https://wiki.owasp.org/api.php?action=feedcontributions&feedformat=atom&user=BvankampenOWASP - User contributions [en]2026-05-16T09:13:00ZUser contributionsMediaWiki 1.27.2https://wiki.owasp.org/index.php?title=File:Itq_logo.jpg&diff=83338File:Itq logo.jpg2010-05-11T14:40:03Z<p>Bvankampen: </p>
<hr />
<div></div>Bvankampenhttps://wiki.owasp.org/index.php?title=Netherlands&diff=83337Netherlands2010-05-11T14:39:33Z<p>Bvankampen: /* WHERE */</p>
<hr />
<div>{{Chapter Template|chaptername=Netherlands|extra=|mailinglistsite=http://lists.owasp.org/mailman/listinfo/owasp-netherlands|emailarchives=http://lists.owasp.org/pipermail/owasp-netherlands}} <br />
<br />
<br> <br />
<br />
==== Local News ====<br />
<br />
Please block your agendas on Thursday, March 11th, 18h-21:30h for the next Netherlands chapter meeting.<br>Subject will be: Database Security! <br />
<br />
==== Chapter Meetings ====<br />
<br />
== 2010 Schedule ==<br />
<br />
*March 11th, 18.00 - 21.30 Topic: Database Security<br> <br />
*May 20th, 18.00 - 21.30 Topic: Web Application Firewalls <br />
*September 23rd, 18.00 - 21.30 Topic: Security in Content Management Systems <br />
*November 18th, 18.00 - 21.30 Topic &nbsp;: TBD<br />
<br />
<br><br />
== REGISTRATION ==<br />
<br />
To register for a chapter meeting (first register, first serve)! Please '''send an email''' to: [mailto:netherlands@owasp.org netherlands 'at' owasp.org].<br />
<br />
== Next Meeting (May 2010) ==<br />
=== WHEN ===<br />
May 2010 (18h00pm-21h30pm). <br />
<br />
=== WHERE ===<br />
{|<br />
|-<br />
| width="350" | <br />
Location: http://www.setuputrecht.nl/ <br><br />
SETUP is gevestigd aan het Neude plein in Utrecht (Neude 4) in het nieuwe kantoor van de Dutch Game Garden.<br><br />
(entrance at the back of the ABNamro building on “het Neude”) <br><br />
[[Image:lokatie_setup_google.gif|200px]] <br><br />
| width="650" | <br />
[[Image:Setup_logo.jpg|200px]] <br><br />
<br />
[[Image:itq_logo.jpg|200px]] <br />
|-<br />
| width="350" | <br> <br />
| width="650" | <br />
<br> <br />
|}<br />
<br />
=== PROGRAM ===<br />
<b>18:00 - 18:30 Check-In (catering included)</b><br><br />
<b>18:30 - 18:45 Introduction (OWASP organization, projects, sponsor)</b><br><br />
<b>18.45 - 19.45 Web Application Firewalls in dynamic environments</b>(by Alexander Meisel)<br><br />
Alexander Meisel is the CTO of 'art of defence' (AOD), a German based software vendor. The company specializes in high performance deployments of Web Application Firewalls in very dynamic environments all over the world.<br />
<br />
Abstract:<br />
The current trend towards cloud computing forces everybody to deploy services in a virtual environment. In current dedicated environments WAFs or Web Application Firewalls are mostly deployed as a hardware (black) box which is easy at first but limits them to only low performance web cluster architectures. Moving those systems virtualized into a cloud environment makes almost no sense because of the resource limitations.<br />
The is solution is a redesign which enables WAFs to be part of a true message based cloud system. This talk explains how truly virtualized and distributed web applications are architected, work and scale in high performance environments. <br><br />
<b>19.45 – 20.00 Break</b><br><br />
<b>20.00 - 21:00 Bypassing Web Application Firewalls </b>(by Sandro Gauci)<br><br />
Sandro Gauci is the owner and Founder of EnableSecurity (www.enablesecurity.com) where he performs R&D and securityconsultancy for mid-sized companies. Sandro has over 9 years experience in the security industry and is focused on analysis of security challenges and providing solutions to such threats. Hispassion is vulnerability research and has previously worked together with various endors such as Microsoft and Sun to fix security holes. Sandro is the author of the free VoIP security scanning suite SIPVicious (sipvicious.org) and VOIPPACK for CANVAS.<br />
<br />
Abstract:<br />
WAFs or Web Application Firewalls are being deployed to fix security issues in your web applications. The question is, are they?<br />
In this presentation we take a look at some of the issues related to making use of this solution and how it may affect the overall security posture of your web application. Finally we will describe tools to automate detection of WAFs, and also tools to help identify ways to bypass WAFs. This presentation will include updates to the open source WAF security testing tools - WAFFIT. <br><br />
<b>21.00 – 21:30 Discussion, questions and social networking</b><br><br />
<br />
The Announcement of this meeting: [[Media:Announcement_OWASP-NL_May_20th_2010.pdf]]<br> <br />
<br />
== Database Security (Mar-11-2010) ==<br />
<br />
=== WHEN ===<br />
<br />
Thurday, March 11th, 2010 (18h00pm-21h30pm). <br />
<br />
=== WHERE ===<br />
{|<br />
|-<br />
| width="350" | <br />
ASR Nederland<br> <br> MD0.60 - Auditorium<br> Smallepad 30<br> 3811MG Amersfoort<br> <br />
<br />
| width="650" | <br />
[[Image:ASR Nederland logo.jpg|200px]] <br />
<br />
|-<br />
| width="350" | <br> <br />
| width="650" | <br />
<br> <br />
<br />
<br> <br />
<br />
|}<br />
<br />
=== PROGRAM ===<br />
<b>18:00 - 18:30 Check-In (catering included)</b><br><br />
<b>18:30 - 18:45 Introduction (OWASP organization, projects, sponsor)</b><br><br />
<b>18.45 - 19.45 SQL Injection - How far does the rabbit hole go?</b> (By Justin Clarke)<br><br />
<b>Justin Clarke</b> is a co-founder and Director at Gotham Digital Science, based in the United Kingdom. He has over twelve years of experience in assessing the security of networks, web applications, and wireless networks for large financial, retail, technology and government clients in the United States, the United Kingdom and New Zealand.<br />
Justin is the the technical editor and lead author of “SQL Injection Attacks and Defense” (Syngress 2009), co-author of "Network Security Tools: Writing, Hacking, and Modifying Security Tools" (O’Reilly 2005), a contributing author to "Network Security Assessment: Know Your Network, 2nd Edition" (O’Reilly 2007), as well as a speaker at a number of conferences and events on security topics, including Black Hat USA, EuSecWest, OSCON, ISACA, RSA, SANS, OWASP, and the British Computer Society. He is the author of the open source SQLBrute blind SQL injection testing tool, and is the Chapter Leader for the London chapter of OWASP.<br />
SQl Injection - How far does the rabbit hole go? SQL Injection has been around for over 10 years, and yet it is still to this day not truly understood by many security professionals and developers. With the recent mass attacks against sites across the world it has again come to the fore of vulnerabilities under the spotlight, however many consider it to only be a data access issue, or parameterized queries to be a panacea.<br><br />
This talk starts from what was demonstrated last year at Black Hat in Las Vegas, where a self propagating SQL Injection worm was demonstrated live on stage. Explore some of the deeper, darker areas of SQL Injection, hybrid attacks, and exploiting obscure database functionality<br><br />
([[Media:OWASP-SQLInjection5nov09.pdf|the slides in pdf format]])<br><br />
<b>19.45 – 20.00 Break</b><br><br />
<b>20. 00 – 20.30 VAC Insecure Direct Object Reference</b> (By Marinus Kuivenhoven)<br><br />
<b>Marinus Kuivenhoven</b> is a Senior Technology Specialist with Sogeti Nederland B.V. specializing in service oriented architectures and secure application development. His experience include developing and administrating Oracle-based systems. At Sogeti Nederland B.V. he is also an active member of the PaSS -Software(Proactive Security Strategy) taskforce focusing on secure application development. Marinus also developed and teaches several application security courses both within and outside Sogeti. In the past years he has written for magazine such as Computable and We Love IT. And he has spoken on a number of conferences and events like OWASP, Recent OO Trends, Open Source Developer Conference and Engineering World.<br />
<b>Vulnerability:</b> Insecure Direct Object Reference is when a web application exposes an internal implementation object to the user. Some examples of internal implementation objects are database records, URLs, or files.<br><br />
<b>Attack:</b> An attacker can modify the internal implementation object in an attempt to abuse the access controls on this object. When the attacker does this they may have the ability to access functionality that the developer didn’t intend to expose access to.<br><br />
<b>Countermeasure:</b> Reference should be validated for authorization and accessed through reference maps. How this should be done will be shown.<br><br />
([[Media:20100311_VAC-IDOR_Marinus Kuivenhoven.pdf|the slides in pdf format]])<br><br />
<b>20.30 – 21.15 Overlooked Resources and Practices</b> (By Justin Clarke)<br><br />
In his second presentation, Justin Clarke discussed OWASP resources and best practices by highlighting some OWASP projects and underused security practices. He shared his experiences in his daily work as well as the known pitfalls.<br><br />
([[Media:20100311_Overlooked_Resources_and _Practices-Justin_Clarke.pdf|the slides in pdf format]])<br><br />
<b>21.15 – 21:30 Discussion, questions and social networking</b><br><br />
<br />
The Announcement of this meeting: [[Media:Announcement_OWASP-NL_March_11th_2010.pdf]]<br> <br />
The flyer of this meeting: [[Media:Owasp_NL_march2010.pdf]] <br> <br />
<br />
== Past Events ==<br />
<br />
*Events held in [[Netherlands Previous Events 2009|2009]] <br />
*Events held in [[Netherlands Previous Events 2008|2008]] <br />
*Events held in [[Netherlands Previous Events 2007|2007]] <br />
*Events held in [[Netherlands Previous Events 2006|2006]] <br />
*Events held in [[Netherlands Previous Events 2005|2005]]<br />
<br />
==== Call for Speakers ====<br />
<br />
We are continuously looking for speakers.<br>'''Presentations:''' Are you working on an interesting subject, would you like to share your experience with the OWASP community and do you have presentation skills. Please let us know! Any topic related to web application security will be appreciated!<br>'''VAC, Vulnerability, Attack, Countermeasure:''' The VAC is a re occuring part of the chapter meetings. The VAC is a half hour in-depth technical presentation about a vulnerability, how it can be exploited and how to prevent it!<br> <br />
<br />
<span style="font-weight: bold;">Links: </span> <br />
<br />
[http://www.owasp.org/index.php/Speaker_Agreement Speaker Agreement] <br />
<br />
[http://www.owasp.org/images/5/54/Presentation_template.ppt Template] <br />
<br />
==== Chapter Leaders ====<br />
<br />
The Netherlands Chapter is supported by the following board: <br />
<br />
*[mailto:bert.koelewijn@owasp.org Bert Koelewijn], ASR <br />
*[mailto:peter.gouwentak@owasp.org Peter Gouwentak], ING <br />
*[mailto:martin.knobloch@owasp.org Martin Knobloch], Sogeti <br />
*[mailto:ferdinand.vroom@owasp.org Ferdinand Vroom], Nationale Nederlanden<br />
<br />
Our goal is to professionalize the local OWASP functioning, provide in a bigger footprint to detect OWASP opportunities such as speakers/topics/sponsors/… and set a 5 year target on: Target audiences, Different events and Interactions of OWASP global – local projects. <br />
<br />
==== Chapter Sponsoring ====<br />
<br />
OWASP Netherlands is looking for organizations to sponsor our chapter. If you are interested in sponsoring the Netherlands chapter please contact via email: [mailto:netherlands@owasp.org netherlands 'at' owasp.org]. <br />
<br />
<br>If you would like to donate to our chapter, please use the PayPal link below. Thank you! <br />
<br />
<br><paypal>Netherlands</paypal> <br />
__NOTOC__<headertabs/></div>Bvankampenhttps://wiki.owasp.org/index.php?title=Netherlands&diff=83336Netherlands2010-05-11T14:37:55Z<p>Bvankampen: /* WHERE */</p>
<hr />
<div>{{Chapter Template|chaptername=Netherlands|extra=|mailinglistsite=http://lists.owasp.org/mailman/listinfo/owasp-netherlands|emailarchives=http://lists.owasp.org/pipermail/owasp-netherlands}} <br />
<br />
<br> <br />
<br />
==== Local News ====<br />
<br />
Please block your agendas on Thursday, March 11th, 18h-21:30h for the next Netherlands chapter meeting.<br>Subject will be: Database Security! <br />
<br />
==== Chapter Meetings ====<br />
<br />
== 2010 Schedule ==<br />
<br />
*March 11th, 18.00 - 21.30 Topic: Database Security<br> <br />
*May 20th, 18.00 - 21.30 Topic: Web Application Firewalls <br />
*September 23rd, 18.00 - 21.30 Topic: Security in Content Management Systems <br />
*November 18th, 18.00 - 21.30 Topic &nbsp;: TBD<br />
<br />
<br><br />
== REGISTRATION ==<br />
<br />
To register for a chapter meeting (first register, first serve)! Please '''send an email''' to: [mailto:netherlands@owasp.org netherlands 'at' owasp.org].<br />
<br />
== Next Meeting (May 2010) ==<br />
=== WHEN ===<br />
May 2010 (18h00pm-21h30pm). <br />
<br />
=== WHERE ===<br />
{|<br />
|-<br />
| width="350" | <br />
Location: http://www.setuputrecht.nl/ <br><br />
SETUP is gevestigd aan het Neude plein in Utrecht (Neude 4) in het nieuwe kantoor van de Dutch Game Garden.<br><br />
(entrance at the back of the ABNamro building on “het Neude”) <br><br />
[[Image:lokatie_setup_google.gif|200px]] <br><br />
| width="650" | <br />
[[Image:Setup_logo.jpg|200px]] <br><br />
<br />
[[Image:iqt_logo.jpg|200px]] <br />
|-<br />
| width="350" | <br> <br />
| width="650" | <br />
<br> <br />
|}<br />
<br />
=== PROGRAM ===<br />
<b>18:00 - 18:30 Check-In (catering included)</b><br><br />
<b>18:30 - 18:45 Introduction (OWASP organization, projects, sponsor)</b><br><br />
<b>18.45 - 19.45 Web Application Firewalls in dynamic environments</b>(by Alexander Meisel)<br><br />
Alexander Meisel is the CTO of 'art of defence' (AOD), a German based software vendor. The company specializes in high performance deployments of Web Application Firewalls in very dynamic environments all over the world.<br />
<br />
Abstract:<br />
The current trend towards cloud computing forces everybody to deploy services in a virtual environment. In current dedicated environments WAFs or Web Application Firewalls are mostly deployed as a hardware (black) box which is easy at first but limits them to only low performance web cluster architectures. Moving those systems virtualized into a cloud environment makes almost no sense because of the resource limitations.<br />
The is solution is a redesign which enables WAFs to be part of a true message based cloud system. This talk explains how truly virtualized and distributed web applications are architected, work and scale in high performance environments. <br><br />
<b>19.45 – 20.00 Break</b><br><br />
<b>20.00 - 21:00 Bypassing Web Application Firewalls </b>(by Sandro Gauci)<br><br />
Sandro Gauci is the owner and Founder of EnableSecurity (www.enablesecurity.com) where he performs R&D and securityconsultancy for mid-sized companies. Sandro has over 9 years experience in the security industry and is focused on analysis of security challenges and providing solutions to such threats. Hispassion is vulnerability research and has previously worked together with various endors such as Microsoft and Sun to fix security holes. Sandro is the author of the free VoIP security scanning suite SIPVicious (sipvicious.org) and VOIPPACK for CANVAS.<br />
<br />
Abstract:<br />
WAFs or Web Application Firewalls are being deployed to fix security issues in your web applications. The question is, are they?<br />
In this presentation we take a look at some of the issues related to making use of this solution and how it may affect the overall security posture of your web application. Finally we will describe tools to automate detection of WAFs, and also tools to help identify ways to bypass WAFs. This presentation will include updates to the open source WAF security testing tools - WAFFIT. <br><br />
<b>21.00 – 21:30 Discussion, questions and social networking</b><br><br />
<br />
The Announcement of this meeting: [[Media:Announcement_OWASP-NL_May_20th_2010.pdf]]<br> <br />
<br />
== Database Security (Mar-11-2010) ==<br />
<br />
=== WHEN ===<br />
<br />
Thurday, March 11th, 2010 (18h00pm-21h30pm). <br />
<br />
=== WHERE ===<br />
{|<br />
|-<br />
| width="350" | <br />
ASR Nederland<br> <br> MD0.60 - Auditorium<br> Smallepad 30<br> 3811MG Amersfoort<br> <br />
<br />
| width="650" | <br />
[[Image:ASR Nederland logo.jpg|200px]] <br />
<br />
|-<br />
| width="350" | <br> <br />
| width="650" | <br />
<br> <br />
<br />
<br> <br />
<br />
|}<br />
<br />
=== PROGRAM ===<br />
<b>18:00 - 18:30 Check-In (catering included)</b><br><br />
<b>18:30 - 18:45 Introduction (OWASP organization, projects, sponsor)</b><br><br />
<b>18.45 - 19.45 SQL Injection - How far does the rabbit hole go?</b> (By Justin Clarke)<br><br />
<b>Justin Clarke</b> is a co-founder and Director at Gotham Digital Science, based in the United Kingdom. He has over twelve years of experience in assessing the security of networks, web applications, and wireless networks for large financial, retail, technology and government clients in the United States, the United Kingdom and New Zealand.<br />
Justin is the the technical editor and lead author of “SQL Injection Attacks and Defense” (Syngress 2009), co-author of "Network Security Tools: Writing, Hacking, and Modifying Security Tools" (O’Reilly 2005), a contributing author to "Network Security Assessment: Know Your Network, 2nd Edition" (O’Reilly 2007), as well as a speaker at a number of conferences and events on security topics, including Black Hat USA, EuSecWest, OSCON, ISACA, RSA, SANS, OWASP, and the British Computer Society. He is the author of the open source SQLBrute blind SQL injection testing tool, and is the Chapter Leader for the London chapter of OWASP.<br />
SQl Injection - How far does the rabbit hole go? SQL Injection has been around for over 10 years, and yet it is still to this day not truly understood by many security professionals and developers. With the recent mass attacks against sites across the world it has again come to the fore of vulnerabilities under the spotlight, however many consider it to only be a data access issue, or parameterized queries to be a panacea.<br><br />
This talk starts from what was demonstrated last year at Black Hat in Las Vegas, where a self propagating SQL Injection worm was demonstrated live on stage. Explore some of the deeper, darker areas of SQL Injection, hybrid attacks, and exploiting obscure database functionality<br><br />
([[Media:OWASP-SQLInjection5nov09.pdf|the slides in pdf format]])<br><br />
<b>19.45 – 20.00 Break</b><br><br />
<b>20. 00 – 20.30 VAC Insecure Direct Object Reference</b> (By Marinus Kuivenhoven)<br><br />
<b>Marinus Kuivenhoven</b> is a Senior Technology Specialist with Sogeti Nederland B.V. specializing in service oriented architectures and secure application development. His experience include developing and administrating Oracle-based systems. At Sogeti Nederland B.V. he is also an active member of the PaSS -Software(Proactive Security Strategy) taskforce focusing on secure application development. Marinus also developed and teaches several application security courses both within and outside Sogeti. In the past years he has written for magazine such as Computable and We Love IT. And he has spoken on a number of conferences and events like OWASP, Recent OO Trends, Open Source Developer Conference and Engineering World.<br />
<b>Vulnerability:</b> Insecure Direct Object Reference is when a web application exposes an internal implementation object to the user. Some examples of internal implementation objects are database records, URLs, or files.<br><br />
<b>Attack:</b> An attacker can modify the internal implementation object in an attempt to abuse the access controls on this object. When the attacker does this they may have the ability to access functionality that the developer didn’t intend to expose access to.<br><br />
<b>Countermeasure:</b> Reference should be validated for authorization and accessed through reference maps. How this should be done will be shown.<br><br />
([[Media:20100311_VAC-IDOR_Marinus Kuivenhoven.pdf|the slides in pdf format]])<br><br />
<b>20.30 – 21.15 Overlooked Resources and Practices</b> (By Justin Clarke)<br><br />
In his second presentation, Justin Clarke discussed OWASP resources and best practices by highlighting some OWASP projects and underused security practices. He shared his experiences in his daily work as well as the known pitfalls.<br><br />
([[Media:20100311_Overlooked_Resources_and _Practices-Justin_Clarke.pdf|the slides in pdf format]])<br><br />
<b>21.15 – 21:30 Discussion, questions and social networking</b><br><br />
<br />
The Announcement of this meeting: [[Media:Announcement_OWASP-NL_March_11th_2010.pdf]]<br> <br />
The flyer of this meeting: [[Media:Owasp_NL_march2010.pdf]] <br> <br />
<br />
== Past Events ==<br />
<br />
*Events held in [[Netherlands Previous Events 2009|2009]] <br />
*Events held in [[Netherlands Previous Events 2008|2008]] <br />
*Events held in [[Netherlands Previous Events 2007|2007]] <br />
*Events held in [[Netherlands Previous Events 2006|2006]] <br />
*Events held in [[Netherlands Previous Events 2005|2005]]<br />
<br />
==== Call for Speakers ====<br />
<br />
We are continuously looking for speakers.<br>'''Presentations:''' Are you working on an interesting subject, would you like to share your experience with the OWASP community and do you have presentation skills. Please let us know! Any topic related to web application security will be appreciated!<br>'''VAC, Vulnerability, Attack, Countermeasure:''' The VAC is a re occuring part of the chapter meetings. The VAC is a half hour in-depth technical presentation about a vulnerability, how it can be exploited and how to prevent it!<br> <br />
<br />
<span style="font-weight: bold;">Links: </span> <br />
<br />
[http://www.owasp.org/index.php/Speaker_Agreement Speaker Agreement] <br />
<br />
[http://www.owasp.org/images/5/54/Presentation_template.ppt Template] <br />
<br />
==== Chapter Leaders ====<br />
<br />
The Netherlands Chapter is supported by the following board: <br />
<br />
*[mailto:bert.koelewijn@owasp.org Bert Koelewijn], ASR <br />
*[mailto:peter.gouwentak@owasp.org Peter Gouwentak], ING <br />
*[mailto:martin.knobloch@owasp.org Martin Knobloch], Sogeti <br />
*[mailto:ferdinand.vroom@owasp.org Ferdinand Vroom], Nationale Nederlanden<br />
<br />
Our goal is to professionalize the local OWASP functioning, provide in a bigger footprint to detect OWASP opportunities such as speakers/topics/sponsors/… and set a 5 year target on: Target audiences, Different events and Interactions of OWASP global – local projects. <br />
<br />
==== Chapter Sponsoring ====<br />
<br />
OWASP Netherlands is looking for organizations to sponsor our chapter. If you are interested in sponsoring the Netherlands chapter please contact via email: [mailto:netherlands@owasp.org netherlands 'at' owasp.org]. <br />
<br />
<br>If you would like to donate to our chapter, please use the PayPal link below. Thank you! <br />
<br />
<br><paypal>Netherlands</paypal> <br />
__NOTOC__<headertabs/></div>Bvankampenhttps://wiki.owasp.org/index.php?title=File:Owasp_NL_march2010.pdf&diff=78967File:Owasp NL march2010.pdf2010-02-26T07:05:34Z<p>Bvankampen: Flyer of the OWASP Netherlands March 2010 meeting</p>
<hr />
<div>Flyer of the OWASP Netherlands March 2010 meeting</div>Bvankampenhttps://wiki.owasp.org/index.php?title=Netherlands&diff=70020Netherlands2009-09-29T09:16:29Z<p>Bvankampen: /* Next OWASP Cafe: */ Reduced size of displaying the flyer</p>
<hr />
<div>{{Chapter Template|chaptername=Netherlands|extra=The chapter leader is [mailto:owasp@irc2.nl Bert Koelewijn]<br />
<paypal>Netherlands</paypal><br />
|mailinglistsite=http://lists.owasp.org/mailman/listinfo/owasp-netherlands|emailarchives=http://lists.owasp.org/pipermail/owasp-netherlands}} <br />
<br />
=== Call for Speakers ===<br />
<br />
We are continuously looking for speakers and presentations make the chapter meetings as interesting as possible. Therefore we are looking inside and outside OWASP for known international specialists. But we know, there is a lot interesting stuf happening inside the Netherlands, too! <br> '''Presentations:''' Are you working on interesting subject, you would like to share your experiences with the OWASP community. Any topic related to application security will be appreciated!<br> '''VAC, Vulnerability, Attack, Countermeasure:''' The goal is an half hour in-depth technical presentation about a vulnerability, how it can be exploited and how to prevent it!<br> <br />
<br />
=== Sponsorship of a local chapter meeting ===<br />
<br />
We are continuously looking for locations to hold local chapter meetings. Therefore, we need companies willing to sponsor of host events.<br> '''Hosting a local chapter meeting:''' To host a local chapter meeting, you facilitate the meeting location and beverage for the attendees<br> '''Sponsorship of a local chapter meeting:''' You cover the cost of renting the location for the meeting and the payment of the beverages for the attendees<br> '''Please let us know via the OWASP chapter meeting questionnaire of via email to martin.knobloch@owasp.org<br>''' <br />
<br />
== '''OWASP NL Cafe''' ==<br />
<br />
<font color="red">'''NEW:'''</font> Monthly informal platform to speak about (Web) application security matters! No registration required, just drop by! <br />
<br />
*no programm <br />
*no agenda <br />
*whatever comes up!<br />
<br />
=== Next OWASP Cafe: ===<br />
Open and free event, just drop in and discuse what's on your mind about application security!<br />
<pre><br />
When: Thursday, 8 October, starting from 6pm<br />
Where: Prof. Dr. Ornsteinlaan 14, 3431 EP Nieuwegein<br />
...my place again ;-)<br />
</pre><br />
The flyer: [[File:OWASP_NL_Cafe_oct09.jpg|100px]]<br />
<br />
== '''OWASP NL Chapter Meetings Schedule 2009''' ==<br />
<br />
This is an overview of the 2009 local chapter meeting schedule. Details of the meetings can be found in the announcements that will be posted below this schedule. <br />
<pre>April 9th<br />
----------<br />
Time &nbsp;: 18.00 - 21.30<br />
Main Topic &nbsp;: Knowing Your Enemy<br />
Presentations: Modern information gathering; how to abuse search engines Dave van Stein<br />
VAC Cross-site scripting Martin Visser <br />
Beveiligingsaspecten van webapplicatie-ontwikkeling Wouter van Kuipers <br />
Location &nbsp;: Lange Dreef 17<br />
4131 NJ Vianen<br />
Sponsor &nbsp;: Sogeti Nederland B.V.<br />
<br />
May 28th<br />
----------<br />
Time &nbsp;: 18.00 - 21.30<br />
Main Topic &nbsp;: AppSec Europe 2009<br />
Presentations: AppSec-EU 2009 Sebastien Deleersnyder, Telindus <br />
VAC Cross-Site Request Forgery Niels Teusink<br />
Open session / discussion about subjects brought forward by <br />
the attendees Martin Knobloch/Ferdinand Vroom/Peter Gouwentak<br />
Location &nbsp;: ASR Nederland<br />
MD0.60 - Auditorium<br />
Smallepad 30<br />
3811MG Amersfoort<br />
Sponsor &nbsp;: ASR Nederland<br />
<br />
September 24th<br />
----------<br />
Time &nbsp;: 18.00 - 21.30<br />
Main Topic &nbsp;: Unauthorised Access<br />
Presentations: Unauthorised Access Wil Allsopp<br />
Mini Meetings report: Time- Box testing &amp; Test Tools Barry van Kampen/ Dave van Stein<br />
Education Project report Martin Knobloch<br />
Discussion, questions and social networking<br />
Location &nbsp;: Sofitel Cocagne<br />
Vestdijk 47<br />
5611 CA Eindhoven<br />
Google Maps Route: http://tiny.cc/24kWE<br />
Sponsor &nbsp;: Madison Gurkha<br />
<br />
December 10th<br />
----------<br />
Time &nbsp;: 17.30 - 21.30<br />
Main Topic &nbsp;: <br />
Presentations: <br />
Location &nbsp;: <br />
Sponsor &nbsp;: <br />
</pre> <br />
<br> <br />
<br />
'''Registration'''<br> If you want to attend, please send an email to: netherlands-board@lists.owasp.org <br> <br> All OWASP chapter meetings are free of charge and you don't have to be an OWASP member to attend. There are never any vendor pitches or sales presentations at OWASP meetings.<br> <br> NOTE TO CISSP's: OWASP Meetings count towards CPE Credits.<br> <br> <br> <br />
<br />
== '''OWASP NL Mini-Meetings''' ==<br />
<br />
<font color="red">'''NEW:'''</font> Platform to discus on specific issues related to (Web) Application Security. The topic's are brought in by the OWASP NL community!<br> Something on your mind to discus, put your idea online at: Mini Meetings [[Netherlands Mini Meeting 2009|Netherlands_Mini_Meeting_2009]] To attend the meeting, send an email to the contact's email address! <br />
<br />
=== Next Mini-Meeting: <font color="red">CANCELLED&nbsp;!!!</font> ===<br />
<pre>Topic &nbsp;: Tools of the trade; exchange real-life experiences<br />
Contact &nbsp;: Dave van Stein, dvstein+owasp [-at-] gmail [-dot-] com<br />
----------<br />
Date &nbsp;: cancelled<br />
Time &nbsp;: <br />
Location &nbsp;: <br />
Details &nbsp;: Exchange real-world experience about web testing tools. What is really useable and what is not.<br />
Attendees &nbsp;: Min 6, max 8, currently 3 attendees <br />
</pre> <br />
== '''Meeting Minutes''' ==<br />
<br />
=== Meeting minutes May 28th 2009 ===<br />
<br />
At May 28th, the Dutch OWASP chapter came together at the ASR building in Amersfoort. The main topic of the evening was AppSec 2009. There were 2 speakers and approximately 20 attendees.<br> <br> There was no sponsor talk or general announcement so after a very short welcome talk by Bert the evening started.<br> <br> '''First presentation:''' AppSec 2009 by Sebastien Deleersnyder. <br> The first presentation of the evening was a recap of AppSec 2009 in Poland. The conference was a big success with around 170 attendees. The meeting preceded the 2009 edition of Confidence [http://2009.confidence.org.pl/] resulting in a week of security presentations and workshops. All AppSec presentations and many movies, pictures, and other material can be found on the AppSec wiki [http://www.owasp.org/index.php/OWASP_AppSec_Europe_2009_-_Poland] but a few items are worth mentioning in specific. First of all OWASP is growing and changing. These changes include a simplification of the membership fees, the introduction of a 'code of ethics', and a general review of all 120 projects. Other highlights are the project ASVS, which has reached an international standard status and updated versions of WebGoat and LabRat.<br> Lastly besides a Wiki and a LinkedIn group, OWASP is now also active on Twitter [http://twitter.com/owasp] &amp; [http://twitter.com/owasp_nl] and has two overview pages with all video [http://www.owasp.org/index.php/Category:OWASP_Video] and audio materials [http://www.owasp.org/index.php/OWASP_Podcast].<br> Feel free to use all the materials (as long as you abide by the new code of ethics off course) and visit the OWASP websites frequently for updates&nbsp;!<br> <br> '''Second presentation:''' VAC Cross-Site Request Forgery by Niels Teusink. <br> After succesfull VAC's about SQL injection and Cross-site scripting, the topic of this evening's VAC was Cross-site Request Forgery, also known as CSRF. CSRF is probably one of the least understood vulnerabilities, but can have tremendous consequences when succesfully exploited. In essence it is an attack that misuses the victim's autorisations with malicious scripts. CSRF attacks can also be easily combined with other attack, like e.g. XSS, making them even more dangerous. <br> Despite the name suggests, these attacks do not have to be on different websites (domains). With the continuing trend to combine multiple functionalities in a single application, so-called onsite request forgeries are becoming more and more frequent. Contrary to XSS and SQL injection, CSRF can not be blocked by input validation. In order to prevent these kind of attacks, an application has to able to verify the authenticity of a request. This can be achieved by several methods like using a unique identifier for a session or each request or requiring additional user input like a CAPTCHA or a one-time token. <br> <br> '''Open Discussion''' <br> The evening was closed with an open discussion about how to improve knowledge sharing among the OWASP members. Many interesting discussions start during the drinks after the presentations on the OWASP evenings, discussions that sadly often are stopped prematurly due to time restraints.<br> As an addition on the quarterly presentation evenings, the Dutch chapter decided to also start mini-meetings and the OWASP cafe.<br> Mini-meetings will not be planned on beforehand, but instead will be planned when a topic is proposed and enough attendees have stated an interest in the topic. The attendees will have to select a location themselves but can request a donation from the OWASP for drinks and snacks. Topics discussed at the mini-meeting will have to be listed in minutes so other members can also profit from this knowledge exchange.<br> The OWASP cafe will be planned each first thursday of the month on a location that will be listed on the OWASP Dutch chapter site. The rules are simple: the evening starts at a certain time, ends at a certain time and will be filled with drinks, snacks, and nerd/hacker/geek humor and discussions in between.<br> Check the website frequently for the location of the next mini-meeting and OWASP cafe&nbsp;!<br> <br> <br />
<br />
----<br />
<br />
=== Meeting minutes April 9th 2009 ===<br />
<br />
At April 9th, the Dutch OWASP chapter came together at the office of Sogeti in Vianen. The main topic of the evening was "knowing your enemy". There were 3 speakers and approximately 50 attendees.<br> <br> The sponsor of the evening started with a small welcome and an overview of their internal security program named PASS. After some small announcements from the OWASP the evening started.<br> <br> '''First presentation:''' Modern information gathering; how to abuse search engines by Dave van Stein.<br> The first presentation of the evening was about using search engines and crawlers to gain detailed information about webservers and websites. Ill configured webservers allow search engine crawlers to collect much information about a system, information that is stored and can be retrieved with search engines. Many websites and tools make use of this mechanism and, combined with DNS and WHOIS information, are able to provide detailed or sensitive information like usernames, vulnerabilities, present files or network topology about a system without targeting it directly.<br> Restricting crawlers to access a system can act as a first line of defence and reduce exposure and risks.<br> <br> '''Second presentation:''' VAC Cross-site scripting by Martin Visser. <br> The second VAC on an OWASP meeting was about Cross-site scripting also known as XSS. XSS vulnerabilities are often misunderstood and underestimated but facts show that XSS vulnerability abusing attacks are nowadys the fastest growing and most widespread type of exploit. In short XSS vulnerabilities allow for user input to be executed when containing javascript or HTML code. When combined with other vulnerabilities the possibilities of these attacks are vitually limitless.<br> The only way to prevent these attacks is to sanitize all input and output fields, but this can be more difficult than it appears to be. Simply blacklisting fragments like &lt;script&gt; is not sufficient due to the possibility of recursivity (e.g. &lt;scr&lt;script&gt;ipt&gt;) and encoding (e.g. URL encoding:&nbsp;%3C%73%63%72%69%70%74%3E). Using multiple layers of filters on various places is the only way to assure enough protection against these types of attacks.<br> <br> '''Third presentation:''' Beveiligingsaspecten van webapplicatie-ontwikkeling by Wouter van Kuipers. <br> The third presentation of the evening was about the efficiency of a source code analyer for php based websites. Approximately 33% of all websites use php and this can be explained by the low learning curve and ease of use of the language. Due to the low learning curve many php developers have little experience with programming and almost no awareness regading security resulting in many unsecure websites. Source code analysis can help preventing many security issues, but their usage does have some limitations. Firstly the scan on itself takes only a few minutes, but analysing the results requires much longer and depends greatly on how familiar the analyser is with the scanned source code. Second these analysers produce many flase positives, making analysis even more time consuming. Lastly not all vulnerabilities are detected with the same efficiency. Especially vulnerabilities that are dependent on the application logic like injection or XSS are not always efficiently detected.<br> Concluding, like all tools, a source code analyser can be a powerful tool, but one has to be aware of its limitations. These tools can provide results very fast, but when used on unfamiliar code the analysis can be very time consuming. <br> <br />
<br />
== Scheduled OWASP NL Chapter Meetings: ==<br />
<br />
=== Meeting Schedule September 24th 2009: Unautorized Access<br> ===<br />
<br />
'''Summary:''' The main goal of the upcoming OWASP-NL meeting is to provide information to managers, architects, designers, developers and security and risk professionals. The speakers will give specific examples and there will be time to ask questions.<br> <br />
<br />
{| cellspacing="1" cellpadding="1" border="0" width="500" align="left"<br />
|-<br />
| <br />
Madison Gurkha <br />
<br />
Sofitel Cocagne Eindhoven<br>Vestdijk 47<br>5611 CA Eindhoven<br> <br />
<br />
| [[Image:Logo Madison Gurkha.GIF|200px]]<br><br />
|}<br />
<br />
<br> <br />
<br />
<br> <br />
<br />
<br> <br />
<br />
<br> <br />
<br />
<br> '''18:00 - 18:30 Check-In (catering included)'''<br> <br />
<br />
'''18:30 - 18:45 Introduction (OWASP organization, projects, sponsor)'''<br> <br />
<br />
'''18.45 - 19.45 Unauthorized Access (Wil Allsopp)<br>''' <br />
<br />
Physical Penetration Testing and Social Engineering have been conducted by testing organisations for some time but there has been very little discussion within the industry regarding the use of formal approaches ensuring a consistently high quality and repeatability of the testing lifecycle. <br />
<br />
This was a problem I attempted to address in the book Unauthorized Access and is the focus of this discussion. <br />
<br />
We will look at the following: <br />
<br />
*What is physical penetration testing and what does it aim to achieve?<br> <br />
*Tactical approaches to Social Engineering in testing.<br> <br />
*The advantages and disadvantages of deploying SE.<br> <br />
*Training operators and building operating teams - what skill sets should you deploy? <br> <br />
*What are the legal aspects involved, how do these vary between jurisdictions? <br> <br />
*How should you plan a physical penetration test at strategic, tactical and operational levels? <br> <br />
*How do you gauge risk i.e. Contractual, Operational, Legal and Environmental?<br />
<br />
<br>The biggest problem currently facing physical penetration testing teams is that it's hard to prove a negative i.e. a failed test by no means guarantees the security of the client. By ensuring your team is trained and prepared you can mitigate this problem to a large degree.'''<br>'''<br> <br />
<br />
'''19.45 – 20.00 Break''' <br />
<br />
'''20. 00 – 20.30 Mini Meetings: Time- Box testing &amp; Test Tools (Barry van Kampen en Dave van Stein)<br />
<br />
'''20.30 – 21.00 Education Project (Martin Knobloch)'''<br />
<br />
'''21.00 – 21:30 Discussion, questions and social networking'''<br><br />
<br />
=== Meeting Schedule May 28th 2009: AppSec Europe 2009 ===<br />
<br />
'''Summary''' The main goal of the upcoming OWASP-NL meeting is to provide an abstract of the recently held AppSec Europe 2009, a VAC about CSRF and, new, an open discussion on application security subjects brought forward by the attendees. <br />
<br />
{|<br />
|-<br />
| width="350" | <br />
ASR Nederland<br> <br> MD0.60 - Auditorium<br> Smallepad 30<br> 3811MG Amersfoort<br> <br />
<br />
| width="650" | <br />
[[Image:ASR Nederland logo.jpg|200px]] <br />
<br />
|-<br />
| width="350" | <br> <br />
| width="650" | <br />
<br> <br />
<br />
<br> <br />
<br />
|}<br />
<br />
'''18.30 - 18.45 Introduction (OWASP organization, projects, sponsor) '''<br> <br />
<br />
'''18.45 - 19.45 AppSec-EU 2009 (Sebastien Deleersnyder, Telindus) '''<br> Update on the AppSec-EU 2009: <br> OWASP State of the union, an update on OWASP and OWASP projects and of course the highlights of the AppSec-EU 2009 presentations. <br />
<br />
'''19.45 - 20.00 Break '''<br> <br />
<br />
'''20.00 - 20.30 VAC Cross-Site Request Forgery (Niels Teusink, Fox-IT) ''' ([[Media:20090409_VAC-CSRF-Niels_Teusink.pdf]])<br> CSRF is an attack which forces an end user to execute unwanted actions on a web application in which he/she is currently authenticated. With a little help of social engineering (like sending a link via email/chat), an attacker may force the users of a web application to execute actions of the attacker's choosing. A successful CSRF exploit can compromise end user data and operation in case of normal user. If the targeted end user is the administrator account, this can compromise the entire web application. <br />
<br />
Niels Teusink holds a bachelor degree in Computer Science and has been experimenting with IT security for over a decade. He has worked for Fox-IT since 2005; first as a software engineer and since 2007 as a penetration tester. He has since performed dozens of penetration tests for all sorts of companies, including governments, banks and nuclear installations. <br />
<br />
'''20.30 - 21.15 Open session / discussion (Martin Knobloch/Ferdinand Vroom/Peter Gouwentak) ''' <br> Open session / discussion about subjects brought forward by the attendees. <br />
<br />
The Announcement of this meeting: [[Media:Announcement_OWASP-NL_May_28th_2009.pdf]]<br> The flyer of this meeting: [[Media:Owasp_NL_may2009.pdf]] <br> <br />
<br />
----<br />
<br />
=== Meeting Schedule 9th April Knowing Your Enemy ===<br />
<br />
'''Summary''' The main goal of the upcoming OWASP-NL meeting is to provide information to managers, architects, designers, developers and security and risk professionals. The speakers will give specific examples and there will be time to ask questions. <br />
<br />
{|<br />
|-<br />
| width="350" | <br />
Lange Dreef 17<br> 4131 NJ Vianen<br> <br />
<br />
| width="650" | <br />
[[Image:Sogeti Nederland b v Logo.jpg|http:\\www.sogeti.nl]] <br />
<br />
|-<br />
| width="350" | <br> <br />
| width="650" | <br />
About Sogeti Nederland B.V. Sogeti Nederland B.V. is one of top-5 IT companies of the Netherlands. Our workforce of over 3,500 employees provides top quality IT consultancy and services to leading companies in several industry sectors in the Netherlands. Our focus is local, but we are part of Sogeti Worldwide, offering IT services in the American, German, French, Belgian, UK, Swedish, Swiss and Spanish markets. <br />
<br />
Our core business is the design, construction, deployment, testing and maintenance of IT solutions. We stand for quality and IT skills; this is visible in our service and in the methods developed by us such as DYA®, Regatta®, TMap®, TPI® , Inframe®, and TEmb. <br />
<br />
Vision Sogeti delivers value by aligning the results of her services to the strategic goals of the client, thereby committing herself to the success of the client. We prove our commitment by assuming responsibility in various forms and to various degrees. <br />
<br />
New trends Our own research institute ViNT (Institute for Research into New Technology) keeps us and our clients ahead of the newest technology trends and their potential influence, benefits and risks. <br> More information about Sogeti can be found on our website www.sogeti.nl. <br> <br />
<br />
|}<br />
<br />
'''18.30 - 18.45 Introduction (OWASP organization, projects, sponsor) '''<br> '''18.45 - 19.30 Modern information gathering; how to abuse search engines Dave van Stein '''([[Media:20090409_passsive_reconnaissance-Dave_van_Stein.pdf]])<br> Great generals already know the key to success is "knowing your enemy". In hacking terms this is called information gathering, fingerprinting or reconnaissance. Traditionally this phase consisted of using public records like WHOIS and DNS combined with active scans on servers. With the rise of advanced search engines like Yahoo, Live Search and Google a whole new type of reconnaissance has come to life; passive reconnaissance. Often servers are not properly configured which causes lots of valuable information to become available without accessing the server at all. Recently several hacker-tools appeared which use the full capabilities of these search engines giving hackers a head-start at mapping the network they plan to attack. The goal of this session is to give insight in the methods and tools hackers have at their disposal to gather information about systems they plan to attack without accessing the system itself. Dave van Stein has close to 8 years of experience in software testing. Since the beginning of 2008 he's working for ps_testware as a web application security testing specialist. <br />
<br />
'''19.30 - 20.00 VAC Cross-site scripting Martin Visser '''([[Media:20090409_VAC_Cross-site-scripting_Martin_Visser.pdf]])<br> Martin Visser is a software designer with Sogeti Nederland B.V. specialized in secure application development with Microsoft technologies. He has experience with Microsoft server technologies like ASP.NET, SharePoint and Biztalk. Martin also developed and teaches a 2-day "Application Security - Microsoft development" course both within and outside Sogeti. <br />
<br />
'''20.00 - 20.15 Break ''' <br> '''20.15 - 21.00 Beveiligingsaspecten van webapplicatie-ontwikkeling Wouter van Kuipers ''' ([[Media:20090409_presentatie_Wouter_van_Kuipers.pdf]])<br> Het ontwikkelen van webapplicaties verschilt op verschillende aspecten met het ontwikkelen van desktop applicaties, met name op het gebied van security. Voor grote bedrijven zijn er oplossingen beschikbaar als bijvoorbeeld SDL, maar voor het midden- en kleinbedrijf zijn dit soort oplossingen beperkt, omdat zij vaak niet de middelen hebben om dergelijke strategieën uit te kunnen voeren. Voor zijn scriptie heeft Wouter van Kuipers middels een literatuuronderzoek, interviews met ontwikkelaars en een onderzoek naar Fortify 360 gekeken hoe het midden- en kleinbedrijf omgaat met deze verschillen en hoe zij het ontwikkelproces kunnen optimaliseren op het gebied van security. <br />
<br />
Na een MBO opleiding in de IT is Wouter van Kuipers via de HBO opleiding 'Communicatie Systemen' begin 2007 begonnen met een master Informatiekunde aan de Radboud Universiteit Nijmegen, welke hij in maart dit jaar hoopt af te ronden. Tijdens zijn MBO studie is zijn interesse in het ontwikkelen van webapplicaties gewekt, wat in 2003 resulteerde in het opzetten van een eigen web-development bedrijf. Dit bedrijf is met name gespecialiseerd in het ontwikkelen van webapplicaties op maat, en het ondersteunen van bedrijven op het gebied van web-developement op freelance basis. <br />
<br />
The flyer of this meeting: [[Media:Owasp_NL_april2009.pdf]] <br />
<br />
== Past Events ==<br />
<br />
*Events held in [[Netherlands Previous Events 2008|2008]] <br />
*Events held in [[Netherlands Previous Events 2007|2007]] <br />
*Events held in [[Netherlands Previous Events 2006|2006]] <br />
*Events held in [[Netherlands Previous Events 2005|2005]]</div>Bvankampenhttps://wiki.owasp.org/index.php?title=File:OWASP_NL_Cafe_oct09.jpg&diff=70019File:OWASP NL Cafe oct09.jpg2009-09-29T09:15:11Z<p>Bvankampen: Flyer OWASP NL Cafe October 2009</p>
<hr />
<div>Flyer OWASP NL Cafe October 2009</div>Bvankampenhttps://wiki.owasp.org/index.php?title=Netherlands&diff=70018Netherlands2009-09-29T09:13:54Z<p>Bvankampen: /* Next OWASP Cafe: */ Added OWASP NL Cafe flyer october 2009</p>
<hr />
<div>{{Chapter Template|chaptername=Netherlands|extra=The chapter leader is [mailto:owasp@irc2.nl Bert Koelewijn]<br />
<paypal>Netherlands</paypal><br />
|mailinglistsite=http://lists.owasp.org/mailman/listinfo/owasp-netherlands|emailarchives=http://lists.owasp.org/pipermail/owasp-netherlands}} <br />
<br />
=== Call for Speakers ===<br />
<br />
We are continuously looking for speakers and presentations make the chapter meetings as interesting as possible. Therefore we are looking inside and outside OWASP for known international specialists. But we know, there is a lot interesting stuf happening inside the Netherlands, too! <br> '''Presentations:''' Are you working on interesting subject, you would like to share your experiences with the OWASP community. Any topic related to application security will be appreciated!<br> '''VAC, Vulnerability, Attack, Countermeasure:''' The goal is an half hour in-depth technical presentation about a vulnerability, how it can be exploited and how to prevent it!<br> <br />
<br />
=== Sponsorship of a local chapter meeting ===<br />
<br />
We are continuously looking for locations to hold local chapter meetings. Therefore, we need companies willing to sponsor of host events.<br> '''Hosting a local chapter meeting:''' To host a local chapter meeting, you facilitate the meeting location and beverage for the attendees<br> '''Sponsorship of a local chapter meeting:''' You cover the cost of renting the location for the meeting and the payment of the beverages for the attendees<br> '''Please let us know via the OWASP chapter meeting questionnaire of via email to martin.knobloch@owasp.org<br>''' <br />
<br />
== '''OWASP NL Cafe''' ==<br />
<br />
<font color="red">'''NEW:'''</font> Monthly informal platform to speak about (Web) application security matters! No registration required, just drop by! <br />
<br />
*no programm <br />
*no agenda <br />
*whatever comes up!<br />
<br />
=== Next OWASP Cafe: ===<br />
Open and free event, just drop in and discuse what's on your mind about application security!<br />
<pre><br />
When: Thursday, 8 October, starting from 6pm<br />
Where: Prof. Dr. Ornsteinlaan 14, 3431 EP Nieuwegein<br />
...my place again ;-)<br />
</pre><br />
[[File:OWASP_NL_Cafe_oct09.jpg]]<br />
<br />
== '''OWASP NL Chapter Meetings Schedule 2009''' ==<br />
<br />
This is an overview of the 2009 local chapter meeting schedule. Details of the meetings can be found in the announcements that will be posted below this schedule. <br />
<pre>April 9th<br />
----------<br />
Time &nbsp;: 18.00 - 21.30<br />
Main Topic &nbsp;: Knowing Your Enemy<br />
Presentations: Modern information gathering; how to abuse search engines Dave van Stein<br />
VAC Cross-site scripting Martin Visser <br />
Beveiligingsaspecten van webapplicatie-ontwikkeling Wouter van Kuipers <br />
Location &nbsp;: Lange Dreef 17<br />
4131 NJ Vianen<br />
Sponsor &nbsp;: Sogeti Nederland B.V.<br />
<br />
May 28th<br />
----------<br />
Time &nbsp;: 18.00 - 21.30<br />
Main Topic &nbsp;: AppSec Europe 2009<br />
Presentations: AppSec-EU 2009 Sebastien Deleersnyder, Telindus <br />
VAC Cross-Site Request Forgery Niels Teusink<br />
Open session / discussion about subjects brought forward by <br />
the attendees Martin Knobloch/Ferdinand Vroom/Peter Gouwentak<br />
Location &nbsp;: ASR Nederland<br />
MD0.60 - Auditorium<br />
Smallepad 30<br />
3811MG Amersfoort<br />
Sponsor &nbsp;: ASR Nederland<br />
<br />
September 24th<br />
----------<br />
Time &nbsp;: 18.00 - 21.30<br />
Main Topic &nbsp;: Unauthorised Access<br />
Presentations: Unauthorised Access Wil Allsopp<br />
Mini Meetings report: Time- Box testing &amp; Test Tools Barry van Kampen/ Dave van Stein<br />
Education Project report Martin Knobloch<br />
Discussion, questions and social networking<br />
Location &nbsp;: Sofitel Cocagne<br />
Vestdijk 47<br />
5611 CA Eindhoven<br />
Google Maps Route: http://tiny.cc/24kWE<br />
Sponsor &nbsp;: Madison Gurkha<br />
<br />
December 10th<br />
----------<br />
Time &nbsp;: 17.30 - 21.30<br />
Main Topic &nbsp;: <br />
Presentations: <br />
Location &nbsp;: <br />
Sponsor &nbsp;: <br />
</pre> <br />
<br> <br />
<br />
'''Registration'''<br> If you want to attend, please send an email to: netherlands-board@lists.owasp.org <br> <br> All OWASP chapter meetings are free of charge and you don't have to be an OWASP member to attend. There are never any vendor pitches or sales presentations at OWASP meetings.<br> <br> NOTE TO CISSP's: OWASP Meetings count towards CPE Credits.<br> <br> <br> <br />
<br />
== '''OWASP NL Mini-Meetings''' ==<br />
<br />
<font color="red">'''NEW:'''</font> Platform to discus on specific issues related to (Web) Application Security. The topic's are brought in by the OWASP NL community!<br> Something on your mind to discus, put your idea online at: Mini Meetings [[Netherlands Mini Meeting 2009|Netherlands_Mini_Meeting_2009]] To attend the meeting, send an email to the contact's email address! <br />
<br />
=== Next Mini-Meeting: <font color="red">CANCELLED&nbsp;!!!</font> ===<br />
<pre>Topic &nbsp;: Tools of the trade; exchange real-life experiences<br />
Contact &nbsp;: Dave van Stein, dvstein+owasp [-at-] gmail [-dot-] com<br />
----------<br />
Date &nbsp;: cancelled<br />
Time &nbsp;: <br />
Location &nbsp;: <br />
Details &nbsp;: Exchange real-world experience about web testing tools. What is really useable and what is not.<br />
Attendees &nbsp;: Min 6, max 8, currently 3 attendees <br />
</pre> <br />
== '''Meeting Minutes''' ==<br />
<br />
=== Meeting minutes May 28th 2009 ===<br />
<br />
At May 28th, the Dutch OWASP chapter came together at the ASR building in Amersfoort. The main topic of the evening was AppSec 2009. There were 2 speakers and approximately 20 attendees.<br> <br> There was no sponsor talk or general announcement so after a very short welcome talk by Bert the evening started.<br> <br> '''First presentation:''' AppSec 2009 by Sebastien Deleersnyder. <br> The first presentation of the evening was a recap of AppSec 2009 in Poland. The conference was a big success with around 170 attendees. The meeting preceded the 2009 edition of Confidence [http://2009.confidence.org.pl/] resulting in a week of security presentations and workshops. All AppSec presentations and many movies, pictures, and other material can be found on the AppSec wiki [http://www.owasp.org/index.php/OWASP_AppSec_Europe_2009_-_Poland] but a few items are worth mentioning in specific. First of all OWASP is growing and changing. These changes include a simplification of the membership fees, the introduction of a 'code of ethics', and a general review of all 120 projects. Other highlights are the project ASVS, which has reached an international standard status and updated versions of WebGoat and LabRat.<br> Lastly besides a Wiki and a LinkedIn group, OWASP is now also active on Twitter [http://twitter.com/owasp] &amp; [http://twitter.com/owasp_nl] and has two overview pages with all video [http://www.owasp.org/index.php/Category:OWASP_Video] and audio materials [http://www.owasp.org/index.php/OWASP_Podcast].<br> Feel free to use all the materials (as long as you abide by the new code of ethics off course) and visit the OWASP websites frequently for updates&nbsp;!<br> <br> '''Second presentation:''' VAC Cross-Site Request Forgery by Niels Teusink. <br> After succesfull VAC's about SQL injection and Cross-site scripting, the topic of this evening's VAC was Cross-site Request Forgery, also known as CSRF. CSRF is probably one of the least understood vulnerabilities, but can have tremendous consequences when succesfully exploited. In essence it is an attack that misuses the victim's autorisations with malicious scripts. CSRF attacks can also be easily combined with other attack, like e.g. XSS, making them even more dangerous. <br> Despite the name suggests, these attacks do not have to be on different websites (domains). With the continuing trend to combine multiple functionalities in a single application, so-called onsite request forgeries are becoming more and more frequent. Contrary to XSS and SQL injection, CSRF can not be blocked by input validation. In order to prevent these kind of attacks, an application has to able to verify the authenticity of a request. This can be achieved by several methods like using a unique identifier for a session or each request or requiring additional user input like a CAPTCHA or a one-time token. <br> <br> '''Open Discussion''' <br> The evening was closed with an open discussion about how to improve knowledge sharing among the OWASP members. Many interesting discussions start during the drinks after the presentations on the OWASP evenings, discussions that sadly often are stopped prematurly due to time restraints.<br> As an addition on the quarterly presentation evenings, the Dutch chapter decided to also start mini-meetings and the OWASP cafe.<br> Mini-meetings will not be planned on beforehand, but instead will be planned when a topic is proposed and enough attendees have stated an interest in the topic. The attendees will have to select a location themselves but can request a donation from the OWASP for drinks and snacks. Topics discussed at the mini-meeting will have to be listed in minutes so other members can also profit from this knowledge exchange.<br> The OWASP cafe will be planned each first thursday of the month on a location that will be listed on the OWASP Dutch chapter site. The rules are simple: the evening starts at a certain time, ends at a certain time and will be filled with drinks, snacks, and nerd/hacker/geek humor and discussions in between.<br> Check the website frequently for the location of the next mini-meeting and OWASP cafe&nbsp;!<br> <br> <br />
<br />
----<br />
<br />
=== Meeting minutes April 9th 2009 ===<br />
<br />
At April 9th, the Dutch OWASP chapter came together at the office of Sogeti in Vianen. The main topic of the evening was "knowing your enemy". There were 3 speakers and approximately 50 attendees.<br> <br> The sponsor of the evening started with a small welcome and an overview of their internal security program named PASS. After some small announcements from the OWASP the evening started.<br> <br> '''First presentation:''' Modern information gathering; how to abuse search engines by Dave van Stein.<br> The first presentation of the evening was about using search engines and crawlers to gain detailed information about webservers and websites. Ill configured webservers allow search engine crawlers to collect much information about a system, information that is stored and can be retrieved with search engines. Many websites and tools make use of this mechanism and, combined with DNS and WHOIS information, are able to provide detailed or sensitive information like usernames, vulnerabilities, present files or network topology about a system without targeting it directly.<br> Restricting crawlers to access a system can act as a first line of defence and reduce exposure and risks.<br> <br> '''Second presentation:''' VAC Cross-site scripting by Martin Visser. <br> The second VAC on an OWASP meeting was about Cross-site scripting also known as XSS. XSS vulnerabilities are often misunderstood and underestimated but facts show that XSS vulnerability abusing attacks are nowadys the fastest growing and most widespread type of exploit. In short XSS vulnerabilities allow for user input to be executed when containing javascript or HTML code. When combined with other vulnerabilities the possibilities of these attacks are vitually limitless.<br> The only way to prevent these attacks is to sanitize all input and output fields, but this can be more difficult than it appears to be. Simply blacklisting fragments like &lt;script&gt; is not sufficient due to the possibility of recursivity (e.g. &lt;scr&lt;script&gt;ipt&gt;) and encoding (e.g. URL encoding:&nbsp;%3C%73%63%72%69%70%74%3E). Using multiple layers of filters on various places is the only way to assure enough protection against these types of attacks.<br> <br> '''Third presentation:''' Beveiligingsaspecten van webapplicatie-ontwikkeling by Wouter van Kuipers. <br> The third presentation of the evening was about the efficiency of a source code analyer for php based websites. Approximately 33% of all websites use php and this can be explained by the low learning curve and ease of use of the language. Due to the low learning curve many php developers have little experience with programming and almost no awareness regading security resulting in many unsecure websites. Source code analysis can help preventing many security issues, but their usage does have some limitations. Firstly the scan on itself takes only a few minutes, but analysing the results requires much longer and depends greatly on how familiar the analyser is with the scanned source code. Second these analysers produce many flase positives, making analysis even more time consuming. Lastly not all vulnerabilities are detected with the same efficiency. Especially vulnerabilities that are dependent on the application logic like injection or XSS are not always efficiently detected.<br> Concluding, like all tools, a source code analyser can be a powerful tool, but one has to be aware of its limitations. These tools can provide results very fast, but when used on unfamiliar code the analysis can be very time consuming. <br> <br />
<br />
== Scheduled OWASP NL Chapter Meetings: ==<br />
<br />
=== Meeting Schedule September 24th 2009: Unautorized Access<br> ===<br />
<br />
'''Summary:''' The main goal of the upcoming OWASP-NL meeting is to provide information to managers, architects, designers, developers and security and risk professionals. The speakers will give specific examples and there will be time to ask questions.<br> <br />
<br />
{| cellspacing="1" cellpadding="1" border="0" width="500" align="left"<br />
|-<br />
| <br />
Madison Gurkha <br />
<br />
Sofitel Cocagne Eindhoven<br>Vestdijk 47<br>5611 CA Eindhoven<br> <br />
<br />
| [[Image:Logo Madison Gurkha.GIF|200px]]<br><br />
|}<br />
<br />
<br> <br />
<br />
<br> <br />
<br />
<br> <br />
<br />
<br> <br />
<br />
<br> '''18:00 - 18:30 Check-In (catering included)'''<br> <br />
<br />
'''18:30 - 18:45 Introduction (OWASP organization, projects, sponsor)'''<br> <br />
<br />
'''18.45 - 19.45 Unauthorized Access (Wil Allsopp)<br>''' <br />
<br />
Physical Penetration Testing and Social Engineering have been conducted by testing organisations for some time but there has been very little discussion within the industry regarding the use of formal approaches ensuring a consistently high quality and repeatability of the testing lifecycle. <br />
<br />
This was a problem I attempted to address in the book Unauthorized Access and is the focus of this discussion. <br />
<br />
We will look at the following: <br />
<br />
*What is physical penetration testing and what does it aim to achieve?<br> <br />
*Tactical approaches to Social Engineering in testing.<br> <br />
*The advantages and disadvantages of deploying SE.<br> <br />
*Training operators and building operating teams - what skill sets should you deploy? <br> <br />
*What are the legal aspects involved, how do these vary between jurisdictions? <br> <br />
*How should you plan a physical penetration test at strategic, tactical and operational levels? <br> <br />
*How do you gauge risk i.e. Contractual, Operational, Legal and Environmental?<br />
<br />
<br>The biggest problem currently facing physical penetration testing teams is that it's hard to prove a negative i.e. a failed test by no means guarantees the security of the client. By ensuring your team is trained and prepared you can mitigate this problem to a large degree.'''<br>'''<br> <br />
<br />
'''19.45 – 20.00 Break''' <br />
<br />
'''20. 00 – 20.30 Mini Meetings: Time- Box testing &amp; Test Tools (Barry van Kampen en Dave van Stein)<br />
<br />
'''20.30 – 21.00 Education Project (Martin Knobloch)'''<br />
<br />
'''21.00 – 21:30 Discussion, questions and social networking'''<br><br />
<br />
=== Meeting Schedule May 28th 2009: AppSec Europe 2009 ===<br />
<br />
'''Summary''' The main goal of the upcoming OWASP-NL meeting is to provide an abstract of the recently held AppSec Europe 2009, a VAC about CSRF and, new, an open discussion on application security subjects brought forward by the attendees. <br />
<br />
{|<br />
|-<br />
| width="350" | <br />
ASR Nederland<br> <br> MD0.60 - Auditorium<br> Smallepad 30<br> 3811MG Amersfoort<br> <br />
<br />
| width="650" | <br />
[[Image:ASR Nederland logo.jpg|200px]] <br />
<br />
|-<br />
| width="350" | <br> <br />
| width="650" | <br />
<br> <br />
<br />
<br> <br />
<br />
|}<br />
<br />
'''18.30 - 18.45 Introduction (OWASP organization, projects, sponsor) '''<br> <br />
<br />
'''18.45 - 19.45 AppSec-EU 2009 (Sebastien Deleersnyder, Telindus) '''<br> Update on the AppSec-EU 2009: <br> OWASP State of the union, an update on OWASP and OWASP projects and of course the highlights of the AppSec-EU 2009 presentations. <br />
<br />
'''19.45 - 20.00 Break '''<br> <br />
<br />
'''20.00 - 20.30 VAC Cross-Site Request Forgery (Niels Teusink, Fox-IT) ''' ([[Media:20090409_VAC-CSRF-Niels_Teusink.pdf]])<br> CSRF is an attack which forces an end user to execute unwanted actions on a web application in which he/she is currently authenticated. With a little help of social engineering (like sending a link via email/chat), an attacker may force the users of a web application to execute actions of the attacker's choosing. A successful CSRF exploit can compromise end user data and operation in case of normal user. If the targeted end user is the administrator account, this can compromise the entire web application. <br />
<br />
Niels Teusink holds a bachelor degree in Computer Science and has been experimenting with IT security for over a decade. He has worked for Fox-IT since 2005; first as a software engineer and since 2007 as a penetration tester. He has since performed dozens of penetration tests for all sorts of companies, including governments, banks and nuclear installations. <br />
<br />
'''20.30 - 21.15 Open session / discussion (Martin Knobloch/Ferdinand Vroom/Peter Gouwentak) ''' <br> Open session / discussion about subjects brought forward by the attendees. <br />
<br />
The Announcement of this meeting: [[Media:Announcement_OWASP-NL_May_28th_2009.pdf]]<br> The flyer of this meeting: [[Media:Owasp_NL_may2009.pdf]] <br> <br />
<br />
----<br />
<br />
=== Meeting Schedule 9th April Knowing Your Enemy ===<br />
<br />
'''Summary''' The main goal of the upcoming OWASP-NL meeting is to provide information to managers, architects, designers, developers and security and risk professionals. The speakers will give specific examples and there will be time to ask questions. <br />
<br />
{|<br />
|-<br />
| width="350" | <br />
Lange Dreef 17<br> 4131 NJ Vianen<br> <br />
<br />
| width="650" | <br />
[[Image:Sogeti Nederland b v Logo.jpg|http:\\www.sogeti.nl]] <br />
<br />
|-<br />
| width="350" | <br> <br />
| width="650" | <br />
About Sogeti Nederland B.V. Sogeti Nederland B.V. is one of top-5 IT companies of the Netherlands. Our workforce of over 3,500 employees provides top quality IT consultancy and services to leading companies in several industry sectors in the Netherlands. Our focus is local, but we are part of Sogeti Worldwide, offering IT services in the American, German, French, Belgian, UK, Swedish, Swiss and Spanish markets. <br />
<br />
Our core business is the design, construction, deployment, testing and maintenance of IT solutions. We stand for quality and IT skills; this is visible in our service and in the methods developed by us such as DYA®, Regatta®, TMap®, TPI® , Inframe®, and TEmb. <br />
<br />
Vision Sogeti delivers value by aligning the results of her services to the strategic goals of the client, thereby committing herself to the success of the client. We prove our commitment by assuming responsibility in various forms and to various degrees. <br />
<br />
New trends Our own research institute ViNT (Institute for Research into New Technology) keeps us and our clients ahead of the newest technology trends and their potential influence, benefits and risks. <br> More information about Sogeti can be found on our website www.sogeti.nl. <br> <br />
<br />
|}<br />
<br />
'''18.30 - 18.45 Introduction (OWASP organization, projects, sponsor) '''<br> '''18.45 - 19.30 Modern information gathering; how to abuse search engines Dave van Stein '''([[Media:20090409_passsive_reconnaissance-Dave_van_Stein.pdf]])<br> Great generals already know the key to success is "knowing your enemy". In hacking terms this is called information gathering, fingerprinting or reconnaissance. Traditionally this phase consisted of using public records like WHOIS and DNS combined with active scans on servers. With the rise of advanced search engines like Yahoo, Live Search and Google a whole new type of reconnaissance has come to life; passive reconnaissance. Often servers are not properly configured which causes lots of valuable information to become available without accessing the server at all. Recently several hacker-tools appeared which use the full capabilities of these search engines giving hackers a head-start at mapping the network they plan to attack. The goal of this session is to give insight in the methods and tools hackers have at their disposal to gather information about systems they plan to attack without accessing the system itself. Dave van Stein has close to 8 years of experience in software testing. Since the beginning of 2008 he's working for ps_testware as a web application security testing specialist. <br />
<br />
'''19.30 - 20.00 VAC Cross-site scripting Martin Visser '''([[Media:20090409_VAC_Cross-site-scripting_Martin_Visser.pdf]])<br> Martin Visser is a software designer with Sogeti Nederland B.V. specialized in secure application development with Microsoft technologies. He has experience with Microsoft server technologies like ASP.NET, SharePoint and Biztalk. Martin also developed and teaches a 2-day "Application Security - Microsoft development" course both within and outside Sogeti. <br />
<br />
'''20.00 - 20.15 Break ''' <br> '''20.15 - 21.00 Beveiligingsaspecten van webapplicatie-ontwikkeling Wouter van Kuipers ''' ([[Media:20090409_presentatie_Wouter_van_Kuipers.pdf]])<br> Het ontwikkelen van webapplicaties verschilt op verschillende aspecten met het ontwikkelen van desktop applicaties, met name op het gebied van security. Voor grote bedrijven zijn er oplossingen beschikbaar als bijvoorbeeld SDL, maar voor het midden- en kleinbedrijf zijn dit soort oplossingen beperkt, omdat zij vaak niet de middelen hebben om dergelijke strategieën uit te kunnen voeren. Voor zijn scriptie heeft Wouter van Kuipers middels een literatuuronderzoek, interviews met ontwikkelaars en een onderzoek naar Fortify 360 gekeken hoe het midden- en kleinbedrijf omgaat met deze verschillen en hoe zij het ontwikkelproces kunnen optimaliseren op het gebied van security. <br />
<br />
Na een MBO opleiding in de IT is Wouter van Kuipers via de HBO opleiding 'Communicatie Systemen' begin 2007 begonnen met een master Informatiekunde aan de Radboud Universiteit Nijmegen, welke hij in maart dit jaar hoopt af te ronden. Tijdens zijn MBO studie is zijn interesse in het ontwikkelen van webapplicaties gewekt, wat in 2003 resulteerde in het opzetten van een eigen web-development bedrijf. Dit bedrijf is met name gespecialiseerd in het ontwikkelen van webapplicaties op maat, en het ondersteunen van bedrijven op het gebied van web-developement op freelance basis. <br />
<br />
The flyer of this meeting: [[Media:Owasp_NL_april2009.pdf]] <br />
<br />
== Past Events ==<br />
<br />
*Events held in [[Netherlands Previous Events 2008|2008]] <br />
*Events held in [[Netherlands Previous Events 2007|2007]] <br />
*Events held in [[Netherlands Previous Events 2006|2006]] <br />
*Events held in [[Netherlands Previous Events 2005|2005]]</div>Bvankampenhttps://wiki.owasp.org/index.php?title=Category_talk:OWASP_CAL9000_Project&diff=64865Category talk:OWASP CAL9000 Project2009-06-25T10:22:04Z<p>Bvankampen: /* Click the edit+ button to add a comment */</p>
<hr />
<div>'''We need your input! Ask questions, make comments or suggest new features for CAL9000 below.'''<br />
<br />
== Click the edit+ button to add a comment ==<br />
<br />
Edit this page and ask your question here<br />
<br />
= Link not functioning? =<br />
Do we've got a broken link?<BR><br />
"* Click [http://www.digilantesecurity.com/CAL9000/files/CAL9000.zip here] to download the CAL9000 tool."</div>Bvankampenhttps://wiki.owasp.org/index.php?title=Netherlands_Mini_Meeting_2009&diff=64864Netherlands Mini Meeting 20092009-06-25T07:25:51Z<p>Bvankampen: Update on attendee''s</p>
<hr />
<div>[[Netherlands]] Calendar and Topics for OWASP NL Mini Meetings:<br />
The 'Mini Meetings' are a informal platform to discus on a specific topic in a small group.<br />
Chair is, whoever put's in a topic. You will get all support by the OWASP NL Chapter Board!<br />
Those meetings must result in meeting notes and can result in a presentation on a OWASP NL Chapter meeting!<br />
<br />
== Mini Meeting Topics 2009 ==<br />
<br />
Topics addressed at the open discussion on the May 28th meeting:<br />
<br />
<pre><br />
Topic : Quickscans and other timeboxed test approaches (discussion)<br />
Contact : Barry van Kampen, owasp@itq.nl<br />
----------<br />
Date : 25th june 2009<br />
Time : 18:00 Dinner (free of charge), 19:00 Start of discussion, Till ca 21:30<br />
Location : ITQ Consultancy<br />
Joop Geesinkweg 701 <br />
1096 AZ Amsterdam<br />
Details : This discussion will be about the way quickscans can be performed.<br />
At least basic web application testing knowledge is needed for this session.<br />
Please send an email if you would like to attend.<br />
Total persons: 7 are attending, max 8 in total.<br />
</pre><br />
<pre><br />
Topic : SAMM, ASVS and other methodologies<br />
Contact : Martin Knobloch, martin.knobloch@owasp.org<br />
----------<br />
Date : 23rd July 2009<br />
Time : 18:00 (dinner provided) to 21:30 <br />
Location : Sogeti Nederland B.V.<br />
Plotterweg 31-33<br />
3821 BB Amersfoort<br />
Details : About ideas and experiences of using, implementing and verifying the different methodologies<br />
Attendees : Max 10 persons, currently 0</pre><br />
<pre><br />
Topic : Tools of the trade; exchange real-life experiences<br />
Contact : Dave van Stein<br />
----------<br />
Date : 27th August 2009<br />
Time : 18:00 (sandwiches provided) to 21:30<br />
Location : ps_testware<br />
Dorpsstraat 26<br />
3941 JM Doorn<br />
Details : Exchange real-world experience about web testing tools. What is really useable and what is not.<br />
Attendees : Max 8 persons, currently 2 <br />
</pre><br />
<pre><br />
Topic : Web Application Firewalls<br />
Contact : put in your contact details<br />
----------<br />
Date : suggest a date<br />
Time : suggest a time<br />
Location : suggest a location<br />
Attendees : Max 10 persons, currently 0<br />
</pre><br />
Add your own suggestions below:<br />
<pre><br />
Topic : suggest a topic<br />
Contact : put in your contact details<br />
----------<br />
Date : suggest a date<br />
Time : suggest a time<br />
Location : suggest a location<br />
Attendees : Max 10 persons, currently 0<br />
</pre><br />
<br />
== Mini Meeting minutes ==<br />
Space below is mend to put the Mini-Meeting-Note!<br />
<br />
'''Registration'''<br/><br />
If you want to attend, please send an email to the contact of the topic.<br/><br />
<br/><br />
All OWASP chapter meetings are free of charge and you don’t have to be an OWASP member to attend. There are never any vendor pitches or sales presentations at OWASP meetings.<br/><br />
<br/></div>Bvankampenhttps://wiki.owasp.org/index.php?title=Netherlands&diff=64774Netherlands2009-06-23T11:32:41Z<p>Bvankampen: /* Meeting minutes May 28th 2009 */ Added twitter NL to the meeting minutes</p>
<hr />
<div>{{Chapter Template|chaptername=Netherlands|extra=The chapter leader is [mailto:owasp@irc2.nl Bert Koelewijn]<br />
<paypal>Netherlands</paypal><br />
|mailinglistsite=http://lists.owasp.org/mailman/listinfo/owasp-netherlands|emailarchives=http://lists.owasp.org/pipermail/owasp-netherlands}}<br />
<br />
=== Call for Speakers ===<br />
We are continuously looking for speakers and presentations make the chapter meetings as interesting as possible. Therefore we are looking inside and outside OWASP for known international specialists. But we know, there is a lot interesting stuf happening inside the Netherlands, too! <br/><br />
'''Presentations:''' Are you working on interesting subject, you would like to share your experiences with the OWASP community. Any topic related to application security will be appreciated!<br/><br />
'''VAC, Vulnerability, Attack, Countermeasure:''' The goal is an half hour in-depth technical presentation about a vulnerability, how it can be exploited and how to prevent it!<br/><br />
<br />
=== Sponsorship of a local chapter meeting ===<br />
We are continuously looking for locations to hold local chapter meetings. Therefore, we need companies willing to sponsor of host events.<br><br />
'''Hosting a local chapter meeting:''' To host a local chapter meeting, you facilitate the meeting location and beverage for the attendees<br><br />
'''Sponsorship of a local chapter meeting:''' You cover the cost of renting the location for the meeting and the payment of the beverages for the attendees<br><br />
'''Please let us know via the OWASP chapter meeting questionnaire of via email to martin.knobloch@owasp.org<br>'''<br />
<br />
== '''OWASP NL Cafe''' == <br />
<font color="red">'''NEW:'''</font><br />
Monthly informal platform to speak about (Web) application security matters! No registration required, just drop by!<br />
* no programm<br />
* no agenda<br />
* whatever comes up!<br />
<br />
=== Next OWASP Cafe:===<br />
<br />
Tuesday July 7th, from 7 pm, drop in whenever you can!<br />
<br />
<pre><br />
Where:<br />
Prof. Dr. Ornsteinlaan 14<br />
3431 EP Nieuwegein<br />
Public transport from Utrecht Centraal:<br />
Bus 74, bus stop "Zorgcentrum Zuilenstein" Nieuwegein (2 min walk)<br />
Streetcar / Tram stop: "Batau Noord" Nieuwegein (8 min walk)<br />
</pre><br />
[http://maps.google.com/maps?f=q&source=s_q&hl=en&geocode=&q=prof.+dr.+ornsteinlaan+14,+3431+EP+Nieuwegein&sll=37.0625,-95.677068&sspn=42.901912,58.095703&ie=UTF8&z=16 Google maps of the next Café]<br><br />
The flyer of this café: [[Media:owasp_NL_cafe_july2009.pdf]]<br />
<br />
<br />
== '''OWASP NL Chapter Meetings Schedule 2009''' ==<br />
This is an overview of the 2009 local chapter meeting schedule. Details of the meetings can be found in the announcements that will be posted below this schedule.<br />
<pre><br />
April 9th<br />
----------<br />
Time : 18.00 - 21.30<br />
Main Topic : Knowing Your Enemy<br />
Presentations: Modern information gathering; how to abuse search engines Dave van Stein<br />
VAC Cross-site scripting Martin Visser <br />
Beveiligingsaspecten van webapplicatie-ontwikkeling Wouter van Kuipers <br />
Location : Lange Dreef 17<br />
4131 NJ Vianen<br />
Sponsor : Sogeti Nederland B.V.<br />
<br />
May 28th<br />
----------<br />
Time : 18.00 - 21.30<br />
Main Topic : AppSec Europe 2009<br />
Presentations: AppSec-EU 2009 Sebastien Deleersnyder, Telindus <br />
VAC Cross-Site Request Forgery Niels Teusink<br />
Open session / discussion about subjects brought forward by <br />
the attendees Martin Knobloch/Ferdinand Vroom/Peter Gouwentak<br />
Location : ASR Nederland<br />
MD0.60 - Auditorium<br />
Smallepad 30<br />
3811MG Amersfoort<br />
Sponsor : ASR Nederland<br />
<br />
September 24th<br />
----------<br />
Time : 17.30 - 21.30<br />
Main Topic : <br />
Presentations: <br />
Location : <br />
Sponsor : <br />
<br />
December 10th<br />
----------<br />
Time : 17.30 - 21.30<br />
Main Topic : <br />
Presentations: <br />
Location : <br />
Sponsor : <br />
</pre><br />
<br />
<br />
<br />
'''Registration'''<br><br />
If you want to attend, please send an email to: bert.koelewijn@owasp.org<br />
<br/><br />
<br/><br />
All OWASP chapter meetings are free of charge and you don't have to be an OWASP member to attend. There are never any vendor pitches or sales presentations at OWASP meetings.<br/><br />
<br/><br />
NOTE TO CISSP's: OWASP Meetings count towards CPE Credits.<br/><br />
<br/><br />
<br/><br />
<br />
=='''OWASP NL Mini-Meetings''' == <br />
<font color="red">'''NEW:'''</font><br />
Platform to discus on specific issues related to (Web) Application Security. The topic's are brought in by the OWASP NL community!<br><br />
Something on your mind to discus, put your idea online at: Mini Meetings [[Netherlands_Mini_Meeting_2009|Netherlands_Mini_Meeting_2009]]<br />
<br />
=== Mini-Meeting Scheduled: ===<br />
<pre><br />
Topic : Quickscans and other timeboxed test approaches (discussion)<br />
Contact : Barry van Kampen, owasp@itq.nl<br />
----------<br />
Date : 25th june 2009<br />
Time : 18:00 Diner (free of charge), 19:00 Start of discussion, Till ca 21:30<br />
Location : ITQ Consultancy<br />
Joop Geesinkweg 701 <br />
1096 AZ Amsterdam<br />
Details : This discussion will be about the way quickscans can be performed.<br />
At least basic web application testing knowledge is needed for this session.<br />
Max 8 persons in total, please send an email if you would like to attend <br />
<br />
Topic : SAMM, ASVS and other methodologies<br />
Contact : Martin Knobloch<br />
----------<br />
Date : 23rd July 2009<br />
Time : 18:00 (dinner provided) to 21:30 <br />
Location : Sogeti Nederland B.V.<br />
Plotterweg 31-33<br />
3821 BB Amersfoort<br />
Details : About ideas and experiences of using, implementing and verifying the different methodologies<br />
<br />
Topic : Tools of the trade; exchange real-life experiences<br />
Contact : Dave van Stein<br />
----------<br />
Date : 27th August 2009<br />
Time : 18:00 (sandwiches provided) to 21:30<br />
Location : ps_testware<br />
Dorpsstraat 26<br />
3941 JM Doorn<br />
Details : Exchange real-world experience about web testing tools. What is really useable and what is not.<br />
Attendees : Max 8 persons, currently 2 <br />
</pre><br />
<br />
== '''Meeting Minutes''' ==<br />
=== Meeting minutes May 28th 2009 ===<br />
<br />
At May 28th, the Dutch OWASP chapter came together at the ASR building in Amersfoort. The main topic of the evening was AppSec 2009. There were 2 speakers and approximately 20 attendees.<br/><br />
<br/><br />
There was no sponsor talk or general announcement so after a very short welcome talk by Bert the evening started.<br/><br />
<br/><br />
'''First presentation:''' AppSec 2009 by Sebastien Deleersnyder. <br/><br />
The first presentation of the evening was a recap of AppSec 2009 in Poland. The conference was a big success with around 170 attendees. The meeting preceded the 2009 edition of Confidence [http://2009.confidence.org.pl/] resulting in a week of security presentations and workshops. All AppSec presentations and many movies, pictures, and other material can be found on the AppSec wiki [http://www.owasp.org/index.php/OWASP_AppSec_Europe_2009_-_Poland] but a few items are worth mentioning in specific. First of all OWASP is growing and changing. These changes include a simplification of the membership fees, the introduction of a 'code of ethics', and a general review of all 120 projects. Other highlights are the project ASVS, which has reached an international standard status and updated versions of WebGoat and LabRat.<br/><br />
Lastly besides a Wiki and a LinkedIn group, OWASP is now also active on Twitter [http://twitter.com/owasp] & [http://twitter.com/owasp_nl] and has two overview pages with all video [http://www.owasp.org/index.php/Category:OWASP_Video] and audio materials [http://www.owasp.org/index.php/OWASP_Podcast].<br/><br />
Feel free to use all the materials (as long as you abide by the new code of ethics off course) and visit the OWASP websites frequently for updates !<br/><br />
<br/><br />
'''Second presentation:''' VAC Cross-Site Request Forgery by Niels Teusink. <br/><br />
After succesfull VAC's about SQL injection and Cross-site scripting, the topic of this evening's VAC was Cross-site Request Forgery, also known as CSRF. CSRF is probably one of the least understood vulnerabilities, but can have tremendous consequences when succesfully exploited. In essence it is an attack that misuses the victim's autorisations with malicious scripts. CSRF attacks can also be easily combined with other attack, like e.g. XSS, making them even more dangerous. <br/><br />
Despite the name suggests, these attacks do not have to be on different websites (domains). With the continuing trend to combine multiple functionalities in a single application, so-called onsite request forgeries are becoming more and more frequent. Contrary to XSS and SQL injection, CSRF can not be blocked by input validation. In order to prevent these kind of attacks, an application has to able to verify the authenticity of a request. This can be achieved by several methods like using a unique identifier for a session or each request or requiring additional user input like a CAPTCHA or a one-time token. <br/><br />
<br/><br />
'''Open Discussion''' <br/><br />
The evening was closed with an open discussion about how to improve knowledge sharing among the OWASP members. Many interesting discussions start during the drinks after the presentations on the OWASP evenings, discussions that sadly often are stopped prematurly due to time restraints.<br/><br />
As an addition on the quarterly presentation evenings, the Dutch chapter decided to also start mini-meetings and the OWASP cafe.<br/><br />
Mini-meetings will not be planned on beforehand, but instead will be planned when a topic is proposed and enough attendees have stated an interest in the topic. The attendees will have to select a location themselves but can request a donation from the OWASP for drinks and snacks. Topics discussed at the mini-meeting will have to be listed in minutes so other members can also profit from this knowledge exchange.<br/><br />
The OWASP cafe will be planned each first thursday of the month on a location that will be listed on the OWASP Dutch chapter site. The rules are simple: the evening starts at a certain time, ends at a certain time and will be filled with drinks, snacks, and nerd/hacker/geek humor and discussions in between.<br/><br />
Check the website frequently for the location of the next mini-meeting and OWASP cafe !<br/><br />
<br/><br />
<hr><br />
<br />
=== Meeting minutes April 9th 2009 ===<br />
<br />
At April 9th, the Dutch OWASP chapter came together at the office of Sogeti in Vianen. The main topic of the evening was "knowing your enemy". There were 3 speakers and approximately 50 attendees.<br/><br />
<br/><br />
The sponsor of the evening started with a small welcome and an overview of their internal security program named PASS. After some small announcements from the OWASP the evening started.<br/><br />
<br/><br />
'''First presentation:''' Modern information gathering; how to abuse search engines by Dave van Stein.<br/><br />
The first presentation of the evening was about using search engines and crawlers to gain detailed information about webservers and websites. Ill configured webservers allow search engine crawlers to collect much information about a system, information that is stored and can be retrieved with search engines. Many websites and tools make use of this mechanism and, combined with DNS and WHOIS information, are able to provide detailed or sensitive information like usernames, vulnerabilities, present files or network topology about a system without targeting it directly.<br/><br />
Restricting crawlers to access a system can act as a first line of defence and reduce exposure and risks.<br/> <br />
<br/><br />
'''Second presentation:''' VAC Cross-site scripting by Martin Visser. <br/><br />
The second VAC on an OWASP meeting was about Cross-site scripting also known as XSS. XSS vulnerabilities are often misunderstood and underestimated but facts show that XSS vulnerability abusing attacks are nowadys the fastest growing and most widespread type of exploit. In short XSS vulnerabilities allow for user input to be executed when containing javascript or HTML code. When combined with other vulnerabilities the possibilities of these attacks are vitually limitless.<br/><br />
The only way to prevent these attacks is to sanitize all input and output fields, but this can be more difficult than it appears to be. Simply blacklisting fragments like <script> is not sufficient due to the possibility of recursivity (e.g. <scr<script>ipt>) and encoding (e.g. URL encoding: %3C%73%63%72%69%70%74%3E). Using multiple layers of filters on various places is the only way to assure enough protection against these types of attacks.<br/><br />
<br/><br />
'''Third presentation:''' Beveiligingsaspecten van webapplicatie-ontwikkeling by Wouter van Kuipers. <br/><br />
The third presentation of the evening was about the efficiency of a source code analyer for php based websites. Approximately 33% of all websites use php and this can be explained by the low learning curve and ease of use of the language. Due to the low learning curve many php developers have little experience with programming and almost no awareness regading security resulting in many unsecure websites. Source code analysis can help preventing many security issues, but their usage does have some limitations. Firstly the scan on itself takes only a few minutes, but analysing the results requires much longer and depends greatly on how familiar the analyser is with the scanned source code. Second these analysers produce many flase positives, making analysis even more time consuming. Lastly not all vulnerabilities are detected with the same efficiency. Especially vulnerabilities that are dependent on the application logic like injection or XSS are not always efficiently detected.<br/><br />
Concluding, like all tools, a source code analyser can be a powerful tool, but one has to be aware of its limitations. These tools can provide results very fast, but when used on unfamiliar code the analysis can be very time consuming.<br />
<br/><br />
<br />
== Scheduled OWASP NL Chapter Meetings: ==<br />
=== Meeting Schedule May 28th 2009: AppSec Europe 2009 ===<br />
<br />
'''Summary'''<br />
The main goal of the upcoming OWASP-NL meeting is to provide an abstract of the recently held AppSec Europe 2009, a VAC about CSRF and, new, an open discussion on application security subjects brought forward by the attendees. <br />
<table><br />
<tr><br />
<td width="350"><br />
ASR Nederland<br/><br />
<br/><br />
MD0.60 - Auditorium<br/><br />
Smallepad 30<br/><br />
3811MG Amersfoort<br/><br />
</td><br />
<td width="650"><br />
[[Image:ASR Nederland logo.jpg|200px]]<br />
</td><br />
</tr><br />
<tr><br />
<td width="350"><br />
</td><br />
<td width="650"><br />
<br />
<br/><br />
<br />
<br/><br />
</td><br />
</tr><br />
</table><br />
<br />
'''18.30 - 18.45 Introduction (OWASP organization, projects, sponsor) '''<br><br />
<br />
'''18.45 - 19.45 AppSec-EU 2009 (Sebastien Deleersnyder, Telindus) '''<br><br />
Update on the AppSec-EU 2009: <br><br />
OWASP State of the union, an update on OWASP and OWASP projects and of course the highlights of the AppSec-EU 2009 presentations.<br />
<br />
'''19.45 - 20.00 Break '''<br><br />
<br />
'''20.00 - 20.30 VAC Cross-Site Request Forgery (Niels Teusink, Fox-IT) ''' ([[Media:20090409_VAC-CSRF-Niels_Teusink.pdf]])<br><br />
CSRF is an attack which forces an end user to execute unwanted actions on a web application in which he/she is currently authenticated. With a little help of social engineering (like sending a link via email/chat), an attacker may force the users of a web application to execute actions of the attacker's choosing. A successful CSRF exploit can compromise end user data and operation in case of normal user. If the targeted end user is the administrator account, this can compromise the entire web application.<br />
<br />
Niels Teusink holds a bachelor degree in Computer Science and has been experimenting with IT security for over a decade. He has worked for Fox-IT since 2005; first as a software engineer and since 2007 as a penetration tester. He has since performed dozens of penetration tests for all sorts of companies, including governments, banks and nuclear installations.<br />
<br />
'''20.30 - 21.15 Open session / discussion (Martin Knobloch/Ferdinand Vroom/Peter Gouwentak) ''' <br><br />
Open session / discussion about subjects brought forward by the attendees.<br />
<br />
The Announcement of this meeting: [[Media:Announcement OWASP-NL May 28th 2009.pdf]]<br><br />
The flyer of this meeting: [[Media:owasp_NL_may2009.pdf]]<br />
<br/><br />
<hr><br />
=== Meeting Schedule 9th April Knowing Your Enemy ===<br />
<br />
'''Summary'''<br />
The main goal of the upcoming OWASP-NL meeting is to provide information to managers, architects, designers, developers and security and risk professionals. The speakers will give specific examples and there will be time to ask questions. <br />
<table><br />
<tr><br />
<td width="350"><br />
Lange Dreef 17<br/><br />
4131 NJ Vianen<br/><br />
</td><br />
<td width="650"><br />
[[Image:Sogeti_Nederland_b_v_Logo.jpg|http:\\www.sogeti.nl]]<br />
</td><br />
</tr><br />
<tr><br />
<td width="350"><br />
</td><br />
<td width="650"><br />
About Sogeti Nederland B.V.<br />
Sogeti Nederland B.V. is one of top-5 IT companies of the Netherlands. Our workforce of over 3,500 employees provides top quality IT consultancy and services to leading companies in several industry sectors in the Netherlands. Our focus is local, but we are part of Sogeti Worldwide, offering IT services in the American, German, French, Belgian, UK, Swedish, Swiss and Spanish markets. <br />
<br />
Our core business is the design, construction, deployment, testing and maintenance of IT solutions. We stand for quality and IT skills; this is visible in our service and in the methods developed by us such as DYA®, Regatta®, TMap®, TPI® , Inframe®, and TEmb. <br />
<br />
Vision<br />
Sogeti delivers value by aligning the results of her services to the strategic goals of the client, thereby committing herself to the success of the client. We prove our commitment by assuming responsibility in various forms and to various degrees. <br />
<br />
New trends<br />
Our own research institute ViNT (Institute for Research into New Technology) keeps us and our clients ahead of the newest technology trends and their potential influence, benefits and risks.<br />
<br/><br />
More information about Sogeti can be found on our website www.sogeti.nl.<br />
<br/><br />
</td><br />
</tr><br />
</table><br />
<br />
'''18.30 - 18.45 Introduction (OWASP organization, projects, sponsor) '''<br><br />
'''18.45 - 19.30 Modern information gathering; how to abuse search engines Dave van Stein '''([[Media:20090409_passsive_reconnaissance-Dave_van_Stein.pdf]])<br><br />
Great generals already know the key to success is "knowing your enemy". In hacking terms this is called information gathering, fingerprinting or reconnaissance. Traditionally this phase consisted of using public records like WHOIS and DNS combined with active scans on servers. With the rise of advanced search engines like Yahoo, Live Search and Google a whole new type of reconnaissance has come to life; passive reconnaissance. Often servers are not properly configured which causes lots of valuable information to become available without accessing the server at all. Recently several hacker-tools appeared which use the full capabilities of these search engines giving hackers a head-start at mapping the network they plan to attack. The goal of this session is to give insight in the methods and tools hackers have at their disposal to gather information about systems they plan to attack without accessing the system itself. <br />
Dave van Stein has close to 8 years of experience in software testing. Since the beginning of 2008 he's working for ps_testware as a web application security testing specialist. <br />
<br />
'''19.30 - 20.00 VAC Cross-site scripting Martin Visser '''([[Media:20090409_VAC_Cross-site-scripting_Martin_Visser.pdf]])<br><br />
Martin Visser is a software designer with Sogeti Nederland B.V. specialized in secure application development with Microsoft technologies. He has experience with Microsoft server technologies like ASP.NET, SharePoint and Biztalk. Martin also developed and teaches a 2-day "Application Security - Microsoft development" course both within and outside Sogeti. <br />
<br />
'''20.00 - 20.15 Break ''' <br><br />
'''20.15 - 21.00 Beveiligingsaspecten van webapplicatie-ontwikkeling Wouter van Kuipers ''' ([[Media:20090409_presentatie_Wouter_van_Kuipers.pdf]])<br><br />
Het ontwikkelen van webapplicaties verschilt op verschillende aspecten met het ontwikkelen van desktop applicaties, met name op het gebied van security. Voor grote bedrijven zijn er oplossingen beschikbaar als bijvoorbeeld SDL, maar voor het midden- en kleinbedrijf zijn dit soort oplossingen beperkt, omdat zij vaak niet de middelen hebben om dergelijke strategieën uit te kunnen voeren. Voor zijn scriptie heeft Wouter van Kuipers middels een literatuuronderzoek, interviews met ontwikkelaars en een onderzoek naar Fortify 360 gekeken hoe het midden- en kleinbedrijf omgaat met deze verschillen en hoe zij het ontwikkelproces kunnen optimaliseren op het gebied van security.<br />
<br />
Na een MBO opleiding in de IT is Wouter van Kuipers via de HBO opleiding 'Communicatie Systemen' begin 2007 begonnen met een master<br />
Informatiekunde aan de Radboud Universiteit Nijmegen, welke hij in maart dit jaar hoopt af te ronden. Tijdens zijn MBO studie is zijn interesse in het ontwikkelen van webapplicaties gewekt, wat in 2003 resulteerde in het opzetten van een eigen web-development bedrijf. Dit bedrijf is met name gespecialiseerd in het ontwikkelen van webapplicaties op maat, en het ondersteunen van bedrijven op het gebied van web-developement op freelance basis.<br />
<br />
The flyer of this meeting: [[Media:owasp_NL_april2009.pdf]]<br />
<br />
== Past Events ==<br />
* Events held in [[Netherlands_Previous_Events_2008|2008]]<br />
* Events held in [[Netherlands_Previous_Events_2007|2007]]<br />
* Events held in [[Netherlands_Previous_Events_2006|2006]]<br />
* Events held in [[Netherlands_Previous_Events_2005|2005]]</div>Bvankampenhttps://wiki.owasp.org/index.php?title=File:Owasp_NL_cafe_july2009.pdf&diff=64140File:Owasp NL cafe july2009.pdf2009-06-12T14:41:18Z<p>Bvankampen: THe flyer of the OWASP Café meeting</p>
<hr />
<div>THe flyer of the OWASP Café meeting</div>Bvankampenhttps://wiki.owasp.org/index.php?title=Netherlands&diff=64139Netherlands2009-06-12T14:40:33Z<p>Bvankampen: Added flyer OWASP Café July 2009, changed google maps link of OWASP Café</p>
<hr />
<div>{{Chapter Template|chaptername=Netherlands|extra=The chapter leader is [mailto:owasp@irc2.nl Bert Koelewijn]<br />
<paypal>Netherlands</paypal><br />
|mailinglistsite=http://lists.owasp.org/mailman/listinfo/owasp-netherlands|emailarchives=http://lists.owasp.org/pipermail/owasp-netherlands}}<br />
<br />
=== Call for Speakers ===<br />
We are continuously looking for speakers and presentations make the chapter meetings as interesting as possible. Therefore we are looking inside and outside OWASP for known international specialists. But we know, there is a lot interesting stuf happening inside the Netherlands, too! <br/><br />
'''Presentations:''' Are you working on interesting subject, you would like to share your experiences with the OWASP community. Any topic related to application security will be appreciated!<br/><br />
'''VAC, Vulnerability, Attack, Countermeasure:''' The goal is an half hour in-depth technical presentation about a vulnerability, how it can be exploited and how to prevent it!<br/><br />
<br />
=== Sponsorship of a local chapter meeting ===<br />
We are continuously looking for locations to hold local chapter meetings. Therefore, we need companies willing to sponsor of host events.<br><br />
'''Hosting a local chapter meeting:''' To host a local chapter meeting, you facilitate the meeting location and beverage for the attendees<br><br />
'''Sponsorship of a local chapter meeting:''' You cover the cost of renting the location for the meeting and the payment of the beverages for the attendees<br><br />
'''Please let us know via the OWASP chapter meeting questionnaire of via email to martin.knobloch@owasp.org<br>'''<br />
<br />
== '''OWASP NL Cafe''' == <br />
<font color="red">'''NEW:'''</font><br />
Monthly informal platform to speak about (Web) application security matters! No registration required, just drop by!<br />
* no programm<br />
* no agenda<br />
* whatever comes up!<br />
<br />
=== Next OWASP Cafe:===<br />
<br />
Tuesday July 7th, from 7 pm, drop in whenever you can!<br />
<br />
<pre><br />
Where:<br />
Prof. Dr. Ornsteinlaan 14<br />
3431 EP Nieuwegein<br />
Public transport from Utrecht Centraal:<br />
Bus 74, bus stop "Zorgcentrum Zuilenstein" Nieuwegein (2 min walk)<br />
Streetcar / Tram stop: "Batau Noord" Nieuwegein (8 min walk)<br />
</pre><br />
[http://maps.google.com/maps?f=q&source=s_q&hl=en&geocode=&q=prof.+dr.+ornsteinlaan+14,+3431+EP+Nieuwegein&sll=37.0625,-95.677068&sspn=42.901912,58.095703&ie=UTF8&z=16 Google maps of the next Café]<br><br />
The flyer of this café: [[Media:owasp_NL_cafe_july2009.pdf]]<br />
<br />
<br />
== '''OWASP NL Chapter Meetings Schedule 2009''' ==<br />
This is an overview of the 2009 local chapter meeting schedule. Details of the meetings can be found in the announcements that will be posted below this schedule.<br />
<pre><br />
April 9th<br />
----------<br />
Time : 18.00 - 21.30<br />
Main Topic : Knowing Your Enemy<br />
Presentations: Modern information gathering; how to abuse search engines Dave van Stein<br />
VAC Cross-site scripting Martin Visser <br />
Beveiligingsaspecten van webapplicatie-ontwikkeling Wouter van Kuipers <br />
Location : Lange Dreef 17<br />
4131 NJ Vianen<br />
Sponsor : Sogeti Nederland B.V.<br />
<br />
May 28th<br />
----------<br />
Time : 18.00 - 21.30<br />
Main Topic : AppSec Europe 2009<br />
Presentations: AppSec-EU 2009 Sebastien Deleersnyder, Telindus <br />
VAC Cross-Site Request Forgery Niels Teusink<br />
Open session / discussion about subjects brought forward by <br />
the attendees Martin Knobloch/Ferdinand Vroom/Peter Gouwentak<br />
Location : ASR Nederland<br />
MD0.60 - Auditorium<br />
Smallepad 30<br />
3811MG Amersfoort<br />
Sponsor : ASR Nederland<br />
<br />
September 24th<br />
----------<br />
Time : 17.30 - 21.30<br />
Main Topic : <br />
Presentations: <br />
Location : <br />
Sponsor : <br />
<br />
December 10th<br />
----------<br />
Time : 17.30 - 21.30<br />
Main Topic : <br />
Presentations: <br />
Location : <br />
Sponsor : <br />
</pre><br />
<br />
<br />
<br />
'''Registration'''<br><br />
If you want to attend, please send an email to: bert.koelewijn@owasp.org<br />
<br/><br />
<br/><br />
All OWASP chapter meetings are free of charge and you don't have to be an OWASP member to attend. There are never any vendor pitches or sales presentations at OWASP meetings.<br/><br />
<br/><br />
NOTE TO CISSP's: OWASP Meetings count towards CPE Credits.<br/><br />
<br/><br />
<br/><br />
<br />
=='''OWASP NL Mini-Meetings''' == <br />
<font color="red">'''NEW:'''</font><br />
Platform to discus on specific issues related to (Web) Application Security. The topic's are brought in by the OWASP NL community!<br><br />
Something on your mind to discus, put your idea online at: Mini Meetings [[Netherlands_Mini_Meeting_2009|Netherlands_Mini_Meeting_2009]]<br />
<br />
=== Mini-Meeting Scheduled: ===<br />
<pre><br />
Topic : Quickscans and other timeboxed test approaches (discussion)<br />
Contact : Barry van Kampen, owasp@itq.nl<br />
----------<br />
Date : 25th june 2009<br />
Time : 18:00 Diner (free of charge), 19:00 Start of discussion, Till ca 21:30<br />
Location : ITQ Consultancy<br />
Joop Geesinkweg 701 <br />
1096 AZ Amsterdam<br />
Details : This discussion will be about the way quickscans can be performed.<br />
At least basic web application testing knowledge is needed for this session.<br />
Max 8 persons in total, please send an email if you would like to attend <br />
<br />
Topic : SAMM, ASVS and other methodologies<br />
Contact : Martin Knobloch<br />
----------<br />
Date : 23rd July 2009<br />
Time : 18:00 (dinner provided) to 21:30 <br />
Location : Sogeti Nederland B.V.<br />
Plotterweg 31-33<br />
3821 BB Amersfoort<br />
Details : About ideas and experiences of using, implementing and verifying the different methodologies<br />
<br />
Topic : Tools of the trade; exchange real-life experiences<br />
Contact : Dave van Stein<br />
----------<br />
Date : 27th August 2009<br />
Time : 18:00 (sandwiches provided) to 21:30<br />
Location : ps_testware<br />
Dorpsstraat 26<br />
3941 JM Doorn<br />
Details : Exchange real-world experience about web testing tools. What is really useable and what is not.<br />
Attendees : Max 8 persons, currently 2 <br />
</pre><br />
<br />
== '''Meeting Minutes''' ==<br />
=== Meeting minutes May 28th 2009 ===<br />
<br />
At May 28th, the Dutch OWASP chapter came together at the ASR building in Amersfoort. The main topic of the evening was AppSec 2009. There were 2 speakers and approximately 20 attendees.<br/><br />
<br/><br />
There was no sponsor talk or general announcement so after a very short welcome talk by Bert the evening started.<br/><br />
<br/><br />
'''First presentation:''' AppSec 2009 by Sebastien Deleersnyder. <br/><br />
The first presentation of the evening was a recap of AppSec 2009 in Poland. The conference was a big success with around 170 attendees. The meeting preceded the 2009 edition of Confidence [http://2009.confidence.org.pl/] resulting in a week of security presentations and workshops. All AppSec presentations and many movies, pictures, and other material can be found on the AppSec wiki [http://www.owasp.org/index.php/OWASP_AppSec_Europe_2009_-_Poland] but a few items are worth mentioning in specific. First of all OWASP is growing and changing. These changes include a simplification of the membership fees, the introduction of a 'code of ethics', and a general review of all 120 projects. Other highlights are the project ASVS, which has reached an international standard status and updated versions of WebGoat and LabRat.<br/><br />
Lastly besides a Wiki and a LinkedIn group, OWASP is now also active on Twitter [http://twitter.com/owasp] and has two overview pages with all video [http://www.owasp.org/index.php/Category:OWASP_Video] and audio materials [http://www.owasp.org/index.php/OWASP_Podcast].<br/><br />
Feel free to use all the materials (as long as you abide by the new code of ethics off course) and visit the OWASP websites frequently for updates !<br/><br />
<br/><br />
'''Second presentation:''' VAC Cross-Site Request Forgery by Niels Teusink. <br/><br />
After succesfull VAC's about SQL injection and Cross-site scripting, the topic of this evening's VAC was Cross-site Request Forgery, also known as CSRF. CSRF is probably one of the least understood vulnerabilities, but can have tremendous consequences when succesfully exploited. In essence it is an attack that misuses the victim's autorisations with malicious scripts. CSRF attacks can also be easily combined with other attack, like e.g. XSS, making them even more dangerous. <br/><br />
Despite the name suggests, these attacks do not have to be on different websites (domains). With the continuing trend to combine multiple functionalities in a single application, so-called onsite request forgeries are becoming more and more frequent. Contrary to XSS and SQL injection, CSRF can not be blocked by input validation. In order to prevent these kind of attacks, an application has to able to verify the authenticity of a request. This can be achieved by several methods like using a unique identifier for a session or each request or requiring additional user input like a CAPTCHA or a one-time token. <br/><br />
<br/><br />
'''Open Discussion''' <br/><br />
The evening was closed with an open discussion about how to improve knowledge sharing among the OWASP members. Many interesting discussions start during the drinks after the presentations on the OWASP evenings, discussions that sadly often are stopped prematurly due to time restraints.<br/><br />
As an addition on the quarterly presentation evenings, the Dutch chapter decided to also start mini-meetings and the OWASP cafe.<br/><br />
Mini-meetings will not be planned on beforehand, but instead will be planned when a topic is proposed and enough attendees have stated an interest in the topic. The attendees will have to select a location themselves but can request a donation from the OWASP for drinks and snacks. Topics discussed at the mini-meeting will have to be listed in minutes so other members can also profit from this knowledge exchange.<br/><br />
The OWASP cafe will be planned each first thursday of the month on a location that will be listed on the OWASP Dutch chapter site. The rules are simple: the evening starts at a certain time, ends at a certain time and will be filled with drinks, snacks, and nerd/hacker/geek humor and discussions in between.<br/><br />
Check the website frequently for the location of the next mini-meeting and OWASP cafe !<br/><br />
<br/><br />
<hr><br />
<br />
=== Meeting minutes April 9th 2009 ===<br />
<br />
At April 9th, the Dutch OWASP chapter came together at the office of Sogeti in Vianen. The main topic of the evening was "knowing your enemy". There were 3 speakers and approximately 50 attendees.<br/><br />
<br/><br />
The sponsor of the evening started with a small welcome and an overview of their internal security program named PASS. After some small announcements from the OWASP the evening started.<br/><br />
<br/><br />
'''First presentation:''' Modern information gathering; how to abuse search engines by Dave van Stein.<br/><br />
The first presentation of the evening was about using search engines and crawlers to gain detailed information about webservers and websites. Ill configured webservers allow search engine crawlers to collect much information about a system, information that is stored and can be retrieved with search engines. Many websites and tools make use of this mechanism and, combined with DNS and WHOIS information, are able to provide detailed or sensitive information like usernames, vulnerabilities, present files or network topology about a system without targeting it directly.<br/><br />
Restricting crawlers to access a system can act as a first line of defence and reduce exposure and risks.<br/> <br />
<br/><br />
'''Second presentation:''' VAC Cross-site scripting by Martin Visser. <br/><br />
The second VAC on an OWASP meeting was about Cross-site scripting also known as XSS. XSS vulnerabilities are often misunderstood and underestimated but facts show that XSS vulnerability abusing attacks are nowadys the fastest growing and most widespread type of exploit. In short XSS vulnerabilities allow for user input to be executed when containing javascript or HTML code. When combined with other vulnerabilities the possibilities of these attacks are vitually limitless.<br/><br />
The only way to prevent these attacks is to sanitize all input and output fields, but this can be more difficult than it appears to be. Simply blacklisting fragments like <script> is not sufficient due to the possibility of recursivity (e.g. <scr<script>ipt>) and encoding (e.g. URL encoding: %3C%73%63%72%69%70%74%3E). Using multiple layers of filters on various places is the only way to assure enough protection against these types of attacks.<br/><br />
<br/><br />
'''Third presentation:''' Beveiligingsaspecten van webapplicatie-ontwikkeling by Wouter van Kuipers. <br/><br />
The third presentation of the evening was about the efficiency of a source code analyer for php based websites. Approximately 33% of all websites use php and this can be explained by the low learning curve and ease of use of the language. Due to the low learning curve many php developers have little experience with programming and almost no awareness regading security resulting in many unsecure websites. Source code analysis can help preventing many security issues, but their usage does have some limitations. Firstly the scan on itself takes only a few minutes, but analysing the results requires much longer and depends greatly on how familiar the analyser is with the scanned source code. Second these analysers produce many flase positives, making analysis even more time consuming. Lastly not all vulnerabilities are detected with the same efficiency. Especially vulnerabilities that are dependent on the application logic like injection or XSS are not always efficiently detected.<br/><br />
Concluding, like all tools, a source code analyser can be a powerful tool, but one has to be aware of its limitations. These tools can provide results very fast, but when used on unfamiliar code the analysis can be very time consuming.<br />
<br/><br />
<br />
== Scheduled OWASP NL Chapter Meetings: ==<br />
=== Meeting Schedule May 28th 2009: AppSec Europe 2009 ===<br />
<br />
'''Summary'''<br />
The main goal of the upcoming OWASP-NL meeting is to provide an abstract of the recently held AppSec Europe 2009, a VAC about CSRF and, new, an open discussion on application security subjects brought forward by the attendees. <br />
<table><br />
<tr><br />
<td width="350"><br />
ASR Nederland<br/><br />
<br/><br />
MD0.60 - Auditorium<br/><br />
Smallepad 30<br/><br />
3811MG Amersfoort<br/><br />
</td><br />
<td width="650"><br />
[[Image:ASR Nederland logo.jpg|200px]]<br />
</td><br />
</tr><br />
<tr><br />
<td width="350"><br />
</td><br />
<td width="650"><br />
<br />
<br/><br />
<br />
<br/><br />
</td><br />
</tr><br />
</table><br />
<br />
'''18.30 - 18.45 Introduction (OWASP organization, projects, sponsor) '''<br><br />
<br />
'''18.45 - 19.45 AppSec-EU 2009 (Sebastien Deleersnyder, Telindus) '''<br><br />
Update on the AppSec-EU 2009: <br><br />
OWASP State of the union, an update on OWASP and OWASP projects and of course the highlights of the AppSec-EU 2009 presentations.<br />
<br />
'''19.45 - 20.00 Break '''<br><br />
<br />
'''20.00 - 20.30 VAC Cross-Site Request Forgery (Niels Teusink, Fox-IT) ''' ([[Media:20090409_VAC-CSRF-Niels_Teusink.pdf]])<br><br />
CSRF is an attack which forces an end user to execute unwanted actions on a web application in which he/she is currently authenticated. With a little help of social engineering (like sending a link via email/chat), an attacker may force the users of a web application to execute actions of the attacker's choosing. A successful CSRF exploit can compromise end user data and operation in case of normal user. If the targeted end user is the administrator account, this can compromise the entire web application.<br />
<br />
Niels Teusink holds a bachelor degree in Computer Science and has been experimenting with IT security for over a decade. He has worked for Fox-IT since 2005; first as a software engineer and since 2007 as a penetration tester. He has since performed dozens of penetration tests for all sorts of companies, including governments, banks and nuclear installations.<br />
<br />
'''20.30 - 21.15 Open session / discussion (Martin Knobloch/Ferdinand Vroom/Peter Gouwentak) ''' <br><br />
Open session / discussion about subjects brought forward by the attendees.<br />
<br />
The Announcement of this meeting: [[Media:Announcement OWASP-NL May 28th 2009.pdf]]<br><br />
The flyer of this meeting: [[Media:owasp_NL_may2009.pdf]]<br />
<br/><br />
<hr><br />
=== Meeting Schedule 9th April Knowing Your Enemy ===<br />
<br />
'''Summary'''<br />
The main goal of the upcoming OWASP-NL meeting is to provide information to managers, architects, designers, developers and security and risk professionals. The speakers will give specific examples and there will be time to ask questions. <br />
<table><br />
<tr><br />
<td width="350"><br />
Lange Dreef 17<br/><br />
4131 NJ Vianen<br/><br />
</td><br />
<td width="650"><br />
[[Image:Sogeti_Nederland_b_v_Logo.jpg|http:\\www.sogeti.nl]]<br />
</td><br />
</tr><br />
<tr><br />
<td width="350"><br />
</td><br />
<td width="650"><br />
About Sogeti Nederland B.V.<br />
Sogeti Nederland B.V. is one of top-5 IT companies of the Netherlands. Our workforce of over 3,500 employees provides top quality IT consultancy and services to leading companies in several industry sectors in the Netherlands. Our focus is local, but we are part of Sogeti Worldwide, offering IT services in the American, German, French, Belgian, UK, Swedish, Swiss and Spanish markets. <br />
<br />
Our core business is the design, construction, deployment, testing and maintenance of IT solutions. We stand for quality and IT skills; this is visible in our service and in the methods developed by us such as DYA®, Regatta®, TMap®, TPI® , Inframe®, and TEmb. <br />
<br />
Vision<br />
Sogeti delivers value by aligning the results of her services to the strategic goals of the client, thereby committing herself to the success of the client. We prove our commitment by assuming responsibility in various forms and to various degrees. <br />
<br />
New trends<br />
Our own research institute ViNT (Institute for Research into New Technology) keeps us and our clients ahead of the newest technology trends and their potential influence, benefits and risks.<br />
<br/><br />
More information about Sogeti can be found on our website www.sogeti.nl.<br />
<br/><br />
</td><br />
</tr><br />
</table><br />
<br />
'''18.30 - 18.45 Introduction (OWASP organization, projects, sponsor) '''<br><br />
'''18.45 - 19.30 Modern information gathering; how to abuse search engines Dave van Stein '''([[Media:20090409_passsive_reconnaissance-Dave_van_Stein.pdf]])<br><br />
Great generals already know the key to success is "knowing your enemy". In hacking terms this is called information gathering, fingerprinting or reconnaissance. Traditionally this phase consisted of using public records like WHOIS and DNS combined with active scans on servers. With the rise of advanced search engines like Yahoo, Live Search and Google a whole new type of reconnaissance has come to life; passive reconnaissance. Often servers are not properly configured which causes lots of valuable information to become available without accessing the server at all. Recently several hacker-tools appeared which use the full capabilities of these search engines giving hackers a head-start at mapping the network they plan to attack. The goal of this session is to give insight in the methods and tools hackers have at their disposal to gather information about systems they plan to attack without accessing the system itself. <br />
Dave van Stein has close to 8 years of experience in software testing. Since the beginning of 2008 he's working for ps_testware as a web application security testing specialist. <br />
<br />
'''19.30 - 20.00 VAC Cross-site scripting Martin Visser '''([[Media:20090409_VAC_Cross-site-scripting_Martin_Visser.pdf]])<br><br />
Martin Visser is a software designer with Sogeti Nederland B.V. specialized in secure application development with Microsoft technologies. He has experience with Microsoft server technologies like ASP.NET, SharePoint and Biztalk. Martin also developed and teaches a 2-day "Application Security - Microsoft development" course both within and outside Sogeti. <br />
<br />
'''20.00 - 20.15 Break ''' <br><br />
'''20.15 - 21.00 Beveiligingsaspecten van webapplicatie-ontwikkeling Wouter van Kuipers ''' ([[Media:20090409_presentatie_Wouter_van_Kuipers.pdf]])<br><br />
Het ontwikkelen van webapplicaties verschilt op verschillende aspecten met het ontwikkelen van desktop applicaties, met name op het gebied van security. Voor grote bedrijven zijn er oplossingen beschikbaar als bijvoorbeeld SDL, maar voor het midden- en kleinbedrijf zijn dit soort oplossingen beperkt, omdat zij vaak niet de middelen hebben om dergelijke strategieën uit te kunnen voeren. Voor zijn scriptie heeft Wouter van Kuipers middels een literatuuronderzoek, interviews met ontwikkelaars en een onderzoek naar Fortify 360 gekeken hoe het midden- en kleinbedrijf omgaat met deze verschillen en hoe zij het ontwikkelproces kunnen optimaliseren op het gebied van security.<br />
<br />
Na een MBO opleiding in de IT is Wouter van Kuipers via de HBO opleiding 'Communicatie Systemen' begin 2007 begonnen met een master<br />
Informatiekunde aan de Radboud Universiteit Nijmegen, welke hij in maart dit jaar hoopt af te ronden. Tijdens zijn MBO studie is zijn interesse in het ontwikkelen van webapplicaties gewekt, wat in 2003 resulteerde in het opzetten van een eigen web-development bedrijf. Dit bedrijf is met name gespecialiseerd in het ontwikkelen van webapplicaties op maat, en het ondersteunen van bedrijven op het gebied van web-developement op freelance basis.<br />
<br />
The flyer of this meeting: [[Media:owasp_NL_april2009.pdf]]<br />
<br />
== Past Events ==<br />
* Events held in [[Netherlands_Previous_Events_2008|2008]]<br />
* Events held in [[Netherlands_Previous_Events_2007|2007]]<br />
* Events held in [[Netherlands_Previous_Events_2006|2006]]<br />
* Events held in [[Netherlands_Previous_Events_2005|2005]]</div>Bvankampenhttps://wiki.owasp.org/index.php?title=Netherlands_Mini_Meeting_2009&diff=63930Netherlands Mini Meeting 20092009-06-09T07:56:23Z<p>Bvankampen: Added total persons at minimeet 25-june-09</p>
<hr />
<div>[[Netherlands]] Calendar and Topics for OWASP NL Mini Meetings:<br />
The 'Mini Meetings' are a informal platform to discus on a specific topic in a small group.<br />
Chair is, whoever put's in a topic. You will get all support by the OWASP NL Chapter Board!<br />
Those meetings must result in meeting notes and can result in a presentation on a OWASP NL Chapter meeting!<br />
<br />
== Mini Meeting Topics 2009 ==<br />
<br />
Topics addressed at the open discussion on the May 28th meeting:<br />
<br />
<pre><br />
Topic : Quickscans and other timeboxed test approaches (discussion)<br />
Contact : Barry van Kampen, owasp@itq.nl<br />
----------<br />
Date : 25th june 2009<br />
Time : 18:00 Dinner (free of charge), 19:00 Start of discussion, Till ca 21:30<br />
Location : ITQ Consultancy<br />
Joop Geesinkweg 701 <br />
1096 AZ Amsterdam<br />
Details : This discussion will be about the way quickscans can be performed.<br />
At least basic web application testing knowledge is needed for this session.<br />
Please send an email if you would like to attend.<br />
Total persons: 6 are attending, max 8 in total.<br />
</pre><br />
<pre><br />
Topic : SAMM, ASVS and other methodologies<br />
Contact : Martin Knobloch<br />
----------<br />
Date : 23rd July 2009<br />
Time : 18:00 (dinner provided) to 21:30 <br />
Location : Sogeti Nederland B.V.<br />
Plotterweg 31-33<br />
3821 BB Amersfoort<br />
Details : About ideas and experiences of using, implementing and verifying the different methodologies<br />
</pre><br />
<pre><br />
Topic : Tools of the trade; exchange real-life experiences<br />
Contact : Dave van Stein<br />
----------<br />
Date : 27th August 2009<br />
Time : 18:00 (sandwiches provided) to 21:30<br />
Location : ps_testware<br />
Dorpsstraat 26<br />
3941 JM Doorn<br />
Details : Exchange real-world experience about web testing tools. What is really useable and what is not.<br />
Attendees : Max 8 persons, currently 2 <br />
</pre><br />
<pre><br />
Topic : Web Application Firewalls<br />
Contact : put in your contact details<br />
----------<br />
Date : suggest a date<br />
Time : suggest a time<br />
Location : suggest a location<br />
</pre><br />
Add your own suggestions below:<br />
<pre><br />
Topic : suggest a topic<br />
Contact : put in your contact details<br />
----------<br />
Date : suggest a date<br />
Time : suggest a time<br />
Location : suggest a location<br />
</pre><br />
<br />
== Mini Meeting minutes ==<br />
Space below is mend to put the Mini-Meeting-Note!<br />
<br />
'''Registration'''<br/><br />
If you want to attend, please send an email to the contact of the topic.<br/><br />
<br/><br />
All OWASP chapter meetings are free of charge and you don’t have to be an OWASP member to attend. There are never any vendor pitches or sales presentations at OWASP meetings.<br/><br />
<br/></div>Bvankampenhttps://wiki.owasp.org/index.php?title=Netherlands_Mini_Meeting_2009&diff=63632Netherlands Mini Meeting 20092009-06-05T07:52:03Z<p>Bvankampen: Corrected a typo</p>
<hr />
<div>[[Netherlands]] Calendar and Topics for OWASP NL Mini Meetings:<br />
The 'Mini Meetings' are a informal platform to discus on a specific topic in a small group.<br />
Chair is, whoever put's in a topic. You will get all support by the OWASP NL Chapter Board!<br />
Those meetings must result in meeting notes and can result in a presentation on a OWASP NL Chapter meeting!<br />
<br />
== Mini Meeting Topics 2009 ==<br />
<br />
Topics addressed at the open discussion on the May 28th meeting:<br />
<br />
<pre><br />
Topic : Quickscans and other timeboxed test approaches (discussion)<br />
Contact : Barry van Kampen, owasp@itq.nl<br />
----------<br />
Date : 25th june 2009<br />
Time : 18:00 Dinner (free of charge), 19:00 Start of discussion, Till ca 21:30<br />
Location : ITQ Consultancy<br />
Joop Geesinkweg 701 <br />
1096 AZ Amsterdam<br />
Details : This discussion will be about the way quickscans can be performed.<br />
At least basic web application testing knowledge is needed for this session.<br />
Max 8 persons in total, please send an email if you would like to attend <br />
</pre><br />
<pre><br />
Topic : Tools of the trade; exchange real-life experiences<br />
Contact : put in your contact details<br />
----------<br />
Date : suggest a date<br />
Time : suggest a time<br />
Location : suggest a location<br />
</pre><br />
<pre><br />
Topic : Web Application Firewalls<br />
Contact : put in your contact details<br />
----------<br />
Date : suggest a date<br />
Time : suggest a time<br />
Location : suggest a location<br />
</pre><br />
<pre><br />
Topic : SAMM, ASVS and other methodologies<br />
Contact : put in your contact details<br />
----------<br />
Date : suggest a date<br />
Time : suggest a time<br />
Location : suggest a location<br />
</pre><br />
Add your own suggestions below:<br />
<pre><br />
Topic : suggest a topic<br />
Contact : put in your contact details<br />
----------<br />
Date : suggest a date<br />
Time : suggest a time<br />
Location : suggest a location<br />
</pre><br />
<br />
== Mini Meeting minutes ==<br />
Space below is mend to put the Mini-Meeting-Note!<br />
<br />
'''Registration'''<br/><br />
If you want to attend, please send an email to the contact of the topic.<br/><br />
<br/><br />
All OWASP chapter meetings are free of charge and you don’t have to be an OWASP member to attend. There are never any vendor pitches or sales presentations at OWASP meetings.<br/><br />
<br/></div>Bvankampenhttps://wiki.owasp.org/index.php?title=Netherlands_Mini_Meeting_2009&diff=63585Netherlands Mini Meeting 20092009-06-04T06:47:00Z<p>Bvankampen: Added details quickscan minimeeting</p>
<hr />
<div>[[Netherlands]] Calendar and Topics for OWASP NL Mini Meetings:<br />
The 'Mini Meetings' are a informal platform to discus on a specific topic in a small group.<br />
Chair is, whoever put's in a topic. You will get all support by the OWASP NL Chapter Board!<br />
Those meetings must result in meeting notes and can result in a presentation on a OWASP NL Chapter meeting!<br />
<br />
== Mini Meeting Topics 2009 ==<br />
<br />
Topics addressed at the open discussion on the May 28th meeting:<br />
<br />
<pre><br />
Topic : Quickscans and other timeboxed test approaches (discussion)<br />
Contact : Barry van Kampen, owasp@itq.nl<br />
----------<br />
Date : 25th june 2009<br />
Time : 18:00 Diner (free of charge), 19:00 Start of discussion, Till ca 21:30<br />
Location : ITQ Consultancy<br />
Joop Geesinkweg 701 <br />
1096 AZ Amsterdam<br />
Details : This discussion will be about the way quickscans can be performed.<br />
At least basic web application testing knowledge is needed for this session.<br />
Max 8 persons in total, please send an email if you would like to attend <br />
</pre><br />
<pre><br />
Topic : Tools of the trade; exchange real-life experiences<br />
Contact : put in your contact details<br />
----------<br />
Date : suggest a date<br />
Time : suggest a time<br />
Location : suggest a location<br />
</pre><br />
<pre><br />
Topic : Web Application Firewalls<br />
Contact : put in your contact details<br />
----------<br />
Date : suggest a date<br />
Time : suggest a time<br />
Location : suggest a location<br />
</pre><br />
<pre><br />
Topic : SAMM, ASVS and other methodologies<br />
Contact : put in your contact details<br />
----------<br />
Date : suggest a date<br />
Time : suggest a time<br />
Location : suggest a location<br />
</pre><br />
Add your own suggestions below:<br />
<pre><br />
Topic : suggest a topic<br />
Contact : put in your contact details<br />
----------<br />
Date : suggest a date<br />
Time : suggest a time<br />
Location : suggest a location<br />
</pre><br />
<br />
== Mini Meeting minutes ==<br />
Space below is mend to put the Mini-Meeting-Note!<br />
<br />
'''Registration'''<br/><br />
If you want to attend, please send an email to the contact of the topic.<br/><br />
<br/><br />
All OWASP chapter meetings are free of charge and you don’t have to be an OWASP member to attend. There are never any vendor pitches or sales presentations at OWASP meetings.<br/><br />
<br/></div>Bvankampenhttps://wiki.owasp.org/index.php?title=Netherlands_Mini_Meeting_2009&diff=63570Netherlands Mini Meeting 20092009-06-03T17:02:20Z<p>Bvankampen: Filled quickscan details</p>
<hr />
<div>[[Netherlands]] Calendar and Topics for OWASP NL Mini Meetings:<br />
The 'Mini Meetings' are a informal platform to discus on a specific topic in a small group.<br />
Chair is, whoever put's in a topic. You will get all support by the OWASP NL Chapter Board!<br />
Those meetings must result in meeting notes and can result in a presentation on a OWASP NL Chapter meeting!<br />
<br />
== Mini Meeting Topics 2009 ==<br />
<br />
Topics addressed at the open discussion on the May 28th meeting:<br />
<br />
<pre><br />
Topic : Discussion about Quickscans and other timeboxed test approaches<br />
Contact : Barry van Kampen (email will follow soon)<br />
----------<br />
Date : 25th june 2009<br />
Time : 18:00 Diner (free of charge), 19:00 Start of discussion, Till ca 21:30<br />
Location : Amsterdam (Amstel business park), ITQ office<br />
</pre><br />
<pre><br />
Topic : Tools of the trade; exchange real-life experiences<br />
Contact : put in your contact details<br />
----------<br />
Date : suggest a date<br />
Time : suggest a time<br />
Location : suggest a location<br />
</pre><br />
<pre><br />
Topic : Web Application Firewalls<br />
Contact : put in your contact details<br />
----------<br />
Date : suggest a date<br />
Time : suggest a time<br />
Location : suggest a location<br />
</pre><br />
<pre><br />
Topic : SAMM, ASVS and other methodologies<br />
Contact : put in your contact details<br />
----------<br />
Date : suggest a date<br />
Time : suggest a time<br />
Location : suggest a location<br />
</pre><br />
Add your own suggestions below:<br />
<pre><br />
Topic : suggest a topic<br />
Contact : put in your contact details<br />
----------<br />
Date : suggest a date<br />
Time : suggest a time<br />
Location : suggest a location<br />
</pre><br />
<br />
== Mini Meeting minutes ==<br />
Space below is mend to put the Mini-Meeting-Note!<br />
<br />
'''Registration'''<br/><br />
If you want to attend, please send an email to the contact of the topic.<br/><br />
<br/><br />
All OWASP chapter meetings are free of charge and you don’t have to be an OWASP member to attend. There are never any vendor pitches or sales presentations at OWASP meetings.<br/><br />
<br/></div>Bvankampenhttps://wiki.owasp.org/index.php?title=Netherlands&diff=61732Netherlands2009-05-25T08:35:13Z<p>Bvankampen: Removed spam link: http://www.textaltadarli.com</p>
<hr />
<div>{{Chapter Template|chaptername=Netherlands|extra=The chapter leader is [mailto:owasp@irc2.nl Bert Koelewijn]<br />
<paypal>Netherlands</paypal><br />
|mailinglistsite=http://lists.owasp.org/mailman/listinfo/owasp-netherlands|emailarchives=http://lists.owasp.org/pipermail/owasp-netherlands}}<br />
<br />
=== Call for Speakers ===<br />
We are continuously looking for speakers and presentations make the chapter meetings as interesting as possible. Therefore we are looking inside and outside OWASP for known international specialists. But we know, there is a lot interesting stuf happening inside the Netherlands, too! <br/><br />
'''Presentations:'''<br/><br />
Are you working on interesting subject, you would like to share your experiences with the OWASP community.<br />
Any topic related to application security will be appreciated!<br/><br />
'''VAC, Vulnerability, Attack, Countermeasure:'''<br/><br />
The goal is an half hour in-depth technical presentation about a vulnerability, how it can be exploited and how to prevent it!<br/><br />
<br />
=== Sponsorship of a local chapter meeting ===<br />
We are continuously looking for locations to hold local chapter meetings. Therefore, we need companies willing to sponsor of host events.<br><br />
'''Hosting a local chapter meeting:'''<br><br />
To host a local chapter meeting, you facilitate the meeting location and beverage for the attendees<br><br />
'''Sponsorship of a local chapter meeting:'''<br><br />
You cover the cost of renting the location for the meeting and the payment of the beverages for the attendees<br><br />
<br />
'''Please let us know via the OWASP chapter meeting questionnaire of via email to martin.knobloch@owasp.org<br>'''<br />
<br />
== Meeting schedule 2009 ==<br />
This is an overview of the 2009 local chapter meeting schedule. Details of the meetings can be found in the announcements that will be posted below this schedule.<br />
<pre><br />
April 9th<br />
----------<br />
Time : 18.00 - 21.30<br />
Main Topic : Knowing Your Enemy<br />
Presentations: Modern information gathering; how to abuse search engines Dave van Stein<br />
VAC Cross-site scripting Martin Visser <br />
Beveiligingsaspecten van webapplicatie-ontwikkeling Wouter van Kuipers <br />
Location : Lange Dreef 17<br />
4131 NJ Vianen<br />
Sponsor : Sogeti Nederland B.V.<br />
<br />
May 28th<br />
----------<br />
Time : 18.00 - 21.30<br />
Main Topic : AppSec Europe 2009<br />
Presentations: AppSec-EU 2009 Sebastien Deleersnyder, Telindus <br />
VAC Cross-Site Request Forgery Niels Teusink<br />
Open session / discussion about subjects brought forward by <br />
the attendees Martin Knobloch/Ferdinand Vroom/Peter Gouwentak<br />
Location : ASR Nederland<br />
MD0.60 - Auditorium<br />
Smallepad 30<br />
3811MG Amersfoort<br />
Sponsor : ASR Nederland<br />
<br />
September 24th<br />
----------<br />
Time : 17.30 - 21.30<br />
Main Topic : <br />
Presentations: <br />
Location : <br />
Sponsor : <br />
<br />
December 10th<br />
----------<br />
Time : 17.30 - 21.30<br />
Main Topic : <br />
Presentations: <br />
Location : <br />
Sponsor : <br />
</pre><br />
<br />
<br />
<br />
'''Registration'''<br><br />
If you want to attend, please send an email to: bert.koelewijn@owasp.org<br />
<br/><br />
<br/><br />
All OWASP chapter meetings are free of charge and you don't have to be an OWASP member to attend. There are never any vendor pitches or sales presentations at OWASP meetings.<br/><br />
<br/><br />
NOTE TO CISSP's: OWASP Meetings count towards CPE Credits.<br/><br />
<br/><br />
<br/><br />
<br />
== Meeting Schedule May 28th 2009: AppSec Europe 2009 ==<br />
<br />
'''Summary'''<br />
The main goal of the upcoming OWASP-NL meeting is to provide an abstract of the recently held AppSec Europe 2009, a VAC about CSRF and, new, an open discussion on application security subjects brought forward by the attendees. <br />
<table><br />
<tr><br />
<td width="350"><br />
ASR Nederland<br/><br />
<br/><br />
MD0.60 - Auditorium<br/><br />
Smallepad 30<br/><br />
3811MG Amersfoort<br/><br />
</td><br />
<td width="650"><br />
[[Image:ASR Nederland logo.jpg|200px]]<br />
</td><br />
</tr><br />
<tr><br />
<td width="350"><br />
</td><br />
<td width="650"><br />
<br />
<br/><br />
<br />
<br/><br />
</td><br />
</tr><br />
</table><br />
<br />
'''18.30 - 18.45 Introduction (OWASP organization, projects, sponsor) '''<br><br />
<br />
'''18.45 - 19.45 AppSec-EU 2009 (Sebastien Deleersnyder, Telindus) '''<br><br />
Update on the AppSec-EU 2009: <br><br />
OWASP State of the union, an update on OWASP and OWASP projects and of course the highlights of the AppSec-EU 2009 presentations.<br />
<br />
'''19.45 - 20.00 Break '''<br><br />
<br />
'''20.00 - 20.30 VAC Cross-Site Request Forgery (Niels Teusink, Fox-IT) ''' <br><br />
CSRF is an attack which forces an end user to execute unwanted actions on a web application in which he/she is currently authenticated. With a little help of social engineering (like sending a link via email/chat), an attacker may force the users of a web application to execute actions of the attacker's choosing. A successful CSRF exploit can compromise end user data and operation in case of normal user. If the targeted end user is the administrator account, this can compromise the entire web application.<br />
<br />
Niels Teusink holds a bachelor degree in Computer Science and has been experimenting with IT security for over a decade. He has worked for Fox-IT since 2005; first as a software engineer and since 2007 as a penetration tester. He has since performed dozens of penetration tests for all sorts of companies, including governments, banks and nuclear installations.<br />
<br />
'''20.30 - 21.15 Open session / discussion (Martin Knobloch/Ferdinand Vroom/Peter Gouwentak) ''' <br><br />
Open session / discussion about subjects brought forward by the attendees.<br />
<br />
The Announcement of this meeting: [[Media:Announcement OWASP-NL May 28th 2009.pdf]]<br><br />
The flyer of this meeting: [[Media:owasp_NL_may2009.pdf]]<br />
<br />
== Meeting Schedule 9th April Knowing Your Enemy ==<br />
<br />
'''Summary'''<br />
The main goal of the upcoming OWASP-NL meeting is to provide information to managers, architects, designers, developers and security and risk professionals. The speakers will give specific examples and there will be time to ask questions. <br />
<table><br />
<tr><br />
<td width="350"><br />
Lange Dreef 17<br/><br />
4131 NJ Vianen<br/><br />
</td><br />
<td width="650"><br />
[[Image:Sogeti_Nederland_b_v_Logo.jpg|http:\\www.sogeti.nl]]<br />
</td><br />
</tr><br />
<tr><br />
<td width="350"><br />
</td><br />
<td width="650"><br />
About Sogeti Nederland B.V.<br />
Sogeti Nederland B.V. is one of top-5 IT companies of the Netherlands. Our workforce of over 3,500 employees provides top quality IT consultancy and services to leading companies in several industry sectors in the Netherlands. Our focus is local, but we are part of Sogeti Worldwide, offering IT services in the American, German, French, Belgian, UK, Swedish, Swiss and Spanish markets. <br />
<br />
Our core business is the design, construction, deployment, testing and maintenance of IT solutions. We stand for quality and IT skills; this is visible in our service and in the methods developed by us such as DYA®, Regatta®, TMap®, TPI® , Inframe®, and TEmb. <br />
<br />
Vision<br />
Sogeti delivers value by aligning the results of her services to the strategic goals of the client, thereby committing herself to the success of the client. We prove our commitment by assuming responsibility in various forms and to various degrees. <br />
<br />
New trends<br />
Our own research institute ViNT (Institute for Research into New Technology) keeps us and our clients ahead of the newest technology trends and their potential influence, benefits and risks.<br />
<br/><br />
More information about Sogeti can be found on our website www.sogeti.nl.<br />
<br/><br />
</td><br />
</tr><br />
</table><br />
<br />
'''18.30 â 18.45 Introduction (OWASP organization, projects, sponsor) '''<br><br />
'''18.45 - 19.30 Modern information gathering; how to abuse search engines Dave van Stein '''([[Media:20090409_passsive_reconnaissance_Dave_van_Stein.pdf]])<br><br />
Great generals already know the key to success is "knowing your enemy". In hacking terms this is called information gathering, fingerprinting or reconnaissance. Traditionally this phase consisted of using public records like WHOIS and DNS combined with active scans on servers. With the rise of advanced search engines like Yahoo, Live Search and Google a whole new type of reconnaissance has come to life; passive reconnaissance. Often servers are not properly configured which causes lots of valuable information to become available without accessing the server at all. Recently several hacker-tools appeared which use the full capabilities of these search engines giving hackers a head-start at mapping the network they plan to attack. The goal of this session is to give insight in the methods and tools hackers have at their disposal to gather information about systems they plan to attack without accessing the system itself. <br />
Dave van Stein has close to 8 years of experience in software testing. Since the beginning of 2008 he's working for ps_testware as a web application security testing specialist. <br />
<br />
'''19.30 - 20.00 VAC Cross-site scripting Martin Visser '''([[Media:20090409_VAC_Cross-site-scripting_Martin_Visser.pdf]])<br><br />
Martin Visser is a software designer with Sogeti Nederland B.V. specialized in secure application development with Microsoft technologies. He has experience with Microsoft server technologies like ASP.NET, SharePoint and Biztalk. Martin also developed and teaches a 2-day "Application Security â Microsoft development" course both within and outside Sogeti. <br />
<br />
'''20.00 - 20.15 Break ''' <br><br />
'''20.15 - 21.00 Beveiligingsaspecten van webapplicatie-ontwikkeling Wouter van Kuipers ''' ([[Media:20090409_presentatie_Wouter_van_Kuipers.pdf]])<br><br />
Het ontwikkelen van webapplicaties verschilt op verschillende aspecten met het ontwikkelen van desktop applicaties, met name op het gebied van security. Voor grote bedrijven zijn er oplossingen beschikbaar als bijvoorbeeld SDL, maar voor het midden- en kleinbedrijf zijn dit soort oplossingen beperkt, omdat zij vaak niet de middelen hebben om dergelijke strategieën uit te kunnen voeren. Voor zijn scriptie heeft Wouter van Kuipers middels een literatuuronderzoek, interviews met ontwikkelaars en een onderzoek naar Fortify 360 gekeken hoe het midden- en kleinbedrijf omgaat met deze verschillen en hoe zij het ontwikkelproces kunnen optimaliseren op het gebied van security.<br />
<br />
Na een MBO opleiding in de IT is Wouter van Kuipers via de HBO opleiding 'Communicatie Systemen' begin 2007 begonnen met een master<br />
Informatiekunde aan de Radboud Universiteit Nijmegen, welke hij in maart dit jaar hoopt af te ronden. Tijdens zijn MBO studie is zijn interesse in het ontwikkelen van webapplicaties gewekt, wat in 2003 resulteerde in het opzetten van een eigen web-development bedrijf. Dit bedrijf is met name gespecialiseerd in het ontwikkelen van webapplicaties op maat, en het ondersteunen van bedrijven op het gebied van web-developement op freelance basis.<br />
<br />
The flyer of this meeting: [[Media:owasp_NL_april2009.pdf]]<br />
<br />
== Past Events ==<br />
* Events held in [[Netherlands_Previous_Events_2008|2008]]<br />
* Events held in [[Netherlands_Previous_Events_2007|2007]]<br />
* Events held in [[Netherlands_Previous_Events_2006|2006]]<br />
* Events held in [[Netherlands_Previous_Events_2005|2005]]</div>Bvankampenhttps://wiki.owasp.org/index.php?title=Netherlands&diff=61731Netherlands2009-05-25T08:33:02Z<p>Bvankampen: Removed "" like characters and added the flyer for may 2009</p>
<hr />
<div>http://www.textaltadarli.com <br />
{{Chapter Template|chaptername=Netherlands|extra=The chapter leader is [mailto:owasp@irc2.nl Bert Koelewijn]<br />
<paypal>Netherlands</paypal><br />
|mailinglistsite=http://lists.owasp.org/mailman/listinfo/owasp-netherlands|emailarchives=http://lists.owasp.org/pipermail/owasp-netherlands}}<br />
<br />
=== Call for Speakers ===<br />
We are continuously looking for speakers and presentations make the chapter meetings as interesting as possible. Therefore we are looking inside and outside OWASP for known international specialists. But we know, there is a lot interesting stuf happening inside the Netherlands, too! <br/><br />
'''Presentations:'''<br/><br />
Are you working on interesting subject, you would like to share your experiences with the OWASP community.<br />
Any topic related to application security will be appreciated!<br/><br />
'''VAC, Vulnerability, Attack, Countermeasure:'''<br/><br />
The goal is an half hour in-depth technical presentation about a vulnerability, how it can be exploited and how to prevent it!<br/><br />
<br />
=== Sponsorship of a local chapter meeting ===<br />
We are continuously looking for locations to hold local chapter meetings. Therefore, we need companies willing to sponsor of host events.<br><br />
'''Hosting a local chapter meeting:'''<br><br />
To host a local chapter meeting, you facilitate the meeting location and beverage for the attendees<br><br />
'''Sponsorship of a local chapter meeting:'''<br><br />
You cover the cost of renting the location for the meeting and the payment of the beverages for the attendees<br><br />
<br />
'''Please let us know via the OWASP chapter meeting questionnaire of via email to martin.knobloch@owasp.org<br>'''<br />
<br />
== Meeting schedule 2009 ==<br />
This is an overview of the 2009 local chapter meeting schedule. Details of the meetings can be found in the announcements that will be posted below this schedule.<br />
<pre><br />
April 9th<br />
----------<br />
Time : 18.00 - 21.30<br />
Main Topic : Knowing Your Enemy<br />
Presentations: Modern information gathering; how to abuse search engines Dave van Stein<br />
VAC Cross-site scripting Martin Visser <br />
Beveiligingsaspecten van webapplicatie-ontwikkeling Wouter van Kuipers <br />
Location : Lange Dreef 17<br />
4131 NJ Vianen<br />
Sponsor : Sogeti Nederland B.V.<br />
<br />
May 28th<br />
----------<br />
Time : 18.00 - 21.30<br />
Main Topic : AppSec Europe 2009<br />
Presentations: AppSec-EU 2009 Sebastien Deleersnyder, Telindus <br />
VAC Cross-Site Request Forgery Niels Teusink<br />
Open session / discussion about subjects brought forward by <br />
the attendees Martin Knobloch/Ferdinand Vroom/Peter Gouwentak<br />
Location : ASR Nederland<br />
MD0.60 - Auditorium<br />
Smallepad 30<br />
3811MG Amersfoort<br />
Sponsor : ASR Nederland<br />
<br />
September 24th<br />
----------<br />
Time : 17.30 - 21.30<br />
Main Topic : <br />
Presentations: <br />
Location : <br />
Sponsor : <br />
<br />
December 10th<br />
----------<br />
Time : 17.30 - 21.30<br />
Main Topic : <br />
Presentations: <br />
Location : <br />
Sponsor : <br />
</pre><br />
<br />
<br />
<br />
'''Registration'''<br><br />
If you want to attend, please send an email to: bert.koelewijn@owasp.org<br />
<br/><br />
<br/><br />
All OWASP chapter meetings are free of charge and you don't have to be an OWASP member to attend. There are never any vendor pitches or sales presentations at OWASP meetings.<br/><br />
<br/><br />
NOTE TO CISSP's: OWASP Meetings count towards CPE Credits.<br/><br />
<br/><br />
<br/><br />
<br />
== Meeting Schedule May 28th 2009: AppSec Europe 2009 ==<br />
<br />
'''Summary'''<br />
The main goal of the upcoming OWASP-NL meeting is to provide an abstract of the recently held AppSec Europe 2009, a VAC about CSRF and, new, an open discussion on application security subjects brought forward by the attendees. <br />
<table><br />
<tr><br />
<td width="350"><br />
ASR Nederland<br/><br />
<br/><br />
MD0.60 - Auditorium<br/><br />
Smallepad 30<br/><br />
3811MG Amersfoort<br/><br />
</td><br />
<td width="650"><br />
[[Image:ASR Nederland logo.jpg|200px]]<br />
</td><br />
</tr><br />
<tr><br />
<td width="350"><br />
</td><br />
<td width="650"><br />
<br />
<br/><br />
<br />
<br/><br />
</td><br />
</tr><br />
</table><br />
<br />
'''18.30 - 18.45 Introduction (OWASP organization, projects, sponsor) '''<br><br />
<br />
'''18.45 - 19.45 AppSec-EU 2009 (Sebastien Deleersnyder, Telindus) '''<br><br />
Update on the AppSec-EU 2009: <br><br />
OWASP State of the union, an update on OWASP and OWASP projects and of course the highlights of the AppSec-EU 2009 presentations.<br />
<br />
'''19.45 - 20.00 Break '''<br><br />
<br />
'''20.00 - 20.30 VAC Cross-Site Request Forgery (Niels Teusink, Fox-IT) ''' <br><br />
CSRF is an attack which forces an end user to execute unwanted actions on a web application in which he/she is currently authenticated. With a little help of social engineering (like sending a link via email/chat), an attacker may force the users of a web application to execute actions of the attacker's choosing. A successful CSRF exploit can compromise end user data and operation in case of normal user. If the targeted end user is the administrator account, this can compromise the entire web application.<br />
<br />
Niels Teusink holds a bachelor degree in Computer Science and has been experimenting with IT security for over a decade. He has worked for Fox-IT since 2005; first as a software engineer and since 2007 as a penetration tester. He has since performed dozens of penetration tests for all sorts of companies, including governments, banks and nuclear installations.<br />
<br />
'''20.30 - 21.15 Open session / discussion (Martin Knobloch/Ferdinand Vroom/Peter Gouwentak) ''' <br><br />
Open session / discussion about subjects brought forward by the attendees.<br />
<br />
The Announcement of this meeting: [[Media:Announcement OWASP-NL May 28th 2009.pdf]]<br><br />
The flyer of this meeting: [[Media:owasp_NL_may2009.pdf]]<br />
<br />
== Meeting Schedule 9th April Knowing Your Enemy ==<br />
<br />
'''Summary'''<br />
The main goal of the upcoming OWASP-NL meeting is to provide information to managers, architects, designers, developers and security and risk professionals. The speakers will give specific examples and there will be time to ask questions. <br />
<table><br />
<tr><br />
<td width="350"><br />
Lange Dreef 17<br/><br />
4131 NJ Vianen<br/><br />
</td><br />
<td width="650"><br />
[[Image:Sogeti_Nederland_b_v_Logo.jpg|http:\\www.sogeti.nl]]<br />
</td><br />
</tr><br />
<tr><br />
<td width="350"><br />
</td><br />
<td width="650"><br />
About Sogeti Nederland B.V.<br />
Sogeti Nederland B.V. is one of top-5 IT companies of the Netherlands. Our workforce of over 3,500 employees provides top quality IT consultancy and services to leading companies in several industry sectors in the Netherlands. Our focus is local, but we are part of Sogeti Worldwide, offering IT services in the American, German, French, Belgian, UK, Swedish, Swiss and Spanish markets. <br />
<br />
Our core business is the design, construction, deployment, testing and maintenance of IT solutions. We stand for quality and IT skills; this is visible in our service and in the methods developed by us such as DYA®, Regatta®, TMap®, TPI® , Inframe®, and TEmb. <br />
<br />
Vision<br />
Sogeti delivers value by aligning the results of her services to the strategic goals of the client, thereby committing herself to the success of the client. We prove our commitment by assuming responsibility in various forms and to various degrees. <br />
<br />
New trends<br />
Our own research institute ViNT (Institute for Research into New Technology) keeps us and our clients ahead of the newest technology trends and their potential influence, benefits and risks.<br />
<br/><br />
More information about Sogeti can be found on our website www.sogeti.nl.<br />
<br/><br />
</td><br />
</tr><br />
</table><br />
<br />
'''18.30 â 18.45 Introduction (OWASP organization, projects, sponsor) '''<br><br />
'''18.45 - 19.30 Modern information gathering; how to abuse search engines Dave van Stein '''([[Media:20090409_passsive_reconnaissance_Dave_van_Stein.pdf]])<br><br />
Great generals already know the key to success is "knowing your enemy". In hacking terms this is called information gathering, fingerprinting or reconnaissance. Traditionally this phase consisted of using public records like WHOIS and DNS combined with active scans on servers. With the rise of advanced search engines like Yahoo, Live Search and Google a whole new type of reconnaissance has come to life; passive reconnaissance. Often servers are not properly configured which causes lots of valuable information to become available without accessing the server at all. Recently several hacker-tools appeared which use the full capabilities of these search engines giving hackers a head-start at mapping the network they plan to attack. The goal of this session is to give insight in the methods and tools hackers have at their disposal to gather information about systems they plan to attack without accessing the system itself. <br />
Dave van Stein has close to 8 years of experience in software testing. Since the beginning of 2008 he's working for ps_testware as a web application security testing specialist. <br />
<br />
'''19.30 - 20.00 VAC Cross-site scripting Martin Visser '''([[Media:20090409_VAC_Cross-site-scripting_Martin_Visser.pdf]])<br><br />
Martin Visser is a software designer with Sogeti Nederland B.V. specialized in secure application development with Microsoft technologies. He has experience with Microsoft server technologies like ASP.NET, SharePoint and Biztalk. Martin also developed and teaches a 2-day "Application Security â Microsoft development" course both within and outside Sogeti. <br />
<br />
'''20.00 - 20.15 Break ''' <br><br />
'''20.15 - 21.00 Beveiligingsaspecten van webapplicatie-ontwikkeling Wouter van Kuipers ''' ([[Media:20090409_presentatie_Wouter_van_Kuipers.pdf]])<br><br />
Het ontwikkelen van webapplicaties verschilt op verschillende aspecten met het ontwikkelen van desktop applicaties, met name op het gebied van security. Voor grote bedrijven zijn er oplossingen beschikbaar als bijvoorbeeld SDL, maar voor het midden- en kleinbedrijf zijn dit soort oplossingen beperkt, omdat zij vaak niet de middelen hebben om dergelijke strategieën uit te kunnen voeren. Voor zijn scriptie heeft Wouter van Kuipers middels een literatuuronderzoek, interviews met ontwikkelaars en een onderzoek naar Fortify 360 gekeken hoe het midden- en kleinbedrijf omgaat met deze verschillen en hoe zij het ontwikkelproces kunnen optimaliseren op het gebied van security.<br />
<br />
Na een MBO opleiding in de IT is Wouter van Kuipers via de HBO opleiding 'Communicatie Systemen' begin 2007 begonnen met een master<br />
Informatiekunde aan de Radboud Universiteit Nijmegen, welke hij in maart dit jaar hoopt af te ronden. Tijdens zijn MBO studie is zijn interesse in het ontwikkelen van webapplicaties gewekt, wat in 2003 resulteerde in het opzetten van een eigen web-development bedrijf. Dit bedrijf is met name gespecialiseerd in het ontwikkelen van webapplicaties op maat, en het ondersteunen van bedrijven op het gebied van web-developement op freelance basis.<br />
<br />
The flyer of this meeting: [[Media:owasp_NL_april2009.pdf]]<br />
<br />
== Past Events ==<br />
* Events held in [[Netherlands_Previous_Events_2008|2008]]<br />
* Events held in [[Netherlands_Previous_Events_2007|2007]]<br />
* Events held in [[Netherlands_Previous_Events_2006|2006]]<br />
* Events held in [[Netherlands_Previous_Events_2005|2005]]</div>Bvankampenhttps://wiki.owasp.org/index.php?title=File:Owasp_NL_may2009.pdf&diff=61730File:Owasp NL may2009.pdf2009-05-25T08:31:45Z<p>Bvankampen: The flyer of the OWASP Netherlands meeting on the 28th of May 2009</p>
<hr />
<div>The flyer of the OWASP Netherlands meeting on the 28th of May 2009</div>Bvankampenhttps://wiki.owasp.org/index.php?title=File:Owasp_NL_april2009.pdf&diff=54878File:Owasp NL april2009.pdf2009-02-18T12:04:02Z<p>Bvankampen: uploaded a new version of "Image:Owasp NL april2009.pdf": Flyer OWASP Meeting April 2009, new version has a correct year in the tittle</p>
<hr />
<div>Meeting flyer OWASP Netherlands April 2009</div>Bvankampenhttps://wiki.owasp.org/index.php?title=Netherlands&diff=54869Netherlands2009-02-18T09:40:53Z<p>Bvankampen: /* Meeting Schedule 9th April Knowing Your Enemy */ Added flyer</p>
<hr />
<div>{{Chapter Template|chaptername=Netherlands|extra=The chapter leader is [mailto:owasp@irc2.nl Bert Koelewijn]<br />
<paypal>Netherlands</paypal><br />
|mailinglistsite=http://lists.owasp.org/mailman/listinfo/owasp-netherlands|emailarchives=http://lists.owasp.org/pipermail/owasp-netherlands}}<br />
<br />
=== Call for Speakers ===<br />
We are continuously looking for speakers and presentations make the chapter meetings as interesting as possible. Therefore we are looking inside and outside OWASP for known international specialists. But we know, there is a lot interesting stuf happening inside the Netherlands, too! <br/><br />
'''Presentations:'''<br/><br />
Are you working on interesting subject, you would like to share your experiences with the OWASP community.<br />
Any topic related to application security will be appreciated!<br/><br />
'''VAC, Vulnerability, Attack, Countermeasure:'''<br/><br />
The goal is an half hour in-depth technical presentation about a vulnerability, how it can be exploited and how to prevent it!<br/><br />
<br />
=== Sponsorship of a local chapter meeting ===<br />
We are continuously looking for locations to hold local chapter meetings. Therefore, we need companies willing to sponsor of host events.<br><br />
'''Hosting a local chapter meeting:'''<br><br />
To host a local chapter meeting, you facilitate the meeting location and beverage for the attendees<br><br />
'''Sponsorship of a local chapter meeting:'''<br><br />
You cover the cost of renting the location for the meeting and the payment of the beverages for the attendees<br><br />
<br />
'''Please let us know via the OWASP chapter meeting questionnaire of via email to martin.knobloch@owasp.org<br>'''<br />
<br />
== Meeting schedule 2009 ==<br />
This is an overview of the 2009 local chapter meeting schedule. Details of the meetings can be found in the announcements that will be posted below this schedule.<br />
<pre><br />
April 9th<br />
----------<br />
Time : 17.30 - 21.30<br />
Main Topic : Knowing Your Enemy<br />
Presentations: Modern information gathering; how to abuse search engines Dave van Stein <br />
VAC Cross-site scripting Martin Visser <br />
Beveiligingsaspecten van webapplicatie-ontwikkeling Wouter van Kuipers <br />
Location : Lange Dreef 17, 4131 NJ Vianen<br />
088 - 660 66 00<br />
Sponsor : Sogeti Nederland B.V.<br />
<br />
May 28th<br />
----------<br />
Time : 17.30 - 21.30<br />
Main Topic : <br />
Presentations: <br />
Location : <br />
Sponsor : <br />
<br />
September 24th<br />
----------<br />
Time : 17.30 - 21.30<br />
Main Topic : <br />
Presentations: <br />
Location : <br />
Sponsor : <br />
<br />
December 10th<br />
----------<br />
Time : 17.30 - 21.30<br />
Main Topic : <br />
Presentations: <br />
Location : <br />
Sponsor : <br />
</pre><br />
<br />
<br />
<br />
'''Registration'''<br><br />
If you want to attend, please send an email to: owasp@irc2.com.<br />
<br/><br />
<br/><br />
All OWASP chapter meetings are free of charge and you don’t have to be an OWASP member to attend. There are never any vendor pitches or sales presentations at OWASP meetings.<br/><br />
<br/><br />
NOTE TO CISSP's: OWASP Meetings count towards CPE Credits.<br/><br />
<br/><br />
<br />
== Meeting Schedule 9th April Knowing Your Enemy ==<br />
<br />
'''Summary'''<br />
The main goal of the upcoming OWASP-NL meeting is to provide information to managers, architects, designers, developers and security and risk professionals. The speakers will give specific examples and there will be time to ask questions. <br />
<table><br />
<tr><br />
<td width="350"><br />
Lange Dreef 17<br/><br />
4131 NJ Vianen<br/><br />
</td><br />
<td width="650"><br />
[[Image:Sogeti_Nederland_b_v_Logo.jpg|http:\\www.sogeti.nl]]<br />
</td><br />
</tr><br />
<tr><br />
<td width="350"><br />
</td><br />
<td width="650"><br />
About Sogeti Nederland B.V.<br />
Sogeti Nederland B.V. is one of top-5 IT companies of the Netherlands. Our workforce of over 3,500 employees provides top quality IT consultancy and services to leading companies in several industry sectors in the Netherlands. Our focus is local, but we are part of Sogeti Worldwide, offering IT services in the American, German, French, Belgian, UK, Swedish, Swiss and Spanish markets. <br />
<br />
Our core business is the design, construction, deployment, testing and maintenance of IT solutions. We stand for quality and IT skills; this is visible in our service and in the methods developed by us such as DYA®, Regatta®, TMap®, TPI® , Inframe®, and TEmb. <br />
<br />
Vision<br />
Sogeti delivers value by aligning the results of her services to the strategic goals of the client, thereby committing herself to the success of the client. We prove our commitment by assuming responsibility in various forms and to various degrees. <br />
<br />
New trends<br />
Our own research institute ViNT (Institute for Research into New Technology) keeps us and our clients ahead of the newest technology trends and their potential influence, benefits and risks.<br />
<br/><br />
More information about Sogeti can be found on our website www.sogeti.nl.<br />
<br/><br />
</td><br />
</tr><br />
</table><br />
<br />
'''18.30 – 19:00 Introduction (OWASP organization, projects, sponsor) '''<br><br />
'''19.00 - 19.45 Modern information gathering; how to abuse search engines Dave van Stein '''<br><br />
Great generals already know the key to success is "knowing your enemy". In hacking terms this is called information gathering, fingerprinting or reconnaissance. Traditionally this phase consisted of using public records like WHOIS and DNS combined with active scans on servers. With the rise of advanced search engines like Yahoo, Live Search and Google a whole new type of reconnaissance has come to live; passive reconnaissance. Often servers are not properly configured which causes lots of valuable information to become available without accessing the server at all. Recently several hacker-tools appeared which use the full capabilities of these search engines giving hackers a head-start at mapping the network they plan to attack. The goal of this session is to give insight in the methods and tools hackers have at their disposal to gather information about systems they plan to attack without accessing the system itself. <br />
Dave van Stein has close to 8 years of experience in software testing. Since the beginning of 2008 he’s working for ps_testware as a web application security testing specialist. <br />
<br />
'''19.45 – 20.00 VAC Cross-site scripting Martin Visser ''' <br><br />
<br />
Martin Visser is a software designer with Sogeti Nederland B.V. specialized in secure application development with Microsoft technologies. He has experience with Microsoft server technologies like ASP.NET, SharePoint and Biztalk. Martin also developed and teaches a 2-day "Application Security – Microsoft development" course both within and outside Sogeti. <br />
<br />
'''20.00 – 20.15 Break ''' <br><br />
'''20.15 – 21.00 Beveiligingsaspecten van webapplicatie-ontwikkeling Wouter van Kuipers '''<br><br />
Het ontwikkelen van webapplicaties verschilt op verschillende aspecten met het ontwikkelen van desktop applicaties, met name op het gebied van security. Voor grote bedrijven zijn er oplossingen beschikbaar als bijvoorbeeld SDL, maar voor het midden- en kleinbedrijf zijn dit soort oplossingen beperkt, omdat zij vaak niet de middelen hebben om dergelijke strategieën uit te kunnen voeren. Voor mijn scriptie heb ik middels een literatuuronderzoek, interviews met ontwikkelaars en een onderzoek naar Fortify 360 gekeken hoe het midden- en kleinbedrijf omgaat met deze verschillen en hoe zij het ontwikkelproces kunnen optimaliseren op het gebied van security. <br />
<br />
Na een MBO opleiding in de IT is Wouter Kuipers via de HBO opleiding 'Communicatie Systemen' begin 2007 begonnen met een master<br />
Informatiekunde aan de Radboud Universiteit Nijmegen, welke hij in maart dit jaar hoopt af te ronden. Tijdens zijn MBO studie is zijn interesse in het ontwikkelen van webapplicaties gewekt, wat in 2003 resulteerde in het opzetten van een eigen web-development bedrijf. Dit bedrijf is met name gespecialiseerd in het ontwikkelen van webapplicaties op maat, en het ondersteunen van bedrijven op het gebied van web-developement op freelance basis.<br />
<br />
The flyer of this meeting: [[Media:owasp_NL_april2009.pdf]]<br />
<br />
== Past Events ==<br />
* Events held in [[Netherlands_Previous_Events_2008|2008]]<br />
* Events held in [[Netherlands_Previous_Events_2007|2007]]<br />
* Events held in [[Netherlands_Previous_Events_2006|2006]]<br />
* Events held in [[Netherlands_Previous_Events_2005|2005]]</div>Bvankampenhttps://wiki.owasp.org/index.php?title=File:Owasp_NL_april2009.pdf&diff=54868File:Owasp NL april2009.pdf2009-02-18T09:40:15Z<p>Bvankampen: Meeting flyer OWASP Netherlands April 2009</p>
<hr />
<div>Meeting flyer OWASP Netherlands April 2009</div>Bvankampen