This site is the archived OWASP Foundation Wiki and is no longer accepting Account Requests.
To view the new OWASP Foundation website, please visit https://owasp.org
OWASP Bucharest AppSec Conference 2018 Agenda Talks
Conference agenda, 26th of October | |||||
| Time | Title | Speaker | Description | ||
| 9:00 - 9:30 (30 mins) |
Registration and coffee break | ||||
| 9:30 - 9:45 (15 mins) |
Introduction | Oana Cornea | Introduction to the OWASP Bucharest Event, Schedule for the Day | ||
| 9:45 - 10:30 (45 mins) |
Browsers - For better or worse ... | Renato Rodrigues | It is no news that security is under close scrutiny of the public eye. Everyone is on alert for the latest database leak, closely tracking the updates on the business losing millions on a hack or digging deep into the web to find ways to stay protected. In this presentation, we'll tap into the role browsers play from the security practices perspective - regarding defense and browsers as attack platforms. While some of the tricks covered in this presentation will be recognizable for most in the community, others are still kept away from the limelight. Hopefully, in the end, you will be able to take something new for your assessments. | ||
| 10:45 - 11:30 (45 mins) |
Access control, REST and sessions | Johan Peeters | There is a lot of confusion surrounding REST, state, sessions, and the implications for access control. Let’s clear this up. REST services are stateless. In other words, there are no sessions between REST API producers and consumers. Given the difficulties of securing sessions, this is A Good Thing from a security perspective. | ||
| 11:45 - 12:30 (45 mins) |
Cookies versus tokens: a paradoxical choice | Philippe De Ryck | When you’re building Angular applications, you will need to figure out how to manage your user’s sessions. Back in the days, this used to be simple. But now, there are many different options, all with specific advantages and disadvantages. How can you make a sensible choice, and how will that impact the security of your application? This talk lays it out for you. We dive into the technicalities of cookies, JWT tokens and Authorization headers. You will learn how to assess your past choices, and how to substantiate future decisions. | ||
| 12:30 - 13:30 (60 mins) |
Lunch/Coffee Break | ||||
| 13:30 - 14:15 (40 mins) |
Women in AppSec Panel
| ||||
| 14:20 - 15:05 (45 mins) |
Tales of Practical Android Penetration Testing (Mobile Pentest Toolkit) | Alexander Subbotin | A vast number of open source tools and commercial products has been developed to support the security analysis of mobile apps. It has become a great challenge for a penetration tester to choose suitable or the best tools and the adequate pentest environment/distribution. And even when the test tools have been chosen, the problem remains that most of the tools only offer a CLI interface and that their usage can be very time consuming.
In order to automatize the setup of the test environment and the common processes during a mobile pentest, the author has developed the "Mobile Pentest Toolkit" (PMT). This toolkit takes over recurring and time consuming tasks for the tester. It has a standardized user interface for the usage of locally installed security tools (and installs them on demand). An example of use is: After the tester has modified the Smali code, the generation of a valid and signed APK file only takes a few moments.
Aside from that, this talk illustrates techniques for dynamic analysis and tracking of changes within the app. The goal is to present the Mobile Pentest Toolkit to an interested audience and to publish it as an open source tool. | ||
| 15:05 - 15:20 (15 mins) |
Coffee break | ||||
| 15:20 - 16:05 (45 mins) |
|||||
| 16:05 - 16:50 (45 mins) |
|||||
| 16:50 - 17:00 (15 mins) |
Closing ceremony | OWASP Bucharest team | CTF Prizes | ||
