OWASP Bucharest AppSec Conference 2017 Workshops
13th of October
begins at 10:30
| Threat Modelling a fictitious payment web application
||Mustafa Kasmani|| Description:|
Following on from the Threat Modelling presentation by the same author, this workshop will aim to put the theory covered by that presentation into practice.
The objective of doing so is to introduce the audience to the benefits of performing Threat Modelling on a system during the early stages of design / development. This ensures that key security threats are known and understood early on allowing remediation to be done in a more cost effective and pragmatic way than had they been found much later on during testing or when in production.
A fictitious payment web application will be examined in this session – defining its business functionality, actors, assets and technology stack. Data flowing between the components will then be drawn out in the form of data-flow diagrams (DFD’s). Thereafter the attack-surface will be mapped out using the STRIDE methodology identifying threats pertaining to Spoofing, Tampering, Repudiation, Information disclosure, Denial of service and the Elevation of privilege. Finally, these will documented in a form allowing categorisation of risk together with identified security controls that should be tested.
13th of October
begins at 13:30
| AppSec Bucharest vs. OWASP Juice Shop
||Björn Kimminich|| Description:|
In this *free* workshop you can test your skills in hacking modern web applications against the OWASP Juice Shop! There are 43+ challenge that are waiting to be solved, ranging from simple functional problems and the usual XSS/SQLi issues over severe authentication flaws to multi-step & multi-path attacks against the discount coupons issued by the application!
How many challenges can you beat? During the workshop you can get some first-hand hints in case you fell stuck. At the end of the workshop there will be a demo of some of the more mindboggling challenges - but only for those, who don't want to solve them on their own later! You will have an idea how good you and your tools are with
13th of October
begins at 9:30
| Free Diving into Android Security
||Nikhil P Kulkarni and Ravi Kumar Kovela|| Description:|
The agenda of this free workshop is to get the taste of working on Android Security. The workshop would involve the attendees to install and learn the tools used for android pentesting. The following would be the topics that would be covered during the 3 hour session:
Though not in-depth but this workshop would definitely give a great push to start into the Mobile Security Scene. At the end of the workshop, the attendees would be given few challenges to be solved, giving them an understanding and idea on how to find some of the very well-known Android Security Issues. Intended Audience: Application Developers, Penetration Testers who plan to get into the field of Mobile Pentesting with basic knowledge and understanding of the Android Operating System. Prerequisites:
Seats available: 20 (first-come, first served)