Italy OWASP Day Cagliari 2018

David Calligaris, Director of Vulnerability Research & Security Testing Automation Huawei Technologies GMBH

Bio Old School Security Guy, playing with memory corruption bugs since 2000. Former CTO of Cyber Security Firm Emaze S.p.A. currently leads the group for Vulnerability Research & Automation of Security Testing for Huawei Europe.

Talk Abstract The introduction of cloud services has changed the way we develop and deploy web applications, introducing new security issues. We often talk about risks related to the cloud but many times these can be traced back to old issues applied to a different context, but the cloud also introduces new classes of problems: Open Bucket, Subdomain Takeover are just some of the issues that are affecting the world of the application security. In this talk, we will explore how to identify these issues, what the real impacts are and what technologies are available to prevent and mitigate them.

Marco Pacchiardo

Bio Marco (aka V3t3r4n) has 20 years of experience in international security consulting and management, encompassing all areas of security. He is author of two books on security, guides and several articles for main italian Security IT magazines. He started his career in security late in 1995, working firstly for local companies where he had the opportunity to develop from scratch security functions and security portfolios with great success. He invented brand new services for security awareness, security compliance and risk management. Later he moved to international security consulting companies as Principal Security Consultant where he was asked to support customers in almost all continents. In this role he worked with enterprises and foreign governments to increase their security posture in the areas of compliance, risk management and technical countermeasures. More recently Marco took over the responsibility of the Italian security consulting function of a telco company as Head of Security Italy, where he managed to push and optimize the security proposition. He worked as Senior Enterprise Security Architect for a well known international company for which he was responsible for South Europe and Middle East.

Abstract How API work, how they can be attacked and how to protect API. You will learn the API framework of working, the vulnerabilities and threats and examples on how to exploit them.

Giuseppe Porcu, Minded Security

Bio: Giuseppe Porcu is a Security Consultant at Minded Security. He holds a Bachelor degree in Computer Science from the University of Cagliari, where he performed a Network Penetration Test for his thesis, then he moved to University of Verona to continue his studies in Software Engineering and Cyber Security. Before working at Minded Security he was an IT Consultant and Full Stack Developer, now he performs Web Application and Network Penetration Tests and other activities focused on Cyber Security. He is also interested in new technologies and Digital Forensics.

Abstract: This era has seen an increase in attacks to devices that we always carry with us and that we use for different activities, from playing videogame and watching videos to reading confidential messages and transferring funds from our bank account: our smartphones. The applications installed on our device, like websites and standalone applications, could be subject to vulnerabilities often left unconsciously by developers. The vision of this project is to define the industry standard for mobile application security and in this presentation we will introduce the Mobile Security Testing Guide, a comprehensive manual for mobile app security testing. This manual could be a very useful resource for developers and testers in order to do build and mantain secure mobile applications. We will see the testing techniques for the key areas in mobile application security like local data storage, secure communication, anti-tampering and anti-reversing etc.. We will see also some real vulnerabilities we found during our tests in order to analyze some specific related mobile security problems.

Igino Corona, Computer Security Researcher, Co-Founder & Security CTO at Pluribus One Bio: Igino Corona received the M.Sc. Degree in Electronic Engineering from the University of Cagliari, in 2006. In his MSc thesis (in Italian), he discussed the design and the implementation (in Python and C++ programming languages) of an anomaly-based, unsupervised Intrusion Detection System for the analysis of the HTTP traffic. The Clusit Association awarded this work as one of the best Italian research thesis on computer system security.

Abstract: Modern web services rely on complex, distributed architectures, characterized by a myriad of inter-dependent interpreters running at both client- and server-side. This makes web security an impressively hard task. However, in this presentation we will see that many vulnerabilities, including those in the TOP 10 OWASP, although apparently unrelated to each other, actually share the same root cause. Identifying and focusing on the root cause of vulnerabilities allows one to prefigure general and well-suited prevention and protection measures, capable to address both known and new security issues. Throughout the discussion, we will make concrete application examples according to our framework.

Learning objectives Many vulnerabilities, including those in the TOP 10 OWASP, although apparently unrelated to each other, actually share the same root cause. Focusing on the root cause of vulnerabilities allows one to foresee new security problems. Focusing on the root cause of vulnerabilities allows one to prefigure general and well-suited prevention and protection measures against web attacks.Concrete application of the framework to address known attacks and foresee new attacks

Marco Festa, Politecnico di Milano

Bio: "Marco Festa is a student finishing his Master Degree in Computer Science and Engineering at Politecnico di Milano. For the past 2 years he has been working for Cefriel as a Cyber Security Engineer performing (mostly but not only) penetration testing and vulnerability assessment activities. Focused on reverse engineering and binary exploitation he's also an hard-core CTF player with Polimi's official team "Tower Of Hanoi". He actively participated in the creation of the Italian super team mHACKeroni (DEFCON CTF Finalist in 2018)"

Abstract: "In this talk, we present our story on how we ended up playing DEF CON CTF Finals in Las Vegas. mHackeroni is born in April 2018 from 5 different Italian CTF teams who decided to merge their diversified skills and join the ultimate flag capturing machine. In May 2018 we played the DEF CON Qualifier event achieving an unexpected 2nd place! What now ? How do we survive Vegas Finals? Be prepared, develop tools, have a strategy, network infrastructure ...and then... change everything during the competition: new strategies, some tools don't work, keep hacking, sync each other, no sleep, NO INTERNET ?!?! At the end of the talk we'll try to write a "0day" exploit for a legacy browser to solve one of the qualifiers challenges. The service will be opened to the audience as well, who gets the flag first wins..."

The Conference is entrance free but you need to register to participate.

Please use the following link to researve your seat!

https://www.eventbrite.it/e/biglietti-owasp-italy-day-2018-cagliari-50038283854

• The event will show several points of discussion: we will present the state of the art of the Secure Software Initiatives and technical speeches about the new researches in Application Security.
• Conference goal is creating a debate on which will be the evolution of the research for the Web Application Security, and how to start a secure software initiative.

Thank you to our sponsors:

www.mindedsecurity.com

www.numera.it