This site is the archived OWASP Foundation Wiki and is no longer accepting Account Requests.
To view the new OWASP Foundation website, please visit https://owasp.org
Difference between revisions of "OWASP Bucharest AppSec Conference 2017"
Oana Cornea (talk | contribs) (reg link) |
Oana Cornea (talk | contribs) |
||
| Line 91: | Line 91: | ||
=CTF= | =CTF= | ||
{{:OWASP_Bucharest_AppSec_Conference_2017_CTF}} | {{:OWASP_Bucharest_AppSec_Conference_2017_CTF}} | ||
| + | |||
| + | =Women in AppSec= | ||
| + | {{:OWASP_Bucharest_AppSec_Conference_2017_WiA}} | ||
=Team= | =Team= | ||
Revision as of 16:29, 21 July 2017
- Welcome
- Become a sponsor
- Conference talks
- Free workshops
- 3 days training
- 2 days training
- 1 day training
- CTF
- Women in AppSec
- Team
|
|
CONFERENCE (Friday 13th of October) | ||
| Date | Location | |
| Friday 13th of October, 8.00 AM |
Venue Location: Hotel Caro Workshops: Hotel Caro Venue Address: 164A Barbu Vacarescu Blvd. 2nd District, 020285 Bucharest, Romania | |
| Price and registration | ||
| The conference entrance is FREE, you need to register on the link provided below, print your ticket and present it at the entrance. The training sessions will be paid. The workshops and CTF attendance is free of charge Registration |
||
Sponshorship opportunities
Why sponsor?
- Join 300+ leaders, security consultants, security architects and developers gathered to share cutting-edge ideas, initiatives and trends in technology.
- OWASP events attract an audience interested in "What's next?" - As a sponsor, you will be promoted as an answer to this question.
- Increase awareness and recognition in Romanian Security IT environment.
- Support and involvement in the world of information security enthusiasts.
Conference agenda, 13th of October | |||||
| Time | Title | Speaker | Description | ||
| 9:00 - 9:30 (30 mins) |
Registration and coffee break | ||||
| 9:30 - 9:45 (15 mins) |
Introduction | Oana Cornea | Introduction to the OWASP Bucharest Event, Schedule for the Day | ||
| 9:45 - 10:30 (45 mins) |
OWASP Juice Shop: The most trustworthy online shop out there | Bjoern Kimminich | OWASP Juice Shop is an intentionally insecure webapp for security trainings written entirely in Javascript which encompasses the entire OWASP Top Ten and other severe security flaws. In this talk you will learn all about the project and its capabilities. You will...
| ||
| 10:45 - 11:30 (45 mins) |
Application Security Lifecycle | Adrian Locusteanu | A complete perspective on application security assumes addressing the whole application lifecycle: from secure design and (static or dynamic) testing to changes and continuous operational protection through adaptive managed application security services. A standardized end2end frame to provide secure enablement for both application developers and online presences will be presented from Telekom's experience. | ||
| 11:45 - 12:30 (45 mins) |
N different strategies to automate OWASP ZAP | Marudhamaran Gunasekaran (Maran) | In this talk we will explore the many different ways of automating security testing with the OWASP Zed Attack Proxy and how it ties to an overall Software Security Initiative. Over the years, ZAP has made many advancements to its powerful APIs and introduced scripts to make security automation consumable for mortals. This talk is structured to demonstrate how ZAP's API, and scripts could be integrated with Automated Testing frameworks beyond selenium, Continuous Integration and Continuous Delivery Pipelines beyond Jenkins, scanning authenticated parts of the application, options to manage the discovered vulnerabilities and so on with real world case studies and implementation challenges.
This is a demonstration oriented talk that explains OWASP ZAP automation strategies for Security Testing by example. | ||
| 12:30 - 13:30 (60 mins) |
Lunch/Coffee Break | ||||
| 13:30 - 14:15 (40 mins) |
Women in AppSec Panel
| ||||
| 14:20 - 15:05 (45 mins) |
Security champions 2.0 | Alexander Antukh | Security champions is an interesting concept of scaling security in multi-team companies. During this presentation I'll share experience of building a team of champions, challenges we had to overcome, and metrics to evaluate the efficiency of the model. As a bonus, security champion playbook will be introduced to the audience. | ||
| 15:05 - 15:20 (15 mins) |
Coffee break | ||||
| 15:20 - 16:05 (45 mins) |
Man-in-the-browser attacks | Daniel Tomescu | Most of today's efforts towards securing web applications rely on securing the web server and providing users with web pages which are protected against common weaknesses over a secure channel. However, we often forget that web applications are client-server applications where the client is the web browser. Therefore, accessing a website is not safe as long as the web browser cannot be trusted.
How many web browsers do we use in a week or a month? Are those web browsers exposed to attacks? Do we trust our favourite web browsers? We will discover multiple attack scenarios and attack vectors which can endanger our browsing experience. Be warned, your relationship with your favourite web browser might suffer and trust issues might arise. | ||
| 16:05 - 16:50 (45 mins) |
How my SVM nailed your Malware | Nikhil.P.K | As we know the Android Application Industry from a security perspective, it is also quite well known that the Android platform is succeptible to malicious applications. And with the recent trend where all the vendors and customers going completely mobile, android has now become an attack surface for most of the malicious attacks. Moreover, the mechanisms used for android malware detection comprise of several known methods, and we also know that most of these mechanisms are permission based or based on API usage. This Project implementation is based on well known machine learning algorithm which is Support Vector Machines for solving the problem of android malware analysis. This method involves the mechanism of detection of android malware by effeciently embedding the functional call graphs along the feature map. The gamechanger in this concept would be the optimal utilization of the SVM Algorithm(Support Vector Machine) that proves to be better than other approaches with a minimalistic amount of false positives found and a higher detection rate. | ||
| 16:50 - 17:00 (15 mins) |
Closing ceremony | OWASP Bucharest team | CTF Prizes | ||
Workshop | |||||
| Time | Title | Trainers | Description | ||
| Workshop 13th of October 2 hours: begins at 10:30 Goga Room |
Threat Modelling a fictitious payment web application |
Mustafa Kasmani | Description: Following on from the Threat Modelling presentation by the same author, this workshop will aim to put the theory covered by that presentation into practice. The objective of doing so is to introduce the audience to the benefits of performing Threat Modelling on a system during the early stages of design / development. This ensures that key security threats are known and understood early on allowing remediation to be done in a more cost effective and pragmatic way than had they been found much later on during testing or when in production. A fictitious payment web application will be examined in this session – defining its business functionality, actors, assets and technology stack. Data flowing between the components will then be drawn out in the form of data-flow diagrams (DFD’s). Thereafter the attack-surface will be mapped out using the STRIDE methodology identifying threats pertaining to Spoofing, Tampering, Repudiation, Information disclosure, Denial of service and the Elevation of privilege. Finally, these will documented in a form allowing categorisation of risk together with identified security controls that should be tested. | ||
| Workshop 13th of October 3 hours: begins at 13:30 Goga Room |
AppSec Bucharest vs. OWASP Juice Shop |
Björn Kimminich | Description: In this *free* workshop you can test your skills in hacking modern web applications against the OWASP Juice Shop! There are 43+ challenge that are waiting to be solved, ranging from simple functional problems and the usual XSS/SQLi issues over severe authentication flaws to multi-step & multi-path attacks against the discount coupons issued by the application! How many challenges can you beat? During the workshop you can get some first-hand hints in case you fell stuck. At the end of the workshop there will be a demo of some of the more mindboggling challenges - but only for those, who don't want to solve them on their own later! You will have an idea how good you and your tools are with
| ||
| Workshop 13th of October 3 hours: begins at 9:30 Slavici Room |
Free Diving into Android Security |
Nikhil P Kulkarni and Ravi Kumar Kovela | Description: The agenda of this free workshop is to get the taste of working on Android Security. The workshop would involve the attendees to install and learn the tools used for android pentesting. The following would be the topics that would be covered during the 3 hour session:
Though not in-depth but this workshop would definitely give a great push to start into the Mobile Security Scene. At the end of the workshop, the attendees would be given few challenges to be solved, giving them an understanding and idea on how to find some of the very well-known Android Security Issues. Intended Audience: Application Developers, Penetration Testers who plan to get into the field of Mobile Pentesting with basic knowledge and understanding of the Android Operating System. Prerequisites:
Software Requirements:
Seats available: 20 (first-come, first served) | ||
Training | |||||
| Time | Title | Trainers | Description | ||
| 3 days training 11th, 12th, 13th of October daily: 9:00 - 17:00 |
Secure Coding for Java |
Robert Seacord | Description: This three-day instructor-led Secure Coding for Java course provides developers with practical guidance for developing Java programs that are robust and secure. Material in this presentation was derived from the Addison-Wesley book The CERT Oracle Secure Coding Standard for Java and is supported by the Secure Coding Rules for Java Live Lessons videos. Participants should come away from the course with a working knowledge of common programming errors that lead to software vulnerabilities, how these errors can be exploited, and effective mitigation strategies for preventing the introduction of these errors. In particular, participants will learn how to:
Moreover, the course encourages programmers to adopt security best practices and develop a security mindset that can help protect software from tomorrow’s attacks, not just today’s. Seats available: 20 (first-come, first served) | ||
Training | |||||
| Time | Title | Trainers | Description | ||
| 2 days training 11th and 12th of October daily: 9:00 - 17:00 |
Assessing and securing applications using the OWASP ASVS (Application Security Verification Standard) |
Oana Cornea | Description: The focus of this training will be on how to build secure applications and how to evaluate them using real world scenarios. The attendees will learn the concepts solving exercises and using various OWASP resources like the OWASP ASVS (Application Security Verification Standard) and the OWASP Testing Guide.
Topics covered:
Day 2:
| ||
Training | |||||
| Time | Title | Trainers | Description | ||
| 1 day training 11th of October daily: 9:00 - 17:00 |
OWASP Top 10 vulnerabilities – discover, exploit, remediate |
Adrian Furtună – Founder & Ethical Hacker – VirtualStorm Security and Ionuţ Ambrosie – Security Consultant – KPMG Belgium |
Description: The overall objective of this workshop is to increase the participants’ awareness on the most common web application vulnerabilities and their associated risks. We will discuss each type of vulnerability described in the OWASP Top 10 project and will teach participants manual discovery and exploitation techniques. Furthermore, a set of useful security testing tools will be introduced during the workshop. This is a hands-on workshop where participants will learn how to:
Moreover, we will discuss ways in which security can be better integrated into the software development lifecycle and how the OWASP Top 10 vulnerabilities can be avoided, identified early on or mitigated before they reach production environments.
Seats available: 20 (first-come, first served) | ||
CTF (Capture The Flag) contests are popular ways to hone your practical security skills by solving challenges on topics such as web, crypto, reverse, exploiting.
We invite everyone passionate about practical security at the OWASP AppSec 2017 CTF, where you and your team will solve challenges on web, reverse and exploiting. Challenges will be Linux-centric and web.
Please note that this is a competition designed for beginners, students and security enthusiasts.
Here are the important dates:
- The qualifiers are online on 9th of September, between 10:00 and 22:00 (Bucharest time, UTC+2). In order to participate please REGISTER HERE!
- The first 10 teams will be invited to the final.
- The final will be on 12th of October. The qualified teams that want to compete for the prizes must be on site, in the competition room.
The CTF webpage is here: https://owasp-ctf.security.cs.pub.ro/home .
The CTF final will take place during the OWASP Bucharest AppSec 2017 conference, on site, for 8 hours, from 9am to 5pm. Teams will consist of at most 5 players; everyone has to be on site at the conference.
The teams qualified for the final are:
| knights who say ni | 775 |
| penthackon | 350 |
| UPTimSec | 275 |
| StackOrSlack | 275 |
| Fuszuly | 225 |
| Shellphish | 225 |
| tum_cyber | 225 |
| ynot ro | 150 |
| Just a Hack | 75 |
| TimeXlord | 75 |
| Xor_the_World | 75 |
We would not cover any transport or accommodation costs for the final competitors, in order to attend the event on 12th of October.
Hope you can make it! You’ll have tons of fun!
If you’re new to CTFs or you want to know more please check these links:
- picoCTF (https://picoctf.com/): A good place for beginners to go through CTF tasks
- Computer and Network Security (http://ocw.cs.pub.ro/courses/cns): A masters class featuring concepts and tools on practical security
- Hack Night (https://github.com/isislab/Hack-Night): Training session run by the NYU Poly ISIS lab
- CTF Write-ups (https://github.com/ctfs/): Write-ups (solutions) for CTF contests arount the globe
- Online Wargames Bundle (http://security.cs.pub.ro/hexcellents/wiki/kb/practice-and-learning): A list of wargame sites you can use for honing your skills
Prizes:
- 1st place: 1024 euros
- 2nd place: 512 euros
- 3rd place: 256 euros
Panel discussion
Presented by Iulia Ivanov
For 11 years Iulia Ivanov lives a transformational professional journey in the human resources field, accessing diverse organisation cultures like Heineken, Oracle, Samsung. Passionate about planning and career management counseling, focused on the young generation, Iulia follows a vocational calling in this area thru an all-inclusive practical approach:
- Studies a dedicated master program at the University of Psychology & Educational Sciences
- Collaborates closely with Fundatia Calea Victoriei whereas a public speaking lector she delivers the tailored workshop for the adolescents
Kicked-off a new partnership with the Aspire for Teachers academy in the role of Community Engagement Leader.
| Panelist | Bio | Photo |
|---|---|---|
| Giorgiana Vlăsceanu | Giorgiana Vlăsceanu has more than 8 years of experience in organizing events, she pursued the Bachelor degree at the Faculty of Automatic Control and Computers, UPB, where she is currently a Master student, studying Advanced Computer Architectures.. She is passionate about technology and teaching and she's a co-founder at Codette, the community for all Romanian women technologists, regardless of age, level of experience, or tech branch. Codette aims to develop events based on education, inclusion and personal development. Among the Codetteevents the ones which stand out the most are IoT4Girls, Codette Stories, Codette Travel Grant. | |
| Alexandra Anghel | Alexandra Anghel is the Co-founder & CTO at Appticles.com, a multi-channel mobile publishing platform, and Co-founder at Codette. She has a technical background, mostly in backend programming, and she has previously owned an outsourcing company. She's passionate about startups & entrepreneurship and likes to get involved in various activities to help women get into programming/coding. In 2012, she won the runner up award at Girls in Tech, Paris. In 2016, she graduated from the Prosper Women Entrepreneurs accelerator in the US. | |
| Daniela Ene | Daniela is a passionate software developer with a bachelor degree at the Faculty of Automatic Control and Computer Science, UPB. She has over 5 years of experience in developing java solutions for virtual machine management, investment banking and digital publishing. She is a curious person continuously looking to learn new technologies that can help at delivering a better user experience. In her spare time, she enjoys traveling, snowboarding, photography or reading random things about machine learning. | |
| Daniel Barbu | Daniel BARBU is a Ph.D candidate in the field of Information Security who brings passion into his daily tasks. He enjoyed learning and growing while working at Electronic Arts, Dell Secureworks and now Adobe. As a member of OWASP Bucharest Chapter and RAISA (Romanian Association for Information Security Assurance) , Daniel is constantly seeking opportunities to popularize information security. Daniel is currently managing a multi - role & diverse security team within TechOps Romania at Adobe where he focuses on the growth of the team members’ skill set. |
Sponsors
Platinum+ Sponsor |
||||||
|
||||||
Platinum Sponsors |
||||||
|
|
|||||
Gold Sponsors |
||||||
|
|
|
||||
|   | ||||||
Event Supporters |
||||||
|
|
|
||||
|
|
|
||||
|
|
|
||||
|
|
|
||||
|
|
