This site is the archived OWASP Foundation Wiki and is no longer accepting Account Requests.

Difference between revisions of "Israel"

From OWASP
(OWASP IL mini conference at IDC, November 13th 2006)
(Next Meeting: September 5th, at Watchfire, Herzeliya)
{{Chapter Template|chaptername=Israel|extra=The chapter leader is [mailto:[email protected] Ofer Shezaf]|mailinglistsite=http://lists.owasp.org/mailman/listinfo/owasp-israel|emailarchives=http://lists.owasp.org/pipermail/owasp-israel}}
Text of the previous revision that this edit replaced (the text added by the edit is that of the revision shown below):

== Next Meeting: September 5th, at Watchfire, Herzeliya ==

'''Save the day! 5/9, 17:00'''

[[Image:OWASP_IL_Sponsor_Watchfire.jpg‎|right]]The next meeting of OWASP Israel will be held on September 5th at 17:00. This time Watchfire will host and sponsor the meeting. But don't rush to bring a map: it is the building adjacent to Breach in Herzeliya. Thanks to Ory Segal from Watchfire for organizing that.

The event will be part of the global security week (September 3rd-9th: http://www.globalsecurityweek.com/). In this OWASP holds mini conference and chapter meetings around the world and so will we.

'''Call for presenters'''

If you would like to present in the meeting, please send me (ofers@breach.com) details of the presentation.

Revision as of 14:31, 20 August 2007

OWASP Israel

Welcome to the Israel chapter homepage. The chapter leader is Ofer Shezaf


Participation

OWASP Foundation (Overview Slides) is a professional association of global members and is open to anyone interested in learning more about software security. Local chapters are run independently and guided by the Chapter_Leader_Handbook. As a 501(c)(3) non-profit professional association your support and sponsorship of any meeting venue and/or refreshments is tax-deductible. Financial contributions should only be made online using the authorized online chapter donation button. To be a SPEAKER at ANY OWASP Chapter in the world simply review the speaker agreement and then contact the local chapter leader with details of what OWASP PROJECT, independent research or related software security topic you would like to present on.

Sponsorship/Membership

Donate to this chapter or become a local chapter supporter. Or consider the value of Individual, Corporate, or Academic Supporter membership. Ready to become a member? Join Now


At Watchfire, Herzliya, Wednesday, September 5th 2007, 17:00

[Image: OWASP IL Global Security Week logo]
The next meeting of OWASP IL, the Israeli chapter of OWASP, will be held at the Watchfire offices in Herzliya on Wednesday, September 5th at 17:00. Watchfire will also sponsor the meeting. The meeting is part of OWASP Day, a worldwide series of one-day OWASP conferences on Privacy in the 21st Century, which is in turn OWASP's contribution to the Global Security Week.

Directions to the Watchfire office are given in the map. Parking lots that charge a flat, reasonable fee are marked on the map.

The agenda of the meeting is:


16:45 – 17:00 Gathering and refreshments


17:00 – 17:15 OWASP Updates


17:15 – 18:00 Straight from Blackhat: Dangling Pointers

Jonathan Afek, Senior Security Researcher, Watchfire

Jonathan will bring us his acclaimed Blackhat presentation. Dangling pointers are a common programming error, but even OWASP experts assumed, until now, that exploiting this vulnerability can lead only to crashes and therefore only to denial of service attacks (see the OWASP vulnerability guide). The research team at Watchfire proved that dangling pointers can be exploited to take control of a vulnerable system, elevating the severity of dangling pointers.

The presentation will explain the vulnerability and demonstrate a real exploit of the vulnerability using IIS as an example.
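From the defender's side, the class of bug the talk is about is a reference that outlives the object it points to, so that a later allocation reusing the same memory is silently read or written through the stale reference. The block below is an added example, not the presenter's code or Watchfire's research: it shows one common mitigation pattern, a handle table whose entries carry a generation counter, so that every outstanding handle to a freed slot is refused instead of being resolved to whatever now occupies the memory. All names (`obj_alloc`, `obj_get`, `obj_free`, the two scenario functions) are constructed for this illustration.

```c
/* Added example (not from the talk): generation-tagged handles as a
 * defence against dangling references. Freeing a slot bumps its
 * generation, so stale handles fail the lookup instead of aliasing
 * whatever object reuses the slot. */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define SLOTS 4

typedef struct { void *ptr; uint32_t gen; int live; } slot_t;
typedef struct { uint32_t index; uint32_t gen; } handle_t;

static slot_t table[SLOTS];

/* Allocate n zeroed bytes and hand back an (index, generation) handle. */
handle_t obj_alloc(size_t n) {
    for (uint32_t i = 0; i < SLOTS; i++) {
        if (!table[i].live) {
            void *p = calloc(1, n);
            if (p == NULL) break;
            table[i].ptr = p;
            table[i].live = 1;
            return (handle_t){ i, table[i].gen };
        }
    }
    return (handle_t){ UINT32_MAX, 0 };   /* invalid handle: table full or OOM */
}

/* Resolve a handle; NULL if the slot is free or belongs to a newer object. */
void *obj_get(handle_t h) {
    if (h.index >= SLOTS) return NULL;
    slot_t *s = &table[h.index];
    if (!s->live || s->gen != h.gen) return NULL;
    return s->ptr;
}

/* Free through a handle; returns 1 on success, 0 if the handle is stale. */
int obj_free(handle_t h) {
    if (obj_get(h) == NULL) return 0;
    slot_t *s = &table[h.index];
    free(s->ptr);
    s->ptr = NULL;
    s->live = 0;
    s->gen++;            /* invalidates every outstanding handle to this slot */
    return 1;
}

/* Scenario 1: a second reference (alias) outlives the free and the slot
 * is reused by a new object. With raw pointers the alias would now read
 * the new object's bytes; here the lookup is refused. Returns 1 if refused. */
int stale_alias_is_refused(void) {
    handle_t a = obj_alloc(32);
    handle_t alias = a;                      /* second reference, same object */
    strcpy((char *)obj_get(a), "session");
    obj_free(a);
    handle_t b = obj_alloc(32);              /* reuses the freed slot */
    strcpy((char *)obj_get(b), "new-owner");
    int refused = (obj_get(alias) == NULL);
    obj_free(b);
    return refused;
}

/* Scenario 2: freeing twice through the same handle. Returns 1 if the
 * second free is refused rather than reaching free() again. */
int double_free_is_refused(void) {
    handle_t a = obj_alloc(16);
    obj_free(a);
    return obj_free(a) == 0;
}

int main(void) {
    printf("stale alias refused: %d\n", stale_alias_is_refused());
    printf("double free refused: %d\n", double_free_is_refused());
    return 0;
}
```

The generation check is what turns a silent aliasing bug into a detectable, benign failure; a real allocator hardening (or a language with ownership tracking) generalises the same idea, but the table above is enough to show why "only a crash" is not the right mental model for this bug class.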


18:00 – 18:15 Break


18:15 – 19:00 Evasive Crimeware attacks, Business drivers, and Proposed Defense

Iftach Amit, Director Security Research, Finjan

Any web based attack requires a business model in order to spread. As the director of research for Finjan, Iftach monitors the highly successful web attacks focusing on client abuse and malware installation and the community that creates them. In the presentation Iftach will share with us his research findings.

The presentation will cover the business drivers of client side attack vectors, explore recent examples of such attacks with an eye-opening review of the attacker community and its operation methods, and conclude with a technical discussion of the cat and mouse game between cutting edge solutions and ever advancing attack vectors.


19:00 – 19:30 Content Injection as a solution for client side browser vulnerabilities

Ofer Shezaf, OWASP IL Leader; CTO, Breach Security

As we have seen in Iftach's presentation, clients are not very secure. While we, as web site owners, may not be directly responsible, this situation is just as much a problem for us: the law might hold us responsible, and a compromised yet potentially trusted client may pose a risk to our web site. Good examples of problems that blur the line between client and server are the Universal PDF XSS and Cross Site Request Forgery.

Content Injection is a method proposed by Ivan Ristic, the creator of ModSecurity, to enable a Web Application Firewall to protect against this family of problems. The presentation will explain this novel method and build on it to offer some practical recipes for protection against client side problems.
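To make the method concrete: a WAF sitting in front of the application can alter the HTML it returns, so that a protective script or marker reaches every page without changing application code. The configuration below is an added illustration, not material from the talk or from the ModSecurity project; it uses the ModSecurity 2.x for Apache `SecContentInjection` directive and the `append` action as documented for that version. The script path `/csrf-guard.js`, the rule id, and the assumption that the appended script adds anti-CSRF tokens to forms on the client side are all placeholders constructed for this example.

```apache
# Added illustration (not from the talk): ModSecurity 2.x for Apache,
# enabling response-body content injection and appending a script tag
# to every HTML response. The script path and rule id are placeholders.
<IfModule security2_module>
    SecRuleEngine On
    SecContentInjection On

    # Phase 3 runs on response headers; only HTML responses are touched,
    # so images, downloads and API responses pass through unchanged.
    SecRule RESPONSE_CONTENT_TYPE "^text/html" \
        "phase:3,id:900100,nolog,pass,append:'<script src=\"/csrf-guard.js\"></script>'"
</IfModule>
```

The point of the pattern is that the protection is applied at the gateway, where the site owner has control, rather than relying on the browser or the application being fixed first; what the injected script does (token insertion, frame-busting, content-type checks) is where the "practical recipes" come in.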

2nd OWASP IL mini conference at the Interdisciplinary Center (IDC) Herzliya, May 21st 2007

The 2nd OWASP IL mini conference was held at the Interdisciplinary Center (IDC) Herzliya on May 21st 2007. The event was a huge success, with over 150 people attending and 8 companies and organizations sponsoring the event. The feedback for the carefully selected presentations, all of them relevant, informative and, most importantly, non-commercial, was great.

Conference program and presentations download

Pictures from the conference

The meeting was sponsored by Breach Security, Checkpoint, Hacktics, Microsoft, Zend, 2Bsecure, F5 Networks and the Efi Arazi school of Computer Science at the Interdisciplinary Center (IDC) Herzliya.

6th OWASP IL meeting, January 24th 2007

The 6th OWASP IL meeting was held on January 24th 2007, at 17:15, at the Breach Security offices in Herzliya and was sponsored by Breach Security. The meeting was very successful, with nearly 50 people attending.

The agenda of the meeting was:


Source Code Analysis and Application Security - Cheating the Maze

Maty Siman, Founder & CTO, Checkmarx

During the last few years, automatically analyzing source code in order to find security vulnerabilities has become a popular method in the field of Application Security. The presentation will discuss the theory and research of static code analysis and its application to security, compare this method to other application security defense technologies, and demonstrate the use of static code analysis for application security.


Security Implications of .Net 3.0 and the Windows Communication Foundation (WCF)

Emmanuel Cohen-Yashar (Manu), Senior .NET technology consultant, Sela Group

Windows Communication Foundation (WCF) is the new Microsoft communication framework bundled as part of .NET Framework 3.0, the new .NET Windows API succeeding Win32 with the release of Windows Vista. The WCF programming model unifies Web Services, .NET Remoting, Distributed Transactions, and Message Queues into a single service-oriented programming model for distributed computing. The presentation will describe the tenets of SOA (Service Oriented Architecture), introduce WCF and discuss the security implications of this broad new communication paradigm.


Analysis of the Universal XSS PDF vulnerability - Cause, Solutions and Fun Stuff

Ofer Shezaf, CTO, Breach Security, Leader of ModSecurity Core Rule Set open source project

Recently a new vulnerability was discovered in commonly used versions of Adobe Acrobat software. Unlike common XSS attacks, which require a specific vulnerability in the attacked web site, in this case the vulnerability in Acrobat is sufficient: no fault is required in the attacked web site, and any site that serves PDF files is vulnerable. It is therefore called the "universal XSS" vulnerability.

The presentation will describe the vulnerability, the theoretical and practical solutions for the vulnerability as well as some very funny stories about the dynamics of such a high profile vulnerability, or in other words, what happens when you try to get a car mechanic to fix an application security vulnerability.

OWASP IL mini conference at IDC, November 13th 2006

OWASP IL and the Interdisciplinary Center Herzliya (IDC) held a half day conference on application security on Nov 13th 2006. The event marked the establishment of a new academic program on information security in the net era at IDC's Efi Arazi School of Computer Science. More than 90 people attended the conference, enjoyed professional catering and heard no less than 7 presentations.
[Image: OWASP IL IDC conference]

Conference program and presentations download

The meeting was sponsored by Breach Security and Applicure Technologies.


4th OWASP IL meeting, July 26th 2006

The 4th OWASP IL meeting was held on July 26th 2006 at Breach Security offices with the following presentations:

Exposing cryptography for software developers

Shai Zalalichin, Head of AppSec group, Comsec

Encryption is a very important tool in the application security tool chest, but is also a very complex technology. The presentation will explore common pitfalls & countermeasures that every developer should follow when writing crypto-aware applications.

The presentation was originally given at OWASP Europe conference in May.

Preventing Spoofing, Phishing and Spamming by Secure Usability and Cryptography

Prof. Amir Herzberg, dept. of computer science, Bar-Ilan University, Israel

Spoofing, phishing and spamming are among the worst security problems on the Internet. Amir will present vulnerabilities in the current email and web systems that cause the proliferation of such attacks. Amir will then discuss some recent proposals, made by him as well as others, to improve security against these threats. Some solutions involve secure usability, some use (simple) cryptographic protocols, while others involve both areas.