Latest Event Updates

Workshop prerequisites

If you plan to attend one of the workshops, you should prepare by bringing a laptop with the prerequisites listed below to get the most out of your participation:

WebGoat: Teaching application security 101 with Nanne Baars
  • Java 8
  • Docker
  • Burp or ZAP or any other favorite proxy interceptor tool
  • Maven 3 (optional)

Gothenburg pwns the OWASP Juice Shop with Björn Kimminich
  • Node.js (v4, 6 or 7) OR
  • Docker OR
  • Vagrant

Digital Forensics: Know your enemy and know yourself with Ahmed Neil

Software installation is done during the workshop.

Passwords are dead! with Viktor Lindström

Hardware is provided by OWASP Gothenburg. Software installation is done during the workshop.

See you on Thursday!

The end is nigh!

Now it’s only a few days until the security event of the year! We are officially sold out and have done everything we can to serve you high-quality security content throughout the day. We are very excited and look forward to seeing you on Thursday!

The registration starts at 8.30. Make sure to be on time and grab a tasty breakfast roll and a cup of coffee before the talks and workshops start at 9.00. The schedule can be found here: https://owaspgbgday.se/schedule/
The conference will run three parallel tracks – one speaker track in the Pascal room and two workshop tracks in the Tesla and Kelvin rooms. All conference visitors are free to participate in workshops and watch talks of their choice. However, the workshop seats are limited and provided on a first come, first served basis. There will be no reservations, so make sure to be on time and take a seat if you are aiming for a specific workshop.

There has been a slight change in the workshop area. The previously communicated OWASP ZAP workshop has been canceled. Instead, you will get the opportunity to solder and program your own USB-based two-factor authentication device to bring home. The workshop has 10 seats and will be headed by Viktor Lindström. Go there for some serious hardware work!

After the last presentation, we will walk across the hallway to L’s Resto for a security pub with beer and quiz. Be there or be square!

Viktor Lindström – Passwords are dead! (workshop)

Passwords are dead! We all know it, they can no longer be trusted. Only this year, the well-known Troy Hunt has made his point over and over and OVER again. Yahoo did a boo boo, LinkedIn did a boo boo, Dropbox did a boo boo… The list is so long it’s not even worth continuing; it just makes you sad. You will know it for real if you had a “friend” that had an account on Adult Friend Finder or Ashley Madison.
So let’s step back and take a look at authentication. Wouldn’t it be nice if it were more like a real, tangible item which, when activated, grants you access when you use it? It’s groundbreaking! IT’S U2F-ZERO! Take this chance and build your own 2-Factor Authentication Key, and use it for your GitHub or Gmail, or why not implement 2FA on your own webpage.

To be clear – this workshop actually involves soldering your own 2FA device that works. Components are free. No equipment required. Limited seats.

Viktor Lindström has a passion for security and loves the offensive as well as the defensive side. Currently he focuses his daily work on the automotive industry, trying to do more good than bad. He has worked as a programmer, pentester and adviser, and loves spreading the word about security.

Lucas Lundgren, Neil Hindocha – LIGHT-WEIGHT PROTOCOL! SERIOUS EQUIPMENT! CRITICAL IMPLICATIONS!

Lucas Lundgren has vast experience in IT security, with the “bad luck” (or tendency) to annoy companies by reporting vulnerabilities in their products. He started breaking things at the age of twelve, and has reported numerous vulnerabilities in various products. Having worked with penetration testing professionally for over 19 years, Lucas has held IT security positions within companies such as Sony Ericsson and IOActive. He was also part of Corelan Team before moving on to FortConsult (part of NCC Group).

Lucas has been breaking everything from OS vendors to financials, and he has spent a considerable amount of time inside “impenetrable fortresses”. He primarily focuses on penetration testing as well as fuzzing and exploit development, no matter the platform or medium, and he also has a passion for IoT and Smart Technology.

Pierre Pavlidès – Overview of some automotive RKE systems

Car security started as a simple means to prevent car theft. The issue is becoming increasingly serious with onboard computers controlling every key component. Some are now part of the Internet of Things, or even self-driving. Massive car hacking à la Ghost in the Shell may come sooner than we think.
In this talk, however, we will come back to one of the security features used by the vast majority of our cars: remote keyless entry (RKE) systems. These systems are in charge of locking and unlocking the car when the owner pushes the corresponding button on the remote control.
Like any computing system, RKE schemes may be prone to security issues. We will present two categories of vulnerabilities that allow an attacker to clone a key fob under the right circumstances and (un)lock the car at will. Such insecure schemes have been used by major manufacturers for more than 20 years.
This talk is based on the paper “Lock It and Still Lose It – On the (In)Security of Automotive Remote Keyless Entry Systems” presented at the 25th USENIX Security Symposium (August 2016) and authored by Flavio D. Garcia, David Oswald, Timo Kasper and Pierre Pavlidès.

Pierre Pavlidès studied RKE systems during his Master of Science at the School of Computer Science of the University of Birmingham (UK). Today he is working as a pentester and security trainer at Lexsi in France.

Ahmed Neil – Digital Forensics: Know your enemy and know yourself (workshop)

The widespread use of computers in many fields of daily life has caused computer crimes to increase. This has allowed cybercriminals to maliciously attack vital computational infrastructure to obtain or misuse information illegally. After a crime has occurred on a computer device, an investigation process should take place to reveal what happened based on the evidence. It is used to solve a mysterious event and to help the court ascertain whether the suspect is innocent or guilty. In this talk I will be showing various techniques to extract and investigate digital evidence. I will also discuss some areas where an investigator can extract data from digital media.

Ahmed M Neil is a well-known thought leader in application security and digital forensics whose work focuses on approaches to information security, risk analysis, and digital forensics. He holds an MSc in Information Systems – Computer Forensics from Mansoura University, Egypt. He is available to travel for the purpose of consultation with other experts in the field of security. He is also willing to train others so that they may share his methods, seminars, workshops and professional procedures.

Alex Inführ – PDF + the Web: What could possibly go wrong

PDF is a well-known file format in the world of PCs and even mobile phones.

This talk will focus on PDF features in the context of the World Wide Web.

As soon as a PDF is opened in a web browser, the rules and security implications change.

The talk will discuss features like FormCalc, an easy-to-use language to access files on the same origin.

I will show how FDF can be used to steal a static PDF, which cannot be influenced by an attacker at all.

Additionally, some unfinished research will be shown, along with a short glimpse of why Foxit Reader is even worse than Adobe Reader.

Alexander Inführ started his career as a Penetration Tester for Cure53 during his studies.

His research focuses on modern web browsers and the technology they use. This led to a contract with Microsoft, where he worked with an external team which was assigned to uncover flaws in Internet Explorer.

Today he is researching the Portable Document Format and modern PDF viewers. He has presented his findings at conferences such as BSides Vienna, IT-SECX, OWASP AppSec 2015 and HackPra.

Nanne Baars – WebGoat: Teaching application security 101 (workshop)

A good defense against insecure code requires understanding the mechanics behind how attackers exploit simple programming mistakes.

The WebGoat team will walk through exercises like SQL Injection, XSS, ReDOS, CSRF, … and demonstrate how these exploits work.

We will show you how you can use WebGoat to train your developers to avoid these simple but common programming mistakes.

We also show you how to extend WebGoat to create lessons specific to your environment.

Join us to learn the most basic, but common, application security problems.

Björn Kimminich – Gothenburg pwns the OWASP Juice Shop (workshop)

OWASP Juice Shop is an intentionally insecure web app made for pentesting and security awareness trainings. It is written entirely in the most sophisticated, beautiful and secure language on the planet: JavaScript! With reference to the OWASP Vulnerable Web Applications Directory it seems to be the first (intentionally) broken web app published using Express/Angular/Node! In this session you will…

…learn why and how the Juice Shop was created! (25min)

…join Joe Average on a regular customer’s shopping tour! (5min)

…actively search and mercilessly exploit vulnerabilities in the application… (120min)

…thus releasing lots of happiness hormones as more and more achievement notifications light up in bright green! (instantly during hacking)

…be shown some of the harder challenge solutions on stage (10min)

Please bring your own laptop with a local installation of OWASP Juice Shop to the workshop! The application can be run locally on Node.js, as a Docker container or in a Vagrant VM: https://github.com/bkimminich/juice-shop#setup. You can also bring all your favorite pentesting tools! Or just your favorite browser! Both work fine for hacking the Juice Shop!

If someone feels like translating (https://crowdin.com/project/owasp-juice-shop) the application into Swedish before the OWASP Gothenburg Day, I’ll bring a Juice Shop t-shirt to the event and hand it over live on stage! For everyone else, there will be free laptop stickers and also pin-back buttons!

Björn is a “hands-on coding architect” working for over 10 years in the area of software development, IT architecture and application security. His most sophisticated open source work (https://github.com/bkimminich) is the intentionally insecure web application Juice Shop, which recently became an OWASP Tool Project.

Avi Douglen – Passwords, Rehashed All Over Again

Passwords suck.

It’s no secret – passwords are boring, passwords are weak, passwords are STOOPID. We all hate using them, we all hate building systems for them, we all hate breaking them, we all just hate dealing with them. Nevertheless, passwords are here to stay as the most common authentication mechanism. At least, passwords are a simple mechanism, and we all understand how to protect them well enough.

Then how come we keep getting them wrong?

Wait, whaaaat??

Not only are password protected sites usually flawed; not only are millions of passwords stolen more often than stupid cat pictures are posted to Facebook; not only does your mother reuse the same simple password everywhere – we, the security industry, keep giving bad password advice!

This talk will discuss popular misconceptions regarding how to secure passwords, even amongst security experts. We will also show some practical attacks against the common recommendations in this area. Finally, I will share the simple solutions that we should be recommending, and prove mathematically that they are correct.

AviD has always denied being a hipster, but when it comes to password misuse he is a downright cranky neckbeard.

During his many years as a developer, security lead, and consultant, he has been party to some pretty poor password practices. (Pretty poor password practice parties are not as much fun as you might think). Now, he is attempting to atone for that, and throws a hissy fit every time he encounters a site with counter-productive password practices. Stay on his good side and do the right thing.

For the past X years, AviD has been working as a consultant, supporting organizations of all sizes in integrating security methodologies and products into their development processes. He spends a lot of time doing security research, and often provides training on secure coding and other security topics. He is also a frequent speaker at industry conferences, such as OWASP and RSA.

AviD also leads the OWASP Israel chapter, is a community moderator on https://security.StackExchange.com/, and volunteers as a high school tech teacher.