OWASP Bucharest AppSec Conference 2018 Workshops
Latest revision as of 10:54, 19 October 2018

Workshop

Time: 25th of October, 3.5 hours, begins at 09:00
Title: Automating CI Sec - Pipelines using ZAP, Docker and static code analysis
Trainers: Spyros Gasteratos (https://uk.linkedin.com/in/spyros-gasteratos-36787049) and Nataliya Dubrovska (https://uk.linkedin.com/in/nataliya-dubrovska-02b2078b)
Description: In this workshop we will go through customizing ZAP's Docker images and some static code analysis scripts to work with Concourse CI so that it automatically tests the deployed web application.

Moreover, we will write an example ZAP orchestration script to better test specific parts of the example application.
Last, we will create Docker containers for two static code analysis scripts so that we can easily integrate them into the CI pipeline.
We will go through:

  • Configuring Concourse CI to work with ZAP.
  • Configuring the testing harness to work with ZAP.
  • Writing orchestration scripts to better test specific parts of the application.
  • Packaging extra tooling so that we can better test the committed codebase.

At the end of the workshop the attendees will have example configuration files, orchestration scripts, rules and Dockerfiles for all tools used.
Intended audience: security engineers, developers, pentesters
Skill level: beginner - intermediate
Requirements: a laptop with VirtualBox installed
Seats available: 20 (first-come, first-served)
Price: free
Register here: https://www.eventbrite.com/e/owasp-bucharest-appsec-conference-2018-tickets-47960216298
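The kind of ZAP orchestration script the workshop describes, as an added example that is not the trainers' own material: it scans only one part of the deployed application from a CI job and fails the build when findings at or above a chosen risk level come back. It assumes a ZAP daemon reachable over HTTP (for instance the ZAP Docker image started in daemon mode) and the `zapv2` Python client (package python-owasp-zap-v2.4); the target URL, the scanned path, the environment variable names and the sample alerts are made up for the example.

```python
"""ZAP orchestration for CI: scan one part of a deployed app and fail the
build on findings above a chosen risk level.

Added example, not the workshop's own script. It assumes a ZAP daemon
reachable at ZAP_ADDR (for instance the ZAP Docker image started with
`zap.sh -daemon -host 0.0.0.0 -port 8080`) and that the `zapv2` module
(package python-owasp-zap-v2.4) is installed where this runs. The target
URL, path and environment variable names are made up for the example.
"""
import os
import sys
import time

RISK_ORDER = {"Informational": 0, "Low": 1, "Medium": 2, "High": 3}

# Constructed sample in the shape ZAP's core.alerts returns; not real findings.
SAMPLE_ALERTS = [
    {"pluginId": "1", "alert": "Reflected XSS", "risk": "High",
     "url": "http://app:8080/api/search", "param": "q"},
    {"pluginId": "1", "alert": "Reflected XSS", "risk": "High",
     "url": "http://app:8080/api/search", "param": "q"},   # duplicate hit
    {"pluginId": "2", "alert": "Header missing", "risk": "Low",
     "url": "http://app:8080/api/", "param": ""},
    {"pluginId": "3", "alert": "Error disclosure", "risk": "Medium",
     "url": "http://app:8080/admin/", "param": ""},
]


def select_alerts(alerts, min_risk="Medium", url_prefix=None):
    """Keep alerts at or above `min_risk`, optionally only under `url_prefix`,
    deduplicated on (pluginId, url, param) so one bug is one failure."""
    threshold = RISK_ORDER[min_risk]
    seen, kept = set(), []
    for a in alerts:
        if RISK_ORDER.get(a.get("risk", "Informational"), 0) < threshold:
            continue
        if url_prefix and not a.get("url", "").startswith(url_prefix):
            continue
        key = (a.get("pluginId"), a.get("url"), a.get("param"))
        if key not in seen:
            seen.add(key)
            kept.append(a)
    return kept


def wait_for(status, scan_id, timeout=900, poll=5):
    """Poll a ZAP status call (spider.status or ascan.status) until it reports 100."""
    deadline = time.time() + timeout
    while int(status(scan_id)) < 100:
        if time.time() > deadline:
            raise TimeoutError("ZAP scan %s did not finish within %ss" % (scan_id, timeout))
        time.sleep(poll)


def scan_path(zap, base_url, path, context_name="ci"):
    """Spider and actively scan only `path` below `base_url`. A ZAP context
    limits what the spider follows, so unrelated parts of the app are skipped."""
    target = base_url.rstrip("/") + path
    zap.context.new_context(context_name)
    zap.context.include_in_context(context_name, target + ".*")
    zap.urlopen(target)                         # seed the site tree
    wait_for(zap.spider.status, zap.spider.scan(target, contextname=context_name))
    wait_for(zap.ascan.status, zap.ascan.scan(target, inscopeonly="true"))
    return zap.core.alerts(baseurl=target)


def main():
    from zapv2 import ZAPv2   # imported here so the gating logic above needs no ZAP
    zap_addr = os.environ.get("ZAP_ADDR", "http://zap:8080")
    base_url = os.environ.get("TARGET_URL", "http://app:8080")
    zap = ZAPv2(apikey=os.environ.get("ZAP_API_KEY", ""),
                proxies={"http": zap_addr, "https": zap_addr})
    alerts = scan_path(zap, base_url, os.environ.get("SCAN_PATH", "/api/"))
    failing = select_alerts(alerts, min_risk="Medium", url_prefix=base_url)
    for a in failing:
        print("%-7s %s %s param=%r" % (a["risk"], a["alert"], a["url"], a.get("param", "")))
    return 1 if failing else 0   # non-zero exit fails the CI job


if __name__ == "__main__":
    sys.exit(main())
```

In a pipeline this runs as one task after the deployment step, with the ZAP container and the application reachable on the same network; the exit code is what makes the job red. The deduplication and risk threshold live in a plain function so that the gating rule can be tuned and unit-tested without a running ZAP.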

Time: 25th of October, 3 hours, begins at 13:30
Title: OAuth and OpenID Connect best practices
Trainer: Johan Peeters (https://www.linkedin.com/in/johanpeeters)
Description: OAuth and OpenID Connect (OIDC) quickly became dominant in the API economy. Was this because they were shiny new toys, or are they really superior to older protocols for obtaining authorization and identity information, such as SAML? While SAML was designed for the enterprise, OAuth and OIDC's creation myth is from a different universe: it gives social media users the possibility to delegate limited access to partially trusted clients. Since then, OAuth and OIDC have been employed well beyond the confines of social media. Consequently, a good deal of creativity to adapt a protocol designed for Discretionary Access Control (DAC) in a social media context to enterprise Mandatory Access Control (MAC) requirements has been observed - I cannot help feeling the wheel has been reinvented many times over.

In this workshop, we discuss some of the design patterns that have come to the fore and reflect on the road ahead. What standard updates can we expect? Should we be compiling best practices? If so, what do they contain?
Here are some candidate topics for an in-depth discussion:

  • a format for OAuth access tokens
  • the principle of least privilege: what does this mean for security tokens?
  • how are permissions represented?
  • how are users granted permissions?
  • how are permissions communicated to resource servers?
  • security token time to live (TTL)
  • access token claims

Intended audience: developers, security professionals
Skill level: intermediate
Requirements: for optimal benefit, participants should have a good knowledge of the OAuth and OIDC frameworks
Seats available: 20 (first-come, first-served)
Price: free
Register here: https://www.eventbrite.com/e/owasp-bucharest-appsec-conference-2018-tickets-47960216298
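As an added example that is not part of the workshop material, here is what the questions above on permissions reaching the resource server, token lifetime and access token claims look like when a resource server actually enforces them. It picks one possible answer to the token-format question, a JWT signed with HMAC-SHA256 over a key shared with the authorization server, and carries permissions in the `scope` claim; the issuer, audience, key and scope names are made up for the example.

```python
"""Resource-server check of an OAuth access token.

Added example, not material from the workshop. It assumes the access
token format is a JWT signed with HMAC-SHA256 (one possible answer to the
"token format" question), that the resource server shares the key with
the authorization server, and that permissions travel in the standard
`scope` claim as a space-separated list. Issuer, audience and key are
made-up values.
"""
import base64
import hashlib
import hmac
import json
import time

ISSUER = "https://as.example"              # assumed authorization server
AUDIENCE = "https://orders.example"        # this resource server's identifier
KEY = b"shared-hs256-key-for-the-example"  # constructed; never ship a static key


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def mint_token(claims: dict, key: bytes = KEY) -> str:
    """Build an HS256 JWT; stands in for the authorization server."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"


def verify_token(token: str, required_scope: str, key: bytes = KEY, now=None):
    """Return (ok, reason). Checks in order: structure, pinned algorithm,
    signature, issuer, audience, lifetime, then the scope this operation
    needs (least privilege: a token minted for another API or scope is refused)."""
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        return False, "malformed"
    h, p, s = parts
    try:
        header = json.loads(_b64url_decode(h))
        claims = json.loads(_b64url_decode(p))
        sig = _b64url_decode(s)
    except ValueError:                      # covers bad base64, bad UTF-8, bad JSON
        return False, "undecodable"
    if header.get("alg") != "HS256":        # pin the algorithm; never trust the token's choice
        return False, "alg"
    expected = hmac.new(key, f"{h}.{p}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(sig, expected):
        return False, "signature"
    if claims.get("iss") != ISSUER:
        return False, "issuer"
    aud = claims.get("aud")
    if aud != AUDIENCE and not (isinstance(aud, list) and AUDIENCE in aud):
        return False, "audience"
    exp = claims.get("exp")
    if not isinstance(exp, (int, float)) or exp <= now:
        return False, "expired"
    scopes = set(str(claims.get("scope", "")).split())
    if required_scope not in scopes:
        return False, "scope"
    return True, "ok"
```

The order of the checks matters for the discussion topics: signature before anything else, so no claim is believed until its origin is known; audience so a token minted for another resource server cannot be replayed here; a short `exp` so the TTL, not revocation, bounds the damage from a leaked token; and a per-operation scope check rather than a single "valid token" gate.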