This site is the archived OWASP Foundation Wiki and is no longer accepting Account Requests.
To view the new OWASP Foundation website, please visit https://owasp.org

Difference between revisions of "OWASP Bucharest AppSec Conference 2018 Agenda Talks"

From OWASP
Jump to: navigation, search
(edit6)
Line 46: Line 46:
 
|-
 
|-
 
| style="width:10%" valign="middle" height="30" bgcolor="#EEEEEE" align="center" colspan="0" | 14:20 - 15:05<br>(45 mins)  
 
| style="width:10%" valign="middle" height="30" bgcolor="#EEEEEE" align="center" colspan="0" | 14:20 - 15:05<br>(45 mins)  
| style="width:25%" valign="middle" height="30" bgcolor="#EEEEEE" align="center" colspan="0" |Tales of Practical Android Penetration Testing (Mobile Pentest Toolkit)
+
| style="width:25%" valign="middle" height="30" bgcolor="#EEEEEE" align="center" colspan="0" | Short A.V Evasion and Fast Incident Response
| style="width:25%" valign="middle" height="30" bgcolor="#EEEEEE" align="center" colspan="0" | [https://www.linkedin.com/in/alexander-subbotin-11290510a Alexander Subbotin]
+
| style="width:25%" valign="middle" height="30" bgcolor="#EEEEEE" align="center" colspan="0" | Lucian Ilca
| style="width:40%" valign="middle" height="30" bgcolor="#EEEEEE" align="justify" colspan="0" | A vast number of open source tools and commercial products has been developed to support the security analysis of mobile apps. It has become a great challenge for a penetration tester to choose suitable or the best tools and the adequate pentest environment/distribution. And even when the test tools have been chosen, the problem remains that most of the tools only offer a CLI interface and that their usage can be very time consuming.
+
| style="width:40%" valign="middle" height="30" bgcolor="#EEEEEE" align="justify" colspan="0" | The field of Anti-Virus Evasion and Fast Incident Response, combined with Malware Analysis comprises the art and science of dissecting malicious software using diverse tools like: FLARE, Cuckoo Sandbox or other forensics tools and response immediatly to any type of incident.  
In order to automatize the setup of the test environment and the common processes during a mobile pentest, the author has developed the "Mobile Pentest Toolkit" (PMT). This toolkit takes over recurring and time consuming tasks for the tester. It has a standardized user interface for the usage of locally installed security tools (and installs them on demand). An example of use is: After the tester has modified the Smali code, the generation of a valid and signed APK file only takes a few moments.  
+
The study and analysis of these tools fall within the general purview of the broad disciplines of Digital Forensics, PSIRT, Cyber Security Operations and general principles of Reverse Engineering.  
Aside from that, this talk illustrates techniques for dynamic analysis and tracking of changes within the app. The goal is to present the Mobile Pentest Toolkit to an interested audience and to publish it as an open source tool. <br>  
+
In this paper, we explore and discuss the current state of anti-virus evasion, malware analysis and fast incident response, .
 +
Based on author research, he conclude that the domain of malware analysis, A.V Evasion and Fast Incident Response has effectively been relegated from the academic realm to the domain of the practitioner's skill set.  
 +
For the final presentation, author will show how you can respond to an incident and how to protect your environment for new attacks. <br>  
 
|-
 
|-
 
| style="width:10%" valign="middle" height="30" bgcolor="#CCEEEE" align="center" colspan="0" | 15:05 - 15:20<br>(15 mins)  
 
| style="width:10%" valign="middle" height="30" bgcolor="#CCEEEE" align="center" colspan="0" | 15:05 - 15:20<br>(15 mins)  
Line 56: Line 58:
 
|-
 
|-
 
| style="width:10%" valign="middle" height="30" bgcolor="#EEEEEE" align="center" colspan="0" | 15:20 - 16:05<br>(45 mins)  
 
| style="width:10%" valign="middle" height="30" bgcolor="#EEEEEE" align="center" colspan="0" | 15:20 - 16:05<br>(45 mins)  
| style="width:25%" valign="middle" height="30" bgcolor="#EEEEEE" align="center" colspan="0" | OWASP Top 10 with .NET Core
+
| style="width:25%" valign="middle" height="30" bgcolor="#EEEEEE" align="center" colspan="0" |  
| style="width:25%" valign="middle" height="30" bgcolor="#EEEEEE" align="center" colspan="0" | [https://ro.linkedin.com/in/ignatandrei Andrei Ignat]
+
| style="width:25%" valign="middle" height="30" bgcolor="#EEEEEE" align="center" colspan="0" |  
| style="width:40%" valign="middle" height="30" bgcolor="#EEEEEE" align="justify" colspan="0" | We will show OWASP Top 10 and how to counter them in .NET Core
+
| style="width:40%" valign="middle" height="30" bgcolor="#EEEEEE" align="justify" colspan="0" |  
 
|-
 
|-
 
| style="width:10%" valign="middle" height="30" bgcolor="#EEEEEE" align="center" colspan="0" | 16:05 - 16:50<br>(45 mins)  
 
| style="width:10%" valign="middle" height="30" bgcolor="#EEEEEE" align="center" colspan="0" | 16:05 - 16:50<br>(45 mins)  
| style="width:25%" valign="middle" height="30" bgcolor="#EEEEEE" align="center" colspan="0" | Short A.V Evasion and Fast Incident Response
+
| style="width:25%" valign="middle" height="30" bgcolor="#EEEEEE" align="center" colspan="0" |  
| style="width:25%" valign="middle" height="30" bgcolor="#EEEEEE" align="center" colspan="0" | Lucian Ilca
+
| style="width:25%" valign="middle" height="30" bgcolor="#EEEEEE" align="center" colspan="0" |  
| style="width:40%" valign="middle" height="30" bgcolor="#EEEEEE" align="justify" colspan="0" | The field of Anti-Virus Evasion and Fast Incident Response, combined with Malware Analysis comprises the art and science of dissecting malicious software using diverse tools like: FLARE, Cuckoo Sandbox or other forensics tools and response immediatly to any type of incident.
+
| style="width:40%" valign="middle" height="30" bgcolor="#EEEEEE" align="justify" colspan="0" |  
The study and analysis of these tools fall within the general purview of the broad disciplines of Digital Forensics, PSIRT, Cyber Security Operations and general principles of Reverse Engineering.
 
In this paper, we explore and discuss the current state of anti-virus evasion, malware analysis and fast incident response, .
 
Based on author research, he conclude that the domain of malware analysis, A.V Evasion and Fast Incident Response has effectively been relegated from the academic realm to the domain of the practitioner's skill set.
 
For the final presentation, author will show how you can respond to an incident and how to protect your environment for new attacks.
 
 
|-
 
|-
 
| style="width:10%" valign="middle" height="30" bgcolor="#CCEEEE" align="center" colspan="0" | 16:50 - 17:00<br>(15 mins)  
 
| style="width:10%" valign="middle" height="30" bgcolor="#CCEEEE" align="center" colspan="0" | 16:50 - 17:00<br>(15 mins)  

Revision as of 12:58, 24 September 2018

Conference agenda, 26th of October

Time Title Speaker Description
9:00 - 9:30
(30 mins) 		Registration and coffee break
9:30 - 9:45
(15 mins) 		Introduction Oana Cornea Introduction to the OWASP Bucharest Event, Schedule for the Day
9:45 - 10:30
(45 mins) 		Browsers - For better or worse ... Renato Rodrigues It is no news that security is under close scrutiny of the public eye. Everyone is on alert for the latest database leak, closely tracking the updates on the business losing millions on a hack or digging deep into the web to find ways to stay protected. In this presentation, we'll tap into the role browsers play from the security practices perspective - regarding defense and browsers as attack platforms. While some of the tricks covered in this presentation will be recognizable for most in the community, others are still kept away from the limelight. Hopefully, in the end, you will be able to take something new for your assessments.
10:45 - 11:30
(45 mins) 		Access control, REST and sessions Johan Peeters There is a lot of confusion surrounding REST, state, sessions, and the implications for access control. Let’s clear this up.

REST services are stateless. In other words, there are no sessions between REST API producers and consumers. Given the difficulties of securing sessions, this is A Good Thing from a security perspective.
Access to REST APIs is incumbent on the presentation of a valid security token. Typically, this is an access token issued by an OAuth authorization server. The authZ server maintains a session with the user agent so that the user does not need to re-authenticate each time a new access token is needed. This is not entirely unproblematic, as will be illustrated through a discussion of logout and the tenuous implementation of silent authentication in client libraries. Conversely, I will argue for leveraging authorization server sessions to raise the consent game to a level where it truly serves the interests of the user.
In summary, while REST APIs are stateless and do not maintain a session, access control architectures *do* rely on sessions trying to provide a good user experience while enforcing authorization policies.

11:45 - 12:30
(45 mins) 		Cookies versus tokens: a paradoxical choice Philippe De Ryck When you’re building Angular applications, you will need to figure out how to manage your user’s sessions. Back in the days, this used to be simple. But now, there are many different options, all with specific advantages and disadvantages. How can you make a sensible choice, and how will that impact the security of your application?

This talk lays it out for you. We dive into the technicalities of cookies, JWT tokens and Authorization headers. You will learn how to assess your past choices, and how to substantiate future decisions.

12:30 - 13:30
(60 mins) 		Lunch/Coffee Break
13:30 - 14:15
(40 mins) 		Women in AppSec Panel

WiA 400x400.jpg

14:20 - 15:05
(45 mins) 		Short A.V Evasion and Fast Incident Response Lucian Ilca The field of Anti-Virus Evasion and Fast Incident Response, combined with Malware Analysis comprises the art and science of dissecting malicious software using diverse tools like: FLARE, Cuckoo Sandbox or other forensics tools and response immediatly to any type of incident.

The study and analysis of these tools fall within the general purview of the broad disciplines of Digital Forensics, PSIRT, Cyber Security Operations and general principles of Reverse Engineering. In this paper, we explore and discuss the current state of anti-virus evasion, malware analysis and fast incident response, . Based on author research, he conclude that the domain of malware analysis, A.V Evasion and Fast Incident Response has effectively been relegated from the academic realm to the domain of the practitioner's skill set. For the final presentation, author will show how you can respond to an incident and how to protect your environment for new attacks.

15:05 - 15:20
(15 mins) 		Coffee break
15:20 - 16:05
(45 mins)
16:05 - 16:50
(45 mins)
16:50 - 17:00
(15 mins) 		Closing ceremony OWASP Bucharest team CTF Prizes
Retrieved from "https://wiki.owasp.org/index.php?title=OWASP_Bucharest_AppSec_Conference_2018_Agenda_Talks&oldid=243667"