Attendees - Coffee, welcome and Registration

09:30 - 10:00 Tarik El Aouadi & Alaeddine Mesbahi
OWASP AppSec Introduction

Welcome to the OWASP Annual AppSec Morocco & Africa Cyber Security Conference, the premier application and cyber security conference for African developers and security experts. AppSec Morocco & Africa gives attendees access to leading speakers in application security and cyber security, hands-on workshops covering applications, mobile, IoT, ICS/SCADA and networking, and connections and exposure to the best practices in cybersecurity. The event has eight conference talks and eight different hands-on workshop programs between Thursday 15th and Friday 16th of November 2018. This is an exceptional opportunity to attend one of the many hands-on workshop courses offered by well-known industry experts and future pioneers of the application and cyber security industry. There are talks for pen-testers and ethical hackers, developers and security engineers, DevOps practitioners, and GRC/risk-level talks for managers and CISOs. This year's conference program covers application security from the bottom to the top and from the top to the bottom, based on the SABSA framework and the TOGAF 9 EA framework. We also offer a Capture The Flag. Welcome.

10:00 - 10:30 Azzeddine Ramrami
Keynote session: Toward a Safer and More Secure Cyberspace

Given the growing importance of cyberspace to nearly all aspects of national life, a secure cyberspace is vitally important to the nation, but cyberspace is far from secure today.

Morocco and Africa face the real risk that adversaries will exploit vulnerabilities in the nation's critical information systems, thereby causing considerable suffering and damage. Online e-commerce businesses, government agency files, and identity records are all potential security targets.

Toward a Safer and More Secure Cyberspace examines these Internet security vulnerabilities and offers a strategy for future research aimed at countering cyber attacks.

It also explores the nature of online threats and some of the reasons why past research for improving cybersecurity has had less impact than anticipated, and considers the human resource base needed to advance the cybersecurity research agenda.

This talk will be an invaluable introduction for Internet security professionals, information technologists, policy makers, data stewards, e-commerce providers, consumer protection advocates, and others interested in digital security and safety.


Author's Bio: Azzeddine RAMRAMI
Azzeddine RAMRAMI is a Senior Security Architect at IBM Security and works as a cyber security researcher at IBM Security X-Force.
Azzeddine RAMRAMI is also the chapter leader for OWASP Morocco and the president of OWASP Africa.

Coffee Break & Networking

You may want to visit our sponsors' exhibit booths for product demos, discussion and more while enjoying a good Moroccan tea.

11:00 - 11:30 Rali Kettani
Jumpstarting your DevSecOps Pipeline with IAST and RASP

Target Audience: Architects, Developers, Cybersecurity Specialist, Programmers
Prerequisites: Basic Security Software Knowledge
Domain: DevSecOps


DevSecOps is so much more than "automating the scan button." In this talk, we will create a continuous, effective, and scalable DevSecOps pipeline using only *free* tools.  We'll use IAST (Interactive Application Security Testing) to accurately pinpoint vulnerabilities in real time without scanning.

Then we'll set up RASP (Runtime Application Self-Protection) to gain comprehensive visibility of attacks in operations and prevent exploits.  And we'll integrate all of this security vulnerability and attack telemetry into the tools your teams are already using.

  • We will enable developers with real-time security feedback right in their IDE
  • We will also ensure that libraries and frameworks are analyzed continuously for vulnerabilities
  • We'll integrate security into the CI/CD process so that we can easily fail a build
  • We'll identify application layer attacks and create a whole new level of visibility for your SOC
  • We'll even prevent exploitation of newly discovered vulnerabilities in open source libraries


After this talk, you'll be able to establish your own DevSecOps pipeline immediately. This reference architecture can be adapted easily to almost any tools and processes -- even legacy applications and waterfall-style projects.

    Author's Bio: Rali Kettani

    Rali Kettani is a Solutions Architect with Contrast Security, an IAST and RASP company that helps organizations incorporate security at DevOps speed. He has been in the technology field for over 15 years, a large part of it in application security. Rali has a background in software development and extensive experience with SAST, IAST and RASP technologies. He has successfully helped dozens of Fortune 500 companies and US government entities modernize their application security practice and switch to DevSecOps.

    Rali has a Master's degree in Management Information Systems from George Washington University and a Bachelor's degree in Computer Science from Georgia College. Rali is based in Washington DC.

    11:30 - 12:00 Alaeddine Mesbahi
    Science of Software Security Assessments


    Target Audience: Architects, Developers, Cybersecurity Specialist, Programmers
    Prerequisites: Basic Security Software Knowledge
    Domain: Offensive Security


    Offensive security has long been esoteric knowledge, discussed in closed circles among select groups and shared as black-magic recipes with secret ingredients. A lot has changed since the days of IRC chat rooms, 0-day exchanges and invite-only conferences. Security is now taught at schools, published in books and presented at conferences.

    Despite this progress, offensive security is for the most part a manual process performed by pentesters, bug hunters or weekend enthusiasts. Most tools in use, both open source and commercial, are glorified brute forcers that test large sets of inputs hoping to find the one that works.

    New research and progress have, however, been made in the past few years, such as:

  • Introducing techniques from the world of machine learning for fuzzing, like reinforcement learning for input mutation and deep learning for dictionary inference
  • Enhancing taint tracking for both source code and binary analysis
  • Tree based testing for black box assessment of web applications


This presentation focuses on the most astonishing progress made in this area, and shares our experience implementing and running these techniques against web, mobile and system applications as part of the largest security scanning infrastructure in the world. We will present the challenges that software assessment presents, such as path explosion, formalisation, or simply the sheer randomness of the world of the web and its standards.

    Author's Bio: Alaeddine Mesbahi works as a Security Engineer at Google specialized in penetration testing and security source code review.

    He is in his own words a Python addict, self-proclaimed green mint tea expert. He enjoys learning new stuff about InfoSec every day, losing at chess and practicing martial arts. Alaeddine holds the Offensive Security Certified Professional (OSCP) and Offensive Security Certified Expert (OSCE) certifications.

    12:00 - 12:30 Amine El Boukhari
    Penetration tests on web services


    Target Audience: Architects, Developers, Cybersecurity Specialist, Programmers
    Prerequisites: Basic Security Software Knowledge
    Domain: API and Web Services


    First, an overview of how web services actually work.

    Second, why they are critical and vulnerable, and finally the main and critical vulnerabilities that we encounter today during penetration testing engagements.

    I will also present a brief demonstration of the tools and the methodology of a web service penetration test.
    Author's Bio: Amine El Boukhari
    Amine El Boukhari is a senior cyber security consultant and penetration tester working at KPMG Paris. He leads various engagements and has had the opportunity to be involved in many web services penetration testing engagements.

    Lunch & Networking

    We will talk over an authentic Moroccan tajine. Enjoy.

    14:00 - 17:30 Workshop 1 – Abdessamad Temmar
    Automated DevSecOps Infrastructure Deployment: Recipes to secure your devops tool chain

    Target Audience: Architects, Developers, Cybersecurity Specialist, Programmers
    Prerequisites: Strong Security Software Knowledge
    Domain: DevSecOps


    Security is becoming an increasingly important concern during the application development lifecycle, especially for teams practising fast (and furious) continuous delivery with frequent release cycles.

    In this workshop, participants will learn how to easily configure and map security tools onto their existing DevOps toolchain, and how to automate this process using cloud-infrastructure automation tools.

    The aim is to introduce security controls at the earliest stage of software development (controls that run while the developer is coding on their own machine), before code is pushed to the shared code repository (version control tool), and finally before (and after) code is deployed to the production environment.

    The workshop also provides a technical demo of how to make sure that the initially fixed security requirements are always respected by the production environment through "continuous security monitoring".

    Author's Bio: Abdessamad TEMMAR
    Abdessamad TEMMAR is an information security consultant at Abcit, a Moroccan firm fully dedicated to information security. He has worked across a variety of engagements to provide professional security services to clients.

    Abdessamad is also a member of the OWASP Proactive Controls project, where he contributes to updating its Top Ten document, and is a co-author of the Mobile Security Testing Guide:
    https://www.owasp.org/index.php/OWASP_Mobile_Security_Testing_Guide#tab=Acknowledgemen
    and
    https://www.owasp.org/index.php/OWASP_Proactive_Controls

    14:00 - 17:30 Workshop 2 – Boumediene KADDOUR
    Decrypting SSL traffic using malicious smartphones and USB sticks


    Target Audience: Architects, SOC Analyst, Cybersecurity Specialist, Programmers
    Prerequisites: Strong Security Software Knowledge, Basic Assembly Language, Hardware knowledge
    Domain: Ethical Hacking


    Most computer users try to avoid the risks of removable media by running an antivirus scan or formatting the entire disk, believing that this wipes every virus from the mass storage area of the USB device.

    Security researchers have revealed a vulnerability in the microcontroller firmware of some USB devices: an area that is hidden from the user and not accessible to antivirus software or other security controls. This hidden area has been leveraged by criminals and hackers to store malware that executes automatically when the USB device is plugged into a computer.

    One of the most widely used recent techniques is the USB HID keyboard attack, in which a USB flash drive impersonates a Human Interface Device (HID) such as a keyboard in order to execute commands automatically and hijack the computer. The same technique is now applied to smartphones, which extends the risk to end users.

    In this workshop, we will walk through several such scenarios with full hands-on demonstrations of how computers and phones can be exploited by these reprogrammed firmwares, and how a smartphone can easily be turned into a rogue device or BadUSB to steal sensitive information such as Facebook chats and email credentials even with SSL enabled.

    Our added value in this talk is to show how the browsers (Chrome and Firefox) can easily be made to store their SSL master keys in a file of our choice, which a script deployed by the smartphone then sends to our Gmail account; those master keys are then used to decrypt the captured encrypted data.

    Author's BIO: Boumediene KADDOUR is a cyber defense consultant and holds the OSCP and OSWP certifications. He previously worked as an Infosec Thief Trainer, and as an Incident Handler and Cyber Defense Consultant in Dubai with a company called Malcrove.
    He has participated in many international seminars, where he delivered cyber security talks as a professional speaker.

    14:00 - 17:30 Workshop 3 – Nadia Benchikha
    Web Application Threat Modeling - A Use Case as Example


    Target Audience: Architects, Developers, Cybersecurity Specialist, Programmers
    Prerequisites: Basic Security Software Knowledge
    Domain: Secure SDLC


    The lack of security in your projects from the beginning can lead to damage in terms of both quality and security.

    The threat modeling approach helps identify and mitigate threats at the design phase of the SDLC, before coding. It then serves as a guide for subsequent security activities such as secure code review and penetration testing.

    Adopting such an approach in the SDLC process helps to reduce risk and improve the quality of the application.

    The objective of the workshop is to present the methodology to follow to threat model a Web application by analyzing a use case.


    Author's BIO: Nadia BENCHIKHA
    My name is Nadia BENCHIKHA, and I am currently working as an information security analyst at SOCIETE GENERALE ALGERIE.

    I graduated with a master's degree in computer science security in 2014 and have 4 years of professional experience in both the telecommunication and banking areas. I have had the opportunity to practice several security activities such as forensics, secure code review, penetration testing, managing security solutions and many more.

    I am interested in web application security, writing articles and self-training.

    14:00 - 17:30 Workshop 4 – Benjamin NABET
    Creating an application that embeds a virus on iOS.

    Target Audience: Architects, SOC Analyst, Cybersecurity Specialist, Programmers
    Prerequisites: Strong Security Software Knowledge, Basic Assembly Language
    Domain: Mobile Malware


    Starting from an official application, we decrypt it and then decompile it.
    Along the way we will (briefly) show methods for exploring the application dynamically.
    Once we have the binary, and after a short introduction to the basics of ARM reverse engineering and the Mach-O format, we will explore the file and explain the important points of reversing on iOS.
    Finally, we will show how to modify the application, sign it and distribute it.


    You need a Mac with Xcode installed, together with Hopper.

    Author's Bio: Benjamin NABET
    Benjamin NABET is the CEO of BESURE (www.besure.fr)

    Capture the Flag Challenges
    08:00pm - 08:00am Capture The Flag Details
    The CTF starts at 8pm on November 15, 2018


    The challenge will start on Thursday 15-09-2018 20:00 and end on the next day at 08:00 Moroccan time.

    All participants must be physically present at the location of the CTF (Hotel Val d’Infa Casablanca).

    Support will be given in person and using a communication channel shared before the beginning of the challenge.

    In order to be eligible for the prizes and be a part of the competition, you must abide by the following rules:

  • Teams are composed of 3 to 5 players
  • Do not attack the infrastructure. If you find a problem with one of the tasks, please report it to the organisation team
  • You are not allowed to attack other teams. Any attempt to cheat in the contest will lead to immediate disqualification
  • Only team members who are present at the CTF location can be part of the contest. Requesting help from members outside the event location will lead to immediate disqualification
  • The winner will be the team that collects the most points
  • Requesting hints in private is forbidden. Hints will be shared with all teams
  • If two teams have equal scores, the team that reached that score first will have the advantage
  • In order to be eligible for money prizes, the top 3 teams are expected to deliver write-ups. Write-ups will be made public and shared on the OWASP conference website
  • We reserve the right to disqualify teams if the write-ups are not sufficiently complete
  • The organisation team of the conference is not allowed to participate in the challenges
  • Be respectful of other participants and report any misconduct or discrimination


    Registration will open on 30 October 2018. Please stay connected.

    Be your best!

    8:30 - 9:30 Attendees - Coffee and Registration

    14:30 - 15:00 Franck Thicot
    Considerations on implementing regulation requirements to protect critical applications


    Target Audience: Architects, Developers, Cybersecurity Specialist, Programmers
    Prerequisites: Basic Security Software Knowledge
    Level: Practicing


  • Presentation of the key requirements
  • Challenges in implementing them
  • Approach scenarios selected in the context of a financial services organization: results and lessons learned

    15:00 - 15:30 Amina Dik
    Security and computer fraud: legal aspects


    Target Audience: Architects, Developers, Cybersecurity Specialist, Programmers
    Prerequisites: Basic Security Software Knowledge
    Level: Practicing


    Points to present/discuss:
    I - Measures punishing fraud against information systems
    1 - Fraudulent access to, and remaining within, an information system
    2 - Deliberate interference with the operation of a computer system
    II - Measures punishing fraud relating to data
    1. Attacks on data integrity
    2. Offences relating to the processing of personal data
    III - The organisational arsenal for fighting computer fraud
    1. Institutional means of fighting computer fraud
    2. Tools for judicial cooperation
    IV - Legal framework for computer security
    1. Recommendations and guidelines from security partners
    2. Regulation of personal data protection
    V - Legal security obligations
    1. Breach of the security obligation
    2. The obligation to notify security breaches
    3. The scope and limits of the decryption obligation

    15:30 - 16:00 Azzeddine RAMRAMI
    No Silver Bullets – Cybersecurity in the Cognitive Era


    Target Audience: Architects, Developers, Cybersecurity Specialist, Programmers
    Prerequisites: Basic Security Software Knowledge
    Level: Practicing


    It's no surprise that our organizations are under attack by industrialized threats from highly skilled adversaries. At the same time we're drowning in information, facing a growing skills shortage, and often dealing with security infrastructures from the dark ages. We'll talk about the threats in more detail, the growing migration from compliance to risk-focused security, and how security is fundamentally an information management problem.

    Extended Abstract
    It's no surprise that our organizations are under attack by industrialized threats from highly skilled adversaries. At the same time we're drowning in information, facing a growing skills shortage, and often dealing with security infrastructures from the dark ages.

    It's no wonder that the industry is looking for the latest magic bullet, and Cognitive security is now the king of the hype curve. We'll talk about the threats in more detail, the growing migration from compliance to risk-focused security, and how security is fundamentally an information management problem.

    We'll investigate how cognitive technology is being applied in real organizations today, and try to get beyond the marketing and hype to understand this fundamental shift coming our way.

    16:00 - 16:30 Coffee Break & Networking

    17:00 - 17:30 STAFF
    Conclusion, CTF Winners and Bug Bounty Winners

    CTF description and registration will be managed via a Google form. We will publish more information this week.

    09:00 - 12:30 Workshop 1 – Mohamed Oussama Lessis
    Windows Buffer Overflow vulnerability - from vulnerability discovery to exploit writing

    Target Audience: Architects, Developers, Cybersecurity Specialist, Programmers
    Prerequisites: Basic Security Software Knowledge
    Domain: Exploit Development

    Description: In this workshop we will look at how to exploit buffer overflows on Windows systems. We will start from the very basics of reverse engineering a vulnerable application, discovering the buffer overflow issue, and writing the exploit for that vulnerable application. Participants will examine various recognized exploit writing techniques. They will be led through a series of advanced topics and exercises based on real-world and staged application examples to illustrate the concepts.

    Lab prerequisite: a PC with a Windows VM.

    Author's BIO: Mohamed Oussama Lessis

    Oussama Lessis is a cyber security manager at EY. He has been a security enthusiast and researcher since an early age. He has covered multiple topics, including but not limited to:

  • Penetration testing
  • Red Team engagements
  • Malware Analysis
  • Social Engineering
  • Exploit Writing
  • Forensic investigation

    09:00 - 12:30 Workshop 2 – Souri Abdelhalim
    Orchestrating containers with Kubernetes

    Target Audience: Architects, Developers, Cybersecurity Specialist, Programmers
    Prerequisites: Basic Security Software Knowledge
    Domain: DevSecOps

    Ever heard about Docker and Kubernetes? Or maybe you are already using them to manage your containers. In this workshop you'll use Kubernetes to deploy real-world applications, and by doing so you'll learn the concepts necessary not just for rote memorization of the individual tasks needed to operate Kubernetes, but for a fundamental understanding of how you can use Kubernetes to build and deploy robust applications. Whether you're a beginning system administrator, an advanced developer, or even a CTO, you're bound to gain an understanding of the technology that underpins the best-designed and best-delivered applications available today.

    Bio: Abdelhalim Souri is a senior security engineer with a lot of passion for the security field as well as other fields such as ML (Machine Learning), AI, competitive programming contests and SecDevOps.

    09:00 - 12:30 Workshop 3 – Azzeddine RAMRAMI
    IoT ICS/SCADA Security & Hacking

    Target Audience: Architects, SOC Analyst, Cybersecurity Specialist, Programmers
    Prerequisites: Strong Security Software Knowledge, Basic Assembly Language
    Level: Hardware Security

    Securing control systems is a challenge. Off-the-shelf software and hardware, as well as remote access possibilities in industrial environments, increase continuously. The broader threat landscape and the increased sophistication of attacks indicate the need to bolster the security posture of Operational Technology (OT), and in particular of industrial control systems (ICS) and SCADA environments. But where to begin? Workshop contents:

  • ICS fundamentals and ICS framework: ICS basics; developing governance and an ICS framework; risk management in ICS
  • Controls and solutions: incident management; network segmentation; security monitoring; remote access security; patching and malware prevention; portable media security
  • Practical approach: case studies from practice; active and passive security assessments; building a security operating model; a security roadmap for ICS organisations

    Author's Bio: Azzeddine RAMRAMI
    Azzeddine RAMRAMI is a Senior Security Architect at IBM Security and works as a cyber security researcher at IBM Security X-Force. Azzeddine RAMRAMI is also the chapter leader for OWASP Morocco and the president of OWASP Africa.

    08:30 - 12:30 Yassir Kazar
    Bug Bounty All day with Yogosha (Part 1)

    Target Audience: Architects, Developers, Cybersecurity Specialist, Programmers
    Prerequisites: High skills in security and bug hunting
    Domain: Bug Bounty

    The four steps of your Bug Bounty

  • Define your target
  • Define your budget
  • Estimate the price of your bugs
  • Validate and reward bug reports submitted by our researchers

    We will discuss the following during two workshop sessions:

  • What are the advantages of a bug bounty?
  • How does the platform work?
  • How are Yogosha security researchers selected?
  • How can I be sure that no researcher will damage my IT?
  • What if two researchers report the same vulnerability?
  • What does CVSS mean?
  • How do you estimate the price of a vulnerability?
  • What's the price of a bug bounty?
  • Is the platform secure?

    Author's BIO: Yassir Kazar
    Yassir Kazar is CEO of Yogosha