06-28, 15:30β16:20 (Asia/Jerusalem), Main Hall
The Python eco-system and community made a lot of progress in terms of security and security awareness, but common OWASP top 10 mistakes still happen in the real world.
Python gives developers multiple tools and best practices to avoid common security issues and vulnerabilities. However, real life requirements, obstacles and deadlines can sometimes cause good developers to produce insecure code that is vulnerable to common OWASP top 10 attacks like Authorization Bypass, SQL Injection and Cross Site Scripting (XSS).
This presentation shows examples based on real-life vulnerabilities we encounter at CYE in our everyday penetration testing of our clients, with vulnerable code examples and mitigations.
Presentation outline:
Attack and threats - OWASP Top 10
* Parameter Tampering
* SQL Injections
* XSS\PXSS
* Malicious File Upload
Mitigations
* Parameterized Queries and ORM
* Hardening: Authorizations + Views
* Authorization and permission checks
* Input Validation
* Output HTML Encoding
English
Target audience βDevelopers
Gil Cohen, Research director & Appsec SME
Gil is a highly experienced information security architect, consultant, researcher and penetration tester with more than 16 years of experience. Previously a senior consultant and team leader, mentor for colleagues, head of penetration testing and training and the CTO of Comsec Group, Gil currently acts as a research director and application security subject matter expert at Cye, taking part in both the information security services department and in the research of the Hyver automation product.
Gil started his computer science career in the Israeli Mamram IDF programming course. After serving in the military for 3 years as a Programmer, Gil changed his focus to computer security and moved to the IDF's Infosec - Center for Encryption and Information Security, specializing in penetration testing.
After honorably discharging from service, Gil worked in several companies and further developed his expertise in application security and computer security in general, including development of unique hacking utilities and techniques. In 2009, Gil finished a Computer Science B.Sc degree with excellence in The College of Management Academic Studies. Lectures at international well-known conferences including Defcon in Las Vegas and others.