OWASP IL Meetup January 2023

HCxx✡ OWASP IL ✡ is happy to invite you to our new year Meetup!🚀
Join us for another AppSec community event and enjoy food, drinks, mingling, and great talks about security.

The event will be hosted and sponsored by JFrog🐸!
We will also have a raffle for a pair of 2nd Generation Airpods Pro for all of the attendees!

=====================================================================

Agenda:

➡️ 18:00 - 18:30 - Gathering and gorging

➡️ 18:30 - 18:35 - Welcoming remarks & Community announcements

➡️ 18:40 - The Human Bug Bounty - Roy Avrahamy

In this talk, we will discuss the potential benefits and drawbacks of implementing a bug bounty program for human beings. Just like in a traditional bug bounty program, where members of the public can report vulnerabilities in a companies applications, this theoretical program would allow individuals to report weaknesses or flaws in other people. We'll explore the potential for this type of program to help individuals improve themselves and address their personal flaws, as well as the potential drawbacks and ethical problems of implementing such a controversial idea. Throughout the talk, we'll highlight the similarities between this theoretical program and real-world bug bounty programs, offering insights and examples from the world of cyber security.

Roy started as a programmer in the IDF, only to later enter the security world as a penetration tester. For the last 6 years focusing on the AppSec world as an Application Security Engineer in various companies.

➡️ 19:10 - Automated 0-Day Discovery in binaries - Squashing the Low-Hanging Fruit - Shachar Menashe

In past years, publicly available infrastructures such as Ghidra, AFL and Angr have put the "holy grail" of vulnerability research within our grasp: real-world automated 0-day identification, without any reliance on source code and with zero/minimal pre-configuration. After quickly presenting the INFRA:HALT vulnerabilities (affecting HCC embedded TCP/IP stack) and discussing exploitation techniques for the most critical ones from the batch, we will treat them as a case study to present a myriad of contemporary techniques for vulnerability detection by using binary firmware image static analysis. This will include data flow analysis, symbolic execution and standard library function detection through emulation.

Shachar, Sr. Director Security Research
Shachar has more than 15 years of experience in security research & engineering, including low-level R&D, reverse engineering and vulnerability research. He currently leads the security research division in JFrog, specializing in automated vulnerability research techniques.

➡️ 19:40 - Homemade SAST – Using Semgrep Rules for Security Code Scanning - Michal Kamensky

What if you could write regex rules to scan for security flaws in your application, that look just like your code?

That’s exactly what Semgrep is here for!

Semgrep is a free, open-source tool that allows you to find patterns in your code automatically, and with barely any new syntax to learn. In this talk, I will explain the different features of Semgrep, including some of the more advanced and experimental ones.

This talk is based on recent experience working with and evaluating the tool, and encountering some of its challenges. I will also show examples of the different security vulnerabilities you can find with it. Importantly, I will also talk about what its limitations are.

Michal is a security analyst at Bounce Security - a boutique security consultancy, and an undergrad student of computer science and math. In her spare time, she enjoys playing chess, following artistic and rhythmic gymnastics and is the lucky human of a ginger tabby cat named Unix.

This marvelous event will also be available virtually over Zoom:

Join Zoom Meeting
https://us06web.zoom.us/j/87634837139?pwd=blRVSy9GRUNWTC9pcml2N3A2WU43UT09