#ASFWS to #cybersecconf2015 (#dontkillthecow!)


#ICS #CYBERSECURITY #CYBER #EFF #CSE #SCADA #InfoSec #AppSec #ASFWS #cybersecconf2015

The Appsec Forum was renamed “CyberSec Conference”. The aim of this conference is to provide practical advice to companies and share expert views on the trends and challenges we as people, companies and society face when it comes to Cyber Security. The conference is powered by the Cyber Security Alliance, formerly known as the Appsec Forum, a Swiss initiative aiming at increasing awareness around Cyber Security. We organize a yearly conference and have created a community. Follow the CyberSec Conference on Twitter (#CSEC15), Facebook and LinkedIn. Special thanks to @tomlabaude.

You can also join the Google+ Community to exchange ideas🙂

Posted in ASFWS 2014

#ASFWS Edition: Slides are online

You can consult most of the slides on SlideShare:


See you next year for the first CyberSec Conference, 3-5 November 2015.

Follow us on Twitter. @cybersecconf


Posted in ASFWS 2014

Get ready for something new!


Posted in ASFWS 2014

Special Halloween Offer

Haven’t bought your ticket yet? Keep calm! :-)

The AppSec Forum Organization Committee is celebrating Halloween during the week-end and extending the ticket sales for 3 extra days!



So head off to Eventbrite and buy your ticket now!


Wishing you a Happy Halloween!

Posted in ASFWS 2014, News

Enjoy the Swiss lifestyle at the AppSec Social Events!

After the busy AppSec conference days, the evening social events will be the opportunity to have some informal networking time with other professionals while enjoying some of the best Swiss traditions.

The Château Dinner (November 5th)

Overlooking Lake Neuchâtel, Grandson Castle is an ancient medieval fortress built between the 11th and 14th centuries. It houses an exceptional collection of arms and armour and was witness to the famous Battle of Grandson between Charles the Bold and the Swiss Confederates in 1476.

The AppSec Château Dinner will be hosted in the Banquet Hall and will be sponsored by Trend Micro.

A contest and prize draw will take place during the evening and two lucky winners will walk away with a Go Pro Hero3+ Black Explorer Set (1st prize) and a Samsung Galaxy Note 10.1 (2014 Edition) Tablet (2nd prize).

Grandson Castle is a 10 to 15 minute drive from Y-Parc. Transportation will be organized by bus for all participants. The bus is planned to leave the conference venue at 7:45 pm and to return to Yverdon (drop-offs at Y-Parc, the train station and hotels) around 11:30 pm.

“Grandson Castle”. Licensed under CC BY-SA 3.0 via Wikimedia Commons.

Château de Grandson
Place du Château
CH-1422 Grandson
Phone: +41(0)24 445 29 26

The Alpine Dinner (November 6th)

It has become a tradition, ever since the second edition, to end the AppSec event with a traditional Swiss cheese fondue. This year, we will return to the Chalet de Grange Neuve, where we had previously hosted this event in 2011.

Located at an altitude of 1356 meters (4448 feet) and nestled in an open valley in the Jura mountains, Grange Neuve offers the typical warm atmosphere and wooden interior of a Swiss chalet.

In a large room, heated by a wood burning stove, you will enjoy a cheese fondue and local white wine before ending the meal with the renowned meringues et double-crème.

Grange Neuve is about a 30 minute drive from the center of Yverdon and transportation will be provided by bus. The bus is planned to leave the conference venue around 7:30 pm and to return to the city by 11:30 pm, with drop-offs at Y-Parc, the train station and hotels.

“Chalet de Grange Neuve” (photo Gaël Greppin).

Chalet de Grange Neuve
CH-1446 Baulmes
Phone: +41 (0)24 459 11 81

Posted in ASFWS 2014, News

AppSec Contests: Test Your Knowledge and Win Prizes!


The 2014 AppSec Forum will not only be about serious trainings and talks; there will also be some opportunities for fun and games. Participate in one of the AppSec contests on November 5th: test your security knowledge and win some great prizes!

Here’s a list of all the contests that will be organized during the AppSec Forum:

Insomni’App Capture The Flag (CTF)

What: Individual contest where participants will be invited to gain points by solving questions and problems in various domains such as cryptography, reverse engineering, web, etc. The winner will be whoever has the most points at the end of the 2-hour challenge.

When: Wednesday, November 5th, between 5 and 7 pm

Prizes: (click on the links for pictures)

Organized by: Insomni’Hack (prizes by AppSec Forum)

AppSec Jeopardy

What: 4 contestants, picked on-site, will battle against each other in an entertaining game inspired by the famous DEFCON Hacker Jeopardy.

When: Wednesday, November 5th, at 7pm

Prizes: (click on the links for pictures)

Organized by: Kudelski Security

Security Quiz

What: Short (2 questions) quiz on Trend Micro security solutions, open to all with a prize draw among the correct answers to designate the winners.

When: Wednesday, November 5th, during the Château Dinner

Prizes: (click on the links for pictures)

Organized by: Trend Micro

Posted in ASFWS 2014, News

Keynote speaker: Nicolas Fischbach

The 2014 edition of the AppSec Forum will be opening its doors in exactly 3 weeks and today we are pleased to announce that Nicolas Fischbach will be the keynote speaker on Wednesday, November 5th.

Nicolas works for Colt Technology Services. His talk, entitled “La sécurité chez un opérateur en 2014” (Security at an operator in 2014), will give us a telco’s perspective on security and will be made up of three parts:

  • Denial of service (state of the art in 2014)
  • What does ISO 27001 imply for a Service Provider?
  • What it means to do an IAM project within a complex multi-country environment


Posted in ASFWS 2014, News

2014 Rump Session: Call for submissions

The AppSec Forum Rump Session will take place on Thursday, November 6th, between 5 and 7 pm. This is the opportunity for participants to give short talks on topics of interest to the community. Talks should be either informative or amusing… or both! :-)

All subjects are accepted, as long as the following rules are respected:

  • Talks should be 8 minutes or less
  • Commercial talks are forbidden!

If you are interested, please send an email to rump@appsec-forum.ch stating:

  • Your name
  • Talk title
  • Short description
  • Expected duration: 2, 4, 6 or 8 minutes

Submissions will be accepted until: Wednesday, November 5th at 10 pm.

The Rump Session program will be announced at the conference opening on November 6th.

The video of the 2013 Rump Session:

Posted in ASFWS 2014, News | Tagged rump session

Capture The Flag (CTF) Contest

In partnership with Insomni’hack, the AppSec Forum 2014 Edition will host a Jeopardy-style CTF Contest on Wednesday, November 5th, between 5 and 7 pm.

Participants will be invited to gain points by solving questions and problems in various domains such as cryptography, reverse engineering, web, etc. The winner will be whoever has the most points at the end of the 2-hour challenge.

Contest prizes:

  • 1st place: iPad Mini (value 320.- CHF)
  • 2nd & 3rd places: Yubikey NEO (value 50.- USD)

This is an individual contest and entries are limited to 80 persons.

Participation is FREE, but you must register on our EventBrite page.


Posted in ASFWS 2014, News | 1 Comment

Special event: InnovaudConnect@APPSEC

We are pleased to announce that the special event InnovaudConnect@APPSEC will take place at the Swiss Technopole Y-Parc during the next AppSec Forum on Wednesday, November 5th, between 15:45 and 18:30.

This event is co-organized by AppSec partners ALPICT, Innovaud and Y-Parc and will attempt to define the role that Switzerland can play regarding cybercrime. It will be hosted by Rudolf Koller, Editor in Chief of the ICT Journal.

After an opening speech by Professor Pascal Junod (cryptography specialist at HEIG-VD) who will give an academic perspective, the conference will focus on the protection of critical infrastructures.

Experts from Romande Energie, Swissquotes and CISO (information protection for the state of Vaud) will share with us their experience and the challenges they must meet regarding cybercrime.

Four innovative Swiss startups will then present the solutions they have developed regarding data privacy and protection:

  • Sysmosoft
  • NetGuardians
  • Crossing-Tech
  • Graspeo

This event will conclude with an informal and friendly networking moment for all participants.

Price: the event is FREE, but registration is compulsory on our Eventbrite page.


Posted in ASFWS 2014, News

Keynote speaker: Hervé Schauer

With less than 6 weeks left until the opening day of the AppSec Forum 2014 edition, the Program Committee is pleased to announce that renowned information security expert Hervé Schauer will be the keynote speaker on Thursday, November 6th.

Hervé’s talk, entitled “De la Sécurité Informatique à la Cyberdéfense” (From IT Security to Cyberdefense), will take us back 20 years to show how our field of expertise has evolved from IT security to the current, broader concept of cyberdefense. He will also share his thoughts on what our future challenges will be: critical infrastructure protection, cyberwarfare, etc.


Posted in ASFWS 2014, News

Detailed Event Program Now Available!


The complete AppSec Forum Western Switzerland 2014 Edition Program is now available. The full list of speakers and trainers can be found on the Program page of this site.

As previously announced, the AppSec Forum 2014 event will cover a full 3 days.

Day 1 (November 4th), will be dedicated to full day appsec training sessions.

Days 2 and 3 (November 5th and 6th) will host conferences by appsec professionals from around the world. Here’s a list of all the scheduled talks.

The event will also host keynote speakers (more info on that coming soon!) as well as rump sessions and the opportunity for two students of the local HEIG-VD to present their work.

Stay tuned as we will be sharing more info on this site in the coming days and head off to Eventbrite to get your ticket now!


Posted in ASFWS 2014, News | Tagged ASFWS, program, speakers

#ASFWS 2014: New speakers announced


Just a little more than two months to go before the Application Security Forum Western Switzerland opens its doors in Yverdon-les-Bains. The Program Committee is pleased to announce that the following speakers have been selected for the conferences (Second round selection):

Regular presentations
- David Sancho, “Finding Holes in banking 2FA: Operation Emmental”
- Alexandre Herzog, “Why .NET needs MACs and other serial(-ization) tales”
- Dominique Bongard, “Offline bruteforce attack on WiFi Protected Setup”
- Andrey Belenko, “On the Security of the iCloud Keychain”
- Philippe Oechslin, “Analyse technique d’un piratage helvétique”

Student presentations
- Yassine Mansri, “Virtual Patching Automatisé des Applications Web”
- Bertrand Mesot and Sylvain Heiniger, “TProxy: un proxy pour l’interception transparente de trafic TCP”

Seats are limited, so register now!

Posted in ASFWS 2014, News

Registration for AppSec trainings is now open!


Just a little more than two months to go before the Application Security Forum Western Switzerland opens its doors in Yverdon-les-Bains. The first day of the forum will be dedicated to full day appsec training sessions.

You’ll find all the details on our Trainings page.

This year’s program includes:

Specific security audits will be done on pages like:

Prices range from 650.- to 750.- per session and, in some cases, special discount prices are available for students.

Seats are limited, so register now!

Posted in ASFWS 2014, News

ASFWS14 Call for Papers: Second round now open!

Application Security Forum Western Switzerland has decided to open a second round for talk proposals. We are looking for 45 minute talks (including Q&A) as well as two 25 minute student talks.

You’ll find all the details regarding the subjects and submission requirements on our Call for Papers page.

Proposals may be submitted until August 24th, 2014, 23h59 CET.

Go to the Call for Papers page.


Posted in ASFWS 2014, News

Early Bird Registration Ends in 5 Days!

The 5th edition of the Application Security Forum Western Switzerland will take place in a little more than 3 months. The first round of speaker selection has been completed and the list of talks and trainings has been published.

AppSec Forum is the largest annual cybersecurity event in the region and the opportunity to listen and meet with some of the most recognized specialists in the field.

Early Bird tickets are still on sale for another 5 days: only 250.- CHF for a full 2 days of conferences, including coffee breaks and buffet lunch. As of August 1st, the price will go up to 300.- CHF.


Posted in ASFWS 2014, News

Super Early Bird Tickets Now Available!

Super Early Bird tickets are on sale until June 22nd.

Buy your tickets now and get a special price of 200.- CHF for a full 2 days of InfoSec conferences!



Posted in ASFWS 2014, News

ASFWS 2014 Call for Papers… Now Open!

Application Security Forum Western Switzerland invites application security professionals to be part of the 5th edition by submitting proposals for talks and trainings.

You’ll find all the details regarding the subjects and submission requirements on our Call for Papers page.

Proposals may be submitted until June 1st, 2014, 23h59 CET.

Go to the Call for Papers page.

Posted in ASFWS 2014, News

Photos from previous editions of ASFWS

Application Security Forum Western Switzerland was first held in 2010 in Geneva. At that time it was just a short evening event but it was already quite a success.

As of 2011, ASFWS moved to Yverdon-les-Bains and the Haute Ecole d’Ingénierie et de Gestion (HEIG-VD) was the venue that year.

Since 2012, ASFWS is traditionally held at Yverdon’s Y-Parc (Swiss Technopole). The 2014 edition will be a full 3-day event with conferences and workshops and it will mark the fifth anniversary of what has become the largest application security conference in Western Switzerland.

You can find a few photos from the previous editions on a dedicated page.

Posted in ASFWS 2014, News

Members of the Program Committee Announced

As the Call For Papers process will be initiated shortly, members of the ASFWS 2014 Program Committee have been announced. The member list is available on our CFP page.

Posted in ASFWS 2014, News

The Insomni’hack 2014 Schedule Is Out!


The detailed Insomni’hack 2014 conference schedule has been published this week. You will find all the details on the event website.

And there is still time to register for the appsec workshops that will be organised on the day preceding the conferences!

The whole ASFWS Team will be present at Insomni’hack 2014 and we look forward to meeting you there.

Posted in Insomni’hack 2014, News

Appsec Trainings at Insomni’hack 2014


ASFWS will be present at Insomni’hack 2014 on March 20th and 21st at Palexpo, Geneva.

As an official Insomni’hack partner, we will take this opportunity to propose two appsec trainings:

Click here to register for Insomni’hack-Appsec Trainings

Posted in Insomni’hack 2014, News

Announcing the 5th edition of the ASFWS


The next edition of the Application Security Forum - Western Switzerland (ASFWS) will take place on November 4th, 5th and 6th, 2014 at the Y-Parc Swiss Technopole in Yverdon-les-Bains.

Like previous years, the event will include workshops, conferences, exhibitions and a CTF competition, as well as informal networking opportunities in the evenings.

Details will be posted on this site as we finalize the program. In the meantime you can view the videos from the previous sessions, available on the ASFWS YouTube channel.

Posted in ASFWS 2014, News | Tagged ASFWS

Helen Bravo

Helen Bravo is the Head of Product Management at Checkmarx.

Posted in ASFWS 2014, Speakers

Nicolas Fischbach

Nicolas Fischbach is Director of Strategy, Architecture and Innovation at Colt. Before moving into this role he was in charge of Security Engineering and Operations.

Posted in ASFWS 2014, Speakers | 1 Comment

Hervé Schauer

Hervé Schauer is an internationally renowned expert in information systems security.

Posted in ASFWS 2014, Speakers | 1 Comment

Virtual Patching Automatisé des Applications Web

Virtual patching of web applications is the process by which the settings of an application firewall are modified according to the results of a vulnerability audit. It aims to reduce as far as possible the risk that the discovered vulnerabilities are exploited.

For application security, this means modifying the security policy of an application firewall (Web Application Firewall or WAF) to protect web applications according to the results of a vulnerability scan performed by a dynamic testing tool (Dynamic Application Security Testing or DAST).

This work is part of the diploma project entitled “Virtual Patching Automatisé des Applications Web” (Automated Virtual Patching of Web Applications), proposed by the company e-Xpert Solutions SA.

The main objective of my Bachelor’s work is to provide a tool that launches vulnerability scans and then patches the application firewalls using the results generated by the scan. This provides an optimised solution for protecting web applications against external threats.
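The scan-then-patch loop described above, as an added illustration that is not the student project’s own code: constructed DAST findings are turned into ModSecurity allow-list rules for the vulnerable parameter, and a small evaluator checks that each rule blocks the scanner’s evidence without rejecting legitimate input. The findings, rule id range and allow-list patterns are assumptions made for the example.

```python
"""Toy DAST-to-WAF virtual patcher (added example, not the project's code).
The findings, rule ids and allow-list regexes below are constructed."""
import re

# Constructed DAST findings. Real scanners use their own report formats
# (assumption); only the fields the patcher needs are modelled here.
FINDINGS = [
    {"id": "F-1", "type": "sqli", "path": "/product", "param": "id",
     "evidence": "1' OR '1'='1"},
    {"id": "F-2", "type": "xss", "path": "/search", "param": "q",
     "evidence": "<script>alert(1)</script>"},
]

# One allow-list regex per finding type. A virtual patch narrows what the WAF
# accepts for the vulnerable parameter; it does not try to enumerate payloads.
ALLOWED = {
    "sqli": r"^[0-9]{1,10}$",           # numeric identifier only
    "xss": r"^[A-Za-z0-9 _.-]{0,64}$",  # plain search words only
}

BASE_RULE_ID = 900000  # constructed id range for generated rules


def rule_id(finding):
    """Derive a stable ModSecurity rule id from the finding id (F-<n>)."""
    return BASE_RULE_ID + int(finding["id"].split("-")[1])


def make_rule(finding):
    """Render one ModSecurity chained rule: the first rule scopes the patch to
    the reported path and carries the disruptive action; the chained rule
    matches any value of the parameter that fails the allow-list."""
    pattern = ALLOWED[finding["type"]]
    return (
        f'SecRule REQUEST_URI "@beginsWith {finding["path"]}" '
        f'"id:{rule_id(finding)},phase:2,chain,deny,status:403,log,'
        f'msg:\'Virtual patch {finding["id"]} ({finding["type"]})\'"\n'
        f'    SecRule ARGS:{finding["param"]} "!@rx {pattern}"'
    )


def virtual_patch(findings):
    """Full WAF policy fragment for all findings of one scan."""
    return "\n".join(make_rule(f) for f in findings)


def is_blocked(finding, path, args):
    """Evaluate a generated patch the way the WAF would on one request: it
    fires only when the path is under the patched path AND the named
    parameter is present and fails the allow-list."""
    if not path.startswith(finding["path"]):
        return False
    value = args.get(finding["param"])
    if value is None:
        return False
    return re.fullmatch(ALLOWED[finding["type"]], value) is None


def verify_patch(findings):
    """Regression check: every finding's evidence must be blocked on its own
    path. Returns the ids of findings whose patch would NOT block it."""
    return [f["id"] for f in findings
            if not is_blocked(f, f["path"], {f["param"]: f["evidence"]})]


if __name__ == "__main__":
    print(virtual_patch(FINDINGS))
    print("unblocked evidence:", verify_patch(FINDINGS))
```

The allow-list approach means the patch also rejects legitimate values the regex did not anticipate, so each generated rule should be reviewed against real traffic before it is deployed in blocking mode.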

SPEAKER: Yassine Mansri

Posted in ASFWS 2014, Student Slots | 1 Comment

TProxy: un proxy pour l’interception transparente de trafic TCP

When performing penetration tests, the modern auditor is sometimes confronted with services and protocols more exotic than the by now traditional web applications accessible over HTTP or HTTPS. HTTP interception proxies are of no help when the success of the audit depends on the ability to intercept and modify traffic protected by SSL (IMAPS, SIP over SSL), to manipulate database flows (MySQL, Oracle), or to get into industrial systems (SCADA systems, IEC 60870-5-10x protocols). In such situations, a transparent proxy able to digest any protocol can prove very useful.

The need for a generic transparent proxy arose in several recent audits in which Objectif Sécurité took part. Although the protocol to handle was different in each case, the same approach could usually be applied. To make up for the apparent lack of a tool offering suitable features, Objectif Sécurité decided to develop TProxy, its own generic transparent proxy.

Until now reserved for internal use at Objectif Sécurité, TProxy has reached a level of maturity that allows it to be used by anyone. TProxy has a graphical interface for viewing, intercepting and injecting data into TCP traffic. It can automatically detect and decrypt connections secured by SSL/TLS, even when encryption is enabled mid-connection (with STARTTLS, for example). TProxy also offers a feature which, to our knowledge, is unique: it uses Wireshark dissectors to interpret the majority of TCP protocols. This feature makes it particularly handy when the success of an attack may depend on the ability to modify a single bit in a sustained stream of data.

The objective of this presentation is to give an overview of how TProxy works and to demonstrate its use in concrete situations.

TProxy should soon be made public as an open source project under the GPL licence.

SPEAKER: Bertrand Mesot

Posted in ASFWS 2014, Student Slots | 1 Comment

Finding holes: Operation Emmental

Like Swiss Emmental cheese, online banking protections may be full of holes. Banks have been trying to prevent cyber crooks from accessing their customers’ online accounts for ages. They have, in fact, invented all sorts of methods to allow their customers to safely bank online. This research describes an ongoing attack we have dubbed “Emmental” that targets a number of countries worldwide. The attack is designed to bypass a certain two-factor authentication scheme used by banks. In particular, it bypasses session tokens, which are frequently sent to users’ mobile devices via Short Message Service (SMS). Users are expected to enter a session token to activate banking sessions so they can authenticate their identities. Since this token is sent through a separate channel, this method is generally considered secure.

However, this criminal gang has managed to create a complex system to defeat this protection.

SPEAKER: David Sancho

Posted in ASFWS 2014, Talks | 1 Comment

Why .NET needs MACs and other serial(-ization) tales

What is the story behind Microsoft’s patches MS13-067 (SharePoint) and MS13-105 (Outlook Web Access)? What is really involved in a .NET ViewState and why did Microsoft disable the ability to turn off its integrity protection since ASP.NET version 4.5.2 (KB2905247)? What is MS13-100 all about? What was the state of the art of exploiting unprotected ViewState fields before our research? Which new advances did we identify in our research?

This talk is about several stories and discoveries which, once interconnected, triggered an important effort at Microsoft to patch and address some fundamental issues within the .NET framework and in some of the company’s flagship products. This talk is not just storytelling, but will also present a few demos featuring some of the exploits we crafted on this occasion. Finally, it will include guidance for system administrators, developers and pentesters on how to protect against, detect and/or exploit such serialization flaws in their applications.

SPEAKER: Alexandre Herzog

Posted in ASFWS 2014, Talks | 1 Comment

Offline bruteforce attack on WiFi Protected Setup

Wi-Fi Protected Setup™ is an optional certification program based on technology designed to ease the setup of security-enabled Wi-Fi networks in home and small office environments. Wi-Fi Protected Setup supports methods (pushing a button, entering a PIN, or using NFC) that are familiar to most consumers to configure a network and enable security. An online bruteforce attack against the WPS PIN was published in 2011. As a consequence, rate throttling and lockout of bruteforce attempts are now common remediation measures.

The security of the Wi-Fi Protected Setup (WPS) PIN-External Registrar protocol depends on the availability of a source of unpredictable random numbers to generate temporary keys. It is well known that this requirement is generally not met in embedded network devices.

In this talk, we present an attack which recovers the WPS PIN code in a single authentication attempt for devices which use guessable keys due to weak random number generation.

SPEAKER: Dominique Bongard

Posted in ASFWS 2014, Talks | 2 Comments

On the Security of the iCloud Keychain

iCloud Keychain is one of the latest additions to the family of iCloud services pitched by Apple. It is no doubt great for usability, but what about security? What kind of access does Apple have to your passwords stored in iCloud? It hasn’t received much research attention to date, and this talk aims to fill the gap.

SPEAKER: Andrey Belenko

Posted in ASFWS 2014, Talks | 1 Comment

Analyse technique d’un piratage helvétique

It is rare for a Swiss hacking case to make as many waves as the hacking of a TSR journalist this summer in the context of the Giroud affair. Without taking a position on the merits of the case, we will dissect in detail the technical mechanisms of this attack. It is up to you to judge whether you would have fallen for it and whether your IT system would have managed to block the attack.

SPEAKER: Philippe Oechslin

Posted in ASFWS 2014, Talks | 1 Comment

Sébastien Andrivet

Sébastien Andrivet has been playing with computers since the beginning of the ’80s. After spending some years with 8-bit processor assembly programming, he specialized in the ’90s in C/C++ and i386 assembly on Win/Intel.

Posted in ASFWS 2014, Speakers | 1 Comment

Jean-Philippe Aumasson

Jean-Philippe Aumasson is Principal Cryptographer at Kudelski Security, and has been employed by the Kudelski Group since 2010.

Posted in ASFWS 2014, Speakers | 1 Comment