
Difference between revisions of "AppSecEU 2017 Developer Summit"

(AGENDA)
 
(11 intermediate revisions by 2 users not shown)
Line 1: Line 1:
<div class="center" style="width: auto; margin-left: auto; margin-right: auto;">[[File:Concept_belfast_final_02.pdf]]
+
<div class="center" style="width: auto; margin-left: auto; margin-right: auto;">[[File:Belfast_Banner_Ad.jpg]]
 
</div>
 
</div>
  
<div class="center" style="width: auto; margin-left: auto; margin-right: auto;">'''OWASP AppSec EU 2017  May 9th - 10th, 2017  Belfast, UK'''
+
<div class="center" style="width: auto; margin-left: auto; margin-right: auto;">'''OWASP AppSec Eu 2017  May 9th - 10th, 2017  Belfast, UK'''
 
</div>
 
</div>
 
<br>
 
<br>
<div class="center" style="width: auto; margin-left: auto; margin-right: auto;">We are excited to announce the [https://2017.appsec.eu/ OWASP Developer Summit EU 2017]. OWASP is providing a structured platform for Developers two full days prior to the AppSec EU 2017 conference. The Developer Summit will consist of a full day hands on developer session followed by two half day sessions geared towards vulnerabilities.</div>
+
<div class="center" style="width: auto; margin-left: auto; margin-right: auto;">We are excited to announce the [https://2017.appsec.eu/ OWASP Developer Summit Eu 2017]. <br /> OWASP is providing a structured platform for Developers two full days prior to the AppSec Eu 2017 conference. <br /> The Developer Summit will start with a full-day, hands-on developer session followed by two half day sessions geared towards learning about security vulnerabilities.</div>
  
<div class="center" style="width: auto; margin-left: auto; margin-right: auto;">Come by yourself or grab a couple friends. The Developer Summit is free (no charge) for anyone who would like to participate and learn something new. We just ask that you do [https://docs.google.com/spreadsheets/d/1mVVonj0axYtn3DSdku3nEsbSqx-rIrqgy9D1Gojg7AI/edit#gid=0 sign up] so we can get a head count to be sure we have enough space and food.
+
<div class="center" style="width: auto; margin-left: auto; margin-right: auto;">Come by yourself or grab a couple friends. The Developer Summit is free (no charge) for anyone who would like to participate and learn something new. <br /><br /> '''We just ask that you [https://docs.google.com/spreadsheets/d/1mVVonj0axYtn3DSdku3nEsbSqx-rIrqgy9D1Gojg7AI/edit#gid=0 SIGN UP]''' so we can get a head count to be sure we have enough space and food.
 
</div>
 
</div>
 
<br>
 
<br>
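Review bot: the rewritten heading and intro lines in this hunk downcase the acronym: 'OWASP AppSec Eu 2017', 'Developer Summit Eu 2017' and 'AppSec Eu 2017 conference' replace the earlier 'EU'. Restore 'EU' in all three places before the page goes live; the inserted <br /> breaks and the bold SIGN UP link are otherwise fine.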
Line 20: Line 20:
 
<br>
 
<br>
 
'''Reverse Engineering Android Apps with Bytecodeviewer'''<br>
 
'''Reverse Engineering Android Apps with Bytecodeviewer'''<br>
 +
https://drive.google.com/drive/u/0/folders/0B28S4R_cON7JNG5HWmtCeWF1clE
 +
 
<br>
 
<br>
 
'''Description hands on Session'''<br>
 
'''Description hands on Session'''<br>
Two important OWASP Top 10 Mobile risks are how resistance can an application be against Reverse Engineering and Code Tampering. In this hands on session, we will go through the process of Reverse Engineering known Android apps(like Facebook, some banking apps,Twitter etc), or bring your own app if you want and test it!
+
Two important OWASP Top 10 Mobile risks are how resistant an application is against Reverse Engineering and Code Tampering. In this hands on session, we will go through the process of Reverse Engineering known Android apps (like Facebook, some banking apps,Twitter etc), or bring your own app and test it if you want!
 
<br>
 
<br>
 
<br>
 
<br>
Some hands-on techniques we will go through:<br>
+
Using hands-on techniques you will learn:<br>
 
*How to apply OWASP Mobile Top 10, Mobile Testing Guide(in progress) and Android Cheat Sheet pen testing<br>
 
*How to apply OWASP Mobile Top 10, Mobile Testing Guide(in progress) and Android Cheat Sheet pen testing<br>
*Learn how hackers actually ‘decompile’ an APK and code tamper apps with Hooking methods using Xposed or changing Smali<br>
+
*How hackers actually ‘decompile’ an APK and code tamper apps with Hooking methods using Xposed or changing Smali<br>
*Learn Techniques to find useful information in highly obfuscated apps<br>
+
*Techniques to find useful information in highly obfuscated apps<br>
 
*How to bypass Certificate Pinning and Root detection<br>
 
*How to bypass Certificate Pinning and Root detection<br>
 
*What can you do to make your apps harder against Reverse Engineering
 
*What can you do to make your apps harder against Reverse Engineering
*Learn how to root a phone If you did not root a phone, bring one (make sure is using Nougat 6.0 or less)
+
*How to root a phone. If you have not root'ed a phone, bring one (make sure is using Android Nougat 6.0 or earlier versions of Android)
 
<br>
 
<br>
 
Requirements:
 
Requirements:
 
*Own laptop  
 
*Own laptop  
*Bytecodeviewer 2.9.8
+
*[https://github.com/Konloch/bytecode-viewer Bytecodeviewer 2.9.8]
*Dex2Jar
+
*[https://github.com/pxb1988/dex2jar Dex2Jar]
*JD-GUI
+
*[http://jd.benow.ca/ JD-GUI]
*ApkTool
+
*[https://ibotpeaches.github.io/Apktool/ ApkTool]
 
*https://github.com/voider1/a2scomp
 
*https://github.com/voider1/a2scomp
*Android Studio + SDK Tools installed  
+
*[https://developer.android.com/studio/index.html Android Studio + SDK Tools installed]
*A rooted Android Device /or we rooted on in the class
+
*A rooted Android Device /or you can root your device in the class
 
*USB Cable to connect to your android phone to the laptop
 
*USB Cable to connect to your android phone to the laptop
 
<br>
 
<br>
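Review bot: the new last bullet, '*How to root a phone. If you have not root'ed a phone, bring one (make sure is using Android Nougat 6.0 or earlier versions of Android)', pairs a codename and a version number that do not match (Android 6.0 is Marshmallow; Nougat is 7.x), so attendees cannot tell which devices qualify; state one of the two, write 'rooted', and add the missing 'it' in 'make sure it is using'. For consistency with the other tool bullets that gained link markup in this hunk, '*https://github.com/voider1/a2scomp' could become a named link as well.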
Line 49: Line 51:
 
Date: Wednesday, May 10th<br>  
 
Date: Wednesday, May 10th<br>  
 
Time: 9am-1pm (breakfast at 9am, lunch at 12pm)<br>
 
Time: 9am-1pm (breakfast at 9am, lunch at 12pm)<br>
Presenter: Spyros Gasteratos<br>
+
Presenter: Spyros Gasteratos
Details will be available soon!<br>
+
<br>
 +
<br>
 +
'''Automating On-Deploy Security Testing* of web applications with ZAP and Jen'''<br>
 +
<br>'''Description hands on Session'''
 +
 
 +
In this workshop we will go through installing and configuring Zap to work with Jenkins so that it automatically tests the deployed web application when we ask Jenkins to do so. Moreover we will write an example Zap plugin to better test specific parts of the example application.
 
<br>
 
<br>
 +
<br>
 +
We will go through:
 +
* Configuring Jenkins to work with ZAP (there’s a plugin, we’ll go through how it works)
 +
* Configuring the testing harness to work with ZAP
 +
* Writing zap plugins in order to test better
 +
<br>
 +
Requirements:
 +
<To be announced>
 +
 
<br>
 
<br>
 
[[File:Computer_image.jpeg]]<br>
 
[[File:Computer_image.jpeg]]<br>
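Review bot: the new session title '''Automating On-Deploy Security Testing* of web applications with ZAP and Jen''' is cut off (the description below names Jenkins) and carries an asterisk with no footnote; complete the title and either add the footnote or drop the asterisk. The change also removes the trailing <br> from 'Presenter: Spyros Gasteratos' while the Date and Time lines above keep theirs; keep the break for consistent spacing. 'Requirements: <To be announced>' reads like a placeholder tag; plain '(to be announced)' is clearer.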
Line 57: Line 73:
 
Date: Wednesday, May 10th<br>
 
Date: Wednesday, May 10th<br>
 
Time: 1pm - 5pm<br>
 
Time: 1pm - 5pm<br>
Presenter: TBD<br>
+
Presenters: Nicole Becher & Mordecai Kraushar
<insert title of session><br>
+
 
<insert description of hand-on session><br>
+
'''Attacking your web app''' 
<insert any requirements for participation i.e. computer, etc.><br>
+
 
 +
There are some great OWASP projects that deal with both methodologies and tools for testing web sites. There may be even more to it! This workshop will provide the developer with a look at the offensive mindset an attacker has in attacking your web site
 +
 
 +
We will go through:
 +
* Using automated scanning tools against the app
 +
* Using ZAP we will look at a few things you can do as a proxy
 +
* Use ''sqlmap'' to enumerate and inject into databases
 +
* How to go after those non-technical app vulnerabilities
 +
 
 +
Requirements:
 +
* On a Virtual Machine a recent copy of Kali
 +
* On a Virtual Machine a copy of the Broken Web Application Distribution
 +
* The OWASP Juice Shop project
 +
 
 +
<br><br>
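Review bot: the new description sentence 'This workshop will provide the developer with a look at the offensive mindset an attacker has in attacking your web site' has no terminating period, and 'Presenters: Nicole Becher & Mordecai Kraushar' drops the <br> that the Date and Time lines above retain. The bullet 'Using ZAP we will look at a few things you can do as a proxy' is ambiguous about what acts as the proxy; 'Using ZAP as a proxy, we will look at a few things you can do with it' states what is meant. Removing the '<insert ...>' placeholder lines is the intended effect of the hunk.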

Latest revision as of 08:31, 9 May 2017

Belfast Banner Ad.jpg
OWASP AppSec EU 2017, May 9th - 10th, 2017, Belfast, UK


We are excited to announce the OWASP Developer Summit EU 2017.
OWASP is providing a structured platform for developers on the two full days before the AppSec EU 2017 conference.
The Developer Summit starts with a full-day, hands-on developer session, followed by two half-day sessions on learning about security vulnerabilities.
Come by yourself or bring a couple of friends. The Developer Summit is free (no charge) for anyone who would like to participate and learn something new.

We just ask that you SIGN UP so we can get a head count and be sure we have enough space and food.



AGENDA


Hands On Image.jpeg
Day 1: Full Day Hands On Session
Date: Tuesday, May 9th
Time: 9am-5pm (breakfast at 9am, lunch at 12pm)
Presenter: Johanna Curiel, Vice Chair of the OWASP Board of Directors

Reverse Engineering Android Apps with Bytecodeviewer
https://drive.google.com/drive/u/0/folders/0B28S4R_cON7JNG5HWmtCeWF1clE


Description of the hands-on session
Two of the OWASP Mobile Top 10 risks concern how resistant an application is to reverse engineering and code tampering. In this hands-on session we will go through the process of reverse engineering well-known Android apps (Facebook, some banking apps, Twitter, etc.), or bring your own app and test it if you want!

Using hands-on techniques you will learn:

  • How to apply the OWASP Mobile Top 10, the Mobile Testing Guide (in progress) and the Android Cheat Sheet to pen testing
  • How attackers actually ‘decompile’ an APK and tamper with app code by hooking methods with Xposed or by changing Smali
  • Techniques to find useful information in highly obfuscated apps
  • How to bypass certificate pinning and root detection
  • What you can do to make your apps harder to reverse engineer
  • How to root a phone. If you have not rooted a phone, bring one (make sure it is running Android Nougat 6.0 or an earlier version of Android)


Requirements:

  • Own laptop
  • Bytecodeviewer 2.9.8 (https://github.com/Konloch/bytecode-viewer)
  • Dex2Jar (https://github.com/pxb1988/dex2jar)
  • JD-GUI (http://jd.benow.ca/)
  • ApkTool (https://ibotpeaches.github.io/Apktool/)
  • a2scomp (https://github.com/voider1/a2scomp)
  • Android Studio + SDK Tools installed (https://developer.android.com/studio/index.html)
  • A rooted Android device, or you can root your device in the class
  • USB cable to connect your Android phone to the laptop

Computer coding image.jpeg
Day 2: Half Day Morning Session
Date: Wednesday, May 10th
Time: 9am-1pm (breakfast at 9am, lunch at 12pm)
Presenter: Spyros Gasteratos

Automating On-Deploy Security Testing of web applications with ZAP and Jenkins

Description of the hands-on session

In this workshop we will go through installing and configuring ZAP to work with Jenkins so that it automatically tests the deployed web application whenever we ask Jenkins to do so. We will also write an example ZAP plugin to test specific parts of the example application more thoroughly.

We will go through:

  • Configuring Jenkins to work with ZAP (there is a plugin; we will go through how it works)
  • Configuring the testing harness to work with ZAP
  • Writing ZAP plugins for better-targeted testing


Requirements: <To be announced>


Computer image.jpeg
Day 2: Half Day Afternoon Session
Date: Wednesday, May 10th
Time: 1pm - 5pm
Presenters: Nicole Becher & Mordecai Kraushar

Attacking your web app

There are some great OWASP projects that deal with both methodologies and tools for testing web sites, and there may be even more to it. This workshop gives developers a look at the offensive mindset an attacker brings when attacking your web site.

We will go through:

  • Using automated scanning tools against the app
  • Using ZAP as a proxy, and a few things you can do with it
  • Using sqlmap to enumerate and inject into databases
  • How to go after those non-technical app vulnerabilities

Requirements:

  • A recent copy of Kali in a virtual machine
  • A copy of the Broken Web Application distribution in a virtual machine
  • The OWASP Juice Shop project