OWASP Bucharest AppSec Conference 2016 Agenda Talks
Conference agenda

| Time | Title | Speaker | Description |
|---|---|---|---|
| 8:30 - 9:00 (30 mins) | Registration and coffee break | | |
| 9:00 - 9:15 (15 mins) | Introduction | Oana Cornea | Introduction to the OWASP Bucharest Event, Schedule for the Day |
| 9:15 - 10:00 (45 mins) | Handling of Security Requirements in Software Development Lifecycle | Daniel Kefer | The bigger the company you're working in, the more technologies and methodologies used by development teams you are going to face. At the same time, you want to address security risks in an appropriate, reliable and traceable way for all of them. After a short introduction of a unified process for handling security requirements in a large company, the main part of the talk is going to focus on a tool called SecurityRAT (Requirement Automation Tool), which has been developed in order to support and accelerate this process. The goal of the tool is first to provide a list of relevant security requirements according to properties of the developed software, and afterwards to handle these in a mostly automated way, with integration with an issue tracker being used as a core feature. Work in progress and future plans will form the last part of the talk. |
| 10:00 - 10:45 (45 mins) | CSWSH (Cross-Site WebSocket Hijacking): Compromising WebSockets with an XSS vulnerability | Vali Malinoiu | The relatively new technique to allow full-duplex communication between client and server is gaining more and more attention from developers in order to build real-time web applications. During the process they open their application to a vulnerability sometimes called CSWSH. |
| 11:00 - 11:40 (40 mins) | Software assurance with OpenSAMM Part I | Jacco van Tuijl | More and more developers realize that something needs to change in their development process. This is to reduce the number of vulnerabilities and to be well prepared when incidents are reported. The Secure Software Development Life Cycle process (SSDLC) ensures that thought is given to security at all stages of the development process. This reduces the number of vulnerabilities in delivered software and provides a thorough process for handling incidents. |
| 11:50 - 12:30 (40 mins) | Software assurance with OpenSAMM Part II | Jacco van Tuijl | There are several frameworks for the implementation of SSDLC, like BSIMM, MS SDL and OpenSAMM. Jacco van Tuijl will discuss OpenSAMM, the Software Assurance Maturity Model: a completely open framework of OWASP. Jacco will share experiences regarding the implementation of OpenSAMM within various organizations. |
| 12:30 - 13:30 (60 mins) | Lunch/Coffee Break | | |
| 13:30 - 14:15 (45 mins) | How to handle bot threats | Andrei Daniel Oprisan | This talk is an overview, from a security perspective, of the robotic systems (bots) that we can find today over the internet. It consists of two main parts: Robot Detection and Robot Mitigation. I will explain how the detection models can be applied in preventing the robots from harming the website, but also why it is important not to affect the user experience in a significant way. |
| 14:15 - 15:00 (45 mins) | Mass-analyzing a chunk of the Internet: The Romanian IT landscape | Alexandru George Andrei | Scanning the internet is a bad idea. It's what bad guys do every day. Looking for misconfigurations, vulnerable servers, unpatched critical vulnerabilities and IoT devices in a fun, informative and "non-intrusive way" to determine just how vulnerable Romania is. From the defensive side, we are going to be able to tell precisely how many systems are still vulnerable to Heartbleed and other critical vulnerabilities exposed in the last years, how many systems could be used in a DDoS attack (NTP amplification or otherwise), survey all SSL certificates and implementations and get a good view of the IT assets that are publicly facing in Romania. |
| 15:00 - 15:15 (15 mins) | Coffee break | | |
| 15:15 - 16:00 (45 mins) | Static Application Security Testing (SAST) to combat the risk to web and mobile applications | Moni Stern | Application security is the number one priority of security professionals, but developers just want to code. Getting developers to use Application Security Testing is one of the biggest challenges facing security professionals today. How can both be accomplished? |
| 16:00 - 16:45 (45 mins) | It's time to go hunting! Indicators of Compromise vs. Indicators of Attack | Octavian Savin and Mihai Capraru | Cyber defense isn't a new domain anymore and it is in continuous change. A few years ago the boundary defense approach was the state of the art in this field, but now we are facing a multi-layered one with complex mechanisms, ranging from user behavior analysis to advanced threat hunting. For many years now a very effective solution for identifying computer infections was the utilization of Indicators of Compromise in different formats, but the evolution of malware complexity has made the development of IOCs a time-consuming action. |
| 16:45 - 17:00 (15 mins) | Closing ceremony | OWASP Bucharest team | CTF Prizes |