This site is the archived OWASP Foundation Wiki and is no longer accepting Account Requests.
To view the new OWASP Foundation website, please visit https://owasp.org
Difference between revisions of "OWASP Bucharest AppSec Conference 2017"
Oana Cornea (talk | contribs) |
Oana Cornea (talk | contribs) |
||
| Line 79: | Line 79: | ||
=CTF= | =CTF= | ||
| − | {{: | + | {{:OWASP_Bucharest_AppSec_Conference_2017_CTF}} |
=Team= | =Team= | ||
Revision as of 17:43, 10 June 2017
|
|
CONFERENCE (Thursday 6th of October) | ||
| Date | Location | |
| Friday 6th of October, 8.00 AM |
Venue Location: TBD Workshops: TBD Venue Address: TBD | |
| Price and registration | ||
| The conference entrance is FREE, you need to register on the link provided below, print your ticket and present it at the entrance. The training sessions will be paid. Registration |
||
Sponshorship opportunities
Why sponsor?
- Join 300+ leaders, security consultants, security architects and developers gathered to share cutting-edge ideas, initiatives and trends in technology.
- OWASP events attract an audience interested in "What's next?" - As a sponsor, you will be promoted as an answer to this question.
- Increase awareness and recognition in Romanian Security IT environment.
- Support and involvement in the world of information security enthusiasts.
Conference agenda, 13th of October | |||||
| Time | Title | Speaker | Description | ||
| 9:00 - 9:30 (30 mins) |
Registration and coffee break | ||||
| 9:30 - 9:45 (15 mins) |
Introduction | Oana Cornea | Introduction to the OWASP Bucharest Event, Schedule for the Day | ||
| 9:45 - 10:30 (45 mins) |
OWASP Juice Shop: The most trustworthy online shop out there | Bjoern Kimminich | OWASP Juice Shop is an intentionally insecure webapp for security trainings written entirely in Javascript which encompasses the entire OWASP Top Ten and other severe security flaws. In this talk you will learn all about the project and its capabilities. You will...
| ||
| 10:45 - 11:30 (45 mins) |
Application Security Lifecycle | Adrian Locusteanu | A complete perspective on application security assumes addressing the whole application lifecycle: from secure design and (static or dynamic) testing to changes and continuous operational protection through adaptive managed application security services. A standardized end2end frame to provide secure enablement for both application developers and online presences will be presented from Telekom's experience. | ||
| 11:45 - 12:30 (45 mins) |
N different strategies to automate OWASP ZAP | Marudhamaran Gunasekaran (Maran) | In this talk we will explore the many different ways of automating security testing with the OWASP Zed Attack Proxy and how it ties to an overall Software Security Initiative. Over the years, ZAP has made many advancements to its powerful APIs and introduced scripts to make security automation consumable for mortals. This talk is structured to demonstrate how ZAP's API, and scripts could be integrated with Automated Testing frameworks beyond selenium, Continuous Integration and Continuous Delivery Pipelines beyond Jenkins, scanning authenticated parts of the application, options to manage the discovered vulnerabilities and so on with real world case studies and implementation challenges.
This is a demonstration oriented talk that explains OWASP ZAP automation strategies for Security Testing by example. | ||
| 12:30 - 13:30 (60 mins) |
Lunch/Coffee Break | ||||
| 13:30 - 14:15 (40 mins) |
Women in AppSec Panel
| ||||
| 14:20 - 15:05 (45 mins) |
Security champions 2.0 | Alexander Antukh | Security champions is an interesting concept of scaling security in multi-team companies. During this presentation I'll share experience of building a team of champions, challenges we had to overcome, and metrics to evaluate the efficiency of the model. As a bonus, security champion playbook will be introduced to the audience. | ||
| 15:05 - 15:20 (15 mins) |
Coffee break | ||||
| 15:20 - 16:05 (45 mins) |
Man-in-the-browser attacks | Daniel Tomescu | Most of today's efforts towards securing web applications rely on securing the web server and providing users with web pages which are protected against common weaknesses over a secure channel. However, we often forget that web applications are client-server applications where the client is the web browser. Therefore, accessing a website is not safe as long as the web browser cannot be trusted.
How many web browsers do we use in a week or a month? Are those web browsers exposed to attacks? Do we trust our favourite web browsers? We will discover multiple attack scenarios and attack vectors which can endanger our browsing experience. Be warned, your relationship with your favourite web browser might suffer and trust issues might arise. | ||
| 16:05 - 16:50 (45 mins) |
How my SVM nailed your Malware | Nikhil.P.K | As we know the Android Application Industry from a security perspective, it is also quite well known that the Android platform is succeptible to malicious applications. And with the recent trend where all the vendors and customers going completely mobile, android has now become an attack surface for most of the malicious attacks. Moreover, the mechanisms used for android malware detection comprise of several known methods, and we also know that most of these mechanisms are permission based or based on API usage. This Project implementation is based on well known machine learning algorithm which is Support Vector Machines for solving the problem of android malware analysis. This method involves the mechanism of detection of android malware by effeciently embedding the functional call graphs along the feature map. The gamechanger in this concept would be the optimal utilization of the SVM Algorithm(Support Vector Machine) that proves to be better than other approaches with a minimalistic amount of false positives found and a higher detection rate. | ||
| 16:50 - 17:00 (15 mins) |
Closing ceremony | OWASP Bucharest team | CTF Prizes | ||
Workshop | |||||
| Time | Title | Trainers | Description | ||
| Workshop 13th of October 2 hours: begins at 10:30 Goga Room |
Threat Modelling a fictitious payment web application |
Mustafa Kasmani | Description: Following on from the Threat Modelling presentation by the same author, this workshop will aim to put the theory covered by that presentation into practice. The objective of doing so is to introduce the audience to the benefits of performing Threat Modelling on a system during the early stages of design / development. This ensures that key security threats are known and understood early on allowing remediation to be done in a more cost effective and pragmatic way than had they been found much later on during testing or when in production. A fictitious payment web application will be examined in this session – defining its business functionality, actors, assets and technology stack. Data flowing between the components will then be drawn out in the form of data-flow diagrams (DFD’s). Thereafter the attack-surface will be mapped out using the STRIDE methodology identifying threats pertaining to Spoofing, Tampering, Repudiation, Information disclosure, Denial of service and the Elevation of privilege. Finally, these will documented in a form allowing categorisation of risk together with identified security controls that should be tested. | ||
| Workshop 13th of October 3 hours: begins at 13:30 Goga Room |
AppSec Bucharest vs. OWASP Juice Shop |
Björn Kimminich | Description: In this *free* workshop you can test your skills in hacking modern web applications against the OWASP Juice Shop! There are 43+ challenge that are waiting to be solved, ranging from simple functional problems and the usual XSS/SQLi issues over severe authentication flaws to multi-step & multi-path attacks against the discount coupons issued by the application! How many challenges can you beat? During the workshop you can get some first-hand hints in case you fell stuck. At the end of the workshop there will be a demo of some of the more mindboggling challenges - but only for those, who don't want to solve them on their own later! You will have an idea how good you and your tools are with
| ||
| Workshop 13th of October 3 hours: begins at 9:30 Slavici Room |
Free Diving into Android Security |
Nikhil P Kulkarni and Ravi Kumar Kovela | Description: The agenda of this free workshop is to get the taste of working on Android Security. The workshop would involve the attendees to install and learn the tools used for android pentesting. The following would be the topics that would be covered during the 3 hour session:
Though not in-depth but this workshop would definitely give a great push to start into the Mobile Security Scene. At the end of the workshop, the attendees would be given few challenges to be solved, giving them an understanding and idea on how to find some of the very well-known Android Security Issues. Intended Audience: Application Developers, Penetration Testers who plan to get into the field of Mobile Pentesting with basic knowledge and understanding of the Android Operating System. Prerequisites:
Software Requirements:
Seats available: 20 (first-come, first served) | ||
CTF (Capture The Flag) contests are popular ways to hone your practical security skills by solving challenges on topics such as web, crypto, reverse, exploiting.
We invite everyone passionate about practical security at the OWASP AppSec 2017 CTF, where you and your team will solve challenges on web, reverse and exploiting. Challenges will be Linux-centric and web.
Please note that this is a competition designed for beginners, students and security enthusiasts.
Here are the important dates:
- The qualifiers are online on 9th of September, between 10:00 and 22:00 (Bucharest time, UTC+2). In order to participate please REGISTER HERE!
- The first 10 teams will be invited to the final.
- The final will be on 12th of October. The qualified teams that want to compete for the prizes must be on site, in the competition room.
The CTF webpage is here: https://owasp-ctf.security.cs.pub.ro/home .
The CTF final will take place during the OWASP Bucharest AppSec 2017 conference, on site, for 8 hours, from 9am to 5pm. Teams will consist of at most 5 players; everyone has to be on site at the conference.
The teams qualified for the final are:
| knights who say ni | 775 |
| penthackon | 350 |
| UPTimSec | 275 |
| StackOrSlack | 275 |
| Fuszuly | 225 |
| Shellphish | 225 |
| tum_cyber | 225 |
| ynot ro | 150 |
| Just a Hack | 75 |
| TimeXlord | 75 |
| Xor_the_World | 75 |
We would not cover any transport or accommodation costs for the final competitors, in order to attend the event on 12th of October.
Hope you can make it! You’ll have tons of fun!
If you’re new to CTFs or you want to know more please check these links:
- picoCTF (https://picoctf.com/): A good place for beginners to go through CTF tasks
- Computer and Network Security (http://ocw.cs.pub.ro/courses/cns): A masters class featuring concepts and tools on practical security
- Hack Night (https://github.com/isislab/Hack-Night): Training session run by the NYU Poly ISIS lab
- CTF Write-ups (https://github.com/ctfs/): Write-ups (solutions) for CTF contests arount the globe
- Online Wargames Bundle (http://security.cs.pub.ro/hexcellents/wiki/kb/practice-and-learning): A list of wargame sites you can use for honing your skills
Prizes:
- 1st place: 1024 euros
- 2nd place: 512 euros
- 3rd place: 256 euros
Sponsors
Platinum+ Sponsor |
||||||
|
||||||
Platinum Sponsors |
||||||
|
|
|||||
Gold Sponsors |
||||||
|
|
|
||||
|   | ||||||
Event Supporters |
||||||
|
|
|
||||
|
|
|
||||
|
|
|
||||
|
|
|
||||
|
|
