This site is the archived OWASP Foundation Wiki and is no longer accepting Account Requests.
To view the new OWASP Foundation website, please visit https://owasp.org

Difference between revisions of "Israel"

From OWASP
(2nd OWASP IL mini conference at the Interdisciplinary Center (IDC) Herzliya, May 21th 2007)
(2nd OWASP IL mini conference at the Interdisciplinary Center (IDC) Herzliya, May 21th 2007)
Line 6: Line 6:
  
 
The meeting will be held on Monday, May 21st, Starting at 13:30 at the Interdisciplinary Center (IDC) Herzliya campus. Participation is free and open to all, but please inform us (e-mail to [email protected]) that you are coming as space is limited. Feel free to spread the word about this meeting to anyone you feel would be interested. You can also register to get the [http://lists.owasp.org/mailman/listinfo/owasp-israel OWASP Israel mailing list] and receive updates regarding chapter's meetings. For further details please contact us.
 
The meeting will be held on Monday, May 21st, Starting at 13:30 at the Interdisciplinary Center (IDC) Herzliya campus. Participation is free and open to all, but please inform us (e-mail to [email protected]) that you are coming as space is limited. Feel free to spread the word about this meeting to anyone you feel would be interested. You can also register to get the [http://lists.owasp.org/mailman/listinfo/owasp-israel OWASP Israel mailing list] and receive updates regarding chapter's meetings. For further details please contact us.
 +
 +
'''The conference will be held at the Arazi Building, room CL05, at the Interdisciplinary Center (IDC) Herzliya. You can find instruction s and maps on getting to IDC [http://pow.idc.ac.il/portal/page?_pageid=493,93043&_dad=portal&_schema=PORTAL&p_calledfrom=1 here]'''
  
 
Dr. Anat Bremler-Barr<br>
 
Dr. Anat Bremler-Barr<br>
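Review bot: the added bold line "The conference will be held at the Arazi Building, room CL05..." spells "instruction s and maps" with a stray space; it should read "instructions and maps". The revision summary and the section body also disagree on the date suffix ("May 21th" in the summary, "May 21st" in the paragraph above it); "21st" is correct.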

Revision as of 09:57, 20 May 2007

OWASP Israel

Welcome to the Israel chapter homepage. The chapter leader is Ofer Shezaf


Participation

OWASP Foundation (Overview Slides) is a professional association of global members and is open to anyone interested in learning more about software security. Local chapters are run independently and guided by the Chapter Leader Handbook. As a 501(c)(3) non-profit professional association, your support and sponsorship of any meeting venue and/or refreshments is tax-deductible. Financial contributions should only be made online using the authorized online chapter donation button. To be a SPEAKER at ANY OWASP Chapter in the world, simply review the speaker agreement and then contact the local chapter leader with details of what OWASP PROJECT, independent research or related software security topic you would like to present on.

Sponsorship/Membership

Donate to this chapter or become a local chapter supporter. Or consider the value of Individual, Corporate, or Academic Supporter membership. Ready to become a member? Join Now


2nd OWASP IL mini conference at the Interdisciplinary Center (IDC) Herzliya, May 21st 2007

Following the big success of the 1st one, we are glad to announce the 2nd OWASP IL mini conference at the Interdisciplinary Center (IDC) Herzliya. The mini conference is a non-commercial event focusing on web application security. As you can see in the program below, we have carefully selected the presentations and we hope they are all relevant, informative and, most importantly, non-commercial. Nevertheless, we are happy to say that we were able to get very distinguished companies to sponsor the event and make sure that the refreshments will be great.

The meeting will be held on Monday, May 21st, starting at 13:30 at the Interdisciplinary Center (IDC) Herzliya campus. Participation is free and open to all, but please inform us (e-mail to [email protected]) that you are coming, as space is limited. Feel free to spread the word about this meeting to anyone you feel would be interested. You can also register to the OWASP Israel mailing list and receive updates regarding the chapter's meetings. For further details please contact us.

The conference will be held at the Arazi Building, room CL05, at the Interdisciplinary Center (IDC) Herzliya. You can find instructions and maps on getting to IDC here.

Dr. Anat Bremler-Barr
Program Academic Director, Information Security Program
Efi Arazi School of Computer Science, Interdisciplinary Center (IDC) Herzliya

Ofer Shezaf
CTO, Breach Security
Chapter Leader, OWASP Israel

The meeting is sponsored by Breach Security, Checkpoint, Hacktics, Microsoft, Zend, 2Bsecure, F5 Networks and the Efi Arazi school of Computer Science at the Interdisciplinary Center (IDC) Herzliya.



The agenda of the meeting is:

Gathering and Refreshments
13:30 - 14:00


Updates from OWASP Europe, Milan
Ofer Shezaf, OWASP IL chapter leader, CTO, Breach Security
14:00 - 14:15

Since the conference is just a few days after OWASP Europe 2007 in Milan, and since most of you would not have a chance to be there, I will try to convey the content and spirit of this unique conference to you.

In addition you will hear Yair Amit, who will repeat the presentation he is going to make in OWASP Europe, and Erez Metula will build his lecture on OWASP chief evangelist's presentation about .NET. For my presentation in OWASP Europe, you had to come to the previous OWASP IL Mini Conference.


Pen-Testing at Microsoft: FuzzGuru fuzzing framework
John Neystadt, Lead Program Manager, Microsoft Forefront Edge, Microsoft
14:15 - 15:00

Fuzzing is the main systematic methodology used these days by hackers to find vulnerabilities in web and other applications. Fuzzing can find buffer overrun, denial-of-service and information disclosure vulnerabilities. It should be done for C++, C#/Java, ASP/JP code.

FuzzGuru is a generic network fuzzing development framework developed at the Microsoft Israel Development Center and is a formally recommended best practice for all products developed at Microsoft.

In this talk John will present some fuzzing testing theory, demonstrate the tools and discuss Microsoft fuzzing practices.
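To make the abstract's description of fuzzing concrete, here is an added example (not FuzzGuru and not any Microsoft code) of a minimal mutation-based fuzzer in Python. The target, `parse_record`, is a constructed toy record parser with a deliberate defect: it trusts the declared length field when it indexes the checksum byte. The fuzzer mutates a seed corpus, treats the parser's own validation errors (`ValueError`) as expected, reports any other exception as a finding, and then greedily shrinks the crashing input to a minimal reproducer. The record format, seed values and mutation strategy are all assumptions made for this example.

```python
import random
from typing import Callable, Optional

# Constructed toy target with a deliberate defect, standing in for the kind of
# parser a network fuzzer exercises. Hypothetical format, not FuzzGuru code.
def parse_record(data: bytes) -> dict:
    """Record layout: type(1) | length(1) | payload(length) | checksum(1)."""
    if len(data) < 2:
        raise ValueError("record too short")     # expected, handled error
    rtype, length = data[0], data[1]
    payload = data[2:2 + length]
    checksum = data[2 + length]                  # BUG: trusts declared length -> IndexError
    if (sum(payload) & 0xFF) != checksum:
        raise ValueError("bad checksum")         # expected, handled error
    return {"type": rtype, "payload": payload}

def make_record(rtype: int, payload: bytes) -> bytes:
    """Build a well-formed record to use as a fuzzing seed."""
    return bytes([rtype, len(payload)]) + payload + bytes([sum(payload) & 0xFF])

SEEDS = [make_record(1, b"abc"), make_record(2, b"hello")]   # constructed seed corpus

def mutate(data: bytes, rng: random.Random) -> bytes:
    """Apply one random byte-level mutation (the core of mutation-based fuzzing)."""
    buf = bytearray(data)
    choice = rng.randrange(4)
    if choice == 0 and buf:                      # overwrite one byte
        buf[rng.randrange(len(buf))] = rng.randrange(256)
    elif choice == 1 and buf:                    # flip one bit
        i = rng.randrange(len(buf))
        buf[i] ^= 1 << rng.randrange(8)
    elif choice == 2 and len(buf) > 1:           # delete one byte
        del buf[rng.randrange(len(buf))]
    else:                                        # insert one byte
        buf.insert(rng.randrange(len(buf) + 1), rng.randrange(256))
    return bytes(buf)

def reproduces(target, data: bytes, exc_name: str, expected) -> bool:
    """True if `data` makes `target` raise the same unexpected exception type."""
    try:
        target(data)
    except expected:
        return False
    except Exception as exc:
        return type(exc).__name__ == exc_name
    return False

def fuzz(target: Callable[[bytes], object], seeds, iterations: int = 500,
         seed: int = 1, expected=(ValueError,)) -> Optional[dict]:
    """Mutate seeds and report the first input raising an *unexpected* exception.

    Exceptions listed in `expected` are the parser's own validation errors and
    are not bugs; anything else (IndexError, TypeError, ...) is a finding.
    """
    rng = random.Random(seed)                    # fixed seed: reproducible runs
    for i in range(iterations):
        candidate = mutate(rng.choice(seeds), rng)
        try:
            target(candidate)
        except expected:
            continue
        except Exception as exc:
            return {"iteration": i, "input": candidate,
                    "exception": type(exc).__name__}
    return None

def minimize(target, crash_input: bytes, exc_name: str,
             expected=(ValueError,)) -> bytes:
    """Greedy reducer: drop single bytes while the same exception still reproduces."""
    current = crash_input
    shrunk = True
    while shrunk:
        shrunk = False
        for i in range(len(current)):
            trial = current[:i] + current[i + 1:]
            if reproduces(target, trial, exc_name, expected):
                current, shrunk = trial, True
                break
    return current

if __name__ == "__main__":
    crash = fuzz(parse_record, SEEDS)
    if crash:
        small = minimize(parse_record, crash["input"], crash["exception"])
        print(f"{crash['exception']} after {crash['iteration']} iterations; "
              f"minimal reproducer: {small.hex()}")
```

The split between expected and unexpected exceptions is the part worth copying: a fuzzer that counts every exception as a bug drowns in validation errors, while one that only watches for hard crashes misses logic defects that surface as the wrong exception type. In a native target the equivalent of the `IndexError` here is the out-of-bounds read that a sanitizer or crash monitor would flag.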


Unregister Attacks in SIP
Ronit Halachmi-Bekel, Efi Arazi school of Computer Science at Interdisciplinary Center (IDC) Herzliya
15:00 - 15:40

The presentation discusses research work done at the Efi Arazi school of Computer Science at the Interdisciplinary Center (IDC) Herzliya on the "unregister attack", a new kind of denial-of-service attack on SIP servers. In this attack, the attacker sends a spoofed "unregister" message to a SIP server and cancels the registration of the victim at that server. This prevents the victim user from receiving any calls.

The research also offers a solution: the SIP One-Way Hash Function Algorithm (SOHA), motivated by the one-time password mechanism. SOHA prevents the unregister attack in all situations. The algorithm is easy to deploy since it requires only a minor modification, is fully backwards compatible, and requires no additional configuration from the user or the server.

The paper is a joint work with Dr. Anat Bremler-Barr and Jussi Kangasharju. The paper was presented at the 14th IEEE International Conference on Network Protocols (ICNP).
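The following is an added illustrative model of the problem the abstract describes and of a one-time-password style defence; it is not the SOHA algorithm from the paper, and the message formats, hash function and bootstrap rule are assumptions of this example. A naive registrar removes a binding on any REGISTER carrying `Expires: 0`, so a message that merely names the victim deregisters them. The hardened registrar stores the head of a per-user hash chain (Lamport's scheme) at initial registration, which is assumed to be authenticated by SIP digest as usual, and accepts a later refresh or unregister only if it carries the next preimage; a forger without the seed cannot produce one, and a captured token cannot be replayed because each one is consumed.

```python
import hashlib

def h(x: bytes) -> bytes:
    """One-way function for the chain (SHA-256 here; an assumption of this model)."""
    return hashlib.sha256(x).digest()

class NaiveRegistrar:
    """Registrar that accepts any REGISTER with Expires: 0 as a valid unregister."""
    def __init__(self):
        self.bindings = {}                  # address-of-record -> contact URI

    def handle_register(self, msg: dict) -> str:
        aor = msg["to"]
        if msg["expires"] == 0:
            self.bindings.pop(aor, None)    # anyone naming the victim can do this
        else:
            self.bindings[aor] = msg["contact"]
        return "200 OK"

class ChainRegistrar:
    """Registrar that demands the next preimage of a per-user hash chain
    (Lamport-style one-time password) on every refresh or unregister."""
    def __init__(self):
        self.bindings = {}
        self.anchors = {}                   # aor -> last verified chain value

    def handle_register(self, msg: dict) -> str:
        aor = msg["to"]
        if aor not in self.anchors:
            # Bootstrap: the initial REGISTER is assumed to be authenticated
            # (e.g. SIP digest); the client commits to the chain head h^n(seed).
            self.anchors[aor] = msg["anchor"]
            self.bindings[aor] = msg["contact"]
            return "200 OK"
        token = msg.get("token")
        if token is None or h(token) != self.anchors[aor]:
            return "403 Forbidden"          # spoofed or replayed: no valid preimage
        self.anchors[aor] = token           # consume it; a replay now fails the check
        if msg["expires"] == 0:
            self.bindings.pop(aor, None)
        else:
            self.bindings[aor] = msg["contact"]
        return "200 OK"

class Client:
    """Legitimate user agent holding the chain seed."""
    def __init__(self, aor: str, contact: str, seed: bytes, n: int = 8):
        self.aor, self.contact = aor, contact
        self.chain = [seed]
        for _ in range(n):
            self.chain.append(h(self.chain[-1]))   # chain[i] = h^i(seed)
        self.next_index = n - 1                    # reveal from the top down

    def register(self) -> dict:
        return {"to": self.aor, "contact": self.contact, "expires": 3600,
                "anchor": self.chain[-1]}

    def _token(self) -> bytes:
        token = self.chain[self.next_index]
        self.next_index -= 1
        return token

    def refresh(self) -> dict:
        return {"to": self.aor, "contact": self.contact, "expires": 3600,
                "token": self._token()}

    def unregister(self) -> dict:
        return {"to": self.aor, "contact": self.contact, "expires": 0,
                "token": self._token()}

def spoofed_unregister(victim_aor: str) -> dict:
    """Constructed attacker message: names the victim but carries no valid preimage."""
    return {"to": victim_aor, "contact": "sip:x@attacker.invalid",
            "expires": 0, "token": b"guess"}

def demo() -> dict:
    """Run both registrars against the same spoofed unregister and report outcomes."""
    aor, contact = "sip:alice@example.com", "sip:alice@192.0.2.10"   # constructed
    out = {}
    naive = NaiveRegistrar()
    naive.handle_register({"to": aor, "contact": contact, "expires": 3600})
    naive.handle_register(spoofed_unregister(aor))
    out["naive_binding_after_attack"] = naive.bindings.get(aor)      # None: DoS succeeded

    reg = ChainRegistrar()
    alice = Client(aor, contact, b"constructed-seed")
    reg.handle_register(alice.register())
    out["attack_response"] = reg.handle_register(spoofed_unregister(aor))
    out["binding_after_attack"] = reg.bindings.get(aor)              # still registered
    captured = alice.refresh()
    out["refresh_response"] = reg.handle_register(captured)
    out["replay_response"] = reg.handle_register(captured)           # same token again
    out["unregister_response"] = reg.handle_register(alice.unregister())
    out["binding_after_unregister"] = reg.bindings.get(aor)
    return out

if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The model keeps the backwards-compatibility property the abstract mentions in a weak form: a registrar that ignores the extra `anchor`/`token` fields still processes the messages, and a client that never sends them is simply treated as unauthenticated for refresh and unregister. A real deployment also has to handle chain exhaustion (re-committing a fresh chain head in an authenticated REGISTER) and lost messages, which this toy does not cover.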


Break
15:40 - 16:00


Application Denial of Service; is it Really That Easy?
Shay Chen, Hacktics
16:00 - 16:40

Denial of service attacks, which are quite a nuisance on the network layer, are a nightmare when done on the application layer, but are equally underrated.

At our last conference, Dr. Anat Bremler-Barr discussed some of the theoretical aspects of application layer denial of service attacks. Shay Chen will expand on this and explore the practicalities of application layer denial of service. He will show real world techniques, real life stories and personal experiences conducting DoS attacks during penetration testing on major Israeli sites.


Behavioral Analysis for Generating A Positive Security Model For Applications
Ofer Shezaf, OWASP IL chapter leader, CTO, Breach Security
16:40 - 17:10

In the last OWASP IL conference, as well as in OWASP Europe in Milan, I explored the potential of a negative security model for securing applications. While a negative security model can provide some level of security, most agree that a positive security model is preferable for protecting applications.

However, building a rule set to provide positive security is a difficult and never-ending project. Modern tools employ behavioral analysis to build those rules automatically. The presentation will discuss the algorithms and methods used to build an application layer positive security rule set automatically, as well as the problems and limitations of such an approach.


Overtaking Google Desktop - Leveraging XSS to Raise Havoc
Yair Amit, Senior Security Researcher, Watchfire
17:10 - 17:50

Yair will present a ground-breaking research paper by the Watchfire application security team. The paper describes an innovative attack methodology against Google Desktop which enables a malicious individual to achieve remote, persistent access to sensitive data, and potentially full system control.

This represents a significant real world example of a new generation of computer attacks which take advantage of Web application vulnerabilities, utilizing the increasing power of the Web browser. Their purpose is to remotely access private information.

Yair will give this presentation the week before at OWASP Europe in Milan.


Break
17:50 - 18:00


Application Security is Not Just About Development
David Lewis, CISM, CISA, CISSP, Rosenblum Holtzman
18:00 - 18:20

What many developers forget is that, even though the application is a very important part of securing the "Gold" (the data), there are other risks that require their attention. These risks require their understanding, and preventative measures need to be implemented, managed and validated to limit the exposure of themselves and their organizations. For example, developers do not see the need for securing their code.

One of the things I will provide you during my presentation is why you should secure your code. It is one of the ways you will keep your job.


.NET reverse engineering
Erez Metula, Application Security Department Manager, 2Bsecure
18:20 - 19:20

The presentation will introduce MSIL (Microsoft Intermediate Language) and debugging MSIL. Based on this foundation, the presentation will explore and demonstrate tools and techniques for changing the behavior of .NET assemblies and the CLR using reverse engineering techniques.

6th OWASP IL meeting, January 24th 2007

The 6th OWASP IL meeting was held on January 24th 2007, at 17:15, at Breach Security offices in Herzliya and was sponsored by Breach Security. The meeting was very successful, with nearly 50 people attending.

The agenda of the meeting was:


Source Code Analysis and Application Security - Cheating the Maze

Maty Siman, Founder & CTO, Checkmarx

During the last few years, automatically analyzing source code in order to find security vulnerabilities has become a popular method in the field of Application Security. The presentation will discuss the theory and research of static code analysis and the application of static code analysis to security, compare this method to other application security defense technologies, and demonstrate the use of static code analysis for application security.


Security Implications of .Net 3.0 and the Windows Communication Foundation (WCF)

Emmanuel Cohen-Yashar (Manu), Senior .NET technology consultant, Sela Group

Windows Communication Foundation (WCF) is the new Microsoft communication framework bundled as part of .NET Framework 3.0, the new .NET Windows API succeeding Win32 with the release of Windows Vista. The WCF programming model unifies Web Services, .NET Remoting, Distributed Transactions, and Message Queues into a single service-oriented programming model for distributed computing. The presentation will describe the tenets of SOA (Service Oriented Architecture), introduce WCF and discuss the security implications of this broad new communication paradigm.


Analysis of the Universal XSS PDF vulnerability - Cause, Solutions and Fun Stuff

Ofer Shezaf, CTO, Breach Security, Leader of ModSecurity Core Rule Set open source project

Recently a new vulnerability was discovered in commonly used versions of Adobe Acrobat software. Unlike common XSS attacks that require a specific vulnerability in the attacked web site, in this case the vulnerability in Acrobat is sufficient: no fault is required in the attacked web site, and any site that serves PDF files is vulnerable. Therefore it is called a "universal XSS" vulnerability.

The presentation will describe the vulnerability, the theoretical and practical solutions for the vulnerability as well as some very funny stories about the dynamics of such a high profile vulnerability, or in other words, what happens when you try to get a car mechanic to fix an application security vulnerability.

OWASP IL mini conference at IDC, November 13th 2006

OWASP IL and the Interdisciplinary Center Herzliya (IDC) held a half day conference on application security on Nov 13th 2006. The event marked the establishment of a new academic program on information security in the net era at IDC's Efi Arazi School of Computer Science. More than 90! people attended the conference, enjoyed professional catering and heard no less than 7 presentations.

The meeting was sponsored by Breach Security and Applicure Technologies.


Use the links in the event program to access the presentations themselves:

14:30 – 15:00 Gathering and refreshments (hopefully more elaborate than Pizza this time!)

15:00 – 15:10 Introducing the new information security program at the net era at the Efi Arazi School of Computer Science, IDC Herzliya

Dr. Anat Bremler-Barr, Program Academic Director.


15:10 – 15:40 Sophisticated Denial of Service attacks

Dr. Anat Bremler-Barr, Efi Arazi School of Computer Science, IDC Herzliya

In a denial-of-service attack, the attackers consume the resources of the victim, a server or a network, causing degradation in performance or even total failure of the victim. The basic DDoS attack is simple brute-force flooding, where the attacker sends as much traffic as he can to consume the network resources. In contrast, a sophisticated DDoS attack aims to hurt the weakest point in the victim's applications by sending the specific traffic type that burdens the application the most. In this talk we will cover recent works showing that several common mechanisms are vulnerable to sophisticated DDoS attacks. For example, Crosby and Wallach showed that using less bandwidth than a typical dial-up modem can bring a dedicated Bro server to its knees. We will discuss some basic guidelines on how to design applications to be resilient to sophisticated attacks.


15:40 – 16:00 Malicious content in enterprise portals

Shalom Carmel, a security icon, the world's authority on hacking AS/400 and a BlackHat 2006 speaker

In 2005, enterprise portals ranked in the top 10 of CIO technology focus areas in many surveys. The main drivers of the portal business growth are the horizontal portal suites, which provide content management capabilities, application integration tools, and specific solutions for collaboration and knowledge management. This lecture will address the security problems an enterprise may have due to the various content management abilities in a typical portal implementation, and will focus on cross site scripting attacks.


16:00 – 16:30 Information Warfare against commercial companies – lessons from dealing with hostile internet entities

Ariel Pisetsky, CISO and Infrastructure Manager, NetVision

During the recent war in the north, many information security events were detected in private and government organizations. These events, usually no more than web site defacements, provide an opportunity to examine large-scale hostile activity against web sites affiliated with Israel. Commercial companies with no direct relation to the war found themselves under direct attack, or indirectly affected by attacks on ISPs and the Internet infrastructure in Israel.

In the presentation we will discuss what happened during this summer of war, whether it can be classified as information warfare, and what lessons can be learned going forward.


16:30 – 16:45 Break, coffee, tea & fruits


16:45 – 17:15 Real vs. Virtual Patching

Ravid Lazinski, Technical Manager, Applicure Technologies

The penetration team has found a bug. What's next? In order to prevent exploitation, the application has to be patched.

The presentation will discuss the advantages and disadvantages of the two available solutions: patching the application, or using an external patching solution in a process called "virtual patching".


17:15 – 17:45 "The Core Rule Set": Generic detection of application layer attacks

Ofer Shezaf, CTO, Breach Security, OWASP IL chapter Leader, Director, the Web Application Security Consortium

Web applications are unique, each one having its own vulnerabilities, and therefore a positive security model is usually considered the optimal way to protect them. The ModSecurity open source project has recently released a "core rule set", essentially a set of super signatures that try to provide significant security to custom applications without the effort of defining a positive security model.

The lecture will discuss generic application security signatures and rules, how they differ from network centric signatures and their strengths and limitations when dealing with the OWASP top 10 attacks.
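The two talks on this page that contrast the models, the Core Rule Set talk above (generic negative signatures) and the behavioral-analysis talk at the May 2007 conference (a positive rule set learned from traffic), are both illustrated by the following added example. It is not ModSecurity or Core Rule Set code; the three signature rules, the learning traffic, the test requests and the profile format are constructed for this example. The negative model matches a few patterns against every parameter value; the positive model learns, per path and parameter, the longest value and the set of characters seen during a learning period, then rejects unknown parameters and anything outside the learned envelope. The test requests show one thing each model catches that the other misses, and the false positive that an incomplete learning period produces.

```python
import re
from urllib.parse import parse_qsl, urlsplit

# ---- Negative model: signature rules (constructed illustrations in the spirit
# of a generic rule set; not the actual ModSecurity Core Rule Set rules) ----
NEGATIVE_RULES = [
    ("sql-union", re.compile(r"(?i)\bunion\b.+\bselect\b")),
    ("xss-tag", re.compile(r"(?i)<\s*script")),
    ("path-traversal", re.compile(r"\.\./")),
]

def negative_check(value: str):
    """Return the name of the first signature matching a parameter value, or None."""
    for name, rx in NEGATIVE_RULES:
        if rx.search(value):
            return name
    return None

def split_request(url: str):
    """Path plus decoded (name, value) pairs; '+' and %XX are decoded by parse_qsl."""
    parts = urlsplit(url)
    return parts.path, parse_qsl(parts.query, keep_blank_values=True)

def negative_check_request(url: str):
    _, params = split_request(url)
    for _, value in params:
        hit = negative_check(value)
        if hit:
            return hit
    return None

# ---- Positive model: a per-parameter profile learned from observed traffic ----
class PositiveProfile:
    """Learns, for each (path, parameter), the longest value and the set of
    characters seen during a learning period, then enforces exactly that."""
    def __init__(self):
        self.params = {}            # (path, name) -> {"maxlen": int, "chars": set}

    def learn(self, url: str) -> None:
        path, params = split_request(url)
        for name, value in params:
            p = self.params.setdefault((path, name), {"maxlen": 0, "chars": set()})
            p["maxlen"] = max(p["maxlen"], len(value))
            p["chars"].update(value)

    def check(self, url: str):
        """Return the first profile violation, or None if the request fits."""
        path, params = split_request(url)
        for name, value in params:
            p = self.params.get((path, name))
            if p is None:
                return f"unknown-parameter:{name}"
            if len(value) > p["maxlen"]:
                return f"length:{name}"
            if not set(value) <= p["chars"]:
                return f"charset:{name}"
        return None

# Constructed "learning period" traffic; note it never shows an apostrophe or an
# upper-case letter in `user`, which is exactly where the positive model over-fits.
TRAINING = [
    "/item?id=42", "/item?id=1337",
    "/search?q=laptop", "/search?q=red+shoes", "/search?q=blue+bag",
    "/login?user=alice", "/login?user=bob42", "/login?user=charlotte",
]

# Constructed test requests: a signature hit, a tampering case no signature covers,
# a benign value the learned profile wrongly rejects, an unknown parameter, and a
# clean request.
REQUESTS = [
    "/item?id=42+UNION+SELECT+password+FROM+users",
    "/item?id=99999999999",
    "/login?user=O'Brien",
    "/item?id=7&debug=1",
    "/item?id=1234",
]

def build_profile(training) -> PositiveProfile:
    profile = PositiveProfile()
    for url in training:
        profile.learn(url)
    return profile

def evaluate(requests, profile: PositiveProfile) -> dict:
    """Run every request through both models; None means 'allowed'."""
    return {url: {"negative": negative_check_request(url),
                  "positive": profile.check(url)} for url in requests}

if __name__ == "__main__":
    for url, verdict in evaluate(REQUESTS, build_profile(TRAINING)).items():
        print(f"{url:48} negative={verdict['negative']} positive={verdict['positive']}")
```

The oversized `id` is the case that motivates the positive model: no signature describes it, yet it falls outside everything the application has ever legitimately received. `O'Brien` is the cost: the profile is only as complete as the learning traffic, so production deployments add tolerance (length slack, character classes instead of literal character sets, a learning period long enough to see rare but valid values) and usually keep a negative rule set running alongside.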


17:50 – 18:00 Break


18:00 – 18:30 The OWASP Top Ten Backdoors

Yaniv Simsolo, Application Security Consultant, Comsec Consulting

Just as the OWASP Top Ten outlines the top ten mistakes that developers make in applications, the top ten backdoors discuss the features developed on purpose that do just the same: leave the application vulnerable. Backdoors are more common than developers and system professionals think. Hackers and malicious users can exploit backdoors easily, without leaving any special traces in the system. An SQL interface to an application, providing a lot of flexibility but little security, is a good example of such a backdoor.

The presentation will discuss common backdoors found in web applications and how they relate to the OWASP top 10.


18:30 – 19:15 Hacking The Framework

Nimrod Luria, Head Of Consulting Services, 2Bsecure

Modern development environments such as .Net and J2EE promise enhanced security by relying on framework services rather than on good coding. Using real hacking demos, the presentation will demonstrate the weak points in such frameworks, with .Net as the example.

4th OWASP IL meeting, July 26th 2006

The 4th OWASP IL meeting was held on July 26th 2006 at Breach Security offices with the following presentations:

Exposing cryptography for software developers

Shai Zalalichin, Head of AppSec group, Comsec

Encryption is a very important tool in the application security tool chest, but is also a very complex technology. The presentation will explore common pitfalls & countermeasures that every developer should follow when writing crypto-aware applications.

The presentation was originally given at OWASP Europe conference in May.

Preventing Spoofing, Phishing and Spamming by Secure Usability and Cryptography

Prof. Amir Herzberg, dept. of computer science, Bar-Ilan University, Israel

Spoofing, phishing and spamming are among the worst security problems on the Internet. Amir will present vulnerabilities in the current e-mail and web systems that cause the proliferation of such attacks. Amir will then discuss some recent proposals, made by him as well as others, to improve security against these threats. Some solutions involve secure usability, some use (simple) cryptographic protocols, while others involve both areas.