https://wiki.owasp.org/api.php?action=feedcontributions&feedformat=atom&user=Bart+De+WinOWASP - User contributions [en]2026-05-30T19:21:38ZUser contributionsMediaWiki 1.27.2https://wiki.owasp.org/index.php?title=OWASP_BeNeLux-Day_2017&diff=236304OWASP BeNeLux-Day 20172017-12-17T22:09:08Z<p>Bart De Win: /* Keywords */ Slide deck added</p>
<hr />
<div><center>[[Image:Header-BNL-2017.png]]<br></center><br />
<br />
<br><!-- Header --><br />
<br />
<br />
<!-- First tab --><br />
= Information =<br />
== Keynote speaker ==<br />
{{#switchtablink:Conferenceday|<p><br />
* Jacoba Sieders<br />
}}<br />
<br />
== Confirmed speakers Conference ==<br />
{{#switchtablink:Conferenceday|<p><br />
* Achim D. Brucker<br />
* Lieven Desmet<br />
* Philippe De Ryck<br />
* Sebastian Lekies<br />
* Matias Madou<br />
* Mattijs van Ommeren<br />
* Jeroen Willemsen<br />
}}<br />
<br />
== Confirmed trainers ==<br />
{{#switchtablink:Trainingday|<p><br />
* Nanne Baars<br />
* Sebastien Deleersnyder<br />
* Bart De Win<br />
}}<br />
<br />
== OWASP BeNeLux conference is free, but registration is required! ==<br />
[[image:Register_now_red.png|link=https://owasp-benelux-day-2017.eventbrite.com |alt=Register for the OWASP BeNeLux Day 2017 | Register for the OWASP BeNeLux Day 2017 ]]<br />
<br />
== The OWASP BeNeLux Program Committee ==<br />
*Bart De Win / Sebastien Deleersnyder/ Lieven Desmet/ David Mathy, OWASP Belgium<br />
*Martin Knobloch / Joren Poll, OWASP Netherlands<br />
*Jocelyn Aubert, OWASP Luxembourg<br />
<br><br />
<br />
== Tweet! ==<br />
Event tag is [http://twitter.com/#search?q=%23owaspbnl17 #owaspbnl17]<br />
<br><br><br />
== Donate to OWASP BeNeLux ==<br />
[https://co.clickandpledge.com/?wid=72689 Donate]<br />
<br />
<!-- Second tab --><br />
<br />
= Registration =<br />
<br />
<br />
== OWASP BeNeLux conference is free, but registration is required! ==<br />
[[image:Register_now_red.png|link=https://owasp-benelux-day-2017.eventbrite.com |alt=Register for the OWASP BeNeLux Day 2017 | Register for the OWASP BeNeLux Day 2017 ]]<br />
<br />
== OWASP BeNeLux training is reserved for OWASP members, and registration is required! ==<br />
To support the OWASP organisation, we ask training attendees to consider becoming an OWASP member, it's only US$50!<br />
Check out the [[Membership]] page to find out more. <br />
<br />
<!--<br />
[https://owasp-benelux-day-2017.eventbrite.com Register now!]<br />
--><br />
<br><br />
To support the OWASP organisation, consider to become a member, it's only US$50!<br />
<br> <br />
Check out the [[Membership]] page to find out more. <br />
<br><br />
<br />
<br />
<!-- Third tab --><br />
<br />
= Venue =<br />
<br />
== Venue ==<br />
<br />
<br />
The venue is located:<br />
<br />
:'''Interpolis''' <br />
:Spoorlaan 298<br />
:5017JZ Tilburg<br />
:Netherlands<br />
:[https://goo.gl/maps/5CJYYSMAJD92 Google map]<br />
<br />
'''''Parkeren kan in de gemeentelijke parkeergarage Tivoli, gelegen tussen de Rabobank en het Interpoliskantoor.'''''<br />
<br />
=== How to reach the venue? ===<br />
;'''Openbaar vervoer '''<br><br />
Het Centraal Station en bushalte liggen aan de Spoorlaan op ± 10 minuten loopafstand van het Achmeakantoor.<br />
<br />
'''<u>Eigen vervoer</u>'''<br />
;'''Routebeschrijving vanuit Den Bosch'''<br />
:Op A58 bij afslag 10 (Tilburg/ Hilvarenbeek) rechts af richting centrum (Ringbaan Oost). Na ongeveer 1 km, voor het spoorwegviaduct, links af richting centrum / Centraal Station (Spoorlaan). Na ongeveer 700 meter staat links het Interpoliskantoor.<br />
<br />
;'''Routebeschrijving vanuit Waalwijk'''<br />
:A261 richting Tilburg. Bij binnenkomst Tilburg rechtdoor, viaduct over. Bij de rotonde rechtdoor, 2e afslag (Ringbaan West) volgen. Na ongeveer 1km, ter hoogte van woontoren Westpoint, links af (Hart van Brabantlaan). Weg volgen, gaat over in Spoorlaan. Na ongeveer 2 km staat rechts het Interpoliskantoor.<br />
<br />
;'''Routebeschrijving vanuit Dongen'''<br />
:Vanuit Dongen de Burgemeester Letschertweg volgen tot de N261 Waalwijk/Tilburg. Neem de afslag Tilburg. Bij binnenkomst Tilburg rechtdoor, viaduct over. Bij de rotonde rechtdoor, 2e afslag (Ringbaan West) volgen. Na ongeveer 1km, ter hoogte van woontoren Westpoint, links af (Hart van Brabantlaan). Weg volgen, gaat over in Spoorlaan. Na ongeveer 2 km staat rechts het Interpoliskantoor.<br />
<br />
;'''Routebeschrijving vanuit Utrecht/Breda (A27 richting Tilburg)'''<br />
:Vanaf A58 afslag 11 (Tilburg West) rechts af richting centrum (Ringbaan West). Weg volgen. Na ongeveer 1,5 km, ter hoogte van woontoren Westpoint, rechts af (Hart van Brabantlaan). Weg volgen, gaat over in Spoorlaan. Na ongeveer 2 km staat rechts het Interpoliskantoor.<br />
<br />
=== Hotel nearby ===<br />
[https://www.google.nl/maps/search/Hotels/@51.5571525,5.0821866,15z/data=!3m1!4b1 Hotels on Google Maps]<br />
<!-- Fourth tab --><br />
<br />
= Trainingday =<br />
=== Trainingday is November 23rd ===<br />
<br />
== Location ==<br />
<br />
== Agenda ==<br />
{| class="wikitable"<br />
! Time !! Description !! Room TBA !! Room TBA !! Room TBA<br />
|-<br />
| 08h30 - 9h30<br />
| colspan="5" style="text-align: center; background: grey; color: white;" | ''Registration''<br />
|-<br />
| 09h30 - 11h00 || Training<br />
| rowspan="7" style="width:100px;" | [[OWASP_BeNeLux-Day_2017#WebGoat_-_Teaching_application_security_101_by_Nanne_Baars | WebGoat - Teaching application security 101]] <br>by [[OWASP_BeNeLux-Day_2017#WebGoat_-_Teaching_application_security_101_by_Nanne_Baars | Nanne Baars]]<br />
| rowspan="7" style="width:100px;" | [[OWASP_BeNeLux-Day_2017#Whiteboard_Hacking_aka_Hands-on_Threat Modeling_by_Sebastien Deleersnyder | Whiteboard Hacking aka Hands-on Threat Modeling]] <br>by [[OWASP_BeNeLux-Day_2017#Whiteboard_Hacking_aka_Hands-on_Threat Modeling_by_Sebastien Deleersnyder | Sebastien Deleersnyder]]<br />
| rowspan="7" style="width:100px;" | [[OWASP_BeNeLux-Day_2017#Secure_Development:_Models_and_best_practices_by_Bart_De_Win | Secure Development: Models and best practices]] <br>by [[OWASP_BeNeLux-Day_2017#Secure_Development:_Models_and_best_practices_by_Bart_De_Win | Bart De Win]]<br />
|-<br />
| 11h00 - 11h30 || ''Coffee Break''<br />
|-<br />
| 11h30 - 13h00 || Training<br />
|-<br />
| 13h00 - 14h00 || ''Lunch''<br />
|-<br />
| 14h00 - 15h30 || Training<br />
|-<br />
| 15h30 - 16h00 || ''Coffee Break''<br />
|-<br />
| 16h00 - 17h30 || Training<br />
|}<br />
<br />
== Trainings ==<br />
=== WebGoat - Teaching application security 101 by Nanne Baars ===<br />
====Topic(s) ====<br />
* Web Application Breaker<br />
* Other<br />
====Keywords ====<br />
WebGoat application, security teaching secure development<br />
<br />
====Abstract ====<br />
A good defense against insecure code requires understanding the mechanics behind how attackers exploit simple programming mistakes.<br />
The WebGoat team will walk through exercises like SQL Injection, XSS, XXE, CSRF, ... and demonstrate how these exploits work.<br />
<br />
We will show you how you can use WebGoat to train your developers to avoid these simple but common programming mistakes.<br />
<br />
We also show you how to extend WebGoat to create lessons specific to your environment.<br />
Join us to learn the most basic, but common, application security problems.<br />
<br />
Tired of all the lessons? During the training we will host a small CTF competition which you can take a shot at and compete with each other...<br />
<br />
=== Requirements===<br />
Please find the course prerequisites here: https://github.com/nbaars/owasp-training<br />
<br />
====Bio====<br />
Nanne Baars works as a security consultant & developer at JDriven and is one of the primary developers of WebGoat.<br />
<br />
=== Whiteboard Hacking aka Hands-on Threat Modeling by Sebastien Deleersnyder ===<br />
====Topic(s) ====<br />
* Threat modeling introduction<br />
* Diagrams – what are you building?<br />
* Identifying threats – what can go wrong?<br />
* Hands-on: STRIDE analysis of an Internet of Things (IoT) deployment with an on premise gateway and secure update service<br />
* Addressing each threats<br />
* Hands-on: threat mitigations OAuth scenarios for web and mobile applications<br />
<br />
====Keywords ====<br />
Threat Modeling, STRIDE, Technical risk assessment<br />
<br />
====Abstract ====<br />
This is a one day version of our Black Hat training on Threat Modeling. The students will be challenged to perform practical threat modeling in groups of 3 to 4 people covering the different stages of threat modeling on:<br />
* An Internet of Things (IoT) deployment with an on premise gateway and secure update service<br />
* An HR services OAuth scenario for mobile and web applications <br />
Threat modeling is a structured activity for identifying and evaluating application threats and vulnerabilities. It also allows consideration of security issues at the component or application level. The threat modeling course will teach you to perform threat modeling through a series of workshops, where our trainer will guide you through the different stages of a practical threat model. <br><br />
This course is aimed at software developers, architects, system managers or security professionals. Before attending this course, students should be familiar with basic knowledge of web and mobile Applications, databases & Single sign on (SSO) principles.<br />
<br />
<br />
====Bio====<br />
Sebastien (lead application security consultant Toreon) led engagements in the domain of ICT-security, Web and Mobile Security with several customers in the private and public sector. Sebastien is the Belgian OWASP Chapter Leader and is co-project leader of OWASP SAMM.<br />
<br />
=== Secure Development: Models and best practices by Bart De Win ===<br />
====Topic(s) ====<br />
* Software Assurance maturity models<br />
* Secure Development in agile development<br />
* Tips and tricks for practical SDLC<br />
* Hands-on: SAMM analysis of your enterprise using SAMM 1.5<br />
* Sneak preview of SAMM 2.0<br />
<br />
====Keywords ====<br />
SDLC, SAMM, Agile development, <br />
<br />
====Abstract ====<br />
It takes much more than a good developer to build secure software within an organisation. Indeed, building secure software is about ensuring that security is taken into consideration during the entire software lifecycle. It is about ensuring that security best practices are being employed efficiently, and that uncovered risks are appropriately dealt with in due time.<br />
<br />
During this one-day training, we will introduce and discuss different secure development approaches and models. We will look into waterfall vs. agile development and discuss different strategies to successfully run an SDLC program. Finally, we will also put theorie into practice and take your organisation to perform a mini SDLC assessment and improvement exercise.<br />
[[File:Benelux2017 - Secure Development Training deck.pdf|thumb]]<br />
The slides of this session are available for download in the media file.<br />
<br />
====Bio====<br />
Bart is an application security consultant and enthousiast and is spending considerable time on secure development projects. Bart is board member of the Belgian OWASP Chapter and is co-project leader of OWASP SAMM.<br />
<br />
<br />
<!-- Fifth tab --><br />
<br />
= Conferenceday =<br />
=== Conferenceday is November 24th ===<br />
<br />
<br />
== Agenda ==<br />
{| class="wikitable"<br />
! width="120pt" | Time<br />
! width="190pt" | Speaker <br />
! width="400pt" | Topic<br />
! width="100pt" -- ! | Media<br />
|- <br />
| 08h30 - 09h00<br />
| colspan="3" style="text-align: center; background: grey; color: white" | ''Registration''<br />
|- <br />
| 09h00 - 09h15<br />
| colspan="3" style="text-align: center; background: grey; color: white" | ''Opening''<br />
|- <br />
| 09h15 - 10h00 || [[OWASP_BeNeLux-Day_2017#Attribute Based Access Control. Why, what, how? by Jacoba Sieders | Jacoba Sieders]]<br />
|| [[OWASP_BeNeLux-Day_2017#Attribute Based Access Control. Why, what, how? by Jacoba Sieders | Attribute Based Access Control. Why, what, how?]] <br />
|| [[Media:OWASP BeNeLux-Day 2017 AttributeBasedAccessControl WhyWhatHow JacobaSieders.pdf|Slides]]<br>[https://youtu.be/O7iWITnZGsk Video]<br />
|-<br />
| 10h00 - 10h45 || [[OWASP_BeNeLux-Day_2017#How to spend $3.6mil on one coding mistake, and other fun stuff you can do with $3.6mil by Matia Madou | Matias Madou]]<br />
|| [[OWASP_BeNeLux-Day_2017#How to spend $3.6mil on one coding mistake, and other fun stuff you can do with $3.6mil by Matia Madou | How to spend $3.6mil on one coding mistake, and other fun stuff you can do with $3.6mil]]<br />
|| [[Media:OWASP_BeNeLux-Day_2017_how_to_spend_$3.6_mil_on_one_coding_mistake_by_Matias_Madou.pdf|Slides]] <br> [https://www.youtube.com/watch?v=dt5rFGBztJA&feature=youtu.be Video]<br />
<br />
|-<br />
| 10h45 - 11h15 <br />
| colspan="3" style="text-align: center;background: grey; color: white" | ''Morning Break'' <br />
|-<br />
| 11h15 - 12h00 || [[OWASP_BeNeLux-Day_2017#The evil friend in your browser by Achim D. Brucker | Achim D. Brucker]]<br />
|| [[OWASP_BeNeLux-Day_2017#The evil friend in your browser by Achim D. Brucker | The evil friend in your browser]]<br />
| [[Media:OWASP_BeNeLux-Day_2017_The evil friend in your browser_Achim_Brucker.pdf|Slides]]<br>[https://www.youtube.com/watch?v=_Uj-Ci37Rvw&feature=youtu.be Video]<br />
|-<br />
| 12h00 - 12h45 || [[OWASP_BeNeLux-Day_2017#Exploring the ecosystem of malicious domain registrations in the .eu TLD by Lieven Desmet | Lieven Desmet]]<br />
|| [[OWASP_BeNeLux-Day_2017#Exploring the ecosystem of malicious domain registrations in the .eu TLD by Lieven Desmet | Exploring the ecosystem of malicious domain registrations in the .eu TLD]]<br />
| [[Media:OWASP BeNeLux-Day 2017 Exploring the ecosystem of malicious domain registrations LievenDesmet.pdf|Slides]]<br>[https://www.youtube.com/watch?v=09SNSYHw8H0&feature=youtu.be Video]<br />
|-<br />
| 12h45 - 13h45<br />
| colspan="3" style="text-align: center;background: grey; color: white" | ''Lunch'' <br />
|-<br />
| 13h45 - 14h30 || [[OWASP_BeNeLux-Day_2017#Don't trust the DOM: Bypassing XSS mitigations via script gadgets by Sebastian Lekies | Sebastian Lekies]]<br />
|| [[OWASP_BeNeLux-Day_2017#Don't trust the DOM: Bypassing XSS mitigations via script gadgets by Sebastian Lekies | Don't trust the DOM: Bypassing XSS mitigations via script gadgets]]<br />
| [[Media:OWASP BeNeLux-Day 2017 Bypassing XSS mitigations via script gadgets Sebastian Lekies.pdf|Slides]]<br>[https://www.youtube.com/watch?v=rssg--FP1AE&feature=youtu.be Video]<br />
|-<br />
| 14h30 - 15h15 || [[OWASP_BeNeLux-Day_2017#A Series of Unfortunate Events: Where Malware Meets Murphy by Mattijs van Ommeren | Mattijs van Ommeren]]<br />
|| [[OWASP_BeNeLux-Day_2017#A Series of Unfortunate Events: Where Malware Meets Murphy by Mattijs van Ommeren | A Series of Unfortunate Events: Where Malware Meets Murphy]]<br />
| <!--[[Media:OWASP_Benelux-Day_2017_A_Series_Of_Unfortunate_Events-Where_Malware_Meets_Murphy_Mattijs_van_Ommeren.pdf|Slides]]<br> -->[https://www.youtube.com/watch?v=d67yxt3FdTA&feature=youtu.be Video]<br />
|-<br />
| 15h15 - 15h45<br />
| colspan="3" style="text-align: center;background: grey; color: white" | ''Break'' <br />
|-<br />
| 15h45 - 16h30 || [[OWASP_BeNeLux-Day_2017#Common REST API security pitfalls by Philippe De Ryck | Philippe De Ryck]]<br />
|| [[OWASP_BeNeLux-Day_2017#Common REST API security pitfalls by Philippe De Ryck | Common REST API security pitfalls]]<br />
| [[Media:OWASP BeNeLux-Day 2017 Common REST API security pitfalls Philippe De Ryck.pdf|Slides]]<br>[https://www.youtube.com/watch?v=Meh4EUmLCfM&feature=youtu.be Video]<br />
|-<br />
| 16h30 - 17h15 || [[OWASP_BeNeLux-Day_2017#Creating An AppSec Pipeline With Containers In A Week How We Failed And Succeeded by Jeroen Willemsen | Jeroen Willemsen]]<br />
|| [[OWASP_BeNeLux-Day_2017#Creating An AppSec Pipeline With Containers In A Week How We Failed And Succeeded by Jeroen Willemsen | Creating An AppSec Pipeline With Containers In A Week How We Failed And Succeeded]]<br />
| [[Media:OWASP BeNeLux-Day 2017 Creating An AppSec Pipeline With Containers In A Week How We Failed And Succeeded Jeroen Willemsen.pdf|Slides]]<br>[https://www.youtube.com/watch?v=Q3q1mdev5rs&feature=youtu.be Video]<br />
|-<br />
| 17h15 - 17h30<br />
| colspan="3" style="text-align: center;background: grey; color: white" | ''Closing'' <br />
|}<br />
<br />
<div id="TBD"></div><br />
<br />
== Talks == <br />
<br />
===Attribute Based Access Control. Why, what, how? by Jacoba Sieders===<br />
====Abstract====<br />
Digitization is rapidly transforming the traditional world and regulation on security and data protection is gaining weight. Digital identity, but also data protection become crucial capabilities for businesses. What are the trends in IAM and what role can Attribute Based Access Control (ABAC) play here? ABNAMRO started implementing ABAC in 2014. What were the approach and the lessons learnt?<br />
====Bio====<br />
Jacoba Sieders, Head of Digital Identity- & Access, ABNAMRO Bank.<br /><br />
Jacoba is an all-round Digital Identity and Information Security expert with 17 years of experience in the international finance industry, in technology, governance, consultancy, and implementation. She is accountable for digital identity services and access control for customers, employees and partners to the bank’s data and infrastructure. <br />
Major topics on her agenda today are ABAC, data centric security, API-banking and PSDII requirements, the interaction of IAM tools with the rest of the bank’s cybersecurity landscape, and the new authentication concept for which ABNAMRO is acquiring a patent. Her special interests are legal requirements impacting identity, e.g. Generic Data Protection Regulation, the EU e-IDAS scheme, KYC and AML legislation. <br />
Jacoba is a member of the Advisory Board of the independent European think-tank ID Next and is regularly speaking on the topic of IAM. She holds a master degree in Classics from Leiden University (Greek, Latin, Hebrew). <br />
<br />
<br />
===How to spend $3.6mil on one coding mistake, and other fun stuff you can do with $3.6mil by Matia Madou===<br />
====Abstract====<br />
In a recent global study, the average cost of a data breach is $3.62M globally. This session will discuss infamous examples of data breaches that has made headlines around the world. We will explore the technical details of the vulnerability itself and what a coding solution may have been to prevent the breach. We will also dive deeper on exploring different solutions, processes and techniques you can apply in your day-to-day to prevent application security vulnerabilities in your code.<br />
====Bio====<br />
Matias Madou is a Co-Founder and CTO of Secure Code Warrior where he is responsible for leading the company’s technology vision and overseeing the engineering team. Matias has more than 15 years of hands-on software security experience and has developed solution for companies such as HP Fortify, and founded a company called Sensei Security. Matias has led multiple application security research projects which have led to commercial products and boasts over 10 patents under his belt. When he is away from his desk, Matias has served as an instructor for advanced application security training courses and regularly speaks at global conferences including RSA Conference, Black Hat, DefCon, BSIMM, OWASP AppSec and BruCon. Matias holds a Ph.D. in Computer Engineering from Ghent University.<br />
<br />
<br />
===The evil friend in your browser by Achim D. Brucker===<br />
====Abstract====<br />
On the one hand, browser extensions, e.g., for Chrome, are very useful, as they extend web browsers with additional functionality<br />
(e.g., blocking ads). On the other hand, they are the most dangerous code that runs in your browsers: extension can read and modify both the content displayed in the browser. As they also can communicate with any web-site or web-service, they can report both data and metadata to external parties.<br />
<br />
The current security model for browser extensions seems to be inadequate for expressing the security or privacy needs of browser users. Consequently, browser extensions are a "juice target" for attackers targeting web users.<br />
<br />
We present results of analysing over 60000 browser extensions on how they use the current security model and discuss examples of extensions that are potentially of high risk. Based on the results of our analysis of real world browser extensions as well as our own threat model, we discuss the limitations of the current security model form a user perspective. need of browser users.<br />
<br />
====Bio====<br />
Dr. Achim D. Brucker (www.brucker.uk) is a Senior Lecturer and consultant for software and systems assurance at the Computer Science Department of The University of Sheffield, UK. Until December 2015, he was a Research Expert (Architect), Security Testing Strategist, and Project Lead in the Global Security Team of SAP SE, where he defined the risk-based security testing strategy of SAP that combines static, dynamic, and interactive security testing methods and integrates them deeply into SAP's Secure Software Development Lifecycle. He has experience in rolling out *AST tools to world-wide development organisations.<br />
<br />
===Exploring the ecosystem of malicious domain registrations in the .eu TLD by Lieven Desmet===<br />
====Abstract====<br />
In this talk, we report on an extensive analysis of 14 months of domain registration in the .eu TLD. The purpose is to identify large-scale malicious campaigns. Overall, the dataset of this study contains 824,121 new domain registrations; 2.53% of which have been flagged as malicious by blacklisting services. We explore the ecosystem and modus operandi of elaborate cybercriminal entities that recurrently register large amounts of domains for one-shot, malicious use. Although these malicious domains are short-lived, we establish that at least 80.04% of them can be framed in to 20 larger campaigns with varying duration and intensity. We further report on insights in the operational aspects of this business and observe, amongst other findings, that their processes are only partially automated. <br />
====Bio====<br />
Lieven Desmet is a Senior Research Manager on Secure Software in the imec-DistriNet Research Group at the Katholieke Universiteit Leuven (Belgium), where he outlines and implements the research strategy, coaches junior researchers in application security, and participates in dissemination, valorisation and spin-off activities. Lieven is also involved in OWASP as a board member of the Belgium OWASP Chapter, and part of the organisation team of the OWASP BeNeLux Day.<br />
<br />
===Don't trust the DOM: Bypassing XSS mitigations via script gadgets by Sebastian Lekies===<br />
====Abstract====<br />
Cross-Site Scripting is a constant problem of the Web platform. Over the years many techniques have been introduced to prevent or mitigate XSS. Most of these techniques, thereby, focus on script tags and event handlers. HTML sanitizers, for example, aim at removing potentially dangerous tags and attributes. Another example is the Content Security Policy, which forbids inline event handlers and aims at white listing of legitimate scripts.<br />
<br />
In this talk, we present a novel Web hacking technique that enables an attacker to circumvent most XSS mitigations. In order to do so, the attacker abuses so-called script gadgets. A script gadget Is a legitimate piece of JavaScript in a page that reads elements from the DOM via selectors and processes them in a way that results in script execution. To abuse a script gadget, the attacker injects a benign looking element into the page that matches the gadget's selector. Subsequently, the gadget selects the benign-looking element and executes attacker-controlled scripts. As the initially injected element is benign it passes HTML sanitizers and security policies. The XSS only surfaces when the gadget mistakenly elevates the privileges of the element.<br />
<br />
In this talk, we will demonstrate that these gadgets are present in almost all modern JavaScript libraries, APIs and applications. We will present several case studies and real-world examples that demonstrate that many mitigation techniques are not suited for modern applications. As a result, we argue that the Web should start focusing more on preventive mechanisms instead of mitigations.<br />
====Bio====<br />
Sebastian Lekies is tech leading the Web application security scanning team at Google. Before joining Google, he was part of SAP's Security Research team, where he conducted academic research in the area of client-side Web application security. Sebastian is regularly speaking at academic and non-academic security conferences such as BlackHat US/EU/Asia, DeepSec, OWASP AppSec EU, Usenix Security, CCS, and many more...<br />
<br />
<br />
===A Series of Unfortunate Events: Where Malware Meets Murphy by Mattijs van Ommeren===<br />
====Abstract====<br />
When an end user reports some “strange looking file names”, which, after investigating, you discover include several hundreds of Gigabytes of encrypted data, you of course know you are going to have a bad day. Your AV solution has failed you, your firewall has failed you, and your SIEM has failed you. Basically, every piece of security infrastructure you have put your trust (and money) into has left you out in the cold and you thank <deity of choice> that at least the nightly backup was completed successfully. Spin up the tape drive, and soon you will be back in business, or not…?<br />
<br />
This talk is about failure. Not only about a failing security infrastructure, but also about failure in doing the Right Thing™ as a first responder, about the failure of Operating System tools, failing APIs, and ironically, also the failure of malware (which is unfortunately not as positive as it may sound). The scenario presented comes pretty close to the worst chain of events you can imagine, in an attempt to recover from a ransomware incident.<br />
<br />
Luckily – this story has a happy ending. We will reveal how one can be prepared for when both Count Olaf and Murphy come knocking on your door simultaneously.<br />
====Bio====<br />
Mattijs van Ommeren has been poking hardware and software for 15 years. He has spent most of his working life as a security consultant, attacking and defending both traditional IT environments as well as more esoteric embedded devices and industrial systems. Presently he has a lot of fun at Nixu.<br />
<br />
<br />
===Common REST API security pitfalls by Philippe De Ryck===<br />
====Abstract====<br />
The shift towards a REST API landscape indicates a significant evolution in the way we build applications. The rise of JavaScript and mobile applications have sparked an explosion of easily-accessible REST APIs. But how do you protect access to your API? Which security aspects are no longer relevant? Which security features are an absolutely must-have, and which additional security measures do you need to take into account?<br />
<br />
These are hard questions, as evidenced by the deployment of numerous insecure REST APIs. Attend this session to find out about common API security pitfalls, that often result in compromised user accounts and unauthorized access to your data. We expose the problem that lies at the root of each of these pitfalls, and offer actionable advice to address these security problems. After this session, you will know how to assess the security of your APIs, and the best practices to improve them towards the future.<br />
====Bio====<br />
Philippe De Ryck is a professional speaker and trainer on software security and web security. Since he obtained his PhD at the imec-DistriNet research group (KU Leuven, Belgium), he has been running the group's Web Security Training program, which ensures a sustainable knowledge transfer of the group’s security expertise towards practitioners.<br />
<br />
<br />
===Creating An AppSec Pipeline With Containers In A Week How We Failed And Succeeded by Jeroen Willemsen===<br />
====Abstract====<br />
Join us on our adventure of setting up a appsec pipeline with Docker containers. What did go wrong, how did we succeed? How do you fight false positives and how do you get the best out of the products out there without bothering the development teams too much.<br />
====Bio====<br />
Jeroen Willemsen is a security architect with a passion for mobile and risk management. He loves to work on secure building blocks, security automation pipelines and embedding information security risk management controls in an agile environment. He is dedicated to help developers, product owners and architects to take security seriously in their daily development life (but not too serious of course ;-)).In his spare time he loves to experiment with new technologies and frameworks.”<br />
<br />
<br />
<!-- Sixth tab --><br />
<br />
= Social Event =<br />
<br />
== Social Event,starting at 7PM ==<br />
Thursday, November 23rd<br />
;Dudok Tilburg<br />
:Veemarktstraat 33<br />
:5038 CT Tilburg<br />
:http://www.dudok.nl/<br />
Menu:<br />
:As we are a big group, Dudok will prepare the following [[Media:Dudok menu OWASP.pdf|menu]] for us!<br />
'''If you want to join the social event, don't forget to register for the social event via the registration:'''<br />
:[[image:Register_now_red.png|link=https://owasp-benelux-day-2017.eventbrite.com |200px|alt=Register for the OWASP BeNeLux Day 2017 | Register for the OWASP BeNeLux Day 2017 ]]<br />
<br />
<br />
(limited) open tap sponsored by :<br />
[[File:Avi Logo Transparent Background 300pix.png|200px|link=https://avinetworks.com/]] <br />
<br />
<!-- Seventh tab --><br />
<br />
= Sponsor =<br />
<br />
=== Become a sponsor of OWASP BeNeLux ===<br />
<br />
There are 3 combined sponsorship packages (Gold, Silver or Bronze) that cover the BeNeLux chapter meetings 2018 and the BeNeLux OWASP Days 2017 in Tilburg, the Netherlands.<br />
<br />
Download our sponsor brochure TBD and contact [mailto:seba@owasp.org us] for questions or sponsorship confirmation!<br />
<br />
Your sponsorship will be invested directly in the chapter meetings, supporting speaker and catering expenses. <br />
<br />
The sponsorship will also be dedicated to cover the costs of the OWASP 2017 BeNeLux event.<br />
<br />
<!-- Don't remove these two lines! -->__NOTOC__ <br />
<headertabs></headertabs><br />
<br />
<br />
<br />
=== Made possible by our {{#switchtablink:Sponsor|Sponsors}}===<br />
'''Hosted by'''<br />
[[File:Interpolis logo 2736.gif|200px|link=https://www.interpolis.nl/]] <br />
<br />
'''Platinum:'''<br />
[[File:Achmea_L1_RGB_colour.jpg|250px||link=https://www.achmea.nl/]]<br />
<br />
'''Gold:'''<br />
[http://www.vest.nl https://www.owasp.org/images/6/67/Vest.jpg]<br />
[https://secwatch.nl https://www.owasp.org/images/f/ff/Secwatch_logo_small.png]<br />
[[File:Avi Logo Transparent Background 300pix.png|200px|link=https://avinetworks.com/]] <br />
<br />
'''Silver:'''<br />
[[File:LogoToreon.jpg|250px|link=https://www.toreon.com]] <br />
[http://www.nviso.be https://www.owasp.org/images/5/5e/Nviso_logo_RGB_baseline_200px.png]<br />
[http://www.sig.eu/security https://www.owasp.org/images/9/99/SIG_LOGO.png]<br />
[https://www.secura.com/ https://www.owasp.org/images/7/78/Secura_logo_small.png]<br />
[[File:Xebia logo-large-transparent.png|200px|link=https://xebia.com/agile-software-security]] <br />
<br />
'''Bronze:'''<br />
[https://informatiebeveiliging.nl/ https://www.owasp.org/images/9/9a/Logo_Informatiebeveiliging-200.png]<br />
[https://www.netsparker.com/ https://www.owasp.org/images/8/88/200x60_netsparker_logo.png]<br />
<br />
[[Category:OWASP_AppSec_Conference]] <br />
[[Category:OWASP_BeNeLux_Archives]]</div>Bart De Winhttps://wiki.owasp.org/index.php?title=File:Benelux2017_-_Secure_Development_Training_deck.pdf&diff=236303File:Benelux2017 - Secure Development Training deck.pdf2017-12-17T22:08:01Z<p>Bart De Win: </p>
<hr />
<div>Slide deck for the Benelux 2017 SDLC training by Bart De Win</div>Bart De Winhttps://wiki.owasp.org/index.php?title=OWASP_BeNeLux-Day_2017&diff=234812OWASP BeNeLux-Day 20172017-11-01T21:06:02Z<p>Bart De Win: </p>
<hr />
<div><center>[[Image:Header-BNL-2017.png]]<br></center><br />
<br />
<br><!-- Header --><br />
<br />
<br />
<!-- First tab --><br />
= Information =<br />
== Keynote speaker ==<br />
{{#switchtablink:Conferenceday|<p><br />
* Jacoba Sieders<br />
}}<br />
<br />
== Confirmed speakers Conference ==<br />
{{#switchtablink:Conferenceday|<p><br />
* Achim D. Brucker<br />
* Lieven Desmet<br />
* Philippe De Ryck<br />
* Sebastian Lekies<br />
* Matias Madou<br />
* Mattijs van Ommeren<br />
* Jeroen Willemsen<br />
}}<br />
<br />
== Confirmed trainers ==<br />
{{#switchtablink:Trainingday|<p><br />
* Nanne Baars<br />
* Sebastien Deleersnyder<br />
* Bart De Win<br />
}}<br />
<br />
== OWASP BeNeLux conference is free, but registration is required! ==<br />
<!--<br />
[[image:Register_now_red.png|link=https://owasp-benelux-day-2017.eventbrite.com |alt=Register for the OWASP BeNeLux Day 2017 | Register for the OWASP BeNeLux Day 2017 ]]<br />
--><br />
<br />
== The OWASP BeNeLux Program Committee ==<br />
*Bart De Win / Sebastien Deleersnyder/ Lieven Desmet/ David Mathy, OWASP Belgium<br />
*Martin Knobloch / Joren Poll, OWASP Netherlands<br />
*Jocelyn Aubert, OWASP Luxembourg<br />
<br><br />
<br />
== Tweet! ==<br />
Event tag is [http://twitter.com/#search?q=%23owaspbnl17 #owaspbnl17]<br />
<br><br><br />
== Donate to OWASP BeNeLux ==<br />
[https://co.clickandpledge.com/?wid=72689 Donate]<br />
<br />
<!-- Second tab --><br />
<br />
= Registration =<br />
<br />
<br />
== OWASP BeNeLux conference is free, but registration is required! ==<br />
<!--<br />
[[image:Register_now_red.png|link=https://owasp-benelux-day-2017.eventbrite.com |alt=Register for the OWASP BeNeLux Day 2017 | Register for the OWASP BeNeLux Day 2017 ]]<br />
--><br />
== OWASP BeNeLux training is reserved for OWASP members, and registration is required! ==<br />
To support the OWASP organisation, we ask training attendees to become an OWASP member, it's only US$50!<br />
Students and faculty are invited to become member as well, but can freely attend.<br />
Check out the [[Membership]] page to find out more. <br />
<br />
<!--<br />
[https://owasp-benelux-day-2017.eventbrite.com Register now!]<br />
--><br />
<br><br />
To support the OWASP organisation, consider to become a member, it's only US$50!<br />
<br> <br />
Check out the [[Membership]] page to find out more. <br />
<br><br />
<br />
<br />
<!-- Third tab --><br />
<br />
= Venue =<br />
<br />
== Venue ==<br />
<br />
<br />
The venue is located:<br />
<br />
'''Interpolis''' <br />
<br />
Spoorlaan 298, <br />
<br />
5017JZ Tilburg<br />
<br />
Netherlands<br />
=== How to reach the venue? ===<br />
Map: [https://goo.gl/maps/5CJYYSMAJD92 Google map]<br />
<br />
=== Hotel nearby ===<br />
<br />
<!-- Fourth tab --><br />
<br />
= Trainingday =<br />
=== Trainingday is November 23rd ===<br />
<br />
== Location ==<br />
<br />
== Agenda ==<br />
{| class="wikitable"<br />
! Time !! Description !! Room TBA !! Room TBA !! Room TBA<br />
|-<br />
| 08h30 - 9h30<br />
| colspan="5" style="text-align: center; background: grey; color: white;" | ''Registration''<br />
|-<br />
| 09h30 - 11h00 || Training<br />
| rowspan="7" style="width:100px;" | [[OWASP_BeNeLux-Day_2017#WebGoat_-_Teaching_application_security_101_by_Nanne_Baars | WebGoat - Teaching application security 101]] <br>by [[OWASP_BeNeLux-Day_2017#WebGoat_-_Teaching_application_security_101_by_Nanne_Baars | Nanne Baars]]<br />
| rowspan="7" style="width:100px;" | [[OWASP_BeNeLux-Day_2017#Whiteboard_Hacking_aka_Hands-on_Threat Modeling_by_Sebastien Deleersnyder | Whiteboard Hacking aka Hands-on Threat Modeling]] <br>by [[OWASP_BeNeLux-Day_2017#Whiteboard_Hacking_aka_Hands-on_Threat Modeling_by_Sebastien Deleersnyder | Sebastien Deleersnyder]]<br />
| rowspan="7" style="width:100px;" | [[OWASP_BeNeLux-Day_2017#Secure_Development:_Models_and_best_practices_by_Bart_De_Win | Secure Development: Models and best practices]] <br>by [[OWASP_BeNeLux-Day_2017#Secure_Development:_Models_and_best_practices_by_Bart_De_Win | Bart De Win]]<br />
|-<br />
| 11h00 - 11h30 || ''Coffee Break''<br />
|-<br />
| 11h30 - 13h00 || Training<br />
|-<br />
| 13h00 - 14h00 || ''Lunch''<br />
|-<br />
| 14h00 - 15h30 || Training<br />
|-<br />
| 15h30 - 16h00 || ''Coffee Break''<br />
|-<br />
| 16h00 - 17h30 || Training<br />
|}<br />
<br />
== Trainings ==<br />
=== WebGoat - Teaching application security 101 by Nanne Baars ===<br />
====Topic(s) ====<br />
* Web Application Breaker<br />
* Other<br />
====Keywords ====<br />
WebGoat application, security teaching secure development<br />
<br />
====Abstract ====<br />
A good defense against insecure code requires understanding the mechanics behind how attackers exploit simple programming mistakes.<br />
The WebGoat team will walk through exercises like SQL Injection, XSS, XXE, CSRF, ... and demonstrate how these exploits work.<br />
<br />
We will show you how you can use WebGoat to train your developers to avoid these simple but common programming mistakes.<br />
<br />
We also show you how to extend WebGoat to create lessons specific to your environment.<br />
Join us to learn the most basic, but common, application security problems.<br />
<br />
Tired of all the lessons? During the training we will host a small CTF competition which you can take a shot at and compete with each other...<br />
<br />
====Bio====<br />
Nanne Baars works as a security consultant & developer at JDriven and is one of the primary developers of WebGoat.<br />
<br />
<br />
<br />
=== Whiteboard Hacking aka Hands-on Threat Modeling by Sebastien Deleersnyder ===<br />
====Topic(s) ====<br />
* Threat modeling introduction<br />
* Diagrams – what are you building?<br />
* Identifying threats – what can go wrong?<br />
* Hands-on: STRIDE analysis of an Internet of Things (IoT) deployment with an on premise gateway and secure update service<br />
* Addressing each threats<br />
* Hands-on: threat mitigations OAuth scenarios for web and mobile applications<br />
<br />
====Keywords ====<br />
Threat Modeling, STRIDE, Technical risk assessment<br />
<br />
====Abstract ====<br />
This is a one day version of our Black Hat training on Threat Modeling. The students will be challenged to perform practical threat modeling in groups of 3 to 4 people covering the different stages of threat modeling on:<br />
* An Internet of Things (IoT) deployment with an on premise gateway and secure update service<br />
* An HR services OAuth scenario for mobile and web applications <br />
Threat modeling is a structured activity for identifying and evaluating application threats and vulnerabilities. It also allows consideration of security issues at the component or application level. The threat modeling course will teach you to perform threat modeling through a series of workshops, where our trainer will guide you through the different stages of a practical threat model. <br><br />
This course is aimed at software developers, architects, system managers or security professionals. Before attending this course, students should be familiar with basic knowledge of web and mobile Applications, databases & Single sign on (SSO) principles.<br />
<br />
<br />
====Bio====<br />
Sebastien (lead application security consultant Toreon) led engagements in the domain of ICT-security, Web and Mobile Security with several customers in the private and public sector. Sebastien is the Belgian OWASP Chapter Leader and is co-project leader of OWASP SAMM.<br />
<br />
=== Secure Development: Models and best practices by Bart De Win ===<br />
====Topic(s) ====<br />
* Software Assurance maturity models<br />
* Secure Development in agile development<br />
* Tips and tricks for practical SDLC<br />
* Hands-on: SAMM analysis of your enterprise using SAMM 1.5<br />
* Sneak preview of SAMM 2.0<br />
<br />
====Keywords ====<br />
SDLC, SAMM, Agile development, <br />
<br />
====Abstract ====<br />
It takes much more than a good developer to build secure software within an organisation. Indeed, building secure software is about ensuring that security is taken into consideration during the entire software lifecycle. It is about ensuring that security best practices are being employed efficiently, and that uncovered risks are appropriately dealt with in due time.<br />
<br />
During this one-day training, we will introduce and discuss different secure development approaches and models. We will look into waterfall vs. agile development and discuss different strategies to successfully run an SDLC program. Finally, we will also put theorie into practice and take your organisation to perform a mini SDLC assessment and improvement exercise.<br />
<br />
====Bio====<br />
Bart is an application security consultant and enthousiast and is spending considerable time on secure development projects. Bart is board member of the Belgian OWASP Chapter and is co-project leader of OWASP SAMM.<br />
<br />
<br />
<!-- Fifth tab --><br />
<br />
= Conferenceday =<br />
=== Conferenceday is November 24th ===<br />
<br />
<br />
== Agenda ==<br />
{| class="wikitable"<br />
! width="120pt" | Time<br />
! width="190pt" | Speaker <br />
! width="400pt" | Topic<br />
<!-- ! width="100pt" | Slides --><br />
|- <br />
| 08h30 - 09h00<br />
| colspan="3" style="text-align: center; background: grey; color: white" | ''Registration''<br />
|- <br />
| 09h00 - 09h15<br />
| colspan="3" style="text-align: center; background: grey; color: white" | ''Opening''<br />
|- <br />
| 09h15 - 10h00 || [[OWASP_BeNeLux-Day_2017#Attribute Based Access Control. Why, what, how? by Jacoba Sieders | Jacoba Sieders]]<br />
|| [[OWASP_BeNeLux-Day_2017#Attribute Based Access Control. Why, what, how? by Jacoba Sieders | Attribute Based Access Control. Why, what, how?]] <br />
<!-- || [link_to_presentation Download] --><br />
|-<br />
| 10h00 - 10h45 || [[OWASP_BeNeLux-Day_2017#How to spend $3.6mil on one coding mistake, and other fun stuff you can do with $3.6mil by Matia Madou | Matias Madou]]<br />
|| [[OWASP_BeNeLux-Day_2017#How to spend $3.6mil on one coding mistake, and other fun stuff you can do with $3.6mil by Matia Madou | How to spend $3.6mil on one coding mistake, and other fun stuff you can do with $3.6mil]]<br />
<!-- || [link_to_presentation Download] --><br />
|-<br />
| 10h45 - 11h15 <br />
| colspan="3" style="text-align: center;background: grey; color: white" | ''Morning Break'' <br />
|-<br />
| 11h15 - 12h00 || [[OWASP_BeNeLux-Day_2017#The evil friend in your browser by Achim D. Brucker | Achim D. Brucker]]<br />
|| [[OWASP_BeNeLux-Day_2017#The evil friend in your browser by Achim D. Brucker | The evil friend in your browser]]<br />
<!-- || [link_to_presentation Download] --><br />
|-<br />
| 12h00 - 12h45 || [[OWASP_BeNeLux-Day_2017#Exploring the ecosystem of malicious domain registrations in the .eu TLD by Lieven Desmet | Lieven Desmet]]<br />
|| [[OWASP_BeNeLux-Day_2017#Exploring the ecosystem of malicious domain registrations in the .eu TLD by Lieven Desmet | Exploring the ecosystem of malicious domain registrations in the .eu TLD]]<br />
<!-- || [link_to_presentation Download] --><br />
|-<br />
| 12h45 - 13h45<br />
| colspan="3" style="text-align: center;background: grey; color: white" | ''Lunch'' <br />
|-<br />
| 13h45 - 14h30 || [[OWASP_BeNeLux-Day_2017#Don't trust the DOM: Bypassing XSS mitigations via script gadgets by Sebastian Lekies | Sebastian Lekies]]<br />
|| [[OWASP_BeNeLux-Day_2017#Don't trust the DOM: Bypassing XSS mitigations via script gadgets by Sebastian Lekies | Don't trust the DOM: Bypassing XSS mitigations via script gadgets]]<br />
<!-- || [link_to_presentation Download] --><br />
|-<br />
| 14h30 - 15h15 || [[OWASP_BeNeLux-Day_2017#A Series of Unfortunate Events: Where Malware Meets Murphy by Mattijs van Ommeren | Mattijs van Ommeren]]<br />
|| [[OWASP_BeNeLux-Day_2017#A Series of Unfortunate Events: Where Malware Meets Murphy by Mattijs van Ommeren | A Series of Unfortunate Events: Where Malware Meets Murphy]]<br />
<!-- || [link_to_presentation Download] --><br />
|-<br />
| 15h15 - 15h45<br />
| colspan="3" style="text-align: center;background: grey; color: white" | ''Break'' <br />
|-<br />
| 15h45 - 16h30 || [[OWASP_BeNeLux-Day_2017#Common REST API security pitfalls by Philippe De Ryck | Philippe De Ryck]]<br />
|| [[OWASP_BeNeLux-Day_2017#Common REST API security pitfalls by Philippe De Ryck | Common REST API security pitfalls]]<br />
<!-- || [link_to_presentation Download] --><br />
|-<br />
| 16h30 - 17h15 || [[OWASP_BeNeLux-Day_2017#Creating An AppSec Pipeline With Containers In A Week How We Failed And Succeeded by Jeroen Willemsen | Jeroen Willemsen]]<br />
|| [[OWASP_BeNeLux-Day_2017#Creating An AppSec Pipeline With Containers In A Week How We Failed And Succeeded by Jeroen Willemsen | Creating An AppSec Pipeline With Containers In A Week How We Failed And Succeeded]]<br />
<!-- || [link_to_presentation Download] --><br />
|-<br />
| 17h15 - 17h30<br />
| colspan="3" style="text-align: center;background: grey; color: white" | ''Closing'' <br />
|}<br />
<br />
<div id="TBD"></div><br />
<br />
== Talks == <br />
<br />
===Attribute Based Access Control. Why, what, how? by Jacoba Sieders===<br />
====Abstract====<br />
Digitization is rapidly transforming the traditional world and regulation on security and data protection is gaining weight. Digital identity, but also data protection become crucial capabilities for businesses. What are the trends in IAM and what role can Attribute Based Access Control (ABAC) play here? ABNAMRO started implementing ABAC in 2014. What were the approach and the lessons learnt?<br />
====Bio====<br />
Jacoba Sieders, Head of Digital Identity- & Access, ABNAMRO Bank.<br /><br />
Jacoba is an all-round Digital Identity and Information Security expert with 17 years of experience in the international finance industry, in technology, governance, consultancy, and implementation. She is accountable for digital identity services and access control for customers, employees and partners to the bank’s data and infrastructure. <br />
Major topics on her agenda today are ABAC, data centric security, API-banking and PSDII requirements, the interaction of IAM tools with the rest of the bank’s cybersecurity landscape, and the new authentication concept for which ABNAMRO is acquiring a patent. Her special interests are legal requirements impacting identity, e.g. Generic Data Protection Regulation, the EU e-IDAS scheme, KYC and AML legislation. <br />
Jacoba is a member of the Advisory Board of the independent European think-tank ID Next and is regularly speaking on the topic of IAM. She holds a master degree in Classics from Leiden University (Greek, Latin, Hebrew). <br />
<br />
<br />
===How to spend $3.6mil on one coding mistake, and other fun stuff you can do with $3.6mil by Matia Madou===<br />
====Abstract====<br />
In a recent global study, the average cost of a data breach is $3.62M globally. This session will discuss infamous examples of data breaches that has made headlines around the world. We will explore the technical details of the vulnerability itself and what a coding solution may have been to prevent the breach. We will also dive deeper on exploring different solutions, processes and techniques you can apply in your day-to-day to prevent application security vulnerabilities in your code.<br />
====Bio====<br />
Matias Madou is a Co-Founder and CTO of Secure Code Warrior where he is responsible for leading the company’s technology vision and overseeing the engineering team. Matias has more than 15 years of hands-on software security experience and has developed solution for companies such as HP Fortify, and founded a company called Sensei Security. Matias has led multiple application security research projects which have led to commercial products and boasts over 10 patents under his belt. When he is away from his desk, Matias has served as an instructor for advanced application security training courses and regularly speaks at global conferences including RSA Conference, Black Hat, DefCon, BSIMM, OWASP AppSec and BruCon. Matias holds a Ph.D. in Computer Engineering from Ghent University.<br />
<br />
<br />
===The evil friend in your browser by Achim D. Brucker===<br />
====Abstract====<br />
On the one hand, browser extensions, e.g., for Chrome, are very useful, as they extend web browsers with additional functionality<br />
(e.g., blocking ads). On the other hand, they are the most dangerous code that runs in your browsers: extension can read and modify both the content displayed in the browser. As they also can communicate with any web-site or web-service, they can report both data and metadata to external parties.<br />
<br />
The current security model for browser extensions seems to be inadequate for expressing the security or privacy needs of browser users. Consequently, browser extensions are a "juice target" for attackers targeting web users.<br />
<br />
We present results of analysing over 60000 browser extensions on how they use the current security model and discuss examples of extensions that are potentially of high risk. Based on the results of our analysis of real world browser extensions as well as our own threat model, we discuss the limitations of the current security model form a user perspective. need of browser users.<br />
<br />
====Bio====<br />
Dr. Achim D. Brucker (www.brucker.uk) is a Senior Lecturer and consultant for software and systems assurance at the Computer Science Department of The University of Sheffield, UK. Until December 2015, he was a Research Expert (Architect), Security Testing Strategist, and Project Lead in the Global Security Team of SAP SE, where he defined the risk-based security testing strategy of SAP that combines static, dynamic, and interactive security testing methods and integrates them deeply into SAP's Secure Software Development Lifecycle. He has experience in rolling out *AST tools to world-wide development organisations.<br />
<br />
===Exploring the ecosystem of malicious domain registrations in the .eu TLD by Lieven Desmet===<br />
====Abstract====<br />
In this talk, we report on an extensive analysis of 14 months of domain registration in the .eu TLD. The purpose is to identify large-scale malicious campaigns. Overall, the dataset of this study contains 824,121 new domain registrations; 2.53% of which have been flagged as malicious by blacklisting services. We explore the ecosystem and modus operandi of elaborate cybercriminal entities that recurrently register large amounts of domains for one-shot, malicious use. Although these malicious domains are short-lived, we establish that at least 80.04% of them can be framed in to 20 larger campaigns with varying duration and intensity. We further report on insights in the operational aspects of this business and observe, amongst other findings, that their processes are only partially automated. <br />
====Bio====<br />
Lieven Desmet is a Senior Research Manager on Secure Software in the imec-DistriNet Research Group at the Katholieke Universiteit Leuven (Belgium), where he outlines and implements the research strategy, coaches junior researchers in application security, and participates in dissemination, valorisation and spin-off activities. Lieven is also involved in OWASP as a board member of the Belgium OWASP Chapter, and part of the organisation team of the OWASP BeNeLux Day.<br />
<br />
===Don't trust the DOM: Bypassing XSS mitigations via script gadgets by Sebastian Lekies===<br />
====Abstract====<br />
Cross-Site Scripting is a constant problem of the Web platform. Over the years many techniques have been introduced to prevent or mitigate XSS. Most of these techniques, thereby, focus on script tags and event handlers. HTML sanitizers, for example, aim at removing potentially dangerous tags and attributes. Another example is the Content Security Policy, which forbids inline event handlers and aims at white listing of legitimate scripts.<br />
<br />
In this talk, we present a novel Web hacking technique that enables an attacker to circumvent most XSS mitigations. In order to do so, the attacker abuses so-called script gadgets. A script gadget Is a legitimate piece of JavaScript in a page that reads elements from the DOM via selectors and processes them in a way that results in script execution. To abuse a script gadget, the attacker injects a benign looking element into the page that matches the gadget's selector. Subsequently, the gadget selects the benign-looking element and executes attacker-controlled scripts. As the initially injected element is benign it passes HTML sanitizers and security policies. The XSS only surfaces when the gadget mistakenly elevates the privileges of the element.<br />
<br />
In this talk, we will demonstrate that these gadgets are present in almost all modern JavaScript libraries, APIs and applications. We will present several case studies and real-world examples that demonstrate that many mitigation techniques are not suited for modern applications. As a result, we argue that the Web should start focusing more on preventive mechanisms instead of mitigations.<br />
====Bio====<br />
Sebastian Lekies is tech leading the Web application security scanning team at Google. Before joining Google, he was part of SAP's Security Research team, where he conducted academic research in the area of client-side Web application security. Sebastian is regularly speaking at academic and non-academic security conferences such as BlackHat US/EU/Asia, DeepSec, OWASP AppSec EU, Usenix Security, CCS, and many more...<br />
<br />
<br />
===A Series of Unfortunate Events: Where Malware Meets Murphy by Mattijs van Ommeren===<br />
====Abstract====<br />
When an end user reports some “strange looking file names”, which, after investigating, you discover include several hundreds of Gigabytes of encrypted data, you of course know you are going to have a bad day. Your AV solution has failed you, your firewall has failed you, and your SIEM has failed you. Basically, every piece of security infrastructure you have put your trust (and money) into has left you out in the cold and you thank <deity of choice> that at least the nightly backup was completed successfully. Spin up the tape drive, and soon you will be back in business, or not…?<br />
<br />
This talk is about failure. Not only about a failing security infrastructure, but also about failure in doing the Right Thing™ as a first responder, about the failure of Operating System tools, failing APIs, and ironically, also the failure of malware (which is unfortunately not as positive as it may sound). The scenario presented comes pretty close to the worst chain of events you can imagine, in an attempt to recover from a ransomware incident.<br />
<br />
Luckily – this story has a happy ending. We will reveal how one can be prepared for when both Count Olaf and Murphy come knocking on your door simultaneously.<br />
====Bio====<br />
Mattijs van Ommeren has been poking hardware and software for 15 years. He has spent most of his working life as a security consultant, attacking and defending both traditional IT environments as well as more esoteric embedded devices and industrial systems. Presently he has a lot of fun at Nixu.<br />
<br />
<br />
===Common REST API security pitfalls by Philippe De Ryck===<br />
====Abstract====<br />
The shift towards a REST API landscape indicates a significant evolution in the way we build applications. The rise of JavaScript and mobile applications have sparked an explosion of easily-accessible REST APIs. But how do you protect access to your API? Which security aspects are no longer relevant? Which security features are an absolutely must-have, and which additional security measures do you need to take into account?<br />
<br />
These are hard questions, as evidenced by the deployment of numerous insecure REST APIs. Attend this session to find out about common API security pitfalls, that often result in compromised user accounts and unauthorized access to your data. We expose the problem that lies at the root of each of these pitfalls, and offer actionable advice to address these security problems. After this session, you will know how to assess the security of your APIs, and the best practices to improve them towards the future.<br />
====Bio====<br />
Philippe De Ryck is a professional speaker and trainer on software security and web security. Since he obtained his PhD at the imec-DistriNet research group (KU Leuven, Belgium), he has been running the group's Web Security Training program, which ensures a sustainable knowledge transfer of the group’s security expertise towards practitioners.<br />
<br />
<br />
===Creating An AppSec Pipeline With Containers In A Week How We Failed And Succeeded by Jeroen Willemsen===<br />
====Abstract====<br />
Join us on our adventure of setting up a appsec pipeline with Docker containers. What did go wrong, how did we succeed? How do you fight false positives and how do you get the best out of the products out there without bothering the development teams too much.<br />
====Bio====<br />
Jeroen Willemsen is a security architect with a passion for mobile and risk management. He loves to work on secure building blocks, security automation pipelines and embedding information security risk management controls in an agile environment. He is dedicated to help developers, product owners and architects to take security seriously in their daily development life (but not too serious of course ;-)).In his spare time he loves to experiment with new technologies and frameworks.”<br />
<br />
<br />
<!-- Sixth tab --><br />
<br />
= Social Event =<br />
<br />
== Social Event,starting at 7PM ==<br />
TBD<br />
<br />
<!-- Seventh tab --><br />
= Sponsor =<br />
<br />
=== Become a sponsor of OWASP BeNeLux ===<br />
<br />
There are 3 combined sponsorship packages (Gold, Silver or Bronze) that cover the BeNeLux chapter meetings 2018 and the BeNeLux OWASP Days 2017 in Tilburg, the Netherlands.<br />
<br />
Download our sponsor brochure TBD and contact [mailto:seba@owasp.org us] for questions or sponsorship confirmation!<br />
<br />
Your sponsorship will be invested directly in the chapter meetings, supporting speaker and catering expenses. <br />
<br />
The sponsorship will also be dedicated to cover the costs of the OWASP 2017 BeNeLux event.<br />
<br />
<!-- Don't remove these two lines! -->__NOTOC__ <br />
<headertabs></headertabs><br />
<br />
<br />
<br />
=== Made possible by our {{#switchtablink:Sponsor|Sponsors}}===<br />
'''Hosted by'''<br />
INSERT INTERPOLIS<br />
<br />
'''Gold:'''<br />
[http://www.vest.nl https://www.owasp.org/images/6/67/Vest.jpg]<br />
[https://secwatch.nl https://www.owasp.org/images/f/ff/Secwatch_logo_small.png]<br />
<br />
'''Silver:'''<br />
[[File:LogoToreon.jpg|250px|link=https://www.toreon.com]] <br />
[http://www.nviso.be https://www.owasp.org/images/5/5e/Nviso_logo_RGB_baseline_200px.png]<br />
[https://www.sig.eu https://www.owasp.org/images/9/99/SIG_LOGO.png]<br />
[https://www.secura.com/ https://www.owasp.org/images/7/78/Secura_logo_small.png]<br />
<br />
'''Bronze:'''<br />
[https://informatiebeveiliging.nl/ https://www.owasp.org/images/9/9a/Logo_Informatiebeveiliging-200.png]<br />
[https://www.netsparker.com/ https://www.owasp.org/images/8/88/200x60_netsparker_logo.png]<br />
<br />
<br />
[[Category:OWASP_AppSec_Conference]] <br />
[[Category:OWASP_BeNeLux_Archives]]</div>Bart De Winhttps://wiki.owasp.org/index.php?title=User:Bart_De_Win&diff=177582User:Bart De Win2014-06-26T06:22:25Z<p>Bart De Win: </p>
<hr />
<div>[[File:Foto Bart De Win.jpg|thumb|Bart De Win]]<br />
<br />
Bart is a security enthousiast with an extensive academic background. He has a master in Computer Science. Afterwards, he has spent over a decade researching and improving techniques for the analysis and development of secure software, among others in the context of his Ph.D. He authored more than 60 articles published in international journals or conferences. He is specialized in methodological and constructive software security techniques, with a specific focus on application security. Because of his background, he has an in-depth knowledge of the state-of-the-art in the area.<br />
<br />
Bart currently works as a security consultant in the domain of application security. He works on a daily basis on application assessments (architecture reviews, pentests, code reviews, ...) and on helping customers improving their software security practices (SDLC).<br />
<br />
Bart is one of the OWASP chapter leaders of the Belgian OWASP chapter. He co-organizes the OWASP BeNeLux events and is a co-leader of the OpenSAMM project.</div>Bart De Winhttps://wiki.owasp.org/index.php?title=User:Bart_De_Win&diff=177581User:Bart De Win2014-06-26T06:21:30Z<p>Bart De Win: </p>
<hr />
<div>[[File:Foto Bart De Win.jpg|thumb|Bart De Win]]<br />
<br />
Bart is a security enthousiast with an extensive academic background. He is a master in Computer Science. Afterwards, he has spent over a decade researching and improving techniques for the analysis and development of secure software, among others in the context of his Ph.D. He authored more than 60 articles published in international journals or conferences. He is specialized in methodological and constructive software security techniques, with a specific focus on application security. Because of his background, he has an in-depth knowledge of the state-of-the-art in the area.<br />
<br />
Bart currently works as a security consultant in the domain of application security. He works on a daily basis on application assessments (architecture reviews, pentests, code reviews, ...) and on helping customers improving their software security practices (SDLC).<br />
<br />
Bart is one of the OWASP chapter leaders of the Belgian OWASP chapter. He co-organizes the OWASP BeNeLux events and is a co-leader of the OpenSAMM project.</div>Bart De Winhttps://wiki.owasp.org/index.php?title=User:Bart_De_Win&diff=177580User:Bart De Win2014-06-26T06:20:23Z<p>Bart De Win: </p>
<hr />
<div>[[File:Foto Bart De Win.jpg|frame|250px|Bart De Win]]<br />
<br />
Bart is a security enthousiast with an extensive academic background. He is a master in Computer Science. Afterwards, he has spent over a decade researching and improving techniques for the analysis and development of secure software, among others in the context of his Ph.D. He authored more than 60 articles published in international journals or conferences. He is specialized in methodological and constructive software security techniques, with a specific focus on application security. Because of his background, he has an in-depth knowledge of the state-of-the-art in the area.<br />
<br />
Bart currently works as a security consultant in the domain of application security. He works on a daily basis on application assessments (architecture reviews, pentests, code reviews, ...) and on helping customers improving their software security practices (SDLC).<br />
<br />
Bart is one of the OWASP chapter leaders of the Belgian OWASP chapter. He co-organizes the OWASP BeNeLux events and is a co-leader of the OpenSAMM project.</div>Bart De Winhttps://wiki.owasp.org/index.php?title=User:Bart_De_Win&diff=177579User:Bart De Win2014-06-26T06:19:21Z<p>Bart De Win: </p>
<hr />
<div>[[File:Foto Bart De Win.jpg|frame|Bart De Win]]<br />
<br />
Bart is a security enthousiast with an extensive academic background. He is a master in Computer Science. Afterwards, he has spent over a decade researching and improving techniques for the analysis and development of secure software, among others in the context of his Ph.D. He authored more than 60 articles published in international journals or conferences. He is specialized in methodological and constructive software security techniques, with a specific focus on application security. Because of his background, he has an in-depth knowledge of the state-of-the-art in the area.<br />
<br />
Bart currently works as a security consultant in the domain of application security. He works on a daily basis on application assessments (architecture reviews, pentests, code reviews, ...) and on helping customers improving their software security practices (SDLC).<br />
<br />
Bart is one of the OWASP chapter leaders of the Belgian OWASP chapter. He co-organizes the OWASP BeNeLux events and is a co-leader of the OpenSAMM project.</div>Bart De Winhttps://wiki.owasp.org/index.php?title=File:Foto_Bart_De_Win.jpg&diff=177578File:Foto Bart De Win.jpg2014-06-26T06:18:10Z<p>Bart De Win: </p>
<hr />
<div></div>Bart De Winhttps://wiki.owasp.org/index.php?title=User:Bart_De_Win&diff=177577User:Bart De Win2014-06-26T06:17:03Z<p>Bart De Win: </p>
<hr />
<div>[[File:Foto Bart De Win.jpg]]<br />
<br />
Bart is a security enthousiast with an extensive academic background. He is a master in Computer Science. Afterwards, he has spent over a decade researching and improving techniques for the analysis and development of secure software, among others in the context of his Ph.D. He authored more than 60 articles published in international journals or conferences. He is specialized in methodological and constructive software security techniques, with a specific focus on application security. Because of his background, he has an in-depth knowledge of the state-of-the-art in the area.<br />
<br />
Bart currently works as a security consultant in the domain of application security. He works on a daily basis on application assessments (architecture reviews, pentests, code reviews, ...) and on helping customers improving their software security practices (SDLC).<br />
<br />
Bart is one of the OWASP chapter leaders of the Belgian OWASP chapter. He co-organizes the OWASP BeNeLux events and is a co-leader of the OpenSAMM project.</div>Bart De Winhttps://wiki.owasp.org/index.php?title=BeNeLux_OWASP_Day_2012&diff=140332BeNeLux OWASP Day 20122012-11-27T21:57:25Z<p>Bart De Win: </p>
<hr />
<div><center>[[Image:owaspbnl12header.jpg]]<br></center><br />
<br><!-- Header --><br />
<br />
<br />
<!-- First tab --><br />
= Welcome =<br />
<br />
=== Welcome to OWASP BeNeLux 2012 ===<br />
<br />
==== News ====<br />
* Advanced O2 training, by Dinis Cruz will start at 10:30 AM!<br />
* Update on the Social Event (places for the brewery visit are limited, and an alternative is offered)<br />
<br><br />
<br />
==== Confirmed trainers for Trainingday ====<br />
{{#switchtablink:Trainingday| <p><br />
* Dan Cornell (Denim group) - SDLC with open source tools<br />
* Dinis Cruz (Security Innovation) - Advanced O2<br />
* Volkert de Buisonjé (Sogeti) - Secure Java Development with ESAPI (Hands-On )<br />
* Martin Knobloch (PervaSec) - Essential Web Appplication Security (OWASP Top 10, Webgoat, WebScarab)<br />
}}<br />
<br><br />
<br />
==== Confirmed speakers Conferenceday ====<br />
{{#switchtablink:Conferenceday| <p><br />
* Dinis Cruz (Security Innovation) - Making Security Invisible by Becoming the Developer’s Best Friends<br><br />
* Rüdiger Bachmann (SAP) - Code review large companies<br><br />
* Lieven Desmet (Distrinet, KU Leuven) - Sandboxing JavaScript<br><br />
* Asia Slowinska (VU Amsterdam) - Body Armor for Binaries<br><br />
* Marc Hullegie and Kees Mastwijk (Vest) - Forensics<br><br />
* Dan Cornell (Denim group) - Streamlining Application Vulnerability Management: Communication Between Development and Security Teams<br><br />
* John Wilander (OWASP Sweden) - Browser security<br><br />
* Erwin Geirnaert (Zion security) - OWASP Top 10 vs Drupal<Br><br />
* Seba Deleersnyder (OWASP) - Update on OWASP<br><br />
}}<br />
<br><br />
<br />
==== The OWASP BeNeLux Program Committee ====<br />
*Bart De Win / Sebastien Deleersnyder/ Lieven Desmet/ David Mathy, OWASP Belgium<br />
*Martin Knobloch / Ferdinand Vroom, OWASP Netherlands<br />
*Jocelyn Aubert / Andre Adelsbach/ Thierry Zoller, OWASP Luxembourg<br />
*Steven van der Baan, OWASP CTF Project<br />
<br><br />
<br />
=== Tweet! ===<br />
Event tag is [http://twitter.com/#search?q=%23owaspbnl12 #owaspbnl12]<br />
<br><br><br />
==== Donate to OWASP BeNeLux ====<br />
<paypal>BeNeLux OWASP Day 2012</paypal><br />
<br />
<!-- Second tab --><br />
= Registration =<br />
<br />
==== OWASP BeNeLux training day and conference are free! ==== <br />
<br />
=== Registration is open: ===<br />
<br />
[http://owaspbenelux2012.eventbrite.com/ http://www.owasp.org/images/7/77/Buttoncreate.png]<br />
<br />
<br><br />
To support the OWASP organisation, consider to become a member, it's only US$50!<br />
<br> <br />
Check out the [[Membership]] page to find out more. <br />
<br><br />
<br />
<br />
<!-- Third tab --><br />
= Venue =<br />
<br />
=== Venue is the iMinds-DistriNet Research Group @ KU Leuven ===<br />
<br />
''Celestijnenlaan, 200A<br><br />
3001 Heverlee<br><br />
Belgium<br>''<br />
<br><br />
<br />
<br>'''Parking & roadmap''':<br />
<br />
There is a public parking close to the conference venue.<br />
<br />
Roadmap and parking: http://distrinet.cs.kuleuven.be/about/route/<br />
<br />
<br />
<br>'''Hotels nearby''': <br> <br />
Board house (close to the venue)<br> http://www.boardhouse.be<br><br />
The lodge (close to the venue)<br> http://www.booking.com/hotel/be/the-lodge-heverlee.en.html<br><br />
Begijnhof Congres Hotel (1 km from the venue)<br> http://www.bchotel.be/<br><br />
La Royale (2 km from the venue)<br> http://www.laroyale.be<br> <br />
Hotel Ibis (2 km from the venue)<br> http://www.accorhotels.com/gb/hotel-1457-ibis-leuven-centrum/index.shtml<br> <br />
Mercure (2 km from the venue) <br> http://www.mercure.com/gb/hotel-7862-hotel-mercure-leuven-center/index.shtml<br> <br />
New Damshire (2 km from the venue)<br> http://www.hotelnewdamshire.be<br> <br />
<br />
<br />
<!-- Fourth tab --><br />
<br />
= Trainingday =<br />
<br />
==== Trainingday, November 29th ====<br />
<br />
==== Location ====<br />
The training room is: <br />
''Celestijnenlaan, 200A, fifth floor<br><br />
3001 Heverlee<br><br />
Belgium<br>''<br />
<br><br />
<br />
(for details, check the {{#switchtablink:Venue|Venue}} tab)<br />
<br />
==== Agenda ==== <br />
{| class="wikitable"<br />
! Time !! Description !! Room 1 !! Room 2 !! Room 3 !! Room 4<br />
|-<br />
| 08h30 - 9h30<br />
| colspan="5" style="text-align: center; background: grey; color: white;" | ''Registration''<br />
|-<br />
| 09h30 - 11h00 || Training<br />
| rowspan="7" style="width:100px;" | [[#DinisCruz|Advanced O2, by Dinis Cruz]]<br />
| rowspan="7" style="width:100px;" | [[#DanCornell|SDLC with Open Source tools, by Dan Cornell]]<br />
| rowspan="7" style="width:100px;" | [[#VolkertDeBuisonje|Secure Java Development with ESAPI (hands-on), by Volkert de Buisonjé]]<br />
| rowspan="7" style="width:100px;" | [[#MartinKnobloch|Essential Web Appplication Security (OWASP Top 10, Webgoat, WebScarab), by Martin Knobloch]]<br />
|-<br />
| 11h00 - 11h30 || ''Coffee Break''<br />
|-<br />
| 11h30 - 13h00 || Training<br />
|-<br />
| 13h00 - 14h00 || ''Lunch''<br />
|-<br />
| 14h00 - 15h30 || Training<br />
|-<br />
| 15h30 - 16h00 || ''Coffee Break''<br />
|-<br />
| 16h00 - 17h30 || Training<br />
|}<br />
<br />
<br />
<br />
<br />
<br />
<br><br />
<br />
<div id="VolkertDeBuisonje"></div><br />
<br />
=== Secure Java Development workshop with ESAPI, by Volkert de Buisonjé (Sogeti) ===<br />
''Workshop:''<br><br />
First, attendees will receive a brief introduction on application awareness. Then they will get acquainted with Webgoat, a "deliberately insecure J2EE web application" designed as a practice tool for secure application development and testing. They will learn how to exploit some vulnerabilities in Webgoat, through for instance Cross-Site Scripting (CSS) and Cross-Site Request Forgery (CSRF) attacks. Finally, the ESAPI library will be introduced and the attendees will learn how to apply ESAPI to fix such vulnerabilities in Webgoat's source code.<br><br />
<br><br />
''Prerequisites for this workshop:''<br><br />
* Reasonable knowledge of and experience with Java development<br />
* A laptop running a recent version of Linux, Mac OS X, or Windows<br />
* The most recent version of VirtualBox (4.x) installed<br />
* At least 2GB of RAM<br />
* At least 2GB of disk space<br />
<br><br />
''Bio:''<br><br />
Volkert de Buisonjé is a senior Java developer at Sogeti. He specializes in, and teaches application security courses, both to coworkers and to customers. Knowledge sharing (in both directions) is his passion. Volkert likes making friends and talking a lot. He never shuns a good discussion, and prefers to bring a high amount of interactivity to his classes. :-)<br><br />
<br><br />
<br><br />
<br />
<div id="DinisCruz"></div><br />
=== Advanced O2, by Dinis Cruz (Security Innovation) ===<br />
''Workshop:''<br><br />
The O2 platform represents a new paradigm for how to perform, document and distribute Web Application security reviews. O2 is designed to Automate Security Consultants Knowledge and Workflows and to Allow non-security experts to access and consume Security Knowledge.<br />
<br><br />
''Bio:''<br><br />
Dinis Cruz is a Security Consultant based in London (UK) and specialized in: ASP.NET/J2EE Application Security, Application Security audits and .NET Security Curriculum Development.<br><br />
For the past years Dinis has focused on the field of Static Source Code analysis, from May 2007 to Dec 2009 he worked as a independent consultant for Ounce Labs (bought by IBM in July 2009) where during active security engagements using Ounce's technology he developed the Open Source codebase which now is the foundation of the OWASP O2 Platform.<br><br />
Dinis is currently focused on making the O2 Platform the industry standard for consuming, instrumenting and data-sharing between the multiple WebAppSec tools, the Security consultants and the final developers. Dinis is a also active trainer on .Net security having written and delivered courses for IOActive, Foundstone, Intense School and KPMG (at multiple locations including BlackHat), and has delivered a number of presentations and keynote speeches at multiple OWASP and Security related conferences.<br><br />
At OWASP, Dinis is the leader of the OWASP O2 Platform project<br><br />
<br><br />
<br><br />
<br />
<div id="MartinKnobloch"></div><br />
<br />
=== Essential Web Appplication Security (OWASP Top 10, Webgoat, WebScarab), by Martin Knobloch (PervaSec) ===<br />
''Abstract:''<br><br />
This workshop is an introduction into (web) application security with hands-on labs, using OWASP documentation and tooling.<br />
You will be introduced into the security mindset, discus the OWASP TopTen 2010 and learn basic skills in how to find vulnerabilities in web applications. All tools and documentation are provided during the training.<br><br />
<b>As this is an hands-on workshop, please bring your own laptop!</b> <br><br />
Course structure:<br />
*Introduction OWASP, OWASP tool and documentation<br />
*Security Testing mindset <br />
*1st Lab: OWASP WebGoat / WebScarab <br />
*OWASP Top Ten 2010<br />
*OWASP Testing Guide <br />
*2nd Lab: OWASP WebGoat / WebScarab <br />
*3rd Lab: OWASP Hackademic / ZAP <br />
*Summary and completion <br />
Prerequisites for this workshop:<br />
*Basic understanding of HTTP and web application testing/development<br />
*An open mind<br />
<br><br />
''Bio:''<br><br />
Martin is an independent security consultant and owner of PervaSec (http://www.pervasec.nl). His main working area is (software) security in general, from awareness to implementation. In his daily work, he is responsible for education in application security matters, advise and implementation of application security measures.<br><br />
At OWASP, Martin is member of the Dutch chapter board and chair of the Global Education Committee and contributes to several projects.<br><br />
Martin is a frequent speaker at conferences, universities and hacker spaces.<br />
<br><br />
<br />
<br />
<div id="DanCornell"></div><br />
<br />
=== Building a Software Security Program On Open Source Tools, by Dan Cornell (Denim Group) ===<br />
''Abstract:''<br><br />
Using the Software Assurance Maturity Model (OpenSAMM) as a framework, this course walks through the major components of a comprehensive software security program and highlights open source and other freely-available tools that can be used to help implement the activities involved in such a program. The focus of the course is on providing hands-on demonstrations of the tools with an emphasis on integrating tool results into the overall software security program. Featured tools include: ESAPI, Microsoft Web Protection Library, FindBugs, FxCop, CAT.NET, Brakeman, Agnitio, Arachini, w3af, ZAProxy, ThreadFix as well as other educational resources from OWASP. Attendees should finish the course with a solid understanding of the various components of a comprehensive software security program as well as hands-on experience with a variety of freely-available tools that they can use to implement portions of these programs.<br><br />
<br><br />
''Outline:''<br><br />
* So You Want To Roll Out A Software Security Program?<br />
* The Software Assurance Maturity Model (OpenSAMM)<br />
* ThreadFix: Overview<br />
* Governance: Strategy and Metrics<br />
** ThreadFix: Reporting<br />
* Governance: Policy and Compliance<br />
* Governance: Education and Guidance<br />
** OWASP Development Guide<br />
** OWASP Cheat Sheets<br />
** OWASP Secure Coding Practices<br />
* Construction: Threat Assessment<br />
* Construction: Security Requirements<br />
* Construction: Secure Architecture<br />
** ESAPI overview<br />
** Microsoft Web Protection Library (Anti-XSS) overview<br />
* Verification: Design Review<br />
** Microsoft Threat Analysis and Modeling Tool<br />
* Verification: Code Review<br />
** FindBugs<br />
** FxCop<br />
** CAT.NET<br />
** Brakeman<br />
** Agnitio<br />
* Verification: Security Testing<br />
** Arachni<br />
** w3af<br />
** ZAProxy<br />
* Deployment: Vulnerability Management<br />
** ThreadFix: Defect Tracker Integration<br />
* Deployment: Environment Hardening<br />
** Microsoft Baseline Security Analyzer (MBSA)<br />
* Deployment: Operational Enablement<br />
** mod_security<br />
<br><br />
''Bio:''<br><br />
Dan Cornell has over fifteen years of experience architecting and developing web-based software systems. He leads Denim Group’s security research team in investigating the application of secure coding and development techniques to improve web-based software development methodologies.<br><br />
Dan was the founding coordinator and chairman for the Java Users Group of San Antonio (JUGSA) and currently serves as the OWASP San Antonio chapter leader, member of the OWASP Global Membership Committee and co-lead of the OWASP Open Review Project. Dan has spoken at such international conferences as RSA, OWASP AppSec USA, and OWASP EU Research in Greece.<br><br />
<br><br />
<br />
<br />
<!-- Fifth tab --><br />
<br />
= Conferenceday =<br />
<br />
==== Conferenceday, November 30th ====<br />
<br />
==== Location ====<br />
The training room is: (TBD) (for details, check the {{#switchtablink:Venue|Venue}} tab)<br />
<br />
==== Agenda ==== <br />
{| class="wikitable"<br />
! width="90pt" | Time<br />
! width="130pt" | Speaker !! Topic<br />
|- <br />
| 09h00 - 10h00<br />
| colspan="2" style="text-align: center; background: grey; color: white" | ''Registration''<br />
|- <br />
| 10h00 - 10h15 || OWASP Benelux Organization || Welcome ([https://www.owasp.org/images/a/ad/OWASP_BeNeLux_Day_2012_-_Organization_welcome.ppt PPT])<br />
|-<br />
| 10h15 - 10h30 || Sebastien Deleersnyder || OWASP update ([https://www.owasp.org/images/d/d7/OWASP-Update-BeNeLux-Day-2012_v1.pptx PPT])<br />
|-<br />
| 10h30 - 11h10 || [[#JohnWilander|John Wilander]] || ''' Secure Web Integration Patterns in the Era of HTML5'''<br>''Abstract:'' Quite a few organizations are finding themselves in a legacy situation with their web applications. Over ten years have passed since the era of dynamic HTML and with the rise of HTML5 and mobile platforms there is now need to gradually move these legacy beasts into a new architecture. Additionally, more and more third party services are offered such as maps, tracking, social media tie-ins, video etc. What are the possible and suitable design patterns for bringing new web, old web, and third party web together? Can we isolate them from each other to secure the new apps from legacy and third party security vulnerabilities? We will dig into the postMessage api, the iframe sandbox directive, CORS, and the same-origin policy while comparing it to the previous generation of integration with jsonp and other hacks.<br />
|-<br />
| 11h10 - 11h50 || [[#LievenDesmet|Lieven Desmet]] || '''Sandboxing Javascript'''<br>''Abstract:'' The inclusion of third-party scripts in web pages is a common practice. A recent study has shown that more than half of the Alexa top 10 000 sites include scripts from more than 5 different origins. However, such script inclusions carry risks, as the included scripts operate with the privileges of the including website.<br><br />
In this talk, we propose JSand, a server-driven but client-side JavaScript sandboxing framework. JSand requires no browser modifications: the sandboxing framework is implemented in JavaScript and is delivered to the browser by the websites that use it. Enforcement is done entirely at the client side: JSand enforces a server-specified policy on included scripts without requiring server-side filtering or rewriting of scripts.<br><br />
Most importantly, JSand is complete: access to all resources is mediated by the sandbox.<br><br />
We describe the design and implementation of JSand, and we show that it is secure, backwards compatible, and that it performs sufficiently well.<br><br />
|-<br />
| 11h50 - 12h30 || [[#ErwinGeirnaert|Erwin Geirnaert]] || '''OWASP Top 10 vs Drupal'''<br>''Abstract:'' Drupal is the most used and well-known open source content management system in the world. Created by Dries Buytaert years ago it has grown with the support of a big community. Drupal 7 is already released and there is an entire ecosystem for Drupal and Drupal web agencies.<br><br />
During this presentation we will discuss the findings of an automated static code analysis of Drupal 6 and Drupal 7 and how Drupal protects against the OWASP Top 10 Application Security Risks. We will explain the security weaknesses that remain when you use Drupal and what you can implement to have a secure cloud server running Drupal.<br><br />
|-<br />
| 12h30 - 13h30<br />
| colspan="2" style="text-align: center;background: grey; color: white" | ''Lunch'' <br />
|-<br />
| 13h30 - 14h10 || [[#AsiaSlowinska|Asia Slowinska]] || '''Body Armor for Binaries'''<br>''Abstract:'' BinArmor is a novel technique to protect existing C binaries from memory corruption attacks on both control data and non-control data. Without access to source code, non-control data attacks cannot be detected with current techniques. Our approach hardens binaries against both kinds of overflow, without requiring the pro- grams’ source or symbol tables. We show that BinArmor is able to stop real attacks—including the recent non- control data attack on Exim. Moreover, we did not in- cur a single false positive in practice. On the downside, the current overhead of BinArmor is high—although no worse than competing technologies like taint analysis that do not catch attacks on non-control data. Specifi- cally, we measured an overhead of 70% for gzip, 16%- 180% for lighttpd, and 190% for the nbench suite.<br />
|-<br />
| 14h10 - 14h50 || [[#MarcHullegieAndKeesMastwijk|Marc Hullegie and Kees Mastwijk]] || '''Forensics'''<br>''Abstract:'' In today’s investigations, forensics has become an important investigative method in fighting and solving (cyber)crimes and irregularities. During the session you will be briefly taken through the landscape of Forensics Basics; the Fraud Triangle and scenario's; What to look for and the appliance of Digital Forensics. What are the Challenges, the required Skills and Expertise and Solutions to these challenges. Specific focus on the Forensics of Web Applications and what you can do the create a more forensic ready system.<br><br />
|-<br />
| 14h50 - 15h30 || [[#DanCornell|Dan Cornell]] || '''Streamlining Application Vulnerability Management: Communication Between Development and Security Teams'''<br>''Abstract:'' Identifying application-level vulnerabilities via scanning, penetration tests and code reviews is only the first step in actually addressing the underlying risk. Managing vulnerabilities for applications is more challenging than dealing with traditional infrastructure-level vulnerabilities because they typically require the coordination of security teams with application development teams. The process also means that security managers need to get time from developers during already-cramped development and release schedules. In addition, fixes require changes to custom application code and application-specific business logic rather than the patches and configuration changes that are often sufficient to address infrastructure-level vulnerabilities. This presentation will illustrate the communication difficulties between security and development teams, and how this usually results in unactionable reports and fewer vulnerabilities remediated. In addition, the presentation will walk through an example workflow of addressing application vulnerabilities as software defects. This will be based on freely-available tools and show specific examples of how vulnerabilities can be grouped together, false positives can be culled out, and vulnerabilities transitioned to software defects, as well as how security managers can monitor and verify progress.<br><br />
|-<br />
| 15h30 - 15h50<br />
| colspan="2" style="text-align: center;background: grey; color: white" | ''Break'' <br />
|-<br />
| 15h50 - 16h30 || [[#RuedigerBachmann|Ruediger Bachmann]] || '''Code review for Large Companies'''<br>''Abstract:''Static source code analysis should be an essential part in the secure software development life cycle (SDLC) to start to minimize the number of potential vulnerabilities already in a very early stage in the software development process.<br><br />
The introduction of static code analysis at a large software manufacturer is a big challenge. In addition to the technical difficulties – based on the sheer number and size of the software projects or the number of different programing languages – there are also non-technical issues like creating new security awareness, trainings to use the provided tools efficiently and integration of analysis processes into the software development and maintenance life cycle.<br><br />
This talk gives an overview of the company-wide introduction of static code analysis at SAP AG.<br />
|-<br />
| 16h30 - 17h10 || [[#DinisCruz|Dinis Cruz]] || '''Making Security Invisible by Becoming the Developer’s Best Friends'''<br>''Abstract:'' Coming soon!<br />
|-<br />
| 17h10 - 17h50 || <br />
* Steven Wierckx<br />
* Luc Beirens<br />
* Jos Dumortier<br />
* Dieter Sarrazyn<br />
* Erwin Geirnaert<br />
* John Wilander<br />
|| '''Panel Discussion about the legal aspects of penetration testing'''<br> ''Abstract:'' In the past couple of years security has become a more visible topic in the media. As a result many companies are asking for security reviews in the form of a penetration test. A lot of entrepreneurs took the opportunity to form teams and/or companies that provide such services. There seems to be a lack of clear (standard) legal documentation to cover these activities both for the penetration tester and the company under review. With this panel discussion we would like to discuss this situation and to see if there is a possibility to have a standard document or framework that can be used as a starting point for companies and professionals to use as a contract. The purpose would be to end up with a (set of) documents similar to the “Testaankoop standard huurcontract”, this is a well-known Belgian contract framework for renting a house where both parties are protected and that is clear to both parties. It can be used without further legal intervention.<br />
|-<br />
| 17h50 - 18h00 || OWASP Benelux 2012 organization || '''Closing Notes'''<br />
|}<br />
<br />
<br><br />
<br><br />
<br />
<div id="AsiaSlowinska"></div><br />
<br />
=== Body Armor for Binaries, by Asia Slowinska (Vrije Universiteit Amsterdam) ===<br />
''Abstract:''<br><br />
BinArmor is a novel technique to protect existing C binaries from memory corruption attacks on both control data and non-control data. Without access to source code, non-control data attacks cannot be detected with current techniques. Our approach hardens binaries against both kinds of overflow, without requiring the pro- grams’ source or symbol tables. We show that BinArmor is able to stop real attacks—including the recent non- control data attack on Exim. Moreover, we did not in- cur a single false positive in practice. On the downside, the current overhead of BinArmor is high—although no worse than competing technologies like taint analysis that do not catch attacks on non-control data. Specifi- cally, we measured an overhead of 70% for gzip, 16%- 180% for lighttpd, and 190% for the nbench suite.<br><br />
<br><br />
''Bio:''<br><br />
I am a postdoctoral researcher in the System and Network Security group at the Vrije Universiteit Amsterdam, under the guidance of Prof. dr. ir. Herbert Bos.<br><br />
I obtained my PhD from the Vrije Universiteit Amsterdam. My dissertation Using information flow tracking to protect legacy binaries was completed under the supervision of Prof. dr. ir. Herbert Bos, while my copromotor was Prof. dr. ir. Henri E. Bal.<br><br />
During my PhD studies, I interned twice with Microsoft Research Cambridge, where I joined the Systems and Performance Group. I also spent few months interning with the Systems and Security Department at Institute for Infocomm Research in Singapore.<br><br />
My research focuses on developing techniques to automatically analyze and reverse engineer complex software that is available only in binary form. Further, I’ve been looking into mechanisms that proactively protect software from malicious activities. Currently, I am involved in a project on Reverse Engineering of binaries, known as Rosetta.<br><br />
<br><br />
<br />
<div id="RuedigerBachmann"></div><br />
=== Code review for Large Companies, by Ruediger Bachmann (SAP) ===<br />
''Abstract:''<br><br />
Static source code analysis should be an essential part in the secure software development life cycle (SDLC) to start to minimize the number of potential vulnerabilities already in a very early stage in the software development process.<br><br />
The introduction of static code analysis at a large software manufacturer is a big challenge. In addition to the technical difficulties – based on the sheer number and size of the software projects or the number of different programing languages – there are also non-technical issues like creating new security awareness, trainings to use the provided tools efficiently and integration of analysis processes into the software development and maintenance life cycle.<br><br />
This talk gives an overview of the company-wide introduction of static code analysis at SAP AG.<br />
<br><br />
''Bio:''<br><br />
After graduating with a degree in mathematics and computer science at the University of Giessen in 1997, Ruediger Bachmann worked at various software companies and IT service providers mainly in software development. Currently he is employed at SAP AG in Germany as a Development Architect in the central code analysis team. There he is focusing on application security and security code scans.<br><br />
<br />
<div id="LievenDesmet"></div><br />
<br />
=== Sandboxing JavaScript, by Lieven Desmet (Research Manager at KU Leuven) ===<br />
''Abstract:''<br><br />
The inclusion of third-party scripts in web pages is a common practice. A recent study has shown that more than half of the Alexa top 10 000 sites include scripts from more than 5 different origins. However, such script inclusions carry risks, as the included scripts operate with the privileges of the including website.<br><br />
In this talk, we propose JSand, a server-driven but client-side JavaScript sandboxing framework. JSand requires no browser modifications: the sandboxing framework is implemented in JavaScript and is delivered to the browser by the websites that use it. Enforcement is done entirely at the client side: JSand enforces a server-specified policy on included scripts without requiring server-side filtering or rewriting of scripts. Most importantly, JSand is complete: access to all resources is mediated by the sandbox.<br><br />
We describe the design and implementation of JSand, and we show that it is secure, backwards compatible, and that it performs sufficiently well.<br><br />
<br><br />
''Bio:''<br><br />
Lieven Desmet is Research Manager on Software Secure at the iMinds-DistriNet Research Group (KU Leuven, Belgium), where he coaches junior researchers in web application security and participates in dissemination and valorization activities. His interests are in security of middleware and web-enabled technologies. Lieven is actively engaged in OWASP and is board member of the OWASP Chapter Belgium.<br><br />
<br><br />
<br><br />
<br />
<div id="ErwinGeirnaert"></div><br />
=== OWASP Top 10 vs Drupal, by Erwin Geirnaert (Zion Security) ===<br />
''Abstract:''<br><br />
Drupal is the most used and well-known open source content management system in the world. Created by Dries Buytaert years ago it has grown with the support of a big community. Drupal 7 is already released and there is an entire ecosystem for Drupal and Drupal web agencies.<br><br />
During this presentation we will discuss the findings of an automated static code analysis of Drupal 6 and Drupal 7 and how Drupal protects against the OWASP Top 10 Application Security Risks. We will explain the security weaknesses that remain when you use Drupal and what you can implement to have a secure cloud server running Drupal.<br><br />
<br><br />
''Bio:''<br><br />
Erwin founded ZION SECURITY in 2005 to help companies to protect against the latest threats, attacks against web applications. ZION SECURITY is nowadays a Belgian market leader in the field of security testing, vulnerability management, penetration testing and banking security. Erwin has more than 10 years of experience in web security, graduating with a Master of Science in Software Development from the University of Ghent. Erwin executes different types of projects for a lot of international software companies, financial institutions, telecom and web agencies. Specialist in executing code reviews in different development languages for critical applications, executing continuous penetration tests of their infrastructure and Internet applications. A specialist in J2EE, PHP, .NET, mobile app and web services security. Erwin architects secure e-business projects for web agencies and software companies. He is a recognized application security expert and speaker at international events like Javapolis, OWASP, Eurostar, LSEC,...<br><br />
<br><br />
<br />
<div id="MarcHullegieAndKeesMastwijk"></div><br />
=== Forensics, by Marc Hullegie and Kees Mastwijk (Vest Information Security) === <br />
''Abstract:''<br><br />
In today’s investigations, forensics has become an important investigative method in fighting and solving (cyber)crimes and irregularities. During the session you will be briefly taken through the landscape of Forensics Basics; the Fraud Triangle and scenario's; What to look for and the appliance of Digital Forensics. What are the Challenges, the required Skills and Expertise and Solutions to these challenges. Specific focus on the Forensics of Web Applications and what you can do the create a more forensic ready system.<br><br />
<br><br />
''Bio:''<br><br />
Marc Hullegie is founder and CEO of Vest Information Security and is widely experienced in the information security business in all types of areas: Security Architecture and Infrastructure, Security Audits and Testing, Security Management, Awareness and Digital Forensics. He presents lectures at (international) conferences and is looking forward to share experiences at the OWASP Benelux days 2012 with you.<br><br />
<br> <br />
''Bio:''<br><br />
Kees Mastwijk is a security consultant working with Vest, acting as Security Auditor, Awareness Program leader and security Manager. He has a long (and ongoing) experience history in Digital Forensic Research.<br><br />
<br><br />
<br />
<div id="JohnWilander"></div><br />
=== Secure Web Integration Patterns in the Era of HTML5, by John Wilander (Svenska Handelbanken) ===<br />
''Abstract:''<br><br />
Quite a few organizations are finding themselves in a legacy situation with their web applications. Over ten years have passed since the era of dynamic HTML and with the rise of HTML5 and mobile platforms there is now need to gradually move these legacy beasts into a new architecture. Additionally, more and more third party services are offered such as maps, tracking, social media tie-ins, video etc. What are the possible and suitable design patterns for bringing new web, old web, and third party web together? Can we isolate them from each other to secure the new apps from legacy and third party security vulnerabilities? We will dig into the postMessage api, the iframe sandbox directive, CORS, and the same-origin policy while comparing it to the previous generation of integration with jsonp and other hacks.<br />
<br><br />
''Bio:''<br><br />
John Wilander is a frontend software developer at Svenska Handelbanken, the second strongest bank in the world according to Bloomberg Markets. He has been researching and working in application security for ten years and is an active leader in OWASP, the Open Web Application Security Project. In 2011 he organized the OWASP Summit Browser Security sessions in Portugal, with participants from the security teams behind Chrome, Firefox, Internet Explorer, Flash, and PayPal. During his years in academia he was elected best computer science teacher twice and nowadays gives 5-10 professional talks per year.<br><br />
<br><br />
<br><br />
<br />
<div id="DanCornell"></div><br />
<br />
=== Streamlining Application Vulnerability Management: Communication Between Development and Security Teams, by Dan Cornell (Denim Group) ===<br />
''Abstract:''<br><br />
Identifying application-level vulnerabilities via scanning, penetration tests and code reviews is only the first step in actually addressing the underlying risk. Managing vulnerabilities for applications is more challenging than dealing with traditional infrastructure-level vulnerabilities because they typically require the coordination of security teams with application development teams. The process also means that security managers need to get time from developers during already-cramped development and release schedules. In addition, fixes require changes to custom application code and application-specific business logic rather than the patches and configuration changes that are often sufficient to address infrastructure-level vulnerabilities. This presentation will illustrate the communication difficulties between security and development teams, and how this usually results in unactionable reports and fewer vulnerabilities remediated. In addition, the presentation will walk through an example workflow of addressing application vulnerabilities as software defects. This will be based on freely-available tools and show specific examples of how vulnerabilities can be grouped together, false positives can be culled out, and vulnerabilities transitioned to software defects, as well as how security managers can monitor and verify progress.<br><br />
<br><br />
''Bio:''<br><br />
''Dan Cornell has over fifteen years of experience architecting and developing web-based software systems. He leads Denim Group’s security research team in investigating the application of secure coding and development techniques to improve web-based software development methodologies.<br><br />
Dan was the founding coordinator and chairman for the Java Users Group of San Antonio (JUGSA) and currently serves as the OWASP San Antonio chapter leader, member of the OWASP Global Membership Committee and co-lead of the OWASP Open Review Project. Dan has spoken at such international conferences as RSA, OWASP AppSec USA, and OWASP EU Research in Greece.''<br><br />
<br><br />
<br><br />
<br />
<div id="DinisCruz"></div><br />
=== Making Security Invisible by Becoming the Developer’s Best Friends, by Dinis Cruz (Security Innovation) ===<br />
''Abstract:''<br><br />
''Coming soon!''<br><br />
<br><br />
''Bio:''<br><br />
Dinis Cruz is a Security Consultant based in London (UK) and specialized in: ASP.NET/J2EE Application Security, Application Security audits and .NET Security Curriculum Development.<br><br />
For the past years Dinis has focused on the field of Static Source Code analysis, from May 2007 to Dec 2009 he worked as a independent consultant for Ounce Labs (bought by IBM in July 2009) where during active security engagements using Ounce's technology he developed the Open Source codebase which now is the foundation of the OWASP O2 Platform.<br><br />
Dinis is currently focused on making the O2 Platform the industry standard for consuming, instrumenting and data-sharing between the multiple WebAppSec tools, the Security consultants and the final developers. Dinis is a also active trainer on .Net security having written and delivered courses for IOActive, Foundstone, Intense School and KPMG (at multiple locations including BlackHat), and has delivered a number of presentations and keynote speeches at multiple OWASP and Security related conferences.<br><br />
At OWASP, Dinis is the leader of the OWASP O2 Platform project<br><br />
<br><br />
<br><br />
<br />
=== Panel discussion about the legal aspects of penetration testing ===<br />
''with Steven Wierckx, Luc Beirens, Jos Dumortier, Dieter Sarrazyn, ...''<br><br><br />
''Abstract:''<br> In the past couple of years security has become a more visible topic in the media. As a result many companies are asking for security reviews in the form of a penetration test. A lot of entrepreneurs took the opportunity to form teams and/or companies that provide such services. There seems to be a lack of clear (standard) legal documentation to cover these activities both for the penetration tester and the company under review. With this panel discussion we would like to discuss this situation and to see if there is a possibility to have a standard document or framework that can be used as a starting point for companies and professionals to use as a contract. The purpose would be to end up with a (set of) documents similar to the “Testaankoop standard huurcontract”, this is a well-known Belgian contract framework for renting a house where both parties are protected and that is clear to both parties. It can be used without further legal intervention.<br><br />
<br><br />
<li>''Bio Steven Wierckx, ps_testware:''<br><br />
Steven Wierckx is currently working as Security Tester for [http://www.pstestware.com/ ps_testware], he specialises in web application security and keeps a security related blog [http://www.ihackforfun.eu/ ihackforfun]. He is also wrting articles and doing technical reviews for PenTest Magazine.<br><br />
<br><br />
<li>''Bio Luc Beirens, FCCU:''<br><br />
Head of Belgian Federal Computer Crime Unit & Chair EU Cybercrime Task Force trying to create partnerships and circumstances for a safer cyberspace.<br><br />
<br><br />
<li>''Bio Jos Dumortier, ICRI:''<br><br />
Jos Dumortier is Professor of ICT Law at the University of Leuven (Belgium) and the Director of the Interdisciplinary Research Centre for ICT and Law (ICRI) (www.icri.be). With his research team he participates in a series of R & D projects in the domain of telemedicine.<br><br />
He is also a member of the Bar of Brussels and partner in “time.lex”, a law firm specialized in information and technology law (www.timelex.eu).<br><br />
He participates in the boards of several national and international scientific and business associations and is a member of various editorial and program committees. <br><br />
He is the editor of the International Encyclopedia of Cyber Law and the author of more than one hundred books and articles on legal issues related to the information society.<br><br />
Jos Dumortier has taken the lead in a large number of European studies and projects in the area of information security, privacy and identity management. He worked on an assignment of the European Commission (DG INFSO) for a study on the legal obstacles for interoperable eHealth in Europe and on several studies for the Flemish government related to the implementation of a regional eHealth platform. He is also a member of the Flemish data protection supervisory authority for the health sector.<br><br />
<br><br />
<li>''Bio Dieter Sarrazyn, PWC:''<br><br />
Dieter is a senior manager and consultant within PwC and a team leader for Risk Management assessment services. His main focus is in performing penetration tests (external as well as internal), performing security audits, creating and evaluating security architectures,and creating and setting up vulnerability management frameworks & tools. He is a Certified Information Systems Security Professional (CISSP), a Certified Intrusion Analyst (GCIA), a Certified Incident Handling Analyst (GCIH), a Certified Intrusion Analyst (GCIA) a GIAC Systems and Network Auditor (GSNA). Dieter is also SANS Local Mentor and SANS Community Teacher<br><br />
<br><br />
<br><br />
<br />
<!-- Sixth tab --><br />
<br />
= Social Event =<br />
<br />
==== Social Event, November 29th ====<br />
<br />
==== <B>Important Update</B> ====<br />
The brewery visit is limit to 60 people. Therefor, the 60 first registered people that indicated interest in the social event have been invited to participate. Any remaining tickets will be offered on Thursday around noon at the registration desk.<br />
<br />
All other people (and the people of the brewery tour after that has finished) are warmly invited to join us in the Downtown Jack, a pub with a number of pool and snooker tables. 5 pool tables have been exclusively reserved for us from 20h00 onwards. You can also have a drink and eat something there if you like.<br />
<br />
The address: Parkstraat 40, 3000 Leuven (see http://www.downtownjack.be/)<br />
<br />
==== <B>Brewery Visit Information</B> ====<br />
The social event will take place at the InBev Brewery in Leuven, where there will be a guided tour and a beer tasting.<br><br />
Unfortunately, the tour is limited to 60 people. Since we have more registered people than places, we will soon announce how we will<br />
proceed.<br><br />
If you decide not to join, please inform the Benelux organisation, other participants will be happy to join.<br><br />
<br><br />
'''The entrance fee for the tour is 10 EUR'''. <br><br />
This amount will have to be paid to the Benelux organisation at the registration desk or upon entry in cash (please use correct notes).<br><br />
<br><br />
Below is the address where the event takes place. You can take your car, bus number 2 or a taxi to reach this.<br> '''The tour starts at 19h30 sharp'''.<br><br />
<br><br />
'''Address:''' <br><br />
Vuurkruisenlaan z/n <br><br />
3000 Leuven<br><br />
<br><br />
'''From the station:'''<br><br />
Take the street 'Diestepoort' (this street is parrallel with the railway behind the building)and walk straight through. You can see the brewery at the end of the street.<br><br />
'''By car:'''<br><br />
From the street diestesteenweg or beckeremieplein head to the railroadbridge. At the crossroad take first right, this is the entrance of the brewery. from the expressway R23 head to the Hotel ''NOVOTEL''. Take the street left from ''NOVOTEL'', this is the ''vuurkruisenlaan''. On your left side you can see the brewery. At the<br />
next crossroad take the first left, this is the entrance of the brewery.<br><br />
<br><br />
'''ENTRANCE BREWERY:'''<br><br />
is also the entrance for the trucks, next to the railroadbridge.<br><br />
We will meet at the entrance at 19h30 where the tour will start.<br><br><br />
<br />
<br />
<!-- Seventh tab --><br />
<br />
= CTF =<br />
<br />
==== Capture the Flag! ====<br />
<br />
* Do you like puzzles? <br />
* Do you like challenges? <br />
* Are you a hacker?<br />
<br />
Whether you are an experienced hacker or new enthusiast you should come to OWASP BeNeLux 2012 and participate in the Capture the Flag event November 30th 2012. <br />
<br />
The OWASP CTF is especially designed to support challengers of all skill levels. The CTF contains multiple challenges in various fields related to application security. As every challenge gains you one point, you can pick and choose which challenge you want to play.<br />
<br />
All you need is a laptop with a wifi card and your favorite (preferably) non-commercial tools. <br />
<br />
So come, show off your skills, learn new tricks and above all have a good time at the CTF event. <br />
<br />
<br />
<!-- Eighth tab --><br />
<br />
= Sponsor =<br />
<br />
==== Become a sponsor of OWASP BeNeLux ====<br />
<br />
==== Donate to OWASP BeNeLux ====<br />
<br />
<paypal>BeNeLux OWASP Day 2012</paypal> <br />
<br />
<br />
==== Promotion ====<br />
''Feel free to use the text below to promote our event!''<br />
<br />
We invite you to our next OWASP event: the '''BeNeLux OWASP Days 2012!'''<br />
<br />
Free your agenda on the 29th and 30th of November, 2012.<br />
<br />
The good news: free! No fee!<br />
<br />
The bad news: there are only 280 seats available (first register, first serve)!<br />
<br />
<br />
<!-- Don't remove these two lines! --><br />
__NOTOC__ <br />
<headertabs/><br />
<br />
<br />
==== Hosted and co-organized by: ====<br />
<br />
[http://distrinet.cs.kuleuven.be https://www.owasp.org/images/4/4a/Logo_distrinet.png]<br />
[http://www.nessos-project.eu/ https://www.owasp.org/images/5/52/Nessos.png]<br />
<br />
==== Made possible by our {{#switchtablink:Sponsor|Sponsors}}====<br />
<br />
==== OWASP Member Sponsor: ====<br />
{{MemberLinks|link=http://www.pwc.com/|logo=PWC_log_resized.png}} <br />
<br />
==== OWASP BeNeLux 2012 Sponsors: ====<br />
[http://www.madisongurkha.nl https://www.owasp.org/images/6/6e/Madison-gurkha-logo.jpg]<br />
[http://www.sogeti.nl https://www.owasp.org/images/9/94/Sogeti_logo.png]<br />
[http://www.vest.nl https://www.owasp.org/images/1/1d/Logo_Vest_BIG_170.gif]<br />
<br><br />
[http://www.iminds.be https://www.owasp.org/images/thumb/a/a1/Iminds-logo.png/200px-Iminds-logo.png]<br />
[http://www.zionsecurity.com https://www.owasp.org/images/e/e6/Zionsecurity.jpg]<br />
[http://on2it.net https://www.owasp.org/images/3/3d/On2it-sponsor.png]<br />
<br><br />
<br />
<br />
[[Category:OWASP_AppSec_Conference]] [[Category:OWASP_BeNeLux_Archives]]</div>Bart De Winhttps://wiki.owasp.org/index.php?title=BeNeLux_OWASP_Day_2012&diff=140331BeNeLux OWASP Day 20122012-11-27T21:57:00Z<p>Bart De Win: </p>
<hr />
<div><center>[[Image:owaspbnl12header.jpg]]<br></center><br />
<br><!-- Header --><br />
<br />
<br />
<!-- First tab --><br />
= Welcome =<br />
<br />
=== Welcome to OWASP BeNeLux 2012 ===<br />
<br />
==== News ====<br />
* Advanced O2 training, by Dinis Cruz will start at 10:30 AM!<br />
* Update on the Social Event (places for the brewery visit are limited, and an alternative is offered)<br />
<br><br />
<br />
==== Confirmed trainers for Trainingday ====<br />
{{#switchtablink:Trainingday| <p><br />
* Dan Cornell (Denim group) - SDLC with open source tools<br />
* Dinis Cruz (Security Innovation) - Advanced O2<br />
* Volkert de Buisonjé (Sogeti) - Secure Java Development with ESAPI (Hands-On )<br />
* Martin Knobloch (PervaSec) - Essential Web Appplication Security (OWASP Top 10, Webgoat, WebScarab)<br />
}}<br />
<br><br />
<br />
==== Confirmed speakers Conferenceday ====<br />
{{#switchtablink:Conferenceday| <p><br />
* Dinis Cruz (Security Innovation) - Making Security Invisible by Becoming the Developer’s Best Friends<br><br />
* Rüdiger Bachmann (SAP) - Code review large companies<br><br />
* Lieven Desmet (Distrinet, KU Leuven) - Sandboxing JavaScript<br><br />
* Asia Slowinska (VU Amsterdam) - Body Armor for Binaries<br><br />
* Marc Hullegie and Kees Mastwijk (Vest) - Forensics<br><br />
* Dan Cornell (Denim group) - Streamlining Application Vulnerability Management: Communication Between Development and Security Teams<br><br />
* John Wilander (OWASP Sweden) - Browser security<br><br />
* Erwin Geirnaert (Zion security) - OWASP Top 10 vs Drupal<Br><br />
* Seba Deleersnyder (OWASP) - Update on OWASP<br><br />
}}<br />
<br><br />
<br />
==== The OWASP BeNeLux Program Committee ====<br />
*Bart De Win / Sebastien Deleersnyder/ Lieven Desmet/ David Mathy, OWASP Belgium<br />
*Martin Knobloch / Ferdinand Vroom, OWASP Netherlands<br />
*Jocelyn Aubert / Andre Adelsbach/ Thierry Zoller, OWASP Luxembourg<br />
*Steven van der Baan, OWASP CTF Project<br />
<br><br />
<br />
=== Tweet! ===<br />
Event tag is [http://twitter.com/#search?q=%23owaspbnl12 #owaspbnl12]<br />
<br><br><br />
==== Donate to OWASP BeNeLux ====<br />
<paypal>BeNeLux OWASP Day 2012</paypal><br />
<br />
<!-- Second tab --><br />
= Registration =<br />
<br />
==== OWASP BeNeLux training day and conference are free! ==== <br />
<br />
=== Registration is open: ===<br />
<br />
[http://owaspbenelux2012.eventbrite.com/ http://www.owasp.org/images/7/77/Buttoncreate.png]<br />
<br />
<br><br />
To support the OWASP organisation, consider to become a member, it's only US$50!<br />
<br> <br />
Check out the [[Membership]] page to find out more. <br />
<br><br />
<br />
<br />
<!-- Third tab --><br />
= Venue =<br />
<br />
=== Venue is the iMinds-DistriNet Research Group @ KU Leuven ===<br />
<br />
''Celestijnenlaan, 200A<br><br />
3001 Heverlee<br><br />
Belgium<br>''<br />
<br><br />
<br />
<br>'''Parking & roadmap''':<br />
<br />
There is a public parking close to the conference venue.<br />
<br />
Roadmap and parking: http://distrinet.cs.kuleuven.be/about/route/<br />
<br />
<br />
<br>'''Hotels nearby''': <br> <br />
Board house (close to the venue)<br> http://www.boardhouse.be<br><br />
The lodge (close to the venue)<br> http://www.booking.com/hotel/be/the-lodge-heverlee.en.html<br><br />
Begijnhof Congres Hotel (1 km from the venue)<br> http://www.bchotel.be/<br><br />
La Royale (2 km from the venue)<br> http://www.laroyale.be<br> <br />
Hotel Ibis (2 km from the venue)<br> http://www.accorhotels.com/gb/hotel-1457-ibis-leuven-centrum/index.shtml<br> <br />
Mercure (2 km from the venue) <br> http://www.mercure.com/gb/hotel-7862-hotel-mercure-leuven-center/index.shtml<br> <br />
New Damshire (2 km from the venue)<br> http://www.hotelnewdamshire.be<br> <br />
<br />
<br />
<!-- Fourth tab --><br />
<br />
= Trainingday =<br />
<br />
==== Trainingday, November 29th ====<br />
<br />
==== Location ====<br />
The training room is: <br />
''Celestijnenlaan, 200A, fifth floor<br><br />
3001 Heverlee<br><br />
Belgium<br>''<br />
<br><br />
<br />
(for details, check the {{#switchtablink:Venue|Venue}} tab)<br />
<br />
==== Agenda ==== <br />
{| class="wikitable"<br />
! Time !! Description !! Room 1 !! Room 2 !! Room 3 !! Room 4<br />
|-<br />
| 08h30 - 9h30<br />
| colspan="5" style="text-align: center; background: grey; color: white;" | ''Registration''<br />
|-<br />
| 09h30 - 11h00 || Training<br />
| rowspan="7" style="width:100px;" | [[#DinisCruz|Advanced O2, by Dinis Cruz]]<br />
| rowspan="7" style="width:100px;" | [[#DanCornell|SDLC with Open Source tools, by Dan Cornell]]<br />
| rowspan="7" style="width:100px;" | [[#VolkertDeBuisonje|Secure Java Development with ESAPI (hands-on), by Volkert de Buisonjé]]<br />
| rowspan="7" style="width:100px;" | [[#MartinKnobloch|Essential Web Appplication Security (OWASP Top 10, Webgoat, WebScarab), by Martin Knobloch]]<br />
|-<br />
| 11h00 - 11h30 || ''Coffee Break''<br />
|-<br />
| 11h30 - 13h00 || Training<br />
|-<br />
| 13h00 - 14h00 || ''Lunch''<br />
|-<br />
| 14h00 - 15h30 || Training<br />
|-<br />
| 15h30 - 16h00 || ''Coffee Break''<br />
|-<br />
| 16h00 - 17h30 || Training<br />
|}<br />
<br />
<br />
<br />
<br />
<br />
<br><br />
<br />
<div id="VolkertDeBuisonje"></div><br />
<br />
=== Secure Java Development workshop with ESAPI, by Volkert de Buisonjé (Sogeti) ===<br />
''Workshop:''<br><br />
First, attendees will receive a brief introduction on application awareness. Then they will get acquainted with Webgoat, a "deliberately insecure J2EE web application" designed as a practice tool for secure application development and testing. They will learn how to exploit some vulnerabilities in Webgoat, through for instance Cross-Site Scripting (CSS) and Cross-Site Request Forgery (CSRF) attacks. Finally, the ESAPI library will be introduced and the attendees will learn how to apply ESAPI to fix such vulnerabilities in Webgoat's source code.<br><br />
<br><br />
''Prerequisites for this workshop:''<br><br />
* Reasonable knowledge of and experience with Java development<br />
* A laptop running a recent version of Linux, Mac OS X, or Windows<br />
* The most recent version of VirtualBox (4.x) installed<br />
* At least 2GB of RAM<br />
* At least 2GB of disk space<br />
<br><br />
''Bio:''<br><br />
Volkert de Buisonjé is a senior Java developer at Sogeti. He specializes in, and teaches application security courses, both to coworkers and to customers. Knowledge sharing (in both directions) is his passion. Volkert likes making friends and talking a lot. He never shuns a good discussion, and prefers to bring a high amount of interactivity to his classes. :-)<br><br />
<br><br />
<br><br />
<br />
<div id="DinisCruz"></div><br />
=== Advanced O2, by Dinis Cruz (Security Innovation) ===<br />
''Workshop:''<br><br />
The O2 platform represents a new paradigm for how to perform, document and distribute Web Application security reviews. O2 is designed to Automate Security Consultants Knowledge and Workflows and to Allow non-security experts to access and consume Security Knowledge.<br />
<br><br />
''Bio:''<br><br />
Dinis Cruz is a Security Consultant based in London (UK) and specialized in: ASP.NET/J2EE Application Security, Application Security audits and .NET Security Curriculum Development.<br><br />
For the past years Dinis has focused on the field of Static Source Code analysis, from May 2007 to Dec 2009 he worked as a independent consultant for Ounce Labs (bought by IBM in July 2009) where during active security engagements using Ounce's technology he developed the Open Source codebase which now is the foundation of the OWASP O2 Platform.<br><br />
Dinis is currently focused on making the O2 Platform the industry standard for consuming, instrumenting and data-sharing between the multiple WebAppSec tools, the Security consultants and the final developers. Dinis is a also active trainer on .Net security having written and delivered courses for IOActive, Foundstone, Intense School and KPMG (at multiple locations including BlackHat), and has delivered a number of presentations and keynote speeches at multiple OWASP and Security related conferences.<br><br />
At OWASP, Dinis is the leader of the OWASP O2 Platform project<br><br />
<br><br />
<br><br />
<br />
<div id="MartinKnobloch"></div><br />
<br />
=== Essential Web Appplication Security (OWASP Top 10, Webgoat, WebScarab), by Martin Knobloch (PervaSec) ===<br />
''Abstract:''<br><br />
This workshop is an introduction into (web) application security with hands-on labs, using OWASP documentation and tooling.<br />
You will be introduced into the security mindset, discus the OWASP TopTen 2010 and learn basic skills in how to find vulnerabilities in web applications. All tools and documentation are provided during the training.<br><br />
<b>As this is an hands-on workshop, please bring your own laptop!</b> <br><br />
Course structure:<br />
*Introduction OWASP, OWASP tool and documentation<br />
*Security Testing mindset <br />
*1st Lab: OWASP WebGoat / WebScarab <br />
*OWASP Top Ten 2010<br />
*OWASP Testing Guide <br />
*2nd Lab: OWASP WebGoat / WebScarab <br />
*3rd Lab: OWASP Hackademic / ZAP <br />
*Summary and completion <br />
Prerequisites for this workshop:<br />
*Basic understanding of HTTP and web application testing/development<br />
*An open mind<br />
<br><br />
''Bio:''<br><br />
Martin is an independent security consultant and owner of PervaSec (http://www.pervasec.nl). His main working area is (software) security in general, from awareness to implementation. In his daily work, he is responsible for education in application security matters, advise and implementation of application security measures.<br><br />
At OWASP, Martin is member of the Dutch chapter board and chair of the Global Education Committee and contributes to several projects.<br><br />
Martin is a frequent speaker at conferences, universities and hacker spaces.<br />
<br><br />
<br />
<br />
<div id="DanCornell"></div><br />
<br />
=== Building a Software Security Program On Open Source Tools, by Dan Cornell (Denim Group) ===<br />
''Abstract:''<br><br />
Using the Software Assurance Maturity Model (OpenSAMM) as a framework, this course walks through the major components of a comprehensive software security program and highlights open source and other freely-available tools that can be used to help implement the activities involved in such a program. The focus of the course is on providing hands-on demonstrations of the tools with an emphasis on integrating tool results into the overall software security program. Featured tools include: ESAPI, Microsoft Web Protection Library, FindBugs, FxCop, CAT.NET, Brakeman, Agnitio, Arachini, w3af, ZAProxy, ThreadFix as well as other educational resources from OWASP. Attendees should finish the course with a solid understanding of the various components of a comprehensive software security program as well as hands-on experience with a variety of freely-available tools that they can use to implement portions of these programs.<br><br />
<br><br />
''Outline:''<br><br />
* So You Want To Roll Out A Software Security Program?<br />
* The Software Assurance Maturity Model (OpenSAMM)<br />
* ThreadFix: Overview<br />
* Governance: Strategy and Metrics<br />
** ThreadFix: Reporting<br />
* Governance: Policy and Compliance<br />
* Governance: Education and Guidance<br />
** OWASP Development Guide<br />
** OWASP Cheat Sheets<br />
** OWASP Secure Coding Practices<br />
* Construction: Threat Assessment<br />
* Construction: Security Requirements<br />
* Construction: Secure Architecture<br />
** ESAPI overview<br />
** Microsoft Web Protection Library (Anti-XSS) overview<br />
* Verification: Design Review<br />
** Microsoft Threat Analysis and Modeling Tool<br />
* Verification: Code Review<br />
** FindBugs<br />
** FxCop<br />
** CAT.NET<br />
** Brakeman<br />
** Agnitio<br />
* Verification: Security Testing<br />
** Arachni<br />
** w3af<br />
** ZAProxy<br />
* Deployment: Vulnerability Management<br />
** ThreadFix: Defect Tracker Integration<br />
* Deployment: Environment Hardening<br />
** Microsoft Baseline Security Analyzer (MBSA)<br />
* Deployment: Operational Enablement<br />
** mod_security<br />
<br><br />
''Bio:''<br><br />
Dan Cornell has over fifteen years of experience architecting and developing web-based software systems. He leads Denim Group’s security research team in investigating the application of secure coding and development techniques to improve web-based software development methodologies.<br><br />
Dan was the founding coordinator and chairman for the Java Users Group of San Antonio (JUGSA) and currently serves as the OWASP San Antonio chapter leader, member of the OWASP Global Membership Committee and co-lead of the OWASP Open Review Project. Dan has spoken at such international conferences as RSA, OWASP AppSec USA, and OWASP EU Research in Greece.<br><br />
<br><br />
<br />
<br />
<!-- Fifth tab --><br />
<br />
= Conferenceday =<br />
<br />
==== Conferenceday, November 30th ====<br />
<br />
==== Location ====<br />
The training room is: (TBD) (for details, check the {{#switchtablink:Venue|Venue}} tab)<br />
<br />
==== Agenda ==== <br />
{| class="wikitable"<br />
! width="90pt" | Time<br />
! width="130pt" | Speaker !! Topic<br />
|- <br />
| 09h00 - 10h00<br />
| colspan="2" style="text-align: center; background: grey; color: white" | ''Registration''<br />
|- <br />
| 10h00 - 10h15 || OWASP Benelux Organization || Welcome ([https://www.owasp.org/images/a/ad/OWASP_BeNeLux_Day_2012_-_Organization_welcome.ppt PPT])<br />
|-<br />
| 10h15 - 10h30 || Sebastien Deleersnyder || OWASP update ([https://www.owasp.org/images/d/d7/OWASP-Update-BeNeLux-Day-2012_v1.pptx PPT])<br />
|-<br />
| 10h30 - 11h10 || [[#JohnWilander|John Wilander]] || ''' Secure Web Integration Patterns in the Era of HTML5'''<br>''Abstract:'' Quite a few organizations are finding themselves in a legacy situation with their web applications. Over ten years have passed since the era of dynamic HTML and with the rise of HTML5 and mobile platforms there is now need to gradually move these legacy beasts into a new architecture. Additionally, more and more third party services are offered such as maps, tracking, social media tie-ins, video etc. What are the possible and suitable design patterns for bringing new web, old web, and third party web together? Can we isolate them from each other to secure the new apps from legacy and third party security vulnerabilities? We will dig into the postMessage api, the iframe sandbox directive, CORS, and the same-origin policy while comparing it to the previous generation of integration with jsonp and other hacks.<br />
|-<br />
| 11h10 - 11h50 || [[#LievenDesmet|Lieven Desmet]] || '''Sandboxing Javascript'''<br>''Abstract:'' The inclusion of third-party scripts in web pages is a common practice. A recent study has shown that more than half of the Alexa top 10 000 sites include scripts from more than 5 different origins. However, such script inclusions carry risks, as the included scripts operate with the privileges of the including website.<br><br />
In this talk, we propose JSand, a server-driven but client-side JavaScript sandboxing framework. JSand requires no browser modifications: the sandboxing framework is implemented in JavaScript and is delivered to the browser by the websites that use it. Enforcement is done entirely at the client side: JSand enforces a server-specified policy on included scripts without requiring server-side filtering or rewriting of scripts.<br><br />
Most importantly, JSand is complete: access to all resources is mediated by the sandbox.<br><br />
We describe the design and implementation of JSand, and we show that it is secure, backwards compatible, and that it performs sufficiently well.<br><br />
|-<br />
| 11h50 - 12h30 || [[#ErwinGeirnaert|Erwin Geirnaert]] || '''OWASP Top 10 vs Drupal'''<br>''Abstract:'' Drupal is the most used and well-known open source content management system in the world. Created by Dries Buytaert years ago it has grown with the support of a big community. Drupal 7 is already released and there is an entire ecosystem for Drupal and Drupal web agencies.<br><br />
During this presentation we will discuss the findings of an automated static code analysis of Drupal 6 and Drupal 7 and how Drupal protects against the OWASP Top 10 Application Security Risks. We will explain the security weaknesses that remain when you use Drupal and what you can implement to have a secure cloud server running Drupal.<br><br />
|-<br />
| 12h30 - 13h30<br />
| colspan="2" style="text-align: center;background: grey; color: white" | ''Lunch'' <br />
|-<br />
| 13h30 - 14h10 || [[#AsiaSlowinska|Asia Slowinska]] || '''Body Armor for Binaries'''<br>''Abstract:'' BinArmor is a novel technique to protect existing C binaries from memory corruption attacks on both control data and non-control data. Without access to source code, non-control data attacks cannot be detected with current techniques. Our approach hardens binaries against both kinds of overflow, without requiring the pro- grams’ source or symbol tables. We show that BinArmor is able to stop real attacks—including the recent non- control data attack on Exim. Moreover, we did not in- cur a single false positive in practice. On the downside, the current overhead of BinArmor is high—although no worse than competing technologies like taint analysis that do not catch attacks on non-control data. Specifi- cally, we measured an overhead of 70% for gzip, 16%- 180% for lighttpd, and 190% for the nbench suite.<br />
|-<br />
| 14h10 - 14h50 || [[#MarcHullegieAndKeesMastwijk|Marc Hullegie and Kees Mastwijk]] || '''Forensics'''<br>''Abstract:'' In today’s investigations, forensics has become an important investigative method in fighting and solving (cyber)crimes and irregularities. During the session you will be briefly taken through the landscape of Forensics Basics; the Fraud Triangle and scenario's; What to look for and the appliance of Digital Forensics. What are the Challenges, the required Skills and Expertise and Solutions to these challenges. Specific focus on the Forensics of Web Applications and what you can do the create a more forensic ready system.<br><br />
|-<br />
| 14h50 - 15h30 || [[#DanCornell|Dan Cornell]] || '''Streamlining Application Vulnerability Management: Communication Between Development and Security Teams'''<br>''Abstract:'' Identifying application-level vulnerabilities via scanning, penetration tests and code reviews is only the first step in actually addressing the underlying risk. Managing vulnerabilities for applications is more challenging than dealing with traditional infrastructure-level vulnerabilities because they typically require the coordination of security teams with application development teams. The process also means that security managers need to get time from developers during already-cramped development and release schedules. In addition, fixes require changes to custom application code and application-specific business logic rather than the patches and configuration changes that are often sufficient to address infrastructure-level vulnerabilities. This presentation will illustrate the communication difficulties between security and development teams, and how this usually results in unactionable reports and fewer vulnerabilities remediated. In addition, the presentation will walk through an example workflow of addressing application vulnerabilities as software defects. This will be based on freely-available tools and show specific examples of how vulnerabilities can be grouped together, false positives can be culled out, and vulnerabilities transitioned to software defects, as well as how security managers can monitor and verify progress.<br><br />
|-<br />
| 15h30 - 15h50<br />
| colspan="2" style="text-align: center;background: grey; color: white" | ''Break'' <br />
|-<br />
| 15h50 - 16h30 || [[#RuedigerBachmann|Ruediger Bachmann]] || '''Code review for Large Companies'''<br>''Abstract:''Static source code analysis should be an essential part in the secure software development life cycle (SDLC) to start to minimize the number of potential vulnerabilities already in a very early stage in the software development process.<br><br />
The introduction of static code analysis at a large software manufacturer is a big challenge. In addition to the technical difficulties – based on the sheer number and size of the software projects or the number of different programing languages – there are also non-technical issues like creating new security awareness, trainings to use the provided tools efficiently and integration of analysis processes into the software development and maintenance life cycle.<br><br />
This talk gives an overview of the company-wide introduction of static code analysis at SAP AG.<br />
|-<br />
| 16h30 - 17h10 || [[#DinisCruz|Dinis Cruz]] || '''Making Security Invisible by Becoming the Developer’s Best Friends'''<br>''Abstract:'' Coming soon!<br />
|-<br />
| 17h10 - 17h50 || <br />
* Steven Wierckx<br />
* Luc Beirens<br />
* Jos Dumortier<br />
* Dieter Sarrazyn<br />
* Erwin Geirnaert<br />
* John Wilander<br />
|| '''Panel Discussion about the legal aspects of penetration testing'''<br> ''Abstract:'' In the past couple of years security has become a more visible topic in the media. As a result many companies are asking for security reviews in the form of a penetration test. A lot of entrepreneurs took the opportunity to form teams and/or companies that provide such services. There seems to be a lack of clear (standard) legal documentation to cover these activities both for the penetration tester and the company under review. With this panel discussion we would like to discuss this situation and to see if there is a possibility to have a standard document or framework that can be used as a starting point for companies and professionals to use as a contract. The purpose would be to end up with a (set of) documents similar to the “Testaankoop standard huurcontract”, this is a well-known Belgian contract framework for renting a house where both parties are protected and that is clear to both parties. It can be used without further legal intervention.<br />
|-<br />
| 17h50 - 18h00 || OWASP Benelux 2012 organization || '''Closing Notes'''<br />
|}<br />
<br />
<br><br />
<br><br />
<br />
<div id="AsiaSlowinska"></div><br />
<br />
=== Body Armor for Binaries, by Asia Slowinska (Vrije Universiteit Amsterdam) ===<br />
''Abstract:''<br><br />
BinArmor is a novel technique to protect existing C binaries from memory corruption attacks on both control data and non-control data. Without access to source code, non-control data attacks cannot be detected with current techniques. Our approach hardens binaries against both kinds of overflow, without requiring the pro- grams’ source or symbol tables. We show that BinArmor is able to stop real attacks—including the recent non- control data attack on Exim. Moreover, we did not in- cur a single false positive in practice. On the downside, the current overhead of BinArmor is high—although no worse than competing technologies like taint analysis that do not catch attacks on non-control data. Specifi- cally, we measured an overhead of 70% for gzip, 16%- 180% for lighttpd, and 190% for the nbench suite.<br><br />
<br><br />
''Bio:''<br><br />
I am a postdoctoral researcher in the System and Network Security group at the Vrije Universiteit Amsterdam, under the guidance of Prof. dr. ir. Herbert Bos.<br><br />
I obtained my PhD from the Vrije Universiteit Amsterdam. My dissertation Using information flow tracking to protect legacy binaries was completed under the supervision of Prof. dr. ir. Herbert Bos, while my copromotor was Prof. dr. ir. Henri E. Bal.<br><br />
During my PhD studies, I interned twice with Microsoft Research Cambridge, where I joined the Systems and Performance Group. I also spent few months interning with the Systems and Security Department at Institute for Infocomm Research in Singapore.<br><br />
My research focuses on developing techniques to automatically analyze and reverse engineer complex software that is available only in binary form. Further, I’ve been looking into mechanisms that proactively protect software from malicious activities. Currently, I am involved in a project on Reverse Engineering of binaries, known as Rosetta.<br><br />
<br><br />
<br />
<div id="RuedigerBachmann"></div><br />
=== Code review for Large Companies, by Ruediger Bachmann (SAP) ===<br />
''Abstract:''<br><br />
Static source code analysis should be an essential part in the secure software development life cycle (SDLC) to start to minimize the number of potential vulnerabilities already in a very early stage in the software development process.<br><br />
The introduction of static code analysis at a large software manufacturer is a big challenge. In addition to the technical difficulties – based on the sheer number and size of the software projects or the number of different programing languages – there are also non-technical issues like creating new security awareness, trainings to use the provided tools efficiently and integration of analysis processes into the software development and maintenance life cycle.<br><br />
This talk gives an overview of the company-wide introduction of static code analysis at SAP AG.<br />
<br><br />
''Bio:''<br><br />
After graduating with a degree in mathematics and computer science at the University of Giessen in 1997, Ruediger Bachmann worked at various software companies and IT service providers mainly in software development. Currently he is employed at SAP AG in Germany as a Development Architect in the central code analysis team. There he is focusing on application security and security code scans.<br><br />
<br />
<div id="LievenDesmet"></div><br />
<br />
=== Sandboxing JavaScript, by Lieven Desmet (Research Manager at KU Leuven) ===<br />
''Abstract:''<br><br />
The inclusion of third-party scripts in web pages is a common practice. A recent study has shown that more than half of the Alexa top 10 000 sites include scripts from more than 5 different origins. However, such script inclusions carry risks, as the included scripts operate with the privileges of the including website.<br><br />
In this talk, we propose JSand, a server-driven but client-side JavaScript sandboxing framework. JSand requires no browser modifications: the sandboxing framework is implemented in JavaScript and is delivered to the browser by the websites that use it. Enforcement is done entirely at the client side: JSand enforces a server-specified policy on included scripts without requiring server-side filtering or rewriting of scripts. Most importantly, JSand is complete: access to all resources is mediated by the sandbox.<br><br />
We describe the design and implementation of JSand, and we show that it is secure, backwards compatible, and that it performs sufficiently well.<br><br />
<br><br />
''Bio:''<br><br />
Lieven Desmet is Research Manager on Software Secure at the iMinds-DistriNet Research Group (KU Leuven, Belgium), where he coaches junior researchers in web application security and participates in dissemination and valorization activities. His interests are in security of middleware and web-enabled technologies. Lieven is actively engaged in OWASP and is board member of the OWASP Chapter Belgium.<br><br />
<br><br />
<br><br />
<br />
<div id="ErwinGeirnaert"></div><br />
=== OWASP Top 10 vs Drupal, by Erwin Geirnaert (Zion Security) ===<br />
''Abstract:''<br><br />
Drupal is the most used and well-known open source content management system in the world. Created by Dries Buytaert years ago it has grown with the support of a big community. Drupal 7 is already released and there is an entire ecosystem for Drupal and Drupal web agencies.<br><br />
During this presentation we will discuss the findings of an automated static code analysis of Drupal 6 and Drupal 7 and how Drupal protects against the OWASP Top 10 Application Security Risks. We will explain the security weaknesses that remain when you use Drupal and what you can implement to have a secure cloud server running Drupal.<br><br />
<br><br />
''Bio:''<br><br />
Erwin founded ZION SECURITY in 2005 to help companies to protect against the latest threats, attacks against web applications. ZION SECURITY is nowadays a Belgian market leader in the field of security testing, vulnerability management, penetration testing and banking security. Erwin has more than 10 years of experience in web security, graduating with a Master of Science in Software Development from the University of Ghent. Erwin executes different types of projects for a lot of international software companies, financial institutions, telecom and web agencies. Specialist in executing code reviews in different development languages for critical applications, executing continuous penetration tests of their infrastructure and Internet applications. A specialist in J2EE, PHP, .NET, mobile app and web services security. Erwin architects secure e-business projects for web agencies and software companies. He is a recognized application security expert and speaker at international events like Javapolis, OWASP, Eurostar, LSEC,...<br><br />
<br><br />
<br />
<div id="MarcHullegieAndKeesMastwijk"></div><br />
=== Forensics, by Marc Hullegie and Kees Mastwijk (Vest Information Security) === <br />
''Abstract:''<br><br />
In today’s investigations, forensics has become an important investigative method in fighting and solving (cyber)crimes and irregularities. During the session you will be briefly taken through the landscape of Forensics Basics; the Fraud Triangle and scenario's; What to look for and the appliance of Digital Forensics. What are the Challenges, the required Skills and Expertise and Solutions to these challenges. Specific focus on the Forensics of Web Applications and what you can do the create a more forensic ready system.<br><br />
<br><br />
''Bio:''<br><br />
Marc Hullegie is founder and CEO of Vest Information Security and is widely experienced in the information security business in all types of areas: Security Architecture and Infrastructure, Security Audits and Testing, Security Management, Awareness and Digital Forensics. He presents lectures at (international) conferences and is looking forward to share experiences at the OWASP Benelux days 2012 with you.<br><br />
<br> <br />
''Bio:''<br><br />
Kees Mastwijk is a security consultant working with Vest, acting as Security Auditor, Awareness Program leader and security Manager. He has a long (and ongoing) experience history in Digital Forensic Research.<br><br />
<br><br />
<br />
<div id="JohnWilander"></div><br />
=== Secure Web Integration Patterns in the Era of HTML5, by John Wilander (Svenska Handelbanken) ===<br />
''Abstract:''<br><br />
Quite a few organizations are finding themselves in a legacy situation with their web applications. Over ten years have passed since the era of dynamic HTML and with the rise of HTML5 and mobile platforms there is now need to gradually move these legacy beasts into a new architecture. Additionally, more and more third party services are offered such as maps, tracking, social media tie-ins, video etc. What are the possible and suitable design patterns for bringing new web, old web, and third party web together? Can we isolate them from each other to secure the new apps from legacy and third party security vulnerabilities? We will dig into the postMessage api, the iframe sandbox directive, CORS, and the same-origin policy while comparing it to the previous generation of integration with jsonp and other hacks.<br />
<br><br />
''Bio:''<br><br />
John Wilander is a frontend software developer at Svenska Handelbanken, the second strongest bank in the world according to Bloomberg Markets. He has been researching and working in application security for ten years and is an active leader in OWASP, the Open Web Application Security Project. In 2011 he organized the OWASP Summit Browser Security sessions in Portugal, with participants from the security teams behind Chrome, Firefox, Internet Explorer, Flash, and PayPal. During his years in academia he was elected best computer science teacher twice and nowadays gives 5-10 professional talks per year.<br><br />
<br><br />
<br><br />
<br />
<div id="DanCornell"></div><br />
<br />
=== Streamlining Application Vulnerability Management: Communication Between Development and Security Teams, by Dan Cornell (Denim Group) ===<br />
''Abstract:''<br><br />
Identifying application-level vulnerabilities via scanning, penetration tests and code reviews is only the first step in actually addressing the underlying risk. Managing vulnerabilities for applications is more challenging than dealing with traditional infrastructure-level vulnerabilities because they typically require the coordination of security teams with application development teams. The process also means that security managers need to get time from developers during already-cramped development and release schedules. In addition, fixes require changes to custom application code and application-specific business logic rather than the patches and configuration changes that are often sufficient to address infrastructure-level vulnerabilities. This presentation will illustrate the communication difficulties between security and development teams, and how this usually results in unactionable reports and fewer vulnerabilities remediated. In addition, the presentation will walk through an example workflow of addressing application vulnerabilities as software defects. This will be based on freely-available tools and show specific examples of how vulnerabilities can be grouped together, false positives can be culled out, and vulnerabilities transitioned to software defects, as well as how security managers can monitor and verify progress.<br><br />
<br><br />
''Bio:''<br><br />
''Dan Cornell has over fifteen years of experience architecting and developing web-based software systems. He leads Denim Group’s security research team in investigating the application of secure coding and development techniques to improve web-based software development methodologies.<br><br />
Dan was the founding coordinator and chairman for the Java Users Group of San Antonio (JUGSA) and currently serves as the OWASP San Antonio chapter leader, member of the OWASP Global Membership Committee and co-lead of the OWASP Open Review Project. Dan has spoken at such international conferences as RSA, OWASP AppSec USA, and OWASP EU Research in Greece.''<br><br />
<br><br />
<br><br />
<br />
<div id="DinisCruz"></div><br />
=== Making Security Invisible by Becoming the Developer’s Best Friends, by Dinis Cruz (Security Innovation) ===<br />
''Abstract:''<br><br />
''Coming soon!''<br><br />
<br><br />
''Bio:''<br><br />
Dinis Cruz is a Security Consultant based in London (UK) and specialized in: ASP.NET/J2EE Application Security, Application Security audits and .NET Security Curriculum Development.<br><br />
For the past years Dinis has focused on the field of Static Source Code analysis, from May 2007 to Dec 2009 he worked as a independent consultant for Ounce Labs (bought by IBM in July 2009) where during active security engagements using Ounce's technology he developed the Open Source codebase which now is the foundation of the OWASP O2 Platform.<br><br />
Dinis is currently focused on making the O2 Platform the industry standard for consuming, instrumenting and data-sharing between the multiple WebAppSec tools, the Security consultants and the final developers. Dinis is a also active trainer on .Net security having written and delivered courses for IOActive, Foundstone, Intense School and KPMG (at multiple locations including BlackHat), and has delivered a number of presentations and keynote speeches at multiple OWASP and Security related conferences.<br><br />
At OWASP, Dinis is the leader of the OWASP O2 Platform project<br><br />
<br><br />
<br><br />
<br />
=== Panel discussion about the legal aspects of penetration testing ===<br />
''with Steven Wierckx, Luc Beirens, Jos Dumortier, Dieter Sarrazyn, ...''<br><br><br />
''Abstract:''<br> In the past couple of years security has become a more visible topic in the media. As a result many companies are asking for security reviews in the form of a penetration test. A lot of entrepreneurs took the opportunity to form teams and/or companies that provide such services. There seems to be a lack of clear (standard) legal documentation to cover these activities both for the penetration tester and the company under review. With this panel discussion we would like to discuss this situation and to see if there is a possibility to have a standard document or framework that can be used as a starting point for companies and professionals to use as a contract. The purpose would be to end up with a (set of) documents similar to the “Testaankoop standard huurcontract”, this is a well-known Belgian contract framework for renting a house where both parties are protected and that is clear to both parties. It can be used without further legal intervention.<br><br />
<br><br />
<li>''Bio Steven Wierckx, ps_testware:''<br><br />
Steven Wierckx is currently working as Security Tester for [http://www.pstestware.com/ ps_testware], he specialises in web application security and keeps a security related blog [http://www.ihackforfun.eu/ ihackforfun]. He is also wrting articles and doing technical reviews for PenTest Magazine.<br><br />
<br><br />
<li>''Bio Luc Beirens, FCCU:''<br><br />
Head of Belgian Federal Computer Crime Unit & Chair EU Cybercrime Task Force trying to create partnerships and circumstances for a safer cyberspace.<br><br />
<br><br />
<li>''Bio Jos Dumortier, ICRI:''<br><br />
Jos Dumortier is Professor of ICT Law at the University of Leuven (Belgium) and the Director of the Interdisciplinary Research Centre for ICT and Law (ICRI) (www.icri.be). With his research team he participates in a series of R & D projects in the domain of telemedicine.<br><br />
He is also a member of the Bar of Brussels and partner in “time.lex”, a law firm specialized in information and technology law (www.timelex.eu).<br><br />
He participates in the boards of several national and international scientific and business associations and is a member of various editorial and program committees. <br><br />
He is the editor of the International Encyclopedia of Cyber Law and the author of more than one hundred books and articles on legal issues related to the information society.<br><br />
Jos Dumortier has taken the lead in a large number of European studies and projects in the area of information security, privacy and identity management. He worked on an assignment of the European Commission (DG INFSO) for a study on the legal obstacles for interoperable eHealth in Europe and on several studies for the Flemish government related to the implementation of a regional eHealth platform. He is also a member of the Flemish data protection supervisory authority for the health sector.<br><br />
<br><br />
<li>''Bio Dieter Sarrazyn, PWC:''<br><br />
Dieter is a senior manager and consultant within PwC and a team leader for Risk Management assessment services. His main focus is in performing penetration tests (external as well as internal), performing security audits, creating and evaluating security architectures,and creating and setting up vulnerability management frameworks & tools. He is a Certified Information Systems Security Professional (CISSP), a Certified Intrusion Analyst (GCIA), a Certified Incident Handling Analyst (GCIH), a Certified Intrusion Analyst (GCIA) a GIAC Systems and Network Auditor (GSNA). Dieter is also SANS Local Mentor and SANS Community Teacher<br><br />
<br><br />
<br><br />
<br />
<!-- Sixth tab --><br />
<br />
= Social Event =<br />
<br />
==== Social Event, November 29th ====<br />
<br />
==== <B>Important Update</B> ====<br />
The brewery visit is limit to 60 people. Therefor, the 60 first registered people that indicated interest in the social event have been invited to participate. Any remaining tickets will be offered on Thursday around noon at the registration desk.<br />
<br />
All other people (and the people of the brewery tour after that has finished) are warmly invited to join us in the Downtown Jack, a pub with a number of pool and snooker tables. 5 pool tables have been exclusively reserved for us from 20h00 onwards. You can also have a drink and eat something there if you like.<br />
<br />
The address: Parkstraat 40, 3000 Leuven (see http://www.downtownjack.be/)<br />
<br />
== <B>Brewery Visit Information</B> ==<br />
The social event will take place at the InBev Brewery in Leuven, where there will be a guided tour and a beer tasting.<br><br />
Unfortunately, the tour is limited to 60 people. Since we have more registered people than places, we will soon announce how we will<br />
proceed.<br><br />
If you decide not to join, please inform the Benelux organisation, other participants will be happy to join.<br><br />
<br><br />
'''The entrance fee for the tour is 10 EUR'''. <br><br />
This amount will have to be paid to the Benelux organisation at the registration desk or upon entry in cash (please use correct notes).<br><br />
<br><br />
Below is the address where the event takes place. You can take your car, bus number 2 or a taxi to reach this.<br> '''The tour starts at 19h30 sharp'''.<br><br />
<br><br />
'''Address:''' <br><br />
Vuurkruisenlaan z/n <br><br />
3000 Leuven<br><br />
<br><br />
'''From the station:'''<br><br />
Take the street 'Diestepoort' (this street is parrallel with the railway behind the building)and walk straight through. You can see the brewery at the end of the street.<br><br />
'''By car:'''<br><br />
From the street diestesteenweg or beckeremieplein head to the railroadbridge. At the crossroad take first right, this is the entrance of the brewery. from the expressway R23 head to the Hotel ''NOVOTEL''. Take the street left from ''NOVOTEL'', this is the ''vuurkruisenlaan''. On your left side you can see the brewery. At the<br />
next crossroad take the first left, this is the entrance of the brewery.<br><br />
<br><br />
'''ENTRANCE BREWERY:'''<br><br />
is also the entrance for the trucks, next to the railroadbridge.<br><br />
We will meet at the entrance at 19h30 where the tour will start.<br><br><br />
<br />
<br />
<!-- Seventh tab --><br />
<br />
= CTF =<br />
<br />
==== Capture the Flag! ====<br />
<br />
* Do you like puzzles? <br />
* Do you like challenges? <br />
* Are you a hacker?<br />
<br />
Whether you are an experienced hacker or new enthusiast you should come to OWASP BeNeLux 2012 and participate in the Capture the Flag event November 30th 2012. <br />
<br />
The OWASP CTF is especially designed to support challengers of all skill levels. The CTF contains multiple challenges in various fields related to application security. As every challenge gains you one point, you can pick and choose which challenge you want to play.<br />
<br />
All you need is a laptop with a wifi card and your favorite (preferably) non-commercial tools. <br />
<br />
So come, show off your skills, learn new tricks and above all have a good time at the CTF event. <br />
<br />
<br />
<!-- Eighth tab --><br />
<br />
= Sponsor =<br />
<br />
==== Become a sponsor of OWASP BeNeLux ====<br />
<br />
==== Donate to OWASP BeNeLux ====<br />
<br />
<paypal>BeNeLux OWASP Day 2012</paypal> <br />
<br />
<br />
==== Promotion ====<br />
''Feel free to use the text below to promote our event!''<br />
<br />
We invite you to our next OWASP event: the '''BeNeLux OWASP Days 2012!'''<br />
<br />
Free your agenda on the 29th and 30th of November, 2012.<br />
<br />
The good news: free! No fee!<br />
<br />
The bad news: there are only 280 seats available (first register, first serve)!<br />
<br />
<br />
<!-- Don't remove these two lines! --><br />
__NOTOC__ <br />
<headertabs/><br />
<br />
<br />
==== Hosted and co-organized by: ====<br />
<br />
[http://distrinet.cs.kuleuven.be https://www.owasp.org/images/4/4a/Logo_distrinet.png]<br />
[http://www.nessos-project.eu/ https://www.owasp.org/images/5/52/Nessos.png]<br />
<br />
==== Made possible by our {{#switchtablink:Sponsor|Sponsors}}====<br />
<br />
==== OWASP Member Sponsor: ====<br />
{{MemberLinks|link=http://www.pwc.com/|logo=PWC_log_resized.png}} <br />
<br />
==== OWASP BeNeLux 2012 Sponsors: ====<br />
[http://www.madisongurkha.nl https://www.owasp.org/images/6/6e/Madison-gurkha-logo.jpg]<br />
[http://www.sogeti.nl https://www.owasp.org/images/9/94/Sogeti_logo.png]<br />
[http://www.vest.nl https://www.owasp.org/images/1/1d/Logo_Vest_BIG_170.gif]<br />
<br><br />
[http://www.iminds.be https://www.owasp.org/images/thumb/a/a1/Iminds-logo.png/200px-Iminds-logo.png]<br />
[http://www.zionsecurity.com https://www.owasp.org/images/e/e6/Zionsecurity.jpg]<br />
[http://on2it.net https://www.owasp.org/images/3/3d/On2it-sponsor.png]<br />
<br><br />
<br />
<br />
[[Category:OWASP_AppSec_Conference]] [[Category:OWASP_BeNeLux_Archives]]</div>Bart De Winhttps://wiki.owasp.org/index.php?title=BeNeLux_OWASP_Day_2012&diff=140330BeNeLux OWASP Day 20122012-11-27T21:55:24Z<p>Bart De Win: </p>
<hr />
<div><center>[[Image:owaspbnl12header.jpg]]<br></center><br />
<br><!-- Header --><br />
<br />
<br />
<!-- First tab --><br />
= Welcome =<br />
<br />
=== Welcome to OWASP BeNeLux 2012 ===<br />
<br />
==== News ====<br />
* Advanced O2 training, by Dinis Cruz will start at 10:30 AM!<br />
* Update on the Social Event (places for the brewery visit are limited, and an alternative is offered)<br />
<br><br />
<br />
==== Confirmed trainers for Trainingday ====<br />
{{#switchtablink:Trainingday| <p><br />
* Dan Cornell (Denim group) - SDLC with open source tools<br />
* Dinis Cruz (Security Innovation) - Advanced O2<br />
* Volkert de Buisonjé (Sogeti) - Secure Java Development with ESAPI (Hands-On )<br />
* Martin Knobloch (PervaSec) - Essential Web Appplication Security (OWASP Top 10, Webgoat, WebScarab)<br />
}}<br />
<br><br />
<br />
==== Confirmed speakers Conferenceday ====<br />
{{#switchtablink:Conferenceday| <p><br />
* Dinis Cruz (Security Innovation) - Making Security Invisible by Becoming the Developer’s Best Friends<br><br />
* Rüdiger Bachmann (SAP) - Code review large companies<br><br />
* Lieven Desmet (Distrinet, KU Leuven) - Sandboxing JavaScript<br><br />
* Asia Slowinska (VU Amsterdam) - Body Armor for Binaries<br><br />
* Marc Hullegie and Kees Mastwijk (Vest) - Forensics<br><br />
* Dan Cornell (Denim group) - Streamlining Application Vulnerability Management: Communication Between Development and Security Teams<br><br />
* John Wilander (OWASP Sweden) - Browser security<br><br />
* Erwin Geirnaert (Zion security) - OWASP Top 10 vs Drupal<Br><br />
* Seba Deleersnyder (OWASP) - Update on OWASP<br><br />
}}<br />
<br><br />
<br />
==== The OWASP BeNeLux Program Committee ====<br />
*Bart De Win / Sebastien Deleersnyder/ Lieven Desmet/ David Mathy, OWASP Belgium<br />
*Martin Knobloch / Ferdinand Vroom, OWASP Netherlands<br />
*Jocelyn Aubert / Andre Adelsbach/ Thierry Zoller, OWASP Luxembourg<br />
*Steven van der Baan, OWASP CTF Project<br />
<br><br />
<br />
=== Tweet! ===<br />
Event tag is [http://twitter.com/#search?q=%23owaspbnl12 #owaspbnl12]<br />
<br><br><br />
==== Donate to OWASP BeNeLux ====<br />
<paypal>BeNeLux OWASP Day 2012</paypal><br />
<br />
<!-- Second tab --><br />
= Registration =<br />
<br />
==== OWASP BeNeLux training day and conference are free! ==== <br />
<br />
=== Registration is open: ===<br />
<br />
[http://owaspbenelux2012.eventbrite.com/ http://www.owasp.org/images/7/77/Buttoncreate.png]<br />
<br />
<br><br />
To support the OWASP organisation, consider to become a member, it's only US$50!<br />
<br> <br />
Check out the [[Membership]] page to find out more. <br />
<br><br />
<br />
<br />
<!-- Third tab --><br />
= Venue =<br />
<br />
=== Venue is the iMinds-DistriNet Research Group @ KU Leuven ===<br />
<br />
''Celestijnenlaan, 200A<br><br />
3001 Heverlee<br><br />
Belgium<br>''<br />
<br><br />
<br />
<br>'''Parking & roadmap''':<br />
<br />
There is a public parking close to the conference venue.<br />
<br />
Roadmap and parking: http://distrinet.cs.kuleuven.be/about/route/<br />
<br />
<br />
<br>'''Hotels nearby''': <br> <br />
Board house (close to the venue)<br> http://www.boardhouse.be<br><br />
The lodge (close to the venue)<br> http://www.booking.com/hotel/be/the-lodge-heverlee.en.html<br><br />
Begijnhof Congres Hotel (1 km from the venue)<br> http://www.bchotel.be/<br><br />
La Royale (2 km from the venue)<br> http://www.laroyale.be<br> <br />
Hotel Ibis (2 km from the venue)<br> http://www.accorhotels.com/gb/hotel-1457-ibis-leuven-centrum/index.shtml<br> <br />
Mercure (2 km from the venue) <br> http://www.mercure.com/gb/hotel-7862-hotel-mercure-leuven-center/index.shtml<br> <br />
New Damshire (2 km from the venue)<br> http://www.hotelnewdamshire.be<br> <br />
<br />
<br />
<!-- Fourth tab --><br />
<br />
= Trainingday =<br />
<br />
==== Trainingday, November 29th ====<br />
<br />
==== Location ====<br />
The training room is: <br />
''Celestijnenlaan, 200A, fifth floor<br><br />
3001 Heverlee<br><br />
Belgium<br>''<br />
<br><br />
<br />
(for details, check the {{#switchtablink:Venue|Venue}} tab)<br />
<br />
==== Agenda ==== <br />
{| class="wikitable"<br />
! Time !! Description !! Room 1 !! Room 2 !! Room 3 !! Room 4<br />
|-<br />
| 08h30 - 9h30<br />
| colspan="5" style="text-align: center; background: grey; color: white;" | ''Registration''<br />
|-<br />
| 09h30 - 11h00 || Training<br />
| rowspan="7" style="width:100px;" | [[#DinisCruz|Advanced O2, by Dinis Cruz]]<br />
| rowspan="7" style="width:100px;" | [[#DanCornell|SDLC with Open Source tools, by Dan Cornell]]<br />
| rowspan="7" style="width:100px;" | [[#VolkertDeBuisonje|Secure Java Development with ESAPI (hands-on), by Volkert de Buisonjé]]<br />
| rowspan="7" style="width:100px;" | [[#MartinKnobloch|Essential Web Appplication Security (OWASP Top 10, Webgoat, WebScarab), by Martin Knobloch]]<br />
|-<br />
| 11h00 - 11h30 || ''Coffee Break''<br />
|-<br />
| 11h30 - 13h00 || Training<br />
|-<br />
| 13h00 - 14h00 || ''Lunch''<br />
|-<br />
| 14h00 - 15h30 || Training<br />
|-<br />
| 15h30 - 16h00 || ''Coffee Break''<br />
|-<br />
| 16h00 - 17h30 || Training<br />
|}<br />
<br />
<br />
<br />
<br />
<br />
<br><br />
<br />
<div id="VolkertDeBuisonje"></div><br />
<br />
=== Secure Java Development workshop with ESAPI, by Volkert de Buisonjé (Sogeti) ===<br />
''Workshop:''<br><br />
First, attendees will receive a brief introduction on application awareness. Then they will get acquainted with Webgoat, a "deliberately insecure J2EE web application" designed as a practice tool for secure application development and testing. They will learn how to exploit some vulnerabilities in Webgoat, through for instance Cross-Site Scripting (CSS) and Cross-Site Request Forgery (CSRF) attacks. Finally, the ESAPI library will be introduced and the attendees will learn how to apply ESAPI to fix such vulnerabilities in Webgoat's source code.<br><br />
<br><br />
''Prerequisites for this workshop:''<br><br />
* Reasonable knowledge of and experience with Java development<br />
* A laptop running a recent version of Linux, Mac OS X, or Windows<br />
* The most recent version of VirtualBox (4.x) installed<br />
* At least 2GB of RAM<br />
* At least 2GB of disk space<br />
<br><br />
''Bio:''<br><br />
Volkert de Buisonjé is a senior Java developer at Sogeti. He specializes in, and teaches application security courses, both to coworkers and to customers. Knowledge sharing (in both directions) is his passion. Volkert likes making friends and talking a lot. He never shuns a good discussion, and prefers to bring a high amount of interactivity to his classes. :-)<br><br />
<br><br />
<br><br />
<br />
<div id="DinisCruz"></div><br />
=== Advanced O2, by Dinis Cruz (Security Innovation) ===<br />
''Workshop:''<br><br />
The O2 platform represents a new paradigm for how to perform, document and distribute Web Application security reviews. O2 is designed to Automate Security Consultants Knowledge and Workflows and to Allow non-security experts to access and consume Security Knowledge.<br />
<br><br />
''Bio:''<br><br />
Dinis Cruz is a Security Consultant based in London (UK) and specialized in: ASP.NET/J2EE Application Security, Application Security audits and .NET Security Curriculum Development.<br><br />
For the past years Dinis has focused on the field of Static Source Code analysis, from May 2007 to Dec 2009 he worked as a independent consultant for Ounce Labs (bought by IBM in July 2009) where during active security engagements using Ounce's technology he developed the Open Source codebase which now is the foundation of the OWASP O2 Platform.<br><br />
Dinis is currently focused on making the O2 Platform the industry standard for consuming, instrumenting and data-sharing between the multiple WebAppSec tools, the Security consultants and the final developers. Dinis is a also active trainer on .Net security having written and delivered courses for IOActive, Foundstone, Intense School and KPMG (at multiple locations including BlackHat), and has delivered a number of presentations and keynote speeches at multiple OWASP and Security related conferences.<br><br />
At OWASP, Dinis is the leader of the OWASP O2 Platform project<br><br />
<br><br />
<br><br />
<br />
<div id="MartinKnobloch"></div><br />
<br />
=== Essential Web Appplication Security (OWASP Top 10, Webgoat, WebScarab), by Martin Knobloch (PervaSec) ===<br />
''Abstract:''<br><br />
This workshop is an introduction into (web) application security with hands-on labs, using OWASP documentation and tooling.<br />
You will be introduced into the security mindset, discus the OWASP TopTen 2010 and learn basic skills in how to find vulnerabilities in web applications. All tools and documentation are provided during the training.<br><br />
<b>As this is an hands-on workshop, please bring your own laptop!</b> <br><br />
Course structure:<br />
*Introduction OWASP, OWASP tool and documentation<br />
*Security Testing mindset <br />
*1st Lab: OWASP WebGoat / WebScarab <br />
*OWASP Top Ten 2010<br />
*OWASP Testing Guide <br />
*2nd Lab: OWASP WebGoat / WebScarab <br />
*3rd Lab: OWASP Hackademic / ZAP <br />
*Summary and completion <br />
Prerequisites for this workshop:<br />
*Basic understanding of HTTP and web application testing/development<br />
*An open mind<br />
<br><br />
''Bio:''<br><br />
Martin is an independent security consultant and owner of PervaSec (http://www.pervasec.nl). His main working area is (software) security in general, from awareness to implementation. In his daily work, he is responsible for education in application security matters, advise and implementation of application security measures.<br><br />
At OWASP, Martin is member of the Dutch chapter board and chair of the Global Education Committee and contributes to several projects.<br><br />
Martin is a frequent speaker at conferences, universities and hacker spaces.<br />
<br><br />
<br />
<br />
<div id="DanCornell"></div><br />
<br />
=== Building a Software Security Program On Open Source Tools, by Dan Cornell (Denim Group) ===<br />
''Abstract:''<br><br />
Using the Software Assurance Maturity Model (OpenSAMM) as a framework, this course walks through the major components of a comprehensive software security program and highlights open source and other freely-available tools that can be used to help implement the activities involved in such a program. The focus of the course is on providing hands-on demonstrations of the tools with an emphasis on integrating tool results into the overall software security program. Featured tools include: ESAPI, Microsoft Web Protection Library, FindBugs, FxCop, CAT.NET, Brakeman, Agnitio, Arachini, w3af, ZAProxy, ThreadFix as well as other educational resources from OWASP. Attendees should finish the course with a solid understanding of the various components of a comprehensive software security program as well as hands-on experience with a variety of freely-available tools that they can use to implement portions of these programs.<br><br />
<br><br />
''Outline:''<br><br />
* So You Want To Roll Out A Software Security Program?<br />
* The Software Assurance Maturity Model (OpenSAMM)<br />
* ThreadFix: Overview<br />
* Governance: Strategy and Metrics<br />
** ThreadFix: Reporting<br />
* Governance: Policy and Compliance<br />
* Governance: Education and Guidance<br />
** OWASP Development Guide<br />
** OWASP Cheat Sheets<br />
** OWASP Secure Coding Practices<br />
* Construction: Threat Assessment<br />
* Construction: Security Requirements<br />
* Construction: Secure Architecture<br />
** ESAPI overview<br />
** Microsoft Web Protection Library (Anti-XSS) overview<br />
* Verification: Design Review<br />
** Microsoft Threat Analysis and Modeling Tool<br />
* Verification: Code Review<br />
** FindBugs<br />
** FxCop<br />
** CAT.NET<br />
** Brakeman<br />
** Agnitio<br />
* Verification: Security Testing<br />
** Arachni<br />
** w3af<br />
** ZAProxy<br />
* Deployment: Vulnerability Management<br />
** ThreadFix: Defect Tracker Integration<br />
* Deployment: Environment Hardening<br />
** Microsoft Baseline Security Analyzer (MBSA)<br />
* Deployment: Operational Enablement<br />
** mod_security<br />
<br><br />
''Bio:''<br><br />
Dan Cornell has over fifteen years of experience architecting and developing web-based software systems. He leads Denim Group’s security research team in investigating the application of secure coding and development techniques to improve web-based software development methodologies.<br><br />
Dan was the founding coordinator and chairman for the Java Users Group of San Antonio (JUGSA) and currently serves as the OWASP San Antonio chapter leader, member of the OWASP Global Membership Committee and co-lead of the OWASP Open Review Project. Dan has spoken at such international conferences as RSA, OWASP AppSec USA, and OWASP EU Research in Greece.<br><br />
<br><br />
<br />
<br />
<!-- Fifth tab --><br />
<br />
= Conferenceday =<br />
<br />
==== Conferenceday, November 30th ====<br />
<br />
==== Location ====<br />
The training room is: (TBD) (for details, check the {{#switchtablink:Venue|Venue}} tab)<br />
<br />
==== Agenda ==== <br />
{| class="wikitable"<br />
! width="90pt" | Time<br />
! width="130pt" | Speaker !! Topic<br />
|- <br />
| 09h00 - 10h00<br />
| colspan="2" style="text-align: center; background: grey; color: white" | ''Registration''<br />
|- <br />
| 10h00 - 10h15 || OWASP Benelux Organization || Welcome ([https://www.owasp.org/images/a/ad/OWASP_BeNeLux_Day_2012_-_Organization_welcome.ppt PPT])<br />
|-<br />
| 10h15 - 10h30 || Sebastien Deleersnyder || OWASP update ([https://www.owasp.org/images/d/d7/OWASP-Update-BeNeLux-Day-2012_v1.pptx PPT])<br />
|-<br />
| 10h30 - 11h10 || [[#JohnWilander|John Wilander]] || ''' Secure Web Integration Patterns in the Era of HTML5'''<br>''Abstract:'' Quite a few organizations are finding themselves in a legacy situation with their web applications. Over ten years have passed since the era of dynamic HTML and with the rise of HTML5 and mobile platforms there is now need to gradually move these legacy beasts into a new architecture. Additionally, more and more third party services are offered such as maps, tracking, social media tie-ins, video etc. What are the possible and suitable design patterns for bringing new web, old web, and third party web together? Can we isolate them from each other to secure the new apps from legacy and third party security vulnerabilities? We will dig into the postMessage api, the iframe sandbox directive, CORS, and the same-origin policy while comparing it to the previous generation of integration with jsonp and other hacks.<br />
|-<br />
| 11h10 - 11h50 || [[#LievenDesmet|Lieven Desmet]] || '''Sandboxing Javascript'''<br>''Abstract:'' The inclusion of third-party scripts in web pages is a common practice. A recent study has shown that more than half of the Alexa top 10 000 sites include scripts from more than 5 different origins. However, such script inclusions carry risks, as the included scripts operate with the privileges of the including website.<br><br />
In this talk, we propose JSand, a server-driven but client-side JavaScript sandboxing framework. JSand requires no browser modifications: the sandboxing framework is implemented in JavaScript and is delivered to the browser by the websites that use it. Enforcement is done entirely at the client side: JSand enforces a server-specified policy on included scripts without requiring server-side filtering or rewriting of scripts.<br><br />
Most importantly, JSand is complete: access to all resources is mediated by the sandbox.<br><br />
We describe the design and implementation of JSand, and we show that it is secure, backwards compatible, and that it performs sufficiently well.<br><br />
|-<br />
| 11h50 - 12h30 || [[#ErwinGeirnaert|Erwin Geirnaert]] || '''OWASP Top 10 vs Drupal'''<br>''Abstract:'' Drupal is the most used and well-known open source content management system in the world. Created by Dries Buytaert years ago it has grown with the support of a big community. Drupal 7 is already released and there is an entire ecosystem for Drupal and Drupal web agencies.<br><br />
During this presentation we will discuss the findings of an automated static code analysis of Drupal 6 and Drupal 7 and how Drupal protects against the OWASP Top 10 Application Security Risks. We will explain the security weaknesses that remain when you use Drupal and what you can implement to have a secure cloud server running Drupal.<br><br />
|-<br />
| 12h30 - 13h30<br />
| colspan="2" style="text-align: center;background: grey; color: white" | ''Lunch'' <br />
|-<br />
| 13h30 - 14h10 || [[#AsiaSlowinska|Asia Slowinska]] || '''Body Armor for Binaries'''<br>''Abstract:'' BinArmor is a novel technique to protect existing C binaries from memory corruption attacks on both control data and non-control data. Without access to source code, non-control data attacks cannot be detected with current techniques. Our approach hardens binaries against both kinds of overflow, without requiring the pro- grams’ source or symbol tables. We show that BinArmor is able to stop real attacks—including the recent non- control data attack on Exim. Moreover, we did not in- cur a single false positive in practice. On the downside, the current overhead of BinArmor is high—although no worse than competing technologies like taint analysis that do not catch attacks on non-control data. Specifi- cally, we measured an overhead of 70% for gzip, 16%- 180% for lighttpd, and 190% for the nbench suite.<br />
|-<br />
| 14h10 - 14h50 || [[#MarcHullegieAndKeesMastwijk|Marc Hullegie and Kees Mastwijk]] || '''Forensics'''<br>''Abstract:'' In today’s investigations, forensics has become an important investigative method in fighting and solving (cyber)crimes and irregularities. During the session you will be briefly taken through the landscape of Forensics Basics; the Fraud Triangle and scenario's; What to look for and the appliance of Digital Forensics. What are the Challenges, the required Skills and Expertise and Solutions to these challenges. Specific focus on the Forensics of Web Applications and what you can do the create a more forensic ready system.<br><br />
|-<br />
| 14h50 - 15h30 || [[#DanCornell|Dan Cornell]] || '''Streamlining Application Vulnerability Management: Communication Between Development and Security Teams'''<br>''Abstract:'' Identifying application-level vulnerabilities via scanning, penetration tests and code reviews is only the first step in actually addressing the underlying risk. Managing vulnerabilities for applications is more challenging than dealing with traditional infrastructure-level vulnerabilities because they typically require the coordination of security teams with application development teams. The process also means that security managers need to get time from developers during already-cramped development and release schedules. In addition, fixes require changes to custom application code and application-specific business logic rather than the patches and configuration changes that are often sufficient to address infrastructure-level vulnerabilities. This presentation will illustrate the communication difficulties between security and development teams, and how this usually results in unactionable reports and fewer vulnerabilities remediated. In addition, the presentation will walk through an example workflow of addressing application vulnerabilities as software defects. This will be based on freely-available tools and show specific examples of how vulnerabilities can be grouped together, false positives can be culled out, and vulnerabilities transitioned to software defects, as well as how security managers can monitor and verify progress.<br><br />
|-<br />
| 15h30 - 15h50<br />
| colspan="2" style="text-align: center;background: grey; color: white" | ''Break'' <br />
|-<br />
| 15h50 - 16h30 || [[#RuedigerBachmann|Ruediger Bachmann]] || '''Code review for Large Companies'''<br>''Abstract:''Static source code analysis should be an essential part in the secure software development life cycle (SDLC) to start to minimize the number of potential vulnerabilities already in a very early stage in the software development process.<br><br />
The introduction of static code analysis at a large software manufacturer is a big challenge. In addition to the technical difficulties – based on the sheer number and size of the software projects or the number of different programing languages – there are also non-technical issues like creating new security awareness, trainings to use the provided tools efficiently and integration of analysis processes into the software development and maintenance life cycle.<br><br />
This talk gives an overview of the company-wide introduction of static code analysis at SAP AG.<br />
|-<br />
| 16h30 - 17h10 || [[#DinisCruz|Dinis Cruz]] || '''Making Security Invisible by Becoming the Developer’s Best Friends'''<br>''Abstract:'' Coming soon!<br />
|-<br />
| 17h10 - 17h50 || <br />
* Steven Wierckx<br />
* Luc Beirens<br />
* Jos Dumortier<br />
* Dieter Sarrazyn<br />
* Erwin Geirnaert<br />
* John Wilander<br />
|| '''Panel Discussion about the legal aspects of penetration testing'''<br> ''Abstract:'' In the past couple of years security has become a more visible topic in the media. As a result many companies are asking for security reviews in the form of a penetration test. A lot of entrepreneurs took the opportunity to form teams and/or companies that provide such services. There seems to be a lack of clear (standard) legal documentation to cover these activities both for the penetration tester and the company under review. With this panel discussion we would like to discuss this situation and to see if there is a possibility to have a standard document or framework that can be used as a starting point for companies and professionals to use as a contract. The purpose would be to end up with a (set of) documents similar to the “Testaankoop standard huurcontract”, this is a well-known Belgian contract framework for renting a house where both parties are protected and that is clear to both parties. It can be used without further legal intervention.<br />
|-<br />
| 17h50 - 18h00 || OWASP Benelux 2012 organization || '''Closing Notes'''<br />
|}<br />
<br />
<br><br />
<br><br />
<br />
<div id="AsiaSlowinska"></div><br />
<br />
=== Body Armor for Binaries, by Asia Slowinska (Vrije Universiteit Amsterdam) ===<br />
''Abstract:''<br><br />
BinArmor is a novel technique to protect existing C binaries from memory corruption attacks on both control data and non-control data. Without access to source code, non-control data attacks cannot be detected with current techniques. Our approach hardens binaries against both kinds of overflow, without requiring the pro- grams’ source or symbol tables. We show that BinArmor is able to stop real attacks—including the recent non- control data attack on Exim. Moreover, we did not in- cur a single false positive in practice. On the downside, the current overhead of BinArmor is high—although no worse than competing technologies like taint analysis that do not catch attacks on non-control data. Specifi- cally, we measured an overhead of 70% for gzip, 16%- 180% for lighttpd, and 190% for the nbench suite.<br><br />
<br><br />
''Bio:''<br><br />
I am a postdoctoral researcher in the System and Network Security group at the Vrije Universiteit Amsterdam, under the guidance of Prof. dr. ir. Herbert Bos.<br><br />
I obtained my PhD from the Vrije Universiteit Amsterdam. My dissertation Using information flow tracking to protect legacy binaries was completed under the supervision of Prof. dr. ir. Herbert Bos, while my copromotor was Prof. dr. ir. Henri E. Bal.<br><br />
During my PhD studies, I interned twice with Microsoft Research Cambridge, where I joined the Systems and Performance Group. I also spent few months interning with the Systems and Security Department at Institute for Infocomm Research in Singapore.<br><br />
My research focuses on developing techniques to automatically analyze and reverse engineer complex software that is available only in binary form. Further, I’ve been looking into mechanisms that proactively protect software from malicious activities. Currently, I am involved in a project on Reverse Engineering of binaries, known as Rosetta.<br><br />
<br><br />
<br />
<div id="RuedigerBachmann"></div><br />
=== Code review for Large Companies, by Ruediger Bachmann (SAP) ===<br />
''Abstract:''<br><br />
Static source code analysis should be an essential part in the secure software development life cycle (SDLC) to start to minimize the number of potential vulnerabilities already in a very early stage in the software development process.<br><br />
The introduction of static code analysis at a large software manufacturer is a big challenge. In addition to the technical difficulties – based on the sheer number and size of the software projects or the number of different programing languages – there are also non-technical issues like creating new security awareness, trainings to use the provided tools efficiently and integration of analysis processes into the software development and maintenance life cycle.<br><br />
This talk gives an overview of the company-wide introduction of static code analysis at SAP AG.<br />
<br><br />
''Bio:''<br><br />
After graduating with a degree in mathematics and computer science at the University of Giessen in 1997, Ruediger Bachmann worked at various software companies and IT service providers mainly in software development. Currently he is employed at SAP AG in Germany as a Development Architect in the central code analysis team. There he is focusing on application security and security code scans.<br><br />
<br />
<div id="LievenDesmet"></div><br />
<br />
=== Sandboxing JavaScript, by Lieven Desmet (Research Manager at KU Leuven) ===<br />
''Abstract:''<br><br />
The inclusion of third-party scripts in web pages is a common practice. A recent study has shown that more than half of the Alexa top 10 000 sites include scripts from more than 5 different origins. However, such script inclusions carry risks, as the included scripts operate with the privileges of the including website.<br><br />
In this talk, we propose JSand, a server-driven but client-side JavaScript sandboxing framework. JSand requires no browser modifications: the sandboxing framework is implemented in JavaScript and is delivered to the browser by the websites that use it. Enforcement is done entirely at the client side: JSand enforces a server-specified policy on included scripts without requiring server-side filtering or rewriting of scripts. Most importantly, JSand is complete: access to all resources is mediated by the sandbox.<br><br />
We describe the design and implementation of JSand, and we show that it is secure, backwards compatible, and that it performs sufficiently well.<br><br />
<br><br />
''Bio:''<br><br />
Lieven Desmet is Research Manager on Software Secure at the iMinds-DistriNet Research Group (KU Leuven, Belgium), where he coaches junior researchers in web application security and participates in dissemination and valorization activities. His interests are in security of middleware and web-enabled technologies. Lieven is actively engaged in OWASP and is board member of the OWASP Chapter Belgium.<br><br />
<br><br />
<br><br />
<br />
<div id="ErwinGeirnaert"></div><br />
=== OWASP Top 10 vs Drupal, by Erwin Geirnaert (Zion Security) ===<br />
''Abstract:''<br><br />
Drupal is the most used and well-known open source content management system in the world. Created by Dries Buytaert years ago it has grown with the support of a big community. Drupal 7 is already released and there is an entire ecosystem for Drupal and Drupal web agencies.<br><br />
During this presentation we will discuss the findings of an automated static code analysis of Drupal 6 and Drupal 7 and how Drupal protects against the OWASP Top 10 Application Security Risks. We will explain the security weaknesses that remain when you use Drupal and what you can implement to have a secure cloud server running Drupal.<br><br />
<br><br />
''Bio:''<br><br />
Erwin founded ZION SECURITY in 2005 to help companies to protect against the latest threats, attacks against web applications. ZION SECURITY is nowadays a Belgian market leader in the field of security testing, vulnerability management, penetration testing and banking security. Erwin has more than 10 years of experience in web security, graduating with a Master of Science in Software Development from the University of Ghent. Erwin executes different types of projects for a lot of international software companies, financial institutions, telecom and web agencies. Specialist in executing code reviews in different development languages for critical applications, executing continuous penetration tests of their infrastructure and Internet applications. A specialist in J2EE, PHP, .NET, mobile app and web services security. Erwin architects secure e-business projects for web agencies and software companies. He is a recognized application security expert and speaker at international events like Javapolis, OWASP, Eurostar, LSEC,...<br><br />
<br><br />
<br />
<div id="MarcHullegieAndKeesMastwijk"></div><br />
=== Forensics, by Marc Hullegie and Kees Mastwijk (Vest Information Security) === <br />
''Abstract:''<br><br />
In today’s investigations, forensics has become an important investigative method in fighting and solving (cyber)crimes and irregularities. During the session you will be briefly taken through the landscape of Forensics Basics; the Fraud Triangle and scenario's; What to look for and the appliance of Digital Forensics. What are the Challenges, the required Skills and Expertise and Solutions to these challenges. Specific focus on the Forensics of Web Applications and what you can do the create a more forensic ready system.<br><br />
<br><br />
''Bio:''<br><br />
Marc Hullegie is founder and CEO of Vest Information Security and is widely experienced in the information security business in all types of areas: Security Architecture and Infrastructure, Security Audits and Testing, Security Management, Awareness and Digital Forensics. He presents lectures at (international) conferences and is looking forward to share experiences at the OWASP Benelux days 2012 with you.<br><br />
<br> <br />
''Bio:''<br><br />
Kees Mastwijk is a security consultant working with Vest, acting as Security Auditor, Awareness Program leader and security Manager. He has a long (and ongoing) experience history in Digital Forensic Research.<br><br />
<br><br />
<br />
<div id="JohnWilander"></div><br />
=== Secure Web Integration Patterns in the Era of HTML5, by John Wilander (Svenska Handelbanken) ===<br />
''Abstract:''<br><br />
Quite a few organizations are finding themselves in a legacy situation with their web applications. Over ten years have passed since the era of dynamic HTML and with the rise of HTML5 and mobile platforms there is now need to gradually move these legacy beasts into a new architecture. Additionally, more and more third party services are offered such as maps, tracking, social media tie-ins, video etc. What are the possible and suitable design patterns for bringing new web, old web, and third party web together? Can we isolate them from each other to secure the new apps from legacy and third party security vulnerabilities? We will dig into the postMessage api, the iframe sandbox directive, CORS, and the same-origin policy while comparing it to the previous generation of integration with jsonp and other hacks.<br />
<br><br />
''Bio:''<br><br />
John Wilander is a frontend software developer at Svenska Handelbanken, the second strongest bank in the world according to Bloomberg Markets. He has been researching and working in application security for ten years and is an active leader in OWASP, the Open Web Application Security Project. In 2011 he organized the OWASP Summit Browser Security sessions in Portugal, with participants from the security teams behind Chrome, Firefox, Internet Explorer, Flash, and PayPal. During his years in academia he was elected best computer science teacher twice and nowadays gives 5-10 professional talks per year.<br><br />
<br><br />
<br><br />
<br />
<div id="DanCornell"></div><br />
<br />
=== Streamlining Application Vulnerability Management: Communication Between Development and Security Teams, by Dan Cornell (Denim Group) ===<br />
''Abstract:''<br><br />
Identifying application-level vulnerabilities via scanning, penetration tests and code reviews is only the first step in actually addressing the underlying risk. Managing vulnerabilities for applications is more challenging than dealing with traditional infrastructure-level vulnerabilities because they typically require the coordination of security teams with application development teams. The process also means that security managers need to get time from developers during already-cramped development and release schedules. In addition, fixes require changes to custom application code and application-specific business logic rather than the patches and configuration changes that are often sufficient to address infrastructure-level vulnerabilities. This presentation will illustrate the communication difficulties between security and development teams, and how this usually results in unactionable reports and fewer vulnerabilities remediated. In addition, the presentation will walk through an example workflow of addressing application vulnerabilities as software defects. This will be based on freely-available tools and show specific examples of how vulnerabilities can be grouped together, false positives can be culled out, and vulnerabilities transitioned to software defects, as well as how security managers can monitor and verify progress.<br><br />
<br><br />
''Bio:''<br><br />
''Dan Cornell has over fifteen years of experience architecting and developing web-based software systems. He leads Denim Group’s security research team in investigating the application of secure coding and development techniques to improve web-based software development methodologies.<br><br />
Dan was the founding coordinator and chairman for the Java Users Group of San Antonio (JUGSA) and currently serves as the OWASP San Antonio chapter leader, member of the OWASP Global Membership Committee and co-lead of the OWASP Open Review Project. Dan has spoken at such international conferences as RSA, OWASP AppSec USA, and OWASP EU Research in Greece.''<br><br />
<br><br />
<br><br />
<br />
<div id="DinisCruz"></div><br />
=== Making Security Invisible by Becoming the Developer’s Best Friends, by Dinis Cruz (Security Innovation) ===<br />
''Abstract:''<br><br />
''Coming soon!''<br><br />
<br><br />
''Bio:''<br><br />
Dinis Cruz is a Security Consultant based in London (UK) and specialized in: ASP.NET/J2EE Application Security, Application Security audits and .NET Security Curriculum Development.<br><br />
For the past years Dinis has focused on the field of Static Source Code analysis, from May 2007 to Dec 2009 he worked as a independent consultant for Ounce Labs (bought by IBM in July 2009) where during active security engagements using Ounce's technology he developed the Open Source codebase which now is the foundation of the OWASP O2 Platform.<br><br />
Dinis is currently focused on making the O2 Platform the industry standard for consuming, instrumenting and data-sharing between the multiple WebAppSec tools, the Security consultants and the final developers. Dinis is a also active trainer on .Net security having written and delivered courses for IOActive, Foundstone, Intense School and KPMG (at multiple locations including BlackHat), and has delivered a number of presentations and keynote speeches at multiple OWASP and Security related conferences.<br><br />
At OWASP, Dinis is the leader of the OWASP O2 Platform project<br><br />
<br><br />
<br><br />
<br />
=== Panel discussion about the legal aspects of penetration testing ===<br />
''with Steven Wierckx, Luc Beirens, Jos Dumortier, Dieter Sarrazyn, ...''<br><br><br />
''Abstract:''<br> In the past couple of years security has become a more visible topic in the media. As a result many companies are asking for security reviews in the form of a penetration test. A lot of entrepreneurs took the opportunity to form teams and/or companies that provide such services. There seems to be a lack of clear (standard) legal documentation to cover these activities both for the penetration tester and the company under review. With this panel discussion we would like to discuss this situation and to see if there is a possibility to have a standard document or framework that can be used as a starting point for companies and professionals to use as a contract. The purpose would be to end up with a (set of) documents similar to the “Testaankoop standard huurcontract”, this is a well-known Belgian contract framework for renting a house where both parties are protected and that is clear to both parties. It can be used without further legal intervention.<br><br />
<br><br />
<li>''Bio Steven Wierckx, ps_testware:''<br><br />
Steven Wierckx is currently working as Security Tester for [http://www.pstestware.com/ ps_testware], he specialises in web application security and keeps a security related blog [http://www.ihackforfun.eu/ ihackforfun]. He is also wrting articles and doing technical reviews for PenTest Magazine.<br><br />
<br><br />
<li>''Bio Luc Beirens, FCCU:''<br><br />
Head of Belgian Federal Computer Crime Unit & Chair EU Cybercrime Task Force trying to create partnerships and circumstances for a safer cyberspace.<br><br />
<br><br />
<li>''Bio Jos Dumortier, ICRI:''<br><br />
Jos Dumortier is Professor of ICT Law at the University of Leuven (Belgium) and the Director of the Interdisciplinary Research Centre for ICT and Law (ICRI) (www.icri.be). With his research team he participates in a series of R & D projects in the domain of telemedicine.<br><br />
He is also a member of the Bar of Brussels and partner in “time.lex”, a law firm specialized in information and technology law (www.timelex.eu).<br><br />
He participates in the boards of several national and international scientific and business associations and is a member of various editorial and program committees. <br><br />
He is the editor of the International Encyclopedia of Cyber Law and the author of more than one hundred books and articles on legal issues related to the information society.<br><br />
Jos Dumortier has taken the lead in a large number of European studies and projects in the area of information security, privacy and identity management. He worked on an assignment of the European Commission (DG INFSO) for a study on the legal obstacles for interoperable eHealth in Europe and on several studies for the Flemish government related to the implementation of a regional eHealth platform. He is also a member of the Flemish data protection supervisory authority for the health sector.<br><br />
<br><br />
<li>''Bio Dieter Sarrazyn, PWC:''<br><br />
Dieter is a senior manager and consultant within PwC and a team leader for Risk Management assessment services. His main focus is in performing penetration tests (external as well as internal), performing security audits, creating and evaluating security architectures,and creating and setting up vulnerability management frameworks & tools. He is a Certified Information Systems Security Professional (CISSP), a Certified Intrusion Analyst (GCIA), a Certified Incident Handling Analyst (GCIH), a Certified Intrusion Analyst (GCIA) a GIAC Systems and Network Auditor (GSNA). Dieter is also SANS Local Mentor and SANS Community Teacher<br><br />
<br><br />
<br><br />
<br />
<!-- Sixth tab --><br />
<br />
= Social Event =<br />
<br />
==== Social Event, November 29th ====<br />
<br />
== <B>Important Update</B> ==<br />
The brewery visit is limit to 60 people. Therefor, the 60 first registered people that indicated interest in the social event have been invited to participate. Any remaining tickets will be offered on Thursday around noon at the registration desk.<br />
<br />
All other people (and the people of the brewery tour after that has finished) are warmly invited to join us in the Downtown Jack, a pub with a number of pool and snooker tables. 5 pool tables have been exclusively reserved for us from 20h00 onwards. You can also have a drink and eat something there if you like.<br />
<br />
The address: Parkstraat 40, 3000 Leuven (see http://www.downtownjack.be/)<br />
<br />
== <B>Brewery Visit Information</B> ==<br />
The social event will take place at the InBev Brewery in Leuven, where there will be a guided tour and a beer tasting.<br><br />
Unfortunately, the tour is limited to 60 people. Since we have more registered people than places, we will soon announce how we will<br />
proceed.<br><br />
If you decide not to join, please inform the Benelux organisation, other participants will be happy to join.<br><br />
<br><br />
'''The entrance fee for the tour is 10 EUR'''. <br><br />
This amount will have to be paid to the Benelux organisation at the registration desk or upon entry in cash (please use correct notes).<br><br />
<br><br />
Below is the address where the event takes place. You can take your car, bus number 2 or a taxi to reach this.<br> '''The tour starts at 19h30 sharp'''.<br><br />
<br><br />
'''Address:''' <br><br />
Vuurkruisenlaan z/n <br><br />
3000 Leuven<br><br />
<br><br />
'''From the station:'''<br><br />
Take the street 'Diestepoort' (this street is parrallel with the railway behind the building)and walk straight through. You can see the brewery at the end of the street.<br><br />
'''By car:'''<br><br />
From the street diestesteenweg or beckeremieplein head to the railroadbridge. At the crossroad take first right, this is the entrance of the brewery. from the expressway R23 head to the Hotel ''NOVOTEL''. Take the street left from ''NOVOTEL'', this is the ''vuurkruisenlaan''. On your left side you can see the brewery. At the<br />
next crossroad take the first left, this is the entrance of the brewery.<br><br />
<br><br />
'''ENTRANCE BREWERY:'''<br><br />
is also the entrance for the trucks, next to the railroadbridge.<br><br />
We will meet at the entrance at 19h30 where the tour will start.<br><br><br />
<br />
<br />
<!-- Seventh tab --><br />
<br />
= CTF =<br />
<br />
==== Capture the Flag! ====<br />
<br />
* Do you like puzzles? <br />
* Do you like challenges? <br />
* Are you a hacker?<br />
<br />
Whether you are an experienced hacker or new enthusiast you should come to OWASP BeNeLux 2012 and participate in the Capture the Flag event November 30th 2012. <br />
<br />
The OWASP CTF is especially designed to support challengers of all skill levels. The CTF contains multiple challenges in various fields related to application security. As every challenge gains you one point, you can pick and choose which challenge you want to play.<br />
<br />
All you need is a laptop with a wifi card and your favorite (preferably) non-commercial tools. <br />
<br />
So come, show off your skills, learn new tricks and above all have a good time at the CTF event. <br />
<br />
<br />
<!-- Eighth tab --><br />
<br />
= Sponsor =<br />
<br />
==== Become a sponsor of OWASP BeNeLux ====<br />
<br />
==== Donate to OWASP BeNeLux ====<br />
<br />
<paypal>BeNeLux OWASP Day 2012</paypal> <br />
<br />
<br />
==== Promotion ====<br />
''Feel free to use the text below to promote our event!''<br />
<br />
We invite you to our next OWASP event: the '''BeNeLux OWASP Days 2012!'''<br />
<br />
Free your agenda on the 29th and 30th of November, 2012.<br />
<br />
The good news: free! No fee!<br />
<br />
The bad news: there are only 280 seats available (first register, first serve)!<br />
<br />
<br />
<!-- Don't remove these two lines! --><br />
__NOTOC__ <br />
<headertabs/><br />
<br />
<br />
==== Hosted and co-organized by: ====<br />
<br />
[http://distrinet.cs.kuleuven.be https://www.owasp.org/images/4/4a/Logo_distrinet.png]<br />
[http://www.nessos-project.eu/ https://www.owasp.org/images/5/52/Nessos.png]<br />
<br />
==== Made possible by our {{#switchtablink:Sponsor|Sponsors}}====<br />
<br />
==== OWASP Member Sponsor: ====<br />
{{MemberLinks|link=http://www.pwc.com/|logo=PWC_log_resized.png}} <br />
<br />
==== OWASP BeNeLux 2012 Sponsors: ====<br />
[http://www.madisongurkha.nl https://www.owasp.org/images/6/6e/Madison-gurkha-logo.jpg]<br />
[http://www.sogeti.nl https://www.owasp.org/images/9/94/Sogeti_logo.png]<br />
[http://www.vest.nl https://www.owasp.org/images/1/1d/Logo_Vest_BIG_170.gif]<br />
<br><br />
[http://www.iminds.be https://www.owasp.org/images/thumb/a/a1/Iminds-logo.png/200px-Iminds-logo.png]<br />
[http://www.zionsecurity.com https://www.owasp.org/images/e/e6/Zionsecurity.jpg]<br />
[http://on2it.net https://www.owasp.org/images/3/3d/On2it-sponsor.png]<br />
<br><br />
<br />
<br />
[[Category:OWASP_AppSec_Conference]] [[Category:OWASP_BeNeLux_Archives]]</div>Bart De Winhttps://wiki.owasp.org/index.php?title=BeNeLux_OWASP_Day_2012&diff=140329BeNeLux OWASP Day 20122012-11-27T21:54:28Z<p>Bart De Win: </p>
<hr />
<div><center>[[Image:owaspbnl12header.jpg]]<br></center><br />
<br><!-- Header --><br />
<br />
<br />
<!-- First tab --><br />
= Welcome =<br />
<br />
=== Welcome to OWASP BeNeLux 2012 ===<br />
<br />
==== News ====<br />
* Advanced O2 training, by Dinis Cruz will start at 10:30 AM!<br />
* Update on the Social Event (places for the brewery visit are limited, and an alternative is offered)<br />
<br><br />
<br />
==== Confirmed trainers for Trainingday ====<br />
{{#switchtablink:Trainingday| <p><br />
* Dan Cornell (Denim group) - SDLC with open source tools<br />
* Dinis Cruz (Security Innovation) - Advanced O2<br />
* Volkert de Buisonjé (Sogeti) - Secure Java Development with ESAPI (Hands-On )<br />
* Martin Knobloch (PervaSec) - Essential Web Appplication Security (OWASP Top 10, Webgoat, WebScarab)<br />
}}<br />
<br><br />
<br />
==== Confirmed speakers Conferenceday ====<br />
{{#switchtablink:Conferenceday| <p><br />
* Dinis Cruz (Security Innovation) - Making Security Invisible by Becoming the Developer’s Best Friends<br><br />
* Rüdiger Bachmann (SAP) - Code review large companies<br><br />
* Lieven Desmet (Distrinet, KU Leuven) - Sandboxing JavaScript<br><br />
* Asia Slowinska (VU Amsterdam) - Body Armor for Binaries<br><br />
* Marc Hullegie and Kees Mastwijk (Vest) - Forensics<br><br />
* Dan Cornell (Denim group) - Streamlining Application Vulnerability Management: Communication Between Development and Security Teams<br><br />
* John Wilander (OWASP Sweden) - Browser security<br><br />
* Erwin Geirnaert (Zion security) - OWASP Top 10 vs Drupal<Br><br />
* Seba Deleersnyder (OWASP) - Update on OWASP<br><br />
}}<br />
<br><br />
<br />
==== The OWASP BeNeLux Program Committee ====<br />
*Bart De Win / Sebastien Deleersnyder/ Lieven Desmet/ David Mathy, OWASP Belgium<br />
*Martin Knobloch / Ferdinand Vroom, OWASP Netherlands<br />
*Jocelyn Aubert / Andre Adelsbach/ Thierry Zoller, OWASP Luxembourg<br />
*Steven van der Baan, OWASP CTF Project<br />
<br><br />
<br />
=== Tweet! ===<br />
Event tag is [http://twitter.com/#search?q=%23owaspbnl12 #owaspbnl12]<br />
<br><br><br />
==== Donate to OWASP BeNeLux ====<br />
<paypal>BeNeLux OWASP Day 2012</paypal><br />
<br />
<!-- Second tab --><br />
= Registration =<br />
<br />
==== OWASP BeNeLux training day and conference are free! ==== <br />
<br />
=== Registration is open: ===<br />
<br />
[http://owaspbenelux2012.eventbrite.com/ http://www.owasp.org/images/7/77/Buttoncreate.png]<br />
<br />
<br><br />
To support the OWASP organisation, consider to become a member, it's only US$50!<br />
<br> <br />
Check out the [[Membership]] page to find out more. <br />
<br><br />
<br />
<br />
<!-- Third tab --><br />
= Venue =<br />
<br />
=== Venue is the iMinds-DistriNet Research Group @ KU Leuven ===<br />
<br />
''Celestijnenlaan, 200A<br><br />
3001 Heverlee<br><br />
Belgium<br>''<br />
<br><br />
<br />
<br>'''Parking & roadmap''':<br />
<br />
There is a public parking close to the conference venue.<br />
<br />
Roadmap and parking: http://distrinet.cs.kuleuven.be/about/route/<br />
<br />
<br />
<br>'''Hotels nearby''': <br> <br />
Board house (close to the venue)<br> http://www.boardhouse.be<br><br />
The lodge (close to the venue)<br> http://www.booking.com/hotel/be/the-lodge-heverlee.en.html<br><br />
Begijnhof Congres Hotel (1 km from the venue)<br> http://www.bchotel.be/<br><br />
La Royale (2 km from the venue)<br> http://www.laroyale.be<br> <br />
Hotel Ibis (2 km from the venue)<br> http://www.accorhotels.com/gb/hotel-1457-ibis-leuven-centrum/index.shtml<br> <br />
Mercure (2 km from the venue) <br> http://www.mercure.com/gb/hotel-7862-hotel-mercure-leuven-center/index.shtml<br> <br />
New Damshire (2 km from the venue)<br> http://www.hotelnewdamshire.be<br> <br />
<br />
<br />
<!-- Fourth tab --><br />
<br />
= Trainingday =<br />
<br />
==== Trainingday, November 29th ====<br />
<br />
==== Location ====<br />
The training room is: <br />
''Celestijnenlaan, 200A, fifth floor<br><br />
3001 Heverlee<br><br />
Belgium<br>''<br />
<br><br />
<br />
(for details, check the {{#switchtablink:Venue|Venue}} tab)<br />
<br />
==== Agenda ==== <br />
{| class="wikitable"<br />
! Time !! Description !! Room 1 !! Room 2 !! Room 3 !! Room 4<br />
|-<br />
| 08h30 - 9h30<br />
| colspan="5" style="text-align: center; background: grey; color: white;" | ''Registration''<br />
|-<br />
| 09h30 - 11h00 || Training<br />
| rowspan="7" style="width:100px;" | [[#DinisCruz|Advanced O2, by Dinis Cruz]]<br />
| rowspan="7" style="width:100px;" | [[#DanCornell|SDLC with Open Source tools, by Dan Cornell]]<br />
| rowspan="7" style="width:100px;" | [[#VolkertDeBuisonje|Secure Java Development with ESAPI (hands-on), by Volkert de Buisonjé]]<br />
| rowspan="7" style="width:100px;" | [[#MartinKnobloch|Essential Web Appplication Security (OWASP Top 10, Webgoat, WebScarab), by Martin Knobloch]]<br />
|-<br />
| 11h00 - 11h30 || ''Coffee Break''<br />
|-<br />
| 11h30 - 13h00 || Training<br />
|-<br />
| 13h00 - 14h00 || ''Lunch''<br />
|-<br />
| 14h00 - 15h30 || Training<br />
|-<br />
| 15h30 - 16h00 || ''Coffee Break''<br />
|-<br />
| 16h00 - 17h30 || Training<br />
|}<br />
<br />
<br />
<br />
<br />
<br />
<br><br />
<br />
<div id="VolkertDeBuisonje"></div><br />
<br />
=== Secure Java Development workshop with ESAPI, by Volkert de Buisonjé (Sogeti) ===<br />
''Workshop:''<br><br />
First, attendees will receive a brief introduction on application awareness. Then they will get acquainted with Webgoat, a "deliberately insecure J2EE web application" designed as a practice tool for secure application development and testing. They will learn how to exploit some vulnerabilities in Webgoat, through for instance Cross-Site Scripting (CSS) and Cross-Site Request Forgery (CSRF) attacks. Finally, the ESAPI library will be introduced and the attendees will learn how to apply ESAPI to fix such vulnerabilities in Webgoat's source code.<br><br />
<br><br />
''Prerequisites for this workshop:''<br><br />
* Reasonable knowledge of and experience with Java development<br />
* A laptop running a recent version of Linux, Mac OS X, or Windows<br />
* The most recent version of VirtualBox (4.x) installed<br />
* At least 2GB of RAM<br />
* At least 2GB of disk space<br />
<br><br />
''Bio:''<br><br />
Volkert de Buisonjé is a senior Java developer at Sogeti. He specializes in, and teaches application security courses, both to coworkers and to customers. Knowledge sharing (in both directions) is his passion. Volkert likes making friends and talking a lot. He never shuns a good discussion, and prefers to bring a high amount of interactivity to his classes. :-)<br><br />
<br><br />
<br><br />
<br />
<div id="DinisCruz"></div><br />
=== Advanced O2, by Dinis Cruz (Security Innovation) ===<br />
''Workshop:''<br><br />
The O2 platform represents a new paradigm for how to perform, document and distribute Web Application security reviews. O2 is designed to Automate Security Consultants Knowledge and Workflows and to Allow non-security experts to access and consume Security Knowledge.<br />
<br><br />
''Bio:''<br><br />
Dinis Cruz is a Security Consultant based in London (UK) and specialized in: ASP.NET/J2EE Application Security, Application Security audits and .NET Security Curriculum Development.<br><br />
For the past years Dinis has focused on the field of Static Source Code analysis, from May 2007 to Dec 2009 he worked as a independent consultant for Ounce Labs (bought by IBM in July 2009) where during active security engagements using Ounce's technology he developed the Open Source codebase which now is the foundation of the OWASP O2 Platform.<br><br />
Dinis is currently focused on making the O2 Platform the industry standard for consuming, instrumenting and data-sharing between the multiple WebAppSec tools, the Security consultants and the final developers. Dinis is a also active trainer on .Net security having written and delivered courses for IOActive, Foundstone, Intense School and KPMG (at multiple locations including BlackHat), and has delivered a number of presentations and keynote speeches at multiple OWASP and Security related conferences.<br><br />
At OWASP, Dinis is the leader of the OWASP O2 Platform project<br><br />
<br><br />
<br><br />
<br />
<div id="MartinKnobloch"></div><br />
<br />
=== Essential Web Appplication Security (OWASP Top 10, Webgoat, WebScarab), by Martin Knobloch (PervaSec) ===<br />
''Abstract:''<br><br />
This workshop is an introduction into (web) application security with hands-on labs, using OWASP documentation and tooling.<br />
You will be introduced into the security mindset, discus the OWASP TopTen 2010 and learn basic skills in how to find vulnerabilities in web applications. All tools and documentation are provided during the training.<br><br />
<b>As this is an hands-on workshop, please bring your own laptop!</b> <br><br />
Course structure:<br />
*Introduction OWASP, OWASP tool and documentation<br />
*Security Testing mindset <br />
*1st Lab: OWASP WebGoat / WebScarab <br />
*OWASP Top Ten 2010<br />
*OWASP Testing Guide <br />
*2nd Lab: OWASP WebGoat / WebScarab <br />
*3rd Lab: OWASP Hackademic / ZAP <br />
*Summary and completion <br />
Prerequisites for this workshop:<br />
*Basic understanding of HTTP and web application testing/development<br />
*An open mind<br />
<br><br />
''Bio:''<br><br />
Martin is an independent security consultant and owner of PervaSec (http://www.pervasec.nl). His main working area is (software) security in general, from awareness to implementation. In his daily work, he is responsible for education in application security matters, advise and implementation of application security measures.<br><br />
At OWASP, Martin is member of the Dutch chapter board and chair of the Global Education Committee and contributes to several projects.<br><br />
Martin is a frequent speaker at conferences, universities and hacker spaces.<br />
<br><br />
<br />
<br />
<div id="DanCornell"></div><br />
<br />
=== Building a Software Security Program On Open Source Tools, by Dan Cornell (Denim Group) ===<br />
''Abstract:''<br><br />
Using the Software Assurance Maturity Model (OpenSAMM) as a framework, this course walks through the major components of a comprehensive software security program and highlights open source and other freely-available tools that can be used to help implement the activities involved in such a program. The focus of the course is on providing hands-on demonstrations of the tools with an emphasis on integrating tool results into the overall software security program. Featured tools include: ESAPI, Microsoft Web Protection Library, FindBugs, FxCop, CAT.NET, Brakeman, Agnitio, Arachini, w3af, ZAProxy, ThreadFix as well as other educational resources from OWASP. Attendees should finish the course with a solid understanding of the various components of a comprehensive software security program as well as hands-on experience with a variety of freely-available tools that they can use to implement portions of these programs.<br><br />
<br><br />
''Outline:''<br><br />
* So You Want To Roll Out A Software Security Program?<br />
* The Software Assurance Maturity Model (OpenSAMM)<br />
* ThreadFix: Overview<br />
* Governance: Strategy and Metrics<br />
** ThreadFix: Reporting<br />
* Governance: Policy and Compliance<br />
* Governance: Education and Guidance<br />
** OWASP Development Guide<br />
** OWASP Cheat Sheets<br />
** OWASP Secure Coding Practices<br />
* Construction: Threat Assessment<br />
* Construction: Security Requirements<br />
* Construction: Secure Architecture<br />
** ESAPI overview<br />
** Microsoft Web Protection Library (Anti-XSS) overview<br />
* Verification: Design Review<br />
** Microsoft Threat Analysis and Modeling Tool<br />
* Verification: Code Review<br />
** FindBugs<br />
** FxCop<br />
** CAT.NET<br />
** Brakeman<br />
** Agnitio<br />
* Verification: Security Testing<br />
** Arachni<br />
** w3af<br />
** ZAProxy<br />
* Deployment: Vulnerability Management<br />
** ThreadFix: Defect Tracker Integration<br />
* Deployment: Environment Hardening<br />
** Microsoft Baseline Security Analyzer (MBSA)<br />
* Deployment: Operational Enablement<br />
** mod_security<br />
<br><br />
''Bio:''<br><br />
Dan Cornell has over fifteen years of experience architecting and developing web-based software systems. He leads Denim Group’s security research team in investigating the application of secure coding and development techniques to improve web-based software development methodologies.<br><br />
Dan was the founding coordinator and chairman for the Java Users Group of San Antonio (JUGSA) and currently serves as the OWASP San Antonio chapter leader, member of the OWASP Global Membership Committee and co-lead of the OWASP Open Review Project. Dan has spoken at such international conferences as RSA, OWASP AppSec USA, and OWASP EU Research in Greece.<br><br />
<br><br />
<br />
<br />
<!-- Fifth tab --><br />
<br />
= Conferenceday =<br />
<br />
==== Conferenceday, November 30th ====<br />
<br />
==== Location ====<br />
The training room is: (TBD) (for details, check the {{#switchtablink:Venue|Venue}} tab)<br />
<br />
==== Agenda ==== <br />
{| class="wikitable"<br />
! width="90pt" | Time<br />
! width="130pt" | Speaker !! Topic<br />
|- <br />
| 09h00 - 10h00<br />
| colspan="2" style="text-align: center; background: grey; color: white" | ''Registration''<br />
|- <br />
| 10h00 - 10h15 || OWASP Benelux Organization || Welcome ([https://www.owasp.org/images/a/ad/OWASP_BeNeLux_Day_2012_-_Organization_welcome.ppt PPT])<br />
|-<br />
| 10h15 - 10h30 || Sebastien Deleersnyder || OWASP update ([https://www.owasp.org/images/d/d7/OWASP-Update-BeNeLux-Day-2012_v1.pptx PPT])<br />
|-<br />
| 10h30 - 11h10 || [[#JohnWilander|John Wilander]] || ''' Secure Web Integration Patterns in the Era of HTML5'''<br>''Abstract:'' Quite a few organizations are finding themselves in a legacy situation with their web applications. Over ten years have passed since the era of dynamic HTML and with the rise of HTML5 and mobile platforms there is now need to gradually move these legacy beasts into a new architecture. Additionally, more and more third party services are offered such as maps, tracking, social media tie-ins, video etc. What are the possible and suitable design patterns for bringing new web, old web, and third party web together? Can we isolate them from each other to secure the new apps from legacy and third party security vulnerabilities? We will dig into the postMessage api, the iframe sandbox directive, CORS, and the same-origin policy while comparing it to the previous generation of integration with jsonp and other hacks.<br />
|-<br />
| 11h10 - 11h50 || [[#LievenDesmet|Lieven Desmet]] || '''Sandboxing Javascript'''<br>''Abstract:'' The inclusion of third-party scripts in web pages is a common practice. A recent study has shown that more than half of the Alexa top 10 000 sites include scripts from more than 5 different origins. However, such script inclusions carry risks, as the included scripts operate with the privileges of the including website.<br><br />
In this talk, we propose JSand, a server-driven but client-side JavaScript sandboxing framework. JSand requires no browser modifications: the sandboxing framework is implemented in JavaScript and is delivered to the browser by the websites that use it. Enforcement is done entirely at the client side: JSand enforces a server-specified policy on included scripts without requiring server-side filtering or rewriting of scripts.<br><br />
Most importantly, JSand is complete: access to all resources is mediated by the sandbox.<br><br />
We describe the design and implementation of JSand, and we show that it is secure, backwards compatible, and that it performs sufficiently well.<br><br />
|-<br />
| 11h50 - 12h30 || [[#ErwinGeirnaert|Erwin Geirnaert]] || '''OWASP Top 10 vs Drupal'''<br>''Abstract:'' Drupal is the most used and well-known open source content management system in the world. Created by Dries Buytaert years ago it has grown with the support of a big community. Drupal 7 is already released and there is an entire ecosystem for Drupal and Drupal web agencies.<br><br />
During this presentation we will discuss the findings of an automated static code analysis of Drupal 6 and Drupal 7 and how Drupal protects against the OWASP Top 10 Application Security Risks. We will explain the security weaknesses that remain when you use Drupal and what you can implement to have a secure cloud server running Drupal.<br><br />
|-<br />
| 12h30 - 13h30<br />
| colspan="2" style="text-align: center;background: grey; color: white" | ''Lunch'' <br />
|-<br />
| 13h30 - 14h10 || [[#AsiaSlowinska|Asia Slowinska]] || '''Body Armor for Binaries'''<br>''Abstract:'' BinArmor is a novel technique to protect existing C binaries from memory corruption attacks on both control data and non-control data. Without access to source code, non-control data attacks cannot be detected with current techniques. Our approach hardens binaries against both kinds of overflow, without requiring the pro- grams’ source or symbol tables. We show that BinArmor is able to stop real attacks—including the recent non- control data attack on Exim. Moreover, we did not in- cur a single false positive in practice. On the downside, the current overhead of BinArmor is high—although no worse than competing technologies like taint analysis that do not catch attacks on non-control data. Specifi- cally, we measured an overhead of 70% for gzip, 16%- 180% for lighttpd, and 190% for the nbench suite.<br />
|-<br />
| 14h10 - 14h50 || [[#MarcHullegieAndKeesMastwijk|Marc Hullegie and Kees Mastwijk]] || '''Forensics'''<br>''Abstract:'' In today’s investigations, forensics has become an important investigative method in fighting and solving (cyber)crimes and irregularities. During the session you will be briefly taken through the landscape of Forensics Basics; the Fraud Triangle and scenario's; What to look for and the appliance of Digital Forensics. What are the Challenges, the required Skills and Expertise and Solutions to these challenges. Specific focus on the Forensics of Web Applications and what you can do the create a more forensic ready system.<br><br />
|-<br />
| 14h50 - 15h30 || [[#DanCornell|Dan Cornell]] || '''Streamlining Application Vulnerability Management: Communication Between Development and Security Teams'''<br>''Abstract:'' Identifying application-level vulnerabilities via scanning, penetration tests and code reviews is only the first step in actually addressing the underlying risk. Managing vulnerabilities for applications is more challenging than dealing with traditional infrastructure-level vulnerabilities because they typically require the coordination of security teams with application development teams. The process also means that security managers need to get time from developers during already-cramped development and release schedules. In addition, fixes require changes to custom application code and application-specific business logic rather than the patches and configuration changes that are often sufficient to address infrastructure-level vulnerabilities. This presentation will illustrate the communication difficulties between security and development teams, and how this usually results in unactionable reports and fewer vulnerabilities remediated. In addition, the presentation will walk through an example workflow of addressing application vulnerabilities as software defects. This will be based on freely-available tools and show specific examples of how vulnerabilities can be grouped together, false positives can be culled out, and vulnerabilities transitioned to software defects, as well as how security managers can monitor and verify progress.<br><br />
|-<br />
| 15h30 - 15h50<br />
| colspan="2" style="text-align: center;background: grey; color: white" | ''Break'' <br />
|-<br />
| 15h50 - 16h30 || [[#RuedigerBachmann|Ruediger Bachmann]] || '''Code review for Large Companies'''<br>''Abstract:''Static source code analysis should be an essential part in the secure software development life cycle (SDLC) to start to minimize the number of potential vulnerabilities already in a very early stage in the software development process.<br><br />
The introduction of static code analysis at a large software manufacturer is a big challenge. In addition to the technical difficulties – based on the sheer number and size of the software projects or the number of different programing languages – there are also non-technical issues like creating new security awareness, trainings to use the provided tools efficiently and integration of analysis processes into the software development and maintenance life cycle.<br><br />
This talk gives an overview of the company-wide introduction of static code analysis at SAP AG.<br />
|-<br />
| 16h30 - 17h10 || [[#DinisCruz|Dinis Cruz]] || '''Making Security Invisible by Becoming the Developer’s Best Friends'''<br>''Abstract:'' Coming soon!<br />
|-<br />
| 17h10 - 17h50 || <br />
* Steven Wierckx<br />
* Luc Beirens<br />
* Jos Dumortier<br />
* Dieter Sarrazyn<br />
* Erwin Geirnaert<br />
* John Wilander<br />
|| '''Panel Discussion about the legal aspects of penetration testing'''<br> ''Abstract:'' In the past couple of years security has become a more visible topic in the media. As a result many companies are asking for security reviews in the form of a penetration test. A lot of entrepreneurs took the opportunity to form teams and/or companies that provide such services. There seems to be a lack of clear (standard) legal documentation to cover these activities both for the penetration tester and the company under review. With this panel discussion we would like to discuss this situation and to see if there is a possibility to have a standard document or framework that can be used as a starting point for companies and professionals to use as a contract. The purpose would be to end up with a (set of) documents similar to the “Testaankoop standard huurcontract”, this is a well-known Belgian contract framework for renting a house where both parties are protected and that is clear to both parties. It can be used without further legal intervention.<br />
|-<br />
| 17h50 - 18h00 || OWASP Benelux 2012 organization || '''Closing Notes'''<br />
|}<br />
<br />
<br><br />
<br><br />
<br />
<div id="AsiaSlowinska"></div><br />
<br />
=== Body Armor for Binaries, by Asia Slowinska (Vrije Universiteit Amsterdam) ===<br />
''Abstract:''<br><br />
BinArmor is a novel technique to protect existing C binaries from memory corruption attacks on both control data and non-control data. Without access to source code, non-control data attacks cannot be detected with current techniques. Our approach hardens binaries against both kinds of overflow, without requiring the pro- grams’ source or symbol tables. We show that BinArmor is able to stop real attacks—including the recent non- control data attack on Exim. Moreover, we did not in- cur a single false positive in practice. On the downside, the current overhead of BinArmor is high—although no worse than competing technologies like taint analysis that do not catch attacks on non-control data. Specifi- cally, we measured an overhead of 70% for gzip, 16%- 180% for lighttpd, and 190% for the nbench suite.<br><br />
<br><br />
''Bio:''<br><br />
I am a postdoctoral researcher in the System and Network Security group at the Vrije Universiteit Amsterdam, under the guidance of Prof. dr. ir. Herbert Bos.<br><br />
I obtained my PhD from the Vrije Universiteit Amsterdam. My dissertation Using information flow tracking to protect legacy binaries was completed under the supervision of Prof. dr. ir. Herbert Bos, while my copromotor was Prof. dr. ir. Henri E. Bal.<br><br />
During my PhD studies, I interned twice with Microsoft Research Cambridge, where I joined the Systems and Performance Group. I also spent few months interning with the Systems and Security Department at Institute for Infocomm Research in Singapore.<br><br />
My research focuses on developing techniques to automatically analyze and reverse engineer complex software that is available only in binary form. Further, I’ve been looking into mechanisms that proactively protect software from malicious activities. Currently, I am involved in a project on Reverse Engineering of binaries, known as Rosetta.<br><br />
<br><br />
<br />
<div id="RuedigerBachmann"></div><br />
=== Code review for Large Companies, by Ruediger Bachmann (SAP) ===<br />
''Abstract:''<br><br />
Static source code analysis should be an essential part in the secure software development life cycle (SDLC) to start to minimize the number of potential vulnerabilities already in a very early stage in the software development process.<br><br />
The introduction of static code analysis at a large software manufacturer is a big challenge. In addition to the technical difficulties – based on the sheer number and size of the software projects or the number of different programing languages – there are also non-technical issues like creating new security awareness, trainings to use the provided tools efficiently and integration of analysis processes into the software development and maintenance life cycle.<br><br />
This talk gives an overview of the company-wide introduction of static code analysis at SAP AG.<br />
<br><br />
''Bio:''<br><br />
After graduating with a degree in mathematics and computer science at the University of Giessen in 1997, Ruediger Bachmann worked at various software companies and IT service providers mainly in software development. Currently he is employed at SAP AG in Germany as a Development Architect in the central code analysis team. There he is focusing on application security and security code scans.<br><br />
<br />
<div id="LievenDesmet"></div><br />
<br />
=== Sandboxing JavaScript, by Lieven Desmet (Research Manager at KU Leuven) ===<br />
''Abstract:''<br><br />
The inclusion of third-party scripts in web pages is a common practice. A recent study has shown that more than half of the Alexa top 10 000 sites include scripts from more than 5 different origins. However, such script inclusions carry risks, as the included scripts operate with the privileges of the including website.<br><br />
In this talk, we propose JSand, a server-driven but client-side JavaScript sandboxing framework. JSand requires no browser modifications: the sandboxing framework is implemented in JavaScript and is delivered to the browser by the websites that use it. Enforcement is done entirely at the client side: JSand enforces a server-specified policy on included scripts without requiring server-side filtering or rewriting of scripts. Most importantly, JSand is complete: access to all resources is mediated by the sandbox.<br><br />
We describe the design and implementation of JSand, and we show that it is secure, backwards compatible, and that it performs sufficiently well.<br><br />
<br><br />
''Bio:''<br><br />
Lieven Desmet is Research Manager on Software Secure at the iMinds-DistriNet Research Group (KU Leuven, Belgium), where he coaches junior researchers in web application security and participates in dissemination and valorization activities. His interests are in security of middleware and web-enabled technologies. Lieven is actively engaged in OWASP and is board member of the OWASP Chapter Belgium.<br><br />
<br><br />
<br><br />
<br />
<div id="ErwinGeirnaert"></div><br />
=== OWASP Top 10 vs Drupal, by Erwin Geirnaert (Zion Security) ===<br />
''Abstract:''<br><br />
Drupal is the most used and well-known open source content management system in the world. Created by Dries Buytaert years ago it has grown with the support of a big community. Drupal 7 is already released and there is an entire ecosystem for Drupal and Drupal web agencies.<br><br />
During this presentation we will discuss the findings of an automated static code analysis of Drupal 6 and Drupal 7 and how Drupal protects against the OWASP Top 10 Application Security Risks. We will explain the security weaknesses that remain when you use Drupal and what you can implement to have a secure cloud server running Drupal.<br><br />
<br><br />
''Bio:''<br><br />
Erwin founded ZION SECURITY in 2005 to help companies to protect against the latest threats, attacks against web applications. ZION SECURITY is nowadays a Belgian market leader in the field of security testing, vulnerability management, penetration testing and banking security. Erwin has more than 10 years of experience in web security, graduating with a Master of Science in Software Development from the University of Ghent. Erwin executes different types of projects for a lot of international software companies, financial institutions, telecom and web agencies. Specialist in executing code reviews in different development languages for critical applications, executing continuous penetration tests of their infrastructure and Internet applications. A specialist in J2EE, PHP, .NET, mobile app and web services security. Erwin architects secure e-business projects for web agencies and software companies. He is a recognized application security expert and speaker at international events like Javapolis, OWASP, Eurostar, LSEC,...<br><br />
<br><br />
<br />
<div id="MarcHullegieAndKeesMastwijk"></div><br />
=== Forensics, by Marc Hullegie and Kees Mastwijk (Vest Information Security) === <br />
''Abstract:''<br><br />
In today’s investigations, forensics has become an important investigative method in fighting and solving (cyber)crimes and irregularities. During the session you will be briefly taken through the landscape of Forensics Basics; the Fraud Triangle and scenario's; What to look for and the appliance of Digital Forensics. What are the Challenges, the required Skills and Expertise and Solutions to these challenges. Specific focus on the Forensics of Web Applications and what you can do the create a more forensic ready system.<br><br />
<br><br />
''Bio:''<br><br />
Marc Hullegie is founder and CEO of Vest Information Security and is widely experienced in the information security business in all types of areas: Security Architecture and Infrastructure, Security Audits and Testing, Security Management, Awareness and Digital Forensics. He presents lectures at (international) conferences and is looking forward to share experiences at the OWASP Benelux days 2012 with you.<br><br />
<br> <br />
''Bio:''<br><br />
Kees Mastwijk is a security consultant working with Vest, acting as Security Auditor, Awareness Program leader and security Manager. He has a long (and ongoing) experience history in Digital Forensic Research.<br><br />
<br><br />
<br />
<div id="JohnWilander"></div><br />
=== Secure Web Integration Patterns in the Era of HTML5, by John Wilander (Svenska Handelbanken) ===<br />
''Abstract:''<br><br />
Quite a few organizations are finding themselves in a legacy situation with their web applications. Over ten years have passed since the era of dynamic HTML and with the rise of HTML5 and mobile platforms there is now need to gradually move these legacy beasts into a new architecture. Additionally, more and more third party services are offered such as maps, tracking, social media tie-ins, video etc. What are the possible and suitable design patterns for bringing new web, old web, and third party web together? Can we isolate them from each other to secure the new apps from legacy and third party security vulnerabilities? We will dig into the postMessage api, the iframe sandbox directive, CORS, and the same-origin policy while comparing it to the previous generation of integration with jsonp and other hacks.<br />
<br><br />
''Bio:''<br><br />
John Wilander is a frontend software developer at Svenska Handelbanken, the second strongest bank in the world according to Bloomberg Markets. He has been researching and working in application security for ten years and is an active leader in OWASP, the Open Web Application Security Project. In 2011 he organized the OWASP Summit Browser Security sessions in Portugal, with participants from the security teams behind Chrome, Firefox, Internet Explorer, Flash, and PayPal. During his years in academia he was elected best computer science teacher twice and nowadays gives 5-10 professional talks per year.<br><br />
<br><br />
<br><br />
<br />
<div id="DanCornell"></div><br />
<br />
=== Streamlining Application Vulnerability Management: Communication Between Development and Security Teams, by Dan Cornell (Denim Group) ===<br />
''Abstract:''<br><br />
Identifying application-level vulnerabilities via scanning, penetration tests and code reviews is only the first step in actually addressing the underlying risk. Managing vulnerabilities for applications is more challenging than dealing with traditional infrastructure-level vulnerabilities because they typically require the coordination of security teams with application development teams. The process also means that security managers need to get time from developers during already-cramped development and release schedules. In addition, fixes require changes to custom application code and application-specific business logic rather than the patches and configuration changes that are often sufficient to address infrastructure-level vulnerabilities. This presentation will illustrate the communication difficulties between security and development teams, and how this usually results in unactionable reports and fewer vulnerabilities remediated. In addition, the presentation will walk through an example workflow of addressing application vulnerabilities as software defects. This will be based on freely-available tools and show specific examples of how vulnerabilities can be grouped together, false positives can be culled out, and vulnerabilities transitioned to software defects, as well as how security managers can monitor and verify progress.<br><br />
<br><br />
''Bio:''<br><br />
''Dan Cornell has over fifteen years of experience architecting and developing web-based software systems. He leads Denim Group’s security research team in investigating the application of secure coding and development techniques to improve web-based software development methodologies.<br><br />
Dan was the founding coordinator and chairman for the Java Users Group of San Antonio (JUGSA) and currently serves as the OWASP San Antonio chapter leader, member of the OWASP Global Membership Committee and co-lead of the OWASP Open Review Project. Dan has spoken at such international conferences as RSA, OWASP AppSec USA, and OWASP EU Research in Greece.''<br><br />
<br><br />
<br><br />
<br />
<div id="DinisCruz"></div><br />
=== Making Security Invisible by Becoming the Developer’s Best Friends, by Dinis Cruz (Security Innovation) ===<br />
''Abstract:''<br><br />
''Coming soon!''<br><br />
<br><br />
''Bio:''<br><br />
Dinis Cruz is a Security Consultant based in London (UK) and specialized in: ASP.NET/J2EE Application Security, Application Security audits and .NET Security Curriculum Development.<br><br />
For the past years Dinis has focused on the field of Static Source Code analysis, from May 2007 to Dec 2009 he worked as a independent consultant for Ounce Labs (bought by IBM in July 2009) where during active security engagements using Ounce's technology he developed the Open Source codebase which now is the foundation of the OWASP O2 Platform.<br><br />
Dinis is currently focused on making the O2 Platform the industry standard for consuming, instrumenting and data-sharing between the multiple WebAppSec tools, the Security consultants and the final developers. Dinis is a also active trainer on .Net security having written and delivered courses for IOActive, Foundstone, Intense School and KPMG (at multiple locations including BlackHat), and has delivered a number of presentations and keynote speeches at multiple OWASP and Security related conferences.<br><br />
At OWASP, Dinis is the leader of the OWASP O2 Platform project<br><br />
<br><br />
<br><br />
<br />
=== Panel discussion about the legal aspects of penetration testing ===<br />
''with Steven Wierckx, Luc Beirens, Jos Dumortier, Dieter Sarrazyn, ...''<br><br><br />
''Abstract:''<br> In the past couple of years security has become a more visible topic in the media. As a result many companies are asking for security reviews in the form of a penetration test. A lot of entrepreneurs took the opportunity to form teams and/or companies that provide such services. There seems to be a lack of clear (standard) legal documentation to cover these activities both for the penetration tester and the company under review. With this panel discussion we would like to discuss this situation and to see if there is a possibility to have a standard document or framework that can be used as a starting point for companies and professionals to use as a contract. The purpose would be to end up with a (set of) documents similar to the “Testaankoop standard huurcontract”, this is a well-known Belgian contract framework for renting a house where both parties are protected and that is clear to both parties. It can be used without further legal intervention.<br><br />
<br><br />
<li>''Bio Steven Wierckx, ps_testware:''<br><br />
Steven Wierckx is currently working as Security Tester for [http://www.pstestware.com/ ps_testware], he specialises in web application security and keeps a security related blog [http://www.ihackforfun.eu/ ihackforfun]. He is also wrting articles and doing technical reviews for PenTest Magazine.<br><br />
<br><br />
<li>''Bio Luc Beirens, FCCU:''<br><br />
Head of Belgian Federal Computer Crime Unit & Chair EU Cybercrime Task Force trying to create partnerships and circumstances for a safer cyberspace.<br><br />
<br><br />
<li>''Bio Jos Dumortier, ICRI:''<br><br />
Jos Dumortier is Professor of ICT Law at the University of Leuven (Belgium) and the Director of the Interdisciplinary Research Centre for ICT and Law (ICRI) (www.icri.be). With his research team he participates in a series of R & D projects in the domain of telemedicine.<br><br />
He is also a member of the Bar of Brussels and partner in “time.lex”, a law firm specialized in information and technology law (www.timelex.eu).<br><br />
He participates in the boards of several national and international scientific and business associations and is a member of various editorial and program committees. <br><br />
He is the editor of the International Encyclopedia of Cyber Law and the author of more than one hundred books and articles on legal issues related to the information society.<br><br />
Jos Dumortier has taken the lead in a large number of European studies and projects in the area of information security, privacy and identity management. He worked on an assignment of the European Commission (DG INFSO) for a study on the legal obstacles for interoperable eHealth in Europe and on several studies for the Flemish government related to the implementation of a regional eHealth platform. He is also a member of the Flemish data protection supervisory authority for the health sector.<br><br />
<br><br />
<li>''Bio Dieter Sarrazyn, PWC:''<br><br />
Dieter is a senior manager and consultant within PwC and a team leader for Risk Management assessment services. His main focus is in performing penetration tests (external as well as internal), performing security audits, creating and evaluating security architectures,and creating and setting up vulnerability management frameworks & tools. He is a Certified Information Systems Security Professional (CISSP), a Certified Intrusion Analyst (GCIA), a Certified Incident Handling Analyst (GCIH), a Certified Intrusion Analyst (GCIA) a GIAC Systems and Network Auditor (GSNA). Dieter is also SANS Local Mentor and SANS Community Teacher<br><br />
<br><br />
<br><br />
<br />
<!-- Sixth tab --><br />
<br />
= Social Event =<br />
<br />
==== Social Event, November 29th ====<br />
<br />
<B>Important Update</B><br />
The brewery visit is limit to 60 people. Therefor, the 60 first registered people that indicated interest in the social event have been invited to participate. Any remaining tickets will be offered on Thursday around noon at the registration desk.<br />
<br />
All other people (and the people of the brewery tour after that has finished) are warmly invited to join us in the Downtown Jack, a pub with a number of pool and snooker tables. 5 pool tables have been exclusively reserved for us from 20h00 onwards. You can also have a drink and eat something there if you like.<br />
<br />
The address: Parkstraat 40, 3000 Leuven (see http://www.downtownjack.be/)<br />
<br />
<B>Brewery Visit Information</B><br />
The social event will take place at the InBev Brewery in Leuven, where there will be a guided tour and a beer tasting.<br><br />
Unfortunately, the tour is limited to 60 people. Since we have more registered people than places, we will soon announce how we will<br />
proceed.<br><br />
If you decide not to join, please inform the Benelux organisation, other participants will be happy to join.<br><br />
<br><br />
'''The entrance fee for the tour is 10 EUR'''. <br><br />
This amount will have to be paid to the Benelux organisation at the registration desk or upon entry in cash (please use correct notes).<br><br />
<br><br />
Below is the address where the event takes place. You can take your car, bus number 2 or a taxi to reach this.<br> '''The tour starts at 19h30 sharp'''.<br><br />
<br><br />
'''Address:''' <br><br />
Vuurkruisenlaan z/n <br><br />
3000 Leuven<br><br />
<br><br />
'''From the station:'''<br><br />
Take the street 'Diestepoort' (this street is parrallel with the railway behind the building)and walk straight through. You can see the brewery at the end of the street.<br><br />
'''By car:'''<br><br />
From the street diestesteenweg or beckeremieplein head to the railroadbridge. At the crossroad take first right, this is the entrance of the brewery. from the expressway R23 head to the Hotel ''NOVOTEL''. Take the street left from ''NOVOTEL'', this is the ''vuurkruisenlaan''. On your left side you can see the brewery. At the<br />
next crossroad take the first left, this is the entrance of the brewery.<br><br />
<br><br />
'''ENTRANCE BREWERY:'''<br><br />
is also the entrance for the trucks, next to the railroadbridge.<br><br />
We will meet at the entrance at 19h30 where the tour will start.<br><br><br />
<br />
<br />
<!-- Seventh tab --><br />
<br />
= CTF =<br />
<br />
==== Capture the Flag! ====<br />
<br />
* Do you like puzzles? <br />
* Do you like challenges? <br />
* Are you a hacker?<br />
<br />
Whether you are an experienced hacker or new enthusiast you should come to OWASP BeNeLux 2012 and participate in the Capture the Flag event November 30th 2012. <br />
<br />
The OWASP CTF is especially designed to support challengers of all skill levels. The CTF contains multiple challenges in various fields related to application security. As every challenge gains you one point, you can pick and choose which challenge you want to play.<br />
<br />
All you need is a laptop with a wifi card and your favorite (preferably) non-commercial tools. <br />
<br />
So come, show off your skills, learn new tricks and above all have a good time at the CTF event. <br />
<br />
<br />
<!-- Eighth tab --><br />
<br />
= Sponsor =<br />
<br />
==== Become a sponsor of OWASP BeNeLux ====<br />
<br />
==== Donate to OWASP BeNeLux ====<br />
<br />
<paypal>BeNeLux OWASP Day 2012</paypal> <br />
<br />
<br />
==== Promotion ====<br />
''Feel free to use the text below to promote our event!''<br />
<br />
We invite you to our next OWASP event: the '''BeNeLux OWASP Days 2012!'''<br />
<br />
Free your agenda on the 29th and 30th of November, 2012.<br />
<br />
The good news: free! No fee!<br />
<br />
The bad news: there are only 280 seats available (first register, first serve)!<br />
<br />
<br />
<!-- Don't remove these two lines! --><br />
__NOTOC__ <br />
<headertabs/><br />
<br />
<br />
==== Hosted and co-organized by: ====<br />
<br />
[http://distrinet.cs.kuleuven.be https://www.owasp.org/images/4/4a/Logo_distrinet.png]<br />
[http://www.nessos-project.eu/ https://www.owasp.org/images/5/52/Nessos.png]<br />
<br />
==== Made possible by our {{#switchtablink:Sponsor|Sponsors}}====<br />
<br />
==== OWASP Member Sponsor: ====<br />
{{MemberLinks|link=http://www.pwc.com/|logo=PWC_log_resized.png}} <br />
<br />
==== OWASP BeNeLux 2012 Sponsors: ====<br />
[http://www.madisongurkha.nl https://www.owasp.org/images/6/6e/Madison-gurkha-logo.jpg]<br />
[http://www.sogeti.nl https://www.owasp.org/images/9/94/Sogeti_logo.png]<br />
[http://www.vest.nl https://www.owasp.org/images/1/1d/Logo_Vest_BIG_170.gif]<br />
<br><br />
[http://www.iminds.be https://www.owasp.org/images/thumb/a/a1/Iminds-logo.png/200px-Iminds-logo.png]<br />
[http://www.zionsecurity.com https://www.owasp.org/images/e/e6/Zionsecurity.jpg]<br />
[http://on2it.net https://www.owasp.org/images/3/3d/On2it-sponsor.png]<br />
<br><br />
<br />
<br />
[[Category:OWASP_AppSec_Conference]] [[Category:OWASP_BeNeLux_Archives]]</div>Bart De Winhttps://wiki.owasp.org/index.php?title=BeNeLux_OWASP_Day_2011&diff=121553BeNeLux OWASP Day 20112011-12-15T22:06:29Z<p>Bart De Win: </p>
<hr />
<div>__NOTOC__ <br />
<center>[[Image:OWASP BeNeLux 2011.jpg]]<br></center><br />
<br><!-- Header --><br />
<br />
==== Welcome ====<br />
<br />
<br><br />
<center><br />
=== Venue is the University of Luxembourg (Grand Duchy of Luxembourg) ===<br />
Training and conference location, together with hotel information, can be found [https://www.owasp.org/index.php/BeNeLux_OWASP_Day_2011#tab=Venue here].<br />
=== Training and first list of conference speakers are announced! ===<br />
See [https://www.owasp.org/index.php/BeNeLux_OWASP_Day_2011#tab=Training.2C_December_1st here] and [https://www.owasp.org/index.php/BeNeLux_OWASP_Day_2011#tab=Conference.2C_December_2nd here]<br />
=== Tweet! ===<br />
<br />
Event tag is [http://twitter.com/#search?q=%23owaspbnl11 #owaspbnl11]<br />
<br />
=== Registrations are open: ===<br />
<br />
[http://owaspbenelux2011.eventbrite.com/ http://www.owasp.org/images/7/77/Buttoncreate.png] <br />
<br />
=== Slides are available online ===<br />
Check out the Conference tab of the website to download the presentations.<br />
<br />
</center><br />
<br><br />
<br />
==== Training, December 1st ====<br />
<br />
Registration '''starts at 9h00'''<br />
<br />
Training will start at '''10h00''' and we plan to stop at '''17h00'''. From '''17h00''' til '''18h00''', there will be an extra session on security testing by Yves Le Traon (see details below).<br />
<br />
The training room is: '''Paul Feidert''' (for details, check the [https://www.owasp.org/index.php/BeNeLux_OWASP_Day_2011#tab=Venue venue] tab)<br />
<br />
'''OWASP Training: Secure Application Development, by Eoin Keary'''<br />
<br />
'''Abstract:''' Writing Secure code is the most effective method to securing your web applications. Writing secure code takes skill and know-how but results in a more stable and robust application and assists in protecting an organisations brand.<br />
Application security is not commonly a part of many computer science curricula today and most organizations have not focused on instituting a culture that includes application security as a core part of their software development training efforts. This intensive one-day course focuses on the most common web application security problems, including aspects of both the OWASP Top Ten (2010) and the MITRE Top 25. The course will introduce and demonstrate application assessment techniques, illustrating how application vulnerabilities can be exploited so students really understand how to avoid introducing such vulnerabilities in their code.<br />
<br />
'''This course includes coverage of the following areas:'''<br />
<br />
* Unvalidated Input<br />
* Injection Flaws, OS commanding, SQL Injection<br />
* Cross-Site Scriping & Client-side security<br />
* CSRF/XSRF<br />
* Authentication & Session Management<br />
* Access control & Authorisation<br />
* Broken Caching<br />
* Error Handling & Resource Management<br />
* The Secure SDLC<br />
* Fuzzing, Proxy use and testing approach<br />
<br />
'''Hands on Exercises'''<br />
<br />
To cement the principles discussed, students can participate in a number of hands-on security testing exercises where they attack a live web application (i.e., OWASP Bank etc) that has been seeded with common web application vulnerabilities.<br />
<br />
The students will use proxy tools commonly used by the hacker community to complete the exercises. Students need to bring their own windows based laptop to participate in the exercises. Wireless capability is recommended. '''Make sure to get a copy of BURP proxy prior to the training: [http://www.portswigger.net/burp/downloadfree.html http://www.portswigger.net/burp/downloadfree.html]'''<br />
<br />
'''Audience'''<br />
<br />
Developers who want to understand the most common web application security flaws, and how to avoid them and code in a secure manner.<br />
<br />
Level: Beginner/Intermediate<br />
<br />
Prerequisite: Basic knowledge of a web programming language like Java or .NET recommended but not required.<br />
<br />
Bringing your own windows based laptop is recommended so you can participate in the hands on exercises<br />
<br />
'''Trainer Bio:''' <br />
<br />
[[Eoin Keary]] is a Global OWASP board member since 2009. He is a long time member of OWASP and have contributed year on year to OWASP projects and the OWASP mission of fighting the causes of software insecurity. He is based in Dublin, Ireland and director of [http://www.bccriskadvisory.com Bccriskadvisory].<br />
<br />
<br />
<br />
===== Extra session on Security testing: a key challenge for software engineering of web apps (17h00 - 18h00)===== <br />
While important efforts are dedicated to system functional testing, very few works study how to specifically and systematically test security mechanisms. In this talk, we will present two categories of approaches. <br />
The first ones aim at assessing security mechanisms compliance with declared policies. Any security policy is strongly connected to system functionality: testing function includes exercising many security mechanisms. However, testing functionality does not intend at exercizing all security mechanisms. We thus propose test selection criteria to produce tests from a security policy. Empirical results will be presented about access control policies and about Android apps permission checks. <br />
<br />
The second ones concern the attack surface of web apps, with a particular focus on web browser sensitivity to XSS attacks. Indeed, one of the major threats against web applications is Cross-Site Scripting (XSS) that crosses several web components: web server, security components and finally the client’s web browser. The final target is thus the client running a particular web browser. During this last decade, several competing web browsers (IE, Netscape, Chrome, Firefox) have been upgraded to add new features for the final users benefit. However, the improvement of web browsers is not related with systematic security regression testing. Beginning with an analysis of their current exposure degree to XSS, we extend the empirical study to a decade of most popular web browser versions.The results reveal a chaotic behavior in the evolution of most web browsers attack surface over time. This particularly shows an urgent need for regression testing strategies to ensure that security is not sacrificed when a new version is delivered. <br />
<br />
In both cases, security must become a specific target for testing in order to get a satisfying level of confidence in security mechanisms<br />
<br />
'''Trainer bio:'''<br />
<br />
Yves Le Traon is professor at University of Luxembourg in the domain of software engineering, reliability, validation and security. He is also a member of the Interdisciplinary Centre for Security, Reliability and Trust (SnT), where he leads the research group SERVAL (SEcuRity and VALidation of services and networks). His research interests include software testing, design for security, security testing, model-driven validation, model based testing, web application, mobile computing. <br />
<br />
Professor Le Traon received his engineering degree and his PhD in Computer Science at the “Institut National Polytechnique” in Grenoble, France, in 1997. From 1998 to 2004, he was an associate professor at the University of Rennes, in Brittany, France. He is the co-founder of the Triskell INRIA team, which focuses on innovating design, modeling and testing techniques, such as Model-driven Engineering. During this period, Professor Le Traon studied design for testability techniques, validation and diagnosis of object-oriented programs and component-based systems. From 2004 to 2006, he was an expert in Model-Driven Architecture and Validation in the EXA team (Requirements Engineering and Applications) at “France Télécom R&D”. In 2006, he became professor at Telecom Bretagne (Ecole Nationale des Télécommunications de Bretagne), where he pioneered the application of testing for security assessment of web-applications, P2P systems and the promotion of intrusion detection systems using contract-based techniques.<br />
<br />
<br />
<br />
==== Conference, December 2nd ====<br />
<br />
We are pleased to announce the list of confirmed speakers:<br />
<br />
* Brenno De Winter (Journalist) From DigiNotar to Leaktober<br />
* Koen Vanderloock (Lead Security Competence Group at Cegeka) on [https://www.owasp.org/index.php/BeNeLux_OWASP_Day_2011#OWASP_SIMBA_-_guarding_your_applications_.28by_Koen_Vanderloock.2C_Leader_Security_Competence_Group_at_Cegeka.29 the new OWASP Simba project]<br />
* Justin Clarke (Director and Co-Founder of Gotham Digital Science Ltd) on [https://www.owasp.org/index.php/BeNeLux_OWASP_Day_2011#Practical_Crypto_Attacks_Against_Web_Applications_.28by_Justin_Clarke.2C_Director_and_Co-Founder_of_Gotham_Digital_Science_Ltd.29 practical crypto attacks against web applications]<br />
* Lieven Desmet (Research Manager at University Leuven) on [https://www.owasp.org/index.php/BeNeLux_OWASP_Day_2011#HTML5_security_.28by_Lieven_Desmet.2C_Research_Manager_at_Katholieke_Universiteit_Leuven.29 HTML5 security]<br />
* Andrey Belenko (Chief Security Researcher at ElcomSoft Co. Ltd) on [https://www.owasp.org/index.php/BeNeLux_OWASP_Day_2011#Overcoming_iOS_Data_Protection_to_Re-Enable_iPhone_Forensics_.28by_Andrey_Belenko.2C_Chief_Security_Researcher_at_ElcomSoft.29 iOS data protection internals]<br />
* Sascha Rommelfangen (Incident Management - Security Research at CIRCL) on dynamic malware analysis<br />
* Ludovic Petit (Group Fraud & Information Security Adviser at SFR, Vodafone Group) on [https://www.owasp.org/index.php/BeNeLux_OWASP_Day_2011#Do_you..._Legal.3F_.28by_Ludovic_Petit.2C_Group_Fraud_.26_Information_Security_Adviser_at_SFR.2C_Vodafone_Group.29 WebApp Security and legal and regulatory aspects]<br />
*Jean-Marc Bost and Sébastien Bischof (ELCA) on The limits of e-banking<br />
* Yves Le Traon on security testing for web apps (talk will be held on the Training Day)<br />
* Seba Deleersnyder & Eoin Keary (OWASP Board) on OWASP Update<br />
<br />
Stay tuned for the final agenda!<br />
<br />
'''''Agenda''''' <br />
''(program has slightly changed !)''<br />
<br />
{| class="wikitable"<br />
! Time !! Speaker !! Topic<br />
|-<br />
| 08h30 - 9h30 || ''Registration'' || <br />
|-<br />
| 09h30 - 9h45 || OWASP Benelux Organization & Thomas Engel|| Welcome ([https://www.owasp.org/images/a/ad/OWASP_BeNeLux_Day_2011_-_Organization_welcome.ppt PPT], [https://www.owasp.org/images/8/8a/2011-11-15_SnT_General.pdf PDF])<br />
|-<br />
| 09h45 - 10h00 || Sebastien Deleersnyder & Eion Keary || OWASP update ([https://www.owasp.org/images/d/d7/OWASP-Update-BeNeLux-Day-2011_v1.pptx PPT])<br />
|-<br />
| 10h00 - 10h40 || Brenno De Winter || From DigiNotar to Leaktober <br />
|-<br />
| 10h40 - 11h00 || ''Break'' ||<br />
|-<br />
| 11h00 - 11h40 || [https://www.owasp.org/index.php/BeNeLux_OWASP_Day_2011#Justin_Clarke.2C_Director_and_Co-Founder_of_Gotham_Digital_Science_Ltd Justin Clarke] || [https://www.owasp.org/index.php/BeNeLux_OWASP_Day_2011#Practical_Crypto_Attacks_Against_Web_Applications_.28by_Justin_Clarke.2C_Director_and_Co-Founder_of_Gotham_Digital_Science_Ltd.29 practical crypto attacks against web applications] ([https://www.owasp.org/images/0/09/OWASP_BeNeLux_Day_2011_-_J._Clarke_-_Practical_Crypto_Attacks_Against_Web_Apps.pptx PPT])<br />
|-<br />
| 11h40 - 12h20 || [https://www.owasp.org/index.php/BeNeLux_OWASP_Day_2011#Andrey_Belenko.2C_Chief_Security_Researcher_at_ElcomSoft Andrey Belenko] || [https://www.owasp.org/index.php/BeNeLux_OWASP_Day_2011#Overcoming_iOS_Data_Protection_to_Re-Enable_iPhone_Forensics_.28by_Andrey_Belenko.2C_Chief_Security_Researcher_at_ElcomSoft.29 Overcoming iOS Data Protection to Re-Enable iPhone Forensics] ([https://www.owasp.org/images/7/76/OWASP_BeNeLux_Day_2011_-_A._Belenko_-_Overcoming_iOS_Data_Protection.pdf PDF])<br />
|-<br />
| 12h20 - 13h00 || [https://www.owasp.org/index.php/BeNeLux_OWASP_Day_2011#Koen_Vanderloock.2C_Leader_Security_Competence_Group_at_Cegeka Koen Vanderloock] || [https://www.owasp.org/index.php/BeNeLux_OWASP_Day_2011#OWASP_SIMBA_-_guarding_your_applications_.28by_Koen_Vanderloock.2C_Leader_Security_Competence_Group_at_Cegeka.29 OWASP SIMBA - guarding your applications] ([https://www.owasp.org/images/5/59/OWASP_BeNeLux_Day_2011_-_K._Vanderloock_-_Simba.pptx PPTX])<br />
|-<br />
| 13h00 - 14h00 || ''Lunch'' || <br />
|-<br />
| 14h00 - 14h40 || [https://www.owasp.org/index.php/BeNeLux_OWASP_Day_2011#Ludovic_Petit.2C_Group_Fraud_.26_Information_Security_Adviser_at_SFR.2C_Vodafone_Group Ludovic Petit] || [https://www.owasp.org/index.php/BeNeLux_OWASP_Day_2011#Do_you..._Legal.3F_.28by_Ludovic_Petit.2C_Group_Fraud_.26_Information_Security_Adviser_at_SFR.2C_Vodafone_Group.29 Do you... Legal?] ([https://www.owasp.org/images/c/ca/OWASP_BeNeLux_Day_2011_-_L._Petit_-_Do_you..._Legal.pptx PPTX])<br />
|-<br />
| 14h40 - 15h20 || Thierry Zoller || The rise of the Vulnerability Market ([https://www.owasp.org/images/b/b7/OWASP_BeNeLux_Day_2011_-_T._Zoller_-_Rise_of_the_Vulnerability_Market.pdf PDF])<br />
|-<br />
| 15h20 - 16h00 || Jean-Marc Bost & Sébastien Bischof || The limits of e-banking ([https://www.owasp.org/images/8/87/OWASP_BeNeLux_Day_2011_-_BischofBost_-_The_limits_of_ebanking.pptx PPTX])<br />
|-<br />
| 16h00 - 16h20 || ''Break'' || <br />
|-<br />
| 16h20 - 17h00 || Sascha Rommelfangen || Dynamic malware analysis - or: The ~five deadly (anti-)venoms ([https://www.owasp.org/images/7/77/OWASP_BeNeLux_Day_2011_-_A._Delauney_-_Dynamic_malware_analysis.pdf PDF])<br />
|-<br />
| 17h00 - 17h40 || [https://www.owasp.org/index.php/BeNeLux_OWASP_Day_2011#Lieven_Desmet.2C_Research_Manager_at_Katholieke_Universiteit_Leuven Lieven Desmet] || [https://www.owasp.org/index.php/BeNeLux_OWASP_Day_2011#HTML5_security_.28by_Lieven_Desmet.2C_Research_Manager_at_Katholieke_Universiteit_Leuven.29 HTML5 security] ([https://www.owasp.org/images/e/e6/OWASP_BeNeLux_Day_2011_-_L._Desmet_-_HTML5_security.pptx PPTX])<br />
|-<br />
| 17h40 - 18h00 || OWASP Benelux 2011 organization || Closing notes<br />
<br />
|}<br />
<br />
<!-- deze laten staan. is handig om anchors te vinden tijdens edi (seba) __TOC__ --><br />
<br />
===== From DigiNotar to Leaktober=====<br />
Web application security is hard. With Lektober, Brenno shows that to the general public. Privacy is at stake, not only in the Netherlands. Brenno will reveal some of the more "interesting" leaks.<br />
<br />
=====Brenno J.S.A.A.F. de Winter=====<br />
Brenno De Winter started experimenting with security at the age of 9. He has a background in open source that dates back to 1993 and he contributed to several projects like MySQL, GnuPG, Gnucomo (Gnu Computer Monitoring) and recently started the Small Sister-project for privacy-friendly internet usage. In his daily job he practices security,teaches it and works as an IT-journalist. His writings have triggered several debates in parliament and often raises questions. <br />
<br />
=====OWASP SIMBA - guarding your applications (by [https://www.owasp.org/index.php/BeNeLux_OWASP_Day_2011#Koen_Vanderloock.2C_Leader_Security_Competence_Group_at_Cegeka Koen Vanderloock], Leader Security Competence Group at Cegeka)=====<br />
[[OWASP SIMBA Project|SIMBA (Security Integration Module for Business Applications)]] is a OWASP project that provides you with a User Access Management system that can be integrated with any business application. The purpose of SIMBA is to secure an application fast and easy. Because SIMBA itself is generic it can be customized for every project. Many features are customizable e.g. designing your own authentication chain is easy and fast by using existing or newly created building blocks. SIMBA contains authentication, authorization, session management and a GUI to manage your security information.<br />
<br />
======Koen Vanderloock, Leader Security Competence Group at Cegeka======<br />
Koen Vanderloock is the leader of the security competence group at Cegeka. About 2 years ago Cegeka decided to create a sandbox for investigating security issues and solutions so they could be included in the current projects. <br />
Koen Vanderloock is a Java developer with 8 years of experience and started exploring the world of security 3 years ago when UAM problems started to occur.<br />
<br />
=====Practical Crypto Attacks Against Web Applications (by [https://www.owasp.org/index.php/BeNeLux_OWASP_Day_2011#Justin_Clarke.2C_Director_and_Co-Founder_of_Gotham_Digital_Science_Ltd Justin Clarke], Director and Co-Founder of Gotham Digital Science Ltd)=====<br />
The science of cryptography underpins many of the information security technologies we use on a daily basis, such as the ability to keep information confidential and to ensure we can identify who we are communicating with. However, it is a very complex subject area with many types of mistakes that can reduce the overall security of a solution. A number of these types of mistakes can be identified by a tester, if they know what they're looking for, but in general it isn't a well tested area.<br />
<br />
This talk is intended to provide a high level overview of some of the areas where cryptographic operations such as encryption and hashing can provide far less security than was planned, and concrete examples of how these were found and exploited. Examples will include discussion and demonstration of the recently patched cryptographic padding attack against the Microsoft .NET framework (affecting ASP.NET applications) caused by a design error in how ASP.NET handles some types of encrypted data, but we will also be looking at some other fun areas including bit flipping attacks, ECB mode attacks, and some miscellaneous hashing algorithm attacks against common web application implementations.<br />
<br />
======Justin Clarke, Director and Co-Founder of Gotham Digital Science Ltd======<br />
Justin is a Director and Co-Founder of Gotham Digital Science and an experienced software security consultant with extensive international Big 4 risk management, security consulting and testing experience. He is the lead author/technical editor of "SQL Injection Attacks and Defenses" (Syngress 2009), co-author of "Network Security Tools" (O'Reilly 2005), contributor to "Network Security Assessment, 2nd Edition" (O'Reilly 2007), as well as a speaker at various security conferences and events such as Black Hat, EuSecWest, ISACA, BruCON, OWASP, OSCON, RSA and SANS. He is currently the OWASP London chapter president, and a member of the OWASP Global Connections Committee.<br />
On 10 Oct 2011, at 09:33, Seba wrote:<br />
<br />
=====HTML5 security (by [https://www.owasp.org/index.php/BeNeLux_OWASP_Day_2011#Lieven_Desmet.2C_Research_Manager_at_Katholieke_Universiteit_Leuven Lieven Desmet], Research Manager at Katholieke Universiteit Leuven)=====<br />
In this talk, Lieven will highlight the results of the HTML5 security analysis, conducted by the DistriNet Research Group (K.U.Leuven). The security analysis of next generation web standards, commissioned by ENISA, looked into 13 emerging W3C web standards (i.e. the specification of HTML 5 and some of the associated APIs), and assessed the security of each of them as well as the overall security and consistency across specifications.<br />
<br />
In total 51 security threats and issues have been identified, and detailed in the ENISA report (http://www.enisa.europa.eu/html5). During the talk, Lieven will discuss the methodology developed to assess the huge amount of specifications, and zoom into a representative set of identified threats and their remediation.<br />
<br />
======Lieven Desmet, Research Manager at Katholieke Universiteit Leuven======<br />
Lieven Desmet is the Research Manager on Secure Software at the Katholieke Universiteit Leuven (Belgium), where he coaches junior researchers in web application security and participates in dissemination and valorization activities. His interests are in software verification and security of middleware and web-enabled technologies. Lieven is actively engaged in OWASP and is board member of the OWASP Chapter Belgium.<br />
<br />
=====Overcoming iOS Data Protection to Re-Enable iPhone Forensics (by [https://www.owasp.org/index.php/BeNeLux_OWASP_Day_2011#Andrey_Belenko.2C_Chief_Security_Researcher_at_ElcomSoft Andrey Belenko], Chief Security Researcher at ElcomSoft)=====<br />
Data protection is a feature available for iOS devices (iOS 4 and up) with hardware encryption: iPhone 4S, iPhone 4, iPhone 3GS, iPod touch (3rd generation or later), and all iPad models. Introduction of this feature had complicated iPhone forensics process because now (almost) all files on user partition are encrypted and physical dumps are of much less value to examiners: while the filesystem seems to be intact, actual file contents are encrypted and are not suitable for analysis.<br />
<br />
This talk will provide in-depth information about iOS Data protection internals and on the implication it had on iOS forensics. More specifically, it will cover the following:<br />
*System keys and their hierarchy<br />
*Device passcode and its recovery<br />
*Escrow keys<br />
*Filesystem encryption<br />
*Keychain encryption<br />
<br />
Presentation will start by providing attendees with required background on iOS encryption keys architecture: system keys, passcode key, escrow key. After attendees are familiar with those concepts, presentation will continue to filesystem and keychain encryption details and to the techniques that can be used to overcome the hurdles imposed by iOS Data Protection.<br />
<br />
======Andrey Belenko, Chief Security Researcher at ElcomSoft======<br />
Chief security researcher and software developer at Elcomsoft. Co-invented ThunderTables (which are improved RainbowTables) and was first to bring GPU acceleration to password recovery. M. Sc. IT and CISSP.<br />
<br />
LinkedIn: http://ru.linkedin.com/in/belenko<br />
<br />
Twitter: @andreybelenko<br />
<br />
=====Do you... Legal? (by [https://www.owasp.org/index.php/BeNeLux_OWASP_Day_2011#Ludovic_Petit.2C_Group_Fraud_.26_Information_Security_Adviser_at_SFR.2C_Vodafone_Group Ludovic Petit], Group Fraud & Information Security Adviser at SFR, Vodafone Group) =====<br />
<br />
The OWASP core mission is to make application security visible, so that people and organizations can make informed decisions about true application security risks. However, if you do not pay enough attention to many aspects of Legal compliance, you'll see why Web Application Security is somehow linked to Legal and Regulatory aspects as well as... Corporate Responsability, so yours. Who is accountable for what, what about each other's responsibility? Nowadays, the legal constraints oblige us to comply via technical means, whatever the local framework, and this is specially true for Web Application Security, many sensitive informations having to be handled through these web interfaces. A such, what do you think about your Security Policy compliance with your local Legal framework? Compliant? Sure? Really? Interesting isn't it? Let's have a talk about this.<br />
<br />
======Ludovic Petit, Group Fraud & Information Security Adviser at SFR, Vodafone Group======<br />
Ludovic is an internationally recognised information security expert with over 25 years experience. Last 15 years spent in various Corporate Management positions covering both Technical and Law Enforcement expertise dedicated to Mobile Telecommunications Fraud and Security in multi-national corporations.<br />
<br />
Ludovic is Chapter Leader & Founding Member OWASP France and an active contributor to OWASP in several roles and projects.<br />
<br />
LinkedIn Profile: http://www.linkedin.com/in/lpetit<br />
<br />
=====Dynamic malware analysis - or: The ~five deadly (anti-)venoms (by Sascha Rommelfangen, Incident Management - Security Research at CIRCL) =====<br />
Malware reversing is a time consuming task. Many approaches are available to dissect and analyse suspicious binaries. Dynamic malware analysis is one of the option to better understand them and also a nifty companion to static analysis. The current dynamic malware analysis techniques will be presented especially the ones relying on instrumented operating system systems (from the filesystem to the network stack). You'll see a wandering through common and less common malware partially analysed using dynamic analysis and how dynamic malware analysis can help you.<br />
<br />
===== The limits of e-banking (by Jean-Marc Bost and Sébastien Bischof, ECLA) =====<br />
The swiss german TV channel SF1 showed a footage on swiss e-banking security. The TV show follows a team of the ETH who earned a special authorization to test several e-anking platforms. After admitting that a personal computer can be infected by different means (actually 5% of the tested PCs are infected according to Microsoft), The team from Zürich showed the limits of the different platforms. Only the bank who signs each transaction is labelled as safe. We will come back during the presentation on the nature of the threat.<br>First of all, we will explain how famous malwares such as Zeus and SpyEye manage to steal from their victims without them being able to notice anything. Then we will see that e-banking is not the only target, as a matter of fact, the reality is far from this.<br>And then we will comment the most recent techniques that allow malwares to escape Antivirus and Antimalware programs even if they are up to date. We will vulgarize several concepts such as DKOM and bootkits in order to let everybody have a glimpse on the danger they represent.<br>Finally, we will think about if signing each transaction can efficiently fight off these threats. In fact, when attacks are coupled with Social Engineering, they have potentially no limit. Zeus is a living proof of this fact, because it even managed to attack the transaction validation system by SMS. As a conclusion, we will see that the e-banking platform that managed to resist the tests of the ETH team is vulnerable to such kind of attacks. <br />
<br />
====== Jean-Marc Bost, ELCA ======<br />
Jean-Marc Bost leads the security division at ELCA. <br>He is in charge of the various security solutions proposed by ELCA, some being released by ELCA, others being provided by partner vendors. <br>With a significant experience in the development of internet applications, he focused 10 years ago on their need for security. <br>Since then, he has been very active in&nbsp;:<br>- demonstrating the threats, in particular for ebanking<br>- conceiving practical and patented solutions for strong authentication, online transactions, electronic signature and secured documents<br>- presenting the findings of the security division in security events and through expert talks<br> <br />
<br />
====== Sébastien Bischof, ELCA ======<br />
Sébastien Bischof works in the security division at ELCA Where he is specialized in OS-level and communication security.<br>As a major result, he developped a fully-working proof-of-concept of an attack against a sophisticated USB token for safe-browsing.<br>He obtained his Master of Science in Engineering at HEIG-VD/HES-SO with a strong emphasis on IT Security.<br>During his education, he focused on obfuscation and rootkit techniques.<br>Computer security enthusiast, he is very interested in hackings events such as Insomni'hack and keeps himself informed on the latest threats throuhg active participation in security forums.<br />
<br />
=====The Rise of the Vulnerability Markets - History, Impacts, Mitigations (by Thierry Zoller, Verizon) =====<br />
A decade has gone by and the security area is no longer the same, amongst other factors sophistication and motivation changed tremendously. This talk will give you a crash course on the history of vulnerability discovery and market value, a brief excurse into the world of Vulnerability Markets, how they emerged, how they vary and what this implies for those that are defending. The presentation will conclude with an Attacker Classification System (Attacker Triad) and an associated assurance model around OWASP OSVS. Some parts of this presentation will only be done in live and will not be published after this conference.<br />
<br />
====== Thierry Zoller, Verizon ======<br />
Born and living in Luxembourg, Thierry has been active in the Information Security space since over 14 years, he works as an EMEA wide Practise Lead and Professional Service Manager for Verizon Business Luxembourg. His past experience includes, maintaining a well known malware research site, leading a security software company, shifting over into the realms of Information Security Consulting focusing on Luxembourg (PSF), creating a national penetration test center, being Director of Security Services and Products for n.runs and doing information security consulting for "too big to fail" type of enterprises (formally known as "Fortune 100"). Thierry was endorsed as a TOP 10 Security Researcher by IBM Xforce in 2009.<br />
<br />
Thierry is leading the Verizon Business SDLC efforts and is managing the Microsoft SDL PRO partnership EMEA wide, he maintains a blog at http://blog.zoller.lu<br />
<br />
==== CTF ====<br />
<br />
Do you like puzzles? Do you like challenges? Are you a hacker?<br />
<br />
Whether you are an old hacker or new enthusiast you should come to OWASP BeNeLux days 2011 and participate in the Capture the Flag event December 2nd 2011 at the University of Luxemburg. <br />
<br />
The OWASP CTF is especially designed to support challengers of all skill levels. The CTF contains multiple challenges in various fields related to application security. As every challenge gains you one point, you can pick and choose which challenge you want to play.<br />
<br />
All you need is a laptop with a wifi card and your favorite (preferably) non-commercial tools. <br />
<br />
So come to Luxemburg, show off your skills, learn new tricks and above all have a good time at the CTF event. <br />
<br />
==== Registration ====<br />
<center><br />
'''The training day and the conference are free!'''&nbsp;<br />
<br />
<br> <br />
<br />
[http://owaspbenelux2011.eventbrite.com/ http://www.owasp.org/images/7/77/Buttoncreate.png] <br />
<br />
<br> To support the OWASP organisation, consider to become a member, it's only US$50!<br> Check out the [[Membership]] page to find out more.<br> <br />
<br />
<br> <br />
</center> <br />
==== Venue ====<br />
<center><br />
University of Luxembourg<br>Campus Kirchberg<br>6, rue Richard Coudenhove-Kalergi<br>L-1359 Luxembourg<br>[http://wwwen.uni.lu/contact/campus_kirchberg http://wwwen.uni.lu/contact/campus_kirchberg] <br>Room: Paul Feidert<br />
</center><br />
<br />
<br>'''Parking''':<br />
<br />
There is a public parking close to the conference venue.<br />
[http://maps.google.de/maps?q=49.63038,6.157061&num=1&t=h&vpsrc=0&z=16 Click here to find the parking on Google Maps]<br />
<br />
<br>'''Hotels nearby''': <br />
<br />
The first hotel is at 5 minutes on walk distance from the campus Kirchberg: '''[http://www.coque.lu/article/259 Hotel d’Coque]'''<br />
* single room with breakfast 77.50 €<br />
* double room with breakfast 93.00 €. <br />
* Booking email address with Ref. OWASP_SNT 2011 to : [mailto:reception@coque.lu reception@coque.lu]<br />
* Reservation deadline: 20 October 2011<br />
Second hotel (direct center of Luxembourg) 5/10 minutes with taxi or bus: '''[http://www.parcbellevue.lu/fr/index.php Hotel Parc Bellevue]'''<br />
* single room with breakfast 95.00 € (normal price 160 €)<br />
* double room with breakfast 115.00 € (normal price 180€)<br />
* wifi and parking included<br />
* Booking email address: [mailto:reservation@goeres-group.com reservation@goeres-group.com]<br />
* Reservation deadline&nbsp;: 30 November <br />
* Reservation form: [https://www.owasp.org/images/4/44/Uni_Luxembourg_OWASP_2011.doc download form] <br />
Third hotel (near the Parc Bellevue): '''[http://www.parcplaza.lu/fr/index.php Hotel Plaza]'''<br />
* single room with breakfast 130.00 € (normal price 225 €)<br />
* double room with breakfast 150.00 € (normal price 245€)<br />
* wifi and parking included<br />
* Booking email address: [mailto:reservation@goeres-group.com reservation@goeres-group.com]. <br />
* Reservation deadline: 30 November<br />
* Reservation form: [https://www.owasp.org/images/4/44/Uni_Luxembourg_OWASP_2011.doc download form] <br />
Fourth hotel: '''[http://www.melia-luxembourg.com/fr/melia-luxembourg.html Hotel Mélia]'''<br />
* single room with breakfast 140.00 €<br />
* Booking email address: [mailto:reservations.melia.luxembourg@solmelia.com reservations.melia.luxembourg@solmelia.com]<br />
* Reservation deadline: 28 October 2011<br />
* Reservation form: [https://www.owasp.org/images/f/f8/Uni_OWASP_2011_Melia.pdf download form] <br />
<br />
<br><br />
<br />
==== Organisation ====<br />
<br />
The BeNeLux Day 2011 Program Committee: <br />
<br />
*Martin Knobloch / Ferdinand Vroom ([[Netherlands|OWASP Netherlands]]) <br />
*Bart De Win / Sebastien Deleersnyder ([[Belgium|OWASP Belgium]]) <br />
*Jocelyn Aubert / Andre Adelsbach ([[Luxembourg|OWASP Luxembourg]]) <br />
*Steven van der Baan ([[:Category:OWASP CTF Project|Capture The Flag]])<br />
<br />
Local organization:<br />
<br />
*Thomas Engel <br />
*Radu State <br />
*Magali Martin <br />
*Aurel Machalek<br />
<br />
==== Sponsorship ====<br />
<br />
Contact seba &lt;at&gt; owasp.org for sponsorship <br />
<br />
<paypal>BeNeLux OWASP Day 2011</paypal> <br />
<br />
==== Social Event ====<br />
<br />
The social event is scheduled for Thursday, 1st of December, 19:00 at <br />
<br><br />
<br><br />
<center><br />
[http://www.aguadecoco.lu/ Agua De C&ocirc;co]<br><br />
2, rue Emile Mousel<br><br />
L-2165 Luxembourg<br><br />
<br><br />
([http://maps.google.com/maps?q=Rue+Emile+Mousel,+Luxembourg,+Luxemburg&hl=de&ll=49.612031,6.14125&spn=0.003379,0.009677&sll=49.709163,6.115265&sspn=0.003372,0.009677&vpsrc=6&geocode=FQIF9QIdPrVdAA&hnear=Rue+Emile+Mousel,+Luxembourg,+Luxemburg&t=h&z=17 find the location on Google Maps])<br />
<br />
Remark: split bill system - everyone has to cover own food & drinks.<br />
<br />
</center><br />
<br />
==== Promotion ====<br />
''Feel free to use the text below to promote our event!''<br />
<br />
We invite you to our next OWASP event: the '''BeNeLux OWASP Days 2011!'''<br />
<br />
Free your agenda on the 1st and 2nd of December, 2011.<br />
<br />
The good news: free! No fee!<br />
<br />
The bad news: there are only 160 seats available (first register, first serve)!<br />
<br />
<br />
'''PROGRAM Day 1'''<br />
* 10:00 AM - 18:00 PM: OWASP Training Day<br />
* 19:00 PM - ?: Social event<br />
<br />
'''OWASP Training: Secure Application Development''', by Eoin Keary<br><br />
This intensive one-day training focuses on the most common web application security problems, including aspects of both the OWASP Top Ten (2010) and the MITRE Top 25. The training will introduce and demonstrate application assessment techniques, illustrating how application vulnerabilities can be exploited so students really understand how to avoid introducing such vulnerabilities in their code.<br />
<br />
'''PROGRAM Day 2'''<br />
* 10:00 AM - 18:00 PM: OWASP Conference<br />
<br />
List of '''confirmed speakers''' (more to be announced soon):<br />
*Brenno De Winter (Journalist) on the Diginotar story<br />
*Koen Vanderloock (Lead Security Competence Group at Cegeka) on the new OWASP Simba project<br />
*Justin Clarke (Director and Co-Founder of Gotham Digital Science Ltd) on practical crypto attacks against web applications<br />
*Lieven Desmet (Research Manager at University Leuven) on HTML5 security<br />
*Andrey Belenko (Chief Security Researcher at ElcomSoft Co. Ltd) on iOS data protection internals<br />
*Sascha Rommelfangen (Incident Management - Security Research at CIRCL) on dynamic malware analysis<br />
*Ludovic Petit (Group Fraud & Information Security Adviser at SFR, Vodafone Group) on WebApp Security and legal and regulatory aspects<br />
*Seba Deleersnyder & Eoin Keary (OWASP Board) on OWASP Update<br />
<br />
'''ORGANIZATION<br>'''<br />
OWASP's all-volunteer participants produce free, professional quality, open-source documentation, tools, and standards on application security. An example of this is the famous OWASP top ten of most critical web application security flaws. The OWASP community facilitates conferences, local chapters, articles, and message forums. Participation in OWASP is free and open to all, as are all the materials we produce.<br />
<br />
'''WHO should attend?<br>'''<br />
Anyone interested in Web Application Security (management, security professionals, developers, students, etc). OWASP Belgium, Netherlands and Luxembourg chapters membership is free. All meetings are free. There are never vendor pitches or sales presentations at OWASP meetings.<br><br />
Check our chapter page http://www.owasp.org/index.php/Belgium on meeting details, sign up to the chapter mailing list and introduce yourself.<br><br />
Check our chapter page http://www.owasp.org/index.php/Netherlands on meeting details, sign up to the chapter mailing list and introduce yourself.<br><br />
Check our chapter page http://www.owasp.org/index.php/Luxembourg on meeting details, sign up to the chapter mailing list and introduce yourself.<br><br />
<br />
'''WHEN<br>'''<br />
Thursday and Friday, 1st and 2nd of December, 2011 (10 AM - 7 PM)<br />
<br />
'''WHERE<br>'''<br />
University of Luxembourg<br><br />
Campus Kirchberg<br><br />
6, rue Richard Coudenhove-Kalergi<br><br />
L-1359 Luxembourg<br><br />
http://wwwen.uni.lu/contact/campus_kirchberg<br><br />
Room: Paul Feidert<br />
<br />
Attention: make sure to '''book your hotel in time''', it will be difficult to find rooms in Luxembourg around Dec 1-2!<br><br />
Hotel details https://www.owasp.org/index.php?title=BeNeLux_OWASP_Day_2011#tab=Venue<br />
<br />
'''REGISTRATION<br>'''<br />
Only 160 places, please '''Register upfront: http://owaspbenelux2011.eventbrite.com''' !<br><br />
All latest details are available on http://www.owaspbenelux.eu<br><br />
Hope to see you all!<br><br />
<br />
The BeNeLux Program Committee,<br />
*Martin Knobloch / Ferdinand Vroom, OWASP Netherlands<br />
*Bart De Win / Sebastien Deleersnyder, OWASP Belgium<br />
*Jocelyn Aubert / Andre Adelsbach, OWASP Luxembourg<br />
*Steven van der Baan, OWASP CTF Project<br />
<br />
Kindly supported by the Interdisciplinary Centre for Security Reliability and Trust<br />
*Thomas Engel <br />
*Radu State <br />
*Magali Martin <br />
*Aurel Machalek<br />
<br />
<headertabs /><br />
<br />
<br />
<center><br />
'''Hosted and co-organized by:'''<br> <br />
[[Image:Bnl11-university-logo.jpg|link=http://wwwen.uni.lu]] <br />
[[Image:Bnl11-SECURITYANDTRUST-LOGO.jpg|link=http://www.securityandtrust.lu]] <br />
<br />
<br><br><br><br />
<br />
Made possible by our [http://www.owasp.org/index.php/BeNeLux_OWASP_Day_2011#tab=Sponsorship sponsors]:<br><br />
{{MemberLinks|link=http://www.ascure.com|logo=Ascure_Logo.jpg}} <br />
[http://www.zionsecurity.com http://www.owasp.org/images/e/e6/Zionsecurity.jpg]<br />
[http://www.zenitelbelgium.com http://www.owasp.org/images/d/df/SAIT_Zenitel.jpg]<br />
[http://www8.hp.com/us/en/solutions/solutions-detail.html?compURI=tcm:245-339290 https://www.owasp.org/images/b/b4/HP_Logo.jpg] <br />
[http://www.barracuda.com https://www.owasp.org/images/f/f6/Bnl11-Barracuda_Logo-4C.png] <br />
[http://circl.lu/ http://circl.lu/pics/logo.png]<br />
[http://www.f5.com https://www.owasp.org/images/f/fd/AppSec_Research_2010_sponsor_F5_logo.jpg]<br />
<br />
<br />
<br />
<br><br />
</center><br />
[[Category:OWASP_AppSec_Conference]] [[Category:OWASP_BeNeLux_Archives]]</div>Bart De Winhttps://wiki.owasp.org/index.php?title=BeNeLux_OWASP_Day_2011&diff=121552BeNeLux OWASP Day 20112011-12-15T22:05:05Z<p>Bart De Win: </p>
<hr />
<div>__NOTOC__ <br />
<center>[[Image:OWASP BeNeLux 2011.jpg]]<br></center><br />
<br><!-- Header --><br />
<br />
==== Welcome ====<br />
<br />
<br><br />
<center><br />
=== Venue is the University of Luxembourg (Grand Duchy of Luxembourg) ===<br />
Training and conference location, together with hotel information, can be found [https://www.owasp.org/index.php/BeNeLux_OWASP_Day_2011#tab=Venue here].<br />
=== Training and first list of conference speakers are announced! ===<br />
See [https://www.owasp.org/index.php/BeNeLux_OWASP_Day_2011#tab=Training.2C_December_1st here] and [https://www.owasp.org/index.php/BeNeLux_OWASP_Day_2011#tab=Conference.2C_December_2nd here]<br />
=== Tweet! ===<br />
<br />
Event tag is [http://twitter.com/#search?q=%23owaspbnl11 #owaspbnl11]<br />
<br />
=== Registrations are open: ===<br />
<br />
[http://owaspbenelux2011.eventbrite.com/ http://www.owasp.org/images/7/77/Buttoncreate.png] <br />
<br />
=== Slides are available online ===<br />
Check out the Conference tab of the website to download the presentations.<br />
<br />
</center><br />
<br><br />
<br />
==== Training, December 1st ====<br />
<br />
Registration '''starts at 9h00'''<br />
<br />
Training will start at '''10h00''' and we plan to stop at '''17h00'''. From '''17h00''' til '''18h00''', there will be an extra session on security testing by Yves Le Traon (see details below).<br />
<br />
The training room is: '''Paul Feidert''' (for details, check the [https://www.owasp.org/index.php/BeNeLux_OWASP_Day_2011#tab=Venue venue] tab)<br />
<br />
'''OWASP Training: Secure Application Development, by Eoin Keary'''<br />
<br />
'''Abstract:''' Writing Secure code is the most effective method to securing your web applications. Writing secure code takes skill and know-how but results in a more stable and robust application and assists in protecting an organisations brand.<br />
Application security is not commonly a part of many computer science curricula today and most organizations have not focused on instituting a culture that includes application security as a core part of their software development training efforts. This intensive one-day course focuses on the most common web application security problems, including aspects of both the OWASP Top Ten (2010) and the MITRE Top 25. The course will introduce and demonstrate application assessment techniques, illustrating how application vulnerabilities can be exploited so students really understand how to avoid introducing such vulnerabilities in their code.<br />
<br />
'''This course includes coverage of the following areas:'''<br />
<br />
* Unvalidated Input<br />
* Injection Flaws, OS commanding, SQL Injection<br />
* Cross-Site Scriping & Client-side security<br />
* CSRF/XSRF<br />
* Authentication & Session Management<br />
* Access control & Authorisation<br />
* Broken Caching<br />
* Error Handling & Resource Management<br />
* The Secure SDLC<br />
* Fuzzing, Proxy use and testing approach<br />
<br />
'''Hands on Exercises'''<br />
<br />
To cement the principles discussed, students can participate in a number of hands-on security testing exercises where they attack a live web application (i.e., OWASP Bank etc) that has been seeded with common web application vulnerabilities.<br />
<br />
The students will use proxy tools commonly used by the hacker community to complete the exercises. Students need to bring their own windows based laptop to participate in the exercises. Wireless capability is recommended. '''Make sure to get a copy of BURP proxy prior to the training: [http://www.portswigger.net/burp/downloadfree.html http://www.portswigger.net/burp/downloadfree.html]'''<br />
<br />
'''Audience'''<br />
<br />
Developers who want to understand the most common web application security flaws, and how to avoid them and code in a secure manner.<br />
<br />
Level: Beginner/Intermediate<br />
<br />
Prerequisite: Basic knowledge of a web programming language like Java or .NET recommended but not required.<br />
<br />
Bringing your own windows based laptop is recommended so you can participate in the hands on exercises<br />
<br />
'''Trainer Bio:''' <br />
<br />
[[Eoin Keary]] is a Global OWASP board member since 2009. He is a long time member of OWASP and have contributed year on year to OWASP projects and the OWASP mission of fighting the causes of software insecurity. He is based in Dublin, Ireland and director of [http://www.bccriskadvisory.com Bccriskadvisory].<br />
<br />
<br />
<br />
===== Extra session on Security testing: a key challenge for software engineering of web apps (17h00 - 18h00)===== <br />
While important efforts are dedicated to system functional testing, very few works study how to specifically and systematically test security mechanisms. In this talk, we will present two categories of approaches. <br />
The first ones aim at assessing security mechanisms compliance with declared policies. Any security policy is strongly connected to system functionality: testing function includes exercising many security mechanisms. However, testing functionality does not intend at exercizing all security mechanisms. We thus propose test selection criteria to produce tests from a security policy. Empirical results will be presented about access control policies and about Android apps permission checks. <br />
<br />
The second ones concern the attack surface of web apps, with a particular focus on web browser sensitivity to XSS attacks. Indeed, one of the major threats against web applications is Cross-Site Scripting (XSS) that crosses several web components: web server, security components and finally the client’s web browser. The final target is thus the client running a particular web browser. During this last decade, several competing web browsers (IE, Netscape, Chrome, Firefox) have been upgraded to add new features for the final users benefit. However, the improvement of web browsers is not related with systematic security regression testing. Beginning with an analysis of their current exposure degree to XSS, we extend the empirical study to a decade of most popular web browser versions.The results reveal a chaotic behavior in the evolution of most web browsers attack surface over time. This particularly shows an urgent need for regression testing strategies to ensure that security is not sacrificed when a new version is delivered. <br />
<br />
In both cases, security must become a specific target for testing in order to get a satisfying level of confidence in security mechanisms<br />
<br />
'''Trainer bio:'''<br />
<br />
Yves Le Traon is professor at University of Luxembourg in the domain of software engineering, reliability, validation and security. He is also a member of the Interdisciplinary Centre for Security, Reliability and Trust (SnT), where he leads the research group SERVAL (SEcuRity and VALidation of services and networks). His research interests include software testing, design for security, security testing, model-driven validation, model based testing, web application, mobile computing. <br />
<br />
Professor Le Traon received his engineering degree and his PhD in Computer Science at the “Institut National Polytechnique” in Grenoble, France, in 1997. From 1998 to 2004, he was an associate professor at the University of Rennes, in Brittany, France. He is the co-founder of the Triskell INRIA team, which focuses on innovating design, modeling and testing techniques, such as Model-driven Engineering. During this period, Professor Le Traon studied design for testability techniques, validation and diagnosis of object-oriented programs and component-based systems. From 2004 to 2006, he was an expert in Model-Driven Architecture and Validation in the EXA team (Requirements Engineering and Applications) at “France Télécom R&D”. In 2006, he became professor at Telecom Bretagne (Ecole Nationale des Télécommunications de Bretagne), where he pioneered the application of testing for security assessment of web-applications, P2P systems and the promotion of intrusion detection systems using contract-based techniques.<br />
<br />
<br />
<br />
==== Conference, December 2nd ====<br />
<br />
We are pleased to announce the list of confirmed speakers:<br />
<br />
* Brenno De Winter (Journalist) From DigiNotar to Leaktober<br />
* Koen Vanderloock (Lead Security Competence Group at Cegeka) on [https://www.owasp.org/index.php/BeNeLux_OWASP_Day_2011#OWASP_SIMBA_-_guarding_your_applications_.28by_Koen_Vanderloock.2C_Leader_Security_Competence_Group_at_Cegeka.29 the new OWASP Simba project]<br />
* Justin Clarke (Director and Co-Founder of Gotham Digital Science Ltd) on [https://www.owasp.org/index.php/BeNeLux_OWASP_Day_2011#Practical_Crypto_Attacks_Against_Web_Applications_.28by_Justin_Clarke.2C_Director_and_Co-Founder_of_Gotham_Digital_Science_Ltd.29 practical crypto attacks against web applications]<br />
* Lieven Desmet (Research Manager at University Leuven) on [https://www.owasp.org/index.php/BeNeLux_OWASP_Day_2011#HTML5_security_.28by_Lieven_Desmet.2C_Research_Manager_at_Katholieke_Universiteit_Leuven.29 HTML5 security]<br />
* Andrey Belenko (Chief Security Researcher at ElcomSoft Co. Ltd) on [https://www.owasp.org/index.php/BeNeLux_OWASP_Day_2011#Overcoming_iOS_Data_Protection_to_Re-Enable_iPhone_Forensics_.28by_Andrey_Belenko.2C_Chief_Security_Researcher_at_ElcomSoft.29 iOS data protection internals]<br />
* Sascha Rommelfangen (Incident Management - Security Research at CIRCL) on dynamic malware analysis<br />
* Ludovic Petit (Group Fraud & Information Security Adviser at SFR, Vodafone Group) on [https://www.owasp.org/index.php/BeNeLux_OWASP_Day_2011#Do_you..._Legal.3F_.28by_Ludovic_Petit.2C_Group_Fraud_.26_Information_Security_Adviser_at_SFR.2C_Vodafone_Group.29 WebApp Security and legal and regulatory aspects]<br />
*Jean-Marc Bost and Sébastien Bischof (ELCA) on The limits of e-banking<br />
* Yves Le Traon on security testing for web apps (talk will be held on the Training Day)<br />
* Seba Deleersnyder & Eoin Keary (OWASP Board) on OWASP Update<br />
<br />
Stay tuned for the final agenda!<br />
<br />
'''''Agenda''''' <br />
''(program has slightly changed !)''<br />
<br />
{| class="wikitable"<br />
! Time !! Speaker !! Topic<br />
|-<br />
| 08h30 - 9h30 || ''Registration'' || <br />
|-<br />
| 09h30 - 9h45 || OWASP Benelux Organization & Thomas Engel|| Welcome ([https://www.owasp.org/images/a/ad/OWASP_BeNeLux_Day_2011_-_Organization_welcome.ppt PPT], [https://www.owasp.org/images/8/8a/2011-11-15_SnT_General.pdf PDF])<br />
|-<br />
| 09h45 - 10h00 || Sebastien Deleersnyder & Eion Keary || OWASP update ([https://www.owasp.org/images/d/d7/OWASP-Update-BeNeLux-Day-2011_v1.pptx PPT])<br />
|-<br />
| 10h00 - 10h40 || Brenno De Winter || From DigiNotar to Leaktober <br />
|-<br />
| 10h40 - 11h00 || ''Break'' ||<br />
|-<br />
| 11h00 - 11h40 || [https://www.owasp.org/index.php/BeNeLux_OWASP_Day_2011#Justin_Clarke.2C_Director_and_Co-Founder_of_Gotham_Digital_Science_Ltd Justin Clarke] || [https://www.owasp.org/index.php/BeNeLux_OWASP_Day_2011#Practical_Crypto_Attacks_Against_Web_Applications_.28by_Justin_Clarke.2C_Director_and_Co-Founder_of_Gotham_Digital_Science_Ltd.29 practical crypto attacks against web applications] ([https://www.owasp.org/images/0/09/OWASP_BeNeLux_Day_2011_-_J._Clarke_-_Practical_Crypto_Attacks_Against_Web_Apps.pptx PPT])<br />
|-<br />
| 11h40 - 12h20 || [https://www.owasp.org/index.php/BeNeLux_OWASP_Day_2011#Andrey_Belenko.2C_Chief_Security_Researcher_at_ElcomSoft Andrey Belenko] || [https://www.owasp.org/index.php/BeNeLux_OWASP_Day_2011#Overcoming_iOS_Data_Protection_to_Re-Enable_iPhone_Forensics_.28by_Andrey_Belenko.2C_Chief_Security_Researcher_at_ElcomSoft.29 Overcoming iOS Data Protection to Re-Enable iPhone Forensics] ([https://www.owasp.org/images/7/76/OWASP_BeNeLux_Day_2011_-_A._Belenko_-_Overcoming_iOS_Data_Protection.pdf PDF])<br />
|-<br />
| 12h20 - 13h00 || [https://www.owasp.org/index.php/BeNeLux_OWASP_Day_2011#Koen_Vanderloock.2C_Leader_Security_Competence_Group_at_Cegeka Koen Vanderloock] || [https://www.owasp.org/index.php/BeNeLux_OWASP_Day_2011#OWASP_SIMBA_-_guarding_your_applications_.28by_Koen_Vanderloock.2C_Leader_Security_Competence_Group_at_Cegeka.29 OWASP SIMBA - guarding your applications] ([https://www.owasp.org/images/5/59/OWASP_BeNeLux_Day_2011_-_K._Vanderloock_-_Simba.pptx PPTX])<br />
|-<br />
| 13h00 - 14h00 || ''Lunch'' || <br />
|-<br />
| 14h00 - 14h40 || [https://www.owasp.org/index.php/BeNeLux_OWASP_Day_2011#Ludovic_Petit.2C_Group_Fraud_.26_Information_Security_Adviser_at_SFR.2C_Vodafone_Group Ludovic Petit] || [https://www.owasp.org/index.php/BeNeLux_OWASP_Day_2011#Do_you..._Legal.3F_.28by_Ludovic_Petit.2C_Group_Fraud_.26_Information_Security_Adviser_at_SFR.2C_Vodafone_Group.29 Do you... Legal?] ([https://www.owasp.org/images/c/ca/OWASP_BeNeLux_Day_2011_-_L._Petit_-_Do_you..._Legal.pptx PPTX])<br />
|-<br />
| 14h40 - 15h20 || Thierry Zoller || The rise of the Vulnerability Market ([https://www.owasp.org/images/b/b7/OWASP_BeNeLux_Day_2011_-_T._Zoller_-_Rise_of_the_Vulnerability_Market.pdf PDF])<br />
|-<br />
| 15h20 - 16h00 || Jean-Marc Bost & Sébastien Bischof || The limits of e-banking ([https://www.owasp.org/images/8/87/OWASP_BeNeLux_Day_2011_-_BischofBost_-_The_limits_of_ebanking.pptx PPTX])<br />
|-<br />
| 16h00 - 16h20 || ''Break'' || <br />
|-<br />
| 16h20 - 17h00 || Sascha Rommelfangen || Dynamic malware analysis - or: The ~five deadly (anti-)venoms ([https://www.owasp.org/images/7/77/OWASP_BeNeLux_Day_2011_-_A._Delauney_-_Dynamic_malware_analysis.pdf PDF])<br />
|-<br />
| 17h00 - 17h40 || [https://www.owasp.org/index.php/BeNeLux_OWASP_Day_2011#Lieven_Desmet.2C_Research_Manager_at_Katholieke_Universiteit_Leuven Lieven Desmet] || [https://www.owasp.org/index.php/BeNeLux_OWASP_Day_2011#HTML5_security_.28by_Lieven_Desmet.2C_Research_Manager_at_Katholieke_Universiteit_Leuven.29 HTML5 security] ([https://www.owasp.org/images/e/e6/OWASP_BeNeLux_Day_2011_-_L._Desmet_-_HTML5_security.pptx PPTX])<br />
|-<br />
| 17h40 - 18h00 || OWASP Benelux 2011 organization || Closing notes<br />
<br />
|}<br />
<br />
<!-- deze laten staan. is handig om anchors te vinden tijdens edi (seba) __TOC__ --><br />
<br />
===== From DigiNotar to Leaktober=====<br />
Web application security is hard. With Lektober, Brenno shows that to the general public. Privacy is at stake, not only in the Netherlands. Brenno will reveal some of the more "interesting" leaks.<br />
<br />
=====Brenno J.S.A.A.F. de Winter=====<br />
Brenno De Winter started experimenting with security at the age of 9. He has a background in open source that dates back to 1993 and he contributed to several projects like MySQL, GnuPG, Gnucomo (Gnu Computer Monitoring) and recently started the Small Sister-project for privacy-friendly internet usage. In his daily job he practices security,teaches it and works as an IT-journalist. His writings have triggered several debates in parliament and often raises questions. <br />
<br />
=====OWASP SIMBA - guarding your applications (by [https://www.owasp.org/index.php/BeNeLux_OWASP_Day_2011#Koen_Vanderloock.2C_Leader_Security_Competence_Group_at_Cegeka Koen Vanderloock], Leader Security Competence Group at Cegeka)=====<br />
[[OWASP SIMBA Project|SIMBA (Security Integration Module for Business Applications)]] is a OWASP project that provides you with a User Access Management system that can be integrated with any business application. The purpose of SIMBA is to secure an application fast and easy. Because SIMBA itself is generic it can be customized for every project. Many features are customizable e.g. designing your own authentication chain is easy and fast by using existing or newly created building blocks. SIMBA contains authentication, authorization, session management and a GUI to manage your security information.<br />
<br />
======Koen Vanderloock, Leader Security Competence Group at Cegeka======<br />
Koen Vanderloock is the leader of the security competence group at Cegeka. About 2 years ago Cegeka decided to create a sandbox for investigating security issues and solutions so they could be included in the current projects. <br />
Koen Vanderloock is a Java developer with 8 years of experience and started exploring the world of security 3 years ago when UAM problems started to occur.<br />
<br />
=====Practical Crypto Attacks Against Web Applications (by [https://www.owasp.org/index.php/BeNeLux_OWASP_Day_2011#Justin_Clarke.2C_Director_and_Co-Founder_of_Gotham_Digital_Science_Ltd Justin Clarke], Director and Co-Founder of Gotham Digital Science Ltd)=====<br />
The science of cryptography underpins many of the information security technologies we use on a daily basis, such as the ability to keep information confidential and to ensure we can identify who we are communicating with. However, it is a very complex subject area with many types of mistakes that can reduce the overall security of a solution. A number of these types of mistakes can be identified by a tester, if they know what they're looking for, but in general it isn't a well tested area.<br />
<br />
This talk is intended to provide a high level overview of some of the areas where cryptographic operations such as encryption and hashing can provide far less security than was planned, and concrete examples of how these were found and exploited. Examples will include discussion and demonstration of the recently patched cryptographic padding attack against the Microsoft .NET framework (affecting ASP.NET applications) caused by a design error in how ASP.NET handles some types of encrypted data, but we will also be looking at some other fun areas including bit flipping attacks, ECB mode attacks, and some miscellaneous hashing algorithm attacks against common web application implementations.<br />
<br />
======Justin Clarke, Director and Co-Founder of Gotham Digital Science Ltd======<br />
Justin is a Director and Co-Founder of Gotham Digital Science and an experienced software security consultant with extensive international Big 4 risk management, security consulting and testing experience. He is the lead author/technical editor of "SQL Injection Attacks and Defenses" (Syngress 2009), co-author of "Network Security Tools" (O'Reilly 2005), contributor to "Network Security Assessment, 2nd Edition" (O'Reilly 2007), as well as a speaker at various security conferences and events such as Black Hat, EuSecWest, ISACA, BruCON, OWASP, OSCON, RSA and SANS. He is currently the OWASP London chapter president, and a member of the OWASP Global Connections Committee.<br />
On 10 Oct 2011, at 09:33, Seba wrote:<br />
<br />
=====HTML5 security (by [https://www.owasp.org/index.php/BeNeLux_OWASP_Day_2011#Lieven_Desmet.2C_Research_Manager_at_Katholieke_Universiteit_Leuven Lieven Desmet], Research Manager at Katholieke Universiteit Leuven)=====<br />
In this talk, Lieven will highlight the results of the HTML5 security analysis, conducted by the DistriNet Research Group (K.U.Leuven). The security analysis of next generation web standards, commissioned by ENISA, looked into 13 emerging W3C web standards (i.e. the specification of HTML 5 and some of the associated APIs), and assessed the security of each of them as well as the overall security and consistency across specifications.<br />
<br />
In total 51 security threats and issues have been identified, and detailed in the ENISA report (http://www.enisa.europa.eu/html5). During the talk, Lieven will discuss the methodology developed to assess the huge amount of specifications, and zoom into a representative set of identified threats and their remediation.<br />
<br />
======Lieven Desmet, Research Manager at Katholieke Universiteit Leuven======<br />
Lieven Desmet is the Research Manager on Secure Software at the Katholieke Universiteit Leuven (Belgium), where he coaches junior researchers in web application security and participates in dissemination and valorization activities. His interests are in software verification and security of middleware and web-enabled technologies. Lieven is actively engaged in OWASP and is board member of the OWASP Chapter Belgium.<br />
<br />
=====Overcoming iOS Data Protection to Re-Enable iPhone Forensics (by [https://www.owasp.org/index.php/BeNeLux_OWASP_Day_2011#Andrey_Belenko.2C_Chief_Security_Researcher_at_ElcomSoft Andrey Belenko], Chief Security Researcher at ElcomSoft)=====<br />
Data protection is a feature available for iOS devices (iOS 4 and up) with hardware encryption: iPhone 4S, iPhone 4, iPhone 3GS, iPod touch (3rd generation or later), and all iPad models. Introduction of this feature had complicated iPhone forensics process because now (almost) all files on user partition are encrypted and physical dumps are of much less value to examiners: while the filesystem seems to be intact, actual file contents are encrypted and are not suitable for analysis.<br />
<br />
This talk will provide in-depth information about iOS Data protection internals and on the implication it had on iOS forensics. More specifically, it will cover the following:<br />
*System keys and their hierarchy<br />
*Device passcode and its recovery<br />
*Escrow keys<br />
*Filesystem encryption<br />
*Keychain encryption<br />
<br />
Presentation will start by providing attendees with required background on iOS encryption keys architecture: system keys, passcode key, escrow key. After attendees are familiar with those concepts, presentation will continue to filesystem and keychain encryption details and to the techniques that can be used to overcome the hurdles imposed by iOS Data Protection.<br />
<br />
======Andrey Belenko, Chief Security Researcher at ElcomSoft======<br />
Chief security researcher and software developer at Elcomsoft. Co-invented ThunderTables (which are improved RainbowTables) and was first to bring GPU acceleration to password recovery. M. Sc. IT and CISSP.<br />
<br />
LinkedIn: http://ru.linkedin.com/in/belenko<br />
<br />
Twitter: @andreybelenko<br />
<br />
=====Do you... Legal? (by [https://www.owasp.org/index.php/BeNeLux_OWASP_Day_2011#Ludovic_Petit.2C_Group_Fraud_.26_Information_Security_Adviser_at_SFR.2C_Vodafone_Group Ludovic Petit], Group Fraud & Information Security Adviser at SFR, Vodafone Group) =====<br />
<br />
The OWASP core mission is to make application security visible, so that people and organizations can make informed decisions about true application security risks. However, if you do not pay enough attention to many aspects of Legal compliance, you'll see why Web Application Security is somehow linked to Legal and Regulatory aspects as well as... Corporate Responsability, so yours. Who is accountable for what, what about each other's responsibility? Nowadays, the legal constraints oblige us to comply via technical means, whatever the local framework, and this is specially true for Web Application Security, many sensitive informations having to be handled through these web interfaces. A such, what do you think about your Security Policy compliance with your local Legal framework? Compliant? Sure? Really? Interesting isn't it? Let's have a talk about this.<br />
<br />
======Ludovic Petit, Group Fraud & Information Security Adviser at SFR, Vodafone Group======<br />
Ludovic is an internationally recognised information security expert with over 25 years experience. Last 15 years spent in various Corporate Management positions covering both Technical and Law Enforcement expertise dedicated to Mobile Telecommunications Fraud and Security in multi-national corporations.<br />
<br />
Ludovic is Chapter Leader & Founding Member OWASP France and an active contributor to OWASP in several roles and projects.<br />
<br />
LinkedIn Profile: http://www.linkedin.com/in/lpetit<br />
<br />
=====Dynamic malware analysis - or: The ~five deadly (anti-)venoms (by Sascha Rommelfangen, Incident Management - Security Research at CIRCL) =====<br />
Malware reversing is a time consuming task. Many approaches are available to dissect and analyse suspicious binaries. Dynamic malware analysis is one of the option to better understand them and also a nifty companion to static analysis. The current dynamic malware analysis techniques will be presented especially the ones relying on instrumented operating system systems (from the filesystem to the network stack). You'll see a wandering through common and less common malware partially analysed using dynamic analysis and how dynamic malware analysis can help you.<br />
<br />
===== The limits of e-banking (by Jean-Marc Bost and Sébastien Bischof, ECLA) =====<br />
The swiss german TV channel SF1 showed a footage on swiss e-banking security. The TV show follows a team of the ETH who earned a special authorization to test several e-anking platforms. After admitting that a personal computer can be infected by different means (actually 5% of the tested PCs are infected according to Microsoft), The team from Zürich showed the limits of the different platforms. Only the bank who signs each transaction is labelled as safe. We will come back during the presentation on the nature of the threat.<br>First of all, we will explain how famous malwares such as Zeus and SpyEye manage to steal from their victims without them being able to notice anything. Then we will see that e-banking is not the only target, as a matter of fact, the reality is far from this.<br>And then we will comment the most recent techniques that allow malwares to escape Antivirus and Antimalware programs even if they are up to date. We will vulgarize several concepts such as DKOM and bootkits in order to let everybody have a glimpse on the danger they represent.<br>Finally, we will think about if signing each transaction can efficiently fight off these threats. In fact, when attacks are coupled with Social Engineering, they have potentially no limit. Zeus is a living proof of this fact, because it even managed to attack the transaction validation system by SMS. As a conclusion, we will see that the e-banking platform that managed to resist the tests of the ETH team is vulnerable to such kind of attacks. <br />
<br />
====== Jean-Marc Bost, ELCA ======<br />
Jean-Marc Bost leads the security division at ELCA. <br>He is in charge of the various security solutions proposed by ELCA, some being released by ELCA, others being provided by partner vendors. <br>With a significant experience in the development of internet applications, he focused 10 years ago on their need for security. <br>Since then, he has been very active in&nbsp;:<br>- demonstrating the threats, in particular for ebanking<br>- conceiving practical and patented solutions for strong authentication, online transactions, electronic signature and secured documents<br>- presenting the findings of the security division in security events and through expert talks<br> <br />
<br />
====== Sébastien Bischof, ELCA ======<br />
Sébastien Bischof works in the security division at ELCA Where he is specialized in OS-level and communication security.<br>As a major result, he developped a fully-working proof-of-concept of an attack against a sophisticated USB token for safe-browsing.<br>He obtained his Master of Science in Engineering at HEIG-VD/HES-SO with a strong emphasis on IT Security.<br>During his education, he focused on obfuscation and rootkit techniques.<br>Computer security enthusiast, he is very interested in hackings events such as Insomni'hack and keeps himself informed on the latest threats throuhg active participation in security forums.<br />
<br />
======The Rise of the Vulnerability Markets - History, Impacts, Mitigations (by Thierry Zoller, Verizon) ======<br />
A decade has gone by and the security area is no longer the same, amongst other factors sophistication and motivation changed tremendously. This talk will give you a crash course on the history of vulnerability discovery and market value, a brief excurse into the world of Vulnerability Markets, how they emerged, how they vary and what this implies for those that are defending. The presentation will conclude with an Attacker Classification System (Attacker Triad) and an associated assurance model around OWASP OSVS. Some parts of this presentation will only be done in live and will not be published after this conference.<br />
<br />
====== Thierry Zoller, Verizon ======<br />
Born and living in Luxembourg, Thierry has been active in the Information Security space since over 14 years, he works as an EMEA wide Practise Lead and Professional Service Manager for Verizon Business Luxembourg. His past experience includes, maintaining a well known malware research site, leading a security software company, shifting over into the realms of Information Security Consulting focusing on Luxembourg (PSF), creating a national penetration test center, being Director of Security Services and Products for n.runs and doing information security consulting for "too big to fail" type of enterprises (formally known as "Fortune 100"). Thierry was endorsed as a TOP 10 Security Researcher by IBM Xforce in 2009.<br />
<br />
Thierry is leading the Verizon Business SDLC efforts and is managing the Microsoft SDL PRO partnership EMEA wide, he maintains a blog at http://blog.zoller.lu<br />
<br />
==== CTF ====<br />
<br />
Do you like puzzles? Do you like challenges? Are you a hacker?<br />
<br />
Whether you are an old hacker or new enthusiast you should come to OWASP BeNeLux days 2011 and participate in the Capture the Flag event December 2nd 2011 at the University of Luxemburg. <br />
<br />
The OWASP CTF is especially designed to support challengers of all skill levels. The CTF contains multiple challenges in various fields related to application security. As every challenge gains you one point, you can pick and choose which challenge you want to play.<br />
<br />
All you need is a laptop with a wifi card and your favorite (preferably) non-commercial tools. <br />
<br />
So come to Luxemburg, show off your skills, learn new tricks and above all have a good time at the CTF event. <br />
<br />
==== Registration ====<br />
<center><br />
'''The training day and the conference are free!'''&nbsp;<br />
<br />
<br> <br />
<br />
[http://owaspbenelux2011.eventbrite.com/ http://www.owasp.org/images/7/77/Buttoncreate.png] <br />
<br />
<br> To support the OWASP organisation, consider to become a member, it's only US$50!<br> Check out the [[Membership]] page to find out more.<br> <br />
<br />
<br> <br />
</center> <br />
==== Venue ====<br />
<center><br />
University of Luxembourg<br>Campus Kirchberg<br>6, rue Richard Coudenhove-Kalergi<br>L-1359 Luxembourg<br>[http://wwwen.uni.lu/contact/campus_kirchberg http://wwwen.uni.lu/contact/campus_kirchberg] <br>Room: Paul Feidert<br />
</center><br />
<br />
<br>'''Parking''':<br />
<br />
There is a public parking close to the conference venue.<br />
[http://maps.google.de/maps?q=49.63038,6.157061&num=1&t=h&vpsrc=0&z=16 Click here to find the parking on Google Maps]<br />
<br />
<br>'''Hotels nearby''': <br />
<br />
The first hotel is at 5 minutes on walk distance from the campus Kirchberg: '''[http://www.coque.lu/article/259 Hotel d’Coque]'''<br />
* single room with breakfast 77.50 €<br />
* double room with breakfast 93.00 €. <br />
* Booking email address with Ref. OWASP_SNT 2011 to : [mailto:reception@coque.lu reception@coque.lu]<br />
* Reservation deadline: 20 October 2011<br />
Second hotel (direct center of Luxembourg) 5/10 minutes with taxi or bus: '''[http://www.parcbellevue.lu/fr/index.php Hotel Parc Bellevue]'''<br />
* single room with breakfast 95.00 € (normal price 160 €)<br />
* double room with breakfast 115.00 € (normal price 180€)<br />
* wifi and parking included<br />
* Booking email address: [mailto:reservation@goeres-group.com reservation@goeres-group.com]<br />
* Reservation deadline&nbsp;: 30 November <br />
* Reservation form: [https://www.owasp.org/images/4/44/Uni_Luxembourg_OWASP_2011.doc download form] <br />
Third hotel (near the Parc Bellevue): '''[http://www.parcplaza.lu/fr/index.php Hotel Plaza]'''<br />
* single room with breakfast 130.00 € (normal price 225 €)<br />
* double room with breakfast 150.00 € (normal price 245€)<br />
* wifi and parking included<br />
* Booking email address: [mailto:reservation@goeres-group.com reservation@goeres-group.com]. <br />
* Reservation deadline: 30 November<br />
* Reservation form: [https://www.owasp.org/images/4/44/Uni_Luxembourg_OWASP_2011.doc download form] <br />
Fourth hotel: '''[http://www.melia-luxembourg.com/fr/melia-luxembourg.html Hotel Mélia]'''<br />
* single room with breakfast 140.00 €<br />
* Booking email address: [mailto:reservations.melia.luxembourg@solmelia.com reservations.melia.luxembourg@solmelia.com]<br />
* Reservation deadline: 28 October 2011<br />
* Reservation form: [https://www.owasp.org/images/f/f8/Uni_OWASP_2011_Melia.pdf download form] <br />
<br />
<br><br />
<br />
==== Organisation ====<br />
<br />
The BeNeLux Day 2011 Program Committee: <br />
<br />
*Martin Knobloch / Ferdinand Vroom ([[Netherlands|OWASP Netherlands]]) <br />
*Bart De Win / Sebastien Deleersnyder ([[Belgium|OWASP Belgium]]) <br />
*Jocelyn Aubert / Andre Adelsbach ([[Luxembourg|OWASP Luxembourg]]) <br />
*Steven van der Baan ([[:Category:OWASP CTF Project|Capture The Flag]])<br />
<br />
Local organization:<br />
<br />
*Thomas Engel <br />
*Radu State <br />
*Magali Martin <br />
*Aurel Machalek<br />
<br />
==== Sponsorship ====<br />
<br />
Contact seba &lt;at&gt; owasp.org for sponsorship <br />
<br />
<paypal>BeNeLux OWASP Day 2011</paypal> <br />
<br />
==== Social Event ====<br />
<br />
The social event is scheduled for Thursday, 1st of December, 19:00 at <br />
<br><br />
<br><br />
<center><br />
[http://www.aguadecoco.lu/ Agua De C&ocirc;co]<br><br />
2, rue Emile Mousel<br><br />
L-2165 Luxembourg<br><br />
<br><br />
([http://maps.google.com/maps?q=Rue+Emile+Mousel,+Luxembourg,+Luxemburg&hl=de&ll=49.612031,6.14125&spn=0.003379,0.009677&sll=49.709163,6.115265&sspn=0.003372,0.009677&vpsrc=6&geocode=FQIF9QIdPrVdAA&hnear=Rue+Emile+Mousel,+Luxembourg,+Luxemburg&t=h&z=17 find the location on Google Maps])<br />
<br />
Remark: split bill system - everyone has to cover own food & drinks.<br />
<br />
</center><br />
<br />
==== Promotion ====<br />
''Feel free to use the text below to promote our event!''<br />
<br />
We invite you to our next OWASP event: the '''BeNeLux OWASP Days 2011!'''<br />
<br />
Free your agenda on the 1st and 2nd of December, 2011.<br />
<br />
The good news: free! No fee!<br />
<br />
The bad news: there are only 160 seats available (first register, first serve)!<br />
<br />
<br />
'''PROGRAM Day 1'''<br />
* 10:00 AM - 18:00 PM: OWASP Training Day<br />
* 19:00 PM - ?: Social event<br />
<br />
'''OWASP Training: Secure Application Development''', by Eoin Keary<br><br />
This intensive one-day training focuses on the most common web application security problems, including aspects of both the OWASP Top Ten (2010) and the MITRE Top 25. The training will introduce and demonstrate application assessment techniques, illustrating how application vulnerabilities can be exploited so students really understand how to avoid introducing such vulnerabilities in their code.<br />
<br />
'''PROGRAM Day 2'''<br />
* 10:00 AM - 18:00 PM: OWASP Conference<br />
<br />
List of '''confirmed speakers''' (more to be announced soon):<br />
*Brenno De Winter (Journalist) on the Diginotar story<br />
*Koen Vanderloock (Lead Security Competence Group at Cegeka) on the new OWASP Simba project<br />
*Justin Clarke (Director and Co-Founder of Gotham Digital Science Ltd) on practical crypto attacks against web applications<br />
*Lieven Desmet (Research Manager at University Leuven) on HTML5 security<br />
*Andrey Belenko (Chief Security Researcher at ElcomSoft Co. Ltd) on iOS data protection internals<br />
*Sascha Rommelfangen (Incident Management - Security Research at CIRCL) on dynamic malware analysis<br />
*Ludovic Petit (Group Fraud & Information Security Adviser at SFR, Vodafone Group) on WebApp Security and legal and regulatory aspects<br />
*Seba Deleersnyder & Eoin Keary (OWASP Board) on OWASP Update<br />
<br />
'''ORGANIZATION<br>'''<br />
OWASP's all-volunteer participants produce free, professional quality, open-source documentation, tools, and standards on application security. An example of this is the famous OWASP top ten of most critical web application security flaws. The OWASP community facilitates conferences, local chapters, articles, and message forums. Participation in OWASP is free and open to all, as are all the materials we produce.<br />
<br />
'''WHO should attend?<br>'''<br />
Anyone interested in Web Application Security (management, security professionals, developers, students, etc). OWASP Belgium, Netherlands and Luxembourg chapters membership is free. All meetings are free. There are never vendor pitches or sales presentations at OWASP meetings.<br><br />
Check our chapter page http://www.owasp.org/index.php/Belgium on meeting details, sign up to the chapter mailing list and introduce yourself.<br><br />
Check our chapter page http://www.owasp.org/index.php/Netherlands on meeting details, sign up to the chapter mailing list and introduce yourself.<br><br />
Check our chapter page http://www.owasp.org/index.php/Luxembourg on meeting details, sign up to the chapter mailing list and introduce yourself.<br><br />
<br />
'''WHEN<br>'''<br />
Thursday and Friday, 1st and 2nd of December, 2011 (10 AM - 7 PM)<br />
<br />
'''WHERE<br>'''<br />
University of Luxembourg<br><br />
Campus Kirchberg<br><br />
6, rue Richard Coudenhove-Kalergi<br><br />
L-1359 Luxembourg<br><br />
http://wwwen.uni.lu/contact/campus_kirchberg<br><br />
Room: Paul Feidert<br />
<br />
Attention: make sure to '''book your hotel in time''', it will be difficult to find rooms in Luxembourg around Dec 1-2!<br><br />
Hotel details https://www.owasp.org/index.php?title=BeNeLux_OWASP_Day_2011#tab=Venue<br />
<br />
'''REGISTRATION<br>'''<br />
Only 160 places, please '''Register upfront: http://owaspbenelux2011.eventbrite.com''' !<br><br />
All latest details are available on http://www.owaspbenelux.eu<br><br />
Hope to see you all!<br><br />
<br />
The BeNeLux Program Committee,<br />
*Martin Knobloch / Ferdinand Vroom, OWASP Netherlands<br />
*Bart De Win / Sebastien Deleersnyder, OWASP Belgium<br />
*Jocelyn Aubert / Andre Adelsbach, OWASP Luxembourg<br />
*Steven van der Baan, OWASP CTF Project<br />
<br />
Kindly supported by the Interdisciplinary Centre for Security Reliability and Trust<br />
*Thomas Engel <br />
*Radu State <br />
*Magali Martin <br />
*Aurel Machalek<br />
<br />
<headertabs /><br />
<br />
<br />
<center><br />
'''Hosted and co-organized by:'''<br> <br />
[[Image:Bnl11-university-logo.jpg|link=http://wwwen.uni.lu]] <br />
[[Image:Bnl11-SECURITYANDTRUST-LOGO.jpg|link=http://www.securityandtrust.lu]] <br />
<br />
<br><br><br><br />
<br />
Made possible by our [http://www.owasp.org/index.php/BeNeLux_OWASP_Day_2011#tab=Sponsorship sponsors]:<br><br />
{{MemberLinks|link=http://www.ascure.com|logo=Ascure_Logo.jpg}} <br />
[http://www.zionsecurity.com http://www.owasp.org/images/e/e6/Zionsecurity.jpg]<br />
[http://www.zenitelbelgium.com http://www.owasp.org/images/d/df/SAIT_Zenitel.jpg]<br />
[http://www8.hp.com/us/en/solutions/solutions-detail.html?compURI=tcm:245-339290 https://www.owasp.org/images/b/b4/HP_Logo.jpg] <br />
[http://www.barracuda.com https://www.owasp.org/images/f/f6/Bnl11-Barracuda_Logo-4C.png] <br />
[http://circl.lu/ http://circl.lu/pics/logo.png]<br />
[http://www.f5.com https://www.owasp.org/images/f/fd/AppSec_Research_2010_sponsor_F5_logo.jpg]<br />
<br />
<br />
<br />
<br><br />
</center><br />
[[Category:OWASP_AppSec_Conference]] [[Category:OWASP_BeNeLux_Archives]]</div>Bart De Winhttps://wiki.owasp.org/index.php?title=BeNeLux_OWASP_Day_2011&diff=121179BeNeLux OWASP Day 20112011-12-07T10:39:16Z<p>Bart De Win: </p>
<hr />
<div>__NOTOC__ <br />
<center>[[Image:OWASP BeNeLux 2011.jpg]]<br></center><br />
<br><!-- Header --><br />
<br />
==== Welcome ====<br />
<br />
<br><br />
<center><br />
=== Venue is the University of Luxembourg (Grand Duchy of Luxembourg) ===<br />
Training and conference location, together with hotel information, can be found [https://www.owasp.org/index.php/BeNeLux_OWASP_Day_2011#tab=Venue here].<br />
=== Training and first list of conference speakers are announced! ===<br />
See [https://www.owasp.org/index.php/BeNeLux_OWASP_Day_2011#tab=Training.2C_December_1st here] and [https://www.owasp.org/index.php/BeNeLux_OWASP_Day_2011#tab=Conference.2C_December_2nd here]<br />
=== Tweet! ===<br />
<br />
Event tag is [http://twitter.com/#search?q=%23owaspbnl11 #owaspbnl11]<br />
<br />
=== Registrations are open: ===<br />
<br />
[http://owaspbenelux2011.eventbrite.com/ http://www.owasp.org/images/7/77/Buttoncreate.png] <br />
<br />
=== Slides are available online ===<br />
Check out the Conference tab of the website to download the presentations.<br />
<br />
</center><br />
<br><br />
<br />
==== Training, December 1st ====<br />
<br />
Registration '''starts at 9h00'''<br />
<br />
Training will start at '''10h00''' and we plan to stop at '''17h00'''. From '''17h00''' til '''18h00''', there will be an extra session on security testing by Yves Le Traon (see details below).<br />
<br />
The training room is: '''Paul Feidert''' (for details, check the [https://www.owasp.org/index.php/BeNeLux_OWASP_Day_2011#tab=Venue venue] tab)<br />
<br />
'''OWASP Training: Secure Application Development, by Eoin Keary'''<br />
<br />
'''Abstract:''' Writing Secure code is the most effective method to securing your web applications. Writing secure code takes skill and know-how but results in a more stable and robust application and assists in protecting an organisations brand.<br />
Application security is not commonly a part of many computer science curricula today and most organizations have not focused on instituting a culture that includes application security as a core part of their software development training efforts. This intensive one-day course focuses on the most common web application security problems, including aspects of both the OWASP Top Ten (2010) and the MITRE Top 25. The course will introduce and demonstrate application assessment techniques, illustrating how application vulnerabilities can be exploited so students really understand how to avoid introducing such vulnerabilities in their code.<br />
<br />
'''This course includes coverage of the following areas:'''<br />
<br />
* Unvalidated Input<br />
* Injection Flaws, OS commanding, SQL Injection<br />
* Cross-Site Scriping & Client-side security<br />
* CSRF/XSRF<br />
* Authentication & Session Management<br />
* Access control & Authorisation<br />
* Broken Caching<br />
* Error Handling & Resource Management<br />
* The Secure SDLC<br />
* Fuzzing, Proxy use and testing approach<br />
<br />
'''Hands on Exercises'''<br />
<br />
To cement the principles discussed, students can participate in a number of hands-on security testing exercises where they attack a live web application (i.e., OWASP Bank etc) that has been seeded with common web application vulnerabilities.<br />
<br />
The students will use proxy tools commonly used by the hacker community to complete the exercises. Students need to bring their own windows based laptop to participate in the exercises. Wireless capability is recommended. '''Make sure to get a copy of BURP proxy prior to the training: [http://www.portswigger.net/burp/downloadfree.html http://www.portswigger.net/burp/downloadfree.html]'''<br />
<br />
'''Audience'''<br />
<br />
Developers who want to understand the most common web application security flaws, and how to avoid them and code in a secure manner.<br />
<br />
Level: Beginner/Intermediate<br />
<br />
Prerequisite: Basic knowledge of a web programming language like Java or .NET recommended but not required.<br />
<br />
Bringing your own windows based laptop is recommended so you can participate in the hands on exercises<br />
<br />
'''Trainer Bio:''' <br />
<br />
[[Eoin Keary]] is a Global OWASP board member since 2009. He is a long time member of OWASP and have contributed year on year to OWASP projects and the OWASP mission of fighting the causes of software insecurity. He is based in Dublin, Ireland and director of [http://www.bccriskadvisory.com Bccriskadvisory].<br />
<br />
<br />
<br />
===== Extra session on Security testing: a key challenge for software engineering of web apps (17h00 - 18h00)===== <br />
While important efforts are dedicated to system functional testing, very few works study how to specifically and systematically test security mechanisms. In this talk, we will present two categories of approaches. <br />
The first ones aim at assessing security mechanisms compliance with declared policies. Any security policy is strongly connected to system functionality: testing function includes exercising many security mechanisms. However, testing functionality does not intend at exercizing all security mechanisms. We thus propose test selection criteria to produce tests from a security policy. Empirical results will be presented about access control policies and about Android apps permission checks. <br />
<br />
The second ones concern the attack surface of web apps, with a particular focus on web browser sensitivity to XSS attacks. Indeed, one of the major threats against web applications is Cross-Site Scripting (XSS) that crosses several web components: web server, security components and finally the client’s web browser. The final target is thus the client running a particular web browser. During this last decade, several competing web browsers (IE, Netscape, Chrome, Firefox) have been upgraded to add new features for the final users benefit. However, the improvement of web browsers is not related with systematic security regression testing. Beginning with an analysis of their current exposure degree to XSS, we extend the empirical study to a decade of most popular web browser versions.The results reveal a chaotic behavior in the evolution of most web browsers attack surface over time. This particularly shows an urgent need for regression testing strategies to ensure that security is not sacrificed when a new version is delivered. <br />
<br />
In both cases, security must become a specific target for testing in order to get a satisfying level of confidence in security mechanisms<br />
<br />
'''Trainer bio:'''<br />
<br />
Yves Le Traon is professor at University of Luxembourg in the domain of software engineering, reliability, validation and security. He is also a member of the Interdisciplinary Centre for Security, Reliability and Trust (SnT), where he leads the research group SERVAL (SEcuRity and VALidation of services and networks). His research interests include software testing, design for security, security testing, model-driven validation, model based testing, web application, mobile computing. <br />
<br />
Professor Le Traon received his engineering degree and his PhD in Computer Science at the “Institut National Polytechnique” in Grenoble, France, in 1997. From 1998 to 2004, he was an associate professor at the University of Rennes, in Brittany, France. He is the co-founder of the Triskell INRIA team, which focuses on innovating design, modeling and testing techniques, such as Model-driven Engineering. During this period, Professor Le Traon studied design for testability techniques, validation and diagnosis of object-oriented programs and component-based systems. From 2004 to 2006, he was an expert in Model-Driven Architecture and Validation in the EXA team (Requirements Engineering and Applications) at “France Télécom R&D”. In 2006, he became professor at Telecom Bretagne (Ecole Nationale des Télécommunications de Bretagne), where he pioneered the application of testing for security assessment of web-applications, P2P systems and the promotion of intrusion detection systems using contract-based techniques.<br />
<br />
<br />
<br />
==== Conference, December 2nd ====<br />
<br />
We are pleased to announce the list of confirmed speakers:<br />
<br />
* Brenno De Winter (Journalist) From DigiNotar to Leaktober<br />
* Koen Vanderloock (Lead Security Competence Group at Cegeka) on [https://www.owasp.org/index.php/BeNeLux_OWASP_Day_2011#OWASP_SIMBA_-_guarding_your_applications_.28by_Koen_Vanderloock.2C_Leader_Security_Competence_Group_at_Cegeka.29 the new OWASP Simba project]<br />
* Justin Clarke (Director and Co-Founder of Gotham Digital Science Ltd) on [https://www.owasp.org/index.php/BeNeLux_OWASP_Day_2011#Practical_Crypto_Attacks_Against_Web_Applications_.28by_Justin_Clarke.2C_Director_and_Co-Founder_of_Gotham_Digital_Science_Ltd.29 practical crypto attacks against web applications]<br />
* Lieven Desmet (Research Manager at University Leuven) on [https://www.owasp.org/index.php/BeNeLux_OWASP_Day_2011#HTML5_security_.28by_Lieven_Desmet.2C_Research_Manager_at_Katholieke_Universiteit_Leuven.29 HTML5 security]<br />
* Andrey Belenko (Chief Security Researcher at ElcomSoft Co. Ltd) on [https://www.owasp.org/index.php/BeNeLux_OWASP_Day_2011#Overcoming_iOS_Data_Protection_to_Re-Enable_iPhone_Forensics_.28by_Andrey_Belenko.2C_Chief_Security_Researcher_at_ElcomSoft.29 iOS data protection internals]<br />
* Sascha Rommelfangen (Incident Management - Security Research at CIRCL) on dynamic malware analysis<br />
* Ludovic Petit (Group Fraud & Information Security Adviser at SFR, Vodafone Group) on [https://www.owasp.org/index.php/BeNeLux_OWASP_Day_2011#Do_you..._Legal.3F_.28by_Ludovic_Petit.2C_Group_Fraud_.26_Information_Security_Adviser_at_SFR.2C_Vodafone_Group.29 WebApp Security and legal and regulatory aspects]<br />
*Jean-Marc Bost and Sébastien Bischof (ELCA) on The limits of e-banking<br />
* Yves Le Traon on security testing for web apps (talk will be held on the Training Day)<br />
* Seba Deleersnyder & Eoin Keary (OWASP Board) on OWASP Update<br />
<br />
Stay tuned for the final agenda!<br />
<br />
'''''Agenda''''' <br />
''(program has slightly changed !)''<br />
<br />
{| class="wikitable"<br />
! Time !! Speaker !! Topic<br />
|-<br />
| 08h30 - 9h30 || ''Registration'' || <br />
|-<br />
| 09h30 - 9h45 || OWASP Benelux Organization & Thomas Engel|| Welcome ([https://www.owasp.org/images/a/ad/OWASP_BeNeLux_Day_2011_-_Organization_welcome.ppt PPT], [https://www.owasp.org/images/8/8a/2011-11-15_SnT_General.pdf PDF])<br />
|-<br />
| 09h45 - 10h00 || Sebastien Deleersnyder & Eion Keary || OWASP update ([https://www.owasp.org/images/d/d7/OWASP-Update-BeNeLux-Day-2011_v1.pptx PPT])<br />
|-<br />
| 10h00 - 10h40 || Brenno De Winter || From DigiNotar to Leaktober <br />
|-<br />
| 10h40 - 11h00 || ''Break'' ||<br />
|-<br />
| 11h00 - 11h40 || [https://www.owasp.org/index.php/BeNeLux_OWASP_Day_2011#Justin_Clarke.2C_Director_and_Co-Founder_of_Gotham_Digital_Science_Ltd Justin Clarke] || [https://www.owasp.org/index.php/BeNeLux_OWASP_Day_2011#Practical_Crypto_Attacks_Against_Web_Applications_.28by_Justin_Clarke.2C_Director_and_Co-Founder_of_Gotham_Digital_Science_Ltd.29 practical crypto attacks against web applications] ([https://www.owasp.org/images/0/09/OWASP_BeNeLux_Day_2011_-_J._Clarke_-_Practical_Crypto_Attacks_Against_Web_Apps.pptx PPT])<br />
|-<br />
| 11h40 - 12h20 || [https://www.owasp.org/index.php/BeNeLux_OWASP_Day_2011#Andrey_Belenko.2C_Chief_Security_Researcher_at_ElcomSoft Andrey Belenko] || [https://www.owasp.org/index.php/BeNeLux_OWASP_Day_2011#Overcoming_iOS_Data_Protection_to_Re-Enable_iPhone_Forensics_.28by_Andrey_Belenko.2C_Chief_Security_Researcher_at_ElcomSoft.29 Overcoming iOS Data Protection to Re-Enable iPhone Forensics] ([https://www.owasp.org/images/7/76/OWASP_BeNeLux_Day_2011_-_A._Belenko_-_Overcoming_iOS_Data_Protection.pdf PDF])<br />
|-<br />
| 12h20 - 13h00 || [https://www.owasp.org/index.php/BeNeLux_OWASP_Day_2011#Koen_Vanderloock.2C_Leader_Security_Competence_Group_at_Cegeka Koen Vanderloock] || [https://www.owasp.org/index.php/BeNeLux_OWASP_Day_2011#OWASP_SIMBA_-_guarding_your_applications_.28by_Koen_Vanderloock.2C_Leader_Security_Competence_Group_at_Cegeka.29 OWASP SIMBA - guarding your applications] ([https://www.owasp.org/images/5/59/OWASP_BeNeLux_Day_2011_-_K._Vanderloock_-_Simba.pptx PPTX])<br />
|-<br />
| 13h00 - 14h00 || ''Lunch'' || <br />
|-<br />
| 14h00 - 14h40 || [https://www.owasp.org/index.php/BeNeLux_OWASP_Day_2011#Ludovic_Petit.2C_Group_Fraud_.26_Information_Security_Adviser_at_SFR.2C_Vodafone_Group Ludovic Petit] || [https://www.owasp.org/index.php/BeNeLux_OWASP_Day_2011#Do_you..._Legal.3F_.28by_Ludovic_Petit.2C_Group_Fraud_.26_Information_Security_Adviser_at_SFR.2C_Vodafone_Group.29 Do you... Legal?] ([https://www.owasp.org/images/c/ca/OWASP_BeNeLux_Day_2011_-_L._Petit_-_Do_you..._Legal.pptx PPTX])<br />
|-<br />
| 14h40 - 15h20 || Thierry Zoller || The rise of the Vulnerability Market ([https://www.owasp.org/images/b/b7/OWASP_BeNeLux_Day_2011_-_T._Zoller_-_Rise_of_the_Vulnerability_Market.pdf PDF])<br />
|-<br />
| 15h20 - 16h00 || Jean-Marc Bost & Sébastien Bischof || The limits of e-banking ([https://www.owasp.org/images/8/87/OWASP_BeNeLux_Day_2011_-_BischofBost_-_The_limits_of_ebanking.pptx PPTX])<br />
|-<br />
| 16h00 - 16h20 || ''Break'' || <br />
|-<br />
| 16h20 - 17h00 || Sascha Rommelfangen || Dynamic malware analysis - or: The ~five deadly (anti-)venoms ([https://www.owasp.org/images/7/77/OWASP_BeNeLux_Day_2011_-_A._Delauney_-_Dynamic_malware_analysis.pdf PDF])<br />
|-<br />
| 17h00 - 17h40 || [https://www.owasp.org/index.php/BeNeLux_OWASP_Day_2011#Lieven_Desmet.2C_Research_Manager_at_Katholieke_Universiteit_Leuven Lieven Desmet] || [https://www.owasp.org/index.php/BeNeLux_OWASP_Day_2011#HTML5_security_.28by_Lieven_Desmet.2C_Research_Manager_at_Katholieke_Universiteit_Leuven.29 HTML5 security] ([https://www.owasp.org/images/e/e6/OWASP_BeNeLux_Day_2011_-_L._Desmet_-_HTML5_security.pptx PPTX])<br />
|-<br />
| 17h40 - 18h00 || OWASP Benelux 2011 organization || Closing notes<br />
<br />
|}<br />
<br />
<!-- deze laten staan. is handig om anchors te vinden tijdens edi (seba) __TOC__ --><br />
<br />
===== From DigiNotar to Leaktober=====<br />
Web application security is hard. With Lektober, Brenno shows that to the general public. Privacy is at stake, not only in the Netherlands. Brenno will reveal some of the more "interesting" leaks.<br />
<br />
=====Brenno J.S.A.A.F. de Winter=====<br />
Brenno De Winter started experimenting with security at the age of 9. He has a background in open source that dates back to 1993 and he contributed to several projects like MySQL, GnuPG, Gnucomo (Gnu Computer Monitoring) and recently started the Small Sister-project for privacy-friendly internet usage. In his daily job he practices security,teaches it and works as an IT-journalist. His writings have triggered several debates in parliament and often raises questions. <br />
<br />
=====OWASP SIMBA - guarding your applications (by [https://www.owasp.org/index.php/BeNeLux_OWASP_Day_2011#Koen_Vanderloock.2C_Leader_Security_Competence_Group_at_Cegeka Koen Vanderloock], Leader Security Competence Group at Cegeka)=====<br />
[[OWASP SIMBA Project|SIMBA (Security Integration Module for Business Applications)]] is a OWASP project that provides you with a User Access Management system that can be integrated with any business application. The purpose of SIMBA is to secure an application fast and easy. Because SIMBA itself is generic it can be customized for every project. Many features are customizable e.g. designing your own authentication chain is easy and fast by using existing or newly created building blocks. SIMBA contains authentication, authorization, session management and a GUI to manage your security information.<br />
<br />
======Koen Vanderloock, Leader Security Competence Group at Cegeka======<br />
Koen Vanderloock is the leader of the security competence group at Cegeka. About 2 years ago Cegeka decided to create a sandbox for investigating security issues and solutions so they could be included in the current projects. <br />
Koen Vanderloock is a Java developer with 8 years of experience and started exploring the world of security 3 years ago when UAM problems started to occur.<br />
<br />
=====Practical Crypto Attacks Against Web Applications (by [https://www.owasp.org/index.php/BeNeLux_OWASP_Day_2011#Justin_Clarke.2C_Director_and_Co-Founder_of_Gotham_Digital_Science_Ltd Justin Clarke], Director and Co-Founder of Gotham Digital Science Ltd)=====<br />
The science of cryptography underpins many of the information security technologies we use on a daily basis, such as the ability to keep information confidential and to ensure we can identify who we are communicating with. However, it is a very complex subject area with many types of mistakes that can reduce the overall security of a solution. A number of these types of mistakes can be identified by a tester, if they know what they're looking for, but in general it isn't a well tested area.<br />
<br />
This talk is intended to provide a high level overview of some of the areas where cryptographic operations such as encryption and hashing can provide far less security than was planned, and concrete examples of how these were found and exploited. Examples will include discussion and demonstration of the recently patched cryptographic padding attack against the Microsoft .NET framework (affecting ASP.NET applications) caused by a design error in how ASP.NET handles some types of encrypted data, but we will also be looking at some other fun areas including bit flipping attacks, ECB mode attacks, and some miscellaneous hashing algorithm attacks against common web application implementations.<br />
<br />
======Justin Clarke, Director and Co-Founder of Gotham Digital Science Ltd======<br />
Justin is a Director and Co-Founder of Gotham Digital Science and an experienced software security consultant with extensive international Big 4 risk management, security consulting and testing experience. He is the lead author/technical editor of "SQL Injection Attacks and Defenses" (Syngress 2009), co-author of "Network Security Tools" (O'Reilly 2005), contributor to "Network Security Assessment, 2nd Edition" (O'Reilly 2007), as well as a speaker at various security conferences and events such as Black Hat, EuSecWest, ISACA, BruCON, OWASP, OSCON, RSA and SANS. He is currently the OWASP London chapter president, and a member of the OWASP Global Connections Committee.<br />
On 10 Oct 2011, at 09:33, Seba wrote:<br />
<br />
=====HTML5 security (by [https://www.owasp.org/index.php/BeNeLux_OWASP_Day_2011#Lieven_Desmet.2C_Research_Manager_at_Katholieke_Universiteit_Leuven Lieven Desmet], Research Manager at Katholieke Universiteit Leuven)=====<br />
In this talk, Lieven will highlight the results of the HTML5 security analysis, conducted by the DistriNet Research Group (K.U.Leuven). The security analysis of next generation web standards, commissioned by ENISA, looked into 13 emerging W3C web standards (i.e. the specification of HTML 5 and some of the associated APIs), and assessed the security of each of them as well as the overall security and consistency across specifications.<br />
<br />
In total 51 security threats and issues have been identified, and detailed in the ENISA report (http://www.enisa.europa.eu/html5). During the talk, Lieven will discuss the methodology developed to assess the huge amount of specifications, and zoom into a representative set of identified threats and their remediation.<br />
<br />
======Lieven Desmet, Research Manager at Katholieke Universiteit Leuven======<br />
Lieven Desmet is the Research Manager on Secure Software at the Katholieke Universiteit Leuven (Belgium), where he coaches junior researchers in web application security and participates in dissemination and valorization activities. His interests are in software verification and security of middleware and web-enabled technologies. Lieven is actively engaged in OWASP and is board member of the OWASP Chapter Belgium.<br />
<br />
=====Overcoming iOS Data Protection to Re-Enable iPhone Forensics (by [https://www.owasp.org/index.php/BeNeLux_OWASP_Day_2011#Andrey_Belenko.2C_Chief_Security_Researcher_at_ElcomSoft Andrey Belenko], Chief Security Researcher at ElcomSoft)=====<br />
Data protection is a feature available for iOS devices (iOS 4 and up) with hardware encryption: iPhone 4S, iPhone 4, iPhone 3GS, iPod touch (3rd generation or later), and all iPad models. Introduction of this feature had complicated iPhone forensics process because now (almost) all files on user partition are encrypted and physical dumps are of much less value to examiners: while the filesystem seems to be intact, actual file contents are encrypted and are not suitable for analysis.<br />
<br />
This talk will provide in-depth information about iOS Data protection internals and on the implication it had on iOS forensics. More specifically, it will cover the following:<br />
*System keys and their hierarchy<br />
*Device passcode and its recovery<br />
*Escrow keys<br />
*Filesystem encryption<br />
*Keychain encryption<br />
<br />
Presentation will start by providing attendees with required background on iOS encryption keys architecture: system keys, passcode key, escrow key. After attendees are familiar with those concepts, presentation will continue to filesystem and keychain encryption details and to the techniques that can be used to overcome the hurdles imposed by iOS Data Protection.<br />
<br />
======Andrey Belenko, Chief Security Researcher at ElcomSoft======<br />
Chief security researcher and software developer at Elcomsoft. Co-invented ThunderTables (which are improved RainbowTables) and was first to bring GPU acceleration to password recovery. M. Sc. IT and CISSP.<br />
<br />
LinkedIn: http://ru.linkedin.com/in/belenko<br />
<br />
Twitter: @andreybelenko<br />
<br />
=====Do you... Legal? (by [https://www.owasp.org/index.php/BeNeLux_OWASP_Day_2011#Ludovic_Petit.2C_Group_Fraud_.26_Information_Security_Adviser_at_SFR.2C_Vodafone_Group Ludovic Petit], Group Fraud & Information Security Adviser at SFR, Vodafone Group) =====<br />
<br />
The OWASP core mission is to make application security visible, so that people and organizations can make informed decisions about true application security risks. However, if you do not pay enough attention to many aspects of Legal compliance, you'll see why Web Application Security is somehow linked to Legal and Regulatory aspects as well as... Corporate Responsability, so yours. Who is accountable for what, what about each other's responsibility? Nowadays, the legal constraints oblige us to comply via technical means, whatever the local framework, and this is specially true for Web Application Security, many sensitive informations having to be handled through these web interfaces. A such, what do you think about your Security Policy compliance with your local Legal framework? Compliant? Sure? Really? Interesting isn't it? Let's have a talk about this.<br />
<br />
======Ludovic Petit, Group Fraud & Information Security Adviser at SFR, Vodafone Group======<br />
Ludovic is an internationally recognised information security expert with over 25 years experience. Last 15 years spent in various Corporate Management positions covering both Technical and Law Enforcement expertise dedicated to Mobile Telecommunications Fraud and Security in multi-national corporations.<br />
<br />
Ludovic is Chapter Leader & Founding Member OWASP France and an active contributor to OWASP in several roles and projects.<br />
<br />
LinkedIn Profile: http://www.linkedin.com/in/lpetit<br />
<br />
=====Dynamic malware analysis - or: The ~five deadly (anti-)venoms (by Sascha Rommelfangen, Incident Management - Security Research at CIRCL) =====<br />
Malware reversing is a time consuming task. Many approaches are available to dissect and analyse suspicious binaries. Dynamic malware analysis is one of the option to better understand them and also a nifty companion to static analysis. The current dynamic malware analysis techniques will be presented especially the ones relying on instrumented operating system systems (from the filesystem to the network stack). You'll see a wandering through common and less common malware partially analysed using dynamic analysis and how dynamic malware analysis can help you.<br />
<br />
===== The limits of e-banking (by Jean-Marc Bost and Sébastien Bischof, ECLA) =====<br />
The swiss german TV channel SF1 showed a footage on swiss e-banking security. The TV show follows a team of the ETH who earned a special authorization to test several e-anking platforms. After admitting that a personal computer can be infected by different means (actually 5% of the tested PCs are infected according to Microsoft), The team from Zürich showed the limits of the different platforms. Only the bank who signs each transaction is labelled as safe. We will come back during the presentation on the nature of the threat.<br>First of all, we will explain how famous malwares such as Zeus and SpyEye manage to steal from their victims without them being able to notice anything. Then we will see that e-banking is not the only target, as a matter of fact, the reality is far from this.<br>And then we will comment the most recent techniques that allow malwares to escape Antivirus and Antimalware programs even if they are up to date. We will vulgarize several concepts such as DKOM and bootkits in order to let everybody have a glimpse on the danger they represent.<br>Finally, we will think about if signing each transaction can efficiently fight off these threats. In fact, when attacks are coupled with Social Engineering, they have potentially no limit. Zeus is a living proof of this fact, because it even managed to attack the transaction validation system by SMS. As a conclusion, we will see that the e-banking platform that managed to resist the tests of the ETH team is vulnerable to such kind of attacks. <br />
<br />
====== Jean-Marc Bost, ELCA ======<br />
Jean-Marc Bost leads the security division at ELCA. <br>He is in charge of the various security solutions proposed by ELCA, some being released by ELCA, others being provided by partner vendors. <br>With a significant experience in the development of internet applications, he focused 10 years ago on their need for security. <br>Since then, he has been very active in&nbsp;:<br>- demonstrating the threats, in particular for ebanking<br>- conceiving practical and patented solutions for strong authentication, online transactions, electronic signature and secured documents<br>- presenting the findings of the security division in security events and through expert talks<br> <br />
<br />
====== Sébastien Bischof, ELCA ======<br />
Sébastien Bischof works in the security division at ELCA Where he is specialized in OS-level and communication security.<br>As a major result, he developped a fully-working proof-of-concept of an attack against a sophisticated USB token for safe-browsing.<br>He obtained his Master of Science in Engineering at HEIG-VD/HES-SO with a strong emphasis on IT Security.<br>During his education, he focused on obfuscation and rootkit techniques.<br>Computer security enthusiast, he is very interested in hackings events such as Insomni'hack and keeps himself informed on the latest threats throuhg active participation in security forums.<br />
<br />
<br />
<br />
==== CTF ====<br />
<br />
Do you like puzzles? Do you like challenges? Are you a hacker?<br />
<br />
Whether you are an old hacker or new enthusiast you should come to OWASP BeNeLux days 2011 and participate in the Capture the Flag event December 2nd 2011 at the University of Luxemburg. <br />
<br />
The OWASP CTF is especially designed to support challengers of all skill levels. The CTF contains multiple challenges in various fields related to application security. As every challenge gains you one point, you can pick and choose which challenge you want to play.<br />
<br />
All you need is a laptop with a wifi card and your favorite (preferably) non-commercial tools. <br />
<br />
So come to Luxemburg, show off your skills, learn new tricks and above all have a good time at the CTF event. <br />
<br />
==== Registration ====<br />
<center><br />
'''The training day and the conference are free!'''&nbsp;<br />
<br />
<br> <br />
<br />
[http://owaspbenelux2011.eventbrite.com/ http://www.owasp.org/images/7/77/Buttoncreate.png] <br />
<br />
<br> To support the OWASP organisation, consider to become a member, it's only US$50!<br> Check out the [[Membership]] page to find out more.<br> <br />
<br />
<br> <br />
</center> <br />
==== Venue ====<br />
<center><br />
University of Luxembourg<br>Campus Kirchberg<br>6, rue Richard Coudenhove-Kalergi<br>L-1359 Luxembourg<br>[http://wwwen.uni.lu/contact/campus_kirchberg http://wwwen.uni.lu/contact/campus_kirchberg] <br>Room: Paul Feidert<br />
</center><br />
<br />
<br>'''Parking''':<br />
<br />
There is a public parking close to the conference venue.<br />
[http://maps.google.de/maps?q=49.63038,6.157061&num=1&t=h&vpsrc=0&z=16 Click here to find the parking on Google Maps]<br />
<br />
<br>'''Hotels nearby''': <br />
<br />
The first hotel is at 5 minutes on walk distance from the campus Kirchberg: '''[http://www.coque.lu/article/259 Hotel d’Coque]'''<br />
* single room with breakfast 77.50 €<br />
* double room with breakfast 93.00 €. <br />
* Booking email address with Ref. OWASP_SNT 2011 to : [mailto:reception@coque.lu reception@coque.lu]<br />
* Reservation deadline: 20 October 2011<br />
Second hotel (direct center of Luxembourg) 5/10 minutes with taxi or bus: '''[http://www.parcbellevue.lu/fr/index.php Hotel Parc Bellevue]'''<br />
* single room with breakfast 95.00 € (normal price 160 €)<br />
* double room with breakfast 115.00 € (normal price 180€)<br />
* wifi and parking included<br />
* Booking email address: [mailto:reservation@goeres-group.com reservation@goeres-group.com]<br />
* Reservation deadline&nbsp;: 30 November <br />
* Reservation form: [https://www.owasp.org/images/4/44/Uni_Luxembourg_OWASP_2011.doc download form] <br />
Third hotel (near the Parc Bellevue): '''[http://www.parcplaza.lu/fr/index.php Hotel Plaza]'''<br />
* single room with breakfast 130.00 € (normal price 225 €)<br />
* double room with breakfast 150.00 € (normal price 245€)<br />
* wifi and parking included<br />
* Booking email address: [mailto:reservation@goeres-group.com reservation@goeres-group.com]. <br />
* Reservation deadline: 30 November<br />
* Reservation form: [https://www.owasp.org/images/4/44/Uni_Luxembourg_OWASP_2011.doc download form] <br />
Fourth hotel: '''[http://www.melia-luxembourg.com/fr/melia-luxembourg.html Hotel Mélia]'''<br />
* single room with breakfast 140.00 €<br />
* Booking email address: [mailto:reservations.melia.luxembourg@solmelia.com reservations.melia.luxembourg@solmelia.com]<br />
* Reservation deadline: 28 October 2011<br />
* Reservation form: [https://www.owasp.org/images/f/f8/Uni_OWASP_2011_Melia.pdf download form] <br />
<br />
<br><br />
<br />
==== Organisation ====<br />
<br />
The BeNeLux Day 2011 Program Committee: <br />
<br />
*Martin Knobloch / Ferdinand Vroom ([[Netherlands|OWASP Netherlands]]) <br />
*Bart De Win / Sebastien Deleersnyder ([[Belgium|OWASP Belgium]]) <br />
*Jocelyn Aubert / Andre Adelsbach ([[Luxembourg|OWASP Luxembourg]]) <br />
*Steven van der Baan ([[:Category:OWASP CTF Project|Capture The Flag]])<br />
<br />
Local organization:<br />
<br />
*Thomas Engel <br />
*Radu State <br />
*Magali Martin <br />
*Aurel Machalek<br />
<br />
==== Sponsorship ====<br />
<br />
Contact seba &lt;at&gt; owasp.org for sponsorship <br />
<br />
<paypal>BeNeLux OWASP Day 2011</paypal> <br />
<br />
==== Social Event ====<br />
<br />
The social event is scheduled for Thursday, 1st of December, 19:00 at <br />
<br><br />
<br><br />
<center><br />
[http://www.aguadecoco.lu/ Agua De C&ocirc;co]<br><br />
2, rue Emile Mousel<br><br />
L-2165 Luxembourg<br><br />
<br><br />
([http://maps.google.com/maps?q=Rue+Emile+Mousel,+Luxembourg,+Luxemburg&hl=de&ll=49.612031,6.14125&spn=0.003379,0.009677&sll=49.709163,6.115265&sspn=0.003372,0.009677&vpsrc=6&geocode=FQIF9QIdPrVdAA&hnear=Rue+Emile+Mousel,+Luxembourg,+Luxemburg&t=h&z=17 find the location on Google Maps])<br />
<br />
Remark: split bill system - everyone has to cover own food & drinks.<br />
<br />
</center><br />
<br />
==== Promotion ====<br />
''Feel free to use the text below to promote our event!''<br />
<br />
We invite you to our next OWASP event: the '''BeNeLux OWASP Days 2011!'''<br />
<br />
Free your agenda on the 1st and 2nd of December, 2011.<br />
<br />
The good news: free! No fee!<br />
<br />
The bad news: there are only 160 seats available (first register, first serve)!<br />
<br />
<br />
'''PROGRAM Day 1'''<br />
* 10:00 AM - 18:00 PM: OWASP Training Day<br />
* 19:00 PM - ?: Social event<br />
<br />
'''OWASP Training: Secure Application Development''', by Eoin Keary<br><br />
This intensive one-day training focuses on the most common web application security problems, including aspects of both the OWASP Top Ten (2010) and the MITRE Top 25. The training will introduce and demonstrate application assessment techniques, illustrating how application vulnerabilities can be exploited so students really understand how to avoid introducing such vulnerabilities in their code.<br />
<br />
'''PROGRAM Day 2'''<br />
* 10:00 AM - 18:00 PM: OWASP Conference<br />
<br />
List of '''confirmed speakers''' (more to be announced soon):<br />
*Brenno De Winter (Journalist) on the Diginotar story<br />
*Koen Vanderloock (Lead Security Competence Group at Cegeka) on the new OWASP Simba project<br />
*Justin Clarke (Director and Co-Founder of Gotham Digital Science Ltd) on practical crypto attacks against web applications<br />
*Lieven Desmet (Research Manager at University Leuven) on HTML5 security<br />
*Andrey Belenko (Chief Security Researcher at ElcomSoft Co. Ltd) on iOS data protection internals<br />
*Sascha Rommelfangen (Incident Management - Security Research at CIRCL) on dynamic malware analysis<br />
*Ludovic Petit (Group Fraud & Information Security Adviser at SFR, Vodafone Group) on WebApp Security and legal and regulatory aspects<br />
*Seba Deleersnyder & Eoin Keary (OWASP Board) on OWASP Update<br />
<br />
'''ORGANIZATION<br>'''<br />
OWASP's all-volunteer participants produce free, professional quality, open-source documentation, tools, and standards on application security. An example of this is the famous OWASP top ten of most critical web application security flaws. The OWASP community facilitates conferences, local chapters, articles, and message forums. Participation in OWASP is free and open to all, as are all the materials we produce.<br />
<br />
'''WHO should attend?<br>'''<br />
Anyone interested in Web Application Security (management, security professionals, developers, students, etc). OWASP Belgium, Netherlands and Luxembourg chapters membership is free. All meetings are free. There are never vendor pitches or sales presentations at OWASP meetings.<br><br />
Check our chapter page http://www.owasp.org/index.php/Belgium on meeting details, sign up to the chapter mailing list and introduce yourself.<br><br />
Check our chapter page http://www.owasp.org/index.php/Netherlands on meeting details, sign up to the chapter mailing list and introduce yourself.<br><br />
Check our chapter page http://www.owasp.org/index.php/Luxembourg on meeting details, sign up to the chapter mailing list and introduce yourself.<br><br />
<br />
'''WHEN<br>'''<br />
Thursday and Friday, 1st and 2nd of December, 2011 (10 AM - 7 PM)<br />
<br />
'''WHERE<br>'''<br />
University of Luxembourg<br><br />
Campus Kirchberg<br><br />
6, rue Richard Coudenhove-Kalergi<br><br />
L-1359 Luxembourg<br><br />
http://wwwen.uni.lu/contact/campus_kirchberg<br><br />
Room: Paul Feidert<br />
<br />
Attention: make sure to '''book your hotel in time''', it will be difficult to find rooms in Luxembourg around Dec 1-2!<br><br />
Hotel details https://www.owasp.org/index.php?title=BeNeLux_OWASP_Day_2011#tab=Venue<br />
<br />
'''REGISTRATION<br>'''<br />
Only 160 places, please '''Register upfront: http://owaspbenelux2011.eventbrite.com''' !<br><br />
All latest details are available on http://www.owaspbenelux.eu<br><br />
Hope to see you all!<br><br />
<br />
The BeNeLux Program Committee,<br />
*Martin Knobloch / Ferdinand Vroom, OWASP Netherlands<br />
*Bart De Win / Sebastien Deleersnyder, OWASP Belgium<br />
*Jocelyn Aubert / Andre Adelsbach, OWASP Luxembourg<br />
*Steven van der Baan, OWASP CTF Project<br />
<br />
Kindly supported by the Interdisciplinary Centre for Security Reliability and Trust<br />
*Thomas Engel <br />
*Radu State <br />
*Magali Martin <br />
*Aurel Machalek<br />
<br />
<headertabs /><br />
<br />
<br />
<center><br />
'''Hosted and co-organized by:'''<br> <br />
[[Image:Bnl11-university-logo.jpg|link=http://wwwen.uni.lu]] <br />
[[Image:Bnl11-SECURITYANDTRUST-LOGO.jpg|link=http://www.securityandtrust.lu]] <br />
<br />
<br><br><br><br />
<br />
Made possible by our [http://www.owasp.org/index.php/BeNeLux_OWASP_Day_2011#tab=Sponsorship sponsors]:<br><br />
{{MemberLinks|link=http://www.ascure.com|logo=Ascure_Logo.jpg}} <br />
[http://www.zionsecurity.com http://www.owasp.org/images/e/e6/Zionsecurity.jpg]<br />
[http://www.zenitelbelgium.com http://www.owasp.org/images/d/df/SAIT_Zenitel.jpg]<br />
[http://www8.hp.com/us/en/solutions/solutions-detail.html?compURI=tcm:245-339290 https://www.owasp.org/images/b/b4/HP_Logo.jpg] <br />
[http://www.barracuda.com https://www.owasp.org/images/f/f6/Bnl11-Barracuda_Logo-4C.png] <br />
[http://circl.lu/ http://circl.lu/pics/logo.png]<br />
[http://www.f5.com https://www.owasp.org/images/f/fd/AppSec_Research_2010_sponsor_F5_logo.jpg]<br />
<br />
<br />
<br />
<br><br />
</center><br />
[[Category:OWASP_AppSec_Conference]] [[Category:OWASP_BeNeLux_Archives]]</div>Bart De Winhttps://wiki.owasp.org/index.php?title=BeNeLux_OWASP_Day_2011&diff=121178BeNeLux OWASP Day 20112011-12-07T06:50:06Z<p>Bart De Win: </p>
<hr />
<div>__NOTOC__ <br />
<center>[[Image:OWASP BeNeLux 2011.jpg]]<br></center><br />
<br><!-- Header --><br />
<br />
==== Welcome ====<br />
<br />
<br><br />
<center><br />
=== Venue is the University of Luxembourg (Grand Duchy of Luxembourg) ===<br />
Training and conference location, together with hotel information, can be found [https://www.owasp.org/index.php/BeNeLux_OWASP_Day_2011#tab=Venue here].<br />
=== Training and first list of conference speakers are announced! ===<br />
See [https://www.owasp.org/index.php/BeNeLux_OWASP_Day_2011#tab=Training.2C_December_1st here] and [https://www.owasp.org/index.php/BeNeLux_OWASP_Day_2011#tab=Conference.2C_December_2nd here]<br />
=== Tweet! ===<br />
<br />
Event tag is [http://twitter.com/#search?q=%23owaspbnl11 #owaspbnl11]<br />
<br />
=== Registrations are open: ===<br />
<br />
[http://owaspbenelux2011.eventbrite.com/ http://www.owasp.org/images/7/77/Buttoncreate.png] <br />
<br />
</center><br />
<br><br />
<br />
==== Training, December 1st ====<br />
<br />
Registration '''starts at 9h00'''<br />
<br />
Training will start at '''10h00''' and we plan to stop at '''17h00'''. From '''17h00''' til '''18h00''', there will be an extra session on security testing by Yves Le Traon (see details below).<br />
<br />
The training room is: '''Paul Feidert''' (for details, check the [https://www.owasp.org/index.php/BeNeLux_OWASP_Day_2011#tab=Venue venue] tab)<br />
<br />
'''OWASP Training: Secure Application Development, by Eoin Keary'''<br />
<br />
'''Abstract:''' Writing Secure code is the most effective method to securing your web applications. Writing secure code takes skill and know-how but results in a more stable and robust application and assists in protecting an organisations brand.<br />
Application security is not commonly a part of many computer science curricula today and most organizations have not focused on instituting a culture that includes application security as a core part of their software development training efforts. This intensive one-day course focuses on the most common web application security problems, including aspects of both the OWASP Top Ten (2010) and the MITRE Top 25. The course will introduce and demonstrate application assessment techniques, illustrating how application vulnerabilities can be exploited so students really understand how to avoid introducing such vulnerabilities in their code.<br />
<br />
'''This course includes coverage of the following areas:'''<br />
<br />
* Unvalidated Input<br />
* Injection Flaws, OS commanding, SQL Injection<br />
* Cross-Site Scriping & Client-side security<br />
* CSRF/XSRF<br />
* Authentication & Session Management<br />
* Access control & Authorisation<br />
* Broken Caching<br />
* Error Handling & Resource Management<br />
* The Secure SDLC<br />
* Fuzzing, Proxy use and testing approach<br />
<br />
'''Hands on Exercises'''<br />
<br />
To cement the principles discussed, students can participate in a number of hands-on security testing exercises where they attack a live web application (i.e., OWASP Bank etc) that has been seeded with common web application vulnerabilities.<br />
<br />
The students will use proxy tools commonly used by the hacker community to complete the exercises. Students need to bring their own windows based laptop to participate in the exercises. Wireless capability is recommended. '''Make sure to get a copy of BURP proxy prior to the training: [http://www.portswigger.net/burp/downloadfree.html http://www.portswigger.net/burp/downloadfree.html]'''<br />
<br />
'''Audience'''<br />
<br />
Developers who want to understand the most common web application security flaws, and how to avoid them and code in a secure manner.<br />
<br />
Level: Beginner/Intermediate<br />
<br />
Prerequisite: Basic knowledge of a web programming language like Java or .NET recommended but not required.<br />
<br />
Bringing your own windows based laptop is recommended so you can participate in the hands on exercises<br />
<br />
'''Trainer Bio:''' <br />
<br />
[[Eoin Keary]] is a Global OWASP board member since 2009. He is a long time member of OWASP and have contributed year on year to OWASP projects and the OWASP mission of fighting the causes of software insecurity. He is based in Dublin, Ireland and director of [http://www.bccriskadvisory.com Bccriskadvisory].<br />
<br />
<br />
<br />
===== Extra session on Security testing: a key challenge for software engineering of web apps (17h00 - 18h00)===== <br />
While important efforts are dedicated to system functional testing, very few works study how to specifically and systematically test security mechanisms. In this talk, we will present two categories of approaches. <br />
The first ones aim at assessing security mechanisms compliance with declared policies. Any security policy is strongly connected to system functionality: testing function includes exercising many security mechanisms. However, testing functionality does not intend at exercizing all security mechanisms. We thus propose test selection criteria to produce tests from a security policy. Empirical results will be presented about access control policies and about Android apps permission checks. <br />
<br />
The second ones concern the attack surface of web apps, with a particular focus on web browser sensitivity to XSS attacks. Indeed, one of the major threats against web applications is Cross-Site Scripting (XSS) that crosses several web components: web server, security components and finally the client’s web browser. The final target is thus the client running a particular web browser. During this last decade, several competing web browsers (IE, Netscape, Chrome, Firefox) have been upgraded to add new features for the final users benefit. However, the improvement of web browsers is not related with systematic security regression testing. Beginning with an analysis of their current exposure degree to XSS, we extend the empirical study to a decade of most popular web browser versions.The results reveal a chaotic behavior in the evolution of most web browsers attack surface over time. This particularly shows an urgent need for regression testing strategies to ensure that security is not sacrificed when a new version is delivered. <br />
<br />
In both cases, security must become a specific target for testing in order to get a satisfying level of confidence in security mechanisms<br />
<br />
'''Trainer bio:'''<br />
<br />
Yves Le Traon is professor at University of Luxembourg in the domain of software engineering, reliability, validation and security. He is also a member of the Interdisciplinary Centre for Security, Reliability and Trust (SnT), where he leads the research group SERVAL (SEcuRity and VALidation of services and networks). His research interests include software testing, design for security, security testing, model-driven validation, model based testing, web application, mobile computing. <br />
<br />
Professor Le Traon received his engineering degree and his PhD in Computer Science at the “Institut National Polytechnique” in Grenoble, France, in 1997. From 1998 to 2004, he was an associate professor at the University of Rennes, in Brittany, France. He is the co-founder of the Triskell INRIA team, which focuses on innovating design, modeling and testing techniques, such as Model-driven Engineering. During this period, Professor Le Traon studied design for testability techniques, validation and diagnosis of object-oriented programs and component-based systems. From 2004 to 2006, he was an expert in Model-Driven Architecture and Validation in the EXA team (Requirements Engineering and Applications) at “France Télécom R&D”. In 2006, he became professor at Telecom Bretagne (Ecole Nationale des Télécommunications de Bretagne), where he pioneered the application of testing for security assessment of web-applications, P2P systems and the promotion of intrusion detection systems using contract-based techniques.<br />
<br />
<br />
<br />
==== Conference, December 2nd ====<br />
<br />
We are pleased to announce the list of confirmed speakers:<br />
<br />
* Brenno De Winter (Journalist) From DigiNotar to Leaktober<br />
* Koen Vanderloock (Lead Security Competence Group at Cegeka) on [https://www.owasp.org/index.php/BeNeLux_OWASP_Day_2011#OWASP_SIMBA_-_guarding_your_applications_.28by_Koen_Vanderloock.2C_Leader_Security_Competence_Group_at_Cegeka.29 the new OWASP Simba project]<br />
* Justin Clarke (Director and Co-Founder of Gotham Digital Science Ltd) on [https://www.owasp.org/index.php/BeNeLux_OWASP_Day_2011#Practical_Crypto_Attacks_Against_Web_Applications_.28by_Justin_Clarke.2C_Director_and_Co-Founder_of_Gotham_Digital_Science_Ltd.29 practical crypto attacks against web applications]<br />
* Lieven Desmet (Research Manager at University Leuven) on [https://www.owasp.org/index.php/BeNeLux_OWASP_Day_2011#HTML5_security_.28by_Lieven_Desmet.2C_Research_Manager_at_Katholieke_Universiteit_Leuven.29 HTML5 security]<br />
* Andrey Belenko (Chief Security Researcher at ElcomSoft Co. Ltd) on [https://www.owasp.org/index.php/BeNeLux_OWASP_Day_2011#Overcoming_iOS_Data_Protection_to_Re-Enable_iPhone_Forensics_.28by_Andrey_Belenko.2C_Chief_Security_Researcher_at_ElcomSoft.29 iOS data protection internals]<br />
* Sascha Rommelfangen (Incident Management - Security Research at CIRCL) on dynamic malware analysis<br />
* Ludovic Petit (Group Fraud & Information Security Adviser at SFR, Vodafone Group) on [https://www.owasp.org/index.php/BeNeLux_OWASP_Day_2011#Do_you..._Legal.3F_.28by_Ludovic_Petit.2C_Group_Fraud_.26_Information_Security_Adviser_at_SFR.2C_Vodafone_Group.29 WebApp Security and legal and regulatory aspects]<br />
*Jean-Marc Bost and Sébastien Bischof (ELCA) on The limits of e-banking<br />
* Yves Le Traon on security testing for web apps (talk will be held on the Training Day)<br />
* Seba Deleersnyder & Eoin Keary (OWASP Board) on OWASP Update<br />
<br />
Stay tuned for the final agenda!<br />
<br />
'''''Agenda''''' <br />
''(program has slightly changed !)''<br />
<br />
{| class="wikitable"<br />
! Time !! Speaker !! Topic<br />
|-<br />
| 08h30 - 9h30 || ''Registration'' || <br />
|-<br />
| 09h30 - 9h45 || OWASP Benelux Organization & Thomas Engel|| Welcome ([https://www.owasp.org/images/a/ad/OWASP_BeNeLux_Day_2011_-_Organization_welcome.ppt PPT], [https://www.owasp.org/images/8/8a/2011-11-15_SnT_General.pdf PDF])<br />
|-<br />
| 09h45 - 10h00 || Sebastien Deleersnyder & Eion Keary || OWASP update ([https://www.owasp.org/images/d/d7/OWASP-Update-BeNeLux-Day-2011_v1.pptx PPT])<br />
|-<br />
| 10h00 - 10h40 || Brenno De Winter || From DigiNotar to Leaktober <br />
|-<br />
| 10h40 - 11h00 || ''Break'' ||<br />
|-<br />
| 11h00 - 11h40 || [https://www.owasp.org/index.php/BeNeLux_OWASP_Day_2011#Justin_Clarke.2C_Director_and_Co-Founder_of_Gotham_Digital_Science_Ltd Justin Clarke] || [https://www.owasp.org/index.php/BeNeLux_OWASP_Day_2011#Practical_Crypto_Attacks_Against_Web_Applications_.28by_Justin_Clarke.2C_Director_and_Co-Founder_of_Gotham_Digital_Science_Ltd.29 practical crypto attacks against web applications] ([https://www.owasp.org/images/0/09/OWASP_BeNeLux_Day_2011_-_J._Clarke_-_Practical_Crypto_Attacks_Against_Web_Apps.pptx PPT])<br />
|-<br />
| 11h40 - 12h20 || [https://www.owasp.org/index.php/BeNeLux_OWASP_Day_2011#Andrey_Belenko.2C_Chief_Security_Researcher_at_ElcomSoft Andrey Belenko] || [https://www.owasp.org/index.php/BeNeLux_OWASP_Day_2011#Overcoming_iOS_Data_Protection_to_Re-Enable_iPhone_Forensics_.28by_Andrey_Belenko.2C_Chief_Security_Researcher_at_ElcomSoft.29 Overcoming iOS Data Protection to Re-Enable iPhone Forensics] ([https://www.owasp.org/images/7/76/OWASP_BeNeLux_Day_2011_-_A._Belenko_-_Overcoming_iOS_Data_Protection.pdf PDF])<br />
|-<br />
| 12h20 - 13h00 || [https://www.owasp.org/index.php/BeNeLux_OWASP_Day_2011#Koen_Vanderloock.2C_Leader_Security_Competence_Group_at_Cegeka Koen Vanderloock] || [https://www.owasp.org/index.php/BeNeLux_OWASP_Day_2011#OWASP_SIMBA_-_guarding_your_applications_.28by_Koen_Vanderloock.2C_Leader_Security_Competence_Group_at_Cegeka.29 OWASP SIMBA - guarding your applications] ([https://www.owasp.org/images/5/59/OWASP_BeNeLux_Day_2011_-_K._Vanderloock_-_Simba.pptx PPTX])<br />
|-<br />
| 13h00 - 14h00 || ''Lunch'' || <br />
|-<br />
| 14h00 - 14h40 || [https://www.owasp.org/index.php/BeNeLux_OWASP_Day_2011#Ludovic_Petit.2C_Group_Fraud_.26_Information_Security_Adviser_at_SFR.2C_Vodafone_Group Ludovic Petit] || [https://www.owasp.org/index.php/BeNeLux_OWASP_Day_2011#Do_you..._Legal.3F_.28by_Ludovic_Petit.2C_Group_Fraud_.26_Information_Security_Adviser_at_SFR.2C_Vodafone_Group.29 Do you... Legal?] ([https://www.owasp.org/images/c/ca/OWASP_BeNeLux_Day_2011_-_L._Petit_-_Do_you..._Legal.pptx PPTX])<br />
|-<br />
| 14h40 - 15h20 || Thierry Zoller || The rise of the Vulnerability Market ([https://www.owasp.org/images/b/b7/OWASP_BeNeLux_Day_2011_-_T._Zoller_-_Rise_of_the_Vulnerability_Market.pdf PDF])<br />
|-<br />
| 15h20 - 16h00 || Jean-Marc Bost & Sébastien Bischof || The limits of e-banking ([https://www.owasp.org/images/8/87/OWASP_BeNeLux_Day_2011_-_BischofBost_-_The_limits_of_ebanking.pptx PPTX])<br />
|-<br />
| 16h00 - 16h20 || ''Break'' || <br />
|-<br />
| 16h20 - 17h00 || Sascha Rommelfangen || Dynamic malware analysis - or: The ~five deadly (anti-)venoms ([https://www.owasp.org/images/7/77/OWASP_BeNeLux_Day_2011_-_A._Delauney_-_Dynamic_malware_analysis.pdf PDF])<br />
|-<br />
| 17h00 - 17h40 || [https://www.owasp.org/index.php/BeNeLux_OWASP_Day_2011#Lieven_Desmet.2C_Research_Manager_at_Katholieke_Universiteit_Leuven Lieven Desmet] || [https://www.owasp.org/index.php/BeNeLux_OWASP_Day_2011#HTML5_security_.28by_Lieven_Desmet.2C_Research_Manager_at_Katholieke_Universiteit_Leuven.29 HTML5 security] ([https://www.owasp.org/images/e/e6/OWASP_BeNeLux_Day_2011_-_L._Desmet_-_HTML5_security.pptx PPTX])<br />
|-<br />
| 17h40 - 18h00 || OWASP Benelux 2011 organization || Closing notes<br />
<br />
|}<br />
<br />
<!-- deze laten staan. is handig om anchors te vinden tijdens edi (seba) __TOC__ --><br />
<br />
===== From DigiNotar to Leaktober=====<br />
Web application security is hard. With Lektober, Brenno shows that to the general public. Privacy is at stake, not only in the Netherlands. Brenno will reveal some of the more "interesting" leaks.<br />
<br />
=====Brenno J.S.A.A.F. de Winter=====<br />
Brenno De Winter started experimenting with security at the age of 9. He has a background in open source that dates back to 1993 and he contributed to several projects like MySQL, GnuPG, Gnucomo (Gnu Computer Monitoring) and recently started the Small Sister-project for privacy-friendly internet usage. In his daily job he practices security,teaches it and works as an IT-journalist. His writings have triggered several debates in parliament and often raises questions. <br />
<br />
=====OWASP SIMBA - guarding your applications (by [https://www.owasp.org/index.php/BeNeLux_OWASP_Day_2011#Koen_Vanderloock.2C_Leader_Security_Competence_Group_at_Cegeka Koen Vanderloock], Leader Security Competence Group at Cegeka)=====<br />
[[OWASP SIMBA Project|SIMBA (Security Integration Module for Business Applications)]] is a OWASP project that provides you with a User Access Management system that can be integrated with any business application. The purpose of SIMBA is to secure an application fast and easy. Because SIMBA itself is generic it can be customized for every project. Many features are customizable e.g. designing your own authentication chain is easy and fast by using existing or newly created building blocks. SIMBA contains authentication, authorization, session management and a GUI to manage your security information.<br />
<br />
======Koen Vanderloock, Leader Security Competence Group at Cegeka======<br />
Koen Vanderloock is the leader of the security competence group at Cegeka. About 2 years ago Cegeka decided to create a sandbox for investigating security issues and solutions so they could be included in the current projects. <br />
Koen Vanderloock is a Java developer with 8 years of experience and started exploring the world of security 3 years ago when UAM problems started to occur.<br />
<br />
=====Practical Crypto Attacks Against Web Applications (by [https://www.owasp.org/index.php/BeNeLux_OWASP_Day_2011#Justin_Clarke.2C_Director_and_Co-Founder_of_Gotham_Digital_Science_Ltd Justin Clarke], Director and Co-Founder of Gotham Digital Science Ltd)=====<br />
The science of cryptography underpins many of the information security technologies we use on a daily basis, such as the ability to keep information confidential and to ensure we can identify who we are communicating with. However, it is a very complex subject area with many types of mistakes that can reduce the overall security of a solution. A number of these types of mistakes can be identified by a tester, if they know what they're looking for, but in general it isn't a well tested area.<br />
<br />
This talk is intended to provide a high level overview of some of the areas where cryptographic operations such as encryption and hashing can provide far less security than was planned, and concrete examples of how these were found and exploited. Examples will include discussion and demonstration of the recently patched cryptographic padding attack against the Microsoft .NET framework (affecting ASP.NET applications) caused by a design error in how ASP.NET handles some types of encrypted data, but we will also be looking at some other fun areas including bit flipping attacks, ECB mode attacks, and some miscellaneous hashing algorithm attacks against common web application implementations.<br />
<br />
======Justin Clarke, Director and Co-Founder of Gotham Digital Science Ltd======<br />
Justin is a Director and Co-Founder of Gotham Digital Science and an experienced software security consultant with extensive international Big 4 risk management, security consulting and testing experience. He is the lead author/technical editor of "SQL Injection Attacks and Defenses" (Syngress 2009), co-author of "Network Security Tools" (O'Reilly 2005), contributor to "Network Security Assessment, 2nd Edition" (O'Reilly 2007), as well as a speaker at various security conferences and events such as Black Hat, EuSecWest, ISACA, BruCON, OWASP, OSCON, RSA and SANS. He is currently the OWASP London chapter president, and a member of the OWASP Global Connections Committee.<br />
On 10 Oct 2011, at 09:33, Seba wrote:<br />
<br />
=====HTML5 security (by [https://www.owasp.org/index.php/BeNeLux_OWASP_Day_2011#Lieven_Desmet.2C_Research_Manager_at_Katholieke_Universiteit_Leuven Lieven Desmet], Research Manager at Katholieke Universiteit Leuven)=====<br />
In this talk, Lieven will highlight the results of the HTML5 security analysis, conducted by the DistriNet Research Group (K.U.Leuven). The security analysis of next generation web standards, commissioned by ENISA, looked into 13 emerging W3C web standards (i.e. the specification of HTML 5 and some of the associated APIs), and assessed the security of each of them as well as the overall security and consistency across specifications.<br />
<br />
In total 51 security threats and issues have been identified, and detailed in the ENISA report (http://www.enisa.europa.eu/html5). During the talk, Lieven will discuss the methodology developed to assess the huge amount of specifications, and zoom into a representative set of identified threats and their remediation.<br />
<br />
======Lieven Desmet, Research Manager at Katholieke Universiteit Leuven======<br />
Lieven Desmet is the Research Manager on Secure Software at the Katholieke Universiteit Leuven (Belgium), where he coaches junior researchers in web application security and participates in dissemination and valorization activities. His interests are in software verification and security of middleware and web-enabled technologies. Lieven is actively engaged in OWASP and is board member of the OWASP Chapter Belgium.<br />
<br />
=====Overcoming iOS Data Protection to Re-Enable iPhone Forensics (by [https://www.owasp.org/index.php/BeNeLux_OWASP_Day_2011#Andrey_Belenko.2C_Chief_Security_Researcher_at_ElcomSoft Andrey Belenko], Chief Security Researcher at ElcomSoft)=====<br />
Data protection is a feature available for iOS devices (iOS 4 and up) with hardware encryption: iPhone 4S, iPhone 4, iPhone 3GS, iPod touch (3rd generation or later), and all iPad models. Introduction of this feature had complicated iPhone forensics process because now (almost) all files on user partition are encrypted and physical dumps are of much less value to examiners: while the filesystem seems to be intact, actual file contents are encrypted and are not suitable for analysis.<br />
<br />
This talk will provide in-depth information about iOS Data protection internals and on the implication it had on iOS forensics. More specifically, it will cover the following:<br />
*System keys and their hierarchy<br />
*Device passcode and its recovery<br />
*Escrow keys<br />
*Filesystem encryption<br />
*Keychain encryption<br />
<br />
Presentation will start by providing attendees with required background on iOS encryption keys architecture: system keys, passcode key, escrow key. After attendees are familiar with those concepts, presentation will continue to filesystem and keychain encryption details and to the techniques that can be used to overcome the hurdles imposed by iOS Data Protection.<br />
<br />
======Andrey Belenko, Chief Security Researcher at ElcomSoft======<br />
Chief security researcher and software developer at Elcomsoft. Co-invented ThunderTables (which are improved RainbowTables) and was first to bring GPU acceleration to password recovery. M. Sc. IT and CISSP.<br />
<br />
LinkedIn: http://ru.linkedin.com/in/belenko<br />
<br />
Twitter: @andreybelenko<br />
<br />
=====Do you... Legal? (by [https://www.owasp.org/index.php/BeNeLux_OWASP_Day_2011#Ludovic_Petit.2C_Group_Fraud_.26_Information_Security_Adviser_at_SFR.2C_Vodafone_Group Ludovic Petit], Group Fraud & Information Security Adviser at SFR, Vodafone Group) =====<br />
<br />
The OWASP core mission is to make application security visible, so that people and organizations can make informed decisions about true application security risks. However, if you do not pay enough attention to many aspects of Legal compliance, you'll see why Web Application Security is somehow linked to Legal and Regulatory aspects as well as... Corporate Responsability, so yours. Who is accountable for what, what about each other's responsibility? Nowadays, the legal constraints oblige us to comply via technical means, whatever the local framework, and this is specially true for Web Application Security, many sensitive informations having to be handled through these web interfaces. A such, what do you think about your Security Policy compliance with your local Legal framework? Compliant? Sure? Really? Interesting isn't it? Let's have a talk about this.<br />
<br />
======Ludovic Petit, Group Fraud & Information Security Adviser at SFR, Vodafone Group======<br />
Ludovic is an internationally recognised information security expert with over 25 years experience. Last 15 years spent in various Corporate Management positions covering both Technical and Law Enforcement expertise dedicated to Mobile Telecommunications Fraud and Security in multi-national corporations.<br />
<br />
Ludovic is Chapter Leader & Founding Member OWASP France and an active contributor to OWASP in several roles and projects.<br />
<br />
LinkedIn Profile: http://www.linkedin.com/in/lpetit<br />
<br />
=====Dynamic malware analysis - or: The ~five deadly (anti-)venoms (by Sascha Rommelfangen, Incident Management - Security Research at CIRCL) =====<br />
Malware reversing is a time consuming task. Many approaches are available to dissect and analyse suspicious binaries. Dynamic malware analysis is one of the option to better understand them and also a nifty companion to static analysis. The current dynamic malware analysis techniques will be presented especially the ones relying on instrumented operating system systems (from the filesystem to the network stack). You'll see a wandering through common and less common malware partially analysed using dynamic analysis and how dynamic malware analysis can help you.<br />
<br />
===== The limits of e-banking (by Jean-Marc Bost and Sébastien Bischof, ECLA) =====<br />
The swiss german TV channel SF1 showed a footage on swiss e-banking security. The TV show follows a team of the ETH who earned a special authorization to test several e-anking platforms. After admitting that a personal computer can be infected by different means (actually 5% of the tested PCs are infected according to Microsoft), The team from Zürich showed the limits of the different platforms. Only the bank who signs each transaction is labelled as safe. We will come back during the presentation on the nature of the threat.<br>First of all, we will explain how famous malwares such as Zeus and SpyEye manage to steal from their victims without them being able to notice anything. Then we will see that e-banking is not the only target, as a matter of fact, the reality is far from this.<br>And then we will comment the most recent techniques that allow malwares to escape Antivirus and Antimalware programs even if they are up to date. We will vulgarize several concepts such as DKOM and bootkits in order to let everybody have a glimpse on the danger they represent.<br>Finally, we will think about if signing each transaction can efficiently fight off these threats. In fact, when attacks are coupled with Social Engineering, they have potentially no limit. Zeus is a living proof of this fact, because it even managed to attack the transaction validation system by SMS. As a conclusion, we will see that the e-banking platform that managed to resist the tests of the ETH team is vulnerable to such kind of attacks. <br />
<br />
====== Jean-Marc Bost, ELCA ======<br />
Jean-Marc Bost leads the security division at ELCA. <br>He is in charge of the various security solutions proposed by ELCA, some being released by ELCA, others being provided by partner vendors. <br>With a significant experience in the development of internet applications, he focused 10 years ago on their need for security. <br>Since then, he has been very active in&nbsp;:<br>- demonstrating the threats, in particular for ebanking<br>- conceiving practical and patented solutions for strong authentication, online transactions, electronic signature and secured documents<br>- presenting the findings of the security division in security events and through expert talks<br> <br />
<br />
====== Sébastien Bischof, ELCA ======<br />
Sébastien Bischof works in the security division at ELCA Where he is specialized in OS-level and communication security.<br>As a major result, he developped a fully-working proof-of-concept of an attack against a sophisticated USB token for safe-browsing.<br>He obtained his Master of Science in Engineering at HEIG-VD/HES-SO with a strong emphasis on IT Security.<br>During his education, he focused on obfuscation and rootkit techniques.<br>Computer security enthusiast, he is very interested in hackings events such as Insomni'hack and keeps himself informed on the latest threats throuhg active participation in security forums.<br />
<br />
<br />
<br />
==== CTF ====<br />
<br />
Do you like puzzles? Do you like challenges? Are you a hacker?<br />
<br />
Whether you are an old hacker or new enthusiast you should come to OWASP BeNeLux days 2011 and participate in the Capture the Flag event December 2nd 2011 at the University of Luxemburg. <br />
<br />
The OWASP CTF is especially designed to support challengers of all skill levels. The CTF contains multiple challenges in various fields related to application security. As every challenge gains you one point, you can pick and choose which challenge you want to play.<br />
<br />
All you need is a laptop with a wifi card and your favorite (preferably) non-commercial tools. <br />
<br />
So come to Luxemburg, show off your skills, learn new tricks and above all have a good time at the CTF event. <br />
<br />
==== Registration ====<br />
<center><br />
'''The training day and the conference are free!'''&nbsp;<br />
<br />
<br> <br />
<br />
[http://owaspbenelux2011.eventbrite.com/ http://www.owasp.org/images/7/77/Buttoncreate.png] <br />
<br />
<br> To support the OWASP organisation, consider to become a member, it's only US$50!<br> Check out the [[Membership]] page to find out more.<br> <br />
<br />
<br> <br />
</center> <br />
==== Venue ====<br />
<center><br />
University of Luxembourg<br>Campus Kirchberg<br>6, rue Richard Coudenhove-Kalergi<br>L-1359 Luxembourg<br>[http://wwwen.uni.lu/contact/campus_kirchberg http://wwwen.uni.lu/contact/campus_kirchberg] <br>Room: Paul Feidert<br />
</center><br />
<br />
<br>'''Parking''':<br />
<br />
There is a public parking close to the conference venue.<br />
[http://maps.google.de/maps?q=49.63038,6.157061&num=1&t=h&vpsrc=0&z=16 Click here to find the parking on Google Maps]<br />
<br />
<br>'''Hotels nearby''': <br />
<br />
The first hotel is at 5 minutes on walk distance from the campus Kirchberg: '''[http://www.coque.lu/article/259 Hotel d’Coque]'''<br />
* single room with breakfast 77.50 €<br />
* double room with breakfast 93.00 €. <br />
* Booking email address with Ref. OWASP_SNT 2011 to : [mailto:reception@coque.lu reception@coque.lu]<br />
* Reservation deadline: 20 October 2011<br />
Second hotel (direct center of Luxembourg) 5/10 minutes with taxi or bus: '''[http://www.parcbellevue.lu/fr/index.php Hotel Parc Bellevue]'''<br />
* single room with breakfast 95.00 € (normal price 160 €)<br />
* double room with breakfast 115.00 € (normal price 180€)<br />
* wifi and parking included<br />
* Booking email address: [mailto:reservation@goeres-group.com reservation@goeres-group.com]<br />
* Reservation deadline&nbsp;: 30 November <br />
* Reservation form: [https://www.owasp.org/images/4/44/Uni_Luxembourg_OWASP_2011.doc download form] <br />
Third hotel (near the Parc Bellevue): '''[http://www.parcplaza.lu/fr/index.php Hotel Plaza]'''<br />
* single room with breakfast 130.00 € (normal price 225 €)<br />
* double room with breakfast 150.00 € (normal price 245€)<br />
* wifi and parking included<br />
* Booking email address: [mailto:reservation@goeres-group.com reservation@goeres-group.com]. <br />
* Reservation deadline: 30 November<br />
* Reservation form: [https://www.owasp.org/images/4/44/Uni_Luxembourg_OWASP_2011.doc download form] <br />
Fourth hotel: '''[http://www.melia-luxembourg.com/fr/melia-luxembourg.html Hotel Mélia]'''<br />
* single room with breakfast 140.00 €<br />
* Booking email address: [mailto:reservations.melia.luxembourg@solmelia.com reservations.melia.luxembourg@solmelia.com]<br />
* Reservation deadline: 28 October 2011<br />
* Reservation form: [https://www.owasp.org/images/f/f8/Uni_OWASP_2011_Melia.pdf download form] <br />
<br />
<br><br />
<br />
==== Organisation ====<br />
<br />
The BeNeLux Day 2011 Program Committee: <br />
<br />
*Martin Knobloch / Ferdinand Vroom ([[Netherlands|OWASP Netherlands]]) <br />
*Bart De Win / Sebastien Deleersnyder ([[Belgium|OWASP Belgium]]) <br />
*Jocelyn Aubert / Andre Adelsbach ([[Luxembourg|OWASP Luxembourg]]) <br />
*Steven van der Baan ([[:Category:OWASP CTF Project|Capture The Flag]])<br />
<br />
Local organization:<br />
<br />
*Thomas Engel <br />
*Radu State <br />
*Magali Martin <br />
*Aurel Machalek<br />
<br />
==== Sponsorship ====<br />
<br />
Contact seba &lt;at&gt; owasp.org for sponsorship <br />
<br />
<paypal>BeNeLux OWASP Day 2011</paypal> <br />
<br />
==== Social Event ====<br />
<br />
The social event is scheduled for Thursday, 1st of December, 19:00 at <br />
<br><br />
<br><br />
<center><br />
[http://www.aguadecoco.lu/ Agua De C&ocirc;co]<br><br />
2, rue Emile Mousel<br><br />
L-2165 Luxembourg<br><br />
<br><br />
([http://maps.google.com/maps?q=Rue+Emile+Mousel,+Luxembourg,+Luxemburg&hl=de&ll=49.612031,6.14125&spn=0.003379,0.009677&sll=49.709163,6.115265&sspn=0.003372,0.009677&vpsrc=6&geocode=FQIF9QIdPrVdAA&hnear=Rue+Emile+Mousel,+Luxembourg,+Luxemburg&t=h&z=17 find the location on Google Maps])<br />
<br />
Remark: split bill system - everyone has to cover own food & drinks.<br />
<br />
</center><br />
<br />
==== Promotion ====<br />
''Feel free to use the text below to promote our event!''<br />
<br />
We invite you to our next OWASP event: the '''BeNeLux OWASP Days 2011!'''<br />
<br />
Free your agenda on the 1st and 2nd of December, 2011.<br />
<br />
The good news: free! No fee!<br />
<br />
The bad news: there are only 160 seats available (first register, first serve)!<br />
<br />
<br />
'''PROGRAM Day 1'''<br />
* 10:00 AM - 18:00 PM: OWASP Training Day<br />
* 19:00 PM - ?: Social event<br />
<br />
'''OWASP Training: Secure Application Development''', by Eoin Keary<br><br />
This intensive one-day training focuses on the most common web application security problems, including aspects of both the OWASP Top Ten (2010) and the MITRE Top 25. The training will introduce and demonstrate application assessment techniques, illustrating how application vulnerabilities can be exploited so students really understand how to avoid introducing such vulnerabilities in their code.<br />
<br />
'''PROGRAM Day 2'''<br />
* 10:00 AM - 18:00 PM: OWASP Conference<br />
<br />
List of '''confirmed speakers''' (more to be announced soon):<br />
*Brenno De Winter (Journalist) on the Diginotar story<br />
*Koen Vanderloock (Lead Security Competence Group at Cegeka) on the new OWASP Simba project<br />
*Justin Clarke (Director and Co-Founder of Gotham Digital Science Ltd) on practical crypto attacks against web applications<br />
*Lieven Desmet (Research Manager at University Leuven) on HTML5 security<br />
*Andrey Belenko (Chief Security Researcher at ElcomSoft Co. Ltd) on iOS data protection internals<br />
*Sascha Rommelfangen (Incident Management - Security Research at CIRCL) on dynamic malware analysis<br />
*Ludovic Petit (Group Fraud & Information Security Adviser at SFR, Vodafone Group) on WebApp Security and legal and regulatory aspects<br />
*Seba Deleersnyder & Eoin Keary (OWASP Board) on OWASP Update<br />
<br />
'''ORGANIZATION<br>'''<br />
OWASP's all-volunteer participants produce free, professional quality, open-source documentation, tools, and standards on application security. An example of this is the famous OWASP top ten of most critical web application security flaws. The OWASP community facilitates conferences, local chapters, articles, and message forums. Participation in OWASP is free and open to all, as are all the materials we produce.<br />
<br />
'''WHO should attend?<br>'''<br />
Anyone interested in Web Application Security (management, security professionals, developers, students, etc). OWASP Belgium, Netherlands and Luxembourg chapters membership is free. All meetings are free. There are never vendor pitches or sales presentations at OWASP meetings.<br><br />
Check our chapter page http://www.owasp.org/index.php/Belgium on meeting details, sign up to the chapter mailing list and introduce yourself.<br><br />
Check our chapter page http://www.owasp.org/index.php/Netherlands on meeting details, sign up to the chapter mailing list and introduce yourself.<br><br />
Check our chapter page http://www.owasp.org/index.php/Luxembourg on meeting details, sign up to the chapter mailing list and introduce yourself.<br><br />
<br />
'''WHEN<br>'''<br />
Thursday and Friday, 1st and 2nd of December, 2011 (10 AM - 7 PM)<br />
<br />
'''WHERE<br>'''<br />
University of Luxembourg<br><br />
Campus Kirchberg<br><br />
6, rue Richard Coudenhove-Kalergi<br><br />
L-1359 Luxembourg<br><br />
http://wwwen.uni.lu/contact/campus_kirchberg<br><br />
Room: Paul Feidert<br />
<br />
Attention: make sure to '''book your hotel in time''', it will be difficult to find rooms in Luxembourg around Dec 1-2!<br><br />
Hotel details https://www.owasp.org/index.php?title=BeNeLux_OWASP_Day_2011#tab=Venue<br />
<br />
'''REGISTRATION<br>'''<br />
Only 160 places, please '''Register upfront: http://owaspbenelux2011.eventbrite.com''' !<br><br />
All latest details are available on http://www.owaspbenelux.eu<br><br />
Hope to see you all!<br><br />
<br />
The BeNeLux Program Committee,<br />
*Martin Knobloch / Ferdinand Vroom, OWASP Netherlands<br />
*Bart De Win / Sebastien Deleersnyder, OWASP Belgium<br />
*Jocelyn Aubert / Andre Adelsbach, OWASP Luxembourg<br />
*Steven van der Baan, OWASP CTF Project<br />
<br />
Kindly supported by the Interdisciplinary Centre for Security Reliability and Trust<br />
*Thomas Engel <br />
*Radu State <br />
*Magali Martin <br />
*Aurel Machalek<br />
<br />
<headertabs /><br />
<br />
<br />
<center><br />
'''Hosted and co-organized by:'''<br> <br />
[[Image:Bnl11-university-logo.jpg|link=http://wwwen.uni.lu]] <br />
[[Image:Bnl11-SECURITYANDTRUST-LOGO.jpg|link=http://www.securityandtrust.lu]] <br />
<br />
<br><br><br><br />
<br />
Made possible by our [http://www.owasp.org/index.php/BeNeLux_OWASP_Day_2011#tab=Sponsorship sponsors]:<br><br />
{{MemberLinks|link=http://www.ascure.com|logo=Ascure_Logo.jpg}} <br />
[http://www.zionsecurity.com http://www.owasp.org/images/e/e6/Zionsecurity.jpg]<br />
[http://www.zenitelbelgium.com http://www.owasp.org/images/d/df/SAIT_Zenitel.jpg]<br />
[http://www8.hp.com/us/en/solutions/solutions-detail.html?compURI=tcm:245-339290 https://www.owasp.org/images/b/b4/HP_Logo.jpg] <br />
[http://www.barracuda.com https://www.owasp.org/images/f/f6/Bnl11-Barracuda_Logo-4C.png] <br />
[http://circl.lu/ http://circl.lu/pics/logo.png]<br />
[http://www.f5.com https://www.owasp.org/images/f/fd/AppSec_Research_2010_sponsor_F5_logo.jpg]<br />
<br />
<br />
<br />
<br><br />
</center><br />
[[Category:OWASP_AppSec_Conference]] [[Category:OWASP_BeNeLux_Archives]]</div>Bart De Winhttps://wiki.owasp.org/index.php?title=File:OWASP_BeNeLux_Day_2011_-_T._Zoller_-_Rise_of_the_Vulnerability_Market.pdf&diff=121177File:OWASP BeNeLux Day 2011 - T. Zoller - Rise of the Vulnerability Market.pdf2011-12-07T06:49:28Z<p>Bart De Win: </p>
<hr />
<div></div>Bart De Winhttps://wiki.owasp.org/index.php?title=File:OWASP_BeNeLux_Day_2011_-_A._Belenko_-_Overcoming_iOS_Data_Protection.pdf&diff=121176File:OWASP BeNeLux Day 2011 - A. Belenko - Overcoming iOS Data Protection.pdf2011-12-07T06:48:07Z<p>Bart De Win: </p>
<hr />
<div></div>Bart De Winhttps://wiki.owasp.org/index.php?title=File:OWASP_BeNeLux_Day_2011_-_J._Clarke_-_Practical_Crypto_Attacks_Against_Web_Apps.pptx&diff=121175File:OWASP BeNeLux Day 2011 - J. Clarke - Practical Crypto Attacks Against Web Apps.pptx2011-12-07T06:46:51Z<p>Bart De Win: </p>
<hr />
<div></div>Bart De Winhttps://wiki.owasp.org/index.php?title=BeNeLux_OWASP_Day_2011&diff=121133BeNeLux OWASP Day 20112011-12-05T20:44:09Z<p>Bart De Win: </p>
<hr />
<div>__NOTOC__ <br />
<center>[[Image:OWASP BeNeLux 2011.jpg]]<br></center><br />
<br><!-- Header --><br />
<br />
==== Welcome ====<br />
<br />
<br><br />
<center><br />
=== Venue is the University of Luxembourg (Grand Duchy of Luxembourg) ===<br />
Training and conference location, together with hotel information, can be found [https://www.owasp.org/index.php/BeNeLux_OWASP_Day_2011#tab=Venue here].<br />
=== Training and first list of conference speakers are announced! ===<br />
See [https://www.owasp.org/index.php/BeNeLux_OWASP_Day_2011#tab=Training.2C_December_1st here] and [https://www.owasp.org/index.php/BeNeLux_OWASP_Day_2011#tab=Conference.2C_December_2nd here]<br />
=== Tweet! ===<br />
<br />
Event tag is [http://twitter.com/#search?q=%23owaspbnl11 #owaspbnl11]<br />
<br />
=== Registrations are open: ===<br />
<br />
[http://owaspbenelux2011.eventbrite.com/ http://www.owasp.org/images/7/77/Buttoncreate.png] <br />
<br />
</center><br />
<br><br />
<br />
==== Training, December 1st ====<br />
<br />
Registration '''starts at 9h00'''<br />
<br />
Training will start at '''10h00''' and we plan to stop at '''17h00'''. From '''17h00''' til '''18h00''', there will be an extra session on security testing by Yves Le Traon (see details below).<br />
<br />
The training room is: '''Paul Feidert''' (for details, check the [https://www.owasp.org/index.php/BeNeLux_OWASP_Day_2011#tab=Venue venue] tab)<br />
<br />
'''OWASP Training: Secure Application Development, by Eoin Keary'''<br />
<br />
'''Abstract:''' Writing Secure code is the most effective method to securing your web applications. Writing secure code takes skill and know-how but results in a more stable and robust application and assists in protecting an organisations brand.<br />
Application security is not commonly a part of many computer science curricula today and most organizations have not focused on instituting a culture that includes application security as a core part of their software development training efforts. This intensive one-day course focuses on the most common web application security problems, including aspects of both the OWASP Top Ten (2010) and the MITRE Top 25. The course will introduce and demonstrate application assessment techniques, illustrating how application vulnerabilities can be exploited so students really understand how to avoid introducing such vulnerabilities in their code.<br />
<br />
'''This course includes coverage of the following areas:'''<br />
<br />
* Unvalidated Input<br />
* Injection Flaws, OS commanding, SQL Injection<br />
* Cross-Site Scriping & Client-side security<br />
* CSRF/XSRF<br />
* Authentication & Session Management<br />
* Access control & Authorisation<br />
* Broken Caching<br />
* Error Handling & Resource Management<br />
* The Secure SDLC<br />
* Fuzzing, Proxy use and testing approach<br />
<br />
'''Hands on Exercises'''<br />
<br />
To cement the principles discussed, students can participate in a number of hands-on security testing exercises where they attack a live web application (i.e., OWASP Bank etc) that has been seeded with common web application vulnerabilities.<br />
<br />
The students will use proxy tools commonly used by the hacker community to complete the exercises. Students need to bring their own windows based laptop to participate in the exercises. Wireless capability is recommended. '''Make sure to get a copy of BURP proxy prior to the training: [http://www.portswigger.net/burp/downloadfree.html http://www.portswigger.net/burp/downloadfree.html]'''<br />
<br />
'''Audience'''<br />
<br />
Developers who want to understand the most common web application security flaws, and how to avoid them and code in a secure manner.<br />
<br />
Level: Beginner/Intermediate<br />
<br />
Prerequisite: Basic knowledge of a web programming language like Java or .NET recommended but not required.<br />
<br />
Bringing your own windows based laptop is recommended so you can participate in the hands on exercises<br />
<br />
'''Trainer Bio:''' <br />
<br />
[[Eoin Keary]] is a Global OWASP board member since 2009. He is a long time member of OWASP and have contributed year on year to OWASP projects and the OWASP mission of fighting the causes of software insecurity. He is based in Dublin, Ireland and director of [http://www.bccriskadvisory.com Bccriskadvisory].<br />
<br />
<br />
<br />
===== Extra session on Security testing: a key challenge for software engineering of web apps (17h00 - 18h00)===== <br />
While important efforts are dedicated to system functional testing, very few works study how to specifically and systematically test security mechanisms. In this talk, we will present two categories of approaches. <br />
The first ones aim at assessing security mechanisms compliance with declared policies. Any security policy is strongly connected to system functionality: testing function includes exercising many security mechanisms. However, testing functionality does not intend at exercizing all security mechanisms. We thus propose test selection criteria to produce tests from a security policy. Empirical results will be presented about access control policies and about Android apps permission checks. <br />
<br />
The second ones concern the attack surface of web apps, with a particular focus on web browser sensitivity to XSS attacks. Indeed, one of the major threats against web applications is Cross-Site Scripting (XSS) that crosses several web components: web server, security components and finally the client’s web browser. The final target is thus the client running a particular web browser. During this last decade, several competing web browsers (IE, Netscape, Chrome, Firefox) have been upgraded to add new features for the final users benefit. However, the improvement of web browsers is not related with systematic security regression testing. Beginning with an analysis of their current exposure degree to XSS, we extend the empirical study to a decade of most popular web browser versions.The results reveal a chaotic behavior in the evolution of most web browsers attack surface over time. This particularly shows an urgent need for regression testing strategies to ensure that security is not sacrificed when a new version is delivered. <br />
<br />
In both cases, security must become a specific target for testing in order to get a satisfying level of confidence in security mechanisms<br />
<br />
'''Trainer bio:'''<br />
<br />
Yves Le Traon is professor at University of Luxembourg in the domain of software engineering, reliability, validation and security. He is also a member of the Interdisciplinary Centre for Security, Reliability and Trust (SnT), where he leads the research group SERVAL (SEcuRity and VALidation of services and networks). His research interests include software testing, design for security, security testing, model-driven validation, model based testing, web application, mobile computing. <br />
<br />
Professor Le Traon received his engineering degree and his PhD in Computer Science at the “Institut National Polytechnique” in Grenoble, France, in 1997. From 1998 to 2004, he was an associate professor at the University of Rennes, in Brittany, France. He is the co-founder of the Triskell INRIA team, which focuses on innovating design, modeling and testing techniques, such as Model-driven Engineering. During this period, Professor Le Traon studied design for testability techniques, validation and diagnosis of object-oriented programs and component-based systems. From 2004 to 2006, he was an expert in Model-Driven Architecture and Validation in the EXA team (Requirements Engineering and Applications) at “France Télécom R&D”. In 2006, he became professor at Telecom Bretagne (Ecole Nationale des Télécommunications de Bretagne), where he pioneered the application of testing for security assessment of web-applications, P2P systems and the promotion of intrusion detection systems using contract-based techniques.<br />
<br />
<br />
<br />
==== Conference, December 2nd ====<br />
<br />
We are pleased to announce the list of confirmed speakers:<br />
<br />
* Brenno De Winter (Journalist) From DigiNotar to Leaktober<br />
* Koen Vanderloock (Lead Security Competence Group at Cegeka) on [https://www.owasp.org/index.php/BeNeLux_OWASP_Day_2011#OWASP_SIMBA_-_guarding_your_applications_.28by_Koen_Vanderloock.2C_Leader_Security_Competence_Group_at_Cegeka.29 the new OWASP Simba project]<br />
* Justin Clarke (Director and Co-Founder of Gotham Digital Science Ltd) on [https://www.owasp.org/index.php/BeNeLux_OWASP_Day_2011#Practical_Crypto_Attacks_Against_Web_Applications_.28by_Justin_Clarke.2C_Director_and_Co-Founder_of_Gotham_Digital_Science_Ltd.29 practical crypto attacks against web applications]<br />
* Lieven Desmet (Research Manager at University Leuven) on [https://www.owasp.org/index.php/BeNeLux_OWASP_Day_2011#HTML5_security_.28by_Lieven_Desmet.2C_Research_Manager_at_Katholieke_Universiteit_Leuven.29 HTML5 security]<br />
* Andrey Belenko (Chief Security Researcher at ElcomSoft Co. Ltd) on [https://www.owasp.org/index.php/BeNeLux_OWASP_Day_2011#Overcoming_iOS_Data_Protection_to_Re-Enable_iPhone_Forensics_.28by_Andrey_Belenko.2C_Chief_Security_Researcher_at_ElcomSoft.29 iOS data protection internals]<br />
* Sascha Rommelfangen (Incident Management - Security Research at CIRCL) on dynamic malware analysis<br />
* Ludovic Petit (Group Fraud & Information Security Adviser at SFR, Vodafone Group) on [https://www.owasp.org/index.php/BeNeLux_OWASP_Day_2011#Do_you..._Legal.3F_.28by_Ludovic_Petit.2C_Group_Fraud_.26_Information_Security_Adviser_at_SFR.2C_Vodafone_Group.29 WebApp Security and legal and regulatory aspects]<br />
*Jean-Marc Bost and Sébastien Bischof (ELCA) on The limits of e-banking<br />
* Yves Le Traon on security testing for web apps (talk will be held on the Training Day)<br />
* Seba Deleersnyder & Eoin Keary (OWASP Board) on OWASP Update<br />
<br />
Stay tuned for the final agenda!<br />
<br />
'''''Agenda''''' <br />
''(program has slightly changed !)''<br />
<br />
{| class="wikitable"<br />
! Time !! Speaker !! Topic<br />
|-<br />
| 08h30 - 9h30 || ''Registration'' || <br />
|-<br />
| 09h30 - 9h45 || OWASP Benelux Organization & Thomas Engel|| Welcome ([https://www.owasp.org/images/a/ad/OWASP_BeNeLux_Day_2011_-_Organization_welcome.ppt PPT], [https://www.owasp.org/images/8/8a/2011-11-15_SnT_General.pdf PDF])<br />
|-<br />
| 09h45 - 10h00 || Sebastien Deleersnyder & Eion Keary || OWASP update ([https://www.owasp.org/images/d/d7/OWASP-Update-BeNeLux-Day-2011_v1.pptx PPT])<br />
|-<br />
| 10h00 - 10h40 || Brenno De Winter || From DigiNotar to Leaktober <br />
|-<br />
| 10h40 - 11h00 || ''Break'' ||<br />
|-<br />
| 11h00 - 11h40 || [https://www.owasp.org/index.php/BeNeLux_OWASP_Day_2011#Justin_Clarke.2C_Director_and_Co-Founder_of_Gotham_Digital_Science_Ltd Justin Clarke] || [https://www.owasp.org/index.php/BeNeLux_OWASP_Day_2011#Practical_Crypto_Attacks_Against_Web_Applications_.28by_Justin_Clarke.2C_Director_and_Co-Founder_of_Gotham_Digital_Science_Ltd.29 practical crypto attacks against web applications] <br />
|-<br />
| 11h40 - 12h20 || [https://www.owasp.org/index.php/BeNeLux_OWASP_Day_2011#Andrey_Belenko.2C_Chief_Security_Researcher_at_ElcomSoft Andrey Belenko] || [https://www.owasp.org/index.php/BeNeLux_OWASP_Day_2011#Overcoming_iOS_Data_Protection_to_Re-Enable_iPhone_Forensics_.28by_Andrey_Belenko.2C_Chief_Security_Researcher_at_ElcomSoft.29 Overcoming iOS Data Protection to Re-Enable iPhone Forensics] <br />
|-<br />
| 12h20 - 13h00 || [https://www.owasp.org/index.php/BeNeLux_OWASP_Day_2011#Koen_Vanderloock.2C_Leader_Security_Competence_Group_at_Cegeka Koen Vanderloock] || [https://www.owasp.org/index.php/BeNeLux_OWASP_Day_2011#OWASP_SIMBA_-_guarding_your_applications_.28by_Koen_Vanderloock.2C_Leader_Security_Competence_Group_at_Cegeka.29 OWASP SIMBA - guarding your applications] ([https://www.owasp.org/images/5/59/OWASP_BeNeLux_Day_2011_-_K._Vanderloock_-_Simba.pptx PPTX])<br />
|-<br />
| 13h00 - 14h00 || ''Lunch'' || <br />
|-<br />
| 14h00 - 14h40 || [https://www.owasp.org/index.php/BeNeLux_OWASP_Day_2011#Ludovic_Petit.2C_Group_Fraud_.26_Information_Security_Adviser_at_SFR.2C_Vodafone_Group Ludovic Petit] || [https://www.owasp.org/index.php/BeNeLux_OWASP_Day_2011#Do_you..._Legal.3F_.28by_Ludovic_Petit.2C_Group_Fraud_.26_Information_Security_Adviser_at_SFR.2C_Vodafone_Group.29 Do you... Legal?] ([https://www.owasp.org/images/c/ca/OWASP_BeNeLux_Day_2011_-_L._Petit_-_Do_you..._Legal.pptx PPTX])<br />
|-<br />
| 14h40 - 15h20 || Thierry Zoller || The rise of the Vulnerability Market<br />
|-<br />
| 15h20 - 16h00 || Jean-Marc Bost & Sébastien Bischof || The limits of e-banking ([https://www.owasp.org/images/8/87/OWASP_BeNeLux_Day_2011_-_BischofBost_-_The_limits_of_ebanking.pptx PPTX])<br />
|-<br />
| 16h00 - 16h20 || ''Break'' || <br />
|-<br />
| 16h20 - 17h00 || Sascha Rommelfangen || Dynamic malware analysis - or: The ~five deadly (anti-)venoms ([https://www.owasp.org/images/7/77/OWASP_BeNeLux_Day_2011_-_A._Delauney_-_Dynamic_malware_analysis.pdf PDF])<br />
|-<br />
| 17h00 - 17h40 || [https://www.owasp.org/index.php/BeNeLux_OWASP_Day_2011#Lieven_Desmet.2C_Research_Manager_at_Katholieke_Universiteit_Leuven Lieven Desmet] || [https://www.owasp.org/index.php/BeNeLux_OWASP_Day_2011#HTML5_security_.28by_Lieven_Desmet.2C_Research_Manager_at_Katholieke_Universiteit_Leuven.29 HTML5 security] ([https://www.owasp.org/images/e/e6/OWASP_BeNeLux_Day_2011_-_L._Desmet_-_HTML5_security.pptx PPTX])<br />
|-<br />
| 17h40 - 18h00 || OWASP Benelux 2011 organization || Closing notes<br />
<br />
|}<br />
<br />
<!-- deze laten staan. is handig om anchors te vinden tijdens edi (seba) __TOC__ --><br />
<br />
===== From DigiNotar to Leaktober=====<br />
Web application security is hard. With Lektober, Brenno shows that to the general public. Privacy is at stake, not only in the Netherlands. Brenno will reveal some of the more "interesting" leaks.<br />
<br />
=====Brenno J.S.A.A.F. de Winter=====<br />
Brenno De Winter started experimenting with security at the age of 9. He has a background in open source that dates back to 1993 and he contributed to several projects like MySQL, GnuPG, Gnucomo (Gnu Computer Monitoring) and recently started the Small Sister-project for privacy-friendly internet usage. In his daily job he practices security,teaches it and works as an IT-journalist. His writings have triggered several debates in parliament and often raises questions. <br />
<br />
=====OWASP SIMBA - guarding your applications (by [https://www.owasp.org/index.php/BeNeLux_OWASP_Day_2011#Koen_Vanderloock.2C_Leader_Security_Competence_Group_at_Cegeka Koen Vanderloock], Leader Security Competence Group at Cegeka)=====<br />
[[OWASP SIMBA Project|SIMBA (Security Integration Module for Business Applications)]] is a OWASP project that provides you with a User Access Management system that can be integrated with any business application. The purpose of SIMBA is to secure an application fast and easy. Because SIMBA itself is generic it can be customized for every project. Many features are customizable e.g. designing your own authentication chain is easy and fast by using existing or newly created building blocks. SIMBA contains authentication, authorization, session management and a GUI to manage your security information.<br />
<br />
======Koen Vanderloock, Leader Security Competence Group at Cegeka======<br />
Koen Vanderloock is the leader of the security competence group at Cegeka. About 2 years ago Cegeka decided to create a sandbox for investigating security issues and solutions so they could be included in the current projects. <br />
Koen Vanderloock is a Java developer with 8 years of experience and started exploring the world of security 3 years ago when UAM problems started to occur.<br />
<br />
=====Practical Crypto Attacks Against Web Applications (by [https://www.owasp.org/index.php/BeNeLux_OWASP_Day_2011#Justin_Clarke.2C_Director_and_Co-Founder_of_Gotham_Digital_Science_Ltd Justin Clarke], Director and Co-Founder of Gotham Digital Science Ltd)=====<br />
The science of cryptography underpins many of the information security technologies we use on a daily basis, such as the ability to keep information confidential and to ensure we can identify who we are communicating with. However, it is a very complex subject area with many types of mistakes that can reduce the overall security of a solution. A number of these types of mistakes can be identified by a tester, if they know what they're looking for, but in general it isn't a well tested area.<br />
<br />
This talk is intended to provide a high level overview of some of the areas where cryptographic operations such as encryption and hashing can provide far less security than was planned, and concrete examples of how these were found and exploited. Examples will include discussion and demonstration of the recently patched cryptographic padding attack against the Microsoft .NET framework (affecting ASP.NET applications) caused by a design error in how ASP.NET handles some types of encrypted data, but we will also be looking at some other fun areas including bit flipping attacks, ECB mode attacks, and some miscellaneous hashing algorithm attacks against common web application implementations.<br />
<br />
======Justin Clarke, Director and Co-Founder of Gotham Digital Science Ltd======<br />
Justin is a Director and Co-Founder of Gotham Digital Science and an experienced software security consultant with extensive international Big 4 risk management, security consulting and testing experience. He is the lead author/technical editor of "SQL Injection Attacks and Defenses" (Syngress 2009), co-author of "Network Security Tools" (O'Reilly 2005), contributor to "Network Security Assessment, 2nd Edition" (O'Reilly 2007), as well as a speaker at various security conferences and events such as Black Hat, EuSecWest, ISACA, BruCON, OWASP, OSCON, RSA and SANS. He is currently the OWASP London chapter president, and a member of the OWASP Global Connections Committee.<br />
On 10 Oct 2011, at 09:33, Seba wrote:<br />
<br />
=====HTML5 security (by [https://www.owasp.org/index.php/BeNeLux_OWASP_Day_2011#Lieven_Desmet.2C_Research_Manager_at_Katholieke_Universiteit_Leuven Lieven Desmet], Research Manager at Katholieke Universiteit Leuven)=====<br />
In this talk, Lieven will highlight the results of the HTML5 security analysis, conducted by the DistriNet Research Group (K.U.Leuven). The security analysis of next generation web standards, commissioned by ENISA, looked into 13 emerging W3C web standards (i.e. the specification of HTML 5 and some of the associated APIs), and assessed the security of each of them as well as the overall security and consistency across specifications.<br />
<br />
In total 51 security threats and issues have been identified, and detailed in the ENISA report (http://www.enisa.europa.eu/html5). During the talk, Lieven will discuss the methodology developed to assess the huge amount of specifications, and zoom into a representative set of identified threats and their remediation.<br />
<br />
======Lieven Desmet, Research Manager at Katholieke Universiteit Leuven======<br />
Lieven Desmet is the Research Manager on Secure Software at the Katholieke Universiteit Leuven (Belgium), where he coaches junior researchers in web application security and participates in dissemination and valorization activities. His interests are in software verification and security of middleware and web-enabled technologies. Lieven is actively engaged in OWASP and is board member of the OWASP Chapter Belgium.<br />
<br />
=====Overcoming iOS Data Protection to Re-Enable iPhone Forensics (by [https://www.owasp.org/index.php/BeNeLux_OWASP_Day_2011#Andrey_Belenko.2C_Chief_Security_Researcher_at_ElcomSoft Andrey Belenko], Chief Security Researcher at ElcomSoft)=====<br />
Data protection is a feature available for iOS devices (iOS 4 and up) with hardware encryption: iPhone 4S, iPhone 4, iPhone 3GS, iPod touch (3rd generation or later), and all iPad models. Introduction of this feature had complicated iPhone forensics process because now (almost) all files on user partition are encrypted and physical dumps are of much less value to examiners: while the filesystem seems to be intact, actual file contents are encrypted and are not suitable for analysis.<br />
<br />
This talk will provide in-depth information about iOS Data protection internals and on the implication it had on iOS forensics. More specifically, it will cover the following:<br />
*System keys and their hierarchy<br />
*Device passcode and its recovery<br />
*Escrow keys<br />
*Filesystem encryption<br />
*Keychain encryption<br />
<br />
Presentation will start by providing attendees with required background on iOS encryption keys architecture: system keys, passcode key, escrow key. After attendees are familiar with those concepts, presentation will continue to filesystem and keychain encryption details and to the techniques that can be used to overcome the hurdles imposed by iOS Data Protection.<br />
<br />
======Andrey Belenko, Chief Security Researcher at ElcomSoft======<br />
Chief security researcher and software developer at Elcomsoft. Co-invented ThunderTables (which are improved RainbowTables) and was first to bring GPU acceleration to password recovery. M. Sc. IT and CISSP.<br />
<br />
LinkedIn: http://ru.linkedin.com/in/belenko<br />
<br />
Twitter: @andreybelenko<br />
<br />
=====Do you... Legal? (by [https://www.owasp.org/index.php/BeNeLux_OWASP_Day_2011#Ludovic_Petit.2C_Group_Fraud_.26_Information_Security_Adviser_at_SFR.2C_Vodafone_Group Ludovic Petit], Group Fraud & Information Security Adviser at SFR, Vodafone Group) =====<br />
<br />
The OWASP core mission is to make application security visible, so that people and organizations can make informed decisions about true application security risks. However, if you do not pay enough attention to many aspects of Legal compliance, you'll see why Web Application Security is somehow linked to Legal and Regulatory aspects as well as... Corporate Responsability, so yours. Who is accountable for what, what about each other's responsibility? Nowadays, the legal constraints oblige us to comply via technical means, whatever the local framework, and this is specially true for Web Application Security, many sensitive informations having to be handled through these web interfaces. A such, what do you think about your Security Policy compliance with your local Legal framework? Compliant? Sure? Really? Interesting isn't it? Let's have a talk about this.<br />
<br />
======Ludovic Petit, Group Fraud & Information Security Adviser at SFR, Vodafone Group======<br />
Ludovic is an internationally recognised information security expert with over 25 years experience. Last 15 years spent in various Corporate Management positions covering both Technical and Law Enforcement expertise dedicated to Mobile Telecommunications Fraud and Security in multi-national corporations.<br />
<br />
Ludovic is Chapter Leader & Founding Member OWASP France and an active contributor to OWASP in several roles and projects.<br />
<br />
LinkedIn Profile: http://www.linkedin.com/in/lpetit<br />
<br />
=====Dynamic malware analysis - or: The ~five deadly (anti-)venoms (by Sascha Rommelfangen, Incident Management - Security Research at CIRCL) =====<br />
Malware reversing is a time consuming task. Many approaches are available to dissect and analyse suspicious binaries. Dynamic malware analysis is one of the option to better understand them and also a nifty companion to static analysis. The current dynamic malware analysis techniques will be presented especially the ones relying on instrumented operating system systems (from the filesystem to the network stack). You'll see a wandering through common and less common malware partially analysed using dynamic analysis and how dynamic malware analysis can help you.<br />
<br />
===== The limits of e-banking (by Jean-Marc Bost and Sébastien Bischof, ECLA) =====<br />
The swiss german TV channel SF1 showed a footage on swiss e-banking security. The TV show follows a team of the ETH who earned a special authorization to test several e-anking platforms. After admitting that a personal computer can be infected by different means (actually 5% of the tested PCs are infected according to Microsoft), The team from Zürich showed the limits of the different platforms. Only the bank who signs each transaction is labelled as safe. We will come back during the presentation on the nature of the threat.<br>First of all, we will explain how famous malwares such as Zeus and SpyEye manage to steal from their victims without them being able to notice anything. Then we will see that e-banking is not the only target, as a matter of fact, the reality is far from this.<br>And then we will comment the most recent techniques that allow malwares to escape Antivirus and Antimalware programs even if they are up to date. We will vulgarize several concepts such as DKOM and bootkits in order to let everybody have a glimpse on the danger they represent.<br>Finally, we will think about if signing each transaction can efficiently fight off these threats. In fact, when attacks are coupled with Social Engineering, they have potentially no limit. Zeus is a living proof of this fact, because it even managed to attack the transaction validation system by SMS. As a conclusion, we will see that the e-banking platform that managed to resist the tests of the ETH team is vulnerable to such kind of attacks. <br />
<br />
====== Jean-Marc Bost, ELCA ======<br />
Jean-Marc Bost leads the security division at ELCA. <br>He is in charge of the various security solutions proposed by ELCA, some being released by ELCA, others being provided by partner vendors. <br>With a significant experience in the development of internet applications, he focused 10 years ago on their need for security. <br>Since then, he has been very active in&nbsp;:<br>- demonstrating the threats, in particular for ebanking<br>- conceiving practical and patented solutions for strong authentication, online transactions, electronic signature and secured documents<br>- presenting the findings of the security division in security events and through expert talks<br> <br />
<br />
====== Sébastien Bischof, ELCA ======<br />
Sébastien Bischof works in the security division at ELCA Where he is specialized in OS-level and communication security.<br>As a major result, he developped a fully-working proof-of-concept of an attack against a sophisticated USB token for safe-browsing.<br>He obtained his Master of Science in Engineering at HEIG-VD/HES-SO with a strong emphasis on IT Security.<br>During his education, he focused on obfuscation and rootkit techniques.<br>Computer security enthusiast, he is very interested in hackings events such as Insomni'hack and keeps himself informed on the latest threats throuhg active participation in security forums.<br />
<br />
<br />
<br />
==== CTF ====<br />
<br />
Do you like puzzles? Do you like challenges? Are you a hacker?<br />
<br />
Whether you are an old hacker or new enthusiast you should come to OWASP BeNeLux days 2011 and participate in the Capture the Flag event December 2nd 2011 at the University of Luxemburg. <br />
<br />
The OWASP CTF is especially designed to support challengers of all skill levels. The CTF contains multiple challenges in various fields related to application security. As every challenge gains you one point, you can pick and choose which challenge you want to play.<br />
<br />
All you need is a laptop with a wifi card and your favorite (preferably) non-commercial tools. <br />
<br />
So come to Luxemburg, show off your skills, learn new tricks and above all have a good time at the CTF event. <br />
<br />
==== Registration ====<br />
<center><br />
'''The training day and the conference are free!'''&nbsp;<br />
<br />
<br> <br />
<br />
[http://owaspbenelux2011.eventbrite.com/ http://www.owasp.org/images/7/77/Buttoncreate.png] <br />
<br />
<br> To support the OWASP organisation, consider to become a member, it's only US$50!<br> Check out the [[Membership]] page to find out more.<br> <br />
<br />
<br> <br />
</center> <br />
==== Venue ====<br />
<center><br />
University of Luxembourg<br>Campus Kirchberg<br>6, rue Richard Coudenhove-Kalergi<br>L-1359 Luxembourg<br>[http://wwwen.uni.lu/contact/campus_kirchberg http://wwwen.uni.lu/contact/campus_kirchberg] <br>Room: Paul Feidert<br />
</center><br />
<br />
<br>'''Parking''':<br />
<br />
There is a public parking close to the conference venue.<br />
[http://maps.google.de/maps?q=49.63038,6.157061&num=1&t=h&vpsrc=0&z=16 Click here to find the parking on Google Maps]<br />
<br />
<br>'''Hotels nearby''': <br />
<br />
The first hotel is at 5 minutes on walk distance from the campus Kirchberg: '''[http://www.coque.lu/article/259 Hotel d’Coque]'''<br />
* single room with breakfast 77.50 €<br />
* double room with breakfast 93.00 €. <br />
* Booking email address with Ref. OWASP_SNT 2011 to : [mailto:reception@coque.lu reception@coque.lu]<br />
* Reservation deadline: 20 October 2011<br />
Second hotel (direct center of Luxembourg) 5/10 minutes with taxi or bus: '''[http://www.parcbellevue.lu/fr/index.php Hotel Parc Bellevue]'''<br />
* single room with breakfast 95.00 € (normal price 160 €)<br />
* double room with breakfast 115.00 € (normal price 180€)<br />
* wifi and parking included<br />
* Booking email address: [mailto:reservation@goeres-group.com reservation@goeres-group.com]<br />
* Reservation deadline&nbsp;: 30 November <br />
* Reservation form: [https://www.owasp.org/images/4/44/Uni_Luxembourg_OWASP_2011.doc download form] <br />
Third hotel (near the Parc Bellevue): '''[http://www.parcplaza.lu/fr/index.php Hotel Plaza]'''<br />
* single room with breakfast 130.00 € (normal price 225 €)<br />
* double room with breakfast 150.00 € (normal price 245€)<br />
* wifi and parking included<br />
* Booking email address: [mailto:reservation@goeres-group.com reservation@goeres-group.com]. <br />
* Reservation deadline: 30 November<br />
* Reservation form: [https://www.owasp.org/images/4/44/Uni_Luxembourg_OWASP_2011.doc download form] <br />
Fourth hotel: '''[http://www.melia-luxembourg.com/fr/melia-luxembourg.html Hotel Mélia]'''<br />
* single room with breakfast 140.00 €<br />
* Booking email address: [mailto:reservations.melia.luxembourg@solmelia.com reservations.melia.luxembourg@solmelia.com]<br />
* Reservation deadline: 28 October 2011<br />
* Reservation form: [https://www.owasp.org/images/f/f8/Uni_OWASP_2011_Melia.pdf download form] <br />
<br />
<br><br />
<br />
==== Organisation ====<br />
<br />
The BeNeLux Day 2011 Program Committee: <br />
<br />
*Martin Knobloch / Ferdinand Vroom ([[Netherlands|OWASP Netherlands]]) <br />
*Bart De Win / Sebastien Deleersnyder ([[Belgium|OWASP Belgium]]) <br />
*Jocelyn Aubert / Andre Adelsbach ([[Luxembourg|OWASP Luxembourg]]) <br />
*Steven van der Baan ([[:Category:OWASP CTF Project|Capture The Flag]])<br />
<br />
Local organization:<br />
<br />
*Thomas Engel <br />
*Radu State <br />
*Magali Martin <br />
*Aurel Machalek<br />
<br />
==== Sponsorship ====<br />
<br />
Contact seba &lt;at&gt; owasp.org for sponsorship <br />
<br />
<paypal>BeNeLux OWASP Day 2011</paypal> <br />
<br />
==== Social Event ====<br />
<br />
The social event is scheduled for Thursday, 1st of December, 19:00 at <br />
<br><br />
<br><br />
<center><br />
[http://www.aguadecoco.lu/ Agua De C&ocirc;co]<br><br />
2, rue Emile Mousel<br><br />
L-2165 Luxembourg<br><br />
<br><br />
([http://maps.google.com/maps?q=Rue+Emile+Mousel,+Luxembourg,+Luxemburg&hl=de&ll=49.612031,6.14125&spn=0.003379,0.009677&sll=49.709163,6.115265&sspn=0.003372,0.009677&vpsrc=6&geocode=FQIF9QIdPrVdAA&hnear=Rue+Emile+Mousel,+Luxembourg,+Luxemburg&t=h&z=17 find the location on Google Maps])<br />
<br />
Remark: split bill system - everyone has to cover own food & drinks.<br />
<br />
</center><br />
<br />
==== Promotion ====<br />
''Feel free to use the text below to promote our event!''<br />
<br />
We invite you to our next OWASP event: the '''BeNeLux OWASP Days 2011!'''<br />
<br />
Free your agenda on the 1st and 2nd of December, 2011.<br />
<br />
The good news: free! No fee!<br />
<br />
The bad news: there are only 160 seats available (first register, first serve)!<br />
<br />
<br />
'''PROGRAM Day 1'''<br />
* 10:00 AM - 18:00 PM: OWASP Training Day<br />
* 19:00 PM - ?: Social event<br />
<br />
'''OWASP Training: Secure Application Development''', by Eoin Keary<br><br />
This intensive one-day training focuses on the most common web application security problems, including aspects of both the OWASP Top Ten (2010) and the MITRE Top 25. The training will introduce and demonstrate application assessment techniques, illustrating how application vulnerabilities can be exploited so students really understand how to avoid introducing such vulnerabilities in their code.<br />
<br />
'''PROGRAM Day 2'''<br />
* 10:00 AM - 18:00 PM: OWASP Conference<br />
<br />
List of '''confirmed speakers''' (more to be announced soon):<br />
*Brenno De Winter (Journalist) on the Diginotar story<br />
*Koen Vanderloock (Lead Security Competence Group at Cegeka) on the new OWASP Simba project<br />
*Justin Clarke (Director and Co-Founder of Gotham Digital Science Ltd) on practical crypto attacks against web applications<br />
*Lieven Desmet (Research Manager at University Leuven) on HTML5 security<br />
*Andrey Belenko (Chief Security Researcher at ElcomSoft Co. Ltd) on iOS data protection internals<br />
*Sascha Rommelfangen (Incident Management - Security Research at CIRCL) on dynamic malware analysis<br />
*Ludovic Petit (Group Fraud & Information Security Adviser at SFR, Vodafone Group) on WebApp Security and legal and regulatory aspects<br />
*Seba Deleersnyder & Eoin Keary (OWASP Board) on OWASP Update<br />
<br />
'''ORGANIZATION<br>'''<br />
OWASP's all-volunteer participants produce free, professional quality, open-source documentation, tools, and standards on application security. An example of this is the famous OWASP top ten of most critical web application security flaws. The OWASP community facilitates conferences, local chapters, articles, and message forums. Participation in OWASP is free and open to all, as are all the materials we produce.<br />
<br />
'''WHO should attend?<br>'''<br />
Anyone interested in Web Application Security (management, security professionals, developers, students, etc). OWASP Belgium, Netherlands and Luxembourg chapters membership is free. All meetings are free. There are never vendor pitches or sales presentations at OWASP meetings.<br><br />
Check our chapter page http://www.owasp.org/index.php/Belgium on meeting details, sign up to the chapter mailing list and introduce yourself.<br><br />
Check our chapter page http://www.owasp.org/index.php/Netherlands on meeting details, sign up to the chapter mailing list and introduce yourself.<br><br />
Check our chapter page http://www.owasp.org/index.php/Luxembourg on meeting details, sign up to the chapter mailing list and introduce yourself.<br><br />
<br />
'''WHEN<br>'''<br />
Thursday and Friday, 1st and 2nd of December, 2011 (10 AM - 7 PM)<br />
<br />
'''WHERE<br>'''<br />
University of Luxembourg<br><br />
Campus Kirchberg<br><br />
6, rue Richard Coudenhove-Kalergi<br><br />
L-1359 Luxembourg<br><br />
http://wwwen.uni.lu/contact/campus_kirchberg<br><br />
Room: Paul Feidert<br />
<br />
Attention: make sure to '''book your hotel in time''', it will be difficult to find rooms in Luxembourg around Dec 1-2!<br><br />
Hotel details https://www.owasp.org/index.php?title=BeNeLux_OWASP_Day_2011#tab=Venue<br />
<br />
'''REGISTRATION<br>'''<br />
Only 160 places, please '''Register upfront: http://owaspbenelux2011.eventbrite.com''' !<br><br />
All latest details are available on http://www.owaspbenelux.eu<br><br />
Hope to see you all!<br><br />
<br />
The BeNeLux Program Committee,<br />
*Martin Knobloch / Ferdinand Vroom, OWASP Netherlands<br />
*Bart De Win / Sebastien Deleersnyder, OWASP Belgium<br />
*Jocelyn Aubert / Andre Adelsbach, OWASP Luxembourg<br />
*Steven van der Baan, OWASP CTF Project<br />
<br />
Kindly supported by the Interdisciplinary Centre for Security Reliability and Trust<br />
*Thomas Engel <br />
*Radu State <br />
*Magali Martin <br />
*Aurel Machalek<br />
<br />
<headertabs /><br />
<br />
<br />
<center><br />
'''Hosted and co-organized by:'''<br> <br />
[[Image:Bnl11-university-logo.jpg|link=http://wwwen.uni.lu]] <br />
[[Image:Bnl11-SECURITYANDTRUST-LOGO.jpg|link=http://www.securityandtrust.lu]] <br />
<br />
<br><br><br><br />
<br />
Made possible by our [http://www.owasp.org/index.php/BeNeLux_OWASP_Day_2011#tab=Sponsorship sponsors]:<br><br />
{{MemberLinks|link=http://www.ascure.com|logo=Ascure_Logo.jpg}} <br />
[http://www.zionsecurity.com http://www.owasp.org/images/e/e6/Zionsecurity.jpg]<br />
[http://www.zenitelbelgium.com http://www.owasp.org/images/d/df/SAIT_Zenitel.jpg]<br />
[http://www8.hp.com/us/en/solutions/solutions-detail.html?compURI=tcm:245-339290 https://www.owasp.org/images/b/b4/HP_Logo.jpg] <br />
[http://www.barracuda.com https://www.owasp.org/images/f/f6/Bnl11-Barracuda_Logo-4C.png] <br />
[http://circl.lu/ http://circl.lu/pics/logo.png]<br />
[http://www.f5.com https://www.owasp.org/images/f/fd/AppSec_Research_2010_sponsor_F5_logo.jpg]<br />
<br />
<br />
<br />
<br><br />
</center><br />
[[Category:OWASP_AppSec_Conference]] [[Category:OWASP_BeNeLux_Archives]]</div>Bart De Winhttps://wiki.owasp.org/index.php?title=File:OWASP_BeNeLux_Day_2011_-_Organization_welcome.ppt&diff=121132File:OWASP BeNeLux Day 2011 - Organization welcome.ppt2011-12-05T20:43:35Z<p>Bart De Win: </p>
<hr />
<div></div>Bart De Winhttps://wiki.owasp.org/index.php?title=File:OWASP_BeNeLux_Day_2011_-_L._Petit_-_Do_you..._Legal.pptx&diff=121131File:OWASP BeNeLux Day 2011 - L. Petit - Do you... Legal.pptx2011-12-05T20:42:50Z<p>Bart De Win: </p>
<hr />
<div></div>Bart De Winhttps://wiki.owasp.org/index.php?title=File:OWASP_BeNeLux_Day_2011_-_L._Desmet_-_HTML5_security.pptx&diff=121130File:OWASP BeNeLux Day 2011 - L. Desmet - HTML5 security.pptx2011-12-05T20:41:51Z<p>Bart De Win: </p>
<hr />
<div></div>Bart De Winhttps://wiki.owasp.org/index.php?title=File:OWASP_BeNeLux_Day_2011_-_K._Vanderloock_-_Simba.pptx&diff=121129File:OWASP BeNeLux Day 2011 - K. Vanderloock - Simba.pptx2011-12-05T20:39:58Z<p>Bart De Win: </p>
<hr />
<div></div>Bart De Winhttps://wiki.owasp.org/index.php?title=File:OWASP_BeNeLux_Day_2011_-_BischofBost_-_The_limits_of_ebanking.pptx&diff=121128File:OWASP BeNeLux Day 2011 - BischofBost - The limits of ebanking.pptx2011-12-05T20:38:27Z<p>Bart De Win: </p>
<hr />
<div></div>Bart De Winhttps://wiki.owasp.org/index.php?title=File:OWASP_BeNeLux_Day_2011_-_A._Delauney_-_Dynamic_malware_analysis.pdf&diff=121127File:OWASP BeNeLux Day 2011 - A. Delauney - Dynamic malware analysis.pdf2011-12-05T20:35:33Z<p>Bart De Win: </p>
<hr />
<div></div>Bart De Winhttps://wiki.owasp.org/index.php?title=BeNeLux_OWASP_Day_2011&diff=121126BeNeLux OWASP Day 20112011-12-05T20:29:27Z<p>Bart De Win: </p>
<hr />
<div>__NOTOC__ <br />
<center>[[Image:OWASP BeNeLux 2011.jpg]]<br></center><br />
<br><!-- Header --><br />
<br />
==== Welcome ====<br />
<br />
<br><br />
<center><br />
=== Venue is the University of Luxembourg (Grand Duchy of Luxembourg) ===<br />
Training and conference location, together with hotel information, can be found [https://www.owasp.org/index.php/BeNeLux_OWASP_Day_2011#tab=Venue here].<br />
=== Training and first list of conference speakers are announced! ===<br />
See [https://www.owasp.org/index.php/BeNeLux_OWASP_Day_2011#tab=Training.2C_December_1st here] and [https://www.owasp.org/index.php/BeNeLux_OWASP_Day_2011#tab=Conference.2C_December_2nd here]<br />
=== Tweet! ===<br />
<br />
Event tag is [http://twitter.com/#search?q=%23owaspbnl11 #owaspbnl11]<br />
<br />
=== Registrations are open: ===<br />
<br />
[http://owaspbenelux2011.eventbrite.com/ http://www.owasp.org/images/7/77/Buttoncreate.png] <br />
<br />
</center><br />
<br><br />
<br />
==== Training, December 1st ====<br />
<br />
Registration '''starts at 9h00'''<br />
<br />
Training will start at '''10h00''' and we plan to stop at '''17h00'''. From '''17h00''' til '''18h00''', there will be an extra session on security testing by Yves Le Traon (see details below).<br />
<br />
The training room is: '''Paul Feidert''' (for details, check the [https://www.owasp.org/index.php/BeNeLux_OWASP_Day_2011#tab=Venue venue] tab)<br />
<br />
'''OWASP Training: Secure Application Development, by Eoin Keary'''<br />
<br />
'''Abstract:''' Writing Secure code is the most effective method to securing your web applications. Writing secure code takes skill and know-how but results in a more stable and robust application and assists in protecting an organisations brand.<br />
Application security is not commonly a part of many computer science curricula today and most organizations have not focused on instituting a culture that includes application security as a core part of their software development training efforts. This intensive one-day course focuses on the most common web application security problems, including aspects of both the OWASP Top Ten (2010) and the MITRE Top 25. The course will introduce and demonstrate application assessment techniques, illustrating how application vulnerabilities can be exploited so students really understand how to avoid introducing such vulnerabilities in their code.<br />
<br />
'''This course includes coverage of the following areas:'''<br />
<br />
* Unvalidated Input<br />
* Injection Flaws, OS commanding, SQL Injection<br />
* Cross-Site Scriping & Client-side security<br />
* CSRF/XSRF<br />
* Authentication & Session Management<br />
* Access control & Authorisation<br />
* Broken Caching<br />
* Error Handling & Resource Management<br />
* The Secure SDLC<br />
* Fuzzing, Proxy use and testing approach<br />
<br />
'''Hands on Exercises'''<br />
<br />
To cement the principles discussed, students can participate in a number of hands-on security testing exercises where they attack a live web application (i.e., OWASP Bank etc) that has been seeded with common web application vulnerabilities.<br />
<br />
The students will use proxy tools commonly used by the hacker community to complete the exercises. Students need to bring their own windows based laptop to participate in the exercises. Wireless capability is recommended. '''Make sure to get a copy of BURP proxy prior to the training: [http://www.portswigger.net/burp/downloadfree.html http://www.portswigger.net/burp/downloadfree.html]'''<br />
<br />
'''Audience'''<br />
<br />
Developers who want to understand the most common web application security flaws, and how to avoid them and code in a secure manner.<br />
<br />
Level: Beginner/Intermediate<br />
<br />
Prerequisite: Basic knowledge of a web programming language like Java or .NET recommended but not required.<br />
<br />
Bringing your own windows based laptop is recommended so you can participate in the hands on exercises<br />
<br />
'''Trainer Bio:''' <br />
<br />
[[Eoin Keary]] is a Global OWASP board member since 2009. He is a long time member of OWASP and have contributed year on year to OWASP projects and the OWASP mission of fighting the causes of software insecurity. He is based in Dublin, Ireland and director of [http://www.bccriskadvisory.com Bccriskadvisory].<br />
<br />
<br />
<br />
===== Extra session on Security testing: a key challenge for software engineering of web apps (17h00 - 18h00)===== <br />
While important efforts are dedicated to system functional testing, very few works study how to specifically and systematically test security mechanisms. In this talk, we will present two categories of approaches. <br />
The first ones aim at assessing security mechanisms compliance with declared policies. Any security policy is strongly connected to system functionality: testing function includes exercising many security mechanisms. However, testing functionality does not intend at exercizing all security mechanisms. We thus propose test selection criteria to produce tests from a security policy. Empirical results will be presented about access control policies and about Android apps permission checks. <br />
<br />
The second ones concern the attack surface of web apps, with a particular focus on web browser sensitivity to XSS attacks. Indeed, one of the major threats against web applications is Cross-Site Scripting (XSS) that crosses several web components: web server, security components and finally the client’s web browser. The final target is thus the client running a particular web browser. During this last decade, several competing web browsers (IE, Netscape, Chrome, Firefox) have been upgraded to add new features for the final users benefit. However, the improvement of web browsers is not related with systematic security regression testing. Beginning with an analysis of their current exposure degree to XSS, we extend the empirical study to a decade of most popular web browser versions.The results reveal a chaotic behavior in the evolution of most web browsers attack surface over time. This particularly shows an urgent need for regression testing strategies to ensure that security is not sacrificed when a new version is delivered. <br />
<br />
In both cases, security must become a specific target for testing in order to get a satisfying level of confidence in security mechanisms<br />
<br />
'''Trainer bio:'''<br />
<br />
Yves Le Traon is professor at University of Luxembourg in the domain of software engineering, reliability, validation and security. He is also a member of the Interdisciplinary Centre for Security, Reliability and Trust (SnT), where he leads the research group SERVAL (SEcuRity and VALidation of services and networks). His research interests include software testing, design for security, security testing, model-driven validation, model based testing, web application, mobile computing. <br />
<br />
Professor Le Traon received his engineering degree and his PhD in Computer Science at the “Institut National Polytechnique” in Grenoble, France, in 1997. From 1998 to 2004, he was an associate professor at the University of Rennes, in Brittany, France. He is the co-founder of the Triskell INRIA team, which focuses on innovating design, modeling and testing techniques, such as Model-driven Engineering. During this period, Professor Le Traon studied design for testability techniques, validation and diagnosis of object-oriented programs and component-based systems. From 2004 to 2006, he was an expert in Model-Driven Architecture and Validation in the EXA team (Requirements Engineering and Applications) at “France Télécom R&D”. In 2006, he became professor at Telecom Bretagne (Ecole Nationale des Télécommunications de Bretagne), where he pioneered the application of testing for security assessment of web-applications, P2P systems and the promotion of intrusion detection systems using contract-based techniques.<br />
<br />
<br />
<br />
==== Conference, December 2nd ====<br />
<br />
We are pleased to announce the list of confirmed speakers:<br />
<br />
* Brenno De Winter (Journalist) From DigiNotar to Leaktober<br />
* Koen Vanderloock (Lead Security Competence Group at Cegeka) on [https://www.owasp.org/index.php/BeNeLux_OWASP_Day_2011#OWASP_SIMBA_-_guarding_your_applications_.28by_Koen_Vanderloock.2C_Leader_Security_Competence_Group_at_Cegeka.29 the new OWASP Simba project]<br />
* Justin Clarke (Director and Co-Founder of Gotham Digital Science Ltd) on [https://www.owasp.org/index.php/BeNeLux_OWASP_Day_2011#Practical_Crypto_Attacks_Against_Web_Applications_.28by_Justin_Clarke.2C_Director_and_Co-Founder_of_Gotham_Digital_Science_Ltd.29 practical crypto attacks against web applications]<br />
* Lieven Desmet (Research Manager at University Leuven) on [https://www.owasp.org/index.php/BeNeLux_OWASP_Day_2011#HTML5_security_.28by_Lieven_Desmet.2C_Research_Manager_at_Katholieke_Universiteit_Leuven.29 HTML5 security]<br />
* Andrey Belenko (Chief Security Researcher at ElcomSoft Co. Ltd) on [https://www.owasp.org/index.php/BeNeLux_OWASP_Day_2011#Overcoming_iOS_Data_Protection_to_Re-Enable_iPhone_Forensics_.28by_Andrey_Belenko.2C_Chief_Security_Researcher_at_ElcomSoft.29 iOS data protection internals]<br />
* Sascha Rommelfangen (Incident Management - Security Research at CIRCL) on dynamic malware analysis<br />
* Ludovic Petit (Group Fraud & Information Security Adviser at SFR, Vodafone Group) on [https://www.owasp.org/index.php/BeNeLux_OWASP_Day_2011#Do_you..._Legal.3F_.28by_Ludovic_Petit.2C_Group_Fraud_.26_Information_Security_Adviser_at_SFR.2C_Vodafone_Group.29 WebApp Security and legal and regulatory aspects]<br />
*Jean-Marc Bost and Sébastien Bischof (ELCA) on The limits of e-banking<br />
* Yves Le Traon on security testing for web apps (talk will be held on the Training Day)<br />
* Seba Deleersnyder & Eoin Keary (OWASP Board) on OWASP Update<br />
<br />
Stay tuned for the final agenda!<br />
<br />
'''''Agenda''''' <br />
''(program has slightly changed !)''<br />
<br />
{| class="wikitable"<br />
! Time !! Speaker !! Topic<br />
|-<br />
| 08h30 - 9h30 || ''Registration'' || <br />
|-<br />
| 09h30 - 9h45 || OWASP Benelux Organization & Thomas Engel|| Welcome ([https://www.owasp.org/images/8/8a/2011-11-15_SnT_General.pdf PDF])<br />
|-<br />
| 09h45 - 10h00 || Sebastien Deleersnyder & Eion Keary || OWASP update ([https://www.owasp.org/images/d/d7/OWASP-Update-BeNeLux-Day-2011_v1.pptx PPT])<br />
|-<br />
| 10h00 - 10h40 || Brenno De Winter || From DigiNotar to Leaktober <br />
|-<br />
| 10h40 - 11h00 || ''Break'' ||<br />
|-<br />
| 11h00 - 11h40 || [https://www.owasp.org/index.php/BeNeLux_OWASP_Day_2011#Justin_Clarke.2C_Director_and_Co-Founder_of_Gotham_Digital_Science_Ltd Justin Clarke] || [https://www.owasp.org/index.php/BeNeLux_OWASP_Day_2011#Practical_Crypto_Attacks_Against_Web_Applications_.28by_Justin_Clarke.2C_Director_and_Co-Founder_of_Gotham_Digital_Science_Ltd.29 practical crypto attacks against web applications] <br />
|-<br />
| 11h40 - 12h20 || [https://www.owasp.org/index.php/BeNeLux_OWASP_Day_2011#Andrey_Belenko.2C_Chief_Security_Researcher_at_ElcomSoft Andrey Belenko] || [https://www.owasp.org/index.php/BeNeLux_OWASP_Day_2011#Overcoming_iOS_Data_Protection_to_Re-Enable_iPhone_Forensics_.28by_Andrey_Belenko.2C_Chief_Security_Researcher_at_ElcomSoft.29 Overcoming iOS Data Protection to Re-Enable iPhone Forensics] <br />
|-<br />
| 12h20 - 13h00 || [https://www.owasp.org/index.php/BeNeLux_OWASP_Day_2011#Koen_Vanderloock.2C_Leader_Security_Competence_Group_at_Cegeka Koen Vanderloock] || [https://www.owasp.org/index.php/BeNeLux_OWASP_Day_2011#OWASP_SIMBA_-_guarding_your_applications_.28by_Koen_Vanderloock.2C_Leader_Security_Competence_Group_at_Cegeka.29 OWASP SIMBA - guarding your applications] <br />
|-<br />
| 13h00 - 14h00 || ''Lunch'' || <br />
|-<br />
| 14h00 - 14h40 || [https://www.owasp.org/index.php/BeNeLux_OWASP_Day_2011#Ludovic_Petit.2C_Group_Fraud_.26_Information_Security_Adviser_at_SFR.2C_Vodafone_Group Ludovic Petit] || [https://www.owasp.org/index.php/BeNeLux_OWASP_Day_2011#Do_you..._Legal.3F_.28by_Ludovic_Petit.2C_Group_Fraud_.26_Information_Security_Adviser_at_SFR.2C_Vodafone_Group.29 Do you... Legal?]<br />
|-<br />
| 14h40 - 15h20 || Thierry Zoller || The rise of the Vulnerability Market<br />
|-<br />
| 15h20 - 16h00 || Jean-Marc Bost & Sébastien Bischof || The limits of e-banking <br />
|-<br />
| 16h00 - 16h20 || ''Break'' || <br />
|-<br />
| 16h20 - 17h00 || Sascha Rommelfangen || Dynamic malware analysis - or: The ~five deadly (anti-)venoms<br />
|-<br />
| 17h00 - 17h40 || [https://www.owasp.org/index.php/BeNeLux_OWASP_Day_2011#Lieven_Desmet.2C_Research_Manager_at_Katholieke_Universiteit_Leuven Lieven Desmet] || [https://www.owasp.org/index.php/BeNeLux_OWASP_Day_2011#HTML5_security_.28by_Lieven_Desmet.2C_Research_Manager_at_Katholieke_Universiteit_Leuven.29 HTML5 security]<br />
|-<br />
| 17h40 - 18h00 || OWASP Benelux 2011 organization || Closing notes<br />
<br />
|}<br />
<br />
<!-- deze laten staan. is handig om anchors te vinden tijdens edi (seba) __TOC__ --><br />
<br />
===== From DigiNotar to Leaktober=====<br />
Web application security is hard. With Lektober, Brenno shows that to the general public. Privacy is at stake, not only in the Netherlands. Brenno will reveal some of the more "interesting" leaks.<br />
<br />
=====Brenno J.S.A.A.F. de Winter=====<br />
Brenno De Winter started experimenting with security at the age of 9. He has a background in open source that dates back to 1993 and he contributed to several projects like MySQL, GnuPG, Gnucomo (Gnu Computer Monitoring) and recently started the Small Sister-project for privacy-friendly internet usage. In his daily job he practices security,teaches it and works as an IT-journalist. His writings have triggered several debates in parliament and often raises questions. <br />
<br />
=====OWASP SIMBA - guarding your applications (by [https://www.owasp.org/index.php/BeNeLux_OWASP_Day_2011#Koen_Vanderloock.2C_Leader_Security_Competence_Group_at_Cegeka Koen Vanderloock], Leader Security Competence Group at Cegeka)=====<br />
[[OWASP SIMBA Project|SIMBA (Security Integration Module for Business Applications)]] is a OWASP project that provides you with a User Access Management system that can be integrated with any business application. The purpose of SIMBA is to secure an application fast and easy. Because SIMBA itself is generic it can be customized for every project. Many features are customizable e.g. designing your own authentication chain is easy and fast by using existing or newly created building blocks. SIMBA contains authentication, authorization, session management and a GUI to manage your security information.<br />
<br />
======Koen Vanderloock, Leader Security Competence Group at Cegeka======<br />
Koen Vanderloock is the leader of the security competence group at Cegeka. About 2 years ago Cegeka decided to create a sandbox for investigating security issues and solutions so they could be included in the current projects. <br />
Koen Vanderloock is a Java developer with 8 years of experience and started exploring the world of security 3 years ago when UAM problems started to occur.<br />
<br />
=====Practical Crypto Attacks Against Web Applications (by [https://www.owasp.org/index.php/BeNeLux_OWASP_Day_2011#Justin_Clarke.2C_Director_and_Co-Founder_of_Gotham_Digital_Science_Ltd Justin Clarke], Director and Co-Founder of Gotham Digital Science Ltd)=====<br />
The science of cryptography underpins many of the information security technologies we use on a daily basis, such as the ability to keep information confidential and to ensure we can identify who we are communicating with. However, it is a very complex subject area with many types of mistakes that can reduce the overall security of a solution. A number of these types of mistakes can be identified by a tester, if they know what they're looking for, but in general it isn't a well tested area.<br />
<br />
This talk is intended to provide a high level overview of some of the areas where cryptographic operations such as encryption and hashing can provide far less security than was planned, and concrete examples of how these were found and exploited. Examples will include discussion and demonstration of the recently patched cryptographic padding attack against the Microsoft .NET framework (affecting ASP.NET applications) caused by a design error in how ASP.NET handles some types of encrypted data, but we will also be looking at some other fun areas including bit flipping attacks, ECB mode attacks, and some miscellaneous hashing algorithm attacks against common web application implementations.<br />
<br />
======Justin Clarke, Director and Co-Founder of Gotham Digital Science Ltd======<br />
Justin is a Director and Co-Founder of Gotham Digital Science and an experienced software security consultant with extensive international Big 4 risk management, security consulting and testing experience. He is the lead author/technical editor of "SQL Injection Attacks and Defenses" (Syngress 2009), co-author of "Network Security Tools" (O'Reilly 2005), contributor to "Network Security Assessment, 2nd Edition" (O'Reilly 2007), as well as a speaker at various security conferences and events such as Black Hat, EuSecWest, ISACA, BruCON, OWASP, OSCON, RSA and SANS. He is currently the OWASP London chapter president, and a member of the OWASP Global Connections Committee.<br />
On 10 Oct 2011, at 09:33, Seba wrote:<br />
<br />
=====HTML5 security (by [https://www.owasp.org/index.php/BeNeLux_OWASP_Day_2011#Lieven_Desmet.2C_Research_Manager_at_Katholieke_Universiteit_Leuven Lieven Desmet], Research Manager at Katholieke Universiteit Leuven)=====<br />
In this talk, Lieven will highlight the results of the HTML5 security analysis, conducted by the DistriNet Research Group (K.U.Leuven). The security analysis of next generation web standards, commissioned by ENISA, looked into 13 emerging W3C web standards (i.e. the specification of HTML 5 and some of the associated APIs), and assessed the security of each of them as well as the overall security and consistency across specifications.<br />
<br />
In total 51 security threats and issues have been identified, and detailed in the ENISA report (http://www.enisa.europa.eu/html5). During the talk, Lieven will discuss the methodology developed to assess the huge amount of specifications, and zoom into a representative set of identified threats and their remediation.<br />
<br />
======Lieven Desmet, Research Manager at Katholieke Universiteit Leuven======<br />
Lieven Desmet is the Research Manager on Secure Software at the Katholieke Universiteit Leuven (Belgium), where he coaches junior researchers in web application security and participates in dissemination and valorization activities. His interests are in software verification and security of middleware and web-enabled technologies. Lieven is actively engaged in OWASP and is board member of the OWASP Chapter Belgium.<br />
<br />
=====Overcoming iOS Data Protection to Re-Enable iPhone Forensics (by [https://www.owasp.org/index.php/BeNeLux_OWASP_Day_2011#Andrey_Belenko.2C_Chief_Security_Researcher_at_ElcomSoft Andrey Belenko], Chief Security Researcher at ElcomSoft)=====<br />
Data protection is a feature available for iOS devices (iOS 4 and up) with hardware encryption: iPhone 4S, iPhone 4, iPhone 3GS, iPod touch (3rd generation or later), and all iPad models. Introduction of this feature had complicated iPhone forensics process because now (almost) all files on user partition are encrypted and physical dumps are of much less value to examiners: while the filesystem seems to be intact, actual file contents are encrypted and are not suitable for analysis.<br />
<br />
This talk will provide in-depth information about iOS Data protection internals and on the implication it had on iOS forensics. More specifically, it will cover the following:<br />
*System keys and their hierarchy<br />
*Device passcode and its recovery<br />
*Escrow keys<br />
*Filesystem encryption<br />
*Keychain encryption<br />
<br />
Presentation will start by providing attendees with required background on iOS encryption keys architecture: system keys, passcode key, escrow key. After attendees are familiar with those concepts, presentation will continue to filesystem and keychain encryption details and to the techniques that can be used to overcome the hurdles imposed by iOS Data Protection.<br />
<br />
======Andrey Belenko, Chief Security Researcher at ElcomSoft======<br />
Chief security researcher and software developer at Elcomsoft. Co-invented ThunderTables (which are improved RainbowTables) and was first to bring GPU acceleration to password recovery. M. Sc. IT and CISSP.<br />
<br />
LinkedIn: http://ru.linkedin.com/in/belenko<br />
<br />
Twitter: @andreybelenko<br />
<br />
=====Do you... Legal? (by [https://www.owasp.org/index.php/BeNeLux_OWASP_Day_2011#Ludovic_Petit.2C_Group_Fraud_.26_Information_Security_Adviser_at_SFR.2C_Vodafone_Group Ludovic Petit], Group Fraud & Information Security Adviser at SFR, Vodafone Group) =====<br />
<br />
The OWASP core mission is to make application security visible, so that people and organizations can make informed decisions about true application security risks. However, if you do not pay enough attention to many aspects of Legal compliance, you'll see why Web Application Security is somehow linked to Legal and Regulatory aspects as well as... Corporate Responsability, so yours. Who is accountable for what, what about each other's responsibility? Nowadays, the legal constraints oblige us to comply via technical means, whatever the local framework, and this is specially true for Web Application Security, many sensitive informations having to be handled through these web interfaces. A such, what do you think about your Security Policy compliance with your local Legal framework? Compliant? Sure? Really? Interesting isn't it? Let's have a talk about this.<br />
<br />
======Ludovic Petit, Group Fraud & Information Security Adviser at SFR, Vodafone Group======<br />
Ludovic is an internationally recognised information security expert with over 25 years experience. Last 15 years spent in various Corporate Management positions covering both Technical and Law Enforcement expertise dedicated to Mobile Telecommunications Fraud and Security in multi-national corporations.<br />
<br />
Ludovic is Chapter Leader & Founding Member OWASP France and an active contributor to OWASP in several roles and projects.<br />
<br />
LinkedIn Profile: http://www.linkedin.com/in/lpetit<br />
<br />
=====Dynamic malware analysis - or: The ~five deadly (anti-)venoms (by Sascha Rommelfangen, Incident Management - Security Research at CIRCL) =====<br />
Malware reversing is a time consuming task. Many approaches are available to dissect and analyse suspicious binaries. Dynamic malware analysis is one of the option to better understand them and also a nifty companion to static analysis. The current dynamic malware analysis techniques will be presented especially the ones relying on instrumented operating system systems (from the filesystem to the network stack). You'll see a wandering through common and less common malware partially analysed using dynamic analysis and how dynamic malware analysis can help you.<br />
<br />
===== The limits of e-banking (by Jean-Marc Bost and Sébastien Bischof, ECLA) =====<br />
The swiss german TV channel SF1 showed a footage on swiss e-banking security. The TV show follows a team of the ETH who earned a special authorization to test several e-anking platforms. After admitting that a personal computer can be infected by different means (actually 5% of the tested PCs are infected according to Microsoft), The team from Zürich showed the limits of the different platforms. Only the bank who signs each transaction is labelled as safe. We will come back during the presentation on the nature of the threat.<br>First of all, we will explain how famous malwares such as Zeus and SpyEye manage to steal from their victims without them being able to notice anything. Then we will see that e-banking is not the only target, as a matter of fact, the reality is far from this.<br>And then we will comment the most recent techniques that allow malwares to escape Antivirus and Antimalware programs even if they are up to date. We will vulgarize several concepts such as DKOM and bootkits in order to let everybody have a glimpse on the danger they represent.<br>Finally, we will think about if signing each transaction can efficiently fight off these threats. In fact, when attacks are coupled with Social Engineering, they have potentially no limit. Zeus is a living proof of this fact, because it even managed to attack the transaction validation system by SMS. As a conclusion, we will see that the e-banking platform that managed to resist the tests of the ETH team is vulnerable to such kind of attacks. <br />
<br />
====== Jean-Marc Bost, ELCA ======<br />
Jean-Marc Bost leads the security division at ELCA. <br>He is in charge of the various security solutions proposed by ELCA, some being released by ELCA, others being provided by partner vendors. <br>With a significant experience in the development of internet applications, he focused 10 years ago on their need for security. <br>Since then, he has been very active in&nbsp;:<br>- demonstrating the threats, in particular for ebanking<br>- conceiving practical and patented solutions for strong authentication, online transactions, electronic signature and secured documents<br>- presenting the findings of the security division in security events and through expert talks<br> <br />
<br />
====== Sébastien Bischof, ELCA ======<br />
Sébastien Bischof works in the security division at ELCA Where he is specialized in OS-level and communication security.<br>As a major result, he developped a fully-working proof-of-concept of an attack against a sophisticated USB token for safe-browsing.<br>He obtained his Master of Science in Engineering at HEIG-VD/HES-SO with a strong emphasis on IT Security.<br>During his education, he focused on obfuscation and rootkit techniques.<br>Computer security enthusiast, he is very interested in hackings events such as Insomni'hack and keeps himself informed on the latest threats throuhg active participation in security forums.<br />
<br />
<br />
<br />
==== CTF ====<br />
<br />
Do you like puzzles? Do you like challenges? Are you a hacker?<br />
<br />
Whether you are an old hacker or new enthusiast you should come to OWASP BeNeLux days 2011 and participate in the Capture the Flag event December 2nd 2011 at the University of Luxemburg. <br />
<br />
The OWASP CTF is especially designed to support challengers of all skill levels. The CTF contains multiple challenges in various fields related to application security. As every challenge gains you one point, you can pick and choose which challenge you want to play.<br />
<br />
All you need is a laptop with a wifi card and your favorite (preferably) non-commercial tools. <br />
<br />
So come to Luxemburg, show off your skills, learn new tricks and above all have a good time at the CTF event. <br />
<br />
==== Registration ====<br />
<center><br />
'''The training day and the conference are free!'''&nbsp;<br />
<br />
<br> <br />
<br />
[http://owaspbenelux2011.eventbrite.com/ http://www.owasp.org/images/7/77/Buttoncreate.png] <br />
<br />
<br> To support the OWASP organisation, consider to become a member, it's only US$50!<br> Check out the [[Membership]] page to find out more.<br> <br />
<br />
<br> <br />
</center> <br />
==== Venue ====<br />
<center><br />
University of Luxembourg<br>Campus Kirchberg<br>6, rue Richard Coudenhove-Kalergi<br>L-1359 Luxembourg<br>[http://wwwen.uni.lu/contact/campus_kirchberg http://wwwen.uni.lu/contact/campus_kirchberg] <br>Room: Paul Feidert<br />
</center><br />
<br />
<br>'''Parking''':<br />
<br />
There is a public parking close to the conference venue.<br />
[http://maps.google.de/maps?q=49.63038,6.157061&num=1&t=h&vpsrc=0&z=16 Click here to find the parking on Google Maps]<br />
<br />
<br>'''Hotels nearby''': <br />
<br />
The first hotel is at 5 minutes on walk distance from the campus Kirchberg: '''[http://www.coque.lu/article/259 Hotel d’Coque]'''<br />
* single room with breakfast 77.50 €<br />
* double room with breakfast 93.00 €. <br />
* Booking email address with Ref. OWASP_SNT 2011 to : [mailto:reception@coque.lu reception@coque.lu]<br />
* Reservation deadline: 20 October 2011<br />
Second hotel (direct center of Luxembourg) 5/10 minutes with taxi or bus: '''[http://www.parcbellevue.lu/fr/index.php Hotel Parc Bellevue]'''<br />
* single room with breakfast 95.00 € (normal price 160 €)<br />
* double room with breakfast 115.00 € (normal price 180€)<br />
* wifi and parking included<br />
* Booking email address: [mailto:reservation@goeres-group.com reservation@goeres-group.com]<br />
* Reservation deadline&nbsp;: 30 November <br />
* Reservation form: [https://www.owasp.org/images/4/44/Uni_Luxembourg_OWASP_2011.doc download form] <br />
Third hotel (near the Parc Bellevue): '''[http://www.parcplaza.lu/fr/index.php Hotel Plaza]'''<br />
* single room with breakfast 130.00 € (normal price 225 €)<br />
* double room with breakfast 150.00 € (normal price 245€)<br />
* wifi and parking included<br />
* Booking email address: [mailto:reservation@goeres-group.com reservation@goeres-group.com]. <br />
* Reservation deadline: 30 November<br />
* Reservation form: [https://www.owasp.org/images/4/44/Uni_Luxembourg_OWASP_2011.doc download form] <br />
Fourth hotel: '''[http://www.melia-luxembourg.com/fr/melia-luxembourg.html Hotel Mélia]'''<br />
* single room with breakfast 140.00 €<br />
* Booking email address: [mailto:reservations.melia.luxembourg@solmelia.com reservations.melia.luxembourg@solmelia.com]<br />
* Reservation deadline: 28 October 2011<br />
* Reservation form: [https://www.owasp.org/images/f/f8/Uni_OWASP_2011_Melia.pdf download form] <br />
<br />
<br><br />
<br />
==== Organisation ====<br />
<br />
The BeNeLux Day 2011 Program Committee: <br />
<br />
*Martin Knobloch / Ferdinand Vroom ([[Netherlands|OWASP Netherlands]]) <br />
*Bart De Win / Sebastien Deleersnyder ([[Belgium|OWASP Belgium]]) <br />
*Jocelyn Aubert / Andre Adelsbach ([[Luxembourg|OWASP Luxembourg]]) <br />
*Steven van der Baan ([[:Category:OWASP CTF Project|Capture The Flag]])<br />
<br />
Local organization:<br />
<br />
*Thomas Engel <br />
*Radu State <br />
*Magali Martin <br />
*Aurel Machalek<br />
<br />
==== Sponsorship ====<br />
<br />
Contact seba &lt;at&gt; owasp.org for sponsorship <br />
<br />
<paypal>BeNeLux OWASP Day 2011</paypal> <br />
<br />
==== Social Event ====<br />
<br />
The social event is scheduled for Thursday, 1st of December, 19:00 at <br />
<br><br />
<br><br />
<center><br />
[http://www.aguadecoco.lu/ Agua De C&ocirc;co]<br><br />
2, rue Emile Mousel<br><br />
L-2165 Luxembourg<br><br />
<br><br />
([http://maps.google.com/maps?q=Rue+Emile+Mousel,+Luxembourg,+Luxemburg&hl=de&ll=49.612031,6.14125&spn=0.003379,0.009677&sll=49.709163,6.115265&sspn=0.003372,0.009677&vpsrc=6&geocode=FQIF9QIdPrVdAA&hnear=Rue+Emile+Mousel,+Luxembourg,+Luxemburg&t=h&z=17 find the location on Google Maps])<br />
<br />
Remark: split bill system - everyone has to cover own food & drinks.<br />
<br />
</center><br />
<br />
==== Promotion ====<br />
''Feel free to use the text below to promote our event!''<br />
<br />
We invite you to our next OWASP event: the '''BeNeLux OWASP Days 2011!'''<br />
<br />
Free your agenda on the 1st and 2nd of December, 2011.<br />
<br />
The good news: free! No fee!<br />
<br />
The bad news: there are only 160 seats available (first register, first serve)!<br />
<br />
<br />
'''PROGRAM Day 1'''<br />
* 10:00 AM - 18:00 PM: OWASP Training Day<br />
* 19:00 PM - ?: Social event<br />
<br />
'''OWASP Training: Secure Application Development''', by Eoin Keary<br><br />
This intensive one-day training focuses on the most common web application security problems, including aspects of both the OWASP Top Ten (2010) and the MITRE Top 25. The training will introduce and demonstrate application assessment techniques, illustrating how application vulnerabilities can be exploited so students really understand how to avoid introducing such vulnerabilities in their code.<br />
<br />
'''PROGRAM Day 2'''<br />
* 10:00 AM - 18:00 PM: OWASP Conference<br />
<br />
List of '''confirmed speakers''' (more to be announced soon):<br />
*Brenno De Winter (Journalist) on the Diginotar story<br />
*Koen Vanderloock (Lead Security Competence Group at Cegeka) on the new OWASP Simba project<br />
*Justin Clarke (Director and Co-Founder of Gotham Digital Science Ltd) on practical crypto attacks against web applications<br />
*Lieven Desmet (Research Manager at University Leuven) on HTML5 security<br />
*Andrey Belenko (Chief Security Researcher at ElcomSoft Co. Ltd) on iOS data protection internals<br />
*Sascha Rommelfangen (Incident Management - Security Research at CIRCL) on dynamic malware analysis<br />
*Ludovic Petit (Group Fraud & Information Security Adviser at SFR, Vodafone Group) on WebApp Security and legal and regulatory aspects<br />
*Seba Deleersnyder & Eoin Keary (OWASP Board) on OWASP Update<br />
<br />
'''ORGANIZATION<br>'''<br />
OWASP's all-volunteer participants produce free, professional quality, open-source documentation, tools, and standards on application security. An example of this is the famous OWASP top ten of most critical web application security flaws. The OWASP community facilitates conferences, local chapters, articles, and message forums. Participation in OWASP is free and open to all, as are all the materials we produce.<br />
<br />
'''WHO should attend?<br>'''<br />
Anyone interested in Web Application Security (management, security professionals, developers, students, etc). OWASP Belgium, Netherlands and Luxembourg chapters membership is free. All meetings are free. There are never vendor pitches or sales presentations at OWASP meetings.<br><br />
Check our chapter page http://www.owasp.org/index.php/Belgium on meeting details, sign up to the chapter mailing list and introduce yourself.<br><br />
Check our chapter page http://www.owasp.org/index.php/Netherlands on meeting details, sign up to the chapter mailing list and introduce yourself.<br><br />
Check our chapter page http://www.owasp.org/index.php/Luxembourg on meeting details, sign up to the chapter mailing list and introduce yourself.<br><br />
<br />
'''WHEN<br>'''<br />
Thursday and Friday, 1st and 2nd of December, 2011 (10 AM - 7 PM)<br />
<br />
'''WHERE<br>'''<br />
University of Luxembourg<br><br />
Campus Kirchberg<br><br />
6, rue Richard Coudenhove-Kalergi<br><br />
L-1359 Luxembourg<br><br />
http://wwwen.uni.lu/contact/campus_kirchberg<br><br />
Room: Paul Feidert<br />
<br />
Attention: make sure to '''book your hotel in time''', it will be difficult to find rooms in Luxembourg around Dec 1-2!<br><br />
Hotel details https://www.owasp.org/index.php?title=BeNeLux_OWASP_Day_2011#tab=Venue<br />
<br />
'''REGISTRATION<br>'''<br />
Only 160 places, please '''Register upfront: http://owaspbenelux2011.eventbrite.com''' !<br><br />
All latest details are available on http://www.owaspbenelux.eu<br><br />
Hope to see you all!<br><br />
<br />
The BeNeLux Program Committee,<br />
*Martin Knobloch / Ferdinand Vroom, OWASP Netherlands<br />
*Bart De Win / Sebastien Deleersnyder, OWASP Belgium<br />
*Jocelyn Aubert / Andre Adelsbach, OWASP Luxembourg<br />
*Steven van der Baan, OWASP CTF Project<br />
<br />
Kindly supported by the Interdisciplinary Centre for Security Reliability and Trust<br />
*Thomas Engel <br />
*Radu State <br />
*Magali Martin <br />
*Aurel Machalek<br />
<br />
<headertabs /><br />
<br />
<br />
<center><br />
'''Hosted and co-organized by:'''<br> <br />
[[Image:Bnl11-university-logo.jpg|link=http://wwwen.uni.lu]] <br />
[[Image:Bnl11-SECURITYANDTRUST-LOGO.jpg|link=http://www.securityandtrust.lu]] <br />
<br />
<br><br><br><br />
<br />
Made possible by our [http://www.owasp.org/index.php/BeNeLux_OWASP_Day_2011#tab=Sponsorship sponsors]:<br><br />
{{MemberLinks|link=http://www.ascure.com|logo=Ascure_Logo.jpg}} <br />
[http://www.zionsecurity.com http://www.owasp.org/images/e/e6/Zionsecurity.jpg]<br />
[http://www.zenitelbelgium.com http://www.owasp.org/images/d/df/SAIT_Zenitel.jpg]<br />
[http://www8.hp.com/us/en/solutions/solutions-detail.html?compURI=tcm:245-339290 https://www.owasp.org/images/b/b4/HP_Logo.jpg] <br />
[http://www.barracuda.com https://www.owasp.org/images/f/f6/Bnl11-Barracuda_Logo-4C.png] <br />
[http://circl.lu/ http://circl.lu/pics/logo.png]<br />
[http://www.f5.com https://www.owasp.org/images/f/fd/AppSec_Research_2010_sponsor_F5_logo.jpg]<br />
<br />
<br />
<br />
<br><br />
</center><br />
[[Category:OWASP_AppSec_Conference]] [[Category:OWASP_BeNeLux_Archives]]</div>Bart De Winhttps://wiki.owasp.org/index.php?title=File:2011-11-15_SnT_General.pdf&diff=121125File:2011-11-15 SnT General.pdf2011-12-05T20:27:32Z<p>Bart De Win: </p>
<hr />
<div></div>Bart De Winhttps://wiki.owasp.org/index.php?title=BeNeLux_OWASP_Day_2011&diff=120869BeNeLux OWASP Day 20112011-11-29T19:50:09Z<p>Bart De Win: </p>
<hr />
<div>__NOTOC__ <br />
<center>[[Image:OWASP BeNeLux 2011.jpg]]<br></center><br />
<br><!-- Header --><br />
<br />
==== Welcome ====<br />
<br />
<br><br />
<center><br />
=== Venue is the University of Luxembourg (Grand Duchy of Luxembourg) ===<br />
Training and conference location, together with hotel information, can be found [https://www.owasp.org/index.php/BeNeLux_OWASP_Day_2011#tab=Venue here].<br />
=== Training and first list of conference speakers are announced! ===<br />
See [https://www.owasp.org/index.php/BeNeLux_OWASP_Day_2011#tab=Training.2C_December_1st here] and [https://www.owasp.org/index.php/BeNeLux_OWASP_Day_2011#tab=Conference.2C_December_2nd here]<br />
=== Tweet! ===<br />
<br />
Event tag is [http://twitter.com/#search?q=%23owaspbnl11 #owaspbnl11]<br />
<br />
=== Registrations are open: ===<br />
<br />
[http://owaspbenelux2011.eventbrite.com/ http://www.owasp.org/images/7/77/Buttoncreate.png] <br />
<br />
</center><br />
<br><br />
<br />
==== Training, December 1st ====<br />
<br />
Registration '''starts at 9h00'''<br />
<br />
Training will start at '''10h00''' and we plan to stop at '''17h00'''. From '''17h00''' til '''18h00''', there will be an extra session on security testing by Yves Le Traon (see details below).<br />
<br />
The training room is: '''Paul Feidert''' (for details, check the [https://www.owasp.org/index.php/BeNeLux_OWASP_Day_2011#tab=Venue venue] tab)<br />
<br />
'''OWASP Training: Secure Application Development, by Eoin Keary'''<br />
<br />
'''Abstract:''' Writing Secure code is the most effective method to securing your web applications. Writing secure code takes skill and know-how but results in a more stable and robust application and assists in protecting an organisations brand.<br />
Application security is not commonly a part of many computer science curricula today and most organizations have not focused on instituting a culture that includes application security as a core part of their software development training efforts. This intensive one-day course focuses on the most common web application security problems, including aspects of both the OWASP Top Ten (2010) and the MITRE Top 25. The course will introduce and demonstrate application assessment techniques, illustrating how application vulnerabilities can be exploited so students really understand how to avoid introducing such vulnerabilities in their code.<br />
<br />
'''This course includes coverage of the following areas:'''<br />
<br />
* Unvalidated Input<br />
* Injection Flaws, OS commanding, SQL Injection<br />
* Cross-Site Scriping & Client-side security<br />
* CSRF/XSRF<br />
* Authentication & Session Management<br />
* Access control & Authorisation<br />
* Broken Caching<br />
* Error Handling & Resource Management<br />
* The Secure SDLC<br />
* Fuzzing, Proxy use and testing approach<br />
<br />
'''Hands on Exercises'''<br />
<br />
To cement the principles discussed, students can participate in a number of hands-on security testing exercises where they attack a live web application (i.e., OWASP Bank etc) that has been seeded with common web application vulnerabilities.<br />
<br />
The students will use proxy tools commonly used by the hacker community to complete the exercises. Students need to bring their own windows based laptop to participate in the exercises. Wireless capability is recommended. '''Make sure to get a copy of BURP proxy prior to the training: [http://www.portswigger.net/burp/downloadfree.html http://www.portswigger.net/burp/downloadfree.html]'''<br />
<br />
'''Audience'''<br />
<br />
Developers who want to understand the most common web application security flaws, and how to avoid them and code in a secure manner.<br />
<br />
Level: Beginner/Intermediate<br />
<br />
Prerequisite: Basic knowledge of a web programming language like Java or .NET recommended but not required.<br />
<br />
Bringing your own windows based laptop is recommended so you can participate in the hands on exercises<br />
<br />
'''Trainer Bio:''' <br />
<br />
[[Eoin Keary]] is a Global OWASP board member since 2009. He is a long time member of OWASP and have contributed year on year to OWASP projects and the OWASP mission of fighting the causes of software insecurity. He is based in Dublin, Ireland and director of [http://www.bccriskadvisory.com Bccriskadvisory].<br />
<br />
<br />
<br />
===== Extra session on Security testing: a key challenge for software engineering of web apps (17h00 - 18h00)===== <br />
While important efforts are dedicated to system functional testing, very few works study how to specifically and systematically test security mechanisms. In this talk, we will present two categories of approaches. <br />
The first ones aim at assessing security mechanisms compliance with declared policies. Any security policy is strongly connected to system functionality: testing function includes exercising many security mechanisms. However, testing functionality does not intend at exercizing all security mechanisms. We thus propose test selection criteria to produce tests from a security policy. Empirical results will be presented about access control policies and about Android apps permission checks. <br />
<br />
The second ones concern the attack surface of web apps, with a particular focus on web browser sensitivity to XSS attacks. Indeed, one of the major threats against web applications is Cross-Site Scripting (XSS) that crosses several web components: web server, security components and finally the client’s web browser. The final target is thus the client running a particular web browser. During this last decade, several competing web browsers (IE, Netscape, Chrome, Firefox) have been upgraded to add new features for the final users benefit. However, the improvement of web browsers is not related with systematic security regression testing. Beginning with an analysis of their current exposure degree to XSS, we extend the empirical study to a decade of most popular web browser versions.The results reveal a chaotic behavior in the evolution of most web browsers attack surface over time. This particularly shows an urgent need for regression testing strategies to ensure that security is not sacrificed when a new version is delivered. <br />
<br />
In both cases, security must become a specific target for testing in order to get a satisfying level of confidence in security mechanisms<br />
<br />
'''Trainer bio:'''<br />
<br />
Yves Le Traon is professor at University of Luxembourg in the domain of software engineering, reliability, validation and security. He is also a member of the Interdisciplinary Centre for Security, Reliability and Trust (SnT), where he leads the research group SERVAL (SEcuRity and VALidation of services and networks). His research interests include software testing, design for security, security testing, model-driven validation, model based testing, web application, mobile computing. <br />
<br />
Professor Le Traon received his engineering degree and his PhD in Computer Science at the “Institut National Polytechnique” in Grenoble, France, in 1997. From 1998 to 2004, he was an associate professor at the University of Rennes, in Brittany, France. He is the co-founder of the Triskell INRIA team, which focuses on innovating design, modeling and testing techniques, such as Model-driven Engineering. During this period, Professor Le Traon studied design for testability techniques, validation and diagnosis of object-oriented programs and component-based systems. From 2004 to 2006, he was an expert in Model-Driven Architecture and Validation in the EXA team (Requirements Engineering and Applications) at “France Télécom R&D”. In 2006, he became professor at Telecom Bretagne (Ecole Nationale des Télécommunications de Bretagne), where he pioneered the application of testing for security assessment of web-applications, P2P systems and the promotion of intrusion detection systems using contract-based techniques.<br />
<br />
<br />
<br />
==== Conference, December 2nd ====<br />
<br />
We are pleased to announce the list of confirmed speakers:<br />
<br />
* Brenno De Winter (Journalist) From DigiNotar to Leaktober<br />
* Koen Vanderloock (Lead Security Competence Group at Cegeka) on [https://www.owasp.org/index.php/BeNeLux_OWASP_Day_2011#OWASP_SIMBA_-_guarding_your_applications_.28by_Koen_Vanderloock.2C_Leader_Security_Competence_Group_at_Cegeka.29 the new OWASP Simba project]<br />
* Justin Clarke (Director and Co-Founder of Gotham Digital Science Ltd) on [https://www.owasp.org/index.php/BeNeLux_OWASP_Day_2011#Practical_Crypto_Attacks_Against_Web_Applications_.28by_Justin_Clarke.2C_Director_and_Co-Founder_of_Gotham_Digital_Science_Ltd.29 practical crypto attacks against web applications]<br />
* Lieven Desmet (Research Manager at University Leuven) on [https://www.owasp.org/index.php/BeNeLux_OWASP_Day_2011#HTML5_security_.28by_Lieven_Desmet.2C_Research_Manager_at_Katholieke_Universiteit_Leuven.29 HTML5 security]<br />
* Andrey Belenko (Chief Security Researcher at ElcomSoft Co. Ltd) on [https://www.owasp.org/index.php/BeNeLux_OWASP_Day_2011#Overcoming_iOS_Data_Protection_to_Re-Enable_iPhone_Forensics_.28by_Andrey_Belenko.2C_Chief_Security_Researcher_at_ElcomSoft.29 iOS data protection internals]<br />
* Sascha Rommelfangen (Incident Management - Security Research at CIRCL) on dynamic malware analysis<br />
* Ludovic Petit (Group Fraud & Information Security Adviser at SFR, Vodafone Group) on [https://www.owasp.org/index.php/BeNeLux_OWASP_Day_2011#Do_you..._Legal.3F_.28by_Ludovic_Petit.2C_Group_Fraud_.26_Information_Security_Adviser_at_SFR.2C_Vodafone_Group.29 WebApp Security and legal and regulatory aspects]<br />
*Jean-Marc Bost and Sébastien Bischof (ELCA) on The limits of e-banking<br />
* Yves Le Traon on security testing for web apps (talk will be held on the Training Day)<br />
* Seba Deleersnyder & Eoin Keary (OWASP Board) on OWASP Update<br />
<br />
Stay tuned for the final agenda!<br />
<br />
'''''Agenda''''' <br />
''(program has slightly changed !)''<br />
<br />
{| class="wikitable"<br />
! Time !! Speaker !! Topic<br />
|-<br />
| 08h30 - 9h30 || ''Registration'' || <br />
|-<br />
| 09h30 - 9h45 || OWASP Benelux Organization & Thomas Engel|| Welcome<br />
|-<br />
| 09h45 - 10h00 || Sebastien Deleersnyder & Eion Keary || OWASP update<br />
|-<br />
| 10h00 - 10h40 || Brenno De Winter || From DigiNotar to Leaktober <br />
|-<br />
| 10h40 - 11h00 || ''Break'' ||<br />
|-<br />
| 11h00 - 11h40 || [https://www.owasp.org/index.php/BeNeLux_OWASP_Day_2011#Justin_Clarke.2C_Director_and_Co-Founder_of_Gotham_Digital_Science_Ltd Justin Clarke] || [https://www.owasp.org/index.php/BeNeLux_OWASP_Day_2011#Practical_Crypto_Attacks_Against_Web_Applications_.28by_Justin_Clarke.2C_Director_and_Co-Founder_of_Gotham_Digital_Science_Ltd.29 practical crypto attacks against web applications] <br />
|-<br />
| 11h40 - 12h20 || [https://www.owasp.org/index.php/BeNeLux_OWASP_Day_2011#Andrey_Belenko.2C_Chief_Security_Researcher_at_ElcomSoft Andrey Belenko] || [https://www.owasp.org/index.php/BeNeLux_OWASP_Day_2011#Overcoming_iOS_Data_Protection_to_Re-Enable_iPhone_Forensics_.28by_Andrey_Belenko.2C_Chief_Security_Researcher_at_ElcomSoft.29 Overcoming iOS Data Protection to Re-Enable iPhone Forensics] <br />
|-<br />
| 12h20 - 13h00 || [https://www.owasp.org/index.php/BeNeLux_OWASP_Day_2011#Koen_Vanderloock.2C_Leader_Security_Competence_Group_at_Cegeka Koen Vanderloock] || [https://www.owasp.org/index.php/BeNeLux_OWASP_Day_2011#OWASP_SIMBA_-_guarding_your_applications_.28by_Koen_Vanderloock.2C_Leader_Security_Competence_Group_at_Cegeka.29 OWASP SIMBA - guarding your applications] <br />
|-<br />
| 13h00 - 14h00 || ''Lunch'' || <br />
|-<br />
| 14h00 - 14h40 || [https://www.owasp.org/index.php/BeNeLux_OWASP_Day_2011#Ludovic_Petit.2C_Group_Fraud_.26_Information_Security_Adviser_at_SFR.2C_Vodafone_Group Ludovic Petit] || [https://www.owasp.org/index.php/BeNeLux_OWASP_Day_2011#Do_you..._Legal.3F_.28by_Ludovic_Petit.2C_Group_Fraud_.26_Information_Security_Adviser_at_SFR.2C_Vodafone_Group.29 Do you... Legal?]<br />
|-<br />
| 14h40 - 15h20 || Thierry Zoller || The rise of the Vulnerability Market<br />
|-<br />
| 15h20 - 16h00 || Jean-Marc Bost & Sébastien Bischof || The limits of e-banking <br />
|-<br />
| 16h00 - 16h20 || ''Break'' || <br />
|-<br />
| 16h20 - 17h00 || Sascha Rommelfangen || Dynamic malware analysis <br />
|-<br />
| 17h00 - 17h40 || [https://www.owasp.org/index.php/BeNeLux_OWASP_Day_2011#Lieven_Desmet.2C_Research_Manager_at_Katholieke_Universiteit_Leuven Lieven Desmet] || [https://www.owasp.org/index.php/BeNeLux_OWASP_Day_2011#HTML5_security_.28by_Lieven_Desmet.2C_Research_Manager_at_Katholieke_Universiteit_Leuven.29 HTML5 security]<br />
|-<br />
| 17h40 - 18h00 || OWASP Benelux 2011 organization || Closing notes<br />
<br />
|}<br />
<br />
<!-- deze laten staan. is handig om anchors te vinden tijdens edi (seba) __TOC__ --><br />
<br />
===== From DigiNotar to Leaktober=====<br />
Web application security is hard. With Lektober, Brenno shows that to the general public. Privacy is at stake, not only in the Netherlands. Brenno will reveal some of the more "interesting" leaks.<br />
<br />
=====Brenno J.S.A.A.F. de Winter=====<br />
Brenno De Winter started experimenting with security at the age of 9. He has a background in open source that dates back to 1993 and he contributed to several projects like MySQL, GnuPG, Gnucomo (Gnu Computer Monitoring) and recently started the Small Sister-project for privacy-friendly internet usage. In his daily job he practices security,teaches it and works as an IT-journalist. His writings have triggered several debates in parliament and often raises questions. <br />
<br />
=====OWASP SIMBA - guarding your applications (by [https://www.owasp.org/index.php/BeNeLux_OWASP_Day_2011#Koen_Vanderloock.2C_Leader_Security_Competence_Group_at_Cegeka Koen Vanderloock], Leader Security Competence Group at Cegeka)=====<br />
[[OWASP SIMBA Project|SIMBA (Security Integration Module for Business Applications)]] is a OWASP project that provides you with a User Access Management system that can be integrated with any business application. The purpose of SIMBA is to secure an application fast and easy. Because SIMBA itself is generic it can be customized for every project. Many features are customizable e.g. designing your own authentication chain is easy and fast by using existing or newly created building blocks. SIMBA contains authentication, authorization, session management and a GUI to manage your security information.<br />
<br />
======Koen Vanderloock, Leader Security Competence Group at Cegeka======<br />
Koen Vanderloock is the leader of the security competence group at Cegeka. About 2 years ago Cegeka decided to create a sandbox for investigating security issues and solutions so they could be included in the current projects. <br />
Koen Vanderloock is a Java developer with 8 years of experience and started exploring the world of security 3 years ago when UAM problems started to occur.<br />
<br />
=====Practical Crypto Attacks Against Web Applications (by [https://www.owasp.org/index.php/BeNeLux_OWASP_Day_2011#Justin_Clarke.2C_Director_and_Co-Founder_of_Gotham_Digital_Science_Ltd Justin Clarke], Director and Co-Founder of Gotham Digital Science Ltd)=====<br />
The science of cryptography underpins many of the information security technologies we use on a daily basis, such as the ability to keep information confidential and to ensure we can identify who we are communicating with. However, it is a very complex subject area with many types of mistakes that can reduce the overall security of a solution. A number of these types of mistakes can be identified by a tester, if they know what they're looking for, but in general it isn't a well tested area.<br />
<br />
This talk is intended to provide a high level overview of some of the areas where cryptographic operations such as encryption and hashing can provide far less security than was planned, and concrete examples of how these were found and exploited. Examples will include discussion and demonstration of the recently patched cryptographic padding attack against the Microsoft .NET framework (affecting ASP.NET applications) caused by a design error in how ASP.NET handles some types of encrypted data, but we will also be looking at some other fun areas including bit flipping attacks, ECB mode attacks, and some miscellaneous hashing algorithm attacks against common web application implementations.<br />
<br />
======Justin Clarke, Director and Co-Founder of Gotham Digital Science Ltd======<br />
Justin is a Director and Co-Founder of Gotham Digital Science and an experienced software security consultant with extensive international Big 4 risk management, security consulting and testing experience. He is the lead author/technical editor of "SQL Injection Attacks and Defenses" (Syngress 2009), co-author of "Network Security Tools" (O'Reilly 2005), contributor to "Network Security Assessment, 2nd Edition" (O'Reilly 2007), as well as a speaker at various security conferences and events such as Black Hat, EuSecWest, ISACA, BruCON, OWASP, OSCON, RSA and SANS. He is currently the OWASP London chapter president, and a member of the OWASP Global Connections Committee.<br />
On 10 Oct 2011, at 09:33, Seba wrote:<br />
<br />
=====HTML5 security (by [https://www.owasp.org/index.php/BeNeLux_OWASP_Day_2011#Lieven_Desmet.2C_Research_Manager_at_Katholieke_Universiteit_Leuven Lieven Desmet], Research Manager at Katholieke Universiteit Leuven)=====<br />
In this talk, Lieven will highlight the results of the HTML5 security analysis, conducted by the DistriNet Research Group (K.U.Leuven). The security analysis of next generation web standards, commissioned by ENISA, looked into 13 emerging W3C web standards (i.e. the specification of HTML 5 and some of the associated APIs), and assessed the security of each of them as well as the overall security and consistency across specifications.<br />
<br />
In total 51 security threats and issues have been identified, and detailed in the ENISA report (http://www.enisa.europa.eu/html5). During the talk, Lieven will discuss the methodology developed to assess the huge amount of specifications, and zoom into a representative set of identified threats and their remediation.<br />
<br />
======Lieven Desmet, Research Manager at Katholieke Universiteit Leuven======<br />
Lieven Desmet is the Research Manager on Secure Software at the Katholieke Universiteit Leuven (Belgium), where he coaches junior researchers in web application security and participates in dissemination and valorization activities. His interests are in software verification and security of middleware and web-enabled technologies. Lieven is actively engaged in OWASP and is board member of the OWASP Chapter Belgium.<br />
<br />
=====Overcoming iOS Data Protection to Re-Enable iPhone Forensics (by [https://www.owasp.org/index.php/BeNeLux_OWASP_Day_2011#Andrey_Belenko.2C_Chief_Security_Researcher_at_ElcomSoft Andrey Belenko], Chief Security Researcher at ElcomSoft)=====<br />
Data protection is a feature available for iOS devices (iOS 4 and up) with hardware encryption: iPhone 4S, iPhone 4, iPhone 3GS, iPod touch (3rd generation or later), and all iPad models. Introduction of this feature had complicated iPhone forensics process because now (almost) all files on user partition are encrypted and physical dumps are of much less value to examiners: while the filesystem seems to be intact, actual file contents are encrypted and are not suitable for analysis.<br />
<br />
This talk will provide in-depth information about iOS Data protection internals and on the implication it had on iOS forensics. More specifically, it will cover the following:<br />
*System keys and their hierarchy<br />
*Device passcode and its recovery<br />
*Escrow keys<br />
*Filesystem encryption<br />
*Keychain encryption<br />
<br />
Presentation will start by providing attendees with required background on iOS encryption keys architecture: system keys, passcode key, escrow key. After attendees are familiar with those concepts, presentation will continue to filesystem and keychain encryption details and to the techniques that can be used to overcome the hurdles imposed by iOS Data Protection.<br />
<br />
======Andrey Belenko, Chief Security Researcher at ElcomSoft======<br />
Chief security researcher and software developer at Elcomsoft. Co-invented ThunderTables (which are improved RainbowTables) and was first to bring GPU acceleration to password recovery. M. Sc. IT and CISSP.<br />
<br />
LinkedIn: http://ru.linkedin.com/in/belenko<br />
<br />
Twitter: @andreybelenko<br />
<br />
=====Do you... Legal? (by [https://www.owasp.org/index.php/BeNeLux_OWASP_Day_2011#Ludovic_Petit.2C_Group_Fraud_.26_Information_Security_Adviser_at_SFR.2C_Vodafone_Group Ludovic Petit], Group Fraud & Information Security Adviser at SFR, Vodafone Group) =====<br />
<br />
The OWASP core mission is to make application security visible, so that people and organizations can make informed decisions about true application security risks. However, if you do not pay enough attention to many aspects of Legal compliance, you'll see why Web Application Security is somehow linked to Legal and Regulatory aspects as well as... Corporate Responsability, so yours. Who is accountable for what, what about each other's responsibility? Nowadays, the legal constraints oblige us to comply via technical means, whatever the local framework, and this is specially true for Web Application Security, many sensitive informations having to be handled through these web interfaces. A such, what do you think about your Security Policy compliance with your local Legal framework? Compliant? Sure? Really? Interesting isn't it? Let's have a talk about this.<br />
<br />
======Ludovic Petit, Group Fraud & Information Security Adviser at SFR, Vodafone Group======<br />
Ludovic is an internationally recognised information security expert with over 25 years experience. Last 15 years spent in various Corporate Management positions covering both Technical and Law Enforcement expertise dedicated to Mobile Telecommunications Fraud and Security in multi-national corporations.<br />
<br />
Ludovic is Chapter Leader & Founding Member OWASP France and an active contributor to OWASP in several roles and projects.<br />
<br />
LinkedIn Profile: http://www.linkedin.com/in/lpetit<br />
<br />
=====Dynamic Malware Analysis or How to Play in the House of Horrors (by Sascha Rommelfangen, Incident Management - Security Research at CIRCL) =====<br />
Malware reversing is a time consuming task. Many approaches are available to dissect and analyse suspicious binaries. Dynamic malware analysis is one of the option to better understand them and also a nifty companion to static analysis. The current dynamic malware analysis techniques will be presented especially the ones relying on instrumented operating system systems (from the filesystem to the network stack). You'll see a wandering through common and less common malware partially analysed using dynamic analysis and how dynamic malware analysis can help you.<br />
<br />
===== The limits of e-banking (by Jean-Marc Bost and Sébastien Bischof, ECLA) =====<br />
The swiss german TV channel SF1 showed a footage on swiss e-banking security. The TV show follows a team of the ETH who earned a special authorization to test several e-anking platforms. After admitting that a personal computer can be infected by different means (actually 5% of the tested PCs are infected according to Microsoft), The team from Zürich showed the limits of the different platforms. Only the bank who signs each transaction is labelled as safe. We will come back during the presentation on the nature of the threat.<br>First of all, we will explain how famous malwares such as Zeus and SpyEye manage to steal from their victims without them being able to notice anything. Then we will see that e-banking is not the only target, as a matter of fact, the reality is far from this.<br>And then we will comment the most recent techniques that allow malwares to escape Antivirus and Antimalware programs even if they are up to date. We will vulgarize several concepts such as DKOM and bootkits in order to let everybody have a glimpse on the danger they represent.<br>Finally, we will think about if signing each transaction can efficiently fight off these threats. In fact, when attacks are coupled with Social Engineering, they have potentially no limit. Zeus is a living proof of this fact, because it even managed to attack the transaction validation system by SMS. As a conclusion, we will see that the e-banking platform that managed to resist the tests of the ETH team is vulnerable to such kind of attacks. <br />
<br />
====== Jean-Marc Bost, ELCA ======<br />
Jean-Marc Bost leads the security division at ELCA. <br>He is in charge of the various security solutions proposed by ELCA, some being released by ELCA, others being provided by partner vendors. <br>With a significant experience in the development of internet applications, he focused 10 years ago on their need for security. <br>Since then, he has been very active in&nbsp;:<br>- demonstrating the threats, in particular for ebanking<br>- conceiving practical and patented solutions for strong authentication, online transactions, electronic signature and secured documents<br>- presenting the findings of the security division in security events and through expert talks<br> <br />
<br />
====== Sébastien Bischof, ELCA ======<br />
Sébastien Bischof works in the security division at ELCA Where he is specialized in OS-level and communication security.<br>As a major result, he developped a fully-working proof-of-concept of an attack against a sophisticated USB token for safe-browsing.<br>He obtained his Master of Science in Engineering at HEIG-VD/HES-SO with a strong emphasis on IT Security.<br>During his education, he focused on obfuscation and rootkit techniques.<br>Computer security enthusiast, he is very interested in hackings events such as Insomni'hack and keeps himself informed on the latest threats throuhg active participation in security forums.<br />
<br />
<br />
<br />
==== CTF ====<br />
<br />
Do you like puzzles? Do you like challenges? Are you a hacker?<br />
<br />
Whether you are an old hacker or new enthusiast you should come to OWASP BeNeLux days 2011 and participate in the Capture the Flag event December 2nd 2011 at the University of Luxemburg. <br />
<br />
The OWASP CTF is especially designed to support challengers of all skill levels. The CTF contains multiple challenges in various fields related to application security. As every challenge gains you one point, you can pick and choose which challenge you want to play.<br />
<br />
All you need is a laptop with a wifi card and your favorite (preferably) non-commercial tools. <br />
<br />
So come to Luxemburg, show off your skills, learn new tricks and above all have a good time at the CTF event. <br />
<br />
==== Registration ====<br />
<center><br />
'''The training day and the conference are free!'''&nbsp;<br />
<br />
<br> <br />
<br />
[http://owaspbenelux2011.eventbrite.com/ http://www.owasp.org/images/7/77/Buttoncreate.png] <br />
<br />
<br> To support the OWASP organisation, consider to become a member, it's only US$50!<br> Check out the [[Membership]] page to find out more.<br> <br />
<br />
<br> <br />
</center> <br />
==== Venue ====<br />
<center><br />
University of Luxembourg<br>Campus Kirchberg<br>6, rue Richard Coudenhove-Kalergi<br>L-1359 Luxembourg<br>[http://wwwen.uni.lu/contact/campus_kirchberg http://wwwen.uni.lu/contact/campus_kirchberg] <br>Room: Paul Feidert<br />
</center><br />
<br />
<br>'''Parking''':<br />
<br />
There is a public parking close to the conference venue.<br />
[http://maps.google.de/maps?q=49.63038,6.157061&num=1&t=h&vpsrc=0&z=16 Click here to find the parking on Google Maps]<br />
<br />
<br>'''Hotels nearby''': <br />
<br />
The first hotel is at 5 minutes on walk distance from the campus Kirchberg: '''[http://www.coque.lu/article/259 Hotel d’Coque]'''<br />
* single room with breakfast 77.50 €<br />
* double room with breakfast 93.00 €. <br />
* Booking email address with Ref. OWASP_SNT 2011 to : [mailto:reception@coque.lu reception@coque.lu]<br />
* Reservation deadline: 20 October 2011<br />
Second hotel (direct center of Luxembourg) 5/10 minutes with taxi or bus: '''[http://www.parcbellevue.lu/fr/index.php Hotel Parc Bellevue]'''<br />
* single room with breakfast 95.00 € (normal price 160 €)<br />
* double room with breakfast 115.00 € (normal price 180€)<br />
* wifi and parking included<br />
* Booking email address: [mailto:reservation@goeres-group.com reservation@goeres-group.com]<br />
* Reservation deadline&nbsp;: 30 November <br />
* Reservation form: [https://www.owasp.org/images/4/44/Uni_Luxembourg_OWASP_2011.doc download form] <br />
Third hotel (near the Parc Bellevue): '''[http://www.parcplaza.lu/fr/index.php Hotel Plaza]'''<br />
* single room with breakfast 130.00 € (normal price 225 €)<br />
* double room with breakfast 150.00 € (normal price 245€)<br />
* wifi and parking included<br />
* Booking email address: [mailto:reservation@goeres-group.com reservation@goeres-group.com]. <br />
* Reservation deadline: 30 November<br />
* Reservation form: [https://www.owasp.org/images/4/44/Uni_Luxembourg_OWASP_2011.doc download form] <br />
Fourth hotel: '''[http://www.melia-luxembourg.com/fr/melia-luxembourg.html Hotel Mélia]'''<br />
* single room with breakfast 140.00 €<br />
* Booking email address: [mailto:reservations.melia.luxembourg@solmelia.com reservations.melia.luxembourg@solmelia.com]<br />
* Reservation deadline: 28 October 2011<br />
* Reservation form: [https://www.owasp.org/images/f/f8/Uni_OWASP_2011_Melia.pdf download form] <br />
<br />
<br><br />
<br />
==== Organisation ====<br />
<br />
The BeNeLux Day 2011 Program Committee: <br />
<br />
*Martin Knobloch / Ferdinand Vroom ([[Netherlands|OWASP Netherlands]]) <br />
*Bart De Win / Sebastien Deleersnyder ([[Belgium|OWASP Belgium]]) <br />
*Jocelyn Aubert / Andre Adelsbach ([[Luxembourg|OWASP Luxembourg]]) <br />
*Steven van der Baan ([[:Category:OWASP CTF Project|Capture The Flag]])<br />
<br />
Local organization:<br />
<br />
*Thomas Engel <br />
*Radu State <br />
*Magali Martin <br />
*Aurel Machalek<br />
<br />
==== Sponsorship ====<br />
<br />
Contact seba &lt;at&gt; owasp.org for sponsorship <br />
<br />
<paypal>BeNeLux OWASP Day 2011</paypal> <br />
<br />
==== Social Event ====<br />
<br />
The social event is scheduled for Thursday, 1st of December, 19:00 at <br />
<br><br />
<br><br />
<center><br />
[http://www.aguadecoco.lu/ Agua De C&ocirc;co]<br><br />
2, rue Emile Mousel<br><br />
L-2165 Luxembourg<br><br />
<br><br />
([http://maps.google.com/maps?q=Rue+Emile+Mousel,+Luxembourg,+Luxemburg&hl=de&ll=49.612031,6.14125&spn=0.003379,0.009677&sll=49.709163,6.115265&sspn=0.003372,0.009677&vpsrc=6&geocode=FQIF9QIdPrVdAA&hnear=Rue+Emile+Mousel,+Luxembourg,+Luxemburg&t=h&z=17 find the location on Google Maps])<br />
<br />
Remark: split bill system - everyone has to cover own food & drinks.<br />
<br />
</center><br />
<br />
==== Promotion ====<br />
''Feel free to use the text below to promote our event!''<br />
<br />
We invite you to our next OWASP event: the '''BeNeLux OWASP Days 2011!'''<br />
<br />
Free your agenda on the 1st and 2nd of December, 2011.<br />
<br />
The good news: free! No fee!<br />
<br />
The bad news: there are only 160 seats available (first register, first serve)!<br />
<br />
<br />
'''PROGRAM Day 1'''<br />
* 10:00 AM - 18:00 PM: OWASP Training Day<br />
* 19:00 PM - ?: Social event<br />
<br />
'''OWASP Training: Secure Application Development''', by Eoin Keary<br><br />
This intensive one-day training focuses on the most common web application security problems, including aspects of both the OWASP Top Ten (2010) and the MITRE Top 25. The training will introduce and demonstrate application assessment techniques, illustrating how application vulnerabilities can be exploited so students really understand how to avoid introducing such vulnerabilities in their code.<br />
<br />
'''PROGRAM Day 2'''<br />
* 10:00 AM - 18:00 PM: OWASP Conference<br />
<br />
List of '''confirmed speakers''' (more to be announced soon):<br />
*Brenno De Winter (Journalist) on the Diginotar story<br />
*Koen Vanderloock (Lead Security Competence Group at Cegeka) on the new OWASP Simba project<br />
*Justin Clarke (Director and Co-Founder of Gotham Digital Science Ltd) on practical crypto attacks against web applications<br />
*Lieven Desmet (Research Manager at University Leuven) on HTML5 security<br />
*Andrey Belenko (Chief Security Researcher at ElcomSoft Co. Ltd) on iOS data protection internals<br />
*Sascha Rommelfangen (Incident Management - Security Research at CIRCL) on dynamic malware analysis<br />
*Ludovic Petit (Group Fraud & Information Security Adviser at SFR, Vodafone Group) on WebApp Security and legal and regulatory aspects<br />
*Seba Deleersnyder & Eoin Keary (OWASP Board) on OWASP Update<br />
<br />
'''ORGANIZATION<br>'''<br />
OWASP's all-volunteer participants produce free, professional quality, open-source documentation, tools, and standards on application security. An example of this is the famous OWASP top ten of most critical web application security flaws. The OWASP community facilitates conferences, local chapters, articles, and message forums. Participation in OWASP is free and open to all, as are all the materials we produce.<br />
<br />
'''WHO should attend?<br>'''<br />
Anyone interested in Web Application Security (management, security professionals, developers, students, etc). OWASP Belgium, Netherlands and Luxembourg chapters membership is free. All meetings are free. There are never vendor pitches or sales presentations at OWASP meetings.<br><br />
Check our chapter page http://www.owasp.org/index.php/Belgium on meeting details, sign up to the chapter mailing list and introduce yourself.<br><br />
Check our chapter page http://www.owasp.org/index.php/Netherlands on meeting details, sign up to the chapter mailing list and introduce yourself.<br><br />
Check our chapter page http://www.owasp.org/index.php/Luxembourg on meeting details, sign up to the chapter mailing list and introduce yourself.<br><br />
<br />
'''WHEN<br>'''<br />
Thursday and Friday, 1st and 2nd of December, 2011 (10 AM - 7 PM)<br />
<br />
'''WHERE<br>'''<br />
University of Luxembourg<br><br />
Campus Kirchberg<br><br />
6, rue Richard Coudenhove-Kalergi<br><br />
L-1359 Luxembourg<br><br />
http://wwwen.uni.lu/contact/campus_kirchberg<br><br />
Room: Paul Feidert<br />
<br />
Attention: make sure to '''book your hotel in time''', it will be difficult to find rooms in Luxembourg around Dec 1-2!<br><br />
Hotel details https://www.owasp.org/index.php?title=BeNeLux_OWASP_Day_2011#tab=Venue<br />
<br />
'''REGISTRATION<br>'''<br />
Only 160 places, please '''Register upfront: http://owaspbenelux2011.eventbrite.com''' !<br><br />
All latest details are available on http://www.owaspbenelux.eu<br><br />
Hope to see you all!<br><br />
<br />
The BeNeLux Program Committee,<br />
*Martin Knobloch / Ferdinand Vroom, OWASP Netherlands<br />
*Bart De Win / Sebastien Deleersnyder, OWASP Belgium<br />
*Jocelyn Aubert / Andre Adelsbach, OWASP Luxembourg<br />
*Steven van der Baan, OWASP CTF Project<br />
<br />
Kindly supported by the Interdisciplinary Centre for Security Reliability and Trust<br />
*Thomas Engel <br />
*Radu State <br />
*Magali Martin <br />
*Aurel Machalek<br />
<br />
<headertabs /><br />
<br />
<br />
<center><br />
'''Hosted and co-organized by:'''<br> <br />
[[Image:Bnl11-university-logo.jpg|link=http://wwwen.uni.lu]] <br />
[[Image:Bnl11-SECURITYANDTRUST-LOGO.jpg|link=http://www.securityandtrust.lu]] <br />
<br />
<br><br><br><br />
<br />
Made possible by our [http://www.owasp.org/index.php/BeNeLux_OWASP_Day_2011#tab=Sponsorship sponsors]:<br><br />
{{MemberLinks|link=http://www.ascure.com|logo=Ascure_Logo.jpg}} <br />
[http://www.zionsecurity.com http://www.owasp.org/images/e/e6/Zionsecurity.jpg]<br />
[http://www.zenitelbelgium.com http://www.owasp.org/images/d/df/SAIT_Zenitel.jpg]<br />
[http://www8.hp.com/us/en/solutions/solutions-detail.html?compURI=tcm:245-339290 https://www.owasp.org/images/b/b4/HP_Logo.jpg] <br />
[http://www.barracuda.com https://www.owasp.org/images/f/f6/Bnl11-Barracuda_Logo-4C.png] <br />
[http://circl.lu/ http://circl.lu/pics/logo.png]<br />
[http://www.f5.com https://www.owasp.org/images/f/fd/AppSec_Research_2010_sponsor_F5_logo.jpg]<br />
<br />
<br />
<br />
<br><br />
</center><br />
[[Category:OWASP_AppSec_Conference]] [[Category:OWASP_BeNeLux_Archives]]</div>Bart De Winhttps://wiki.owasp.org/index.php?title=BeNeLux_OWASP_Day_2011&diff=120848BeNeLux OWASP Day 20112011-11-28T21:13:47Z<p>Bart De Win: </p>
<hr />
<div>__NOTOC__ <br />
<center>[[Image:OWASP BeNeLux 2011.jpg]]<br></center><br />
<br><!-- Header --><br />
<br />
==== Welcome ====<br />
<br />
<br><br />
<center><br />
=== Venue is the University of Luxembourg (Grand Duchy of Luxembourg) ===<br />
Training and conference location, together with hotel information, can be found [https://www.owasp.org/index.php/BeNeLux_OWASP_Day_2011#tab=Venue here].<br />
=== Training and first list of conference speakers are announced! ===<br />
See [https://www.owasp.org/index.php/BeNeLux_OWASP_Day_2011#tab=Training.2C_December_1st here] and [https://www.owasp.org/index.php/BeNeLux_OWASP_Day_2011#tab=Conference.2C_December_2nd here]<br />
=== Tweet! ===<br />
<br />
Event tag is [http://twitter.com/#search?q=%23owaspbnl11 #owaspbnl11]<br />
<br />
=== Registrations are open: ===<br />
<br />
[http://owaspbenelux2011.eventbrite.com/ http://www.owasp.org/images/7/77/Buttoncreate.png] <br />
<br />
</center><br />
<br><br />
<br />
==== Training, December 1st ====<br />
<br />
Registration '''starts at 9h00'''<br />
<br />
Training will start at '''10h00''' and we plan to stop at '''17h00'''. From '''17h00''' til '''18h00''', there will be an extra session on security testing by Yves Le Traon (see details below).<br />
<br />
The training room is: '''Paul Feidert''' (for details, check the [https://www.owasp.org/index.php/BeNeLux_OWASP_Day_2011#tab=Venue venue] tab)<br />
<br />
'''OWASP Training: Secure Application Development, by Eoin Keary'''<br />
<br />
'''Abstract:''' Writing Secure code is the most effective method to securing your web applications. Writing secure code takes skill and know-how but results in a more stable and robust application and assists in protecting an organisations brand.<br />
Application security is not commonly a part of many computer science curricula today and most organizations have not focused on instituting a culture that includes application security as a core part of their software development training efforts. This intensive one-day course focuses on the most common web application security problems, including aspects of both the OWASP Top Ten (2010) and the MITRE Top 25. The course will introduce and demonstrate application assessment techniques, illustrating how application vulnerabilities can be exploited so students really understand how to avoid introducing such vulnerabilities in their code.<br />
<br />
'''This course includes coverage of the following areas:'''<br />
<br />
* Unvalidated Input<br />
* Injection Flaws, OS commanding, SQL Injection<br />
* Cross-Site Scriping & Client-side security<br />
* CSRF/XSRF<br />
* Authentication & Session Management<br />
* Access control & Authorisation<br />
* Broken Caching<br />
* Error Handling & Resource Management<br />
* The Secure SDLC<br />
* Fuzzing, Proxy use and testing approach<br />
<br />
'''Hands on Exercises'''<br />
<br />
To cement the principles discussed, students can participate in a number of hands-on security testing exercises where they attack a live web application (i.e., OWASP Bank etc) that has been seeded with common web application vulnerabilities.<br />
<br />
The students will use proxy tools commonly used by the hacker community to complete the exercises. Students need to bring their own windows based laptop to participate in the exercises. Wireless capability is recommended.<br />
<br />
'''Audience'''<br />
<br />
Developers who want to understand the most common web application security flaws, and how to avoid them and code in a secure manner.<br />
<br />
Level: Beginner/Intermediate<br />
<br />
Prerequisite: Basic knowledge of a web programming language like Java or .NET recommended but not required.<br />
<br />
Bringing your own windows based laptop is recommended so you can participate in the hands on exercises<br />
<br />
'''Trainer Bio:''' <br />
<br />
[[Eoin Keary]] is a Global OWASP board member since 2009. He is a long time member of OWASP and have contributed year on year to OWASP projects and the OWASP mission of fighting the causes of software insecurity. He is based in Dublin, Ireland and director of [http://www.bccriskadvisory.com Bccriskadvisory].<br />
<br />
<br />
<br />
===== Extra session on Security testing: a key challenge for software engineering of web apps (17h00 - 18h00)===== <br />
While important efforts are dedicated to system functional testing, very few works study how to specifically and systematically test security mechanisms. In this talk, we will present two categories of approaches. <br />
The first ones aim at assessing security mechanisms compliance with declared policies. Any security policy is strongly connected to system functionality: testing function includes exercising many security mechanisms. However, testing functionality does not intend at exercizing all security mechanisms. We thus propose test selection criteria to produce tests from a security policy. Empirical results will be presented about access control policies and about Android apps permission checks. <br />
<br />
The second ones concern the attack surface of web apps, with a particular focus on web browser sensitivity to XSS attacks. Indeed, one of the major threats against web applications is Cross-Site Scripting (XSS) that crosses several web components: web server, security components and finally the client’s web browser. The final target is thus the client running a particular web browser. During this last decade, several competing web browsers (IE, Netscape, Chrome, Firefox) have been upgraded to add new features for the final users benefit. However, the improvement of web browsers is not related with systematic security regression testing. Beginning with an analysis of their current exposure degree to XSS, we extend the empirical study to a decade of most popular web browser versions.The results reveal a chaotic behavior in the evolution of most web browsers attack surface over time. This particularly shows an urgent need for regression testing strategies to ensure that security is not sacrificed when a new version is delivered. <br />
<br />
In both cases, security must become a specific target for testing in order to get a satisfying level of confidence in security mechanisms<br />
<br />
'''Trainer bio:'''<br />
<br />
Yves Le Traon is professor at University of Luxembourg in the domain of software engineering, reliability, validation and security. He is also a member of the Interdisciplinary Centre for Security, Reliability and Trust (SnT), where he leads the research group SERVAL (SEcuRity and VALidation of services and networks). His research interests include software testing, design for security, security testing, model-driven validation, model based testing, web application, mobile computing. <br />
<br />
Professor Le Traon received his engineering degree and his PhD in Computer Science at the “Institut National Polytechnique” in Grenoble, France, in 1997. From 1998 to 2004, he was an associate professor at the University of Rennes, in Brittany, France. He is the co-founder of the Triskell INRIA team, which focuses on innovating design, modeling and testing techniques, such as Model-driven Engineering. During this period, Professor Le Traon studied design for testability techniques, validation and diagnosis of object-oriented programs and component-based systems. From 2004 to 2006, he was an expert in Model-Driven Architecture and Validation in the EXA team (Requirements Engineering and Applications) at “France Télécom R&D”. In 2006, he became professor at Telecom Bretagne (Ecole Nationale des Télécommunications de Bretagne), where he pioneered the application of testing for security assessment of web-applications, P2P systems and the promotion of intrusion detection systems using contract-based techniques.<br />
<br />
<br />
<br />
==== Conference, December 2nd ====<br />
<br />
We are pleased to announce the list of confirmed speakers:<br />
<br />
* Brenno De Winter (Journalist) From DigiNotar to Leaktober<br />
* Koen Vanderloock (Lead Security Competence Group at Cegeka) on [https://www.owasp.org/index.php/BeNeLux_OWASP_Day_2011#OWASP_SIMBA_-_guarding_your_applications_.28by_Koen_Vanderloock.2C_Leader_Security_Competence_Group_at_Cegeka.29 the new OWASP Simba project]<br />
* Justin Clarke (Director and Co-Founder of Gotham Digital Science Ltd) on [https://www.owasp.org/index.php/BeNeLux_OWASP_Day_2011#Practical_Crypto_Attacks_Against_Web_Applications_.28by_Justin_Clarke.2C_Director_and_Co-Founder_of_Gotham_Digital_Science_Ltd.29 practical crypto attacks against web applications]<br />
* Lieven Desmet (Research Manager at University Leuven) on [https://www.owasp.org/index.php/BeNeLux_OWASP_Day_2011#HTML5_security_.28by_Lieven_Desmet.2C_Research_Manager_at_Katholieke_Universiteit_Leuven.29 HTML5 security]<br />
* Andrey Belenko (Chief Security Researcher at ElcomSoft Co. Ltd) on [https://www.owasp.org/index.php/BeNeLux_OWASP_Day_2011#Overcoming_iOS_Data_Protection_to_Re-Enable_iPhone_Forensics_.28by_Andrey_Belenko.2C_Chief_Security_Researcher_at_ElcomSoft.29 iOS data protection internals]<br />
* Alexandre Dulaunoy (Incident Management - Security Research at CIRCL) on dynamic malware analysis<br />
* Ludovic Petit (Group Fraud & Information Security Adviser at SFR, Vodafone Group) on [https://www.owasp.org/index.php/BeNeLux_OWASP_Day_2011#Do_you..._Legal.3F_.28by_Ludovic_Petit.2C_Group_Fraud_.26_Information_Security_Adviser_at_SFR.2C_Vodafone_Group.29 WebApp Security and legal and regulatory aspects]<br />
*Jean-Marc Bost and Sébastien Bischof (ELCA) on The limits of e-banking<br />
* Yves Le Traon on security testing for web apps (talk will be held on the Training Day)<br />
* Seba Deleersnyder & Eoin Keary (OWASP Board) on OWASP Update<br />
<br />
Stay tuned for the final agenda!<br />
<br />
'''''Agenda''''' <br />
''(program has slightly changed !)''<br />
<br />
{| class="wikitable"<br />
! Time !! Speaker !! Topic<br />
|-<br />
| 08h30 - 9h30 || ''Registration'' || <br />
|-<br />
| 09h30 - 9h40 || OWASP Benelux Organization & Thomas Engel|| Welcome<br />
|-<br />
| 09h40 - 10h00 || Sebastien Deleersnyder & Eion Keary || OWASP update<br />
|-<br />
| 10h00 - 10h40 || Brenno De Winter || From DigiNotar to Leaktober <br />
|-<br />
| 10h40 - 11h00 || ''Break'' ||<br />
|-<br />
| 11h00 - 11h40 || [https://www.owasp.org/index.php/BeNeLux_OWASP_Day_2011#Justin_Clarke.2C_Director_and_Co-Founder_of_Gotham_Digital_Science_Ltd Justin Clarke] || [https://www.owasp.org/index.php/BeNeLux_OWASP_Day_2011#Practical_Crypto_Attacks_Against_Web_Applications_.28by_Justin_Clarke.2C_Director_and_Co-Founder_of_Gotham_Digital_Science_Ltd.29 practical crypto attacks against web applications] <br />
|-<br />
| 11h40 - 12h20 || [https://www.owasp.org/index.php/BeNeLux_OWASP_Day_2011#Andrey_Belenko.2C_Chief_Security_Researcher_at_ElcomSoft Andrey Belenko] || [https://www.owasp.org/index.php/BeNeLux_OWASP_Day_2011#Overcoming_iOS_Data_Protection_to_Re-Enable_iPhone_Forensics_.28by_Andrey_Belenko.2C_Chief_Security_Researcher_at_ElcomSoft.29 Overcoming iOS Data Protection to Re-Enable iPhone Forensics] <br />
|-<br />
| 12h20 - 13h00 || [https://www.owasp.org/index.php/BeNeLux_OWASP_Day_2011#Koen_Vanderloock.2C_Leader_Security_Competence_Group_at_Cegeka Koen Vanderloock] || [https://www.owasp.org/index.php/BeNeLux_OWASP_Day_2011#OWASP_SIMBA_-_guarding_your_applications_.28by_Koen_Vanderloock.2C_Leader_Security_Competence_Group_at_Cegeka.29 OWASP SIMBA - guarding your applications] <br />
|-<br />
| 13h00 - 14h00 || ''Lunch'' || <br />
|-<br />
| 14h00 - 14h40 || [https://www.owasp.org/index.php/BeNeLux_OWASP_Day_2011#Ludovic_Petit.2C_Group_Fraud_.26_Information_Security_Adviser_at_SFR.2C_Vodafone_Group Ludovic Petit] || [https://www.owasp.org/index.php/BeNeLux_OWASP_Day_2011#Do_you..._Legal.3F_.28by_Ludovic_Petit.2C_Group_Fraud_.26_Information_Security_Adviser_at_SFR.2C_Vodafone_Group.29 Do you... Legal?]<br />
|-<br />
| 14h40 - 15h20 || Thierry Zoller || The rise of the Vulnerability Market<br />
|-<br />
| 15h20 - 16h00 || Jean-Marc Bost & Sébastien Bischof || The limits of e-banking <br />
|-<br />
| 16h00 - 16h20 || ''Break'' || <br />
|-<br />
| 16h20 - 17h00 || Alexandre Delaunoy || Dynamic malware analysis <br />
|-<br />
| 17h00 - 17h40 || [https://www.owasp.org/index.php/BeNeLux_OWASP_Day_2011#Lieven_Desmet.2C_Research_Manager_at_Katholieke_Universiteit_Leuven Lieven Desmet] || [https://www.owasp.org/index.php/BeNeLux_OWASP_Day_2011#HTML5_security_.28by_Lieven_Desmet.2C_Research_Manager_at_Katholieke_Universiteit_Leuven.29 HTML5 security]<br />
|-<br />
| 17h40 - 18h00 || OWASP Benelux 2011 organization || Closing notes<br />
<br />
|}<br />
<br />
<!-- deze laten staan. is handig om anchors te vinden tijdens edi (seba) __TOC__ --><br />
<br />
===== From DigiNotar to Leaktober=====<br />
Web application security is hard. With Lektober, Brenno shows that to the general public. Privacy is at stake, not only in the Netherlands. Brenno will reveal some of the more "interesting" leaks.<br />
<br />
=====Brenno J.S.A.A.F. de Winter=====<br />
Brenno De Winter started experimenting with security at the age of 9. He has a background in open source that dates back to 1993 and he contributed to several projects like MySQL, GnuPG, Gnucomo (Gnu Computer Monitoring) and recently started the Small Sister-project for privacy-friendly internet usage. In his daily job he practices security,teaches it and works as an IT-journalist. His writings have triggered several debates in parliament and often raises questions. <br />
<br />
=====OWASP SIMBA - guarding your applications (by [https://www.owasp.org/index.php/BeNeLux_OWASP_Day_2011#Koen_Vanderloock.2C_Leader_Security_Competence_Group_at_Cegeka Koen Vanderloock], Leader Security Competence Group at Cegeka)=====<br />
[[OWASP SIMBA Project|SIMBA (Security Integration Module for Business Applications)]] is a OWASP project that provides you with a User Access Management system that can be integrated with any business application. The purpose of SIMBA is to secure an application fast and easy. Because SIMBA itself is generic it can be customized for every project. Many features are customizable e.g. designing your own authentication chain is easy and fast by using existing or newly created building blocks. SIMBA contains authentication, authorization, session management and a GUI to manage your security information.<br />
<br />
======Koen Vanderloock, Leader Security Competence Group at Cegeka======<br />
Koen Vanderloock is the leader of the security competence group at Cegeka. About 2 years ago Cegeka decided to create a sandbox for investigating security issues and solutions so they could be included in the current projects. <br />
Koen Vanderloock is a Java developer with 8 years of experience and started exploring the world of security 3 years ago when UAM problems started to occur.<br />
<br />
=====Practical Crypto Attacks Against Web Applications (by [https://www.owasp.org/index.php/BeNeLux_OWASP_Day_2011#Justin_Clarke.2C_Director_and_Co-Founder_of_Gotham_Digital_Science_Ltd Justin Clarke], Director and Co-Founder of Gotham Digital Science Ltd)=====<br />
The science of cryptography underpins many of the information security technologies we use on a daily basis, such as the ability to keep information confidential and to ensure we can identify who we are communicating with. However, it is a very complex subject area with many types of mistakes that can reduce the overall security of a solution. A number of these types of mistakes can be identified by a tester, if they know what they're looking for, but in general it isn't a well tested area.<br />
<br />
This talk is intended to provide a high level overview of some of the areas where cryptographic operations such as encryption and hashing can provide far less security than was planned, and concrete examples of how these were found and exploited. Examples will include discussion and demonstration of the recently patched cryptographic padding attack against the Microsoft .NET framework (affecting ASP.NET applications) caused by a design error in how ASP.NET handles some types of encrypted data, but we will also be looking at some other fun areas including bit flipping attacks, ECB mode attacks, and some miscellaneous hashing algorithm attacks against common web application implementations.<br />
<br />
======Justin Clarke, Director and Co-Founder of Gotham Digital Science Ltd======<br />
Justin is a Director and Co-Founder of Gotham Digital Science and an experienced software security consultant with extensive international Big 4 risk management, security consulting and testing experience. He is the lead author/technical editor of "SQL Injection Attacks and Defenses" (Syngress 2009), co-author of "Network Security Tools" (O'Reilly 2005), contributor to "Network Security Assessment, 2nd Edition" (O'Reilly 2007), as well as a speaker at various security conferences and events such as Black Hat, EuSecWest, ISACA, BruCON, OWASP, OSCON, RSA and SANS. He is currently the OWASP London chapter president, and a member of the OWASP Global Connections Committee.<br />
On 10 Oct 2011, at 09:33, Seba wrote:<br />
<br />
=====HTML5 security (by [https://www.owasp.org/index.php/BeNeLux_OWASP_Day_2011#Lieven_Desmet.2C_Research_Manager_at_Katholieke_Universiteit_Leuven Lieven Desmet], Research Manager at Katholieke Universiteit Leuven)=====<br />
In this talk, Lieven will highlight the results of the HTML5 security analysis, conducted by the DistriNet Research Group (K.U.Leuven). The security analysis of next generation web standards, commissioned by ENISA, looked into 13 emerging W3C web standards (i.e. the specification of HTML 5 and some of the associated APIs), and assessed the security of each of them as well as the overall security and consistency across specifications.<br />
<br />
In total 51 security threats and issues have been identified, and detailed in the ENISA report (http://www.enisa.europa.eu/html5). During the talk, Lieven will discuss the methodology developed to assess the huge amount of specifications, and zoom into a representative set of identified threats and their remediation.<br />
<br />
======Lieven Desmet, Research Manager at Katholieke Universiteit Leuven======<br />
Lieven Desmet is the Research Manager on Secure Software at the Katholieke Universiteit Leuven (Belgium), where he coaches junior researchers in web application security and participates in dissemination and valorization activities. His interests are in software verification and security of middleware and web-enabled technologies. Lieven is actively engaged in OWASP and is board member of the OWASP Chapter Belgium.<br />
<br />
=====Overcoming iOS Data Protection to Re-Enable iPhone Forensics (by [https://www.owasp.org/index.php/BeNeLux_OWASP_Day_2011#Andrey_Belenko.2C_Chief_Security_Researcher_at_ElcomSoft Andrey Belenko], Chief Security Researcher at ElcomSoft)=====<br />
Data protection is a feature available for iOS devices (iOS 4 and up) with hardware encryption: iPhone 4S, iPhone 4, iPhone 3GS, iPod touch (3rd generation or later), and all iPad models. Introduction of this feature had complicated iPhone forensics process because now (almost) all files on user partition are encrypted and physical dumps are of much less value to examiners: while the filesystem seems to be intact, actual file contents are encrypted and are not suitable for analysis.<br />
<br />
This talk will provide in-depth information about iOS Data protection internals and on the implication it had on iOS forensics. More specifically, it will cover the following:<br />
*System keys and their hierarchy<br />
*Device passcode and its recovery<br />
*Escrow keys<br />
*Filesystem encryption<br />
*Keychain encryption<br />
<br />
Presentation will start by providing attendees with required background on iOS encryption keys architecture: system keys, passcode key, escrow key. After attendees are familiar with those concepts, presentation will continue to filesystem and keychain encryption details and to the techniques that can be used to overcome the hurdles imposed by iOS Data Protection.<br />
<br />
======Andrey Belenko, Chief Security Researcher at ElcomSoft======<br />
Chief security researcher and software developer at Elcomsoft. Co-invented ThunderTables (which are improved RainbowTables) and was first to bring GPU acceleration to password recovery. M. Sc. IT and CISSP.<br />
<br />
LinkedIn: http://ru.linkedin.com/in/belenko<br />
<br />
Twitter: @andreybelenko<br />
<br />
=====Do you... Legal? (by [https://www.owasp.org/index.php/BeNeLux_OWASP_Day_2011#Ludovic_Petit.2C_Group_Fraud_.26_Information_Security_Adviser_at_SFR.2C_Vodafone_Group Ludovic Petit], Group Fraud & Information Security Adviser at SFR, Vodafone Group) =====<br />
<br />
The OWASP core mission is to make application security visible, so that people and organizations can make informed decisions about true application security risks. However, if you do not pay enough attention to many aspects of Legal compliance, you'll see why Web Application Security is somehow linked to Legal and Regulatory aspects as well as... Corporate Responsability, so yours. Who is accountable for what, what about each other's responsibility? Nowadays, the legal constraints oblige us to comply via technical means, whatever the local framework, and this is specially true for Web Application Security, many sensitive informations having to be handled through these web interfaces. A such, what do you think about your Security Policy compliance with your local Legal framework? Compliant? Sure? Really? Interesting isn't it? Let's have a talk about this.<br />
<br />
======Ludovic Petit, Group Fraud & Information Security Adviser at SFR, Vodafone Group======<br />
Ludovic is an internationally recognised information security expert with over 25 years experience. Last 15 years spent in various Corporate Management positions covering both Technical and Law Enforcement expertise dedicated to Mobile Telecommunications Fraud and Security in multi-national corporations.<br />
<br />
Ludovic is Chapter Leader & Founding Member OWASP France and an active contributor to OWASP in several roles and projects.<br />
<br />
LinkedIn Profile: http://www.linkedin.com/in/lpetit<br />
<br />
=====Dynamic Malware Analysis or How to Play in the House of Horrors (by Alexandre Dulaunoy, Incident Management - Security Research at CIRCL) =====<br />
Malware reversing is a time consuming task. Many approaches are available to dissect and analyse suspicious binaries. Dynamic malware analysis is one of the option to better understand them and also a nifty companion to static analysis. The current dynamic malware analysis techniques will be presented especially the ones relying on instrumented operating system systems (from the filesystem to the network stack). You'll see a wandering through common and less common malware partially analysed using dynamic analysis and how dynamic malware analysis can help you.<br />
<br />
===== The limits of e-banking (by Jean-Marc Bost and Sébastien Bischof, ECLA) =====<br />
The swiss german TV channel SF1 showed a footage on swiss e-banking security. The TV show follows a team of the ETH who earned a special authorization to test several e-anking platforms. After admitting that a personal computer can be infected by different means (actually 5% of the tested PCs are infected according to Microsoft), The team from Zürich showed the limits of the different platforms. Only the bank who signs each transaction is labelled as safe. We will come back during the presentation on the nature of the threat.<br>First of all, we will explain how famous malwares such as Zeus and SpyEye manage to steal from their victims without them being able to notice anything. Then we will see that e-banking is not the only target, as a matter of fact, the reality is far from this.<br>And then we will comment the most recent techniques that allow malwares to escape Antivirus and Antimalware programs even if they are up to date. We will vulgarize several concepts such as DKOM and bootkits in order to let everybody have a glimpse on the danger they represent.<br>Finally, we will think about if signing each transaction can efficiently fight off these threats. In fact, when attacks are coupled with Social Engineering, they have potentially no limit. Zeus is a living proof of this fact, because it even managed to attack the transaction validation system by SMS. As a conclusion, we will see that the e-banking platform that managed to resist the tests of the ETH team is vulnerable to such kind of attacks. <br />
<br />
====== Jean-Marc Bost, ELCA ======<br />
Jean-Marc Bost leads the security division at ELCA. <br>He is in charge of the various security solutions proposed by ELCA, some being released by ELCA, others being provided by partner vendors. <br>With a significant experience in the development of internet applications, he focused 10 years ago on their need for security. <br>Since then, he has been very active in&nbsp;:<br>- demonstrating the threats, in particular for ebanking<br>- conceiving practical and patented solutions for strong authentication, online transactions, electronic signature and secured documents<br>- presenting the findings of the security division in security events and through expert talks<br> <br />
<br />
====== Sébastien Bischof, ELCA ======<br />
Sébastien Bischof works in the security division at ELCA Where he is specialized in OS-level and communication security.<br>As a major result, he developped a fully-working proof-of-concept of an attack against a sophisticated USB token for safe-browsing.<br>He obtained his Master of Science in Engineering at HEIG-VD/HES-SO with a strong emphasis on IT Security.<br>During his education, he focused on obfuscation and rootkit techniques.<br>Computer security enthusiast, he is very interested in hackings events such as Insomni'hack and keeps himself informed on the latest threats throuhg active participation in security forums.<br />
<br />
<br />
<br />
==== CTF ====<br />
<br />
Do you like puzzles? Do you like challenges? Are you a hacker?<br />
<br />
Whether you are an old hacker or new enthusiast you should come to OWASP BeNeLux days 2011 and participate in the Capture the Flag event December 2nd 2011 at the University of Luxemburg. <br />
<br />
The OWASP CTF is especially designed to support challengers of all skill levels. The CTF contains multiple challenges in various fields related to application security. As every challenge gains you one point, you can pick and choose which challenge you want to play.<br />
<br />
All you need is a laptop with a wifi card and your favorite (preferably) non-commercial tools. <br />
<br />
So come to Luxemburg, show off your skills, learn new tricks and above all have a good time at the CTF event. <br />
<br />
==== Registration ====<br />
<center><br />
'''The training day and the conference are free!'''&nbsp;<br />
<br />
<br> <br />
<br />
[http://owaspbenelux2011.eventbrite.com/ http://www.owasp.org/images/7/77/Buttoncreate.png] <br />
<br />
<br> To support the OWASP organisation, consider to become a member, it's only US$50!<br> Check out the [[Membership]] page to find out more.<br> <br />
<br />
<br> <br />
</center> <br />
==== Venue ====<br />
<center><br />
University of Luxembourg<br>Campus Kirchberg<br>6, rue Richard Coudenhove-Kalergi<br>L-1359 Luxembourg<br>[http://wwwen.uni.lu/contact/campus_kirchberg http://wwwen.uni.lu/contact/campus_kirchberg] <br>Room: Paul Feidert<br />
</center><br />
<br />
<br>'''Parking''':<br />
<br />
There is a public parking close to the conference venue.<br />
[http://maps.google.de/maps?q=49.63038,6.157061&num=1&t=h&vpsrc=0&z=16 Click here to find the parking on Google Maps]<br />
<br />
<br>'''Hotels nearby''': <br />
<br />
The first hotel is at 5 minutes on walk distance from the campus Kirchberg: '''[http://www.coque.lu/article/259 Hotel d’Coque]'''<br />
* single room with breakfast 77.50 €<br />
* double room with breakfast 93.00 €. <br />
* Booking email address with Ref. OWASP_SNT 2011 to : [mailto:reception@coque.lu reception@coque.lu]<br />
* Reservation deadline: 20 October 2011<br />
Second hotel (direct center of Luxembourg) 5/10 minutes with taxi or bus: '''[http://www.parcbellevue.lu/fr/index.php Hotel Parc Bellevue]'''<br />
* single room with breakfast 95.00 € (normal price 160 €)<br />
* double room with breakfast 115.00 € (normal price 180€)<br />
* wifi and parking included<br />
* Booking email address: [mailto:reservation@goeres-group.com reservation@goeres-group.com]<br />
* Reservation deadline&nbsp;: 30 November <br />
* Reservation form: [https://www.owasp.org/images/4/44/Uni_Luxembourg_OWASP_2011.doc download form] <br />
Third hotel (near the Parc Bellevue): '''[http://www.parcplaza.lu/fr/index.php Hotel Plaza]'''<br />
* single room with breakfast 130.00 € (normal price 225 €)<br />
* double room with breakfast 150.00 € (normal price 245€)<br />
* wifi and parking included<br />
* Booking email address: [mailto:reservation@goeres-group.com reservation@goeres-group.com]. <br />
* Reservation deadline: 30 November<br />
* Reservation form: [https://www.owasp.org/images/4/44/Uni_Luxembourg_OWASP_2011.doc download form] <br />
Fourth hotel: '''[http://www.melia-luxembourg.com/fr/melia-luxembourg.html Hotel Mélia]'''<br />
* single room with breakfast 140.00 €<br />
* Booking email address: [mailto:reservations.melia.luxembourg@solmelia.com reservations.melia.luxembourg@solmelia.com]<br />
* Reservation deadline: 28 October 2011<br />
* Reservation form: [https://www.owasp.org/images/f/f8/Uni_OWASP_2011_Melia.pdf download form] <br />
<br />
<br><br />
<br />
==== Organisation ====<br />
<br />
The BeNeLux Day 2011 Program Committee: <br />
<br />
*Martin Knobloch / Ferdinand Vroom ([[Netherlands|OWASP Netherlands]]) <br />
*Bart De Win / Sebastien Deleersnyder ([[Belgium|OWASP Belgium]]) <br />
*Jocelyn Aubert / Andre Adelsbach ([[Luxembourg|OWASP Luxembourg]]) <br />
*Steven van der Baan ([[:Category:OWASP CTF Project|Capture The Flag]])<br />
<br />
Local organization:<br />
<br />
*Thomas Engel <br />
*Radu State <br />
*Magali Martin <br />
*Aurel Machalek<br />
<br />
==== Sponsorship ====<br />
<br />
Contact seba &lt;at&gt; owasp.org for sponsorship <br />
<br />
<paypal>BeNeLux OWASP Day 2011</paypal> <br />
<br />
==== Social Event ====<br />
<br />
The social event is scheduled for Thursday, 1st of December, 19:00 at <br />
<br><br />
<br><br />
<center><br />
[http://www.aguadecoco.lu/ Agua De C&ocirc;co]<br><br />
2, rue Emile Mousel<br><br />
L-2165 Luxembourg<br><br />
<br><br />
([http://maps.google.com/maps?q=Rue+Emile+Mousel,+Luxembourg,+Luxemburg&hl=de&ll=49.612031,6.14125&spn=0.003379,0.009677&sll=49.709163,6.115265&sspn=0.003372,0.009677&vpsrc=6&geocode=FQIF9QIdPrVdAA&hnear=Rue+Emile+Mousel,+Luxembourg,+Luxemburg&t=h&z=17 find the location on Google Maps])<br />
<br />
Remark: split bill system - everyone has to cover own food & drinks.<br />
<br />
</center><br />
<br />
==== Promotion ====<br />
''Feel free to use the text below to promote our event!''<br />
<br />
We invite you to our next OWASP event: the '''BeNeLux OWASP Days 2011!'''<br />
<br />
Free your agenda on the 1st and 2nd of December, 2011.<br />
<br />
The good news: free! No fee!<br />
<br />
The bad news: there are only 160 seats available (first register, first serve)!<br />
<br />
<br />
'''PROGRAM Day 1'''<br />
* 10:00 AM - 18:00 PM: OWASP Training Day<br />
* 19:00 PM - ?: Social event<br />
<br />
'''OWASP Training: Secure Application Development''', by Eoin Keary<br><br />
This intensive one-day training focuses on the most common web application security problems, including aspects of both the OWASP Top Ten (2010) and the MITRE Top 25. The training will introduce and demonstrate application assessment techniques, illustrating how application vulnerabilities can be exploited so students really understand how to avoid introducing such vulnerabilities in their code.<br />
<br />
'''PROGRAM Day 2'''<br />
* 10:00 AM - 18:00 PM: OWASP Conference<br />
<br />
List of '''confirmed speakers''' (more to be announced soon):<br />
*Brenno De Winter (Journalist) on the Diginotar story<br />
*Koen Vanderloock (Lead Security Competence Group at Cegeka) on the new OWASP Simba project<br />
*Justin Clarke (Director and Co-Founder of Gotham Digital Science Ltd) on practical crypto attacks against web applications<br />
*Lieven Desmet (Research Manager at University Leuven) on HTML5 security<br />
*Andrey Belenko (Chief Security Researcher at ElcomSoft Co. Ltd) on iOS data protection internals<br />
*Alexandre Dulaunoy (Incident Management - Security Research at CIRCL) on dynamic malware analysis<br />
*Ludovic Petit (Group Fraud & Information Security Adviser at SFR, Vodafone Group) on WebApp Security and legal and regulatory aspects<br />
*Seba Deleersnyder & Eoin Keary (OWASP Board) on OWASP Update<br />
<br />
'''ORGANIZATION<br>'''<br />
OWASP's all-volunteer participants produce free, professional quality, open-source documentation, tools, and standards on application security. An example of this is the famous OWASP top ten of most critical web application security flaws. The OWASP community facilitates conferences, local chapters, articles, and message forums. Participation in OWASP is free and open to all, as are all the materials we produce.<br />
<br />
'''WHO should attend?<br>'''<br />
Anyone interested in Web Application Security (management, security professionals, developers, students, etc). OWASP Belgium, Netherlands and Luxembourg chapters membership is free. All meetings are free. There are never vendor pitches or sales presentations at OWASP meetings.<br><br />
Check our chapter page http://www.owasp.org/index.php/Belgium on meeting details, sign up to the chapter mailing list and introduce yourself.<br><br />
Check our chapter page http://www.owasp.org/index.php/Netherlands on meeting details, sign up to the chapter mailing list and introduce yourself.<br><br />
Check our chapter page http://www.owasp.org/index.php/Luxembourg on meeting details, sign up to the chapter mailing list and introduce yourself.<br><br />
<br />
'''WHEN<br>'''<br />
Thursday and Friday, 1st and 2nd of December, 2011 (10 AM - 7 PM)<br />
<br />
'''WHERE<br>'''<br />
University of Luxembourg<br><br />
Campus Kirchberg<br><br />
6, rue Richard Coudenhove-Kalergi<br><br />
L-1359 Luxembourg<br><br />
http://wwwen.uni.lu/contact/campus_kirchberg<br><br />
Room: Paul Feidert<br />
<br />
Attention: make sure to '''book your hotel in time''', it will be difficult to find rooms in Luxembourg around Dec 1-2!<br><br />
Hotel details https://www.owasp.org/index.php?title=BeNeLux_OWASP_Day_2011#tab=Venue<br />
<br />
'''REGISTRATION<br>'''<br />
Only 160 places, please '''Register upfront: http://owaspbenelux2011.eventbrite.com''' !<br><br />
All latest details are available on http://www.owaspbenelux.eu<br><br />
Hope to see you all!<br><br />
<br />
The BeNeLux Program Committee,<br />
*Martin Knobloch / Ferdinand Vroom, OWASP Netherlands<br />
*Bart De Win / Sebastien Deleersnyder, OWASP Belgium<br />
*Jocelyn Aubert / Andre Adelsbach, OWASP Luxembourg<br />
*Steven van der Baan, OWASP CTF Project<br />
<br />
Kindly supported by the Interdisciplinary Centre for Security Reliability and Trust<br />
*Thomas Engel <br />
*Radu State <br />
*Magali Martin <br />
*Aurel Machalek<br />
<br />
<headertabs /><br />
<br />
<br />
<center><br />
'''Hosted and co-organized by:'''<br> <br />
[[Image:Bnl11-university-logo.jpg|link=http://wwwen.uni.lu]] <br />
[[Image:Bnl11-SECURITYANDTRUST-LOGO.jpg|link=http://www.securityandtrust.lu]] <br />
<br />
<br><br><br><br />
<br />
Made possible by our [http://www.owasp.org/index.php/BeNeLux_OWASP_Day_2011#tab=Sponsorship sponsors]:<br><br />
{{MemberLinks|link=http://www.ascure.com|logo=Ascure_Logo.jpg}} <br />
[http://www.zionsecurity.com http://www.owasp.org/images/e/e6/Zionsecurity.jpg]<br />
[http://www.zenitelbelgium.com http://www.owasp.org/images/d/df/SAIT_Zenitel.jpg]<br />
[http://www8.hp.com/us/en/solutions/solutions-detail.html?compURI=tcm:245-339290 https://www.owasp.org/images/b/b4/HP_Logo.jpg] <br />
[http://www.barracuda.com https://www.owasp.org/images/f/f6/Bnl11-Barracuda_Logo-4C.png] <br />
[http://circl.lu/ http://circl.lu/pics/logo.png]<br />
[http://www.f5.com https://www.owasp.org/images/f/fd/AppSec_Research_2010_sponsor_F5_logo.jpg]<br />
<br />
<br />
<br />
<br><br />
</center><br />
[[Category:OWASP_AppSec_Conference]] [[Category:OWASP_BeNeLux_Archives]]</div>Bart De Winhttps://wiki.owasp.org/index.php?title=BeNeLux_OWASP_Day_2011&diff=120847BeNeLux OWASP Day 20112011-11-28T21:13:05Z<p>Bart De Win: </p>
<hr />
<div>__NOTOC__ <br />
<center>[[Image:OWASP BeNeLux 2011.jpg]]<br></center><br />
<br><!-- Header --><br />
<br />
==== Welcome ====<br />
<br />
<br><br />
<center><br />
=== Venue is the University of Luxembourg (Grand Duchy of Luxembourg) ===<br />
Training and conference location, together with hotel information, can be found [https://www.owasp.org/index.php/BeNeLux_OWASP_Day_2011#tab=Venue here].<br />
=== Training and first list of conference speakers are announced! ===<br />
See [https://www.owasp.org/index.php/BeNeLux_OWASP_Day_2011#tab=Training.2C_December_1st here] and [https://www.owasp.org/index.php/BeNeLux_OWASP_Day_2011#tab=Conference.2C_December_2nd here]<br />
=== Tweet! ===<br />
<br />
Event tag is [http://twitter.com/#search?q=%23owaspbnl11 #owaspbnl11]<br />
<br />
=== Registrations are open: ===<br />
<br />
[http://owaspbenelux2011.eventbrite.com/ http://www.owasp.org/images/7/77/Buttoncreate.png] <br />
<br />
</center><br />
<br><br />
<br />
==== Training, December 1st ====<br />
<br />
Registration '''starts at 9h00'''<br />
<br />
Training will start at '''10h00''' and we plan to stop at '''17h00'''. From '''17h00''' til '''18h00''', there will be an extra session on security testing by Yves Le Traon (see details below).<br />
<br />
The training room is: '''Paul Feidert''' (for details, check the [https://www.owasp.org/index.php/BeNeLux_OWASP_Day_2011#tab=Venue venue] tab)<br />
<br />
'''OWASP Training: Secure Application Development, by Eoin Keary'''<br />
<br />
'''Abstract:''' Writing Secure code is the most effective method to securing your web applications. Writing secure code takes skill and know-how but results in a more stable and robust application and assists in protecting an organisations brand.<br />
Application security is not commonly a part of many computer science curricula today and most organizations have not focused on instituting a culture that includes application security as a core part of their software development training efforts. This intensive one-day course focuses on the most common web application security problems, including aspects of both the OWASP Top Ten (2010) and the MITRE Top 25. The course will introduce and demonstrate application assessment techniques, illustrating how application vulnerabilities can be exploited so students really understand how to avoid introducing such vulnerabilities in their code.<br />
<br />
'''This course includes coverage of the following areas:'''<br />
<br />
* Unvalidated Input<br />
* Injection Flaws, OS commanding, SQL Injection<br />
* Cross-Site Scriping & Client-side security<br />
* CSRF/XSRF<br />
* Authentication & Session Management<br />
* Access control & Authorisation<br />
* Broken Caching<br />
* Error Handling & Resource Management<br />
* The Secure SDLC<br />
* Fuzzing, Proxy use and testing approach<br />
<br />
'''Hands on Exercises'''<br />
<br />
To cement the principles discussed, students can participate in a number of hands-on security testing exercises where they attack a live web application (i.e., OWASP Bank etc) that has been seeded with common web application vulnerabilities.<br />
<br />
The students will use proxy tools commonly used by the hacker community to complete the exercises. Students need to bring their own windows based laptop to participate in the exercises. Wireless capability is recommended.<br />
<br />
'''Audience'''<br />
<br />
Developers who want to understand the most common web application security flaws, and how to avoid them and code in a secure manner.<br />
<br />
Level: Beginner/Intermediate<br />
<br />
Prerequisite: Basic knowledge of a web programming language like Java or .NET recommended but not required.<br />
<br />
Bringing your own windows based laptop is recommended so you can participate in the hands on exercises<br />
<br />
'''Trainer Bio:''' <br />
<br />
[[Eoin Keary]] is a Global OWASP board member since 2009. He is a long time member of OWASP and have contributed year on year to OWASP projects and the OWASP mission of fighting the causes of software insecurity. He is based in Dublin, Ireland and director of [http://www.bccriskadvisory.com Bccriskadvisory].<br />
<br />
===== Extra session on Security testing: a key challenge for software engineering of web apps (17h00 - 18h00)===== <br />
While important efforts are dedicated to system functional testing, very few works study how to specifically and systematically test security mechanisms. In this talk, we will present two categories of approaches. <br />
The first ones aim at assessing security mechanisms compliance with declared policies. Any security policy is strongly connected to system functionality: testing function includes exercising many security mechanisms. However, testing functionality does not intend at exercizing all security mechanisms. We thus propose test selection criteria to produce tests from a security policy. Empirical results will be presented about access control policies and about Android apps permission checks. <br />
<br />
The second ones concern the attack surface of web apps, with a particular focus on web browser sensitivity to XSS attacks. Indeed, one of the major threats against web applications is Cross-Site Scripting (XSS) that crosses several web components: web server, security components and finally the client’s web browser. The final target is thus the client running a particular web browser. During this last decade, several competing web browsers (IE, Netscape, Chrome, Firefox) have been upgraded to add new features for the final users benefit. However, the improvement of web browsers is not related with systematic security regression testing. Beginning with an analysis of their current exposure degree to XSS, we extend the empirical study to a decade of most popular web browser versions.The results reveal a chaotic behavior in the evolution of most web browsers attack surface over time. This particularly shows an urgent need for regression testing strategies to ensure that security is not sacrificed when a new version is delivered. <br />
<br />
In both cases, security must become a specific target for testing in order to get a satisfying level of confidence in security mechanisms<br />
<br />
'''Trainer bio:'''<br />
Yves Le Traon is professor at University of Luxembourg in the domain of software engineering, reliability, validation and security. He is also a member of the Interdisciplinary Centre for Security, Reliability and Trust (SnT), where he leads the research group SERVAL (SEcuRity and VALidation of services and networks). His research interests include software testing, design for security, security testing, model-driven validation, model based testing, web application, mobile computing. <br />
<br />
Professor Le Traon received his engineering degree and his PhD in Computer Science at the “Institut National Polytechnique” in Grenoble, France, in 1997. From 1998 to 2004, he was an associate professor at the University of Rennes, in Brittany, France. He is the co-founder of the Triskell INRIA team, which focuses on innovating design, modeling and testing techniques, such as Model-driven Engineering. During this period, Professor Le Traon studied design for testability techniques, validation and diagnosis of object-oriented programs and component-based systems. From 2004 to 2006, he was an expert in Model-Driven Architecture and Validation in the EXA team (Requirements Engineering and Applications) at “France Télécom R&D”. In 2006, he became professor at Telecom Bretagne (Ecole Nationale des Télécommunications de Bretagne), where he pioneered the application of testing for security assessment of web-applications, P2P systems and the promotion of intrusion detection systems using contract-based techniques.<br />
<br />
<br />
<br />
==== Conference, December 2nd ====<br />
<br />
We are pleased to announce the list of confirmed speakers:<br />
<br />
* Brenno De Winter (Journalist) From DigiNotar to Leaktober<br />
* Koen Vanderloock (Lead Security Competence Group at Cegeka) on [https://www.owasp.org/index.php/BeNeLux_OWASP_Day_2011#OWASP_SIMBA_-_guarding_your_applications_.28by_Koen_Vanderloock.2C_Leader_Security_Competence_Group_at_Cegeka.29 the new OWASP Simba project]<br />
* Justin Clarke (Director and Co-Founder of Gotham Digital Science Ltd) on [https://www.owasp.org/index.php/BeNeLux_OWASP_Day_2011#Practical_Crypto_Attacks_Against_Web_Applications_.28by_Justin_Clarke.2C_Director_and_Co-Founder_of_Gotham_Digital_Science_Ltd.29 practical crypto attacks against web applications]<br />
* Lieven Desmet (Research Manager at University Leuven) on [https://www.owasp.org/index.php/BeNeLux_OWASP_Day_2011#HTML5_security_.28by_Lieven_Desmet.2C_Research_Manager_at_Katholieke_Universiteit_Leuven.29 HTML5 security]<br />
* Andrey Belenko (Chief Security Researcher at ElcomSoft Co. Ltd) on [https://www.owasp.org/index.php/BeNeLux_OWASP_Day_2011#Overcoming_iOS_Data_Protection_to_Re-Enable_iPhone_Forensics_.28by_Andrey_Belenko.2C_Chief_Security_Researcher_at_ElcomSoft.29 iOS data protection internals]<br />
* Alexandre Dulaunoy (Incident Management - Security Research at CIRCL) on dynamic malware analysis<br />
* Ludovic Petit (Group Fraud & Information Security Adviser at SFR, Vodafone Group) on [https://www.owasp.org/index.php/BeNeLux_OWASP_Day_2011#Do_you..._Legal.3F_.28by_Ludovic_Petit.2C_Group_Fraud_.26_Information_Security_Adviser_at_SFR.2C_Vodafone_Group.29 WebApp Security and legal and regulatory aspects]<br />
*Jean-Marc Bost and Sébastien Bischof (ELCA) on The limits of e-banking<br />
* Yves Le Traon on security testing for web apps (talk will be held on the Training Day)<br />
* Seba Deleersnyder & Eoin Keary (OWASP Board) on OWASP Update<br />
<br />
Stay tuned for the final agenda!<br />
<br />
'''''Agenda''''' <br />
''(program has slightly changed !)''<br />
<br />
{| class="wikitable"<br />
! Time !! Speaker !! Topic<br />
|-<br />
| 08h30 - 9h30 || ''Registration'' || <br />
|-<br />
| 09h30 - 9h40 || OWASP Benelux Organization & Thomas Engel|| Welcome<br />
|-<br />
| 09h40 - 10h00 || Sebastien Deleersnyder & Eion Keary || OWASP update<br />
|-<br />
| 10h00 - 10h40 || Brenno De Winter || From DigiNotar to Leaktober <br />
|-<br />
| 10h40 - 11h00 || ''Break'' ||<br />
|-<br />
| 11h00 - 11h40 || [https://www.owasp.org/index.php/BeNeLux_OWASP_Day_2011#Justin_Clarke.2C_Director_and_Co-Founder_of_Gotham_Digital_Science_Ltd Justin Clarke] || [https://www.owasp.org/index.php/BeNeLux_OWASP_Day_2011#Practical_Crypto_Attacks_Against_Web_Applications_.28by_Justin_Clarke.2C_Director_and_Co-Founder_of_Gotham_Digital_Science_Ltd.29 practical crypto attacks against web applications] <br />
|-<br />
| 11h40 - 12h20 || [https://www.owasp.org/index.php/BeNeLux_OWASP_Day_2011#Andrey_Belenko.2C_Chief_Security_Researcher_at_ElcomSoft Andrey Belenko] || [https://www.owasp.org/index.php/BeNeLux_OWASP_Day_2011#Overcoming_iOS_Data_Protection_to_Re-Enable_iPhone_Forensics_.28by_Andrey_Belenko.2C_Chief_Security_Researcher_at_ElcomSoft.29 Overcoming iOS Data Protection to Re-Enable iPhone Forensics] <br />
|-<br />
| 12h20 - 13h00 || [https://www.owasp.org/index.php/BeNeLux_OWASP_Day_2011#Koen_Vanderloock.2C_Leader_Security_Competence_Group_at_Cegeka Koen Vanderloock] || [https://www.owasp.org/index.php/BeNeLux_OWASP_Day_2011#OWASP_SIMBA_-_guarding_your_applications_.28by_Koen_Vanderloock.2C_Leader_Security_Competence_Group_at_Cegeka.29 OWASP SIMBA - guarding your applications] <br />
|-<br />
| 13h00 - 14h00 || ''Lunch'' || <br />
|-<br />
| 14h00 - 14h40 || [https://www.owasp.org/index.php/BeNeLux_OWASP_Day_2011#Ludovic_Petit.2C_Group_Fraud_.26_Information_Security_Adviser_at_SFR.2C_Vodafone_Group Ludovic Petit] || [https://www.owasp.org/index.php/BeNeLux_OWASP_Day_2011#Do_you..._Legal.3F_.28by_Ludovic_Petit.2C_Group_Fraud_.26_Information_Security_Adviser_at_SFR.2C_Vodafone_Group.29 Do you... Legal?]<br />
|-<br />
| 14h40 - 15h20 || Thierry Zoller || The rise of the Vulnerability Market<br />
|-<br />
| 15h20 - 16h00 || Jean-Marc Bost & Sébastien Bischof || The limits of e-banking <br />
|-<br />
| 16h00 - 16h20 || ''Break'' || <br />
|-<br />
| 16h20 - 17h00 || Alexandre Delaunoy || Dynamic malware analysis <br />
|-<br />
| 17h00 - 17h40 || [https://www.owasp.org/index.php/BeNeLux_OWASP_Day_2011#Lieven_Desmet.2C_Research_Manager_at_Katholieke_Universiteit_Leuven Lieven Desmet] || [https://www.owasp.org/index.php/BeNeLux_OWASP_Day_2011#HTML5_security_.28by_Lieven_Desmet.2C_Research_Manager_at_Katholieke_Universiteit_Leuven.29 HTML5 security]<br />
|-<br />
| 17h40 - 18h00 || OWASP Benelux 2011 organization || Closing notes<br />
<br />
|}<br />
<br />
<!-- deze laten staan. is handig om anchors te vinden tijdens edi (seba) __TOC__ --><br />
<br />
===== From DigiNotar to Leaktober=====<br />
Web application security is hard. With Lektober, Brenno shows that to the general public. Privacy is at stake, not only in the Netherlands. Brenno will reveal some of the more "interesting" leaks.<br />
<br />
=====Brenno J.S.A.A.F. de Winter=====<br />
Brenno De Winter started experimenting with security at the age of 9. He has a background in open source that dates back to 1993 and he contributed to several projects like MySQL, GnuPG, Gnucomo (Gnu Computer Monitoring) and recently started the Small Sister-project for privacy-friendly internet usage. In his daily job he practices security,teaches it and works as an IT-journalist. His writings have triggered several debates in parliament and often raises questions. <br />
<br />
=====OWASP SIMBA - guarding your applications (by [https://www.owasp.org/index.php/BeNeLux_OWASP_Day_2011#Koen_Vanderloock.2C_Leader_Security_Competence_Group_at_Cegeka Koen Vanderloock], Leader Security Competence Group at Cegeka)=====<br />
[[OWASP SIMBA Project|SIMBA (Security Integration Module for Business Applications)]] is a OWASP project that provides you with a User Access Management system that can be integrated with any business application. The purpose of SIMBA is to secure an application fast and easy. Because SIMBA itself is generic it can be customized for every project. Many features are customizable e.g. designing your own authentication chain is easy and fast by using existing or newly created building blocks. SIMBA contains authentication, authorization, session management and a GUI to manage your security information.<br />
<br />
======Koen Vanderloock, Leader Security Competence Group at Cegeka======<br />
Koen Vanderloock is the leader of the security competence group at Cegeka. About 2 years ago Cegeka decided to create a sandbox for investigating security issues and solutions so they could be included in the current projects. <br />
Koen Vanderloock is a Java developer with 8 years of experience and started exploring the world of security 3 years ago when UAM problems started to occur.<br />
<br />
=====Practical Crypto Attacks Against Web Applications (by [https://www.owasp.org/index.php/BeNeLux_OWASP_Day_2011#Justin_Clarke.2C_Director_and_Co-Founder_of_Gotham_Digital_Science_Ltd Justin Clarke], Director and Co-Founder of Gotham Digital Science Ltd)=====<br />
The science of cryptography underpins many of the information security technologies we use on a daily basis, such as the ability to keep information confidential and to ensure we can identify who we are communicating with. However, it is a very complex subject area with many types of mistakes that can reduce the overall security of a solution. A number of these types of mistakes can be identified by a tester, if they know what they're looking for, but in general it isn't a well tested area.<br />
<br />
This talk is intended to provide a high level overview of some of the areas where cryptographic operations such as encryption and hashing can provide far less security than was planned, and concrete examples of how these were found and exploited. Examples will include discussion and demonstration of the recently patched cryptographic padding attack against the Microsoft .NET framework (affecting ASP.NET applications) caused by a design error in how ASP.NET handles some types of encrypted data, but we will also be looking at some other fun areas including bit flipping attacks, ECB mode attacks, and some miscellaneous hashing algorithm attacks against common web application implementations.<br />
<br />
======Justin Clarke, Director and Co-Founder of Gotham Digital Science Ltd======<br />
Justin is a Director and Co-Founder of Gotham Digital Science and an experienced software security consultant with extensive international Big 4 risk management, security consulting and testing experience. He is the lead author/technical editor of "SQL Injection Attacks and Defenses" (Syngress 2009), co-author of "Network Security Tools" (O'Reilly 2005), contributor to "Network Security Assessment, 2nd Edition" (O'Reilly 2007), as well as a speaker at various security conferences and events such as Black Hat, EuSecWest, ISACA, BruCON, OWASP, OSCON, RSA and SANS. He is currently the OWASP London chapter president, and a member of the OWASP Global Connections Committee.<br />
On 10 Oct 2011, at 09:33, Seba wrote:<br />
<br />
=====HTML5 security (by [https://www.owasp.org/index.php/BeNeLux_OWASP_Day_2011#Lieven_Desmet.2C_Research_Manager_at_Katholieke_Universiteit_Leuven Lieven Desmet], Research Manager at Katholieke Universiteit Leuven)=====<br />
In this talk, Lieven will highlight the results of the HTML5 security analysis, conducted by the DistriNet Research Group (K.U.Leuven). The security analysis of next generation web standards, commissioned by ENISA, looked into 13 emerging W3C web standards (i.e. the specification of HTML 5 and some of the associated APIs), and assessed the security of each of them as well as the overall security and consistency across specifications.<br />
<br />
In total 51 security threats and issues have been identified, and detailed in the ENISA report (http://www.enisa.europa.eu/html5). During the talk, Lieven will discuss the methodology developed to assess the huge amount of specifications, and zoom into a representative set of identified threats and their remediation.<br />
<br />
======Lieven Desmet, Research Manager at Katholieke Universiteit Leuven======<br />
Lieven Desmet is the Research Manager on Secure Software at the Katholieke Universiteit Leuven (Belgium), where he coaches junior researchers in web application security and participates in dissemination and valorization activities. His interests are in software verification and security of middleware and web-enabled technologies. Lieven is actively engaged in OWASP and is board member of the OWASP Chapter Belgium.<br />
<br />
=====Overcoming iOS Data Protection to Re-Enable iPhone Forensics (by [https://www.owasp.org/index.php/BeNeLux_OWASP_Day_2011#Andrey_Belenko.2C_Chief_Security_Researcher_at_ElcomSoft Andrey Belenko], Chief Security Researcher at ElcomSoft)=====<br />
Data protection is a feature available for iOS devices (iOS 4 and up) with hardware encryption: iPhone 4S, iPhone 4, iPhone 3GS, iPod touch (3rd generation or later), and all iPad models. Introduction of this feature had complicated iPhone forensics process because now (almost) all files on user partition are encrypted and physical dumps are of much less value to examiners: while the filesystem seems to be intact, actual file contents are encrypted and are not suitable for analysis.<br />
<br />
This talk will provide in-depth information about iOS Data protection internals and on the implication it had on iOS forensics. More specifically, it will cover the following:<br />
*System keys and their hierarchy<br />
*Device passcode and its recovery<br />
*Escrow keys<br />
*Filesystem encryption<br />
*Keychain encryption<br />
<br />
Presentation will start by providing attendees with required background on iOS encryption keys architecture: system keys, passcode key, escrow key. After attendees are familiar with those concepts, presentation will continue to filesystem and keychain encryption details and to the techniques that can be used to overcome the hurdles imposed by iOS Data Protection.<br />
<br />
======Andrey Belenko, Chief Security Researcher at ElcomSoft======<br />
Chief security researcher and software developer at Elcomsoft. Co-invented ThunderTables (which are improved RainbowTables) and was first to bring GPU acceleration to password recovery. M. Sc. IT and CISSP.<br />
<br />
LinkedIn: http://ru.linkedin.com/in/belenko<br />
<br />
Twitter: @andreybelenko<br />
<br />
=====Do you... Legal? (by [https://www.owasp.org/index.php/BeNeLux_OWASP_Day_2011#Ludovic_Petit.2C_Group_Fraud_.26_Information_Security_Adviser_at_SFR.2C_Vodafone_Group Ludovic Petit], Group Fraud & Information Security Adviser at SFR, Vodafone Group) =====<br />
<br />
The OWASP core mission is to make application security visible, so that people and organizations can make informed decisions about true application security risks. However, if you do not pay enough attention to many aspects of Legal compliance, you'll see why Web Application Security is somehow linked to Legal and Regulatory aspects as well as... Corporate Responsability, so yours. Who is accountable for what, what about each other's responsibility? Nowadays, the legal constraints oblige us to comply via technical means, whatever the local framework, and this is specially true for Web Application Security, many sensitive informations having to be handled through these web interfaces. A such, what do you think about your Security Policy compliance with your local Legal framework? Compliant? Sure? Really? Interesting isn't it? Let's have a talk about this.<br />
<br />
======Ludovic Petit, Group Fraud & Information Security Adviser at SFR, Vodafone Group======<br />
Ludovic is an internationally recognised information security expert with over 25 years experience. Last 15 years spent in various Corporate Management positions covering both Technical and Law Enforcement expertise dedicated to Mobile Telecommunications Fraud and Security in multi-national corporations.<br />
<br />
Ludovic is Chapter Leader & Founding Member OWASP France and an active contributor to OWASP in several roles and projects.<br />
<br />
LinkedIn Profile: http://www.linkedin.com/in/lpetit<br />
<br />
=====Dynamic Malware Analysis or How to Play in the House of Horrors (by Alexandre Dulaunoy, Incident Management - Security Research at CIRCL) =====<br />
Malware reversing is a time consuming task. Many approaches are available to dissect and analyse suspicious binaries. Dynamic malware analysis is one of the option to better understand them and also a nifty companion to static analysis. The current dynamic malware analysis techniques will be presented especially the ones relying on instrumented operating system systems (from the filesystem to the network stack). You'll see a wandering through common and less common malware partially analysed using dynamic analysis and how dynamic malware analysis can help you.<br />
<br />
===== The limits of e-banking (by Jean-Marc Bost and Sébastien Bischof, ECLA) =====<br />
The swiss german TV channel SF1 showed a footage on swiss e-banking security. The TV show follows a team of the ETH who earned a special authorization to test several e-anking platforms. After admitting that a personal computer can be infected by different means (actually 5% of the tested PCs are infected according to Microsoft), The team from Zürich showed the limits of the different platforms. Only the bank who signs each transaction is labelled as safe. We will come back during the presentation on the nature of the threat.<br>First of all, we will explain how famous malwares such as Zeus and SpyEye manage to steal from their victims without them being able to notice anything. Then we will see that e-banking is not the only target, as a matter of fact, the reality is far from this.<br>And then we will comment the most recent techniques that allow malwares to escape Antivirus and Antimalware programs even if they are up to date. We will vulgarize several concepts such as DKOM and bootkits in order to let everybody have a glimpse on the danger they represent.<br>Finally, we will think about if signing each transaction can efficiently fight off these threats. In fact, when attacks are coupled with Social Engineering, they have potentially no limit. Zeus is a living proof of this fact, because it even managed to attack the transaction validation system by SMS. As a conclusion, we will see that the e-banking platform that managed to resist the tests of the ETH team is vulnerable to such kind of attacks. <br />
<br />
====== Jean-Marc Bost, ELCA ======<br />
Jean-Marc Bost leads the security division at ELCA. <br>He is in charge of the various security solutions proposed by ELCA, some being released by ELCA, others being provided by partner vendors. <br>With a significant experience in the development of internet applications, he focused 10 years ago on their need for security. <br>Since then, he has been very active in&nbsp;:<br>- demonstrating the threats, in particular for ebanking<br>- conceiving practical and patented solutions for strong authentication, online transactions, electronic signature and secured documents<br>- presenting the findings of the security division in security events and through expert talks<br> <br />
<br />
====== Sébastien Bischof, ELCA ======<br />
Sébastien Bischof works in the security division at ELCA Where he is specialized in OS-level and communication security.<br>As a major result, he developped a fully-working proof-of-concept of an attack against a sophisticated USB token for safe-browsing.<br>He obtained his Master of Science in Engineering at HEIG-VD/HES-SO with a strong emphasis on IT Security.<br>During his education, he focused on obfuscation and rootkit techniques.<br>Computer security enthusiast, he is very interested in hackings events such as Insomni'hack and keeps himself informed on the latest threats throuhg active participation in security forums.<br />
<br />
<br />
<br />
==== CTF ====<br />
<br />
Do you like puzzles? Do you like challenges? Are you a hacker?<br />
<br />
Whether you are an old hacker or new enthusiast you should come to OWASP BeNeLux days 2011 and participate in the Capture the Flag event December 2nd 2011 at the University of Luxemburg. <br />
<br />
The OWASP CTF is especially designed to support challengers of all skill levels. The CTF contains multiple challenges in various fields related to application security. As every challenge gains you one point, you can pick and choose which challenge you want to play.<br />
<br />
All you need is a laptop with a wifi card and your favorite (preferably) non-commercial tools. <br />
<br />
So come to Luxemburg, show off your skills, learn new tricks and above all have a good time at the CTF event. <br />
<br />
==== Registration ====<br />
<center><br />
'''The training day and the conference are free!'''&nbsp;<br />
<br />
<br> <br />
<br />
[http://owaspbenelux2011.eventbrite.com/ http://www.owasp.org/images/7/77/Buttoncreate.png] <br />
<br />
<br> To support the OWASP organisation, consider to become a member, it's only US$50!<br> Check out the [[Membership]] page to find out more.<br> <br />
<br />
<br> <br />
</center> <br />
==== Venue ====<br />
<center><br />
University of Luxembourg<br>Campus Kirchberg<br>6, rue Richard Coudenhove-Kalergi<br>L-1359 Luxembourg<br>[http://wwwen.uni.lu/contact/campus_kirchberg http://wwwen.uni.lu/contact/campus_kirchberg] <br>Room: Paul Feidert<br />
</center><br />
<br />
<br>'''Parking''':<br />
<br />
There is a public parking close to the conference venue.<br />
[http://maps.google.de/maps?q=49.63038,6.157061&num=1&t=h&vpsrc=0&z=16 Click here to find the parking on Google Maps]<br />
<br />
<br>'''Hotels nearby''': <br />
<br />
The first hotel is at 5 minutes on walk distance from the campus Kirchberg: '''[http://www.coque.lu/article/259 Hotel d’Coque]'''<br />
* single room with breakfast 77.50 €<br />
* double room with breakfast 93.00 €. <br />
* Booking email address with Ref. OWASP_SNT 2011 to : [mailto:reception@coque.lu reception@coque.lu]<br />
* Reservation deadline: 20 October 2011<br />
Second hotel (direct center of Luxembourg) 5/10 minutes with taxi or bus: '''[http://www.parcbellevue.lu/fr/index.php Hotel Parc Bellevue]'''<br />
* single room with breakfast 95.00 € (normal price 160 €)<br />
* double room with breakfast 115.00 € (normal price 180€)<br />
* wifi and parking included<br />
* Booking email address: [mailto:reservation@goeres-group.com reservation@goeres-group.com]<br />
* Reservation deadline&nbsp;: 30 November <br />
* Reservation form: [https://www.owasp.org/images/4/44/Uni_Luxembourg_OWASP_2011.doc download form] <br />
Third hotel (near the Parc Bellevue): '''[http://www.parcplaza.lu/fr/index.php Hotel Plaza]'''<br />
* single room with breakfast 130.00 € (normal price 225 €)<br />
* double room with breakfast 150.00 € (normal price 245€)<br />
* wifi and parking included<br />
* Booking email address: [mailto:reservation@goeres-group.com reservation@goeres-group.com]. <br />
* Reservation deadline: 30 November<br />
* Reservation form: [https://www.owasp.org/images/4/44/Uni_Luxembourg_OWASP_2011.doc download form] <br />
Fourth hotel: '''[http://www.melia-luxembourg.com/fr/melia-luxembourg.html Hotel Mélia]'''<br />
* single room with breakfast 140.00 €<br />
* Booking email address: [mailto:reservations.melia.luxembourg@solmelia.com reservations.melia.luxembourg@solmelia.com]<br />
* Reservation deadline: 28 October 2011<br />
* Reservation form: [https://www.owasp.org/images/f/f8/Uni_OWASP_2011_Melia.pdf download form] <br />
<br />
<br><br />
<br />
==== Organisation ====<br />
<br />
The BeNeLux Day 2011 Program Committee: <br />
<br />
*Martin Knobloch / Ferdinand Vroom ([[Netherlands|OWASP Netherlands]]) <br />
*Bart De Win / Sebastien Deleersnyder ([[Belgium|OWASP Belgium]]) <br />
*Jocelyn Aubert / Andre Adelsbach ([[Luxembourg|OWASP Luxembourg]]) <br />
*Steven van der Baan ([[:Category:OWASP CTF Project|Capture The Flag]])<br />
<br />
Local organization:<br />
<br />
*Thomas Engel <br />
*Radu State <br />
*Magali Martin <br />
*Aurel Machalek<br />
<br />
==== Sponsorship ====<br />
<br />
Contact seba &lt;at&gt; owasp.org for sponsorship <br />
<br />
<paypal>BeNeLux OWASP Day 2011</paypal> <br />
<br />
==== Social Event ====<br />
<br />
The social event is scheduled for Thursday, 1st of December, 19:00 at <br />
<br><br />
<br><br />
<center><br />
[http://www.aguadecoco.lu/ Agua De C&ocirc;co]<br><br />
2, rue Emile Mousel<br><br />
L-2165 Luxembourg<br><br />
<br><br />
([http://maps.google.com/maps?q=Rue+Emile+Mousel,+Luxembourg,+Luxemburg&hl=de&ll=49.612031,6.14125&spn=0.003379,0.009677&sll=49.709163,6.115265&sspn=0.003372,0.009677&vpsrc=6&geocode=FQIF9QIdPrVdAA&hnear=Rue+Emile+Mousel,+Luxembourg,+Luxemburg&t=h&z=17 find the location on Google Maps])<br />
<br />
Remark: split bill system - everyone has to cover own food & drinks.<br />
<br />
</center><br />
<br />
==== Promotion ====<br />
''Feel free to use the text below to promote our event!''<br />
<br />
We invite you to our next OWASP event: the '''BeNeLux OWASP Days 2011!'''<br />
<br />
Free your agenda on the 1st and 2nd of December, 2011.<br />
<br />
The good news: free! No fee!<br />
<br />
The bad news: there are only 160 seats available (first register, first serve)!<br />
<br />
<br />
'''PROGRAM Day 1'''<br />
* 10:00 AM - 18:00 PM: OWASP Training Day<br />
* 19:00 PM - ?: Social event<br />
<br />
'''OWASP Training: Secure Application Development''', by Eoin Keary<br><br />
This intensive one-day training focuses on the most common web application security problems, including aspects of both the OWASP Top Ten (2010) and the MITRE Top 25. The training will introduce and demonstrate application assessment techniques, illustrating how application vulnerabilities can be exploited so students really understand how to avoid introducing such vulnerabilities in their code.<br />
<br />
'''PROGRAM Day 2'''<br />
* 10:00 AM - 18:00 PM: OWASP Conference<br />
<br />
List of '''confirmed speakers''' (more to be announced soon):<br />
*Brenno De Winter (Journalist) on the Diginotar story<br />
*Koen Vanderloock (Lead Security Competence Group at Cegeka) on the new OWASP Simba project<br />
*Justin Clarke (Director and Co-Founder of Gotham Digital Science Ltd) on practical crypto attacks against web applications<br />
*Lieven Desmet (Research Manager at University Leuven) on HTML5 security<br />
*Andrey Belenko (Chief Security Researcher at ElcomSoft Co. Ltd) on iOS data protection internals<br />
*Alexandre Dulaunoy (Incident Management - Security Research at CIRCL) on dynamic malware analysis<br />
*Ludovic Petit (Group Fraud & Information Security Adviser at SFR, Vodafone Group) on WebApp Security and legal and regulatory aspects<br />
*Seba Deleersnyder & Eoin Keary (OWASP Board) on OWASP Update<br />
<br />
'''ORGANIZATION<br>'''<br />
OWASP's all-volunteer participants produce free, professional quality, open-source documentation, tools, and standards on application security. An example of this is the famous OWASP top ten of most critical web application security flaws. The OWASP community facilitates conferences, local chapters, articles, and message forums. Participation in OWASP is free and open to all, as are all the materials we produce.<br />
<br />
'''WHO should attend?<br>'''<br />
Anyone interested in Web Application Security (management, security professionals, developers, students, etc). OWASP Belgium, Netherlands and Luxembourg chapters membership is free. All meetings are free. There are never vendor pitches or sales presentations at OWASP meetings.<br><br />
Check our chapter page http://www.owasp.org/index.php/Belgium on meeting details, sign up to the chapter mailing list and introduce yourself.<br><br />
Check our chapter page http://www.owasp.org/index.php/Netherlands on meeting details, sign up to the chapter mailing list and introduce yourself.<br><br />
Check our chapter page http://www.owasp.org/index.php/Luxembourg on meeting details, sign up to the chapter mailing list and introduce yourself.<br><br />
<br />
'''WHEN<br>'''<br />
Thursday and Friday, 1st and 2nd of December, 2011 (10 AM - 7 PM)<br />
<br />
'''WHERE<br>'''<br />
University of Luxembourg<br><br />
Campus Kirchberg<br><br />
6, rue Richard Coudenhove-Kalergi<br><br />
L-1359 Luxembourg<br><br />
http://wwwen.uni.lu/contact/campus_kirchberg<br><br />
Room: Paul Feidert<br />
<br />
Attention: make sure to '''book your hotel in time''', it will be difficult to find rooms in Luxembourg around Dec 1-2!<br><br />
Hotel details https://www.owasp.org/index.php?title=BeNeLux_OWASP_Day_2011#tab=Venue<br />
<br />
'''REGISTRATION<br>'''<br />
Only 160 places, please '''Register upfront: http://owaspbenelux2011.eventbrite.com''' !<br><br />
All latest details are available on http://www.owaspbenelux.eu<br><br />
Hope to see you all!<br><br />
<br />
The BeNeLux Program Committee,<br />
*Martin Knobloch / Ferdinand Vroom, OWASP Netherlands<br />
*Bart De Win / Sebastien Deleersnyder, OWASP Belgium<br />
*Jocelyn Aubert / Andre Adelsbach, OWASP Luxembourg<br />
*Steven van der Baan, OWASP CTF Project<br />
<br />
Kindly supported by the Interdisciplinary Centre for Security Reliability and Trust<br />
*Thomas Engel <br />
*Radu State <br />
*Magali Martin <br />
*Aurel Machalek<br />
<br />
<headertabs /><br />
<br />
<br />
<center><br />
'''Hosted and co-organized by:'''<br> <br />
[[Image:Bnl11-university-logo.jpg|link=http://wwwen.uni.lu]] <br />
[[Image:Bnl11-SECURITYANDTRUST-LOGO.jpg|link=http://www.securityandtrust.lu]] <br />
<br />
<br><br><br><br />
<br />
Made possible by our [http://www.owasp.org/index.php/BeNeLux_OWASP_Day_2011#tab=Sponsorship sponsors]:<br><br />
{{MemberLinks|link=http://www.ascure.com|logo=Ascure_Logo.jpg}} <br />
[http://www.zionsecurity.com http://www.owasp.org/images/e/e6/Zionsecurity.jpg]<br />
[http://www.zenitelbelgium.com http://www.owasp.org/images/d/df/SAIT_Zenitel.jpg]<br />
[http://www8.hp.com/us/en/solutions/solutions-detail.html?compURI=tcm:245-339290 https://www.owasp.org/images/b/b4/HP_Logo.jpg] <br />
[http://www.barracuda.com https://www.owasp.org/images/f/f6/Bnl11-Barracuda_Logo-4C.png] <br />
[http://circl.lu/ http://circl.lu/pics/logo.png]<br />
[http://www.f5.com https://www.owasp.org/images/f/fd/AppSec_Research_2010_sponsor_F5_logo.jpg]<br />
<br />
<br />
<br />
<br><br />
</center><br />
[[Category:OWASP_AppSec_Conference]] [[Category:OWASP_BeNeLux_Archives]]</div>Bart De Winhttps://wiki.owasp.org/index.php?title=BeNeLux_OWASP_Day_2011&diff=120846BeNeLux OWASP Day 20112011-11-28T21:07:52Z<p>Bart De Win: </p>
<hr />
<div>__NOTOC__ <br />
<center>[[Image:OWASP BeNeLux 2011.jpg]]<br></center><br />
<br><!-- Header --><br />
<br />
==== Welcome ====<br />
<br />
<br><br />
<center><br />
=== Venue is the University of Luxembourg (Grand Duchy of Luxembourg) ===<br />
Training and conference location, together with hotel information, can be found [https://www.owasp.org/index.php/BeNeLux_OWASP_Day_2011#tab=Venue here].<br />
=== Training and first list of conference speakers are announced! ===<br />
See [https://www.owasp.org/index.php/BeNeLux_OWASP_Day_2011#tab=Training.2C_December_1st here] and [https://www.owasp.org/index.php/BeNeLux_OWASP_Day_2011#tab=Conference.2C_December_2nd here]<br />
=== Tweet! ===<br />
<br />
Event tag is [http://twitter.com/#search?q=%23owaspbnl11 #owaspbnl11]<br />
<br />
=== Registrations are open: ===<br />
<br />
[http://owaspbenelux2011.eventbrite.com/ http://www.owasp.org/images/7/77/Buttoncreate.png] <br />
<br />
</center><br />
<br><br />
<br />
==== Training, December 1st ====<br />
<br />
Registration '''starts at 9h00'''<br />
<br />
Training will start at '''10h00''' and we plan to stop at '''17h00'''<br />
<br />
The training room is: '''Paul Feidert''' (for details, check the [https://www.owasp.org/index.php/BeNeLux_OWASP_Day_2011#tab=Venue venue] tab)<br />
<br />
'''OWASP Training: Secure Application Development, by Eoin Keary'''<br />
<br />
'''Abstract:''' Writing Secure code is the most effective method to securing your web applications. Writing secure code takes skill and know-how but results in a more stable and robust application and assists in protecting an organisations brand.<br />
Application security is not commonly a part of many computer science curricula today and most organizations have not focused on instituting a culture that includes application security as a core part of their software development training efforts. This intensive one-day course focuses on the most common web application security problems, including aspects of both the OWASP Top Ten (2010) and the MITRE Top 25. The course will introduce and demonstrate application assessment techniques, illustrating how application vulnerabilities can be exploited so students really understand how to avoid introducing such vulnerabilities in their code.<br />
<br />
'''This course includes coverage of the following areas:'''<br />
<br />
* Unvalidated Input<br />
* Injection Flaws, OS commanding, SQL Injection<br />
* Cross-Site Scriping & Client-side security<br />
* CSRF/XSRF<br />
* Authentication & Session Management<br />
* Access control & Authorisation<br />
* Broken Caching<br />
* Error Handling & Resource Management<br />
* The Secure SDLC<br />
* Fuzzing, Proxy use and testing approach<br />
<br />
'''Hands on Exercises'''<br />
<br />
To cement the principles discussed, students can participate in a number of hands-on security testing exercises where they attack a live web application (i.e., OWASP Bank etc) that has been seeded with common web application vulnerabilities.<br />
<br />
The students will use proxy tools commonly used by the hacker community to complete the exercises. Students need to bring their own windows based laptop to participate in the exercises. Wireless capability is recommended.<br />
<br />
'''Audience'''<br />
<br />
Developers who want to understand the most common web application security flaws, and how to avoid them and code in a secure manner.<br />
<br />
Level: Beginner/Intermediate<br />
<br />
Prerequisite: Basic knowledge of a web programming language like Java or .NET recommended but not required.<br />
<br />
Bringing your own windows based laptop is recommended so you can participate in the hands on exercises<br />
<br />
'''Trainer Bio:''' <br />
<br />
[[Eoin Keary]] is a Global OWASP board member since 2009. He is a long time member of OWASP and have contributed year on year to OWASP projects and the OWASP mission of fighting the causes of software insecurity. He is based in Dublin, Ireland and director of [http://www.bccriskadvisory.com Bccriskadvisory].<br />
<br />
==== Conference, December 2nd ====<br />
<br />
We are pleased to announce the list of confirmed speakers:<br />
<br />
* Brenno De Winter (Journalist) From DigiNotar to Leaktober<br />
* Koen Vanderloock (Lead Security Competence Group at Cegeka) on [https://www.owasp.org/index.php/BeNeLux_OWASP_Day_2011#OWASP_SIMBA_-_guarding_your_applications_.28by_Koen_Vanderloock.2C_Leader_Security_Competence_Group_at_Cegeka.29 the new OWASP Simba project]<br />
* Justin Clarke (Director and Co-Founder of Gotham Digital Science Ltd) on [https://www.owasp.org/index.php/BeNeLux_OWASP_Day_2011#Practical_Crypto_Attacks_Against_Web_Applications_.28by_Justin_Clarke.2C_Director_and_Co-Founder_of_Gotham_Digital_Science_Ltd.29 practical crypto attacks against web applications]<br />
* Lieven Desmet (Research Manager at University Leuven) on [https://www.owasp.org/index.php/BeNeLux_OWASP_Day_2011#HTML5_security_.28by_Lieven_Desmet.2C_Research_Manager_at_Katholieke_Universiteit_Leuven.29 HTML5 security]<br />
* Andrey Belenko (Chief Security Researcher at ElcomSoft Co. Ltd) on [https://www.owasp.org/index.php/BeNeLux_OWASP_Day_2011#Overcoming_iOS_Data_Protection_to_Re-Enable_iPhone_Forensics_.28by_Andrey_Belenko.2C_Chief_Security_Researcher_at_ElcomSoft.29 iOS data protection internals]<br />
* Alexandre Dulaunoy (Incident Management - Security Research at CIRCL) on dynamic malware analysis<br />
* Ludovic Petit (Group Fraud & Information Security Adviser at SFR, Vodafone Group) on [https://www.owasp.org/index.php/BeNeLux_OWASP_Day_2011#Do_you..._Legal.3F_.28by_Ludovic_Petit.2C_Group_Fraud_.26_Information_Security_Adviser_at_SFR.2C_Vodafone_Group.29 WebApp Security and legal and regulatory aspects]<br />
*Jean-Marc Bost and Sébastien Bischof (ELCA) on The limits of e-banking<br />
* Yves Le Traon on security testing for web apps (talk will be held on the Training Day)<br />
* Seba Deleersnyder & Eoin Keary (OWASP Board) on OWASP Update<br />
<br />
Stay tuned for the final agenda!<br />
<br />
'''''Agenda''''' <br />
''(program has slightly changed !)''<br />
<br />
{| class="wikitable"<br />
! Time !! Speaker !! Topic<br />
|-<br />
| 08h30 - 9h30 || ''Registration'' || <br />
|-<br />
| 09h30 - 9h40 || OWASP Benelux Organization & Thomas Engel|| Welcome<br />
|-<br />
| 09h40 - 10h00 || Sebastien Deleersnyder & Eion Keary || OWASP update<br />
|-<br />
| 10h00 - 10h40 || Brenno De Winter || From DigiNotar to Leaktober <br />
|-<br />
| 10h40 - 11h00 || ''Break'' ||<br />
|-<br />
| 11h00 - 11h40 || [https://www.owasp.org/index.php/BeNeLux_OWASP_Day_2011#Justin_Clarke.2C_Director_and_Co-Founder_of_Gotham_Digital_Science_Ltd Justin Clarke] || [https://www.owasp.org/index.php/BeNeLux_OWASP_Day_2011#Practical_Crypto_Attacks_Against_Web_Applications_.28by_Justin_Clarke.2C_Director_and_Co-Founder_of_Gotham_Digital_Science_Ltd.29 practical crypto attacks against web applications] <br />
|-<br />
| 11h40 - 12h20 || [https://www.owasp.org/index.php/BeNeLux_OWASP_Day_2011#Andrey_Belenko.2C_Chief_Security_Researcher_at_ElcomSoft Andrey Belenko] || [https://www.owasp.org/index.php/BeNeLux_OWASP_Day_2011#Overcoming_iOS_Data_Protection_to_Re-Enable_iPhone_Forensics_.28by_Andrey_Belenko.2C_Chief_Security_Researcher_at_ElcomSoft.29 Overcoming iOS Data Protection to Re-Enable iPhone Forensics] <br />
|-<br />
| 12h20 - 13h00 || [https://www.owasp.org/index.php/BeNeLux_OWASP_Day_2011#Koen_Vanderloock.2C_Leader_Security_Competence_Group_at_Cegeka Koen Vanderloock] || [https://www.owasp.org/index.php/BeNeLux_OWASP_Day_2011#OWASP_SIMBA_-_guarding_your_applications_.28by_Koen_Vanderloock.2C_Leader_Security_Competence_Group_at_Cegeka.29 OWASP SIMBA - guarding your applications] <br />
|-<br />
| 13h00 - 14h00 || ''Lunch'' || <br />
|-<br />
| 14h00 - 14h40 || [https://www.owasp.org/index.php/BeNeLux_OWASP_Day_2011#Ludovic_Petit.2C_Group_Fraud_.26_Information_Security_Adviser_at_SFR.2C_Vodafone_Group Ludovic Petit] || [https://www.owasp.org/index.php/BeNeLux_OWASP_Day_2011#Do_you..._Legal.3F_.28by_Ludovic_Petit.2C_Group_Fraud_.26_Information_Security_Adviser_at_SFR.2C_Vodafone_Group.29 Do you... Legal?]<br />
|-<br />
| 14h40 - 15h20 || Thierry Zoller || The rise of the Vulnerability Market<br />
|-<br />
| 15h20 - 16h00 || Jean-Marc Bost & Sébastien Bischof || The limits of e-banking <br />
|-<br />
| 16h00 - 16h20 || ''Break'' || <br />
|-<br />
| 16h20 - 17h00 || Alexandre Delaunoy || Dynamic malware analysis <br />
|-<br />
| 17h00 - 17h40 || [https://www.owasp.org/index.php/BeNeLux_OWASP_Day_2011#Lieven_Desmet.2C_Research_Manager_at_Katholieke_Universiteit_Leuven Lieven Desmet] || [https://www.owasp.org/index.php/BeNeLux_OWASP_Day_2011#HTML5_security_.28by_Lieven_Desmet.2C_Research_Manager_at_Katholieke_Universiteit_Leuven.29 HTML5 security]<br />
|-<br />
| 17h40 - 18h00 || OWASP Benelux 2011 organization || Closing notes<br />
<br />
|}<br />
<br />
<!-- deze laten staan. is handig om anchors te vinden tijdens edi (seba) __TOC__ --><br />
<br />
===== From DigiNotar to Leaktober=====<br />
Web application security is hard. With Lektober, Brenno shows that to the general public. Privacy is at stake, not only in the Netherlands. Brenno will reveal some of the more "interesting" leaks.<br />
<br />
=====Brenno J.S.A.A.F. de Winter=====<br />
Brenno De Winter started experimenting with security at the age of 9. He has a background in open source that dates back to 1993 and he contributed to several projects like MySQL, GnuPG, Gnucomo (Gnu Computer Monitoring) and recently started the Small Sister-project for privacy-friendly internet usage. In his daily job he practices security,teaches it and works as an IT-journalist. His writings have triggered several debates in parliament and often raises questions. <br />
<br />
=====OWASP SIMBA - guarding your applications (by [https://www.owasp.org/index.php/BeNeLux_OWASP_Day_2011#Koen_Vanderloock.2C_Leader_Security_Competence_Group_at_Cegeka Koen Vanderloock], Leader Security Competence Group at Cegeka)=====<br />
[[OWASP SIMBA Project|SIMBA (Security Integration Module for Business Applications)]] is a OWASP project that provides you with a User Access Management system that can be integrated with any business application. The purpose of SIMBA is to secure an application fast and easy. Because SIMBA itself is generic it can be customized for every project. Many features are customizable e.g. designing your own authentication chain is easy and fast by using existing or newly created building blocks. SIMBA contains authentication, authorization, session management and a GUI to manage your security information.<br />
<br />
======Koen Vanderloock, Leader Security Competence Group at Cegeka======<br />
Koen Vanderloock is the leader of the security competence group at Cegeka. About 2 years ago Cegeka decided to create a sandbox for investigating security issues and solutions so they could be included in the current projects. <br />
Koen Vanderloock is a Java developer with 8 years of experience and started exploring the world of security 3 years ago when UAM problems started to occur.<br />
<br />
=====Practical Crypto Attacks Against Web Applications (by [https://www.owasp.org/index.php/BeNeLux_OWASP_Day_2011#Justin_Clarke.2C_Director_and_Co-Founder_of_Gotham_Digital_Science_Ltd Justin Clarke], Director and Co-Founder of Gotham Digital Science Ltd)=====<br />
The science of cryptography underpins many of the information security technologies we use on a daily basis, such as the ability to keep information confidential and to ensure we can identify who we are communicating with. However, it is a very complex subject area with many types of mistakes that can reduce the overall security of a solution. A number of these types of mistakes can be identified by a tester, if they know what they're looking for, but in general it isn't a well tested area.<br />
<br />
This talk is intended to provide a high level overview of some of the areas where cryptographic operations such as encryption and hashing can provide far less security than was planned, and concrete examples of how these were found and exploited. Examples will include discussion and demonstration of the recently patched cryptographic padding attack against the Microsoft .NET framework (affecting ASP.NET applications) caused by a design error in how ASP.NET handles some types of encrypted data, but we will also be looking at some other fun areas including bit flipping attacks, ECB mode attacks, and some miscellaneous hashing algorithm attacks against common web application implementations.<br />
<br />
======Justin Clarke, Director and Co-Founder of Gotham Digital Science Ltd======<br />
Justin is a Director and Co-Founder of Gotham Digital Science and an experienced software security consultant with extensive international Big 4 risk management, security consulting and testing experience. He is the lead author/technical editor of "SQL Injection Attacks and Defenses" (Syngress 2009), co-author of "Network Security Tools" (O'Reilly 2005), contributor to "Network Security Assessment, 2nd Edition" (O'Reilly 2007), as well as a speaker at various security conferences and events such as Black Hat, EuSecWest, ISACA, BruCON, OWASP, OSCON, RSA and SANS. He is currently the OWASP London chapter president, and a member of the OWASP Global Connections Committee.<br />
On 10 Oct 2011, at 09:33, Seba wrote:<br />
<br />
=====HTML5 security (by [https://www.owasp.org/index.php/BeNeLux_OWASP_Day_2011#Lieven_Desmet.2C_Research_Manager_at_Katholieke_Universiteit_Leuven Lieven Desmet], Research Manager at Katholieke Universiteit Leuven)=====<br />
In this talk, Lieven will highlight the results of the HTML5 security analysis, conducted by the DistriNet Research Group (K.U.Leuven). The security analysis of next generation web standards, commissioned by ENISA, looked into 13 emerging W3C web standards (i.e. the specification of HTML 5 and some of the associated APIs), and assessed the security of each of them as well as the overall security and consistency across specifications.<br />
<br />
In total 51 security threats and issues have been identified, and detailed in the ENISA report (http://www.enisa.europa.eu/html5). During the talk, Lieven will discuss the methodology developed to assess the huge amount of specifications, and zoom into a representative set of identified threats and their remediation.<br />
<br />
======Lieven Desmet, Research Manager at Katholieke Universiteit Leuven======<br />
Lieven Desmet is the Research Manager on Secure Software at the Katholieke Universiteit Leuven (Belgium), where he coaches junior researchers in web application security and participates in dissemination and valorization activities. His interests are in software verification and security of middleware and web-enabled technologies. Lieven is actively engaged in OWASP and is board member of the OWASP Chapter Belgium.<br />
<br />
=====Overcoming iOS Data Protection to Re-Enable iPhone Forensics (by [https://www.owasp.org/index.php/BeNeLux_OWASP_Day_2011#Andrey_Belenko.2C_Chief_Security_Researcher_at_ElcomSoft Andrey Belenko], Chief Security Researcher at ElcomSoft)=====<br />
Data protection is a feature available for iOS devices (iOS 4 and up) with hardware encryption: iPhone 4S, iPhone 4, iPhone 3GS, iPod touch (3rd generation or later), and all iPad models. Introduction of this feature had complicated iPhone forensics process because now (almost) all files on user partition are encrypted and physical dumps are of much less value to examiners: while the filesystem seems to be intact, actual file contents are encrypted and are not suitable for analysis.<br />
<br />
This talk will provide in-depth information about iOS Data protection internals and on the implication it had on iOS forensics. More specifically, it will cover the following:<br />
*System keys and their hierarchy<br />
*Device passcode and its recovery<br />
*Escrow keys<br />
*Filesystem encryption<br />
*Keychain encryption<br />
<br />
Presentation will start by providing attendees with required background on iOS encryption keys architecture: system keys, passcode key, escrow key. After attendees are familiar with those concepts, presentation will continue to filesystem and keychain encryption details and to the techniques that can be used to overcome the hurdles imposed by iOS Data Protection.<br />
<br />
======Andrey Belenko, Chief Security Researcher at ElcomSoft======<br />
Chief security researcher and software developer at Elcomsoft. Co-invented ThunderTables (which are improved RainbowTables) and was first to bring GPU acceleration to password recovery. M. Sc. IT and CISSP.<br />
<br />
LinkedIn: http://ru.linkedin.com/in/belenko<br />
<br />
Twitter: @andreybelenko<br />
<br />
=====Do you... Legal? (by [https://www.owasp.org/index.php/BeNeLux_OWASP_Day_2011#Ludovic_Petit.2C_Group_Fraud_.26_Information_Security_Adviser_at_SFR.2C_Vodafone_Group Ludovic Petit], Group Fraud & Information Security Adviser at SFR, Vodafone Group) =====<br />
<br />
The OWASP core mission is to make application security visible, so that people and organizations can make informed decisions about true application security risks. However, if you do not pay enough attention to many aspects of Legal compliance, you'll see why Web Application Security is somehow linked to Legal and Regulatory aspects as well as... Corporate Responsability, so yours. Who is accountable for what, what about each other's responsibility? Nowadays, the legal constraints oblige us to comply via technical means, whatever the local framework, and this is specially true for Web Application Security, many sensitive informations having to be handled through these web interfaces. A such, what do you think about your Security Policy compliance with your local Legal framework? Compliant? Sure? Really? Interesting isn't it? Let's have a talk about this.<br />
<br />
======Ludovic Petit, Group Fraud & Information Security Adviser at SFR, Vodafone Group======<br />
Ludovic is an internationally recognised information security expert with over 25 years experience. Last 15 years spent in various Corporate Management positions covering both Technical and Law Enforcement expertise dedicated to Mobile Telecommunications Fraud and Security in multi-national corporations.<br />
<br />
Ludovic is Chapter Leader & Founding Member OWASP France and an active contributor to OWASP in several roles and projects.<br />
<br />
LinkedIn Profile: http://www.linkedin.com/in/lpetit<br />
<br />
=====Dynamic Malware Analysis or How to Play in the House of Horrors (by Alexandre Dulaunoy, Incident Management - Security Research at CIRCL) =====<br />
Malware reversing is a time consuming task. Many approaches are available to dissect and analyse suspicious binaries. Dynamic malware analysis is one of the option to better understand them and also a nifty companion to static analysis. The current dynamic malware analysis techniques will be presented especially the ones relying on instrumented operating system systems (from the filesystem to the network stack). You'll see a wandering through common and less common malware partially analysed using dynamic analysis and how dynamic malware analysis can help you.<br />
<br />
===== The limits of e-banking (by Jean-Marc Bost and Sébastien Bischof, ECLA) =====<br />
The swiss german TV channel SF1 showed a footage on swiss e-banking security. The TV show follows a team of the ETH who earned a special authorization to test several e-anking platforms. After admitting that a personal computer can be infected by different means (actually 5% of the tested PCs are infected according to Microsoft), The team from Zürich showed the limits of the different platforms. Only the bank who signs each transaction is labelled as safe. We will come back during the presentation on the nature of the threat.<br>First of all, we will explain how famous malwares such as Zeus and SpyEye manage to steal from their victims without them being able to notice anything. Then we will see that e-banking is not the only target, as a matter of fact, the reality is far from this.<br>And then we will comment the most recent techniques that allow malwares to escape Antivirus and Antimalware programs even if they are up to date. We will vulgarize several concepts such as DKOM and bootkits in order to let everybody have a glimpse on the danger they represent.<br>Finally, we will think about if signing each transaction can efficiently fight off these threats. In fact, when attacks are coupled with Social Engineering, they have potentially no limit. Zeus is a living proof of this fact, because it even managed to attack the transaction validation system by SMS. As a conclusion, we will see that the e-banking platform that managed to resist the tests of the ETH team is vulnerable to such kind of attacks. <br />
<br />
====== Jean-Marc Bost, ELCA ======<br />
Jean-Marc Bost leads the security division at ELCA. <br>He is in charge of the various security solutions proposed by ELCA, some being released by ELCA, others being provided by partner vendors. <br>With a significant experience in the development of internet applications, he focused 10 years ago on their need for security. <br>Since then, he has been very active in&nbsp;:<br>- demonstrating the threats, in particular for ebanking<br>- conceiving practical and patented solutions for strong authentication, online transactions, electronic signature and secured documents<br>- presenting the findings of the security division in security events and through expert talks<br> <br />
<br />
====== Sébastien Bischof, ELCA ======<br />
Sébastien Bischof works in the security division at ELCA Where he is specialized in OS-level and communication security.<br>As a major result, he developped a fully-working proof-of-concept of an attack against a sophisticated USB token for safe-browsing.<br>He obtained his Master of Science in Engineering at HEIG-VD/HES-SO with a strong emphasis on IT Security.<br>During his education, he focused on obfuscation and rootkit techniques.<br>Computer security enthusiast, he is very interested in hackings events such as Insomni'hack and keeps himself informed on the latest threats throuhg active participation in security forums.<br />
<br />
===== Security testing: a key challenge for software engineering of web apps (by Yves Le Traon, UdL)===== <br />
While important efforts are dedicated to system functional testing, very few works study how to specifically and systematically test security mechanisms. In this talk, we will present two categories of approaches. <br />
The first ones aim at assessing security mechanisms compliance with declared policies. Any security policy is strongly connected to system functionality: testing function includes exercising many security mechanisms. However, testing functionality does not intend at exercizing all security mechanisms. We thus propose test selection criteria to produce tests from a security policy. Empirical results will be presented about access control policies and about Android apps permission checks. <br />
<br />
The second ones concern the attack surface of web apps, with a particular focus on web browser sensitivity to XSS attacks. Indeed, one of the major threats against web applications is Cross-Site Scripting (XSS) that crosses several web components: web server, security components and finally the client’s web browser. The final target is thus the client running a particular web browser. During this last decade, several competing web browsers (IE, Netscape, Chrome, Firefox) have been upgraded to add new features for the final users benefit. However, the improvement of web browsers is not related with systematic security regression testing. Beginning with an analysis of their current exposure degree to XSS, we extend the empirical study to a decade of most popular web browser versions.The results reveal a chaotic behavior in the evolution of most web browsers attack surface over time. This particularly shows an urgent need for regression testing strategies to ensure that security is not sacrificed when a new version is delivered. <br />
<br />
In both cases, security must become a specific target for testing in order to get a satisfying level of confidence in security mechanisms<br />
<br />
====== Yves Le Traon, UdL====== <br />
Yves Le Traon is professor at University of Luxembourg in the domain of software engineering, reliability, validation and security. He is also a member of the Interdisciplinary Centre for Security, Reliability and Trust (SnT), where he leads the research group SERVAL (SEcuRity and VALidation of services and networks). His research interests include software testing, design for security, security testing, model-driven validation, model based testing, web application, mobile computing. <br />
<br />
Professor Le Traon received his engineering degree and his PhD in Computer Science at the “Institut National Polytechnique” in Grenoble, France, in 1997. From 1998 to 2004, he was an associate professor at the University of Rennes, in Brittany, France. He is the co-founder of the Triskell INRIA team, which focuses on innovating design, modeling and testing techniques, such as Model-driven Engineering. During this period, Professor Le Traon studied design for testability techniques, validation and diagnosis of object-oriented programs and component-based systems. From 2004 to 2006, he was an expert in Model-Driven Architecture and Validation in the EXA team (Requirements Engineering and Applications) at “France Télécom R&D”. In 2006, he became professor at Telecom Bretagne (Ecole Nationale des Télécommunications de Bretagne), where he pioneered the application of testing for security assessment of web-applications, P2P systems and the promotion of intrusion detection systems using contract-based techniques.<br />
<br />
<br />
==== CTF ====<br />
<br />
Do you like puzzles? Do you like challenges? Are you a hacker?<br />
<br />
Whether you are an old hacker or new enthusiast you should come to OWASP BeNeLux days 2011 and participate in the Capture the Flag event December 2nd 2011 at the University of Luxemburg. <br />
<br />
The OWASP CTF is especially designed to support challengers of all skill levels. The CTF contains multiple challenges in various fields related to application security. As every challenge gains you one point, you can pick and choose which challenge you want to play.<br />
<br />
All you need is a laptop with a wifi card and your favorite (preferably) non-commercial tools. <br />
<br />
So come to Luxemburg, show off your skills, learn new tricks and above all have a good time at the CTF event. <br />
<br />
==== Registration ====<br />
<center><br />
'''The training day and the conference are free!'''&nbsp;<br />
<br />
<br> <br />
<br />
[http://owaspbenelux2011.eventbrite.com/ http://www.owasp.org/images/7/77/Buttoncreate.png] <br />
<br />
<br> To support the OWASP organisation, consider to become a member, it's only US$50!<br> Check out the [[Membership]] page to find out more.<br> <br />
<br />
<br> <br />
</center> <br />
==== Venue ====<br />
<center><br />
University of Luxembourg<br>Campus Kirchberg<br>6, rue Richard Coudenhove-Kalergi<br>L-1359 Luxembourg<br>[http://wwwen.uni.lu/contact/campus_kirchberg http://wwwen.uni.lu/contact/campus_kirchberg] <br>Room: Paul Feidert<br />
</center><br />
<br />
<br>'''Parking''':<br />
<br />
There is a public parking close to the conference venue.<br />
[http://maps.google.de/maps?q=49.63038,6.157061&num=1&t=h&vpsrc=0&z=16 Click here to find the parking on Google Maps]<br />
<br />
<br>'''Hotels nearby''': <br />
<br />
The first hotel is at 5 minutes on walk distance from the campus Kirchberg: '''[http://www.coque.lu/article/259 Hotel d’Coque]'''<br />
* single room with breakfast 77.50 €<br />
* double room with breakfast 93.00 €. <br />
* Booking email address with Ref. OWASP_SNT 2011 to : [mailto:reception@coque.lu reception@coque.lu]<br />
* Reservation deadline: 20 October 2011<br />
Second hotel (direct center of Luxembourg) 5/10 minutes with taxi or bus: '''[http://www.parcbellevue.lu/fr/index.php Hotel Parc Bellevue]'''<br />
* single room with breakfast 95.00 € (normal price 160 €)<br />
* double room with breakfast 115.00 € (normal price 180€)<br />
* wifi and parking included<br />
* Booking email address: [mailto:reservation@goeres-group.com reservation@goeres-group.com]<br />
* Reservation deadline&nbsp;: 30 November <br />
* Reservation form: [https://www.owasp.org/images/4/44/Uni_Luxembourg_OWASP_2011.doc download form] <br />
Third hotel (near the Parc Bellevue): '''[http://www.parcplaza.lu/fr/index.php Hotel Plaza]'''<br />
* single room with breakfast 130.00 € (normal price 225 €)<br />
* double room with breakfast 150.00 € (normal price 245€)<br />
* wifi and parking included<br />
* Booking email address: [mailto:reservation@goeres-group.com reservation@goeres-group.com]. <br />
* Reservation deadline: 30 November<br />
* Reservation form: [https://www.owasp.org/images/4/44/Uni_Luxembourg_OWASP_2011.doc download form] <br />
Fourth hotel: '''[http://www.melia-luxembourg.com/fr/melia-luxembourg.html Hotel Mélia]'''<br />
* single room with breakfast 140.00 €<br />
* Booking email address: [mailto:reservations.melia.luxembourg@solmelia.com reservations.melia.luxembourg@solmelia.com]<br />
* Reservation deadline: 28 October 2011<br />
* Reservation form: [https://www.owasp.org/images/f/f8/Uni_OWASP_2011_Melia.pdf download form] <br />
<br />
<br><br />
<br />
==== Organisation ====<br />
<br />
The BeNeLux Day 2011 Program Committee: <br />
<br />
*Martin Knobloch / Ferdinand Vroom ([[Netherlands|OWASP Netherlands]]) <br />
*Bart De Win / Sebastien Deleersnyder ([[Belgium|OWASP Belgium]]) <br />
*Jocelyn Aubert / Andre Adelsbach ([[Luxembourg|OWASP Luxembourg]]) <br />
*Steven van der Baan ([[:Category:OWASP CTF Project|Capture The Flag]])<br />
<br />
Local organization:<br />
<br />
*Thomas Engel <br />
*Radu State <br />
*Magali Martin <br />
*Aurel Machalek<br />
<br />
==== Sponsorship ====<br />
<br />
Contact seba &lt;at&gt; owasp.org for sponsorship <br />
<br />
<paypal>BeNeLux OWASP Day 2011</paypal> <br />
<br />
==== Social Event ====<br />
<br />
The social event is scheduled for Thursday, 1st of December, 19:00 at <br />
<br><br />
<br><br />
<center><br />
[http://www.aguadecoco.lu/ Agua De C&ocirc;co]<br><br />
2, rue Emile Mousel<br><br />
L-2165 Luxembourg<br><br />
<br><br />
([http://maps.google.com/maps?q=Rue+Emile+Mousel,+Luxembourg,+Luxemburg&hl=de&ll=49.612031,6.14125&spn=0.003379,0.009677&sll=49.709163,6.115265&sspn=0.003372,0.009677&vpsrc=6&geocode=FQIF9QIdPrVdAA&hnear=Rue+Emile+Mousel,+Luxembourg,+Luxemburg&t=h&z=17 find the location on Google Maps])<br />
<br />
Remark: split bill system - everyone has to cover own food & drinks.<br />
<br />
</center><br />
<br />
==== Promotion ====<br />
''Feel free to use the text below to promote our event!''<br />
<br />
We invite you to our next OWASP event: the '''BeNeLux OWASP Days 2011!'''<br />
<br />
Free your agenda on the 1st and 2nd of December, 2011.<br />
<br />
The good news: free! No fee!<br />
<br />
The bad news: there are only 160 seats available (first register, first serve)!<br />
<br />
<br />
'''PROGRAM Day 1'''<br />
* 10:00 AM - 18:00 PM: OWASP Training Day<br />
* 19:00 PM - ?: Social event<br />
<br />
'''OWASP Training: Secure Application Development''', by Eoin Keary<br><br />
This intensive one-day training focuses on the most common web application security problems, including aspects of both the OWASP Top Ten (2010) and the MITRE Top 25. The training will introduce and demonstrate application assessment techniques, illustrating how application vulnerabilities can be exploited so students really understand how to avoid introducing such vulnerabilities in their code.<br />
<br />
'''PROGRAM Day 2'''<br />
* 10:00 AM - 18:00 PM: OWASP Conference<br />
<br />
List of '''confirmed speakers''' (more to be announced soon):<br />
*Brenno De Winter (Journalist) on the Diginotar story<br />
*Koen Vanderloock (Lead Security Competence Group at Cegeka) on the new OWASP Simba project<br />
*Justin Clarke (Director and Co-Founder of Gotham Digital Science Ltd) on practical crypto attacks against web applications<br />
*Lieven Desmet (Research Manager at University Leuven) on HTML5 security<br />
*Andrey Belenko (Chief Security Researcher at ElcomSoft Co. Ltd) on iOS data protection internals<br />
*Alexandre Dulaunoy (Incident Management - Security Research at CIRCL) on dynamic malware analysis<br />
*Ludovic Petit (Group Fraud & Information Security Adviser at SFR, Vodafone Group) on WebApp Security and legal and regulatory aspects<br />
*Seba Deleersnyder & Eoin Keary (OWASP Board) on OWASP Update<br />
<br />
'''ORGANIZATION<br>'''<br />
OWASP's all-volunteer participants produce free, professional quality, open-source documentation, tools, and standards on application security. An example of this is the famous OWASP top ten of most critical web application security flaws. The OWASP community facilitates conferences, local chapters, articles, and message forums. Participation in OWASP is free and open to all, as are all the materials we produce.<br />
<br />
'''WHO should attend?<br>'''<br />
Anyone interested in Web Application Security (management, security professionals, developers, students, etc). OWASP Belgium, Netherlands and Luxembourg chapters membership is free. All meetings are free. There are never vendor pitches or sales presentations at OWASP meetings.<br><br />
Check our chapter page http://www.owasp.org/index.php/Belgium on meeting details, sign up to the chapter mailing list and introduce yourself.<br><br />
Check our chapter page http://www.owasp.org/index.php/Netherlands on meeting details, sign up to the chapter mailing list and introduce yourself.<br><br />
Check our chapter page http://www.owasp.org/index.php/Luxembourg on meeting details, sign up to the chapter mailing list and introduce yourself.<br><br />
<br />
'''WHEN<br>'''<br />
Thursday and Friday, 1st and 2nd of December, 2011 (10 AM - 7 PM)<br />
<br />
'''WHERE<br>'''<br />
University of Luxembourg<br><br />
Campus Kirchberg<br><br />
6, rue Richard Coudenhove-Kalergi<br><br />
L-1359 Luxembourg<br><br />
http://wwwen.uni.lu/contact/campus_kirchberg<br><br />
Room: Paul Feidert<br />
<br />
Attention: make sure to '''book your hotel in time''', it will be difficult to find rooms in Luxembourg around Dec 1-2!<br><br />
Hotel details https://www.owasp.org/index.php?title=BeNeLux_OWASP_Day_2011#tab=Venue<br />
<br />
'''REGISTRATION<br>'''<br />
Only 160 places, please '''Register upfront: http://owaspbenelux2011.eventbrite.com''' !<br><br />
All latest details are available on http://www.owaspbenelux.eu<br><br />
Hope to see you all!<br><br />
<br />
The BeNeLux Program Committee,<br />
*Martin Knobloch / Ferdinand Vroom, OWASP Netherlands<br />
*Bart De Win / Sebastien Deleersnyder, OWASP Belgium<br />
*Jocelyn Aubert / Andre Adelsbach, OWASP Luxembourg<br />
*Steven van der Baan, OWASP CTF Project<br />
<br />
Kindly supported by the Interdisciplinary Centre for Security Reliability and Trust<br />
*Thomas Engel <br />
*Radu State <br />
*Magali Martin <br />
*Aurel Machalek<br />
<br />
<headertabs /><br />
<br />
<br />
<center><br />
'''Hosted and co-organized by:'''<br> <br />
[[Image:Bnl11-university-logo.jpg|link=http://wwwen.uni.lu]] <br />
[[Image:Bnl11-SECURITYANDTRUST-LOGO.jpg|link=http://www.securityandtrust.lu]] <br />
<br />
<br><br><br><br />
<br />
Made possible by our [http://www.owasp.org/index.php/BeNeLux_OWASP_Day_2011#tab=Sponsorship sponsors]:<br><br />
{{MemberLinks|link=http://www.ascure.com|logo=Ascure_Logo.jpg}} <br />
[http://www.zionsecurity.com http://www.owasp.org/images/e/e6/Zionsecurity.jpg]<br />
[http://www.zenitelbelgium.com http://www.owasp.org/images/d/df/SAIT_Zenitel.jpg]<br />
[http://www8.hp.com/us/en/solutions/solutions-detail.html?compURI=tcm:245-339290 https://www.owasp.org/images/b/b4/HP_Logo.jpg] <br />
[http://www.barracuda.com https://www.owasp.org/images/f/f6/Bnl11-Barracuda_Logo-4C.png] <br />
[http://circl.lu/ http://circl.lu/pics/logo.png]<br />
[http://www.f5.com https://www.owasp.org/images/f/fd/AppSec_Research_2010_sponsor_F5_logo.jpg]<br />
<br />
<br />
<br />
<br><br />
</center><br />
[[Category:OWASP_AppSec_Conference]] [[Category:OWASP_BeNeLux_Archives]]</div>Bart De Winhttps://wiki.owasp.org/index.php?title=BeNeLux_OWASP_Day_2011&diff=120845BeNeLux OWASP Day 20112011-11-28T21:06:59Z<p>Bart De Win: </p>
<hr />
<div>__NOTOC__ <br />
<center>[[Image:OWASP BeNeLux 2011.jpg]]<br></center><br />
<br><!-- Header --><br />
<br />
==== Welcome ====<br />
<br />
<br><br />
<center><br />
=== Venue is the University of Luxembourg (Grand Duchy of Luxembourg) ===<br />
Training and conference location, together with hotel information, can be found [https://www.owasp.org/index.php/BeNeLux_OWASP_Day_2011#tab=Venue here].<br />
=== Training and first list of conference speakers are announced! ===<br />
See [https://www.owasp.org/index.php/BeNeLux_OWASP_Day_2011#tab=Training.2C_December_1st here] and [https://www.owasp.org/index.php/BeNeLux_OWASP_Day_2011#tab=Conference.2C_December_2nd here]<br />
=== Tweet! ===<br />
<br />
Event tag is [http://twitter.com/#search?q=%23owaspbnl11 #owaspbnl11]<br />
<br />
=== Registrations are open: ===<br />
<br />
[http://owaspbenelux2011.eventbrite.com/ http://www.owasp.org/images/7/77/Buttoncreate.png] <br />
<br />
</center><br />
<br><br />
<br />
==== Training, December 1st ====<br />
<br />
Registration '''starts at 9h00'''<br />
<br />
Training will start at '''10h00''' and we plan to stop at '''17h00'''<br />
<br />
The training room is: '''Paul Feidert''' (for details, check the [https://www.owasp.org/index.php/BeNeLux_OWASP_Day_2011#tab=Venue venue] tab)<br />
<br />
'''OWASP Training: Secure Application Development, by Eoin Keary'''<br />
<br />
'''Abstract:''' Writing Secure code is the most effective method to securing your web applications. Writing secure code takes skill and know-how but results in a more stable and robust application and assists in protecting an organisations brand.<br />
Application security is not commonly a part of many computer science curricula today and most organizations have not focused on instituting a culture that includes application security as a core part of their software development training efforts. This intensive one-day course focuses on the most common web application security problems, including aspects of both the OWASP Top Ten (2010) and the MITRE Top 25. The course will introduce and demonstrate application assessment techniques, illustrating how application vulnerabilities can be exploited so students really understand how to avoid introducing such vulnerabilities in their code.<br />
<br />
'''This course includes coverage of the following areas:'''<br />
<br />
* Unvalidated Input<br />
* Injection Flaws, OS commanding, SQL Injection<br />
* Cross-Site Scriping & Client-side security<br />
* CSRF/XSRF<br />
* Authentication & Session Management<br />
* Access control & Authorisation<br />
* Broken Caching<br />
* Error Handling & Resource Management<br />
* The Secure SDLC<br />
* Fuzzing, Proxy use and testing approach<br />
<br />
'''Hands on Exercises'''<br />
<br />
To cement the principles discussed, students can participate in a number of hands-on security testing exercises where they attack a live web application (i.e., OWASP Bank etc) that has been seeded with common web application vulnerabilities.<br />
<br />
The students will use proxy tools commonly used by the hacker community to complete the exercises. Students need to bring their own windows based laptop to participate in the exercises. Wireless capability is recommended.<br />
<br />
'''Audience'''<br />
<br />
Developers who want to understand the most common web application security flaws, and how to avoid them and code in a secure manner.<br />
<br />
Level: Beginner/Intermediate<br />
<br />
Prerequisite: Basic knowledge of a web programming language like Java or .NET recommended but not required.<br />
<br />
Bringing your own windows based laptop is recommended so you can participate in the hands on exercises<br />
<br />
'''Trainer Bio:''' <br />
<br />
[[Eoin Keary]] is a Global OWASP board member since 2009. He is a long time member of OWASP and have contributed year on year to OWASP projects and the OWASP mission of fighting the causes of software insecurity. He is based in Dublin, Ireland and director of [http://www.bccriskadvisory.com Bccriskadvisory].<br />
<br />
==== Conference, December 2nd ====<br />
<br />
We are pleased to announce the list of confirmed speakers:<br />
<br />
* Brenno De Winter (Journalist) From DigiNotar to Leaktober<br />
* Koen Vanderloock (Lead Security Competence Group at Cegeka) on [https://www.owasp.org/index.php/BeNeLux_OWASP_Day_2011#OWASP_SIMBA_-_guarding_your_applications_.28by_Koen_Vanderloock.2C_Leader_Security_Competence_Group_at_Cegeka.29 the new OWASP Simba project]<br />
* Justin Clarke (Director and Co-Founder of Gotham Digital Science Ltd) on [https://www.owasp.org/index.php/BeNeLux_OWASP_Day_2011#Practical_Crypto_Attacks_Against_Web_Applications_.28by_Justin_Clarke.2C_Director_and_Co-Founder_of_Gotham_Digital_Science_Ltd.29 practical crypto attacks against web applications]<br />
* Lieven Desmet (Research Manager at University Leuven) on [https://www.owasp.org/index.php/BeNeLux_OWASP_Day_2011#HTML5_security_.28by_Lieven_Desmet.2C_Research_Manager_at_Katholieke_Universiteit_Leuven.29 HTML5 security]<br />
* Andrey Belenko (Chief Security Researcher at ElcomSoft Co. Ltd) on [https://www.owasp.org/index.php/BeNeLux_OWASP_Day_2011#Overcoming_iOS_Data_Protection_to_Re-Enable_iPhone_Forensics_.28by_Andrey_Belenko.2C_Chief_Security_Researcher_at_ElcomSoft.29 iOS data protection internals]<br />
* Alexandre Dulaunoy (Incident Management - Security Research at CIRCL) on dynamic malware analysis<br />
* Ludovic Petit (Group Fraud & Information Security Adviser at SFR, Vodafone Group) on [https://www.owasp.org/index.php/BeNeLux_OWASP_Day_2011#Do_you..._Legal.3F_.28by_Ludovic_Petit.2C_Group_Fraud_.26_Information_Security_Adviser_at_SFR.2C_Vodafone_Group.29 WebApp Security and legal and regulatory aspects]<br />
*Jean-Marc Bost and Sébastien Bischof (ELCA) on The limits of e-banking<br />
* Yves Le Traon on security testing for web apps (talk will be held on the Training Day)<br />
* Seba Deleersnyder & Eoin Keary (OWASP Board) on OWASP Update<br />
<br />
Stay tuned for the final agenda!<br />
<br />
'''''Agenda''''' '<br />
''(program has slightly changed !)''<br />
<br />
{| class="wikitable"<br />
! Time !! Speaker !! Topic<br />
|-<br />
| 08h30 - 9h30 || ''Registration'' || <br />
|-<br />
| 09h30 - 9h40 || OWASP Benelux Organization & Thomas Engel|| Welcome<br />
|-<br />
| 09h40 - 10h00 || Sebastien Deleersnyder & Eion Keary || OWASP update<br />
|-<br />
| 10h00 - 10h40 || Brenno De Winter || From DigiNotar to Leaktober <br />
|-<br />
| 10h40 - 11h00 || ''Break'' ||<br />
|-<br />
| 11h00 - 11h40 || [https://www.owasp.org/index.php/BeNeLux_OWASP_Day_2011#Justin_Clarke.2C_Director_and_Co-Founder_of_Gotham_Digital_Science_Ltd Justin Clarke] || [https://www.owasp.org/index.php/BeNeLux_OWASP_Day_2011#Practical_Crypto_Attacks_Against_Web_Applications_.28by_Justin_Clarke.2C_Director_and_Co-Founder_of_Gotham_Digital_Science_Ltd.29 practical crypto attacks against web applications] <br />
|-<br />
| 11h40 - 12h20 || [https://www.owasp.org/index.php/BeNeLux_OWASP_Day_2011#Andrey_Belenko.2C_Chief_Security_Researcher_at_ElcomSoft Andrey Belenko] || [https://www.owasp.org/index.php/BeNeLux_OWASP_Day_2011#Overcoming_iOS_Data_Protection_to_Re-Enable_iPhone_Forensics_.28by_Andrey_Belenko.2C_Chief_Security_Researcher_at_ElcomSoft.29 Overcoming iOS Data Protection to Re-Enable iPhone Forensics] <br />
|-<br />
| 12h20 - 13h00 || [https://www.owasp.org/index.php/BeNeLux_OWASP_Day_2011#Koen_Vanderloock.2C_Leader_Security_Competence_Group_at_Cegeka Koen Vanderloock] || [https://www.owasp.org/index.php/BeNeLux_OWASP_Day_2011#OWASP_SIMBA_-_guarding_your_applications_.28by_Koen_Vanderloock.2C_Leader_Security_Competence_Group_at_Cegeka.29 OWASP SIMBA - guarding your applications] <br />
|-<br />
| 13h00 - 14h00 || ''Lunch'' || <br />
|-<br />
| 14h00 - 14h40 || [https://www.owasp.org/index.php/BeNeLux_OWASP_Day_2011#Ludovic_Petit.2C_Group_Fraud_.26_Information_Security_Adviser_at_SFR.2C_Vodafone_Group Ludovic Petit] || [https://www.owasp.org/index.php/BeNeLux_OWASP_Day_2011#Do_you..._Legal.3F_.28by_Ludovic_Petit.2C_Group_Fraud_.26_Information_Security_Adviser_at_SFR.2C_Vodafone_Group.29 Do you... Legal?]<br />
|-<br />
| 14h40 - 15h20 || Thierry Zoller || The rise of the Vulnerability Market<br />
|-<br />
| 15h20 - 16h00 || Jean-Marc Bost & Sébastien Bischof || The limits of e-banking <br />
|-<br />
| 16h00 - 16h20 || ''Break'' || <br />
|-<br />
| 16h20 - 17h00 || Alexandre Delaunoy || Dynamic malware analysis <br />
|-<br />
| 17h00 - 17h40 || [https://www.owasp.org/index.php/BeNeLux_OWASP_Day_2011#Lieven_Desmet.2C_Research_Manager_at_Katholieke_Universiteit_Leuven Lieven Desmet] || [https://www.owasp.org/index.php/BeNeLux_OWASP_Day_2011#HTML5_security_.28by_Lieven_Desmet.2C_Research_Manager_at_Katholieke_Universiteit_Leuven.29 HTML5 security]<br />
|-<br />
| 17h40 - 18h00 || OWASP Benelux 2011 organization || Closing notes<br />
<br />
|}<br />
<br />
<!-- deze laten staan. is handig om anchors te vinden tijdens edi (seba) __TOC__ --><br />
<br />
===== From DigiNotar to Leaktober=====<br />
Web application security is hard. With Lektober, Brenno shows that to the general public. Privacy is at stake, not only in the Netherlands. Brenno will reveal some of the more "interesting" leaks.<br />
<br />
=====Brenno J.S.A.A.F. de Winter=====<br />
Brenno De Winter started experimenting with security at the age of 9. He has a background in open source that dates back to 1993 and he contributed to several projects like MySQL, GnuPG, Gnucomo (Gnu Computer Monitoring) and recently started the Small Sister-project for privacy-friendly internet usage. In his daily job he practices security,teaches it and works as an IT-journalist. His writings have triggered several debates in parliament and often raises questions. <br />
<br />
=====OWASP SIMBA - guarding your applications (by [https://www.owasp.org/index.php/BeNeLux_OWASP_Day_2011#Koen_Vanderloock.2C_Leader_Security_Competence_Group_at_Cegeka Koen Vanderloock], Leader Security Competence Group at Cegeka)=====<br />
[[OWASP SIMBA Project|SIMBA (Security Integration Module for Business Applications)]] is a OWASP project that provides you with a User Access Management system that can be integrated with any business application. The purpose of SIMBA is to secure an application fast and easy. Because SIMBA itself is generic it can be customized for every project. Many features are customizable e.g. designing your own authentication chain is easy and fast by using existing or newly created building blocks. SIMBA contains authentication, authorization, session management and a GUI to manage your security information.<br />
<br />
======Koen Vanderloock, Leader Security Competence Group at Cegeka======<br />
Koen Vanderloock is the leader of the security competence group at Cegeka. About 2 years ago Cegeka decided to create a sandbox for investigating security issues and solutions so they could be included in the current projects. <br />
Koen Vanderloock is a Java developer with 8 years of experience and started exploring the world of security 3 years ago when UAM problems started to occur.<br />
<br />
=====Practical Crypto Attacks Against Web Applications (by [https://www.owasp.org/index.php/BeNeLux_OWASP_Day_2011#Justin_Clarke.2C_Director_and_Co-Founder_of_Gotham_Digital_Science_Ltd Justin Clarke], Director and Co-Founder of Gotham Digital Science Ltd)=====<br />
The science of cryptography underpins many of the information security technologies we use on a daily basis, such as the ability to keep information confidential and to ensure we can identify who we are communicating with. However, it is a very complex subject area with many types of mistakes that can reduce the overall security of a solution. A number of these types of mistakes can be identified by a tester, if they know what they're looking for, but in general it isn't a well tested area.<br />
<br />
This talk is intended to provide a high level overview of some of the areas where cryptographic operations such as encryption and hashing can provide far less security than was planned, and concrete examples of how these were found and exploited. Examples will include discussion and demonstration of the recently patched cryptographic padding attack against the Microsoft .NET framework (affecting ASP.NET applications) caused by a design error in how ASP.NET handles some types of encrypted data, but we will also be looking at some other fun areas including bit flipping attacks, ECB mode attacks, and some miscellaneous hashing algorithm attacks against common web application implementations.<br />
<br />
======Justin Clarke, Director and Co-Founder of Gotham Digital Science Ltd======<br />
Justin is a Director and Co-Founder of Gotham Digital Science and an experienced software security consultant with extensive international Big 4 risk management, security consulting and testing experience. He is the lead author/technical editor of "SQL Injection Attacks and Defenses" (Syngress 2009), co-author of "Network Security Tools" (O'Reilly 2005), contributor to "Network Security Assessment, 2nd Edition" (O'Reilly 2007), as well as a speaker at various security conferences and events such as Black Hat, EuSecWest, ISACA, BruCON, OWASP, OSCON, RSA and SANS. He is currently the OWASP London chapter president, and a member of the OWASP Global Connections Committee.<br />
On 10 Oct 2011, at 09:33, Seba wrote:<br />
<br />
=====HTML5 security (by [https://www.owasp.org/index.php/BeNeLux_OWASP_Day_2011#Lieven_Desmet.2C_Research_Manager_at_Katholieke_Universiteit_Leuven Lieven Desmet], Research Manager at Katholieke Universiteit Leuven)=====<br />
In this talk, Lieven will highlight the results of the HTML5 security analysis, conducted by the DistriNet Research Group (K.U.Leuven). The security analysis of next generation web standards, commissioned by ENISA, looked into 13 emerging W3C web standards (i.e. the specification of HTML 5 and some of the associated APIs), and assessed the security of each of them as well as the overall security and consistency across specifications.<br />
<br />
In total 51 security threats and issues have been identified, and detailed in the ENISA report (http://www.enisa.europa.eu/html5). During the talk, Lieven will discuss the methodology developed to assess the huge amount of specifications, and zoom into a representative set of identified threats and their remediation.<br />
<br />
======Lieven Desmet, Research Manager at Katholieke Universiteit Leuven======<br />
Lieven Desmet is the Research Manager on Secure Software at the Katholieke Universiteit Leuven (Belgium), where he coaches junior researchers in web application security and participates in dissemination and valorization activities. His interests are in software verification and security of middleware and web-enabled technologies. Lieven is actively engaged in OWASP and is board member of the OWASP Chapter Belgium.<br />
<br />
=====Overcoming iOS Data Protection to Re-Enable iPhone Forensics (by [https://www.owasp.org/index.php/BeNeLux_OWASP_Day_2011#Andrey_Belenko.2C_Chief_Security_Researcher_at_ElcomSoft Andrey Belenko], Chief Security Researcher at ElcomSoft)=====<br />
Data protection is a feature available for iOS devices (iOS 4 and up) with hardware encryption: iPhone 4S, iPhone 4, iPhone 3GS, iPod touch (3rd generation or later), and all iPad models. Introduction of this feature had complicated iPhone forensics process because now (almost) all files on user partition are encrypted and physical dumps are of much less value to examiners: while the filesystem seems to be intact, actual file contents are encrypted and are not suitable for analysis.<br />
<br />
This talk will provide in-depth information about iOS Data protection internals and on the implication it had on iOS forensics. More specifically, it will cover the following:<br />
*System keys and their hierarchy<br />
*Device passcode and its recovery<br />
*Escrow keys<br />
*Filesystem encryption<br />
*Keychain encryption<br />
<br />
Presentation will start by providing attendees with required background on iOS encryption keys architecture: system keys, passcode key, escrow key. After attendees are familiar with those concepts, presentation will continue to filesystem and keychain encryption details and to the techniques that can be used to overcome the hurdles imposed by iOS Data Protection.<br />
<br />
======Andrey Belenko, Chief Security Researcher at ElcomSoft======<br />
Chief security researcher and software developer at Elcomsoft. Co-invented ThunderTables (which are improved RainbowTables) and was first to bring GPU acceleration to password recovery. M. Sc. IT and CISSP.<br />
<br />
LinkedIn: http://ru.linkedin.com/in/belenko<br />
<br />
Twitter: @andreybelenko<br />
<br />
=====Do you... Legal? (by [https://www.owasp.org/index.php/BeNeLux_OWASP_Day_2011#Ludovic_Petit.2C_Group_Fraud_.26_Information_Security_Adviser_at_SFR.2C_Vodafone_Group Ludovic Petit], Group Fraud & Information Security Adviser at SFR, Vodafone Group) =====<br />
<br />
The OWASP core mission is to make application security visible, so that people and organizations can make informed decisions about true application security risks. However, if you do not pay enough attention to many aspects of Legal compliance, you'll see why Web Application Security is somehow linked to Legal and Regulatory aspects as well as... Corporate Responsability, so yours. Who is accountable for what, what about each other's responsibility? Nowadays, the legal constraints oblige us to comply via technical means, whatever the local framework, and this is specially true for Web Application Security, many sensitive informations having to be handled through these web interfaces. A such, what do you think about your Security Policy compliance with your local Legal framework? Compliant? Sure? Really? Interesting isn't it? Let's have a talk about this.<br />
<br />
======Ludovic Petit, Group Fraud & Information Security Adviser at SFR, Vodafone Group======<br />
Ludovic is an internationally recognised information security expert with over 25 years experience. Last 15 years spent in various Corporate Management positions covering both Technical and Law Enforcement expertise dedicated to Mobile Telecommunications Fraud and Security in multi-national corporations.<br />
<br />
Ludovic is Chapter Leader & Founding Member OWASP France and an active contributor to OWASP in several roles and projects.<br />
<br />
LinkedIn Profile: http://www.linkedin.com/in/lpetit<br />
<br />
=====Dynamic Malware Analysis or How to Play in the House of Horrors (by Alexandre Dulaunoy, Incident Management - Security Research at CIRCL) =====<br />
Malware reversing is a time consuming task. Many approaches are available to dissect and analyse suspicious binaries. Dynamic malware analysis is one of the option to better understand them and also a nifty companion to static analysis. The current dynamic malware analysis techniques will be presented especially the ones relying on instrumented operating system systems (from the filesystem to the network stack). You'll see a wandering through common and less common malware partially analysed using dynamic analysis and how dynamic malware analysis can help you.<br />
<br />
===== The limits of e-banking (by Jean-Marc Bost and Sébastien Bischof, ECLA) =====<br />
The swiss german TV channel SF1 showed a footage on swiss e-banking security. The TV show follows a team of the ETH who earned a special authorization to test several e-anking platforms. After admitting that a personal computer can be infected by different means (actually 5% of the tested PCs are infected according to Microsoft), The team from Zürich showed the limits of the different platforms. Only the bank who signs each transaction is labelled as safe. We will come back during the presentation on the nature of the threat.<br>First of all, we will explain how famous malwares such as Zeus and SpyEye manage to steal from their victims without them being able to notice anything. Then we will see that e-banking is not the only target, as a matter of fact, the reality is far from this.<br>And then we will comment the most recent techniques that allow malwares to escape Antivirus and Antimalware programs even if they are up to date. We will vulgarize several concepts such as DKOM and bootkits in order to let everybody have a glimpse on the danger they represent.<br>Finally, we will think about if signing each transaction can efficiently fight off these threats. In fact, when attacks are coupled with Social Engineering, they have potentially no limit. Zeus is a living proof of this fact, because it even managed to attack the transaction validation system by SMS. As a conclusion, we will see that the e-banking platform that managed to resist the tests of the ETH team is vulnerable to such kind of attacks. <br />
<br />
====== Jean-Marc Bost, ELCA ======<br />
Jean-Marc Bost leads the security division at ELCA. <br>He is in charge of the various security solutions proposed by ELCA, some being released by ELCA, others being provided by partner vendors. <br>With a significant experience in the development of internet applications, he focused 10 years ago on their need for security. <br>Since then, he has been very active in&nbsp;:<br>- demonstrating the threats, in particular for ebanking<br>- conceiving practical and patented solutions for strong authentication, online transactions, electronic signature and secured documents<br>- presenting the findings of the security division in security events and through expert talks<br> <br />
<br />
====== Sébastien Bischof, ELCA ======<br />
Sébastien Bischof works in the security division at ELCA Where he is specialized in OS-level and communication security.<br>As a major result, he developped a fully-working proof-of-concept of an attack against a sophisticated USB token for safe-browsing.<br>He obtained his Master of Science in Engineering at HEIG-VD/HES-SO with a strong emphasis on IT Security.<br>During his education, he focused on obfuscation and rootkit techniques.<br>Computer security enthusiast, he is very interested in hackings events such as Insomni'hack and keeps himself informed on the latest threats throuhg active participation in security forums.<br />
<br />
===== Security testing: a key challenge for software engineering of web apps (by Yves Le Traon, UdL)===== <br />
While important efforts are dedicated to system functional testing, very few works study how to specifically and systematically test security mechanisms. In this talk, we will present two categories of approaches. <br />
The first ones aim at assessing security mechanisms compliance with declared policies. Any security policy is strongly connected to system functionality: testing function includes exercising many security mechanisms. However, testing functionality does not intend at exercizing all security mechanisms. We thus propose test selection criteria to produce tests from a security policy. Empirical results will be presented about access control policies and about Android apps permission checks. <br />
<br />
The second ones concern the attack surface of web apps, with a particular focus on web browser sensitivity to XSS attacks. Indeed, one of the major threats against web applications is Cross-Site Scripting (XSS) that crosses several web components: web server, security components and finally the client’s web browser. The final target is thus the client running a particular web browser. During this last decade, several competing web browsers (IE, Netscape, Chrome, Firefox) have been upgraded to add new features for the final users benefit. However, the improvement of web browsers is not related with systematic security regression testing. Beginning with an analysis of their current exposure degree to XSS, we extend the empirical study to a decade of most popular web browser versions.The results reveal a chaotic behavior in the evolution of most web browsers attack surface over time. This particularly shows an urgent need for regression testing strategies to ensure that security is not sacrificed when a new version is delivered. <br />
<br />
In both cases, security must become a specific target for testing in order to get a satisfying level of confidence in security mechanisms<br />
<br />
====== Yves Le Traon, UdL====== <br />
Yves Le Traon is professor at University of Luxembourg in the domain of software engineering, reliability, validation and security. He is also a member of the Interdisciplinary Centre for Security, Reliability and Trust (SnT), where he leads the research group SERVAL (SEcuRity and VALidation of services and networks). His research interests include software testing, design for security, security testing, model-driven validation, model based testing, web application, mobile computing. <br />
<br />
Professor Le Traon received his engineering degree and his PhD in Computer Science at the “Institut National Polytechnique” in Grenoble, France, in 1997. From 1998 to 2004, he was an associate professor at the University of Rennes, in Brittany, France. He is the co-founder of the Triskell INRIA team, which focuses on innovating design, modeling and testing techniques, such as Model-driven Engineering. During this period, Professor Le Traon studied design for testability techniques, validation and diagnosis of object-oriented programs and component-based systems. From 2004 to 2006, he was an expert in Model-Driven Architecture and Validation in the EXA team (Requirements Engineering and Applications) at “France Télécom R&D”. In 2006, he became professor at Telecom Bretagne (Ecole Nationale des Télécommunications de Bretagne), where he pioneered the application of testing for security assessment of web-applications, P2P systems and the promotion of intrusion detection systems using contract-based techniques.<br />
<br />
<br />
==== CTF ====<br />
<br />
Do you like puzzles? Do you like challenges? Are you a hacker?<br />
<br />
Whether you are an old hacker or new enthusiast you should come to OWASP BeNeLux days 2011 and participate in the Capture the Flag event December 2nd 2011 at the University of Luxemburg. <br />
<br />
The OWASP CTF is especially designed to support challengers of all skill levels. The CTF contains multiple challenges in various fields related to application security. As every challenge gains you one point, you can pick and choose which challenge you want to play.<br />
<br />
All you need is a laptop with a wifi card and your favorite (preferably) non-commercial tools. <br />
<br />
So come to Luxemburg, show off your skills, learn new tricks and above all have a good time at the CTF event. <br />
<br />
==== Registration ====<br />
<center><br />
'''The training day and the conference are free!'''&nbsp;<br />
<br />
<br> <br />
<br />
[http://owaspbenelux2011.eventbrite.com/ http://www.owasp.org/images/7/77/Buttoncreate.png] <br />
<br />
<br> To support the OWASP organisation, consider to become a member, it's only US$50!<br> Check out the [[Membership]] page to find out more.<br> <br />
<br />
<br> <br />
</center> <br />
==== Venue ====<br />
<center><br />
University of Luxembourg<br>Campus Kirchberg<br>6, rue Richard Coudenhove-Kalergi<br>L-1359 Luxembourg<br>[http://wwwen.uni.lu/contact/campus_kirchberg http://wwwen.uni.lu/contact/campus_kirchberg] <br>Room: Paul Feidert<br />
</center><br />
<br />
<br>'''Parking''':<br />
<br />
There is a public parking close to the conference venue.<br />
[http://maps.google.de/maps?q=49.63038,6.157061&num=1&t=h&vpsrc=0&z=16 Click here to find the parking on Google Maps]<br />
<br />
<br>'''Hotels nearby''': <br />
<br />
The first hotel is at 5 minutes on walk distance from the campus Kirchberg: '''[http://www.coque.lu/article/259 Hotel d’Coque]'''<br />
* single room with breakfast 77.50 €<br />
* double room with breakfast 93.00 €. <br />
* Booking email address with Ref. OWASP_SNT 2011 to : [mailto:reception@coque.lu reception@coque.lu]<br />
* Reservation deadline: 20 October 2011<br />
Second hotel (direct center of Luxembourg) 5/10 minutes with taxi or bus: '''[http://www.parcbellevue.lu/fr/index.php Hotel Parc Bellevue]'''<br />
* single room with breakfast 95.00 € (normal price 160 €)<br />
* double room with breakfast 115.00 € (normal price 180€)<br />
* wifi and parking included<br />
* Booking email address: [mailto:reservation@goeres-group.com reservation@goeres-group.com]<br />
* Reservation deadline&nbsp;: 30 November <br />
* Reservation form: [https://www.owasp.org/images/4/44/Uni_Luxembourg_OWASP_2011.doc download form] <br />
Third hotel (near the Parc Bellevue): '''[http://www.parcplaza.lu/fr/index.php Hotel Plaza]'''<br />
* single room with breakfast 130.00 € (normal price 225 €)<br />
* double room with breakfast 150.00 € (normal price 245€)<br />
* wifi and parking included<br />
* Booking email address: [mailto:reservation@goeres-group.com reservation@goeres-group.com]. <br />
* Reservation deadline: 30 November<br />
* Reservation form: [https://www.owasp.org/images/4/44/Uni_Luxembourg_OWASP_2011.doc download form] <br />
Fourth hotel: '''[http://www.melia-luxembourg.com/fr/melia-luxembourg.html Hotel Mélia]'''<br />
* single room with breakfast 140.00 €<br />
* Booking email address: [mailto:reservations.melia.luxembourg@solmelia.com reservations.melia.luxembourg@solmelia.com]<br />
* Reservation deadline: 28 October 2011<br />
* Reservation form: [https://www.owasp.org/images/f/f8/Uni_OWASP_2011_Melia.pdf download form] <br />
<br />
<br><br />
<br />
==== Organisation ====<br />
<br />
The BeNeLux Day 2011 Program Committee: <br />
<br />
*Martin Knobloch / Ferdinand Vroom ([[Netherlands|OWASP Netherlands]]) <br />
*Bart De Win / Sebastien Deleersnyder ([[Belgium|OWASP Belgium]]) <br />
*Jocelyn Aubert / Andre Adelsbach ([[Luxembourg|OWASP Luxembourg]]) <br />
*Steven van der Baan ([[:Category:OWASP CTF Project|Capture The Flag]])<br />
<br />
Local organization:<br />
<br />
*Thomas Engel <br />
*Radu State <br />
*Magali Martin <br />
*Aurel Machalek<br />
<br />
==== Sponsorship ====<br />
<br />
Contact seba &lt;at&gt; owasp.org for sponsorship <br />
<br />
<paypal>BeNeLux OWASP Day 2011</paypal> <br />
<br />
==== Social Event ====<br />
<br />
The social event is scheduled for Thursday, 1st of December, 19:00 at <br />
<br><br />
<br><br />
<center><br />
[http://www.aguadecoco.lu/ Agua De C&ocirc;co]<br><br />
2, rue Emile Mousel<br><br />
L-2165 Luxembourg<br><br />
<br><br />
([http://maps.google.com/maps?q=Rue+Emile+Mousel,+Luxembourg,+Luxemburg&hl=de&ll=49.612031,6.14125&spn=0.003379,0.009677&sll=49.709163,6.115265&sspn=0.003372,0.009677&vpsrc=6&geocode=FQIF9QIdPrVdAA&hnear=Rue+Emile+Mousel,+Luxembourg,+Luxemburg&t=h&z=17 find the location on Google Maps])<br />
<br />
Remark: split bill system - everyone has to cover own food & drinks.<br />
<br />
</center><br />
<br />
==== Promotion ====<br />
''Feel free to use the text below to promote our event!''<br />
<br />
We invite you to our next OWASP event: the '''BeNeLux OWASP Days 2011!'''<br />
<br />
Free your agenda on the 1st and 2nd of December, 2011.<br />
<br />
The good news: free! No fee!<br />
<br />
The bad news: there are only 160 seats available (first register, first serve)!<br />
<br />
<br />
'''PROGRAM Day 1'''<br />
* 10:00 AM - 18:00 PM: OWASP Training Day<br />
* 19:00 PM - ?: Social event<br />
<br />
'''OWASP Training: Secure Application Development''', by Eoin Keary<br><br />
This intensive one-day training focuses on the most common web application security problems, including aspects of both the OWASP Top Ten (2010) and the MITRE Top 25. The training will introduce and demonstrate application assessment techniques, illustrating how application vulnerabilities can be exploited so students really understand how to avoid introducing such vulnerabilities in their code.<br />
<br />
'''PROGRAM Day 2'''<br />
* 10:00 AM - 18:00 PM: OWASP Conference<br />
<br />
List of '''confirmed speakers''' (more to be announced soon):<br />
*Brenno De Winter (Journalist) on the Diginotar story<br />
*Koen Vanderloock (Lead Security Competence Group at Cegeka) on the new OWASP Simba project<br />
*Justin Clarke (Director and Co-Founder of Gotham Digital Science Ltd) on practical crypto attacks against web applications<br />
*Lieven Desmet (Research Manager at University Leuven) on HTML5 security<br />
*Andrey Belenko (Chief Security Researcher at ElcomSoft Co. Ltd) on iOS data protection internals<br />
*Alexandre Dulaunoy (Incident Management - Security Research at CIRCL) on dynamic malware analysis<br />
*Ludovic Petit (Group Fraud & Information Security Adviser at SFR, Vodafone Group) on WebApp Security and legal and regulatory aspects<br />
*Seba Deleersnyder & Eoin Keary (OWASP Board) on OWASP Update<br />
<br />
'''ORGANIZATION<br>'''<br />
OWASP's all-volunteer participants produce free, professional quality, open-source documentation, tools, and standards on application security. An example of this is the famous OWASP top ten of most critical web application security flaws. The OWASP community facilitates conferences, local chapters, articles, and message forums. Participation in OWASP is free and open to all, as are all the materials we produce.<br />
<br />
'''WHO should attend?<br>'''<br />
Anyone interested in Web Application Security (management, security professionals, developers, students, etc). OWASP Belgium, Netherlands and Luxembourg chapters membership is free. All meetings are free. There are never vendor pitches or sales presentations at OWASP meetings.<br><br />
Check our chapter page http://www.owasp.org/index.php/Belgium on meeting details, sign up to the chapter mailing list and introduce yourself.<br><br />
Check our chapter page http://www.owasp.org/index.php/Netherlands on meeting details, sign up to the chapter mailing list and introduce yourself.<br><br />
Check our chapter page http://www.owasp.org/index.php/Luxembourg on meeting details, sign up to the chapter mailing list and introduce yourself.<br><br />
<br />
'''WHEN<br>'''<br />
Thursday and Friday, 1st and 2nd of December, 2011 (10 AM - 7 PM)<br />
<br />
'''WHERE<br>'''<br />
University of Luxembourg<br><br />
Campus Kirchberg<br><br />
6, rue Richard Coudenhove-Kalergi<br><br />
L-1359 Luxembourg<br><br />
http://wwwen.uni.lu/contact/campus_kirchberg<br><br />
Room: Paul Feidert<br />
<br />
Attention: make sure to '''book your hotel in time''', it will be difficult to find rooms in Luxembourg around Dec 1-2!<br><br />
Hotel details https://www.owasp.org/index.php?title=BeNeLux_OWASP_Day_2011#tab=Venue<br />
<br />
'''REGISTRATION<br>'''<br />
Only 160 places, please '''Register upfront: http://owaspbenelux2011.eventbrite.com''' !<br><br />
All latest details are available on http://www.owaspbenelux.eu<br><br />
Hope to see you all!<br><br />
<br />
The BeNeLux Program Committee,<br />
*Martin Knobloch / Ferdinand Vroom, OWASP Netherlands<br />
*Bart De Win / Sebastien Deleersnyder, OWASP Belgium<br />
*Jocelyn Aubert / Andre Adelsbach, OWASP Luxembourg<br />
*Steven van der Baan, OWASP CTF Project<br />
<br />
Kindly supported by the Interdisciplinary Centre for Security Reliability and Trust<br />
*Thomas Engel <br />
*Radu State <br />
*Magali Martin <br />
*Aurel Machalek<br />
<br />
<headertabs /><br />
<br />
<br />
<center><br />
'''Hosted and co-organized by:'''<br> <br />
[[Image:Bnl11-university-logo.jpg|link=http://wwwen.uni.lu]] <br />
[[Image:Bnl11-SECURITYANDTRUST-LOGO.jpg|link=http://www.securityandtrust.lu]] <br />
<br />
<br><br><br><br />
<br />
Made possible by our [http://www.owasp.org/index.php/BeNeLux_OWASP_Day_2011#tab=Sponsorship sponsors]:<br><br />
{{MemberLinks|link=http://www.ascure.com|logo=Ascure_Logo.jpg}} <br />
[http://www.zionsecurity.com http://www.owasp.org/images/e/e6/Zionsecurity.jpg]<br />
[http://www.zenitelbelgium.com http://www.owasp.org/images/d/df/SAIT_Zenitel.jpg]<br />
[http://www8.hp.com/us/en/solutions/solutions-detail.html?compURI=tcm:245-339290 https://www.owasp.org/images/b/b4/HP_Logo.jpg] <br />
[http://www.barracuda.com https://www.owasp.org/images/f/f6/Bnl11-Barracuda_Logo-4C.png] <br />
[http://circl.lu/ http://circl.lu/pics/logo.png]<br />
[http://www.f5.com https://www.owasp.org/images/f/fd/AppSec_Research_2010_sponsor_F5_logo.jpg]<br />
<br />
<br />
<br />
<br><br />
</center><br />
[[Category:OWASP_AppSec_Conference]] [[Category:OWASP_BeNeLux_Archives]]</div>Bart De Winhttps://wiki.owasp.org/index.php?title=BeNeLux_OWASP_Day_2011&diff=120844BeNeLux OWASP Day 20112011-11-28T21:06:29Z<p>Bart De Win: </p>
<hr />
<div>__NOTOC__ <br />
<center>[[Image:OWASP BeNeLux 2011.jpg]]<br></center><br />
<br><!-- Header --><br />
<br />
==== Welcome ====<br />
<br />
<br><br />
<center><br />
=== Venue is the University of Luxembourg (Grand Duchy of Luxembourg) ===<br />
Training and conference location, together with hotel information, can be found [https://www.owasp.org/index.php/BeNeLux_OWASP_Day_2011#tab=Venue here].<br />
=== Training and first list of conference speakers are announced! ===<br />
See [https://www.owasp.org/index.php/BeNeLux_OWASP_Day_2011#tab=Training.2C_December_1st here] and [https://www.owasp.org/index.php/BeNeLux_OWASP_Day_2011#tab=Conference.2C_December_2nd here]<br />
=== Tweet! ===<br />
<br />
Event tag is [http://twitter.com/#search?q=%23owaspbnl11 #owaspbnl11]<br />
<br />
=== Registrations are open: ===<br />
<br />
[http://owaspbenelux2011.eventbrite.com/ http://www.owasp.org/images/7/77/Buttoncreate.png] <br />
<br />
</center><br />
<br><br />
<br />
==== Training, December 1st ====<br />
<br />
Registration '''starts at 9h00'''<br />
<br />
Training will start at '''10h00''' and we plan to stop at '''17h00'''<br />
<br />
The training room is: '''Paul Feidert''' (for details, check the [https://www.owasp.org/index.php/BeNeLux_OWASP_Day_2011#tab=Venue venue] tab)<br />
<br />
'''OWASP Training: Secure Application Development, by Eoin Keary'''<br />
<br />
'''Abstract:''' Writing Secure code is the most effective method to securing your web applications. Writing secure code takes skill and know-how but results in a more stable and robust application and assists in protecting an organisations brand.<br />
Application security is not commonly a part of many computer science curricula today and most organizations have not focused on instituting a culture that includes application security as a core part of their software development training efforts. This intensive one-day course focuses on the most common web application security problems, including aspects of both the OWASP Top Ten (2010) and the MITRE Top 25. The course will introduce and demonstrate application assessment techniques, illustrating how application vulnerabilities can be exploited so students really understand how to avoid introducing such vulnerabilities in their code.<br />
<br />
'''This course includes coverage of the following areas:'''<br />
<br />
* Unvalidated Input<br />
* Injection Flaws, OS commanding, SQL Injection<br />
* Cross-Site Scriping & Client-side security<br />
* CSRF/XSRF<br />
* Authentication & Session Management<br />
* Access control & Authorisation<br />
* Broken Caching<br />
* Error Handling & Resource Management<br />
* The Secure SDLC<br />
* Fuzzing, Proxy use and testing approach<br />
<br />
'''Hands on Exercises'''<br />
<br />
To cement the principles discussed, students can participate in a number of hands-on security testing exercises where they attack a live web application (i.e., OWASP Bank etc) that has been seeded with common web application vulnerabilities.<br />
<br />
The students will use proxy tools commonly used by the hacker community to complete the exercises. Students need to bring their own windows based laptop to participate in the exercises. Wireless capability is recommended.<br />
<br />
'''Audience'''<br />
<br />
Developers who want to understand the most common web application security flaws, and how to avoid them and code in a secure manner.<br />
<br />
Level: Beginner/Intermediate<br />
<br />
Prerequisite: Basic knowledge of a web programming language like Java or .NET recommended but not required.<br />
<br />
Bringing your own windows based laptop is recommended so you can participate in the hands on exercises<br />
<br />
'''Trainer Bio:''' <br />
<br />
[[Eoin Keary]] is a Global OWASP board member since 2009. He is a long time member of OWASP and have contributed year on year to OWASP projects and the OWASP mission of fighting the causes of software insecurity. He is based in Dublin, Ireland and director of [http://www.bccriskadvisory.com Bccriskadvisory].<br />
<br />
==== Conference, December 2nd ====<br />
<br />
We are pleased to announce the list of confirmed speakers:<br />
<br />
* Brenno De Winter (Journalist) From DigiNotar to Leaktober<br />
* Koen Vanderloock (Lead Security Competence Group at Cegeka) on [https://www.owasp.org/index.php/BeNeLux_OWASP_Day_2011#OWASP_SIMBA_-_guarding_your_applications_.28by_Koen_Vanderloock.2C_Leader_Security_Competence_Group_at_Cegeka.29 the new OWASP Simba project]<br />
* Justin Clarke (Director and Co-Founder of Gotham Digital Science Ltd) on [https://www.owasp.org/index.php/BeNeLux_OWASP_Day_2011#Practical_Crypto_Attacks_Against_Web_Applications_.28by_Justin_Clarke.2C_Director_and_Co-Founder_of_Gotham_Digital_Science_Ltd.29 practical crypto attacks against web applications]<br />
* Lieven Desmet (Research Manager at University Leuven) on [https://www.owasp.org/index.php/BeNeLux_OWASP_Day_2011#HTML5_security_.28by_Lieven_Desmet.2C_Research_Manager_at_Katholieke_Universiteit_Leuven.29 HTML5 security]<br />
* Andrey Belenko (Chief Security Researcher at ElcomSoft Co. Ltd) on [https://www.owasp.org/index.php/BeNeLux_OWASP_Day_2011#Overcoming_iOS_Data_Protection_to_Re-Enable_iPhone_Forensics_.28by_Andrey_Belenko.2C_Chief_Security_Researcher_at_ElcomSoft.29 iOS data protection internals]<br />
* Alexandre Dulaunoy (Incident Management - Security Research at CIRCL) on dynamic malware analysis<br />
* Ludovic Petit (Group Fraud & Information Security Adviser at SFR, Vodafone Group) on [https://www.owasp.org/index.php/BeNeLux_OWASP_Day_2011#Do_you..._Legal.3F_.28by_Ludovic_Petit.2C_Group_Fraud_.26_Information_Security_Adviser_at_SFR.2C_Vodafone_Group.29 WebApp Security and legal and regulatory aspects]<br />
*Jean-Marc Bost and Sébastien Bischof (ELCA) on The limits of e-banking<br />
* Yves Le Traon on security testing for web apps (talk will be held on the Training Day)<br />
* Seba Deleersnyder & Eoin Keary (OWASP Board) on OWASP Update<br />
<br />
Stay tuned for the final agenda!<br />
<br />
'''''Agenda''''' '<br />
''(program has slightly changed !)''<br />
<br />
{| class="wikitable"<br />
! Time !! Speaker !! Topic<br />
|-<br />
| 08h30 - 9h30 || "Registration" || <br />
|-<br />
| 09h30 - 9h40 || OWASP Benelux Organization & Thomas Engel|| Welcome<br />
|-<br />
| 09h40 - 10h00 || Sebastien Deleersnyder & Eion Keary || OWASP update<br />
|-<br />
| 10h00 - 10h40 || Brenno De Winter || From DigiNotar to Leaktober <br />
|-<br />
| 10h40 - 11h00 || ''Break'' ||<br />
|-<br />
| 11h00 - 11h40 || [https://www.owasp.org/index.php/BeNeLux_OWASP_Day_2011#Justin_Clarke.2C_Director_and_Co-Founder_of_Gotham_Digital_Science_Ltd Justin Clarke] || [https://www.owasp.org/index.php/BeNeLux_OWASP_Day_2011#Practical_Crypto_Attacks_Against_Web_Applications_.28by_Justin_Clarke.2C_Director_and_Co-Founder_of_Gotham_Digital_Science_Ltd.29 practical crypto attacks against web applications] <br />
|-<br />
| 11h40 - 12h20 || [https://www.owasp.org/index.php/BeNeLux_OWASP_Day_2011#Andrey_Belenko.2C_Chief_Security_Researcher_at_ElcomSoft Andrey Belenko] || [https://www.owasp.org/index.php/BeNeLux_OWASP_Day_2011#Overcoming_iOS_Data_Protection_to_Re-Enable_iPhone_Forensics_.28by_Andrey_Belenko.2C_Chief_Security_Researcher_at_ElcomSoft.29 Overcoming iOS Data Protection to Re-Enable iPhone Forensics] <br />
|-<br />
| 12h20 - 13h00 || [https://www.owasp.org/index.php/BeNeLux_OWASP_Day_2011#Koen_Vanderloock.2C_Leader_Security_Competence_Group_at_Cegeka Koen Vanderloock] || [https://www.owasp.org/index.php/BeNeLux_OWASP_Day_2011#OWASP_SIMBA_-_guarding_your_applications_.28by_Koen_Vanderloock.2C_Leader_Security_Competence_Group_at_Cegeka.29 OWASP SIMBA - guarding your applications] <br />
|-<br />
| 13h00 - 14h00 || ''Lunch'' || <br />
|-<br />
| 14h00 - 14h40 || [https://www.owasp.org/index.php/BeNeLux_OWASP_Day_2011#Ludovic_Petit.2C_Group_Fraud_.26_Information_Security_Adviser_at_SFR.2C_Vodafone_Group Ludovic Petit] || [https://www.owasp.org/index.php/BeNeLux_OWASP_Day_2011#Do_you..._Legal.3F_.28by_Ludovic_Petit.2C_Group_Fraud_.26_Information_Security_Adviser_at_SFR.2C_Vodafone_Group.29 Do you... Legal?]<br />
|-<br />
| 14h40 - 15h20 || Thierry Zoller || The rise of the Vulnerability Market<br />
|-<br />
| 15h20 - 16h00 || Jean-Marc Bost & Sébastien Bischof || The limits of e-banking <br />
|-<br />
| 16h00 - 16h20 || ''Break'' || <br />
|-<br />
| 16h20 - 17h00 || Alexandre Delaunoy || Dynamic malware analysis <br />
|-<br />
| 17h00 - 17h40 || [https://www.owasp.org/index.php/BeNeLux_OWASP_Day_2011#Lieven_Desmet.2C_Research_Manager_at_Katholieke_Universiteit_Leuven Lieven Desmet] || [https://www.owasp.org/index.php/BeNeLux_OWASP_Day_2011#HTML5_security_.28by_Lieven_Desmet.2C_Research_Manager_at_Katholieke_Universiteit_Leuven.29 HTML5 security]<br />
|-<br />
| 17h40 - 18h00 || OWASP Benelux 2011 organization || Closing notes<br />
<br />
|}<br />
<br />
<!-- deze laten staan. is handig om anchors te vinden tijdens edi (seba) __TOC__ --><br />
<br />
===== From DigiNotar to Leaktober=====<br />
Web application security is hard. With Lektober, Brenno shows that to the general public. Privacy is at stake, not only in the Netherlands. Brenno will reveal some of the more "interesting" leaks.<br />
<br />
=====Brenno J.S.A.A.F. de Winter=====<br />
Brenno De Winter started experimenting with security at the age of 9. He has a background in open source that dates back to 1993 and he contributed to several projects like MySQL, GnuPG, Gnucomo (Gnu Computer Monitoring) and recently started the Small Sister-project for privacy-friendly internet usage. In his daily job he practices security,teaches it and works as an IT-journalist. His writings have triggered several debates in parliament and often raises questions. <br />
<br />
=====OWASP SIMBA - guarding your applications (by [https://www.owasp.org/index.php/BeNeLux_OWASP_Day_2011#Koen_Vanderloock.2C_Leader_Security_Competence_Group_at_Cegeka Koen Vanderloock], Leader Security Competence Group at Cegeka)=====<br />
[[OWASP SIMBA Project|SIMBA (Security Integration Module for Business Applications)]] is a OWASP project that provides you with a User Access Management system that can be integrated with any business application. The purpose of SIMBA is to secure an application fast and easy. Because SIMBA itself is generic it can be customized for every project. Many features are customizable e.g. designing your own authentication chain is easy and fast by using existing or newly created building blocks. SIMBA contains authentication, authorization, session management and a GUI to manage your security information.<br />
<br />
======Koen Vanderloock, Leader Security Competence Group at Cegeka======<br />
Koen Vanderloock is the leader of the security competence group at Cegeka. About 2 years ago Cegeka decided to create a sandbox for investigating security issues and solutions so they could be included in the current projects. <br />
Koen Vanderloock is a Java developer with 8 years of experience and started exploring the world of security 3 years ago when UAM problems started to occur.<br />
<br />
=====Practical Crypto Attacks Against Web Applications (by [https://www.owasp.org/index.php/BeNeLux_OWASP_Day_2011#Justin_Clarke.2C_Director_and_Co-Founder_of_Gotham_Digital_Science_Ltd Justin Clarke], Director and Co-Founder of Gotham Digital Science Ltd)=====<br />
The science of cryptography underpins many of the information security technologies we use on a daily basis, such as the ability to keep information confidential and to ensure we can identify who we are communicating with. However, it is a very complex subject area with many types of mistakes that can reduce the overall security of a solution. A number of these types of mistakes can be identified by a tester, if they know what they're looking for, but in general it isn't a well tested area.<br />
<br />
This talk is intended to provide a high level overview of some of the areas where cryptographic operations such as encryption and hashing can provide far less security than was planned, and concrete examples of how these were found and exploited. Examples will include discussion and demonstration of the recently patched cryptographic padding attack against the Microsoft .NET framework (affecting ASP.NET applications) caused by a design error in how ASP.NET handles some types of encrypted data, but we will also be looking at some other fun areas including bit flipping attacks, ECB mode attacks, and some miscellaneous hashing algorithm attacks against common web application implementations.<br />
<br />
======Justin Clarke, Director and Co-Founder of Gotham Digital Science Ltd======<br />
Justin is a Director and Co-Founder of Gotham Digital Science and an experienced software security consultant with extensive international Big 4 risk management, security consulting and testing experience. He is the lead author/technical editor of "SQL Injection Attacks and Defenses" (Syngress 2009), co-author of "Network Security Tools" (O'Reilly 2005), contributor to "Network Security Assessment, 2nd Edition" (O'Reilly 2007), as well as a speaker at various security conferences and events such as Black Hat, EuSecWest, ISACA, BruCON, OWASP, OSCON, RSA and SANS. He is currently the OWASP London chapter president, and a member of the OWASP Global Connections Committee.<br />
On 10 Oct 2011, at 09:33, Seba wrote:<br />
<br />
=====HTML5 security (by [https://www.owasp.org/index.php/BeNeLux_OWASP_Day_2011#Lieven_Desmet.2C_Research_Manager_at_Katholieke_Universiteit_Leuven Lieven Desmet], Research Manager at Katholieke Universiteit Leuven)=====<br />
In this talk, Lieven will highlight the results of the HTML5 security analysis, conducted by the DistriNet Research Group (K.U.Leuven). The security analysis of next generation web standards, commissioned by ENISA, looked into 13 emerging W3C web standards (i.e. the specification of HTML 5 and some of the associated APIs), and assessed the security of each of them as well as the overall security and consistency across specifications.<br />
<br />
In total 51 security threats and issues have been identified, and detailed in the ENISA report (http://www.enisa.europa.eu/html5). During the talk, Lieven will discuss the methodology developed to assess the huge amount of specifications, and zoom into a representative set of identified threats and their remediation.<br />
<br />
======Lieven Desmet, Research Manager at Katholieke Universiteit Leuven======<br />
Lieven Desmet is the Research Manager on Secure Software at the Katholieke Universiteit Leuven (Belgium), where he coaches junior researchers in web application security and participates in dissemination and valorization activities. His interests are in software verification and security of middleware and web-enabled technologies. Lieven is actively engaged in OWASP and is board member of the OWASP Chapter Belgium.<br />
<br />
=====Overcoming iOS Data Protection to Re-Enable iPhone Forensics (by [https://www.owasp.org/index.php/BeNeLux_OWASP_Day_2011#Andrey_Belenko.2C_Chief_Security_Researcher_at_ElcomSoft Andrey Belenko], Chief Security Researcher at ElcomSoft)=====<br />
Data protection is a feature available for iOS devices (iOS 4 and up) with hardware encryption: iPhone 4S, iPhone 4, iPhone 3GS, iPod touch (3rd generation or later), and all iPad models. Introduction of this feature had complicated iPhone forensics process because now (almost) all files on user partition are encrypted and physical dumps are of much less value to examiners: while the filesystem seems to be intact, actual file contents are encrypted and are not suitable for analysis.<br />
<br />
This talk will provide in-depth information about iOS Data protection internals and on the implication it had on iOS forensics. More specifically, it will cover the following:<br />
*System keys and their hierarchy<br />
*Device passcode and its recovery<br />
*Escrow keys<br />
*Filesystem encryption<br />
*Keychain encryption<br />
<br />
Presentation will start by providing attendees with required background on iOS encryption keys architecture: system keys, passcode key, escrow key. After attendees are familiar with those concepts, presentation will continue to filesystem and keychain encryption details and to the techniques that can be used to overcome the hurdles imposed by iOS Data Protection.<br />
<br />
======Andrey Belenko, Chief Security Researcher at ElcomSoft======<br />
Chief security researcher and software developer at Elcomsoft. Co-invented ThunderTables (which are improved RainbowTables) and was first to bring GPU acceleration to password recovery. M. Sc. IT and CISSP.<br />
<br />
LinkedIn: http://ru.linkedin.com/in/belenko<br />
<br />
Twitter: @andreybelenko<br />
<br />
=====Do you... Legal? (by [https://www.owasp.org/index.php/BeNeLux_OWASP_Day_2011#Ludovic_Petit.2C_Group_Fraud_.26_Information_Security_Adviser_at_SFR.2C_Vodafone_Group Ludovic Petit], Group Fraud & Information Security Adviser at SFR, Vodafone Group) =====<br />
<br />
The OWASP core mission is to make application security visible, so that people and organizations can make informed decisions about true application security risks. However, if you do not pay enough attention to many aspects of Legal compliance, you'll see why Web Application Security is somehow linked to Legal and Regulatory aspects as well as... Corporate Responsability, so yours. Who is accountable for what, what about each other's responsibility? Nowadays, the legal constraints oblige us to comply via technical means, whatever the local framework, and this is specially true for Web Application Security, many sensitive informations having to be handled through these web interfaces. A such, what do you think about your Security Policy compliance with your local Legal framework? Compliant? Sure? Really? Interesting isn't it? Let's have a talk about this.<br />
<br />
======Ludovic Petit, Group Fraud & Information Security Adviser at SFR, Vodafone Group======<br />
Ludovic is an internationally recognised information security expert with over 25 years experience. Last 15 years spent in various Corporate Management positions covering both Technical and Law Enforcement expertise dedicated to Mobile Telecommunications Fraud and Security in multi-national corporations.<br />
<br />
Ludovic is Chapter Leader & Founding Member OWASP France and an active contributor to OWASP in several roles and projects.<br />
<br />
LinkedIn Profile: http://www.linkedin.com/in/lpetit<br />
<br />
=====Dynamic Malware Analysis or How to Play in the House of Horrors (by Alexandre Dulaunoy, Incident Management - Security Research at CIRCL) =====<br />
Malware reversing is a time consuming task. Many approaches are available to dissect and analyse suspicious binaries. Dynamic malware analysis is one of the option to better understand them and also a nifty companion to static analysis. The current dynamic malware analysis techniques will be presented especially the ones relying on instrumented operating system systems (from the filesystem to the network stack). You'll see a wandering through common and less common malware partially analysed using dynamic analysis and how dynamic malware analysis can help you.<br />
<br />
===== The limits of e-banking (by Jean-Marc Bost and Sébastien Bischof, ECLA) =====<br />
The swiss german TV channel SF1 showed a footage on swiss e-banking security. The TV show follows a team of the ETH who earned a special authorization to test several e-anking platforms. After admitting that a personal computer can be infected by different means (actually 5% of the tested PCs are infected according to Microsoft), The team from Zürich showed the limits of the different platforms. Only the bank who signs each transaction is labelled as safe. We will come back during the presentation on the nature of the threat.<br>First of all, we will explain how famous malwares such as Zeus and SpyEye manage to steal from their victims without them being able to notice anything. Then we will see that e-banking is not the only target, as a matter of fact, the reality is far from this.<br>And then we will comment the most recent techniques that allow malwares to escape Antivirus and Antimalware programs even if they are up to date. We will vulgarize several concepts such as DKOM and bootkits in order to let everybody have a glimpse on the danger they represent.<br>Finally, we will think about if signing each transaction can efficiently fight off these threats. In fact, when attacks are coupled with Social Engineering, they have potentially no limit. Zeus is a living proof of this fact, because it even managed to attack the transaction validation system by SMS. As a conclusion, we will see that the e-banking platform that managed to resist the tests of the ETH team is vulnerable to such kind of attacks. <br />
<br />
====== Jean-Marc Bost, ELCA ======<br />
Jean-Marc Bost leads the security division at ELCA. <br>He is in charge of the various security solutions proposed by ELCA, some being released by ELCA, others being provided by partner vendors. <br>With a significant experience in the development of internet applications, he focused 10 years ago on their need for security. <br>Since then, he has been very active in&nbsp;:<br>- demonstrating the threats, in particular for ebanking<br>- conceiving practical and patented solutions for strong authentication, online transactions, electronic signature and secured documents<br>- presenting the findings of the security division in security events and through expert talks<br> <br />
<br />
====== Sébastien Bischof, ELCA ======<br />
Sébastien Bischof works in the security division at ELCA Where he is specialized in OS-level and communication security.<br>As a major result, he developped a fully-working proof-of-concept of an attack against a sophisticated USB token for safe-browsing.<br>He obtained his Master of Science in Engineering at HEIG-VD/HES-SO with a strong emphasis on IT Security.<br>During his education, he focused on obfuscation and rootkit techniques.<br>Computer security enthusiast, he is very interested in hackings events such as Insomni'hack and keeps himself informed on the latest threats throuhg active participation in security forums.<br />
<br />
===== Security testing: a key challenge for software engineering of web apps (by Yves Le Traon, UdL)===== <br />
While important efforts are dedicated to system functional testing, very few works study how to specifically and systematically test security mechanisms. In this talk, we will present two categories of approaches. <br />
The first ones aim at assessing security mechanisms compliance with declared policies. Any security policy is strongly connected to system functionality: testing function includes exercising many security mechanisms. However, testing functionality does not intend at exercizing all security mechanisms. We thus propose test selection criteria to produce tests from a security policy. Empirical results will be presented about access control policies and about Android apps permission checks. <br />
<br />
The second ones concern the attack surface of web apps, with a particular focus on web browser sensitivity to XSS attacks. Indeed, one of the major threats against web applications is Cross-Site Scripting (XSS) that crosses several web components: web server, security components and finally the client’s web browser. The final target is thus the client running a particular web browser. During this last decade, several competing web browsers (IE, Netscape, Chrome, Firefox) have been upgraded to add new features for the final users benefit. However, the improvement of web browsers is not related with systematic security regression testing. Beginning with an analysis of their current exposure degree to XSS, we extend the empirical study to a decade of most popular web browser versions.The results reveal a chaotic behavior in the evolution of most web browsers attack surface over time. This particularly shows an urgent need for regression testing strategies to ensure that security is not sacrificed when a new version is delivered. <br />
<br />
In both cases, security must become a specific target for testing in order to get a satisfying level of confidence in security mechanisms<br />
<br />
====== Yves Le Traon, UdL====== <br />
Yves Le Traon is professor at University of Luxembourg in the domain of software engineering, reliability, validation and security. He is also a member of the Interdisciplinary Centre for Security, Reliability and Trust (SnT), where he leads the research group SERVAL (SEcuRity and VALidation of services and networks). His research interests include software testing, design for security, security testing, model-driven validation, model based testing, web application, mobile computing. <br />
<br />
Professor Le Traon received his engineering degree and his PhD in Computer Science at the “Institut National Polytechnique” in Grenoble, France, in 1997. From 1998 to 2004, he was an associate professor at the University of Rennes, in Brittany, France. He is the co-founder of the Triskell INRIA team, which focuses on innovating design, modeling and testing techniques, such as Model-driven Engineering. During this period, Professor Le Traon studied design for testability techniques, validation and diagnosis of object-oriented programs and component-based systems. From 2004 to 2006, he was an expert in Model-Driven Architecture and Validation in the EXA team (Requirements Engineering and Applications) at “France Télécom R&D”. In 2006, he became professor at Telecom Bretagne (Ecole Nationale des Télécommunications de Bretagne), where he pioneered the application of testing for security assessment of web-applications, P2P systems and the promotion of intrusion detection systems using contract-based techniques.<br />
<br />
<br />
==== CTF ====<br />
<br />
Do you like puzzles? Do you like challenges? Are you a hacker?<br />
<br />
Whether you are an old hacker or new enthusiast you should come to OWASP BeNeLux days 2011 and participate in the Capture the Flag event December 2nd 2011 at the University of Luxemburg. <br />
<br />
The OWASP CTF is especially designed to support challengers of all skill levels. The CTF contains multiple challenges in various fields related to application security. As every challenge gains you one point, you can pick and choose which challenge you want to play.<br />
<br />
All you need is a laptop with a wifi card and your favorite (preferably) non-commercial tools. <br />
<br />
So come to Luxemburg, show off your skills, learn new tricks and above all have a good time at the CTF event. <br />
<br />
==== Registration ====<br />
<center><br />
'''The training day and the conference are free!'''&nbsp;<br />
<br />
<br> <br />
<br />
[http://owaspbenelux2011.eventbrite.com/ http://www.owasp.org/images/7/77/Buttoncreate.png] <br />
<br />
<br> To support the OWASP organisation, consider to become a member, it's only US$50!<br> Check out the [[Membership]] page to find out more.<br> <br />
<br />
<br> <br />
</center> <br />
==== Venue ====<br />
<center><br />
University of Luxembourg<br>Campus Kirchberg<br>6, rue Richard Coudenhove-Kalergi<br>L-1359 Luxembourg<br>[http://wwwen.uni.lu/contact/campus_kirchberg http://wwwen.uni.lu/contact/campus_kirchberg] <br>Room: Paul Feidert<br />
</center><br />
<br />
<br>'''Parking''':<br />
<br />
There is a public parking close to the conference venue.<br />
[http://maps.google.de/maps?q=49.63038,6.157061&num=1&t=h&vpsrc=0&z=16 Click here to find the parking on Google Maps]<br />
<br />
<br>'''Hotels nearby''': <br />
<br />
The first hotel is at 5 minutes on walk distance from the campus Kirchberg: '''[http://www.coque.lu/article/259 Hotel d’Coque]'''<br />
* single room with breakfast 77.50 €<br />
* double room with breakfast 93.00 €. <br />
* Booking email address with Ref. OWASP_SNT 2011 to : [mailto:reception@coque.lu reception@coque.lu]<br />
* Reservation deadline: 20 October 2011<br />
Second hotel (direct center of Luxembourg) 5/10 minutes with taxi or bus: '''[http://www.parcbellevue.lu/fr/index.php Hotel Parc Bellevue]'''<br />
* single room with breakfast 95.00 € (normal price 160 €)<br />
* double room with breakfast 115.00 € (normal price 180€)<br />
* wifi and parking included<br />
* Booking email address: [mailto:reservation@goeres-group.com reservation@goeres-group.com]<br />
* Reservation deadline&nbsp;: 30 November <br />
* Reservation form: [https://www.owasp.org/images/4/44/Uni_Luxembourg_OWASP_2011.doc download form] <br />
Third hotel (near the Parc Bellevue): '''[http://www.parcplaza.lu/fr/index.php Hotel Plaza]'''<br />
* single room with breakfast 130.00 € (normal price 225 €)<br />
* double room with breakfast 150.00 € (normal price 245€)<br />
* wifi and parking included<br />
* Booking email address: [mailto:reservation@goeres-group.com reservation@goeres-group.com]. <br />
* Reservation deadline: 30 November<br />
* Reservation form: [https://www.owasp.org/images/4/44/Uni_Luxembourg_OWASP_2011.doc download form] <br />
Fourth hotel: '''[http://www.melia-luxembourg.com/fr/melia-luxembourg.html Hotel Mélia]'''<br />
* single room with breakfast 140.00 €<br />
* Booking email address: [mailto:reservations.melia.luxembourg@solmelia.com reservations.melia.luxembourg@solmelia.com]<br />
* Reservation deadline: 28 October 2011<br />
* Reservation form: [https://www.owasp.org/images/f/f8/Uni_OWASP_2011_Melia.pdf download form] <br />
<br />
<br><br />
<br />
==== Organisation ====<br />
<br />
The BeNeLux Day 2011 Program Committee: <br />
<br />
*Martin Knobloch / Ferdinand Vroom ([[Netherlands|OWASP Netherlands]]) <br />
*Bart De Win / Sebastien Deleersnyder ([[Belgium|OWASP Belgium]]) <br />
*Jocelyn Aubert / Andre Adelsbach ([[Luxembourg|OWASP Luxembourg]]) <br />
*Steven van der Baan ([[:Category:OWASP CTF Project|Capture The Flag]])<br />
<br />
Local organization:<br />
<br />
*Thomas Engel <br />
*Radu State <br />
*Magali Martin <br />
*Aurel Machalek<br />
<br />
==== Sponsorship ====<br />
<br />
Contact seba &lt;at&gt; owasp.org for sponsorship <br />
<br />
<paypal>BeNeLux OWASP Day 2011</paypal> <br />
<br />
==== Social Event ====<br />
<br />
The social event is scheduled for Thursday, 1st of December, 19:00 at <br />
<br><br />
<br><br />
<center><br />
[http://www.aguadecoco.lu/ Agua De C&ocirc;co]<br><br />
2, rue Emile Mousel<br><br />
L-2165 Luxembourg<br><br />
<br><br />
([http://maps.google.com/maps?q=Rue+Emile+Mousel,+Luxembourg,+Luxemburg&hl=de&ll=49.612031,6.14125&spn=0.003379,0.009677&sll=49.709163,6.115265&sspn=0.003372,0.009677&vpsrc=6&geocode=FQIF9QIdPrVdAA&hnear=Rue+Emile+Mousel,+Luxembourg,+Luxemburg&t=h&z=17 find the location on Google Maps])<br />
<br />
Remark: split bill system - everyone has to cover own food & drinks.<br />
<br />
</center><br />
<br />
==== Promotion ====<br />
''Feel free to use the text below to promote our event!''<br />
<br />
We invite you to our next OWASP event: the '''BeNeLux OWASP Days 2011!'''<br />
<br />
Free your agenda on the 1st and 2nd of December, 2011.<br />
<br />
The good news: free! No fee!<br />
<br />
The bad news: there are only 160 seats available (first register, first serve)!<br />
<br />
<br />
'''PROGRAM Day 1'''<br />
* 10:00 AM - 18:00 PM: OWASP Training Day<br />
* 19:00 PM - ?: Social event<br />
<br />
'''OWASP Training: Secure Application Development''', by Eoin Keary<br><br />
This intensive one-day training focuses on the most common web application security problems, including aspects of both the OWASP Top Ten (2010) and the MITRE Top 25. The training will introduce and demonstrate application assessment techniques, illustrating how application vulnerabilities can be exploited so students really understand how to avoid introducing such vulnerabilities in their code.<br />
<br />
'''PROGRAM Day 2'''<br />
* 10:00 AM - 18:00 PM: OWASP Conference<br />
<br />
List of '''confirmed speakers''' (more to be announced soon):<br />
*Brenno De Winter (Journalist) on the Diginotar story<br />
*Koen Vanderloock (Lead Security Competence Group at Cegeka) on the new OWASP Simba project<br />
*Justin Clarke (Director and Co-Founder of Gotham Digital Science Ltd) on practical crypto attacks against web applications<br />
*Lieven Desmet (Research Manager at University Leuven) on HTML5 security<br />
*Andrey Belenko (Chief Security Researcher at ElcomSoft Co. Ltd) on iOS data protection internals<br />
*Alexandre Dulaunoy (Incident Management - Security Research at CIRCL) on dynamic malware analysis<br />
*Ludovic Petit (Group Fraud & Information Security Adviser at SFR, Vodafone Group) on WebApp Security and legal and regulatory aspects<br />
*Seba Deleersnyder & Eoin Keary (OWASP Board) on OWASP Update<br />
<br />
'''ORGANIZATION<br>'''<br />
OWASP's all-volunteer participants produce free, professional quality, open-source documentation, tools, and standards on application security. An example of this is the famous OWASP top ten of most critical web application security flaws. The OWASP community facilitates conferences, local chapters, articles, and message forums. Participation in OWASP is free and open to all, as are all the materials we produce.<br />
<br />
'''WHO should attend?<br>'''<br />
Anyone interested in Web Application Security (management, security professionals, developers, students, etc). OWASP Belgium, Netherlands and Luxembourg chapters membership is free. All meetings are free. There are never vendor pitches or sales presentations at OWASP meetings.<br><br />
Check our chapter page http://www.owasp.org/index.php/Belgium on meeting details, sign up to the chapter mailing list and introduce yourself.<br><br />
Check our chapter page http://www.owasp.org/index.php/Netherlands on meeting details, sign up to the chapter mailing list and introduce yourself.<br><br />
Check our chapter page http://www.owasp.org/index.php/Luxembourg on meeting details, sign up to the chapter mailing list and introduce yourself.<br><br />
<br />
'''WHEN<br>'''<br />
Thursday and Friday, 1st and 2nd of December, 2011 (10 AM - 7 PM)<br />
<br />
'''WHERE<br>'''<br />
University of Luxembourg<br><br />
Campus Kirchberg<br><br />
6, rue Richard Coudenhove-Kalergi<br><br />
L-1359 Luxembourg<br><br />
http://wwwen.uni.lu/contact/campus_kirchberg<br><br />
Room: Paul Feidert<br />
<br />
Attention: make sure to '''book your hotel in time''', it will be difficult to find rooms in Luxembourg around Dec 1-2!<br><br />
Hotel details https://www.owasp.org/index.php?title=BeNeLux_OWASP_Day_2011#tab=Venue<br />
<br />
'''REGISTRATION<br>'''<br />
Only 160 places, please '''Register upfront: http://owaspbenelux2011.eventbrite.com''' !<br><br />
All latest details are available on http://www.owaspbenelux.eu<br><br />
Hope to see you all!<br><br />
<br />
The BeNeLux Program Committee,<br />
*Martin Knobloch / Ferdinand Vroom, OWASP Netherlands<br />
*Bart De Win / Sebastien Deleersnyder, OWASP Belgium<br />
*Jocelyn Aubert / Andre Adelsbach, OWASP Luxembourg<br />
*Steven van der Baan, OWASP CTF Project<br />
<br />
Kindly supported by the Interdisciplinary Centre for Security Reliability and Trust<br />
*Thomas Engel <br />
*Radu State <br />
*Magali Martin <br />
*Aurel Machalek<br />
<br />
<headertabs /><br />
<br />
<br />
<center><br />
'''Hosted and co-organized by:'''<br> <br />
[[Image:Bnl11-university-logo.jpg|link=http://wwwen.uni.lu]] <br />
[[Image:Bnl11-SECURITYANDTRUST-LOGO.jpg|link=http://www.securityandtrust.lu]] <br />
<br />
<br><br><br><br />
<br />
Made possible by our [http://www.owasp.org/index.php/BeNeLux_OWASP_Day_2011#tab=Sponsorship sponsors]:<br><br />
{{MemberLinks|link=http://www.ascure.com|logo=Ascure_Logo.jpg}} <br />
[http://www.zionsecurity.com http://www.owasp.org/images/e/e6/Zionsecurity.jpg]<br />
[http://www.zenitelbelgium.com http://www.owasp.org/images/d/df/SAIT_Zenitel.jpg]<br />
[http://www8.hp.com/us/en/solutions/solutions-detail.html?compURI=tcm:245-339290 https://www.owasp.org/images/b/b4/HP_Logo.jpg] <br />
[http://www.barracuda.com https://www.owasp.org/images/f/f6/Bnl11-Barracuda_Logo-4C.png] <br />
[http://circl.lu/ http://circl.lu/pics/logo.png]<br />
[http://www.f5.com https://www.owasp.org/images/f/fd/AppSec_Research_2010_sponsor_F5_logo.jpg]<br />
<br />
<br />
<br />
<br><br />
</center><br />
[[Category:OWASP_AppSec_Conference]] [[Category:OWASP_BeNeLux_Archives]]</div>Bart De Winhttps://wiki.owasp.org/index.php?title=BeNeLux_OWASP_Day_2011&diff=120808BeNeLux OWASP Day 20112011-11-27T21:23:24Z<p>Bart De Win: </p>
<hr />
<div>__NOTOC__ <br />
<center>[[Image:OWASP BeNeLux 2011.jpg]]<br></center><br />
<br><!-- Header --><br />
<br />
==== Welcome ====<br />
<br />
<br><br />
<center><br />
=== Venue is the University of Luxembourg (Grand Duchy of Luxembourg) ===<br />
Training and conference location, together with hotel information, can be found [https://www.owasp.org/index.php/BeNeLux_OWASP_Day_2011#tab=Venue here].<br />
=== Training and first list of conference speakers are announced! ===<br />
See [https://www.owasp.org/index.php/BeNeLux_OWASP_Day_2011#tab=Training.2C_December_1st here] and [https://www.owasp.org/index.php/BeNeLux_OWASP_Day_2011#tab=Conference.2C_December_2nd here]<br />
=== Tweet! ===<br />
<br />
Event tag is [http://twitter.com/#search?q=%23owaspbnl11 #owaspbnl11]<br />
<br />
=== Registrations are open: ===<br />
<br />
[http://owaspbenelux2011.eventbrite.com/ http://www.owasp.org/images/7/77/Buttoncreate.png] <br />
<br />
</center><br />
<br><br />
<br />
==== Training, December 1st ====<br />
'''OWASP Training: Secure Application Development, by Eoin Keary'''<br />
<br />
'''Abstract:''' Writing Secure code is the most effective method to securing your web applications. Writing secure code takes skill and know-how but results in a more stable and robust application and assists in protecting an organisations brand.<br />
Application security is not commonly a part of many computer science curricula today and most organizations have not focused on instituting a culture that includes application security as a core part of their software development training efforts. This intensive one-day course focuses on the most common web application security problems, including aspects of both the OWASP Top Ten (2010) and the MITRE Top 25. The course will introduce and demonstrate application assessment techniques, illustrating how application vulnerabilities can be exploited so students really understand how to avoid introducing such vulnerabilities in their code.<br />
<br />
'''This course includes coverage of the following areas:'''<br />
<br />
* Unvalidated Input<br />
* Injection Flaws, OS commanding, SQL Injection<br />
* Cross-Site Scriping & Client-side security<br />
* CSRF/XSRF<br />
* Authentication & Session Management<br />
* Access control & Authorisation<br />
* Broken Caching<br />
* Error Handling & Resource Management<br />
* The Secure SDLC<br />
* Fuzzing, Proxy use and testing approach<br />
<br />
'''Hands on Exercises'''<br />
<br />
To cement the principles discussed, students can participate in a number of hands-on security testing exercises where they attack a live web application (i.e., OWASP Bank etc) that has been seeded with common web application vulnerabilities.<br />
<br />
The students will use proxy tools commonly used by the hacker community to complete the exercises. Students need to bring their own windows based laptop to participate in the exercises. Wireless capability is recommended.<br />
<br />
'''Audience'''<br />
<br />
Developers who want to understand the most common web application security flaws, and how to avoid them and code in a secure manner.<br />
<br />
Level: Beginner/Intermediate<br />
<br />
Prerequisite: Basic knowledge of a web programming language like Java or .NET recommended but not required.<br />
<br />
Bringing your own windows based laptop is recommended so you can participate in the hands on exercises<br />
<br />
'''Trainer Bio:''' <br />
<br />
[[Eoin Keary]] is a Global OWASP board member since 2009. He is a long time member of OWASP and have contributed year on year to OWASP projects and the OWASP mission of fighting the causes of software insecurity. He is based in Dublin, Ireland and director of [http://www.bccriskadvisory.com Bccriskadvisory].<br />
<br />
==== Conference, December 2nd ====<br />
<br />
We are pleased to announce the list of confirmed speakers:<br />
<br />
* Brenno De Winter (Journalist) on the Diginotar story<br />
* Koen Vanderloock (Lead Security Competence Group at Cegeka) on [https://www.owasp.org/index.php/BeNeLux_OWASP_Day_2011#OWASP_SIMBA_-_guarding_your_applications_.28by_Koen_Vanderloock.2C_Leader_Security_Competence_Group_at_Cegeka.29 the new OWASP Simba project]<br />
* Justin Clarke (Director and Co-Founder of Gotham Digital Science Ltd) on [https://www.owasp.org/index.php/BeNeLux_OWASP_Day_2011#Practical_Crypto_Attacks_Against_Web_Applications_.28by_Justin_Clarke.2C_Director_and_Co-Founder_of_Gotham_Digital_Science_Ltd.29 practical crypto attacks against web applications]<br />
* Lieven Desmet (Research Manager at University Leuven) on [https://www.owasp.org/index.php/BeNeLux_OWASP_Day_2011#HTML5_security_.28by_Lieven_Desmet.2C_Research_Manager_at_Katholieke_Universiteit_Leuven.29 HTML5 security]<br />
* Andrey Belenko (Chief Security Researcher at ElcomSoft Co. Ltd) on [https://www.owasp.org/index.php/BeNeLux_OWASP_Day_2011#Overcoming_iOS_Data_Protection_to_Re-Enable_iPhone_Forensics_.28by_Andrey_Belenko.2C_Chief_Security_Researcher_at_ElcomSoft.29 iOS data protection internals]<br />
* Alexandre Dulaunoy (Incident Management - Security Research at CIRCL) on dynamic malware analysis<br />
* Ludovic Petit (Group Fraud & Information Security Adviser at SFR, Vodafone Group) on [https://www.owasp.org/index.php/BeNeLux_OWASP_Day_2011#Do_you..._Legal.3F_.28by_Ludovic_Petit.2C_Group_Fraud_.26_Information_Security_Adviser_at_SFR.2C_Vodafone_Group.29 WebApp Security and legal and regulatory aspects]<br />
*Jean-Marc Bost and Sébastien Bischof (ELCA) on The limits of e-banking<br />
* Yves Le Traon on security testing for web apps (talk will be held on the Training Day)<br />
* Seba Deleersnyder & Eoin Keary (OWASP Board) on OWASP Update<br />
<br />
Stay tuned for the final agenda!<br />
<br />
'''''Agenda''''' '<br />
''(program has slightly changed !)''<br />
<br />
{| class="wikitable"<br />
! Time !! Speaker !! Topic<br />
|-<br />
| 09h30 - 9h40 || OWASP Benelux Organization & Thomas Engel|| Welcome<br />
|-<br />
| 09h40 - 10h00 || Sebastien Deleersnyder & Eion Keary || OWASP update<br />
|-<br />
| 10h00 - 10h40 || Brenno De Winter || The Diginotar story <br />
|-<br />
| 10h40 - 11h00 || ''Break'' ||<br />
|-<br />
| 11h00 - 11h40 || Justin Clarke || Practical Crypto Attacks Against Web Applications <br />
|-<br />
| 11h40 - 12h20 || Andre Belenko || Overcoming iOS Data Protection to Re-Enable iPhone Forensics <br />
|-<br />
| 12h20 - 13h00 || Koen Vanderloock || OWASP SIMBA - guarding your applications <br />
|-<br />
| 13h00 - 14h00 || ''Lunch'' || <br />
|-<br />
| 14h00 - 14h40 || Ludovic Petit || Do you... Legal?<br />
|-<br />
| 14h40 - 15h20 || Thierry Zoller || The rise of the Vulnerability Market<br />
|-<br />
| 15h20 - 16h00 || Jean-Marc Bost & Sébastien Bischof || The limits of e-banking <br />
|-<br />
| 16h00 - 16h20 || ''Break'' || <br />
|-<br />
| 16h20 - 17h00 || Alexandre Delaunoy || Dynamic malware analysis <br />
|-<br />
| 17h00 - 17h40 || Lieven Desmet || HTML5 security<br />
|-<br />
| 17h40 - 18h00 || OWASP Benelux 2011 organization || Closing notes<br />
<br />
|}<br />
<br />
<!-- deze laten staan. is handig om anchors te vinden tijdens edi (seba) __TOC__ --><br />
<br />
=====OWASP SIMBA - guarding your applications (by [https://www.owasp.org/index.php/BeNeLux_OWASP_Day_2011#Koen_Vanderloock.2C_Leader_Security_Competence_Group_at_Cegeka Koen Vanderloock], Leader Security Competence Group at Cegeka)=====<br />
[[OWASP SIMBA Project|SIMBA (Security Integration Module for Business Applications)]] is a OWASP project that provides you with a User Access Management system that can be integrated with any business application. The purpose of SIMBA is to secure an application fast and easy. Because SIMBA itself is generic it can be customized for every project. Many features are customizable e.g. designing your own authentication chain is easy and fast by using existing or newly created building blocks. SIMBA contains authentication, authorization, session management and a GUI to manage your security information.<br />
<br />
======Koen Vanderloock, Leader Security Competence Group at Cegeka======<br />
Koen Vanderloock is the leader of the security competence group at Cegeka. About 2 years ago Cegeka decided to create a sandbox for investigating security issues and solutions so they could be included in the current projects. <br />
Koen Vanderloock is a Java developer with 8 years of experience and started exploring the world of security 3 years ago when UAM problems started to occur.<br />
<br />
=====Practical Crypto Attacks Against Web Applications (by [https://www.owasp.org/index.php/BeNeLux_OWASP_Day_2011#Justin_Clarke.2C_Director_and_Co-Founder_of_Gotham_Digital_Science_Ltd Justin Clarke], Director and Co-Founder of Gotham Digital Science Ltd)=====<br />
The science of cryptography underpins many of the information security technologies we use on a daily basis, such as the ability to keep information confidential and to ensure we can identify who we are communicating with. However, it is a very complex subject area with many types of mistakes that can reduce the overall security of a solution. A number of these types of mistakes can be identified by a tester, if they know what they're looking for, but in general it isn't a well tested area.<br />
<br />
This talk is intended to provide a high level overview of some of the areas where cryptographic operations such as encryption and hashing can provide far less security than was planned, and concrete examples of how these were found and exploited. Examples will include discussion and demonstration of the recently patched cryptographic padding attack against the Microsoft .NET framework (affecting ASP.NET applications) caused by a design error in how ASP.NET handles some types of encrypted data, but we will also be looking at some other fun areas including bit flipping attacks, ECB mode attacks, and some miscellaneous hashing algorithm attacks against common web application implementations.<br />
<br />
======Justin Clarke, Director and Co-Founder of Gotham Digital Science Ltd======<br />
Justin is a Director and Co-Founder of Gotham Digital Science and an experienced software security consultant with extensive international Big 4 risk management, security consulting and testing experience. He is the lead author/technical editor of "SQL Injection Attacks and Defenses" (Syngress 2009), co-author of "Network Security Tools" (O'Reilly 2005), contributor to "Network Security Assessment, 2nd Edition" (O'Reilly 2007), as well as a speaker at various security conferences and events such as Black Hat, EuSecWest, ISACA, BruCON, OWASP, OSCON, RSA and SANS. He is currently the OWASP London chapter president, and a member of the OWASP Global Connections Committee.<br />
On 10 Oct 2011, at 09:33, Seba wrote:<br />
<br />
=====HTML5 security (by [https://www.owasp.org/index.php/BeNeLux_OWASP_Day_2011#Lieven_Desmet.2C_Research_Manager_at_Katholieke_Universiteit_Leuven Lieven Desmet], Research Manager at Katholieke Universiteit Leuven)=====<br />
In this talk, Lieven will highlight the results of the HTML5 security analysis, conducted by the DistriNet Research Group (K.U.Leuven). The security analysis of next generation web standards, commissioned by ENISA, looked into 13 emerging W3C web standards (i.e. the specification of HTML 5 and some of the associated APIs), and assessed the security of each of them as well as the overall security and consistency across specifications.<br />
<br />
In total 51 security threats and issues have been identified, and detailed in the ENISA report (http://www.enisa.europa.eu/html5). During the talk, Lieven will discuss the methodology developed to assess the huge amount of specifications, and zoom into a representative set of identified threats and their remediation.<br />
<br />
======Lieven Desmet, Research Manager at Katholieke Universiteit Leuven======<br />
Lieven Desmet is the Research Manager on Secure Software at the Katholieke Universiteit Leuven (Belgium), where he coaches junior researchers in web application security and participates in dissemination and valorization activities. His interests are in software verification and security of middleware and web-enabled technologies. Lieven is actively engaged in OWASP and is board member of the OWASP Chapter Belgium.<br />
<br />
=====Overcoming iOS Data Protection to Re-Enable iPhone Forensics (by [https://www.owasp.org/index.php/BeNeLux_OWASP_Day_2011#Andrey_Belenko.2C_Chief_Security_Researcher_at_ElcomSoft Andrey Belenko], Chief Security Researcher at ElcomSoft)=====<br />
Data protection is a feature available for iOS devices (iOS 4 and up) with hardware encryption: iPhone 4S, iPhone 4, iPhone 3GS, iPod touch (3rd generation or later), and all iPad models. Introduction of this feature had complicated iPhone forensics process because now (almost) all files on user partition are encrypted and physical dumps are of much less value to examiners: while the filesystem seems to be intact, actual file contents are encrypted and are not suitable for analysis.<br />
<br />
This talk will provide in-depth information about iOS Data protection internals and on the implication it had on iOS forensics. More specifically, it will cover the following:<br />
*System keys and their hierarchy<br />
*Device passcode and its recovery<br />
*Escrow keys<br />
*Filesystem encryption<br />
*Keychain encryption<br />
<br />
Presentation will start by providing attendees with required background on iOS encryption keys architecture: system keys, passcode key, escrow key. After attendees are familiar with those concepts, presentation will continue to filesystem and keychain encryption details and to the techniques that can be used to overcome the hurdles imposed by iOS Data Protection.<br />
<br />
======Andrey Belenko, Chief Security Researcher at ElcomSoft======<br />
Chief security researcher and software developer at Elcomsoft. Co-invented ThunderTables (which are improved RainbowTables) and was first to bring GPU acceleration to password recovery. M. Sc. IT and CISSP.<br />
<br />
LinkedIn: http://ru.linkedin.com/in/belenko<br />
<br />
Twitter: @andreybelenko<br />
<br />
=====Do you... Legal? (by [https://www.owasp.org/index.php/BeNeLux_OWASP_Day_2011#Ludovic_Petit.2C_Group_Fraud_.26_Information_Security_Adviser_at_SFR.2C_Vodafone_Group Ludovic Petit], Group Fraud & Information Security Adviser at SFR, Vodafone Group) =====<br />
<br />
The OWASP core mission is to make application security visible, so that people and organizations can make informed decisions about true application security risks. However, if you do not pay enough attention to many aspects of Legal compliance, you'll see why Web Application Security is somehow linked to Legal and Regulatory aspects as well as... Corporate Responsability, so yours. Who is accountable for what, what about each other's responsibility? Nowadays, the legal constraints oblige us to comply via technical means, whatever the local framework, and this is specially true for Web Application Security, many sensitive informations having to be handled through these web interfaces. A such, what do you think about your Security Policy compliance with your local Legal framework? Compliant? Sure? Really? Interesting isn't it? Let's have a talk about this.<br />
<br />
======Ludovic Petit, Group Fraud & Information Security Adviser at SFR, Vodafone Group======<br />
Ludovic is an internationally recognised information security expert with over 25 years experience. Last 15 years spent in various Corporate Management positions covering both Technical and Law Enforcement expertise dedicated to Mobile Telecommunications Fraud and Security in multi-national corporations.<br />
<br />
Ludovic is Chapter Leader & Founding Member OWASP France and an active contributor to OWASP in several roles and projects.<br />
<br />
LinkedIn Profile: http://www.linkedin.com/in/lpetit<br />
<br />
=====Dynamic Malware Analysis or How to Play in the House of Horrors (by Alexandre Dulaunoy, Incident Management - Security Research at CIRCL) =====<br />
Malware reversing is a time consuming task. Many approaches are available to dissect and analyse suspicious binaries. Dynamic malware analysis is one of the option to better understand them and also a nifty companion to static analysis. The current dynamic malware analysis techniques will be presented especially the ones relying on instrumented operating system systems (from the filesystem to the network stack). You'll see a wandering through common and less common malware partially analysed using dynamic analysis and how dynamic malware analysis can help you.<br />
<br />
===== The limits of e-banking (by Jean-Marc Bost and Sébastien Bischof, ECLA) =====<br />
The swiss german TV channel SF1 showed a footage on swiss e-banking security. The TV show follows a team of the ETH who earned a special authorization to test several e-anking platforms. After admitting that a personal computer can be infected by different means (actually 5% of the tested PCs are infected according to Microsoft), The team from Zürich showed the limits of the different platforms. Only the bank who signs each transaction is labelled as safe. We will come back during the presentation on the nature of the threat.<br>First of all, we will explain how famous malwares such as Zeus and SpyEye manage to steal from their victims without them being able to notice anything. Then we will see that e-banking is not the only target, as a matter of fact, the reality is far from this.<br>And then we will comment the most recent techniques that allow malwares to escape Antivirus and Antimalware programs even if they are up to date. We will vulgarize several concepts such as DKOM and bootkits in order to let everybody have a glimpse on the danger they represent.<br>Finally, we will think about if signing each transaction can efficiently fight off these threats. In fact, when attacks are coupled with Social Engineering, they have potentially no limit. Zeus is a living proof of this fact, because it even managed to attack the transaction validation system by SMS. As a conclusion, we will see that the e-banking platform that managed to resist the tests of the ETH team is vulnerable to such kind of attacks. <br />
<br />
====== Jean-Marc Bost, ELCA ======<br />
Jean-Marc Bost leads the security division at ELCA. <br>He is in charge of the various security solutions proposed by ELCA, some being released by ELCA, others being provided by partner vendors. <br>With a significant experience in the development of internet applications, he focused 10 years ago on their need for security. <br>Since then, he has been very active in&nbsp;:<br>- demonstrating the threats, in particular for ebanking<br>- conceiving practical and patented solutions for strong authentication, online transactions, electronic signature and secured documents<br>- presenting the findings of the security division in security events and through expert talks<br> <br />
<br />
====== Sébastien Bischof, ELCA ======<br />
Sébastien Bischof works in the security division at ELCA Where he is specialized in OS-level and communication security.<br>As a major result, he developped a fully-working proof-of-concept of an attack against a sophisticated USB token for safe-browsing.<br>He obtained his Master of Science in Engineering at HEIG-VD/HES-SO with a strong emphasis on IT Security.<br>During his education, he focused on obfuscation and rootkit techniques.<br>Computer security enthusiast, he is very interested in hackings events such as Insomni'hack and keeps himself informed on the latest threats throuhg active participation in security forums.<br />
<br />
===== Security testing: a key challenge for software engineering of web apps (by Yves Le Traon, UdL)===== <br />
While important efforts are dedicated to system functional testing, very few works study how to specifically and systematically test security mechanisms. In this talk, we will present two categories of approaches. <br />
The first ones aim at assessing security mechanisms compliance with declared policies. Any security policy is strongly connected to system functionality: testing function includes exercising many security mechanisms. However, testing functionality does not intend at exercizing all security mechanisms. We thus propose test selection criteria to produce tests from a security policy. Empirical results will be presented about access control policies and about Android apps permission checks. <br />
<br />
The second ones concern the attack surface of web apps, with a particular focus on web browser sensitivity to XSS attacks. Indeed, one of the major threats against web applications is Cross-Site Scripting (XSS) that crosses several web components: web server, security components and finally the client’s web browser. The final target is thus the client running a particular web browser. During this last decade, several competing web browsers (IE, Netscape, Chrome, Firefox) have been upgraded to add new features for the final users benefit. However, the improvement of web browsers is not related with systematic security regression testing. Beginning with an analysis of their current exposure degree to XSS, we extend the empirical study to a decade of most popular web browser versions.The results reveal a chaotic behavior in the evolution of most web browsers attack surface over time. This particularly shows an urgent need for regression testing strategies to ensure that security is not sacrificed when a new version is delivered. <br />
<br />
In both cases, security must become a specific target for testing in order to get a satisfying level of confidence in security mechanisms<br />
<br />
====== Yves Le Traon, UdL====== <br />
Yves Le Traon is professor at University of Luxembourg in the domain of software engineering, reliability, validation and security. He is also a member of the Interdisciplinary Centre for Security, Reliability and Trust (SnT), where he leads the research group SERVAL (SEcuRity and VALidation of services and networks). His research interests include software testing, design for security, security testing, model-driven validation, model based testing, web application, mobile computing. <br />
<br />
Professor Le Traon received his engineering degree and his PhD in Computer Science at the “Institut National Polytechnique” in Grenoble, France, in 1997. From 1998 to 2004, he was an associate professor at the University of Rennes, in Brittany, France. He is the co-founder of the Triskell INRIA team, which focuses on innovating design, modeling and testing techniques, such as Model-driven Engineering. During this period, Professor Le Traon studied design for testability techniques, validation and diagnosis of object-oriented programs and component-based systems. From 2004 to 2006, he was an expert in Model-Driven Architecture and Validation in the EXA team (Requirements Engineering and Applications) at “France Télécom R&D”. In 2006, he became professor at Telecom Bretagne (Ecole Nationale des Télécommunications de Bretagne), where he pioneered the application of testing for security assessment of web-applications, P2P systems and the promotion of intrusion detection systems using contract-based techniques.<br />
<br />
<br />
==== CTF ====<br />
<br />
Do you like puzzles? Do you like challenges? Are you a hacker?<br />
<br />
Whether you are an old hacker or new enthusiast you should come to OWASP BeNeLux days 2011 and participate in the Capture the Flag event December 2nd 2011 at the University of Luxemburg. <br />
<br />
The OWASP CTF is especially designed to support challengers of all skill levels. The CTF contains multiple challenges in various fields related to application security. As every challenge gains you one point, you can pick and choose which challenge you want to play.<br />
<br />
All you need is a laptop with a wifi card and your favorite (preferably) non-commercial tools. <br />
<br />
So come to Luxemburg, show off your skills, learn new tricks and above all have a good time at the CTF event. <br />
<br />
==== Registration ====<br />
<center><br />
'''The training day and the conference are free!'''&nbsp;<br />
<br />
<br> <br />
<br />
[http://owaspbenelux2011.eventbrite.com/ http://www.owasp.org/images/7/77/Buttoncreate.png] <br />
<br />
<br> To support the OWASP organisation, consider to become a member, it's only US$50!<br> Check out the [[Membership]] page to find out more.<br> <br />
<br />
<br> <br />
</center> <br />
==== Venue ====<br />
<center><br />
University of Luxembourg<br>Campus Kirchberg<br>6, rue Richard Coudenhove-Kalergi<br>L-1359 Luxembourg<br>[http://wwwen.uni.lu/contact/campus_kirchberg http://wwwen.uni.lu/contact/campus_kirchberg] <br>Room: Paul Feidert<br />
</center><br />
<br />
<br>'''Parking''':<br />
<br />
There is a public parking close to the conference venue.<br />
[http://maps.google.de/maps?q=49.63038,6.157061&num=1&t=h&vpsrc=0&z=16 Click here to find the parking on Google Maps]<br />
<br />
<br>'''Hotels nearby''': <br />
<br />
The first hotel is at 5 minutes on walk distance from the campus Kirchberg: '''[http://www.coque.lu/article/259 Hotel d’Coque]'''<br />
* single room with breakfast 77.50 €<br />
* double room with breakfast 93.00 €. <br />
* Booking email address with Ref. OWASP_SNT 2011 to : [mailto:reception@coque.lu reception@coque.lu]<br />
* Reservation deadline: 20 October 2011<br />
Second hotel (direct center of Luxembourg) 5/10 minutes with taxi or bus: '''[http://www.parcbellevue.lu/fr/index.php Hotel Parc Bellevue]'''<br />
* single room with breakfast 95.00 € (normal price 160 €)<br />
* double room with breakfast 115.00 € (normal price 180€)<br />
* wifi and parking included<br />
* Booking email address: [mailto:reservation@goeres-group.com reservation@goeres-group.com]<br />
* Reservation deadline&nbsp;: 30 November <br />
* Reservation form: [https://www.owasp.org/images/4/44/Uni_Luxembourg_OWASP_2011.doc download form] <br />
Third hotel (near the Parc Bellevue): '''[http://www.parcplaza.lu/fr/index.php Hotel Plaza]'''<br />
* single room with breakfast 130.00 € (normal price 225 €)<br />
* double room with breakfast 150.00 € (normal price 245€)<br />
* wifi and parking included<br />
* Booking email address: [mailto:reservation@goeres-group.com reservation@goeres-group.com]. <br />
* Reservation deadline: 30 November<br />
* Reservation form: [https://www.owasp.org/images/4/44/Uni_Luxembourg_OWASP_2011.doc download form] <br />
Fourth hotel: '''[http://www.melia-luxembourg.com/fr/melia-luxembourg.html Hotel Mélia]'''<br />
* single room with breakfast 140.00 €<br />
* Booking email address: [mailto:reservations.melia.luxembourg@solmelia.com reservations.melia.luxembourg@solmelia.com]<br />
* Reservation deadline: 28 October 2011<br />
* Reservation form: [https://www.owasp.org/images/f/f8/Uni_OWASP_2011_Melia.pdf download form] <br />
<br />
<br><br />
<br />
==== Organisation ====<br />
<br />
The BeNeLux Day 2011 Program Committee: <br />
<br />
*Martin Knobloch / Ferdinand Vroom ([[Netherlands|OWASP Netherlands]]) <br />
*Bart De Win / Sebastien Deleersnyder ([[Belgium|OWASP Belgium]]) <br />
*Jocelyn Aubert / Andre Adelsbach ([[Luxembourg|OWASP Luxembourg]]) <br />
*Steven van der Baan ([[:Category:OWASP CTF Project|Capture The Flag]])<br />
<br />
Local organization:<br />
<br />
*Thomas Engel <br />
*Radu State <br />
*Magali Martin <br />
*Aurel Machalek<br />
<br />
==== Sponsorship ====<br />
<br />
Contact seba &lt;at&gt; owasp.org for sponsorship <br />
<br />
<paypal>BeNeLux OWASP Day 2011</paypal> <br />
<br />
==== Social Event ====<br />
<br />
The social event is scheduled for Thursday, 1st of December, 19:00 at <br />
<br><br />
<br><br />
<center><br />
[http://www.aguadecoco.lu/ Agua De C&ocirc;co]<br><br />
2, rue Emile Mousel<br><br />
L-2165 Luxembourg<br><br />
<br><br />
([http://maps.google.com/maps?q=Rue+Emile+Mousel,+Luxembourg,+Luxemburg&hl=de&ll=49.612031,6.14125&spn=0.003379,0.009677&sll=49.709163,6.115265&sspn=0.003372,0.009677&vpsrc=6&geocode=FQIF9QIdPrVdAA&hnear=Rue+Emile+Mousel,+Luxembourg,+Luxemburg&t=h&z=17 find the location on Google Maps])<br />
<br />
Remark: split bill system - everyone has to cover own food & drinks.<br />
<br />
</center><br />
<br />
==== Promotion ====<br />
''Feel free to use the text below to promote our event!''<br />
<br />
We invite you to our next OWASP event: the '''BeNeLux OWASP Days 2011!'''<br />
<br />
Free your agenda on the 1st and 2nd of December, 2011.<br />
<br />
The good news: free! No fee!<br />
<br />
The bad news: there are only 160 seats available (first register, first serve)!<br />
<br />
<br />
'''PROGRAM Day 1'''<br />
* 10:00 AM - 18:00 PM: OWASP Training Day<br />
* 19:00 PM - ?: Social event<br />
<br />
'''OWASP Training: Secure Application Development''', by Eoin Keary<br><br />
This intensive one-day training focuses on the most common web application security problems, including aspects of both the OWASP Top Ten (2010) and the MITRE Top 25. The training will introduce and demonstrate application assessment techniques, illustrating how application vulnerabilities can be exploited so students really understand how to avoid introducing such vulnerabilities in their code.<br />
<br />
'''PROGRAM Day 2'''<br />
* 10:00 AM - 18:00 PM: OWASP Conference<br />
<br />
List of '''confirmed speakers''' (more to be announced soon):<br />
*Brenno De Winter (Journalist) on the Diginotar story<br />
*Koen Vanderloock (Lead Security Competence Group at Cegeka) on the new OWASP Simba project<br />
*Justin Clarke (Director and Co-Founder of Gotham Digital Science Ltd) on practical crypto attacks against web applications<br />
*Lieven Desmet (Research Manager at University Leuven) on HTML5 security<br />
*Andrey Belenko (Chief Security Researcher at ElcomSoft Co. Ltd) on iOS data protection internals<br />
*Alexandre Dulaunoy (Incident Management - Security Research at CIRCL) on dynamic malware analysis<br />
*Ludovic Petit (Group Fraud & Information Security Adviser at SFR, Vodafone Group) on WebApp Security and legal and regulatory aspects<br />
*Seba Deleersnyder & Eoin Keary (OWASP Board) on OWASP Update<br />
<br />
'''ORGANIZATION<br>'''<br />
OWASP's all-volunteer participants produce free, professional quality, open-source documentation, tools, and standards on application security. An example of this is the famous OWASP top ten of most critical web application security flaws. The OWASP community facilitates conferences, local chapters, articles, and message forums. Participation in OWASP is free and open to all, as are all the materials we produce.<br />
<br />
'''WHO should attend?<br>'''<br />
Anyone interested in Web Application Security (management, security professionals, developers, students, etc). OWASP Belgium, Netherlands and Luxembourg chapters membership is free. All meetings are free. There are never vendor pitches or sales presentations at OWASP meetings.<br><br />
Check our chapter page http://www.owasp.org/index.php/Belgium on meeting details, sign up to the chapter mailing list and introduce yourself.<br><br />
Check our chapter page http://www.owasp.org/index.php/Netherlands on meeting details, sign up to the chapter mailing list and introduce yourself.<br><br />
Check our chapter page http://www.owasp.org/index.php/Luxembourg on meeting details, sign up to the chapter mailing list and introduce yourself.<br><br />
<br />
'''WHEN<br>'''<br />
Thursday and Friday, 1st and 2nd of December, 2011 (10 AM - 7 PM)<br />
<br />
'''WHERE<br>'''<br />
University of Luxembourg<br><br />
Campus Kirchberg<br><br />
6, rue Richard Coudenhove-Kalergi<br><br />
L-1359 Luxembourg<br><br />
http://wwwen.uni.lu/contact/campus_kirchberg<br><br />
Room: Paul Feidert<br />
<br />
Attention: make sure to '''book your hotel in time''', it will be difficult to find rooms in Luxembourg around Dec 1-2!<br><br />
Hotel details https://www.owasp.org/index.php?title=BeNeLux_OWASP_Day_2011#tab=Venue<br />
<br />
'''REGISTRATION<br>'''<br />
Only 160 places, please '''Register upfront: http://owaspbenelux2011.eventbrite.com''' !<br><br />
All latest details are available on http://www.owaspbenelux.eu<br><br />
Hope to see you all!<br><br />
<br />
The BeNeLux Program Committee,<br />
*Martin Knobloch / Ferdinand Vroom, OWASP Netherlands<br />
*Bart De Win / Sebastien Deleersnyder, OWASP Belgium<br />
*Jocelyn Aubert / Andre Adelsbach, OWASP Luxembourg<br />
*Steven van der Baan, OWASP CTF Project<br />
<br />
Kindly supported by the Interdisciplinary Centre for Security Reliability and Trust<br />
*Thomas Engel <br />
*Radu State <br />
*Magali Martin <br />
*Aurel Machalek<br />
<br />
<headertabs /><br />
<br />
<br />
<center><br />
'''Hosted and co-organized by:'''<br> <br />
[[Image:Bnl11-university-logo.jpg|link=http://wwwen.uni.lu]] <br />
[[Image:Bnl11-SECURITYANDTRUST-LOGO.jpg|link=http://www.securityandtrust.lu]] <br />
<br />
<br><br><br><br />
<br />
Made possible by our [http://www.owasp.org/index.php/BeNeLux_OWASP_Day_2011#tab=Sponsorship sponsors]:<br><br />
{{MemberLinks|link=http://www.ascure.com|logo=Ascure_Logo.jpg}} <br />
[http://www.zionsecurity.com http://www.owasp.org/images/e/e6/Zionsecurity.jpg]<br />
[http://www.zenitelbelgium.com http://www.owasp.org/images/d/df/SAIT_Zenitel.jpg]<br />
[http://www8.hp.com/us/en/solutions/solutions-detail.html?compURI=tcm:245-339290 https://www.owasp.org/images/b/b4/HP_Logo.jpg] <br />
[http://www.barracuda.com https://www.owasp.org/images/f/f6/Bnl11-Barracuda_Logo-4C.png] <br />
[http://circl.lu/ http://circl.lu/pics/logo.png]<br />
[http://www.f5.com https://www.owasp.org/images/f/fd/AppSec_Research_2010_sponsor_F5_logo.jpg]<br />
<br />
<br />
<br />
<br><br />
</center><br />
[[Category:OWASP_AppSec_Conference]] [[Category:OWASP_BeNeLux_Archives]]</div>Bart De Winhttps://wiki.owasp.org/index.php?title=BeNeLux_OWASP_Day_2011&diff=120807BeNeLux OWASP Day 20112011-11-27T21:22:26Z<p>Bart De Win: </p>
<hr />
<div>__NOTOC__ <br />
<center>[[Image:OWASP BeNeLux 2011.jpg]]<br></center><br />
<br><!-- Header --><br />
<br />
==== Welcome ====<br />
<br />
<br><br />
<center><br />
=== Venue is the University of Luxembourg (Grand Duchy of Luxembourg) ===<br />
Training and conference location, together with hotel information, can be found [https://www.owasp.org/index.php/BeNeLux_OWASP_Day_2011#tab=Venue here].<br />
=== Training and first list of conference speakers are announced! ===<br />
See [https://www.owasp.org/index.php/BeNeLux_OWASP_Day_2011#tab=Training.2C_December_1st here] and [https://www.owasp.org/index.php/BeNeLux_OWASP_Day_2011#tab=Conference.2C_December_2nd here]<br />
=== Tweet! ===<br />
<br />
Event tag is [http://twitter.com/#search?q=%23owaspbnl11 #owaspbnl11]<br />
<br />
=== Registrations are open: ===<br />
<br />
[http://owaspbenelux2011.eventbrite.com/ http://www.owasp.org/images/7/77/Buttoncreate.png] <br />
<br />
</center><br />
<br><br />
<br />
==== Training, December 1st ====<br />
'''OWASP Training: Secure Application Development, by Eoin Keary'''<br />
<br />
'''Abstract:''' Writing Secure code is the most effective method to securing your web applications. Writing secure code takes skill and know-how but results in a more stable and robust application and assists in protecting an organisations brand.<br />
Application security is not commonly a part of many computer science curricula today and most organizations have not focused on instituting a culture that includes application security as a core part of their software development training efforts. This intensive one-day course focuses on the most common web application security problems, including aspects of both the OWASP Top Ten (2010) and the MITRE Top 25. The course will introduce and demonstrate application assessment techniques, illustrating how application vulnerabilities can be exploited so students really understand how to avoid introducing such vulnerabilities in their code.<br />
<br />
'''This course includes coverage of the following areas:'''<br />
<br />
* Unvalidated Input<br />
* Injection Flaws, OS commanding, SQL Injection<br />
* Cross-Site Scriping & Client-side security<br />
* CSRF/XSRF<br />
* Authentication & Session Management<br />
* Access control & Authorisation<br />
* Broken Caching<br />
* Error Handling & Resource Management<br />
* The Secure SDLC<br />
* Fuzzing, Proxy use and testing approach<br />
<br />
'''Hands on Exercises'''<br />
<br />
To cement the principles discussed, students can participate in a number of hands-on security testing exercises where they attack a live web application (i.e., OWASP Bank etc) that has been seeded with common web application vulnerabilities.<br />
<br />
The students will use proxy tools commonly used by the hacker community to complete the exercises. Students need to bring their own windows based laptop to participate in the exercises. Wireless capability is recommended.<br />
<br />
'''Audience'''<br />
<br />
Developers who want to understand the most common web application security flaws, and how to avoid them and code in a secure manner.<br />
<br />
Level: Beginner/Intermediate<br />
<br />
Prerequisite: Basic knowledge of a web programming language like Java or .NET recommended but not required.<br />
<br />
Bringing your own windows based laptop is recommended so you can participate in the hands on exercises<br />
<br />
'''Trainer Bio:''' <br />
<br />
[[Eoin Keary]] is a Global OWASP board member since 2009. He is a long time member of OWASP and have contributed year on year to OWASP projects and the OWASP mission of fighting the causes of software insecurity. He is based in Dublin, Ireland and director of [http://www.bccriskadvisory.com Bccriskadvisory].<br />
<br />
==== Conference, December 2nd ====<br />
<br />
We are pleased to announce the list of confirmed speakers:<br />
<br />
* Brenno De Winter (Journalist) on the Diginotar story<br />
* Koen Vanderloock (Lead Security Competence Group at Cegeka) on [https://www.owasp.org/index.php/BeNeLux_OWASP_Day_2011#OWASP_SIMBA_-_guarding_your_applications_.28by_Koen_Vanderloock.2C_Leader_Security_Competence_Group_at_Cegeka.29 the new OWASP Simba project]<br />
* Justin Clarke (Director and Co-Founder of Gotham Digital Science Ltd) on [https://www.owasp.org/index.php/BeNeLux_OWASP_Day_2011#Practical_Crypto_Attacks_Against_Web_Applications_.28by_Justin_Clarke.2C_Director_and_Co-Founder_of_Gotham_Digital_Science_Ltd.29 practical crypto attacks against web applications]<br />
* Lieven Desmet (Research Manager at University Leuven) on [https://www.owasp.org/index.php/BeNeLux_OWASP_Day_2011#HTML5_security_.28by_Lieven_Desmet.2C_Research_Manager_at_Katholieke_Universiteit_Leuven.29 HTML5 security]<br />
* Andrey Belenko (Chief Security Researcher at ElcomSoft Co. Ltd) on [https://www.owasp.org/index.php/BeNeLux_OWASP_Day_2011#Overcoming_iOS_Data_Protection_to_Re-Enable_iPhone_Forensics_.28by_Andrey_Belenko.2C_Chief_Security_Researcher_at_ElcomSoft.29 iOS data protection internals]<br />
* Alexandre Dulaunoy (Incident Management - Security Research at CIRCL) on dynamic malware analysis<br />
* Ludovic Petit (Group Fraud & Information Security Adviser at SFR, Vodafone Group) on [https://www.owasp.org/index.php/BeNeLux_OWASP_Day_2011#Do_you..._Legal.3F_.28by_Ludovic_Petit.2C_Group_Fraud_.26_Information_Security_Adviser_at_SFR.2C_Vodafone_Group.29 WebApp Security and legal and regulatory aspects]<br />
*Jean-Marc Bost and Sébastien Bischof (ELCA) on The limits of e-banking<br />
* Yves Le Traon on security testing for web apps (talk will be held on the Training Day)<br />
* Seba Deleersnyder & Eoin Keary (OWASP Board) on OWASP Update<br />
<br />
Stay tuned for the final agenda!<br />
<br />
'''''Agenda''''' '<br />
''(program has slightly changed !)''<br />
<br />
{| class="wikitable"<br />
! Time !! Speaker !! Topic<br />
|-<br />
| 09h30 - 9h40 || OWASP Benelux Organization || Welcome<br />
|-<br />
| || Thomas Engel || SNT Welcome<br />
|-<br />
| 09h40 - 10h00 || Sebastien Deleersnyder & Eion Keary || OWASP update<br />
|-<br />
| 10h00 - 10h40 || Brenno De Winter || The Diginotar story <br />
|-<br />
| 10h40 - 11h00 || ''Break'' ||<br />
|-<br />
| 11h00 - 11h40 || Justin Clarke || Practical Crypto Attacks Against Web Applications <br />
|-<br />
| 11h40 - 12h20 || Andre Belenko || Overcoming iOS Data Protection to Re-Enable iPhone Forensics <br />
|-<br />
| 12h20 - 13h00 || Koen Vanderloock || OWASP SIMBA - guarding your applications <br />
|-<br />
| 13h00 - 14h00 || ''Lunch'' || <br />
|-<br />
| 14h00 - 14h40 || Ludovic Petit || Do you... Legal?<br />
|-<br />
| 14h40 - 15h20 || Thierry Zoller || The rise of the Vulnerability Market<br />
|-<br />
| 15h20 - 16h00 || Jean-Marc Bost & Sébastien Bischof || The limits of e-banking <br />
|-<br />
| 16h00 - 16h20 || ''Break'' || <br />
|-<br />
| 16h20 - 17h00 || Alexandre Delaunoy || Dynamic malware analysis <br />
|-<br />
| 17h00 - 17h40 || Lieven Desmet || HTML5 security<br />
|-<br />
| 17h40 - 18h00 || OWASP Benelux 2011 organization || Closing notes<br />
<br />
|}<br />
<br />
<!-- deze laten staan. is handig om anchors te vinden tijdens edi (seba) __TOC__ --><br />
<br />
=====OWASP SIMBA - guarding your applications (by [https://www.owasp.org/index.php/BeNeLux_OWASP_Day_2011#Koen_Vanderloock.2C_Leader_Security_Competence_Group_at_Cegeka Koen Vanderloock], Leader Security Competence Group at Cegeka)=====<br />
[[OWASP SIMBA Project|SIMBA (Security Integration Module for Business Applications)]] is a OWASP project that provides you with a User Access Management system that can be integrated with any business application. The purpose of SIMBA is to secure an application fast and easy. Because SIMBA itself is generic it can be customized for every project. Many features are customizable e.g. designing your own authentication chain is easy and fast by using existing or newly created building blocks. SIMBA contains authentication, authorization, session management and a GUI to manage your security information.<br />
<br />
======Koen Vanderloock, Leader Security Competence Group at Cegeka======<br />
Koen Vanderloock is the leader of the security competence group at Cegeka. About 2 years ago Cegeka decided to create a sandbox for investigating security issues and solutions so they could be included in the current projects. <br />
Koen Vanderloock is a Java developer with 8 years of experience and started exploring the world of security 3 years ago when UAM problems started to occur.<br />
<br />
=====Practical Crypto Attacks Against Web Applications (by [https://www.owasp.org/index.php/BeNeLux_OWASP_Day_2011#Justin_Clarke.2C_Director_and_Co-Founder_of_Gotham_Digital_Science_Ltd Justin Clarke], Director and Co-Founder of Gotham Digital Science Ltd)=====<br />
The science of cryptography underpins many of the information security technologies we use on a daily basis, such as the ability to keep information confidential and to ensure we can identify who we are communicating with. However, it is a very complex subject area with many types of mistakes that can reduce the overall security of a solution. A number of these types of mistakes can be identified by a tester, if they know what they're looking for, but in general it isn't a well tested area.<br />
<br />
This talk is intended to provide a high level overview of some of the areas where cryptographic operations such as encryption and hashing can provide far less security than was planned, and concrete examples of how these were found and exploited. Examples will include discussion and demonstration of the recently patched cryptographic padding attack against the Microsoft .NET framework (affecting ASP.NET applications) caused by a design error in how ASP.NET handles some types of encrypted data, but we will also be looking at some other fun areas including bit flipping attacks, ECB mode attacks, and some miscellaneous hashing algorithm attacks against common web application implementations.<br />
<br />
======Justin Clarke, Director and Co-Founder of Gotham Digital Science Ltd======<br />
Justin is a Director and Co-Founder of Gotham Digital Science and an experienced software security consultant with extensive international Big 4 risk management, security consulting and testing experience. He is the lead author/technical editor of "SQL Injection Attacks and Defenses" (Syngress 2009), co-author of "Network Security Tools" (O'Reilly 2005), contributor to "Network Security Assessment, 2nd Edition" (O'Reilly 2007), as well as a speaker at various security conferences and events such as Black Hat, EuSecWest, ISACA, BruCON, OWASP, OSCON, RSA and SANS. He is currently the OWASP London chapter president, and a member of the OWASP Global Connections Committee.<br />
On 10 Oct 2011, at 09:33, Seba wrote:<br />
<br />
=====HTML5 security (by [https://www.owasp.org/index.php/BeNeLux_OWASP_Day_2011#Lieven_Desmet.2C_Research_Manager_at_Katholieke_Universiteit_Leuven Lieven Desmet], Research Manager at Katholieke Universiteit Leuven)=====<br />
In this talk, Lieven will highlight the results of the HTML5 security analysis, conducted by the DistriNet Research Group (K.U.Leuven). The security analysis of next generation web standards, commissioned by ENISA, looked into 13 emerging W3C web standards (i.e. the specification of HTML 5 and some of the associated APIs), and assessed the security of each of them as well as the overall security and consistency across specifications.<br />
<br />
In total 51 security threats and issues have been identified, and detailed in the ENISA report (http://www.enisa.europa.eu/html5). During the talk, Lieven will discuss the methodology developed to assess the huge amount of specifications, and zoom into a representative set of identified threats and their remediation.<br />
<br />
======Lieven Desmet, Research Manager at Katholieke Universiteit Leuven======<br />
Lieven Desmet is the Research Manager on Secure Software at the Katholieke Universiteit Leuven (Belgium), where he coaches junior researchers in web application security and participates in dissemination and valorization activities. His interests are in software verification and security of middleware and web-enabled technologies. Lieven is actively engaged in OWASP and is board member of the OWASP Chapter Belgium.<br />
<br />
=====Overcoming iOS Data Protection to Re-Enable iPhone Forensics (by [https://www.owasp.org/index.php/BeNeLux_OWASP_Day_2011#Andrey_Belenko.2C_Chief_Security_Researcher_at_ElcomSoft Andrey Belenko], Chief Security Researcher at ElcomSoft)=====<br />
Data protection is a feature available for iOS devices (iOS 4 and up) with hardware encryption: iPhone 4S, iPhone 4, iPhone 3GS, iPod touch (3rd generation or later), and all iPad models. Introduction of this feature had complicated iPhone forensics process because now (almost) all files on user partition are encrypted and physical dumps are of much less value to examiners: while the filesystem seems to be intact, actual file contents are encrypted and are not suitable for analysis.<br />
<br />
This talk will provide in-depth information about iOS Data protection internals and on the implication it had on iOS forensics. More specifically, it will cover the following:<br />
*System keys and their hierarchy<br />
*Device passcode and its recovery<br />
*Escrow keys<br />
*Filesystem encryption<br />
*Keychain encryption<br />
<br />
Presentation will start by providing attendees with required background on iOS encryption keys architecture: system keys, passcode key, escrow key. After attendees are familiar with those concepts, presentation will continue to filesystem and keychain encryption details and to the techniques that can be used to overcome the hurdles imposed by iOS Data Protection.<br />
<br />
======Andrey Belenko, Chief Security Researcher at ElcomSoft======<br />
Chief security researcher and software developer at Elcomsoft. Co-invented ThunderTables (which are improved RainbowTables) and was first to bring GPU acceleration to password recovery. M. Sc. IT and CISSP.<br />
<br />
LinkedIn: http://ru.linkedin.com/in/belenko<br />
<br />
Twitter: @andreybelenko<br />
<br />
=====Do you... Legal? (by [https://www.owasp.org/index.php/BeNeLux_OWASP_Day_2011#Ludovic_Petit.2C_Group_Fraud_.26_Information_Security_Adviser_at_SFR.2C_Vodafone_Group Ludovic Petit], Group Fraud & Information Security Adviser at SFR, Vodafone Group) =====<br />
<br />
The OWASP core mission is to make application security visible, so that people and organizations can make informed decisions about true application security risks. However, if you do not pay enough attention to many aspects of Legal compliance, you'll see why Web Application Security is somehow linked to Legal and Regulatory aspects as well as... Corporate Responsability, so yours. Who is accountable for what, what about each other's responsibility? Nowadays, the legal constraints oblige us to comply via technical means, whatever the local framework, and this is specially true for Web Application Security, many sensitive informations having to be handled through these web interfaces. A such, what do you think about your Security Policy compliance with your local Legal framework? Compliant? Sure? Really? Interesting isn't it? Let's have a talk about this.<br />
<br />
======Ludovic Petit, Group Fraud & Information Security Adviser at SFR, Vodafone Group======<br />
Ludovic is an internationally recognised information security expert with over 25 years experience. Last 15 years spent in various Corporate Management positions covering both Technical and Law Enforcement expertise dedicated to Mobile Telecommunications Fraud and Security in multi-national corporations.<br />
<br />
Ludovic is Chapter Leader & Founding Member OWASP France and an active contributor to OWASP in several roles and projects.<br />
<br />
LinkedIn Profile: http://www.linkedin.com/in/lpetit<br />
<br />
=====Dynamic Malware Analysis or How to Play in the House of Horrors (by Alexandre Dulaunoy, Incident Management - Security Research at CIRCL) =====<br />
Malware reversing is a time consuming task. Many approaches are available to dissect and analyse suspicious binaries. Dynamic malware analysis is one of the option to better understand them and also a nifty companion to static analysis. The current dynamic malware analysis techniques will be presented especially the ones relying on instrumented operating system systems (from the filesystem to the network stack). You'll see a wandering through common and less common malware partially analysed using dynamic analysis and how dynamic malware analysis can help you.<br />
<br />
===== The limits of e-banking (by Jean-Marc Bost and Sébastien Bischof, ECLA) =====<br />
The swiss german TV channel SF1 showed a footage on swiss e-banking security. The TV show follows a team of the ETH who earned a special authorization to test several e-anking platforms. After admitting that a personal computer can be infected by different means (actually 5% of the tested PCs are infected according to Microsoft), The team from Zürich showed the limits of the different platforms. Only the bank who signs each transaction is labelled as safe. We will come back during the presentation on the nature of the threat.<br>First of all, we will explain how famous malwares such as Zeus and SpyEye manage to steal from their victims without them being able to notice anything. Then we will see that e-banking is not the only target, as a matter of fact, the reality is far from this.<br>And then we will comment the most recent techniques that allow malwares to escape Antivirus and Antimalware programs even if they are up to date. We will vulgarize several concepts such as DKOM and bootkits in order to let everybody have a glimpse on the danger they represent.<br>Finally, we will think about if signing each transaction can efficiently fight off these threats. In fact, when attacks are coupled with Social Engineering, they have potentially no limit. Zeus is a living proof of this fact, because it even managed to attack the transaction validation system by SMS. As a conclusion, we will see that the e-banking platform that managed to resist the tests of the ETH team is vulnerable to such kind of attacks. <br />
<br />
====== Jean-Marc Bost, ELCA ======<br />
Jean-Marc Bost leads the security division at ELCA. <br>He is in charge of the various security solutions proposed by ELCA, some being released by ELCA, others being provided by partner vendors. <br>With a significant experience in the development of internet applications, he focused 10 years ago on their need for security. <br>Since then, he has been very active in&nbsp;:<br>- demonstrating the threats, in particular for ebanking<br>- conceiving practical and patented solutions for strong authentication, online transactions, electronic signature and secured documents<br>- presenting the findings of the security division in security events and through expert talks<br> <br />
<br />
====== Sébastien Bischof, ELCA ======<br />
Sébastien Bischof works in the security division at ELCA Where he is specialized in OS-level and communication security.<br>As a major result, he developped a fully-working proof-of-concept of an attack against a sophisticated USB token for safe-browsing.<br>He obtained his Master of Science in Engineering at HEIG-VD/HES-SO with a strong emphasis on IT Security.<br>During his education, he focused on obfuscation and rootkit techniques.<br>Computer security enthusiast, he is very interested in hackings events such as Insomni'hack and keeps himself informed on the latest threats throuhg active participation in security forums.<br />
<br />
===== Security testing: a key challenge for software engineering of web apps (by Yves Le Traon, UdL)===== <br />
While important efforts are dedicated to system functional testing, very few works study how to specifically and systematically test security mechanisms. In this talk, we will present two categories of approaches. <br />
The first ones aim at assessing security mechanisms compliance with declared policies. Any security policy is strongly connected to system functionality: testing function includes exercising many security mechanisms. However, testing functionality does not intend at exercizing all security mechanisms. We thus propose test selection criteria to produce tests from a security policy. Empirical results will be presented about access control policies and about Android apps permission checks. <br />
<br />
The second ones concern the attack surface of web apps, with a particular focus on web browser sensitivity to XSS attacks. Indeed, one of the major threats against web applications is Cross-Site Scripting (XSS) that crosses several web components: web server, security components and finally the client’s web browser. The final target is thus the client running a particular web browser. During this last decade, several competing web browsers (IE, Netscape, Chrome, Firefox) have been upgraded to add new features for the final users benefit. However, the improvement of web browsers is not related with systematic security regression testing. Beginning with an analysis of their current exposure degree to XSS, we extend the empirical study to a decade of most popular web browser versions.The results reveal a chaotic behavior in the evolution of most web browsers attack surface over time. This particularly shows an urgent need for regression testing strategies to ensure that security is not sacrificed when a new version is delivered. <br />
<br />
In both cases, security must become a specific target for testing in order to get a satisfying level of confidence in security mechanisms<br />
<br />
====== Yves Le Traon, UdL====== <br />
Yves Le Traon is professor at University of Luxembourg in the domain of software engineering, reliability, validation and security. He is also a member of the Interdisciplinary Centre for Security, Reliability and Trust (SnT), where he leads the research group SERVAL (SEcuRity and VALidation of services and networks). His research interests include software testing, design for security, security testing, model-driven validation, model based testing, web application, mobile computing. <br />
<br />
Professor Le Traon received his engineering degree and his PhD in Computer Science at the “Institut National Polytechnique” in Grenoble, France, in 1997. From 1998 to 2004, he was an associate professor at the University of Rennes, in Brittany, France. He is the co-founder of the Triskell INRIA team, which focuses on innovating design, modeling and testing techniques, such as Model-driven Engineering. During this period, Professor Le Traon studied design for testability techniques, validation and diagnosis of object-oriented programs and component-based systems. From 2004 to 2006, he was an expert in Model-Driven Architecture and Validation in the EXA team (Requirements Engineering and Applications) at “France Télécom R&D”. In 2006, he became professor at Telecom Bretagne (Ecole Nationale des Télécommunications de Bretagne), where he pioneered the application of testing for security assessment of web-applications, P2P systems and the promotion of intrusion detection systems using contract-based techniques.<br />
<br />
<br />
==== CTF ====<br />
<br />
Do you like puzzles? Do you like challenges? Are you a hacker?<br />
<br />
Whether you are an old hacker or new enthusiast you should come to OWASP BeNeLux days 2011 and participate in the Capture the Flag event December 2nd 2011 at the University of Luxemburg. <br />
<br />
The OWASP CTF is especially designed to support challengers of all skill levels. The CTF contains multiple challenges in various fields related to application security. As every challenge gains you one point, you can pick and choose which challenge you want to play.<br />
<br />
All you need is a laptop with a wifi card and your favorite (preferably) non-commercial tools. <br />
<br />
So come to Luxemburg, show off your skills, learn new tricks and above all have a good time at the CTF event. <br />
<br />
==== Registration ====<br />
<center><br />
'''The training day and the conference are free!'''&nbsp;<br />
<br />
<br> <br />
<br />
[http://owaspbenelux2011.eventbrite.com/ http://www.owasp.org/images/7/77/Buttoncreate.png] <br />
<br />
<br> To support the OWASP organisation, consider to become a member, it's only US$50!<br> Check out the [[Membership]] page to find out more.<br> <br />
<br />
<br> <br />
</center> <br />
==== Venue ====<br />
<center><br />
University of Luxembourg<br>Campus Kirchberg<br>6, rue Richard Coudenhove-Kalergi<br>L-1359 Luxembourg<br>[http://wwwen.uni.lu/contact/campus_kirchberg http://wwwen.uni.lu/contact/campus_kirchberg] <br>Room: Paul Feidert<br />
</center><br />
<br />
<br>'''Parking''':<br />
<br />
There is a public parking close to the conference venue.<br />
[http://maps.google.de/maps?q=49.63038,6.157061&num=1&t=h&vpsrc=0&z=16 Click here to find the parking on Google Maps]<br />
<br />
<br>'''Hotels nearby''': <br />
<br />
The first hotel is at 5 minutes on walk distance from the campus Kirchberg: '''[http://www.coque.lu/article/259 Hotel d’Coque]'''<br />
* single room with breakfast 77.50 €<br />
* double room with breakfast 93.00 €. <br />
* Booking email address with Ref. OWASP_SNT 2011 to : [mailto:reception@coque.lu reception@coque.lu]<br />
* Reservation deadline: 20 October 2011<br />
Second hotel (direct center of Luxembourg) 5/10 minutes with taxi or bus: '''[http://www.parcbellevue.lu/fr/index.php Hotel Parc Bellevue]'''<br />
* single room with breakfast 95.00 € (normal price 160 €)<br />
* double room with breakfast 115.00 € (normal price 180€)<br />
* wifi and parking included<br />
* Booking email address: [mailto:reservation@goeres-group.com reservation@goeres-group.com]<br />
* Reservation deadline&nbsp;: 30 November <br />
* Reservation form: [https://www.owasp.org/images/4/44/Uni_Luxembourg_OWASP_2011.doc download form] <br />
Third hotel (near the Parc Bellevue): '''[http://www.parcplaza.lu/fr/index.php Hotel Plaza]'''<br />
* single room with breakfast 130.00 € (normal price 225 €)<br />
* double room with breakfast 150.00 € (normal price 245€)<br />
* wifi and parking included<br />
* Booking email address: [mailto:reservation@goeres-group.com reservation@goeres-group.com]. <br />
* Reservation deadline: 30 November<br />
* Reservation form: [https://www.owasp.org/images/4/44/Uni_Luxembourg_OWASP_2011.doc download form] <br />
Fourth hotel: '''[http://www.melia-luxembourg.com/fr/melia-luxembourg.html Hotel Mélia]'''<br />
* single room with breakfast 140.00 €<br />
* Booking email address: [mailto:reservations.melia.luxembourg@solmelia.com reservations.melia.luxembourg@solmelia.com]<br />
* Reservation deadline: 28 October 2011<br />
* Reservation form: [https://www.owasp.org/images/f/f8/Uni_OWASP_2011_Melia.pdf download form] <br />
<br />
<br><br />
<br />
==== Organisation ====<br />
<br />
The BeNeLux Day 2011 Program Committee: <br />
<br />
*Martin Knobloch / Ferdinand Vroom ([[Netherlands|OWASP Netherlands]]) <br />
*Bart De Win / Sebastien Deleersnyder ([[Belgium|OWASP Belgium]]) <br />
*Jocelyn Aubert / Andre Adelsbach ([[Luxembourg|OWASP Luxembourg]]) <br />
*Steven van der Baan ([[:Category:OWASP CTF Project|Capture The Flag]])<br />
<br />
Local organization:<br />
<br />
*Thomas Engel <br />
*Radu State <br />
*Magali Martin <br />
*Aurel Machalek<br />
<br />
==== Sponsorship ====<br />
<br />
Contact seba &lt;at&gt; owasp.org for sponsorship <br />
<br />
<paypal>BeNeLux OWASP Day 2011</paypal> <br />
<br />
==== Social Event ====<br />
<br />
The social event is scheduled for Thursday, 1st of December, 19:00 at <br />
<br><br />
<br><br />
<center><br />
[http://www.aguadecoco.lu/ Agua De C&ocirc;co]<br><br />
2, rue Emile Mousel<br><br />
L-2165 Luxembourg<br><br />
<br><br />
([http://maps.google.com/maps?q=Rue+Emile+Mousel,+Luxembourg,+Luxemburg&hl=de&ll=49.612031,6.14125&spn=0.003379,0.009677&sll=49.709163,6.115265&sspn=0.003372,0.009677&vpsrc=6&geocode=FQIF9QIdPrVdAA&hnear=Rue+Emile+Mousel,+Luxembourg,+Luxemburg&t=h&z=17 find the location on Google Maps])<br />
<br />
Remark: split bill system - everyone has to cover own food & drinks.<br />
<br />
</center><br />
<br />
==== Promotion ====<br />
''Feel free to use the text below to promote our event!''<br />
<br />
We invite you to our next OWASP event: the '''BeNeLux OWASP Days 2011!'''<br />
<br />
Free your agenda on the 1st and 2nd of December, 2011.<br />
<br />
The good news: free! No fee!<br />
<br />
The bad news: there are only 160 seats available (first register, first serve)!<br />
<br />
<br />
'''PROGRAM Day 1'''<br />
* 10:00 AM - 18:00 PM: OWASP Training Day<br />
* 19:00 PM - ?: Social event<br />
<br />
'''OWASP Training: Secure Application Development''', by Eoin Keary<br><br />
This intensive one-day training focuses on the most common web application security problems, including aspects of both the OWASP Top Ten (2010) and the MITRE Top 25. The training will introduce and demonstrate application assessment techniques, illustrating how application vulnerabilities can be exploited so students really understand how to avoid introducing such vulnerabilities in their code.<br />
<br />
'''PROGRAM Day 2'''<br />
* 10:00 AM - 18:00 PM: OWASP Conference<br />
<br />
List of '''confirmed speakers''' (more to be announced soon):<br />
*Brenno De Winter (Journalist) on the Diginotar story<br />
*Koen Vanderloock (Lead Security Competence Group at Cegeka) on the new OWASP Simba project<br />
*Justin Clarke (Director and Co-Founder of Gotham Digital Science Ltd) on practical crypto attacks against web applications<br />
*Lieven Desmet (Research Manager at University Leuven) on HTML5 security<br />
*Andrey Belenko (Chief Security Researcher at ElcomSoft Co. Ltd) on iOS data protection internals<br />
*Alexandre Dulaunoy (Incident Management - Security Research at CIRCL) on dynamic malware analysis<br />
*Ludovic Petit (Group Fraud & Information Security Adviser at SFR, Vodafone Group) on WebApp Security and legal and regulatory aspects<br />
*Seba Deleersnyder & Eoin Keary (OWASP Board) on OWASP Update<br />
<br />
'''ORGANIZATION<br>'''<br />
OWASP's all-volunteer participants produce free, professional quality, open-source documentation, tools, and standards on application security. An example of this is the famous OWASP top ten of most critical web application security flaws. The OWASP community facilitates conferences, local chapters, articles, and message forums. Participation in OWASP is free and open to all, as are all the materials we produce.<br />
<br />
'''WHO should attend?<br>'''<br />
Anyone interested in Web Application Security (management, security professionals, developers, students, etc). OWASP Belgium, Netherlands and Luxembourg chapters membership is free. All meetings are free. There are never vendor pitches or sales presentations at OWASP meetings.<br><br />
Check our chapter page http://www.owasp.org/index.php/Belgium on meeting details, sign up to the chapter mailing list and introduce yourself.<br><br />
Check our chapter page http://www.owasp.org/index.php/Netherlands on meeting details, sign up to the chapter mailing list and introduce yourself.<br><br />
Check our chapter page http://www.owasp.org/index.php/Luxembourg on meeting details, sign up to the chapter mailing list and introduce yourself.<br><br />
<br />
'''WHEN<br>'''<br />
Thursday and Friday, 1st and 2nd of December, 2011 (10 AM - 7 PM)<br />
<br />
'''WHERE<br>'''<br />
University of Luxembourg<br><br />
Campus Kirchberg<br><br />
6, rue Richard Coudenhove-Kalergi<br><br />
L-1359 Luxembourg<br><br />
http://wwwen.uni.lu/contact/campus_kirchberg<br><br />
Room: Paul Feidert<br />
<br />
Attention: make sure to '''book your hotel in time''', it will be difficult to find rooms in Luxembourg around Dec 1-2!<br><br />
Hotel details https://www.owasp.org/index.php?title=BeNeLux_OWASP_Day_2011#tab=Venue<br />
<br />
'''REGISTRATION<br>'''<br />
Only 160 places, please '''Register upfront: http://owaspbenelux2011.eventbrite.com''' !<br><br />
All latest details are available on http://www.owaspbenelux.eu<br><br />
Hope to see you all!<br><br />
<br />
The BeNeLux Program Committee,<br />
*Martin Knobloch / Ferdinand Vroom, OWASP Netherlands<br />
*Bart De Win / Sebastien Deleersnyder, OWASP Belgium<br />
*Jocelyn Aubert / Andre Adelsbach, OWASP Luxembourg<br />
*Steven van der Baan, OWASP CTF Project<br />
<br />
Kindly supported by the Interdisciplinary Centre for Security Reliability and Trust<br />
*Thomas Engel <br />
*Radu State <br />
*Magali Martin <br />
*Aurel Machalek<br />
<br />
<headertabs /><br />
<br />
<br />
<center><br />
'''Hosted and co-organized by:'''<br> <br />
[[Image:Bnl11-university-logo.jpg|link=http://wwwen.uni.lu]] <br />
[[Image:Bnl11-SECURITYANDTRUST-LOGO.jpg|link=http://www.securityandtrust.lu]] <br />
<br />
<br><br><br><br />
<br />
Made possible by our [http://www.owasp.org/index.php/BeNeLux_OWASP_Day_2011#tab=Sponsorship sponsors]:<br><br />
{{MemberLinks|link=http://www.ascure.com|logo=Ascure_Logo.jpg}} <br />
[http://www.zionsecurity.com http://www.owasp.org/images/e/e6/Zionsecurity.jpg]<br />
[http://www.zenitelbelgium.com http://www.owasp.org/images/d/df/SAIT_Zenitel.jpg]<br />
[http://www8.hp.com/us/en/solutions/solutions-detail.html?compURI=tcm:245-339290 https://www.owasp.org/images/b/b4/HP_Logo.jpg] <br />
[http://www.barracuda.com https://www.owasp.org/images/f/f6/Bnl11-Barracuda_Logo-4C.png] <br />
[http://circl.lu/ http://circl.lu/pics/logo.png]<br />
[http://www.f5.com https://www.owasp.org/images/f/fd/AppSec_Research_2010_sponsor_F5_logo.jpg]<br />
<br />
<br />
<br />
<br><br />
</center><br />
[[Category:OWASP_AppSec_Conference]] [[Category:OWASP_BeNeLux_Archives]]</div>Bart De Winhttps://wiki.owasp.org/index.php?title=BeNeLux_OWASP_Day_2011&diff=120806BeNeLux OWASP Day 20112011-11-27T21:20:55Z<p>Bart De Win: </p>
<hr />
<div>__NOTOC__ <br />
<center>[[Image:OWASP BeNeLux 2011.jpg]]<br></center><br />
<br><!-- Header --><br />
<br />
==== Welcome ====<br />
<br />
<br><br />
<center><br />
=== Venue is the University of Luxembourg (Grand Duchy of Luxembourg) ===<br />
Training and conference location, together with hotel information, can be found [https://www.owasp.org/index.php/BeNeLux_OWASP_Day_2011#tab=Venue here].<br />
=== Training and first list of conference speakers are announced! ===<br />
See [https://www.owasp.org/index.php/BeNeLux_OWASP_Day_2011#tab=Training.2C_December_1st here] and [https://www.owasp.org/index.php/BeNeLux_OWASP_Day_2011#tab=Conference.2C_December_2nd here]<br />
=== Tweet! ===<br />
<br />
Event tag is [http://twitter.com/#search?q=%23owaspbnl11 #owaspbnl11]<br />
<br />
=== Registrations are open: ===<br />
<br />
[http://owaspbenelux2011.eventbrite.com/ http://www.owasp.org/images/7/77/Buttoncreate.png] <br />
<br />
</center><br />
<br><br />
<br />
==== Training, December 1st ====<br />
'''OWASP Training: Secure Application Development, by Eoin Keary'''<br />
<br />
'''Abstract:''' Writing Secure code is the most effective method to securing your web applications. Writing secure code takes skill and know-how but results in a more stable and robust application and assists in protecting an organisations brand.<br />
Application security is not commonly a part of many computer science curricula today and most organizations have not focused on instituting a culture that includes application security as a core part of their software development training efforts. This intensive one-day course focuses on the most common web application security problems, including aspects of both the OWASP Top Ten (2010) and the MITRE Top 25. The course will introduce and demonstrate application assessment techniques, illustrating how application vulnerabilities can be exploited so students really understand how to avoid introducing such vulnerabilities in their code.<br />
<br />
'''This course includes coverage of the following areas:'''<br />
<br />
* Unvalidated Input<br />
* Injection Flaws, OS commanding, SQL Injection<br />
* Cross-Site Scriping & Client-side security<br />
* CSRF/XSRF<br />
* Authentication & Session Management<br />
* Access control & Authorisation<br />
* Broken Caching<br />
* Error Handling & Resource Management<br />
* The Secure SDLC<br />
* Fuzzing, Proxy use and testing approach<br />
<br />
'''Hands on Exercises'''<br />
<br />
To cement the principles discussed, students can participate in a number of hands-on security testing exercises where they attack a live web application (i.e., OWASP Bank etc) that has been seeded with common web application vulnerabilities.<br />
<br />
The students will use proxy tools commonly used by the hacker community to complete the exercises. Students need to bring their own windows based laptop to participate in the exercises. Wireless capability is recommended.<br />
<br />
'''Audience'''<br />
<br />
Developers who want to understand the most common web application security flaws, and how to avoid them and code in a secure manner.<br />
<br />
Level: Beginner/Intermediate<br />
<br />
Prerequisite: Basic knowledge of a web programming language like Java or .NET recommended but not required.<br />
<br />
Bringing your own windows based laptop is recommended so you can participate in the hands on exercises<br />
<br />
'''Trainer Bio:''' <br />
<br />
[[Eoin Keary]] is a Global OWASP board member since 2009. He is a long time member of OWASP and have contributed year on year to OWASP projects and the OWASP mission of fighting the causes of software insecurity. He is based in Dublin, Ireland and director of [http://www.bccriskadvisory.com Bccriskadvisory].<br />
<br />
==== Conference, December 2nd ====<br />
<br />
We are pleased to announce the list of confirmed speakers:<br />
<br />
* Brenno De Winter (Journalist) on the Diginotar story<br />
* Koen Vanderloock (Lead Security Competence Group at Cegeka) on [https://www.owasp.org/index.php/BeNeLux_OWASP_Day_2011#OWASP_SIMBA_-_guarding_your_applications_.28by_Koen_Vanderloock.2C_Leader_Security_Competence_Group_at_Cegeka.29 the new OWASP Simba project]<br />
* Justin Clarke (Director and Co-Founder of Gotham Digital Science Ltd) on [https://www.owasp.org/index.php/BeNeLux_OWASP_Day_2011#Practical_Crypto_Attacks_Against_Web_Applications_.28by_Justin_Clarke.2C_Director_and_Co-Founder_of_Gotham_Digital_Science_Ltd.29 practical crypto attacks against web applications]<br />
* Lieven Desmet (Research Manager at University Leuven) on [https://www.owasp.org/index.php/BeNeLux_OWASP_Day_2011#HTML5_security_.28by_Lieven_Desmet.2C_Research_Manager_at_Katholieke_Universiteit_Leuven.29 HTML5 security]<br />
* Andrey Belenko (Chief Security Researcher at ElcomSoft Co. Ltd) on [https://www.owasp.org/index.php/BeNeLux_OWASP_Day_2011#Overcoming_iOS_Data_Protection_to_Re-Enable_iPhone_Forensics_.28by_Andrey_Belenko.2C_Chief_Security_Researcher_at_ElcomSoft.29 iOS data protection internals]<br />
* Alexandre Dulaunoy (Incident Management - Security Research at CIRCL) on dynamic malware analysis<br />
* Ludovic Petit (Group Fraud & Information Security Adviser at SFR, Vodafone Group) on [https://www.owasp.org/index.php/BeNeLux_OWASP_Day_2011#Do_you..._Legal.3F_.28by_Ludovic_Petit.2C_Group_Fraud_.26_Information_Security_Adviser_at_SFR.2C_Vodafone_Group.29 WebApp Security and legal and regulatory aspects]<br />
*Jean-Marc Bost and Sébastien Bischof (ELCA) on The limits of e-banking<br />
* Yves Le Traon on security testing for web apps (talk will be held on the Training Day)<br />
* Seba Deleersnyder & Eoin Keary (OWASP Board) on OWASP Update<br />
<br />
Stay tuned for the final agenda!<br />
<br />
'''''Agenda''''' '<br />
''(program has slightly changed !)''<br />
<br />
{| class="wikitable"<br />
! Time !! Speaker !! Topic<br />
|-<br />
| 09h30 - 9h40 || OWASP Benelux Organization || Welcome<br />
| || Thomas Engel || SNT Welcome<br />
|-<br />
| 09h40 - 10h00 || Sebastien Deleersnyder & Eion Keary || OWASP update<br />
|-<br />
| 10h00 - 10h40 || Brenno De Winter || The Diginotar story <br />
|-<br />
| 10h40 - 11h00 || ''Break'' ||<br />
|-<br />
| 11h00 - 11h40 || Justin Clarke || Practical Crypto Attacks Against Web Applications <br />
|-<br />
| 11h40 - 12h20 || Andre Belenko || Overcoming iOS Data Protection to Re-Enable iPhone Forensics <br />
|-<br />
| 12h20 - 13h00 || Koen Vanderloock || OWASP SIMBA - guarding your applications <br />
|-<br />
| 13h00 - 14h00 || ''Lunch'' || <br />
|-<br />
| 14h00 - 14h40 || Ludovic Petit || Do you... Legal?<br />
|-<br />
| 14h40 - 15h20 || Thierry Zoller || The rise of the Vulnerability Market<br />
|-<br />
| 15h20 - 16h00 || Jean-Marc Bost & Sébastien Bischof || The limits of e-banking <br />
|-<br />
| 16h00 - 16h20 || ''Break'' || <br />
|-<br />
| 16h20 - 17h00 || Alexandre Delaunoy || Dynamic malware analysis <br />
|-<br />
| 17h00 - 17h40 || Lieven Desmet || HTML5 security<br />
|-<br />
| 17h40 - 18h00 || OWASP Benelux 2011 organization || Closing notes<br />
<br />
|}<br />
<br />
<!-- deze laten staan. is handig om anchors te vinden tijdens edi (seba) __TOC__ --><br />
<br />
=====OWASP SIMBA - guarding your applications (by [https://www.owasp.org/index.php/BeNeLux_OWASP_Day_2011#Koen_Vanderloock.2C_Leader_Security_Competence_Group_at_Cegeka Koen Vanderloock], Leader Security Competence Group at Cegeka)=====<br />
[[OWASP SIMBA Project|SIMBA (Security Integration Module for Business Applications)]] is a OWASP project that provides you with a User Access Management system that can be integrated with any business application. The purpose of SIMBA is to secure an application fast and easy. Because SIMBA itself is generic it can be customized for every project. Many features are customizable e.g. designing your own authentication chain is easy and fast by using existing or newly created building blocks. SIMBA contains authentication, authorization, session management and a GUI to manage your security information.<br />
<br />
======Koen Vanderloock, Leader Security Competence Group at Cegeka======<br />
Koen Vanderloock is the leader of the security competence group at Cegeka. About 2 years ago Cegeka decided to create a sandbox for investigating security issues and solutions so they could be included in the current projects. <br />
Koen Vanderloock is a Java developer with 8 years of experience and started exploring the world of security 3 years ago when UAM problems started to occur.<br />
<br />
=====Practical Crypto Attacks Against Web Applications (by [https://www.owasp.org/index.php/BeNeLux_OWASP_Day_2011#Justin_Clarke.2C_Director_and_Co-Founder_of_Gotham_Digital_Science_Ltd Justin Clarke], Director and Co-Founder of Gotham Digital Science Ltd)=====<br />
The science of cryptography underpins many of the information security technologies we use on a daily basis, such as the ability to keep information confidential and to ensure we can identify who we are communicating with. However, it is a very complex subject area with many types of mistakes that can reduce the overall security of a solution. A number of these types of mistakes can be identified by a tester, if they know what they're looking for, but in general it isn't a well tested area.<br />
<br />
This talk is intended to provide a high level overview of some of the areas where cryptographic operations such as encryption and hashing can provide far less security than was planned, and concrete examples of how these were found and exploited. Examples will include discussion and demonstration of the recently patched cryptographic padding attack against the Microsoft .NET framework (affecting ASP.NET applications) caused by a design error in how ASP.NET handles some types of encrypted data, but we will also be looking at some other fun areas including bit flipping attacks, ECB mode attacks, and some miscellaneous hashing algorithm attacks against common web application implementations.<br />
<br />
======Justin Clarke, Director and Co-Founder of Gotham Digital Science Ltd======<br />
Justin is a Director and Co-Founder of Gotham Digital Science and an experienced software security consultant with extensive international Big 4 risk management, security consulting and testing experience. He is the lead author/technical editor of "SQL Injection Attacks and Defenses" (Syngress 2009), co-author of "Network Security Tools" (O'Reilly 2005), contributor to "Network Security Assessment, 2nd Edition" (O'Reilly 2007), as well as a speaker at various security conferences and events such as Black Hat, EuSecWest, ISACA, BruCON, OWASP, OSCON, RSA and SANS. He is currently the OWASP London chapter president, and a member of the OWASP Global Connections Committee.<br />
On 10 Oct 2011, at 09:33, Seba wrote:<br />
<br />
=====HTML5 security (by [https://www.owasp.org/index.php/BeNeLux_OWASP_Day_2011#Lieven_Desmet.2C_Research_Manager_at_Katholieke_Universiteit_Leuven Lieven Desmet], Research Manager at Katholieke Universiteit Leuven)=====<br />
In this talk, Lieven will highlight the results of the HTML5 security analysis, conducted by the DistriNet Research Group (K.U.Leuven). The security analysis of next generation web standards, commissioned by ENISA, looked into 13 emerging W3C web standards (i.e. the specification of HTML 5 and some of the associated APIs), and assessed the security of each of them as well as the overall security and consistency across specifications.<br />
<br />
In total 51 security threats and issues have been identified, and detailed in the ENISA report (http://www.enisa.europa.eu/html5). During the talk, Lieven will discuss the methodology developed to assess the huge amount of specifications, and zoom into a representative set of identified threats and their remediation.<br />
<br />
======Lieven Desmet, Research Manager at Katholieke Universiteit Leuven======<br />
Lieven Desmet is the Research Manager on Secure Software at the Katholieke Universiteit Leuven (Belgium), where he coaches junior researchers in web application security and participates in dissemination and valorization activities. His interests are in software verification and security of middleware and web-enabled technologies. Lieven is actively engaged in OWASP and is board member of the OWASP Chapter Belgium.<br />
<br />
=====Overcoming iOS Data Protection to Re-Enable iPhone Forensics (by [https://www.owasp.org/index.php/BeNeLux_OWASP_Day_2011#Andrey_Belenko.2C_Chief_Security_Researcher_at_ElcomSoft Andrey Belenko], Chief Security Researcher at ElcomSoft)=====<br />
Data protection is a feature available for iOS devices (iOS 4 and up) with hardware encryption: iPhone 4S, iPhone 4, iPhone 3GS, iPod touch (3rd generation or later), and all iPad models. Introduction of this feature had complicated iPhone forensics process because now (almost) all files on user partition are encrypted and physical dumps are of much less value to examiners: while the filesystem seems to be intact, actual file contents are encrypted and are not suitable for analysis.<br />
<br />
This talk will provide in-depth information about iOS Data protection internals and on the implication it had on iOS forensics. More specifically, it will cover the following:<br />
*System keys and their hierarchy<br />
*Device passcode and its recovery<br />
*Escrow keys<br />
*Filesystem encryption<br />
*Keychain encryption<br />
<br />
Presentation will start by providing attendees with required background on iOS encryption keys architecture: system keys, passcode key, escrow key. After attendees are familiar with those concepts, presentation will continue to filesystem and keychain encryption details and to the techniques that can be used to overcome the hurdles imposed by iOS Data Protection.<br />
<br />
======Andrey Belenko, Chief Security Researcher at ElcomSoft======<br />
Chief security researcher and software developer at Elcomsoft. Co-invented ThunderTables (which are improved RainbowTables) and was first to bring GPU acceleration to password recovery. M. Sc. IT and CISSP.<br />
<br />
LinkedIn: http://ru.linkedin.com/in/belenko<br />
<br />
Twitter: @andreybelenko<br />
<br />
=====Do you... Legal? (by [https://www.owasp.org/index.php/BeNeLux_OWASP_Day_2011#Ludovic_Petit.2C_Group_Fraud_.26_Information_Security_Adviser_at_SFR.2C_Vodafone_Group Ludovic Petit], Group Fraud & Information Security Adviser at SFR, Vodafone Group) =====<br />
<br />
The OWASP core mission is to make application security visible, so that people and organizations can make informed decisions about true application security risks. However, if you do not pay enough attention to many aspects of Legal compliance, you'll see why Web Application Security is somehow linked to Legal and Regulatory aspects as well as... Corporate Responsability, so yours. Who is accountable for what, what about each other's responsibility? Nowadays, the legal constraints oblige us to comply via technical means, whatever the local framework, and this is specially true for Web Application Security, many sensitive informations having to be handled through these web interfaces. A such, what do you think about your Security Policy compliance with your local Legal framework? Compliant? Sure? Really? Interesting isn't it? Let's have a talk about this.<br />
<br />
======Ludovic Petit, Group Fraud & Information Security Adviser at SFR, Vodafone Group======<br />
Ludovic is an internationally recognised information security expert with over 25 years experience. Last 15 years spent in various Corporate Management positions covering both Technical and Law Enforcement expertise dedicated to Mobile Telecommunications Fraud and Security in multi-national corporations.<br />
<br />
Ludovic is Chapter Leader & Founding Member OWASP France and an active contributor to OWASP in several roles and projects.<br />
<br />
LinkedIn Profile: http://www.linkedin.com/in/lpetit<br />
<br />
=====Dynamic Malware Analysis or How to Play in the House of Horrors (by Alexandre Dulaunoy, Incident Management - Security Research at CIRCL) =====<br />
Malware reversing is a time consuming task. Many approaches are available to dissect and analyse suspicious binaries. Dynamic malware analysis is one of the option to better understand them and also a nifty companion to static analysis. The current dynamic malware analysis techniques will be presented especially the ones relying on instrumented operating system systems (from the filesystem to the network stack). You'll see a wandering through common and less common malware partially analysed using dynamic analysis and how dynamic malware analysis can help you.<br />
<br />
===== The limits of e-banking (by Jean-Marc Bost and Sébastien Bischof, ECLA) =====<br />
The swiss german TV channel SF1 showed a footage on swiss e-banking security. The TV show follows a team of the ETH who earned a special authorization to test several e-anking platforms. After admitting that a personal computer can be infected by different means (actually 5% of the tested PCs are infected according to Microsoft), The team from Zürich showed the limits of the different platforms. Only the bank who signs each transaction is labelled as safe. We will come back during the presentation on the nature of the threat.<br>First of all, we will explain how famous malwares such as Zeus and SpyEye manage to steal from their victims without them being able to notice anything. Then we will see that e-banking is not the only target, as a matter of fact, the reality is far from this.<br>And then we will comment the most recent techniques that allow malwares to escape Antivirus and Antimalware programs even if they are up to date. We will vulgarize several concepts such as DKOM and bootkits in order to let everybody have a glimpse on the danger they represent.<br>Finally, we will think about if signing each transaction can efficiently fight off these threats. In fact, when attacks are coupled with Social Engineering, they have potentially no limit. Zeus is a living proof of this fact, because it even managed to attack the transaction validation system by SMS. As a conclusion, we will see that the e-banking platform that managed to resist the tests of the ETH team is vulnerable to such kind of attacks. <br />
<br />
====== Jean-Marc Bost, ELCA ======<br />
Jean-Marc Bost leads the security division at ELCA. <br>He is in charge of the various security solutions proposed by ELCA, some being released by ELCA, others being provided by partner vendors. <br>With a significant experience in the development of internet applications, he focused 10 years ago on their need for security. <br>Since then, he has been very active in&nbsp;:<br>- demonstrating the threats, in particular for ebanking<br>- conceiving practical and patented solutions for strong authentication, online transactions, electronic signature and secured documents<br>- presenting the findings of the security division in security events and through expert talks<br> <br />
<br />
====== Sébastien Bischof, ELCA ======<br />
Sébastien Bischof works in the security division at ELCA Where he is specialized in OS-level and communication security.<br>As a major result, he developped a fully-working proof-of-concept of an attack against a sophisticated USB token for safe-browsing.<br>He obtained his Master of Science in Engineering at HEIG-VD/HES-SO with a strong emphasis on IT Security.<br>During his education, he focused on obfuscation and rootkit techniques.<br>Computer security enthusiast, he is very interested in hackings events such as Insomni'hack and keeps himself informed on the latest threats throuhg active participation in security forums.<br />
<br />
===== Security testing: a key challenge for software engineering of web apps (by Yves Le Traon, UdL)===== <br />
While important efforts are dedicated to system functional testing, very few works study how to specifically and systematically test security mechanisms. In this talk, we will present two categories of approaches. <br />
The first ones aim at assessing security mechanisms compliance with declared policies. Any security policy is strongly connected to system functionality: testing function includes exercising many security mechanisms. However, testing functionality does not intend at exercizing all security mechanisms. We thus propose test selection criteria to produce tests from a security policy. Empirical results will be presented about access control policies and about Android apps permission checks. <br />
<br />
The second ones concern the attack surface of web apps, with a particular focus on web browser sensitivity to XSS attacks. Indeed, one of the major threats against web applications is Cross-Site Scripting (XSS) that crosses several web components: web server, security components and finally the client’s web browser. The final target is thus the client running a particular web browser. During this last decade, several competing web browsers (IE, Netscape, Chrome, Firefox) have been upgraded to add new features for the final users benefit. However, the improvement of web browsers is not related with systematic security regression testing. Beginning with an analysis of their current exposure degree to XSS, we extend the empirical study to a decade of most popular web browser versions.The results reveal a chaotic behavior in the evolution of most web browsers attack surface over time. This particularly shows an urgent need for regression testing strategies to ensure that security is not sacrificed when a new version is delivered. <br />
<br />
In both cases, security must become a specific target for testing in order to get a satisfying level of confidence in security mechanisms<br />
<br />
====== Yves Le Traon, UdL====== <br />
Yves Le Traon is professor at University of Luxembourg in the domain of software engineering, reliability, validation and security. He is also a member of the Interdisciplinary Centre for Security, Reliability and Trust (SnT), where he leads the research group SERVAL (SEcuRity and VALidation of services and networks). His research interests include software testing, design for security, security testing, model-driven validation, model based testing, web application, mobile computing. <br />
<br />
Professor Le Traon received his engineering degree and his PhD in Computer Science at the “Institut National Polytechnique” in Grenoble, France, in 1997. From 1998 to 2004, he was an associate professor at the University of Rennes, in Brittany, France. He is the co-founder of the Triskell INRIA team, which focuses on innovating design, modeling and testing techniques, such as Model-driven Engineering. During this period, Professor Le Traon studied design for testability techniques, validation and diagnosis of object-oriented programs and component-based systems. From 2004 to 2006, he was an expert in Model-Driven Architecture and Validation in the EXA team (Requirements Engineering and Applications) at “France Télécom R&D”. In 2006, he became professor at Telecom Bretagne (Ecole Nationale des Télécommunications de Bretagne), where he pioneered the application of testing for security assessment of web-applications, P2P systems and the promotion of intrusion detection systems using contract-based techniques.<br />
<br />
<br />
==== CTF ====<br />
<br />
Do you like puzzles? Do you like challenges? Are you a hacker?<br />
<br />
Whether you are an old hacker or new enthusiast you should come to OWASP BeNeLux days 2011 and participate in the Capture the Flag event December 2nd 2011 at the University of Luxemburg. <br />
<br />
The OWASP CTF is especially designed to support challengers of all skill levels. The CTF contains multiple challenges in various fields related to application security. As every challenge gains you one point, you can pick and choose which challenge you want to play.<br />
<br />
All you need is a laptop with a wifi card and your favorite (preferably) non-commercial tools. <br />
<br />
So come to Luxemburg, show off your skills, learn new tricks and above all have a good time at the CTF event. <br />
<br />
==== Registration ====<br />
<center><br />
'''The training day and the conference are free!'''&nbsp;<br />
<br />
<br> <br />
<br />
[http://owaspbenelux2011.eventbrite.com/ http://www.owasp.org/images/7/77/Buttoncreate.png] <br />
<br />
<br> To support the OWASP organisation, consider to become a member, it's only US$50!<br> Check out the [[Membership]] page to find out more.<br> <br />
<br />
<br> <br />
</center> <br />
==== Venue ====<br />
<center><br />
University of Luxembourg<br>Campus Kirchberg<br>6, rue Richard Coudenhove-Kalergi<br>L-1359 Luxembourg<br>[http://wwwen.uni.lu/contact/campus_kirchberg http://wwwen.uni.lu/contact/campus_kirchberg] <br>Room: Paul Feidert<br />
</center><br />
<br />
<br>'''Parking''':<br />
<br />
There is a public parking close to the conference venue.<br />
[http://maps.google.de/maps?q=49.63038,6.157061&num=1&t=h&vpsrc=0&z=16 Click here to find the parking on Google Maps]<br />
<br />
<br>'''Hotels nearby''': <br />
<br />
The first hotel is at 5 minutes on walk distance from the campus Kirchberg: '''[http://www.coque.lu/article/259 Hotel d’Coque]'''<br />
* single room with breakfast 77.50 €<br />
* double room with breakfast 93.00 €. <br />
* Booking email address with Ref. OWASP_SNT 2011 to : [mailto:reception@coque.lu reception@coque.lu]<br />
* Reservation deadline: 20 October 2011<br />
Second hotel (direct center of Luxembourg) 5/10 minutes with taxi or bus: '''[http://www.parcbellevue.lu/fr/index.php Hotel Parc Bellevue]'''<br />
* single room with breakfast 95.00 € (normal price 160 €)<br />
* double room with breakfast 115.00 € (normal price 180€)<br />
* wifi and parking included<br />
* Booking email address: [mailto:reservation@goeres-group.com reservation@goeres-group.com]<br />
* Reservation deadline&nbsp;: 30 November <br />
* Reservation form: [https://www.owasp.org/images/4/44/Uni_Luxembourg_OWASP_2011.doc download form] <br />
Third hotel (near the Parc Bellevue): '''[http://www.parcplaza.lu/fr/index.php Hotel Plaza]'''<br />
* single room with breakfast 130.00 € (normal price 225 €)<br />
* double room with breakfast 150.00 € (normal price 245€)<br />
* wifi and parking included<br />
* Booking email address: [mailto:reservation@goeres-group.com reservation@goeres-group.com]. <br />
* Reservation deadline: 30 November<br />
* Reservation form: [https://www.owasp.org/images/4/44/Uni_Luxembourg_OWASP_2011.doc download form] <br />
Fourth hotel: '''[http://www.melia-luxembourg.com/fr/melia-luxembourg.html Hotel Mélia]'''<br />
* single room with breakfast 140.00 €<br />
* Booking email address: [mailto:reservations.melia.luxembourg@solmelia.com reservations.melia.luxembourg@solmelia.com]<br />
* Reservation deadline: 28 October 2011<br />
* Reservation form: [https://www.owasp.org/images/f/f8/Uni_OWASP_2011_Melia.pdf download form] <br />
<br />
<br><br />
<br />
==== Organisation ====<br />
<br />
The BeNeLux Day 2011 Program Committee: <br />
<br />
*Martin Knobloch / Ferdinand Vroom ([[Netherlands|OWASP Netherlands]]) <br />
*Bart De Win / Sebastien Deleersnyder ([[Belgium|OWASP Belgium]]) <br />
*Jocelyn Aubert / Andre Adelsbach ([[Luxembourg|OWASP Luxembourg]]) <br />
*Steven van der Baan ([[:Category:OWASP CTF Project|Capture The Flag]])<br />
<br />
Local organization:<br />
<br />
*Thomas Engel <br />
*Radu State <br />
*Magali Martin <br />
*Aurel Machalek<br />
<br />
==== Sponsorship ====<br />
<br />
Contact seba &lt;at&gt; owasp.org for sponsorship <br />
<br />
<paypal>BeNeLux OWASP Day 2011</paypal> <br />
<br />
==== Social Event ====<br />
<br />
The social event is scheduled for Thursday, 1st of December, 19:00 at <br />
<br><br />
<br><br />
<center><br />
[http://www.aguadecoco.lu/ Agua De C&ocirc;co]<br><br />
2, rue Emile Mousel<br><br />
L-2165 Luxembourg<br><br />
<br><br />
([http://maps.google.com/maps?q=Rue+Emile+Mousel,+Luxembourg,+Luxemburg&hl=de&ll=49.612031,6.14125&spn=0.003379,0.009677&sll=49.709163,6.115265&sspn=0.003372,0.009677&vpsrc=6&geocode=FQIF9QIdPrVdAA&hnear=Rue+Emile+Mousel,+Luxembourg,+Luxemburg&t=h&z=17 find the location on Google Maps])<br />
<br />
Remark: split bill system - everyone has to cover own food & drinks.<br />
<br />
</center><br />
<br />
==== Promotion ====<br />
''Feel free to use the text below to promote our event!''<br />
<br />
We invite you to our next OWASP event: the '''BeNeLux OWASP Days 2011!'''<br />
<br />
Free your agenda on the 1st and 2nd of December, 2011.<br />
<br />
The good news: free! No fee!<br />
<br />
The bad news: there are only 160 seats available (first register, first serve)!<br />
<br />
<br />
'''PROGRAM Day 1'''<br />
* 10:00 AM - 18:00 PM: OWASP Training Day<br />
* 19:00 PM - ?: Social event<br />
<br />
'''OWASP Training: Secure Application Development''', by Eoin Keary<br><br />
This intensive one-day training focuses on the most common web application security problems, including aspects of both the OWASP Top Ten (2010) and the MITRE Top 25. The training will introduce and demonstrate application assessment techniques, illustrating how application vulnerabilities can be exploited so students really understand how to avoid introducing such vulnerabilities in their code.<br />
<br />
'''PROGRAM Day 2'''<br />
* 10:00 AM - 18:00 PM: OWASP Conference<br />
<br />
List of '''confirmed speakers''' (more to be announced soon):<br />
*Brenno De Winter (Journalist) on the Diginotar story<br />
*Koen Vanderloock (Lead Security Competence Group at Cegeka) on the new OWASP Simba project<br />
*Justin Clarke (Director and Co-Founder of Gotham Digital Science Ltd) on practical crypto attacks against web applications<br />
*Lieven Desmet (Research Manager at University Leuven) on HTML5 security<br />
*Andrey Belenko (Chief Security Researcher at ElcomSoft Co. Ltd) on iOS data protection internals<br />
*Alexandre Dulaunoy (Incident Management - Security Research at CIRCL) on dynamic malware analysis<br />
*Ludovic Petit (Group Fraud & Information Security Adviser at SFR, Vodafone Group) on WebApp Security and legal and regulatory aspects<br />
*Seba Deleersnyder & Eoin Keary (OWASP Board) on OWASP Update<br />
<br />
'''ORGANIZATION<br>'''<br />
OWASP's all-volunteer participants produce free, professional quality, open-source documentation, tools, and standards on application security. An example of this is the famous OWASP top ten of most critical web application security flaws. The OWASP community facilitates conferences, local chapters, articles, and message forums. Participation in OWASP is free and open to all, as are all the materials we produce.<br />
<br />
'''WHO should attend?<br>'''<br />
Anyone interested in Web Application Security (management, security professionals, developers, students, etc). OWASP Belgium, Netherlands and Luxembourg chapters membership is free. All meetings are free. There are never vendor pitches or sales presentations at OWASP meetings.<br><br />
Check our chapter page http://www.owasp.org/index.php/Belgium on meeting details, sign up to the chapter mailing list and introduce yourself.<br><br />
Check our chapter page http://www.owasp.org/index.php/Netherlands on meeting details, sign up to the chapter mailing list and introduce yourself.<br><br />
Check our chapter page http://www.owasp.org/index.php/Luxembourg on meeting details, sign up to the chapter mailing list and introduce yourself.<br><br />
<br />
'''WHEN<br>'''<br />
Thursday and Friday, 1st and 2nd of December, 2011 (10 AM - 7 PM)<br />
<br />
'''WHERE<br>'''<br />
University of Luxembourg<br><br />
Campus Kirchberg<br><br />
6, rue Richard Coudenhove-Kalergi<br><br />
L-1359 Luxembourg<br><br />
http://wwwen.uni.lu/contact/campus_kirchberg<br><br />
Room: Paul Feidert<br />
<br />
Attention: make sure to '''book your hotel in time''', it will be difficult to find rooms in Luxembourg around Dec 1-2!<br><br />
Hotel details https://www.owasp.org/index.php?title=BeNeLux_OWASP_Day_2011#tab=Venue<br />
<br />
'''REGISTRATION<br>'''<br />
Only 160 places, please '''Register upfront: http://owaspbenelux2011.eventbrite.com''' !<br><br />
All latest details are available on http://www.owaspbenelux.eu<br><br />
Hope to see you all!<br><br />
<br />
The BeNeLux Program Committee,<br />
*Martin Knobloch / Ferdinand Vroom, OWASP Netherlands<br />
*Bart De Win / Sebastien Deleersnyder, OWASP Belgium<br />
*Jocelyn Aubert / Andre Adelsbach, OWASP Luxembourg<br />
*Steven van der Baan, OWASP CTF Project<br />
<br />
Kindly supported by the Interdisciplinary Centre for Security Reliability and Trust<br />
*Thomas Engel <br />
*Radu State <br />
*Magali Martin <br />
*Aurel Machalek<br />
<br />
<headertabs /><br />
<br />
<br />
<center><br />
'''Hosted and co-organized by:'''<br> <br />
[[Image:Bnl11-university-logo.jpg|link=http://wwwen.uni.lu]] <br />
[[Image:Bnl11-SECURITYANDTRUST-LOGO.jpg|link=http://www.securityandtrust.lu]] <br />
<br />
<br><br><br><br />
<br />
Made possible by our [http://www.owasp.org/index.php/BeNeLux_OWASP_Day_2011#tab=Sponsorship sponsors]:<br><br />
{{MemberLinks|link=http://www.ascure.com|logo=Ascure_Logo.jpg}} <br />
[http://www.zionsecurity.com http://www.owasp.org/images/e/e6/Zionsecurity.jpg]<br />
[http://www.zenitelbelgium.com http://www.owasp.org/images/d/df/SAIT_Zenitel.jpg]<br />
[http://www8.hp.com/us/en/solutions/solutions-detail.html?compURI=tcm:245-339290 https://www.owasp.org/images/b/b4/HP_Logo.jpg] <br />
[http://www.barracuda.com https://www.owasp.org/images/f/f6/Bnl11-Barracuda_Logo-4C.png] <br />
[http://circl.lu/ http://circl.lu/pics/logo.png]<br />
[http://www.f5.com https://www.owasp.org/images/f/fd/AppSec_Research_2010_sponsor_F5_logo.jpg]<br />
<br />
<br />
<br />
<br><br />
</center><br />
[[Category:OWASP_AppSec_Conference]] [[Category:OWASP_BeNeLux_Archives]]</div>Bart De Winhttps://wiki.owasp.org/index.php?title=BeNeLux_OWASP_Day_2011&diff=120709BeNeLux OWASP Day 20112011-11-25T06:07:01Z<p>Bart De Win: </p>
<hr />
<div>__NOTOC__ <br />
<center>[[Image:OWASP BeNeLux 2011.jpg]]<br></center><br />
<br><!-- Header --><br />
<br />
==== Welcome ====<br />
<br />
<br><br />
<center><br />
=== Venue is the University of Luxembourg (Grand Duchy of Luxembourg) ===<br />
Training and conference location, together with hotel information, can be found [https://www.owasp.org/index.php/BeNeLux_OWASP_Day_2011#tab=Venue here].<br />
=== Training and first list of conference speakers are announced! ===<br />
See [https://www.owasp.org/index.php/BeNeLux_OWASP_Day_2011#tab=Training.2C_December_1st here] and [https://www.owasp.org/index.php/BeNeLux_OWASP_Day_2011#tab=Conference.2C_December_2nd here]<br />
=== Tweet! ===<br />
<br />
Event tag is [http://twitter.com/#search?q=%23owaspbnl11 #owaspbnl11]<br />
<br />
=== Registrations are open: ===<br />
<br />
[http://owaspbenelux2011.eventbrite.com/ http://www.owasp.org/images/7/77/Buttoncreate.png] <br />
<br />
</center><br />
<br><br />
<br />
==== Training, December 1st ====<br />
'''OWASP Training: Secure Application Development, by Eoin Keary'''<br />
<br />
'''Abstract:''' Writing Secure code is the most effective method to securing your web applications. Writing secure code takes skill and know-how but results in a more stable and robust application and assists in protecting an organisations brand.<br />
Application security is not commonly a part of many computer science curricula today and most organizations have not focused on instituting a culture that includes application security as a core part of their software development training efforts. This intensive one-day course focuses on the most common web application security problems, including aspects of both the OWASP Top Ten (2010) and the MITRE Top 25. The course will introduce and demonstrate application assessment techniques, illustrating how application vulnerabilities can be exploited so students really understand how to avoid introducing such vulnerabilities in their code.<br />
<br />
'''This course includes coverage of the following areas:'''<br />
<br />
* Unvalidated Input<br />
* Injection Flaws, OS commanding, SQL Injection<br />
* Cross-Site Scriping & Client-side security<br />
* CSRF/XSRF<br />
* Authentication & Session Management<br />
* Access control & Authorisation<br />
* Broken Caching<br />
* Error Handling & Resource Management<br />
* The Secure SDLC<br />
* Fuzzing, Proxy use and testing approach<br />
<br />
'''Hands on Exercises'''<br />
<br />
To cement the principles discussed, students can participate in a number of hands-on security testing exercises where they attack a live web application (i.e., OWASP Bank etc) that has been seeded with common web application vulnerabilities.<br />
<br />
The students will use proxy tools commonly used by the hacker community to complete the exercises. Students need to bring their own windows based laptop to participate in the exercises. Wireless capability is recommended.<br />
<br />
'''Audience'''<br />
<br />
Developers who want to understand the most common web application security flaws, and how to avoid them and code in a secure manner.<br />
<br />
Level: Beginner/Intermediate<br />
<br />
Prerequisite: Basic knowledge of a web programming language like Java or .NET recommended but not required.<br />
<br />
Bringing your own windows based laptop is recommended so you can participate in the hands on exercises<br />
<br />
'''Trainer Bio:''' <br />
<br />
[[Eoin Keary]] is a Global OWASP board member since 2009. He is a long time member of OWASP and have contributed year on year to OWASP projects and the OWASP mission of fighting the causes of software insecurity. He is based in Dublin, Ireland and director of [http://www.bccriskadvisory.com Bccriskadvisory].<br />
<br />
==== Conference, December 2nd ====<br />
<br />
We are pleased to announce a first list of confirmed speakers:<br />
<br />
* Brenno De Winter (Journalist) on the Diginotar story<br />
* Koen Vanderloock (Lead Security Competence Group at Cegeka) on [https://www.owasp.org/index.php/BeNeLux_OWASP_Day_2011#OWASP_SIMBA_-_guarding_your_applications_.28by_Koen_Vanderloock.2C_Leader_Security_Competence_Group_at_Cegeka.29 the new OWASP Simba project]<br />
* Justin Clarke (Director and Co-Founder of Gotham Digital Science Ltd) on [https://www.owasp.org/index.php/BeNeLux_OWASP_Day_2011#Practical_Crypto_Attacks_Against_Web_Applications_.28by_Justin_Clarke.2C_Director_and_Co-Founder_of_Gotham_Digital_Science_Ltd.29 practical crypto attacks against web applications]<br />
* Lieven Desmet (Research Manager at University Leuven) on [https://www.owasp.org/index.php/BeNeLux_OWASP_Day_2011#HTML5_security_.28by_Lieven_Desmet.2C_Research_Manager_at_Katholieke_Universiteit_Leuven.29 HTML5 security]<br />
* Andrey Belenko (Chief Security Researcher at ElcomSoft Co. Ltd) on [https://www.owasp.org/index.php/BeNeLux_OWASP_Day_2011#Overcoming_iOS_Data_Protection_to_Re-Enable_iPhone_Forensics_.28by_Andrey_Belenko.2C_Chief_Security_Researcher_at_ElcomSoft.29 iOS data protection internals]<br />
* Alexandre Dulaunoy (Incident Management - Security Research at CIRCL) on dynamic malware analysis<br />
* Ludovic Petit (Group Fraud & Information Security Adviser at SFR, Vodafone Group) on [https://www.owasp.org/index.php/BeNeLux_OWASP_Day_2011#Do_you..._Legal.3F_.28by_Ludovic_Petit.2C_Group_Fraud_.26_Information_Security_Adviser_at_SFR.2C_Vodafone_Group.29 WebApp Security and legal and regulatory aspects]<br />
*Jean-Marc Bost and Sébastien Bischof (ELCA) on The limits of e-banking<br />
* Yves Le Traon on security testing for web apps<br />
* Seba Deleersnyder & Eoin Keary (OWASP Board) on OWASP Update<br />
<br />
Stay tuned for the final agenda!<br />
<br />
'''''Agenda''''' '<br />
''(program has slightly changed !)''<br />
<br />
{| class="wikitable"<br />
! Time !! Speaker !! Topic<br />
|-<br />
| 09h30 - 10h00 || Sebastien Deleersnyder & Eion Keary || Intro & OWASP update<br />
|-<br />
| 10h00 - 10h40 || Brenno De Winter || The Diginotar story <br />
|-<br />
| 10h40 - 11h00 || ''Break'' ||<br />
|-<br />
| 11h00 - 11h40 || Justin Clarke || Practical Crypto Attacks Against Web Applications <br />
|-<br />
| 11h40 - 12h20 || Andre Belenko || Overcoming iOS Data Protection to Re-Enable iPhone Forensics <br />
|-<br />
| 12h20 - 13h00 || Koen Vanderloock || OWASP SIMBA - guarding your applications <br />
|-<br />
| 13h00 - 14h00 || ''Lunch'' || <br />
|-<br />
| 14h00 - 14h40 || Ludovic Petit || Do you... Legal?<br />
|-<br />
| 14h40 - 15h20 || Thierry Zoller || The rise of the Vulnerability Market<br />
|-<br />
| 15h20 - 16h00 || Jean-Marc Bost & Sébastien Bischof || The limits of e-banking <br />
|-<br />
| 16h00 - 16h20 || ''Break'' || <br />
|-<br />
| 16h20 - 17h00 || Alexandre Delaunoy || Dynamic malware analysis <br />
|-<br />
| 17h00 - 17h40 || Lieven Desmet || HTML5 security<br />
|-<br />
| 17h40 - 18h00 || OWASP Benelux 2011 organization || Closing notes<br />
<br />
|}<br />
<br />
<!-- deze laten staan. is handig om anchors te vinden tijdens edi (seba) __TOC__ --><br />
<br />
=====OWASP SIMBA - guarding your applications (by [https://www.owasp.org/index.php/BeNeLux_OWASP_Day_2011#Koen_Vanderloock.2C_Leader_Security_Competence_Group_at_Cegeka Koen Vanderloock], Leader Security Competence Group at Cegeka)=====<br />
[[OWASP SIMBA Project|SIMBA (Security Integration Module for Business Applications)]] is a OWASP project that provides you with a User Access Management system that can be integrated with any business application. The purpose of SIMBA is to secure an application fast and easy. Because SIMBA itself is generic it can be customized for every project. Many features are customizable e.g. designing your own authentication chain is easy and fast by using existing or newly created building blocks. SIMBA contains authentication, authorization, session management and a GUI to manage your security information.<br />
<br />
======Koen Vanderloock, Leader Security Competence Group at Cegeka======<br />
Koen Vanderloock is the leader of the security competence group at Cegeka. About 2 years ago Cegeka decided to create a sandbox for investigating security issues and solutions so they could be included in the current projects. <br />
Koen Vanderloock is a Java developer with 8 years of experience and started exploring the world of security 3 years ago when UAM problems started to occur.<br />
<br />
=====Practical Crypto Attacks Against Web Applications (by [https://www.owasp.org/index.php/BeNeLux_OWASP_Day_2011#Justin_Clarke.2C_Director_and_Co-Founder_of_Gotham_Digital_Science_Ltd Justin Clarke], Director and Co-Founder of Gotham Digital Science Ltd)=====<br />
The science of cryptography underpins many of the information security technologies we use on a daily basis, such as the ability to keep information confidential and to ensure we can identify who we are communicating with. However, it is a very complex subject area with many types of mistakes that can reduce the overall security of a solution. A number of these types of mistakes can be identified by a tester, if they know what they're looking for, but in general it isn't a well tested area.<br />
<br />
This talk is intended to provide a high level overview of some of the areas where cryptographic operations such as encryption and hashing can provide far less security than was planned, and concrete examples of how these were found and exploited. Examples will include discussion and demonstration of the recently patched cryptographic padding attack against the Microsoft .NET framework (affecting ASP.NET applications) caused by a design error in how ASP.NET handles some types of encrypted data, but we will also be looking at some other fun areas including bit flipping attacks, ECB mode attacks, and some miscellaneous hashing algorithm attacks against common web application implementations.<br />
<br />
======Justin Clarke, Director and Co-Founder of Gotham Digital Science Ltd======<br />
Justin is a Director and Co-Founder of Gotham Digital Science and an experienced software security consultant with extensive international Big 4 risk management, security consulting and testing experience. He is the lead author/technical editor of "SQL Injection Attacks and Defenses" (Syngress 2009), co-author of "Network Security Tools" (O'Reilly 2005), contributor to "Network Security Assessment, 2nd Edition" (O'Reilly 2007), as well as a speaker at various security conferences and events such as Black Hat, EuSecWest, ISACA, BruCON, OWASP, OSCON, RSA and SANS. He is currently the OWASP London chapter president, and a member of the OWASP Global Connections Committee.<br />
On 10 Oct 2011, at 09:33, Seba wrote:<br />
<br />
=====HTML5 security (by [https://www.owasp.org/index.php/BeNeLux_OWASP_Day_2011#Lieven_Desmet.2C_Research_Manager_at_Katholieke_Universiteit_Leuven Lieven Desmet], Research Manager at Katholieke Universiteit Leuven)=====<br />
In this talk, Lieven will highlight the results of the HTML5 security analysis, conducted by the DistriNet Research Group (K.U.Leuven). The security analysis of next generation web standards, commissioned by ENISA, looked into 13 emerging W3C web standards (i.e. the specification of HTML 5 and some of the associated APIs), and assessed the security of each of them as well as the overall security and consistency across specifications.<br />
<br />
In total 51 security threats and issues have been identified, and detailed in the ENISA report (http://www.enisa.europa.eu/html5). During the talk, Lieven will discuss the methodology developed to assess the huge amount of specifications, and zoom into a representative set of identified threats and their remediation.<br />
<br />
======Lieven Desmet, Research Manager at Katholieke Universiteit Leuven======<br />
Lieven Desmet is the Research Manager on Secure Software at the Katholieke Universiteit Leuven (Belgium), where he coaches junior researchers in web application security and participates in dissemination and valorization activities. His interests are in software verification and security of middleware and web-enabled technologies. Lieven is actively engaged in OWASP and is board member of the OWASP Chapter Belgium.<br />
<br />
=====Overcoming iOS Data Protection to Re-Enable iPhone Forensics (by [https://www.owasp.org/index.php/BeNeLux_OWASP_Day_2011#Andrey_Belenko.2C_Chief_Security_Researcher_at_ElcomSoft Andrey Belenko], Chief Security Researcher at ElcomSoft)=====<br />
Data protection is a feature available for iOS devices (iOS 4 and up) with hardware encryption: iPhone 4S, iPhone 4, iPhone 3GS, iPod touch (3rd generation or later), and all iPad models. Introduction of this feature had complicated iPhone forensics process because now (almost) all files on user partition are encrypted and physical dumps are of much less value to examiners: while the filesystem seems to be intact, actual file contents are encrypted and are not suitable for analysis.<br />
<br />
This talk will provide in-depth information about iOS Data protection internals and on the implication it had on iOS forensics. More specifically, it will cover the following:<br />
*System keys and their hierarchy<br />
*Device passcode and its recovery<br />
*Escrow keys<br />
*Filesystem encryption<br />
*Keychain encryption<br />
<br />
Presentation will start by providing attendees with required background on iOS encryption keys architecture: system keys, passcode key, escrow key. After attendees are familiar with those concepts, presentation will continue to filesystem and keychain encryption details and to the techniques that can be used to overcome the hurdles imposed by iOS Data Protection.<br />
<br />
======Andrey Belenko, Chief Security Researcher at ElcomSoft======<br />
Chief security researcher and software developer at Elcomsoft. Co-invented ThunderTables (which are improved RainbowTables) and was first to bring GPU acceleration to password recovery. M. Sc. IT and CISSP.<br />
<br />
LinkedIn: http://ru.linkedin.com/in/belenko<br />
<br />
Twitter: @andreybelenko<br />
<br />
=====Do you... Legal? (by [https://www.owasp.org/index.php/BeNeLux_OWASP_Day_2011#Ludovic_Petit.2C_Group_Fraud_.26_Information_Security_Adviser_at_SFR.2C_Vodafone_Group Ludovic Petit], Group Fraud & Information Security Adviser at SFR, Vodafone Group) =====<br />
<br />
The OWASP core mission is to make application security visible, so that people and organizations can make informed decisions about true application security risks. However, if you do not pay enough attention to many aspects of Legal compliance, you'll see why Web Application Security is somehow linked to Legal and Regulatory aspects as well as... Corporate Responsability, so yours. Who is accountable for what, what about each other's responsibility? Nowadays, the legal constraints oblige us to comply via technical means, whatever the local framework, and this is specially true for Web Application Security, many sensitive informations having to be handled through these web interfaces. A such, what do you think about your Security Policy compliance with your local Legal framework? Compliant? Sure? Really? Interesting isn't it? Let's have a talk about this.<br />
<br />
======Ludovic Petit, Group Fraud & Information Security Adviser at SFR, Vodafone Group======<br />
Ludovic is an internationally recognised information security expert with over 25 years experience. Last 15 years spent in various Corporate Management positions covering both Technical and Law Enforcement expertise dedicated to Mobile Telecommunications Fraud and Security in multi-national corporations.<br />
<br />
Ludovic is Chapter Leader & Founding Member OWASP France and an active contributor to OWASP in several roles and projects.<br />
<br />
LinkedIn Profile: http://www.linkedin.com/in/lpetit<br />
<br />
=====Dynamic Malware Analysis or How to Play in the House of Horrors (by Alexandre Dulaunoy, Incident Management - Security Research at CIRCL) =====<br />
Malware reversing is a time consuming task. Many approaches are available to dissect and analyse suspicious binaries. Dynamic malware analysis is one of the option to better understand them and also a nifty companion to static analysis. The current dynamic malware analysis techniques will be presented especially the ones relying on instrumented operating system systems (from the filesystem to the network stack). You'll see a wandering through common and less common malware partially analysed using dynamic analysis and how dynamic malware analysis can help you.<br />
<br />
===== The limits of e-banking (by Jean-Marc Bost and Sébastien Bischof, ECLA) =====<br />
The swiss german TV channel SF1 showed a footage on swiss e-banking security. The TV show follows a team of the ETH who earned a special authorization to test several e-anking platforms. After admitting that a personal computer can be infected by different means (actually 5% of the tested PCs are infected according to Microsoft), The team from Zürich showed the limits of the different platforms. Only the bank who signs each transaction is labelled as safe. We will come back during the presentation on the nature of the threat.<br>First of all, we will explain how famous malwares such as Zeus and SpyEye manage to steal from their victims without them being able to notice anything. Then we will see that e-banking is not the only target, as a matter of fact, the reality is far from this.<br>And then we will comment the most recent techniques that allow malwares to escape Antivirus and Antimalware programs even if they are up to date. We will vulgarize several concepts such as DKOM and bootkits in order to let everybody have a glimpse on the danger they represent.<br>Finally, we will think about if signing each transaction can efficiently fight off these threats. In fact, when attacks are coupled with Social Engineering, they have potentially no limit. Zeus is a living proof of this fact, because it even managed to attack the transaction validation system by SMS. As a conclusion, we will see that the e-banking platform that managed to resist the tests of the ETH team is vulnerable to such kind of attacks. <br />
<br />
====== Jean-Marc Bost, ELCA ======<br />
Jean-Marc Bost leads the security division at ELCA. <br>He is in charge of the various security solutions proposed by ELCA, some being released by ELCA, others being provided by partner vendors. <br>With a significant experience in the development of internet applications, he focused 10 years ago on their need for security. <br>Since then, he has been very active in&nbsp;:<br>- demonstrating the threats, in particular for ebanking<br>- conceiving practical and patented solutions for strong authentication, online transactions, electronic signature and secured documents<br>- presenting the findings of the security division in security events and through expert talks<br> <br />
<br />
====== Sébastien Bischof, ELCA ======<br />
Sébastien Bischof works in the security division at ELCA Where he is specialized in OS-level and communication security.<br>As a major result, he developped a fully-working proof-of-concept of an attack against a sophisticated USB token for safe-browsing.<br>He obtained his Master of Science in Engineering at HEIG-VD/HES-SO with a strong emphasis on IT Security.<br>During his education, he focused on obfuscation and rootkit techniques.<br>Computer security enthusiast, he is very interested in hackings events such as Insomni'hack and keeps himself informed on the latest threats throuhg active participation in security forums.<br />
<br />
===== Security testing: a key challenge for software engineering of web apps (by Yves Le Traon, UdL)===== <br />
While important efforts are dedicated to system functional testing, very few works study how to specifically and systematically test security mechanisms. In this talk, we will present two categories of approaches. <br />
The first ones aim at assessing security mechanisms compliance with declared policies. Any security policy is strongly connected to system functionality: testing function includes exercising many security mechanisms. However, testing functionality does not intend at exercizing all security mechanisms. We thus propose test selection criteria to produce tests from a security policy. Empirical results will be presented about access control policies and about Android apps permission checks. <br />
<br />
The second ones concern the attack surface of web apps, with a particular focus on web browser sensitivity to XSS attacks. Indeed, one of the major threats against web applications is Cross-Site Scripting (XSS) that crosses several web components: web server, security components and finally the client’s web browser. The final target is thus the client running a particular web browser. During this last decade, several competing web browsers (IE, Netscape, Chrome, Firefox) have been upgraded to add new features for the final users benefit. However, the improvement of web browsers is not related with systematic security regression testing. Beginning with an analysis of their current exposure degree to XSS, we extend the empirical study to a decade of most popular web browser versions.The results reveal a chaotic behavior in the evolution of most web browsers attack surface over time. This particularly shows an urgent need for regression testing strategies to ensure that security is not sacrificed when a new version is delivered. <br />
<br />
In both cases, security must become a specific target for testing in order to get a satisfying level of confidence in security mechanisms<br />
<br />
====== Yves Le Traon, UdL====== <br />
Yves Le Traon is professor at University of Luxembourg in the domain of software engineering, reliability, validation and security. He is also a member of the Interdisciplinary Centre for Security, Reliability and Trust (SnT), where he leads the research group SERVAL (SEcuRity and VALidation of services and networks). His research interests include software testing, design for security, security testing, model-driven validation, model based testing, web application, mobile computing. <br />
<br />
Professor Le Traon received his engineering degree and his PhD in Computer Science at the “Institut National Polytechnique” in Grenoble, France, in 1997. From 1998 to 2004, he was an associate professor at the University of Rennes, in Brittany, France. He is the co-founder of the Triskell INRIA team, which focuses on innovating design, modeling and testing techniques, such as Model-driven Engineering. During this period, Professor Le Traon studied design for testability techniques, validation and diagnosis of object-oriented programs and component-based systems. From 2004 to 2006, he was an expert in Model-Driven Architecture and Validation in the EXA team (Requirements Engineering and Applications) at “France Télécom R&D”. In 2006, he became professor at Telecom Bretagne (Ecole Nationale des Télécommunications de Bretagne), where he pioneered the application of testing for security assessment of web-applications, P2P systems and the promotion of intrusion detection systems using contract-based techniques.<br />
<br />
<br />
==== CTF ====<br />
<br />
Do you like puzzles? Do you like challenges? Are you a hacker?<br />
<br />
Whether you are an old hacker or new enthusiast you should come to OWASP BeNeLux days 2011 and participate in the Capture the Flag event December 2nd 2011 at the University of Luxemburg. <br />
<br />
The OWASP CTF is especially designed to support challengers of all skill levels. The CTF contains multiple challenges in various fields related to application security. As every challenge gains you one point, you can pick and choose which challenge you want to play.<br />
<br />
All you need is a laptop with a wifi card and your favorite (preferably) non-commercial tools. <br />
<br />
So come to Luxemburg, show off your skills, learn new tricks and above all have a good time at the CTF event. <br />
<br />
==== Registration ====<br />
<center><br />
'''The training day and the conference are free!'''&nbsp;<br />
<br />
<br> <br />
<br />
[http://owaspbenelux2011.eventbrite.com/ http://www.owasp.org/images/7/77/Buttoncreate.png] <br />
<br />
<br> To support the OWASP organisation, consider to become a member, it's only US$50!<br> Check out the [[Membership]] page to find out more.<br> <br />
<br />
<br> <br />
</center> <br />
==== Venue ====<br />
<center><br />
University of Luxembourg<br>Campus Kirchberg<br>6, rue Richard Coudenhove-Kalergi<br>L-1359 Luxembourg<br>[http://wwwen.uni.lu/contact/campus_kirchberg http://wwwen.uni.lu/contact/campus_kirchberg] <br>Room: Paul Feidert<br />
</center><br />
<br />
<br>'''Parking''':<br />
<br />
There is a public parking close to the conference venue.<br />
[http://maps.google.de/maps?q=49.63038,6.157061&num=1&t=h&vpsrc=0&z=16 Click here to find the parking on Google Maps]<br />
<br />
<br>'''Hotels nearby''': <br />
<br />
The first hotel is at 5 minutes on walk distance from the campus Kirchberg: '''[http://www.coque.lu/article/259 Hotel d’Coque]'''<br />
* single room with breakfast 77.50 €<br />
* double room with breakfast 93.00 €. <br />
* Booking email address with Ref. OWASP_SNT 2011 to : [mailto:reception@coque.lu reception@coque.lu]<br />
* Reservation deadline: 20 October 2011<br />
Second hotel (direct center of Luxembourg) 5/10 minutes with taxi or bus: '''[http://www.parcbellevue.lu/fr/index.php Hotel Parc Bellevue]'''<br />
* single room with breakfast 95.00 € (normal price 160 €)<br />
* double room with breakfast 115.00 € (normal price 180€)<br />
* wifi and parking included<br />
* Booking email address: [mailto:reservation@goeres-group.com reservation@goeres-group.com]<br />
* Reservation deadline&nbsp;: 30 November <br />
* Reservation form: [https://www.owasp.org/images/4/44/Uni_Luxembourg_OWASP_2011.doc download form] <br />
Third hotel (near the Parc Bellevue): '''[http://www.parcplaza.lu/fr/index.php Hotel Plaza]'''<br />
* single room with breakfast 130.00 € (normal price 225 €)<br />
* double room with breakfast 150.00 € (normal price 245€)<br />
* wifi and parking included<br />
* Booking email address: [mailto:reservation@goeres-group.com reservation@goeres-group.com]. <br />
* Reservation deadline: 30 November<br />
* Reservation form: [https://www.owasp.org/images/4/44/Uni_Luxembourg_OWASP_2011.doc download form] <br />
Fourth hotel: '''[http://www.melia-luxembourg.com/fr/melia-luxembourg.html Hotel Mélia]'''<br />
* single room with breakfast 140.00 €<br />
* Booking email address: [mailto:reservations.melia.luxembourg@solmelia.com reservations.melia.luxembourg@solmelia.com]<br />
* Reservation deadline: 28 October 2011<br />
* Reservation form: [https://www.owasp.org/images/f/f8/Uni_OWASP_2011_Melia.pdf download form] <br />
<br />
<br><br />
<br />
==== Organisation ====<br />
<br />
The BeNeLux Day 2011 Program Committee: <br />
<br />
*Martin Knobloch / Ferdinand Vroom ([[Netherlands|OWASP Netherlands]]) <br />
*Bart De Win / Sebastien Deleersnyder ([[Belgium|OWASP Belgium]]) <br />
*Jocelyn Aubert / Andre Adelsbach ([[Luxembourg|OWASP Luxembourg]]) <br />
*Steven van der Baan ([[:Category:OWASP CTF Project|Capture The Flag]])<br />
<br />
Local organization:<br />
<br />
*Thomas Engel <br />
*Radu State <br />
*Magali Martin <br />
*Aurel Machalek<br />
<br />
==== Sponsorship ====<br />
<br />
Contact seba &lt;at&gt; owasp.org for sponsorship <br />
<br />
<paypal>BeNeLux OWASP Day 2011</paypal> <br />
<br />
==== Social Event ====<br />
<br />
The social event is scheduled for Thursday, 1st of December @ TBD <br />
<br />
<br><br><br />
<br />
==== Promotion ====<br />
''Feel free to use the text below to promote our event!''<br />
<br />
We invite you to our next OWASP event: the '''BeNeLux OWASP Days 2011!'''<br />
<br />
Free your agenda on the 1st and 2nd of December, 2011.<br />
<br />
The good news: free! No fee!<br />
<br />
The bad news: there are only 160 seats available (first register, first serve)!<br />
<br />
<br />
'''PROGRAM Day 1'''<br />
* 10:00 AM - 18:00 PM: OWASP Training Day<br />
* 19:00 PM - ?: Social event<br />
<br />
'''OWASP Training: Secure Application Development''', by Eoin Keary<br><br />
This intensive one-day training focuses on the most common web application security problems, including aspects of both the OWASP Top Ten (2010) and the MITRE Top 25. The training will introduce and demonstrate application assessment techniques, illustrating how application vulnerabilities can be exploited so students really understand how to avoid introducing such vulnerabilities in their code.<br />
<br />
'''PROGRAM Day 2'''<br />
* 10:00 AM - 18:00 PM: OWASP Conference<br />
<br />
List of '''confirmed speakers''' (more to be announced soon):<br />
*Brenno De Winter (Journalist) on the Diginotar story<br />
*Koen Vanderloock (Lead Security Competence Group at Cegeka) on the new OWASP Simba project<br />
*Justin Clarke (Director and Co-Founder of Gotham Digital Science Ltd) on practical crypto attacks against web applications<br />
*Lieven Desmet (Research Manager at University Leuven) on HTML5 security<br />
*Andrey Belenko (Chief Security Researcher at ElcomSoft Co. Ltd) on iOS data protection internals<br />
*Alexandre Dulaunoy (Incident Management - Security Research at CIRCL) on dynamic malware analysis<br />
*Ludovic Petit (Group Fraud & Information Security Adviser at SFR, Vodafone Group) on WebApp Security and legal and regulatory aspects<br />
*Seba Deleersnyder & Eoin Keary (OWASP Board) on OWASP Update<br />
<br />
'''ORGANIZATION<br>'''<br />
OWASP's all-volunteer participants produce free, professional quality, open-source documentation, tools, and standards on application security. An example of this is the famous OWASP top ten of most critical web application security flaws. The OWASP community facilitates conferences, local chapters, articles, and message forums. Participation in OWASP is free and open to all, as are all the materials we produce.<br />
<br />
'''WHO should attend?<br>'''<br />
Anyone interested in Web Application Security (management, security professionals, developers, students, etc). OWASP Belgium, Netherlands and Luxembourg chapters membership is free. All meetings are free. There are never vendor pitches or sales presentations at OWASP meetings.<br><br />
Check our chapter page http://www.owasp.org/index.php/Belgium on meeting details, sign up to the chapter mailing list and introduce yourself.<br><br />
Check our chapter page http://www.owasp.org/index.php/Netherlands on meeting details, sign up to the chapter mailing list and introduce yourself.<br><br />
Check our chapter page http://www.owasp.org/index.php/Luxembourg on meeting details, sign up to the chapter mailing list and introduce yourself.<br><br />
<br />
'''WHEN<br>'''<br />
Thursday and Friday, 1st and 2nd of December, 2011 (10 AM - 7 PM)<br />
<br />
'''WHERE<br>'''<br />
University of Luxembourg<br><br />
Campus Kirchberg<br><br />
6, rue Richard Coudenhove-Kalergi<br><br />
L-1359 Luxembourg<br><br />
http://wwwen.uni.lu/contact/campus_kirchberg<br><br />
Room: Paul Feidert<br />
<br />
Attention: make sure to '''book your hotel in time''', it will be difficult to find rooms in Luxembourg around Dec 1-2!<br><br />
Hotel details https://www.owasp.org/index.php?title=BeNeLux_OWASP_Day_2011#tab=Venue<br />
<br />
'''REGISTRATION<br>'''<br />
Only 160 places, please '''Register upfront: http://owaspbenelux2011.eventbrite.com''' !<br><br />
All latest details are available on http://www.owaspbenelux.eu<br><br />
Hope to see you all!<br><br />
<br />
The BeNeLux Program Committee,<br />
*Martin Knobloch / Ferdinand Vroom, OWASP Netherlands<br />
*Bart De Win / Sebastien Deleersnyder, OWASP Belgium<br />
*Jocelyn Aubert / Andre Adelsbach, OWASP Luxembourg<br />
*Steven van der Baan, OWASP CTF Project<br />
<br />
Kindly supported by the Interdisciplinary Centre for Security Reliability and Trust<br />
*Thomas Engel <br />
*Radu State <br />
*Magali Martin <br />
*Aurel Machalek<br />
<br />
<headertabs /><br />
<center>Made possible by our [http://www.owasp.org/index.php/BeNeLux_OWASP_Day_2011#tab=Sponsorship sponsors]:<br><br />
{{MemberLinks|link=http://www.ascure.com|logo=Ascure_Logo.jpg}} <br />
[http://www.zionsecurity.com http://www.owasp.org/images/e/e6/Zionsecurity.jpg]<br />
[http://www.zenitelbelgium.com http://www.owasp.org/images/d/df/SAIT_Zenitel.jpg]<br />
[http://www8.hp.com/us/en/solutions/solutions-detail.html?compURI=tcm:245-339290 https://www.owasp.org/images/b/b4/HP_Logo.jpg] <br />
[http://www.barracuda.com https://www.owasp.org/images/f/f6/Bnl11-Barracuda_Logo-4C.png] <br />
[http://circl.lu/ http://circl.lu/pics/logo.png]<br />
<br />
<br />
<br />
<br><br><br>'''Supported by:'''<br> <br />
[[Image:Bnl11-university-logo.jpg|link=http://wwwen.uni.lu]] <br />
[[Image:Bnl11-SECURITYANDTRUST-LOGO.jpg|link=http://www.securityandtrust.lu]] <br />
<br />
<br><br />
</center><br />
[[Category:OWASP_AppSec_Conference]] [[Category:OWASP_BeNeLux_Archives]]</div>Bart De Winhttps://wiki.owasp.org/index.php?title=BeNeLux_OWASP_Day_2011&diff=120325BeNeLux OWASP Day 20112011-11-16T21:38:20Z<p>Bart De Win: </p>
<hr />
<div>__NOTOC__ <br />
<center>[[Image:OWASP BeNeLux 2011.jpg]]<br></center><br />
<br><!-- Header --><br />
<br />
==== Welcome ====<br />
<br />
<br><br />
<center><br />
=== Venue is the University of Luxembourg (Grand Duchy of Luxembourg) ===<br />
Training and conference location, together with hotel information, can be found [https://www.owasp.org/index.php/BeNeLux_OWASP_Day_2011#tab=Venue here].<br />
=== Training and first list of conference speakers are announced! ===<br />
See [https://www.owasp.org/index.php/BeNeLux_OWASP_Day_2011#tab=Training.2C_December_1st here] and [https://www.owasp.org/index.php/BeNeLux_OWASP_Day_2011#tab=Conference.2C_December_2nd here]<br />
=== Tweet! ===<br />
<br />
Event tag is [http://twitter.com/#search?q=%23owaspbnl11 #owaspbnl11]<br />
<br />
=== Registrations are open: ===<br />
<br />
[http://owaspbenelux2011.eventbrite.com/ http://www.owasp.org/images/7/77/Buttoncreate.png] <br />
<br />
</center><br />
<br><br />
<br />
==== Training, December 1st ====<br />
'''OWASP Training: Secure Application Development, by Eoin Keary'''<br />
<br />
'''Abstract:''' Writing Secure code is the most effective method to securing your web applications. Writing secure code takes skill and know-how but results in a more stable and robust application and assists in protecting an organisations brand.<br />
Application security is not commonly a part of many computer science curricula today and most organizations have not focused on instituting a culture that includes application security as a core part of their software development training efforts. This intensive one-day course focuses on the most common web application security problems, including aspects of both the OWASP Top Ten (2010) and the MITRE Top 25. The course will introduce and demonstrate application assessment techniques, illustrating how application vulnerabilities can be exploited so students really understand how to avoid introducing such vulnerabilities in their code.<br />
<br />
'''This course includes coverage of the following areas:'''<br />
<br />
* Unvalidated Input<br />
* Injection Flaws, OS commanding, SQL Injection<br />
* Cross-Site Scriping & Client-side security<br />
* CSRF/XSRF<br />
* Authentication & Session Management<br />
* Access control & Authorisation<br />
* Broken Caching<br />
* Error Handling & Resource Management<br />
* The Secure SDLC<br />
* Fuzzing, Proxy use and testing approach<br />
<br />
'''Hands on Exercises'''<br />
<br />
To cement the principles discussed, students can participate in a number of hands-on security testing exercises where they attack a live web application (i.e., OWASP Bank etc) that has been seeded with common web application vulnerabilities.<br />
<br />
The students will use proxy tools commonly used by the hacker community to complete the exercises. Students need to bring their own windows based laptop to participate in the exercises. Wireless capability is recommended.<br />
<br />
'''Audience'''<br />
<br />
Developers who want to understand the most common web application security flaws, and how to avoid them and code in a secure manner.<br />
<br />
Level: Beginner/Intermediate<br />
<br />
Prerequisite: Basic knowledge of a web programming language like Java or .NET recommended but not required.<br />
<br />
Bringing your own windows based laptop is recommended so you can participate in the hands on exercises<br />
<br />
'''Trainer Bio:''' <br />
<br />
[[Eoin Keary]] is a Global OWASP board member since 2009. He is a long time member of OWASP and have contributed year on year to OWASP projects and the OWASP mission of fighting the causes of software insecurity. He is based in Dublin, Ireland and director of [http://www.bccriskadvisory.com Bccriskadvisory].<br />
<br />
==== Conference, December 2nd ====<br />
<br />
We are pleased to announce a first list of confirmed speakers:<br />
<br />
* Brenno De Winter (Journalist) on the Diginotar story<br />
* Koen Vanderloock (Lead Security Competence Group at Cegeka) on [https://www.owasp.org/index.php/BeNeLux_OWASP_Day_2011#OWASP_SIMBA_-_guarding_your_applications_.28by_Koen_Vanderloock.2C_Leader_Security_Competence_Group_at_Cegeka.29 the new OWASP Simba project]<br />
* Justin Clarke (Director and Co-Founder of Gotham Digital Science Ltd) on [https://www.owasp.org/index.php/BeNeLux_OWASP_Day_2011#Practical_Crypto_Attacks_Against_Web_Applications_.28by_Justin_Clarke.2C_Director_and_Co-Founder_of_Gotham_Digital_Science_Ltd.29 practical crypto attacks against web applications]<br />
* Lieven Desmet (Research Manager at University Leuven) on [https://www.owasp.org/index.php/BeNeLux_OWASP_Day_2011#HTML5_security_.28by_Lieven_Desmet.2C_Research_Manager_at_Katholieke_Universiteit_Leuven.29 HTML5 security]<br />
* Andrey Belenko (Chief Security Researcher at ElcomSoft Co. Ltd) on [https://www.owasp.org/index.php/BeNeLux_OWASP_Day_2011#Overcoming_iOS_Data_Protection_to_Re-Enable_iPhone_Forensics_.28by_Andrey_Belenko.2C_Chief_Security_Researcher_at_ElcomSoft.29 iOS data protection internals]<br />
* Alexandre Dulaunoy (Incident Management - Security Research at CIRCL) on dynamic malware analysis<br />
* Ludovic Petit (Group Fraud & Information Security Adviser at SFR, Vodafone Group) on [https://www.owasp.org/index.php/BeNeLux_OWASP_Day_2011#Do_you..._Legal.3F_.28by_Ludovic_Petit.2C_Group_Fraud_.26_Information_Security_Adviser_at_SFR.2C_Vodafone_Group.29 WebApp Security and legal and regulatory aspects]<br />
*Jean-Marc Bost and Sébastien Bischof (ELCA) on The limits of e-banking<br />
* Seba Deleersnyder & Eoin Keary (OWASP Board) on OWASP Update<br />
<br />
Stay tuned for the final agenda!<br />
<br />
'''''Agenda'''''<br />
<br />
{| class="wikitable"<br />
! Time !! Speaker !! Topic<br />
|-<br />
| 09h30 - 10h00 || Sebastien Deleersnyder & Eion Keary || Intro & OWASP update<br />
|-<br />
| 10h00 - 10h40 || Brenno De Winter || The Diginotar story <br />
|-<br />
| 10h40 - 11h00 || ''Break'' ||<br />
|-<br />
| 11h00 - 11h40 || Lieven Desmet || HTML5 security<br />
|-<br />
| 11h40 - 12h20 || Andre Belenko || Overcoming iOS Data Protection to Re-Enable iPhone Forensics <br />
|-<br />
| 12h20 - 13h00 || Justin Clarke || Practical Crypto Attacks Against Web Applications <br />
|-<br />
| 13h00 - 14h00 || ''Lunch'' || <br />
|-<br />
| 14h00 - 14h40 || Ludovic Petit || Do you... Legal?<br />
|-<br />
| 14h40 - 15h20 || Thierry Zoller || The rise of the Vulnerability Market<br />
|-<br />
| 15h20 - 16h00 || Jean-Marc Bost & Sébastien Bischof || eBanking vs. Malwares <br />
|-<br />
| 16h00 - 16h20 || ''Break'' || <br />
|-<br />
| 16h20 - 17h00 || Alexandre Delaunoy || Dynamic malware analysis <br />
|-<br />
| 17h00 - 17h40 || Koen Vanderloock || OWASP SIMBA - guarding your applications <br />
|-<br />
| 17h40 - 18h00 || OWASP Benelux 2011 organization || Closing notes<br />
<br />
|}<br />
<br />
<!-- deze laten staan. is handig om anchors te vinden tijdens edi (seba) __TOC__ --><br />
<br />
=====OWASP SIMBA - guarding your applications (by [https://www.owasp.org/index.php/BeNeLux_OWASP_Day_2011#Koen_Vanderloock.2C_Leader_Security_Competence_Group_at_Cegeka Koen Vanderloock], Leader Security Competence Group at Cegeka)=====<br />
[[OWASP SIMBA Project|SIMBA (Security Integration Module for Business Applications)]] is a OWASP project that provides you with a User Access Management system that can be integrated with any business application. The purpose of SIMBA is to secure an application fast and easy. Because SIMBA itself is generic it can be customized for every project. Many features are customizable e.g. designing your own authentication chain is easy and fast by using existing or newly created building blocks. SIMBA contains authentication, authorization, session management and a GUI to manage your security information.<br />
<br />
======Koen Vanderloock, Leader Security Competence Group at Cegeka======<br />
Koen Vanderloock is the leader of the security competence group at Cegeka. About 2 years ago Cegeka decided to create a sandbox for investigating security issues and solutions so they could be included in the current projects. <br />
Koen Vanderloock is a Java developer with 8 years of experience and started exploring the world of security 3 years ago when UAM problems started to occur.<br />
<br />
=====Practical Crypto Attacks Against Web Applications (by [https://www.owasp.org/index.php/BeNeLux_OWASP_Day_2011#Justin_Clarke.2C_Director_and_Co-Founder_of_Gotham_Digital_Science_Ltd Justin Clarke], Director and Co-Founder of Gotham Digital Science Ltd)=====<br />
The science of cryptography underpins many of the information security technologies we use on a daily basis, such as the ability to keep information confidential and to ensure we can identify who we are communicating with. However, it is a very complex subject area with many types of mistakes that can reduce the overall security of a solution. A number of these types of mistakes can be identified by a tester, if they know what they're looking for, but in general it isn't a well tested area.<br />
<br />
This talk is intended to provide a high level overview of some of the areas where cryptographic operations such as encryption and hashing can provide far less security than was planned, and concrete examples of how these were found and exploited. Examples will include discussion and demonstration of the recently patched cryptographic padding attack against the Microsoft .NET framework (affecting ASP.NET applications) caused by a design error in how ASP.NET handles some types of encrypted data, but we will also be looking at some other fun areas including bit flipping attacks, ECB mode attacks, and some miscellaneous hashing algorithm attacks against common web application implementations.<br />
<br />
======Justin Clarke, Director and Co-Founder of Gotham Digital Science Ltd======<br />
Justin is a Director and Co-Founder of Gotham Digital Science and an experienced software security consultant with extensive international Big 4 risk management, security consulting and testing experience. He is the lead author/technical editor of "SQL Injection Attacks and Defenses" (Syngress 2009), co-author of "Network Security Tools" (O'Reilly 2005), contributor to "Network Security Assessment, 2nd Edition" (O'Reilly 2007), as well as a speaker at various security conferences and events such as Black Hat, EuSecWest, ISACA, BruCON, OWASP, OSCON, RSA and SANS. He is currently the OWASP London chapter president, and a member of the OWASP Global Connections Committee.<br />
On 10 Oct 2011, at 09:33, Seba wrote:<br />
<br />
=====HTML5 security (by [https://www.owasp.org/index.php/BeNeLux_OWASP_Day_2011#Lieven_Desmet.2C_Research_Manager_at_Katholieke_Universiteit_Leuven Lieven Desmet], Research Manager at Katholieke Universiteit Leuven)=====<br />
In this talk, Lieven will highlight the results of the HTML5 security analysis, conducted by the DistriNet Research Group (K.U.Leuven). The security analysis of next generation web standards, commissioned by ENISA, looked into 13 emerging W3C web standards (i.e. the specification of HTML 5 and some of the associated APIs), and assessed the security of each of them as well as the overall security and consistency across specifications.<br />
<br />
In total 51 security threats and issues have been identified, and detailed in the ENISA report (http://www.enisa.europa.eu/html5). During the talk, Lieven will discuss the methodology developed to assess the huge amount of specifications, and zoom into a representative set of identified threats and their remediation.<br />
<br />
======Lieven Desmet, Research Manager at Katholieke Universiteit Leuven======<br />
Lieven Desmet is the Research Manager on Secure Software at the Katholieke Universiteit Leuven (Belgium), where he coaches junior researchers in web application security and participates in dissemination and valorization activities. His interests are in software verification and security of middleware and web-enabled technologies. Lieven is actively engaged in OWASP and is board member of the OWASP Chapter Belgium.<br />
<br />
=====Overcoming iOS Data Protection to Re-Enable iPhone Forensics (by [https://www.owasp.org/index.php/BeNeLux_OWASP_Day_2011#Andrey_Belenko.2C_Chief_Security_Researcher_at_ElcomSoft Andrey Belenko], Chief Security Researcher at ElcomSoft)=====<br />
Data protection is a feature available for iOS devices (iOS 4 and up) with hardware encryption: iPhone 4S, iPhone 4, iPhone 3GS, iPod touch (3rd generation or later), and all iPad models. Introduction of this feature had complicated iPhone forensics process because now (almost) all files on user partition are encrypted and physical dumps are of much less value to examiners: while the filesystem seems to be intact, actual file contents are encrypted and are not suitable for analysis.<br />
<br />
This talk will provide in-depth information about iOS Data protection internals and on the implication it had on iOS forensics. More specifically, it will cover the following:<br />
*System keys and their hierarchy<br />
*Device passcode and its recovery<br />
*Escrow keys<br />
*Filesystem encryption<br />
*Keychain encryption<br />
<br />
Presentation will start by providing attendees with required background on iOS encryption keys architecture: system keys, passcode key, escrow key. After attendees are familiar with those concepts, presentation will continue to filesystem and keychain encryption details and to the techniques that can be used to overcome the hurdles imposed by iOS Data Protection.<br />
<br />
======Andrey Belenko, Chief Security Researcher at ElcomSoft======<br />
Chief security researcher and software developer at Elcomsoft. Co-invented ThunderTables (which are improved RainbowTables) and was first to bring GPU acceleration to password recovery. M. Sc. IT and CISSP.<br />
<br />
LinkedIn: http://ru.linkedin.com/in/belenko<br />
<br />
Twitter: @andreybelenko<br />
<br />
=====Do you... Legal? (by [https://www.owasp.org/index.php/BeNeLux_OWASP_Day_2011#Ludovic_Petit.2C_Group_Fraud_.26_Information_Security_Adviser_at_SFR.2C_Vodafone_Group Ludovic Petit], Group Fraud & Information Security Adviser at SFR, Vodafone Group) =====<br />
<br />
The OWASP core mission is to make application security visible, so that people and organizations can make informed decisions about true application security risks. However, if you do not pay enough attention to many aspects of Legal compliance, you'll see why Web Application Security is somehow linked to Legal and Regulatory aspects as well as... Corporate Responsability, so yours. Who is accountable for what, what about each other's responsibility? Nowadays, the legal constraints oblige us to comply via technical means, whatever the local framework, and this is specially true for Web Application Security, many sensitive informations having to be handled through these web interfaces. A such, what do you think about your Security Policy compliance with your local Legal framework? Compliant? Sure? Really? Interesting isn't it? Let's have a talk about this.<br />
<br />
======Ludovic Petit, Group Fraud & Information Security Adviser at SFR, Vodafone Group======<br />
Ludovic is an internationally recognised information security expert with over 25 years experience. Last 15 years spent in various Corporate Management positions covering both Technical and Law Enforcement expertise dedicated to Mobile Telecommunications Fraud and Security in multi-national corporations.<br />
<br />
Ludovic is Chapter Leader & Founding Member OWASP France and an active contributor to OWASP in several roles and projects.<br />
<br />
LinkedIn Profile: http://www.linkedin.com/in/lpetit<br />
<br />
=====Dynamic Malware Analysis or How to Play in the House of Horrors (by Alexandre Dulaunoy, Incident Management - Security Research at CIRCL) =====<br />
Malware reversing is a time consuming task. Many approaches are available to dissect and analyse suspicious binaries. Dynamic malware analysis is one of the option to better understand them and also a nifty companion to static analysis. The current dynamic malware analysis techniques will be presented especially the ones relying on instrumented operating system systems (from the filesystem to the network stack). You'll see a wandering through common and less common malware partially analysed using dynamic analysis and how dynamic malware analysis can help you.<br />
<br />
===== The limits of e-banking (by Jean-Marc Bost and Sébastien Bischof, ECLA) =====<br />
The swiss german TV channel SF1 showed a footage on swiss e-banking security. The TV show follows a team of the ETH who earned a special authorization to test several e-anking platforms. After admitting that a personal computer can be infected by different means (actually 5% of the tested PCs are infected according to Microsoft), The team from Zürich showed the limits of the different platforms. Only the bank who signs each transaction is labelled as safe. We will come back during the presentation on the nature of the threat.<br>First of all, we will explain how famous malwares such as Zeus and SpyEye manage to steal from their victims without them being able to notice anything. Then we will see that e-banking is not the only target, as a matter of fact, the reality is far from this.<br>And then we will comment the most recent techniques that allow malwares to escape Antivirus and Antimalware programs even if they are up to date. We will vulgarize several concepts such as DKOM and bootkits in order to let everybody have a glimpse on the danger they represent.<br>Finally, we will think about if signing each transaction can efficiently fight off these threats. In fact, when attacks are coupled with Social Engineering, they have potentially no limit. Zeus is a living proof of this fact, because it even managed to attack the transaction validation system by SMS. As a conclusion, we will see that the e-banking platform that managed to resist the tests of the ETH team is vulnerable to such kind of attacks. <br />
<br />
====== Jean-Marc Bost, ELCA ======<br />
Jean-Marc Bost leads the security division at ELCA. <br>He is in charge of the various security solutions proposed by ELCA, some being released by ELCA, others being provided by partner vendors. <br>With a significant experience in the development of internet applications, he focused 10 years ago on their need for security. <br>Since then, he has been very active in&nbsp;:<br>- demonstrating the threats, in particular for ebanking<br>- conceiving practical and patented solutions for strong authentication, online transactions, electronic signature and secured documents<br>- presenting the findings of the security division in security events and through expert talks<br> <br />
<br />
====== Sébastien Bischof, ELCA ======<br />
Sébastien Bischof works in the security division at ELCA Where he is specialized in OS-level and communication security.<br>As a major result, he developped a fully-working proof-of-concept of an attack against a sophisticated USB token for safe-browsing.<br>He obtained his Master of Science in Engineering at HEIG-VD/HES-SO with a strong emphasis on IT Security.<br>During his education, he focused on obfuscation and rootkit techniques.<br>Computer security enthusiast, he is very interested in hackings events such as Insomni'hack and keeps himself informed on the latest threats throuhg active participation in security forums.<br> <br />
<br />
==== CTF ====<br />
<br />
Do you like puzzles? Do you like challenges? Are you a hacker?<br />
<br />
Whether you are an old hacker or new enthusiast you should come to OWASP BeNeLux days 2011 and participate in the Capture the Flag event December 2nd 2011 at the University of Luxemburg. <br />
<br />
The OWASP CTF is especially designed to support challengers of all skill levels. The CTF contains multiple challenges in various fields related to application security. As every challenge gains you one point, you can pick and choose which challenge you want to play.<br />
<br />
All you need is a laptop with a wifi card and your favorite (preferably) non-commercial tools. <br />
<br />
So come to Luxemburg, show off your skills, learn new tricks and above all have a good time at the CTF event. <br />
<br />
==== Registration ====<br />
<center><br />
'''The training day and the conference are free!'''&nbsp;<br />
<br />
<br> <br />
<br />
[http://owaspbenelux2011.eventbrite.com/ http://www.owasp.org/images/7/77/Buttoncreate.png] <br />
<br />
<br> To support the OWASP organisation, consider to become a member, it's only US$50!<br> Check out the [[Membership]] page to find out more.<br> <br />
<br />
<br> <br />
</center> <br />
==== Venue ====<br />
<center><br />
University of Luxembourg<br>Campus Kirchberg<br>6, rue Richard Coudenhove-Kalergi<br>L-1359 Luxembourg<br>[http://wwwen.uni.lu/contact/campus_kirchberg http://wwwen.uni.lu/contact/campus_kirchberg] <br>Room: Paul Feidert<br />
</center><br />
<br>'''Hotels nearby''': <br />
<br />
The first hotel is at 5 minutes on walk distance from the campus Kirchberg: '''[http://www.coque.lu/article/259 Hotel d’Coque]'''<br />
* single room with breakfast 77.50 €<br />
* double room with breakfast 93.00 €. <br />
* Booking email address with Ref. OWASP_SNT 2011 to : [mailto:reception@coque.lu reception@coque.lu]<br />
* Reservation deadline: 20 October 2011<br />
Second hotel (direct center of Luxembourg) 5/10 minutes with taxi or bus: '''[http://www.parcbellevue.lu/fr/index.php Hotel Parc Bellevue]'''<br />
* single room with breakfast 95.00 € (normal price 160 €)<br />
* double room with breakfast 115.00 € (normal price 180€)<br />
* wifi and parking included<br />
* Booking email address: [mailto:reservation@goeres-group.com reservation@goeres-group.com]<br />
* Reservation deadline&nbsp;: 30 November <br />
* Reservation form: [https://www.owasp.org/images/4/44/Uni_Luxembourg_OWASP_2011.doc download form] <br />
Third hotel (near the Parc Bellevue): '''[http://www.parcplaza.lu/fr/index.php Hotel Plaza]'''<br />
* single room with breakfast 130.00 € (normal price 225 €)<br />
* double room with breakfast 150.00 € (normal price 245€)<br />
* wifi and parking included<br />
* Booking email address: [mailto:reservation@goeres-group.com reservation@goeres-group.com]. <br />
* Reservation deadline: 30 November<br />
* Reservation form: [https://www.owasp.org/images/4/44/Uni_Luxembourg_OWASP_2011.doc download form] <br />
Fourth hotel: '''[http://www.melia-luxembourg.com/fr/melia-luxembourg.html Hotel Mélia]'''<br />
* single room with breakfast 140.00 €<br />
* Booking email address: [mailto:reservations.melia.luxembourg@solmelia.com reservations.melia.luxembourg@solmelia.com]<br />
* Reservation deadline: 28 October 2011<br />
* Reservation form: [https://www.owasp.org/images/f/f8/Uni_OWASP_2011_Melia.pdf download form] <br />
<br />
<br><br />
<br />
==== Organisation ====<br />
<br />
The BeNeLux Day 2011 Program Committee: <br />
<br />
*Martin Knobloch / Ferdinand Vroom ([[Netherlands|OWASP Netherlands]]) <br />
*Bart De Win / Sebastien Deleersnyder ([[Belgium|OWASP Belgium]]) <br />
*Jocelyn Aubert / Andre Adelsbach ([[Luxembourg|OWASP Luxembourg]]) <br />
*Steven van der Baan ([[:Category:OWASP CTF Project|Capture The Flag]])<br />
<br />
Local organization:<br />
<br />
*Thomas Engel <br />
*Radu State <br />
*Magali Martin <br />
*Aurel Machalek<br />
<br />
==== Sponsorship ====<br />
<br />
Contact seba &lt;at&gt; owasp.org for sponsorship <br />
<br />
<paypal>BeNeLux OWASP Day 2011</paypal> <br />
<br />
==== Social Event ====<br />
<br />
The social event is scheduled for Thursday, 1st of December @ TBD <br />
<br />
<br><br><br />
<br />
==== Promotion ====<br />
''Feel free to use the text below to promote our event!''<br />
<br />
We invite you to our next OWASP event: the '''BeNeLux OWASP Days 2011!'''<br />
<br />
Free your agenda on the 1st and 2nd of December, 2011.<br />
<br />
The good news: free! No fee!<br />
<br />
The bad news: there are only 160 seats available (first register, first serve)!<br />
<br />
<br />
'''PROGRAM Day 1'''<br />
* 10:00 AM - 18:00 PM: OWASP Training Day<br />
* 19:00 PM - ?: Social event<br />
<br />
'''OWASP Training: Secure Application Development''', by Eoin Keary<br><br />
This intensive one-day training focuses on the most common web application security problems, including aspects of both the OWASP Top Ten (2010) and the MITRE Top 25. The training will introduce and demonstrate application assessment techniques, illustrating how application vulnerabilities can be exploited so students really understand how to avoid introducing such vulnerabilities in their code.<br />
<br />
'''PROGRAM Day 2'''<br />
* 10:00 AM - 18:00 PM: OWASP Conference<br />
<br />
List of '''confirmed speakers''' (more to be announced soon):<br />
*Brenno De Winter (Journalist) on the Diginotar story<br />
*Koen Vanderloock (Lead Security Competence Group at Cegeka) on the new OWASP Simba project<br />
*Justin Clarke (Director and Co-Founder of Gotham Digital Science Ltd) on practical crypto attacks against web applications<br />
*Lieven Desmet (Research Manager at University Leuven) on HTML5 security<br />
*Andrey Belenko (Chief Security Researcher at ElcomSoft Co. Ltd) on iOS data protection internals<br />
*Alexandre Dulaunoy (Incident Management - Security Research at CIRCL) on dynamic malware analysis<br />
*Ludovic Petit (Group Fraud & Information Security Adviser at SFR, Vodafone Group) on WebApp Security and legal and regulatory aspects<br />
*Seba Deleersnyder & Eoin Keary (OWASP Board) on OWASP Update<br />
<br />
'''ORGANIZATION<br>'''<br />
OWASP's all-volunteer participants produce free, professional quality, open-source documentation, tools, and standards on application security. An example of this is the famous OWASP top ten of most critical web application security flaws. The OWASP community facilitates conferences, local chapters, articles, and message forums. Participation in OWASP is free and open to all, as are all the materials we produce.<br />
<br />
'''WHO should attend?<br>'''<br />
Anyone interested in Web Application Security (management, security professionals, developers, students, etc). OWASP Belgium, Netherlands and Luxembourg chapters membership is free. All meetings are free. There are never vendor pitches or sales presentations at OWASP meetings.<br><br />
Check our chapter page http://www.owasp.org/index.php/Belgium on meeting details, sign up to the chapter mailing list and introduce yourself.<br><br />
Check our chapter page http://www.owasp.org/index.php/Netherlands on meeting details, sign up to the chapter mailing list and introduce yourself.<br><br />
Check our chapter page http://www.owasp.org/index.php/Luxembourg on meeting details, sign up to the chapter mailing list and introduce yourself.<br><br />
<br />
'''WHEN<br>'''<br />
Thursday and Friday, 1st and 2nd of December, 2011 (10 AM - 7 PM)<br />
<br />
'''WHERE<br>'''<br />
University of Luxembourg<br><br />
Campus Kirchberg<br><br />
6, rue Richard Coudenhove-Kalergi<br><br />
L-1359 Luxembourg<br><br />
http://wwwen.uni.lu/contact/campus_kirchberg<br><br />
Room: Paul Feidert<br />
<br />
Attention: make sure to '''book your hotel in time''', it will be difficult to find rooms in Luxembourg around Dec 1-2!<br><br />
Hotel details https://www.owasp.org/index.php?title=BeNeLux_OWASP_Day_2011#tab=Venue<br />
<br />
'''REGISTRATION<br>'''<br />
Only 160 places, please '''Register upfront: http://owaspbenelux2011.eventbrite.com''' !<br><br />
All latest details are available on http://www.owaspbenelux.eu<br><br />
Hope to see you all!<br><br />
<br />
The BeNeLux Program Committee,<br />
*Martin Knobloch / Ferdinand Vroom, OWASP Netherlands<br />
*Bart De Win / Sebastien Deleersnyder, OWASP Belgium<br />
*Jocelyn Aubert / Andre Adelsbach, OWASP Luxembourg<br />
*Steven van der Baan, OWASP CTF Project<br />
<br />
Kindly supported by the Interdisciplinary Centre for Security Reliability and Trust<br />
*Thomas Engel <br />
*Radu State <br />
*Magali Martin <br />
*Aurel Machalek<br />
<br />
<headertabs /><br />
<center>Made possible by our [http://www.owasp.org/index.php/BeNeLux_OWASP_Day_2011#tab=Sponsorship sponsors]:<br><br />
{{MemberLinks|link=http://www.ascure.com|logo=Ascure_Logo.jpg}} <br />
[http://www.zionsecurity.com http://www.owasp.org/images/e/e6/Zionsecurity.jpg]<br />
[http://www.zenitelbelgium.com http://www.owasp.org/images/d/df/SAIT_Zenitel.jpg]<br />
[http://www8.hp.com/us/en/solutions/solutions-detail.html?compURI=tcm:245-339290 https://www.owasp.org/images/b/b4/HP_Logo.jpg] <br />
[http://www.barracuda.com https://www.owasp.org/images/f/f6/Bnl11-Barracuda_Logo-4C.png] <br />
<br />
<br />
<br />
<br><br><br>'''Supported by:'''<br> <br />
[[Image:Bnl11-university-logo.jpg|link=http://wwwen.uni.lu]] <br />
[[Image:Bnl11-SECURITYANDTRUST-LOGO.jpg|link=http://www.securityandtrust.lu]] <br />
<br />
<br><br />
</center><br />
[[Category:OWASP_AppSec_Conference]] [[Category:OWASP_BeNeLux_Archives]]</div>Bart De Winhttps://wiki.owasp.org/index.php?title=BeNeLux_OWASP_Day_2011&diff=120323BeNeLux OWASP Day 20112011-11-16T21:28:52Z<p>Bart De Win: </p>
<hr />
<div>__NOTOC__ <br />
<center>[[Image:OWASP BeNeLux 2011.jpg]]<br></center><br />
<br><!-- Header --><br />
<br />
==== Welcome ====<br />
<br />
<br><br />
<center><br />
=== Venue is the University of Luxembourg (Grand Duchy of Luxembourg) ===<br />
Training and conference location, together with hotel information, can be found [https://www.owasp.org/index.php/BeNeLux_OWASP_Day_2011#tab=Venue here].<br />
=== Training and first list of conference speakers are announced! ===<br />
See [https://www.owasp.org/index.php/BeNeLux_OWASP_Day_2011#tab=Training.2C_December_1st here] and [https://www.owasp.org/index.php/BeNeLux_OWASP_Day_2011#tab=Conference.2C_December_2nd here]<br />
=== Tweet! ===<br />
<br />
Event tag is [http://twitter.com/#search?q=%23owaspbnl11 #owaspbnl11]<br />
<br />
=== Registrations are open: ===<br />
<br />
[http://owaspbenelux2011.eventbrite.com/ http://www.owasp.org/images/7/77/Buttoncreate.png] <br />
<br />
</center><br />
<br><br />
<br />
==== Training, December 1st ====<br />
'''OWASP Training: Secure Application Development, by Eoin Keary'''<br />
<br />
'''Abstract:''' Writing Secure code is the most effective method to securing your web applications. Writing secure code takes skill and know-how but results in a more stable and robust application and assists in protecting an organisations brand.<br />
Application security is not commonly a part of many computer science curricula today and most organizations have not focused on instituting a culture that includes application security as a core part of their software development training efforts. This intensive one-day course focuses on the most common web application security problems, including aspects of both the OWASP Top Ten (2010) and the MITRE Top 25. The course will introduce and demonstrate application assessment techniques, illustrating how application vulnerabilities can be exploited so students really understand how to avoid introducing such vulnerabilities in their code.<br />
<br />
'''This course includes coverage of the following areas:'''<br />
<br />
* Unvalidated Input<br />
* Injection Flaws, OS commanding, SQL Injection<br />
* Cross-Site Scriping & Client-side security<br />
* CSRF/XSRF<br />
* Authentication & Session Management<br />
* Access control & Authorisation<br />
* Broken Caching<br />
* Error Handling & Resource Management<br />
* The Secure SDLC<br />
* Fuzzing, Proxy use and testing approach<br />
<br />
'''Hands on Exercises'''<br />
<br />
To cement the principles discussed, students can participate in a number of hands-on security testing exercises where they attack a live web application (i.e., OWASP Bank etc) that has been seeded with common web application vulnerabilities.<br />
<br />
The students will use proxy tools commonly used by the hacker community to complete the exercises. Students need to bring their own windows based laptop to participate in the exercises. Wireless capability is recommended.<br />
<br />
'''Audience'''<br />
<br />
Developers who want to understand the most common web application security flaws, and how to avoid them and code in a secure manner.<br />
<br />
Level: Beginner/Intermediate<br />
<br />
Prerequisite: Basic knowledge of a web programming language like Java or .NET recommended but not required.<br />
<br />
Bringing your own windows based laptop is recommended so you can participate in the hands on exercises<br />
<br />
'''Trainer Bio:''' <br />
<br />
[[Eoin Keary]] is a Global OWASP board member since 2009. He is a long time member of OWASP and have contributed year on year to OWASP projects and the OWASP mission of fighting the causes of software insecurity. He is based in Dublin, Ireland and director of [http://www.bccriskadvisory.com Bccriskadvisory].<br />
<br />
==== Conference, December 2nd ====<br />
<br />
We are pleased to announce a first list of confirmed speakers:<br />
<br />
* Brenno De Winter (Journalist) on the Diginotar story<br />
* Koen Vanderloock (Lead Security Competence Group at Cegeka) on [https://www.owasp.org/index.php/BeNeLux_OWASP_Day_2011#OWASP_SIMBA_-_guarding_your_applications_.28by_Koen_Vanderloock.2C_Leader_Security_Competence_Group_at_Cegeka.29 the new OWASP Simba project]<br />
* Justin Clarke (Director and Co-Founder of Gotham Digital Science Ltd) on [https://www.owasp.org/index.php/BeNeLux_OWASP_Day_2011#Practical_Crypto_Attacks_Against_Web_Applications_.28by_Justin_Clarke.2C_Director_and_Co-Founder_of_Gotham_Digital_Science_Ltd.29 practical crypto attacks against web applications]<br />
* Lieven Desmet (Research Manager at University Leuven) on [https://www.owasp.org/index.php/BeNeLux_OWASP_Day_2011#HTML5_security_.28by_Lieven_Desmet.2C_Research_Manager_at_Katholieke_Universiteit_Leuven.29 HTML5 security]<br />
* Andrey Belenko (Chief Security Researcher at ElcomSoft Co. Ltd) on [https://www.owasp.org/index.php/BeNeLux_OWASP_Day_2011#Overcoming_iOS_Data_Protection_to_Re-Enable_iPhone_Forensics_.28by_Andrey_Belenko.2C_Chief_Security_Researcher_at_ElcomSoft.29 iOS data protection internals]<br />
* Alexandre Dulaunoy (Incident Management - Security Research at CIRCL) on dynamic malware analysis<br />
* Ludovic Petit (Group Fraud & Information Security Adviser at SFR, Vodafone Group) on [https://www.owasp.org/index.php/BeNeLux_OWASP_Day_2011#Do_you..._Legal.3F_.28by_Ludovic_Petit.2C_Group_Fraud_.26_Information_Security_Adviser_at_SFR.2C_Vodafone_Group.29 WebApp Security and legal and regulatory aspects]<br />
*Jean-Marc Bost and Sébastien Bischof (ELCA) on The limits of e-banking<br />
* Seba Deleersnyder & Eoin Keary (OWASP Board) on OWASP Update<br />
<br />
Stay tuned for the final agenda!<br />
<br />
'''''Agenda'''''<br />
<br />
{| class="wikitable"<br />
! Time !! Speaker !! Topic<br />
|-<br />
| 09h30 - 10h00 || Sebastien Deleersnyder & Eion Keary || Intro & OWASP update<br />
|-<br />
| 10h00 - 10h40 || Brenno De Winter || The Diginotar story <br />
|-<br />
| 10h40 - 11h00 || ''Break'' ||<br />
|-<br />
| 11h00 - 11h40 || Lieven Desmet || HTML5 security <br />
|-<br />
| 11h40 - 12h20 || Andre Belenko || Overcoming iOS Data Protection to Re-Enable iPhone Forensics <br />
|-<br />
| 12h20 - 13h00 || Justin Clarke || Practical Crypto Attacks Against Web Applications <br />
|-<br />
| 13h00 - 14h00 || ''Lunch'' || <br />
|-<br />
| 14h00 - 14h40 || Ludovic Petit || Do you... Legal?<br />
|-<br />
| 14h40 - 15h20 || Thierry Zoller || The rise of the Vulnerability Market<br />
|-<br />
| 15h20 - 16h00 || Jean-Marc Bost & Sébastien Bischof || eBanking vs. Malwares <br />
|-<br />
| 16h00 - 16h20 || ''Break'' || <br />
|-<br />
| 16h20 - 17h00 || Alexandre Delaunoy || Dynamic malware analysis <br />
|-<br />
| 17h00 - 17h40 || Koen Vanderloock || OWASP SIMBA - guarding your applications <br />
|-<br />
| 17h40 - 18h00 || OWASP Benelux 2011 organization || Closing notes<br />
<br />
|}<br />
<br />
<!-- deze laten staan. is handig om anchors te vinden tijdens edi (seba) __TOC__ --><br />
<br />
=====OWASP SIMBA - guarding your applications (by [https://www.owasp.org/index.php/BeNeLux_OWASP_Day_2011#Koen_Vanderloock.2C_Leader_Security_Competence_Group_at_Cegeka Koen Vanderloock], Leader Security Competence Group at Cegeka)=====<br />
[[OWASP SIMBA Project|SIMBA (Security Integration Module for Business Applications)]] is a OWASP project that provides you with a User Access Management system that can be integrated with any business application. The purpose of SIMBA is to secure an application fast and easy. Because SIMBA itself is generic it can be customized for every project. Many features are customizable e.g. designing your own authentication chain is easy and fast by using existing or newly created building blocks. SIMBA contains authentication, authorization, session management and a GUI to manage your security information.<br />
<br />
======Koen Vanderloock, Leader Security Competence Group at Cegeka======<br />
Koen Vanderloock is the leader of the security competence group at Cegeka. About 2 years ago Cegeka decided to create a sandbox for investigating security issues and solutions so they could be included in the current projects. <br />
Koen Vanderloock is a Java developer with 8 years of experience and started exploring the world of security 3 years ago when UAM problems started to occur.<br />
<br />
=====Practical Crypto Attacks Against Web Applications (by [https://www.owasp.org/index.php/BeNeLux_OWASP_Day_2011#Justin_Clarke.2C_Director_and_Co-Founder_of_Gotham_Digital_Science_Ltd Justin Clarke], Director and Co-Founder of Gotham Digital Science Ltd)=====<br />
The science of cryptography underpins many of the information security technologies we use on a daily basis, such as the ability to keep information confidential and to ensure we can identify who we are communicating with. However, it is a very complex subject area with many types of mistakes that can reduce the overall security of a solution. A number of these types of mistakes can be identified by a tester, if they know what they're looking for, but in general it isn't a well tested area.<br />
<br />
This talk is intended to provide a high level overview of some of the areas where cryptographic operations such as encryption and hashing can provide far less security than was planned, and concrete examples of how these were found and exploited. Examples will include discussion and demonstration of the recently patched cryptographic padding attack against the Microsoft .NET framework (affecting ASP.NET applications) caused by a design error in how ASP.NET handles some types of encrypted data, but we will also be looking at some other fun areas including bit flipping attacks, ECB mode attacks, and some miscellaneous hashing algorithm attacks against common web application implementations.<br />
<br />
======Justin Clarke, Director and Co-Founder of Gotham Digital Science Ltd======<br />
Justin is a Director and Co-Founder of Gotham Digital Science and an experienced software security consultant with extensive international Big 4 risk management, security consulting and testing experience. He is the lead author/technical editor of "SQL Injection Attacks and Defenses" (Syngress 2009), co-author of "Network Security Tools" (O'Reilly 2005), contributor to "Network Security Assessment, 2nd Edition" (O'Reilly 2007), as well as a speaker at various security conferences and events such as Black Hat, EuSecWest, ISACA, BruCON, OWASP, OSCON, RSA and SANS. He is currently the OWASP London chapter president, and a member of the OWASP Global Connections Committee.<br />
On 10 Oct 2011, at 09:33, Seba wrote:<br />
<br />
=====HTML5 security (by [https://www.owasp.org/index.php/BeNeLux_OWASP_Day_2011#Lieven_Desmet.2C_Research_Manager_at_Katholieke_Universiteit_Leuven Lieven Desmet], Research Manager at Katholieke Universiteit Leuven)=====<br />
In this talk, Lieven will highlight the results of the HTML5 security analysis, conducted by the DistriNet Research Group (K.U.Leuven). The security analysis of next generation web standards, commissioned by ENISA, looked into 13 emerging W3C web standards (i.e. the specification of HTML 5 and some of the associated APIs), and assessed the security of each of them as well as the overall security and consistency across specifications.<br />
<br />
In total 51 security threats and issues have been identified, and detailed in the ENISA report (http://www.enisa.europa.eu/html5). During the talk, Lieven will discuss the methodology developed to assess the huge amount of specifications, and zoom into a representative set of identified threats and their remediation.<br />
<br />
======Lieven Desmet, Research Manager at Katholieke Universiteit Leuven======<br />
Lieven Desmet is the Research Manager on Secure Software at the Katholieke Universiteit Leuven (Belgium), where he coaches junior researchers in web application security and participates in dissemination and valorization activities. His interests are in software verification and security of middleware and web-enabled technologies. Lieven is actively engaged in OWASP and is board member of the OWASP Chapter Belgium.<br />
<br />
=====Overcoming iOS Data Protection to Re-Enable iPhone Forensics (by [https://www.owasp.org/index.php/BeNeLux_OWASP_Day_2011#Andrey_Belenko.2C_Chief_Security_Researcher_at_ElcomSoft Andrey Belenko], Chief Security Researcher at ElcomSoft)=====<br />
Data protection is a feature available for iOS devices (iOS 4 and up) with hardware encryption: iPhone 4S, iPhone 4, iPhone 3GS, iPod touch (3rd generation or later), and all iPad models. Introduction of this feature had complicated iPhone forensics process because now (almost) all files on user partition are encrypted and physical dumps are of much less value to examiners: while the filesystem seems to be intact, actual file contents are encrypted and are not suitable for analysis.<br />
<br />
This talk will provide in-depth information about iOS Data protection internals and on the implication it had on iOS forensics. More specifically, it will cover the following:<br />
*System keys and their hierarchy<br />
*Device passcode and its recovery<br />
*Escrow keys<br />
*Filesystem encryption<br />
*Keychain encryption<br />
<br />
Presentation will start by providing attendees with required background on iOS encryption keys architecture: system keys, passcode key, escrow key. After attendees are familiar with those concepts, presentation will continue to filesystem and keychain encryption details and to the techniques that can be used to overcome the hurdles imposed by iOS Data Protection.<br />
<br />
======Andrey Belenko, Chief Security Researcher at ElcomSoft======<br />
Chief security researcher and software developer at Elcomsoft. Co-invented ThunderTables (which are improved RainbowTables) and was first to bring GPU acceleration to password recovery. M. Sc. IT and CISSP.<br />
<br />
LinkedIn: http://ru.linkedin.com/in/belenko<br />
<br />
Twitter: @andreybelenko<br />
<br />
=====Do you... Legal? (by [https://www.owasp.org/index.php/BeNeLux_OWASP_Day_2011#Ludovic_Petit.2C_Group_Fraud_.26_Information_Security_Adviser_at_SFR.2C_Vodafone_Group Ludovic Petit], Group Fraud & Information Security Adviser at SFR, Vodafone Group) =====<br />
<br />
The OWASP core mission is to make application security visible, so that people and organizations can make informed decisions about true application security risks. However, if you do not pay enough attention to many aspects of Legal compliance, you'll see why Web Application Security is somehow linked to Legal and Regulatory aspects as well as... Corporate Responsability, so yours. Who is accountable for what, what about each other's responsibility? Nowadays, the legal constraints oblige us to comply via technical means, whatever the local framework, and this is specially true for Web Application Security, many sensitive informations having to be handled through these web interfaces. A such, what do you think about your Security Policy compliance with your local Legal framework? Compliant? Sure? Really? Interesting isn't it? Let's have a talk about this.<br />
<br />
======Ludovic Petit, Group Fraud & Information Security Adviser at SFR, Vodafone Group======<br />
Ludovic is an internationally recognised information security expert with over 25 years experience. Last 15 years spent in various Corporate Management positions covering both Technical and Law Enforcement expertise dedicated to Mobile Telecommunications Fraud and Security in multi-national corporations.<br />
<br />
Ludovic is Chapter Leader & Founding Member OWASP France and an active contributor to OWASP in several roles and projects.<br />
<br />
LinkedIn Profile: http://www.linkedin.com/in/lpetit<br />
<br />
=====Dynamic Malware Analysis or How to Play in the House of Horrors (by Alexandre Dulaunoy, Incident Management - Security Research at CIRCL) =====<br />
Malware reversing is a time consuming task. Many approaches are available to dissect and analyse suspicious binaries. Dynamic malware analysis is one of the option to better understand them and also a nifty companion to static analysis. The current dynamic malware analysis techniques will be presented especially the ones relying on instrumented operating system systems (from the filesystem to the network stack). You'll see a wandering through common and less common malware partially analysed using dynamic analysis and how dynamic malware analysis can help you.<br />
<br />
===== The limits of e-banking (by Jean-Marc Bost and Sébastien Bischof, ECLA) =====<br />
The swiss german TV channel SF1 showed a footage on swiss e-banking security. The TV show follows a team of the ETH who earned a special authorization to test several e-anking platforms. After admitting that a personal computer can be infected by different means (actually 5% of the tested PCs are infected according to Microsoft), The team from Zürich showed the limits of the different platforms. Only the bank who signs each transaction is labelled as safe. We will come back during the presentation on the nature of the threat.<br>First of all, we will explain how famous malwares such as Zeus and SpyEye manage to steal from their victims without them being able to notice anything. Then we will see that e-banking is not the only target, as a matter of fact, the reality is far from this.<br>And then we will comment the most recent techniques that allow malwares to escape Antivirus and Antimalware programs even if they are up to date. We will vulgarize several concepts such as DKOM and bootkits in order to let everybody have a glimpse on the danger they represent.<br>Finally, we will think about if signing each transaction can efficiently fight off these threats. In fact, when attacks are coupled with Social Engineering, they have potentially no limit. Zeus is a living proof of this fact, because it even managed to attack the transaction validation system by SMS. As a conclusion, we will see that the e-banking platform that managed to resist the tests of the ETH team is vulnerable to such kind of attacks. <br />
<br />
====== Jean-Marc Bost, ELCA ======<br />
Jean-Marc Bost leads the security division at ELCA. <br>He is in charge of the various security solutions proposed by ELCA, some being released by ELCA, others being provided by partner vendors. <br>With a significant experience in the development of internet applications, he focused 10 years ago on their need for security. <br>Since then, he has been very active in&nbsp;:<br>- demonstrating the threats, in particular for ebanking<br>- conceiving practical and patented solutions for strong authentication, online transactions, electronic signature and secured documents<br>- presenting the findings of the security division in security events and through expert talks<br> <br />
<br />
====== Sébastien Bischof, ELCA ======<br />
Sébastien Bischof works in the security division at ELCA Where he is specialized in OS-level and communication security.<br>As a major result, he developped a fully-working proof-of-concept of an attack against a sophisticated USB token for safe-browsing.<br>He obtained his Master of Science in Engineering at HEIG-VD/HES-SO with a strong emphasis on IT Security.<br>During his education, he focused on obfuscation and rootkit techniques.<br>Computer security enthusiast, he is very interested in hackings events such as Insomni'hack and keeps himself informed on the latest threats throuhg active participation in security forums.<br> <br />
<br />
==== CTF ====<br />
<br />
Do you like puzzles? Do you like challenges? Are you a hacker?<br />
<br />
Whether you are an old hacker or new enthusiast you should come to OWASP BeNeLux days 2011 and participate in the Capture the Flag event December 2nd 2011 at the University of Luxemburg. <br />
<br />
The OWASP CTF is especially designed to support challengers of all skill levels. The CTF contains multiple challenges in various fields related to application security. As every challenge gains you one point, you can pick and choose which challenge you want to play.<br />
<br />
All you need is a laptop with a wifi card and your favorite (preferably) non-commercial tools. <br />
<br />
So come to Luxemburg, show off your skills, learn new tricks and above all have a good time at the CTF event. <br />
<br />
==== Registration ====<br />
<center><br />
'''The training day and the conference are free!'''&nbsp;<br />
<br />
<br> <br />
<br />
[http://owaspbenelux2011.eventbrite.com/ http://www.owasp.org/images/7/77/Buttoncreate.png] <br />
<br />
<br> To support the OWASP organisation, consider to become a member, it's only US$50!<br> Check out the [[Membership]] page to find out more.<br> <br />
<br />
<br> <br />
</center> <br />
==== Venue ====<br />
<center><br />
University of Luxembourg<br>Campus Kirchberg<br>6, rue Richard Coudenhove-Kalergi<br>L-1359 Luxembourg<br>[http://wwwen.uni.lu/contact/campus_kirchberg http://wwwen.uni.lu/contact/campus_kirchberg] <br>Room: Paul Feidert<br />
</center><br />
<br>'''Hotels nearby''': <br />
<br />
The first hotel is at 5 minutes on walk distance from the campus Kirchberg: '''[http://www.coque.lu/article/259 Hotel d’Coque]'''<br />
* single room with breakfast 77.50 €<br />
* double room with breakfast 93.00 €. <br />
* Booking email address with Ref. OWASP_SNT 2011 to : [mailto:reception@coque.lu reception@coque.lu]<br />
* Reservation deadline: 20 October 2011<br />
Second hotel (direct center of Luxembourg) 5/10 minutes with taxi or bus: '''[http://www.parcbellevue.lu/fr/index.php Hotel Parc Bellevue]'''<br />
* single room with breakfast 95.00 € (normal price 160 €)<br />
* double room with breakfast 115.00 € (normal price 180€)<br />
* wifi and parking included<br />
* Booking email address: [mailto:reservation@goeres-group.com reservation@goeres-group.com]<br />
* Reservation deadline&nbsp;: 30 November <br />
* Reservation form: [https://www.owasp.org/images/4/44/Uni_Luxembourg_OWASP_2011.doc download form] <br />
Third hotel (near the Parc Bellevue): '''[http://www.parcplaza.lu/fr/index.php Hotel Plaza]'''<br />
* single room with breakfast 130.00 € (normal price 225 €)<br />
* double room with breakfast 150.00 € (normal price 245€)<br />
* wifi and parking included<br />
* Booking email address: [mailto:reservation@goeres-group.com reservation@goeres-group.com]. <br />
* Reservation deadline: 30 November<br />
* Reservation form: [https://www.owasp.org/images/4/44/Uni_Luxembourg_OWASP_2011.doc download form] <br />
Fourth hotel: '''[http://www.melia-luxembourg.com/fr/melia-luxembourg.html Hotel Mélia]'''<br />
* single room with breakfast 140.00 €<br />
* Booking email address: [mailto:reservations.melia.luxembourg@solmelia.com reservations.melia.luxembourg@solmelia.com]<br />
* Reservation deadline: 28 October 2011<br />
* Reservation form: [https://www.owasp.org/images/f/f8/Uni_OWASP_2011_Melia.pdf download form] <br />
<br />
<br><br />
<br />
==== Organisation ====<br />
<br />
The BeNeLux Day 2011 Program Committee: <br />
<br />
*Martin Knobloch / Ferdinand Vroom ([[Netherlands|OWASP Netherlands]]) <br />
*Bart De Win / Sebastien Deleersnyder ([[Belgium|OWASP Belgium]]) <br />
*Jocelyn Aubert / Andre Adelsbach ([[Luxembourg|OWASP Luxembourg]]) <br />
*Steven van der Baan ([[:Category:OWASP CTF Project|Capture The Flag]])<br />
<br />
Local organization:<br />
<br />
*Thomas Engel <br />
*Radu State <br />
*Magali Martin <br />
*Aurel Machalek<br />
<br />
==== Sponsorship ====<br />
<br />
Contact seba &lt;at&gt; owasp.org for sponsorship <br />
<br />
<paypal>BeNeLux OWASP Day 2011</paypal> <br />
<br />
==== Social Event ====<br />
<br />
The social event is scheduled for Thursday, 1st of December @ TBD <br />
<br />
<br><br><br />
<br />
==== Promotion ====<br />
''Feel free to use the text below to promote our event!''<br />
<br />
We invite you to our next OWASP event: the '''BeNeLux OWASP Days 2011!'''<br />
<br />
Free your agenda on the 1st and 2nd of December, 2011.<br />
<br />
The good news: free! No fee!<br />
<br />
The bad news: there are only 160 seats available (first register, first serve)!<br />
<br />
<br />
'''PROGRAM Day 1'''<br />
* 10:00 AM - 18:00 PM: OWASP Training Day<br />
* 19:00 PM - ?: Social event<br />
<br />
'''OWASP Training: Secure Application Development''', by Eoin Keary<br><br />
This intensive one-day training focuses on the most common web application security problems, including aspects of both the OWASP Top Ten (2010) and the MITRE Top 25. The training will introduce and demonstrate application assessment techniques, illustrating how application vulnerabilities can be exploited so students really understand how to avoid introducing such vulnerabilities in their code.<br />
<br />
'''PROGRAM Day 2'''<br />
* 10:00 AM - 18:00 PM: OWASP Conference<br />
<br />
List of '''confirmed speakers''' (more to be announced soon):<br />
*Brenno De Winter (Journalist) on the Diginotar story<br />
*Koen Vanderloock (Lead Security Competence Group at Cegeka) on the new OWASP Simba project<br />
*Justin Clarke (Director and Co-Founder of Gotham Digital Science Ltd) on practical crypto attacks against web applications<br />
*Lieven Desmet (Research Manager at University Leuven) on HTML5 security<br />
*Andrey Belenko (Chief Security Researcher at ElcomSoft Co. Ltd) on iOS data protection internals<br />
*Alexandre Dulaunoy (Incident Management - Security Research at CIRCL) on dynamic malware analysis<br />
*Ludovic Petit (Group Fraud & Information Security Adviser at SFR, Vodafone Group) on WebApp Security and legal and regulatory aspects<br />
*Seba Deleersnyder & Eoin Keary (OWASP Board) on OWASP Update<br />
<br />
'''ORGANIZATION<br>'''<br />
OWASP's all-volunteer participants produce free, professional quality, open-source documentation, tools, and standards on application security. An example of this is the famous OWASP top ten of most critical web application security flaws. The OWASP community facilitates conferences, local chapters, articles, and message forums. Participation in OWASP is free and open to all, as are all the materials we produce.<br />
<br />
'''WHO should attend?<br>'''<br />
Anyone interested in Web Application Security (management, security professionals, developers, students, etc). OWASP Belgium, Netherlands and Luxembourg chapters membership is free. All meetings are free. There are never vendor pitches or sales presentations at OWASP meetings.<br><br />
Check our chapter page http://www.owasp.org/index.php/Belgium on meeting details, sign up to the chapter mailing list and introduce yourself.<br><br />
Check our chapter page http://www.owasp.org/index.php/Netherlands on meeting details, sign up to the chapter mailing list and introduce yourself.<br><br />
Check our chapter page http://www.owasp.org/index.php/Luxembourg on meeting details, sign up to the chapter mailing list and introduce yourself.<br><br />
<br />
'''WHEN<br>'''<br />
Thursday and Friday, 1st and 2nd of December, 2011 (10 AM - 7 PM)<br />
<br />
'''WHERE<br>'''<br />
University of Luxembourg<br><br />
Campus Kirchberg<br><br />
6, rue Richard Coudenhove-Kalergi<br><br />
L-1359 Luxembourg<br><br />
http://wwwen.uni.lu/contact/campus_kirchberg<br><br />
Room: Paul Feidert<br />
<br />
Attention: make sure to '''book your hotel in time''', it will be difficult to find rooms in Luxembourg around Dec 1-2!<br><br />
Hotel details https://www.owasp.org/index.php?title=BeNeLux_OWASP_Day_2011#tab=Venue<br />
<br />
'''REGISTRATION<br>'''<br />
Only 160 places, please '''Register upfront: http://owaspbenelux2011.eventbrite.com''' !<br><br />
All latest details are available on http://www.owaspbenelux.eu<br><br />
Hope to see you all!<br><br />
<br />
The BeNeLux Program Committee,<br />
*Martin Knobloch / Ferdinand Vroom, OWASP Netherlands<br />
*Bart De Win / Sebastien Deleersnyder, OWASP Belgium<br />
*Jocelyn Aubert / Andre Adelsbach, OWASP Luxembourg<br />
*Steven van der Baan, OWASP CTF Project<br />
<br />
Kindly supported by the Interdisciplinary Centre for Security Reliability and Trust<br />
*Thomas Engel <br />
*Radu State <br />
*Magali Martin <br />
*Aurel Machalek<br />
<br />
<headertabs /><br />
<center>Made possible by our [http://www.owasp.org/index.php/BeNeLux_OWASP_Day_2011#tab=Sponsorship sponsors]:<br><br />
{{MemberLinks|link=http://www.ascure.com|logo=Ascure_Logo.jpg}} <br />
[http://www.zionsecurity.com http://www.owasp.org/images/e/e6/Zionsecurity.jpg]<br />
[http://www.zenitelbelgium.com http://www.owasp.org/images/d/df/SAIT_Zenitel.jpg]<br />
[http://www8.hp.com/us/en/solutions/solutions-detail.html?compURI=tcm:245-339290 https://www.owasp.org/images/b/b4/HP_Logo.jpg] <br />
[http://www.barracuda.com https://www.owasp.org/images/f/f6/Bnl11-Barracuda_Logo-4C.png] <br />
<br />
<br />
<br />
<br><br><br>'''Supported by:'''<br> <br />
[[Image:Bnl11-university-logo.jpg|link=http://wwwen.uni.lu]] <br />
[[Image:Bnl11-SECURITYANDTRUST-LOGO.jpg|link=http://www.securityandtrust.lu]] <br />
<br />
<br><br />
</center><br />
[[Category:OWASP_AppSec_Conference]] [[Category:OWASP_BeNeLux_Archives]]</div>Bart De Winhttps://wiki.owasp.org/index.php?title=BeNeLux_OWASP_Day_2011&diff=120322BeNeLux OWASP Day 20112011-11-16T21:28:12Z<p>Bart De Win: </p>
<hr />
<div>__NOTOC__ <br />
<center>[[Image:OWASP BeNeLux 2011.jpg]]<br></center><br />
<br><!-- Header --><br />
<br />
==== Welcome ====<br />
<br />
<br><br />
<center><br />
=== Venue is the University of Luxembourg (Grand Duchy of Luxembourg) ===<br />
Training and conference location, together with hotel information, can be found [https://www.owasp.org/index.php/BeNeLux_OWASP_Day_2011#tab=Venue here].<br />
=== Training and first list of conference speakers are announced! ===<br />
See [https://www.owasp.org/index.php/BeNeLux_OWASP_Day_2011#tab=Training.2C_December_1st here] and [https://www.owasp.org/index.php/BeNeLux_OWASP_Day_2011#tab=Conference.2C_December_2nd here]<br />
=== Tweet! ===<br />
<br />
Event tag is [http://twitter.com/#search?q=%23owaspbnl11 #owaspbnl11]<br />
<br />
=== Registrations are open: ===<br />
<br />
[http://owaspbenelux2011.eventbrite.com/ http://www.owasp.org/images/7/77/Buttoncreate.png] <br />
<br />
</center><br />
<br><br />
<br />
==== Training, December 1st ====<br />
'''OWASP Training: Secure Application Development, by Eoin Keary'''<br />
<br />
'''Abstract:''' Writing Secure code is the most effective method to securing your web applications. Writing secure code takes skill and know-how but results in a more stable and robust application and assists in protecting an organisations brand.<br />
Application security is not commonly a part of many computer science curricula today and most organizations have not focused on instituting a culture that includes application security as a core part of their software development training efforts. This intensive one-day course focuses on the most common web application security problems, including aspects of both the OWASP Top Ten (2010) and the MITRE Top 25. The course will introduce and demonstrate application assessment techniques, illustrating how application vulnerabilities can be exploited so students really understand how to avoid introducing such vulnerabilities in their code.<br />
<br />
'''This course includes coverage of the following areas:'''<br />
<br />
* Unvalidated Input<br />
* Injection Flaws, OS commanding, SQL Injection<br />
* Cross-Site Scriping & Client-side security<br />
* CSRF/XSRF<br />
* Authentication & Session Management<br />
* Access control & Authorisation<br />
* Broken Caching<br />
* Error Handling & Resource Management<br />
* The Secure SDLC<br />
* Fuzzing, Proxy use and testing approach<br />
<br />
'''Hands on Exercises'''<br />
<br />
To cement the principles discussed, students can participate in a number of hands-on security testing exercises where they attack a live web application (i.e., OWASP Bank etc) that has been seeded with common web application vulnerabilities.<br />
<br />
The students will use proxy tools commonly used by the hacker community to complete the exercises. Students need to bring their own windows based laptop to participate in the exercises. Wireless capability is recommended.<br />
<br />
'''Audience'''<br />
<br />
Developers who want to understand the most common web application security flaws, and how to avoid them and code in a secure manner.<br />
<br />
Level: Beginner/Intermediate<br />
<br />
Prerequisite: Basic knowledge of a web programming language like Java or .NET recommended but not required.<br />
<br />
Bringing your own windows based laptop is recommended so you can participate in the hands on exercises<br />
<br />
'''Trainer Bio:''' <br />
<br />
[[Eoin Keary]] is a Global OWASP board member since 2009. He is a long time member of OWASP and have contributed year on year to OWASP projects and the OWASP mission of fighting the causes of software insecurity. He is based in Dublin, Ireland and director of [http://www.bccriskadvisory.com Bccriskadvisory].<br />
<br />
==== Conference, December 2nd ====<br />
<br />
We are pleased to announce a first list of confirmed speakers:<br />
<br />
* Brenno De Winter (Journalist) on the Diginotar story<br />
* Koen Vanderloock (Lead Security Competence Group at Cegeka) on [https://www.owasp.org/index.php/BeNeLux_OWASP_Day_2011#OWASP_SIMBA_-_guarding_your_applications_.28by_Koen_Vanderloock.2C_Leader_Security_Competence_Group_at_Cegeka.29 the new OWASP Simba project]<br />
* Justin Clarke (Director and Co-Founder of Gotham Digital Science Ltd) on [https://www.owasp.org/index.php/BeNeLux_OWASP_Day_2011#Practical_Crypto_Attacks_Against_Web_Applications_.28by_Justin_Clarke.2C_Director_and_Co-Founder_of_Gotham_Digital_Science_Ltd.29 practical crypto attacks against web applications]<br />
* Lieven Desmet (Research Manager at University Leuven) on [https://www.owasp.org/index.php/BeNeLux_OWASP_Day_2011#HTML5_security_.28by_Lieven_Desmet.2C_Research_Manager_at_Katholieke_Universiteit_Leuven.29 HTML5 security]<br />
* Andrey Belenko (Chief Security Researcher at ElcomSoft Co. Ltd) on [https://www.owasp.org/index.php/BeNeLux_OWASP_Day_2011#Overcoming_iOS_Data_Protection_to_Re-Enable_iPhone_Forensics_.28by_Andrey_Belenko.2C_Chief_Security_Researcher_at_ElcomSoft.29 iOS data protection internals]<br />
* Alexandre Dulaunoy (Incident Management - Security Research at CIRCL) on dynamic malware analysis<br />
* Ludovic Petit (Group Fraud & Information Security Adviser at SFR, Vodafone Group) on [https://www.owasp.org/index.php/BeNeLux_OWASP_Day_2011#Do_you..._Legal.3F_.28by_Ludovic_Petit.2C_Group_Fraud_.26_Information_Security_Adviser_at_SFR.2C_Vodafone_Group.29 WebApp Security and legal and regulatory aspects]<br />
*Jean-Marc Bost and Sébastien Bischof (ELCA) on The limits of e-banking<br />
* Seba Deleersnyder & Eoin Keary (OWASP Board) on OWASP Update<br />
<br />
Stay tuned for the final agenda!<br />
<br />
'''''Agenda will come here'''''<br />
<br />
{| class="wikitable"<br />
! Time !! Speaker !! Topic<br />
|-<br />
| 09h30 - 10h00 || Sebastien Deleersnyder & Eion Keary || Intro & OWASP update<br />
|-<br />
| 10h00 - 10h40 || Brenno De Winter || The Diginotar story <br />
|-<br />
| 10h40 - 11h00 || ''Break'' ||<br />
|-<br />
| 11h00 - 11h40 || Lieven Desmet || HTML5 security <br />
|-<br />
| 11h40 - 12h20 || Andre Belenko || Overcoming iOS Data Protection to Re-Enable iPhone Forensics <br />
|-<br />
| 12h20 - 13h00 || Justin Clarke || Practical Crypto Attacks Against Web Applications <br />
|-<br />
| 13h00 - 14h00 || ''Lunch'' || <br />
|-<br />
| 14h00 - 14h40 || Ludovic Petit || Do you... Legal?<br />
|-<br />
| 14h40 - 15h20 || Thierry Zoller || The rise of the Vulnerability Market<br />
|-<br />
| 15h20 - 16h00 || Jean-Marc Bost & Sébastien Bischof || eBanking vs. Malwares <br />
|-<br />
| 16h00 - 16h20 || ''Break'' || <br />
|-<br />
| 16h20 - 17h00 || Alexandre Delaunoy || Dynamic malware analysis <br />
|-<br />
| 17h00 - 17h40 || Koen Vanderloock || OWASP SIMBA - guarding your applications <br />
|-<br />
| 17h40 - 18h00 || OWASP Benelux 2011 organization || Closing notes<br />
<br />
|}<br />
<br />
<!-- deze laten staan. is handig om anchors te vinden tijdens edi (seba) __TOC__ --><br />
<br />
=====OWASP SIMBA - guarding your applications (by [https://www.owasp.org/index.php/BeNeLux_OWASP_Day_2011#Koen_Vanderloock.2C_Leader_Security_Competence_Group_at_Cegeka Koen Vanderloock], Leader Security Competence Group at Cegeka)=====<br />
[[OWASP SIMBA Project|SIMBA (Security Integration Module for Business Applications)]] is a OWASP project that provides you with a User Access Management system that can be integrated with any business application. The purpose of SIMBA is to secure an application fast and easy. Because SIMBA itself is generic it can be customized for every project. Many features are customizable e.g. designing your own authentication chain is easy and fast by using existing or newly created building blocks. SIMBA contains authentication, authorization, session management and a GUI to manage your security information.<br />
<br />
======Koen Vanderloock, Leader Security Competence Group at Cegeka======<br />
Koen Vanderloock is the leader of the security competence group at Cegeka. About 2 years ago Cegeka decided to create a sandbox for investigating security issues and solutions so they could be included in the current projects. <br />
Koen Vanderloock is a Java developer with 8 years of experience and started exploring the world of security 3 years ago when UAM problems started to occur.<br />
<br />
=====Practical Crypto Attacks Against Web Applications (by [https://www.owasp.org/index.php/BeNeLux_OWASP_Day_2011#Justin_Clarke.2C_Director_and_Co-Founder_of_Gotham_Digital_Science_Ltd Justin Clarke], Director and Co-Founder of Gotham Digital Science Ltd)=====<br />
The science of cryptography underpins many of the information security technologies we use on a daily basis, such as the ability to keep information confidential and to ensure we can identify who we are communicating with. However, it is a very complex subject area with many types of mistakes that can reduce the overall security of a solution. A number of these types of mistakes can be identified by a tester, if they know what they're looking for, but in general it isn't a well tested area.<br />
<br />
This talk is intended to provide a high level overview of some of the areas where cryptographic operations such as encryption and hashing can provide far less security than was planned, and concrete examples of how these were found and exploited. Examples will include discussion and demonstration of the recently patched cryptographic padding attack against the Microsoft .NET framework (affecting ASP.NET applications) caused by a design error in how ASP.NET handles some types of encrypted data, but we will also be looking at some other fun areas including bit flipping attacks, ECB mode attacks, and some miscellaneous hashing algorithm attacks against common web application implementations.<br />
<br />
======Justin Clarke, Director and Co-Founder of Gotham Digital Science Ltd======<br />
Justin is a Director and Co-Founder of Gotham Digital Science and an experienced software security consultant with extensive international Big 4 risk management, security consulting and testing experience. He is the lead author/technical editor of "SQL Injection Attacks and Defenses" (Syngress 2009), co-author of "Network Security Tools" (O'Reilly 2005), contributor to "Network Security Assessment, 2nd Edition" (O'Reilly 2007), as well as a speaker at various security conferences and events such as Black Hat, EuSecWest, ISACA, BruCON, OWASP, OSCON, RSA and SANS. He is currently the OWASP London chapter president, and a member of the OWASP Global Connections Committee.<br />
On 10 Oct 2011, at 09:33, Seba wrote:<br />
<br />
=====HTML5 security (by [https://www.owasp.org/index.php/BeNeLux_OWASP_Day_2011#Lieven_Desmet.2C_Research_Manager_at_Katholieke_Universiteit_Leuven Lieven Desmet], Research Manager at Katholieke Universiteit Leuven)=====<br />
In this talk, Lieven will highlight the results of the HTML5 security analysis, conducted by the DistriNet Research Group (K.U.Leuven). The security analysis of next generation web standards, commissioned by ENISA, looked into 13 emerging W3C web standards (i.e. the specification of HTML 5 and some of the associated APIs), and assessed the security of each of them as well as the overall security and consistency across specifications.<br />
<br />
In total 51 security threats and issues have been identified, and detailed in the ENISA report (http://www.enisa.europa.eu/html5). During the talk, Lieven will discuss the methodology developed to assess the huge amount of specifications, and zoom into a representative set of identified threats and their remediation.<br />
<br />
======Lieven Desmet, Research Manager at Katholieke Universiteit Leuven======<br />
Lieven Desmet is the Research Manager on Secure Software at the Katholieke Universiteit Leuven (Belgium), where he coaches junior researchers in web application security and participates in dissemination and valorization activities. His interests are in software verification and security of middleware and web-enabled technologies. Lieven is actively engaged in OWASP and is board member of the OWASP Chapter Belgium.<br />
<br />
=====Overcoming iOS Data Protection to Re-Enable iPhone Forensics (by [https://www.owasp.org/index.php/BeNeLux_OWASP_Day_2011#Andrey_Belenko.2C_Chief_Security_Researcher_at_ElcomSoft Andrey Belenko], Chief Security Researcher at ElcomSoft)=====<br />
Data protection is a feature available for iOS devices (iOS 4 and up) with hardware encryption: iPhone 4S, iPhone 4, iPhone 3GS, iPod touch (3rd generation or later), and all iPad models. Introduction of this feature had complicated iPhone forensics process because now (almost) all files on user partition are encrypted and physical dumps are of much less value to examiners: while the filesystem seems to be intact, actual file contents are encrypted and are not suitable for analysis.<br />
<br />
This talk will provide in-depth information about iOS Data protection internals and on the implication it had on iOS forensics. More specifically, it will cover the following:<br />
*System keys and their hierarchy<br />
*Device passcode and its recovery<br />
*Escrow keys<br />
*Filesystem encryption<br />
*Keychain encryption<br />
<br />
Presentation will start by providing attendees with required background on iOS encryption keys architecture: system keys, passcode key, escrow key. After attendees are familiar with those concepts, presentation will continue to filesystem and keychain encryption details and to the techniques that can be used to overcome the hurdles imposed by iOS Data Protection.<br />
<br />
======Andrey Belenko, Chief Security Researcher at ElcomSoft======<br />
Chief security researcher and software developer at Elcomsoft. Co-invented ThunderTables (which are improved RainbowTables) and was first to bring GPU acceleration to password recovery. M. Sc. IT and CISSP.<br />
<br />
LinkedIn: http://ru.linkedin.com/in/belenko<br />
<br />
Twitter: @andreybelenko<br />
<br />
=====Do you... Legal? (by [https://www.owasp.org/index.php/BeNeLux_OWASP_Day_2011#Ludovic_Petit.2C_Group_Fraud_.26_Information_Security_Adviser_at_SFR.2C_Vodafone_Group Ludovic Petit], Group Fraud & Information Security Adviser at SFR, Vodafone Group) =====<br />
<br />
The OWASP core mission is to make application security visible, so that people and organizations can make informed decisions about true application security risks. However, if you do not pay enough attention to many aspects of Legal compliance, you'll see why Web Application Security is somehow linked to Legal and Regulatory aspects as well as... Corporate Responsability, so yours. Who is accountable for what, what about each other's responsibility? Nowadays, the legal constraints oblige us to comply via technical means, whatever the local framework, and this is specially true for Web Application Security, many sensitive informations having to be handled through these web interfaces. A such, what do you think about your Security Policy compliance with your local Legal framework? Compliant? Sure? Really? Interesting isn't it? Let's have a talk about this.<br />
<br />
======Ludovic Petit, Group Fraud & Information Security Adviser at SFR, Vodafone Group======<br />
Ludovic is an internationally recognised information security expert with over 25 years experience. Last 15 years spent in various Corporate Management positions covering both Technical and Law Enforcement expertise dedicated to Mobile Telecommunications Fraud and Security in multi-national corporations.<br />
<br />
Ludovic is Chapter Leader & Founding Member OWASP France and an active contributor to OWASP in several roles and projects.<br />
<br />
LinkedIn Profile: http://www.linkedin.com/in/lpetit<br />
<br />
=====Dynamic Malware Analysis or How to Play in the House of Horrors (by Alexandre Dulaunoy, Incident Management - Security Research at CIRCL) =====<br />
Malware reversing is a time consuming task. Many approaches are available to dissect and analyse suspicious binaries. Dynamic malware analysis is one of the option to better understand them and also a nifty companion to static analysis. The current dynamic malware analysis techniques will be presented especially the ones relying on instrumented operating system systems (from the filesystem to the network stack). You'll see a wandering through common and less common malware partially analysed using dynamic analysis and how dynamic malware analysis can help you.<br />
<br />
===== The limits of e-banking (by Jean-Marc Bost and Sébastien Bischof, ECLA) =====<br />
The swiss german TV channel SF1 showed a footage on swiss e-banking security. The TV show follows a team of the ETH who earned a special authorization to test several e-anking platforms. After admitting that a personal computer can be infected by different means (actually 5% of the tested PCs are infected according to Microsoft), The team from Zürich showed the limits of the different platforms. Only the bank who signs each transaction is labelled as safe. We will come back during the presentation on the nature of the threat.<br>First of all, we will explain how famous malwares such as Zeus and SpyEye manage to steal from their victims without them being able to notice anything. Then we will see that e-banking is not the only target, as a matter of fact, the reality is far from this.<br>And then we will comment the most recent techniques that allow malwares to escape Antivirus and Antimalware programs even if they are up to date. We will vulgarize several concepts such as DKOM and bootkits in order to let everybody have a glimpse on the danger they represent.<br>Finally, we will think about if signing each transaction can efficiently fight off these threats. In fact, when attacks are coupled with Social Engineering, they have potentially no limit. Zeus is a living proof of this fact, because it even managed to attack the transaction validation system by SMS. As a conclusion, we will see that the e-banking platform that managed to resist the tests of the ETH team is vulnerable to such kind of attacks. <br />
<br />
====== Jean-Marc Bost, ELCA ======<br />
Jean-Marc Bost leads the security division at ELCA. <br>He is in charge of the various security solutions proposed by ELCA, some being released by ELCA, others being provided by partner vendors. <br>With a significant experience in the development of internet applications, he focused 10 years ago on their need for security. <br>Since then, he has been very active in&nbsp;:<br>- demonstrating the threats, in particular for ebanking<br>- conceiving practical and patented solutions for strong authentication, online transactions, electronic signature and secured documents<br>- presenting the findings of the security division in security events and through expert talks<br> <br />
<br />
====== Sébastien Bischof, ELCA ======<br />
Sébastien Bischof works in the security division at ELCA Where he is specialized in OS-level and communication security.<br>As a major result, he developped a fully-working proof-of-concept of an attack against a sophisticated USB token for safe-browsing.<br>He obtained his Master of Science in Engineering at HEIG-VD/HES-SO with a strong emphasis on IT Security.<br>During his education, he focused on obfuscation and rootkit techniques.<br>Computer security enthusiast, he is very interested in hackings events such as Insomni'hack and keeps himself informed on the latest threats throuhg active participation in security forums.<br> <br />
<br />
==== CTF ====<br />
<br />
Do you like puzzles? Do you like challenges? Are you a hacker?<br />
<br />
Whether you are an old hacker or new enthusiast you should come to OWASP BeNeLux days 2011 and participate in the Capture the Flag event December 2nd 2011 at the University of Luxemburg. <br />
<br />
The OWASP CTF is especially designed to support challengers of all skill levels. The CTF contains multiple challenges in various fields related to application security. As every challenge gains you one point, you can pick and choose which challenge you want to play.<br />
<br />
All you need is a laptop with a wifi card and your favorite (preferably) non-commercial tools. <br />
<br />
So come to Luxemburg, show off your skills, learn new tricks and above all have a good time at the CTF event. <br />
<br />
==== Registration ====<br />
<center><br />
'''The training day and the conference are free!'''&nbsp;<br />
<br />
<br> <br />
<br />
[http://owaspbenelux2011.eventbrite.com/ http://www.owasp.org/images/7/77/Buttoncreate.png] <br />
<br />
<br> To support the OWASP organisation, consider to become a member, it's only US$50!<br> Check out the [[Membership]] page to find out more.<br> <br />
<br />
<br> <br />
</center> <br />
==== Venue ====<br />
<center><br />
University of Luxembourg<br>Campus Kirchberg<br>6, rue Richard Coudenhove-Kalergi<br>L-1359 Luxembourg<br>[http://wwwen.uni.lu/contact/campus_kirchberg http://wwwen.uni.lu/contact/campus_kirchberg] <br>Room: Paul Feidert<br />
</center><br />
<br>'''Hotels nearby''': <br />
<br />
The first hotel is at 5 minutes on walk distance from the campus Kirchberg: '''[http://www.coque.lu/article/259 Hotel d’Coque]'''<br />
* single room with breakfast 77.50 €<br />
* double room with breakfast 93.00 €. <br />
* Booking email address with Ref. OWASP_SNT 2011 to : [mailto:reception@coque.lu reception@coque.lu]<br />
* Reservation deadline: 20 October 2011<br />
Second hotel (direct center of Luxembourg) 5/10 minutes with taxi or bus: '''[http://www.parcbellevue.lu/fr/index.php Hotel Parc Bellevue]'''<br />
* single room with breakfast 95.00 € (normal price 160 €)<br />
* double room with breakfast 115.00 € (normal price 180€)<br />
* wifi and parking included<br />
* Booking email address: [mailto:reservation@goeres-group.com reservation@goeres-group.com]<br />
* Reservation deadline&nbsp;: 30 November <br />
* Reservation form: [https://www.owasp.org/images/4/44/Uni_Luxembourg_OWASP_2011.doc download form] <br />
Third hotel (near the Parc Bellevue): '''[http://www.parcplaza.lu/fr/index.php Hotel Plaza]'''<br />
* single room with breakfast 130.00 € (normal price 225 €)<br />
* double room with breakfast 150.00 € (normal price 245€)<br />
* wifi and parking included<br />
* Booking email address: [mailto:reservation@goeres-group.com reservation@goeres-group.com]. <br />
* Reservation deadline: 30 November<br />
* Reservation form: [https://www.owasp.org/images/4/44/Uni_Luxembourg_OWASP_2011.doc download form] <br />
Fourth hotel: '''[http://www.melia-luxembourg.com/fr/melia-luxembourg.html Hotel Mélia]'''<br />
* single room with breakfast 140.00 €<br />
* Booking email address: [mailto:reservations.melia.luxembourg@solmelia.com reservations.melia.luxembourg@solmelia.com]<br />
* Reservation deadline: 28 October 2011<br />
* Reservation form: [https://www.owasp.org/images/f/f8/Uni_OWASP_2011_Melia.pdf download form] <br />
<br />
<br><br />
<br />
==== Organisation ====<br />
<br />
The BeNeLux Day 2011 Program Committee: <br />
<br />
*Martin Knobloch / Ferdinand Vroom ([[Netherlands|OWASP Netherlands]]) <br />
*Bart De Win / Sebastien Deleersnyder ([[Belgium|OWASP Belgium]]) <br />
*Jocelyn Aubert / Andre Adelsbach ([[Luxembourg|OWASP Luxembourg]]) <br />
*Steven van der Baan ([[:Category:OWASP CTF Project|Capture The Flag]])<br />
<br />
Local organization:<br />
<br />
*Thomas Engel <br />
*Radu State <br />
*Magali Martin <br />
*Aurel Machalek<br />
<br />
==== Sponsorship ====<br />
<br />
Contact seba &lt;at&gt; owasp.org for sponsorship <br />
<br />
<paypal>BeNeLux OWASP Day 2011</paypal> <br />
<br />
==== Social Event ====<br />
<br />
The social event is scheduled for Thursday, 1st of December @ TBD <br />
<br />
<br><br><br />
<br />
==== Promotion ====<br />
''Feel free to use the text below to promote our event!''<br />
<br />
We invite you to our next OWASP event: the '''BeNeLux OWASP Days 2011!'''<br />
<br />
Free your agenda on the 1st and 2nd of December, 2011.<br />
<br />
The good news: free! No fee!<br />
<br />
The bad news: there are only 160 seats available (first register, first serve)!<br />
<br />
<br />
'''PROGRAM Day 1'''<br />
* 10:00 AM - 18:00 PM: OWASP Training Day<br />
* 19:00 PM - ?: Social event<br />
<br />
'''OWASP Training: Secure Application Development''', by Eoin Keary<br><br />
This intensive one-day training focuses on the most common web application security problems, including aspects of both the OWASP Top Ten (2010) and the MITRE Top 25. The training will introduce and demonstrate application assessment techniques, illustrating how application vulnerabilities can be exploited so students really understand how to avoid introducing such vulnerabilities in their code.<br />
<br />
'''PROGRAM Day 2'''<br />
* 10:00 AM - 18:00 PM: OWASP Conference<br />
<br />
List of '''confirmed speakers''' (more to be announced soon):<br />
*Brenno De Winter (Journalist) on the Diginotar story<br />
*Koen Vanderloock (Lead Security Competence Group at Cegeka) on the new OWASP Simba project<br />
*Justin Clarke (Director and Co-Founder of Gotham Digital Science Ltd) on practical crypto attacks against web applications<br />
*Lieven Desmet (Research Manager at University Leuven) on HTML5 security<br />
*Andrey Belenko (Chief Security Researcher at ElcomSoft Co. Ltd) on iOS data protection internals<br />
*Alexandre Dulaunoy (Incident Management - Security Research at CIRCL) on dynamic malware analysis<br />
*Ludovic Petit (Group Fraud & Information Security Adviser at SFR, Vodafone Group) on WebApp Security and legal and regulatory aspects<br />
*Seba Deleersnyder & Eoin Keary (OWASP Board) on OWASP Update<br />
<br />
'''ORGANIZATION<br>'''<br />
OWASP's all-volunteer participants produce free, professional quality, open-source documentation, tools, and standards on application security. An example of this is the famous OWASP top ten of most critical web application security flaws. The OWASP community facilitates conferences, local chapters, articles, and message forums. Participation in OWASP is free and open to all, as are all the materials we produce.<br />
<br />
'''WHO should attend?<br>'''<br />
Anyone interested in Web Application Security (management, security professionals, developers, students, etc). OWASP Belgium, Netherlands and Luxembourg chapters membership is free. All meetings are free. There are never vendor pitches or sales presentations at OWASP meetings.<br><br />
Check our chapter page http://www.owasp.org/index.php/Belgium on meeting details, sign up to the chapter mailing list and introduce yourself.<br><br />
Check our chapter page http://www.owasp.org/index.php/Netherlands on meeting details, sign up to the chapter mailing list and introduce yourself.<br><br />
Check our chapter page http://www.owasp.org/index.php/Luxembourg on meeting details, sign up to the chapter mailing list and introduce yourself.<br><br />
<br />
'''WHEN<br>'''<br />
Thursday and Friday, 1st and 2nd of December, 2011 (10 AM - 7 PM)<br />
<br />
'''WHERE<br>'''<br />
University of Luxembourg<br><br />
Campus Kirchberg<br><br />
6, rue Richard Coudenhove-Kalergi<br><br />
L-1359 Luxembourg<br><br />
http://wwwen.uni.lu/contact/campus_kirchberg<br><br />
Room: Paul Feidert<br />
<br />
Attention: make sure to '''book your hotel in time''', it will be difficult to find rooms in Luxembourg around Dec 1-2!<br><br />
Hotel details https://www.owasp.org/index.php?title=BeNeLux_OWASP_Day_2011#tab=Venue<br />
<br />
'''REGISTRATION<br>'''<br />
Only 160 places, please '''Register upfront: http://owaspbenelux2011.eventbrite.com''' !<br><br />
All latest details are available on http://www.owaspbenelux.eu<br><br />
Hope to see you all!<br><br />
<br />
The BeNeLux Program Committee,<br />
*Martin Knobloch / Ferdinand Vroom, OWASP Netherlands<br />
*Bart De Win / Sebastien Deleersnyder, OWASP Belgium<br />
*Jocelyn Aubert / Andre Adelsbach, OWASP Luxembourg<br />
*Steven van der Baan, OWASP CTF Project<br />
<br />
Kindly supported by the Interdisciplinary Centre for Security Reliability and Trust<br />
*Thomas Engel <br />
*Radu State <br />
*Magali Martin <br />
*Aurel Machalek<br />
<br />
<headertabs /><br />
<center>Made possible by our [http://www.owasp.org/index.php/BeNeLux_OWASP_Day_2011#tab=Sponsorship sponsors]:<br><br />
{{MemberLinks|link=http://www.ascure.com|logo=Ascure_Logo.jpg}} <br />
[http://www.zionsecurity.com http://www.owasp.org/images/e/e6/Zionsecurity.jpg]<br />
[http://www.zenitelbelgium.com http://www.owasp.org/images/d/df/SAIT_Zenitel.jpg]<br />
[http://www8.hp.com/us/en/solutions/solutions-detail.html?compURI=tcm:245-339290 https://www.owasp.org/images/b/b4/HP_Logo.jpg] <br />
[http://www.barracuda.com https://www.owasp.org/images/f/f6/Bnl11-Barracuda_Logo-4C.png] <br />
<br />
<br />
<br />
<br><br><br>'''Supported by:'''<br> <br />
[[Image:Bnl11-university-logo.jpg|link=http://wwwen.uni.lu]] <br />
[[Image:Bnl11-SECURITYANDTRUST-LOGO.jpg|link=http://www.securityandtrust.lu]] <br />
<br />
<br><br />
</center><br />
[[Category:OWASP_AppSec_Conference]] [[Category:OWASP_BeNeLux_Archives]]</div>Bart De Winhttps://wiki.owasp.org/index.php?title=BeNeLux_OWASP_Day_2011&diff=120193BeNeLux OWASP Day 20112011-11-15T19:41:41Z<p>Bart De Win: </p>
<hr />
<div>__NOTOC__ <br />
<center>[[Image:OWASP BeNeLux 2011.jpg]]<br></center><br />
<br><!-- Header --><br />
<br />
==== Welcome ====<br />
<br />
<br><br />
<center><br />
=== Venue is the University of Luxembourg (Grand Duchy of Luxembourg) ===<br />
Training and conference location, together with hotel information, can be found [https://www.owasp.org/index.php/BeNeLux_OWASP_Day_2011#tab=Venue here].<br />
=== Training and first list of conference speakers are announced! ===<br />
See [https://www.owasp.org/index.php/BeNeLux_OWASP_Day_2011#tab=Training.2C_December_1st here] and [https://www.owasp.org/index.php/BeNeLux_OWASP_Day_2011#tab=Conference.2C_December_2nd here]<br />
=== Tweet! ===<br />
<br />
Event tag is [http://twitter.com/#search?q=%23owaspbnl11 #owaspbnl11]<br />
<br />
=== Registrations are open: ===<br />
<br />
[http://owaspbenelux2011.eventbrite.com/ http://www.owasp.org/images/7/77/Buttoncreate.png] <br />
<br />
</center><br />
<br><br />
<br />
==== Training, December 1st ====<br />
'''OWASP Training: Secure Application Development, by Eoin Keary'''<br />
<br />
'''Abstract:''' Writing Secure code is the most effective method to securing your web applications. Writing secure code takes skill and know-how but results in a more stable and robust application and assists in protecting an organisations brand.<br />
Application security is not commonly a part of many computer science curricula today and most organizations have not focused on instituting a culture that includes application security as a core part of their software development training efforts. This intensive one-day course focuses on the most common web application security problems, including aspects of both the OWASP Top Ten (2010) and the MITRE Top 25. The course will introduce and demonstrate application assessment techniques, illustrating how application vulnerabilities can be exploited so students really understand how to avoid introducing such vulnerabilities in their code.<br />
<br />
'''This course includes coverage of the following areas:'''<br />
<br />
* Unvalidated Input<br />
* Injection Flaws, OS commanding, SQL Injection<br />
* Cross-Site Scriping & Client-side security<br />
* CSRF/XSRF<br />
* Authentication & Session Management<br />
* Access control & Authorisation<br />
* Broken Caching<br />
* Error Handling & Resource Management<br />
* The Secure SDLC<br />
* Fuzzing, Proxy use and testing approach<br />
<br />
'''Hands on Exercises'''<br />
<br />
To cement the principles discussed, students can participate in a number of hands-on security testing exercises where they attack a live web application (i.e., OWASP Bank etc) that has been seeded with common web application vulnerabilities.<br />
<br />
The students will use proxy tools commonly used by the hacker community to complete the exercises. Students need to bring their own windows based laptop to participate in the exercises. Wireless capability is recommended.<br />
<br />
'''Audience'''<br />
<br />
Developers who want to understand the most common web application security flaws, and how to avoid them and code in a secure manner.<br />
<br />
Level: Beginner/Intermediate<br />
<br />
Prerequisite: Basic knowledge of a web programming language like Java or .NET recommended but not required.<br />
<br />
Bringing your own windows based laptop is recommended so you can participate in the hands on exercises<br />
<br />
'''Trainer Bio:''' <br />
<br />
[[Eoin Keary]] is a Global OWASP board member since 2009. He is a long time member of OWASP and have contributed year on year to OWASP projects and the OWASP mission of fighting the causes of software insecurity. He is based in Dublin, Ireland and director of [http://www.bccriskadvisory.com Bccriskadvisory].<br />
<br />
==== Conference, December 2nd ====<br />
<br />
We are pleased to announce a first list of confirmed speakers:<br />
<br />
* Brenno De Winter (Journalist) on the Diginotar story<br />
* Koen Vanderloock (Lead Security Competence Group at Cegeka) on [https://www.owasp.org/index.php/BeNeLux_OWASP_Day_2011#OWASP_SIMBA_-_guarding_your_applications_.28by_Koen_Vanderloock.2C_Leader_Security_Competence_Group_at_Cegeka.29 the new OWASP Simba project]<br />
* Justin Clarke (Director and Co-Founder of Gotham Digital Science Ltd) on [https://www.owasp.org/index.php/BeNeLux_OWASP_Day_2011#Practical_Crypto_Attacks_Against_Web_Applications_.28by_Justin_Clarke.2C_Director_and_Co-Founder_of_Gotham_Digital_Science_Ltd.29 practical crypto attacks against web applications]<br />
* Lieven Desmet (Research Manager at University Leuven) on [https://www.owasp.org/index.php/BeNeLux_OWASP_Day_2011#HTML5_security_.28by_Lieven_Desmet.2C_Research_Manager_at_Katholieke_Universiteit_Leuven.29 HTML5 security]<br />
* Andrey Belenko (Chief Security Researcher at ElcomSoft Co. Ltd) on [https://www.owasp.org/index.php/BeNeLux_OWASP_Day_2011#Overcoming_iOS_Data_Protection_to_Re-Enable_iPhone_Forensics_.28by_Andrey_Belenko.2C_Chief_Security_Researcher_at_ElcomSoft.29 iOS data protection internals]<br />
* Alexandre Dulaunoy (Incident Management - Security Research at CIRCL) on dynamic malware analysis<br />
* Ludovic Petit (Group Fraud & Information Security Adviser at SFR, Vodafone Group) on [https://www.owasp.org/index.php/BeNeLux_OWASP_Day_2011#Do_you..._Legal.3F_.28by_Ludovic_Petit.2C_Group_Fraud_.26_Information_Security_Adviser_at_SFR.2C_Vodafone_Group.29 WebApp Security and legal and regulatory aspects]<br />
*Jean-Marc Bost and Sébastien Bischof (ELCA) on eBanking vs. Malwares <br />
* Seba Deleersnyder & Eoin Keary (OWASP Board) on OWASP Update<br />
<br />
Stay tuned for the final agenda!<br />
<br />
'''''Agenda will come here'''''<br />
<br />
{| class="wikitable"<br />
! Name !! Speaker !! Topic<br />
|-<br />
| 09h30 - 10h00 || Sebastien Deleersnyder & Eion Keary || Intro & OWASP update<br />
|-<br />
| 10h00 - 10h40 || speaker1 || <br />
|-<br />
| 10h40 - 11h00 || ''Break'' ||<br />
|-<br />
| 11h00 - 11h40 || speaker2 || <br />
|-<br />
| 11h40 - 12h20 || speaker3 || <br />
|-<br />
| 12h20 - 13h00 || speaker4 || <br />
|-<br />
| 13h00 - 14h00 || ''Lunch'' || <br />
|-<br />
| 14h00 - 14h40 || speaker5 || <br />
|-<br />
| 14h40 - 15h20 || speaker6 || <br />
|-<br />
| 15h20 - 16h00 || speaker7 || <br />
|-<br />
| 16h00 - 16h20 || ''Break'' || <br />
|-<br />
| 16h20 - 17h00 || speaker8 || <br />
|-<br />
| 17h00 - 17h40 || speaker9 || <br />
|-<br />
| 17h40 - 18h00 || OWASP Benelux 2011 organization || Closing notes<br />
<br />
|}<br />
<br />
<!-- deze laten staan. is handig om anchors te vinden tijdens edi (seba) __TOC__ --><br />
<br />
=====OWASP SIMBA - guarding your applications (by [https://www.owasp.org/index.php/BeNeLux_OWASP_Day_2011#Koen_Vanderloock.2C_Leader_Security_Competence_Group_at_Cegeka Koen Vanderloock], Leader Security Competence Group at Cegeka)=====<br />
[[OWASP SIMBA Project|SIMBA (Security Integration Module for Business Applications)]] is a OWASP project that provides you with a User Access Management system that can be integrated with any business application. The purpose of SIMBA is to secure an application fast and easy. Because SIMBA itself is generic it can be customized for every project. Many features are customizable e.g. designing your own authentication chain is easy and fast by using existing or newly created building blocks. SIMBA contains authentication, authorization, session management and a GUI to manage your security information.<br />
<br />
======Koen Vanderloock, Leader Security Competence Group at Cegeka======<br />
Koen Vanderloock is the leader of the security competence group at Cegeka. About 2 years ago Cegeka decided to create a sandbox for investigating security issues and solutions so they could be included in the current projects. <br />
Koen Vanderloock is a Java developer with 8 years of experience and started exploring the world of security 3 years ago when UAM problems started to occur.<br />
<br />
=====Practical Crypto Attacks Against Web Applications (by [https://www.owasp.org/index.php/BeNeLux_OWASP_Day_2011#Justin_Clarke.2C_Director_and_Co-Founder_of_Gotham_Digital_Science_Ltd Justin Clarke], Director and Co-Founder of Gotham Digital Science Ltd)=====<br />
The science of cryptography underpins many of the information security technologies we use on a daily basis, such as the ability to keep information confidential and to ensure we can identify who we are communicating with. However, it is a very complex subject area with many types of mistakes that can reduce the overall security of a solution. A number of these types of mistakes can be identified by a tester, if they know what they're looking for, but in general it isn't a well tested area.<br />
<br />
This talk is intended to provide a high level overview of some of the areas where cryptographic operations such as encryption and hashing can provide far less security than was planned, and concrete examples of how these were found and exploited. Examples will include discussion and demonstration of the recently patched cryptographic padding attack against the Microsoft .NET framework (affecting ASP.NET applications) caused by a design error in how ASP.NET handles some types of encrypted data, but we will also be looking at some other fun areas including bit flipping attacks, ECB mode attacks, and some miscellaneous hashing algorithm attacks against common web application implementations.<br />
<br />
======Justin Clarke, Director and Co-Founder of Gotham Digital Science Ltd======<br />
Justin is a Director and Co-Founder of Gotham Digital Science and an experienced software security consultant with extensive international Big 4 risk management, security consulting and testing experience. He is the lead author/technical editor of "SQL Injection Attacks and Defenses" (Syngress 2009), co-author of "Network Security Tools" (O'Reilly 2005), contributor to "Network Security Assessment, 2nd Edition" (O'Reilly 2007), as well as a speaker at various security conferences and events such as Black Hat, EuSecWest, ISACA, BruCON, OWASP, OSCON, RSA and SANS. He is currently the OWASP London chapter president, and a member of the OWASP Global Connections Committee.<br />
On 10 Oct 2011, at 09:33, Seba wrote:<br />
<br />
=====HTML5 security (by [https://www.owasp.org/index.php/BeNeLux_OWASP_Day_2011#Lieven_Desmet.2C_Research_Manager_at_Katholieke_Universiteit_Leuven Lieven Desmet], Research Manager at Katholieke Universiteit Leuven)=====<br />
In this talk, Lieven will highlight the results of the HTML5 security analysis, conducted by the DistriNet Research Group (K.U.Leuven). The security analysis of next generation web standards, commissioned by ENISA, looked into 13 emerging W3C web standards (i.e. the specification of HTML 5 and some of the associated APIs), and assessed the security of each of them as well as the overall security and consistency across specifications.<br />
<br />
In total 51 security threats and issues have been identified, and detailed in the ENISA report (http://www.enisa.europa.eu/html5). During the talk, Lieven will discuss the methodology developed to assess the huge amount of specifications, and zoom into a representative set of identified threats and their remediation.<br />
<br />
======Lieven Desmet, Research Manager at Katholieke Universiteit Leuven======<br />
Lieven Desmet is the Research Manager on Secure Software at the Katholieke Universiteit Leuven (Belgium), where he coaches junior researchers in web application security and participates in dissemination and valorization activities. His interests are in software verification and security of middleware and web-enabled technologies. Lieven is actively engaged in OWASP and is board member of the OWASP Chapter Belgium.<br />
<br />
=====Overcoming iOS Data Protection to Re-Enable iPhone Forensics (by [https://www.owasp.org/index.php/BeNeLux_OWASP_Day_2011#Andrey_Belenko.2C_Chief_Security_Researcher_at_ElcomSoft Andrey Belenko], Chief Security Researcher at ElcomSoft)=====<br />
Data protection is a feature available for iOS devices (iOS 4 and up) with hardware encryption: iPhone 4S, iPhone 4, iPhone 3GS, iPod touch (3rd generation or later), and all iPad models. Introduction of this feature had complicated iPhone forensics process because now (almost) all files on user partition are encrypted and physical dumps are of much less value to examiners: while the filesystem seems to be intact, actual file contents are encrypted and are not suitable for analysis.<br />
<br />
This talk will provide in-depth information about iOS Data protection internals and on the implication it had on iOS forensics. More specifically, it will cover the following:<br />
*System keys and their hierarchy<br />
*Device passcode and its recovery<br />
*Escrow keys<br />
*Filesystem encryption<br />
*Keychain encryption<br />
<br />
Presentation will start by providing attendees with required background on iOS encryption keys architecture: system keys, passcode key, escrow key. After attendees are familiar with those concepts, presentation will continue to filesystem and keychain encryption details and to the techniques that can be used to overcome the hurdles imposed by iOS Data Protection.<br />
<br />
======Andrey Belenko, Chief Security Researcher at ElcomSoft======<br />
Chief security researcher and software developer at Elcomsoft. Co-invented ThunderTables (which are improved RainbowTables) and was first to bring GPU acceleration to password recovery. M. Sc. IT and CISSP.<br />
<br />
LinkedIn: http://ru.linkedin.com/in/belenko<br />
<br />
Twitter: @andreybelenko<br />
<br />
=====Do you... Legal? (by [https://www.owasp.org/index.php/BeNeLux_OWASP_Day_2011#Ludovic_Petit.2C_Group_Fraud_.26_Information_Security_Adviser_at_SFR.2C_Vodafone_Group Ludovic Petit], Group Fraud & Information Security Adviser at SFR, Vodafone Group) =====<br />
<br />
The OWASP core mission is to make application security visible, so that people and organizations can make informed decisions about true application security risks. However, if you do not pay enough attention to many aspects of Legal compliance, you'll see why Web Application Security is somehow linked to Legal and Regulatory aspects as well as... Corporate Responsability, so yours. Who is accountable for what, what about each other's responsibility? Nowadays, the legal constraints oblige us to comply via technical means, whatever the local framework, and this is specially true for Web Application Security, many sensitive informations having to be handled through these web interfaces. A such, what do you think about your Security Policy compliance with your local Legal framework? Compliant? Sure? Really? Interesting isn't it? Let's have a talk about this.<br />
<br />
======Ludovic Petit, Group Fraud & Information Security Adviser at SFR, Vodafone Group======<br />
Ludovic is an internationally recognised information security expert with over 25 years experience. Last 15 years spent in various Corporate Management positions covering both Technical and Law Enforcement expertise dedicated to Mobile Telecommunications Fraud and Security in multi-national corporations.<br />
<br />
Ludovic is Chapter Leader & Founding Member OWASP France and an active contributor to OWASP in several roles and projects.<br />
<br />
LinkedIn Profile: http://www.linkedin.com/in/lpetit<br />
<br />
<br />
===== eBanking vs. Malwares (by Jean-Marc Bost and Sébastien Bischof, ECLA) =====<br />
<br />
The swiss german TV channel SF1 showed a footage on swiss e-banking security. The TV show follows a team of the ETH who earned a special authorization to test several e-anking platforms. After admitting that a personal computer can be infected by different means (actually 5% of the tested PCs are infected according to Microsoft), The team from Zürich showed the limits of the different platforms. Only the bank who signs each transaction is labelled as safe. We will come back during the presentation on the nature of the threat.<br>First of all, we will explain how famous malwares such as Zeus and SpyEye manage to steal from their victims without them being able to notice anything. Then we will see that e-banking is not the only target, as a matter of fact, the reality is far from this.<br>And then we will comment the most recent techniques that allow malwares to escape Antivirus and Antimalware programs even if they are up to date. We will vulgarize several concepts such as DKOM and bootkits in order to let everybody have a glimpse on the danger they represent.<br>Finally, we will think about if signing each transaction can efficiently fight off these threats. In fact, when attacks are coupled with Social Engineering, they have potentially no limit. Zeus is a living proof of this fact, because it even managed to attack the transaction validation system by SMS. As a conclusion, we will see that the e-banking platform that managed to resist the tests of the ETH team is vulnerable to such kind of attacks. <br />
<br />
====== Jean-Marc Bost, ELCA ======<br />
<br />
Jean-Marc Bost leads the security division at ELCA. <br>He is in charge of the various security solutions proposed by ELCA, some being released by ELCA, others being provided by partner vendors. <br>With a significant experience in the development of internet applications, he focused 10 years ago on their need for security. <br>Since then, he has been very active in&nbsp;:<br>- demonstrating the threats, in particular for ebanking<br>- conceiving practical and patented solutions for strong authentication, online transactions, electronic signature and secured documents<br>- presenting the findings of the security division in security events and through expert talks<br> <br />
<br />
====== Sébastien Bischof, ELCA ======<br />
<br />
Sébastien Bischof works in the security division at ELCA Where he is specialized in OS-level and communication security.<br>As a major result, he developped a fully-working proof-of-concept of an attack against a sophisticated USB token for safe-browsing.<br>He obtained his Master of Science in Engineering at HEIG-VD/HES-SO with a strong emphasis on IT Security.<br>During his education, he focused on obfuscation and rootkit techniques.<br>Computer security enthusiast, he is very interested in hackings events such as Insomni'hack and keeps himself informed on the latest threats throuhg active participation in security forums.<br> <br />
<br />
==== CTF ====<br />
<br />
Do you like puzzles? Do you like challenges? Are you a hacker?<br />
<br />
Whether you are an old hacker or new enthusiast you should come to OWASP BeNeLux days 2011 and participate in the Capture the Flag event December 2nd 2011 at the University of Luxemburg. <br />
<br />
The OWASP CTF is especially designed to support challengers of all skill levels. The CTF contains multiple challenges in various fields related to application security. As every challenge gains you one point, you can pick and choose which challenge you want to play.<br />
<br />
All you need is a laptop with a wifi card and your favorite (preferably) non-commercial tools. <br />
<br />
So come to Luxemburg, show off your skills, learn new tricks and above all have a good time at the CTF event. <br />
<br />
==== Registration ====<br />
<center><br />
'''The training day and the conference are free!'''&nbsp;<br />
<br />
<br> <br />
<br />
[http://owaspbenelux2011.eventbrite.com/ http://www.owasp.org/images/7/77/Buttoncreate.png] <br />
<br />
<br> To support the OWASP organisation, consider to become a member, it's only US$50!<br> Check out the [[Membership]] page to find out more.<br> <br />
<br />
<br> <br />
</center> <br />
==== Venue ====<br />
<center><br />
University of Luxembourg<br>Campus Kirchberg<br>6, rue Richard Coudenhove-Kalergi<br>L-1359 Luxembourg<br>[http://wwwen.uni.lu/contact/campus_kirchberg http://wwwen.uni.lu/contact/campus_kirchberg] <br>Room: Paul Feidert<br />
</center><br />
<br>'''Hotels nearby''': <br />
<br />
The first hotel is at 5 minutes on walk distance from the campus Kirchberg: '''[http://www.coque.lu/article/259 Hotel d’Coque]'''<br />
* single room with breakfast 77.50 €<br />
* double room with breakfast 93.00 €. <br />
* Booking email address with Ref. OWASP_SNT 2011 to : [mailto:reception@coque.lu reception@coque.lu]<br />
* Reservation deadline: 20 October 2011<br />
Second hotel (direct center of Luxembourg) 5/10 minutes with taxi or bus: '''[http://www.parcbellevue.lu/fr/index.php Hotel Parc Bellevue]'''<br />
* single room with breakfast 95.00 € (normal price 160 €)<br />
* double room with breakfast 115.00 € (normal price 180€)<br />
* wifi and parking included<br />
* Booking email address: [mailto:reservation@goeres-group.com reservation@goeres-group.com]<br />
* Reservation deadline&nbsp;: 30 November <br />
* Reservation form: [https://www.owasp.org/images/4/44/Uni_Luxembourg_OWASP_2011.doc download form] <br />
Third hotel (near the Parc Bellevue): '''[http://www.parcplaza.lu/fr/index.php Hotel Plaza]'''<br />
* single room with breakfast 130.00 € (normal price 225 €)<br />
* double room with breakfast 150.00 € (normal price 245€)<br />
* wifi and parking included<br />
* Booking email address: [mailto:reservation@goeres-group.com reservation@goeres-group.com]. <br />
* Reservation deadline: 30 November<br />
* Reservation form: [https://www.owasp.org/images/4/44/Uni_Luxembourg_OWASP_2011.doc download form] <br />
Fourth hotel: '''[http://www.melia-luxembourg.com/fr/melia-luxembourg.html Hotel Mélia]'''<br />
* single room with breakfast 140.00 €<br />
* Booking email address: [mailto:reservations.melia.luxembourg@solmelia.com reservations.melia.luxembourg@solmelia.com]<br />
* Reservation deadline: 28 October 2011<br />
* Reservation form: [https://www.owasp.org/images/f/f8/Uni_OWASP_2011_Melia.pdf download form] <br />
<br />
<br><br />
<br />
==== Organisation ====<br />
<br />
The BeNeLux Day 2011 Program Committee: <br />
<br />
*Martin Knobloch / Ferdinand Vroom ([[Netherlands|OWASP Netherlands]]) <br />
*Bart De Win / Sebastien Deleersnyder ([[Belgium|OWASP Belgium]]) <br />
*Jocelyn Aubert / Andre Adelsbach ([[Luxembourg|OWASP Luxembourg]]) <br />
*Steven van der Baan ([[:Category:OWASP CTF Project|Capture The Flag]])<br />
<br />
Local organization:<br />
<br />
*Thomas Engel <br />
*Radu State <br />
*Magali Martin <br />
*Aurel Machalek<br />
<br />
==== Sponsorship ====<br />
<br />
Contact seba &lt;at&gt; owasp.org for sponsorship <br />
<br />
<paypal>BeNeLux OWASP Day 2011</paypal> <br />
<br />
==== Social Event ====<br />
<br />
The social event is scheduled for Thursday, 1st of December @ TBD <br />
<br />
<br><br><br />
<br />
==== Promotion ====<br />
''Feel free to use the text below to promote our event!''<br />
<br />
We invite you to our next OWASP event: the '''BeNeLux OWASP Days 2011!'''<br />
<br />
Free your agenda on the 1st and 2nd of December, 2011.<br />
<br />
The good news: free! No fee!<br />
<br />
The bad news: there are only 160 seats available (first register, first serve)!<br />
<br />
<br />
'''PROGRAM Day 1'''<br />
* 10:00 AM - 18:00 PM: OWASP Training Day<br />
* 19:00 PM - ?: Social event<br />
<br />
'''OWASP Training: Secure Application Development''', by Eoin Keary<br><br />
This intensive one-day training focuses on the most common web application security problems, including aspects of both the OWASP Top Ten (2010) and the MITRE Top 25. The training will introduce and demonstrate application assessment techniques, illustrating how application vulnerabilities can be exploited so students really understand how to avoid introducing such vulnerabilities in their code.<br />
<br />
'''PROGRAM Day 2'''<br />
* 10:00 AM - 18:00 PM: OWASP Conference<br />
<br />
List of '''confirmed speakers''' (more to be announced soon):<br />
*Brenno De Winter (Journalist) on the Diginotar story<br />
*Koen Vanderloock (Lead Security Competence Group at Cegeka) on the new OWASP Simba project<br />
*Justin Clarke (Director and Co-Founder of Gotham Digital Science Ltd) on practical crypto attacks against web applications<br />
*Lieven Desmet (Research Manager at University Leuven) on HTML5 security<br />
*Andrey Belenko (Chief Security Researcher at ElcomSoft Co. Ltd) on iOS data protection internals<br />
*Alexandre Dulaunoy (Incident Management - Security Research at CIRCL) on dynamic malware analysis<br />
*Ludovic Petit (Group Fraud & Information Security Adviser at SFR, Vodafone Group) on WebApp Security and legal and regulatory aspects<br />
*Seba Deleersnyder & Eoin Keary (OWASP Board) on OWASP Update<br />
<br />
'''ORGANIZATION<br>'''<br />
OWASP's all-volunteer participants produce free, professional quality, open-source documentation, tools, and standards on application security. An example of this is the famous OWASP top ten of most critical web application security flaws. The OWASP community facilitates conferences, local chapters, articles, and message forums. Participation in OWASP is free and open to all, as are all the materials we produce.<br />
<br />
'''WHO should attend?<br>'''<br />
Anyone interested in Web Application Security (management, security professionals, developers, students, etc). OWASP Belgium, Netherlands and Luxembourg chapters membership is free. All meetings are free. There are never vendor pitches or sales presentations at OWASP meetings.<br><br />
Check our chapter page http://www.owasp.org/index.php/Belgium on meeting details, sign up to the chapter mailing list and introduce yourself.<br><br />
Check our chapter page http://www.owasp.org/index.php/Netherlands on meeting details, sign up to the chapter mailing list and introduce yourself.<br><br />
Check our chapter page http://www.owasp.org/index.php/Luxembourg on meeting details, sign up to the chapter mailing list and introduce yourself.<br><br />
<br />
'''WHEN<br>'''<br />
Thursday and Friday, 1st and 2nd of December, 2011 (10 AM - 7 PM)<br />
<br />
'''WHERE<br>'''<br />
University of Luxembourg<br><br />
Campus Kirchberg<br><br />
6, rue Richard Coudenhove-Kalergi<br><br />
L-1359 Luxembourg<br><br />
http://wwwen.uni.lu/contact/campus_kirchberg<br><br />
Room: Paul Feidert<br />
<br />
Attention: make sure to '''book your hotel in time''', it will be difficult to find rooms in Luxembourg around Dec 1-2!<br><br />
Hotel details https://www.owasp.org/index.php?title=BeNeLux_OWASP_Day_2011#tab=Venue<br />
<br />
'''REGISTRATION<br>'''<br />
Only 160 places, please '''Register upfront: http://owaspbenelux2011.eventbrite.com''' !<br><br />
All latest details are available on http://www.owaspbenelux.eu<br><br />
Hope to see you all!<br><br />
<br />
The BeNeLux Program Committee,<br />
*Martin Knobloch / Ferdinand Vroom, OWASP Netherlands<br />
*Bart De Win / Sebastien Deleersnyder, OWASP Belgium<br />
*Jocelyn Aubert / Andre Adelsbach, OWASP Luxembourg<br />
*Steven van der Baan, OWASP CTF Project<br />
<br />
Kindly supported by the Interdisciplinary Centre for Security Reliability and Trust<br />
*Thomas Engel <br />
*Radu State <br />
*Magali Martin <br />
*Aurel Machalek<br />
<br />
<headertabs /><br />
<center>Made possible by our [http://www.owasp.org/index.php/BeNeLux_OWASP_Day_2011#tab=Sponsorship sponsors]:<br><br />
{{MemberLinks|link=http://www.ascure.com|logo=Ascure_Logo.jpg}} <br />
[http://www.zionsecurity.com http://www.owasp.org/images/e/e6/Zionsecurity.jpg]<br />
[http://www.zenitelbelgium.com http://www.owasp.org/images/d/df/SAIT_Zenitel.jpg]<br />
[http://www8.hp.com/us/en/solutions/solutions-detail.html?compURI=tcm:245-339290 https://www.owasp.org/images/b/b4/HP_Logo.jpg] <br />
[http://www.barracuda.com https://www.owasp.org/images/f/f6/Bnl11-Barracuda_Logo-4C.png] <br />
<br />
<br />
<br />
<br><br><br>'''Supported by:'''<br> <br />
[[Image:Bnl11-university-logo.jpg|link=http://wwwen.uni.lu]] <br />
[[Image:Bnl11-SECURITYANDTRUST-LOGO.jpg|link=http://www.securityandtrust.lu]] <br />
<br />
<br><br />
</center><br />
[[Category:OWASP_AppSec_Conference]] [[Category:OWASP_BeNeLux_Archives]]</div>Bart De Winhttps://wiki.owasp.org/index.php?title=BeNeLux_OWASP_Day_2010&diff=95874BeNeLux OWASP Day 20102010-12-10T09:48:31Z<p>Bart De Win: </p>
<hr />
<div>__NOTOC__ <br />
<center>[[File:OWASP_BeNeLux_2010.jpg]]<br></center> <br />
<br> <!-- Header --> <br />
<br />
==== Welcome ====<br />
<br />
<br> <br />
<center><br />
===Presentations online===<br />
First presentations are available online. Check out the conference agenda page.<br />
<br />
===blog===<br />
Xavier did blog a nice wrap-up of the BeNeLux day: see his [http://blog.rootshell.be/2010/12/03/owasp-benelux-day-2010-wrap-up/ blog].<br />
<br />
The Luxembourg Chapter published on Flickr a set of pictures: [http://www.flickr.com/photos/owasplux/sets/72157625432687293/ OWASP BeNeLux Days 2010 set].<br />
<br />
If you know of other coverage, photo's: send them to seba@owasp.org<br />
<br />
===Tweet!===<br />
Event tag is [http://twitter.com/#search?q=%23owaspbnl10 #owaspbnl10]<br />
<br />
===Confirmed Speakers:===<br />
Sebastien Deleersnyder (OWASP Board, SAIT Zenitel)<br> Radu State (University of Luxembourg)<br> N Nikiforakis (Katholieke Universiteit Leuven)<br> Marco Balduzzi (Eurecom)<br> Walter Belgers (Madison Gurkha)<br> Thierry Zoller<br> ... <br />
<br />
Download the conference flyer [http://www.owasp.org/images/8/8d/OWASP_BeNeLux_2010_flyer_v1.5%282%29.jpg here].<br> All the presentations will be available for download in the [http://www.owasp.org/index.php/BeNeLux_OWASP_Day_2010#tab=Conference.2C_December_2nd agenda] tab. <br />
<br />
<br> <br> <br />
</center> <br />
<br> <br />
<br />
==== Training, December 1st ====<br />
<br />
{{:Benelux Training}}<br />
<br />
==== Conference, December 2nd ====<br />
<br />
{| border="0" align="center" style="width: 80%;"<br />
|-<br />
! align="center" colspan="3" | '''Location''' - December 2nd, 2010<br />
|-<br />
| style="background: none repeat scroll 0% 0% rgb(123, 138, 189); width: 15%; -moz-background-inline-policy: continuous;" | 09h00-10h00 <br />
| align="left" style="background: none repeat scroll 0% 0% rgb(194, 194, 194); width: 75%; -moz-background-inline-policy: continuous;" colspan="2" | '''Registration'''<br />
|-<br />
| style="background: none repeat scroll 0% 0% rgb(123, 138, 189); width: 15%; -moz-background-inline-policy: continuous;" | 10h00-10h15 <br />
| align="left" style="background: none repeat scroll 0% 0% rgb(242, 242, 242); width: 75%; -moz-background-inline-policy: continuous;" colspan="2" | '''Welcome''' (by Martin Knobloch and Ferdinand Vroom, OWASP NL Chapter)<br />
|-<br />
| style="background: none repeat scroll 0% 0% rgb(123, 138, 189); width: 15%; -moz-background-inline-policy: continuous;" | 10h15-10h45 <br />
| align="left" style="background: none repeat scroll 0% 0% rgb(242, 242, 242); width: 75%; -moz-background-inline-policy: continuous;" colspan="2" | '''OWASP Update''' (by Seba Deleersnyder, OWASP Board, SAIT Zenitel)<br />
|-<br />
| style="background: none repeat scroll 0% 0% rgb(123, 138, 189); width: 15%; -moz-background-inline-policy: continuous;" | 10h45-11h00 <br />
| align="left" style="background: none repeat scroll 0% 0% rgb(194, 194, 194); width: 75%; -moz-background-inline-policy: continuous;" colspan="2" | '''Coffee Break'''<br />
|-<br />
| style="background: none repeat scroll 0% 0% rgb(123, 138, 189); width: 15%; -moz-background-inline-policy: continuous;" | 11h00-11h40 <br />
| align="left" style="background: none repeat scroll 0% 0% rgb(242, 242, 242); width: 75%; -moz-background-inline-policy: continuous;" colspan="2" | '''Clickjacking: an empirical study with an automated testing/detection system''' (by Marco Balduzzi, Eurecom) [http://www.owasp.org/images/d/d2/OWASPBeNeLux2010-Balduzzi-Clickjacking.pdf Presentation]<br />
:Clickjacking recently received new media attentions: Thousands of Facebook users have fallen victims of a worm that uses clickjacking techniques to propagate.<br />
:In a clickjacking attack, a malicious page is constructed (or a benign page is hijacked) to trick the user into performing unintended clicks that are advantageous for the attacker, such as propagating a web worm, stealing confidential information or abusing of the user session.<br />
:However it is currently unclear to what extent clickjacking is being used by attackers in the wild and how significant the attack is for the security of Internet users.<br />
:In this talk, we presents a solution we designed for studying the prevalence of clickjacking on the Internet and for detecting possible malicious pages in an automated fashion. We deployed our system over 10 distinct virtual machines to test more then a million unique web-pages in two months. From the analysis of our experimental results we discuss the clickjacking phenomenon and its future implications.<br />
|-<br />
| style="background: none repeat scroll 0% 0% rgb(123, 138, 189); width: 15%; -moz-background-inline-policy: continuous;" | 11h40-12h20 <br />
| align="left" style="background: none repeat scroll 0% 0% rgb(242, 242, 242); width: 75%; -moz-background-inline-policy: continuous;" colspan="2" | '''Privacy of file sharing service''' (by Nick Nikiforakis, Katholieke Universiteit Leuven) [http://www.owasp.org/images/1/14/OWASPBeNeLux2010-Nikiforakis-FileSharing.pdf Presentation]<br />
:File sharing services are used daily by tens of thousands of people as a way of sharing files. Almost all such services, use a security-through-obscurity method of hiding the files of one user from others. For each uploaded file, the user is given a secret URL which supposedly cannot be guessed. The user can then share his uploaded file by sharing this URL with other users of his choice. Unfortunately though, a number of file sharing services are incorrectly implemented allowing an attacker to guess valid URLs of millions of files and thus allowing him to enumerate their file database and access all of the uploaded files. In this paper, we study some of these services and we record their incorrect implementations. We design automatic enumerators for two such services and a privacy-classifying module which characterises an uploaded file as private or public. Using this technique we gain access to thousands of private files ranging from private and company documents to personal photographs. We present a taxonomy of the private files found and ways that the users and services can protect themselves against such attacks.<br />
|-<br />
| style="background: none repeat scroll 0% 0% rgb(123, 138, 189); width: 15%; -moz-background-inline-policy: continuous;" | 12h20-13h00 <br />
| align="left" style="background: none repeat scroll 0% 0% rgb(242, 242, 242); width: 75%; -moz-background-inline-policy: continuous;" colspan="2" | '''Finding Backdoors in Code''' (by Matias Madou, Fortify) [http://www.owasp.org/images/8/8f/OWASPBeNeLux2010-Madou-RepellingTheWilyInsider.pdf Presentation]<br />
:Insiders who write code, whether they are developers working for an enterprise or contributors to an open source project, have an almost unlimited number of ways to put chinks in the armor of their software. Many times, these holes are put in place for seemingly good reasons—to facilitate easy debugging, make working from home easier, or as a failsafe in case other mechanisms for interfacing with the system fail. Worse still, malicious insiders can plant logic bombs or insert backdoors so that they can embezzle funds, steal private information, or exact revenge if they become disgruntled.<BR><br />
:Whether unintentional or malicious, code that performs questionable behavior or permits unauthorized access can be introduced with relative ease and can persist in a code base almost indefinitely without being discovered. Until it's too late. In this talk, we discuss techniques for applying static analysis to program source code to assist auditors hunting for backdoors, logic bombs, and other threats introduced by insiders. We give detailed examples of insider threats that have been uncovered in real software systems, outline possible motives for malicious insiders, and discuss how external stimuli like layoffs are increasing the attention paid to insider threats. We conclude the talk with results of applying the detection techniques discussed in this talk to real-world software. <br />
|-<br />
| style="background: none repeat scroll 0% 0% rgb(123, 138, 189); width: 15%; -moz-background-inline-policy: continuous;" | 13h00-14h00 <br />
| align="left" style="background: none repeat scroll 0% 0% rgb(194, 194, 194); width: 75%; -moz-background-inline-policy: continuous;" colspan="2" | '''Lunch'''<br />
|-<br />
| style="background: none repeat scroll 0% 0% rgb(123, 138, 189); width: 15%; -moz-background-inline-policy: continuous;" | 14h00-14h40 <br />
| align="left" style="background: none repeat scroll 0% 0% rgb(242, 242, 242); width: 75%; -moz-background-inline-policy: continuous;" colspan="2" | '''How NOT to implement a Payback/Cashback System''' (by Thierry Zoller)<br />
:Casback is a name given to progams where participants will earn points for every net euro/dollar in purchases made. There are many ways this can go wrong. We will revisit the design, architecture of common Cashback systems on every operational level. We will take one particular interesting Payback program as an example and show how NOT to deploy. Death by a thousand cuts.<br><br />
:Beware : Hilarity will ensue.<br />
|-<br />
| style="background: none repeat scroll 0% 0% rgb(123, 138, 189); width: 15%; -moz-background-inline-policy: continuous;" | 14h40-15h20 <br />
| align="left" style="background: none repeat scroll 0% 0% rgb(242, 242, 242); width: 75%; -moz-background-inline-policy: continuous;" colspan="2" | '''Botnets/Bredolab''' (by Michael Sandee, Fox-IT)<br />
:Botnets are a hot debated topic, with much controversies on how to fight them. Recently there was headline news regarding the takedown of the Bredolab botnet, which caused a lot of discussion and contained a lot of conflicting views on the subject. During this presentation the facts of this Bredolab botnet takedown will be discussed, alongside the views of a Cybercriminal on how to setup your own botnet. You will be given a crash-course Cybercrime in 30 minutes.<br><br />
|-<br />
| style="background: none repeat scroll 0% 0% rgb(123, 138, 189); width: 15%; -moz-background-inline-policy: continuous;" | 15h20-16h00 <br />
| align="left" style="background: none repeat scroll 0% 0% rgb(242, 242, 242); width: 75%; -moz-background-inline-policy: continuous;" colspan="2" | '''0wning Networks with VoIP and Web attacks''' (by Radu State, University of Luxembourg) [http://www.owasp.org/images/6/6a/OWASPBeNeLux2010-State-VoipHacking.pdf Presentation]<br />
:Voice over IP is the current de facto technology for delivering voice data in both enterprise and service provider infrastructure. Although , security threats specific to VoIP signalling have been known for a while, few is known about cross-layer attacks in which Web enabled VoIP devices allow for efficient attacks against the VoIP infrastructure and general IT networks .<br />
:This talk will give a short introduction to VoIP and continue with a series of attacks that leverage SIP as efficient transport vehicle for billing attacks , disclosure attacks and network penetration. The talk will show how one single phone call can compromise even the best secured and hardened network perimeter .<br />
|-<br />
| style="background: none repeat scroll 0% 0% rgb(123, 138, 189); width: 15%; -moz-background-inline-policy: continuous;" | 16h00-16h20 <br />
| align="left" style="background: none repeat scroll 0% 0% rgb(194, 194, 194); width: 75%; -moz-background-inline-policy: continuous;" colspan="2" | '''Coffee Break'''<br />
|-<br />
| style="background: none repeat scroll 0% 0% rgb(123, 138, 189); width: 15%; -moz-background-inline-policy: continuous;" | 16h20-17h00 <br />
| align="left" style="background: none repeat scroll 0% 0% rgb(242, 242, 242); width: 75%; -moz-background-inline-policy: continuous;" colspan="2" | '''The Social Networking Corporate Threat''' (by Chen Gour-Arie, Comsec Consulting)<br />
:Social Networking Sites (SNS) and Web 2.0 platforms have been growing rapidly over the past few years, with multi-millions utilizing these platforms on a daily basis. In this talk, we will present some of the threats that SNS introduces to the corporate environment. <br />
|-<br />
| style="background: none repeat scroll 0% 0% rgb(123, 138, 189); width: 15%; -moz-background-inline-policy: continuous;" | 17h00-17h40 <br />
| align="left" style="background: none repeat scroll 0% 0% rgb(242, 242, 242); width: 75%; -moz-background-inline-policy: continuous;" colspan="2" | '''Attacking is easy, defending is hard''' (by Walter Belgers, Madison Gurkha) [http://www.owasp.org/images/d/d3/OWASPBeNeLux2010-Belgers-DefendingIsHard.pdf Presentation]<br />
:An attacker has an easy job. They need only find one security hole, and they've broken the system. The system, application and network administrators :have a much harder task. They have to find not just one, but each and every one of the holes. Preferably before the bad guys do.<br />
:And, these holes can be at several different layers. In the presentation, we will look at those layers (system level, application level, but also user :level) and observe what goes wrong and how to fix it. The observations come from the daily work at Madison Gurkha.<br />
:Examples of problems are lack of patches, problems during the development phase, susceptibility to social engineering attacks and more. <br />
|-<br />
| style="background: none repeat scroll 0% 0% rgb(123, 138, 189); width: 15%; -moz-background-inline-policy: continuous;" | 17h40-17h50 <br />
| align="left" style="background: none repeat scroll 0% 0% rgb(242, 242, 242); width: 75%; -moz-background-inline-policy: continuous;" colspan="2" | '''Closing''' (by Martin Knobloch and Ferdinand Vroom, OWASP NL Chapter)<br />
<br />
|}<br />
==== Speakers ====<br />
{|<br />
|-<br />
|'''Sebastien Deleersnyder (OWASP Board, SAIT Zenitel)''' <br />
|-<br />
|Sebastien started the successful Belgian OWASP Chapter and performed several public presentations on web application and web services security. Sebastien specialises in (web) application security, combining his software development and information security experience. He is currently OWASP Foundation board member and Managing Technical Consultant at SAIT Zenitel.<br />
|}<br />
{|<br />
|-<br />
|'''Radu State (University of Luxembourg)''' <br />
|-<br />
|Radu received his PhD degree from INRIA, Nancy – University Henri Poincaré in 2001.<br><br />
Radu has held positions as Research Engineer and Senior Engineer at INRIA-LORIA and has been working as Senior Researcher at the University of Luxembourg, FSTC-CSC Research Unit from October 2008 to September 2010. Radu's research activity will be on one side investigate interoperability aspects to supply security components in the area of ubiquitous computing and on the other side set up a project specific interoperability research lab in close cooperation with industry.<br />
|}<br />
{|<br />
|-<br />
|'''Nick Nikiforakis (Katholieke Universiteit Leuven)''' <br />
|-<br />
|Nick Nikiforakis is a PhD student at the Katholieke Universiteit Leuven, in Belgium. He belongs to the DistriNet research group and specifically in the “Security & Languages” task-force. His current research interests are: low-level security for unsafe languages and web application security. <br><br />
Nick holds a BSc in Computer Science and a MSc on Distributed Systems from the University of Crete in Greece. He worked for 3 years as a research assistant in the Distributed Computing Systems group at the Foundation of Research and Technology in Crete where he did research in network data visualization, authentication schemes using mobile devices and phishing countermeasures. In the past, Nick has presented his work in academic conferences as well as hacking conventions. His work can be found online at www.securitee.org.<br />
|}<br />
{|<br />
|-<br />
|'''Matias Madou (Fortify)''' <br />
|-<br />
|Matias Madou is principal security researcher at Fortify's Security Research Group, which is responsible for building security knowledge into Fortify's products. His work focuses on developing new techniques to detect vulnerabilities. Matias holds a Ph.D. in computer engineering from Ghent University, where he studied application security through program obfuscation to hide the inner workings of an application. During his Ph.D., he collaborated with top research and industry players in the field of program obfuscation. <br />
|}<br />
{|<br />
|-<br />
|'''Marco Balduzzi (Eurecom)''' <br />
|-<br />
|<br />
Marco Balduzzi is an IT security specialist with several years of experience as engineer and consultant for different international<br />
companies located in Milan, Munich and Nice. At the moment, he is a PhD researcher in EURECOM and a proud member of the [http://www.iseclab.org International Secure System Lab]. He designs systems for the detection of botnets/malware, the analysis of<br />
web threats and the security of cloud computing. <br><br />
Marco owns a MSc in Computer Engineering from the University of Bergamo and is a co-founder of the Bergamo Linux User Group. He contributed to several Free Software projects (e.g. Nast) and has been involved in many underground non-profit organizations.<br />
|}<br />
{|<br />
|-<br />
|'''Walter Belgers (Madison Gurkha) ''' <br />
|-<br />
|Walter Belgers heeft Technische Informatica gestudeerd aan de Technische Universiteit Eindhoven met als extra vak o.a. Computercriminaliteit (Universiteit van Tilburg). Walter is in 1994 begonnen bij Philips C&P (tegenwoordig Atos Origin) als ontwikkelaar van wereldwijde firewall-diensten en de uitrol daarvan. Daarna heeft hij enkele jaren lesgegeven op het gebied van UNIX en Internet beveiliging bij AT Computing. In 2002 is hij toegetreden tot Madison Gurkha als partner. Naast zijn technische consultancy-activiteiten, houdt Walter zich bezig met het schrijven van artikelen en columns, het geven van lezingen en voorlichten van de pers. Walter is gecertificeerd security professional (CISSP) en security auditor (CISA).<br />
|}<br />
{|<br />
|-<br />
|'''Martin Knobloch (Sogeti Nederland B.V.) ''' <br />
|-<br />
|Martin Knobloch is employed at Sogeti Netherlands as Senior Security Consultant. He is founder and thought leader of the Sogeti task force PaSS, Proactive Security Strategy, with an integral solution of information security within organisation, infrastructure and software. <br><br />
At OWASP, Martin is board member of the OWASP Netherlands Chapter and member of the Global Education Committee.<br />
|}<br />
{|<br />
|-<br />
|'''Michael Sandee (Fox-IT)'''<br />
|-<br />
|Michael Sandee, Lead Expert Cybercrime at Fox-IT, has been working analyzing Cybercrime for over 5 years. With day-to-day analysis of malware and cybercrime activities he has developed a good understanding on how the underground economy operates and how large this market is, and also how we are affected by this every day.<br />
|}<br />
{|<br />
|-<br />
|'''Chen Gour-Arie (Comsec Consulting)'''<br />
|-<br />
|Chen Gour-Arie has years of experience in information security, with a specific expertise in application level security. Chen<br />
has conducted projects in all areas of information security, in diverse environments, utilizing a wide range of professional<br />
tools. Some of his notable projects have focused on: complex penetration testing, comprehensive White Box audits,<br />
network security, policy and procedure formulation, manual and automated security testing, security evaluation of<br />
products, leading secure software development lifecycles, infrastructure security audits, risk assessments, PCI and PA-DSS<br />
consulting, and more.<br />
|}<br />
==== CTF ====<br />
During both days, a '''C'''apture '''T'''he '''F'''lag challenge will be online and available!<br />
<br><br />
Do you have the skills to hack websites? Can you crack various codes? Can you think outside the box? Do you like challenges?<br><br />
Then come and participate in the OWASP Capture The Flag Competition. Test your webhacking/codecracking skills against various challenges. Compete against yourself and others. The CTF will run the complete conference, so you can logon and play anytime you want. We will announce the winner at the last day of the conference. The winner will earn $100 worth of OWASP books and gets a OWASP membership for a year, the runner up wins $50 of OWASP books and gets a OWASP membership for a year, the person on third place will win a OWASP membership for a year.<br><br />
So come and play and earn the bragging rights for the OWASP CTF Challenge at OWASP BeNeLux 2010.<br><br />
<br><br />
<br><br />
==== Registration ====<br />
<center><br />
'''The training day and the conference are free!'''&nbsp;<br />
<br />
<br> <br />
<br />
[http://owaspbenelux.eventbrite.com?ref=ebtn http://www.owasp.org/images/7/77/Buttoncreate.png] <br />
<br />
<br> To support the OWASP organisation, consider to become a member, it's only US$50!<br> Check out the [[Membership]] page to find out more.<br> <br />
<br />
<br> <br />
</center> <br />
==== Venue ====<br />
<center><br />
'''Hogeschool Fontys''' <br> <br />
Building R5 , Rachelsmolen 1 <br><br />
5612 AM Eindhoven, The Netherlands<br> <br />
<br />
[http://maps.google.com/maps?f=q&source=s_q&hl=nl&geocode=&q=Hogeschool+Fontys,+Rachelsmolen+1,+5612+AM+Eindhoven&sll=51.502694,5.262446&sspn=0.541971,0.907745&ie=UTF8&hq=Hogeschool+Fontys,&hnear=Rachelsmolen+1,+Woenselse+Watermolen,+Eindhoven,+Noord-Brabant,+Nederland&ll=51.453071,5.481298&spn=0.008478,0.014184&t=h&z=16&iwloc=A '''Campus Rachelsmolen''']<br><br />
<br />
</center> <br />
<br> '''Hotels nearby''': [http://maps.google.com/maps?near=Rachelsmolen+1,+5612+MA+Eindhoven,+Nederland+(Fontys+Hogescholen+|+Campus+Rachelsmolen)&geocode=CYt8kT41vzHwFdMZEQMdSaNTACF7CO7YoPOYHA&q=hotel&f=l&dq=Hogeschool+Fontys,+loc:+Rachelsmolen+1,+5612+AM+Eindhoven&sll=51.452371,5.481289&sspn=0.006295,0.006295&ie=UTF8&hq=hotel&hnear=&t=h&z=14 maps.google.nl/maps]<br> <br />
<br />
==== Organisation ====<br />
<br />
The BeNeLux Day 2010 Program Committee: <br />
<br />
*Martin Knobloch / Ferdinand Vroom ([[Netherlands|OWASP Netherlands]]) <br />
*Bart De Win / Sebastien Deleersnyder ([[Belgium|OWASP Belgium]]) <br />
*Jocelyn Aubert / Andre Adelsbach ([[Luxembourg|OWASP Luxembourg]])<br />
<br />
==== Sponsorship ====<br />
<br />
Contact netherlands &lt;at&gt; owasp.org for sponsorship <br />
<br />
<paypal>BeNeLux OWASP Day 2010</paypal> <br />
<br />
==== Social Event ====<br />
<br />
The social event is scheduled for Wednesday, 1st of December:<br />
[http://www.effenaar.nl/over-de-effenaar Effenaar], starting from 7 pm!<br />
<br />
<br />
<br> <headertabs /> <br />
<center>Made possible by our [http://www.owasp.org/index.php/BeNeLux_OWASP_Day_2010#tab=Sponsorship sponsors]:<br> <br />
{{MemberLinks|link=http://www.ascure.com|logo=Ascure_Logo.jpg}}<br />
[http://www.f5.com http://www.owasp.org/images/7/7e/50px-F5_50px.jpg]<br />
[http://www.zionsecurity.com http://www.owasp.org/images/e/e6/Zionsecurity.jpg]<br />
[http://www.radware.com http://www.owasp.org/images/8/82/Rad_logo.gif]<br />
[http://www.zenitelbelgium.com http://www.owasp.org/images/d/df/SAIT_Zenitel.jpg]<br />
[http://www.sogeti.nl http://www.owasp.org/images/3/31/Sogeti_Nederland_b_v_Logo.jpg]<br />
[http://www.comsec.nl/ http://www.owasp.org/images/c/c1/Comsec.gif]<br />
[http://www.fortify.com/ http://www.owasp.org/images/c/cf/Fortify_HP_cmyk1-200.jpg]<br />
<br />
<br />
<br><br> '''Supported by:'''<br><br />
[[File:Bnl10 Fontys.jpg|200px]]<br />
<br />
<br> <br />
</center> <br />
[[Category:OWASP_AppSec_Conference]] [[Category:OWASP_BeNeLux_Archives]]</div>Bart De Winhttps://wiki.owasp.org/index.php?title=File:OWASPBeNeLux2010-Belgers-DefendingIsHard.pdf&diff=95873File:OWASPBeNeLux2010-Belgers-DefendingIsHard.pdf2010-12-10T09:45:52Z<p>Bart De Win: </p>
<hr />
<div></div>Bart De Winhttps://wiki.owasp.org/index.php?title=BeNeLux_OWASP_Day_2010&diff=95746BeNeLux OWASP Day 20102010-12-08T21:37:23Z<p>Bart De Win: </p>
<hr />
<div>__NOTOC__ <br />
<center>[[File:OWASP_BeNeLux_2010.jpg]]<br></center> <br />
<br> <!-- Header --> <br />
<br />
==== Welcome ====<br />
<br />
<br> <br />
<center><br />
===Presentations online===<br />
First presentations are available online. Check out the conference agenda page.<br />
<br />
===blog===<br />
Xavier did blog a nice wrap-up of the BeNeLux day: see his [http://blog.rootshell.be/2010/12/03/owasp-benelux-day-2010-wrap-up/ blog].<br />
<br />
If you know of other coverage, photo's: send them to seba@owasp.org<br />
<br />
===Tweet!===<br />
Event tag is [http://twitter.com/#search?q=%23owaspbnl10 #owaspbnl10]<br />
<br />
===Confirmed Speakers:===<br />
Sebastien Deleersnyder (OWASP Board, SAIT Zenitel)<br> Radu State (University of Luxembourg)<br> N Nikiforakis (Katholieke Universiteit Leuven)<br> Marco Balduzzi (Eurecom)<br> Walter Belgers (Madison Gurkha)<br> Thierry Zoller<br> ... <br />
<br />
Download the conference flyer [http://www.owasp.org/images/8/8d/OWASP_BeNeLux_2010_flyer_v1.5%282%29.jpg here].<br> All the presentations will be available for download in the [http://www.owasp.org/index.php/BeNeLux_OWASP_Day_2010#tab=Conference.2C_December_2nd agenda] tab. <br />
<br />
<br> <br> <br />
</center> <br />
<br> <br />
<br />
==== Training, December 1st ====<br />
<br />
{{:Benelux Training}}<br />
<br />
==== Conference, December 2nd ====<br />
<br />
{| border="0" align="center" style="width: 80%;"<br />
|-<br />
! align="center" colspan="3" | '''Location''' - December 2nd, 2010<br />
|-<br />
| style="background: none repeat scroll 0% 0% rgb(123, 138, 189); width: 15%; -moz-background-inline-policy: continuous;" | 09h00-10h00 <br />
| align="left" style="background: none repeat scroll 0% 0% rgb(194, 194, 194); width: 75%; -moz-background-inline-policy: continuous;" colspan="2" | '''Registration'''<br />
|-<br />
| style="background: none repeat scroll 0% 0% rgb(123, 138, 189); width: 15%; -moz-background-inline-policy: continuous;" | 10h00-10h15 <br />
| align="left" style="background: none repeat scroll 0% 0% rgb(242, 242, 242); width: 75%; -moz-background-inline-policy: continuous;" colspan="2" | '''Welcome''' (by Martin Knobloch and Ferdinand Vroom, OWASP NL Chapter)<br />
|-<br />
| style="background: none repeat scroll 0% 0% rgb(123, 138, 189); width: 15%; -moz-background-inline-policy: continuous;" | 10h15-10h45 <br />
| align="left" style="background: none repeat scroll 0% 0% rgb(242, 242, 242); width: 75%; -moz-background-inline-policy: continuous;" colspan="2" | '''OWASP Update''' (by Seba Deleersnyder, OWASP Board, SAIT Zenitel)<br />
|-<br />
| style="background: none repeat scroll 0% 0% rgb(123, 138, 189); width: 15%; -moz-background-inline-policy: continuous;" | 10h45-11h00 <br />
| align="left" style="background: none repeat scroll 0% 0% rgb(194, 194, 194); width: 75%; -moz-background-inline-policy: continuous;" colspan="2" | '''Coffee Break'''<br />
|-<br />
| style="background: none repeat scroll 0% 0% rgb(123, 138, 189); width: 15%; -moz-background-inline-policy: continuous;" | 11h00-11h40 <br />
| align="left" style="background: none repeat scroll 0% 0% rgb(242, 242, 242); width: 75%; -moz-background-inline-policy: continuous;" colspan="2" | '''Clickjacking: an empirical study with an automated testing/detection system''' (by Marco Balduzzi, Eurecom) [http://www.owasp.org/images/d/d2/OWASPBeNeLux2010-Balduzzi-Clickjacking.pdf Presentation]<br />
:Clickjacking recently received new media attentions: Thousands of Facebook users have fallen victims of a worm that uses clickjacking techniques to propagate.<br />
:In a clickjacking attack, a malicious page is constructed (or a benign page is hijacked) to trick the user into performing unintended clicks that are advantageous for the attacker, such as propagating a web worm, stealing confidential information or abusing of the user session.<br />
:However it is currently unclear to what extent clickjacking is being used by attackers in the wild and how significant the attack is for the security of Internet users.<br />
:In this talk, we presents a solution we designed for studying the prevalence of clickjacking on the Internet and for detecting possible malicious pages in an automated fashion. We deployed our system over 10 distinct virtual machines to test more then a million unique web-pages in two months. From the analysis of our experimental results we discuss the clickjacking phenomenon and its future implications.<br />
|-<br />
| style="background: none repeat scroll 0% 0% rgb(123, 138, 189); width: 15%; -moz-background-inline-policy: continuous;" | 11h40-12h20 <br />
| align="left" style="background: none repeat scroll 0% 0% rgb(242, 242, 242); width: 75%; -moz-background-inline-policy: continuous;" colspan="2" | '''Privacy of file sharing service''' (by Nick Nikiforakis, Katholieke Universiteit Leuven) [http://www.owasp.org/images/1/14/OWASPBeNeLux2010-Nikiforakis-FileSharing.pdf Presentation]<br />
:File sharing services are used daily by tens of thousands of people as a way of sharing files. Almost all such services, use a security-through-obscurity method of hiding the files of one user from others. For each uploaded file, the user is given a secret URL which supposedly cannot be guessed. The user can then share his uploaded file by sharing this URL with other users of his choice. Unfortunately though, a number of file sharing services are incorrectly implemented allowing an attacker to guess valid URLs of millions of files and thus allowing him to enumerate their file database and access all of the uploaded files. In this paper, we study some of these services and we record their incorrect implementations. We design automatic enumerators for two such services and a privacy-classifying module which characterises an uploaded file as private or public. Using this technique we gain access to thousands of private files ranging from private and company documents to personal photographs. We present a taxonomy of the private files found and ways that the users and services can protect themselves against such attacks.<br />
|-<br />
| style="background: none repeat scroll 0% 0% rgb(123, 138, 189); width: 15%; -moz-background-inline-policy: continuous;" | 12h20-13h00 <br />
| align="left" style="background: none repeat scroll 0% 0% rgb(242, 242, 242); width: 75%; -moz-background-inline-policy: continuous;" colspan="2" | '''Finding Backdoors in Code''' (by Matias Madou, Fortify) [http://www.owasp.org/images/8/8f/OWASPBeNeLux2010-Madou-RepellingTheWilyInsider.pdf Presentation]<br />
:Insiders who write code, whether they are developers working for an enterprise or contributors to an open source project, have an almost unlimited number of ways to put chinks in the armor of their software. Many times, these holes are put in place for seemingly good reasons—to facilitate easy debugging, make working from home easier, or as a failsafe in case other mechanisms for interfacing with the system fail. Worse still, malicious insiders can plant logic bombs or insert backdoors so that they can embezzle funds, steal private information, or exact revenge if they become disgruntled.<BR><br />
:Whether unintentional or malicious, code that performs questionable behavior or permits unauthorized access can be introduced with relative ease and can persist in a code base almost indefinitely without being discovered. Until it's too late. In this talk, we discuss techniques for applying static analysis to program source code to assist auditors hunting for backdoors, logic bombs, and other threats introduced by insiders. We give detailed examples of insider threats that have been uncovered in real software systems, outline possible motives for malicious insiders, and discuss how external stimuli like layoffs are increasing the attention paid to insider threats. We conclude the talk with results of applying the detection techniques discussed in this talk to real-world software. <br />
|-<br />
| style="background: none repeat scroll 0% 0% rgb(123, 138, 189); width: 15%; -moz-background-inline-policy: continuous;" | 13h00-14h00 <br />
| align="left" style="background: none repeat scroll 0% 0% rgb(194, 194, 194); width: 75%; -moz-background-inline-policy: continuous;" colspan="2" | '''Lunch'''<br />
|-<br />
| style="background: none repeat scroll 0% 0% rgb(123, 138, 189); width: 15%; -moz-background-inline-policy: continuous;" | 14h00-14h40 <br />
| align="left" style="background: none repeat scroll 0% 0% rgb(242, 242, 242); width: 75%; -moz-background-inline-policy: continuous;" colspan="2" | '''How NOT to implement a Payback/Cashback System''' (by Thierry Zoller)<br />
:Casback is a name given to progams where participants will earn points for every net euro/dollar in purchases made. There are many ways this can go wrong. We will revisit the design, architecture of common Cashback systems on every operational level. We will take one particular interesting Payback program as an example and show how NOT to deploy. Death by a thousand cuts.<br><br />
:Beware : Hilarity will ensue.<br />
|-<br />
| style="background: none repeat scroll 0% 0% rgb(123, 138, 189); width: 15%; -moz-background-inline-policy: continuous;" | 14h40-15h20 <br />
| align="left" style="background: none repeat scroll 0% 0% rgb(242, 242, 242); width: 75%; -moz-background-inline-policy: continuous;" colspan="2" | '''Botnets/Bredolab''' (by Michael Sandee, Fox-IT)<br />
:Botnets are a hot debated topic, with much controversies on how to fight them. Recently there was headline news regarding the takedown of the Bredolab botnet, which caused a lot of discussion and contained a lot of conflicting views on the subject. During this presentation the facts of this Bredolab botnet takedown will be discussed, alongside the views of a Cybercriminal on how to setup your own botnet. You will be given a crash-course Cybercrime in 30 minutes.<br><br />
|-<br />
| style="background: none repeat scroll 0% 0% rgb(123, 138, 189); width: 15%; -moz-background-inline-policy: continuous;" | 15h20-16h00 <br />
| align="left" style="background: none repeat scroll 0% 0% rgb(242, 242, 242); width: 75%; -moz-background-inline-policy: continuous;" colspan="2" | '''0wning Networks with VoIP and Web attacks''' (by Radu State, University of Luxembourg) [http://www.owasp.org/images/6/6a/OWASPBeNeLux2010-State-VoipHacking.pdf Presentation]<br />
:Voice over IP is the current de facto technology for delivering voice data in both enterprise and service provider infrastructure. Although , security threats specific to VoIP signalling have been known for a while, few is known about cross-layer attacks in which Web enabled VoIP devices allow for efficient attacks against the VoIP infrastructure and general IT networks .<br />
:This talk will give a short introduction to VoIP and continue with a series of attacks that leverage SIP as efficient transport vehicle for billing attacks , disclosure attacks and network penetration. The talk will show how one single phone call can compromise even the best secured and hardened network perimeter .<br />
|-<br />
| style="background: none repeat scroll 0% 0% rgb(123, 138, 189); width: 15%; -moz-background-inline-policy: continuous;" | 16h00-16h20 <br />
| align="left" style="background: none repeat scroll 0% 0% rgb(194, 194, 194); width: 75%; -moz-background-inline-policy: continuous;" colspan="2" | '''Coffee Break'''<br />
|-<br />
| style="background: none repeat scroll 0% 0% rgb(123, 138, 189); width: 15%; -moz-background-inline-policy: continuous;" | 16h20-17h00 <br />
| align="left" style="background: none repeat scroll 0% 0% rgb(242, 242, 242); width: 75%; -moz-background-inline-policy: continuous;" colspan="2" | '''The Social Networking Corporate Threat''' (by Chen Gour-Arie, Comsec Consulting)<br />
:Social Networking Sites (SNS) and Web 2.0 platforms have been growing rapidly over the past few years, with multi-millions utilizing these platforms on a daily basis. In this talk, we will present some of the threats that SNS introduces to the corporate environment. <br />
|-<br />
| style="background: none repeat scroll 0% 0% rgb(123, 138, 189); width: 15%; -moz-background-inline-policy: continuous;" | 17h00-17h40 <br />
| align="left" style="background: none repeat scroll 0% 0% rgb(242, 242, 242); width: 75%; -moz-background-inline-policy: continuous;" colspan="2" | '''Attacking is easy, defending is hard''' (by Walter Belgers, Madison Gurkha)<br />
:An attacker has an easy job. They need only find one security hole, and they've broken the system. The system, application and network administrators :have a much harder task. They have to find not just one, but each and every one of the holes. Preferably before the bad guys do.<br />
:And, these holes can be at several different layers. In the presentation, we will look at those layers (system level, application level, but also user :level) and observe what goes wrong and how to fix it. The observations come from the daily work at Madison Gurkha.<br />
:Examples of problems are lack of patches, problems during the development phase, susceptibility to social engineering attacks and more. <br />
|-<br />
| style="background: none repeat scroll 0% 0% rgb(123, 138, 189); width: 15%; -moz-background-inline-policy: continuous;" | 17h40-17h50 <br />
| align="left" style="background: none repeat scroll 0% 0% rgb(242, 242, 242); width: 75%; -moz-background-inline-policy: continuous;" colspan="2" | '''Closing''' (by Martin Knobloch and Ferdinand Vroom, OWASP NL Chapter)<br />
<br />
|}<br />
==== Speakers ====<br />
{|<br />
|-<br />
|'''Sebastien Deleersnyder (OWASP Board, SAIT Zenitel)''' <br />
|-<br />
|Sebastien started the successful Belgian OWASP Chapter and performed several public presentations on web application and web services security. Sebastien specialises in (web) application security, combining his software development and information security experience. He is currently OWASP Foundation board member and Managing Technical Consultant at SAIT Zenitel.<br />
|}<br />
{|<br />
|-<br />
|'''Radu State (University of Luxembourg)''' <br />
|-<br />
|Radu received his PhD degree from INRIA, Nancy – University Henri Poincaré in 2001.<br><br />
Radu has held positions as Research Engineer and Senior Engineer at INRIA-LORIA and has been working as Senior Researcher at the University of Luxembourg, FSTC-CSC Research Unit from October 2008 to September 2010. Radu's research activity will be on one side investigate interoperability aspects to supply security components in the area of ubiquitous computing and on the other side set up a project specific interoperability research lab in close cooperation with industry.<br />
|}<br />
{|<br />
|-<br />
|'''Nick Nikiforakis (Katholieke Universiteit Leuven)''' <br />
|-<br />
|Nick Nikiforakis is a PhD student at the Katholieke Universiteit Leuven, in Belgium. He belongs to the DistriNet research group and specifically in the “Security & Languages” task-force. His current research interests are: low-level security for unsafe languages and web application security. <br><br />
Nick holds a BSc in Computer Science and a MSc on Distributed Systems from the University of Crete in Greece. He worked for 3 years as a research assistant in the Distributed Computing Systems group at the Foundation of Research and Technology in Crete where he did research in network data visualization, authentication schemes using mobile devices and phishing countermeasures. In the past, Nick has presented his work in academic conferences as well as hacking conventions. His work can be found online at www.securitee.org.<br />
|}<br />
{|<br />
|-<br />
|'''Matias Madou (Fortify)''' <br />
|-<br />
|Matias Madou is principal security researcher at Fortify's Security Research Group, which is responsible for building security knowledge into Fortify's products. His work focuses on developing new techniques to detect vulnerabilities. Matias holds a Ph.D. in computer engineering from Ghent University, where he studied application security through program obfuscation to hide the inner workings of an application. During his Ph.D., he collaborated with top research and industry players in the field of program obfuscation. <br />
|}<br />
{|<br />
|-<br />
|'''Marco Balduzzi (Eurecom)''' <br />
|-<br />
|<br />
Marco Balduzzi is an IT security specialist with several years of experience as engineer and consultant for different international<br />
companies located in Milan, Munich and Nice. At the moment, he is a PhD researcher in EURECOM and a proud member of the [http://www.iseclab.org International Secure System Lab]. He designs systems for the detection of botnets/malware, the analysis of<br />
web threats and the security of cloud computing. <br><br />
Marco owns a MSc in Computer Engineering from the University of Bergamo and is a co-founder of the Bergamo Linux User Group. He contributed to several Free Software projects (e.g. Nast) and has been involved in many underground non-profit organizations.<br />
|}<br />
{|<br />
|-<br />
|'''Walter Belgers (Madison Gurkha) ''' <br />
|-<br />
|Walter Belgers heeft Technische Informatica gestudeerd aan de Technische Universiteit Eindhoven met als extra vak o.a. Computercriminaliteit (Universiteit van Tilburg). Walter is in 1994 begonnen bij Philips C&P (tegenwoordig Atos Origin) als ontwikkelaar van wereldwijde firewall-diensten en de uitrol daarvan. Daarna heeft hij enkele jaren lesgegeven op het gebied van UNIX en Internet beveiliging bij AT Computing. In 2002 is hij toegetreden tot Madison Gurkha als partner. Naast zijn technische consultancy-activiteiten, houdt Walter zich bezig met het schrijven van artikelen en columns, het geven van lezingen en voorlichten van de pers. Walter is gecertificeerd security professional (CISSP) en security auditor (CISA).<br />
|}<br />
{|<br />
|-<br />
|'''Martin Knobloch (Sogeti Nederland B.V.) ''' <br />
|-<br />
|Martin Knobloch is employed at Sogeti Netherlands as Senior Security Consultant. He is founder and thought leader of the Sogeti task force PaSS, Proactive Security Strategy, with an integral solution of information security within organisation, infrastructure and software. <br><br />
At OWASP, Martin is board member of the OWASP Netherlands Chapter and member of the Global Education Committee.<br />
|}<br />
{|<br />
|-<br />
|'''Michael Sandee (Fox-IT)'''<br />
|-<br />
|Michael Sandee, Lead Expert Cybercrime at Fox-IT, has been working analyzing Cybercrime for over 5 years. With day-to-day analysis of malware and cybercrime activities he has developed a good understanding on how the underground economy operates and how large this market is, and also how we are affected by this every day.<br />
|}<br />
{|<br />
|-<br />
|'''Chen Gour-Arie (Comsec Consulting)'''<br />
|-<br />
|Chen Gour-Arie has years of experience in information security, with a specific expertise in application level security. Chen<br />
has conducted projects in all areas of information security, in diverse environments, utilizing a wide range of professional<br />
tools. Some of his notable projects have focused on: complex penetration testing, comprehensive White Box audits,<br />
network security, policy and procedure formulation, manual and automated security testing, security evaluation of<br />
products, leading secure software development lifecycles, infrastructure security audits, risk assessments, PCI and PA-DSS<br />
consulting, and more.<br />
|}<br />
==== CTF ====<br />
During both days, a '''C'''apture '''T'''he '''F'''lag challenge will be online and available!<br />
<br><br />
Do you have the skills to hack websites? Can you crack various codes? Can you think outside the box? Do you like challenges?<br><br />
Then come and participate in the OWASP Capture The Flag Competition. Test your webhacking/codecracking skills against various challenges. Compete against yourself and others. The CTF will run the complete conference, so you can logon and play anytime you want. We will announce the winner at the last day of the conference. The winner will earn $100 worth of OWASP books and gets a OWASP membership for a year, the runner up wins $50 of OWASP books and gets a OWASP membership for a year, the person on third place will win a OWASP membership for a year.<br><br />
So come and play and earn the bragging rights for the OWASP CTF Challenge at OWASP BeNeLux 2010.<br><br />
<br><br />
<br><br />
==== Registration ====<br />
<center><br />
'''The training day and the conference are free!'''&nbsp;<br />
<br />
<br> <br />
<br />
[http://owaspbenelux.eventbrite.com?ref=ebtn http://www.owasp.org/images/7/77/Buttoncreate.png] <br />
<br />
<br> To support the OWASP organisation, consider to become a member, it's only US$50!<br> Check out the [[Membership]] page to find out more.<br> <br />
<br />
<br> <br />
</center> <br />
==== Venue ====<br />
<center><br />
'''Hogeschool Fontys''' <br> <br />
Building R5 , Rachelsmolen 1 <br><br />
5612 AM Eindhoven, The Netherlands<br> <br />
<br />
[http://maps.google.com/maps?f=q&source=s_q&hl=nl&geocode=&q=Hogeschool+Fontys,+Rachelsmolen+1,+5612+AM+Eindhoven&sll=51.502694,5.262446&sspn=0.541971,0.907745&ie=UTF8&hq=Hogeschool+Fontys,&hnear=Rachelsmolen+1,+Woenselse+Watermolen,+Eindhoven,+Noord-Brabant,+Nederland&ll=51.453071,5.481298&spn=0.008478,0.014184&t=h&z=16&iwloc=A '''Campus Rachelsmolen''']<br><br />
<br />
</center> <br />
<br> '''Hotels nearby''': [http://maps.google.com/maps?near=Rachelsmolen+1,+5612+MA+Eindhoven,+Nederland+(Fontys+Hogescholen+|+Campus+Rachelsmolen)&geocode=CYt8kT41vzHwFdMZEQMdSaNTACF7CO7YoPOYHA&q=hotel&f=l&dq=Hogeschool+Fontys,+loc:+Rachelsmolen+1,+5612+AM+Eindhoven&sll=51.452371,5.481289&sspn=0.006295,0.006295&ie=UTF8&hq=hotel&hnear=&t=h&z=14 maps.google.nl/maps]<br> <br />
<br />
==== Organisation ====<br />
<br />
The BeNeLux Day 2010 Program Committee: <br />
<br />
*Martin Knobloch / Ferdinand Vroom ([[Netherlands|OWASP Netherlands]]) <br />
*Bart De Win / Sebastien Deleersnyder ([[Belgium|OWASP Belgium]]) <br />
*Jocelyn Aubert / Andre Adelsbach ([[Luxembourg|OWASP Luxembourg]])<br />
<br />
==== Sponsorship ====<br />
<br />
Contact netherlands &lt;at&gt; owasp.org for sponsorship <br />
<br />
<paypal>BeNeLux OWASP Day 2010</paypal> <br />
<br />
==== Social Event ====<br />
<br />
The social event is scheduled for Wednesday, 1st of December:<br />
[http://www.effenaar.nl/over-de-effenaar Effenaar], starting from 7 pm!<br />
<br />
<br />
<br> <headertabs /> <br />
<center>Made possible by our [http://www.owasp.org/index.php/BeNeLux_OWASP_Day_2010#tab=Sponsorship sponsors]:<br> <br />
{{MemberLinks|link=http://www.ascure.com|logo=Ascure_Logo.jpg}}<br />
[http://www.f5.com http://www.owasp.org/images/7/7e/50px-F5_50px.jpg]<br />
[http://www.zionsecurity.com http://www.owasp.org/images/e/e6/Zionsecurity.jpg]<br />
[http://www.radware.com http://www.owasp.org/images/8/82/Rad_logo.gif]<br />
[http://www.zenitelbelgium.com http://www.owasp.org/images/d/df/SAIT_Zenitel.jpg]<br />
[http://www.sogeti.nl http://www.owasp.org/images/3/31/Sogeti_Nederland_b_v_Logo.jpg]<br />
[http://www.comsec.nl/ http://www.owasp.org/images/c/c1/Comsec.gif]<br />
[http://www.fortify.com/ http://www.owasp.org/images/c/cf/Fortify_HP_cmyk1-200.jpg]<br />
<br />
<br />
<br><br> '''Supported by:'''<br><br />
[[File:Bnl10 Fontys.jpg|200px]]<br />
<br />
<br> <br />
</center> <br />
[[Category:OWASP_AppSec_Conference]] [[Category:OWASP_BeNeLux_Archives]]</div>Bart De Winhttps://wiki.owasp.org/index.php?title=BeNeLux_OWASP_Day_2010&diff=95745BeNeLux OWASP Day 20102010-12-08T21:30:43Z<p>Bart De Win: </p>
<hr />
<div>__NOTOC__ <br />
<center>[[File:OWASP_BeNeLux_2010.jpg]]<br></center> <br />
<br> <!-- Header --> <br />
<br />
==== Welcome ====<br />
<br />
<br> <br />
<center><br />
===blog===<br />
Xavier did blog a nice wrap-up of the BeNeLux day: see his [http://blog.rootshell.be/2010/12/03/owasp-benelux-day-2010-wrap-up/ blog].<br />
<br />
If you know of other coverage, photo's: send them to seba@owasp.org<br />
<br />
===Tweet!===<br />
Event tag is [http://twitter.com/#search?q=%23owaspbnl10 #owaspbnl10]<br />
<br />
===Confirmed Speakers:===<br />
Sebastien Deleersnyder (OWASP Board, SAIT Zenitel)<br> Radu State (University of Luxembourg)<br> N Nikiforakis (Katholieke Universiteit Leuven)<br> Marco Balduzzi (Eurecom)<br> Walter Belgers (Madison Gurkha)<br> Thierry Zoller<br> ... <br />
<br />
Download the conference flyer [http://www.owasp.org/images/8/8d/OWASP_BeNeLux_2010_flyer_v1.5%282%29.jpg here].<br> All the presentations will be available for download in the [http://www.owasp.org/index.php/BeNeLux_OWASP_Day_2010#tab=Conference.2C_December_2nd agenda] tab. <br />
<br />
<br> <br> <br />
</center> <br />
<br> <br />
<br />
==== Training, December 1st ====<br />
<br />
{{:Benelux Training}}<br />
<br />
==== Conference, December 2nd ====<br />
<br />
{| border="0" align="center" style="width: 80%;"<br />
|-<br />
! align="center" colspan="3" | '''Location''' - December 2nd, 2010<br />
|-<br />
| style="background: none repeat scroll 0% 0% rgb(123, 138, 189); width: 15%; -moz-background-inline-policy: continuous;" | 09h00-10h00 <br />
| align="left" style="background: none repeat scroll 0% 0% rgb(194, 194, 194); width: 75%; -moz-background-inline-policy: continuous;" colspan="2" | '''Registration'''<br />
|-<br />
| style="background: none repeat scroll 0% 0% rgb(123, 138, 189); width: 15%; -moz-background-inline-policy: continuous;" | 10h00-10h15 <br />
| align="left" style="background: none repeat scroll 0% 0% rgb(242, 242, 242); width: 75%; -moz-background-inline-policy: continuous;" colspan="2" | '''Welcome''' (by Martin Knobloch and Ferdinand Vroom, OWASP NL Chapter)<br />
|-<br />
| style="background: none repeat scroll 0% 0% rgb(123, 138, 189); width: 15%; -moz-background-inline-policy: continuous;" | 10h15-10h45 <br />
| align="left" style="background: none repeat scroll 0% 0% rgb(242, 242, 242); width: 75%; -moz-background-inline-policy: continuous;" colspan="2" | '''OWASP Update''' (by Seba Deleersnyder, OWASP Board, SAIT Zenitel)<br />
|-<br />
| style="background: none repeat scroll 0% 0% rgb(123, 138, 189); width: 15%; -moz-background-inline-policy: continuous;" | 10h45-11h00 <br />
| align="left" style="background: none repeat scroll 0% 0% rgb(194, 194, 194); width: 75%; -moz-background-inline-policy: continuous;" colspan="2" | '''Coffee Break'''<br />
|-<br />
| style="background: none repeat scroll 0% 0% rgb(123, 138, 189); width: 15%; -moz-background-inline-policy: continuous;" | 11h00-11h40 <br />
| align="left" style="background: none repeat scroll 0% 0% rgb(242, 242, 242); width: 75%; -moz-background-inline-policy: continuous;" colspan="2" | '''Clickjacking: an empirical study with an automated testing/detection system''' (by Marco Balduzzi, Eurecom) [http://www.owasp.org/images/d/d2/OWASPBeNeLux2010-Balduzzi-Clickjacking.pdf Presentation]<br />
:Clickjacking recently received new media attentions: Thousands of Facebook users have fallen victims of a worm that uses clickjacking techniques to propagate.<br />
:In a clickjacking attack, a malicious page is constructed (or a benign page is hijacked) to trick the user into performing unintended clicks that are advantageous for the attacker, such as propagating a web worm, stealing confidential information or abusing of the user session.<br />
:However it is currently unclear to what extent clickjacking is being used by attackers in the wild and how significant the attack is for the security of Internet users.<br />
:In this talk, we presents a solution we designed for studying the prevalence of clickjacking on the Internet and for detecting possible malicious pages in an automated fashion. We deployed our system over 10 distinct virtual machines to test more then a million unique web-pages in two months. From the analysis of our experimental results we discuss the clickjacking phenomenon and its future implications.<br />
|-<br />
| style="background: none repeat scroll 0% 0% rgb(123, 138, 189); width: 15%; -moz-background-inline-policy: continuous;" | 11h40-12h20 <br />
| align="left" style="background: none repeat scroll 0% 0% rgb(242, 242, 242); width: 75%; -moz-background-inline-policy: continuous;" colspan="2" | '''Privacy of file sharing service''' (by Nick Nikiforakis, Katholieke Universiteit Leuven) [http://www.owasp.org/images/1/14/OWASPBeNeLux2010-Nikiforakis-FileSharing.pdf Presentation]<br />
:File sharing services are used daily by tens of thousands of people as a way of sharing files. Almost all such services, use a security-through-obscurity method of hiding the files of one user from others. For each uploaded file, the user is given a secret URL which supposedly cannot be guessed. The user can then share his uploaded file by sharing this URL with other users of his choice. Unfortunately though, a number of file sharing services are incorrectly implemented allowing an attacker to guess valid URLs of millions of files and thus allowing him to enumerate their file database and access all of the uploaded files. In this paper, we study some of these services and we record their incorrect implementations. We design automatic enumerators for two such services and a privacy-classifying module which characterises an uploaded file as private or public. Using this technique we gain access to thousands of private files ranging from private and company documents to personal photographs. We present a taxonomy of the private files found and ways that the users and services can protect themselves against such attacks.<br />
|-<br />
| style="background: none repeat scroll 0% 0% rgb(123, 138, 189); width: 15%; -moz-background-inline-policy: continuous;" | 12h20-13h00 <br />
| align="left" style="background: none repeat scroll 0% 0% rgb(242, 242, 242); width: 75%; -moz-background-inline-policy: continuous;" colspan="2" | '''Finding Backdoors in Code''' (by Matias Madou, Fortify) [http://www.owasp.org/images/8/8f/OWASPBeNeLux2010-Madou-RepellingTheWilyInsider.pdf Presentation]<br />
:Insiders who write code, whether they are developers working for an enterprise or contributors to an open source project, have an almost unlimited number of ways to put chinks in the armor of their software. Many times, these holes are put in place for seemingly good reasons—to facilitate easy debugging, make working from home easier, or as a failsafe in case other mechanisms for interfacing with the system fail. Worse still, malicious insiders can plant logic bombs or insert backdoors so that they can embezzle funds, steal private information, or exact revenge if they become disgruntled.<BR><br />
:Whether unintentional or malicious, code that performs questionable behavior or permits unauthorized access can be introduced with relative ease and can persist in a code base almost indefinitely without being discovered. Until it's too late. In this talk, we discuss techniques for applying static analysis to program source code to assist auditors hunting for backdoors, logic bombs, and other threats introduced by insiders. We give detailed examples of insider threats that have been uncovered in real software systems, outline possible motives for malicious insiders, and discuss how external stimuli like layoffs are increasing the attention paid to insider threats. We conclude the talk with results of applying the detection techniques discussed in this talk to real-world software. <br />
|-<br />
| style="background: none repeat scroll 0% 0% rgb(123, 138, 189); width: 15%; -moz-background-inline-policy: continuous;" | 13h00-14h00 <br />
| align="left" style="background: none repeat scroll 0% 0% rgb(194, 194, 194); width: 75%; -moz-background-inline-policy: continuous;" colspan="2" | '''Lunch'''<br />
|-<br />
| style="background: none repeat scroll 0% 0% rgb(123, 138, 189); width: 15%; -moz-background-inline-policy: continuous;" | 14h00-14h40 <br />
| align="left" style="background: none repeat scroll 0% 0% rgb(242, 242, 242); width: 75%; -moz-background-inline-policy: continuous;" colspan="2" | '''How NOT to implement a Payback/Cashback System''' (by Thierry Zoller)<br />
:Casback is a name given to progams where participants will earn points for every net euro/dollar in purchases made. There are many ways this can go wrong. We will revisit the design, architecture of common Cashback systems on every operational level. We will take one particular interesting Payback program as an example and show how NOT to deploy. Death by a thousand cuts.<br><br />
:Beware : Hilarity will ensue.<br />
|-<br />
| style="background: none repeat scroll 0% 0% rgb(123, 138, 189); width: 15%; -moz-background-inline-policy: continuous;" | 14h40-15h20 <br />
| align="left" style="background: none repeat scroll 0% 0% rgb(242, 242, 242); width: 75%; -moz-background-inline-policy: continuous;" colspan="2" | '''Botnets/Bredolab''' (by Michael Sandee, Fox-IT)<br />
:Botnets are a hot debated topic, with much controversies on how to fight them. Recently there was headline news regarding the takedown of the Bredolab botnet, which caused a lot of discussion and contained a lot of conflicting views on the subject. During this presentation the facts of this Bredolab botnet takedown will be discussed, alongside the views of a Cybercriminal on how to setup your own botnet. You will be given a crash-course Cybercrime in 30 minutes.<br><br />
|-<br />
| style="background: none repeat scroll 0% 0% rgb(123, 138, 189); width: 15%; -moz-background-inline-policy: continuous;" | 15h20-16h00 <br />
| align="left" style="background: none repeat scroll 0% 0% rgb(242, 242, 242); width: 75%; -moz-background-inline-policy: continuous;" colspan="2" | '''0wning Networks with VoIP and Web attacks''' (by Radu State, University of Luxembourg) [http://www.owasp.org/images/6/6a/OWASPBeNeLux2010-State-VoipHacking.pdf Presentation]<br />
:Voice over IP is the current de facto technology for delivering voice data in both enterprise and service provider infrastructure. Although , security threats specific to VoIP signalling have been known for a while, few is known about cross-layer attacks in which Web enabled VoIP devices allow for efficient attacks against the VoIP infrastructure and general IT networks .<br />
:This talk will give a short introduction to VoIP and continue with a series of attacks that leverage SIP as efficient transport vehicle for billing attacks , disclosure attacks and network penetration. The talk will show how one single phone call can compromise even the best secured and hardened network perimeter .<br />
|-<br />
| style="background: none repeat scroll 0% 0% rgb(123, 138, 189); width: 15%; -moz-background-inline-policy: continuous;" | 16h00-16h20 <br />
| align="left" style="background: none repeat scroll 0% 0% rgb(194, 194, 194); width: 75%; -moz-background-inline-policy: continuous;" colspan="2" | '''Coffee Break'''<br />
|-<br />
| style="background: none repeat scroll 0% 0% rgb(123, 138, 189); width: 15%; -moz-background-inline-policy: continuous;" | 16h20-17h00 <br />
| align="left" style="background: none repeat scroll 0% 0% rgb(242, 242, 242); width: 75%; -moz-background-inline-policy: continuous;" colspan="2" | '''The Social Networking Corporate Threat''' (by Chen Gour-Arie, Comsec Consulting)<br />
:Social Networking Sites (SNS) and Web 2.0 platforms have been growing rapidly over the past few years, with multi-millions utilizing these platforms on a daily basis. In this talk, we will present some of the threats that SNS introduces to the corporate environment. <br />
|-<br />
| style="background: none repeat scroll 0% 0% rgb(123, 138, 189); width: 15%; -moz-background-inline-policy: continuous;" | 17h00-17h40 <br />
| align="left" style="background: none repeat scroll 0% 0% rgb(242, 242, 242); width: 75%; -moz-background-inline-policy: continuous;" colspan="2" | '''Attacking is easy, defending is hard''' (by Walter Belgers, Madison Gurkha)<br />
:An attacker has an easy job. They need only find one security hole, and they've broken the system. The system, application and network administrators :have a much harder task. They have to find not just one, but each and every one of the holes. Preferably before the bad guys do.<br />
:And, these holes can be at several different layers. In the presentation, we will look at those layers (system level, application level, but also user :level) and observe what goes wrong and how to fix it. The observations come from the daily work at Madison Gurkha.<br />
:Examples of problems are lack of patches, problems during the development phase, susceptibility to social engineering attacks and more. <br />
|-<br />
| style="background: none repeat scroll 0% 0% rgb(123, 138, 189); width: 15%; -moz-background-inline-policy: continuous;" | 17h40-17h50 <br />
| align="left" style="background: none repeat scroll 0% 0% rgb(242, 242, 242); width: 75%; -moz-background-inline-policy: continuous;" colspan="2" | '''Closing''' (by Martin Knobloch and Ferdinand Vroom, OWASP NL Chapter)<br />
<br />
|}<br />
==== Speakers ====<br />
{|<br />
|-<br />
|'''Sebastien Deleersnyder (OWASP Board, SAIT Zenitel)''' <br />
|-<br />
|Sebastien started the successful Belgian OWASP Chapter and performed several public presentations on web application and web services security. Sebastien specialises in (web) application security, combining his software development and information security experience. He is currently OWASP Foundation board member and Managing Technical Consultant at SAIT Zenitel.<br />
|}<br />
{|<br />
|-<br />
|'''Radu State (University of Luxembourg)''' <br />
|-<br />
|Radu received his PhD degree from INRIA, Nancy – University Henri Poincaré in 2001.<br><br />
Radu has held positions as Research Engineer and Senior Engineer at INRIA-LORIA and has been working as Senior Researcher at the University of Luxembourg, FSTC-CSC Research Unit from October 2008 to September 2010. Radu's research activity will be on one side investigate interoperability aspects to supply security components in the area of ubiquitous computing and on the other side set up a project specific interoperability research lab in close cooperation with industry.<br />
|}<br />
{|<br />
|-<br />
|'''Nick Nikiforakis (Katholieke Universiteit Leuven)''' <br />
|-<br />
|Nick Nikiforakis is a PhD student at the Katholieke Universiteit Leuven, in Belgium. He belongs to the DistriNet research group and specifically in the “Security & Languages” task-force. His current research interests are: low-level security for unsafe languages and web application security. <br><br />
Nick holds a BSc in Computer Science and a MSc on Distributed Systems from the University of Crete in Greece. He worked for 3 years as a research assistant in the Distributed Computing Systems group at the Foundation of Research and Technology in Crete where he did research in network data visualization, authentication schemes using mobile devices and phishing countermeasures. In the past, Nick has presented his work in academic conferences as well as hacking conventions. His work can be found online at www.securitee.org.<br />
|}<br />
{|<br />
|-<br />
|'''Matias Madou (Fortify)''' <br />
|-<br />
|Matias Madou is principal security researcher at Fortify's Security Research Group, which is responsible for building security knowledge into Fortify's products. His work focuses on developing new techniques to detect vulnerabilities. Matias holds a Ph.D. in computer engineering from Ghent University, where he studied application security through program obfuscation to hide the inner workings of an application. During his Ph.D., he collaborated with top research and industry players in the field of program obfuscation. <br />
|}<br />
{|<br />
|-<br />
|'''Marco Balduzzi (Eurecom)''' <br />
|-<br />
|<br />
Marco Balduzzi is an IT security specialist with several years of experience as engineer and consultant for different international<br />
companies located in Milan, Munich and Nice. At the moment, he is a PhD researcher in EURECOM and a proud member of the [http://www.iseclab.org International Secure System Lab]. He designs systems for the detection of botnets/malware, the analysis of<br />
web threats and the security of cloud computing. <br><br />
Marco owns a MSc in Computer Engineering from the University of Bergamo and is a co-founder of the Bergamo Linux User Group. He contributed to several Free Software projects (e.g. Nast) and has been involved in many underground non-profit organizations.<br />
|}<br />
{|<br />
|-<br />
|'''Walter Belgers (Madison Gurkha) ''' <br />
|-<br />
|Walter Belgers heeft Technische Informatica gestudeerd aan de Technische Universiteit Eindhoven met als extra vak o.a. Computercriminaliteit (Universiteit van Tilburg). Walter is in 1994 begonnen bij Philips C&P (tegenwoordig Atos Origin) als ontwikkelaar van wereldwijde firewall-diensten en de uitrol daarvan. Daarna heeft hij enkele jaren lesgegeven op het gebied van UNIX en Internet beveiliging bij AT Computing. In 2002 is hij toegetreden tot Madison Gurkha als partner. Naast zijn technische consultancy-activiteiten, houdt Walter zich bezig met het schrijven van artikelen en columns, het geven van lezingen en voorlichten van de pers. Walter is gecertificeerd security professional (CISSP) en security auditor (CISA).<br />
|}<br />
{|<br />
|-<br />
|'''Martin Knobloch (Sogeti Nederland B.V.) ''' <br />
|-<br />
|Martin Knobloch is employed at Sogeti Netherlands as Senior Security Consultant. He is founder and thought leader of the Sogeti task force PaSS, Proactive Security Strategy, with an integral solution of information security within organisation, infrastructure and software. <br><br />
At OWASP, Martin is board member of the OWASP Netherlands Chapter and member of the Global Education Committee.<br />
|}<br />
{|<br />
|-<br />
|'''Michael Sandee (Fox-IT)'''<br />
|-<br />
|Michael Sandee, Lead Expert Cybercrime at Fox-IT, has been working analyzing Cybercrime for over 5 years. With day-to-day analysis of malware and cybercrime activities he has developed a good understanding on how the underground economy operates and how large this market is, and also how we are affected by this every day.<br />
|}<br />
{|<br />
|-<br />
|'''Chen Gour-Arie (Comsec Consulting)'''<br />
|-<br />
|Chen Gour-Arie has years of experience in information security, with a specific expertise in application level security. Chen<br />
has conducted projects in all areas of information security, in diverse environments, utilizing a wide range of professional<br />
tools. Some of his notable projects have focused on: complex penetration testing, comprehensive White Box audits,<br />
network security, policy and procedure formulation, manual and automated security testing, security evaluation of<br />
products, leading secure software development lifecycles, infrastructure security audits, risk assessments, PCI and PA-DSS<br />
consulting, and more.<br />
|}<br />
==== CTF ====<br />
During both days, a '''C'''apture '''T'''he '''F'''lag challenge will be online and available!<br />
<br><br />
Do you have the skills to hack websites? Can you crack various codes? Can you think outside the box? Do you like challenges?<br><br />
Then come and participate in the OWASP Capture The Flag Competition. Test your webhacking/codecracking skills against various challenges. Compete against yourself and others. The CTF will run the complete conference, so you can logon and play anytime you want. We will announce the winner at the last day of the conference. The winner will earn $100 worth of OWASP books and gets a OWASP membership for a year, the runner up wins $50 of OWASP books and gets a OWASP membership for a year, the person on third place will win a OWASP membership for a year.<br><br />
So come and play and earn the bragging rights for the OWASP CTF Challenge at OWASP BeNeLux 2010.<br><br />
<br><br />
<br><br />
==== Registration ====<br />
<center><br />
'''The training day and the conference are free!'''&nbsp;<br />
<br />
<br> <br />
<br />
[http://owaspbenelux.eventbrite.com?ref=ebtn http://www.owasp.org/images/7/77/Buttoncreate.png] <br />
<br />
<br> To support the OWASP organisation, consider to become a member, it's only US$50!<br> Check out the [[Membership]] page to find out more.<br> <br />
<br />
<br> <br />
</center> <br />
==== Venue ====<br />
<center><br />
'''Hogeschool Fontys''' <br> <br />
Building R5 , Rachelsmolen 1 <br><br />
5612 AM Eindhoven, The Netherlands<br> <br />
<br />
[http://maps.google.com/maps?f=q&source=s_q&hl=nl&geocode=&q=Hogeschool+Fontys,+Rachelsmolen+1,+5612+AM+Eindhoven&sll=51.502694,5.262446&sspn=0.541971,0.907745&ie=UTF8&hq=Hogeschool+Fontys,&hnear=Rachelsmolen+1,+Woenselse+Watermolen,+Eindhoven,+Noord-Brabant,+Nederland&ll=51.453071,5.481298&spn=0.008478,0.014184&t=h&z=16&iwloc=A '''Campus Rachelsmolen''']<br><br />
<br />
</center> <br />
<br> '''Hotels nearby''': [http://maps.google.com/maps?near=Rachelsmolen+1,+5612+MA+Eindhoven,+Nederland+(Fontys+Hogescholen+|+Campus+Rachelsmolen)&geocode=CYt8kT41vzHwFdMZEQMdSaNTACF7CO7YoPOYHA&q=hotel&f=l&dq=Hogeschool+Fontys,+loc:+Rachelsmolen+1,+5612+AM+Eindhoven&sll=51.452371,5.481289&sspn=0.006295,0.006295&ie=UTF8&hq=hotel&hnear=&t=h&z=14 maps.google.nl/maps]<br> <br />
<br />
==== Organisation ====<br />
<br />
The BeNeLux Day 2010 Program Committee: <br />
<br />
*Martin Knobloch / Ferdinand Vroom ([[Netherlands|OWASP Netherlands]]) <br />
*Bart De Win / Sebastien Deleersnyder ([[Belgium|OWASP Belgium]]) <br />
*Jocelyn Aubert / Andre Adelsbach ([[Luxembourg|OWASP Luxembourg]])<br />
<br />
==== Sponsorship ====<br />
<br />
Contact netherlands &lt;at&gt; owasp.org for sponsorship <br />
<br />
<paypal>BeNeLux OWASP Day 2010</paypal> <br />
<br />
==== Social Event ====<br />
<br />
The social event is scheduled for Wednesday, 1st of December:<br />
[http://www.effenaar.nl/over-de-effenaar Effenaar], starting from 7 pm!<br />
<br />
<br />
<br> <headertabs /> <br />
<center>Made possible by our [http://www.owasp.org/index.php/BeNeLux_OWASP_Day_2010#tab=Sponsorship sponsors]:<br> <br />
{{MemberLinks|link=http://www.ascure.com|logo=Ascure_Logo.jpg}}<br />
[http://www.f5.com http://www.owasp.org/images/7/7e/50px-F5_50px.jpg]<br />
[http://www.zionsecurity.com http://www.owasp.org/images/e/e6/Zionsecurity.jpg]<br />
[http://www.radware.com http://www.owasp.org/images/8/82/Rad_logo.gif]<br />
[http://www.zenitelbelgium.com http://www.owasp.org/images/d/df/SAIT_Zenitel.jpg]<br />
[http://www.sogeti.nl http://www.owasp.org/images/3/31/Sogeti_Nederland_b_v_Logo.jpg]<br />
[http://www.comsec.nl/ http://www.owasp.org/images/c/c1/Comsec.gif]<br />
[http://www.fortify.com/ http://www.owasp.org/images/c/cf/Fortify_HP_cmyk1-200.jpg]<br />
<br />
<br />
<br><br> '''Supported by:'''<br><br />
[[File:Bnl10 Fontys.jpg|200px]]<br />
<br />
<br> <br />
</center> <br />
[[Category:OWASP_AppSec_Conference]] [[Category:OWASP_BeNeLux_Archives]]</div>Bart De Winhttps://wiki.owasp.org/index.php?title=BeNeLux_OWASP_Day_2010&diff=95735BeNeLux OWASP Day 20102010-12-08T21:24:43Z<p>Bart De Win: </p>
<hr />
<div>__NOTOC__ <br />
<center>[[File:OWASP_BeNeLux_2010.jpg]]<br></center> <br />
<br> <!-- Header --> <br />
<br />
==== Welcome ====<br />
<br />
<br> <br />
<center><br />
===blog===<br />
Xavier did blog a nice wrap-up of the BeNeLux day: see his [http://blog.rootshell.be/2010/12/03/owasp-benelux-day-2010-wrap-up/ blog].<br />
<br />
If you know of other coverage, photo's: send them to seba@owasp.org<br />
<br />
===Tweet!===<br />
Event tag is [http://twitter.com/#search?q=%23owaspbnl10 #owaspbnl10]<br />
<br />
===Confirmed Speakers:===<br />
Sebastien Deleersnyder (OWASP Board, SAIT Zenitel)<br> Radu State (University of Luxembourg)<br> N Nikiforakis (Katholieke Universiteit Leuven)<br> Marco Balduzzi (Eurecom)<br> Walter Belgers (Madison Gurkha)<br> Thierry Zoller<br> ... <br />
<br />
Download the conference flyer [http://www.owasp.org/images/8/8d/OWASP_BeNeLux_2010_flyer_v1.5%282%29.jpg here].<br> All the presentations will be available for download in the [http://www.owasp.org/index.php/BeNeLux_OWASP_Day_2010#tab=Conference.2C_December_2nd agenda] tab. <br />
<br />
<br> <br> <br />
</center> <br />
<br> <br />
<br />
==== Training, December 1st ====<br />
<br />
{{:Benelux Training}}<br />
<br />
==== Conference, December 2nd ====<br />
<br />
{| border="0" align="center" style="width: 80%;"<br />
|-<br />
! align="center" colspan="3" | '''Location''' - December 2nd, 2010<br />
|-<br />
| style="background: none repeat scroll 0% 0% rgb(123, 138, 189); width: 15%; -moz-background-inline-policy: continuous;" | 09h00-10h00 <br />
| align="left" style="background: none repeat scroll 0% 0% rgb(194, 194, 194); width: 75%; -moz-background-inline-policy: continuous;" colspan="2" | '''Registration'''<br />
|-<br />
| style="background: none repeat scroll 0% 0% rgb(123, 138, 189); width: 15%; -moz-background-inline-policy: continuous;" | 10h00-10h15 <br />
| align="left" style="background: none repeat scroll 0% 0% rgb(242, 242, 242); width: 75%; -moz-background-inline-policy: continuous;" colspan="2" | '''Welcome''' (by Martin Knobloch and Ferdinand Vroom, OWASP NL Chapter)<br />
|-<br />
| style="background: none repeat scroll 0% 0% rgb(123, 138, 189); width: 15%; -moz-background-inline-policy: continuous;" | 10h15-10h45 <br />
| align="left" style="background: none repeat scroll 0% 0% rgb(242, 242, 242); width: 75%; -moz-background-inline-policy: continuous;" colspan="2" | '''OWASP Update''' (by Seba Deleersnyder, OWASP Board, SAIT Zenitel)<br />
|-<br />
| style="background: none repeat scroll 0% 0% rgb(123, 138, 189); width: 15%; -moz-background-inline-policy: continuous;" | 10h45-11h00 <br />
| align="left" style="background: none repeat scroll 0% 0% rgb(194, 194, 194); width: 75%; -moz-background-inline-policy: continuous;" colspan="2" | '''Coffee Break'''<br />
|-<br />
| style="background: none repeat scroll 0% 0% rgb(123, 138, 189); width: 15%; -moz-background-inline-policy: continuous;" | 11h00-11h40 <br />
| align="left" style="background: none repeat scroll 0% 0% rgb(242, 242, 242); width: 75%; -moz-background-inline-policy: continuous;" colspan="2" | '''Clickjacking: an empirical study with an automated testing/detection system''' (by Marco Balduzzi, Eurecom) [http://www.owasp.org/images/d/d2/OWASPBeNeLux2010-Balduzzi-Clickjacking.pdf]<br />
:Clickjacking recently received new media attentions: Thousands of Facebook users have fallen victims of a worm that uses clickjacking techniques to propagate.<br />
:In a clickjacking attack, a malicious page is constructed (or a benign page is hijacked) to trick the user into performing unintended clicks that are advantageous for the attacker, such as propagating a web worm, stealing confidential information or abusing of the user session.<br />
:However it is currently unclear to what extent clickjacking is being used by attackers in the wild and how significant the attack is for the security of Internet users.<br />
:In this talk, we presents a solution we designed for studying the prevalence of clickjacking on the Internet and for detecting possible malicious pages in an automated fashion. We deployed our system over 10 distinct virtual machines to test more then a million unique web-pages in two months. From the analysis of our experimental results we discuss the clickjacking phenomenon and its future implications.<br />
|-<br />
| style="background: none repeat scroll 0% 0% rgb(123, 138, 189); width: 15%; -moz-background-inline-policy: continuous;" | 11h40-12h20 <br />
| align="left" style="background: none repeat scroll 0% 0% rgb(242, 242, 242); width: 75%; -moz-background-inline-policy: continuous;" colspan="2" | '''Privacy of file sharing service''' (by Nick Nikiforakis, Katholieke Universiteit Leuven) [http://www.owasp.org/images/1/14/OWASPBeNeLux2010-Nikiforakis-FileSharing.pdf]<br />
:File sharing services are used daily by tens of thousands of people as a way of sharing files. Almost all such services, use a security-through-obscurity method of hiding the files of one user from others. For each uploaded file, the user is given a secret URL which supposedly cannot be guessed. The user can then share his uploaded file by sharing this URL with other users of his choice. Unfortunately though, a number of file sharing services are incorrectly implemented allowing an attacker to guess valid URLs of millions of files and thus allowing him to enumerate their file database and access all of the uploaded files. In this paper, we study some of these services and we record their incorrect implementations. We design automatic enumerators for two such services and a privacy-classifying module which characterises an uploaded file as private or public. Using this technique we gain access to thousands of private files ranging from private and company documents to personal photographs. We present a taxonomy of the private files found and ways that the users and services can protect themselves against such attacks.<br />
|-<br />
| style="background: none repeat scroll 0% 0% rgb(123, 138, 189); width: 15%; -moz-background-inline-policy: continuous;" | 12h20-13h00 <br />
| align="left" style="background: none repeat scroll 0% 0% rgb(242, 242, 242); width: 75%; -moz-background-inline-policy: continuous;" colspan="2" | '''Finding Backdoors in Code''' (by Matias Madou, Fortify) [http://www.owasp.org/images/8/8f/OWASPBeNeLux2010-Madou-RepellingTheWilyInsider.pdf]<br />
:Insiders who write code, whether they are developers working for an enterprise or contributors to an open source project, have an almost unlimited number of ways to put chinks in the armor of their software. Many times, these holes are put in place for seemingly good reasons—to facilitate easy debugging, make working from home easier, or as a failsafe in case other mechanisms for interfacing with the system fail. Worse still, malicious insiders can plant logic bombs or insert backdoors so that they can embezzle funds, steal private information, or exact revenge if they become disgruntled.<BR><br />
:Whether unintentional or malicious, code that performs questionable behavior or permits unauthorized access can be introduced with relative ease and can persist in a code base almost indefinitely without being discovered. Until it's too late. In this talk, we discuss techniques for applying static analysis to program source code to assist auditors hunting for backdoors, logic bombs, and other threats introduced by insiders. We give detailed examples of insider threats that have been uncovered in real software systems, outline possible motives for malicious insiders, and discuss how external stimuli like layoffs are increasing the attention paid to insider threats. We conclude the talk with results of applying the detection techniques discussed in this talk to real-world software. <br />
|-<br />
| style="background: none repeat scroll 0% 0% rgb(123, 138, 189); width: 15%; -moz-background-inline-policy: continuous;" | 13h00-14h00 <br />
| align="left" style="background: none repeat scroll 0% 0% rgb(194, 194, 194); width: 75%; -moz-background-inline-policy: continuous;" colspan="2" | '''Lunch'''<br />
|-<br />
| style="background: none repeat scroll 0% 0% rgb(123, 138, 189); width: 15%; -moz-background-inline-policy: continuous;" | 14h00-14h40 <br />
| align="left" style="background: none repeat scroll 0% 0% rgb(242, 242, 242); width: 75%; -moz-background-inline-policy: continuous;" colspan="2" | '''How NOT to implement a Payback/Cashback System''' (by Thierry Zoller)<br />
:Casback is a name given to progams where participants will earn points for every net euro/dollar in purchases made. There are many ways this can go wrong. We will revisit the design, architecture of common Cashback systems on every operational level. We will take one particular interesting Payback program as an example and show how NOT to deploy. Death by a thousand cuts.<br><br />
:Beware : Hilarity will ensue.<br />
|-<br />
| style="background: none repeat scroll 0% 0% rgb(123, 138, 189); width: 15%; -moz-background-inline-policy: continuous;" | 14h40-15h20 <br />
| align="left" style="background: none repeat scroll 0% 0% rgb(242, 242, 242); width: 75%; -moz-background-inline-policy: continuous;" colspan="2" | '''Botnets/Bredolab''' (by Michael Sandee, Fox-IT)<br />
:Botnets are a hot debated topic, with much controversies on how to fight them. Recently there was headline news regarding the takedown of the Bredolab botnet, which caused a lot of discussion and contained a lot of conflicting views on the subject. During this presentation the facts of this Bredolab botnet takedown will be discussed, alongside the views of a Cybercriminal on how to setup your own botnet. You will be given a crash-course Cybercrime in 30 minutes.<br><br />
|-<br />
| style="background: none repeat scroll 0% 0% rgb(123, 138, 189); width: 15%; -moz-background-inline-policy: continuous;" | 15h20-16h00 <br />
| align="left" style="background: none repeat scroll 0% 0% rgb(242, 242, 242); width: 75%; -moz-background-inline-policy: continuous;" colspan="2" | '''0wning Networks with VoIP and Web attacks''' (by Radu State, University of Luxembourg) [http://www.owasp.org/images/6/6a/OWASPBeNeLux2010-State-VoipHacking.pdf]<br />
:Voice over IP is the current de facto technology for delivering voice data in both enterprise and service provider infrastructure. Although , security threats specific to VoIP signalling have been known for a while, few is known about cross-layer attacks in which Web enabled VoIP devices allow for efficient attacks against the VoIP infrastructure and general IT networks .<br />
:This talk will give a short introduction to VoIP and continue with a series of attacks that leverage SIP as efficient transport vehicle for billing attacks , disclosure attacks and network penetration. The talk will show how one single phone call can compromise even the best secured and hardened network perimeter .<br />
|-<br />
| style="background: none repeat scroll 0% 0% rgb(123, 138, 189); width: 15%; -moz-background-inline-policy: continuous;" | 16h00-16h20 <br />
| align="left" style="background: none repeat scroll 0% 0% rgb(194, 194, 194); width: 75%; -moz-background-inline-policy: continuous;" colspan="2" | '''Coffee Break'''<br />
|-<br />
| style="background: none repeat scroll 0% 0% rgb(123, 138, 189); width: 15%; -moz-background-inline-policy: continuous;" | 16h20-17h00 <br />
| align="left" style="background: none repeat scroll 0% 0% rgb(242, 242, 242); width: 75%; -moz-background-inline-policy: continuous;" colspan="2" | '''The Social Networking Corporate Threat''' (by Chen Gour-Arie, Comsec Consulting)<br />
:Social Networking Sites (SNS) and Web 2.0 platforms have been growing rapidly over the past few years, with multi-millions utilizing these platforms on a daily basis. In this talk, we will present some of the threats that SNS introduces to the corporate environment. <br />
|-<br />
| style="background: none repeat scroll 0% 0% rgb(123, 138, 189); width: 15%; -moz-background-inline-policy: continuous;" | 17h00-17h40 <br />
| align="left" style="background: none repeat scroll 0% 0% rgb(242, 242, 242); width: 75%; -moz-background-inline-policy: continuous;" colspan="2" | '''Attacking is easy, defending is hard''' (by Walter Belgers, Madison Gurkha)<br />
:An attacker has an easy job. They need only find one security hole, and they've broken the system. The system, application and network administrators :have a much harder task. They have to find not just one, but each and every one of the holes. Preferably before the bad guys do.<br />
:And, these holes can be at several different layers. In the presentation, we will look at those layers (system level, application level, but also user :level) and observe what goes wrong and how to fix it. The observations come from the daily work at Madison Gurkha.<br />
:Examples of problems are lack of patches, problems during the development phase, susceptibility to social engineering attacks and more. <br />
|-<br />
| style="background: none repeat scroll 0% 0% rgb(123, 138, 189); width: 15%; -moz-background-inline-policy: continuous;" | 17h40-17h50 <br />
| align="left" style="background: none repeat scroll 0% 0% rgb(242, 242, 242); width: 75%; -moz-background-inline-policy: continuous;" colspan="2" | '''Closing''' (by Martin Knobloch and Ferdinand Vroom, OWASP NL Chapter)<br />
<br />
|}<br />
==== Speakers ====<br />
{|<br />
|-<br />
|'''Sebastien Deleersnyder (OWASP Board, SAIT Zenitel)''' <br />
|-<br />
|Sebastien started the successful Belgian OWASP Chapter and performed several public presentations on web application and web services security. Sebastien specialises in (web) application security, combining his software development and information security experience. He is currently OWASP Foundation board member and Managing Technical Consultant at SAIT Zenitel.<br />
|}<br />
{|<br />
|-<br />
|'''Radu State (University of Luxembourg)''' <br />
|-<br />
|Radu received his PhD degree from INRIA, Nancy – University Henri Poincaré in 2001.<br><br />
Radu has held positions as Research Engineer and Senior Engineer at INRIA-LORIA and has been working as Senior Researcher at the University of Luxembourg, FSTC-CSC Research Unit from October 2008 to September 2010. Radu's research activity will be on one side investigate interoperability aspects to supply security components in the area of ubiquitous computing and on the other side set up a project specific interoperability research lab in close cooperation with industry.<br />
|}<br />
{|<br />
|-<br />
|'''Nick Nikiforakis (Katholieke Universiteit Leuven)''' <br />
|-<br />
|Nick Nikiforakis is a PhD student at the Katholieke Universiteit Leuven, in Belgium. He belongs to the DistriNet research group and specifically in the “Security & Languages” task-force. His current research interests are: low-level security for unsafe languages and web application security. <br><br />
Nick holds a BSc in Computer Science and a MSc on Distributed Systems from the University of Crete in Greece. He worked for 3 years as a research assistant in the Distributed Computing Systems group at the Foundation of Research and Technology in Crete where he did research in network data visualization, authentication schemes using mobile devices and phishing countermeasures. In the past, Nick has presented his work in academic conferences as well as hacking conventions. His work can be found online at www.securitee.org.<br />
|}<br />
{|<br />
|-<br />
|'''Matias Madou (Fortify)''' <br />
|-<br />
|Matias Madou is principal security researcher at Fortify's Security Research Group, which is responsible for building security knowledge into Fortify's products. His work focuses on developing new techniques to detect vulnerabilities. Matias holds a Ph.D. in computer engineering from Ghent University, where he studied application security through program obfuscation to hide the inner workings of an application. During his Ph.D., he collaborated with top research and industry players in the field of program obfuscation. <br />
|}<br />
{|<br />
|-<br />
|'''Marco Balduzzi (Eurecom)''' <br />
|-<br />
|<br />
Marco Balduzzi is an IT security specialist with several years of experience as engineer and consultant for different international<br />
companies located in Milan, Munich and Nice. At the moment, he is a PhD researcher in EURECOM and a proud member of the [http://www.iseclab.org International Secure System Lab]. He designs systems for the detection of botnets/malware, the analysis of<br />
web threats and the security of cloud computing. <br><br />
Marco owns a MSc in Computer Engineering from the University of Bergamo and is a co-founder of the Bergamo Linux User Group. He contributed to several Free Software projects (e.g. Nast) and has been involved in many underground non-profit organizations.<br />
|}<br />
{|<br />
|-<br />
|'''Walter Belgers (Madison Gurkha) ''' <br />
|-<br />
|Walter Belgers heeft Technische Informatica gestudeerd aan de Technische Universiteit Eindhoven met als extra vak o.a. Computercriminaliteit (Universiteit van Tilburg). Walter is in 1994 begonnen bij Philips C&P (tegenwoordig Atos Origin) als ontwikkelaar van wereldwijde firewall-diensten en de uitrol daarvan. Daarna heeft hij enkele jaren lesgegeven op het gebied van UNIX en Internet beveiliging bij AT Computing. In 2002 is hij toegetreden tot Madison Gurkha als partner. Naast zijn technische consultancy-activiteiten, houdt Walter zich bezig met het schrijven van artikelen en columns, het geven van lezingen en voorlichten van de pers. Walter is gecertificeerd security professional (CISSP) en security auditor (CISA).<br />
|}<br />
{|<br />
|-<br />
|'''Martin Knobloch (Sogeti Nederland B.V.) ''' <br />
|-<br />
|Martin Knobloch is employed at Sogeti Netherlands as Senior Security Consultant. He is founder and thought leader of the Sogeti task force PaSS, Proactive Security Strategy, with an integral solution of information security within organisation, infrastructure and software. <br><br />
At OWASP, Martin is board member of the OWASP Netherlands Chapter and member of the Global Education Committee.<br />
|}<br />
{|<br />
|-<br />
|'''Michael Sandee (Fox-IT)'''<br />
|-<br />
|Michael Sandee, Lead Expert Cybercrime at Fox-IT, has been working analyzing Cybercrime for over 5 years. With day-to-day analysis of malware and cybercrime activities he has developed a good understanding on how the underground economy operates and how large this market is, and also how we are affected by this every day.<br />
|}<br />
{|<br />
|-<br />
|'''Chen Gour-Arie (Comsec Consulting)'''<br />
|-<br />
|Chen Gour-Arie has years of experience in information security, with a specific expertise in application level security. Chen<br />
has conducted projects in all areas of information security, in diverse environments, utilizing a wide range of professional<br />
tools. Some of his notable projects have focused on: complex penetration testing, comprehensive White Box audits,<br />
network security, policy and procedure formulation, manual and automated security testing, security evaluation of<br />
products, leading secure software development lifecycles, infrastructure security audits, risk assessments, PCI and PA-DSS<br />
consulting, and more.<br />
|}<br />
==== CTF ====<br />
During both days, a '''C'''apture '''T'''he '''F'''lag challenge will be online and available!<br />
<br><br />
Do you have the skills to hack websites? Can you crack various codes? Can you think outside the box? Do you like challenges?<br><br />
Then come and participate in the OWASP Capture The Flag Competition. Test your webhacking/codecracking skills against various challenges. Compete against yourself and others. The CTF will run the complete conference, so you can logon and play anytime you want. We will announce the winner at the last day of the conference. The winner will earn $100 worth of OWASP books and gets a OWASP membership for a year, the runner up wins $50 of OWASP books and gets a OWASP membership for a year, the person on third place will win a OWASP membership for a year.<br><br />
So come and play and earn the bragging rights for the OWASP CTF Challenge at OWASP BeNeLux 2010.<br><br />
<br><br />
<br><br />
==== Registration ====<br />
<center><br />
'''The training day and the conference are free!'''&nbsp;<br />
<br />
<br> <br />
<br />
[http://owaspbenelux.eventbrite.com?ref=ebtn http://www.owasp.org/images/7/77/Buttoncreate.png] <br />
<br />
<br> To support the OWASP organisation, consider to become a member, it's only US$50!<br> Check out the [[Membership]] page to find out more.<br> <br />
<br />
<br> <br />
</center> <br />
==== Venue ====<br />
<center><br />
'''Hogeschool Fontys''' <br> <br />
Building R5 , Rachelsmolen 1 <br><br />
5612 AM Eindhoven, The Netherlands<br> <br />
<br />
[http://maps.google.com/maps?f=q&source=s_q&hl=nl&geocode=&q=Hogeschool+Fontys,+Rachelsmolen+1,+5612+AM+Eindhoven&sll=51.502694,5.262446&sspn=0.541971,0.907745&ie=UTF8&hq=Hogeschool+Fontys,&hnear=Rachelsmolen+1,+Woenselse+Watermolen,+Eindhoven,+Noord-Brabant,+Nederland&ll=51.453071,5.481298&spn=0.008478,0.014184&t=h&z=16&iwloc=A '''Campus Rachelsmolen''']<br><br />
<br />
</center> <br />
<br> '''Hotels nearby''': [http://maps.google.com/maps?near=Rachelsmolen+1,+5612+MA+Eindhoven,+Nederland+(Fontys+Hogescholen+|+Campus+Rachelsmolen)&geocode=CYt8kT41vzHwFdMZEQMdSaNTACF7CO7YoPOYHA&q=hotel&f=l&dq=Hogeschool+Fontys,+loc:+Rachelsmolen+1,+5612+AM+Eindhoven&sll=51.452371,5.481289&sspn=0.006295,0.006295&ie=UTF8&hq=hotel&hnear=&t=h&z=14 maps.google.nl/maps]<br> <br />
<br />
==== Organisation ====<br />
<br />
The BeNeLux Day 2010 Program Committee: <br />
<br />
*Martin Knobloch / Ferdinand Vroom ([[Netherlands|OWASP Netherlands]]) <br />
*Bart De Win / Sebastien Deleersnyder ([[Belgium|OWASP Belgium]]) <br />
*Jocelyn Aubert / Andre Adelsbach ([[Luxembourg|OWASP Luxembourg]])<br />
<br />
==== Sponsorship ====<br />
<br />
Contact netherlands &lt;at&gt; owasp.org for sponsorship <br />
<br />
<paypal>BeNeLux OWASP Day 2010</paypal> <br />
<br />
==== Social Event ====<br />
<br />
The social event is scheduled for Wednesday, 1st of December:<br />
[http://www.effenaar.nl/over-de-effenaar Effenaar], starting from 7 pm!<br />
<br />
<br />
<br> <headertabs /> <br />
<center>Made possible by our [http://www.owasp.org/index.php/BeNeLux_OWASP_Day_2010#tab=Sponsorship sponsors]:<br> <br />
{{MemberLinks|link=http://www.ascure.com|logo=Ascure_Logo.jpg}}<br />
[http://www.f5.com http://www.owasp.org/images/7/7e/50px-F5_50px.jpg]<br />
[http://www.zionsecurity.com http://www.owasp.org/images/e/e6/Zionsecurity.jpg]<br />
[http://www.radware.com http://www.owasp.org/images/8/82/Rad_logo.gif]<br />
[http://www.zenitelbelgium.com http://www.owasp.org/images/d/df/SAIT_Zenitel.jpg]<br />
[http://www.sogeti.nl http://www.owasp.org/images/3/31/Sogeti_Nederland_b_v_Logo.jpg]<br />
[http://www.comsec.nl/ http://www.owasp.org/images/c/c1/Comsec.gif]<br />
[http://www.fortify.com/ http://www.owasp.org/images/c/cf/Fortify_HP_cmyk1-200.jpg]<br />
<br />
<br />
<br><br> '''Supported by:'''<br><br />
[[File:Bnl10 Fontys.jpg|200px]]<br />
<br />
<br> <br />
</center> <br />
[[Category:OWASP_AppSec_Conference]] [[Category:OWASP_BeNeLux_Archives]]</div>Bart De Winhttps://wiki.owasp.org/index.php?title=File:OWASPBeNeLux2010-State-VoipHacking.pdf&diff=95731File:OWASPBeNeLux2010-State-VoipHacking.pdf2010-12-08T21:06:03Z<p>Bart De Win: </p>
<hr />
<div></div>Bart De Winhttps://wiki.owasp.org/index.php?title=File:OWASPBeNeLux2010-Nikiforakis-FileSharing.pdf&diff=95730File:OWASPBeNeLux2010-Nikiforakis-FileSharing.pdf2010-12-08T21:04:40Z<p>Bart De Win: </p>
<hr />
<div></div>Bart De Win