OWASP Meetup November 2019

Hosted By
Ori T.
Details

Our quarterly OWASP Israel meetup, at the Akamai office in Tel Aviv.
This time it is held together with DevSecCon!

Agenda:
17:30 - 18:15: Gathering and Networking

18:15 - 18:20: Opening words (Ori Troyna, OWASP co-lead)

18:20 - 18:50: What’s new in the ASVS 4.0
Josh Grossman - Head of Security Services, AppSec Labs

OWASP’s Application Security Verification Standard (ASVS) is one of the few comprehensive guides to security requirements for applications. The 4.0 version, released in March 2019, represents a significant update with many new features as well as structural changes. In this talk, Josh, one of the project co-leaders, will go through what the ASVS is, how it is put together and how it can help you achieve more secure applications.

18:50 - 19:20: At Your Service - Abusing the Service Workers Web API
Daniel Abeles, Shay Shavit - Senior Security Researcher, Akamai.

The Service Workers API is a modern web API that grants web developers advanced capabilities, such as acting as a proxy server, intercepting network requests and improving offline experience as a background service.

In this talk we will cover new and emerging web-based attacks that (ab)use the Service Worker web API. We will cover and demonstrate the attack flow where a potential attacker can amplify and persist his foothold on the client and exfiltrate sensitive information by abusing the service worker API.

Along with showcasing these kinds of attacks, we will also discuss and explain how to find them and methods to mitigate and prevent them.

19:30 - 20:00: Behind enemy hooks: What AV really does to your apps
Yarden Shafir - Software Engineer at CrowdStrike

Abstract: We've all seen third-party Windows-based anti-virus products install DLLs into all running processes, leading to any number of issues for IT staff, administrators, and even users trying to get on with their lives. Why do vendors do this, and what are the risks, side-effects, and outright bugs that these products inflict on your applications? This talk will go over a few war stories from a veteran of the AV industry in all sorts of "case of" stories on how application compatibility, OS mitigations and hooks hooking hooks have caused grief and strife for customers. With Microsoft locking down the OS in a style similar to iOS, as well as the new "Windows 10X" and ARM64, you'll also learn about what's likely going to be replacing this approach in future products.

The event will be in Hebrew.

OWASP Israel Chapter
Akamai Israel Ltd.
Totseret ha-Arets St 8 · Tel Aviv-Yafo