Loading…
AppSec Israel 2018 has ended
Simple
Expanded
Grid
By Venue
Bar-Shira Auditorium [clear filter]
Wednesday, September 5
 

09:30 IDT

Welcome and Introduction
A few words of introduction welcoming everyone to the training day, thanking the sponsors, explaining the plan for the day and providing some important notices ,
Organizers
avatar for Or Katz

Or Katz

OWASP Israel / Akamai

Wednesday September 5, 2018 09:30 - 09:45 IDT
Bar-Shira Auditorium
  Training

09:45 IDT

Introduction To Application Level Attacks
This session is an introduction to application security threats, demonstrating the security problems that exist in corporate or internet based applications with a strong emphasis on application security and secure design. The seminar covers the major security vulnerabilities that might affect modern web application systems.
 
The main objective of this session is raising the awareness on the problems that might occur when secure coding practices are not used. The student will learn about the threat landscape and major attacks he or she must mitigate when as part of the development life cycle.
Speakers
avatar for Erez Metula

Introduction To Application Level Attacks pdf
Wednesday September 5, 2018 09:45 - 12:15 IDT
Bar-Shira Auditorium
  Training

13:15 IDT

The OWASP Top Ten for Developers (Part 1)
The major cause of web-service and web application insecurity is insecure software development practices. This highly intensive and interactive 4-hour seminar (split over two sessions) will provide essential application security training for web application and web-service developers and architects.

The class is a combination of lecture, security testing demonstration and code review. Students will learn the most common threats against applications. More importantly, students will learn how to code secure web solutions via defense-based code samples.

Our focus will be web application security basics:
  • OWASP Top Ten 2017
  • OWASP Top Ten Proactive Controls v3
  • OWASP ASVS 3.1+
Speakers
avatar for Jim Manico

Jim Manico

Founder, Manicode Security
Jim Manico is the Founder of Manicode Security, a company dedicated to providing expert training in secure coding and security engineering to software developers. His work at Manicode Security reflects his deep commitment to elevating software security standards in the industry. In... Read More →

Wednesday September 5, 2018 13:15 - 15:15 IDT
Bar-Shira Auditorium
  Training

15:30 IDT

The OWASP Top Ten for Developers (Part 2)
The major cause of web-service and web application insecurity is insecure software development practices. This highly intensive and interactive 4-hour seminar (split over two sessions) will provide essential application security training for web application and web-service developers and architects.

The class is a combination of lecture, security testing demonstration and code review. Students will learn the most common threats against applications. More importantly, students will learn how to code secure web solutions via defense-based code samples.

Our focus will be web application security basics:
  • OWASP Top Ten 2017
  • OWASP Top Ten Proactive Controls v3
  • OWASP ASVS 3.1+
Speakers
avatar for Jim Manico

Jim Manico

Founder, Manicode Security
Jim Manico is the Founder of Manicode Security, a company dedicated to providing expert training in secure coding and security engineering to software developers. His work at Manicode Security reflects his deep commitment to elevating software security standards in the industry. In... Read More →

Wednesday September 5, 2018 15:30 - 17:00 IDT
Bar-Shira Auditorium
  Training

17:00 IDT

Closing Words
Wednesday September 5, 2018 17:00 - 17:15 IDT
Bar-Shira Auditorium
  Training
 
Thursday, September 6
 

09:30 IDT

Opening
Or Katz
Ofer Maor
Organizers
avatar for Or Katz

Or Katz

OWASP Israel / Akamai

Thursday September 6, 2018 09:30 - 10:00 IDT
Bar-Shira Auditorium
  Plenary

10:00 IDT

Opening Keynote - The Last XSS Defense Talk
The Last XSS Defense Talk

Why are we still talking about Cross Site Scripting in 2018? Because it's painfully difficult to defend against XSS even to this day. This talk is a fundamental update to the 2011 AppSec USA talk "The Past Present and Future of XSS Defense". We'll address new defensive strategies such as modern JavaScript framework defense in Angular, React and other frameworks. We'll also look at how CSP deployment has changed in the past 7 years illustrating the progressive use of content security which supports CSP v1, v2 and v3 concurrently. We will then look at advances in HTML sanitization on both the client and server and focus on sanitizers and defensive libraries that have stood the test of time in terms of maintenance and security. We'll also look at interesting design topics such as how HTML injection is still critical even in the face of rigorous XSS defense and how HTTPOnly cookies are largely ineffective. This talk should help developers and security professionals alike build a focused and modern strategy to defend against XSS in modern applications.
Speakers
avatar for Jim Manico

Jim Manico

Founder, Manicode Security
Jim Manico is the Founder of Manicode Security, a company dedicated to providing expert training in secure coding and security engineering to software developers. His work at Manicode Security reflects his deep commitment to elevating software security standards in the industry. In... Read More →

Thursday September 6, 2018 10:00 - 10:40 IDT
Bar-Shira Auditorium
  Plenary

10:45 IDT

The Adventures of AV/IR and the Leaky Sandbox
By Amit Klein and Dor Azouri

Suppose you have malware running on one of your endpoints. But you have a highly secure enterprise, with cloud AV, IR team, and locked down network (endpoints can’t access the external network). Can the malware still exfiltrate sensitive data out of your network? You bet! And we’ll show you how!
Speakers
avatar for Dor Azouri

Dor Azouri

Researcher, SafeBreach
Dor Azouri is a security professional, having 7+ years of unique experience in the sec field. Currently doing research @SafeBreach, previously serving in various sec positions @IDF.His experience involved security from many angles: starting with data analysis, to network research... Read More →
avatar for Amit Klein

Amit Klein

VP Security Research, Safebreach
Amit Klein is a world renowned information security expert, with 25 years in information security and over 30 published technical papers on this topic. Amit is VP Security Research at SafeBreach, responsible for researching various infiltration, exfiltration and lateral movement attacks... Read More →

Thursday September 6, 2018 10:45 - 11:30 IDT
Bar-Shira Auditorium
  Track 1

11:45 IDT

JARVIS never saw it coming: Hacking machine learning (ML) in speech, text and face recognition - and frankly, everywhere else
By Guy Barnhart-Magen and Ezra Caltum

Exploits, Backdoors, and Hacks: words we do not commonly hear when speaking of Machine Learning (ML). In this talk, I will present the relatively new field of hacking and manipulate machine learning systems and the potential these techniques pose for active offensive research.  
Speakers
avatar for Guy Barnhart-Magen

Guy Barnhart-Magen

OS Hardening, Security Architecture and Embedded Devices, Cyber Security Consultant
BSidesTLV co-founder and CTF lead, Public speaker, and recipient of the Cisco “black belt” security ninja honor – Cisco’s highest cyber security advocate rank.With nearly 20 years of experience in the cyber-security industry, Guy held various positions in both corporates and... Read More →
avatar for Ezra Caltum

Ezra Caltum

Security Research Manager, Intel
Ezra is a cyber-security practitioner, with a passion for reverse engineering, data analysis, and exploitation. He is the leader of the Tel Aviv DC9723 Defcon group and a co-founder and organizer of BSidesTlv.He is a frequent speaker at local and international events, like BHUSA... Read More →

Thursday September 6, 2018 11:45 - 12:30 IDT
Bar-Shira Auditorium
  Track 1

12:30 IDT

Stackoverflow, the vulnerability marketplace
By Danny Grander

Whether we like to admit it or not, we’ve all borrowed code from stackoverflow at one time in our lives. Many do it more often than they care to admit. If a vulnerability exists in a stackoverflow code snippet, it’s easy for it to go viral in even the most widely used frameworks and libraries. 
Speakers
avatar for Danny Grander

Danny Grander

Security, Snyk
Danny Grander is a veteran security researcher and the cofounder of Snyk.io, where he works on open source security and leads Snyk’s security research. Previously, Danny was the CTO of Gita Technologies and a lead researcher and developer for a few startups. Danny is a frequent... Read More →

Thursday September 6, 2018 12:30 - 13:00 IDT
Bar-Shira Auditorium
  Track 1

14:00 IDT

Security is everybody's job... Literally.
By Tanya Janca

This talk will explain what developers needs to adjust in order to turn DevOps into DevSecOps within their organizations. Several strategies are presented for weaving security into each of the “Three Ways”, with clear steps audience members can start implementing immediately. 
Speakers
TJ

Thursday September 6, 2018 14:00 - 14:45 IDT
Bar-Shira Auditorium
  Track 1

14:45 IDT

Path Of LeAst Resistance - Accelerating the search for vulnerable functions
By Ezra Caltum

By finding function relationships between dynamically compiled binaries and its libraries, and representing them in a Graph Database, we can quickly identify exploitation points. In this presentation, I’ll discuss Graphs, Binary Relationships and Vulnerable Functions.
Speakers
avatar for Ezra Caltum

Ezra Caltum

Security Research Manager, Intel
Ezra is a cyber-security practitioner, with a passion for reverse engineering, data analysis, and exploitation. He is the leader of the Tel Aviv DC9723 Defcon group and a co-founder and organizer of BSidesTlv.He is a frequent speaker at local and international events, like BHUSA... Read More →

Thursday September 6, 2018 14:45 - 15:30 IDT
Bar-Shira Auditorium
  Track 1

15:45 IDT

Exploiting Smart Contracts For Fun And Profit
By Erez Metula

During this talk, we'll discuss common security vulnerabilities that can occur in smart contracts and see how code that caused losses of millions of dollars looks like. We'll cover the tools and techniques to explore , analyze, identify and exploit vulnerabilities in smart contracts.

We'll talk about real world exploits, and look at the vulnerable code that caused them. We'll talk about a new class of code vulnerabilities related to smart contracts, such as re-entrancy, time manipulations, overflows, authorization bypass, exposing secrets, etc.  

Speakers
avatar for Erez Metula

Exploiting Smart Contracts for fun and profit Erez Metula AppSec Labs OWASP IL 2018 pdf
Thursday September 6, 2018 15:45 - 16:30 IDT
Bar-Shira Auditorium
  Track 1

16:30 IDT

Closing Keynote - A breach on your watch, do you really want to be that person?
A breach on your watch, do you really want to be that person?
Do you want to be that developer, that caused that vulnerability that caused that breach? Do you want to be that CIO that needs to explain to his board why it happened  on your watch?
If you don't want to be that person, then you should come and hear how it is actually possible for cybersecurity professionals and developers to partner, even collaborate, to create a secure coding culture. Security and development don't have to be adversarial anymore. Julie Baker will be sharing her lessons learned from years of experience as a security executive in large enterprises, including examples and practical tips, to turn the R&D lifecycle more secure and less of a headache.
The session will include time for Q&A, and an opportunity for you to share your personal "war story" about handling and implementing security (stories with a happy ending are welcome too!)
Speakers
avatar for Julie Baker

Julie Baker

CEO, TD Innovation Center Ltd.
Julie Baker has over 25 years of experience in all aspects of IT and Information Security in financial services as well as in academia.  Currently, Julie is the head of Cyber Innovation for TD Bank and the  CEO of the TD Innovation Center Ltd, located in Tel Aviv, which is a wholly... Read More →


Thursday September 6, 2018 16:30 - 17:15 IDT
Bar-Shira Auditorium
  Plenary

17:15 IDT

Closing
Organizers
avatar for Or Katz

Or Katz

OWASP Israel / Akamai

Thursday September 6, 2018 17:15 - 17:30 IDT
Bar-Shira Auditorium
  Plenary
 
Filter sessions
Apply filters to sessions.
Wednesday, September 5
Thursday, September 6
Bar-Shira Auditorium
Break
Room 001
Room 101
Room 205
Room 206
  • Activity
  • Break
  • Plenary
  • Track 1
  • Track 2
  • Track 3
  • Training
  • WIA