All right. Good morning everybody. Good morning and welcome to OWASP's AppSec Israel 2017. As you all know, the best AppSec conference in Israel. The best security conference in Israel. Without throwing shade at any other conference. Real quick, I'm going to talk for a few minutes and then I'm going to pass on to the actual speakers that are here. That's what I came for. Do you see me hand it up on stage? A few quick logistics and then I'm just going to talk a little bit about OWASP. First of all, as every year, we cannot bring any food or drink or coffee other than water into any of the rooms, the auditorium or the other rooms, so please remember, eat outside and leave your coffee outside. In case anybody needs to recharge, there are power outlets under everybody's seat; find them, but please do not leave any cables there. We have a couple from yesterday that were left that we need to deal with. So yes, take your cables with you. As you can tell, I am speaking English, in contrast to previous years. This is a decision that we've been trying to make for a few years. This year we've been gaining a lot of international attention. A lot of people want to come internationally. And we've been collecting statistics that say while many people would prefer Hebrew, most seem to be okay with English, whereas the opposite is not necessarily true. So yeah, it's part of the conference growing up now that we've been doing it for 11 years, I think. It's time for the conference to grow up and yeah, I don't think anybody will have a problem with that. If there is anybody that parked their car in the parking lot here, there is a machine to pay your ticket. You can pay any time during the day. It's right underneath the stairs to the auditorium. If you're paying now, you won't have to wait in line afterwards, and it eases up the traffic leaving the parking. And any social media that you post, we'd really appreciate it if you used the hashtag. We'll be able to find it a lot easier.
Now we're talking. Most of you probably know me. For those that don't, my name is Avi Douglen and you've probably been getting a ridiculous amount of emails from me. I'm not sorry about that. A lot of people are still filing in. It's good. So as you probably know, I am the chairman of OWASP Israel. We're the Israel chapter of OWASP. We run the conference. Just so you know, my background is a security consultant, architect, research developer, things like that. And if you ever want to buy me a drink, always appreciated. Smoky whiskey, dark beer, strong coffee, anything that's like, yeah, that's good. I'm also a moderator on Security Stack Exchange. Like Stack Overflow; Security Stack Exchange is the same thing, just for security. Always a good site to be on. And, well, I'm not going to go into high school shit now. Obviously, I don't run the conference alone. We have a great chapter board here. So we have Ofer Maor. He's not here yet. Ofer? No. We have Or Katz. Raise your hand. There you go. Or's been doing a great job getting us budget for the conference. We have Yossi Oran. There you go. Khamed, is Khamed in the room? In the back. There you go. We made a small change. We have a few small changes to the board. One of the changes that I'm going to talk about now is Erez Metula was running our CFP and content for the past few years, and he stepped down. So first of all, is Erez in the room? Well, I think he gets a great applause also. He's done a great job for the past few years working on amazing content. This year, Irene stepped up to take his place, and she's also doing a great job. Irene's not here yet? Give her applause anyway. She's doing a great job. There you go. And my ticker face is all over the internet. I'm sure you've... Other than the chapter board, we've had a lot of people working on the conference with us this year. As the conference grows, we have a lot more people.
So Erez Metula, even though he stepped down from the board, he still continued to help with the speakers and proving... Yeah, there's Erez Metula. Give him a hand, guys. Even though he had to step down from the board, he continued to help us improve the speaker deck, and the mentorship and things like that have been really amazing. Helped us pick out amazing content for today. A few other people joined us: Ian, or Iftach Amit, and Guy Mizrahi. They're working on the content together with Irene. Keren Elazari and Shira Shamban. Keren runs BSides Tel Aviv. Our only other real competition when it comes to community conferences for security in Israel. Another great conference. And Shira runs SheCodes. They helped us put on... Last night, we had a really great Women in AppSec event. They helped us put that on. They helped do a lot of PR for it. He got all the funding towards the site. There's a nice website to take the place of our cranky old wiki, which is really pathetic. So we have a really nice website now. Thanks to these guys. So I think this whole group gets a round of applause because they do a lot of work for it and all they get is this lousy t-shirt. So what are you guys all here for? The biggest, the best AppSec event in Israel. People are still filing in. We're expecting 600, 700 people today. That's great. We have a whole bunch of great, amazing talks today. I mean, look at some of these topics, it's great stuff. We have two tracks, 14 different lectures. We also have a Capture the Flag competition run by one of our... by our diamond sponsor, GE. They have a really big model. I'm sure you've seen it all by their sponsor stand. If not, go take a look. That's the URL for anybody that wants to sign up and join the Capture the Flag competition. You can do it anywhere. You don't have to be in a specific room. So that's the URL, and they have some really amazing prizes. It looks really interesting. You guys can join as a team.
Anybody that wants to go as a team can rack up more points. They're also doing a few workshops and technical workshops for those that have difficulty with some of the topics in the Capture the Flag. Some really nice in-depth, hands-on content to really practice some of the topics. We're also going to be doing a resume workshop or a CV review. For those that are new or not so new to the industry and feel that their resume or CV does not properly showcase their talents and what they can do. You can sit down with an expert, with an experienced hiring manager or an HR director, and they'll really help you. They'll give you some tips to really improve your CV and be able to get you the job that you really deserve, because I think that's really cool of them. And of course we have a whole lot of sponsors in the other building, the computer science building. Please visit them. They're going to have some great swag, some really interesting products and services. A lot of them are looking to hire. If anybody's looking for a job, a lot of really great companies to work for. Yesterday. Anybody who was here yesterday? Show of hands? Awesome. So those that weren't, you might not know, for the first time we did a second day, or rather a minus-one day. We did a training day for developers to expand, this is really what OWASP does. This is our mission. I'm sorry, but you guys are not our target audience. Developers are our target audience. Actually, I don't know. How many here are developers or working in development sometimes? Okay, I stand corrected. You guys are the target audience. That's what we're here for. Our purpose is to make the world more secure, to make software security visible. And one of the steps in doing that is reaching out to developers, especially those that are new to security, and teaching them the basics of secure coding and security principles and things like that. And that's what we had.
Just over 300 developers were here yesterday for a full-day, hands-on, amazing session with Shay Chen. I heard some great things from people. They really enjoyed some of the things they learned. And they really learned the basics. In the evening we had, for the first time in Israel, what we call a WIA event. Women in AppSec. Around 40-something women showed up. It was a women-only event. They had a really nice panel. Career tips. So I heard; I wasn't allowed in. But that's a really nice event, mentoring, some networking. And the reason that we do this is because, as you all know, there is not enough women, female representation in our industry. And seeing other women professionals, senior professionals that have done it and succeeded, really encourages. And I talked to a lot of younger women last night that came to the event. And they're like, oh, this is really cool. This is something that I could see myself doing and succeeding in. And I think a lot of women will be joining the industry, whether they're students or, you know, more experienced in other professions, and joining the industry. This is really what we need, more women to join the industry. And that really helped. So that was yesterday. It's the second day. Now I'm going to talk a little bit about our sponsors real quick. Before our sponsors, is Dr. Yehudal Madaf in the room? He's not able to join us later, to say hello. Our physical host of the location. So here are our sponsors. First of all, for the first year we had it, we offered a diamond sponsorship. Thanks to GE, GE came to us and said, we really want to increase visibility. Where is, here? So GE Digital is our diamond sponsor. I'm going to invite Lior to come up. To say a couple of words about mostly IoT, that's where they focus on. Round of applause for our diamond sponsor, please.

Thank you, Avi. I think it's a pleasure being here and also taking part in this conference and in general with the host.
For General Electric, it's not the first day and we are always happy to take part in something like this. I think it's a very important conference and also a very important organization. So with that, you might ask yourself what is the connection between General Electric and web security, and you will be surprised to discover how much web technology is now part of IoT in terms of infrastructure, the control of power plants, oil rigs and different types of equipment. The same technology that we have seen for websites is now in all of those devices, and the impact is even bigger than what we can see in other areas if you think about just plain websites. So for us it's extremely important to support this effort and also to get a lot of benefit out of it. We try to support this conference not just by being a sponsor but also by trying to build a very interesting competition for you guys. There are really great prizes. We'll see who can really... We'll see who will manage to actually get them. And we decided this year to also really provide in-depth workshops. This year we're actually revealing several critical CVEs for the first time, how they were found and how to exploit them. It's the first time that this is ever presented, and also different attacks from big companies, and we'll see that also in the challenges themselves. So we are taking issues from the real world and giving you the opportunity to exercise them. I'm really excited for that and I thank you for the opportunity to take part.

Thank you, Lior. We have a lot of other sponsors too. Our gold sponsors are Imperva, Synopsys, Akamai, WhiteSource, who for the first time joined us. We're very happy to see more companies in the space joining us, and PerimeterX. Of course all these sponsors do have booths and stands. You can go visit them, either buy the product or their service or go work for them. A lot of companies are looking to hire. Oh, I'm sorry. I forgot Cyborg also.
Yeah, so these are gold sponsors. Our silver sponsors also are here. Twistlock, Checkmarx, Comsec, Intel, Accenture, Maglan, AppSec Labs, SafeBreach, CyberJobs, Microsoft, and Ben Gurion University. We also have a few community supporters joining us. They don't have a booth, but you can find them. They have flyers they're passing out. Do still talk to them. We're very happy to involve SheCodes in some of the PR that we did, both for the training event and for the WIA. We also have a lot of other product sponsors this year. I feel like I'm a walking advertisement. I feel like I'm a NASCAR or something. So yes, we have these great lanyards from Checkmarx. We have Checkpoint through the badges and of course all these shirts. They're fantastic. I don't even remember who we have here. We have Dome9, Checkpoint, PerimeterX, and Vahta did these fantastic t-shirts. We're going to give them out later in the day. So you can find them. I love being a walking advertisement. One day I put on a shirt without any logos. It just felt wrong and uncomfortable. These are sponsors. They help put the budget together and thanks to them we're able to still continue to offer this conference free, with food and everything. So I really appreciate all the help from all the sponsors. Tiffany did not show up yet, did she? She's still on the way, probably jet lagged. So I just wanted to introduce you all to Tiffany. She's the community manager. She will be around here later on. She blew her hair. You'll be able to find her. Anybody that wants to join or ask about things like that. So I'll just go around, run down real quick what she was going to talk about: what OWASP does. She was going to talk about how OWASP is based on teamwork. And OWASP is a community. More than anything else, it's an open-source community both of people and projects, and thanks to everybody working together this is what gets OWASP to the mission that we want.
The mission, as I mentioned before, is to make software security visible. Usually, or rather a huge percentage of security spend for organizations is around network security, firewalls, antivirus, things like that. And software security, well, that's where the core business is, right? So that's what we really are doing here at OWASP, trying to make software security visible, trying to make people pay more attention to it both through development and all the other phases of software. So we're going to actually pay attention to software security. OWASP has 113 active projects. These include both software projects, things like ZAP for testing. There's libraries like ESAPI that programs can just drop in, including in their code. And there's a lot of documentation projects like the OWASP Top 10, which I'm sure most of you have heard of, Proactive Controls and a whole bunch of other really interesting documentation projects. One of my favorite ones is the cheat sheets. If you're not familiar with OWASP cheat sheets, I definitely recommend checking them out. They're fantastic. Many drops of exactly what you need to know on any given topic. There are currently 385 chapters around the world. Active chapters. I didn't talk about the boring ones. Can you buy? So yes, wherever you go you'll find an active chapter, somebody to talk to. There are over 80,000 people, whether they're active on the mailing lists or the different groups and things like that. There are 88, over 88, I guess it's 88 different citations by industry and government regulations, things like the PCI recommends OWASP, and a whole bunch of other citations. Over 100 academic supporters, universities, colleges and things like that. 40 corporate members. There are 2,000, almost 2,500 individual paying members. These are people that pay $50 or $30 depending on the location, just to become an individual member of OWASP. That's something that I cannot recommend enough.
When I give my $50, first of all I get that nice warm fuzzy feeling of supporting the organization that helps so much. That's always a nice thing. You get a discount for any of our global conferences, the fundraisers, whether it's the Europe conference or the US conference or the OWASP summit. So you get a $50 discount right up front. So you go to conferences and you're already making money. You do get, do we have anybody here that's an individual member? If you are, fantastic, come to me later, you get a member shirt. Members are likely to get member shirts. I'm not wearing that. It's a nice shirt. Come to me later. Anybody that joins today will also get a shirt on the spot; at any other conference you go to you will also get shirts. You also get to vote for the global directors. The Board of Directors help really drive change in the industry. Help us decide what OWASP should be working on. That's what you get for basically the membership. There's a few other small perks which hopefully, if Tiffany turns up, she'll explain. I'm not that familiar with it. But Tiffany will be on site and you can definitely join here on the spot and be able to get those benefits right away. We also spent, over the past year, over a million dollars working on the mission. This includes things like the OWASP summit, which I'll mention in a moment. Sponsoring open source projects and doing a lot of things like that. And this is what OWASP does. So, OWASP is not about the companies. It's not about us. It's not everybody. We need people to join, whether it's joining as a member, joining the chapter to be more active, joining a project and submitting code. Everything is open source, grab and change, whatever you want, and sharing this knowledge with everybody else. One of the best things I heard from the training yesterday is that several people told me my boss will only let me come if I gather the notes and give a talk back to all my colleagues explaining everything I learned. That's fantastic.
That's exactly what we want. We want that network effect of sharing that information. That's exactly what we need. A couple things about the coming year. I mentioned before the Global AppSec EU conference, the AppSec EU conference. Next year it will be nearby in Tel Aviv. June 17th to 21st, a few days of training, a few other things like developer summit, project summit, and the main conference on June 20th and 21st. Interestingly enough, Cyber Week. So, works good. Hey, Ofer's here, Ofer Maor, give him a hand. AppSec Europe is a great place to meet people from all over the world. Looking forward to it. Another thing that's really interesting is the OWASP summit, doing it again this year near London. In April, this is basically a week. It's kind of like a conference, except instead of sitting there listening to me drone on, you're doing the work. The summit is coming and if you're looking for the opportunity to be able to do work for free, that's a great place. We got you covered. And you can work on OWASP projects. Meet people from all over. I went last year. It was amazing. I met one of my idols, Adam Shostack. We did a threat modeling session and we created a methodology of threat modeling for OWASP. It was fantastic. I really recommend going to that if you can. A little bit about the Israel chapter of OWASP. So, that's us. Already seen it. We have close to a thousand users on our mailing list. It's not a discussion group, just announcements and occasional job postings that are relevant to the industry here. Such a great place. We have our meetup group, of course, over a thousand users. We are the eighth largest OWASP meetup group. That's pretty cool. We do around quarterly meetings, every two or three months. We have a chapter meeting, which is an evening of two or three hours, and we have a few great, really in-depth lectures. Free, of course. Welcome to join. This conference, of course.
And we also do a lot of, other than working on regular OWASP projects, we also do a lot of translations. We have the OWASP Top 10 translated to Hebrew, if people need that. We translated the CISO guide to Hebrew because a lot of corporate CISOs in Israel need that. We have the Proactive Controls translated to Hebrew. Now, almost all of this is the work of one guy who just sees a new version of the OWASP Top 10 come out and he just says, it's translated before I see it's final. It is amazing work. I recommend all of you start doing this work because we're going to reward OWASP. Not going to call them out now by name. But come to me later. You'll get your shirt. You know who I'm talking to. You'll get your shirt and the rest of the benefits for it. So, there is some give back from the community. Who's here for the first time at the conference? Yeah, give him a round of applause. The anonymous translator. Who's here for the first time at AppSec Israel? Oh, wow. Nice crop of new faces. Fantastic. I thought I was going to recognize everybody. So, just so you know, we have track number one on the schedule. On the left, the track number one, that's right here. Breaks will be outside. So, track number one is here. The second track is in room 10. If you walk across to where the sponsors are, you walk through the sponsors to the end of the hall, that's room 10. That's where track 2 is taking place. In addition, we have workshops going on. That's in room 37. When you walk into the computer science building, go around the wall to your right to the end of the hallway on the right side. And that's where we're having the technical workshops. We'll be doing, oh yeah, you should sign up, sorry, you should sign up on the agenda, on the schedule. You can just add yourself to the session and be able to go in. We're also going to, as I mentioned, we're doing the resume workshop. That would be in room number 12, which is that. Okay? The numbering is not spongy.
Yeah, so that's where the resume workshop is taking place. That's between 11 o'clock and 3 o'clock. So just wander in and see who's there to help you. And of course, the sponsors are all in the lobby in the entrance way of the computer science department. Snacks, coffee, coffee all day long; snacks will have their own breaks, both here and by the computer science department. Well, when Tiffany gets here we'll set her up with a desk, you can meet her and join as a member. We'll do that. Now a couple of things I need to finish up, even though we're running just a few minutes late. I'm going to take a few more minutes to talk about something that we need to mention. I've had a lot of comments, both from people who want to pay for talks on the stage and from people who are disappointed by the talks. Like, why do you let that sponsor have time on the stage? Now, there is no pay for play. Everything was done purely independently, content-wise. This year we even completely separated the committees. Those dealing with the sponsors, those dealing with the talks, and a Chinese wall between them. Nobody knows what's going on, so there is no pay for play. Last year I mentioned on the stage that I was very disappointed that we only had 5% of the submissions from females. I'm going to rant about this for a minute. And I asked other conferences in Israel and it's about that. It was really disappointing. And I said that we're going to change things. So a few of the things that we did to change, to see if we can improve it. First of all, we changed the way we built the content selection committee. Instead of having the same group of people on the chapter board, instead of having the same people in our own little bubble choosing the same people that we know, independently, sure, but we know the content. This year we gathered a whole bunch of different leaders in the industry, unrelated to the chapter, or partially related to the chapter, and they were in charge of the selection.
So that was what we had. We had Erez Metula and Irene and Ian and Guy. They were in charge of the content, completely separate from everything else that the chapter board does. That's one thing we changed. We did anonymous submissions. Blind reviews. So when the content committee was choosing the talks, they didn't even know who they were selecting. It's not that anybody would say, I'm not going to choose one speaker, except that completely separates that out. So all the talks were chosen purely based on the content in the submission. This year, for the first year, we actually publicized an explicit code of conduct, not that we've ever had problems, at least as far as we know. If any problems ever do come up, find anybody in a purple shirt. We'll be happy to help if there's any problems, and basically no tolerance for bad conduct, basically. Another thing that we did is we did a lot of targeted outreach to specific speakers, to female groups, through SheCodes, as I mentioned, through Cyber Ladies and a few other industry groups. And so these are the changes we made. So overall we had over 50 submissions after we filtered out the junk. We actually had over 50 submissions, which is a pretty good crowd, which is more than three times the amount of talks that we were able to select, which is pretty good. The quality of them was amazing, higher than last year even, really pleased with it. And the bottom line is that we had 15% of the submissions from female speakers. Some of them were together, you know, a group of speakers, one of them was female. That still counts, but that's how you count it. This still counts. Definitely an improvement, three times more than we've had in any year in the past. That said, 15% is nowhere near where it needs to be. Now if anybody is asking why is this so important, or why are you guys even doing the WIA event? There's plenty of women that we don't need to encourage, and we don't need to improve. It's really simple.
Our industry is broken. I think most of you know that. Our industry is broken, and we definitely need to change the situation. And it's not because I have my lovely daughters going into the industry, and I want them to have a good experience in the industry. It's true. Not the point, because it's not about me. It's not because my wife finds it attractive, all feminists, all social justice and everything. True, not the point. It's not about me. It's not just because I prefer working with female colleagues, where if we don't improve the diversity we'll miss out on some of the best talent out there. True, not the point. It's not about me. It's not about you. It's not about the companies. It's definitely not because we can pay the female workers less. If you ever hear that pile of bull crap, please just serve them a big pile of physical bull crap, because that's just disgusting. That's not true. Other than that, everything else is true. Not the point. It's not about me. It's not about you. It's about the fact that our industry is broken, and we are changing it. We will fix it. And we are working on that. We will get better at that. I'm done with my rant. Sorry about that. A little bit of our social media. So we have all the groups here, the mailing list, the meetup. Of course, it's all on the schedules. LinkedIn, Facebook, of course. Twitter's OWASP underscore IL. A little bit of a case of identity theft. Not getting into that. Getting back to you guys. What do we need from you? Anybody was here? Anybody here was at BSides Tel Aviv a few months ago? Fantastic. We all remember the closing keynote. Ian and me got up and said get up and do something. Whether it's working on projects, creating community, whether it's giving a talk, wherever you feel comfortable with. You don't feel comfortable even talking in front of 500 people? Fine. Go and mentor some high school class. They need it. It's helpful. Get up and do something. Be active. Give back to the community.
Some ways we can do that in OWASP is the chapter meetings, whether it's a company willing to sponsor, whether to host the meeting. Usually we have about 100, 150 people joining the meeting in the evening. We have a couple of meetings and give some food, some drink, maybe some beers. Speaking is good. We always need more speakers, though about two thirds of the submissions we were able to take. The more submissions we get, the better we could improve it. And yes, we had a lot of, thanks to the blind submissions, we had a lot of brand new speakers, first-time speakers, which I'm very happy about. Again, that improves our pool of talent, improves our pool of speakers. We can work on the OWASP projects. It's always helpful. Sponsorship is always useful, always very helpful. And membership, as I mentioned. I think I saw Tiffany walk in. Oh, there you are. Tiffany, do you want to say a quick few words about membership? We are running just a few minutes late.

So, I don't know if OWASP, if Avi told you, I've now started identifying him as OWASP. I don't know if Avi told you, but in the last year, OWASP has been really lucky and we've been able to give away a million dollars to chapters and projects in order to make the industry amazing. And the way we do this is through our amazing members. But here's the thing. We only have about 2,500 members. So, members are the people who decide that OWASP does so much for them, for their careers, for their teams, helps prepare them, brings them amazing documentation like the cheat sheets, gives them tools for free like ZAP, that they want to donate to us $20 or $50. That money is split between their chapter or the project that they choose. So, if you're here, you should definitely give the money to OWASP Israel so that they can do this again next year. The other OWASP body.
That money is then used to help continue outreach programs like today's event, yesterday where we trained 300 developers and helped them become more secure developers to make your jobs as security professionals slightly easier. When you become a member, we do give you a few things. The first thing we give you is an OWASP email so that you can do whatever you want under the OWASP name to reach out to other people, to get out there and do something like Avi said. The next is, you can actually change the face of the industry because you're able to vote on our board of directors, you're able to vote on where we need to spend our money, you're able to vote on what our priorities are. And frankly, we don't have enough people from around the world telling us what the global position is on these things. Most of our members do come from select countries, so I really want to make sure that we hear more voices. And then, of course, you get a discount on all of our global events and, by the way, next year our global event is going to be here in Tel Aviv. But also you get that delightful feeling of when you've donated to a cause that you know is important, that you know is going to help, that's going to bring the next generation of your industry up, but that's also going to help our industry change and face our issues. There's not much out there on how to secure an API, but we know that APIs are the grease that make your network, the grease that make everything work. So we're trying to do that. There's not that much information out there beyond things like the Top Ten for developers, and we know that helping developers understand what it is they need to care about when it comes to security is going to make your job a lot less stressful, or at least move the stress. So this is what our members do. This is what as a member you can commit to doing. Is there anything else? I'm going to hand the mic back.

So that's Tiffany, the community manager. Please do find her later.
Ask about what you can do. Ask about projects you can join. Ask about how to become a member. Yeah. And most importantly, as I said, continue to promote all of us, as Tiffany said also. That's what we need. We're going to do that. One other thing we need from you: you're at the conference, you're joining sessions, we need to know what works and what doesn't. What is good and what needs to be improved. So please, fill out the feedback on each session. You can do that directly from the agenda online. And we're going to send you a survey at the end of the day. We're going to send you a link to fill out some general information. So yeah, so that's one thing that we need. We are running just a few minutes late. We're going to, I think according to the schedule, we're going to be ten minutes past everything on the schedule. Okay, so we're going to continue I think in five minutes. We're going to split up now. Yeah, come on up. So we're going to invite the rest of the board up. The chapter board. Or, you'll see Ofer. Irene? Want to come up for a second? Ofer? No? Irene? No? No? Euler? Euler? So one thing that we did this year is, thanks to Or's work, we managed for the first time to actually not lose money at the conference. So we were able to afford these great toys. There you go. Grab one just for yourself. Don't cheat them at your dog. They don't like that. So we're going to put these outside. And we're going to continue in five minutes here and in room 10. Here's the track you're going to.