
OWASP Bucharest AppSec Conference 2017 Talks

Revision as of 19:32, 8 August 2017 by Oana Cornea


Conference agenda

8:30 - 9:00 (30 mins)
Registration and coffee break
9:15 - 10:00 (45 mins)
Title: Testing for cyber resilience: tools & techniques for adversary attack/defense simulation
Speakers: Teodor Cimpoesu and Adrian Ifrim
Description: We know that testing selected points around large infrastructures, combined with testing a subset of the enterprise applications (the critical ones), is no longer enough to match what is going on in the wild in terms of cyber risk.

Nowadays real attacks often go undetected for months, use modern tools & techniques, and the responders many times get overwhelmed by the complexity of analysis, time pressure, and the need to understand adversary tactics.
In this presentation and demo, we will show some common techniques of getting a foothold in a target, stealing credentials, doing lateral movement and preparing for data exfil from the red teamer perspective, as well as best practices and approaches for blue teamers to detect and respond to them.

10:00 - 10:45 (45 mins)
Title: Securing the code and waiting for skilled hackers
Speaker: Sergiu Zaharia
Description: When code is analyzed and secured early in the development phase, the developers are really curious about the remaining channels that can be exploited by hackers.

Via this presentation we try to provide hints on the following topics:

  • What software security standards tell us and why we should listen to them;
  • Types of vulnerabilities statistically identified by SAST scanners on source code / Deep dive into some vulnerabilities discovered by SAST solutions;
  • Solutions at code level and for the software environment: supporting processes and technology (vendor-agnostic), architectures, features, limitations. / The holistic secure software development process model;
  • How can ethical hackers make use of SAST solutions to optimize their white box tests.
11:00 - 11:40 (40 mins)
Title: Less Known Web Application Vulnerabilities
Speaker: Ionut Popescu
Description: Many application programs (including their testing strategies) rely on rather simple standards, sometimes even as simple as the OWASP Top Ten. This often leads to a false sense of security – developers tend to believe that if they have worked their way through ready-made checklists and taken proper care of the well-known topics like authentication, authorization or using parameterized queries, there should be no big surprises ahead.

Nevertheless, the real world of application security is way more complicated than this. New attack vectors are being found on a regular basis, and security standards and vulnerability libraries tend to get obsolete pretty fast. It’s nearly impossible to keep track of all the vulnerabilities an application can be exposed to.
The goal of this talk is to raise awareness about this topic. Several less-known security vulnerabilities will be explained and shown in practice, and mitigation strategies will be proposed.

11:50 - 12:30 (40 mins)
Title: Students in Security Panel

12:30 - 13:30 (60 mins)
Lunch/Coffee Break

13:30 - 14:15 (45 mins)
Title: OWASP Risk Rating Management
Speaker: Ade Putra
Description: OWASP Risk Rating Management Project

There are many methodologies that can be used for security assessments, particularly website security assessments. OWASP already has a methodology for website security assessments, called the “OWASP Risk Rating Methodology”. OWASP also provides an Excel template to calculate the risk score. But some users do not know how to assess their own websites. Some users may have difficulty understanding a methodology, or they do not understand the threat agent factor, the skill level or vulnerability factor, or ease of exploit. Another problem occurs when an owner must assess many websites; they must create multiple copies of the OWASP Risk score template, increasing the likelihood of losing the file or data in the process. The OWASP Risk Rating Management Project will help owners/developers to avoid these problems when they implement a website security assessment.
https://www.owasp.org/index.php/OWASP_Risk_Rating_Management

14:15 - 15:00 (45 mins)
Title: BDD Mobile security testing with OWASP MASVS, OWASP MSTG and Calabash
Speaker: Davide Cioccia
Description: Big companies only use mobile BDD tests to check that all the functionalities work. BDD security testing is becoming more and more important in the business panorama, where complex applications need to be tested continuously because they are part of continuous delivery (CD) and continuous integration (CI). The agile way of working requires more flexibility in security testing as well, so a complete pentest at the end of development is not enough anymore. OWASP MASVS and MSTG (Mobile Security Testing Guide) give developers and security professionals hints on what to test and how. What if we could automate these tests directly in the development pipeline before building the application? By integrating Cucumber, Calabash and Ruby it is possible to create simple, medium and advanced security tests, automating the UI, accessing the filesystem, Keychain, databases and logs in the background, and checking the memory on the fly.
15:00 - 15:15 (15 mins)
Coffee break

15:15 - 16:00 (45 mins)
Title: Security champions: Opera experience
Speaker: Alexander Antukh
Description: Security champions are an interesting concept for scaling security in multi-team companies. During this presentation I'll share my experience of building a team of champions, the challenges we had to overcome, and metrics to evaluate the efficiency of the model. As a bonus, a security champion playbook will be introduced to the audience.
16:00 - 16:45 (45 mins)

16:45 - 17:00 (15 mins)
Title: Closing ceremony
Speaker: OWASP Bucharest team
Description: CTF Prizes