OWASP IL Meetup - December 2024
Details
OWASP IL is excited to announce our next Meetup!
Join us for an evening filled with engaging discussions on application security, networking with the AppSec community, and of course, delicious food and drinks.
We're thrilled to have this event graciously hosted by JFrog at their amazing offices. Don't miss this opportunity to connect, learn, and grow with fellow security enthusiasts!
====================================================================
Agenda:
18:00 - 18:20 - Gathering and food - We will gather at JFrog's offices for drinks, great treats, and mingling.
18:20 - 18:30 - Keynote + microphone tuning
18:30 - 19:15 - Hacking Like a Developer: Applying a Developer Mindset to Blackbox Penetration Tests
Moti Harmats - Product Security Team Leader @ JFrog
In this session, we'll explore how adopting a developer's mindset can elevate your penetration testing techniques and uncover vulnerabilities more effectively. By leveraging tools like debuggers, developer tools, and runtime analysis, even without access to source code, you can gain deeper insights into application behavior.
We'll cover practical techniques for using these tools in blackbox environments, demonstrating how to trace application flows, identify critical breakpoints, and manipulate data to expose security flaws. Whether you're a seasoned pentester or just getting started, this talk will equip you with actionable techniques to think like a developer, hack like a pro, and improve the value of your penetration tests.
Small Break - 19:15 - 19:20
19:20 - 20:05 - Secure Your Gen Code
Or Sahar - Co-Founder @ Secure From Scratch
GenAI tools have transformed the way developers write code, but in many cases, this code does not adhere to secure coding practices. In this talk, we'll carefully examine how GenAI generates vulnerable code snippets and explore ways to generate secure ones.
This talk is designed for developers and team leads looking to leverage GenAI responsibly while ensuring code quality and security.
Small Break - 20:05 - 20:15
20:15 - 21:00 - DOM Jungle - Can We Trust The UI?
Gal Weizman - Security Engineer @ MetaMask
One thing's for sure: we can no longer fully trust all code running under the same origin as our app. This is due to today's development landscape, where web apps are mostly composed of third-party code that the app builders do not control.
Considering this, we can no longer trustfully perform many operations we are used to blindly trusting. A significant one is DOM interaction: if some code I don't trust can run in my app, how can I rest assured it doesn't manipulate the DOM and the content accessible to the user? If I present sensitive content to the user, can an attacker just steal it? What stops an attacker from changing my website's layout to phish the user?
The way the Web is designed, any JavaScript code running within a certain origin has full access to its document. Due to how the DOM's API is designed, regulating restrictions on it is a hard problem to solve; many have tried (and still are).
In this talk, after making sure it's clear why DOM API is so complicated to confine, we'll discuss why we should worry about this problem, what we can do about it, and, most importantly, what projects/initiatives/proposals are already being worked on.
====================================================================
This event is hosted by JFrog in collaboration with OWASP Israel.
Join us at the event physically as we will not include Zoom or remote participation this time.