OWASP Israel 2011 Presentations

= Keynote =

Composite Applications Over Hybrid Clouds – Enterprise Security Challenges of the IT Supply Chain
[Dr. Ethan Hadar], Senior Vice President Corporate Technical Strategy, CA

Cloud Computing offerings come at several levels. Infrastructure, Platform, Business and Software services are consumed on a pay-per-use, “as a Service” basis, implementing the parts of a service supply chain. The services range from dedicated single SaaS applications such as Salesforce, to isolated utility computing such as accessing an IaaS virtual image on Amazon or Rackspace, to composing your own application on a PaaS platform such as Azure or Force.com. All these offerings make it possible to create compound solutions over hybrid clouds, in which the parts of the integrated composite application are provided by several different vendors and suppliers with different quality attributes, including application security. The provider of the composite application is responsible for the overall quality levels, and is expected to verify the security quality level of each sub-element, as well as to be able to verify and prove it to the composite application's consumers.

Or is it not the case?

The programmable web creates many challenges. Even if the author of a composite application detects application security issues within the supply chain, can a remedy and a change occur? Is the author even allowed to try to verify (hack) the provided public services in order to verify its own obligations, thereby exposing the provider to other opportunistic hackers?

Consequently, there are many challenges: what are the potential breaches in a supply chain? Can a chain reaction of hacking occur? What does a “secured enough” supply chain mean? At what level (IaaS, PaaS, BSaaS, SaaS) should we test the sub-services? Are we allowed to? What happens if we find an issue? How do we wrap security fences on top of non-secured sub-services? What are the sub-contracted obligations that may be solved legally or financially? If a change occurs, what are the implications for the running connected systems? Should the sub-provider's quality levels affect the consumer, or can the consumer impose security requirements on the provider? If there is a remedy plan, how can it be executed and verified, and who will pay the expenses? Who will manage the hardening project?

In this keynote, we will present the environment and its challenges, highlighting potential solutions, dilemmas or directions, all in order to generate an open Q&A discussion with the forum.

Speaker Bio

[Dr. Ethan Hadar] is a Distinguished Engineer and Senior Vice President at CA Technologies, responsible for the Corporate Technical Strategy, as well as for leading CA Technologies Israel Research & Development. His responsibility includes defining and communicating, collaboratively with the Chief Technology Officer, the company's technical strategy according to the corporate goals and business strategy, while focusing on identifying breakthrough innovation.

Jointly with CA Technologies Chief Technology Officer and CA Labs Director, Ethan is engaged with the company’s lead strategists, architects, customers, researchers and visionary leaders to form strategic technological and innovative directions. Across the hybrid domains of physical, virtual and cloud computing, and within the realm of emerging technologies, Ethan forms integrated technological approaches aimed at advancing the corporate strategic technological capabilities.

Ethan has numerous patents and publications, and regularly presents at conferences as a thought leader, author, keynote and chair. Prior to this role, Ethan was a Senior Vice President for Corporate Reference Architecture, and Senior Vice President for Research at CA Labs. Ethan has served as a member of the faculty at the Netanya Academic College and as adjunct faculty at the Technion, Israel Institute of Technology.

= Track A =

Finding Security in Misery of Others
Amichai Shulman, CTO, Imperva

We frequently read about different security incidents, including data breaches, attacks and other hacks. The details of these incidents enable us to learn from others. However, most news reports regarding security breaches are vague and nebulous. This session will explain how to "Read between the Lines" of press reports on security breaches. The presentation will demonstrate, using past security incident reports, how to understand the attack methods, the compromised services, and the different security policies applied at the attacked site. The session will also describe mitigation techniques that might have been helpful in a specific incident. Example breaches will focus on hacking techniques that span search engines, SQL injection and data theft.

This "Behind the Scenes" perspective will illustrate the important failure points, how to find information regarding the detection process, and how to analyze the effectiveness of the audit trail in the incident. Finally, the presenter will suggest some preventive measures to avoid similar breaches. Attendees will learn how to diagnose the attack scenario in order to apply and test the correct security controls in their systems and prevent a similar mishap at their own site.

Speaker Bio

Amichai Shulman is Co-Founder and CTO of Imperva, where he heads the Application Defense Center (ADC), Imperva's internationally recognized research organization focused on security and compliance. Shulman regularly lectures at trade conferences and delivers monthly eSeminars. The press draws on Shulman's expertise to comment on breaking news, including security breaches, mitigation techniques, and related technologies. Under his direction, the ADC has been credited with the discovery of serious vulnerabilities in commercial Web application and database products, including those of Oracle, IBM, and Microsoft. Shulman has appeared on CNN, in the New York Times, USA Today, Washington Post, BBC and Sydney Morning Herald. Prior to Imperva, Shulman was founder and CTO of Edvice Security Services Ltd., a consulting group that provided application and database security services to major financial institutions, including Web and database penetration testing and security strategy, design and implementation. Shulman served in the Israel Defense Forces, where he led a team that identified new computer attack and defense techniques. He has B.Sc. and Master's degrees in Computer Science from the Technion, Israel Institute of Technology.

Building an Effective SDLC Program - Case Study
Guy Bejerano, CSO, LivePerson and Ofer Maor, CTO, Seeker Security

This talk will present tools for security managers and experts on how to build an effective SDLC program. The talk will be presented as a dialogue between a SaaS provider building such a program and a security expert offering solutions, using real-world cases. The talk will take the audience, in 45 minutes, through the entire process of identifying relevant methods and implementing them effectively to create a successful SDLC.

Guy Bejerano, CSO of LivePerson (NASDAQ:LPSN) will present the challenges facing a CSO of a Cloud vendor attempting to build such a program, and how they were resolved. This will be emphasized by showing a case study of LivePerson with real world examples. Ofer Maor, CTO of Seeker Security, will represent the plethora of product and service solutions, based on many years of experience as an application security expert.

Speaker Bio

TBD

All Your Mobile Applications Are Belong to Us
Itzik Kotler, CTO, Security Art

TBD

Speaker Bio

TBD

CMS - The Nightmare of AppSec Testing
Irene Abezgauz, Product Manager, Seeker Security

TBD

Speaker Bio

TBD

When Crypto Goes Wrong
Erez Metula, CEO, AppSec Labs 

Cryptography, when implemented properly, can solve many day-to-day security tasks such as confidentiality, integrity, authentication, secure random number generation, and so on. But the problem is, too many things can go wrong…

In this presentation we'll examine some of the most common mistakes developers tend to make when dealing with crypto. During the presentation we'll examine the impact of mistakes such as failure to verify a certificate, replay attacks, client-side encryption, crypto DoS, and so on.

In other words, we'll see how attackers can break crypto-based mechanisms deployed in applications without breaking the crypto itself – simply by going around it.

Speaker Bio

Erez Metula is a world-renowned application security expert, spending most of his time finding software vulnerabilities and teaching developers how to avoid them. Erez has extensive hands-on experience performing security assessments, code reviews and secure development training for organizations worldwide, and has previously spoken at international security conferences such as BlackHat, Defcon, OWASP, RSA, SOURCE, CanSecWest and more. His latest research on Managed Code Rootkits, presented at major conferences throughout the world, was recently published as a book by Syngress. He is the founder of AppSec Labs, where he works as an independent consultant focusing on advanced application security topics.

Security Testing of RESTful Services
Ofer Shezaf, Head of AppSec Research, HP and Eyal Fingold, Senior Security Developer, HP

RESTful services have become popular for emerging platforms. Less resource intensive and simpler than traditional web services, RESTful services are a particularly good fit for low footprint mobile and tablet applications, as well as for web 2.0 sites offering an interface for 3rd party developers.

At first glance, RESTful services seem very different from web services and suspiciously similar to regular web technology. This similarity leads to the common belief that securing RESTful services is similar to securing regular web applications. However, RESTful services hide the same complexities as web services, albeit with a much lower level of formal documentation.

The presentation will provide an overview of RESTful services, development frameworks using RESTful services, and the formal methods to document them, including WADL and WSDL 2.0. The speakers will discuss complexities in protecting RESTful services, and describe variants of common attack vectors that are specific to REST services, for example, embedding attack vectors in the URL and permutation of HTTP verbs. We conclude with a discussion of the challenges of testing RESTful services for security issues and describe innovative ideas for discovering the RESTful service attack surface using black-box penetration testing, and a hybrid method often called grey-box testing to enhance this discovery.

Speaker Bio

TBD

The Bank Job
Adi Sharabani, Rational Security, IBM

TBD

Speaker Bio

TBD

= Track B =

Temporal Session Race Conditions
Shay Chen, CTO, Hacktics Advanced Security Center, Ernst & Young

TBD

Speaker Bio

TBD

Space-Time Tradeoffs in Software-Based Deep Packet Inspection
Yotam Harchol, IDC

Deep Packet Inspection (DPI) lies at the core of contemporary Network Intrusion Detection Systems (NIDS). DPI aims to identify various malware by inspecting both the header and the payload of each packet and comparing it to a known set of patterns. DPI is often performed on the critical path of the packet processing, thus the overall performance of the security tools is dominated by the speed of DPI.

The Aho-Corasick (AC) algorithm is the de-facto standard for pattern matching in NIDS. Basically, the AC algorithm constructs a Deterministic Finite Automaton (DFA) for detecting all occurrences of a given set of patterns by processing the input in a single pass. The input is inspected symbol by symbol, such that each symbol results in a state transition. Thus, in principle, the AC algorithm has deterministic performance, which does not depend on specific input and therefore is not vulnerable to algorithmic complexity attacks, making it very attractive.

In this talk I will show that, when implementing the AC algorithm in software, this property does not hold, because contemporary pattern sets induce very large DFAs that cannot be stored entirely in cache. We propose a novel technique to compress the representation of the AC automaton, so that it can fit in modern caches. We compare both the performance and the memory footprint of our technique to previously proposed implementations, under various settings and pattern sets. Our results reveal the space-time tradeoffs of DPI. Specifically, we show that our compression technique reduces the memory footprint of the best prior-art algorithm by approximately 60%, while achieving comparable throughput.
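As an added illustration (not code from the talk or its authors), a minimal Aho-Corasick matcher in Python: the trie with failure links is expanded into a full DFA, so the scan makes exactly one table lookup per input symbol, and the DFA's size (states times alphabet) is the footprint the abstract says outgrows the cache. The signature-like patterns and the request line are constructed sample input.

```python
def build_automaton(patterns):
    """Trie (goto), failure links and output sets; state 0 is the root."""
    goto, out = [{}], [set()]
    for idx, pat in enumerate(patterns):
        state = 0
        for ch in pat:
            if ch not in goto[state]:
                goto.append({}); out.append(set())
                goto[state][ch] = len(goto) - 1
            state = goto[state][ch]
        out[state].add(idx)
    fail = [0] * len(goto)
    queue = list(goto[0].values())        # BFS; depth-1 states fail to the root
    while queue:
        s = queue.pop(0)
        for ch, nxt in goto[s].items():
            queue.append(nxt); f = fail[s]
            while f and ch not in goto[f]:
                f = fail[f]
            fail[nxt] = goto[f].get(ch, 0)
            out[nxt] |= out[fail[nxt]]    # a suffix may complete another pattern
    return goto, fail, out

def to_dfa(goto, fail, alphabet):
    """Full DFA: one transition per (state, symbol); this table is what spills out of cache."""
    delta = []
    for s in range(len(goto)):
        row = {}
        for ch in alphabet:
            t = s
            while t and ch not in goto[t]:
                t = fail[t]
            row[ch] = goto[t].get(ch, 0)
        delta.append(row)
    return delta

def scan(text, delta, out, patterns):
    # Single pass, one lookup per symbol; returns (start_offset, pattern) hits.
    state, hits = 0, []
    for i, ch in enumerate(text):
        state = delta[state].get(ch, 0)
        hits += [(i - len(patterns[j]) + 1, patterns[j]) for j in out[state]]
    return hits

def demo():
    patterns = ["/etc/passwd", "<script>", "script", "cmd.exe"]   # constructed
    goto, fail, out = build_automaton(patterns)
    delta = to_dfa(goto, fail, [chr(c) for c in range(256)])
    hits = scan("GET /?f=../../etc/passwd&x=<script>alert(1)</script>", delta, out, patterns)
    return hits, len(delta)        # matches and number of DFA states
```

With 33 states over a 256-symbol alphabet the table already has 8448 entries; real NIDS rule sets have tens of thousands of states, which is the cache problem the talk addresses.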

Joint work with Anat Bremler-Barr (IDC) and David Hay (HUJI).

This work was presented at the IEEE International Conference on High Performance Switching and Routing (HPSR), July 2011, Cartagena, Spain.

Speaker Bio

Yotam Harchol is a graduate student at the Hebrew University of Jerusalem. Currently he works with Dr. Anat Bremler-Barr (IDC) and Dr. David Hay (HUJI) on network algorithms and security, deep packet inspection and high performance computing. He received his bachelor's degree in Computer Science from IDC Herzliya.

Glass Box Testing - Think Inside the Box
Omri Weisman

Automatically scanning for web application security vulnerabilities is traditionally performed either using a white box approach or using a black box approach. Each of the two approaches has its pros and cons. An exciting new technology called glass box is emerging as a way to enjoy the benefits of both approaches and beyond. Glass box technology allows observing the behavior of the application from within while scanning the application, providing the missing bridge between black box and white box. Research shows that this approach can greatly augment key aspects of black box scanning such as the logical coverage of scanned applications, as well as the detection of previously undetected security issues. This lecture presents some of the most painful challenges automated tools are facing nowadays as well as innovative approaches for solving them.

Speaker Bio

TBD

Mitigating Application DDoS Attacks with Bi-Directional Solutions
Or Katz, Principal Security Engineer, F5

In recent years we have been hearing about more and more incidents involving groups of hackers trying to damage commercial and government organizations’ web-facing applications, exhausting their resources by using application distributed denial of service (DDoS) attacks.

In this presentation I will show what the offensive challenges involved in preventing such an attack are, and suggest a bi-directional solution that can effectively mitigate it.

Speaker Bio

Or Katz is a principal security engineer at F5 Networks, leading the web application security research team activities for the F5 Application Security Module (ASM).

Or has a Bachelor's degree in Economics and Computer Science and an MBA, both from the Open University of Israel.

Advanced Techniques & Tools for Testing Binary Protocols
SPEAKER

TBD

Speaker Bio

TBD