AppSec IL 2020 has ended
Welcome to Virtual AppSec Israel 2020!


Wednesday, October 28

09:30 IST

Hacking AWS Account Under the Radar
Zoom link: https://zoom.us/j/94644636569
Many businesses are still struggling to understand the Least Privilege principle in the cloud. In this talk, I will present a sophisticated way to stay under the radar while escalating privileges which could lead to sensitive data exfiltration and sometimes to a total account takeover!


Lior Sonntag

Security Researcher, Check Point
Lior Sonntag is a security researcher at Check Point CloudGuard. Lior's main focus domains are researching and analyzing cloud traffic and behaviors, writing signatures, detection methods and policies for identifying and securing cloud workloads, and monitoring and adjusting detections based…

Wednesday October 28, 2020 09:30 - 10:15 IST
Track A

10:00 IST

Security Facts and Fallacies about Browser Storage
Zoom link:  https://zoom.us/j/91379563987
What if I told you that your data stored in the browser memory are still retrievable with an XSS? Let's talk about the different browser storage options with their (in)securities and discuss what it takes to build an in-memory storage solution resistant to XSS.


Eva Sarafianou

Senior Product Security Engineer 2, Auth0
Eva Sarafianou is a Senior Product Security Engineer at Auth0, an identity platform for application builders, a member of the Node.js Security Ecosystem Working Group and a member of the Vulnerability Disclosures Working Group of the Open Source Security Foundation. At Auth0 Eva…

Wednesday October 28, 2020 10:00 - 10:45 IST
Track B

10:30 IST

Using OWASP Nettacker For Recon and Vulnerability Scanning
Zoom link: https://zoom.us/j/94644636569
This talk is about the OWASP Nettacker Project, one of OWASP's "Unsung Hero" projects. Nettacker is a little-known yet awesome and powerful 'swiss-army-knife' type tool for information gathering and vulnerability scanning, fully written in Python. Featuring a live demo and practical usage examples.


Sam Stepanyan

OWASP London Chapter Leader, OWASP London
@securestep9 on Twitter. Sam Stepanyan is an OWASP London Chapter Leader and an Independent Application Security Consultant with over 20 years of experience in the IT industry, with a background in software engineering and web application development. Sam has worked for various financial…

Wednesday October 28, 2020 10:30 - 11:15 IST
Track A

11:00 IST

Use the OWASP Threat Modeling Playbook to Improve your Product Security
Zoom link: https://zoom.us/j/91379563987
We pulled together our threat modeling vision and strategy with OWASP best practices to create a ‘Threat modeling playbook’. The playbook shows you how to turn threat modeling into an established, reliable practice for your teams. We released this OWASP project for everyone to use and improve upon.


Sebastien Deleersnyder

Seba is co-founder and CEO of Toreon. He started the Belgian OWASP chapter, co-leads the OWASP SAMM project, and co-founded the yearly BruCON conference. With a background in development and many years of experience in security, Seba has trained countless developers to create more…

Wednesday October 28, 2020 11:00 - 11:45 IST
Track B

11:30 IST

Building Products with Privacy and Trust as a Baseline
Zoom link: https://zoom.us/j/94644636569
Tim Berners-Lee recently published his Contract for the Web with a core principle stating we must "Respect consumers’ privacy and personal data so people are in control of their lives online."

Noble's talk explores tactical approaches to be good stewards of data through software.


Wednesday October 28, 2020 11:30 - 12:15 IST
Track A

12:00 IST

Architect of threat landscape: How to secure your microservice-based system
Zoom link: https://zoom.us/j/91379563987
The presentation focuses on securing microservice-based applications. Based on our experience, we present an approach to collect application architecture information and use it to secure an application. Our research results were also contributed to the OWASP community.


Alexander Barabanov

Principal Security Architect, Advanced Software Technology Lab, Huawei
Ph.D. in Computer Science, CISSP, CSSLP. Over ten years of working experience in IT security evaluation and application security. Current position is a Principal Security Engineer at Advanced Software Technology Lab, Huawei. Associate Professor at Bauman Moscow State Technical University…

Wednesday October 28, 2020 12:00 - 12:45 IST
Track B

12:30 IST

OWASP SAMM 2: Your Dynamic Software Security Journey
Zoom link: https://zoom.us/j/94644636569
After three years of preparation, the project team delivered version 2.0 of SAMM (Software Assurance Maturity Model), a flagship project used by many organizations worldwide. The talk will explain how it can help you define and execute a software security strategy tailored to your risk profile.


Daniel Kefer

IT Security, 1&1
Daniel has been working in the application security field for thirteen years. Having started as a penetration tester, he soon bought into the mission of making security a business enabler by guiding product teams through security challenges during the whole lifecycle. He currently…

Wednesday October 28, 2020 12:30 - 13:15 IST
Track A

13:00 IST

Building better security for your API platform using Azure API Management
Zoom link: https://zoom.us/j/91379563987
This session will show how we can use Azure API Management to leverage better security for your APIs. Expect everything around hardening the security of your services, with demos, best practices, and tips and tricks from the field.


Eldert Grootenboer

Speaker, Motion10
Eldert can be described as an Azure MVP, Cloud Solution Architect, blogger, public speaker and technical author. He can regularly be seen at conferences and user groups, speaking on Cloud related topics, with a strong focus on Azure. His experience with the Cloud comes from his daily…

Wednesday October 28, 2020 13:00 - 13:45 IST
Track B

13:30 IST

CSP is broken, let’s fix it
Zoom link: https://zoom.us/j/94644636569
The CSP standard was supposed to improve the security of websites, but like any standard, it needs to evolve to stay relevant. Learn the gaps in CSP and get a checklist to fix these gaps on your site.


Amir Shaked

VP R&D, PerimeterX
Amir Shaked is the VP of research and development at PerimeterX, responsible for building a multi-zone distributed system that detects and mitigates automated attacks on websites in real time. Before that, he led several software engineering groups in the Israeli Prime Minister's Office…

Wednesday October 28, 2020 13:30 - 14:15 IST
Track A

14:00 IST

Find bugs faster with fuzzing
Zoom link: https://zoom.us/j/91379563987
If done properly, fuzzing can help you find vulnerabilities quickly and efficiently. This talk will show you how to do just that: find bugs fast!


Alper Basaran

Chief Hacking Officer, Sparta Bilisim
I'm working as a penetration tester and cybersecurity consultant. I like coffee and hummus.

Wednesday October 28, 2020 14:00 - 14:45 IST
Track B

14:30 IST

Dev, Sec, Oops: How Agile Security increases Attack Surface
Zoom link: https://zoom.us/j/94644636569
In today's reality, security engineers are the guards of products and their users. But who guards the guards? Based on real scenarios of supply chain attacks, we'll demonstrate the weakest points of the "Agile Security" paradigm and redefine the Code of Conduct for Security Engineers.


Wednesday October 28, 2020 14:30 - 15:15 IST
Track A

15:30 IST

GraphQL APIs from bug hunter's perspective
Zoom link: https://zoom.us/j/94644636569
In this talk we'll look at practical techniques for finding vulnerabilities in GraphQL APIs, as well as specific tools that make this process easier for researchers, including one private tool from the speaker (it'll be open sourced).


Nikita Stupin

Security Researcher, Huawei

Wednesday October 28, 2020 15:30 - 16:15 IST
Track A

16:00 IST

Learn race conditions in web apps with OWASP TimeGap Theory
Zoom link: https://zoom.us/j/91379563987
Race conditions in web applications. They are hard to find and more challenging to exploit. OWASP TimeGap Theory is a free and open-source CTF for learning how-to-find and how-to-exploit race conditions.

You will get tools, tips, and tricks to find and exploit TOCTOU issues.


Abhi Balakrishnan

Security Consultant, Security Compass

Wednesday October 28, 2020 16:00 - 16:45 IST
Track B

16:30 IST

Tag soup – food for mXSS
Zoom link: https://zoom.us/j/94644636569
Mutation-based XSS attacks are nurtured by tag soup. What is tag soup? How does it affect the attack surface, what do sanitizers do and what don't they do, and is mutation XSS reflected XSS or stored XSS?


Or Sahar

Application Security Researcher, Checkmarx

Wednesday October 28, 2020 16:30 - 17:15 IST
Track A

17:00 IST

Securing Docker runtime with DockerENT
Zoom link: https://zoom.us/j/91379563987
Docker deployments are growing, and so are the threats against them. There are plenty of tools to scan a Docker image, but very few to none that analyze running Docker containers in production without affecting any transaction.
I present an open-source, pluggable Docker runtime security scanning framework and tool.


Rohit Sehgal

Cybersecurity Engineer, VISA
A small town boy and a Security Engineer by passion. OSCP certified, Master's degree from IITK with specialization in System Security and more than 3.5 years of professional security experience, across development of security services, Penetration Testing, DevSecOps, System Security, SSDLC…

Wednesday October 28, 2020 17:00 - 17:45 IST
Track B

17:30 IST

Privacy & prejudice: on privacy threat modeling misconceptions
Zoom link: https://zoom.us/j/94644636569
Privacy by design is important! It however goes beyond the quick fixes that are typically associated with it (e.g. consent for newsletters) and requires a thorough upfront analysis of potential privacy issues in the system.
Time to get the facts straight!


Kim Wuyts

Postdoctoral researcher, imec-DistriNet, KU Leuven
Kim Wuyts is a postdoctoral researcher at the Department of Computer Science at KU Leuven (Belgium). She has more than 10 years of experience in security and privacy in software engineering. Kim is one of the driving forces behind the development and extension of LINDDUN, a privacy-by-design…

Wednesday October 28, 2020 17:30 - 18:15 IST
Track A