OWASP’s AppSec Israel 2018

Mehul Patel
6 min read · Sep 28, 2018

AppSec Israel 2018 took place on 5–6 September 2018 at Tel Aviv University, in central Tel Aviv.

The annual OWASP AppSec Israel Conference is the largest conference in Israel for application security, and regularly draws hundreds of participants. Over 650 people attended last year!

Image Credits: AppSecIL 2018

This year approximately 1200+ developers, testers, product designers, security analysts, and managers attended this conference. I'd like to admit here that AppSecIL is not just for security experts; it's also for everyone who thinks that security is pretty important these days.

Our goal is to promote and educate people about authentication and authorization, and to learn about the different concepts that make a server secure and stable.

More about the event, the associated organization, the agenda and the speakers can be found here.

My talk details can be found here.

It was my first visit to Israel and I was excited. As usual, the visa application was a rush, and my visa was approved just two days before my departure. Eventually, after a journey of 10+ hours, I finally touched down in Israel.

Guess what: at Istanbul airport I met one of the co-speakers from India who was coming to this conference. I am very bad at remembering faces and names, but this guy immediately recognized me at the airport and asked me, "Hey, are you the speaker at AppSec Israel?" I said "yes", and then got to know that he was also a speaker at the same conference. To be honest, since I got the invitation I had not even checked who my co-speakers were, but by coincidence we both arrived together and we had a very healthy discussion during our whole journey. Really nice meeting you, Swaroop Yermalkar; now, more than co-speakers, we have become good friends. :-D

One of the best parts of this conference is that they scheduled a training day right before the conference. It was fully hands-on, making participants aware of application-level attacks and white-hat hacking as well as the corresponding secure-coding best practices, and providing the basic tools, understanding, and processes required for assessing the security of modern web applications.

Moreover, this training was NOT just for security experts with many years of experience, but also for the rest of us:
It was more like a crash course in application security for developers, QA engineers, and anyone new to the AppSec field! More can be found here.

Fortunately, I also attended some sessions and listened to some amazing speakers. 😎

The motive of the training was to enable beginners and give them the opportunity to gain the basic understanding and hands-on skills required to find their path in the AppSec field.

Glad to see so many organizations coming together and supporting such an amazing conference. I personally knew many of the companies, like Deloitte, AppSecLab and many more.

This was the schedule for day one. Unfortunately, I missed some talks because they were scheduled in parallel with my session. But later, after my talk, I had great conversations with those speakers.

This time I had some new points in my talk which were new for me as well; I had started learning about them recently and wanted to share them with the amazing participants too. So I practiced, and this time it went really great. Let me share how my talk went from start to end…

As I have mentioned a couple of times in my recent talks, serverless is a new cloud computing trend that changes the way you think about writing and maintaining applications.

But my idea is that participants at least leave knowing two basic things:

  • What is serverless?
  • Why is serverless?

Before going ahead, I gave a bit of background: authentication and authorization are two different processes, because this is where many people get confused.

Later I talked about JWT and why it is used so much these days. To explain how a JWT works, I began with an abstract definition.

A JSON Web Token (JWT) is a JSON object that is defined in RFC 7519 as a compact, URL-safe way to represent a set of claims between two parties. The token is composed of a header, a payload, and a signature.

When should you use JSON Web Tokens?

Authentication is the most common scenario for using JWT; the other is transmitting information between parties with integrity protection, since the signature lets the receiver detect any change to the content.

For instance, Single Sign-On is a feature that widely uses JWT nowadays, because of its small overhead and its ability to be easily used across different domains.

It’s time to create a JWT on our own and check how it looks. You can see recommended libraries for JWT creation and verification on https://jwt.io/

A small demo helped participants clearly understand the three parts of a JWT, separated by dots (.). As the first two parts are only base64url-encoded, not encrypted, we should be able to see their content. For that, let's go to a website which decodes JWTs. 😎

Focus on code, not servers.

This is my favorite quote, which I took from the Auth0 blog, so I can't resist including it here. :-D

Auth0 makes your life easy by offering an easy-to-use dashboard that lets you start adding authentication to your applications, no matter what application or stack you're using.

Another new platform that I have explored recently is Webtask.io, which allows you to build serverless applications without thinking about infrastructure. Simply write your server-side logic, deploy your functions via the Webtask CLI, and access your serverless backend over HTTP.

Image source: softwareengineeringdaily.com

I told participants about Webtask and created a sample application to demonstrate it. Furthermore, you can get started from here.

All you need is code! Run code with an HTTP call. No provisioning. No deployment.

Again, my favorite quote, also inspired by Auth0.

At every event I am always seeking feedback from participants, attendees and visitors. It doesn't matter whether it's positive or negative, because if you know the feedback you can definitely work on it and make things better next time.

Why is feedback important? I believe feedback allows us to build and maintain communication with others. Most importantly, the information collected from post-event surveys tells us whether attendees found the event valuable, whether it was worth their investment of time and resources, and whether they would participate in the event again. These are some of the basic pieces of feedback I collect.

At the end of the day, we all went for dinner with the amazing co-speakers and the organizing team of AppSec Israel. This was the time when we all shared more of what we are doing, exchanged some personal and professional experiences, listened to each other's stories and promised that we would meet again soon.

In the end, I would like to thank all the team members of AppSec Israel for hosting us!

What Next?

  1. Speaking at ServerlessDays Milano 2018 in Milan, Italy.
  2. Speaking at AllThingsOpen 2018 in the US.
  3. Speaking at Mozilla Festival 2018 in London, UK.
  4. Speaking at OpenAlt 2018 at Brno, Czech Republic.

Feel free to ping me anytime on telegram or twitter and I’m happy to chat with you.

Hope you enjoyed my blog! 🙂

Originally published at Rowdy's Café.


Mehul Patel

Tech Speaker | Linux Engineer | DevOps | OpenSource Enthusiast | Independent Researcher | Technical Writer | Explorer