OWASP - User contributions [en]

Bucharest

2019-05-16T13:35:44Z

Oana Cornea: /* Welcome to the Bucharest chapter homepage! */

__NOTOC__

=Welcome=

== Welcome to the Bucharest chapter homepage! ==
[http://lists.owasp.org/mailman/listinfo/owasp-Romania Click here to join our mailing list.] 
[https://lists.owasp.org/mailman/listinfo/owasp-community Click here to join the global community mailing list.] 
Follow us on [https://twitter.com/OWASPRomania Twitter.] and [https://www.facebook.com/owaspromania Facebook.] 
[[Image:Logo-ro.jpg|right|150px|link=https://www.owasp.org/index.php/]]

OWASP Chapter meetings are free and open. We encourage open discussion on all aspects of application security. Everyone is welcome to join us at our chapter meetings, members and non-members. 

The Chapter leader is [mailto:vlad.cotenescu@owasp.org Vlad Cotenescu] 
<li>Anyone who wants to get involved and help will be warmly welcome.</li>
<li>If you would like to give a presentation (make sure that you have read the [https://www.owasp.org/index.php/Speaker_Agreement speaker agreement]). </li>
<li>In case you have any questions about the OWASP Bucharest Chapter, send an email to [mailto:vlad.cotenescu@owasp.org Vlad Cotenescu]</li>
<li>[https://www.youtube.com/channel/UCsVFkvsVZguEWmDCIIJ9blA Youtube channel]</li>

Past chapter leaders 
2013 - 2019 [mailto:oana.cornea@owasp.org Oana Cornea] 
2011 - 2012 Claudiu Constantinescu

=Upcoming events=
== OWASP Bucharest AppSec Conference 2019 ==
https://www.owasp.org/index.php/OWASP_Bucharest_AppSec_Conference_2019

== Chapter Meeting #16: TBD , 2019 ==
'''Location and host: '''
'''Time: 19:00'''
'''19:00 - 19:15''' Introduction and OWASP news
'''19:15 - 21:00 '''
'''Description:'''
 

=Past events & meetings=
== Chapter Meeting #15: 2nd of July, 2018 ==
'''Location and host: B-dul Aviatorilor, nr. 8, Bucureşti, România'''
'''Time: 19:00'''
'''19:00 - 19:15''' Introduction and OWASP news
'''19:15 - 21:00 ''' '''Workshop: [https://www.owasp.org/images/b/b0/Webservice_and_Microservice_Security_7-2018.pdf Webservice Security] - Jim Manico'''
'''Description:''' Webservices are build upon the foundation of the same technology that is used to build web applications. Therefore, many of the standard web security defenses will apply when building webservices. However, stateless and other specialized webservice patterns make defending webservices different that normal web security in some regards. This module will review the various specialized attacks and defenses that developers need to be aware of when building secure webservices.

== Chapter Meeting #14: 1st of February , 2018 ==
'''Location and host: B-dul Timisoara, nr. 15, AFI Park 4, etaj 4, Bucureşti, România'''
'''Time: 19:00'''
'''19:00 - 19:15 Introduction and OWASP news'''
'''19:15 - 20:00''' '''Presentation: Handling of Security Requirements in Software Development Lifecycle - [https://de.linkedin.com/in/kefer/de Daniel Kefer]''' 
'''20:00 - 20:45''' '''Presentation: [https://www.owasp.org/images/4/4e/OWASP-Ionut-Popescu-Less-Known-Web-Application-Vulnerabilities-Stripped.pdf Less Known Web Application Vulnerabilities - part 2] - [https://ro.linkedin.com/in/nytro Ionut Popescu]'''
'''20:45 - 21:30''' Networking

== [https://www.owasp.org/index.php/OWASP_Bucharest_AppSec_Conference_2017 OWASP Bucharest AppSec Conference 2017, 11th - 13th of October 2017] ==
== [https://www.owasp.org/index.php/OWASP_Bucharest_AppSec_Conference_2016 OWASP AppSec Bucharest 6th of October, 2016] ==
== Chapter Meeting #13: 27th of April , 2016 ==

'''Location and host: B-dul Dimitrie Pompei, nr. 10A, Conect Business Park, Cladirea C3, etaj 5, Bucureşti, România'''
'''Time: 19:00'''
'''19:00 - 19:15 Introduction and OWASP news'''
'''19:15 - 20:00''' Presentation: [https://www.owasp.org/images/e/e7/OWASP_-_Ionut_Popescu.pptx PHP Object Injection] - [https://ro.linkedin.com/in/nytro Ionut Popescu]
'''20:00 - 20:15''' Presentation: [https://www.owasp.org/images/3/3a/Ksd.pdf Keystroke dynamics (2FA in web apps)] - [https://www.linkedin.com/in/cristian-grigoriu-93707b94 Cristian Grigoriu]
'''20:15 - 20:30''' Presentation: [https://www.owasp.org/images/0/03/OWASP_RansomwareHoneypots.pptx Early Detection: Using honeypots to spot ransomware infections] - [https://www.linkedin.com/in/aarongoldstein Aaron Goldstein]
 
Check out OWASP presentations at Agile Talks http://www.meetup.com/The-Bucharest-Agile-Software-Meetup-Group/events/226301564/ 
Tech Hub - 39-41 Nicolae Filipescu, Bucharest
== Eastern European Event: 9th of October, 2015 ==
[https://www.owasp.org/index.php/OWASP_EEE_Bucharest_Event_2015 Local event page] 
Follow us on [https://twitter.com/owasp_eee Twitter.] [[Image:Bug.jpg|60px]] 
== Chapter Meeting #12: 18th of June, 2015 ==

'''Location and host: B-dul Dimitrie Pompei, nr. 10A, Conect Business Park, Cladirea C3, Dell, Bucureşti, România'''
'''Time: 19:00'''
19:00 - 20:00 Presentation: [https://www.linkedin.com/in/johnnywachter Johnny Wachter] - '''Dynamic Malware Analysis'''– A hands on guide for quickly studying malware behavior and implementing mitigating controls:
* This will demonstrate the manual analysis of malicious samples commonly distributed via Phishing Emails and Exploit Kits.
* Common Tools and Techniques for Safely and Efficiently identifying Indicators of Compromise will be covered.
* A practical guide and hands-on labs will be made available in case attendees wish to “practice” at home.

== Chapter Meeting #11: 20th of November, 2014 ==

'''Location and host: B-dul Dimitrie Pompei, nr. 10A, Conect Business Park, Cladirea C3, Dell, Bucureşti, România'''
'''Time: 19:00'''
19:00 - 20:00 Presentation: Aaron Goldstein - Search Engine Dorking[https://www.owasp.org/images/4/4a/OWASP_Dorking.pdf]
20:00 - 21:00 Presentation: Johnny Wachter - Python and Incident Response [https://www.owasp.org/images/1/1e/Python_and_Incident_Response.pdf]

== OWASP Romania InfoSec Conference 2014: 24th of October, 2014 ==
[https://www.owasp.org/index.php/OwaspRomaniaConference2014 OWASP Romania InfoSec Conference 2014 page] 

== Chapter Meeting #10: 7th of August, 2014 ==

'''Location and host: Hanul Berarilor, Str. Poenaru Bordea, nr. 2, Bucureşti, România'''
'''Time: 19:00''' Owasp updates
 
== Chapter Meeting #9: June 12, 2014 ==

'''Location and host: BOC Tower, 3rd George Constantinescu St., entrance C, 4th floor, Bucureşti, România''' [https://maps.google.com/maps?t=m&ll=44.47907780000001%2C26.115150400000005&q=Intel+Software+Development&spn=0.0036512685548508207%2C0.0068231558434524815&output=classic]
'''Time: 19:00'''
19:00 - 19:15 Owasp updates
19:15 - 20:00 Presentation: Jack Mannino - Building Secure Android Apps
20:00 - 21:00 Presentation: Cosmin Huruiala - Risk scoring for penetration testing
 
== Chapter Meeting #8: April 9, 2014 ==

'''Location and host: [http://goo.gl/maps/Sofgh "Politehnica" University], Room EG306, Bucureşti, România'''
'''Time: 19:00'''
19:00 - 19:15 Owasp updates
19:15 - 20:00 Presentation: Simon Bennetts - "An introduction to OWASP ZAP"[https://www.owasp.org/index.php/User:Simon_Bennetts][https://www.owasp.org/images/9/96/OWASP_2014_OWASP_ROMANIA.pdf]
20:00 - 21:00 Presentation: Ionut Popescu - "Introduction to shellcode development" [https://www.owasp.org/images/4/4c/Introduction_to_shellcode_development.pdf]
 

== Chapter Meeting #7: March 6, 2014 ==

'''Location and host: Nicolae Titulescu 4-8, America House, East Entrance (near Starbucks), 6th floor, Bucureşti, România
'''Time: 19:00'''
19:00 - 19:15 Owasp updates
19:25 - 20:45 Presentation: Dinis Cruz[https://www.owasp.org/index.php/User:Dinis.cruz] - "REST Security and Exploitation"
http://blog.diniscruz.com/search/label/XmlDecoder
http://blog.diniscruz.com/2013/12/xstream-remote-code-execution-exploit.html
== Chapter Meeting #6: Jan 23, 2014 ==

'''Location and host: BOC Tower, 3rd George Constantinescu St., entrance C, 4th floor, Bucureşti, România''' [https://maps.google.com/maps?t=m&ll=44.47907780000001%2C26.115150400000005&q=Intel+Software+Development&spn=0.0036512685548508207%2C0.0068231558434524815&output=classic]
'''Time: 19:00'''
19:00 - 19:15 Owasp updates
19:25 - 20:00 Presentation: "Port knocking", Dan Vasile
20:00 - 21:00 Presentation: "Ecryptfs Tools for Android"[https://github.com/catalinionita/Ecryptfs-Tools-for-Android/commits/master], Catalin Ionita
== Chapter Meeting #5: Nov 21, 2013 ==

'''Location and host: Nicolae Titulescu 4-8, America House, East Entrance (near Starbucks), 2nd floor, Bucureşti, România'''
'''Time: 19:00'''
19:00 - 20:00 Owasp updates
20:00 - 21:00 Presentation: "Introduction to fuzzing", Costel Maxim
== OWASP Romania InfoSec Conference 2013, October 25 ==

'''When: October 25, 2013 Where: [http://goo.gl/maps/Sofgh "Politehnica" University, Bucureşti, România] Event page: [https://www.owasp.org/index.php/OwaspRomaniaConference OWASP Romania InfoSec Conference 2013] Participation to this event is free but you need to [https://owasp-romaniachapter-infosec.eventbrite.com/ register] (limited number of seats)'''

== Chapter Meeting #4: Aug 22, 2013 ==

'''Location and host: SemaParc RiverView Building, 6th floor, Str. Splaiul Independentei, nr. 309, Bucureşti, România'''
'''Time: 19:00'''
19:00 - 20:00 Owasp updates and projects
20:00 - 21:00 Presentation: "Application Security Introduction", Cristian Pascariu
 
== Chapter Meeting #3: Jun 5, 2013 ==

'''Location and host: "Politehnica" University, Bucureşti, România'''
'''Time: 14:30'''
Owasp EU Tour 2013 [https://www.owasp.org/index.php/EUTour2013_Bucharest_Agenda] 
Here are the presentations: 
<ul>
<li>
'''Introduction to Owasp''' - Ionel Chirita [https://www.owasp.org/images/9/9d/OWASP_EU_Tour_2013_Bucharest_Ionel_Chirita.pdf]</li>
<li>'''Investing in security''' - Claudiu Constantinescu [https://www.owasp.org/images/6/6c/OWASP_EU_Tour_2013_Bucharest_Claudiu_Constantinescu.pdf]</li>
<li>'''Penetration testing - a way of improving our cyber security''' - Adrian Furtuna [https://www.owasp.org/images/9/93/OWASP_EU_Tour_2013_Bucharest_AdrianFurtuna.pdf]</li>
<li>'''Android reverse engineering: understanding third-party applications''' - Vicente Aguilera Diaz [https://www.owasp.org/images/a/a6/OWASP_EU_Tour_2013_Bucharest_Vicente_Aguilera_Diaz.pdf]</li>
<li>'''The Trouble with Passwords''' - Mark Goodwin [http://people.mozilla.com/~mgoodwin/presentations/20130410/shells/embedder.html#http://people.mozilla.com/~mgoodwin/presentations/20130410/template.html]</li>
<li>'''Hacking the ViewState in ASP.NET''' - Ovidiu Diaconescu[https://www.owasp.org/images/d/d3/OWASP_EU_Tour_2013_Bucharest_OvidiuDiaconescu.pdf] </li>
<li>'''Do you "GRANT ALL PRIVILEGES ..." in MySQL/MariaDB/Percona Server? '''- Gabriel Preda[https://www.owasp.org/images/2/2c/OWASP_EU_Tour_2013_Bucharest_Gabriel_Preda.pdf]</li>
</ul>
'''Some photos [https://www.owasp.org/index.php/File:OwaspEUTour_RomaniaChapterMeeting2013Photos.zip]'''
 
== Chapter Meeting #2: Feb 28, 2013 ==

'''Location and host: Hanul Berarilor, Str. Poenaru Bordea, nr. 2, Bucureşti, România'''
'''Time: 19:00'''
19:00 - 20:30 Member expectations, future meetings, OWASP projects, technical topics

Feb 10, 2013 Oana Cornea published iOS Application Security Testing Cheat Sheet [https://www.owasp.org/index.php/IOS_Application_Security_Testing_Cheat_Sheet]

May 26, 2011 OWASP Top 10 Web Application Security Risks at RONUA [http://ronua.ro/CS/groups/ronua-bucuresti/default.aspx]

 
== Chapter Meeting #1: May 27, 2011 ==

'''Location and host: Muzeul Literaturii Române, Bd. Dacia 12, Sector 1, Bucureşti, România [http://www.mlr.ro]'''
'''Time: 17:00'''
17:00 - 17:15 Admission
17:15 - 17:30 Brief introduction to OWASP, Claudiu Constantinescu
17:30 - 18:00 Open discussion regarding OWASP Romania; what is expected or wished
18:00 - 18:15 Web Application Security Testing - comparison of 6 web application vulnerability scanners - Cristian
18:15 - 19:00 Other presentations and discussions

=Sponshorship=
Become a supporter of OWASP or of OWASP's Bucharest Chapter and help us to make application security visible. All information about becoming a member/sponsor can be found [https://www.owasp.org/index.php/Membership here.] 
https://www.owasp.org/index.php/Local_Chapter_Supporter
<headertabs />

==Chapter Supporters==

{|
|
|
|
|
|}
[[Category:OWASP Chapter]]
[[Category:Europe]]

Bucharest

2019-05-16T13:34:31Z

Oana Cornea: edit6

__NOTOC__

=Welcome=

== Welcome to the Bucharest chapter homepage! ==
[http://lists.owasp.org/mailman/listinfo/owasp-Romania Click here to join our mailing list.] 
[https://lists.owasp.org/mailman/listinfo/owasp-community Click here to join the global community mailing list.] 
Follow us on [https://twitter.com/OWASPRomania Twitter.] and [https://www.facebook.com/owaspromania Facebook.] 
[[Image:Logo-ro.jpg|right|150px|link=https://www.owasp.org/index.php/]]

OWASP Chapter meetings are free and open. We encourage open discussion on all aspects of application security. Everyone is welcome to join us at our chapter meetings, members and non-members. 

The Chapter leader is [mailto:vlad.cotenescu@owasp.org Vlad Cotenescu] 
<li>Anyone who wants to get involved and help will be warmly welcome.</li>
<li>If you would like to give a presentation (make sure that you have read the [https://www.owasp.org/index.php/Speaker_Agreement speaker agreement]). </li>
<li>In case you have any questions about the OWASP Bucharest Chapter, send an email to [mailto:vlad.cotenescu@owasp.org Vlad Cotenescu]</li>
<li>[https://www.youtube.com/channel/UCsVFkvsVZguEWmDCIIJ9blA Youtube channel]</li>

Past chapter leaders
<li>2013 - 2019 [mailto:oana.cornea@owasp.org Oana Cornea]<li>
<li>2011 - 2012 Claudiu Constantinescu<li>

=Upcoming events=
== OWASP Bucharest AppSec Conference 2019 ==
https://www.owasp.org/index.php/OWASP_Bucharest_AppSec_Conference_2019

== Chapter Meeting #16: TBD , 2019 ==
'''Location and host: '''
'''Time: 19:00'''
'''19:00 - 19:15''' Introduction and OWASP news
'''19:15 - 21:00 '''
'''Description:'''
 

=Past events & meetings=
== Chapter Meeting #15: 2nd of July, 2018 ==
'''Location and host: B-dul Aviatorilor, nr. 8, Bucureşti, România'''
'''Time: 19:00'''
'''19:00 - 19:15''' Introduction and OWASP news
'''19:15 - 21:00 ''' '''Workshop: [https://www.owasp.org/images/b/b0/Webservice_and_Microservice_Security_7-2018.pdf Webservice Security] - Jim Manico'''
'''Description:''' Webservices are build upon the foundation of the same technology that is used to build web applications. Therefore, many of the standard web security defenses will apply when building webservices. However, stateless and other specialized webservice patterns make defending webservices different that normal web security in some regards. This module will review the various specialized attacks and defenses that developers need to be aware of when building secure webservices.

== Chapter Meeting #14: 1st of February , 2018 ==
'''Location and host: B-dul Timisoara, nr. 15, AFI Park 4, etaj 4, Bucureşti, România'''
'''Time: 19:00'''
'''19:00 - 19:15 Introduction and OWASP news'''
'''19:15 - 20:00''' '''Presentation: Handling of Security Requirements in Software Development Lifecycle - [https://de.linkedin.com/in/kefer/de Daniel Kefer]''' 
'''20:00 - 20:45''' '''Presentation: [https://www.owasp.org/images/4/4e/OWASP-Ionut-Popescu-Less-Known-Web-Application-Vulnerabilities-Stripped.pdf Less Known Web Application Vulnerabilities - part 2] - [https://ro.linkedin.com/in/nytro Ionut Popescu]'''
'''20:45 - 21:30''' Networking

== [https://www.owasp.org/index.php/OWASP_Bucharest_AppSec_Conference_2017 OWASP Bucharest AppSec Conference 2017, 11th - 13th of October 2017] ==
== [https://www.owasp.org/index.php/OWASP_Bucharest_AppSec_Conference_2016 OWASP AppSec Bucharest 6th of October, 2016] ==
== Chapter Meeting #13: 27th of April , 2016 ==

'''Location and host: B-dul Dimitrie Pompei, nr. 10A, Conect Business Park, Cladirea C3, etaj 5, Bucureşti, România'''
'''Time: 19:00'''
'''19:00 - 19:15 Introduction and OWASP news'''
'''19:15 - 20:00''' Presentation: [https://www.owasp.org/images/e/e7/OWASP_-_Ionut_Popescu.pptx PHP Object Injection] - [https://ro.linkedin.com/in/nytro Ionut Popescu]
'''20:00 - 20:15''' Presentation: [https://www.owasp.org/images/3/3a/Ksd.pdf Keystroke dynamics (2FA in web apps)] - [https://www.linkedin.com/in/cristian-grigoriu-93707b94 Cristian Grigoriu]
'''20:15 - 20:30''' Presentation: [https://www.owasp.org/images/0/03/OWASP_RansomwareHoneypots.pptx Early Detection: Using honeypots to spot ransomware infections] - [https://www.linkedin.com/in/aarongoldstein Aaron Goldstein]
 
Check out OWASP presentations at Agile Talks http://www.meetup.com/The-Bucharest-Agile-Software-Meetup-Group/events/226301564/ 
Tech Hub - 39-41 Nicolae Filipescu, Bucharest
== Eastern European Event: 9th of October, 2015 ==
[https://www.owasp.org/index.php/OWASP_EEE_Bucharest_Event_2015 Local event page] 
Follow us on [https://twitter.com/owasp_eee Twitter.] [[Image:Bug.jpg|60px]] 
== Chapter Meeting #12: 18th of June, 2015 ==

'''Location and host: B-dul Dimitrie Pompei, nr. 10A, Conect Business Park, Cladirea C3, Dell, Bucureşti, România'''
'''Time: 19:00'''
19:00 - 20:00 Presentation: [https://www.linkedin.com/in/johnnywachter Johnny Wachter] - '''Dynamic Malware Analysis'''– A hands on guide for quickly studying malware behavior and implementing mitigating controls:
* This will demonstrate the manual analysis of malicious samples commonly distributed via Phishing Emails and Exploit Kits.
* Common Tools and Techniques for Safely and Efficiently identifying Indicators of Compromise will be covered.
* A practical guide and hands-on labs will be made available in case attendees wish to “practice” at home.

== Chapter Meeting #11: 20th of November, 2014 ==

'''Location and host: B-dul Dimitrie Pompei, nr. 10A, Conect Business Park, Cladirea C3, Dell, Bucureşti, România'''
'''Time: 19:00'''
19:00 - 20:00 Presentation: Aaron Goldstein - Search Engine Dorking[https://www.owasp.org/images/4/4a/OWASP_Dorking.pdf]
20:00 - 21:00 Presentation: Johnny Wachter - Python and Incident Response [https://www.owasp.org/images/1/1e/Python_and_Incident_Response.pdf]

== OWASP Romania InfoSec Conference 2014: 24th of October, 2014 ==
[https://www.owasp.org/index.php/OwaspRomaniaConference2014 OWASP Romania InfoSec Conference 2014 page] 

== Chapter Meeting #10: 7th of August, 2014 ==

'''Location and host: Hanul Berarilor, Str. Poenaru Bordea, nr. 2, Bucureşti, România'''
'''Time: 19:00''' Owasp updates
 
== Chapter Meeting #9: June 12, 2014 ==

'''Location and host: BOC Tower, 3rd George Constantinescu St., entrance C, 4th floor, Bucureşti, România''' [https://maps.google.com/maps?t=m&ll=44.47907780000001%2C26.115150400000005&q=Intel+Software+Development&spn=0.0036512685548508207%2C0.0068231558434524815&output=classic]
'''Time: 19:00'''
19:00 - 19:15 Owasp updates
19:15 - 20:00 Presentation: Jack Mannino - Building Secure Android Apps
20:00 - 21:00 Presentation: Cosmin Huruiala - Risk scoring for penetration testing
 
== Chapter Meeting #8: April 9, 2014 ==

'''Location and host: [http://goo.gl/maps/Sofgh "Politehnica" University], Room EG306, Bucureşti, România'''
'''Time: 19:00'''
19:00 - 19:15 Owasp updates
19:15 - 20:00 Presentation: Simon Bennetts - "An introduction to OWASP ZAP"[https://www.owasp.org/index.php/User:Simon_Bennetts][https://www.owasp.org/images/9/96/OWASP_2014_OWASP_ROMANIA.pdf]
20:00 - 21:00 Presentation: Ionut Popescu - "Introduction to shellcode development" [https://www.owasp.org/images/4/4c/Introduction_to_shellcode_development.pdf]
 

== Chapter Meeting #7: March 6, 2014 ==

'''Location and host: Nicolae Titulescu 4-8, America House, East Entrance (near Starbucks), 6th floor, Bucureşti, România
'''Time: 19:00'''
19:00 - 19:15 Owasp updates
19:25 - 20:45 Presentation: Dinis Cruz[https://www.owasp.org/index.php/User:Dinis.cruz] - "REST Security and Exploitation"
http://blog.diniscruz.com/search/label/XmlDecoder
http://blog.diniscruz.com/2013/12/xstream-remote-code-execution-exploit.html
== Chapter Meeting #6: Jan 23, 2014 ==

'''Location and host: BOC Tower, 3rd George Constantinescu St., entrance C, 4th floor, Bucureşti, România''' [https://maps.google.com/maps?t=m&ll=44.47907780000001%2C26.115150400000005&q=Intel+Software+Development&spn=0.0036512685548508207%2C0.0068231558434524815&output=classic]
'''Time: 19:00'''
19:00 - 19:15 Owasp updates
19:25 - 20:00 Presentation: "Port knocking", Dan Vasile
20:00 - 21:00 Presentation: "Ecryptfs Tools for Android"[https://github.com/catalinionita/Ecryptfs-Tools-for-Android/commits/master], Catalin Ionita
== Chapter Meeting #5: Nov 21, 2013 ==

'''Location and host: Nicolae Titulescu 4-8, America House, East Entrance (near Starbucks), 2nd floor, Bucureşti, România'''
'''Time: 19:00'''
19:00 - 20:00 Owasp updates
20:00 - 21:00 Presentation: "Introduction to fuzzing", Costel Maxim
== OWASP Romania InfoSec Conference 2013, October 25 ==

'''When: October 25, 2013 Where: [http://goo.gl/maps/Sofgh "Politehnica" University, Bucureşti, România] Event page: [https://www.owasp.org/index.php/OwaspRomaniaConference OWASP Romania InfoSec Conference 2013] Participation to this event is free but you need to [https://owasp-romaniachapter-infosec.eventbrite.com/ register] (limited number of seats)'''

== Chapter Meeting #4: Aug 22, 2013 ==

'''Location and host: SemaParc RiverView Building, 6th floor, Str. Splaiul Independentei, nr. 309, Bucureşti, România'''
'''Time: 19:00'''
19:00 - 20:00 Owasp updates and projects
20:00 - 21:00 Presentation: "Application Security Introduction", Cristian Pascariu
 
== Chapter Meeting #3: Jun 5, 2013 ==

'''Location and host: "Politehnica" University, Bucureşti, România'''
'''Time: 14:30'''
Owasp EU Tour 2013 [https://www.owasp.org/index.php/EUTour2013_Bucharest_Agenda] 
Here are the presentations: 
<ul>
<li>
'''Introduction to Owasp''' - Ionel Chirita [https://www.owasp.org/images/9/9d/OWASP_EU_Tour_2013_Bucharest_Ionel_Chirita.pdf]</li>
<li>'''Investing in security''' - Claudiu Constantinescu [https://www.owasp.org/images/6/6c/OWASP_EU_Tour_2013_Bucharest_Claudiu_Constantinescu.pdf]</li>
<li>'''Penetration testing - a way of improving our cyber security''' - Adrian Furtuna [https://www.owasp.org/images/9/93/OWASP_EU_Tour_2013_Bucharest_AdrianFurtuna.pdf]</li>
<li>'''Android reverse engineering: understanding third-party applications''' - Vicente Aguilera Diaz [https://www.owasp.org/images/a/a6/OWASP_EU_Tour_2013_Bucharest_Vicente_Aguilera_Diaz.pdf]</li>
<li>'''The Trouble with Passwords''' - Mark Goodwin [http://people.mozilla.com/~mgoodwin/presentations/20130410/shells/embedder.html#http://people.mozilla.com/~mgoodwin/presentations/20130410/template.html]</li>
<li>'''Hacking the ViewState in ASP.NET''' - Ovidiu Diaconescu[https://www.owasp.org/images/d/d3/OWASP_EU_Tour_2013_Bucharest_OvidiuDiaconescu.pdf] </li>
<li>'''Do you "GRANT ALL PRIVILEGES ..." in MySQL/MariaDB/Percona Server? '''- Gabriel Preda[https://www.owasp.org/images/2/2c/OWASP_EU_Tour_2013_Bucharest_Gabriel_Preda.pdf]</li>
</ul>
'''Some photos [https://www.owasp.org/index.php/File:OwaspEUTour_RomaniaChapterMeeting2013Photos.zip]'''
 
== Chapter Meeting #2: Feb 28, 2013 ==

'''Location and host: Hanul Berarilor, Str. Poenaru Bordea, nr. 2, Bucureşti, România'''
'''Time: 19:00'''
19:00 - 20:30 Member expectations, future meetings, OWASP projects, technical topics

Feb 10, 2013 Oana Cornea published iOS Application Security Testing Cheat Sheet [https://www.owasp.org/index.php/IOS_Application_Security_Testing_Cheat_Sheet]

May 26, 2011 OWASP Top 10 Web Application Security Risks at RONUA [http://ronua.ro/CS/groups/ronua-bucuresti/default.aspx]

 
== Chapter Meeting #1: May 27, 2011 ==

'''Location and host: Muzeul Literaturii Române, Bd. Dacia 12, Sector 1, Bucureşti, România [http://www.mlr.ro]'''
'''Time: 17:00'''
17:00 - 17:15 Admission
17:15 - 17:30 Brief introduction to OWASP, Claudiu Constantinescu
17:30 - 18:00 Open discussion regarding OWASP Romania; what is expected or wished
18:00 - 18:15 Web Application Security Testing - comparison of 6 web application vulnerability scanners - Cristian
18:15 - 19:00 Other presentations and discussions

=Sponshorship=
Become a supporter of OWASP or of OWASP's Bucharest Chapter and help us to make application security visible. All information about becoming a member/sponsor can be found [https://www.owasp.org/index.php/Membership here.] 
https://www.owasp.org/index.php/Local_Chapter_Supporter
<headertabs />

==Chapter Supporters==

{|
|
|
|
|
|}
[[Category:OWASP Chapter]]
[[Category:Europe]]

Bucharest

2019-05-16T13:20:54Z

Oana Cornea: /* Chapter Meeting #16: TBD , 2018 */

__NOTOC__

=Welcome=

== Welcome to the Bucharest chapter homepage! ==
[http://lists.owasp.org/mailman/listinfo/owasp-Romania Click here to join our mailing list.] 
[https://lists.owasp.org/mailman/listinfo/owasp-community Click here to join the global community mailing list.] 
Follow us on [https://twitter.com/OWASPRomania Twitter.] and [https://www.facebook.com/owaspromania Facebook.] 
[[Image:Logo-ro.jpg|right|150px|link=https://www.owasp.org/index.php/]]

OWASP Chapter meetings are free and open. We encourage open discussion on all aspects of application security. Everyone is welcome to join us at our chapter meetings, members and non-members. 

The Chapter leader is [mailto:vlad.cotenescu@owasp.org Vlad Cotenescu] 
<li>Anyone who wants to get involved and help will be warmly welcome.</li>
<li>If you would like to give a presentation (make sure that you have read the [https://www.owasp.org/index.php/Speaker_Agreement speaker agreement]). </li>
<li>In case you have any questions about the OWASP Bucharest Chapter, send an email to [mailto:vlad.cotenescu@owasp.org Vlad Cotenescu]</li>
<li>[https://www.youtube.com/channel/UCsVFkvsVZguEWmDCIIJ9blA Youtube channel]</li>

=Upcoming events=
== OWASP Bucharest AppSec Conference 2019 ==
https://www.owasp.org/index.php/OWASP_Bucharest_AppSec_Conference_2019

== Chapter Meeting #16: TBD , 2019 ==
'''Location and host: '''
'''Time: 19:00'''
'''19:00 - 19:15''' Introduction and OWASP news
'''19:15 - 21:00 '''
'''Description:'''
 

=Past events & meetings=
== Chapter Meeting #15: 2nd of July, 2018 ==
'''Location and host: B-dul Aviatorilor, nr. 8, Bucureşti, România'''
'''Time: 19:00'''
'''19:00 - 19:15''' Introduction and OWASP news
'''19:15 - 21:00 ''' '''Workshop: [https://www.owasp.org/images/b/b0/Webservice_and_Microservice_Security_7-2018.pdf Webservice Security] - Jim Manico'''
'''Description:''' Webservices are build upon the foundation of the same technology that is used to build web applications. Therefore, many of the standard web security defenses will apply when building webservices. However, stateless and other specialized webservice patterns make defending webservices different that normal web security in some regards. This module will review the various specialized attacks and defenses that developers need to be aware of when building secure webservices.

== Chapter Meeting #14: 1st of February , 2018 ==
'''Location and host: B-dul Timisoara, nr. 15, AFI Park 4, etaj 4, Bucureşti, România'''
'''Time: 19:00'''
'''19:00 - 19:15 Introduction and OWASP news'''
'''19:15 - 20:00''' '''Presentation: Handling of Security Requirements in Software Development Lifecycle - [https://de.linkedin.com/in/kefer/de Daniel Kefer]''' 
'''20:00 - 20:45''' '''Presentation: [https://www.owasp.org/images/4/4e/OWASP-Ionut-Popescu-Less-Known-Web-Application-Vulnerabilities-Stripped.pdf Less Known Web Application Vulnerabilities - part 2] - [https://ro.linkedin.com/in/nytro Ionut Popescu]'''
'''20:45 - 21:30''' Networking

== [https://www.owasp.org/index.php/OWASP_Bucharest_AppSec_Conference_2017 OWASP Bucharest AppSec Conference 2017, 11th - 13th of October 2017] ==
== [https://www.owasp.org/index.php/OWASP_Bucharest_AppSec_Conference_2016 OWASP AppSec Bucharest 6th of October, 2016] ==
== Chapter Meeting #13: 27th of April , 2016 ==

'''Location and host: B-dul Dimitrie Pompei, nr. 10A, Conect Business Park, Cladirea C3, etaj 5, Bucureşti, România'''
'''Time: 19:00'''
'''19:00 - 19:15 Introduction and OWASP news'''
'''19:15 - 20:00''' Presentation: [https://www.owasp.org/images/e/e7/OWASP_-_Ionut_Popescu.pptx PHP Object Injection] - [https://ro.linkedin.com/in/nytro Ionut Popescu]
'''20:00 - 20:15''' Presentation: [https://www.owasp.org/images/3/3a/Ksd.pdf Keystroke dynamics (2FA in web apps)] - [https://www.linkedin.com/in/cristian-grigoriu-93707b94 Cristian Grigoriu]
'''20:15 - 20:30''' Presentation: [https://www.owasp.org/images/0/03/OWASP_RansomwareHoneypots.pptx Early Detection: Using honeypots to spot ransomware infections] - [https://www.linkedin.com/in/aarongoldstein Aaron Goldstein]
 
Check out OWASP presentations at Agile Talks http://www.meetup.com/The-Bucharest-Agile-Software-Meetup-Group/events/226301564/ 
Tech Hub - 39-41 Nicolae Filipescu, Bucharest
== Eastern European Event: 9th of October, 2015 ==
[https://www.owasp.org/index.php/OWASP_EEE_Bucharest_Event_2015 Local event page] 
Follow us on [https://twitter.com/owasp_eee Twitter.] [[Image:Bug.jpg|60px]] 
== Chapter Meeting #12: 18th of June, 2015 ==

'''Location and host: B-dul Dimitrie Pompei, nr. 10A, Conect Business Park, Cladirea C3, Dell, Bucureşti, România'''
'''Time: 19:00'''
19:00 - 20:00 Presentation: [https://www.linkedin.com/in/johnnywachter Johnny Wachter] - '''Dynamic Malware Analysis'''– A hands on guide for quickly studying malware behavior and implementing mitigating controls:
* This will demonstrate the manual analysis of malicious samples commonly distributed via Phishing Emails and Exploit Kits.
* Common Tools and Techniques for Safely and Efficiently identifying Indicators of Compromise will be covered.
* A practical guide and hands-on labs will be made available in case attendees wish to “practice” at home.

== Chapter Meeting #11: 20th of November, 2014 ==

'''Location and host: B-dul Dimitrie Pompei, nr. 10A, Conect Business Park, Cladirea C3, Dell, Bucureşti, România'''
'''Time: 19:00'''
19:00 - 20:00 Presentation: Aaron Goldstein - Search Engine Dorking[https://www.owasp.org/images/4/4a/OWASP_Dorking.pdf]
20:00 - 21:00 Presentation: Johnny Wachter - Python and Incident Response [https://www.owasp.org/images/1/1e/Python_and_Incident_Response.pdf]

== OWASP Romania InfoSec Conference 2014: 24th of October, 2014 ==
[https://www.owasp.org/index.php/OwaspRomaniaConference2014 OWASP Romania InfoSec Conference 2014 page] 

== Chapter Meeting #10: 7th of August, 2014 ==

'''Location and host: Hanul Berarilor, Str. Poenaru Bordea, nr. 2, Bucureşti, România'''
'''Time: 19:00''' Owasp updates
 
== Chapter Meeting #9: June 12, 2014 ==

'''Location and host: BOC Tower, 3rd George Constantinescu St., entrance C, 4th floor, Bucureşti, România''' [https://maps.google.com/maps?t=m&ll=44.47907780000001%2C26.115150400000005&q=Intel+Software+Development&spn=0.0036512685548508207%2C0.0068231558434524815&output=classic]
'''Time: 19:00'''
19:00 - 19:15 Owasp updates
19:15 - 20:00 Presentation: Jack Mannino - Building Secure Android Apps
20:00 - 21:00 Presentation: Cosmin Huruiala - Risk scoring for penetration testing
 
== Chapter Meeting #8: April 9, 2014 ==

'''Location and host: [http://goo.gl/maps/Sofgh "Politehnica" University], Room EG306, Bucureşti, România'''
'''Time: 19:00'''
19:00 - 19:15 Owasp updates
19:15 - 20:00 Presentation: Simon Bennetts - "An introduction to OWASP ZAP"[https://www.owasp.org/index.php/User:Simon_Bennetts][https://www.owasp.org/images/9/96/OWASP_2014_OWASP_ROMANIA.pdf]
20:00 - 21:00 Presentation: Ionut Popescu - "Introduction to shellcode development" [https://www.owasp.org/images/4/4c/Introduction_to_shellcode_development.pdf]
 

== Chapter Meeting #7: March 6, 2014 ==

'''Location and host: Nicolae Titulescu 4-8, America House, East Entrance (near Starbucks), 6th floor, Bucureşti, România
'''Time: 19:00'''
19:00 - 19:15 Owasp updates
19:25 - 20:45 Presentation: Dinis Cruz[https://www.owasp.org/index.php/User:Dinis.cruz] - "REST Security and Exploitation"
http://blog.diniscruz.com/search/label/XmlDecoder
http://blog.diniscruz.com/2013/12/xstream-remote-code-execution-exploit.html
== Chapter Meeting #6: Jan 23, 2014 ==

'''Location and host: BOC Tower, 3rd George Constantinescu St., entrance C, 4th floor, Bucureşti, România''' [https://maps.google.com/maps?t=m&ll=44.47907780000001%2C26.115150400000005&q=Intel+Software+Development&spn=0.0036512685548508207%2C0.0068231558434524815&output=classic]
'''Time: 19:00'''
19:00 - 19:15 Owasp updates
19:25 - 20:00 Presentation: "Port knocking", Dan Vasile
20:00 - 21:00 Presentation: "Ecryptfs Tools for Android"[https://github.com/catalinionita/Ecryptfs-Tools-for-Android/commits/master], Catalin Ionita
== Chapter Meeting #5: Nov 21, 2013 ==

'''Location and host: Nicolae Titulescu 4-8, America House, East Entrance (near Starbucks), 2nd floor, Bucureşti, România'''
'''Time: 19:00'''
19:00 - 20:00 Owasp updates
20:00 - 21:00 Presentation: "Introduction to fuzzing", Costel Maxim
== OWASP Romania InfoSec Conference 2013, October 25 ==

'''When: October 25, 2013 Where: [http://goo.gl/maps/Sofgh "Politehnica" University, Bucureşti, România] Event page: [https://www.owasp.org/index.php/OwaspRomaniaConference OWASP Romania InfoSec Conference 2013] Participation to this event is free but you need to [https://owasp-romaniachapter-infosec.eventbrite.com/ register] (limited number of seats)'''

== Chapter Meeting #4: Aug 22, 2013 ==

'''Location and host: SemaParc RiverView Building, 6th floor, Str. Splaiul Independentei, nr. 309, Bucureşti, România'''
'''Time: 19:00'''
19:00 - 20:00 Owasp updates and projects
20:00 - 21:00 Presentation: "Application Security Introduction", Cristian Pascariu
 
== Chapter Meeting #3: Jun 5, 2013 ==

'''Location and host: "Politehnica" University, Bucureşti, România'''
'''Time: 14:30'''
Owasp EU Tour 2013 [https://www.owasp.org/index.php/EUTour2013_Bucharest_Agenda] 
Here are the presentations: 
<ul>
<li>
'''Introduction to Owasp''' - Ionel Chirita [https://www.owasp.org/images/9/9d/OWASP_EU_Tour_2013_Bucharest_Ionel_Chirita.pdf]</li>
<li>'''Investing in security''' - Claudiu Constantinescu [https://www.owasp.org/images/6/6c/OWASP_EU_Tour_2013_Bucharest_Claudiu_Constantinescu.pdf]</li>
<li>'''Penetration testing - a way of improving our cyber security''' - Adrian Furtuna [https://www.owasp.org/images/9/93/OWASP_EU_Tour_2013_Bucharest_AdrianFurtuna.pdf]</li>
<li>'''Android reverse engineering: understanding third-party applications''' - Vicente Aguilera Diaz [https://www.owasp.org/images/a/a6/OWASP_EU_Tour_2013_Bucharest_Vicente_Aguilera_Diaz.pdf]</li>
<li>'''The Trouble with Passwords''' - Mark Goodwin [http://people.mozilla.com/~mgoodwin/presentations/20130410/shells/embedder.html#http://people.mozilla.com/~mgoodwin/presentations/20130410/template.html]</li>
<li>'''Hacking the ViewState in ASP.NET''' - Ovidiu Diaconescu[https://www.owasp.org/images/d/d3/OWASP_EU_Tour_2013_Bucharest_OvidiuDiaconescu.pdf] </li>
<li>'''Do you "GRANT ALL PRIVILEGES ..." in MySQL/MariaDB/Percona Server? '''- Gabriel Preda[https://www.owasp.org/images/2/2c/OWASP_EU_Tour_2013_Bucharest_Gabriel_Preda.pdf]</li>
</ul>
'''Some photos [https://www.owasp.org/index.php/File:OwaspEUTour_RomaniaChapterMeeting2013Photos.zip]'''
 
== Chapter Meeting #2: Feb 28, 2013 ==

'''Location and host: Hanul Berarilor, Str. Poenaru Bordea, nr. 2, Bucureşti, România'''
'''Time: 19:00'''
19:00 - 20:30 Member expectations, future meetings, OWASP projects, technical topics

Feb 10, 2013 Oana Cornea published iOS Application Security Testing Cheat Sheet [https://www.owasp.org/index.php/IOS_Application_Security_Testing_Cheat_Sheet]

May 26, 2011 OWASP Top 10 Web Application Security Risks at RONUA [http://ronua.ro/CS/groups/ronua-bucuresti/default.aspx]

 
== Chapter Meeting #1: May 27, 2011 ==

'''Location and host: Muzeul Literaturii Române, Bd. Dacia 12, Sector 1, Bucureşti, România [http://www.mlr.ro]'''
'''Time: 17:00'''
17:00 - 17:15 Admission
17:15 - 17:30 Brief introduction to OWASP, Claudiu Constantinescu
17:30 - 18:00 Open discussion regarding OWASP Romania; what is expected or wished
18:00 - 18:15 Web Application Security Testing - comparison of 6 web application vulnerability scanners - Cristian
18:15 - 19:00 Other presentations and discussions

=Sponshorship=
Become a supporter of OWASP or of OWASP's Bucharest Chapter and help us to make application security visible. All information about becoming a member/sponsor can be found [https://www.owasp.org/index.php/Membership here.] 
https://www.owasp.org/index.php/Local_Chapter_Supporter
<headertabs />

==Chapter Supporters==

{|
|
|
|
|
|}
[[Category:OWASP Chapter]]
[[Category:Europe]]

Bucharest

2019-05-14T16:25:27Z

Oana Cornea: edit6

__NOTOC__

=Welcome=

== Welcome to the Bucharest chapter homepage! ==
[http://lists.owasp.org/mailman/listinfo/owasp-Romania Click here to join our mailing list.] 
[https://lists.owasp.org/mailman/listinfo/owasp-community Click here to join the global community mailing list.] 
Follow us on [https://twitter.com/OWASPRomania Twitter.] and [https://www.facebook.com/owaspromania Facebook.] 
[[Image:Logo-ro.jpg|right|150px|link=https://www.owasp.org/index.php/]]

OWASP Chapter meetings are free and open. We encourage open discussion on all aspects of application security. Everyone is welcome to join us at our chapter meetings, members and non-members. 

The Chapter leaders are [mailto:vlad.cotenescu@gmail.com Vlad Cotenescu] and
[mailto:oana.cornea@owasp.org Oana Cornea] 
<li>Anyone who wants to get involved and help will be warmly welcome.</li>
<li>If you would like to give a presentation (make sure that you have read the [https://www.owasp.org/index.php/Speaker_Agreement speaker agreement]). </li>
<li>In case you have any questions about the OWASP Bucharest Chapter, send an email to [mailto:oana.cornea@owasp.org Oana Cornea]</li>
<li>[https://www.youtube.com/channel/UCsVFkvsVZguEWmDCIIJ9blA Youtube channel]</li>

=Upcoming events=
== Chapter Meeting #16: TBD , 2018 ==
'''Location and host: '''
'''Time: 19:00'''
'''19:00 - 19:15''' Introduction and OWASP news
'''19:15 - 21:00 '''
'''Description:'''
 

=Past events & meetings=
== Chapter Meeting #15: 2nd of July, 2018 ==
'''Location and host: B-dul Aviatorilor, nr. 8, Bucureşti, România'''
'''Time: 19:00'''
'''19:00 - 19:15''' Introduction and OWASP news
'''19:15 - 21:00 ''' '''Workshop: [https://www.owasp.org/images/b/b0/Webservice_and_Microservice_Security_7-2018.pdf Webservice Security] - Jim Manico'''
'''Description:''' Webservices are build upon the foundation of the same technology that is used to build web applications. Therefore, many of the standard web security defenses will apply when building webservices. However, stateless and other specialized webservice patterns make defending webservices different that normal web security in some regards. This module will review the various specialized attacks and defenses that developers need to be aware of when building secure webservices.

== Chapter Meeting #14: 1st of February , 2018 ==
'''Location and host: B-dul Timisoara, nr. 15, AFI Park 4, etaj 4, Bucureşti, România'''
'''Time: 19:00'''
'''19:00 - 19:15 Introduction and OWASP news'''
'''19:15 - 20:00''' '''Presentation: Handling of Security Requirements in Software Development Lifecycle - [https://de.linkedin.com/in/kefer/de Daniel Kefer]''' 
'''20:00 - 20:45''' '''Presentation: [https://www.owasp.org/images/4/4e/OWASP-Ionut-Popescu-Less-Known-Web-Application-Vulnerabilities-Stripped.pdf Less Known Web Application Vulnerabilities - part 2] - [https://ro.linkedin.com/in/nytro Ionut Popescu]'''
'''20:45 - 21:30''' Networking

== [https://www.owasp.org/index.php/OWASP_Bucharest_AppSec_Conference_2017 OWASP Bucharest AppSec Conference 2017, 11th - 13th of October 2017] ==
== [https://www.owasp.org/index.php/OWASP_Bucharest_AppSec_Conference_2016 OWASP AppSec Bucharest 6th of October, 2016] ==
== Chapter Meeting #13: 27th of April , 2016 ==

'''Location and host: B-dul Dimitrie Pompei, nr. 10A, Conect Business Park, Cladirea C3, etaj 5, Bucureşti, România'''
'''Time: 19:00'''
'''19:00 - 19:15 Introduction and OWASP news'''
'''19:15 - 20:00''' Presentation: [https://www.owasp.org/images/e/e7/OWASP_-_Ionut_Popescu.pptx PHP Object Injection] - [https://ro.linkedin.com/in/nytro Ionut Popescu]
'''20:00 - 20:15''' Presentation: [https://www.owasp.org/images/3/3a/Ksd.pdf Keystroke dynamics (2FA in web apps)] - [https://www.linkedin.com/in/cristian-grigoriu-93707b94 Cristian Grigoriu]
'''20:15 - 20:30''' Presentation: [https://www.owasp.org/images/0/03/OWASP_RansomwareHoneypots.pptx Early Detection: Using honeypots to spot ransomware infections] - [https://www.linkedin.com/in/aarongoldstein Aaron Goldstein]
 
Check out OWASP presentations at Agile Talks http://www.meetup.com/The-Bucharest-Agile-Software-Meetup-Group/events/226301564/ 
Tech Hub - 39-41 Nicolae Filipescu, Bucharest
== Eastern European Event: 9th of October, 2015 ==
[https://www.owasp.org/index.php/OWASP_EEE_Bucharest_Event_2015 Local event page] 
Follow us on [https://twitter.com/owasp_eee Twitter.] [[Image:Bug.jpg|60px]] 
== Chapter Meeting #12: 18th of June, 2015 ==

'''Location and host: B-dul Dimitrie Pompei, nr. 10A, Conect Business Park, Cladirea C3, Dell, Bucureşti, România'''
'''Time: 19:00'''
19:00 - 20:00 Presentation: [https://www.linkedin.com/in/johnnywachter Johnny Wachter] - '''Dynamic Malware Analysis'''– A hands on guide for quickly studying malware behavior and implementing mitigating controls:
* This will demonstrate the manual analysis of malicious samples commonly distributed via Phishing Emails and Exploit Kits.
* Common Tools and Techniques for Safely and Efficiently identifying Indicators of Compromise will be covered.
* A practical guide and hands-on labs will be made available in case attendees wish to “practice” at home.

== Chapter Meeting #11: 20th of November, 2014 ==

'''Location and host: B-dul Dimitrie Pompei, nr. 10A, Conect Business Park, Cladirea C3, Dell, Bucureşti, România'''
'''Time: 19:00'''
19:00 - 20:00 Presentation: Aaron Goldstein - Search Engine Dorking[https://www.owasp.org/images/4/4a/OWASP_Dorking.pdf]
20:00 - 21:00 Presentation: Johnny Wachter - Python and Incident Response [https://www.owasp.org/images/1/1e/Python_and_Incident_Response.pdf]

== OWASP Romania InfoSec Conference 2014: 24th of October, 2014 ==
[https://www.owasp.org/index.php/OwaspRomaniaConference2014 OWASP Romania InfoSec Conference 2014 page] 

== Chapter Meeting #10: 7th of August, 2014 ==

'''Location and host: Hanul Berarilor, Str. Poenaru Bordea, nr. 2, Bucureşti, România'''
'''Time: 19:00''' Owasp updates
 
== Chapter Meeting #9: June 12, 2014 ==

'''Location and host: BOC Tower, 3rd George Constantinescu St., entrance C, 4th floor, Bucureşti, România''' [https://maps.google.com/maps?t=m&ll=44.47907780000001%2C26.115150400000005&q=Intel+Software+Development&spn=0.0036512685548508207%2C0.0068231558434524815&output=classic]
'''Time: 19:00'''
19:00 - 19:15 Owasp updates
19:15 - 20:00 Presentation: Jack Mannino - Building Secure Android Apps
20:00 - 21:00 Presentation: Cosmin Huruiala - Risk scoring for penetration testing
 
== Chapter Meeting #8: April 9, 2014 ==

'''Location and host: [http://goo.gl/maps/Sofgh "Politehnica" University], Room EG306, Bucureşti, România'''
'''Time: 19:00'''
19:00 - 19:15 Owasp updates
19:15 - 20:00 Presentation: Simon Bennetts - "An introduction to OWASP ZAP"[https://www.owasp.org/index.php/User:Simon_Bennetts][https://www.owasp.org/images/9/96/OWASP_2014_OWASP_ROMANIA.pdf]
20:00 - 21:00 Presentation: Ionut Popescu - "Introduction to shellcode development" [https://www.owasp.org/images/4/4c/Introduction_to_shellcode_development.pdf]
 

== Chapter Meeting #7: March 6, 2014 ==

'''Location and host: Nicolae Titulescu 4-8, America House, East Entrance (near Starbucks), 6th floor, Bucureşti, România
'''Time: 19:00'''
19:00 - 19:15 Owasp updates
19:25 - 20:45 Presentation: Dinis Cruz[https://www.owasp.org/index.php/User:Dinis.cruz] - "REST Security and Exploitation"
http://blog.diniscruz.com/search/label/XmlDecoder
http://blog.diniscruz.com/2013/12/xstream-remote-code-execution-exploit.html
== Chapter Meeting #6: Jan 23, 2014 ==

'''Location and host: BOC Tower, 3rd George Constantinescu St., entrance C, 4th floor, Bucureşti, România''' [https://maps.google.com/maps?t=m&ll=44.47907780000001%2C26.115150400000005&q=Intel+Software+Development&spn=0.0036512685548508207%2C0.0068231558434524815&output=classic]
'''Time: 19:00'''
19:00 - 19:15 Owasp updates
19:25 - 20:00 Presentation: "Port knocking", Dan Vasile
20:00 - 21:00 Presentation: "Ecryptfs Tools for Android"[https://github.com/catalinionita/Ecryptfs-Tools-for-Android/commits/master], Catalin Ionita
== Chapter Meeting #5: Nov 21, 2013 ==

'''Location and host: Nicolae Titulescu 4-8, America House, East Entrance (near Starbucks), 2nd floor, Bucureşti, România'''
'''Time: 19:00'''
19:00 - 20:00 Owasp updates
20:00 - 21:00 Presentation: "Introduction to fuzzing", Costel Maxim
== OWASP Romania InfoSec Conference 2013, October 25 ==

'''When: October 25, 2013 Where: [http://goo.gl/maps/Sofgh "Politehnica" University, Bucureşti, România] Event page: [https://www.owasp.org/index.php/OwaspRomaniaConference OWASP Romania InfoSec Conference 2013] Participation to this event is free but you need to [https://owasp-romaniachapter-infosec.eventbrite.com/ register] (limited number of seats)'''

== Chapter Meeting #4: Aug 22, 2013 ==

'''Location and host: SemaParc RiverView Building, 6th floor, Str. Splaiul Independentei, nr. 309, Bucureşti, România'''
'''Time: 19:00'''
19:00 - 20:00 Owasp updates and projects
20:00 - 21:00 Presentation: "Application Security Introduction", Cristian Pascariu
 
== Chapter Meeting #3: Jun 5, 2013 ==

'''Location and host: "Politehnica" University, Bucureşti, România'''
'''Time: 14:30'''
Owasp EU Tour 2013 [https://www.owasp.org/index.php/EUTour2013_Bucharest_Agenda] 
Here are the presentations: 
<ul>
<li>
'''Introduction to Owasp''' - Ionel Chirita [https://www.owasp.org/images/9/9d/OWASP_EU_Tour_2013_Bucharest_Ionel_Chirita.pdf]</li>
<li>'''Investing in security''' - Claudiu Constantinescu [https://www.owasp.org/images/6/6c/OWASP_EU_Tour_2013_Bucharest_Claudiu_Constantinescu.pdf]</li>
<li>'''Penetration testing - a way of improving our cyber security''' - Adrian Furtuna [https://www.owasp.org/images/9/93/OWASP_EU_Tour_2013_Bucharest_AdrianFurtuna.pdf]</li>
<li>'''Android reverse engineering: understanding third-party applications''' - Vicente Aguilera Diaz [https://www.owasp.org/images/a/a6/OWASP_EU_Tour_2013_Bucharest_Vicente_Aguilera_Diaz.pdf]</li>
<li>'''The Trouble with Passwords''' - Mark Goodwin [http://people.mozilla.com/~mgoodwin/presentations/20130410/shells/embedder.html#http://people.mozilla.com/~mgoodwin/presentations/20130410/template.html]</li>
<li>'''Hacking the ViewState in ASP.NET''' - Ovidiu Diaconescu[https://www.owasp.org/images/d/d3/OWASP_EU_Tour_2013_Bucharest_OvidiuDiaconescu.pdf] </li>
<li>'''Do you "GRANT ALL PRIVILEGES ..." in MySQL/MariaDB/Percona Server? '''- Gabriel Preda[https://www.owasp.org/images/2/2c/OWASP_EU_Tour_2013_Bucharest_Gabriel_Preda.pdf]</li>
</ul>
'''Some photos [https://www.owasp.org/index.php/File:OwaspEUTour_RomaniaChapterMeeting2013Photos.zip]'''
 
== Chapter Meeting #2: Feb 28, 2013 ==

'''Location and host: Hanul Berarilor, Str. Poenaru Bordea, nr. 2, Bucureşti, România'''
'''Time: 19:00'''
19:00 - 20:30 Member expectations, future meetings, OWASP projects, technical topics

Feb 10, 2013 Oana Cornea published iOS Application Security Testing Cheat Sheet [https://www.owasp.org/index.php/IOS_Application_Security_Testing_Cheat_Sheet]

May 26, 2011 OWASP Top 10 Web Application Security Risks at RONUA [http://ronua.ro/CS/groups/ronua-bucuresti/default.aspx]

 
== Chapter Meeting #1: May 27, 2011 ==

'''Location and host: Muzeul Literaturii Române, Bd. Dacia 12, Sector 1, Bucureşti, România [http://www.mlr.ro]'''
'''Time: 17:00'''
17:00 - 17:15 Admission
17:15 - 17:30 Brief introduction to OWASP, Claudiu Constantinescu
17:30 - 18:00 Open discussion regarding OWASP Romania; what is expected or wished
18:00 - 18:15 Web Application Security Testing - comparison of 6 web application vulnerability scanners - Cristian
18:15 - 19:00 Other presentations and discussions

=Sponshorship=
Become a supporter of OWASP or of OWASP's Bucharest Chapter and help us to make application security visible. All information about becoming a member/sponsor can be found [https://www.owasp.org/index.php/Membership here.] 
https://www.owasp.org/index.php/Local_Chapter_Supporter
<headertabs />

==Chapter Supporters==

{|
|
|
|
|
|}
[[Category:OWASP Chapter]]
[[Category:Romania]]
[[Category:Europe]]

OWASP Bucharest AppSec Conference 2019 Training2

2019-04-23T17:27:05Z

Oana Cornea: edit1

OWASP Bucharest AppSec Conference 2019 Workshops

2019-04-23T17:25:31Z

Oana Cornea: Created page with "{|style="vertical-align:top;width:90%;background-color:#white;padding:10px;border:1px solid silver;" align="center" cellspacing="4" | style="width:100%" valign="middle" height..."

OWASP Bucharest AppSec Conference 2019 WiA

2019-04-23T17:23:56Z

Oana Cornea: edit1

[[Image:WiA_400x400.jpg | 100px ]]

OWASP Bucharest AppSec Conference 2019 CTF

2019-04-23T17:23:16Z

Oana Cornea: Created page with "CTF (Capture The Flag) contests are popular ways to hone your practical security skills by solving challenges on topics such as web, crypto, reverse, exploiting. We invi..."

CTF (Capture The Flag) contests are popular ways to hone your practical security skills by solving challenges on topics such as web, crypto, reverse, exploiting. 

We invite all students passionate about practical security at the OWASP AppSec 2019 CTF! You and your team will solve challenges on web, reverse and exploiting. Challenges will be Linux-centric and web. 
Please note that this is a competition designed for students. 
Here are the important dates:
* The qualifiers are online on [TBD] September, between 10:00 and 22:00 (Bucharest time, UTC+2). In order to participate please [REGISTER HERE!]
* The first 10 teams will be invited to the final.
* The final will be on [TBD] October. The qualified teams that want to compete for the prizes must be on site, in the competition room.

The CTF final will take place during the OWASP Bucharest AppSec 2018 conference, on site, for 8 hours, from 9am to 5pm. Teams will consist of at most 5 players; everyone has to be on site at the conference. 
The CTF webpage is [https://owasp-ctf.security.cs.pub.ro/home here]

We would not cover any transport or accommodation costs for the final competitors, in order to attend the event on '''[TBD]October'''. 
Hope you can make it! You’ll have tons of fun! 

If you’re new to CTFs or you want to know more please check these links: 
* picoCTF (https://picoctf.com/): A good place for beginners to go through CTF tasks
*Computer and Network Security (http://ocw.cs.pub.ro/courses/cns): A masters class featuring concepts and tools on practical security
* Hack Night (https://github.com/isislab/Hack-Night): Training session run by the NYU Poly ISIS lab
* CTF Write-ups (https://github.com/ctfs/): Write-ups (solutions) for CTF contests arount the globe
* Online Wargames Bundle (http://security.cs.pub.ro/hexcellents/wiki/kb/practice-and-learning): A list of wargame sites you can use for honing your skills

Prizes: 
[TBD]

OWASP Bucharest AppSec Conference 2019 Team

2019-04-23T17:21:40Z

Oana Cornea: edit1

'''Organizers''':
*Oana Cornea [http://ro.linkedin.com/pub/oana-cornea/55/430/b10]
*Cosmin Marius Ilie [https://ro.linkedin.com/in/iliec]
*Andreea Druga[https://www.linkedin.com/in/andreea-cristina-drug%C4%83-9ab61090/]
*Andreea Cutlacai [https://ro.linkedin.com/in/cutlacai-andreea-3117231b]
*Daniel Barbu [http://ro.linkedin.com/in/barbuionutdaniel?trk=pub-pbmap]
*Raluca Vasilache [https://ro.linkedin.com/in/rvasilache?trk=pub-pbmap]
*Vlad Cotenescu [https://ro.linkedin.com/in/vladcotenescu]
*Alexandra Tautan [https://ro.linkedin.com/in/alexandra-maria-t-36b56544]
*Uzoma Ogbonna [https://www.linkedin.com/in/uzoma-chigozie-ogbonna-9a908a77]

'''CTF''':
*Razvan Deaconescu [https://ro.linkedin.com/in/razvandeaconescu]
*Vali Ghita [https://ro.linkedin.com/in/valighita]
*Vladimir Diaconescu
*Ștefania Popescu
*Alexandra Săndulescu
* Alexandru Razvan Caciulescu [https://www.linkedin.com/in/alexandru-razvan-caciulescu-049699106/]

'''Photo'''
*Andreea Druga[https://www.linkedin.com/in/andreea-cristina-drug%C4%83-9ab61090/]

OWASP Bucharest AppSec Conference 2019 Talks

2019-04-23T17:20:20Z

Oana Cornea: edit1

OWASP Bucharest AppSec Conference 2019 Agenda Talks

2019-04-23T17:18:34Z

Oana Cornea: edit1

OWASP Bucharest AppSec Conference 2019 Sponsors

2019-04-23T17:15:57Z

Oana Cornea: edit1

OWASP Bucharest AppSec Conference 2019

2019-04-23T17:14:19Z

Oana Cornea:

__NOTOC__

{{:OwaspHeader2019}}

=Welcome=
{| style="width: 100%;"
|-
| style="width: 100%; color: rgb(0, 0, 0);" |
{| style="border: 0px solid ; background: transparent none repeat scroll 0% 0%; width: 100%; -moz-background-clip: border; -moz-background-origin: padding; -moz-background-inline-policy: continuous;"
|-
| style="width: 95%; color: rgb(0, 0, 0);" |

'''OWASP Bucharest AppSec Conference 2019 - October [TBD]'''

OWASP Bucharest team is happy to announce the '''OWASP Bucharest AppSec Conference 2019''' a three days '''Security''' and '''Hacking Conference''' with additional training days dedicated to the application security. It will take place in October, 2019 - Bucharest, Romania. 

The objective of the OWASP's Bucharest AppSec Conference is to raise awareness about application security and to bring high-quality security content provided by renowned professionals in the European region. Everyone is free to participate in OWASP and all our materials are available under a free and open software license. 

[https://docs.google.com/forms/d/e/1FAIpQLSf7dkZLWvmyNmpbx25M_MOo9ngOuGGsGEh8Mfdjo_TaeUo2Ug/viewform CALL FOR SPEAKERS] 
[https://docs.google.com/forms/d/e/1FAIpQLSfVg3qu8GHFeHPhMda-C0izMz0G4bitNevmNrvA3z8Aobyk-w/viewform CALL FOR TRAININGS/WORKSHOPS]
{|
! style="text-align:left;"| Important dates
!
|-
|Call for papers deadline:
|'''15th of September 2019'''
|-
|Call for trainings deadline
|'''15th of September 2019'''
|-
|The final agenda will be published after
|'''1st of October 2019'''
|-
|CTF qualifiers will be on
|'''[TBD] September 2019'''
|-
|Conference trainings day is
|'''[TBD] October 2019'''
|-
|Conference trainings and CTF final day is
|'''[TBD] October 2019'''
|-
|Conference presentation tracks and workshops day is
|'''[TBD] October 2019'''
|-
|}
 
'''Who Should Attend?'''

*Application Developers
*Application Testers and Quality Assurance
*Application Project Management and Staff
*Chief Information Officers, Chief Information Security Officers, Chief Technology Officers, Deputies, Associates and Staff
*Chief Financial Officers, Auditors, and Staff Responsible for IT Security Oversight and Compliance
*Security Managers and Staff
*Executives, Managers, and Staff Responsible for IT Security Governance
*IT Professionals interested in improving IT Security
*Anyone interested in learning about or promoting Web Application Security

| style="width: 110px; font-size: 95%; color: rgb(0, 0, 0);" |
|}

| style="width: 110px; font-size: 95%; color: rgb(0, 0, 0);" |
|}
{|style="vertical-align:top;width:90%;background-color:#white;padding:10px;border:1px solid silver;" align="center" cellspacing="5"
|-
| align="center" style="background:#CCCCEE;" colspan="2" |
'''CONFERENCE (Friday [TBD] of October)'''
|-
|-
| style="width:20%" valign="middle" bgcolor="#CCCCEE" align="center" colspan="0" | '''Date'''
| style="width:80%" valign="middle" bgcolor="#CCCCEE" align="center" colspan="0" | '''Location'''
|-
| valign="middle" bgcolor="#EEEEEE" align="center" | ''' [TBD], 8.00 AM '''
| valign="middle" bgcolor="#EEEEEE" align="left" | '''Venue Location:''' [TBD] '''Workshops''': [TBD] 
'''Venue Address''': Bucharest, Romania 
|-
| align="center" style="background:#CCCCEE;" colspan="2" | '''Price and registration'''
|-
| align="center" style="background:#EEEEEE;" colspan="2" | The conference entrance is '''FREE''', you need to register on the link provided below, print your ticket and present it at the entrance. The training sessions will be paid. The workshops and CTF attendance is free of charge 
'''[https://www.eventbrite.com/e/owasp-bucharest-appsec-conference-2018-tickets-47960216298#tickets Registration]''' 
'''Limited number of seats! '''

|
|}
 

=Become a sponsor=
[https://www.owasp.org/images/6/6b/OWASPAppSecBucharest2019-sponsorshipopportunities.pdf Sponshorship opportunities ] 
Why sponsor?
*Join 300+ leaders, security consultants, security architects and developers gathered to share cutting-edge ideas, initiatives and trends in technology.
*OWASP events attract an audience interested in "What's next?" - As a sponsor, you will be promoted as an answer to this question.
*Increase awareness and recognition in Romanian Security IT environment.
*Support and involvement in the world of information security enthusiasts.

=Conference 0101 talks=
{{:OWASP_Bucharest_AppSec_Conference_2019_Agenda_Talks}}

=Conference 1010 talks=
{{:OWASP_Bucharest_AppSec_Conference_2019_Talks}}

=WiA=
{{:OWASP_Bucharest_AppSec_Conference_2019_WiA}}

=Free workshops=
{{:OWASP_Bucharest_AppSec_Conference_2019_Workshops}}

=2 days training=
{{:OWASP_Bucharest_AppSec_Conference_2019_Training2}}

=CTF=
{{:OWASP_Bucharest_AppSec_Conference_2019_CTF}}

=Team=
{{:OWASP_Bucharest_AppSec_Conference_2019_Team}}

<headertabs />

=Sponsors=
{{:OWASP_Bucharest_AppSec_Conference_2019_Sponsors}}

OWASP Bucharest AppSec Conference 2019

2019-04-23T16:37:08Z

Oana Cornea:

__NOTOC__

{{:OwaspHeader2019}}

=Welcome=
{| style="width: 100%;"
|-
| style="width: 100%; color: rgb(0, 0, 0);" |
{| style="border: 0px solid ; background: transparent none repeat scroll 0% 0%; width: 100%; -moz-background-clip: border; -moz-background-origin: padding; -moz-background-inline-policy: continuous;"
|-
| style="width: 95%; color: rgb(0, 0, 0);" |

'''OWASP Bucharest AppSec Conference 2019 - October [TBD]'''

OWASP Bucharest team is happy to announce the '''OWASP Bucharest AppSec Conference 2019''' a three days '''Security''' and '''Hacking Conference''' with additional training days dedicated to the application security. It will take place in October, 2019 - Bucharest, Romania. 

The objective of the OWASP's Bucharest AppSec Conference is to raise awareness about application security and to bring high-quality security content provided by renowned professionals in the European region. Everyone is free to participate in OWASP and all our materials are available under a free and open software license. 

{|
! style="text-align:left;"| Important dates
!
|-
|Call for papers deadline:
|'''15th of September 2019'''
|-
|Call for trainings deadline
|'''15th of September 2019'''
|-
|The final agenda will be published after
|'''1st of October 2019'''
|-
|CTF qualifiers will be on
|'''[TBD] September 2019'''
|-
|Conference trainings day is
|'''[TBD] October 2019'''
|-
|Conference trainings and CTF final day is
|'''[TBD] October 2019'''
|-
|Conference presentation tracks and workshops day is
|'''[TBD] October 2019'''
|-
|}
 
'''Who Should Attend?'''

*Application Developers
*Application Testers and Quality Assurance
*Application Project Management and Staff
*Chief Information Officers, Chief Information Security Officers, Chief Technology Officers, Deputies, Associates and Staff
*Chief Financial Officers, Auditors, and Staff Responsible for IT Security Oversight and Compliance
*Security Managers and Staff
*Executives, Managers, and Staff Responsible for IT Security Governance
*IT Professionals interested in improving IT Security
*Anyone interested in learning about or promoting Web Application Security

| style="width: 110px; font-size: 95%; color: rgb(0, 0, 0);" |
|}

| style="width: 110px; font-size: 95%; color: rgb(0, 0, 0);" |
|}
{|style="vertical-align:top;width:90%;background-color:#white;padding:10px;border:1px solid silver;" align="center" cellspacing="5"
|-
| align="center" style="background:#CCCCEE;" colspan="2" |
'''CONFERENCE (Friday [TBD] of October)'''
|-
|-
| style="width:20%" valign="middle" bgcolor="#CCCCEE" align="center" colspan="0" | '''Date'''
| style="width:80%" valign="middle" bgcolor="#CCCCEE" align="center" colspan="0" | '''Location'''
|-
| valign="middle" bgcolor="#EEEEEE" align="center" | ''' [TBD], 8.00 AM '''
| valign="middle" bgcolor="#EEEEEE" align="left" | '''Venue Location:''' [TBD] '''Workshops''': [TBD] 
'''Venue Address''': Bucharest, Romania 
|-
| align="center" style="background:#CCCCEE;" colspan="2" | '''Price and registration'''
|-
| align="center" style="background:#EEEEEE;" colspan="2" | The conference entrance is '''FREE''', you need to register on the link provided below, print your ticket and present it at the entrance. The training sessions will be paid. The workshops and CTF attendance is free of charge 
'''[https://www.eventbrite.com/e/owasp-bucharest-appsec-conference-2018-tickets-47960216298#tickets Registration]''' 
'''Limited number of seats! '''

|
|}
 

=Become a sponsor=
[https://www.owasp.org/images/6/6b/OWASPAppSecBucharest2019-sponsorshipopportunities.pdf Sponshorship opportunities ] 
Why sponsor?
*Join 300+ leaders, security consultants, security architects and developers gathered to share cutting-edge ideas, initiatives and trends in technology.
*OWASP events attract an audience interested in "What's next?" - As a sponsor, you will be promoted as an answer to this question.
*Increase awareness and recognition in Romanian Security IT environment.
*Support and involvement in the world of information security enthusiasts.

=Conference 0101 talks=
{{:OWASP_Bucharest_AppSec_Conference_2019_Agenda_Talks}}

=Conference 1010 talks=
{{:OWASP_Bucharest_AppSec_Conference_2019_Talks}}

=WiA=
{{:OWASP_Bucharest_AppSec_Conference_2019_WiA}}

=Free workshops=
{{:OWASP_Bucharest_AppSec_Conference_2019_Workshops}}

=2 days training=
{{:OWASP_Bucharest_AppSec_Conference_2019_Training2}}

=CTF=
{{:OWASP_Bucharest_AppSec_Conference_2019_CTF}}

=Team=
{{:OWASP_Bucharest_AppSec_Conference_2019_Team}}

<headertabs />

=Sponsors=
{{:OWASP_Bucharest_AppSec_Conference_2019_Sponsors}}

File:OWASPAppSecBucharest2019-sponsorshipopportunities.pdf

2019-04-23T16:36:47Z

Oana Cornea:

OwaspHeader2019

2019-04-23T16:34:26Z

Oana Cornea: edit1

[[File:HeaderBucharest2019.png|center]].

OwaspHeader2019

2019-04-23T16:33:22Z

Oana Cornea: edit1

[[File:HeaderBucharest2019.PNG |center]].

File:HeaderBucharest2019.png

2019-04-23T16:32:09Z

Oana Cornea:

OWASP Bucharest AppSec Conference 2019

2019-04-23T16:30:33Z

Oana Cornea:

__NOTOC__

{{:OwaspHeader2019}}

=Welcome=
{| style="width: 100%;"
|-
| style="width: 100%; color: rgb(0, 0, 0);" |
{| style="border: 0px solid ; background: transparent none repeat scroll 0% 0%; width: 100%; -moz-background-clip: border; -moz-background-origin: padding; -moz-background-inline-policy: continuous;"
|-
| style="width: 95%; color: rgb(0, 0, 0);" |

'''OWASP Bucharest AppSec Conference 2019 - October [TBD]'''

OWASP Bucharest team is happy to announce the '''OWASP Bucharest AppSec Conference 2019''' a three days '''Security''' and '''Hacking Conference''' with additional training days dedicated to the application security. It will take place in October, 2019 - Bucharest, Romania. 

The objective of the OWASP's Bucharest AppSec Conference is to raise awareness about application security and to bring high-quality security content provided by renowned professionals in the European region. Everyone is free to participate in OWASP and all our materials are available under a free and open software license. 

{|
! style="text-align:left;"| Important dates
!
|-
|Call for papers deadline:
|'''24th of September 2019'''
|-
|Call for trainings deadline
|'''24th of September 2019'''
|-
|The final agenda will be published after
|'''1st of October 2019'''
|-
|CTF qualifiers will be on
|'''29th of September 2019'''
|-
|Conference trainings day is
|'''24th of October 2019'''
|-
|Conference trainings and CTF final day is
|'''25th of October 2019'''
|-
|Conference presentation tracks and workshops day is
|'''26th of October 2019'''
|-
|}
 
'''Who Should Attend?'''

*Application Developers
*Application Testers and Quality Assurance
*Application Project Management and Staff
*Chief Information Officers, Chief Information Security Officers, Chief Technology Officers, Deputies, Associates and Staff
*Chief Financial Officers, Auditors, and Staff Responsible for IT Security Oversight and Compliance
*Security Managers and Staff
*Executives, Managers, and Staff Responsible for IT Security Governance
*IT Professionals interested in improving IT Security
*Anyone interested in learning about or promoting Web Application Security

| style="width: 110px; font-size: 95%; color: rgb(0, 0, 0);" |
|}

| style="width: 110px; font-size: 95%; color: rgb(0, 0, 0);" |
|}
{|style="vertical-align:top;width:90%;background-color:#white;padding:10px;border:1px solid silver;" align="center" cellspacing="5"
|-
| align="center" style="background:#CCCCEE;" colspan="2" |
'''CONFERENCE (Friday 26th of October)'''
|-
|-
| style="width:20%" valign="middle" bgcolor="#CCCCEE" align="center" colspan="0" | '''Date'''
| style="width:80%" valign="middle" bgcolor="#CCCCEE" align="center" colspan="0" | '''Location'''
|-
| valign="middle" bgcolor="#EEEEEE" align="center" | ''' [TBD], 8.00 AM '''
| valign="middle" bgcolor="#EEEEEE" align="left" | '''Venue Location:''' [TBD] '''Workshops''': [TBD] 
'''Venue Address''': Bucharest, Romania 
|-
| align="center" style="background:#CCCCEE;" colspan="2" | '''Price and registration'''
|-
| align="center" style="background:#EEEEEE;" colspan="2" | The conference entrance is '''FREE''', you need to register on the link provided below, print your ticket and present it at the entrance. The training sessions will be paid. The workshops and CTF attendance is free of charge 
'''[https://www.eventbrite.com/e/owasp-bucharest-appsec-conference-2018-tickets-47960216298#tickets Registration]''' 
'''Limited number of seats! '''

|
|}
 

=Become a sponsor=
[https://www.owasp.org/images/d/d3/OWASPAppSecBucharest2018-sponsorshipopportunities.pdf Sponshorship opportunities ] 
Why sponsor?
*Join 300+ leaders, security consultants, security architects and developers gathered to share cutting-edge ideas, initiatives and trends in technology.
*OWASP events attract an audience interested in "What's next?" - As a sponsor, you will be promoted as an answer to this question.
*Increase awareness and recognition in Romanian Security IT environment.
*Support and involvement in the world of information security enthusiasts.

=Conference 0101 talks=
{{:OWASP_Bucharest_AppSec_Conference_2019_Agenda_Talks}}

=Conference 1010 talks=
{{:OWASP_Bucharest_AppSec_Conference_2019_Talks}}

=WiA=
{{:OWASP_Bucharest_AppSec_Conference_2019_WiA}}

=Free workshops=
{{:OWASP_Bucharest_AppSec_Conference_2019_Workshops}}

=2 days training=
{{:OWASP_Bucharest_AppSec_Conference_2019_Training2}}

=CTF=
{{:OWASP_Bucharest_AppSec_Conference_2019_CTF}}

=Team=
{{:OWASP_Bucharest_AppSec_Conference_2019_Team}}

<headertabs />

=Sponsors=
{{:OWASP_Bucharest_AppSec_Conference_2019_Sponsors}}

OWASP Bucharest AppSec Conference 2019

2019-04-23T16:30:05Z

Oana Cornea: Created page with "__NOTOC__ {{:OwaspHeader2019}} =Welcome= {| style="width: 100%;" |- | style="width: 100%; color: rgb(0, 0, 0);" | {| style="border: 0px solid ; background: transparent no..."

__NOTOC__

{{:OwaspHeader2019}}

=Welcome=
{| style="width: 100%;"
|-
| style="width: 100%; color: rgb(0, 0, 0);" |
{| style="border: 0px solid ; background: transparent none repeat scroll 0% 0%; width: 100%; -moz-background-clip: border; -moz-background-origin: padding; -moz-background-inline-policy: continuous;"
|-
| style="width: 95%; color: rgb(0, 0, 0);" |

'''OWASP Bucharest AppSec Conference 2018 - October 24th - 26th'''

OWASP Bucharest team is happy to announce the '''OWASP Bucharest AppSec Conference 2019''' a three days '''Security''' and '''Hacking Conference''' with additional training days dedicated to the application security. It will take place in October, 2019 - Bucharest, Romania. 

The objective of the OWASP's Bucharest AppSec Conference is to raise awareness about application security and to bring high-quality security content provided by renowned professionals in the European region. Everyone is free to participate in OWASP and all our materials are available under a free and open software license. 

{|
! style="text-align:left;"| Important dates
!
|-
|Call for papers deadline:
|'''24th of September 2019'''
|-
|Call for trainings deadline
|'''24th of September 2019'''
|-
|The final agenda will be published after
|'''1st of October 2019'''
|-
|CTF qualifiers will be on
|'''29th of September 2019'''
|-
|Conference trainings day is
|'''24th of October 2019'''
|-
|Conference trainings and CTF final day is
|'''25th of October 2019'''
|-
|Conference presentation tracks and workshops day is
|'''26th of October 2019'''
|-
|}
 
'''Who Should Attend?'''

*Application Developers
*Application Testers and Quality Assurance
*Application Project Management and Staff
*Chief Information Officers, Chief Information Security Officers, Chief Technology Officers, Deputies, Associates and Staff
*Chief Financial Officers, Auditors, and Staff Responsible for IT Security Oversight and Compliance
*Security Managers and Staff
*Executives, Managers, and Staff Responsible for IT Security Governance
*IT Professionals interested in improving IT Security
*Anyone interested in learning about or promoting Web Application Security

| style="width: 110px; font-size: 95%; color: rgb(0, 0, 0);" |
|}

| style="width: 110px; font-size: 95%; color: rgb(0, 0, 0);" |
|}
{|style="vertical-align:top;width:90%;background-color:#white;padding:10px;border:1px solid silver;" align="center" cellspacing="5"
|-
| align="center" style="background:#CCCCEE;" colspan="2" |
'''CONFERENCE (Friday 26th of October)'''
|-
|-
| style="width:20%" valign="middle" bgcolor="#CCCCEE" align="center" colspan="0" | '''Date'''
| style="width:80%" valign="middle" bgcolor="#CCCCEE" align="center" colspan="0" | '''Location'''
|-
| valign="middle" bgcolor="#EEEEEE" align="center" | ''' [TBD], 8.00 AM '''
| valign="middle" bgcolor="#EEEEEE" align="left" | '''Venue Location:''' [TBD] '''Workshops''': [TBD] 
'''Venue Address''': Bucharest, Romania 
|-
| align="center" style="background:#CCCCEE;" colspan="2" | '''Price and registration'''
|-
| align="center" style="background:#EEEEEE;" colspan="2" | The conference entrance is '''FREE''', you need to register on the link provided below, print your ticket and present it at the entrance. The training sessions will be paid. The workshops and CTF attendance is free of charge 
'''[https://www.eventbrite.com/e/owasp-bucharest-appsec-conference-2018-tickets-47960216298#tickets Registration]''' 
'''Limited number of seats! '''

|
|}
 

=Become a sponsor=
[https://www.owasp.org/images/d/d3/OWASPAppSecBucharest2018-sponsorshipopportunities.pdf Sponshorship opportunities ] 
Why sponsor?
*Join 300+ leaders, security consultants, security architects and developers gathered to share cutting-edge ideas, initiatives and trends in technology.
*OWASP events attract an audience interested in "What's next?" - As a sponsor, you will be promoted as an answer to this question.
*Increase awareness and recognition in Romanian Security IT environment.
*Support and involvement in the world of information security enthusiasts.

=Conference 0101 talks=
{{:OWASP_Bucharest_AppSec_Conference_2019_Agenda_Talks}}

=Conference 1010 talks=
{{:OWASP_Bucharest_AppSec_Conference_2019_Talks}}

=WiA=
{{:OWASP_Bucharest_AppSec_Conference_2019_WiA}}

=Free workshops=
{{:OWASP_Bucharest_AppSec_Conference_2019_Workshops}}

=2 days training=
{{:OWASP_Bucharest_AppSec_Conference_2019_Training2}}

=CTF=
{{:OWASP_Bucharest_AppSec_Conference_2019_CTF}}

=Team=
{{:OWASP_Bucharest_AppSec_Conference_2019_Team}}

<headertabs />

=Sponsors=
{{:OWASP_Bucharest_AppSec_Conference_2019_Sponsors}}

File:OWASP-Tales-of-practical-penetration-testing.pdf

2018-10-30T17:35:58Z

Oana Cornea: Oana Cornea uploaded a new version of File:OWASP-Tales-of-practical-penetration-testing.pdf

OWASP Bucharest AppSec Conference 2018 Agenda Talks

2018-10-30T17:30:05Z

Oana Cornea:

{|style="vertical-align:top;width:90%;background-color:#white;padding:10px;border:1px solid silver;" align="center" cellspacing="4"
| style="width:100%" valign="middle" height="40" bgcolor="#CCCCEE" align="center" colspan="6" | <h2>Conference agenda, 26th of October </h2>
|-
| style="width:10%" valign="middle" height="30" bgcolor="#CCCCEE" align="center" colspan="0" | '''Time'''
| style="width:25%" valign="middle" height="30" bgcolor="#CCCCEE" align="center" colspan="0" | '''Title'''
| style="width:25%" valign="middle" height="30" bgcolor="#CCCCEE" align="center" colspan="0" | '''Speaker'''
| style="width:40%" valign="middle" height="30" bgcolor="#CCCCEE" align="center" colspan="0" | '''Description'''
|-
| style="width:10%" valign="middle" height="30" bgcolor="#CCEEEE" align="center" colspan="0" | 8:30 - 9:00 (30 mins)
| style="width:25%" valign="middle" height="30" bgcolor="#CCEEEE" align="center" colspan="3" | Registration and coffee break

|-
| style="width:10%" valign="middle" height="30" bgcolor="#EEEEEE" align="center" colspan="0" | 9:00 - 9:15 (15 mins)
| style="width:25%" valign="middle" height="30" bgcolor="#EEEEEE" align="center" colspan="0" | Introduction
| style="width:25%" valign="middle" height="30" bgcolor="#EEEEEE" align="center" colspan="0" | Oana Cornea
| style="width:40%" valign="middle" height="30" bgcolor="#EEEEEE" align="center" colspan="0" | Introduction to the OWASP Bucharest Event, Schedule for the Day
|-
| style="width:10%" valign="middle" height="30" bgcolor="#EEEEEE" align="center" colspan="0" | 9:15 - 9:45 (30 mins)
| style="width:25%" valign="middle" height="30" bgcolor="#EEEEEE" align="center" colspan="0" | [https://www.owasp.org/images/7/79/OWASP_Bucharest-Day2018_so_you_think_you_do_security.pdf So you think you do security?]
| style="width:25%" valign="middle" height="30" bgcolor="#EEEEEE" align="center" colspan="0" | [https://www.linkedin.com/in/martin-knobloch/ Martin Knobloch]
| style="width:40%" valign="middle" height="30" bgcolor="#EEEEEE" align="justify" colspan="0" | Security is hot and we get all the fancy old and new titles: Chief Information Security Officer, Security Archtect, Security Tester, Security Engineer, Security and Risk Auditor! Of course, now the days you are falling behind if you do not have cyber in your title or job description, giving us the possibility of more fancy titles as for exampel 'Cyer security expert'! And we all doing security, right? Really, do you think you 'do security'?
As if compliancy has not been complex enough, let's add privacy vs security and don't forgeth moving to cloud and serverless architectures. Do you still think you are in control? Let me lift the smoke screen of cyber security obscurity and show you how to do security right! Getting in control buttom up and top down (is there really a choice), by building alliances, sharing knowledge and deligate responsibilities. Not the least by setting the right examples!
Let me show you an holistic but practical aproach adding security to your business responsibilityies and development metrics. Get control by let go and enable scalable security for your software factories. How to manage security in traditional waterfall and project centric envirnoments and how to scale in the agile worlds of DevOps and CD/CI!
|-
| style="width:10%" valign="middle" height="30" bgcolor="#EEEEEE" align="center" colspan="0" | 9:45 - 10:30 (45 mins)
| style="width:25%" valign="middle" height="30" bgcolor="#EEEEEE" align="center" colspan="0" | [https://www.owasp.org/images/a/a2/Browsers-for-better-or-worse-owasp.pdf Browsers - For better or worse ...]
| style="width:25%" valign="middle" height="30" bgcolor="#EEEEEE" align="center" colspan="0" | [https://pt.linkedin.com/in/simpsonpt Renato Rodrigues]
| style="width:40%" valign="middle" height="30" bgcolor="#EEEEEE" align="justify" colspan="0" | It is no news that security is under close scrutiny of the public eye. Everyone is on alert for the latest database leak, closely tracking the updates on the business losing millions on a hack or digging deep into the web to find ways to stay protected. In this presentation, we'll tap into the role browsers play from the security practices perspective - regarding defense and browsers as attack platforms. While some of the tricks covered in this presentation will be recognizable for most in the community, others are still kept away from the limelight. Hopefully, in the end, you will be able to take something new for your assessments.
|-
| style="width:10%" valign="middle" height="30" bgcolor="#EEEEEE" align="center" colspan="0" | 10:45 - 11:30 (45 mins)
| style="width:25%" valign="middle" height="30" bgcolor="#EEEEEE" align="center" colspan="0" | [https://www.owasp.org/images/a/ac/Access_control%2C_REST_and_sessions.pdf Access control, REST and sessions]

| style="width:25%" valign="middle" height="30" bgcolor="#EEEEEE" align="center" colspan="0" | [https://www.linkedin.com/in/johanpeeters Johan Peeters]
| style="width:40%" valign="middle" height="30" bgcolor="#EEEEEE" align="justify" colspan="0" |There is a lot of confusion surrounding REST, state, sessions, and the implications for access control. Let’s clear this up. 
REST services are stateless. In other words, there are no sessions between REST API producers and consumers. Given the difficulties of securing sessions, this is A Good Thing from a security perspective. 
Access to REST APIs is incumbent on the presentation of a valid security token. Typically, this is an access token issued by an OAuth authorization server. The authZ server maintains a session with the user agent so that the user does not need to re-authenticate each time a new access token is needed. This is not entirely unproblematic, as will be illustrated through a discussion of logout and the tenuous implementation of silent authentication in client libraries. Conversely, I will argue for leveraging authorization server sessions to raise the consent game to a level where it truly serves the interests of the user. 
In summary, while REST APIs are stateless and do not maintain a session, access control architectures *do* rely on sessions trying to provide a good user experience while enforcing authorization policies.

|-
| style="width:10%" valign="middle" height="30" bgcolor="#EEEEEE" align="center" colspan="0" | 11:45 - 12:30 (45 mins)
| style="width:25%" valign="middle" height="30" bgcolor="#EEEEEE" align="center" colspan="0" |[https://www.owasp.org/images/5/53/20181021_-_Cookies_vs_tokens_-_A_paradoxial_choice_%28AppSec_Bucharest%29_small.pdf Cookies versus tokens: a paradoxical choice]
| style="width:25%" valign="middle" height="30" bgcolor="#EEEEEE" align="center" colspan="0" | [https://www.linkedin.com/in/philippederyck/ Philippe De Ryck]
| style="width:40%" valign="middle" height="30" bgcolor="#EEEEEE" align="justify" colspan="0" |When you’re building Angular applications, you will need to figure out how to manage your user’s sessions. Back in the days, this used to be simple. But now, there are many different options, all with specific advantages and disadvantages. How can you make a sensible choice, and how will that impact the security of your application? 
This talk lays it out for you. We dive into the technicalities of cookies, JWT tokens and Authorization headers. You will learn how to assess your past choices, and how to substantiate future decisions.
|-
| style="width:10%" valign="middle" height="30" bgcolor="#CCEEEE" align="center" colspan="0" | 12:30 - 13:30 (60 mins)
| style="width:25%" valign="middle" height="30" bgcolor="#CCEEEE" align="center" colspan="3" |Lunch/Coffee Break
|-
| style="width:10%" valign="middle" height="30" bgcolor="#EEEEEE" align="center" colspan="0" | 13:30 - 14:15 (40 mins)
| style="width:25%" valign="middle" height="30" bgcolor="#EEEEEE" align="center" colspan="3" | Women in AppSec Panel 
[[Image:WiA_400x400.jpg | 50px ]]

|-
| style="width:10%" valign="middle" height="30" bgcolor="#EEEEEE" align="center" colspan="0" | 14:20 - 15:05 (45 mins)
| style="width:25%" valign="middle" height="30" bgcolor="#EEEEEE" align="center" colspan="0" | [https://www.owasp.org/images/1/14/Prezentare-Owasp-Ilca-Lucian-Florin.pptx Short A.V Evasion and Fast Incident Response]
| style="width:25%" valign="middle" height="30" bgcolor="#EEEEEE" align="center" colspan="0" | Lucian Ilca
| style="width:40%" valign="middle" height="30" bgcolor="#EEEEEE" align="justify" colspan="0" | The field of Anti-Virus Evasion and Fast Incident Response, combined with Malware Analysis comprises the art and science of dissecting malicious software using diverse tools like: FLARE, Cuckoo Sandbox or other forensics tools and response immediatly to any type of incident.
The study and analysis of these tools fall within the general purview of the broad disciplines of Digital Forensics, PSIRT, Cyber Security Operations and general principles of Reverse Engineering.
In this paper, we explore and discuss the current state of anti-virus evasion, malware analysis and fast incident response, .
Based on author research, he conclude that the domain of malware analysis, A.V Evasion and Fast Incident Response has effectively been relegated from the academic realm to the domain of the practitioner's skill set.
For the final presentation, author will show how you can respond to an incident and how to protect your environment for new attacks. 
|-
| style="width:10%" valign="middle" height="30" bgcolor="#CCEEEE" align="center" colspan="0" | 15:05 - 15:20 (15 mins)
| style="width:25%" valign="middle" height="30" bgcolor="#CCEEEE" align="center" colspan="3" | Coffee break
|-
| style="width:10%" valign="middle" height="30" bgcolor="#EEEEEE" align="center" colspan="0" | 15:20 - 16:05 (45 mins)
| style="width:25%" valign="middle" height="30" bgcolor="#EEEEEE" align="center" colspan="0" | [https://www.owasp.org/images/5/53/OWASP_CTI_Presentation_Calita_Cristi.pptx Secure your cyber battlefield leveraging cyber threat intelligence]
| style="width:25%" valign="middle" height="30" bgcolor="#EEEEEE" align="center" colspan="0" | Cristian Calita
| style="width:40%" valign="middle" height="30" bgcolor="#EEEEEE" align="justify" colspan="0" | Cyber crime, Cyber environment, Cyber activities, Cyber security, etc - Cyber is the new black. Therefore cyber threat intelligence (CTI) was expected to arise. 
As web applications are important pieces of the operational environment - at least to the fact that these may be entry points into internal networks, one of the CTI's goals is to keep the defenders (e.g. application security architects, application developers, etc) and stakeholders ahead threats and adversaries by feeding them with the missing piece from their knowledge. The presentation provides details on how this goal could be achieved.
|-
| style="width:10%" valign="middle" height="30" bgcolor="#EEEEEE" align="center" colspan="0" | 16:05 - 16:50 (45 mins)
| style="width:25%" valign="middle" height="30" bgcolor="#EEEEEE" align="center" colspan="0" | Automating Security Operations using Phantom
| style="width:25%" valign="middle" height="30" bgcolor="#EEEEEE" align="center" colspan="0" | Isabella Minca
| style="width:40%" valign="middle" height="30" bgcolor="#EEEEEE" align="justify" colspan="0" | Our challenge consists in working with a SIEM which manages over 30 TB of logs per day and over 100 different types of Security Alerts, triggered based on the logs. Challenge accepted! This presentation aims to reveal our efforts towards automating Security Alerts triaging workflow using a Python based tool, Phantom. We investigate further and decide upon the actions needed in order to remediate the vulnerabilities. A wide range of workflow actions can be automated, such as running searches or scripts that enrich alert data, reporting and proactively resolving security misconfigurations using various app integrations like Exchange, Slack and Jira. While the adoption of such an initiative is not a quick win but a bumpy road, it easily results in translating the day-to-day Security Operations Center work into a highly scalable, automated and tailored approach when it comes to dealing with the threat landscape! As a consequence, the whole organisation is moving towards a world of SecDevOps.
|-
| style="width:10%" valign="middle" height="30" bgcolor="#CCEEEE" align="center" colspan="0" | 16:50 - 17:00 (15 mins)
| style="width:25%" valign="middle" height="30" bgcolor="#CCEEEE" align="center" colspan="0" | Closing ceremony
| style="width:25%" valign="middle" height="30" bgcolor="#CCEEEE" align="center" colspan="0" | OWASP Bucharest team
| style="width:40%" valign="middle" height="30" bgcolor="#CCEEEE" align="center" colspan="0" | CTF Prizes
|-
|}

File:Browsers-for-better-or-worse-owasp.pdf

2018-10-30T17:29:29Z

Oana Cornea:

File:OWASP Bucharest-Day2018 so you think you do security.pdf

2018-10-30T17:28:44Z

Oana Cornea:

File:OWASP Cosmin Radu 2018.pptx

2018-10-28T21:15:34Z

Oana Cornea: Oana Cornea uploaded a new version of File:OWASP Cosmin Radu 2018.pptx

OWASP Bucharest AppSec Conference 2018 Talks

2018-10-28T16:52:50Z

Oana Cornea:

{|style="vertical-align:top;width:90%;background-color:#white;padding:10px;border:1px solid silver;" align="center" cellspacing="4"
| style="width:100%" valign="middle" height="40" bgcolor="#CCCCEE" align="center" colspan="6" | <h2>Conference agenda, 26th of October </h2>
|-
| style="width:10%" valign="middle" height="30" bgcolor="#CCCCEE" align="center" colspan="0" | '''Time'''
| style="width:25%" valign="middle" height="30" bgcolor="#CCCCEE" align="center" colspan="0" | '''Title'''
| style="width:25%" valign="middle" height="30" bgcolor="#CCCCEE" align="center" colspan="0" | '''Speaker'''
| style="width:40%" valign="middle" height="30" bgcolor="#CCCCEE" align="center" colspan="0" | '''Description'''
|-
| style="width:10%" valign="middle" height="30" bgcolor="#CCEEEE" align="center" colspan="0" | 8:30 - 9:00 (30 mins)
| style="width:25%" valign="middle" height="30" bgcolor="#CCEEEE" align="center" colspan="3" | Registration and coffee break
|-
| style="width:10%" valign="middle" height="30" bgcolor="#EEEEEE" align="center" colspan="0" | 9:00 - 9:15 (15 mins)
| style="width:25%" valign="middle" height="30" bgcolor="#EEEEEE" align="center" colspan="0" | Introduction
| style="width:25%" valign="middle" height="30" bgcolor="#EEEEEE" align="center" colspan="0" | Oana Cornea
| style="width:40%" valign="middle" height="30" bgcolor="#EEEEEE" align="center" colspan="0" | Introduction to the OWASP Bucharest Event, Schedule for the Day
|-
| style="width:10%" valign="middle" height="30" bgcolor="#EEEEEE" align="center" colspan="0" | 9:15 - 9:45 (30 mins)
| style="width:25%" valign="middle" height="30" bgcolor="#EEEEEE" align="center" colspan="0" | It's a World of SecDevOps @ OWASP
| style="width:25%" valign="middle" height="30" bgcolor="#EEEEEE" align="center" colspan="0" | [https://ro.linkedin.com/in/barbuionutdaniel/en Daniel Barbu]
| style="width:40%" valign="middle" height="30" bgcolor="#EEEEEE" align="justify" colspan="0" | SecDevOps comes with a built-in security mindset and ideally adopts the proven practices already in use by embedded SRE teams. Day-to-day activities for this role contribute not only to achievement of operational and development goals but also to keeping high levels of confidentiality, integrity and availability. While improving the security posture, the processes become easier to audit and compliance controls better assessed. With product teams engaging with security as early as possible as opposed to the end of the project, the focus shifts from a reactive approach to a proactive one integrating defensive practices through the lifecycle. Consequently the systems’ predictability and understanding of the infrastructure behavior increases. When possible, open security issues should be tracked in the same work tracking system that Development and Operations are using, ensuring visibility and prioritization against all other work. Infosec being embedded within the product teams, enables informed decisions by gaining business context.
|-
| style="width:10%" valign="middle" height="30" bgcolor="#EEEEEE" align="center" colspan="0" | 9:45 - 10.30 (45 mins)
| style="width:25%" valign="middle" height="30" bgcolor="#EEEEEE" align="center" colspan="0" | [https://www.owasp.org/images/4/4b/OWASP-Tales-of-practical-penetration-testing.pdf Tales of Practical Android Penetration Testing (Mobile Pentest Toolkit)]
| style="width:25%" valign="middle" height="30" bgcolor="#EEEEEE" align="center" colspan="0" | [https://www.linkedin.com/in/alexander-subbotin-11290510a Alexander Subbotin]
| style="width:40%" valign="middle" height="30" bgcolor="#EEEEEE" align="justify" colspan="0" | A vast number of open source tools and commercial products has been developed to support the security analysis of mobile apps. It has become a great challenge for a penetration tester to choose suitable or the best tools and the adequate pentest environment/distribution. And even when the test tools have been chosen, the problem remains that most of the tools only offer a CLI interface and that their usage can be very time consuming.
In order to automatize the setup of the test environment and the common processes during a mobile pentest, the author has developed the "Mobile Pentest Toolkit" (PMT). This toolkit takes over recurring and time consuming tasks for the tester. It has a standardized user interface for the usage of locally installed security tools (and installs them on demand). An example of use is: After the tester has modified the Smali code, the generation of a valid and signed APK file only takes a few moments. Aside from that, this talk illustrates techniques for dynamic analysis and tracking of changes within the app. The goal is to present the Mobile Pentest Toolkit to an interested audience and to publish it as an open source tool.
|-
| style="width:10%" valign="middle" height="30" bgcolor="#EEEEEE" align="center" colspan="0" | 10:45 - 11.30 (45 mins)
| style="width:25%" valign="middle" height="30" bgcolor="#EEEEEE" align="center" colspan="0" | [https://www.owasp.org/images/6/65/OWASP_Bucharest_AppSec_2018_-_Breaking_the_iOS_Sandbox_-_Razvan_Deaconescu.pdf Breaking the Apple iOS Sandbox]
| style="width:25%" valign="middle" height="30" bgcolor="#EEEEEE" align="center" colspan="0" | [https://ro.linkedin.com/in/razvandeaconescu Razvan Deaconescu]
| style="width:40%" valign="middle" height="30" bgcolor="#EEEEEE" align="justify" colspan="0" | Apple iOS uses sandboxing to confine apps to certain calls they can make to services and the kernel. Apps are attached a sandbox profile: a set of rules that allow or deny actions. All 3rd party apps (i.e. downloaded from the AppStore) use the same sandbox profile (container). Sandbox profiles are stored as binary blobs in the iOS kernel. 
In this talk, I will highlight the way iOS sandboxing works and steps we undertook in reversing binary blobs. We then analyzed reversed human-readable sandbox profiles and found misconfigurations in the profiles that allowed crippling the system from a valid app. We let Apple know of our findings, now published as CVEs.
|-
| style="width:10%" valign="middle" height="30" bgcolor="#EEEEEE" align="center" colspan="0" | 11:45 - 12.30 (45 mins)
| style="width:25%" valign="middle" height="30" bgcolor="#EEEEEE" align="center" colspan="0" | [https://www.owasp.org/images/f/fe/OWASP_Cosmin_Radu_2018.pptx Evading your protection and exfiltrate data]
| style="width:25%" valign="middle" height="30" bgcolor="#EEEEEE" align="center" colspan="0" | [https://www.linkedin.com/in/cosminradu13 Cosmin Alexandru Radu]
| style="width:40%" valign="middle" height="30" bgcolor="#EEEEEE" align="justify" colspan="0" |Evading your protection and exfiltrate data
This presentation is meant to be an introduction into a number of ex-filtration techniques that are out there, used by malicious attackers. It should be a view into the attackers toolset for developers and how they can counteract the issues attackers use to get data out of their applications, or how system administrators can guard their network against egress data leakage.
|-
| style="width:10%" valign="middle" height="30" bgcolor="#CCEEEE" align="center" colspan="0" | 12:30 - 13:30 (60 mins)
| style="width:25%" valign="middle" height="30" bgcolor="#CCEEEE" align="center" colspan="3" |Lunch/Coffee Break
|-
| style="width:10%" valign="middle" height="30" bgcolor="#EEEEEE" align="center" colspan="0" | 13:30 - 14:15 (45 mins)
| style="width:25%" valign="middle" height="30" bgcolor="#EEEEEE" align="center" colspan="0" | OWASP Top 10 with .NET Core
| style="width:25%" valign="middle" height="30" bgcolor="#EEEEEE" align="center" colspan="0" | [https://ro.linkedin.com/in/ignatandrei Andrei Ignat]
| style="width:40%" valign="middle" height="30" bgcolor="#EEEEEE" align="justify" colspan="0" | We will show OWASP Top 10 and how to counter them in .NET Core
|-
| style="width:10%" valign="middle" height="30" bgcolor="#EEEEEE" align="center" colspan="0" | 14:20 - 15:05 (45 mins)
| style="width:25%" valign="middle" height="30" bgcolor="#EEEEEE" align="center" colspan="0" | [https://www.owasp.org/images/7/77/OWASP_Gabriel_Pilat_talk.pptx AWS VMS]
| style="width:25%" valign="middle" height="30" bgcolor="#EEEEEE" align="center" colspan="0" | [https://ro.linkedin.com/in/gabriel-pilat-3053229b Gabriel Pilat]
| style="width:40%" valign="middle" height="30" bgcolor="#EEEEEE" align="justify" colspan="0" | This presentation looks at how Vulnerability Management is generally performed (Scanning, Asset management, Reporting, TI etc. ), how it can be performed in the Amazon Cloud ( Deploy scanners, Use Integrated scanner, etc), the possibilities of automation Amazon offers and ways to integrate it with 3rd party tools such as Qualys. General AWS architecture, security services and benefits, inherited security flaws, issues and limitations encountered.
|-
| style="width:10%" valign="middle" height="30" bgcolor="#CCEEEE" align="center" colspan="0" | 15:05 - 15:20 (15 mins)
| style="width:25%" valign="middle" height="30" bgcolor="#CCEEEE" align="center" colspan="3" | Coffee break
|-
| style="width:10%" valign="middle" height="30" bgcolor="#EEEEEE" align="center" colspan="0" | 15:20 - 16:05 (45 mins)
| style="width:25%" valign="middle" height="30" bgcolor="#EEEEEE" align="center" colspan="0" | Protecting company information for GDPR compliance. A software architect’s perspective.
| style="width:25%" valign="middle" height="30" bgcolor="#EEEEEE" align="center" colspan="0" | Ovidiu Ariton
| style="width:40%" valign="middle" height="30" bgcolor="#EEEEEE" align="justify" colspan="0" |For years cybersecurity has been approached at the network level and at endpoint level. Best practices are good but sometimes user behavior makes the difference between a compromised system and a safe one. Most of the times they don’t understand if something went wrong. What if they knew? 
The solution that I am going to present brings the tools available in a SOC to the user level, at the endpoint. It combines some of the best practices in security (like backup and DLP) with SOAR solutions and LRA in order to prevent loss of data and ensure rapid automated reaction to cybersecurity incidents.
|-
| style="width:10%" valign="middle" height="30" bgcolor="#EEEEEE" align="center" colspan="0" | 16:05 - 16:50 (45 mins)
| style="width:25%" valign="middle" height="30" bgcolor="#EEEEEE" align="center" colspan="0" | [https://www.owasp.org/images/8/82/OWASP-SB.pptx DevSecOps Use Case: Automate Early… But Securely]
| style="width:25%" valign="middle" height="30" bgcolor="#EEEEEE" align="center" colspan="0" | Serban Bejan
| style="width:40%" valign="middle" height="30" bgcolor="#EEEEEE" align="justify" colspan="0" |In today’s increasingly digitalized world, the need for security in DevOps is met by a new concept, called DevSecOps. Aimed at creating and including modern security practices that can be incorporated into the fast and agile world of DevOps, DevSecOps is, in fact, an extension of DevOps’ main goal. 
In our use case we studied the possible benefits and challenges of integrating SAST and DAST tools into the existing toolchain (application lifecycle manager, IDE, source code management tool and continuous integration pipeline) for developing, deploying and testing a Java web application. 
Implementing DevSecOps brings a lot of value to organizations, it also comes with some challenges, like integrating more agile security methods and properly training users for using these advanced tools. Last but not least, we also need to take into consideration that any security functionality not automated in the available tools will result in creating friction in the cycle.
|-
| style="width:10%" valign="middle" height="30" bgcolor="#CCEEEE" align="center" colspan="0" | 16:50 - 17:00 (15 mins)
| style="width:25%" valign="middle" height="30" bgcolor="#CCEEEE" align="center" colspan="0" | Closing ceremony
| style="width:25%" valign="middle" height="30" bgcolor="#CCEEEE" align="center" colspan="0" | OWASP Bucharest team
| style="width:40%" valign="middle" height="30" bgcolor="#CCEEEE" align="center" colspan="0" | CTF Prizes
|-
|}

File:OWASP-SB.pptx

2018-10-28T16:52:35Z

Oana Cornea:

File:OWASP Gabriel Pilat talk.pptx

2018-10-28T16:51:19Z

Oana Cornea:

File:OWASP Cosmin Radu 2018.pptx

2018-10-28T16:50:39Z

Oana Cornea:

File:OWASP Bucharest AppSec 2018 - Breaking the iOS Sandbox - Razvan Deaconescu.pdf

2018-10-28T16:49:20Z

Oana Cornea:

File:OWASP-Tales-of-practical-penetration-testing.pdf

2018-10-28T16:48:31Z

Oana Cornea:

OWASP Bucharest AppSec Conference 2018 Agenda Talks

2018-10-28T16:46:23Z

Oana Cornea:

{|style="vertical-align:top;width:90%;background-color:#white;padding:10px;border:1px solid silver;" align="center" cellspacing="4"
| style="width:100%" valign="middle" height="40" bgcolor="#CCCCEE" align="center" colspan="6" | <h2>Conference agenda, 26th of October </h2>
|-
| style="width:10%" valign="middle" height="30" bgcolor="#CCCCEE" align="center" colspan="0" | '''Time'''
| style="width:25%" valign="middle" height="30" bgcolor="#CCCCEE" align="center" colspan="0" | '''Title'''
| style="width:25%" valign="middle" height="30" bgcolor="#CCCCEE" align="center" colspan="0" | '''Speaker'''
| style="width:40%" valign="middle" height="30" bgcolor="#CCCCEE" align="center" colspan="0" | '''Description'''
|-
| style="width:10%" valign="middle" height="30" bgcolor="#CCEEEE" align="center" colspan="0" | 8:30 - 9:00 (30 mins)
| style="width:25%" valign="middle" height="30" bgcolor="#CCEEEE" align="center" colspan="3" | Registration and coffee break

|-
| style="width:10%" valign="middle" height="30" bgcolor="#EEEEEE" align="center" colspan="0" | 9:00 - 9:15 (15 mins)
| style="width:25%" valign="middle" height="30" bgcolor="#EEEEEE" align="center" colspan="0" | Introduction
| style="width:25%" valign="middle" height="30" bgcolor="#EEEEEE" align="center" colspan="0" | Oana Cornea
| style="width:40%" valign="middle" height="30" bgcolor="#EEEEEE" align="center" colspan="0" | Introduction to the OWASP Bucharest Event, Schedule for the Day
|-
| style="width:10%" valign="middle" height="30" bgcolor="#EEEEEE" align="center" colspan="0" | 9:15 - 9:45 (30 mins)
| style="width:25%" valign="middle" height="30" bgcolor="#EEEEEE" align="center" colspan="0" | So you think you do security?
| style="width:25%" valign="middle" height="30" bgcolor="#EEEEEE" align="center" colspan="0" | [https://www.linkedin.com/in/martin-knobloch/ Martin Knobloch]
| style="width:40%" valign="middle" height="30" bgcolor="#EEEEEE" align="justify" colspan="0" | Security is hot and we get all the fancy old and new titles: Chief Information Security Officer, Security Archtect, Security Tester, Security Engineer, Security and Risk Auditor! Of course, now the days you are falling behind if you do not have cyber in your title or job description, giving us the possibility of more fancy titles as for exampel 'Cyer security expert'! And we all doing security, right? Really, do you think you 'do security'?
As if compliancy has not been complex enough, let's add privacy vs security and don't forgeth moving to cloud and serverless architectures. Do you still think you are in control? Let me lift the smoke screen of cyber security obscurity and show you how to do security right! Getting in control buttom up and top down (is there really a choice), by building alliances, sharing knowledge and deligate responsibilities. Not the least by setting the right examples!
Let me show you an holistic but practical aproach adding security to your business responsibilityies and development metrics. Get control by let go and enable scalable security for your software factories. How to manage security in traditional waterfall and project centric envirnoments and how to scale in the agile worlds of DevOps and CD/CI!
|-
| style="width:10%" valign="middle" height="30" bgcolor="#EEEEEE" align="center" colspan="0" | 9:45 - 10:30 (45 mins)
| style="width:25%" valign="middle" height="30" bgcolor="#EEEEEE" align="center" colspan="0" | [https://slides.com/simpson/browsers-for-better-or-worse-owasp/#/ Browsers - For better or worse ...]
| style="width:25%" valign="middle" height="30" bgcolor="#EEEEEE" align="center" colspan="0" | [https://pt.linkedin.com/in/simpsonpt Renato Rodrigues]
| style="width:40%" valign="middle" height="30" bgcolor="#EEEEEE" align="justify" colspan="0" | It is no news that security is under close scrutiny of the public eye. Everyone is on alert for the latest database leak, closely tracking the updates on the business losing millions on a hack or digging deep into the web to find ways to stay protected. In this presentation, we'll tap into the role browsers play from the security practices perspective - regarding defense and browsers as attack platforms. While some of the tricks covered in this presentation will be recognizable for most in the community, others are still kept away from the limelight. Hopefully, in the end, you will be able to take something new for your assessments.
|-
| style="width:10%" valign="middle" height="30" bgcolor="#EEEEEE" align="center" colspan="0" | 10:45 - 11:30 (45 mins)
| style="width:25%" valign="middle" height="30" bgcolor="#EEEEEE" align="center" colspan="0" | [https://www.owasp.org/images/a/ac/Access_control%2C_REST_and_sessions.pdf Access control, REST and sessions]

| style="width:25%" valign="middle" height="30" bgcolor="#EEEEEE" align="center" colspan="0" | [https://www.linkedin.com/in/johanpeeters Johan Peeters]
| style="width:40%" valign="middle" height="30" bgcolor="#EEEEEE" align="justify" colspan="0" |There is a lot of confusion surrounding REST, state, sessions, and the implications for access control. Let’s clear this up. 
REST services are stateless. In other words, there are no sessions between REST API producers and consumers. Given the difficulties of securing sessions, this is A Good Thing from a security perspective. 
Access to REST APIs is incumbent on the presentation of a valid security token. Typically, this is an access token issued by an OAuth authorization server. The authZ server maintains a session with the user agent so that the user does not need to re-authenticate each time a new access token is needed. This is not entirely unproblematic, as will be illustrated through a discussion of logout and the tenuous implementation of silent authentication in client libraries. Conversely, I will argue for leveraging authorization server sessions to raise the consent game to a level where it truly serves the interests of the user. 
In summary, while REST APIs are stateless and do not maintain a session, access control architectures *do* rely on sessions trying to provide a good user experience while enforcing authorization policies.

|-
| style="width:10%" valign="middle" height="30" bgcolor="#EEEEEE" align="center" colspan="0" | 11:45 - 12:30 (45 mins)
| style="width:25%" valign="middle" height="30" bgcolor="#EEEEEE" align="center" colspan="0" |[https://www.owasp.org/images/5/53/20181021_-_Cookies_vs_tokens_-_A_paradoxial_choice_%28AppSec_Bucharest%29_small.pdf Cookies versus tokens: a paradoxical choice]
| style="width:25%" valign="middle" height="30" bgcolor="#EEEEEE" align="center" colspan="0" | [https://www.linkedin.com/in/philippederyck/ Philippe De Ryck]
| style="width:40%" valign="middle" height="30" bgcolor="#EEEEEE" align="justify" colspan="0" |When you’re building Angular applications, you will need to figure out how to manage your user’s sessions. Back in the days, this used to be simple. But now, there are many different options, all with specific advantages and disadvantages. How can you make a sensible choice, and how will that impact the security of your application? 
This talk lays it out for you. We dive into the technicalities of cookies, JWT tokens and Authorization headers. You will learn how to assess your past choices, and how to substantiate future decisions.
|-
| style="width:10%" valign="middle" height="30" bgcolor="#CCEEEE" align="center" colspan="0" | 12:30 - 13:30 (60 mins)
| style="width:25%" valign="middle" height="30" bgcolor="#CCEEEE" align="center" colspan="3" |Lunch/Coffee Break
|-
| style="width:10%" valign="middle" height="30" bgcolor="#EEEEEE" align="center" colspan="0" | 13:30 - 14:15 (40 mins)
| style="width:25%" valign="middle" height="30" bgcolor="#EEEEEE" align="center" colspan="3" | Women in AppSec Panel 
[[Image:WiA_400x400.jpg | 50px ]]

|-
| style="width:10%" valign="middle" height="30" bgcolor="#EEEEEE" align="center" colspan="0" | 14:20 - 15:05 (45 mins)
| style="width:25%" valign="middle" height="30" bgcolor="#EEEEEE" align="center" colspan="0" | [https://www.owasp.org/images/1/14/Prezentare-Owasp-Ilca-Lucian-Florin.pptx Short A.V Evasion and Fast Incident Response]
| style="width:25%" valign="middle" height="30" bgcolor="#EEEEEE" align="center" colspan="0" | Lucian Ilca
| style="width:40%" valign="middle" height="30" bgcolor="#EEEEEE" align="justify" colspan="0" | The field of Anti-Virus Evasion and Fast Incident Response, combined with Malware Analysis comprises the art and science of dissecting malicious software using diverse tools like: FLARE, Cuckoo Sandbox or other forensics tools and response immediatly to any type of incident.
The study and analysis of these tools fall within the general purview of the broad disciplines of Digital Forensics, PSIRT, Cyber Security Operations and general principles of Reverse Engineering.
In this paper, we explore and discuss the current state of anti-virus evasion, malware analysis and fast incident response, .
Based on author research, he conclude that the domain of malware analysis, A.V Evasion and Fast Incident Response has effectively been relegated from the academic realm to the domain of the practitioner's skill set.
For the final presentation, author will show how you can respond to an incident and how to protect your environment for new attacks. 
|-
| style="width:10%" valign="middle" height="30" bgcolor="#CCEEEE" align="center" colspan="0" | 15:05 - 15:20 (15 mins)
| style="width:25%" valign="middle" height="30" bgcolor="#CCEEEE" align="center" colspan="3" | Coffee break
|-
| style="width:10%" valign="middle" height="30" bgcolor="#EEEEEE" align="center" colspan="0" | 15:20 - 16:05 (45 mins)
| style="width:25%" valign="middle" height="30" bgcolor="#EEEEEE" align="center" colspan="0" | [https://www.owasp.org/images/5/53/OWASP_CTI_Presentation_Calita_Cristi.pptx Secure your cyber battlefield leveraging cyber threat intelligence]
| style="width:25%" valign="middle" height="30" bgcolor="#EEEEEE" align="center" colspan="0" | Cristian Calita
| style="width:40%" valign="middle" height="30" bgcolor="#EEEEEE" align="justify" colspan="0" | Cyber crime, Cyber environment, Cyber activities, Cyber security, etc - Cyber is the new black. Therefore cyber threat intelligence (CTI) was expected to arise. 
As web applications are important pieces of the operational environment - at least to the fact that these may be entry points into internal networks, one of the CTI's goals is to keep the defenders (e.g. application security architects, application developers, etc) and stakeholders ahead threats and adversaries by feeding them with the missing piece from their knowledge. The presentation provides details on how this goal could be achieved.
|-
| style="width:10%" valign="middle" height="30" bgcolor="#EEEEEE" align="center" colspan="0" | 16:05 - 16:50 (45 mins)
| style="width:25%" valign="middle" height="30" bgcolor="#EEEEEE" align="center" colspan="0" | Automating Security Operations using Phantom
| style="width:25%" valign="middle" height="30" bgcolor="#EEEEEE" align="center" colspan="0" | Isabella Minca
| style="width:40%" valign="middle" height="30" bgcolor="#EEEEEE" align="justify" colspan="0" | Our challenge consists in working with a SIEM which manages over 30 TB of logs per day and over 100 different types of Security Alerts, triggered based on the logs. Challenge accepted! This presentation aims to reveal our efforts towards automating Security Alerts triaging workflow using a Python based tool, Phantom. We investigate further and decide upon the actions needed in order to remediate the vulnerabilities. A wide range of workflow actions can be automated, such as running searches or scripts that enrich alert data, reporting and proactively resolving security misconfigurations using various app integrations like Exchange, Slack and Jira. While the adoption of such an initiative is not a quick win but a bumpy road, it easily results in translating the day-to-day Security Operations Center work into a highly scalable, automated and tailored approach when it comes to dealing with the threat landscape! As a consequence, the whole organisation is moving towards a world of SecDevOps.
|-
| style="width:10%" valign="middle" height="30" bgcolor="#CCEEEE" align="center" colspan="0" | 16:50 - 17:00 (15 mins)
| style="width:25%" valign="middle" height="30" bgcolor="#CCEEEE" align="center" colspan="0" | Closing ceremony
| style="width:25%" valign="middle" height="30" bgcolor="#CCEEEE" align="center" colspan="0" | OWASP Bucharest team
| style="width:40%" valign="middle" height="30" bgcolor="#CCEEEE" align="center" colspan="0" | CTF Prizes
|-
|}

OWASP Bucharest AppSec Conference 2018 Agenda Talks

2018-10-28T16:44:08Z

Oana Cornea:

{|style="vertical-align:top;width:90%;background-color:#white;padding:10px;border:1px solid silver;" align="center" cellspacing="4"
| style="width:100%" valign="middle" height="40" bgcolor="#CCCCEE" align="center" colspan="6" | <h2>Conference agenda, 26th of October </h2>
|-
| style="width:10%" valign="middle" height="30" bgcolor="#CCCCEE" align="center" colspan="0" | '''Time'''
| style="width:25%" valign="middle" height="30" bgcolor="#CCCCEE" align="center" colspan="0" | '''Title'''
| style="width:25%" valign="middle" height="30" bgcolor="#CCCCEE" align="center" colspan="0" | '''Speaker'''
| style="width:40%" valign="middle" height="30" bgcolor="#CCCCEE" align="center" colspan="0" | '''Description'''
|-
| style="width:10%" valign="middle" height="30" bgcolor="#CCEEEE" align="center" colspan="0" | 8:30 - 9:00 (30 mins)
| style="width:25%" valign="middle" height="30" bgcolor="#CCEEEE" align="center" colspan="3" | Registration and coffee break

|-
| style="width:10%" valign="middle" height="30" bgcolor="#EEEEEE" align="center" colspan="0" | 9:00 - 9:15 (15 mins)
| style="width:25%" valign="middle" height="30" bgcolor="#EEEEEE" align="center" colspan="0" | Introduction
| style="width:25%" valign="middle" height="30" bgcolor="#EEEEEE" align="center" colspan="0" | Oana Cornea
| style="width:40%" valign="middle" height="30" bgcolor="#EEEEEE" align="center" colspan="0" | Introduction to the OWASP Bucharest Event, Schedule for the Day
|-
| style="width:10%" valign="middle" height="30" bgcolor="#EEEEEE" align="center" colspan="0" | 9:15 - 9:45 (30 mins)
| style="width:25%" valign="middle" height="30" bgcolor="#EEEEEE" align="center" colspan="0" | So you think you do security?
| style="width:25%" valign="middle" height="30" bgcolor="#EEEEEE" align="center" colspan="0" | [https://www.linkedin.com/in/martin-knobloch/ Martin Knobloch]
| style="width:40%" valign="middle" height="30" bgcolor="#EEEEEE" align="justify" colspan="0" | Security is hot and we get all the fancy old and new titles: Chief Information Security Officer, Security Archtect, Security Tester, Security Engineer, Security and Risk Auditor! Of course, now the days you are falling behind if you do not have cyber in your title or job description, giving us the possibility of more fancy titles as for exampel 'Cyer security expert'! And we all doing security, right? Really, do you think you 'do security'?
As if compliancy has not been complex enough, let's add privacy vs security and don't forgeth moving to cloud and serverless architectures. Do you still think you are in control? Let me lift the smoke screen of cyber security obscurity and show you how to do security right! Getting in control buttom up and top down (is there really a choice), by building alliances, sharing knowledge and deligate responsibilities. Not the least by setting the right examples!
Let me show you an holistic but practical aproach adding security to your business responsibilityies and development metrics. Get control by let go and enable scalable security for your software factories. How to manage security in traditional waterfall and project centric envirnoments and how to scale in the agile worlds of DevOps and CD/CI!
|-
| style="width:10%" valign="middle" height="30" bgcolor="#EEEEEE" align="center" colspan="0" | 9:45 - 10:30 (45 mins)
| style="width:25%" valign="middle" height="30" bgcolor="#EEEEEE" align="center" colspan="0" | [https://slides.com/simpson/browsers-for-better-or-worse-owasp/#/ Browsers - For better or worse ...]
| style="width:25%" valign="middle" height="30" bgcolor="#EEEEEE" align="center" colspan="0" | [https://pt.linkedin.com/in/simpsonpt Renato Rodrigues]
| style="width:40%" valign="middle" height="30" bgcolor="#EEEEEE" align="justify" colspan="0" | It is no news that security is under close scrutiny of the public eye. Everyone is on alert for the latest database leak, closely tracking the updates on the business losing millions on a hack or digging deep into the web to find ways to stay protected. In this presentation, we'll tap into the role browsers play from the security practices perspective - regarding defense and browsers as attack platforms. While some of the tricks covered in this presentation will be recognizable for most in the community, others are still kept away from the limelight. Hopefully, in the end, you will be able to take something new for your assessments.
|-
| style="width:10%" valign="middle" height="30" bgcolor="#EEEEEE" align="center" colspan="0" | 10:45 - 11:30 (45 mins)
| style="width:25%" valign="middle" height="30" bgcolor="#EEEEEE" align="center" colspan="0" | [https://www.owasp.org/images/a/ac/Access_control%2C_REST_and_sessions.pdf Access control, REST and sessions]

| style="width:25%" valign="middle" height="30" bgcolor="#EEEEEE" align="center" colspan="0" | [https://www.linkedin.com/in/johanpeeters Johan Peeters]
| style="width:40%" valign="middle" height="30" bgcolor="#EEEEEE" align="justify" colspan="0" |There is a lot of confusion surrounding REST, state, sessions, and the implications for access control. Let’s clear this up. 
REST services are stateless. In other words, there are no sessions between REST API producers and consumers. Given the difficulties of securing sessions, this is A Good Thing from a security perspective. 
Access to REST APIs is incumbent on the presentation of a valid security token. Typically, this is an access token issued by an OAuth authorization server. The authZ server maintains a session with the user agent so that the user does not need to re-authenticate each time a new access token is needed. This is not entirely unproblematic, as will be illustrated through a discussion of logout and the tenuous implementation of silent authentication in client libraries. Conversely, I will argue for leveraging authorization server sessions to raise the consent game to a level where it truly serves the interests of the user. 
In summary, while REST APIs are stateless and do not maintain a session, access control architectures *do* rely on sessions trying to provide a good user experience while enforcing authorization policies.

|-
| style="width:10%" valign="middle" height="30" bgcolor="#EEEEEE" align="center" colspan="0" | 11:45 - 12:30 (45 mins)
| style="width:25%" valign="middle" height="30" bgcolor="#EEEEEE" align="center" colspan="0" |[https://www.owasp.org/images/5/53/20181021_-_Cookies_vs_tokens_-_A_paradoxial_choice_%28AppSec_Bucharest%29_small.pdf Cookies versus tokens: a paradoxical choice]
| style="width:25%" valign="middle" height="30" bgcolor="#EEEEEE" align="center" colspan="0" | [https://www.linkedin.com/in/philippederyck/ Philippe De Ryck]
| style="width:40%" valign="middle" height="30" bgcolor="#EEEEEE" align="justify" colspan="0" |When you’re building Angular applications, you will need to figure out how to manage your user’s sessions. Back in the days, this used to be simple. But now, there are many different options, all with specific advantages and disadvantages. How can you make a sensible choice, and how will that impact the security of your application? 
This talk lays it out for you. We dive into the technicalities of cookies, JWT tokens and Authorization headers. You will learn how to assess your past choices, and how to substantiate future decisions.
|-
| style="width:10%" valign="middle" height="30" bgcolor="#CCEEEE" align="center" colspan="0" | 12:30 - 13:30 (60 mins)
| style="width:25%" valign="middle" height="30" bgcolor="#CCEEEE" align="center" colspan="3" |Lunch/Coffee Break
|-
| style="width:10%" valign="middle" height="30" bgcolor="#EEEEEE" align="center" colspan="0" | 13:30 - 14:15 (40 mins)
| style="width:25%" valign="middle" height="30" bgcolor="#EEEEEE" align="center" colspan="3" | Women in AppSec Panel 
[[Image:WiA_400x400.jpg | 50px ]]

|-
| style="width:10%" valign="middle" height="30" bgcolor="#EEEEEE" align="center" colspan="0" | 14:20 - 15:05 (45 mins)
| style="width:25%" valign="middle" height="30" bgcolor="#EEEEEE" align="center" colspan="0" | [https://www.owasp.org/images/1/14/Prezentare-Owasp-Ilca-Lucian-Florin.pptx Short A.V Evasion and Fast Incident Response]
| style="width:25%" valign="middle" height="30" bgcolor="#EEEEEE" align="center" colspan="0" | Lucian Ilca
| style="width:40%" valign="middle" height="30" bgcolor="#EEEEEE" align="justify" colspan="0" | The field of Anti-Virus Evasion and Fast Incident Response, combined with Malware Analysis comprises the art and science of dissecting malicious software using diverse tools like: FLARE, Cuckoo Sandbox or other forensics tools and response immediatly to any type of incident.
The study and analysis of these tools fall within the general purview of the broad disciplines of Digital Forensics, PSIRT, Cyber Security Operations and general principles of Reverse Engineering.
In this paper, we explore and discuss the current state of anti-virus evasion, malware analysis and fast incident response, .
Based on author research, he conclude that the domain of malware analysis, A.V Evasion and Fast Incident Response has effectively been relegated from the academic realm to the domain of the practitioner's skill set.
For the final presentation, author will show how you can respond to an incident and how to protect your environment for new attacks. 
|-
| style="width:10%" valign="middle" height="30" bgcolor="#CCEEEE" align="center" colspan="0" | 15:05 - 15:20 (15 mins)
| style="width:25%" valign="middle" height="30" bgcolor="#CCEEEE" align="center" colspan="3" | Coffee break
|-
| style="width:10%" valign="middle" height="30" bgcolor="#EEEEEE" align="center" colspan="0" | 15:20 - 16:05 (45 mins)
| style="width:25%" valign="middle" height="30" bgcolor="#EEEEEE" align="center" colspan="0" | [https://www.owasp.org/images/5/53/OWASP_CTI_Presentation_Calita_Cristi.pptx Secure your cyber battlefield leveraging cyber threat intelligence]
| style="width:25%" valign="middle" height="30" bgcolor="#EEEEEE" align="center" colspan="0" | Cristian Calita
| style="width:40%" valign="middle" height="30" bgcolor="#EEEEEE" align="justify" colspan="0" | Cyber crime, Cyber environment, Cyber activities, Cyber security, etc - Cyber is the new black. Therefore cyber threat intelligence (CTI) was expected to arise. 
As web applications are important pieces of the operational environment - at least to the fact that these may be entry points into internal networks, one of the CTI's goals is to keep the defenders (e.g. application security architects, application developers, etc) and stakeholders ahead threats and adversaries by feeding them with the missing piece from their knowledge. The presentation provides details on how this goal could be achieved.
|-
| style="width:10%" valign="middle" height="30" bgcolor="#EEEEEE" align="center" colspan="0" | 16:05 - 16:50 (45 mins)
| style="width:25%" valign="middle" height="30" bgcolor="#EEEEEE" align="center" colspan="0" | [https://www.owasp.org/images/6/66/Automating_Security_Operations_using_Phantom.pptx Automating Security Operations using Phantom]
| style="width:25%" valign="middle" height="30" bgcolor="#EEEEEE" align="center" colspan="0" | Isabella Minca
| style="width:40%" valign="middle" height="30" bgcolor="#EEEEEE" align="justify" colspan="0" | Our challenge consists in working with a SIEM which manages over 30 TB of logs per day and over 100 different types of Security Alerts, triggered based on the logs. Challenge accepted! This presentation aims to reveal our efforts towards automating Security Alerts triaging workflow using a Python based tool, Phantom. We investigate further and decide upon the actions needed in order to remediate the vulnerabilities. A wide range of workflow actions can be automated, such as running searches or scripts that enrich alert data, reporting and proactively resolving security misconfigurations using various app integrations like Exchange, Slack and Jira. While the adoption of such an initiative is not a quick win but a bumpy road, it easily results in translating the day-to-day Security Operations Center work into a highly scalable, automated and tailored approach when it comes to dealing with the threat landscape! As a consequence, the whole organisation is moving towards a world of SecDevOps.
|-
| style="width:10%" valign="middle" height="30" bgcolor="#CCEEEE" align="center" colspan="0" | 16:50 - 17:00 (15 mins)
| style="width:25%" valign="middle" height="30" bgcolor="#CCEEEE" align="center" colspan="0" | Closing ceremony
| style="width:25%" valign="middle" height="30" bgcolor="#CCEEEE" align="center" colspan="0" | OWASP Bucharest team
| style="width:40%" valign="middle" height="30" bgcolor="#CCEEEE" align="center" colspan="0" | CTF Prizes
|-
|}

File:Prezentare-Owasp-Ilca-Lucian-Florin.pptx

2018-10-28T16:22:58Z

Oana Cornea:

OWASP Bucharest AppSec Conference 2018 Agenda Talks

2018-10-28T16:21:21Z

Oana Cornea:

{|style="vertical-align:top;width:90%;background-color:#white;padding:10px;border:1px solid silver;" align="center" cellspacing="4"
| style="width:100%" valign="middle" height="40" bgcolor="#CCCCEE" align="center" colspan="6" | <h2>Conference agenda, 26th of October </h2>
|-
| style="width:10%" valign="middle" height="30" bgcolor="#CCCCEE" align="center" colspan="0" | '''Time'''
| style="width:25%" valign="middle" height="30" bgcolor="#CCCCEE" align="center" colspan="0" | '''Title'''
| style="width:25%" valign="middle" height="30" bgcolor="#CCCCEE" align="center" colspan="0" | '''Speaker'''
| style="width:40%" valign="middle" height="30" bgcolor="#CCCCEE" align="center" colspan="0" | '''Description'''
|-
| style="width:10%" valign="middle" height="30" bgcolor="#CCEEEE" align="center" colspan="0" | 8:30 - 9:00 (30 mins)
| style="width:25%" valign="middle" height="30" bgcolor="#CCEEEE" align="center" colspan="3" | Registration and coffee break

|-
| style="width:10%" valign="middle" height="30" bgcolor="#EEEEEE" align="center" colspan="0" | 9:00 - 9:15 (15 mins)
| style="width:25%" valign="middle" height="30" bgcolor="#EEEEEE" align="center" colspan="0" | Introduction
| style="width:25%" valign="middle" height="30" bgcolor="#EEEEEE" align="center" colspan="0" | Oana Cornea
| style="width:40%" valign="middle" height="30" bgcolor="#EEEEEE" align="center" colspan="0" | Introduction to the OWASP Bucharest Event, Schedule for the Day
|-
| style="width:10%" valign="middle" height="30" bgcolor="#EEEEEE" align="center" colspan="0" | 9:15 - 9:45 (30 mins)
| style="width:25%" valign="middle" height="30" bgcolor="#EEEEEE" align="center" colspan="0" | So you think you do security?
| style="width:25%" valign="middle" height="30" bgcolor="#EEEEEE" align="center" colspan="0" | [https://www.linkedin.com/in/martin-knobloch/ Martin Knobloch]
| style="width:40%" valign="middle" height="30" bgcolor="#EEEEEE" align="justify" colspan="0" | Security is hot and we get all the fancy old and new titles: Chief Information Security Officer, Security Archtect, Security Tester, Security Engineer, Security and Risk Auditor! Of course, now the days you are falling behind if you do not have cyber in your title or job description, giving us the possibility of more fancy titles as for exampel 'Cyer security expert'! And we all doing security, right? Really, do you think you 'do security'?
As if compliancy has not been complex enough, let's add privacy vs security and don't forgeth moving to cloud and serverless architectures. Do you still think you are in control? Let me lift the smoke screen of cyber security obscurity and show you how to do security right! Getting in control buttom up and top down (is there really a choice), by building alliances, sharing knowledge and deligate responsibilities. Not the least by setting the right examples!
Let me show you an holistic but practical aproach adding security to your business responsibilityies and development metrics. Get control by let go and enable scalable security for your software factories. How to manage security in traditional waterfall and project centric envirnoments and how to scale in the agile worlds of DevOps and CD/CI!
|-
| style="width:10%" valign="middle" height="30" bgcolor="#EEEEEE" align="center" colspan="0" | 9:45 - 10:30 (45 mins)
| style="width:25%" valign="middle" height="30" bgcolor="#EEEEEE" align="center" colspan="0" | Browsers - For better or worse ...
| style="width:25%" valign="middle" height="30" bgcolor="#EEEEEE" align="center" colspan="0" | [https://pt.linkedin.com/in/simpsonpt Renato Rodrigues]
| style="width:40%" valign="middle" height="30" bgcolor="#EEEEEE" align="justify" colspan="0" | It is no news that security is under close scrutiny of the public eye. Everyone is on alert for the latest database leak, closely tracking the updates on the business losing millions on a hack or digging deep into the web to find ways to stay protected. In this presentation, we'll tap into the role browsers play from the security practices perspective - regarding defense and browsers as attack platforms. While some of the tricks covered in this presentation will be recognizable for most in the community, others are still kept away from the limelight. Hopefully, in the end, you will be able to take something new for your assessments.
|-
| style="width:10%" valign="middle" height="30" bgcolor="#EEEEEE" align="center" colspan="0" | 10:45 - 11:30 (45 mins)
| style="width:25%" valign="middle" height="30" bgcolor="#EEEEEE" align="center" colspan="0" | [https://www.owasp.org/images/a/ac/Access_control%2C_REST_and_sessions.pdf Access control, REST and sessions]

| style="width:25%" valign="middle" height="30" bgcolor="#EEEEEE" align="center" colspan="0" | [https://www.linkedin.com/in/johanpeeters Johan Peeters]
| style="width:40%" valign="middle" height="30" bgcolor="#EEEEEE" align="justify" colspan="0" |There is a lot of confusion surrounding REST, state, sessions, and the implications for access control. Let’s clear this up. 
REST services are stateless. In other words, there are no sessions between REST API producers and consumers. Given the difficulties of securing sessions, this is A Good Thing from a security perspective. 
Access to REST APIs is incumbent on the presentation of a valid security token. Typically, this is an access token issued by an OAuth authorization server. The authZ server maintains a session with the user agent so that the user does not need to re-authenticate each time a new access token is needed. This is not entirely unproblematic, as will be illustrated through a discussion of logout and the tenuous implementation of silent authentication in client libraries. Conversely, I will argue for leveraging authorization server sessions to raise the consent game to a level where it truly serves the interests of the user. 
In summary, while REST APIs are stateless and do not maintain a session, access control architectures *do* rely on sessions trying to provide a good user experience while enforcing authorization policies.

|-
| style="width:10%" valign="middle" height="30" bgcolor="#EEEEEE" align="center" colspan="0" | 11:45 - 12:30 (45 mins)
| style="width:25%" valign="middle" height="30" bgcolor="#EEEEEE" align="center" colspan="0" |[https://www.owasp.org/images/5/53/20181021_-_Cookies_vs_tokens_-_A_paradoxial_choice_%28AppSec_Bucharest%29_small.pdf Cookies versus tokens: a paradoxical choice]
| style="width:25%" valign="middle" height="30" bgcolor="#EEEEEE" align="center" colspan="0" | [https://www.linkedin.com/in/philippederyck/ Philippe De Ryck]
| style="width:40%" valign="middle" height="30" bgcolor="#EEEEEE" align="justify" colspan="0" |When you’re building Angular applications, you will need to figure out how to manage your user’s sessions. Back in the days, this used to be simple. But now, there are many different options, all with specific advantages and disadvantages. How can you make a sensible choice, and how will that impact the security of your application? 
This talk lays it out for you. We dive into the technicalities of cookies, JWT tokens and Authorization headers. You will learn how to assess your past choices, and how to substantiate future decisions.
|-
| style="width:10%" valign="middle" height="30" bgcolor="#CCEEEE" align="center" colspan="0" | 12:30 - 13:30 (60 mins)
| style="width:25%" valign="middle" height="30" bgcolor="#CCEEEE" align="center" colspan="3" |Lunch/Coffee Break
|-
| style="width:10%" valign="middle" height="30" bgcolor="#EEEEEE" align="center" colspan="0" | 13:30 - 14:15 (40 mins)
| style="width:25%" valign="middle" height="30" bgcolor="#EEEEEE" align="center" colspan="3" | Women in AppSec Panel 
[[Image:WiA_400x400.jpg | 50px ]]

|-
| style="width:10%" valign="middle" height="30" bgcolor="#EEEEEE" align="center" colspan="0" | 14:20 - 15:05 (45 mins)
| style="width:25%" valign="middle" height="30" bgcolor="#EEEEEE" align="center" colspan="0" | Short A.V Evasion and Fast Incident Response
| style="width:25%" valign="middle" height="30" bgcolor="#EEEEEE" align="center" colspan="0" | Lucian Ilca
| style="width:40%" valign="middle" height="30" bgcolor="#EEEEEE" align="justify" colspan="0" | The field of Anti-Virus Evasion and Fast Incident Response, combined with Malware Analysis comprises the art and science of dissecting malicious software using diverse tools like: FLARE, Cuckoo Sandbox or other forensics tools and response immediatly to any type of incident.
The study and analysis of these tools fall within the general purview of the broad disciplines of Digital Forensics, PSIRT, Cyber Security Operations and general principles of Reverse Engineering.
In this paper, we explore and discuss the current state of anti-virus evasion, malware analysis and fast incident response, .
Based on author research, he conclude that the domain of malware analysis, A.V Evasion and Fast Incident Response has effectively been relegated from the academic realm to the domain of the practitioner's skill set.
For the final presentation, author will show how you can respond to an incident and how to protect your environment for new attacks. 
|-
| style="width:10%" valign="middle" height="30" bgcolor="#CCEEEE" align="center" colspan="0" | 15:05 - 15:20 (15 mins)
| style="width:25%" valign="middle" height="30" bgcolor="#CCEEEE" align="center" colspan="3" | Coffee break
|-
| style="width:10%" valign="middle" height="30" bgcolor="#EEEEEE" align="center" colspan="0" | 15:20 - 16:05 (45 mins)
| style="width:25%" valign="middle" height="30" bgcolor="#EEEEEE" align="center" colspan="0" | [https://www.owasp.org/images/5/53/OWASP_CTI_Presentation_Calita_Cristi.pptx Secure your cyber battlefield leveraging cyber threat intelligence]
| style="width:25%" valign="middle" height="30" bgcolor="#EEEEEE" align="center" colspan="0" | Cristian Calita
| style="width:40%" valign="middle" height="30" bgcolor="#EEEEEE" align="justify" colspan="0" | Cyber crime, Cyber environment, Cyber activities, Cyber security, etc - Cyber is the new black. Therefore cyber threat intelligence (CTI) was expected to arise. 
As web applications are important pieces of the operational environment - at least to the fact that these may be entry points into internal networks, one of the CTI's goals is to keep the defenders (e.g. application security architects, application developers, etc) and stakeholders ahead threats and adversaries by feeding them with the missing piece from their knowledge. The presentation provides details on how this goal could be achieved.
|-
| style="width:10%" valign="middle" height="30" bgcolor="#EEEEEE" align="center" colspan="0" | 16:05 - 16:50 (45 mins)
| style="width:25%" valign="middle" height="30" bgcolor="#EEEEEE" align="center" colspan="0" | [https://www.owasp.org/images/6/66/Automating_Security_Operations_using_Phantom.pptx Automating Security Operations using Phantom]
| style="width:25%" valign="middle" height="30" bgcolor="#EEEEEE" align="center" colspan="0" | Isabella Minca
| style="width:40%" valign="middle" height="30" bgcolor="#EEEEEE" align="justify" colspan="0" | Our challenge consists in working with a SIEM which manages over 30 TB of logs per day and over 100 different types of Security Alerts, triggered based on the logs. Challenge accepted! This presentation aims to reveal our efforts towards automating Security Alerts triaging workflow using a Python based tool, Phantom. We investigate further and decide upon the actions needed in order to remediate the vulnerabilities. A wide range of workflow actions can be automated, such as running searches or scripts that enrich alert data, reporting and proactively resolving security misconfigurations using various app integrations like Exchange, Slack and Jira. While the adoption of such an initiative is not a quick win but a bumpy road, it easily results in translating the day-to-day Security Operations Center work into a highly scalable, automated and tailored approach when it comes to dealing with the threat landscape! As a consequence, the whole organisation is moving towards a world of SecDevOps.
|-
| style="width:10%" valign="middle" height="30" bgcolor="#CCEEEE" align="center" colspan="0" | 16:50 - 17:00 (15 mins)
| style="width:25%" valign="middle" height="30" bgcolor="#CCEEEE" align="center" colspan="0" | Closing ceremony
| style="width:25%" valign="middle" height="30" bgcolor="#CCEEEE" align="center" colspan="0" | OWASP Bucharest team
| style="width:40%" valign="middle" height="30" bgcolor="#CCEEEE" align="center" colspan="0" | CTF Prizes
|-
|}

File:Automating Security Operations using Phantom.pptx

2018-10-28T16:18:48Z

Oana Cornea:

OWASP Bucharest AppSec Conference 2018 Agenda Talks

2018-10-28T16:18:23Z

Oana Cornea:

{|style="vertical-align:top;width:90%;background-color:#white;padding:10px;border:1px solid silver;" align="center" cellspacing="4"
| style="width:100%" valign="middle" height="40" bgcolor="#CCCCEE" align="center" colspan="6" | <h2>Conference agenda, 26th of October </h2>
|-
| style="width:10%" valign="middle" height="30" bgcolor="#CCCCEE" align="center" colspan="0" | '''Time'''
| style="width:25%" valign="middle" height="30" bgcolor="#CCCCEE" align="center" colspan="0" | '''Title'''
| style="width:25%" valign="middle" height="30" bgcolor="#CCCCEE" align="center" colspan="0" | '''Speaker'''
| style="width:40%" valign="middle" height="30" bgcolor="#CCCCEE" align="center" colspan="0" | '''Description'''
|-
| style="width:10%" valign="middle" height="30" bgcolor="#CCEEEE" align="center" colspan="0" | 8:30 - 9:00 (30 mins)
| style="width:25%" valign="middle" height="30" bgcolor="#CCEEEE" align="center" colspan="3" | Registration and coffee break

|-
| style="width:10%" valign="middle" height="30" bgcolor="#EEEEEE" align="center" colspan="0" | 9:00 - 9:15 (15 mins)
| style="width:25%" valign="middle" height="30" bgcolor="#EEEEEE" align="center" colspan="0" | Introduction
| style="width:25%" valign="middle" height="30" bgcolor="#EEEEEE" align="center" colspan="0" | Oana Cornea
| style="width:40%" valign="middle" height="30" bgcolor="#EEEEEE" align="center" colspan="0" | Introduction to the OWASP Bucharest Event, Schedule for the Day
|-
| style="width:10%" valign="middle" height="30" bgcolor="#EEEEEE" align="center" colspan="0" | 9:15 - 9:45 (30 mins)
| style="width:25%" valign="middle" height="30" bgcolor="#EEEEEE" align="center" colspan="0" | So you think you do security?
| style="width:25%" valign="middle" height="30" bgcolor="#EEEEEE" align="center" colspan="0" | [https://www.linkedin.com/in/martin-knobloch/ Martin Knobloch]
| style="width:40%" valign="middle" height="30" bgcolor="#EEEEEE" align="justify" colspan="0" | Security is hot and we get all the fancy old and new titles: Chief Information Security Officer, Security Archtect, Security Tester, Security Engineer, Security and Risk Auditor! Of course, now the days you are falling behind if you do not have cyber in your title or job description, giving us the possibility of more fancy titles as for exampel 'Cyer security expert'! And we all doing security, right? Really, do you think you 'do security'?
As if compliancy has not been complex enough, let's add privacy vs security and don't forgeth moving to cloud and serverless architectures. Do you still think you are in control? Let me lift the smoke screen of cyber security obscurity and show you how to do security right! Getting in control buttom up and top down (is there really a choice), by building alliances, sharing knowledge and deligate responsibilities. Not the least by setting the right examples!
Let me show you an holistic but practical aproach adding security to your business responsibilityies and development metrics. Get control by let go and enable scalable security for your software factories. How to manage security in traditional waterfall and project centric envirnoments and how to scale in the agile worlds of DevOps and CD/CI!
|-
| style="width:10%" valign="middle" height="30" bgcolor="#EEEEEE" align="center" colspan="0" | 9:45 - 10:30 (45 mins)
| style="width:25%" valign="middle" height="30" bgcolor="#EEEEEE" align="center" colspan="0" | Browsers - For better or worse ...
| style="width:25%" valign="middle" height="30" bgcolor="#EEEEEE" align="center" colspan="0" | [https://pt.linkedin.com/in/simpsonpt Renato Rodrigues]
| style="width:40%" valign="middle" height="30" bgcolor="#EEEEEE" align="justify" colspan="0" | It is no news that security is under close scrutiny of the public eye. Everyone is on alert for the latest database leak, closely tracking the updates on the business losing millions on a hack or digging deep into the web to find ways to stay protected. In this presentation, we'll tap into the role browsers play from the security practices perspective - regarding defense and browsers as attack platforms. While some of the tricks covered in this presentation will be recognizable for most in the community, others are still kept away from the limelight. Hopefully, in the end, you will be able to take something new for your assessments.
|-
| style="width:10%" valign="middle" height="30" bgcolor="#EEEEEE" align="center" colspan="0" | 10:45 - 11:30 (45 mins)
| style="width:25%" valign="middle" height="30" bgcolor="#EEEEEE" align="center" colspan="0" | [https://www.owasp.org/images/a/ac/Access_control%2C_REST_and_sessions.pdf Access control, REST and sessions]

| style="width:25%" valign="middle" height="30" bgcolor="#EEEEEE" align="center" colspan="0" | [https://www.linkedin.com/in/johanpeeters Johan Peeters]
| style="width:40%" valign="middle" height="30" bgcolor="#EEEEEE" align="justify" colspan="0" |There is a lot of confusion surrounding REST, state, sessions, and the implications for access control. Let’s clear this up. 
REST services are stateless. In other words, there are no sessions between REST API producers and consumers. Given the difficulties of securing sessions, this is A Good Thing from a security perspective. 
Access to REST APIs is incumbent on the presentation of a valid security token. Typically, this is an access token issued by an OAuth authorization server. The authZ server maintains a session with the user agent so that the user does not need to re-authenticate each time a new access token is needed. This is not entirely unproblematic, as will be illustrated through a discussion of logout and the tenuous implementation of silent authentication in client libraries. Conversely, I will argue for leveraging authorization server sessions to raise the consent game to a level where it truly serves the interests of the user. 
In summary, while REST APIs are stateless and do not maintain a session, access control architectures *do* rely on sessions trying to provide a good user experience while enforcing authorization policies.

|-
| style="width:10%" valign="middle" height="30" bgcolor="#EEEEEE" align="center" colspan="0" | 11:45 - 12:30 (45 mins)
| style="width:25%" valign="middle" height="30" bgcolor="#EEEEEE" align="center" colspan="0" |[https://www.owasp.org/images/5/53/20181021_-_Cookies_vs_tokens_-_A_paradoxial_choice_%28AppSec_Bucharest%29_small.pdf Cookies versus tokens: a paradoxical choice]
| style="width:25%" valign="middle" height="30" bgcolor="#EEEEEE" align="center" colspan="0" | [https://www.linkedin.com/in/philippederyck/ Philippe De Ryck]
| style="width:40%" valign="middle" height="30" bgcolor="#EEEEEE" align="justify" colspan="0" |When you’re building Angular applications, you will need to figure out how to manage your user’s sessions. Back in the days, this used to be simple. But now, there are many different options, all with specific advantages and disadvantages. How can you make a sensible choice, and how will that impact the security of your application? 
This talk lays it out for you. We dive into the technicalities of cookies, JWT tokens and Authorization headers. You will learn how to assess your past choices, and how to substantiate future decisions.
|-
| style="width:10%" valign="middle" height="30" bgcolor="#CCEEEE" align="center" colspan="0" | 12:30 - 13:30 (60 mins)
| style="width:25%" valign="middle" height="30" bgcolor="#CCEEEE" align="center" colspan="3" |Lunch/Coffee Break
|-
| style="width:10%" valign="middle" height="30" bgcolor="#EEEEEE" align="center" colspan="0" | 13:30 - 14:15 (40 mins)
| style="width:25%" valign="middle" height="30" bgcolor="#EEEEEE" align="center" colspan="3" | Women in AppSec Panel 
[[Image:WiA_400x400.jpg | 50px ]]

|-
| style="width:10%" valign="middle" height="30" bgcolor="#EEEEEE" align="center" colspan="0" | 14:20 - 15:05 (45 mins)
| style="width:25%" valign="middle" height="30" bgcolor="#EEEEEE" align="center" colspan="0" | Short A.V Evasion and Fast Incident Response
| style="width:25%" valign="middle" height="30" bgcolor="#EEEEEE" align="center" colspan="0" | Lucian Ilca
| style="width:40%" valign="middle" height="30" bgcolor="#EEEEEE" align="justify" colspan="0" | The field of Anti-Virus Evasion and Fast Incident Response, combined with Malware Analysis comprises the art and science of dissecting malicious software using diverse tools like: FLARE, Cuckoo Sandbox or other forensics tools and response immediatly to any type of incident.
The study and analysis of these tools fall within the general purview of the broad disciplines of Digital Forensics, PSIRT, Cyber Security Operations and general principles of Reverse Engineering.
In this paper, we explore and discuss the current state of anti-virus evasion, malware analysis and fast incident response, .
Based on author research, he conclude that the domain of malware analysis, A.V Evasion and Fast Incident Response has effectively been relegated from the academic realm to the domain of the practitioner's skill set.
For the final presentation, author will show how you can respond to an incident and how to protect your environment for new attacks. 
|-
| style="width:10%" valign="middle" height="30" bgcolor="#CCEEEE" align="center" colspan="0" | 15:05 - 15:20 (15 mins)
| style="width:25%" valign="middle" height="30" bgcolor="#CCEEEE" align="center" colspan="3" | Coffee break
|-
| style="width:10%" valign="middle" height="30" bgcolor="#EEEEEE" align="center" colspan="0" | 15:20 - 16:05 (45 mins)
| style="width:25%" valign="middle" height="30" bgcolor="#EEEEEE" align="center" colspan="0" | [https://www.owasp.org/images/5/53/OWASP_CTI_Presentation_Calita_Cristi.pptx Secure your cyber battlefield leveraging cyber threat intelligence]
| style="width:25%" valign="middle" height="30" bgcolor="#EEEEEE" align="center" colspan="0" | Cristian Calita
| style="width:40%" valign="middle" height="30" bgcolor="#EEEEEE" align="justify" colspan="0" | Cyber crime, Cyber environment, Cyber activities, Cyber security, etc - Cyber is the new black. Therefore cyber threat intelligence (CTI) was expected to arise. 
As web applications are important pieces of the operational environment - at least to the fact that these may be entry points into internal networks, one of the CTI's goals is to keep the defenders (e.g. application security architects, application developers, etc) and stakeholders ahead threats and adversaries by feeding them with the missing piece from their knowledge. The presentation provides details on how this goal could be achieved.
|-
| style="width:10%" valign="middle" height="30" bgcolor="#EEEEEE" align="center" colspan="0" | 16:05 - 16:50 (45 mins)
| style="width:25%" valign="middle" height="30" bgcolor="#EEEEEE" align="center" colspan="0" | Automating Security Operations using Phantom
| style="width:25%" valign="middle" height="30" bgcolor="#EEEEEE" align="center" colspan="0" | Isabella Minca
| style="width:40%" valign="middle" height="30" bgcolor="#EEEEEE" align="justify" colspan="0" | Our challenge consists in working with a SIEM which manages over 30 TB of logs per day and over 100 different types of Security Alerts, triggered based on the logs. Challenge accepted! This presentation aims to reveal our efforts towards automating Security Alerts triaging workflow using a Python based tool, Phantom. We investigate further and decide upon the actions needed in order to remediate the vulnerabilities. A wide range of workflow actions can be automated, such as running searches or scripts that enrich alert data, reporting and proactively resolving security misconfigurations using various app integrations like Exchange, Slack and Jira. While the adoption of such an initiative is not a quick win but a bumpy road, it easily results in translating the day-to-day Security Operations Center work into a highly scalable, automated and tailored approach when it comes to dealing with the threat landscape! As a consequence, the whole organisation is moving towards a world of SecDevOps.
|-
| style="width:10%" valign="middle" height="30" bgcolor="#CCEEEE" align="center" colspan="0" | 16:50 - 17:00 (15 mins)
| style="width:25%" valign="middle" height="30" bgcolor="#CCEEEE" align="center" colspan="0" | Closing ceremony
| style="width:25%" valign="middle" height="30" bgcolor="#CCEEEE" align="center" colspan="0" | OWASP Bucharest team
| style="width:40%" valign="middle" height="30" bgcolor="#CCEEEE" align="center" colspan="0" | CTF Prizes
|-
|}

File:Access control, REST and sessions.pdf

2018-10-28T16:17:59Z

Oana Cornea:

OWASP Bucharest AppSec Conference 2018 Agenda Talks

2018-10-28T16:16:14Z

Oana Cornea:

{|style="vertical-align:top;width:90%;background-color:#white;padding:10px;border:1px solid silver;" align="center" cellspacing="4"
| style="width:100%" valign="middle" height="40" bgcolor="#CCCCEE" align="center" colspan="6" | <h2>Conference agenda, 26th of October </h2>
|-
| style="width:10%" valign="middle" height="30" bgcolor="#CCCCEE" align="center" colspan="0" | '''Time'''
| style="width:25%" valign="middle" height="30" bgcolor="#CCCCEE" align="center" colspan="0" | '''Title'''
| style="width:25%" valign="middle" height="30" bgcolor="#CCCCEE" align="center" colspan="0" | '''Speaker'''
| style="width:40%" valign="middle" height="30" bgcolor="#CCCCEE" align="center" colspan="0" | '''Description'''
|-
| style="width:10%" valign="middle" height="30" bgcolor="#CCEEEE" align="center" colspan="0" | 8:30 - 9:00 (30 mins)
| style="width:25%" valign="middle" height="30" bgcolor="#CCEEEE" align="center" colspan="3" | Registration and coffee break

|-
| style="width:10%" valign="middle" height="30" bgcolor="#EEEEEE" align="center" colspan="0" | 9:00 - 9:15 (15 mins)
| style="width:25%" valign="middle" height="30" bgcolor="#EEEEEE" align="center" colspan="0" | Introduction
| style="width:25%" valign="middle" height="30" bgcolor="#EEEEEE" align="center" colspan="0" | Oana Cornea
| style="width:40%" valign="middle" height="30" bgcolor="#EEEEEE" align="center" colspan="0" | Introduction to the OWASP Bucharest Event, Schedule for the Day
|-
| style="width:10%" valign="middle" height="30" bgcolor="#EEEEEE" align="center" colspan="0" | 9:15 - 9:45 (30 mins)
| style="width:25%" valign="middle" height="30" bgcolor="#EEEEEE" align="center" colspan="0" | So you think you do security?
| style="width:25%" valign="middle" height="30" bgcolor="#EEEEEE" align="center" colspan="0" | [https://www.linkedin.com/in/martin-knobloch/ Martin Knobloch]
| style="width:40%" valign="middle" height="30" bgcolor="#EEEEEE" align="justify" colspan="0" | Security is hot and we get all the fancy old and new titles: Chief Information Security Officer, Security Archtect, Security Tester, Security Engineer, Security and Risk Auditor! Of course, now the days you are falling behind if you do not have cyber in your title or job description, giving us the possibility of more fancy titles as for exampel 'Cyer security expert'! And we all doing security, right? Really, do you think you 'do security'?
As if compliancy has not been complex enough, let's add privacy vs security and don't forgeth moving to cloud and serverless architectures. Do you still think you are in control? Let me lift the smoke screen of cyber security obscurity and show you how to do security right! Getting in control buttom up and top down (is there really a choice), by building alliances, sharing knowledge and deligate responsibilities. Not the least by setting the right examples!
Let me show you an holistic but practical aproach adding security to your business responsibilityies and development metrics. Get control by let go and enable scalable security for your software factories. How to manage security in traditional waterfall and project centric envirnoments and how to scale in the agile worlds of DevOps and CD/CI!
|-
| style="width:10%" valign="middle" height="30" bgcolor="#EEEEEE" align="center" colspan="0" | 9:45 - 10:30 (45 mins)
| style="width:25%" valign="middle" height="30" bgcolor="#EEEEEE" align="center" colspan="0" | Browsers - For better or worse ...
| style="width:25%" valign="middle" height="30" bgcolor="#EEEEEE" align="center" colspan="0" | [https://pt.linkedin.com/in/simpsonpt Renato Rodrigues]
| style="width:40%" valign="middle" height="30" bgcolor="#EEEEEE" align="justify" colspan="0" | It is no news that security is under close scrutiny of the public eye. Everyone is on alert for the latest database leak, closely tracking the updates on the business losing millions on a hack or digging deep into the web to find ways to stay protected. In this presentation, we'll tap into the role browsers play from the security practices perspective - regarding defense and browsers as attack platforms. While some of the tricks covered in this presentation will be recognizable for most in the community, others are still kept away from the limelight. Hopefully, in the end, you will be able to take something new for your assessments.
|-
| style="width:10%" valign="middle" height="30" bgcolor="#EEEEEE" align="center" colspan="0" | 10:45 - 11:30 (45 mins)
| style="width:25%" valign="middle" height="30" bgcolor="#EEEEEE" align="center" colspan="0" | Access control, REST and sessions

| style="width:25%" valign="middle" height="30" bgcolor="#EEEEEE" align="center" colspan="0" | [https://www.linkedin.com/in/johanpeeters Johan Peeters]
| style="width:40%" valign="middle" height="30" bgcolor="#EEEEEE" align="justify" colspan="0" |There is a lot of confusion surrounding REST, state, sessions, and the implications for access control. Let’s clear this up. 
REST services are stateless. In other words, there are no sessions between REST API producers and consumers. Given the difficulties of securing sessions, this is A Good Thing from a security perspective. 
Access to REST APIs is incumbent on the presentation of a valid security token. Typically, this is an access token issued by an OAuth authorization server. The authZ server maintains a session with the user agent so that the user does not need to re-authenticate each time a new access token is needed. This is not entirely unproblematic, as will be illustrated through a discussion of logout and the tenuous implementation of silent authentication in client libraries. Conversely, I will argue for leveraging authorization server sessions to raise the consent game to a level where it truly serves the interests of the user. 
In summary, while REST APIs are stateless and do not maintain a session, access control architectures *do* rely on sessions trying to provide a good user experience while enforcing authorization policies.

|-
| style="width:10%" valign="middle" height="30" bgcolor="#EEEEEE" align="center" colspan="0" | 11:45 - 12:30 (45 mins)
| style="width:25%" valign="middle" height="30" bgcolor="#EEEEEE" align="center" colspan="0" |[https://www.owasp.org/images/5/53/20181021_-_Cookies_vs_tokens_-_A_paradoxial_choice_%28AppSec_Bucharest%29_small.pdf Cookies versus tokens: a paradoxical choice]
| style="width:25%" valign="middle" height="30" bgcolor="#EEEEEE" align="center" colspan="0" | [https://www.linkedin.com/in/philippederyck/ Philippe De Ryck]
| style="width:40%" valign="middle" height="30" bgcolor="#EEEEEE" align="justify" colspan="0" |When you’re building Angular applications, you will need to figure out how to manage your user’s sessions. Back in the days, this used to be simple. But now, there are many different options, all with specific advantages and disadvantages. How can you make a sensible choice, and how will that impact the security of your application? 
This talk lays it out for you. We dive into the technicalities of cookies, JWT tokens and Authorization headers. You will learn how to assess your past choices, and how to substantiate future decisions.
|-
| style="width:10%" valign="middle" height="30" bgcolor="#CCEEEE" align="center" colspan="0" | 12:30 - 13:30 (60 mins)
| style="width:25%" valign="middle" height="30" bgcolor="#CCEEEE" align="center" colspan="3" |Lunch/Coffee Break
|-
| style="width:10%" valign="middle" height="30" bgcolor="#EEEEEE" align="center" colspan="0" | 13:30 - 14:15 (40 mins)
| style="width:25%" valign="middle" height="30" bgcolor="#EEEEEE" align="center" colspan="3" | Women in AppSec Panel 
[[Image:WiA_400x400.jpg | 50px ]]

|-
| style="width:10%" valign="middle" height="30" bgcolor="#EEEEEE" align="center" colspan="0" | 14:20 - 15:05 (45 mins)
| style="width:25%" valign="middle" height="30" bgcolor="#EEEEEE" align="center" colspan="0" | Short A.V Evasion and Fast Incident Response
| style="width:25%" valign="middle" height="30" bgcolor="#EEEEEE" align="center" colspan="0" | Lucian Ilca
| style="width:40%" valign="middle" height="30" bgcolor="#EEEEEE" align="justify" colspan="0" | The field of Anti-Virus Evasion and Fast Incident Response, combined with Malware Analysis comprises the art and science of dissecting malicious software using diverse tools like: FLARE, Cuckoo Sandbox or other forensics tools and response immediatly to any type of incident.
The study and analysis of these tools fall within the general purview of the broad disciplines of Digital Forensics, PSIRT, Cyber Security Operations and general principles of Reverse Engineering.
In this paper, we explore and discuss the current state of anti-virus evasion, malware analysis and fast incident response, .
Based on author research, he conclude that the domain of malware analysis, A.V Evasion and Fast Incident Response has effectively been relegated from the academic realm to the domain of the practitioner's skill set.
For the final presentation, author will show how you can respond to an incident and how to protect your environment for new attacks. 
|-
| style="width:10%" valign="middle" height="30" bgcolor="#CCEEEE" align="center" colspan="0" | 15:05 - 15:20 (15 mins)
| style="width:25%" valign="middle" height="30" bgcolor="#CCEEEE" align="center" colspan="3" | Coffee break
|-
| style="width:10%" valign="middle" height="30" bgcolor="#EEEEEE" align="center" colspan="0" | 15:20 - 16:05 (45 mins)
| style="width:25%" valign="middle" height="30" bgcolor="#EEEEEE" align="center" colspan="0" | [https://www.owasp.org/images/5/53/OWASP_CTI_Presentation_Calita_Cristi.pptx Secure your cyber battlefield leveraging cyber threat intelligence]
| style="width:25%" valign="middle" height="30" bgcolor="#EEEEEE" align="center" colspan="0" | Cristian Calita
| style="width:40%" valign="middle" height="30" bgcolor="#EEEEEE" align="justify" colspan="0" | Cyber crime, Cyber environment, Cyber activities, Cyber security, etc - Cyber is the new black. Therefore cyber threat intelligence (CTI) was expected to arise. 
As web applications are important pieces of the operational environment - at least to the fact that these may be entry points into internal networks, one of the CTI's goals is to keep the defenders (e.g. application security architects, application developers, etc) and stakeholders ahead threats and adversaries by feeding them with the missing piece from their knowledge. The presentation provides details on how this goal could be achieved.
|-
| style="width:10%" valign="middle" height="30" bgcolor="#EEEEEE" align="center" colspan="0" | 16:05 - 16:50 (45 mins)
| style="width:25%" valign="middle" height="30" bgcolor="#EEEEEE" align="center" colspan="0" | Automating Security Operations using Phantom
| style="width:25%" valign="middle" height="30" bgcolor="#EEEEEE" align="center" colspan="0" | Isabella Minca
| style="width:40%" valign="middle" height="30" bgcolor="#EEEEEE" align="justify" colspan="0" | Our challenge consists in working with a SIEM which manages over 30 TB of logs per day and over 100 different types of Security Alerts, triggered based on the logs. Challenge accepted! This presentation aims to reveal our efforts towards automating Security Alerts triaging workflow using a Python based tool, Phantom. We investigate further and decide upon the actions needed in order to remediate the vulnerabilities. A wide range of workflow actions can be automated, such as running searches or scripts that enrich alert data, reporting and proactively resolving security misconfigurations using various app integrations like Exchange, Slack and Jira. While the adoption of such an initiative is not a quick win but a bumpy road, it easily results in translating the day-to-day Security Operations Center work into a highly scalable, automated and tailored approach when it comes to dealing with the threat landscape! As a consequence, the whole organisation is moving towards a world of SecDevOps.
|-
| style="width:10%" valign="middle" height="30" bgcolor="#CCEEEE" align="center" colspan="0" | 16:50 - 17:00 (15 mins)
| style="width:25%" valign="middle" height="30" bgcolor="#CCEEEE" align="center" colspan="0" | Closing ceremony
| style="width:25%" valign="middle" height="30" bgcolor="#CCEEEE" align="center" colspan="0" | OWASP Bucharest team
| style="width:40%" valign="middle" height="30" bgcolor="#CCEEEE" align="center" colspan="0" | CTF Prizes
|-
|}

File:OWASP CTI Presentation Calita Cristi.pptx

2018-10-28T16:15:37Z

Oana Cornea:

OWASP Bucharest AppSec Conference 2018 Agenda Talks

2018-10-28T16:03:37Z

Oana Cornea:

{|style="vertical-align:top;width:90%;background-color:#white;padding:10px;border:1px solid silver;" align="center" cellspacing="4"
| style="width:100%" valign="middle" height="40" bgcolor="#CCCCEE" align="center" colspan="6" | <h2>Conference agenda, 26th of October </h2>
|-
| style="width:10%" valign="middle" height="30" bgcolor="#CCCCEE" align="center" colspan="0" | '''Time'''
| style="width:25%" valign="middle" height="30" bgcolor="#CCCCEE" align="center" colspan="0" | '''Title'''
| style="width:25%" valign="middle" height="30" bgcolor="#CCCCEE" align="center" colspan="0" | '''Speaker'''
| style="width:40%" valign="middle" height="30" bgcolor="#CCCCEE" align="center" colspan="0" | '''Description'''
|-
| style="width:10%" valign="middle" height="30" bgcolor="#CCEEEE" align="center" colspan="0" | 8:30 - 9:00 (30 mins)
| style="width:25%" valign="middle" height="30" bgcolor="#CCEEEE" align="center" colspan="3" | Registration and coffee break

|-
| style="width:10%" valign="middle" height="30" bgcolor="#EEEEEE" align="center" colspan="0" | 9:00 - 9:15 (15 mins)
| style="width:25%" valign="middle" height="30" bgcolor="#EEEEEE" align="center" colspan="0" | Introduction
| style="width:25%" valign="middle" height="30" bgcolor="#EEEEEE" align="center" colspan="0" | Oana Cornea
| style="width:40%" valign="middle" height="30" bgcolor="#EEEEEE" align="center" colspan="0" | Introduction to the OWASP Bucharest Event, Schedule for the Day
|-
| style="width:10%" valign="middle" height="30" bgcolor="#EEEEEE" align="center" colspan="0" | 9:15 - 9:45 (30 mins)
| style="width:25%" valign="middle" height="30" bgcolor="#EEEEEE" align="center" colspan="0" | So you think you do security?
| style="width:25%" valign="middle" height="30" bgcolor="#EEEEEE" align="center" colspan="0" | [https://www.linkedin.com/in/martin-knobloch/ Martin Knobloch]
| style="width:40%" valign="middle" height="30" bgcolor="#EEEEEE" align="justify" colspan="0" | Security is hot and we get all the fancy old and new titles: Chief Information Security Officer, Security Archtect, Security Tester, Security Engineer, Security and Risk Auditor! Of course, now the days you are falling behind if you do not have cyber in your title or job description, giving us the possibility of more fancy titles as for exampel 'Cyer security expert'! And we all doing security, right? Really, do you think you 'do security'?
As if compliancy has not been complex enough, let's add privacy vs security and don't forgeth moving to cloud and serverless architectures. Do you still think you are in control? Let me lift the smoke screen of cyber security obscurity and show you how to do security right! Getting in control buttom up and top down (is there really a choice), by building alliances, sharing knowledge and deligate responsibilities. Not the least by setting the right examples!
Let me show you an holistic but practical aproach adding security to your business responsibilityies and development metrics. Get control by let go and enable scalable security for your software factories. How to manage security in traditional waterfall and project centric envirnoments and how to scale in the agile worlds of DevOps and CD/CI!
|-
| style="width:10%" valign="middle" height="30" bgcolor="#EEEEEE" align="center" colspan="0" | 9:45 - 10:30 (45 mins)
| style="width:25%" valign="middle" height="30" bgcolor="#EEEEEE" align="center" colspan="0" | Browsers - For better or worse ...
| style="width:25%" valign="middle" height="30" bgcolor="#EEEEEE" align="center" colspan="0" | [https://pt.linkedin.com/in/simpsonpt Renato Rodrigues]
| style="width:40%" valign="middle" height="30" bgcolor="#EEEEEE" align="justify" colspan="0" | It is no news that security is under close scrutiny of the public eye. Everyone is on alert for the latest database leak, closely tracking the updates on the business losing millions on a hack or digging deep into the web to find ways to stay protected. In this presentation, we'll tap into the role browsers play from the security practices perspective - regarding defense and browsers as attack platforms. While some of the tricks covered in this presentation will be recognizable for most in the community, others are still kept away from the limelight. Hopefully, in the end, you will be able to take something new for your assessments.
|-
| style="width:10%" valign="middle" height="30" bgcolor="#EEEEEE" align="center" colspan="0" | 10:45 - 11:30 (45 mins)
| style="width:25%" valign="middle" height="30" bgcolor="#EEEEEE" align="center" colspan="0" | Access control, REST and sessions

| style="width:25%" valign="middle" height="30" bgcolor="#EEEEEE" align="center" colspan="0" | [https://www.linkedin.com/in/johanpeeters Johan Peeters]
| style="width:40%" valign="middle" height="30" bgcolor="#EEEEEE" align="justify" colspan="0" |There is a lot of confusion surrounding REST, state, sessions, and the implications for access control. Let’s clear this up. 
REST services are stateless. In other words, there are no sessions between REST API producers and consumers. Given the difficulties of securing sessions, this is A Good Thing from a security perspective. 
Access to REST APIs is incumbent on the presentation of a valid security token. Typically, this is an access token issued by an OAuth authorization server. The authZ server maintains a session with the user agent so that the user does not need to re-authenticate each time a new access token is needed. This is not entirely unproblematic, as will be illustrated through a discussion of logout and the tenuous implementation of silent authentication in client libraries. Conversely, I will argue for leveraging authorization server sessions to raise the consent game to a level where it truly serves the interests of the user. 
In summary, while REST APIs are stateless and do not maintain a session, access control architectures *do* rely on sessions trying to provide a good user experience while enforcing authorization policies.

|-
| style="width:10%" valign="middle" height="30" bgcolor="#EEEEEE" align="center" colspan="0" | 11:45 - 12:30 (45 mins)
| style="width:25%" valign="middle" height="30" bgcolor="#EEEEEE" align="center" colspan="0" |[https://www.owasp.org/images/5/53/20181021_-_Cookies_vs_tokens_-_A_paradoxial_choice_%28AppSec_Bucharest%29_small.pdf Cookies versus tokens: a paradoxical choice]
| style="width:25%" valign="middle" height="30" bgcolor="#EEEEEE" align="center" colspan="0" | [https://www.linkedin.com/in/philippederyck/ Philippe De Ryck]
| style="width:40%" valign="middle" height="30" bgcolor="#EEEEEE" align="justify" colspan="0" |When you’re building Angular applications, you will need to figure out how to manage your user’s sessions. Back in the days, this used to be simple. But now, there are many different options, all with specific advantages and disadvantages. How can you make a sensible choice, and how will that impact the security of your application? 
This talk lays it out for you. We dive into the technicalities of cookies, JWT tokens and Authorization headers. You will learn how to assess your past choices, and how to substantiate future decisions.
|-
| style="width:10%" valign="middle" height="30" bgcolor="#CCEEEE" align="center" colspan="0" | 12:30 - 13:30 (60 mins)
| style="width:25%" valign="middle" height="30" bgcolor="#CCEEEE" align="center" colspan="3" |Lunch/Coffee Break
|-
| style="width:10%" valign="middle" height="30" bgcolor="#EEEEEE" align="center" colspan="0" | 13:30 - 14:15 (40 mins)
| style="width:25%" valign="middle" height="30" bgcolor="#EEEEEE" align="center" colspan="3" | Women in AppSec Panel 
[[Image:WiA_400x400.jpg | 50px ]]

|-
| style="width:10%" valign="middle" height="30" bgcolor="#EEEEEE" align="center" colspan="0" | 14:20 - 15:05 (45 mins)
| style="width:25%" valign="middle" height="30" bgcolor="#EEEEEE" align="center" colspan="0" | Short A.V Evasion and Fast Incident Response
| style="width:25%" valign="middle" height="30" bgcolor="#EEEEEE" align="center" colspan="0" | Lucian Ilca
| style="width:40%" valign="middle" height="30" bgcolor="#EEEEEE" align="justify" colspan="0" | The field of Anti-Virus Evasion and Fast Incident Response, combined with Malware Analysis comprises the art and science of dissecting malicious software using diverse tools like: FLARE, Cuckoo Sandbox or other forensics tools and response immediatly to any type of incident.
The study and analysis of these tools fall within the general purview of the broad disciplines of Digital Forensics, PSIRT, Cyber Security Operations and general principles of Reverse Engineering.
In this paper, we explore and discuss the current state of anti-virus evasion, malware analysis and fast incident response, .
Based on author research, he conclude that the domain of malware analysis, A.V Evasion and Fast Incident Response has effectively been relegated from the academic realm to the domain of the practitioner's skill set.
For the final presentation, author will show how you can respond to an incident and how to protect your environment for new attacks. 
|-
| style="width:10%" valign="middle" height="30" bgcolor="#CCEEEE" align="center" colspan="0" | 15:05 - 15:20 (15 mins)
| style="width:25%" valign="middle" height="30" bgcolor="#CCEEEE" align="center" colspan="3" | Coffee break
|-
| style="width:10%" valign="middle" height="30" bgcolor="#EEEEEE" align="center" colspan="0" | 15:20 - 16:05 (45 mins)
| style="width:25%" valign="middle" height="30" bgcolor="#EEEEEE" align="center" colspan="0" | Secure your cyber battlefield leveraging cyber threat intelligence
| style="width:25%" valign="middle" height="30" bgcolor="#EEEEEE" align="center" colspan="0" | Cristian Calita
| style="width:40%" valign="middle" height="30" bgcolor="#EEEEEE" align="justify" colspan="0" | Cyber crime, Cyber environment, Cyber activities, Cyber security, etc - Cyber is the new black. Therefore cyber threat intelligence (CTI) was expected to arise. 
As web applications are important pieces of the operational environment - at least to the fact that these may be entry points into internal networks, one of the CTI's goals is to keep the defenders (e.g. application security architects, application developers, etc) and stakeholders ahead threats and adversaries by feeding them with the missing piece from their knowledge. The presentation provides details on how this goal could be achieved.
|-
| style="width:10%" valign="middle" height="30" bgcolor="#EEEEEE" align="center" colspan="0" | 16:05 - 16:50 (45 mins)
| style="width:25%" valign="middle" height="30" bgcolor="#EEEEEE" align="center" colspan="0" | Automating Security Operations using Phantom
| style="width:25%" valign="middle" height="30" bgcolor="#EEEEEE" align="center" colspan="0" | Isabella Minca
| style="width:40%" valign="middle" height="30" bgcolor="#EEEEEE" align="justify" colspan="0" | Our challenge consists in working with a SIEM which manages over 30 TB of logs per day and over 100 different types of Security Alerts, triggered based on the logs. Challenge accepted! This presentation aims to reveal our efforts towards automating Security Alerts triaging workflow using a Python based tool, Phantom. We investigate further and decide upon the actions needed in order to remediate the vulnerabilities. A wide range of workflow actions can be automated, such as running searches or scripts that enrich alert data, reporting and proactively resolving security misconfigurations using various app integrations like Exchange, Slack and Jira. While the adoption of such an initiative is not a quick win but a bumpy road, it easily results in translating the day-to-day Security Operations Center work into a highly scalable, automated and tailored approach when it comes to dealing with the threat landscape! As a consequence, the whole organisation is moving towards a world of SecDevOps.
|-
| style="width:10%" valign="middle" height="30" bgcolor="#CCEEEE" align="center" colspan="0" | 16:50 - 17:00 (15 mins)
| style="width:25%" valign="middle" height="30" bgcolor="#CCEEEE" align="center" colspan="0" | Closing ceremony
| style="width:25%" valign="middle" height="30" bgcolor="#CCEEEE" align="center" colspan="0" | OWASP Bucharest team
| style="width:40%" valign="middle" height="30" bgcolor="#CCEEEE" align="center" colspan="0" | CTF Prizes
|-
|}

File:20181021 - Cookies vs tokens - A paradoxial choice (AppSec Bucharest) small.pdf

2018-10-28T16:02:28Z

Oana Cornea:

OWASP Bucharest AppSec Conference 2018 Sponsors

2018-10-22T04:20:15Z

Oana Cornea:

__NOTOC__

{| cellspacing="20" border="0" valign="middle" align="center" style="background: none repeat scroll 0% 0%; -moz-background-clip: border; -moz-background-origin: padding; -moz-background-inline-policy: continuous; color: white;"

|-
|  
|  
|  
|  
|  
|  
|  
|-
|  
|  
|  
| <h2>Diamond Sponsor</h2>
|  
|  
|  
|-
|  
|  
|  
| [[Image:Fitbit-logo.png|400px|center|link=https://fitbit.com]]
|  
|  
|  
|-
|  
|  
|  
| <h2>Platinum Sponsors</h2>
|  
|  
|  
|-
|  
|  
|  
| [[Image:Logo CMYK.JPG| 250px|center |link=https://atos.net/ro/romania]]
|  
|  
|  
|-
|  
|  
|  
| <h2>Gold Sponsor</h2>
|  
|  
|  
|-
|  
|  
|  
| [[Image:Endava Logo CMYK 300dpi-01.jpg| 300px|center |link=www.endava.com]]
|  
|  
|  
|-
|  
|  
|  
| <h2>CTF and Dinner Sponsor</h2>
|  
|  
|  
|-
|  
|  
|  
| [[Image:Adobe logoB.png| 100px|center |link=http://www.adobe.com/]]
|  
|  
|  
|-
|  
|  
|  
| <h2>Event Supporters</h2>
|  
|  
|  
|-
|  
|  
| [[Image:Infosec-conferences.png|250px|link=https://infosec-conferences.com/]]
| [[Image:RST.jpg|150px|center|link=https://rstforums.com/]]
| [[Image:SoftLead.png|200px|link=http://www.softlead.ro/]]
|  
|  
|-
|  
|  
| [[Image:Codette-logo-300x300.png|200px|link=https://codette.ro]]
| [[Image:Gwcr.png|200px|center|link=www.girlswhocode.ro]]
| [[Image:Mindgeek-logo.png |200px|center|link=https://www.mindgeek.com/]]
|  
|-
|  
|  
| [[Image:EU-cyberS.jpg|100px|center|link=https://cybersecuritymonth.eu/activities]]
| [[Image:CERT-RO banner.png|350px|center|link=https://www.cert.ro/]]
| [[Image:Logoanis.png|200px|center|link=https://www.anis.ro/]]
|  
|-
|  
|  
| [[Image:Agileworks-logo1.jpg| link=https://agileworks.ro/]]
|
|
|  
|-
|  
|  
|
|
|  
|  
|
|}

OWASP Bucharest AppSec Conference 2018 Workshops

2018-10-19T10:54:18Z

Oana Cornea:

OWASP Bucharest AppSec Conference 2018 Sponsors

2018-10-18T14:18:02Z

Oana Cornea:

__NOTOC__

{| cellspacing="20" border="0" valign="middle" align="center" style="background: none repeat scroll 0% 0%; -moz-background-clip: border; -moz-background-origin: padding; -moz-background-inline-policy: continuous; color: white;"

|-
|  
|  
|  
|  
|  
|  
|  
|-
|  
|  
|  
| <h2>Diamond Sponsor</h2>
|  
|  
|  
|-
|  
|  
|  
| [[Image:Fitbit-logo.png|400px|center|link=https://fitbit.com]]
|  
|  
|  
|-
|  
|  
|  
| <h2>Platinum Sponsors</h2>
|  
|  
|  
|-
|  
|  
|  
| [[Image:Logo CMYK.JPG| 250px|center |link=https://atos.net/ro/romania]]
|  
|  
|  
|-
|  
|  
|  
| <h2>Gold Sponsor</h2>
|  
|  
|  
|-
|  
|  
|  
| [[Image:Endava Logo CMYK 300dpi-01.jpg| 300px|center |link=www.endava.com]]
|  
|  
|  
|-
|  
|  
|  
| <h2>Silver Sponsor</h2>
|  
|  
|  
|-
|  
|  
|  
| [[Image:Hackerone-logo.png|350px|center|link=https://www.hackerone.com]]
|  
|  
|  
|-
|  
|  
|  
| <h2>CTF and Dinner Sponsor</h2>
|  
|  
|  
|-
|  
|  
|  
| [[Image:Adobe logoB.png| 100px|center |link=http://www.adobe.com/]]
|  
|  
|  
|-
|  
|  
|  
| <h2>Event Supporters</h2>
|  
|  
|  
|-
|  
|  
| [[Image:Infosec-conferences.png|250px|link=https://infosec-conferences.com/]]
| [[Image:RST.jpg|150px|center|link=https://rstforums.com/]]
| [[Image:SoftLead.png|200px|link=http://www.softlead.ro/]]
|  
|  
|-
|  
|  
| [[Image:Codette-logo-300x300.png|200px|link=https://codette.ro]]
| [[Image:Gwcr.png|200px|center|link=www.girlswhocode.ro]]
| [[Image:Mindgeek-logo.png |200px|center|link=https://www.mindgeek.com/]]
|  
|-
|  
|  
| [[Image:EU-cyberS.jpg|100px|center|link=https://cybersecuritymonth.eu/activities]]
| [[Image:CERT-RO banner.png|350px|center|link=https://www.cert.ro/]]
| [[Image:Logoanis.png|200px|center|link=https://www.anis.ro/]]
|  
|-
|  
|  
| [[Image:Agileworks-logo1.jpg| link=https://agileworks.ro/]]
|
|
|  
|-
|  
|  
|
|
|  
|  
|
|}

OWASP Bucharest AppSec Conference 2018 Team

2018-10-16T09:01:53Z

Oana Cornea: edit6

OWASP Bucharest AppSec Conference 2018 Training2

2018-10-16T09:00:37Z

Oana Cornea:

{| style="vertical-align:top;width:90%;background-color:#white;padding:10px;border:1px solid silver;" align="center" cellspacing="4"
| colspan="6" style="width:100%" valign="middle" height="40" bgcolor="#CCCCEE" align="center" | <h2>Training </h2>
|-
| colspan="0" style="width:10%" valign="middle" height="30" bgcolor="#CCCCEE" align="center" | '''Time'''
| colspan="0" style="width:25%" valign="middle" height="30" bgcolor="#CCCCEE" align="center" | '''Title'''
| colspan="0" style="width:25%" valign="middle" height="30" bgcolor="#CCCCEE" align="center" | '''Trainers'''
| colspan="0" style="width:40%" valign="middle" height="30" bgcolor="#CCCCEE" align="center" | '''Description'''
|-
| colspan="0" style="width:10%" valign="middle" height="30" bgcolor="#CCEEEE" align="center" | 2 days training 24th and 25th of October daily: 9:00 - 17:00 
| colspan="0" style="width:25%" valign="middle" height="30" bgcolor="#CCEEEE" align="center" | Advanced Web Hacking and Secure Coding
| colspan="0" style="width:25%" valign="middle" height="30" bgcolor="#CCEEEE" align="center" | [https://in.linkedin.com/in/vikramsalunke20 Vikram Salunke]
| colspan="0" style="width:40%" valign="middle" height="30" bgcolor="#CCEEEE" align="justify" | '''Description:''' Web applications are becoming more complex and targets are become more hardened to penetrate. Nowadays Load Balancers, Web Application Firewalls (WAF) are very common in infrastructure. So, as a pentester, we should improve our skills to defeat modern access controls mechanisms. 
This hands-on training covers both offensive and defensive approaches to web applications. You’ll learn how to identify vulnerabilities of web applications, how to execute exploit against that vulnerability, how the attacks works, and how to prevent them in the future. This training closes that gap between web application attack and defense. Because as they say - if you want to stop attacker from stealing you data then you must think like one. 
This training starts with the basic web app hacking and then moves into more advanced stuff such as bypassing Filters, bypassing Web Application Firewalls(WAF), HTML5 attacks and recent vulnerabilities such as Shellshock, Heartbleed, POODLE, Serialization, SSL Strip etc. You’ll learn how to get shell on the box using web application vulnerabilities as well as how to write secure code so you can avoid that attack. 
This training covers both offensive and defensive approach towards web applications. Firstly, the training would cover how to use certain attack on a web application and then how does this attack happened. So it covers where the developer went wrong and how to write secure code, so that the attack would not have happened. It covers various mistakes made by developers who wrote vulnerable code. This training covers how to write secure code in multiple languages such as PHP, Java, C# etc. Lab contains multiple CMS such as Wordpress, Drupal, Joomla and multiple databases such as MySql, SQL Server, MongoDB etc. Also, the training contains various client side attacks as well as server side attacks such as XSS, CSRF, SQL Injections etc. 
Training will teach attendees how to gain shell on the box and how to chain multiple attacks to pwn the entire infrastructure. Training follows Capture The Flag (CTF) approach to attack web applications and compromise the machines. 
After this training, attendees will be able to successfully identify and avoid insecure code and test their web applications for vulnerabilities. Attendees will get to know the difference between vulnerable code and secure code. 
This training contains over 50 labs and 30+ challenges which are inspired by real world vulnerabilities and case studies. 
Day 1:
* Introduction
* Spidering Web Applications and analyzing results
* Fuzzing
* Input Validation
* User Enumeration
* Bypassing Password Verification
* Information Leakage
* HTTP Verb Tampering
* Injection - HTML, iFrame, LDAP, CSS, JSON
* Advanced Cross Site Scripting (XSS) - XSS to system compromise
* Advanced client side exploitation with BeEF
* Extending Burp Proxy
* Clickjacking
* Insecure direct object reference (IDOR) and Open Redirects
* Server Side Request Forgery (SSRF)
* Server Side Includes Injection (SSI Injection)
* JavaScript Validation Bypass
* Advanced SQL Injection - SQL Injection to system compromise
* JSON Hijacking
* Session Management and Cookie Stealing
* HTML5
Day 2:
* Advanced XML Attacks
* JSON Web Token
* API Attacks
* Insecure System/Service configuration - FTP, NTP, VNC, SNMP, WebDav, Samba etc.
* Database Security - MySql, SQL Server, MongoDB etc.
* Remote Command Injection
* Local File Inclusion (LFI) and Remote File Inclusion (RFI)
* RCE via serialization/deserialization
* Serialization Attacks
* HTTP Response Splitting
* SSL Strip attack
* CMS Attacks and Defenses - Wordpress, Drupal, Joomla
* Recent Vulnerabilities Case Study - Shellshock, Heartbleed, POODLE, Struts, PHPMailer RCE, SSL Strip attack
* Logical Flaws
* Detection of Web Application Firewall and Load Balancers
* Filter Evasion and Bypassing Web Application Firewalls (WAF) - Tricks to Penetrate Firewall
* OWASP Top 10 Attacks
* OWASP Secure Coding Practices
* and more ...
'''Intended audience:''' software developers, security people with some programming experience 
'''This course requires following pre-requisites:'''
* Basic knowledge on HTTP, HTML
* Basic Web Application Penetration Skills
* Reading and understanding of PHP
'''Seats available: '''20 (first-come, first served) 
'''Price: 650 Euro / person''' 
[https://www.eventbrite.com/e/owasp-bucharest-appsec-conference-2018-tickets-47960216298#tickets Register here]
|}

OWASP Bucharest AppSec Conference 2018 Team

2018-10-15T19:01:03Z

Oana Cornea:

'''Organizers''':
*Oana Cornea [http://ro.linkedin.com/pub/oana-cornea/55/430/b10]
*Cosmin Marius Ilie [https://ro.linkedin.com/in/iliec]
*Andreea Druga[https://www.linkedin.com/in/andreea-cristina-drug%C4%83-9ab61090/]
*Daniel Barbu [http://ro.linkedin.com/in/barbuionutdaniel?trk=pub-pbmap]
*Raluca Vasilache [https://ro.linkedin.com/in/rvasilache?trk=pub-pbmap]
*Vlad Cotenescu [https://ro.linkedin.com/in/vladcotenescu]
*Alexandra Tautan [https://ro.linkedin.com/in/alexandra-maria-t-36b56544]
*Uzoma Ogbonna [https://www.linkedin.com/in/uzoma-chigozie-ogbonna-9a908a77]

'''CTF''':
*Razvan Deaconescu [https://ro.linkedin.com/in/razvandeaconescu]
*Vali Ghita [https://ro.linkedin.com/in/valighita]
*Vladimir Diaconescu
*Ștefania Popescu
*Alexandra Săndulescu
* Alexandru Razvan Caciulescu [https://www.linkedin.com/in/alexandru-razvan-caciulescu-049699106/]

'''Photo'''
*Andreea Druga[https://www.linkedin.com/in/andreea-cristina-drug%C4%83-9ab61090/]

OWASP Bucharest AppSec Conference 2018 Talks

2018-10-15T18:03:32Z

Oana Cornea: edit6

{|style="vertical-align:top;width:90%;background-color:#white;padding:10px;border:1px solid silver;" align="center" cellspacing="4"
| style="width:100%" valign="middle" height="40" bgcolor="#CCCCEE" align="center" colspan="6" | <h2>Conference agenda, 26th of October </h2>
|-
| style="width:10%" valign="middle" height="30" bgcolor="#CCCCEE" align="center" colspan="0" | '''Time'''
| style="width:25%" valign="middle" height="30" bgcolor="#CCCCEE" align="center" colspan="0" | '''Title'''
| style="width:25%" valign="middle" height="30" bgcolor="#CCCCEE" align="center" colspan="0" | '''Speaker'''
| style="width:40%" valign="middle" height="30" bgcolor="#CCCCEE" align="center" colspan="0" | '''Description'''
|-
| style="width:10%" valign="middle" height="30" bgcolor="#CCEEEE" align="center" colspan="0" | 8:30 - 9:00 (30 mins)
| style="width:25%" valign="middle" height="30" bgcolor="#CCEEEE" align="center" colspan="3" | Registration and coffee break
|-
| style="width:10%" valign="middle" height="30" bgcolor="#EEEEEE" align="center" colspan="0" | 9:00 - 9:15 (15 mins)
| style="width:25%" valign="middle" height="30" bgcolor="#EEEEEE" align="center" colspan="0" | Introduction
| style="width:25%" valign="middle" height="30" bgcolor="#EEEEEE" align="center" colspan="0" | Oana Cornea
| style="width:40%" valign="middle" height="30" bgcolor="#EEEEEE" align="center" colspan="0" | Introduction to the OWASP Bucharest Event, Schedule for the Day
|-
| style="width:10%" valign="middle" height="30" bgcolor="#EEEEEE" align="center" colspan="0" | 9:15 - 9:45 (30 mins)
| style="width:25%" valign="middle" height="30" bgcolor="#EEEEEE" align="center" colspan="0" | It's a World of SecDevOps @ OWASP
| style="width:25%" valign="middle" height="30" bgcolor="#EEEEEE" align="center" colspan="0" | [https://ro.linkedin.com/in/barbuionutdaniel/en Daniel Barbu]
| style="width:40%" valign="middle" height="30" bgcolor="#EEEEEE" align="justify" colspan="0" | SecDevOps comes with a built-in security mindset and ideally adopts the proven practices already in use by embedded SRE teams. Day-to-day activities for this role contribute not only to achievement of operational and development goals but also to keeping high levels of confidentiality, integrity and availability. While improving the security posture, the processes become easier to audit and compliance controls better assessed. With product teams engaging with security as early as possible as opposed to the end of the project, the focus shifts from a reactive approach to a proactive one integrating defensive practices through the lifecycle. Consequently the systems’ predictability and understanding of the infrastructure behavior increases. When possible, open security issues should be tracked in the same work tracking system that Development and Operations are using, ensuring visibility and prioritization against all other work. Infosec being embedded within the product teams, enables informed decisions by gaining business context.
|-
| style="width:10%" valign="middle" height="30" bgcolor="#EEEEEE" align="center" colspan="0" | 9:45 - 10.30 (45 mins)
| style="width:25%" valign="middle" height="30" bgcolor="#EEEEEE" align="center" colspan="0" | Tales of Practical Android Penetration Testing (Mobile Pentest Toolkit)
| style="width:25%" valign="middle" height="30" bgcolor="#EEEEEE" align="center" colspan="0" | [https://www.linkedin.com/in/alexander-subbotin-11290510a Alexander Subbotin]
| style="width:40%" valign="middle" height="30" bgcolor="#EEEEEE" align="justify" colspan="0" | A vast number of open source tools and commercial products has been developed to support the security analysis of mobile apps. It has become a great challenge for a penetration tester to choose suitable or the best tools and the adequate pentest environment/distribution. And even when the test tools have been chosen, the problem remains that most of the tools only offer a CLI interface and that their usage can be very time consuming.
In order to automatize the setup of the test environment and the common processes during a mobile pentest, the author has developed the "Mobile Pentest Toolkit" (PMT). This toolkit takes over recurring and time consuming tasks for the tester. It has a standardized user interface for the usage of locally installed security tools (and installs them on demand). An example of use is: After the tester has modified the Smali code, the generation of a valid and signed APK file only takes a few moments. Aside from that, this talk illustrates techniques for dynamic analysis and tracking of changes within the app. The goal is to present the Mobile Pentest Toolkit to an interested audience and to publish it as an open source tool.
|-
| style="width:10%" valign="middle" height="30" bgcolor="#EEEEEE" align="center" colspan="0" | 10:45 - 11.30 (45 mins)
| style="width:25%" valign="middle" height="30" bgcolor="#EEEEEE" align="center" colspan="0" | Breaking the Apple iOS Sandbox
| style="width:25%" valign="middle" height="30" bgcolor="#EEEEEE" align="center" colspan="0" | [https://ro.linkedin.com/in/razvandeaconescu Razvan Deaconescu]
| style="width:40%" valign="middle" height="30" bgcolor="#EEEEEE" align="justify" colspan="0" | Apple iOS uses sandboxing to confine apps to certain calls they can make to services and the kernel. Apps are attached a sandbox profile: a set of rules that allow or deny actions. All 3rd party apps (i.e. downloaded from the AppStore) use the same sandbox profile (container). Sandbox profiles are stored as binary blobs in the iOS kernel. 
In this talk, I will highlight the way iOS sandboxing works and steps we undertook in reversing binary blobs. We then analyzed reversed human-readable sandbox profiles and found misconfigurations in the profiles that allowed crippling the system from a valid app. We let Apple know of our findings, now published as CVEs.
|-
| style="width:10%" valign="middle" height="30" bgcolor="#EEEEEE" align="center" colspan="0" | 11:45 - 12.30 (45 mins)
| style="width:25%" valign="middle" height="30" bgcolor="#EEEEEE" align="center" colspan="0" | Evading your protection and exfiltrate data
| style="width:25%" valign="middle" height="30" bgcolor="#EEEEEE" align="center" colspan="0" | [https://www.linkedin.com/in/cosminradu13 Cosmin Alexandru Radu]
| style="width:40%" valign="middle" height="30" bgcolor="#EEEEEE" align="justify" colspan="0" |Evading your protection and exfiltrate data
This presentation is meant to be an introduction into a number of ex-filtration techniques that are out there, used by malicious attackers. It should be a view into the attackers toolset for developers and how they can counteract the issues attackers use to get data out of their applications, or how system administrators can guard their network against egress data leakage.
|-
| style="width:10%" valign="middle" height="30" bgcolor="#CCEEEE" align="center" colspan="0" | 12:30 - 13:30 (60 mins)
| style="width:25%" valign="middle" height="30" bgcolor="#CCEEEE" align="center" colspan="3" |Lunch/Coffee Break
|-
| style="width:10%" valign="middle" height="30" bgcolor="#EEEEEE" align="center" colspan="0" | 13:30 - 14:15 (45 mins)
| style="width:25%" valign="middle" height="30" bgcolor="#EEEEEE" align="center" colspan="0" | OWASP Top 10 with .NET Core
| style="width:25%" valign="middle" height="30" bgcolor="#EEEEEE" align="center" colspan="0" | [https://ro.linkedin.com/in/ignatandrei Andrei Ignat]
| style="width:40%" valign="middle" height="30" bgcolor="#EEEEEE" align="justify" colspan="0" | We will show OWASP Top 10 and how to counter them in .NET Core
|-
| style="width:10%" valign="middle" height="30" bgcolor="#EEEEEE" align="center" colspan="0" | 14:20 - 15:05 (45 mins)
| style="width:25%" valign="middle" height="30" bgcolor="#EEEEEE" align="center" colspan="0" | AWS VMS
| style="width:25%" valign="middle" height="30" bgcolor="#EEEEEE" align="center" colspan="0" | [https://ro.linkedin.com/in/gabriel-pilat-3053229b Gabriel Pilat]
| style="width:40%" valign="middle" height="30" bgcolor="#EEEEEE" align="justify" colspan="0" | This presentation looks at how Vulnerability Management is generally performed (Scanning, Asset management, Reporting, TI etc. ), how it can be performed in the Amazon Cloud ( Deploy scanners, Use Integrated scanner, etc), the possibilities of automation Amazon offers and ways to integrate it with 3rd party tools such as Qualys. General AWS architecture, security services and benefits, inherited security flaws, issues and limitations encountered.
|-
| style="width:10%" valign="middle" height="30" bgcolor="#CCEEEE" align="center" colspan="0" | 15:05 - 15:20 (15 mins)
| style="width:25%" valign="middle" height="30" bgcolor="#CCEEEE" align="center" colspan="3" | Coffee break
|-
| style="width:10%" valign="middle" height="30" bgcolor="#EEEEEE" align="center" colspan="0" | 15:20 - 16:05 (45 mins)
| style="width:25%" valign="middle" height="30" bgcolor="#EEEEEE" align="center" colspan="0" | Protecting company information for GDPR compliance. A software architect’s perspective.
| style="width:25%" valign="middle" height="30" bgcolor="#EEEEEE" align="center" colspan="0" | Ovidiu Ariton
| style="width:40%" valign="middle" height="30" bgcolor="#EEEEEE" align="justify" colspan="0" |For years cybersecurity has been approached at the network level and at endpoint level. Best practices are good but sometimes user behavior makes the difference between a compromised system and a safe one. Most of the times they don’t understand if something went wrong. What if they knew? 
The solution that I am going to present brings the tools available in a SOC to the user level, at the endpoint. It combines some of the best practices in security (like backup and DLP) with SOAR solutions and LRA in order to prevent loss of data and ensure rapid automated reaction to cybersecurity incidents.
|-
| style="width:10%" valign="middle" height="30" bgcolor="#EEEEEE" align="center" colspan="0" | 16:05 - 16:50 (45 mins)
| style="width:25%" valign="middle" height="30" bgcolor="#EEEEEE" align="center" colspan="0" | DevSecOps Use Case: Automate Early… But Securely
| style="width:25%" valign="middle" height="30" bgcolor="#EEEEEE" align="center" colspan="0" | Serban Bejan
| style="width:40%" valign="middle" height="30" bgcolor="#EEEEEE" align="justify" colspan="0" |In today’s increasingly digitalized world, the need for security in DevOps is met by a new concept, called DevSecOps. Aimed at creating and including modern security practices that can be incorporated into the fast and agile world of DevOps, DevSecOps is, in fact, an extension of DevOps’ main goal. 
In our use case we studied the possible benefits and challenges of integrating SAST and DAST tools into the existing toolchain (application lifecycle manager, IDE, source code management tool and continuous integration pipeline) for developing, deploying and testing a Java web application. 
Implementing DevSecOps brings a lot of value to organizations, it also comes with some challenges, like integrating more agile security methods and properly training users for using these advanced tools. Last but not least, we also need to take into consideration that any security functionality not automated in the available tools will result in creating friction in the cycle.
|-
| style="width:10%" valign="middle" height="30" bgcolor="#CCEEEE" align="center" colspan="0" | 16:50 - 17:00 (15 mins)
| style="width:25%" valign="middle" height="30" bgcolor="#CCEEEE" align="center" colspan="0" | Closing ceremony
| style="width:25%" valign="middle" height="30" bgcolor="#CCEEEE" align="center" colspan="0" | OWASP Bucharest team
| style="width:40%" valign="middle" height="30" bgcolor="#CCEEEE" align="center" colspan="0" | CTF Prizes
|-
|}

OWASP Bucharest AppSec Conference 2018 Sponsors

2018-10-15T14:22:00Z

Oana Cornea:

__NOTOC__

{| cellspacing="20" border="0" valign="middle" align="center" style="background: none repeat scroll 0% 0%; -moz-background-clip: border; -moz-background-origin: padding; -moz-background-inline-policy: continuous; color: white;"

|-
|  
|  
|  
|  
|  
|  
|  
|-
|  
|  
|  
| <h2>Diamond Sponsor</h2>
|  
|  
|  
|-
|  
|  
|  
| [[Image:Fitbit-logo.png|400px|center|link=https://fitbit.com]]
|  
|  
|  
|-
|  
|  
|  
| <h2>Platinum Sponsors</h2>
|  
|  
|  
|-
|  
|  
|  
| [[Image:Logo CMYK.JPG| 250px|center |link=https://atos.net/ro/romania]]
|  
|  
|  
|-
|  
|  
|  
| <h2>Gold Sponsor</h2>
|  
|  
|  
|-
|  
|  
|  
| [[Image:Endava Logo CMYK 300dpi-01.jpg| 300px|center |link=www.endava.com]]
|  
|  
|  
|-
|  
|  
|  
| <h2>Silver Sponsor</h2>
|  
|  
|  
|-
|  
|  
|  
| [[Image:Hackerone-logo.png|350px|center|link=https://www.hackerone.com]]
|  
|  
|  
|-
|  
|  
|  
| <h2>CTF and Dinner Sponsor</h2>
|  
|  
|  
|-
|  
|  
|  
| [[Image:Adobe logoB.png| 100px|center |link=http://www.adobe.com/]]
|  
|  
|  
|-
|  
|  
|  
| <h2>Event Supporters</h2>
|  
|  
|  
|-
|  
|  
| [[Image:Infosec-conferences.png|250px|link=https://infosec-conferences.com/]]
| [[Image:RST.jpg|150px|center|link=https://rstforums.com/]]
| [[Image:SoftLead.png|200px|link=http://www.softlead.ro/]]
|  
|  
|-
|  
|  
| [[Image:Codette-logo-300x300.png|200px|link=https://codette.ro]]
| [[Image:Gwcr.png|200px|center|link=www.girlswhocode.ro]]
| [[Image:Mindgeek-logo.png |200px|center|link=https://www.mindgeek.com/]]
|  
|-
|  
|  
| [[Image:EU-cyberS.jpg|100px|center|link=https://cybersecuritymonth.eu/activities]]
| [[Image:CERT-RO banner.png|350px|center|link=https://www.cert.ro/]]
| [[Image:Logoanis.png|200px|center|link=https://www.anis.ro/]]
|  
|-
|  
|  
|
|
|
|  
|-
|  
|  
|
|
|  
|  
|
|}