AppSec Israel 2015 Presentations - Revision history

Avi Douglen: /* Cross-Site Search Attacks */

2015-12-17T02:11:07Z

‎Cross-Site Search Attacks

Avi Douglen: /* The Node.js Highway: Attacks are at Full Throttle */

2015-12-14T21:42:11Z

‎The Node.js Highway: Attacks are at Full Throttle

Avi Douglen: /* Internet of Things (IOT) Insecurity */

2015-11-27T09:16:16Z

‎Internet of Things (IOT) Insecurity

Avi Douglen: Added presentations

2015-11-18T01:50:32Z

Added presentations

Avi Douglen at 06:20, 15 October 2015

2015-10-15T06:20:12Z

Avi Douglen: /* Keynote - Main Auditorium */

2015-10-12T07:40:00Z

‎Keynote - Main Auditorium

Avi Douglen: /* Keynote - Main Auditorium */

2015-10-12T07:26:40Z

‎Keynote - Main Auditorium

Avi Douglen: Added links to schedule

2015-10-11T01:52:25Z

Added links to schedule

Avi Douglen: /* One Class to Rule Them All: Deserialization Vulnerabilities in Android */

2015-10-08T23:13:36Z

‎One Class to Rule Them All: Deserialization Vulnerabilities in Android

Avi Douglen: /* Theories of Agile, Fails of Security */

2015-10-08T23:01:17Z

‎Theories of Agile, Fails of Security

@@ Line 308: / Line 308: @@
 === Cross-Site Search Attacks ===
-''''' Hemi Leibowitz, Cyber Security Researcher at Bar Ilan University and a lecturer at the College of Management '''''    <br />
+''''' Hemi Leibowitz, Cyber Security Researcher at Bar Ilan University and a lecturer at the College of Management '''''
 Cross-site search (XS-search) attacks circumvent the same-origin policy and extract sensitive information, by using
 the time it takes for the browser to receive responses to search queries.
@@ Line 327: / Line 330: @@
 <br/><u>Language:</u> Hebrew
 <br>
 === Certifi-gate - Front Door Access to Pwning hundreds of Millions of Androids Devices: The Aftermath. ===

@@ Line 57: / Line 57: @@
 === The Node.js Highway: Attacks are at Full Throttle  ===
 ''''' Helen Bravo, Product Management Director at Checkmarx '''''    <br />
 The popularity of the Node.js coding language is soaring. Just five years after its debut, the language’s framework now boasts more 2 million downloads a month. It’s easy to understand why. This event-driven language kept the simplicity of existing Web concepts and trashed the complexities; applications built on Node.js do not require a dedicated Web server to run; and Google is even pushing the language with its enhanced V8 engine for the Google Chrome Web browser. In fact, just consider Node.js as the drive-and-go language.
 But before accelerating too quickly, it is important to understand the power – and corresponding mishaps – of this language.
@@ Line 80: / Line 82: @@
 <br/><u>Language:</u> English
 <br>
 === Security Automation in the Agile SDLC - Real World Cases ===

@@ Line 28: / Line 28: @@
 ''''' Erez Metula, Application Security Expert and Chairman, AppSec Labs '''''    <br />
 ''''' Israel Chorzevski, CTO, AppSec Labs '''''    <br />
 During this talk we're going to discuss the security of the so called internet-of-things (IOT),and have a better understanding of what it's all about. This talk will give a broad overview of  IOT , the major vulnerabilities that are out there, challenges that exist in securing the things , and what we as security people can do about it.
@@ Line 52: / Line 54: @@
 <br/><u>Language:</u> Hebrew
 <br>
 === The Node.js Highway: Attacks are at Full Throttle  ===

@@ Line 103: / Line 103: @@
 '''המרגל בארגז החול: התקפות מטמון ב-Javascript, וההשלכות שלהן''' <br/>
 ''''' Yossi Oren, Senior Lecturer at the Department of Information Systems Engineering, Ben Gurion University '''''    <br />
 Side channel analysis is a remarkably powerful cryptanalytic technique. It allows attackers to extract secret information hidden inside a secure device, by analyzing the physical signals (e.g., power, heat) that the device emits as it performs a secure computation. While the potency of side-channel attacks is established without question, their application to practical settings is debatable. The main limiting factor to the practicality of side-channel attacks is the problematic attack model they assume; with the exception of network-based timing attacks, most side-channel attacks require the attacker be in “close proximity” to the victim.
@@ Line 125: / Line 127: @@
 ''' התקפת הברנש בענן ''' <br/>
 ''''' Sagie Dulce, ADC TL, Imperva '''''    <br />
 File synchronization services, such as GoogleDrive, DropBox and others are becoming widespread, both with private and corporate use. These applications, while offering great convenience to their users, also provide a hacker with ideal platform for C2 infrastructure. Instead of setting up a new C2 server, an attacker simply needs to open a new cloud storage account, or even use the victims account as the platform.
@@ Line 147: / Line 151: @@
 === Game of Hacks: Play, Hack & Track ===
 ''''' Amit Ashbel, AppSec Strategist at Checkmarx '''''    <br />
 We created “Game of Hacks”– a viral web app marketed as a tool to train developers on secure coding – with the intention of building a honeypot.  Game of Hacks, built using the node.js framework, displays a range of vulnerable code snippets challenging the player to locate the vulnerability. A multiplayer option makes the challenge even more attractive and the leaderboard spices up things when players compete for a seat on the iron throne.
@@ Line 172: / Line 178: @@
 === One Class to Rule Them All: Deserialization Vulnerabilities in Android ===
 ''''' Roee Hay, Application Security Research Team Lead, IBM X-Force '''''    <br />
 We present high severity vulnerabilities in Android.
@@ Line 194: / Line 202: @@
 ''' מת לחיות 0x3E9 ''' <br/>
 ''''' Yaniv Balmas, Security Researcher, Check Point Software Technologies '''''    <br />
 Along the years many attempts have been made to combine static and dynamic analysis results. Some were good, other were bad, however the fact is that those two approaches still remain mostly separated as most analysis tools focus on one of them only.
@@ Line 230: / Line 240: @@
 === From zero to secure in 1 minute ===
 ''''' Moshe Ferber, Chairman, Cloud Security Alliance Israel '''''    <br />
 Companies moving to cloud infrastructure (IaaS) discover that they can do amazing things with the automation of infrastructure tasks. Companies can deploy environments in seconds and do production changes several times a day - but security still holds them down. Many of our security procedures have not adopted to cloud automation and still relay on traditional maintenance windows and manual tasks such as static / dynamic analysis, vulnerability scans, hardening and more. And this is a major obstacle in a world where cloud instance can be installed, configured moved to production and terminate within an hour. So security must to adopt to this new accelerated life cycle and change accordingly. In this presentation, we will demonstrate how to automate creation of instances, generating and safeguarding encryption keys, do configuration management and security scans and automatically process the results and take decisions accordingly. The result is cloud instances that are launched and configured with security requirements in automated way within minutes. Implementing the techniques and tools shown can help organizations to overcome security challenges and make sure that security is not the bottleneck on the way to faster applications deployments.
@@ Line 245: / Line 257: @@
 === Why Are Hackers Winning the Mobile Malware Battle ===
 ''''' Yair Amit, CTO & Co-Founder, Skycure '''''    <br />
 In the proverbial game of cat-and-mouse between endpoint security vendors and malware writers, malware attacks have recently grown more sophisticated. More enterprises are losing ground to hackers, who are able to outmaneuver static and runtime solutions by constantly changing their attack strategies. In his presentation, Yair will break down the current set of techniques (signatures, static analysis, dynamic analysis, social cyber-intelligence) used to identify malware on mobile devices, and identify the pros and cons of these approaches. He will also explain why attackers constantly succeed in fooling these technologies, and explore the problem of false positive/false negative tradeoffs in such solutions. In order to demonstrate the aforementioned, Yair will create on stage a malicious mobile app live, which can bypass signatures, static and dynamic analysis approaches.
@@ Line 266: / Line 279: @@
 === Too Big to Fail - Breaking WordPress Core ===
 ''''' Netanel Rubin, Senior Vulnerability Researcher, PerimeterX '''''    <br />
 When attacking web applications, what do you do when there are no injection points? No false-assumptions? No logical errors?
@@ Line 339: / Line 353: @@
 ''' הצילו, אבטחת מידע אג'ילית! ''' <br/>
 ''''' Daniel Liber, R&D Security Leader, CyberArk '''''    <br />
-Format: Lecture
+([[Media:AppSecIL2015_Theories_of_Agile_Fails_of_Security_DanielLiber.pptx|download presentation]])
 Buzzwords about Agile are flying around in overwhelming speed, talks about Scrum, Kanban, XP and other methodologies and practices are thoroughly discussed while security is still left as a 'high level' talk or sometimes as understanding how to adapt from traditional development methodologies. Some best practices will leave you scratching your head, unsure what was the original intention and without understanding how to implement security in Agile, effectively. This lecture will bring the all the undocumented failures during such process, and best ways of avoiding them prior to experiencing them.

@@ Line 8: / Line 8: @@
 === Keynote: The Rebellious Teenage Years: 15 years of Web Security  ===
 ''''' Jeremiah Grossman, Founder, WhiteHat Security '''''      <br />
 It's been 15 years of Web Security. Jeremiah will discuss where we’ve been, where we are, and where we’re going.

@@ Line 17: / Line 17: @@
 Innovator. Inventor. Protector of the Web. Jeremiah Grossman is the founder of WhiteHat Security.
-Jeremiah possesses a unique combination of technology savvy, customer advocacy and personal passion to lead WhiteHat into the future. A world-renowned web security expert, sought-after speaker and influential blogger, Jeremiah brings a literal lifetime of information security experience, both homegrown and from his days as Yahoo!’s information security engineer, to the role. The ultimate “WhiteHat,” Jeremiah is also founder of the Web Application Security Consortium and the mind behind Aviator, WhiteHat’s next generation secure web browser. In his spare time, Jeremiah practices Brazilian Jiu jitsu and has earned a black belt.
+Jeremiah possesses a unique combination of technology savvy, customer advocacy and personal passion to lead WhiteHat into the future. A world-renowned web security expert, sought-after speaker and influential blogger, Jeremiah brings a literal lifetime of information security experience, both homegrown and from his days as Yahoo!’s information security engineer. The ultimate “WhiteHat,” Jeremiah is also founder of the Web Application Security Consortium and the mind behind Aviator, WhiteHat’s next generation secure web browser. In his spare time, Jeremiah practices Brazilian Jiu jitsu and has earned a black belt.
 <br>
 <br/><u>Language:</u> English

@@ Line 7: / Line 7: @@
 = Keynote - Main Auditorium =
-=== Keynote: 15 years of Web Security: Where we’ve been, where we are, and where we’re going ===
+=== Keynote: The Rebellious Teenage Years: 15 years of Web Security  ===
 ''''' Jeremiah Grossman, Founder, WhiteHat Security '''''      <br />
 <br>
@@ Line 18: / Line 20: @@
 <br>
 <br/><u>Language:</u> English
 <br/>
 = Track 1 - Main Auditorium =

← Older revision		Revision as of 01:52, 11 October 2015
Line 1:		Line 1:
		+
		+	Here are the full descriptions of the talks at [[AppSec_Israel_2015\|AppSec Israel 2015]], and the biographies for each of the speakers.
		+
		+	The [https://appsecil2015.sched.org/ full schedule can be found and subscribed here].
		+

	= Keynote - Main Auditorium =		= Keynote - Main Auditorium =