<?xml version="1.0"?>
<feed xmlns="http://www.w3.org/2005/Atom" xml:lang="en">
		<id>https://wiki.owasp.org/api.php?action=feedcontributions&amp;feedformat=atom&amp;user=Avi+Douglen</id>
		<title>OWASP - User contributions [en]</title>
		<link rel="self" type="application/atom+xml" href="https://wiki.owasp.org/api.php?action=feedcontributions&amp;feedformat=atom&amp;user=Avi+Douglen"/>
		<link rel="alternate" type="text/html" href="https://wiki.owasp.org/index.php/Special:Contributions/Avi_Douglen"/>
		<updated>2026-04-22T01:11:02Z</updated>
		<subtitle>User contributions</subtitle>
		<generator>MediaWiki 1.27.2</generator>

	<entry>
		<id>https://wiki.owasp.org/index.php?title=Israel&amp;diff=254546</id>
		<title>Israel</title>
		<link rel="alternate" type="text/html" href="https://wiki.owasp.org/index.php?title=Israel&amp;diff=254546"/>
				<updated>2019-09-05T10:22:41Z</updated>
		
		<summary type="html">&lt;p&gt;Avi Douglen: /* The Team */&lt;/p&gt;
&lt;hr /&gt;
&lt;div&gt;[[Category:OWASP_Chapter]]&lt;br /&gt;
[[image:Owasp_Israel_logo.png|center|500px]]&lt;br /&gt;
__NOTOC__ &amp;lt;!-- This removes the Table Of Contents on this page --&amp;gt;&lt;br /&gt;
&amp;lt;!-- Any = Heading 1 = markup will create a new tab until after the &amp;lt;/headertabs&amp;gt; --&amp;gt;&lt;br /&gt;
&amp;lt;!-- 1st Tab start --&amp;gt;&lt;br /&gt;
= Welcome =&lt;br /&gt;
&lt;br /&gt;
{{Chapter Template|chaptername=Israel|extra=&amp;lt;br&amp;gt;|mailinglistsite=http://lists.owasp.org/mailman/listinfo/owasp-israel|emailarchives=http://lists.owasp.org/pipermail/owasp-israel}}&lt;br /&gt;
&amp;lt;!-- 1st Tab end --&amp;gt;&lt;br /&gt;
&lt;br /&gt;
&amp;lt;!-- 2nd Tab start --&amp;gt;&lt;br /&gt;
&lt;br /&gt;
= Chapter Details =&lt;br /&gt;
== The Team ==&lt;br /&gt;
&lt;br /&gt;
* Chapter Co-Chairs: '''[mailto:shira.shamban@owasp.org Shira Shamban]''' and '''[mailto:ori.troyna@owasp.org Ori Troyna]'''&lt;br /&gt;
&lt;br /&gt;
* Chapter Leaders:  '''[mailto:shira.shamban@owasp.org Shira Shamban]''', '''[mailto:ori.troyna@owasp.org Ori Troyna]''' and '''[mailto:avi.douglen@owasp.org Avi Douglen]''' &lt;br /&gt;
* Chapter Board:  '''[mailto:or.katz@owasp.org Or Katz]''', '''[[User:YossiOren|Dr. Yossi Oren]]''', '''Josh Grossman''', '''[mailto:Ofer.maor@owasp.org Ofer Maor]'''&lt;br /&gt;
* Chapter Founder: '''[mailto:ofer@shezaf.com Ofer Shezaf]'''&lt;br /&gt;
* [[OWASP_Top10_Hebrew|OWASP Top 10 Hebrew]]: Or Katz&lt;br /&gt;
* Homepage Maintenance: Avi Douglen, Ofer Maor, Yossi Oren&lt;br /&gt;
* Mailing List Management: Shira Shamban, Ori Troyna, Or Katz&lt;br /&gt;
&lt;br /&gt;
== General Activity ==&lt;br /&gt;
* An annual conference, usually in September or October. &lt;br /&gt;
* Periodic meetings. If you would like to host a meeting or speak at one, contact [mailto:avi.douglen@owasp.org Avi Douglen] or [mailto:or.katz@owasp.org Or Katz].&lt;br /&gt;
* Translation of OWASP resources into Hebrew&lt;br /&gt;
* Spreading the word - reaching out to more people, especially outside the AppSec community.&lt;br /&gt;
&amp;lt;!-- 2nd Tab end --&amp;gt;&lt;br /&gt;
&lt;br /&gt;
&amp;lt;!-- 3rd Tab start --&amp;gt;&lt;br /&gt;
= Current Activity =&lt;br /&gt;
&lt;br /&gt;
== Meetings ==&lt;br /&gt;
&lt;br /&gt;
&amp;lt;span style=&amp;quot;font-size:115%;font-weight:bold;&amp;quot;&amp;gt; Get ready for OWASP [https://2018.appsecil.org/ AppSec Israel 2018], to be held on 5-6 September, 2018! &amp;lt;/span&amp;gt;&amp;lt;br&amp;gt;&lt;br /&gt;
&lt;br /&gt;
* &amp;lt;meetup group=&amp;quot;OWASP-Israel&amp;quot; /&amp;gt;&lt;br /&gt;
&lt;br /&gt;
== Hebrew Translations ==  &lt;br /&gt;
&lt;br /&gt;
; '''The OWASP Top 10, 2013 version was translated to Hebrew! &amp;lt;br&amp;gt; '''&lt;br /&gt;
It is now [[OWASP_Top10_Hebrew|available for download]].&lt;br /&gt;
&lt;br /&gt;
The [[OWASP_Risk_Rating_Methodology|OWASP Risk Rating Methodology]], part of the [[OWASP_Testing_Project|OWASP Testing Project]], has been translated to Hebrew, and is available for download in [[Media:OWASP_Risk_Rating_Methodology-Hebrew.pdf|PDF format]]. &lt;br /&gt;
Many thanks to Tal Argoni from TriadSec.&lt;br /&gt;
&lt;br /&gt;
== Additional Resources ==&lt;br /&gt;
* Security discussion forum in Hebrew - on [https://www.facebook.com/groups/owasp.il/ Facebook]. [[file:Facebook_logo_small.jpg|100px|link=https://www.facebook.com/groups/owasp.il/]]&lt;br /&gt;
* [https://www.linkedin.com/groups/39702 LinkedIn Group] for networking and announcements. [[file:Delhi_linkedin.jpg|100px|link=https://www.linkedin.com/groups/39702]]&lt;br /&gt;
* [https://owasp.slack.com/messages/chapter-israel/ Chat room] for security in Hebrew. [[file:Slack.png|90px|link=https://owasp.slack.com/messages/chapter-israel/]]  &lt;br /&gt;
* [https://twitter.com/OWASP_IL Twitter] account. [[file:twitter_wide.jpg|75px|link=https://twitter.com/OWASP_IL]]&lt;br /&gt;
* [[OWASP_IL_Sponsorship|Sponsorship opportunities]], including #AppSecIL conference sponsorship. &lt;br /&gt;
* [http://www.meetup.com/OWASP-Israel/ Ongoing Meetings and socialization on Meetup]. [[file:Meetup-logo-2x.png|75px|link=http://www.meetup.com/OWASP-Israel/]]&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
If you have anything else on your mind, please speak up! Contact [mailto:avi.douglen@owasp.org Avi Douglen] with any ideas you have.&lt;br /&gt;
&amp;lt;!-- 3rd Tab end --&amp;gt;&lt;br /&gt;
&lt;br /&gt;
&amp;lt;!-- 4th Tab start --&amp;gt;&lt;br /&gt;
= Previous Annual Conferences =&lt;br /&gt;
{| class=&amp;quot;wikitable&amp;quot; border=&amp;quot;1&amp;quot; style=&amp;quot;text-align:center;&amp;quot; |&lt;br /&gt;
! width=&amp;quot;200&amp;quot; | Name&lt;br /&gt;
! width=&amp;quot;200&amp;quot; | Date&lt;br /&gt;
! width=&amp;quot;350&amp;quot; | Location&lt;br /&gt;
! width=&amp;quot;200&amp;quot; | Attendance&lt;br /&gt;
|- align=&amp;quot;center&amp;quot;&lt;br /&gt;
| '''[https://2017.appsecil.org/ AppSec Israel 2017]'''&lt;br /&gt;
| '''October 17-18, 2017'''&lt;br /&gt;
| '''College of Management'''&lt;br /&gt;
| '''more than 800 attendees!'''&lt;br /&gt;
|- align=&amp;quot;left&amp;quot;&lt;br /&gt;
| colspan=&amp;quot;4&amp;quot; |Use the [https://2017.appsecil.org/ AppSec Israel 2017] website to download presentations and videos&lt;br /&gt;
|- align=&amp;quot;center&amp;quot;&lt;br /&gt;
| '''[[AppSec_Israel_2016|AppSec Israel 2016]]'''&lt;br /&gt;
| '''September 19th 2016'''&lt;br /&gt;
| '''College of Management'''&lt;br /&gt;
| '''more than 650 attendees!'''&lt;br /&gt;
|- align=&amp;quot;left&amp;quot;&lt;br /&gt;
| colspan=&amp;quot;4&amp;quot; |Use the [[AppSec_Israel_2016_Presentations|presentations info page]] to download presentations and videos&lt;br /&gt;
|- align=&amp;quot;center&amp;quot;&lt;br /&gt;
| '''[[AppSec_Israel_2015|AppSec Israel 2015]]'''&lt;br /&gt;
| '''October 13th, 2015'''&lt;br /&gt;
| '''College of Management'''&lt;br /&gt;
| '''over 550 participants!'''&lt;br /&gt;
|- align=&amp;quot;left&amp;quot;&lt;br /&gt;
| colspan=&amp;quot;4&amp;quot; |Use the [[AppSec_Israel_2015_Presentations|presentations info page]] to download presentations&lt;br /&gt;
|- align=&amp;quot;center&amp;quot;&lt;br /&gt;
| '''[[AppSec_Israel_2014|AppSec Israel 2014]]'''&lt;br /&gt;
| '''September 2nd, 2014'''&lt;br /&gt;
| '''IDC'''&lt;br /&gt;
| '''over 450 participants!'''&lt;br /&gt;
|- align=&amp;quot;left&amp;quot;&lt;br /&gt;
| colspan=&amp;quot;4&amp;quot; |Use the [[AppSec_Israel_2014_Presentations|presentations info page]] to download presentations&lt;br /&gt;
|- align=&amp;quot;center&amp;quot;&lt;br /&gt;
| '''[[OWASP_Israel_2013|OWASP Israel 2013]]'''&lt;br /&gt;
| '''October 1st, 2013'''&lt;br /&gt;
|&lt;br /&gt;
| '''480 participants!'''&lt;br /&gt;
|- align=&amp;quot;left&amp;quot;&lt;br /&gt;
| colspan=&amp;quot;4&amp;quot; |Use the [[OWASP_Israel_2013_Presentations|presentations info page]] to download presentations&lt;br /&gt;
|- align=&amp;quot;center&amp;quot;&lt;br /&gt;
| '''[[OWASP_Israel_2012|OWASP Israel 2012 conference]]'''&lt;br /&gt;
| '''Sep 5th, 2012'''&lt;br /&gt;
| '''IDC'''&lt;br /&gt;
|&lt;br /&gt;
|- align=&amp;quot;center&amp;quot;&lt;br /&gt;
| '''[[OWASP_Israel_2011|OWASP Israel 2011 Conference]]'''&lt;br /&gt;
| '''Sep 15th, 2011'''&lt;br /&gt;
| '''IDC in Herzliya'''&lt;br /&gt;
| '''350 attendees'''&lt;br /&gt;
|- align=&amp;quot;center&amp;quot;&lt;br /&gt;
| '''[[OWASP_Israel_2010|OWASP Israel 2010 Conference]]'''&lt;br /&gt;
| '''Sep 6th, 2010'''&lt;br /&gt;
| '''IDC in Herzliya'''&lt;br /&gt;
| '''150 attendees'''&lt;br /&gt;
|- align=&amp;quot;center&amp;quot;&lt;br /&gt;
| '''[[OWASP_Israel_2009|OWASP Israel 2009]]'''&lt;br /&gt;
| '''Sunday, September 6th 2009'''&lt;br /&gt;
| '''Interdisciplinary Center Herzliya'''&lt;br /&gt;
| &lt;br /&gt;
|- align=&amp;quot;left&amp;quot;&lt;br /&gt;
| colspan=&amp;quot;4&amp;quot; |You can find the agenda and uploaded presentations [[OWASP_Israel_2009|here]]&lt;br /&gt;
|- align=&amp;quot;center&amp;quot;&lt;br /&gt;
| '''[[OWASP_Israel_2008_Conference_at_the_Interdisciplinary_Center_Herzliya|The OWASP Israel 2008 conference&lt;br /&gt;
at the Interdisciplinary Center Herzliya (IDC)]]'''&lt;br /&gt;
| '''September 14th, 2008'''&lt;br /&gt;
| '''Interdisciplinary Center Herzliya'''&lt;br /&gt;
| '''250 attendees'''&lt;br /&gt;
|- align=&amp;quot;center&amp;quot;&lt;br /&gt;
| '''OWASP Israel at the [http://www.idc.co.il/?showproduct=31108&amp;amp;content_lang=ENG IDC Security Road Show]'''&lt;br /&gt;
| '''June 3rd, 2008'''&lt;br /&gt;
|&lt;br /&gt;
|&lt;br /&gt;
|- align=&amp;quot;left&amp;quot;&lt;br /&gt;
| colspan=&amp;quot;4&amp;quot; |OWASP sponsored the IDC Security Road Show event in Israel. Thanks to Iris Lev-Ari and Tomer Teller for their help at the OWASP booth.&lt;br /&gt;
|- align=&amp;quot;center&amp;quot;&lt;br /&gt;
| '''[[OWASP_Israel_2007_Conference|OWASP Israel 2007 conference at the Interdisciplinary Center Herzliya (IDC)]]'''&lt;br /&gt;
| '''Dec 3rd 2007'''&lt;br /&gt;
| '''Interdisciplinary Center (IDC) Herzliya'''&lt;br /&gt;
|&lt;br /&gt;
|- align=&amp;quot;left&amp;quot;&lt;br /&gt;
| colspan=&amp;quot;4&amp;quot; |The first official OWASP conference in Israel was held on Dec 3rd 2007 at the Interdisciplinary Center (IDC) Herzliya.&lt;br /&gt;
The conference established itself as a must-attend event for anyone involved in application security. [http://picasaweb.google.com/oshezaf/OWASPIsrael2007 Pictures from the conference]&lt;br /&gt;
|}&lt;br /&gt;
&amp;lt;!-- 4th Tab end --&amp;gt;&lt;br /&gt;
&amp;lt;!-- 5th Tab start --&amp;gt;&lt;br /&gt;
= Previous Meetings =&lt;br /&gt;
{| class=&amp;quot;wikitable&amp;quot; border=&amp;quot;1&amp;quot; style=&amp;quot;text-align:center;&amp;quot; |&lt;br /&gt;
! width=&amp;quot;250&amp;quot; | Name&lt;br /&gt;
! width=&amp;quot;200&amp;quot; | Date&lt;br /&gt;
! width=&amp;quot;350&amp;quot; | Location&lt;br /&gt;
! width=&amp;quot;200&amp;quot; | Attendance&lt;br /&gt;
|- align=&amp;quot;center&amp;quot;&lt;br /&gt;
| [[OWASP_Israel_June_2017|OWASP Israel June 2017]]&lt;br /&gt;
| June 20th, 2017&lt;br /&gt;
| Intuit Israel, HaHarash St. 4, Hod Hasharon&lt;br /&gt;
| &lt;br /&gt;
|- align=&amp;quot;center&amp;quot;&lt;br /&gt;
| [[OWASP_Israel_April_2017|OWASP Israel April 2017]]&lt;br /&gt;
| April 3rd, 2017&lt;br /&gt;
| Checkmarx's offices, in the Amot Atrium Tower, 2 Jabotinsky St., Ramat Gan&lt;br /&gt;
| 75 people&lt;br /&gt;
|- align=&amp;quot;center&amp;quot;&lt;br /&gt;
| [[OWASP_Israel_January_2017|OWASP Israel January 2017]]&lt;br /&gt;
| January 18th, 2017&lt;br /&gt;
| Radware’s Tel Aviv offices, at Raul Wallenberg 22, Ramat HaChayal&lt;br /&gt;
| 120 people&lt;br /&gt;
|- align=&amp;quot;center&amp;quot;&lt;br /&gt;
| [[OWASP_Israel_June_2016|OWASP Israel June 2016]]&lt;br /&gt;
| June 14, 2016&lt;br /&gt;
| Amdocs Auditorium in Raanana&lt;br /&gt;
|&lt;br /&gt;
|- align=&amp;quot;center&amp;quot;&lt;br /&gt;
| [[OWASP_Israel_April_2016|OWASP Israel April 2016]]&lt;br /&gt;
| April 12, 2016&lt;br /&gt;
| HP Enterprise in Yehud&lt;br /&gt;
| 150 participants&lt;br /&gt;
|- align=&amp;quot;center&amp;quot;&lt;br /&gt;
| [[OWASP_Israel_February_2016|OWASP Israel February 2016]]&lt;br /&gt;
| February 2, 2016&lt;br /&gt;
| F5 Networks in Tel Aviv&lt;br /&gt;
|&lt;br /&gt;
|- align=&amp;quot;center&amp;quot;&lt;br /&gt;
| [[OWASP_Israel_June_2015|OWASP Israel June 2015]]&lt;br /&gt;
| June 16, 2015&lt;br /&gt;
| Microsoft in Herzliya&lt;br /&gt;
| 120 participants&lt;br /&gt;
|- align=&amp;quot;center&amp;quot;&lt;br /&gt;
| [[OWASP_Israel_March_2015|OWASP Israel March 2015]]&lt;br /&gt;
| March 30, 2015&lt;br /&gt;
| NCR in Raanana&lt;br /&gt;
| 120 participants&lt;br /&gt;
|- align=&amp;quot;center&amp;quot;&lt;br /&gt;
| [[OWASP_Israel_June_2014|OWASP Israel June 2014]]&lt;br /&gt;
| June 16, 2014&lt;br /&gt;
| F5 Networks in Tel Aviv&lt;br /&gt;
| 110 participants&lt;br /&gt;
|- align=&amp;quot;center&amp;quot;&lt;br /&gt;
| [[OWASP_Israel_April_2014|OWASP Israel April 2014]]&lt;br /&gt;
| April 23, 2014&lt;br /&gt;
| Akamai in Herzliya Pituach&lt;br /&gt;
| 100 participants&lt;br /&gt;
|- align=&amp;quot;center&amp;quot;&lt;br /&gt;
| [[OWASP_Israel_January_2014|OWASP Israel January 2014]]&lt;br /&gt;
| January 14th, 2014&lt;br /&gt;
| Amdocs in Ra'anana &lt;br /&gt;
| 120 participants&lt;br /&gt;
|- align=&amp;quot;center&amp;quot;&lt;br /&gt;
| [[OWASP_Israel_2013_05|OWASP Israel May 2013]]&lt;br /&gt;
| May 28th, 2013&lt;br /&gt;
| RSA&lt;br /&gt;
| 80 participants&lt;br /&gt;
|- align=&amp;quot;center&amp;quot;&lt;br /&gt;
| [[OWASP_Israel_2013_02|OWASP Israel February 2013]]&lt;br /&gt;
| February 12th, 2013&lt;br /&gt;
| E&amp;amp;Y&lt;br /&gt;
|&lt;br /&gt;
|- align=&amp;quot;left&amp;quot;&lt;br /&gt;
| colspan=&amp;quot;4&amp;quot; |[[OWASP_ISRAEL_2013_02_Hebrew|Hebrew version]]&lt;br /&gt;
|- align=&amp;quot;center&amp;quot;&lt;br /&gt;
| [[OWASP_Israel_2010_06|OWASP Israel Jun-2010]]&lt;br /&gt;
| Jun 22nd, 2010&lt;br /&gt;
| IBM/Watchfire in Herzliya&lt;br /&gt;
|&lt;br /&gt;
|- align=&amp;quot;center&amp;quot;&lt;br /&gt;
| [[OWASP_Israel_2010_02|OWASP Israel Feb-2010]]&lt;br /&gt;
| Feb 9th, 2010&lt;br /&gt;
| Amdocs in Ra'anana&lt;br /&gt;
| 70 attendees&lt;br /&gt;
|- align=&amp;quot;center&amp;quot;&lt;br /&gt;
| [[OWASP_Israel_2010_01|OWASP Israel Jan-2010]]&lt;br /&gt;
| Jan 12th, 2010 &lt;br /&gt;
| Breach Security in Herzliya&lt;br /&gt;
| 60 attendees&lt;br /&gt;
|- align=&amp;quot;center&amp;quot;&lt;br /&gt;
| [[OWASP_Israel_2009_12|OWASP Israel Dec-2009]]&lt;br /&gt;
| Dec 2009&lt;br /&gt;
| IBM/Watchfire in Herzliya&lt;br /&gt;
|&lt;br /&gt;
|- align=&amp;quot;center&amp;quot;&lt;br /&gt;
| [[OWASP_Israel_2009_05|OWASP Israel May 2009 meeting]]&lt;br /&gt;
| May 7th, 2009&lt;br /&gt;
| IBM in Park Azorim in Petach-Tikva&lt;br /&gt;
|&lt;br /&gt;
|- align=&amp;quot;left&amp;quot;&lt;br /&gt;
| colspan=&amp;quot;4&amp;quot; |The presentations were:&lt;br /&gt;
* Web-Based Man-in-the-Middle Attack, Adi Sharabani, IBM ([http://blog.watchfire.com/wfblog/2009/02/active-man-in-the-middle-attacks.html more info])&lt;br /&gt;
* Automation Attacks and Counter Measures, Ofer Shezaf, Xiom ([http://www.owasp.org/images/5/58/OWASP_Israel_-_May_2009_-_Ofer_Shezaf_-_Automation_Attacks.pdf presentation])&lt;br /&gt;
: [[OWASP_ISRAEL_2009_05_Hebrew|Full details in Hebrew]]&lt;br /&gt;
|- align=&amp;quot;center&amp;quot;&lt;br /&gt;
| [[OWASP_Israel_2009_03|OWASP Israel March 2009 meeting]]&lt;br /&gt;
| March 26th, 2009&lt;br /&gt;
| Tel-Aviv University&lt;br /&gt;
| 60 attendees&lt;br /&gt;
|- align=&amp;quot;left&amp;quot;&lt;br /&gt;
| colspan=&amp;quot;4&amp;quot; |The presentations were:&lt;br /&gt;
* Securing cellular web applications, Mikko Saario, Founder, OWASP Finland, Security Architect, Large Telecom Solution Provider ([[Media:OWASP_Israel_-_March_2009_-_Mikko_Saario_-_Web_Application_Security_in_the_Mobile_World.pdf‎|download]])&lt;br /&gt;
* Real world implementation of a PCI DSS compliance key management, Yaron Hakon, 2bsecure ([[Media:OWASP_Israel_-_March_2009_-_Yaron_Hakon_-_PCI_key_managment.pdf‎|download]])&lt;br /&gt;
* Detecting RFI attacks, Or Katz, Breach Security ([[Media:OWASP_Israel_-_March_2009_-_Or_Katz_-_RFI_detection.pdf‎|download]])&lt;br /&gt;
* WAFEC 2.0 - Do WAFs deliver?, Ofer Shezaf, Xiom ([[Media:OWASP_Israel_-_March_2009_-_Ofer_Shezaf_-_Why_WAFs_fail.pdf‎|download]])&lt;br /&gt;
: [[OWASP_ISRAEL_2009_03_Hebrew|Full details in Hebrew]]&lt;br /&gt;
|- align=&amp;quot;center&amp;quot;&lt;br /&gt;
| [[OWASP_Israel_2009_01|OWASP Israel January 2009 meeting]]&lt;br /&gt;
| January 28th, 2009&lt;br /&gt;
| Checkpoint&lt;br /&gt;
| 100 people&lt;br /&gt;
|- align=&amp;quot;left&amp;quot;&lt;br /&gt;
| colspan=&amp;quot;4&amp;quot; |The presentations were:&lt;br /&gt;
* Improving Web Application Firewall testing for better deployment in production network, Gregory Fresnais from BreakingPoint, visiting us from France ([[Media:OWASP_Israel_2009_01_Gregory_Fresnais_Measuring_WAF_Performance.pdf‎|download]]) &lt;br /&gt;
* Web 2.0 Hacking, Nimrod Luria, Qrity ([[Media:OWASP_Israel_2009_01_Nimrod_Luria_Web_2.0_Security.pdf‎|download]])&lt;br /&gt;
* Wiki Security, Ofer Shezaf, Xiom ([http://www.xiom.com/research/wiki_security download])&lt;br /&gt;
|}&lt;br /&gt;
&amp;lt;!-- 5th Tab end --&amp;gt;&lt;br /&gt;
&lt;br /&gt;
&amp;lt;!-- Above the following line = Heading 1 = will create a new tab --&amp;gt;&lt;br /&gt;
&amp;lt;headertabs&amp;gt;&amp;lt;/headertabs&amp;gt;&lt;br /&gt;
&amp;lt;!-- Below this line = Heading 1 = will not create tabs anymore --&amp;gt;&lt;br /&gt;
&lt;br /&gt;
= Chapter Sponsors = &lt;br /&gt;
&lt;br /&gt;
The OWASP Israel chapter's yearly activity is supported by the generous sponsorship of the following companies: &lt;br /&gt;
&lt;br /&gt;
[[image:OWASPIL_Sponsors_2018.png|center]]&lt;br /&gt;
&lt;br /&gt;
[[Category:Middle East]] &lt;br /&gt;
[[Category:Europe]]&lt;/div&gt;</summary>
		<author><name>Avi Douglen</name></author>	</entry>

	<entry>
		<id>https://wiki.owasp.org/index.php?title=Israel&amp;diff=247538</id>
		<title>Israel</title>
		<link rel="alternate" type="text/html" href="https://wiki.owasp.org/index.php?title=Israel&amp;diff=247538"/>
				<updated>2019-02-15T13:09:50Z</updated>
		
		<summary type="html">&lt;p&gt;Avi Douglen: &lt;/p&gt;
&lt;hr /&gt;
&lt;div&gt;[[Category:OWASP_Chapter]]&lt;br /&gt;
[[image:Owasp_Israel_logo.png|center|500px]]&lt;br /&gt;
__NOTOC__ &amp;lt;!-- This removes the Table Of Contents on this page --&amp;gt;&lt;br /&gt;
&amp;lt;!-- Any = Heading 1 = markup will create a new tab until after the &amp;lt;/headertabs&amp;gt; --&amp;gt;&lt;br /&gt;
&amp;lt;!-- 1st Tab start --&amp;gt;&lt;br /&gt;
= Welcome =&lt;br /&gt;
&lt;br /&gt;
{{Chapter Template|chaptername=Israel|extra=&amp;lt;br&amp;gt;|mailinglistsite=http://lists.owasp.org/mailman/listinfo/owasp-israel|emailarchives=http://lists.owasp.org/pipermail/owasp-israel}}&lt;br /&gt;
&amp;lt;!-- 1st Tab end --&amp;gt;&lt;br /&gt;
&lt;br /&gt;
&amp;lt;!-- 2nd Tab start --&amp;gt;&lt;br /&gt;
&lt;br /&gt;
= Chapter Details =&lt;br /&gt;
== The Team ==&lt;br /&gt;
&lt;br /&gt;
Chairman: '''[mailto:or.katz@owasp.org Or Katz]'''.&lt;br /&gt;
&lt;br /&gt;
* Chapter Leaders:  '''[mailto:or.katz@owasp.org Or Katz]''', '''[mailto:avi.douglen@owasp.org Avi Douglen]''', ''' Ofer Maor'''&lt;br /&gt;
* Chapter Board:  '''[[User:YossiOren|Dr. Yossi Oren]]''', '''Shira Shamban''', '''Josh Grossman''', '''Ori Troyna''', '''[[User:Eyigal|Yigal Elefant]]'''&lt;br /&gt;
* Chapter Founder: '''[mailto:ofer@shezaf.com Ofer Shezaf]'''&lt;br /&gt;
* [[OWASP_Top10_Hebrew|OWASP Top 10 Hebrew]]: Or Katz&lt;br /&gt;
* Homepage Maintenance: Avi Douglen, Ofer Maor, Yossi Oren, [[User:Eyigal|Yigal Elefant]]&lt;br /&gt;
* Mailing List Management: Or Katz, Avi Douglen, Ofer Maor&lt;br /&gt;
&lt;br /&gt;
== General Activity ==&lt;br /&gt;
* An annual conference, usually in September or October. &lt;br /&gt;
* Periodic meetings. If you would like to host a meeting or speak at one, contact [mailto:avi.douglen@owasp.org Avi Douglen] or [mailto:or.katz@owasp.org Or Katz].&lt;br /&gt;
* Translation of OWASP resources into Hebrew&lt;br /&gt;
* Spreading the word - reaching out to more people, especially outside the AppSec community.&lt;br /&gt;
&amp;lt;!-- 2nd Tab end --&amp;gt;&lt;br /&gt;
&lt;br /&gt;
&amp;lt;!-- 3rd Tab start --&amp;gt;&lt;br /&gt;
= Current Activity =&lt;br /&gt;
&lt;br /&gt;
== Meetings ==&lt;br /&gt;
&lt;br /&gt;
&amp;lt;span style=&amp;quot;font-size:115%;font-weight:bold;&amp;quot;&amp;gt; Get ready for OWASP [https://2018.appsecil.org/ AppSec Israel 2018], to be held on 5-6 September, 2018! &amp;lt;/span&amp;gt;&amp;lt;br&amp;gt;&lt;br /&gt;
&lt;br /&gt;
* &amp;lt;meetup group=&amp;quot;OWASP-Israel&amp;quot; /&amp;gt;&lt;br /&gt;
&lt;br /&gt;
== Hebrew Translations ==  &lt;br /&gt;
&lt;br /&gt;
; '''The OWASP Top 10, 2013 version was translated to Hebrew! &amp;lt;br&amp;gt; '''&lt;br /&gt;
It is now [[OWASP_Top10_Hebrew|available for download]].&lt;br /&gt;
&lt;br /&gt;
The [[OWASP_Risk_Rating_Methodology|OWASP Risk Rating Methodology]], part of the [[OWASP_Testing_Project|OWASP Testing Project]], has been translated to Hebrew, and is available for download in [[Media:OWASP_Risk_Rating_Methodology-Hebrew.pdf|PDF format]]. &lt;br /&gt;
Many thanks to Tal Argoni from TriadSec.&lt;br /&gt;
&lt;br /&gt;
== Additional Resources ==&lt;br /&gt;
* Security discussion forum in Hebrew - on [https://www.facebook.com/groups/owasp.il/ Facebook]. [[file:Facebook_logo_small.jpg|100px|link=https://www.facebook.com/groups/owasp.il/]]&lt;br /&gt;
* [https://www.linkedin.com/groups/39702 LinkedIn Group] for networking and announcements. [[file:Delhi_linkedin.jpg|100px|link=https://www.linkedin.com/groups/39702]]&lt;br /&gt;
* [https://owasp.slack.com/messages/chapter-israel/ Chat room] for security in Hebrew. [[file:Slack.png|90px|link=https://owasp.slack.com/messages/chapter-israel/]]  &lt;br /&gt;
* [https://twitter.com/OWASP_IL Twitter] account. [[file:twitter_wide.jpg|75px|link=https://twitter.com/OWASP_IL]]&lt;br /&gt;
* [[OWASP_IL_Sponsorship|Sponsorship opportunities]], including #AppSecIL conference sponsorship. &lt;br /&gt;
* [http://www.meetup.com/OWASP-Israel/ Ongoing Meetings and socialization on Meetup]. [[file:Meetup-logo-2x.png|75px|link=http://www.meetup.com/OWASP-Israel/]]&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
If you have anything else on your mind, please speak up! Contact [mailto:avi.douglen@owasp.org Avi Douglen] with any ideas you have.&lt;br /&gt;
&amp;lt;!-- 3rd Tab end --&amp;gt;&lt;br /&gt;
&lt;br /&gt;
&amp;lt;!-- 4th Tab start --&amp;gt;&lt;br /&gt;
= Previous Annual Conferences =&lt;br /&gt;
{| class=&amp;quot;wikitable&amp;quot; border=&amp;quot;1&amp;quot; style=&amp;quot;text-align:center;&amp;quot; |&lt;br /&gt;
! width=&amp;quot;200&amp;quot; | Name&lt;br /&gt;
! width=&amp;quot;200&amp;quot; | Date&lt;br /&gt;
! width=&amp;quot;350&amp;quot; | Location&lt;br /&gt;
! width=&amp;quot;200&amp;quot; | Attendance&lt;br /&gt;
|- align=&amp;quot;center&amp;quot;&lt;br /&gt;
| '''[https://2017.appsecil.org/ AppSec Israel 2017]'''&lt;br /&gt;
| '''October 17-18, 2017'''&lt;br /&gt;
| '''College of Management'''&lt;br /&gt;
| '''more than 800 attendees!'''&lt;br /&gt;
|- align=&amp;quot;left&amp;quot;&lt;br /&gt;
| colspan=&amp;quot;4&amp;quot; |Use the [https://2017.appsecil.org/ AppSec Israel 2017] website to download presentations and videos&lt;br /&gt;
|- align=&amp;quot;center&amp;quot;&lt;br /&gt;
| '''[[AppSec_Israel_2016|AppSec Israel 2016]]'''&lt;br /&gt;
| '''September 19th 2016'''&lt;br /&gt;
| '''College of Management'''&lt;br /&gt;
| '''more than 650 attendees!'''&lt;br /&gt;
|- align=&amp;quot;left&amp;quot;&lt;br /&gt;
| colspan=&amp;quot;4&amp;quot; |Use the [[AppSec_Israel_2016_Presentations|presentations info page]] to download presentations and videos&lt;br /&gt;
|- align=&amp;quot;center&amp;quot;&lt;br /&gt;
| '''[[AppSec_Israel_2015|AppSec Israel 2015]]'''&lt;br /&gt;
| '''October 13th, 2015'''&lt;br /&gt;
| '''College of Management'''&lt;br /&gt;
| '''over 550 participants!'''&lt;br /&gt;
|- align=&amp;quot;left&amp;quot;&lt;br /&gt;
| colspan=&amp;quot;4&amp;quot; |Use the [[AppSec_Israel_2015_Presentations|presentations info page]] to download presentations&lt;br /&gt;
|- align=&amp;quot;center&amp;quot;&lt;br /&gt;
| '''[[AppSec_Israel_2014|AppSec Israel 2014]]'''&lt;br /&gt;
| '''September 2nd, 2014'''&lt;br /&gt;
| '''IDC'''&lt;br /&gt;
| '''over 450 participants!'''&lt;br /&gt;
|- align=&amp;quot;left&amp;quot;&lt;br /&gt;
| colspan=&amp;quot;4&amp;quot; |Use the [[AppSec_Israel_2014_Presentations|presentations info page]] to download presentations&lt;br /&gt;
|- align=&amp;quot;center&amp;quot;&lt;br /&gt;
| '''[[OWASP_Israel_2013|OWASP Israel 2013]]'''&lt;br /&gt;
| '''October 1st, 2013'''&lt;br /&gt;
|&lt;br /&gt;
| '''480 participants!'''&lt;br /&gt;
|- align=&amp;quot;left&amp;quot;&lt;br /&gt;
| colspan=&amp;quot;4&amp;quot; |Use the [[OWASP_Israel_2013_Presentations|presentations info page]] to download presentations&lt;br /&gt;
|- align=&amp;quot;center&amp;quot;&lt;br /&gt;
| '''[[OWASP_Israel_2012|OWASP Israel 2012 conference]]'''&lt;br /&gt;
| '''Sep 5th, 2012'''&lt;br /&gt;
| '''IDC'''&lt;br /&gt;
|&lt;br /&gt;
|- align=&amp;quot;center&amp;quot;&lt;br /&gt;
| '''[[OWASP_Israel_2011|OWASP Israel 2011 Conference]]'''&lt;br /&gt;
| '''Sep 15th, 2011'''&lt;br /&gt;
| '''IDC in Herzliya'''&lt;br /&gt;
| '''350 attendees'''&lt;br /&gt;
|- align=&amp;quot;center&amp;quot;&lt;br /&gt;
| '''[[OWASP_Israel_2010|OWASP Israel 2010 Conference]]'''&lt;br /&gt;
| '''Sep 6th, 2010'''&lt;br /&gt;
| '''IDC in Herzliya'''&lt;br /&gt;
| '''150 attendees'''&lt;br /&gt;
|- align=&amp;quot;center&amp;quot;&lt;br /&gt;
| '''[[OWASP_Israel_2009|OWASP Israel 2009]]'''&lt;br /&gt;
| '''Sunday, September 6th 2009'''&lt;br /&gt;
| '''Interdisciplinary Center Herzliya'''&lt;br /&gt;
| &lt;br /&gt;
|- align=&amp;quot;left&amp;quot;&lt;br /&gt;
| colspan=&amp;quot;4&amp;quot; |You can find the agenda and uploaded presentations [[OWASP_Israel_2009|here]]&lt;br /&gt;
|- align=&amp;quot;center&amp;quot;&lt;br /&gt;
| '''[[OWASP_Israel_2008_Conference_at_the_Interdisciplinary_Center_Herzliya|The OWASP Israel 2008 conference&lt;br /&gt;
at the Interdisciplinary Center Herzliya (IDC)]]'''&lt;br /&gt;
| '''September 14th, 2008'''&lt;br /&gt;
| '''Interdisciplinary Center Herzliya'''&lt;br /&gt;
| '''250 attendees'''&lt;br /&gt;
|- align=&amp;quot;center&amp;quot;&lt;br /&gt;
| '''OWASP Israel at the [http://www.idc.co.il/?showproduct=31108&amp;amp;content_lang=ENG IDC Security Road Show]'''&lt;br /&gt;
| '''June 3rd, 2008'''&lt;br /&gt;
|&lt;br /&gt;
|&lt;br /&gt;
|- align=&amp;quot;left&amp;quot;&lt;br /&gt;
| colspan=&amp;quot;4&amp;quot; |OWASP sponsored the IDC Security Road Show event in Israel. Thanks to Iris Lev-Ari and Tomer Teller for their help at the OWASP booth.&lt;br /&gt;
|- align=&amp;quot;center&amp;quot;&lt;br /&gt;
| '''[[OWASP_Israel_2007_Conference|OWASP Israel 2007 conference at the Interdisciplinary Center Herzliya (IDC)]]'''&lt;br /&gt;
| '''Dec 3rd 2007'''&lt;br /&gt;
| '''Interdisciplinary Center (IDC) Herzliya'''&lt;br /&gt;
|&lt;br /&gt;
|- align=&amp;quot;left&amp;quot;&lt;br /&gt;
| colspan=&amp;quot;4&amp;quot; |The first official OWASP conference in Israel was held on Dec 3rd 2007 at the Interdisciplinary Center (IDC) Herzliya.&lt;br /&gt;
The conference established itself as a must-attend event for anyone involved in application security. [http://picasaweb.google.com/oshezaf/OWASPIsrael2007 Pictures from the conference]&lt;br /&gt;
|}&lt;br /&gt;
&amp;lt;!-- 4th Tab end --&amp;gt;&lt;br /&gt;
&amp;lt;!-- 5th Tab start --&amp;gt;&lt;br /&gt;
= Previous Meetings =&lt;br /&gt;
{| class=&amp;quot;wikitable&amp;quot; border=&amp;quot;1&amp;quot; style=&amp;quot;text-align:center;&amp;quot; |&lt;br /&gt;
! width=&amp;quot;250&amp;quot; | Name&lt;br /&gt;
! width=&amp;quot;200&amp;quot; | Date&lt;br /&gt;
! width=&amp;quot;350&amp;quot; | Location&lt;br /&gt;
! width=&amp;quot;200&amp;quot; | Attendance&lt;br /&gt;
|- align=&amp;quot;center&amp;quot;&lt;br /&gt;
| [[OWASP_Israel_June_2017|OWASP Israel June 2017]]&lt;br /&gt;
| June 20th, 2017&lt;br /&gt;
| Intuit Israel, HaHarash St. 4, Hod Hasharon&lt;br /&gt;
| &lt;br /&gt;
|- align=&amp;quot;center&amp;quot;&lt;br /&gt;
| [[OWASP_Israel_April_2017|OWASP Israel April 2017]]&lt;br /&gt;
| April 3rd, 2017&lt;br /&gt;
| Checkmarx's offices, in the Amot Atrium Tower, 2 Jabotinsky St., Ramat Gan&lt;br /&gt;
| 75 people&lt;br /&gt;
|- align=&amp;quot;center&amp;quot;&lt;br /&gt;
| [[OWASP_Israel_January_2017|OWASP Israel January 2017]]&lt;br /&gt;
| January 18th, 2017&lt;br /&gt;
| Radware’s Tel Aviv offices, at Raul Wallenberg 22, Ramat HaChayal&lt;br /&gt;
| 120 people&lt;br /&gt;
|- align=&amp;quot;center&amp;quot;&lt;br /&gt;
| [[OWASP_Israel_June_2016|OWASP Israel June 2016]]&lt;br /&gt;
| June 14, 2016&lt;br /&gt;
| Amdocs Auditorium in Raanana&lt;br /&gt;
|&lt;br /&gt;
|- align=&amp;quot;center&amp;quot;&lt;br /&gt;
| [[OWASP_Israel_April_2016|OWASP Israel April 2016]]&lt;br /&gt;
| April 12, 2016&lt;br /&gt;
| HP Enterprise in Yehud&lt;br /&gt;
| 150 participants&lt;br /&gt;
|- align=&amp;quot;center&amp;quot;&lt;br /&gt;
| [[OWASP_Israel_February_2016|OWASP Israel February 2016]]&lt;br /&gt;
| February 2, 2016&lt;br /&gt;
| F5 Networks in Tel Aviv&lt;br /&gt;
|&lt;br /&gt;
|- align=&amp;quot;center&amp;quot;&lt;br /&gt;
| [[OWASP_Israel_June_2015|OWASP Israel June 2015]]&lt;br /&gt;
| June 16, 2015&lt;br /&gt;
| Microsoft in Herzliya&lt;br /&gt;
| 120 participants&lt;br /&gt;
|- align=&amp;quot;center&amp;quot;&lt;br /&gt;
| [[OWASP_Israel_March_2015|OWASP Israel March 2015]]&lt;br /&gt;
| March 30, 2015&lt;br /&gt;
| NCR in Raanana&lt;br /&gt;
| 120 participants&lt;br /&gt;
|- align=&amp;quot;center&amp;quot;&lt;br /&gt;
| [[OWASP_Israel_June_2014|OWASP Israel June 2014]]&lt;br /&gt;
| June 16, 2014&lt;br /&gt;
| F5 Networks in Tel Aviv&lt;br /&gt;
| 110 participants&lt;br /&gt;
|- align=&amp;quot;center&amp;quot;&lt;br /&gt;
| [[OWASP_Israel_April_2014|OWASP Israel April 2014]]&lt;br /&gt;
| April 23, 2014&lt;br /&gt;
| Akamai in Herzliya Pituach&lt;br /&gt;
| 100 participants&lt;br /&gt;
|- align=&amp;quot;center&amp;quot;&lt;br /&gt;
| [[OWASP_Israel_January_2014|OWASP Israel January 2014]]&lt;br /&gt;
| January 14th, 2014&lt;br /&gt;
| Amdocs in Ra'anana &lt;br /&gt;
| 120 participants&lt;br /&gt;
|- align=&amp;quot;center&amp;quot;&lt;br /&gt;
| [[OWASP_Israel_2013_05|OWASP Israel May 2013]]&lt;br /&gt;
| May 28th, 2013&lt;br /&gt;
| RSA&lt;br /&gt;
| 80 participants&lt;br /&gt;
|- align=&amp;quot;center&amp;quot;&lt;br /&gt;
| [[OWASP_Israel_2013_02|OWASP Israel February 2013]]&lt;br /&gt;
| February 12th, 2013&lt;br /&gt;
| E&amp;amp;Y&lt;br /&gt;
|&lt;br /&gt;
|- align=&amp;quot;left&amp;quot;&lt;br /&gt;
| colspan=&amp;quot;4&amp;quot; |[[OWASP_ISRAEL_2013_02_Hebrew|Hebrew version]]&lt;br /&gt;
|- align=&amp;quot;center&amp;quot;&lt;br /&gt;
| [[OWASP_Israel_2010_06|OWASP Israel Jun-2010]]&lt;br /&gt;
| Jun 22nd, 2010&lt;br /&gt;
| IBM/Watchfire in Herzliya&lt;br /&gt;
|&lt;br /&gt;
|- align=&amp;quot;center&amp;quot;&lt;br /&gt;
| [[OWASP_Israel_2010_02|OWASP Israel Feb-2010]]&lt;br /&gt;
| Feb 9th, 2010&lt;br /&gt;
| Amdocs in Ra'anana&lt;br /&gt;
| 70 attendees&lt;br /&gt;
|- align=&amp;quot;center&amp;quot;&lt;br /&gt;
| [[OWASP_Israel_2010_01|OWASP Israel Jan-2010]]&lt;br /&gt;
| Jan 12th, 2010 &lt;br /&gt;
| Breach Security in Herzliya&lt;br /&gt;
| 60 attendees&lt;br /&gt;
|- align=&amp;quot;center&amp;quot;&lt;br /&gt;
| [[OWASP_Israel_2009_12|OWASP Israel Dec-2009]]&lt;br /&gt;
| Dec 2009&lt;br /&gt;
| IBM/Watchfire in Herzliya&lt;br /&gt;
|&lt;br /&gt;
|- align=&amp;quot;center&amp;quot;&lt;br /&gt;
| [[OWASP_Israel_2009_05|OWASP Israel May 2009 meeting]]&lt;br /&gt;
| May 7th, 2009&lt;br /&gt;
| IBM in Park Azorim in Petach-Tikva&lt;br /&gt;
|&lt;br /&gt;
|- align=&amp;quot;left&amp;quot;&lt;br /&gt;
| colspan=&amp;quot;4&amp;quot; |The presentations were:&lt;br /&gt;
* Web-Based Man-in-the-Middle Attack, Adi Sharabani, IBM ([http://blog.watchfire.com/wfblog/2009/02/active-man-in-the-middle-attacks.html more info])&lt;br /&gt;
* Automation Attacks and Counter Measures, Ofer Shezaf, Xiom ([http://www.owasp.org/images/5/58/OWASP_Israel_-_May_2009_-_Ofer_Shezaf_-_Automation_Attacks.pdf presentation])&lt;br /&gt;
: [[OWASP_ISRAEL_2009_05_Hebrew|Full details in Hebrew]]&lt;br /&gt;
|- align=&amp;quot;center&amp;quot;&lt;br /&gt;
| [[OWASP_Israel_2009_03|OWASP Israel March 2009 meeting]]&lt;br /&gt;
| March 26th, 2009&lt;br /&gt;
| Tel-Aviv University&lt;br /&gt;
| 60 attendees&lt;br /&gt;
|- align=&amp;quot;left&amp;quot;&lt;br /&gt;
| colspan=&amp;quot;4&amp;quot; |The presentations were:&lt;br /&gt;
* Securing cellular web applications, Mikko Saario, Founder, OWASP Finland, Security Architect, Large Telecom Solution Provider ([[Media:OWASP_Israel_-_March_2009_-_Mikko_Saario_-_Web_Application_Security_in_the_Mobile_World.pdf‎|download]])&lt;br /&gt;
* Real world implementation of a PCI DSS compliance key management, Yaron Hakon, 2bsecure ([[Media:OWASP_Israel_-_March_2009_-_Yaron_Hakon_-_PCI_key_managment.pdf‎|download]])&lt;br /&gt;
* Detecting RFI attacks, Or Katz, Breach Security ([[Media:OWASP_Israel_-_March_2009_-_Or_Katz_-_RFI_detection.pdf‎|download]])&lt;br /&gt;
* WAFEC 2.0 - Do WAFs deliver?, Ofer Shezaf, Xiom ([[Media:OWASP_Israel_-_March_2009_-_Ofer_Shezaf_-_Why_WAFs_fail.pdf‎|download]])&lt;br /&gt;
: [[OWASP_ISRAEL_2009_03_Hebrew|Full details in Hebrew]]&lt;br /&gt;
|- align=&amp;quot;center&amp;quot;&lt;br /&gt;
| [[OWASP_Israel_2009_01|OWASP Israel January 2009 meeting]]&lt;br /&gt;
| January 28th, 2009&lt;br /&gt;
| Checkpoint&lt;br /&gt;
| 100 people&lt;br /&gt;
|- align=&amp;quot;left&amp;quot;&lt;br /&gt;
| colspan=&amp;quot;4&amp;quot; |The presentations were:&lt;br /&gt;
* Improving Web Application Firewall testing for better deployment in production network, Gregory Fresnais from BreakingPoint, visiting us from France ([[Media:OWASP_Israel_2009_01_Gregory_Fresnais_Measuring_WAF_Performance.pdf‎|download]]) &lt;br /&gt;
* Web 2.0 Hacking, Nimrod Luria, Qrity ([[Media:OWASP_Israel_2009_01_Nimrod_Luria_Web_2.0_Security.pdf‎|download]])&lt;br /&gt;
* Wiki Security, Ofer Shezaf, Xiom ([http://www.xiom.com/research/wiki_security download])&lt;br /&gt;
|}&lt;br /&gt;
&amp;lt;!-- 5th Tab end --&amp;gt;&lt;br /&gt;
&lt;br /&gt;
&amp;lt;!-- Above the following line = Heading 1 = will create a new tab --&amp;gt;&lt;br /&gt;
&amp;lt;headertabs&amp;gt;&amp;lt;/headertabs&amp;gt;&lt;br /&gt;
&amp;lt;!-- Below this line = Heading 1 = will not create tabs anymore --&amp;gt;&lt;br /&gt;
&lt;br /&gt;
= Chapter Sponsors = &lt;br /&gt;
&lt;br /&gt;
The OWASP Israel chapter's yearly activity is being supported by the generous sponsorship of the following companies: &lt;br /&gt;
&lt;br /&gt;
[[image:OWASPIL_Sponsors_2018.png|center]]&lt;br /&gt;
&lt;br /&gt;
[[Category:Middle East]] &lt;br /&gt;
[[Category:Europe]]&lt;/div&gt;</summary>
		<author><name>Avi Douglen</name></author>	</entry>

	<entry>
		<id>https://wiki.owasp.org/index.php?title=Israel&amp;diff=242889</id>
		<title>Israel</title>
		<link rel="alternate" type="text/html" href="https://wiki.owasp.org/index.php?title=Israel&amp;diff=242889"/>
				<updated>2018-08-28T07:27:58Z</updated>
		
		<summary type="html">&lt;p&gt;Avi Douglen: Swapped tabs&lt;/p&gt;
&lt;hr /&gt;
&lt;div&gt;[[Category:OWASP_Chapter]]&lt;br /&gt;
[[image:Owasp_Israel_logo.png|center|500px]]&lt;br /&gt;
__NOTOC__ &amp;lt;!-- This removes the Table Of Contents on this page --&amp;gt;&lt;br /&gt;
&amp;lt;!-- Any = Heading 1 = markup will create a new tab until after the &amp;lt;/headertabs&amp;gt; --&amp;gt;&lt;br /&gt;
&amp;lt;!-- 1st Tab start --&amp;gt;&lt;br /&gt;
= Welcome =&lt;br /&gt;
&lt;br /&gt;
{{Chapter Template|chaptername=Israel|extra=&amp;lt;br&amp;gt;|mailinglistsite=http://lists.owasp.org/mailman/listinfo/owasp-israel|emailarchives=http://lists.owasp.org/pipermail/owasp-israel}}&lt;br /&gt;
&amp;lt;!-- 1st Tab end --&amp;gt;&lt;br /&gt;
&lt;br /&gt;
&amp;lt;!-- 2nd Tab start --&amp;gt;&lt;br /&gt;
&lt;br /&gt;
= Chapter Details =&lt;br /&gt;
== The Team ==&lt;br /&gt;
&lt;br /&gt;
Chairman: '''[mailto:or.katz@owasp.org Or Katz]'''.&lt;br /&gt;
&lt;br /&gt;
* OWASP Israel Board: '''[mailto:or.katz@owasp.org Or Katz]''', '''[mailto:avi.douglen@owasp.org Avi Douglen]''', ''' Ofer Maor''', '''Erez Metula''', '''Hemed Gur Ary''', '''[[User:YossiOren|Dr. Yossi Oren]]'''&lt;br /&gt;
* Chapter Founder: '''[mailto:ofer@shezaf.com Ofer Shezaf]'''&lt;br /&gt;
* [[OWASP_Top10_Hebrew|OWASP Top 10 Hebrew]]: Or Katz&lt;br /&gt;
* Homepage Maintenance: Avi Douglen, Ofer Maor, Yossi Oren, [[User:Eyigal|Yigal Elefant]]&lt;br /&gt;
* Mailing List Management: Avi Douglen, Ofer Maor, Or Katz&lt;br /&gt;
&lt;br /&gt;
== General Activity ==&lt;br /&gt;
* An annual conference, usually in September or October. &lt;br /&gt;
* Periodic meetings. If you would like to host a meeting or speak at one, contact [mailto:avi.douglen@owasp.org Avi Douglen] or [mailto:or.katz@owasp.org Or Katz].&lt;br /&gt;
* Translation of OWASP resources to Hebrew&lt;br /&gt;
* Spreading the Word - Reaching out to more people, especially outside of the AppSec community.&lt;br /&gt;
&amp;lt;!-- 2nd Tab end --&amp;gt;&lt;br /&gt;
&lt;br /&gt;
&amp;lt;!-- 3rd Tab start --&amp;gt;&lt;br /&gt;
= Current Activity =&lt;br /&gt;
&lt;br /&gt;
== Meetings ==&lt;br /&gt;
&lt;br /&gt;
&amp;lt;span style=&amp;quot;font-size:115%;font-weight:bold;&amp;quot;&amp;gt; Get ready for OWASP [https://2018.appsecil.org/ AppSec Israel 2018], to be held on 5-6 September, 2018! &amp;lt;/span&amp;gt;&amp;lt;br&amp;gt;&lt;br /&gt;
&lt;br /&gt;
* &amp;lt;meetup group=&amp;quot;OWASP-Israel&amp;quot; /&amp;gt;&lt;br /&gt;
&lt;br /&gt;
== Hebrew Translations ==  &lt;br /&gt;
&lt;br /&gt;
; '''The OWASP Top 10, 2013 version was translated to Hebrew! &amp;lt;br&amp;gt; '''&lt;br /&gt;
It is now [[OWASP_Top10_Hebrew|available for download]].&lt;br /&gt;
&lt;br /&gt;
The [[OWASP_Risk_Rating_Methodology|OWASP Risk Rating Methodology]], part of the [[OWASP_Testing_Project|OWASP Testing Project]], has been translated to Hebrew, and is available for download in [[Media:OWASP_Risk_Rating_Methodology-Hebrew.pdf|PDF format]]. &lt;br /&gt;
Many thanks to Tal Argoni from TriadSec.&lt;br /&gt;
&lt;br /&gt;
== Additional Resources ==&lt;br /&gt;
* Security discussion forum in Hebrew - on [https://www.facebook.com/groups/owasp.il/ Facebook]. [[file:Facebook_logo_small.jpg|100px|link=https://www.facebook.com/groups/owasp.il/]]&lt;br /&gt;
* [https://www.linkedin.com/groups/39702 LinkedIn Group] for networking and announcements. [[file:Delhi_linkedin.jpg|100px|link=https://www.linkedin.com/groups/39702]]&lt;br /&gt;
* [https://owasp.slack.com/messages/chapter-israel/ Chat room] for security in Hebrew. [[file:Slack.png|90px|link=https://owasp.slack.com/messages/chapter-israel/]]  &lt;br /&gt;
* [https://twitter.com/OWASP_IL Twitter] account. [[file:twitter_wide.jpg|75px|link=https://twitter.com/OWASP_IL]]&lt;br /&gt;
* [[OWASP_IL_Sponsorship|Sponsorship opportunities]], including #AppSecIL conference sponsorship. &lt;br /&gt;
* [http://www.meetup.com/OWASP-Israel/ Ongoing Meetings and socialization on Meetup]. [[file:Meetup-logo-2x.png|75px|link=http://www.meetup.com/OWASP-Israel/]]&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
If you have anything else on your mind, please speak up! Contact [mailto:avi.douglen@owasp.org Avi Douglen] with any ideas you have.&lt;br /&gt;
&amp;lt;!-- 3rd Tab end --&amp;gt;&lt;br /&gt;
&lt;br /&gt;
&amp;lt;!-- 4th Tab start --&amp;gt;&lt;br /&gt;
= Previous Annual Conferences =&lt;br /&gt;
{| class=&amp;quot;wikitable&amp;quot; border=&amp;quot;1&amp;quot; style=&amp;quot;text-align:center;&amp;quot; |&lt;br /&gt;
! width=&amp;quot;200&amp;quot; | Name&lt;br /&gt;
! width=&amp;quot;200&amp;quot; | Date&lt;br /&gt;
! width=&amp;quot;350&amp;quot; | Location&lt;br /&gt;
! width=&amp;quot;200&amp;quot; | Attendance&lt;br /&gt;
|- align=&amp;quot;center&amp;quot;&lt;br /&gt;
| '''[https://2017.appsecil.org/ AppSec Israel 2017]'''&lt;br /&gt;
| '''October 17-18, 2017'''&lt;br /&gt;
| '''College of Management'''&lt;br /&gt;
| '''more than 800 attendees!'''&lt;br /&gt;
|- align=&amp;quot;left&amp;quot;&lt;br /&gt;
| colspan=&amp;quot;4&amp;quot; |Use the [https://2017.appsecil.org/ AppSec Israel 2017] website to download presentations and videos&lt;br /&gt;
|- align=&amp;quot;center&amp;quot;&lt;br /&gt;
| '''[[AppSec_Israel_2016|AppSec Israel 2016]]'''&lt;br /&gt;
| '''September 19th 2016'''&lt;br /&gt;
| '''College of Management'''&lt;br /&gt;
| '''more than 650 attendees!'''&lt;br /&gt;
|- align=&amp;quot;left&amp;quot;&lt;br /&gt;
| colspan=&amp;quot;4&amp;quot; |Use the [[AppSec_Israel_2016_Presentations|presentations info page]] to download presentations and videos&lt;br /&gt;
|- align=&amp;quot;center&amp;quot;&lt;br /&gt;
| '''[[AppSec_Israel_2015|AppSec Israel 2015]]'''&lt;br /&gt;
| '''October 13th, 2015'''&lt;br /&gt;
| '''College of Management'''&lt;br /&gt;
| '''over 550 participants!'''&lt;br /&gt;
|- align=&amp;quot;left&amp;quot;&lt;br /&gt;
| colspan=&amp;quot;4&amp;quot; |Use the [[AppSec_Israel_2015_Presentations|presentations info page]] to download presentations&lt;br /&gt;
|- align=&amp;quot;center&amp;quot;&lt;br /&gt;
| '''[[AppSec_Israel_2014|AppSec Israel 2014]]'''&lt;br /&gt;
| '''September 2nd, 2014'''&lt;br /&gt;
| '''IDC'''&lt;br /&gt;
| '''over 450 participants!'''&lt;br /&gt;
|- align=&amp;quot;left&amp;quot;&lt;br /&gt;
| colspan=&amp;quot;4&amp;quot; |Use the [[AppSec_Israel_2014_Presentations|presentations info page]] to download presentations&lt;br /&gt;
|- align=&amp;quot;center&amp;quot;&lt;br /&gt;
| '''[[OWASP_Israel_2013|OWASP Israel 2013]]'''&lt;br /&gt;
| '''October 1st, 2013'''&lt;br /&gt;
|&lt;br /&gt;
| '''480 participants!'''&lt;br /&gt;
|- align=&amp;quot;left&amp;quot;&lt;br /&gt;
| colspan=&amp;quot;4&amp;quot; |Use the [[OWASP_Israel_2013_Presentations|presentations info page]] to download presentations&lt;br /&gt;
|- align=&amp;quot;center&amp;quot;&lt;br /&gt;
| '''[[OWASP_Israel_2012|OWASP Israel 2012 conference]]'''&lt;br /&gt;
| '''Sep 5th, 2012'''&lt;br /&gt;
| '''IDC'''&lt;br /&gt;
|&lt;br /&gt;
|- align=&amp;quot;center&amp;quot;&lt;br /&gt;
| '''[[OWASP_Israel_2011|OWASP Israel 2011 Conference]]'''&lt;br /&gt;
| '''Sep 15th, 2011'''&lt;br /&gt;
| '''IDC in Herzeliya'''&lt;br /&gt;
| '''350 attendees'''&lt;br /&gt;
|- align=&amp;quot;center&amp;quot;&lt;br /&gt;
| '''[[OWASP_Israel_2010|OWASP Israel 2010 Conference]]'''&lt;br /&gt;
| '''Sep 6th, 2010'''&lt;br /&gt;
| '''IDC in Herzliya'''&lt;br /&gt;
| '''150 attendees'''&lt;br /&gt;
|- align=&amp;quot;center&amp;quot;&lt;br /&gt;
| '''[[OWASP_Israel_2009|OWASP Israel 2009]]'''&lt;br /&gt;
| '''Sunday, September 6th 2009'''&lt;br /&gt;
| '''Interdisciplinary Center Herzliya'''&lt;br /&gt;
| &lt;br /&gt;
|- align=&amp;quot;left&amp;quot;&lt;br /&gt;
| colspan=&amp;quot;4&amp;quot; |You can find the agenda and uploaded presentations [[OWASP_Israel_2009|here]]&lt;br /&gt;
|- align=&amp;quot;center&amp;quot;&lt;br /&gt;
| '''[[OWASP_Israel_2008_Conference_at_the_Interdisciplinary_Center_Herzliya|The OWASP Israel 2008 conference&lt;br /&gt;
at the Interdisciplinary Center Herzliya (IDC)]]'''&lt;br /&gt;
| '''September 14th, 2008'''&lt;br /&gt;
| '''Interdisciplinary Center Herzliya'''&lt;br /&gt;
| '''250 attendees'''&lt;br /&gt;
|- align=&amp;quot;center&amp;quot;&lt;br /&gt;
| '''OWASP Israel at the [http://www.idc.co.il/?showproduct=31108&amp;amp;content_lang=ENG IDC Security Road Show]'''&lt;br /&gt;
| '''June 3rd, 2008'''&lt;br /&gt;
|&lt;br /&gt;
|&lt;br /&gt;
|- align=&amp;quot;left&amp;quot;&lt;br /&gt;
| colspan=&amp;quot;4&amp;quot; |OWASP sponsored the IDC Security Road Show event in Israel. Thanks to Iris Lev-Ari and Tomer Teller for their help at the OWASP booth.&lt;br /&gt;
|- align=&amp;quot;center&amp;quot;&lt;br /&gt;
| '''[[OWASP_Israel_2007_Conference|OWASP Israel 2007 conference at the Interdisciplinary Center Herzliya (IDC)]]'''&lt;br /&gt;
| '''Dec 3rd 2007'''&lt;br /&gt;
| '''Interdisciplinary Center (IDC) Herzliya'''&lt;br /&gt;
|&lt;br /&gt;
|- align=&amp;quot;left&amp;quot;&lt;br /&gt;
| colspan=&amp;quot;4&amp;quot; |The 1st official OWASP conference in Israel was held on Dec 3rd 2007 at the Interdisciplinary Center (IDC) Herzliya.&lt;br /&gt;
The conference established itself as an event you must come to if you have anything to do with application security. [http://picasaweb.google.com/oshezaf/OWASPIsrael2007 pictures from the conference]&lt;br /&gt;
|}&lt;br /&gt;
&amp;lt;!-- 4th Tab end --&amp;gt;&lt;br /&gt;
&amp;lt;!-- 5th Tab start --&amp;gt;&lt;br /&gt;
= Previous Meetings =&lt;br /&gt;
{| class=&amp;quot;wikitable&amp;quot; border=&amp;quot;1&amp;quot; style=&amp;quot;text-align:center;&amp;quot; |&lt;br /&gt;
! width=&amp;quot;250&amp;quot; | Name&lt;br /&gt;
! width=&amp;quot;200&amp;quot; | Date&lt;br /&gt;
! width=&amp;quot;350&amp;quot; | Location&lt;br /&gt;
! width=&amp;quot;200&amp;quot; | Attendance&lt;br /&gt;
|- align=&amp;quot;center&amp;quot;&lt;br /&gt;
| [[OWASP_Israel_June_2017|OWASP Israel June 2017]]&lt;br /&gt;
| June 20th, 2017&lt;br /&gt;
| Intuit Israel, HaHarash St. 4, Hod Hasharon&lt;br /&gt;
| &lt;br /&gt;
|- align=&amp;quot;center&amp;quot;&lt;br /&gt;
| [[OWASP_Israel_April_2017|OWASP Israel April 2017]]&lt;br /&gt;
| April 3rd, 2017&lt;br /&gt;
| Checkmarx's offices, in the Amot Atrium Tower, 2 Jabotinsky St., Ramat Gan&lt;br /&gt;
| 75 people&lt;br /&gt;
|- align=&amp;quot;center&amp;quot;&lt;br /&gt;
| [[OWASP_Israel_January_2017|OWASP Israel January 2017]]&lt;br /&gt;
| January 18th, 2017&lt;br /&gt;
| Radware’s Tel Aviv offices, at Raul Wallenberg 22, Ramat HaChayal&lt;br /&gt;
| 120 people&lt;br /&gt;
|- align=&amp;quot;center&amp;quot;&lt;br /&gt;
| [[OWASP_Israel_June_2016|OWASP Israel June 2016]]&lt;br /&gt;
| June 14, 2016&lt;br /&gt;
| Amdocs Auditorium in Raanana&lt;br /&gt;
|&lt;br /&gt;
|- align=&amp;quot;center&amp;quot;&lt;br /&gt;
| [[OWASP_Israel_April_2016|OWASP Israel April 2016]]&lt;br /&gt;
| April 12, 2016&lt;br /&gt;
| HP Enterprise in Yehud&lt;br /&gt;
| 150 participants&lt;br /&gt;
|- align=&amp;quot;center&amp;quot;&lt;br /&gt;
| [[OWASP_Israel_February_2016|OWASP Israel February 2016]]&lt;br /&gt;
| February 2, 2016&lt;br /&gt;
| F5 Networks in Tel Aviv&lt;br /&gt;
|&lt;br /&gt;
|- align=&amp;quot;center&amp;quot;&lt;br /&gt;
| [[OWASP_Israel_June_2015|OWASP Israel June 2015]]&lt;br /&gt;
| June 16, 2015&lt;br /&gt;
| Microsoft in Herzeliya&lt;br /&gt;
| 120 participants&lt;br /&gt;
|- align=&amp;quot;center&amp;quot;&lt;br /&gt;
| [[OWASP_Israel_March_2015|OWASP Israel March 2015]]&lt;br /&gt;
| March 30, 2015&lt;br /&gt;
| NCR in Raanana&lt;br /&gt;
| 120 participants&lt;br /&gt;
|- align=&amp;quot;center&amp;quot;&lt;br /&gt;
| [[OWASP_Israel_June_2014|OWASP Israel June 2014]]&lt;br /&gt;
| June 16, 2014&lt;br /&gt;
| F5 Networks in Tel Aviv&lt;br /&gt;
| 110 participants&lt;br /&gt;
|- align=&amp;quot;center&amp;quot;&lt;br /&gt;
| [[OWASP_Israel_April_2014|OWASP Israel April 2014]]&lt;br /&gt;
| April 23, 2014&lt;br /&gt;
| Akamai in Herzliya Pituach&lt;br /&gt;
| 100 participants&lt;br /&gt;
|- align=&amp;quot;center&amp;quot;&lt;br /&gt;
| [[OWASP_Israel_January_2014|OWASP Israel January 2014]]&lt;br /&gt;
| January 14th, 2014&lt;br /&gt;
| Amdocs in Ra'anana &lt;br /&gt;
| 120 participants&lt;br /&gt;
|- align=&amp;quot;center&amp;quot;&lt;br /&gt;
| [[OWASP_Israel_2013_05|OWASP Israel May 2013]]&lt;br /&gt;
| May 28th, 2013&lt;br /&gt;
| RSA&lt;br /&gt;
| 80 participants&lt;br /&gt;
|- align=&amp;quot;center&amp;quot;&lt;br /&gt;
| [[OWASP_Israel_2013_02|OWASP Israel February 2013]]&lt;br /&gt;
| February 12th, 2013&lt;br /&gt;
| E&amp;amp;Y&lt;br /&gt;
|&lt;br /&gt;
|- align=&amp;quot;left&amp;quot;&lt;br /&gt;
| colspan=&amp;quot;4&amp;quot; |[[OWASP_ISRAEL_2013_02_Hebrew|Hebrew version]]&lt;br /&gt;
|- align=&amp;quot;center&amp;quot;&lt;br /&gt;
| [[OWASP_Israel_2010_06|OWASP Israel Jun-2010]]&lt;br /&gt;
| Jun 22nd, 2010&lt;br /&gt;
| IBM/Watchfire in Herzliya&lt;br /&gt;
|&lt;br /&gt;
|- align=&amp;quot;center&amp;quot;&lt;br /&gt;
| [[OWASP_Israel_2010_02|OWASP Israel Feb-2010]]&lt;br /&gt;
| Feb 9th, 2010&lt;br /&gt;
| Amdocs in Ra'anana&lt;br /&gt;
| 70 attendees&lt;br /&gt;
|- align=&amp;quot;center&amp;quot;&lt;br /&gt;
| [[OWASP_Israel_2010_01|OWASP Israel Jan-2010]]&lt;br /&gt;
| Jan 12th, 2010 &lt;br /&gt;
| Breach Security in Herzliya&lt;br /&gt;
| 60 attendees&lt;br /&gt;
|- align=&amp;quot;center&amp;quot;&lt;br /&gt;
| [[OWASP_Israel_2009_12|OWASP Israel Dec-2009]]&lt;br /&gt;
| Dec 2009&lt;br /&gt;
| IBM/Watchfire in Herzliya&lt;br /&gt;
|&lt;br /&gt;
|- align=&amp;quot;center&amp;quot;&lt;br /&gt;
| [[OWASP_Israel_2009_05|OWASP Israel May 2009 meeting]]&lt;br /&gt;
| May 7th, 2009&lt;br /&gt;
| IBM in Park Azorim in Petach-Tikva&lt;br /&gt;
|&lt;br /&gt;
|- align=&amp;quot;left&amp;quot;&lt;br /&gt;
| colspan=&amp;quot;4&amp;quot; |The presentations were:&lt;br /&gt;
* Web-Based Man-in-the-Middle Attack, Adi Sharabani, IBM ([http://blog.watchfire.com/wfblog/2009/02/active-man-in-the-middle-attacks.html more info])&lt;br /&gt;
* Automation Attacks and Counter Measures, Ofer Shezaf, Xiom ([http://www.owasp.org/images/5/58/OWASP_Israel_-_May_2009_-_Ofer_Shezaf_-_Automation_Attacks.pdf presentation])&lt;br /&gt;
: [[OWASP_ISRAEL_2009_05_Hebrew|Full details in Hebrew]]&lt;br /&gt;
|- align=&amp;quot;center&amp;quot;&lt;br /&gt;
| [[OWASP_Israel_2009_03|OWASP Israel March 2009 meeting]]&lt;br /&gt;
| March 26th, 2009&lt;br /&gt;
| Tel-Aviv University&lt;br /&gt;
| 60 attendees&lt;br /&gt;
|- align=&amp;quot;left&amp;quot;&lt;br /&gt;
| colspan=&amp;quot;4&amp;quot; |The presentations were:&lt;br /&gt;
* Securing cellular web applications, Mikko Saario, Founder, OWASP Finland, Security Architect, Large Telecom Solution Provider ([[Media:OWASP_Israel_-_March_2009_-_Mikko_Saario_-_Web_Application_Security_in_the_Mobile_World.pdf‎|download]])&lt;br /&gt;
* Real world implementation of a PCI DSS compliance key management, Yaron Hakon, 2bsecure ([[Media:OWASP_Israel_-_March_2009_-_Yaron_Hakon_-_PCI_key_managment.pdf‎|download]])&lt;br /&gt;
* Detecting RFI attacks, Or Katz, Breach Security ([[Media:OWASP_Israel_-_March_2009_-_Or_Katz_-_RFI_detection.pdf‎|download]])&lt;br /&gt;
* WAFEC 2.0 - Do WAFs deliver?, Ofer Shezaf, Xiom ([[Media:OWASP_Israel_-_March_2009_-_Ofer_Shezaf_-_Why_WAFs_fail.pdf‎|download]])&lt;br /&gt;
: [[OWASP_ISRAEL_2009_03_Hebrew|Full details in Hebrew]]&lt;br /&gt;
|- align=&amp;quot;center&amp;quot;&lt;br /&gt;
| [[OWASP_Israel_2009_01|OWASP Israel January 2009 meeting]]&lt;br /&gt;
| January 28th, 2009&lt;br /&gt;
| Checkpoint&lt;br /&gt;
| 100 people&lt;br /&gt;
|- align=&amp;quot;left&amp;quot;&lt;br /&gt;
| colspan=&amp;quot;4&amp;quot; |The presentations were:&lt;br /&gt;
* Improving Web Application Firewall testing for better deployment in production network, Gregory Fresnais from BreakingPoint, visiting us from France ([[Media:OWASP_Israel_2009_01_Gregory_Fresnais_Measuring_WAF_Performance.pdf‎|download]]) &lt;br /&gt;
* Web 2.0 Hacking, Nimrod Luria, Qrity ([[Media:OWASP_Israel_2009_01_Nimrod_Luria_Web_2.0_Security.pdf‎|download]])&lt;br /&gt;
* Wiki Security, Ofer Shezaf, Xiom ([http://www.xiom.com/research/wiki_security download])&lt;br /&gt;
|}&lt;br /&gt;
&amp;lt;!-- 5th Tab end --&amp;gt;&lt;br /&gt;
&lt;br /&gt;
&amp;lt;!-- Above the following line = Heading 1 = will create a new tab --&amp;gt;&lt;br /&gt;
&amp;lt;headertabs&amp;gt;&amp;lt;/headertabs&amp;gt;&lt;br /&gt;
&amp;lt;!-- Below this line = Heading 1 = will not create tabs anymore --&amp;gt;&lt;br /&gt;
&lt;br /&gt;
= Chapter Sponsors = &lt;br /&gt;
&lt;br /&gt;
The OWASP Israel chapter's yearly activity is being supported by the generous sponsorship of the following companies: &lt;br /&gt;
&lt;br /&gt;
[[image:OWASPIL_Sponsors.png|center]]&lt;br /&gt;
&lt;br /&gt;
[[Category:Middle East]] &lt;br /&gt;
[[Category:Europe]]&lt;/div&gt;</summary>
		<author><name>Avi Douglen</name></author>	</entry>

	<entry>
		<id>https://wiki.owasp.org/index.php?title=Israel&amp;diff=240781</id>
		<title>Israel</title>
		<link rel="alternate" type="text/html" href="https://wiki.owasp.org/index.php?title=Israel&amp;diff=240781"/>
				<updated>2018-05-18T15:01:32Z</updated>
		
		<summary type="html">&lt;p&gt;Avi Douglen: &lt;/p&gt;
&lt;hr /&gt;
&lt;div&gt;[[Category:OWASP_Chapter]]&lt;br /&gt;
[[image:Owasp_Israel_logo.png|center|500px]]&lt;br /&gt;
__NOTOC__ &amp;lt;!-- This removes the Table Of Contents on this page --&amp;gt;&lt;br /&gt;
&amp;lt;!-- Any = Heading 1 = markup will create a new tab until after the &amp;lt;/headertabs&amp;gt; --&amp;gt;&lt;br /&gt;
&amp;lt;!-- 1st Tab start --&amp;gt;&lt;br /&gt;
= Welcome =&lt;br /&gt;
&lt;br /&gt;
{{Chapter Template|chaptername=Israel|extra=&amp;lt;br&amp;gt;|mailinglistsite=http://lists.owasp.org/mailman/listinfo/owasp-israel|emailarchives=http://lists.owasp.org/pipermail/owasp-israel}}&lt;br /&gt;
&amp;lt;!-- 1st Tab end --&amp;gt;&lt;br /&gt;
&amp;lt;!-- 2nd Tab start --&amp;gt;&lt;br /&gt;
= Current Activity =&lt;br /&gt;
&lt;br /&gt;
== Meetings ==&lt;br /&gt;
&lt;br /&gt;
* Get ready for OWASP [[AppSec Israel 2017]], to be held on October 17-18, 2017!&lt;br /&gt;
* OWASP Europe 2018 is planned to be in Israel. For sponsorship, questions, suggestions and more, contact '''[mailto:avi.douglen@owasp.org Avi Douglen]'''&lt;br /&gt;
* [http://www.meetup.com/OWASP-Israel/ Ongoing Meetings and socialization on Meetup]. [[file:Meetup-logo-2x.png|75px|link=http://www.meetup.com/OWASP-Israel/]]&lt;br /&gt;
&lt;br /&gt;
== Hebrew Translations ==  &lt;br /&gt;
&lt;br /&gt;
; '''The OWASP Top 10, 2013 version was translated to Hebrew! &amp;lt;br&amp;gt; '''&lt;br /&gt;
It is now [[OWASP_Top10_Hebrew|available for download]].&lt;br /&gt;
&lt;br /&gt;
The [[OWASP_Risk_Rating_Methodology|OWASP Risk Rating Methodology]], part of the [[OWASP_Testing_Project|OWASP Testing Project]], has been translated to Hebrew, and is available for download in [[Media:OWASP_Risk_Rating_Methodology-Hebrew.pdf|PDF format]]. &lt;br /&gt;
Many thanks to Tal Argoni from TriadSec.&lt;br /&gt;
&lt;br /&gt;
== Additional Resources ==&lt;br /&gt;
* Security discussion forum in Hebrew - on [https://www.facebook.com/groups/owasp.il/ Facebook]. [[file:Facebook_logo_small.jpg|100px|link=https://www.facebook.com/groups/owasp.il/]]&lt;br /&gt;
* [https://www.linkedin.com/groups/39702 LinkedIn Group] for networking and announcements. [[file:Delhi_linkedin.jpg|100px|link=https://www.linkedin.com/groups/39702]]&lt;br /&gt;
* [https://owasp.slack.com/messages/chapter-israel/ Chat room] for security in Hebrew. [[file:Slack.png|90px|link=https://owasp.slack.com/messages/chapter-israel/]]  &lt;br /&gt;
* [https://twitter.com/OWASP_IL Twitter] account. [[file:twitter_wide.jpg|75px|link=https://twitter.com/OWASP_IL]]&lt;br /&gt;
* [[OWASP_IL_Sponsorship|Sponsorship opportunities]], including #AppSecIL conference sponsorship. &lt;br /&gt;
&lt;br /&gt;
If you have anything else on your mind, please speak up! Contact [mailto:avi.douglen@owasp.org Avi Douglen] with any ideas you have.&lt;br /&gt;
&amp;lt;!-- 2nd Tab end --&amp;gt;&lt;br /&gt;
&amp;lt;!-- 3rd Tab start --&amp;gt;&lt;br /&gt;
= Chapter Details =&lt;br /&gt;
== The Team ==&lt;br /&gt;
&lt;br /&gt;
Chairman: '''[mailto:or.katz@owasp.org Or Katz]'''.&lt;br /&gt;
&lt;br /&gt;
* OWASP Israel Board: '''[mailto:or.katz@owasp.org Or Katz]''', '''[mailto:avi.douglen@owasp.org Avi Douglen]''', ''' Ofer Maor''', '''Erez Metula''', '''Hemed Gur Ary''', '''[[User:YossiOren|Dr. Yossi Oren]]'''&lt;br /&gt;
* Chapter Founder: '''[mailto:ofer@shezaf.com Ofer Shezaf]'''&lt;br /&gt;
* [[OWASP_Top10_Hebrew|OWASP Top 10 Hebrew]]: Or Katz&lt;br /&gt;
* Homepage Maintenance: Avi Douglen, Ofer Maor, Yossi Oren, [[User:Eyigal|Yigal Elefant]]&lt;br /&gt;
* Mailing List Management: Avi Douglen, Ofer Maor, Or Katz&lt;br /&gt;
&lt;br /&gt;
== General Activity ==&lt;br /&gt;
* An annual conference, usually in September or October. &lt;br /&gt;
* Periodic meetings. If you would like to host a meeting or speak at one, contact [mailto:avi.douglen@owasp.org Avi Douglen] or [mailto:katz3112@gmail.com Or Katz].&lt;br /&gt;
* Translation of OWASP resources to Hebrew&lt;br /&gt;
* Spreading the Word - Reaching out to more people, especially outside of the AppSec community.&lt;br /&gt;
&amp;lt;!-- 3rd Tab end --&amp;gt;&lt;br /&gt;
&lt;br /&gt;
&amp;lt;!-- 4th Tab start --&amp;gt;&lt;br /&gt;
= Previous Annual Conferences =&lt;br /&gt;
{| class=&amp;quot;wikitable&amp;quot; border=&amp;quot;1&amp;quot; style=&amp;quot;text-align:center;&amp;quot; |&lt;br /&gt;
! width=&amp;quot;200&amp;quot; | Name&lt;br /&gt;
! width=&amp;quot;200&amp;quot; | Date&lt;br /&gt;
! width=&amp;quot;350&amp;quot; | Location&lt;br /&gt;
! width=&amp;quot;200&amp;quot; | Attendance&lt;br /&gt;
|- align=&amp;quot;center&amp;quot;&lt;br /&gt;
| '''[[AppSec_Israel_2016|AppSec Israel 2016]]'''&lt;br /&gt;
| '''September 19th 2016'''&lt;br /&gt;
| '''College of Management'''&lt;br /&gt;
| '''more than 650 attendees!'''&lt;br /&gt;
|- align=&amp;quot;left&amp;quot;&lt;br /&gt;
| colspan=&amp;quot;4&amp;quot; |Use the [[AppSec_Israel_2016_Presentations|presentations info page]] to download presentations and videos&lt;br /&gt;
|- align=&amp;quot;center&amp;quot;&lt;br /&gt;
| '''[[AppSec_Israel_2015|AppSec Israel 2015]]'''&lt;br /&gt;
| '''October 13th, 2015'''&lt;br /&gt;
| '''College of Management'''&lt;br /&gt;
| '''over 550 participants!'''&lt;br /&gt;
|- align=&amp;quot;left&amp;quot;&lt;br /&gt;
| colspan=&amp;quot;4&amp;quot; |Use the [[AppSec_Israel_2015_Presentations|presentations info page]] to download presentations&lt;br /&gt;
|- align=&amp;quot;center&amp;quot;&lt;br /&gt;
| '''[[AppSec_Israel_2014|AppSec Israel 2014]]'''&lt;br /&gt;
| '''September 2nd, 2014'''&lt;br /&gt;
| '''IDC'''&lt;br /&gt;
| '''over 450 participants!'''&lt;br /&gt;
|- align=&amp;quot;left&amp;quot;&lt;br /&gt;
| colspan=&amp;quot;4&amp;quot; |Use the [[AppSec_Israel_2014_Presentations|presentations info page]] to download presentations&lt;br /&gt;
|- align=&amp;quot;center&amp;quot;&lt;br /&gt;
| '''[[OWASP_Israel_2013|OWASP Israel 2013]]'''&lt;br /&gt;
| '''October 1st, 2013'''&lt;br /&gt;
|&lt;br /&gt;
| '''480 participants!'''&lt;br /&gt;
|- align=&amp;quot;left&amp;quot;&lt;br /&gt;
| colspan=&amp;quot;4&amp;quot; |Use the [[OWASP_Israel_2013_Presentations|presentations info page]] to download presentations&lt;br /&gt;
|- align=&amp;quot;center&amp;quot;&lt;br /&gt;
| '''[[OWASP_Israel_2012|OWASP Israel 2012 conference]]'''&lt;br /&gt;
| '''Sep 5th, 2012'''&lt;br /&gt;
| '''IDC'''&lt;br /&gt;
|&lt;br /&gt;
|- align=&amp;quot;center&amp;quot;&lt;br /&gt;
| '''[[OWASP_Israel_2011|OWASP Israel 2011 Conference]]'''&lt;br /&gt;
| '''Sep 15th, 2011'''&lt;br /&gt;
| '''IDC in Herzeliya'''&lt;br /&gt;
| '''350 attendees'''&lt;br /&gt;
|- align=&amp;quot;center&amp;quot;&lt;br /&gt;
| '''[[OWASP_Israel_2010|OWASP Israel 2010 Conference]]'''&lt;br /&gt;
| '''Sep 6th, 2010'''&lt;br /&gt;
| '''IDC in Herzliya'''&lt;br /&gt;
| '''150 attendees'''&lt;br /&gt;
|- align=&amp;quot;center&amp;quot;&lt;br /&gt;
| '''[[OWASP_Israel_2009|OWASP Israel 2009]]'''&lt;br /&gt;
| '''Sunday, September 6th 2009'''&lt;br /&gt;
| '''Interdisciplinary Center Herzliya'''&lt;br /&gt;
| &lt;br /&gt;
|- align=&amp;quot;left&amp;quot;&lt;br /&gt;
| colspan=&amp;quot;4&amp;quot; |You can find the agenda and uploaded presentations [[OWASP_Israel_2009|here]]&lt;br /&gt;
|- align=&amp;quot;center&amp;quot;&lt;br /&gt;
| '''[[OWASP_Israel_2008_Conference_at_the_Interdisciplinary_Center_Herzliya|The OWASP Israel 2008 conference&lt;br /&gt;
at the Interdisciplinary Center Herzliya (IDC)]]'''&lt;br /&gt;
| '''September 14th, 2008'''&lt;br /&gt;
| '''Interdisciplinary Center Herzliya'''&lt;br /&gt;
| '''250 attendees'''&lt;br /&gt;
|- align=&amp;quot;center&amp;quot;&lt;br /&gt;
| '''OWASP Israel at the [http://www.idc.co.il/?showproduct=31108&amp;amp;content_lang=ENG IDC Security Road Show]'''&lt;br /&gt;
| '''June 3rd, 2008'''&lt;br /&gt;
|&lt;br /&gt;
|&lt;br /&gt;
|- align=&amp;quot;left&amp;quot;&lt;br /&gt;
| colspan=&amp;quot;4&amp;quot; |OWASP sponsored the IDC Security Road Show event in Israel. Thanks to Iris Lev-Ari and Tomer Teller for their help at the OWASP booth.&lt;br /&gt;
|- align=&amp;quot;center&amp;quot;&lt;br /&gt;
| '''[[OWASP_Israel_2007_Conference|OWASP Israel 2007 conference at the Interdisciplinary Center Herzliya (IDC)]]'''&lt;br /&gt;
| '''Dec 3rd 2007'''&lt;br /&gt;
| '''Interdisciplinary Center (IDC) Herzliya'''&lt;br /&gt;
|&lt;br /&gt;
|- align=&amp;quot;left&amp;quot;&lt;br /&gt;
| colspan=&amp;quot;4&amp;quot; |The 1st official OWASP conference in Israel was held on Dec 3rd 2007 at the Interdisciplinary Center (IDC) Herzliya.&lt;br /&gt;
The conference established itself as an event you must come to if you have anything to do with application security. [http://picasaweb.google.com/oshezaf/OWASPIsrael2007 pictures from the conference]&lt;br /&gt;
|}&lt;br /&gt;
&amp;lt;!-- 4th Tab end --&amp;gt;&lt;br /&gt;
&amp;lt;!-- 5th Tab start --&amp;gt;&lt;br /&gt;
= Previous Meetings =&lt;br /&gt;
{| class=&amp;quot;wikitable&amp;quot; border=&amp;quot;1&amp;quot; style=&amp;quot;text-align:center;&amp;quot; |&lt;br /&gt;
! width=&amp;quot;250&amp;quot; | Name&lt;br /&gt;
! width=&amp;quot;200&amp;quot; | Date&lt;br /&gt;
! width=&amp;quot;350&amp;quot; | Location&lt;br /&gt;
! width=&amp;quot;200&amp;quot; | Attendance&lt;br /&gt;
|- align=&amp;quot;center&amp;quot;&lt;br /&gt;
| [[OWASP_Israel_June_2017|OWASP Israel June 2017]]&lt;br /&gt;
| June 20th, 2017&lt;br /&gt;
| Intuit Israel, HaHarash St. 4, Hod Hasharon&lt;br /&gt;
| &lt;br /&gt;
|- align=&amp;quot;center&amp;quot;&lt;br /&gt;
| [[OWASP_Israel_April_2017|OWASP Israel April 2017]]&lt;br /&gt;
| April 3rd, 2017&lt;br /&gt;
| Checkmarx's offices, in the Amot Atrium Tower, 2 Jabotinsky St., Ramat Gan&lt;br /&gt;
| 75 people&lt;br /&gt;
|- align=&amp;quot;center&amp;quot;&lt;br /&gt;
| [[OWASP_Israel_January_2017|OWASP Israel January 2017]]&lt;br /&gt;
| January 18th, 2017&lt;br /&gt;
| Radware’s Tel Aviv offices, at Raul Wallenberg 22, Ramat HaChayal&lt;br /&gt;
| 120 people&lt;br /&gt;
|- align=&amp;quot;center&amp;quot;&lt;br /&gt;
| [[OWASP_Israel_June_2016|OWASP Israel June 2016]]&lt;br /&gt;
| June 14, 2016&lt;br /&gt;
| Amdocs Auditorium in Raanana&lt;br /&gt;
|&lt;br /&gt;
|- align=&amp;quot;center&amp;quot;&lt;br /&gt;
| [[OWASP_Israel_April_2016|OWASP Israel April 2016]]&lt;br /&gt;
| April 12, 2016&lt;br /&gt;
| HP Enterprise in Yehud&lt;br /&gt;
| 150 participants&lt;br /&gt;
|- align=&amp;quot;center&amp;quot;&lt;br /&gt;
| [[OWASP_Israel_February_2016|OWASP Israel February 2016]]&lt;br /&gt;
| February 2, 2016&lt;br /&gt;
| F5 Networks in Tel Aviv&lt;br /&gt;
|&lt;br /&gt;
|- align=&amp;quot;center&amp;quot;&lt;br /&gt;
| [[OWASP_Israel_June_2015|OWASP Israel June 2015]]&lt;br /&gt;
| June 16, 2015&lt;br /&gt;
| Microsoft in Herzeliya&lt;br /&gt;
| 120 participants&lt;br /&gt;
|- align=&amp;quot;center&amp;quot;&lt;br /&gt;
| [[OWASP_Israel_March_2015|OWASP Israel March 2015]]&lt;br /&gt;
| March 30, 2015&lt;br /&gt;
| NCR in Raanana&lt;br /&gt;
| 120 participants&lt;br /&gt;
|- align=&amp;quot;center&amp;quot;&lt;br /&gt;
| [[OWASP_Israel_June_2014|OWASP Israel June 2014]]&lt;br /&gt;
| June 16, 2014&lt;br /&gt;
| F5 Networks in Tel Aviv&lt;br /&gt;
| 110 participants&lt;br /&gt;
|- align=&amp;quot;center&amp;quot;&lt;br /&gt;
| [[OWASP_Israel_April_2014|OWASP Israel April 2014]]&lt;br /&gt;
| April 23, 2014&lt;br /&gt;
| Akamai in Herzliya Pituach&lt;br /&gt;
| 100 participants&lt;br /&gt;
|- align=&amp;quot;center&amp;quot;&lt;br /&gt;
| [[OWASP_Israel_January_2014|OWASP Israel January 2014]]&lt;br /&gt;
| January 14th, 2014&lt;br /&gt;
| Amdocs in Ra'anana &lt;br /&gt;
| 120 participants&lt;br /&gt;
|- align=&amp;quot;center&amp;quot;&lt;br /&gt;
| [[OWASP_Israel_2013_05|OWASP Israel May 2013]]&lt;br /&gt;
| May 28th, 2013&lt;br /&gt;
| RSA&lt;br /&gt;
| 80 participants&lt;br /&gt;
|- align=&amp;quot;center&amp;quot;&lt;br /&gt;
| [[OWASP_Israel_2013_02|OWASP Israel February 2013]]&lt;br /&gt;
| February 12th, 2013&lt;br /&gt;
| E&amp;amp;Y&lt;br /&gt;
|&lt;br /&gt;
|- align=&amp;quot;left&amp;quot;&lt;br /&gt;
| colspan=&amp;quot;4&amp;quot; |[[OWASP_ISRAEL_2013_02_Hebrew|Hebrew version]]&lt;br /&gt;
|- align=&amp;quot;center&amp;quot;&lt;br /&gt;
| [[OWASP_Israel_2010_06|OWASP Israel Jun-2010]]&lt;br /&gt;
| Jun 22nd, 2010&lt;br /&gt;
| IBM/Watchfire in Herzliya&lt;br /&gt;
|&lt;br /&gt;
|- align=&amp;quot;center&amp;quot;&lt;br /&gt;
| [[OWASP_Israel_2010_02|OWASP Israel Feb-2010]]&lt;br /&gt;
| Feb 9th, 2010&lt;br /&gt;
| Amdocs in Ra'anana&lt;br /&gt;
| 70 attendees&lt;br /&gt;
|- align=&amp;quot;center&amp;quot;&lt;br /&gt;
| [[OWASP_Israel_2010_01|OWASP Israel Jan-2010]]&lt;br /&gt;
| Jan 12th, 2010 &lt;br /&gt;
| Breach Security in Herzliya&lt;br /&gt;
| 60 attendees&lt;br /&gt;
|- align=&amp;quot;center&amp;quot;&lt;br /&gt;
| [[OWASP_Israel_2009_12|OWASP Israel Dec-2009]]&lt;br /&gt;
| Dec 2009&lt;br /&gt;
| IBM/Watchfire in Herzliya&lt;br /&gt;
|&lt;br /&gt;
|- align=&amp;quot;center&amp;quot;&lt;br /&gt;
| [[OWASP_Israel_2009_05|OWASP Israel May 2009 meeting]]&lt;br /&gt;
| May 7th, 2009&lt;br /&gt;
| IBM in Park Azorim in Petach-Tikva&lt;br /&gt;
|&lt;br /&gt;
|- align=&amp;quot;left&amp;quot;&lt;br /&gt;
| colspan=&amp;quot;4&amp;quot; |The presentations were:&lt;br /&gt;
* Web-Based Man-in-the-Middle Attack, Adi Sharabani, IBM ([http://blog.watchfire.com/wfblog/2009/02/active-man-in-the-middle-attacks.html more info])&lt;br /&gt;
* Automation Attacks and Counter Measures, Ofer Shezaf, Xiom ([http://www.owasp.org/images/5/58/OWASP_Israel_-_May_2009_-_Ofer_Shezaf_-_Automation_Attacks.pdf presentation])&lt;br /&gt;
: [[OWASP_ISRAEL_2009_05_Hebrew|Full details in Hebrew]]&lt;br /&gt;
|- align=&amp;quot;center&amp;quot;&lt;br /&gt;
| [[OWASP_Israel_2009_03|OWASP Israel March 2009 meeting]]&lt;br /&gt;
| March 26th, 2009&lt;br /&gt;
| Tel-Aviv University&lt;br /&gt;
| 60 attendees&lt;br /&gt;
|- align=&amp;quot;left&amp;quot;&lt;br /&gt;
| colspan=&amp;quot;4&amp;quot; |The presentations were:&lt;br /&gt;
* Securing cellular web applications, Mikko Saario, Founder, OWASP Finland, Security Architect, Large Telecom Solution Provider ([[Media:OWASP_Israel_-_March_2009_-_Mikko_Saario_-_Web_Application_Security_in_the_Mobile_World.pdf‎|download]])&lt;br /&gt;
* Real world implementation of a PCI DSS compliance key management, Yaron Hakon, 2bsecure ([[Media:OWASP_Israel_-_March_2009_-_Yaron_Hakon_-_PCI_key_managment.pdf‎|download]])&lt;br /&gt;
* Detecting RFI attacks, Or Katz, Breach Security ([[Media:OWASP_Israel_-_March_2009_-_Or_Katz_-_RFI_detection.pdf‎|download]])&lt;br /&gt;
* WAFEC 2.0 - Do WAFs deliver?, Ofer Shezaf, Xiom ([[Media:OWASP_Israel_-_March_2009_-_Ofer_Shezaf_-_Why_WAFs_fail.pdf‎|download]])&lt;br /&gt;
: [[OWASP_ISRAEL_2009_03_Hebrew|Full details in Hebrew]]&lt;br /&gt;
|- align=&amp;quot;center&amp;quot;&lt;br /&gt;
| [[OWASP_Israel_2009_01|OWASP Israel January 2009 meeting]]&lt;br /&gt;
| January 28th, 2009&lt;br /&gt;
| Checkpoint&lt;br /&gt;
| 100 people&lt;br /&gt;
|- align=&amp;quot;left&amp;quot;&lt;br /&gt;
| colspan=&amp;quot;4&amp;quot; |The presentations were:&lt;br /&gt;
* Improving Web Application Firewall testing for better deployment in production network, Gregory Fresnais from BreakingPoint, visiting us from France ([[Media:OWASP_Israel_2009_01_Gregory_Fresnais_Measuring_WAF_Performance.pdf‎|download]]) &lt;br /&gt;
* Web 2.0 Hacking, Nimrod Luria, Qrity ([[Media:OWASP_Israel_2009_01_Nimrod_Luria_Web_2.0_Security.pdf‎|download]])&lt;br /&gt;
* Wiki Security, Ofer Shezaf, Xiom ([http://www.xiom.com/research/wiki_security download])&lt;br /&gt;
|}&lt;br /&gt;
&amp;lt;!-- 5th Tab end --&amp;gt;&lt;br /&gt;
&lt;br /&gt;
&amp;lt;!-- Above the following line = Heading 1 = will create a new tab --&amp;gt;&lt;br /&gt;
&amp;lt;headertabs&amp;gt;&amp;lt;/headertabs&amp;gt;&lt;br /&gt;
&amp;lt;!-- Below this line = Heading 1 = will not create tabs anymore --&amp;gt;&lt;br /&gt;
&lt;br /&gt;
= Chapter Sponsors = &lt;br /&gt;
&lt;br /&gt;
The OWASP Israel chapter's yearly activity is being supported by the generous sponsorship of the following companies: &lt;br /&gt;
&lt;br /&gt;
[[image:OWASPIL_Sponsors.png|center]]&lt;br /&gt;
&lt;br /&gt;
[[Category:Middle East]] &lt;br /&gt;
[[Category:Europe]]&lt;/div&gt;</summary>
		<author><name>Avi Douglen</name></author>	</entry>

	<entry>
		<id>https://wiki.owasp.org/index.php?title=Israel&amp;diff=240754</id>
		<title>Israel</title>
		<link rel="alternate" type="text/html" href="https://wiki.owasp.org/index.php?title=Israel&amp;diff=240754"/>
				<updated>2018-05-16T21:19:41Z</updated>
		
		<summary type="html">&lt;p&gt;Avi Douglen: /* Chapter Sponsors */&lt;/p&gt;
&lt;hr /&gt;
&lt;div&gt;[[Category:OWASP_Chapter]]&lt;br /&gt;
[[image:Owasp_Israel_logo.png|center|500px]]&lt;br /&gt;
__NOTOC__ &amp;lt;!-- This removes the Table Of Contents on this page --&amp;gt;&lt;br /&gt;
&amp;lt;!-- Any = Heading 1 = markup will create a new tab until after the &amp;lt;/headertabs&amp;gt; --&amp;gt;&lt;br /&gt;
&amp;lt;!-- 1st Tab start --&amp;gt;&lt;br /&gt;
= Welcome =&lt;br /&gt;
&lt;br /&gt;
{{Chapter Template|chaptername=Israel|extra=&amp;lt;br&amp;gt;|mailinglistsite=http://lists.owasp.org/mailman/listinfo/owasp-israel|emailarchives=http://lists.owasp.org/pipermail/owasp-israel}}&lt;br /&gt;
&amp;lt;!-- 1st Tab end --&amp;gt;&lt;br /&gt;
&amp;lt;!-- 2nd Tab start --&amp;gt;&lt;br /&gt;
= Current Activity =&lt;br /&gt;
&lt;br /&gt;
== Meetings ==&lt;br /&gt;
&lt;br /&gt;
* Get ready for OWASP [[AppSec Israel 2017]], to be held on October 17-18, 2017!&lt;br /&gt;
* OWASP Europe 2018 is planned to be in Israel. For sponsorship, questions, suggestions and more, contact '''[mailto:avi.douglen@owasp.org Avi Douglen]'''&lt;br /&gt;
* [http://www.meetup.com/OWASP-Israel/ Ongoing Meetings and socialization on Meetup]. [[file:Meetup-logo-2x.png|75px|link=http://www.meetup.com/OWASP-Israel/]]&lt;br /&gt;
&lt;br /&gt;
== Hebrew Translations ==  &lt;br /&gt;
&lt;br /&gt;
; '''The OWASP Top 10, 2013 version was translated to Hebrew! &amp;lt;br&amp;gt; '''&lt;br /&gt;
It is now [[OWASP_Top10_Hebrew|available for download]].&lt;br /&gt;
&lt;br /&gt;
The [[OWASP_Risk_Rating_Methodology|OWASP Risk Rating Methodology]], part of the [[OWASP_Testing_Project|OWASP Testing Project]], has been translated to Hebrew, and is available for download in [[Media:OWASP_Risk_Rating_Methodology-Hebrew.pdf|PDF format]]. &lt;br /&gt;
Many thanks to Tal Argoni from TriadSec.&lt;br /&gt;
&lt;br /&gt;
== Additional Resources ==&lt;br /&gt;
* Security discussion forum in Hebrew - on [https://www.facebook.com/groups/owasp.il/ Facebook]. [[file:Facebook_logo_small.jpg|100px|link=https://www.facebook.com/groups/owasp.il/]]&lt;br /&gt;
* [https://www.linkedin.com/groups/39702 LinkedIn Group] for networking and announcements. [[file:Delhi_linkedin.jpg|100px|link=https://www.linkedin.com/groups/39702]]&lt;br /&gt;
* [https://owasp.slack.com/messages/chapter-israel/ Chat room] for security in Hebrew. [[file:Slack.png|90px|link=https://owasp.slack.com/messages/chapter-israel/]]  &lt;br /&gt;
* [https://twitter.com/OWASP_IL Twitter] account. [[file:twitter_wide.jpg|75px|link=https://twitter.com/OWASP_IL]]&lt;br /&gt;
* [[OWASP_IL_Sponsorship|Sponsorship opportunities]], including #AppSecIL conference sponsorship. &lt;br /&gt;
&lt;br /&gt;
If you have anything else on your mind, please speak up! Contact [mailto:avi.douglen@owasp.org Avi Douglen] with any ideas you have.&lt;br /&gt;
&amp;lt;!-- 2nd Tab end --&amp;gt;&lt;br /&gt;
&amp;lt;!-- 3rd Tab start --&amp;gt;&lt;br /&gt;
= Chapter Details =&lt;br /&gt;
== The Team ==&lt;br /&gt;
&lt;br /&gt;
Chapter leader: '''[mailto:avi.douglen@owasp.org Avi Douglen]'''.&lt;br /&gt;
&lt;br /&gt;
* OWASP Israel Board: '''[mailto:avi.douglen@owasp.org Avi Douglen]''', '''Or Katz''', ''' Ofer Maor''', '''Erez Metula''', '''Hemed Gur Ary''', '''[[User:YossiOren|Dr. Yossi Oren]]'''&lt;br /&gt;
* Chapter Founder: '''[mailto:ofer@shezaf.com Ofer Shezaf]'''&lt;br /&gt;
* [[OWASP_Top10_Hebrew|OWASP Top 10 Hebrew]]: Or Katz&lt;br /&gt;
* Homepage Maintenance: Avi Douglen, Ofer Maor, Yossi Oren, [[User:Eyigal|Yigal Elefant]]&lt;br /&gt;
* Mailing List Management: Avi Douglen, Ofer Maor, Or Katz   &lt;br /&gt;
&lt;br /&gt;
== General Activity ==&lt;br /&gt;
* An annual conference, usually in September or October. &lt;br /&gt;
* Periodic meetings. If you would like to host a meeting or speak at one, contact [mailto:avi.douglen@owasp.org Avi Douglen] or [mailto:katz3112@gmail.com Or Katz].&lt;br /&gt;
* Translation of OWASP resources to Hebrew&lt;br /&gt;
* Spreading the Word - Reaching out for more people, especially outside of the AppSec community.&lt;br /&gt;
&amp;lt;!-- 3rd Tab end --&amp;gt;&lt;br /&gt;
&lt;br /&gt;
&amp;lt;!-- 4th Tab start --&amp;gt;&lt;br /&gt;
= Previous Annual Conferences =&lt;br /&gt;
{| class=&amp;quot;wikitable&amp;quot; border=&amp;quot;1&amp;quot; style=&amp;quot;text-align:center;&amp;quot; |&lt;br /&gt;
! width=&amp;quot;200&amp;quot; | Name&lt;br /&gt;
! width=&amp;quot;200&amp;quot; | Date&lt;br /&gt;
! width=&amp;quot;350&amp;quot; | Location&lt;br /&gt;
! width=&amp;quot;200&amp;quot; | Attendance&lt;br /&gt;
|- align=&amp;quot;center&amp;quot;&lt;br /&gt;
| '''[[AppSec_Israel_2016|AppSec Israel 2016]]'''&lt;br /&gt;
| '''September 19th 2016'''&lt;br /&gt;
| '''College of Management'''&lt;br /&gt;
| '''more than 650 attendees!'''&lt;br /&gt;
|- align=&amp;quot;left&amp;quot;&lt;br /&gt;
| colspan=&amp;quot;4&amp;quot; |Use the [[AppSec_Israel_2016_Presentations|presentations info page]] to download presentations and videos&lt;br /&gt;
|- align=&amp;quot;center&amp;quot;&lt;br /&gt;
| '''[[AppSec_Israel_2015|AppSec Israel 2015]]'''&lt;br /&gt;
| '''October 13th, 2015'''&lt;br /&gt;
| '''College of Management'''&lt;br /&gt;
| '''over 550 participants!'''&lt;br /&gt;
|- align=&amp;quot;left&amp;quot;&lt;br /&gt;
| colspan=&amp;quot;4&amp;quot; |Use the [[AppSec_Israel_2015_Presentations|presentations info page]] to download presentations&lt;br /&gt;
|- align=&amp;quot;center&amp;quot;&lt;br /&gt;
| '''[[AppSec_Israel_2014|AppSec Israel 2014]]'''&lt;br /&gt;
| '''September 2nd, 2014'''&lt;br /&gt;
| '''IDC'''&lt;br /&gt;
| '''over 450 participants!'''&lt;br /&gt;
|- align=&amp;quot;left&amp;quot;&lt;br /&gt;
| colspan=&amp;quot;4&amp;quot; |Use the [[AppSec_Israel_2014_Presentations|presentations info page]] to download presentations&lt;br /&gt;
|- align=&amp;quot;center&amp;quot;&lt;br /&gt;
| '''[[OWASP_Israel_2013|OWASP Israel 2013]]'''&lt;br /&gt;
| '''October 1st, 2013'''&lt;br /&gt;
|&lt;br /&gt;
| '''480 participants!'''&lt;br /&gt;
|- align=&amp;quot;left&amp;quot;&lt;br /&gt;
| colspan=&amp;quot;4&amp;quot; |Use the [[OWASP_Israel_2013_Presentations|presentations info page]] to download presentations&lt;br /&gt;
|- align=&amp;quot;center&amp;quot;&lt;br /&gt;
| '''[[OWASP_Israel_2012|OWASP Israel 2012 conference]]'''&lt;br /&gt;
| '''Sep 5th, 2012'''&lt;br /&gt;
| '''IDC'''&lt;br /&gt;
|&lt;br /&gt;
|- align=&amp;quot;center&amp;quot;&lt;br /&gt;
| '''[[OWASP_Israel_2011|OWASP Israel 2011 Conference]]'''&lt;br /&gt;
| '''Sep 15th, 2011'''&lt;br /&gt;
| '''IDC in Herzeliya'''&lt;br /&gt;
| '''350 attendees'''&lt;br /&gt;
|- align=&amp;quot;center&amp;quot;&lt;br /&gt;
| '''[[OWASP_Israel_2010|OWASP Israel 2010 Conference]]'''&lt;br /&gt;
| '''Sep 6th, 2010'''&lt;br /&gt;
| '''IDC in Herzliya'''&lt;br /&gt;
| '''150 attendees'''&lt;br /&gt;
|- align=&amp;quot;center&amp;quot;&lt;br /&gt;
| '''[[OWASP_Israel_2009|OWASP Israel 2009]]'''&lt;br /&gt;
| '''Sunday, September 6th 2009'''&lt;br /&gt;
| '''Interdisciplinary Center Herzliya'''&lt;br /&gt;
| &lt;br /&gt;
|- align=&amp;quot;left&amp;quot;&lt;br /&gt;
| colspan=&amp;quot;4&amp;quot; |You can find the agenda and uploaded presentations [[OWASP_Israel_2009|here]]&lt;br /&gt;
|- align=&amp;quot;center&amp;quot;&lt;br /&gt;
| '''[[OWASP_Israel_2008_Conference_at_the_Interdisciplinary_Center_Herzliya|The OWASP Israel 2008 conference&lt;br /&gt;
at the Interdisciplinary Center Herzliya (IDC)]]'''&lt;br /&gt;
| '''September 14th, 2008'''&lt;br /&gt;
| '''Interdisciplinary Center Herzliya'''&lt;br /&gt;
| '''250 attendees'''&lt;br /&gt;
|- align=&amp;quot;center&amp;quot;&lt;br /&gt;
| '''OWASP Israel at the [http://www.idc.co.il/?showproduct=31108&amp;amp;content_lang=ENG IDC Security Road Show]'''&lt;br /&gt;
| '''June 3rd, 2008'''&lt;br /&gt;
|&lt;br /&gt;
|&lt;br /&gt;
|- align=&amp;quot;left&amp;quot;&lt;br /&gt;
| colspan=&amp;quot;4&amp;quot; |OWASP sponsored the IDC Security Road Show event in Israel. Thanks to Iris Lev-Ari and Tomer Teller for the help in the OWASP booth.&lt;br /&gt;
|- align=&amp;quot;center&amp;quot;&lt;br /&gt;
| '''[[OWASP_Israel_2007_Conference|OWASP Israel 2007 conference at the Interdisciplinary Center Herzliya (IDC)]]'''&lt;br /&gt;
| '''Dec 3rd 2007'''&lt;br /&gt;
| '''Interdisciplinary Center (IDC) Herzliya'''&lt;br /&gt;
|&lt;br /&gt;
|- align=&amp;quot;left&amp;quot;&lt;br /&gt;
| colspan=&amp;quot;4&amp;quot; |The 1st official OWASP conference in Israel was held on Dec 3rd 2007 at the Interdisciplinary Center (IDC) Herzliya.&lt;br /&gt;
The conference really set itself as an event you must come to if you have anything to do with application security. [http://picasaweb.google.com/oshezaf/OWASPIsrael2007 pictures from the conference]&lt;br /&gt;
|}&lt;br /&gt;
&amp;lt;!-- 4th Tab end --&amp;gt;&lt;br /&gt;
&amp;lt;!-- 5th Tab start --&amp;gt;&lt;br /&gt;
= Previous Meetings =&lt;br /&gt;
{| class=&amp;quot;wikitable&amp;quot; border=&amp;quot;1&amp;quot; style=&amp;quot;text-align:center;&amp;quot; |&lt;br /&gt;
! width=&amp;quot;250&amp;quot; | Name&lt;br /&gt;
! width=&amp;quot;200&amp;quot; | Date&lt;br /&gt;
! width=&amp;quot;350&amp;quot; | Location&lt;br /&gt;
! width=&amp;quot;200&amp;quot; | Attendance&lt;br /&gt;
|- align=&amp;quot;center&amp;quot;&lt;br /&gt;
| [[OWASP_Israel_June_2017|OWASP Israel June 2017]]&lt;br /&gt;
| June 20th, 2017&lt;br /&gt;
| Intuit Israel, HaHarash St. 4, Hod Hasharon&lt;br /&gt;
| &lt;br /&gt;
|- align=&amp;quot;center&amp;quot;&lt;br /&gt;
| [[OWASP_Israel_April_2017|OWASP Israel April 2017]]&lt;br /&gt;
| April 3rd, 2017&lt;br /&gt;
| Checkmarx's offices, in the Amot Atrium Tower, 2 Jabotinsky St., Ramat Gan&lt;br /&gt;
| 75 people&lt;br /&gt;
|- align=&amp;quot;center&amp;quot;&lt;br /&gt;
| [[OWASP_Israel_January_2017|OWASP Israel January 2017]]&lt;br /&gt;
| January 18th, 2017&lt;br /&gt;
| Radware’s Tel Aviv offices, at Raul Wallenberg 22, Ramat HaChayal&lt;br /&gt;
| 120 people&lt;br /&gt;
|- align=&amp;quot;center&amp;quot;&lt;br /&gt;
| [[OWASP_Israel_June_2016|OWASP Israel June 2016]]&lt;br /&gt;
| June 14, 2016&lt;br /&gt;
| Amdocs Auditorium in Raanana&lt;br /&gt;
|&lt;br /&gt;
|- align=&amp;quot;center&amp;quot;&lt;br /&gt;
| [[OWASP_Israel_April_2016|OWASP Israel April 2016]]&lt;br /&gt;
| April 12, 2016&lt;br /&gt;
| HP Enterprise in Yehud&lt;br /&gt;
| 150 participants&lt;br /&gt;
|- align=&amp;quot;center&amp;quot;&lt;br /&gt;
| [[OWASP_Israel_February_2016|OWASP Israel February 2016]]&lt;br /&gt;
| February 2, 2016&lt;br /&gt;
| F5 Networks in Tel Aviv&lt;br /&gt;
|&lt;br /&gt;
|- align=&amp;quot;center&amp;quot;&lt;br /&gt;
| [[OWASP_Israel_June_2015|OWASP Israel June 2015]]&lt;br /&gt;
| June 16, 2015&lt;br /&gt;
| Microsoft in Herzeliya&lt;br /&gt;
| 120 participants&lt;br /&gt;
|- align=&amp;quot;center&amp;quot;&lt;br /&gt;
| [[OWASP_Israel_March_2015|OWASP Israel March 2015]]&lt;br /&gt;
| March 30, 2015&lt;br /&gt;
| NCR in Raanana&lt;br /&gt;
| 120 participants&lt;br /&gt;
|- align=&amp;quot;center&amp;quot;&lt;br /&gt;
| [[OWASP_Israel_June_2014|OWASP Israel June 2014]]&lt;br /&gt;
| June 16, 2014&lt;br /&gt;
| F5 Networks in Tel Aviv&lt;br /&gt;
| 110 participants&lt;br /&gt;
|- align=&amp;quot;center&amp;quot;&lt;br /&gt;
| [[OWASP_Israel_April_2014|OWASP Israel April 2014]]&lt;br /&gt;
| April 23, 2014&lt;br /&gt;
| Akamai in Herzliya Pituach&lt;br /&gt;
| 100 participants&lt;br /&gt;
|- align=&amp;quot;center&amp;quot;&lt;br /&gt;
| [[OWASP_Israel_January_2014|OWASP Israel January 2014]]&lt;br /&gt;
| January 14th, 2014&lt;br /&gt;
| Amdocs in Ra'anana &lt;br /&gt;
| 120 participants&lt;br /&gt;
|- align=&amp;quot;center&amp;quot;&lt;br /&gt;
| [[OWASP_Israel_2013_05|OWASP Israel May 2013]]&lt;br /&gt;
| May 28th, 2013&lt;br /&gt;
| RSA&lt;br /&gt;
| 80 participants&lt;br /&gt;
|- align=&amp;quot;center&amp;quot;&lt;br /&gt;
| [[OWASP_Israel_2013_02|OWASP Israel February 2013]]&lt;br /&gt;
| February 12th, 2013&lt;br /&gt;
| E&amp;amp;Y&lt;br /&gt;
|&lt;br /&gt;
|- align=&amp;quot;left&amp;quot;&lt;br /&gt;
| colspan=&amp;quot;4&amp;quot; |[[OWASP_ISRAEL_2013_02_Hebrew|Hebrew version]]&lt;br /&gt;
|- align=&amp;quot;center&amp;quot;&lt;br /&gt;
| [[OWASP_Israel_2010_06|OWASP Israel Jun-2010]]&lt;br /&gt;
| Jun 22nd, 2010&lt;br /&gt;
| IBM/Watchfire in Herzliya&lt;br /&gt;
|&lt;br /&gt;
|- align=&amp;quot;center&amp;quot;&lt;br /&gt;
| [[OWASP_Israel_2010_02|OWASP Israel Feb-2010]]&lt;br /&gt;
| Feb 9th, 2010&lt;br /&gt;
| Amdocs in Ra'anana&lt;br /&gt;
| 70 attendees&lt;br /&gt;
|- align=&amp;quot;center&amp;quot;&lt;br /&gt;
| [[OWASP_Israel_2010_01|OWASP Israel Jan-2010]]&lt;br /&gt;
| Jan 12th, 2010 &lt;br /&gt;
| Breach Security in Herzliya&lt;br /&gt;
| 60 attendees&lt;br /&gt;
|- align=&amp;quot;center&amp;quot;&lt;br /&gt;
| [[OWASP_Israel_2009_12|OWASP Israel Dec-2009]]&lt;br /&gt;
| Dec 2009&lt;br /&gt;
| IBM/Watchfire in Herzliya&lt;br /&gt;
|&lt;br /&gt;
|- align=&amp;quot;center&amp;quot;&lt;br /&gt;
| [[OWASP_Israel_2009_05|OWASP Israel May 2009 meeting]]&lt;br /&gt;
| May 7th, 2009&lt;br /&gt;
| IBM in Park Azorim in Petach-Tikva&lt;br /&gt;
|&lt;br /&gt;
|- align=&amp;quot;left&amp;quot;&lt;br /&gt;
| colspan=&amp;quot;4&amp;quot; |The presentations were:&lt;br /&gt;
* Web-Based Man-in-the-Middle Attack, Adi Sharabani, IBM ([http://blog.watchfire.com/wfblog/2009/02/active-man-in-the-middle-attacks.html more info])&lt;br /&gt;
* Automation Attacks and Counter Measures, Ofer Shezaf, Xiom ([http://www.owasp.org/images/5/58/OWASP_Israel_-_May_2009_-_Ofer_Shezaf_-_Automation_Attacks.pdf presentation])&lt;br /&gt;
: [[OWASP_ISRAEL_2009_05_Hebrew|Full details in Hebrew]]&lt;br /&gt;
|- align=&amp;quot;center&amp;quot;&lt;br /&gt;
| [[OWASP_Israel_2009_03|OWASP Israel March 2009 meeting]]&lt;br /&gt;
| March 26th, 2009&lt;br /&gt;
| Tel-Aviv University&lt;br /&gt;
| 60 attendees&lt;br /&gt;
|- align=&amp;quot;left&amp;quot;&lt;br /&gt;
| colspan=&amp;quot;4&amp;quot; |The presentations were:&lt;br /&gt;
* Securing cellular web applications, Mikko Saario, Founder, OWASP Finland, Security Architect, Large Telecom Solution Provider ([[Media:OWASP_Israel_-_March_2009_-_Mikko_Saario_-_Web_Application_Security_in_the_Mobile_World.pdf‎|download]])&lt;br /&gt;
* Real world implementation of a PCI DSS compliance key management, Yaron Hakon, 2bsecure ([[Media:OWASP_Israel_-_March_2009_-_Yaron_Hakon_-_PCI_key_managment.pdf‎|download]])&lt;br /&gt;
* Detecting RFI attacks, Or Katz, Breach Security ([[Media:OWASP_Israel_-_March_2009_-_Or_Katz_-_RFI_detection.pdf‎|download]])&lt;br /&gt;
* WAFEC 2.0 - Do WAFs deliver?, Ofer Shezaf, Xiom ([[Media:OWASP_Israel_-_March_2009_-_Ofer_Shezaf_-_Why_WAFs_fail.pdf‎|download]])&lt;br /&gt;
: [[OWASP_ISRAEL_2009_03_Hebrew|Full details in Hebrew]]&lt;br /&gt;
|- align=&amp;quot;center&amp;quot;&lt;br /&gt;
| [[OWASP_Israel_2009_01|OWASP Israel January 2009 meeting]]&lt;br /&gt;
| January 28th, 2009&lt;br /&gt;
| Checkpoint&lt;br /&gt;
| 100 people&lt;br /&gt;
|- align=&amp;quot;left&amp;quot;&lt;br /&gt;
| colspan=&amp;quot;4&amp;quot; |The presentations were:&lt;br /&gt;
* Improving Web Application Firewall testing for better deployment in production network, Gregory Fresnais from BreakingPoint, visiting us from France ([[Media:OWASP_Israel_2009_01_Gregory_Fresnais_Measuring_WAF_Performance.pdf‎|download]]) &lt;br /&gt;
* Web 2.0 Hacking, Nimrod Luria, Qrity ([[Media:OWASP_Israel_2009_01_Nimrod_Luria_Web_2.0_Security.pdf‎|download]])&lt;br /&gt;
* Wiki Security, Ofer Shezaf, Xiom ([http://www.xiom.com/research/wiki_security download])&lt;br /&gt;
|}&lt;br /&gt;
&amp;lt;!-- 5th Tab end --&amp;gt;&lt;br /&gt;
&lt;br /&gt;
&amp;lt;!-- Above the following line = Heading 1 = will create a new tab --&amp;gt;&lt;br /&gt;
&amp;lt;headertabs&amp;gt;&amp;lt;/headertabs&amp;gt;&lt;br /&gt;
&amp;lt;!-- Below this line = Heading 1 = will not create tabs anymore --&amp;gt;&lt;br /&gt;
&lt;br /&gt;
= Chapter Sponsors = &lt;br /&gt;
&lt;br /&gt;
The OWASP Israel chapter's yearly activity is being supported by the generous sponsorship of the following companies: &lt;br /&gt;
&lt;br /&gt;
[[image:OWASPIL_Sponsors.png|center]]&lt;br /&gt;
&lt;br /&gt;
[[Category:Middle East]] &lt;br /&gt;
[[Category:Europe]]&lt;/div&gt;</summary>
		<author><name>Avi Douglen</name></author>	</entry>

	<entry>
		<id>https://wiki.owasp.org/index.php?title=File:OWASPIL_Sponsors.png&amp;diff=240753</id>
		<title>File:OWASPIL Sponsors.png</title>
		<link rel="alternate" type="text/html" href="https://wiki.owasp.org/index.php?title=File:OWASPIL_Sponsors.png&amp;diff=240753"/>
				<updated>2018-05-16T21:19:18Z</updated>
		
		<summary type="html">&lt;p&gt;Avi Douglen: Avi Douglen uploaded a new version of File:OWASPIL Sponsors.png&lt;/p&gt;
&lt;hr /&gt;
&lt;div&gt;&lt;/div&gt;</summary>
		<author><name>Avi Douglen</name></author>	</entry>

	<entry>
		<id>https://wiki.owasp.org/index.php?title=File:OWASPIL_Sponsors.png&amp;diff=240752</id>
		<title>File:OWASPIL Sponsors.png</title>
		<link rel="alternate" type="text/html" href="https://wiki.owasp.org/index.php?title=File:OWASPIL_Sponsors.png&amp;diff=240752"/>
				<updated>2018-05-16T21:16:56Z</updated>
		
		<summary type="html">&lt;p&gt;Avi Douglen: Avi Douglen uploaded a new version of File:OWASPIL Sponsors.png&lt;/p&gt;
&lt;hr /&gt;
&lt;div&gt;&lt;/div&gt;</summary>
		<author><name>Avi Douglen</name></author>	</entry>

	<entry>
		<id>https://wiki.owasp.org/index.php?title=File:OWASPIL_Sponsors.png&amp;diff=240750</id>
		<title>File:OWASPIL Sponsors.png</title>
		<link rel="alternate" type="text/html" href="https://wiki.owasp.org/index.php?title=File:OWASPIL_Sponsors.png&amp;diff=240750"/>
				<updated>2018-05-16T20:55:34Z</updated>
		
		<summary type="html">&lt;p&gt;Avi Douglen: &lt;/p&gt;
&lt;hr /&gt;
&lt;div&gt;&lt;/div&gt;</summary>
		<author><name>Avi Douglen</name></author>	</entry>

	<entry>
		<id>https://wiki.owasp.org/index.php?title=Joel_Test_for_AppSec&amp;diff=237898</id>
		<title>Joel Test for AppSec</title>
		<link rel="alternate" type="text/html" href="https://wiki.owasp.org/index.php?title=Joel_Test_for_AppSec&amp;diff=237898"/>
				<updated>2018-02-19T23:51:38Z</updated>
		
		<summary type="html">&lt;p&gt;Avi Douglen: Created page with &amp;quot;At the [https://owaspsummit.org/ OWASP Summit 2017], there was held a session on [https://owaspsummit.org/Outcomes/Education/Recruiting-AppSec-Talent.html Recruiting AppSec Ta...&amp;quot;&lt;/p&gt;
&lt;hr /&gt;
&lt;div&gt;At the [https://owaspsummit.org/ OWASP Summit 2017], a session was held on [https://owaspsummit.org/Outcomes/Education/Recruiting-AppSec-Talent.html Recruiting AppSec Talent] with the purpose of improving the recruitment cycle, including improving job postings and suggested next steps for AppSec Managers looking for long-term growth of their team. &lt;br /&gt;
&lt;br /&gt;
We discussed the gap between companies’ needs to recruit talented AppSec people, and attracting the best AppSec people to work at their company. The [https://www.joelonsoftware.com/2000/08/09/the-joel-test-12-steps-to-better-code/ Joel Test] is a quick indicator of Development culture: an irresponsible, sloppy test to rate the quality of a software team. We adapted the Joel Test to be a quick indicator of a company’s AppSec culture. The test’s purpose is to help companies attract the right talent and help talent to find the right company.&lt;br /&gt;
&lt;br /&gt;
First draft of the AppSec Joel Test (in no specific order):&lt;br /&gt;
* Does the company fund ongoing education for AppSec hires?&lt;br /&gt;
* Do developers undergo periodic AppSec training?&lt;br /&gt;
* Do AppSec people have a quiet working environment?&lt;br /&gt;
* Are there both offense and defense teams; do they work together?&lt;br /&gt;
* Can the AppSec team delay release (or fix) a new version or product?&lt;br /&gt;
* Is the AppSec team involved throughout the development lifecycle process?&lt;br /&gt;
* Can I access developers directly?&lt;br /&gt;
* Are security bugs treated like functional bugs?&lt;br /&gt;
* Is there some form of SDL / Maturity model / or other process in place?&lt;br /&gt;
* Can AppSec people choose their own tools (paid for by the company)?&lt;br /&gt;
* Is there a dedicated Incident Response team?&lt;br /&gt;
* Does the company contribute to Open Source and community efforts (or support personal contributions)?&lt;/div&gt;</summary>
		<author><name>Avi Douglen</name></author>	</entry>

	<entry>
		<id>https://wiki.owasp.org/index.php?title=2017_OWASP_World_Tour_Israel&amp;diff=232889</id>
		<title>2017 OWASP World Tour Israel</title>
		<link rel="alternate" type="text/html" href="https://wiki.owasp.org/index.php?title=2017_OWASP_World_Tour_Israel&amp;diff=232889"/>
				<updated>2017-09-05T14:53:13Z</updated>
		
		<summary type="html">&lt;p&gt;Avi Douglen: Created page with &amp;quot;'''More information coming! Check back soon!'''  '''[https://appsecil.org/ AppSec Israel Conference - Main Page]'''  '''This is a free 1 day training event, however registrati...&amp;quot;&lt;/p&gt;
&lt;hr /&gt;
&lt;div&gt;'''More information coming! Check back soon!'''&lt;br /&gt;
&lt;br /&gt;
'''[https://appsecil.org/ AppSec Israel Conference - Main Page]'''&lt;br /&gt;
&lt;br /&gt;
'''This is a free 1 day training event, however registration is required to attend.''' &lt;br /&gt;
&lt;br /&gt;
'''Date:''' Tuesday, October 17, 2017&lt;br /&gt;
&lt;br /&gt;
'''Time:''' 9:00am - 5:00pm&lt;br /&gt;
&lt;br /&gt;
'''Location:''' College of Management (Michlala l’Minhal) &amp;lt;br /&amp;gt; &lt;br /&gt;
&lt;br /&gt;
The College of Management (ColMan) is in Rishon LeZion (about 20 minutes south of Tel Aviv). &lt;br /&gt;
The address is Eli Weisel 2, Rishon LeZiyon. There is plenty of parking available; entrance is via gate 4.&lt;br /&gt;
&lt;br /&gt;
For directions and public transportation options, please see the information at this link: http://www.colman.ac.il/about/roads/Pages/default.aspx&lt;br /&gt;
&lt;br /&gt;
=='''Call for Trainers'''==&lt;br /&gt;
&lt;br /&gt;
https://owasp.submittable.com/submit/91874/owasp-global-training-tour-tel-aviv-isreal (closed)&lt;br /&gt;
&lt;br /&gt;
=='''Registration'''==&lt;br /&gt;
&lt;br /&gt;
Full details and registration will be available on the [https://appsecil.org/Training AppSecIL website].&lt;/div&gt;</summary>
		<author><name>Avi Douglen</name></author>	</entry>

	<entry>
		<id>https://wiki.owasp.org/index.php?title=OWASP_World_Tour&amp;diff=232888</id>
		<title>OWASP World Tour</title>
		<link rel="alternate" type="text/html" href="https://wiki.owasp.org/index.php?title=OWASP_World_Tour&amp;diff=232888"/>
				<updated>2017-09-05T14:47:00Z</updated>
		
		<summary type="html">&lt;p&gt;Avi Douglen: &lt;/p&gt;
&lt;hr /&gt;
&lt;div&gt;[[File:OWASP WT Banners wiki wiki (corrected).jpg|frameless|1024x1024px]]&lt;br /&gt;
&lt;br /&gt;
== OWASP World Tour - The Main Idea ==&lt;br /&gt;
OWASP is committed to improving the quality of the world's software security.  We advocate approaching application security as a people, process, and technology problem because the most effective approaches to application security include improvements in all of these areas.  As part of this philosophy, OWASP is offering basic AppSec training for Developers in hopes of including security throughout the entire SDLC.  The 2017 cities for this training are Boston, Tel Aviv, and Tokyo.  &lt;br /&gt;
&lt;br /&gt;
In accordance with the [[OWASP Strategic Goals|2017 strategic goal]], each of these one-day training events will target an audience of 500 developers and be delivered by Professional Trainers hired by OWASP.  You can register for free at the Registration page linked from each individual event page.  &lt;br /&gt;
&lt;br /&gt;
== Call for Trainers ==&lt;br /&gt;
https://owasp.submittable.com/submit &lt;br /&gt;
&lt;br /&gt;
== Events for 2017 ==&lt;br /&gt;
* [[2017 OWASP World Tour Tokyo|Tokyo Bootcamp]], September 30th&lt;br /&gt;
* [[2017 Global World Tour Boston|Boston OWASP Application Security Training]], October 9th, 2017&lt;br /&gt;
* [[2017 OWASP World Tour Israel|AppSec Israel Training Day]], October 17th, 2017&lt;/div&gt;</summary>
		<author><name>Avi Douglen</name></author>	</entry>

	<entry>
		<id>https://wiki.owasp.org/index.php?title=OWASP_World_Tour&amp;diff=232887</id>
		<title>OWASP World Tour</title>
		<link rel="alternate" type="text/html" href="https://wiki.owasp.org/index.php?title=OWASP_World_Tour&amp;diff=232887"/>
				<updated>2017-09-05T14:46:07Z</updated>
		
		<summary type="html">&lt;p&gt;Avi Douglen: Added link to OWT-TA - AppSecIL&lt;/p&gt;
&lt;hr /&gt;
&lt;div&gt;[[File:OWASP WT Banners wiki wiki (corrected).jpg|frameless|1024x1024px]]&lt;br /&gt;
&lt;br /&gt;
== OWASP World Tour - The Main Idea ==&lt;br /&gt;
OWASP is committed to improving the quality of the world's software security.  We advocate approaching application security as a people, process, and technology problem because the most effective approaches to application security include improvements in all of these areas.  As part of this philosophy, OWASP is offering basic AppSec training for Developers in hopes of including security throughout the entire SDLC.  The 2017 cities for this training are Boston, Tel Aviv, and Tokyo.  &lt;br /&gt;
&lt;br /&gt;
In accordance with the [[OWASP Strategic Goals|2017 strategic goal]], each of these one-day training events will target an audience of 500 developers and be delivered by Professional Trainers hired by OWASP.  You can register for free at the Registration page linked from each individual event page.  &lt;br /&gt;
&lt;br /&gt;
== Call for Trainers ==&lt;br /&gt;
https://owasp.submittable.com/submit &lt;br /&gt;
&lt;br /&gt;
== Events for 2017 ==&lt;br /&gt;
* [[2017 OWASP World Tour Tokyo|Tokyo Bootcamp]], September 30th&lt;br /&gt;
* [[2017 Global World Tour Boston|Boston OWASP Application Security Training]], October 9th, 2017&lt;br /&gt;
* [[2017 World Tour Israel|AppSec Israel Training Day]], October 17th, 2017&lt;/div&gt;</summary>
		<author><name>Avi Douglen</name></author>	</entry>

	<entry>
		<id>https://wiki.owasp.org/index.php?title=OWASP_IL_Sponsorship&amp;diff=232886</id>
		<title>OWASP IL Sponsorship</title>
		<link rel="alternate" type="text/html" href="https://wiki.owasp.org/index.php?title=OWASP_IL_Sponsorship&amp;diff=232886"/>
				<updated>2017-09-05T13:59:43Z</updated>
		
		<summary type="html">&lt;p&gt;Avi Douglen: Legacy&lt;/p&gt;
&lt;hr /&gt;
&lt;div&gt;[[Category:Israel]]  &lt;br /&gt;
&lt;br /&gt;
OWASP is an open source, non-profit organization. While our activities are free for all, we do have costs, and need your help to make our activities better. &amp;lt;br&amp;gt;&lt;br /&gt;
We are also open to any other non-financial sponsorship ideas that you may have. These are some simple ways in which you can help us:   &lt;br /&gt;
&lt;br /&gt;
=== Please note this is an outdated legacy page. All details for supporting us have moved to [[Israel|our Chapter page]]. ===&lt;br /&gt;
&lt;br /&gt;
== Commercial Sponsoring an OWASP IL conference == &lt;br /&gt;
&lt;br /&gt;
{|&lt;br /&gt;
|-valign=&amp;quot;top&amp;quot;&lt;br /&gt;
| OWASP Israel chapter hosts a Regional Conference once a year, usually in September or October. This year, we are holding the Conference in partnership with the School of Computer Science at the College of Management, in Rishon, Israel. [[Israel#Previous_OWASP_Israel_Conferences_and_Meetings|These conferences]] are always very successful and a large number of people attend.&lt;br /&gt;
&lt;br /&gt;
We encourage companies to sponsor our conferences and help pay for expenses such as refreshments, photography, video etc. The conferences are not commercial and the cost goes directly to cover expenses. Since the conferences draw an increasingly large number of people, our expenses are also rising accordingly.    &lt;br /&gt;
&lt;br /&gt;
If you or your company benefits from OWASP materials and/or conferences, we encourage you to support us! Moreover, the associated publicity and community goodwill can go a long way. We have several levels of sponsorship available, appropriate for the different organizations that wish to support our activities. Of course, if you are a Corporate Member of OWASP (at any level) and allocate a percentage (20-40%) of your membership fees to the Israel chapter, we can consider those funds as conference sponsorship.  It is also possible to be creative and find non-financial ways to support us and contribute to the successful running of the conference. (If you have any other ideas, please contact [mailto:avi.douglen@owasp.org AviD] directly.)&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
'''Past sponsors include Check Point, Microsoft, F5, IBM, Ernst &amp;amp; Young, Checkmarx, Imperva, Quotium, Akamai, Synopsys and many others'''&lt;br /&gt;
&lt;br /&gt;
| https://www.owasp.org/images/9/96/OWASP_IL_Conf_graphics_small.jpg &lt;br /&gt;
|}&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
=== What You Get for Sponsoring ===&lt;br /&gt;
All sponsors, regardless of sponsorship level, receive the following: &lt;br /&gt;
&lt;br /&gt;
* Many thanks, and hopefully a very good feeling of helping the community.&lt;br /&gt;
&lt;br /&gt;
* Access to all the tools, guides, and libraries OWASP makes available for everybody - if you benefit from these, support the organization! &lt;br /&gt;
&lt;br /&gt;
* Logo on the conference page. &lt;br /&gt;
&lt;br /&gt;
* In general, if there is something else specific that you may want, and is within the OWASP guidelines, please let us know.&lt;br /&gt;
&lt;br /&gt;
==== Platinum Sponsors (3 max) ==== &lt;br /&gt;
&lt;br /&gt;
* Largest booth area, where you can put up a &amp;quot;roll up&amp;quot; poster or two, and even a &amp;quot;pop-up&amp;quot; style booth (space permitting) to hand out your brochures and freebies. &lt;br /&gt;
&lt;br /&gt;
* Prime booth location and first choice. &lt;br /&gt;
&lt;br /&gt;
* Largest logo on the top of the conference page. &lt;br /&gt;
&lt;br /&gt;
* Logo on the chapter page for the whole year. &lt;br /&gt;
&lt;br /&gt;
* Recognition in all conference literature. &lt;br /&gt;
&lt;br /&gt;
* Explicit mention in conference Opening Speech.&lt;br /&gt;
&lt;br /&gt;
==== Gold Sponsors ====&lt;br /&gt;
&lt;br /&gt;
* A table top style mini booth where you can put up a &amp;quot;roll up&amp;quot; poster or two and hand out your brochures and freebies.&lt;br /&gt;
&lt;br /&gt;
* Good booth location and early choice. &lt;br /&gt;
&lt;br /&gt;
* Large logo near the top of the conference page. &lt;br /&gt;
&lt;br /&gt;
* Logo on the chapter page for the whole year.  &lt;br /&gt;
&lt;br /&gt;
* Recognition in all conference literature. &lt;br /&gt;
&lt;br /&gt;
* Collective mention in conference Opening Speech.&lt;br /&gt;
&lt;br /&gt;
==== Silver Sponsors ====&lt;br /&gt;
&lt;br /&gt;
* A small table top style mini booth where you can put up a &amp;quot;roll up&amp;quot; poster and hand out your brochures and freebies.&lt;br /&gt;
&lt;br /&gt;
* Smaller logo on the conference page. &lt;br /&gt;
&lt;br /&gt;
* Recognition in some conference literature. &lt;br /&gt;
&lt;br /&gt;
* Passive mention in conference Opening Speech. &lt;br /&gt;
&lt;br /&gt;
==== Community Supporters ==== &lt;br /&gt;
&lt;br /&gt;
* The &amp;quot;Community Supporter&amp;quot; level of sponsorship is intended for non-profits, government offices, small startups, and other organizations that have limited finances but wish to show their support for the local OWASP chapter. &lt;br /&gt;
&lt;br /&gt;
* Small logo on the conference page. &lt;br /&gt;
&lt;br /&gt;
* Community Supporters do not get a booth or table at the sponsor's display area, but you can leave a stack of fliers or swag at a central table. &lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
=== What You Don't Get ===&lt;br /&gt;
* List of people registering or attending. You can collect these by yourself in the booth, for example by offering a prize for people filling in details.&lt;br /&gt;
&lt;br /&gt;
* A lecture for money. The conference program is strictly selected on professional terms.&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
=== What We Need Your Money For ===&lt;br /&gt;
&lt;br /&gt;
OWASP is very strictly not-for-profit. We use the sponsorship funds to help make our events even more compelling to the audience while striving to make them free for participants. We want more people to come to our events so we can educate them about making applications more secure.   &lt;br /&gt;
&lt;br /&gt;
We use the money collected from sponsors for things such as:&lt;br /&gt;
&lt;br /&gt;
* '''Lecture videos''' - recording presentations enables them to be available also to people who cannot make it to the conference, and further publicize the contents of the event. &lt;br /&gt;
&lt;br /&gt;
* '''Venue costs''' - this year's conference is being hosted in partnership with the College of Management, so we have minimal direct costs for use of the halls. However there are additional associated costs, for some of the involved logistics such as hiring required equipment. &lt;br /&gt;
&lt;br /&gt;
* '''Refreshments''' - we want to keep people a long time, and we certainly bring good and interesting speakers, yet we don't want people to go home when they become hungry.&lt;br /&gt;
&lt;br /&gt;
* '''Name tags''' - we feel that professional networking and getting to know each other is an important facet of the community, and name tags make this easier.&lt;br /&gt;
&lt;br /&gt;
* '''Promotion''' - Until now, our events have been publicized mostly by word of mouth. We would like to reach a wider audience by advertising our events.&lt;br /&gt;
&lt;br /&gt;
* '''Printed Materials''' - We are not very keen on killing trees, but some people learn more from actual printed paper. We would like to hand out certain printed materials in our conferences.&lt;br /&gt;
&lt;br /&gt;
By the way, if you feel that you can contribute to any of these in any way besides money, we will be happy to hear about it.&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
=== What Should You Prepare as a Sponsor ===&lt;br /&gt;
As a sponsor, you are not obliged to do anything. Sponsorship can be philanthropy. However, in order to take advantage of the benefits listed above, we recommend the following:&lt;br /&gt;
&lt;br /&gt;
* Send us a logo file to put on the conference web page. (Note the maximum logo size according to the sponsorship level). &lt;br /&gt;
&lt;br /&gt;
* Prepare a roll-up type poster or equivalent for your table top booth.&lt;br /&gt;
&lt;br /&gt;
* Prepare brochures for handing out to conference attendees.&lt;br /&gt;
&lt;br /&gt;
* You might also want to hold a sweepstake between people who fill in their details in order to collect leads. We will be happy to announce the prize on the conference page. &lt;br /&gt;
&lt;br /&gt;
* Come 30 minutes before the conference starts to set up your booth.&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
For further details contact [mailto:avi.douglen@owasp.org AviD] or [mailto:katz3112@gmail.com Or Katz].&lt;br /&gt;
&lt;br /&gt;
== Not-for-Profit / Barter Sponsorship of OWASP IL Conferences ==&lt;br /&gt;
&lt;br /&gt;
We are happy to allow any information security related not-for-profit organization to present at our conference expo. You will get, for free, the same benefits that the commercial vendors get. The only condition is that if you hold similar events we would like to present at those events in return.&lt;br /&gt;
&lt;br /&gt;
We extend the same type of barter to commercial organizations that hold events. If you organize an information security related event, we would let you promote it in our expo in return for having presence in your event.&lt;br /&gt;
&lt;br /&gt;
Contact [mailto:avi.douglen@owasp.org AviD] for further details.&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
== Hosting a meeting ==&lt;br /&gt;
&lt;br /&gt;
We also host regular meetings and look for companies to host or sponsor these meetings. A company that hosts such a meeting is responsible for a meeting location and the refreshments. We need a room that can host at least 150 people. Pizza and drinks are the common refreshments, but alternatives are also OK. Keep in mind that food should be Kosher.&lt;br /&gt;
&lt;br /&gt;
If you want to host such a meeting, contact [mailto:avi.douglen@owasp.org AviD].&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
== OWASP Membership ==&lt;br /&gt;
&lt;br /&gt;
In addition to sponsoring OWASP Israel, you can also join OWASP as a member. For details, please refer to [http://www.owasp.org/index.php/Membership this page].&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
[[Category:OWASP Israel Meetings]]&lt;/div&gt;</summary>
		<author><name>Avi Douglen</name></author>	</entry>

	<entry>
		<id>https://wiki.owasp.org/index.php?title=File:OWASP2017_HackingBLEApplications_TalMelamed.pdf&amp;diff=232176</id>
		<title>File:OWASP2017 HackingBLEApplications TalMelamed.pdf</title>
		<link rel="alternate" type="text/html" href="https://wiki.owasp.org/index.php?title=File:OWASP2017_HackingBLEApplications_TalMelamed.pdf&amp;diff=232176"/>
				<updated>2017-08-11T00:56:23Z</updated>
		
		<summary type="html">&lt;p&gt;Avi Douglen: Avi Douglen uploaded a new version of File:OWASP2017 HackingBLEApplications TalMelamed.pdf&lt;/p&gt;
&lt;hr /&gt;
&lt;div&gt;Hacking BLE Applications&lt;br /&gt;
Tal Melamed&lt;br /&gt;
OWASP IL 2017&lt;/div&gt;</summary>
		<author><name>Avi Douglen</name></author>	</entry>

	<entry>
		<id>https://wiki.owasp.org/index.php?title=File:AppSec_Israel_2017_Sponsorships.pdf&amp;diff=231776</id>
		<title>File:AppSec Israel 2017 Sponsorships.pdf</title>
		<link rel="alternate" type="text/html" href="https://wiki.owasp.org/index.php?title=File:AppSec_Israel_2017_Sponsorships.pdf&amp;diff=231776"/>
				<updated>2017-07-20T11:03:29Z</updated>
		
		<summary type="html">&lt;p&gt;Avi Douglen: &lt;/p&gt;
&lt;hr /&gt;
&lt;div&gt;&lt;/div&gt;</summary>
		<author><name>Avi Douglen</name></author>	</entry>

	<entry>
		<id>https://wiki.owasp.org/index.php?title=Israel&amp;diff=231430</id>
		<title>Israel</title>
		<link rel="alternate" type="text/html" href="https://wiki.owasp.org/index.php?title=Israel&amp;diff=231430"/>
				<updated>2017-07-07T14:19:37Z</updated>
		
		<summary type="html">&lt;p&gt;Avi Douglen: Added June'17 meeting&lt;/p&gt;
&lt;hr /&gt;
&lt;div&gt;#REDIRECT [[:Category:Israel]]&lt;br /&gt;
[[Category:OWASP_Chapter]]&lt;br /&gt;
&lt;br /&gt;
[[image:Owasp_Israel_logo.png|center|500px]]&lt;br /&gt;
__NOTOC__&lt;br /&gt;
&amp;lt;!-- Any = Heading 1 = markup will create a new tab until after the &amp;lt;/headertabs&amp;gt; --&amp;gt;&lt;br /&gt;
&amp;lt;!-- 1st Tab start --&amp;gt;&lt;br /&gt;
= Welcome =&lt;br /&gt;
&lt;br /&gt;
{{Chapter Template|chaptername=Israel|extra=&amp;lt;br&amp;gt;|mailinglistsite=http://lists.owasp.org/mailman/listinfo/owasp-israel|emailarchives=http://lists.owasp.org/pipermail/owasp-israel}}&lt;br /&gt;
&amp;lt;!-- 1st Tab end --&amp;gt;&lt;br /&gt;
&amp;lt;!-- 2nd Tab start --&amp;gt;&lt;br /&gt;
= Current Activity =&lt;br /&gt;
&lt;br /&gt;
== Meetings ==&lt;br /&gt;
&lt;br /&gt;
* OWASP Europe 2018 is planned to be in Israel. For sponsorship, questions, suggestions and more, contact '''[mailto:avi.douglen@owasp.org Avi Douglen]'''&lt;br /&gt;
* [http://www.meetup.com/OWASP-Israel/ Ongoing Meetings and socialization on Meetup]. [[file:Meetup-logo-2x.png|75px|link=http://www.meetup.com/OWASP-Israel/]]&lt;br /&gt;
&lt;br /&gt;
== Hebrew Translations ==  &lt;br /&gt;
&lt;br /&gt;
; '''The OWASP Top 10, 2013 version was translated to Hebrew! &amp;lt;br&amp;gt; &lt;br /&gt;
It is now [[OWASP_Top10_Hebrew|available for download]].'''&lt;br /&gt;
&lt;br /&gt;
The [[OWASP_Risk_Rating_Methodology|OWASP Risk Rating Methodology]], part of the [[OWASP_Testing_Project|OWASP Testing Project]], has been translated to Hebrew, and is available for download in [[Media:OWASP_Risk_Rating_Methodology-Hebrew.pdf|PDF format]]. &lt;br /&gt;
Much thanks to Tal Argoni from TriadSec.&lt;br /&gt;
&lt;br /&gt;
== Additional Resources ==&lt;br /&gt;
* Security discussion forum in Hebrew - on [https://www.facebook.com/groups/owasp.il/ Facebook]. [[file:Facebook_logo_small.jpg|100px|link=https://www.facebook.com/groups/owasp.il/]]&lt;br /&gt;
* [https://www.linkedin.com/groups/39702 LinkedIn Group] for networking and announcements. [[file:Delhi_linkedin.jpg|100px|link=https://www.linkedin.com/groups/39702]]&lt;br /&gt;
* [https://owasp.slack.com/messages/chapter-israel/ Chat room] for security in Hebrew. [[file:Slack.png|90px|link=https://owasp.slack.com/messages/chapter-israel/]]  &lt;br /&gt;
* [https://twitter.com/OWASP_IL Twitter] account. [[file:twitter_wide.jpg|75px|link=https://twitter.com/OWASP_IL]]&lt;br /&gt;
* [[OWASP_IL_Sponsorship|Sponsorship opportunities]], including #AppSecIL conference sponsorship. &lt;br /&gt;
&lt;br /&gt;
If you have anything else on your mind, please speak up! Contact [mailto:avi.douglen@owasp.org Avi Douglen] with any ideas you have.&lt;br /&gt;
&amp;lt;!-- 2nd Tab end --&amp;gt;&lt;br /&gt;
&amp;lt;!-- 3rd Tab start --&amp;gt;&lt;br /&gt;
= Chapter Details =&lt;br /&gt;
== The Team ==&lt;br /&gt;
&lt;br /&gt;
Chapter leader: '''[mailto:avi.douglen@owasp.org Avi Douglen]'''.&lt;br /&gt;
&lt;br /&gt;
* OWASP Israel Board: '''[mailto:avi.douglen@owasp.org Avi Douglen]''', '''Or Katz''', ''' Ofer Maor''', '''Erez Metula''', '''Hemed Gur Ary''', '''[[User:YossiOren|Dr. Yossi Oren]]'''&lt;br /&gt;
* Chapter Founder: '''[mailto:ofer@shezaf.com Ofer Shezaf]'''&lt;br /&gt;
* [[OWASP_Top10_Hebrew|OWASP Top 10 Hebrew]]: Or Katz&lt;br /&gt;
* Homepage Maintenance: Avi Douglen, Ofer Maor, Yossi Oren, [[User:Eyigal|Yigal Elefant]]&lt;br /&gt;
* Mailing List Management: Avi Douglen, Ofer Maor, Or Katz   &lt;br /&gt;
&lt;br /&gt;
== General Activity ==&lt;br /&gt;
* An annual conference, usually in September or October. &lt;br /&gt;
* Periodic meetings. If you would like to host a meeting or speak in one contact [mailto:avi.douglen@owasp.org Avi Douglen] or [mailto:katz3112@gmail.com Or Katz].&lt;br /&gt;
* Translation of OWASP resources to Hebrew&lt;br /&gt;
* Spreading the Word - Reaching out for more people, especially outside of the AppSec community.&lt;br /&gt;
&amp;lt;!-- 3rd Tab end --&amp;gt;&lt;br /&gt;
&lt;br /&gt;
&amp;lt;!-- 4th Tab start --&amp;gt;&lt;br /&gt;
= Previous Annual Conferences =&lt;br /&gt;
{|class=&amp;quot;wikitable&amp;quot; border=&amp;quot;1&amp;quot; style=&amp;quot;text-align:center;&amp;quot;|&lt;br /&gt;
! width=&amp;quot;250&amp;quot; | Name&lt;br /&gt;
! width=&amp;quot;200&amp;quot; | Date&lt;br /&gt;
! width=&amp;quot;350&amp;quot; | Location&lt;br /&gt;
! width=&amp;quot;200&amp;quot; | Attendance&lt;br /&gt;
|- align=&amp;quot;center&amp;quot;&lt;br /&gt;
| '''[[AppSec_Israel_2016|AppSec Israel 2016]]'''&lt;br /&gt;
| '''September 19th 2016'''&lt;br /&gt;
| '''College of Management'''&lt;br /&gt;
| '''more than 650 attendees!'''&lt;br /&gt;
|- align=&amp;quot;center&amp;quot;&lt;br /&gt;
| colspan=&amp;quot;4&amp;quot; |Use the [[AppSec_Israel_2016_Presentations|presentations info page]] to download presentations and videos&lt;br /&gt;
|- align=&amp;quot;center&amp;quot;&lt;br /&gt;
| '''[[AppSec_Israel_2015|AppSec Israel 2015]]'''&lt;br /&gt;
| '''October 13th, 2015'''&lt;br /&gt;
| '''College of Management'''&lt;br /&gt;
| '''over 550 participants!'''&lt;br /&gt;
|- align=&amp;quot;center&amp;quot;&lt;br /&gt;
| colspan=&amp;quot;4&amp;quot; |Use the [[AppSec_Israel_2015_Presentations|presentations info page]] to download presentations&lt;br /&gt;
|- align=&amp;quot;center&amp;quot;&lt;br /&gt;
| '''[[AppSec_Israel_2014|AppSec Israel 2014]]'''&lt;br /&gt;
| '''September 2nd, 2014'''&lt;br /&gt;
| '''IDC'''&lt;br /&gt;
| '''over 450 participants!'''&lt;br /&gt;
|- align=&amp;quot;center&amp;quot;&lt;br /&gt;
| colspan=&amp;quot;4&amp;quot; |Use the [[AppSec_Israel_2014_Presentations|presentations info page]] to download presentations&lt;br /&gt;
|- align=&amp;quot;center&amp;quot;&lt;br /&gt;
| '''[[OWASP_Israel_2013|OWASP Israel 2013]]'''&lt;br /&gt;
| '''October 1st, 2013'''&lt;br /&gt;
|&lt;br /&gt;
| '''480 participants!'''&lt;br /&gt;
|- align=&amp;quot;center&amp;quot;&lt;br /&gt;
| colspan=&amp;quot;4&amp;quot; |Use the [[OWASP_Israel_2013_Presentations|presentations info page]] to download presentations&lt;br /&gt;
|- align=&amp;quot;center&amp;quot;&lt;br /&gt;
| '''[[OWASP_Israel_2012|OWASP Israel 2012 conference]]'''&lt;br /&gt;
| '''Sep 5th, 2012'''&lt;br /&gt;
| '''IDC'''&lt;br /&gt;
|&lt;br /&gt;
|- align=&amp;quot;center&amp;quot;&lt;br /&gt;
| '''[[OWASP_Israel_2011|OWASP Israel 2011 Conference]]'''&lt;br /&gt;
| '''Sep 15th, 2011'''&lt;br /&gt;
| '''IDC in Herzeliya'''&lt;br /&gt;
| '''350 attendees'''&lt;br /&gt;
|- align=&amp;quot;center&amp;quot;&lt;br /&gt;
| '''[[OWASP_Israel_2010|OWASP Israel 2010 Conference]]'''&lt;br /&gt;
| '''Sep 6th, 2010'''&lt;br /&gt;
| '''IDC in Herzliya'''&lt;br /&gt;
| '''150 attendees'''&lt;br /&gt;
|- align=&amp;quot;center&amp;quot;&lt;br /&gt;
| '''[[OWASP_Israel_2009|OWASP Israel 2009]]'''&lt;br /&gt;
| '''Sunday, September 6th 2009'''&lt;br /&gt;
| '''Interdisciplinary Center Herzliya'''&lt;br /&gt;
| &lt;br /&gt;
|- align=&amp;quot;center&amp;quot;&lt;br /&gt;
| colspan=&amp;quot;4&amp;quot; |You can find the agenda and uploaded presentations [[OWASP_Israel_2009|here]]&lt;br /&gt;
|- align=&amp;quot;center&amp;quot;&lt;br /&gt;
| '''[[OWASP_Israel_2008_Conference_at_the_Interdisciplinary_Center_Herzliya|The OWASP Israel 2008 conference at the Interdisciplinary Center Herzliya (IDC)]]'''&lt;br /&gt;
| '''September 14th, 2008'''&lt;br /&gt;
| '''Interdisciplinary Center Herzliya'''&lt;br /&gt;
| '''250 attendees'''&lt;br /&gt;
|- align=&amp;quot;center&amp;quot;&lt;br /&gt;
| '''OWASP Israel at the [http://www.idc.co.il/?showproduct=31108&amp;amp;content_lang=ENG IDC Security Road Show]'''&lt;br /&gt;
| '''June 3rd, 2008'''&lt;br /&gt;
|&lt;br /&gt;
|&lt;br /&gt;
|- align=&amp;quot;center&amp;quot;&lt;br /&gt;
| colspan=&amp;quot;4&amp;quot; |OWASP sponsored the IDC Security Road Show event in Israel. Thanks to Iris Lev-Ari and Tomer Teller for the help in the OWASP booth.&lt;br /&gt;
|- align=&amp;quot;center&amp;quot;&lt;br /&gt;
| '''[[OWASP_Israel_2007_Conference|OWASP Israel 2007 conference at the Interdisciplinary Center Herzliya (IDC)]]'''&lt;br /&gt;
| '''Dec 3rd 2007'''&lt;br /&gt;
| '''Interdisciplinary Center (IDC) Herzliya'''&lt;br /&gt;
|&lt;br /&gt;
|- align=&amp;quot;center&amp;quot;&lt;br /&gt;
| colspan=&amp;quot;4&amp;quot; |The 1st official OWASP conference in Israel was held on Dec 3rd 2007 at the Interdisciplinary Center (IDC) Herzliya. The conference really established itself as an event you must come to if you have anything to do with application security. [http://picasaweb.google.com/oshezaf/OWASPIsrael2007 Pictures from the conference]&lt;br /&gt;
|}&lt;br /&gt;
&amp;lt;!-- 4th Tab end --&amp;gt;&lt;br /&gt;
&amp;lt;!-- 5th Tab start --&amp;gt;&lt;br /&gt;
= Previous Meetings =&lt;br /&gt;
{|class=&amp;quot;wikitable&amp;quot; border=&amp;quot;1&amp;quot; style=&amp;quot;text-align:center;&amp;quot;|&lt;br /&gt;
! width=&amp;quot;250&amp;quot; | Name&lt;br /&gt;
! width=&amp;quot;200&amp;quot; | Date&lt;br /&gt;
! width=&amp;quot;350&amp;quot; | Location&lt;br /&gt;
! width=&amp;quot;200&amp;quot; | Attendance&lt;br /&gt;
|- align=&amp;quot;center&amp;quot;&lt;br /&gt;
| [[OWASP_Israel_June_2017|OWASP Israel June 2017]]&lt;br /&gt;
| June 20th, 2017&lt;br /&gt;
| Intuit Israel, HaHarash St. 4, Hod Hasharon&lt;br /&gt;
| &lt;br /&gt;
|- align=&amp;quot;center&amp;quot;&lt;br /&gt;
| [[OWASP_Israel_April_2017|OWASP Israel April 2017]]&lt;br /&gt;
| April 3rd, 2017&lt;br /&gt;
| Checkmarx's offices, in the Amot Atrium Tower, 2 Jabotinsky St., Ramat Gan&lt;br /&gt;
| 75 people&lt;br /&gt;
|- align=&amp;quot;center&amp;quot;&lt;br /&gt;
| [[OWASP_Israel_January_2017|OWASP Israel January 2017]]&lt;br /&gt;
| January 18th, 2017&lt;br /&gt;
| Radware’s Tel Aviv offices, at Raul Wallenberg 22, Ramat HaChayal&lt;br /&gt;
| 120 people&lt;br /&gt;
|- align=&amp;quot;center&amp;quot;&lt;br /&gt;
| [[OWASP_Israel_June_2016|OWASP Israel June 2016]]&lt;br /&gt;
| June 14, 2016&lt;br /&gt;
| Amdocs Auditorium in Raanana&lt;br /&gt;
|&lt;br /&gt;
|- align=&amp;quot;center&amp;quot;&lt;br /&gt;
| [[OWASP_Israel_April_2016|OWASP Israel April 2016]]&lt;br /&gt;
| April 12, 2016&lt;br /&gt;
| HP Enterprise in Yehud&lt;br /&gt;
| 150 participants&lt;br /&gt;
|- align=&amp;quot;center&amp;quot;&lt;br /&gt;
| [[OWASP_Israel_February_2016|OWASP Israel February 2016]]&lt;br /&gt;
| February 2, 2016&lt;br /&gt;
| F5 Networks in Tel Aviv&lt;br /&gt;
|&lt;br /&gt;
|- align=&amp;quot;center&amp;quot;&lt;br /&gt;
| [[OWASP_Israel_June_2015|OWASP Israel June 2015]]&lt;br /&gt;
| June 16, 2015&lt;br /&gt;
| Microsoft in Herzeliya&lt;br /&gt;
| 120 participants&lt;br /&gt;
|- align=&amp;quot;center&amp;quot;&lt;br /&gt;
| [[OWASP_Israel_March_2015|OWASP Israel March 2015]]&lt;br /&gt;
| March 30, 2015&lt;br /&gt;
| NCR in Raanana&lt;br /&gt;
| 120 participants&lt;br /&gt;
|- align=&amp;quot;center&amp;quot;&lt;br /&gt;
| [[OWASP_Israel_June_2014|OWASP Israel June 2014]]&lt;br /&gt;
| June 16, 2014&lt;br /&gt;
| F5 Networks in Tel Aviv&lt;br /&gt;
| 110 participants&lt;br /&gt;
|- align=&amp;quot;center&amp;quot;&lt;br /&gt;
| [[OWASP_Israel_April_2014|OWASP Israel April 2014]]&lt;br /&gt;
| April 23, 2014&lt;br /&gt;
| Akamai in Herzliya Pituach&lt;br /&gt;
| 100 participants&lt;br /&gt;
|- align=&amp;quot;center&amp;quot;&lt;br /&gt;
| [[OWASP_Israel_January_2014|OWASP Israel January 2014]]&lt;br /&gt;
| January 14th, 2014&lt;br /&gt;
| Amdocs in Ra'anana &lt;br /&gt;
| 120 participants&lt;br /&gt;
|- align=&amp;quot;center&amp;quot;&lt;br /&gt;
| [[OWASP_Israel_2013_05|OWASP Israel May 2013]]&lt;br /&gt;
| May 28th, 2013&lt;br /&gt;
| RSA&lt;br /&gt;
| 80 participants&lt;br /&gt;
|- align=&amp;quot;center&amp;quot;&lt;br /&gt;
| [[OWASP_Israel_2013_02|OWASP Israel February 2013]]&lt;br /&gt;
| February 12th, 2013&lt;br /&gt;
| E&amp;amp;Y&lt;br /&gt;
|&lt;br /&gt;
|- align=&amp;quot;center&amp;quot;&lt;br /&gt;
| colspan=&amp;quot;4&amp;quot; |[[OWASP_ISRAEL_2013_02_Hebrew|Hebrew version]]&lt;br /&gt;
|- align=&amp;quot;center&amp;quot;&lt;br /&gt;
| [[OWASP_Israel_2010_06|OWASP Israel Jun-2010]]&lt;br /&gt;
| Jun 22nd, 2010&lt;br /&gt;
| IBM/Watchfire in Herzliya&lt;br /&gt;
|&lt;br /&gt;
|- align=&amp;quot;center&amp;quot;&lt;br /&gt;
| [[OWASP_Israel_2010_02|OWASP Israel Feb-2010]]&lt;br /&gt;
| Feb 9th, 2010&lt;br /&gt;
| Amdocs in Ra'anana&lt;br /&gt;
| 70 attendees&lt;br /&gt;
|- align=&amp;quot;center&amp;quot;&lt;br /&gt;
| [[OWASP_Israel_2010_01|OWASP Israel Jan-2010]]&lt;br /&gt;
| Jan 12th, 2010 &lt;br /&gt;
| Breach Security in Herzliya&lt;br /&gt;
| 60 attendees&lt;br /&gt;
|- align=&amp;quot;center&amp;quot;&lt;br /&gt;
| [[OWASP_Israel_2009_12|OWASP Israel Dec-2009]]&lt;br /&gt;
| Dec 2009&lt;br /&gt;
| IBM/Watchfire in Herzliya&lt;br /&gt;
|&lt;br /&gt;
|- align=&amp;quot;center&amp;quot;&lt;br /&gt;
| [[OWASP_Israel_2009_05|OWASP Israel May 2009 meeting]]&lt;br /&gt;
| May 7th, 2009&lt;br /&gt;
| IBM in Park Azorim in Petach-Tikva&lt;br /&gt;
|&lt;br /&gt;
|- align=&amp;quot;left&amp;quot;&lt;br /&gt;
| colspan=&amp;quot;4&amp;quot; |The presentations were:&lt;br /&gt;
* Web-Based Man-in-the-Middle Attack, Adi Sharabani, IBM ([http://blog.watchfire.com/wfblog/2009/02/active-man-in-the-middle-attacks.html more info])&lt;br /&gt;
* Automation Attacks and Counter Measures, Ofer Shezaf, Xiom ([http://www.owasp.org/images/5/58/OWASP_Israel_-_May_2009_-_Ofer_Shezaf_-_Automation_Attacks.pdf presentation])&lt;br /&gt;
: [[OWASP_ISRAEL_2009_05_Hebrew|Full details in Hebrew]]&lt;br /&gt;
|- align=&amp;quot;center&amp;quot;&lt;br /&gt;
| [[OWASP_Israel_2009_03|OWASP Israel March 2009 meeting]]&lt;br /&gt;
| March 26th, 2009&lt;br /&gt;
| Tel-Aviv University&lt;br /&gt;
| 60 attendees&lt;br /&gt;
|- align=&amp;quot;left&amp;quot;&lt;br /&gt;
| colspan=&amp;quot;4&amp;quot; |The presentations were:&lt;br /&gt;
* Securing cellular web applications, Mikko Saario, Founder, OWASP Finland, Security Architect, Large Telecom Solution Provider ([[Media:OWASP_Israel_-_March_2009_-_Mikko_Saario_-_Web_Application_Security_in_the_Mobile_World.pdf‎|download]])&lt;br /&gt;
* Real world implementation of a PCI DSS compliance key management, Yaron Hakon, 2bsecure ([[Media:OWASP_Israel_-_March_2009_-_Yaron_Hakon_-_PCI_key_managment.pdf‎|download]])&lt;br /&gt;
* Detecting RFI attacks, Or Katz, Breach Security ([[Media:OWASP_Israel_-_March_2009_-_Or_Katz_-_RFI_detection.pdf‎|download]])&lt;br /&gt;
* WAFEC 2.0 - Do WAFs deliver?, Ofer Shezaf, Xiom ([[Media:OWASP_Israel_-_March_2009_-_Ofer_Shezaf_-_Why_WAFs_fail.pdf‎|download]])&lt;br /&gt;
: [[OWASP_ISRAEL_2009_03_Hebrew|Full details in Hebrew]]&lt;br /&gt;
|- align=&amp;quot;center&amp;quot;&lt;br /&gt;
| [[OWASP_Israel_2009_01|OWASP Israel January 2009 meeting]]&lt;br /&gt;
| January 28th, 2009&lt;br /&gt;
| Checkpoint&lt;br /&gt;
| 100 people&lt;br /&gt;
|- align=&amp;quot;left&amp;quot;&lt;br /&gt;
| colspan=&amp;quot;4&amp;quot; |The presentations were:&lt;br /&gt;
* Improving Web Application Firewall testing for better deployment in production network, Gregory Fresnais from BreakingPoint, visiting us from France ([[Media:OWASP_Israel_2009_01_Gregory_Fresnais_Measuring_WAF_Performance.pdf‎|download]]) &lt;br /&gt;
* Web 2.0 Hacking, Nimrod Luria, Qrity ([[Media:OWASP_Israel_2009_01_Nimrod_Luria_Web_2.0_Security.pdf‎|download]])&lt;br /&gt;
* Wiki Security, Ofer Shezaf, Xiom ([http://www.xiom.com/research/wiki_security download])&lt;br /&gt;
|}&lt;br /&gt;
&amp;lt;!-- 5th Tab end --&amp;gt;&lt;br /&gt;
&lt;br /&gt;
&amp;lt;!-- Above the following line = Heading 1 = will create a new tab --&amp;gt;&lt;br /&gt;
&amp;lt;headertabs/&amp;gt;&lt;br /&gt;
&amp;lt;!-- Below this line = Heading 1 = will not create tabs anymore --&amp;gt;&lt;br /&gt;
&lt;br /&gt;
= Chapter Sponsors = &lt;br /&gt;
&lt;br /&gt;
The OWASP Israel chapter's yearly activity is being supported by the generous sponsorship of the following companies: &lt;br /&gt;
&lt;br /&gt;
{{Template:OWASP_Israel_Sponsors}} &lt;br /&gt;
&lt;br /&gt;
[[Category:Middle East]] [[Category:Europe]]&lt;/div&gt;</summary>
		<author><name>Avi Douglen</name></author>	</entry>

	<entry>
		<id>https://wiki.owasp.org/index.php?title=OWASP_Israel_June_2017&amp;diff=231363</id>
		<title>OWASP Israel June 2017</title>
		<link rel="alternate" type="text/html" href="https://wiki.owasp.org/index.php?title=OWASP_Israel_June_2017&amp;diff=231363"/>
				<updated>2017-07-06T10:50:12Z</updated>
		
		<summary type="html">&lt;p&gt;Avi Douglen: category&lt;/p&gt;
&lt;hr /&gt;
&lt;div&gt;The 3rd meeting of the Israeli chapter of OWASP in 2017 was held on Tuesday, June 20th, at 17:00. &lt;br /&gt;
&lt;br /&gt;
The meeting was hosted by Intuit Israel, HaHarash St. 4, Hod Hasharon, Israel.&lt;br /&gt;
&lt;br /&gt;
Attendance was free, as always. Here is the link to the Meetup event:   &lt;br /&gt;
https://www.meetup.com/OWASP-Israel/events/240224137/&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
== Agenda: ==&lt;br /&gt;
 &lt;br /&gt;
&lt;br /&gt;
''' 17:00 &amp;lt;br/&amp;gt;   '''&lt;br /&gt;
'''Gathering, food, and drinks (KOSHER)'''  &lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
''' 17:30 &amp;lt;br/&amp;gt;   '''&lt;br /&gt;
''' Introductions and Opening Notes '''&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
''' 17:45 – Encrypting Data at Scale ''' &amp;lt;br/&amp;gt;&lt;br /&gt;
''' Gleb Keselman, Intuit Data Protection Services ''' &amp;lt;br/&amp;gt;&lt;br /&gt;
&lt;br /&gt;
Intuit's internal key management service served, just over a month ago, to encrypt the tax and financial history of more than 30 million American citizens. Overall, this required 2 billion cryptographic operations to encrypt and decrypt application data.  &lt;br /&gt;
&lt;br /&gt;
Scaling a key management service requires a combination of system-level best practices along with novel cryptographic solutions. We will discuss how we are able to achieve a high level of security, combined with ease of use for developers and great performance.  &lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
''' 18:30 – &amp;quot;... well then, we have an OWASP Top 10 opportunity&amp;quot; ''' &amp;lt;br/&amp;gt;&lt;br /&gt;
''' Josh Grossman, Comsec Group ''' &amp;lt;br/&amp;gt;&lt;br /&gt;
&lt;br /&gt;
A couple of months ago the draft 2017 version of the OWASP Top 10 list was released and with it came some surprises and some controversy.  &lt;br /&gt;
&lt;br /&gt;
Whilst the Top 10 is very widely used, many people do not realise how it is actually produced and what it is based on. When I dug into the process behind it, the picture became even more concerning.   &lt;br /&gt;
&lt;br /&gt;
In this session, I will explain the basis of the latest Top 10 list, summarise the reaction to the recent release and give my take on what I think should be done next. I will also suggest how we can use the Top 10 list and other OWASP projects to give better application security advice and also how we can contribute back. &lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
''' 19:15 - Coffee Break ''' &amp;lt;br/&amp;gt;&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
''' 19:30 – Cloud Security for Startups - From A to E(xit) ''' &amp;lt;br/&amp;gt;&lt;br /&gt;
''' Shahar Maor, Outbrain ''' &amp;lt;br/&amp;gt;&lt;br /&gt;
''' Eitan Satmary, Wix ''' &amp;lt;br/&amp;gt;&lt;br /&gt;
&lt;br /&gt;
Founding a startup is hard work. The daily roller coaster can exhaust you fast. And on top of that, you need to cope with information security challenges, compliance and tough questions from customers.  &lt;br /&gt;
&lt;br /&gt;
The Israeli chapter of the Cloud Security Alliance is helping the local startup community cope with those challenges. Over the last couple of years we have identified a gap in the InfoSec knowledge and produced a Best Practices manual, designed for startups that rely on Cloud infrastructure. This talk is a digest of a paper created by the Israeli Chapter of the CSA to help Software-as-a-Service startups (SaaS-SUs) gain and maintain client trust, by building solid security foundations. &lt;br /&gt;
&lt;br /&gt;
Link to the paper: https://chapters.cloudsecurityalliance.org/israel/papers/ &lt;br /&gt;
&lt;br /&gt;
[[Category:Israel]]&lt;/div&gt;</summary>
		<author><name>Avi Douglen</name></author>	</entry>

	<entry>
		<id>https://wiki.owasp.org/index.php?title=OWASP_Israel_June_2017&amp;diff=231362</id>
		<title>OWASP Israel June 2017</title>
		<link rel="alternate" type="text/html" href="https://wiki.owasp.org/index.php?title=OWASP_Israel_June_2017&amp;diff=231362"/>
				<updated>2017-07-06T10:47:40Z</updated>
		
		<summary type="html">&lt;p&gt;Avi Douglen: Created page with &amp;quot;The 3rd meeting of the Israeli chapter of OWASP in 2017 was held on Tuesday, June 20th, at 17:00.   The meeting was hosted by Intuit Israel, HaHarash St. 4, Hod Hasharon, Isra...&amp;quot;&lt;/p&gt;
&lt;hr /&gt;
&lt;div&gt;The 3rd meeting of the Israeli chapter of OWASP in 2017 was held on Tuesday, June 20th, at 17:00. &lt;br /&gt;
&lt;br /&gt;
The meeting was hosted by Intuit Israel, HaHarash St. 4, Hod Hasharon, Israel.&lt;br /&gt;
&lt;br /&gt;
Attendance was free as always, here is the link to the Meetup event:   &lt;br /&gt;
https://www.meetup.com/OWASP-Israel/events/240224137/&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
== Agenda: ==&lt;br /&gt;
 &lt;br /&gt;
&lt;br /&gt;
''' 17:00 &amp;lt;br/&amp;gt;   '''&lt;br /&gt;
'''Gathering, food, and drinks (KOSHER)'''  &lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
''' 17:30 &amp;lt;br/&amp;gt;   '''&lt;br /&gt;
''' Introductions and Opening Notes '''&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
''' 17:45 – Encrypting Data at Scale ''' &amp;lt;br/&amp;gt;&lt;br /&gt;
''' Gleb Keselman, Intuit Data Protection Services ''' &amp;lt;br/&amp;gt;&lt;br /&gt;
&lt;br /&gt;
Intuit's internal key management service served, just over a month ago, to encrypt the tax and financial history of more than 30 million American citizens. Overall, this required 2 billion cryptographic operations to encrypt and decrypt application data.  &lt;br /&gt;
&lt;br /&gt;
Scaling a key management service requires a combination of system-level best practices along with novel cryptographic solutions. We will discuss how we are able to achieve a high level of security, combined with ease of use for developers and great performance.  &lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
''' 18:30 – &amp;quot;... well then, we have an OWASP Top 10 opportunity&amp;quot; ''' &amp;lt;br/&amp;gt;&lt;br /&gt;
''' Josh Grossman, Comsec Group ''' &amp;lt;br/&amp;gt;&lt;br /&gt;
&lt;br /&gt;
A couple of months ago the draft 2017 version of the OWASP Top 10 list was released and with it came some surprises and some controversy.  &lt;br /&gt;
&lt;br /&gt;
Whilst the Top 10 is very widely used, many people do not realise how it is actually produced and what it is based on. When I dug into the process behind it, the picture became even more concerning.   &lt;br /&gt;
&lt;br /&gt;
In this session, I will explain the basis of the latest Top 10 list, summarise the reaction to the recent release and give my take on what I think should be done next. I will also suggest how we can use the Top 10 list and other OWASP projects to give better application security advice and also how we can contribute back. &lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
''' 19:15 - Coffee Break ''' &amp;lt;br/&amp;gt;&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
''' 19:30 – Cloud Security for Startups - From A to E(xit) ''' &amp;lt;br/&amp;gt;&lt;br /&gt;
''' Shahar Maor, Outbrain ''' &amp;lt;br/&amp;gt;&lt;br /&gt;
''' Eitan Satmary, Wix ''' &amp;lt;br/&amp;gt;&lt;br /&gt;
&lt;br /&gt;
Founding a startup is hard work. The daily roller coaster can exhaust you fast. And on top of that, you need to cope with information security challenges, compliance and tough questions from customers.  &lt;br /&gt;
&lt;br /&gt;
The Israeli chapter of the Cloud Security Alliance is helping the local startup community cope with those challenges. Over the last couple of years we have identified a gap in the InfoSec knowledge and produced a Best Practices manual, designed for startups that rely on Cloud infrastructure. This talk is a digest of a paper created by the Israeli Chapter of the CSA to help Software-as-a-Service startups (SaaS-SUs) gain and maintain client trust, by building solid security foundations. &lt;br /&gt;
&lt;br /&gt;
Link to the paper: https://chapters.cloudsecurityalliance.org/israel/papers/ &lt;/div&gt;</summary>
		<author><name>Avi Douglen</name></author>	</entry>

	<entry>
		<id>https://wiki.owasp.org/index.php?title=OWASP_IL_Sponsorship&amp;diff=229580</id>
		<title>OWASP IL Sponsorship</title>
		<link rel="alternate" type="text/html" href="https://wiki.owasp.org/index.php?title=OWASP_IL_Sponsorship&amp;diff=229580"/>
				<updated>2017-05-12T00:57:08Z</updated>
		
		<summary type="html">&lt;p&gt;Avi Douglen: &lt;/p&gt;
&lt;hr /&gt;
&lt;div&gt;[[Category:Israel]]  &lt;br /&gt;
&lt;br /&gt;
OWASP is an open source, non-profit organization. While our activities are free for all, we do have costs, and need your help to make our activities better. &amp;lt;br&amp;gt;&lt;br /&gt;
We are also open to any other non-financial sponsorship ideas that you may have. These are some simple ways in which you can help us:   &lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
== Commercial Sponsoring an OWASP IL conference == &lt;br /&gt;
&lt;br /&gt;
{|&lt;br /&gt;
|-valign=&amp;quot;top&amp;quot;&lt;br /&gt;
| OWASP Israel chapter hosts a Regional Conference once a year, usually in September or October. This year, we are holding the Conference in partnership with the School of Computer Science at the College of Management, in Rishon, Israel. [[Israel#Previous_OWASP_Israel_Conferences_and_Meetings|These conferences]] are always very successful and a large number of people attend.&lt;br /&gt;
&lt;br /&gt;
We encourage companies to sponsor our conferences and help pay for expenses such as refreshments, photography, video, etc. The conferences are not commercial and the cost goes directly to cover expenses. Since the conferences draw an increasingly large number of people, our expenses are also rising accordingly.    &lt;br /&gt;
&lt;br /&gt;
If you or your company benefits from OWASP materials and/or conferences, we encourage you to support us! Moreover, the associated publicity and community goodwill can go a long way. We have several levels of sponsorship available, appropriate for the different organizations that wish to support our activities. Of course, if you are a Corporate Member of OWASP (at any level) and allocate a percentage (20-40%) of your membership fees to the Israel chapter, we can consider those funds as conference sponsorship.  It is also possible to be creative and find non-financial ways to support us and contribute to the successful running of the conference. (If you have any other ideas please contact [mailto:douglen@hotmail.com AviD] directly.)&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
'''Past sponsors include Check Point, Microsoft, F5, IBM, Ernst &amp;amp; Young, Checkmarx, Imperva, Quotium, Akamai, Synopsys and many others'''&lt;br /&gt;
&lt;br /&gt;
| https://www.owasp.org/images/9/96/OWASP_IL_Conf_graphics_small.jpg &lt;br /&gt;
|}&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
=== What You Get for Sponsoring ===&lt;br /&gt;
All sponsors, regardless of sponsorship level, receive the following: &lt;br /&gt;
&lt;br /&gt;
* Many thanks, and hopefully a very good feeling of helping the community.&lt;br /&gt;
&lt;br /&gt;
* Access to all the tools, guides, and libraries OWASP makes available for everybody - if you benefit from these, support the organization! &lt;br /&gt;
&lt;br /&gt;
* Logo on the conference page. &lt;br /&gt;
&lt;br /&gt;
* In general, if there is something else specific that you may want, and is within the OWASP guidelines, please let us know.&lt;br /&gt;
&lt;br /&gt;
==== Platinum Sponsors (3 max) ==== &lt;br /&gt;
&lt;br /&gt;
* Largest booth area, where you can put up a &amp;quot;roll up&amp;quot; poster or two, and even a &amp;quot;pop-up&amp;quot; style booth (space permitting) to hand out your brochures and freebies. &lt;br /&gt;
&lt;br /&gt;
* Prime booth location and first choice. &lt;br /&gt;
&lt;br /&gt;
* Largest logo on the top of the conference page. &lt;br /&gt;
&lt;br /&gt;
* Logo on the chapter page for the whole year. &lt;br /&gt;
&lt;br /&gt;
* Recognition in all conference literature. &lt;br /&gt;
&lt;br /&gt;
* Explicit mention in conference Opening Speech.&lt;br /&gt;
&lt;br /&gt;
==== Gold Sponsors ====&lt;br /&gt;
&lt;br /&gt;
* A table top style mini booth where you can put up a &amp;quot;roll up&amp;quot; poster or two and hand out your brochures and freebies.&lt;br /&gt;
&lt;br /&gt;
* Good booth location and early choice. &lt;br /&gt;
&lt;br /&gt;
* Large logo near the top of the conference page. &lt;br /&gt;
&lt;br /&gt;
* Logo on the chapter page for the whole year.  &lt;br /&gt;
&lt;br /&gt;
* Recognition in all conference literature. &lt;br /&gt;
&lt;br /&gt;
* Collective mention in conference Opening Speech.&lt;br /&gt;
&lt;br /&gt;
==== Silver Sponsors ====&lt;br /&gt;
&lt;br /&gt;
* A small table top style mini booth where you can put up a &amp;quot;roll up&amp;quot; poster and hand out your brochures and freebies.&lt;br /&gt;
&lt;br /&gt;
* Smaller logo on the conference page. &lt;br /&gt;
&lt;br /&gt;
* Recognition in some conference literature. &lt;br /&gt;
&lt;br /&gt;
* Passive mention in conference Opening Speech. &lt;br /&gt;
&lt;br /&gt;
==== Community Supporters ==== &lt;br /&gt;
&lt;br /&gt;
* The &amp;quot;Community Supporter&amp;quot; level of sponsorship is intended for non-profits, government offices, small startups, and other organizations that have limited finances but wish to show their support for the local OWASP chapter. &lt;br /&gt;
&lt;br /&gt;
* Small logo on the conference page. &lt;br /&gt;
&lt;br /&gt;
* Community Supporters do not get a booth or table at the sponsor's display area, but you can leave a stack of fliers or swag at a central table. &lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
=== What You Don't Get ===&lt;br /&gt;
* List of people registering or attending. You can collect these by yourself in the booth, for example by offering a prize for people filling in details.&lt;br /&gt;
&lt;br /&gt;
* A lecture for money. The conference program is strictly selected on professional terms.&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
=== What We Need Your Money For ===&lt;br /&gt;
&lt;br /&gt;
OWASP is very strictly not-for-profit. We use the sponsorship funds to help make our events even more compelling to the audience while striving to make them free for participants. We want more people to come to our events so we can educate them about making applications more secure.   &lt;br /&gt;
&lt;br /&gt;
We use the money collected from sponsors for things such as:&lt;br /&gt;
&lt;br /&gt;
* '''Lecture videos''' - recording presentations enables them to be available also to people who cannot make it to the conference, and further publicize the contents of the event. &lt;br /&gt;
&lt;br /&gt;
* '''Venue costs''' - this year's conference is being hosted in partnership with the College of Management, so we have minimal direct costs for use of the halls. However there are additional associated costs, for some of the involved logistics such as hiring required equipment. &lt;br /&gt;
&lt;br /&gt;
* '''Refreshments''' - we want to keep people a long time, and we certainly bring good and interesting speakers, yet we don't want people to go home when they become hungry.&lt;br /&gt;
&lt;br /&gt;
* '''Name tags''' - we feel that professional networking and getting to know each other is an important facet of the community, and name tags make this easier.&lt;br /&gt;
&lt;br /&gt;
* '''Promotion''' - Till now, our events are publicized mostly by word of mouth. We would like to get to a wider audience by advertising our events.&lt;br /&gt;
&lt;br /&gt;
* '''Printed Materials''' - We are not very keen on killing trees, but some people learn more from actual printed paper. We would like to hand out certain printed materials in our conferences.&lt;br /&gt;
&lt;br /&gt;
By the way, if you feel that you can contribute to any of these in any way besides money, we will be happy to hear about it.&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
=== What Should You Prepare as a Sponsor ===&lt;br /&gt;
As a sponsor, you are not obliged to do anything. Sponsorship can be philanthropy. However, in order to take advantage of the benefits listed above, we recommend the following:&lt;br /&gt;
&lt;br /&gt;
* Send us a logo file to put on the conference web page. (Note the maximum logo size according to the sponsorship level). &lt;br /&gt;
&lt;br /&gt;
* Prepare a roll-up type poster or equivalent for your table top booth.&lt;br /&gt;
&lt;br /&gt;
* Prepare brochures for handing out to conference attendees.&lt;br /&gt;
&lt;br /&gt;
* You might also want to hold a sweepstake between people who fill in their details in order to collect leads. We will be happy to announce the prize on the conference page. &lt;br /&gt;
&lt;br /&gt;
* Come 30 minutes before the conference starts to set up your booth.&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
For further details contact [mailto:douglen@hotmail.com AviD] or [mailto:katz3112@gmail.com Or Katz].&lt;br /&gt;
&lt;br /&gt;
== Not-for-Profit / Barter Sponsorship of OWASP IL Conferences ==&lt;br /&gt;
&lt;br /&gt;
We are happy to allow any information security related not-for-profit organization to present at our conference expo. You will get, for free, the same benefits that the commercial vendors get. The only condition is that if you hold similar events we would like to present at those events in return.&lt;br /&gt;
&lt;br /&gt;
We extend the same type of barter to commercial organizations that hold events. If you organize an information security related event, we would let you promote it in our expo in return for having presence in your event.&lt;br /&gt;
&lt;br /&gt;
Contact [mailto:douglen@hotmail.com AviD] for further details.&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
== Hosting a meeting ==&lt;br /&gt;
&lt;br /&gt;
We also host regular meetings and look for companies to host or sponsor these meetings. A company that hosts such a meeting is responsible for a meeting location and the refreshments. We need a room that can host at least 150 people. Pizza and drinks are the common refreshments, but alternatives are also OK. Keep in mind that food should be Kosher.&lt;br /&gt;
&lt;br /&gt;
If you want to host such a meeting, contact [mailto:douglen@hotmail.com AviD].&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
== OWASP Membership ==&lt;br /&gt;
&lt;br /&gt;
In addition to sponsoring OWASP Israel, you can also join OWASP as a member. For details, please refer to [http://www.owasp.org/index.php/Membership this page].&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
[[Category:OWASP Israel Meetings]]&lt;/div&gt;</summary>
		<author><name>Avi Douglen</name></author>	</entry>

	<entry>
		<id>https://wiki.owasp.org/index.php?title=Category:Israel&amp;diff=229459</id>
		<title>Category:Israel</title>
		<link rel="alternate" type="text/html" href="https://wiki.owasp.org/index.php?title=Category:Israel&amp;diff=229459"/>
				<updated>2017-05-08T11:04:42Z</updated>
		
		<summary type="html">&lt;p&gt;Avi Douglen: Added sponsors&lt;/p&gt;
&lt;hr /&gt;
&lt;div&gt;[[image:Owasp_Israel_logo.png|center|500px]]&lt;br /&gt;
&lt;br /&gt;
{{Chapter Template|chaptername=Israel|extra=&amp;lt;br&amp;gt;&lt;br /&gt;
&lt;br /&gt;
The chapter leader is '''[mailto:avi.douglen@owasp.org Avi Douglen]'''.&lt;br /&gt;
&lt;br /&gt;
* OWASP Israel Board: '''[mailto:avi.douglen@owasp.org Avi Douglen]''', '''Or Katz''', ''' Ofer Maor''', '''Erez Metula''', '''Hemed Gur Ary''', '''[[User:YossiOren|Dr. Yossi Oren]]'''&lt;br /&gt;
* Chapter Founder: '''[mailto:ofer@shezaf.com Ofer Shezaf]'''&lt;br /&gt;
* [[OWASP_Top10_Hebrew|OWASP Top 10 Hebrew]]: Or Katz&lt;br /&gt;
* Homepage Maintenance: Avi Douglen, Ofer Maor, Yossi Oren&lt;br /&gt;
* Mailing List Management: Avi Douglen, Ofer Maor, Or Katz   &lt;br /&gt;
&lt;br /&gt;
|mailinglistsite=http://lists.owasp.org/mailman/listinfo/owasp-israel|emailarchives=http://lists.owasp.org/pipermail/owasp-israel}}&lt;br /&gt;
&lt;br /&gt;
&amp;lt;paypal&amp;gt;Israel&amp;lt;/paypal&amp;gt;&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
== OWASP Activity ==&lt;br /&gt;
&lt;br /&gt;
* An annual conference, usually in September or October. &lt;br /&gt;
* Periodic meetings. If you would like to host a meeting or speak in one contact [mailto:avi.douglen@owasp.org Avi Douglen] or [mailto:katz3112@gmail.com Or Katz].&lt;br /&gt;
* [[OWASP_Top10_Hebrew|OWASP Top 10 Hebrew translation]].&lt;br /&gt;
* Security discussion forum in Hebrew - on [https://www.facebook.com/groups/owasp.il/ Facebook]. &lt;br /&gt;
* [https://www.linkedin.com/groups/39702 LinkedIn Group] for networking and announcements. &lt;br /&gt;
* [https://owasp.slack.com/messages/chapter-israel/ Chat room for security in Hebrew].&lt;br /&gt;
* [http://www.meetup.com/OWASP-Israel/ Meetings and socialization on Meetup].&lt;br /&gt;
* [https://twitter.com/OWASP_IL Twitter account]. &lt;br /&gt;
* Spreading the Word - Reaching out for more people, especially outside of the AppSec community.&lt;br /&gt;
* [[OWASP_IL_Sponsorship|Sponsorship opportunities]], including #AppSecIL conference sponsorship. &lt;br /&gt;
&lt;br /&gt;
If you have anything else on your mind, please speak up! Contact [mailto:avi.douglen@owasp.org Avi Douglen] with any ideas you have.&lt;br /&gt;
&lt;br /&gt;
== Hebrew Translations ==  &lt;br /&gt;
&lt;br /&gt;
; '''The OWASP Top 10, 2013 version was translated to Hebrew! &amp;lt;br&amp;gt; &lt;br /&gt;
It is now [[OWASP_Top10_Hebrew|available for download]].'''&lt;br /&gt;
&lt;br /&gt;
The [[OWASP_Risk_Rating_Methodology|OWASP Risk Rating Methodology]], part of the [[OWASP_Testing_Project|OWASP Testing Project]], has been translated to Hebrew, and is available for download in [[Media:OWASP_Risk_Rating_Methodology-Hebrew.pdf|PDF format]]. &lt;br /&gt;
Many thanks to Tal Argoni from TriadSec.&lt;br /&gt;
&lt;br /&gt;
== Chapter Sponsors == &lt;br /&gt;
&lt;br /&gt;
The OWASP Israel chapter's yearly activity is being supported by the generous sponsorship of the following companies: &lt;br /&gt;
&lt;br /&gt;
{{Template:OWASP_Israel_Sponsors}} &lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
== Previous OWASP Israel Conferences and Meetings ==&lt;br /&gt;
&lt;br /&gt;
[[OWASP_Israel_April_2017|OWASP Israel April 2017]] took place in Checkmarx's offices, in the Amot Atrium Tower, 2 Jabotinsky St., Ramat Gan, on April 3rd, 2016. Around 75 people attended. &lt;br /&gt;
&lt;br /&gt;
[[OWASP_Israel_January_2017|OWASP Israel January 2017]] took place in Radware’s Tel Aviv offices, at Raul Wallenberg 22, Ramat HaChayal, on January 18th, 2016. Around 120 people attended. &lt;br /&gt;
&lt;br /&gt;
; [[AppSec_Israel_2016|AppSec Israel 2016]] Conference was held on Monday, September 19th, at the College of Management, with more than 650 attendees! (Use the [[AppSec_Israel_2016_Presentations|presentations info page]] to download presentations and videos)&lt;br /&gt;
&lt;br /&gt;
[[OWASP_Israel_June_2016|OWASP Israel June 2016]] took place in the Amdocs Auditorium in Raanana, on June 14, 2016. &lt;br /&gt;
&lt;br /&gt;
[[OWASP_Israel_April_2016|OWASP Israel April 2016]] was held at HP Enterprise in Yehud, on April 12, 2016, with over 150 participants. &lt;br /&gt;
&lt;br /&gt;
[[OWASP_Israel_February_2016|OWASP Israel February 2016]] was held at F5 Networks in Tel Aviv, on February 2, 2016. &lt;br /&gt;
&lt;br /&gt;
; [[AppSec_Israel_2015|AppSec Israel 2015]] Conference was held on October 13th, at the College of Management, with over 550 participants! (Use the [[AppSec_Israel_2015_Presentations|presentations info page]] to download presentations)&lt;br /&gt;
&lt;br /&gt;
[[OWASP_Israel_June_2015|OWASP Israel June 2015]] was held at Microsoft in Herzeliya, on June 16, 2015, with around 120 participants.   &lt;br /&gt;
&lt;br /&gt;
[[OWASP_Israel_March_2015|OWASP Israel March 2015]] was held at NCR in Raanana, on March 30, 2015, with over 120 participants.  &lt;br /&gt;
&lt;br /&gt;
; [[AppSec_Israel_2014|AppSec Israel 2014]] Conference was held on September 2nd, at the IDC, with over 450 participants! (Use the [[AppSec_Israel_2014_Presentations|presentations info page]] to download presentations)&lt;br /&gt;
&lt;br /&gt;
[[OWASP_Israel_June_2014|OWASP Israel June 2014]] was held at F5 Networks in Tel Aviv, on June 16, 2014, with over 110 participants. &lt;br /&gt;
&lt;br /&gt;
[[OWASP_Israel_April_2014|OWASP Israel April 2014]] was held at Akamai in Herzliya Pituach, on April 23, 2014, with close to 100 participants. &lt;br /&gt;
&lt;br /&gt;
[[OWASP_Israel_January_2014|OWASP Israel January 2014]] was held at Amdocs in Ra'anana on January 14th, 2014, with over 120 participants.&lt;br /&gt;
&lt;br /&gt;
; [[OWASP_Israel_2013|OWASP Israel 2013]] Conference held on October 1st with close to 480 participants! (Use the [[OWASP_Israel_2013_Presentations|presentations info page]] to download presentations)&lt;br /&gt;
&lt;br /&gt;
[[OWASP_Israel_2013_05|OWASP Israel May 2013]] was held at RSA on May 28th 2013 with 80 participants.&lt;br /&gt;
&lt;br /&gt;
[[OWASP_Israel_2013_02|OWASP Israel February 2013]]  meeting was held at E&amp;amp;Y on February 12th 2013 ([[OWASP_ISRAEL_2013_02_Hebrew|Hebrew version]]).&lt;br /&gt;
&lt;br /&gt;
;[[OWASP_Israel_2012|OWASP Israel 2012 conference]] Was held at the IDC on Sep 5th 2012.&lt;br /&gt;
&lt;br /&gt;
;[[OWASP_Israel_2011|OWASP Israel 2011 Conference]] Was held in the IDC in Herzliya on Sep 15th 2011, with about 350 attendees. &lt;br /&gt;
&lt;br /&gt;
;[[OWASP_Israel_2010|OWASP Israel 2010 Conference]] Was held in the IDC in Herzliya on Sep 6th 2010 with about 150 attendees.&lt;br /&gt;
&lt;br /&gt;
[[OWASP_Israel_2010_06|OWASP Israel Jun-2010]] meeting was held in IBM/Watchfire in Herzliya on Jun 22nd 2010.&lt;br /&gt;
&lt;br /&gt;
[[OWASP_Israel_2010_02|OWASP Israel Feb-2010]] meeting was held in Amdocs in Ra'anana on Feb 9th 2010 with over 70 attendees.&lt;br /&gt;
&lt;br /&gt;
[[OWASP_Israel_2010_01|OWASP Israel Jan-2010]] meeting was held in Breach Security in Herzliya on Jan 12th 2010 with over 60 attendees.&lt;br /&gt;
&lt;br /&gt;
[[OWASP_Israel_2009_12|OWASP Israel Dec-2009]] meeting was held in IBM/Watchfire in Herzliya in Dec 2009.&lt;br /&gt;
&lt;br /&gt;
;[[OWASP_Israel_2009|OWASP Israel 2009]] conference was held at the Interdisciplinary Center Herzliya on Sunday, September 6th 2009. &lt;br /&gt;
: You can find the agenda and uploaded presentations [[OWASP_Israel_2009|here]].&lt;br /&gt;
&lt;br /&gt;
; [[OWASP_Israel_2009_05|OWASP Israel May 2009 meeting]] was held at IBM in Park Azorim in Petach-Tikva on May 7th. The presentations were:&lt;br /&gt;
* Web-Based Man-in-the-Middle Attack, Adi Sharabani, IBM ([http://blog.watchfire.com/wfblog/2009/02/active-man-in-the-middle-attacks.html more info])&lt;br /&gt;
* Automation Attacks and Counter Measures, Ofer Shezaf, Xiom ([http://www.owasp.org/images/5/58/OWASP_Israel_-_May_2009_-_Ofer_Shezaf_-_Automation_Attacks.pdf presentation])&lt;br /&gt;
: [[OWASP_ISRAEL_2009_05_Hebrew|Full details in Hebrew]]&lt;br /&gt;
&lt;br /&gt;
; [[OWASP_Israel_2009_03|OWASP Israel March 2009 meeting]] was held at the Tel-Aviv University on March 26th, with approximately 60 attendees. The presentations were:&lt;br /&gt;
* Securing cellular web applications, Mikko Saario, Founder, OWASP Finland, Security Architect, Large Telecom Solution Provider ([[Media:OWASP_Israel_-_March_2009_-_Mikko_Saario_-_Web_Application_Security_in_the_Mobile_World.pdf‎|download]])&lt;br /&gt;
* Real world implementation of a PCI DSS compliance key management, Yaron Hakon, [http://www.2bsecure.co.il 2bsecure] ([[Media:OWASP_Israel_-_March_2009_-_Yaron_Hakon_-_PCI_key_managment.pdf‎|download]])&lt;br /&gt;
* Detecting RFI attacks, Or Katz, [http://www.breach.com Breach Security] ([[Media:OWASP_Israel_-_March_2009_-_Or_Katz_-_RFI_detection.pdf‎|download]])&lt;br /&gt;
* WAFEC 2.0 - Do WAFs deliver?, Ofer Shezaf, [http://www.xiom.com Xiom] ([[Media:OWASP_Israel_-_March_2009_-_Ofer_Shezaf_-_Why_WAFs_fail.pdf‎|download]])&lt;br /&gt;
: [[OWASP_ISRAEL_2009_03_Hebrew|Full details in Hebrew]]&lt;br /&gt;
&lt;br /&gt;
; [[OWASP_Israel_2009_01|OWASP Israel January 2009 meeting]] was held at Checkpoint on January 28th, with over 100 people attending. The presentations were:&lt;br /&gt;
* Improving Web Application Firewall testing for better deployment in production network, Gregory Fresnais from BreakingPoint, visiting us from France ([[Media:OWASP_Israel_2009_01_Gregory_Fresnais_Measuring_WAF_Performance.pdf‎|download]]) &lt;br /&gt;
* Web 2.0 Hacking, Nimrod Luria, Qrity ([[Media:OWASP_Israel_2009_01_Nimrod_Luria_Web_2.0_Security.pdf‎|download]])&lt;br /&gt;
* Wiki Security, Ofer Shezaf, Xiom ([http://www.xiom.com/research/wiki_security download])&lt;br /&gt;
&lt;br /&gt;
; [[OWASP_Israel_2008_Conference_at_the_Interdisciplinary_Center_Herzliya|The OWASP Israel 2008 conference at the Interdisciplinary Center Herzliya (IDC)]] was held on September 14th with 250 attendees.&lt;br /&gt;
&lt;br /&gt;
; OWASP Israel at the [http://www.idc.co.il/?showproduct=31108&amp;amp;content_lang=ENG IDC Security Road Show]&lt;br /&gt;
: OWASP sponsored the IDC Security Road Show event in Israel on June 3rd 2008. Thanks to Iris Lev-Ari and Tomer Teller for the help in the OWASP booth.&lt;br /&gt;
&lt;br /&gt;
; [[OWASP_Israel_2007_Conference|OWASP Israel 2007 conference at the Interdisciplinary Center Herzliya (IDC)]]&lt;br /&gt;
: the 1st official OWASP conference in Israel, was held on Dec 3rd 2007 at the Interdisciplinary Center (IDC) Herzliya. The conference really set itself as an event you must come to if you have anything to do with application security. [http://picasaweb.google.com/oshezaf/OWASPIsrael2007 pictures from the conference]&lt;br /&gt;
&lt;br /&gt;
[[Category:Middle East]] [[Category:Europe]]&lt;/div&gt;</summary>
		<author><name>Avi Douglen</name></author>	</entry>

	<entry>
		<id>https://wiki.owasp.org/index.php?title=Template:OWASP_Israel_Sponsors&amp;diff=229458</id>
		<title>Template:OWASP Israel Sponsors</title>
		<link rel="alternate" type="text/html" href="https://wiki.owasp.org/index.php?title=Template:OWASP_Israel_Sponsors&amp;diff=229458"/>
				<updated>2017-05-08T11:00:34Z</updated>
		
		<summary type="html">&lt;p&gt;Avi Douglen: Created page with &amp;quot;&amp;lt;span style=&amp;quot;color:gray; font-size:1.8em; font-family:sans-serif; &amp;quot;&amp;gt;Platinum Sponsors&amp;lt;/span&amp;gt; &amp;lt;hr/&amp;gt;&amp;lt;br/&amp;gt;  {| class=&amp;quot;wikitable&amp;quot; style=&amp;quot;margin:auto; border-spacing:10px; border-c...&amp;quot;&lt;/p&gt;
&lt;hr /&gt;
&lt;div&gt;&amp;lt;span style=&amp;quot;color:gray; font-size:1.8em; font-family:sans-serif; &amp;quot;&amp;gt;Platinum Sponsors&amp;lt;/span&amp;gt; &amp;lt;hr/&amp;gt;&amp;lt;br/&amp;gt;&lt;br /&gt;
&lt;br /&gt;
{| class=&amp;quot;wikitable&amp;quot; style=&amp;quot;margin:auto; border-spacing:10px; border-collapse:collapse;&amp;quot;&lt;br /&gt;
| style=&amp;quot;padding: 10px;&amp;quot; | [[image:Intuit_IL_250.gif|center|link=http://careers.intuit.com/|250x100px]]&lt;br /&gt;
| style=&amp;quot;padding: 10px;&amp;quot; | [[image:SafeBreach_logo.png|center|link=https://www.safebreach.com/|250x100px]] &lt;br /&gt;
| style=&amp;quot;padding: 10px;&amp;quot; | [[image:GE_digital_logo.png|center|link=https://www.ge.com/digital/|250x100px]] &lt;br /&gt;
|}&lt;br /&gt;
&amp;lt;br/&amp;gt; &lt;br /&gt;
&lt;br /&gt;
&amp;lt;span style=&amp;quot;color:gold; font-size:1.5em; font-family:sans-serif; &amp;quot;&amp;gt;Gold Sponsors&amp;lt;/span&amp;gt; &amp;lt;hr/&amp;gt;&amp;lt;br/&amp;gt;&lt;br /&gt;
&lt;br /&gt;
{| class=&amp;quot;wikitable&amp;quot; style=&amp;quot;margin: auto;&amp;quot;&lt;br /&gt;
|-&lt;br /&gt;
| style=&amp;quot;text-align:center;&amp;quot; | [[image:OWASPIL_ColMan.jpg|link=https://www.colman.ac.il/|225x90px]] &lt;br /&gt;
| style=&amp;quot;text-align:center;&amp;quot; | [[image:AppSecLabsIL_New.jpg|link=https://www.appsec-labs.com/|225x90px]] &lt;br /&gt;
| style=&amp;quot;text-align:center;&amp;quot; | [[image:Akamai_LogoIL_Gold.png|link=https://www.akamai.com/|225x90px]] &lt;br /&gt;
|-&lt;br /&gt;
| style=&amp;quot;text-align:center;&amp;quot; |[[image:Synopsys_375.jpg|center|link=https://www.synopsys.com/software/pages/default.aspx|225x90px]]&lt;br /&gt;
| style=&amp;quot;text-align:center;&amp;quot; | [[image:Imperva_logox375.png|link=https://www.imperva.com/|225x90px]]&lt;br /&gt;
| style=&amp;quot;text-align:center;&amp;quot; | [[image:PMO_Israel_logo.png|link=|225x90px]]&lt;br /&gt;
|}&lt;br /&gt;
&amp;lt;br/&amp;gt;&lt;/div&gt;</summary>
		<author><name>Avi Douglen</name></author>	</entry>

	<entry>
		<id>https://wiki.owasp.org/index.php?title=File:Intuit_IL_250.gif&amp;diff=229457</id>
		<title>File:Intuit IL 250.gif</title>
		<link rel="alternate" type="text/html" href="https://wiki.owasp.org/index.php?title=File:Intuit_IL_250.gif&amp;diff=229457"/>
				<updated>2017-05-08T10:59:43Z</updated>
		
		<summary type="html">&lt;p&gt;Avi Douglen: &lt;/p&gt;
&lt;hr /&gt;
&lt;div&gt;&lt;/div&gt;</summary>
		<author><name>Avi Douglen</name></author>	</entry>

	<entry>
		<id>https://wiki.owasp.org/index.php?title=OWASP_Israel_April_2017&amp;diff=228481</id>
		<title>OWASP Israel April 2017</title>
		<link rel="alternate" type="text/html" href="https://wiki.owasp.org/index.php?title=OWASP_Israel_April_2017&amp;diff=228481"/>
				<updated>2017-04-07T12:59:00Z</updated>
		
		<summary type="html">&lt;p&gt;Avi Douglen: &lt;/p&gt;
&lt;hr /&gt;
&lt;div&gt;The Israeli chapter of OWASP will hold its 2nd meeting of 2017 on Monday, April 3rd, at 17:00. &lt;br /&gt;
&lt;br /&gt;
The meeting will be held at Checkmarx's office, in the Amot Atrium Tower, 2 Jabotinsky St., Ramat Gan. &lt;br /&gt;
&lt;br /&gt;
Attendance is free of course, but you must register if you are planning to attend:   &lt;br /&gt;
https://www.meetup.com/OWASP-Israel/events/238112640/&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
== Agenda: ==&lt;br /&gt;
 &lt;br /&gt;
&lt;br /&gt;
''' 17:00 &amp;lt;br/&amp;gt;   '''&lt;br /&gt;
'''Gathering, food, and drinks (KOSHER)'''  &lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
''' 17:30 &amp;lt;br/&amp;gt;   '''&lt;br /&gt;
''' Introductions and Opening Notes '''&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
''' 17:45 – The Borders are Dissolving – Application Security Crystal Ball ''' &amp;lt;br/&amp;gt;&lt;br /&gt;
''' Maty Siman, Checkmarx ''' &amp;lt;br/&amp;gt;&lt;br /&gt;
&lt;br /&gt;
Over several years applications have become central to anything we do. Whether web, mobile or even IoT applications, they all control almost every aspect of our daily lives. For that exact same reason they have also become the hacker’s new best friend. But it seems that there is a change happening and it isn’t being discussed as often as it should. Data and financial gain is still considered the end goal but the how is dramatically changing. &lt;br /&gt;
&lt;br /&gt;
Join us to try to envision what kind of attacks we will be seeing in the near future, how and who will be taking or dropping responsibility and how modern development practices may benefit attack techniques.&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
''' 18:30 - Automated security tests using ZAP and Webdriver.io ''' &amp;lt;br/&amp;gt;&lt;br /&gt;
''' Omer Levi Hevroni, Soluto  ''' &amp;lt;br/&amp;gt;&lt;br /&gt;
([[Media:OWASPIL-2017-04-03_Automated-tests-ZAP-Webdriverio_OmerLeviHevroni.pdf|download presentation]])&lt;br /&gt;
&lt;br /&gt;
Webdriver.io is a great framework for writing automation tests for your webapp. With very little configuration you can easily integrate ZAP's passive scan into those tests, and upgrade those tests into automated security scanning – benefiting from all the useful things that ZAP is able to detect. I am going to cover how we did this at Soluto – and as we run everything using Docker containers, it is very easy to reproduce this setup for any webapp with existing Webdriver.io/Selenium tests. &lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
''' 19:15 – Coffee break  ''' &amp;lt;br/&amp;gt;&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
''' 19:30 – WebShell AV signature bypass and identification ''' &amp;lt;br/&amp;gt;&lt;br /&gt;
''' Gil Cohen, Comsec ''' &amp;lt;br/&amp;gt;&lt;br /&gt;
([[Media:OWASPIL-2017-04-03_WebShell-AV-Signature-Bypass_GilCohen.pdf|download presentation]])&lt;br /&gt;
&lt;br /&gt;
Ever wondered how easy or hard it is to trick a signature-based defensive product? Ever wanted to bypass such a product to upload your own malicious web-shell file to an attacked web server? This lecture is for you!&lt;br /&gt;
In a very lightweight, straightforward and eye-opening talk I’m going to show how easy it is to upload a slightly modified version of the famous C99 webshell, to get full control over a web server, and how ineffective the signature-based modules of defensive products are. I’m also going to show tips on how to identify a web-shell, and present 2 open-source tools that try to do just that.&lt;/div&gt;</summary>
		<author><name>Avi Douglen</name></author>	</entry>

	<entry>
		<id>https://wiki.owasp.org/index.php?title=File:OWASPIL-2017-04-03_WebShell-AV-Signature-Bypass_GilCohen.pdf&amp;diff=228480</id>
		<title>File:OWASPIL-2017-04-03 WebShell-AV-Signature-Bypass GilCohen.pdf</title>
		<link rel="alternate" type="text/html" href="https://wiki.owasp.org/index.php?title=File:OWASPIL-2017-04-03_WebShell-AV-Signature-Bypass_GilCohen.pdf&amp;diff=228480"/>
				<updated>2017-04-07T12:58:50Z</updated>
		
		<summary type="html">&lt;p&gt;Avi Douglen: &lt;/p&gt;
&lt;hr /&gt;
&lt;div&gt;&lt;/div&gt;</summary>
		<author><name>Avi Douglen</name></author>	</entry>

	<entry>
		<id>https://wiki.owasp.org/index.php?title=Category:Israel&amp;diff=228479</id>
		<title>Category:Israel</title>
		<link rel="alternate" type="text/html" href="https://wiki.owasp.org/index.php?title=Category:Israel&amp;diff=228479"/>
				<updated>2017-04-07T12:57:16Z</updated>
		
		<summary type="html">&lt;p&gt;Avi Douglen: &lt;/p&gt;
&lt;hr /&gt;
&lt;div&gt;[[image:Owasp_Israel_logo.png|center|500px]]&lt;br /&gt;
&lt;br /&gt;
{{Chapter Template|chaptername=Israel|extra=&amp;lt;br&amp;gt;&lt;br /&gt;
&lt;br /&gt;
The chapter leader is '''[mailto:avi.douglen@owasp.org Avi Douglen]'''.&lt;br /&gt;
&lt;br /&gt;
* OWASP Israel Board: '''[mailto:avi.douglen@owasp.org Avi Douglen]''', '''Or Katz''', ''' Ofer Maor''', '''Erez Metula''', '''Hemed Gur Ary''', '''[[User:YossiOren|Dr. Yossi Oren]]'''&lt;br /&gt;
* Chapter Founder: '''[mailto:ofer@shezaf.com Ofer Shezaf]'''&lt;br /&gt;
* [[OWASP_Top10_Hebrew|OWASP Top 10 Hebrew]]: Or Katz&lt;br /&gt;
* Homepage Maintenance: Avi Douglen, Ofer Maor, Yossi Oren&lt;br /&gt;
* Mailing List Management: Avi Douglen, Ofer Maor, Or Katz   &lt;br /&gt;
&lt;br /&gt;
|mailinglistsite=http://lists.owasp.org/mailman/listinfo/owasp-israel|emailarchives=http://lists.owasp.org/pipermail/owasp-israel}}&lt;br /&gt;
&lt;br /&gt;
&amp;lt;paypal&amp;gt;Israel&amp;lt;/paypal&amp;gt;&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
== OWASP Activity ==&lt;br /&gt;
&lt;br /&gt;
* An annual conference, usually in September or October. &lt;br /&gt;
* Periodic meetings. If you would like to host a meeting or speak at one, contact [mailto:avi.douglen@owasp.org Avi Douglen] or [mailto:katz3112@gmail.com Or Katz].&lt;br /&gt;
* [[OWASP_Top10_Hebrew|OWASP Top 10 Hebrew translation]].&lt;br /&gt;
* Security discussion forum in Hebrew - on [https://www.facebook.com/groups/owasp.il/ Facebook]. &lt;br /&gt;
* [https://www.linkedin.com/groups/39702 LinkedIn Group] for networking and announcements. &lt;br /&gt;
* [https://owasp.slack.com/messages/chapter-israel/ Chat room for security in Hebrew].&lt;br /&gt;
* [http://www.meetup.com/OWASP-Israel/ Meetings and socialization on Meetup].&lt;br /&gt;
* [https://twitter.com/OWASP_IL Twitter account]. &lt;br /&gt;
* Spreading the Word - Reaching out for more people, especially outside of the AppSec community.&lt;br /&gt;
* [[OWASP_IL_Sponsorship|Sponsorship opportunities]], including #AppSecIL conference sponsorship. &lt;br /&gt;
&lt;br /&gt;
If you have anything else on your mind, please speak up! Contact [mailto:avi.douglen@owasp.org Avi Douglen] with any ideas you have.&lt;br /&gt;
&lt;br /&gt;
== Hebrew Translations ==  &lt;br /&gt;
&lt;br /&gt;
; '''The OWASP Top 10, 2013 version was translated to Hebrew! &amp;lt;br&amp;gt; &lt;br /&gt;
It is now [[OWASP_Top10_Hebrew|available for download]].'''&lt;br /&gt;
&lt;br /&gt;
The [[OWASP_Risk_Rating_Methodology|OWASP Risk Rating Methodology]], part of the [[OWASP_Testing_Project|OWASP Testing Project]], has been translated to Hebrew, and is available for download in [[Media:OWASP_Risk_Rating_Methodology-Hebrew.pdf|PDF format]]. &lt;br /&gt;
Many thanks to Tal Argoni from TriadSec.&lt;br /&gt;
&lt;br /&gt;
== Previous OWASP Israel Conferences and Meetings ==&lt;br /&gt;
&lt;br /&gt;
[[OWASP_Israel_April_2017|OWASP Israel April 2017]] took place in Checkmarx's offices, in the Amot Atrium Tower, 2 Jabotinsky St., Ramat Gan, on April 3rd, 2016. Around 75 people attended. &lt;br /&gt;
&lt;br /&gt;
[[OWASP_Israel_January_2017|OWASP Israel January 2017]] took place in Radware’s Tel Aviv offices, at Raul Wallenberg 22, Ramat HaChayal, on January 18th, 2016. Around 120 people attended. &lt;br /&gt;
&lt;br /&gt;
; [[AppSec_Israel_2016|AppSec Israel 2016]] Conference was held on Monday, September 19th, at the College of Management, with more than 650 attendees! (Use the [[AppSec_Israel_2016_Presentations|presentations info page]] to download presentations and videos)&lt;br /&gt;
&lt;br /&gt;
[[OWASP_Israel_June_2016|OWASP Israel June 2016]] took place in the Amdocs Auditorium in Raanana, on June 14, 2016. &lt;br /&gt;
&lt;br /&gt;
[[OWASP_Israel_April_2016|OWASP Israel April 2016]] was held at HP Enterprise in Yehud, on April 12, 2016, with over 150 participants. &lt;br /&gt;
&lt;br /&gt;
[[OWASP_Israel_February_2016|OWASP Israel February 2016]] was held at F5 Networks in Tel Aviv, on February 2, 2016. &lt;br /&gt;
&lt;br /&gt;
; [[AppSec_Israel_2015|AppSec Israel 2015]] Conference was held on October 13th, at the College of Management, with over 550 participants! (Use the [[AppSec_Israel_2015_Presentations|presentations info page]] to download presentations)&lt;br /&gt;
&lt;br /&gt;
[[OWASP_Israel_June_2015|OWASP Israel June 2015]] was held at Microsoft in Herzeliya, on June 16, 2015, with around 120 participants.   &lt;br /&gt;
&lt;br /&gt;
[[OWASP_Israel_March_2015|OWASP Israel March 2015]] was held at NCR in Raanana, on March 30, 2015, with over 120 participants.  &lt;br /&gt;
&lt;br /&gt;
; [[AppSec_Israel_2014|AppSec Israel 2014]] Conference was held on September 2nd, at the IDC, with over 450 participants! (Use the [[AppSec_Israel_2014_Presentations|presentations info page]] to download presentations)&lt;br /&gt;
&lt;br /&gt;
[[OWASP_Israel_June_2014|OWASP Israel June 2014]] was held at F5 Networks in Tel Aviv, on June 16, 2014, with over 110 participants. &lt;br /&gt;
&lt;br /&gt;
[[OWASP_Israel_April_2014|OWASP Israel April 2014]] was held at Akamai in Herzliya Pituach, on April 23, 2014, with close to 100 participants. &lt;br /&gt;
&lt;br /&gt;
[[OWASP_Israel_January_2014|OWASP Israel January 2014]] was held at Amdocs in Ra'anana on January 14th, 2014, with over 120 participants.&lt;br /&gt;
&lt;br /&gt;
; [[OWASP_Israel_2013|OWASP Israel 2013]] Conference held on October 1st with close to 480 participants! (Use the [[OWASP_Israel_2013_Presentations|presentations info page]] to download presentations)&lt;br /&gt;
&lt;br /&gt;
[[OWASP_Israel_2013_05|OWASP Israel May 2013]] was held at RSA on May 28th 2013 with 80 participants.&lt;br /&gt;
&lt;br /&gt;
[[OWASP_Israel_2013_02|OWASP Israel February 2013]]  meeting was held at E&amp;amp;Y on February 12th 2013 ([[OWASP_ISRAEL_2013_02_Hebrew|Hebrew version]]).&lt;br /&gt;
&lt;br /&gt;
;[[OWASP_Israel_2012|OWASP Israel 2012 conference]] Was held at the IDC on Sep 5th 2012.&lt;br /&gt;
&lt;br /&gt;
;[[OWASP_Israel_2011|OWASP Israel 2011 Conference]] Was held in the IDC in Herzliya on Sep 15th 2011, with about 350 attendees. &lt;br /&gt;
&lt;br /&gt;
;[[OWASP_Israel_2010|OWASP Israel 2010 Conference]] Was held in the IDC in Herzliya on Sep 6th 2010 with about 150 attendees.&lt;br /&gt;
&lt;br /&gt;
[[OWASP_Israel_2010_06|OWASP Israel Jun-2010]] meeting was held in IBM/Watchfire in Herzliya on Jun 22nd 2010.&lt;br /&gt;
&lt;br /&gt;
[[OWASP_Israel_2010_02|OWASP Israel Feb-2010]] meeting was held in Amdocs in Ra'anana on Feb 9th 2010 with over 70 attendees.&lt;br /&gt;
&lt;br /&gt;
[[OWASP_Israel_2010_01|OWASP Israel Jan-2010]] meeting was held in Breach Security in Herzliya on Jan 12th 2010 with over 60 attendees.&lt;br /&gt;
&lt;br /&gt;
[[OWASP_Israel_2009_12|OWASP Israel Dec-2009]] meeting was held in IBM/Watchfire in Herzliya in Dec 2009.&lt;br /&gt;
&lt;br /&gt;
;[[OWASP_Israel_2009|OWASP Israel 2009]] conference was held at the Interdisciplinary Center Herzliya on Sunday, September 6th 2009. &lt;br /&gt;
: You can find the agenda and uploaded presentations [[OWASP_Israel_2009|here]].&lt;br /&gt;
&lt;br /&gt;
; [[OWASP_Israel_2009_05|OWASP Israel May 2009 meeting]] was held at IBM in Park Azorim in Petach-Tikva on May 7th. The presentations were:&lt;br /&gt;
* Web-Based Man-in-the-Middle Attack, Adi Sharabani, IBM ([http://blog.watchfire.com/wfblog/2009/02/active-man-in-the-middle-attacks.html more info])&lt;br /&gt;
* Automation Attacks and Counter Measures, Ofer Shezaf, Xiom ([http://www.owasp.org/images/5/58/OWASP_Israel_-_May_2009_-_Ofer_Shezaf_-_Automation_Attacks.pdf presentation])&lt;br /&gt;
: [[OWASP_ISRAEL_2009_05_Hebrew|Full details in Hebrew]]&lt;br /&gt;
&lt;br /&gt;
; [[OWASP_Israel_2009_03|OWASP Israel March 2009 meeting]] was held at the Tel-Aviv University on March 26th, with approximately 60 attendees. The presentations were:&lt;br /&gt;
* Securing cellular web applications, Mikko Saario, Founder, OWASP Finland, Security Architect, Large Telecom Solution Provider ([[Media:OWASP_Israel_-_March_2009_-_Mikko_Saario_-_Web_Application_Security_in_the_Mobile_World.pdf‎|download]])&lt;br /&gt;
* Real world implementation of a PCI DSS compliance key management, Yaron Hakon, [http://www.2bsecure.co.il 2bsecure] ([[Media:OWASP_Israel_-_March_2009_-_Yaron_Hakon_-_PCI_key_managment.pdf‎|download]])&lt;br /&gt;
* Detecting RFI attacks, Or Katz, [http://www.breach.com Breach Security] ([[Media:OWASP_Israel_-_March_2009_-_Or_Katz_-_RFI_detection.pdf‎|download]])&lt;br /&gt;
* WAFEC 2.0 - Do WAFs deliver?, Ofer Shezaf, [http://www.xiom.com Xiom] ([[Media:OWASP_Israel_-_March_2009_-_Ofer_Shezaf_-_Why_WAFs_fail.pdf‎|download]])&lt;br /&gt;
: [[OWASP_ISRAEL_2009_03_Hebrew|Full details in Hebrew]]&lt;br /&gt;
&lt;br /&gt;
; [[OWASP_Israel_2009_01|OWASP Israel January 2009 meeting]] was held at Checkpoint on January 28th, with over 100 people attending. The presentations were:&lt;br /&gt;
* Improving Web Application Firewall testing for better deployment in production network, Gregory Fresnais from BreakingPoint, visiting us from France ([[Media:OWASP_Israel_2009_01_Gregory_Fresnais_Measuring_WAF_Performance.pdf‎|download]]) &lt;br /&gt;
* Web 2.0 Hacking, Nimrod Luria, Qrity ([[Media:OWASP_Israel_2009_01_Nimrod_Luria_Web_2.0_Security.pdf‎|download]])&lt;br /&gt;
* Wiki Security, Ofer Shezaf, Xiom ([http://www.xiom.com/research/wiki_security download])&lt;br /&gt;
&lt;br /&gt;
; [[OWASP_Israel_2008_Conference_at_the_Interdisciplinary_Center_Herzliya|The OWASP Israel 2008 conference at the Interdisciplinary Center Herzliya (IDC)]] was held on September 14th with 250 attendees.&lt;br /&gt;
&lt;br /&gt;
; OWASP Israel at the [http://www.idc.co.il/?showproduct=31108&amp;amp;content_lang=ENG IDC Security Road Show]&lt;br /&gt;
: OWASP sponsored the IDC Security Road Show event in Israel on June 3rd 2008. Thanks to Iris Lev-Ari and Tomer Teller for their help at the OWASP booth.&lt;br /&gt;
&lt;br /&gt;
; [[OWASP_Israel_2007_Conference|OWASP Israel 2007 conference at the Interdisciplinary Center Herzliya (IDC)]]&lt;br /&gt;
: the 1st official OWASP conference in Israel, was held on Dec 3rd 2007 at the Interdisciplinary Center (IDC) Herzliya. The conference really established itself as an event you must come to if you have anything to do with application security. [http://picasaweb.google.com/oshezaf/OWASPIsrael2007 pictures from the conference]&lt;br /&gt;
&lt;br /&gt;
[[Category:Middle East]] [[Category:Europe]]&lt;/div&gt;</summary>
		<author><name>Avi Douglen</name></author>	</entry>

	<entry>
		<id>https://wiki.owasp.org/index.php?title=OWASP_Israel_April_2017&amp;diff=228298</id>
		<title>OWASP Israel April 2017</title>
		<link rel="alternate" type="text/html" href="https://wiki.owasp.org/index.php?title=OWASP_Israel_April_2017&amp;diff=228298"/>
				<updated>2017-04-04T12:11:25Z</updated>
		
		<summary type="html">&lt;p&gt;Avi Douglen: &lt;/p&gt;
&lt;hr /&gt;
&lt;div&gt;The Israeli chapter of OWASP will hold its 2nd meeting of 2017 on Monday, April 3rd, at 17:00. &lt;br /&gt;
&lt;br /&gt;
The meeting will be held at Checkmarx's office, in the Amot Atrium Tower, 2 Jabotinsky St., Ramat Gan. &lt;br /&gt;
&lt;br /&gt;
Attendance is free of course, but you must register if you are planning to attend:   &lt;br /&gt;
https://www.meetup.com/OWASP-Israel/events/238112640/&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
== Agenda: ==&lt;br /&gt;
 &lt;br /&gt;
&lt;br /&gt;
''' 17:00 &amp;lt;br/&amp;gt;   '''&lt;br /&gt;
'''Gathering, food, and drinks (KOSHER)'''  &lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
''' 17:30 &amp;lt;br/&amp;gt;   '''&lt;br /&gt;
''' Introductions and Opening Notes '''&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
''' 17:45 – The Borders are Dissolving – Application Security Crystal Ball ''' &amp;lt;br/&amp;gt;&lt;br /&gt;
''' Maty Siman, Checkmarx ''' &amp;lt;br/&amp;gt;&lt;br /&gt;
&lt;br /&gt;
Over several years applications have become central to anything we do. Whether web, mobile or even IoT applications, they all control almost every aspect of our daily lives. For that exact same reason they have also become the hacker’s new best friend. But it seems that there is a change happening and it isn’t being discussed as often as it should. Data and financial gain is still considered the end goal but the how is dramatically changing. &lt;br /&gt;
&lt;br /&gt;
Join us to try to envision what kind of attacks we will be seeing in the near future, how and who will be taking or dropping responsibility and how modern development practices may benefit attack techniques.&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
''' 18:30 - Automated security tests using ZAP and Webdriver.io ''' &amp;lt;br/&amp;gt;&lt;br /&gt;
''' Omer Levi Hevroni, Soluto  ''' &amp;lt;br/&amp;gt;&lt;br /&gt;
([[Media:OWASPIL-2017-04-03_Automated-tests-ZAP-Webdriverio_OmerLeviHevroni.pdf|download presentation]])&lt;br /&gt;
&lt;br /&gt;
Webdriver.io is a great framework for writing automation tests for your webapp. With a very small configuration you can easily integrate ZAP's passive scan into those tests, and upgrade those tests into automated security scanning – by benefiting from all the useful things that ZAP is able to detect. I am going to cover how we did this at Soluto – and as we run everything using Docker containers, it is very easy to reproduce this setup for any webapp with existing Webdriver.io/Selenium tests. &lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
''' 19:15 – Coffee break  ''' &amp;lt;br/&amp;gt;&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
''' 19:30 – WebShell AV signature bypass and identification ''' &amp;lt;br/&amp;gt;&lt;br /&gt;
''' Gil Cohen, Comsec ''' &amp;lt;br/&amp;gt;&lt;br /&gt;
&lt;br /&gt;
Ever wondered how easy or hard it is to trick a signature-based defensive product? Ever wanted to bypass such a product to upload your own malicious web-shell file to an attacked web server? This lecture is for you!&lt;br /&gt;
In a very lightweight, straightforward and eye-opening talk I’m going to show how easy it is to upload a slightly modified version of the famous C99 webshell, to get full control over a web server, and how ineffective the signature-based modules of defensive products are. I’m also going to show tips on how to identify a web-shell, and present 2 open-source tools that try to do just that.&lt;/div&gt;</summary>
		<author><name>Avi Douglen</name></author>	</entry>

	<entry>
		<id>https://wiki.owasp.org/index.php?title=File:OWASPIL-2017-04-03_Automated-tests-ZAP-Webdriverio_OmerLeviHevroni.pdf&amp;diff=228297</id>
		<title>File:OWASPIL-2017-04-03 Automated-tests-ZAP-Webdriverio OmerLeviHevroni.pdf</title>
		<link rel="alternate" type="text/html" href="https://wiki.owasp.org/index.php?title=File:OWASPIL-2017-04-03_Automated-tests-ZAP-Webdriverio_OmerLeviHevroni.pdf&amp;diff=228297"/>
				<updated>2017-04-04T12:11:06Z</updated>
		
		<summary type="html">&lt;p&gt;Avi Douglen: &lt;/p&gt;
&lt;hr /&gt;
&lt;div&gt;&lt;/div&gt;</summary>
		<author><name>Avi Douglen</name></author>	</entry>

	<entry>
		<id>https://wiki.owasp.org/index.php?title=OWASP_Israel_April_2017&amp;diff=228296</id>
		<title>OWASP Israel April 2017</title>
		<link rel="alternate" type="text/html" href="https://wiki.owasp.org/index.php?title=OWASP_Israel_April_2017&amp;diff=228296"/>
				<updated>2017-04-04T12:08:30Z</updated>
		
		<summary type="html">&lt;p&gt;Avi Douglen: &lt;/p&gt;
&lt;hr /&gt;
&lt;div&gt;The Israeli chapter of OWASP will hold its 2nd meeting of 2017 on Monday, April 3rd, at 17:00. &lt;br /&gt;
&lt;br /&gt;
The meeting will be held at Checkmarx's office, in the Amot Atrium Tower, 2 Jabotinsky St., Ramat Gan. &lt;br /&gt;
&lt;br /&gt;
Attendance is free of course, but you must register if you are planning to attend:   &lt;br /&gt;
https://www.meetup.com/OWASP-Israel/events/238112640/&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
== Agenda: ==&lt;br /&gt;
 &lt;br /&gt;
&lt;br /&gt;
''' 17:00 &amp;lt;br/&amp;gt;   '''&lt;br /&gt;
'''Gathering, food, and drinks (KOSHER)'''  &lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
''' 17:30 &amp;lt;br/&amp;gt;   '''&lt;br /&gt;
''' Introductions and Opening Notes '''&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
''' 17:45 – The Borders are Dissolving – Application Security Crystal Ball ''' &amp;lt;br/&amp;gt;&lt;br /&gt;
''' Maty Siman, Checkmarx ''' &amp;lt;br/&amp;gt;&lt;br /&gt;
&lt;br /&gt;
Over several years applications have become central to anything we do. Whether web, mobile or even IoT applications, they all control almost every aspect of our daily lives. For that exact same reason they have also become the hacker’s new best friend. But it seems that there is a change happening and it isn’t being discussed as often as it should. Data and financial gain is still considered the end goal but the how is dramatically changing. &lt;br /&gt;
&lt;br /&gt;
Join us to try to envision what kind of attacks we will be seeing in the near future, how and who will be taking or dropping responsibility and how modern development practices may benefit attack techniques.&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
''' 18:30 - Automated security tests using ZAP and Webdriver.io ''' &amp;lt;br/&amp;gt;&lt;br /&gt;
''' Omer Levi Hevroni, Soluto  ''' &amp;lt;br/&amp;gt;&lt;br /&gt;
([[Media:OWASPIL-2017-04-03_Automated-tests-ZAP-Webdriverio_OmerLeviHevroni.pptx|download presentation]])&lt;br /&gt;
&lt;br /&gt;
Webdriver.io is a great framework for writing automation tests for your webapp. With a very small configuration you can easily integrate ZAP's passive scan into those tests, and upgrade those tests into automated security scanning – by benefiting from all the useful things that ZAP is able to detect. I am going to cover how we did this at Soluto – and as we run everything using Docker containers, it is very easy to reproduce this setup for any webapp with existing Webdriver.io/Selenium tests. &lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
''' 19:15 – Coffee break  ''' &amp;lt;br/&amp;gt;&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
''' 19:30 – WebShell AV signature bypass and identification ''' &amp;lt;br/&amp;gt;&lt;br /&gt;
''' Gil Cohen, Comsec ''' &amp;lt;br/&amp;gt;&lt;br /&gt;
&lt;br /&gt;
Ever wondered how easy or hard it is to trick a signature-based defensive product? Ever wanted to bypass such a product to upload your own malicious web-shell file to an attacked web server? This lecture is for you!&lt;br /&gt;
In a very lightweight, straightforward and eye-opening talk I’m going to show how easy it is to upload a slightly modified version of the famous C99 webshell, to get full control over a web server, and how ineffective the signature-based modules of defensive products are. I’m also going to show tips on how to identify a web-shell, and present 2 open-source tools that try to do just that.&lt;/div&gt;</summary>
		<author><name>Avi Douglen</name></author>	</entry>

	<entry>
		<id>https://wiki.owasp.org/index.php?title=OWASP_Israel_April_2017&amp;diff=228039</id>
		<title>OWASP Israel April 2017</title>
		<link rel="alternate" type="text/html" href="https://wiki.owasp.org/index.php?title=OWASP_Israel_April_2017&amp;diff=228039"/>
				<updated>2017-03-28T22:45:07Z</updated>
		
		<summary type="html">&lt;p&gt;Avi Douglen: Created page with &amp;quot;The 2nd meeting in 2017 of the Israeli chapter of OWASP will hold a meeting on Monday, April 3rd, at 17:00.   The meeting will be held at Checkmarx's office, in the Amot Atriu...&amp;quot;&lt;/p&gt;
&lt;hr /&gt;
&lt;div&gt;The Israeli chapter of OWASP will hold its 2nd meeting of 2017 on Monday, April 3rd, at 17:00. &lt;br /&gt;
&lt;br /&gt;
The meeting will be held at Checkmarx's office, in the Amot Atrium Tower, 2 Jabotinsky St., Ramat Gan. &lt;br /&gt;
&lt;br /&gt;
Attendance is free of course, but you must register if you are planning to attend:   &lt;br /&gt;
https://www.meetup.com/OWASP-Israel/events/238112640/&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
== Agenda: ==&lt;br /&gt;
 &lt;br /&gt;
&lt;br /&gt;
''' 17:00 &amp;lt;br/&amp;gt;   '''&lt;br /&gt;
'''Gathering, food, and drinks (KOSHER)'''  &lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
''' 17:30 &amp;lt;br/&amp;gt;   '''&lt;br /&gt;
''' Introductions and Opening Notes '''&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
''' 17:45 – The Borders are Dissolving – Application Security Crystal Ball ''' &amp;lt;br/&amp;gt;&lt;br /&gt;
''' Amit Ashbel, Checkmarx ''' &amp;lt;br/&amp;gt;&lt;br /&gt;
&lt;br /&gt;
Over several years applications have become central to anything we do. Whether web, mobile or even IoT applications, they all control almost every aspect of our daily lives. For that exact same reason they have also become the hacker’s new best friend. But it seems that there is a change happening and it isn’t being discussed as often as it should. Data and financial gain is still considered the end goal but the how is dramatically changing. &lt;br /&gt;
&lt;br /&gt;
Join us to try to envision what kind of attacks we will be seeing in the near future, how and who will be taking or dropping responsibility and how modern development practices may benefit attack techniques.&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
''' 18:30 - Automated security tests using ZAP and Webdriver.io ''' &amp;lt;br/&amp;gt;&lt;br /&gt;
''' Omer Levi Hevroni, Soluto  ''' &amp;lt;br/&amp;gt;&lt;br /&gt;
&lt;br /&gt;
Webdriver.io is a great framework for writing automation tests for your webapp. With a very small configuration you can easily integrate ZAP's passive scan into those tests, and upgrade those tests into automated security scanning – by benefiting from all the useful things that ZAP is able to detect. I am going to cover how we did this at Soluto – and as we run everything using Docker containers, it is very easy to reproduce this setup for any webapp with existing Webdriver.io/Selenium tests. &lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
''' 19:15 – Coffee break  ''' &amp;lt;br/&amp;gt;&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
''' 19:30 – WebShell AV signature bypass and identification ''' &amp;lt;br/&amp;gt;&lt;br /&gt;
''' Gil Cohen, Comsec ''' &amp;lt;br/&amp;gt;&lt;br /&gt;
&lt;br /&gt;
Ever wondered how easy or hard it is to trick a signature-based defensive product? Ever wanted to bypass such a product to upload your own malicious web-shell file to an attacked web server? This lecture is for you!&lt;br /&gt;
In a very lightweight, straightforward and eye-opening talk I’m going to show how easy it is to upload a slightly modified version of the famous C99 webshell, to get full control over a web server, and how ineffective the signature-based modules of defensive products are. I’m also going to show tips on how to identify a web-shell, and present 2 open-source tools that try to do just that.&lt;/div&gt;</summary>
		<author><name>Avi Douglen</name></author>	</entry>

	<entry>
		<id>https://wiki.owasp.org/index.php?title=Category:Israel&amp;diff=228038</id>
		<title>Category:Israel</title>
		<link rel="alternate" type="text/html" href="https://wiki.owasp.org/index.php?title=Category:Israel&amp;diff=228038"/>
				<updated>2017-03-28T22:36:15Z</updated>
		
		<summary type="html">&lt;p&gt;Avi Douglen: &lt;/p&gt;
&lt;hr /&gt;
&lt;div&gt;[[image:Owasp_Israel_logo.png|center|500px]]&lt;br /&gt;
&lt;br /&gt;
{{Chapter Template|chaptername=Israel|extra=&amp;lt;br&amp;gt;&lt;br /&gt;
&lt;br /&gt;
The chapter leader is '''[mailto:avi.douglen@owasp.org Avi Douglen]'''.&lt;br /&gt;
&lt;br /&gt;
* OWASP Israel Board: '''[mailto:avi.douglen@owasp.org Avi Douglen]''', '''Or Katz''', ''' Ofer Maor''', '''Erez Metula''', '''Hemed Gur Ary''', '''[[User:YossiOren|Dr. Yossi Oren]]'''&lt;br /&gt;
* Chapter Founder: '''[mailto:ofer@shezaf.com Ofer Shezaf]'''&lt;br /&gt;
* [[OWASP_Top10_Hebrew|OWASP Top 10 Hebrew]]: Or Katz&lt;br /&gt;
* Homepage Maintenance: Avi Douglen, Ofer Maor, Yossi Oren&lt;br /&gt;
* Mailing List Management: Avi Douglen, Ofer Maor, Or Katz   &lt;br /&gt;
&lt;br /&gt;
|mailinglistsite=http://lists.owasp.org/mailman/listinfo/owasp-israel|emailarchives=http://lists.owasp.org/pipermail/owasp-israel}}&lt;br /&gt;
&lt;br /&gt;
&amp;lt;paypal&amp;gt;Israel&amp;lt;/paypal&amp;gt;&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
== OWASP Activity ==&lt;br /&gt;
&lt;br /&gt;
* An annual conference, usually in September or October. &lt;br /&gt;
* Periodic meetings. If you would like to host a meeting or speak at one, contact [mailto:avi.douglen@owasp.org Avi Douglen] or [mailto:katz3112@gmail.com Or Katz].&lt;br /&gt;
* [[OWASP_Top10_Hebrew|OWASP Top 10 Hebrew translation]].&lt;br /&gt;
* Security discussion forum in Hebrew - on [https://www.facebook.com/groups/owasp.il/ Facebook]. &lt;br /&gt;
* [https://www.linkedin.com/groups/39702 LinkedIn Group] for networking and announcements. &lt;br /&gt;
* [https://owasp.slack.com/messages/chapter-israel/ Chat room for security in Hebrew].&lt;br /&gt;
* [http://www.meetup.com/OWASP-Israel/ Meetings and socialization on Meetup].&lt;br /&gt;
* [https://twitter.com/OWASP_IL Twitter account]. &lt;br /&gt;
* Spreading the Word - Reaching out for more people, especially outside of the AppSec community.&lt;br /&gt;
* [[OWASP_IL_Sponsorship|Sponsorship opportunities]], including #AppSecIL conference sponsorship. &lt;br /&gt;
&lt;br /&gt;
If you have anything else on your mind, please speak up! Contact [mailto:avi.douglen@owasp.org Avi Douglen] with any ideas you have.&lt;br /&gt;
&lt;br /&gt;
== Hebrew Translations ==  &lt;br /&gt;
&lt;br /&gt;
; '''The OWASP Top 10, 2013 version was translated to Hebrew! &amp;lt;br&amp;gt; &lt;br /&gt;
It is now [[OWASP_Top10_Hebrew|available for download]].'''&lt;br /&gt;
&lt;br /&gt;
The [[OWASP_Risk_Rating_Methodology|OWASP Risk Rating Methodology]], part of the [[OWASP_Testing_Project|OWASP Testing Project]], has been translated to Hebrew, and is available for download in [[Media:OWASP_Risk_Rating_Methodology-Hebrew.pdf|PDF format]]. &lt;br /&gt;
Many thanks to Tal Argoni from TriadSec.&lt;br /&gt;
&lt;br /&gt;
== Previous OWASP Israel Conferences and Meetings ==&lt;br /&gt;
&lt;br /&gt;
[[OWASP_Israel_April_2017|OWASP Israel April 2017]] will take place in Checkmarx's offices, in the Amot Atrium Tower, 2 Jabotinsky St., Ramat Gan, on April 3rd, 2016. &lt;br /&gt;
&lt;br /&gt;
[[OWASP_Israel_January_2017|OWASP Israel January 2017]] took place in Radware’s Tel Aviv offices, at Raul Wallenberg 22, Ramat HaChayal, on January 18th, 2016. Around 120 people attended. &lt;br /&gt;
&lt;br /&gt;
; [[AppSec_Israel_2016|AppSec Israel 2016]] Conference was held on Monday, September 19th, at the College of Management, with more than 650 attendees! (Use the [[AppSec_Israel_2016_Presentations|presentations info page]] to download presentations and videos)&lt;br /&gt;
&lt;br /&gt;
[[OWASP_Israel_June_2016|OWASP Israel June 2016]] took place in the Amdocs Auditorium in Raanana, on June 14, 2016. &lt;br /&gt;
&lt;br /&gt;
[[OWASP_Israel_April_2016|OWASP Israel April 2016]] was held at HP Enterprise in Yehud, on April 12, 2016, with over 150 participants. &lt;br /&gt;
&lt;br /&gt;
[[OWASP_Israel_February_2016|OWASP Israel February 2016]] was held at F5 Networks in Tel Aviv, on February 2, 2016. &lt;br /&gt;
&lt;br /&gt;
; [[AppSec_Israel_2015|AppSec Israel 2015]] Conference was held on October 13th, at the College of Management, with over 550 participants! (Use the [[AppSec_Israel_2015_Presentations|presentations info page]] to download presentations)&lt;br /&gt;
&lt;br /&gt;
[[OWASP_Israel_June_2015|OWASP Israel June 2015]] was held at Microsoft in Herzeliya, on June 16, 2015, with around 120 participants.   &lt;br /&gt;
&lt;br /&gt;
[[OWASP_Israel_March_2015|OWASP Israel March 2015]] was held at NCR in Raanana, on March 30, 2015, with over 120 participants.  &lt;br /&gt;
&lt;br /&gt;
; [[AppSec_Israel_2014|AppSec Israel 2014]] Conference was held on September 2nd, at the IDC, with over 450 participants! (Use the [[AppSec_Israel_2014_Presentations|presentations info page]] to download presentations)&lt;br /&gt;
&lt;br /&gt;
[[OWASP_Israel_June_2014|OWASP Israel June 2014]] was held at F5 Networks in Tel Aviv, on June 16, 2014, with over 110 participants. &lt;br /&gt;
&lt;br /&gt;
[[OWASP_Israel_April_2014|OWASP Israel April 2014]] was held at Akamai in Herzliya Pituach, on April 23, 2014, with close to 100 participants. &lt;br /&gt;
&lt;br /&gt;
[[OWASP_Israel_January_2014|OWASP Israel January 2014]] was held at Amdocs in Ra'anana on January 14th, 2014, with over 120 participants.&lt;br /&gt;
&lt;br /&gt;
; [[OWASP_Israel_2013|OWASP Israel 2013]] Conference held on October 1st with close to 480 participants! (Use the [[OWASP_Israel_2013_Presentations|presentations info page]] to download presentations)&lt;br /&gt;
&lt;br /&gt;
[[OWASP_Israel_2013_05|OWASP Israel May 2013]] was held at RSA on May 28th 2013 with 80 participants.&lt;br /&gt;
&lt;br /&gt;
[[OWASP_Israel_2013_02|OWASP Israel February 2013]]  meeting was held at E&amp;amp;Y on February 12th 2013 ([[OWASP_ISRAEL_2013_02_Hebrew|Hebrew version]]).&lt;br /&gt;
&lt;br /&gt;
;[[OWASP_Israel_2012|OWASP Israel 2012 conference]] Was held at the IDC on Sep 5th 2012.&lt;br /&gt;
&lt;br /&gt;
;[[OWASP_Israel_2011|OWASP Israel 2011 Conference]] Was held in the IDC in Herzliya on Sep 15th 2011, with about 350 attendees. &lt;br /&gt;
&lt;br /&gt;
;[[OWASP_Israel_2010|OWASP Israel 2010 Conference]] Was held in the IDC in Herzliya on Sep 6th 2010 with about 150 attendees.&lt;br /&gt;
&lt;br /&gt;
[[OWASP_Israel_2010_06|OWASP Israel Jun-2010]] meeting was held in IBM/Watchfire in Herzliya on Jun 22nd 2010.&lt;br /&gt;
&lt;br /&gt;
[[OWASP_Israel_2010_02|OWASP Israel Feb-2010]] meeting was held in Amdocs in Ra'anana on Feb 9th 2010 with over 70 attendees.&lt;br /&gt;
&lt;br /&gt;
[[OWASP_Israel_2010_01|OWASP Israel Jan-2010]] meeting was held in Breach Security in Herzliya on Jan 12th 2010 with over 60 attendees.&lt;br /&gt;
&lt;br /&gt;
[[OWASP_Israel_2009_12|OWASP Israel Dec-2009]] meeting was held in IBM/Watchfire in Herzliya in Dec 2009.&lt;br /&gt;
&lt;br /&gt;
;[[OWASP_Israel_2009|OWASP Israel 2009]] conference was held at the Interdisciplinary Center Herzliya on Sunday, September 6th 2009. &lt;br /&gt;
: You can find the agenda and uploaded presentations [[OWASP_Israel_2009|here]].&lt;br /&gt;
&lt;br /&gt;
; [[OWASP_Israel_2009_05|OWASP Israel May 2009 meeting]] was held at IBM in Park Azorim in Petach-Tikva on May 7th. The presentations were:&lt;br /&gt;
* Web-Based Man-in-the-Middle Attack, Adi Sharabani, IBM ([http://blog.watchfire.com/wfblog/2009/02/active-man-in-the-middle-attacks.html more info])&lt;br /&gt;
* Automation Attacks and Counter Measures, Ofer Shezaf, Xiom ([http://www.owasp.org/images/5/58/OWASP_Israel_-_May_2009_-_Ofer_Shezaf_-_Automation_Attacks.pdf presentation])&lt;br /&gt;
: [[OWASP_ISRAEL_2009_05_Hebrew|Full details in Hebrew]]&lt;br /&gt;
&lt;br /&gt;
; [[OWASP_Israel_2009_03|OWASP Israel March 2009 meeting]] was held at the Tel-Aviv University on March 26th, with approximately 60 attendees. The presentations were:&lt;br /&gt;
* Securing cellular web applications, Mikko Saario, Founder, OWASP Finland, Security Architect, Large Telecom Solution Provider ([[Media:OWASP_Israel_-_March_2009_-_Mikko_Saario_-_Web_Application_Security_in_the_Mobile_World.pdf‎|download]])&lt;br /&gt;
* Real world implementation of a PCI DSS compliance key management, Yaron Hakon, [http://www.2bsecure.co.il 2bsecure] ([[Media:OWASP_Israel_-_March_2009_-_Yaron_Hakon_-_PCI_key_managment.pdf‎|download]])&lt;br /&gt;
* Detecting RFI attacks, Or Katz, [http://www.breach.com Breach Security] ([[Media:OWASP_Israel_-_March_2009_-_Or_Katz_-_RFI_detection.pdf‎|download]])&lt;br /&gt;
* WAFEC 2.0 - Do WAFs deliver?, Ofer Shezaf, [http://www.xiom.com Xiom] ([[Media:OWASP_Israel_-_March_2009_-_Ofer_Shezaf_-_Why_WAFs_fail.pdf‎|download]])&lt;br /&gt;
: [[OWASP_ISRAEL_2009_03_Hebrew|Full details in Hebrew]]&lt;br /&gt;
&lt;br /&gt;
; [[OWASP_Israel_2009_01|OWASP Israel January 2009 meeting]] was held at Checkpoint on January 28th, with over 100 people attending. The presentations were:&lt;br /&gt;
* Improving Web Application Firewall testing for better deployment in production network, Gregory Fresnais from BreakingPoint, visiting us from France ([[Media:OWASP_Israel_2009_01_Gregory_Fresnais_Measuring_WAF_Performance.pdf‎|download]]) &lt;br /&gt;
* Web 2.0 Hacking, Nimrod Luria, Qrity ([[Media:OWASP_Israel_2009_01_Nimrod_Luria_Web_2.0_Security.pdf‎|download]])&lt;br /&gt;
* Wiki Security, Ofer Shezaf, Xiom ([http://www.xiom.com/research/wiki_security download])&lt;br /&gt;
&lt;br /&gt;
; [[OWASP_Israel_2008_Conference_at_the_Interdisciplinary_Center_Herzliya|The OWASP Israel 2008 conference at the Interdisciplinary Center Herzliya (IDC)]] was held on September 14th with 250 attendees.&lt;br /&gt;
&lt;br /&gt;
; OWASP Israel at the [http://www.idc.co.il/?showproduct=31108&amp;amp;content_lang=ENG IDC Security Road Show]&lt;br /&gt;
: OWASP sponsored the IDC Security Road Show event in Israel on June 3rd 2008. Thanks to Iris Lev-Ari and Tomer Teller for the help in the OWASP booth.&lt;br /&gt;
&lt;br /&gt;
; [[OWASP_Israel_2007_Conference|OWASP Israel 2007 conference at the Interdisciplinary Center Herzliya (IDC)]]&lt;br /&gt;
: the 1st official OWASP conference in Israel, was held on Dec 3rd 2007 at the Interdisciplinary Center (IDC) Herzliya. The conference really established itself as an event you must come to if you have anything to do with application security. [http://picasaweb.google.com/oshezaf/OWASPIsrael2007 pictures from the conference]&lt;br /&gt;
&lt;br /&gt;
[[Category:Middle East]] [[Category:Europe]]&lt;/div&gt;</summary>
		<author><name>Avi Douglen</name></author>	</entry>

	<entry>
		<id>https://wiki.owasp.org/index.php?title=Category:Israel&amp;diff=226183</id>
		<title>Category:Israel</title>
		<link rel="alternate" type="text/html" href="https://wiki.owasp.org/index.php?title=Category:Israel&amp;diff=226183"/>
				<updated>2017-02-09T02:26:32Z</updated>
		
		<summary type="html">&lt;p&gt;Avi Douglen: /* OWASP Top 10 in Hebrew */&lt;/p&gt;
&lt;hr /&gt;
&lt;div&gt;[[image:Owasp_Israel_logo.png|center|500px]]&lt;br /&gt;
&lt;br /&gt;
{{Chapter Template|chaptername=Israel|extra=&amp;lt;br&amp;gt;&lt;br /&gt;
&lt;br /&gt;
The chapter leader is '''[mailto:avi.douglen@owasp.org Avi Douglen]'''.&lt;br /&gt;
&lt;br /&gt;
* OWASP Israel Board: '''[mailto:avi.douglen@owasp.org Avi Douglen]''', '''Or Katz''', ''' Ofer Maor''', '''Erez Metula''', '''Hemed Gur Ary''', '''[[User:YossiOren|Dr. Yossi Oren]]'''&lt;br /&gt;
* Chapter Founder: '''[mailto:ofer@shezaf.com Ofer Shezaf]'''&lt;br /&gt;
* [[OWASP_Top10_Hebrew|OWASP Top 10 Hebrew]]: Or Katz&lt;br /&gt;
* Homepage Maintenance: Avi Douglen, Ofer Maor, Yossi Oren&lt;br /&gt;
* Mailing List Management: Avi Douglen, Ofer Maor, Or Katz   &lt;br /&gt;
&lt;br /&gt;
|mailinglistsite=http://lists.owasp.org/mailman/listinfo/owasp-israel|emailarchives=http://lists.owasp.org/pipermail/owasp-israel}}&lt;br /&gt;
&lt;br /&gt;
&amp;lt;paypal&amp;gt;Israel&amp;lt;/paypal&amp;gt;&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
== OWASP Activity ==&lt;br /&gt;
&lt;br /&gt;
* An annual conference, usually in September or October. &lt;br /&gt;
* Periodic meetings. If you would like to host a meeting or speak at one, contact [mailto:avi.douglen@owasp.org Avi Douglen] or [mailto:katz3112@gmail.com Or Katz].&lt;br /&gt;
* [[OWASP_Top10_Hebrew|OWASP Top 10 Hebrew translation]].&lt;br /&gt;
* Security discussion forum in Hebrew - on [https://www.facebook.com/groups/owasp.il/ Facebook]. &lt;br /&gt;
* [https://www.linkedin.com/groups/39702 LinkedIn Group] for networking and announcements. &lt;br /&gt;
* [https://owasp.slack.com/messages/chapter-israel/ Chat room for security in Hebrew].&lt;br /&gt;
* [http://www.meetup.com/OWASP-Israel/ Meetings and socialization on Meetup].&lt;br /&gt;
* [https://twitter.com/OWASP_IL Twitter account]. &lt;br /&gt;
* Spreading the Word - Reaching out for more people, especially outside of the AppSec community.&lt;br /&gt;
* [[OWASP_IL_Sponsorship|Sponsorship opportunities]], including #AppSecIL conference sponsorship. &lt;br /&gt;
&lt;br /&gt;
If you have anything else on your mind, please speak up! Contact [mailto:avi.douglen@owasp.org Avi Douglen] with any ideas you have.&lt;br /&gt;
&lt;br /&gt;
== Hebrew Translations ==  &lt;br /&gt;
&lt;br /&gt;
; '''The OWASP Top 10, 2013 version was translated to Hebrew! &amp;lt;br&amp;gt; &lt;br /&gt;
It is now [[OWASP_Top10_Hebrew|available for download]].'''&lt;br /&gt;
&lt;br /&gt;
The [[OWASP_Risk_Rating_Methodology|OWASP Risk Rating Methodology]], part of the [[OWASP_Testing_Project|OWASP Testing Project]], has been translated to Hebrew, and is available for download in [[Media:OWASP_Risk_Rating_Methodology-Hebrew.pdf|PDF format]]. &lt;br /&gt;
Many thanks to Tal Argoni from TriadSec.&lt;br /&gt;
&lt;br /&gt;
== Previous OWASP Israel Conferences and Meetings ==&lt;br /&gt;
&lt;br /&gt;
[[OWASP_Israel_January_2017|OWASP Israel January 2017]] will take place in Radware’s Tel Aviv offices, at Raul Wallenberg 22, Ramat HaChayal, on January 18th, 2016. &lt;br /&gt;
&lt;br /&gt;
; [[AppSec_Israel_2016|AppSec Israel 2016]] Conference was held on Monday, September 19th, at the College of Management, with more than 650 attendees! (Use the [[AppSec_Israel_2016_Presentations|presentations info page]] to download presentations and videos)&lt;br /&gt;
&lt;br /&gt;
[[OWASP_Israel_June_2016|OWASP Israel June 2016]] took place in the Amdocs Auditorium in Raanana, on June 14, 2016. &lt;br /&gt;
&lt;br /&gt;
[[OWASP_Israel_April_2016|OWASP Israel April 2016]] was held at HP Enterprise in Yehud, on April 12, 2016, with over 150 participants. &lt;br /&gt;
&lt;br /&gt;
[[OWASP_Israel_February_2016|OWASP Israel February 2016]] was held at F5 Networks in Tel Aviv, on February 2, 2016. &lt;br /&gt;
&lt;br /&gt;
; [[AppSec_Israel_2015|AppSec Israel 2015]] Conference was held on October 13th, at the College of Management, with over 550 participants! (Use the [[AppSec_Israel_2015_Presentations|presentations info page]] to download presentations)&lt;br /&gt;
&lt;br /&gt;
[[OWASP_Israel_June_2015|OWASP Israel June 2015]] was held at Microsoft in Herzeliya, on June 16, 2015, with around 120 participants.   &lt;br /&gt;
&lt;br /&gt;
[[OWASP_Israel_March_2015|OWASP Israel March 2015]] was held at NCR in Raanana, on March 30, 2015, with over 120 participants.  &lt;br /&gt;
&lt;br /&gt;
; [[AppSec_Israel_2014|AppSec Israel 2014]] Conference was held on September 2nd, at the IDC, with over 450 participants! (Use the [[AppSec_Israel_2014_Presentations|presentations info page]] to download presentations)&lt;br /&gt;
&lt;br /&gt;
[[OWASP_Israel_June_2014|OWASP Israel June 2014]] was held at F5 Networks in Tel Aviv, on June 16, 2014, with over 110 participants. &lt;br /&gt;
&lt;br /&gt;
[[OWASP_Israel_April_2014|OWASP Israel April 2014]] was held at Akamai in Herzliya Pituach, on April 23, 2014, with close to 100 participants. &lt;br /&gt;
&lt;br /&gt;
[[OWASP_Israel_January_2014|OWASP Israel January 2014]] was held at Amdocs in Ra'anana on January 14th, 2014, with over 120 participants.&lt;br /&gt;
&lt;br /&gt;
; [[OWASP_Israel_2013|OWASP Israel 2013]] Conference was held on October 1st with close to 480 participants! (Use the [[OWASP_Israel_2013_Presentations|presentations info page]] to download presentations)&lt;br /&gt;
&lt;br /&gt;
[[OWASP_Israel_2013_05|OWASP Israel May 2013]] was held at RSA on May 28th 2013 with 80 participants.&lt;br /&gt;
&lt;br /&gt;
[[OWASP_Israel_2013_02|OWASP Israel February 2013]]  meeting was held at E&amp;amp;Y on February 12th 2013 ([[OWASP_ISRAEL_2013_02_Hebrew|Hebrew version]]).&lt;br /&gt;
&lt;br /&gt;
;[[OWASP_Israel_2012|OWASP Israel 2012 conference]] was held at the IDC on Sep 5th 2012.&lt;br /&gt;
&lt;br /&gt;
;[[OWASP_Israel_2011|OWASP Israel 2011 Conference]] was held in the IDC in Herzliya on Sep 15th 2011, with about 350 attendees. &lt;br /&gt;
&lt;br /&gt;
;[[OWASP_Israel_2010|OWASP Israel 2010 Conference]] was held in the IDC in Herzliya on Sep 6th 2010 with about 150 attendees.&lt;br /&gt;
&lt;br /&gt;
[[OWASP_Israel_2010_06|OWASP Israel Jun-2010]] meeting was held in IBM/Watchfire in Herzliya on Jun 22nd 2010.&lt;br /&gt;
&lt;br /&gt;
[[OWASP_Israel_2010_02|OWASP Israel Feb-2010]] meeting was held in Amdocs in Ra'anana on Feb 9th 2010 with over 70 attendees.&lt;br /&gt;
&lt;br /&gt;
[[OWASP_Israel_2010_01|OWASP Israel Jan-2010]] meeting was held in Breach Security in Herzliya on Jan 12th 2010 with over 60 attendees.&lt;br /&gt;
&lt;br /&gt;
[[OWASP_Israel_2009_12|OWASP Israel Dec-2009]] meeting was held in IBM/Watchfire in Herzliya in Dec 2009.&lt;br /&gt;
&lt;br /&gt;
;[[OWASP_Israel_2009|OWASP Israel 2009]] conference was held at the Interdisciplinary Center Herzliya on Sunday, September 6th 2009. &lt;br /&gt;
: You can find the agenda and uploaded presentations [[OWASP_Israel_2009|here]].&lt;br /&gt;
&lt;br /&gt;
; [[OWASP_Israel_2009_05|OWASP Israel May 2009 meeting]] was held at IBM in Park Azorim in Petach-Tikva on May 7th. The presentations were:&lt;br /&gt;
* Web-Based Man-in-the-Middle Attack, Adi Sharabani, IBM ([http://blog.watchfire.com/wfblog/2009/02/active-man-in-the-middle-attacks.html more info])&lt;br /&gt;
* Automation Attacks and Counter Measures, Ofer Shezaf, Xiom ([http://www.owasp.org/images/5/58/OWASP_Israel_-_May_2009_-_Ofer_Shezaf_-_Automation_Attacks.pdf presentation])&lt;br /&gt;
: [[OWASP_ISRAEL_2009_05_Hebrew|Full details in Hebrew]]&lt;br /&gt;
&lt;br /&gt;
; [[OWASP_Israel_2009_03|OWASP Israel March 2009 meeting]] was held at the Tel-Aviv University on March 26th, with approximately 60 attendees. The presentations were:&lt;br /&gt;
* Securing cellular web applications, Mikko Saario, Founder, OWASP Finland, Security Architect, Large Telecom Solution Provider ([[Media:OWASP_Israel_-_March_2009_-_Mikko_Saario_-_Web_Application_Security_in_the_Mobile_World.pdf‎|download]])&lt;br /&gt;
* Real world implementation of a PCI DSS compliance key management, Yaron Hakon, [http://www.2bsecure.co.il 2bsecure] ([[Media:OWASP_Israel_-_March_2009_-_Yaron_Hakon_-_PCI_key_managment.pdf‎|download]])&lt;br /&gt;
* Detecting RFI attacks, Or Katz, [http://www.breach.com Breach Security] ([[Media:OWASP_Israel_-_March_2009_-_Or_Katz_-_RFI_detection.pdf‎|download]])&lt;br /&gt;
* WAFEC 2.0 - Do WAFs deliver?, Ofer Shezaf, [http://www.xiom.com Xiom] ([[Media:OWASP_Israel_-_March_2009_-_Ofer_Shezaf_-_Why_WAFs_fail.pdf‎|download]])&lt;br /&gt;
: [[OWASP_ISRAEL_2009_03_Hebrew|Full details in Hebrew]]&lt;br /&gt;
&lt;br /&gt;
; [[OWASP_Israel_2009_01|OWASP Israel January 2009 meeting]] was held at Checkpoint on January 28th, with over 100 people attending. The presentations were:&lt;br /&gt;
* Improving Web Application Firewall testing for better deployment in production network, Gregory Fresnais from BreakingPoint, visiting us from France ([[Media:OWASP_Israel_2009_01_Gregory_Fresnais_Measuring_WAF_Performance.pdf‎|download]]) &lt;br /&gt;
* Web 2.0 Hacking, Nimrod Luria, Qrity ([[Media:OWASP_Israel_2009_01_Nimrod_Luria_Web_2.0_Security.pdf‎|download]])&lt;br /&gt;
* Wiki Security, Ofer Shezaf, Xiom ([http://www.xiom.com/research/wiki_security download])&lt;br /&gt;
&lt;br /&gt;
; [[OWASP_Israel_2008_Conference_at_the_Interdisciplinary_Center_Herzliya|The OWASP Israel 2008 conference at the Interdisciplinary Center Herzliya (IDC)]] was held on September 14th with 250 attendees.&lt;br /&gt;
&lt;br /&gt;
; OWASP Israel at the [http://www.idc.co.il/?showproduct=31108&amp;amp;content_lang=ENG IDC Security Road Show]&lt;br /&gt;
: OWASP sponsored the IDC Security Road Show event in Israel on June 3rd 2008. Thanks to Iris Lev-Ari and Tomer Teller for the help in the OWASP booth.&lt;br /&gt;
&lt;br /&gt;
; [[OWASP_Israel_2007_Conference|OWASP Israel 2007 conference at the Interdisciplinary Center Herzliya (IDC)]]&lt;br /&gt;
: the 1st official OWASP conference in Israel, was held on Dec 3rd 2007 at the Interdisciplinary Center (IDC) Herzliya. The conference really established itself as an event you must come to if you have anything to do with application security. [http://picasaweb.google.com/oshezaf/OWASPIsrael2007 pictures from the conference]&lt;br /&gt;
&lt;br /&gt;
[[Category:Middle East]] [[Category:Europe]]&lt;/div&gt;</summary>
		<author><name>Avi Douglen</name></author>	</entry>

	<entry>
		<id>https://wiki.owasp.org/index.php?title=OWASP_Testing_Project&amp;diff=226182</id>
		<title>OWASP Testing Project</title>
		<link rel="alternate" type="text/html" href="https://wiki.owasp.org/index.php?title=OWASP_Testing_Project&amp;diff=226182"/>
				<updated>2017-02-09T02:18:04Z</updated>
		
		<summary type="html">&lt;p&gt;Avi Douglen: /* Translations */&lt;/p&gt;
&lt;hr /&gt;
&lt;div&gt;{{OWASP Breakers}}&lt;br /&gt;
{{OWASP Book|5691953}}&lt;br /&gt;
{{Social Media Links}}&lt;br /&gt;
= New OWASP Testing Guide  =&lt;br /&gt;
&amp;lt;div style=&amp;quot;width:100%;height:90px;border:0,margin:0;overflow: hidden;&amp;quot;&amp;gt;[[File: flagship_big.jpg|link=]]&amp;lt;/div&amp;gt;&lt;br /&gt;
&lt;br /&gt;
{| style=&amp;quot;padding: 0;margin:0;margin-top:10px;text-align:left;&amp;quot; |-&lt;br /&gt;
| valign=&amp;quot;top&amp;quot;  style=&amp;quot;border-right: 1px dotted gray;padding-right:25px;&amp;quot; |&lt;br /&gt;
&lt;br /&gt;
&amp;lt;div style=&amp;quot;font-size:120%;border:none;margin: 0;color:#000&amp;quot;&amp;gt;&lt;br /&gt;
&lt;br /&gt;
== OWASP Testing Guide v4  ==&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
ANNOUNCING THE NEW &amp;quot;OWASP TESTING GUIDE v4&amp;quot;&lt;br /&gt;
&lt;br /&gt;
17th September, 2014: OWASP is announcing the new OWASP Testing Guide v4.&amp;lt;br&amp;gt;&lt;br /&gt;
&lt;br /&gt;
A big thank you to all the contributors and reviewers!&amp;lt;br&amp;gt;&lt;br /&gt;
&lt;br /&gt;
3rd August 2015, the OWASP Testing Guide v4 book is now available!&lt;br /&gt;
&amp;lt;br&amp;gt;You can buy the Guide [http://www.lulu.com/shop/matteo-meucci-and-andrew-muller/testing-guide-40-release/paperback/product-22294314.html here] &amp;lt;br&amp;gt;&lt;br /&gt;
&lt;br /&gt;
&amp;lt;br&amp;gt;Or you can download the Guide [[Media:OTGv4.pdf|here]]&amp;lt;br&amp;gt;&lt;br /&gt;
&lt;br /&gt;
[[File:OWTGv4 Cover.png]]&lt;br /&gt;
&lt;br /&gt;
Or browse the guide on the wiki [https://www.owasp.org/index.php/OWASP_Testing_Guide_v4_Table_of_Contents here]&lt;br /&gt;
&lt;br /&gt;
| valign=&amp;quot;top&amp;quot;  style=&amp;quot;padding-left:25px;width:200px;&amp;quot; |&lt;br /&gt;
&lt;br /&gt;
==Classifications==&lt;br /&gt;
&lt;br /&gt;
   {| width=&amp;quot;200&amp;quot; cellpadding=&amp;quot;2&amp;quot;&lt;br /&gt;
   |-&lt;br /&gt;
   | align=&amp;quot;center&amp;quot; valign=&amp;quot;top&amp;quot; rowspan=&amp;quot;2&amp;quot; width=&amp;quot;50%&amp;quot; | [[File:Owasp-flagship-trans-85.png|link=https://www.owasp.org/index.php/OWASP_Project_Stages#tab=Flagship_Projects]]&lt;br /&gt;
   | align=&amp;quot;center&amp;quot; valign=&amp;quot;center&amp;quot; width=&amp;quot;50%&amp;quot;| [[File:Owasp-breakers-small.png|link=https://www.owasp.org/index.php/Breakers]]&lt;br /&gt;
   |&lt;br /&gt;
   |-&lt;br /&gt;
   | align=&amp;quot;center&amp;quot; valign=&amp;quot;center&amp;quot; width=&amp;quot;50%&amp;quot;| &lt;br /&gt;
   |-&lt;br /&gt;
   | colspan=&amp;quot;2&amp;quot; align=&amp;quot;center&amp;quot;  | [[File:Cc-button-y-sa-small.png|link=http://creativecommons.org/licenses/by-sa/3.0/]]&lt;br /&gt;
   |-&lt;br /&gt;
   | colspan=&amp;quot;2&amp;quot; align=&amp;quot;center&amp;quot;  | [[File:Project_Type_Files_DOC.jpg|link=]]&lt;br /&gt;
   |}&lt;br /&gt;
|}&lt;br /&gt;
&lt;br /&gt;
= Old OWASP Testing Guides =&lt;br /&gt;
&lt;br /&gt;
== OWASP Testing Guide v3  ==&lt;br /&gt;
&lt;br /&gt;
16th December 2008: OWASP Testing Guide v3 is finished!&amp;lt;br&amp;gt; &lt;br /&gt;
&lt;br /&gt;
*You can download the Guide in PDF [http://www.owasp.org/images/5/56/OWASP_Testing_Guide_v3.pdf here] &lt;br /&gt;
*Download the presentation [https://www.owasp.org/images/2/2c/OWASP_EU_Summit_2008_OWASP_Testing_Guide_v3.ppt here] &lt;br /&gt;
*Browse the Testing Guide v3 on the wiki [https://www.owasp.org/index.php/OWASP_Testing_Guide_v3_Table_of_Contents here]&lt;br /&gt;
&lt;br /&gt;
''''NEW: OWASP projects and resources you can use TODAY''''&amp;lt;br&amp;gt;&lt;br /&gt;
16th April 2010 in London, OWASP leaders deliver a course focused on the main OWASP Projects.&amp;lt;br&amp;gt;&lt;br /&gt;
Matteo Meucci will deliver a training course on the OWASP Testing Guide v3. &amp;lt;br&amp;gt;&lt;br /&gt;
More information [http://www.owasp.org/index.php/London/Training/OWASP_projects_and_resources_you_can_use_TODAY here]&lt;br /&gt;
&lt;br /&gt;
Video @ FOSDEM 09: [http://fosdem.unixheads.org/2009/maintracks/owasp.ogv here] &lt;br /&gt;
&lt;br /&gt;
Citations:&lt;br /&gt;
&lt;br /&gt;
http://www.owasp.org/index.php/Testing_Guide_Quotes&lt;br /&gt;
&lt;br /&gt;
== Overview  ==&lt;br /&gt;
&lt;br /&gt;
This project's goal is to create a &amp;quot;best practices&amp;quot; web application penetration testing framework which users can implement in their own organizations and a &amp;quot;low level&amp;quot; web application penetration testing guide that describes how to find certain issues. &lt;br /&gt;
&lt;br /&gt;
Version 3 of the Testing Guide was released in December 2008 after going through a major upgrade through the [[OWASP Summer of Code 2008]]. &lt;br /&gt;
&lt;br /&gt;
= Background and Motivation  =&lt;br /&gt;
&lt;br /&gt;
'''History Behind Project''' The OWASP Testing guide originated in 2003 with Dan Cuthbert as one of the original editors. It was handed over to [[User:EoinKeary|Eoin Keary]] in 2005 and moved onto the new OWASP wiki when it came online. Being in a wiki makes it easier for people to contribute and has made updating much easier. [[User:Mmeucci|Matteo Meucci]] took on the Testing guide after Eoin and shepherded it through the version 2 and version 3 updates, which have been significant improvements. &lt;br /&gt;
&lt;br /&gt;
= Project History  =&lt;br /&gt;
&lt;br /&gt;
== OWASP Testing Guide v3  ==&lt;br /&gt;
&lt;br /&gt;
Testing Guide v3: plan (archive) &lt;br /&gt;
&lt;br /&gt;
26th April 2008: Version 3 of the Testing Guide started under [[OWASP Summer of Code 2008]]. &lt;br /&gt;
&lt;br /&gt;
6th November 2008: Completed draft created and previewed at [[OWASP EU Summit 2008|OWASP EU Summit 2008 in Portugal]]. &lt;br /&gt;
&lt;br /&gt;
Final stable release in December 2008 &lt;br /&gt;
&lt;br /&gt;
== OWASP Testing Guide v2  ==&lt;br /&gt;
&lt;br /&gt;
'''10th February 2007: The OWASP Testing Guide v2 is now published''' [[User:Mmeucci|Matteo Meucci]] (as part of his [[OWASP Autumn of Code 2006 - Projects: Testing Guide|AoC project]]) has just published the latest version of the Testing Guide. You can: &lt;br /&gt;
&lt;br /&gt;
*read it online on the [http://www.owasp.org/index.php/OWASP_Testing_Guide_v2_Table_of_Contents Testing Guide v2 wiki] &lt;br /&gt;
*or download the Guide in [http://www.owasp.org/index.php/Image:OWASP_Testing_Guide_v2_pdf.zip Adobe PDF format] or in [http://www.owasp.org/index.php/Image:OWASP_Testing_Guide_v2_doc.zip Ms Doc format]&lt;br /&gt;
&lt;br /&gt;
'''OWASP Testing Guide v2 in Spanish:''' Now you can get a complete translation in [http://www.owasp.org/index.php/Image:OWASP_Testing_Guide_v2_spanish_doc.zip Ms Doc format] &lt;br /&gt;
&lt;br /&gt;
For comments or questions, please join the [http://lists.owasp.org/mailman/listinfo/owasp-testing OWASP Testing mailing list], read our archive and share your ideas. Alternatively you can contact [[User:EoinKeary|Eoin Keary]] or [[User:Mmeucci|Matteo Meucci]] directly. &lt;br /&gt;
&lt;br /&gt;
Here you can find: &lt;br /&gt;
&lt;br /&gt;
*[http://www.owasp.org/index.php/Testing_Guide_Quotes The OWASP Testing Guide 'Quotes'] &lt;br /&gt;
*[http://www.owasp.org/index.php/OWASP_Testing_Guide_Presentations Testing Guide presentations]&lt;br /&gt;
&lt;br /&gt;
= Related  =&lt;br /&gt;
&lt;br /&gt;
'''OWASP Testing Guide (v2+v3) Report Generator''' is found at [http://yehg.net/lab/#wasarg http://yehg.net/lab/#wasarg]. &lt;br /&gt;
&lt;br /&gt;
'''THE OWASP Testing Project Live CD''' The OWASP testing project is currently implementing an Application security Live CD. &amp;lt;br&amp;gt; LabRat Version 0.8 Alpha is just weeks away from Beta testing*. &lt;br /&gt;
&lt;br /&gt;
The aim of this CD is to have a complete testing suite on one Disk. The CD shall also contain the forthcoming OWASP Testing guide. &lt;br /&gt;
&lt;br /&gt;
The Live CD now has its own section; you can find it here: [http://www.owasp.org/index.php/Category:OWASP_Live_CD_Project] &lt;br /&gt;
&lt;br /&gt;
= Feedback and Participation  =&lt;br /&gt;
&lt;br /&gt;
We hope you find the information in the OWASP Testing project useful. Please contribute back to the project by sending your comments, questions, and suggestions to the OWASP Testing mailing list. Thanks! &lt;br /&gt;
&lt;br /&gt;
To join the OWASP Testing mailing list or view the archives, please visit the [http://lists.owasp.org/mailman/listinfo/owasp-testing subscription page]. &lt;br /&gt;
&lt;br /&gt;
= Translations =&lt;br /&gt;
&lt;br /&gt;
Thanks to the translators all around the world you can download the guide in the following languages:&lt;br /&gt;
&lt;br /&gt;
* Spanish in [http://www.owasp.org/images/8/80/Gu%C3%ADa_de_pruebas_de_OWASP_ver_3.0.pdf PDF] or [http://www.owasp.org/images/d/d7/Gu%C3%ADa_de_pruebas_de_OWASP_ver_3.0.zip MS Word] formats. (v3.0)&lt;br /&gt;
&lt;br /&gt;
* Chinese in [http://www.owasp.org/images/0/06/OWASP%E6%B5%8B%E8%AF%95%E6%8C%87%E5%8D%97%28%E4%B8%AD%E6%96%87%EF%BC%89.pdf PDF] format. (Thanks to the [http://www.owasp.org/index.php/China-Mainland China-mainland chapter].) (v3.0;  translation of v4.0 in process)&lt;br /&gt;
&lt;br /&gt;
* Japanese in [http://www.owasp.org/images/1/1e/OTGv3Japanese.pdf PDF] format (this is a 1st draft of v3.0, final release coming soon).&lt;br /&gt;
&lt;br /&gt;
* '''Hebrew''' in [[Media:OWASP_Risk_Rating_Methodology-Hebrew.pdf|PDF format]] (Risk Rating Methodology only for now). Thanks to Tal Argoni from TriadSec.&lt;br /&gt;
&lt;br /&gt;
We invite you to explore and help us translate OWASP Testing Guide 4.0 at Crowdin. Please visit the URL below to start translating this project:&lt;br /&gt;
&lt;br /&gt;
https://crowdin.com/project/owasp-testing-guide-40/invite&lt;br /&gt;
&lt;br /&gt;
= Project About =&lt;br /&gt;
{{:Projects/OWASP Testing Project | Project About}}&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
__NOTOC__ &lt;br /&gt;
&amp;lt;headertabs /&amp;gt;&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
[[Category:OWASP_Project|Testing Guide]] [[Category:OWASP_Document]] [[Category:OWASP_Download]] [[Category:OWASP_Release_Quality_Document|OWASP Stable Quality Document]] [[Category:SAMM-ST-1]]&lt;/div&gt;</summary>
		<author><name>Avi Douglen</name></author>	</entry>

	<entry>
		<id>https://wiki.owasp.org/index.php?title=File:OWASP_Risk_Rating_Methodology-Hebrew.pdf&amp;diff=226181</id>
		<title>File:OWASP Risk Rating Methodology-Hebrew.pdf</title>
		<link rel="alternate" type="text/html" href="https://wiki.owasp.org/index.php?title=File:OWASP_Risk_Rating_Methodology-Hebrew.pdf&amp;diff=226181"/>
				<updated>2017-02-09T02:13:04Z</updated>
		
		<summary type="html">&lt;p&gt;Avi Douglen: &lt;/p&gt;
&lt;hr /&gt;
&lt;div&gt;&lt;/div&gt;</summary>
		<author><name>Avi Douglen</name></author>	</entry>

	<entry>
		<id>https://wiki.owasp.org/index.php?title=OWASP_Israel_January_2017&amp;diff=225477</id>
		<title>OWASP Israel January 2017</title>
		<link rel="alternate" type="text/html" href="https://wiki.owasp.org/index.php?title=OWASP_Israel_January_2017&amp;diff=225477"/>
				<updated>2017-01-23T16:58:00Z</updated>
		
		<summary type="html">&lt;p&gt;Avi Douglen: &lt;/p&gt;
&lt;hr /&gt;
&lt;div&gt;The Israeli chapter of OWASP will hold a meeting on Wednesday, January 18th, at 17:00. &lt;br /&gt;
&lt;br /&gt;
The meeting will be held in Radware’s Tel Aviv offices, at Raul Wallenberg 22, Ramat HaChayal.  &lt;br /&gt;
&lt;br /&gt;
Attendance is free of course, but you must register if you are planning to attend:   &lt;br /&gt;
https://www.meetup.com/OWASP-Israel/events/236372466/ &lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
== Agenda: ==&lt;br /&gt;
 &lt;br /&gt;
&lt;br /&gt;
''' 17:00 &amp;lt;br/&amp;gt;   '''&lt;br /&gt;
'''Gathering, food, and drinks (KOSHER)'''  &lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
''' 17:30 &amp;lt;br/&amp;gt;   '''&lt;br /&gt;
''' Introductions and Opening Notes '''&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
''' 17:45 – IP Agnostic Bot Detection ''' &amp;lt;br/&amp;gt;&lt;br /&gt;
''' Michael Groskop, Director of WAF &amp;amp; R&amp;amp;D Security, Radware ''' &amp;lt;br/&amp;gt;&lt;br /&gt;
([[Media:OWASPIL-2017-01-18_IPAgnostic-BotDetection_MichaelGroskop.pdf|download presentation]])&lt;br /&gt;
&lt;br /&gt;
Bot-generated attacks targeting web application infrastructure are increasing in both volume and scope. Bots are becoming more sophisticated, leveraging headless browser technologies and using different evasion techniques such as dynamically changing IP addresses.   &lt;br /&gt;
&lt;br /&gt;
In this presentation we will review the challenges associated with IP agnostic detection of bot generated attacks, the complexity involved in distinguishing the good bots from the bad and the actions application developers can take for better thwarting of such attacks.&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
''' &amp;lt;span class=&amp;quot;mw-headline&amp;quot; id=&amp;quot;RUaBLE_BLE_Application_Hacking&amp;quot;&amp;gt;18:30 - R U aBLE? BLE Application Hacking&amp;lt;/span&amp;gt; ''' &amp;lt;br/&amp;gt;&lt;br /&gt;
''' Tal Melamed, Technical Lead, AppSec Labs ''' &amp;lt;br/&amp;gt;&lt;br /&gt;
([[Media:OWASP2017_HackingBLEApplications_TalMelamed.pdf|download presentation]]) &amp;lt;br/&amp;gt;&lt;br /&gt;
&lt;br /&gt;
As IoT devices are increasingly embedded in our everyday lives, vulnerabilities have real impact on our digital and physical security.  &lt;br /&gt;
&lt;br /&gt;
Bluetooth Low Energy (BLE), also known as Bluetooth Smart, is part of Bluetooth 4. Today Bluetooth is the most popular protocol used for interfacing IoT and smart devices, wearables and medical equipment. As with most rising technologies, security is often left out.  &lt;br /&gt;
&lt;br /&gt;
In this lecture we will demonstrate how to perform penetration-testing for applications communicating with connected-devices over BLE, and what equipment, libraries and projects can be used.&lt;br /&gt;
 &lt;br /&gt;
&lt;br /&gt;
''' 19:15 – Coffee break  ''' &amp;lt;br/&amp;gt;&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
''' 19:30 – Should I Trust My Vendor? ''' &amp;lt;br/&amp;gt;&lt;br /&gt;
''' Yaniv Simsolo, CTO, Palantir Security ''' &amp;lt;br/&amp;gt;&lt;br /&gt;
&lt;br /&gt;
Modern systems and business models mandate different approaches to security. Sometimes, the business objectives of the vendor override the security objectives that we, the security community, think the product should have. When approaching a complex system design, numerous challenges arise when considering the trust we put in vendors’ hands and vendors’ responsibilities. Similar security challenges exist on the other scale: considering the maturity (or lack thereof) of small scale IoT products.  &lt;br /&gt;
&lt;br /&gt;
Does the aim sanctify the means?   &lt;br /&gt;
&lt;br /&gt;
In certain cases, either mal-coding or business practices result in very poor security of a product or a service. This can get to extreme cases where the vendor outright attacks its own customers. Such was the case for example when I purchased a brand new laptop from a known manufacturer, and was attacked with viruses and malicious business practices software. Indeed, certain vendors are worse than others.   &lt;br /&gt;
&lt;br /&gt;
In the presentation we will explore notable examples of vendors abusing their customers’ trust and review the (few) mitigation alternatives we may incorporate in our products and systems.&lt;/div&gt;</summary>
		<author><name>Avi Douglen</name></author>	</entry>

	<entry>
		<id>https://wiki.owasp.org/index.php?title=File:OWASPIL-2017-01-18_IPAgnostic-BotDetection_MichaelGroskop.pdf&amp;diff=225476</id>
		<title>File:OWASPIL-2017-01-18 IPAgnostic-BotDetection MichaelGroskop.pdf</title>
		<link rel="alternate" type="text/html" href="https://wiki.owasp.org/index.php?title=File:OWASPIL-2017-01-18_IPAgnostic-BotDetection_MichaelGroskop.pdf&amp;diff=225476"/>
				<updated>2017-01-23T16:57:23Z</updated>
		
		<summary type="html">&lt;p&gt;Avi Douglen: &lt;/p&gt;
&lt;hr /&gt;
&lt;div&gt;&lt;/div&gt;</summary>
		<author><name>Avi Douglen</name></author>	</entry>

	<entry>
		<id>https://wiki.owasp.org/index.php?title=OWASP_Israel_June_2016&amp;diff=225475</id>
		<title>OWASP Israel June 2016</title>
		<link rel="alternate" type="text/html" href="https://wiki.owasp.org/index.php?title=OWASP_Israel_June_2016&amp;diff=225475"/>
				<updated>2017-01-23T16:56:40Z</updated>
		
		<summary type="html">&lt;p&gt;Avi Douglen: &lt;/p&gt;
&lt;hr /&gt;
&lt;div&gt;The Israeli chapter of OWASP held a meeting on June 14, at 17:00, in the Amdocs Auditorium.   &lt;br /&gt;
&lt;br /&gt;
The address is Hapnina 8, Ra'anana.    &lt;br /&gt;
&lt;br /&gt;
Over 50 people attended. &lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
Meetup: http://www.meetup.com/OWASP-Israel/events/229662688/&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
== Agenda: ==&lt;br /&gt;
 &lt;br /&gt;
&lt;br /&gt;
''' 17:00 &amp;lt;br/&amp;gt;   '''&lt;br /&gt;
'''Gathering, food, and drinks (KOSHER)'''  &lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
''' 17:30 &amp;lt;br/&amp;gt;   '''&lt;br /&gt;
''' Introductions and Opening Notes '''&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
''' 17:45 – Insiders – The Threat is Already Within ''' &amp;lt;br/&amp;gt;&lt;br /&gt;
''' Sagie Dulce, Shiri Margel, Imperva ''' &amp;lt;br/&amp;gt;&lt;br /&gt;
([[Media:OWASPIL-2016-06-14_Insiders-TheThreatisAlreadyWithin_SagieDulce-ShiriMargel.pdf|download presentation]])‎&lt;br /&gt;
&lt;br /&gt;
In recent years, we have witnessed a growing number of enterprises and government agencies suffer data breaches. While organizations are buffing up their security layers—which is important—most of the focus is on preventing direct threats that come from outside, while detecting threats from within is neglected. &lt;br /&gt;
&lt;br /&gt;
In this talk we will present our research data. Our data shows that insider threats, whether attributed to malicious, negligent or compromised insiders, go unnoticed by common security tools. In order to detect insider attacks we suggest a mixture of Behavior Analytics and Deception technology. These technologies were deployed in several production environments. We then collected data from these environments and discovered different forms of insider threats in each and every deployment. Our data suggests that organizations are already experiencing some form of insider attack which current security technology does not address.&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
''' 18:30 – 1Password protects you, but who protects 1Password ? ''' &amp;lt;br/&amp;gt;&lt;br /&gt;
''' Adi Ludmer, PerimeterX ''' &amp;lt;br/&amp;gt;&lt;br /&gt;
([[Media:OWASPIL-2016-06-14_1PasswordProtection_AdiLudmer.pdf|download presentation]])‎  &lt;br /&gt;
&lt;br /&gt;
1Password is one of the most popular Password managers in the world.&lt;br /&gt;
&lt;br /&gt;
The most important quality for tools in this category is the level of trust that they provide us when we let them guard our most sensitive data.&lt;br /&gt;
&lt;br /&gt;
In this talk we will explain (and demonstrate) several flaws in the design of 1Password’s architecture, that could potentially be exploited and put our sensitive data which is stored there at risk.&lt;br /&gt;
&lt;br /&gt;
We will also explain several flaws which have already been disclosed, and give some recommendations for how to use Password managers in a safer way. &lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
''' 19:15 – Coffee break  ''' &amp;lt;br/&amp;gt;&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
''' 19:30 – Proxy based assertion ''' &amp;lt;br/&amp;gt;&lt;br /&gt;
''' Erez Kalman, Amdocs ''' &amp;lt;br/&amp;gt;&lt;br /&gt;
([[Media:OWASPIL-2016-06-14_ProxyBasedAssertion_ErezKalman.pdf|download presentation]])‎  &lt;br /&gt;
&lt;br /&gt;
A secure method of using a single proxy entry point to pass assertion data for user authentication and authorization to other systems using the headers.&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
[[Category:Israel]]&lt;/div&gt;</summary>
		<author><name>Avi Douglen</name></author>	</entry>

	<entry>
		<id>https://wiki.owasp.org/index.php?title=Category:Israel&amp;diff=224935</id>
		<title>Category:Israel</title>
		<link rel="alternate" type="text/html" href="https://wiki.owasp.org/index.php?title=Category:Israel&amp;diff=224935"/>
				<updated>2017-01-12T11:14:00Z</updated>
		
		<summary type="html">&lt;p&gt;Avi Douglen: /* Previous OWASP Israel Conferences and Meetings */&lt;/p&gt;
&lt;hr /&gt;
&lt;div&gt;[[image:Owasp_Israel_logo.png|center|500px]]&lt;br /&gt;
&lt;br /&gt;
{{Chapter Template|chaptername=Israel|extra=&amp;lt;br&amp;gt;&lt;br /&gt;
&lt;br /&gt;
The chapter leader is '''[mailto:avi.douglen@owasp.org Avi Douglen]'''.&lt;br /&gt;
&lt;br /&gt;
* OWASP Israel Board: '''[mailto:avi.douglen@owasp.org Avi Douglen]''', '''Or Katz''', ''' Ofer Maor''', '''Erez Metula''', '''Hemed Gur Ary''', '''[[User:YossiOren|Dr. Yossi Oren]]'''&lt;br /&gt;
* Chapter Founder: '''[mailto:ofer@shezaf.com Ofer Shezaf]'''&lt;br /&gt;
* [[OWASP_Top10_Hebrew|OWASP Top 10 Hebrew]]: Or Katz&lt;br /&gt;
* Homepage Maintenance: Avi Douglen, Ofer Maor, Yossi Oren&lt;br /&gt;
* Mailing List Management: Avi Douglen, Ofer Maor, Or Katz   &lt;br /&gt;
&lt;br /&gt;
|mailinglistsite=http://lists.owasp.org/mailman/listinfo/owasp-israel|emailarchives=http://lists.owasp.org/pipermail/owasp-israel}}&lt;br /&gt;
&lt;br /&gt;
&amp;lt;paypal&amp;gt;Israel&amp;lt;/paypal&amp;gt;&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
== OWASP Activity ==&lt;br /&gt;
&lt;br /&gt;
* An annual conference, usually in September or October. &lt;br /&gt;
* Periodic meetings. If you would like to host a meeting or speak at one, contact [mailto:avi.douglen@owasp.org Avi Douglen] or [mailto:katz3112@gmail.com Or Katz].&lt;br /&gt;
* [[OWASP_Top10_Hebrew|OWASP Top 10 Hebrew translation]].&lt;br /&gt;
* Security discussion forum in Hebrew - on [https://www.facebook.com/groups/owasp.il/ Facebook]. &lt;br /&gt;
* [https://www.linkedin.com/groups/39702 LinkedIn Group] for networking and announcements. &lt;br /&gt;
* [https://owasp.slack.com/messages/chapter-israel/ Chat room for security in Hebrew].&lt;br /&gt;
* [http://www.meetup.com/OWASP-Israel/ Meetings and socialization on Meetup].&lt;br /&gt;
* [https://twitter.com/OWASP_IL Twitter account]. &lt;br /&gt;
* Spreading the Word - Reaching out for more people, especially outside of the AppSec community.&lt;br /&gt;
* [[OWASP_IL_Sponsorship|Sponsorship opportunities]], including #AppSecIL conference sponsorship. &lt;br /&gt;
&lt;br /&gt;
If you have anything else on your mind, please speak up! Contact [mailto:avi.douglen@owasp.org Avi Douglen] with any ideas you have.&lt;br /&gt;
&lt;br /&gt;
== OWASP Top 10 in Hebrew ==  &lt;br /&gt;
&lt;br /&gt;
; '''The OWASP Top 10, 2013 version was translated to Hebrew! &amp;lt;br&amp;gt; &lt;br /&gt;
It is now [[OWASP_Top10_Hebrew|available for download]].'''&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
== Previous OWASP Israel Conferences and Meetings ==&lt;br /&gt;
&lt;br /&gt;
[[OWASP_Israel_January_2017|OWASP Israel January 2017]] will take place in Radware’s Tel Aviv offices, at Raul Wallenberg 22, Ramat HaChayal, on January 18th, 2016. &lt;br /&gt;
&lt;br /&gt;
; [[AppSec_Israel_2016|AppSec Israel 2016]] Conference was held on Monday, September 19th, at the College of Management, with more than 650 attendees! (Use the [[AppSec_Israel_2016_Presentations|presentations info page]] to download presentations and videos)&lt;br /&gt;
&lt;br /&gt;
[[OWASP_Israel_June_2016|OWASP Israel June 2016]] took place in the Amdocs Auditorium in Raanana, on June 14, 2016. &lt;br /&gt;
&lt;br /&gt;
[[OWASP_Israel_April_2016|OWASP Israel April 2016]] was held at HP Enterprise in Yehud, on April 12, 2016, with over 150 participants. &lt;br /&gt;
&lt;br /&gt;
[[OWASP_Israel_February_2016|OWASP Israel February 2016]] was held at F5 Networks in Tel Aviv, on February 2, 2016. &lt;br /&gt;
&lt;br /&gt;
; [[AppSec_Israel_2015|AppSec Israel 2015]] Conference was held on October 13th, at the College of Management, with over 550 participants! (Use the [[AppSec_Israel_2015_Presentations|presentations info page]] to download presentations)&lt;br /&gt;
&lt;br /&gt;
[[OWASP_Israel_June_2015|OWASP Israel June 2015]] was held at Microsoft in Herzeliya, on June 16, 2015, with around 120 participants.   &lt;br /&gt;
&lt;br /&gt;
[[OWASP_Israel_March_2015|OWASP Israel March 2015]] was held at NCR in Raanana, on March 30, 2015, with over 120 participants.  &lt;br /&gt;
&lt;br /&gt;
; [[AppSec_Israel_2014|AppSec Israel 2014]] Conference was held on September 2nd, at the IDC, with over 450 participants! (Use the [[AppSec_Israel_2014_Presentations|presentations info page]] to download presentations)&lt;br /&gt;
&lt;br /&gt;
[[OWASP_Israel_June_2014|OWASP Israel June 2014]] was held at F5 Networks in Tel Aviv, on June 16, 2014, with over 110 participants. &lt;br /&gt;
&lt;br /&gt;
[[OWASP_Israel_April_2014|OWASP Israel April 2014]] was held at Akamai in Herzliya Pituach, on April 23, 2014, with close to 100 participants. &lt;br /&gt;
&lt;br /&gt;
[[OWASP_Israel_January_2014|OWASP Israel January 2014]] was held at Amdocs in Ra'anana on January 14th, 2014, with over 120 participants.&lt;br /&gt;
&lt;br /&gt;
; [[OWASP_Israel_2013|OWASP Israel 2013]] Conference held on October 1st with close to 480 participants! (Use the [[OWASP_Israel_2013_Presentations|presentations info page]] to download presentations)&lt;br /&gt;
&lt;br /&gt;
[[OWASP_Israel_2013_05|OWASP Israel May 2013]] was held at RSA on May 28th 2013 with 80 participants.&lt;br /&gt;
&lt;br /&gt;
[[OWASP_Israel_2013_02|OWASP Israel February 2013]]  meeting was held at E&amp;amp;Y on February 12th 2013 ([[OWASP_ISRAEL_2013_02_Hebrew|Hebrew version]]).&lt;br /&gt;
&lt;br /&gt;
;[[OWASP_Israel_2012|OWASP Israel 2012 conference]] Was held at the IDC on Sep 5th 2012.&lt;br /&gt;
&lt;br /&gt;
;[[OWASP_Israel_2011|OWASP Israel 2011 Conference]] Was held in the IDC in Herzliya on Sep 15th 2011, with about 350 attendees. &lt;br /&gt;
&lt;br /&gt;
;[[OWASP_Israel_2010|OWASP Israel 2010 Conference]] Was held in the IDC in Herzliya on Sep 6th 2010 with about 150 attendees.&lt;br /&gt;
&lt;br /&gt;
[[OWASP_Israel_2010_06|OWASP Israel Jun-2010]] meeting was held in IBM/Watchfire in Herzliya on Jun 22nd 2010.&lt;br /&gt;
&lt;br /&gt;
[[OWASP_Israel_2010_02|OWASP Israel Feb-2010]] meeting was held in Amdocs in Ra'anana on Feb 9th 2010 with over 70 attendees.&lt;br /&gt;
&lt;br /&gt;
[[OWASP_Israel_2010_01|OWASP Israel Jan-2010]] meeting was held in Breach Security in Herzliya on Jan 12th 2010 with over 60 attendees.&lt;br /&gt;
&lt;br /&gt;
[[OWASP_Israel_2009_12|OWASP Israel Dec-2009]] meeting was held in IBM/Watchfire in Herzliya in Dec 2009.&lt;br /&gt;
&lt;br /&gt;
;[[OWASP_Israel_2009|OWASP Israel 2009]] conference was held at the Interdisciplinary Center Herzliya on Sunday, September 6th 2009. &lt;br /&gt;
: You can find the agenda and uploaded presentations [[OWASP_Israel_2009|here]].&lt;br /&gt;
&lt;br /&gt;
; [[OWASP_Israel_2009_05|OWASP Israel May 2009 meeting]] was held at IBM in Park Azorim in Petach-Tikva on May 7th. The presentations were:&lt;br /&gt;
* Web-Based Man-in-the-Middle Attack, Adi Sharabani, IBM ([http://blog.watchfire.com/wfblog/2009/02/active-man-in-the-middle-attacks.html more info])&lt;br /&gt;
* Automation Attacks and Counter Measures, Ofer Shezaf, Xiom ([http://www.owasp.org/images/5/58/OWASP_Israel_-_May_2009_-_Ofer_Shezaf_-_Automation_Attacks.pdf presentation])&lt;br /&gt;
: [[OWASP_ISRAEL_2009_05_Hebrew|Full details in Hebrew]]&lt;br /&gt;
&lt;br /&gt;
; [[OWASP_Israel_2009_03|OWASP Israel March 2009 meeting]] was held at the Tel-Aviv University on March 26th, with approximately 60 attendees. The presentations were:&lt;br /&gt;
* Securing cellular web applications, Mikko Saario, Founder, OWASP Finland, Security Architect, Large Telecom Solution Provider ([[Media:OWASP_Israel_-_March_2009_-_Mikko_Saario_-_Web_Application_Security_in_the_Mobile_World.pdf‎|download]])&lt;br /&gt;
* Real world implementation of a PCI DSS compliance key management, Yaron Hakon, [http://www.2bsecure.co.il 2bsecure] ([[Media:OWASP_Israel_-_March_2009_-_Yaron_Hakon_-_PCI_key_managment.pdf‎|download]])&lt;br /&gt;
* Detecting RFI attacks, Or Katz, [http://www.breach.com Breach Security] ([[Media:OWASP_Israel_-_March_2009_-_Or_Katz_-_RFI_detection.pdf‎|download]])&lt;br /&gt;
* WAFEC 2.0 - Do WAFs deliver?, Ofer Shezaf, [http://www.xiom.com Xiom] ([[Media:OWASP_Israel_-_March_2009_-_Ofer_Shezaf_-_Why_WAFs_fail.pdf‎|download]])&lt;br /&gt;
: [[OWASP_ISRAEL_2009_03_Hebrew|Full details in Hebrew]]&lt;br /&gt;
&lt;br /&gt;
; [[OWASP_Israel_2009_01|OWASP Israel January 2009 meeting]] was held at Checkpoint on January 28th, with over 100 people attending. The presentations were:&lt;br /&gt;
* Improving Web Application Firewall testing for better deployment in production network, Gregory Fresnais from BreakingPoint, visiting us from France ([[Media:OWASP_Israel_2009_01_Gregory_Fresnais_Measuring_WAF_Performance.pdf‎|download]]) &lt;br /&gt;
* Web 2.0 Hacking, Nimrod Luria, Qrity ([[Media:OWASP_Israel_2009_01_Nimrod_Luria_Web_2.0_Security.pdf‎|download]])&lt;br /&gt;
* Wiki Security, Ofer Shezaf, Xiom ([http://www.xiom.com/research/wiki_security download])&lt;br /&gt;
&lt;br /&gt;
; [[OWASP_Israel_2008_Conference_at_the_Interdisciplinary_Center_Herzliya|The OWASP Israel 2008 conference at the Interdisciplinary Center Herzliya (IDC)]] was held on September 14th with 250 attendees.&lt;br /&gt;
&lt;br /&gt;
; OWASP Israel at the [http://www.idc.co.il/?showproduct=31108&amp;amp;content_lang=ENG IDC Security Road Show]&lt;br /&gt;
: OWASP sponsored the IDC Security Road Show event in Israel on June 3rd 2008. Thanks to Iris Lev-Ari and Tomer Teller for the help in the OWASP booth.&lt;br /&gt;
&lt;br /&gt;
; [[OWASP_Israel_2007_Conference|OWASP Israel 2007 conference at the Interdisciplinary Center Herzliya (IDC)]]&lt;br /&gt;
: the 1st official OWASP conference in Israel, was held on Dec 3rd 2007 at the Interdisciplinary Center (IDC) Herzliya. The conference really set itself as an event you must come to if you have anything to do with application security. [http://picasaweb.google.com/oshezaf/OWASPIsrael2007 pictures from the conference]&lt;br /&gt;
&lt;br /&gt;
[[Category:Middle East]] [[Category:Europe]]&lt;/div&gt;</summary>
		<author><name>Avi Douglen</name></author>	</entry>

	<entry>
		<id>https://wiki.owasp.org/index.php?title=OWASP_Israel_January_2017&amp;diff=224934</id>
		<title>OWASP Israel January 2017</title>
		<link rel="alternate" type="text/html" href="https://wiki.owasp.org/index.php?title=OWASP_Israel_January_2017&amp;diff=224934"/>
				<updated>2017-01-12T11:12:38Z</updated>
		
		<summary type="html">&lt;p&gt;Avi Douglen: Created page with &amp;quot;The Israeli chapter of OWASP will hold a meeting on Wednesday, January 18th, at 17:00.   The meeting will be held in Radware’s Tel Aviv offices, at Raul Wallenberg 22, Ramat...&amp;quot;&lt;/p&gt;
&lt;hr /&gt;
&lt;div&gt;The Israeli chapter of OWASP will hold a meeting on Wednesday, January 18th, at 17:00. &lt;br /&gt;
&lt;br /&gt;
The meeting will be held in Radware’s Tel Aviv offices, at Raul Wallenberg 22, Ramat HaChayal.  &lt;br /&gt;
&lt;br /&gt;
Attendance is free of course, but you must register if you are planning to attend:   &lt;br /&gt;
https://www.meetup.com/OWASP-Israel/events/236372466/ &lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
== Agenda: ==&lt;br /&gt;
 &lt;br /&gt;
&lt;br /&gt;
''' 17:00 &amp;lt;br/&amp;gt;   '''&lt;br /&gt;
'''Gathering, food, and drinks (KOSHER)'''  &lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
''' 17:30 &amp;lt;br/&amp;gt;   '''&lt;br /&gt;
''' Introductions and Opening Notes '''&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
''' 17:45 – IP Agnostic Bot Detection ''' &amp;lt;br/&amp;gt;&lt;br /&gt;
''' Michael Groskop, Director of WAF &amp;amp; R&amp;amp;D Security, Radware ''' &amp;lt;br/&amp;gt;&lt;br /&gt;
&lt;br /&gt;
Bot-generated attacks targeting web application infrastructure are increasing in both volume and scope. Bots are becoming more sophisticated, leveraging headless browser technologies and using different evasion techniques such as dynamically changing IP addresses.   &lt;br /&gt;
&lt;br /&gt;
In this presentation we will review the challenges associated with IP agnostic detection of bot generated attacks, the complexity involved in distinguishing the good bots from the bad and the actions application developers can take for better thwarting of such attacks.&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
''' 18:30 – R U aBLE? - BLE Comm Hacking ''' &amp;lt;br/&amp;gt;&lt;br /&gt;
''' Tal Melamed, Technical Lead, AppSec Labs ''' &amp;lt;br/&amp;gt;&lt;br /&gt;
&lt;br /&gt;
As IoT devices are increasingly embedded in our everyday lives, vulnerabilities have real impact on our digital and physical security.  &lt;br /&gt;
&lt;br /&gt;
Bluetooth Low Energy (BLE), also known as Bluetooth Smart, is part of Bluetooth 4. Today Bluetooth is the most popular protocol used for interfacing IoT and smart devices, wearables and medical equipment. Like most rising technologies, security is often left out.  &lt;br /&gt;
&lt;br /&gt;
In this lecture we will demonstrate how to perform penetration-testing for applications communicating with connected-devices over BLE, and what equipment, libraries and projects can be used.&lt;br /&gt;
 &lt;br /&gt;
&lt;br /&gt;
''' 19:15 – Coffee break  ''' &amp;lt;br/&amp;gt;&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
''' 19:30 – Should I Trust My Vendor? ''' &amp;lt;br/&amp;gt;&lt;br /&gt;
''' Yaniv Simsolo, CTO, Palantir Security ''' &amp;lt;br/&amp;gt;&lt;br /&gt;
&lt;br /&gt;
Modern systems and business models mandate different approaches to security. Sometimes, the business objectives of the vendor override the security objectives that we, the security community, think the product should have. When approaching a complex system design, numerous challenges arise when considering the trust we put in vendors’ hands and vendors’ responsibilities. Similar security challenges exist on the other scale: considering the maturity (or lack thereof) of small scale IoT products.  &lt;br /&gt;
&lt;br /&gt;
Does the aim sanctify the means?   &lt;br /&gt;
&lt;br /&gt;
In certain cases, either mal-coding or business practices result in very poor security of a product or a service. This can get to extreme cases where the vendor outright attacks its own customers. Such was the case for example when I purchased a brand new laptop from a known manufacturer, and was attacked with viruses and malicious business practices software. Indeed, certain vendors are worse than others.   &lt;br /&gt;
&lt;br /&gt;
In the presentation we will explore notable examples of vendors abusing their customers’ trust and review the (few) mitigation alternatives we may incorporate in our products and systems.&lt;/div&gt;</summary>
		<author><name>Avi Douglen</name></author>	</entry>

	<entry>
		<id>https://wiki.owasp.org/index.php?title=AppSec_Israel_2016_Presentations&amp;diff=222464</id>
		<title>AppSec Israel 2016 Presentations</title>
		<link rel="alternate" type="text/html" href="https://wiki.owasp.org/index.php?title=AppSec_Israel_2016_Presentations&amp;diff=222464"/>
				<updated>2016-10-18T06:57:35Z</updated>
		
		<summary type="html">&lt;p&gt;Avi Douglen: /* The Unwanted Sons - Formalizing and Demonstrating WAF Bypass Methods for the REST of the Top 10 */&lt;/p&gt;
&lt;hr /&gt;
&lt;div&gt;&lt;br /&gt;
Full descriptions of all the talks at [[AppSec_Israel_2016|AppSec Israel 2016]] are below, together with each of the speakers' biographies. &lt;br /&gt;
&lt;br /&gt;
The [https://appsecil2016.sched.org/ full schedule can be found and subscribed to here].&lt;br /&gt;
&lt;br /&gt;
Pictures from the event [https://drive.google.com/drive/folders/0B0_K8tApcXxmVzBkcDNFUmt5S0U can be found here].&lt;br /&gt;
&lt;br /&gt;
__TOC__ &lt;br /&gt;
&lt;br /&gt;
The AppSec Israel conference is proudly being sponsored by: &lt;br /&gt;
{{Template:AppSec_Israel_2016_Sponsors}}&lt;br /&gt;
&lt;br /&gt;
== Technical Tracks ==&lt;br /&gt;
&lt;br /&gt;
=== Bot Extension - Abusing Google Chrome Extensions for Bot Attacks ===&lt;br /&gt;
'''Bot Extensions - Using Chrome Extensions for Bot Attacks'''  &amp;lt;br /&amp;gt;&lt;br /&gt;
''''' Tomer Cohen, Head of R&amp;amp;D security, Wix.com '''''    &amp;lt;br /&amp;gt;&lt;br /&gt;
Chrome extensions have opened a variety of opportunities for users as well as developers, expanding the limits of what we've known as browsing experience. Attackers have also spotted the wide usage of such extensions, and abuse people's trust in Chrome Web Store to distribute malicious extensions. This allows them to run web-based bot attacks straight from victims' browsers, including DDoS campaigns and cross-site requests resulting in impersonation of users in third-party websites.&lt;br /&gt;
&lt;br /&gt;
Furthermore, the detection of such a bot attack by a third party is more complex than in regular distributed attacks, since real humans actually use the Chrome tab abused to attack the victim third party.&lt;br /&gt;
&lt;br /&gt;
The lecture will include an intro on Chrome Extension architecture followed by techniques to abuse this architecture in order to run bot attacks, as well as distribute malicious extensions to big crowds of victims.&lt;br /&gt;
&lt;br /&gt;
&amp;lt;br&amp;gt;&amp;lt;u&amp;gt;Speaker Bio&amp;lt;/u&amp;gt; &lt;br /&gt;
&lt;br /&gt;
Worked as a security consultant in several places, one of the founders of Magshimim Cyber Training Program.&lt;br /&gt;
&lt;br /&gt;
&amp;lt;br&amp;gt;&amp;lt;u&amp;gt;Technical Level:&amp;lt;/u&amp;gt; Intermediate / Advanced&lt;br /&gt;
&amp;lt;br&amp;gt;&amp;lt;u&amp;gt;Language:&amp;lt;/u&amp;gt; Hebrew&lt;br /&gt;
&lt;br /&gt;
&amp;lt;br&amp;gt;&lt;br /&gt;
&lt;br /&gt;
=== Could a few lines of code &amp;lt;F!#ck&amp;gt; it all up?? ===&lt;br /&gt;
''''' Amit Ashbel, Director of Product Marketing &amp;amp; Cyber Security Evangelist, Checkmarx '''''    &amp;lt;br /&amp;gt;&lt;br /&gt;
''''' Erez Yalon, Application Security Lead, Checkmarx '''''    &amp;lt;br /&amp;gt;&lt;br /&gt;
([[Media:AppSecIL2016_AFewLinesOfCode-JS_AmitAshbel-ErezYalon.pptx|download presentation]])&lt;br /&gt;
&lt;br /&gt;
March 2016. An anonymous open source developer decides to remove his code (left-pad) from a public repository.&lt;br /&gt;
&lt;br /&gt;
Shortly thereafter, several large organizations felt the impact of his actions. Facebook, AirBnB and others experienced errors impacting the functionality of their services. Packages using “left-pad” wouldn’t properly execute.&lt;br /&gt;
&lt;br /&gt;
Today, we embrace both the open source community and the growth of open source projects, modules and packages but... Dependencies and recursive dependencies might become a risk or even a new attack vector which we didn’t foresee. &lt;br /&gt;
&lt;br /&gt;
Could there be other cases of common and popular open source packages depending on open source modules that might not be there tomorrow or, even worse, could they be maliciously modified?&lt;br /&gt;
&lt;br /&gt;
Join us for an insightful session that will reveal our research on this topic where you will learn:&lt;br /&gt;
* Which common open source packages might not be there tomorrow and how this can affect you?&lt;br /&gt;
* How packages you use could be maliciously modified and the impact on your app&lt;br /&gt;
* The risks introduced by hybrid application development &lt;br /&gt;
* How intertwined and complex dependencies have become&lt;br /&gt;
&lt;br /&gt;
&amp;lt;br&amp;gt;&amp;lt;u&amp;gt;Speaker Bio&amp;lt;/u&amp;gt; &lt;br /&gt;
&lt;br /&gt;
Amit has been with the security community for more than a decade where he has taken on multiple tasks and responsibilities, including technical and Senior Product lead positions. Amit adds valuable product knowledge including experience with a wide range of security platforms and familiarity with emerging threats. Amit also speaks at high profile events and conferences such as BlackHat, Defcon, OWASP and others.&lt;br /&gt;
&lt;br /&gt;
&amp;lt;br&amp;gt;&amp;lt;u&amp;gt;Speaker Bio&amp;lt;/u&amp;gt; &lt;br /&gt;
&lt;br /&gt;
Erez Yalon heads the security research group at Checkmarx. With vast defender and attacker experience and as an independent security researcher, he brings invaluable knowledge and skills to the table. Erez is responsible for maintaining Checkmarx’s top notch vulnerability detection technology where his previous development experience with a variety of coding languages comes into play.&lt;br /&gt;
&lt;br /&gt;
&amp;lt;br&amp;gt;&amp;lt;u&amp;gt;Technical Level:&amp;lt;/u&amp;gt; Introduction&lt;br /&gt;
&amp;lt;br&amp;gt;&amp;lt;u&amp;gt;Language:&amp;lt;/u&amp;gt; Hebrew&lt;br /&gt;
&lt;br /&gt;
&amp;lt;br&amp;gt;&lt;br /&gt;
&lt;br /&gt;
=== Crippling HTTPS with unholy PAC ===&lt;br /&gt;
'''How to wreck HTTPS with a PAC sabotage kit''' &amp;lt;br /&amp;gt;&lt;br /&gt;
''''' Amit Klein, VP Security Research, SafeBreach '''''    &amp;lt;br /&amp;gt;&lt;br /&gt;
([[Media:AppSecIL2016_CripplingHTTPSwithUnholyPAC_AmitKlein.pdf|download presentation]])&lt;br /&gt;
&lt;br /&gt;
You're in a potentially malicious network (free WiFi, guest network, or maybe your own corporate LAN). You're a security conscious netizen so you restrict yourself to HTTPS (browsing to HSTS sites and/or using a &amp;quot;Force TLS/SSL&amp;quot; browser extension). All your traffic is protected from the first byte. Or is it?&lt;br /&gt;
&lt;br /&gt;
We will demonstrate that, by forcing your browser/system to use a malicious PAC (Proxy AutoConfiguration) resource, it is possible to leak HTTPS URLs. We will explain how this affects the privacy of the user and how credentials/sessions can be stolen. We will present the concept of &amp;quot;PAC Malware&amp;quot; (a malware which is implemented only as JavaScript logic in a PAC resource) that features: a 2-way communication channel between the PAC malware and an external server, contextual phishing via messages, denial-of-service options, and sensitive data extraction from URIs. We present a comprehensive browser PAC feature matrix and elaborate more about this cross-platform (Linux, Windows, Mac) and cross-browser (IE, Chrome, Safari) threat.&lt;br /&gt;
&lt;br /&gt;
&amp;lt;br&amp;gt;&amp;lt;u&amp;gt;Speaker Bio&amp;lt;/u&amp;gt; &lt;br /&gt;
&lt;br /&gt;
Amit Klein is a world renowned information security expert, with 25 years in information security and over 30 published technical papers on this topic. Amit is VP Security Research at SafeBreach, responsible for researching various infiltration, exfiltration and lateral movement attacks. Before SafeBreach, Amit was CTO for Trusteer (acquired by IBM) for 8.5 years. Prior to Trusteer, Amit was chief scientist for Cyota (acquired by RSA) for 2 years, and prior to that, director of Security and Research for Sanctum (acquired by Watchfire, now part of IBM security division) for 7 years. Amit has a B.Sc. from the Hebrew University (magna cum laude, Talpiot program), was recognized by InfoWorld as a CTO of the year 2010, and has presented at HITB, RSA, OWASP, CertConf, BlueHat, CyberTech, APWG and AusCERT.&lt;br /&gt;
&lt;br /&gt;
&amp;lt;br&amp;gt;&amp;lt;u&amp;gt;Technical Level:&amp;lt;/u&amp;gt; Intermediate&lt;br /&gt;
&amp;lt;br&amp;gt;&amp;lt;u&amp;gt;Language:&amp;lt;/u&amp;gt; Hebrew&lt;br /&gt;
&lt;br /&gt;
&amp;lt;br&amp;gt;&lt;br /&gt;
&lt;br /&gt;
=== Don't Feed the Hippos! ===&lt;br /&gt;
''''' Martin Knobloch, Principal Consultant, Nixu '''''    &amp;lt;br /&amp;gt;&lt;br /&gt;
([[Media:AppSecIL2016_DontFeedTheHippos_MartinKnobloch.pdf|download presentation]])&lt;br /&gt;
&lt;br /&gt;
The security community is trying to solve insecurity caused by bugs and flaws in software for many years now, but with what success? &lt;br /&gt;
&lt;br /&gt;
We almost never look at the successes and failures experienced in other areas, though we could really learn from them. This talk is inspired by Ernesto Sirolli’s TED talk “Want to help someone? Shut up and listen!” about failures in aid programs around the world. Listening to Ernesto Sirolli, you cannot miss the similarity with the security community trying to tell developers how to write secure code.  This talk points out common failures of the security community when communicating with developers, trying to solve their problems without understanding what their problems really are. &lt;br /&gt;
&lt;br /&gt;
Using the hippo analogy for security failures, the talk identifies those ‘(in-)secure hippos’ and provides advice on how to avoid them, through anecdotes and best practices from the past 10 years of experience in the security field as a consultant.&lt;br /&gt;
&lt;br /&gt;
&amp;lt;br&amp;gt;&amp;lt;u&amp;gt;Speaker Bio&amp;lt;/u&amp;gt; &lt;br /&gt;
&lt;br /&gt;
Martin is Principal Consultant at Nixu BeNeLux (https://www.nixu.com/en/nixubenelux). His main working area is (software) security in general, from awareness to implementation. In his daily work, he is responsible for education in application security matters, and for advice on and implementation of application security measures.&lt;br /&gt;
&lt;br /&gt;
With his background in Java Development, he understands the complexity of Enterprise software development, Agile Scrum environments and continuous delivery / deployment. &lt;br /&gt;
&lt;br /&gt;
Martin got involved in OWASP in 2006. He became a member of the OWASP Netherland Chapter board in 2007. He has contributed to several OWASP projects and is co-organizer of the OWASP BeNeLux-Day conference since 2008. Martin has been chair of the Global Education Committee from 2008 until the ending of the Global Committees. &lt;br /&gt;
&lt;br /&gt;
Further, Martin is the conference chair of the OWASP AppSec-Eu/Research 2015 conference in Amsterdam, the Netherlands and involved in the AppSec-Eu 2016 among other activities as CfT Co-Chair. &lt;br /&gt;
&lt;br /&gt;
Martin is a frequent speaker at universities, hacker spaces and various conferences. &lt;br /&gt;
&lt;br /&gt;
&amp;lt;br&amp;gt;&amp;lt;u&amp;gt;Technical Level:&amp;lt;/u&amp;gt; Intermediate / Advanced&lt;br /&gt;
&amp;lt;br&amp;gt;&amp;lt;u&amp;gt;Language:&amp;lt;/u&amp;gt; English&lt;br /&gt;
&lt;br /&gt;
&amp;lt;br&amp;gt;&lt;br /&gt;
&lt;br /&gt;
=== Hacking HTTP/2 - New attacks on the Internet’s Next Generation Foundation ===&lt;br /&gt;
''''' Nadav Avital, Application Security Research Team Leader, Imperva '''''    &amp;lt;br /&amp;gt;&lt;br /&gt;
''''' Noam Mazor, Security Research Engineer, Imperva '''''    &amp;lt;br /&amp;gt;&lt;br /&gt;
HTTP/2 is the emerging network protocol for the Internet, facilitating leaner and faster web browsing by introducing several new mechanisms which can be seen as a single transition layer for web traffic. The adoption of HTTP/2 is lightning fast, and even though only a year has passed since its publication, HTTP/2 is already supported by all significant players in the field including browsers, web servers and Content Delivery Networks. &lt;br /&gt;
&lt;br /&gt;
In the presentation we will overview the HTTP/2 attack surface - stream multiplexing, flow control, HPACK compression and server push, with a focus on how the way HTTP/2 servers implement these mechanisms can make or break your security posture. We will continue with presenting new classes of vulnerabilities that have been introduced by the mechanisms used with HTTP/2, and explaining how these vulnerabilities can be used for mounting effective attacks against web servers like Apache, IIS, Nginx, Jetty and nghttp. We will explain in detail several serious zero-day vulnerabilities, such as CVE-2016-1546, CVE-2016-0150 and CVE-2016-1544, and end with discussing several approaches for mitigating attacks of these types. &lt;br /&gt;
&lt;br /&gt;
Those attending this session will understand that:&lt;br /&gt;
* As an emerging technology that introduces novel and flexible mechanisms, HTTP/2 also induces new risks. &lt;br /&gt;
* HTTP/2 implementations are still not “security mature.” Therefore it is almost certain that scrutiny of HTTP/2 implementations will increase in coming years, resulting in the discovery of new vulnerabilities, exploits and security patches.  With HTTP/2 gaining more popularity, this trend will intensify. &lt;br /&gt;
* An effective security strategy for newly adopted technologies must rely on supplemental solutions rather than patching&lt;br /&gt;
&lt;br /&gt;
&amp;lt;br&amp;gt;&amp;lt;u&amp;gt;Speaker Bio&amp;lt;/u&amp;gt; &lt;br /&gt;
&lt;br /&gt;
Nadav Avital is an expert in Web Application Security. He leads an Imperva team that captures and analyzes hacking activities and then creates mitigation strategies. These efforts result in research for new technologies and protocols. Nadav has more than 10 years industry experience in coding and creating security tools. He holds a B.Sc. in Computer Science.&lt;br /&gt;
&lt;br /&gt;
&amp;lt;br&amp;gt;&amp;lt;u&amp;gt;Speaker Bio&amp;lt;/u&amp;gt; &lt;br /&gt;
&lt;br /&gt;
Noam Mazor worked at Imperva as a security research engineer in the Web Application Security team. Noam has experience in analyzing hacking activities, creating mitigation and researching vulnerabilities. He holds a BSc in Computer Science and is currently an MSc student at Tel Aviv University.&lt;br /&gt;
&lt;br /&gt;
&amp;lt;br&amp;gt;&amp;lt;u&amp;gt;Technical Level:&amp;lt;/u&amp;gt; Intermediate&lt;br /&gt;
&amp;lt;br&amp;gt;&amp;lt;u&amp;gt;Language:&amp;lt;/u&amp;gt; Hebrew&lt;br /&gt;
&lt;br /&gt;
&amp;lt;br&amp;gt;&lt;br /&gt;
&lt;br /&gt;
=== Hacking The IoT (Internet of Things) - PenTesting RF Operated Devices ===&lt;br /&gt;
'''Hacking RF-Based IoT Systems''' &amp;lt;br /&amp;gt;&lt;br /&gt;
''''' Erez Metula, Application Security Expert, AppSec Labs (Founder) '''''    &amp;lt;br /&amp;gt;&lt;br /&gt;
([[Media:AppSecIL2016_HackingTheIoT-PenTestingRFDevices_ErezMetula.pdf|download presentation]])&lt;br /&gt;
&lt;br /&gt;
We often encounter IoT (Internet of Things) systems during our work as penetration testers and security consultants. We know how to assess the security of the server side API, the associated mobile apps, the web apps and so on - but what about the device itself (the &amp;quot;thing&amp;quot;)? Moreover, what happens if the device is not using traditional HTTP/S requests, or does not even &amp;quot;speak&amp;quot; plain old TCP/IP?&lt;br /&gt;
&lt;br /&gt;
During this talk, we'll go over the obstacles we have to face when analyzing unknown, custom RF based communication that drives the target IoT system we're pentesting. We'll talk about and see in action tools that will allow us to capture RF traffic, analyze it, brute force it, replay it, and of course forge it. It's like plain old appsec hacking tricks, but at the RF level. So let's hack some physical things belonging to the real world!&lt;br /&gt;
&lt;br /&gt;
&amp;lt;br&amp;gt;&amp;lt;u&amp;gt;Speaker Bio&amp;lt;/u&amp;gt; &lt;br /&gt;
&lt;br /&gt;
Erez Metula is the founder and Chairman of AppSec Labs, a leading company in the field of application security.&lt;br /&gt;
&lt;br /&gt;
He is the author of the book &amp;quot;Managed Code Rootkits&amp;quot;, and is a world renowned application security expert.&lt;br /&gt;
&lt;br /&gt;
Erez has extensive hands-on experience performing security assessments, code reviews and secure development trainings for worldwide organizations, and has previously spoken at international security conferences such as BlackHat, Defcon, OWASP, RSA, SOURCE, CanSecWest and more. Erez has helped companies of all sizes, from startups to Fortune 500 organizations. &lt;br /&gt;
&lt;br /&gt;
Erez focuses on advanced application security topics and has performed extensive ground breaking research on mobile application security. &lt;br /&gt;
&lt;br /&gt;
Erez holds an MSc in computer science and he is a CISSP.&lt;br /&gt;
&lt;br /&gt;
&amp;lt;br&amp;gt;&amp;lt;u&amp;gt;Technical Level:&amp;lt;/u&amp;gt; Advanced&lt;br /&gt;
&amp;lt;br&amp;gt;&amp;lt;u&amp;gt;Language:&amp;lt;/u&amp;gt; Hebrew&lt;br /&gt;
&lt;br /&gt;
&amp;lt;br&amp;gt;&lt;br /&gt;
&lt;br /&gt;
=== Integrating Security in Agile projects   (real case study) ===&lt;br /&gt;
''''' Elena Kravchenko, ADM BU Security Lead, Security &amp;amp; Trust Office, HPE Software '''''    &amp;lt;br /&amp;gt;&lt;br /&gt;
''''' Efrat Wasserman, ADM Senior Program manager, SRL, HPE Software ''''' &amp;lt;br/&amp;gt;&lt;br /&gt;
([[Media:AppSecIL2016_IntegratingSecurityInAgile_ElenaKravchenko-EfratWasserman.pptx|download presentation]])&lt;br /&gt;
&lt;br /&gt;
There are many different security development lifecycle (SDLC) frameworks in the modern world. However, a fully implemented SDLC program is often represented as heavy, time-consuming and not suitable for Agile development methodology. We’d like to break the myth and show, using a real case example, how a very comprehensive security program, managed by a dedicated security office, can be successfully integrated in an agile development project.  &lt;br /&gt;
&lt;br /&gt;
We’ll briefly describe the main challenges, and the techniques and procedures that help to overcome them. We’ll present the Security Lifecycle Management (SLM) Framework developed and used in HPE SW in the last three years, and describe how it was integrated into the development of a new SaaS-based, fully agile-developed product, with emphasis on the main activities and roles. As a part of the presentation we would like to highlight the importance of proper program management and the role of the PMO, and how it became a key success factor in the effective security program implementation.&lt;br /&gt;
&lt;br /&gt;
&amp;lt;br&amp;gt;&amp;lt;u&amp;gt;Speaker Bio&amp;lt;/u&amp;gt; &lt;br /&gt;
&lt;br /&gt;
Elena has an MSc in Applied Mathematics from Leningrad State University, and over 25 years of software engineering experience in different roles, including Software Design Engineer, Technical Lead, Customer Oriented Development Engineer, and Software System Architect.&lt;br /&gt;
&lt;br /&gt;
Currently a part of HPE Software ITOM and ADM Security and Trust Office  as the Security Lead for HPE’s Application Delivery Management (ADM) Business Unit.&lt;br /&gt;
&lt;br /&gt;
&amp;lt;br&amp;gt;&amp;lt;u&amp;gt;Speaker Bio&amp;lt;/u&amp;gt; &lt;br /&gt;
&lt;br /&gt;
Efrat has earned a BSc in Computer Science and Mathematics, and an MBA in Business Management and Marketing. She has over 17 years in Software Development, and 9 years as a Program manager.  &lt;br /&gt;
&lt;br /&gt;
Currently Senior Program Manager in HPE SW responsible for lifecycle of SaaS product&lt;br /&gt;
&lt;br /&gt;
&amp;lt;br&amp;gt;&amp;lt;u&amp;gt;Technical Level:&amp;lt;/u&amp;gt; Intermediate&lt;br /&gt;
&amp;lt;br&amp;gt;&amp;lt;u&amp;gt;Language:&amp;lt;/u&amp;gt; Hebrew&lt;br /&gt;
&lt;br /&gt;
&amp;lt;br&amp;gt;&lt;br /&gt;
&lt;br /&gt;
=== Law and the Israeli Cybersecurity Industry ===&lt;br /&gt;
''''' Eli Greenbaum, Partner, Yigal Arnon &amp;amp; Co. '''''    &amp;lt;br /&amp;gt;&lt;br /&gt;
From an international perspective, Israel provides a unique laboratory for studying the effect of law and regulation on cybersecurity research and development. This presentation will provide an introduction to specific laws and regulations concerning cybersecurity research and ask whether these laws have in actual practice influenced the growth of the cybersecurity ecosystem in Israel. More specifically, how have industry players, including startups, multinationals and the military, reacted to the unique legal framework that Israel provides for cybersecurity activities?&lt;br /&gt;
&lt;br /&gt;
&amp;lt;br&amp;gt;&lt;br /&gt;
&amp;lt;u&amp;gt;Speaker Bio&amp;lt;/u&amp;gt; &lt;br /&gt;
&lt;br /&gt;
Eli Greenbaum is a partner in the law firm of Yigal Arnon &amp;amp; Co., specializing in technology, intellectual property and cybersecurity. He received his Masters degree in Applied Physics from Columbia University and his law degree from Yale Law School. Eli has published widely on the intersection between technology and the law, including in the Harvard Journal of Law and Technology and the Cardozo Law Review. Eli clerked for Justice Miriam Naor of the Supreme Court of Israel and Judge David Cheshin of the District Court of Jerusalem.  &lt;br /&gt;
&lt;br /&gt;
&amp;lt;br /&amp;gt;&amp;lt;u&amp;gt;Technical Level:&amp;lt;/u&amp;gt; Introduction&lt;br /&gt;
&amp;lt;br /&amp;gt;&amp;lt;u&amp;gt;Language:&amp;lt;/u&amp;gt; English&lt;br /&gt;
&lt;br /&gt;
&amp;lt;br&amp;gt;&lt;br /&gt;
&lt;br /&gt;
=== Java Hurdling: Obstacles and Techniques in Java Client Penetration-testing ===&lt;br /&gt;
''''' Tal Melamed, Technical Leader, AppSec Labs '''''    &amp;lt;br /&amp;gt;&lt;br /&gt;
([[Media:AppSecIL2016_JavaHurdling_TalMelamed.pdf|download presentation]])&lt;br /&gt;
&lt;br /&gt;
Testing Java client applications is not always as straightforward as testing web applications. Even under experienced hands, there might be obstacles coming your way; what if you cannot use a proxy? How do you MitM? What if you just can't? How do you modify the app to your benefit?&lt;br /&gt;
&lt;br /&gt;
Fortunately, Java is still Java. This lecture is based on a true story, and will follow an interesting case of pen-testing a known product; what tools and techniques can be used in order to jump over hurdles, all the way to the finish line.&lt;br /&gt;
&lt;br /&gt;
The lecture aims to enrich the pentester's toolbox as well as mind, when facing Java client applications; MitM-ing, run-time manipulations and patching the code are only some of the discussed cases.&lt;br /&gt;
&lt;br /&gt;
In addition, a newly developed proxy for intercepting and tampering with TCP communication over TLS/SSL and bypassing certificate-pinning protections, will be introduced during the lecture.&lt;br /&gt;
&lt;br /&gt;
&amp;lt;br&amp;gt;&amp;lt;u&amp;gt;Speaker Bio&amp;lt;/u&amp;gt; &lt;br /&gt;
&lt;br /&gt;
Tal is an Application Security Expert. As AppSec Labs' Technical Leader, he is leading a variety of security projects for Android, iOS, WP, Web and Client applications.&lt;br /&gt;
&lt;br /&gt;
Prior to working at AppSec Labs, Tal has worked at Amdocs, CheckPoint and RSA, having more than a decade of experience in the Information Security field.&lt;br /&gt;
&lt;br /&gt;
Tal is a lead Trainer, a neat developer, and a security dreamer; breaking, building, defending &amp;amp; training since '99.&lt;br /&gt;
&lt;br /&gt;
&amp;lt;br&amp;gt;&amp;lt;u&amp;gt;Technical Level:&amp;lt;/u&amp;gt; Intermediate / Advanced&lt;br /&gt;
&amp;lt;br&amp;gt;&amp;lt;u&amp;gt;Language:&amp;lt;/u&amp;gt; Hebrew&lt;br /&gt;
&lt;br /&gt;
&amp;lt;br&amp;gt;&lt;br /&gt;
&lt;br /&gt;
=== NodeJS Security Done Right - The tips and tricks they won’t teach you in school ===&lt;br /&gt;
''''' Liran Tal, R&amp;amp;D Team Leader, Hewlett Packard Enterprise '''''    &amp;lt;br /&amp;gt;&lt;br /&gt;
([[Media:AppSecIL2016_NodeJS-Security_LiranTal.pdf|download presentation]])&lt;br /&gt;
&lt;br /&gt;
NodeJS, and JavaScript at large, are quickly taking over software, as shown by GitHub’s project growth statistics, the IoT industry and ChatOps projects written in JavaScript, and enterprise adoption is growing as well.&lt;br /&gt;
&lt;br /&gt;
With this trend, it is imperative to review OWASP security practices and learn how to harden NodeJS Web Applications.&lt;br /&gt;
&lt;br /&gt;
We will begin with a quick NodeJS intro and a few failure stories of how things can go wrong.&lt;br /&gt;
&lt;br /&gt;
We will quickly dive into hands-on practical implementation of security measures to adopt in your current or future NodeJS project. Next I will show how to leverage widely adopted security tools for integration in the build and CI/CD process to audit and test for security vulnerabilities, as well as leveraging successful enterprise-level open source npm libraries to enhance your web application’s security.&lt;br /&gt;
&lt;br /&gt;
In summary, in this session I will demonstrate:&lt;br /&gt;
* Securing ExpressJS by adopting mature and commonly used npm libraries&lt;br /&gt;
* Secure code guidelines for JavaScript software developers&lt;br /&gt;
* Integrating NodeJS security measures as part of your build CI/CD DevOps process&lt;br /&gt;
&lt;br /&gt;
To empower others and make a lasting impression for Open Source awareness and Security involvement, in the closing minutes of this presentation I will ask a volunteer from the audience to commit a Pull-Request that enhances security for a NodeJS project on GitHub.&lt;br /&gt;
&lt;br /&gt;
&amp;lt;br&amp;gt;&amp;lt;u&amp;gt;Speaker Bio&amp;lt;/u&amp;gt; &lt;br /&gt;
&lt;br /&gt;
Liran is a top contributor to the open source MEAN.io, and a core team member of the MEAN.js full stack JavaScript framework. He is also an author of several Node.js npm packages, as well as actively contributing to many open source projects on GitHub. Being an avid supporter and contributor to the open source movement, in 2007 he redefined network RADIUS management by establishing daloRADIUS, a world-recognized and industry-leading open source project (http://www.daloradius.com).&lt;br /&gt;
 &lt;br /&gt;
Liran is currently leading the R&amp;amp;D Engineering team for Hewlett Packard Enterprise content Marketplace, built on a microservices architecture for a combined technology stack of Java, NodeJS, AngularJS, MongoDB and MySQL. He loves mentoring and empowering team members, driving for better code methodology, and seeking out innovative solutions to support business strategies.&lt;br /&gt;
 &lt;br /&gt;
He enjoys spending his time with his beloved wife Tal, and his son Ori. Amongst other things, his hobbies include playing the guitar, hacking all things Linux and continuously experimenting and contributing to open source projects.&lt;br /&gt;
&lt;br /&gt;
&amp;lt;br&amp;gt;&amp;lt;u&amp;gt;Technical Level:&amp;lt;/u&amp;gt; Introduction&lt;br /&gt;
&amp;lt;br&amp;gt;&amp;lt;u&amp;gt;Language:&amp;lt;/u&amp;gt; Hebrew&lt;br /&gt;
&lt;br /&gt;
&amp;lt;br&amp;gt;&lt;br /&gt;
&lt;br /&gt;
=== Putting the &amp;quot;I&amp;quot; in Code Review - Turning Code Review Interactive ===&lt;br /&gt;
''''' Tamir Shavro, Seeker R&amp;amp;D Manager, Synopsys '''''    &amp;lt;br /&amp;gt;&lt;br /&gt;
([[Media:AppSecIL2016_InteractiveCodeReview_TamirShavro.pdf|download presentation]])&lt;br /&gt;
&lt;br /&gt;
Everybody knows that manual code review can be a tedious and lengthy effort, with complexity growing exponentially with the size of the code. However, understanding code flow and focusing on relevant parts can become much easier when employing interactive debugging techniques. This allows combining the best of penetration testing and code review benefits to achieve maximum results in the most efficient manner. In this talk we will explain and demonstrate this eye-opening technique for effectively performing a manual code review on a live system using a debugger and provide a quick starter kit for implementing this technique.&lt;br /&gt;
&lt;br /&gt;
&amp;lt;br&amp;gt;&amp;lt;u&amp;gt;Speaker Bio&amp;lt;/u&amp;gt; &lt;br /&gt;
&lt;br /&gt;
Tamir Shavro has been involved both in complex R&amp;amp;D endeavors and in the security field in the past 18 years. As the Chief Architect &amp;amp; VP RnD of Seeker (acquired by Synopsys in 2015), Tamir has been the driving force behind the development of the Seeker technology. &lt;br /&gt;
&lt;br /&gt;
Prior to Seeker he worked as a Senior Security Consultant in Hacktics, where he was involved in advanced application security projects. He was previously a Captain in the IDF Intelligence Corps, involved in various development leadership and architecture roles. &lt;br /&gt;
&lt;br /&gt;
&amp;lt;br&amp;gt;&amp;lt;u&amp;gt;Technical Level:&amp;lt;/u&amp;gt; Advanced&lt;br /&gt;
&amp;lt;br&amp;gt;&amp;lt;u&amp;gt;Language:&amp;lt;/u&amp;gt; Hebrew&lt;br /&gt;
&lt;br /&gt;
&amp;lt;br&amp;gt;&lt;br /&gt;
&lt;br /&gt;
=== Signoff or Sign-Out ===&lt;br /&gt;
''''' Ofer Maor, Director of Security Strategy, Synopsys '''''    &amp;lt;br /&amp;gt;&lt;br /&gt;
Software Signoff is an inevitable step in maturing our software development processes in order to deliver better and safer software. As with other engineering disciplines before, the growing concerns for safety, security and standards are driving the industry to do better. In this talk we will explain what Software Signoff means and why organizations must adopt it before it is too late.&lt;br /&gt;
&lt;br /&gt;
&amp;lt;br&amp;gt;&amp;lt;u&amp;gt;Speaker Bio&amp;lt;/u&amp;gt; &lt;br /&gt;
&lt;br /&gt;
Ofer Maor is a security expert and entrepreneur with over 20 years of experience in information and application security. Ofer has been involved in application security from its early days, through research, penetration testing, consulting, and product development.  As the founder and CTO of Seeker, Ofer pioneered IAST, the next generation of application security testing technology, currently used by some of the largest organizations in the world to continuously improve their software security. Ofer joined Synopsys when it acquired Seeker in July 2015. Prior to Seeker, Ofer was the Founder and CTO of Hacktics. He led Imperva's Application Defense Center research group and has also served as the Chairman of OWASP Israel and in the OWASP Global Membership Committee.&lt;br /&gt;
&lt;br /&gt;
&amp;lt;br&amp;gt;&amp;lt;u&amp;gt;Technical Level:&amp;lt;/u&amp;gt; Intermediate&lt;br /&gt;
&amp;lt;br&amp;gt;&amp;lt;u&amp;gt;Language:&amp;lt;/u&amp;gt; Hebrew&lt;br /&gt;
&lt;br /&gt;
&amp;lt;br&amp;gt;&lt;br /&gt;
&lt;br /&gt;
=== The Dark Side of Search Engine Optimization ===&lt;br /&gt;
'''The Dark Side of Website Promotion in Search Engines''' &amp;lt;br /&amp;gt;&lt;br /&gt;
''''' Or Katz, Principal Security Researcher, Akamai  '''''    &amp;lt;br /&amp;gt;&lt;br /&gt;
([[Media:AppSecIL2016_DarkSideSearchEngineOptimizations_OrKatz.pdf|download presentation]])&lt;br /&gt;
&lt;br /&gt;
Search engine optimization (SEO) is a technique used by web site owners in order to improve visibility and traffic to their web site. Legitimate SEO activity will use optimization techniques such as changing the structure and textual usage of the web site pages, and publication in social media and web forums that will refer relevant users.&lt;br /&gt;
&lt;br /&gt;
The ultimate goal of an SEO campaign is to promote web site ranking in the leading search engines, having the promoted web site returned in the primary result page when searching for relevant terms and keywords. &lt;br /&gt;
&lt;br /&gt;
In the presentation I’m going to present what happens when threat actors get into the world of SEO campaigns, abuse SEO optimization techniques and, moreover, use all kinds of attack techniques such as SQL injection and open redirects in order to manipulate search engine rankings.&lt;br /&gt;
&lt;br /&gt;
I will also evaluate some of the SEO attacks and the manipulating techniques, try to determine who are the victims in this story, check if these attacks achieved their goal and supply more interesting insights on the world of “Blackhat SEO”.&lt;br /&gt;
&lt;br /&gt;
&amp;lt;br&amp;gt;&amp;lt;u&amp;gt;Speaker Bio&amp;lt;/u&amp;gt; &lt;br /&gt;
&lt;br /&gt;
Or is an application security veteran, with years of experience at industry leading vendors, currently serving as principal security researcher for Akamai's Cloud Security Intelligence platform. Or is a frequent speaker in conferences such as RSA, AppSec and CSA. Or has published several innovative articles and white papers on web applications threat intelligence and defensive techniques.&lt;br /&gt;
&lt;br /&gt;
&amp;lt;br&amp;gt;&amp;lt;u&amp;gt;Technical Level:&amp;lt;/u&amp;gt; Intermediate&lt;br /&gt;
&amp;lt;br&amp;gt;&amp;lt;u&amp;gt;Language:&amp;lt;/u&amp;gt; Hebrew&lt;br /&gt;
&lt;br /&gt;
&amp;lt;br&amp;gt;&lt;br /&gt;
&lt;br /&gt;
=== The Threat of Advanced Cross-Site Search Attacks ===&lt;br /&gt;
'''The Threat of Advanced Cross-Site Search Attacks''' &amp;lt;br /&amp;gt;&lt;br /&gt;
''''' Dr. Nethanel Gelernter, Cyberpion &amp;amp; The College of Management Academic Studies '''''    &amp;lt;br /&amp;gt;&lt;br /&gt;
([[Media:AppSecIL2016_AdvancedCrossSiteSearch_NethanelGelernter.pdf|download presentation]])&lt;br /&gt;
&lt;br /&gt;
Cross-site search (XS-search) is a practical timing side-channel attack that allows the extraction of sensitive information from web-services. The attack exploits inflation techniques to efficiently distinguish between search requests that yield results and requests that do not. This work focuses on the response inflation technique that increases the size of the response; as the difference in the sizes of the responses increases, it becomes easier to distinguish between them. We begin with a browser-based XS-search attack and demonstrate its use in extracting users' private data from Gmail and Facebook. The browser-based XS-search attack exploits the differences in the sizes of HTTP responses, and works even when significant inflation of the response is impossible. This part also involves algorithmic improvements compared to previous work. When there is no leakage of information via the timing side channel it is possible to use second-order (SO) XS-search, a novel type of attack that allows the attacker to significantly increase the difference in the sizes of the responses by planting a maliciously crafted record into the storage. SO XS-search attacks can be used to extract sensitive information such as email content of Gmail and Yahoo! users, and search history of Bing users.&lt;br /&gt;
&lt;br /&gt;
&amp;lt;br&amp;gt;&amp;lt;u&amp;gt;Speaker Bio&amp;lt;/u&amp;gt; &lt;br /&gt;
&lt;br /&gt;
Nethanel Gelernter received a PhD in Computer Science from Bar-Ilan University (Israel). His research mainly focuses on web application security, and in particular on exploring new attack vectors and threats on the web. Currently, he is leading the cyber security research and studies in the College of Management Academic Studies in Israel. Beyond the academic world, Nethanel provides consulting services, and he recently founded Cyberpion, a company that investigates unknown attack vectors and develops countermeasures against them.&lt;br /&gt;
&lt;br /&gt;
&amp;lt;br&amp;gt;&amp;lt;u&amp;gt;Technical Level:&amp;lt;/u&amp;gt; Advanced&lt;br /&gt;
&amp;lt;br&amp;gt;&amp;lt;u&amp;gt;Language:&amp;lt;/u&amp;gt; Hebrew&lt;br /&gt;
&lt;br /&gt;
&amp;lt;br&amp;gt;&lt;br /&gt;
&lt;br /&gt;
=== The Unwanted Sons - Formalizing and Demonstrating WAF Bypass Methods for the REST of the Top 10 ===&lt;br /&gt;
'''Unwanted Descendants - Formalizing New WAF Bypass Techniques for the Rest of the Common OWASP Top 10 Attacks''' &amp;lt;br /&amp;gt;&lt;br /&gt;
''''' Shay Chen, CEO, Effective Security '''''    &amp;lt;br /&amp;gt;&lt;br /&gt;
([[Media:AppSecIL2016_TheUnwantedSons-WAFBypassTechniques_ShayChen.pptx|download presentation]])&lt;br /&gt;
&lt;br /&gt;
The once uncommon application-level protection mechanisms are EVERYWHERE these days, and sooner or later, you'll have to face them.&lt;br /&gt;
&lt;br /&gt;
Web Application Firewalls (WAF) and Intrusion Detection Systems (IDS), Filters and RASP Modules, all common and widespread countermeasures you have to face on a regular basis, with the power to turn a typical assessment into a nightmare, and make automated tools practically useless.&lt;br /&gt;
&lt;br /&gt;
While the attack vectors are well covered in CWE, CAPEC, TECAPI RvR, WASC, OWASP Top 10 and Testing Guide, all you have to cover evasion techniques is a couple of cheat sheets focused on a limited set of attacks.&lt;br /&gt;
&lt;br /&gt;
Sure, there are numerous XSS and SQL Injection evasion cheat sheets, but what about Path Traversal, Remote File Inclusion, OS Command Injection? What about Forced Browsing? What about other attacks?&lt;br /&gt;
&lt;br /&gt;
Formalizing evasion techniques and methods for the REST of the common attack vectors makes a LOT of sense, for manual pen-testing and automated tools - and THIS is phase one, aimed to cover the rest of the unattended top 10.&lt;br /&gt;
&lt;br /&gt;
&amp;lt;br&amp;gt;&amp;lt;u&amp;gt;Speaker Bio&amp;lt;/u&amp;gt; &lt;br /&gt;
&lt;br /&gt;
Shay Chen is the CEO of Effective Security, an information-security boutique company specializing in information security assessments and in automating security processes of vulnerability management and SDLC. &lt;br /&gt;
&lt;br /&gt;
He has over twelve years in information technology and security, a strong background in software development, and a stream of previously published vulnerabilities, attack vectors, benchmarks and hacking methodologies. &lt;br /&gt;
&lt;br /&gt;
Shay is an experienced speaker, and regularly instructs a wide variety of security related courses in Conferences and Enterprises. Before moving into the information security field, he was involved in various software development projects in ERP, mobile &amp;amp; enterprise environments.&lt;br /&gt;
&lt;br /&gt;
&amp;lt;br&amp;gt;&amp;lt;u&amp;gt;Technical Level:&amp;lt;/u&amp;gt; Intermediate / Advanced&lt;br /&gt;
&amp;lt;br&amp;gt;&amp;lt;u&amp;gt;Language:&amp;lt;/u&amp;gt; Hebrew&lt;br /&gt;
&lt;br /&gt;
&amp;lt;br&amp;gt;&lt;br /&gt;
&lt;br /&gt;
=== The Ways Hackers Are Taking To Win The Mobile Malware Battle ===&lt;br /&gt;
''''' Yair Amit, CTO &amp;amp; Co-founder, Skycure '''''    &amp;lt;br /&amp;gt;&lt;br /&gt;
([[Media:AppSecIL2016_WhyHackersAreWinningMobileMalwareBattle-YairAmit.pdf|download presentation]])&lt;br /&gt;
&lt;br /&gt;
In the proverbial game of cat-and-mouse between endpoint security vendors and malware writers, malware attacks have recently grown more sophisticated. More enterprises are losing ground to hackers, who are able to outmaneuver static and runtime solutions by constantly changing their attack strategies. The team that uncovered iOS malicious profiles, WiFiGate, HTTP Request Hijacking, No iOS Zone and Invisible Profiles are taking it upon themselves to coach developers and organizations on how to regain control, and turn the tables on the hackers behind next-generation mobile malware. &lt;br /&gt;
&lt;br /&gt;
In his presentation, Yair will discuss cutting-edge techniques used by malware writers to circumvent mobile security paradigms such as app-sandboxing and containers. Mr. Amit will then break down the current set of techniques (signatures, static analysis &amp;amp; dynamic analysis) used to identify malware on mobile devices, and identify the pros and cons of these approaches. He will also explain why attackers constantly succeed in fooling these technologies, and explore the problem of false positive/false negative tradeoffs in such solutions. &lt;br /&gt;
&lt;br /&gt;
During a live, interactive demo, Yair will create a mobile malware on stage, meant to be undetected by static and runtime analysis technologies.&lt;br /&gt;
&lt;br /&gt;
&amp;lt;br&amp;gt;&amp;lt;u&amp;gt;Speaker Bio&amp;lt;/u&amp;gt; &lt;br /&gt;
&lt;br /&gt;
Yair Amit is co-founder and CTO at Skycure, leading the company’s research and vision and overseeing its R&amp;amp;D center. Yair has been active in the security industry for more than a decade with his research regularly covered by media outlets and presented in security conferences around the world. Prior to co-founding Skycure, Yair managed the Application Security and Research Group at IBM, joining through the acquisition of Watchfire. At IBM, Yair led the research and implementation of IBM’s next-generation application security technology. Yair holds a BSc, summa cum laude, from Tel Aviv University in bioinformatics.&lt;br /&gt;
&lt;br /&gt;
&amp;lt;br&amp;gt;&amp;lt;u&amp;gt;Technical Level:&amp;lt;/u&amp;gt; Intermediate / Advanced&lt;br /&gt;
&amp;lt;br&amp;gt;&amp;lt;u&amp;gt;Language:&amp;lt;/u&amp;gt; Hebrew&lt;br /&gt;
&lt;br /&gt;
&amp;lt;br&amp;gt;&lt;/div&gt;</summary>
		<author><name>Avi Douglen</name></author>	</entry>

	<entry>
		<id>https://wiki.owasp.org/index.php?title=File:AppSecIL2016_TheUnwantedSons-WAFBypassTechniques_ShayChen.pptx&amp;diff=222463</id>
		<title>File:AppSecIL2016 TheUnwantedSons-WAFBypassTechniques ShayChen.pptx</title>
		<link rel="alternate" type="text/html" href="https://wiki.owasp.org/index.php?title=File:AppSecIL2016_TheUnwantedSons-WAFBypassTechniques_ShayChen.pptx&amp;diff=222463"/>
				<updated>2016-10-18T06:57:17Z</updated>
		
		<summary type="html">&lt;p&gt;Avi Douglen: &lt;/p&gt;
&lt;hr /&gt;
&lt;div&gt;&lt;/div&gt;</summary>
		<author><name>Avi Douglen</name></author>	</entry>

	<entry>
		<id>https://wiki.owasp.org/index.php?title=AppSec_Israel_2016_Presentations&amp;diff=222021</id>
		<title>AppSec Israel 2016 Presentations</title>
		<link rel="alternate" type="text/html" href="https://wiki.owasp.org/index.php?title=AppSec_Israel_2016_Presentations&amp;diff=222021"/>
				<updated>2016-10-02T08:17:10Z</updated>
		
		<summary type="html">&lt;p&gt;Avi Douglen: /* The Dark Side of Search Engine Optimization */&lt;/p&gt;
&lt;hr /&gt;
&lt;div&gt;&lt;br /&gt;
Full descriptions of all the talks at [[AppSec_Israel_2016|AppSec Israel 2016]] are below, together with each of the speakers' biographies. &lt;br /&gt;
&lt;br /&gt;
The [https://appsecil2016.sched.org/ full schedule can be found and subscribed to here].&lt;br /&gt;
&lt;br /&gt;
Pictures from the event [https://drive.google.com/drive/folders/0B0_K8tApcXxmVzBkcDNFUmt5S0U can be found here].&lt;br /&gt;
&lt;br /&gt;
__TOC__ &lt;br /&gt;
&lt;br /&gt;
The AppSec Israel conference is proudly being sponsored by: &lt;br /&gt;
{{Template:AppSec_Israel_2016_Sponsors}}&lt;br /&gt;
&lt;br /&gt;
== Technical Tracks ==&lt;br /&gt;
&lt;br /&gt;
=== Bot Extension - Abusing Google Chrome Extensions for Bot Attacks ===&lt;br /&gt;
'''Bot Extensions - Using Chrome Extensions for Bot Attacks'''  &amp;lt;br /&amp;gt;&lt;br /&gt;
''''' Tomer Cohen, Head of R&amp;amp;D security, Wix.com '''''    &amp;lt;br /&amp;gt;&lt;br /&gt;
Chrome extensions have opened a variety of opportunities for users as well as developers, expanding the limits of what we've known as the browsing experience. Attackers have also spotted the wide usage of such extensions, and abuse people's trust in the Chrome Web Store to distribute malicious extensions. This allows them to run web-based bot attacks straight from victims' browsers, including DDoS campaigns and cross-site requests resulting in impersonation of users in third-party websites.&lt;br /&gt;
&lt;br /&gt;
Furthermore, the detection of such a bot attack by a third party is more complex than in regular distributed attacks, since real humans actually use the Chrome tab abused to attack the victim third party.&lt;br /&gt;
&lt;br /&gt;
The lecture will include an intro on Chrome Extension architecture followed by techniques to abuse this architecture in order to run bot attacks, as well as distribute malicious extensions to big crowds of victims.&lt;br /&gt;
&lt;br /&gt;
&amp;lt;br&amp;gt;&amp;lt;u&amp;gt;Speaker Bio&amp;lt;/u&amp;gt; &lt;br /&gt;
&lt;br /&gt;
Worked as a security consultant in several places, one of the founders of Magshimim Cyber Training Program.&lt;br /&gt;
&lt;br /&gt;
&amp;lt;br&amp;gt;&amp;lt;u&amp;gt;Technical Level:&amp;lt;/u&amp;gt; Intermediate / Advanced&lt;br /&gt;
&amp;lt;br&amp;gt;&amp;lt;u&amp;gt;Language:&amp;lt;/u&amp;gt; Hebrew&lt;br /&gt;
&lt;br /&gt;
&amp;lt;br&amp;gt;&lt;br /&gt;
&lt;br /&gt;
=== Could a few lines of code &amp;lt;F!#ck&amp;gt; it all up?? ===&lt;br /&gt;
''''' Amit Ashbel, Director of Product Marketing &amp;amp; Cyber Security Evangelist, Checkmarx '''''    &amp;lt;br /&amp;gt;&lt;br /&gt;
''''' Erez Yalon, Application Security Lead, Checkmarx '''''    &amp;lt;br /&amp;gt;&lt;br /&gt;
([[Media:AppSecIL2016_AFewLinesOfCode-JS_AmitAshbel-ErezYalon.pptx|download presentation]])&lt;br /&gt;
&lt;br /&gt;
March 2016. An anonymous open source developer decides to remove his code (left-pad) from a public repository.&lt;br /&gt;
&lt;br /&gt;
Shortly thereafter, several large organizations felt the impact of his actions. Facebook, AirBnB and others experienced errors impacting the functionality of their services. Packages using “left-pad” wouldn’t properly execute.&lt;br /&gt;
&lt;br /&gt;
Today, we embrace both the open source community and the growth of open source projects, modules and packages but... Dependencies and recursive dependencies might become a risk or even a new attack vector which we didn’t foresee. &lt;br /&gt;
&lt;br /&gt;
Could there be other cases of common and popular open source packages depending on open source modules that might not be there tomorrow or, even worse, could they be maliciously modified?&lt;br /&gt;
&lt;br /&gt;
Join us for an insightful session that will reveal our research on this topic where you will learn:&lt;br /&gt;
* Which common open source packages might not be there tomorrow and how this can affect you?&lt;br /&gt;
* How packages you use could be maliciously modified, and the impact on your app&lt;br /&gt;
* The risks introduced by hybrid application development &lt;br /&gt;
* How intertwined and complex dependencies have become&lt;br /&gt;
&lt;br /&gt;
&amp;lt;br&amp;gt;&amp;lt;u&amp;gt;Speaker Bio&amp;lt;/u&amp;gt; &lt;br /&gt;
&lt;br /&gt;
Amit has been with the security community for more than a decade where he has taken on multiple tasks and responsibilities, including technical and Senior Product lead positions. Amit adds valuable product knowledge including experience with a wide range of security platforms and familiarity with emerging threats. Amit also speaks at high profile events and conferences such as BlackHat, Defcon, OWASP and others.&lt;br /&gt;
&lt;br /&gt;
&amp;lt;br&amp;gt;&amp;lt;u&amp;gt;Speaker Bio&amp;lt;/u&amp;gt; &lt;br /&gt;
&lt;br /&gt;
Erez Yalon heads the security research group at Checkmarx. With vast defender and attacker experience and as an independent security researcher, he brings invaluable knowledge and skills to the table. Erez is responsible for maintaining Checkmarx’s top notch vulnerability detection technology where his previous development experience with a variety of coding languages comes into play.&lt;br /&gt;
&lt;br /&gt;
&amp;lt;br&amp;gt;&amp;lt;u&amp;gt;Technical Level:&amp;lt;/u&amp;gt; Introduction&lt;br /&gt;
&amp;lt;br&amp;gt;&amp;lt;u&amp;gt;Language:&amp;lt;/u&amp;gt; Hebrew&lt;br /&gt;
&lt;br /&gt;
&amp;lt;br&amp;gt;&lt;br /&gt;
&lt;br /&gt;
=== Crippling HTTPS with unholy PAC ===&lt;br /&gt;
'''How to wreck HTTPS with a sabotage PAC''' &amp;lt;br /&amp;gt;&lt;br /&gt;
''''' Amit Klein, VP Security Research, SafeBreach '''''    &amp;lt;br /&amp;gt;&lt;br /&gt;
([[Media:AppSecIL2016_CripplingHTTPSwithUnholyPAC_AmitKlein.pdf|download presentation]])&lt;br /&gt;
&lt;br /&gt;
You're in a potentially malicious network (free WiFi, guest network, or maybe your own corporate LAN). You're a security conscious netizen so you restrict yourself to HTTPS (browsing to HSTS sites and/or using a &amp;quot;Force TLS/SSL&amp;quot; browser extension). All your traffic is protected from the first byte. Or is it?&lt;br /&gt;
&lt;br /&gt;
We will demonstrate that, by forcing your browser/system to use a malicious PAC (Proxy AutoConfiguration) resource, it is possible to leak HTTPS URLs. We will explain how this affects the privacy of the user and how credentials/sessions can be stolen. We will present the concept of &amp;quot;PAC Malware&amp;quot; (a malware which is implemented only as JavaScript logic in a PAC resource) that features: a 2-way communication channel between the PAC malware and an external server, contextual phishing via messages, denial-of-service options, and sensitive data extraction from URIs. We present a comprehensive browser PAC feature matrix and elaborate more about this cross-platform (Linux, Windows, Mac) and cross-browser (IE, Chrome, Safari) threat.&lt;br /&gt;
&lt;br /&gt;
&amp;lt;br&amp;gt;&amp;lt;u&amp;gt;Speaker Bio&amp;lt;/u&amp;gt; &lt;br /&gt;
&lt;br /&gt;
Amit Klein is a world renowned information security expert, with 25 years in information security and over 30 published technical papers on this topic. Amit is VP Security Research at SafeBreach, responsible for researching various infiltration, exfiltration and lateral movement attacks. Before SafeBreach, Amit was CTO for Trusteer (acquired by IBM) for 8.5 years. Prior to Trusteer, Amit was chief scientist for Cyota (acquired by RSA) for 2 years, and prior to that, director of Security and Research for Sanctum (acquired by Watchfire, now part of IBM security division) for 7 years. Amit has a B.Sc. from the Hebrew University (magna cum laude, Talpiot program), was recognized by InfoWorld as a CTO of the year 2010, and has presented at HITB, RSA, OWASP, CertConf, BlueHat, CyberTech, APWG and AusCERT.&lt;br /&gt;
&lt;br /&gt;
&amp;lt;br&amp;gt;&amp;lt;u&amp;gt;Technical Level:&amp;lt;/u&amp;gt; Intermediate&lt;br /&gt;
&amp;lt;br&amp;gt;&amp;lt;u&amp;gt;Language:&amp;lt;/u&amp;gt; Hebrew&lt;br /&gt;
&lt;br /&gt;
&amp;lt;br&amp;gt;&lt;br /&gt;
&lt;br /&gt;
=== Don't Feed the Hippos! ===&lt;br /&gt;
''''' Martin Knobloch, Principal Consultant, Nixu '''''    &amp;lt;br /&amp;gt;&lt;br /&gt;
([[Media:AppSecIL2016_DontFeedTheHippos_MartinKnobloch.pdf|download presentation]])&lt;br /&gt;
&lt;br /&gt;
The security community is trying to solve insecurity caused by bugs and flaws in software for many years now, but with what success? &lt;br /&gt;
&lt;br /&gt;
We almost never look at the successes and failures experienced in other areas, though we could really learn from them. This talk is inspired by Ernesto Sirolli’s TED talk “Want to help someone? Shut up and listen!” about failures in aid programs around the world. Listening to Ernesto Sirolli, you cannot miss the similarity with the security community trying to tell developers how to write secure code. This talk points out common failures of the security community when communicating with developers, trying to solve their problems without understanding what their problems really are.&lt;br /&gt;
&lt;br /&gt;
Using the hippo analogy for security failures, the talk identifies those ‘(in-)secure hippos’ and provides advice on how to avoid them, through anecdotes and best practices from the experience of the past 10 years in the security field as a consultant.&lt;br /&gt;
&lt;br /&gt;
&amp;lt;br&amp;gt;&amp;lt;u&amp;gt;Speaker Bio&amp;lt;/u&amp;gt; &lt;br /&gt;
&lt;br /&gt;
Martin is Principal Consultant at Nixu BeNeLux (https://www.nixu.com/en/nixubenelux). His main working area is (software) security in general, from awareness to implementation. In his daily work, he is responsible for education in application security matters, and for advice on and implementation of application security measures.&lt;br /&gt;
&lt;br /&gt;
With his background in Java Development, he understands the complexity of Enterprise software development, Agile Scrum environments and continuous delivery / deployment. &lt;br /&gt;
&lt;br /&gt;
Martin got involved in OWASP in 2006. He became a member of the OWASP Netherland Chapter board in 2007. He has contributed to several OWASP projects and is co-organizer of the OWASP BeNeLux-Day conference since 2008. Martin has been chair of the Global Education Committee from 2008 until the ending of the Global Committees. &lt;br /&gt;
&lt;br /&gt;
Further, Martin is the conference chair of the OWASP AppSec-Eu/Research 2015 conference in Amsterdam, the Netherlands and involved in the AppSec-Eu 2016 among other activities as CfT Co-Chair.&lt;br /&gt;
&lt;br /&gt;
Martin is a frequent speaker at universities, hacker spaces and various conferences. &lt;br /&gt;
&lt;br /&gt;
&amp;lt;br&amp;gt;&amp;lt;u&amp;gt;Technical Level:&amp;lt;/u&amp;gt; Intermediate / Advanced&lt;br /&gt;
&amp;lt;br&amp;gt;&amp;lt;u&amp;gt;Language:&amp;lt;/u&amp;gt; English&lt;br /&gt;
&lt;br /&gt;
&amp;lt;br&amp;gt;&lt;br /&gt;
&lt;br /&gt;
=== Hacking HTTP/2 - New attacks on the Internet’s Next Generation Foundation ===&lt;br /&gt;
''''' Nadav Avital, Application Security Research Team Leader, Imperva '''''    &amp;lt;br /&amp;gt;&lt;br /&gt;
''''' Noam Mazor, Security Research Engineer, Imperva '''''    &amp;lt;br /&amp;gt;&lt;br /&gt;
HTTP/2 is the emerging network protocol for the Internet, facilitating leaner and faster web browsing by introducing several new mechanisms which can be seen as a single transition layer for web traffic. The adoption of HTTP/2 is lightning fast, and even though only a year has passed since its publication, HTTP/2 is already supported by all significant players in the field including browsers, web servers and Content Delivery Networks. &lt;br /&gt;
&lt;br /&gt;
In the presentation we will overview the HTTP/2 attack surface - stream multiplexing, flow control, HPACK compression and server push, with a focus on how the way HTTP/2 servers implement these mechanisms can make or break your security posture. We will continue with presenting new classes of vulnerabilities that have been introduced by the mechanisms used with HTTP/2, and explaining how these vulnerabilities can be used for mounting effective attacks against web servers like Apache, IIS, Nginx, Jetty and nghttp. We will explain in detail several serious zero-day vulnerabilities, such as CVE-2016-1546, CVE-2016-0150 and CVE-2016-1544, and end with discussing several approaches for mitigating attacks of these types.&lt;br /&gt;
&lt;br /&gt;
Those attending this session will understand that:&lt;br /&gt;
* As an emerging technology that introduces novel and flexible mechanisms, HTTP/2 also induces new risks. &lt;br /&gt;
* HTTP/2 implementations are still not “security mature.” Therefore it is almost certain that scrutiny of HTTP/2 implementations will increase in coming years, resulting in the discovery of new vulnerabilities, exploits and security patches.  With HTTP/2 gaining more popularity, this trend will intensify. &lt;br /&gt;
* An effective security strategy for newly adopted technologies must rely on supplemental solutions rather than patching&lt;br /&gt;
&lt;br /&gt;
&amp;lt;br&amp;gt;&amp;lt;u&amp;gt;Speaker Bio&amp;lt;/u&amp;gt; &lt;br /&gt;
&lt;br /&gt;
Nadav Avital is an expert in Web Application Security. He leads an Imperva team that captures and analyzes hacking activities and then creates mitigation strategies. These efforts result in research for new technologies and protocols. Nadav has more than 10 years of industry experience in coding and creating security tools. He holds a B.Sc. in Computer Science.&lt;br /&gt;
&lt;br /&gt;
&amp;lt;br&amp;gt;&amp;lt;u&amp;gt;Speaker Bio&amp;lt;/u&amp;gt; &lt;br /&gt;
&lt;br /&gt;
Noam Mazor worked at Imperva as a security research engineer in the Web Application Security team. Noam has experience in analyzing hacking activities, creating mitigation and researching vulnerabilities. He holds a BSc in Computer Science and is currently an MSc student at Tel Aviv University.&lt;br /&gt;
&lt;br /&gt;
&amp;lt;br&amp;gt;&amp;lt;u&amp;gt;Technical Level:&amp;lt;/u&amp;gt; Intermediate&lt;br /&gt;
&amp;lt;br&amp;gt;&amp;lt;u&amp;gt;Language:&amp;lt;/u&amp;gt; Hebrew&lt;br /&gt;
&lt;br /&gt;
&amp;lt;br&amp;gt;&lt;br /&gt;
&lt;br /&gt;
=== Hacking The IoT (Internet of Things) - PenTesting RF Operated Devices ===&lt;br /&gt;
'''Hacking RF-based IoT systems''' &amp;lt;br /&amp;gt;&lt;br /&gt;
''''' Erez Metula, Application Security Expert, AppSec Labs (Founder) '''''    &amp;lt;br /&amp;gt;&lt;br /&gt;
([[Media:AppSecIL2016_HackingTheIoT-PenTestingRFDevices_ErezMetula.pdf|download presentation]])&lt;br /&gt;
&lt;br /&gt;
We often encounter IoT (Internet of Things) systems during our work as penetration testers and security consultants. We know how to assess the security of the server side API, the associated mobile apps, the web apps and so on - but what about the device itself (the &amp;quot;thing&amp;quot;)? Moreover, what happens if the device is not using traditional HTTP/S requests, or does not even &amp;quot;speak&amp;quot; plain old TCP/IP?&lt;br /&gt;
&lt;br /&gt;
During this talk, we'll go over the obstacles we have to face when analyzing unknown, custom RF based communication that drives the target IoT system we're pentesting. We'll talk about and see in action tools that will allow us to capture RF traffic, analyze it, brute force it, replay it, and of course forge it. It's like plain old appsec hacking tricks, but at the RF level. So let's hack some physical things belonging to the real world!&lt;br /&gt;
&lt;br /&gt;
&amp;lt;br&amp;gt;&amp;lt;u&amp;gt;Speaker Bio&amp;lt;/u&amp;gt; &lt;br /&gt;
&lt;br /&gt;
Erez Metula is the founder and Chairman of AppSec Labs, a leading company in the field of application security.&lt;br /&gt;
&lt;br /&gt;
He is the author of the book &amp;quot;Managed Code Rootkits&amp;quot;, and is a world renowned application security expert.&lt;br /&gt;
&lt;br /&gt;
Erez has extensive hands-on experience performing security assessments, code reviews and secure development trainings for worldwide organizations, and has previously spoken at international security conferences such as BlackHat, Defcon, OWASP, RSA, SOURCE, CanSecWest and more. Erez has helped companies of all sizes, from startups to Fortune 500 organizations.&lt;br /&gt;
&lt;br /&gt;
Erez focuses on advanced application security topics and has performed extensive ground breaking research on mobile application security. &lt;br /&gt;
&lt;br /&gt;
Erez holds an MSc in computer science and is a CISSP.&lt;br /&gt;
&lt;br /&gt;
&amp;lt;br&amp;gt;&amp;lt;u&amp;gt;Technical Level:&amp;lt;/u&amp;gt; Advanced&lt;br /&gt;
&amp;lt;br&amp;gt;&amp;lt;u&amp;gt;Language:&amp;lt;/u&amp;gt; Hebrew&lt;br /&gt;
&lt;br /&gt;
&amp;lt;br&amp;gt;&lt;br /&gt;
&lt;br /&gt;
=== Integrating Security in Agile projects (real case study) ===&lt;br /&gt;
''''' Elena Kravchenko, ADM BU Security Lead, Security &amp;amp; Trust Office, HPE Software '''''    &amp;lt;br /&amp;gt;&lt;br /&gt;
''''' Efrat Wasserman, ADM Senior Program manager, SRL, HPE Software ''''' &amp;lt;br/&amp;gt;&lt;br /&gt;
([[Media:AppSecIL2016_IntegratingSecurityInAgile_ElenaKravchenko-EfratWasserman.pptx|download presentation]])&lt;br /&gt;
&lt;br /&gt;
There are many different security development lifecycle (SDLC) frameworks in the modern world. However, a fully implemented SDLC program is often represented as heavy, time-consuming and not suitable to Agile development methodology. We’d like to break the myth and show, using a real case example, how a very comprehensive security program, managed by a dedicated security office, can be successfully integrated into an agile development project.&lt;br /&gt;
&lt;br /&gt;
We’ll briefly describe the main challenges, and the techniques and procedures that help to overcome them. We’ll present the Security Lifecycle Management (SLM) Framework developed and used in HPE SW in the last three years, and describe how it was integrated into the development of a new SaaS-based, fully agile-developed product, with emphasis on main activities and roles. As a part of the presentation we would like to highlight the importance of proper program management and the role of the PMO, and how it became a key success factor in the effective security program implementation.&lt;br /&gt;
&lt;br /&gt;
&amp;lt;br&amp;gt;&amp;lt;u&amp;gt;Speaker Bio&amp;lt;/u&amp;gt; &lt;br /&gt;
&lt;br /&gt;
Elena has an MSc in Applied Mathematics from Leningrad State University, and over 25 years of software engineering experience in different roles, including Software Design Engineer, Technical Lead, Customer Oriented Development Engineer, and Software System Architect.&lt;br /&gt;
&lt;br /&gt;
She is currently part of the HPE Software ITOM and ADM Security and Trust Office as the Security Lead for HPE’s Application Delivery Management (ADM) Business Unit.&lt;br /&gt;
&lt;br /&gt;
&amp;lt;br&amp;gt;&amp;lt;u&amp;gt;Speaker Bio&amp;lt;/u&amp;gt; &lt;br /&gt;
&lt;br /&gt;
Efrat has earned a BSc in Computer Science and Mathematics, and an MBA in Business Management and Marketing. She has over 17 years in Software Development, and 9 years as a Program manager.&lt;br /&gt;
&lt;br /&gt;
She is currently a Senior Program Manager in HPE SW, responsible for the lifecycle of a SaaS product.&lt;br /&gt;
&lt;br /&gt;
&amp;lt;br&amp;gt;&amp;lt;u&amp;gt;Technical Level:&amp;lt;/u&amp;gt; Intermediate&lt;br /&gt;
&amp;lt;br&amp;gt;&amp;lt;u&amp;gt;Language:&amp;lt;/u&amp;gt; Hebrew&lt;br /&gt;
&lt;br /&gt;
&amp;lt;br&amp;gt;&lt;br /&gt;
&lt;br /&gt;
=== Law and the Israeli Cybersecurity Industry ===&lt;br /&gt;
''''' Eli Greenbaum, Partner, Yigal Arnon &amp;amp; Co. '''''    &amp;lt;br /&amp;gt;&lt;br /&gt;
From an international perspective, Israel provides a unique laboratory for studying the effect of law and regulation on cybersecurity research and development. This presentation will provide an introduction to specific laws and regulations concerning cybersecurity research and ask whether these laws have in actual practice influenced the growth of the cybersecurity ecosystem in Israel. More specifically, how have industry players, including startups, multinationals and the military, reacted to the unique legal framework that Israel provides for cybersecurity activities?&lt;br /&gt;
&lt;br /&gt;
&amp;lt;br&amp;gt;&lt;br /&gt;
&amp;lt;u&amp;gt;Speaker Bio&amp;lt;/u&amp;gt; &lt;br /&gt;
&lt;br /&gt;
Eli Greenbaum is a partner in the law firm of Yigal Arnon &amp;amp; Co., specializing in technology, intellectual property and cybersecurity. He received his Master's degree in Applied Physics from Columbia University and his law degree from Yale Law School. Eli has published widely in the intersection between technology and the law, including in the Harvard Journal of Law and Technology and the Cardozo Law Review. Eli clerked for Justice Miriam Naor of the Supreme Court of Israel and Judge David Cheshin of the District Court of Jerusalem.&lt;br /&gt;
&lt;br /&gt;
&amp;lt;br /&amp;gt;&amp;lt;u&amp;gt;Technical Level:&amp;lt;/u&amp;gt; Introduction&lt;br /&gt;
&amp;lt;br /&amp;gt;&amp;lt;u&amp;gt;Language:&amp;lt;/u&amp;gt; English&lt;br /&gt;
&lt;br /&gt;
&amp;lt;br&amp;gt;&lt;br /&gt;
&lt;br /&gt;
=== Java Hurdling: Obstacles and Techniques in Java Client Penetration-testing ===&lt;br /&gt;
''''' Tal Melamed, Technical Leader, AppSec Labs '''''    &amp;lt;br /&amp;gt;&lt;br /&gt;
([[Media:AppSecIL2016_JavaHurdling_TalMelamed.pdf|download presentation]])&lt;br /&gt;
&lt;br /&gt;
Testing Java client applications is not always as straightforward as testing web applications. Even under experienced hands, there might be obstacles coming your way; what if you cannot use a proxy? How do you MitM? What if you just can't? How do you modify the app to your benefit?&lt;br /&gt;
&lt;br /&gt;
Fortunately, Java is still Java. This lecture is based on a true story, and will follow an interesting case of pen-testing a known product; what tools and techniques can be used in order to jump over hurdles, all the way to the finish line.&lt;br /&gt;
&lt;br /&gt;
The lecture aims to enrich the pentester's toolbox as well as mind, when facing Java client applications; MitM-ing, run-time manipulations and patching the code are only some of the discussed cases.&lt;br /&gt;
&lt;br /&gt;
In addition, a newly developed proxy for intercepting and tampering with TCP communication over TLS/SSL and bypassing certificate-pinning protections will be introduced during the lecture.&lt;br /&gt;
&lt;br /&gt;
&amp;lt;br&amp;gt;&amp;lt;u&amp;gt;Speaker Bio&amp;lt;/u&amp;gt; &lt;br /&gt;
&lt;br /&gt;
Tal is an Application Security Expert. As AppSec Labs' Technical Leader, he is leading a variety of security projects for Android, iOS, WP, Web and Client applications.&lt;br /&gt;
&lt;br /&gt;
Prior to working at AppSec Labs, Tal has worked at Amdocs, CheckPoint and RSA, having more than a decade of experience in the Information Security field.&lt;br /&gt;
&lt;br /&gt;
Tal is a lead Trainer, a neat developer, and a security dreamer; breaking, building, defending &amp;amp; training since '99.&lt;br /&gt;
&lt;br /&gt;
&amp;lt;br&amp;gt;&amp;lt;u&amp;gt;Technical Level:&amp;lt;/u&amp;gt; Intermediate / Advanced&lt;br /&gt;
&amp;lt;br&amp;gt;&amp;lt;u&amp;gt;Language:&amp;lt;/u&amp;gt; Hebrew&lt;br /&gt;
&lt;br /&gt;
&amp;lt;br&amp;gt;&lt;br /&gt;
&lt;br /&gt;
=== NodeJS Security Done Right - The tips and tricks they won’t teach you in school ===&lt;br /&gt;
''''' Liran Tal, R&amp;amp;D Team Leader, Hewlett Packard Enterprise '''''    &amp;lt;br /&amp;gt;&lt;br /&gt;
([[Media:AppSecIL2016_NodeJS-Security_LiranTal.pdf|download presentation]])&lt;br /&gt;
&lt;br /&gt;
NodeJS, and JavaScript at large, are quickly taking over software, whether judged by GitHub’s statistics for project growth, the IoT industry, or ChatOps projects written in JavaScript, and enterprise adoption is growing as well.&lt;br /&gt;
&lt;br /&gt;
With this trend, it is imperative to review OWASP security practices and learn how to harden NodeJS Web Applications.&lt;br /&gt;
&lt;br /&gt;
We will begin with a quick NodeJS intro and a few fail stories of how things can go wrong.&lt;br /&gt;
&lt;br /&gt;
We will quickly dive into hands-on practical implementation of security measures to adopt in your current or future NodeJS project. Next I will show how to leverage widely adopted security tools for integration in the build and CI/CD process to audit and test for security vulnerabilities, as well as leveraging successful enterprise-level open source npm libraries to enhance your web application’s security.&lt;br /&gt;
&lt;br /&gt;
In summary, in this session I will demonstrate:&lt;br /&gt;
* Securing ExpressJS by adopting mature and commonly used npm libraries&lt;br /&gt;
* Secure code guidelines for JavaScript software developers&lt;br /&gt;
* Integrating NodeJS security measures as part of your build CI/CD DevOps process&lt;br /&gt;
&lt;br /&gt;
To empower others and make a lasting impression for Open Source awareness and Security involvement: In the closing minutes of this presentation I will ask a volunteer from the audience to commit a Pull-Request that enhances security for a NodeJS project on GitHub.&lt;br /&gt;
&lt;br /&gt;
&amp;lt;br&amp;gt;&amp;lt;u&amp;gt;Speaker Bio&amp;lt;/u&amp;gt; &lt;br /&gt;
&lt;br /&gt;
Liran is a top contributor to the open source MEAN.io, and core team member of the MEAN.js full stack JavaScript framework. He is also an author of several Node.js npm packages, as well as actively contributing to many open source projects on GitHub. Being an avid supporter and contributor to the open source movement, in 2007 he redefined network RADIUS management by establishing daloRADIUS, a world-recognized and industry-leading open source project (http://www.daloradius.com).&lt;br /&gt;
&lt;br /&gt;
Liran is currently leading the R&amp;amp;D Engineering team for Hewlett Packard Enterprise content Marketplace, built on a microservices architecture for a combined technology stack of Java, NodeJS, AngularJS, MongoDB and MySQL. He loves mentoring and empowering team members, driving for better code methodology, and seeking out innovative solutions to support business strategies.&lt;br /&gt;
&lt;br /&gt;
He enjoys spending his time with his beloved wife Tal, and his son Ori. Amongst other things, his hobbies include playing the guitar, hacking all things Linux and continuously experimenting and contributing to open source projects.&lt;br /&gt;
&lt;br /&gt;
&amp;lt;br&amp;gt;&amp;lt;u&amp;gt;Technical Level:&amp;lt;/u&amp;gt; Introduction&lt;br /&gt;
&amp;lt;br&amp;gt;&amp;lt;u&amp;gt;Language:&amp;lt;/u&amp;gt; Hebrew&lt;br /&gt;
&lt;br /&gt;
&amp;lt;br&amp;gt;&lt;br /&gt;
&lt;br /&gt;
=== Putting the &amp;quot;I&amp;quot; in Code Review - Turning Code Review Interactive ===&lt;br /&gt;
''''' Tamir Shavro, Seeker R&amp;amp;D Manager, Synopsys '''''    &amp;lt;br /&amp;gt;&lt;br /&gt;
([[Media:AppSecIL2016_InteractiveCodeReview_TamirShavro.pdf|download presentation]])&lt;br /&gt;
&lt;br /&gt;
Everybody knows that manual code review can be a tedious and lengthy effort, with complexity growing exponentially with the size of the code. However, understanding code flow and focusing on relevant parts can become much easier when employing interactive debugging techniques. This allows combining the best of penetration testing and code review benefits to achieve maximum results in the most efficient manner. In this talk we will explain and demonstrate this eye-opening technique for effectively performing a manual code review on a live system using a debugger and provide a quick starter kit for implementing this technique.&lt;br /&gt;
&lt;br /&gt;
&amp;lt;br&amp;gt;&amp;lt;u&amp;gt;Speaker Bio&amp;lt;/u&amp;gt; &lt;br /&gt;
&lt;br /&gt;
Tamir Shavro has been involved both in complex R&amp;amp;D endeavors and in the security field in the past 18 years. As the Chief Architect &amp;amp; VP RnD of Seeker (acquired by Synopsys in 2015), Tamir has been the driving force behind the development of the Seeker technology. &lt;br /&gt;
&lt;br /&gt;
Prior to Seeker he worked as a Senior Security Consultant in Hacktics, where he was involved in advanced application security projects. He was previously a Captain in the IDF Intelligence Corps, involved in various development leadership and architecture roles.&lt;br /&gt;
&lt;br /&gt;
&amp;lt;br&amp;gt;&amp;lt;u&amp;gt;Technical Level:&amp;lt;/u&amp;gt; Advanced&lt;br /&gt;
&amp;lt;br&amp;gt;&amp;lt;u&amp;gt;Language:&amp;lt;/u&amp;gt; Hebrew&lt;br /&gt;
&lt;br /&gt;
&amp;lt;br&amp;gt;&lt;br /&gt;
&lt;br /&gt;
=== Signoff or Sign-Out ===&lt;br /&gt;
''''' Ofer Maor, Director of Security Strategy, Synopsys '''''    &amp;lt;br /&amp;gt;&lt;br /&gt;
Software Signoff is an inevitable step in maturing our software development processes in order to deliver better and safer software. Like with other engineering disciplines before, the growing concerns for safety, security and standards are driving the industry to do better. In this talk we will explain what Software Signoff means and why organizations must adopt it before it is too late.&lt;br /&gt;
&lt;br /&gt;
&amp;lt;br&amp;gt;&amp;lt;u&amp;gt;Speaker Bio&amp;lt;/u&amp;gt; &lt;br /&gt;
&lt;br /&gt;
Ofer Maor is a security expert and entrepreneur with over 20 years of experience in information and application security. Ofer has been involved in application security from its early days, through research, penetration testing, consulting, and product development.  As the founder and CTO of Seeker, Ofer pioneered IAST, the next generation of application security testing technology, currently used by some of the largest organizations in the world to continuously improve their software security. Ofer joined Synopsys when it acquired Seeker in July 2015. Prior to Seeker, Ofer was the Founder and CTO of Hacktics. He led Imperva's Application Defense Center research group and has also served as the Chairman of OWASP Israel and in the OWASP Global Membership Committee.&lt;br /&gt;
&lt;br /&gt;
&amp;lt;br&amp;gt;&amp;lt;u&amp;gt;Technical Level:&amp;lt;/u&amp;gt; Intermediate&lt;br /&gt;
&amp;lt;br&amp;gt;&amp;lt;u&amp;gt;Language:&amp;lt;/u&amp;gt; Hebrew&lt;br /&gt;
&lt;br /&gt;
&amp;lt;br&amp;gt;&lt;br /&gt;
&lt;br /&gt;
=== The Dark Side of Search Engine Optimization ===&lt;br /&gt;
'''The dark side of website promotion in search engines''' &amp;lt;br /&amp;gt;&lt;br /&gt;
''''' Or Katz, Principal Security Researcher, Akamai  '''''    &amp;lt;br /&amp;gt;&lt;br /&gt;
([[Media:AppSecIL2016_DarkSideSearchEngineOptimizations_OrKatz.pdf|download presentation]])&lt;br /&gt;
&lt;br /&gt;
Search engine optimization (SEO) is a technique used by web site owners in order to improve visibility and traffic to their web site. Legitimate SEO activity will use optimization techniques such as: changing structure and textual usage of the web site pages, publication in social media and web forums that will refer relevant users.&lt;br /&gt;
&lt;br /&gt;
The ultimate goal of an SEO campaign is to promote web site ranking in the leading search engines, having the promoted web site returned in the primary result page once searching for relevant terms and keywords.&lt;br /&gt;
&lt;br /&gt;
In the presentation I’m going to present what happens when threat actors get into the world of SEO campaigns, abuse SEO optimization techniques and, moreover, use all kinds of attack techniques such as SQL injection and open redirects in order to manipulate search engine rankings.&lt;br /&gt;
&lt;br /&gt;
I will also evaluate some of the SEO attacks and the manipulating techniques, try to determine who are the victims in this story, check if these attacks achieved their goal and supply more interesting insights on the world of “Blackhat SEO”.&lt;br /&gt;
&lt;br /&gt;
&amp;lt;br&amp;gt;&amp;lt;u&amp;gt;Speaker Bio&amp;lt;/u&amp;gt; &lt;br /&gt;
&lt;br /&gt;
Or is an application security veteran, with years of experience at industry leading vendors, currently serving as principal security researcher for Akamai's Cloud Security Intelligence platform. Or is a frequent speaker in conferences such as RSA, AppSec and CSA. Or has published several innovative articles and white papers on web applications threat intelligence and defensive techniques.&lt;br /&gt;
&lt;br /&gt;
&amp;lt;br&amp;gt;&amp;lt;u&amp;gt;Technical Level:&amp;lt;/u&amp;gt; Intermediate&lt;br /&gt;
&amp;lt;br&amp;gt;&amp;lt;u&amp;gt;Language:&amp;lt;/u&amp;gt; Hebrew&lt;br /&gt;
&lt;br /&gt;
&amp;lt;br&amp;gt;&lt;br /&gt;
&lt;br /&gt;
=== The Threat of Advanced Cross-Site Search Attacks ===&lt;br /&gt;
'''The threat of advanced Cross-Site Search attacks''' &amp;lt;br /&amp;gt;&lt;br /&gt;
''''' Dr. Nethanel Gelernter, Cyberpion &amp;amp; The College of Management Academic Studies '''''    &amp;lt;br /&amp;gt;&lt;br /&gt;
([[Media:AppSecIL2016_AdvancedCrossSiteSearch_NethanelGelernter.pdf|download presentation]])&lt;br /&gt;
&lt;br /&gt;
Cross-site search (XS-search) is a practical timing side-channel attack that allows the extraction of sensitive information from web-services. The attack exploits inflation techniques to efficiently distinguish between search requests that yield results and requests that do not. This work focuses on the response inflation technique that increases the size of the response; as the difference in the sizes of the responses increases, it becomes easier to distinguish between them. We begin with the browser-based XS-search attack and demonstrate its use in extracting users' private data from Gmail and Facebook. The browser-based XS-search attack exploits the differences in the sizes of HTTP responses, and works even when significant inflation of the response is impossible. This part also involves algorithmic improvements compared to previous work. When there is no leakage of information via the timing side channel it is possible to use second-order (SO) XS-search, a novel type of attack that allows the attacker to significantly increase the difference in the sizes of the responses by planting a maliciously crafted record into the storage. SO XS-search attacks can be used to extract sensitive information such as email content of Gmail and Yahoo! users, and search history of Bing users.&lt;br /&gt;
&lt;br /&gt;
&amp;lt;br&amp;gt;&amp;lt;u&amp;gt;Speaker Bio&amp;lt;/u&amp;gt; &lt;br /&gt;
&lt;br /&gt;
Nethanel Gelernter received a PhD in Computer Science from Bar-Ilan University (Israel). His research mainly focuses on web application security, and in particular in exploring new attack vectors and threats in the web. Currently, he is leading the cyber security research and studies in the College of Management Academic Studies in Israel. Beyond the academic world, Nethanel provides consulting services, and he recently founded Cyberpion, a company that investigates unknown attack vectors and develops countermeasures against them.&lt;br /&gt;
&lt;br /&gt;
&amp;lt;br&amp;gt;&amp;lt;u&amp;gt;Technical Level:&amp;lt;/u&amp;gt; Advanced&lt;br /&gt;
&amp;lt;br&amp;gt;&amp;lt;u&amp;gt;Language:&amp;lt;/u&amp;gt; Hebrew&lt;br /&gt;
&lt;br /&gt;
&amp;lt;br&amp;gt;&lt;br /&gt;
&lt;br /&gt;
=== The Unwanted Sons - Formalizing and Demonstrating WAF Bypass Methods for the REST of the Top 10 ===&lt;br /&gt;
'''Unwanted descendants - formalizing new WAF bypass techniques for the rest of the common OWASP TOP 10 attacks''' &amp;lt;br /&amp;gt;&lt;br /&gt;
''''' Shay Chen, CEO, Effective Security '''''    &amp;lt;br /&amp;gt;&lt;br /&gt;
The once uncommon application-level protection mechanisms are EVERYWHERE these days, and sooner or later, you'll have to face them.&lt;br /&gt;
&lt;br /&gt;
Web Application Firewalls (WAF) and Intrusion Detection Systems (IDS), Filters and RASP Modules, all common and widespread countermeasures you have to face on a regular basis, with the power to turn a typical assessment into a nightmare, and make automated tools practically useless.&lt;br /&gt;
&lt;br /&gt;
While the attack vectors are well covered in CWE, CAPEC, TECAPI RvR, WASC, OWASP Top 10 and Testing Guide, all you have to cover evasion techniques is a couple of cheat sheets focused on a limited set of attacks.&lt;br /&gt;
&lt;br /&gt;
Sure, there are numerous XSS and SQL Injection evasion cheat sheets, but what about Path Traversal, Remote File Inclusion, OS Command Injection? What about Forced Browsing? What about other attacks?&lt;br /&gt;
&lt;br /&gt;
Formalizing evasion techniques and methods for the REST of the common attack vectors makes a LOT of sense, for manual pen-testing and automated tools - and THIS is phase one, aimed to cover the rest of the unattended top 10.&lt;br /&gt;
&lt;br /&gt;
&amp;lt;br&amp;gt;&amp;lt;u&amp;gt;Speaker Bio&amp;lt;/u&amp;gt; &lt;br /&gt;
&lt;br /&gt;
Shay Chen is the CEO of Effective Security, an information-security boutique company specializing in information security assessments and in automating security processes of vulnerability management and SDLC. &lt;br /&gt;
&lt;br /&gt;
He has over twelve years in information technology and security, a strong background in software development, and a stream of previously published vulnerabilities, attack vectors, benchmarks and hacking methodologies. &lt;br /&gt;
&lt;br /&gt;
Shay is an experienced speaker, and regularly instructs a wide variety of security related courses in Conferences and Enterprises. Before moving into the information security field, he was involved in various software development projects in ERP, mobile &amp;amp; enterprise environments.&lt;br /&gt;
&lt;br /&gt;
&amp;lt;br&amp;gt;&amp;lt;u&amp;gt;Technical Level:&amp;lt;/u&amp;gt; Intermediate / Advanced&lt;br /&gt;
&amp;lt;br&amp;gt;&amp;lt;u&amp;gt;Language:&amp;lt;/u&amp;gt; Hebrew&lt;br /&gt;
&lt;br /&gt;
&amp;lt;br&amp;gt;&lt;br /&gt;
&lt;br /&gt;
=== The Ways Hackers Are Taking To Win The Mobile Malware Battle ===&lt;br /&gt;
''''' Yair Amit, CTO &amp;amp; Co-founder, Skycure '''''    &amp;lt;br /&amp;gt;&lt;br /&gt;
([[Media:AppSecIL2016_WhyHackersAreWinningMobileMalwareBattle-YairAmit.pdf|download presentation]])&lt;br /&gt;
&lt;br /&gt;
In the proverbial game of cat-and-mouse between endpoint security vendors and malware writers, malware attacks have recently grown more sophisticated. More enterprises are losing ground to hackers, who are able to outmaneuver static and runtime solutions by constantly changing their attack strategies. The team that uncovered iOS malicious profiles, WiFiGate, HTTP Request Hijacking, No iOS Zone and Invisible Profiles are taking it upon themselves to coach developers and organizations on how to regain control, and turn the tables on the hackers behind next-generation mobile malware. &lt;br /&gt;
&lt;br /&gt;
In his presentation, Yair will discuss cutting-edge techniques used by malware writers to circumvent mobile security paradigms such as app-sandboxing and containers. Mr. Amit will then break down the current set of techniques (signatures, static analysis &amp;amp; dynamic analysis) used to identify malware on mobile devices, and identify the pros and cons of these approaches. He will also explain why attackers constantly succeed in fooling these technologies, and explore the problem of false positive/false negative tradeoffs in such solutions. &lt;br /&gt;
&lt;br /&gt;
During a live, interactive demo, Yair will create a mobile malware on stage, meant to be undetected by static and runtime analysis technologies.&lt;br /&gt;
&lt;br /&gt;
&amp;lt;br&amp;gt;&amp;lt;u&amp;gt;Speaker Bio&amp;lt;/u&amp;gt; &lt;br /&gt;
&lt;br /&gt;
Yair Amit is co-founder and CTO at Skycure, leading the company’s research and vision and overseeing its R&amp;amp;D center. Yair has been active in the security industry for more than a decade with his research regularly covered by media outlets and presented in security conferences around the world. Prior to co-founding Skycure, Yair managed the Application Security and Research Group at IBM, joining through the acquisition of Watchfire. At IBM, Yair led the research and implementation of IBM’s next-generation application security technology. Yair holds a BSc, summa cum laude, from Tel Aviv University in bioinformatics.&lt;br /&gt;
&lt;br /&gt;
&amp;lt;br&amp;gt;&amp;lt;u&amp;gt;Technical Level:&amp;lt;/u&amp;gt; Intermediate / Advanced&lt;br /&gt;
&amp;lt;br&amp;gt;&amp;lt;u&amp;gt;Language:&amp;lt;/u&amp;gt; Hebrew&lt;br /&gt;
&lt;br /&gt;
&amp;lt;br&amp;gt;&lt;/div&gt;</summary>
		<author><name>Avi Douglen</name></author>	</entry>

	<entry>
		<id>https://wiki.owasp.org/index.php?title=File:AppSecIL2016_DarkSideSearchEngineOptimizations_OrKatz.pdf&amp;diff=222020</id>
		<title>File:AppSecIL2016 DarkSideSearchEngineOptimizations OrKatz.pdf</title>
		<link rel="alternate" type="text/html" href="https://wiki.owasp.org/index.php?title=File:AppSecIL2016_DarkSideSearchEngineOptimizations_OrKatz.pdf&amp;diff=222020"/>
				<updated>2016-10-02T08:15:21Z</updated>
		
		<summary type="html">&lt;p&gt;Avi Douglen: &lt;/p&gt;
&lt;hr /&gt;
&lt;div&gt;&lt;/div&gt;</summary>
		<author><name>Avi Douglen</name></author>	</entry>

	<entry>
		<id>https://wiki.owasp.org/index.php?title=AppSec_Israel_2016_Presentations&amp;diff=221896</id>
		<title>AppSec Israel 2016 Presentations</title>
		<link rel="alternate" type="text/html" href="https://wiki.owasp.org/index.php?title=AppSec_Israel_2016_Presentations&amp;diff=221896"/>
				<updated>2016-09-29T08:29:20Z</updated>
		
		<summary type="html">&lt;p&gt;Avi Douglen: added more slidedecks&lt;/p&gt;
&lt;hr /&gt;
&lt;div&gt;&lt;br /&gt;
Full descriptions of all the talks at [[AppSec_Israel_2016|AppSec Israel 2016]] are below, together with each of the speakers' biographies. &lt;br /&gt;
&lt;br /&gt;
The [https://appsecil2016.sched.org/ full schedule can be found and subscribed to here].&lt;br /&gt;
&lt;br /&gt;
Pictures from the event [https://drive.google.com/drive/folders/0B0_K8tApcXxmVzBkcDNFUmt5S0U can be found here].&lt;br /&gt;
&lt;br /&gt;
__TOC__ &lt;br /&gt;
&lt;br /&gt;
The AppSec Israel conference is proudly being sponsored by: &lt;br /&gt;
{{Template:AppSec_Israel_2016_Sponsors}}&lt;br /&gt;
&lt;br /&gt;
== Technical Tracks ==&lt;br /&gt;
&lt;br /&gt;
=== Bot Extension - Abusing Google Chrome Extensions for Bot Attacks ===&lt;br /&gt;
'''תוספי בוט - שימוש בתוספי כרום למטרת התקפות בוטים'''  &amp;lt;br /&amp;gt;&lt;br /&gt;
''''' Tomer Cohen, Head of R&amp;amp;D security, Wix.com '''''    &amp;lt;br /&amp;gt;&lt;br /&gt;
Chrome extensions have opened a variety of opportunities for users as well as developers, expanding the limits of what we've known as the browsing experience. Attackers have also spotted the wide usage of such extensions, and abuse people's trust in the Chrome Web Store to distribute malicious extensions. This allows them to run web-based bot attacks straight from victims' browsers, including DDoS campaigns and cross-site requests resulting in impersonation of users in third-party websites.&lt;br /&gt;
&lt;br /&gt;
Furthermore, the detection of such a bot attack by a third party is more complex than in regular distributed attacks, since real humans actually use the Chrome tab abused to attack the victim third party.&lt;br /&gt;
&lt;br /&gt;
The lecture will include an intro on Chrome Extension architecture followed by techniques to abuse this architecture in order to run bot attacks, as well as distribute malicious extensions to big crowds of victims.&lt;br /&gt;
&lt;br /&gt;
&amp;lt;br&amp;gt;&amp;lt;u&amp;gt;Speaker Bio&amp;lt;/u&amp;gt; &lt;br /&gt;
&lt;br /&gt;
Tomer has worked as a security consultant in several places and is one of the founders of the Magshimim Cyber Training Program.&lt;br /&gt;
&lt;br /&gt;
&amp;lt;br&amp;gt;&amp;lt;u&amp;gt;Technical Level:&amp;lt;/u&amp;gt; Intermediate / Advanced&lt;br /&gt;
&amp;lt;br&amp;gt;&amp;lt;u&amp;gt;Language:&amp;lt;/u&amp;gt; Hebrew&lt;br /&gt;
&lt;br /&gt;
&amp;lt;br&amp;gt;&lt;br /&gt;
&lt;br /&gt;
=== Could a few lines of code &amp;lt;F!#ck&amp;gt; it all up?? ===&lt;br /&gt;
''''' Amit Ashbel, Director of Product Marketing &amp;amp; Cyber Security Evangelist, Checkmarx '''''    &amp;lt;br /&amp;gt;&lt;br /&gt;
''''' Erez Yalon, Application Security Lead, Checkmarx '''''    &amp;lt;br /&amp;gt;&lt;br /&gt;
([[Media:AppSecIL2016_AFewLinesOfCode-JS_AmitAshbel-ErezYalon.pptx|download presentation]])&lt;br /&gt;
&lt;br /&gt;
March 2016. An anonymous open source developer decides to remove his code (left-pad) from a public repository.&lt;br /&gt;
&lt;br /&gt;
Shortly thereafter, several large organizations felt the impact of his actions. Facebook, AirBnB and others experienced errors impacting the functionality of their services. Packages using “left-pad” wouldn’t properly execute.&lt;br /&gt;
&lt;br /&gt;
Today, we embrace both the open source community and the growth of open source projects, modules and packages but... Dependencies and recursive dependencies might become a risk or even a new attack vector which we didn’t foresee. &lt;br /&gt;
&lt;br /&gt;
Could there be other cases of common and popular open source packages depending on open source modules that might not be there tomorrow or, even worse, could they be maliciously modified?&lt;br /&gt;
&lt;br /&gt;
Join us for an insightful session that will reveal our research on this topic where you will learn:&lt;br /&gt;
* Which common open source packages might not be there tomorrow and how this can affect you?&lt;br /&gt;
* How packages you use could be maliciously modified, and the impact on your app&lt;br /&gt;
* The risks introduced by hybrid application development&lt;br /&gt;
* How intertwined and complex dependencies have become&lt;br /&gt;
&lt;br /&gt;
&amp;lt;br&amp;gt;&amp;lt;u&amp;gt;Speaker Bio&amp;lt;/u&amp;gt; &lt;br /&gt;
&lt;br /&gt;
Amit has been with the security community for more than a decade where he has taken on multiple tasks and responsibilities, including technical and Senior Product lead positions. Amit adds valuable product knowledge including experience with a wide range of security platforms and familiarity with emerging threats. Amit also speaks at high profile events and conferences such as BlackHat, Defcon, OWASP and others.&lt;br /&gt;
&lt;br /&gt;
&amp;lt;br&amp;gt;&amp;lt;u&amp;gt;Speaker Bio&amp;lt;/u&amp;gt; &lt;br /&gt;
&lt;br /&gt;
Erez Yalon heads the security research group at Checkmarx. With vast defender and attacker experience and as an independent security researcher, he brings invaluable knowledge and skills to the table. Erez is responsible for maintaining Checkmarx’s top notch vulnerability detection technology where his previous development experience with a variety of coding languages comes into play.&lt;br /&gt;
&lt;br /&gt;
&amp;lt;br&amp;gt;&amp;lt;u&amp;gt;Technical Level:&amp;lt;/u&amp;gt; Introduction&lt;br /&gt;
&amp;lt;br&amp;gt;&amp;lt;u&amp;gt;Language:&amp;lt;/u&amp;gt; Hebrew&lt;br /&gt;
&lt;br /&gt;
&amp;lt;br&amp;gt;&lt;br /&gt;
&lt;br /&gt;
=== Crippling HTTPS with unholy PAC ===&lt;br /&gt;
'''איך להרוס HTTPS עם PAC&amp;quot;ל חבלה''' &amp;lt;br /&amp;gt;&lt;br /&gt;
''''' Amit Klein, VP Security Research, SafeBreach '''''    &amp;lt;br /&amp;gt;&lt;br /&gt;
([[Media:AppSecIL2016_CripplingHTTPSwithUnholyPAC_AmitKlein.pdf|download presentation]])&lt;br /&gt;
&lt;br /&gt;
You're in a potentially malicious network (free WiFi, guest network, or maybe your own corporate LAN). You're a security conscious netizen so you restrict yourself to HTTPS (browsing to HSTS sites and/or using a &amp;quot;Force TLS/SSL&amp;quot; browser extension). All your traffic is protected from the first byte. Or is it?&lt;br /&gt;
&lt;br /&gt;
We will demonstrate that, by forcing your browser/system to use a malicious PAC (Proxy AutoConfiguration) resource, it is possible to leak HTTPS URLs. We will explain how this affects the privacy of the user and how credentials/sessions can be stolen. We will present the concept of &amp;quot;PAC Malware&amp;quot; (malware which is implemented only as JavaScript logic in a PAC resource) that features: a 2-way communication channel between the PAC malware and an external server, contextual phishing via messages, denial-of-service options, and sensitive data extraction from URIs. We present a comprehensive browser PAC feature matrix and elaborate more about this cross-platform (Linux, Windows, Mac) and cross-browser (IE, Chrome, Safari) threat.&lt;br /&gt;
&lt;br /&gt;
&amp;lt;br&amp;gt;&amp;lt;u&amp;gt;Speaker Bio&amp;lt;/u&amp;gt; &lt;br /&gt;
&lt;br /&gt;
Amit Klein is a world renowned information security expert, with 25 years in information security and over 30 published technical papers on this topic. Amit is VP Security Research at SafeBreach, responsible for researching various infiltration, exfiltration and lateral movement attacks. Before SafeBreach, Amit was CTO for Trusteer (acquired by IBM) for 8.5 years. Prior to Trusteer, Amit was chief scientist for Cyota (acquired by RSA) for 2 years, and prior to that, director of Security and Research for Sanctum (acquired by Watchfire, now part of IBM security division) for 7 years. Amit has a B.Sc. from the Hebrew University (magna cum laude, Talpiot program), recognized by InfoWorld as a CTO of the year 2010, and has presented at HITB, RSA, OWASP, CertConf, BlueHat, CyberTech, APWG and AusCERT.&lt;br /&gt;
&lt;br /&gt;
&amp;lt;br&amp;gt;&amp;lt;u&amp;gt;Technical Level:&amp;lt;/u&amp;gt; Intermediate&lt;br /&gt;
&amp;lt;br&amp;gt;&amp;lt;u&amp;gt;Language:&amp;lt;/u&amp;gt; Hebrew&lt;br /&gt;
&lt;br /&gt;
&amp;lt;br&amp;gt;&lt;br /&gt;
&lt;br /&gt;
=== Don't Feed the Hippos! ===&lt;br /&gt;
''''' Martin Knobloch, Principal Consultant, Nixu '''''    &amp;lt;br /&amp;gt;&lt;br /&gt;
([[Media:AppSecIL2016_DontFeedTheHippos_MartinKnobloch.pdf|download presentation]])&lt;br /&gt;
&lt;br /&gt;
The security community has been trying to solve insecurity caused by bugs and flaws in software for many years now, but with what success? &lt;br /&gt;
&lt;br /&gt;
We almost never look at the successes and failures experienced in other areas, but we could really learn from them. This talk is inspired by Ernesto Sirolli’s TED talk “Want to help someone? Shut up and listen!” about failures in aid programs around the world. Listening to Ernesto Sirolli, you cannot miss the similarity with the security community trying to tell developers how to write secure code. This talk points out common failures of the security community when communicating with developers, trying to solve their problems without understanding what their problems really are. &lt;br /&gt;
&lt;br /&gt;
Using the hippo analogy for security failures, the talk identifies those ‘(in-)secure hippos’ and provides advice on how to avoid them, through anecdotes and best practices from the experience of the past 10 years in the security field as a consultant.&lt;br /&gt;
&lt;br /&gt;
&amp;lt;br&amp;gt;&amp;lt;u&amp;gt;Speaker Bio&amp;lt;/u&amp;gt; &lt;br /&gt;
&lt;br /&gt;
Martin is Principal Consultant at Nixu BeNeLux (https://www.nixu.com/en/nixubenelux). His main working area is (software) security in general, from awareness to implementation. In his daily work, he is responsible for education in application security matters, and for advice on and implementation of application security measures.&lt;br /&gt;
&lt;br /&gt;
With his background in Java Development, he understands the complexity of Enterprise software development, Agile Scrum environments and continuous delivery / deployment. &lt;br /&gt;
&lt;br /&gt;
Martin got involved in OWASP in 2006. He became a member of the OWASP Netherland Chapter board in 2007. He has contributed to several OWASP projects and has been co-organizer of the OWASP BeNeLux-Day conference since 2008. Martin was chair of the Global Education Committee from 2008 until the ending of the Global Committees. &lt;br /&gt;
&lt;br /&gt;
Further, Martin is the conference chair of the OWASP AppSec-Eu/Research 2015 conference in Amsterdam, the Netherlands, and is involved in AppSec-Eu 2016, among other activities, as CfT Co-Chair. &lt;br /&gt;
&lt;br /&gt;
Martin is a frequent speaker at universities, hacker spaces and various conferences. &lt;br /&gt;
&lt;br /&gt;
&amp;lt;br&amp;gt;&amp;lt;u&amp;gt;Technical Level:&amp;lt;/u&amp;gt; Intermediate / Advanced&lt;br /&gt;
&amp;lt;br&amp;gt;&amp;lt;u&amp;gt;Language:&amp;lt;/u&amp;gt; English&lt;br /&gt;
&lt;br /&gt;
&amp;lt;br&amp;gt;&lt;br /&gt;
&lt;br /&gt;
=== Hacking HTTP/2 - New attacks on the Internet’s Next Generation Foundation ===&lt;br /&gt;
''''' Nadav Avital, Application Security Research Team Leader, Imperva '''''    &amp;lt;br /&amp;gt;&lt;br /&gt;
''''' Noam Mazor, Security Research Engineer, Imperva '''''    &amp;lt;br /&amp;gt;&lt;br /&gt;
HTTP/2 is the emerging network protocol for the Internet, facilitating leaner and faster web browsing by introducing several new mechanisms which can be seen as a single transition layer for web traffic. The adoption of HTTP/2 is lightning fast, and even though only a year has passed since its publication, HTTP/2 is already supported by all significant players in the field including browsers, web servers and Content Delivery Networks. &lt;br /&gt;
&lt;br /&gt;
In the presentation we will give an overview of the HTTP/2 attack surface - stream multiplexing, flow control, HPACK compression and server push, with a focus on how the way HTTP/2 servers implement these mechanisms can make or break your security posture. We will continue by presenting new classes of vulnerabilities that have been introduced by the mechanisms used with HTTP/2, and explaining how these vulnerabilities can be used for mounting effective attacks against web servers like Apache, IIS, Nginx, Jetty and nghttp. We will explain in detail several serious zero-day vulnerabilities, such as CVE-2016-1546, CVE-2016-0150 and CVE-2016-1544, and end by discussing several approaches for mitigating attacks of these types. &lt;br /&gt;
&lt;br /&gt;
Those attending this session will understand that:&lt;br /&gt;
* As an emerging technology that introduces novel and flexible mechanisms, HTTP/2 also induces new risks. &lt;br /&gt;
* HTTP/2 implementations are still not “security mature.” Therefore it is almost certain that scrutiny of HTTP/2 implementations will increase in coming years, resulting in the discovery of new vulnerabilities, exploits and security patches.  With HTTP/2 gaining more popularity, this trend will intensify. &lt;br /&gt;
* An effective security strategy for newly adopted technologies must rely on supplemental solutions rather than patching&lt;br /&gt;
&lt;br /&gt;
&amp;lt;br&amp;gt;&amp;lt;u&amp;gt;Speaker Bio&amp;lt;/u&amp;gt; &lt;br /&gt;
&lt;br /&gt;
Nadav Avital is an expert in Web Application Security. He leads an Imperva team that captures and analyzes hacking activities and then creates mitigation strategies. These efforts result in research for new technologies and protocols. Nadav has more than 10 years of industry experience in coding and creating security tools. He holds a B.Sc. in Computer Science.&lt;br /&gt;
&lt;br /&gt;
&amp;lt;br&amp;gt;&amp;lt;u&amp;gt;Speaker Bio&amp;lt;/u&amp;gt; &lt;br /&gt;
&lt;br /&gt;
Noam Mazor worked at Imperva as a security research engineer in the Web Application Security team. Noam has experience in analyzing hacking activities, creating mitigations and researching vulnerabilities. He holds a BSc in Computer Science and is currently an MSc student at Tel Aviv University.&lt;br /&gt;
&lt;br /&gt;
&amp;lt;br&amp;gt;&amp;lt;u&amp;gt;Technical Level:&amp;lt;/u&amp;gt; Intermediate&lt;br /&gt;
&amp;lt;br&amp;gt;&amp;lt;u&amp;gt;Language:&amp;lt;/u&amp;gt; Hebrew&lt;br /&gt;
&lt;br /&gt;
&amp;lt;br&amp;gt;&lt;br /&gt;
&lt;br /&gt;
=== Hacking The IoT (Internet of Things) - PenTesting RF Operated Devices ===&lt;br /&gt;
'''האקינג של מערכות IoT מבוססות RF''' &amp;lt;br /&amp;gt;&lt;br /&gt;
''''' Erez Metula, Application Security Expert, AppSec Labs (Founder) '''''    &amp;lt;br /&amp;gt;&lt;br /&gt;
([[Media:AppSecIL2016_HackingTheIoT-PenTestingRFDevices_ErezMetula.pdf|download presentation]])&lt;br /&gt;
&lt;br /&gt;
We often encounter IoT (Internet of Things) systems during our work as penetration testers and security consultants. We know how to assess the security of the server side API, the associated mobile apps, the web apps and so on - but what about the device itself (the &amp;quot;thing&amp;quot;)? Moreover, what happens if the device is not using traditional HTTP/S requests, or does not even &amp;quot;speak&amp;quot; plain old TCP/IP?&lt;br /&gt;
&lt;br /&gt;
During this talk, we'll go over the obstacles we have to face when analyzing unknown, custom RF based communication that drives the target IoT system we're pentesting. We'll talk about and see in action tools that will allow us to capture RF traffic, analyze it, brute force it, replay it, and of course forge it. It's like plain old appsec hacking tricks, but at the RF level. So let's hack some physical things belonging to the real world!&lt;br /&gt;
&lt;br /&gt;
&amp;lt;br&amp;gt;&amp;lt;u&amp;gt;Speaker Bio&amp;lt;/u&amp;gt; &lt;br /&gt;
&lt;br /&gt;
Erez Metula is the founder and Chairman of AppSec Labs, a leading company in the field of application security.&lt;br /&gt;
&lt;br /&gt;
He is the author of the book &amp;quot;Managed Code Rootkits&amp;quot;, and is a world renowned application security expert.&lt;br /&gt;
&lt;br /&gt;
Erez has extensive hands-on experience performing security assessments, code reviews and secure development trainings for worldwide organizations, and has previously spoken at international security conferences such as BlackHat, Defcon, OWASP, RSA, SOURCE, CanSecWest and more. Erez has helped companies of all sizes, from startups to Fortune 500 organizations. &lt;br /&gt;
&lt;br /&gt;
Erez focuses on advanced application security topics and has performed extensive ground breaking research on mobile application security. &lt;br /&gt;
&lt;br /&gt;
Erez holds an MSc in computer science and is a CISSP.&lt;br /&gt;
&lt;br /&gt;
&amp;lt;br&amp;gt;&amp;lt;u&amp;gt;Technical Level:&amp;lt;/u&amp;gt; Advanced&lt;br /&gt;
&amp;lt;br&amp;gt;&amp;lt;u&amp;gt;Language:&amp;lt;/u&amp;gt; Hebrew&lt;br /&gt;
&lt;br /&gt;
&amp;lt;br&amp;gt;&lt;br /&gt;
&lt;br /&gt;
=== Integrating Security in Agile projects   (real case study) ===&lt;br /&gt;
''''' Elena Kravchenko, ADM BU Security Lead, Security &amp;amp; Trust Office, HPE Software '''''    &amp;lt;br /&amp;gt;&lt;br /&gt;
''''' Efrat Wasserman, ADM Senior Program manager, SRL, HPE Software ''''' &amp;lt;br/&amp;gt;&lt;br /&gt;
([[Media:AppSecIL2016_IntegratingSecurityInAgile_ElenaKravchenko-EfratWasserman.pptx|download presentation]])&lt;br /&gt;
&lt;br /&gt;
There are many different security development lifecycle (SDLC) frameworks in the modern world. However, a fully implemented SDLC program is often represented as heavy, time-consuming and not suitable for Agile development methodology. We’d like to break the myth and show, using a real case example, how a very comprehensive security program, managed by a dedicated security office, can be successfully integrated into an agile development project.  &lt;br /&gt;
&lt;br /&gt;
We’ll briefly describe the main challenges, and the techniques and procedures that help to overcome them. We’ll present the Security Lifecycle Management (SLM) Framework developed and used in HPE SW in the last three years, and describe how it was integrated into the development of a new SaaS-based, fully agile-developed product, with emphasis on the main activities and roles. As a part of the presentation we would like to highlight the importance of proper program management and the role of the PMO, and how it became a key success factor in the effective security program implementation.&lt;br /&gt;
&lt;br /&gt;
&amp;lt;br&amp;gt;&amp;lt;u&amp;gt;Speaker Bio&amp;lt;/u&amp;gt; &lt;br /&gt;
&lt;br /&gt;
Elena has an MSc in Applied Mathematics from Leningrad State University, and over 25 years of software engineering experience in different roles, including Software Design Engineer, Technical Lead, Customer Oriented Development Engineer, and Software System Architect.&lt;br /&gt;
&lt;br /&gt;
She is currently part of the HPE Software ITOM and ADM Security and Trust Office as the Security Lead for HPE’s Application Delivery Management (ADM) Business Unit.&lt;br /&gt;
&lt;br /&gt;
&amp;lt;br&amp;gt;&amp;lt;u&amp;gt;Speaker Bio&amp;lt;/u&amp;gt; &lt;br /&gt;
&lt;br /&gt;
Efrat has earned a BSc in Computer Science and Mathematics, and an MBA in Business Management and Marketing. She has over 17 years in Software Development, and 9 years as a Program Manager.  &lt;br /&gt;
&lt;br /&gt;
She is currently a Senior Program Manager in HPE SW, responsible for the lifecycle of a SaaS product.&lt;br /&gt;
&lt;br /&gt;
&amp;lt;br&amp;gt;&amp;lt;u&amp;gt;Technical Level:&amp;lt;/u&amp;gt; Intermediate&lt;br /&gt;
&amp;lt;br&amp;gt;&amp;lt;u&amp;gt;Language:&amp;lt;/u&amp;gt; Hebrew&lt;br /&gt;
&lt;br /&gt;
&amp;lt;br&amp;gt;&lt;br /&gt;
&lt;br /&gt;
=== Law and the Israeli Cybersecurity Industry ===&lt;br /&gt;
''''' Eli Greenbaum, Partner, Yigal Arnon &amp;amp; Co. '''''    &amp;lt;br /&amp;gt;&lt;br /&gt;
From an international perspective, Israel provides a unique laboratory for studying the effect of law and regulation on cybersecurity research and development. This presentation will provide an introduction to specific laws and regulations concerning cybersecurity research and ask whether these laws have in actual practice influenced the growth of the cybersecurity ecosystem in Israel. More specifically, how have industry players, including startups, multinationals and the military, reacted to the unique legal framework that Israel provides for cybersecurity activities?&lt;br /&gt;
&lt;br /&gt;
&amp;lt;br&amp;gt;&lt;br /&gt;
&amp;lt;u&amp;gt;Speaker Bio&amp;lt;/u&amp;gt; &lt;br /&gt;
&lt;br /&gt;
Eli Greenbaum is a partner in the law firm of Yigal Arnon &amp;amp; Co., specializing in technology, intellectual property and cybersecurity. He received his Masters degree in Applied Physics from Columbia University and his law degree from Yale Law School. Eli has published widely on the intersection between technology and the law, including in the Harvard Journal of Law and Technology and the Cardozo Law Review. Eli clerked for Justice Miriam Naor of the Supreme Court of Israel and Judge David Cheshin of the District Court of Jerusalem.  &lt;br /&gt;
&lt;br /&gt;
&amp;lt;br /&amp;gt;&amp;lt;u&amp;gt;Technical Level:&amp;lt;/u&amp;gt; Introduction&lt;br /&gt;
&amp;lt;br /&amp;gt;&amp;lt;u&amp;gt;Language:&amp;lt;/u&amp;gt; English&lt;br /&gt;
&lt;br /&gt;
&amp;lt;br&amp;gt;&lt;br /&gt;
&lt;br /&gt;
=== Java Hurdling: Obstacles and Techniques in Java Client Penetration-testing ===&lt;br /&gt;
''''' Tal Melamed, Technical Leader, AppSec Labs '''''    &amp;lt;br /&amp;gt;&lt;br /&gt;
([[Media:AppSecIL2016_JavaHurdling_TalMelamed.pdf|download presentation]])&lt;br /&gt;
&lt;br /&gt;
Testing Java client applications is not always as straightforward as testing web applications. Even under experienced hands, there might be obstacles coming your way; what if you cannot use a proxy? How do you MitM? What if you just can't? How do you modify the app to your benefit?&lt;br /&gt;
&lt;br /&gt;
Fortunately, Java is still Java. This lecture is based on a true story, and will follow an interesting case of pen-testing a known product; what tools and techniques can be used in order to jump over hurdles, all the way to the finish line.&lt;br /&gt;
&lt;br /&gt;
The lecture aims to enrich the pentester's toolbox as well as mind, when facing Java client applications; MitM-ing, run-time manipulations and patching the code are only some of the discussed cases.&lt;br /&gt;
&lt;br /&gt;
In addition, a newly developed proxy for intercepting and tampering with TCP communication over TLS/SSL and bypassing certificate-pinning protections, will be introduced during the lecture.&lt;br /&gt;
&lt;br /&gt;
&amp;lt;br&amp;gt;&amp;lt;u&amp;gt;Speaker Bio&amp;lt;/u&amp;gt; &lt;br /&gt;
&lt;br /&gt;
Tal is an Application Security Expert. As AppSec Labs' Technical Leader, he is leading a variety of security projects for Android, iOS, WP, Web and Client applications.&lt;br /&gt;
&lt;br /&gt;
Prior to working at AppSec Labs, Tal has worked at Amdocs, CheckPoint and RSA, having more than a decade of experience in the Information Security field.&lt;br /&gt;
&lt;br /&gt;
Tal is a lead Trainer, a neat developer, and a security dreamer; breaking, building, defending &amp;amp; training since '99.&lt;br /&gt;
&lt;br /&gt;
&amp;lt;br&amp;gt;&amp;lt;u&amp;gt;Technical Level:&amp;lt;/u&amp;gt; Intermediate / Advanced&lt;br /&gt;
&amp;lt;br&amp;gt;&amp;lt;u&amp;gt;Language:&amp;lt;/u&amp;gt; Hebrew&lt;br /&gt;
&lt;br /&gt;
&amp;lt;br&amp;gt;&lt;br /&gt;
&lt;br /&gt;
=== NodeJS Security Done Right - The tips and tricks they won’t teach you in school ===&lt;br /&gt;
''''' Liran Tal, R&amp;amp;D Team Leader, Hewlett Packard Enterprise '''''    &amp;lt;br /&amp;gt;&lt;br /&gt;
([[Media:AppSecIL2016_NodeJS-Security_LiranTal.pdf|download presentation]])&lt;br /&gt;
&lt;br /&gt;
NodeJS, and JavaScript at large, are quickly taking over software, whether judged by GitHub’s statistics for project growth, the IoT industry, or ChatOps projects written in JavaScript, and enterprise adoption is growing as well.&lt;br /&gt;
&lt;br /&gt;
With this trend, it is imperative to review OWASP security practices and learn how to harden NodeJS Web Applications.&lt;br /&gt;
&lt;br /&gt;
We will begin with a quick NodeJS intro and a few fail stories of how things can go wrong.&lt;br /&gt;
&lt;br /&gt;
We will quickly dive into a hands-on practical implementation of security measures to adopt in your current or future NodeJS project. Next I will show how to leverage widely adopted security tools for integration in the build and CI/CD process to audit and test for security vulnerabilities, as well as leveraging successful enterprise-level open source npm libraries to enhance your web application’s security.&lt;br /&gt;
&lt;br /&gt;
In summary, in this session I will demonstrate:&lt;br /&gt;
* Securing ExpressJS by adopting mature and commonly used npm libraries&lt;br /&gt;
* Secure code guidelines for JavaScript software developers&lt;br /&gt;
* Integrating NodeJS security measures as part of your build CI/CD DevOps process&lt;br /&gt;
&lt;br /&gt;
To empower others and make a lasting impression for Open Source awareness and Security involvement, in the closing minutes of this presentation I will ask a volunteer from the audience to commit a Pull-Request that enhances security for a NodeJS project on GitHub.&lt;br /&gt;
&lt;br /&gt;
&amp;lt;br&amp;gt;&amp;lt;u&amp;gt;Speaker Bio&amp;lt;/u&amp;gt; &lt;br /&gt;
&lt;br /&gt;
Liran is a top contributor to the open source MEAN.io, and core team member of the MEAN.js full stack JavaScript framework. He is also an author of several Node.js npm packages, as well as actively contributing to many open source projects on GitHub. Being an avid supporter and contributor to the open source movement, in 2007 he redefined network RADIUS management by establishing daloRADIUS, a world-recognized and industry-leading open source project (http://www.daloradius.com).&lt;br /&gt;
 &lt;br /&gt;
Liran is currently leading the R&amp;amp;D Engineering team for Hewlett Packard Enterprise content Marketplace, built on a microservices architecture for a combined technology stack of Java, NodeJS, AngularJS, MongoDB and MySQL. He loves mentoring and empowering team members, driving for better code methodology, and seeking out innovative solutions to support business strategies.&lt;br /&gt;
 &lt;br /&gt;
He enjoys spending his time with his beloved wife Tal, and his son Ori. Amongst other things, his hobbies include playing the guitar, hacking all things Linux and continuously experimenting and contributing to open source projects.&lt;br /&gt;
&lt;br /&gt;
&amp;lt;br&amp;gt;&amp;lt;u&amp;gt;Technical Level:&amp;lt;/u&amp;gt; Introduction&lt;br /&gt;
&amp;lt;br&amp;gt;&amp;lt;u&amp;gt;Language:&amp;lt;/u&amp;gt; Hebrew&lt;br /&gt;
&lt;br /&gt;
&amp;lt;br&amp;gt;&lt;br /&gt;
&lt;br /&gt;
=== Putting the &amp;quot;I&amp;quot; in Code Review - Turning Code Review Interactive ===&lt;br /&gt;
''''' Tamir Shavro, Seeker R&amp;amp;D Manager, Synopsys '''''    &amp;lt;br /&amp;gt;&lt;br /&gt;
([[Media:AppSecIL2016_InteractiveCodeReview_TamirShavro.pdf|download presentation]])&lt;br /&gt;
&lt;br /&gt;
Everybody knows that manual code review can be a tedious and lengthy effort, with complexity growing exponentially with the size of the code. However, understanding code flow and focusing on relevant parts can become much easier when employing interactive debugging techniques. This allows combining the best of penetration testing and code review benefits to achieve maximum results in the most efficient manner. In this talk we will explain and demonstrate this eye-opening technique for effectively performing a manual code review on a live system using a debugger and provide a quick starter kit for implementing this technique.&lt;br /&gt;
&lt;br /&gt;
&amp;lt;br&amp;gt;&amp;lt;u&amp;gt;Speaker Bio&amp;lt;/u&amp;gt; &lt;br /&gt;
&lt;br /&gt;
Tamir Shavro has been involved both in complex R&amp;amp;D endeavors and in the security field for the past 18 years. As the Chief Architect &amp;amp; VP RnD of Seeker (acquired by Synopsys in 2015), Tamir has been the driving force behind the development of the Seeker technology. &lt;br /&gt;
&lt;br /&gt;
Prior to Seeker he worked as a Senior Security Consultant in Hacktics, where he was involved in advanced application security projects. He was previously a Captain in the IDF Intelligence Corps, involved in various development leadership and architecture roles. &lt;br /&gt;
&lt;br /&gt;
&amp;lt;br&amp;gt;&amp;lt;u&amp;gt;Technical Level:&amp;lt;/u&amp;gt; Advanced&lt;br /&gt;
&amp;lt;br&amp;gt;&amp;lt;u&amp;gt;Language:&amp;lt;/u&amp;gt; Hebrew&lt;br /&gt;
&lt;br /&gt;
&amp;lt;br&amp;gt;&lt;br /&gt;
&lt;br /&gt;
=== Signoff or Sign-Out ===&lt;br /&gt;
''''' Ofer Maor, Director of Security Strategy, Synopsys '''''    &amp;lt;br /&amp;gt;&lt;br /&gt;
Software Signoff is an inevitable step in maturing our software development processes in order to deliver better and safer software. As with other engineering disciplines before, the growing concerns for safety, security and standards are driving the industry to do better. In this talk we will explain what Software Signoff means and why organizations must adopt it before it is too late.&lt;br /&gt;
&lt;br /&gt;
&amp;lt;br&amp;gt;&amp;lt;u&amp;gt;Speaker Bio&amp;lt;/u&amp;gt; &lt;br /&gt;
&lt;br /&gt;
Ofer Maor is a security expert and entrepreneur with over 20 years of experience in information and application security. Ofer has been involved in application security from its early days, through research, penetration testing, consulting, and product development.  As the founder and CTO of Seeker, Ofer pioneered IAST, the next generation of application security testing technology, currently used by some of the largest organizations in the world to continuously improve their software security. Ofer joined Synopsys when it acquired Seeker in July 2015. Prior to Seeker, Ofer was the Founder and CTO of Hacktics. He led Imperva's Application Defense Center research group and has also served as the Chairman of OWASP Israel and in the OWASP Global Membership Committee.&lt;br /&gt;
&lt;br /&gt;
&amp;lt;br&amp;gt;&amp;lt;u&amp;gt;Technical Level:&amp;lt;/u&amp;gt; Intermediate&lt;br /&gt;
&amp;lt;br&amp;gt;&amp;lt;u&amp;gt;Language:&amp;lt;/u&amp;gt; Hebrew&lt;br /&gt;
&lt;br /&gt;
&amp;lt;br&amp;gt;&lt;br /&gt;
&lt;br /&gt;
=== The Dark Side of Search Engine Optimization ===&lt;br /&gt;
'''הצד האפל של קידום אתרים במנועי חיפוש''' &amp;lt;br /&amp;gt;&lt;br /&gt;
''''' Or Katz, Principal Security Researcher, Akamai  '''''    &amp;lt;br /&amp;gt;&lt;br /&gt;
Search engine optimization (SEO) is a technique used by web site owners to improve visibility and traffic to their web site. Legitimate SEO activity uses optimization techniques such as changing the structure and textual usage of the web site's pages, and publication in social media and web forums that will refer relevant users.&lt;br /&gt;
&lt;br /&gt;
The ultimate goal of an SEO campaign is to promote a web site's ranking in the leading search engines, so that the promoted web site is returned on the primary results page when searching for relevant terms and keywords. &lt;br /&gt;
&lt;br /&gt;
In the presentation I’m going to present what happens when threat actors get into the world of SEO campaigns, abuse SEO optimization techniques and, moreover, use all kinds of attack techniques such as SQL injection and open redirects in order to manipulate search engine rankings.&lt;br /&gt;
&lt;br /&gt;
I will also evaluate some of the SEO attacks and the manipulation techniques, try to determine who the victims are in this story, check if these attacks achieved their goal and supply more interesting insights on the world of “Blackhat SEO”.&lt;br /&gt;
&lt;br /&gt;
&amp;lt;br&amp;gt;&amp;lt;u&amp;gt;Speaker Bio&amp;lt;/u&amp;gt; &lt;br /&gt;
&lt;br /&gt;
Or is an application security veteran, with years of experience at industry leading vendors, who currently serves as principal security researcher for Akamai's Cloud Security Intelligence platform. Or is a frequent speaker in conferences such as RSA, AppSec and CSA. Or has published several innovative articles and white papers on web applications threat intelligence and defensive techniques.&lt;br /&gt;
&lt;br /&gt;
&amp;lt;br&amp;gt;&amp;lt;u&amp;gt;Technical Level:&amp;lt;/u&amp;gt; Intermediate&lt;br /&gt;
&amp;lt;br&amp;gt;&amp;lt;u&amp;gt;Language:&amp;lt;/u&amp;gt; Hebrew&lt;br /&gt;
&lt;br /&gt;
&amp;lt;br&amp;gt;&lt;br /&gt;
&lt;br /&gt;
=== The Threat of Advanced Cross-Site Search Attacks ===&lt;br /&gt;
'''האיום של התקפות Cross-Site Search מתקדמות''' &amp;lt;br /&amp;gt;&lt;br /&gt;
''''' Dr. Nethanel Gelernter, Cyberpion &amp;amp; The College of Management Academic Studies '''''    &amp;lt;br /&amp;gt;&lt;br /&gt;
([[Media:AppSecIL2016_AdvancedCrossSiteSearch_NethanelGelernter.pdf|download presentation]])&lt;br /&gt;
&lt;br /&gt;
Cross-site search (XS-search) is a practical timing side-channel attack that allows the extraction of sensitive information from web-services. The attack exploits inflation techniques to efficiently distinguish between search requests that yield results and requests that do not. This work focuses on the response inflation technique that increases the size of the response; as the difference in the sizes of the responses increases, it becomes easier to distinguish between them. We begin with a browser-based XS-search attack and demonstrate its use in extracting users' private data from Gmail and Facebook. The browser-based XS-search attack exploits the differences in the sizes of HTTP responses, and works even when significant inflation of the response is impossible. This part also involves algorithmic improvements compared to previous work. When there is no leakage of information via the timing side channel it is possible to use second-order (SO) XS-search, a novel type of attack that allows the attacker to significantly increase the difference in the sizes of the responses by planting a maliciously crafted record in the storage. SO XS-search attacks can be used to extract sensitive information such as email content of Gmail and Yahoo! users, and search history of Bing users.&lt;br /&gt;
&lt;br /&gt;
&amp;lt;br&amp;gt;&amp;lt;u&amp;gt;Speaker Bio&amp;lt;/u&amp;gt; &lt;br /&gt;
&lt;br /&gt;
Nethanel Gelernter received a PhD in Computer Science from Bar-Ilan University (Israel). His research mainly focuses on web application security, and in particular on exploring new attack vectors and threats on the web. Currently, he is leading the cyber security research and studies in the College of Management Academic Studies in Israel. Beyond the academic world, Nethanel provides consulting services, and he recently founded Cyberpion, a company that investigates unknown attack vectors and develops countermeasures against them.&lt;br /&gt;
&lt;br /&gt;
&amp;lt;br&amp;gt;&amp;lt;u&amp;gt;Technical Level:&amp;lt;/u&amp;gt; Advanced&lt;br /&gt;
&amp;lt;br&amp;gt;&amp;lt;u&amp;gt;Language:&amp;lt;/u&amp;gt; Hebrew&lt;br /&gt;
&lt;br /&gt;
&amp;lt;br&amp;gt;&lt;br /&gt;
&lt;br /&gt;
=== The Unwanted Sons - Formalizing and Demonstrating WAF Bypass Methods for the REST of the Top 10 ===&lt;br /&gt;
'''צאצאים לא רצויים - פירמול לטכניקות חדשות למעקף WAF לשאר ההתקפות הנפוצות של OWASP TOP 10''' &amp;lt;br /&amp;gt;&lt;br /&gt;
''''' Shay Chen, CEO, Effective Security '''''    &amp;lt;br /&amp;gt;&lt;br /&gt;
The once uncommon application-level protection mechanisms are EVERYWHERE these days, and sooner or later, you'll have to face them.&lt;br /&gt;
&lt;br /&gt;
Web Application Firewalls (WAF) and Intrusion Detection Systems (IDS), Filters and RASP Modules, all common and widespread countermeasures you have to face on a regular basis, with the power to turn a typical assessment into a nightmare, and make automated tools practically useless.&lt;br /&gt;
&lt;br /&gt;
While the attack vectors are well covered in CWE, CAPEC, TECAPI RvR, WASC, OWASP Top 10 and Testing Guide, all you have to cover evasion techniques is a couple of cheat sheets focused on a limited set of attacks.&lt;br /&gt;
&lt;br /&gt;
Sure, there are numerous XSS and SQL Injection evasion cheat sheets, but what about Path Traversal, Remote File Inclusion, OS Command Injection? What about Forced Browsing? What about other attacks?&lt;br /&gt;
&lt;br /&gt;
Formalizing evasion techniques and methods for the REST of the common attack vectors makes a LOT of sense, for manual pen-testing and automated tools - and THIS is phase one, aimed to cover the rest of the unattended top 10.&lt;br /&gt;
&lt;br /&gt;
&amp;lt;br&amp;gt;&amp;lt;u&amp;gt;Speaker Bio&amp;lt;/u&amp;gt; &lt;br /&gt;
&lt;br /&gt;
Shay Chen is the CEO of Effective Security, an information-security boutique company specializing in information security assessments and in automating security processes of vulnerability management and SDLC. &lt;br /&gt;
&lt;br /&gt;
He has over twelve years in information technology and security, a strong background in software development, and a stream of previously published vulnerabilities, attack vectors, benchmarks and hacking methodologies. &lt;br /&gt;
&lt;br /&gt;
Shay is an experienced speaker, and regularly instructs a wide variety of security related courses in Conferences and Enterprises. Before moving into the information security field, he was involved in various software development projects in ERP, mobile &amp;amp; enterprise environments.&lt;br /&gt;
&lt;br /&gt;
&amp;lt;br&amp;gt;&amp;lt;u&amp;gt;Technical Level:&amp;lt;/u&amp;gt; Intermediate / Advanced&lt;br /&gt;
&amp;lt;br&amp;gt;&amp;lt;u&amp;gt;Language:&amp;lt;/u&amp;gt; Hebrew&lt;br /&gt;
&lt;br /&gt;
&amp;lt;br&amp;gt;&lt;br /&gt;
&lt;br /&gt;
=== The Ways Hackers Are Taking To Win The Mobile Malware Battle ===&lt;br /&gt;
''''' Yair Amit, CTO &amp;amp; Co-founder, Skycure '''''    &amp;lt;br /&amp;gt;&lt;br /&gt;
([[Media:AppSecIL2016_WhyHackersAreWinningMobileMalwareBattle-YairAmit.pdf|download presentation]])&lt;br /&gt;
&lt;br /&gt;
In the proverbial game of cat-and-mouse between endpoint security vendors and malware writers, malware attacks have recently grown more sophisticated. More enterprises are losing ground to hackers, who are able to outmaneuver static and runtime solutions by constantly changing their attack strategies. The team that uncovered iOS malicious profiles, WiFiGate, HTTP Request Hijacking, No iOS Zone and Invisible Profiles are taking it upon themselves to coach developers and organizations on how to regain control, and turn the tables on the hackers behind next-generation mobile malware. &lt;br /&gt;
&lt;br /&gt;
In his presentation, Yair will discuss cutting-edge techniques used by malware writers to circumvent mobile security paradigms such as app-sandboxing and containers. Mr. Amit will then break down the current set of techniques (signatures, static analysis &amp;amp; dynamic analysis) used to identify malware on mobile devices, and identify the pros and cons of these approaches. He will also explain why attackers constantly succeed in fooling these technologies, and explore the problem of false positive/false negative tradeoffs in such solutions. &lt;br /&gt;
&lt;br /&gt;
During a live, interactive demo, Yair will create a mobile malware on stage, meant to be undetected by static and runtime analysis technologies.&lt;br /&gt;
&lt;br /&gt;
&amp;lt;br&amp;gt;&amp;lt;u&amp;gt;Speaker Bio&amp;lt;/u&amp;gt; &lt;br /&gt;
&lt;br /&gt;
Yair Amit is co-founder and CTO at Skycure, leading the company’s research and vision and overseeing its R&amp;amp;D center. Yair has been active in the security industry for more than a decade with his research regularly covered by media outlets and presented in security conferences around the world. Prior to co-founding Skycure, Yair managed the Application Security and Research Group at IBM, joining through the acquisition of Watchfire. At IBM, Yair led the research and implementation of IBM’s next-generation application security technology. Yair holds a BSc, summa cum laude, from Tel Aviv University in bioinformatics.&lt;br /&gt;
&lt;br /&gt;
&amp;lt;br&amp;gt;&amp;lt;u&amp;gt;Technical Level:&amp;lt;/u&amp;gt; Intermediate / Advanced&lt;br /&gt;
&amp;lt;br&amp;gt;&amp;lt;u&amp;gt;Language:&amp;lt;/u&amp;gt; Hebrew&lt;br /&gt;
&lt;br /&gt;
&amp;lt;br&amp;gt;&lt;/div&gt;</summary>
		<author><name>Avi Douglen</name></author>	</entry>

	<entry>
		<id>https://wiki.owasp.org/index.php?title=File:AppSecIL2016_NodeJS-Security_LiranTal.pdf&amp;diff=221895</id>
		<title>File:AppSecIL2016 NodeJS-Security LiranTal.pdf</title>
		<link rel="alternate" type="text/html" href="https://wiki.owasp.org/index.php?title=File:AppSecIL2016_NodeJS-Security_LiranTal.pdf&amp;diff=221895"/>
				<updated>2016-09-29T08:28:52Z</updated>
		
		<summary type="html">&lt;p&gt;Avi Douglen: &lt;/p&gt;
&lt;hr /&gt;
&lt;div&gt;&lt;/div&gt;</summary>
		<author><name>Avi Douglen</name></author>	</entry>

	<entry>
		<id>https://wiki.owasp.org/index.php?title=File:AppSecIL2016_CripplingHTTPSwithUnholyPAC_AmitKlein.pdf&amp;diff=221894</id>
		<title>File:AppSecIL2016 CripplingHTTPSwithUnholyPAC AmitKlein.pdf</title>
		<link rel="alternate" type="text/html" href="https://wiki.owasp.org/index.php?title=File:AppSecIL2016_CripplingHTTPSwithUnholyPAC_AmitKlein.pdf&amp;diff=221894"/>
				<updated>2016-09-29T08:27:24Z</updated>
		
		<summary type="html">&lt;p&gt;Avi Douglen: &lt;/p&gt;
&lt;hr /&gt;
&lt;div&gt;&lt;/div&gt;</summary>
		<author><name>Avi Douglen</name></author>	</entry>

	<entry>
		<id>https://wiki.owasp.org/index.php?title=File:AppSecIL2016_AdvancedCrossSiteSearch_NethanelGelernter.pdf&amp;diff=221893</id>
		<title>File:AppSecIL2016 AdvancedCrossSiteSearch NethanelGelernter.pdf</title>
		<link rel="alternate" type="text/html" href="https://wiki.owasp.org/index.php?title=File:AppSecIL2016_AdvancedCrossSiteSearch_NethanelGelernter.pdf&amp;diff=221893"/>
				<updated>2016-09-29T08:25:31Z</updated>
		
		<summary type="html">&lt;p&gt;Avi Douglen: &lt;/p&gt;
&lt;hr /&gt;
&lt;div&gt;&lt;/div&gt;</summary>
		<author><name>Avi Douglen</name></author>	</entry>

	<entry>
		<id>https://wiki.owasp.org/index.php?title=Category:Israel&amp;diff=221838</id>
		<title>Category:Israel</title>
		<link rel="alternate" type="text/html" href="https://wiki.owasp.org/index.php?title=Category:Israel&amp;diff=221838"/>
				<updated>2016-09-27T08:39:20Z</updated>
		
		<summary type="html">&lt;p&gt;Avi Douglen: after AppSecIL 2016&lt;/p&gt;
&lt;hr /&gt;
&lt;div&gt;[[image:Owasp_Israel_logo.png|center|500px]]&lt;br /&gt;
&lt;br /&gt;
{{Chapter Template|chaptername=Israel|extra=&amp;lt;br&amp;gt;&lt;br /&gt;
&lt;br /&gt;
The chapter leader is '''[mailto:avi.douglen@owasp.org Avi Douglen]'''.&lt;br /&gt;
&lt;br /&gt;
* OWASP Israel Board: '''[mailto:avi.douglen@owasp.org Avi Douglen]''', '''Or Katz''', ''' Ofer Maor''', '''Erez Metula''', '''Hemed Gur Ary''', '''[[User:YossiOren|Dr. Yossi Oren]]'''&lt;br /&gt;
* Chapter Founder: '''[mailto:ofer@shezaf.com Ofer Shezaf]'''&lt;br /&gt;
* [[OWASP_Top10_Hebrew|OWASP Top 10 Hebrew]]: Or Katz&lt;br /&gt;
* Homepage Maintenance: Avi Douglen, Ofer Maor, Yossi Oren&lt;br /&gt;
* Mailing List Management: Avi Douglen, Ofer Maor, Or Katz   &lt;br /&gt;
&lt;br /&gt;
|mailinglistsite=http://lists.owasp.org/mailman/listinfo/owasp-israel|emailarchives=http://lists.owasp.org/pipermail/owasp-israel}}&lt;br /&gt;
&lt;br /&gt;
&amp;lt;paypal&amp;gt;Israel&amp;lt;/paypal&amp;gt;&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
== OWASP Activity ==&lt;br /&gt;
&lt;br /&gt;
* An annual conference, usually in September or October. &lt;br /&gt;
* Periodic meetings. If you would like to host a meeting or speak at one, contact [mailto:avi.douglen@owasp.org Avi Douglen] or [mailto:katz3112@gmail.com Or Katz].&lt;br /&gt;
* [[OWASP_Top10_Hebrew|OWASP Top 10 Hebrew translation]].&lt;br /&gt;
* Security discussion forum in Hebrew - on [https://www.facebook.com/groups/owasp.il/ Facebook]. &lt;br /&gt;
* [https://www.linkedin.com/groups/39702 LinkedIn Group] for networking and announcements. &lt;br /&gt;
* [https://owasp.slack.com/messages/chapter-israel/ Chat room for security in Hebrew].&lt;br /&gt;
* [http://www.meetup.com/OWASP-Israel/ Meetings and socialization on Meetup].&lt;br /&gt;
* [https://twitter.com/OWASP_IL Twitter account]. &lt;br /&gt;
* Spreading the Word - Reaching out to more people, especially outside of the AppSec community.&lt;br /&gt;
* [[OWASP_IL_Sponsorship|Sponsorship opportunities]], including #AppSecIL conference sponsorship. &lt;br /&gt;
&lt;br /&gt;
If you have anything else on your mind, please speak up! Contact [mailto:avi.douglen@owasp.org Avi Douglen] with any ideas you have.&lt;br /&gt;
&lt;br /&gt;
== OWASP Top 10 in Hebrew ==  &lt;br /&gt;
&lt;br /&gt;
; '''The OWASP Top 10, 2013 version was translated to Hebrew! &amp;lt;br&amp;gt; &lt;br /&gt;
It is now [[OWASP_Top10_Hebrew|available for download]].'''&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
== Previous OWASP Israel Conferences and Meetings ==&lt;br /&gt;
&lt;br /&gt;
; [[AppSec_Israel_2016|AppSec Israel 2016]] Conference was held on Monday, September 19th, at the College of Management, with more than 650 attendees! (Use the [[AppSec_Israel_2016_Presentations|presentations info page]] to download presentations and videos)&lt;br /&gt;
&lt;br /&gt;
[[OWASP_Israel_June_2016|OWASP Israel June 2016]] took place in the Amdocs Auditorium in Raanana, on June 14, 2016. &lt;br /&gt;
&lt;br /&gt;
[[OWASP_Israel_April_2016|OWASP Israel April 2016]] was held at HP Enterprise in Yehud, on April 12, 2016, with over 150 participants. &lt;br /&gt;
&lt;br /&gt;
[[OWASP_Israel_February_2016|OWASP Israel February 2016]] was held at F5 Networks in Tel Aviv, on February 2, 2016. &lt;br /&gt;
&lt;br /&gt;
; [[AppSec_Israel_2015|AppSec Israel 2015]] Conference was held on October 13th, at the College of Management, with over 550 participants! (Use the [[AppSec_Israel_2015_Presentations|presentations info page]] to download presentations)&lt;br /&gt;
&lt;br /&gt;
[[OWASP_Israel_June_2015|OWASP Israel June 2015]] was held at Microsoft in Herzeliya, on June 16, 2015, with around 120 participants.   &lt;br /&gt;
&lt;br /&gt;
[[OWASP_Israel_March_2015|OWASP Israel March 2015]] was held at NCR in Raanana, on March 30, 2015, with over 120 participants.  &lt;br /&gt;
&lt;br /&gt;
; [[AppSec_Israel_2014|AppSec Israel 2014]] Conference was held on September 2nd, at the IDC, with over 450 participants! (Use the [[AppSec_Israel_2014_Presentations|presentations info page]] to download presentations)&lt;br /&gt;
&lt;br /&gt;
[[OWASP_Israel_June_2014|OWASP Israel June 2014]] was held at F5 Networks in Tel Aviv, on June 16, 2014, with over 110 participants. &lt;br /&gt;
&lt;br /&gt;
[[OWASP_Israel_April_2014|OWASP Israel April 2014]] was held at Akamai in Herzliya Pituach, on April 23, 2014, with close to 100 participants. &lt;br /&gt;
&lt;br /&gt;
[[OWASP_Israel_January_2014|OWASP Israel January 2014]] was held at Amdocs in Ra'anana on January 14th, 2014, with over 120 participants.&lt;br /&gt;
&lt;br /&gt;
; [[OWASP_Israel_2013|OWASP Israel 2013]] Conference held on October 1st with close to 480 participants! (Use the [[OWASP_Israel_2013_Presentations|presentations info page]] to download presentations)&lt;br /&gt;
&lt;br /&gt;
[[OWASP_Israel_2013_05|OWASP Israel May 2013]] was held at RSA on May 28th 2013 with 80 participants.&lt;br /&gt;
&lt;br /&gt;
[[OWASP_Israel_2013_02|OWASP Israel February 2013]]  meeting was held at E&amp;amp;Y on February 12th 2013 ([[OWASP_ISRAEL_2013_02_Hebrew|Hebrew version]]).&lt;br /&gt;
&lt;br /&gt;
;[[OWASP_Israel_2012|OWASP Israel 2012 conference]] was held at the IDC on Sep 5th 2012.&lt;br /&gt;
&lt;br /&gt;
;[[OWASP_Israel_2011|OWASP Israel 2011 Conference]] was held in the IDC in Herzliya on Sep 15th 2011, with about 350 attendees. &lt;br /&gt;
&lt;br /&gt;
;[[OWASP_Israel_2010|OWASP Israel 2010 Conference]] was held in the IDC in Herzliya on Sep 6th 2010 with about 150 attendees.&lt;br /&gt;
&lt;br /&gt;
[[OWASP_Israel_2010_06|OWASP Israel Jun-2010]] meeting was held in IBM/Watchfire in Herzliya on Jun 22nd 2010.&lt;br /&gt;
&lt;br /&gt;
[[OWASP_Israel_2010_02|OWASP Israel Feb-2010]] meeting was held in Amdocs in Ra'anana on Feb 9th 2010 with over 70 attendees.&lt;br /&gt;
&lt;br /&gt;
[[OWASP_Israel_2010_01|OWASP Israel Jan-2010]] meeting was held in Breach Security in Herzliya on Jan 12th 2010 with over 60 attendees.&lt;br /&gt;
&lt;br /&gt;
[[OWASP_Israel_2009_12|OWASP Israel Dec-2009]] meeting was held in IBM/Watchfire in Herzliya in Dec 2009.&lt;br /&gt;
&lt;br /&gt;
;[[OWASP_Israel_2009|OWASP Israel 2009]] conference was held at the Interdisciplinary Center Herzliya on Sunday, September 6th 2009. &lt;br /&gt;
: You can find the agenda and uploaded presentations [[OWASP_Israel_2009|here]].&lt;br /&gt;
&lt;br /&gt;
; [[OWASP_Israel_2009_05|OWASP Israel May 2009 meeting]] was held at IBM in Park Azorim in Petach-Tikva on May 7th. The presentations were:&lt;br /&gt;
* Web-Based Man-in-the-Middle Attack, Adi Sharabani, IBM ([http://blog.watchfire.com/wfblog/2009/02/active-man-in-the-middle-attacks.html more info])&lt;br /&gt;
* Automation Attacks and Counter Measures, Ofer Shezaf, Xiom ([http://www.owasp.org/images/5/58/OWASP_Israel_-_May_2009_-_Ofer_Shezaf_-_Automation_Attacks.pdf presentation])&lt;br /&gt;
: [[OWASP_ISRAEL_2009_05_Hebrew|Full details in Hebrew]]&lt;br /&gt;
&lt;br /&gt;
; [[OWASP_Israel_2009_03|OWASP Israel March 2009 meeting]] was held at the Tel-Aviv University on March 26th, with approximately 60 attendees. The presentations were:&lt;br /&gt;
* Securing cellular web applications, Mikko Saario, Founder, OWASP Finland, Security Architect, Large Telecom Solution Provider ([[Media:OWASP_Israel_-_March_2009_-_Mikko_Saario_-_Web_Application_Security_in_the_Mobile_World.pdf‎|download]])&lt;br /&gt;
* Real world implementation of a PCI DSS compliance key management, Yaron Hakon, [http://www.2bsecure.co.il 2bsecure] ([[Media:OWASP_Israel_-_March_2009_-_Yaron_Hakon_-_PCI_key_managment.pdf‎|download]])&lt;br /&gt;
* Detecting RFI attacks, Or Katz, [http://www.breach.com Breach Security] ([[Media:OWASP_Israel_-_March_2009_-_Or_Katz_-_RFI_detection.pdf‎|download]])&lt;br /&gt;
* WAFEC 2.0 - Do WAFs deliver?, Ofer Shezaf, [http://www.xiom.com Xiom] ([[Media:OWASP_Israel_-_March_2009_-_Ofer_Shezaf_-_Why_WAFs_fail.pdf‎|download]])&lt;br /&gt;
: [[OWASP_ISRAEL_2009_03_Hebrew|Full details in Hebrew]]&lt;br /&gt;
&lt;br /&gt;
; [[OWASP_Israel_2009_01|OWASP Israel January 2009 meeting]] was held at Checkpoint on January 28th, with over 100 people attending. The presentations were:&lt;br /&gt;
* Improving Web Application Firewall testing for better deployment in production network, Gregory Fresnais from BreakingPoint, visiting us from France ([[Media:OWASP_Israel_2009_01_Gregory_Fresnais_Measuring_WAF_Performance.pdf‎|download]]) &lt;br /&gt;
* Web 2.0 Hacking, Nimrod Luria, Qrity ([[Media:OWASP_Israel_2009_01_Nimrod_Luria_Web_2.0_Security.pdf‎|download]])&lt;br /&gt;
* Wiki Security, Ofer Shezaf, Xiom ([http://www.xiom.com/research/wiki_security download])&lt;br /&gt;
&lt;br /&gt;
; [[OWASP_Israel_2008_Conference_at_the_Interdisciplinary_Center_Herzliya|The OWASP Israel 2008 conference at the Interdisciplinary Center Herzliya (IDC)]] was held on September 14th with 250 attendees.&lt;br /&gt;
&lt;br /&gt;
; OWASP Israel at the [http://www.idc.co.il/?showproduct=31108&amp;amp;content_lang=ENG IDC Security Road Show]&lt;br /&gt;
: OWASP sponsored the IDC Security Road Show event in Israel on June 3rd 2008. Thanks to Iris Lev-Ari and Tomer Teller for their help in the OWASP booth.&lt;br /&gt;
&lt;br /&gt;
; [[OWASP_Israel_2007_Conference|OWASP Israel 2007 conference at the Interdisciplinary Center Herzliya (IDC)]]&lt;br /&gt;
: the 1st official OWASP conference in Israel, was held on Dec 3rd 2007 at the Interdisciplinary Center (IDC) Herzliya. The conference really set itself as an event you must come to if you have anything to do with application security. [http://picasaweb.google.com/oshezaf/OWASPIsrael2007 pictures from the conference]&lt;br /&gt;
&lt;br /&gt;
[[Category:Middle East]] [[Category:Europe]]&lt;/div&gt;</summary>
		<author><name>Avi Douglen</name></author>	</entry>

	<entry>
		<id>https://wiki.owasp.org/index.php?title=AppSec_Israel_2016&amp;diff=221837</id>
		<title>AppSec Israel 2016</title>
		<link rel="alternate" type="text/html" href="https://wiki.owasp.org/index.php?title=AppSec_Israel_2016&amp;diff=221837"/>
				<updated>2016-09-27T08:14:13Z</updated>
		
		<summary type="html">&lt;p&gt;Avi Douglen: PostConf&lt;/p&gt;
&lt;hr /&gt;
&lt;div&gt;[[image:AppSecIL_Logo_2016.png|center]] &lt;br /&gt;
&lt;br /&gt;
The annual OWASP AppSec Israel Conference is the largest conference in Israel for application security, and regularly draws hundreds of participants. Over 650 people attended this year!  &lt;br /&gt;
&lt;br /&gt;
But AppSecIL is not just for security experts!   &lt;br /&gt;
&lt;br /&gt;
Aimed at developers, testers, architects, product designers, and managers - anyone involved with the software lifecycle is welcome, regardless of type of software, website, mobile app, or any other type of application. &lt;br /&gt;
&lt;br /&gt;
If you are responsible for, or involved with:&lt;br /&gt;
* web security&lt;br /&gt;
* devops security&lt;br /&gt;
* cloud security&lt;br /&gt;
* mobile security&lt;br /&gt;
* application security&lt;br /&gt;
* software development&lt;br /&gt;
* quality assurance&lt;br /&gt;
* software maintenance or operations&lt;br /&gt;
... you should join us at AppSecIL! &lt;br /&gt;
&lt;br /&gt;
AppSec Israel 2016 had two lecture tracks from an amazing group of speakers. We also hosted a sponsors pavilion for products and services relevant to application security and developers.&lt;br /&gt;
&lt;br /&gt;
All the talks at the Conference were recorded, and will be made available soon.&lt;br /&gt;
&lt;br /&gt;
A [https://drive.google.com/drive/folders/0B0_K8tApcXxmVzBkcDNFUmt5S0U collection of pictures from the event].&lt;br /&gt;
&lt;br /&gt;
&amp;lt;br&amp;gt; &lt;br /&gt;
= Location and Time  =&lt;br /&gt;
&lt;br /&gt;
The annual OWASP AppSec Israel 2016 conference was held this year in The College of Management (Michlala l’Minhal), in Rishon LeZion (about 20 minutes south of Tel Aviv), on Monday, September 19th, 2016, from 9AM to 6PM. &lt;br /&gt;
&lt;br /&gt;
The address is Eli Weisel 2, Rishon LeZiyon. There is plenty of parking available, entrance is via gate 4.&lt;br /&gt;
&lt;br /&gt;
For directions and public transportation options, please see the information at this link: http://www.colman.ac.il/about/roads/Pages/default.aspx&lt;br /&gt;
&lt;br /&gt;
Please use the [https://twitter.com/hashtag/AppSecIL #AppSecIL] hashtag on Twitter.&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
= Sponsors = &lt;br /&gt;
&lt;br /&gt;
The AppSec Israel conference is proudly being sponsored by: &lt;br /&gt;
&lt;br /&gt;
{{Template:AppSec_Israel_2016_Sponsors}}&lt;br /&gt;
&lt;br /&gt;
= Registration =&lt;br /&gt;
&lt;br /&gt;
Thanks to our generous sponsors, attending the conference was free of charge. However, advance registration is required. &lt;br /&gt;
&lt;br /&gt;
Please register here: https://appsecil2016.eventbrite.com/ .&lt;br /&gt;
&lt;br /&gt;
From there you will also be able to sign up at Sched.org, to view the conference schedule interactively, add sessions to your personal calendar, and other features. &lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
= Agenda = &lt;br /&gt;
&lt;br /&gt;
See the [[AppSec_Israel_2016_Presentations|detailed list of talks here]]; slide decks are also available there.   &lt;br /&gt;
Please note that while most of the talks are in English, some will be given in Hebrew. Please check the details of each session to know in which language it will be.  &lt;br /&gt;
&lt;br /&gt;
New this year is a [[AppSec_Israel_2016_CTF|Capture the Flag session]], organized and sponsored by Komodo Consulting: [[AppSec_Israel_2016_CTF|click here for details]].&lt;br /&gt;
&lt;br /&gt;
The [https://appsecil2016.sched.org/ full schedule can be seen and subscribed to here]. &lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
* '''Tomer Cohen''', Head of R&amp;amp;D security, Wix.com&lt;br /&gt;
''Bot Extension - Abusing Google Chrome Extensions for Bot Attacks'' &lt;br /&gt;
* '''Amit Ashbel''', Director of Product Marketing &amp;amp; Cyber Security Evangelist, Checkmarx&lt;br /&gt;
&amp;amp;nbsp;&amp;amp;nbsp;&amp;amp;nbsp;&amp;amp;nbsp; '''Erez Yalon''', Application Security Lead, Checkmarx&lt;br /&gt;
&lt;br /&gt;
''Could a few lines of code &amp;lt;F!#ck&amp;gt; it all up??'' &lt;br /&gt;
* '''Amit Klein''', VP Security Research, SafeBreach&lt;br /&gt;
''Crippling HTTPS with unholy PAC'' &lt;br /&gt;
* '''Martin Knobloch''', Principal Consultant, Nixu&lt;br /&gt;
''Don't Feed the Hippos!'' &lt;br /&gt;
* '''Nadav Avital''', Application Security Research Team Leader, Imperva, and &lt;br /&gt;
&amp;amp;nbsp;&amp;amp;nbsp;&amp;amp;nbsp;&amp;amp;nbsp; '''Noam Mazor''', Security Research Engineer, Imperva  &lt;br /&gt;
&lt;br /&gt;
''Hacking HTTP/2 - New attacks on the Internet’s Next Generation Foundation'' &lt;br /&gt;
* '''Erez Metula''', Application Security Expert, AppSec Labs (Founder)&lt;br /&gt;
''Hacking The IoT (Internet of Things) - PenTesting RF Operated Devices'' &lt;br /&gt;
* '''Elena Kravchenko''', ADM BU Security Lead Security &amp;amp; Trust Office, HPE Software, and &lt;br /&gt;
&amp;amp;nbsp;&amp;amp;nbsp;&amp;amp;nbsp;&amp;amp;nbsp; '''Efrat Wasserman''', ADM Senior Program manager SRL, HPE Software&lt;br /&gt;
&lt;br /&gt;
''Integrating Security in Agile projects   (real case study)'' &lt;br /&gt;
* '''Tal Melamed''', Technical Leader, AppSec Labs&lt;br /&gt;
''Java Hurdling: Obstacles and Techniques in Java Client Penetration-testing'' &lt;br /&gt;
* '''Eli Greenbaum''', Partner, Yigal Arnon &amp;amp; Co.&lt;br /&gt;
''Law and the Israeli Cybersecurity Industry''&lt;br /&gt;
* '''Liran Tal''', R&amp;amp;D Team Leader, Hewlett Packard Enterprise&lt;br /&gt;
''NodeJS Security Done Right - The tips and tricks they won’t teach you in school'' &lt;br /&gt;
* '''Tamir Shavro''', Seeker R&amp;amp;D Manager, Synopsys&lt;br /&gt;
''Putting the &amp;quot;I&amp;quot; in Code Review - Turning Code Review Interactive'' &lt;br /&gt;
* '''Ofer Maor''', Director of Security Strategy, Synopsys&lt;br /&gt;
''Signoff or Sign-Out'' &lt;br /&gt;
* '''Or Katz''', Principal Security Researcher, Akamai &lt;br /&gt;
''The Dark Side of Search Engine Optimization'' &lt;br /&gt;
* Dr. '''Nethanel Gelernter''', Cyberpion &amp;amp; The College of Management Academic Studies&lt;br /&gt;
''The Threat of Advanced Cross-Site Search Attacks'' &lt;br /&gt;
* '''Shay Chen''', CEO, Effective Security&lt;br /&gt;
''The Unwanted Sons - Formalizing and Demonstrating WAF Bypass Methods for the REST of the Top 10'' &lt;br /&gt;
* '''Yair Amit''', CTO &amp;amp; Co-founder, Skycure&lt;br /&gt;
''The Ways Hackers Are Taking To Win The Mobile Malware Battle''&lt;br /&gt;
&lt;br /&gt;
= Sponsorships = &lt;br /&gt;
&lt;br /&gt;
Whether you have a product to showcase, are offering a service, or are recruiting, sponsoring the OWASP AppSec Israel event gets you the right exposure. This year we are expecting well over 600 attendees, including security professionals, developers, managers, and more. &lt;br /&gt;
&lt;br /&gt;
Sponsorship also helps support the OWASP community, and ensures that we can keep on making our conferences better and better. Sponsorship fees are intended to cover the costs of the conference. Since the conference is open to all and free of charge to attend, we need your support to enable us to put on a great conference.&lt;br /&gt;
&lt;br /&gt;
We are now offering Silver, Gold and Platinum sponsorship levels. There is also a cost-effective “Community Supporter” option for non-profits, government offices, small startups, and such.   &lt;br /&gt;
For more details on the available sponsorship options please see the [[AppSec_Israel_2016_Sponsorships|Conference Sponsorship page]]. &lt;br /&gt;
&lt;br /&gt;
For more details and to confirm your sponsorship, please contact [mailto:katz3112@gmail.com Or Katz].&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
= The people behind the conference  =&lt;br /&gt;
&lt;br /&gt;
OWASP AppSec Israel is made by the people who contribute their time and brains to its success. The following people are working to ensure that OWASP AppSec Israel is a success. If you feel that you also can contribute or have interesting ideas regarding the conference, please don't hesitate to contact [mailto:Avi.Douglen@owasp.org AviD] directly. &lt;br /&gt;
&lt;br /&gt;
=== Contributors  ===&lt;br /&gt;
&lt;br /&gt;
* Avi Douglen (Independent)&lt;br /&gt;
* Or Katz (Akamai)&lt;br /&gt;
* Ofer Maor (Synopsys) &lt;br /&gt;
* Erez Metula (AppSec Labs)&lt;br /&gt;
* Hemed Gur Ary (Amdocs)&lt;br /&gt;
* Dr. Yossi Oren (Ben Gurion University)&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
[[Category:Israel]] [[Category:AppSec_Israel_2016]] [[Category:OWASP_AppSec_Conference]]&lt;/div&gt;</summary>
		<author><name>Avi Douglen</name></author>	</entry>

	<entry>
		<id>https://wiki.owasp.org/index.php?title=AppSec_Israel_2016_Presentations&amp;diff=221836</id>
		<title>AppSec Israel 2016 Presentations</title>
		<link rel="alternate" type="text/html" href="https://wiki.owasp.org/index.php?title=AppSec_Israel_2016_Presentations&amp;diff=221836"/>
				<updated>2016-09-27T08:07:48Z</updated>
		
		<summary type="html">&lt;p&gt;Avi Douglen: Added presentations&lt;/p&gt;
&lt;hr /&gt;
&lt;div&gt;&lt;br /&gt;
Full descriptions of all the talks at [[AppSec_Israel_2016|AppSec Israel 2016]] are below, together with each of the speakers' biographies. &lt;br /&gt;
&lt;br /&gt;
The [https://appsecil2016.sched.org/ full schedule can be found and subscribed to here].&lt;br /&gt;
&lt;br /&gt;
Pictures from the event [https://drive.google.com/drive/folders/0B0_K8tApcXxmVzBkcDNFUmt5S0U can be found here].&lt;br /&gt;
&lt;br /&gt;
__TOC__ &lt;br /&gt;
&lt;br /&gt;
The AppSec Israel conference is proudly being sponsored by: &lt;br /&gt;
{{Template:AppSec_Israel_2016_Sponsors}}&lt;br /&gt;
&lt;br /&gt;
== Technical Tracks ==&lt;br /&gt;
&lt;br /&gt;
=== Bot Extension - Abusing Google Chrome Extensions for Bot Attacks ===&lt;br /&gt;
'''Bot Extensions - Using Chrome Extensions for Bot Attacks'''  &amp;lt;br /&amp;gt;&lt;br /&gt;
''''' Tomer Cohen, Head of R&amp;amp;D security, Wix.com '''''    &amp;lt;br /&amp;gt;&lt;br /&gt;
Chrome extensions have opened a variety of opportunities for users as well as developers, expanding the limits of what we've known as browsing experience. Attackers have also spotted the wide usage of such extensions, and abuse people's trust in Chrome Web Store to distribute malicious extensions. This allows them to run web-based bot attacks straight from victims' browsers, including DDoS campaigns and cross-site requests resulting in impersonation of users in third-party websites.&lt;br /&gt;
&lt;br /&gt;
Furthermore, the detection of such a bot attack by a third party is more complex than in regular distributed attacks, since real humans actually use the Chrome tab abused to attack the victim third party.&lt;br /&gt;
&lt;br /&gt;
The lecture will include an intro on Chrome Extension architecture followed by techniques to abuse this architecture in order to run bot attacks, as well as distribute malicious extensions to big crowds of victims.&lt;br /&gt;
&lt;br /&gt;
&amp;lt;br&amp;gt;&amp;lt;u&amp;gt;Speaker Bio&amp;lt;/u&amp;gt; &lt;br /&gt;
&lt;br /&gt;
Worked as a security consultant in several places, one of the founders of Magshimim Cyber Training Program.&lt;br /&gt;
&lt;br /&gt;
&amp;lt;br&amp;gt;&amp;lt;u&amp;gt;Technical Level:&amp;lt;/u&amp;gt; Intermediate / Advanced&lt;br /&gt;
&amp;lt;br&amp;gt;&amp;lt;u&amp;gt;Language:&amp;lt;/u&amp;gt; Hebrew&lt;br /&gt;
&lt;br /&gt;
&amp;lt;br&amp;gt;&lt;br /&gt;
&lt;br /&gt;
=== Could a few lines of code &amp;lt;F!#ck&amp;gt; it all up?? ===&lt;br /&gt;
''''' Amit Ashbel, Director of Product Marketing &amp;amp; Cyber Security Evangelist, Checkmarx '''''    &amp;lt;br /&amp;gt;&lt;br /&gt;
''''' Erez Yalon, Application Security Lead, Checkmarx '''''    &amp;lt;br /&amp;gt;&lt;br /&gt;
([[Media:AppSecIL2016_AFewLinesOfCode-JS_AmitAshbel-ErezYalon.pptx|download presentation]])&lt;br /&gt;
&lt;br /&gt;
March 2016. An anonymous open source developer decides to remove his code (left-pad) from a public repository.&lt;br /&gt;
&lt;br /&gt;
Shortly thereafter, several large organizations felt the impact of his actions. Facebook, AirBnB and others experienced errors impacting the functionality of their services. Packages using “left-pad” wouldn’t properly execute.&lt;br /&gt;
&lt;br /&gt;
Today, we embrace both the open source community and the growth of open source projects, modules and packages but... Dependencies and recursive dependencies might become a risk or even a new attack vector which we didn’t foresee. &lt;br /&gt;
&lt;br /&gt;
Could there be other cases of common and popular open source packages depending on open source modules that might not be there tomorrow or, even worse, could they be maliciously modified?&lt;br /&gt;
&lt;br /&gt;
Join us for an insightful session that will reveal our research on this topic where you will learn:&lt;br /&gt;
* Which common open source packages might not be there tomorrow and how this can affect you?&lt;br /&gt;
* How packages you use could be maliciously modified, and the impact on your app&lt;br /&gt;
* The risks introduced by hybrid application development &lt;br /&gt;
* How intertwined and complex dependencies have become&lt;br /&gt;
&lt;br /&gt;
&amp;lt;br&amp;gt;&amp;lt;u&amp;gt;Speaker Bio&amp;lt;/u&amp;gt; &lt;br /&gt;
&lt;br /&gt;
Amit has been with the security community for more than a decade where he has taken on multiple tasks and responsibilities, including technical and Senior Product lead positions. Amit adds valuable product knowledge including experience with a wide range of security platforms and familiarity with emerging threats. Amit also speaks at high profile events and conferences such as BlackHat, Defcon, OWASP and others.&lt;br /&gt;
&lt;br /&gt;
&amp;lt;br&amp;gt;&amp;lt;u&amp;gt;Speaker Bio&amp;lt;/u&amp;gt; &lt;br /&gt;
&lt;br /&gt;
Erez Yalon heads the security research group at Checkmarx. With vast defender and attacker experience and as an independent security researcher, he brings invaluable knowledge and skills to the table. Erez is responsible for maintaining Checkmarx’s top notch vulnerability detection technology where his previous development experience with a variety of coding languages comes into play.&lt;br /&gt;
&lt;br /&gt;
&amp;lt;br&amp;gt;&amp;lt;u&amp;gt;Technical Level:&amp;lt;/u&amp;gt; Introduction&lt;br /&gt;
&amp;lt;br&amp;gt;&amp;lt;u&amp;gt;Language:&amp;lt;/u&amp;gt; Hebrew&lt;br /&gt;
&lt;br /&gt;
&amp;lt;br&amp;gt;&lt;br /&gt;
&lt;br /&gt;
=== Crippling HTTPS with unholy PAC ===&lt;br /&gt;
'''How to Destroy HTTPS with a PAC Sabotage Kit''' &amp;lt;br /&amp;gt;&lt;br /&gt;
''''' Amit Klein, VP Security Research, SafeBreach '''''    &amp;lt;br /&amp;gt;&lt;br /&gt;
You're in a potentially malicious network (free WiFi, guest network, or maybe your own corporate LAN). You're a security conscious netizen so you restrict yourself to HTTPS (browsing to HSTS sites and/or using a &amp;quot;Force TLS/SSL&amp;quot; browser extension). All your traffic is protected from the first byte. Or is it?&lt;br /&gt;
&lt;br /&gt;
We will demonstrate that, by forcing your browser/system to use a malicious PAC (Proxy AutoConfiguration) resource, it is possible to leak HTTPS URLs. We will explain how this affects the privacy of the user and how credentials/sessions can be stolen. We will present the concept of &amp;quot;PAC Malware&amp;quot; (a malware which is implemented only as JavaScript logic in a PAC resource) that features: a 2-way communication channel between the PAC malware and an external server, contextual phishing via messages, denial-of-service options, and sensitive data extraction from URIs. We present a comprehensive browser PAC feature matrix and elaborate more about this cross-platform (Linux, Windows, Mac) and cross-browser (IE, Chrome, Safari) threat.&lt;br /&gt;
&lt;br /&gt;
&amp;lt;br&amp;gt;&amp;lt;u&amp;gt;Speaker Bio&amp;lt;/u&amp;gt; &lt;br /&gt;
&lt;br /&gt;
Amit Klein is a world renowned information security expert, with 25 years in information security and over 30 published technical papers on this topic. Amit is VP Security Research at SafeBreach, responsible for researching various infiltration, exfiltration and lateral movement attacks. Before SafeBreach, Amit was CTO for Trusteer (acquired by IBM) for 8.5 years. Prior to Trusteer, Amit was chief scientist for Cyota (acquired by RSA) for 2 years, and prior to that, director of Security and Research for Sanctum (acquired by Watchfire, now part of IBM security division) for 7 years. Amit has a B.Sc. from the Hebrew University (magna cum laude, Talpiot program), was recognized by InfoWorld as a CTO of the year 2010, and has presented at HITB, RSA, OWASP, CertConf, BlueHat, CyberTech, APWG and AusCERT.&lt;br /&gt;
&lt;br /&gt;
&amp;lt;br&amp;gt;&amp;lt;u&amp;gt;Technical Level:&amp;lt;/u&amp;gt; Intermediate&lt;br /&gt;
&amp;lt;br&amp;gt;&amp;lt;u&amp;gt;Language:&amp;lt;/u&amp;gt; Hebrew&lt;br /&gt;
&lt;br /&gt;
&amp;lt;br&amp;gt;&lt;br /&gt;
&lt;br /&gt;
=== Don't Feed the Hippos! ===&lt;br /&gt;
''''' Martin Knobloch, Principal Consultant, Nixu '''''    &amp;lt;br /&amp;gt;&lt;br /&gt;
([[Media:AppSecIL2016_DontFeedTheHippos_MartinKnobloch.pdf|download presentation]])&lt;br /&gt;
&lt;br /&gt;
The security community is trying to solve insecurity caused by bugs and flaws in software for many years now, but with what success? &lt;br /&gt;
&lt;br /&gt;
We almost never look at the successes and failures experienced in other areas, though we could really learn from them. This talk is inspired by Ernesto Sirolli’s TED talk “Want to help someone? Shut up and listen!” about failures in aid programs around the world. Listening to Ernesto Sirolli, you cannot miss the similarity with the security community trying to tell developers how to write secure code.  This talk points out common failures of the security community when communicating with developers, trying to solve their problems without understanding what their problems really are. &lt;br /&gt;
&lt;br /&gt;
Using the hippo analogy for security failures, the talk identifies those ‘(in-)secure hippos’ and provides advice on how to avoid them, through anecdotes and best practices from the experience of the past 10 years in the security field as a consultant.&lt;br /&gt;
&lt;br /&gt;
&amp;lt;br&amp;gt;&amp;lt;u&amp;gt;Speaker Bio&amp;lt;/u&amp;gt; &lt;br /&gt;
&lt;br /&gt;
Martin is Principal Consultant at Nixu BeNeLux (https://www.nixu.com/en/nixubenelux). His main working area is (software) security in general, from awareness to implementation. In his daily work, he is responsible for education in application security matters, and for advice on and implementation of application security measures.&lt;br /&gt;
&lt;br /&gt;
With his background in Java Development, he understands the complexity of Enterprise software development, Agile Scrum environments and continuous delivery / deployment. &lt;br /&gt;
&lt;br /&gt;
Martin got involved in OWASP in 2006. He became a member of the OWASP Netherlands Chapter board in 2007. He has contributed to several OWASP projects and is co-organizer of the OWASP BeNeLux-Day conference since 2008. Martin has been chair of the Global Education Committee from 2008 until the ending of the Global Committees. &lt;br /&gt;
&lt;br /&gt;
Further, Martin is the conference chair of the OWASP AppSec-Eu/Research 2015 conference in Amsterdam, the Netherlands and involved in the AppSec-Eu 2016 among other activities as CfT Co-Chair. &lt;br /&gt;
&lt;br /&gt;
Martin is a frequent speaker at universities, hacker spaces and various conferences. &lt;br /&gt;
&lt;br /&gt;
&amp;lt;br&amp;gt;&amp;lt;u&amp;gt;Technical Level:&amp;lt;/u&amp;gt; Intermediate / Advanced&lt;br /&gt;
&amp;lt;br&amp;gt;&amp;lt;u&amp;gt;Language:&amp;lt;/u&amp;gt; English&lt;br /&gt;
&lt;br /&gt;
&amp;lt;br&amp;gt;&lt;br /&gt;
&lt;br /&gt;
=== Hacking HTTP/2 - New attacks on the Internet’s Next Generation Foundation ===&lt;br /&gt;
''''' Nadav Avital, Application Security Research Team Leader, Imperva '''''    &amp;lt;br /&amp;gt;&lt;br /&gt;
''''' Noam Mazor, Security Research Engineer, Imperva '''''    &amp;lt;br /&amp;gt;&lt;br /&gt;
HTTP/2 is the emerging network protocol for the Internet, facilitating leaner and faster web browsing by introducing several new mechanisms which can be seen as a single transition layer for web traffic. The adoption of HTTP/2 is lightning fast, and even though only a year has passed since its publication, HTTP/2 is already supported by all significant players in the field including browsers, web servers and Content Delivery Networks. &lt;br /&gt;
&lt;br /&gt;
In the presentation we will overview the HTTP/2 attack surface - stream multiplexing, flow control, HPACK compression and server push, with a focus on how the way HTTP/2 servers implement these mechanisms can make or break your security posture. We will continue with presenting new classes of vulnerabilities that have been introduced by the mechanisms used with HTTP/2, and explaining how these vulnerabilities can be used for mounting effective attacks against web servers like Apache, IIS, Nginx, Jetty and nghttp. We will explain in detail several serious zero-day vulnerabilities, such as CVE-2016-1546, CVE-2016-0150 and CVE-2016-1544, and end with discussing several approaches for mitigating attacks of these types. &lt;br /&gt;
&lt;br /&gt;
Those attending this session will understand that:&lt;br /&gt;
* As an emerging technology that introduces novel and flexible mechanisms, HTTP/2 also induces new risks. &lt;br /&gt;
* HTTP/2 implementations are still not “security mature.” Therefore it is almost certain that scrutiny of HTTP/2 implementations will increase in coming years, resulting in the discovery of new vulnerabilities, exploits and security patches.  With HTTP/2 gaining more popularity, this trend will intensify. &lt;br /&gt;
* An effective security strategy for newly adopted technologies must rely on supplemental solutions rather than patching&lt;br /&gt;
&lt;br /&gt;
&amp;lt;br&amp;gt;&amp;lt;u&amp;gt;Speaker Bio&amp;lt;/u&amp;gt; &lt;br /&gt;
&lt;br /&gt;
Nadav Avital is an expert in Web Application Security. He leads an Imperva team that captures and analyzes hacking activities and then creates mitigation strategies. These efforts result in research for new technologies and protocols. Nadav has more than 10 years industry experience in coding and creating security tools. He holds a B.Sc. in Computer Science.&lt;br /&gt;
&lt;br /&gt;
&amp;lt;br&amp;gt;&amp;lt;u&amp;gt;Speaker Bio&amp;lt;/u&amp;gt; &lt;br /&gt;
&lt;br /&gt;
Noam Mazor worked at Imperva as a security research engineer in the Web Application Security team. Noam has experience in analyzing hacking activities, creating mitigation and researching vulnerabilities. He holds a BSc in Computer Science and is currently an MSc student at Tel Aviv University.&lt;br /&gt;
&lt;br /&gt;
&amp;lt;br&amp;gt;&amp;lt;u&amp;gt;Technical Level:&amp;lt;/u&amp;gt; Intermediate&lt;br /&gt;
&amp;lt;br&amp;gt;&amp;lt;u&amp;gt;Language:&amp;lt;/u&amp;gt; Hebrew&lt;br /&gt;
&lt;br /&gt;
&amp;lt;br&amp;gt;&lt;br /&gt;
&lt;br /&gt;
=== Hacking The IoT (Internet of Things) - PenTesting RF Operated Devices ===&lt;br /&gt;
'''Hacking RF-Based IoT Systems''' &amp;lt;br /&amp;gt;&lt;br /&gt;
''''' Erez Metula, Application Security Expert, AppSec Labs (Founder) '''''    &amp;lt;br /&amp;gt;&lt;br /&gt;
([[Media:AppSecIL2016_HackingTheIoT-PenTestingRFDevices_ErezMetula.pdf|download presentation]])&lt;br /&gt;
&lt;br /&gt;
We often encounter IoT (Internet of Things) systems during our work as penetration testers and security consultants. We know how to assess the security of the server side API, the associated mobile apps, the web apps and so on - but what about the device itself (the &amp;quot;thing&amp;quot;)? Moreover, what happens if the device is not using traditional HTTP/S requests, or does not even &amp;quot;speak&amp;quot; plain old TCP/IP?&lt;br /&gt;
&lt;br /&gt;
During this talk, we'll go over the obstacles we have to face when analyzing unknown, custom RF based communication that drives the target IoT system we're pentesting. We'll talk about and see in action tools that will allow us to capture RF traffic, analyze it, brute force it, replay it, and of course forge it. It's like plain old appsec hacking tricks, but at the RF level. So let's hack some physical things belonging to the real world!&lt;br /&gt;
&lt;br /&gt;
&amp;lt;br&amp;gt;&amp;lt;u&amp;gt;Speaker Bio&amp;lt;/u&amp;gt; &lt;br /&gt;
&lt;br /&gt;
Erez Metula is the founder and Chairman of AppSec Labs, a leading company in the field of application security.&lt;br /&gt;
&lt;br /&gt;
He is the author of the book &amp;quot;Managed Code Rootkits&amp;quot;, and is a world renowned application security expert.&lt;br /&gt;
&lt;br /&gt;
Erez has extensive hands-on experience performing security assessments, code reviews and secure development trainings for worldwide organizations, and has previously spoken at international security conferences such as BlackHat, Defcon, OWASP, RSA, SOURCE, CanSecWest and more. Erez has helped companies of all sizes, from startups to Fortune 500 organizations. &lt;br /&gt;
&lt;br /&gt;
Erez focuses on advanced application security topics and has performed extensive ground breaking research on mobile application security. &lt;br /&gt;
&lt;br /&gt;
Erez holds an MSc in computer science and is a CISSP.&lt;br /&gt;
&lt;br /&gt;
&amp;lt;br&amp;gt;&amp;lt;u&amp;gt;Technical Level:&amp;lt;/u&amp;gt; Advanced&lt;br /&gt;
&amp;lt;br&amp;gt;&amp;lt;u&amp;gt;Language:&amp;lt;/u&amp;gt; Hebrew&lt;br /&gt;
&lt;br /&gt;
&amp;lt;br&amp;gt;&lt;br /&gt;
&lt;br /&gt;
=== Integrating Security in Agile projects (real case study) ===&lt;br /&gt;
''''' Elena Kravchenko, ADM BU Security Lead, Security &amp;amp; Trust Office, HPE Software '''''    &amp;lt;br /&amp;gt;&lt;br /&gt;
''''' Efrat Wasserman, ADM Senior Program manager, SRL, HPE Software ''''' &amp;lt;br/&amp;gt;&lt;br /&gt;
([[Media:AppSecIL2016_IntegratingSecurityInAgile_ElenaKravchenko-EfratWasserman.pptx|download presentation]])&lt;br /&gt;
&lt;br /&gt;
There are many different security development lifecycle (SDLC) frameworks in the modern world. However, a fully implemented SDLC program is often represented as heavy, time-consuming and not suitable for Agile development methodology. We’d like to break the myth and show, using a real case example, how a very comprehensive security program, managed by a dedicated security office, can be successfully integrated into an agile development project.  &lt;br /&gt;
&lt;br /&gt;
We’ll briefly describe the main challenges, and the techniques and procedures that help to overcome them. We’ll present the Security Lifecycle Management (SLM) Framework developed and used in HPE SW in the last three years, and describe how it was integrated into the development of a new SaaS-based, fully agile-developed product, with emphasis on main activities and roles. As a part of the presentation we would like to highlight the importance of proper program management and the role of the PMO, and how it became a key success factor in the effective security program implementation.&lt;br /&gt;
&lt;br /&gt;
&amp;lt;br&amp;gt;&amp;lt;u&amp;gt;Speaker Bio&amp;lt;/u&amp;gt; &lt;br /&gt;
&lt;br /&gt;
Elena has an MSc in Applied Mathematics from Leningrad State University, and over 25 years of software engineering experience in different roles, including Software Design Engineer, Technical Lead, Customer Oriented Development Engineer, and Software System Architect.&lt;br /&gt;
&lt;br /&gt;
She is currently part of the HPE Software ITOM and ADM Security and Trust Office as the Security Lead for HPE’s Application Delivery Management (ADM) Business Unit.&lt;br /&gt;
&lt;br /&gt;
&amp;lt;br&amp;gt;&amp;lt;u&amp;gt;Speaker Bio&amp;lt;/u&amp;gt; &lt;br /&gt;
&lt;br /&gt;
Efrat has earned a BSc in Computer Science and Mathematics, and an MBA in Business Management and Marketing. She has over 17 years in Software Development, and 9 years as a Program manager.  &lt;br /&gt;
&lt;br /&gt;
She is currently a Senior Program Manager in HPE SW, responsible for the lifecycle of a SaaS product.&lt;br /&gt;
&lt;br /&gt;
&amp;lt;br&amp;gt;&amp;lt;u&amp;gt;Technical Level:&amp;lt;/u&amp;gt; Intermediate&lt;br /&gt;
&amp;lt;br&amp;gt;&amp;lt;u&amp;gt;Language:&amp;lt;/u&amp;gt; Hebrew&lt;br /&gt;
&lt;br /&gt;
&amp;lt;br&amp;gt;&lt;br /&gt;
&lt;br /&gt;
=== Law and the Israeli Cybersecurity Industry ===&lt;br /&gt;
''''' Eli Greenbaum, Partner, Yigal Arnon &amp;amp; Co. '''''    &amp;lt;br /&amp;gt;&lt;br /&gt;
From an international perspective, Israel provides a unique laboratory for studying the effect of law and regulation on cybersecurity research and development. This presentation will provide an introduction to specific laws and regulations concerning cybersecurity research and ask whether these laws have in actual practice influenced the growth of the cybersecurity ecosystem in Israel. More specifically, how have industry players, including startups, multinationals and the military, reacted to the unique legal framework that Israel provides for cybersecurity activities?&lt;br /&gt;
&lt;br /&gt;
&amp;lt;br&amp;gt;&lt;br /&gt;
&amp;lt;u&amp;gt;Speaker Bio&amp;lt;/u&amp;gt; &lt;br /&gt;
&lt;br /&gt;
Eli Greenbaum is a partner in the law firm of Yigal Arnon &amp;amp; Co., specializing in technology, intellectual property and cybersecurity. He received his Masters degree in Applied Physics from Columbia University and his law degree from Yale Law School. Eli has published widely in the intersection between technology and the law, including in the Harvard Journal of Law and Technology and the Cardozo Law Review. Eli clerked for Justice Miriam Naor of the Supreme Court of Israel and Judge David Cheshin of the District Court of Jerusalem.  &lt;br /&gt;
&lt;br /&gt;
&amp;lt;br /&amp;gt;&amp;lt;u&amp;gt;Technical Level:&amp;lt;/u&amp;gt; Introduction&lt;br /&gt;
&amp;lt;br /&amp;gt;&amp;lt;u&amp;gt;Language:&amp;lt;/u&amp;gt; English&lt;br /&gt;
&lt;br /&gt;
&amp;lt;br&amp;gt;&lt;br /&gt;
&lt;br /&gt;
=== Java Hurdling: Obstacles and Techniques in Java Client Penetration-testing ===&lt;br /&gt;
''''' Tal Melamed, Technical Leader, AppSec Labs '''''    &amp;lt;br /&amp;gt;&lt;br /&gt;
([[Media:AppSecIL2016_JavaHurdling_TalMelamed.pdf|download presentation]])&lt;br /&gt;
&lt;br /&gt;
Testing Java client applications is not always as straightforward as testing web applications. Even under experienced hands, there might be obstacles coming your way; what if you cannot use a proxy? How do you MitM? What if you just can't? How do you modify the app to your benefit?&lt;br /&gt;
&lt;br /&gt;
Fortunately, Java is still Java. This lecture is based on a true story, and will follow an interesting case of pen-testing a known product; what tools and techniques can be used in order to jump over hurdles, all the way to the finish line.&lt;br /&gt;
&lt;br /&gt;
The lecture aims to enrich the pentester's toolbox as well as mind, when facing Java client applications; MitM-ing, run-time manipulations and patching the code are only some of the discussed cases.&lt;br /&gt;
&lt;br /&gt;
In addition, a newly developed proxy for intercepting and tampering with TCP communication over TLS/SSL and bypassing certificate-pinning protections will be introduced during the lecture.&lt;br /&gt;
&lt;br /&gt;
&amp;lt;br&amp;gt;&amp;lt;u&amp;gt;Speaker Bio&amp;lt;/u&amp;gt; &lt;br /&gt;
&lt;br /&gt;
Tal is an Application Security Expert. As AppSec Labs' Technical Leader, he is leading a variety of security projects for Android, iOS, WP, Web and Client applications.&lt;br /&gt;
&lt;br /&gt;
Prior to working at AppSec Labs, Tal has worked at Amdocs, CheckPoint and RSA, having more than a decade of experience in the Information Security field.&lt;br /&gt;
&lt;br /&gt;
Tal is a lead Trainer, a neat developer, and a security dreamer; breaking, building, defending &amp;amp; training since '99.&lt;br /&gt;
&lt;br /&gt;
&amp;lt;br&amp;gt;&amp;lt;u&amp;gt;Technical Level:&amp;lt;/u&amp;gt; Intermediate / Advanced&lt;br /&gt;
&amp;lt;br&amp;gt;&amp;lt;u&amp;gt;Language:&amp;lt;/u&amp;gt; Hebrew&lt;br /&gt;
&lt;br /&gt;
&amp;lt;br&amp;gt;&lt;br /&gt;
&lt;br /&gt;
=== NodeJS Security Done Right - The tips and tricks they won’t teach you in school ===&lt;br /&gt;
''''' Liran Tal, R&amp;amp;D Team Leader, Hewlett Packard Enterprise '''''    &amp;lt;br /&amp;gt;&lt;br /&gt;
NodeJS, and JavaScript at large, are quickly taking over software, whether judged by GitHub’s statistics for project growth, the IoT industry, or ChatOps projects written in JavaScript, and enterprise adoption is growing as well.&lt;br /&gt;
&lt;br /&gt;
With this trend, it is imperative to review OWASP security practices and learn how to harden NodeJS Web Applications.&lt;br /&gt;
&lt;br /&gt;
We will begin with a quick NodeJS intro and a few fail stories of how things can go wrong. &lt;br /&gt;
&lt;br /&gt;
We will quickly dive into hands-on practical implementation of security measures to adopt in your current or future NodeJS project. Next I will show how to leverage widely adopted security tools for integration in the build and CI/CD process to audit and test for security vulnerabilities, as well as leveraging successful enterprise-level open source npm libraries to enhance your web application’s security.&lt;br /&gt;
&lt;br /&gt;
In summary: in this session I will demonstrate:&lt;br /&gt;
* Securing ExpressJS by adopting mature and commonly used npm libraries&lt;br /&gt;
* Secure code guidelines for JavaScript software developers&lt;br /&gt;
* Integrating NodeJS security measures as part of your build CI/CD DevOps process&lt;br /&gt;
&lt;br /&gt;
To empower others and make a lasting impression for Open Source awareness and Security involvement: In the closing minutes of this presentation I will ask a volunteer from the audience to commit a Pull-Request that enhances security for a NodeJS project on GitHub.&lt;br /&gt;
&lt;br /&gt;
&amp;lt;br&amp;gt;&amp;lt;u&amp;gt;Speaker Bio&amp;lt;/u&amp;gt; &lt;br /&gt;
&lt;br /&gt;
Liran is a top contributor to the open source MEAN.io, and core team member of the MEAN.js full stack JavaScript framework. He is also an author of several Node.js npm packages, as well as actively contributing to many open source projects on GitHub. Being an avid supporter and contributor to the open source movement, in 2007 he redefined network RADIUS management by establishing daloRADIUS, a world-recognized and industry-leading open source project (http://www.daloradius.com).&lt;br /&gt;
 &lt;br /&gt;
Liran is currently leading the R&amp;amp;D Engineering team for Hewlett Packard Enterprise content Marketplace, built on a microservices architecture for a combined technology stack of Java, NodeJS, AngularJS, MongoDB and MySQL. He loves mentoring and empowering team members, driving for better code methodology, and seeking out innovative solutions to support business strategies.&lt;br /&gt;
 &lt;br /&gt;
He enjoys spending his time with his beloved wife Tal, and his son Ori. Amongst other things, his hobbies include playing the guitar, hacking all things Linux and continuously experimenting and contributing to open source projects.&lt;br /&gt;
&lt;br /&gt;
&amp;lt;br&amp;gt;&amp;lt;u&amp;gt;Technical Level:&amp;lt;/u&amp;gt; Introduction&lt;br /&gt;
&amp;lt;br&amp;gt;&amp;lt;u&amp;gt;Language:&amp;lt;/u&amp;gt; Hebrew&lt;br /&gt;
&lt;br /&gt;
&amp;lt;br&amp;gt;&lt;br /&gt;
&lt;br /&gt;
=== Putting the &amp;quot;I&amp;quot; in Code Review - Turning Code Review Interactive ===&lt;br /&gt;
''''' Tamir Shavro, Seeker R&amp;amp;D Manager, Synopsys '''''    &amp;lt;br /&amp;gt;&lt;br /&gt;
([[Media:AppSecIL2016_InteractiveCodeReview_TamirShavro.pdf|download presentation]])&lt;br /&gt;
&lt;br /&gt;
Everybody knows that manual code review can be a tedious and lengthy effort, with complexity growing exponentially with the size of the code. However, understanding code flow and focusing on relevant parts can become much easier when employing interactive debugging techniques. This allows combining the best of penetration testing and code review benefits to achieve maximum results in the most efficient manner. In this talk we will explain and demonstrate this eye-opening technique for effectively performing a manual code review on a live system using a debugger and provide a quick starter kit for implementing this technique.&lt;br /&gt;
&lt;br /&gt;
&amp;lt;br&amp;gt;&amp;lt;u&amp;gt;Speaker Bio&amp;lt;/u&amp;gt; &lt;br /&gt;
&lt;br /&gt;
Tamir Shavro has been involved both in complex R&amp;amp;D endeavors and in the security field in the past 18 years. As the Chief Architect &amp;amp; VP RnD of Seeker (acquired by Synopsys in 2015), Tamir has been the driving force behind the development of the Seeker technology. &lt;br /&gt;
&lt;br /&gt;
Prior to Seeker he worked as a Senior Security Consultant in Hacktics, where he was involved in advanced application security projects. He was previously a Captain in the IDF Intelligence Corps, involved in various development leadership and architecture roles. &lt;br /&gt;
&lt;br /&gt;
&amp;lt;br&amp;gt;&amp;lt;u&amp;gt;Technical Level:&amp;lt;/u&amp;gt; Advanced&lt;br /&gt;
&amp;lt;br&amp;gt;&amp;lt;u&amp;gt;Language:&amp;lt;/u&amp;gt; Hebrew&lt;br /&gt;
&lt;br /&gt;
&amp;lt;br&amp;gt;&lt;br /&gt;
&lt;br /&gt;
=== Signoff or Sign-Out ===&lt;br /&gt;
''''' Ofer Maor, Director of Security Strategy, Synopsys '''''    &amp;lt;br /&amp;gt;&lt;br /&gt;
Software Signoff is an inevitable step in maturing our software development processes in order to deliver better and safer software. As with other engineering disciplines before, the growing concerns for safety, security and standards are driving the industry to do better. In this talk we will explain what Software Signoff means and why organizations must adopt it before it is too late.&lt;br /&gt;
&lt;br /&gt;
&amp;lt;br&amp;gt;&amp;lt;u&amp;gt;Speaker Bio&amp;lt;/u&amp;gt; &lt;br /&gt;
&lt;br /&gt;
Ofer Maor is a security expert and entrepreneur with over 20 years of experience in information and application security. Ofer has been involved in application security from its early days, through research, penetration testing, consulting, and product development.  As the founder and CTO of Seeker, Ofer pioneered IAST, the next generation of application security testing technology, currently used by some of the largest organizations in the world to continuously improve their software security. Ofer joined Synopsys when it acquired Seeker in July 2015. Prior to Seeker, Ofer was the Founder and CTO of Hacktics. He led Imperva's Application Defense Center research group and has also served as the Chairman of OWASP Israel and in the OWASP Global Membership Committee.&lt;br /&gt;
&lt;br /&gt;
&amp;lt;br&amp;gt;&amp;lt;u&amp;gt;Technical Level:&amp;lt;/u&amp;gt; Intermediate&lt;br /&gt;
&amp;lt;br&amp;gt;&amp;lt;u&amp;gt;Language:&amp;lt;/u&amp;gt; Hebrew&lt;br /&gt;
&lt;br /&gt;
&amp;lt;br&amp;gt;&lt;br /&gt;
&lt;br /&gt;
=== The Dark Side of Search Engine Optimization ===&lt;br /&gt;
'''The Dark Side of Website Promotion in Search Engines''' &amp;lt;br /&amp;gt;&lt;br /&gt;
''''' Or Katz, Principal Security Researcher, Akamai  '''''    &amp;lt;br /&amp;gt;&lt;br /&gt;
Search engine optimization (SEO) is a technique used by web site owners to improve visibility and traffic to their web site. Legitimate SEO activity uses optimization techniques such as changing the structure and textual usage of the web site pages, and publication in social media and web forums that will refer relevant users.&lt;br /&gt;
&lt;br /&gt;
The ultimate goal of an SEO campaign is to promote the web site's ranking in the leading search engines, so that the promoted web site is returned in the primary result page when searching for relevant terms and keywords.&lt;br /&gt;
&lt;br /&gt;
In the presentation I’m going to present what happens when threat actors get into the world of SEO campaigns, abuse SEO optimization techniques and, moreover, use all kinds of attack techniques such as SQL injection and open redirects in order to manipulate search engine rankings.&lt;br /&gt;
&lt;br /&gt;
I will also evaluate some of the SEO attacks and the manipulation techniques, try to determine who the victims are in this story, check if these attacks achieved their goal and supply more interesting insights on the world of “Blackhat SEO”.&lt;br /&gt;
&lt;br /&gt;
&amp;lt;br&amp;gt;&amp;lt;u&amp;gt;Speaker Bio&amp;lt;/u&amp;gt; &lt;br /&gt;
&lt;br /&gt;
Or is an application security veteran with years of experience at industry-leading vendors, who currently serves as principal security researcher for Akamai's Cloud Security Intelligence platform. Or is a frequent speaker at conferences such as RSA, AppSec and CSA. Or has published several innovative articles and white papers on web application threat intelligence and defensive techniques.&lt;br /&gt;
&lt;br /&gt;
&amp;lt;br&amp;gt;&amp;lt;u&amp;gt;Technical Level:&amp;lt;/u&amp;gt; Intermediate&lt;br /&gt;
&amp;lt;br&amp;gt;&amp;lt;u&amp;gt;Language:&amp;lt;/u&amp;gt; Hebrew&lt;br /&gt;
&lt;br /&gt;
&amp;lt;br&amp;gt;&lt;br /&gt;
&lt;br /&gt;
=== The Threat of Advanced Cross-Site Search Attacks ===&lt;br /&gt;
'''The Threat of Advanced Cross-Site Search Attacks''' &amp;lt;br /&amp;gt;&lt;br /&gt;
''''' Dr. Nethanel Gelernter, Cyberpion &amp;amp; The College of Management Academic Studies '''''    &amp;lt;br /&amp;gt;&lt;br /&gt;
Cross-site search (XS-search) is a practical timing side-channel attack that allows the extraction of sensitive information from web-services. The attack exploits inflation techniques to efficiently distinguish between search requests that yield results and requests that do not. This work focuses on the response inflation technique that increases the size of the response; as the difference in the sizes of the responses increases, it becomes easier to distinguish between them. We begin with a browser-based XS-search attack and demonstrate its use in extracting users' private data from Gmail and Facebook. The browser-based XS-search attack exploits the differences in the sizes of HTTP responses, and works even when significant inflation of the response is impossible. This part also involves algorithmic improvements compared to previous work. When there is no leakage of information via the timing side channel it is possible to use second-order (SO) XS-search, a novel type of attack that allows the attacker to significantly increase the difference in the sizes of the responses by planting a maliciously crafted record in the storage. SO XS-search attacks can be used to extract sensitive information such as email content of Gmail and Yahoo! users, and search history of Bing users.&lt;br /&gt;
&lt;br /&gt;
&amp;lt;br&amp;gt;&amp;lt;u&amp;gt;Speaker Bio&amp;lt;/u&amp;gt; &lt;br /&gt;
&lt;br /&gt;
Nethanel Gelernter received a PhD in Computer Science from Bar-Ilan University (Israel). His research mainly focuses on web application security, and in particular on exploring new attack vectors and threats on the web. Currently, he is leading the cyber security research and studies at the College of Management Academic Studies in Israel. Beyond the academic world, Nethanel provides consulting services, and he recently founded Cyberpion, a company that investigates unknown attack vectors and develops countermeasures against them.&lt;br /&gt;
&lt;br /&gt;
&amp;lt;br&amp;gt;&amp;lt;u&amp;gt;Technical Level:&amp;lt;/u&amp;gt; Advanced&lt;br /&gt;
&amp;lt;br&amp;gt;&amp;lt;u&amp;gt;Language:&amp;lt;/u&amp;gt; Hebrew&lt;br /&gt;
&lt;br /&gt;
&amp;lt;br&amp;gt;&lt;br /&gt;
&lt;br /&gt;
=== The Unwanted Sons - Formalizing and Demonstrating WAF Bypass Methods for the REST of the Top 10 ===&lt;br /&gt;
'''Unwanted Descendants - Formalizing New WAF Bypass Techniques for the Rest of the Common OWASP TOP 10 Attacks''' &amp;lt;br /&amp;gt;&lt;br /&gt;
''''' Shay Chen, CEO, Effective Security '''''    &amp;lt;br /&amp;gt;&lt;br /&gt;
The once uncommon application-level protection mechanisms are EVERYWHERE these days, and sooner or later, you'll have to face them.&lt;br /&gt;
&lt;br /&gt;
Web Application Firewalls (WAF) and Intrusion Detection Systems (IDS), Filters and RASP Modules, all common and widespread countermeasures you have to face on a regular basis, with the power to turn a typical assessment into a nightmare, and make automated tools practically useless.&lt;br /&gt;
&lt;br /&gt;
While the attack vectors are well covered in CWE, CAPEC, TECAPI RvR, WASC, OWASP Top 10 and Testing Guide, all you have to cover evasion techniques is a couple of cheat sheets focused on a limited set of attacks.&lt;br /&gt;
&lt;br /&gt;
Sure, there are numerous XSS and SQL Injection evasion cheat sheets, but what about Path Traversal, Remote File Inclusion, OS Command Injection? What about Forced Browsing? What about other attacks?&lt;br /&gt;
&lt;br /&gt;
Formalizing evasion techniques and methods for the REST of the common attack vectors makes a LOT of sense, for manual pen-testing and automated tools - and THIS is phase one, aimed to cover the rest of the unattended top 10.&lt;br /&gt;
&lt;br /&gt;
&amp;lt;br&amp;gt;&amp;lt;u&amp;gt;Speaker Bio&amp;lt;/u&amp;gt; &lt;br /&gt;
&lt;br /&gt;
Shay Chen is the CEO of Effective Security, an information-security boutique company specializing in information security assessments and in automating security processes of vulnerability management and SDLC. &lt;br /&gt;
&lt;br /&gt;
He has over twelve years in information technology and security, a strong background in software development, and a stream of previously published vulnerabilities, attack vectors, benchmarks and hacking methodologies. &lt;br /&gt;
&lt;br /&gt;
Shay is an experienced speaker, and regularly instructs a wide variety of security-related courses at conferences and enterprises. Before moving into the information security field, he was involved in various software development projects in ERP, mobile &amp;amp; enterprise environments.&lt;br /&gt;
&lt;br /&gt;
&amp;lt;br&amp;gt;&amp;lt;u&amp;gt;Technical Level:&amp;lt;/u&amp;gt; Intermediate / Advanced&lt;br /&gt;
&amp;lt;br&amp;gt;&amp;lt;u&amp;gt;Language:&amp;lt;/u&amp;gt; Hebrew&lt;br /&gt;
&lt;br /&gt;
&amp;lt;br&amp;gt;&lt;br /&gt;
&lt;br /&gt;
=== The Ways Hackers Are Taking To Win The Mobile Malware Battle ===&lt;br /&gt;
''''' Yair Amit, CTO &amp;amp; Co-founder, Skycure '''''    &amp;lt;br /&amp;gt;&lt;br /&gt;
([[Media:AppSecIL2016_WhyHackersAreWinningMobileMalwareBattle-YairAmit.pdf|download presentation]])&lt;br /&gt;
&lt;br /&gt;
In the proverbial game of cat-and-mouse between endpoint security vendors and malware writers, malware attacks have recently grown more sophisticated. More enterprises are losing ground to hackers, who are able to outmaneuver static and runtime solutions by constantly changing their attack strategies. The team that uncovered iOS malicious profiles, WiFiGate, HTTP Request Hijacking, No iOS Zone and Invisible Profiles is taking it upon itself to coach developers and organizations on how to regain control, and turn the tables on the hackers behind next-generation mobile malware. &lt;br /&gt;
&lt;br /&gt;
In his presentation, Yair will discuss cutting-edge techniques used by malware writers to circumvent mobile security paradigms such as app-sandboxing and containers. Mr. Amit will then break down the current set of techniques (signatures, static analysis &amp;amp; dynamic analysis) used to identify malware on mobile devices, and identify the pros and cons of these approaches. He will also explain why attackers constantly succeed in fooling these technologies, and explore the problem of false positive/false negative tradeoffs in such solutions. &lt;br /&gt;
&lt;br /&gt;
During a live, interactive demo, Yair will create mobile malware on stage, meant to go undetected by static and runtime analysis technologies.&lt;br /&gt;
&lt;br /&gt;
&amp;lt;br&amp;gt;&amp;lt;u&amp;gt;Speaker Bio&amp;lt;/u&amp;gt; &lt;br /&gt;
&lt;br /&gt;
Yair Amit is co-founder and CTO at Skycure, leading the company’s research and vision and overseeing its R&amp;amp;D center. Yair has been active in the security industry for more than a decade with his research regularly covered by media outlets and presented in security conferences around the world. Prior to co-founding Skycure, Yair managed the Application Security and Research Group at IBM, joining through the acquisition of Watchfire. At IBM, Yair led the research and implementation of IBM’s next-generation application security technology. Yair holds a BSc, summa cum laude, from Tel Aviv University in bioinformatics.&lt;br /&gt;
&lt;br /&gt;
&amp;lt;br&amp;gt;&amp;lt;u&amp;gt;Technical Level:&amp;lt;/u&amp;gt; Intermediate / Advanced&lt;br /&gt;
&amp;lt;br&amp;gt;&amp;lt;u&amp;gt;Language:&amp;lt;/u&amp;gt; Hebrew&lt;br /&gt;
&lt;br /&gt;
&amp;lt;br&amp;gt;&lt;/div&gt;</summary>
		<author><name>Avi Douglen</name></author>	</entry>

	<entry>
		<id>https://wiki.owasp.org/index.php?title=File:AppSecIL2016_DontFeedTheHippos_MartinKnobloch.pdf&amp;diff=221835</id>
		<title>File:AppSecIL2016 DontFeedTheHippos MartinKnobloch.pdf</title>
		<link rel="alternate" type="text/html" href="https://wiki.owasp.org/index.php?title=File:AppSecIL2016_DontFeedTheHippos_MartinKnobloch.pdf&amp;diff=221835"/>
				<updated>2016-09-27T08:07:11Z</updated>
		
		<summary type="html">&lt;p&gt;Avi Douglen: &lt;/p&gt;
&lt;hr /&gt;
&lt;div&gt;&lt;/div&gt;</summary>
		<author><name>Avi Douglen</name></author>	</entry>

	</feed>