OWASP Israel January 2017

The Israeli chapter of OWASP will hold a meeting on Wednesday, January 18th, at 17:00.

The meeting will be held in Radware’s Tel Aviv offices, at Raul Wallenberg 22, Ramat HaChayal.

Attendance is free of course, but you must register if you are planning to attend: https://www.meetup.com/OWASP-Israel/events/236372466/

Agenda:
''' 17:00 – Gathering, food, and drinks (KOSHER) '''

''' 17:30 – Introductions and Opening Notes '''

''' 17:45 – IP Agnostic Bot Detection '''  Michael Groskop, Director of WAF & R&D Security, Radware

Bot-generated attacks targeting web application infrastructure are increasing in both volume and scope. Bots are becoming more sophisticated, leveraging headless browser technologies and using evasion techniques such as dynamically changing IP addresses.

In this presentation we will review the challenges associated with IP-agnostic detection of bot-generated attacks, the complexity involved in distinguishing good bots from bad ones, and the actions application developers can take to better thwart such attacks.

''' 18:30 - R U aBLE? BLE Application Hacking '''  Tal Melamed, Technical Lead, AppSec Labs  ([[Media:OWASP2017_HackingBLEApplications_TalMelamed.pdf|download presentation]])

As IoT devices are increasingly embedded in our everyday lives, vulnerabilities have real impact on our digital and physical security.

Bluetooth Low Energy (BLE), also known as Bluetooth Smart, is part of Bluetooth 4. Today Bluetooth is the most popular protocol used for interfacing with IoT and smart devices, wearables and medical equipment. As with most emerging technologies, security is often left out.

In this lecture we will demonstrate how to perform penetration testing of applications that communicate with connected devices over BLE, and which equipment, libraries and projects can be used for it.

''' 19:15 – Coffee break '''

''' 19:30 – Should I Trust My Vendor? '''  Yaniv Simsolo, CTO, Palantir Security

Modern systems and business models mandate different approaches to security. Sometimes the business objectives of the vendor override the security objectives that we, the security community, think the product should have. When approaching a complex system design, numerous challenges arise when considering the trust we place in vendors’ hands and the responsibilities vendors carry. Similar security challenges exist at the other end of the scale, considering the maturity (or lack thereof) of small-scale IoT products.

Does the aim sanctify the means?

In certain cases, either mal-coding or business practices result in very poor security of a product or a service. This can reach extreme cases where the vendor outright attacks its own customers. Such was the case, for example, when I purchased a brand new laptop from a known manufacturer and was attacked with viruses and malicious business-practice software. Indeed, certain vendors are worse than others.

In the presentation we will explore notable examples of vendors abusing their customers’ trust and review the (few) mitigation alternatives we may incorporate in our products and systems.