
Tuesday, October 1
 

9:00am

Training: Hacking - Hands On
Shows the principles of hacking and the main tools of BackTrack, from information gathering through to exploitation.

Speakers
Jordan M. Bonagura

Information Security Researcher, Bonagura
Jordan M. Bonagura is a computer scientist with postgraduate qualifications in strategic business management, innovation and teaching (methodology of teaching and research). He acts as a business consultant and researcher in the field of information security, with emphasis on the search for new vulnerabilities and forms of exploitation. CEH. Lecturer in information technology at various institutions, among them the...


Tuesday October 1, 2013 9:00am - 5:00pm
Computer Lab 1 Escuela de Postgrado UTP Salaverry 2443, Lima, Peru

9:00am

Training: How To Secure The SDLC
The course aims to teach the various aspects required to design a hacking-resilient software product. After showing which best-practice activities must be incorporated into an SDLC, the course dives deeper into the concepts, processes and techniques behind them, best known as the Common Body of Knowledge. At the end of the course, this comprehensive knowledge will equip you to restart your SDLC in a "secure way", or at least to quickly improve your current practices, whatever your role is in your software development team.

Speakers
Javier Romero

CTO, JaCkSecurity
Javier Romero is the Chief Technology Officer of JaCkSecurity. He has worked in the security field since October 1999. His roles since then have spanned analyst, officer and chief, managing risk, securing networks and responding to incidents. Specialties: At present his work focuses on information security consulting and out-tasking, covering ISMS, BCM, IR, pentesting and network security monitoring, as operational team leader. Currently holds...


Tuesday October 1, 2013 9:00am - 5:00pm
Computer Lab 3 Escuela de Postgrado UTP Salaverry 2443, Lima, Peru

9:00am

Training: Scripting for Penetration Testers
The work of a true pentester is not limited to the use of tools developed by third parties, because these tools do not completely cover the requirements of real penetration testing.
This training provides a working knowledge of applying different scripting languages in penetration testing, both to automate some processes and to succeed where automated and/or specialized tools do not give the expected results.
It covers script development at the operating system level (MS Windows and Linux), use of the scripting options in popular hacking tools (Nmap, Nessus, Metasploit) to extend or improve their results, and script development to exploit MS Windows and web application vulnerabilities.

Speakers
Walter Cuestas

CEO and Co-Founder, Open-Sec
Walter Cuestas is the current CEO and co-founder of Open-Sec, a Peruvian company dedicated to developing ethical hacking services, computer forensics and analysis of computer security incidents. I'm the technical leader of the team of ethical hackers at Open-Sec, carrying out vulnerability analysis and penetration testing processes. My daily work is about defining attack strategies and my main interest is developing scripts for...


Tuesday October 1, 2013 9:00am - 5:00pm
Computer Lab 2 Escuela de Postgrado UTP Salaverry 2443, Lima, Peru
 
Wednesday, October 2
 

9:00am

Training: Hacking - Hands On
Shows the principles of hacking and the main tools of BackTrack, from information gathering through to exploitation.

Speakers
Jordan M. Bonagura

Information Security Researcher, Bonagura
Jordan M. Bonagura is a computer scientist with postgraduate qualifications in strategic business management, innovation and teaching (methodology of teaching and research). He acts as a business consultant and researcher in the field of information security, with emphasis on the search for new vulnerabilities and forms of exploitation. CEH. Lecturer in information technology at various institutions, among them the...


Wednesday October 2, 2013 9:00am - 5:00pm
Computer Lab 1 Escuela de Postgrado UTP Salaverry 2443, Lima, Peru

9:00am

Training: How To Secure The SDLC
The course aims to teach the various aspects required to design a hacking-resilient software product. After showing which best-practice activities must be incorporated into an SDLC, the course dives deeper into the concepts, processes and techniques behind them, best known as the Common Body of Knowledge. At the end of the course, this comprehensive knowledge will equip you to restart your SDLC in a "secure way", or at least to quickly improve your current practices, whatever your role is in your software development team.

Speakers
Javier Romero

CTO, JaCkSecurity
Javier Romero is the Chief Technology Officer of JaCkSecurity. He has worked in the security field since October 1999. His roles since then have spanned analyst, officer and chief, managing risk, securing networks and responding to incidents. Specialties: At present his work focuses on information security consulting and out-tasking, covering ISMS, BCM, IR, pentesting and network security monitoring, as operational team leader. Currently holds...


Wednesday October 2, 2013 9:00am - 5:00pm
Computer Lab 3 Escuela de Postgrado UTP Salaverry 2443, Lima, Peru

9:00am

Training: Scripting for Penetration Testers
The work of a true pentester is not limited to the use of tools developed by third parties, because these tools do not completely cover the requirements of real penetration testing.
This training provides a working knowledge of applying different scripting languages in penetration testing, both to automate some processes and to succeed where automated and/or specialized tools do not give the expected results.
It covers script development at the operating system level (MS Windows and Linux), use of the scripting options in popular hacking tools (Nmap, Nessus, Metasploit) to extend or improve their results, and script development to exploit MS Windows and web application vulnerabilities.

Speakers
Walter Cuestas

CEO and Co-Founder, Open-Sec
Walter Cuestas is the current CEO and co-founder of Open-Sec, a Peruvian company dedicated to developing ethical hacking services, computer forensics and analysis of computer security incidents. I'm the technical leader of the team of ethical hackers at Open-Sec, carrying out vulnerability analysis and penetration testing processes. My daily work is about defining attack strategies and my main interest is developing scripts for...


Wednesday October 2, 2013 9:00am - 5:00pm
Computer Lab 2 Escuela de Postgrado UTP Salaverry 2443, Lima, Peru
 
Thursday, October 3
 

9:00am

Opening Remarks and OWASP Welcome Kickoff
Thursday October 3, 2013 9:00am - 9:50am
Conference Auditorium Escuela de Postgrado UTP Salaverry 2443, Lima, Peru

9:50am

Keynote: Empowering a new era of Application Security
Speakers
VerSprite

Versprite
versprite.com/ | VerSprite is a pure-play security consulting firm based in Atlanta, GA with a global presence. Known for being a security hybrid group that captures the essence of being both the proverbial 'Suit' and the 'BlackHat', VerSprite delivers services as a hybrid professional service firm in the areas of Application Security, Threat Modeling, Network Security, Social Engineering, and...


Thursday October 3, 2013 9:50am - 10:40am
Conference Auditorium Escuela de Postgrado UTP Salaverry 2443, Lima, Peru

10:40am

Coffee Break
Thursday October 3, 2013 10:40am - 11:00am
Conference Auditorium Escuela de Postgrado UTP Salaverry 2443, Lima, Peru

11:00am

Securing the digital certificate issuing process
Public Key Cryptography is a reality in Brazil. For the past three years more than five million digital certificates were issued under the Brazilian Public Key Infrastructure (Infraestrutura de Chaves Públicas Brasileira – ICP-Brasil). This number is expected to grow more and more insofar as new applications created for using digital certificates are incorporated in the Brazilian’s everyday life.
A digital certificate is a digital file that binds a public key to a specific subject. It is usually issued by Certificate Authorities (CA), entities that are trusted by the public. The public key is mathematically related to a private key, which is supposed to be kept by (and only by) the subject.
The process of issuing digital certificates is crucial to the Certificate Authority's operation. Through it, the certificate requesters generate the key pair and create a formal request (Certificate Signing Request), which is sent to the CA for validation and certificate file generation (formatted according to the X.509 standard).
Important parts of this process take place in the requester/end-user environment: the key pair generation, the creation of the formal request and the final installation of the digital certificate into the cryptographic repository. Security is obviously a critical issue in this scenario, mostly because we are dealing with an environment that is not controlled by the certificate authority: the end user's.
The purpose of this talk is to describe the path followed by Certisign Certificadora Digital S.A. over the years in seeking to improve the digital certificate issuing operations that take place in the end user's environment, focusing on usability and security. We are going to show the software components adopted, their evolution, the problems faced and the solutions applied. We are also going to take the opportunity to discuss trends, standards and projects under development in the field.
Emphasis will be placed on the web application security issues related to the digital certificate issuing process, since most existing Certificate Authorities use this kind of application to deliver services to their stakeholders and customers. It remains a challenge for application developers, since web browsers and operating systems impose a great number of restrictions on the interactions between the web page and cryptographic key repositories. Also, the currently known web application vulnerabilities represent an important threat to the end user and to the whole Public Key Infrastructure.

Speakers
Andre Ortiz

Software Development Coordinator, Certisign Certificadora Digital SA
Software Development Coordinator at Certisign Certificadora Digital SA with focus on services solutions. Expert in software development with more than 10 years of experience in system administration, object oriented programming, software architecture and e-commerce applications. Bachelor Degree in Business from Faculdade Presbiteriana Mackenzie.

Bruno Ribeiro, M.Sc., CSSLP

Software Development Coordinator, Certisign Certificadora Digital SA
Software Development Coordinator at Certisign Certificadora Digital SA with focus on business solutions. Expert in secure software engineering with 15 years of experience in analysis, development and requirement specification of security software. Master's Degree in Software Engineering and Computer Science from Universidade Federal do Rio de Janeiro. Certified Secure Software Lifecycle Professional (CSSLP).


Thursday October 3, 2013 11:00am - 11:50am
Conference Auditorium Escuela de Postgrado UTP Salaverry 2443, Lima, Peru

11:50am

Secure Development Training: A Real Case of Success
The talk presents a project run in a multinational company with over 500,000 employees: security training in software development following the guidelines and projects developed by OWASP.
The speaker is responsible for the project, which began in 2012, has trained hundreds of developers, and will continue through 2013 and 2014. The data presented cover the level of compliance of the applications developed by the company, the use of the presented content by the developers, and the positive impact on the quality of the software developed.
Some of the material used in the training is shown and the methodology used is explained.

Speakers
Luiz Vieira

Volunteer, HackProofing
Rio de Janeiro/Brazil OWASP Chapter Leader. Security specialist who works with audit, penetration testing and computer forensics. Currently developing projects in the area of information security at an oil and gas company in Brazil, and is an instructor of courses on information security. Has published several articles on websites and in electronic magazines. He is the administrator of the Brazilian mailing list on vulnerability research and...


Thursday October 3, 2013 11:50am - 12:40pm
Conference Auditorium Escuela de Postgrado UTP Salaverry 2443, Lima, Peru

12:40pm

Lunch Break
Thursday October 3, 2013 12:40pm - 2:00pm
Conference Auditorium Escuela de Postgrado UTP Salaverry 2443, Lima, Peru

2:00pm

The CSOs Myopia
Before reading this article imagine what it would be like to manage your company without your customer’s data or if the data was in your competitors’ hands.
The value of data is an established fact and almost doesn’t bear mentioning. The experiences your customers acquire along the years as well as their database are fundamental and represent a great competitive edge in this new corporate era.
Keeping this in mind we realize the importance of implementing specific policies in order to build a base to guarantee the safety of these data.
Recently, there’s been an increase in security related incidents in a way that IT management has become more and more complex and, automatically, the need for a new kind of professional has emerged, the Chief Security Officer (CSO).
The CSO has become the person responsible for all risk areas, data security and, also for the definition and implementation of security strategies and policies that a company will implement.
Such policies are developed to reduce risks and negative impacts and also to limit exposure to liability in all areas.
However, the main issue dealt with here doesn’t question the need for good professionals, for secured information or development of better security policies. It deals with the constructive process through which every company goes when creating and structuring such policies.
The limited vision commonly applied when creating these policies isn't enough to cover the company's entire range of existing vulnerabilities.

So, I will demonstrate many of the security issues that this limited vision brings, such as human error in web servers, and other vulnerabilities such as SQL injection and others related to the OWASP Top 10.

Speakers
Jordan M. Bonagura

Information Security Researcher, Bonagura
Jordan M. Bonagura is a computer scientist with postgraduate qualifications in strategic business management, innovation and teaching (methodology of teaching and research). He acts as a business consultant and researcher in the field of information security, with emphasis on the search for new vulnerabilities and forms of exploitation. CEH. Lecturer in information technology at various institutions, among them the...


Thursday October 3, 2013 2:00pm - 2:50pm
Conference Auditorium Escuela de Postgrado UTP Salaverry 2443, Lima, Peru

2:50pm

Coffee Break
Thursday October 3, 2013 2:50pm - 3:10pm
Conference Auditorium Escuela de Postgrado UTP Salaverry 2443, Lima, Peru

3:10pm

WAFs are for excuses, ByWaf knows it
Today, all the well-known companies have lots of Web applications with vulnerabilities such as INJECTIONS; somehow they remain confident about them, WHY??

Well, this is mainly because they think they have a silver bullet called a Web Application Firewall (WAF). This device is like an IPS or IDS. The WAF catches the requests and analyzes them looking for malicious code such as SQL, JavaScript, LDAP, etc. If it finds any, the WAF blocks the request and sends an alert, or just drops the request.

This is the ideal scenario but, as always happens with any defense tool, there are lots of ways to bypass them. In this case, the way is a new framework called ByWaf. ByWaf has the ability to bypass a WAF, but it can also be a complete tool to exploit vulnerabilities in web applications.

The idea came three months ago, when I was pentesting a Web Application and found that it had a WAF, and that there were a few tools that could be useful for this objective.

A couple of weeks later, I found other people with the same issue as mine. We got along and agreed to build this new framework for the OWASP community.

The topics covered in this talk are:

About me
Some references about me on the battlefield of web application penetration testing, and how I heard about OWASP.

About OWASP (real life)
How companies, consultants, hackers and so on, use OWASP on a daily basis. What can we find into it?

What is an OWASP Project?
Concepts about OWASP projects, types, how to get into them.

What is WAF?
Colors, flavors, and more about them.

How it works?
How the devil works trying to give us a hard time.

How to detect WAFs?
From console to some tools.

How to bypass them?
Some ways to make it look like a fool.

ByWaf Project
Past
Present
Future

Demo

Speakers
Rafael Gil Larios

Supervising Sr., KPMG
Has carried out consulting, penetration testing, web application review and code review in industries such as: financial, retail, banking, legal, broadcasting, telecommunications, hosting, hotels, manufacturing, etc. Has performed audits, reviews and implementations of ISO 27001 controls in industries such as: financial, call centers, services, etc. Has performed reviews and consulting in...


Thursday October 3, 2013 3:10pm - 4:00pm
Conference Auditorium Escuela de Postgrado UTP Salaverry 2443, Lima, Peru

4:00pm

Certify Your App: Developing Secure Applications for the Marketplace
WordPress is the most popular Content Management System (CMS), powering more than 60 million websites. In June 2013, we ran an automated code scanning tool against the top 50 most downloaded plugins. The results were more than concerning. We found that more than 20% of these plugins were vulnerable to common Web attacks, potentially leading to 8 million vulnerable Websites. How do other CMS platforms and marketplaces fare?
In this talk we discuss how different application marketplaces encourage and enforce developers to write and submit secure apps. We look at their security measures and discuss their certification process to verify that the apps stand up to their set of standards. We examine the technological challenges associated with performing some of these security measures, such as source code analysis, when the developer has no visibility into the code of the underlying platform.
For this presentation we draw up examples of common marketplaces such as WordPress, Joomla and Force.com.
In particular, this talk will address:
- Different security requirements that marketplaces seek in order to certify an application
- Best practices for using a source code analysis tool to pass the marketplace's certification bar
- How to use the security certification as an added-value to your application

Speakers
Maty Siman

Founder and CTO, Checkmarx
Maty is the CTO and founder of Checkmarx. Maty has more than a decade of experience in software development, IT security and source-code analysis. Prior to founding Checkmarx, Maty worked for two years at the Israeli Prime Minister's Office as a senior IT security expert and project manager. Prior to that, he spent six years with the Israel Defense Forces (IDF), where he established and led a development team in the IDF's...


Thursday October 3, 2013 4:00pm - 4:50pm
Conference Auditorium Escuela de Postgrado UTP Salaverry 2443, Lima, Peru
 
Friday, October 4
 

9:00am

Keynote: Testing Web Sockets with OWASP ZAP
Speakers
Cristian Borghello

Director, Segu-Info
Cristian Borghello is currently Director of Segu-Info and an independent consultant in Information Security. He writes for various specialized media and researches independently on computer and information security. His interest in computer security and its research has led him to maintain this site: http://www.segu-info.com.ar/ Cristian is a member of the OWASP (Open Web Application Security Project) Buenos Aires Chapter, ISSA (Information Systems Security...


Friday October 4, 2013 9:00am - 9:50am
Conference Auditorium Escuela de Postgrado UTP Salaverry 2443, Lima, Peru

9:50am

Exploiting Secure Software
After several security conferences and trainings, and after explaining to management the importance of security in the Software Development Life Cycle (SDLC), there are several companies and development teams creating "secure software" by implementing OWASP Top 10 controls and other security best practices from the market.

The main objective of this paper is to review those best practices implemented in companies with a mature view of software security and, as a second objective, to explain how to exploit those applications.

_We believe in Software Security

- How to embed security in the SDLC

- OWASP Top 10 2013

- Best Practices

- Integrated Tools

- I don't want pentesters saying "LoL" about our software

_Exploiting is sexy!

- What did we mess up?

- What comes after the OWASP Top 10?

- Where can I find exploits?

- Where can I find new exploits?

- How to exploit "Secure Software"?

_LAB - Exploiting Secure Software Life Cycle (ESSLC)

- Secure Software Development

- Secure OS Hardening

- Secure Configuration & Architecture

- OWASP Top 10 Compliance Phase

- Code Review (internal and external)

- Secure Testing

- External VA

- External pentesting

- EXPLOITATION

_Conclusion

We have a long road ahead to protect against all the OWASP Top 10 risks, but attackers know the OWASP Top 10, and they know which companies are working on protection because of the information disclosed in job posts, RFPs, etc., so we could predict the use of different types of attacks against those kinds of companies across the globe. So we need to define the OWASP Top 10 as the minimal baseline that we need to implement, while always remembering that it is not the only thing we should be aware of. Let's protect our software against well-known and also new vulnerabilities and new technology breaches.

Speakers
Mateo

More than 10 years of experience in IT & Security strategy, Business Continuity Management, ISO 27001, CobIT and ITIL. Projects based in Dubai, Chicago, Montevideo and Buenos Aires. Project Manager in many IT Projects and business development in ITO and Software development. I'm CISSP, ITIL & MCP certified. Specialties: E-governance, CobIT, ITIL, ISO 27001, Software Security, PHP, Information Security...


Friday October 4, 2013 9:50am - 11:25am
Conference Auditorium Escuela de Postgrado UTP Salaverry 2443, Lima, Peru

10:40am

Coffee Break
Friday October 4, 2013 10:40am - 11:00am
Conference Auditorium Escuela de Postgrado UTP Salaverry 2443, Lima, Peru

11:00am

Cloud Security - OWASP Cloud Top 10
More and more companies are moving their infrastructure to the cloud. This alternative brings great benefits in cost and management, but it introduces security risks different from those of traditional infrastructures. This talk is aimed at understanding the main security risks identified in the OWASP Cloud Top 10 and the actions that can be taken to mitigate them and improve security in the cloud.

Speakers
Mauro Flores

Manager, Deloitte
Mauro Flores has more than 15 years of experience in Information Security. He has participated in design, specification and development projects for security applications for different companies in Uruguay and abroad, including research and development work in security for companies in the UK and USA. He has performed more than 50 ethical hacks and various forensic analysis engagements...


Friday October 4, 2013 11:00am - 11:50am
Conference Auditorium Escuela de Postgrado UTP Salaverry 2443, Lima, Peru

11:50am

The OWASP O2 Platform: An approach to Automate Application Security Knowledge

Software evolves, defects get fixed, new architectures are adopted and new requirements are met. As part of this evolution we need to make sure that our applications are secure too. However, software developers do not always have a strong background in application security, and we need to find a way to transfer the knowledge from security experts.

Therefore, the O2 platform represents a new paradigm for how to perform, document and distribute web application security reviews. O2 is designed to automate application security knowledge and workflows and to allow non-security experts to access and consume security knowledge.

The topics covered in this talk are:

- Software development and the approach to Application Security

- The OWASP O2 Platform at a glance

- What we can do with the O2 Platform

- What problems can be solved by using unit testing

- Case studies: vulnerabilities found

- A demo that shows how to use it

- How to get involved and where to ask for help


Speakers
Michael Hidalgo

Software Developer Engineer, Security Innovation
Software Developer Engineer based in San José, Costa Rica. With more than 6 years of experience building financial applications and with his high sense of responsibility and quality, Michael always works hard to do things better. Currently Michael works as a Software Developer Engineer for one of the best application security companies in the market. He also leads the OWASP Chapter in Costa Rica and he is always writing about software, testing...


Friday October 4, 2013 11:50am - 12:40pm
Conference Auditorium Escuela de Postgrado UTP Salaverry 2443, Lima, Peru

12:40pm

Lunch Break
Friday October 4, 2013 12:40pm - 2:00pm
Conference Auditorium Escuela de Postgrado UTP Salaverry 2443, Lima, Peru

2:00pm

DOM Based XSS
This talk will cover the different types of client-side attacks that can occur due to poor filtering of inputs and outputs.

A browser's DOM is an increasingly interesting place to explore, because many sites do not validate their JavaScript and remain vulnerable, and almost no scanner includes DOM XSS detection.

We will discuss how to find them, how to exploit them and how to mitigate them.

Speakers
Camilo Galdos AkA Dedalo

Pentester, Open-Sec
Has been working as a developer since the age of 16; after two years he started working as a Pentester and Security Researcher and hasn't stopped hacking since that day. He has been acknowledged by Adobe, Microsoft, PayPal, Apple and others because he has found security holes in their systems. He works full time as a Pentester; in his free time he writes on his personal InfoSec blog SeguridadBlanca.in and wins bug bounty programs for...


Friday October 4, 2013 2:00pm - 2:50pm
Conference Auditorium Escuela de Postgrado UTP Salaverry 2443, Lima, Peru

2:50pm

Coffee Break
Friday October 4, 2013 2:50pm - 3:10pm
Conference Auditorium Escuela de Postgrado UTP Salaverry 2443, Lima, Peru

3:10pm

TBA
Friday October 4, 2013 3:10pm - 4:00pm
Conference Auditorium Escuela de Postgrado UTP Salaverry 2443, Lima, Peru

4:00pm

TBA
TBA

Friday October 4, 2013 4:00pm - 4:50pm
Conference Auditorium Escuela de Postgrado UTP Salaverry 2443, Lima, Peru

4:50pm

Conference Wrap Up and Thanks
Friday October 4, 2013 4:50pm - 5:00pm
Conference Auditorium Escuela de Postgrado UTP Salaverry 2443, Lima, Peru