OWASP Israel June 2014

The 3rd meeting of 2014 for the Israel chapter of OWASP took place on June 16, at 17:00, with over 110 participants.

The meeting was held at F5’s office, in Kiryat Atidim (Tel Aviv), Building #8, 30th floor. (There is parking in Building #6).

Some pictures from the event, and some more pictures.

Agenda:
 17:00 – 17:30    Gathering, food, and drinks (KOSHER)

 17:30 – 17:40    Opening note 

 17:40 – 18:20     Rise of the Machines Shlomo Yona, Applied Researcher and Innovation Group Leader, F5 Networks (online presentation)

Why we need machines to handle machine generated intel and how to do it. We will discuss a severe and growing problem of IT/Ops/Security professionals and exemplify concretely with a description of how we reproduced results reported in “An Empirical Study Of Passive 802.11 Device Fingerprinting” (http://arxiv.org/abs/1404.6457) with some modifications and use the opportunity to see how Automated Statistical Inference can be utilized to identify spoofed MAC addresses.

 18:20 – 19:00     Security Testing & The Depth Behind OWASP Top 10

Yaniv Simsolo, Senior Security Expert ([[Media:OWASPIL-2014-06-16_OWASP-Top-10_-_Security-Testing.pptx|download presentation]])

OWASP changed the Top 10 List in 2013. Some new security areas are incorporated into the updated Top 10 list. In the past few years modern systems’ architecture and coding practices have also changed, evolved and transformed exponentially. Relying on proven security concepts is not sufficient anymore and therefore other approaches are required.

We will venture into the depth of the more obscure security areas now included in the Top 10, and the reality of the security of modern systems. The pitfalls of security tests will be reviewed and an alternative approach for modern systems security testing will be discussed in length.

19:00 – 19:20     Coffee break

19:20 – 20:00     DDoS Attacks: Peeling The Onion On One Of The Most Sophisticated Ever Seen

Eldad Chai, VP Products, Incapsula ([[Media:OWASPIL-2014-06-16_DDoS-Attacks_Peeling-the-Onion.pdf|download presentation]])

Taking down a competitor's website can be very valuable. Unlike Hacktivists, with generally short attention spans, or regular cybercriminals, who usually give up when faced with adequate protection, these well-funded attacks persist over time, and employ multiple, sophisticated vectors. This session will review a real case study defending against one of the largest, most sophisticated and persistent DDoS attacks. These include: Networking Capacity, Client Classification, Whitelisting/Blacklisting/Crowdsourcing, Challenge mechanisms, Anomaly detection and the secret sauce...