This site is the archived OWASP Foundation Wiki and is no longer accepting Account Requests.
To view the new OWASP Foundation website, please visit https://owasp.org

Difference between revisions of "OWASP Bucharest AppSec Conference 2017"

From OWASP
Jump to: navigation, search
(edit date)
(edit2 date)
Line 13: Line 13:
 
'''OWASP Bucharest AppSec Conference 2017 - October 13th'''
 
'''OWASP Bucharest AppSec Conference 2017 - October 13th'''
  
OWASP Bucharest team is happy to announce the '''OWASP Bucharest AppSec Conference 2017''' a one day '''Security''' and '''Hacking Conference''' dedicated to the application security. It will take place between 11th and 13th of October, 2017 - Bucharest, Romania. 11th and 12th of October are training days. 13th of October is the conference day, with trainings, free workshops and the CTF in parallel<br>
+
OWASP Bucharest team is happy to announce the '''OWASP Bucharest AppSec Conference 2017''' a one day '''Security''' and '''Hacking Conference''' with additional training days dedicated to the application security. It will take place between 11th and 13th of October, 2017 - Bucharest, Romania. 11th and 12th of October are training days. 13th of October is the conference day, with trainings, free workshops and the CTF in parallel<br>
  
 
The objective of the OWASP's Bucharest AppSec Conference is to raise awareness about application security and to bring high-quality security content provided by renowned professionals in the European region. Everyone is free to participate in OWASP and all our materials are available under a free and open software license.<br>
 
The objective of the OWASP's Bucharest AppSec Conference is to raise awareness about application security and to bring high-quality security content provided by renowned professionals in the European region. Everyone is free to participate in OWASP and all our materials are available under a free and open software license.<br>

Revision as of 12:08, 6 July 2017


HeaderBucharest2017.png
.

OWASP Bucharest AppSec Conference 2017 - October 13th

OWASP Bucharest team is happy to announce the OWASP Bucharest AppSec Conference 2017 a one day Security and Hacking Conference with additional training days dedicated to the application security. It will take place between 11th and 13th of October, 2017 - Bucharest, Romania. 11th and 12th of October are training days. 13th of October is the conference day, with trainings, free workshops and the CTF in parallel

The objective of the OWASP's Bucharest AppSec Conference is to raise awareness about application security and to bring high-quality security content provided by renowned professionals in the European region. Everyone is free to participate in OWASP and all our materials are available under a free and open software license.

Call for speakers is now open
Call for trainings/workshops is now open

Who Should Attend?

  • Application Developers
  • Application Testers and Quality Assurance
  • Application Project Management and Staff
  • Chief Information Officers, Chief Information Security Officers, Chief Technology Officers, Deputies, Associates and Staff
  • Chief Financial Officers, Auditors, and Staff Responsible for IT Security Oversight and Compliance
  • Security Managers and Staff
  • Executives, Managers, and Staff Responsible for IT Security Governance
  • IT Professionals interested in improving IT Security
  • Anyone interested in learning about or promoting Web Application Security


CONFERENCE (Thursday 6th of October)

Date Location
Friday 13th of October, 8.00 AM
Venue Location: TBD Workshops: TBD

Venue Address: TBD
Venue Map: -->

Price and registration
The conference entrance is FREE, you need to register on the link provided below, print your ticket and present it at the entrance.
The training sessions will be paid.

Registration




Limited number of seats!


Sponshorship opportunities
Why sponsor?

  • Join 300+ leaders, security consultants, security architects and developers gathered to share cutting-edge ideas, initiatives and trends in technology.
  • OWASP events attract an audience interested in "What's next?" - As a sponsor, you will be promoted as an answer to this question.
  • Increase awareness and recognition in Romanian Security IT environment.
  • Support and involvement in the world of information security enthusiasts.

Conference agenda, 13th of October

Time Title Speaker Description
9:00 - 9:30
(30 mins)
Registration and coffee break
9:30 - 9:45
(15 mins)
Introduction Oana Cornea Introduction to the OWASP Bucharest Event, Schedule for the Day
9:45 - 10:30
(45 mins)
OWASP Juice Shop: The most trustworthy online shop out there Bjoern Kimminich OWASP Juice Shop is an intentionally insecure webapp for security trainings written entirely in Javascript which encompasses the entire OWASP Top Ten and other severe security flaws.

In this talk you will learn all about the project and its capabilities. You will...

  • join a "happy shopper round tour"
  • enjoy a hacking demo of some of the 43+ challenges
  • get an insight into the underlying application architecture
  • witness how to customize Juice Shop into a security awareness booster
  • learn how to set up a CTF event with Juice Shop for extra fun during trainings

https://www.owasp.org/index.php/OWASP_Juice_Shop_Project

10:45 - 11:30
(45 mins)
Application Security Lifecycle Adrian Locusteanu A complete perspective on application security assumes addressing the whole application lifecycle: from secure design and (static or dynamic) testing to changes and continuous operational protection through adaptive managed application security services.

A standardized end2end frame to provide secure enablement for both application developers and online presences will be presented from Telekom's experience.

11:45 - 12:30
(45 mins)
N different strategies to automate OWASP ZAP Marudhamaran Gunasekaran (Maran) In this talk we will explore the many different ways of automating security testing with the OWASP Zed Attack Proxy and how it ties to an overall Software Security Initiative. Over the years, ZAP has made many advancements to its powerful APIs and introduced scripts to make security automation consumable for mortals. This talk is structured to demonstrate how ZAP's API, and scripts could be integrated with Automated Testing frameworks beyond selenium, Continuous Integration and Continuous Delivery Pipelines beyond Jenkins, scanning authenticated parts of the application, options to manage the discovered vulnerabilities and so on with real world case studies and implementation challenges.

This is a demonstration oriented talk that explains OWASP ZAP automation strategies for Security Testing by example.

12:30 - 13:30
(60 mins)
Lunch/Coffee Break
13:30 - 14:15
(40 mins)
Women in AppSec Panel

WiA 400x400.jpg Panel discussion with: Iulia Ivanov, Giorgiana Vlasceanu, Alexandra Anghel, Daniela Ene and Daniel Barbu
      See panelists bios here

14:20 - 15:05
(45 mins)
Security champions 2.0 Alexander Antukh Security champions is an interesting concept of scaling security in multi-team companies. During this presentation I'll share experience of building a team of champions, challenges we had to overcome, and metrics to evaluate the efficiency of the model. As a bonus, security champion playbook will be introduced to the audience.
15:05 - 15:20
(15 mins)
Coffee break
15:20 - 16:05
(45 mins)
Man-in-the-browser attacks Daniel Tomescu Most of today's efforts towards securing web applications rely on securing the web server and providing users with web pages which are protected against common weaknesses over a secure channel. However, we often forget that web applications are client-server applications where the client is the web browser. Therefore, accessing a website is not safe as long as the web browser cannot be trusted.

How many web browsers do we use in a week or a month? Are those web browsers exposed to attacks? Do we trust our favourite web browsers? We will discover multiple attack scenarios and attack vectors which can endanger our browsing experience. Be warned, your relationship with your favourite web browser might suffer and trust issues might arise.

16:05 - 16:50
(45 mins)
How my SVM nailed your Malware Nikhil.P.K As we know the Android Application Industry from a security perspective, it is also quite well known that the Android platform is succeptible to malicious applications. And with the recent trend where all the vendors and customers going completely mobile, android has now become an attack surface for most of the malicious attacks. Moreover, the mechanisms used for android malware detection comprise of several known methods, and we also know that most of these mechanisms are permission based or based on API usage.

This Project implementation is based on well known machine learning algorithm which is Support Vector Machines for solving the problem of android malware analysis. This method involves the mechanism of detection of android malware by effeciently embedding the functional call graphs along the feature map. The gamechanger in this concept would be the optimal utilization of the SVM Algorithm(Support Vector Machine) that proves to be better than other approaches with a minimalistic amount of false positives found and a higher detection rate.

16:50 - 17:00
(15 mins)
Closing ceremony OWASP Bucharest team CTF Prizes

Workshop

Time Title Trainers Description
Workshop
13th of October
2 hours:
begins at 10:30
Goga Room
Threat Modelling a fictitious payment web application
Mustafa Kasmani Description:
Following on from the Threat Modelling presentation by the same author, this workshop will aim to put the theory covered by that presentation into practice.

The objective of doing so is to introduce the audience to the benefits of performing Threat Modelling on a system during the early stages of design / development. This ensures that key security threats are known and understood early on allowing remediation to be done in a more cost effective and pragmatic way than had they been found much later on during testing or when in production.

A fictitious payment web application will be examined in this session – defining its business functionality, actors, assets and technology stack. Data flowing between the components will then be drawn out in the form of data-flow diagrams (DFD’s). Thereafter the attack-surface will be mapped out using the STRIDE methodology identifying threats pertaining to Spoofing, Tampering, Repudiation, Information disclosure, Denial of service and the Elevation of privilege. Finally, these will documented in a form allowing categorisation of risk together with identified security controls that should be tested.
Intended audience: Architects, Designers, Developers, Testers, Security professionals, Project managers.
Skill level: The workshop does not assume an in-depth knowledge of software security.
Requirements: A mind-set of how an attacker might seek to compromise this system, so as to best identify the threats pertaining to it.
Seats available: 20 (first-come, first served)
Price: free
Register here

Workshop
13th of October

3 hours:
begins at 13:30
Goga Room
AppSec Bucharest vs. OWASP Juice Shop
Björn Kimminich Description:
In this *free* workshop you can test your skills in hacking modern web applications against the OWASP Juice Shop! There are 43+ challenge that are waiting to be solved, ranging from simple functional problems and the usual XSS/SQLi issues over severe authentication flaws to multi-step & multi-path attacks against the discount coupons issued by the application!

How many challenges can you beat? During the workshop you can get some first-hand hints in case you fell stuck. At the end of the workshop there will be a demo of some of the more mindboggling challenges - but only for those, who don't want to solve them on their own later! You will have an idea how good you and your tools are with
Intended audience: Developers and pentesters with at least basic understanding of common web application vulnerabilities
Skill level: The workshop does not assume an in-depth knowledge of software security.
Requirements:

  • laptop with OWASP Juice Shop installed using one of the setups described in https://github.com/bkimminich/juice-shop#setup
  • internet browser with some API testing plugin (e.g. PostMan for Chrome)
  • (optionally) any kind of pentesting tools


Seats available: 20 (first-come, first served)
Price: free
Register here

Workshop
13th of October
3 hours:
begins at 9:30
Slavici Room
Free Diving into Android Security
Nikhil P Kulkarni and Ravi Kumar Kovela Description:
The agenda of this free workshop is to get the taste of working on Android Security. The workshop would involve the attendees to install and learn the tools used for android pentesting. The following would be the topics that would be covered during the 3 hour session:
  • Fundamentals of Android Operating System
  • Understanding the Android Security Architecture
  • Android Permission Model
  • Understanding how to setup a pentest environment
  • Understanding the Android Debug Bridge
  • Fundamentals of Android Application Signing
  • Understanding the working of app permissions using the Android Manifest File

Though not in-depth but this workshop would definitely give a great push to start into the Mobile Security Scene. At the end of the workshop, the attendees would be given few challenges to be solved, giving them an understanding and idea on how to find some of the very well-known Android Security Issues. Intended Audience: Application Developers, Penetration Testers who plan to get into the field of Mobile Pentesting with basic knowledge and understanding of the Android Operating System. Prerequisites:

  • A Laptop with full administrative access since you will be installing software.
  • Make sure to have free space of atleast 10 GB on your laptop and with minimum 4 GB RAM
  • Basic knowledge on Android

Software Requirements:

  • VirtualBox 5.x.x installed. Please have this installed before the session starts. VMWare will not be supported.
  • Any of the following OS : OSX , Win 7 and above, Ubuntu 12.0.4 and above

Seats available: 20 (first-come, first served)
Price: free
Register here

CTF (Capture The Flag) contests are popular ways to hone your practical security skills by solving challenges on topics such as web, crypto, reverse, exploiting.

We invite everyone passionate about practical security at the OWASP AppSec 2017 CTF, where you and your team will solve challenges on web, reverse and exploiting. Challenges will be Linux-centric and web.
Please note that this is a competition designed for beginners, students and security enthusiasts.
Here are the important dates:

  • The qualifiers are online on 9th of September, between 10:00 and 22:00 (Bucharest time, UTC+2). In order to participate please REGISTER HERE!
  • The first 10 teams will be invited to the final.
  • The final will be on 12th of October. The qualified teams that want to compete for the prizes must be on site, in the competition room.

The CTF webpage is here: https://owasp-ctf.security.cs.pub.ro/home .

The CTF final will take place during the OWASP Bucharest AppSec 2017 conference, on site, for 8 hours, from 9am to 5pm. Teams will consist of at most 5 players; everyone has to be on site at the conference.

The teams qualified for the final are:

knights who say ni 775
penthackon 350
UPTimSec 275
StackOrSlack 275
Fuszuly 225
Shellphish 225
tum_cyber 225
ynot ro 150
Just a Hack 75
TimeXlord 75
Xor_the_World 75

We would not cover any transport or accommodation costs for the final competitors, in order to attend the event on 12th of October.
Hope you can make it! You’ll have tons of fun!

If you’re new to CTFs or you want to know more please check these links:

Prizes:

  • 1st place: 1024 euros
  • 2nd place: 512 euros
  • 3rd place: 256 euros

Organizers:

  • Oana Cornea [1]
  • Vlad Cotenescu [2]
  • Cosmin Marius Ilie [3]
  • Sorina Marghescu
  • Andreea Cutlacai [4]
  • Daniel Barbu [5]
  • Razvan Costin Ionescu [6]
  • Raluca Vasilache [7]
  • Cora Sandu
  • Victor Zamfir

CTF:

  • Razvan Deaconescu [8]
  • Vali Ghita [9]
  • Alexandros Dimos
  • Alexandru Razvan Caciulescu [10]

Photo

Volunteers:

  • Radu-Florin Dunaretu [12]
  • Oana Alina Holban [13]
  • Cristina Nica


Sponsors

             
     

Platinum+ Sponsor

     
      Telekom2.PNG      
     

Platinum Sponsors

     
    Adobe logoB.png SW logo transp color 2 pos.png    
     

Gold Sponsors

     
    DEL resize.jpg KPMG RGB.jpg Worldpay  
      &nbsp    
     

Event Supporters

     
    RST.jpg SoftLead.png Logo-aries-300x9712.jpg    
    BannerCyberM.jpg CERT-RO banner.png EU-cyberS.jpg  
    Devtalks.png Logoanis.png Logo phpromania.png  
    Agileworks-logo1.jpg Logo-se-horizontal-square.png Danielbarbu.png  
    Logo-ISM medium.png Logo-defcamp.jpg