OWASP Israel April 2016

Our second meeting in 2016 for the Israel chapter of OWASP took place on April 12, at 17:00, at HP Enterprise in Yehud(Altalef 9, Yehud, Building M3).

Over 150 people attended.

As always, attendance was free but registration was required. Please join (free) and RSVP here: http://www.meetup.com/OWASP-Israel/events/229091469/

Agenda:
 17:00 – 17:30    Gathering, food, and drinks (KOSHER)

 17:30 – 17:45     Introductions and Opening Notes 

 17:45 – 18:05      A Day in The Life of a Security Architect    Ori Troyna, HPE SW  ([[Media:OWASPIL-2016-04-12_DayInLifeSecurityArchitect_OriTroyna.pdf|download presentation]])‎

Security architect’s day can be full with processes and formalities, it is a crucial part of the architects’ work and allow the risk management to be possible in an enterprise.

I would like to focus on the day to day work to present how technical it is and how to take the security to the next level when talking about releases, the discussion with developers, the research and the innovations!

In my presentation, I will refer to number of use cases from the last few months; Docker, Redis, e2e encryption, etc..

 18:05 – 18:50     Regulating Cyber Security Disciplines 

 Avi Weismann, See Security 

The cyber security field in Israel employs a variety of professionals in various cyber security disciplines. Those professionals vary significantly in their professional level and no assurance is provided regarding their professional expertise to assist organizations to appropriately handle cyber security threats and incident. That was the background for the Cyber Security professions regulation, that is designed to assure the professionalism, integrity and ethics of cyber security professionals.

In light of the complexity of the regulation matter, and since the purpose has been deem required, minimal professional requirements were established in order to appropriately deal with various threats such as: defense, public safety, national economy.

The regulating document strictly defines a significant part of cyber security disciplines, and will in the feature define minimal professional requirements in the form of: Independent certification by the NCB, and\or Internationally recognized vendor-free certifications, and\or Internationally recognized  vendor-specific certifications.

The presentation shall describe the NCB decisions thus far and the upcoming steps to assure the professional level of cyber security professionals in Israel.

 18:50 – 19:05      Coffee break 

 19:05 – 19:25   ''' When Crypto Fails – can we actually break AES? '''

 Shay Zalalichin, Palantir Security / HPE SW Security Labs  ([[Media:OWASPIL-2016-04-12_WhenCryptoFails_ShayZalalichin.pdf|download presentation]])‎

There is a common misconception that strong cryptography provides the required “silver bullet” just because its being used.

However, in reality, cryptography is far from being a trivial subject and using cryptography correctly does requires us to understand the “little bits” and the weaknesses of the algorithms that are being used.

In this short presentation I will try to touch the “tip of the iceberg” with demonstration of practical attacks that totally breaks CBC based ciphers such as DES, 3DES and AES.

 19:25 – 20:15    The bits DO matter: Extreme Penetration Testing Techniques  

 Yaniv Simsolo, Palantir Security  ([[Media:OWASPIL-2016-04-12_ExtremePenetrationTesting_YanivSimsolo.pdf|download presentation]])‎

Normally, pen-testing a system is a process defined by whatever available interfaces and GUI the application is exposing. Each type of interface or protocol requires a different approach, for which many proven tools exist. Most systems can be tested through their GUI layer up to an acceptable level.

Similarly, most internal components and interfaces can be thoroughly tested given relevant internal access. Books and best practices are published for most of the security testing areas and approaches, hence (almost) nothing new under the sun and it takes serious efforts to extend the current know-how. Sometimes a tested system or component has no GUI whatsoever. This is no obstacle for professionals, since proven techniques like Reversing, Memory Analysis, Code Review and Debug will be implemented.

However, when Reversing, Memory Analysis or Debug are not feasible or practical and Code Review is known to be limited, a different approach is required. This is the case for example when the components to be tested are internal and bounded at a level such that using said auditing techniques is not practical.

The revival of Penetration Testing: the Extreme approach. The presentation will demonstrate a hands-on practical approach for extreme pen-testing when other techniques are not feasible. We will discuss the typical problems and limitations, introduce a solution and review its advantages, effectiveness (and limitations) over other techniques.