AppSec IL 2020 has ended
Welcome to Virtual AppSec Israel 2020!


Training
Tuesday, October 27
 

09:00 IST

Threat Modelling with the OWASP Mobile Top 10
Overview:
Learn how to build a threat model by starting with the OWASP Mobile Top 10, looking at each of the risks in detail, linking them to atomic security attributes and applicable areas, and finally taking the resulting high-level threat model and applying it to an example application.

Attendees will run through the details of the OWASP Mobile Top 10 risks, learning the details and broad implications of each and adapting the list as a whole into an efficient, rapid, and usable threat model for security by design in mobile development. Running through an example application together, attendees will have the opportunity to consider and remediate specific vulnerabilities within an application design, and will leave with a useful threat model which can be further developed and applied to any mobile development design stage.

Agenda (2 hours):
Basics of threat modelling
Turning the OWASP Mobile Top 10 into a usable threat model
Exercise against example design

Prerequisites
Basic familiarity with web or mobile development will be helpful to attendees.



Speakers

James Bore

Director, Bores Security Consultancy Ltd
James Bore (coffee_fueled) has a varied and eclectic background in IT security, with expertise covering a range of industry sectors, organisations and IT disciplines. However, his main passion and focus is on the promotion and improvement of security. When he is not researching security or preaching the v...


Tuesday October 27, 2020 09:00 - 11:00 IST
Track B

09:00 IST

Define and Execute Your Product Security Strategy With OWASP SAMM 2
Overview:
In this hands-on workshop, you will try out OWASP SAMM 2 yourself to better understand how it can help you define the product security strategy for your organization. We will focus on understanding the model, carrying out an assessment and using the gathered data to define a security roadmap.


Agenda (3 hours):

1. Introduction
Motivation for a maturity model
Overview of SAMM
SAMM and other models

2. Performing an Assessment:
Supporting tools
Scope definition
Explanation of the business functions
Hands-on assessment

3. Creating a Roadmap
Economical considerations
Working with stakeholders
Measuring and reporting

4. Success Tips
Leveraging other SAMM resources and OWASP projects
SAMM Benchmarking
Interacting with the SAMM community

Prerequisites:
Internet browser
MS Excel if possible

Speakers

Daniel Kefer

IT Security, 1&1
Daniel has been working in the application security field for thirteen years. Having started as a penetration tester, he soon bought into the mission of making security a business enabler by guiding product teams through security challenges during the whole lifecycle. He currently...


Tuesday October 27, 2020 09:00 - 12:00 IST
Track A

11:15 IST

Android Mobile Hacking Workshop
Overview:
The workshop is the Android (very) short version of a 3-day training that teaches the basics needed to assess the security of Android mobile applications.

Guillaume Lopes (@Guillaume_Lopes) will share many techniques, tips and tricks in a 100% hands-on Android workshop aimed at pentesters, bug bounty researchers, app makers, or anyone who is simply curious. The goals are:
  • Understand Android basics
  • Learn how to use the common tools (adb, apktool, JADX, Frida and Objection) in order to assess Android applications
  • Practice solving the OWASP Android crackmes (Levels 1, 2 and 3)

Agenda:
This 2-hour workshop is divided into 4 main parts:
1. Set up your environment: Presentation of the tools used during this workshop and creation of an Android Virtual Device with Android Studio

2. Resolution of the UnCrackable Level 1:
a) Defeat root detection
  • Using only tampering (aka apktool and your favorite text editor)
  • Using Frida on a rooted device
  • Using Frida on a non-rooted device
  • Using Objection

3. Resolution of the UnCrackable Level 2
a) Defeat root detection
b) Handle native code with Frida

4. Resolution of the UnCrackable Level 3
a) Defeat root detection, anti-hooking and anti-tampering with Frida

Prerequisites:
- Download a specially crafted virtual machine (based on Kali); the link will be emailed *to attendees only* a few days before the workshop.
- A laptop with 30 GB of free space
- Download and install VMware Workstation Player 16 (DO NOT use VirtualBox): https://www.vmware.com/products/workstation-player/workstation-player-evaluation.html


Speakers

Guillaume Lopes

Senior Penetration Tester, RandoriSec
Guillaume Lopes (@Guillaume_Lopes) is a pentester with 10 years of experience in different fields (Active Directory, Windows, Linux, web applications, Wi-Fi, Android). Currently working as a Senior Penetration Tester at RandoriSec and also a member of the Checkmarx Application Security...


Tuesday October 27, 2020 11:15 - 13:15 IST
Track B

13:00 IST

Intro to Hacking Web Applications
Overview:
The vast majority of cyber attacks against a web application are relatively easy to defend against, yet most applications remain vulnerable. In fact, many developers aren’t even aware of how simple these attacks are to execute.

Spoiler alert: it’s really, really easy.

During this day-long workshop we’ll learn a variety of tools (including OWASP ZAP) to hack a vulnerable web application written in Node.js, Express and Angular. We’ll cover a variety of approaches attackers use to exploit web applications: everything from XSS and SQL injection to lots of other hacking tricks.
Be prepared to learn, laugh and cry as we explore security flaws common to most web applications. You’ll leave this workshop with hands-on experience in penetration testing methodology, a deep understanding of the current OWASP best practices, and a broad appreciation for application security.

If you can’t protect your web applications from hackers, who will?

Agenda (3 hours):
  • 0:00 Intro & Broad discussion of Web App technologies (HTML, CSS, JS)
  • 0:15 Tour of Browser DevTools
  • 0:30 Use DevTools to find the easter eggs in OWASP Cyber Scavenger Hunt
  • 0:45 Browser extensions to help us enumerate Web App technologies
  • 1:00 Introduction of OWASP Juice Shop
  • 1:15 Using DevTools to find the Juice Shop “scoreboard”
  • 1:30 Solving some Juice Shop challenges
  • 2:00 Introduction of OWASP ZAP
  • 2:00 Enumerating the Juice Shop application with ZAP
  • 2:30 Advanced ZAP features
  • 3:00 End

Prerequisites:
Instance of OWASP Juice Shop (locally or via Heroku)
Install OWASP ZAP
Install Firefox or Chrome
Permissions to install browser extensions



Speakers

Arthur Kay

Principal Software Engineer, Cox Automotive
With nearly 20 years of engineering, operations and cybersecurity experience, Arthur Kay offers an extraordinary set of leadership skills and technical expertise to develop meaningful products and high-performing teams. Arthur is a successful entrepreneur, technology professional...


Tuesday October 27, 2020 13:00 - 16:00 IST
Track A

14:15 IST

iOS Mobile Hacking Workshop
Overview:
The workshop is the iOS (very) short version of a 3-day training that teaches the basics needed to assess the security of iOS mobile applications.

Davy Douhine (ddouhine) will share many techniques, tips and tricks in a 100% hands-on iOS workshop aimed at pentesters, bug bounty researchers, app makers, or anyone who is simply curious. The goals are:
  • Understand iOS basics and the OWASP Mobile Security Testing Guide
  • Learn how to use the common tools (Cydia Impactor, Hopper, rvictl, rvi_capture, Frida and Objection) in order to assess iOS applications
  • Practice solving iGoat and DVIA challenges

Agenda:
This 2-hour workshop is divided into 4 main parts:
  1. OWASP Mobile Security Testing Guide project:
    1. The Guide
    2. The Standard
    3. The Checklist
    4. The TOP10
  2. Set up your environment: Presentation of the tools used during this workshop
  3. Practical exercises
    1. Static Analysis (2 labs)
    2. Data Security (3 labs)
    3. Execution Analysis (2 labs)
    4. Transport Security (1 lab)

Prerequisites:
- If possible, an iOS device.
- Download a specially crafted virtual machine (based on Kali); the link will be emailed *to attendees only* a few days before the workshop.
- A laptop with 30 GB of free space
- Download and install VMware Workstation Player 16 (DO NOT use VirtualBox): https://www.vmware.com/products/workstation-player/workstation-player-evaluation.html



Speakers

Davy Douhine

Founder of RandoriSec (https://randorisec.fr/), a security-focused IT firm, Davy has been working in the IT security field for almost fifteen years. He has mainly worked for financial, banking and defense key accounts, doing pentests and trainings to help them improve their security. He enjoys...


Tuesday October 27, 2020 14:15 - 16:15 IST
Track B