Difference between revisions of "OWASP Israel 2007 Conference at the Interdisciplinary Center Herzliya (IDC)"

From OWASP
Jump to: navigation, search
 
(45 intermediate revisions by one user not shown)
Line 1: Line 1:
OWASP Israel 2007 Conference will be held at the Interdisciplinary Center (IDC) Herzliya on Dec 3rd 2007. OWASP is the leading non for profit organization focusing on web application security. In [http://www.owasp.org/index.php/Israel#Previous_Chapter_Meetings Previous Israeli OWASP conferences] we had great talks and drew a significat crowd and we hope to replicate the success this time.
+
[[Category:Israel]]
 +
OWASP Israel 2007 Conference was held at the Interdisciplinary Center (IDC) Herzliya on Dec 3rd 2007. More than 200 people attended the conference and enjoyed interesting presentations, a great networking opportunity. OWASP Israel 2007 became a must be for any application security professional and drew a lot of people from the wider information security community as well.
  
You are all invited to hear our great speakers and enjoy the very professional crowd gathering for the event.
+
== Sponsors & Contributors ==
  
The meeting is sponsored by [http://www.breach.com Breach Security], [http://www.hacktics.com Hacktics], [http://www.gamasec.com GamaSec] and the [http://portal.idc.ac.il/en/main/academics/cs/Pages/General.aspx Efi Arazi school of Computer Science at the Interdisciplinary Center (IDC) Herzliya].
+
The meeting is sponsored by [http://www.breach.com Breach Security], [http://www.hacktics.com Hacktics], [http://www.gamasec.com GamaSec], [http://www.applicure.com Applicure], The National Information Security Forum and the [http://portal.idc.ac.il/en/main/academics/cs/Pages/General.aspx Efi Arazi school of Computer Science at the Interdisciplinary Center (IDC) Herzliya].
  
  
<center>[[Image:Breach_logo.gif]]&nbsp;&nbsp;&nbsp;&nbsp;[[Image:OWASP_IL_Sponsor_GamaSec_Logo.jpg‎]]&nbsp;&nbsp;&nbsp;&nbsp;[[Image:OWASP_IL_Sponsor_Hacktics.jpg|160px]]</center>
+
<center>[[Image:Breach_logo.gif]]&nbsp;&nbsp;&nbsp;&nbsp;[[Image:OWASP_IL_Sponsor_Hacktics.jpg|160px]]&nbsp;&nbsp;&nbsp;&nbsp; https://www.owasp.org/images/b/bb/OWASP_IL_Sponsor_GamaSec.jpg &nbsp;&nbsp;&nbsp;&nbsp; https://www.owasp.org/images/c/c8/OWAS_IL_Sponsor_Applicure.JPG &nbsp;&nbsp;&nbsp;&nbsp; https://www.owasp.org/images/8/8c/OWASP_IL_LOGO_NISF.jpg &nbsp;&nbsp;&nbsp;&nbsp;[[Image:OWASP_IL_Sponsor_IDC.jpg|160px]]</center>
  
  
Additoinal sponsorship opportunities still avaialble, [mailto:ofer@shezaf.com contact me] for details.
+
Additional [[OWASP_IL_Sponsorship|sponsorship]] opportunities still available, [mailto:ofer@shezaf.com contact me] for details.
  
__TOC__
 
  
== Location ==
+
I would also like to thank those individuals which without their help this event would not be possible:
  
The conference will be held at the campus of the Interdisciplinary Center (IDC) Herzliya. Parking is avaialble outside the campus and there will be signs from the gate directiting the arrivals to the lecture hall.
+
* Dr. Anat Bremler-Bar, our host at the IDC.
  
You can find instructions and a map on arriving to the campus [http://portal.idc.ac.il/he/Main/about_idc/campus_tour/Pages/MapsDirections.aspx here] (Hebrew).
+
* Shay Shuker, on helping with organization.
  
== Registration ==
+
* Bat-Sheva Shezaf, who took pictures.
  
The conference is free and open to all, but please register by sending an e-mail to me at ofer@shezaf.com. We need to know how many people will arrive in order to be prepared.
+
== Pictures ==
 +
 
 +
The pictures from the conference available [http://picasaweb.google.com/oshezaf/OWASPIsrael2007 here].
  
 
== Program ==
 
== Program ==
  
The following presentation will be given at OWASP Israel 2008:
+
The following presentation where given at OWASP Israel 2007:
  
<big>'''Cross Site Request Forgery - Overview and Solutions'''</big><br>
+
=== [[Media:OWASP_IL_2007_CSRF_basics.ppt|Cross Site Request Forgery - Overview and Solutions]] ===
 
'''Ofer Shezaf, OWASP IL chapter leader, Breach Security'''
 
'''Ofer Shezaf, OWASP IL chapter leader, Breach Security'''
  
Line 34: Line 36:
 
Ofer will also update on the OWASP 2007 conference in San Jose and other OWASP news.
 
Ofer will also update on the OWASP 2007 conference in San Jose and other OWASP news.
  
 +
([[Media:OWASP_IL_2007_CSRF_basics.ppt|PowerPoint]], [ftp://ftp.idc.ac.il/csvideos/OWASP%2007/Ofer%20Shezaf_1.wmv video])
  
<big>'''Defeating Web 2.0 Attacks without Recoding Applications'''</big><br>
+
=== [[Media:OWASP-WASCAppSec2007SanJose_DefeatWeb2.0Attacks.ppt|Defeating Web 2.0 Attacks without Recoding Applications]] ===
 
'''Amichai Shulman, CTO, Imperva'''
 
'''Amichai Shulman, CTO, Imperva'''
  
Line 42: Line 45:
 
This talk was presented in OWASP 2007 in San Jose.
 
This talk was presented in OWASP 2007 in San Jose.
  
 +
([[Media:OWASP-WASCAppSec2007SanJose_DefeatWeb2.0Attacks.ppt|PowerPoint]], [ftp://ftp.idc.ac.il/csvideos/OWASP%2007/Amihai%20Shulman_chunk_1.wmv video])
  
<big>'''Harvesting Skype Super-Nodes'''</big><br>
+
=== Hunting Down XSS Vulnerabilities ===
'''Omer Dekel, IDC'''
+
'''Erez Metula, Application Security Department Manager, 2Bsecure'''
  
Skype has revolutionized the way we use VoIP and has entered almost every network and all parts of the Internet. However, little is known about the way the Skype Network operates. Further, since its traffic is encrypted and bypasses firewalls, the network administrators have almost no ability to monitor or filter Skype.
+
XSS is the most common web application vulnerability and leads the OWASP top 10. The lecture will discuss automatic and manual approaches for detecting XSS vulnerabilities. Erez will present tools used to find XSS vulnerabilities as well as innovative method to overcome obstacles when looking for vulnerabilities.
In this work we explore the possibility of filtering Skype traffic by harvesting its Super Nodes (SNs), which form the heart of Skype, and of blocking  the network nodes from connecting to them. Using experimental results and an analytic model we show that it is possible to collect a large enough number of SNs as to block, with a probability higher than 95%, the service for an arbitrary connecting client.
+
  
This talk is based on a research project done with Dr. Anat Bremler-Barr (IDC) & Prof. Hanoch Levy (ETH)
+
([ftp://ftp.idc.ac.il/csvideos/OWASP%2007/Erez_chunk_1.wmv video])
  
 +
=== The National Information Security Forum ===
 +
'''Avi Weissman, CEO, See-Security'''
  
<big>'''The PKI Lie - Attacking Certificate-Based Authentication'''</big><br>
+
Avi will take 10 minutes to announce and describe the new [http://www.nisf.org.il national information security forum (NISF]), a new information security initiative that we welcome and would like to cooperate with at OWASP.
'''Ofer Maor, CTO, Hacktics'''
+
  
While public key cryptography and client side certificates have certainly proved to be a very valuable security mechanism, blind reliance on them may lead to a disaster. These complex technologies are prone to implementation and deployment mistakes that hinders them useless. Ofer will discuss and demonstrate some common implementation pitfalls he often sees in real life PKI based authentication systems.
+
=== How Dangerous Is It Out There? ===
 +
'''Dror Paz, Director of Professional Services, Breach Security'''
  
This talk was presented in OWASP 2007 in San Jose.
+
One of the key issues facing application security professionals is the lack of information about the actual risk. The number of reported incidents is small, and therefore while the potential danger of web layer attacks is known, whether and how this potential is abused is a great mystery. In the presentation, Dror Paz will show what’s really happening out there, based on work done in project such as the open proxy honeypot project, WASC statistics project and the Web Hacking Incidents database as well as information gathered (incognito) from Breach installations around the globe.
  
 +
this presentation was canceled since Dror was sick and would be rescheduled for a future OWASP meeting.
  
<big>'''Hunting Down XSS Vulnerabilities'''</big><br>
+
=== [[Media:OWASP_IL_2007_SOA_security.ppt|SOA security]] ===
'''Erez Metula, Applicatoin Security Consultant, 2Bsecure'''
+
'''Iris Levari, Amdocs'''
  
XSS is the most common web application vulnerability and leads the OWASP top 10. The lecture will discuss automatic and manual approaches for detecting XSS vulnerabilities. Erez will present tools used to find XSS vulnerabilities as well as innovative method to overcome obstacles when looking for vulnerabilities.
+
As application security specialists we need to follow up with information technology trends. Service Oriented Architecture (SOA) is a new method for developing large scale enterprise applications that promise to revolutionize the IT landscape. Applications built around SOA isolates each business process into a separate service that can serve and interconnect with other services. SOA can use different technologies such as XML, Web Services and SOAP as its infrastructure. The presentation will explain SOA and discuss the security features and considerations when adapting SOA.
  
 +
([[Media:OWASP_IL_2007_SOA_security.ppt|PowerPoint]], [ftp://ftp.idc.ac.il/csvideos/OWASP%2007/Iris%20Lev-Arie_chunk_1.wmv video])
  
<big>'''How Dangerous Is It Out There?'''</big><br>
+
=== [[Media:OWASP-WASCAppSec2007SanJose_PKILie.ppt|The PKI Lie - Attacking Certificate-Based Authentication]] ===
'''Dror Paz, Director of Professional Services, Breach Security'''
+
'''Ofer Maor, CTO, Hacktics'''
  
One of the key issues facing application security professionals is the lack of information about the actual risk. The number of reported incidents is small, and therefore while the potential danger of web layer attacks is known, whether and how this potential is abused is a great mystery. In the presentation, Dror Paz will show what’s really happening out there, based on work done in project such as the open proxy honeypot project, WASC statistics project and the Web Hacking Incidents database as well as information gathered (incognito) from Breach installations around the globe.
+
While public key cryptography and client side certificates have certainly proved to be a very valuable security mechanism, blind reliance on them may lead to a disaster. These complex technologies are prone to implementation and deployment mistakes that hinders them useless. Ofer will discuss and demonstrate some common implementation pitfalls he often sees in real life PKI based authentication systems.
  
 +
This talk was presented in OWASP 2007 in San Jose.
  
<big>'''Smuggling SQL injection attacks'''</big><br>
+
([[Media:OWASP-WASCAppSec2007SanJose_PKILie.ppt|PowerPoint]], [ftp://ftp.idc.ac.il/csvideos/OWASP%2007/Ofer%20Maor_chunk_1.wmv video])
'''Avi Douglen, Application Security Consultant, ComSec'''
+
  
SQL Injection is a common, well-understood application-level attack against databases. Several protection mechanisms exist for protecting from SQL injection attacks, including input validation and use of stored procedures. The presentation will discuss novel techniques to bypass these protection mechanisms by exploiting deference in interpretation between systems.  
+
=== [https://www.owasp.org/images/1/1f/OWASP_IL_2007_Harvesting_Skype_SuperNodes.pdf Harvesting Skype Super-Nodes] ===
 +
'''Omer Dekel, IDC'''
  
This is a new research work presented for the first time in OWASP Israel 2008.  
+
Skype has revolutionized the way we use VoIP and has entered almost every network and all parts of the Internet. However, little is known about the way the Skype Network operates. Further, since its traffic is encrypted and bypasses firewalls, the network administrators have almost no ability to monitor or filter Skype.
 +
In this work we explore the possibility of filtering Skype traffic by harvesting its Super Nodes (SNs), which form the heart of Skype, and of blocking  the network nodes from connecting to them. Using experimental results and an analytic model we show that it is possible to collect a large enough number of SNs as to block, with a probability higher than 95%, the service for an arbitrary connecting client.
  
 +
This talk is based on a research project done with Dr. Anat Bremler-Barr (IDC) & Prof. Hanoch Levy (ETH)
  
<big>'''SOA security'''</big><br>
+
[[Media:OWASP_IL_2007_Harvesting_Skype_SuperNodes.pdf‎|Download presentation (PDF format)]]
'''Iris Levari, Amdocs'''
+
  
As application security specialists we need to follow up with information technology trends. Service Oriented Architecture (SOA) is a new method for developing large scale enterprise applications that promise to revolutionize the IT landscape. Applications built around SOA isolates each business process into a separate service that can serve and interconnect with other services. SOA can use different technologies such as XML, Web Services and SOAP as its infrastructure. The presentation will explain SOA and discuss the security features and considerations when adapting SOA.
+
=== [[Media:OWASP_IL_2007_SQL_Smuggling.pdf‎|Smuggling SQL injection attacks]] ===
 +
'''Avi Douglen, ComSec'''
 +
 
 +
SQL Injection is a common, well-understood application-level attack against databases. Several protection mechanisms exist for protecting from SQL injection attacks, including input validation and use of stored procedures. The presentation will discuss novel techniques to bypass these protection mechanisms by exploiting differences in interpretation between systems.
 +
 
 +
This is a new research work presented for the first time in OWASP Israel 2007.
 +
 
 +
([[Media:OWASP_IL_2007_SQL_Smuggling.pdf‎|PDF]], [ftp://ftp.idc.ac.il/csvideos/OWASP%2007/Avi%20Doglen_chunk_1.wmv video])

Latest revision as of 06:33, 10 March 2009

OWASP Israel 2007 Conference was held at the Interdisciplinary Center (IDC) Herzliya on Dec 3rd 2007. More than 200 people attended the conference and enjoyed interesting presentations, a great networking opportunity. OWASP Israel 2007 became a must be for any application security professional and drew a lot of people from the wider information security community as well.

Contents

Sponsors & Contributors

The meeting is sponsored by Breach Security, Hacktics, GamaSec, Applicure, The National Information Security Forum and the Efi Arazi school of Computer Science at the Interdisciplinary Center (IDC) Herzliya.


Breach logo.gif    OWASP IL Sponsor Hacktics.jpg     OWASP_IL_Sponsor_GamaSec.jpg      OWAS_IL_Sponsor_Applicure.JPG      OWASP_IL_LOGO_NISF.jpg     OWASP IL Sponsor IDC.jpg


Additional sponsorship opportunities still available, contact me for details.


I would also like to thank those individuals which without their help this event would not be possible:

  • Dr. Anat Bremler-Bar, our host at the IDC.
  • Shay Shuker, on helping with organization.
  • Bat-Sheva Shezaf, who took pictures.

Pictures

The pictures from the conference available here.

Program

The following presentation where given at OWASP Israel 2007:

Cross Site Request Forgery - Overview and Solutions

Ofer Shezaf, OWASP IL chapter leader, Breach Security

Cross Site Request Forgery (CSRF) made the highest entry into this year's version of the OWASP top 10, jumping straight to number 5. But as common and dangerous as it is, CSRF has remained obscured to many, and the ways to protect your application even less well understood. This turbo talk will provide an overview of CSRF and the common ways to mitigate it, leading to Amichai Shulman’s presentation which will present innovative methods for protecting from CSRF.

Ofer will also update on the OWASP 2007 conference in San Jose and other OWASP news.

(PowerPoint, video)

Defeating Web 2.0 Attacks without Recoding Applications

Amichai Shulman, CTO, Imperva

Amichai will present a novel approach for solving client side solutions which would naturally be considered out of reach for server applications such as CSRF and JavaScript Hijacking. The method uses a gateway to inject a script that will require feedback from the client. If you have seen the presentation about content injection in the last OWASP IL meeting and felt it lacked actual working examples, Amichai provides some very strong evidence of the usefulness of this method.

This talk was presented in OWASP 2007 in San Jose.

(PowerPoint, video)

Hunting Down XSS Vulnerabilities

Erez Metula, Application Security Department Manager, 2Bsecure

XSS is the most common web application vulnerability and leads the OWASP top 10. The lecture will discuss automatic and manual approaches for detecting XSS vulnerabilities. Erez will present tools used to find XSS vulnerabilities as well as innovative method to overcome obstacles when looking for vulnerabilities.

(video)

The National Information Security Forum

Avi Weissman, CEO, See-Security

Avi will take 10 minutes to announce and describe the new national information security forum (NISF), a new information security initiative that we welcome and would like to cooperate with at OWASP.

How Dangerous Is It Out There?

Dror Paz, Director of Professional Services, Breach Security

One of the key issues facing application security professionals is the lack of information about the actual risk. The number of reported incidents is small, and therefore while the potential danger of web layer attacks is known, whether and how this potential is abused is a great mystery. In the presentation, Dror Paz will show what’s really happening out there, based on work done in project such as the open proxy honeypot project, WASC statistics project and the Web Hacking Incidents database as well as information gathered (incognito) from Breach installations around the globe.

this presentation was canceled since Dror was sick and would be rescheduled for a future OWASP meeting.

SOA security

Iris Levari, Amdocs

As application security specialists we need to follow up with information technology trends. Service Oriented Architecture (SOA) is a new method for developing large scale enterprise applications that promise to revolutionize the IT landscape. Applications built around SOA isolates each business process into a separate service that can serve and interconnect with other services. SOA can use different technologies such as XML, Web Services and SOAP as its infrastructure. The presentation will explain SOA and discuss the security features and considerations when adapting SOA.

(PowerPoint, video)

The PKI Lie - Attacking Certificate-Based Authentication

Ofer Maor, CTO, Hacktics

While public key cryptography and client side certificates have certainly proved to be a very valuable security mechanism, blind reliance on them may lead to a disaster. These complex technologies are prone to implementation and deployment mistakes that hinders them useless. Ofer will discuss and demonstrate some common implementation pitfalls he often sees in real life PKI based authentication systems.

This talk was presented in OWASP 2007 in San Jose.

(PowerPoint, video)

Harvesting Skype Super-Nodes

Omer Dekel, IDC

Skype has revolutionized the way we use VoIP and has entered almost every network and all parts of the Internet. However, little is known about the way the Skype Network operates. Further, since its traffic is encrypted and bypasses firewalls, the network administrators have almost no ability to monitor or filter Skype. In this work we explore the possibility of filtering Skype traffic by harvesting its Super Nodes (SNs), which form the heart of Skype, and of blocking the network nodes from connecting to them. Using experimental results and an analytic model we show that it is possible to collect a large enough number of SNs as to block, with a probability higher than 95%, the service for an arbitrary connecting client.

This talk is based on a research project done with Dr. Anat Bremler-Barr (IDC) & Prof. Hanoch Levy (ETH)

Download presentation (PDF format)

Smuggling SQL injection attacks

Avi Douglen, ComSec

SQL Injection is a common, well-understood application-level attack against databases. Several protection mechanisms exist for protecting from SQL injection attacks, including input validation and use of stored procedures. The presentation will discuss novel techniques to bypass these protection mechanisms by exploiting differences in interpretation between systems.

This is a new research work presented for the first time in OWASP Israel 2007.

(PDF, video)