• 15-16
    Nov 2018
    2nd Edition is now over !
    Pictures, Videos, Slides and Write-ups are coming soon
    See you all in the next edition
About OWASP AppSec Morocco & Africa

Welcome to the annual OWASP AppSec Morocco & Africa Security Conference, the premier regional security conference. AppSec Morocco & Africa gives attendees access to leading speakers, hands-on workshop sessions on a range of topics, and exposure to best practices in security.

The event hosts eight conference talks, eight hands-on workshops, an all-night CTF and a Bug Bounty program from Thursday 15th to Friday 16th of November 2018.

Meet Our Speakers

                  • CEO & Co-Founder @Yogosha
                  • CEO & Founder @AdamRidson
                  • OWASP Morocco Leader
                  • Security Engineer at Google
                  • Offensive and R&D Activities Leader at AB Conseils
                  • Sr. Sales Engineer at Contrast Security
                  • CEO at Cybersecurity Malaysia
                  • ISC2 CISSP & CSSLP Creator
                  • Associate Partner - IBM

                    • 15 Nov
                      Day 1
                    • Night 15-16 Nov
                      Day 2
                    • 16 Nov
                      Day 3
                    • Conferences & Workshops
                    Attendees - Coffee, welcome and Registration

                    09:30 - 10:00 Tarik El Aouadi & Alaeddine Mesbahi
                    OWASP AppSec Introduction

                    Welcome to the annual OWASP AppSec Morocco & Africa Cyber Security Conference, the premier application and cyber security conference for African developers and security experts. AppSec Morocco & Africa gives attendees access to leading speakers in application security and cyber security, hands-on workshop sessions on applications, mobile, IoT, ICS/SCADA, networking and connectivity, and exposure to best practices in cybersecurity. The event has eight conference talks and eight different hands-on workshop programs between Thursday 15th and Friday 16th of November 2018. This is an exceptional opportunity to attend one of the many hands-on workshop courses offered by well-known industry experts and future pioneers of the application and cyber security industry. There are talks for pen-testers and ethical hackers, developers and security engineers, DevOps practitioners, and GRC/risk-level talks for managers and CISOs. This year's conference program will cover application security from the bottom to the top and from the top to the bottom, based on the SABSA framework and the TOGAF 9 EA framework. We also offer a Capture The Flag. Welcome.

                    10:00 - 10:30 Azzeddine Ramrami
                    Keynote session: Toward a Safer and More Secure Cyberspace

                    Given the growing importance of cyberspace to nearly all aspects of national life, a secure cyberspace is vitally important to the nation, but cyberspace is far from secure today.

                    Morocco and Africa face the real risk that adversaries will exploit vulnerabilities in the nation’s critical information systems, thereby causing considerable suffering and damage. Online e-commerce businesses, government agency files, and identity records are all potential security targets.

                    Toward a Safer and More Secure Cyberspace examines these Internet security vulnerabilities and offers a strategy for future research aimed at countering cyber attacks.

                    It also explores the nature of online threats and some of the reasons why past research for improving cybersecurity has had less impact than anticipated, and considers the human resource base needed to advance the cybersecurity research agenda.

                    This talk will be an invaluable introduction for Internet security professionals, information technologists, policy makers, data stewards, e-commerce providers, consumer protection advocates, and others interested in digital security and safety.

                    Author's Bio: Azzeddine RAMRAMI
                    Azzeddine RAMRAMI is a Senior Security Architect at IBM Security and works as a researcher in cyber security at IBM Security X-Force.
                    Azzeddine RAMRAMI is also the chapter leader for OWASP Morocco and the president of OWASP Africa.

                    Coffee Break & Networking

                    You may want to visit our sponsors' exhibit booths for product demos, discussion and more while enjoying a good Moroccan tea.

                    11:00 - 11:30 Rali Kettani
                    Jumpstarting your DevSecOps Pipeline with IAST and RASP

                    Target Audience: Architects, Developers, Cybersecurity Specialist, Programmers
                    Prerequisites: Basic Security Software Knowledge
                    Domain: DevSecOps

                    DevSecOps is so much more than "automating the scan button." In this talk, we will create a continuous, effective, and scalable DevSecOps pipeline using only *free* tools.  We'll use IAST (Interactive Application Security Testing) to accurately pinpoint vulnerabilities in real time without scanning.

                    Then we'll set up RASP (Runtime Application Self-Protection) to gain comprehensive visibility of attacks in operations and prevent exploits.  And we'll integrate all of this security vulnerability and attack telemetry into the tools your teams are already using.

                  • We will enable developers with real-time security feedback right in their IDE
                  • We will also ensure that libraries and frameworks are analyzed continuously for vulnerabilities
                  • We'll integrate security into the CI/CD process so that we can easily fail a build
                  • We'll identify application layer attacks and create a whole new level of visibility for your SOC
                  • We'll even prevent exploitation of newly discovered vulnerabilities in open source libraries

                    After this talk, you'll be able to establish your own DevSecOps pipeline immediately. This reference architecture can be adapted easily to almost any tools and processes -- even legacy applications and waterfall-style projects.

                    Author's Bio: Rali Kettani

                    Rali Kettani is a Solutions Architect with Contrast Security, an IAST and RASP company that helps organizations incorporate security at DevOps speed. He has been in the technology field for over 15 years, a large part of it in application security. Rali has a background in software development and extensive experience with SAST, IAST and RASP technologies. He has successfully helped dozens of Fortune 500 companies and US government entities modernize their application security practice and switch to DevSecOps.

                    Rali has a Master's degree in Management Information Systems from the George Washington University and a Bachelor’s degree in Computer Science from Georgia College. Rali is based out of Washington DC.

                    11:30 - 12:00 Alaeddine Mesbahi
                    Science of Software Security Assessments

                    Target Audience: Architects, Developers, Cybersecurity Specialist, Programmers
                    Prerequisites: Basic Security Software Knowledge
                    Domain: Offensive Security

                    Offensive security has long been esoteric knowledge, discussed in closed circles among select groups and shared like black-magic recipes with secret ingredients. A lot has changed since the days of IRC chat rooms, 0-day exchanges and invite-only conferences. Security is now taught at schools, published in books and presented at conferences.

                    Despite this progress, offensive security is for the most part a manual process performed by pentesters, bug hunters or weekend enthusiasts. Most tools in use, both open source and commercial, are glorified brute forcers that test a large set of inputs hoping to find the one that works.

                    New Research and progress has however been made in the past few years like:

                  • Introducing techniques from the world of machine learning for fuzzing, like reinforcement learning for input mutation and deep learning for dictionary inference
                  • Enhancing taint tracking for both source code and binary analysis
                  • Tree based testing for black box assessment of web applications

                    This presentation focuses on the most remarkable progress made in this area, and shares our experience implementing and running these techniques against web, mobile and system applications as part of the largest security scanning infrastructure in the world. We will present the challenges that software assessment presents, such as path explosion, formalisation, or simply the sheer randomness of the world of the web and its standards.

                    Author's Bio: Alaeddine Mesbahi works as a Security Engineer at Google specialized in penetration testing and security source code review.

                    He is in his own words a Python addict, self-proclaimed green mint tea expert. He enjoys learning new stuff about InfoSec every day, losing at chess and practicing martial arts. Alaeddine holds the Offensive Security Certified Professional (OSCP) and Offensive Security Certified Expert (OSCE) certifications.

                    12:00 - 12:30 Amine El Boukhari
                    Penetration tests on web services

                    Target Audience: Architects, Developers, Cybersecurity Specialist, Programmers
                    Prerequisites: Basic Security Software Knowledge
                    Domain: API and Web Services

                    First, an overview of how web services actually work.

                    Second, why they are critical and vulnerable, and finally the main and critical vulnerabilities that we encounter today in penetration testing engagements.

                    I will also present a brief demonstration of the tools and the methodology of a web service penetration test.

                    Author's Bio: Amine El Boukhari
                    Amine El Boukhari is a senior cyber security consultant and a penetration tester working at KPMG Paris. He leads various engagements and has had the opportunity to be involved in many web services penetration testing engagements.

                    Lunch & Networking

                    Discussion continues over an authentic Moroccan tajine. Enjoy.

                    14:00 - 17:30 Workshop 1 – Abdessamad Temmar
                    Automated DevSecOps Infrastructure Deployment: Recipes to secure your devops tool chain

                    Target Audience: Architects, Developers, Cybersecurity Specialist, Programmers
                    Prerequisites: Strong Security Software Knowledge
                    Domain: DevSecOps

                    Security is becoming an increasingly important concern in the application development lifecycle, especially for teams practicing fast (and furious) continuous delivery and frequent release cycles.

                    In this workshop, participants will learn how to easily configure and map security tools onto their existing DevOps toolchain, and how to automate this process using cloud-infrastructure automation tools.

                    The aim is to introduce security controls at the earliest stage of software development (controls that run while the developer is coding on their own machine), before code is pushed to the shared code repository (version control tool), and finally before (and after) code is deployed to the production environment.

                    The workshop also provides a technical demo of how to make sure that the initially fixed security requirements are always respected by the production environment through "continuous security monitoring".

                    Author's Bio: Abdessamad TEMMAR
                    Abdessamad TEMMAR is an information security consultant at Abcit, a Moroccan firm fully dedicated to information security. He has worked across a variety of engagements providing professional security services to clients.

                    Abdessamad is also a member of the OWASP Proactive Controls project, where he contributes to updating its Top Ten document, and a co-author of the Mobile Security Testing Guide.

                    14:00 - 17:30 Workshop 2 – Boumediene KADDOUR
                    Decrypting SSL traffic using malicious smart phone and USB sticks

                    Target Audience: Architects, SOC Analyst, Cybersecurity Specialist, Programmers
                    Prerequisites: Strong Security Software Knowledge, Basic Assembly Language, Hardware knowledge
                    Domain: Ethical Hacking

                    Most computer users address the risks of removable media by running an antivirus scan or formatting the entire disk, believing that this wipes every virus from the mass-storage area of the USB device.

                    Security researchers have revealed a vulnerability in the microcontroller of some USB devices: an area hidden from the user and out of reach of antivirus products and other security controls. This hidden area has been leveraged by criminals and attackers to store malware that executes automatically when the USB device is plugged into a computer.

                    One of the most widely used recent techniques is the USB HID keyboard attack, in which a USB flash drive impersonates a Human Interface Device (HID) such as a keyboard in order to execute commands automatically and hijack the computer. The same technique is now applied within smartphones, which extends the risk for end users.

                    In this workshop, we are going to walk through as many such scenarios as possible, with full hands-on sessions demonstrating how computers and phones can easily be exploited by these reprogrammed firmwares, and how a smartphone can easily be turned into a rogue device or BadUSB to steal people's sensitive information, such as Facebook chats and email credentials, even with SSL turned on.

                    Our added value in this talk is to demonstrate how easily the browsers (Chrome & Firefox) can be made to store SSL master keys in a file of our choice, which is sent to our Gmail account by a script deployed from the smartphone, and how those master keys can then be used to decrypt the encrypted data.

                    Author's BIO: Boumediene KADDOUR is a cyber defense consultant and holds the OSCP and OSWP certifications. He previously worked as an Infosec Thief Trainer, as an Incident Handler, and as a Cyber Defense Consultant in Dubai with a company called Malcrove.
                    He has taken part in many international seminars, delivering cyber security talks as a professional speaker.

                    14:00 - 17:30 Workshop 3 – Benjamin NABET
                    Modifying an official and trusted iOS application to make it malicious

                    Target Audience: Architects, SOC Analyst, Cybersecurity Specialist, Programmers
                    Mandatory: MacOS, XCode
                    Good to know: Objective C and ARM basics
                    Nice to have: Jailbroken iPhone

                    Starting from an official iOS application published on the App Store, we'll learn how to reverse it in order to embed malicious code and share it. After showing how to dump and decrypt the code (ARM reversing, Mach-O architecture, ...), we'll go through the basics of debugging on the target (dynamic inspection) to analyze the app and spot the sensitive functions and data. We'll then show how to modify the code, re-sign the app and share the malicious version.

                    Author's Bio:
                    Benjamin NABET
                    CEO at Bsecure (www.bsecure.fr)
                    Benjamin has worked in cybersecurity since 2002. He has owned Bsecure, a French company, since 2010 and provides security consultancy for both large companies and SMBs. Fond of mobile security, he has worked on mobile application security since 2009 and has helped well-known companies secure their apps.

                    • Capture the Flag Challenges
                    08:00pm - 08:00am Capture The Flag Details
                    The CTF starts at 8pm on November 15, 2018

                    The challenge will start on Thursday 15-09-2018 at 20:00 and end the next day at 08:00 Moroccan time.

                    All participants must be physically present at the location of the CTF (Hotel Club Val d’Anfa, Casablanca).

                    Support will be given in person and using a communication channel shared before the beginning of the challenge.

                    In order to be eligible for the prizes and be a part of the competition, you must abide by the following rules:

                  • Teams are composed of 3 to 5 players
                  • Do not attack the infrastructure. If you find a problem with one of the tasks, please report it to the organisation team
                  • You are not allowed to attack other teams. Any attempt to cheat in the contest will lead to immediate disqualification
                  • Only team members who are present at the CTF location can be part of the contest. Requesting help from members outside the event location will lead to immediate disqualification
                  • The winner will be the team that collects the most points
                  • Requesting hints in private is forbidden. Hints will be shared with all teams
                  • If two teams have equal scores, the team that reached that score first will have the advantage
                  • In order to be eligible for money prizes, the top 3 teams are expected to deliver write-ups. Write-ups will be made public and shared on the OWASP conference website
                  • We reserve the right to disqualify teams if the write-ups are not sufficiently complete
                  • The organisation team of the conference is not allowed to participate in the challenges
                  • Be respectful of other participants and report any misconduct or discrimination

                  • Registration will be open on 30 October 2018. Please stay connected.

                    Be your best!

                    • Conferences, Workshops & Bug Bounty
                    08:30 - 09:30 Attendees - Coffee and Registration

                    09:00 - 16:00 Bug Bounty Yogosha
                    Bug Bounty All day with Yogosha (Part 1)

                    Target Audience: Architects, Developers, Cybersecurity Specialist, Programmers
                    Prerequisites: High skills in security and bug hunting
                    Domain: Bug Bounty

                    The four steps of your Bug Bounty

                    • Define your target
                    • Define your budget
                    • Estimate the price of your bugs
                    • Validate and reward bug reports submitted by our researchers
                    We will discuss the following during two workshop sessions:
                    • What are the advantages of a bug bounty?
                    • How does the platform work?
                    • How are Yogosha security researchers selected?
                    • How can I be sure that no researcher will damage my IT?
                    • What if two researchers report the same vulnerability?
                    • What does CVSS mean?
                    • How to estimate the price of a vulnerability?
                    • What’s the price of a bug bounty?
                    • Is the platform secure?

                    Author's BIO: Yassir Kazar
                    Yassir Kazar is CEO of Yogosha

                    09:00 - 12:30 Workshop 1 – Mohamed Oussama Lessis
                    Windows Buffer Overflow vulnerability - from vulnerability discovery to exploit writing

                    Target Audience: Architects, Developers, Cybersecurity Specialist, Programmers
                    Prerequisites: Basic Security Software Knowledge
                    Domain: Exploit Development

                    Description: In this workshop we will look at how to exploit buffer overflows on Windows systems. We will start from the very basics of reverse engineering a vulnerable application, discovering the buffer overflow issue and writing the exploit for that vulnerable application. Participants will examine various recognized exploit-writing techniques. They will be led through a series of advanced topics and exercises based on real-world and staged application examples to illustrate the concepts.

                    Lab prerequisites: a PC with a Windows VM.


                    Author's BIO: Mohamed Oussama Lessis

                    Oussema Lessis is a cyber security manager at EY. He has been a security enthusiast and researcher since an early age. He has covered multiple topics, including but not limited to:

                  • Penetration testing
                  • Red Team engagements
                  • Malware Analysis
                  • Social Engineering
                  • Exploit Writing
                  • Forensic investigation

                    09:00 - 12:30 Workshop 2 – Souri Abdelhalim
                    Orchestrating containers with Kubernetes

                    Target Audience: Architects, sysadmins, Developers, Cybersecurity Specialist, DevOps engineers, Programmers, and everyone eager to learn new stuff.
                    Prerequisites:
                  • Basic Security Software Knowledge
                  • A working knowledge of Linux (e.g., shells, SSH, and package managers)
                  • A basic understanding of web servers, particularly how they typically communicate, IPs, and ports
                    Domain: DevSecOps

                    Description: If you have heard about Docker, containers and Kubernetes, but don't have much (or any!) experience yet, this fast-paced workshop will get you started.

                    In this workshop you'll learn:
                  • How to create/modify/interact with container images
                  • Docker client and server running in single or distributed mode
                  • Build and publish your own custom images
                  • Scanning your container image
                  • Build your own penetration testing lab
                  • Gain a basic understanding of Kubernetes fundamentals
                  • Learn how to use Kubernetes in production
                  • Deploy and manage Docker containers using kubectl
                  • Set up ReplicaSets, Services and Deployments on Kubernetes
                  • Deploy applications on Kubernetes

                    Materials or downloads needed in advance: https://github.com/etadata/owasp-workshop/blob/master/README.md

                    Bio: Abdelhalim Souri
                    Abdelhalim Souri is a senior security engineer at N+ONE, a leading carrier-neutral datacenter company in Morocco.
                    His interests include SecDevOps and studying how to apply machine learning to detect potential security flaws.
                    He also enjoys participating in competitive programming contests.

                    09:00 - 12:30 Workshop 3 – Azzeddine Ramrami
                    IoT ICS/SCADA Security & Hacking

                    Target Audience: Architects, SOC Analyst, Cybersecurity Specialist, Programmers
                    Prerequisites: Strong Security Software Knowledge, Basic Assembly Language
                    Level: Hardware Security

                    Securing control systems is a challenge. Off-the-shelf software and hardware, as well as remote access possibilities in industrial environments, increase continuously. The broader threat landscape and the increased sophistication of attacks indicate the need to bolster the security posture of Operational Technology (OT), and in particular industrial control systems (ICS) and SCADA environments. But where to begin?

                    Workshop Contents:

                    • ICS fundamentals and ICS framework - ICS basics - Developing governance and ICS framework - Risk Management in ICS
                    • Controls and solutions - Incident management - Network segmentation - Security monitoring - Remote access security - Patching and malware prevention - Portable media security
                    • Practical approach - Case studies from practice - Active and passive security assessments - Building security operating model - Security roadmap in ICS organisations

                    Author's Bio: Azzeddine RAMRAMI
                    Azzeddine RAMRAMI is a Senior Security Architect at IBM Security and works as a researcher in cyber security at IBM Security X-Force.
                    Azzeddine RAMRAMI is also the chapter leader for OWASP Morocco and the President of OWASP Africa.

                    12:30 - 14:30 Lunch & Networking

                    14:30 - 15:00 Franck Thicot
                    Considerations on implementing regulation requirements to protect critical applications

                    Target Audience: Architects, Developers, Cybersecurity Specialist, Programmers
                    Prerequisites: Basic Security Software Knowledge
                    Level: Practicing

                  • Presentation of the key requirements
                  • Challenges to implementing them
                  • Approach scenarios selected in the context of a financial services organization: results and lessons learned

                    15:00 - 15:30 Amina Dik
                    Computer Security and Fraud: Legal Aspects

                    Target Audience: Architects, Developers, Cybersecurity Specialist, Programmers
                    Prerequisites: No requirement
                    Level: Regulation

                    Points to present/discuss:
                    I – Measures punishing fraud against information systems
                    1. Fraudulent access to, and remaining within, an information system
                    2. Deliberate interference with the operation of a computer system
                    II – Measures punishing data-related fraud
                    1. Attacks on data integrity
                    2. Offences relating to the processing of personal data
                    III – The organizational arsenal for fighting computer fraud
                    1. Institutional means of fighting computer fraud
                    2. Judicial cooperation tools
                    IV – Legal framework for computer security
                    1. Recommendations and guidelines from security partners
                    2. Regulation of personal data protection
                    V – Legal security obligations
                    1. Breach of the security obligation
                    2. The obligation to notify security breaches
                    3. The scope and limits of the decryption obligation

                    Author's BIO: Amina DIK
                    Chief engineer in charge of studies at the Ministry of Justice, Amina Dik is a doctoral candidate in engineering sciences at the Faculty of Sciences in Rabat.
                    She also pursued a legal curriculum from the outset, culminating in a doctorate in private law.
                    She draws on this dual training to encourage lawyers and engineers to work together in meeting the demand for legal security that accompanies the demand for technical security.

                    15:30 - 16:00 Hassan CHARRAF
                    The Quest for Happiness in a Digital World

                    Target Audience: All
                    Prerequisites: Nothing but happiness
                    Level: Keep Cool

                    We live in a world full of transformations and changes that no one can escape any longer.
                    The technological challenge brings solutions, but also more constraints.
                    Will we be happier, or will we miss what is essential?

                    Author's BIO: Hassan Charraf
                    State Engineer (Ingénieur d'État), 1989
                    MBA, Université de Sherbrooke, Québec
                    Doctoral researcher on happiness at the Académie de Management de Paris
                    Vice President, CIDEC (International Centre for Development and Cooperation)
                    Past President, CJD Maroc
                    Vice President, AMDUS
                    Former board member, INMA SA
                    Former General Manager, Omnium International du Commerce et de l'Industrie
                    Former Director of Strategic Studies and Planning (oil group)
                    Former Director of Organization and Information Systems (industrial group)
                    Former member of the Employment and Social Relations Commission (CGEM)
                    Human development expert, European projects (MEDA 2 FP)
                    Labour market expert, European projects (MEDA 2 FP)
                    Diaspora entrepreneurship and investment expert, European projects (ACEDIM, PACEIM, DIAMED, MAGHRIB ENTREPRENEURS)
                    Former board member, INTENT
                    International speaker

                    16:00 - 16:30 Coffee Break & Networking

                    16:30 - 17:00 Yassir Kazar
                    Cyber Security: Back to the Future

                    Bio: Passionate about cybersecurity, Yassir Kazar is a serial entrepreneur who founded his first startup while finishing his studies. He then pursued a career in IT services and became staff manager in Business Intelligence at CGI, while teaching business intelligence to master's students at Paris V. He took part in launching the local branch of the Open Knowledge Foundation as well as that of OuiShare, a think tank dedicated to the collaborative economy. In 2015 he founded Yogosha, "defender" in Japanese, a trusted platform for private bug bounties that aims to expand across Europe, Africa and the Middle East.

                    17:00 - 17:30 STAFF
                    Conclusion, CTF winners and Bug Bounty winners

                    CTF description and registration will be managed via a Google form. We will publish more information this week.


                    Standard Pass
                    $ 120.00
                    • Conferences
                    • Workshops
                    • Capture the Flag
                    • Bug Bounty - requires passing the preselection
                    • Lunch
                    • Coffee breaks
                    Student Pass
                    $ 50.00
                    • Conferences
                    • Workshops
                    • Capture the Flag
                    • Bug Bounty - requires passing the preselection
                    • Lunch
                    • Coffee breaks

                    Hotel Club Val D'Anfa, Casablanca
                    Angle Boulevard De L'océan Atlantique et Boulevard De La Corniche Ain Diab, Casablanca 20180, Maroc
                    +212 5227-97070

                    Join us!
