AppSec IL 2020 has ended
Welcome to Virtual AppSec Israel 2020!


Tuesday, October 27
 

09:00 IST

Threat Modelling with the OWASP Mobile Top 10
Overview:
Learn how to build a threat model by starting with the OWASP Mobile Top 10, looking at each of the risks in detail, linking them to atomic security attributes and applicable areas, and finally taking the final high level threat model and applying it to an example application.

Attendees will run through the details of the OWASP Mobile Top 10 risks, learning the details and broad implications of each and adapting the list as a whole into an efficient, rapid, and usable threat model for security by design in mobile development. Running through an example application together, attendees will have the opportunity to consider and remediate specific vulnerabilities within an application design, and will leave with a useful threat model which can be further developed and applied to any mobile development design stage.

Agenda (2 hours):
Basics of threat modelling
Turning the OWASP Mobile Top 10 into a usable threat model
Exercise against example design

Prerequisites:
Basic familiarity with web or mobile development will be helpful to attendees.



Speakers

James Bore

Director, Bores Security Consultancy Ltd
James Bore (coffee_fueled) has a varied and eclectic background in IT security, with expertise covering a range of industry sectors, organisations and IT disciplines. However, his main passion and focus is on the promotion and improvement of security. When he is not researching security or preaching the v...


Tuesday October 27, 2020 09:00 - 11:00 IST
Track B

09:00 IST

Define and Execute Your Product Security Strategy With OWASP SAMM 2
Overview:
In this hands-on workshop, you will try out OWASP SAMM 2 yourself to better understand how it can help you define the product security strategy for your organization. We will focus on understanding the model, carrying out an assessment and using the gathered data to define a security roadmap.


Agenda (3 hours):

1. Introduction
Motivation for a maturity model
Overview of SAMM
SAMM and other models

2. Performing an Assessment
Supporting tools
Scope definition
Explanation of the business functions
Hands-on assessment

3. Creating a Roadmap
Economic considerations
Working with stakeholders
Measuring and reporting

4. Success Tips
Leveraging other SAMM resources and OWASP projects
SAMM Benchmarking
Interacting with the SAMM community

Prerequisites:
Internet browser
MS Excel if possible

Speakers

Daniel Kefer

IT Security, 1&1
Daniel has been working in the application security field for thirteen years. Having started as a penetration tester, he soon bought into the mission of making security a business enabler by guiding product teams through security challenges during the whole lifecycle. He currently...


Tuesday October 27, 2020 09:00 - 12:00 IST
Track A

11:15 IST

Android Mobile Hacking Workshop
Overview:
The workshop is the Android (very) short version of a 3-day training dedicated to learning the basics needed to assess the security of Android mobile applications.

Guillaume Lopes (@Guillaume_Lopes) will share many techniques, tips and tricks with pentesters, bug bounty researchers, app makers or anyone just curious, in a 100% hands-on Android workshop. The goals are:
  • Understand Android basics
  • Learn how to use the common tools (adb, apktool, JADX, Frida and Objection) in order to assess Android applications
  • Practice on how to resolve the OWASP Android crackmes (Levels 1, 2 and 3)

Agenda:
This 2-hour workshop is divided into 4 main parts:
1. Setup your environment: Presentation of the tools used during this workshop and creation of an Android Virtual Device with Android Studio

2. Resolution of the UnCrackable Level 1:
a) Defeat root detection
  • Using only tampering (aka apktool and your favorite text editor)
  • Using Frida on a rooted device
  • Using Frida on a non-rooted device
  • Using Objection

3. Resolution of the UnCrackable Level 2
a) Defeat root detection
b) Handle native code with Frida

4. Resolution of the UnCrackable Level 3
a) Defeat root detection, anti-hooking and anti-tampering with Frida

Prerequisites:
- Download a specially crafted Virtual Machine (based on Kali); the link will be emailed *to attendees only* a few days before the workshop.
- A laptop with 30 GB of free space is needed.
- Download and install VMware Workstation Player 16 (DO NOT use VirtualBox): https://www.vmware.com/products/workstation-player/workstation-player-evaluation.html


Speakers

Guillaume Lopes

Senior Penetration Tester, RandoriSec
Guillaume Lopes (@Guillaume_Lopes) is a pentester with 10 years of experience in different fields (Active Directory, Windows, Linux, Web applications, Wifi, Android). Currently working as a Senior Penetration Tester at RandoriSec and also member of the Checkmarx Application Security...


Tuesday October 27, 2020 11:15 - 13:15 IST
Track B

13:00 IST

Intro to Hacking Web Applications
Overview:
The vast majority of cyber attacks against a web application are relatively easy to defend against – yet most applications remain vulnerable. In fact, many developers aren’t even aware of how simple these attacks are to execute.

Spoiler alert: it’s really, really easy.

During this day-long workshop we’ll learn a variety of tools (including OWASP ZAP) to hack a vulnerable web application written in Node.js, Express and Angular. We’ll cover a variety of approaches to how attackers exploit web applications: everything from XSS and SQL injection to lots of other hacking tricks.
Be prepared to learn, laugh and cry as we explore security flaws common to most web applications. You’ll leave this workshop with hands-on experience in penetration testing methodology, a deep understanding of the current OWASP best practices, and a broad appreciation for application security.

If you can’t protect your web applications from hackers, who will?

Agenda (3 hours):
  • 0:00 Intro & Broad discussion of Web App technologies (HTML, CSS, JS)
  • 0:15 Tour of Browser DevTools
  • 0:30 Use DevTools to find the easter eggs in OWASP Cyber Scavenger Hunt
  • 0:45 Browser extensions to help us enumerate Web App technologies
  • 1:00 Introduction of OWASP Juice Shop
  • 1:15 Using DevTools to find the Juice Shop “scoreboard”
  • 1:30 Solving some Juice Shop challenges
  • 2:00 Introduction of OWASP ZAP
  • 2:00 Enumerating the Juice Shop application with ZAP
  • 2:30 Advanced ZAP features
  • 3:00 End

Prerequisites:
Instance of OWASP Juice Shop (locally or via Heroku)
Install OWASP ZAP
Install Firefox or Chrome
Permissions to Install Browser extensions



Speakers

Arthur Kay

Principal Software Engineer, Cox Automotive
With nearly 20 years of engineering, operations and cybersecurity experience, Arthur Kay offers an extraordinary set of leadership skills and technical expertise to develop meaningful products and high-performing teams. Arthur is a successful entrepreneur, technology professional...


Tuesday October 27, 2020 13:00 - 16:00 IST
Track A

14:15 IST

iOS Mobile Hacking Workshop
Overview:
The workshop is the iOS (very) short version of a 3-day training dedicated to learning the basics needed to assess the security of iOS mobile applications.

Davy Douhine (ddouhine) will share many techniques, tips and tricks with pentesters, bug bounty researchers, app makers or anyone just curious, in a 100% hands-on iOS workshop. The goals are:
  • Understand iOS basics and the OWASP Mobile Security Testing Guide
  • Learn how to use the common tools (Cydia Impactor, Hopper, rvictl, rvi_capture, Frida and Objection) in order to assess iOS applications
  • Practice on how to resolve iGoat and DVIA challenges

Agenda:
This 2-hour workshop is divided into 4 main parts:
  1. OWASP Mobile Security Testing Guide project:
    1. The Guide
    2. The Standard
    3. The Checklist
    4. The TOP10
  2. Setup your environment: Presentation of the tools used during this workshop
  3. Practical exercises
    1. Static Analysis (2 labs)
    2. Data Security (3 labs)
    3. Execution Analysis (2 labs)
    4. Transport Security (1 lab)

Prerequisites:
- If possible, an iOS device.
- Download a specially crafted Virtual Machine (based on Kali); the link will be emailed *to attendees only* a few days before the workshop.
- A laptop with 30 GB of free space is needed.
- Download and install VMware Workstation Player 16 (DO NOT use VirtualBox): https://www.vmware.com/products/workstation-player/workstation-player-evaluation.html



Speakers

Davy Douhine

Founder of RandoriSec (https://randorisec.fr/), a security-focused IT firm, Davy has been working in the itsec field for almost fifteen years. He has mainly worked for financial, banking and defense key accounts, doing pentests and trainings to help them improve their security. He enjoys...


Tuesday October 27, 2020 14:15 - 16:15 IST
Track B
 
Wednesday, October 28
 

09:00 IST

Keynote: Lior Manor the Cyber Mentalist will read your mind!
Zoom link: https://zoom.us/j/94644636569
Lior Manor is a mind reader, mentalist and InfoTainer who used to fly around the world and entertain HighTech and security companies.
Today he's going to read YOUR mind and explain how your brain works, so think only positive thoughts 😉


Wednesday October 28, 2020 09:00 - 09:30 IST
Zoom https://zoom.us/j/94644636569

09:30 IST

Hacking AWS Account Under the Radar
Zoom link: https://zoom.us/j/94644636569
Many businesses are still struggling to understand the Least Privilege principle in the cloud. In this talk, I will present a sophisticated way to stay under the radar while escalating privileges which could lead to sensitive data exfiltration and sometimes to a total account takeover!

Speakers

Lior Sonntag

Security Researcher, Check Point
Lior Sonntag is a security researcher at Check Point CloudGuard. Lior’s main focus domains are researching and analyzing cloud traffic and behaviors, writing signatures, detection methods and policies for identifying and securing cloud workloads, and monitoring and adjusting detections based...


Wednesday October 28, 2020 09:30 - 10:15 IST
Track A

10:00 IST

Security Facts and Fallacies about Browser Storage
Zoom link:  https://zoom.us/j/91379563987
What if I told you that your data stored in the browser memory are still retrievable with an XSS? Let's talk about the different browser storage options with their (in)securities and discuss what it takes to build an in-memory storage solution resistant to XSS.

Speakers

Eva Sarafianou

Senior Product Security Engineer 2, Auth0
Eva Sarafianou is a Senior Product Security Engineer at Auth0 (an identity platform for application builders), a member of the Node.js Security Ecosystem Working Group and a member of the Vulnerability Disclosures Working Group of the Open Source Security Foundation. At Auth0 Eva...


Wednesday October 28, 2020 10:00 - 10:45 IST
Track B

10:30 IST

Using OWASP Nettacker For Recon and Vulnerability Scanning
Zoom link: https://zoom.us/j/94644636569
This talk is about the OWASP Nettacker Project, one of OWASP's "Unsung Hero" projects. Nettacker is a little-known yet awesome and powerful 'swiss-army-knife' type tool for information gathering and vulnerability scanning, fully written in Python. The talk features a live demo and practical usage examples.

Speakers

Sam Stepanyan

OWASP London Chapter Leader, OWASP London
@securestep9 on Twitter. Sam Stepanyan is an OWASP London Chapter Leader and an Independent Application Security Consultant with over 20 years of experience in the IT industry, with a background in software engineering and web application development. Sam has worked for various financial...


Wednesday October 28, 2020 10:30 - 11:15 IST
Track A

11:00 IST

Use the OWASP Threat Modeling Playbook to Improve your Product Security
Zoom link: https://zoom.us/j/91379563987
We pulled together our threat modeling vision and strategy with OWASP best practices to create a ‘Threat modeling playbook’. The playbook shows you how to turn threat modeling into an established, reliable practice for your teams. We released this OWASP project for everyone to use and improve upon.

Speakers

Sebastien Deleersnyder

Seba is co-founder and CEO of Toreon. He started the Belgian OWASP chapter, co-leads the OWASP SAMM project, and co-founded the yearly BruCON conference. With a background in development and many years of experience in security, Seba has trained countless developers to create more...


Wednesday October 28, 2020 11:00 - 11:45 IST
Track B

11:30 IST

Building Products with Privacy and Trust as a Baseline
Zoom link: https://zoom.us/j/94644636569
Tim Berners-Lee recently published his Contract for the Web with a core principle stating we must "Respect consumers’ privacy and personal data so people are in control of their lives online."

Noble's talk explores tactical approaches to be good stewards of data through software.

Wednesday October 28, 2020 11:30 - 12:15 IST
Track A

12:00 IST

Architect of threat landscape: How to secure your microservice-based system
Zoom link: https://zoom.us/j/91379563987
The presentation focuses on securing microservice-based applications. Based on our experience, we present an approach to collect application architecture information and use it to secure an application. Our research results were also contributed to the OWASP community.

Speakers

Alexander Barabanov

Principal Security Architect, Advanced Software Technology Lab, Huawei
Ph.D. in Computer Science, CISSP, CSSLP. Over ten years of working experience in IT security evaluation and application security. Current position is a Principal Security Engineer at Advanced Software Technology Lab, Huawei. Associate Professor at Bauman Moscow State Technical University...


Wednesday October 28, 2020 12:00 - 12:45 IST
Track B

12:30 IST

OWASP SAMM 2: Your Dynamic Software Security Journey
Zoom link: https://zoom.us/j/94644636569
After three years of preparation, the project team delivered version 2.0 of SAMM (Software Assurance Maturity Model), a flagship project used by many organizations worldwide. The talk will explain how it can help you define and execute a software security strategy tailored to your risk profile.

Speakers

Daniel Kefer

IT Security, 1&1
Daniel has been working in the application security field for thirteen years. Having started as a penetration tester, he soon bought into the mission of making security a business enabler by guiding product teams through security challenges during the whole lifecycle. He currently...


Wednesday October 28, 2020 12:30 - 13:15 IST
Track A

13:00 IST

Building better security for your API platform using Azure API Management
Zoom link: https://zoom.us/j/91379563987
This session will show how we can use Azure API Management to leverage better security for your APIs. Expect everything around hardening the security of your services, with demos, best practices, and tips and tricks from the field.

Speakers

Eldert Grootenboer

Speaker, Motion10
Eldert can be described as an Azure MVP, Cloud Solution Architect, blogger, public speaker and technical author. He can regularly be seen at conferences and user groups, speaking on Cloud related topics, with a strong focus on Azure. His experience with the Cloud comes from his daily...


Wednesday October 28, 2020 13:00 - 13:45 IST
Track B

13:30 IST

CSP is broken, let’s fix it
Zoom link: https://zoom.us/j/94644636569
The CSP standard was supposed to improve the security of websites, but like any standard, it needs to evolve to stay relevant. Learn the gaps in CSP and get a checklist to fix these gaps on your site.

Speakers

Amir Shaked

VP R&D, PerimeterX
Amir Shaked is the VP of research and development at PerimeterX, responsible for building a multi-zone distributed system that detects and mitigates automated attacks on websites in real-time. Before that, he led several software engineering groups in the Israeli ministry of prime-minister...


Wednesday October 28, 2020 13:30 - 14:15 IST
Track A

14:00 IST

Find bugs faster with fuzzing
Zoom link: https://zoom.us/j/91379563987
If done properly, fuzzing can help you find vulnerabilities quickly and efficiently. This talk will show you how to do just that: find bugs fast!

Speakers

Alper Basaran

Chief Hacking Officer, Sparta Bilisim
I'm working as a penetration tester and cybersecurity consultant. I like coffee and hummus.


Wednesday October 28, 2020 14:00 - 14:45 IST
Track B

14:30 IST

Dev, Sec, Oops: How Agile Security increases Attack Surface
Zoom link: https://zoom.us/j/94644636569
In today's reality, security engineers are the guards of products and their users. But who guards the guards? Based on real scenarios of supply chain attacks, we'll demonstrate the weakest points of the “Agile Security” paradigm and redefine the Code of Conduct for Security Engineers.

Wednesday October 28, 2020 14:30 - 15:15 IST
Track A

15:00 IST

(SPONSORED - technical usecase) SecDevOps @ Amdocs
Zoom link: https://zoom.us/j/91379563987
As an enterprise company with over 8K developers, Amdocs provides software to the largest telcos and media companies in the world. Navigating between our approach to 'security first' while meeting customer expectations and overall business requirements requires a robust approach to security automation while developing over 80 apps across the company.
The session presents Amdocs' strategy, way of work, success story and ongoing challenges when embedding security within DevOps.


Wednesday October 28, 2020 15:00 - 15:30 IST

15:30 IST

GraphQL APIs from bug hunter's perspective
Zoom link: https://zoom.us/j/94644636569
In this talk we'll look at practical techniques for finding vulnerabilities in GraphQL APIs, as well as specific tools that make this process easier for researchers, including one private tool from the speaker (it'll be open sourced).

Speakers

Nikita Stupin

Security Researcher, Huawei


Wednesday October 28, 2020 15:30 - 16:15 IST
Track A

16:00 IST

Learn race conditions in web apps with OWASP TimeGap Theory
Zoom link: https://zoom.us/j/91379563987
Race conditions in web applications. They are hard to find and more challenging to exploit. OWASP TimeGap Theory is a free and open-source CTF for learning how-to-find and how-to-exploit race conditions.

You will get tools, tips, and tricks to find and exploit TOCTOU issues.

Speakers

Abhi Balakrishnan

Security Consultant, Security Compass


Wednesday October 28, 2020 16:00 - 16:45 IST
Track B

16:30 IST

Tag soup – food for mXSS
Zoom link: https://zoom.us/j/94644636569
Mutation-based XSS attacks are nurtured by tag soup. What is tag soup? How does it affect the attack surface, what do sanitizers do, what don't they do, and is mutation XSS reflected XSS or stored XSS?

Speakers

Or Sahar

Application Security Researcher, Checkmarx


Wednesday October 28, 2020 16:30 - 17:15 IST
Track A

17:00 IST

Securing Docker runtime with DockerENT
Zoom link: https://zoom.us/j/91379563987
Docker deployments are growing, and so are the threats to them. There are plenty of tools to scan a Docker image, but very few to no tools to analyze running Docker containers in production without affecting any transaction.
I present an open-source, pluggable Docker runtime security scanning framework and tool.

Speakers

Rohit Sehgal

Cybersecurity Engineer, VISA
A small town boy and a Security Engineer by passion. OSCP Certified, Masters degree from IITK with specialization in System Security and more than 3.5 years of professional security experience, across Development of security services, Penetration Testing, DevSecOps, System Security, SSDLC...


Wednesday October 28, 2020 17:00 - 17:45 IST
Track B

17:30 IST

Privacy & prejudice: on privacy threat modeling misconceptions
Zoom link: https://zoom.us/j/94644636569
Privacy by design is important! It however goes beyond the quick fixes that are typically associated with it (e.g. consent for newsletters) and requires a thorough upfront analysis of potential privacy issues in the system.
Time to get the facts straight!

Speakers

Kim Wuyts

Postdoctoral researcher, imec-DistriNet, KU Leuven
Kim Wuyts is a postdoctoral researcher at the Department of Computer Science at KU Leuven (Belgium). She has more than 10 years of experience in security and privacy in software engineering. Kim is one of the driving forces behind the development and extension of LINDDUN, a privacy-by-design...


Wednesday October 28, 2020 17:30 - 18:15 IST
Track A

18:10 IST

The Checkmarx AppSec 2020 Summary Quiz+Prize
Zoom link: https://zoom.us/j/94644636569
All OWASPers are welcome to join a Kahoot style summary quiz, organized by OWASP Israel and Checkmarx, which will cover topics discussed at AppSec 2020.
For the quiz, we asked all the conference speakers to provide 1-2 questions which relate to the lectures they gave at the conference. This means everyone had better pay attention to the lectures to get a chance to win a prize (a $200 Amazon gift card).
Registration: please register for the quiz using this link -
https://info.checkmarx.com/owasp-appsec-2020-summary-quiz?utm_source=owasp&utm_medium=referral&utm_campaign=OWASP-AppSec-2020-Summary-Quiz
Special notice: Unfortunately, the speakers, Checkmarx employees, or OWASP Israel organizers, are not allowed to participate.

Checkmarx is the global leader in software security solutions for modern enterprise software development. Checkmarx delivers the industry’s most comprehensive software security platform that unifies with DevOps and provides static and interactive application security testing, SCA and developer AppSec training to reduce and remediate risk from software vulnerabilities. www.checkmarx.com


Wednesday October 28, 2020 18:10 - 18:30 IST

18:30 IST

Keynote: Dave Lewis - Together As One
Zoom link: https://zoom.us/j/94644636569
The year is 2020 and the world is under the immense strain of turmoil. But not all is negative. The positive note is that good things can rise from the ashes. We have to capture the strength of our collective. Democratizing security means that we need to change the way we view security and how it applies to the people we are protecting. Vilifying the users is not going to help as is constant infighting within our own ranks. We have to give up antiquated belief systems that we once held about security and embrace our responsibilities. It’s time for change. We can rise together as one.

Speakers

Dave Lewis

Global Advisory CISO, Duo Security
Dave Lewis has twenty-five years of industry experience. He has extensive experience in IT security operations and management including a decade dealing with critical infrastructure. Lewis is a Global Advisory CISO for Duo Security (now Cisco). He is the founder of the security site...


Wednesday October 28, 2020 18:30 - 19:15 IST