This site is the archived OWASP Foundation Wiki and is no longer accepting Account Requests.
To view the new OWASP Foundation website, please visit https://owasp.org
Difference between revisions of "OWASP Romania InfoSec Conference 2013 Agenda"
Old revision: Oana Cornea (talk | contribs)
New revision: Oana Cornea (talk | contribs)
(12 intermediate revisions by 2 users not shown)
Line 1: | Line 1: | ||
__NOTOC__ | __NOTOC__ | ||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
{|style="vertical-align:top;width:90%;background-color:#white;padding:10px;border:1px solid silver;" align="center" cellspacing="4" | {|style="vertical-align:top;width:90%;background-color:#white;padding:10px;border:1px solid silver;" align="center" cellspacing="4" | ||
− | | style="width:100%" valign="middle" height="40" bgcolor="#CCCCEE" align="center" colspan="6" | | + | | style="width:100%" valign="middle" height="40" bgcolor="#CCCCEE" align="center" colspan="6" | <h2>Agenda </h2> |
|- | |- | ||
| style="width:10%" valign="middle" height="30" bgcolor="#CCCCEE" align="center" colspan="0" | '''Time''' | | style="width:10%" valign="middle" height="30" bgcolor="#CCCCEE" align="center" colspan="0" | '''Time''' | ||
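Review bot: the new `<h2>Agenda </h2>` cell added at the top of the table carries a trailing space inside the heading and spans `colspan="6"`, while the header row that follows defines four columns (Time, Title, Speaker, Description); use `<h2>Agenda</h2>` and `colspan="4"`. While touching this row, `background-color:#white` on the `{|` line is not a valid CSS colour (`white` or `#ffffff` is), and the `colspan="0"` on the header cells has no useful meaning and can be dropped. Removing the run of blank lines above the table is fine.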
Line 41: | Line 9: | ||
| style="width:40%" valign="middle" height="30" bgcolor="#CCCCEE" align="center" colspan="0" | '''Description''' | | style="width:40%" valign="middle" height="30" bgcolor="#CCCCEE" align="center" colspan="0" | '''Description''' | ||
|- | |- | ||
− | | style="width:10%" valign="middle" height="30" bgcolor="#CCEEEE" align="center" colspan="0" | 15 mins | + | | style="width:10%" valign="middle" height="30" bgcolor="#CCEEEE" align="center" colspan="0" | 10:30 - 11:00<br>(30 mins) |
+ | | style="width:25%" valign="middle" height="30" bgcolor="#CCEEEE" align="center" colspan="0" | Registration | ||
+ | | style="width:25%" valign="middle" height="30" bgcolor="#CCEEEE" align="center" colspan="0" | | ||
+ | | style="width:40%" valign="middle" height="30" bgcolor="#CCEEEE" align="justify" colspan="0" | | ||
+ | |- | ||
+ | | style="width:10%" valign="middle" height="30" bgcolor="#CCEEEE" align="center" colspan="0" | 11:00 - 11:15<br>(15 mins) | ||
| style="width:25%" valign="middle" height="30" bgcolor="#CCEEEE" align="center" colspan="0" | Introduction & Welcome | | style="width:25%" valign="middle" height="30" bgcolor="#CCEEEE" align="center" colspan="0" | Introduction & Welcome | ||
| style="width:25%" valign="middle" height="30" bgcolor="#CCEEEE" align="center" colspan="0" | [http://ro.linkedin.com/pub/oana-cornea/55/430/b10 Oana Cornea] | | style="width:25%" valign="middle" height="30" bgcolor="#CCEEEE" align="center" colspan="0" | [http://ro.linkedin.com/pub/oana-cornea/55/430/b10 Oana Cornea] | ||
| style="width:40%" valign="middle" height="30" bgcolor="#CCEEEE" align="justify" colspan="0" | Introduction to OWASP & Bucharest Event, Schedule for the Day | | style="width:40%" valign="middle" height="30" bgcolor="#CCEEEE" align="justify" colspan="0" | Introduction to OWASP & Bucharest Event, Schedule for the Day | ||
|- | |- | ||
− | | style="width:10%" valign="middle" height="30" bgcolor="#EEEEEE" align="center" colspan="0" | 45 mins | + | | style="width:10%" valign="middle" height="30" bgcolor="#EEEEEE" align="center" colspan="0" | 11:15 - 12:00<br>(45 mins) |
− | | style="width:25%" valign="middle" height="30" bgcolor="#EEEEEE" align="center" colspan="0" | Secure Development LifeCycle<br> | + | | style="width:25%" valign="middle" height="30" bgcolor="#EEEEEE" align="center" colspan="0" | Secure Development LifeCycle <br> |
− | (aka "The good the bad and the ugly implementations") | + | (aka "The good the bad and the ugly implementations") [https://www.owasp.org/images/1/1a/OWASP_-_InfoSec_Romania_-_SDLC_the_good%2C_the_bad_and_the_ugly_.pdf] |
| style="width:25%" valign="middle" height="30" bgcolor="#EEEEEE" align="center" colspan="0" | [http://nl.linkedin.com/pub/martin-knobloch/3/182/b97 Martin Knobloch] | | style="width:25%" valign="middle" height="30" bgcolor="#EEEEEE" align="center" colspan="0" | [http://nl.linkedin.com/pub/martin-knobloch/3/182/b97 Martin Knobloch] | ||
| style="width:40%" valign="middle" height="30" bgcolor="#EEEEEE" align="justify" colspan="0" | Software development is not THAT new anymore, but it is still a fast changing work environment.<br> | | style="width:40%" valign="middle" height="30" bgcolor="#EEEEEE" align="justify" colspan="0" | Software development is not THAT new anymore, but it is still a fast changing work environment.<br> | ||
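Review bot: the slide link added after the talk title, `[https://www.owasp.org/images/1/1a/OWASP_-_InfoSec_Romania_-_SDLC_the_good%2C_the_bad_and_the_ugly_.pdf]`, is a bare bracketed URL, so it renders as an anonymous `[1]` and gives the reader no hint that it is the slide deck; label it, e.g. `[https://www.owasp.org/images/1/1a/OWASP_-_InfoSec_Romania_-_SDLC_the_good%2C_the_bad_and_the_ugly_.pdf Slides (PDF)]`, and do the same for the decks added further down. The new Registration row leaving the Speaker and Description cells empty is fine.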
Line 56: | Line 29: | ||
Lets help developer by implementing impalpable mechanism! | Lets help developer by implementing impalpable mechanism! | ||
|- | |- | ||
− | | style="width:10%" valign="middle" height="30" bgcolor="#EEEEEE" align="center" colspan="0" | 45 mins | + | | style="width:10%" valign="middle" height="30" bgcolor="#EEEEEE" align="center" colspan="0" | 12:05 - 12:50<br>(45 mins) |
− | | style="width:25%" valign="middle" height="30" bgcolor="#EEEEEE" align="center" colspan="0" | Practical Defense with mod_security Web Application Firewall | + | | style="width:25%" valign="middle" height="30" bgcolor="#EEEEEE" align="center" colspan="0" | Practical Defense with mod_security Web Application Firewall [https://www.owasp.org/images/e/eb/2013-10-25_-_Practical_Defense_with_ModSecurity_WAF_-_v1.1.pdf] |
| style="width:25%" valign="middle" height="30" bgcolor="#EEEEEE" align="center" colspan="0" | [http://ie.linkedin.com/in/mventuneac Marian Ventuneac] | | style="width:25%" valign="middle" height="30" bgcolor="#EEEEEE" align="center" colspan="0" | [http://ie.linkedin.com/in/mventuneac Marian Ventuneac] | ||
| style="width:40%" valign="middle" height="30" bgcolor="#EEEEEE" align="justify" colspan="0" | Marian will introduce the mod_security Web Application Firewall (WAF). This session will be a practical demonstration of mitigating security risks for a sample vulnerable Web application. | | style="width:40%" valign="middle" height="30" bgcolor="#EEEEEE" align="justify" colspan="0" | Marian will introduce the mod_security Web Application Firewall (WAF). This session will be a practical demonstration of mitigating security risks for a sample vulnerable Web application. | ||
|- | |- | ||
− | | style="width:10%" valign="middle" height="30" bgcolor="#EEEEEE" align="center" colspan="0" | 45 mins | + | | style="width:10%" valign="middle" height="30" bgcolor="#EEEEEE" align="center" colspan="0" | 12:55 - 13:40<br>(45 mins) |
− | | style="width:25%" valign="middle" height="30" bgcolor="#EEEEEE" align="center" colspan="0" | Scanning Romania with Nessus (web part) | + | | style="width:25%" valign="middle" height="30" bgcolor="#EEEEEE" align="center" colspan="0" | Scanning Romania with Nessus (web part) [https://www.owasp.org/images/e/e9/OWASP_-_InfoSec_Romania_-AdrianFurtuna_ScanningRomania.pdf] |
| style="width:25%" valign="middle" height="30" bgcolor="#EEEEEE" align="center" colspan="0" | [http://ro.linkedin.com/in/adrianfurtuna Adrian Furtuna] | | style="width:25%" valign="middle" height="30" bgcolor="#EEEEEE" align="center" colspan="0" | [http://ro.linkedin.com/in/adrianfurtuna Adrian Furtuna] | ||
| style="width:40%" valign="middle" height="30" bgcolor="#EEEEEE" align="justify" colspan="0" | This talk presents the results of a passive vulnerability scan performed against all Romanian IP addresses, targeting all web servers listening on port 80. <br> | | style="width:40%" valign="middle" height="30" bgcolor="#EEEEEE" align="justify" colspan="0" | This talk presents the results of a passive vulnerability scan performed against all Romanian IP addresses, targeting all web servers listening on port 80. <br> | ||
The research was performed against multiple network packet captures selected from the output of Carna botnet, which scanned Romania in July 2012. | The research was performed against multiple network packet captures selected from the output of Carna botnet, which scanned Romania in July 2012. | ||
|- | |- | ||
− | | style="width:10%" valign="middle" height="30" bgcolor="#EEEEEE" align="center" colspan="0" | 45 mins | + | | style="width:10%" valign="middle" height="30" bgcolor="#EEEEEE" align="center" colspan="0" | 13:40 - 14:30<br>(50 mins) |
− | | style="width:25%" valign="middle" height="30" bgcolor="#EEEEEE" align="center" colspan="0" | Reading the minds | + | | style="width:25%" valign="middle" height="30" bgcolor="#EEEEEE" align="center" colspan="0" |Lunch/Coffee Break |
+ | | style="width:25%" valign="middle" height="30" bgcolor="#EEEEEE" align="center" colspan="0" | | ||
+ | | style="width:40%" valign="middle" height="30" bgcolor="#EEEEEE" align="justify" colspan="0" | | ||
+ | |- | ||
+ | | style="width:10%" valign="middle" height="30" bgcolor="#EEEEEE" align="center" colspan="0" | 14:30 - 15:15<br>(45 mins) | ||
+ | | style="width:25%" valign="middle" height="30" bgcolor="#EEEEEE" align="center" colspan="0" | Reading the minds [https://www.owasp.org/images/c/c7/OWASP_-_InfoSec_Romania_-reading-the-minds.pdf] | ||
| style="width:25%" valign="middle" height="30" bgcolor="#EEEEEE" align="center" colspan="0" | [http://ro.linkedin.com/pub/anatolie-prisacaru/45/232/764 Anatolie Prisacaru] | | style="width:25%" valign="middle" height="30" bgcolor="#EEEEEE" align="center" colspan="0" | [http://ro.linkedin.com/pub/anatolie-prisacaru/45/232/764 Anatolie Prisacaru] | ||
− | | style="width:40%" valign="middle" height="30" bgcolor="#EEEEEE" align="justify" colspan="0" | In my presentation I will focus the analysis of | + | | style="width:40%" valign="middle" height="30" bgcolor="#EEEEEE" align="justify" colspan="0" | In my presentation I will focus the analysis of what data web browsers, extensions and web servers keep in memory.<br> I will start with a quick introduction on how to dump and analyse processes' random access memory maps on a Linux based operating system with basic tools and then run a quick code review to see a couple of weak points, find their Achilles' heel and finally prove why statements like "Your sensitive data is encrypted _locally_ before upload so even LastPass cannot get access to it" can be pretty misleading. |
− | |||
− | |||
− | |||
− | |||
− | |||
|- | |- | ||
− | | style="width:10%" valign="middle" height="30" bgcolor="#EEEEEE" align="center" colspan="0" | 45 mins | + | | style="width:10%" valign="middle" height="30" bgcolor="#EEEEEE" align="center" colspan="0" | 15:20 - 16:05<br>(45 mins) |
− | | style="width:25%" valign="middle" height="30" bgcolor="#EEEEEE" align="center" colspan="0" | Hacking the Wordpress ecosystem | + | | style="width:25%" valign="middle" height="30" bgcolor="#EEEEEE" align="center" colspan="0" | Online Fraud and the part it plays in Cybercrime [https://www.owasp.org/images/3/3b/OWASP_-_InfoSec_Romania_-_Online_Fraud.pdf] |
+ | | style="width:25%" valign="middle" height="30" bgcolor="#EEEEEE" align="center" colspan="0" | [http://ro.linkedin.com/pub/alex-doroftei/50/b74/36b Alexandru Doroftei] | ||
+ | | style="width:40%" valign="middle" height="30" bgcolor="#EEEEEE" align="justify" colspan="0" | The presentation will be about what is online fraud, what risks do companies face when they support e-commerce and the growing role fraud has in the cybercrime area. I will describe a few of the best practices against fraud, diving a little bit in the fraud industry numbers associated with fraud. | ||
+ | |-) | ||
+ | | style="width:10%" valign="middle" height="30" bgcolor="#EEEEEE" align="center" colspan="0" | 16:10 - 16:55<br>(45 mins) | ||
+ | | style="width:25%" valign="middle" height="30" bgcolor="#EEEEEE" align="center" colspan="0" | Hacking the Wordpress ecosystem [https://www.owasp.org/images/9/9a/Dan_Catalin_VASILE_-_Hacking_the_Wordpress_EcoSystem.pdf] | ||
| style="width:25%" valign="middle" height="30" bgcolor="#EEEEEE" align="center" colspan="0" | [http://ro.linkedin.com/pub/dan-catalin-vasile/1a/549/384 Dan Catalin Vasile] | | style="width:25%" valign="middle" height="30" bgcolor="#EEEEEE" align="center" colspan="0" | [http://ro.linkedin.com/pub/dan-catalin-vasile/1a/549/384 Dan Catalin Vasile] | ||
| style="width:40%" valign="middle" height="30" bgcolor="#EEEEEE" align="justify" colspan="0" | This talk came from the personal need of securing multiple instances of Wordpress. An OWASP Project was initiated to gather the knowledge around this subject in one place.<br> | | style="width:40%" valign="middle" height="30" bgcolor="#EEEEEE" align="justify" colspan="0" | This talk came from the personal need of securing multiple instances of Wordpress. An OWASP Project was initiated to gather the knowledge around this subject in one place.<br> | ||
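Review bot: the row separator added before the 16:10 "Hacking the Wordpress ecosystem" row reads `|-)`; the stray `)` is parsed as a malformed attribute on that row and should be removed so the line is just `|-`. One scheduling point to confirm: the 12:55 - 13:40 slot runs straight into the 13:40 - 14:30 lunch break, while every other slot in this revision leaves a five-minute gap.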
Line 88: | Line 66: | ||
- hacking plugins | - hacking plugins | ||
|- | |- | ||
− | | style="width:10%" valign="middle" height="30" bgcolor="#EEEEEE" align="center" colspan="0" | 45 mins | + | | style="width:10%" valign="middle" height="30" bgcolor="#EEEEEE" align="center" colspan="0" | 17:00 - 17:45<br>(45 mins) |
− | | style="width:25%" valign="middle" height="30" bgcolor="#EEEEEE" align="center" colspan="0" | | + | | style="width:25%" valign="middle" height="30" bgcolor="#EEEEEE" align="center" colspan="0" | Resolving 3 Common threats in MVC (A4 - Insecure Direct Object References , A3 - Cross-Site Scripting (XSS) , A8 - Cross-Site Request Forgery (CSRF) ) [https://www.owasp.org/images/6/6d/OWASP_-_InfoSec_Romania_-AndreiIgnat.pdf] |
− | | style="width:25%" valign="middle" height="30" bgcolor="#EEEEEE" align="center" colspan="0" | [http://ro.linkedin.com/ | + | | style="width:25%" valign="middle" height="30" bgcolor="#EEEEEE" align="center" colspan="0" | [http://ro.linkedin.com/in/ignatandrei Andrei Ignat] |
− | | style="width:40%" valign="middle" height="30" bgcolor="#EEEEEE" align="justify" colspan="0" | The | + | | style="width:40%" valign="middle" height="30" bgcolor="#EEEEEE" align="justify" colspan="0" | Any website is confronted with hackers. The security measures are easy to follow - and this presentation shares to you this knowledge. |
|- | |- | ||
|} | |} |
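Review bot: the new title cell "Resolving 3 Common threats in MVC (A4 - Insecure Direct Object References , A3 - Cross-Site Scripting (XSS) , A8 - Cross-Site Request Forgery (CSRF) )" has a space before each comma and before the closing parenthesis, and lists the OWASP Top 10 2013 entries out of order; suggest "(A3 - Cross-Site Scripting (XSS), A4 - Insecure Direct Object References, A8 - Cross-Site Request Forgery (CSRF))". The speaker link on the following line correctly replaces the truncated `[http://ro.linkedin.com/ |` of the old revision.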
Latest revision as of 19:32, 1 November 2013
Agenda

Time | Title | Speaker | Description
10:30 - 11:00 (30 mins) | Registration | |
11:00 - 11:15 (15 mins) | Introduction & Welcome | Oana Cornea | Introduction to OWASP & Bucharest Event, Schedule for the Day
11:15 - 12:00 (45 mins) | Secure Development LifeCycle (aka "The good the bad and the ugly implementations") [1] | Martin Knobloch | Software development is not THAT new anymore, but it is still a fast-changing work environment. We do develop more functionality faster, and the applications even look prettier!
12:05 - 12:50 (45 mins) | Practical Defense with mod_security Web Application Firewall [2] | Marian Ventuneac | Marian will introduce the mod_security Web Application Firewall (WAF). This session will be a practical demonstration of mitigating security risks for a sample vulnerable web application.
12:55 - 13:40 (45 mins) | Scanning Romania with Nessus (web part) [3] | Adrian Furtuna | This talk presents the results of a passive vulnerability scan performed against all Romanian IP addresses, targeting all web servers listening on port 80. The research was performed against multiple network packet captures selected from the output of the Carna botnet, which scanned Romania in July 2012.
13:40 - 14:30 (50 mins) | Lunch/Coffee Break | |
14:30 - 15:15 (45 mins) | Reading the minds [4] | Anatolie Prisacaru | In my presentation I will focus the analysis on what data web browsers, extensions and web servers keep in memory. I will start with a quick introduction on how to dump and analyse processes' random access memory maps on a Linux-based operating system with basic tools, then run a quick code review to see a couple of weak points, find their Achilles' heel and finally prove why statements like "Your sensitive data is encrypted _locally_ before upload so even LastPass cannot get access to it" can be pretty misleading.
15:20 - 16:05 (45 mins) | Online Fraud and the part it plays in Cybercrime [5] | Alexandru Doroftei | The presentation will be about what online fraud is, what risks companies face when they support e-commerce, and the growing role fraud plays in cybercrime. I will describe a few of the best practices against fraud, diving a little into the industry numbers associated with fraud.
16:10 - 16:55 (45 mins) | Hacking the Wordpress ecosystem [6] | Dan Catalin Vasile | This talk came from the personal need of securing multiple instances of Wordpress. An OWASP Project was initiated to gather the knowledge around this subject in one place. The presentation will address the following subjects:
17:00 - 17:45 (45 mins) | Resolving 3 Common threats in MVC (A4 - Insecure Direct Object References, A3 - Cross-Site Scripting (XSS), A8 - Cross-Site Request Forgery (CSRF)) [7] | Andrei Ignat | Every website is confronted with hackers. The security measures are easy to follow, and this presentation shares that knowledge with you.

Slides:
[1] https://www.owasp.org/images/1/1a/OWASP_-_InfoSec_Romania_-_SDLC_the_good%2C_the_bad_and_the_ugly_.pdf
[2] https://www.owasp.org/images/e/eb/2013-10-25_-_Practical_Defense_with_ModSecurity_WAF_-_v1.1.pdf
[3] https://www.owasp.org/images/e/e9/OWASP_-_InfoSec_Romania_-AdrianFurtuna_ScanningRomania.pdf
[4] https://www.owasp.org/images/c/c7/OWASP_-_InfoSec_Romania_-reading-the-minds.pdf
[5] https://www.owasp.org/images/3/3b/OWASP_-_InfoSec_Romania_-_Online_Fraud.pdf
[6] https://www.owasp.org/images/9/9a/Dan_Catalin_VASILE_-_Hacking_the_Wordpress_EcoSystem.pdf
[7] https://www.owasp.org/images/6/6d/OWASP_-_InfoSec_Romania_-AndreiIgnat.pdf