Welcome to AppSec Israel 2017. The training day is the first time we're doing a training day like this. I think it's gonna be really helpful; I think it could be very useful for you guys. I'm just gonna talk for a few minutes. I like to ramble on for a bit, and then I'm gonna let Shay take over. He's gonna be your trainer for the day.

So just to let you know some things, get some logistics out of the way. First of all, no food or drinks allowed in this room other than water, so keep your drink, your coffee, outside and don't bring it in. I get yelled at when people do that. Let everybody know there are power outlets under your seat. When your laptop runs out, and it will, you'll need to charge; there are power outlets right underneath you. You just bend down and plug in.

As you can tell, we're talking in English. If that's a surprise for some people, I'm sorry, but there are plenty of people to help translate if you have any problems with that. Parking tickets: anybody that parked here, you know, got a parking ticket. You can pay that any time during the day. It's best not to wait till the end so, you know, there's not a long line. Everybody settle in. If you're gonna tweet, we'd love for you guys to use the AppSec IL hashtag; it's easier to find.

For people that don't know me, my name is Avi Douglen. Just to introduce myself, I am the chairman of the OWASP Israel chapter. I'll tell you what OWASP is, for anybody that doesn't know, in a moment. Who here heard of OWASP before you heard about the training day? Okay, great. Most of you are familiar with it; for those that are not, we'll tell you what it is. Sure, you all got spammed by me a little bit too much lately. I'm sorry, not sorry. But you know who I am: I'm a security researcher, consulting, etc. That's how I got into OWASP. Okay, if you ever want to buy me a drink, whiskey, beer, always useful. Comes with being in security.
So, you know, I hope you're all familiar with Security Stack Exchange. Like Stack Overflow, I'm sure all of you are familiar with that; Security Stack Exchange is the same thing, but for security questions. Check that out.

Yeah, I'm not the only one that runs it, that sets everything up. We have a whole chapter board. With me on the chapter board, not all of us are here today, but we have Or Katz. Where's Or? Where's your hand? There you go, Or Katz. Yossi Oren over there, Habib over there. There we go. Irene, I know, is not here. And, well, me. This is a cute sticker; I'm everywhere. The other organizers, everybody, are wearing a purple shirt today, so you'll be able to find us very easily if you need anything. We also have Tiffany. Where's Sarah? Sarah's hand, if you need any help with anything, there you go. We also have a lot of other people helping us in the conference. This year was a much bigger event, so a lot of people are helping us, and I want to say thank you to everybody that helped us: Matula, Ian, you know who you are, Kai, Karen, Shira, Eyal and Tomer.

What's going on today? You're all here for security training, developer training, secure coding. That's what's going to happen. This is actually part of a wider initiative that the OWASP global foundation decided to expand and try to get going; they call this the OWASP World Tour. It's going on in several different locations. Last week it was in Boston; the week before that, I think it was two weeks ago, there was one in Tokyo. They had over 700 people there, a huge success. The point of this, the reason that OWASP is funding this, is because that's our mission. Our mission is not to be a fun place for security people; it is to serve you, serve the developers. The point, our mission as OWASP, is to create a more secure world, right? Get all the software more secure.

This evening we're also having another mini event called WIA, Women in AppSec.
It's women only. There'll be a panel on careers and some mentoring, and a great opportunity for networking. The reason we're doing this is because, as you all know, there's a lot of inequality and lack of diversity in our field. Actually, I think a little bit less in Israel than elsewhere, but it's still, yeah, nowhere near where it needs to be, so hopefully this mini event will help to counteract that.

Tomorrow, who's coming tomorrow? Fantastic. For those of you that are not coming, hopefully, you probably never heard of it. Just so you know, tomorrow is the main AppSec Israel conference. Okay, we're expecting over 700 people. There'll be two tracks, 14 amazing lectures, really advanced security, a lot of advanced topics, a lot of speakers. We're having a capture-the-flag competition with some amazing prizes. There are a few workshops going on tomorrow, also helping both with the topics and with the capture the flag. And we're also doing, for the first time, a resume workshop. Anybody that wants help getting their resume updated or improved, we're gonna have people help you with that. If you want to bring your resume, they'll help you with that. There will also be an exhibition ground, a great place for swag, meeting other companies in the field. Anybody that's looking for a job: many of our sponsors are looking to hire, so it's a great place to talk to them.

Okay, I'll introduce y'all to Tiffany Long. She's the community manager from OWASP, and she's gonna tell you what OWASP is all about.

Thanks y'all. Thanks, Avi. So like I said, I'm the community manager for OWASP. Before we get started I should tell you what that means. That means that it's my job to work with all of our amazing volunteers to help them achieve their goals. It's also my job to help our community become more communicative, to do our outreach. So if you have any questions about the people side of OWASP, I am definitely your person. So, um, I'd like to tell you a little bit about OWASP.
We started a little over 10 years ago. Basically, a bunch of guys on a mailing list decided that our security was not working because people didn't actually know enough. There wasn't an organization that was helping push it, but more importantly, developers were stuck in this place where they didn't have the knowledge of security. So they were building something, and it was awesome, and then about a month after they built it, a security person came in and had to say, hey, there's a lot of problems and we've got to fix them. And as you know, once you've stepped away from your code for even just a few hours, you kind of forget a little bit, because we don't document as well as we could, and it takes hours and hours to try and fix that.

The idea behind OWASP, I'm actually gonna stand up here if you don't mind, sorry, the idea behind OWASP was to make software security visible so that we could address these issues. And we do this in a number of ways. So I'm gonna leave our mission up here for you to read for a moment, because you don't need me to read it to you. But OWASP is bifurcated. Basically there are two things that we do to help the world. The first is we have projects. We have a ton of projects. We have a hundred and thirteen active projects that come in the form of documentation projects. For example, you're a developer.
You need to know how to do secure logging for an app you're developing. Well, rather than spend three days researching it, we have one sheet that tells you everything you need to know, and then we also have, if you really get into secure logging for some reason, further reading for you to do. We have 35 of these. So if you're somewhere and you're trying to do something, cross-site scripting, something you're trying to fix, we have all the information you need, curated by the experts in the field to help you do your job faster and more smoothly.

We also have tools, and there's some pretty cool tools. There's the OWASP Top 10, which most developers at least have to say they know about; these are the top 10 vulnerabilities in applications. We're coming out with the new one; the RC content was released just last week, if you're interested in the new Top 10. But we also have some cool tools like Dependency-Check, which you can use to make sure the libraries you are bringing in to your code are actually secure. It will tell you which vulnerabilities you have to deal with there. We have AppSensor, which is actually just kind of cool because it actively tells you when you're being hacked and automatically starts processes to fix that. We have code libraries that you can download. These are the types of projects that we have, and you as a developer are absolutely welcome to join any of these types of projects and contribute your own items.

The second part of OWASP is that we have chapters, and chapters are where I do a lot of my work. So as you know, here in Israel we have OWASP Israel, and they don't just put on this great training conference or the conference for tomorrow. They have regular meetings. Our chapters worldwide, we have nearly 400 of them. They meet regularly. They have speakers that talk to you about interesting, cool, or niche items in security. They do trainings; they do mentorships. Your chapter is really a wealth of information for you, and it's open to everybody.
Every event is free. Every event is open, and you will find a welcoming home in your chapter. So we've been talking about the little parts of OWASP, but really what you should know is that OWASP is quite huge. In our greater community, including chapters, the people who follow us on Twitter, the people who pop up to donate code to us and then disappear forever, we have about 80,000 people helping us to create a world that is going to be more secure for our children. Because sometimes it's easy to forget that our generation and our children's generation are the first generations where all of their medical information might be available to some stranger. They're the first generation who's not going to sit down with their boyfriend or girlfriend or husband or wife's parents to see their baby pictures. They're already out there. And so these are the things that we really need to focus on in making security better.

We do a lot of things. I'm just going to run through these last few a little bit more quickly. We have 88-plus government, judiciary and industry citations. We have over a hundred academic supporters; these are universities who work with us to support the mission by offering us locations or training in their programs. We have over 40 corporate members, and we have a membership base of 2,400 people. Now, I know what you're thinking: how does OWASP do all of these things? Because we have 80,000 people who maybe come and absorb our content, but how do we fund having 400 chapters, and how do we fund having the largest penetration testing tool out there?
Well, we do this with our members. There are 2,400 people out there that think OWASP is so awesome that they're going to donate either 40 or 20 dollars to us, and that money is split: part of that money goes to the project or the chapter that they're asking to support. The rest of the money comes to the foundation, and what the foundation does is we make grants, so that any chapter, no matter where they're located, who wants to do an event or bring a trainer in, has access to be able to do that. When you become a member you get your OWASP email, of course. You get the right to vote and really try to drive what the industry is doing. But really what you get is like the warm feeling of knowing that you're concretely contributing to an organization that is working every day to make your life better. Oh, sorry, sorry, you also get a discount to all of our global events. And I'm going to come back to the global events in a minute, because you're definitely coming back to join us in June, right, to see our global worldwide event here in Tel Aviv.

So one of the things that I think is the most important that we do is we take these funds that our members give us, and their energy and their time, and we enable people to build and deliver products, trainings, mentorships. So far this year we've given out over a million dollars in order to help create programs like this free training that we've done in three places worldwide. This is the basics of what we do, and of course every chapter is a little bit different, and Avi is going to talk to you about the Israel chapter and what makes it special. But definitely you should join us. We're completely open source. That means that all of our code is usable by you for whatever you want, as long as you don't make money on it. We're completely open.
You can access any OWASP event, except for our two global fundraisers, for free, no questions asked, and of course when you become a member we'll give you a $50 discount on those fundraisers. I'm sorry, I forgot the highlights. So coming up next year, we are going to have AppSec Europe, which will be here in Tel Aviv during Cyber Week. It's going to be the most amazing event. We also have the OWASP Summit, which is sort of like a conference except we actually ask you to do a ton of work. So if you want to work but not get paid for it, we are there for you. I really should have read this card earlier.

I'm just gonna fill in some details about our chapter, the Israel chapter. As Tiffany said, we do host the yearly AppSec Israel conference. It's usually around the holidays, plus or minus, usually trying to time it before the semester starts but after the summer holidays. So we try to time it around then. We have close to a thousand users on our email distribution list. That's where we give out the notices, sometimes chat postings, things relevant to the local industry. That's the URL to join. You're not gonna remember that, but you'll find it later. We also have a meetup group. We are the eighth largest OWASP group in the world, by the way, so that's pretty cool. We have over a thousand members on the meetup group. As Tiffany mentioned, we also host chapter meetings every two or three months, give or take. Depends how it goes; every two or three months we have a chapter meeting. It's usually a few hours in the evening, hosted by one of our local companies. We have two or three great, really technical, deep talks. It's a great place to meet and network with other people in the industry. Usually around a hundred, hundred fifty people show up to these meetings.
So that's pretty cool. In addition to that, we also have the AppSec Israel conference, as mentioned, and we do a lot other than that. A lot of people contribute to other projects, other OWASP projects. We have a lot of local projects which are based around localizing the documentation that OWASP puts out. For example, we have the OWASP Top Ten, which has been translated to Hebrew, which is very useful in a lot of organizations. We have a few other documents and projects that were also localized to Hebrew. If you have other ones that you need in Hebrew for whatever reason, you know, let us know. Now the microphone died, so I'll just talk really loud. So if you need any documentation in Hebrew, let us know. We'll see if we can get one of the volunteers to join, or better yet, why don't you do it and join us and help us translate some of the OWASP documentation, and there's a lot of it. Okay, so for example the OWASP Top Ten, very good for management types, who like to see a short top-ten list of what we need to do with security. We have what's called a CISO Guide, you know, what the security officer needs to know. We have a list of Top Ten Proactive Controls, which are actually probably more useful for programmers. And, you know, a few other documents like this. Let us know what's going on.

I'm gonna throw up some links really quick, flash them really quick for you, so you can memorize them. So we have the mailing list. We have the meetup; just search for OWASP Israel, you'll find it. LinkedIn, of course; we have a nice discussion group there. Facebook group also, which usually runs in Hebrew. And of course on Twitter, OWASP underscore IL. For identity theft reasons, as mentioned, I'm like "IL" for doing. Very important: we need your feedback.
This is the first time we're doing the training. We need to know what was done well, what was done less well or could be better, could be improved. So if you go on the website, if you go onto the agenda, you'll see a session for the training, or if you go straight onto sched.org, you can go into there. If you register there, and all of you are registered, if you log in you can put your feedback and add additional comments. We'll also send a general survey, a couple of, just a very few questions about how we run the conference in general, other than the session itself. So please, please fill that out when you get that, and at the end of the day fill out the Sched feedback and let us know how that goes.

With that, I will pass it on to your excellent trainer today. We have Shay Chen from Effective Security. He's seriously one of the best trainers in the business. That's why we got him to do this. He didn't; he said no actually, and then I asked him again and he said no again. With some gentle pressure... Are you talking into it? So he's gonna take over now, and I hope you enjoy this. One of the purposes here is not just for you guys to enjoy this and to get benefit out of this, but to take this back to wherever you work. And several people already told me, well, my boss said I could only come if I tell them afterwards what I learned. Fantastic, that's exactly what we want. We want the network effect of the hundreds of people that are here to start writing more secure code, and to get everybody around them to also know how to write secure code. It's really not that difficult, and Shay is going to show you what to pay attention to. And I'll shut up.