OWASP Bucharest AppSec Conference 2017 Talks
Conference agenda, 13th of October

| Time | Title | Speaker | Description |
|---|---|---|---|
| 9:00 - 9:30 (30 mins) | Registration and coffee break | | |
| 9:30 - 9:45 (15 mins) | Introduction | Oana Cornea | Introduction to the OWASP Bucharest event and the schedule for the day. |
| 9:45 - 10:30 (45 mins) | Threat modelling – how we deconstruct systems and the threats they are at risk from | Mustafa Kasmani | The presentation focuses on plenty of great case studies in threat modelling – how we deconstruct systems and the threats they are at risk from. There will be implicit training in the form of practical exercises in how you calculate risk and accountability. Threat modelling also involves different disciplines in design, development and security, so we expect the audience to join the conversation. |
| 10:45 - 11:30 (45 mins) | Testing for cyber resilience: tools & techniques for adversary attack/defense simulation | Teodor Cimpoesu and Adrian Ifrim | We know that testing selected points around large infrastructures, combined with testing a subset of the enterprise applications (the critical ones), is no longer enough to match what is going on in the wild in terms of cyber risk. Nowadays real attacks often go undetected for months and use modern tools & techniques, and the responders are often overwhelmed by the complexity of analysis, time pressure, and the need to understand adversary tactics. |
| 11:45 - 12:30 (45 mins) | Less Known Web Application Vulnerabilities | Ionut Popescu | Many application programs (including their testing strategies) rely on rather simple standards, sometimes even as simple as the OWASP Top Ten. This often leads to a false sense of security – developers tend to believe that if they have worked their way through ready-made checklists and taken proper care of the well-known topics like authentication, authorization or using parameterized queries, there should be no big surprises ahead. Nevertheless, the real world of application security is far more complicated than this. New attack vectors are found on a regular basis, and security standards and vulnerability libraries tend to become obsolete pretty fast. It is nearly impossible to keep track of all the vulnerabilities an application can be exposed to. |
| 12:30 - 13:30 (60 mins) | Lunch/Coffee Break | | |
| 13:30 - 14:15 (45 mins) | Overview of TLS v1.3 | Andy Brodie | Transport Layer Security (TLS), a.k.a. Secure Sockets Layer (SSL), is probably the most important security protocol used on the Internet today. It provides privacy, integrity and authentication for any two parties who want to have a secure conversation across the public Internet. Most popular websites and web services, and all online banking and payment services, use TLS today, and uptake is increasing as consumers demand more protection against both hackers and state agencies trying to monitor or interfere with communications. The TLS v1.3 specification, managed by the Internet Engineering Task Force (IETF), is currently on its 21st draft and is aiming to be ratified later this year. It marks the biggest change in the protocol since 1996, when SSL v3.0 was published. Rather than incremental additions and deprecations, features such as RSA key exchange, 3DES and session renegotiation have been removed completely, and big efficiency gains can now be made from one-round-trip and even zero-round-trip handshakes. This talk will explain to the audience the basics of TLS 1.3: the goals of the protocol and how it achieves them, and which features have been added, removed and changed. The talk is technical, but does not require knowledge or experience of cryptography or mathematics. |
| 14:20 - 15:05 (45 mins) | Protecting against credential stuffing attacks | Cristian Opincaru, Catalin Manole, Razvan Matei | Attackers have easy access to vast amounts of credentials from known breaches of major websites (e.g. Yahoo: 1.5 billion credentials). Furthermore, automation tools specially crafted for ease of use are readily available: Sentry.MBA (brute-forcer), ProxyScraper (scraper for open proxies), D3V Spider (credential scraper for Pastebin). What's more, tutorials are available on YouTube. This presentation will go through reactive and proactive measures that authentication systems can take to protect their users against credential stuffing. |
| 15:05 - 15:20 (15 mins) | Coffee break | | |
| 15:20 - 16:05 (45 mins) | BDD Mobile security testing with OWASP MASVS, OWASP MSTG and Calabash | Davide Cioccia | Big companies use mobile BDD tests only to check that all the functionality works. BDD security testing is becoming more and more important in the business panorama, where complex applications need to be tested continuously as part of continuous delivery (CD) and continuous integration (CI). The agile way of working also requires more flexibility in security testing, so a complete pentest at the end of development is no longer enough. OWASP MASVS and MSTG (Mobile Security Testing Guide) give developers and security professionals hints on what to test and how. What if we could automate these tests directly in the development pipeline before building the application? By integrating Cucumber, Calabash and Ruby it is possible to create simple, medium and advanced security tests, automating the UI, accessing the filesystem, Keychain, databases and logs in the background, and checking memory on the fly. |
| 16:05 - 16:50 (45 mins) | Securing the code and waiting for skilled hackers | Sergiu Zaharia | When code is analyzed and secured early in the development phase, developers are really curious about the remaining channels that can be exploited by hackers. Via this presentation we try to provide hints on the following topics: |
| 16:50 - 17:00 (15 mins) | Closing ceremony | OWASP Bucharest team | CTF prizes |