The date for the release of slides and videos has not been determined.
Please visit the event site for further information.
Thanks.


Sunday, May 26
 

8:00am

Registration
Sunday May 26, 2019 8:00am - 5:00pm
Foyer

9:00am

Advanced Web Hacking
This class teaches attendees a wealth of hacking techniques to compromise modern-day web applications, APIs and associated endpoints. It focuses on specific areas of appsec and on advanced vulnerability identification and exploitation techniques. Attendees learn and practice some neat, new and ridiculous hacks which affected real-life products and have been mentioned in real bug-bounty programs. The vulnerabilities selected for the class either typically go undetected by modern scanners or have exploitation techniques that are not so well known.
Attendees will also benefit from a state-of-the-art Hacklab, and we will be providing FREE 30 days of lab access after the class to allow attendees more practice time. Some of the highlights of the class include:


  • Modern JWT, SAML, OAuth bugs
  • Core business logic issues
  • Practical cryptographic flaws.
  • RCE via Serialisation, Object, OGNL and template injection.
  • Exploitation over DNS channels
  • Advanced SSRF, HPP, XXE and SQLi topics.
  • Serverless exploits
  • Web Caching issues
  • Attack chaining and real life examples.

OVERVIEW
Much like our popular Advanced Infrastructure Hacking class, this class covers a wealth of hacking techniques to compromise web applications, APIs, cloud components and other associated endpoints. It focuses on specific areas of appsec and on advanced vulnerability identification and exploitation techniques (especially server-side flaws). Attendees practice some neat, new and ridiculous hacks which affected real-life products and have been mentioned in real bug-bounty programs. The vulnerabilities selected for the class either typically go undetected by modern scanners or have exploitation techniques that are not so well known.
Note: Attendees will also benefit from a state-of-the-art Hacklab, and we will be providing free 30 days of lab access after the class to allow attendees more practice time.

The following is the course outline:
  • Authentication Attacks
    • Logical Bypass / Boundary Conditions
    • Token Hijacking attacks
  • Attacking SSO
    • SAML / OAuth 2.0 / JWT Attacks
    • SAML Authentication and Authorization Bypass
  • Advanced XXE Attacks
    • XXE through SAML
    • XXE in file parsing
    • XXE Exploitation over OOB channels
  • Complex Password Reset Attacks
    • Cookie Swap
    • Host Header Validation Bypass
    • Case study of popular password reset fails.
  • Breaking Crypto
    • Known Plaintext Attack (Faulty Password Reset)
    • Path Traversal using Padding Oracle
    • Hash length extension attacks
  • Complex Business Logic Flaws / Authorization flaws
    • Mass Assignment bugs
    • Invite/Promo Code Bypass
    • Replay Attack
    • API Authorization Bypass
  • Server Side Request Forgery (SSRF)
    • SSRF to call internal files
    • SSRF to query internal network
  • SQL Injection Masterclass
    • 2nd Order Injection
    • Out-of-Band exploitation
    • SQLi through crypto
    • OS code exec via PowerShell
    • Advanced topics in SQLi
  • Remote Code Execution (RCE)
    • Java Serialisation Attack
    • Node.js RCE
    • PHP object injection
    • Ruby/ERB template injection
    • Exploiting code injection over OOB channel
  • Cloud Attacks
    • Google dorking in the Cloud era
    • Serverless Exploitation
    • PaaS Exploitation
  • Tricky File Uploads
    • Malicious File Extensions
    • Circumventing File validation checks
  • Miscellaneous Topics
    • HTTP Parameter Pollution (HPP)
    • A Collection of weird and wonderful XSS and CSRF attacks.
  • Attack Chaining
    • Combining client-side and/or server-side attacks to steal internal secrets
  • B33r 101

Note: This is a fast paced version of the 4 day class, cut down to 3 days. Some of the exercises have been replaced by demos which will be shown by the instructor. Students will receive FREE 1 month lab access to practice each exercise after the class.

WHO SHOULD TAKE THIS COURSE
Web developers, SOC analysts, intermediate-level penetration testers, DevOps engineers, network engineers, security architects, security enthusiasts and anyone who wants to take their skills to the next level.

STUDENT REQUIREMENTS
Students must bring their own laptop and have admin/root access on it. The laptop must have virtualization software (VirtualBox / VMware) pre-installed. A customized version of Kali Linux (OVA format) containing custom tools, scripts and VPN scripts for the class will be provided to the students. The laptop should have at least 4 GB RAM and 20 GB of free disk space dedicated to the VM.

WHAT STUDENTS SHOULD BRING
See Student Requirements above.

WHAT STUDENTS WILL BE PROVIDED WITH
Access to a hacking lab not just during the course but for 30 days after the class too. This gives them plenty of time to practice the concepts taught in the class. Numerous scripts and tools will also be provided during the training, along with student handouts.

TRAINERS
Dhruv Shah is an information security professional working as a Principal Security Consultant at NotSoSecure. He has over 7 years of experience in application, mobile and network security. He has co-authored the book 'Kali Linux Intrusion and Exploitation' by Packtpub. His work can be found on security-geek.in. He is also a trainer of NotSoSecure's much acclaimed advanced web hacking class and has been a trainer at several leading public conferences such as Black Hat USA and Europe. He has provided security training to various clients in the UK, EU and USA via corporate trainings.
Sunil works as Head of Research for NotSoSecure, a Claranet group company. He has 10 years of experience in application security. He has also been a trainer for the Web Hacking - Black Belt Edition and Basic Web Hacking courses at Black Hat and other leading conferences. He has provided security training to various clients in UK, EU and USA via corporate trainings. Sunil has won credits and accolades from several organizations like Microsoft, LinkedIn, Yahoo, Nokia, PayPal, Apache and Oracle for identifying and reporting security vulnerabilities in their products.

Speakers
Sunil Yadav
Associate Director, NotSoSecure Global Services
Dhruv Shah
Principal Security Consultant, NotSoSecure


Sunday May 26, 2019 9:00am - Tuesday May 28, 2019 5:00pm
Gallery (lobby level)

9:00am

DevSecOps MasterClass
"A phased approach to continuous delivery is not only preferable, but it’s also infinitely more manageable." This quote by Maurice Kherlakian refers to DevOps, a movement that has seeped into organizations across the globe, resulting in continuous delivery of apps. However, security remains a serious bottleneck for DevOps. Organizations struggle with including security in continuous delivery processes. This training is a comprehensive, focused and practical approach to implementing security for your Continuous Delivery Pipeline. The training is backed by a ton of hands-on labs, original research and real-world implementations of DevSecOps that work. The training starts with Application Security Automation for SAST, DAST, SCA, IAST, and RASP, apart from Vulnerability Management and Correlation. Finally, the training closes with a deep-dive into Container Security and Kubernetes, with detailed perspectives on implementing scalable security for these deployments.

* Battle-tested Application Security Automation Techniques + Practical Security Pipelines, with both conventional and unconventional techniques like leveraging AWS Lambda and Fargate
* Comprehensive Container Security coverage including Kubernetes Security, which is critical, as organizations typically need to use Container Orchestration and security is a key aspect of orchestrating containers.
The trainer will provide the attendee with:
* Slides for all the material covered in the class
* Access to we45 Cloud Labs through the length of the class
* Access to detailed instructions through and after the class
* All the vulnerable apps, code from the class that the trainee will need for continuing education after the class
* VM with the tools for the class

Attendees should Bring:
* Laptops with VMware (VirtualBox is not preferred)
* Ability to connect to WiFi and access Cloud labs over SSH and/or HTTPS
* Laptops should be reasonably powerful, with at least 8GB of host memory and 50GB of HDD storage
* BurpSuite Pro license for Burp Labs


Speakers
Abhay Bhargav
CEO, we45
Abhay Bhargav is the Founder of we45, a focused Application Security Company. Abhay is a builder and breaker of applications. He is the Chief Architect of “Orchestron", a leading Application Vulnerability Correlation and Orchestration Framework. He has created some pioneering works...


Sunday May 26, 2019 9:00am - Tuesday May 28, 2019 5:00pm
Library (lobby level)

10:45am

Coffee Break
Sunday May 26, 2019 10:45am - 11:00am
Hall D & E

1:00pm

Lunch Break
Sunday May 26, 2019 1:00pm - 2:00pm
Nomi Restaurant

3:30pm

Coffee Break
Sunday May 26, 2019 3:30pm - 3:45pm
Hall D & E
 
Monday, May 27
 

8:00am

Registration
Monday May 27, 2019 8:00am - 5:00pm
Foyer

9:00am

Project Review
Monday May 27, 2019 9:00am - 4:00pm
Room 1125

9:00am

Advanced Whiteboard hacking – aka hands-on Threat Modeling
There is a gap between academic knowledge of threat modeling and the real world.
In order to minimize that gap, we have developed practical use cases based on real-life projects. Each use case includes a description of the environment, together with questions and templates to build a threat model. Students will be challenged in groups of 3 to 4 people to perform the different stages of threat modeling on the following:
• B2B web and mobile applications, sharing the same REST backend
• An Internet of Things (IoT) deployment with an on-premise gateway and a cloud-based update service
• OAuth scenarios for an HR application
• Privacy of a new face recognition system in an airport
After each hands-on workshop, the results are discussed, and students receive a documented solution.

Upon completion attendees should know:
Upon completion of this training, attendees will have a practical framework, tools and the first hands-on experience to start and improve threat modeling in their own organizations.

Students receive the following package as part of the course:
• Hand-outs of the presentations
• Worksheets of the use cases,
• Detailed solution descriptions of the use cases
• Template to document a threat model
• Template to calculate risk levels of identified threats
• Certificate: following a successful exam (passing grade defined at 70%), the student will receive certification for successful completion of the course

Attendees should bring:
The students should bring their own laptop or tablet to read and use the training handouts and exercise descriptions.

Attendees should know:
This course is aimed at software developers, architects, system managers and security professionals. Before attending this course, students should have basic knowledge of web and mobile applications, databases and single sign-on (SSO) principles.

Monday May 27, 2019 9:00am - Tuesday May 28, 2019 5:00pm
11th Floor Room 1122

9:00am

An Introduction to Hacking Blockchain Applications and Smart Contracts
As Blockchain platforms become more developed, companies are beginning to investigate how this emerging technology might improve their business and are beginning to consider the risk implications involved with integration.

This two-day course is a deep-dive into state of the art methodologies used when developing smart contracts for Blockchain enabled Decentralized Applications (DApps). We focus on the Ethereum Blockchain, Web 3.0, and the Solidity language, as these are currently the most used platforms for building decentralized applications. Participants are guided through Solidity and its constructs so that they will be able to identify (and exploit) the most common vulnerabilities on this platform.

Since the consequences of insecure smart contracts are so public and costly, often resulting in immediate theft of funds, we focus the course primarily on common vulnerabilities found in this platform and how to prevent them.

We will be utilizing our custom Blockchain Capture the Flag platform as part of our exercises and demos. This platform allows users to interact with realistic DApp simulations and score points on a leaderboard by stealing funds from smart contracts on the test network.

Challenges and exercises will be used to demonstrate many of the most common vulnerabilities found in Solidity smart contracts, including the following:
- Reentrancy
- Integer Underflows/Overflows
- Predictable Randomness
- Insecure Authorization
- Unchecked Low-Level Function Calls
- Unexpected Balance
- Denial of Service
Exploiting these vulnerabilities will require a deep understanding of the following concepts:
- Identifying and avoiding client-side protections
- Communicating with smart contracts directly using a tool like MyCrypto
- Understanding and constructing an ABI
- Code reviewing Solidity projects for vulnerabilities
- Writing and deploying attack contracts written in Solidity on the test network
All of these skill sets will be covered and demonstrated in this course.

Upon completion attendees will know:
* How Blockchain works, what makes it novel, and where it might be useful
* What Web3 is and what Decentralized Applications (DApps) are
* How to interact with DApps using common tooling
* How to write and deploy example smart contracts
* What common vulnerabilities are found in DApps and smart contracts
* How to exploit these vulnerabilities in practice

Attendees will be provided with:
* A copy of our slides
* Access to our custom CTF platform
* Flash drives containing the tools and exercises used during this training

Attendees should bring:
Students must bring a modern laptop capable of running Chrome or a similar web browser.

Speakers
Mick Ayzenberg
Principal Security Engineer, Security Innovation
Mick Ayzenberg is a Senior Security Engineer at Security Innovation. His years of security industry experience have included countless assessments for well-known technology companies. He has done extensive work in web pentesting, mobile pentesting, network protocol analysis, reversing...


Monday May 27, 2019 9:00am - Tuesday May 28, 2019 5:00pm
11th Floor Room 1124

9:00am

Hands-on Secure Coding in Node.js
This course provides essential practical knowledge to build secure and resilient Node.js applications. It starts with a brief primer on Node.js fundamentals and related idiosyncrasies, and then flows into exploiting and fixing the most common web application vulnerabilities, identified as the OWASP Top 10 risks, and beyond.

Topics covered include: 

* Node.js fundamentals
* Security implications of JavaScript language constructs and Node.js-specific idiosyncrasies
* Building secure REST and GraphQL APIs
* Building Authentication with JSON Web Tokens (JWT)
* Securing data in transit and at rest
* Effective logging strategies for microservices architecture
* Eliminating Security Misconfiguration pitfalls
* Client-side attacks and mitigations
* Common sources of Denial of Service attacks and mitigations
* Securing against Components with known vulnerabilities
* Preparing for the Production Environment  

During the training, participants will gain valuable insights from the security mistakes frequently found in known Node package vulnerabilities.  This course includes a balanced combination of essential theory, discussions, and hands-on lab exercises. With the practical knowledge gained during the class, participants can introduce a security culture into their teams and immediately improve the security posture of the Node applications they ship.

Upon completion attendees will learn:

* How a malicious attacker thinks about your application by finding and exploiting these vulnerabilities
* The most common web and Node.js specific security vulnerabilities.
* How to fix these vulnerabilities and incorporate defensive coding practices to bake in security in your apps from the beginning.
* What to look for in the application source code when conducting a code review.

The trainers will provide:

* A copy of the slide deck used during the training
* Source code for hands-on labs
* Lab handouts with step-by-step instructions to solve the lab exercises
* Lab exercises solutions

Attendees should bring:

A laptop with:
* Windows/Linux/MacOS with Node.js 8.x or later pre-installed
* Visual Studio Code or any other IDE pre-installed
* Wifi enabled for network access

Attendees should know:

A beginner level knowledge of the JavaScript language and Node.js is recommended.

Speakers
Chetan Karande
Chetan Karande is a security researcher, speaker, and author of Securing Node Applications (O’Reilly). He is the project leader for the OWASP NodeGoat project and contributor to multiple open source projects.


Monday May 27, 2019 9:00am - Tuesday May 28, 2019 5:00pm
11th Floor Room 1128

9:00am

Seth & Ken’s Excellent Adventures (in Code Review)
Have you ever been tasked with reviewing 3.2 million lines of code manually for SQL Injection, XSS, and Access Control flaws? Have you been asked to review a new framework on short notice? Does the idea of reviewing Ruby, Go, or Node code leave you with heartburn? This course addresses all of these common challenges in modern code review. We have concentrated on taking our past adventures in code review, the lessons we’ve learned along the way, and made them applicable for others who perform code reviews. We will share our methodology to perform analysis of any source code and suss out security flaws, no matter the size of the code base, the framework, or the language. As a student, you will learn the methodology, techniques, approach, and tools used by Seth Law and Ken Johnson to understand code flows, trace user input, identify vulnerabilities, and effectively secure an application code base.

Upon completion attendees will know:
Students will take away knowledge and experience in approaching numerous code languages and frameworks to complete a security source code review. In addition, the learned methodology can be customized by the attendee to fit into any organization’s security SDLC. Finally, the attendee will have the tools to review source code for any web, mobile, or modern application, whether or not the targeted language is specifically covered during the course.

The trainer will provide:
Presentation materials
Source code to be analyzed during the course (VM provided if desired).

Attendees should bring:
Laptop with wireless and virtual machine (VMWare/Virtual Box) capabilities.
Preferred IDE


Speakers
Seth Law
President and Principal Security Consultant, Redpoint Security
Seth Law is the President and Principal Security Consultant of Redpoint Security (rdpt.io). During the last 15 years as a security professional, Seth has worked within multiple disciplines, from software development to network protection, as a manager and individual contributor. Seth...
Ken Johnson
AppSec Person, GitHub
Ken Johnson has been hacking web applications professionally for 11 years. Ken is both a breaker and builder and currently works on the GitHub application security team. Previously, Ken has spoken at RSA, You Sh0t the Sheriff, Insomnihack, CERN, DerbyCon, AppSec USA, AppSec DC, AppSec...


Monday May 27, 2019 9:00am - Tuesday May 28, 2019 5:00pm
11th Floor Room 1126

1:00pm

Lunch Break
Monday May 27, 2019 1:00pm - 2:00pm
Nomi Restaurant

 
Tuesday, May 28
 

8:00am

Registration
Tuesday May 28, 2019 8:00am - 5:00pm
Foyer

9:00am

Project Review
Tuesday May 28, 2019 9:00am - 4:00pm
Room 1125

9:00am

Free: Web Application Hacking with Burp Suite and OWASP ZAP - For Women
In this completely hands-on workshop, you will get to understand the techniques and methodologies that can be applied when performing a web application penetration test. Throughout this workshop, you will be using Burp Suite, which is a conglomerate of distinct tools with powerful features. Apart from gaining familiarity with the tools and the techniques involved in application security testing, you will also get an opportunity to understand some of the common vulnerabilities from the OWASP Top 10 - 2017 list. We will provide you with a vulnerable website, and you will uncover security issues in it even if you have never done this before!

1. Laptop with administrator access (mandatory)
2. Minimum 4 GB RAM
3. At least 10 GB of free hard disk space
4. Oracle VirtualBox 5.x or later installed (https://www.virtualbox.org/wiki/Downloads/)
5. Oracle VM VirtualBox Extension Pack installed
6. Burp Suite Community Edition installed (https://portswigger.net/burp/communitydownload)
7. USB-enabled laptop to copy the virtual machines


Speakers
Vandana Verma
Security Solutions Architect, WIA Asia Lead and Secretary, OWASP Bangalore Chapter Leader, IBM
Vandana Verma is an experienced application security practitioner, OWASP Bangalore Chapter Leader, OWASP WIA Lead, WoSec, InfoSecgirls and Women in Cyber Security Advocate. She has given talks and workshops at many colleges and security conferences including AppSec Europe, AppSec...


Tuesday May 28, 2019 9:00am - 5:00pm
Hall J (conference floor level)

10:45am

Coffee Break
Tuesday May 28, 2019 10:45am - 11:00am
Hall J (conference floor level)

1:00pm

Lunch Break
Tuesday May 28, 2019 1:00pm - 2:00pm
Main Restaurant

3:30pm

Coffee Break
Tuesday May 28, 2019 3:30pm - 3:45pm
Hall J (conference floor level)

6:30pm

Leaders Meeting
Tuesday May 28, 2019 6:30pm - 8:00pm
Hall l (conference floor level)

8:30pm

Speakers Dinner
Tuesday May 28, 2019 8:30pm - 10:00pm
Jaffa Deck (outside)
 
Wednesday, May 29
 

8:00am

Registration
Wednesday May 29, 2019 8:00am - 5:00pm
Foyer

9:00am

Sponsor Exhibit
Wednesday May 29, 2019 9:00am - 6:00pm
Hall D & E

9:30am

Conference Opening Remarks
Welcoming of all the attendees to the conference.

Wednesday May 29, 2019 9:30am - 9:45am
Halls A & B

9:45am

The Importance of the Cloud and the Developers Communities in Fighting Cyber Crime
Speakers
Michal Braverman-Blumenstyk
CTO, Cloud and AI Security Division, Microsoft
Michal Braverman-Blumenstyk is the CTO of the Cloud and AI Security division, Microsoft. Michal and team are driving the Microsoft security strategy and innovation. Prior to her promotion to CTO in September 2017, Michal was the Azure Cybersecurity GM where, among other achievements, she...


Wednesday May 29, 2019 9:45am - 10:20am
Halls A & B

10:15am

Coffee Break
Wednesday May 29, 2019 10:15am - 10:45am
Hall D & E

10:45am

Glue Tool

Wednesday May 29, 2019 10:45am - 11:15am
Hall G

10:45am

Vehicle Security Trends: Implications for Automotive Suppliers
As the automotive industry continues to introduce bleeding-edge technology, vehicles have become increasingly intelligent, expanding the automotive attack surface far beyond traditional paradigms. We are living in a world of connected and autonomous vehicles with expectations that our means of transport are resilient in the face of malice. OEMs, along with numerous integrators and hardware/software suppliers, support the daunting task of holistically securing a vehicle’s ecosystem. But how can we know this for sure? In this presentation, we will discuss the latest in-vehicle security attack trends and supplier third-party risk, and provide mitigating solutions that suppliers can build into their development processes.

Speakers
Aaron Guzman
Head of IoT, Aon
Aaron Guzman is a Director with Aon’s Cyber Solutions group, also serving as Head of Automotive & IoT Testing. Aaron is a passionate information security professional specializing in IoT, embedded, and automotive security. Mr. Guzman has extensive public speaking experience delivering...


Wednesday May 29, 2019 10:45am - 11:15am
Hall A

10:45am

NoSQL web application vulnerabilities and mitigation
NoSQL data storage systems have become very popular due to their scalability and ease of use.
I will examine injection methods, CSRF vulnerabilities, and mitigation solutions.
Moreover, in NoSQL systems authentication, encryption, and role management are optional;
as a result, they are vulnerable to DoS and DDoS, and the impact of injection is greater.

Speakers
Amir Luckach
Endpoint security team leader, CyberArk
Experienced technical manager with more than 19 years of hands-on experience. During this time I've filled roles of development, team leading, project management, system engineering/architecture, research and managing development and QA teams in several countries (TLV, India, China...


Wednesday May 29, 2019 10:45am - 11:15am
Hall B

10:45am

Uninvited Guests: Understanding Malicious Web Bots with OWASP Handbook
Scalping, Scraping, Skewing, Sniping … oh my! What are they? How do you wrap your mind around malicious bots and unwanted automation? Presented by a co-leader of the OWASP project on automated threats, this talk will help you navigate the swampland of malicious web automation using the OWASP Automated Threat Handbook as a guide, along with examples from the real world.

Speakers
Tin Zaw
Director, Security Solutions, Verizon
The author resides in sunny southern California, where he seeks a Zen state of mind amid the chaotic mix of technology, society and cyber threats. Wanting to make the world safer online, he gave up his beloved programming job to focus on cyber security. He is a former president of...


Wednesday May 29, 2019 10:45am - 11:15am
Hall C

10:45am

Capture the Flag
Speakers
Steven van der Baan
Capture the Flag leader
Steven is a security consultant with a strong background in software development. He has created and hosted the OWASP Capture the Flag competition at various events.


Wednesday May 29, 2019 10:45am - Thursday May 30, 2019 3:30pm
Meeting Room 5

10:45am

WIA
Wednesday May 29, 2019 10:45am - Thursday May 30, 2019 5:00pm
11th Floor Room 1122

11:20am

Injecting Security Controls in Software Applications
Cyber attacks are a real and growing threat to businesses, and an increasing number of attacks take place at the application layer. The best defense is to develop applications where security is incorporated as part of the software development life cycle.
How can developers write more secure applications? What security techniques can they use while writing the software that will help them produce more secure applications?

These are hard questions, as evidenced by the numerous insecure applications we still have today. Starting from real-world examples, we will discuss the security controls that developers are familiar with, offer actionable advice on when to use them in the software development life cycle, and explain how to verify them.

Recommended for all builders and security professionals interested in incorporating security controls as part of the software development cycle and building more secure applications.


Speakers
Katy Anton
Principal Application Security Consultant, Veracode
Katy Anton is a security professional with a background in software development. An international public speaker, she enjoys speaking about software security and how to secure software applications. In her previous roles, she led software development teams and implemented security...


Wednesday May 29, 2019 11:20am - 11:50am
Hall B

11:20am

Security for Modern Webapps: New Web Platform Security Features to Protect your Application
Web applications have historically been plagued by vulnerabilities which allow attackers to compromise the session of a logged-in user: XSS, CSRF, clickjacking and related issues. Luckily, new security mechanisms available in web browsers in 2019 offer exciting features which allow developers to protect their applications. In this talk, we'll introduce these features and explain how to most effectively use them.
We'll start by reviewing major threats based on an analysis of thousands of vulnerability reports Google receives each year under our Vulnerability Reward Program. We will find common themes between bugs which appear unrelated and focus our attention on the most frequent high-risk problems.
We'll then turn our attention to protective mechanisms implemented in modern browsers, which address entire classes of security problems. This includes CSP3 and Trusted Types to prevent XSS, Fetch Metadata Request Headers to protect from CSRF, and CORP/COOP to mitigate the threat of Spectre.

Speakers
Lukas Weichselbaum
Staff Information Security Engineer, Google
Lukas Weichselbaum is a Staff Information Security Engineer at Google with 10+ years of industry experience who frequently speaks at international infosec and developer conferences. He's passionate about securing Web applications from common Web vulnerabilities and leads the Google-wide...


Wednesday May 29, 2019 11:20am - 11:50am
Hall A

11:20am

Bringing Rapid Prototyping To The Threat Model Process
Threat Modelling is a powerful way of discovering security risks during software architecture and design. It can be used to build security into software and remove design flaws before actual code development starts. However, it can be a laborious and time-consuming exercise, which is not a happy marriage with Continuous Integration and DevOps methodologies. As a result, there is very poor adoption of threat modelling industry-wide. This talk will introduce the open-source Rapid Threat Model Prototyping (RTMP) process, which addresses these complications. It uses a just-in-time design process to quickly build a model and identify high-threat areas. The RTMP methodology is proven to speed up software threat analysis in fast-moving Agile/DevOps environments tenfold. It is perfect for creating more automated analysis workflows.

Speakers
Geoffrey Hill
Founder and CEO, Tutamantic Sec
I have been directly involved in application security since 2003, when I enhanced the Microsoft SDL to use with my customers' growing Agile projects. I also started using the Microsoft Threat Modeling process actively at this point and have been building my process over many years to adapt...


Wednesday May 29, 2019 11:20am - 11:50am
Hall C

11:55am

IoT & Embedded AppSec
Speakers
Aaron Guzman
Head of IoT, Aon
Aaron Guzman is a Director with Aon’s Cyber Solutions group, also serving as Head of Automotive & IoT Testing. Aaron is a passionate information security professional specializing in IoT, embedded, and automotive security. Mr. Guzman has extensive public speaking experience delivering...


Wednesday May 29, 2019 11:55am - 12:10pm
Hall G

11:55am

Common API Security Pitfalls
The shift towards an API landscape indicates a significant evolution in the way we build applications. The rise of JavaScript and mobile applications has sparked an explosion of easily accessible REST APIs. But how do you protect access to your API? Which security aspects are no longer relevant? Which security features are an absolute must-have, and which additional security measures do you need to take into account?

These are hard questions, as evidenced by the deployment of numerous insecure APIs. Attend this session to find out about common API security pitfalls that often result in compromised user accounts and unauthorized access to your data. We expose the problem that lies at the root of each of these pitfalls and offer actionable advice to address these security problems. After this session, you will know how to assess the security of your APIs, and the best practices to improve them for the future.


Speakers
Philippe De Ryck

Founder, Pragmatic Web Security
Philippe De Ryck helps developers protect companies through better web security. As the founder of Pragmatic Web Security, he travels the world to train developers on web security and security engineering. His Ph.D. in web security from KU Leuven lies at the basis of his exceptional...


Wednesday May 29, 2019 11:55am - 12:25pm
Hall A

11:55am

Security Culture: Here be Hackers
RFC 1983 defines the term hacker as "a person who delights in having an intimate understanding of the internal workings of a system, computers and computer networks in particular". Let's say we want our developers and other IT staff to be security hackers, so they can look at their duties from a security perspective: develop more secure applications, seek security flaws in them and be part of the security culture in general. We will talk about building bridges from the security team to other IT staff (mostly developers): knowledge spreading and communication. How do we avoid writing yet another developer's guide from scratch? How do we make all developers aware of the presence (yes, presence) of the security team from their first days at work? How do we interest them in application security? How do we grow this knowledge? Let's discuss these questions!

Speakers
Taras Ivashchenko

Head of Product Security Team, OZON
Head of the Russian OWASP branch. Head of the product security team at OZON. Also known as the developer of a browser extension called CSP Tester and a contributor to other security-related projects.


Wednesday May 29, 2019 11:55am - 12:25pm
Hall B

11:55am

Testing and Hacking APIs
Most of the modern applications developed in the last years deeply rely on APIs, including web, mobile and IoT apps. APIs are different from traditional web servers in many ways. This change might be confusing and challenging for pentesters and security researchers.
Come to learn how to leverage the new battleground to your advantage and:
1. Understand the underlying implementation of the application from the API traffic
2. Detect potentially vulnerable points in APIs
3. Perform a successful and effective pen test on modern applications

Speakers
Inon Shkedy

The speaker has 7 years of experience in application security. He started his career in a red team in a government organization for 5 years, and then moved to the Silicon Valley to learn more about startups, modern applications and APIs. Today he provides consultation to various companies...



Wednesday May 29, 2019 11:55am - 12:25pm
Hall C

12:30pm

Lunch Break
Wednesday May 29, 2019 12:30pm - 1:30pm
Hall D & E

12:30pm

WIA Luncheon
Wednesday May 29, 2019 12:30pm - 1:30pm
11th Floor Room 1122

1:30pm

Insights from the trenches: must-have secure coding lessons in mobile
In this session we’ll present common coding pitfalls of mobile app developers, present their real-world ramifications and provide guidance on how to avoid them. The presentation will include demonstrations of techniques that attackers use to overcome the different protection layers provided by the OS stack, as well as code samples that can help better design apps against those risks.

Speakers
Yair Amit

Vice President & CTO of Modern OSs Security, Symantec
The speaker is Vice President & CTO of Modern OSs Security at Symantec; he leads the company's research, vision and R&D center for securing iOS & Android devices, as well as envisioning the security model of future desktop operating systems. He joined Symantec through the acquisition...

Igal Kreichman

Dev Manager, Symantec


Wednesday May 29, 2019 1:30pm - 2:00pm
Hall A

1:30pm

Rhyming with Hacks - the Ballad of Supply Chain Attacks
2018 was big on Supply Chain Attacks (SCA), with big e-commerce companies such as British Airways or Ticketmaster being targeted. The cyber criminal groups behind some of these attacks are referred to as Magecart. During this talk, we'll present SCAs, how they work and how they scale. We'll go through the anatomy of these attacks and see if and how they can be prevented or mitigated. We'll discuss the effectiveness of existing solutions like Content Security Policy or Subresource Integrity. We'll take a deeper look into one real-life SCA, by going through the attacking code and understanding what it does. We'll then present a new approach that we've been working on that is based on DOM real-time monitoring. We'll do a live demo of our solution defending against the real-life SCA presented before. Its merit in detecting and mitigating this and other SCA attacks will be discussed.

Speakers
Pedro Fortuna

CTO, Jscrambler
Pedro Fortuna is CTO and Co-Founder of Jscrambler, where he leads the technical vision for the product suite and contributes with his cybersecurity knowledge to R&D. Pedro holds a degree in Computing Engineering and an MSc in Computer Networks and Services, having more than a decade...


Wednesday May 29, 2019 1:30pm - 2:00pm
Hall B

1:30pm

Trusted Types: End-to-end injection safety at scale
18 years have passed since Cross-Site Scripting (XSS) became the single most common security problem in web applications. Since then, numerous efforts have been proposed to detect, fix or mitigate it, but these piecemeal efforts have not combined to make it easy to produce XSS-free code.

This talk explains how Google's security team has achieved a high level of safety against XSS and related problems by integrating tools that make it easier for developers to produce secure software than vulnerable software, and that bound the portion of a code base that could contribute to a vulnerability.

We will show how this works in practice and end with advice on how to achieve the same results on widely used, open-source stacks, and on new browser mechanisms that will make it much easier to achieve high levels of security with a good developer experience.


Speakers
Krzysztof Kotowicz

Senior Software Engineer, Information Security Engineering team, Google
Krzysztof Kotowicz is a web security researcher specializing in discovery and exploitation of client-side vulnerabilities, and a software engineer in the Information Security Engineering team at Google. Speaker at various security conferences (ACM CCS 2017, Black Hat USA 2017, OWASP...

Mike Samuel

Software Engineer, Google LLC
Mike Samuel works on Google's technical infrastructure team improving libraries and programming languages to make it easier to produce secure & robust software. Mike has worked on JavaScript sandboxing, the Secure EcmaScript and other language committee proposals, making template...


Wednesday May 29, 2019 1:30pm - 2:00pm
Hall C

2:05pm

SAMM
Speakers

Wednesday May 29, 2019 2:05pm - 2:35pm
Hall G

2:05pm

OWASP Top 10 for JavaScript Developers
With the release of the OWASP Top 10 2017 we saw new issues rise as contenders for the most common issues in the web landscape. Much of the OWASP documentation presents issues and remediation advice/code relating to Java, C++, and C#; however, not much relates to JavaScript. JavaScript has drastically changed over the last few years with the release of Angular, React, and Vue, alongside the popular use of NodeJS and its libraries/frameworks. This talk will introduce you to the OWASP Top 10, explaining JavaScript client- and server-side vulnerabilities.

Speakers
Lewis Ardern

Senior Security Consultant, Synopsys
Lewis Ardern is a Senior Security Consultant at Synopsys. His primary areas of expertise are in web security and security engineering. Lewis enjoys creating and delivering security training to various types of organizations and institutes in topics such as web and JavaScript security...


Wednesday May 29, 2019 2:05pm - 2:35pm
Hall B

2:05pm

Testing Security In, the Right Way
Developing secure software requires a solid SDLC, including all team members throughout ALL stages of the process, from requirements through implementation.
 
So how come we always ignore QA? Why do we often talk about developers as security champions, but rarely mention the QA team for this?
 
In our talk, we will show how to integrate the QA team into the security testing process, and why we should shift some of the security tasks to QA for optimum results. 
We’ll see some examples, and templates, we built and used for our projects, that the audience can implement quickly in their own projects.

We aim to convince the audience that a partnership between QA & Security teams can work very well, based on their mutual interests, and this will enable in-depth security testing, both automatically and manually, to be done in every sprint.

Speakers
Iris Levari

Application Security Expert, Self Employed
An Application Security Architect @ Playtech, 20 years in cyber security, CISSP trainer, SDLC practitioner, LA27001, loves cryptography and penetration testing. Samsung security lab bug bounty manager (smart TV), IoT penetration testing 2011-2014, security researcher @ Amdocs 2007-2010...

Adi Belinkov

JPMorgan Chase & Co, VP Cybersecurity
Currently a VP Cybersecurity at JPMorgan Chase & Co and an Application Security Architect, 7 years in cyber security. ironSource: 2015-2018 as Security Manager. EY (Hacktics): 2013-2015 as Information Security Consultant. Degree in Software Engineering. Served in 8200 2...


Wednesday May 29, 2019 2:05pm - 2:35pm
Hall A

2:05pm

Webhooks Hookups: Abusing API Developers
The concept of a Webhook is quite simple: an HTTP callback that occurs when something happens. However, the Webhook's powerful nature of open-ended integration with arbitrary web services makes it very easy for API developers to pipe data in and out of CISO-defined boundaries, and might even end up in a network compromise.
We will share our research on the tool-chains used by API developers to develop and test Webhooks and show why those could be disastrous. We will provide examples of real-life exposed applications and present our war stories on the vulnerabilities we have discovered and responsibly disclosed. We will talk about how Webhook tools are already being abused in the wild. Attendees will walk away with a better understanding of Webhook development threats and the feasible preventive controls. Finally, we will be releasing a toolkit to assist in auditing the exposure of organizations using Webhooks.

Speakers
Tomer Zait

Principal Security Researcher, F5
Tomer Zait (Principal Security Researcher at F5 Networks) worked in a range of professions in the security industry (Web Application Firewall Integrator, Penetration Tester, Application Security Engineer, Security Researcher, etc.). During this time, he developed open-source projects...

Maxim Zavodchik

Security Research Manager, F5 Networks
The speaker has more than 10 years of offensive security and web vulnerabilities research experience. In his current role as Head of Security Research, Maxim is building and growing the threat research at F5 Networks.


Wednesday May 29, 2019 2:05pm - 2:35pm
Hall C

2:40pm

Dissecting Mobile Application Privacy and Analytics
Have you ever wondered how much data your favorite business application is capturing during your mobile app visits? Are you a developer or security engineer tasked with keeping your client data secure? Are you curious about what kind of data that mobile game you love can gather, even if you don't give it special permissions? The apps we trust with our data hopefully use caution and comply with regulations, but what about the safeguards and authentication around these analytics portals? This session will home in on precisely those questions. We will tear apart some favorite apps and their analytic products/tracking engines to expose exactly the content and frequency that commonly used mobile applications are reporting. Attendees will walk away with insider knowledge to make informed decisions regarding the scope of this exposure, in an effort to guard our personal and client data.

Speakers
Kevin Cody

Principal Application Security Consultant, nVisium
Kevin Cody is a Principal Application Security Consultant with experience working at several Fortune 500 enterprises. Although his particular expertise is geared toward hacking Web and Mobile applications, he is also experienced in the entire gamut from mainframes to embedded systems...


Wednesday May 29, 2019 2:40pm - 3:10pm
Hall B

2:40pm

Who left open the cookie jar?
Nowadays, cookies are the most prominent mechanism to identify and authenticate users on the Internet. Although facilitating important usability advances, they also opened the door to cross-site attacks and third-party tracking. Various countermeasures have been developed as a reaction to these threats, such as built-in browser policies and extensions that block undesirable requests and cookies.

However, these countermeasures are rarely questioned on their effectiveness. Motivated by this, we developed a framework to evaluate these countermeasures in an automated manner, spanning 8 browsers, and 46 ad blockers and privacy extensions. Unfortunately, our comprehensive evaluation uncovered that virtually every policy can be bypassed.

In this talk, we explore various interesting bypasses to built-in browser policies and extensions. Furthermore, we argue that our framework is a much-needed tool for evaluating browser policies. We illustrate that our framework can be expanded to evaluate other policy implementations such as Content Security Policy and private browsing mode.

Speakers
Tom Van Goethem

imec-DistriNet - KU Leuven
Tom Van Goethem is a PhD student at the University of Leuven with a keen interest in web security and privacy. In his research, Tom likes performing large-scale security experiments, whether to analyze the presence of good and bad practices on the web, or to demystify security claims...


Wednesday May 29, 2019 2:40pm - 3:10pm
Hall A

2:40pm

How NLP Can Help Us Understand Web Attackers
Word2Vec is a popular Natural Language Processing approach, which has been imported by different domains (as Something2Vec), embedding domain objects in Euclidean spaces for similarity/distance calculation, clustering, visualization and more.
We will present our research on importing Word2Vec into Web Application Security. Looking at malicious web requests as words and at their sequences as sentences, we applied a variant of Word2Vec to embed web attack vectors in a Euclidean space and to analyze their contextual relations. This embedding allows identification of attack vectors that tend to come together, either of the same attack category, like different SQL Injection attempts, or from "adjacent" attack types like File Upload and Backdoor Communication.
We will discuss practical applications of this research, like modeling web scanning tools and popular attack flows, assessing the accuracy and effectiveness of security rules, isolating attacks belonging to the same campaign and telling targeted attacks from web scans.

Speakers
Itsik Mantin

Lead Scientist, Imperva
In the last 20 years I have researched and innovated in various cyber-security domains, including web application security, advanced persistent threats, DRM systems, automotive systems and more. While thinking as an attacker is my second nature, my first nature is problem solving...

Ori Or-Meir

Data Scientist, Imperva
From an early age I liked solving puzzles of all kinds. Finding solutions to problems is my passion, and finding patterns in 'randomness' is my hobby. I recently finished my M.Sc. studies at Ben-Gurion University in Cyber Security, and as a Data Scientist at Imperva my skills...


Wednesday May 29, 2019 2:40pm - 3:10pm
Hall C

3:10pm

Coffee Break
Wednesday May 29, 2019 3:10pm - 3:45pm
Hall D & E

3:45pm

Innovation Fair
This year in Global AppSec Tel Aviv we will run, for the first time, an innovation fair for startups in the area of Application and Software Security. This fair is an opportunity for early-stage startups (younger than 3 years, with less than $1M revenue and $10M funding) to pitch their innovation to the OWASP conference attendees. We believe this is a great opportunity for practitioners of AppSec to learn about new and upcoming technologies, and a great opportunity for the startups to get some initial exposure and market feedback.

We believe Global AppSec Tel Aviv is the perfect OWASP conference to kick start this type of event and tradition, thanks to the marvelous ecosystem of startups and innovation in Israel, alongside a long-lasting focus of AppSec companies who started here, bringing to life some of the first and most significant solutions in areas such as DAST, SAST, IAST, WAF and more.


The Innovation Fair includes two parts. The first part is a one-hour presentation phase that will take place just before the closing keynote of the first conference day, where each startup gets to do a 5-minute pitch of the problem they solve, the solution they built, the team behind it, and the innovation that differentiates it from what's out there today. After each presentation, the hosts of the event will ask follow-up questions.


The second part of the event will take place later that night, during the conference Networking Event, taking place at the Peres Peace and Innovation Center. Each of the startups participating in the innovation fair will get a spot where they can talk with the conference attendees, show them demos, answer their questions and provide more depth.

Following this event, we will promote a survey amongst conference attendees to choose their favorite innovation, and will announce the winner on the 2nd day of the event. 

Below you can find the list of companies planned to take part in the event:
- Vicarius
- Protego Labs
- IXDen
- L7 Defense
- Cyber Intellectuals
- Salt Security

Wednesday May 29, 2019 3:45pm - 4:45pm
Halls A & B

4:45pm

Lessons from the Early Web Application Security Days
I had the privilege to join Perfecto Technologies in its early days (1997), and observe its ascent and demise. Perfecto (later renamed into Sanctum) was a very innovative Israeli startup – the pioneer of commercial web application solutions. Sanctum produced the first WAF and the first web application vulnerability scanner. In this speech I want to cover the early (and less known) history of Sanctum/Perfecto, how it was intertwined with the early history of web application security (and market), and what lessons I learned from this experience – both about conducting research in an immature area, and about the fate of a security company in an immature market.

Speakers
Amit Klein

VP Security Research, SafeBreach
Amit Klein is a world-renowned information security expert, with 28 years in information security and over 30 published technical and academic papers on this topic. Amit is VP Security Research at SafeBreach, responsible for researching various infiltration, exfiltration, and lateral...


Wednesday May 29, 2019 4:45pm - 5:15pm
Halls A & B

6:30pm

Networking Event - Buses will pick up outside entrance of InterContinental David
Buses start loading at 6:30 pm

Wednesday May 29, 2019 6:30pm - 9:00pm
Peres Center for Peace and Innovation Kedem Street 132, Tel Aviv-Yafo
 
Thursday, May 30
 

8:00am

Registration
Thursday May 30, 2019 8:00am - 5:00pm
Foyer

9:00am

Sponsor Exhibit
Thursday May 30, 2019 9:00am - 5:00pm
Hall D & E

9:30am

The Evolving Community of Appsec
Application Security as a discipline has continuously evolved over the last couple of decades. This is an expected outcome of the growth and maturity of this engineering discipline. At the same time, technology has continued to become more pervasive, which has led to increased risk associated with appsec failures. On this learning journey, our community has played an important part since the beginning, OWASP being an important contributor to that. In this talk, we will discuss how that community has evolved until now and how it needs to change in the future to enable us to solve future security problems at scale.

Speakers
Astha Singhal

Netflix
Astha Singhal leads the Application Security team at Netflix that is responsible for securing all the applications in Netflix's cloud infrastructure. Prior to this, she managed product security for the Salesforce AppExchange and other core Salesforce products. She is a security engineer...


Thursday May 30, 2019 9:30am - 10:00am
Halls A & B

10:00am

Coffee Break
Thursday May 30, 2019 10:00am - 10:30am
Hall D & E

10:30am

API Security
Speakers
Inon Shkedy

The speaker has 7 years of experience in application security. He started his career in a red team in a government organization for 5 years, and then moved to the Silicon Valley to learn more about startups, modern applications and APIs. Today he provides consultation to various companies...


Thursday May 30, 2019 10:30am - 11:00am
Hall G

10:30am

Building & Hacking Modern iOS Apps
After my offensive presentation "Testing iOS Apps without Jailbreak in 2018" it is time to focus on building, not just breaking. This talk will cover the most important milestones in reaching secure iOS/macOS apps. I'm going to show you how to develop modern & secure iOS/macOS apps using new security features presented at Apple's latest Worldwide Developers Conference. Hackers will be satisfied as well, since I'm also going to cover the pen tester's perspective. What's more, I will share with you details of multiple vulnerabilities (*including ones not disclosed previously*) that I found during security assessments and my research of Apple's applications.

Speakers
Wojciech Reguła

SecuRing
The speaker is an IT Senior Security Specialist employed at SecuRing. Professionally responsible for web and mobile security testing with particular emphasis on iOS. He is a creator of secure Ruby code examples for the OWASP Security Knowledge Framework and founder of an infosec student research...


Thursday May 30, 2019 10:30am - 11:00am
Hall A

10:30am

Can We Automate Security?
This talk will focus on the tools that Microsoft built into our CI/CD pipelines to secure the products and services we are deploying, and the lessons we've learned along the way.

Speakers
Sasha Rosenbaum

Azure DevOps Program Manager, Microsoft
Sasha is a Program Manager on the Azure DevOps engineering team, focused on making the technology better aligned with open source software projects. Sasha has a Computer Science degree from the Technion. She is a co-organizer of the DevOps Days Chicago conference, and recently published...


Thursday May 30, 2019 10:30am - 11:00am
Hall C

10:30am

How Online Dating Made Me Better At Threat Modeling
Isaiah has used online dating sites such as Tinder and OkCupid. At times this seems antithetical to his stance on privacy and security. To better understand the security ramifications of online dating, and to establish safer methods of doing it, he applied threat modeling to online dating. Through this he came up with a set of best practices depending on your threat model. This talk is relevant for anyone who is trying to balance privacy/security and a desire for human connection in this modern world. Due to the real and perceived dangers of online dating, the stigma that surrounds it, and the pervasiveness of it, it is a great lens through which folks can be introduced to the core principles of threat modeling. It also makes it fun to talk about!

Speakers
Isaiah Sarju

Co-Owner, Revis Solutions
Isaiah Sarju is a Red Teamer. He has contributed to the Microsoft Security Intelligence Report, conducted numerous penetration/red team engagements, and taught students how to become top tier defenders. He plays tabletop games, swims, and trains Brazilian Jiu-Jitsu. @isaiahsarju


Thursday May 30, 2019 10:30am - 11:00am
Hall B

11:05am

Securing Node.js and JavaScript
In this talk, we will see what security issues can be found in the Node.js and JavaScript world and how to successfully protect against attackers.

Speakers
Vladimir de Turckheim

Software Engineer, Sqreen
V. works as a software engineer at Sqreen where he builds a tool to secure web applications. He used to be a professional security auditor and a web developer in agencies. He is one of the most active members of the Node.js Security Working Group where he handles the security...


Thursday May 30, 2019 11:05am - 11:35am
Hall A

11:05am

DevSecOps with OWASP DevSlop
The OWASP DevSlop team is dedicated to learning and teaching DevSecOps via examples, and "Patty the Pipeline" is no exception: we ensure all the 3rd-party components are known-secure, retrieve secrets from a secret store, and require the code to pass negative unit tests, dynamic application security testing (DAST), static application security testing (SAST), and encryption and infrastructure VA verification. This entire system/project is open-sourced as part of the OWASP DevSlop project on GitHub and as live-streamed and recorded videos, so that developers can watch each of the lessons and add them to their own pipelines, giving them a head start on DevSecOps. The talk will consist mostly of a start-to-finish demo of each part of the pipeline. Tools showcased include SSL Labs, White Source Bolt, Azure DevOps Security Toolkit and OWASP ZAP. Supporting videos available here: https://aka.ms/DevSlopSho

Speakers
Nancy Gariché

Co-Founder, Secure That Cert!
In the early 2000's, this speaker joined the Canadian federal government as a computer science CO-OP student and never left. In 2009, he/she moved to Ottawa from Montreal, his/her beloved hometown, to land his/her first IT security job as a security analyst. This multi-hatted role...

Tanya Janca

CEO and Co-Founder, Security Sidekick
Tanya Janca is the co-founder and CEO of Security Sidekick. Her obsession with securing software runs deep, from starting her company, to running her own OWASP chapter for 4 years and founding the OWASP DevSlop open-source and education project. With her countless blog articles, workshops...


Thursday May 30, 2019 11:05am - 11:35am
Hall C

11:05am

Software Security War: your reports are dead!
The talk will introduce the new OWASP Software Security 5D Framework showing the assessment data of various International companies.  
The evolution of software security verification activities: from firm reports on desks to the integration of security bugs in the life cycle.


Speakers
Matteo Meucci

CEO and a co-founder, Minded Security
More than 18 years of specializing in Application Security; he has collaborated with the OWASP project since 2002: he founded the OWASP-Italy Chapter in 2005 and has led the OWASP Testing Guide since 2006 and the OWASP Software Security 5D Framework since 2018. He is invited as speaker at...


Thursday May 30, 2019 11:05am - 11:35am
Hall B

11:50am

Mod Security Core Rule Set
Speakers
Tin Zaw

Director, Security Solutions, Verizon
The author resides in sunny southern California, where he seeks a Zen state of mind amid the chaotic mix of technology, society and cyber threats. Wanting to make the world safer online, he gave up his beloved programming job to focus on cyber security. He is a former president of...


Thursday May 30, 2019 11:50am - 12:20pm
Hall G

11:50am

Struts 2 Must Die: The Life and Inevitable Death of Java’s Spaghettiest™ Framework
The Struts2 Java framework started as a cool, modern framework and ended up like a bomb periodically exploding in security teams' faces. Now it's impossible to get rid of from production, and it may lead to massive damage like the Equifax breach because of architectural decisions made long ago. Take the plunge into the OGNL swamp, play the cat and mouse game alongside Struts2 developers and security researchers, and finally find out the prerequisites to blow up the framework with a new exploit.

Speakers
Eugene Rojavski

Application Security Researcher, Checkmarx
A passionate appsec specialist who loves to poke things until they explode. 8 years in infosec and appsec, constantly pursuing a goal to unravel the mystery of security. I enjoy coaching others how to create "securer things"


Thursday May 30, 2019 11:50am - 12:20pm
Hall C

11:50am

Three levels of complexity: Threat Modeling of Containerized Application
Threat Modeling is a very powerful tool of Application Security; however, many organizations are struggling to use it. There is a common perception that Threat Modelling is too heavy and should be done only at specific stages of the development process. In the session I am going to explain how we can optimize threat modeling and improve the process outcome, as well as how we can handle a new dimension in the model, since container usage requires attention to additional aspects which can be easily overlooked. The session will also touch on aspects of success measurement and incremental improvements. In addition, I will provide examples of real cases where risks properly identified during threat modeling for containerized applications reduced the impact of recently reported Docker and Kubernetes vulnerabilities.

Speakers
Elena Kravchenko

Application Security Expert, CISSP, Micro Focus
Application Security Expert, CISSP
• 6+ years as Security Lead for Business Unit (global, multidisciplinary, 400+ developers)
• 25+ years of software engineering, in different positions: software engineer, technical lead, system architect, application security lead
• MS in Applied...


Thursday May 30, 2019 11:50am - 12:20pm
Hall A

11:50am

Docker Security Insights
As innovation in technology increases, security becomes trickier. In order to embrace the latest technologies like Docker and Kubernetes, product IT organizations must consider security a top priority. Container vulnerabilities like "Dirty Cow", "Escape Vulnerability" and a recent vulnerability, "Jack-In-The-Box", when unpacking an image, etc. have shaken the world. During my talk, I would like to present core issues with Docker-related components like the daemon, images and containers with practical demos & possible countermeasures, Docker Secrets management, Docker Content Trust signature verification, Docker Notary services, best practices to be followed in production environments, and also how to deal with open source libraries used in building images.

Speakers
Sujatha Yakasiri

Senior Computer Scientist, EdgeVerve Systems Limited
Working as a Senior Computer Scientist at EdgeVerve Systems Limited (An Infosys Company). She is a passionate security researcher, speaker and author with in-depth expertise in pen testing web applications, mobile applications, performing source code reviews and performing threat...


Thursday May 30, 2019 11:50am - 12:20pm
Hall B

12:25pm

Automated Threats
Speakers
Tin Zaw

Director, Security Solutions, Verizon
The author resides in sunny southern California, where he seeks a Zen state of mind amid the chaotic mix of technology, society and cyber threats. Wanting to make the world safer online, he gave up his beloved programming job to focus on cyber security. He is a former president of...


Thursday May 30, 2019 12:25pm - 12:55pm
Hall G

12:25pm

Automated Cyber Security Platform at Scale
Automated Security and Security Orchestration are the new way of tackling very sophisticated threats and cyber crime. The volume of data, processes, procedures and workflows is overwhelming, making human power and expertise insufficient to work with it all.
During the presentation, I will be explaining the vision we have for building the Automated Security Platform and demo the current phase and development.
IT and Security professionals will have the chance to witness the first Open Source Automated Security Platform, try it out after the demo on invite based access and contribute to the future of this Platform.

Speakers
Ovidiu Cical

Security Architect, https://cyscale.com
OWASP Cluj (Transylvania) Chapter (Leader since 2018). Cybersecurity enthusiast with 15 years experience in the field of information technology, working with Go, Big Data, Python and Linux. I worked as Software Developer at Sophos/Astaro, Software Security Engineer at CoSoSys where...


Thursday May 30, 2019 12:25pm - 12:55pm
Hall A

12:25pm

Defending Cloud Infrastructures with Cloud Security Suite
Nowadays, cloud infrastructure is pretty much the de facto service used by large and small companies. Most of the major organizations have entirely moved to the cloud. With more and more companies moving to the cloud, the security of the cloud becomes a major concern. While AWS, GCP and Azure provide you protection with traditional security methodologies and have a neat structure for authorization/configuration, their security is only as robust as the person in charge of creating/assigning these configurations/policies. Also, the massive scale at which cloud services are adopted in enterprises, combined with the inevitability of human error, often leads to catastrophic business damage.
While managing massive infrastructures, system audit of server instances is a challenging task. CS Suite is a one-stop tool for auditing the security posture of AWS/GCP/Azure infrastructures, along with a server audit feature. CS-Suite leverages the capabilities of current open source tools and bundles a plethora of custom checks into one tool to rule them all.

Speakers
Jayesh Chauhan

Lead Security Engineer, Sprinklr
Jayesh Singh Chauhan is a security professional with 7+ years of experience in the security space. In the past, he has been part of the security teams of PayPal and PwC, and currently works as the Lead Security Engineer at Sprinklr. He has authored Cloud Security Suite, OWASP Skanda, RFID_Cloner...


Thursday May 30, 2019 12:25pm - 12:55pm
Hall C

12:25pm

Looking Towards the Future of Open Source Vulnerability Management
Open source usage has become a mainstream practice: it’s impossible to keep up with today’s pace of software production without it. The rise in open source usage has led to a dramatic rise in open source vulnerabilities, demanding that development teams address the rapidly evolving issue of open source security. The State of Open Source Vulnerability Management Report drills down into the deeper layers of open source management. Surveying over 650 developers and collecting data from the NVD, security advisories, peer-reviewed vulnerability databases, and popular open source issue trackers, this report brings to light the realities of current open source security management. Its mission is to determine where we are as an industry and create best practices for managing open source vulnerabilities and compliance issues.


Speakers
Shiri Ivtsan

WhiteSource, Product Manager
Experienced Cloud Solutions Architect and Product Manager, focusing on open-source security and compliance tools for developers and DevOps. Holds a BS in Industrial Engineering and Management. Prior to joining her current company, worked for various companies where she held roles in...


Thursday May 30, 2019 12:25pm - 12:55pm
Hall B

12:55pm

Lunch Break
Thursday May 30, 2019 12:55pm - 2:00pm
Hall D & E

2:00pm

Breaking out of the container without Zero Day – Can that happen to me?
Organizations are in the process of changing, becoming more agile and adopting DevOps as a way of thinking. Many of them use Docker and containers in order to implement those concepts in an effective, accurate and secure way. The change from the traditional relationships between “System”, “Dev” and “Security” to a new relationship in which Dev actually does the whole process, including “System” and “Security”, dramatically affects not only the internal IT infrastructure but also the balance between attackers and defenders. That change exposes the organization to a whole new set of security and cyber risks that seemed to have been solved years ago and have been revived by the new structure of the IT department.

Speakers
Asher Genachowski

Security Senior Principal, Cyber Readiness & Audit Lead, Accenture
The speaker is a senior manager at a global management consulting and professional services firm that provides strategy, consulting, digital, technology and operations services, leading the Cyber Readiness and Purple Team services for that firm. The speaker has over 30 years of...

Chen Cohen

Linux Cyber Security consultant, Accenture
Chen Cohen is a Linux Cyber Security consultant in Accenture's cyber security readiness team. As part of his job, Chen works with major global companies in order to create and improve secure Linux and Unix environments, including virtualization, cloud and more. Chen is specialized...


Thursday May 30, 2019 2:00pm - 2:30pm
Hall C

2:00pm

Black Clouds and Silver Linings in Node.js Security
With a great ecosystem, comes great responsibility, and application security is not one to wave off. Let’s review some black clouds of security horror stories in the Node.js ecosystem, and learn how to mitigate them to build secure JavaScript and Node.js applications.

Speakers
Liran Tal

Developer Advocate, Snyk
Liran Tal is a Developer Advocate at Snyk and a member of the Node.js Security working group. He is a JSHeroes ambassador, passionate about building communities and the open source movement and greatly enjoys pizza, wine, web technologies, and CLIs. Liran is also the author of Essential...


Thursday May 30, 2019 2:00pm - 2:30pm
Hall A

2:00pm

Once Upon a Time in the West - A story on DNS Attacks
Just like in Old West movies, we are going through a land riddled with well-known gunmen: OceanLotus, DNSpionage and OilRig among others, who roam at ease while the security cowboys sleep. This presentation will uncover the toolset and techniques used by these gunmen, taking a closer look at their big guns and their behavioral patterns. We will explore the attacks involving DNS that took place during the last decade and examine the latest discovered techniques, in order to improve detections and dodge the bullets they are firing in our direction.

Speakers
Ruth Esmeralda Barbacil

Senior Analyst, Deloitte
Ruth is an information systems engineering student from the Universidad Tecnológica Nacional (UTN). She works at Deloitte's Argentina Cyber Threat Intelligence area. She has gained experience related to Tactics, Techniques and Procedures (TTPs) investigation, Advanced Persistent...

Valentina Palacín

Threat Intelligence Analyst, Deloitte
Valentina is one of Deloitte's Threat Intelligence Analysts, and she has specialized in tracking APTs worldwide using the ATT&CK Framework to analyze their tools, tactics and techniques. She is a self-taught developer with a degree in Translation and Interpretation from Universidad de Málaga...


Thursday May 30, 2019 2:00pm - 2:30pm
Hall B

2:35pm

“Alexa and Cortana in Windowsland”: Hacking an Innovative Partnership and Other Adventures
This is a presentation about the essence of Cyber Security – what happens when you take new and innovative concepts, spice them up with business partnerships and plug them into existing security mechanisms.

In our talk, we will demonstrate a variety of new “Evil Maid” attacks on locked Windows machines. We will show vulnerabilities that stem from the high-profile business partnership between Cortana and Alexa – the voice assistants of Microsoft and Amazon, as well as code execution vulnerabilities in Cortana’s internal integrations.

We will take our audience on an amusing journey of our discovery process and the fascinating battle of Microsoft to patch these vulnerabilities with minimum effort and public exposure. This journey demonstrates the difficulty of tying up together new usage concepts with older security assumptions, the catastrophic outcome of breaking these assumptions, and the importance of implementing the learned lessons in future integrations between AI technologies and IoT devices.

Speakers
Amichai Shulman

Cyber Security Researcher, Entrepreneur and Investor
A cyber security researcher, entrepreneur and investor. Carries 25 years of cyber security experience in military, government and commercial environments. Co-founded a notable security company in 2002 and served as CTO for the company for over 15 years, driving innovation and thought...

Yuval Ron

Technion - Israel Institute of Technology
The speaker is a Master’s student in the Computer Science Department (Psagot program) at the Technion - Israel Institute of Technology. Yuval was one of the youngest speakers at Black Hat USA 2018, and was acknowledged several times on the MSRC public researchers website. His main...


Thursday May 30, 2019 2:35pm - 3:05pm
Hall C

2:35pm

OWASP Serverless Top 10
In moving to serverless, we shift some security responsibilities to the infrastructure provider by eliminating the need to manage servers. Unfortunately, that doesn’t mean we’re entirely absolved of all security duties. Serverless functions still execute code and can still be vulnerable to application-level attacks. As a new type of architecture, serverless presents new security challenges. Some are equal to traditional application development, but some take a new form. Attackers are thinking differently, and developers must do so as well to gain the upper hand. 

In this talk, I will dive into the Top 10 risks of the OWASP Serverless Top 10 project. I will discuss why these risks are different from traditional attacks and how we should protect our application against them. I will also introduce OWASP DVSA, a deliberately vulnerable tool, aiming to assist both security professionals and developers to better understand the implications and processes of serverless security.

Speakers
Tal Melamed

Head of Security Research, Protego Labs
In the past year, Tal Melamed has been experimenting in offensive and defensive security for serverless technology, as part of his role as Head of Security Research at Protego Labs. Specializing in AppSec, he has more than 15 years of experience in security research and vulnerability...


Thursday May 30, 2019 2:35pm - 3:05pm
Hall A

2:35pm

What do you mean threat model EVERY story?
We are all going continuous these days. Continuous delivery, integration - but what about Threat Modeling? How do we bring this (traditionally) heavy activity into the new "speed" of development, integrate and educate developers and reflect the correct state of a rapidly evolving system? This talk will share the experiences of the speaker developing a methodology and collaborating with real life product teams operating in a continuous environment.

Speakers
Izar Tarandach

Lead Product Security Architect, Autodesk
Long-time security practitioner, currently Lead Product Security Architect at Autodesk, previously at DellEMC. Member of the SAFECode Technical Leadership Council and founding member of the IEEE Center for Secure Design, holds a master's degree in Computer Science/Security from Boston...


Thursday May 30, 2019 2:35pm - 3:05pm
Hall B

3:10pm

Damned Vulnerable Serverless Application
Speakers
Tal Melamed

Head of Security Research, Protego Labs
In the past year, Tal Melamed has been experimenting in offensive and defensive security for serverless technology, as part of his role as Head of Security Research at Protego Labs. Specializing in AppSec, he has more than 15 years of experience in security research and vulnerability...


Thursday May 30, 2019 3:10pm - 3:40pm
Hall G

3:10pm

Crypto Failures - And not just in bitcoin...
Crypto used to mean cryptography - and the business of older mathematicians with a serious demeanor. Nowadays, everyone wants some crypto, be it coins, ICOs or similar offering. What people forget though is that crypto is hard - and putting real money in crypto is very risky if you don't actually have cryptographers in your team! In this talk, we will review some common crypto failures and how they led to some of the biggest issues we've seen in recent years.

Speakers
Guy Barnhart-Magen

OS Hardening, Security Architecture and Embedded Devices, Cyber Security Consultant
BSidesTLV co-founder and CTF lead, public speaker, and recipient of the Cisco “black belt” security ninja honor, Cisco’s highest cyber security advocate rank. With nearly 20 years of experience in the cyber-security industry, Guy held various positions in both corporates and...


Thursday May 30, 2019 3:10pm - 3:40pm
Hall A

3:10pm

Are we making our engineers blue?
Our engineers are going from software engineers to software + infrastructure + network + database engineers, and they’re delivering faster. In an environment of continuous deployment how can we ensure that as security teams we’re scaling as fast as our applications are?

In this talk we’re going to be covering how we turn our engineers blue. Not sad; not by telling them to fix every possible threat vector before building any new features and not by saying no. We’re going to start turning them into our extended blue team, giving them tools, techniques and processes to better secure our estate.

We’re going to be covering a few different TTPs for our engineers, using real threat models as examples:
How to use incidents to evolve our threat models
  • Using incidents to better evolve our understanding of the threat landscape
  • Determining other attack vectors that could contribute to the same outcome as the incident (with threat example)
  • How to create incremental threat models / rapid threat models
  • Why and how we should write and use security tests to validate our models
  • How to use BDD tests (and contribute to the Cloud Security OWASP project)
  • Why we should write tests for threat vectors we have proven mitigations for (with threat example)
  • How to use tests to educate product owners / project managers on threat vectors
The power of POC’ing attack vectors from our models to evolve them further
  • Example: CloudFront subdomain hijacking
  • Using POCs to discover new threat vectors and provide security awareness training for engineers
How we build, evolve, share and ultimately transfer ownership of these models to our engineering teams - teaching them to be our blue team
  • How to create security champions (building programs, what programs should include)
  • How to integrate rapid threat modeling into the SDLC

Speakers
Tash Norris

AppSec Lead, Photobox Group
Senior Cloud Security Engineer at Photobox Group. Currently building tools and processes to automate all the things / make the Cloud more secure.


Thursday May 30, 2019 3:10pm - 3:40pm
Hall C

3:10pm

Magecart - a growing threat to e-commerce sites
In the last two years, we’ve observed a growing threat for e-commerce sites: Magecart. By using a cocktail of 0-days and known deserialization bugs in the Magento platform and Magento extensions, it managed to impact major web sites such as British Airways, TicketMaster and NewEgg, as well as many thousands of online shops. Attackers compromised third-party servers that hosted JavaScript code that major websites “re-used”, leading the malicious code to run on client computers and skim data directly back to the bad guys. This talk will describe the techniques used by these cybercriminals, discuss the nature of the vulnerabilities that allowed these attacks and present possible defense and detection measures.

Speakers
Simon Kenin

Security Researcher, Trustwave SpiderLabs
Simon Kenin is a security researcher in Trustwave SpiderLabs. He’s responsible for vulnerability analysis, malware analysis and developing detection logic for web-based attacks for both server and client sides, as well as keeping track of the exploit kit market and the world of...

Ziv Mador

VP, Security Research, Trustwave SpiderLabs
Ziv manages the global security research team at Trustwave, covering research areas such as vulnerability assessment and scanning, analysis of attacks against Web servers and Web clients, malware reverse engineering, IDS/IPS research, SIEM correlation and reporting, spam and phishing...


Thursday May 30, 2019 3:10pm - 3:40pm
Hall B

3:40pm

Coffee Break
Thursday May 30, 2019 3:40pm - 4:15pm
Hall D & E

4:15pm

Protecting a High Profile Enterprise
In this talk, I will share my 20+ years’ experience in protecting large and small, multinational and high profile enterprises. I will present strategies and disciplines, how the CISO and the executive teams choose the right one for the organization, and how application security, in its various roles, fits in.

Speakers
Yoram Golandsky

VP Technologies and InfoSec, NSO Group
Yoram is the VP Technologies and InfoSec at NSO Group; prior to that Yoram was the founder and CEO of CSA, which provided strategic advisory on Cyber Security, Crisis Management and Blockchain to Boards of Directors and executive teams. He is a sought-after speaker and has presented...


Thursday May 30, 2019 4:15pm - 4:45pm
Halls A & B

4:45pm

Closing Remarks
CFT winner announcement

Thursday May 30, 2019 4:45pm - 5:00pm
Halls A & B
 
Friday, May 31
 

8:30am

Optional Tour: Masada and the Dead Sea (Not included in Conference)
For ALL questions concerning accommodations and tours, please feel free to contact:
Target Conferences Ltd.
Phone: +972 3 5175150
Email address: owasp.reg@target-conferences.com

**Not included in conference, additional purchase is required**



Friday May 31, 2019 8:30am - 6:30pm
 
Saturday, June 1
 

9:00am

Optional Tour: Jerusalem, the Old and the New (Not included in Conference)
For ALL questions concerning accommodations and tours, please feel free to contact:
Target Conferences Ltd.
Phone: +972 3 5175150
Email address: owasp.reg@target-conferences.com

**Not included in conference, additional purchase is required**



Saturday June 1, 2019 9:00am - 5:00pm
 
Sunday, June 2
 

8:00am

Optional Tour: Nazareth, Tiberias, & Sea of Galilee (Not included in Conference)
For ALL questions concerning accommodations and tours, please feel free to contact:
Target Conferences Ltd.
Phone: +972 3 5175150
Email address: owasp.reg@target-conferences.com

**Not included in conference, additional purchase is required**



Sunday June 2, 2019 8:00am - 6:00pm

8:00am

Optional Tour: Petra, Jordan (Not included in Conference)
For ALL questions concerning accommodations and tours, please feel free to contact:
Target Conferences Ltd.
Phone: +972 3 5175150
Email address: owasp.reg@target-conferences.com

**Not included in conference, additional purchase is required**



Sunday June 2, 2019 8:00am - 6:00pm