
3 Takeaways from OWASP AppSec Israel 2018

Source: @OWASP_IL

OWASP AppSec Israel 2018 Conference with 700+ participants, 18 talks, and a CTF has just ended and I would say it was a great experience as a speaker and as an attendee.

I presented my talk “Is Your Mobile Application Storing Your Company Secrets?”, which covers recent critical findings in mobile apps that could have cost millions of dollars had they fallen into the wrong hands. The talk received a great response, and many attendees discussed various approaches to possible solutions.

This was my first trip to Tel Aviv, Israel, and my first time participating in the AppSec Israel conference. Below are some insights I’d like to share about the conference overall, in the form of my three takeaways:

1. The entire conference is free!

In the last few years, I’ve attended several conferences and none of them were free to attend. Some conferences have free sessions open to all, but not the entire conference. AppSec Israel was completely free to attend, with interesting talks, a high-tech venue, workshops, and free food.

2. Focus on Serverless, Smart Contracts, and DevSecOps

The conference had interesting talks focusing on Serverless security, Smart contracts, and DevSecOps. One of my friends, Mehul Patel, presented on the topic of “Serverless Authentication with JWT”. His talk was about why we should use JWTs in our applications when it comes to security. Another talk that I found very interesting was by Erez Metula on “Exploiting Smart Contracts For Fun And Profit”, which discussed common security vulnerabilities that can occur in smart contracts. Lastly, my friend Tanya Janca presented a great talk on “Security is everyone’s job”, which discussed introducing security right from the first step of requirements gathering through to release.

3. Free training for developers

One of the most important aspects of driving any application security program is training developers. Nowadays almost all information security conferences offer training, but usually at a high price point, which could be part of why developers don’t attend. AppSec Israel, however, offered completely free training for developers. In addition, all the training courses were extremely hands-on, interactive, application-security-focused sessions.

My talk audience was mostly developers and pen testers interested in application security. I presented critical mobile findings aligned with OWASP 2018, such as:

  1. Pwning AWS using iOS Application

  2. Accessing Upcoming Features (Un-released)

  3. Presented OWASP iGoat Project (

I want to say thanks to Cobalt for supporting me on this trip. You can check out more details about the above critical findings here.

The conference had a selfie challenge for all speakers, and below is a snap from my talk (I’m not someone who normally takes selfies, but I accepted the challenge).

Photo from Selfie Challenge for Speakers

Want to dive deep into AppSec? Read more with this blog post highlighting the differences between AppSec & DevSecOps. Feel free to reach out to me directly by commenting on this blog or find me on Twitter at @swaroopsy for additional queries. Stay tuned for more blogs!

About Swaroop Yermalkar
Swaroop works as a Senior Security Engineer. He is the author of the book Learning iOS Penetration Testing, published by Packt. He has been a speaker at AppSec USA, BruCON, SEC-T, HITCON, GroundZero, and c0c0n, and is experienced in security assessments of mobile apps (iOS, Android, Windows), web, network, web services, and thick-client applications.