The date for the release of slides and videos has not been determined. Please visit the event site for further information. Thanks.
Hall B
Wednesday, May 29
 

10:45am IDT

NOSQL web application vulnerabilities and mitigation
NOSQL data storage systems have become very popular due to their scalability and ease of use.
I will examine injection methods, CSRF vulnerabilities, and mitigation solutions.
Moreover, in NOSQL systems authentication, encryption, and role management are optional.
As a result, they are vulnerable to DoS and DDoS, and the impact of injection is greater.

Speakers

Amir Luckach

Endpoint security team leader, CyberArk
Experienced technical manager with more than 19 years of hands-on experience. During this time I've filled roles in development, team leading, project management, system engineering/architecture, research, and managing development and QA teams in several countries (TLV, India, China...


Wednesday May 29, 2019 10:45am - 11:15am IDT
Hall B

11:20am IDT

Injecting Security Controls in Software Applications
Cyber attacks are a real and growing threat to businesses, and an increasing number of attacks take place at the application layer. The best defense is to develop applications where security is incorporated as part of the software development life cycle.
How can developers write more secure applications? What security techniques can they use while writing the software that will help them produce more secure applications?

These are hard questions, as evidenced by the numerous insecure applications we still have today. Starting from real-world examples, we will discuss the security controls that developers are familiar with, offer actionable advice on when to use them in the software development life cycle, and show how to verify them.

Recommended for all builders and security professionals interested in incorporating security controls into the software development life cycle and building more secure applications.


Speakers

Katy Anton

Principal Application Security Consultant, Veracode
Katy Anton is a security professional with a background in software development. An international public speaker, she enjoys speaking about software security and how to secure software applications. In her previous roles, she led software development teams and implemented security...


Wednesday May 29, 2019 11:20am - 11:50am IDT
Hall B

11:55am IDT

Security Culture: Here be Hackers
RFC 1983 defines the term hacker as "a person who delights in having an intimate understanding of the internal workings of a system, computers and computer networks in particular". Let's say we want our developers and other IT staff to be security hackers, so that they can look at their duties from a security perspective: develop more secure applications, seek security flaws in them, and be part of the security culture in general. We will talk about building bridges from the security team to other IT staff (mostly developers): knowledge spreading and communication. How do we avoid writing yet another developer's guide from scratch? How do we make all developers aware of the presence (yes, the presence) of the security team from their first days at work? How do we get them interested in application security? How do we grow this knowledge? Let's address these questions!

Speakers

Taras Ivashchenko

Head of Product Security Team, OZON
Head of the Russian OWASP branch. Head of the product security team at OZON. Also known as the developer of a browser extension called CSP Tester and a contributor to other security-related projects.


Wednesday May 29, 2019 11:55am - 12:25pm IDT
Hall B

1:30pm IDT

Rhyming with Hacks - the Ballad of Supply Chain Attacks
2018 was big on Supply Chain Attacks (SCA), with big e-commerce companies such as British Airways or Ticketmaster being targeted. The cyber criminal groups behind some of these attacks are referred to as Magecart.

During this talk, we'll present SCAs, how they work and how they scale. We'll go through the anatomy of these attacks and see if and how they can be prevented or mitigated. We'll discuss the effectiveness of existing solutions like Content Security Policy or Subresource Integrity.

We'll take a deeper look into one real-life SCA, by going through the attacking code and understanding what it does.

We'll then present a new approach that we've been working on that is based on DOM real-time monitoring. We'll do a live demo of our solution defending against the real-life SCA presented before. Its merit in detecting and mitigating this and other SCA attacks will be discussed.

Speakers

Pedro Fortuna

CTO and Founder, Jscrambler
Once on a trajectory to a full academic career, where he taught security and computer science courses for about 5 years, he ended up falling in love with the fast-paced world of entrepreneurship. He started Jscrambler, where he leads all security research and drives the company product...


Wednesday May 29, 2019 1:30pm - 2:00pm IDT
Hall B

2:05pm IDT

OWASP Top 10 for JavaScript Developers
With the release of the OWASP Top 10 2017 we saw new issues rise as contenders for the most common issues in the web landscape. Much of the OWASP documentation presents issues and remediation advice/code relating to Java, C++, and C#, but not much relating to JavaScript. JavaScript has changed drastically over the last few years with the release of Angular, React, and Vue, alongside the popular use of NodeJS and its libraries/frameworks. This talk will introduce you to the OWASP Top 10, explaining JavaScript client- and server-side vulnerabilities.

Speakers

Lewis Ardern

Lead Security Engineer, Salesforce
Lewis Ardern is a Lead Security Engineer at Salesforce. His primary areas of expertise are in web security and security engineering. Lewis is an organizer of the OWASP Bay Area chapter and hosts a podcast called SecuriTEA & Crumpets which invites security professionals from different...


Wednesday May 29, 2019 2:05pm - 2:35pm IDT
Hall B

2:40pm IDT

Dissecting Mobile Application Privacy and Analytics
Have you ever wondered how much data your favorite business application is capturing during your mobile app visits? Are you a developer or security engineer tasked with keeping your client data secure? Are you curious about what kind of data that mobile game you love can gather, even if you don't give it special permissions? The apps we trust with our data hopefully use caution and comply with regulations, but what about the safeguards and authentication around these analytics portals? This session will home in on precisely those questions. We will tear apart some favorite apps and their analytics products/tracking engines to expose exactly what content commonly used mobile applications are reporting, and how frequently. Attendees will walk away with insider knowledge to make informed decisions regarding the scope of this exposure, in an effort to guard our personal and client data.

Speakers

Kevin Cody

Principal Application Security Consultant, nVisium
Kevin Cody is a Principal Application Security Consultant with experience working at several Fortune 500 enterprises. Although his particular expertise is geared toward hacking Web and Mobile applications, he is also experienced in the entire gamut from mainframes to embedded systems...


Wednesday May 29, 2019 2:40pm - 3:10pm IDT
Hall B
 
Thursday, May 30
 

10:30am IDT

How Online Dating Made Me Better At Threat Modeling
Isaiah has used online dating sites such as Tinder and OkCupid. At times this seems antithetical to his stance on privacy and security. To better understand the security ramifications of online dating, and to establish safer methods of doing it, he applied threat modeling to online dating. Through this he came up with a set of best practices depending on your threat model. This talk is relevant for anyone who is trying to balance privacy/security and a desire for human connection in this modern world. Due to the real and perceived dangers of online dating, the stigma that surrounds it, and the pervasiveness of it, it is a great lens through which folks can be introduced to the core principles of threat modeling. It also makes it fun to talk about!

Speakers

Isaiah Sarju

Co-Owner, Revis Solutions
Isaiah Sarju is a Red Teamer. He has contributed to the Microsoft Security Intelligence Report, conducted numerous penetration/red team engagements, and taught students how to become top tier defenders. He plays tabletop games, swims, and trains Brazilian Jiu-Jitsu. @isaiahsarju


Thursday May 30, 2019 10:30am - 11:00am IDT
Hall B

11:05am IDT

Software Security War: your reports are dead!
The talk will introduce the new OWASP Software Security 5D Framework, showing the assessment data of various international companies.
It traces the evolution of software security verification activities: from firm reports on desks to the integration of security bugs into the life cycle.


Speakers

Matteo Meucci

CEO, IMQ Minded Security
More than 18 years specializing in application security; he has collaborated with the OWASP project since 2002: he founded the OWASP-Italy chapter in 2005 and has led the OWASP Testing Guide since 2006 and the OWASP Software Security 5D Framework since 2018. He is invited as a speaker at...


Thursday May 30, 2019 11:05am - 11:35am IDT
Hall B

11:50am IDT

Docker Security Insights
As innovation in technology increases, security becomes trickier. In order to embrace the latest technologies like Docker and Kubernetes, product IT organizations must treat security as a top priority. Container vulnerabilities like "Dirty Cow", "Escape Vulnerability" and the recent "Jack-In-The-Box" vulnerability triggered when unpacking images have shaken the world. During my talk, I would like to present core issues with Docker-related components like the daemon, images and containers, with practical demos and possible countermeasures; Docker secrets management; Docker Content Trust signature verification; Docker Notary services; best practices to be followed in a production environment; and how to deal with open source libraries used in building images.

Speakers

Sujatha Yakasiri

Senior Computer Scientist, EdgeVerve Systems Limited
Working as a Senior Computer Scientist at EdgeVerve Systems Limited (an Infosys company). She is a passionate security researcher, speaker and author with in-depth expertise in pen testing web applications and mobile applications, performing source code reviews and performing threat...


Thursday May 30, 2019 11:50am - 12:20pm IDT
Hall B

12:25pm IDT

Looking Towards the Future of Open Source Vulnerability Management
Open source usage has become a mainstream practice: it's impossible to keep up with today's pace of software production without it. The rise in open source usage has led to a dramatic rise in open source vulnerabilities, demanding that development teams address the rapidly evolving issue of open source security. The State of Open Source Vulnerability Management Report drills down into the deeper layers of open source management. Surveying over 650 developers and collecting data from the NVD, security advisories, peer-reviewed vulnerability databases, and popular open source issue trackers, this report brings to light the realities of current open source security management. Its mission is to determine where we are as an industry and create best practices for managing open source vulnerabilities and compliance issues.


Speakers

Shiri Ivtsan

Product Manager, WhiteSource
Experienced Cloud Solutions Architect and Product Manager, focusing on open-source security and compliance tools for developers and DevOps. She holds a BS in Industrial Engineering and Management. Prior to joining her current company, she worked for various companies where she held roles in...


Thursday May 30, 2019 12:25pm - 12:55pm IDT
Hall B

2:00pm IDT

Once Upon a Time in the West - A story on DNS Attacks
Just like in Old West movies, we are going through a land riddled with well-known gunmen: OceanLotus, DNSpionage and OilRig among others, who roam at ease while the security cowboys sleep. This presentation will uncover the toolset and techniques used by these gunmen, taking a closer look at their big guns and their behavioral patterns. We will explore the attacks involving DNS that took place during the last decade and examine the latest discovered techniques, in order to improve detections and dodge the bullets they are firing in our direction.

Speakers

Ruth Esmeralda Barbacil

Threat Intelligence Manager, Deloitte
Ruth Barbacil is an Information Systems Engineer (UTN FRBA) and is a Specialist in the Threat Intelligence & Analytics team at Deloitte Argentina. She has carried out research and analysis of Malware, Tactics, Techniques and Procedures (TTPs) and advanced persistent threat activity...

Valentina Palacin

Threat Intelligence Analyst, Deloitte
Valentina is one of Deloitte's Threat Intelligence Analysts, and she has specialized in tracking APTs worldwide using the ATT&CK framework to analyze their tools, tactics and techniques. She is a self-taught developer with a degree in Translation and Interpretation from Universidad de...


Thursday May 30, 2019 2:00pm - 2:30pm IDT
Hall B

2:35pm IDT

What do you mean threat model EVERY story?
We are all going continuous these days. Continuous delivery, integration - but what about Threat Modeling? How do we bring this (traditionally) heavy activity into the new "speed" of development, integrate and educate developers and reflect the correct state of a rapidly evolving system? This talk will share the experiences of the speaker developing a methodology and collaborating with real life product teams operating in a continuous environment.

Speakers

Izar Tarandach

Sr. Staff Engineer
Long-time security practitioner, currently a Sr. Staff Engineer, previously Principal Security Engineer at Squarespace, where he also acted as (Interim) Head Of Security. With experience ranging from Bridgewater Associates to DellEMC via RSA, Autodesk, startup founder, investor and...


Thursday May 30, 2019 2:35pm - 3:05pm IDT
Hall B

3:10pm IDT

Magecart - a growing threat to e-commerce sites
In the last two years, we've observed a growing threat to e-commerce sites: Magecart. By using a cocktail of 0-days and known deserialization bugs in the Magento platform and Magento extensions, it managed to impact major web sites such as British Airways, TicketMaster and NewEgg, as well as many thousands of online shops. Attackers compromised third-party servers that hosted JavaScript code that major websites "re-used", leading the malicious code to run on client computers and skim data directly back to the bad guys. This talk will describe the techniques used by these cybercriminals, discuss the nature of the vulnerabilities that allowed these attacks, and present possible defense and detection measures.

Speakers

Simon Kenin

Security Researcher, Trustwave SpiderLabs
Simon Kenin is a security researcher at Trustwave SpiderLabs. He's responsible for vulnerability analysis, malware analysis and developing detection logic for web-based attacks on both the server and client sides, as well as keeping track of the exploit kit market and the world of...

Ziv Mador

VP, Security Research, Trustwave SpiderLabs
Ziv manages the global security research team at Trustwave, covering research areas such as vulnerability assessment and scanning, analysis of attacks against Web servers and Web clients, malware reverse engineering, IDS/IPS research, SIEM correlation and reporting, spam and phishing...


Thursday May 30, 2019 3:10pm - 3:40pm IDT
Hall B