Cobalt Crowdsourced Application Pentest


3 Takeaways from OWASP AppSec Israel 2018

Swaroop Yermalkar
Sep 21, 2018

The OWASP AppSec Israel 2018 conference, with 700+ participants, 18 talks, and a CTF, has just ended, and I would say it was a great experience both as a speaker and as an attendee.

I presented my talk “Is Your Mobile Application Storing Your Company Secrets?”, which covers recent critical findings in mobile apps that could have resulted in millions of dollars lost had they fallen into the wrong hands. My talk received a great response, and many attendees discussed various approaches to possible solutions.

This was my first trip to Tel Aviv, Israel, and my first time participating in the AppSec Israel conference. Below are some insights I’d like to share about the conference, my three takeaways:

1. The entire conference is free!: In the last few years, I’ve attended several conferences and none of them were free to attend. Some conferences have free sessions open to all, but not the entire conference. AppSec Israel was completely free to attend, with interesting talks, a high-tech venue, workshops, and free food.

Source: @OWASP_IL

2. Focus on Serverless, Smart Contracts, and DevSecOps: The conference had interesting talks focusing on serverless security, smart contracts, and DevSecOps. One of my friends, Mehul Patel, presented on the topic of “Serverless Authentication with JWT”. His talk was about why we should use JWTs in our applications when it comes to security. Another talk that I found very interesting was by Erez Metula on “Exploiting Smart Contracts For Fun And Profit”, which discussed common security vulnerabilities that can occur in smart contracts. Lastly, my friend Tanya Janca presented a great talk on “Security is everyone’s job”, which discussed introducing security right from the first step of requirement gathering through to release.

3. Free training for developers: One of the most important aspects of driving any application security program is training developers. Nowadays almost all information security conferences offer training, but usually at a high price point, which could be part of why developers may not attend. However, AppSec Israel had completely free training for developers. In addition, all the training courses were extremely hands-on, interactive, application-security-focused sessions.

My talk audience was mostly developers and pen testers interested in application security. I presented critical mobile findings such as:

1. Pwning AWS using an iOS Application

2. Accessing Upcoming (Un-released) Features

3. Presenting the OWASP iGoat Project (https://igoatapp.com/)

I want to say thanks to Cobalt.io (http://cobalt.io/) for supporting me on this trip. You can check out more details about the above critical findings here: https://resource.cobalt.io/is-your-mobile-app-storing-your-company-secrets

The conference had a selfie challenge for all speakers, and below is a snap from my talk (I’m not someone who normally takes selfies, but I accepted the challenge).

Photo from Selfie Challenge for Speakers

Want to dive deep into iOS app pen testing? Check out this free and open source project at http://igoatapp.com/. Feel free to reach out to me directly by commenting on this blog or find me on Twitter at @swaroopsy for additional queries. Stay tuned for more blogs!