OWASP IL Meetup March 2022


Details
These are crazy days in the AppSec domain and ricochets are flying all over! This is a great time for an OWASP IL meetup to enrich your minds with top quality content.
Join us for an exciting event of the local chapter and enjoy mingling, presentations, many treats, and some peace of mind from your daily security hassles!
This event will be hosted at Enso's office in Tel Aviv, alongside treats, drinks and more!
Agenda:
➡️ 18:00 - 18:30 - Gathering and food - We will gather at Enso Security Offices, 1st floor, for drinks, great treats, mingling and a COVID-19-free zone!
➡️ 18:30 - 18:45 - Keynote + Microphone tuning
➡️ 18:45 - 19:15 - Going beyond the SBOM - an Application Stack BOM for modern WebApps
Omer Yaron - Head of Research @ Enso Security
The common perception of software development holds that the source code is the fundamental element of any application. However, as modern applications grow more complex, researchers (like us!) are eager to dive deeper and gain a wider, more comprehensive view of their application stack. Since standard techniques produced a limited and fragmented picture, we set out on a new approach. The presentation will take listeners through an in-depth research process which led us to build a new infrastructure, something beyond the SBOM: a comprehensive, full-scope bill of materials for the entire application stack, the ASBOM.
➡️ 19:15 - 19:45 - The Major CI/CD risks of 2022
Omer Gil - Head of Research @ Cider Security
Daniel Krivelevich - Co-Founder & CTO @ Cider Security
Adversaries of all levels of sophistication are shifting their attention to CI/CD, realizing that CI/CD services provide an efficient path to an organization’s crown jewels. The industry is witnessing a significant rise in the number, frequency and magnitude of incidents and attack vectors that abuse flaws in the CI/CD ecosystem, including SolarWinds, Codecov, the PHP hack, Dependency Confusion and many others.
In this talk we will review the results of our research covering some of today’s most common CI/CD security risks, the technical nature of each risk, and the best practices around detecting and preventing these risks.
➡️ 19:45 - 20:15 - Hacking like in the old days
Gil Cohen - Research Director & Application Security SME @ CYE
and Omri Inbar - Cyber Security Expert @ CYE
Recent technologies such as server-side object-relational mapping (ORM) and client-side JS frameworks are said to eliminate SQL injection and cross-site scripting (XSS) attacks. For the first time in years, injections are no longer at the top of the OWASP Top 10. Are these vulnerabilities still relevant in 2022?
In this lecture we will present some recent examples of good-old-days vulnerabilities from the last 2 years, including advanced SQL injections and XSS, server-side XSS, RCE and server-side template injection, as well as a case study of an advanced concatenation of 6 techniques to bypass a web application firewall.
This marvelous meetup will also be available virtually on Zoom.