• OWASP Meetup December 2020

    Online event

    Our quarterly OWASP Israel meetup will be virtual again! bring your own Pizza & Beer ;) We are excited to welcome a special guest speaker from overseas as well as two great talks from some of our local talent! Agenda: ---------------------- 17:45 - 17:55 Virtual Gathering ---------------------- 18:00 - 18:40 Enforcing Code & Security Standards with Semgrep Clint Gilber - Head of Security Research @ R2C In this talk, we’ll present Semgrep (https://semgrep.dev), an open source, lightweight static analysis tool. It's like a code-aware grep, enabling you to easily search for complicated code patterns without writing painful abstract syntax tree (AST) visitors or using heavyweight, expensive, proprietary traditional SAST tools. We’ll demo how to easily write custom Semgrep rules tailored to your specific code base, and how to get continuous security coverage in CI in a just a few minutes. ---------------------- 18:40 - 19:20 Kubernetes and Nginx - Crunchy Exterior, Soft Interior Kfir Tal - CyberOps Consultant @ Cilynx The saying on Kubernetes is “It has a Crunchy exterior and a Soft interior”. It's hard to get in but once an attacker is inside without the proper configurations an attacker can reach their goal relative quickly. There are many common misconfigurations or default configurations which can make a cluster vulnerable. One of the common issues is when deploying a pod containing Ngnix, it's common to grant the pod excessive privileges “Just In Case”, it’s so common it was mentioned in 2020 BlackHat. In this talk we will go through what happens when a attacker meets a pod with excessive privileges and what can be done to prevent this kind of event in the future. ---------------------- 19:20 - 20:00 A one-step way to protect against XXE Anat Mazar - Senior Developer and Security Champion @ Tufin Michael Furman - Lead Security Architect @ Tufin XML External Entities (XXE) is a dangerous vulnerability, currently ranked fourth (A4) in the OWASP Top Ten. Resolving this vulnerability should be a high priority for all developers. In this session, we will: - Demonstrate why XXE is so dangerous - Show you how this vulnerability is typically resolved in Java - in each and every place in the code that you parse an XML file - Show you the ultimate resolution in Java – set a couple of system properties once. Be the first on your team to learn about this solution, which is not even listed in the OWASP cheat sheet yet! ----------------------