8th OWASP IL chapter meeting

Revision as of 01:47, 20 August 2007 by Oshezaf (Talk | contribs)

Jump to: navigation, search

At Watchfire, Herzliya, Wednesday, September 5th 2007, 17:00

OWASP IL Sponsor Watchfire.jpg
The next meeting of OWASP IL, The Israeli Chapter of OWASP, would be held at Watchfire offices in Herzelia on Wed, September 5th at 17:00. Watchfire will also sponsore the meeting.

The agenda of the meeting is:

17:00 – 17:15 Gathering and refreshments

15:10 – 15:40 Straight from Blackhat: Dangling Poniters

Jonathan Afek, Senior Security Researcher, Watchfire

15:40 – 16:00 Malicious content in enterprise portals

Shalom Carmel, A security icon, the world's authority on hacking AS/400 and a BlackHat 2006 speaker

In 2005, enterprise portals rank in the top 10 of CIO technology focus areas in many surveys. The main drivers of the portal business growth are the horizontal portal suites, which provide content management capabilities, application integration tools, and specific solutions for collaboration and knowledge management. This lecture will address the security problems an enterprise may have due to the various content management abilities in a typical Portal implementation, and will focus on cross site scripting attacks.

16:00 – 16:30 Information Warfare against commercial companies – lessons from dealing with hostile internet entities

Ariel Pisetsky, CISO and Infrastructure Manager, NetVision

During the recent war in the north, many information security events where detected in private and government organization. These events, usually no more than web site defacement, provide an opportunity to examine a large scale hostile activity against web sites affiliated with Israel. Commercial companies with no direct relation to the war found themselves under a direct attack or indirectly affected due to attacks on ISPs and the Internet Infrastructure in Israel.

In the presentation we will discuss what happened during this summer of war, whether it can be classified as information warfare and what are the lessons that can be learnt going forward

16:30 – 16:45 Break, coffee, tea & fruits

16:45 – 17:15 Real vs. Virtual Patching

Ravid Lazinski, Technical Manager, Applicure Technologies

The penetration team has found a bug. What's next? In order to prevent exploitation, the application has to be patched.

The presentation will discuss the advantage and disadvantages of the two available solutions: patching the application or using an external patching solution in a process called "virtual patching".

17:15 – 17:45 "The Core Rule Set": Generic detection of application layer attacks

Ofer Shezaf, CTO, Breach Security, OWASP IL chapter Leader, Director, the Web Application Security Consortium

Web Applications are unique, each one having its own vulnerabilities and therefore a positive security model is usually considered the optimal way to protect them. The ModSecurity open source project has recently released a "core rule set", essentially a set of super signatures that try to provide significant security to custom application without the effort of defining a positive security model.

The lecture will discuss generic application security signatures and rules, how they differ from network centric signatures and their strengths and limitations when dealing with the OWASP top 10 attacks.

17:50 – 18:00 Break

18:00 – 18:30 The OWASP Top Ten Backdoors

Yaniv Simsolo, Application Security Consultant, Comsec Consulting

Just as the OWASP Top Ten outlines the top ten mistakes that developers make in applications, the top ten backdoors discuss the features developed on purpose, that do just the same: leave the application vulnerable. Backdoors are more common than developers and system professionals think. Hackers and malicious users can exploit backdoors easily, without leaving any special traces in the system. An SQL interface to an application, providing a lot of flexibility but little security is a good example of such a backdoor.

The presentation will discuss common backdoors found in web applications and how they relate to the OWASP top 10.

18:30 – 19:15 Hacking The Framework

Nimrod Luria, Head Of Consulting Services, 2Bsecure

Modern development environment such as .Net and J2EE promise enhanced security by relying on the framework services rather than good coding. The presentation will demonstrate using real hacking demos the weak points in such frameworks using .Net as an example.