2nd OWASP Israel mini conference at the Interdisciplinary Center

Board: Bugtraq
Posted: 2007/05/10 05:00
Hi fellow Security experts,

Following the big success of the 1st one, we are glad to announce the 2nd OWASP Israel mini conference at the Interdisciplinary Center Herzliya (IDC). The mini conference is a non-commercial event focusing on web application security. As you can see in the program below, we have carefully selected the presentations and we hope they are all relevant, informative and, most importantly, non-commercial. Nevertheless, we are happy to say that we were able to get very distinguished companies to sponsor the event and make sure that the refreshments will be great. The meeting is sponsored by Breach Security, Checkpoint, Hacktics, Applicure Technologies, Zend, Microsoft and the Interdisciplinary Center Herzliya (IDC).

The meeting will be held on Monday, May 21st, starting at 13:30 at the Interdisciplinary Center (IDC) Herzliya campus (driving directions will be sent to registrants). Participation is free and open to all, but please inform us (e-mail to ofers@breach.com) that you are coming, as space is limited. Feel free to spread the word about this meeting to anyone you feel would be interested. You can also subscribe to the OWASP Israel mailing list (http://lists.owasp.org/mailman/listinfo/owasp-israel) and receive updates regarding the chapter's meetings. For further details please contact us at ofers@breach.com or go to the web page at http://www.owasp.org/index.php/Israel#2nd_OWASP_IL_mini_conference_at_IDC.2C_May__21th_2007

Dr. Anat Bremler-Barr
Program Academic Director, Information Security Program
Efi Arazi School of Computer Science, IDC Herzliya

Ofer Shezaf
Chapter Leader, OWASP Israel
CTO, Breach Security

The agenda of the meeting is:

* Gathering and Refreshments
  13:30 - 14:00

* Updates from OWASP Europe, Milan
  Ofer Shezaf, OWASP IL chapter leader, CTO, Breach Security
  14:00 - 14:15
  Since the conference is just a few days after OWASP Europe 2007 in Milan, and since most of you would not have a chance to be there, I will try to convey the content and spirit of this unique conference to you. In addition you will hear Yair Amit, who will repeat the presentation he is going to give at OWASP Europe, and Erez Metula will build his lecture on the OWASP chief evangelist's presentation about .NET. For my presentation at OWASP Europe, you had to come to the previous OWASP IL Mini Conference.

* Pen-Testing at Microsoft: FuzzGuru fuzzing framework
  John Neystadt, Lead Program Manager, Microsoft Forefront Edge, Microsoft
  14:15 - 15:00
  Fuzzing is the main systematic methodology used these days by hackers to find vulnerabilities in web and other applications. Fuzzing can find buffer overrun, denial-of-service and information disclosure vulnerabilities. It should be done for C++, C#/Java, ASP/JP code. FuzzGuru is a generic network fuzzing development framework developed in the Microsoft Israel Development Center and is a formally recommended best practice for all products developed in Microsoft. In this talk John will present some fuzz-testing theory, demonstrate the tools and discuss Microsoft fuzzing practices.

* Unregister Attacks in SIP
  Ronit Halachmi-Bekel, Efi Arazi School of Computer Science at the Interdisciplinary Center (IDC) Herzliya
  15:00 - 15:40
  The presentation discusses research work done at the Interdisciplinary Center (IDC) Herzliya on the "unregister attack", a new kind of denial-of-service attack on SIP servers. In this attack, the attacker sends a spoofed "unregister" message to a SIP server and cancels the registration of the victim at that server. This prevents the victim user from receiving any calls. The research also offers a solution: the SIP One-Way Hash Function Algorithm (SOHA), motivated by the one-time password mechanism. SOHA prevents the unregister attack in all situations. The algorithm is easy to deploy since it requires only a minor modification, is fully backwards compatible and requires no additional configuration from the user or the server. The paper is joint work with Dr. Anat Bremler-Barr and Jussi Kangasharju. The paper was presented at the 14th IEEE International Conference on Network Protocols (ICNP).

* Break
  15:40 - 16:00

* Application Denial of Service; is it Really That Easy?
  Shay Chen, Hacktics
  16:00 - 16:40
  Denial of service attacks, which are quite a nuisance on the network layer, are a nightmare when done on the application layer, but are equally underrated. At our last conference, Dr. Anat Bremler-Barr discussed some of the theoretical aspects of application layer denial of service attacks. Shay Chen will expand on and explore the practicalities of application layer denial of service. He will show real world techniques, real life stories and personal experiences conducting DoS attacks during penetration testing on major Israeli sites.

* Behavioral Analysis for Generating a Positive Security Model for Applications
  Ofer Shezaf, OWASP IL chapter leader, CTO, Breach Security
  16:40 - 17:10
  In the last OWASP IL conference, as well as at OWASP Europe in Milan, I explored the potential of a negative security model for securing applications. While a negative security model can provide some level of security, most agree that a positive security model is preferable for protecting applications. However, building a rule set to provide positive security is a difficult and never-ending project. Modern tools employ behavioral analysis to build those rules automatically. The presentation will discuss the algorithms and methods used to automatically build an application layer positive security rule set, as well as the problems and limitations of such an approach.

* Overtaking Google Desktop - Leveraging XSS to Raise Havoc
  Yair Amit, Senior Security Researcher, Watchfire
  17:10 - 17:50
  Yair will present a ground-breaking research paper by Watchfire application security labs. The paper describes an innovative attack methodology against Google Desktop which enables a malicious individual to achieve remote, persistent access to sensitive data, and potentially full system control. This represents a significant real world example of a new generation of computer attacks which take advantage of Web application vulnerabilities, utilizing the increasing power of the Web browser. Their purpose is to remotely access private information. Yair will give this presentation the week before at OWASP Europe in Milan.

* Break
  17:50 - 18:00

* Application Security is Not Just About Development
  David Lewis, CISM, CISA, CISSP, Rosenblum Holtzman
  18:00 - 18:20
  What many developers forget is that, even though the application is a very important part of securing the "Gold" (the data), there are other risks that require their attention. These risks require their understanding, and preventative measures need to be implemented, managed and validated to limit the exposure to themselves and their organizations. E.g. developers do not see the need for securing their code. One of the things I will give you during my presentation is a reason why you should secure your code: it is one of the ways you will keep your job.

* .NET reverse engineering
  Erez Metula, Application Security Department Manager, 2Bsecure
  18:20 - 19:20
  The presentation will introduce MSIL (Microsoft Intermediate Language) and debugging MSIL. Based on this foundation the presentation will explore and demonstrate tools and techniques for changing the behavior of .NET assemblies and the CLR using reverse engineering techniques.
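The unregister attack described in the SIP talk above, and a one-time-password-style defence against it, as an added worked example. This is not part of the original announcement and is not the SOHA algorithm, which the announcement does not describe; the defence shown is a generic Lamport hash chain, chosen only because SOHA is said to be "motivated by the one-time password mechanism". The hypothetical X-Chain header, the domain example.invalid, the addresses, the seed and the trust-on-first-use enrolment are all assumptions of this demo, and the SIP messages are constructed with just the headers the demo needs.

```python
import hashlib
import re

# Constructed SIP messages: only the headers this demo needs, not a full SIP stack.
# The domain example.invalid and the X-Chain header are assumptions of this demo.

def build_register(aor, contact, expires, chain_value=None):
    """Build a minimal REGISTER.  Expires: 0 is the 'unregister' form of REGISTER."""
    msg = ("REGISTER sip:example.invalid SIP/2.0\r\n"
           f"To: <{aor}>\r\n"
           f"Contact: <{contact}>\r\n"
           f"Expires: {expires}\r\n")
    if chain_value is not None:
        msg += f"X-Chain: {chain_value}\r\n"   # hypothetical header carrying the hash-chain proof
    return msg + "\r\n"

def parse_register(msg):
    """Return the headers of a REGISTER as a dict keyed by lower-cased header name."""
    head = msg.partition("\r\n\r\n")[0]
    hdrs = {}
    for line in head.split("\r\n")[1:]:
        name, _, value = line.partition(":")
        hdrs[name.strip().lower()] = value.strip()
    return hdrs

def uri_in(header_value):
    """Extract the URI between angle brackets: '<sip:alice@host>' -> 'sip:alice@host'."""
    return re.search(r"<([^>]+)>", header_value).group(1)

class NaiveRegistrar:
    """Registrar that trusts the To header: whoever can send a packet can unregister anyone."""
    def __init__(self):
        self.contacts = {}                      # address-of-record -> contact URI

    def handle(self, msg):
        h = parse_register(msg)
        aor = uri_in(h["to"])
        if h["expires"] == "0":
            self.contacts.pop(aor, None)        # no check at all of who sent this
        else:
            self.contacts[aor] = uri_in(h["contact"])
        return "200 OK"

    def contact(self, aor):
        return self.contacts.get(aor)

def H(value: str) -> str:
    return hashlib.sha256(value.encode()).hexdigest()

def make_chain(seed: str, n: int):
    """Lamport-style one-time-password chain [h^1(seed), ..., h^n(seed)].
    The client commits h^n(seed) first and later reveals h^(n-1), h^(n-2), ... one per request."""
    chain, v = [], seed
    for _ in range(n):
        v = H(v)
        chain.append(v)
    return chain

class HashChainRegistrar:
    """Registrar that accepts a REGISTER (including Expires: 0) for a known address-of-record
    only if X-Chain hashes to the commitment stored for it.  The first registration is
    trust-on-first-use; that is an assumption of this toy, a real deployment would bind the
    commitment to an authenticated enrolment."""
    def __init__(self):
        self.contacts = {}                      # address-of-record -> contact URI
        self.commitments = {}                   # address-of-record -> last accepted chain value

    def handle(self, msg):
        h = parse_register(msg)
        aor = uri_in(h["to"])
        proof = h.get("x-chain")
        if proof is None:
            return "401 Unauthorized"
        if aor in self.commitments and H(proof) != self.commitments[aor]:
            return "401 Unauthorized"           # spoofed or replayed: no valid preimage
        self.commitments[aor] = proof           # chain advances; the revealed value cannot be replayed
        if h["expires"] == "0":
            self.contacts.pop(aor, None)
        else:
            self.contacts[aor] = uri_in(h["contact"])
        return "200 OK"

    def contact(self, aor):
        return self.contacts.get(aor)

def demo():
    """Run the unregister attack against both registrars and return the observable outcomes."""
    alice = "sip:alice@example.invalid"         # constructed victim address-of-record
    phone = "sip:alice@192.0.2.10"              # constructed contact
    spoofed = "sip:attacker@192.0.2.66"         # constructed attacker contact

    naive = NaiveRegistrar()
    naive.handle(build_register(alice, phone, 3600))
    naive.handle(build_register(alice, spoofed, 0))           # attacker forges Alice's To header
    naive_after_attack = naive.contact(alice)                 # None: Alice receives no more calls

    hardened = HashChainRegistrar()
    chain = make_chain("alice-device-secret", 5)              # constructed secret seed
    hardened.handle(build_register(alice, phone, 3600, chain[4]))         # commit h^5(seed)
    spoof_status = hardened.handle(build_register(alice, spoofed, 0, "deadbeef"))
    replay_status = hardened.handle(build_register(alice, spoofed, 0, chain[4]))  # replays the commitment
    after_spoof = hardened.contact(alice)                     # still registered
    legit_status = hardened.handle(build_register(alice, phone, 0, chain[3]))     # reveals h^4(seed)
    after_legit = hardened.contact(alice)                     # None: Alice unregistered herself
    return naive_after_attack, spoof_status, replay_status, after_spoof, legit_status, after_legit

if __name__ == "__main__":
    print(demo())
```

The point of the chain is that the registrar never stores anything an attacker could use: it holds only h^k(seed), and an eavesdropper who sees h^(k-1)(seed) on the wire cannot derive h^(k-2)(seed), so the sniffed value is worthless once the registrar has advanced past it. The demo shows the three failure modes a spoofer has: no proof header, a made-up proof, and a replay of an already-consumed value, all of which are refused while Alice's own next value is accepted.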
Article ID (AID): #16GZP-00 (Bugtraq)