OWASP - User contributions [en]

File:Core rule set 1.51.zip

2016-11-13T20:36:56Z

Oshezaf: A historic version of the OWASP ModSecurity Core Rule Set

A historic version of the OWASP ModSecurity Core Rule Set

Template:AppSec Israel 2014 Sponsors

2014-08-29T20:17:49Z

Oshezaf:

{| align="center"
|  <H1>Platinum Sponsors</H1>
|  
|  
|  
|-
|  [http://www.akamai.com https://www.owasp.org/images/9/93/Akamai_logoIL.gif]
|  [http://www.checkpoint.com https://www.owasp.org/images/5/54/OWASP_IL_Sponsors_Checkpoint.jpg]
|  
|  
|-
|  <h2>Gold Sponsors</h2>
|  
|  
|  
|-
|  [http://www.idc.ac.il https://www.owasp.org/images/f/f1/OWASP_IL_Sponsors_IDC_New.JPG]
|  [http://www.ey.com https://www.owasp.org/images/3/34/EY-IL.jpg]
|  [http://www.imperva.com https://www.owasp.org/images/8/89/OWASP_IL_Sponsors_Imperva.png]
|  [http://www.Checkmarx.com https://www.owasp.org/images/a/a2/Checkmarx.jpg]
|-
|  <h3>Silver Sponsors</h3>
|  
|  
|  
|-
|  [http://www.quotium.com https://www.owasp.org/images/5/56/LogoQuotium.png]
|  [http://www.appsec-labs.com https://www.owasp.org/images/2/24/AppSecLabsIL.png]
|  [http://www.komodosec.com/ https://www.owasp.org/images/0/03/Komodo-small.jpg]
|  [http://www.radware.com/ https://www.owasp.org/images/7/78/OWASP_IL_Sponsors_Radware.jpg]
|}

Template:AppSec Israel 2014 Sponsors

2014-08-29T20:17:09Z

Oshezaf:

{| align="center"
|  <H1>Platinum Sponsors</H1>
|  
|  
|  
|-
|  [http://www.akamai.com https://www.owasp.org/images/9/93/Akamai_logoIL.gif]
|  [http://www.checkpoint.com https://www.owasp.org/images/5/54/OWASP_IL_Sponsors_Checkpoint.jpg]
|  
|  
|-
|  <h2>Gold Sponsors</h2>
|  
|  
|  
|-
|  [http://www.idc.ac.il https://www.owasp.org/images/f/f1/OWASP_IL_Sponsors_IDC_New.JPG]
|  [http://www.ey.com https://www.owasp.org/images/3/34/EY-IL.jpg]
|  [http://www.imperva.com https://www.owasp.org/images/8/89/OWASP_IL_Sponsors_Imperva.png]
|  [http://www.Checkmarx.com https://www.owasp.org/images/a/a2/Checkmarx.jpg]
|-
|  <h2>Silver Sponsors</h2>
|  
|  
|  
|-
|  [http://www.quotium.com https://www.owasp.org/images/5/56/LogoQuotium.png]
|  [http://www.appsec-labs.com https://www.owasp.org/images/2/24/AppSecLabsIL.png]
|  [http://www.komodosec.com/ https://www.owasp.org/images/0/03/Komodo-small.jpg]
|  [http://www.radware.com/ https://www.owasp.org/images/7/78/OWASP_IL_Sponsors_Radware.jpg]
|}

File:OWASP IL Sponsors Checkpoint.jpg

2014-08-29T20:16:31Z

Oshezaf:

File:OWASP IL Sponsors Radware.jpg

2014-08-29T20:14:09Z

Oshezaf: Oshezaf uploaded a new version of "File:OWASP IL Sponsors Radware.jpg"

Template:AppSec Israel 2014 Sponsors

2014-08-29T20:09:59Z

Oshezaf:

{| align="center"
|  <H1>Platinum Sponsors</H1>
|  
|  
|  
|-
|  [http://www.akamai.com https://www.owasp.org/images/9/93/Akamai_logoIL.gif]
|  
|  
|  
|-
|  <h2>Gold Sponsors</h2>
|  
|  
|  
|-
|  [http://www.idc.ac.il https://www.owasp.org/images/f/f1/OWASP_IL_Sponsors_IDC_New.JPG]
|  [http://www.ey.com https://www.owasp.org/images/3/34/EY-IL.jpg]
|  [http://www.imperva.com https://www.owasp.org/images/8/89/OWASP_IL_Sponsors_Imperva.png]
|  [http://www.Checkmarx.com https://www.owasp.org/images/a/a2/Checkmarx.jpg]
|-
|  <h2>Silver Sponsors</h2>
|  
|  
|  
|-
|  [http://www.quotium.com https://www.owasp.org/images/5/56/LogoQuotium.png]
|  [http://www.appsec-labs.com https://www.owasp.org/images/2/24/AppSecLabsIL.png]
|  [http://www.komodosec.com/ https://www.owasp.org/images/0/03/Komodo-small.jpg]
|  [http://www.radware.com/ https://www.owasp.org/images/7/78/OWASP_IL_Sponsors_Radware.jpg]
|}

File:OWASP IL Sponsors Radware.jpg

2014-08-29T20:09:14Z

Oshezaf:

Template:AppSec Israel 2014 Sponsors

2014-08-27T15:23:57Z

Oshezaf:

User:Oshezaf

2014-04-28T19:07:23Z

Oshezaf:

[[Image:OWASP_IL_2008_01_Ofer_Shezaf.jpg|right|200px]]My name is Ofer Shezaf and I am an information security practitioner specializing in real time web application security, i.e. web application firewalls. At [http://www.xiom.com Xiom] we provide expert unbiased information about and 3rd party service to web application firewalls.

Previously I led research and later product management at [http://www.breach.com Breach Security] and was responsible for Breach acquisition and support of [http://www.modsecurity.org ModSecurity], an open source application firewall. Prior to joining Breach, I specialized in national information security and worked with organizations such as the Israeli National Information Security Agency, the Israeli Intelligence Forces and the Israeli Nuclear Research Center specializing in areas such as information warfare & critical infrastructure protection. I work and live in Israel.

I am also a very active member of the application security community:
* I lead [http://www.owasp.org/index.php/israel the OWASP Israeli Chapter] and I am a member of [https://www.owasp.org/index.php/Global_Chapter_Committee OWASP global chapter committee] which drives OWASP succesful chapters activity around the world.
* I am an officer in the [http://www.webappsec.org Web Application Security Consortium (WASC)] where Ilead the [http://whic.webappsec.org/ Web Hacking Incidents Database Project (WHID)]
* And lastly I pariticipate in [http://www.webappsec.org/projects/wafec/ The Web Application Firewall Evaluation Crietia (WAFEC)] and [http://www.owasp.org/index.php/Category:OWASP_on_the_Move_Project OWASP on the Move (OotM)] projects.

File:OWASP IL 2008 01 Ofer Shezaf.jpg

2014-04-28T19:03:28Z

Oshezaf: Oshezaf uploaded a new version of "File:OWASP IL 2008 01 Ofer Shezaf.jpg"

Template:Cheatsheet Navigation

2013-11-01T23:13:17Z

Oshezaf:

'''OWASP Cheat Sheets Project Homepage'''
* [[Cheat Sheets]]

'''Developer Cheat Sheets (Builder)'''
* [[Authentication Cheat Sheet]]
* [[Business Logic Security Cheat Sheet]]
* [[Choosing and Using Security Questions Cheat Sheet]]
* [[Clickjacking Defense Cheat Sheet]]
* [[C-Based Toolchain Hardening Cheat Sheet]]
* [[Cross-Site Request Forgery (CSRF) Prevention Cheat Sheet]]
* [[Cryptographic Storage Cheat Sheet]]
* [[DOM based XSS Prevention Cheat Sheet]]
* [[Forgot Password Cheat Sheet]]
* [[HTML5 Security Cheat Sheet]]
* [[Input Validation Cheat Sheet]]
* [[JAAS Cheat Sheet]]
* [[Logging Cheat Sheet]]
* [[.NET Security Cheat Sheet]]
* [[OWASP Top Ten Cheat Sheet]]
* [[Password Storage Cheat Sheet]]
* [[Pinning Cheat Sheet]]
* [[Query Parameterization Cheat Sheet]]
* [[Ruby on Rails Cheatsheet]]
* [[REST Security Cheat Sheet]]
* [[Session Management Cheat Sheet]]
* [[SQL Injection Prevention Cheat Sheet]]
* [[Transport Layer Protection Cheat Sheet]]
* [[Unvalidated Redirects and Forwards Cheat Sheet]]
* [[User Privacy Protection Cheat Sheet]]
* [[Web Service Security Cheat Sheet]]
* [[XSS (Cross Site Scripting) Prevention Cheat Sheet]]

'''Assessment Cheat Sheets (Breaker)'''
* [[Attack Surface Analysis Cheat Sheet]]
* [[XSS Filter Evasion Cheat Sheet]]
* [[REST Assessment Cheat Sheet]]

'''Mobile Cheat Sheets'''
* [[IOS Developer Cheat Sheet]]
* [[Mobile Jailbreaking Cheat Sheet]]

'''OpSec Cheat Sheets (Defender)'''
* [[Virtual Patching Cheat Sheet]]

'''Draft Cheat Sheets'''
* [[Access Control Cheat Sheet]]
* [[Application Security Architecture Cheat Sheet]]
* [[PHP Security Cheat Sheet]]
* [[Secure Coding Cheat Sheet]]
* [[Secure SDLC Cheat Sheet]]
* [[Threat Modeling Cheat Sheet]]
* [[Web Application Security Testing Cheat Sheet]]
* [[Grails Secure Code Review Cheat Sheet]]
* [[IOS Application Security Testing Cheat Sheet]]

REST Assessment Cheat Sheet

2013-11-01T23:12:00Z

Oshezaf: /* Related Resources */

= About RESTful Web Services =

Web Services are an implementation of web technology used for machine to machine communication. As such they are used for Inter application communication, Web 2.0 and Mashups and by desktop and mobile applications to call a server. RESTful web services (often called simply REST) are a light weight variant of Web Services based on the RESTful design pattern. In practice RESTful web services utilizes HTTP requests that are similar to regular HTTP calls in contrast with other Web Services technologies such as SOAP which utilizes a complex protocol.

= Key relevant properties of RESTful web services =
* Use of HTTP methods (GET, POST, PUT and DELETE) as the primary verb for the requested operation.
* None standard parameters specifications:
** As part of the URL
** In headers
* Structured parameters and responses using JSON or XML in a parameter values, request body or response body. Those are required to communicate machine useful information.
* Custom authentication and session management, often utilizing custom security tokens: this is needed as machine to machine communication does not allow for login sequences.
* Lack of formal documentation. A proposed standard for describing RESTful web services called WADL was never officially adapted.

= The challenge of security testing RESTful web services =
* Inspecting the application does not reveal the attack surface, I.e. the URLs and parameter structure used by the RESTful web service. The reasons are:
** No application utilizes all the available functions and parameters exposed by the service
** Those used are often activated dynamically by client side code and not as links in pages.
** The client application is often not a web application and does not allow inspection of the activating link or even relevant code.
* The parameters are none standard making it hard to determine what is just part of the URL or a constant header and what is a parameter worth fuzzing.
* As a machine interface the number of parameters used can be very large, for example a JSON structure may include dozens of parameters. Fuzzing each one significantly lengthen the time required for testing.
* Custom authentication mechanisms require reverse engineering and make popular tools not useful as they cannot track a login session.

= How to pen test a RESTful web service? =
; Determine the attack surface through documentation - RESTful pen testing might be better off if some level of white box testing is allowed and you can get information about the service. This information will ensure fuller coverage of the attach surface. Such information to look for:
* Formal service description - While for other types of web services such as SOAP a formal description, usually in WSDL is often available, this is seldom the case for REST. That said, either WSDL 2.0 or WADL can describe REST and are sometimes used.
* A developer guide for using the service may be less detailed but will commonly be found, and might even be considered "black box"
* Application source or configuration - in many frameworks, including dotNet ,the REST service definition might be easily obtained from configuration files rather than from code.

; Collect full requests using a proxy - while always an important pen testing step, this is more important for REST based applications as the application UI may not give clues on the actual attack surface. Note that the proxy must be able to collect full requests and not just URLs as REST services utilize more than just GET parameters.

; Analyze collected requests to determine the attack surface:
* Look for non-standard parameters:
** Look for abnormal HTTP headers - those would many times be header based parameters.
** Determine if a URL segment has a repeating pattern across URLs. Such patterns can include a date, a number or an ID like string and indicate that the URL segment is a URL embedded parameter. For example: http://server/srv/2013-10-21/use.php
** Look for structured parameter values - those may be JSON, XML or a non-standard structure.
** If the last element of a URL does not have an extension, it may be a parameter. This is especially true if the application technology normally uses extensions or if a previous segment does have an extension. For example: http://server/svc/Grid.asmx/GetRelatedListItems
** Look for highly varying URL segments - a single URL segment that has many values may be parameter and not a physical directory. For example if the URL http://server/src/XXXX/page repeats with hundreds of value for XXXX, chances XXXX is a parameter.
; Verify non-standard parameters: in some cases (but not all), setting the value of a URL segment suspected of being a parameter to a value expected to be invalid can help determine if it is a path elements of a parameter. If a path element, the web server will return a 404 message, while for an invalid value to a parameter the answer would be an application level message as the value is legal at the web server level.

; Analyzing collected requests to optimize fuzzing - after identifying potential parameters to fuzz, analyze the collected values for each to determine -
* Valid vs. invalid values, so that fuzzing can focus on marginal invalid values. For example sending "0" for a value found to be always a positive integer.
* Sequences allowing to fuzz beyond the range presumably allocated to the current user.

; Lastly, when fuzzing, don't forget to emulate the authentication mechanism used.

= Related Resources =
* [[REST Security Cheat Sheet]] - the other side of this cheat sheet 
* [http://www.xiom.com/2011/11/20/restful_webservices_testing RESTful services, web security blind spot] - a presentation (including video) elaborating on most of the topics on this cheat.

{{Cheatsheet_Navigation}}

= Authors and Primary Editors =

Ofer Shezaf - ofer@shezaf.com 

[[Category:Cheatsheets]]

REST Assessment Cheat Sheet

2013-11-01T23:11:35Z

Oshezaf: /* Related Resources */

= About RESTful Web Services =

Web Services are an implementation of web technology used for machine to machine communication. As such they are used for Inter application communication, Web 2.0 and Mashups and by desktop and mobile applications to call a server. RESTful web services (often called simply REST) are a light weight variant of Web Services based on the RESTful design pattern. In practice RESTful web services utilizes HTTP requests that are similar to regular HTTP calls in contrast with other Web Services technologies such as SOAP which utilizes a complex protocol.

= Key relevant properties of RESTful web services =
* Use of HTTP methods (GET, POST, PUT and DELETE) as the primary verb for the requested operation.
* None standard parameters specifications:
** As part of the URL
** In headers
* Structured parameters and responses using JSON or XML in a parameter values, request body or response body. Those are required to communicate machine useful information.
* Custom authentication and session management, often utilizing custom security tokens: this is needed as machine to machine communication does not allow for login sequences.
* Lack of formal documentation. A proposed standard for describing RESTful web services called WADL was never officially adapted.

= The challenge of security testing RESTful web services =
* Inspecting the application does not reveal the attack surface, I.e. the URLs and parameter structure used by the RESTful web service. The reasons are:
** No application utilizes all the available functions and parameters exposed by the service
** Those used are often activated dynamically by client side code and not as links in pages.
** The client application is often not a web application and does not allow inspection of the activating link or even relevant code.
* The parameters are none standard making it hard to determine what is just part of the URL or a constant header and what is a parameter worth fuzzing.
* As a machine interface the number of parameters used can be very large, for example a JSON structure may include dozens of parameters. Fuzzing each one significantly lengthen the time required for testing.
* Custom authentication mechanisms require reverse engineering and make popular tools not useful as they cannot track a login session.

= How to pen test a RESTful web service? =
; Determine the attack surface through documentation - RESTful pen testing might be better off if some level of white box testing is allowed and you can get information about the service. This information will ensure fuller coverage of the attach surface. Such information to look for:
* Formal service description - While for other types of web services such as SOAP a formal description, usually in WSDL is often available, this is seldom the case for REST. That said, either WSDL 2.0 or WADL can describe REST and are sometimes used.
* A developer guide for using the service may be less detailed but will commonly be found, and might even be considered "black box"
* Application source or configuration - in many frameworks, including dotNet ,the REST service definition might be easily obtained from configuration files rather than from code.

; Collect full requests using a proxy - while always an important pen testing step, this is more important for REST based applications as the application UI may not give clues on the actual attack surface. Note that the proxy must be able to collect full requests and not just URLs as REST services utilize more than just GET parameters.

; Analyze collected requests to determine the attack surface:
* Look for non-standard parameters:
** Look for abnormal HTTP headers - those would many times be header based parameters.
** Determine if a URL segment has a repeating pattern across URLs. Such patterns can include a date, a number or an ID like string and indicate that the URL segment is a URL embedded parameter. For example: http://server/srv/2013-10-21/use.php
** Look for structured parameter values - those may be JSON, XML or a non-standard structure.
** If the last element of a URL does not have an extension, it may be a parameter. This is especially true if the application technology normally uses extensions or if a previous segment does have an extension. For example: http://server/svc/Grid.asmx/GetRelatedListItems
** Look for highly varying URL segments - a single URL segment that has many values may be parameter and not a physical directory. For example if the URL http://server/src/XXXX/page repeats with hundreds of value for XXXX, chances XXXX is a parameter.
; Verify non-standard parameters: in some cases (but not all), setting the value of a URL segment suspected of being a parameter to a value expected to be invalid can help determine if it is a path elements of a parameter. If a path element, the web server will return a 404 message, while for an invalid value to a parameter the answer would be an application level message as the value is legal at the web server level.

; Analyzing collected requests to optimize fuzzing - after identifying potential parameters to fuzz, analyze the collected values for each to determine -
* Valid vs. invalid values, so that fuzzing can focus on marginal invalid values. For example sending "0" for a value found to be always a positive integer.
* Sequences allowing to fuzz beyond the range presumably allocated to the current user.

; Lastly, when fuzzing, don't forget to emulate the authentication mechanism used.

= Related Resources =
[[REST Security Cheat Sheet]] - the other side of this cheat sheet 
[http://www.xiom.com/2011/11/20/restful_webservices_testing RESTful services, web security blind spot] - a presentation (including video) elaborating on most of the topics on this cheat.

{{Cheatsheet_Navigation}}

= Authors and Primary Editors =

Ofer Shezaf - ofer@shezaf.com 

[[Category:Cheatsheets]]

REST Assessment Cheat Sheet

2013-11-01T23:10:48Z

Oshezaf: Created page with "= About RESTful Web Services = Web Services are an implementation of web technology used for machine to machine communication. As such they are used for Inter application com..."

= About RESTful Web Services =

Web Services are an implementation of web technology used for machine to machine communication. As such they are used for Inter application communication, Web 2.0 and Mashups and by desktop and mobile applications to call a server. RESTful web services (often called simply REST) are a light weight variant of Web Services based on the RESTful design pattern. In practice RESTful web services utilizes HTTP requests that are similar to regular HTTP calls in contrast with other Web Services technologies such as SOAP which utilizes a complex protocol.

= Key relevant properties of RESTful web services =
* Use of HTTP methods (GET, POST, PUT and DELETE) as the primary verb for the requested operation.
* None standard parameters specifications:
** As part of the URL
** In headers
* Structured parameters and responses using JSON or XML in a parameter values, request body or response body. Those are required to communicate machine useful information.
* Custom authentication and session management, often utilizing custom security tokens: this is needed as machine to machine communication does not allow for login sequences.
* Lack of formal documentation. A proposed standard for describing RESTful web services called WADL was never officially adapted.

= The challenge of security testing RESTful web services =
* Inspecting the application does not reveal the attack surface, I.e. the URLs and parameter structure used by the RESTful web service. The reasons are:
** No application utilizes all the available functions and parameters exposed by the service
** Those used are often activated dynamically by client side code and not as links in pages.
** The client application is often not a web application and does not allow inspection of the activating link or even relevant code.
* The parameters are none standard making it hard to determine what is just part of the URL or a constant header and what is a parameter worth fuzzing.
* As a machine interface the number of parameters used can be very large, for example a JSON structure may include dozens of parameters. Fuzzing each one significantly lengthen the time required for testing.
* Custom authentication mechanisms require reverse engineering and make popular tools not useful as they cannot track a login session.

= How to pen test a RESTful web service? =
; Determine the attack surface through documentation - RESTful pen testing might be better off if some level of white box testing is allowed and you can get information about the service. This information will ensure fuller coverage of the attach surface. Such information to look for:
* Formal service description - While for other types of web services such as SOAP a formal description, usually in WSDL is often available, this is seldom the case for REST. That said, either WSDL 2.0 or WADL can describe REST and are sometimes used.
* A developer guide for using the service may be less detailed but will commonly be found, and might even be considered "black box"
* Application source or configuration - in many frameworks, including dotNet ,the REST service definition might be easily obtained from configuration files rather than from code.

; Collect full requests using a proxy - while always an important pen testing step, this is more important for REST based applications as the application UI may not give clues on the actual attack surface. Note that the proxy must be able to collect full requests and not just URLs as REST services utilize more than just GET parameters.

; Analyze collected requests to determine the attack surface:
* Look for non-standard parameters:
** Look for abnormal HTTP headers - those would many times be header based parameters.
** Determine if a URL segment has a repeating pattern across URLs. Such patterns can include a date, a number or an ID like string and indicate that the URL segment is a URL embedded parameter. For example: http://server/srv/2013-10-21/use.php
** Look for structured parameter values - those may be JSON, XML or a non-standard structure.
** If the last element of a URL does not have an extension, it may be a parameter. This is especially true if the application technology normally uses extensions or if a previous segment does have an extension. For example: http://server/svc/Grid.asmx/GetRelatedListItems
** Look for highly varying URL segments - a single URL segment that has many values may be parameter and not a physical directory. For example if the URL http://server/src/XXXX/page repeats with hundreds of value for XXXX, chances XXXX is a parameter.
; Verify non-standard parameters: in some cases (but not all), setting the value of a URL segment suspected of being a parameter to a value expected to be invalid can help determine if it is a path elements of a parameter. If a path element, the web server will return a 404 message, while for an invalid value to a parameter the answer would be an application level message as the value is legal at the web server level.

; Analyzing collected requests to optimize fuzzing - after identifying potential parameters to fuzz, analyze the collected values for each to determine -
* Valid vs. invalid values, so that fuzzing can focus on marginal invalid values. For example sending "0" for a value found to be always a positive integer.
* Sequences allowing to fuzz beyond the range presumably allocated to the current user.

; Lastly, when fuzzing, don't forget to emulate the authentication mechanism used.

= Related Resources =
[[REST Security Cheat Sheet]] - the other side of this cheat sheet
[http://www.xiom.com/2011/11/20/restful_webservices_testing RESTful services, web security blind spot] - a presentation (including video) elaborating on most of the topics on this cheat.

{{Cheatsheet_Navigation}}

= Authors and Primary Editors =

Ofer Shezaf - ofer@shezaf.com 

[[Category:Cheatsheets]]

OWASP Israel 2013 Presentations

2013-10-14T05:58:47Z

Oshezaf:

= Keynote =

=== Why Are Investors Excited About Cyber Security Startups, Again?‎ ===
'''''Ron Moritz, Consigliere on Venture Strategies, Issues and Trends''''' 
([[media:OWASP_IL_2013_10_OWASP_Ron_Moritz_Why_Are_Investors_Excited_About_Cyber_Security_Startups.pdf‎|download presentation]] | [http://www.youtube.com/watch?v=WTmd7ahBXAU&list=SPA4gj-PiNukdr7SY4XKoF4xhb0XZYw-WI&index=1 watch video])

Ron will speak about the current state of security startups, the current crop of security problems being solved by startups, and the trends of what solutions investment capital is looking to support.

The Keynote will be in English.

 
Speaker Bio

Ron Moritz is a well-regarded executive with over twenty-five years of broad operational and strategy experience from premier technology companies such as Microsoft (GM, Forefront), Symantec (SVP & CTO), and Computer Associates (SVP, Security Products Business Unit), where he was a member of each company's distinguished corporate or divisional leadership teams.

Having advised C-level executives, boards of directors, venture capitalists and private equity firms on value-creation activities including new markets, acquisition and divestiture strategy, global sourcing of labor, major technology decisions, and eco-system development, Mr. Moritz brings a unique point of view at the intersection of technology, strategy, global markets and finance.

Ron is currently a partner in Aura Coffee, a third-wave coffee roasting company based in Modiin; a member of the Fireblade board of directors; and a mentor Jerusalem-based crowd-funding leader, OurCrowd.

 

= Plenary Sessions =

=== Evolution of online banking attack techniques ===
'''''Amit Klein, CTO, Trusteer'''''
([http://www.youtube.com/watch?v=PBqqKYgU2ZM&list=SPA4gj-PiNukdr7SY4XKoF4xhb0XZYw-WI&index=2 watch video])

I will survey the evolution of attack techniques against online banking since the mid-2000s till today. This starts with keylogging malware, moves over to screenshooting malware, and finally gets to HTML injection malware (the “Man in the Browser” concept). I will then show several examples of the power of MitB attacks, especially when combined with social engineering, and how this can overcome many security measures such as two-factor authentication and transaction verification.

 
Speaker Bio

As Trusteer’s CTO, Amit Klein manages the company’s security research. Prior to Trusteer, Mr. Klein was Chief Scientist at Cyota Inc. (acquired by RSA Security), a leading provider of layered authentication solutions. In this role, Mr. Klein researched technologies that prevent online fraud, phishing, and pharming and filed several patents in those areas. Prior to this, Mr. Klein worked as Director of Security and Research at Sanctum, Inc. (acquired by Watchfire), where he was responsible for the security architecture of all Sanctum products. Mr. Klein holds a B.Sc. (cum laude) in Mathematics and Physics.
Mr. Klein is a world-renowned security researcher, having published more than thirty articles, papers and technical notes on the topic of Internet security. He was named CTO of the Year by InfoWorld Magazine and has presented at many prestigious conferences including RSA, FSISAC, OWASP and CertConf.

 
Technical Level: Intermediate

 

=== Your mobile device in the service of the malicious hacker (Live Demo) ===
''''' Adi Sharabani, CEO, Skycure ''''' 
([[media:OWASP_IL_2013_10_Adi_Sharabani_Mobile_Threats.pdf‎|download presentation]] | [http://www.youtube.com/watch?v=nJU98g1SdBM&list=SPA4gj-PiNukdr7SY4XKoF4xhb0XZYw-WI&index=12 watch video])

We all developed natural instincts when it comes to protecting our physical space. We all know to look to the sides before crossing the road, and we all have some capabilities to assess current risks and make decisions accordingly. However, when it comes to using our mobile devices in the cyber era, these instincts have not yet evolved. People and organizations are at risk, and do not have an understanding how to assess or mitigate them. On top of that, current protection solutions provide inadequate protection against these threats. The organizational need to support mobile devices for business related activity created a huge gap in securing the organization. Adi Sharabani's keynote will highlight some of these threats via a live demonstration of a mobile hacking activity. The audience will be able to opt in for the demo, reflecting how easy it is for a hacker to hack into remote devices.

 
Speaker Bio

Mr. Adi Sharabani is a world-class security expert and the CEO of Skycure, a start-up that focuses on providing firewall solutions for mobile devices. Formerly, Adi led the security of IBM software products. He came to IBM through the Watchfire acquisition, a start-up company which was a pioneer in the field of application security. Among his roles, Adi built and led the Watchfire’s security group. Adi has written many patents in the security space, and his works have been presented in many known conferences such as BlackHat, RSA, OWASP, Innovate, Herzliya Conference and many more; his presentations and keynotes are constantly being ranked as best presentations of most conferences he presents at. Adi is also a fellow at Prof. Yuval Ne’eman’s workshop. In his spare time, Adi teaches at Ohel-Shem high school, and is a part of the vision and implementation of the cyber-defense curriculum for high school students, a vision that is now being implemented in Israel.

 
Technical Level: Introduction

 

= Track A =

=== Get Ready for the Next Big Wave of Attacks: Hacking of Leading CMS Systems ===
'''''Maty Siman, CTO, Checkmarx'''''
([http://www.youtube.com/watch?v=KIgMMLS8_Jc&list=SPA4gj-PiNukdr7SY4XKoF4xhb0XZYw-WI&index=3 watch video])

The flow of this talk is given by – you! Before this talk, we emailed the audience to provide us with their favorite WordPress plugins that they would like to test for security. In a live demo, we assess the security of the requested plugins. Previous similar trials that we performed on WordPress showed that 30% of the top 50 most downloaded plugins were vulnerable to common Web attacks. What will be the results of this experiment?

As we’ll continue to show, assessing the security posture of a plugin is only the hacker’s first step in mass attacks. As opposed to past mass SQL Injection attacks which leveraged tools such as SQLMap, these next wave of attacks do not focus on the site’s platform or customized development code. Rather, these attacks leverage on the increasing popularity of CMS platforms such as WordPress and Joomla. The maturity, prevalence and market penetration of CMS platforms allow any marketing, sales or HR individual to easily set up their own fully-operational site. Accordingly, CMS apps are flourishing – and so are the vulnerabilities in these apps.

 
Speaker Bio

Maty is the CTO and founder of Checkmarx. Maty has more than a decade of experience in software development, IT security and source-code analysis. An authoritative figure in application security, Maty is regularly interviewed by the media on security-breaking news and frequently speaks at various IT security conferences. Prior to founding Checkmarx, Maty worked for two years at the Israeli Prime Minister’s Office as a senior IT security expert and project manager. Prior to that, he spent six years with the Israeli Defense Forces (IDF), where he established and led a development team in the IDF’s Information Security Center.

 
Technical Level: Intermediate

 

=== Utilizing Popular Websites for Malicious Purposes Using RDI ===
'''''Daniel Chechik, Security Researcher, Trustwave SpiderLabs''''' 
'''''Anat Davidi, Security Researcher, Trustwave SpiderLabs''''' 
([[Media:OWASP IL 2013 10 Chechik Davidi Utilizing Popular Websites for Malicious Purposes Using RDI.pdf|download presentation]] | [http://www.youtube.com/watch?v=jUBC4qY0akg&list=SPA4gj-PiNukdr7SY4XKoF4xhb0XZYw-WI&index=4 watch video])‎

Reflected DOM Injection is a new attack vector first presented at the DefCon 21 conference in July. We will explain the technique and show a live demo where we use it to hide malicious code within popular and trusted websites. For those of you who are interested in RDI but couldn’t make it to DefCon, we are bringing the talk to you!

The introduction of this session will briefly review the struggle between malicious websites and security products. We will explain the issues of hosting a malicious website and the techniques security vendors use in order to block them.
We will then present our new technique to avoid detection and proceed to explain all parts of it in-depth. A full demo of the attack from beginning to end will be included.
common and known services published by popular websites will be used in order to dynamically construct an attack hosted for us by these services.
Finally, we will add a layer of defense to our attack, and generate malicious code which will become practically invisible to dynamic analysis engines and thus evade most of today's security engines and technologies.

 
Speaker Bio

Daniel Chechik is a veteran security researcher at Trustwave's SpiderLabs. Among other things, he specializes in malware analysis, web exploits detection, Trojan and botnet detection and neutralizing and defining security requirements for the Secure Web Gateway product.
Prior to that, Daniel served in a technological unit as a security specialist in the IDF. During the service, Daniel specialized in CheckPoint Firewall equipment, AntiVirus products and other IT security products.
Daniel, among other things, has spoken at the RSA conference, DefCon, holds CEH and CCSE certificates and has a patent pending for 'Detecting Malware Communication on an Infected Computing Device'.

Anat Davidi is a security researcher at Trustwave's SpiderLabs. Her role includes vulnerability analysis, malware analysis and developing detection logic for the Secure Web Gateway product.
Prior to that, Anat worked as a security consultant providing security reviews and penetration tests for organizations in various business sectors, ranging from banks and insurance companies to hi-tech corporations. Amongst other things, Anat has spoken at the RSA conference, DefCon.

 
Technical Level: Intermediate

 

=== Invisibility Purge - Manipulating Properties Of Invisible & Dormant Asp.Net Controls‎ ===
'''''Shay Chen, CTO, Ernst & Young (Hacktics)''''' 
([[Media:OWASP IL 2013 10 Shay Chen Invisible Purge.pdf|download presentation]] | [http://www.youtube.com/watch?v=tAQTMdNU5dA&list=SPA4gj-PiNukdr7SY4XKoF4xhb0XZYw-WI&index=5 watch video])

Server-Side Web Controls became popular components in modern web application frameworks.
In addition to the development benefits of these components provide, they are also protected using a variety of security mechanisms, including digital signatures, content access restrictions and even invisibility.
However, developers that use these components improperly can expose the application to a variety of different attacks that can be executed despite, and sometimes due to the existence of security mechanisms.
The presentation will demonstrate several new methods that attackers can harness to bypass security mechanism, manipulate server control properties and identify, enumerate and activate events of dormant server web controls, in popular platforms such as ASP.Net, JSF and Mono.

 
Speaker Bio

Shay Chen is the CTO of Hacktics, an advanced security center of Ernst & Young.

As a victim of the law of familiarity, a decade of exposure to common vulnerabilities was enough to shift his focus to abnormal hacking methodologies and new attack vectors.

He is also a prominent blogger and researcher, and is responsible for many security publications, including new application-level attacks, testing methodologies and open source projects.
As the co-author of the platforms "Diviner", "SCIP" and "WAVSEP" he was involved in the publication of several large-scale researches in the field of automated security scanners.

Shay is an experienced speaker, has been instructing a variety of information security courses for the past 8 years, and had multiple appearances in international conferences, including Blackhat, Hacktivity, AppSecUSA and others.

 
Technical Level: Advanced

 

=== The ReFrameworker Android runtime manipulator – pentesting Android apps like a king ‎===
'''''Erez Metula, Application Security Expert, AppSec Labs (Founder)''''' 
([[Media:OWASP IL 2013 10 Erez Metula The ReFrameworker Android runtime manipulator.pdf|download presentation]] | [http://www.youtube.com/watch?v=mFW2ST4-b4s&list=SPA4gj-PiNukdr7SY4XKoF4xhb0XZYw-WI&index=6 watch video])

ReFrameworker is a new exiting addition to the AppUse pentest VM which we just released at recent BlackHat USA, targeting Android applications. With ReFrameworker, we can manipulate Android applications to make our life as pentesters a lot more easier. Does the app you test insists to be used only for a particular IMEI or phone number? Or does it break on invalidated certificates when you try to SSL MitM it using a proxy? No problem! With ReFrameworker, you can just give a new behavior to any runtime method you'd like, like disabling verifications, controlling return values, and so on. Snooping on local SQL queries or encryption keys? ReFrameworker gives you a proxy for local variables so you can changes important or sensitive values on the fly.
The idea is that we'd built a new Android ROM for the sole purpose of pentesting Android apps, loaded with hooks at important places inside the Dalvik runtime. During this talk we'll witness the power of ReFrameworker, we'll learn how to use it, how it was implemented and how it can be extended.

 
Speaker Bio

Erez Metula Author of the book "Managed Code Rootkits", is a world renowned application security expert. Erez has extensive hands-on experience performing security assessments, code reviews and secure development trainings for worldwide organizations, and had previously talked at international security conferences such as BlackHat, Defcon, OWASP, RSA, SOURCE, CanSecWest and more. He is the founder of AppSec Labs, where he focuses on advanced application security topics. Erez holds an MSc in computer science and he is CISSP.

 
Technical Level: Advanced

 

=== A Game of Pwns: Pwning iPhone application security assessment using the iNalyzer framework ===
'''''Chilik Tamir, Chief Scientist, AppSec Labs''''' 
([[Media:OWASP_IL_2013_10_Chilik_Tamir_GameOfPwns-Pwning_iOS_pentesting_with_iNalyzer.pdf‎|download presentation]] | [http://www.youtube.com/watch?v=gJK6G7y7AvY&list=SPA4gj-PiNukdr7SY4XKoF4xhb0XZYw-WI&index=7 watch video])

iNalyzer is an open-source free to use pen-testing framework I have recently updated for BlackHat USA, targeting iPhone applications. In the following presentation I will present my latest research on a new approach to performing security assessments of iOS applications utilizing the iNalyzer. The presentation will include live demonstration of using iNalyzer to transform a tedious black-box penetration testing into an exciting gray-box effort.
The talk will cover some of the problems with testing iOS applications, and present a wider picture of the testing process for different applications using iNalyzer, from the point of view of the tester, and how to handle the difficulties that may ensue.
* You will learn how to utilize iNalyzer to bind the power of regular web vulnerability scanner - such as Zap, Burp or AppScan into the exciting world of iOS penetration testing.
* You will learn how to fill in the gaps and use iNalyzer in your IDA reversing effort when testing.
* You will learn how to manipulate iPhone applications to make our life as pen-testers a lot easier using iNalyzer.

 
Speaker Bio

Chilik Tamir is an information security expert with over two decades of experience in training, research, development, testing and consulting in the field of applicative information security for clients in the fields of finance, security, government offices and corporations. His latest research - the iOS iNalyzer is an open-source iOS application Penetration Testing Dashboard. Among his previous publications you will find AppUse – a testing environment for Android applications developed together with Erez Metula; Belch – an automatic tool for analysis and testing of binary protocols such as Flex and Java-Serialization; Chilik is an experienced security trainer and speaker with previous talks and training in security conferences such as BlackHat USA, HITB Amsterdam, OWASP Israel as well as training in cooperations such as Intel, HP, Cisco, Amdocs, Verint, RedBend and others. He is the Chief Scientist at AppSec Labs, where he acts as head of R&D and innovation. Chilik holds an Biomedical Engineering B.Sc. degree.

 
Technical Level: Advanced

 

=== Automatic trust based segregation for content providers on mobile devices ===
'''''Oren Poleg, IDC''''' 
([[Media:OWASP_IL_2013_10_Oren_Peleg_Automatic_trust_based_segregation_for_content_providers.pdf|download presentation]] | [http://www.youtube.com/watch?v=QNqcC_gS6Y0&list=SPA4gj-PiNukdr7SY4XKoF4xhb0XZYw-WI&index=8 watch video])

In this work we have designed and developed a modification to the Android Content Providers that allows us to impose access restrictions on the sensitive data items they contain (such as contacts, calendar events) .

We have developed lightweight solution that is compatible with the current Android design (so it can be easily integrated with the current Android implementation) that creates separation between different types of sensitive data, also separating them from the non-sensitive information in Android content providers. We allow the device owner to view the data in a unified manner, while 3rd party applications will be allowed access only to content created by them or that they were granted permission to view.

User interaction is not required for the security decisions. Instead, we are defining trust relationship between the data and the applications, in which the owner of the data can delegate access permissions to the applications.

This approach will enable organization to store sensitive information on the device content providers, allow the user to easily access it from the organizational applications as well as from system applications while preventing its leakage through other 3rd party applications
While developed for Android, the concept can be implemented on other mobile devices, such as iPhone and Windows Phone.

 
Speaker Bio

Oren Poleg is a mobile platforms expert, with more than 10 years in the mobile platforms space.
As a team leader in (the Former) Sun Microsystems, Oren was responsible to the integration of Java VM into mobile devices, later to be followed with and research of smart phone infrastructures
Currently Oren is a working as a Consultant, dealing with Android Devices, Smart TVs and Network Security.

 
Technical Level: Intermediate/Advanced

 
= Track B =

=== Web Application Forensics ===
'''''Renana Friedlich, Forensic Department Leader, Ernst and Young (Hacktics)'''''

Most organizations are not aware of successful application-level attacks, until it's too late.
Application penetration tests don't provide information on attacks that ALREADY occurred, on attacks are CURRENTLY in progress, on failed attempts, or even on the actual impact.
Organizations usually rely on security products such as WAF and IDS to locate hacking incidents, but what about attacks that slipped pass the WAF?
What about attacks with a pattern that the IDS did not recognize? What about organizations that implemented these products too late, or not at all?
That's where Web Application Proactive Forensics comes in - A collection of detailed methodologies for locating evidence of attacks that were performed and/or exploited, including attacks listed in OWASP testing guide, WASC and CWE.

 
Speaker Bio

Renana Friedlich is the Forensic Department Leader at Hacktics, an advanced security center of EY. Renana specializes in forensic investigations, developing incident response, malware assessments, and escorting start-up companies in implementing forensic methodologies into their products.
Prior to working at Hacktics, she served at the intelligence corps for seven years, and has over nine years of experience in the information security field.
In recent years, Renana was a frequent speaker in the government sector and had multiple appearances in public conferences, including OWASP, annual risk management conferences, and universities. She also regularly instructs forensic and incident response courses in universities and clients from various industries.

 
Technical Level: Intermediate

 

=== STDD - The protection you REALLY need ===
''''' Nir Valtman, R&D CSO, Retalix ''''' 
''''' Alex Linder, Solution Architect, Retalix ''''' 
([[Media:OWASP_IL_2013_10_Nir_Valtman_STDD.pdf|download presentation]])‎

Today in the agile world, many streams based on Acceptance Test Driven Development (ATDD). In this presentation we are going to demonstrate how to reuse this concept in context of security. In addition, this presentation includes common scenarios from attacker's point of view as well as the defender should think. Needless to mention, we have many demos...

 
Speaker Bio

Nir is employed in Retalix as R&D CSO. Before this position he worked as chief security architect, senior technology consultant, application security consultant, system security consultant and a technological trainer. As part of his positions, Nir didn't only consulting, but also performed hands-on activities in various fields, e.g. hardening, penetration testing and development for personal\internal applications. 
Nir has a BSc in computer science but his knowledge is based mainly on cowboy learning and information sharing with the techno-oriented communities. 
Blog: http://www.valtman.org

Alex is a technology geek, likes to research and play with new stuff. Alex is a highly experienced Solution Architect specializing in Software, middleware and APIs. 
Alex has more than 14 years of experience and performed vast roles in the Israeli market such as VP Professional services, Group manager, Solution Architect, Dev team leader and Senior consultant. 
Currently working as a solution architect of large scale R&D firm with cutting edge technologies. 
Blog: http://linderalex.blogspot.co.il/

 
Technical Level: Intermediate / Advanced

 

=== Spam, Death Threats, and Other Abuses of Online Communities ===
'''''Avi Douglen, Security Architect, Independant''''' 
([[Media:OWASP_IL_2013_10_Avi_Douglan_Spam-DeathThreats-Abuse-OnlineCommunities.pdf‎|download presentation]])‎

Many contemporary websites are based on so-called “User Generated Content” (aka UGC). Furthermore, many sites oriented around a community of users enable users to interact with each other, via the site. Sites like Wikipedia and StackOverflow allow users to freely edit pages visible to all users, popular discussion forums are based on continuous postings of content by users, and social networks such as Facebook encourage users to constantly add their own rich data to the site for others’ consumption.

Aside from the usual web attacks common to all user input on websites, such as XSS and SQL Injection, there are some forms of attacks or abuse that are specific to sites such as these. Some of them are purely technical, some of them are social in nature and just take advantage of the available technology. These are often exacerbated by the scope and huge amount of traffic to these sites, and take advantage of the network effect.

The talk will be based in a large part on the speaker’s experience on the Stack Exchange network of sites, but will also compare to the models prevalent on other popular sites. We will discuss some of the aspects particular to these platforms, and show how even the more “boring” of these attacks can sometimes be interesting depending on the situation. We will also see some of the stranger happenings that occur on a large site. Finally, we will discuss and compare some of the different models that these huge websites use to limit the damage.
We will of course focus on what is both these sites’ biggest weakness, and greatest strength - the community.

 
Speaker Bio

Avi Douglen had a CISSP before it was popular, but he is not a hipster. Avi is a high-end, independent security architect and developer, and has been designing, developing and testing secure applications, and leading development teams in building secure products, for over 15 years. Avi is also a Community Moderator (volunteer basis) on Stack Exchange’s fantastic Information Security site (http://security.stackexchange.com), sister site to Stack Overflow. As a moderator, and as an active user on several other Stack Exchange sites, he has spent a lot of time handling these types of attacks, and has had the opportunity to see up close, what works, what doesn’t, and what can scale to millions of users.

 
Technical Level: Introductory

 

=== Delivering Security in Continuous Delivery Environment ‎===
''''' Yaniv Simsolo, Senior Consultant, Comsec Consulting''''' 
([[Media:OWASP IL 2013 10 Yaniv Simsolo Delivering Security in CD Environments.pdf|download presentation]] | [http://www.youtube.com/watch?v=D5dyf13RbCU&list=SPA4gj-PiNukdr7SY4XKoF4xhb0XZYw-WI&index=9 watch video])

Moving from traditional development environment to Agile environment, creates many a challenge to the security of the organization and developed system. Moving from Agile development environment towards Continuous Delivery environment ups the stakes.
We will venture in to the challenges of delivering security in Continuous Delivery environment, and test whether in-depth security is achievable.
Relying on industry evidences, a unique approach to the evolvement of security under Continuous Delivery development environment will be presented.

 
Speaker Bio

Yaniv Simsolo, CISSP, Senior IT Security Professional. A consultant in application security from 2004, and an expert of security of compound and enterprise scale systems.

 
Technical Level: Intermediate

 

=== Designing a national defense strategy for DDoS applications and volume attacks ===
'''''Mirit Kagarlitsky, Head of System Analysis, Israeli National Cyber Bureau '''''

DDoS attacks exploit vulnerabilities in different protocol stack layers, from the application layer and downward. These attacks undermine the availability of various services, some of which transcend the local interest of the compromised organization, bearing broader consequences.
Designing a national defense strategy for DDoS attacks has advantages, since the state has both the interest and the capacity to devise large-scale technological solutions of security from targeted attacks on critical services as well as from cumulative damage in this realm. The problem is that there is a wide spectrum of solutions and possible network locations for state intervention: services entry point, ISPs, cloud-based approaches and more; every solution should be analyzed from a national standpoint.
Our work examines when and where should the state take action in the realm, ranging from the individual organization to the ISP level. We also suggest how its accumulated benefit should be assessed in order to evaluate the overall effectiveness of the national strategy.

 
Speaker Bio

Mirit Kagarlitsky holds a B.Sc. in physics and mathematics from the Hebrew University in Jerusalem and is in the process of completion of M.Sc. in Statistics from Tel Aviv University. She has vast experience with operations research and system analysis in various fields, as an analyst and as a team leader. Today she work as the head of system analysis in the Israeli National Cyber Bureau.

 
Technical Level: Introduction

 

=== Enhancing Web Application Defense Using Big Data ===
''''' Or Katz, Principal Security Researcher, Akamai Technologies '''''
([http://www.youtube.com/watch?v=rNecoaL78Sw&list=SPA4gj-PiNukdr7SY4XKoF4xhb0XZYw-WI&index=10 watch video])

In recent years Big Data has become a commonly used technology in many products, in this presentation I will unveil practical examples on how we can improve web application defenses by using Big Data. Using Big Data enables us to combine web application filter triggers from multiple data sources. Big data analysis contributes to the improvement and enhances defense tactics. In this presentation I will show some examples such as:
* SQLi – detecting malicious users and their level of maliciousness
* Web Scraping – expose scrapers that fly under the radar and what is their target information
* False positives reduction – using Big Data in order to learn how to tune your configuration

 
Speaker Bio

Or Katz has vast expertise in Web Application Firewall technology, working in market leading web application firewall vendors as a web application security researcher.
Mr. Katz is a board member in OWASP Israel chapter, frequent speaker in the chapter conferences and he was also responsible for leading the OWASP Top 10 Hebrew translation project.
Mr. Katz also published several innovative white papers on web applications defensive techniques.

 
Technical Level: Intermediate

 

=== From Obscurity to Pop Culture - Evolution of Application Security ‎===
''''' Irene Abezgauz, VP Product Management, Quotium'''''
([[Media:OWASP_IL_2013_10_Irene_Abezgauz_Evolution_of_Application_Security.pdf‎|download presentation]] | [http://www.youtube.com/watch?v=ASZvPxGHZ5g&list=SPA4gj-PiNukdr7SY4XKoF4xhb0XZYw-WI&index=11 watch video])

In 1998 the New York Times website was hacked. According to various news sources, the site underwent a thorough security test just two years before and at that point it became clear that 'it might not be sufficient'. Fifteen years later, application security trends talk about APTs, Agile SDLCs and Security Products being commoditized.
In this lecture we review the evolution of application security in the past decade and a half. Examining technology and aspects of security management from the early days of OWASP foundation to present day mobile application security testing as part of the development lifecycle.

 
Speaker Bio

Irene has ten years of experience in information and application security. Focused on application security penetration testing and research she is a builder and breaker of things. She is the Product Manager of Seeker™, the new generation of automatic application security testing, and head of security research activities at Seeker Security (Quotium). Ms. Abezgauz has discovered numerous vulnerabilities and published advisories related to products of leading vendors.

 
Technical Level: Introduction

File:OWASP IL 2013 10 Oren Peleg Automatic trust based segregation for content providers.pdf

2013-10-14T05:57:35Z

Oshezaf:

File:OWASP IL 2013 10 Chilik Tamir GameOfPwns-Pwning iOS pentesting with iNalyzer.pdf

2013-10-14T05:54:04Z

Oshezaf:

OWASP Israel 2013

2013-10-08T19:00:15Z

Oshezaf: /* Location and Time */

== Location and Time ==

The 2013 annual OWASP AppSec Israel conference was held at the Interdisciplinary Center in Herzliya (IDC) on October 1st, in the Efi Arazi school of Computer Science. With well over 450 participants, it was a huge and impressive success! You can find pictures of the event on [https://www.facebook.com/media/set/?set=a.10151737522773985.1073741834.225900483984&type=3 ComSec facebook page]

Thanks for participation in the event. Use the [[OWASP_Israel_2013_Presentations|presentations info page]] to download presentations.

The conference is sponsored by:

{{Template:OWASP_IL_2013_Sponsors}}

For further details contact Avi Douglen (douglen at hotmail.com)

== Agenda ==

{{Template:OWASP_IL_2013_Agenda}}

== The people behind the conference ==

OWASP Israel is made by the people who contribute their time and brain to its success. The following people are working to ensure that OWASP Israel 2013 is a success. If you feel that you also can contribute or have interesting ideas regarding the conference, don't hesitate to contact me.

=== Contributors ===

*Avi Douglen (Independent)
*Or Katz (Akamai)
*Ory Segal (Akamai)
*Ofer Maor (Quotium)
*Itzik Kotler (Independent)
*Dr. Anat Bremler-Barr (Interdisciplinary Center Herzliya)

[[Category:Israel]] [[Category:OWASP_Israel_2013]]

OWASP Israel 2013 Presentations

2013-10-07T16:08:20Z

Oshezaf: /* Your mobile device in the service of the malicious hacker (Live Demo) */

= Keynote =

=== Why Are Investors Excited About Cyber Security Startups, Again?‎ ===
'''''Ron Moritz, Consigliere on Venture Strategies, Issues and Trends''''' 
([[media:OWASP_IL_2013_10_OWASP_Ron_Moritz_Why_Are_Investors_Excited_About_Cyber_Security_Startups.pdf‎|download presentation]])

Ron will speak about the current state of security startups, the current crop of security problems being solved by startups, and the trends of what solutions investment capital is looking to support.

The Keynote will be in English.

 
Speaker Bio

Ron Moritz is a well-regarded executive with over twenty-five years of broad operational and strategy experience from premier technology companies such as Microsoft (GM, Forefront), Symantec (SVP & CTO), and Computer Associates (SVP, Security Products Business Unit), where he was a member of each company's distinguished corporate or divisional leadership teams.

Having advised C-level executives, boards of directors, venture capitalists and private equity firms on value-creation activities including new markets, acquisition and divestiture strategy, global sourcing of labor, major technology decisions, and eco-system development, Mr. Moritz brings a unique point of view at the intersection of technology, strategy, global markets and finance.

Ron is currently a partner in Aura Coffee, a third-wave coffee roasting company based in Modiin; a member of the Fireblade board of directors; and a mentor Jerusalem-based crowd-funding leader, OurCrowd.

 

= Plenary Sessions =

=== Evolution of online banking attack techniques ===
'''''Amit Klein, CTO, Trusteer'''''

I will survey the evolution of attack techniques against online banking since the mid-2000s till today. This starts with keylogging malware, moves over to screenshooting malware, and finally gets to HTML injection malware (the “Man in the Browser” concept). I will then show several examples of the power of MitB attacks, especially when combined with social engineering, and how this can overcome many security measures such as two-factor authentication and transaction verification.

 
Speaker Bio

As Trusteer’s CTO, Amit Klein manages the company’s security research. Prior to Trusteer, Mr. Klein was Chief Scientist at Cyota Inc. (acquired by RSA Security), a leading provider of layered authentication solutions. In this role, Mr. Klein researched technologies that prevent online fraud, phishing, and pharming and filed several patents in those areas. Prior to this, Mr. Klein worked as Director of Security and Research at Sanctum, Inc. (acquired by Watchfire), where he was responsible for the security architecture of all Sanctum products. Mr. Klein holds a B.Sc. (cum laude) in Mathematics and Physics.
Mr. Klein is a world-renowned security researcher, having published more than thirty articles, papers and technical notes on the topic of Internet security. He was named CTO of the Year by InfoWorld Magazine and has presented at many prestigious conferences including RSA, FSISAC, OWASP and CertConf.

 
Technical Level: Intermediate

 

=== Your mobile device in the service of the malicious hacker (Live Demo) ===
''''' Adi Sharabani, CEO, Skycure ''''' 
([[media:OWASP_IL_2013_10_Adi_Sharabani_Mobile_Threats.pdf‎|download presentation]])

We all developed natural instincts when it comes to protecting our physical space. We all know to look to the sides before crossing the road, and we all have some capabilities to assess current risks and make decisions accordingly. However, when it comes to using our mobile devices in the cyber era, these instincts have not yet evolved. People and organizations are at risk, and do not have an understanding how to assess or mitigate them. On top of that, current protection solutions provide inadequate protection against these threats. The organizational need to support mobile devices for business related activity created a huge gap in securing the organization. Adi Sharabani's keynote will highlight some of these threats via a live demonstration of a mobile hacking activity. The audience will be able to opt in for the demo, reflecting how easy it is for a hacker to hack into remote devices.

 
Speaker Bio

Mr. Adi Sharabani is a world-class security expert and the CEO of Skycure, a start-up that focuses on providing firewall solutions for mobile devices. Formerly, Adi led the security of IBM software products. He came to IBM through the Watchfire acquisition, a start-up company which was a pioneer in the field of application security. Among his roles, Adi built and led the Watchfire’s security group. Adi has written many patents in the security space, and his works have been presented in many known conferences such as BlackHat, RSA, OWASP, Innovate, Herzliya Conference and many more; his presentations and keynotes are constantly being ranked as best presentations of most conferences he presents at. Adi is also a fellow at Prof. Yuval Ne’eman’s workshop. In his spare time, Adi teaches at Ohel-Shem high school, and is a part of the vision and implementation of the cyber-defense curriculum for high school students, a vision that is now being implemented in Israel.

 
Technical Level: Introduction

 

= Track A =

=== Get Ready for the Next Big Wave of Attacks: Hacking of Leading CMS Systems ===
'''''Maty Siman, CTO, Checkmarx'''''

The flow of this talk is given by – you! Before this talk, we emailed the audience to provide us with their favorite WordPress plugins that they would like to test for security. In a live demo, we assess the security of the requested plugins. Previous similar trials that we performed on WordPress showed that 30% of the top 50 most downloaded plugins were vulnerable to common Web attacks. What will be the results of this experiment?

As we’ll continue to show, assessing the security posture of a plugin is only the hacker’s first step in mass attacks. As opposed to past mass SQL Injection attacks which leveraged tools such as SQLMap, these next wave of attacks do not focus on the site’s platform or customized development code. Rather, these attacks leverage on the increasing popularity of CMS platforms such as WordPress and Joomla. The maturity, prevalence and market penetration of CMS platforms allow any marketing, sales or HR individual to easily set up their own fully-operational site. Accordingly, CMS apps are flourishing – and so are the vulnerabilities in these apps.

 
Speaker Bio

Maty is the CTO and founder of Checkmarx. Maty has more than a decade of experience in software development, IT security and source-code analysis. An authoritative figure in application security, Maty is regularly interviewed by the media on security-breaking news and frequently speaks at various IT security conferences. Prior to founding Checkmarx, Maty worked for two years at the Israeli Prime Minister’s Office as a senior IT security expert and project manager. Prior to that, he spent six years with the Israeli Defense Forces (IDF), where he established and led a development team in the IDF’s Information Security Center.

 
Technical Level: Intermediate

 

=== Utilizing Popular Websites for Malicious Purposes Using RDI ===
'''''Daniel Chechik, Security Researcher, Trustwave SpiderLabs''''' 
'''''Anat Davidi, Security Researcher, Trustwave SpiderLabs''''' 
([[Media:OWASP IL 2013 10 Chechik Davidi Utilizing Popular Websites for Malicious Purposes Using RDI.pdf|download presentation]])‎

Reflected DOM Injection is a new attack vector first presented at the DefCon 21 conference in July. We will explain the technique and show a live demo where we use it to hide malicious code within popular and trusted websites. For those of you who are interested in RDI but couldn’t make it to DefCon, we are bringing the talk to you!

The introduction of this session will briefly review the struggle between malicious websites and security products. We will explain the issues of hosting a malicious website and the techniques security vendors use in order to block them.
We will then present our new technique to avoid detection and proceed to explain all parts of it in-depth. A full demo of the attack from beginning to end will be included.
common and known services published by popular websites will be used in order to dynamically construct an attack hosted for us by these services.
Finally, we will add a layer of defense to our attack, and generate malicious code which will become practically invisible to dynamic analysis engines and thus evade most of today's security engines and technologies.

 
Speaker Bio

Daniel Chechik is a veteran security researcher at Trustwave's SpiderLabs. Among other things, he specializes in malware analysis, web exploits detection, Trojan and botnet detection and neutralizing and defining security requirements for the Secure Web Gateway product.
Prior to that, Daniel served in a technological unit as a security specialist in the IDF. During the service, Daniel specialized in CheckPoint Firewall equipment, AntiVirus products and other IT security products.
Daniel, among other things, has spoken at the RSA conference, DefCon, holds CEH and CCSE certificates and has a patent pending for 'Detecting Malware Communication on an Infected Computing Device'.

Anat Davidi is a security researcher at Trustwave's SpiderLabs. Her role includes vulnerability analysis, malware analysis and developing detection logic for the Secure Web Gateway product.
Prior to that, Anat worked as a security consultant providing security reviews and penetration tests for organizations in various business sectors, ranging from banks and insurance companies to hi-tech corporations. Amongst other things, Anat has spoken at the RSA conference, DefCon.

 
Technical Level: Intermediate

 

=== Invisibility Purge - Manipulating Properties Of Invisible & Dormant Asp.Net Controls‎ ===
'''''Shay Chen, CTO, Ernst & Young (Hacktics)''''' 
([[Media:OWASP IL 2013 10 Shay Chen Invisible Purge.pdf|download presentation]])

Server-Side Web Controls became popular components in modern web application frameworks.
In addition to the development benefits of these components provide, they are also protected using a variety of security mechanisms, including digital signatures, content access restrictions and even invisibility.
However, developers that use these components improperly can expose the application to a variety of different attacks that can be executed despite, and sometimes due to the existence of security mechanisms.
The presentation will demonstrate several new methods that attackers can harness to bypass security mechanism, manipulate server control properties and identify, enumerate and activate events of dormant server web controls, in popular platforms such as ASP.Net, JSF and Mono.

 
Speaker Bio

Shay Chen is the CTO of Hacktics, an advanced security center of Ernst & Young.

As a victim of the law of familiarity, a decade of exposure to common vulnerabilities was enough to shift his focus to abnormal hacking methodologies and new attack vectors.

He is also a prominent blogger and researcher, and is responsible for many security publications, including new application-level attacks, testing methodologies and open source projects.
As the co-author of the platforms "Diviner", "SCIP" and "WAVSEP" he was involved in the publication of several large-scale researches in the field of automated security scanners.

Shay is an experienced speaker, has been instructing a variety of information security courses for the past 8 years, and had multiple appearances in international conferences, including Blackhat, Hacktivity, AppSecUSA and others.

 
Technical Level: Advanced

 

=== The ReFrameworker Android runtime manipulator – pentesting Android apps like a king ‎===
'''''Erez Metula, Application Security Expert, AppSec Labs (Founder)''''' 
([[Media:OWASP IL 2013 10 Erez Metula The ReFrameworker Android runtime manipulator.pdf|download presentation]])

ReFrameworker is a new exiting addition to the AppUse pentest VM which we just released at recent BlackHat USA, targeting Android applications. With ReFrameworker, we can manipulate Android applications to make our life as pentesters a lot more easier. Does the app you test insists to be used only for a particular IMEI or phone number? Or does it break on invalidated certificates when you try to SSL MitM it using a proxy? No problem! With ReFrameworker, you can just give a new behavior to any runtime method you'd like, like disabling verifications, controlling return values, and so on. Snooping on local SQL queries or encryption keys? ReFrameworker gives you a proxy for local variables so you can changes important or sensitive values on the fly.
The idea is that we'd built a new Android ROM for the sole purpose of pentesting Android apps, loaded with hooks at important places inside the Dalvik runtime. During this talk we'll witness the power of ReFrameworker, we'll learn how to use it, how it was implemented and how it can be extended.

 
Speaker Bio

Erez Metula Author of the book "Managed Code Rootkits", is a world renowned application security expert. Erez has extensive hands-on experience performing security assessments, code reviews and secure development trainings for worldwide organizations, and had previously talked at international security conferences such as BlackHat, Defcon, OWASP, RSA, SOURCE, CanSecWest and more. He is the founder of AppSec Labs, where he focuses on advanced application security topics. Erez holds an MSc in computer science and he is CISSP.

 
Technical Level: Advanced

 

=== A Game of Pwns: Pwning iPhone application security assessment using the iNalyzer framework ===
'''''Chilik Tamir, Chief Scientist, AppSec Labs'''''

iNalyzer is an open-source free to use pen-testing framework I have recently updated for BlackHat USA, targeting iPhone applications. In the following presentation I will present my latest research on a new approach to performing security assessments of iOS applications utilizing the iNalyzer. The presentation will include live demonstration of using iNalyzer to transform a tedious black-box penetration testing into an exciting gray-box effort.
The talk will cover some of the problems with testing iOS applications, and present a wider picture of the testing process for different applications using iNalyzer, from the point of view of the tester, and how to handle the difficulties that may ensue.
* You will learn how to utilize iNalyzer to bind the power of regular web vulnerability scanner - such as Zap, Burp or AppScan into the exciting world of iOS penetration testing.
* You will learn how to fill in the gaps and use iNalyzer in your IDA reversing effort when testing.
* You will learn how to manipulate iPhone applications to make our life as pen-testers a lot easier using iNalyzer.

 
Speaker Bio

Chilik Tamir is an information security expert with over two decades of experience in training, research, development, testing and consulting in the field of applicative information security for clients in the fields of finance, security, government offices and corporations. His latest research - the iOS iNalyzer is an open-source iOS application Penetration Testing Dashboard. Among his previous publications you will find AppUse – a testing environment for Android applications developed together with Erez Metula; Belch – an automatic tool for analysis and testing of binary protocols such as Flex and Java-Serialization; Chilik is an experienced security trainer and speaker with previous talks and training in security conferences such as BlackHat USA, HITB Amsterdam, OWASP Israel as well as training in cooperations such as Intel, HP, Cisco, Amdocs, Verint, RedBend and others. He is the Chief Scientist at AppSec Labs, where he acts as head of R&D and innovation. Chilik holds an Biomedical Engineering B.Sc. degree.

 
Technical Level: Advanced

 

=== Automatic trust based segregation for content providers on mobile devices ===
'''''Oren Poleg, IDC'''''

In this work we have designed and developed a modification to the Android Content Providers that allows us to impose access restrictions on the sensitive data items they contain (such as contacts, calendar events) .

We have developed lightweight solution that is compatible with the current Android design (so it can be easily integrated with the current Android implementation) that creates separation between different types of sensitive data, also separating them from the non-sensitive information in Android content providers. We allow the device owner to view the data in a unified manner, while 3rd party applications will be allowed access only to content created by them or that they were granted permission to view.

User interaction is not required for the security decisions. Instead, we are defining trust relationship between the data and the applications, in which the owner of the data can delegate access permissions to the applications.

This approach will enable organization to store sensitive information on the device content providers, allow the user to easily access it from the organizational applications as well as from system applications while preventing its leakage through other 3rd party applications
While developed for Android, the concept can be implemented on other mobile devices, such as iPhone and Windows Phone.

 
Speaker Bio

Oren Poleg is a mobile platforms expert, with more than 10 years in the mobile platforms space.
As a team leader in (the Former) Sun Microsystems, Oren was responsible to the integration of Java VM into mobile devices, later to be followed with and research of smart phone infrastructures
Currently Oren is a working as a Consultant, dealing with Android Devices, Smart TVs and Network Security.

 
Technical Level: Intermediate/Advanced

 
= Track B =

=== Web Application Forensics ===
'''''Renana Friedlich, Forensic Department Leader, Ernst and Young (Hacktics)'''''

Most organizations are not aware of successful application-level attacks, until it's too late.
Application penetration tests don't provide information on attacks that ALREADY occurred, on attacks are CURRENTLY in progress, on failed attempts, or even on the actual impact.
Organizations usually rely on security products such as WAF and IDS to locate hacking incidents, but what about attacks that slipped pass the WAF?
What about attacks with a pattern that the IDS did not recognize? What about organizations that implemented these products too late, or not at all?
That's where Web Application Proactive Forensics comes in - A collection of detailed methodologies for locating evidence of attacks that were performed and/or exploited, including attacks listed in OWASP testing guide, WASC and CWE.

 
Speaker Bio

Renana Friedlich is the Forensic Department Leader at Hacktics, an advanced security center of EY. Renana specializes in forensic investigations, developing incident response, malware assessments, and escorting start-up companies in implementing forensic methodologies into their products.
Prior to working at Hacktics, she served at the intelligence corps for seven years, and has over nine years of experience in the information security field.
In recent years, Renana was a frequent speaker in the government sector and had multiple appearances in public conferences, including OWASP, annual risk management conferences, and universities. She also regularly instructs forensic and incident response courses in universities and clients from various industries.

 
Technical Level: Intermediate

 

=== STDD - The protection you REALLY need ===
''''' Nir Valtman, R&D CSO, Retalix ''''' 
''''' Alex Linder, Solution Architect, Retalix ''''' 
([[Media:OWASP_IL_2013_10_Nir_Valtman_STDD.pdf|download presentation]])‎

Today in the agile world, many streams based on Acceptance Test Driven Development (ATDD). In this presentation we are going to demonstrate how to reuse this concept in context of security. In addition, this presentation includes common scenarios from attacker's point of view as well as the defender should think. Needless to mention, we have many demos...

 
Speaker Bio

Nir is employed in Retalix as R&D CSO. Before this position he worked as chief security architect, senior technology consultant, application security consultant, system security consultant and a technological trainer. As part of his positions, Nir didn't only consulting, but also performed hands-on activities in various fields, e.g. hardening, penetration testing and development for personal\internal applications. 
Nir has a BSc in computer science but his knowledge is based mainly on cowboy learning and information sharing with the techno-oriented communities. 
Blog: http://www.valtman.org

Alex is a technology geek, likes to research and play with new stuff. Alex is a highly experienced Solution Architect specializing in Software, middleware and APIs. 
Alex has more than 14 years of experience and performed vast roles in the Israeli market such as VP Professional services, Group manager, Solution Architect, Dev team leader and Senior consultant. 
Currently working as a solution architect of large scale R&D firm with cutting edge technologies. 
Blog: http://linderalex.blogspot.co.il/

 
Technical Level: Intermediate / Advanced

 

=== Spam, Death Threats, and Other Abuses of Online Communities ===
'''''Avi Douglen, Security Architect, Independant''''' 
([[Media:OWASP_IL_2013_10_Avi_Douglan_Spam-DeathThreats-Abuse-OnlineCommunities.pdf‎|download presentation]])‎

Many contemporary websites are based on so-called “User Generated Content” (aka UGC). Furthermore, many sites oriented around a community of users enable users to interact with each other, via the site. Sites like Wikipedia and StackOverflow allow users to freely edit pages visible to all users, popular discussion forums are based on continuous postings of content by users, and social networks such as Facebook encourage users to constantly add their own rich data to the site for others’ consumption.

Aside from the usual web attacks common to all user input on websites, such as XSS and SQL Injection, there are some forms of attacks or abuse that are specific to sites such as these. Some of them are purely technical, some of them are social in nature and just take advantage of the available technology. These are often exacerbated by the scope and huge amount of traffic to these sites, and take advantage of the network effect.

The talk will be based in a large part on the speaker’s experience on the Stack Exchange network of sites, but will also compare to the models prevalent on other popular sites. We will discuss some of the aspects particular to these platforms, and show how even the more “boring” of these attacks can sometimes be interesting depending on the situation. We will also see some of the stranger happenings that occur on a large site. Finally, we will discuss and compare some of the different models that these huge websites use to limit the damage.
We will of course focus on what is both these sites’ biggest weakness, and greatest strength - the community.

 
Speaker Bio

Avi Douglen had a CISSP before it was popular, but he is not a hipster. Avi is a high-end, independent security architect and developer, and has been designing, developing and testing secure applications, and leading development teams in building secure products, for over 15 years. Avi is also a Community Moderator (volunteer basis) on Stack Exchange’s fantastic Information Security site (http://security.stackexchange.com), sister site to Stack Overflow. As a moderator, and as an active user on several other Stack Exchange sites, he has spent a lot of time handling these types of attacks, and has had the opportunity to see up close, what works, what doesn’t, and what can scale to millions of users.

 
Technical Level: Introductory

 

=== Delivering Security in Continuous Delivery Environment ‎===
''''' Yaniv Simsolo, Senior Consultant, Comsec Consulting''''' 
([[Media:OWASP IL 2013 10 Yaniv Simsolo Delivering Security in CD Environments.pdf|download presentation]])

Moving from traditional development environment to Agile environment, creates many a challenge to the security of the organization and developed system. Moving from Agile development environment towards Continuous Delivery environment ups the stakes.
We will venture in to the challenges of delivering security in Continuous Delivery environment, and test whether in-depth security is achievable.
Relying on industry evidences, a unique approach to the evolvement of security under Continuous Delivery development environment will be presented.

 
Speaker Bio

Yaniv Simsolo, CISSP, Senior IT Security Professional. A consultant in application security from 2004, and an expert of security of compound and enterprise scale systems.

 
Technical Level: Intermediate

 

=== Designing a national defense strategy for DDoS applications and volume attacks ===
'''''Mirit Kagarlitsky, Head of System Analysis, Israeli National Cyber Bureau '''''

DDoS attacks exploit vulnerabilities in different protocol stack layers, from the application layer and downward. These attacks undermine the availability of various services, some of which transcend the local interest of the compromised organization, bearing broader consequences.
Designing a national defense strategy for DDoS attacks has advantages, since the state has both the interest and the capacity to devise large-scale technological solutions of security from targeted attacks on critical services as well as from cumulative damage in this realm. The problem is that there is a wide spectrum of solutions and possible network locations for state intervention: services entry point, ISPs, cloud-based approaches and more; every solution should be analyzed from a national standpoint.
Our work examines when and where should the state take action in the realm, ranging from the individual organization to the ISP level. We also suggest how its accumulated benefit should be assessed in order to evaluate the overall effectiveness of the national strategy.

 
Speaker Bio

Mirit Kagarlitsky holds a B.Sc. in physics and mathematics from the Hebrew University in Jerusalem and is in the process of completion of M.Sc. in Statistics from Tel Aviv University. She has vast experience with operations research and system analysis in various fields, as an analyst and as a team leader. Today she work as the head of system analysis in the Israeli National Cyber Bureau.

 
Technical Level: Introduction

 

=== Enhancing Web Application Defense Using Big Data ===
''''' Or Katz, Principal Security Researcher, Akamai Technologies '''''

In recent years Big Data has become a commonly used technology in many products, in this presentation I will unveil practical examples on how we can improve web application defenses by using Big Data. Using Big Data enables us to combine web application filter triggers from multiple data sources. Big data analysis contributes to the improvement and enhances defense tactics. In this presentation I will show some examples such as:
* SQLi – detecting malicious users and their level of maliciousness
* Web Scraping – expose scrapers that fly under the radar and what is their target information
* False positives reduction – using Big Data in order to learn how to tune your configuration

 
Speaker Bio

Or Katz has vast expertise in Web Application Firewall technology, working in market leading web application firewall vendors as a web application security researcher.
Mr. Katz is a board member in OWASP Israel chapter, frequent speaker in the chapter conferences and he was also responsible for leading the OWASP Top 10 Hebrew translation project.
Mr. Katz also published several innovative white papers on web applications defensive techniques.

 
Technical Level: Intermediate

 

=== From Obscurity to Pop Culture - Evolution of Application Security ([[Media:OWASP_IL_2013_10_Irene_Abezgauz_Evolution_of_Application_Security.pdf‎|download presentation]])‎===
''''' Irene Abezgauz, VP Product Management, Quotium'''''

In 1998 the New York Times website was hacked. According to various news sources, the site underwent a thorough security test just two years before and at that point it became clear that 'it might not be sufficient'. Fifteen years later, application security trends talk about APTs, Agile SDLCs and Security Products being commoditized.
In this lecture we review the evolution of application security in the past decade and a half. Examining technology and aspects of security management from the early days of OWASP foundation to present day mobile application security testing as part of the development lifecycle.

 
Speaker Bio

Irene has ten years of experience in information and application security. Focused on application security penetration testing and research she is a builder and breaker of things. She is the Product Manager of Seeker™, the new generation of automatic application security testing, and head of security research activities at Seeker Security (Quotium). Ms. Abezgauz has discovered numerous vulnerabilities and published advisories related to products of leading vendors.

 
Technical Level: Introduction

OWASP Israel 2013 Presentations

2013-10-07T16:06:03Z

Oshezaf: /* Your mobile device in the service of the malicious hacker (Live Demo) */

= Keynote =

=== Why Are Investors Excited About Cyber Security Startups, Again?‎ ===
'''''Ron Moritz, Consigliere on Venture Strategies, Issues and Trends''''' 
([[media:OWASP_IL_2013_10_OWASP_Ron_Moritz_Why_Are_Investors_Excited_About_Cyber_Security_Startups.pdf‎|download presentation]])

Ron will speak about the current state of security startups, the current crop of security problems being solved by startups, and the trends of what solutions investment capital is looking to support.

The Keynote will be in English.

 
Speaker Bio

Ron Moritz is a well-regarded executive with over twenty-five years of broad operational and strategy experience from premier technology companies such as Microsoft (GM, Forefront), Symantec (SVP & CTO), and Computer Associates (SVP, Security Products Business Unit), where he was a member of each company's distinguished corporate or divisional leadership teams.

Having advised C-level executives, boards of directors, venture capitalists and private equity firms on value-creation activities including new markets, acquisition and divestiture strategy, global sourcing of labor, major technology decisions, and eco-system development, Mr. Moritz brings a unique point of view at the intersection of technology, strategy, global markets and finance.

Ron is currently a partner in Aura Coffee, a third-wave coffee roasting company based in Modiin; a member of the Fireblade board of directors; and a mentor Jerusalem-based crowd-funding leader, OurCrowd.

 

= Plenary Sessions =

=== Evolution of online banking attack techniques ===
'''''Amit Klein, CTO, Trusteer'''''

I will survey the evolution of attack techniques against online banking since the mid-2000s till today. This starts with keylogging malware, moves over to screenshooting malware, and finally gets to HTML injection malware (the “Man in the Browser” concept). I will then show several examples of the power of MitB attacks, especially when combined with social engineering, and how this can overcome many security measures such as two-factor authentication and transaction verification.

 
Speaker Bio

As Trusteer’s CTO, Amit Klein manages the company’s security research. Prior to Trusteer, Mr. Klein was Chief Scientist at Cyota Inc. (acquired by RSA Security), a leading provider of layered authentication solutions. In this role, Mr. Klein researched technologies that prevent online fraud, phishing, and pharming and filed several patents in those areas. Prior to this, Mr. Klein worked as Director of Security and Research at Sanctum, Inc. (acquired by Watchfire), where he was responsible for the security architecture of all Sanctum products. Mr. Klein holds a B.Sc. (cum laude) in Mathematics and Physics.
Mr. Klein is a world-renowned security researcher, having published more than thirty articles, papers and technical notes on the topic of Internet security. He was named CTO of the Year by InfoWorld Magazine and has presented at many prestigious conferences including RSA, FSISAC, OWASP and CertConf.

 
Technical Level: Intermediate

 

=== Your mobile device in the service of the malicious hacker (Live Demo) ===
''''' Adi Sharabani, CEO, Skycure ''''' 
([[media:OWASP_IL_2013_10_Adi_Sharabani_Mobile_Threats.pdf‎]])

We all developed natural instincts when it comes to protecting our physical space. We all know to look to the sides before crossing the road, and we all have some capabilities to assess current risks and make decisions accordingly. However, when it comes to using our mobile devices in the cyber era, these instincts have not yet evolved. People and organizations are at risk, and do not have an understanding how to assess or mitigate them. On top of that, current protection solutions provide inadequate protection against these threats. The organizational need to support mobile devices for business related activity created a huge gap in securing the organization. Adi Sharabani's keynote will highlight some of these threats via a live demonstration of a mobile hacking activity. The audience will be able to opt in for the demo, reflecting how easy it is for a hacker to hack into remote devices.

 
Speaker Bio

Mr. Adi Sharabani is a world-class security expert and the CEO of Skycure, a start-up that focuses on providing firewall solutions for mobile devices. Formerly, Adi led the security of IBM software products. He came to IBM through the Watchfire acquisition, a start-up company which was a pioneer in the field of application security. Among his roles, Adi built and led the Watchfire’s security group. Adi has written many patents in the security space, and his works have been presented in many known conferences such as BlackHat, RSA, OWASP, Innovate, Herzliya Conference and many more; his presentations and keynotes are constantly being ranked as best presentations of most conferences he presents at. Adi is also a fellow at Prof. Yuval Ne’eman’s workshop. In his spare time, Adi teaches at Ohel-Shem high school, and is a part of the vision and implementation of the cyber-defense curriculum for high school students, a vision that is now being implemented in Israel.

 
Technical Level: Introduction

 

= Track A =

=== Get Ready for the Next Big Wave of Attacks: Hacking of Leading CMS Systems ===
'''''Maty Siman, CTO, Checkmarx'''''

The flow of this talk is given by – you! Before this talk, we emailed the audience to provide us with their favorite WordPress plugins that they would like to test for security. In a live demo, we assess the security of the requested plugins. Previous similar trials that we performed on WordPress showed that 30% of the top 50 most downloaded plugins were vulnerable to common Web attacks. What will be the results of this experiment?

As we’ll continue to show, assessing the security posture of a plugin is only the hacker’s first step in mass attacks. As opposed to past mass SQL Injection attacks which leveraged tools such as SQLMap, these next wave of attacks do not focus on the site’s platform or customized development code. Rather, these attacks leverage on the increasing popularity of CMS platforms such as WordPress and Joomla. The maturity, prevalence and market penetration of CMS platforms allow any marketing, sales or HR individual to easily set up their own fully-operational site. Accordingly, CMS apps are flourishing – and so are the vulnerabilities in these apps.

 
Speaker Bio

Maty is the CTO and founder of Checkmarx. Maty has more than a decade of experience in software development, IT security and source-code analysis. An authoritative figure in application security, Maty is regularly interviewed by the media on security-breaking news and frequently speaks at various IT security conferences. Prior to founding Checkmarx, Maty worked for two years at the Israeli Prime Minister’s Office as a senior IT security expert and project manager. Prior to that, he spent six years with the Israeli Defense Forces (IDF), where he established and led a development team in the IDF’s Information Security Center.

 
Technical Level: Intermediate

 

=== Utilizing Popular Websites for Malicious Purposes Using RDI ===
'''''Daniel Chechik, Security Researcher, Trustwave SpiderLabs''''' 
'''''Anat Davidi, Security Researcher, Trustwave SpiderLabs''''' 
([[Media:OWASP IL 2013 10 Chechik Davidi Utilizing Popular Websites for Malicious Purposes Using RDI.pdf|download presentation]])‎

Reflected DOM Injection is a new attack vector first presented at the DefCon 21 conference in July. We will explain the technique and show a live demo where we use it to hide malicious code within popular and trusted websites. For those of you who are interested in RDI but couldn’t make it to DefCon, we are bringing the talk to you!

The introduction of this session will briefly review the struggle between malicious websites and security products. We will explain the issues of hosting a malicious website and the techniques security vendors use in order to block them.
We will then present our new technique to avoid detection and proceed to explain all parts of it in-depth. A full demo of the attack from beginning to end will be included.
common and known services published by popular websites will be used in order to dynamically construct an attack hosted for us by these services.
Finally, we will add a layer of defense to our attack, and generate malicious code which will become practically invisible to dynamic analysis engines and thus evade most of today's security engines and technologies.

 
Speaker Bio

Daniel Chechik is a veteran security researcher at Trustwave's SpiderLabs. Among other things, he specializes in malware analysis, web exploits detection, Trojan and botnet detection and neutralizing and defining security requirements for the Secure Web Gateway product.
Prior to that, Daniel served in a technological unit as a security specialist in the IDF. During the service, Daniel specialized in CheckPoint Firewall equipment, AntiVirus products and other IT security products.
Daniel, among other things, has spoken at the RSA conference, DefCon, holds CEH and CCSE certificates and has a patent pending for 'Detecting Malware Communication on an Infected Computing Device'.

Anat Davidi is a security researcher at Trustwave's SpiderLabs. Her role includes vulnerability analysis, malware analysis and developing detection logic for the Secure Web Gateway product.
Prior to that, Anat worked as a security consultant providing security reviews and penetration tests for organizations in various business sectors, ranging from banks and insurance companies to hi-tech corporations. Amongst other things, Anat has spoken at the RSA conference, DefCon.

 
Technical Level: Intermediate

 

=== Invisibility Purge - Manipulating Properties Of Invisible & Dormant Asp.Net Controls‎ ===
'''''Shay Chen, CTO, Ernst & Young (Hacktics)''''' 
([[Media:OWASP IL 2013 10 Shay Chen Invisible Purge.pdf|download presentation]])

Server-Side Web Controls became popular components in modern web application frameworks.
In addition to the development benefits of these components provide, they are also protected using a variety of security mechanisms, including digital signatures, content access restrictions and even invisibility.
However, developers that use these components improperly can expose the application to a variety of different attacks that can be executed despite, and sometimes due to the existence of security mechanisms.
The presentation will demonstrate several new methods that attackers can harness to bypass security mechanism, manipulate server control properties and identify, enumerate and activate events of dormant server web controls, in popular platforms such as ASP.Net, JSF and Mono.

 
Speaker Bio

Shay Chen is the CTO of Hacktics, an advanced security center of Ernst & Young.

As a victim of the law of familiarity, a decade of exposure to common vulnerabilities was enough to shift his focus to abnormal hacking methodologies and new attack vectors.

He is also a prominent blogger and researcher, and is responsible for many security publications, including new application-level attacks, testing methodologies and open source projects.
As the co-author of the platforms "Diviner", "SCIP" and "WAVSEP" he was involved in the publication of several large-scale researches in the field of automated security scanners.

Shay is an experienced speaker, has been instructing a variety of information security courses for the past 8 years, and had multiple appearances in international conferences, including Blackhat, Hacktivity, AppSecUSA and others.

 
Technical Level: Advanced

 

=== The ReFrameworker Android runtime manipulator – pentesting Android apps like a king ‎===
'''''Erez Metula, Application Security Expert, AppSec Labs (Founder)''''' 
([[Media:OWASP IL 2013 10 Erez Metula The ReFrameworker Android runtime manipulator.pdf|download presentation]])

ReFrameworker is a new exiting addition to the AppUse pentest VM which we just released at recent BlackHat USA, targeting Android applications. With ReFrameworker, we can manipulate Android applications to make our life as pentesters a lot more easier. Does the app you test insists to be used only for a particular IMEI or phone number? Or does it break on invalidated certificates when you try to SSL MitM it using a proxy? No problem! With ReFrameworker, you can just give a new behavior to any runtime method you'd like, like disabling verifications, controlling return values, and so on. Snooping on local SQL queries or encryption keys? ReFrameworker gives you a proxy for local variables so you can changes important or sensitive values on the fly.
The idea is that we'd built a new Android ROM for the sole purpose of pentesting Android apps, loaded with hooks at important places inside the Dalvik runtime. During this talk we'll witness the power of ReFrameworker, we'll learn how to use it, how it was implemented and how it can be extended.

 
Speaker Bio

Erez Metula Author of the book "Managed Code Rootkits", is a world renowned application security expert. Erez has extensive hands-on experience performing security assessments, code reviews and secure development trainings for worldwide organizations, and had previously talked at international security conferences such as BlackHat, Defcon, OWASP, RSA, SOURCE, CanSecWest and more. He is the founder of AppSec Labs, where he focuses on advanced application security topics. Erez holds an MSc in computer science and he is CISSP.

 
Technical Level: Advanced

 

=== A Game of Pwns: Pwning iPhone application security assessment using the iNalyzer framework ===
'''''Chilik Tamir, Chief Scientist, AppSec Labs'''''

iNalyzer is an open-source free to use pen-testing framework I have recently updated for BlackHat USA, targeting iPhone applications. In the following presentation I will present my latest research on a new approach to performing security assessments of iOS applications utilizing the iNalyzer. The presentation will include live demonstration of using iNalyzer to transform a tedious black-box penetration testing into an exciting gray-box effort.
The talk will cover some of the problems with testing iOS applications, and present a wider picture of the testing process for different applications using iNalyzer, from the point of view of the tester, and how to handle the difficulties that may ensue.
* You will learn how to utilize iNalyzer to bind the power of regular web vulnerability scanner - such as Zap, Burp or AppScan into the exciting world of iOS penetration testing.
* You will learn how to fill in the gaps and use iNalyzer in your IDA reversing effort when testing.
* You will learn how to manipulate iPhone applications to make our life as pen-testers a lot easier using iNalyzer.

 
Speaker Bio

Chilik Tamir is an information security expert with over two decades of experience in training, research, development, testing and consulting in the field of applicative information security for clients in the fields of finance, security, government offices and corporations. His latest research - the iOS iNalyzer is an open-source iOS application Penetration Testing Dashboard. Among his previous publications you will find AppUse – a testing environment for Android applications developed together with Erez Metula; Belch – an automatic tool for analysis and testing of binary protocols such as Flex and Java-Serialization; Chilik is an experienced security trainer and speaker with previous talks and training in security conferences such as BlackHat USA, HITB Amsterdam, OWASP Israel as well as training in cooperations such as Intel, HP, Cisco, Amdocs, Verint, RedBend and others. He is the Chief Scientist at AppSec Labs, where he acts as head of R&D and innovation. Chilik holds an Biomedical Engineering B.Sc. degree.

 
Technical Level: Advanced

 

=== Automatic trust based segregation for content providers on mobile devices ===
'''''Oren Poleg, IDC'''''

In this work we have designed and developed a modification to the Android Content Providers that allows us to impose access restrictions on the sensitive data items they contain (such as contacts, calendar events) .

We have developed lightweight solution that is compatible with the current Android design (so it can be easily integrated with the current Android implementation) that creates separation between different types of sensitive data, also separating them from the non-sensitive information in Android content providers. We allow the device owner to view the data in a unified manner, while 3rd party applications will be allowed access only to content created by them or that they were granted permission to view.

User interaction is not required for the security decisions. Instead, we are defining trust relationship between the data and the applications, in which the owner of the data can delegate access permissions to the applications.

This approach will enable organization to store sensitive information on the device content providers, allow the user to easily access it from the organizational applications as well as from system applications while preventing its leakage through other 3rd party applications
While developed for Android, the concept can be implemented on other mobile devices, such as iPhone and Windows Phone.

 
Speaker Bio

Oren Poleg is a mobile platforms expert, with more than 10 years in the mobile platforms space.
As a team leader in (the Former) Sun Microsystems, Oren was responsible to the integration of Java VM into mobile devices, later to be followed with and research of smart phone infrastructures
Currently Oren is a working as a Consultant, dealing with Android Devices, Smart TVs and Network Security.

 
Technical Level: Intermediate/Advanced

 
= Track B =

=== Web Application Forensics ===
'''''Renana Friedlich, Forensic Department Leader, Ernst and Young (Hacktics)'''''

Most organizations are not aware of successful application-level attacks, until it's too late.
Application penetration tests don't provide information on attacks that ALREADY occurred, on attacks are CURRENTLY in progress, on failed attempts, or even on the actual impact.
Organizations usually rely on security products such as WAF and IDS to locate hacking incidents, but what about attacks that slipped pass the WAF?
What about attacks with a pattern that the IDS did not recognize? What about organizations that implemented these products too late, or not at all?
That's where Web Application Proactive Forensics comes in - A collection of detailed methodologies for locating evidence of attacks that were performed and/or exploited, including attacks listed in OWASP testing guide, WASC and CWE.

 
Speaker Bio

Renana Friedlich is the Forensic Department Leader at Hacktics, an advanced security center of EY. Renana specializes in forensic investigations, developing incident response, malware assessments, and escorting start-up companies in implementing forensic methodologies into their products.
Prior to working at Hacktics, she served at the intelligence corps for seven years, and has over nine years of experience in the information security field.
In recent years, Renana was a frequent speaker in the government sector and had multiple appearances in public conferences, including OWASP, annual risk management conferences, and universities. She also regularly instructs forensic and incident response courses in universities and clients from various industries.

 
Technical Level: Intermediate

 

=== STDD - The protection you REALLY need ===
''''' Nir Valtman, R&D CSO, Retalix ''''' 
''''' Alex Linder, Solution Architect, Retalix ''''' 
([[Media:OWASP_IL_2013_10_Nir_Valtman_STDD.pdf|download presentation]])‎

Today in the agile world, many streams based on Acceptance Test Driven Development (ATDD). In this presentation we are going to demonstrate how to reuse this concept in context of security. In addition, this presentation includes common scenarios from attacker's point of view as well as the defender should think. Needless to mention, we have many demos...

 
Speaker Bio

Nir is employed in Retalix as R&D CSO. Before this position he worked as chief security architect, senior technology consultant, application security consultant, system security consultant and a technological trainer. As part of his positions, Nir didn't only consulting, but also performed hands-on activities in various fields, e.g. hardening, penetration testing and development for personal\internal applications. 
Nir has a BSc in computer science but his knowledge is based mainly on cowboy learning and information sharing with the techno-oriented communities. 
Blog: http://www.valtman.org

Alex is a technology geek, likes to research and play with new stuff. Alex is a highly experienced Solution Architect specializing in Software, middleware and APIs. 
Alex has more than 14 years of experience and performed vast roles in the Israeli market such as VP Professional services, Group manager, Solution Architect, Dev team leader and Senior consultant. 
Currently working as a solution architect of large scale R&D firm with cutting edge technologies. 
Blog: http://linderalex.blogspot.co.il/

 
Technical Level: Intermediate / Advanced

 

=== Spam, Death Threats, and Other Abuses of Online Communities ===
'''''Avi Douglen, Security Architect, Independant''''' 
([[Media:OWASP_IL_2013_10_Avi_Douglan_Spam-DeathThreats-Abuse-OnlineCommunities.pdf‎|download presentation]])‎

Many contemporary websites are based on so-called “User Generated Content” (aka UGC). Furthermore, many sites oriented around a community of users enable users to interact with each other, via the site. Sites like Wikipedia and StackOverflow allow users to freely edit pages visible to all users, popular discussion forums are based on continuous postings of content by users, and social networks such as Facebook encourage users to constantly add their own rich data to the site for others’ consumption.

Aside from the usual web attacks common to all user input on websites, such as XSS and SQL Injection, there are some forms of attacks or abuse that are specific to sites such as these. Some of them are purely technical, some of them are social in nature and just take advantage of the available technology. These are often exacerbated by the scope and huge amount of traffic to these sites, and take advantage of the network effect.

The talk will be based in a large part on the speaker’s experience on the Stack Exchange network of sites, but will also compare to the models prevalent on other popular sites. We will discuss some of the aspects particular to these platforms, and show how even the more “boring” of these attacks can sometimes be interesting depending on the situation. We will also see some of the stranger happenings that occur on a large site. Finally, we will discuss and compare some of the different models that these huge websites use to limit the damage.
We will of course focus on what is both these sites’ biggest weakness, and greatest strength - the community.

 
Speaker Bio

Avi Douglen had a CISSP before it was popular, but he is not a hipster. Avi is a high-end, independent security architect and developer, and has been designing, developing and testing secure applications, and leading development teams in building secure products, for over 15 years. Avi is also a Community Moderator (volunteer basis) on Stack Exchange’s fantastic Information Security site (http://security.stackexchange.com), sister site to Stack Overflow. As a moderator, and as an active user on several other Stack Exchange sites, he has spent a lot of time handling these types of attacks, and has had the opportunity to see up close, what works, what doesn’t, and what can scale to millions of users.

 
Technical Level: Introductory

 

=== Delivering Security in Continuous Delivery Environment ‎===
''''' Yaniv Simsolo, Senior Consultant, Comsec Consulting''''' 
([[Media:OWASP IL 2013 10 Yaniv Simsolo Delivering Security in CD Environments.pdf|download presentation]])

Moving from traditional development environment to Agile environment, creates many a challenge to the security of the organization and developed system. Moving from Agile development environment towards Continuous Delivery environment ups the stakes.
We will venture in to the challenges of delivering security in Continuous Delivery environment, and test whether in-depth security is achievable.
Relying on industry evidences, a unique approach to the evolvement of security under Continuous Delivery development environment will be presented.

 
Speaker Bio

Yaniv Simsolo, CISSP, Senior IT Security Professional. A consultant in application security from 2004, and an expert of security of compound and enterprise scale systems.

 
Technical Level: Intermediate

 

=== Designing a national defense strategy for DDoS applications and volume attacks ===
'''''Mirit Kagarlitsky, Head of System Analysis, Israeli National Cyber Bureau '''''

DDoS attacks exploit vulnerabilities in different protocol stack layers, from the application layer and downward. These attacks undermine the availability of various services, some of which transcend the local interest of the compromised organization, bearing broader consequences.
Designing a national defense strategy for DDoS attacks has advantages, since the state has both the interest and the capacity to devise large-scale technological solutions of security from targeted attacks on critical services as well as from cumulative damage in this realm. The problem is that there is a wide spectrum of solutions and possible network locations for state intervention: services entry point, ISPs, cloud-based approaches and more; every solution should be analyzed from a national standpoint.
Our work examines when and where should the state take action in the realm, ranging from the individual organization to the ISP level. We also suggest how its accumulated benefit should be assessed in order to evaluate the overall effectiveness of the national strategy.

 
Speaker Bio

Mirit Kagarlitsky holds a B.Sc. in physics and mathematics from the Hebrew University in Jerusalem and is in the process of completion of M.Sc. in Statistics from Tel Aviv University. She has vast experience with operations research and system analysis in various fields, as an analyst and as a team leader. Today she work as the head of system analysis in the Israeli National Cyber Bureau.

 
Technical Level: Introduction

 

=== Enhancing Web Application Defense Using Big Data ===
''''' Or Katz, Principal Security Researcher, Akamai Technologies '''''

In recent years Big Data has become a commonly used technology in many products, in this presentation I will unveil practical examples on how we can improve web application defenses by using Big Data. Using Big Data enables us to combine web application filter triggers from multiple data sources. Big data analysis contributes to the improvement and enhances defense tactics. In this presentation I will show some examples such as:
* SQLi – detecting malicious users and their level of maliciousness
* Web Scraping – expose scrapers that fly under the radar and what is their target information
* False positives reduction – using Big Data in order to learn how to tune your configuration

 
Speaker Bio

Or Katz has vast expertise in Web Application Firewall technology, working in market leading web application firewall vendors as a web application security researcher.
Mr. Katz is a board member in OWASP Israel chapter, frequent speaker in the chapter conferences and he was also responsible for leading the OWASP Top 10 Hebrew translation project.
Mr. Katz also published several innovative white papers on web applications defensive techniques.

 
Technical Level: Intermediate

 

=== From Obscurity to Pop Culture - Evolution of Application Security ([[Media:OWASP_IL_2013_10_Irene_Abezgauz_Evolution_of_Application_Security.pdf‎|download presentation]])‎===
''''' Irene Abezgauz, VP Product Management, Quotium'''''

In 1998 the New York Times website was hacked. According to various news sources, the site underwent a thorough security test just two years before and at that point it became clear that 'it might not be sufficient'. Fifteen years later, application security trends talk about APTs, Agile SDLCs and Security Products being commoditized.
In this lecture we review the evolution of application security in the past decade and a half. Examining technology and aspects of security management from the early days of OWASP foundation to present day mobile application security testing as part of the development lifecycle.

 
Speaker Bio

Irene has ten years of experience in information and application security. Focused on application security penetration testing and research she is a builder and breaker of things. She is the Product Manager of Seeker™, the new generation of automatic application security testing, and head of security research activities at Seeker Security (Quotium). Ms. Abezgauz has discovered numerous vulnerabilities and published advisories related to products of leading vendors.

 
Technical Level: Introduction

File:OWASP IL 2013 10 Adi Sharabani Mobile Threats.pdf

2013-10-07T16:04:08Z

Oshezaf:

OWASP Israel 2013

2013-10-03T12:37:35Z

Oshezaf: /* Location and Time */

== Location and Time ==

The 2013 annual OWASP AppSec Israel conference was held at the Interdisciplinary Center in Herzliya (IDC) on October 1st, in the Efi Arazi school of Computer Science. With around 450 participants it was a huge and impressive success!

Thanks for participation in the event. Use the [[OWASP_Israel_2013_Presentations|presentations info page]] to download presentations

The conference is sponsored by:

{{Template:OWASP_IL_2013_Sponsors}}

For further details contact Avi Douglen (douglen at hotmail.com)

== Agenda ==

{{Template:OWASP_IL_2013_Agenda}}

== The people behind the conference ==

OWASP Israel is made by the people who contribute their time and brain to its success. The following people are working to ensure that OWASP Israel 2013 is a success. If you feel that you also can contribute or have interesting ideas regarding the conference, don't hesitate to contact me.

=== Contributors ===

*Avi Douglen (Independent)
*Or Katz (Akamai)
*Ory Segal (Akamai)
*Ofer Maor (Quotium)
*Itzik Kotler (Independent)
*Dr. Anat Bremler-Barr (Interdisciplinary Center Herzliya)

[[Category:Israel]] [[Category:OWASP_Israel_2013]]

OWASP Israel 2013

2013-10-03T12:36:35Z

Oshezaf: /* Registration */

== Location and Time ==

The 2013 annual OWASP AppSec Israel conference will be held at the Interdisciplinary Center in Herzliya (IDC) on October 1st, in the Efi Arazi school of Computer Science.

The conference is sponsored by:

{{Template:OWASP_IL_2013_Sponsors}}

For further details contact Avi Douglen (douglen at hotmail.com)

Thanks for participation in the event. With around 450 participants it was a huge and impressive success!

Use the [[OWASP_Israel_2013_Presentations|presentations info page]] to download presentations

== Agenda ==

{{Template:OWASP_IL_2013_Agenda}}

== The people behind the conference ==

OWASP Israel is made by the people who contribute their time and brain to its success. The following people are working to ensure that OWASP Israel 2013 is a success. If you feel that you also can contribute or have interesting ideas regarding the conference, don't hesitate to contact me.

=== Contributors ===

*Avi Douglen (Independent)
*Or Katz (Akamai)
*Ory Segal (Akamai)
*Ofer Maor (Quotium)
*Itzik Kotler (Independent)
*Dr. Anat Bremler-Barr (Interdisciplinary Center Herzliya)

[[Category:Israel]] [[Category:OWASP_Israel_2013]]

OWASP Israel 2013 Presentations

2013-10-03T12:34:50Z

Oshezaf: /* From Obscurity to Pop Culture - Evolution of Application Security */

= Keynote =

=== Why Are Investors Excited About Cyber Security Startups, Again?‎ ===
'''''Ron Moritz, Consigliere on Venture Strategies, Issues and Trends''''' 
([[media:OWASP_IL_2013_10_OWASP_Ron_Moritz_Why_Are_Investors_Excited_About_Cyber_Security_Startups.pdf‎|download presentation]])

Ron will speak about the current state of security startups, the current crop of security problems being solved by startups, and the trends of what solutions investment capital is looking to support.

The Keynote will be in English.

 
Speaker Bio

Ron Moritz is a well-regarded executive with over twenty-five years of broad operational and strategy experience from premier technology companies such as Microsoft (GM, Forefront), Symantec (SVP & CTO), and Computer Associates (SVP, Security Products Business Unit), where he was a member of each company's distinguished corporate or divisional leadership teams.

Having advised C-level executives, boards of directors, venture capitalists and private equity firms on value-creation activities including new markets, acquisition and divestiture strategy, global sourcing of labor, major technology decisions, and eco-system development, Mr. Moritz brings a unique point of view at the intersection of technology, strategy, global markets and finance.

Ron is currently a partner in Aura Coffee, a third-wave coffee roasting company based in Modiin; a member of the Fireblade board of directors; and a mentor Jerusalem-based crowd-funding leader, OurCrowd.

 

= Plenary Sessions =

=== Evolution of online banking attack techniques ===
'''''Amit Klein, CTO, Trusteer'''''

I will survey the evolution of attack techniques against online banking since the mid-2000s till today. This starts with keylogging malware, moves over to screenshooting malware, and finally gets to HTML injection malware (the “Man in the Browser” concept). I will then show several examples of the power of MitB attacks, especially when combined with social engineering, and how this can overcome many security measures such as two-factor authentication and transaction verification.

 
Speaker Bio

As Trusteer’s CTO, Amit Klein manages the company’s security research. Prior to Trusteer, Mr. Klein was Chief Scientist at Cyota Inc. (acquired by RSA Security), a leading provider of layered authentication solutions. In this role, Mr. Klein researched technologies that prevent online fraud, phishing, and pharming and filed several patents in those areas. Prior to this, Mr. Klein worked as Director of Security and Research at Sanctum, Inc. (acquired by Watchfire), where he was responsible for the security architecture of all Sanctum products. Mr. Klein holds a B.Sc. (cum laude) in Mathematics and Physics.
Mr. Klein is a world-renowned security researcher, having published more than thirty articles, papers and technical notes on the topic of Internet security. He was named CTO of the Year by InfoWorld Magazine and has presented at many prestigious conferences including RSA, FSISAC, OWASP and CertConf.

 
Technical Level: Intermediate

 

=== Your mobile device in the service of the malicious hacker (Live Demo) ===
''''' Adi Sharabani, CEO, Skycure '''''

We all developed natural instincts when it comes to protecting our physical space. We all know to look to the sides before crossing the road, and we all have some capabilities to assess current risks and make decisions accordingly. However, when it comes to using our mobile devices in the cyber era, these instincts have not yet evolved. People and organizations are at risk, and do not have an understanding how to assess or mitigate them. On top of that, current protection solutions provide inadequate protection against these threats. The organizational need to support mobile devices for business related activity created a huge gap in securing the organization. Adi Sharabani's keynote will highlight some of these threats via a live demonstration of a mobile hacking activity. The audience will be able to opt in for the demo, reflecting how easy it is for a hacker to hack into remote devices.

 
Speaker Bio

Mr. Adi Sharabani is a world-class security expert and the CEO of Skycure, a start-up that focuses on providing firewall solutions for mobile devices. Formerly, Adi led the security of IBM software products. He came to IBM through the Watchfire acquisition, a start-up company which was a pioneer in the field of application security. Among his roles, Adi built and led the Watchfire’s security group. Adi has written many patents in the security space, and his works have been presented in many known conferences such as BlackHat, RSA, OWASP, Innovate, Herzliya Conference and many more; his presentations and keynotes are constantly being ranked as best presentations of most conferences he presents at. Adi is also a fellow at Prof. Yuval Ne’eman’s workshop. In his spare time, Adi teaches at Ohel-Shem high school, and is a part of the vision and implementation of the cyber-defense curriculum for high school students, a vision that is now being implemented in Israel.

 
Technical Level: Introduction

 
= Track A =

=== Get Ready for the Next Big Wave of Attacks: Hacking of Leading CMS Systems ===
'''''Maty Siman, CTO, Checkmarx'''''

The flow of this talk is given by – you! Before this talk, we emailed the audience to provide us with their favorite WordPress plugins that they would like to test for security. In a live demo, we assess the security of the requested plugins. Previous similar trials that we performed on WordPress showed that 30% of the top 50 most downloaded plugins were vulnerable to common Web attacks. What will be the results of this experiment?

As we’ll continue to show, assessing the security posture of a plugin is only the hacker’s first step in mass attacks. As opposed to past mass SQL Injection attacks which leveraged tools such as SQLMap, these next wave of attacks do not focus on the site’s platform or customized development code. Rather, these attacks leverage on the increasing popularity of CMS platforms such as WordPress and Joomla. The maturity, prevalence and market penetration of CMS platforms allow any marketing, sales or HR individual to easily set up their own fully-operational site. Accordingly, CMS apps are flourishing – and so are the vulnerabilities in these apps.

 
Speaker Bio

Maty is the CTO and founder of Checkmarx. Maty has more than a decade of experience in software development, IT security and source-code analysis. An authoritative figure in application security, Maty is regularly interviewed by the media on security-breaking news and frequently speaks at various IT security conferences. Prior to founding Checkmarx, Maty worked for two years at the Israeli Prime Minister’s Office as a senior IT security expert and project manager. Prior to that, he spent six years with the Israeli Defense Forces (IDF), where he established and led a development team in the IDF’s Information Security Center.

 
Technical Level: Intermediate

 

=== Utilizing Popular Websites for Malicious Purposes Using RDI ===
'''''Daniel Chechik, Security Researcher, Trustwave SpiderLabs''''' 
'''''Anat Davidi, Security Researcher, Trustwave SpiderLabs''''' 
([[Media:OWASP IL 2013 10 Chechik Davidi Utilizing Popular Websites for Malicious Purposes Using RDI.pdf|download presentation]])‎

Reflected DOM Injection is a new attack vector first presented at the DefCon 21 conference in July. We will explain the technique and show a live demo where we use it to hide malicious code within popular and trusted websites. For those of you who are interested in RDI but couldn’t make it to DefCon, we are bringing the talk to you!

The introduction of this session will briefly review the struggle between malicious websites and security products. We will explain the issues of hosting a malicious website and the techniques security vendors use in order to block them.
We will then present our new technique to avoid detection and proceed to explain all parts of it in-depth. A full demo of the attack from beginning to end will be included.
common and known services published by popular websites will be used in order to dynamically construct an attack hosted for us by these services.
Finally, we will add a layer of defense to our attack, and generate malicious code which will become practically invisible to dynamic analysis engines and thus evade most of today's security engines and technologies.

 
Speaker Bio

Daniel Chechik is a veteran security researcher at Trustwave's SpiderLabs. Among other things, he specializes in malware analysis, web exploits detection, Trojan and botnet detection and neutralizing and defining security requirements for the Secure Web Gateway product.
Prior to that, Daniel served in a technological unit as a security specialist in the IDF. During the service, Daniel specialized in CheckPoint Firewall equipment, AntiVirus products and other IT security products.
Daniel, among other things, has spoken at the RSA conference, DefCon, holds CEH and CCSE certificates and has a patent pending for 'Detecting Malware Communication on an Infected Computing Device'.

Anat Davidi is a security researcher at Trustwave's SpiderLabs. Her role includes vulnerability analysis, malware analysis and developing detection logic for the Secure Web Gateway product.
Prior to that, Anat worked as a security consultant providing security reviews and penetration tests for organizations in various business sectors, ranging from banks and insurance companies to hi-tech corporations. Amongst other things, Anat has spoken at the RSA conference, DefCon.

 
Technical Level: Intermediate

 

=== Invisibility Purge - Manipulating Properties Of Invisible & Dormant Asp.Net Controls‎ ===
'''''Shay Chen, CTO, Ernst & Young (Hacktics)''''' 
([[Media:OWASP IL 2013 10 Shay Chen Invisible Purge.pdf|download presentation]])

Server-Side Web Controls became popular components in modern web application frameworks.
In addition to the development benefits of these components provide, they are also protected using a variety of security mechanisms, including digital signatures, content access restrictions and even invisibility.
However, developers that use these components improperly can expose the application to a variety of different attacks that can be executed despite, and sometimes due to the existence of security mechanisms.
The presentation will demonstrate several new methods that attackers can harness to bypass security mechanism, manipulate server control properties and identify, enumerate and activate events of dormant server web controls, in popular platforms such as ASP.Net, JSF and Mono.

 
Speaker Bio

Shay Chen is the CTO of Hacktics, an advanced security center of Ernst & Young.

As a victim of the law of familiarity, a decade of exposure to common vulnerabilities was enough to shift his focus to abnormal hacking methodologies and new attack vectors.

He is also a prominent blogger and researcher, and is responsible for many security publications, including new application-level attacks, testing methodologies and open source projects.
As the co-author of the platforms "Diviner", "SCIP" and "WAVSEP" he was involved in the publication of several large-scale researches in the field of automated security scanners.

Shay is an experienced speaker, has been instructing a variety of information security courses for the past 8 years, and had multiple appearances in international conferences, including Blackhat, Hacktivity, AppSecUSA and others.

 
Technical Level: Advanced

 

=== The ReFrameworker Android runtime manipulator – pentesting Android apps like a king ‎===
'''''Erez Metula, Application Security Expert, AppSec Labs (Founder)''''' 
([[Media:OWASP IL 2013 10 Erez Metula The ReFrameworker Android runtime manipulator.pdf|download presentation]])

ReFrameworker is a new exiting addition to the AppUse pentest VM which we just released at recent BlackHat USA, targeting Android applications. With ReFrameworker, we can manipulate Android applications to make our life as pentesters a lot more easier. Does the app you test insists to be used only for a particular IMEI or phone number? Or does it break on invalidated certificates when you try to SSL MitM it using a proxy? No problem! With ReFrameworker, you can just give a new behavior to any runtime method you'd like, like disabling verifications, controlling return values, and so on. Snooping on local SQL queries or encryption keys? ReFrameworker gives you a proxy for local variables so you can changes important or sensitive values on the fly.
The idea is that we'd built a new Android ROM for the sole purpose of pentesting Android apps, loaded with hooks at important places inside the Dalvik runtime. During this talk we'll witness the power of ReFrameworker, we'll learn how to use it, how it was implemented and how it can be extended.

 
Speaker Bio

Erez Metula Author of the book "Managed Code Rootkits", is a world renowned application security expert. Erez has extensive hands-on experience performing security assessments, code reviews and secure development trainings for worldwide organizations, and had previously talked at international security conferences such as BlackHat, Defcon, OWASP, RSA, SOURCE, CanSecWest and more. He is the founder of AppSec Labs, where he focuses on advanced application security topics. Erez holds an MSc in computer science and he is CISSP.

 
Technical Level: Advanced

 

=== A Game of Pwns: Pwning iPhone application security assessment using the iNalyzer framework ===
'''''Chilik Tamir, Chief Scientist, AppSec Labs'''''

iNalyzer is an open-source free to use pen-testing framework I have recently updated for BlackHat USA, targeting iPhone applications. In the following presentation I will present my latest research on a new approach to performing security assessments of iOS applications utilizing the iNalyzer. The presentation will include live demonstration of using iNalyzer to transform a tedious black-box penetration testing into an exciting gray-box effort.
The talk will cover some of the problems with testing iOS applications, and present a wider picture of the testing process for different applications using iNalyzer, from the point of view of the tester, and how to handle the difficulties that may ensue.
* You will learn how to utilize iNalyzer to bind the power of regular web vulnerability scanner - such as Zap, Burp or AppScan into the exciting world of iOS penetration testing.
* You will learn how to fill in the gaps and use iNalyzer in your IDA reversing effort when testing.
* You will learn how to manipulate iPhone applications to make our life as pen-testers a lot easier using iNalyzer.

 
Speaker Bio

Chilik Tamir is an information security expert with over two decades of experience in training, research, development, testing and consulting in the field of applicative information security for clients in the fields of finance, security, government offices and corporations. His latest research - the iOS iNalyzer is an open-source iOS application Penetration Testing Dashboard. Among his previous publications you will find AppUse – a testing environment for Android applications developed together with Erez Metula; Belch – an automatic tool for analysis and testing of binary protocols such as Flex and Java-Serialization; Chilik is an experienced security trainer and speaker with previous talks and training in security conferences such as BlackHat USA, HITB Amsterdam, OWASP Israel as well as training in cooperations such as Intel, HP, Cisco, Amdocs, Verint, RedBend and others. He is the Chief Scientist at AppSec Labs, where he acts as head of R&D and innovation. Chilik holds an Biomedical Engineering B.Sc. degree.

 
Technical Level: Advanced

 

=== Automatic trust based segregation for content providers on mobile devices ===
'''''Oren Poleg, IDC'''''

In this work we have designed and developed a modification to the Android Content Providers that allows us to impose access restrictions on the sensitive data items they contain (such as contacts, calendar events) .

We have developed lightweight solution that is compatible with the current Android design (so it can be easily integrated with the current Android implementation) that creates separation between different types of sensitive data, also separating them from the non-sensitive information in Android content providers. We allow the device owner to view the data in a unified manner, while 3rd party applications will be allowed access only to content created by them or that they were granted permission to view.

User interaction is not required for the security decisions. Instead, we are defining trust relationship between the data and the applications, in which the owner of the data can delegate access permissions to the applications.

This approach will enable organization to store sensitive information on the device content providers, allow the user to easily access it from the organizational applications as well as from system applications while preventing its leakage through other 3rd party applications
While developed for Android, the concept can be implemented on other mobile devices, such as iPhone and Windows Phone.

 
Speaker Bio

Oren Poleg is a mobile platforms expert, with more than 10 years in the mobile platforms space.
As a team leader in (the Former) Sun Microsystems, Oren was responsible to the integration of Java VM into mobile devices, later to be followed with and research of smart phone infrastructures
Currently Oren is a working as a Consultant, dealing with Android Devices, Smart TVs and Network Security.

 
Technical Level: Intermediate/Advanced

 
= Track B =

=== Web Application Forensics ===
'''''Renana Friedlich, Forensic Department Leader, Ernst and Young (Hacktics)'''''

Most organizations are not aware of successful application-level attacks, until it's too late.
Application penetration tests don't provide information on attacks that ALREADY occurred, on attacks are CURRENTLY in progress, on failed attempts, or even on the actual impact.
Organizations usually rely on security products such as WAF and IDS to locate hacking incidents, but what about attacks that slipped pass the WAF?
What about attacks with a pattern that the IDS did not recognize? What about organizations that implemented these products too late, or not at all?
That's where Web Application Proactive Forensics comes in - A collection of detailed methodologies for locating evidence of attacks that were performed and/or exploited, including attacks listed in OWASP testing guide, WASC and CWE.

 
Speaker Bio

Renana Friedlich is the Forensic Department Leader at Hacktics, an advanced security center of EY. Renana specializes in forensic investigations, developing incident response, malware assessments, and escorting start-up companies in implementing forensic methodologies into their products.
Prior to working at Hacktics, she served at the intelligence corps for seven years, and has over nine years of experience in the information security field.
In recent years, Renana was a frequent speaker in the government sector and had multiple appearances in public conferences, including OWASP, annual risk management conferences, and universities. She also regularly instructs forensic and incident response courses in universities and clients from various industries.

 
Technical Level: Intermediate

 

=== STDD - The protection you REALLY need ===
''''' Nir Valtman, R&D CSO, Retalix ''''' 
''''' Alex Linder, Solution Architect, Retalix ''''' 
([[Media:OWASP_IL_2013_10_Nir_Valtman_STDD.pdf|download presentation]])‎

Today in the agile world, many streams based on Acceptance Test Driven Development (ATDD). In this presentation we are going to demonstrate how to reuse this concept in context of security. In addition, this presentation includes common scenarios from attacker's point of view as well as the defender should think. Needless to mention, we have many demos...

 
Speaker Bio

Nir is employed in Retalix as R&D CSO. Before this position he worked as chief security architect, senior technology consultant, application security consultant, system security consultant and a technological trainer. As part of his positions, Nir didn't only consulting, but also performed hands-on activities in various fields, e.g. hardening, penetration testing and development for personal\internal applications. 
Nir has a BSc in computer science but his knowledge is based mainly on cowboy learning and information sharing with the techno-oriented communities. 
Blog: http://www.valtman.org

Alex is a technology geek, likes to research and play with new stuff. Alex is a highly experienced Solution Architect specializing in Software, middleware and APIs. 
Alex has more than 14 years of experience and performed vast roles in the Israeli market such as VP Professional services, Group manager, Solution Architect, Dev team leader and Senior consultant. 
Currently working as a solution architect of large scale R&D firm with cutting edge technologies. 
Blog: http://linderalex.blogspot.co.il/

 
Technical Level: Intermediate / Advanced

 

=== Spam, Death Threats, and Other Abuses of Online Communities ===
'''''Avi Douglen, Security Architect, Independant''''' 
([[Media:OWASP_IL_2013_10_Avi_Douglan_Spam-DeathThreats-Abuse-OnlineCommunities.pdf‎|download presentation]])‎

Many contemporary websites are based on so-called “User Generated Content” (aka UGC). Furthermore, many sites oriented around a community of users enable users to interact with each other, via the site. Sites like Wikipedia and StackOverflow allow users to freely edit pages visible to all users, popular discussion forums are based on continuous postings of content by users, and social networks such as Facebook encourage users to constantly add their own rich data to the site for others’ consumption.

Aside from the usual web attacks common to all user input on websites, such as XSS and SQL Injection, there are some forms of attacks or abuse that are specific to sites such as these. Some of them are purely technical, some of them are social in nature and just take advantage of the available technology. These are often exacerbated by the scope and huge amount of traffic to these sites, and take advantage of the network effect.

The talk will be based in a large part on the speaker’s experience on the Stack Exchange network of sites, but will also compare to the models prevalent on other popular sites. We will discuss some of the aspects particular to these platforms, and show how even the more “boring” of these attacks can sometimes be interesting depending on the situation. We will also see some of the stranger happenings that occur on a large site. Finally, we will discuss and compare some of the different models that these huge websites use to limit the damage.
We will of course focus on what is both these sites’ biggest weakness, and greatest strength - the community.

 
Speaker Bio

Avi Douglen had a CISSP before it was popular, but he is not a hipster. Avi is a high-end, independent security architect and developer, and has been designing, developing and testing secure applications, and leading development teams in building secure products, for over 15 years. Avi is also a Community Moderator (volunteer basis) on Stack Exchange’s fantastic Information Security site (http://security.stackexchange.com), sister site to Stack Overflow. As a moderator, and as an active user on several other Stack Exchange sites, he has spent a lot of time handling these types of attacks, and has had the opportunity to see up close, what works, what doesn’t, and what can scale to millions of users.

 
Technical Level: Introductory

 

=== Delivering Security in Continuous Delivery Environment ‎===
''''' Yaniv Simsolo, Senior Consultant, Comsec Consulting''''' 
([[Media:OWASP IL 2013 10 Yaniv Simsolo Delivering Security in CD Environments.pdf|download presentation]])

Moving from traditional development environment to Agile environment, creates many a challenge to the security of the organization and developed system. Moving from Agile development environment towards Continuous Delivery environment ups the stakes.
We will venture in to the challenges of delivering security in Continuous Delivery environment, and test whether in-depth security is achievable.
Relying on industry evidences, a unique approach to the evolvement of security under Continuous Delivery development environment will be presented.

 
Speaker Bio

Yaniv Simsolo, CISSP, Senior IT Security Professional. A consultant in application security from 2004, and an expert of security of compound and enterprise scale systems.

 
Technical Level: Intermediate

 

=== Designing a national defense strategy for DDoS applications and volume attacks ===
'''''Mirit Kagarlitsky, Head of System Analysis, Israeli National Cyber Bureau '''''

DDoS attacks exploit vulnerabilities in different protocol stack layers, from the application layer and downward. These attacks undermine the availability of various services, some of which transcend the local interest of the compromised organization, bearing broader consequences.
Designing a national defense strategy for DDoS attacks has advantages, since the state has both the interest and the capacity to devise large-scale technological solutions of security from targeted attacks on critical services as well as from cumulative damage in this realm. The problem is that there is a wide spectrum of solutions and possible network locations for state intervention: services entry point, ISPs, cloud-based approaches and more; every solution should be analyzed from a national standpoint.
Our work examines when and where should the state take action in the realm, ranging from the individual organization to the ISP level. We also suggest how its accumulated benefit should be assessed in order to evaluate the overall effectiveness of the national strategy.

 
Speaker Bio

Mirit Kagarlitsky holds a B.Sc. in physics and mathematics from the Hebrew University in Jerusalem and is in the process of completion of M.Sc. in Statistics from Tel Aviv University. She has vast experience with operations research and system analysis in various fields, as an analyst and as a team leader. Today she work as the head of system analysis in the Israeli National Cyber Bureau.

 
Technical Level: Introduction

 

=== Enhancing Web Application Defense Using Big Data ===
''''' Or Katz, Principal Security Researcher, Akamai Technologies '''''

In recent years Big Data has become a commonly used technology in many products, in this presentation I will unveil practical examples on how we can improve web application defenses by using Big Data. Using Big Data enables us to combine web application filter triggers from multiple data sources. Big data analysis contributes to the improvement and enhances defense tactics. In this presentation I will show some examples such as:
* SQLi – detecting malicious users and their level of maliciousness
* Web Scraping – expose scrapers that fly under the radar and what is their target information
* False positives reduction – using Big Data in order to learn how to tune your configuration

 
Speaker Bio

Or Katz has vast expertise in Web Application Firewall technology, working in market leading web application firewall vendors as a web application security researcher.
Mr. Katz is a board member in OWASP Israel chapter, frequent speaker in the chapter conferences and he was also responsible for leading the OWASP Top 10 Hebrew translation project.
Mr. Katz also published several innovative white papers on web applications defensive techniques.

 
Technical Level: Intermediate

 

=== From Obscurity to Pop Culture - Evolution of Application Security ([[Media:OWASP_IL_2013_10_Irene_Abezgauz_Evolution_of_Application_Security.pdf‎|download presentation]])‎===
''''' Irene Abezgauz, VP Product Management, Quotium'''''

In 1998 the New York Times website was hacked. According to various news sources, the site underwent a thorough security test just two years before and at that point it became clear that 'it might not be sufficient'. Fifteen years later, application security trends talk about APTs, Agile SDLCs and Security Products being commoditized.
In this lecture we review the evolution of application security in the past decade and a half. Examining technology and aspects of security management from the early days of OWASP foundation to present day mobile application security testing as part of the development lifecycle.

 
Speaker Bio

Irene has ten years of experience in information and application security. Focused on application security penetration testing and research she is a builder and breaker of things. She is the Product Manager of Seeker™, the new generation of automatic application security testing, and head of security research activities at Seeker Security (Quotium). Ms. Abezgauz has discovered numerous vulnerabilities and published advisories related to products of leading vendors.

 
Technical Level: Introduction

Category:Israel

2013-10-03T12:34:03Z

Oshezaf: /* Previous OWASP Israel Conferences and Meetings */

{{Chapter Template|chaptername=Israel|extra= 

The chapter leader is '''[mailto:douglen@hotmail.com Avi Douglen]'''.

* OWASP Israel Board:'''[mailto:ofer@shezaf.com Ofer Shezaf]''' (Chapter Founder), '''Avi Douglen''', '''Or Katz''',''' Adi Sharabani''',''' Ofer Maor''', '''Ory Segal''', '''Itzik Kotler'''
* [[OWASP_Top10_Hebrew|OWASP Top 10 Hebrew]]: Or Katz
* Homepage Maintenance: Ofer Shezaf, Ofer Maor
* Mailing List Management: Ofer Shezaf, Avi Douglen, Ofer Maor

|mailinglistsite=http://lists.owasp.org/mailman/listinfo/owasp-israel|emailarchives=http://lists.owasp.org/pipermail/owasp-israel}}

<paypal>Israel</paypal>

== OWASP Activity ==

* An annual conference, usually in September
* Periodical meetings. If you would like to host a meeting or speak in one contact [mailto:ofer.maor@owasp.org Ofer Maor] or [mailto:ofer@shezaf.com Ofer Shezaf].
* [[OWASP_Top10_Hebrew|OWASP Top 10 Hebrew translation]].
* Spreading the Word - Reaching out for more people, especially outside of the AppSec community.

If you have anything else on your mind, please speak up!

== OWASP Top 10 in Hebrew ==
The OWASP Top 10 was translated to Hebrew and is [[OWASP_Top10_Hebrew|available for download]].

== Previous OWASP Israel Conferences and Meetings ==

; '''[[OWASP_Israel_2013|OWASP Israel 2013]] Conference held on October 1st with approximately 450 participants!''' (Use the [[OWASP_Israel_2013_Presentations|presentations info page]] to download presentations)

; [[OWASP_Israel_2013_05|OWASP Israel May 2013]] was held at RSA on May 28th 2013 with 80 participants.

; [[OWASP_Israel_2013_02|OWASP Israel February 2013]] meeting was held at E&Y on February 12th 2013 ([[OWASP_ISRAEL_2013_02_Hebrew|Hebrew version]]).

;[[OWASP_Israel_2012|OWASP Israel 2012 conference]] Was held at the IDC on Sep 5th 2012.

;[[OWASP_Israel_2011|OWASP Israel 2011 Conference]] Was held in the IDC in Herzliya on Sep 15th 2011, with about 350 attendees.

;[[OWASP_Israel_2010|OWASP Israel 2010 Conference]] Was held in the IDC in Herzliya on Sep 6th 2010 with about 150 attendees.

;[[OWASP_Israel_2010_06|OWASP Israel Jun-2010]] meeting was held in IBM/Watchfire in Herzliya on Jun 22nd 2010.

;[[OWASP_Israel_2010_02|OWASP Israel Feb-2010]] meeting was held in Amdocs in Ra'anana on Feb 9th 2010 with over 70 attendees.

;[[OWASP_Israel_2010_01|OWASP Israel Jan-2010]] meeting was held in Breach Security in Herzliya on Jan 12th 2010 with over 60 attendees.

;[[OWASP_Israel_2009_12|OWASP Israel Dec-2009]] meeting was held in IBM/Watchfire in Herzliya in Dec 2009.

;[[OWASP_Israel_2009|OWASP Israel 2009]] conference was held at the Interdisciplinary Center Herzliya on Sunday, September 6th 2009.
: You can find the agenda and uploaded presentations [[OWASP_Israel_2009|here]].

; [[OWASP_Israel_2009_05|OWASP Israel May 2009 meeting]] was held at IBM in Park Azorim in Petach-Tikva on May 7th. The presentations were:
* Web-Based Man-in-the-Middle Attack, Adi Sharabani, IBM ([http://blog.watchfire.com/wfblog/2009/02/active-man-in-the-middle-attacks.html more info])
* Automation Attacks and Counter Measures, Ofer Shezaf, Xiom ([http://www.owasp.org/images/5/58/OWASP_Israel_-_May_2009_-_Ofer_Shezaf_-_Automation_Attacks.pdf presentation])
: [[OWASP_ISRAEL_2009_05_Hebrew|Full details in Hebrew]]

; [[OWASP_Israel_2009_03|OWASP Israel March 2009 meeting]] was held at the Tel-Aviv University on March 26th, with approximately 60 attendees. The presentations were:
* Securing cellular web applications, Mikko Saario, Founder, OWASP Finland, Security Architect, Large Telecom Solution Provider ([[Media:OWASP_Israel_-_March_2009_-_Mikko_Saario_-_Web_Application_Security_in_the_Mobile_World.pdf‎|download]])
* Real world implementation of a PCI DSS compliance key management, Yaron Hakon, [http://www.2bsecure.co.il 2bsecure] ([[Media:OWASP_Israel_-_March_2009_-_Yaron_Hakon_-_PCI_key_managment.pdf‎|download]])
* Detecting RFI attacks, Or Katz, [http://www.breach.com Breach Security] ([[Media:OWASP_Israel_-_March_2009_-_Or_Katz_-_RFI_detection.pdf‎|download]])
* WAFEC 2.0 - Do WAFs deliver?, Ofer Shezaf, [http://www.xiom.com Xiom] ([[Media:OWASP_Israel_-_March_2009_-_Ofer_Shezaf_-_Why_WAFs_fail.pdf‎|download]])
: [[OWASP_ISRAEL_2009_03_Hebrew|Full details in Hebrew]]

; [[OWASP_Israel_2009_01|OWASP Israel January 2009 meeting]] was held at Checkpoint on January 28th, with over a 100 people attending. The presentations were:
* Improving Web Application Firewall testing for better deployment in production network, Gregory Fresnais from BreakingPoint, visiting us from France ([[Media:OWASP_Israel_2009_01_Gregory_Fresnais_Measuring_WAF_Performance.pdf‎|download]])
* Web 2.0 Hacking, Nimrod Luria, Qrity ([[Media:OWASP_Israel_2009_01_Nimrod_Luria_Web_2.0_Security.pdf‎|download]])
* Wiki Security, Ofer Shezaf, Xiom ([http://www.xiom.com/research/wiki_security download])

; [[OWASP_Israel_2008_Conference_at_the_Interdisciplinary_Center_Herzliya|The OWASP Israel 2008 conference at the Interdisciplinary Center Herzliya (IDC)]] was held on September 14th with 250 attendees.

; OWASP Israel at the [http://www.idc.co.il/?showproduct=31108&content_lang=ENG IDC Security Road Show]
: OWASP sponsored the IDC Security Road Show event in Israel on June 3rd 2008. Thanks for Iris Lev-Ari and Tomer Teller for the help in the OWASP booth.

; [[OWASP_Israel_2007_Conference|OWASP Israel 2007 conference at the Interdisciplinary Center Herzliya (IDC)]]
: the 1st official OWASP conference in Israel, was held on Dec 3rd 2007 at the Interdisciplinary Center (IDC) Herzliya. The conference really set itself as an event you must come to if you have anything to do with application security. [ [http://picasaweb.google.com/oshezaf/OWASPIsrael2007 pictures from the conference]

[[Category:Middle East]]

File:OWASP IL 2013 10 Irene Abezgauz Evolution of Application Security.pdf

2013-10-03T12:31:48Z

Oshezaf:

OWASP Israel 2013 Presentations

2013-10-02T20:29:18Z

Oshezaf: /* Delivering Security in Continuous Delivery Environment */

= Keynote =

=== Why Are Investors Excited About Cyber Security Startups, Again? ([[media:OWASP_IL_2013_10_OWASP_Ron_Moritz_Why_Are_Investors_Excited_About_Cyber_Security_Startups.pdf‎|download presentation]])‎ ===
'''''Ron Moritz, Consigliere on Venture Strategies, Issues and Trends'''''

Ron will speak about the current state of security startups, the current crop of security problems being solved by startups, and the trends of what solutions investment capital is looking to support.

The Keynote will be in English.

 
Speaker Bio

Ron Moritz is a well-regarded executive with over twenty-five years of broad operational and strategy experience from premier technology companies such as Microsoft (GM, Forefront), Symantec (SVP & CTO), and Computer Associates (SVP, Security Products Business Unit), where he was a member of each company's distinguished corporate or divisional leadership teams.

Having advised C-level executives, boards of directors, venture capitalists and private equity firms on value-creation activities including new markets, acquisition and divestiture strategy, global sourcing of labor, major technology decisions, and eco-system development, Mr. Moritz brings a unique point of view at the intersection of technology, strategy, global markets and finance.

Ron is currently a partner in Aura Coffee, a third-wave coffee roasting company based in Modiin; a member of the Fireblade board of directors; and a mentor Jerusalem-based crowd-funding leader, OurCrowd.

 

= Plenary Sessions =

=== Evolution of online banking attack techniques ===
'''''Amit Klein, CTO, Trusteer'''''

I will survey the evolution of attack techniques against online banking since the mid-2000s till today. This starts with keylogging malware, moves over to screenshooting malware, and finally gets to HTML injection malware (the “Man in the Browser” concept). I will then show several examples of the power of MitB attacks, especially when combined with social engineering, and how this can overcome many security measures such as two-factor authentication and transaction verification.

 
Speaker Bio

As Trusteer’s CTO, Amit Klein manages the company’s security research. Prior to Trusteer, Mr. Klein was Chief Scientist at Cyota Inc. (acquired by RSA Security), a leading provider of layered authentication solutions. In this role, Mr. Klein researched technologies that prevent online fraud, phishing, and pharming and filed several patents in those areas. Prior to this, Mr. Klein worked as Director of Security and Research at Sanctum, Inc. (acquired by Watchfire), where he was responsible for the security architecture of all Sanctum products. Mr. Klein holds a B.Sc. (cum laude) in Mathematics and Physics.
Mr. Klein is a world-renowned security researcher, having published more than thirty articles, papers and technical notes on the topic of Internet security. He was named CTO of the Year by InfoWorld Magazine and has presented at many prestigious conferences including RSA, FSISAC, OWASP and CertConf.

 
Technical Level: Intermediate

 

=== Your mobile device in the service of the malicious hacker (Live Demo) ===
''''' Adi Sharabani, CEO, Skycure '''''

We all developed natural instincts when it comes to protecting our physical space. We all know to look to the sides before crossing the road, and we all have some capabilities to assess current risks and make decisions accordingly. However, when it comes to using our mobile devices in the cyber era, these instincts have not yet evolved. People and organizations are at risk, and do not have an understanding how to assess or mitigate them. On top of that, current protection solutions provide inadequate protection against these threats. The organizational need to support mobile devices for business related activity created a huge gap in securing the organization. Adi Sharabani's keynote will highlight some of these threats via a live demonstration of a mobile hacking activity. The audience will be able to opt in for the demo, reflecting how easy it is for a hacker to hack into remote devices.

 
Speaker Bio

Mr. Adi Sharabani is a world-class security expert and the CEO of Skycure, a start-up that focuses on providing firewall solutions for mobile devices. Formerly, Adi led the security of IBM software products. He came to IBM through the Watchfire acquisition, a start-up company which was a pioneer in the field of application security. Among his roles, Adi built and led the Watchfire’s security group. Adi has written many patents in the security space, and his works have been presented in many known conferences such as BlackHat, RSA, OWASP, Innovate, Herzliya Conference and many more; his presentations and keynotes are constantly being ranked as best presentations of most conferences he presents at. Adi is also a fellow at Prof. Yuval Ne’eman’s workshop. In his spare time, Adi teaches at Ohel-Shem high school, and is a part of the vision and implementation of the cyber-defense curriculum for high school students, a vision that is now being implemented in Israel.

 
Technical Level: Introduction

 
= Track A =

=== Get Ready for the Next Big Wave of Attacks: Hacking of Leading CMS Systems ===
'''''Maty Siman, CTO, Checkmarx'''''

The flow of this talk is given by – you! Before this talk, we emailed the audience to provide us with their favorite WordPress plugins that they would like to test for security. In a live demo, we assess the security of the requested plugins. Previous similar trials that we performed on WordPress showed that 30% of the top 50 most downloaded plugins were vulnerable to common Web attacks. What will be the results of this experiment?

As we’ll continue to show, assessing the security posture of a plugin is only the hacker’s first step in mass attacks. As opposed to past mass SQL Injection attacks which leveraged tools such as SQLMap, these next wave of attacks do not focus on the site’s platform or customized development code. Rather, these attacks leverage on the increasing popularity of CMS platforms such as WordPress and Joomla. The maturity, prevalence and market penetration of CMS platforms allow any marketing, sales or HR individual to easily set up their own fully-operational site. Accordingly, CMS apps are flourishing – and so are the vulnerabilities in these apps.

 
Speaker Bio

Maty is the CTO and founder of Checkmarx. Maty has more than a decade of experience in software development, IT security and source-code analysis. An authoritative figure in application security, Maty is regularly interviewed by the media on security-breaking news and frequently speaks at various IT security conferences. Prior to founding Checkmarx, Maty worked for two years at the Israeli Prime Minister’s Office as a senior IT security expert and project manager. Prior to that, he spent six years with the Israeli Defense Forces (IDF), where he established and led a development team in the IDF’s Information Security Center.

 
Technical Level: Intermediate

 

=== Utilizing Popular Websites for Malicious Purposes Using RDI ([[Media:OWASP IL 2013 10 Chechik Davidi Utilizing Popular Websites for Malicious Purposes Using RDI.pdf|download presentation]])‎===
'''''Daniel Chechik, Security Researcher, Trustwave SpiderLabs''''' 
'''''Anat Davidi, Security Researcher, Trustwave SpiderLabs'''''

Reflected DOM Injection is a new attack vector first presented at the DefCon 21 conference in July. We will explain the technique and show a live demo where we use it to hide malicious code within popular and trusted websites. For those of you who are interested in RDI but couldn’t make it to DefCon, we are bringing the talk to you!

The introduction of this session will briefly review the struggle between malicious websites and security products. We will explain the issues of hosting a malicious website and the techniques security vendors use in order to block them.
We will then present our new technique to avoid detection and proceed to explain all parts of it in-depth. A full demo of the attack from beginning to end will be included.
common and known services published by popular websites will be used in order to dynamically construct an attack hosted for us by these services.
Finally, we will add a layer of defense to our attack, and generate malicious code which will become practically invisible to dynamic analysis engines and thus evade most of today's security engines and technologies.

 
Speaker Bio

Daniel Chechik is a veteran security researcher at Trustwave's SpiderLabs. Among other things, he specializes in malware analysis, web exploits detection, Trojan and botnet detection and neutralizing and defining security requirements for the Secure Web Gateway product.
Prior to that, Daniel served in a technological unit as a security specialist in the IDF. During the service, Daniel specialized in CheckPoint Firewall equipment, AntiVirus products and other IT security products.
Daniel, among other things, has spoken at the RSA conference, DefCon, holds CEH and CCSE certificates and has a patent pending for 'Detecting Malware Communication on an Infected Computing Device'.

Anat Davidi is a security researcher at Trustwave's SpiderLabs. Her role includes vulnerability analysis, malware analysis and developing detection logic for the Secure Web Gateway product.
Prior to that, Anat worked as a security consultant providing security reviews and penetration tests for organizations in various business sectors, ranging from banks and insurance companies to hi-tech corporations. Amongst other things, Anat has spoken at the RSA conference, DefCon.

 
Technical Level: Intermediate

 

=== Invisibility Purge - Manipulating Properties Of Invisible & Dormant Asp.Net Controls ([[Media:OWASP IL 2013 10 Shay Chen Invisible Purge.pdf|download presentation]])‎ ===
'''''Shay Chen, CTO, Ernst & Young (Hacktics)'''''

Server-Side Web Controls became popular components in modern web application frameworks.
In addition to the development benefits of these components provide, they are also protected using a variety of security mechanisms, including digital signatures, content access restrictions and even invisibility.
However, developers that use these components improperly can expose the application to a variety of different attacks that can be executed despite, and sometimes due to the existence of security mechanisms.
The presentation will demonstrate several new methods that attackers can harness to bypass security mechanism, manipulate server control properties and identify, enumerate and activate events of dormant server web controls, in popular platforms such as ASP.Net, JSF and Mono.

 
Speaker Bio

Shay Chen is the CTO of Hacktics, an advanced security center of Ernst & Young.

As a victim of the law of familiarity, a decade of exposure to common vulnerabilities was enough to shift his focus to abnormal hacking methodologies and new attack vectors.

He is also a prominent blogger and researcher, and is responsible for many security publications, including new application-level attacks, testing methodologies and open source projects.
As the co-author of the platforms "Diviner", "SCIP" and "WAVSEP" he was involved in the publication of several large-scale researches in the field of automated security scanners.

Shay is an experienced speaker, has been instructing a variety of information security courses for the past 8 years, and had multiple appearances in international conferences, including Blackhat, Hacktivity, AppSecUSA and others.

 
Technical Level: Advanced

 

=== The ReFrameworker Android runtime manipulator – pentesting Android apps like a king ([[Media:OWASP IL 2013 10 Erez Metula The ReFrameworker Android runtime manipulator.pdf|download presentation]])‎===
'''''Erez Metula, AppSec Labs'''''

ReFrameworker is a new exiting addition to the AppUse pentest VM which we just released at recent BlackHat USA, targeting Android applications. With ReFrameworker, we can manipulate Android applications to make our life as pentesters a lot more easier. Does the app you test insists to be used only for a particular IMEI or phone number? Or does it break on invalidated certificates when you try to SSL MitM it using a proxy? No problem! With ReFrameworker, you can just give a new behavior to any runtime method you'd like, like disabling verifications, controlling return values, and so on. Snooping on local SQL queries or encryption keys? ReFrameworker gives you a proxy for local variables so you can changes important or sensitive values on the fly.
The idea is that we'd built a new Android ROM for the sole purpose of pentesting Android apps, loaded with hooks at important places inside the Dalvik runtime. During this talk we'll witness the power of ReFrameworker, we'll learn how to use it, how it was implemented and how it can be extended.

 
Speaker Bio

Erez Metula Author of the book "Managed Code Rootkits", is a world renowned application security expert. Erez has extensive hands-on experience performing security assessments, code reviews and secure development trainings for worldwide organizations, and had previously talked at international security conferences such as BlackHat, Defcon, OWASP, RSA, SOURCE, CanSecWest and more. He is the founder of AppSec Labs, where he focuses on advanced application security topics. Erez holds an MSc in computer science and he is CISSP.

 
Technical Level: Advanced

 

=== A Game of Pwns: Pwning iPhone application security assessment using the iNalyzer framework ===
'''''Chilik Tamir, Chief Scientist, AppSec Labs'''''

iNalyzer is an open-source free to use pen-testing framework I have recently updated for BlackHat USA, targeting iPhone applications. In the following presentation I will present my latest research on a new approach to performing security assessments of iOS applications utilizing the iNalyzer. The presentation will include live demonstration of using iNalyzer to transform a tedious black-box penetration testing into an exciting gray-box effort.
The talk will cover some of the problems with testing iOS applications, and present a wider picture of the testing process for different applications using iNalyzer, from the point of view of the tester, and how to handle the difficulties that may ensue.
* You will learn how to utilize iNalyzer to bind the power of regular web vulnerability scanner - such as Zap, Burp or AppScan into the exciting world of iOS penetration testing.
* You will learn how to fill in the gaps and use iNalyzer in your IDA reversing effort when testing.
* You will learn how to manipulate iPhone applications to make our life as pen-testers a lot easier using iNalyzer.

 
Speaker Bio

Chilik Tamir is an information security expert with over two decades of experience in training, research, development, testing and consulting in the field of applicative information security for clients in the fields of finance, security, government offices and corporations. His latest research - the iOS iNalyzer is an open-source iOS application Penetration Testing Dashboard. Among his previous publications you will find AppUse – a testing environment for Android applications developed together with Erez Metula; Belch – an automatic tool for analysis and testing of binary protocols such as Flex and Java-Serialization; Chilik is an experienced security trainer and speaker with previous talks and training in security conferences such as BlackHat USA, HITB Amsterdam, OWASP Israel as well as training in cooperations such as Intel, HP, Cisco, Amdocs, Verint, RedBend and others. He is the Chief Scientist at AppSec Labs, where he acts as head of R&D and innovation. Chilik holds an Biomedical Engineering B.Sc. degree.

 
Technical Level: Advanced

 

=== Automatic trust based segregation for content providers on mobile devices ===
'''''Oren Poleg, IDC'''''

In this work we have designed and developed a modification to the Android Content Providers that allows us to impose access restrictions on the sensitive data items they contain (such as contacts, calendar events) .

We have developed lightweight solution that is compatible with the current Android design (so it can be easily integrated with the current Android implementation) that creates separation between different types of sensitive data, also separating them from the non-sensitive information in Android content providers. We allow the device owner to view the data in a unified manner, while 3rd party applications will be allowed access only to content created by them or that they were granted permission to view.

User interaction is not required for the security decisions. Instead, we are defining trust relationship between the data and the applications, in which the owner of the data can delegate access permissions to the applications.

This approach will enable organization to store sensitive information on the device content providers, allow the user to easily access it from the organizational applications as well as from system applications while preventing its leakage through other 3rd party applications
While developed for Android, the concept can be implemented on other mobile devices, such as iPhone and Windows Phone.

 
Speaker Bio

Oren Poleg is a mobile platforms expert, with more than 10 years in the mobile platforms space.
As a team leader in (the Former) Sun Microsystems, Oren was responsible to the integration of Java VM into mobile devices, later to be followed with and research of smart phone infrastructures
Currently Oren is a working as a Consultant, dealing with Android Devices, Smart TVs and Network Security.

 
Technical Level: Intermediate/Advanced

 
= Track B =

=== Web Application Forensics ===
'''''Renana Friedlich, Forensic Department Leader, Ernst and Young (Hacktics)'''''

Most organizations are not aware of successful application-level attacks, until it's too late.
Application penetration tests don't provide information on attacks that ALREADY occurred, on attacks are CURRENTLY in progress, on failed attempts, or even on the actual impact.
Organizations usually rely on security products such as WAF and IDS to locate hacking incidents, but what about attacks that slipped pass the WAF?
What about attacks with a pattern that the IDS did not recognize? What about organizations that implemented these products too late, or not at all?
That's where Web Application Proactive Forensics comes in - A collection of detailed methodologies for locating evidence of attacks that were performed and/or exploited, including attacks listed in OWASP testing guide, WASC and CWE.

 
Speaker Bio

Renana Friedlich is the Forensic Department Leader at Hacktics, an advanced security center of EY. Renana specializes in forensic investigations, developing incident response, malware assessments, and escorting start-up companies in implementing forensic methodologies into their products.
Prior to working at Hacktics, she served at the intelligence corps for seven years, and has over nine years of experience in the information security field.
In recent years, Renana was a frequent speaker in the government sector and had multiple appearances in public conferences, including OWASP, annual risk management conferences, and universities. She also regularly instructs forensic and incident response courses in universities and clients from various industries.

 
Technical Level: Intermediate

 

=== STDD - The protection you REALLY need ([[Media:OWASP_IL_2013_10_Nir_Valtman_STDD.pdf|download presentation]])‎ ===
''''' Nir Valtman, R&D CSO, Retalix ''''' 
''''' Alex Linder, Solution Architect, Retalix '''''

Today in the agile world, many streams based on Acceptance Test Driven Development (ATDD). In this presentation we are going to demonstrate how to reuse this concept in context of security. In addition, this presentation includes common scenarios from attacker's point of view as well as the defender should think. Needless to mention, we have many demos...

 
Speaker Bio

Nir is employed in Retalix as R&D CSO. Before this position he worked as chief security architect, senior technology consultant, application security consultant, system security consultant and a technological trainer. As part of his positions, Nir didn't only consulting, but also performed hands-on activities in various fields, e.g. hardening, penetration testing and development for personal\internal applications. 
Nir has a BSc in computer science but his knowledge is based mainly on cowboy learning and information sharing with the techno-oriented communities. 
Blog: http://www.valtman.org

Alex is a technology geek, likes to research and play with new stuff. Alex is a highly experienced Solution Architect specializing in Software, middleware and APIs. 
Alex has more than 14 years of experience and performed vast roles in the Israeli market such as VP Professional services, Group manager, Solution Architect, Dev team leader and Senior consultant. 
Currently working as a solution architect of large scale R&D firm with cutting edge technologies. 
Blog: http://linderalex.blogspot.co.il/

 
Technical Level: Intermediate / Advanced

 

=== Spam, Death Threats, and Other Abuses of Online Communities ([[Media:OWASP_IL_2013_10_Avi_Douglan_Spam-DeathThreats-Abuse-OnlineCommunities.pdf‎|download presentation]])‎ ===
'''''Avi Douglen, Security Architect, Independant'''''

Many contemporary websites are based on so-called “User Generated Content” (aka UGC). Furthermore, many sites oriented around a community of users enable users to interact with each other, via the site. Sites like Wikipedia and StackOverflow allow users to freely edit pages visible to all users, popular discussion forums are based on continuous postings of content by users, and social networks such as Facebook encourage users to constantly add their own rich data to the site for others’ consumption.

Aside from the usual web attacks common to all user input on websites, such as XSS and SQL Injection, there are some forms of attacks or abuse that are specific to sites such as these. Some of them are purely technical, some of them are social in nature and just take advantage of the available technology. These are often exacerbated by the scope and huge amount of traffic to these sites, and take advantage of the network effect.

The talk will be based in a large part on the speaker’s experience on the Stack Exchange network of sites, but will also compare to the models prevalent on other popular sites. We will discuss some of the aspects particular to these platforms, and show how even the more “boring” of these attacks can sometimes be interesting depending on the situation. We will also see some of the stranger happenings that occur on a large site. Finally, we will discuss and compare some of the different models that these huge websites use to limit the damage.
We will of course focus on what is both these sites’ biggest weakness, and greatest strength - the community.

 
Speaker Bio

Avi Douglen had a CISSP before it was popular, but he is not a hipster. Avi is a high-end, independent security architect and developer, and has been designing, developing and testing secure applications, and leading development teams in building secure products, for over 15 years. Avi is also a Community Moderator (volunteer basis) on Stack Exchange’s fantastic Information Security site (http://security.stackexchange.com), sister site to Stack Overflow. As a moderator, and as an active user on several other Stack Exchange sites, he has spent a lot of time handling these types of attacks, and has had the opportunity to see up close, what works, what doesn’t, and what can scale to millions of users.

 
Technical Level: Introductory

 

=== Delivering Security in Continuous Delivery Environment ([[Media:OWASP IL 2013 10 Yaniv Simsolo Delivering Security in CD Environments.pdf|download presentation]])‎===
''''' Yaniv Simsolo, Senior Consultant, Comsec Consulting'''''

Moving from traditional development environment to Agile environment, creates many a challenge to the security of the organization and developed system. Moving from Agile development environment towards Continuous Delivery environment ups the stakes.
We will venture in to the challenges of delivering security in Continuous Delivery environment, and test whether in-depth security is achievable.
Relying on industry evidences, a unique approach to the evolvement of security under Continuous Delivery development environment will be presented.

 
Speaker Bio

Yaniv Simsolo, CISSP, Senior IT Security Professional. A consultant in application security from 2004, and an expert of security of compound and enterprise scale systems.

 
Technical Level: Intermediate

 

=== Designing a national defense strategy for DDoS applications and volume attacks ===
'''''Mirit Kagarlitsky, Head of System Analysis, Israeli National Cyber Bureau '''''

DDoS attacks exploit vulnerabilities in different protocol stack layers, from the application layer and downward. These attacks undermine the availability of various services, some of which transcend the local interest of the compromised organization, bearing broader consequences.
Designing a national defense strategy for DDoS attacks has advantages, since the state has both the interest and the capacity to devise large-scale technological solutions of security from targeted attacks on critical services as well as from cumulative damage in this realm. The problem is that there is a wide spectrum of solutions and possible network locations for state intervention: services entry point, ISPs, cloud-based approaches and more; every solution should be analyzed from a national standpoint.
Our work examines when and where should the state take action in the realm, ranging from the individual organization to the ISP level. We also suggest how its accumulated benefit should be assessed in order to evaluate the overall effectiveness of the national strategy.

 
Speaker Bio

Mirit Kagarlitsky holds a B.Sc. in physics and mathematics from the Hebrew University in Jerusalem and is in the process of completion of M.Sc. in Statistics from Tel Aviv University. She has vast experience with operations research and system analysis in various fields, as an analyst and as a team leader. Today she work as the head of system analysis in the Israeli National Cyber Bureau.

 
Technical Level: Introduction

 

=== Enhancing Web Application Defense Using Big Data ===
''''' Or Katz, Principal Security Researcher, Akamai Technologies '''''

In recent years Big Data has become a commonly used technology in many products, in this presentation I will unveil practical examples on how we can improve web application defenses by using Big Data. Using Big Data enables us to combine web application filter triggers from multiple data sources. Big data analysis contributes to the improvement and enhances defense tactics. In this presentation I will show some examples such as:
* SQLi – detecting malicious users and their level of maliciousness
* Web Scraping – expose scrapers that fly under the radar and what is their target information
* False positives reduction – using Big Data in order to learn how to tune your configuration

 
Speaker Bio

Or Katz has vast expertise in Web Application Firewall technology, working in market leading web application firewall vendors as a web application security researcher.
Mr. Katz is a board member in OWASP Israel chapter, frequent speaker in the chapter conferences and he was also responsible for leading the OWASP Top 10 Hebrew translation project.
Mr. Katz also published several innovative white papers on web applications defensive techniques.

 
Technical Level: Intermediate

 

=== From Obscurity to Pop Culture - Evolution of Application Security ===
''''' Irene Abezgauz, VP Product Management, Quotium'''''

In 1998 the New York Times website was hacked. According to various news sources, the site underwent a thorough security test just two years before and at that point it became clear that 'it might not be sufficient'. Fifteen years later, application security trends talk about APTs, Agile SDLCs and Security Products being commoditized.
In this lecture we review the evolution of application security in the past decade and a half. Examining technology and aspects of security management from the early days of OWASP foundation to present day mobile application security testing as part of the development lifecycle.

 
Speaker Bio

Irene has ten years of experience in information and application security. Focused on application security penetration testing and research she is a builder and breaker of things. She is the Product Manager of Seeker™, the new generation of automatic application security testing, and head of security research activities at Seeker Security (Quotium). Ms. Abezgauz has discovered numerous vulnerabilities and published advisories related to products of leading vendors.

 
Technical Level: Introduction

OWASP Israel 2013 Presentations

2013-10-02T20:28:20Z

Oshezaf: /* The ReFrameworker Android runtime manipulator – pentesting Android apps like a king */

= Keynote =

=== Why Are Investors Excited About Cyber Security Startups, Again? ([[media:OWASP_IL_2013_10_OWASP_Ron_Moritz_Why_Are_Investors_Excited_About_Cyber_Security_Startups.pdf‎|download presentation]])‎ ===
'''''Ron Moritz, Consigliere on Venture Strategies, Issues and Trends'''''

Ron will speak about the current state of security startups, the current crop of security problems being solved by startups, and the trends of what solutions investment capital is looking to support.

The Keynote will be in English.

 
Speaker Bio

Ron Moritz is a well-regarded executive with over twenty-five years of broad operational and strategy experience from premier technology companies such as Microsoft (GM, Forefront), Symantec (SVP & CTO), and Computer Associates (SVP, Security Products Business Unit), where he was a member of each company's distinguished corporate or divisional leadership teams.

Having advised C-level executives, boards of directors, venture capitalists and private equity firms on value-creation activities including new markets, acquisition and divestiture strategy, global sourcing of labor, major technology decisions, and eco-system development, Mr. Moritz brings a unique point of view at the intersection of technology, strategy, global markets and finance.

Ron is currently a partner in Aura Coffee, a third-wave coffee roasting company based in Modiin; a member of the Fireblade board of directors; and a mentor Jerusalem-based crowd-funding leader, OurCrowd.

 

= Plenary Sessions =

=== Evolution of online banking attack techniques ===
'''''Amit Klein, CTO, Trusteer'''''

I will survey the evolution of attack techniques against online banking since the mid-2000s till today. This starts with keylogging malware, moves over to screenshooting malware, and finally gets to HTML injection malware (the “Man in the Browser” concept). I will then show several examples of the power of MitB attacks, especially when combined with social engineering, and how this can overcome many security measures such as two-factor authentication and transaction verification.

 
Speaker Bio

As Trusteer’s CTO, Amit Klein manages the company’s security research. Prior to Trusteer, Mr. Klein was Chief Scientist at Cyota Inc. (acquired by RSA Security), a leading provider of layered authentication solutions. In this role, Mr. Klein researched technologies that prevent online fraud, phishing, and pharming and filed several patents in those areas. Prior to this, Mr. Klein worked as Director of Security and Research at Sanctum, Inc. (acquired by Watchfire), where he was responsible for the security architecture of all Sanctum products. Mr. Klein holds a B.Sc. (cum laude) in Mathematics and Physics.
Mr. Klein is a world-renowned security researcher, having published more than thirty articles, papers and technical notes on the topic of Internet security. He was named CTO of the Year by InfoWorld Magazine and has presented at many prestigious conferences including RSA, FSISAC, OWASP and CertConf.

 
Technical Level: Intermediate

 

=== Your mobile device in the service of the malicious hacker (Live Demo) ===
''''' Adi Sharabani, CEO, Skycure '''''

We all developed natural instincts when it comes to protecting our physical space. We all know to look to the sides before crossing the road, and we all have some capabilities to assess current risks and make decisions accordingly. However, when it comes to using our mobile devices in the cyber era, these instincts have not yet evolved. People and organizations are at risk, and do not have an understanding how to assess or mitigate them. On top of that, current protection solutions provide inadequate protection against these threats. The organizational need to support mobile devices for business related activity created a huge gap in securing the organization. Adi Sharabani's keynote will highlight some of these threats via a live demonstration of a mobile hacking activity. The audience will be able to opt in for the demo, reflecting how easy it is for a hacker to hack into remote devices.

 
Speaker Bio

Mr. Adi Sharabani is a world-class security expert and the CEO of Skycure, a start-up that focuses on providing firewall solutions for mobile devices. Formerly, Adi led the security of IBM software products. He came to IBM through the Watchfire acquisition, a start-up company which was a pioneer in the field of application security. Among his roles, Adi built and led the Watchfire’s security group. Adi has written many patents in the security space, and his works have been presented in many known conferences such as BlackHat, RSA, OWASP, Innovate, Herzliya Conference and many more; his presentations and keynotes are constantly being ranked as best presentations of most conferences he presents at. Adi is also a fellow at Prof. Yuval Ne’eman’s workshop. In his spare time, Adi teaches at Ohel-Shem high school, and is a part of the vision and implementation of the cyber-defense curriculum for high school students, a vision that is now being implemented in Israel.

 
Technical Level: Introduction

 
= Track A =

=== Get Ready for the Next Big Wave of Attacks: Hacking of Leading CMS Systems ===
'''''Maty Siman, CTO, Checkmarx'''''

The flow of this talk is given by – you! Before this talk, we emailed the audience to provide us with their favorite WordPress plugins that they would like to test for security. In a live demo, we assess the security of the requested plugins. Previous similar trials that we performed on WordPress showed that 30% of the top 50 most downloaded plugins were vulnerable to common Web attacks. What will be the results of this experiment?

As we’ll continue to show, assessing the security posture of a plugin is only the hacker’s first step in mass attacks. As opposed to past mass SQL Injection attacks which leveraged tools such as SQLMap, these next wave of attacks do not focus on the site’s platform or customized development code. Rather, these attacks leverage on the increasing popularity of CMS platforms such as WordPress and Joomla. The maturity, prevalence and market penetration of CMS platforms allow any marketing, sales or HR individual to easily set up their own fully-operational site. Accordingly, CMS apps are flourishing – and so are the vulnerabilities in these apps.

 
Speaker Bio

Maty is the CTO and founder of Checkmarx. Maty has more than a decade of experience in software development, IT security and source-code analysis. An authoritative figure in application security, Maty is regularly interviewed by the media on security-breaking news and frequently speaks at various IT security conferences. Prior to founding Checkmarx, Maty worked for two years at the Israeli Prime Minister’s Office as a senior IT security expert and project manager. Prior to that, he spent six years with the Israeli Defense Forces (IDF), where he established and led a development team in the IDF’s Information Security Center.

 
Technical Level: Intermediate

 

=== Utilizing Popular Websites for Malicious Purposes Using RDI ([[Media:OWASP IL 2013 10 Chechik Davidi Utilizing Popular Websites for Malicious Purposes Using RDI.pdf|download presentation]])‎===
'''''Daniel Chechik, Security Researcher, Trustwave SpiderLabs''''' 
'''''Anat Davidi, Security Researcher, Trustwave SpiderLabs'''''

Reflected DOM Injection is a new attack vector first presented at the DefCon 21 conference in July. We will explain the technique and show a live demo where we use it to hide malicious code within popular and trusted websites. For those of you who are interested in RDI but couldn’t make it to DefCon, we are bringing the talk to you!

The introduction of this session will briefly review the struggle between malicious websites and security products. We will explain the issues of hosting a malicious website and the techniques security vendors use in order to block them.
We will then present our new technique to avoid detection and proceed to explain all parts of it in-depth. A full demo of the attack from beginning to end will be included.
common and known services published by popular websites will be used in order to dynamically construct an attack hosted for us by these services.
Finally, we will add a layer of defense to our attack, and generate malicious code which will become practically invisible to dynamic analysis engines and thus evade most of today's security engines and technologies.

 
Speaker Bio

Daniel Chechik is a veteran security researcher at Trustwave's SpiderLabs. Among other things, he specializes in malware analysis, web exploits detection, Trojan and botnet detection and neutralizing and defining security requirements for the Secure Web Gateway product.
Prior to that, Daniel served in a technological unit as a security specialist in the IDF. During the service, Daniel specialized in CheckPoint Firewall equipment, AntiVirus products and other IT security products.
Daniel, among other things, has spoken at the RSA conference, DefCon, holds CEH and CCSE certificates and has a patent pending for 'Detecting Malware Communication on an Infected Computing Device'.

Anat Davidi is a security researcher at Trustwave's SpiderLabs. Her role includes vulnerability analysis, malware analysis and developing detection logic for the Secure Web Gateway product.
Prior to that, Anat worked as a security consultant providing security reviews and penetration tests for organizations in various business sectors, ranging from banks and insurance companies to hi-tech corporations. Amongst other things, Anat has spoken at the RSA conference, DefCon.

 
Technical Level: Intermediate

 

=== Invisibility Purge - Manipulating Properties Of Invisible & Dormant Asp.Net Controls ([[Media:OWASP IL 2013 10 Shay Chen Invisible Purge.pdf|download presentation]])‎ ===
'''''Shay Chen, CTO, Ernst & Young (Hacktics)'''''

Server-Side Web Controls became popular components in modern web application frameworks.
In addition to the development benefits of these components provide, they are also protected using a variety of security mechanisms, including digital signatures, content access restrictions and even invisibility.
However, developers that use these components improperly can expose the application to a variety of different attacks that can be executed despite, and sometimes due to the existence of security mechanisms.
The presentation will demonstrate several new methods that attackers can harness to bypass security mechanism, manipulate server control properties and identify, enumerate and activate events of dormant server web controls, in popular platforms such as ASP.Net, JSF and Mono.

 
Speaker Bio

Shay Chen is the CTO of Hacktics, an advanced security center of Ernst & Young.

As a victim of the law of familiarity, a decade of exposure to common vulnerabilities was enough to shift his focus to abnormal hacking methodologies and new attack vectors.

He is also a prominent blogger and researcher, and is responsible for many security publications, including new application-level attacks, testing methodologies and open source projects.
As the co-author of the platforms "Diviner", "SCIP" and "WAVSEP" he was involved in the publication of several large-scale researches in the field of automated security scanners.

Shay is an experienced speaker, has been instructing a variety of information security courses for the past 8 years, and had multiple appearances in international conferences, including Blackhat, Hacktivity, AppSecUSA and others.

 
Technical Level: Advanced

 

=== The ReFrameworker Android runtime manipulator – pentesting Android apps like a king ([[Media:OWASP IL 2013 10 Erez Metula The ReFrameworker Android runtime manipulator.pdf|download presentation]])‎===
'''''Erez Metula, AppSec Labs'''''

ReFrameworker is a new exiting addition to the AppUse pentest VM which we just released at recent BlackHat USA, targeting Android applications. With ReFrameworker, we can manipulate Android applications to make our life as pentesters a lot more easier. Does the app you test insists to be used only for a particular IMEI or phone number? Or does it break on invalidated certificates when you try to SSL MitM it using a proxy? No problem! With ReFrameworker, you can just give a new behavior to any runtime method you'd like, like disabling verifications, controlling return values, and so on. Snooping on local SQL queries or encryption keys? ReFrameworker gives you a proxy for local variables so you can changes important or sensitive values on the fly.
The idea is that we'd built a new Android ROM for the sole purpose of pentesting Android apps, loaded with hooks at important places inside the Dalvik runtime. During this talk we'll witness the power of ReFrameworker, we'll learn how to use it, how it was implemented and how it can be extended.

 
Speaker Bio

Erez Metula Author of the book "Managed Code Rootkits", is a world renowned application security expert. Erez has extensive hands-on experience performing security assessments, code reviews and secure development trainings for worldwide organizations, and had previously talked at international security conferences such as BlackHat, Defcon, OWASP, RSA, SOURCE, CanSecWest and more. He is the founder of AppSec Labs, where he focuses on advanced application security topics. Erez holds an MSc in computer science and he is CISSP.

 
Technical Level: Advanced

 

=== A Game of Pwns: Pwning iPhone application security assessment using the iNalyzer framework ===
'''''Chilik Tamir, Chief Scientist, AppSec Labs'''''

iNalyzer is an open-source free to use pen-testing framework I have recently updated for BlackHat USA, targeting iPhone applications. In the following presentation I will present my latest research on a new approach to performing security assessments of iOS applications utilizing the iNalyzer. The presentation will include live demonstration of using iNalyzer to transform a tedious black-box penetration testing into an exciting gray-box effort.
The talk will cover some of the problems with testing iOS applications, and present a wider picture of the testing process for different applications using iNalyzer, from the point of view of the tester, and how to handle the difficulties that may ensue.
* You will learn how to utilize iNalyzer to bind the power of regular web vulnerability scanner - such as Zap, Burp or AppScan into the exciting world of iOS penetration testing.
* You will learn how to fill in the gaps and use iNalyzer in your IDA reversing effort when testing.
* You will learn how to manipulate iPhone applications to make our life as pen-testers a lot easier using iNalyzer.

 
Speaker Bio

Chilik Tamir is an information security expert with over two decades of experience in training, research, development, testing and consulting in the field of applicative information security for clients in the fields of finance, security, government offices and corporations. His latest research - the iOS iNalyzer is an open-source iOS application Penetration Testing Dashboard. Among his previous publications you will find AppUse – a testing environment for Android applications developed together with Erez Metula; Belch – an automatic tool for analysis and testing of binary protocols such as Flex and Java-Serialization; Chilik is an experienced security trainer and speaker with previous talks and training in security conferences such as BlackHat USA, HITB Amsterdam, OWASP Israel as well as training in cooperations such as Intel, HP, Cisco, Amdocs, Verint, RedBend and others. He is the Chief Scientist at AppSec Labs, where he acts as head of R&D and innovation. Chilik holds an Biomedical Engineering B.Sc. degree.

 
Technical Level: Advanced

 

=== Automatic trust based segregation for content providers on mobile devices ===
'''''Oren Poleg, IDC'''''

In this work we have designed and developed a modification to the Android Content Providers that allows us to impose access restrictions on the sensitive data items they contain (such as contacts, calendar events) .

We have developed lightweight solution that is compatible with the current Android design (so it can be easily integrated with the current Android implementation) that creates separation between different types of sensitive data, also separating them from the non-sensitive information in Android content providers. We allow the device owner to view the data in a unified manner, while 3rd party applications will be allowed access only to content created by them or that they were granted permission to view.

User interaction is not required for the security decisions. Instead, we are defining trust relationship between the data and the applications, in which the owner of the data can delegate access permissions to the applications.

This approach will enable organization to store sensitive information on the device content providers, allow the user to easily access it from the organizational applications as well as from system applications while preventing its leakage through other 3rd party applications
While developed for Android, the concept can be implemented on other mobile devices, such as iPhone and Windows Phone.

 
Speaker Bio

Oren Poleg is a mobile platforms expert, with more than 10 years in the mobile platforms space.
As a team leader in (the Former) Sun Microsystems, Oren was responsible to the integration of Java VM into mobile devices, later to be followed with and research of smart phone infrastructures
Currently Oren is a working as a Consultant, dealing with Android Devices, Smart TVs and Network Security.

 
Technical Level: Intermediate/Advanced

 
= Track B =

=== Web Application Forensics ===
'''''Renana Friedlich, Forensic Department Leader, Ernst and Young (Hacktics)'''''

Most organizations are not aware of successful application-level attacks, until it's too late.
Application penetration tests don't provide information on attacks that ALREADY occurred, on attacks are CURRENTLY in progress, on failed attempts, or even on the actual impact.
Organizations usually rely on security products such as WAF and IDS to locate hacking incidents, but what about attacks that slipped pass the WAF?
What about attacks with a pattern that the IDS did not recognize? What about organizations that implemented these products too late, or not at all?
That's where Web Application Proactive Forensics comes in - A collection of detailed methodologies for locating evidence of attacks that were performed and/or exploited, including attacks listed in OWASP testing guide, WASC and CWE.

 
Speaker Bio

Renana Friedlich is the Forensic Department Leader at Hacktics, an advanced security center of EY. Renana specializes in forensic investigations, developing incident response, malware assessments, and escorting start-up companies in implementing forensic methodologies into their products.
Prior to working at Hacktics, she served at the intelligence corps for seven years, and has over nine years of experience in the information security field.
In recent years, Renana was a frequent speaker in the government sector and had multiple appearances in public conferences, including OWASP, annual risk management conferences, and universities. She also regularly instructs forensic and incident response courses in universities and clients from various industries.

 
Technical Level: Intermediate

 

=== STDD - The protection you REALLY need ([[Media:OWASP_IL_2013_10_Nir_Valtman_STDD.pdf|download presentation]])‎ ===
''''' Nir Valtman, R&D CSO, Retalix ''''' 
''''' Alex Linder, Solution Architect, Retalix '''''

Today in the agile world, many streams based on Acceptance Test Driven Development (ATDD). In this presentation we are going to demonstrate how to reuse this concept in context of security. In addition, this presentation includes common scenarios from attacker's point of view as well as the defender should think. Needless to mention, we have many demos...

 
Speaker Bio

Nir is employed in Retalix as R&D CSO. Before this position he worked as chief security architect, senior technology consultant, application security consultant, system security consultant and a technological trainer. As part of his positions, Nir didn't only consulting, but also performed hands-on activities in various fields, e.g. hardening, penetration testing and development for personal\internal applications. 
Nir has a BSc in computer science but his knowledge is based mainly on cowboy learning and information sharing with the techno-oriented communities. 
Blog: http://www.valtman.org

Alex is a technology geek, likes to research and play with new stuff. Alex is a highly experienced Solution Architect specializing in Software, middleware and APIs. 
Alex has more than 14 years of experience and performed vast roles in the Israeli market such as VP Professional services, Group manager, Solution Architect, Dev team leader and Senior consultant. 
Currently working as a solution architect of large scale R&D firm with cutting edge technologies. 
Blog: http://linderalex.blogspot.co.il/

 
Technical Level: Intermediate / Advanced

 

=== Spam, Death Threats, and Other Abuses of Online Communities ([[Media:OWASP_IL_2013_10_Avi_Douglan_Spam-DeathThreats-Abuse-OnlineCommunities.pdf‎|download presentation]])‎ ===
'''''Avi Douglen, Security Architect, Independant'''''

Many contemporary websites are based on so-called “User Generated Content” (aka UGC). Furthermore, many sites oriented around a community of users enable users to interact with each other, via the site. Sites like Wikipedia and StackOverflow allow users to freely edit pages visible to all users, popular discussion forums are based on continuous postings of content by users, and social networks such as Facebook encourage users to constantly add their own rich data to the site for others’ consumption.

Aside from the usual web attacks common to all user input on websites, such as XSS and SQL Injection, there are some forms of attacks or abuse that are specific to sites such as these. Some of them are purely technical, some of them are social in nature and just take advantage of the available technology. These are often exacerbated by the scope and huge amount of traffic to these sites, and take advantage of the network effect.

The talk will be based in a large part on the speaker’s experience on the Stack Exchange network of sites, but will also compare to the models prevalent on other popular sites. We will discuss some of the aspects particular to these platforms, and show how even the more “boring” of these attacks can sometimes be interesting depending on the situation. We will also see some of the stranger happenings that occur on a large site. Finally, we will discuss and compare some of the different models that these huge websites use to limit the damage.
We will of course focus on what is both these sites’ biggest weakness, and greatest strength - the community.

 
Speaker Bio

Avi Douglen had a CISSP before it was popular, but he is not a hipster. Avi is a high-end, independent security architect and developer, and has been designing, developing and testing secure applications, and leading development teams in building secure products, for over 15 years. Avi is also a Community Moderator (volunteer basis) on Stack Exchange’s fantastic Information Security site (http://security.stackexchange.com), sister site to Stack Overflow. As a moderator, and as an active user on several other Stack Exchange sites, he has spent a lot of time handling these types of attacks, and has had the opportunity to see up close, what works, what doesn’t, and what can scale to millions of users.

 
Technical Level: Introductory

 

=== Delivering Security in Continuous Delivery Environment ===
''''' Yaniv Simsolo, Senior Consultant, Comsec Consulting'''''

Moving from traditional development environment to Agile environment, creates many a challenge to the security of the organization and developed system. Moving from Agile development environment towards Continuous Delivery environment ups the stakes.
We will venture in to the challenges of delivering security in Continuous Delivery environment, and test whether in-depth security is achievable.
Relying on industry evidences, a unique approach to the evolvement of security under Continuous Delivery development environment will be presented.

 
Speaker Bio

Yaniv Simsolo, CISSP, Senior IT Security Professional. A consultant in application security from 2004, and an expert of security of compound and enterprise scale systems.

 
Technical Level: Intermediate

 

=== Designing a national defense strategy for DDoS applications and volume attacks ===
'''''Mirit Kagarlitsky, Head of System Analysis, Israeli National Cyber Bureau '''''

DDoS attacks exploit vulnerabilities in different protocol stack layers, from the application layer and downward. These attacks undermine the availability of various services, some of which transcend the local interest of the compromised organization, bearing broader consequences.
Designing a national defense strategy for DDoS attacks has advantages, since the state has both the interest and the capacity to devise large-scale technological solutions of security from targeted attacks on critical services as well as from cumulative damage in this realm. The problem is that there is a wide spectrum of solutions and possible network locations for state intervention: services entry point, ISPs, cloud-based approaches and more; every solution should be analyzed from a national standpoint.
Our work examines when and where should the state take action in the realm, ranging from the individual organization to the ISP level. We also suggest how its accumulated benefit should be assessed in order to evaluate the overall effectiveness of the national strategy.

 
Speaker Bio

Mirit Kagarlitsky holds a B.Sc. in physics and mathematics from the Hebrew University in Jerusalem and is in the process of completion of M.Sc. in Statistics from Tel Aviv University. She has vast experience with operations research and system analysis in various fields, as an analyst and as a team leader. Today she work as the head of system analysis in the Israeli National Cyber Bureau.

 
Technical Level: Introduction

 

=== Enhancing Web Application Defense Using Big Data ===
''''' Or Katz, Principal Security Researcher, Akamai Technologies '''''

In recent years Big Data has become a commonly used technology in many products, in this presentation I will unveil practical examples on how we can improve web application defenses by using Big Data. Using Big Data enables us to combine web application filter triggers from multiple data sources. Big data analysis contributes to the improvement and enhances defense tactics. In this presentation I will show some examples such as:
* SQLi – detecting malicious users and their level of maliciousness
* Web Scraping – expose scrapers that fly under the radar and what is their target information
* False positives reduction – using Big Data in order to learn how to tune your configuration

 
Speaker Bio

Or Katz has vast expertise in Web Application Firewall technology, working in market leading web application firewall vendors as a web application security researcher.
Mr. Katz is a board member in OWASP Israel chapter, frequent speaker in the chapter conferences and he was also responsible for leading the OWASP Top 10 Hebrew translation project.
Mr. Katz also published several innovative white papers on web applications defensive techniques.

 
Technical Level: Intermediate

 

=== From Obscurity to Pop Culture - Evolution of Application Security ===
''''' Irene Abezgauz, VP Product Management, Quotium'''''

In 1998 the New York Times website was hacked. According to various news sources, the site underwent a thorough security test just two years before and at that point it became clear that 'it might not be sufficient'. Fifteen years later, application security trends talk about APTs, Agile SDLCs and Security Products being commoditized.
In this lecture we review the evolution of application security in the past decade and a half. Examining technology and aspects of security management from the early days of OWASP foundation to present day mobile application security testing as part of the development lifecycle.

 
Speaker Bio

Irene has ten years of experience in information and application security. Focused on application security penetration testing and research she is a builder and breaker of things. She is the Product Manager of Seeker™, the new generation of automatic application security testing, and head of security research activities at Seeker Security (Quotium). Ms. Abezgauz has discovered numerous vulnerabilities and published advisories related to products of leading vendors.

 
Technical Level: Introduction

OWASP Israel 2013 Presentations

2013-10-02T20:27:37Z

Oshezaf: /* Invisibility Purge - Manipulating Properties Of Invisible & Dormant Asp.Net Controls */

= Keynote =

=== Why Are Investors Excited About Cyber Security Startups, Again? ([[media:OWASP_IL_2013_10_OWASP_Ron_Moritz_Why_Are_Investors_Excited_About_Cyber_Security_Startups.pdf‎|download presentation]])‎ ===
'''''Ron Moritz, Consigliere on Venture Strategies, Issues and Trends'''''

Ron will speak about the current state of security startups, the current crop of security problems being solved by startups, and the trends of what solutions investment capital is looking to support.

The Keynote will be in English.

 
Speaker Bio

Ron Moritz is a well-regarded executive with over twenty-five years of broad operational and strategy experience from premier technology companies such as Microsoft (GM, Forefront), Symantec (SVP & CTO), and Computer Associates (SVP, Security Products Business Unit), where he was a member of each company's distinguished corporate or divisional leadership teams.

Having advised C-level executives, boards of directors, venture capitalists and private equity firms on value-creation activities including new markets, acquisition and divestiture strategy, global sourcing of labor, major technology decisions, and eco-system development, Mr. Moritz brings a unique point of view at the intersection of technology, strategy, global markets and finance.

Ron is currently a partner in Aura Coffee, a third-wave coffee roasting company based in Modiin; a member of the Fireblade board of directors; and a mentor Jerusalem-based crowd-funding leader, OurCrowd.

 

= Plenary Sessions =

=== Evolution of online banking attack techniques ===
'''''Amit Klein, CTO, Trusteer'''''

I will survey the evolution of attack techniques against online banking since the mid-2000s till today. This starts with keylogging malware, moves over to screenshooting malware, and finally gets to HTML injection malware (the “Man in the Browser” concept). I will then show several examples of the power of MitB attacks, especially when combined with social engineering, and how this can overcome many security measures such as two-factor authentication and transaction verification.

 
Speaker Bio

As Trusteer’s CTO, Amit Klein manages the company’s security research. Prior to Trusteer, Mr. Klein was Chief Scientist at Cyota Inc. (acquired by RSA Security), a leading provider of layered authentication solutions. In this role, Mr. Klein researched technologies that prevent online fraud, phishing, and pharming and filed several patents in those areas. Prior to this, Mr. Klein worked as Director of Security and Research at Sanctum, Inc. (acquired by Watchfire), where he was responsible for the security architecture of all Sanctum products. Mr. Klein holds a B.Sc. (cum laude) in Mathematics and Physics.
Mr. Klein is a world-renowned security researcher, having published more than thirty articles, papers and technical notes on the topic of Internet security. He was named CTO of the Year by InfoWorld Magazine and has presented at many prestigious conferences including RSA, FSISAC, OWASP and CertConf.

 
Technical Level: Intermediate

 

=== Your mobile device in the service of the malicious hacker (Live Demo) ===
''''' Adi Sharabani, CEO, Skycure '''''

We all developed natural instincts when it comes to protecting our physical space. We all know to look to the sides before crossing the road, and we all have some capabilities to assess current risks and make decisions accordingly. However, when it comes to using our mobile devices in the cyber era, these instincts have not yet evolved. People and organizations are at risk, and do not have an understanding how to assess or mitigate them. On top of that, current protection solutions provide inadequate protection against these threats. The organizational need to support mobile devices for business related activity created a huge gap in securing the organization. Adi Sharabani's keynote will highlight some of these threats via a live demonstration of a mobile hacking activity. The audience will be able to opt in for the demo, reflecting how easy it is for a hacker to hack into remote devices.

 
Speaker Bio

Mr. Adi Sharabani is a world-class security expert and the CEO of Skycure, a start-up that focuses on providing firewall solutions for mobile devices. Formerly, Adi led the security of IBM software products. He came to IBM through the Watchfire acquisition, a start-up company which was a pioneer in the field of application security. Among his roles, Adi built and led the Watchfire’s security group. Adi has written many patents in the security space, and his works have been presented in many known conferences such as BlackHat, RSA, OWASP, Innovate, Herzliya Conference and many more; his presentations and keynotes are constantly being ranked as best presentations of most conferences he presents at. Adi is also a fellow at Prof. Yuval Ne’eman’s workshop. In his spare time, Adi teaches at Ohel-Shem high school, and is a part of the vision and implementation of the cyber-defense curriculum for high school students, a vision that is now being implemented in Israel.

 
Technical Level: Introduction

 
= Track A =

=== Get Ready for the Next Big Wave of Attacks: Hacking of Leading CMS Systems ===
'''''Maty Siman, CTO, Checkmarx'''''

The flow of this talk is given by – you! Before this talk, we emailed the audience to provide us with their favorite WordPress plugins that they would like to test for security. In a live demo, we assess the security of the requested plugins. Previous similar trials that we performed on WordPress showed that 30% of the top 50 most downloaded plugins were vulnerable to common Web attacks. What will be the results of this experiment?

As we’ll continue to show, assessing the security posture of a plugin is only the hacker’s first step in mass attacks. As opposed to past mass SQL Injection attacks which leveraged tools such as SQLMap, these next wave of attacks do not focus on the site’s platform or customized development code. Rather, these attacks leverage on the increasing popularity of CMS platforms such as WordPress and Joomla. The maturity, prevalence and market penetration of CMS platforms allow any marketing, sales or HR individual to easily set up their own fully-operational site. Accordingly, CMS apps are flourishing – and so are the vulnerabilities in these apps.

 
Speaker Bio

Maty is the CTO and founder of Checkmarx. Maty has more than a decade of experience in software development, IT security and source-code analysis. An authoritative figure in application security, Maty is regularly interviewed by the media on security-breaking news and frequently speaks at various IT security conferences. Prior to founding Checkmarx, Maty worked for two years at the Israeli Prime Minister’s Office as a senior IT security expert and project manager. Prior to that, he spent six years with the Israeli Defense Forces (IDF), where he established and led a development team in the IDF’s Information Security Center.

 
Technical Level: Intermediate

 

=== Utilizing Popular Websites for Malicious Purposes Using RDI ([[Media:OWASP IL 2013 10 Chechik Davidi Utilizing Popular Websites for Malicious Purposes Using RDI.pdf|download presentation]])‎===
'''''Daniel Chechik, Security Researcher, Trustwave SpiderLabs''''' 
'''''Anat Davidi, Security Researcher, Trustwave SpiderLabs'''''

Reflected DOM Injection is a new attack vector first presented at the DefCon 21 conference in July. We will explain the technique and show a live demo where we use it to hide malicious code within popular and trusted websites. For those of you who are interested in RDI but couldn’t make it to DefCon, we are bringing the talk to you!

The introduction of this session will briefly review the struggle between malicious websites and security products. We will explain the issues of hosting a malicious website and the techniques security vendors use in order to block them.
We will then present our new technique to avoid detection and proceed to explain all parts of it in-depth. A full demo of the attack from beginning to end will be included.
common and known services published by popular websites will be used in order to dynamically construct an attack hosted for us by these services.
Finally, we will add a layer of defense to our attack, and generate malicious code which will become practically invisible to dynamic analysis engines and thus evade most of today's security engines and technologies.

 
Speaker Bio

Daniel Chechik is a veteran security researcher at Trustwave's SpiderLabs. Among other things, he specializes in malware analysis, web exploits detection, Trojan and botnet detection and neutralizing and defining security requirements for the Secure Web Gateway product.
Prior to that, Daniel served in a technological unit as a security specialist in the IDF. During the service, Daniel specialized in CheckPoint Firewall equipment, AntiVirus products and other IT security products.
Daniel, among other things, has spoken at the RSA conference, DefCon, holds CEH and CCSE certificates and has a patent pending for 'Detecting Malware Communication on an Infected Computing Device'.

Anat Davidi is a security researcher at Trustwave's SpiderLabs. Her role includes vulnerability analysis, malware analysis and developing detection logic for the Secure Web Gateway product.
Prior to that, Anat worked as a security consultant providing security reviews and penetration tests for organizations in various business sectors, ranging from banks and insurance companies to hi-tech corporations. Amongst other things, Anat has spoken at the RSA conference, DefCon.

 
Technical Level: Intermediate

 

=== Invisibility Purge - Manipulating Properties Of Invisible & Dormant Asp.Net Controls ([[Media:OWASP IL 2013 10 Shay Chen Invisible Purge.pdf|download presentation]])‎ ===
'''''Shay Chen, CTO, Ernst & Young (Hacktics)'''''

Server-Side Web Controls became popular components in modern web application frameworks.
In addition to the development benefits of these components provide, they are also protected using a variety of security mechanisms, including digital signatures, content access restrictions and even invisibility.
However, developers that use these components improperly can expose the application to a variety of different attacks that can be executed despite, and sometimes due to the existence of security mechanisms.
The presentation will demonstrate several new methods that attackers can harness to bypass security mechanism, manipulate server control properties and identify, enumerate and activate events of dormant server web controls, in popular platforms such as ASP.Net, JSF and Mono.

 
Speaker Bio

Shay Chen is the CTO of Hacktics, an advanced security center of Ernst & Young.

As a victim of the law of familiarity, a decade of exposure to common vulnerabilities was enough to shift his focus to abnormal hacking methodologies and new attack vectors.

He is also a prominent blogger and researcher, and is responsible for many security publications, including new application-level attacks, testing methodologies and open source projects.
As the co-author of the platforms "Diviner", "SCIP" and "WAVSEP" he was involved in the publication of several large-scale researches in the field of automated security scanners.

Shay is an experienced speaker, has been instructing a variety of information security courses for the past 8 years, and had multiple appearances in international conferences, including Blackhat, Hacktivity, AppSecUSA and others.

 
Technical Level: Advanced

 

=== The ReFrameworker Android runtime manipulator – pentesting Android apps like a king ===
'''''Erez Metula, AppSec Labs'''''

ReFrameworker is a new exiting addition to the AppUse pentest VM which we just released at recent BlackHat USA, targeting Android applications. With ReFrameworker, we can manipulate Android applications to make our life as pentesters a lot more easier. Does the app you test insists to be used only for a particular IMEI or phone number? Or does it break on invalidated certificates when you try to SSL MitM it using a proxy? No problem! With ReFrameworker, you can just give a new behavior to any runtime method you'd like, like disabling verifications, controlling return values, and so on. Snooping on local SQL queries or encryption keys? ReFrameworker gives you a proxy for local variables so you can changes important or sensitive values on the fly.
The idea is that we'd built a new Android ROM for the sole purpose of pentesting Android apps, loaded with hooks at important places inside the Dalvik runtime. During this talk we'll witness the power of ReFrameworker, we'll learn how to use it, how it was implemented and how it can be extended.

 
Speaker Bio

Erez Metula Author of the book "Managed Code Rootkits", is a world renowned application security expert. Erez has extensive hands-on experience performing security assessments, code reviews and secure development trainings for worldwide organizations, and had previously talked at international security conferences such as BlackHat, Defcon, OWASP, RSA, SOURCE, CanSecWest and more. He is the founder of AppSec Labs, where he focuses on advanced application security topics. Erez holds an MSc in computer science and he is CISSP.

 
Technical Level: Advanced

 

=== A Game of Pwns: Pwning iPhone application security assessment using the iNalyzer framework ===
'''''Chilik Tamir, Chief Scientist, AppSec Labs'''''

iNalyzer is an open-source free to use pen-testing framework I have recently updated for BlackHat USA, targeting iPhone applications. In the following presentation I will present my latest research on a new approach to performing security assessments of iOS applications utilizing the iNalyzer. The presentation will include live demonstration of using iNalyzer to transform a tedious black-box penetration testing into an exciting gray-box effort.
The talk will cover some of the problems with testing iOS applications, and present a wider picture of the testing process for different applications using iNalyzer, from the point of view of the tester, and how to handle the difficulties that may ensue.
* You will learn how to utilize iNalyzer to bind the power of regular web vulnerability scanner - such as Zap, Burp or AppScan into the exciting world of iOS penetration testing.
* You will learn how to fill in the gaps and use iNalyzer in your IDA reversing effort when testing.
* You will learn how to manipulate iPhone applications to make our life as pen-testers a lot easier using iNalyzer.

 
Speaker Bio

Chilik Tamir is an information security expert with over two decades of experience in training, research, development, testing and consulting in the field of applicative information security for clients in the fields of finance, security, government offices and corporations. His latest research - the iOS iNalyzer is an open-source iOS application Penetration Testing Dashboard. Among his previous publications you will find AppUse – a testing environment for Android applications developed together with Erez Metula; Belch – an automatic tool for analysis and testing of binary protocols such as Flex and Java-Serialization; Chilik is an experienced security trainer and speaker with previous talks and training in security conferences such as BlackHat USA, HITB Amsterdam, OWASP Israel as well as training in cooperations such as Intel, HP, Cisco, Amdocs, Verint, RedBend and others. He is the Chief Scientist at AppSec Labs, where he acts as head of R&D and innovation. Chilik holds an Biomedical Engineering B.Sc. degree.

 
Technical Level: Advanced

 

=== Automatic trust based segregation for content providers on mobile devices ===
'''''Oren Poleg, IDC'''''

In this work we have designed and developed a modification to the Android Content Providers that allows us to impose access restrictions on the sensitive data items they contain (such as contacts, calendar events) .

We have developed lightweight solution that is compatible with the current Android design (so it can be easily integrated with the current Android implementation) that creates separation between different types of sensitive data, also separating them from the non-sensitive information in Android content providers. We allow the device owner to view the data in a unified manner, while 3rd party applications will be allowed access only to content created by them or that they were granted permission to view.

User interaction is not required for the security decisions. Instead, we are defining trust relationship between the data and the applications, in which the owner of the data can delegate access permissions to the applications.

This approach will enable organization to store sensitive information on the device content providers, allow the user to easily access it from the organizational applications as well as from system applications while preventing its leakage through other 3rd party applications
While developed for Android, the concept can be implemented on other mobile devices, such as iPhone and Windows Phone.

 
Speaker Bio

Oren Poleg is a mobile platforms expert, with more than 10 years in the mobile platforms space.
As a team leader in (the Former) Sun Microsystems, Oren was responsible to the integration of Java VM into mobile devices, later to be followed with and research of smart phone infrastructures
Currently Oren is a working as a Consultant, dealing with Android Devices, Smart TVs and Network Security.

 
Technical Level: Intermediate/Advanced

 
= Track B =

=== Web Application Forensics ===
'''''Renana Friedlich, Forensic Department Leader, Ernst and Young (Hacktics)'''''

Most organizations are not aware of successful application-level attacks, until it's too late.
Application penetration tests don't provide information on attacks that ALREADY occurred, on attacks are CURRENTLY in progress, on failed attempts, or even on the actual impact.
Organizations usually rely on security products such as WAF and IDS to locate hacking incidents, but what about attacks that slipped pass the WAF?
What about attacks with a pattern that the IDS did not recognize? What about organizations that implemented these products too late, or not at all?
That's where Web Application Proactive Forensics comes in - A collection of detailed methodologies for locating evidence of attacks that were performed and/or exploited, including attacks listed in OWASP testing guide, WASC and CWE.

 
Speaker Bio

Renana Friedlich is the Forensic Department Leader at Hacktics, an advanced security center of EY. Renana specializes in forensic investigations, developing incident response, malware assessments, and escorting start-up companies in implementing forensic methodologies into their products.
Prior to working at Hacktics, she served at the intelligence corps for seven years, and has over nine years of experience in the information security field.
In recent years, Renana was a frequent speaker in the government sector and had multiple appearances in public conferences, including OWASP, annual risk management conferences, and universities. She also regularly instructs forensic and incident response courses in universities and clients from various industries.

 
Technical Level: Intermediate

 

=== STDD - The protection you REALLY need ([[Media:OWASP_IL_2013_10_Nir_Valtman_STDD.pdf|download presentation]])‎ ===
''''' Nir Valtman, R&D CSO, Retalix ''''' 
''''' Alex Linder, Solution Architect, Retalix '''''

Today in the agile world, many streams based on Acceptance Test Driven Development (ATDD). In this presentation we are going to demonstrate how to reuse this concept in context of security. In addition, this presentation includes common scenarios from attacker's point of view as well as the defender should think. Needless to mention, we have many demos...

 
Speaker Bio

Nir is employed in Retalix as R&D CSO. Before this position he worked as chief security architect, senior technology consultant, application security consultant, system security consultant and a technological trainer. As part of his positions, Nir didn't only consulting, but also performed hands-on activities in various fields, e.g. hardening, penetration testing and development for personal\internal applications. 
Nir has a BSc in computer science but his knowledge is based mainly on cowboy learning and information sharing with the techno-oriented communities. 
Blog: http://www.valtman.org

Alex is a technology geek, likes to research and play with new stuff. Alex is a highly experienced Solution Architect specializing in Software, middleware and APIs. 
Alex has more than 14 years of experience and performed vast roles in the Israeli market such as VP Professional services, Group manager, Solution Architect, Dev team leader and Senior consultant. 
Currently working as a solution architect of large scale R&D firm with cutting edge technologies. 
Blog: http://linderalex.blogspot.co.il/

 
Technical Level: Intermediate / Advanced

 

=== Spam, Death Threats, and Other Abuses of Online Communities ([[Media:OWASP_IL_2013_10_Avi_Douglan_Spam-DeathThreats-Abuse-OnlineCommunities.pdf‎|download presentation]])‎ ===
'''''Avi Douglen, Security Architect, Independant'''''

Many contemporary websites are based on so-called “User Generated Content” (aka UGC). Furthermore, many sites oriented around a community of users enable users to interact with each other, via the site. Sites like Wikipedia and StackOverflow allow users to freely edit pages visible to all users, popular discussion forums are based on continuous postings of content by users, and social networks such as Facebook encourage users to constantly add their own rich data to the site for others’ consumption.

Aside from the usual web attacks common to all user input on websites, such as XSS and SQL Injection, there are some forms of attacks or abuse that are specific to sites such as these. Some of them are purely technical, some of them are social in nature and just take advantage of the available technology. These are often exacerbated by the scope and huge amount of traffic to these sites, and take advantage of the network effect.

The talk will be based in a large part on the speaker’s experience on the Stack Exchange network of sites, but will also compare to the models prevalent on other popular sites. We will discuss some of the aspects particular to these platforms, and show how even the more “boring” of these attacks can sometimes be interesting depending on the situation. We will also see some of the stranger happenings that occur on a large site. Finally, we will discuss and compare some of the different models that these huge websites use to limit the damage.
We will of course focus on what is both these sites’ biggest weakness, and greatest strength - the community.

 
Speaker Bio

Avi Douglen had a CISSP before it was popular, but he is not a hipster. Avi is a high-end, independent security architect and developer, and has been designing, developing and testing secure applications, and leading development teams in building secure products, for over 15 years. Avi is also a Community Moderator (volunteer basis) on Stack Exchange’s fantastic Information Security site (http://security.stackexchange.com), sister site to Stack Overflow. As a moderator, and as an active user on several other Stack Exchange sites, he has spent a lot of time handling these types of attacks, and has had the opportunity to see up close, what works, what doesn’t, and what can scale to millions of users.

 
Technical Level: Introductory

 

=== Delivering Security in Continuous Delivery Environment ===
''''' Yaniv Simsolo, Senior Consultant, Comsec Consulting'''''

Moving from traditional development environment to Agile environment, creates many a challenge to the security of the organization and developed system. Moving from Agile development environment towards Continuous Delivery environment ups the stakes.
We will venture in to the challenges of delivering security in Continuous Delivery environment, and test whether in-depth security is achievable.
Relying on industry evidences, a unique approach to the evolvement of security under Continuous Delivery development environment will be presented.

 
Speaker Bio

Yaniv Simsolo, CISSP, Senior IT Security Professional. A consultant in application security from 2004, and an expert of security of compound and enterprise scale systems.

 
Technical Level: Intermediate

 

=== Designing a national defense strategy for DDoS applications and volume attacks ===
'''''Mirit Kagarlitsky, Head of System Analysis, Israeli National Cyber Bureau '''''

DDoS attacks exploit vulnerabilities in different protocol stack layers, from the application layer and downward. These attacks undermine the availability of various services, some of which transcend the local interest of the compromised organization, bearing broader consequences.
Designing a national defense strategy for DDoS attacks has advantages, since the state has both the interest and the capacity to devise large-scale technological solutions of security from targeted attacks on critical services as well as from cumulative damage in this realm. The problem is that there is a wide spectrum of solutions and possible network locations for state intervention: services entry point, ISPs, cloud-based approaches and more; every solution should be analyzed from a national standpoint.
Our work examines when and where should the state take action in the realm, ranging from the individual organization to the ISP level. We also suggest how its accumulated benefit should be assessed in order to evaluate the overall effectiveness of the national strategy.

 
Speaker Bio

Mirit Kagarlitsky holds a B.Sc. in physics and mathematics from the Hebrew University in Jerusalem and is in the process of completion of M.Sc. in Statistics from Tel Aviv University. She has vast experience with operations research and system analysis in various fields, as an analyst and as a team leader. Today she work as the head of system analysis in the Israeli National Cyber Bureau.

 
Technical Level: Introduction

 

=== Enhancing Web Application Defense Using Big Data ===
''''' Or Katz, Principal Security Researcher, Akamai Technologies '''''

In recent years Big Data has become a commonly used technology in many products, in this presentation I will unveil practical examples on how we can improve web application defenses by using Big Data. Using Big Data enables us to combine web application filter triggers from multiple data sources. Big data analysis contributes to the improvement and enhances defense tactics. In this presentation I will show some examples such as:
* SQLi – detecting malicious users and their level of maliciousness
* Web Scraping – expose scrapers that fly under the radar and what is their target information
* False positives reduction – using Big Data in order to learn how to tune your configuration

 
Speaker Bio

Or Katz has vast expertise in Web Application Firewall technology, working in market leading web application firewall vendors as a web application security researcher.
Mr. Katz is a board member in OWASP Israel chapter, frequent speaker in the chapter conferences and he was also responsible for leading the OWASP Top 10 Hebrew translation project.
Mr. Katz also published several innovative white papers on web applications defensive techniques.

 
Technical Level: Intermediate

 

=== From Obscurity to Pop Culture - Evolution of Application Security ===
''''' Irene Abezgauz, VP Product Management, Quotium'''''

In 1998 the New York Times website was hacked. According to various news sources, the site underwent a thorough security test just two years before and at that point it became clear that 'it might not be sufficient'. Fifteen years later, application security trends talk about APTs, Agile SDLCs and Security Products being commoditized.
In this lecture we review the evolution of application security in the past decade and a half. Examining technology and aspects of security management from the early days of OWASP foundation to present day mobile application security testing as part of the development lifecycle.

 
Speaker Bio

Irene has ten years of experience in information and application security. Focused on application security penetration testing and research she is a builder and breaker of things. She is the Product Manager of Seeker™, the new generation of automatic application security testing, and head of security research activities at Seeker Security (Quotium). Ms. Abezgauz has discovered numerous vulnerabilities and published advisories related to products of leading vendors.

 
Technical Level: Introduction

OWASP Israel 2013 Presentations

2013-10-02T20:26:54Z

Oshezaf: /* Utilizing Popular Websites for Malicious Purposes Using RDI */

= Keynote =

=== Why Are Investors Excited About Cyber Security Startups, Again? ([[media:OWASP_IL_2013_10_OWASP_Ron_Moritz_Why_Are_Investors_Excited_About_Cyber_Security_Startups.pdf‎|download presentation]])‎ ===
'''''Ron Moritz, Consigliere on Venture Strategies, Issues and Trends'''''

Ron will speak about the current state of security startups, the current crop of security problems being solved by startups, and the trends of what solutions investment capital is looking to support.

The Keynote will be in English.

 
Speaker Bio

Ron Moritz is a well-regarded executive with over twenty-five years of broad operational and strategy experience from premier technology companies such as Microsoft (GM, Forefront), Symantec (SVP & CTO), and Computer Associates (SVP, Security Products Business Unit), where he was a member of each company's distinguished corporate or divisional leadership teams.

Having advised C-level executives, boards of directors, venture capitalists and private equity firms on value-creation activities including new markets, acquisition and divestiture strategy, global sourcing of labor, major technology decisions, and eco-system development, Mr. Moritz brings a unique point of view at the intersection of technology, strategy, global markets and finance.

Ron is currently a partner in Aura Coffee, a third-wave coffee roasting company based in Modiin; a member of the Fireblade board of directors; and a mentor Jerusalem-based crowd-funding leader, OurCrowd.

 

= Plenary Sessions =

=== Evolution of online banking attack techniques ===
'''''Amit Klein, CTO, Trusteer'''''

I will survey the evolution of attack techniques against online banking since the mid-2000s till today. This starts with keylogging malware, moves over to screenshooting malware, and finally gets to HTML injection malware (the “Man in the Browser” concept). I will then show several examples of the power of MitB attacks, especially when combined with social engineering, and how this can overcome many security measures such as two-factor authentication and transaction verification.

 
Speaker Bio

As Trusteer’s CTO, Amit Klein manages the company’s security research. Prior to Trusteer, Mr. Klein was Chief Scientist at Cyota Inc. (acquired by RSA Security), a leading provider of layered authentication solutions. In this role, Mr. Klein researched technologies that prevent online fraud, phishing, and pharming and filed several patents in those areas. Prior to this, Mr. Klein worked as Director of Security and Research at Sanctum, Inc. (acquired by Watchfire), where he was responsible for the security architecture of all Sanctum products. Mr. Klein holds a B.Sc. (cum laude) in Mathematics and Physics.
Mr. Klein is a world-renowned security researcher, having published more than thirty articles, papers and technical notes on the topic of Internet security. He was named CTO of the Year by InfoWorld Magazine and has presented at many prestigious conferences including RSA, FSISAC, OWASP and CertConf.

 
Technical Level: Intermediate

 

=== Your mobile device in the service of the malicious hacker (Live Demo) ===
''''' Adi Sharabani, CEO, Skycure '''''

We all developed natural instincts when it comes to protecting our physical space. We all know to look to the sides before crossing the road, and we all have some capabilities to assess current risks and make decisions accordingly. However, when it comes to using our mobile devices in the cyber era, these instincts have not yet evolved. People and organizations are at risk, and do not have an understanding how to assess or mitigate them. On top of that, current protection solutions provide inadequate protection against these threats. The organizational need to support mobile devices for business related activity created a huge gap in securing the organization. Adi Sharabani's keynote will highlight some of these threats via a live demonstration of a mobile hacking activity. The audience will be able to opt in for the demo, reflecting how easy it is for a hacker to hack into remote devices.

 
Speaker Bio

Mr. Adi Sharabani is a world-class security expert and the CEO of Skycure, a start-up that focuses on providing firewall solutions for mobile devices. Formerly, Adi led the security of IBM software products. He came to IBM through the Watchfire acquisition, a start-up company which was a pioneer in the field of application security. Among his roles, Adi built and led the Watchfire’s security group. Adi has written many patents in the security space, and his works have been presented in many known conferences such as BlackHat, RSA, OWASP, Innovate, Herzliya Conference and many more; his presentations and keynotes are constantly being ranked as best presentations of most conferences he presents at. Adi is also a fellow at Prof. Yuval Ne’eman’s workshop. In his spare time, Adi teaches at Ohel-Shem high school, and is a part of the vision and implementation of the cyber-defense curriculum for high school students, a vision that is now being implemented in Israel.

 
Technical Level: Introduction

 
= Track A =

=== Get Ready for the Next Big Wave of Attacks: Hacking of Leading CMS Systems ===
'''''Maty Siman, CTO, Checkmarx'''''

The flow of this talk is given by – you! Before this talk, we emailed the audience to provide us with their favorite WordPress plugins that they would like to test for security. In a live demo, we assess the security of the requested plugins. Previous similar trials that we performed on WordPress showed that 30% of the top 50 most downloaded plugins were vulnerable to common Web attacks. What will be the results of this experiment?

As we’ll continue to show, assessing the security posture of a plugin is only the hacker’s first step in mass attacks. As opposed to past mass SQL Injection attacks which leveraged tools such as SQLMap, these next wave of attacks do not focus on the site’s platform or customized development code. Rather, these attacks leverage on the increasing popularity of CMS platforms such as WordPress and Joomla. The maturity, prevalence and market penetration of CMS platforms allow any marketing, sales or HR individual to easily set up their own fully-operational site. Accordingly, CMS apps are flourishing – and so are the vulnerabilities in these apps.

 
Speaker Bio

Maty is the CTO and founder of Checkmarx. Maty has more than a decade of experience in software development, IT security and source-code analysis. An authoritative figure in application security, Maty is regularly interviewed by the media on security-breaking news and frequently speaks at various IT security conferences. Prior to founding Checkmarx, Maty worked for two years at the Israeli Prime Minister’s Office as a senior IT security expert and project manager. Prior to that, he spent six years with the Israeli Defense Forces (IDF), where he established and led a development team in the IDF’s Information Security Center.

 
Technical Level: Intermediate

 

=== Utilizing Popular Websites for Malicious Purposes Using RDI ([[Media:OWASP IL 2013 10 Chechik Davidi Utilizing Popular Websites for Malicious Purposes Using RDI.pdf|download presentation]])‎===
'''''Daniel Chechik, Security Researcher, Trustwave SpiderLabs''''' 
'''''Anat Davidi, Security Researcher, Trustwave SpiderLabs'''''

Reflected DOM Injection is a new attack vector first presented at the DefCon 21 conference in July. We will explain the technique and show a live demo where we use it to hide malicious code within popular and trusted websites. For those of you who are interested in RDI but couldn’t make it to DefCon, we are bringing the talk to you!

The introduction of this session will briefly review the struggle between malicious websites and security products. We will explain the issues of hosting a malicious website and the techniques security vendors use in order to block them.
We will then present our new technique to avoid detection and proceed to explain all parts of it in-depth. A full demo of the attack from beginning to end will be included.
common and known services published by popular websites will be used in order to dynamically construct an attack hosted for us by these services.
Finally, we will add a layer of defense to our attack, and generate malicious code which will become practically invisible to dynamic analysis engines and thus evade most of today's security engines and technologies.

 
Speaker Bio

Daniel Chechik is a veteran security researcher at Trustwave's SpiderLabs. Among other things, he specializes in malware analysis, web exploits detection, Trojan and botnet detection and neutralizing and defining security requirements for the Secure Web Gateway product.
Prior to that, Daniel served in a technological unit as a security specialist in the IDF. During the service, Daniel specialized in CheckPoint Firewall equipment, AntiVirus products and other IT security products.
Daniel, among other things, has spoken at the RSA conference, DefCon, holds CEH and CCSE certificates and has a patent pending for 'Detecting Malware Communication on an Infected Computing Device'.

Anat Davidi is a security researcher at Trustwave's SpiderLabs. Her role includes vulnerability analysis, malware analysis and developing detection logic for the Secure Web Gateway product.
Prior to that, Anat worked as a security consultant providing security reviews and penetration tests for organizations in various business sectors, ranging from banks and insurance companies to hi-tech corporations. Amongst other things, Anat has spoken at the RSA conference, DefCon.

 
Technical Level: Intermediate

 

=== Invisibility Purge - Manipulating Properties Of Invisible & Dormant Asp.Net Controls ===
'''''Shay Chen, CTO, Ernst & Young (Hacktics)'''''

Server-Side Web Controls became popular components in modern web application frameworks.
In addition to the development benefits of these components provide, they are also protected using a variety of security mechanisms, including digital signatures, content access restrictions and even invisibility.
However, developers that use these components improperly can expose the application to a variety of different attacks that can be executed despite, and sometimes due to the existence of security mechanisms.
The presentation will demonstrate several new methods that attackers can harness to bypass security mechanism, manipulate server control properties and identify, enumerate and activate events of dormant server web controls, in popular platforms such as ASP.Net, JSF and Mono.

 
Speaker Bio

Shay Chen is the CTO of Hacktics, an advanced security center of Ernst & Young.

As a victim of the law of familiarity, a decade of exposure to common vulnerabilities was enough to shift his focus to abnormal hacking methodologies and new attack vectors.

He is also a prominent blogger and researcher, and is responsible for many security publications, including new application-level attacks, testing methodologies and open source projects.
As the co-author of the platforms "Diviner", "SCIP" and "WAVSEP" he was involved in the publication of several large-scale researches in the field of automated security scanners.

Shay is an experienced speaker, has been instructing a variety of information security courses for the past 8 years, and had multiple appearances in international conferences, including Blackhat, Hacktivity, AppSecUSA and others.

 
Technical Level: Advanced

 

=== The ReFrameworker Android runtime manipulator – pentesting Android apps like a king ===
'''''Erez Metula, AppSec Labs'''''

ReFrameworker is a new exiting addition to the AppUse pentest VM which we just released at recent BlackHat USA, targeting Android applications. With ReFrameworker, we can manipulate Android applications to make our life as pentesters a lot more easier. Does the app you test insists to be used only for a particular IMEI or phone number? Or does it break on invalidated certificates when you try to SSL MitM it using a proxy? No problem! With ReFrameworker, you can just give a new behavior to any runtime method you'd like, like disabling verifications, controlling return values, and so on. Snooping on local SQL queries or encryption keys? ReFrameworker gives you a proxy for local variables so you can changes important or sensitive values on the fly.
The idea is that we'd built a new Android ROM for the sole purpose of pentesting Android apps, loaded with hooks at important places inside the Dalvik runtime. During this talk we'll witness the power of ReFrameworker, we'll learn how to use it, how it was implemented and how it can be extended.

 
Speaker Bio

Erez Metula Author of the book "Managed Code Rootkits", is a world renowned application security expert. Erez has extensive hands-on experience performing security assessments, code reviews and secure development trainings for worldwide organizations, and had previously talked at international security conferences such as BlackHat, Defcon, OWASP, RSA, SOURCE, CanSecWest and more. He is the founder of AppSec Labs, where he focuses on advanced application security topics. Erez holds an MSc in computer science and he is CISSP.

 
Technical Level: Advanced

 

=== A Game of Pwns: Pwning iPhone application security assessment using the iNalyzer framework ===
'''''Chilik Tamir, Chief Scientist, AppSec Labs'''''

iNalyzer is an open-source free to use pen-testing framework I have recently updated for BlackHat USA, targeting iPhone applications. In the following presentation I will present my latest research on a new approach to performing security assessments of iOS applications utilizing the iNalyzer. The presentation will include live demonstration of using iNalyzer to transform a tedious black-box penetration testing into an exciting gray-box effort.
The talk will cover some of the problems with testing iOS applications, and present a wider picture of the testing process for different applications using iNalyzer, from the point of view of the tester, and how to handle the difficulties that may ensue.
* You will learn how to utilize iNalyzer to bind the power of regular web vulnerability scanner - such as Zap, Burp or AppScan into the exciting world of iOS penetration testing.
* You will learn how to fill in the gaps and use iNalyzer in your IDA reversing effort when testing.
* You will learn how to manipulate iPhone applications to make our life as pen-testers a lot easier using iNalyzer.

 
Speaker Bio

Chilik Tamir is an information security expert with over two decades of experience in training, research, development, testing and consulting in the field of applicative information security for clients in the fields of finance, security, government offices and corporations. His latest research - the iOS iNalyzer is an open-source iOS application Penetration Testing Dashboard. Among his previous publications you will find AppUse – a testing environment for Android applications developed together with Erez Metula; Belch – an automatic tool for analysis and testing of binary protocols such as Flex and Java-Serialization; Chilik is an experienced security trainer and speaker with previous talks and training in security conferences such as BlackHat USA, HITB Amsterdam, OWASP Israel as well as training in cooperations such as Intel, HP, Cisco, Amdocs, Verint, RedBend and others. He is the Chief Scientist at AppSec Labs, where he acts as head of R&D and innovation. Chilik holds an Biomedical Engineering B.Sc. degree.

 
Technical Level: Advanced

 

=== Automatic trust based segregation for content providers on mobile devices ===
'''''Oren Poleg, IDC'''''

In this work we have designed and developed a modification to the Android Content Providers that allows us to impose access restrictions on the sensitive data items they contain (such as contacts, calendar events) .

We have developed lightweight solution that is compatible with the current Android design (so it can be easily integrated with the current Android implementation) that creates separation between different types of sensitive data, also separating them from the non-sensitive information in Android content providers. We allow the device owner to view the data in a unified manner, while 3rd party applications will be allowed access only to content created by them or that they were granted permission to view.

User interaction is not required for the security decisions. Instead, we are defining trust relationship between the data and the applications, in which the owner of the data can delegate access permissions to the applications.

This approach will enable organization to store sensitive information on the device content providers, allow the user to easily access it from the organizational applications as well as from system applications while preventing its leakage through other 3rd party applications
While developed for Android, the concept can be implemented on other mobile devices, such as iPhone and Windows Phone.

 
Speaker Bio

Oren Poleg is a mobile platforms expert, with more than 10 years in the mobile platforms space.
As a team leader in (the Former) Sun Microsystems, Oren was responsible to the integration of Java VM into mobile devices, later to be followed with and research of smart phone infrastructures
Currently Oren is a working as a Consultant, dealing with Android Devices, Smart TVs and Network Security.

 
Technical Level: Intermediate/Advanced

 
= Track B =

=== Web Application Forensics ===
'''''Renana Friedlich, Forensic Department Leader, Ernst and Young (Hacktics)'''''

Most organizations are not aware of successful application-level attacks, until it's too late.
Application penetration tests don't provide information on attacks that ALREADY occurred, on attacks are CURRENTLY in progress, on failed attempts, or even on the actual impact.
Organizations usually rely on security products such as WAF and IDS to locate hacking incidents, but what about attacks that slipped pass the WAF?
What about attacks with a pattern that the IDS did not recognize? What about organizations that implemented these products too late, or not at all?
That's where Web Application Proactive Forensics comes in - A collection of detailed methodologies for locating evidence of attacks that were performed and/or exploited, including attacks listed in OWASP testing guide, WASC and CWE.

 
Speaker Bio

Renana Friedlich is the Forensic Department Leader at Hacktics, an advanced security center of EY. Renana specializes in forensic investigations, developing incident response, malware assessments, and escorting start-up companies in implementing forensic methodologies into their products.
Prior to working at Hacktics, she served at the intelligence corps for seven years, and has over nine years of experience in the information security field.
In recent years, Renana was a frequent speaker in the government sector and had multiple appearances in public conferences, including OWASP, annual risk management conferences, and universities. She also regularly instructs forensic and incident response courses in universities and clients from various industries.

 
Technical Level: Intermediate

 

=== STDD - The protection you REALLY need ([[Media:OWASP_IL_2013_10_Nir_Valtman_STDD.pdf|download presentation]])‎ ===
''''' Nir Valtman, R&D CSO, Retalix ''''' 
''''' Alex Linder, Solution Architect, Retalix '''''

Today in the agile world, many streams based on Acceptance Test Driven Development (ATDD). In this presentation we are going to demonstrate how to reuse this concept in context of security. In addition, this presentation includes common scenarios from attacker's point of view as well as the defender should think. Needless to mention, we have many demos...

 
Speaker Bio

Nir is employed in Retalix as R&D CSO. Before this position he worked as chief security architect, senior technology consultant, application security consultant, system security consultant and a technological trainer. As part of his positions, Nir didn't only consulting, but also performed hands-on activities in various fields, e.g. hardening, penetration testing and development for personal\internal applications. 
Nir has a BSc in computer science but his knowledge is based mainly on cowboy learning and information sharing with the techno-oriented communities. 
Blog: http://www.valtman.org

Alex is a technology geek, likes to research and play with new stuff. Alex is a highly experienced Solution Architect specializing in Software, middleware and APIs. 
Alex has more than 14 years of experience and performed vast roles in the Israeli market such as VP Professional services, Group manager, Solution Architect, Dev team leader and Senior consultant. 
Currently working as a solution architect of large scale R&D firm with cutting edge technologies. 
Blog: http://linderalex.blogspot.co.il/

 
Technical Level: Intermediate / Advanced

 

=== Spam, Death Threats, and Other Abuses of Online Communities ([[Media:OWASP_IL_2013_10_Avi_Douglan_Spam-DeathThreats-Abuse-OnlineCommunities.pdf‎|download presentation]])‎ ===
'''''Avi Douglen, Security Architect, Independant'''''

Many contemporary websites are based on so-called “User Generated Content” (aka UGC). Furthermore, many sites oriented around a community of users enable users to interact with each other, via the site. Sites like Wikipedia and StackOverflow allow users to freely edit pages visible to all users, popular discussion forums are based on continuous postings of content by users, and social networks such as Facebook encourage users to constantly add their own rich data to the site for others’ consumption.

Aside from the usual web attacks common to all user input on websites, such as XSS and SQL Injection, there are some forms of attacks or abuse that are specific to sites such as these. Some of them are purely technical, some of them are social in nature and just take advantage of the available technology. These are often exacerbated by the scope and huge amount of traffic to these sites, and take advantage of the network effect.

The talk will be based in a large part on the speaker’s experience on the Stack Exchange network of sites, but will also compare to the models prevalent on other popular sites. We will discuss some of the aspects particular to these platforms, and show how even the more “boring” of these attacks can sometimes be interesting depending on the situation. We will also see some of the stranger happenings that occur on a large site. Finally, we will discuss and compare some of the different models that these huge websites use to limit the damage.
We will of course focus on what is both these sites’ biggest weakness, and greatest strength - the community.

 
Speaker Bio

Avi Douglen had a CISSP before it was popular, but he is not a hipster. Avi is a high-end, independent security architect and developer, and has been designing, developing and testing secure applications, and leading development teams in building secure products, for over 15 years. Avi is also a Community Moderator (volunteer basis) on Stack Exchange’s fantastic Information Security site (http://security.stackexchange.com), sister site to Stack Overflow. As a moderator, and as an active user on several other Stack Exchange sites, he has spent a lot of time handling these types of attacks, and has had the opportunity to see up close, what works, what doesn’t, and what can scale to millions of users.

 
Technical Level: Introductory

 

=== Delivering Security in Continuous Delivery Environment ===
''''' Yaniv Simsolo, Senior Consultant, Comsec Consulting'''''

Moving from traditional development environment to Agile environment, creates many a challenge to the security of the organization and developed system. Moving from Agile development environment towards Continuous Delivery environment ups the stakes.
We will venture in to the challenges of delivering security in Continuous Delivery environment, and test whether in-depth security is achievable.
Relying on industry evidences, a unique approach to the evolvement of security under Continuous Delivery development environment will be presented.

 
Speaker Bio

Yaniv Simsolo, CISSP, Senior IT Security Professional. A consultant in application security from 2004, and an expert of security of compound and enterprise scale systems.

 
Technical Level: Intermediate

 

=== Designing a national defense strategy for DDoS applications and volume attacks ===
'''''Mirit Kagarlitsky, Head of System Analysis, Israeli National Cyber Bureau '''''

DDoS attacks exploit vulnerabilities in different protocol stack layers, from the application layer and downward. These attacks undermine the availability of various services, some of which transcend the local interest of the compromised organization, bearing broader consequences.
Designing a national defense strategy for DDoS attacks has advantages, since the state has both the interest and the capacity to devise large-scale technological solutions of security from targeted attacks on critical services as well as from cumulative damage in this realm. The problem is that there is a wide spectrum of solutions and possible network locations for state intervention: services entry point, ISPs, cloud-based approaches and more; every solution should be analyzed from a national standpoint.
Our work examines when and where should the state take action in the realm, ranging from the individual organization to the ISP level. We also suggest how its accumulated benefit should be assessed in order to evaluate the overall effectiveness of the national strategy.

 
Speaker Bio

Mirit Kagarlitsky holds a B.Sc. in physics and mathematics from the Hebrew University in Jerusalem and is in the process of completion of M.Sc. in Statistics from Tel Aviv University. She has vast experience with operations research and system analysis in various fields, as an analyst and as a team leader. Today she work as the head of system analysis in the Israeli National Cyber Bureau.

 
Technical Level: Introduction

 

=== Enhancing Web Application Defense Using Big Data ===
''''' Or Katz, Principal Security Researcher, Akamai Technologies '''''

In recent years Big Data has become a commonly used technology in many products, in this presentation I will unveil practical examples on how we can improve web application defenses by using Big Data. Using Big Data enables us to combine web application filter triggers from multiple data sources. Big data analysis contributes to the improvement and enhances defense tactics. In this presentation I will show some examples such as:
* SQLi – detecting malicious users and their level of maliciousness
* Web Scraping – expose scrapers that fly under the radar and what is their target information
* False positives reduction – using Big Data in order to learn how to tune your configuration

 
Speaker Bio

Or Katz has vast expertise in Web Application Firewall technology, working in market leading web application firewall vendors as a web application security researcher.
Mr. Katz is a board member in OWASP Israel chapter, frequent speaker in the chapter conferences and he was also responsible for leading the OWASP Top 10 Hebrew translation project.
Mr. Katz also published several innovative white papers on web applications defensive techniques.

 
Technical Level: Intermediate

 

=== From Obscurity to Pop Culture - Evolution of Application Security ===
''''' Irene Abezgauz, VP Product Management, Quotium'''''

In 1998 the New York Times website was hacked. According to various news sources, the site underwent a thorough security test just two years before and at that point it became clear that 'it might not be sufficient'. Fifteen years later, application security trends talk about APTs, Agile SDLCs and Security Products being commoditized.
In this lecture we review the evolution of application security in the past decade and a half. Examining technology and aspects of security management from the early days of OWASP foundation to present day mobile application security testing as part of the development lifecycle.

 
Speaker Bio

Irene has ten years of experience in information and application security. Focused on application security penetration testing and research she is a builder and breaker of things. She is the Product Manager of Seeker™, the new generation of automatic application security testing, and head of security research activities at Seeker Security (Quotium). Ms. Abezgauz has discovered numerous vulnerabilities and published advisories related to products of leading vendors.

 
Technical Level: Introduction

OWASP Israel 2013 Presentations

2013-10-02T20:26:09Z

Oshezaf: /* Why Are Investors Excited About Cyber Security Startups, Again? (download presentation)‎ */

= Keynote =

=== Why Are Investors Excited About Cyber Security Startups, Again? ([[media:OWASP_IL_2013_10_OWASP_Ron_Moritz_Why_Are_Investors_Excited_About_Cyber_Security_Startups.pdf‎|download presentation]])‎ ===
'''''Ron Moritz, Consigliere on Venture Strategies, Issues and Trends'''''

Ron will speak about the current state of security startups, the current crop of security problems being solved by startups, and the trends of what solutions investment capital is looking to support.

The Keynote will be in English.

 
Speaker Bio

Ron Moritz is a well-regarded executive with over twenty-five years of broad operational and strategy experience from premier technology companies such as Microsoft (GM, Forefront), Symantec (SVP & CTO), and Computer Associates (SVP, Security Products Business Unit), where he was a member of each company's distinguished corporate or divisional leadership teams.

Having advised C-level executives, boards of directors, venture capitalists and private equity firms on value-creation activities including new markets, acquisition and divestiture strategy, global sourcing of labor, major technology decisions, and eco-system development, Mr. Moritz brings a unique point of view at the intersection of technology, strategy, global markets and finance.

Ron is currently a partner in Aura Coffee, a third-wave coffee roasting company based in Modiin; a member of the Fireblade board of directors; and a mentor Jerusalem-based crowd-funding leader, OurCrowd.

 

= Plenary Sessions =

=== Evolution of online banking attack techniques ===
'''''Amit Klein, CTO, Trusteer'''''

I will survey the evolution of attack techniques against online banking since the mid-2000s till today. This starts with keylogging malware, moves over to screenshooting malware, and finally gets to HTML injection malware (the “Man in the Browser” concept). I will then show several examples of the power of MitB attacks, especially when combined with social engineering, and how this can overcome many security measures such as two-factor authentication and transaction verification.

 
Speaker Bio

As Trusteer’s CTO, Amit Klein manages the company’s security research. Prior to Trusteer, Mr. Klein was Chief Scientist at Cyota Inc. (acquired by RSA Security), a leading provider of layered authentication solutions. In this role, Mr. Klein researched technologies that prevent online fraud, phishing, and pharming and filed several patents in those areas. Prior to this, Mr. Klein worked as Director of Security and Research at Sanctum, Inc. (acquired by Watchfire), where he was responsible for the security architecture of all Sanctum products. Mr. Klein holds a B.Sc. (cum laude) in Mathematics and Physics.
Mr. Klein is a world-renowned security researcher, having published more than thirty articles, papers and technical notes on the topic of Internet security. He was named CTO of the Year by InfoWorld Magazine and has presented at many prestigious conferences including RSA, FSISAC, OWASP and CertConf.

 
Technical Level: Intermediate

 

=== Your mobile device in the service of the malicious hacker (Live Demo) ===
''''' Adi Sharabani, CEO, Skycure '''''

We all developed natural instincts when it comes to protecting our physical space. We all know to look to the sides before crossing the road, and we all have some capabilities to assess current risks and make decisions accordingly. However, when it comes to using our mobile devices in the cyber era, these instincts have not yet evolved. People and organizations are at risk, and do not have an understanding how to assess or mitigate them. On top of that, current protection solutions provide inadequate protection against these threats. The organizational need to support mobile devices for business related activity created a huge gap in securing the organization. Adi Sharabani's keynote will highlight some of these threats via a live demonstration of a mobile hacking activity. The audience will be able to opt in for the demo, reflecting how easy it is for a hacker to hack into remote devices.

 
Speaker Bio

Mr. Adi Sharabani is a world-class security expert and the CEO of Skycure, a start-up that focuses on providing firewall solutions for mobile devices. Formerly, Adi led the security of IBM software products. He came to IBM through the Watchfire acquisition, a start-up company which was a pioneer in the field of application security. Among his roles, Adi built and led the Watchfire’s security group. Adi has written many patents in the security space, and his works have been presented in many known conferences such as BlackHat, RSA, OWASP, Innovate, Herzliya Conference and many more; his presentations and keynotes are constantly being ranked as best presentations of most conferences he presents at. Adi is also a fellow at Prof. Yuval Ne’eman’s workshop. In his spare time, Adi teaches at Ohel-Shem high school, and is a part of the vision and implementation of the cyber-defense curriculum for high school students, a vision that is now being implemented in Israel.

 
Technical Level: Introduction

 
= Track A =

=== Get Ready for the Next Big Wave of Attacks: Hacking of Leading CMS Systems ===
'''''Maty Siman, CTO, Checkmarx'''''

The flow of this talk is given by – you! Before this talk, we emailed the audience to provide us with their favorite WordPress plugins that they would like to test for security. In a live demo, we assess the security of the requested plugins. Previous similar trials that we performed on WordPress showed that 30% of the top 50 most downloaded plugins were vulnerable to common Web attacks. What will be the results of this experiment?

As we’ll continue to show, assessing the security posture of a plugin is only the hacker’s first step in mass attacks. As opposed to past mass SQL Injection attacks which leveraged tools such as SQLMap, these next wave of attacks do not focus on the site’s platform or customized development code. Rather, these attacks leverage on the increasing popularity of CMS platforms such as WordPress and Joomla. The maturity, prevalence and market penetration of CMS platforms allow any marketing, sales or HR individual to easily set up their own fully-operational site. Accordingly, CMS apps are flourishing – and so are the vulnerabilities in these apps.

 
Speaker Bio

Maty is the CTO and founder of Checkmarx. Maty has more than a decade of experience in software development, IT security and source-code analysis. An authoritative figure in application security, Maty is regularly interviewed by the media on security-breaking news and frequently speaks at various IT security conferences. Prior to founding Checkmarx, Maty worked for two years at the Israeli Prime Minister’s Office as a senior IT security expert and project manager. Prior to that, he spent six years with the Israeli Defense Forces (IDF), where he established and led a development team in the IDF’s Information Security Center.

 
Technical Level: Intermediate

 

=== Utilizing Popular Websites for Malicious Purposes Using RDI ===
'''''Daniel Chechik, Security Researcher, Trustwave SpiderLabs''''' 
'''''Anat Davidi, Security Researcher, Trustwave SpiderLabs'''''

Reflected DOM Injection is a new attack vector first presented at the DefCon 21 conference in July. We will explain the technique and show a live demo where we use it to hide malicious code within popular and trusted websites. For those of you who are interested in RDI but couldn’t make it to DefCon, we are bringing the talk to you!

The introduction of this session will briefly review the struggle between malicious websites and security products. We will explain the issues of hosting a malicious website and the techniques security vendors use in order to block them.
We will then present our new technique to avoid detection and proceed to explain all parts of it in-depth. A full demo of the attack from beginning to end will be included.
common and known services published by popular websites will be used in order to dynamically construct an attack hosted for us by these services.
Finally, we will add a layer of defense to our attack, and generate malicious code which will become practically invisible to dynamic analysis engines and thus evade most of today's security engines and technologies.

 
Speaker Bio

Daniel Chechik is a veteran security researcher at Trustwave's SpiderLabs. Among other things, he specializes in malware analysis, web exploits detection, Trojan and botnet detection and neutralizing and defining security requirements for the Secure Web Gateway product.
Prior to that, Daniel served in a technological unit as a security specialist in the IDF. During the service, Daniel specialized in CheckPoint Firewall equipment, AntiVirus products and other IT security products.
Daniel, among other things, has spoken at the RSA conference, DefCon, holds CEH and CCSE certificates and has a patent pending for 'Detecting Malware Communication on an Infected Computing Device'.

Anat Davidi is a security researcher at Trustwave's SpiderLabs. Her role includes vulnerability analysis, malware analysis and developing detection logic for the Secure Web Gateway product.
Prior to that, Anat worked as a security consultant providing security reviews and penetration tests for organizations in various business sectors, ranging from banks and insurance companies to hi-tech corporations. Amongst other things, Anat has spoken at the RSA conference, DefCon.

 
Technical Level: Intermediate

 

=== Invisibility Purge - Manipulating Properties Of Invisible & Dormant Asp.Net Controls ===
'''''Shay Chen, CTO, Ernst & Young (Hacktics)'''''

Server-Side Web Controls became popular components in modern web application frameworks.
In addition to the development benefits of these components provide, they are also protected using a variety of security mechanisms, including digital signatures, content access restrictions and even invisibility.
However, developers that use these components improperly can expose the application to a variety of different attacks that can be executed despite, and sometimes due to the existence of security mechanisms.
The presentation will demonstrate several new methods that attackers can harness to bypass security mechanism, manipulate server control properties and identify, enumerate and activate events of dormant server web controls, in popular platforms such as ASP.Net, JSF and Mono.

 
Speaker Bio

Shay Chen is the CTO of Hacktics, an advanced security center of Ernst & Young.

As a victim of the law of familiarity, a decade of exposure to common vulnerabilities was enough to shift his focus to abnormal hacking methodologies and new attack vectors.

He is also a prominent blogger and researcher, and is responsible for many security publications, including new application-level attacks, testing methodologies and open source projects.
As the co-author of the platforms "Diviner", "SCIP" and "WAVSEP" he was involved in the publication of several large-scale researches in the field of automated security scanners.

Shay is an experienced speaker, has been instructing a variety of information security courses for the past 8 years, and had multiple appearances in international conferences, including Blackhat, Hacktivity, AppSecUSA and others.

 
Technical Level: Advanced

 

=== The ReFrameworker Android runtime manipulator – pentesting Android apps like a king ===
'''''Erez Metula, AppSec Labs'''''

ReFrameworker is a new exiting addition to the AppUse pentest VM which we just released at recent BlackHat USA, targeting Android applications. With ReFrameworker, we can manipulate Android applications to make our life as pentesters a lot more easier. Does the app you test insists to be used only for a particular IMEI or phone number? Or does it break on invalidated certificates when you try to SSL MitM it using a proxy? No problem! With ReFrameworker, you can just give a new behavior to any runtime method you'd like, like disabling verifications, controlling return values, and so on. Snooping on local SQL queries or encryption keys? ReFrameworker gives you a proxy for local variables so you can changes important or sensitive values on the fly.
The idea is that we'd built a new Android ROM for the sole purpose of pentesting Android apps, loaded with hooks at important places inside the Dalvik runtime. During this talk we'll witness the power of ReFrameworker, we'll learn how to use it, how it was implemented and how it can be extended.

 
Speaker Bio

Erez Metula Author of the book "Managed Code Rootkits", is a world renowned application security expert. Erez has extensive hands-on experience performing security assessments, code reviews and secure development trainings for worldwide organizations, and had previously talked at international security conferences such as BlackHat, Defcon, OWASP, RSA, SOURCE, CanSecWest and more. He is the founder of AppSec Labs, where he focuses on advanced application security topics. Erez holds an MSc in computer science and he is CISSP.

 
Technical Level: Advanced

 

=== A Game of Pwns: Pwning iPhone application security assessment using the iNalyzer framework ===
'''''Chilik Tamir, Chief Scientist, AppSec Labs'''''

iNalyzer is an open-source free to use pen-testing framework I have recently updated for BlackHat USA, targeting iPhone applications. In the following presentation I will present my latest research on a new approach to performing security assessments of iOS applications utilizing the iNalyzer. The presentation will include live demonstration of using iNalyzer to transform a tedious black-box penetration testing into an exciting gray-box effort.
The talk will cover some of the problems with testing iOS applications, and present a wider picture of the testing process for different applications using iNalyzer, from the point of view of the tester, and how to handle the difficulties that may ensue.
* You will learn how to utilize iNalyzer to bind the power of regular web vulnerability scanner - such as Zap, Burp or AppScan into the exciting world of iOS penetration testing.
* You will learn how to fill in the gaps and use iNalyzer in your IDA reversing effort when testing.
* You will learn how to manipulate iPhone applications to make our life as pen-testers a lot easier using iNalyzer.

 
Speaker Bio

Chilik Tamir is an information security expert with over two decades of experience in training, research, development, testing and consulting in the field of applicative information security for clients in the fields of finance, security, government offices and corporations. His latest research - the iOS iNalyzer is an open-source iOS application Penetration Testing Dashboard. Among his previous publications you will find AppUse – a testing environment for Android applications developed together with Erez Metula; Belch – an automatic tool for analysis and testing of binary protocols such as Flex and Java-Serialization; Chilik is an experienced security trainer and speaker with previous talks and training in security conferences such as BlackHat USA, HITB Amsterdam, OWASP Israel as well as training in cooperations such as Intel, HP, Cisco, Amdocs, Verint, RedBend and others. He is the Chief Scientist at AppSec Labs, where he acts as head of R&D and innovation. Chilik holds an Biomedical Engineering B.Sc. degree.

 
Technical Level: Advanced

 

=== Automatic trust based segregation for content providers on mobile devices ===
'''''Oren Poleg, IDC'''''

In this work we have designed and developed a modification to the Android Content Providers that allows us to impose access restrictions on the sensitive data items they contain (such as contacts, calendar events) .

We have developed lightweight solution that is compatible with the current Android design (so it can be easily integrated with the current Android implementation) that creates separation between different types of sensitive data, also separating them from the non-sensitive information in Android content providers. We allow the device owner to view the data in a unified manner, while 3rd party applications will be allowed access only to content created by them or that they were granted permission to view.

User interaction is not required for the security decisions. Instead, we are defining trust relationship between the data and the applications, in which the owner of the data can delegate access permissions to the applications.

This approach will enable organization to store sensitive information on the device content providers, allow the user to easily access it from the organizational applications as well as from system applications while preventing its leakage through other 3rd party applications
While developed for Android, the concept can be implemented on other mobile devices, such as iPhone and Windows Phone.

 
Speaker Bio

Oren Poleg is a mobile platforms expert, with more than 10 years in the mobile platforms space.
As a team leader in (the Former) Sun Microsystems, Oren was responsible to the integration of Java VM into mobile devices, later to be followed with and research of smart phone infrastructures
Currently Oren is a working as a Consultant, dealing with Android Devices, Smart TVs and Network Security.

 
Technical Level: Intermediate/Advanced

 
= Track B =

=== Web Application Forensics ===
'''''Renana Friedlich, Forensic Department Leader, Ernst and Young (Hacktics)'''''

Most organizations are not aware of successful application-level attacks, until it's too late.
Application penetration tests don't provide information on attacks that ALREADY occurred, on attacks are CURRENTLY in progress, on failed attempts, or even on the actual impact.
Organizations usually rely on security products such as WAF and IDS to locate hacking incidents, but what about attacks that slipped pass the WAF?
What about attacks with a pattern that the IDS did not recognize? What about organizations that implemented these products too late, or not at all?
That's where Web Application Proactive Forensics comes in - A collection of detailed methodologies for locating evidence of attacks that were performed and/or exploited, including attacks listed in OWASP testing guide, WASC and CWE.

 
Speaker Bio

Renana Friedlich is the Forensic Department Leader at Hacktics, an advanced security center of EY. Renana specializes in forensic investigations, developing incident response, malware assessments, and escorting start-up companies in implementing forensic methodologies into their products.
Prior to working at Hacktics, she served at the intelligence corps for seven years, and has over nine years of experience in the information security field.
In recent years, Renana was a frequent speaker in the government sector and had multiple appearances in public conferences, including OWASP, annual risk management conferences, and universities. She also regularly instructs forensic and incident response courses in universities and clients from various industries.

 
Technical Level: Intermediate

 

=== STDD - The protection you REALLY need ([[Media:OWASP_IL_2013_10_Nir_Valtman_STDD.pdf|download presentation]])‎ ===
''''' Nir Valtman, R&D CSO, Retalix ''''' 
''''' Alex Linder, Solution Architect, Retalix '''''

Today in the agile world, many streams based on Acceptance Test Driven Development (ATDD). In this presentation we are going to demonstrate how to reuse this concept in context of security. In addition, this presentation includes common scenarios from attacker's point of view as well as the defender should think. Needless to mention, we have many demos...

 
Speaker Bio

Nir is employed in Retalix as R&D CSO. Before this position he worked as chief security architect, senior technology consultant, application security consultant, system security consultant and a technological trainer. As part of his positions, Nir didn't only consulting, but also performed hands-on activities in various fields, e.g. hardening, penetration testing and development for personal\internal applications. 
Nir has a BSc in computer science but his knowledge is based mainly on cowboy learning and information sharing with the techno-oriented communities. 
Blog: http://www.valtman.org

Alex is a technology geek, likes to research and play with new stuff. Alex is a highly experienced Solution Architect specializing in Software, middleware and APIs. 
Alex has more than 14 years of experience and performed vast roles in the Israeli market such as VP Professional services, Group manager, Solution Architect, Dev team leader and Senior consultant. 
Currently working as a solution architect of large scale R&D firm with cutting edge technologies. 
Blog: http://linderalex.blogspot.co.il/

 
Technical Level: Intermediate / Advanced

 

=== Spam, Death Threats, and Other Abuses of Online Communities ([[Media:OWASP_IL_2013_10_Avi_Douglan_Spam-DeathThreats-Abuse-OnlineCommunities.pdf‎|download presentation]])‎ ===
'''''Avi Douglen, Security Architect, Independant'''''

Many contemporary websites are based on so-called “User Generated Content” (aka UGC). Furthermore, many sites oriented around a community of users enable users to interact with each other, via the site. Sites like Wikipedia and StackOverflow allow users to freely edit pages visible to all users, popular discussion forums are based on continuous postings of content by users, and social networks such as Facebook encourage users to constantly add their own rich data to the site for others’ consumption.

Aside from the usual web attacks common to all user input on websites, such as XSS and SQL Injection, there are some forms of attacks or abuse that are specific to sites such as these. Some of them are purely technical, some of them are social in nature and just take advantage of the available technology. These are often exacerbated by the scope and huge amount of traffic to these sites, and take advantage of the network effect.

The talk will be based in a large part on the speaker’s experience on the Stack Exchange network of sites, but will also compare to the models prevalent on other popular sites. We will discuss some of the aspects particular to these platforms, and show how even the more “boring” of these attacks can sometimes be interesting depending on the situation. We will also see some of the stranger happenings that occur on a large site. Finally, we will discuss and compare some of the different models that these huge websites use to limit the damage.
We will of course focus on what is both these sites’ biggest weakness, and greatest strength - the community.

 
Speaker Bio

Avi Douglen had a CISSP before it was popular, but he is not a hipster. Avi is a high-end, independent security architect and developer, and has been designing, developing and testing secure applications, and leading development teams in building secure products, for over 15 years. Avi is also a Community Moderator (volunteer basis) on Stack Exchange’s fantastic Information Security site (http://security.stackexchange.com), sister site to Stack Overflow. As a moderator, and as an active user on several other Stack Exchange sites, he has spent a lot of time handling these types of attacks, and has had the opportunity to see up close, what works, what doesn’t, and what can scale to millions of users.

 
Technical Level: Introductory

 

=== Delivering Security in Continuous Delivery Environment ===
''''' Yaniv Simsolo, Senior Consultant, Comsec Consulting'''''

Moving from traditional development environment to Agile environment, creates many a challenge to the security of the organization and developed system. Moving from Agile development environment towards Continuous Delivery environment ups the stakes.
We will venture in to the challenges of delivering security in Continuous Delivery environment, and test whether in-depth security is achievable.
Relying on industry evidences, a unique approach to the evolvement of security under Continuous Delivery development environment will be presented.

 
Speaker Bio

Yaniv Simsolo, CISSP, Senior IT Security Professional. A consultant in application security from 2004, and an expert of security of compound and enterprise scale systems.

 
Technical Level: Intermediate

 

=== Designing a national defense strategy for DDoS applications and volume attacks ===
'''''Mirit Kagarlitsky, Head of System Analysis, Israeli National Cyber Bureau '''''

DDoS attacks exploit vulnerabilities in different protocol stack layers, from the application layer and downward. These attacks undermine the availability of various services, some of which transcend the local interest of the compromised organization, bearing broader consequences.
Designing a national defense strategy for DDoS attacks has advantages, since the state has both the interest and the capacity to devise large-scale technological solutions of security from targeted attacks on critical services as well as from cumulative damage in this realm. The problem is that there is a wide spectrum of solutions and possible network locations for state intervention: services entry point, ISPs, cloud-based approaches and more; every solution should be analyzed from a national standpoint.
Our work examines when and where should the state take action in the realm, ranging from the individual organization to the ISP level. We also suggest how its accumulated benefit should be assessed in order to evaluate the overall effectiveness of the national strategy.

 
Speaker Bio

Mirit Kagarlitsky holds a B.Sc. in physics and mathematics from the Hebrew University in Jerusalem and is in the process of completion of M.Sc. in Statistics from Tel Aviv University. She has vast experience with operations research and system analysis in various fields, as an analyst and as a team leader. Today she work as the head of system analysis in the Israeli National Cyber Bureau.

 
Technical Level: Introduction

 

=== Enhancing Web Application Defense Using Big Data ===
''''' Or Katz, Principal Security Researcher, Akamai Technologies '''''

In recent years Big Data has become a commonly used technology in many products, in this presentation I will unveil practical examples on how we can improve web application defenses by using Big Data. Using Big Data enables us to combine web application filter triggers from multiple data sources. Big data analysis contributes to the improvement and enhances defense tactics. In this presentation I will show some examples such as:
* SQLi – detecting malicious users and their level of maliciousness
* Web Scraping – expose scrapers that fly under the radar and what is their target information
* False positives reduction – using Big Data in order to learn how to tune your configuration

 
Speaker Bio

Or Katz has vast expertise in Web Application Firewall technology, working in market leading web application firewall vendors as a web application security researcher.
Mr. Katz is a board member in OWASP Israel chapter, frequent speaker in the chapter conferences and he was also responsible for leading the OWASP Top 10 Hebrew translation project.
Mr. Katz also published several innovative white papers on web applications defensive techniques.

 
Technical Level: Intermediate

 

=== From Obscurity to Pop Culture - Evolution of Application Security ===
''''' Irene Abezgauz, VP Product Management, Quotium'''''

In 1998 the New York Times website was hacked. According to various news sources, the site underwent a thorough security test just two years before and at that point it became clear that 'it might not be sufficient'. Fifteen years later, application security trends talk about APTs, Agile SDLCs and Security Products being commoditized.
In this lecture we review the evolution of application security in the past decade and a half. Examining technology and aspects of security management from the early days of OWASP foundation to present day mobile application security testing as part of the development lifecycle.

 
Speaker Bio

Irene has ten years of experience in information and application security. Focused on application security penetration testing and research she is a builder and breaker of things. She is the Product Manager of Seeker™, the new generation of automatic application security testing, and head of security research activities at Seeker Security (Quotium). Ms. Abezgauz has discovered numerous vulnerabilities and published advisories related to products of leading vendors.

 
Technical Level: Introduction

OWASP Israel 2013 Presentations

2013-10-02T20:25:51Z

Oshezaf: /* Why Are Investors Excited About Cyber Security Startups, Again? */

= Keynote =

=== Why Are Investors Excited About Cyber Security Startups, Again? ([[OWASP_IL_2013_10_OWASP_Ron_Moritz_Why_Are_Investors_Excited_About_Cyber_Security_Startups.pdf‎|download presentation]])‎ ===
'''''Ron Moritz, Consigliere on Venture Strategies, Issues and Trends'''''

Ron will speak about the current state of security startups, the current crop of security problems being solved by startups, and the trends of what solutions investment capital is looking to support.

The Keynote will be in English.

 
Speaker Bio

Ron Moritz is a well-regarded executive with over twenty-five years of broad operational and strategy experience from premier technology companies such as Microsoft (GM, Forefront), Symantec (SVP & CTO), and Computer Associates (SVP, Security Products Business Unit), where he was a member of each company's distinguished corporate or divisional leadership teams.

Having advised C-level executives, boards of directors, venture capitalists and private equity firms on value-creation activities including new markets, acquisition and divestiture strategy, global sourcing of labor, major technology decisions, and eco-system development, Mr. Moritz brings a unique point of view at the intersection of technology, strategy, global markets and finance.

Ron is currently a partner in Aura Coffee, a third-wave coffee roasting company based in Modiin; a member of the Fireblade board of directors; and a mentor Jerusalem-based crowd-funding leader, OurCrowd.

 

= Plenary Sessions =

=== Evolution of online banking attack techniques ===
'''''Amit Klein, CTO, Trusteer'''''

I will survey the evolution of attack techniques against online banking since the mid-2000s till today. This starts with keylogging malware, moves over to screenshooting malware, and finally gets to HTML injection malware (the “Man in the Browser” concept). I will then show several examples of the power of MitB attacks, especially when combined with social engineering, and how this can overcome many security measures such as two-factor authentication and transaction verification.

 
Speaker Bio

As Trusteer’s CTO, Amit Klein manages the company’s security research. Prior to Trusteer, Mr. Klein was Chief Scientist at Cyota Inc. (acquired by RSA Security), a leading provider of layered authentication solutions. In this role, Mr. Klein researched technologies that prevent online fraud, phishing, and pharming and filed several patents in those areas. Prior to this, Mr. Klein worked as Director of Security and Research at Sanctum, Inc. (acquired by Watchfire), where he was responsible for the security architecture of all Sanctum products. Mr. Klein holds a B.Sc. (cum laude) in Mathematics and Physics.
Mr. Klein is a world-renowned security researcher, having published more than thirty articles, papers and technical notes on the topic of Internet security. He was named CTO of the Year by InfoWorld Magazine and has presented at many prestigious conferences including RSA, FSISAC, OWASP and CertConf.

 
Technical Level: Intermediate

 

=== Your mobile device in the service of the malicious hacker (Live Demo) ===
''''' Adi Sharabani, CEO, Skycure '''''

We all developed natural instincts when it comes to protecting our physical space. We all know to look to the sides before crossing the road, and we all have some capabilities to assess current risks and make decisions accordingly. However, when it comes to using our mobile devices in the cyber era, these instincts have not yet evolved. People and organizations are at risk, and do not have an understanding how to assess or mitigate them. On top of that, current protection solutions provide inadequate protection against these threats. The organizational need to support mobile devices for business related activity created a huge gap in securing the organization. Adi Sharabani's keynote will highlight some of these threats via a live demonstration of a mobile hacking activity. The audience will be able to opt in for the demo, reflecting how easy it is for a hacker to hack into remote devices.

 
Speaker Bio

Mr. Adi Sharabani is a world-class security expert and the CEO of Skycure, a start-up that focuses on providing firewall solutions for mobile devices. Formerly, Adi led the security of IBM software products. He came to IBM through the Watchfire acquisition, a start-up company which was a pioneer in the field of application security. Among his roles, Adi built and led the Watchfire’s security group. Adi has written many patents in the security space, and his works have been presented in many known conferences such as BlackHat, RSA, OWASP, Innovate, Herzliya Conference and many more; his presentations and keynotes are constantly being ranked as best presentations of most conferences he presents at. Adi is also a fellow at Prof. Yuval Ne’eman’s workshop. In his spare time, Adi teaches at Ohel-Shem high school, and is a part of the vision and implementation of the cyber-defense curriculum for high school students, a vision that is now being implemented in Israel.

 
Technical Level: Introduction

 
= Track A =

=== Get Ready for the Next Big Wave of Attacks: Hacking of Leading CMS Systems ===
'''''Maty Siman, CTO, Checkmarx'''''

The flow of this talk is given by – you! Before this talk, we emailed the audience to provide us with their favorite WordPress plugins that they would like to test for security. In a live demo, we assess the security of the requested plugins. Previous similar trials that we performed on WordPress showed that 30% of the top 50 most downloaded plugins were vulnerable to common Web attacks. What will be the results of this experiment?

As we’ll continue to show, assessing the security posture of a plugin is only the hacker’s first step in mass attacks. As opposed to past mass SQL Injection attacks which leveraged tools such as SQLMap, these next wave of attacks do not focus on the site’s platform or customized development code. Rather, these attacks leverage on the increasing popularity of CMS platforms such as WordPress and Joomla. The maturity, prevalence and market penetration of CMS platforms allow any marketing, sales or HR individual to easily set up their own fully-operational site. Accordingly, CMS apps are flourishing – and so are the vulnerabilities in these apps.

 
Speaker Bio

Maty is the CTO and founder of Checkmarx. Maty has more than a decade of experience in software development, IT security and source-code analysis. An authoritative figure in application security, Maty is regularly interviewed by the media on security-breaking news and frequently speaks at various IT security conferences. Prior to founding Checkmarx, Maty worked for two years at the Israeli Prime Minister’s Office as a senior IT security expert and project manager. Prior to that, he spent six years with the Israeli Defense Forces (IDF), where he established and led a development team in the IDF’s Information Security Center.

 
Technical Level: Intermediate

 

=== Utilizing Popular Websites for Malicious Purposes Using RDI ===
'''''Daniel Chechik, Security Researcher, Trustwave SpiderLabs''''' 
'''''Anat Davidi, Security Researcher, Trustwave SpiderLabs'''''

Reflected DOM Injection is a new attack vector first presented at the DefCon 21 conference in July. We will explain the technique and show a live demo where we use it to hide malicious code within popular and trusted websites. For those of you who are interested in RDI but couldn’t make it to DefCon, we are bringing the talk to you!

The introduction of this session will briefly review the struggle between malicious websites and security products. We will explain the issues of hosting a malicious website and the techniques security vendors use in order to block them.
We will then present our new technique to avoid detection and proceed to explain all parts of it in-depth. A full demo of the attack from beginning to end will be included.
common and known services published by popular websites will be used in order to dynamically construct an attack hosted for us by these services.
Finally, we will add a layer of defense to our attack, and generate malicious code which will become practically invisible to dynamic analysis engines and thus evade most of today's security engines and technologies.

 
Speaker Bio

Daniel Chechik is a veteran security researcher at Trustwave's SpiderLabs. Among other things, he specializes in malware analysis, web exploits detection, Trojan and botnet detection and neutralizing and defining security requirements for the Secure Web Gateway product.
Prior to that, Daniel served in a technological unit as a security specialist in the IDF. During the service, Daniel specialized in CheckPoint Firewall equipment, AntiVirus products and other IT security products.
Daniel, among other things, has spoken at the RSA conference, DefCon, holds CEH and CCSE certificates and has a patent pending for 'Detecting Malware Communication on an Infected Computing Device'.

Anat Davidi is a security researcher at Trustwave's SpiderLabs. Her role includes vulnerability analysis, malware analysis and developing detection logic for the Secure Web Gateway product.
Prior to that, Anat worked as a security consultant providing security reviews and penetration tests for organizations in various business sectors, ranging from banks and insurance companies to hi-tech corporations. Amongst other things, Anat has spoken at the RSA conference, DefCon.

 
Technical Level: Intermediate

 

=== Invisibility Purge - Manipulating Properties Of Invisible & Dormant Asp.Net Controls ===
'''''Shay Chen, CTO, Ernst & Young (Hacktics)'''''

Server-Side Web Controls became popular components in modern web application frameworks.
In addition to the development benefits of these components provide, they are also protected using a variety of security mechanisms, including digital signatures, content access restrictions and even invisibility.
However, developers that use these components improperly can expose the application to a variety of different attacks that can be executed despite, and sometimes due to the existence of security mechanisms.
The presentation will demonstrate several new methods that attackers can harness to bypass security mechanism, manipulate server control properties and identify, enumerate and activate events of dormant server web controls, in popular platforms such as ASP.Net, JSF and Mono.

 
Speaker Bio

Shay Chen is the CTO of Hacktics, an advanced security center of Ernst & Young.

As a victim of the law of familiarity, a decade of exposure to common vulnerabilities was enough to shift his focus to abnormal hacking methodologies and new attack vectors.

He is also a prominent blogger and researcher, and is responsible for many security publications, including new application-level attacks, testing methodologies and open source projects.
As the co-author of the platforms "Diviner", "SCIP" and "WAVSEP" he was involved in the publication of several large-scale researches in the field of automated security scanners.

Shay is an experienced speaker, has been instructing a variety of information security courses for the past 8 years, and had multiple appearances in international conferences, including Blackhat, Hacktivity, AppSecUSA and others.

 
Technical Level: Advanced

 

=== The ReFrameworker Android runtime manipulator – pentesting Android apps like a king ===
'''''Erez Metula, AppSec Labs'''''

ReFrameworker is a new exiting addition to the AppUse pentest VM which we just released at recent BlackHat USA, targeting Android applications. With ReFrameworker, we can manipulate Android applications to make our life as pentesters a lot more easier. Does the app you test insists to be used only for a particular IMEI or phone number? Or does it break on invalidated certificates when you try to SSL MitM it using a proxy? No problem! With ReFrameworker, you can just give a new behavior to any runtime method you'd like, like disabling verifications, controlling return values, and so on. Snooping on local SQL queries or encryption keys? ReFrameworker gives you a proxy for local variables so you can changes important or sensitive values on the fly.
The idea is that we'd built a new Android ROM for the sole purpose of pentesting Android apps, loaded with hooks at important places inside the Dalvik runtime. During this talk we'll witness the power of ReFrameworker, we'll learn how to use it, how it was implemented and how it can be extended.

 
Speaker Bio

Erez Metula Author of the book "Managed Code Rootkits", is a world renowned application security expert. Erez has extensive hands-on experience performing security assessments, code reviews and secure development trainings for worldwide organizations, and had previously talked at international security conferences such as BlackHat, Defcon, OWASP, RSA, SOURCE, CanSecWest and more. He is the founder of AppSec Labs, where he focuses on advanced application security topics. Erez holds an MSc in computer science and he is CISSP.

 
Technical Level: Advanced

 

=== A Game of Pwns: Pwning iPhone application security assessment using the iNalyzer framework ===
'''''Chilik Tamir, Chief Scientist, AppSec Labs'''''

iNalyzer is an open-source free to use pen-testing framework I have recently updated for BlackHat USA, targeting iPhone applications. In the following presentation I will present my latest research on a new approach to performing security assessments of iOS applications utilizing the iNalyzer. The presentation will include live demonstration of using iNalyzer to transform a tedious black-box penetration testing into an exciting gray-box effort.
The talk will cover some of the problems with testing iOS applications, and present a wider picture of the testing process for different applications using iNalyzer, from the point of view of the tester, and how to handle the difficulties that may ensue.
* You will learn how to utilize iNalyzer to bind the power of regular web vulnerability scanner - such as Zap, Burp or AppScan into the exciting world of iOS penetration testing.
* You will learn how to fill in the gaps and use iNalyzer in your IDA reversing effort when testing.
* You will learn how to manipulate iPhone applications to make our life as pen-testers a lot easier using iNalyzer.

 
Speaker Bio

Chilik Tamir is an information security expert with over two decades of experience in training, research, development, testing and consulting in the field of applicative information security for clients in the fields of finance, security, government offices and corporations. His latest research - the iOS iNalyzer is an open-source iOS application Penetration Testing Dashboard. Among his previous publications you will find AppUse – a testing environment for Android applications developed together with Erez Metula; Belch – an automatic tool for analysis and testing of binary protocols such as Flex and Java-Serialization; Chilik is an experienced security trainer and speaker with previous talks and training in security conferences such as BlackHat USA, HITB Amsterdam, OWASP Israel as well as training in cooperations such as Intel, HP, Cisco, Amdocs, Verint, RedBend and others. He is the Chief Scientist at AppSec Labs, where he acts as head of R&D and innovation. Chilik holds an Biomedical Engineering B.Sc. degree.

 
Technical Level: Advanced

 

=== Automatic trust based segregation for content providers on mobile devices ===
'''''Oren Poleg, IDC'''''

In this work we have designed and developed a modification to the Android Content Providers that allows us to impose access restrictions on the sensitive data items they contain (such as contacts, calendar events) .

We have developed lightweight solution that is compatible with the current Android design (so it can be easily integrated with the current Android implementation) that creates separation between different types of sensitive data, also separating them from the non-sensitive information in Android content providers. We allow the device owner to view the data in a unified manner, while 3rd party applications will be allowed access only to content created by them or that they were granted permission to view.

User interaction is not required for the security decisions. Instead, we are defining trust relationship between the data and the applications, in which the owner of the data can delegate access permissions to the applications.

This approach will enable organization to store sensitive information on the device content providers, allow the user to easily access it from the organizational applications as well as from system applications while preventing its leakage through other 3rd party applications
While developed for Android, the concept can be implemented on other mobile devices, such as iPhone and Windows Phone.

 
Speaker Bio

Oren Poleg is a mobile platforms expert, with more than 10 years in the mobile platforms space.
As a team leader in (the Former) Sun Microsystems, Oren was responsible to the integration of Java VM into mobile devices, later to be followed with and research of smart phone infrastructures
Currently Oren is a working as a Consultant, dealing with Android Devices, Smart TVs and Network Security.

 
Technical Level: Intermediate/Advanced

 
= Track B =

=== Web Application Forensics ===
'''''Renana Friedlich, Forensic Department Leader, Ernst and Young (Hacktics)'''''

Most organizations are not aware of successful application-level attacks, until it's too late.
Application penetration tests don't provide information on attacks that ALREADY occurred, on attacks are CURRENTLY in progress, on failed attempts, or even on the actual impact.
Organizations usually rely on security products such as WAF and IDS to locate hacking incidents, but what about attacks that slipped pass the WAF?
What about attacks with a pattern that the IDS did not recognize? What about organizations that implemented these products too late, or not at all?
That's where Web Application Proactive Forensics comes in - A collection of detailed methodologies for locating evidence of attacks that were performed and/or exploited, including attacks listed in OWASP testing guide, WASC and CWE.

 
Speaker Bio

Renana Friedlich is the Forensic Department Leader at Hacktics, an advanced security center of EY. Renana specializes in forensic investigations, developing incident response, malware assessments, and escorting start-up companies in implementing forensic methodologies into their products.
Prior to working at Hacktics, she served at the intelligence corps for seven years, and has over nine years of experience in the information security field.
In recent years, Renana was a frequent speaker in the government sector and had multiple appearances in public conferences, including OWASP, annual risk management conferences, and universities. She also regularly instructs forensic and incident response courses in universities and clients from various industries.

 
Technical Level: Intermediate

 

=== STDD - The protection you REALLY need ([[Media:OWASP_IL_2013_10_Nir_Valtman_STDD.pdf|download presentation]])‎ ===
''''' Nir Valtman, R&D CSO, Retalix ''''' 
''''' Alex Linder, Solution Architect, Retalix '''''

Today in the agile world, many streams based on Acceptance Test Driven Development (ATDD). In this presentation we are going to demonstrate how to reuse this concept in context of security. In addition, this presentation includes common scenarios from attacker's point of view as well as the defender should think. Needless to mention, we have many demos...

 
Speaker Bio

Nir is employed in Retalix as R&D CSO. Before this position he worked as chief security architect, senior technology consultant, application security consultant, system security consultant and a technological trainer. As part of his positions, Nir didn't only consulting, but also performed hands-on activities in various fields, e.g. hardening, penetration testing and development for personal\internal applications. 
Nir has a BSc in computer science but his knowledge is based mainly on cowboy learning and information sharing with the techno-oriented communities. 
Blog: http://www.valtman.org

Alex is a technology geek, likes to research and play with new stuff. Alex is a highly experienced Solution Architect specializing in Software, middleware and APIs. 
Alex has more than 14 years of experience and performed vast roles in the Israeli market such as VP Professional services, Group manager, Solution Architect, Dev team leader and Senior consultant. 
Currently working as a solution architect of large scale R&D firm with cutting edge technologies. 
Blog: http://linderalex.blogspot.co.il/

 
Technical Level: Intermediate / Advanced

 

=== Spam, Death Threats, and Other Abuses of Online Communities ([[Media:OWASP_IL_2013_10_Avi_Douglan_Spam-DeathThreats-Abuse-OnlineCommunities.pdf‎|download presentation]])‎ ===
'''''Avi Douglen, Security Architect, Independant'''''

Many contemporary websites are based on so-called “User Generated Content” (aka UGC). Furthermore, many sites oriented around a community of users enable users to interact with each other, via the site. Sites like Wikipedia and StackOverflow allow users to freely edit pages visible to all users, popular discussion forums are based on continuous postings of content by users, and social networks such as Facebook encourage users to constantly add their own rich data to the site for others’ consumption.

Aside from the usual web attacks common to all user input on websites, such as XSS and SQL Injection, there are some forms of attacks or abuse that are specific to sites such as these. Some of them are purely technical, some of them are social in nature and just take advantage of the available technology. These are often exacerbated by the scope and huge amount of traffic to these sites, and take advantage of the network effect.

The talk will be based in a large part on the speaker’s experience on the Stack Exchange network of sites, but will also compare to the models prevalent on other popular sites. We will discuss some of the aspects particular to these platforms, and show how even the more “boring” of these attacks can sometimes be interesting depending on the situation. We will also see some of the stranger happenings that occur on a large site. Finally, we will discuss and compare some of the different models that these huge websites use to limit the damage.
We will of course focus on what is both these sites’ biggest weakness, and greatest strength - the community.

 
Speaker Bio

Avi Douglen had a CISSP before it was popular, but he is not a hipster. Avi is a high-end, independent security architect and developer, and has been designing, developing and testing secure applications, and leading development teams in building secure products, for over 15 years. Avi is also a Community Moderator (volunteer basis) on Stack Exchange’s fantastic Information Security site (http://security.stackexchange.com), sister site to Stack Overflow. As a moderator, and as an active user on several other Stack Exchange sites, he has spent a lot of time handling these types of attacks, and has had the opportunity to see up close, what works, what doesn’t, and what can scale to millions of users.

 
Technical Level: Introductory

 

=== Delivering Security in Continuous Delivery Environment ===
''''' Yaniv Simsolo, Senior Consultant, Comsec Consulting'''''

Moving from traditional development environment to Agile environment, creates many a challenge to the security of the organization and developed system. Moving from Agile development environment towards Continuous Delivery environment ups the stakes.
We will venture in to the challenges of delivering security in Continuous Delivery environment, and test whether in-depth security is achievable.
Relying on industry evidences, a unique approach to the evolvement of security under Continuous Delivery development environment will be presented.

 
Speaker Bio

Yaniv Simsolo, CISSP, Senior IT Security Professional. A consultant in application security from 2004, and an expert of security of compound and enterprise scale systems.

 
Technical Level: Intermediate

 

=== Designing a national defense strategy for DDoS applications and volume attacks ===
'''''Mirit Kagarlitsky, Head of System Analysis, Israeli National Cyber Bureau '''''

DDoS attacks exploit vulnerabilities in different protocol stack layers, from the application layer and downward. These attacks undermine the availability of various services, some of which transcend the local interest of the compromised organization, bearing broader consequences.
Designing a national defense strategy for DDoS attacks has advantages, since the state has both the interest and the capacity to devise large-scale technological solutions of security from targeted attacks on critical services as well as from cumulative damage in this realm. The problem is that there is a wide spectrum of solutions and possible network locations for state intervention: services entry point, ISPs, cloud-based approaches and more; every solution should be analyzed from a national standpoint.
Our work examines when and where should the state take action in the realm, ranging from the individual organization to the ISP level. We also suggest how its accumulated benefit should be assessed in order to evaluate the overall effectiveness of the national strategy.

 
Speaker Bio

Mirit Kagarlitsky holds a B.Sc. in physics and mathematics from the Hebrew University in Jerusalem and is in the process of completion of M.Sc. in Statistics from Tel Aviv University. She has vast experience with operations research and system analysis in various fields, as an analyst and as a team leader. Today she work as the head of system analysis in the Israeli National Cyber Bureau.

 
Technical Level: Introduction

 

=== Enhancing Web Application Defense Using Big Data ===
''''' Or Katz, Principal Security Researcher, Akamai Technologies '''''

In recent years Big Data has become a commonly used technology in many products, in this presentation I will unveil practical examples on how we can improve web application defenses by using Big Data. Using Big Data enables us to combine web application filter triggers from multiple data sources. Big data analysis contributes to the improvement and enhances defense tactics. In this presentation I will show some examples such as:
* SQLi – detecting malicious users and their level of maliciousness
* Web Scraping – expose scrapers that fly under the radar and what is their target information
* False positives reduction – using Big Data in order to learn how to tune your configuration

 
Speaker Bio

Or Katz has vast expertise in Web Application Firewall technology, working in market leading web application firewall vendors as a web application security researcher.
Mr. Katz is a board member in OWASP Israel chapter, frequent speaker in the chapter conferences and he was also responsible for leading the OWASP Top 10 Hebrew translation project.
Mr. Katz also published several innovative white papers on web applications defensive techniques.

 
Technical Level: Intermediate

 

=== From Obscurity to Pop Culture - Evolution of Application Security ===
''''' Irene Abezgauz, VP Product Management, Quotium'''''

In 1998 the New York Times website was hacked. According to various news sources, the site underwent a thorough security test just two years before and at that point it became clear that 'it might not be sufficient'. Fifteen years later, application security trends talk about APTs, Agile SDLCs and Security Products being commoditized.
In this lecture we review the evolution of application security in the past decade and a half. Examining technology and aspects of security management from the early days of OWASP foundation to present day mobile application security testing as part of the development lifecycle.

 
Speaker Bio

Irene has ten years of experience in information and application security. Focused on application security penetration testing and research she is a builder and breaker of things. She is the Product Manager of Seeker™, the new generation of automatic application security testing, and head of security research activities at Seeker Security (Quotium). Ms. Abezgauz has discovered numerous vulnerabilities and published advisories related to products of leading vendors.

 
Technical Level: Introduction

OWASP Israel 2013 Presentations

2013-10-02T20:24:46Z

Oshezaf: /* Spam, Death Threats, and Other Abuses of Online Communities */

= Keynote =

=== Why Are Investors Excited About Cyber Security Startups, Again? ===
'''''Ron Moritz, Consigliere on Venture Strategies, Issues and Trends'''''

Ron will speak about the current state of security startups, the current crop of security problems being solved by startups, and the trends of what solutions investment capital is looking to support.

The Keynote will be in English.

 
Speaker Bio

Ron Moritz is a well-regarded executive with over twenty-five years of broad operational and strategy experience from premier technology companies such as Microsoft (GM, Forefront), Symantec (SVP & CTO), and Computer Associates (SVP, Security Products Business Unit), where he was a member of each company's distinguished corporate or divisional leadership teams.

Having advised C-level executives, boards of directors, venture capitalists and private equity firms on value-creation activities including new markets, acquisition and divestiture strategy, global sourcing of labor, major technology decisions, and eco-system development, Mr. Moritz brings a unique point of view at the intersection of technology, strategy, global markets and finance.

Ron is currently a partner in Aura Coffee, a third-wave coffee roasting company based in Modiin; a member of the Fireblade board of directors; and a mentor Jerusalem-based crowd-funding leader, OurCrowd.

 
= Plenary Sessions =

=== Evolution of online banking attack techniques ===
'''''Amit Klein, CTO, Trusteer'''''

I will survey the evolution of attack techniques against online banking since the mid-2000s till today. This starts with keylogging malware, moves over to screenshooting malware, and finally gets to HTML injection malware (the “Man in the Browser” concept). I will then show several examples of the power of MitB attacks, especially when combined with social engineering, and how this can overcome many security measures such as two-factor authentication and transaction verification.

 
Speaker Bio

As Trusteer’s CTO, Amit Klein manages the company’s security research. Prior to Trusteer, Mr. Klein was Chief Scientist at Cyota Inc. (acquired by RSA Security), a leading provider of layered authentication solutions. In this role, Mr. Klein researched technologies that prevent online fraud, phishing, and pharming and filed several patents in those areas. Prior to this, Mr. Klein worked as Director of Security and Research at Sanctum, Inc. (acquired by Watchfire), where he was responsible for the security architecture of all Sanctum products. Mr. Klein holds a B.Sc. (cum laude) in Mathematics and Physics.
Mr. Klein is a world-renowned security researcher, having published more than thirty articles, papers and technical notes on the topic of Internet security. He was named CTO of the Year by InfoWorld Magazine and has presented at many prestigious conferences including RSA, FSISAC, OWASP and CertConf.

 
Technical Level: Intermediate

 

=== Your mobile device in the service of the malicious hacker (Live Demo) ===
''''' Adi Sharabani, CEO, Skycure '''''

We all developed natural instincts when it comes to protecting our physical space. We all know to look to the sides before crossing the road, and we all have some capabilities to assess current risks and make decisions accordingly. However, when it comes to using our mobile devices in the cyber era, these instincts have not yet evolved. People and organizations are at risk, and do not have an understanding how to assess or mitigate them. On top of that, current protection solutions provide inadequate protection against these threats. The organizational need to support mobile devices for business related activity created a huge gap in securing the organization. Adi Sharabani's keynote will highlight some of these threats via a live demonstration of a mobile hacking activity. The audience will be able to opt in for the demo, reflecting how easy it is for a hacker to hack into remote devices.

 
Speaker Bio

Mr. Adi Sharabani is a world-class security expert and the CEO of Skycure, a start-up that focuses on providing firewall solutions for mobile devices. Formerly, Adi led the security of IBM software products. He came to IBM through the Watchfire acquisition, a start-up company which was a pioneer in the field of application security. Among his roles, Adi built and led the Watchfire’s security group. Adi has written many patents in the security space, and his works have been presented in many known conferences such as BlackHat, RSA, OWASP, Innovate, Herzliya Conference and many more; his presentations and keynotes are constantly being ranked as best presentations of most conferences he presents at. Adi is also a fellow at Prof. Yuval Ne’eman’s workshop. In his spare time, Adi teaches at Ohel-Shem high school, and is a part of the vision and implementation of the cyber-defense curriculum for high school students, a vision that is now being implemented in Israel.

 
Technical Level: Introduction

 
= Track A =

=== Get Ready for the Next Big Wave of Attacks: Hacking of Leading CMS Systems ===
'''''Maty Siman, CTO, Checkmarx'''''

The flow of this talk is given by – you! Before this talk, we emailed the audience to provide us with their favorite WordPress plugins that they would like to test for security. In a live demo, we assess the security of the requested plugins. Previous similar trials that we performed on WordPress showed that 30% of the top 50 most downloaded plugins were vulnerable to common Web attacks. What will be the results of this experiment?

As we’ll continue to show, assessing the security posture of a plugin is only the hacker’s first step in mass attacks. As opposed to past mass SQL Injection attacks which leveraged tools such as SQLMap, these next wave of attacks do not focus on the site’s platform or customized development code. Rather, these attacks leverage on the increasing popularity of CMS platforms such as WordPress and Joomla. The maturity, prevalence and market penetration of CMS platforms allow any marketing, sales or HR individual to easily set up their own fully-operational site. Accordingly, CMS apps are flourishing – and so are the vulnerabilities in these apps.

 
Speaker Bio

Maty is the CTO and founder of Checkmarx. Maty has more than a decade of experience in software development, IT security and source-code analysis. An authoritative figure in application security, Maty is regularly interviewed by the media on security-breaking news and frequently speaks at various IT security conferences. Prior to founding Checkmarx, Maty worked for two years at the Israeli Prime Minister’s Office as a senior IT security expert and project manager. Prior to that, he spent six years with the Israeli Defense Forces (IDF), where he established and led a development team in the IDF’s Information Security Center.

 
Technical Level: Intermediate

 

=== Utilizing Popular Websites for Malicious Purposes Using RDI ===
'''''Daniel Chechik, Security Researcher, Trustwave SpiderLabs''''' 
'''''Anat Davidi, Security Researcher, Trustwave SpiderLabs'''''

Reflected DOM Injection is a new attack vector first presented at the DefCon 21 conference in July. We will explain the technique and show a live demo where we use it to hide malicious code within popular and trusted websites. For those of you who are interested in RDI but couldn’t make it to DefCon, we are bringing the talk to you!

The introduction of this session will briefly review the struggle between malicious websites and security products. We will explain the issues of hosting a malicious website and the techniques security vendors use in order to block them.
We will then present our new technique to avoid detection and proceed to explain all parts of it in-depth. A full demo of the attack from beginning to end will be included.
common and known services published by popular websites will be used in order to dynamically construct an attack hosted for us by these services.
Finally, we will add a layer of defense to our attack, and generate malicious code which will become practically invisible to dynamic analysis engines and thus evade most of today's security engines and technologies.

 
Speaker Bio

Daniel Chechik is a veteran security researcher at Trustwave's SpiderLabs. Among other things, he specializes in malware analysis, web exploits detection, Trojan and botnet detection and neutralizing and defining security requirements for the Secure Web Gateway product.
Prior to that, Daniel served in a technological unit as a security specialist in the IDF. During the service, Daniel specialized in CheckPoint Firewall equipment, AntiVirus products and other IT security products.
Daniel, among other things, has spoken at the RSA conference, DefCon, holds CEH and CCSE certificates and has a patent pending for 'Detecting Malware Communication on an Infected Computing Device'.

Anat Davidi is a security researcher at Trustwave's SpiderLabs. Her role includes vulnerability analysis, malware analysis and developing detection logic for the Secure Web Gateway product.
Prior to that, Anat worked as a security consultant providing security reviews and penetration tests for organizations in various business sectors, ranging from banks and insurance companies to hi-tech corporations. Amongst other things, Anat has spoken at the RSA conference, DefCon.

 
Technical Level: Intermediate

 

=== Invisibility Purge - Manipulating Properties Of Invisible & Dormant Asp.Net Controls ===
'''''Shay Chen, CTO, Ernst & Young (Hacktics)'''''

Server-Side Web Controls became popular components in modern web application frameworks.
In addition to the development benefits of these components provide, they are also protected using a variety of security mechanisms, including digital signatures, content access restrictions and even invisibility.
However, developers that use these components improperly can expose the application to a variety of different attacks that can be executed despite, and sometimes due to the existence of security mechanisms.
The presentation will demonstrate several new methods that attackers can harness to bypass security mechanism, manipulate server control properties and identify, enumerate and activate events of dormant server web controls, in popular platforms such as ASP.Net, JSF and Mono.

 
Speaker Bio

Shay Chen is the CTO of Hacktics, an advanced security center of Ernst & Young.

As a victim of the law of familiarity, a decade of exposure to common vulnerabilities was enough to shift his focus to abnormal hacking methodologies and new attack vectors.

He is also a prominent blogger and researcher, and is responsible for many security publications, including new application-level attacks, testing methodologies and open source projects.
As the co-author of the platforms "Diviner", "SCIP" and "WAVSEP" he was involved in the publication of several large-scale researches in the field of automated security scanners.

Shay is an experienced speaker, has been instructing a variety of information security courses for the past 8 years, and had multiple appearances in international conferences, including Blackhat, Hacktivity, AppSecUSA and others.

 
Technical Level: Advanced

 

=== The ReFrameworker Android runtime manipulator – pentesting Android apps like a king ===
'''''Erez Metula, AppSec Labs'''''

ReFrameworker is a new exiting addition to the AppUse pentest VM which we just released at recent BlackHat USA, targeting Android applications. With ReFrameworker, we can manipulate Android applications to make our life as pentesters a lot more easier. Does the app you test insists to be used only for a particular IMEI or phone number? Or does it break on invalidated certificates when you try to SSL MitM it using a proxy? No problem! With ReFrameworker, you can just give a new behavior to any runtime method you'd like, like disabling verifications, controlling return values, and so on. Snooping on local SQL queries or encryption keys? ReFrameworker gives you a proxy for local variables so you can changes important or sensitive values on the fly.
The idea is that we'd built a new Android ROM for the sole purpose of pentesting Android apps, loaded with hooks at important places inside the Dalvik runtime. During this talk we'll witness the power of ReFrameworker, we'll learn how to use it, how it was implemented and how it can be extended.

 
Speaker Bio

Erez Metula Author of the book "Managed Code Rootkits", is a world renowned application security expert. Erez has extensive hands-on experience performing security assessments, code reviews and secure development trainings for worldwide organizations, and had previously talked at international security conferences such as BlackHat, Defcon, OWASP, RSA, SOURCE, CanSecWest and more. He is the founder of AppSec Labs, where he focuses on advanced application security topics. Erez holds an MSc in computer science and he is CISSP.

 
Technical Level: Advanced

 

=== A Game of Pwns: Pwning iPhone application security assessment using the iNalyzer framework ===
'''''Chilik Tamir, Chief Scientist, AppSec Labs'''''

iNalyzer is an open-source free to use pen-testing framework I have recently updated for BlackHat USA, targeting iPhone applications. In the following presentation I will present my latest research on a new approach to performing security assessments of iOS applications utilizing the iNalyzer. The presentation will include live demonstration of using iNalyzer to transform a tedious black-box penetration testing into an exciting gray-box effort.
The talk will cover some of the problems with testing iOS applications, and present a wider picture of the testing process for different applications using iNalyzer, from the point of view of the tester, and how to handle the difficulties that may ensue.
* You will learn how to utilize iNalyzer to bind the power of regular web vulnerability scanner - such as Zap, Burp or AppScan into the exciting world of iOS penetration testing.
* You will learn how to fill in the gaps and use iNalyzer in your IDA reversing effort when testing.
* You will learn how to manipulate iPhone applications to make our life as pen-testers a lot easier using iNalyzer.

 
Speaker Bio

Chilik Tamir is an information security expert with over two decades of experience in training, research, development, testing and consulting in the field of applicative information security for clients in the fields of finance, security, government offices and corporations. His latest research - the iOS iNalyzer is an open-source iOS application Penetration Testing Dashboard. Among his previous publications you will find AppUse – a testing environment for Android applications developed together with Erez Metula; Belch – an automatic tool for analysis and testing of binary protocols such as Flex and Java-Serialization; Chilik is an experienced security trainer and speaker with previous talks and training in security conferences such as BlackHat USA, HITB Amsterdam, OWASP Israel as well as training in cooperations such as Intel, HP, Cisco, Amdocs, Verint, RedBend and others. He is the Chief Scientist at AppSec Labs, where he acts as head of R&D and innovation. Chilik holds an Biomedical Engineering B.Sc. degree.

 
Technical Level: Advanced

 

=== Automatic trust based segregation for content providers on mobile devices ===
'''''Oren Poleg, IDC'''''

In this work we have designed and developed a modification to the Android Content Providers that allows us to impose access restrictions on the sensitive data items they contain (such as contacts, calendar events) .

We have developed lightweight solution that is compatible with the current Android design (so it can be easily integrated with the current Android implementation) that creates separation between different types of sensitive data, also separating them from the non-sensitive information in Android content providers. We allow the device owner to view the data in a unified manner, while 3rd party applications will be allowed access only to content created by them or that they were granted permission to view.

User interaction is not required for the security decisions. Instead, we are defining trust relationship between the data and the applications, in which the owner of the data can delegate access permissions to the applications.

This approach will enable organization to store sensitive information on the device content providers, allow the user to easily access it from the organizational applications as well as from system applications while preventing its leakage through other 3rd party applications
While developed for Android, the concept can be implemented on other mobile devices, such as iPhone and Windows Phone.

 
Speaker Bio

Oren Poleg is a mobile platforms expert, with more than 10 years in the mobile platforms space.
As a team leader in (the Former) Sun Microsystems, Oren was responsible to the integration of Java VM into mobile devices, later to be followed with and research of smart phone infrastructures
Currently Oren is a working as a Consultant, dealing with Android Devices, Smart TVs and Network Security.

 
Technical Level: Intermediate/Advanced

 
= Track B =

=== Web Application Forensics ===
'''''Renana Friedlich, Forensic Department Leader, Ernst and Young (Hacktics)'''''

Most organizations are not aware of successful application-level attacks, until it's too late.
Application penetration tests don't provide information on attacks that ALREADY occurred, on attacks are CURRENTLY in progress, on failed attempts, or even on the actual impact.
Organizations usually rely on security products such as WAF and IDS to locate hacking incidents, but what about attacks that slipped pass the WAF?
What about attacks with a pattern that the IDS did not recognize? What about organizations that implemented these products too late, or not at all?
That's where Web Application Proactive Forensics comes in - A collection of detailed methodologies for locating evidence of attacks that were performed and/or exploited, including attacks listed in OWASP testing guide, WASC and CWE.

 
Speaker Bio

Renana Friedlich is the Forensic Department Leader at Hacktics, an advanced security center of EY. Renana specializes in forensic investigations, developing incident response, malware assessments, and escorting start-up companies in implementing forensic methodologies into their products.
Prior to working at Hacktics, she served at the intelligence corps for seven years, and has over nine years of experience in the information security field.
In recent years, Renana was a frequent speaker in the government sector and had multiple appearances in public conferences, including OWASP, annual risk management conferences, and universities. She also regularly instructs forensic and incident response courses in universities and clients from various industries.

 
Technical Level: Intermediate

 

=== STDD - The protection you REALLY need ([[Media:OWASP_IL_2013_10_Nir_Valtman_STDD.pdf|download presentation]])‎ ===
''''' Nir Valtman, R&D CSO, Retalix ''''' 
''''' Alex Linder, Solution Architect, Retalix '''''

Today in the agile world, many streams based on Acceptance Test Driven Development (ATDD). In this presentation we are going to demonstrate how to reuse this concept in context of security. In addition, this presentation includes common scenarios from attacker's point of view as well as the defender should think. Needless to mention, we have many demos...

 
Speaker Bio

Nir is employed in Retalix as R&D CSO. Before this position he worked as chief security architect, senior technology consultant, application security consultant, system security consultant and a technological trainer. As part of his positions, Nir didn't only consulting, but also performed hands-on activities in various fields, e.g. hardening, penetration testing and development for personal\internal applications. 
Nir has a BSc in computer science but his knowledge is based mainly on cowboy learning and information sharing with the techno-oriented communities. 
Blog: http://www.valtman.org

Alex is a technology geek, likes to research and play with new stuff. Alex is a highly experienced Solution Architect specializing in Software, middleware and APIs. 
Alex has more than 14 years of experience and performed vast roles in the Israeli market such as VP Professional services, Group manager, Solution Architect, Dev team leader and Senior consultant. 
Currently working as a solution architect of large scale R&D firm with cutting edge technologies. 
Blog: http://linderalex.blogspot.co.il/

 
Technical Level: Intermediate / Advanced

 

=== Spam, Death Threats, and Other Abuses of Online Communities ([[Media:OWASP_IL_2013_10_Avi_Douglan_Spam-DeathThreats-Abuse-OnlineCommunities.pdf‎|download presentation]])‎ ===
'''''Avi Douglen, Security Architect, Independant'''''

Many contemporary websites are based on so-called “User Generated Content” (aka UGC). Furthermore, many sites oriented around a community of users enable users to interact with each other, via the site. Sites like Wikipedia and StackOverflow allow users to freely edit pages visible to all users, popular discussion forums are based on continuous postings of content by users, and social networks such as Facebook encourage users to constantly add their own rich data to the site for others’ consumption.

Aside from the usual web attacks common to all user input on websites, such as XSS and SQL Injection, there are some forms of attacks or abuse that are specific to sites such as these. Some of them are purely technical, some of them are social in nature and just take advantage of the available technology. These are often exacerbated by the scope and huge amount of traffic to these sites, and take advantage of the network effect.

The talk will be based in a large part on the speaker’s experience on the Stack Exchange network of sites, but will also compare to the models prevalent on other popular sites. We will discuss some of the aspects particular to these platforms, and show how even the more “boring” of these attacks can sometimes be interesting depending on the situation. We will also see some of the stranger happenings that occur on a large site. Finally, we will discuss and compare some of the different models that these huge websites use to limit the damage.
We will of course focus on what is both these sites’ biggest weakness, and greatest strength - the community.

 
Speaker Bio

Avi Douglen had a CISSP before it was popular, but he is not a hipster. Avi is a high-end, independent security architect and developer, and has been designing, developing and testing secure applications, and leading development teams in building secure products, for over 15 years. Avi is also a Community Moderator (volunteer basis) on Stack Exchange’s fantastic Information Security site (http://security.stackexchange.com), sister site to Stack Overflow. As a moderator, and as an active user on several other Stack Exchange sites, he has spent a lot of time handling these types of attacks, and has had the opportunity to see up close, what works, what doesn’t, and what can scale to millions of users.

 
Technical Level: Introductory

 

=== Delivering Security in Continuous Delivery Environment ===
''''' Yaniv Simsolo, Senior Consultant, Comsec Consulting'''''

Moving from traditional development environment to Agile environment, creates many a challenge to the security of the organization and developed system. Moving from Agile development environment towards Continuous Delivery environment ups the stakes.
We will venture in to the challenges of delivering security in Continuous Delivery environment, and test whether in-depth security is achievable.
Relying on industry evidences, a unique approach to the evolvement of security under Continuous Delivery development environment will be presented.

 
Speaker Bio

Yaniv Simsolo, CISSP, Senior IT Security Professional. A consultant in application security from 2004, and an expert of security of compound and enterprise scale systems.

 
Technical Level: Intermediate

 

=== Designing a national defense strategy for DDoS applications and volume attacks ===
'''''Mirit Kagarlitsky, Head of System Analysis, Israeli National Cyber Bureau '''''

DDoS attacks exploit vulnerabilities in different protocol stack layers, from the application layer and downward. These attacks undermine the availability of various services, some of which transcend the local interest of the compromised organization, bearing broader consequences.
Designing a national defense strategy for DDoS attacks has advantages, since the state has both the interest and the capacity to devise large-scale technological solutions of security from targeted attacks on critical services as well as from cumulative damage in this realm. The problem is that there is a wide spectrum of solutions and possible network locations for state intervention: services entry point, ISPs, cloud-based approaches and more; every solution should be analyzed from a national standpoint.
Our work examines when and where should the state take action in the realm, ranging from the individual organization to the ISP level. We also suggest how its accumulated benefit should be assessed in order to evaluate the overall effectiveness of the national strategy.

 
Speaker Bio

Mirit Kagarlitsky holds a B.Sc. in physics and mathematics from the Hebrew University in Jerusalem and is in the process of completion of M.Sc. in Statistics from Tel Aviv University. She has vast experience with operations research and system analysis in various fields, as an analyst and as a team leader. Today she work as the head of system analysis in the Israeli National Cyber Bureau.

 
Technical Level: Introduction

 

=== Enhancing Web Application Defense Using Big Data ===
''''' Or Katz, Principal Security Researcher, Akamai Technologies '''''

In recent years Big Data has become a commonly used technology in many products, in this presentation I will unveil practical examples on how we can improve web application defenses by using Big Data. Using Big Data enables us to combine web application filter triggers from multiple data sources. Big data analysis contributes to the improvement and enhances defense tactics. In this presentation I will show some examples such as:
* SQLi – detecting malicious users and their level of maliciousness
* Web Scraping – expose scrapers that fly under the radar and what is their target information
* False positives reduction – using Big Data in order to learn how to tune your configuration

 
Speaker Bio

Or Katz has vast expertise in Web Application Firewall technology, working in market leading web application firewall vendors as a web application security researcher.
Mr. Katz is a board member in OWASP Israel chapter, frequent speaker in the chapter conferences and he was also responsible for leading the OWASP Top 10 Hebrew translation project.
Mr. Katz also published several innovative white papers on web applications defensive techniques.

 
Technical Level: Intermediate

 

=== From Obscurity to Pop Culture - Evolution of Application Security ===
''''' Irene Abezgauz, VP Product Management, Quotium'''''

In 1998 the New York Times website was hacked. According to various news sources, the site underwent a thorough security test just two years before and at that point it became clear that 'it might not be sufficient'. Fifteen years later, application security trends talk about APTs, Agile SDLCs and Security Products being commoditized.
In this lecture we review the evolution of application security in the past decade and a half. Examining technology and aspects of security management from the early days of OWASP foundation to present day mobile application security testing as part of the development lifecycle.

 
Speaker Bio

Irene has ten years of experience in information and application security. Focused on application security penetration testing and research she is a builder and breaker of things. She is the Product Manager of Seeker™, the new generation of automatic application security testing, and head of security research activities at Seeker Security (Quotium). Ms. Abezgauz has discovered numerous vulnerabilities and published advisories related to products of leading vendors.

 
Technical Level: Introduction

OWASP Israel 2013 Presentations

2013-10-02T20:23:51Z

Oshezaf: /* STDD - The protection you REALLY need */

= Keynote =

=== Why Are Investors Excited About Cyber Security Startups, Again? ===
'''''Ron Moritz, Consigliere on Venture Strategies, Issues and Trends'''''

Ron will speak about the current state of security startups, the current crop of security problems being solved by startups, and the trends of what solutions investment capital is looking to support.

The Keynote will be in English.

 
Speaker Bio

Ron Moritz is a well-regarded executive with over twenty-five years of broad operational and strategy experience from premier technology companies such as Microsoft (GM, Forefront), Symantec (SVP & CTO), and Computer Associates (SVP, Security Products Business Unit), where he was a member of each company's distinguished corporate or divisional leadership teams.

Having advised C-level executives, boards of directors, venture capitalists and private equity firms on value-creation activities including new markets, acquisition and divestiture strategy, global sourcing of labor, major technology decisions, and eco-system development, Mr. Moritz brings a unique point of view at the intersection of technology, strategy, global markets and finance.

Ron is currently a partner in Aura Coffee, a third-wave coffee roasting company based in Modiin; a member of the Fireblade board of directors; and a mentor Jerusalem-based crowd-funding leader, OurCrowd.

 
= Plenary Sessions =

=== Evolution of online banking attack techniques ===
'''''Amit Klein, CTO, Trusteer'''''

I will survey the evolution of attack techniques against online banking since the mid-2000s till today. This starts with keylogging malware, moves over to screenshooting malware, and finally gets to HTML injection malware (the “Man in the Browser” concept). I will then show several examples of the power of MitB attacks, especially when combined with social engineering, and how this can overcome many security measures such as two-factor authentication and transaction verification.

 
Speaker Bio

As Trusteer’s CTO, Amit Klein manages the company’s security research. Prior to Trusteer, Mr. Klein was Chief Scientist at Cyota Inc. (acquired by RSA Security), a leading provider of layered authentication solutions. In this role, Mr. Klein researched technologies that prevent online fraud, phishing, and pharming and filed several patents in those areas. Prior to this, Mr. Klein worked as Director of Security and Research at Sanctum, Inc. (acquired by Watchfire), where he was responsible for the security architecture of all Sanctum products. Mr. Klein holds a B.Sc. (cum laude) in Mathematics and Physics.
Mr. Klein is a world-renowned security researcher, having published more than thirty articles, papers and technical notes on the topic of Internet security. He was named CTO of the Year by InfoWorld Magazine and has presented at many prestigious conferences including RSA, FSISAC, OWASP and CertConf.

 
Technical Level: Intermediate

 

=== Your mobile device in the service of the malicious hacker (Live Demo) ===
''''' Adi Sharabani, CEO, Skycure '''''

We all developed natural instincts when it comes to protecting our physical space. We all know to look to the sides before crossing the road, and we all have some capabilities to assess current risks and make decisions accordingly. However, when it comes to using our mobile devices in the cyber era, these instincts have not yet evolved. People and organizations are at risk, and do not have an understanding how to assess or mitigate them. On top of that, current protection solutions provide inadequate protection against these threats. The organizational need to support mobile devices for business related activity created a huge gap in securing the organization. Adi Sharabani's keynote will highlight some of these threats via a live demonstration of a mobile hacking activity. The audience will be able to opt in for the demo, reflecting how easy it is for a hacker to hack into remote devices.

 
Speaker Bio

Mr. Adi Sharabani is a world-class security expert and the CEO of Skycure, a start-up that focuses on providing firewall solutions for mobile devices. Formerly, Adi led the security of IBM software products. He came to IBM through the Watchfire acquisition, a start-up company which was a pioneer in the field of application security. Among his roles, Adi built and led the Watchfire’s security group. Adi has written many patents in the security space, and his works have been presented in many known conferences such as BlackHat, RSA, OWASP, Innovate, Herzliya Conference and many more; his presentations and keynotes are constantly being ranked as best presentations of most conferences he presents at. Adi is also a fellow at Prof. Yuval Ne’eman’s workshop. In his spare time, Adi teaches at Ohel-Shem high school, and is a part of the vision and implementation of the cyber-defense curriculum for high school students, a vision that is now being implemented in Israel.

 
Technical Level: Introduction

 
= Track A =

=== Get Ready for the Next Big Wave of Attacks: Hacking of Leading CMS Systems ===
'''''Maty Siman, CTO, Checkmarx'''''

The flow of this talk is given by – you! Before this talk, we emailed the audience to provide us with their favorite WordPress plugins that they would like to test for security. In a live demo, we assess the security of the requested plugins. Previous similar trials that we performed on WordPress showed that 30% of the top 50 most downloaded plugins were vulnerable to common Web attacks. What will be the results of this experiment?

As we’ll continue to show, assessing the security posture of a plugin is only the hacker’s first step in mass attacks. As opposed to past mass SQL Injection attacks which leveraged tools such as SQLMap, these next wave of attacks do not focus on the site’s platform or customized development code. Rather, these attacks leverage on the increasing popularity of CMS platforms such as WordPress and Joomla. The maturity, prevalence and market penetration of CMS platforms allow any marketing, sales or HR individual to easily set up their own fully-operational site. Accordingly, CMS apps are flourishing – and so are the vulnerabilities in these apps.

 
Speaker Bio

Maty is the CTO and founder of Checkmarx. Maty has more than a decade of experience in software development, IT security and source-code analysis. An authoritative figure in application security, Maty is regularly interviewed by the media on security-breaking news and frequently speaks at various IT security conferences. Prior to founding Checkmarx, Maty worked for two years at the Israeli Prime Minister’s Office as a senior IT security expert and project manager. Prior to that, he spent six years with the Israeli Defense Forces (IDF), where he established and led a development team in the IDF’s Information Security Center.

 
Technical Level: Intermediate

 

=== Utilizing Popular Websites for Malicious Purposes Using RDI ===
'''''Daniel Chechik, Security Researcher, Trustwave SpiderLabs''''' 
'''''Anat Davidi, Security Researcher, Trustwave SpiderLabs'''''

Reflected DOM Injection is a new attack vector first presented at the DefCon 21 conference in July. We will explain the technique and show a live demo where we use it to hide malicious code within popular and trusted websites. For those of you who are interested in RDI but couldn’t make it to DefCon, we are bringing the talk to you!

The introduction of this session will briefly review the struggle between malicious websites and security products. We will explain the issues of hosting a malicious website and the techniques security vendors use in order to block them.
We will then present our new technique to avoid detection and proceed to explain all parts of it in-depth. A full demo of the attack from beginning to end will be included.
common and known services published by popular websites will be used in order to dynamically construct an attack hosted for us by these services.
Finally, we will add a layer of defense to our attack, and generate malicious code which will become practically invisible to dynamic analysis engines and thus evade most of today's security engines and technologies.

 
Speaker Bio

Daniel Chechik is a veteran security researcher at Trustwave's SpiderLabs. Among other things, he specializes in malware analysis, web exploits detection, Trojan and botnet detection and neutralizing and defining security requirements for the Secure Web Gateway product.
Prior to that, Daniel served in a technological unit as a security specialist in the IDF. During the service, Daniel specialized in CheckPoint Firewall equipment, AntiVirus products and other IT security products.
Daniel, among other things, has spoken at the RSA conference, DefCon, holds CEH and CCSE certificates and has a patent pending for 'Detecting Malware Communication on an Infected Computing Device'.

Anat Davidi is a security researcher at Trustwave's SpiderLabs. Her role includes vulnerability analysis, malware analysis and developing detection logic for the Secure Web Gateway product.
Prior to that, Anat worked as a security consultant providing security reviews and penetration tests for organizations in various business sectors, ranging from banks and insurance companies to hi-tech corporations. Amongst other things, Anat has spoken at the RSA conference, DefCon.

 
Technical Level: Intermediate

 

=== Invisibility Purge - Manipulating Properties Of Invisible & Dormant Asp.Net Controls ===
'''''Shay Chen, CTO, Ernst & Young (Hacktics)'''''

Server-Side Web Controls became popular components in modern web application frameworks.
In addition to the development benefits of these components provide, they are also protected using a variety of security mechanisms, including digital signatures, content access restrictions and even invisibility.
However, developers that use these components improperly can expose the application to a variety of different attacks that can be executed despite, and sometimes due to the existence of security mechanisms.
The presentation will demonstrate several new methods that attackers can harness to bypass security mechanism, manipulate server control properties and identify, enumerate and activate events of dormant server web controls, in popular platforms such as ASP.Net, JSF and Mono.

 
Speaker Bio

Shay Chen is the CTO of Hacktics, an advanced security center of Ernst & Young.

As a victim of the law of familiarity, a decade of exposure to common vulnerabilities was enough to shift his focus to abnormal hacking methodologies and new attack vectors.

He is also a prominent blogger and researcher, and is responsible for many security publications, including new application-level attacks, testing methodologies and open source projects.
As the co-author of the platforms "Diviner", "SCIP" and "WAVSEP" he was involved in the publication of several large-scale researches in the field of automated security scanners.

Shay is an experienced speaker, has been instructing a variety of information security courses for the past 8 years, and had multiple appearances in international conferences, including Blackhat, Hacktivity, AppSecUSA and others.

 
Technical Level: Advanced

 

=== The ReFrameworker Android runtime manipulator – pentesting Android apps like a king ===
'''''Erez Metula, AppSec Labs'''''

ReFrameworker is a new exiting addition to the AppUse pentest VM which we just released at recent BlackHat USA, targeting Android applications. With ReFrameworker, we can manipulate Android applications to make our life as pentesters a lot more easier. Does the app you test insists to be used only for a particular IMEI or phone number? Or does it break on invalidated certificates when you try to SSL MitM it using a proxy? No problem! With ReFrameworker, you can just give a new behavior to any runtime method you'd like, like disabling verifications, controlling return values, and so on. Snooping on local SQL queries or encryption keys? ReFrameworker gives you a proxy for local variables so you can changes important or sensitive values on the fly.
The idea is that we'd built a new Android ROM for the sole purpose of pentesting Android apps, loaded with hooks at important places inside the Dalvik runtime. During this talk we'll witness the power of ReFrameworker, we'll learn how to use it, how it was implemented and how it can be extended.

 
Speaker Bio

Erez Metula Author of the book "Managed Code Rootkits", is a world renowned application security expert. Erez has extensive hands-on experience performing security assessments, code reviews and secure development trainings for worldwide organizations, and had previously talked at international security conferences such as BlackHat, Defcon, OWASP, RSA, SOURCE, CanSecWest and more. He is the founder of AppSec Labs, where he focuses on advanced application security topics. Erez holds an MSc in computer science and he is CISSP.

 
Technical Level: Advanced

 

=== A Game of Pwns: Pwning iPhone application security assessment using the iNalyzer framework ===
'''''Chilik Tamir, Chief Scientist, AppSec Labs'''''

iNalyzer is an open-source free to use pen-testing framework I have recently updated for BlackHat USA, targeting iPhone applications. In the following presentation I will present my latest research on a new approach to performing security assessments of iOS applications utilizing the iNalyzer. The presentation will include live demonstration of using iNalyzer to transform a tedious black-box penetration testing into an exciting gray-box effort.
The talk will cover some of the problems with testing iOS applications, and present a wider picture of the testing process for different applications using iNalyzer, from the point of view of the tester, and how to handle the difficulties that may ensue.
* You will learn how to utilize iNalyzer to bind the power of regular web vulnerability scanner - such as Zap, Burp or AppScan into the exciting world of iOS penetration testing.
* You will learn how to fill in the gaps and use iNalyzer in your IDA reversing effort when testing.
* You will learn how to manipulate iPhone applications to make our life as pen-testers a lot easier using iNalyzer.

 
Speaker Bio

Chilik Tamir is an information security expert with over two decades of experience in training, research, development, testing and consulting in the field of applicative information security for clients in the fields of finance, security, government offices and corporations. His latest research - the iOS iNalyzer is an open-source iOS application Penetration Testing Dashboard. Among his previous publications you will find AppUse – a testing environment for Android applications developed together with Erez Metula; Belch – an automatic tool for analysis and testing of binary protocols such as Flex and Java-Serialization; Chilik is an experienced security trainer and speaker with previous talks and training in security conferences such as BlackHat USA, HITB Amsterdam, OWASP Israel as well as training in cooperations such as Intel, HP, Cisco, Amdocs, Verint, RedBend and others. He is the Chief Scientist at AppSec Labs, where he acts as head of R&D and innovation. Chilik holds an Biomedical Engineering B.Sc. degree.

 
Technical Level: Advanced

 

=== Automatic trust based segregation for content providers on mobile devices ===
'''''Oren Poleg, IDC'''''

In this work we have designed and developed a modification to the Android Content Providers that allows us to impose access restrictions on the sensitive data items they contain (such as contacts, calendar events) .

We have developed lightweight solution that is compatible with the current Android design (so it can be easily integrated with the current Android implementation) that creates separation between different types of sensitive data, also separating them from the non-sensitive information in Android content providers. We allow the device owner to view the data in a unified manner, while 3rd party applications will be allowed access only to content created by them or that they were granted permission to view.

User interaction is not required for the security decisions. Instead, we are defining trust relationship between the data and the applications, in which the owner of the data can delegate access permissions to the applications.

This approach will enable organization to store sensitive information on the device content providers, allow the user to easily access it from the organizational applications as well as from system applications while preventing its leakage through other 3rd party applications
While developed for Android, the concept can be implemented on other mobile devices, such as iPhone and Windows Phone.

 
Speaker Bio

Oren Poleg is a mobile platforms expert, with more than 10 years in the mobile platforms space.
As a team leader in (the Former) Sun Microsystems, Oren was responsible to the integration of Java VM into mobile devices, later to be followed with and research of smart phone infrastructures
Currently Oren is a working as a Consultant, dealing with Android Devices, Smart TVs and Network Security.

 
Technical Level: Intermediate/Advanced

 
= Track B =

=== Web Application Forensics ===
'''''Renana Friedlich, Forensic Department Leader, Ernst and Young (Hacktics)'''''

Most organizations are not aware of successful application-level attacks, until it's too late.
Application penetration tests don't provide information on attacks that ALREADY occurred, on attacks are CURRENTLY in progress, on failed attempts, or even on the actual impact.
Organizations usually rely on security products such as WAF and IDS to locate hacking incidents, but what about attacks that slipped pass the WAF?
What about attacks with a pattern that the IDS did not recognize? What about organizations that implemented these products too late, or not at all?
That's where Web Application Proactive Forensics comes in - A collection of detailed methodologies for locating evidence of attacks that were performed and/or exploited, including attacks listed in OWASP testing guide, WASC and CWE.

 
Speaker Bio

Renana Friedlich is the Forensic Department Leader at Hacktics, an advanced security center of EY. Renana specializes in forensic investigations, developing incident response, malware assessments, and escorting start-up companies in implementing forensic methodologies into their products.
Prior to working at Hacktics, she served at the intelligence corps for seven years, and has over nine years of experience in the information security field.
In recent years, Renana was a frequent speaker in the government sector and had multiple appearances in public conferences, including OWASP, annual risk management conferences, and universities. She also regularly instructs forensic and incident response courses in universities and clients from various industries.

 
Technical Level: Intermediate

 

=== STDD - The protection you REALLY need ([[Media:OWASP_IL_2013_10_Nir_Valtman_STDD.pdf|download presentation]])‎ ===
''''' Nir Valtman, R&D CSO, Retalix ''''' 
''''' Alex Linder, Solution Architect, Retalix '''''

Today in the agile world, many streams based on Acceptance Test Driven Development (ATDD). In this presentation we are going to demonstrate how to reuse this concept in context of security. In addition, this presentation includes common scenarios from attacker's point of view as well as the defender should think. Needless to mention, we have many demos...

 
Speaker Bio

Nir is employed in Retalix as R&D CSO. Before this position he worked as chief security architect, senior technology consultant, application security consultant, system security consultant and a technological trainer. As part of his positions, Nir didn't only consulting, but also performed hands-on activities in various fields, e.g. hardening, penetration testing and development for personal\internal applications. 
Nir has a BSc in computer science but his knowledge is based mainly on cowboy learning and information sharing with the techno-oriented communities. 
Blog: http://www.valtman.org

Alex is a technology geek, likes to research and play with new stuff. Alex is a highly experienced Solution Architect specializing in Software, middleware and APIs. 
Alex has more than 14 years of experience and performed vast roles in the Israeli market such as VP Professional services, Group manager, Solution Architect, Dev team leader and Senior consultant. 
Currently working as a solution architect of large scale R&D firm with cutting edge technologies. 
Blog: http://linderalex.blogspot.co.il/

 
Technical Level: Intermediate / Advanced

 

=== Spam, Death Threats, and Other Abuses of Online Communities ===
'''''Avi Douglen, Security Architect, Independant'''''

Many contemporary websites are based on so-called “User Generated Content” (aka UGC). Furthermore, many sites oriented around a community of users enable users to interact with each other, via the site. Sites like Wikipedia and StackOverflow allow users to freely edit pages visible to all users, popular discussion forums are based on continuous postings of content by users, and social networks such as Facebook encourage users to constantly add their own rich data to the site for others’ consumption.

Aside from the usual web attacks common to all user input on websites, such as XSS and SQL Injection, there are some forms of attacks or abuse that are specific to sites such as these. Some of them are purely technical, some of them are social in nature and just take advantage of the available technology. These are often exacerbated by the scope and huge amount of traffic to these sites, and take advantage of the network effect.

The talk will be based in a large part on the speaker’s experience on the Stack Exchange network of sites, but will also compare to the models prevalent on other popular sites. We will discuss some of the aspects particular to these platforms, and show how even the more “boring” of these attacks can sometimes be interesting depending on the situation. We will also see some of the stranger happenings that occur on a large site. Finally, we will discuss and compare some of the different models that these huge websites use to limit the damage.
We will of course focus on what is both these sites’ biggest weakness, and greatest strength - the community.

 
Speaker Bio

Avi Douglen had a CISSP before it was popular, but he is not a hipster. Avi is a high-end, independent security architect and developer, and has been designing, developing and testing secure applications, and leading development teams in building secure products, for over 15 years. Avi is also a Community Moderator (volunteer basis) on Stack Exchange’s fantastic Information Security site (http://security.stackexchange.com), sister site to Stack Overflow. As a moderator, and as an active user on several other Stack Exchange sites, he has spent a lot of time handling these types of attacks, and has had the opportunity to see up close, what works, what doesn’t, and what can scale to millions of users.

 
Technical Level: Introductory

 

=== Delivering Security in Continuous Delivery Environment ===
''''' Yaniv Simsolo, Senior Consultant, Comsec Consulting'''''

Moving from traditional development environment to Agile environment, creates many a challenge to the security of the organization and developed system. Moving from Agile development environment towards Continuous Delivery environment ups the stakes.
We will venture in to the challenges of delivering security in Continuous Delivery environment, and test whether in-depth security is achievable.
Relying on industry evidences, a unique approach to the evolvement of security under Continuous Delivery development environment will be presented.

 
Speaker Bio

Yaniv Simsolo, CISSP, Senior IT Security Professional. A consultant in application security from 2004, and an expert of security of compound and enterprise scale systems.

 
Technical Level: Intermediate

 

=== Designing a national defense strategy for DDoS applications and volume attacks ===
'''''Mirit Kagarlitsky, Head of System Analysis, Israeli National Cyber Bureau '''''

DDoS attacks exploit vulnerabilities in different protocol stack layers, from the application layer and downward. These attacks undermine the availability of various services, some of which transcend the local interest of the compromised organization, bearing broader consequences.
Designing a national defense strategy for DDoS attacks has advantages, since the state has both the interest and the capacity to devise large-scale technological solutions of security from targeted attacks on critical services as well as from cumulative damage in this realm. The problem is that there is a wide spectrum of solutions and possible network locations for state intervention: services entry point, ISPs, cloud-based approaches and more; every solution should be analyzed from a national standpoint.
Our work examines when and where should the state take action in the realm, ranging from the individual organization to the ISP level. We also suggest how its accumulated benefit should be assessed in order to evaluate the overall effectiveness of the national strategy.

 
Speaker Bio

Mirit Kagarlitsky holds a B.Sc. in physics and mathematics from the Hebrew University in Jerusalem and is in the process of completion of M.Sc. in Statistics from Tel Aviv University. She has vast experience with operations research and system analysis in various fields, as an analyst and as a team leader. Today she work as the head of system analysis in the Israeli National Cyber Bureau.

 
Technical Level: Introduction

 

=== Enhancing Web Application Defense Using Big Data ===
''''' Or Katz, Principal Security Researcher, Akamai Technologies '''''

In recent years Big Data has become a commonly used technology in many products, in this presentation I will unveil practical examples on how we can improve web application defenses by using Big Data. Using Big Data enables us to combine web application filter triggers from multiple data sources. Big data analysis contributes to the improvement and enhances defense tactics. In this presentation I will show some examples such as:
* SQLi – detecting malicious users and their level of maliciousness
* Web Scraping – expose scrapers that fly under the radar and what is their target information
* False positives reduction – using Big Data in order to learn how to tune your configuration

 
Speaker Bio

Or Katz has vast expertise in Web Application Firewall technology, working in market leading web application firewall vendors as a web application security researcher.
Mr. Katz is a board member in OWASP Israel chapter, frequent speaker in the chapter conferences and he was also responsible for leading the OWASP Top 10 Hebrew translation project.
Mr. Katz also published several innovative white papers on web applications defensive techniques.

 
Technical Level: Intermediate

 

=== From Obscurity to Pop Culture - Evolution of Application Security ===
''''' Irene Abezgauz, VP Product Management, Quotium'''''

In 1998 the New York Times website was hacked. According to various news sources, the site underwent a thorough security test just two years before and at that point it became clear that 'it might not be sufficient'. Fifteen years later, application security trends talk about APTs, Agile SDLCs and Security Products being commoditized.
In this lecture we review the evolution of application security in the past decade and a half. Examining technology and aspects of security management from the early days of OWASP foundation to present day mobile application security testing as part of the development lifecycle.

 
Speaker Bio

Irene has ten years of experience in information and application security. Focused on application security penetration testing and research she is a builder and breaker of things. She is the Product Manager of Seeker™, the new generation of automatic application security testing, and head of security research activities at Seeker Security (Quotium). Ms. Abezgauz has discovered numerous vulnerabilities and published advisories related to products of leading vendors.

 
Technical Level: Introduction

File:OWASP IL 2013 10 Shay Chen Invisible Purge.pdf

2013-10-02T20:21:12Z

Oshezaf:

File:OWASP IL 2013 10 Yaniv Simsolo Delivering Security in CD Environments.pdf

2013-10-02T20:21:07Z

Oshezaf:

File:OWASP IL 2013 10 OWASP Ron Moritz Why Are Investors Excited About Cyber Security Startups.pdf

2013-10-02T20:20:23Z

Oshezaf:

File:OWASP IL 2013 10 Avi Douglan Spam-DeathThreats-Abuse-OnlineCommunities.pdf

2013-10-02T20:20:12Z

Oshezaf:

File:OWASP IL 2013 10 Nir Valtman STDD.pdf

2013-10-02T20:19:50Z

Oshezaf:

File:OWASP IL 2013 10 Erez Metula The ReFrameworker Android runtime manipulator.pdf

2013-10-02T20:19:34Z

Oshezaf:

File:OWASP IL 2013 10 Chechik Davidi Utilizing Popular Websites for Malicious Purposes Using RDI.pdf

2013-10-02T20:18:44Z

Oshezaf:

Category:Israel

2013-10-02T20:06:43Z

Oshezaf:

{{Chapter Template|chaptername=Israel|extra= 

The chapter leader is '''[mailto:douglen@hotmail.com Avi Douglen]'''.

* OWASP Israel Board:'''[mailto:ofer@shezaf.com Ofer Shezaf]''' (Chapter Founder), '''Avi Douglen''', '''Or Katz''',''' Adi Sharabani''',''' Ofer Maor''', '''Ory Segal''', '''Itzik Kotler'''
* [[OWASP_Top10_Hebrew|OWASP Top 10 Hebrew]]: Or Katz
* Homepage Maintenance: Ofer Shezaf, Ofer Maor
* Mailing List Management: Ofer Shezaf, Avi Douglen, Ofer Maor

|mailinglistsite=http://lists.owasp.org/mailman/listinfo/owasp-israel|emailarchives=http://lists.owasp.org/pipermail/owasp-israel}}

<paypal>Israel</paypal>

== OWASP Activity ==

* An annual conference, usually in September
* Periodical meetings. If you would like to host a meeting or speak in one contact [mailto:ofer.maor@owasp.org Ofer Maor] or [mailto:ofer@shezaf.com Ofer Shezaf].
* [[OWASP_Top10_Hebrew|OWASP Top 10 Hebrew translation]].
* Spreading the Word - Reaching out for more people, especially outside of the AppSec community.

If you have anything else on your mind, please speak up!

== OWASP Top 10 in Hebrew ==
The OWASP Top 10 was translated to Hebrew and is [[OWASP_Top10_Hebrew|available for download]].

== Previous OWASP Israel Conferences and Meetings ==

; '''[[OWASP_Israel_2013|OWASP Israel 2013]] Conference held on October 1st with approximately 450 participants!'''

; [[OWASP_Israel_2013_05|OWASP Israel May 2013]] was held at RSA on May 28th 2013 with 80 participants.

; [[OWASP_Israel_2013_02|OWASP Israel February 2013]] meeting was held at E&Y on February 12th 2013 ([[OWASP_ISRAEL_2013_02_Hebrew|Hebrew version]]).

;[[OWASP_Israel_2012|OWASP Israel 2012 conference]] Was held at the IDC on Sep 5th 2012.

;[[OWASP_Israel_2011|OWASP Israel 2011 Conference]] Was held in the IDC in Herzliya on Sep 15th 2011, with about 350 attendees.

;[[OWASP_Israel_2010|OWASP Israel 2010 Conference]] Was held in the IDC in Herzliya on Sep 6th 2010 with about 150 attendees.

;[[OWASP_Israel_2010_06|OWASP Israel Jun-2010]] meeting was held in IBM/Watchfire in Herzliya on Jun 22nd 2010.

;[[OWASP_Israel_2010_02|OWASP Israel Feb-2010]] meeting was held in Amdocs in Ra'anana on Feb 9th 2010 with over 70 attendees.

;[[OWASP_Israel_2010_01|OWASP Israel Jan-2010]] meeting was held in Breach Security in Herzliya on Jan 12th 2010 with over 60 attendees.

;[[OWASP_Israel_2009_12|OWASP Israel Dec-2009]] meeting was held in IBM/Watchfire in Herzliya in Dec 2009.

;[[OWASP_Israel_2009|OWASP Israel 2009]] conference was held at the Interdisciplinary Center Herzliya on Sunday, September 6th 2009.
: You can find the agenda and uploaded presentations [[OWASP_Israel_2009|here]].

; [[OWASP_Israel_2009_05|OWASP Israel May 2009 meeting]] was held at IBM in Park Azorim in Petach-Tikva on May 7th. The presentations were:
* Web-Based Man-in-the-Middle Attack, Adi Sharabani, IBM ([http://blog.watchfire.com/wfblog/2009/02/active-man-in-the-middle-attacks.html more info])
* Automation Attacks and Counter Measures, Ofer Shezaf, Xiom ([http://www.owasp.org/images/5/58/OWASP_Israel_-_May_2009_-_Ofer_Shezaf_-_Automation_Attacks.pdf presentation])
: [[OWASP_ISRAEL_2009_05_Hebrew|Full details in Hebrew]]

; [[OWASP_Israel_2009_03|OWASP Israel March 2009 meeting]] was held at the Tel-Aviv University on March 26th, with approximately 60 attendees. The presentations were:
* Securing cellular web applications, Mikko Saario, Founder, OWASP Finland, Security Architect, Large Telecom Solution Provider ([[Media:OWASP_Israel_-_March_2009_-_Mikko_Saario_-_Web_Application_Security_in_the_Mobile_World.pdf‎|download]])
* Real world implementation of a PCI DSS compliance key management, Yaron Hakon, [http://www.2bsecure.co.il 2bsecure] ([[Media:OWASP_Israel_-_March_2009_-_Yaron_Hakon_-_PCI_key_managment.pdf‎|download]])
* Detecting RFI attacks, Or Katz, [http://www.breach.com Breach Security] ([[Media:OWASP_Israel_-_March_2009_-_Or_Katz_-_RFI_detection.pdf‎|download]])
* WAFEC 2.0 - Do WAFs deliver?, Ofer Shezaf, [http://www.xiom.com Xiom] ([[Media:OWASP_Israel_-_March_2009_-_Ofer_Shezaf_-_Why_WAFs_fail.pdf‎|download]])
: [[OWASP_ISRAEL_2009_03_Hebrew|Full details in Hebrew]]

; [[OWASP_Israel_2009_01|OWASP Israel January 2009 meeting]] was held at Checkpoint on January 28th, with over a 100 people attending. The presentations were:
* Improving Web Application Firewall testing for better deployment in production network, Gregory Fresnais from BreakingPoint, visiting us from France ([[Media:OWASP_Israel_2009_01_Gregory_Fresnais_Measuring_WAF_Performance.pdf‎|download]])
* Web 2.0 Hacking, Nimrod Luria, Qrity ([[Media:OWASP_Israel_2009_01_Nimrod_Luria_Web_2.0_Security.pdf‎|download]])
* Wiki Security, Ofer Shezaf, Xiom ([http://www.xiom.com/research/wiki_security download])

; [[OWASP_Israel_2008_Conference_at_the_Interdisciplinary_Center_Herzliya|The OWASP Israel 2008 conference at the Interdisciplinary Center Herzliya (IDC)]] was held on September 14th with 250 attendees.

; OWASP Israel at the [http://www.idc.co.il/?showproduct=31108&content_lang=ENG IDC Security Road Show]
: OWASP sponsored the IDC Security Road Show event in Israel on June 3rd 2008. Thanks for Iris Lev-Ari and Tomer Teller for the help in the OWASP booth.

; [[OWASP_Israel_2007_Conference|OWASP Israel 2007 conference at the Interdisciplinary Center Herzliya (IDC)]]
: the 1st official OWASP conference in Israel, was held on Dec 3rd 2007 at the Interdisciplinary Center (IDC) Herzliya. The conference really set itself as an event you must come to if you have anything to do with application security. [ [http://picasaweb.google.com/oshezaf/OWASPIsrael2007 pictures from the conference]

[[Category:Middle East]]

OWASP Israel 2013 05

2013-06-01T12:35:16Z

Oshezaf:

The next meeting for the Israel chapter of OWASP will take place on May 28th, starting from 17:00.

The meeting will be held at the EMC Center of Excellence - ‎7 Hamada St., Herzliya. If you are planning on attending, please confirm your participation to rsvp@owasp.org.il even if it is not definite.

The meeting’s agenda will be:

''' 17:00 – 17:30 Gathering, pizza, and drinks'''

''' 17:30 – 17:45 Opening note '''

''' 17:45 – 18:30 DoS Made Easy – Yaniv Simsolo ''' ([[Media:OWASP IL 2013 05 Denial of Service - Made Easy.pdf|download presentation]])‎

Modern systems rely on multiple layers and distributed architecture. Availability and redundancy considerations implemented in systems' architecture ought to prevent successful DOS attacks. However, common modern system' architecture incorporate several security key holes in many modern and cutting edge systems, enabling effortless and effective DOS attacks. The presentation will review some of this security key holes, and the DOS factors thereof.

''' 18:30 – 19:15 Publishing Enterprise Web Applications on BYOD using a Granular Trust Model – Shachaf Levi, Intel''' ([[Media:OWASP IL 2013 05 Publishing Enterprise Web Applications to BYOD using a Granular Trust Model.pdf|download presentation]])

* A web application gateway for mobile devices based on their trust level in a dynamic matter (and the web applications' requirement of being designed for mobile friendly UI)
* A software-based one-time password (OTP) solution that requires no additional hardware and is customized two-factor authentication – creating a seamless authentication experience.
* A single sign-on process that uses Kerberos protocol transition.
* A new approach to information security dynamic and granular security controls based on trust calculation and web content that is exposed based on it.
* A client that collects data, sends it to a broker that calculate the trust level of the device and location, and based on that, exposes specific web sites

'''19:15 – 19:30 Coffee break'''

'''19:30 – 20:15 Lessons and Impressions cyber attacks on Israel – Nimrod Luria'''

In the presentation I will review the existing issues in deploying and protecting web sites and why this cannot ensure availability and survivability. The presentation will include live demos of methods of securing web sites against today threats.

File:OWASP IL 2013 05 Denial of Service - Made Easy.pdf

2013-06-01T12:34:02Z

Oshezaf:

OWASP Israel 2013 05

2013-06-01T10:37:06Z

Oshezaf:

The next meeting for the Israel chapter of OWASP will take place on May 28th, starting from 17:00.

The meeting will be held at the EMC Center of Excellence - ‎7 Hamada St., Herzliya. If you are planning on attending, please confirm your participation to rsvp@owasp.org.il even if it is not definite.

The meeting’s agenda will be:

''' 17:00 – 17:30 Gathering, pizza, and drinks'''

''' 17:30 – 17:45 Opening note '''

''' 17:45 – 18:30 DoS Made Easy – Yaniv Simsolo '''

Modern systems rely on multiple layers and distributed architecture. Availability and redundancy considerations implemented in systems' architecture ought to prevent successful DOS attacks. However, common modern system' architecture incorporate several security key holes in many modern and cutting edge systems, enabling effortless and effective DOS attacks. The presentation will review some of this security key holes, and the DOS factors thereof.

''' 18:30 – 19:15 Publishing Enterprise Web Applications on BYOD using a Granular Trust Model – Shachaf Levi, Intel''' ([[Media:OWASP IL 2013 05 Publishing Enterprise Web Applications to BYOD using a Granular Trust Model.pdf|download presentation]])

* A web application gateway for mobile devices based on their trust level in a dynamic matter (and the web applications' requirement of being designed for mobile friendly UI)
* A software-based one-time password (OTP) solution that requires no additional hardware and is customized two-factor authentication – creating a seamless authentication experience.
* A single sign-on process that uses Kerberos protocol transition.
* A new approach to information security dynamic and granular security controls based on trust calculation and web content that is exposed based on it.
* A client that collects data, sends it to a broker that calculate the trust level of the device and location, and based on that, exposes specific web sites

'''19:15 – 19:30 Coffee break'''

'''19:30 – 20:15 Lessons and Impressions cyber attacks on Israel – Nimrod Luria'''

In the presentation I will review the existing issues in deploying and protecting web sites and why this cannot ensure availability and survivability. The presentation will include live demos of methods of securing web sites against today threats.

File:OWASP IL 2013 05 Publishing Enterprise Web Applications to BYOD using a Granular Trust Model.pdf

2013-06-01T10:35:25Z

Oshezaf:

Category:Israel

2013-06-01T10:14:56Z

Oshezaf: /* Previous OWASP Israel Conferences and Meetings */

{{Chapter Template|chaptername=Israel|extra= 

The chapter leader is '''[mailto:ofer.maor@owasp.org Ofer Maor]'''.

* OWASP Israel Board:'''[mailto:ofer@shezaf.com Ofer Shezaf]''' (Chapter Founder), '''Avi Douglen''', '''Or Katz''',''' Adi Sharabani''',''' Ofer Maor''', '''Ory Segal'''
* [[OWASP_Top10_Hebrew|OWASP Top 10 Hebrew]]: Or Katz
* Homepage Maintenance: Ofer Shezaf, Ofer Maor
* Mailing List Management: Ofer Shezaf, Avi Douglen, Ofer Maor

|mailinglistsite=http://lists.owasp.org/mailman/listinfo/owasp-israel|emailarchives=http://lists.owasp.org/pipermail/owasp-israel}}

<paypal>Israel</paypal>

== OWASP Activity ==

* An annual conference, usually in September (see [[OWASP_Israel_201|2012 conference information]] for more details)
* Periodical meetings. If you would like to host a meeting or speak in one contact [mailto:ofer.maor@owasp.org Ofer Maor] or [mailto:ofer@shezaf.com Ofer Shezaf].
* [[OWASP_Top10_Hebrew|OWASP Top 10 Hebrew translation]].
* Spreading the Word - Reaching out for more people, especially outside of the AppSec community.

If you have anything else on your mind, please speak up!

== OWASP Top 10 in Hebrew ==
The OWASP Top 10 was translated to Hebrew and is [[OWASP_Top10_Hebrew|available for download]].

== Previous OWASP Israel Conferences and Meetings ==
; [[OWASP_Israel_2013_05|OWASP Israel May 2013]] was held at RSA on May 28th 2013 with 80 participants.

; [[OWASP_Israel_2013_02|OWASP Israel February 2013]] meeting was held at E&Y on February 12th 2013 ([[OWASP_ISRAEL_2013_02_Hebrew|Hebrew version]]).

;[[OWASP_Israel_2012|OWASP Israel 2012 conference]] Was held at the IDC on Sep 5th 2012.

;[[OWASP_Israel_2011|OWASP Israel 2011 Conference]] Was held in the IDC in Herzliya on Sep 15th 2011, with about 350 attendees.

;[[OWASP_Israel_2010|OWASP Israel 2010 Conference]] Was held in the IDC in Herzliya on Sep 6th 2010 with about 150 attendees.

;[[OWASP_Israel_2010_06|OWASP Israel Jun-2010]] meeting was held in IBM/Watchfire in Herzliya on Jun 22nd 2010.

;[[OWASP_Israel_2010_02|OWASP Israel Feb-2010]] meeting was held in Amdocs in Ra'anana on Feb 9th 2010 with over 70 attendees.

;[[OWASP_Israel_2010_01|OWASP Israel Jan-2010]] meeting was held in Breach Security in Herzliya on Jan 12th 2010 with over 60 attendees.

;[[OWASP_Israel_2009_12|OWASP Israel Dec-2009]] meeting was held in IBM/Watchfire in Herzliya in Dec 2009.

;[[OWASP_Israel_2009|OWASP Israel 2009]] conference was held at the Interdisciplinary Center Herzliya on Sunday, September 6th 2009.
: You can find the agenda and uploaded presentations [[OWASP_Israel_2009|here]].

; [[OWASP_Israel_2009_05|OWASP Israel May 2009 meeting]] was held at IBM in Park Azorim in Petach-Tikva on May 7th. The presentations were:
* Web-Based Man-in-the-Middle Attack, Adi Sharabani, IBM ([http://blog.watchfire.com/wfblog/2009/02/active-man-in-the-middle-attacks.html more info])
* Automation Attacks and Counter Measures, Ofer Shezaf, Xiom ([http://www.owasp.org/images/5/58/OWASP_Israel_-_May_2009_-_Ofer_Shezaf_-_Automation_Attacks.pdf presentation])
: [[OWASP_ISRAEL_2009_05_Hebrew|Full details in Hebrew]]

; [[OWASP_Israel_2009_03|OWASP Israel March 2009 meeting]] was held at the Tel-Aviv University on March 26th, with approximately 60 attendees. The presentations were:
* Securing cellular web applications, Mikko Saario, Founder, OWASP Finland, Security Architect, Large Telecom Solution Provider ([[Media:OWASP_Israel_-_March_2009_-_Mikko_Saario_-_Web_Application_Security_in_the_Mobile_World.pdf‎|download]])
* Real world implementation of a PCI DSS compliance key management, Yaron Hakon, [http://www.2bsecure.co.il 2bsecure] ([[Media:OWASP_Israel_-_March_2009_-_Yaron_Hakon_-_PCI_key_managment.pdf‎|download]])
* Detecting RFI attacks, Or Katz, [http://www.breach.com Breach Security] ([[Media:OWASP_Israel_-_March_2009_-_Or_Katz_-_RFI_detection.pdf‎|download]])
* WAFEC 2.0 - Do WAFs deliver?, Ofer Shezaf, [http://www.xiom.com Xiom] ([[Media:OWASP_Israel_-_March_2009_-_Ofer_Shezaf_-_Why_WAFs_fail.pdf‎|download]])
: [[OWASP_ISRAEL_2009_03_Hebrew|Full details in Hebrew]]

; [[OWASP_Israel_2009_01|OWASP Israel January 2009 meeting]] was held at Checkpoint on January 28th, with over a 100 people attending. The presentations were:
* Improving Web Application Firewall testing for better deployment in production network, Gregory Fresnais from BreakingPoint, visiting us from France ([[Media:OWASP_Israel_2009_01_Gregory_Fresnais_Measuring_WAF_Performance.pdf‎|download]])
* Web 2.0 Hacking, Nimrod Luria, Qrity ([[Media:OWASP_Israel_2009_01_Nimrod_Luria_Web_2.0_Security.pdf‎|download]])
* Wiki Security, Ofer Shezaf, Xiom ([http://www.xiom.com/research/wiki_security download])

; [[OWASP_Israel_2008_Conference_at_the_Interdisciplinary_Center_Herzliya|The OWASP Israel 2008 conference at the Interdisciplinary Center Herzliya (IDC)]] was held on September 14th with 250 attendees.

; OWASP Israel at the [http://www.idc.co.il/?showproduct=31108&content_lang=ENG IDC Security Road Show]
: OWASP sponsored the IDC Security Road Show event in Israel on June 3rd 2008. Thanks for Iris Lev-Ari and Tomer Teller for the help in the OWASP booth.

; [[OWASP_Israel_2007_Conference|OWASP Israel 2007 conference at the Interdisciplinary Center Herzliya (IDC)]]
: the 1st official OWASP conference in Israel, was held on Dec 3rd 2007 at the Interdisciplinary Center (IDC) Herzliya. The conference really set itself as an event you must come to if you have anything to do with application security. [ [http://picasaweb.google.com/oshezaf/OWASPIsrael2007 pictures from the conference]

[[Category:Middle East]]

Category:Israel

2013-06-01T10:11:17Z

Oshezaf: /* Previous OWASP Israel Conferences and Meetings */

{{Chapter Template|chaptername=Israel|extra= 

The chapter leader is '''[mailto:ofer.maor@owasp.org Ofer Maor]'''.

* OWASP Israel Board:'''[mailto:ofer@shezaf.com Ofer Shezaf]''' (Chapter Founder), '''Avi Douglen''', '''Or Katz''',''' Adi Sharabani''',''' Ofer Maor''', '''Ory Segal'''
* [[OWASP_Top10_Hebrew|OWASP Top 10 Hebrew]]: Or Katz
* Homepage Maintenance: Ofer Shezaf, Ofer Maor
* Mailing List Management: Ofer Shezaf, Avi Douglen, Ofer Maor

|mailinglistsite=http://lists.owasp.org/mailman/listinfo/owasp-israel|emailarchives=http://lists.owasp.org/pipermail/owasp-israel}}

<paypal>Israel</paypal>

== OWASP Activity ==

* An annual conference, usually in September (see [[OWASP_Israel_201|2012 conference information]] for more details)
* Periodical meetings. If you would like to host a meeting or speak in one contact [mailto:ofer.maor@owasp.org Ofer Maor] or [mailto:ofer@shezaf.com Ofer Shezaf].
* [[OWASP_Top10_Hebrew|OWASP Top 10 Hebrew translation]].
* Spreading the Word - Reaching out for more people, especially outside of the AppSec community.

If you have anything else on your mind, please speak up!

== OWASP Top 10 in Hebrew ==
The OWASP Top 10 was translated to Hebrew and is [[OWASP_Top10_Hebrew|available for download]].

== Previous OWASP Israel Conferences and Meetings ==
; [[OWASP_Israel_2013_05|OWASP Israel May 2013]] was held at RSA on May 28th 2013.

; [[OWASP_Israel_2013_02|OWASP Israel February 2013]] meeting was held at E&Y on February 12th 2013 ([[OWASP_ISRAEL_2013_02_Hebrew|Hebrew version]]).

;[[OWASP_Israel_2012|OWASP Israel 2012 conference]] Was held at the IDC on Sep 5th 2012.

;[[OWASP_Israel_2011|OWASP Israel 2011 Conference]] Was held in the IDC in Herzliya on Sep 15th 2011, with about 350 attendees.

;[[OWASP_Israel_2010|OWASP Israel 2010 Conference]] Was held in the IDC in Herzliya on Sep 6th 2010 with about 150 attendees.

;[[OWASP_Israel_2010_06|OWASP Israel Jun-2010]] meeting was held in IBM/Watchfire in Herzliya on Jun 22nd 2010.

;[[OWASP_Israel_2010_02|OWASP Israel Feb-2010]] meeting was held in Amdocs in Ra'anana on Feb 9th 2010 with over 70 attendees.

;[[OWASP_Israel_2010_01|OWASP Israel Jan-2010]] meeting was held in Breach Security in Herzliya on Jan 12th 2010 with over 60 attendees.

;[[OWASP_Israel_2009_12|OWASP Israel Dec-2009]] meeting was held in IBM/Watchfire in Herzliya in Dec 2009.

;[[OWASP_Israel_2009|OWASP Israel 2009]] conference was held at the Interdisciplinary Center Herzliya on Sunday, September 6th 2009.
: You can find the agenda and uploaded presentations [[OWASP_Israel_2009|here]].

; [[OWASP_Israel_2009_05|OWASP Israel May 2009 meeting]] was held at IBM in Park Azorim in Petach-Tikva on May 7th. The presentations were:
* Web-Based Man-in-the-Middle Attack, Adi Sharabani, IBM ([http://blog.watchfire.com/wfblog/2009/02/active-man-in-the-middle-attacks.html more info])
* Automation Attacks and Counter Measures, Ofer Shezaf, Xiom ([http://www.owasp.org/images/5/58/OWASP_Israel_-_May_2009_-_Ofer_Shezaf_-_Automation_Attacks.pdf presentation])
: [[OWASP_ISRAEL_2009_05_Hebrew|Full details in Hebrew]]

; [[OWASP_Israel_2009_03|OWASP Israel March 2009 meeting]] was held at the Tel-Aviv University on March 26th, with approximately 60 attendees. The presentations were:
* Securing cellular web applications, Mikko Saario, Founder, OWASP Finland, Security Architect, Large Telecom Solution Provider ([[Media:OWASP_Israel_-_March_2009_-_Mikko_Saario_-_Web_Application_Security_in_the_Mobile_World.pdf‎|download]])
* Real world implementation of a PCI DSS compliance key management, Yaron Hakon, [http://www.2bsecure.co.il 2bsecure] ([[Media:OWASP_Israel_-_March_2009_-_Yaron_Hakon_-_PCI_key_managment.pdf‎|download]])
* Detecting RFI attacks, Or Katz, [http://www.breach.com Breach Security] ([[Media:OWASP_Israel_-_March_2009_-_Or_Katz_-_RFI_detection.pdf‎|download]])
* WAFEC 2.0 - Do WAFs deliver?, Ofer Shezaf, [http://www.xiom.com Xiom] ([[Media:OWASP_Israel_-_March_2009_-_Ofer_Shezaf_-_Why_WAFs_fail.pdf‎|download]])
: [[OWASP_ISRAEL_2009_03_Hebrew|Full details in Hebrew]]

; [[OWASP_Israel_2009_01|OWASP Israel January 2009 meeting]] was held at Checkpoint on January 28th, with over a 100 people attending. The presentations were:
* Improving Web Application Firewall testing for better deployment in production network, Gregory Fresnais from BreakingPoint, visiting us from France ([[Media:OWASP_Israel_2009_01_Gregory_Fresnais_Measuring_WAF_Performance.pdf‎|download]])
* Web 2.0 Hacking, Nimrod Luria, Qrity ([[Media:OWASP_Israel_2009_01_Nimrod_Luria_Web_2.0_Security.pdf‎|download]])
* Wiki Security, Ofer Shezaf, Xiom ([http://www.xiom.com/research/wiki_security download])

; [[OWASP_Israel_2008_Conference_at_the_Interdisciplinary_Center_Herzliya|The OWASP Israel 2008 conference at the Interdisciplinary Center Herzliya (IDC)]] was held on September 14th with 250 attendees.

; OWASP Israel at the [http://www.idc.co.il/?showproduct=31108&content_lang=ENG IDC Security Road Show]
: OWASP sponsored the IDC Security Road Show event in Israel on June 3rd 2008. Thanks for Iris Lev-Ari and Tomer Teller for the help in the OWASP booth.

; [[OWASP_Israel_2007_Conference|OWASP Israel 2007 conference at the Interdisciplinary Center Herzliya (IDC)]]
: the 1st official OWASP conference in Israel, was held on Dec 3rd 2007 at the Interdisciplinary Center (IDC) Herzliya. The conference really set itself as an event you must come to if you have anything to do with application security. [ [http://picasaweb.google.com/oshezaf/OWASPIsrael2007 pictures from the conference]

[[Category:Middle East]]

Category:Israel

2013-06-01T10:10:28Z

Oshezaf:

{{Chapter Template|chaptername=Israel|extra= 

The chapter leader is '''[mailto:ofer.maor@owasp.org Ofer Maor]'''.

* OWASP Israel Board:'''[mailto:ofer@shezaf.com Ofer Shezaf]''' (Chapter Founder), '''Avi Douglen''', '''Or Katz''',''' Adi Sharabani''',''' Ofer Maor''', '''Ory Segal'''
* [[OWASP_Top10_Hebrew|OWASP Top 10 Hebrew]]: Or Katz
* Homepage Maintenance: Ofer Shezaf, Ofer Maor
* Mailing List Management: Ofer Shezaf, Avi Douglen, Ofer Maor

|mailinglistsite=http://lists.owasp.org/mailman/listinfo/owasp-israel|emailarchives=http://lists.owasp.org/pipermail/owasp-israel}}

<paypal>Israel</paypal>

== OWASP Activity ==

* An annual conference, usually in September (see [[OWASP_Israel_201|2012 conference information]] for more details)
* Periodical meetings. If you would like to host a meeting or speak in one contact [mailto:ofer.maor@owasp.org Ofer Maor] or [mailto:ofer@shezaf.com Ofer Shezaf].
* [[OWASP_Top10_Hebrew|OWASP Top 10 Hebrew translation]].
* Spreading the Word - Reaching out for more people, especially outside of the AppSec community.

If you have anything else on your mind, please speak up!

== OWASP Top 10 in Hebrew ==
The OWASP Top 10 was translated to Hebrew and is [[OWASP_Top10_Hebrew|available for download]].

== Previous OWASP Israel Conferences and Meetings ==
; [[OWASP_Israel_2013_05|OWASP Israel May 2013]] was held at RSA on May 28th 2013'''

; [[OWASP_Israel_2013_02|OWASP Israel February 2013]] meeting was held at E&Y on February 12th 2013 ([[OWASP_ISRAEL_2013_02_Hebrew|Hebrew version]]).

;[[OWASP_Israel_2012|OWASP Israel 2012 conference]] Was held at the IDC on Sep 5th 2012.

;[[OWASP_Israel_2011|OWASP Israel 2011 Conference]] Was held in the IDC in Herzliya on Sep 15th 2011, with about 350 attendees.

;[[OWASP_Israel_2010|OWASP Israel 2010 Conference]] Was held in the IDC in Herzliya on Sep 6th 2010 with about 150 attendees.

;[[OWASP_Israel_2010_06|OWASP Israel Jun-2010]] meeting was held in IBM/Watchfire in Herzliya on Jun 22nd 2010.

;[[OWASP_Israel_2010_02|OWASP Israel Feb-2010]] meeting was held in Amdocs in Ra'anana on Feb 9th 2010 with over 70 attendees.

;[[OWASP_Israel_2010_01|OWASP Israel Jan-2010]] meeting was held in Breach Security in Herzliya on Jan 12th 2010 with over 60 attendees.

;[[OWASP_Israel_2009_12|OWASP Israel Dec-2009]] meeting was held in IBM/Watchfire in Herzliya in Dec 2009.

;[[OWASP_Israel_2009|OWASP Israel 2009]] conference was held at the Interdisciplinary Center Herzliya on Sunday, September 6th 2009.
: You can find the agenda and uploaded presentations [[OWASP_Israel_2009|here]].

; [[OWASP_Israel_2009_05|OWASP Israel May 2009 meeting]] was held at IBM in Park Azorim in Petach-Tikva on May 7th. The presentations were:
* Web-Based Man-in-the-Middle Attack, Adi Sharabani, IBM ([http://blog.watchfire.com/wfblog/2009/02/active-man-in-the-middle-attacks.html more info])
* Automation Attacks and Counter Measures, Ofer Shezaf, Xiom ([http://www.owasp.org/images/5/58/OWASP_Israel_-_May_2009_-_Ofer_Shezaf_-_Automation_Attacks.pdf presentation])
: [[OWASP_ISRAEL_2009_05_Hebrew|Full details in Hebrew]]

; [[OWASP_Israel_2009_03|OWASP Israel March 2009 meeting]] was held at the Tel-Aviv University on March 26th, with approximately 60 attendees. The presentations were:
* Securing cellular web applications, Mikko Saario, Founder, OWASP Finland, Security Architect, Large Telecom Solution Provider ([[Media:OWASP_Israel_-_March_2009_-_Mikko_Saario_-_Web_Application_Security_in_the_Mobile_World.pdf‎|download]])
* Real world implementation of a PCI DSS compliance key management, Yaron Hakon, [http://www.2bsecure.co.il 2bsecure] ([[Media:OWASP_Israel_-_March_2009_-_Yaron_Hakon_-_PCI_key_managment.pdf‎|download]])
* Detecting RFI attacks, Or Katz, [http://www.breach.com Breach Security] ([[Media:OWASP_Israel_-_March_2009_-_Or_Katz_-_RFI_detection.pdf‎|download]])
* WAFEC 2.0 - Do WAFs deliver?, Ofer Shezaf, [http://www.xiom.com Xiom] ([[Media:OWASP_Israel_-_March_2009_-_Ofer_Shezaf_-_Why_WAFs_fail.pdf‎|download]])
: [[OWASP_ISRAEL_2009_03_Hebrew|Full details in Hebrew]]

; [[OWASP_Israel_2009_01|OWASP Israel January 2009 meeting]] was held at Checkpoint on January 28th, with over a 100 people attending. The presentations were:
* Improving Web Application Firewall testing for better deployment in production network, Gregory Fresnais from BreakingPoint, visiting us from France ([[Media:OWASP_Israel_2009_01_Gregory_Fresnais_Measuring_WAF_Performance.pdf‎|download]])
* Web 2.0 Hacking, Nimrod Luria, Qrity ([[Media:OWASP_Israel_2009_01_Nimrod_Luria_Web_2.0_Security.pdf‎|download]])
* Wiki Security, Ofer Shezaf, Xiom ([http://www.xiom.com/research/wiki_security download])

; [[OWASP_Israel_2008_Conference_at_the_Interdisciplinary_Center_Herzliya|The OWASP Israel 2008 conference at the Interdisciplinary Center Herzliya (IDC)]] was held on September 14th with 250 attendees.

; OWASP Israel at the [http://www.idc.co.il/?showproduct=31108&content_lang=ENG IDC Security Road Show]
: OWASP sponsored the IDC Security Road Show event in Israel on June 3rd 2008. Thanks for Iris Lev-Ari and Tomer Teller for the help in the OWASP booth.

; [[OWASP_Israel_2007_Conference|OWASP Israel 2007 conference at the Interdisciplinary Center Herzliya (IDC)]]
: the 1st official OWASP conference in Israel, was held on Dec 3rd 2007 at the Interdisciplinary Center (IDC) Herzliya. The conference really set itself as an event you must come to if you have anything to do with application security. [ [http://picasaweb.google.com/oshezaf/OWASPIsrael2007 pictures from the conference]

[[Category:Middle East]]

OWASP ISRAEL 2013 02 Hebrew

2013-05-07T21:30:21Z

Oshezaf:

<div dir="rtl" lang="he">
מפגש פברואר 2013 של OWASP נערך ב 12.2.2013, יום שלישי במרכז ההדרכה של ארנסט אנד יאנג ברחוב מיטב 6, תל אביב (
[https://www.owasp.org/index.php/File:OWASP_IL_EY_MAP.png מפה]).

סדר יום של המפגש:

'''17:00 – 17:30 התאספות, פיצה ושתיה קלה.'''

'''17:30 – 17:45 דברי פתיחה.'''

'''17:45 – 18:30 איציק קוטלר – היכרות עם Pythonect''' ([https://www.owasp.org/images/4/4a/OWASP_IL_2013_02_Itzik_Kotler_Pythonect_for_SP.pdf מצגת])

Pythonect היא שפת תכנות חדשה וניסיונית אשר תומכת בפרדיגמת תכנות של Dataflow Programming.
השפה מנסה לשלב בין הקלילות של Shell Scripting (וכל מה שנגזר מכך, כולל לדוגמא: Implicit Parallelism) והגמישות של שפת Python.
Pythonect נפלאה ליצירה מהירה של כלי מחקר ובדיקה של אבטחת מידע, החל מ- Fuzzers ועד Revesre Engineering ו- Penetration Testing.
בהרצאה זאת אסביר על Pythonect ובנוסף אראה דוגמאות קוד שימחישו את היתרונות של השפה.

'''18:30 – 19:15 רננה פרידליך - הפשע כן משתלם - אלא אם כן נתפסת!!'''
([https://www.owasp.org/images/2/27/OWASP_IL_2013_02_Renana_Friedlich_CrimeDoesPay.pdf מצגת])

בואו נגיד שבאמת נתפסת!! - מה אם × בוצע במדינה א', הפרוקסי יושב במדינה ב', והמטרה במדינה ג'?
* היכן נמצאת הסמכות השיפוטית?
* מהם תהליכי ההאשמה וההרשעה?
* לפי חוקים של איזו מדינה תישפטו?

האם ביצוע SQL INJECTION יכול להשליככם לכלא ?האם XSS יוכל?
* מה בעצם "עבירת מחשב"?

בנוסף, אנחנו נדבר גם על שיתופי פעולה בין מדינות בנושא עביר× מחשב:
* מה קיים בין המדינות ומה לא?
* מהם סיכוייך להיות מוסגר למדינה אחרת בעקבות עבירו× מחשב?

אך בואו נגיד שבאמת הורשעתם...
* האם ידעת שיש אפשרות לקבל מאסר עולם על עבירות מחשב?
* מצד שני.... האם זה באמת כ"כ קשה לצאת נקי מכל העסק?

הרצאה זו תענה על כל השאלות הנ"ל ותקשר את עולם עבירות המחשב בסביבות WEB לעולם עבירות המחשב.

'''19:15 – 19:30 הפסקת קפה'''

'''19:30 – 20:15 פנל WAFEC עופר שיזף מנחה'''

(הפאנל לא כלל מצגת, ניתן למצוא פרטים נוספים על WAFEC [http://wafec.webasppsec.org באתר]])

WAFEC, המדריך להערכת Web Application Firewalls, שפורסם לראשונה ב- 2006 הוא למעשה הסטנדרט ללימוד ולהערכת Web Application Firewalls ונעשה בו תכופות שימוש במכרזים בתחום. חברי קבוצת הפרויקט, הכוללים את כל המי-ומי בתחום בעולם (ואם שכחנו אותך את/ה מוזמנ/ת להצטרף) עובדת בימים אילו על הגרסה החדשה של המדריך. כחלק מכנס OWASP נפגיש בין מספר מהמחברים של הגרסה החדשה, כולם מומחים עולמיים בתחום, לדיון במצב טכנולוגית ה-WAF, מצב התעשייה, והאתגרים בכתיבת מדריך להערכת WAFs. הפנל יהיה אינטראקטיבי ויתבסס על שאלות שלי ושלכם. אשמח לקבל שאלות מראש!
</div>