This site is the archived OWASP Foundation Wiki and is no longer accepting Account Requests.
To view the new OWASP Foundation website, please visit https://owasp.org

Difference between revisions of "OWASP Bucharest AppSec Conference 2018 Agenda Talks"

From OWASP
Jump to: navigation, search
 
(5 intermediate revisions by the same user not shown)
Line 17: Line 17:
 
|-
 
|-
 
| style="width:10%" valign="middle" height="30" bgcolor="#EEEEEE" align="center" colspan="0" | 9:15 - 9:45<br>(30 mins)
 
| style="width:10%" valign="middle" height="30" bgcolor="#EEEEEE" align="center" colspan="0" | 9:15 - 9:45<br>(30 mins)
| style="width:25%" valign="middle" height="30" bgcolor="#EEEEEE" align="center" colspan="0" | So you think you do security?
+
| style="width:25%" valign="middle" height="30" bgcolor="#EEEEEE" align="center" colspan="0" | [https://www.owasp.org/images/7/79/OWASP_Bucharest-Day2018_so_you_think_you_do_security.pdf So you think you do security?]
 
| style="width:25%" valign="middle" height="30" bgcolor="#EEEEEE" align="center" colspan="0" | [https://www.linkedin.com/in/martin-knobloch/ Martin Knobloch]
 
| style="width:25%" valign="middle" height="30" bgcolor="#EEEEEE" align="center" colspan="0" | [https://www.linkedin.com/in/martin-knobloch/ Martin Knobloch]
 
| style="width:40%" valign="middle" height="30" bgcolor="#EEEEEE" align="justify" colspan="0" | Security is hot and we get all the fancy old and new titles: Chief Information Security Officer, Security Archtect, Security Tester, Security Engineer, Security and Risk Auditor! Of course, now the days you are falling behind if you do not have cyber in your title or job description, giving us the possibility of more fancy titles as for exampel 'Cyer security expert'! And we all doing security, right? Really, do you think you 'do security'?   
 
| style="width:40%" valign="middle" height="30" bgcolor="#EEEEEE" align="justify" colspan="0" | Security is hot and we get all the fancy old and new titles: Chief Information Security Officer, Security Archtect, Security Tester, Security Engineer, Security and Risk Auditor! Of course, now the days you are falling behind if you do not have cyber in your title or job description, giving us the possibility of more fancy titles as for exampel 'Cyer security expert'! And we all doing security, right? Really, do you think you 'do security'?   
Line 24: Line 24:
 
|-
 
|-
 
| style="width:10%" valign="middle" height="30" bgcolor="#EEEEEE" align="center" colspan="0" | 9:45 - 10:30<br>(45 mins)
 
| style="width:10%" valign="middle" height="30" bgcolor="#EEEEEE" align="center" colspan="0" | 9:45 - 10:30<br>(45 mins)
| style="width:25%" valign="middle" height="30" bgcolor="#EEEEEE" align="center" colspan="0" | Browsers - For better or worse ...
+
| style="width:25%" valign="middle" height="30" bgcolor="#EEEEEE" align="center" colspan="0" | [https://www.owasp.org/images/a/a2/Browsers-for-better-or-worse-owasp.pdf Browsers - For better or worse ...]
 
| style="width:25%" valign="middle" height="30" bgcolor="#EEEEEE" align="center" colspan="0" | [https://pt.linkedin.com/in/simpsonpt Renato Rodrigues]
 
| style="width:25%" valign="middle" height="30" bgcolor="#EEEEEE" align="center" colspan="0" | [https://pt.linkedin.com/in/simpsonpt Renato Rodrigues]
 
| style="width:40%" valign="middle" height="30" bgcolor="#EEEEEE" align="justify" colspan="0" | It is no news that security is under close scrutiny of the public eye. Everyone is on alert for the latest database leak, closely tracking the updates on the business losing millions on a hack or digging deep into the web to find ways to stay protected. In this presentation, we'll tap into the role browsers play from the security practices perspective - regarding defense and browsers as attack platforms. While some of the tricks covered in this presentation will be recognizable for most in the community, others are still kept away from the limelight. Hopefully, in the end, you will be able to take something new for your assessments.
 
| style="width:40%" valign="middle" height="30" bgcolor="#EEEEEE" align="justify" colspan="0" | It is no news that security is under close scrutiny of the public eye. Everyone is on alert for the latest database leak, closely tracking the updates on the business losing millions on a hack or digging deep into the web to find ways to stay protected. In this presentation, we'll tap into the role browsers play from the security practices perspective - regarding defense and browsers as attack platforms. While some of the tricks covered in this presentation will be recognizable for most in the community, others are still kept away from the limelight. Hopefully, in the end, you will be able to take something new for your assessments.
 
|-
 
|-
 
| style="width:10%" valign="middle" height="30" bgcolor="#EEEEEE" align="center" colspan="0" | 10:45 - 11:30<br>(45 mins)  
 
| style="width:10%" valign="middle" height="30" bgcolor="#EEEEEE" align="center" colspan="0" | 10:45 - 11:30<br>(45 mins)  
| style="width:25%" valign="middle" height="30" bgcolor="#EEEEEE" align="center" colspan="0" | Access control, REST and sessions
+
| style="width:25%" valign="middle" height="30" bgcolor="#EEEEEE" align="center" colspan="0" | [https://www.owasp.org/images/a/ac/Access_control%2C_REST_and_sessions.pdf Access control, REST and sessions]
  
 
| style="width:25%" valign="middle" height="30" bgcolor="#EEEEEE" align="center" colspan="0" | [https://www.linkedin.com/in/johanpeeters Johan Peeters]
 
| style="width:25%" valign="middle" height="30" bgcolor="#EEEEEE" align="center" colspan="0" | [https://www.linkedin.com/in/johanpeeters Johan Peeters]
Line 53: Line 53:
 
|-
 
|-
 
| style="width:10%" valign="middle" height="30" bgcolor="#EEEEEE" align="center" colspan="0" | 14:20 - 15:05<br>(45 mins)  
 
| style="width:10%" valign="middle" height="30" bgcolor="#EEEEEE" align="center" colspan="0" | 14:20 - 15:05<br>(45 mins)  
| style="width:25%" valign="middle" height="30" bgcolor="#EEEEEE" align="center" colspan="0" | Short A.V Evasion and Fast Incident Response
+
| style="width:25%" valign="middle" height="30" bgcolor="#EEEEEE" align="center" colspan="0" | [https://www.owasp.org/images/1/14/Prezentare-Owasp-Ilca-Lucian-Florin.pptx Short A.V Evasion and Fast Incident Response]
 
| style="width:25%" valign="middle" height="30" bgcolor="#EEEEEE" align="center" colspan="0" | Lucian Ilca
 
| style="width:25%" valign="middle" height="30" bgcolor="#EEEEEE" align="center" colspan="0" | Lucian Ilca
 
| style="width:40%" valign="middle" height="30" bgcolor="#EEEEEE" align="justify" colspan="0" | The field of Anti-Virus Evasion and Fast Incident Response, combined with Malware Analysis comprises the art and science of dissecting malicious software using diverse tools like: FLARE, Cuckoo Sandbox or other forensics tools and response immediatly to any type of incident.  
 
| style="width:40%" valign="middle" height="30" bgcolor="#EEEEEE" align="justify" colspan="0" | The field of Anti-Virus Evasion and Fast Incident Response, combined with Malware Analysis comprises the art and science of dissecting malicious software using diverse tools like: FLARE, Cuckoo Sandbox or other forensics tools and response immediatly to any type of incident.  
Line 65: Line 65:
 
|-
 
|-
 
| style="width:10%" valign="middle" height="30" bgcolor="#EEEEEE" align="center" colspan="0" | 15:20 - 16:05<br>(45 mins)  
 
| style="width:10%" valign="middle" height="30" bgcolor="#EEEEEE" align="center" colspan="0" | 15:20 - 16:05<br>(45 mins)  
| style="width:25%" valign="middle" height="30" bgcolor="#EEEEEE" align="center" colspan="0" | Secure your cyber battlefield leveraging cyber threat intelligence
+
| style="width:25%" valign="middle" height="30" bgcolor="#EEEEEE" align="center" colspan="0" | [https://www.owasp.org/images/5/53/OWASP_CTI_Presentation_Calita_Cristi.pptx Secure your cyber battlefield leveraging cyber threat intelligence]
 
| style="width:25%" valign="middle" height="30" bgcolor="#EEEEEE" align="center" colspan="0" | Cristian Calita
 
| style="width:25%" valign="middle" height="30" bgcolor="#EEEEEE" align="center" colspan="0" | Cristian Calita
 
| style="width:40%" valign="middle" height="30" bgcolor="#EEEEEE" align="justify" colspan="0" | Cyber crime, Cyber environment, Cyber activities, Cyber security, etc - Cyber is the new black. Therefore cyber threat intelligence (CTI) was expected to arise. <br>
 
| style="width:40%" valign="middle" height="30" bgcolor="#EEEEEE" align="justify" colspan="0" | Cyber crime, Cyber environment, Cyber activities, Cyber security, etc - Cyber is the new black. Therefore cyber threat intelligence (CTI) was expected to arise. <br>

Latest revision as of 17:30, 30 October 2018

Conference agenda, 26th of October

Time Title Speaker Description
8:30 - 9:00
(30 mins)
Registration and coffee break
9:00 - 9:15
(15 mins)
Introduction Oana Cornea Introduction to the OWASP Bucharest Event, Schedule for the Day
9:15 - 9:45
(30 mins)
So you think you do security? Martin Knobloch Security is hot and we get all the fancy old and new titles: Chief Information Security Officer, Security Archtect, Security Tester, Security Engineer, Security and Risk Auditor! Of course, now the days you are falling behind if you do not have cyber in your title or job description, giving us the possibility of more fancy titles as for exampel 'Cyer security expert'! And we all doing security, right? Really, do you think you 'do security'?

As if compliancy has not been complex enough, let's add privacy vs security and don't forgeth moving to cloud and serverless architectures. Do you still think you are in control? Let me lift the smoke screen of cyber security obscurity and show you how to do security right! Getting in control buttom up and top down (is there really a choice), by building alliances, sharing knowledge and deligate responsibilities. Not the least by setting the right examples! Let me show you an holistic but practical aproach adding security to your business responsibilityies and development metrics. Get control by let go and enable scalable security for your software factories. How to manage security in traditional waterfall and project centric envirnoments and how to scale in the agile worlds of DevOps and CD/CI!

9:45 - 10:30
(45 mins)
Browsers - For better or worse ... Renato Rodrigues It is no news that security is under close scrutiny of the public eye. Everyone is on alert for the latest database leak, closely tracking the updates on the business losing millions on a hack or digging deep into the web to find ways to stay protected. In this presentation, we'll tap into the role browsers play from the security practices perspective - regarding defense and browsers as attack platforms. While some of the tricks covered in this presentation will be recognizable for most in the community, others are still kept away from the limelight. Hopefully, in the end, you will be able to take something new for your assessments.
10:45 - 11:30
(45 mins)
Access control, REST and sessions Johan Peeters There is a lot of confusion surrounding REST, state, sessions, and the implications for access control. Let’s clear this up.

REST services are stateless. In other words, there are no sessions between REST API producers and consumers. Given the difficulties of securing sessions, this is A Good Thing from a security perspective.
Access to REST APIs is incumbent on the presentation of a valid security token. Typically, this is an access token issued by an OAuth authorization server. The authZ server maintains a session with the user agent so that the user does not need to re-authenticate each time a new access token is needed. This is not entirely unproblematic, as will be illustrated through a discussion of logout and the tenuous implementation of silent authentication in client libraries. Conversely, I will argue for leveraging authorization server sessions to raise the consent game to a level where it truly serves the interests of the user.
In summary, while REST APIs are stateless and do not maintain a session, access control architectures *do* rely on sessions trying to provide a good user experience while enforcing authorization policies.

11:45 - 12:30
(45 mins)
Cookies versus tokens: a paradoxical choice Philippe De Ryck When you’re building Angular applications, you will need to figure out how to manage your user’s sessions. Back in the days, this used to be simple. But now, there are many different options, all with specific advantages and disadvantages. How can you make a sensible choice, and how will that impact the security of your application?

This talk lays it out for you. We dive into the technicalities of cookies, JWT tokens and Authorization headers. You will learn how to assess your past choices, and how to substantiate future decisions.

12:30 - 13:30
(60 mins)
Lunch/Coffee Break
13:30 - 14:15
(40 mins)
Women in AppSec Panel

WiA 400x400.jpg

14:20 - 15:05
(45 mins)
Short A.V Evasion and Fast Incident Response Lucian Ilca The field of Anti-Virus Evasion and Fast Incident Response, combined with Malware Analysis comprises the art and science of dissecting malicious software using diverse tools like: FLARE, Cuckoo Sandbox or other forensics tools and response immediatly to any type of incident.

The study and analysis of these tools fall within the general purview of the broad disciplines of Digital Forensics, PSIRT, Cyber Security Operations and general principles of Reverse Engineering. In this paper, we explore and discuss the current state of anti-virus evasion, malware analysis and fast incident response, . Based on author research, he conclude that the domain of malware analysis, A.V Evasion and Fast Incident Response has effectively been relegated from the academic realm to the domain of the practitioner's skill set. For the final presentation, author will show how you can respond to an incident and how to protect your environment for new attacks.

15:05 - 15:20
(15 mins)
Coffee break
15:20 - 16:05
(45 mins)
Secure your cyber battlefield leveraging cyber threat intelligence Cristian Calita Cyber crime, Cyber environment, Cyber activities, Cyber security, etc - Cyber is the new black. Therefore cyber threat intelligence (CTI) was expected to arise.

As web applications are important pieces of the operational environment - at least to the fact that these may be entry points into internal networks, one of the CTI's goals is to keep the defenders (e.g. application security architects, application developers, etc) and stakeholders ahead threats and adversaries by feeding them with the missing piece from their knowledge. The presentation provides details on how this goal could be achieved.

16:05 - 16:50
(45 mins)
Automating Security Operations using Phantom Isabella Minca Our challenge consists in working with a SIEM which manages over 30 TB of logs per day and over 100 different types of Security Alerts, triggered based on the logs. Challenge accepted! This presentation aims to reveal our efforts towards automating Security Alerts triaging workflow using a Python based tool, Phantom. We investigate further and decide upon the actions needed in order to remediate the vulnerabilities. A wide range of workflow actions can be automated, such as running searches or scripts that enrich alert data, reporting and proactively resolving security misconfigurations using various app integrations like Exchange, Slack and Jira. While the adoption of such an initiative is not a quick win but a bumpy road, it easily results in translating the day-to-day Security Operations Center work into a highly scalable, automated and tailored approach when it comes to dealing with the threat landscape! As a consequence, the whole organisation is moving towards a world of SecDevOps.
16:50 - 17:00
(15 mins)
Closing ceremony OWASP Bucharest team CTF Prizes