Difference between revisions of "8th OWASP IL chapter meeting"

From OWASP
(At Watchfire, Herzliya, Wednesday, September 5th 2007, 17:00)
Line 2: Line 2:
[[Image:OWASP_IL_Sponsor_Watchfire.jpg|right]]The next meeting of OWASP IL, the Israeli chapter of OWASP, will be held at the Watchfire offices in Herzliya on Wednesday, September 5th at 17:00. Watchfire will also sponsor the meeting.

+ The meeting is part of OWASP Day, a worldwide OWASP one-day conference on Privacy in the 21st Century, which is in turn OWASP's contribution to the [http://www.globalsecurityweek.com/ Global Security Week].
  
 
The agenda of the meeting is:
Line 12: Line 14:

Jonathan Afek, Senior Security Researcher, Watchfire

+ This is the presentation material as I presented it at BlackHat. Some changes will be applied according to the time frame we can get for the presentation, and it will be less technical.
+ This subject is a general security problem for applications developed in native-code (non-managed) object-oriented languages such as C++, and it applies to web applications developed in these languages too. The specific issue demonstrated was found in the IIS 5.1 web server.

<big>'''15:40 – 16:00 [[Media:Enterprise_portals_security.pdf|Malicious content in enterprise portals]]'''</big>
 
 
Shalom Carmel, a security icon, the world's authority on hacking AS/400 and a BlackHat 2006 speaker


In 2005, enterprise portals ranked in the top 10 of CIO technology focus areas in many surveys. The main drivers of the portal business growth are the horizontal portal suites, which provide content management capabilities, application integration tools, and specific solutions for collaboration and knowledge management. This lecture will address the security problems an enterprise may face due to the various content management abilities in a typical portal implementation, and will focus on cross-site scripting attacks.
 
 
 
<big>'''16:00 – 16:30 Information Warfare against commercial companies – lessons from dealing with hostile internet entities'''</big>
 
 
Ariel Pisetsky, CISO and Infrastructure Manager, NetVision
 
 
During the recent war in the north, many information security events were detected in private and government organizations. These events, usually no more than web site defacements, provide an opportunity to examine large-scale hostile activity against web sites affiliated with Israel. Commercial companies with no direct relation to the war found themselves under direct attack, or indirectly affected by attacks on ISPs and the Internet infrastructure in Israel.


In the presentation we will discuss what happened during this summer of war, whether it can be classified as information warfare, and what lessons can be learned going forward.
 
 
 
'''16:30 – 16:45 Break, coffee, tea & fruits'''
 
 
 
<big>'''16:45 – 17:15 [[Media:Secure_coding.pdf|Real vs. Virtual Patching]]'''</big>
 
 
Ravid Lazinski, Technical Manager, Applicure Technologies
 
 
The penetration team has found a bug. What's next? In order to prevent exploitation, the application has to be patched.
 
 
The presentation will discuss the advantages and disadvantages of the two available solutions: patching the application itself, or using an external patching solution in a process called "virtual patching".
 
 
 
<big>'''17:15 – 17:45 [[Media:The_Core_Rule_Set.pdf|"The Core Rule Set": Generic detection of application layer attacks]]'''</big>
 
 
Ofer Shezaf, CTO, Breach Security, OWASP IL chapter Leader, Director, the Web Application Security Consortium
 
 
Web applications are unique, each having its own vulnerabilities, and therefore a positive security model is usually considered the optimal way to protect them. The [http://www.modsecurity.org ModSecurity] open source project has recently released a "core rule set", essentially a set of super signatures that try to provide significant security to custom applications without the effort of defining a positive security model.


The lecture will discuss generic application security signatures and rules, how they differ from network-centric signatures, and their strengths and limitations when dealing with the OWASP Top 10 attacks.
 
 
 
'''17:50 – 18:00 Break'''
 
 
 
<big>'''18:00 – 18:30 [[Media:OWASP_10_Most_Common_Backdoors.pdf|The OWASP Top Ten Backdoors]]'''</big>
 
 
Yaniv Simsolo, Application Security Consultant, Comsec Consulting
 
 
Just as the OWASP Top Ten outlines the top ten mistakes that developers make in applications, the top ten backdoors discuss the features developed on purpose that do just the same: leave the application vulnerable. Backdoors are more common than developers and system professionals think. Hackers and malicious users can exploit backdoors easily, without leaving any special traces in the system. An SQL interface to an application, providing a lot of flexibility but little security, is a good example of such a backdoor.


The presentation will discuss common backdoors found in web applications and how they relate to the OWASP Top 10.
 
  
− <big>'''18:30 – 19:15 [[Media:Hacking_The_FrameWork.ppt|Hacking The Framework]]'''</big>
− Nimrod Luria, Head Of Consulting Services, 2Bsecure
− Modern development environments such as .NET and J2EE promise enhanced security by relying on framework services rather than on good coding. The presentation will demonstrate, with real hacking demos, the weak points in such frameworks, using .NET as an example.
+ <big>'''15:10 – 15:40 Evasive Crimeware attacks, Business Risk, and Proposed Defense'''</big>
+ Iftach Amit, Director Security Research, Finjan
+ The presentation will explore the “other side” of web security: the client side. As traditional web application security starts to pay more attention to the client side, which has become a major part of the web application security market (can you spell XSS without a client involved…), more and more attack vectors are re-targeting the browser as a way into the organization.
+ In the presentation we will look at the business risks imposed by browsing and explore some recent examples of these attacks, with an eye-opening review of the attacker “community” and how it operates (technically and economically). To conclude, the technical aspects of these attacks will be examined in light of the security mechanisms currently available to counteract them, followed by a short discussion of how to handle the more sophisticated attacks.

Revision as of 01:54, 20 August 2007

At Watchfire, Herzliya, Wednesday, September 5th 2007, 17:00

The next meeting of OWASP IL, the Israeli chapter of OWASP, will be held at the Watchfire offices in Herzliya on Wednesday, September 5th at 17:00. Watchfire will also sponsor the meeting.

The meeting is part of OWASP Day, a worldwide OWASP one-day conference on Privacy in the 21st Century, which is in turn OWASP's contribution to the Global Security Week.

The agenda of the meeting is:

17:00 – 17:15 Gathering and refreshments


15:10 – 15:40 Straight from BlackHat: Dangling Pointers

Jonathan Afek, Senior Security Researcher, Watchfire

This is the presentation material as I presented it at BlackHat. Some changes will be applied according to the time frame we can get for the presentation, and it will be less technical. This subject is a general security problem for applications developed in native-code (non-managed) object-oriented languages such as C++, and it applies to web applications developed in these languages too. The specific issue demonstrated was found in the IIS 5.1 web server.


15:10 – 15:40 Evasive Crimeware attacks, Business Risk, and Proposed Defense

Iftach Amit, Director Security Research, Finjan

The presentation will explore the “other side” of web security: the client side. As traditional web application security starts to pay more attention to the client side, which has become a major part of the web application security market (can you spell XSS without a client involved…), more and more attack vectors are re-targeting the browser as a way into the organization.

In the presentation we will look at the business risks imposed by browsing and explore some recent examples of these attacks, with an eye-opening review of the attacker “community” and how it operates (technically and economically). To conclude, the technical aspects of these attacks will be examined in light of the security mechanisms currently available to counteract them, followed by a short discussion of how to handle the more sophisticated attacks.