OWASP Bucharest AppSec Conference 2016



OWASP Bucharest AppSec Conference 2016 - October 6th

The OWASP Bucharest team is happy to announce the OWASP Bucharest AppSec Conference 2016, a one-day Security and Hacking Conference dedicated to application security. It will take place on the 6th of October, 2016, in Bucharest, Romania.

The objective of the OWASP's Bucharest AppSec Conference is to raise awareness about application security and to bring high-quality security content provided by renowned professionals in the European region. Everyone is free to participate in OWASP and all our materials are available under a free and open software license.

Who Should Attend?

  • Application Developers
  • Application Testers and Quality Assurance
  • Application Project Management and Staff
  • Chief Information Officers, Chief Information Security Officers, Chief Technology Officers, Deputies, Associates and Staff
  • Chief Financial Officers, Auditors, and Staff Responsible for IT Security Oversight and Compliance
  • Security Managers and Staff
  • Executives, Managers, and Staff Responsible for IT Security Governance
  • IT Professionals interested in improving IT Security
  • Anyone interested in learning about or promoting Web Application Security

CONFERENCE (Thursday 6th of October)

Date: Thursday 6th of October, 8.00 AM
Venue Location: Iridium Room
Workshop: Oregon and Nevada Rooms

Venue Address: Sheraton Bucharest Hotel, Calea Dorobantilor 5-7, Bucuresti, ROMANIA

Price and registration
Conference entrance is FREE; you need to register using the link provided below, print your ticket and present it at the entrance.
The training sessions will be paid.

  • OWASP Top 10 vulnerabilities – discover, exploit, remediate: Adrian Furtuna and Ionut Ambrosie
  • Secure Web Applications in Java: Cristian Serban and Lucian Suta
  • Shellcode Development and Exploiting: Razvan Deaconescu and Mihai Țigănuș
  • Practical Cryptography on the Internet: Sergiu Costea

Limited number of seats! Register now!

Sponsorship opportunities
Why sponsor?

  • Join 300+ leaders, security consultants, security architects and developers gathered to share cutting-edge ideas, initiatives and trends in technology.
  • OWASP events attract an audience interested in "What's next?" - As a sponsor, you will be promoted as an answer to this question.
  • Increase awareness and recognition in the Romanian IT security environment.
  • Support and involvement in the world of information security enthusiasts.

Conference agenda

Time Title Speaker Description
8:30 - 9:00 (30 mins)
Registration and coffee break

9:00 - 9:15 (15 mins)
Title: Introduction
Speaker: Oana Cornea
Description: Introduction to the OWASP Bucharest Event, Schedule for the Day

9:15 - 10:00 (45 mins)
Title: Handling of Security Requirements in Software Development Lifecycle
Speaker: Daniel Kefer
Description: The bigger the company you're working in, the more technologies and methodologies used by development teams you are going to face. At the same time, you want to address security risks in an appropriate, reliable and traceable way for all of them.

After a short introduction of a unified process for handling security requirements in a large company, the main part of the talk is going to focus on a tool called SecurityRAT (Requirement Automation Tool) which has been developed in order to support and accelerate this process. The goal of the tool is first to provide a list of relevant security requirements according to properties of the developed software, and afterwards to handle these in a mostly automated way - integration with an issue tracker being used as a core feature. Work in progress and future plans will form the last part of the talk.

10:00 - 10:45 (45 mins)
Title: CSWSH (Cross-Site WebSocket Hijacking) Compromising websockets with an XSS vulnerability
Speaker: Vali Malinoiu
Description: The relatively new technique to allow full duplex communication between client and server is gaining more and more attention from developers in order to build realtime web applications. During the process they open their application to a vulnerability sometimes called CSWSH.

11:00 - 11:40 (40 mins)
Title: Software assurance with OpenSAMM Part I
Speaker: Jacco van Tuijl
Description: More and more developers realize that something needs to change in their development process, both to reduce the number of vulnerabilities and to be well prepared when incidents are reported. The Secure Software Development Life Cycle (SSDLC) process ensures that security is considered at all stages of the development process. This reduces the number of vulnerabilities in delivered software and provides a thorough process for handling incidents.

11:50 - 12:30 (40 mins)
Title: Software assurance with OpenSAMM Part II
Speaker: Jacco van Tuijl
Description: There are several frameworks for the implementation of SSDLC, like BSIMM, MS SDL and OpenSAMM. Jacco van Tuijl will discuss OpenSAMM, the Software Assurance Maturity Model, a completely open framework of OWASP. Jacco will share experiences regarding the implementation of OpenSAMM within various organizations.

12:30 - 13:30 (60 mins)
Lunch/Coffee Break

13:30 - 14:15 (45 mins)
Title: How to handle bot threats
Speaker: Andrei Daniel Oprisan
Description: This talk is an overview, from a security perspective, of the robotic systems (bots) that we can find today over the internet. It consists of two main parts: Robot Detection and Robot Mitigation. I will explain how the detection models can be applied in preventing the robots from harming the website, and also explain why it is important not to affect the user experience in a significant way.

14:15 - 15:00 (45 mins)
Title: Mass-analyzing a chunk of the Internet: The Romanian IT landscape
Speaker: Alexandru George Andrei
Description: Scanning the internet is a bad idea. It's what bad guys do every day. Looking for misconfigurations, vulnerable servers, unpatched critical vulnerabilities and IoT devices in a fun, informative and "non-intrusive way" to determine just how vulnerable Romania is. From the defensive side, we are going to be able to tell precisely how many systems are still vulnerable to Heartbleed and other critical vulnerabilities exposed in the last years, how many systems could be used in a DDoS attack (NTP amplification or otherwise), survey all SSL certificates and implementations and get a good view of the IT assets that are publicly facing in Romania.

15:00 - 15:15 (15 mins)
Coffee break

15:15 - 16:00 (45 mins)
Title: Static Application Security Testing (SAST) to combat the risk to web and mobile applications
Speaker: Moni Stern
Description: Application security is the number one priority of security professionals, but developers just want to code. Getting developers to use Application Security Testing is one of the biggest challenges facing security professionals today. How can both be accomplished?

16:00 - 16:45 (45 mins)
Title: It’s time to go hunting! Indicators of Compromise vs. Indicators of Attack
Speakers: Octavian Savin and Mihai Capraru
Description: Cyber defense isn't a new domain anymore and it is in a continuous change. A few years ago the boundary defense approach was the state of the art in this field, but now we are facing a multi-layered one with complex mechanisms, ranging from user behavior analysis to advanced threat hunting.

For many years now a very effective solution for identifying computer infections was the utilization of Indicators of Compromise in different formats, but the evolution of malware complexity has made the development of IOCs a time consuming action.
Learning to discourage attackers has determined a change in the mindset of security professionals, to create mechanisms capable of identifying attacks in their earliest phases, thus the cutting edge in cyber defense has become threat hunting - a more proactive approach aimed at identifying and stopping cyber threats before they meet their goals. IOCs are now going in a new direction, with a new scope in mind: to discover the attack, not the compromise, and for this to be effective we need to actively hunt for threats using Indicators of Attacks.

16:45 - 17:00 (15 mins)
Title: Closing ceremony
Speaker: OWASP Bucharest team
Description: CTF Prizes


Time Title Trainers Description
9:00 - 17:00

OWASP Top 10 Vulnerabilities – Discover, Exploit, Remediate
Adrian Furtună – Founder & Ethical Hacker – VirtualStorm Security
Ionuţ Ambrosie – Security Consultant – KPMG Romania
Description: The purpose of this workshop is to increase the participants’ awareness of the most common web application vulnerabilities and their associated risks.

We will discuss each type of vulnerability described in the OWASP Top 10 project and we will be practicing manual discovery and exploitation techniques. Furthermore, a set of useful security testing tools will be presented and used during the workshop.
This will be a (very) hands-on workshop where we will practice exercises such as:

  • Discover SQL injection and exploit it to extract information from the database
  • Find OS command injection and exploit it to execute arbitrary commands on the target server
  • Discover Cross-Site Scripting and exploit it to gain access to another user’s web session
  • Spot XML External Entity vulnerabilities and use them to read arbitrary files from the server
  • Identify Local File Inclusion and exploit it to gain remote command execution
  • Find Cross-Site Request Forgery and exploit it to gain access to the admin panel
  • Detect standard components of web apps containing known vulnerabilities and exploit them
  • Other fun and challenging tasks

Of course, we will also present safe ways in which the identified vulnerabilities can be eliminated or mitigated in production environments.
Intended audience: Web application developers, security testers, quality assurance personnel, people passionate about web security
Skill level: Intermediate

  • Laptop with a working operating system
  • At least 2 GB of free disk space and at least 2 GB RAM
  • Administrative rights on the laptop
  • VMWare Player installed

Seats available: 20 (first-come, first served)
Price: 200 euros/person
Register here

9:00 - 17:00

Secure Web Applications in Java
Cristian Serban - AppSec Architecture Manager
Lucian Suta - Software Security Trainer and Consultant
Description: Everybody is familiar with OWASP Top 10, but how is that applicable when you write Java web applications using the Spring Framework, JSP, or FreeMarker templates? What are the security features built into the most common Java frameworks and how to apply security principles such as ‘defense in depth’ in order to build robust applications. Together we will build secure coding and secure code review skills, uncover and protect against some of the most common vulnerabilities in Java code.

Intended audience: Web application developers, security testers, quality assurance personnel, people passionate about web security
Skill level: Intermediate
Requirements: This course requires moderate Java coding skills and a laptop with the latest JDK, IntelliJ IDEA or Spring Tool Suite, and ZAP installed.

Seats available: 20 (first-come, first served)
Price: 200 euros/person
Register here

9:00 - 17:00

Shellcode Development and Exploiting
Razvan Deaconescu - Assistant Professor at University POLITEHNICA of Bucharest
Mihai Țigănuș - Master Student at University POLITEHNICA of Bucharest
Description: Shellcodes are small pieces of executable code that provide arbitrary functionality to a given program. They are usually obtained from assembly source code and used in runtime application security to exploit a vulnerability in the program and alter the execution flow, i.e. arbitrary code execution attack.

In this training we will provide you with the know-how and skills to create shellcodes and construct basic attack vectors using shellcodes. You will better understand how programs and processes work.

The training is highly practical. We will use a Linux environment and common Linux tools for static and dynamic analysis, shellcode creation and exploiting. The training will feature hands-on activities such as:

  • Analyzing existing binary shellcode blobs
  • Writing shellcodes
  • Building shellcodes
  • Testing shellcodes
  • Injecting shellcodes in vulnerable programs
  • Detecting basic vulnerabilities in programs and injecting shellcodes

We will present different scenarios for vulnerable programs and then create the shellcode-based attack vectors to exploit them.

Outcome: After this training you will be able to create shellcodes and assembly-based binary blobs and use them for exploiting or executable hardening. You will increase your skills in using assembly language and in working with binary exploration tools. You will understand shellcode-based attacks and you will gain a basic understanding of shellcode-based attack requirements and how to mitigate them.

Intended Audience: System-level developers, security researchers, people interested in runtime application security and binary exploitation

  • Laptop with a working operating system
  • At least 6 GB of free disk space and at least 2 GB RAM
  • Administrative rights on the laptop
  • VirtualBox installed

Seats available: 20 (first-come, first served)
Price: 200 euros/person
Register here

9:00 - 17:00

Practical Cryptography on the Internet
Sergiu Costea - Security Researcher at University POLITEHNICA of Bucharest
Description: Cryptography is used throughout the Internet to keep information safe. It is everywhere, from banking security tokens to YouTube streams. Simply authenticating into Facebook performs tens of different cryptographic operations to establish a secure connection.

Cryptography mostly operates under the hood — we use it without having to worry about how it works. However, when something in the crypto world cracks, it cracks loudly. Heartbleed, compromised certificate authorities, identity theft, mass surveillance, bitcoin exploits worth millions of dollars — they all originate in the complex layer of cryptographic algorithms and have negative impact on our lives.

In this session, we will take a very practical look at cryptography and see how it works on the Internet. Some of the topics we will cover include:

  • authentication mechanisms (PKI, certificates, certificate transparency, password storage);
  • secure protocols (SSL, TLS and HTTPS);
  • web application security (secure cookies, CSP, key pinning).

The training will feature many guided hands-on activities. These include, but are not limited to: creating certificate hierarchies, configuring custom certificates on clients and servers, modifying security policies, impersonating “seemingly secure” identities, downgrading connections, and extracting information from secure HTTPS sessions.

We'll also explore how easily crypto breaks when used improperly, looking back at notable recent attacks and what made them possible.

Outcome: After this training you will be able to:

  • Describe how Public Key Certificates work;
  • Adequately protect information against tampering, eavesdropping and extraction attempts;
  • Use OpenSSL to issue certificates and configure them on clients and servers;
  • Select secure crypto algorithms when presented with the choice;
  • Describe how secure browser to server connections are established on the Internet, including possible threats that relate to them;
  • Enhance web application security using state of the art browser and server capabilities.

Intended Audience: Network and web security engineers, security researchers, web developers

Skill Level: intermediate, basic Linux command line skills, basic knowledge of networking, basic knowledge of HTTP

  • Laptop with a working operating system
  • At least 6 GB of free disk space and at least 2 GB RAM
  • Administrative rights on the laptop
  • VirtualBox installed

Seats available: 20 (first-come, first served)
Price: 200 euros/person
Register here

CTF (Capture The Flag) contests are popular ways to hone your practical security skills by solving challenges on topics such as web, crypto, reverse, exploiting.

We invite everyone passionate about practical security to the OWASP AppSec 2016 CTF, where you and your team will solve challenges on web, reverse and exploiting. Challenges will be Linux-centric and web.

The CTF webpage is here: https://owasp-ctf.security.cs.pub.ro/home. In order to participate please register here

The CTF will take place during the OWASP Bucharest AppSec 2016 conference, on site, for 8 hours, from 9am to 5pm. Teams will consist of at most 5 players; everyone has to be on site at the conference.

Hope you can make it! You’ll have tons of fun!

If you’re new to CTFs or you want to know more please check these links:


  • 1st place: 1024 euros
  • 2nd place: 512 euros
  • 3rd place: 256 euros


  • Oana Cornea [1]
  • Vlad Cotenescu [2]
  • Andreea Gheorghita [3]
  • Cosmin Marius Ilie [4]


  • Razvan Deaconescu [5]
  • Vali Ghita [6]

Logo design:

  • Andrei Jurca [7]


  • Raluca Vasilache [8]
  • Daniel Barbu [9]



Platinum Sponsors

    Logo SWRX.jpg AmgenLogo Blue.jpg  

Gold Sponsor


Silver Sponsor

      KPMG RGB.jpg

Event Supporters

    RST.jpg Logo-defcamp.jpg Logo-cert-ro-final.png  
    Logo phpromania.png Agileworks-logo1.jpg SoftLead.png  
    ALogoIQool1.png EU-cyberS.jpg