simsolo, CTO, Palantir Security Modern systems and business models mandate different approaches to security. Sometimes, the business objectives of the vendor override the security objectives that we, the security community, think the product should have. When approaching a complex system design, numerous challenges arise when considering the trust we put on vendors’ hands and vendors’ responsibilities. Similar security challenges exist on the other scale: considering the maturity (or lack thereof) of small scale IoT products. Does the aim sanctify the means? In certain cases, either mal-coding or business practices result in a very poor security of a product or a service. This can get to extreme cases were the vendor outright attacks its own customers. Such was the case for example when I purchased a brand new laptop from a known manufacturer, and was attacked with viruses and malicious business practices software. Indeed, certain vendors are worse than others. In the presentation we will explore notable examples of vendors abusing their customers’ trust and review the (few) mitigation alternatives we may incorporate in our products and systems.