This site is the archived OWASP Foundation Wiki and is no longer accepting Account Requests.
To view the new OWASP Foundation website, please visit https://owasp.org

OWASP Bucharest AppSec Conference 2018 Talks

Revision note (edit 6): this revision linked the published slide decks from the agenda table. Slides and speaker profiles as linked in the table:

Tales of Practical Android Penetration Testing (Mobile Pentest Toolkit), Alexander Subbotin (https://www.linkedin.com/in/alexander-subbotin-11290510a)
Slides: https://www.owasp.org/images/4/4b/OWASP-Tales-of-practical-penetration-testing.pdf

Breaking the Apple iOS Sandbox, Razvan Deaconescu (https://ro.linkedin.com/in/razvandeaconescu)
Slides: https://www.owasp.org/images/6/65/OWASP_Bucharest_AppSec_2018_-_Breaking_the_iOS_Sandbox_-_Razvan_Deaconescu.pdf

Evading your protection and exfiltrate data, Cosmin Alexandru Radu (https://www.linkedin.com/in/cosminradu13)
Slides: https://www.owasp.org/images/f/fe/OWASP_Cosmin_Radu_2018.pptx

AWS VMS, Gabriel Pilat (https://ro.linkedin.com/in/gabriel-pilat-3053229b)
Slides: https://www.owasp.org/images/7/77/OWASP_Gabriel_Pilat_talk.pptx

DevSecOps Use Case: Automate Early… But Securely, Serban Bejan
Slides: https://www.owasp.org/images/8/82/OWASP-SB.pptx
Latest revision as of 16:52, 28 October 2018

Conference agenda, 26 October 2018

Time | Title | Speaker (the description follows each entry)

8:30 - 9:00 (30 mins) | Registration and coffee break

9:00 - 9:15 (15 mins) | Introduction | Oana Cornea
Introduction to the OWASP Bucharest event and the schedule for the day.

9:15 - 9:45 (30 mins) | It's a World of SecDevOps @ OWASP | Daniel Barbu
SecDevOps comes with a built-in security mindset and ideally adopts the proven practices already in use by embedded SRE teams. Day-to-day activities for this role contribute not only to the achievement of operational and development goals but also to keeping high levels of confidentiality, integrity and availability. While improving the security posture, the processes become easier to audit and compliance controls are better assessed. With product teams engaging with security as early as possible, as opposed to at the end of the project, the focus shifts from a reactive approach to a proactive one, integrating defensive practices throughout the lifecycle. Consequently, the systems' predictability and the understanding of the infrastructure behavior increase. When possible, open security issues should be tracked in the same work-tracking system that Development and Operations are using, ensuring visibility and prioritization against all other work. Infosec being embedded within the product teams enables informed decisions by gaining business context.

9:45 - 10:30 (45 mins) | Tales of Practical Android Penetration Testing (Mobile Pentest Toolkit) | Alexander Subbotin
A vast number of open source tools and commercial products have been developed to support the security analysis of mobile apps. It has become a great challenge for a penetration tester to choose suitable or the best tools and an adequate pentest environment/distribution. And even when the test tools have been chosen, the problem remains that most of the tools only offer a CLI interface and that their usage can be very time consuming.

In order to automate the setup of the test environment and the common processes during a mobile pentest, the author has developed the "Mobile Pentest Toolkit" (PMT). This toolkit takes over recurring and time-consuming tasks for the tester. It has a standardized user interface for the usage of locally installed security tools (and installs them on demand). An example of use: after the tester has modified the Smali code, the generation of a valid and signed APK file only takes a few moments. Aside from that, this talk illustrates techniques for dynamic analysis and tracking of changes within the app. The goal is to present the Mobile Pentest Toolkit to an interested audience and to publish it as an open source tool.
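
The rebuild-and-sign loop the abstract describes (edit the Smali, get back a valid, signed APK) done by hand, as an added example. This is not code from the Mobile Pentest Toolkit or from the speaker; it assumes apktool, zipalign and apksigner (Android SDK build-tools), keytool (JDK) and adb are on PATH, and the keystore name, key alias and password are placeholders.

```shell
#!/bin/sh
# Added example, not the toolkit's code: manual decode -> edit -> rebuild ->
# align -> sign -> verify loop for an Android pentest. Tool names are the
# standard SDK ones; keystore/alias/password below are placeholders.
set -eu

# Map app.apk -> app-signed.apk so the original stays untouched for diffing.
signed_name() {
    base="${1%.apk}"
    printf '%s-signed.apk\n' "$base"
}

# Fail early with a clear message instead of dying halfway through a rebuild.
require_tools() {
    for t in "$@"; do
        command -v "$t" >/dev/null 2>&1 || { echo "missing tool: $t" >&2; return 1; }
    done
}

# Decode the APK into Smali and resources the tester can edit.
decode_apk() {           # decode_apk app.apk workdir
    apktool d -f "$1" -o "$2"
}

# One-off self-signed test key; any key works for sideloading a modified build.
make_test_key() {        # make_test_key keystore.jks alias password
    [ -f "$1" ] && return 0
    keytool -genkeypair -keystore "$1" -alias "$2" -storepass "$3" -keypass "$3" \
        -keyalg RSA -keysize 2048 -validity 3650 -dname "CN=pentest, O=lab"
}

# Rebuild the edited tree, align, then sign. Order matters: zipalign must run
# before apksigner, because the APK Signature Scheme v2 block covers the whole
# file and re-aligning afterwards would invalidate the signature.
rebuild_and_sign() {     # rebuild_and_sign workdir out.apk keystore.jks alias password
    workdir="$1"; out="$2"; ks="$3"; keyalias="$4"; pass="$5"
    tmp="${out%.apk}-unaligned.apk"
    apktool b "$workdir" -o "$tmp"
    zipalign -p -f 4 "$tmp" "$out"
    apksigner sign --ks "$ks" --ks-key-alias "$keyalias" --ks-pass "pass:$pass" "$out"
    rm -f "$tmp"
    # Confirm the result installs: prints the signing cert so you can see it is yours.
    apksigner verify --verbose --print-certs "$out"
}

main() {                 # main target.apk [workdir]
    require_tools apktool zipalign apksigner keytool adb
    src="$1"; work="${2:-work}"
    decode_apk "$src" "$work"
    echo "edit $work/smali/... now, then press Enter"; read -r _
    make_test_key pentest.jks pentest changeit
    rebuild_and_sign "$work" "$(signed_name "$src")" pentest.jks pentest changeit
    adb install -r "$(signed_name "$src")"
}

# Only run the interactive loop when invoked with a target; sourcing is side-effect free.
if [ $# -gt 0 ]; then main "$@"; fi
```

Run it as `sh rebuild.sh target.apk`. The rebuilt app carries your test key rather than the vendor's, so it will not install over the original until that is uninstalled, and any in-app signature or integrity check will trip; seeing where it trips is itself useful during the dynamic-analysis phase the abstract mentions.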

10:45 - 11:30 (45 mins) | Breaking the Apple iOS Sandbox | Razvan Deaconescu
Apple iOS uses sandboxing to confine apps to certain calls they can make to services and the kernel. Each app is attached to a sandbox profile: a set of rules that allow or deny actions. All third-party apps (i.e. those downloaded from the App Store) use the same sandbox profile (container). Sandbox profiles are stored as binary blobs in the iOS kernel.

In this talk, I will highlight the way iOS sandboxing works and the steps we undertook to reverse the binary blobs. We then analyzed the reversed, human-readable sandbox profiles and found misconfigurations in the profiles that allowed crippling the system from a valid app. We let Apple know of our findings, now published as CVEs.

11:45 - 12:30 (45 mins) | Evading your protection and exfiltrate data | Cosmin Alexandru Radu
This presentation is meant to be an introduction to a number of exfiltration techniques that are out there, used by malicious attackers. It should give developers a view into the attacker's toolset and show how they can counteract the issues attackers use to get data out of their applications, or how system administrators can guard their network against egress data leakage.

12:30 - 13:30 (60 mins) | Lunch/Coffee Break

13:30 - 14:15 (45 mins) | OWASP Top 10 with .NET Core | Andrei Ignat
We will show the OWASP Top 10 and how to counter them in .NET Core.

14:20 - 15:05 (45 mins) | AWS VMS | Gabriel Pilat
This presentation looks at how Vulnerability Management is generally performed (scanning, asset management, reporting, TI, etc.), how it can be performed in the Amazon cloud (deploy scanners, use the integrated scanner, etc.), the possibilities of automation Amazon offers and ways to integrate it with third-party tools such as Qualys. Also covered: general AWS architecture, security services and benefits, inherited security flaws, and issues and limitations encountered.
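
An added example of the loop the abstract outlines (asset inventory, integrated scanner, reporting, automation) with the aws CLI; this is not the speaker's code or an Amazon sample. It assumes configured credentials allowed to call ec2:DescribeInstances, inspector:ListFindings and inspector:DescribeFindings, takes the "integrated scanner" to be the 2018-era Amazon Inspector (an assumption), and the region, assessment-run ARN and severity threshold are placeholders passed on the command line.

```shell
#!/bin/sh
# Added example, not from the talk: inventory EC2 assets, pull the integrated
# scanner's (Amazon Inspector, assumed) findings, summarize by severity and
# gate on a threshold. Region / assessment-run ARN / threshold are arguments.
set -eu

# Asset management: every instance, its state and its Name tag. Untagged hosts
# print "None", which is itself a finding: unowned hosts never get scanned.
inventory() {            # inventory <region>
    aws ec2 describe-instances --region "$1" --output text \
        --query 'Reservations[].Instances[].[InstanceId,State.Name,Tags[?Key==`Name`]|[0].Value]'
}

# Scanning: findings of one Inspector assessment run as "severity<TAB>title".
# DescribeFindings takes at most 10 ARNs per call, hence xargs -n 10.
findings() {             # findings <region> <assessment-run-arn>
    arns=$(aws inspector list-findings --region "$1" --assessment-run-arns "$2" \
        --output text --query 'findingArns[]')
    [ -n "$arns" ] || return 0
    # $arns is deliberately unquoted: one shell word per ARN.
    echo $arns | xargs -n 10 aws inspector describe-findings --region "$1" \
        --output text --query 'findings[].[severity,title]' --finding-arns
}

# Reporting: count findings per severity from "severity<TAB>title" lines on stdin.
summarize() {
    awk -F '\t' 'NF { n[$1]++ } END { for (s in n) print s, n[s] }' | LC_ALL=C sort
}

# Automation hook: exit 1 when any finding at or above the given severity exists,
# so the script can sit in a pipeline or a scheduled job and fail loudly.
gate() {                 # gate <High|Medium|Low|Informational> < findings
    want="$1"
    awk -F '\t' -v want="$want" '
        BEGIN { rank["Informational"]=0; rank["Low"]=1; rank["Medium"]=2; rank["High"]=3; bad=0 }
        NF && rank[$1] >= rank[want] { bad++ }
        END { if (bad > 0) exit 1; exit 0 }'
}

main() {                 # main <region> <assessment-run-arn> [min-severity]
    region="$1"; run="$2"; min="${3:-High}"
    echo "== assets"; inventory "$region"
    echo "== findings by severity"
    findings "$region" "$run" > findings.tsv
    summarize < findings.tsv
    gate "$min" < findings.tsv || { echo "findings at or above $min: blocking" >&2; exit 1; }
}

if [ $# -gt 0 ]; then main "$@"; fi
```

The inventory and the findings are kept as separate steps on purpose: joining them is where most of the third-party integration work the abstract mentions happens, since a scanner only knows about hosts that run its agent, and the asset list is what tells you which hosts it is silently missing.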
15:05 - 15:20 (15 mins) | Coffee break

15:20 - 16:05 (45 mins) | Protecting company information for GDPR compliance. A software architect's perspective. | Ovidiu Ariton
For years cybersecurity has been approached at the network level and at the endpoint level. Best practices are good, but sometimes user behavior makes the difference between a compromised system and a safe one. Most of the time they don't understand if something went wrong. What if they knew?

The solution that I am going to present brings the tools available in a SOC to the user level, at the endpoint. It combines some of the best practices in security (like backup and DLP) with SOAR solutions and LRA in order to prevent loss of data and ensure rapid automated reaction to cybersecurity incidents.

16:05 - 16:50 (45 mins) | DevSecOps Use Case: Automate Early… But Securely | Serban Bejan
In today's increasingly digitalized world, the need for security in DevOps is met by a new concept, called DevSecOps. Aimed at creating and including modern security practices that can be incorporated into the fast and agile world of DevOps, DevSecOps is, in fact, an extension of DevOps' main goal.

In our use case we studied the possible benefits and challenges of integrating SAST and DAST tools into the existing toolchain (application lifecycle manager, IDE, source code management tool and continuous integration pipeline) for developing, deploying and testing a Java web application.
Implementing DevSecOps brings a lot of value to organizations, but it also comes with some challenges, like integrating more agile security methods and properly training users to use these advanced tools. Last but not least, we also need to take into consideration that any security functionality not automated in the available tools will create friction in the cycle.

16:50 - 17:00 (10 mins) | Closing ceremony | OWASP Bucharest team
CTF prizes.