OWASP Israel April 2017

The Israeli chapter of OWASP will hold its 2nd meeting of 2017 on Monday, April 3rd, at 17:00.

The meeting will be held at Checkmarx's office, in the Amot Atrium Tower, 2 Jabotinsky St., Ramat Gan.

Attendance is free of course, but you must register if you are planning to attend: https://www.meetup.com/OWASP-Israel/events/238112640/

Agenda:

17:00 – Gathering, food, and drinks (KOSHER)

17:30 – Introductions and Opening Notes

17:45 – The Borders are Dissolving – Application Security Crystal Ball – Maty Siman, Checkmarx

Over several years applications have become central to anything we do. Whether web, mobile or even IoT applications, they all control almost every aspect of our daily lives. For that exact same reason they have also become the hacker's new best friend. But it seems that there is a change happening and it isn't being discussed as often as it should. Data and financial gain are still considered the end goal, but the how is dramatically changing.

Join us to try to envision what kind of attacks we will be seeing in the near future, how and who will be taking or dropping responsibility and how modern development practices may benefit attack techniques.

18:30 – Automated security tests using ZAP and Webdriver.io – Omer Levi Hevroni, Soluto ([[Media:OWASPIL-2017-04-03_Automated-tests-ZAP-Webdriverio_OmerLeviHevroni.pptx|download presentation]])

Webdriver.io is a great framework for writing automation tests for your webapp. With a very small configuration you can easily integrate ZAP's passive scan into those tests and upgrade them into automated security scanning, benefiting from all the useful things that ZAP is able to detect. I am going to cover how we did this at Soluto, and as we run everything using Docker containers, it is very easy to reproduce this setup for any webapp with existing Webdriver.io/Selenium tests.

19:15 – Coffee break

19:30 – WebShell AV signature bypass and identification – Gil Cohen, Comsec

Ever wondered how easy or hard it is to trick a signature-based defensive product? Ever wanted to bypass such a product to upload your own malicious web-shell file to an attacked web server? This lecture is for you! In a very lightweight, straightforward and eye-opening talk I'm going to show how easy it is to upload a slightly modified version of the famous C99 webshell to get full control over a web server, and how ineffective the signature-based modules of defensive products are. I'm also going to show tips on how to identify a web-shell, and present 2 open-source tools that try to do just that.