OWASP Israel 2007 Conference at the Interdisciplinary Center Herzliya (IDC)

OWASP Israel 2007 Conference was held at the Interdisciplinary Center (IDC) Herzliya on Dec 3rd 2007. More than 200 people attended the conference and enjoyed interesting presentations, a great networking opportunity. OWASP Israel 2007 became a must be for any application security professional and drew a lot of people from the wider information security community as well.

Sponsors & Contributors
The meeting is sponsored by Breach Security, Hacktics, GamaSec, Applicure, The National Information Security Forum and the Efi Arazi school of Computer Science at the Interdisciplinary Center (IDC) Herzliya.

https://www.owasp.org/images/b/bb/OWASP_IL_Sponsor_GamaSec.jpg     https://www.owasp.org/images/c/c8/OWAS_IL_Sponsor_Applicure.JPG      https://www.owasp.org/images/8/8c/OWASP_IL_LOGO_NISF.jpg

Additional sponsorship opportunities still available, [mailto:ofer@shezaf.com contact me] for details.

I would also like to thank those individuals which without their help this event would not be possible:


 * Dr. Anat Bremler-Bar, our host at the IDC.


 * Shay Shuker, on helping with organization.


 * Bat-Sheva Shezaf, who took pictures.

Pictures
The pictures from the conference available here.

Program
The following presentation where given at OWASP Israel 2007:

[[Media:OWASP_IL_2007_CSRF_basics.ppt|Cross Site Request Forgery - Overview and Solutions]]
Ofer Shezaf, OWASP IL chapter leader, Breach Security

Cross Site Request Forgery (CSRF) made the highest entry into this year's version of the OWASP top 10, jumping straight to number 5. But as common and dangerous as it is, CSRF has remained obscured to many, and the ways to protect your application even less well understood. This turbo talk will provide an overview of CSRF and the common ways to mitigate it, leading to Amichai Shulman’s presentation which will present innovative methods for protecting from CSRF.

Ofer will also update on the OWASP 2007 conference in San Jose and other OWASP news.

([[Media:OWASP_IL_2007_CSRF_basics.ppt|PowerPoint]], video)

[[Media:OWASP-WASCAppSec2007SanJose_DefeatWeb2.0Attacks.ppt|Defeating Web 2.0 Attacks without Recoding Applications]]
Amichai Shulman, CTO, Imperva

Amichai will present a novel approach for solving client side solutions which would naturally be considered out of reach for server applications such as CSRF and JavaScript Hijacking. The method uses a gateway to inject a script that will require feedback from the client. If you have seen the presentation about content injection in the last OWASP IL meeting and felt it lacked actual working examples, Amichai provides some very strong evidence of the usefulness of this method.

This talk was presented in OWASP 2007 in San Jose.

([[Media:OWASP-WASCAppSec2007SanJose_DefeatWeb2.0Attacks.ppt|PowerPoint]], video)

Hunting Down XSS Vulnerabilities
Erez Metula, Application Security Department Manager, 2Bsecure

XSS is the most common web application vulnerability and leads the OWASP top 10. The lecture will discuss automatic and manual approaches for detecting XSS vulnerabilities. Erez will present tools used to find XSS vulnerabilities as well as innovative method to overcome obstacles when looking for vulnerabilities.

(video)

The National Information Security Forum
Avi Weissman, CEO, See-Security

Avi will take 10 minutes to announce and describe the new national information security forum (NISF), a new information security initiative that we welcome and would like to cooperate with at OWASP.

How Dangerous Is It Out There?
Dror Paz, Director of Professional Services, Breach Security

One of the key issues facing application security professionals is the lack of information about the actual risk. The number of reported incidents is small, and therefore while the potential danger of web layer attacks is known, whether and how this potential is abused is a great mystery. In the presentation, Dror Paz will show what’s really happening out there, based on work done in project such as the open proxy honeypot project, WASC statistics project and the Web Hacking Incidents database as well as information gathered (incognito) from Breach installations around the globe.

this presentation was canceled since Dror was sick and would be rescheduled for a future OWASP meeting.

[[Media:OWASP_IL_2007_SOA_security.ppt|SOA security]]
Iris Levari, Amdocs

As application security specialists we need to follow up with information technology trends. Service Oriented Architecture (SOA) is a new method for developing large scale enterprise applications that promise to revolutionize the IT landscape. Applications built around SOA isolates each business process into a separate service that can serve and interconnect with other services. SOA can use different technologies such as XML, Web Services and SOAP as its infrastructure. The presentation will explain SOA and discuss the security features and considerations when adapting SOA.

([[Media:OWASP_IL_2007_SOA_security.ppt|PowerPoint]], video)

[[Media:OWASP-WASCAppSec2007SanJose_PKILie.ppt|The PKI Lie - Attacking Certificate-Based Authentication]]
Ofer Maor, CTO, Hacktics

While public key cryptography and client side certificates have certainly proved to be a very valuable security mechanism, blind reliance on them may lead to a disaster. These complex technologies are prone to implementation and deployment mistakes that hinders them useless. Ofer will discuss and demonstrate some common implementation pitfalls he often sees in real life PKI based authentication systems.

This talk was presented in OWASP 2007 in San Jose.

([[Media:OWASP-WASCAppSec2007SanJose_PKILie.ppt|PowerPoint]], video

Harvesting Skype Super-Nodes
Omer Dekel, IDC

Skype has revolutionized the way we use VoIP and has entered almost every network and all parts of the Internet. However, little is known about the way the Skype Network operates. Further, since its traffic is encrypted and bypasses firewalls, the network administrators have almost no ability to monitor or filter Skype. In this work we explore the possibility of filtering Skype traffic by harvesting its Super Nodes (SNs), which form the heart of Skype, and of blocking the network nodes from connecting to them. Using experimental results and an analytic model we show that it is possible to collect a large enough number of SNs as to block, with a probability higher than 95%, the service for an arbitrary connecting client.

This talk is based on a research project done with Dr. Anat Bremler-Barr (IDC) & Prof. Hanoch Levy (ETH)

[[Media:OWASP_IL_2007_Harvesting_Skype_SuperNodes.pdf‎|Download presentation (PDF format)]]

[[Media:OWASP_IL_2007_SQL_Smuggling.pdf‎|Smuggling SQL injection attacks]]
Avi Douglen, ComSec

SQL Injection is a common, well-understood application-level attack against databases. Several protection mechanisms exist for protecting from SQL injection attacks, including input validation and use of stored procedures. The presentation will discuss novel techniques to bypass these protection mechanisms by exploiting differences in interpretation between systems.

This is a new research work presented for the first time in OWASP Israel 2007.

([[Media:OWASP_IL_2007_SQL_Smuggling.pdf‎|PDF]], video)