15-16 Nov 2018
2018 Annual Conference
OWASP AppSec Morocco & Africa
Casablanca, Kingdom of Morocco
About Owasp Appsec Morocco & Africa

OWASP Morocco is organized by a strong board with a broad range of skills in the security domain, project management and organizational matters. With a mission of spreading cyber security awareness, OWASP Morocco proudly presents the largest ever cyber security event for the whole Africa and North Africa region. OWASP AppSec Morocco & Africa 2018, on November 15th and 16th, 2018, will witness a gathering of over 300 cyber security professionals, hackers, CISOs, government dignitaries and academics. 10+ cyber security companies are participating to showcase their products and services in the exhibition area. 10 renowned cyber security speakers are going to present their papers on the latest research, and 2 hands-on training tracks over the two days of the event are going to bring a lot of learning for the participants.

Meet Our Speakers

                  • CEO & Co-Founder @Yogosha
                  • CEO & Founder @AdamRidson
                  • Owasp Morocco Leader
                  • Security Engineer at Google
                  • Offensive and R&D Activities Leader at AB Conseils
                  • Sr. Sales Engineer at Contrast Security
                  • CEO at Cybersecurity Malaysia
                  • ISC2 CISSP & CSSLP Creator
                  • Associate Partner - IBM
                    SCHEDULE

                    Please note the program is subject to change.

                    • 15 Nov
                      Day 1
                    • Night 15-16 Nov
                      Day 2
                    • 16 Nov
                      Day 3
                    • 15 Nov - Day 1
                    Attendees - Coffee, welcome and Registration

                    09:30 - 10:00 Tarik El Aouadi & Alaeddine Mesbahi
                    OWASP AppSec Introduction

                    Welcome to the OWASP Annual AppSec Morocco & Africa Cyber Security Conference, the premier application and cyber security conference for African developers and security experts. AppSec Morocco & Africa gives attendees insight from leading speakers on application security and cyber security, hands-on workshop sessions on applications, mobile, IoT, ICS/SCADA and networking, and connections and exposure to the best practices in cybersecurity. The event has eight conferences and eight different hands-on workshop programs between Thursday 15th and Friday 16th of November 2018. This is an exceptional opportunity to attend one of the many hands-on workshop courses offered by well-known industry experts and future pioneers of the application and cyber security industry. There are talks for pen-testers and ethical hackers, developers and security engineers, DevOps practitioners, and GRC/risk-level talks for managers and CISOs. This year's conference program will cover application security from the bottom to the top and from the top to the bottom, based on the SABSA framework and the TOGAF 9 EA framework. We also offer a Capture The Flag. Welcome.

                    10:00 - 10:30 Azzeddine Ramrami
                    Keynote session: Toward a Safer and More Secure Cyberspace

                    Given the growing importance of cyberspace to nearly all aspects of national life, a secure cyberspace is vitally important to the nation, but cyberspace is far from secure today.

                    Morocco and Africa face the real risk that adversaries will exploit vulnerabilities in the nation's critical information systems, thereby causing considerable suffering and damage. Online e-commerce businesses, government agency files, and identity records are all potential security targets.

                    Toward a Safer and More Secure Cyberspace examines these Internet security vulnerabilities and offers a strategy for future research aimed at countering cyber attacks.

                    It also explores the nature of online threats and some of the reasons why past research for improving cybersecurity has had less impact than anticipated, and considers the human resource base needed to advance the cybersecurity research agenda.

                    This talk will be an invaluable introduction for Internet security professionals, information technologists, policy makers, data stewards, e-commerce providers, consumer protection advocates, and others interested in digital security and safety.


                    Author's Bio: Azzeddine RAMRAMI
                    Azzeddine RAMRAMI is a Senior Security Architect at IBM Security, working as a researcher in cyber security at IBM Security X-Force.
                    Azzeddine RAMRAMI is also the chapter leader for OWASP Morocco and the president of OWASP Africa.

                    Coffee Break & Networking

                    You may want to visit our sponsors' exhibit booths for product demos, discussion and more while enjoying a good Moroccan tea.

                    11:00 - 11:30 Rali Kettani
                    Jumpstarting your DevSecOps Pipeline with IAST and RASP

                    Target Audience: Architects, Developers, Cybersecurity Specialist, Programmers
                    Prerequisites: Basic Security Software Knowledge
                    Domain: DevSecOps


                    DevSecOps is so much more than "automating the scan button." In this talk, we will create a continuous, effective, and scalable DevSecOps pipeline using only *free* tools.  We'll use IAST (Interactive Application Security Testing) to accurately pinpoint vulnerabilities in real time without scanning.

                    Then we'll set up RASP (Runtime Application Self-Protection) to gain comprehensive visibility of attacks in operations and prevent exploits.  And we'll integrate all of this security vulnerability and attack telemetry into the tools your teams are already using.

                  • We will enable developers with real-time security feedback right in their IDE
                  • We will also ensure that libraries and frameworks are analyzed continuously for vulnerabilities
                  • We'll integrate security into the CI/CD process so that we can easily fail a build
                  • We'll identify application layer attacks and create a whole new level of visibility for your SOC
                  • We'll even prevent exploitation of newly discovered vulnerabilities in open source libraries

                    After this talk, you'll be able to establish your own DevSecOps pipeline immediately. This reference architecture can be adapted easily to almost any tools and processes, even legacy applications and waterfall-style projects.

                    Author's Bio: Rali Kettani

                    Rali Kettani is a Solutions Architect with Contrast Security, an IAST and RASP company that helps organizations incorporate security at DevOps speed. He has been in the technology field for over 15 years, with a big chunk of it in application security. Rali has a background in software development with extensive experience in SAST, IAST and RASP technologies. He has successfully helped dozens of Fortune 500 companies and US government entities to modernize their application security practice and switch to DevSecOps.

                    Rali has a Master's degree in Management Information Systems from the George Washington University and a Bachelor's degree in Computer Science from Georgia College. Rali is based out of Washington DC.

                    11:30 - 12:00 Alaeddine Mesbahi
                    Science of Software Security Assessments


                    Target Audience: Architects, Developers, Cybersecurity Specialist, Programmers
                    Prerequisites: Basic Security Software Knowledge
                    Domain: Offensive Security


                    Offensive Security has long been esoteric knowledge, discussed in closed circles among select groups and shared as black magic recipes with secret ingredients. A lot has changed since the days of IRC chat rooms, 0-day exchanges and invite-only conferences. Security is now taught at schools, published in books and presented at conferences.

                    Despite this progress, offensive security is for the most part a manual process performed by pentesters, bug hunters or weekend enthusiasts. Most tools in use, both open source and commercial, are glorified brute forcers that test large sets of inputs hoping to find the one that works.

                    New research and progress has, however, been made in the past few years, including:

                  • Introducing techniques from the world of machine learning for fuzzing, like reinforcement learning for input mutation and deep learning for dictionary inference
                  • Enhancing taint tracking for both source code and binary analysis
                  • Tree based testing for black box assessment of web applications


                    This presentation focuses on the most astonishing progress made in this area, and shares our experience implementing and running these techniques to target web, mobile and system applications as part of the largest security scanning infrastructure in the world. We will present the challenges that software assessment presents, like path explosion, formalisation or simply the sheer randomness of the world of web and standards.

                    Author's Bio: Alaeddine Mesbahi works as a Security Engineer at Google specialized in penetration testing and security source code review.

                    He is in his own words a Python addict, self-proclaimed green mint tea expert. He enjoys learning new stuff about InfoSec every day, losing at chess and practicing martial arts. Alaeddine holds the Offensive Security Certified Professional (OSCP) and Offensive Security Certified Expert (OSCE) certifications.

                    12:00 - 12:30 Amine El Boukhari
                    Penetration tests on web services


                    Target Audience: Architects, Developers, Cybersecurity Specialist, Programmers
                    Prerequisites: Basic Security Software Knowledge
                    Domain: API and Web Services


                    First, an overview of how web services actually work; second, why they are critical and vulnerable; and finally, the main and most critical vulnerabilities that we encounter today in penetration testing engagements.

                    I will also present a brief demonstration of the tools and methodology of a web service penetration test.

                    Author's Bio: Amine El Boukhari
                    Amine El Boukhari is a senior cyber security consultant and a penetration tester working at KPMG Paris. He leads various engagements and has had the opportunity to be involved in many web services penetration testing engagements.

                    Lunch & Networking

                    We will continue the discussion over an authentic Moroccan tajine. Enjoy.

                    14:00 - 17:30 Workshop 1 – Abdessamad Temmar
                    Automated DevSecOps Infrastructure Deployment: Recipes to secure your devops tool chain

                    Target Audience: Architects, Developers, Cybersecurity Specialist, Programmers
                    Prerequisites: Strong Security Software Knowledge
                    Domain: DevSecOps


                    Security is becoming an increasingly important concern during the application development lifecycle, especially for teams using fast (and furious) continuous delivery and frequent release cycles.

                    In this workshop, participants will learn how to easily configure and map security tools onto their existing DevOps toolchain, and how to automate this process using cloud-infrastructure automation tools.

                    The aim is to introduce security controls at the earliest stage of software development (controls while the developer is coding on their own machine), before pushing code to the shared code repository (version control tool), and finally before (and after) deploying code to the production environment.

                    The workshop also provides a technical demo of how to make sure that the initially fixed security requirements are always respected by the production environment through "continuous security monitoring".

                    Author's Bio: Abdessamad TEMMAR
                    Abdessamad TEMMAR is an information security consultant at Abcit, a Moroccan firm fully dedicated to information security. He worked through a variety of sources to provide security professional services to clients.

                    Abdessamad is also a member of the OWASP Proactive Controls project, where he contributes to the update of its Top Ten document, and is also a co-author of the Mobile Security Testing Guide:
                    https://www.owasp.org/index.php/OWASP_Mobile_Security_Testing_Guide#tab=Acknowledgemen
                    and
                    https://www.owasp.org/index.php/OWASP_Proactive_Controls

                    14:00 - 17:30 Workshop 2 – Boumediene KADDOUR
                    Decrypting SSL traffic using malicious smart phone and USB sticks


                    Target Audience: Architects, SOC Analyst, Cybersecurity Specialist, Programmers
                    Prerequisites: Strong Security Software Knowledge, Basic Assembly Language, Hardware knowledge
                    Domain: Ethical Hacking


                    Most computer users try to avoid the risks from removable media by performing an antivirus scan or formatting the entire disk, thinking that all viruses are wiped from the mass storage area of the USB device.

                    Security researchers have revealed a vulnerability within the microcontroller of some USB devices: an area hidden from the user and not accessible to antivirus software and security controls. This hidden area on the USB has been leveraged by criminals and hackers to store malware that is executed automatically when the USB device is plugged into a computer.

                    One of the most commonly used recent techniques is the USB HID keyboard attack. This attack makes a USB flash drive impersonate a Human Interface Device (HID) such as a keyboard to execute commands automatically and hijack the computer. The same technique is now applied within smart phones, which extends the risk for end users.

                    In this workshop, we are going to provide many such scenarios with full hands-on demonstrations of how computers and phones can easily be exploited by reprogrammed firmware, and how a smart phone can easily be turned into a rogue device or BadUSB to steal people's sensitive information like Facebook chats and email credentials with SSL turned on.

                    Our added value in this talk is to show how we can easily request the browsers (Chrome & Firefox) to store SSL master keys within a file of our choice that is sent to our Gmail account via a script deployed by the smart phone, and then easily use those master keys to eventually decrypt the encrypted data.

                    Author's BIO: Boumediene KADDOUR is a cyber defense consultant and holds the OSCP and OSWP certifications. He previously worked as Infosec Thief Trainer, and also as Incident Handler and Cyber Defense Consultant in Dubai with a company called Malcrove.
                    He has participated in many international seminars where he delivered cyber security talks as a professional speaker.

                    14:00 - 17:30 Workshop 3 – Nadia Benchikha
                    Web Application Threat Modeling - A Use Case as Example


                    Target Audience: Architects, Developers, Cybersecurity Specialist, Programmers
                    Prerequisites: Basic Security Software Knowledge
                    Domain: Secure SDLC


                    The lack of security in your projects from the beginning can lead to damage in terms of quality and security.

                    The threat modeling approach can help identify and mitigate threats at the design phase of the SDLC, before coding. It will then be used as a guide for the following security activities, such as secure code review and penetration testing.

                    Adopting such an approach in the SDLC helps to reduce risk and improve the quality of the application.

                    The objective of the workshop is to present the methodology to follow to threat model a web application by analyzing a use case.


                    Author's BIO: Nadia BENCHIKHA
                    My name is Nadia BENCHIKHA, and I'm currently working as an information security analyst within SOCIETE GENERALE ALGERIE.

                    I graduated with a master's degree in computer science security in 2014 and have around 4 years of professional experience in both the telecommunication and banking areas. I had the opportunity to practice several security activities such as forensics, secure code review, penetration testing, managing security solutions and many more.

                    I am interested in web application security, writing articles and self-training.

                    14:00 - 17:30 Yassir Kazar
                    Bug Bounty All day with Yogosha (Part 1)


                    Target Audience: Architects, Developers, Cybersecurity Specialist, Programmers
                    Prerequisites: High skills on security and bug hunting
                    Domain: Bug Bounty


                    The four steps of your Bug Bounty

                  • Define your target
                  • Define your budget
                  • Estimate the price of your bugs
                  • Validate and reward bug reports submitted by our researchers

                    We will discuss the following during two workshop sessions:

                  • What are the advantages of a bug bounty?
                  • How does the platform work?
                  • How are Yogosha security researchers selected?
                  • How can I be sure that no researcher will damage my IT?
                  • What if two researchers report the same vulnerability?
                  • What does CVSS mean?
                  • How to estimate the price of a vulnerability?
                  • What's the price of a bug bounty?
                  • Is the platform secure?

                    Author's BIO: Yassir Kazar

                    Yassir Kazar is CEO of Yogosha.

                    • Capture the Flag Challenges
                    08:00pm - 08:00am Capture The Flag Details
                    CTF Start at 8pm on November 15, 2018


                    The challenge will start on Thursday 15-09-2018 20:00 and end on the next day at 08:00 Moroccan time.

                    All participants must be physically present at the location of the CTF (Hotel Val d’Infa Casablanca).

                    Support will be given in person and using a communication channel shared before the beginning of the challenge.

                    In order to be eligible for the prizes and be a part of the competition, you must abide by the following rules:

                  • Teams are composed of 3 to 5 players
                  • Do not attack the infrastructure. If you find a problem with one of the tasks, please report it to the organisation team
                  • You are not allowed to attack other teams. Any attempt to cheat on the contest will lead to immediate disqualification
                  • Only team members that are present at the CTF location can be part of the contest. Requesting help from members outside of the event location will lead to immediate disqualification
                  • The winner will be the team that collected the most points
                  • Requesting hints in private is forbidden. Hints will be shared with all teams
                  • If two teams have equal scores, the team that got to that score first will have the advantage
                  • In order to be eligible for money prizes, the top 3 teams are expected to deliver write-ups. Write-ups will be made public and shared on the OWASP conference website
                  • We reserve the right to disqualify teams if the write-ups are not sufficiently complete
                  • The organisation team of the conference is not allowed to participate in the challenges
                  • Be respectful of other participants and report any misconduct or discrimination

                    Registration will open on 30 October 2018. Please stay connected.

                    Be your best!

                    • 16 Nov - Day 3
                    8:30 - 9:30 Attendees - Coffee and Registration

                    14:30 - 15:00 Franck Thicot
                    Considerations on implementing regulation requirements to protect critical applications


                    Target Audience: Architects, Developers, Cybersecurity Specialist, Programmers
                    Prerequisites: Basic Security Software Knowledge
                    Level: Practicing


                  • Presentation of the key requirements
                  • Challenges to implement them
                  • Approach scenarios selected in the context of a financial services organization, results and lessons learned

                    15:00 - 15:30 Amina Dik
                    Security and computer fraud: legal aspects


                    Target Audience: Architects, Developers, Cybersecurity Specialist, Programmers
                    Prerequisites: Basic Security Software Knowledge
                    Level: Practicing


                    Points to present/discuss:
                    I - Measures punishing fraud against information systems
                    1. Fraudulent access to, and remaining within, an information system
                    2. Deliberate interference with the operation of a computer system
                    II - Measures punishing data-related fraud
                    1. Attacks on data integrity
                    2. Offences relating to the processing of personal data
                    III - The organisational arsenal against computer fraud
                    1. Institutional means of combating computer fraud
                    2. Judicial cooperation tools
                    IV - Legal framework for IT security
                    1. Recommendations and guidelines from security partners
                    2. Regulation of personal data protection
                    V - Legal security obligations
                    1. Breach of the security obligation
                    2. The obligation to notify security breaches
                    3. The scope and limits of the decryption obligation

                    15:30 - 16:00 Azzeddine RAMRAMI
                    No Silver Bullets – Cybersecurity in the Cognitive Era


                    Target Audience: Architects, Developers, Cybersecurity Specialist, Programmers
                    Prerequisites: Basic Security Software Knowledge
                    Level: Practicing


                    It's no surprise that our organizations are under attack by industrialized threats from highly skilled adversaries. At the same time we're drowning in information, facing a growing skills shortage, and often dealing with security infrastructures from the dark ages. We'll talk about the threats in more detail, the growing migration from compliance to risk-focused security, and how security is fundamentally an information management problem.

                    Extended Abstract
                    It's no surprise that our organizations are under attack by industrialized threats from highly skilled adversaries. At the same time we're drowning in information, facing a growing skills shortage, and often dealing with security infrastructures from the dark ages.

                    It's no wonder that the industry is looking for the latest magic bullet, and Cognitive security is now the king of the hype curve. We'll talk about the threats in more detail, the growing migration from compliance to risk-focused security, and how security is fundamentally an information management problem.

                    We'll investigate how cognitive technology is being applied in real organizations today, and try to get beyond the marketing and hype to understand this fundamental shift coming our way.

                    16:00 - 16:30 Coffee Break & Networking

                    17:00 - 17:30 STAFF
                    Conclusion, CTF Winners and Bug Bounty Winners

                    CTF description and registration will be managed via a Google form. We will publish more information this week.

                    09:30 - 12:30 Workshop 1 – Youness Zougar
                    Reverse Engineering & Malware analysis - Training (Part 1)


                    Target Audience: Architects, SOC Analyst, Cybersecurity Specialist, Programmers
                    Prerequisites: Strong Security Software Knowledge, Basic Assembly Language
                    Domain: Malware Analysis


                    Malware-based cyberattacks are one of the most complex topics when we talk about cybersecurity. Recently, we heard a lot about ransomware such as WannaCry and NotPetya, which caused a lot of damage and losses.

                    That's why in this workshop you'll be able to understand the different types of malware and learn the basics needed to detect and remove them. Different analysis approaches will be explained and demonstrated to help you.

                    The goal of this 3-hour workshop is not to make you a malware analyst overnight, but to give you the key components so you can easily deepen your knowledge of this topic on your own.

                    Author's Bio: Youness Zougar
                    Youness Zougar is co-founder and malware analyst at SAFE-Cyberdefense (specialized in endpoint security solutions development).

                    He is also passionate about Windows driver development, such as Minifilters and Windows Filtering Platform drivers.

                    09:30 - 12:30 Workshop 2 – Souri Abdelhalim
                    Orchestrating containers with Kubernetes


                    Target Audience: Architects, Developers, Cybersecurity Specialist, Programmers
                    Prerequisites: Basic Security Software Knowledge
                    Domain: DevSecOps

                    Ever heard about Docker and Kubernetes? Or maybe you are already using them today to manage your containers.

                    In this workshop you'll use Kubernetes to deploy real-world applications, and by doing so you'll learn the concepts necessary to not just have a rote memorization of the individual tasks needed to operate Kubernetes, but a fundamental understanding of how you can use Kubernetes to build and deploy robust applications.

                    Whether you're a beginning system administrator, an advanced developer, or even a CTO, you're bound to gain an understanding into the technology that underpins the most well-designed and delivered applications available today.

                    Bio: Abdelhalim Souri is a senior security engineer with a lot of passion for the security field as well as other fields like ML (machine learning), AI, competitive programming contests and SecDevOps.

                    09:30 - 12:30 Workshop 3 – Azzeddine RAMRAMI
                    IoT ICS/SCADA Security & Hacking

                    Target Audience: Architects, SOC Analyst, Cybersecurity Specialist, Programmers
                    Prerequisites: Strong Security Software Knowledge, Basic Assembly Language
                    Domain: Hardware Security


                    Securing control systems is a challenge. Off-the-shelf software and hardware as well as remote access possibilities in industrial environments increase continuously.

                    The broader threat landscape and increased sophistication of attacks indicate the need to bolster the security posture of Operational Technology (OT), and in particular industrial control systems (ICS) and SCADA environments. But where to begin?

                    Workshop Contents:

                  • ICS fundamentals and ICS framework
                    - ICS basics
                    - Developing governance and ICS framework
                    - Risk Management in ICS
                  • Controls and solutions
                    - Incident management
                    - Network segmentation
                    - Security monitoring
                    - Remote access security
                    - Patching and malware prevention
                    - Portable media security
                  • Practical approach
                    - Case studies from practice
                    - Active and passive security assessments
                    - Building security operating model
                    - Security roadmap in ICS organisations


                    Author's Bio: Azzeddine RAMRAMI
                    Azzeddine RAMRAMI is a Senior Security Architect at IBM Security, working as a researcher in cyber security at IBM Security X-Force.
                    Azzeddine RAMRAMI is also the chapter leader for OWASP Morocco and the president of OWASP Africa.

                    09:30 - 12:30 Yassir Kazar
                    Bug Bounty All day with Yogosha (Part 3)

                    Register

                    Join the community at AppSec Morocco & Africa 2018, the premier conference event for application and information security in Africa.

                    Standard
                    $ 120.00
                    • Coffee breaks
                    • Lunch
                    • CTF (Subscribed teams)
                    • Access to all conferences and workshops
                    • Access to Bug Bounty requires pre-selection
                    Student Pass
                    $ 50.00
                    • Coffee breaks
                    • Lunch
                    • CTF (Subscribed teams)
                    • Access to all conferences and workshops
                    • Access to Bug Bounty requires pre-selection
                    Sponsors

                    At AppSec Morocco & Africa you can connect with over 250 security professionals in our sponsor hall. Our floor plan is designed to allow you to engage with speakers and attendees.

                    Hotel Club Val D'Anfa, Casablanca
                    Address
                    Angle Boulevard De L'océan Atlantique et Boulevard De La Corniche Ain Diab, Casablanca 20180, Maroc
                    +212 5227-97070