This site is the archived OWASP Foundation Wiki and is no longer accepting Account Requests.
To view the new OWASP Foundation website, please visit https://owasp.org

OWASP Bucharest AppSec Conference 2017 Talks

From OWASP
Jump to: navigation, search

Conference agenda, 13th of October

Time Title Speaker Description
9:00 - 9:30
(30 mins)
Registration and coffee break
9:30 - 9:45
(15 mins)
Introduction Oana Cornea Introduction to the OWASP Bucharest Event, Schedule for the Day
9:45 - 10.30
(45 mins)
Threat modelling – How we deconstruct systems and the threats they are at risk from Mustafa Kasmani The presentation focuses on plenty of great case studies in threat modelling – how we deconstruct systems and the threats they are at risk from.

There will be implicit training in the form of practical exercises in how you calculate risk and accountability. Threat modelling also involves different disciplines in design, development and security so we expect the audience to join the conversation.

10:45 - 11.30
(45 mins)
Testing for cyber resilience: tools & techniques for adversary attack/defense simulation Teodor Cimpoesu and Adrian Ifrim We know that testing selected points around large infrastructures, combined with testing a subset of the enterprise applications (the critical ones) is no longer enough to match what is going on in the wild in terms of cyber risk.

Nowadays real attacks often go undetected for months, use modern tools & techniques, and the responders many times get overwhelmed by the complexity of analysis, time pressure, and the need to understand adversary tactics.
In this presentation and demo, we will show some common techniques of getting a foothold in a target, stealing credentials, doing lateral movement and preparing for data exfil from the red teamer perspective, as well as best practices and approaches for blue teamers to detect and respond to them.

11:45 - 12.30
(45 mins)
Less Known Web Application Vulnerabilities Ionut Popescu Many application programs (including their testing strategies) rely on rather simple standards, sometimes even as simple as OWASP Top Ten. This often leads to a false sense of security – developers tend to believe that if they have worked their way through ready-made checklists and took proper care of the well-known topics like authentication, authorization or using parameterized queries, there should be no big surprises ahead.

Nevertheless, the real world of application security is way more complicated than this. New attack vectors are being found on a regular basis and security standards and vulnerability libraries tend to get obsolete pretty fast. It’s nearly impossible to keep on track regarding all vulnerabilities which an application can be vulnerable to.
The goal of this talk is to raise awareness about this topic. Several less known security vulnerabilities will be explained, shown in practice and mitigation strategies will be proposed.

12:30 - 13:30
(60 mins)
Lunch/Coffee Break
13:30 - 14:15
(45 mins)
‎ Overview of TLS v1.3 Andy Brodie Transport Layer Secure (TLS), a.k.a. Secure Sockets Layer (SSL), is probably the most important security protocol used on the Internet today. It provides privacy, integrity and authentication for any two parties who want to have a secure conversation across the public Internet. Most popular websites and web services, and all online banking and payment services use TLS today, and the uptake is increasing as consumers demand more protection against both hackers and state agencies trying to monitor or interfere with communications.

The TLS v1.3 specification, managed by the Internet Engineering Task Force (IETF), is currently on its 21st draft and is aiming to be ratified later this year. It marks the biggest change in the protocol since 1996 when SSL v3.0 was published. Rather than incremental additions and deprecations, features such as RSA key exchange, 3DES and session renegotiation have been removed completely and big efficiency gains can now be made from one-round-trip and even zero-round-trip handshakes.

This talk will explain to the audience thee basics of TLS 1.3: the goals of the protocol and how it achieves them; what features have been added, removed and changed

The talk is technical, but does not require knowledge or experience of cryptography or mathematics.

14:20 - 15:05
(45 mins)
Protecting against credential stuffing attacks Cristian Opincaru,
Catalin Manole, Razvan Matei
Attackers have easy access to vast amounts of credentials from known breaches of major websites (ex. Yahoo: 1.5 billion credentials). Furthermore, automation tools specially crafted for ease of use, are readily available: Sentry.MBA (brute-forcer), ProxyScraper (scraper for open proxies), D3V Spider (credential scraper for Paste Bin). What’s more, tutorials are available on YouTube.

This presentation will go through reactive and proactive measures that authentication systems can take to protect their users against credential stuffing.

15:05 - 15:20
(15 mins)
Coffee break
15:20 - 16:05
(45 mins)
BDD Mobile security testing with OWASP MASVS, OWASP MSTG and Calabash Davide Cioccia Big companies only use mobile BDD tests to check that all the functionalities work. BDD security testing is becoming more and more important in the business panorama, where complex applications need to be tested continuously because part of continuous delivery (CD) and continuous integration (CD). Agile way of working requires more flexibility also in the security testing,so this means that a complete pentest at the end of the development is not enough anymore. OWASP MASVS and MSTG (Mobile Security Testing Guide), gives developers and security professionals hints on what to test and how. What if we can automate this tests directly in the development pipeline before building the application? Integrating together Cucumber, Calabash and Ruby is possible to create simple, medium and advanced security tests, automating the UI, accessing the Filesystem, Keychain, Databases, Logs in the background and check the memory on the fly.
16:05 - 16:50
(45 mins)
Securing the code and waiting for skilled hackers Sergiu Zaharia When code is analyzed and secured early in the development phase, the developers are really curious about the remaining channels that can be exploited by hackers.

Via this presentation we try to provide hints on the following topics:

  • What software security standards tell us and why we should listen to them;
  • Types of vulnerabilities statistically identified by SAST scanners on source code / Deep dive into some vulnerabilities discovered by SAST solutions;
  • Solutions at code level and for the software environment: supporting processes and technology (vendor-agnostic), architectures, features, limitations. / The holistic secure software development process model;
  • How can ethical hackers make use of SAST solutions to optimize their white box tests.
16:50 - 17:00
(15 mins)
Closing ceremony OWASP Bucharest team CTF Prizes