https://wiki.owasp.org/api.php?action=feedcontributions&feedformat=atom&user=DvsteinOWASP - User contributions [en]2026-05-09T18:52:11ZUser contributionsMediaWiki 1.27.2https://wiki.owasp.org/index.php?title=Netherlands&diff=72814Netherlands2009-11-08T12:00:39Z<p>Dvstein: /* Meeting minutes September 24th 2009 */</p>
<hr />
<div>{{Chapter Template|chaptername=Netherlands|extra=The chapter leader is [mailto:owasp@irc2.nl Bert Koelewijn]<br />
<paypal>Netherlands</paypal><br />
|mailinglistsite=http://lists.owasp.org/mailman/listinfo/owasp-netherlands|emailarchives=http://lists.owasp.org/pipermail/owasp-netherlands}} <br />
<br />
== '''OWASP NL Chapter Meetings Schedule 2009''' ==<br />
<br />
This is an overview of the 2009 local chapter meeting schedule. Details of the meetings can be found in the announcements that will be posted below this schedule. <br />
<pre>December 2th<br />
----------<br />
Please block your agendas on December 2, 12h-22h for the BeNeLux OWASP Day 2009.<br />
<br />
<br />
December 10th<br />
----------<br />
Time &nbsp;: 18.00 - 21.30<br />
Main Topic &nbsp;: Secure Software Development<br />
Presentations: How OWASP resources can be used by universities to develop, test and deploy secure web applications<br />
By Kuai Hinojosa<br />
<br />
VAC Regular Expression Denial of Service<br />
By Adar Weidman, Checkmarx Ltd.<br />
<br />
BSIMM Europe results<br />
By Florance Mottay, Managing Principal Citigal<br />
<br />
Location &nbsp;: ps_testware, Dorpsstraat 26, 3941 JM Doorn<br />
Sponsor &nbsp;: ps_testware<br />
<br />
<br />
September 24th<br />
----------<br />
Time &nbsp;: 18.00 - 21.30<br />
Main Topic &nbsp;: Unauthorised Access<br />
Presentations: Unauthorised Access Wil Allsopp<br />
Mini Meetings report: Time- Box testing &amp; Test Tools Barry van Kampen/ Dave van Stein<br />
Education Project report Martin Knobloch<br />
Discussion, questions and social networking<br />
Location &nbsp;: Sofitel Cocagne<br />
Vestdijk 47<br />
5611 CA Eindhoven<br />
Google Maps Route: http://tiny.cc/24kWE<br />
Sponsor &nbsp;: Madison Gurkha<br />
<br />
<br />
May 28th<br />
----------<br />
Time &nbsp;: 18.00 - 21.30<br />
Main Topic &nbsp;: AppSec Europe 2009<br />
Presentations: AppSec-EU 2009 Sebastien Deleersnyder, Telindus <br />
VAC Cross-Site Request Forgery Niels Teusink<br />
Open session / discussion about subjects brought forward by <br />
the attendees Martin Knobloch/Ferdinand Vroom/Peter Gouwentak<br />
Location &nbsp;: ASR Nederland<br />
MD0.60 - Auditorium<br />
Smallepad 30<br />
3811MG Amersfoort<br />
Sponsor &nbsp;: ASR Nederland<br />
<br />
<br />
April 9th<br />
----------<br />
Time &nbsp;: 18.00 - 21.30<br />
Main Topic &nbsp;: Knowing Your Enemy<br />
Presentations: Modern information gathering; how to abuse search engines Dave van Stein<br />
VAC Cross-site scripting Martin Visser <br />
Beveiligingsaspecten van webapplicatie-ontwikkeling Wouter van Kuipers <br />
Location &nbsp;: Lange Dreef 17<br />
4131 NJ Vianen<br />
Sponsor &nbsp;: Sogeti Nederland B.V.<br />
</pre> <br />
<br> <br />
<br />
=== Call for Speakers ===<br />
<br />
We are continuously looking for speakers and presentations make the chapter meetings as interesting as possible. Therefore we are looking inside and outside OWASP for known international specialists. But we know, there is a lot interesting stuf happening inside the Netherlands, too! <br> '''Presentations:''' Are you working on interesting subject, you would like to share your experiences with the OWASP community. Any topic related to application security will be appreciated!<br> '''VAC, Vulnerability, Attack, Countermeasure:''' The goal is an half hour in-depth technical presentation about a vulnerability, how it can be exploited and how to prevent it!<br> <br />
<br />
<span style="font-weight: bold;">Links:<br />
</span><br />
<br />
[http://www.owasp.org/index.php/Speaker_Agreement Speaker Agreement] <br />
<br />
[http://www.owasp.org/images/5/54/Presentation_template.ppt Template]<br />
<br />
=== Sponsorship of a local chapter meeting ===<br />
<br />
We are continuously looking for locations to hold local chapter meetings. Therefore, we need companies willing to sponsor of host events.<br> '''Hosting a local chapter meeting:''' To host a local chapter meeting, you facilitate the meeting location and beverage for the attendees<br> '''Sponsorship of a local chapter meeting:''' You cover the cost of renting the location for the meeting and the payment of the beverages for the attendees<br> '''Please let us know via the OWASP chapter meeting questionnaire of via email to martin.knobloch@owasp.org<br>'''<br />
<br />
== '''OWASP NL Cafe''' ==<br />
<br />
<font color="red">'''NEW:'''</font> Monthly informal platform to speak about (Web) application security matters! No registration required, just drop by! <br />
<br />
*no programm <br />
*no agenda <br />
*whatever comes up!<br />
<br />
=== Next OWASP Cafe: ===<br />
Open and free event, just drop in and discuse what's on your mind about application security!<br />
<pre><br />
When: TBD<br />
Where: TBD<br />
</pre><br />
The flyer: [[File:OWASP_NL_Cafe_oct09.jpg|100px]]<br />
<br />
<br> <br />
<br />
'''Registration'''<br> If you want to attend, please send an email to: netherlands-board@lists.owasp.org <br> <br> All OWASP chapter meetings are free of charge and you don't have to be an OWASP member to attend. There are never any vendor pitches or sales presentations at OWASP meetings.<br> <br> NOTE TO CISSP's: OWASP Meetings count towards CPE Credits.<br> <br> <br><br />
<br />
== '''OWASP NL Mini-Meetings''' ==<br />
<br />
<font color="red">'''NEW:'''</font> Platform to discus on specific issues related to (Web) Application Security. The topic's are brought in by the OWASP NL community!<br> Something on your mind to discus, put your idea online at: Mini Meetings [[Netherlands Mini Meeting 2009|Netherlands_Mini_Meeting_2009]] To attend the meeting, send an email to the contact's email address! <br />
<br />
=== Next Mini-Meeting: ===<br />
<pre><br />
Topic : SAMM, ASVS and other methodologies<br />
Contact : Martin Knobloch, martin.knobloch@owasp.org<br />
----------<br />
Date : November 19th 2009<br />
Time : 18:00 (dinner provided) to 21:30 <br />
Location : Sogeti Nederland B.V.<br />
Plotterweg 31-33<br />
3821 BB Amersfoort<br />
Details : About ideas and experiences of using, implementing and verifying the different methodologies<br />
Attendees : Max 12 persons, currently 3, 9available<br />
</pre><br />
<br />
== '''Meeting Minutes''' ==<br />
<br />
=== Meeting minutes September 24th 2009 ===<br />
<br />
At September 24th 2009, the Dutch OWASP chapter met in Eindhoven. The sponsor of the evening was Madison Gurkha. The subject of the evening was Unautorized Access. There were 4 speakers and 21 attendees.<br/><br />
<br/><br />
After a short welcome talk by Ferdinand Vroom from OWASP, Madison Gurkha gave a small introduction to the company. Madison Gurkha is a small firm that focuses on the prevention, identification, and prevention of technical IT security problems throughout organizations. As such their scope reaches beyond that of web application testing up to the level of physical security. In practice they often see the OWASP top 10 vulnerabilities and use OWASP tools in their assessments, hence their interest in the OWASP.<br> <br />
<br><br />
'''First presentation:''' Unauthorized Access by Wil Allsopp. <br/><br />
Wil Allsopp performs Physical Penetration Tests at Madison Gurkha and recently wrote a book about the subject: Unauthorised Access: Physical Penetration Testing For IT Security Teams [http://www.amazon.com/Unauthorised-Access-Physical-Penetration-Security/dp/0470747617].<br/><br />
Physical Security is all hacking your way into physical locations, like buildings, by using a combination of reconnaissance, social engineering, and technical skills. Like all forms of testing these assessments can only be successful when performed in a structured manner. The first phase is the preparation phase in which the target is studied and a team with a balance of several expertises is selected. Obviously the legal consequences and risks for bodily harm can be more severe in conducting a physical security test. Therefore a careful preparation also includes covering these risks and defining solid boundary conditions. <br/><br />
In the second phase the actual test is done meaning that the team will try to enter a facility according to a well prepared plan. Since physical security deals with real people and other unpredictable circumstances, this phase heavily relies on social engineering skills and being creative. Test can be conducted in three modes of operation: overt (use the system as much as possible), covert (minimize contact), and unseen (apply stealth). The last phase is off course the reporting phase.<br/><br />
Wil clearly showed in his presentation that testing for physical security introduces whole new dimensions of interaction to take into account, but is in fact no different in approach than other forms of testing.<br/><br />
<br/><br />
'''Second presentation:''' Mini Meetings Results by Barry van Kampen en Dave van Stein. <br/><br />
As mentioned in the meeting minutes of May 28th 2009 [http://www.owasp.org/index.php/Netherlands#Meeting_minutes_May_28th_2009] the Dutch OWASP chapter decided to schedule mini-meetings. These meetings will facilitate an open discussion about a single topic of interest. Although only 1 of the 3 planned meetings actually took place, the results of this meeting were above expectations. The topic of this mini-meeting was "Quick-scans and other time-boxed test approaches". The conclusions were that these time-boxed test approaches are capable of quickly uncovering fundamental problems even while the scope is limited. Plans are to have a second meeting and maybe even start an OWASP project on the topic. <br/><br />
Since mini-meets are planned for and by the community, everybody is invited to check the mini-meet Wiki [http://www.owasp.org/index.php/Netherlands_Mini_Meeting_2009] and propose topics, dates or locations.<br/><br />
<br/><br />
'''Third presentation:''' OWASP Education Project by Martin Knobloch. <br/><br />
The awareness that application security is essential in the development and deployment of every web application is increasing, but it is often still applied as an end-of-pipe solution. The OWASP Education Project [http://www.owasp.org/index.php?title=Category:OWASP_Education_Project] tries to remediate this problem by delivering education material about OWASP tooling, methodologies, and principles. The project continuously creates educational & documentation papers, screen scrape video courses and learning environments and courses. By providing these materials to the community the OWASP body of knowledge can be spread in a controlled manner and deliver high quality training, both inside and outside of the OWASP community.<br/><br />
To improve the quality and progress of this project, contributors are needed on all areas. Therefore everybody is encouraged to take a look at the project Wiki and invited to help make the (virtual) world a better and safer place!<br/><br />
<br/><br />
----<br />
<br />
=== Meeting minutes May 28th 2009 ===<br />
<br />
At May 28th, the Dutch OWASP chapter came together at the ASR building in Amersfoort. The main topic of the evening was AppSec 2009. There were 2 speakers and approximately 20 attendees.<br> <br> There was no sponsor talk or general announcement so after a very short welcome talk by Bert the evening started.<br> <br> '''First presentation:''' AppSec 2009 by Sebastien Deleersnyder. <br> The first presentation of the evening was a recap of AppSec 2009 in Poland. The conference was a big success with around 170 attendees. The meeting preceded the 2009 edition of Confidence [http://2009.confidence.org.pl/] resulting in a week of security presentations and workshops. All AppSec presentations and many movies, pictures, and other material can be found on the AppSec wiki [http://www.owasp.org/index.php/OWASP_AppSec_Europe_2009_-_Poland] but a few items are worth mentioning in specific. First of all OWASP is growing and changing. These changes include a simplification of the membership fees, the introduction of a 'code of ethics', and a general review of all 120 projects. Other highlights are the project ASVS, which has reached an international standard status and updated versions of WebGoat and LabRat.<br> Lastly besides a Wiki and a LinkedIn group, OWASP is now also active on Twitter [http://twitter.com/owasp] &amp; [http://twitter.com/owasp_nl] and has two overview pages with all video [http://www.owasp.org/index.php/Category:OWASP_Video] and audio materials [http://www.owasp.org/index.php/OWASP_Podcast].<br> Feel free to use all the materials (as long as you abide by the new code of ethics off course) and visit the OWASP websites frequently for updates&nbsp;!<br> <br> '''Second presentation:''' VAC Cross-Site Request Forgery by Niels Teusink. <br> After succesfull VAC's about SQL injection and Cross-site scripting, the topic of this evening's VAC was Cross-site Request Forgery, also known as CSRF. CSRF is probably one of the least understood vulnerabilities, but can have tremendous consequences when succesfully exploited. In essence it is an attack that misuses the victim's autorisations with malicious scripts. CSRF attacks can also be easily combined with other attack, like e.g. XSS, making them even more dangerous. <br> Despite the name suggests, these attacks do not have to be on different websites (domains). With the continuing trend to combine multiple functionalities in a single application, so-called onsite request forgeries are becoming more and more frequent. Contrary to XSS and SQL injection, CSRF can not be blocked by input validation. In order to prevent these kind of attacks, an application has to able to verify the authenticity of a request. This can be achieved by several methods like using a unique identifier for a session or each request or requiring additional user input like a CAPTCHA or a one-time token. <br> <br> '''Open Discussion''' <br> The evening was closed with an open discussion about how to improve knowledge sharing among the OWASP members. Many interesting discussions start during the drinks after the presentations on the OWASP evenings, discussions that sadly often are stopped prematurly due to time restraints.<br> As an addition on the quarterly presentation evenings, the Dutch chapter decided to also start mini-meetings and the OWASP cafe.<br> Mini-meetings will not be planned on beforehand, but instead will be planned when a topic is proposed and enough attendees have stated an interest in the topic. The attendees will have to select a location themselves but can request a donation from the OWASP for drinks and snacks. Topics discussed at the mini-meeting will have to be listed in minutes so other members can also profit from this knowledge exchange.<br> The OWASP cafe will be planned each first thursday of the month on a location that will be listed on the OWASP Dutch chapter site. The rules are simple: the evening starts at a certain time, ends at a certain time and will be filled with drinks, snacks, and nerd/hacker/geek humor and discussions in between.<br> Check the website frequently for the location of the next mini-meeting and OWASP cafe&nbsp;!<br> <br> <br />
<br />
----<br />
<br />
=== Meeting minutes April 9th 2009 ===<br />
<br />
At April 9th, the Dutch OWASP chapter came together at the office of Sogeti in Vianen. The main topic of the evening was "knowing your enemy". There were 3 speakers and approximately 50 attendees.<br> <br> The sponsor of the evening started with a small welcome and an overview of their internal security program named PASS. After some small announcements from the OWASP the evening started.<br> <br> '''First presentation:''' Modern information gathering; how to abuse search engines by Dave van Stein.<br> The first presentation of the evening was about using search engines and crawlers to gain detailed information about webservers and websites. Ill configured webservers allow search engine crawlers to collect much information about a system, information that is stored and can be retrieved with search engines. Many websites and tools make use of this mechanism and, combined with DNS and WHOIS information, are able to provide detailed or sensitive information like usernames, vulnerabilities, present files or network topology about a system without targeting it directly.<br> Restricting crawlers to access a system can act as a first line of defence and reduce exposure and risks.<br> <br> '''Second presentation:''' VAC Cross-site scripting by Martin Visser. <br> The second VAC on an OWASP meeting was about Cross-site scripting also known as XSS. XSS vulnerabilities are often misunderstood and underestimated but facts show that XSS vulnerability abusing attacks are nowadys the fastest growing and most widespread type of exploit. In short XSS vulnerabilities allow for user input to be executed when containing javascript or HTML code. When combined with other vulnerabilities the possibilities of these attacks are vitually limitless.<br> The only way to prevent these attacks is to sanitize all input and output fields, but this can be more difficult than it appears to be. Simply blacklisting fragments like &lt;script&gt; is not sufficient due to the possibility of recursivity (e.g. &lt;scr&lt;script&gt;ipt&gt;) and encoding (e.g. URL encoding:&nbsp;%3C%73%63%72%69%70%74%3E). Using multiple layers of filters on various places is the only way to assure enough protection against these types of attacks.<br> <br> '''Third presentation:''' Beveiligingsaspecten van webapplicatie-ontwikkeling by Wouter van Kuipers. <br> The third presentation of the evening was about the efficiency of a source code analyer for php based websites. Approximately 33% of all websites use php and this can be explained by the low learning curve and ease of use of the language. Due to the low learning curve many php developers have little experience with programming and almost no awareness regading security resulting in many unsecure websites. Source code analysis can help preventing many security issues, but their usage does have some limitations. Firstly the scan on itself takes only a few minutes, but analysing the results requires much longer and depends greatly on how familiar the analyser is with the scanned source code. Second these analysers produce many flase positives, making analysis even more time consuming. Lastly not all vulnerabilities are detected with the same efficiency. Especially vulnerabilities that are dependent on the application logic like injection or XSS are not always efficiently detected.<br> Concluding, like all tools, a source code analyser can be a powerful tool, but one has to be aware of its limitations. These tools can provide results very fast, but when used on unfamiliar code the analysis can be very time consuming. <br><br />
<br />
== Scheduled OWASP NL Chapter Meetings: ==<br />
<br />
=== Meeting Schedule December 2nd 2009: BeNeLux OWASP Day 2009<br> ===<br />
<br />
Follow this link for more information: [[BeNeLux OWASP Day 2009]] <br />
<br />
[[Image:BeNeLux Day 2009 poster v1.png|200px]] <br />
<br />
----<br />
<br />
=== Meeting Schedule December 10th 2009: Secure Software Development, Testing, Deployment and Methodologies<br> ===<br />
<br />
'''Summary:''' The main goal of the upcoming OWASP-NL meeting is to provide information to managers, architects, designers, developers and security and risk professionals. The speakers will give specific examples and there will be time to ask questions.<br> <br />
<br />
{| width="500" cellspacing="1" cellpadding="1" border="0" align="left"<br />
|-<br />
| <br />
<br> ps_testware B.V. <br />
<br />
Dorpstraat 26<br>3941 JM&nbsp; Doorn<br> <br />
<br />
<br> <br />
<br />
| [[Image:Pstestware.png]]<br><br />
|}<br />
<br />
<br> <br />
<br />
<br> <br />
<br />
<br> <br />
<br />
<br> <br> <br />
<br />
<br> '''18:00 - 18:30 Check-In (catering included)'''<br> <br />
<br />
'''18:30 - 18:45 Introduction (OWASP organization, projects, sponsor)<br>''' <br />
<br />
'''18.45 - 19.45 How OWASP resources can be used by universities to develop, test and deploy secure web applications (Kuai Hinojosa)'''<br> Universities are key to making application security visible and the need to educate software developers about application security as an aspect of proper software development has never been more important. In this presentation I will share how OWASP resources can be used by universities to develop, test and deploy secure web applications. I will discuss challenges that Universities currently face integrating a pplication security best practices, describe how OWASP tools and resources are currently used at New York University to test for most common web application flaws. I will introduce projects such as the OWASP Enterprise Security API which can be used to mitigate most common flaws in web applications and share initiatives the OWASP Global Education Committee is currently working on. If you are interested in securing web applications, and supporting the OWASP Global Education Committee efforts you don't want to miss this! <br />
<br />
Kuai Hinojosa has been developing and securing web applications for about 12 years. He previously worked in the banking industry as a database security administrator for the 5th largest bank in the U.S. where he worked in a small team developing applications that protected company's assets. He now works for New York University as a Web Applications Specialist where he continues to use web application development and application security experience to protect university resources. In his spare time Kuai volunteers his time preaching the application security gospel and leading the Minneapolis OWASP chapter. Kuai is a member of the OWASP (Open Web Application Security Project) Global Education Committee.<br> <br />
<br />
'''19.45 – 20.00 Break''' <br />
<br />
'''20. 00 – 20.30 VAC REGEX Denial of Service Attacks''' '''(Adar Weidman, Senior Developer Checkmarx Ltd.)'''<br> <br />
<br />
This presentation explores the Regular Expression Denial of Service (ReDoS) attack and how it be used in order to implement new and old attacks. ReDoS is commonly known as a “bug” in systems, but the presentation will show how serious it is and how using this technique, various applications can be “ReDoSed”. These include, among others, Web Application, WAFs, IDS, AV, Web Servers, Client-side browsers (including cellular devices), and Database.<br> <br />
<br />
'''20.30 – 21.00 BSIMM Europe results (Florence Mottay, Managing Principal Citigal)'''<br> <br />
<br />
Most large organizations have practiced software security through many activities involving people, process and automation, but we are just now reaching the point where enough experience has been accumulated to compare notes and talk about what works at a macro level. Using the framework described in Gary McGraw’s book “Software Security: Building Security In” I will discuss and describe the state of the practice in software security. This talk is infused with real data from the field, based on my work with several large companies as a Cigital consultant.<br> <br />
<br />
Florence Mottay is a seasoned Business Manager and adept Security Expert. She is responsible for the long-term growth, stability, market leadership, and client satisfaction of the company's EMEA operations. At her former company, Security Innovation, she was the visionary behind Team Mentor, the company's first-of-a-kind software security knowledge management system that guides software development and test teams through the process of consistently developing secure applications. Other areas of expertise include Threat Modeling for the Enterprise and Customized Enterprise Security Solutions. Previously, Florence was a Software Test Engineer for JD Edwards. She was also a Project Leader at the Center for Software Engineering Research at the Florida Institute of Technology where she worked for Dr. Whittaker, the founder of Security Innovation. Florence has a BS in Applied Mathematics and an MS in Software Engineering from the Florida Institute of Technology.<br> <br />
<br />
'''21.00 – 21:30 Discussion, questions and social networking''' <br />
<br />
----<br />
<br />
=== Meeting Schedule September 24th 2009: Unautorized Access<br> ===<br />
<br />
'''Summary:''' The main goal of the upcoming OWASP-NL meeting is to provide information to managers, architects, designers, developers and security and risk professionals. The speakers will give specific examples and there will be time to ask questions.<br> <br />
<br />
{| width="500" cellspacing="1" cellpadding="1" border="0" align="left"<br />
|-<br />
| <br />
Madison Gurkha <br />
<br />
Sofitel Cocagne Eindhoven<br>Vestdijk 47<br>5611 CA Eindhoven<br> <br />
<br />
| [[Image:Logo Madison Gurkha.GIF|200px]]<br><br />
|}<br />
<br />
<br> <br />
<br />
<br> <br />
<br />
<br> <br />
<br />
<br> <br />
<br />
<br> '''18:00 - 18:30 Check-In (catering included)'''<br> <br />
<br />
'''18:30 - 18:45 Introduction (OWASP organization, projects, sponsor)'''<br> <br />
<br />
'''18.45 - 19.45 Unauthorized Access (Wil Allsopp)<br>''' <br />
<br />
Physical Penetration Testing and Social Engineering have been conducted by testing organisations for some time but there has been very little discussion within the industry regarding the use of formal approaches ensuring a consistently high quality and repeatability of the testing lifecycle. <br />
<br />
This was a problem I attempted to address in the book Unauthorized Access and is the focus of this discussion. <br />
<br />
We will look at the following: <br />
<br />
*What is physical penetration testing and what does it aim to achieve?<br> <br />
*Tactical approaches to Social Engineering in testing.<br> <br />
*The advantages and disadvantages of deploying SE.<br> <br />
*Training operators and building operating teams - what skill sets should you deploy? <br> <br />
*What are the legal aspects involved, how do these vary between jurisdictions? <br> <br />
*How should you plan a physical penetration test at strategic, tactical and operational levels? <br> <br />
*How do you gauge risk i.e. Contractual, Operational, Legal and Environmental?<br />
<br />
<br>The biggest problem currently facing physical penetration testing teams is that it's hard to prove a negative i.e. a failed test by no means guarantees the security of the client. By ensuring your team is trained and prepared you can mitigate this problem to a large degree.'''<br>'''<br> <br />
<br />
'''19.45 – 20.00 Break''' <br />
<br />
'''20. 00 – 20.30 Mini Meetings: Time- Box testing &amp; Test Tools (Barry van Kampen en Dave van Stein)''' <br />
<br />
'''20.30 – 21.00 Education Project (Martin Knobloch)''' <br />
<br />
'''21.00 – 21:30 Discussion, questions and social networking'''<br> <br />
<br />
----<br />
<br />
=== Meeting Schedule May 28th 2009: AppSec Europe 2009 ===<br />
<br />
'''Summary''' The main goal of the upcoming OWASP-NL meeting is to provide an abstract of the recently held AppSec Europe 2009, a VAC about CSRF and, new, an open discussion on application security subjects brought forward by the attendees. <br />
<br />
{|<br />
|-<br />
| width="350" | <br />
ASR Nederland<br> <br> MD0.60 - Auditorium<br> Smallepad 30<br> 3811MG Amersfoort<br> <br />
<br />
| width="650" | <br />
[[Image:ASR Nederland logo.jpg|200px]] <br />
<br />
|-<br />
| width="350" | <br> <br />
| width="650" | <br />
<br> <br />
<br />
<br> <br />
<br />
|}<br />
<br />
'''18.30 - 18.45 Introduction (OWASP organization, projects, sponsor) '''<br> <br />
<br />
'''18.45 - 19.45 AppSec-EU 2009 (Sebastien Deleersnyder, Telindus) '''<br> Update on the AppSec-EU 2009: <br> OWASP State of the union, an update on OWASP and OWASP projects and of course the highlights of the AppSec-EU 2009 presentations. <br />
<br />
'''19.45 - 20.00 Break '''<br> <br />
<br />
'''20.00 - 20.30 VAC Cross-Site Request Forgery (Niels Teusink, Fox-IT) ''' ([[Media:20090409_VAC-CSRF-Niels_Teusink.pdf]])<br> CSRF is an attack which forces an end user to execute unwanted actions on a web application in which he/she is currently authenticated. With a little help of social engineering (like sending a link via email/chat), an attacker may force the users of a web application to execute actions of the attacker's choosing. A successful CSRF exploit can compromise end user data and operation in case of normal user. If the targeted end user is the administrator account, this can compromise the entire web application. <br />
<br />
Niels Teusink holds a bachelor degree in Computer Science and has been experimenting with IT security for over a decade. He has worked for Fox-IT since 2005; first as a software engineer and since 2007 as a penetration tester. He has since performed dozens of penetration tests for all sorts of companies, including governments, banks and nuclear installations. <br />
<br />
'''20.30 - 21.15 Open session / discussion (Martin Knobloch/Ferdinand Vroom/Peter Gouwentak) ''' <br> Open session / discussion about subjects brought forward by the attendees. <br />
<br />
The Announcement of this meeting: [[Media:Announcement_OWASP-NL_May_28th_2009.pdf]]<br> The flyer of this meeting: [[Media:Owasp_NL_may2009.pdf]] <br> <br />
<br />
----<br />
<br />
=== Meeting Schedule 9th April Knowing Your Enemy ===<br />
<br />
'''Summary''' The main goal of the upcoming OWASP-NL meeting is to provide information to managers, architects, designers, developers and security and risk professionals. The speakers will give specific examples and there will be time to ask questions. <br />
<br />
{|<br />
|-<br />
| width="350" | <br />
Lange Dreef 17<br> 4131 NJ Vianen<br> <br />
<br />
| width="650" | <br />
[[Image:Sogeti Nederland b v Logo.jpg|http:\\www.sogeti.nl]] <br />
<br />
|-<br />
| width="350" | <br> <br />
| width="650" | <br />
About Sogeti Nederland B.V. Sogeti Nederland B.V. is one of top-5 IT companies of the Netherlands. Our workforce of over 3,500 employees provides top quality IT consultancy and services to leading companies in several industry sectors in the Netherlands. Our focus is local, but we are part of Sogeti Worldwide, offering IT services in the American, German, French, Belgian, UK, Swedish, Swiss and Spanish markets. <br />
<br />
Our core business is the design, construction, deployment, testing and maintenance of IT solutions. We stand for quality and IT skills; this is visible in our service and in the methods developed by us such as DYA®, Regatta®, TMap®, TPI® , Inframe®, and TEmb. <br />
<br />
Vision Sogeti delivers value by aligning the results of her services to the strategic goals of the client, thereby committing herself to the success of the client. We prove our commitment by assuming responsibility in various forms and to various degrees. <br />
<br />
New trends Our own research institute ViNT (Institute for Research into New Technology) keeps us and our clients ahead of the newest technology trends and their potential influence, benefits and risks. <br> More information about Sogeti can be found on our website www.sogeti.nl. <br> <br />
<br />
|}<br />
<br />
'''18.30 - 18.45 Introduction (OWASP organization, projects, sponsor) '''<br> '''18.45 - 19.30 Modern information gathering; how to abuse search engines Dave van Stein '''([[Media:20090409_passsive_reconnaissance-Dave_van_Stein.pdf]])<br> Great generals already know the key to success is "knowing your enemy". In hacking terms this is called information gathering, fingerprinting or reconnaissance. Traditionally this phase consisted of using public records like WHOIS and DNS combined with active scans on servers. With the rise of advanced search engines like Yahoo, Live Search and Google a whole new type of reconnaissance has come to life; passive reconnaissance. Often servers are not properly configured which causes lots of valuable information to become available without accessing the server at all. Recently several hacker-tools appeared which use the full capabilities of these search engines giving hackers a head-start at mapping the network they plan to attack. The goal of this session is to give insight in the methods and tools hackers have at their disposal to gather information about systems they plan to attack without accessing the system itself. Dave van Stein has close to 8 years of experience in software testing. Since the beginning of 2008 he's working for ps_testware as a web application security testing specialist. <br />
<br />
'''19.30 - 20.00 VAC Cross-site scripting Martin Visser '''([[Media:20090409_VAC_Cross-site-scripting_Martin_Visser.pdf]])<br> Martin Visser is a software designer with Sogeti Nederland B.V. specialized in secure application development with Microsoft technologies. He has experience with Microsoft server technologies like ASP.NET, SharePoint and Biztalk. Martin also developed and teaches a 2-day "Application Security - Microsoft development" course both within and outside Sogeti. <br />
<br />
'''20.00 - 20.15 Break ''' <br> '''20.15 - 21.00 Beveiligingsaspecten van webapplicatie-ontwikkeling Wouter van Kuipers ''' ([[Media:20090409_presentatie_Wouter_van_Kuipers.pdf]])<br> Het ontwikkelen van webapplicaties verschilt op verschillende aspecten met het ontwikkelen van desktop applicaties, met name op het gebied van security. Voor grote bedrijven zijn er oplossingen beschikbaar als bijvoorbeeld SDL, maar voor het midden- en kleinbedrijf zijn dit soort oplossingen beperkt, omdat zij vaak niet de middelen hebben om dergelijke strategieën uit te kunnen voeren. Voor zijn scriptie heeft Wouter van Kuipers middels een literatuuronderzoek, interviews met ontwikkelaars en een onderzoek naar Fortify 360 gekeken hoe het midden- en kleinbedrijf omgaat met deze verschillen en hoe zij het ontwikkelproces kunnen optimaliseren op het gebied van security. <br />
<br />
Na een MBO opleiding in de IT is Wouter van Kuipers via de HBO opleiding 'Communicatie Systemen' begin 2007 begonnen met een master Informatiekunde aan de Radboud Universiteit Nijmegen, welke hij in maart dit jaar hoopt af te ronden. Tijdens zijn MBO studie is zijn interesse in het ontwikkelen van webapplicaties gewekt, wat in 2003 resulteerde in het opzetten van een eigen web-development bedrijf. Dit bedrijf is met name gespecialiseerd in het ontwikkelen van webapplicaties op maat, en het ondersteunen van bedrijven op het gebied van web-developement op freelance basis. <br />
<br />
The flyer of this meeting: [[Media:Owasp_NL_april2009.pdf]]<br />
<br />
== Past Events ==<br />
<br />
*Events held in [[Netherlands Previous Events 2008|2008]] <br />
*Events held in [[Netherlands Previous Events 2007|2007]] <br />
*Events held in [[Netherlands Previous Events 2006|2006]] <br />
*Events held in [[Netherlands Previous Events 2005|2005]]</div>Dvsteinhttps://wiki.owasp.org/index.php?title=Netherlands&diff=72813Netherlands2009-11-08T12:00:03Z<p>Dvstein: /* Meeting minutes September 24th 2009 */</p>
<hr />
<div>{{Chapter Template|chaptername=Netherlands|extra=The chapter leader is [mailto:owasp@irc2.nl Bert Koelewijn]<br />
<paypal>Netherlands</paypal><br />
|mailinglistsite=http://lists.owasp.org/mailman/listinfo/owasp-netherlands|emailarchives=http://lists.owasp.org/pipermail/owasp-netherlands}} <br />
<br />
== '''OWASP NL Chapter Meetings Schedule 2009''' ==<br />
<br />
This is an overview of the 2009 local chapter meeting schedule. Details of the meetings can be found in the announcements that will be posted below this schedule. <br />
<pre>December 2th<br />
----------<br />
Please block your agendas on December 2, 12h-22h for the BeNeLux OWASP Day 2009.<br />
<br />
<br />
December 10th<br />
----------<br />
Time &nbsp;: 18.00 - 21.30<br />
Main Topic &nbsp;: Secure Software Development<br />
Presentations: How OWASP resources can be used by universities to develop, test and deploy secure web applications<br />
By Kuai Hinojosa<br />
<br />
VAC Regular Expression Denial of Service<br />
By Adar Weidman, Checkmarx Ltd.<br />
<br />
BSIMM Europe results<br />
By Florance Mottay, Managing Principal Citigal<br />
<br />
Location &nbsp;: ps_testware, Dorpsstraat 26, 3941 JM Doorn<br />
Sponsor &nbsp;: ps_testware<br />
<br />
<br />
September 24th<br />
----------<br />
Time &nbsp;: 18.00 - 21.30<br />
Main Topic &nbsp;: Unauthorised Access<br />
Presentations: Unauthorised Access Wil Allsopp<br />
Mini Meetings report: Time- Box testing &amp; Test Tools Barry van Kampen/ Dave van Stein<br />
Education Project report Martin Knobloch<br />
Discussion, questions and social networking<br />
Location &nbsp;: Sofitel Cocagne<br />
Vestdijk 47<br />
5611 CA Eindhoven<br />
Google Maps Route: http://tiny.cc/24kWE<br />
Sponsor &nbsp;: Madison Gurkha<br />
<br />
<br />
May 28th<br />
----------<br />
Time &nbsp;: 18.00 - 21.30<br />
Main Topic &nbsp;: AppSec Europe 2009<br />
Presentations: AppSec-EU 2009 Sebastien Deleersnyder, Telindus <br />
VAC Cross-Site Request Forgery Niels Teusink<br />
Open session / discussion about subjects brought forward by <br />
the attendees Martin Knobloch/Ferdinand Vroom/Peter Gouwentak<br />
Location &nbsp;: ASR Nederland<br />
MD0.60 - Auditorium<br />
Smallepad 30<br />
3811MG Amersfoort<br />
Sponsor &nbsp;: ASR Nederland<br />
<br />
<br />
April 9th<br />
----------<br />
Time &nbsp;: 18.00 - 21.30<br />
Main Topic &nbsp;: Knowing Your Enemy<br />
Presentations: Modern information gathering; how to abuse search engines Dave van Stein<br />
VAC Cross-site scripting Martin Visser <br />
Beveiligingsaspecten van webapplicatie-ontwikkeling Wouter van Kuipers <br />
Location &nbsp;: Lange Dreef 17<br />
4131 NJ Vianen<br />
Sponsor &nbsp;: Sogeti Nederland B.V.<br />
</pre> <br />
<br> <br />
<br />
=== Call for Speakers ===<br />
<br />
We are continuously looking for speakers and presentations make the chapter meetings as interesting as possible. Therefore we are looking inside and outside OWASP for known international specialists. But we know, there is a lot interesting stuf happening inside the Netherlands, too! <br> '''Presentations:''' Are you working on interesting subject, you would like to share your experiences with the OWASP community. Any topic related to application security will be appreciated!<br> '''VAC, Vulnerability, Attack, Countermeasure:''' The goal is an half hour in-depth technical presentation about a vulnerability, how it can be exploited and how to prevent it!<br> <br />
<br />
<span style="font-weight: bold;">Links:<br />
</span><br />
<br />
[http://www.owasp.org/index.php/Speaker_Agreement Speaker Agreement] <br />
<br />
[http://www.owasp.org/images/5/54/Presentation_template.ppt Template]<br />
<br />
=== Sponsorship of a local chapter meeting ===<br />
<br />
We are continuously looking for locations to hold local chapter meetings. Therefore, we need companies willing to sponsor of host events.<br> '''Hosting a local chapter meeting:''' To host a local chapter meeting, you facilitate the meeting location and beverage for the attendees<br> '''Sponsorship of a local chapter meeting:''' You cover the cost of renting the location for the meeting and the payment of the beverages for the attendees<br> '''Please let us know via the OWASP chapter meeting questionnaire of via email to martin.knobloch@owasp.org<br>'''<br />
<br />
== '''OWASP NL Cafe''' ==<br />
<br />
<font color="red">'''NEW:'''</font> Monthly informal platform to speak about (Web) application security matters! No registration required, just drop by! <br />
<br />
*no programm <br />
*no agenda <br />
*whatever comes up!<br />
<br />
=== Next OWASP Cafe: ===<br />
Open and free event, just drop in and discuse what's on your mind about application security!<br />
<pre><br />
When: TBD<br />
Where: TBD<br />
</pre><br />
The flyer: [[File:OWASP_NL_Cafe_oct09.jpg|100px]]<br />
<br />
<br> <br />
<br />
'''Registration'''<br> If you want to attend, please send an email to: netherlands-board@lists.owasp.org <br> <br> All OWASP chapter meetings are free of charge and you don't have to be an OWASP member to attend. There are never any vendor pitches or sales presentations at OWASP meetings.<br> <br> NOTE TO CISSP's: OWASP Meetings count towards CPE Credits.<br> <br> <br><br />
<br />
== '''OWASP NL Mini-Meetings''' ==<br />
<br />
<font color="red">'''NEW:'''</font> Platform to discus on specific issues related to (Web) Application Security. The topic's are brought in by the OWASP NL community!<br> Something on your mind to discus, put your idea online at: Mini Meetings [[Netherlands Mini Meeting 2009|Netherlands_Mini_Meeting_2009]] To attend the meeting, send an email to the contact's email address! <br />
<br />
=== Next Mini-Meeting: ===<br />
<pre><br />
Topic : SAMM, ASVS and other methodologies<br />
Contact : Martin Knobloch, martin.knobloch@owasp.org<br />
----------<br />
Date : November 19th 2009<br />
Time : 18:00 (dinner provided) to 21:30 <br />
Location : Sogeti Nederland B.V.<br />
Plotterweg 31-33<br />
3821 BB Amersfoort<br />
Details : About ideas and experiences of using, implementing and verifying the different methodologies<br />
Attendees : Max 12 persons, currently 3, 9available<br />
</pre><br />
<br />
== '''Meeting Minutes''' ==<br />
<br />
=== Meeting minutes September 24th 2009 ===<br />
<br />
At September 24th 2009, the Dutch OWASP chapter met in Eindhoven. The sponsor of the evening was Madison Gurkha. The subject of the evening was Unautorized Access. There were 4 speakers and 21 attendees.<br/><br />
<br/><br />
After a short welcome talk by Ferdinand Vroom from OWASP, Madison Gurkha gave a small introduction to the company. Madison Gurkha is a small firm that focuses on the prevention, identification, and prevention of technical IT security problems throughout organizations. As such their scope reaches beyond that of web application testing up to the level of physical security. In practice they often see the OWASP top 10 vulnerabilities and use OWASP tools in their assessments, hence their interest in the OWASP.<br> <br />
<br><br />
'''First presentation:''' Unauthorized Access by Wil Allsopp. <br/><br />
Wil Allsopp performs Physical Penetration Tests at Madison Gurkha and recently wrote a book about the subject: Unauthorised Access: Physical Penetration Testing For IT Security Teams [http://www.amazon.com/Unauthorised-Access-Physical-Penetration-Security/dp/0470747617].<br/><br />
Physical Security is all hacking your way into physical locations, like buildings, by using a combination of reconnaissance, social engineering, and technical skills. Like all forms of testing these assessments can only be successful when performed in a structured manner. The first phase is the preparation phase in which the target is studied and a team with a balance of several expertises is selected. Obviously the legal consequences and risks for bodily harm can be more severe in conducting a physical security test. Therefore a careful preparation also includes covering these risks and defining solid boundary conditions. <br/><br />
In the second phase the actual test is done meaning that the team will try to enter a facility according to a well prepared plan. Since physical security deals with real people and other unpredictable circumstances, this phase heavily relies on social engineering skills and being creative. Test can be conducted in three modes of operation: overt (use the system as much as possible), covert (minimize contact), and unseen (apply stealth). The last phase is off course the reporting phase.<br/><br />
Wil clearly showed in his presentation that testing for physical security introduces whole new dimensions of interaction to take into account, but is in fact no different in approach as other forms of testing.<br/><br />
<br/><br />
'''Second presentation:''' Mini Meetings Results by Barry van Kampen en Dave van Stein. <br/><br />
As mentioned in the meeting minutes of May 28th 2009 [http://www.owasp.org/index.php/Netherlands#Meeting_minutes_May_28th_2009] the Dutch OWASP chapter decided to schedule mini-meetings. These meetings will facilitate an open discussion about a single topic of interest. Although only 1 of the 3 planned meetings actually took place, the results of this meeting were above expectations. The topic of this mini-meeting was "Quick-scans and other time-boxed test approaches". The conclusions were that these time-boxed test approaches are capable of quickly uncovering fundamental problems even while the scope is limited. Plans are to have a second meeting and maybe even start an OWASP project on the topic. <br/><br />
Since mini-meets are planned for and by the community, everybody is invited to check the mini-meet Wiki [http://www.owasp.org/index.php/Netherlands_Mini_Meeting_2009] and propose topics, dates or locations.<br/><br />
<br/><br />
'''Third presentation:''' OWASP Education Project by Martin Knobloch. <br/><br />
The awareness that application security is essential in the development and deployment of every web application is increasing, but it is often still applied as an end-of-pipe solution. The OWASP Education Project [http://www.owasp.org/index.php?title=Category:OWASP_Education_Project] tries to remediate this problem by delivering education material about OWASP tooling, methodologies, and principles. The project continuously creates educational & documentation papers, screen scrape video courses and learning environments and courses. By providing these materials to the community the OWASP body of knowledge can be spread in a controlled manner and deliver high quality training, both inside and outside of the OWASP community.<br/><br />
To improve the quality and progress of this project, contributors are needed on all areas. Therefore everybody is encouraged to take a look at the project Wiki and invited to help make the (virtual) world a better and safer place!<br/><br />
<br/><br />
----<br />
<br />
=== Meeting minutes May 28th 2009 ===<br />
<br />
At May 28th, the Dutch OWASP chapter came together at the ASR building in Amersfoort. The main topic of the evening was AppSec 2009. There were 2 speakers and approximately 20 attendees.<br> <br> There was no sponsor talk or general announcement so after a very short welcome talk by Bert the evening started.<br> <br> '''First presentation:''' AppSec 2009 by Sebastien Deleersnyder. <br> The first presentation of the evening was a recap of AppSec 2009 in Poland. The conference was a big success with around 170 attendees. The meeting preceded the 2009 edition of Confidence [http://2009.confidence.org.pl/] resulting in a week of security presentations and workshops. All AppSec presentations and many movies, pictures, and other material can be found on the AppSec wiki [http://www.owasp.org/index.php/OWASP_AppSec_Europe_2009_-_Poland] but a few items are worth mentioning in specific. First of all OWASP is growing and changing. These changes include a simplification of the membership fees, the introduction of a 'code of ethics', and a general review of all 120 projects. Other highlights are the project ASVS, which has reached an international standard status and updated versions of WebGoat and LabRat.<br> Lastly besides a Wiki and a LinkedIn group, OWASP is now also active on Twitter [http://twitter.com/owasp] &amp; [http://twitter.com/owasp_nl] and has two overview pages with all video [http://www.owasp.org/index.php/Category:OWASP_Video] and audio materials [http://www.owasp.org/index.php/OWASP_Podcast].<br> Feel free to use all the materials (as long as you abide by the new code of ethics off course) and visit the OWASP websites frequently for updates&nbsp;!<br> <br> '''Second presentation:''' VAC Cross-Site Request Forgery by Niels Teusink. <br> After succesfull VAC's about SQL injection and Cross-site scripting, the topic of this evening's VAC was Cross-site Request Forgery, also known as CSRF. CSRF is probably one of the least understood vulnerabilities, but can have tremendous consequences when succesfully exploited. In essence it is an attack that misuses the victim's autorisations with malicious scripts. CSRF attacks can also be easily combined with other attack, like e.g. XSS, making them even more dangerous. <br> Despite the name suggests, these attacks do not have to be on different websites (domains). With the continuing trend to combine multiple functionalities in a single application, so-called onsite request forgeries are becoming more and more frequent. Contrary to XSS and SQL injection, CSRF can not be blocked by input validation. In order to prevent these kind of attacks, an application has to able to verify the authenticity of a request. This can be achieved by several methods like using a unique identifier for a session or each request or requiring additional user input like a CAPTCHA or a one-time token. <br> <br> '''Open Discussion''' <br> The evening was closed with an open discussion about how to improve knowledge sharing among the OWASP members. Many interesting discussions start during the drinks after the presentations on the OWASP evenings, discussions that sadly often are stopped prematurly due to time restraints.<br> As an addition on the quarterly presentation evenings, the Dutch chapter decided to also start mini-meetings and the OWASP cafe.<br> Mini-meetings will not be planned on beforehand, but instead will be planned when a topic is proposed and enough attendees have stated an interest in the topic. The attendees will have to select a location themselves but can request a donation from the OWASP for drinks and snacks. Topics discussed at the mini-meeting will have to be listed in minutes so other members can also profit from this knowledge exchange.<br> The OWASP cafe will be planned each first thursday of the month on a location that will be listed on the OWASP Dutch chapter site. The rules are simple: the evening starts at a certain time, ends at a certain time and will be filled with drinks, snacks, and nerd/hacker/geek humor and discussions in between.<br> Check the website frequently for the location of the next mini-meeting and OWASP cafe&nbsp;!<br> <br> <br />
<br />
----<br />
<br />
=== Meeting minutes April 9th 2009 ===<br />
<br />
At April 9th, the Dutch OWASP chapter came together at the office of Sogeti in Vianen. The main topic of the evening was "knowing your enemy". There were 3 speakers and approximately 50 attendees.<br> <br> The sponsor of the evening started with a small welcome and an overview of their internal security program named PASS. After some small announcements from the OWASP the evening started.<br> <br> '''First presentation:''' Modern information gathering; how to abuse search engines by Dave van Stein.<br> The first presentation of the evening was about using search engines and crawlers to gain detailed information about webservers and websites. Ill configured webservers allow search engine crawlers to collect much information about a system, information that is stored and can be retrieved with search engines. Many websites and tools make use of this mechanism and, combined with DNS and WHOIS information, are able to provide detailed or sensitive information like usernames, vulnerabilities, present files or network topology about a system without targeting it directly.<br> Restricting crawlers to access a system can act as a first line of defence and reduce exposure and risks.<br> <br> '''Second presentation:''' VAC Cross-site scripting by Martin Visser. <br> The second VAC on an OWASP meeting was about Cross-site scripting also known as XSS. XSS vulnerabilities are often misunderstood and underestimated but facts show that XSS vulnerability abusing attacks are nowadys the fastest growing and most widespread type of exploit. In short XSS vulnerabilities allow for user input to be executed when containing javascript or HTML code. When combined with other vulnerabilities the possibilities of these attacks are vitually limitless.<br> The only way to prevent these attacks is to sanitize all input and output fields, but this can be more difficult than it appears to be. Simply blacklisting fragments like &lt;script&gt; is not sufficient due to the possibility of recursivity (e.g. &lt;scr&lt;script&gt;ipt&gt;) and encoding (e.g. URL encoding:&nbsp;%3C%73%63%72%69%70%74%3E). Using multiple layers of filters on various places is the only way to assure enough protection against these types of attacks.<br> <br> '''Third presentation:''' Beveiligingsaspecten van webapplicatie-ontwikkeling by Wouter van Kuipers. <br> The third presentation of the evening was about the efficiency of a source code analyer for php based websites. Approximately 33% of all websites use php and this can be explained by the low learning curve and ease of use of the language. Due to the low learning curve many php developers have little experience with programming and almost no awareness regading security resulting in many unsecure websites. Source code analysis can help preventing many security issues, but their usage does have some limitations. Firstly the scan on itself takes only a few minutes, but analysing the results requires much longer and depends greatly on how familiar the analyser is with the scanned source code. Second these analysers produce many flase positives, making analysis even more time consuming. Lastly not all vulnerabilities are detected with the same efficiency. Especially vulnerabilities that are dependent on the application logic like injection or XSS are not always efficiently detected.<br> Concluding, like all tools, a source code analyser can be a powerful tool, but one has to be aware of its limitations. These tools can provide results very fast, but when used on unfamiliar code the analysis can be very time consuming. <br><br />
<br />
== Scheduled OWASP NL Chapter Meetings: ==<br />
<br />
=== Meeting Schedule December 2nd 2009: BeNeLux OWASP Day 2009<br> ===<br />
<br />
Follow this link for more information: [[BeNeLux OWASP Day 2009]] <br />
<br />
[[Image:BeNeLux Day 2009 poster v1.png|200px]] <br />
<br />
----<br />
<br />
=== Meeting Schedule December 10th 2009: Secure Software Development, Testing, Deployment and Methodologies<br> ===<br />
<br />
'''Summary:''' The main goal of the upcoming OWASP-NL meeting is to provide information to managers, architects, designers, developers and security and risk professionals. The speakers will give specific examples and there will be time to ask questions.<br> <br />
<br />
{| width="500" cellspacing="1" cellpadding="1" border="0" align="left"<br />
|-<br />
| <br />
<br> ps_testware B.V. <br />
<br />
Dorpstraat 26<br>3941 JM&nbsp; Doorn<br> <br />
<br />
<br> <br />
<br />
| [[Image:Pstestware.png]]<br><br />
|}<br />
<br />
<br> <br />
<br />
<br> <br />
<br />
<br> <br />
<br />
<br> <br> <br />
<br />
<br> '''18:00 - 18:30 Check-In (catering included)'''<br> <br />
<br />
'''18:30 - 18:45 Introduction (OWASP organization, projects, sponsor)<br>''' <br />
<br />
'''18.45 - 19.45 How OWASP resources can be used by universities to develop, test and deploy secure web applications (Kuai Hinojosa)'''<br> Universities are key to making application security visible and the need to educate software developers about application security as an aspect of proper software development has never been more important. In this presentation I will share how OWASP resources can be used by universities to develop, test and deploy secure web applications. I will discuss challenges that Universities currently face integrating a pplication security best practices, describe how OWASP tools and resources are currently used at New York University to test for most common web application flaws. I will introduce projects such as the OWASP Enterprise Security API which can be used to mitigate most common flaws in web applications and share initiatives the OWASP Global Education Committee is currently working on. If you are interested in securing web applications, and supporting the OWASP Global Education Committee efforts you don't want to miss this! <br />
<br />
Kuai Hinojosa has been developing and securing web applications for about 12 years. He previously worked in the banking industry as a database security administrator for the 5th largest bank in the U.S. where he worked in a small team developing applications that protected company's assets. He now works for New York University as a Web Applications Specialist where he continues to use web application development and application security experience to protect university resources. In his spare time Kuai volunteers his time preaching the application security gospel and leading the Minneapolis OWASP chapter. Kuai is a member of the OWASP (Open Web Application Security Project) Global Education Committee.<br> <br />
<br />
'''19.45 – 20.00 Break''' <br />
<br />
'''20. 00 – 20.30 VAC REGEX Denial of Service Attacks''' '''(Adar Weidman, Senior Developer Checkmarx Ltd.)'''<br> <br />
<br />
This presentation explores the Regular Expression Denial of Service (ReDoS) attack and how it be used in order to implement new and old attacks. ReDoS is commonly known as a “bug” in systems, but the presentation will show how serious it is and how using this technique, various applications can be “ReDoSed”. These include, among others, Web Application, WAFs, IDS, AV, Web Servers, Client-side browsers (including cellular devices), and Database.<br> <br />
<br />
'''20.30 – 21.00 BSIMM Europe results (Florence Mottay, Managing Principal Citigal)'''<br> <br />
<br />
Most large organizations have practiced software security through many activities involving people, process and automation, but we are just now reaching the point where enough experience has been accumulated to compare notes and talk about what works at a macro level. Using the framework described in Gary McGraw’s book “Software Security: Building Security In” I will discuss and describe the state of the practice in software security. This talk is infused with real data from the field, based on my work with several large companies as a Cigital consultant.<br> <br />
<br />
Florence Mottay is a seasoned Business Manager and adept Security Expert. She is responsible for the long-term growth, stability, market leadership, and client satisfaction of the company's EMEA operations. At her former company, Security Innovation, she was the visionary behind Team Mentor, the company's first-of-a-kind software security knowledge management system that guides software development and test teams through the process of consistently developing secure applications. Other areas of expertise include Threat Modeling for the Enterprise and Customized Enterprise Security Solutions. Previously, Florence was a Software Test Engineer for JD Edwards. She was also a Project Leader at the Center for Software Engineering Research at the Florida Institute of Technology where she worked for Dr. Whittaker, the founder of Security Innovation. Florence has a BS in Applied Mathematics and an MS in Software Engineering from the Florida Institute of Technology.<br> <br />
<br />
'''21.00 – 21:30 Discussion, questions and social networking''' <br />
<br />
----<br />
<br />
=== Meeting Schedule September 24th 2009: Unautorized Access<br> ===<br />
<br />
'''Summary:''' The main goal of the upcoming OWASP-NL meeting is to provide information to managers, architects, designers, developers and security and risk professionals. The speakers will give specific examples and there will be time to ask questions.<br> <br />
<br />
{| width="500" cellspacing="1" cellpadding="1" border="0" align="left"<br />
|-<br />
| <br />
Madison Gurkha <br />
<br />
Sofitel Cocagne Eindhoven<br>Vestdijk 47<br>5611 CA Eindhoven<br> <br />
<br />
| [[Image:Logo Madison Gurkha.GIF|200px]]<br><br />
|}<br />
<br />
<br> <br />
<br />
<br> <br />
<br />
<br> <br />
<br />
<br> <br />
<br />
<br> '''18:00 - 18:30 Check-In (catering included)'''<br> <br />
<br />
'''18:30 - 18:45 Introduction (OWASP organization, projects, sponsor)'''<br> <br />
<br />
'''18.45 - 19.45 Unauthorized Access (Wil Allsopp)<br>''' <br />
<br />
Physical Penetration Testing and Social Engineering have been conducted by testing organisations for some time but there has been very little discussion within the industry regarding the use of formal approaches ensuring a consistently high quality and repeatability of the testing lifecycle. <br />
<br />
This was a problem I attempted to address in the book Unauthorized Access and is the focus of this discussion. <br />
<br />
We will look at the following: <br />
<br />
*What is physical penetration testing and what does it aim to achieve?<br> <br />
*Tactical approaches to Social Engineering in testing.<br> <br />
*The advantages and disadvantages of deploying SE.<br> <br />
*Training operators and building operating teams - what skill sets should you deploy? <br> <br />
*What are the legal aspects involved, how do these vary between jurisdictions? <br> <br />
*How should you plan a physical penetration test at strategic, tactical and operational levels? <br> <br />
*How do you gauge risk i.e. Contractual, Operational, Legal and Environmental?<br />
<br />
<br>The biggest problem currently facing physical penetration testing teams is that it's hard to prove a negative i.e. a failed test by no means guarantees the security of the client. By ensuring your team is trained and prepared you can mitigate this problem to a large degree.'''<br>'''<br> <br />
<br />
'''19.45 – 20.00 Break''' <br />
<br />
'''20. 00 – 20.30 Mini Meetings: Time- Box testing &amp; Test Tools (Barry van Kampen en Dave van Stein)''' <br />
<br />
'''20.30 – 21.00 Education Project (Martin Knobloch)''' <br />
<br />
'''21.00 – 21:30 Discussion, questions and social networking'''<br> <br />
<br />
----<br />
<br />
=== Meeting Schedule May 28th 2009: AppSec Europe 2009 ===<br />
<br />
'''Summary''' The main goal of the upcoming OWASP-NL meeting is to provide an abstract of the recently held AppSec Europe 2009, a VAC about CSRF and, new, an open discussion on application security subjects brought forward by the attendees. <br />
<br />
{|<br />
|-<br />
| width="350" | <br />
ASR Nederland<br> <br> MD0.60 - Auditorium<br> Smallepad 30<br> 3811MG Amersfoort<br> <br />
<br />
| width="650" | <br />
[[Image:ASR Nederland logo.jpg|200px]] <br />
<br />
|-<br />
| width="350" | <br> <br />
| width="650" | <br />
<br> <br />
<br />
<br> <br />
<br />
|}<br />
<br />
'''18.30 - 18.45 Introduction (OWASP organization, projects, sponsor) '''<br> <br />
<br />
'''18.45 - 19.45 AppSec-EU 2009 (Sebastien Deleersnyder, Telindus) '''<br> Update on the AppSec-EU 2009: <br> OWASP State of the union, an update on OWASP and OWASP projects and of course the highlights of the AppSec-EU 2009 presentations. <br />
<br />
'''19.45 - 20.00 Break '''<br> <br />
<br />
'''20.00 - 20.30 VAC Cross-Site Request Forgery (Niels Teusink, Fox-IT) ''' ([[Media:20090409_VAC-CSRF-Niels_Teusink.pdf]])<br> CSRF is an attack which forces an end user to execute unwanted actions on a web application in which he/she is currently authenticated. With a little help of social engineering (like sending a link via email/chat), an attacker may force the users of a web application to execute actions of the attacker's choosing. A successful CSRF exploit can compromise end user data and operation in case of normal user. If the targeted end user is the administrator account, this can compromise the entire web application. <br />
<br />
Niels Teusink holds a bachelor degree in Computer Science and has been experimenting with IT security for over a decade. He has worked for Fox-IT since 2005; first as a software engineer and since 2007 as a penetration tester. He has since performed dozens of penetration tests for all sorts of companies, including governments, banks and nuclear installations. <br />
<br />
'''20.30 - 21.15 Open session / discussion (Martin Knobloch/Ferdinand Vroom/Peter Gouwentak) ''' <br> Open session / discussion about subjects brought forward by the attendees. <br />
<br />
The Announcement of this meeting: [[Media:Announcement_OWASP-NL_May_28th_2009.pdf]]<br> The flyer of this meeting: [[Media:Owasp_NL_may2009.pdf]] <br> <br />
<br />
----<br />
<br />
=== Meeting Schedule 9th April Knowing Your Enemy ===<br />
<br />
'''Summary''' The main goal of the upcoming OWASP-NL meeting is to provide information to managers, architects, designers, developers and security and risk professionals. The speakers will give specific examples and there will be time to ask questions. <br />
<br />
{|<br />
|-<br />
| width="350" | <br />
Lange Dreef 17<br> 4131 NJ Vianen<br> <br />
<br />
| width="650" | <br />
[[Image:Sogeti Nederland b v Logo.jpg|http:\\www.sogeti.nl]] <br />
<br />
|-<br />
| width="350" | <br> <br />
| width="650" | <br />
About Sogeti Nederland B.V. Sogeti Nederland B.V. is one of top-5 IT companies of the Netherlands. Our workforce of over 3,500 employees provides top quality IT consultancy and services to leading companies in several industry sectors in the Netherlands. Our focus is local, but we are part of Sogeti Worldwide, offering IT services in the American, German, French, Belgian, UK, Swedish, Swiss and Spanish markets. <br />
<br />
Our core business is the design, construction, deployment, testing and maintenance of IT solutions. We stand for quality and IT skills; this is visible in our service and in the methods developed by us such as DYA®, Regatta®, TMap®, TPI® , Inframe®, and TEmb. <br />
<br />
Vision Sogeti delivers value by aligning the results of her services to the strategic goals of the client, thereby committing herself to the success of the client. We prove our commitment by assuming responsibility in various forms and to various degrees. <br />
<br />
New trends Our own research institute ViNT (Institute for Research into New Technology) keeps us and our clients ahead of the newest technology trends and their potential influence, benefits and risks. <br> More information about Sogeti can be found on our website www.sogeti.nl. <br> <br />
<br />
|}<br />
<br />
'''18.30 - 18.45 Introduction (OWASP organization, projects, sponsor) '''<br> '''18.45 - 19.30 Modern information gathering; how to abuse search engines Dave van Stein '''([[Media:20090409_passsive_reconnaissance-Dave_van_Stein.pdf]])<br> Great generals already know the key to success is "knowing your enemy". In hacking terms this is called information gathering, fingerprinting or reconnaissance. Traditionally this phase consisted of using public records like WHOIS and DNS combined with active scans on servers. With the rise of advanced search engines like Yahoo, Live Search and Google a whole new type of reconnaissance has come to life; passive reconnaissance. Often servers are not properly configured which causes lots of valuable information to become available without accessing the server at all. Recently several hacker-tools appeared which use the full capabilities of these search engines giving hackers a head-start at mapping the network they plan to attack. The goal of this session is to give insight in the methods and tools hackers have at their disposal to gather information about systems they plan to attack without accessing the system itself. Dave van Stein has close to 8 years of experience in software testing. Since the beginning of 2008 he's working for ps_testware as a web application security testing specialist. <br />
<br />
'''19.30 - 20.00 VAC Cross-site scripting Martin Visser '''([[Media:20090409_VAC_Cross-site-scripting_Martin_Visser.pdf]])<br> Martin Visser is a software designer with Sogeti Nederland B.V. specialized in secure application development with Microsoft technologies. He has experience with Microsoft server technologies like ASP.NET, SharePoint and Biztalk. Martin also developed and teaches a 2-day "Application Security - Microsoft development" course both within and outside Sogeti. <br />
<br />
'''20.00 - 20.15 Break ''' <br> '''20.15 - 21.00 Beveiligingsaspecten van webapplicatie-ontwikkeling Wouter van Kuipers ''' ([[Media:20090409_presentatie_Wouter_van_Kuipers.pdf]])<br> Het ontwikkelen van webapplicaties verschilt op verschillende aspecten met het ontwikkelen van desktop applicaties, met name op het gebied van security. Voor grote bedrijven zijn er oplossingen beschikbaar als bijvoorbeeld SDL, maar voor het midden- en kleinbedrijf zijn dit soort oplossingen beperkt, omdat zij vaak niet de middelen hebben om dergelijke strategieën uit te kunnen voeren. Voor zijn scriptie heeft Wouter van Kuipers middels een literatuuronderzoek, interviews met ontwikkelaars en een onderzoek naar Fortify 360 gekeken hoe het midden- en kleinbedrijf omgaat met deze verschillen en hoe zij het ontwikkelproces kunnen optimaliseren op het gebied van security. <br />
<br />
Na een MBO opleiding in de IT is Wouter van Kuipers via de HBO opleiding 'Communicatie Systemen' begin 2007 begonnen met een master Informatiekunde aan de Radboud Universiteit Nijmegen, welke hij in maart dit jaar hoopt af te ronden. Tijdens zijn MBO studie is zijn interesse in het ontwikkelen van webapplicaties gewekt, wat in 2003 resulteerde in het opzetten van een eigen web-development bedrijf. Dit bedrijf is met name gespecialiseerd in het ontwikkelen van webapplicaties op maat, en het ondersteunen van bedrijven op het gebied van web-developement op freelance basis. <br />
<br />
The flyer of this meeting: [[Media:Owasp_NL_april2009.pdf]]<br />
<br />
== Past Events ==<br />
<br />
*Events held in [[Netherlands Previous Events 2008|2008]] <br />
*Events held in [[Netherlands Previous Events 2007|2007]] <br />
*Events held in [[Netherlands Previous Events 2006|2006]] <br />
*Events held in [[Netherlands Previous Events 2005|2005]]</div>Dvsteinhttps://wiki.owasp.org/index.php?title=Netherlands&diff=72812Netherlands2009-11-08T11:59:23Z<p>Dvstein: /* Meeting minutes September 24th 2009 */</p>
<hr />
<div>{{Chapter Template|chaptername=Netherlands|extra=The chapter leader is [mailto:owasp@irc2.nl Bert Koelewijn]<br />
<paypal>Netherlands</paypal><br />
|mailinglistsite=http://lists.owasp.org/mailman/listinfo/owasp-netherlands|emailarchives=http://lists.owasp.org/pipermail/owasp-netherlands}} <br />
<br />
== '''OWASP NL Chapter Meetings Schedule 2009''' ==<br />
<br />
This is an overview of the 2009 local chapter meeting schedule. Details of the meetings can be found in the announcements that will be posted below this schedule. <br />
<pre>December 2th<br />
----------<br />
Please block your agendas on December 2, 12h-22h for the BeNeLux OWASP Day 2009.<br />
<br />
<br />
December 10th<br />
----------<br />
Time &nbsp;: 18.00 - 21.30<br />
Main Topic &nbsp;: Secure Software Development<br />
Presentations: How OWASP resources can be used by universities to develop, test and deploy secure web applications<br />
By Kuai Hinojosa<br />
<br />
VAC Regular Expression Denial of Service<br />
By Adar Weidman, Checkmarx Ltd.<br />
<br />
BSIMM Europe results<br />
By Florance Mottay, Managing Principal Citigal<br />
<br />
Location &nbsp;: ps_testware, Dorpsstraat 26, 3941 JM Doorn<br />
Sponsor &nbsp;: ps_testware<br />
<br />
<br />
September 24th<br />
----------<br />
Time &nbsp;: 18.00 - 21.30<br />
Main Topic &nbsp;: Unauthorised Access<br />
Presentations: Unauthorised Access Wil Allsopp<br />
Mini Meetings report: Time- Box testing &amp; Test Tools Barry van Kampen/ Dave van Stein<br />
Education Project report Martin Knobloch<br />
Discussion, questions and social networking<br />
Location &nbsp;: Sofitel Cocagne<br />
Vestdijk 47<br />
5611 CA Eindhoven<br />
Google Maps Route: http://tiny.cc/24kWE<br />
Sponsor &nbsp;: Madison Gurkha<br />
<br />
<br />
May 28th<br />
----------<br />
Time &nbsp;: 18.00 - 21.30<br />
Main Topic &nbsp;: AppSec Europe 2009<br />
Presentations: AppSec-EU 2009 Sebastien Deleersnyder, Telindus <br />
VAC Cross-Site Request Forgery Niels Teusink<br />
Open session / discussion about subjects brought forward by <br />
the attendees Martin Knobloch/Ferdinand Vroom/Peter Gouwentak<br />
Location &nbsp;: ASR Nederland<br />
MD0.60 - Auditorium<br />
Smallepad 30<br />
3811MG Amersfoort<br />
Sponsor &nbsp;: ASR Nederland<br />
<br />
<br />
April 9th<br />
----------<br />
Time &nbsp;: 18.00 - 21.30<br />
Main Topic &nbsp;: Knowing Your Enemy<br />
Presentations: Modern information gathering; how to abuse search engines Dave van Stein<br />
VAC Cross-site scripting Martin Visser <br />
Beveiligingsaspecten van webapplicatie-ontwikkeling Wouter van Kuipers <br />
Location &nbsp;: Lange Dreef 17<br />
4131 NJ Vianen<br />
Sponsor &nbsp;: Sogeti Nederland B.V.<br />
</pre> <br />
<br> <br />
<br />
=== Call for Speakers ===<br />
<br />
We are continuously looking for speakers and presentations make the chapter meetings as interesting as possible. Therefore we are looking inside and outside OWASP for known international specialists. But we know, there is a lot interesting stuf happening inside the Netherlands, too! <br> '''Presentations:''' Are you working on interesting subject, you would like to share your experiences with the OWASP community. Any topic related to application security will be appreciated!<br> '''VAC, Vulnerability, Attack, Countermeasure:''' The goal is an half hour in-depth technical presentation about a vulnerability, how it can be exploited and how to prevent it!<br> <br />
<br />
<span style="font-weight: bold;">Links:<br />
</span><br />
<br />
[http://www.owasp.org/index.php/Speaker_Agreement Speaker Agreement] <br />
<br />
[http://www.owasp.org/images/5/54/Presentation_template.ppt Template]<br />
<br />
=== Sponsorship of a local chapter meeting ===<br />
<br />
We are continuously looking for locations to hold local chapter meetings. Therefore, we need companies willing to sponsor of host events.<br> '''Hosting a local chapter meeting:''' To host a local chapter meeting, you facilitate the meeting location and beverage for the attendees<br> '''Sponsorship of a local chapter meeting:''' You cover the cost of renting the location for the meeting and the payment of the beverages for the attendees<br> '''Please let us know via the OWASP chapter meeting questionnaire of via email to martin.knobloch@owasp.org<br>'''<br />
<br />
== '''OWASP NL Cafe''' ==<br />
<br />
<font color="red">'''NEW:'''</font> Monthly informal platform to speak about (Web) application security matters! No registration required, just drop by! <br />
<br />
*no programm <br />
*no agenda <br />
*whatever comes up!<br />
<br />
=== Next OWASP Cafe: ===<br />
Open and free event, just drop in and discuse what's on your mind about application security!<br />
<pre><br />
When: TBD<br />
Where: TBD<br />
</pre><br />
The flyer: [[File:OWASP_NL_Cafe_oct09.jpg|100px]]<br />
<br />
<br> <br />
<br />
'''Registration'''<br> If you want to attend, please send an email to: netherlands-board@lists.owasp.org <br> <br> All OWASP chapter meetings are free of charge and you don't have to be an OWASP member to attend. There are never any vendor pitches or sales presentations at OWASP meetings.<br> <br> NOTE TO CISSP's: OWASP Meetings count towards CPE Credits.<br> <br> <br><br />
<br />
== '''OWASP NL Mini-Meetings''' ==<br />
<br />
<font color="red">'''NEW:'''</font> Platform to discus on specific issues related to (Web) Application Security. The topic's are brought in by the OWASP NL community!<br> Something on your mind to discus, put your idea online at: Mini Meetings [[Netherlands Mini Meeting 2009|Netherlands_Mini_Meeting_2009]] To attend the meeting, send an email to the contact's email address! <br />
<br />
=== Next Mini-Meeting: ===<br />
<pre><br />
Topic : SAMM, ASVS and other methodologies<br />
Contact : Martin Knobloch, martin.knobloch@owasp.org<br />
----------<br />
Date : November 19th 2009<br />
Time : 18:00 (dinner provided) to 21:30 <br />
Location : Sogeti Nederland B.V.<br />
Plotterweg 31-33<br />
3821 BB Amersfoort<br />
Details : About ideas and experiences of using, implementing and verifying the different methodologies<br />
Attendees : Max 12 persons, currently 3, 9available<br />
</pre><br />
<br />
== '''Meeting Minutes''' ==<br />
<br />
=== Meeting minutes September 24th 2009 ===<br />
<br />
At September 24th 2009, the Dutch OWASP chapter met in Eindhoven. The sponsor of the evening was Madison Gurkha. The subject of the evening was Unautorized Access. There were 4 speakers and 21 attendees.<br/><br />
<br/><br />
After a short welcome talk by Ferdinand Vroom from OWASP, Madison Gurkha gave a small introduction to the company. Madison Gurkha is a small firm that focuses on the prevention, identification, and prevention of technical IT security problems throughout organizations. As such their scope reaches beyond that of web application testing up to the level of physical security. In practice they often see the OWASP top 10 vulnerabilities and use OWASP tools in their assessments, hence their interest in the OWASP.<br> <br />
<br><br />
'''First presentation:''' Unauthorized Access by Wil Allsopp. <br/><br />
Wil Allsopp performs Physical Penetration Tests at Madison Gurkha and recently wrote a book about the subject: Unauthorised Access: Physical Penetration Testing For IT Security Teams [http://www.amazon.com/Unauthorised-Access-Physical-Penetration-Security/dp/0470747617].<br/><br />
Physical Security is all hacking your way into physical locations, like buildings, by using a combination of reconnaissance, social engineering, and technical skills. Like all forms of testing these assessments can only be successful when performed in a structured manner. The first phase is the preparation phase in which the target is studied and a team with a balance of several expertises is selected. Obviously the legal consequences and risks for bodily harm can be more severe in conducting a physical security test. Therefore a careful preparation also includes covering these risks and defining solid boundary conditions. <br/><br />
In the second phase the actual test is done meaning that the team will try to enter a facility according to a well prepared plan. Since physical security deals with real people and other unpredictable circumstances, this phase heavily relies on social engineering skills and being creative. Test can be conducted in three modes of operation: overt (use the system as much as possible), covert (minimize contact), and unseen (apply stealth). The last phase is off course the reporting phase.<br/><br />
Wil cleary proved in his presentation that for testing physical security introduces whole new dimensions of interaction to take into account, but is in fact no different in approach as other forms of testing.<br/><br />
<br/><br />
'''Second presentation:''' Mini Meetings Results by Barry van Kampen en Dave van Stein. <br/><br />
As mentioned in the meeting minutes of May 28th 2009 [http://www.owasp.org/index.php/Netherlands#Meeting_minutes_May_28th_2009] the Dutch OWASP chapter decided to schedule mini-meetings. These meetings will facilitate an open discussion about a single topic of interest. Although only 1 of the 3 planned meetings actually took place, the results of this meeting were above expectations. The topic of this mini-meeting was "Quick-scans and other time-boxed test approaches". The conclusions were that these time-boxed test approaches are capable of quickly uncovering fundamental problems even while the scope is limited. Plans are to have a second meeting and maybe even start an OWASP project on the topic. <br/><br />
Since mini-meets are planned for and by the community, everybody is invited to check the mini-meet Wiki [http://www.owasp.org/index.php/Netherlands_Mini_Meeting_2009] and propose topics, dates or locations.<br/><br />
<br/><br />
'''Third presentation:''' OWASP Education Project by Martin Knobloch. <br/><br />
The awareness that application security is essential in the development and deployment of every web application is increasing, but it is often still applied as an end-of-pipe solution. The OWASP Education Project [http://www.owasp.org/index.php?title=Category:OWASP_Education_Project] tries to remediate this problem by delivering education material about OWASP tooling, methodologies, and principles. The project continuously creates educational & documentation papers, screen scrape video courses and learning environments and courses. By providing these materials to the community the OWASP body of knowledge can be spread in a controlled manner and deliver high quality training, both inside and outside of the OWASP community.<br/><br />
To improve the quality and progress of this project, contributors are needed on all areas. Therefore everybody is encouraged to take a look at the project Wiki and invited to help make the (virtual) world a better and safer place!<br/><br />
<br/><br />
----<br />
<br />
=== Meeting minutes May 28th 2009 ===<br />
<br />
At May 28th, the Dutch OWASP chapter came together at the ASR building in Amersfoort. The main topic of the evening was AppSec 2009. There were 2 speakers and approximately 20 attendees.<br> <br> There was no sponsor talk or general announcement so after a very short welcome talk by Bert the evening started.<br> <br> '''First presentation:''' AppSec 2009 by Sebastien Deleersnyder. <br> The first presentation of the evening was a recap of AppSec 2009 in Poland. The conference was a big success with around 170 attendees. The meeting preceded the 2009 edition of Confidence [http://2009.confidence.org.pl/] resulting in a week of security presentations and workshops. All AppSec presentations and many movies, pictures, and other material can be found on the AppSec wiki [http://www.owasp.org/index.php/OWASP_AppSec_Europe_2009_-_Poland] but a few items are worth mentioning in specific. First of all OWASP is growing and changing. These changes include a simplification of the membership fees, the introduction of a 'code of ethics', and a general review of all 120 projects. Other highlights are the project ASVS, which has reached an international standard status and updated versions of WebGoat and LabRat.<br> Lastly besides a Wiki and a LinkedIn group, OWASP is now also active on Twitter [http://twitter.com/owasp] &amp; [http://twitter.com/owasp_nl] and has two overview pages with all video [http://www.owasp.org/index.php/Category:OWASP_Video] and audio materials [http://www.owasp.org/index.php/OWASP_Podcast].<br> Feel free to use all the materials (as long as you abide by the new code of ethics off course) and visit the OWASP websites frequently for updates&nbsp;!<br> <br> '''Second presentation:''' VAC Cross-Site Request Forgery by Niels Teusink. <br> After succesfull VAC's about SQL injection and Cross-site scripting, the topic of this evening's VAC was Cross-site Request Forgery, also known as CSRF. CSRF is probably one of the least understood vulnerabilities, but can have tremendous consequences when succesfully exploited. In essence it is an attack that misuses the victim's autorisations with malicious scripts. CSRF attacks can also be easily combined with other attack, like e.g. XSS, making them even more dangerous. <br> Despite the name suggests, these attacks do not have to be on different websites (domains). With the continuing trend to combine multiple functionalities in a single application, so-called onsite request forgeries are becoming more and more frequent. Contrary to XSS and SQL injection, CSRF can not be blocked by input validation. In order to prevent these kind of attacks, an application has to able to verify the authenticity of a request. This can be achieved by several methods like using a unique identifier for a session or each request or requiring additional user input like a CAPTCHA or a one-time token. <br> <br> '''Open Discussion''' <br> The evening was closed with an open discussion about how to improve knowledge sharing among the OWASP members. Many interesting discussions start during the drinks after the presentations on the OWASP evenings, discussions that sadly often are stopped prematurly due to time restraints.<br> As an addition on the quarterly presentation evenings, the Dutch chapter decided to also start mini-meetings and the OWASP cafe.<br> Mini-meetings will not be planned on beforehand, but instead will be planned when a topic is proposed and enough attendees have stated an interest in the topic. The attendees will have to select a location themselves but can request a donation from the OWASP for drinks and snacks. Topics discussed at the mini-meeting will have to be listed in minutes so other members can also profit from this knowledge exchange.<br> The OWASP cafe will be planned each first thursday of the month on a location that will be listed on the OWASP Dutch chapter site. The rules are simple: the evening starts at a certain time, ends at a certain time and will be filled with drinks, snacks, and nerd/hacker/geek humor and discussions in between.<br> Check the website frequently for the location of the next mini-meeting and OWASP cafe&nbsp;!<br> <br> <br />
<br />
----<br />
<br />
=== Meeting minutes April 9th 2009 ===<br />
<br />
At April 9th, the Dutch OWASP chapter came together at the office of Sogeti in Vianen. The main topic of the evening was "knowing your enemy". There were 3 speakers and approximately 50 attendees.<br> <br> The sponsor of the evening started with a small welcome and an overview of their internal security program named PASS. After some small announcements from the OWASP the evening started.<br> <br> '''First presentation:''' Modern information gathering; how to abuse search engines by Dave van Stein.<br> The first presentation of the evening was about using search engines and crawlers to gain detailed information about webservers and websites. Ill configured webservers allow search engine crawlers to collect much information about a system, information that is stored and can be retrieved with search engines. Many websites and tools make use of this mechanism and, combined with DNS and WHOIS information, are able to provide detailed or sensitive information like usernames, vulnerabilities, present files or network topology about a system without targeting it directly.<br> Restricting crawlers to access a system can act as a first line of defence and reduce exposure and risks.<br> <br> '''Second presentation:''' VAC Cross-site scripting by Martin Visser. <br> The second VAC on an OWASP meeting was about Cross-site scripting also known as XSS. XSS vulnerabilities are often misunderstood and underestimated but facts show that XSS vulnerability abusing attacks are nowadys the fastest growing and most widespread type of exploit. In short XSS vulnerabilities allow for user input to be executed when containing javascript or HTML code. When combined with other vulnerabilities the possibilities of these attacks are vitually limitless.<br> The only way to prevent these attacks is to sanitize all input and output fields, but this can be more difficult than it appears to be. Simply blacklisting fragments like &lt;script&gt; is not sufficient due to the possibility of recursivity (e.g. &lt;scr&lt;script&gt;ipt&gt;) and encoding (e.g. URL encoding:&nbsp;%3C%73%63%72%69%70%74%3E). Using multiple layers of filters on various places is the only way to assure enough protection against these types of attacks.<br> <br> '''Third presentation:''' Beveiligingsaspecten van webapplicatie-ontwikkeling by Wouter van Kuipers. <br> The third presentation of the evening was about the efficiency of a source code analyer for php based websites. Approximately 33% of all websites use php and this can be explained by the low learning curve and ease of use of the language. Due to the low learning curve many php developers have little experience with programming and almost no awareness regading security resulting in many unsecure websites. Source code analysis can help preventing many security issues, but their usage does have some limitations. Firstly the scan on itself takes only a few minutes, but analysing the results requires much longer and depends greatly on how familiar the analyser is with the scanned source code. Second these analysers produce many flase positives, making analysis even more time consuming. Lastly not all vulnerabilities are detected with the same efficiency. Especially vulnerabilities that are dependent on the application logic like injection or XSS are not always efficiently detected.<br> Concluding, like all tools, a source code analyser can be a powerful tool, but one has to be aware of its limitations. These tools can provide results very fast, but when used on unfamiliar code the analysis can be very time consuming. <br><br />
<br />
== Scheduled OWASP NL Chapter Meetings: ==<br />
<br />
=== Meeting Schedule December 2nd 2009: BeNeLux OWASP Day 2009<br> ===<br />
<br />
Follow this link for more information: [[BeNeLux OWASP Day 2009]] <br />
<br />
[[Image:BeNeLux Day 2009 poster v1.png|200px]] <br />
<br />
----<br />
<br />
=== Meeting Schedule December 10th 2009: Secure Software Development, Testing, Deployment and Methodologies<br> ===<br />
<br />
'''Summary:''' The main goal of the upcoming OWASP-NL meeting is to provide information to managers, architects, designers, developers and security and risk professionals. The speakers will give specific examples and there will be time to ask questions.<br> <br />
<br />
{| width="500" cellspacing="1" cellpadding="1" border="0" align="left"<br />
|-<br />
| <br />
<br> ps_testware B.V. <br />
<br />
Dorpstraat 26<br>3941 JM&nbsp; Doorn<br> <br />
<br />
<br> <br />
<br />
| [[Image:Pstestware.png]]<br><br />
|}<br />
<br />
<br> <br />
<br />
<br> <br />
<br />
<br> <br />
<br />
<br> <br> <br />
<br />
<br> '''18:00 - 18:30 Check-In (catering included)'''<br> <br />
<br />
'''18:30 - 18:45 Introduction (OWASP organization, projects, sponsor)<br>''' <br />
<br />
'''18.45 - 19.45 How OWASP resources can be used by universities to develop, test and deploy secure web applications (Kuai Hinojosa)'''<br> Universities are key to making application security visible and the need to educate software developers about application security as an aspect of proper software development has never been more important. In this presentation I will share how OWASP resources can be used by universities to develop, test and deploy secure web applications. I will discuss challenges that Universities currently face integrating a pplication security best practices, describe how OWASP tools and resources are currently used at New York University to test for most common web application flaws. I will introduce projects such as the OWASP Enterprise Security API which can be used to mitigate most common flaws in web applications and share initiatives the OWASP Global Education Committee is currently working on. If you are interested in securing web applications, and supporting the OWASP Global Education Committee efforts you don't want to miss this! <br />
<br />
Kuai Hinojosa has been developing and securing web applications for about 12 years. He previously worked in the banking industry as a database security administrator for the 5th largest bank in the U.S. where he worked in a small team developing applications that protected company's assets. He now works for New York University as a Web Applications Specialist where he continues to use web application development and application security experience to protect university resources. In his spare time Kuai volunteers his time preaching the application security gospel and leading the Minneapolis OWASP chapter. Kuai is a member of the OWASP (Open Web Application Security Project) Global Education Committee.<br> <br />
<br />
'''19.45 – 20.00 Break''' <br />
<br />
'''20. 00 – 20.30 VAC REGEX Denial of Service Attacks''' '''(Adar Weidman, Senior Developer Checkmarx Ltd.)'''<br> <br />
<br />
This presentation explores the Regular Expression Denial of Service (ReDoS) attack and how it be used in order to implement new and old attacks. ReDoS is commonly known as a “bug” in systems, but the presentation will show how serious it is and how using this technique, various applications can be “ReDoSed”. These include, among others, Web Application, WAFs, IDS, AV, Web Servers, Client-side browsers (including cellular devices), and Database.<br> <br />
<br />
'''20.30 – 21.00 BSIMM Europe results (Florence Mottay, Managing Principal Citigal)'''<br> <br />
<br />
Most large organizations have practiced software security through many activities involving people, process and automation, but we are just now reaching the point where enough experience has been accumulated to compare notes and talk about what works at a macro level. Using the framework described in Gary McGraw’s book “Software Security: Building Security In” I will discuss and describe the state of the practice in software security. This talk is infused with real data from the field, based on my work with several large companies as a Cigital consultant.<br> <br />
<br />
Florence Mottay is a seasoned Business Manager and adept Security Expert. She is responsible for the long-term growth, stability, market leadership, and client satisfaction of the company's EMEA operations. At her former company, Security Innovation, she was the visionary behind Team Mentor, the company's first-of-a-kind software security knowledge management system that guides software development and test teams through the process of consistently developing secure applications. Other areas of expertise include Threat Modeling for the Enterprise and Customized Enterprise Security Solutions. Previously, Florence was a Software Test Engineer for JD Edwards. She was also a Project Leader at the Center for Software Engineering Research at the Florida Institute of Technology where she worked for Dr. Whittaker, the founder of Security Innovation. Florence has a BS in Applied Mathematics and an MS in Software Engineering from the Florida Institute of Technology.<br> <br />
<br />
'''21.00 – 21:30 Discussion, questions and social networking''' <br />
<br />
----<br />
<br />
=== Meeting Schedule September 24th 2009: Unautorized Access<br> ===<br />
<br />
'''Summary:''' The main goal of the upcoming OWASP-NL meeting is to provide information to managers, architects, designers, developers and security and risk professionals. The speakers will give specific examples and there will be time to ask questions.<br> <br />
<br />
{| width="500" cellspacing="1" cellpadding="1" border="0" align="left"<br />
|-<br />
| <br />
Madison Gurkha <br />
<br />
Sofitel Cocagne Eindhoven<br>Vestdijk 47<br>5611 CA Eindhoven<br> <br />
<br />
| [[Image:Logo Madison Gurkha.GIF|200px]]<br><br />
|}<br />
<br />
<br> <br />
<br />
<br> <br />
<br />
<br> <br />
<br />
<br> <br />
<br />
<br> '''18:00 - 18:30 Check-In (catering included)'''<br> <br />
<br />
'''18:30 - 18:45 Introduction (OWASP organization, projects, sponsor)'''<br> <br />
<br />
'''18.45 - 19.45 Unauthorized Access (Wil Allsopp)<br>''' <br />
<br />
Physical Penetration Testing and Social Engineering have been conducted by testing organisations for some time but there has been very little discussion within the industry regarding the use of formal approaches ensuring a consistently high quality and repeatability of the testing lifecycle. <br />
<br />
This was a problem I attempted to address in the book Unauthorized Access and is the focus of this discussion. <br />
<br />
We will look at the following: <br />
<br />
*What is physical penetration testing and what does it aim to achieve?<br> <br />
*Tactical approaches to Social Engineering in testing.<br> <br />
*The advantages and disadvantages of deploying SE.<br> <br />
*Training operators and building operating teams - what skill sets should you deploy? <br> <br />
*What are the legal aspects involved, how do these vary between jurisdictions? <br> <br />
*How should you plan a physical penetration test at strategic, tactical and operational levels? <br> <br />
*How do you gauge risk i.e. Contractual, Operational, Legal and Environmental?<br />
<br />
<br>The biggest problem currently facing physical penetration testing teams is that it's hard to prove a negative i.e. a failed test by no means guarantees the security of the client. By ensuring your team is trained and prepared you can mitigate this problem to a large degree.'''<br>'''<br> <br />
<br />
'''19.45 – 20.00 Break''' <br />
<br />
'''20. 00 – 20.30 Mini Meetings: Time- Box testing &amp; Test Tools (Barry van Kampen en Dave van Stein)''' <br />
<br />
'''20.30 – 21.00 Education Project (Martin Knobloch)''' <br />
<br />
'''21.00 – 21:30 Discussion, questions and social networking'''<br> <br />
<br />
----<br />
<br />
=== Meeting Schedule May 28th 2009: AppSec Europe 2009 ===<br />
<br />
'''Summary''' The main goal of the upcoming OWASP-NL meeting is to provide an abstract of the recently held AppSec Europe 2009, a VAC about CSRF and, new, an open discussion on application security subjects brought forward by the attendees. <br />
<br />
{|<br />
|-<br />
| width="350" | <br />
ASR Nederland<br> <br> MD0.60 - Auditorium<br> Smallepad 30<br> 3811MG Amersfoort<br> <br />
<br />
| width="650" | <br />
[[Image:ASR Nederland logo.jpg|200px]] <br />
<br />
|-<br />
| width="350" | <br> <br />
| width="650" | <br />
<br> <br />
<br />
<br> <br />
<br />
|}<br />
<br />
'''18.30 - 18.45 Introduction (OWASP organization, projects, sponsor) '''<br> <br />
<br />
'''18.45 - 19.45 AppSec-EU 2009 (Sebastien Deleersnyder, Telindus) '''<br> Update on the AppSec-EU 2009: <br> OWASP State of the union, an update on OWASP and OWASP projects and of course the highlights of the AppSec-EU 2009 presentations. <br />
<br />
'''19.45 - 20.00 Break '''<br> <br />
<br />
'''20.00 - 20.30 VAC Cross-Site Request Forgery (Niels Teusink, Fox-IT) ''' ([[Media:20090409_VAC-CSRF-Niels_Teusink.pdf]])<br> CSRF is an attack which forces an end user to execute unwanted actions on a web application in which he/she is currently authenticated. With a little help of social engineering (like sending a link via email/chat), an attacker may force the users of a web application to execute actions of the attacker's choosing. A successful CSRF exploit can compromise end user data and operation in case of normal user. If the targeted end user is the administrator account, this can compromise the entire web application. <br />
<br />
Niels Teusink holds a bachelor degree in Computer Science and has been experimenting with IT security for over a decade. He has worked for Fox-IT since 2005; first as a software engineer and since 2007 as a penetration tester. He has since performed dozens of penetration tests for all sorts of companies, including governments, banks and nuclear installations. <br />
<br />
'''20.30 - 21.15 Open session / discussion (Martin Knobloch/Ferdinand Vroom/Peter Gouwentak) ''' <br> Open session / discussion about subjects brought forward by the attendees. <br />
<br />
The Announcement of this meeting: [[Media:Announcement_OWASP-NL_May_28th_2009.pdf]]<br> The flyer of this meeting: [[Media:Owasp_NL_may2009.pdf]] <br> <br />
<br />
----<br />
<br />
=== Meeting Schedule 9th April Knowing Your Enemy ===<br />
<br />
'''Summary''' The main goal of the upcoming OWASP-NL meeting is to provide information to managers, architects, designers, developers and security and risk professionals. The speakers will give specific examples and there will be time to ask questions. <br />
<br />
{|<br />
|-<br />
| width="350" | <br />
Lange Dreef 17<br> 4131 NJ Vianen<br> <br />
<br />
| width="650" | <br />
[[Image:Sogeti Nederland b v Logo.jpg|http:\\www.sogeti.nl]] <br />
<br />
|-<br />
| width="350" | <br> <br />
| width="650" | <br />
About Sogeti Nederland B.V. Sogeti Nederland B.V. is one of top-5 IT companies of the Netherlands. Our workforce of over 3,500 employees provides top quality IT consultancy and services to leading companies in several industry sectors in the Netherlands. Our focus is local, but we are part of Sogeti Worldwide, offering IT services in the American, German, French, Belgian, UK, Swedish, Swiss and Spanish markets. <br />
<br />
Our core business is the design, construction, deployment, testing and maintenance of IT solutions. We stand for quality and IT skills; this is visible in our service and in the methods developed by us such as DYA®, Regatta®, TMap®, TPI® , Inframe®, and TEmb. <br />
<br />
Vision Sogeti delivers value by aligning the results of her services to the strategic goals of the client, thereby committing herself to the success of the client. We prove our commitment by assuming responsibility in various forms and to various degrees. <br />
<br />
New trends Our own research institute ViNT (Institute for Research into New Technology) keeps us and our clients ahead of the newest technology trends and their potential influence, benefits and risks. <br> More information about Sogeti can be found on our website www.sogeti.nl. <br> <br />
<br />
|}<br />
<br />
'''18.30 - 18.45 Introduction (OWASP organization, projects, sponsor) '''<br> '''18.45 - 19.30 Modern information gathering; how to abuse search engines Dave van Stein '''([[Media:20090409_passsive_reconnaissance-Dave_van_Stein.pdf]])<br> Great generals already know the key to success is "knowing your enemy". In hacking terms this is called information gathering, fingerprinting or reconnaissance. Traditionally this phase consisted of using public records like WHOIS and DNS combined with active scans on servers. With the rise of advanced search engines like Yahoo, Live Search and Google a whole new type of reconnaissance has come to life; passive reconnaissance. Often servers are not properly configured which causes lots of valuable information to become available without accessing the server at all. Recently several hacker-tools appeared which use the full capabilities of these search engines giving hackers a head-start at mapping the network they plan to attack. The goal of this session is to give insight in the methods and tools hackers have at their disposal to gather information about systems they plan to attack without accessing the system itself. Dave van Stein has close to 8 years of experience in software testing. Since the beginning of 2008 he's working for ps_testware as a web application security testing specialist. <br />
<br />
'''19.30 - 20.00 VAC Cross-site scripting Martin Visser '''([[Media:20090409_VAC_Cross-site-scripting_Martin_Visser.pdf]])<br> Martin Visser is a software designer with Sogeti Nederland B.V. specialized in secure application development with Microsoft technologies. He has experience with Microsoft server technologies like ASP.NET, SharePoint and Biztalk. Martin also developed and teaches a 2-day "Application Security - Microsoft development" course both within and outside Sogeti. <br />
<br />
'''20.00 - 20.15 Break ''' <br> '''20.15 - 21.00 Beveiligingsaspecten van webapplicatie-ontwikkeling Wouter van Kuipers ''' ([[Media:20090409_presentatie_Wouter_van_Kuipers.pdf]])<br> Het ontwikkelen van webapplicaties verschilt op verschillende aspecten met het ontwikkelen van desktop applicaties, met name op het gebied van security. Voor grote bedrijven zijn er oplossingen beschikbaar als bijvoorbeeld SDL, maar voor het midden- en kleinbedrijf zijn dit soort oplossingen beperkt, omdat zij vaak niet de middelen hebben om dergelijke strategieën uit te kunnen voeren. Voor zijn scriptie heeft Wouter van Kuipers middels een literatuuronderzoek, interviews met ontwikkelaars en een onderzoek naar Fortify 360 gekeken hoe het midden- en kleinbedrijf omgaat met deze verschillen en hoe zij het ontwikkelproces kunnen optimaliseren op het gebied van security. <br />
<br />
Na een MBO opleiding in de IT is Wouter van Kuipers via de HBO opleiding 'Communicatie Systemen' begin 2007 begonnen met een master Informatiekunde aan de Radboud Universiteit Nijmegen, welke hij in maart dit jaar hoopt af te ronden. Tijdens zijn MBO studie is zijn interesse in het ontwikkelen van webapplicaties gewekt, wat in 2003 resulteerde in het opzetten van een eigen web-development bedrijf. Dit bedrijf is met name gespecialiseerd in het ontwikkelen van webapplicaties op maat, en het ondersteunen van bedrijven op het gebied van web-developement op freelance basis. <br />
<br />
The flyer of this meeting: [[Media:Owasp_NL_april2009.pdf]]<br />
<br />
== Past Events ==<br />
<br />
*Events held in [[Netherlands Previous Events 2008|2008]] <br />
*Events held in [[Netherlands Previous Events 2007|2007]] <br />
*Events held in [[Netherlands Previous Events 2006|2006]] <br />
*Events held in [[Netherlands Previous Events 2005|2005]]</div>Dvsteinhttps://wiki.owasp.org/index.php?title=Netherlands&diff=72811Netherlands2009-11-08T10:48:18Z<p>Dvstein: /* Meeting Minutes */</p>
<hr />
<div>{{Chapter Template|chaptername=Netherlands|extra=The chapter leader is [mailto:owasp@irc2.nl Bert Koelewijn]<br />
<paypal>Netherlands</paypal><br />
|mailinglistsite=http://lists.owasp.org/mailman/listinfo/owasp-netherlands|emailarchives=http://lists.owasp.org/pipermail/owasp-netherlands}} <br />
<br />
== '''OWASP NL Chapter Meetings Schedule 2009''' ==<br />
<br />
This is an overview of the 2009 local chapter meeting schedule. Details of the meetings can be found in the announcements that will be posted below this schedule. <br />
<pre>December 2th<br />
----------<br />
Please block your agendas on December 2, 12h-22h for the BeNeLux OWASP Day 2009.<br />
<br />
<br />
December 10th<br />
----------<br />
Time &nbsp;: 18.00 - 21.30<br />
Main Topic &nbsp;: Secure Software Development<br />
Presentations: How OWASP resources can be used by universities to develop, test and deploy secure web applications<br />
By Kuai Hinojosa<br />
<br />
VAC Regular Expression Denial of Service<br />
By Adar Weidman, Checkmarx Ltd.<br />
<br />
BSIMM Europe results<br />
By Florance Mottay, Managing Principal Citigal<br />
<br />
Location &nbsp;: ps_testware, Dorpsstraat 26, 3941 JM Doorn<br />
Sponsor &nbsp;: ps_testware<br />
<br />
<br />
September 24th<br />
----------<br />
Time &nbsp;: 18.00 - 21.30<br />
Main Topic &nbsp;: Unauthorised Access<br />
Presentations: Unauthorised Access Wil Allsopp<br />
Mini Meetings report: Time- Box testing &amp; Test Tools Barry van Kampen/ Dave van Stein<br />
Education Project report Martin Knobloch<br />
Discussion, questions and social networking<br />
Location &nbsp;: Sofitel Cocagne<br />
Vestdijk 47<br />
5611 CA Eindhoven<br />
Google Maps Route: http://tiny.cc/24kWE<br />
Sponsor &nbsp;: Madison Gurkha<br />
<br />
<br />
May 28th<br />
----------<br />
Time &nbsp;: 18.00 - 21.30<br />
Main Topic &nbsp;: AppSec Europe 2009<br />
Presentations: AppSec-EU 2009 Sebastien Deleersnyder, Telindus <br />
VAC Cross-Site Request Forgery Niels Teusink<br />
Open session / discussion about subjects brought forward by <br />
the attendees Martin Knobloch/Ferdinand Vroom/Peter Gouwentak<br />
Location &nbsp;: ASR Nederland<br />
MD0.60 - Auditorium<br />
Smallepad 30<br />
3811MG Amersfoort<br />
Sponsor &nbsp;: ASR Nederland<br />
<br />
<br />
April 9th<br />
----------<br />
Time &nbsp;: 18.00 - 21.30<br />
Main Topic &nbsp;: Knowing Your Enemy<br />
Presentations: Modern information gathering; how to abuse search engines Dave van Stein<br />
VAC Cross-site scripting Martin Visser <br />
Beveiligingsaspecten van webapplicatie-ontwikkeling Wouter van Kuipers <br />
Location &nbsp;: Lange Dreef 17<br />
4131 NJ Vianen<br />
Sponsor &nbsp;: Sogeti Nederland B.V.<br />
</pre> <br />
<br> <br />
<br />
=== Call for Speakers ===<br />
<br />
We are continuously looking for speakers and presentations make the chapter meetings as interesting as possible. Therefore we are looking inside and outside OWASP for known international specialists. But we know, there is a lot interesting stuf happening inside the Netherlands, too! <br> '''Presentations:''' Are you working on interesting subject, you would like to share your experiences with the OWASP community. Any topic related to application security will be appreciated!<br> '''VAC, Vulnerability, Attack, Countermeasure:''' The goal is an half hour in-depth technical presentation about a vulnerability, how it can be exploited and how to prevent it!<br> <br />
<br />
<span style="font-weight: bold;">Links:<br />
</span><br />
<br />
[http://www.owasp.org/index.php/Speaker_Agreement Speaker Agreement] <br />
<br />
[http://www.owasp.org/images/5/54/Presentation_template.ppt Template]<br />
<br />
=== Sponsorship of a local chapter meeting ===<br />
<br />
We are continuously looking for locations to hold local chapter meetings. Therefore, we need companies willing to sponsor of host events.<br> '''Hosting a local chapter meeting:''' To host a local chapter meeting, you facilitate the meeting location and beverage for the attendees<br> '''Sponsorship of a local chapter meeting:''' You cover the cost of renting the location for the meeting and the payment of the beverages for the attendees<br> '''Please let us know via the OWASP chapter meeting questionnaire of via email to martin.knobloch@owasp.org<br>'''<br />
<br />
== '''OWASP NL Cafe''' ==<br />
<br />
<font color="red">'''NEW:'''</font> Monthly informal platform to speak about (Web) application security matters! No registration required, just drop by! <br />
<br />
*no programm <br />
*no agenda <br />
*whatever comes up!<br />
<br />
=== Next OWASP Cafe: ===<br />
Open and free event, just drop in and discuse what's on your mind about application security!<br />
<pre><br />
When: TBD<br />
Where: TBD<br />
</pre><br />
The flyer: [[File:OWASP_NL_Cafe_oct09.jpg|100px]]<br />
<br />
<br> <br />
<br />
'''Registration'''<br> If you want to attend, please send an email to: netherlands-board@lists.owasp.org <br> <br> All OWASP chapter meetings are free of charge and you don't have to be an OWASP member to attend. There are never any vendor pitches or sales presentations at OWASP meetings.<br> <br> NOTE TO CISSP's: OWASP Meetings count towards CPE Credits.<br> <br> <br><br />
<br />
== '''OWASP NL Mini-Meetings''' ==<br />
<br />
<font color="red">'''NEW:'''</font> Platform to discus on specific issues related to (Web) Application Security. The topic's are brought in by the OWASP NL community!<br> Something on your mind to discus, put your idea online at: Mini Meetings [[Netherlands Mini Meeting 2009|Netherlands_Mini_Meeting_2009]] To attend the meeting, send an email to the contact's email address! <br />
<br />
=== Next Mini-Meeting: ===<br />
<pre><br />
Topic : SAMM, ASVS and other methodologies<br />
Contact : Martin Knobloch, martin.knobloch@owasp.org<br />
----------<br />
Date : November 19th 2009<br />
Time : 18:00 (dinner provided) to 21:30 <br />
Location : Sogeti Nederland B.V.<br />
Plotterweg 31-33<br />
3821 BB Amersfoort<br />
Details : About ideas and experiences of using, implementing and verifying the different methodologies<br />
Attendees : Max 12 persons, currently 3, 9available<br />
</pre><br />
<br />
== '''Meeting Minutes''' ==<br />
<br />
=== Meeting minutes September 24th 2009 ===<br />
<br />
=== Meeting minutes May 28th 2009 ===<br />
<br />
At May 28th, the Dutch OWASP chapter came together at the ASR building in Amersfoort. The main topic of the evening was AppSec 2009. There were 2 speakers and approximately 20 attendees.<br> <br> There was no sponsor talk or general announcement so after a very short welcome talk by Bert the evening started.<br> <br> '''First presentation:''' AppSec 2009 by Sebastien Deleersnyder. <br> The first presentation of the evening was a recap of AppSec 2009 in Poland. The conference was a big success with around 170 attendees. The meeting preceded the 2009 edition of Confidence [http://2009.confidence.org.pl/] resulting in a week of security presentations and workshops. All AppSec presentations and many movies, pictures, and other material can be found on the AppSec wiki [http://www.owasp.org/index.php/OWASP_AppSec_Europe_2009_-_Poland] but a few items are worth mentioning in specific. First of all OWASP is growing and changing. These changes include a simplification of the membership fees, the introduction of a 'code of ethics', and a general review of all 120 projects. Other highlights are the project ASVS, which has reached an international standard status and updated versions of WebGoat and LabRat.<br> Lastly besides a Wiki and a LinkedIn group, OWASP is now also active on Twitter [http://twitter.com/owasp] &amp; [http://twitter.com/owasp_nl] and has two overview pages with all video [http://www.owasp.org/index.php/Category:OWASP_Video] and audio materials [http://www.owasp.org/index.php/OWASP_Podcast].<br> Feel free to use all the materials (as long as you abide by the new code of ethics off course) and visit the OWASP websites frequently for updates&nbsp;!<br> <br> '''Second presentation:''' VAC Cross-Site Request Forgery by Niels Teusink. <br> After succesfull VAC's about SQL injection and Cross-site scripting, the topic of this evening's VAC was Cross-site Request Forgery, also known as CSRF. CSRF is probably one of the least understood vulnerabilities, but can have tremendous consequences when succesfully exploited. In essence it is an attack that misuses the victim's autorisations with malicious scripts. CSRF attacks can also be easily combined with other attack, like e.g. XSS, making them even more dangerous. <br> Despite the name suggests, these attacks do not have to be on different websites (domains). With the continuing trend to combine multiple functionalities in a single application, so-called onsite request forgeries are becoming more and more frequent. Contrary to XSS and SQL injection, CSRF can not be blocked by input validation. In order to prevent these kind of attacks, an application has to able to verify the authenticity of a request. This can be achieved by several methods like using a unique identifier for a session or each request or requiring additional user input like a CAPTCHA or a one-time token. <br> <br> '''Open Discussion''' <br> The evening was closed with an open discussion about how to improve knowledge sharing among the OWASP members. Many interesting discussions start during the drinks after the presentations on the OWASP evenings, discussions that sadly often are stopped prematurly due to time restraints.<br> As an addition on the quarterly presentation evenings, the Dutch chapter decided to also start mini-meetings and the OWASP cafe.<br> Mini-meetings will not be planned on beforehand, but instead will be planned when a topic is proposed and enough attendees have stated an interest in the topic. The attendees will have to select a location themselves but can request a donation from the OWASP for drinks and snacks. Topics discussed at the mini-meeting will have to be listed in minutes so other members can also profit from this knowledge exchange.<br> The OWASP cafe will be planned each first thursday of the month on a location that will be listed on the OWASP Dutch chapter site. The rules are simple: the evening starts at a certain time, ends at a certain time and will be filled with drinks, snacks, and nerd/hacker/geek humor and discussions in between.<br> Check the website frequently for the location of the next mini-meeting and OWASP cafe&nbsp;!<br> <br> <br />
<br />
----<br />
<br />
=== Meeting minutes April 9th 2009 ===<br />
<br />
At April 9th, the Dutch OWASP chapter came together at the office of Sogeti in Vianen. The main topic of the evening was "knowing your enemy". There were 3 speakers and approximately 50 attendees.<br> <br> The sponsor of the evening started with a small welcome and an overview of their internal security program named PASS. After some small announcements from the OWASP the evening started.<br> <br> '''First presentation:''' Modern information gathering; how to abuse search engines by Dave van Stein.<br> The first presentation of the evening was about using search engines and crawlers to gain detailed information about webservers and websites. Ill configured webservers allow search engine crawlers to collect much information about a system, information that is stored and can be retrieved with search engines. Many websites and tools make use of this mechanism and, combined with DNS and WHOIS information, are able to provide detailed or sensitive information like usernames, vulnerabilities, present files or network topology about a system without targeting it directly.<br> Restricting crawlers to access a system can act as a first line of defence and reduce exposure and risks.<br> <br> '''Second presentation:''' VAC Cross-site scripting by Martin Visser. <br> The second VAC on an OWASP meeting was about Cross-site scripting also known as XSS. XSS vulnerabilities are often misunderstood and underestimated but facts show that XSS vulnerability abusing attacks are nowadys the fastest growing and most widespread type of exploit. In short XSS vulnerabilities allow for user input to be executed when containing javascript or HTML code. When combined with other vulnerabilities the possibilities of these attacks are vitually limitless.<br> The only way to prevent these attacks is to sanitize all input and output fields, but this can be more difficult than it appears to be. Simply blacklisting fragments like &lt;script&gt; is not sufficient due to the possibility of recursivity (e.g. &lt;scr&lt;script&gt;ipt&gt;) and encoding (e.g. URL encoding:&nbsp;%3C%73%63%72%69%70%74%3E). Using multiple layers of filters on various places is the only way to assure enough protection against these types of attacks.<br> <br> '''Third presentation:''' Beveiligingsaspecten van webapplicatie-ontwikkeling by Wouter van Kuipers. <br> The third presentation of the evening was about the efficiency of a source code analyer for php based websites. Approximately 33% of all websites use php and this can be explained by the low learning curve and ease of use of the language. Due to the low learning curve many php developers have little experience with programming and almost no awareness regading security resulting in many unsecure websites. Source code analysis can help preventing many security issues, but their usage does have some limitations. Firstly the scan on itself takes only a few minutes, but analysing the results requires much longer and depends greatly on how familiar the analyser is with the scanned source code. Second these analysers produce many flase positives, making analysis even more time consuming. Lastly not all vulnerabilities are detected with the same efficiency. Especially vulnerabilities that are dependent on the application logic like injection or XSS are not always efficiently detected.<br> Concluding, like all tools, a source code analyser can be a powerful tool, but one has to be aware of its limitations. These tools can provide results very fast, but when used on unfamiliar code the analysis can be very time consuming. <br><br />
<br />
== Scheduled OWASP NL Chapter Meetings: ==<br />
<br />
=== Meeting Schedule December 2nd 2009: BeNeLux OWASP Day 2009<br> ===<br />
<br />
Follow this link for more information: [[BeNeLux OWASP Day 2009]] <br />
<br />
[[Image:BeNeLux Day 2009 poster v1.png|200px]] <br />
<br />
----<br />
<br />
=== Meeting Schedule December 10th 2009: Secure Software Development, Testing, Deployment and Methodologies<br> ===<br />
<br />
'''Summary:''' The main goal of the upcoming OWASP-NL meeting is to provide information to managers, architects, designers, developers and security and risk professionals. The speakers will give specific examples and there will be time to ask questions.<br> <br />
<br />
{| width="500" cellspacing="1" cellpadding="1" border="0" align="left"<br />
|-<br />
| <br />
<br> ps_testware B.V. <br />
<br />
Dorpstraat 26<br>3941 JM&nbsp; Doorn<br> <br />
<br />
<br> <br />
<br />
| [[Image:Pstestware.png]]<br><br />
|}<br />
<br />
<br> <br />
<br />
<br> <br />
<br />
<br> <br />
<br />
<br> <br> <br />
<br />
<br> '''18:00 - 18:30 Check-In (catering included)'''<br> <br />
<br />
'''18:30 - 18:45 Introduction (OWASP organization, projects, sponsor)<br>''' <br />
<br />
'''18.45 - 19.45 How OWASP resources can be used by universities to develop, test and deploy secure web applications (Kuai Hinojosa)'''<br> Universities are key to making application security visible and the need to educate software developers about application security as an aspect of proper software development has never been more important. In this presentation I will share how OWASP resources can be used by universities to develop, test and deploy secure web applications. I will discuss challenges that Universities currently face integrating a pplication security best practices, describe how OWASP tools and resources are currently used at New York University to test for most common web application flaws. I will introduce projects such as the OWASP Enterprise Security API which can be used to mitigate most common flaws in web applications and share initiatives the OWASP Global Education Committee is currently working on. If you are interested in securing web applications, and supporting the OWASP Global Education Committee efforts you don't want to miss this! <br />
<br />
Kuai Hinojosa has been developing and securing web applications for about 12 years. He previously worked in the banking industry as a database security administrator for the 5th largest bank in the U.S. where he worked in a small team developing applications that protected company's assets. He now works for New York University as a Web Applications Specialist where he continues to use web application development and application security experience to protect university resources. In his spare time Kuai volunteers his time preaching the application security gospel and leading the Minneapolis OWASP chapter. Kuai is a member of the OWASP (Open Web Application Security Project) Global Education Committee.<br> <br />
<br />
'''19.45 – 20.00 Break''' <br />
<br />
'''20. 00 – 20.30 VAC REGEX Denial of Service Attacks''' '''(Adar Weidman, Senior Developer Checkmarx Ltd.)'''<br> <br />
<br />
This presentation explores the Regular Expression Denial of Service (ReDoS) attack and how it be used in order to implement new and old attacks. ReDoS is commonly known as a “bug” in systems, but the presentation will show how serious it is and how using this technique, various applications can be “ReDoSed”. These include, among others, Web Application, WAFs, IDS, AV, Web Servers, Client-side browsers (including cellular devices), and Database.<br> <br />
<br />
'''20.30 – 21.00 BSIMM Europe results (Florence Mottay, Managing Principal Citigal)'''<br> <br />
<br />
Most large organizations have practiced software security through many activities involving people, process and automation, but we are just now reaching the point where enough experience has been accumulated to compare notes and talk about what works at a macro level. Using the framework described in Gary McGraw’s book “Software Security: Building Security In” I will discuss and describe the state of the practice in software security. This talk is infused with real data from the field, based on my work with several large companies as a Cigital consultant.<br> <br />
<br />
Florence Mottay is a seasoned Business Manager and adept Security Expert. She is responsible for the long-term growth, stability, market leadership, and client satisfaction of the company's EMEA operations. At her former company, Security Innovation, she was the visionary behind Team Mentor, the company's first-of-a-kind software security knowledge management system that guides software development and test teams through the process of consistently developing secure applications. Other areas of expertise include Threat Modeling for the Enterprise and Customized Enterprise Security Solutions. Previously, Florence was a Software Test Engineer for JD Edwards. She was also a Project Leader at the Center for Software Engineering Research at the Florida Institute of Technology where she worked for Dr. Whittaker, the founder of Security Innovation. Florence has a BS in Applied Mathematics and an MS in Software Engineering from the Florida Institute of Technology.<br> <br />
<br />
'''21.00 – 21:30 Discussion, questions and social networking''' <br />
<br />
----<br />
<br />
=== Meeting Schedule September 24th 2009: Unautorized Access<br> ===<br />
<br />
'''Summary:''' The main goal of the upcoming OWASP-NL meeting is to provide information to managers, architects, designers, developers and security and risk professionals. The speakers will give specific examples and there will be time to ask questions.<br> <br />
<br />
{| width="500" cellspacing="1" cellpadding="1" border="0" align="left"<br />
|-<br />
| <br />
Madison Gurkha <br />
<br />
Sofitel Cocagne Eindhoven<br>Vestdijk 47<br>5611 CA Eindhoven<br> <br />
<br />
| [[Image:Logo Madison Gurkha.GIF|200px]]<br><br />
|}<br />
<br />
<br> <br />
<br />
<br> <br />
<br />
<br> <br />
<br />
<br> <br />
<br />
<br> '''18:00 - 18:30 Check-In (catering included)'''<br> <br />
<br />
'''18:30 - 18:45 Introduction (OWASP organization, projects, sponsor)'''<br> <br />
<br />
'''18.45 - 19.45 Unauthorized Access (Wil Allsopp)<br>''' <br />
<br />
Physical Penetration Testing and Social Engineering have been conducted by testing organisations for some time but there has been very little discussion within the industry regarding the use of formal approaches ensuring a consistently high quality and repeatability of the testing lifecycle. <br />
<br />
This was a problem I attempted to address in the book Unauthorized Access and is the focus of this discussion. <br />
<br />
We will look at the following: <br />
<br />
*What is physical penetration testing and what does it aim to achieve?<br> <br />
*Tactical approaches to Social Engineering in testing.<br> <br />
*The advantages and disadvantages of deploying SE.<br> <br />
*Training operators and building operating teams - what skill sets should you deploy? <br> <br />
*What are the legal aspects involved, how do these vary between jurisdictions? <br> <br />
*How should you plan a physical penetration test at strategic, tactical and operational levels? <br> <br />
*How do you gauge risk i.e. Contractual, Operational, Legal and Environmental?<br />
<br />
<br>The biggest problem currently facing physical penetration testing teams is that it's hard to prove a negative i.e. a failed test by no means guarantees the security of the client. By ensuring your team is trained and prepared you can mitigate this problem to a large degree.'''<br>'''<br> <br />
<br />
'''19.45 – 20.00 Break''' <br />
<br />
'''20. 00 – 20.30 Mini Meetings: Time- Box testing &amp; Test Tools (Barry van Kampen en Dave van Stein)''' <br />
<br />
'''20.30 – 21.00 Education Project (Martin Knobloch)''' <br />
<br />
'''21.00 – 21:30 Discussion, questions and social networking'''<br> <br />
<br />
----<br />
<br />
=== Meeting Schedule May 28th 2009: AppSec Europe 2009 ===<br />
<br />
'''Summary''' The main goal of the upcoming OWASP-NL meeting is to provide an abstract of the recently held AppSec Europe 2009, a VAC about CSRF and, new, an open discussion on application security subjects brought forward by the attendees. <br />
<br />
{|<br />
|-<br />
| width="350" | <br />
ASR Nederland<br> <br> MD0.60 - Auditorium<br> Smallepad 30<br> 3811MG Amersfoort<br> <br />
<br />
| width="650" | <br />
[[Image:ASR Nederland logo.jpg|200px]] <br />
<br />
|-<br />
| width="350" | <br> <br />
| width="650" | <br />
<br> <br />
<br />
<br> <br />
<br />
|}<br />
<br />
'''18.30 - 18.45 Introduction (OWASP organization, projects, sponsor) '''<br> <br />
<br />
'''18.45 - 19.45 AppSec-EU 2009 (Sebastien Deleersnyder, Telindus) '''<br> Update on the AppSec-EU 2009: <br> OWASP State of the union, an update on OWASP and OWASP projects and of course the highlights of the AppSec-EU 2009 presentations. <br />
<br />
'''19.45 - 20.00 Break '''<br> <br />
<br />
'''20.00 - 20.30 VAC Cross-Site Request Forgery (Niels Teusink, Fox-IT) ''' ([[Media:20090409_VAC-CSRF-Niels_Teusink.pdf]])<br> CSRF is an attack which forces an end user to execute unwanted actions on a web application in which he/she is currently authenticated. With a little help of social engineering (like sending a link via email/chat), an attacker may force the users of a web application to execute actions of the attacker's choosing. A successful CSRF exploit can compromise end user data and operation in case of normal user. If the targeted end user is the administrator account, this can compromise the entire web application. <br />
<br />
Niels Teusink holds a bachelor degree in Computer Science and has been experimenting with IT security for over a decade. He has worked for Fox-IT since 2005; first as a software engineer and since 2007 as a penetration tester. He has since performed dozens of penetration tests for all sorts of companies, including governments, banks and nuclear installations. <br />
<br />
'''20.30 - 21.15 Open session / discussion (Martin Knobloch/Ferdinand Vroom/Peter Gouwentak) ''' <br> Open session / discussion about subjects brought forward by the attendees. <br />
<br />
The Announcement of this meeting: [[Media:Announcement_OWASP-NL_May_28th_2009.pdf]]<br> The flyer of this meeting: [[Media:Owasp_NL_may2009.pdf]] <br> <br />
<br />
----<br />
<br />
=== Meeting Schedule 9th April Knowing Your Enemy ===<br />
<br />
'''Summary''' The main goal of the upcoming OWASP-NL meeting is to provide information to managers, architects, designers, developers and security and risk professionals. The speakers will give specific examples and there will be time to ask questions. <br />
<br />
{|<br />
|-<br />
| width="350" | <br />
Lange Dreef 17<br> 4131 NJ Vianen<br> <br />
<br />
| width="650" | <br />
[[Image:Sogeti Nederland b v Logo.jpg|http:\\www.sogeti.nl]] <br />
<br />
|-<br />
| width="350" | <br> <br />
| width="650" | <br />
About Sogeti Nederland B.V. Sogeti Nederland B.V. is one of top-5 IT companies of the Netherlands. Our workforce of over 3,500 employees provides top quality IT consultancy and services to leading companies in several industry sectors in the Netherlands. Our focus is local, but we are part of Sogeti Worldwide, offering IT services in the American, German, French, Belgian, UK, Swedish, Swiss and Spanish markets. <br />
<br />
Our core business is the design, construction, deployment, testing and maintenance of IT solutions. We stand for quality and IT skills; this is visible in our service and in the methods developed by us such as DYA®, Regatta®, TMap®, TPI® , Inframe®, and TEmb. <br />
<br />
Vision Sogeti delivers value by aligning the results of her services to the strategic goals of the client, thereby committing herself to the success of the client. We prove our commitment by assuming responsibility in various forms and to various degrees. <br />
<br />
New trends Our own research institute ViNT (Institute for Research into New Technology) keeps us and our clients ahead of the newest technology trends and their potential influence, benefits and risks. <br> More information about Sogeti can be found on our website www.sogeti.nl. <br> <br />
<br />
|}<br />
<br />
'''18.30 - 18.45 Introduction (OWASP organization, projects, sponsor) '''<br> '''18.45 - 19.30 Modern information gathering; how to abuse search engines Dave van Stein '''([[Media:20090409_passsive_reconnaissance-Dave_van_Stein.pdf]])<br> Great generals already know the key to success is "knowing your enemy". In hacking terms this is called information gathering, fingerprinting or reconnaissance. Traditionally this phase consisted of using public records like WHOIS and DNS combined with active scans on servers. With the rise of advanced search engines like Yahoo, Live Search and Google a whole new type of reconnaissance has come to life; passive reconnaissance. Often servers are not properly configured which causes lots of valuable information to become available without accessing the server at all. Recently several hacker-tools appeared which use the full capabilities of these search engines giving hackers a head-start at mapping the network they plan to attack. The goal of this session is to give insight in the methods and tools hackers have at their disposal to gather information about systems they plan to attack without accessing the system itself. Dave van Stein has close to 8 years of experience in software testing. Since the beginning of 2008 he's working for ps_testware as a web application security testing specialist. <br />
<br />
'''19.30 - 20.00 VAC Cross-site scripting Martin Visser '''([[Media:20090409_VAC_Cross-site-scripting_Martin_Visser.pdf]])<br> Martin Visser is a software designer with Sogeti Nederland B.V. specialized in secure application development with Microsoft technologies. He has experience with Microsoft server technologies like ASP.NET, SharePoint and Biztalk. Martin also developed and teaches a 2-day "Application Security - Microsoft development" course both within and outside Sogeti. <br />
<br />
'''20.00 - 20.15 Break ''' <br> '''20.15 - 21.00 Beveiligingsaspecten van webapplicatie-ontwikkeling Wouter van Kuipers ''' ([[Media:20090409_presentatie_Wouter_van_Kuipers.pdf]])<br> Het ontwikkelen van webapplicaties verschilt op verschillende aspecten met het ontwikkelen van desktop applicaties, met name op het gebied van security. Voor grote bedrijven zijn er oplossingen beschikbaar als bijvoorbeeld SDL, maar voor het midden- en kleinbedrijf zijn dit soort oplossingen beperkt, omdat zij vaak niet de middelen hebben om dergelijke strategieën uit te kunnen voeren. Voor zijn scriptie heeft Wouter van Kuipers middels een literatuuronderzoek, interviews met ontwikkelaars en een onderzoek naar Fortify 360 gekeken hoe het midden- en kleinbedrijf omgaat met deze verschillen en hoe zij het ontwikkelproces kunnen optimaliseren op het gebied van security. <br />
<br />
Na een MBO opleiding in de IT is Wouter van Kuipers via de HBO opleiding 'Communicatie Systemen' begin 2007 begonnen met een master Informatiekunde aan de Radboud Universiteit Nijmegen, welke hij in maart dit jaar hoopt af te ronden. Tijdens zijn MBO studie is zijn interesse in het ontwikkelen van webapplicaties gewekt, wat in 2003 resulteerde in het opzetten van een eigen web-development bedrijf. Dit bedrijf is met name gespecialiseerd in het ontwikkelen van webapplicaties op maat, en het ondersteunen van bedrijven op het gebied van web-developement op freelance basis. <br />
<br />
The flyer of this meeting: [[Media:Owasp_NL_april2009.pdf]]<br />
<br />
== Past Events ==<br />
<br />
*Events held in [[Netherlands Previous Events 2008|2008]] <br />
*Events held in [[Netherlands Previous Events 2007|2007]] <br />
*Events held in [[Netherlands Previous Events 2006|2006]] <br />
*Events held in [[Netherlands Previous Events 2005|2005]]</div>Dvsteinhttps://wiki.owasp.org/index.php?title=Category:Tools_Categories&diff=71951Category:Tools Categories2009-10-21T19:58:19Z<p>Dvstein: /* References */</p>
<hr />
<div>{{Template:Stub}}<br />
[[Category:OWASP Tools Project]]<br />
<br />
== Tool Categories ==<br />
<br />
The web application security tools can be divided mainly in two categories. One that protect applications against vulnerabilities and the others that detect vulnerabilities within web applications. Therefore we will be categorizing tools under these headings. The categories of tools currently being addressed by this project are: <br />
<br />
=== Web Application Vulnerability Detection Tools ===<br />
*Threat Modeling Tools<br />
*Source Code Analysis Tools<br />
*Vulnerability Scanning Tools <br />
*Penetration Testing Tools<br />
<br />
=== Web Application Protection Tools === <br />
<br />
*Web Application Firewalls (WAFs) <br />
<br />
<br />
The goal is to provide the following information (at a minimum) in each tool category: <br />
<br />
*Description of this tool category <br />
*General strengths and weaknesses of tools in this category <br />
*Important selection criteria for comparing tools within the category (e.g. ease of use, performance, cost, likelihood of false positives)<br />
<br />
== References ==<br />
*[[Appendix_A:_Testing_Tools|OWASP Guide Testing Tools Listing]]<br />
*[[:Category:OWASP Tool|Tools from OWASP]]<br />
*[[:Category:Non-OWASP Open Tool|Open Source Tools]]<br />
*Samurai Web Testing Framework Tools: http://www.cgisecurity.com/2008/09/samurai-web-tes.html<br />
*Tools from OWASP Live CD Project: http://mtesauro.com/livecd/index.php?title=Potential_Tool_List<br />
*OWASP Phoenix Tools Project: http://www.owasp.org/index.php/Phoenix/Tools<br />
*Open Source Testing Tools: https://lists.owasp.org/pipermail/owasp-cincinnati/2009-February/000151.html<br />
*NIST SAMATE Project: http://samate.nist.gov/index.php/Main_Page.html<br />
*[[Source Code Analysis Tools]]<br />
*[[Web Application Firewalls]]</div>Dvsteinhttps://wiki.owasp.org/index.php?title=Netherlands&diff=68090Netherlands2009-08-27T08:38:36Z<p>Dvstein: /* OWASP NL Mini-Meetings */</p>
<hr />
<div>{{Chapter Template|chaptername=Netherlands|extra=The chapter leader is [mailto:owasp@irc2.nl Bert Koelewijn]<br />
<paypal>Netherlands</paypal><br />
|mailinglistsite=http://lists.owasp.org/mailman/listinfo/owasp-netherlands|emailarchives=http://lists.owasp.org/pipermail/owasp-netherlands}}<br />
<br />
=== Call for Speakers ===<br />
We are continuously looking for speakers and presentations make the chapter meetings as interesting as possible. Therefore we are looking inside and outside OWASP for known international specialists. But we know, there is a lot interesting stuf happening inside the Netherlands, too! <br/><br />
'''Presentations:''' Are you working on interesting subject, you would like to share your experiences with the OWASP community. Any topic related to application security will be appreciated!<br/><br />
'''VAC, Vulnerability, Attack, Countermeasure:''' The goal is an half hour in-depth technical presentation about a vulnerability, how it can be exploited and how to prevent it!<br/><br />
<br />
=== Sponsorship of a local chapter meeting ===<br />
We are continuously looking for locations to hold local chapter meetings. Therefore, we need companies willing to sponsor of host events.<br><br />
'''Hosting a local chapter meeting:''' To host a local chapter meeting, you facilitate the meeting location and beverage for the attendees<br><br />
'''Sponsorship of a local chapter meeting:''' You cover the cost of renting the location for the meeting and the payment of the beverages for the attendees<br><br />
'''Please let us know via the OWASP chapter meeting questionnaire of via email to martin.knobloch@owasp.org<br>'''<br />
<br />
== '''OWASP NL Cafe''' == <br />
<font color="red">'''NEW:'''</font><br />
Monthly informal platform to speak about (Web) application security matters! No registration required, just drop by!<br />
* no programm<br />
* no agenda<br />
* whatever comes up!<br />
<br />
=== Next OWASP Cafe:===<br />
Tuesday August 6th, from 7 pm, drop in whenever you can!<br />
<br />
<pre><br />
As it's summertime and perfect weather, another time at my place!<br />
<br />
Where:<br />
Prof. Dr. Ornsteinlaan 14<br />
3431 EP Nieuwegein<br />
</pre><br />
<br />
== '''OWASP NL Chapter Meetings Schedule 2009''' ==<br />
This is an overview of the 2009 local chapter meeting schedule. Details of the meetings can be found in the announcements that will be posted below this schedule.<br />
<pre><br />
April 9th<br />
----------<br />
Time : 18.00 - 21.30<br />
Main Topic : Knowing Your Enemy<br />
Presentations: Modern information gathering; how to abuse search engines Dave van Stein<br />
VAC Cross-site scripting Martin Visser <br />
Beveiligingsaspecten van webapplicatie-ontwikkeling Wouter van Kuipers <br />
Location : Lange Dreef 17<br />
4131 NJ Vianen<br />
Sponsor : Sogeti Nederland B.V.<br />
<br />
May 28th<br />
----------<br />
Time : 18.00 - 21.30<br />
Main Topic : AppSec Europe 2009<br />
Presentations: AppSec-EU 2009 Sebastien Deleersnyder, Telindus <br />
VAC Cross-Site Request Forgery Niels Teusink<br />
Open session / discussion about subjects brought forward by <br />
the attendees Martin Knobloch/Ferdinand Vroom/Peter Gouwentak<br />
Location : ASR Nederland<br />
MD0.60 - Auditorium<br />
Smallepad 30<br />
3811MG Amersfoort<br />
Sponsor : ASR Nederland<br />
<br />
September 24th<br />
----------<br />
Time : 17.30 - 21.30<br />
Main Topic : <br />
Presentations: <br />
Location : <br />
Sponsor : <br />
<br />
December 10th<br />
----------<br />
Time : 17.30 - 21.30<br />
Main Topic : <br />
Presentations: <br />
Location : <br />
Sponsor : <br />
</pre><br />
<br />
<br />
<br />
'''Registration'''<br><br />
If you want to attend, please send an email to: netherlands-board@lists.owasp.org<br />
<br/><br />
<br/><br />
All OWASP chapter meetings are free of charge and you don't have to be an OWASP member to attend. There are never any vendor pitches or sales presentations at OWASP meetings.<br/><br />
<br/><br />
NOTE TO CISSP's: OWASP Meetings count towards CPE Credits.<br/><br />
<br/><br />
<br/><br />
<br />
=='''OWASP NL Mini-Meetings''' == <br />
<font color="red">'''NEW:'''</font><br />
Platform to discus on specific issues related to (Web) Application Security. The topic's are brought in by the OWASP NL community!<br><br />
Something on your mind to discus, put your idea online at: Mini Meetings [[Netherlands_Mini_Meeting_2009|Netherlands_Mini_Meeting_2009]]<br />
To attend the meeting, send an email to the contact's email address!<br />
<br />
=== Next Mini-Meeting: <font color="red">CANCELLED !!!</font>===<br />
<pre><br />
Topic : Tools of the trade; exchange real-life experiences<br />
Contact : Dave van Stein, dvstein+owasp [-at-] gmail [-dot-] com<br />
----------<br />
Date : cancelled<br />
Time : <br />
Location : <br />
Details : Exchange real-world experience about web testing tools. What is really useable and what is not.<br />
Attendees : Min 6, max 8, currently 3 attendees <br />
</pre><br />
<br />
== '''Meeting Minutes''' ==<br />
=== Meeting minutes May 28th 2009 ===<br />
<br />
At May 28th, the Dutch OWASP chapter came together at the ASR building in Amersfoort. The main topic of the evening was AppSec 2009. There were 2 speakers and approximately 20 attendees.<br/><br />
<br/><br />
There was no sponsor talk or general announcement so after a very short welcome talk by Bert the evening started.<br/><br />
<br/><br />
'''First presentation:''' AppSec 2009 by Sebastien Deleersnyder. <br/><br />
The first presentation of the evening was a recap of AppSec 2009 in Poland. The conference was a big success with around 170 attendees. The meeting preceded the 2009 edition of Confidence [http://2009.confidence.org.pl/] resulting in a week of security presentations and workshops. All AppSec presentations and many movies, pictures, and other material can be found on the AppSec wiki [http://www.owasp.org/index.php/OWASP_AppSec_Europe_2009_-_Poland] but a few items are worth mentioning in specific. First of all OWASP is growing and changing. These changes include a simplification of the membership fees, the introduction of a 'code of ethics', and a general review of all 120 projects. Other highlights are the project ASVS, which has reached an international standard status and updated versions of WebGoat and LabRat.<br/><br />
Lastly besides a Wiki and a LinkedIn group, OWASP is now also active on Twitter [http://twitter.com/owasp] & [http://twitter.com/owasp_nl] and has two overview pages with all video [http://www.owasp.org/index.php/Category:OWASP_Video] and audio materials [http://www.owasp.org/index.php/OWASP_Podcast].<br/><br />
Feel free to use all the materials (as long as you abide by the new code of ethics off course) and visit the OWASP websites frequently for updates !<br/><br />
<br/><br />
'''Second presentation:''' VAC Cross-Site Request Forgery by Niels Teusink. <br/><br />
After succesfull VAC's about SQL injection and Cross-site scripting, the topic of this evening's VAC was Cross-site Request Forgery, also known as CSRF. CSRF is probably one of the least understood vulnerabilities, but can have tremendous consequences when succesfully exploited. In essence it is an attack that misuses the victim's autorisations with malicious scripts. CSRF attacks can also be easily combined with other attack, like e.g. XSS, making them even more dangerous. <br/><br />
Despite the name suggests, these attacks do not have to be on different websites (domains). With the continuing trend to combine multiple functionalities in a single application, so-called onsite request forgeries are becoming more and more frequent. Contrary to XSS and SQL injection, CSRF can not be blocked by input validation. In order to prevent these kind of attacks, an application has to able to verify the authenticity of a request. This can be achieved by several methods like using a unique identifier for a session or each request or requiring additional user input like a CAPTCHA or a one-time token. <br/><br />
<br/><br />
'''Open Discussion''' <br/><br />
The evening was closed with an open discussion about how to improve knowledge sharing among the OWASP members. Many interesting discussions start during the drinks after the presentations on the OWASP evenings, discussions that sadly often are stopped prematurly due to time restraints.<br/><br />
As an addition on the quarterly presentation evenings, the Dutch chapter decided to also start mini-meetings and the OWASP cafe.<br/><br />
Mini-meetings will not be planned on beforehand, but instead will be planned when a topic is proposed and enough attendees have stated an interest in the topic. The attendees will have to select a location themselves but can request a donation from the OWASP for drinks and snacks. Topics discussed at the mini-meeting will have to be listed in minutes so other members can also profit from this knowledge exchange.<br/><br />
The OWASP cafe will be planned each first thursday of the month on a location that will be listed on the OWASP Dutch chapter site. The rules are simple: the evening starts at a certain time, ends at a certain time and will be filled with drinks, snacks, and nerd/hacker/geek humor and discussions in between.<br/><br />
Check the website frequently for the location of the next mini-meeting and OWASP cafe !<br/><br />
<br/><br />
<hr><br />
<br />
=== Meeting minutes April 9th 2009 ===<br />
<br />
At April 9th, the Dutch OWASP chapter came together at the office of Sogeti in Vianen. The main topic of the evening was "knowing your enemy". There were 3 speakers and approximately 50 attendees.<br/><br />
<br/><br />
The sponsor of the evening started with a small welcome and an overview of their internal security program named PASS. After some small announcements from the OWASP the evening started.<br/><br />
<br/><br />
'''First presentation:''' Modern information gathering; how to abuse search engines by Dave van Stein.<br/><br />
The first presentation of the evening was about using search engines and crawlers to gain detailed information about webservers and websites. Ill configured webservers allow search engine crawlers to collect much information about a system, information that is stored and can be retrieved with search engines. Many websites and tools make use of this mechanism and, combined with DNS and WHOIS information, are able to provide detailed or sensitive information like usernames, vulnerabilities, present files or network topology about a system without targeting it directly.<br/><br />
Restricting crawlers to access a system can act as a first line of defence and reduce exposure and risks.<br/> <br />
<br/><br />
'''Second presentation:''' VAC Cross-site scripting by Martin Visser. <br/><br />
The second VAC on an OWASP meeting was about Cross-site scripting also known as XSS. XSS vulnerabilities are often misunderstood and underestimated but facts show that XSS vulnerability abusing attacks are nowadys the fastest growing and most widespread type of exploit. In short XSS vulnerabilities allow for user input to be executed when containing javascript or HTML code. When combined with other vulnerabilities the possibilities of these attacks are vitually limitless.<br/><br />
The only way to prevent these attacks is to sanitize all input and output fields, but this can be more difficult than it appears to be. Simply blacklisting fragments like <script> is not sufficient due to the possibility of recursivity (e.g. <scr<script>ipt>) and encoding (e.g. URL encoding: %3C%73%63%72%69%70%74%3E). Using multiple layers of filters on various places is the only way to assure enough protection against these types of attacks.<br/><br />
<br/><br />
'''Third presentation:''' Beveiligingsaspecten van webapplicatie-ontwikkeling by Wouter van Kuipers. <br/><br />
The third presentation of the evening was about the efficiency of a source code analyer for php based websites. Approximately 33% of all websites use php and this can be explained by the low learning curve and ease of use of the language. Due to the low learning curve many php developers have little experience with programming and almost no awareness regading security resulting in many unsecure websites. Source code analysis can help preventing many security issues, but their usage does have some limitations. Firstly the scan on itself takes only a few minutes, but analysing the results requires much longer and depends greatly on how familiar the analyser is with the scanned source code. Second these analysers produce many flase positives, making analysis even more time consuming. Lastly not all vulnerabilities are detected with the same efficiency. Especially vulnerabilities that are dependent on the application logic like injection or XSS are not always efficiently detected.<br/><br />
Concluding, like all tools, a source code analyser can be a powerful tool, but one has to be aware of its limitations. These tools can provide results very fast, but when used on unfamiliar code the analysis can be very time consuming.<br />
<br/><br />
<br />
== Scheduled OWASP NL Chapter Meetings: ==<br />
=== Meeting Schedule May 28th 2009: AppSec Europe 2009 ===<br />
<br />
'''Summary'''<br />
The main goal of the upcoming OWASP-NL meeting is to provide an abstract of the recently held AppSec Europe 2009, a VAC about CSRF and, new, an open discussion on application security subjects brought forward by the attendees. <br />
<table><br />
<tr><br />
<td width="350"><br />
ASR Nederland<br/><br />
<br/><br />
MD0.60 - Auditorium<br/><br />
Smallepad 30<br/><br />
3811MG Amersfoort<br/><br />
</td><br />
<td width="650"><br />
[[Image:ASR Nederland logo.jpg|200px]]<br />
</td><br />
</tr><br />
<tr><br />
<td width="350"><br />
</td><br />
<td width="650"><br />
<br />
<br/><br />
<br />
<br/><br />
</td><br />
</tr><br />
</table><br />
<br />
'''18.30 - 18.45 Introduction (OWASP organization, projects, sponsor) '''<br><br />
<br />
'''18.45 - 19.45 AppSec-EU 2009 (Sebastien Deleersnyder, Telindus) '''<br><br />
Update on the AppSec-EU 2009: <br><br />
OWASP State of the union, an update on OWASP and OWASP projects and of course the highlights of the AppSec-EU 2009 presentations.<br />
<br />
'''19.45 - 20.00 Break '''<br><br />
<br />
'''20.00 - 20.30 VAC Cross-Site Request Forgery (Niels Teusink, Fox-IT) ''' ([[Media:20090409_VAC-CSRF-Niels_Teusink.pdf]])<br><br />
CSRF is an attack which forces an end user to execute unwanted actions on a web application in which he/she is currently authenticated. With a little help of social engineering (like sending a link via email/chat), an attacker may force the users of a web application to execute actions of the attacker's choosing. A successful CSRF exploit can compromise end user data and operation in case of normal user. If the targeted end user is the administrator account, this can compromise the entire web application.<br />
<br />
Niels Teusink holds a bachelor degree in Computer Science and has been experimenting with IT security for over a decade. He has worked for Fox-IT since 2005; first as a software engineer and since 2007 as a penetration tester. He has since performed dozens of penetration tests for all sorts of companies, including governments, banks and nuclear installations.<br />
<br />
'''20.30 - 21.15 Open session / discussion (Martin Knobloch/Ferdinand Vroom/Peter Gouwentak) ''' <br><br />
Open session / discussion about subjects brought forward by the attendees.<br />
<br />
The Announcement of this meeting: [[Media:Announcement OWASP-NL May 28th 2009.pdf]]<br><br />
The flyer of this meeting: [[Media:owasp_NL_may2009.pdf]]<br />
<br/><br />
<hr><br />
=== Meeting Schedule 9th April Knowing Your Enemy ===<br />
<br />
'''Summary'''<br />
The main goal of the upcoming OWASP-NL meeting is to provide information to managers, architects, designers, developers and security and risk professionals. The speakers will give specific examples and there will be time to ask questions. <br />
<table><br />
<tr><br />
<td width="350"><br />
Lange Dreef 17<br/><br />
4131 NJ Vianen<br/><br />
</td><br />
<td width="650"><br />
[[Image:Sogeti_Nederland_b_v_Logo.jpg|http:\\www.sogeti.nl]]<br />
</td><br />
</tr><br />
<tr><br />
<td width="350"><br />
</td><br />
<td width="650"><br />
About Sogeti Nederland B.V.<br />
Sogeti Nederland B.V. is one of top-5 IT companies of the Netherlands. Our workforce of over 3,500 employees provides top quality IT consultancy and services to leading companies in several industry sectors in the Netherlands. Our focus is local, but we are part of Sogeti Worldwide, offering IT services in the American, German, French, Belgian, UK, Swedish, Swiss and Spanish markets. <br />
<br />
Our core business is the design, construction, deployment, testing and maintenance of IT solutions. We stand for quality and IT skills; this is visible in our service and in the methods developed by us such as DYA®, Regatta®, TMap®, TPI® , Inframe®, and TEmb. <br />
<br />
Vision<br />
Sogeti delivers value by aligning the results of her services to the strategic goals of the client, thereby committing herself to the success of the client. We prove our commitment by assuming responsibility in various forms and to various degrees. <br />
<br />
New trends<br />
Our own research institute ViNT (Institute for Research into New Technology) keeps us and our clients ahead of the newest technology trends and their potential influence, benefits and risks.<br />
<br/><br />
More information about Sogeti can be found on our website www.sogeti.nl.<br />
<br/><br />
</td><br />
</tr><br />
</table><br />
<br />
'''18.30 - 18.45 Introduction (OWASP organization, projects, sponsor) '''<br><br />
'''18.45 - 19.30 Modern information gathering; how to abuse search engines Dave van Stein '''([[Media:20090409_passsive_reconnaissance-Dave_van_Stein.pdf]])<br><br />
Great generals already know the key to success is "knowing your enemy". In hacking terms this is called information gathering, fingerprinting or reconnaissance. Traditionally this phase consisted of using public records like WHOIS and DNS combined with active scans on servers. With the rise of advanced search engines like Yahoo, Live Search and Google a whole new type of reconnaissance has come to life; passive reconnaissance. Often servers are not properly configured which causes lots of valuable information to become available without accessing the server at all. Recently several hacker-tools appeared which use the full capabilities of these search engines giving hackers a head-start at mapping the network they plan to attack. The goal of this session is to give insight in the methods and tools hackers have at their disposal to gather information about systems they plan to attack without accessing the system itself. <br />
Dave van Stein has close to 8 years of experience in software testing. Since the beginning of 2008 he's working for ps_testware as a web application security testing specialist. <br />
<br />
'''19.30 - 20.00 VAC Cross-site scripting Martin Visser '''([[Media:20090409_VAC_Cross-site-scripting_Martin_Visser.pdf]])<br><br />
Martin Visser is a software designer with Sogeti Nederland B.V. specialized in secure application development with Microsoft technologies. He has experience with Microsoft server technologies like ASP.NET, SharePoint and Biztalk. Martin also developed and teaches a 2-day "Application Security - Microsoft development" course both within and outside Sogeti. <br />
<br />
'''20.00 - 20.15 Break ''' <br><br />
'''20.15 - 21.00 Beveiligingsaspecten van webapplicatie-ontwikkeling Wouter van Kuipers ''' ([[Media:20090409_presentatie_Wouter_van_Kuipers.pdf]])<br><br />
Het ontwikkelen van webapplicaties verschilt op verschillende aspecten met het ontwikkelen van desktop applicaties, met name op het gebied van security. Voor grote bedrijven zijn er oplossingen beschikbaar als bijvoorbeeld SDL, maar voor het midden- en kleinbedrijf zijn dit soort oplossingen beperkt, omdat zij vaak niet de middelen hebben om dergelijke strategieën uit te kunnen voeren. Voor zijn scriptie heeft Wouter van Kuipers middels een literatuuronderzoek, interviews met ontwikkelaars en een onderzoek naar Fortify 360 gekeken hoe het midden- en kleinbedrijf omgaat met deze verschillen en hoe zij het ontwikkelproces kunnen optimaliseren op het gebied van security.<br />
<br />
Na een MBO opleiding in de IT is Wouter van Kuipers via de HBO opleiding 'Communicatie Systemen' begin 2007 begonnen met een master<br />
Informatiekunde aan de Radboud Universiteit Nijmegen, welke hij in maart dit jaar hoopt af te ronden. Tijdens zijn MBO studie is zijn interesse in het ontwikkelen van webapplicaties gewekt, wat in 2003 resulteerde in het opzetten van een eigen web-development bedrijf. Dit bedrijf is met name gespecialiseerd in het ontwikkelen van webapplicaties op maat, en het ondersteunen van bedrijven op het gebied van web-developement op freelance basis.<br />
<br />
The flyer of this meeting: [[Media:owasp_NL_april2009.pdf]]<br />
<br />
== Past Events ==<br />
* Events held in [[Netherlands_Previous_Events_2008|2008]]<br />
* Events held in [[Netherlands_Previous_Events_2007|2007]]<br />
* Events held in [[Netherlands_Previous_Events_2006|2006]]<br />
* Events held in [[Netherlands_Previous_Events_2005|2005]]</div>Dvsteinhttps://wiki.owasp.org/index.php?title=Netherlands_Mini_Meeting_2009&diff=66388Netherlands Mini Meeting 20092009-07-23T07:24:32Z<p>Dvstein: /* Mini Meeting Topics 2009 */</p>
<hr />
<div>[[Netherlands]] Calendar and Topics for OWASP NL Mini Meetings:<br />
The 'Mini Meetings' are a informal platform to discus on a specific topic in a small group.<br />
Chair is, whoever put's in a topic. You will get all support by the OWASP NL Chapter Board!<br />
Those meetings must result in meeting notes and can result in a presentation on a OWASP NL Chapter meeting!<br />
<br />
To attend one of the meetings below, send an email to the contact's email address!<br />
<br />
== Mini Meeting Topics 2009 ==<br />
<br />
Topics addressed at the open discussion on the May 28th meeting:<br />
<br />
<pre><br />
Topic : Tools of the trade; exchange real-life experiences<br />
Contact : Dave van Stein, dvstein+owasp [-at-] gmail [-dot-] com<br />
----------<br />
Date : 27th August 2009<br />
Time : 18:00 (sandwiches provided) to 21:30<br />
Location : ps_testware<br />
Dorpsstraat 26<br />
3941 JM Doorn<br />
Details : Exchange real-world experience about web testing tools. What is really useable and what is not.<br />
Attendees : Min 6, max 8, currently 3 attendees <br />
</pre><br />
<pre><br />
Topic : SAMM, ASVS and other methodologies<br />
Contact : Martin Knobloch, martin.knobloch@owasp.org<br />
----------<br />
Date : To be decided<br />
Time : 18:00 (dinner provided) to 21:30 <br />
Location : Sogeti Nederland B.V.<br />
Plotterweg 31-33<br />
3821 BB Amersfoort<br />
Details : About ideas and experiences of using, implementing and verifying the different methodologies<br />
Attendees : Max 10 persons, currently 3, 7 available<br />
</pre><br />
<pre><br />
Topic : Web Application Firewalls<br />
Contact : put in your contact details<br />
----------<br />
Date : suggest a date<br />
Time : suggest a time<br />
Location : suggest a location<br />
Attendees : Max 10 persons, currently 0<br />
</pre><br />
Add your own suggestions below:<br />
<pre><br />
Topic : suggest a topic<br />
Contact : put in your contact details<br />
----------<br />
Date : suggest a date<br />
Time : suggest a time<br />
Location : suggest a location<br />
Attendees : Max 10 persons, currently 0<br />
</pre><br />
<br />
== Past minimeetings ==<br />
<pre><br />
Topic : Quickscans and other timeboxed test approaches (discussion)<br />
Contact : Barry van Kampen<br />
----------<br />
Date : 25th June 2009<br />
Details : This discussion will be about the way quickscans can be performed.<br />
At least basic web application testing knowledge is needed for this session.<br />
Please send an email if you would like to attend.<br />
Total persons: 6 attendees.<br />
</pre><br />
<br />
== Mini Meeting minutes ==<br />
Space below is mend to put the Mini-Meeting-Note!<br />
<br />
'''Registration'''<br/><br />
If you want to attend, please send an email to the contact of the topic.<br/><br />
<br/><br />
All OWASP chapter meetings are free of charge and you don’t have to be an OWASP member to attend. There are never any vendor pitches or sales presentations at OWASP meetings.<br/><br />
<br/></div>Dvsteinhttps://wiki.owasp.org/index.php?title=Netherlands&diff=66387Netherlands2009-07-23T07:24:07Z<p>Dvstein: /* Next Mini-Meeting: */</p>
<hr />
<div>{{Chapter Template|chaptername=Netherlands|extra=The chapter leader is [mailto:owasp@irc2.nl Bert Koelewijn]<br />
<paypal>Netherlands</paypal><br />
|mailinglistsite=http://lists.owasp.org/mailman/listinfo/owasp-netherlands|emailarchives=http://lists.owasp.org/pipermail/owasp-netherlands}}<br />
<br />
=== Call for Speakers ===<br />
We are continuously looking for speakers and presentations make the chapter meetings as interesting as possible. Therefore we are looking inside and outside OWASP for known international specialists. But we know, there is a lot interesting stuf happening inside the Netherlands, too! <br/><br />
'''Presentations:''' Are you working on interesting subject, you would like to share your experiences with the OWASP community. Any topic related to application security will be appreciated!<br/><br />
'''VAC, Vulnerability, Attack, Countermeasure:''' The goal is an half hour in-depth technical presentation about a vulnerability, how it can be exploited and how to prevent it!<br/><br />
<br />
=== Sponsorship of a local chapter meeting ===<br />
We are continuously looking for locations to hold local chapter meetings. Therefore, we need companies willing to sponsor of host events.<br><br />
'''Hosting a local chapter meeting:''' To host a local chapter meeting, you facilitate the meeting location and beverage for the attendees<br><br />
'''Sponsorship of a local chapter meeting:''' You cover the cost of renting the location for the meeting and the payment of the beverages for the attendees<br><br />
'''Please let us know via the OWASP chapter meeting questionnaire of via email to martin.knobloch@owasp.org<br>'''<br />
<br />
== '''OWASP NL Cafe''' == <br />
<font color="red">'''NEW:'''</font><br />
Monthly informal platform to speak about (Web) application security matters! No registration required, just drop by!<br />
* no programm<br />
* no agenda<br />
* whatever comes up!<br />
<br />
=== Next OWASP Cafe:===<br />
Tuesday August 6th, from 7 pm, drop in whenever you can!<br />
<br />
<pre><br />
Who is in for close to the Central Station in Utrecht?<br />
<br />
Where:<br />
To be decided! Any suggestions are welcome!<br />
</pre><br />
<br />
== '''OWASP NL Chapter Meetings Schedule 2009''' ==<br />
This is an overview of the 2009 local chapter meeting schedule. Details of the meetings can be found in the announcements that will be posted below this schedule.<br />
<pre><br />
April 9th<br />
----------<br />
Time : 18.00 - 21.30<br />
Main Topic : Knowing Your Enemy<br />
Presentations: Modern information gathering; how to abuse search engines Dave van Stein<br />
VAC Cross-site scripting Martin Visser <br />
Beveiligingsaspecten van webapplicatie-ontwikkeling Wouter van Kuipers <br />
Location : Lange Dreef 17<br />
4131 NJ Vianen<br />
Sponsor : Sogeti Nederland B.V.<br />
<br />
May 28th<br />
----------<br />
Time : 18.00 - 21.30<br />
Main Topic : AppSec Europe 2009<br />
Presentations: AppSec-EU 2009 Sebastien Deleersnyder, Telindus <br />
VAC Cross-Site Request Forgery Niels Teusink<br />
Open session / discussion about subjects brought forward by <br />
the attendees Martin Knobloch/Ferdinand Vroom/Peter Gouwentak<br />
Location : ASR Nederland<br />
MD0.60 - Auditorium<br />
Smallepad 30<br />
3811MG Amersfoort<br />
Sponsor : ASR Nederland<br />
<br />
September 24th<br />
----------<br />
Time : 17.30 - 21.30<br />
Main Topic : <br />
Presentations: <br />
Location : <br />
Sponsor : <br />
<br />
December 10th<br />
----------<br />
Time : 17.30 - 21.30<br />
Main Topic : <br />
Presentations: <br />
Location : <br />
Sponsor : <br />
</pre><br />
<br />
<br />
<br />
'''Registration'''<br><br />
If you want to attend, please send an email to: bert.koelewijn@owasp.org<br />
<br/><br />
<br/><br />
All OWASP chapter meetings are free of charge and you don't have to be an OWASP member to attend. There are never any vendor pitches or sales presentations at OWASP meetings.<br/><br />
<br/><br />
NOTE TO CISSP's: OWASP Meetings count towards CPE Credits.<br/><br />
<br/><br />
<br/><br />
<br />
=='''OWASP NL Mini-Meetings''' == <br />
<font color="red">'''NEW:'''</font><br />
Platform to discus on specific issues related to (Web) Application Security. The topic's are brought in by the OWASP NL community!<br><br />
Something on your mind to discus, put your idea online at: Mini Meetings [[Netherlands_Mini_Meeting_2009|Netherlands_Mini_Meeting_2009]]<br />
To attend the meeting, send an email to the contact's email address!<br />
<br />
=== Next Mini-Meeting: ===<br />
<pre><br />
Topic : Tools of the trade; exchange real-life experiences<br />
Contact : Dave van Stein, dvstein+owasp [-at-] gmail [-dot-] com<br />
----------<br />
Date : 27th August 2009<br />
Time : 18:00 (sandwiches provided) to 21:30<br />
Location : ps_testware<br />
Dorpsstraat 26<br />
3941 JM Doorn<br />
Details : Exchange real-world experience about web testing tools. What is really useable and what is not.<br />
Attendees : Min 6, max 8, currently 3 attendees <br />
</pre><br />
<br />
== '''Meeting Minutes''' ==<br />
=== Meeting minutes May 28th 2009 ===<br />
<br />
At May 28th, the Dutch OWASP chapter came together at the ASR building in Amersfoort. The main topic of the evening was AppSec 2009. There were 2 speakers and approximately 20 attendees.<br/><br />
<br/><br />
There was no sponsor talk or general announcement so after a very short welcome talk by Bert the evening started.<br/><br />
<br/><br />
'''First presentation:''' AppSec 2009 by Sebastien Deleersnyder. <br/><br />
The first presentation of the evening was a recap of AppSec 2009 in Poland. The conference was a big success with around 170 attendees. The meeting preceded the 2009 edition of Confidence [http://2009.confidence.org.pl/] resulting in a week of security presentations and workshops. All AppSec presentations and many movies, pictures, and other material can be found on the AppSec wiki [http://www.owasp.org/index.php/OWASP_AppSec_Europe_2009_-_Poland] but a few items are worth mentioning in specific. First of all OWASP is growing and changing. These changes include a simplification of the membership fees, the introduction of a 'code of ethics', and a general review of all 120 projects. Other highlights are the project ASVS, which has reached an international standard status and updated versions of WebGoat and LabRat.<br/><br />
Lastly besides a Wiki and a LinkedIn group, OWASP is now also active on Twitter [http://twitter.com/owasp] & [http://twitter.com/owasp_nl] and has two overview pages with all video [http://www.owasp.org/index.php/Category:OWASP_Video] and audio materials [http://www.owasp.org/index.php/OWASP_Podcast].<br/><br />
Feel free to use all the materials (as long as you abide by the new code of ethics off course) and visit the OWASP websites frequently for updates !<br/><br />
<br/><br />
'''Second presentation:''' VAC Cross-Site Request Forgery by Niels Teusink. <br/><br />
After succesfull VAC's about SQL injection and Cross-site scripting, the topic of this evening's VAC was Cross-site Request Forgery, also known as CSRF. CSRF is probably one of the least understood vulnerabilities, but can have tremendous consequences when succesfully exploited. In essence it is an attack that misuses the victim's autorisations with malicious scripts. CSRF attacks can also be easily combined with other attack, like e.g. XSS, making them even more dangerous. <br/><br />
Despite the name suggests, these attacks do not have to be on different websites (domains). With the continuing trend to combine multiple functionalities in a single application, so-called onsite request forgeries are becoming more and more frequent. Contrary to XSS and SQL injection, CSRF can not be blocked by input validation. In order to prevent these kind of attacks, an application has to able to verify the authenticity of a request. This can be achieved by several methods like using a unique identifier for a session or each request or requiring additional user input like a CAPTCHA or a one-time token. <br/><br />
<br/><br />
'''Open Discussion''' <br/><br />
The evening was closed with an open discussion about how to improve knowledge sharing among the OWASP members. Many interesting discussions start during the drinks after the presentations on the OWASP evenings, discussions that sadly often are stopped prematurly due to time restraints.<br/><br />
As an addition on the quarterly presentation evenings, the Dutch chapter decided to also start mini-meetings and the OWASP cafe.<br/><br />
Mini-meetings will not be planned on beforehand, but instead will be planned when a topic is proposed and enough attendees have stated an interest in the topic. The attendees will have to select a location themselves but can request a donation from the OWASP for drinks and snacks. Topics discussed at the mini-meeting will have to be listed in minutes so other members can also profit from this knowledge exchange.<br/><br />
The OWASP cafe will be planned each first thursday of the month on a location that will be listed on the OWASP Dutch chapter site. The rules are simple: the evening starts at a certain time, ends at a certain time and will be filled with drinks, snacks, and nerd/hacker/geek humor and discussions in between.<br/><br />
Check the website frequently for the location of the next mini-meeting and OWASP cafe !<br/><br />
<br/><br />
<hr><br />
<br />
=== Meeting minutes April 9th 2009 ===<br />
<br />
At April 9th, the Dutch OWASP chapter came together at the office of Sogeti in Vianen. The main topic of the evening was "knowing your enemy". There were 3 speakers and approximately 50 attendees.<br/><br />
<br/><br />
The sponsor of the evening started with a small welcome and an overview of their internal security program named PASS. After some small announcements from the OWASP the evening started.<br/><br />
<br/><br />
'''First presentation:''' Modern information gathering; how to abuse search engines by Dave van Stein.<br/><br />
The first presentation of the evening was about using search engines and crawlers to gain detailed information about webservers and websites. Ill configured webservers allow search engine crawlers to collect much information about a system, information that is stored and can be retrieved with search engines. Many websites and tools make use of this mechanism and, combined with DNS and WHOIS information, are able to provide detailed or sensitive information like usernames, vulnerabilities, present files or network topology about a system without targeting it directly.<br/><br />
Restricting crawlers to access a system can act as a first line of defence and reduce exposure and risks.<br/> <br />
<br/><br />
'''Second presentation:''' VAC Cross-site scripting by Martin Visser. <br/><br />
The second VAC on an OWASP meeting was about Cross-site scripting also known as XSS. XSS vulnerabilities are often misunderstood and underestimated but facts show that XSS vulnerability abusing attacks are nowadys the fastest growing and most widespread type of exploit. In short XSS vulnerabilities allow for user input to be executed when containing javascript or HTML code. When combined with other vulnerabilities the possibilities of these attacks are vitually limitless.<br/><br />
The only way to prevent these attacks is to sanitize all input and output fields, but this can be more difficult than it appears to be. Simply blacklisting fragments like <script> is not sufficient due to the possibility of recursivity (e.g. <scr<script>ipt>) and encoding (e.g. URL encoding: %3C%73%63%72%69%70%74%3E). Using multiple layers of filters on various places is the only way to assure enough protection against these types of attacks.<br/><br />
<br/><br />
'''Third presentation:''' Beveiligingsaspecten van webapplicatie-ontwikkeling by Wouter van Kuipers. <br/><br />
The third presentation of the evening was about the efficiency of a source code analyer for php based websites. Approximately 33% of all websites use php and this can be explained by the low learning curve and ease of use of the language. Due to the low learning curve many php developers have little experience with programming and almost no awareness regading security resulting in many unsecure websites. Source code analysis can help preventing many security issues, but their usage does have some limitations. Firstly the scan on itself takes only a few minutes, but analysing the results requires much longer and depends greatly on how familiar the analyser is with the scanned source code. Second these analysers produce many flase positives, making analysis even more time consuming. Lastly not all vulnerabilities are detected with the same efficiency. Especially vulnerabilities that are dependent on the application logic like injection or XSS are not always efficiently detected.<br/><br />
Concluding, like all tools, a source code analyser can be a powerful tool, but one has to be aware of its limitations. These tools can provide results very fast, but when used on unfamiliar code the analysis can be very time consuming.<br />
<br/><br />
<br />
== Scheduled OWASP NL Chapter Meetings: ==<br />
=== Meeting Schedule May 28th 2009: AppSec Europe 2009 ===<br />
<br />
'''Summary'''<br />
The main goal of the upcoming OWASP-NL meeting is to provide an abstract of the recently held AppSec Europe 2009, a VAC about CSRF and, new, an open discussion on application security subjects brought forward by the attendees. <br />
<table><br />
<tr><br />
<td width="350"><br />
ASR Nederland<br/><br />
<br/><br />
MD0.60 - Auditorium<br/><br />
Smallepad 30<br/><br />
3811MG Amersfoort<br/><br />
</td><br />
<td width="650"><br />
[[Image:ASR Nederland logo.jpg|200px]]<br />
</td><br />
</tr><br />
<tr><br />
<td width="350"><br />
</td><br />
<td width="650"><br />
<br />
<br/><br />
<br />
<br/><br />
</td><br />
</tr><br />
</table><br />
<br />
'''18.30 - 18.45 Introduction (OWASP organization, projects, sponsor) '''<br><br />
<br />
'''18.45 - 19.45 AppSec-EU 2009 (Sebastien Deleersnyder, Telindus) '''<br><br />
Update on the AppSec-EU 2009: <br><br />
OWASP State of the union, an update on OWASP and OWASP projects and of course the highlights of the AppSec-EU 2009 presentations.<br />
<br />
'''19.45 - 20.00 Break '''<br><br />
<br />
'''20.00 - 20.30 VAC Cross-Site Request Forgery (Niels Teusink, Fox-IT) ''' ([[Media:20090409_VAC-CSRF-Niels_Teusink.pdf]])<br><br />
CSRF is an attack which forces an end user to execute unwanted actions on a web application in which he/she is currently authenticated. With a little help of social engineering (like sending a link via email/chat), an attacker may force the users of a web application to execute actions of the attacker's choosing. A successful CSRF exploit can compromise end user data and operation in case of normal user. If the targeted end user is the administrator account, this can compromise the entire web application.<br />
<br />
Niels Teusink holds a bachelor degree in Computer Science and has been experimenting with IT security for over a decade. He has worked for Fox-IT since 2005; first as a software engineer and since 2007 as a penetration tester. He has since performed dozens of penetration tests for all sorts of companies, including governments, banks and nuclear installations.<br />
<br />
'''20.30 - 21.15 Open session / discussion (Martin Knobloch/Ferdinand Vroom/Peter Gouwentak) ''' <br><br />
Open session / discussion about subjects brought forward by the attendees.<br />
<br />
The Announcement of this meeting: [[Media:Announcement OWASP-NL May 28th 2009.pdf]]<br><br />
The flyer of this meeting: [[Media:owasp_NL_may2009.pdf]]<br />
<br/><br />
<hr><br />
=== Meeting Schedule 9th April Knowing Your Enemy ===<br />
<br />
'''Summary'''<br />
The main goal of the upcoming OWASP-NL meeting is to provide information to managers, architects, designers, developers and security and risk professionals. The speakers will give specific examples and there will be time to ask questions. <br />
<table><br />
<tr><br />
<td width="350"><br />
Lange Dreef 17<br/><br />
4131 NJ Vianen<br/><br />
</td><br />
<td width="650"><br />
[[Image:Sogeti_Nederland_b_v_Logo.jpg|http:\\www.sogeti.nl]]<br />
</td><br />
</tr><br />
<tr><br />
<td width="350"><br />
</td><br />
<td width="650"><br />
About Sogeti Nederland B.V.<br />
Sogeti Nederland B.V. is one of top-5 IT companies of the Netherlands. Our workforce of over 3,500 employees provides top quality IT consultancy and services to leading companies in several industry sectors in the Netherlands. Our focus is local, but we are part of Sogeti Worldwide, offering IT services in the American, German, French, Belgian, UK, Swedish, Swiss and Spanish markets. <br />
<br />
Our core business is the design, construction, deployment, testing and maintenance of IT solutions. We stand for quality and IT skills; this is visible in our service and in the methods developed by us such as DYA®, Regatta®, TMap®, TPI® , Inframe®, and TEmb. <br />
<br />
Vision<br />
Sogeti delivers value by aligning the results of her services to the strategic goals of the client, thereby committing herself to the success of the client. We prove our commitment by assuming responsibility in various forms and to various degrees. <br />
<br />
New trends<br />
Our own research institute ViNT (Institute for Research into New Technology) keeps us and our clients ahead of the newest technology trends and their potential influence, benefits and risks.<br />
<br/><br />
More information about Sogeti can be found on our website www.sogeti.nl.<br />
<br/><br />
</td><br />
</tr><br />
</table><br />
<br />
'''18.30 - 18.45 Introduction (OWASP organization, projects, sponsor) '''<br><br />
'''18.45 - 19.30 Modern information gathering; how to abuse search engines Dave van Stein '''([[Media:20090409_passsive_reconnaissance-Dave_van_Stein.pdf]])<br><br />
Great generals already know the key to success is "knowing your enemy". In hacking terms this is called information gathering, fingerprinting or reconnaissance. Traditionally this phase consisted of using public records like WHOIS and DNS combined with active scans on servers. With the rise of advanced search engines like Yahoo, Live Search and Google a whole new type of reconnaissance has come to life; passive reconnaissance. Often servers are not properly configured which causes lots of valuable information to become available without accessing the server at all. Recently several hacker-tools appeared which use the full capabilities of these search engines giving hackers a head-start at mapping the network they plan to attack. The goal of this session is to give insight in the methods and tools hackers have at their disposal to gather information about systems they plan to attack without accessing the system itself. <br />
Dave van Stein has close to 8 years of experience in software testing. Since the beginning of 2008 he's working for ps_testware as a web application security testing specialist. <br />
<br />
'''19.30 - 20.00 VAC Cross-site scripting Martin Visser '''([[Media:20090409_VAC_Cross-site-scripting_Martin_Visser.pdf]])<br><br />
Martin Visser is a software designer with Sogeti Nederland B.V. specialized in secure application development with Microsoft technologies. He has experience with Microsoft server technologies like ASP.NET, SharePoint and Biztalk. Martin also developed and teaches a 2-day "Application Security - Microsoft development" course both within and outside Sogeti. <br />
<br />
'''20.00 - 20.15 Break ''' <br><br />
'''20.15 - 21.00 Beveiligingsaspecten van webapplicatie-ontwikkeling Wouter van Kuipers ''' ([[Media:20090409_presentatie_Wouter_van_Kuipers.pdf]])<br><br />
Het ontwikkelen van webapplicaties verschilt op verschillende aspecten met het ontwikkelen van desktop applicaties, met name op het gebied van security. Voor grote bedrijven zijn er oplossingen beschikbaar als bijvoorbeeld SDL, maar voor het midden- en kleinbedrijf zijn dit soort oplossingen beperkt, omdat zij vaak niet de middelen hebben om dergelijke strategieën uit te kunnen voeren. Voor zijn scriptie heeft Wouter van Kuipers middels een literatuuronderzoek, interviews met ontwikkelaars en een onderzoek naar Fortify 360 gekeken hoe het midden- en kleinbedrijf omgaat met deze verschillen en hoe zij het ontwikkelproces kunnen optimaliseren op het gebied van security.<br />
<br />
Na een MBO opleiding in de IT is Wouter van Kuipers via de HBO opleiding 'Communicatie Systemen' begin 2007 begonnen met een master<br />
Informatiekunde aan de Radboud Universiteit Nijmegen, welke hij in maart dit jaar hoopt af te ronden. Tijdens zijn MBO studie is zijn interesse in het ontwikkelen van webapplicaties gewekt, wat in 2003 resulteerde in het opzetten van een eigen web-development bedrijf. Dit bedrijf is met name gespecialiseerd in het ontwikkelen van webapplicaties op maat, en het ondersteunen van bedrijven op het gebied van web-developement op freelance basis.<br />
<br />
The flyer of this meeting: [[Media:owasp_NL_april2009.pdf]]<br />
<br />
== Past Events ==<br />
* Events held in [[Netherlands_Previous_Events_2008|2008]]<br />
* Events held in [[Netherlands_Previous_Events_2007|2007]]<br />
* Events held in [[Netherlands_Previous_Events_2006|2006]]<br />
* Events held in [[Netherlands_Previous_Events_2005|2005]]</div>Dvsteinhttps://wiki.owasp.org/index.php?title=Netherlands_Mini_Meeting_2009&diff=66386Netherlands Mini Meeting 20092009-07-23T07:23:36Z<p>Dvstein: /* Mini Meeting Topics 2009 */</p>
<hr />
<div>[[Netherlands]] Calendar and Topics for OWASP NL Mini Meetings:<br />
The 'Mini Meetings' are a informal platform to discus on a specific topic in a small group.<br />
Chair is, whoever put's in a topic. You will get all support by the OWASP NL Chapter Board!<br />
Those meetings must result in meeting notes and can result in a presentation on a OWASP NL Chapter meeting!<br />
<br />
To attend one of the meetings below, send an email to the contact's email address!<br />
<br />
== Mini Meeting Topics 2009 ==<br />
<br />
Topics addressed at the open discussion on the May 28th meeting:<br />
<br />
<pre><br />
Topic : Tools of the trade; exchange real-life experiences<br />
Contact : Dave van Stein, dvstein+owasp [-at-] gmail [-dot-] com<br />
----------<br />
Date : 27th August 2009<br />
Time : 18:00 (sandwiches provided) to 21:30<br />
Location : ps_testware<br />
Dorpsstraat 26<br />
3941 JM Doorn<br />
Details : Exchange real-world experience about web testing tools. What is really useable and what is not.<br />
Attendees : Min 6, max 8, currently 3 attendees <br />
</pre><br />
<pre><br />
Topic : SAMM, ASVS and other methodologies<br />
Contact : Martin Knobloch, martin.knobloch@owasp.org<br />
----------<br />
Date : To be decided<br />
Time : 18:00 (dinner provided) to 21:30 <br />
Location : Sogeti Nederland B.V.<br />
Plotterweg 31-33<br />
3821 BB Amersfoort<br />
Details : About ideas and experiences of using, implementing and verifying the different methodologies<br />
Attendees : Max 10 persons, currently 3, 7 available</pre><br />
</pre><br />
<pre><br />
Topic : Web Application Firewalls<br />
Contact : put in your contact details<br />
----------<br />
Date : suggest a date<br />
Time : suggest a time<br />
Location : suggest a location<br />
Attendees : Max 10 persons, currently 0<br />
</pre><br />
Add your own suggestions below:<br />
<pre><br />
Topic : suggest a topic<br />
Contact : put in your contact details<br />
----------<br />
Date : suggest a date<br />
Time : suggest a time<br />
Location : suggest a location<br />
Attendees : Max 10 persons, currently 0<br />
</pre><br />
<br />
== Past minimeetings ==<br />
<pre><br />
Topic : Quickscans and other timeboxed test approaches (discussion)<br />
Contact : Barry van Kampen<br />
----------<br />
Date : 25th June 2009<br />
Details : This discussion will be about the way quickscans can be performed.<br />
At least basic web application testing knowledge is needed for this session.<br />
Please send an email if you would like to attend.<br />
Total persons: 6 attendees.<br />
</pre><br />
<br />
== Mini Meeting minutes ==<br />
Space below is mend to put the Mini-Meeting-Note!<br />
<br />
'''Registration'''<br/><br />
If you want to attend, please send an email to the contact of the topic.<br/><br />
<br/><br />
All OWASP chapter meetings are free of charge and you don’t have to be an OWASP member to attend. There are never any vendor pitches or sales presentations at OWASP meetings.<br/><br />
<br/></div>Dvsteinhttps://wiki.owasp.org/index.php?title=Netherlands_Mini_Meeting_2009&diff=65789Netherlands Mini Meeting 20092009-07-12T18:01:25Z<p>Dvstein: /* Mini Meeting Topics 2009 */</p>
<hr />
<div>[[Netherlands]] Calendar and Topics for OWASP NL Mini Meetings:<br />
The 'Mini Meetings' are a informal platform to discus on a specific topic in a small group.<br />
Chair is, whoever put's in a topic. You will get all support by the OWASP NL Chapter Board!<br />
Those meetings must result in meeting notes and can result in a presentation on a OWASP NL Chapter meeting!<br />
<br />
To attend one of the meetings below, send an email to the contact's email address!<br />
<br />
== Mini Meeting Topics 2009 ==<br />
<br />
Topics addressed at the open discussion on the May 28th meeting:<br />
<br />
<pre><br />
Topic : SAMM, ASVS and other methodologies<br />
Contact : Martin Knobloch, martin.knobloch@owasp.org<br />
----------<br />
Date : 23rd July 2009<br />
Time : 18:00 (dinner provided) to 21:30 <br />
Location : Sogeti Nederland B.V.<br />
Plotterweg 31-33<br />
3821 BB Amersfoort<br />
Details : About ideas and experiences of using, implementing and verifying the different methodologies<br />
Attendees : Max 10 persons, currently 2</pre><br />
<pre><br />
Topic : Tools of the trade; exchange real-life experiences<br />
Contact : Dave van Stein, dvstein+owasp [-at-] gmail [-dot-] com<br />
----------<br />
Date : 27th August 2009<br />
Time : 18:00 (sandwiches provided) to 21:30<br />
Location : ps_testware<br />
Dorpsstraat 26<br />
3941 JM Doorn<br />
Details : Exchange real-world experience about web testing tools. What is really useable and what is not.<br />
Attendees : Max 8 persons, currently 2 <br />
</pre><br />
<pre><br />
Topic : Web Application Firewalls<br />
Contact : put in your contact details<br />
----------<br />
Date : suggest a date<br />
Time : suggest a time<br />
Location : suggest a location<br />
Attendees : Max 10 persons, currently 0<br />
</pre><br />
Add your own suggestions below:<br />
<pre><br />
Topic : suggest a topic<br />
Contact : put in your contact details<br />
----------<br />
Date : suggest a date<br />
Time : suggest a time<br />
Location : suggest a location<br />
Attendees : Max 10 persons, currently 0<br />
</pre><br />
<br />
<br />
== Past minimeetings ==<br />
<pre><br />
Topic : Quickscans and other timeboxed test approaches (discussion)<br />
Contact : Barry van Kampen<br />
----------<br />
Date : 25th June 2009<br />
Details : This discussion will be about the way quickscans can be performed.<br />
At least basic web application testing knowledge is needed for this session.<br />
Please send an email if you would like to attend.<br />
Total persons: 6 attendees.<br />
</pre><br />
<br />
== Mini Meeting minutes ==<br />
Space below is mend to put the Mini-Meeting-Note!<br />
<br />
'''Registration'''<br/><br />
If you want to attend, please send an email to the contact of the topic.<br/><br />
<br/><br />
All OWASP chapter meetings are free of charge and you don’t have to be an OWASP member to attend. There are never any vendor pitches or sales presentations at OWASP meetings.<br/><br />
<br/></div>Dvsteinhttps://wiki.owasp.org/index.php?title=Netherlands_Mini_Meeting_2009&diff=63695Netherlands Mini Meeting 20092009-06-06T11:11:35Z<p>Dvstein: /* Mini Meeting Topics 2009 */</p>
<hr />
<div>[[Netherlands]] Calendar and Topics for OWASP NL Mini Meetings:<br />
The 'Mini Meetings' are a informal platform to discus on a specific topic in a small group.<br />
Chair is, whoever put's in a topic. You will get all support by the OWASP NL Chapter Board!<br />
Those meetings must result in meeting notes and can result in a presentation on a OWASP NL Chapter meeting!<br />
<br />
== Mini Meeting Topics 2009 ==<br />
<br />
Topics addressed at the open discussion on the May 28th meeting:<br />
<br />
<pre><br />
Topic : Quickscans and other timeboxed test approaches (discussion)<br />
Contact : Barry van Kampen, owasp@itq.nl<br />
----------<br />
Date : 25th june 2009<br />
Time : 18:00 Dinner (free of charge), 19:00 Start of discussion, Till ca 21:30<br />
Location : ITQ Consultancy<br />
Joop Geesinkweg 701 <br />
1096 AZ Amsterdam<br />
Details : This discussion will be about the way quickscans can be performed.<br />
At least basic web application testing knowledge is needed for this session.<br />
Max 8 persons in total, please send an email if you would like to attend <br />
</pre><br />
<pre><br />
Topic : SAMM, ASVS and other methodologies<br />
Contact : Martin Knobloch<br />
----------<br />
Date : 23rd July 2009<br />
Time : 18:00 (dinner provided) to 21:30 <br />
Location : Sogeti Nederland B.V.<br />
Plotterweg 31-33<br />
3821 BB Amersfoort<br />
Details : About ideas and experiences of using, implementing and verifying the different methodologies<br />
</pre><br />
<pre><br />
Topic : Tools of the trade; exchange real-life experiences<br />
Contact : Dave van Stein<br />
----------<br />
Date : 27th August 2009<br />
Time : 18:00 (sandwiches provided) to 21:30<br />
Location : ps_testware<br />
Dorpsstraat 26<br />
3941 JM Doorn<br />
Details : Exchange real-world experience about web testing tools. What is really useable and what is not.<br />
Attendees : Max 8 persons, currently 2 <br />
</pre><br />
<pre><br />
Topic : Web Application Firewalls<br />
Contact : put in your contact details<br />
----------<br />
Date : suggest a date<br />
Time : suggest a time<br />
Location : suggest a location<br />
</pre><br />
Add your own suggestions below:<br />
<pre><br />
Topic : suggest a topic<br />
Contact : put in your contact details<br />
----------<br />
Date : suggest a date<br />
Time : suggest a time<br />
Location : suggest a location<br />
</pre><br />
<br />
== Mini Meeting minutes ==<br />
Space below is mend to put the Mini-Meeting-Note!<br />
<br />
'''Registration'''<br/><br />
If you want to attend, please send an email to the contact of the topic.<br/><br />
<br/><br />
All OWASP chapter meetings are free of charge and you don’t have to be an OWASP member to attend. There are never any vendor pitches or sales presentations at OWASP meetings.<br/><br />
<br/></div>Dvsteinhttps://wiki.owasp.org/index.php?title=Netherlands_Mini_Meeting_2009&diff=63673Netherlands Mini Meeting 20092009-06-05T18:49:12Z<p>Dvstein: /* Mini Meeting Topics 2009 */</p>
<hr />
<div>[[Netherlands]] Calendar and Topics for OWASP NL Mini Meetings:<br />
The 'Mini Meetings' are a informal platform to discus on a specific topic in a small group.<br />
Chair is, whoever put's in a topic. You will get all support by the OWASP NL Chapter Board!<br />
Those meetings must result in meeting notes and can result in a presentation on a OWASP NL Chapter meeting!<br />
<br />
== Mini Meeting Topics 2009 ==<br />
<br />
Topics addressed at the open discussion on the May 28th meeting:<br />
<br />
<pre><br />
Topic : Quickscans and other timeboxed test approaches (discussion)<br />
Contact : Barry van Kampen, owasp@itq.nl<br />
----------<br />
Date : 25th june 2009<br />
Time : 18:00 Dinner (free of charge), 19:00 Start of discussion, Till ca 21:30<br />
Location : ITQ Consultancy<br />
Joop Geesinkweg 701 <br />
1096 AZ Amsterdam<br />
Details : This discussion will be about the way quickscans can be performed.<br />
At least basic web application testing knowledge is needed for this session.<br />
Max 8 persons in total, please send an email if you would like to attend <br />
</pre><br />
<pre><br />
Topic : SAMM, ASVS and other methodologies<br />
Contact : Martin Knobloch<br />
----------<br />
Date : 23rd July 2009<br />
Time : 18:00 (dinner provided) to 21:30 <br />
Location : Sogeti Nederland B.V.<br />
Plotterweg 31-33<br />
3821 BB Amersfoort<br />
Details : About ideas and experiences of using, implementing and verifying the different methodologies<br />
</pre><br />
<pre><br />
Topic : Tools of the trade; exchange real-life experiences<br />
Contact : Dave van Stein<br />
----------<br />
Date : 27th August 2009<br />
Time : 18:00 (sandwiches provided) to 21:30<br />
Location : ps_testware<br />
Dorpsstraat 26<br />
3941 JM Doorn<br />
Details : Exchange real-world experience about web testing tools. What is really useable and what is not.<br />
</pre><br />
<pre><br />
Topic : Web Application Firewalls<br />
Contact : put in your contact details<br />
----------<br />
Date : suggest a date<br />
Time : suggest a time<br />
Location : suggest a location<br />
</pre><br />
Add your own suggestions below:<br />
<pre><br />
Topic : suggest a topic<br />
Contact : put in your contact details<br />
----------<br />
Date : suggest a date<br />
Time : suggest a time<br />
Location : suggest a location<br />
</pre><br />
<br />
== Mini Meeting minutes ==<br />
Space below is mend to put the Mini-Meeting-Note!<br />
<br />
'''Registration'''<br/><br />
If you want to attend, please send an email to the contact of the topic.<br/><br />
<br/><br />
All OWASP chapter meetings are free of charge and you don’t have to be an OWASP member to attend. There are never any vendor pitches or sales presentations at OWASP meetings.<br/><br />
<br/></div>Dvsteinhttps://wiki.owasp.org/index.php?title=Netherlands_Mini_Meeting_2009&diff=63672Netherlands Mini Meeting 20092009-06-05T18:38:45Z<p>Dvstein: /* Mini Meeting Topics 2009 */</p>
<hr />
<div>[[Netherlands]] Calendar and Topics for OWASP NL Mini Meetings:<br />
The 'Mini Meetings' are a informal platform to discus on a specific topic in a small group.<br />
Chair is, whoever put's in a topic. You will get all support by the OWASP NL Chapter Board!<br />
Those meetings must result in meeting notes and can result in a presentation on a OWASP NL Chapter meeting!<br />
<br />
== Mini Meeting Topics 2009 ==<br />
<br />
Topics addressed at the open discussion on the May 28th meeting:<br />
<br />
<pre><br />
Topic : Quickscans and other timeboxed test approaches (discussion)<br />
Contact : Barry van Kampen, owasp@itq.nl<br />
----------<br />
Date : 25th june 2009<br />
Time : 18:00 Dinner (free of charge), 19:00 Start of discussion, Till ca 21:30<br />
Location : ITQ Consultancy<br />
Joop Geesinkweg 701 <br />
1096 AZ Amsterdam<br />
Details : This discussion will be about the way quickscans can be performed.<br />
At least basic web application testing knowledge is needed for this session.<br />
Max 8 persons in total, please send an email if you would like to attend <br />
</pre><br />
<pre><br />
Topic : SAMM, ASVS and other methodologies<br />
Contact : Martin Knobloch<br />
----------<br />
Date : 23rd July 2009<br />
Time : 18:00 (dinner provided) to 21:30 <br />
Location : Sogeti Nederland B.V.<br />
Plotterweg 31-33<br />
3821 BB Amersfoort<br />
Details : About ideas and experiences of using, implementing and verifying the different methodologies<br />
</pre><br />
<pre><br />
Topic : Tools of the trade; exchange real-life experiences<br />
Contact : Dave van Stein<br />
----------<br />
Date : 27th August 2009<br />
Time : 18:00 (sandwiches provided) to 21:30<br />
Location : ps_testware<br />
Dorpsstraat 26<br />
3941 JM Doorn<br />
</pre><br />
<pre><br />
Topic : Web Application Firewalls<br />
Contact : put in your contact details<br />
----------<br />
Date : suggest a date<br />
Time : suggest a time<br />
Location : suggest a location<br />
</pre><br />
Add your own suggestions below:<br />
<pre><br />
Topic : suggest a topic<br />
Contact : put in your contact details<br />
----------<br />
Date : suggest a date<br />
Time : suggest a time<br />
Location : suggest a location<br />
</pre><br />
<br />
== Mini Meeting minutes ==<br />
Space below is mend to put the Mini-Meeting-Note!<br />
<br />
'''Registration'''<br/><br />
If you want to attend, please send an email to the contact of the topic.<br/><br />
<br/><br />
All OWASP chapter meetings are free of charge and you don’t have to be an OWASP member to attend. There are never any vendor pitches or sales presentations at OWASP meetings.<br/><br />
<br/></div>Dvsteinhttps://wiki.owasp.org/index.php?title=Netherlands&diff=63316Netherlands2009-05-31T12:05:03Z<p>Dvstein: /* Meeting Schedule May 28th 2009: AppSec Europe 2009 */</p>
<hr />
<div>{{Chapter Template|chaptername=Netherlands|extra=The chapter leader is [mailto:owasp@irc2.nl Bert Koelewijn]<br />
<paypal>Netherlands</paypal><br />
|mailinglistsite=http://lists.owasp.org/mailman/listinfo/owasp-netherlands|emailarchives=http://lists.owasp.org/pipermail/owasp-netherlands}}<br />
<br />
=== Call for Speakers ===<br />
We are continuously looking for speakers and presentations make the chapter meetings as interesting as possible. Therefore we are looking inside and outside OWASP for known international specialists. But we know, there is a lot interesting stuf happening inside the Netherlands, too! <br/><br />
'''Presentations:''' Are you working on interesting subject, you would like to share your experiences with the OWASP community. Any topic related to application security will be appreciated!<br/><br />
'''VAC, Vulnerability, Attack, Countermeasure:''' The goal is an half hour in-depth technical presentation about a vulnerability, how it can be exploited and how to prevent it!<br/><br />
<br />
=== Sponsorship of a local chapter meeting ===<br />
We are continuously looking for locations to hold local chapter meetings. Therefore, we need companies willing to sponsor of host events.<br><br />
'''Hosting a local chapter meeting:''' To host a local chapter meeting, you facilitate the meeting location and beverage for the attendees<br><br />
'''Sponsorship of a local chapter meeting:''' You cover the cost of renting the location for the meeting and the payment of the beverages for the attendees<br><br />
'''Please let us know via the OWASP chapter meeting questionnaire of via email to martin.knobloch@owasp.org<br>'''<br />
<br />
== '''OWASP NL Cafe''' == <br />
<font color="red">'''NEW:'''</font><br />
Monthly informal platform to speak about (Web) application security matters! No registration required, just drop by!<br />
* no programm<br />
* no agenda<br />
* whatever comes up!<br />
<br />
Next (1st) OWASP Cafe, Thursday June 4th, from 7 pm, drop in whenever you can!<br />
As this is the first try, beverages, BBQ and some meat etc are on me (as long as stocks last)! Voluntary contributions welcome (food/beverages, no money)!<br />
<pre><br />
Where:<br />
Prof. Dr. Ornsteinlaan 14<br />
3431 EP Nieuwegein<br />
Public transport from Utrecht Centraal:<br />
Bus 74, bus stop "Zorgcentrum Zuilenstein" Nieuwegein (2 min walk)<br />
Streetcar / Tram stop: "Batau Noord" Nieuwegein (8 min walk)<br />
</pre><br />
Google map:<br />
http://maps.google.com/maps?f=q&source=s_q&hl=en&geocode=&q=prof.+dr.+ornsteinlaan+14,+3431+EP+Nieuwegein&sll=37.0625,-95.677068&sspn=42.901912,58.095703&ie=UTF8&z=16<br />
<br />
=='''OWASP NL Mini-Meetings''' == <br />
<font color="red">'''NEW:'''</font><br />
Platform to discus on specific issues related to (Web) Application Security. The topic's are brought in by the OWASP NL community!<br><br />
Something on your mind to discus, put your idea online at: Mini Meetings [[Netherlands_Mini_Meeting_2009|Netherlands_Mini_Meeting_2009]]<br />
<br />
== '''Meeting schedule 2009''' ==<br />
This is an overview of the 2009 local chapter meeting schedule. Details of the meetings can be found in the announcements that will be posted below this schedule.<br />
<pre><br />
April 9th<br />
----------<br />
Time : 18.00 - 21.30<br />
Main Topic : Knowing Your Enemy<br />
Presentations: Modern information gathering; how to abuse search engines Dave van Stein<br />
VAC Cross-site scripting Martin Visser <br />
Beveiligingsaspecten van webapplicatie-ontwikkeling Wouter van Kuipers <br />
Location : Lange Dreef 17<br />
4131 NJ Vianen<br />
Sponsor : Sogeti Nederland B.V.<br />
<br />
May 28th<br />
----------<br />
Time : 18.00 - 21.30<br />
Main Topic : AppSec Europe 2009<br />
Presentations: AppSec-EU 2009 Sebastien Deleersnyder, Telindus <br />
VAC Cross-Site Request Forgery Niels Teusink<br />
Open session / discussion about subjects brought forward by <br />
the attendees Martin Knobloch/Ferdinand Vroom/Peter Gouwentak<br />
Location : ASR Nederland<br />
MD0.60 - Auditorium<br />
Smallepad 30<br />
3811MG Amersfoort<br />
Sponsor : ASR Nederland<br />
<br />
September 24th<br />
----------<br />
Time : 17.30 - 21.30<br />
Main Topic : <br />
Presentations: <br />
Location : <br />
Sponsor : <br />
<br />
December 10th<br />
----------<br />
Time : 17.30 - 21.30<br />
Main Topic : <br />
Presentations: <br />
Location : <br />
Sponsor : <br />
</pre><br />
<br />
<br />
<br />
'''Registration'''<br><br />
If you want to attend, please send an email to: bert.koelewijn@owasp.org<br />
<br/><br />
<br/><br />
All OWASP chapter meetings are free of charge and you don't have to be an OWASP member to attend. There are never any vendor pitches or sales presentations at OWASP meetings.<br/><br />
<br/><br />
NOTE TO CISSP's: OWASP Meetings count towards CPE Credits.<br/><br />
<br/><br />
<br/><br />
<br />
== Meeting minutes May 28th 2009 ==<br />
<br />
At May 28th, the Dutch OWASP chapter came together at the ASR building in Amersfoort. The main topic of the evening was AppSec 2009. There were 2 speakers and approximately 20 attendees.<br/><br />
<br/><br />
There was no sponsor talk or general announcement so after a very short welcome talk by Bert the evening started.<br/><br />
<br/><br />
'''First presentation:''' AppSec 2009 by Sebastien Deleersnyder. <br/><br />
The first presentation of the evening was a recap of AppSec 2009 in Poland. The conference was a big success with around 170 attendees. The meeting preceded the 2009 edition of Confidence [http://2009.confidence.org.pl/] resulting in a week of security presentations and workshops. All AppSec presentations and many movies, pictures, and other material can be found on the AppSec wiki [http://www.owasp.org/index.php/OWASP_AppSec_Europe_2009_-_Poland] but a few items are worth mentioning in specific. First of all OWASP is growing and changing. These changes include a simplification of the membership fees, the introduction of a 'code of ethics', and a general review of all 120 projects. Other highlights are the project ASVS, which has reached an international standard status and updated versions of WebGoat and LabRat.<br/><br />
Lastly besides a Wiki and a LinkedIn group, OWASP is now also active on Twitter [http://twitter.com/owasp] and has two overview pages with all video [http://www.owasp.org/index.php/Category:OWASP_Video] and audio materials [http://www.owasp.org/index.php/OWASP_Podcast].<br/><br />
Feel free to use all the materials (as long as you abide by the new code of ethics off course) and visit the OWASP websites frequently for updates !<br/><br />
<br/><br />
'''Second presentation:''' VAC Cross-Site Request Forgery by Niels Teusink. <br/><br />
After succesfull VAC's about SQL injection and Cross-site scripting, the topic of this evening's VAC was Cross-site Request Forgery, also known as CSRF. CSRF is probably one of the least understood vulnerabilities, but can have tremendous consequences when succesfully exploited. In essence it is an attack that misuses the victim's autorisations with malicious scripts. CSRF attacks can also be easily combined with other attack, like e.g. XSS, making them even more dangerous. <br/><br />
Despite the name suggests, these attacks do not have to be on different websites (domains). With the continuing trend to combine multiple functionalities in a single application, so-called onsite request forgeries are becoming more and more frequent. Contrary to XSS and SQL injection, CSRF can not be blocked by input validation. In order to prevent these kind of attacks, an application has to able to verify the authenticity of a request. This can be achieved by several methods like using a unique identifier for a session or each request or requiring additional user input like a CAPTCHA or a one-time token. <br/><br />
<br/><br />
'''Open Discussion''' <br/><br />
The evening was closed with an open discussion about how to improve knowledge sharing among the OWASP members. Many interesting discussions start during the drinks after the presentations on the OWASP evenings, discussions that sadly often are stopped prematurly due to time restraints.<br/><br />
As an addition on the quarterly presentation evenings, the Dutch chapter decided to also start mini-meetings and the OWASP cafe.<br/><br />
Mini-meetings will not be planned on beforehand, but instead will be planned when a topic is proposed and enough attendees have stated an interest in the topic. The attendees will have to select a location themselves but can request a donation from the OWASP for drinks and snacks. Topics discussed at the mini-meeting will have to be listed in minutes so other members can also profit from this knowledge exchange.<br/><br />
The OWASP cafe will be planned each first thursday of the month on a location that will be listed on the OWASP Dutch chapter site. The rules are simple: the evening starts at a certain time, ends at a certain time and will be filled with drinks, snacks, and nerd/hacker/geek humor and discussions in between.<br/><br />
Check the website frequently for the location of the next mini-meeting and OWASP cafe !<br/><br />
<br/><br />
<br />
== Meeting Schedule May 28th 2009: AppSec Europe 2009 ==<br />
<br />
'''Summary'''<br />
The main goal of the upcoming OWASP-NL meeting is to provide an abstract of the recently held AppSec Europe 2009, a VAC about CSRF and, new, an open discussion on application security subjects brought forward by the attendees. <br />
<table><br />
<tr><br />
<td width="350"><br />
ASR Nederland<br/><br />
<br/><br />
MD0.60 - Auditorium<br/><br />
Smallepad 30<br/><br />
3811MG Amersfoort<br/><br />
</td><br />
<td width="650"><br />
[[Image:ASR Nederland logo.jpg|200px]]<br />
</td><br />
</tr><br />
<tr><br />
<td width="350"><br />
</td><br />
<td width="650"><br />
<br />
<br/><br />
<br />
<br/><br />
</td><br />
</tr><br />
</table><br />
<br />
'''18.30 - 18.45 Introduction (OWASP organization, projects, sponsor) '''<br><br />
<br />
'''18.45 - 19.45 AppSec-EU 2009 (Sebastien Deleersnyder, Telindus) '''<br><br />
Update on the AppSec-EU 2009: <br><br />
OWASP State of the union, an update on OWASP and OWASP projects and of course the highlights of the AppSec-EU 2009 presentations.<br />
<br />
'''19.45 - 20.00 Break '''<br><br />
<br />
'''20.00 - 20.30 VAC Cross-Site Request Forgery (Niels Teusink, Fox-IT) ''' ([[Media:20090409_VAC-CSRF-Niels_Teusink.pdf]])<br><br />
CSRF is an attack which forces an end user to execute unwanted actions on a web application in which he/she is currently authenticated. With a little help of social engineering (like sending a link via email/chat), an attacker may force the users of a web application to execute actions of the attacker's choosing. A successful CSRF exploit can compromise end user data and operation in case of normal user. If the targeted end user is the administrator account, this can compromise the entire web application.<br />
<br />
Niels Teusink holds a bachelor degree in Computer Science and has been experimenting with IT security for over a decade. He has worked for Fox-IT since 2005; first as a software engineer and since 2007 as a penetration tester. He has since performed dozens of penetration tests for all sorts of companies, including governments, banks and nuclear installations.<br />
<br />
'''20.30 - 21.15 Open session / discussion (Martin Knobloch/Ferdinand Vroom/Peter Gouwentak) ''' <br><br />
Open session / discussion about subjects brought forward by the attendees.<br />
<br />
The Announcement of this meeting: [[Media:Announcement OWASP-NL May 28th 2009.pdf]]<br><br />
The flyer of this meeting: [[Media:owasp_NL_may2009.pdf]]<br />
<br/><br />
<br />
== Meeting minutes April 9th 2009 ==<br />
<br />
At April 9th, the Dutch OWASP chapter came together at the office of Sogeti in Vianen. The main topic of the evening was "knowing your enemy". There were 3 speakers and approximately 50 attendees.<br/><br />
<br/><br />
The sponsor of the evening started with a small welcome and an overview of their internal security program named PASS. After some small announcements from the OWASP the evening started.<br/><br />
<br/><br />
'''First presentation:''' Modern information gathering; how to abuse search engines by Dave van Stein.<br/><br />
The first presentation of the evening was about using search engines and crawlers to gain detailed information about webservers and websites. Ill configured webservers allow search engine crawlers to collect much information about a system, information that is stored and can be retrieved with search engines. Many websites and tools make use of this mechanism and, combined with DNS and WHOIS information, are able to provide detailed or sensitive information like usernames, vulnerabilities, present files or network topology about a system without targeting it directly.<br/><br />
Restricting crawlers to access a system can act as a first line of defence and reduce exposure and risks.<br/> <br />
<br/><br />
'''Second presentation:''' VAC Cross-site scripting by Martin Visser. <br/><br />
The second VAC on an OWASP meeting was about Cross-site scripting also known as XSS. XSS vulnerabilities are often misunderstood and underestimated but facts show that XSS vulnerability abusing attacks are nowadys the fastest growing and most widespread type of exploit. In short XSS vulnerabilities allow for user input to be executed when containing javascript or HTML code. When combined with other vulnerabilities the possibilities of these attacks are vitually limitless.<br/><br />
The only way to prevent these attacks is to sanitize all input and output fields, but this can be more difficult than it appears to be. Simply blacklisting fragments like <script> is not sufficient due to the possibility of recursivity (e.g. <scr<script>ipt>) and encoding (e.g. URL encoding: %3C%73%63%72%69%70%74%3E). Using multiple layers of filters on various places is the only way to assure enough protection against these types of attacks.<br/><br />
<br/><br />
'''Third presentation:''' Beveiligingsaspecten van webapplicatie-ontwikkeling by Wouter van Kuipers. <br/><br />
The third presentation of the evening was about the efficiency of a source code analyer for php based websites. Approximately 33% of all websites use php and this can be explained by the low learning curve and ease of use of the language. Due to the low learning curve many php developers have little experience with programming and almost no awareness regading security resulting in many unsecure websites. Source code analysis can help preventing many security issues, but their usage does have some limitations. Firstly the scan on itself takes only a few minutes, but analysing the results requires much longer and depends greatly on how familiar the analyser is with the scanned source code. Second these analysers produce many flase positives, making analysis even more time consuming. Lastly not all vulnerabilities are detected with the same efficiency. Especially vulnerabilities that are dependent on the application logic like injection or XSS are not always efficiently detected.<br/><br />
Concluding, like all tools, a source code analyser can be a powerful tool, but one has to be aware of its limitations. These tools can provide results very fast, but when used on unfamiliar code the analysis can be very time consuming.<br />
<br/><br />
<br />
<br />
== Meeting Schedule 9th April Knowing Your Enemy ==<br />
<br />
'''Summary'''<br />
The main goal of the upcoming OWASP-NL meeting is to provide information to managers, architects, designers, developers and security and risk professionals. The speakers will give specific examples and there will be time to ask questions. <br />
<table><br />
<tr><br />
<td width="350"><br />
Lange Dreef 17<br/><br />
4131 NJ Vianen<br/><br />
</td><br />
<td width="650"><br />
[[Image:Sogeti_Nederland_b_v_Logo.jpg|http:\\www.sogeti.nl]]<br />
</td><br />
</tr><br />
<tr><br />
<td width="350"><br />
</td><br />
<td width="650"><br />
About Sogeti Nederland B.V.<br />
Sogeti Nederland B.V. is one of top-5 IT companies of the Netherlands. Our workforce of over 3,500 employees provides top quality IT consultancy and services to leading companies in several industry sectors in the Netherlands. Our focus is local, but we are part of Sogeti Worldwide, offering IT services in the American, German, French, Belgian, UK, Swedish, Swiss and Spanish markets. <br />
<br />
Our core business is the design, construction, deployment, testing and maintenance of IT solutions. We stand for quality and IT skills; this is visible in our service and in the methods developed by us such as DYA®, Regatta®, TMap®, TPI® , Inframe®, and TEmb. <br />
<br />
Vision<br />
Sogeti delivers value by aligning the results of her services to the strategic goals of the client, thereby committing herself to the success of the client. We prove our commitment by assuming responsibility in various forms and to various degrees. <br />
<br />
New trends<br />
Our own research institute ViNT (Institute for Research into New Technology) keeps us and our clients ahead of the newest technology trends and their potential influence, benefits and risks.<br />
<br/><br />
More information about Sogeti can be found on our website www.sogeti.nl.<br />
<br/><br />
</td><br />
</tr><br />
</table><br />
<br />
'''18.30 - 18.45 Introduction (OWASP organization, projects, sponsor) '''<br><br />
'''18.45 - 19.30 Modern information gathering; how to abuse search engines Dave van Stein '''([[Media:20090409_passsive_reconnaissance-Dave_van_Stein.pdf]])<br><br />
Great generals already know the key to success is "knowing your enemy". In hacking terms this is called information gathering, fingerprinting or reconnaissance. Traditionally this phase consisted of using public records like WHOIS and DNS combined with active scans on servers. With the rise of advanced search engines like Yahoo, Live Search and Google a whole new type of reconnaissance has come to life; passive reconnaissance. Often servers are not properly configured which causes lots of valuable information to become available without accessing the server at all. Recently several hacker-tools appeared which use the full capabilities of these search engines giving hackers a head-start at mapping the network they plan to attack. The goal of this session is to give insight in the methods and tools hackers have at their disposal to gather information about systems they plan to attack without accessing the system itself. <br />
Dave van Stein has close to 8 years of experience in software testing. Since the beginning of 2008 he's working for ps_testware as a web application security testing specialist. <br />
<br />
'''19.30 - 20.00 VAC Cross-site scripting Martin Visser '''([[Media:20090409_VAC_Cross-site-scripting_Martin_Visser.pdf]])<br><br />
Martin Visser is a software designer with Sogeti Nederland B.V. specialized in secure application development with Microsoft technologies. He has experience with Microsoft server technologies like ASP.NET, SharePoint and Biztalk. Martin also developed and teaches a 2-day "Application Security - Microsoft development" course both within and outside Sogeti. <br />
<br />
'''20.00 - 20.15 Break ''' <br><br />
'''20.15 - 21.00 Beveiligingsaspecten van webapplicatie-ontwikkeling Wouter van Kuipers ''' ([[Media:20090409_presentatie_Wouter_van_Kuipers.pdf]])<br><br />
Het ontwikkelen van webapplicaties verschilt op verschillende aspecten met het ontwikkelen van desktop applicaties, met name op het gebied van security. Voor grote bedrijven zijn er oplossingen beschikbaar als bijvoorbeeld SDL, maar voor het midden- en kleinbedrijf zijn dit soort oplossingen beperkt, omdat zij vaak niet de middelen hebben om dergelijke strategieën uit te kunnen voeren. Voor zijn scriptie heeft Wouter van Kuipers middels een literatuuronderzoek, interviews met ontwikkelaars en een onderzoek naar Fortify 360 gekeken hoe het midden- en kleinbedrijf omgaat met deze verschillen en hoe zij het ontwikkelproces kunnen optimaliseren op het gebied van security.<br />
<br />
Na een MBO opleiding in de IT is Wouter van Kuipers via de HBO opleiding 'Communicatie Systemen' begin 2007 begonnen met een master<br />
Informatiekunde aan de Radboud Universiteit Nijmegen, welke hij in maart dit jaar hoopt af te ronden. Tijdens zijn MBO studie is zijn interesse in het ontwikkelen van webapplicaties gewekt, wat in 2003 resulteerde in het opzetten van een eigen web-development bedrijf. Dit bedrijf is met name gespecialiseerd in het ontwikkelen van webapplicaties op maat, en het ondersteunen van bedrijven op het gebied van web-developement op freelance basis.<br />
<br />
The flyer of this meeting: [[Media:owasp_NL_april2009.pdf]]<br />
<br />
== Past Events ==<br />
* Events held in [[Netherlands_Previous_Events_2008|2008]]<br />
* Events held in [[Netherlands_Previous_Events_2007|2007]]<br />
* Events held in [[Netherlands_Previous_Events_2006|2006]]<br />
* Events held in [[Netherlands_Previous_Events_2005|2005]]</div>Dvsteinhttps://wiki.owasp.org/index.php?title=Netherlands&diff=63315Netherlands2009-05-31T12:03:52Z<p>Dvstein: /* Meeting Schedule 9th April Knowing Your Enemy */</p>
<hr />
<div>{{Chapter Template|chaptername=Netherlands|extra=The chapter leader is [mailto:owasp@irc2.nl Bert Koelewijn]<br />
<paypal>Netherlands</paypal><br />
|mailinglistsite=http://lists.owasp.org/mailman/listinfo/owasp-netherlands|emailarchives=http://lists.owasp.org/pipermail/owasp-netherlands}}<br />
<br />
=== Call for Speakers ===<br />
We are continuously looking for speakers and presentations make the chapter meetings as interesting as possible. Therefore we are looking inside and outside OWASP for known international specialists. But we know, there is a lot interesting stuf happening inside the Netherlands, too! <br/><br />
'''Presentations:''' Are you working on interesting subject, you would like to share your experiences with the OWASP community. Any topic related to application security will be appreciated!<br/><br />
'''VAC, Vulnerability, Attack, Countermeasure:''' The goal is an half hour in-depth technical presentation about a vulnerability, how it can be exploited and how to prevent it!<br/><br />
<br />
=== Sponsorship of a local chapter meeting ===<br />
We are continuously looking for locations to hold local chapter meetings. Therefore, we need companies willing to sponsor of host events.<br><br />
'''Hosting a local chapter meeting:''' To host a local chapter meeting, you facilitate the meeting location and beverage for the attendees<br><br />
'''Sponsorship of a local chapter meeting:''' You cover the cost of renting the location for the meeting and the payment of the beverages for the attendees<br><br />
'''Please let us know via the OWASP chapter meeting questionnaire of via email to martin.knobloch@owasp.org<br>'''<br />
<br />
== '''OWASP NL Cafe''' == <br />
<font color="red">'''NEW:'''</font><br />
Monthly informal platform to speak about (Web) application security matters! No registration required, just drop by!<br />
* no programm<br />
* no agenda<br />
* whatever comes up!<br />
<br />
Next (1st) OWASP Cafe, Thursday June 4th, from 7 pm, drop in whenever you can!<br />
As this is the first try, beverages, BBQ and some meat etc are on me (as long as stocks last)! Voluntary contributions welcome (food/beverages, no money)!<br />
<pre><br />
Where:<br />
Prof. Dr. Ornsteinlaan 14<br />
3431 EP Nieuwegein<br />
Public transport from Utrecht Centraal:<br />
Bus 74, bus stop "Zorgcentrum Zuilenstein" Nieuwegein (2 min walk)<br />
Streetcar / Tram stop: "Batau Noord" Nieuwegein (8 min walk)<br />
</pre><br />
Google map:<br />
http://maps.google.com/maps?f=q&source=s_q&hl=en&geocode=&q=prof.+dr.+ornsteinlaan+14,+3431+EP+Nieuwegein&sll=37.0625,-95.677068&sspn=42.901912,58.095703&ie=UTF8&z=16<br />
<br />
=='''OWASP NL Mini-Meetings''' == <br />
<font color="red">'''NEW:'''</font><br />
Platform to discus on specific issues related to (Web) Application Security. The topic's are brought in by the OWASP NL community!<br><br />
Something on your mind to discus, put your idea online at: Mini Meetings [[Netherlands_Mini_Meeting_2009|Netherlands_Mini_Meeting_2009]]<br />
<br />
== '''Meeting schedule 2009''' ==<br />
This is an overview of the 2009 local chapter meeting schedule. Details of the meetings can be found in the announcements that will be posted below this schedule.<br />
<pre><br />
April 9th<br />
----------<br />
Time : 18.00 - 21.30<br />
Main Topic : Knowing Your Enemy<br />
Presentations: Modern information gathering; how to abuse search engines Dave van Stein<br />
VAC Cross-site scripting Martin Visser <br />
Beveiligingsaspecten van webapplicatie-ontwikkeling Wouter van Kuipers <br />
Location : Lange Dreef 17<br />
4131 NJ Vianen<br />
Sponsor : Sogeti Nederland B.V.<br />
<br />
May 28th<br />
----------<br />
Time : 18.00 - 21.30<br />
Main Topic : AppSec Europe 2009<br />
Presentations: AppSec-EU 2009 Sebastien Deleersnyder, Telindus <br />
VAC Cross-Site Request Forgery Niels Teusink<br />
Open session / discussion about subjects brought forward by <br />
the attendees Martin Knobloch/Ferdinand Vroom/Peter Gouwentak<br />
Location : ASR Nederland<br />
MD0.60 - Auditorium<br />
Smallepad 30<br />
3811MG Amersfoort<br />
Sponsor : ASR Nederland<br />
<br />
September 24th<br />
----------<br />
Time : 17.30 - 21.30<br />
Main Topic : <br />
Presentations: <br />
Location : <br />
Sponsor : <br />
<br />
December 10th<br />
----------<br />
Time : 17.30 - 21.30<br />
Main Topic : <br />
Presentations: <br />
Location : <br />
Sponsor : <br />
</pre><br />
<br />
<br />
<br />
'''Registration'''<br><br />
If you want to attend, please send an email to: bert.koelewijn@owasp.org<br />
<br/><br />
<br/><br />
All OWASP chapter meetings are free of charge and you don't have to be an OWASP member to attend. There are never any vendor pitches or sales presentations at OWASP meetings.<br/><br />
<br/><br />
NOTE TO CISSP's: OWASP Meetings count towards CPE Credits.<br/><br />
<br/><br />
<br/><br />
<br />
== Meeting minutes May 28th 2009 ==<br />
<br />
At May 28th, the Dutch OWASP chapter came together at the ASR building in Amersfoort. The main topic of the evening was AppSec 2009. There were 2 speakers and approximately 20 attendees.<br/><br />
<br/><br />
There was no sponsor talk or general announcement so after a very short welcome talk by Bert the evening started.<br/><br />
<br/><br />
'''First presentation:''' AppSec 2009 by Sebastien Deleersnyder. <br/><br />
The first presentation of the evening was a recap of AppSec 2009 in Poland. The conference was a big success with around 170 attendees. The meeting preceded the 2009 edition of Confidence [http://2009.confidence.org.pl/] resulting in a week of security presentations and workshops. All AppSec presentations and many movies, pictures, and other material can be found on the AppSec wiki [http://www.owasp.org/index.php/OWASP_AppSec_Europe_2009_-_Poland] but a few items are worth mentioning in specific. First of all OWASP is growing and changing. These changes include a simplification of the membership fees, the introduction of a 'code of ethics', and a general review of all 120 projects. Other highlights are the project ASVS, which has reached an international standard status and updated versions of WebGoat and LabRat.<br/><br />
Lastly besides a Wiki and a LinkedIn group, OWASP is now also active on Twitter [http://twitter.com/owasp] and has two overview pages with all video [http://www.owasp.org/index.php/Category:OWASP_Video] and audio materials [http://www.owasp.org/index.php/OWASP_Podcast].<br/><br />
Feel free to use all the materials (as long as you abide by the new code of ethics off course) and visit the OWASP websites frequently for updates !<br/><br />
<br/><br />
'''Second presentation:''' VAC Cross-Site Request Forgery by Niels Teusink. <br/><br />
After succesfull VAC's about SQL injection and Cross-site scripting, the topic of this evening's VAC was Cross-site Request Forgery, also known as CSRF. CSRF is probably one of the least understood vulnerabilities, but can have tremendous consequences when succesfully exploited. In essence it is an attack that misuses the victim's autorisations with malicious scripts. CSRF attacks can also be easily combined with other attack, like e.g. XSS, making them even more dangerous. <br/><br />
Despite the name suggests, these attacks do not have to be on different websites (domains). With the continuing trend to combine multiple functionalities in a single application, so-called onsite request forgeries are becoming more and more frequent. Contrary to XSS and SQL injection, CSRF can not be blocked by input validation. In order to prevent these kind of attacks, an application has to able to verify the authenticity of a request. This can be achieved by several methods like using a unique identifier for a session or each request or requiring additional user input like a CAPTCHA or a one-time token. <br/><br />
<br/><br />
'''Open Discussion''' <br/><br />
The evening was closed with an open discussion about how to improve knowledge sharing among the OWASP members. Many interesting discussions start during the drinks after the presentations on the OWASP evenings, discussions that sadly often are stopped prematurly due to time restraints.<br/><br />
As an addition on the quarterly presentation evenings, the Dutch chapter decided to also start mini-meetings and the OWASP cafe.<br/><br />
Mini-meetings will not be planned on beforehand, but instead will be planned when a topic is proposed and enough attendees have stated an interest in the topic. The attendees will have to select a location themselves but can request a donation from the OWASP for drinks and snacks. Topics discussed at the mini-meeting will have to be listed in minutes so other members can also profit from this knowledge exchange.<br/><br />
The OWASP cafe will be planned each first thursday of the month on a location that will be listed on the OWASP Dutch chapter site. The rules are simple: the evening starts at a certain time, ends at a certain time and will be filled with drinks, snacks, and nerd/hacker/geek humor and discussions in between.<br/><br />
Check the website frequently for the location of the next mini-meeting and OWASP cafe !<br/><br />
<br/><br />
<br />
== Meeting Schedule May 28th 2009: AppSec Europe 2009 ==<br />
<br />
'''Summary'''<br />
The main goal of the upcoming OWASP-NL meeting is to provide an abstract of the recently held AppSec Europe 2009, a VAC about CSRF and, new, an open discussion on application security subjects brought forward by the attendees. <br />
<table><br />
<tr><br />
<td width="350"><br />
ASR Nederland<br/><br />
<br/><br />
MD0.60 - Auditorium<br/><br />
Smallepad 30<br/><br />
3811MG Amersfoort<br/><br />
</td><br />
<td width="650"><br />
[[Image:ASR Nederland logo.jpg|200px]]<br />
</td><br />
</tr><br />
<tr><br />
<td width="350"><br />
</td><br />
<td width="650"><br />
<br />
<br/><br />
<br />
<br/><br />
</td><br />
</tr><br />
</table><br />
<br />
'''18.30 - 18.45 Introduction (OWASP organization, projects, sponsor) '''<br><br />
<br />
'''18.45 - 19.45 AppSec-EU 2009 (Sebastien Deleersnyder, Telindus) '''<br><br />
Update on the AppSec-EU 2009: <br><br />
OWASP State of the union, an update on OWASP and OWASP projects and of course the highlights of the AppSec-EU 2009 presentations.<br />
<br />
'''19.45 - 20.00 Break '''<br><br />
<br />
'''20.00 - 20.30 VAC Cross-Site Request Forgery (Niels Teusink, Fox-IT) ''' ([[Media:20090409_VAC-CSRF-Niels_Teusink.pdf]])<br><br />
CSRF is an attack which forces an end user to execute unwanted actions on a web application in which he/she is currently authenticated. With a little help of social engineering (like sending a link via email/chat), an attacker may force the users of a web application to execute actions of the attacker's choosing. A successful CSRF exploit can compromise end user data and operation in case of normal user. If the targeted end user is the administrator account, this can compromise the entire web application.<br />
<br />
Niels Teusink holds a bachelor degree in Computer Science and has been experimenting with IT security for over a decade. He has worked for Fox-IT since 2005; first as a software engineer and since 2007 as a penetration tester. He has since performed dozens of penetration tests for all sorts of companies, including governments, banks and nuclear installations.<br />
<br />
'''20.30 - 21.15 Open session / discussion (Martin Knobloch/Ferdinand Vroom/Peter Gouwentak) ''' <br><br />
Open session / discussion about subjects brought forward by the attendees.<br />
<br />
The Announcement of this meeting: [[Media:Announcement OWASP-NL May 28th 2009.pdf]]<br><br />
The flyer of this meeting: [[Media:owasp_NL_may2009.pdf]]<br />
<br />
== Meeting minutes April 9th 2009 ==<br />
<br />
At April 9th, the Dutch OWASP chapter came together at the office of Sogeti in Vianen. The main topic of the evening was "knowing your enemy". There were 3 speakers and approximately 50 attendees.<br/><br />
<br/><br />
The sponsor of the evening started with a small welcome and an overview of their internal security program named PASS. After some small announcements from the OWASP the evening started.<br/><br />
<br/><br />
'''First presentation:''' Modern information gathering; how to abuse search engines by Dave van Stein.<br/><br />
The first presentation of the evening was about using search engines and crawlers to gain detailed information about webservers and websites. Ill configured webservers allow search engine crawlers to collect much information about a system, information that is stored and can be retrieved with search engines. Many websites and tools make use of this mechanism and, combined with DNS and WHOIS information, are able to provide detailed or sensitive information like usernames, vulnerabilities, present files or network topology about a system without targeting it directly.<br/><br />
Restricting crawlers to access a system can act as a first line of defence and reduce exposure and risks.<br/> <br />
<br/><br />
'''Second presentation:''' VAC Cross-site scripting by Martin Visser. <br/><br />
The second VAC on an OWASP meeting was about Cross-site scripting also known as XSS. XSS vulnerabilities are often misunderstood and underestimated but facts show that XSS vulnerability abusing attacks are nowadys the fastest growing and most widespread type of exploit. In short XSS vulnerabilities allow for user input to be executed when containing javascript or HTML code. When combined with other vulnerabilities the possibilities of these attacks are vitually limitless.<br/><br />
The only way to prevent these attacks is to sanitize all input and output fields, but this can be more difficult than it appears to be. Simply blacklisting fragments like <script> is not sufficient due to the possibility of recursivity (e.g. <scr<script>ipt>) and encoding (e.g. URL encoding: %3C%73%63%72%69%70%74%3E). Using multiple layers of filters on various places is the only way to assure enough protection against these types of attacks.<br/><br />
<br/><br />
'''Third presentation:''' Beveiligingsaspecten van webapplicatie-ontwikkeling by Wouter van Kuipers. <br/><br />
The third presentation of the evening was about the efficiency of a source code analyer for php based websites. Approximately 33% of all websites use php and this can be explained by the low learning curve and ease of use of the language. Due to the low learning curve many php developers have little experience with programming and almost no awareness regading security resulting in many unsecure websites. Source code analysis can help preventing many security issues, but their usage does have some limitations. Firstly the scan on itself takes only a few minutes, but analysing the results requires much longer and depends greatly on how familiar the analyser is with the scanned source code. Second these analysers produce many flase positives, making analysis even more time consuming. Lastly not all vulnerabilities are detected with the same efficiency. Especially vulnerabilities that are dependent on the application logic like injection or XSS are not always efficiently detected.<br/><br />
Concluding, like all tools, a source code analyser can be a powerful tool, but one has to be aware of its limitations. These tools can provide results very fast, but when used on unfamiliar code the analysis can be very time consuming.<br />
<br/><br />
<br />
<br />
== Meeting Schedule 9th April Knowing Your Enemy ==<br />
<br />
'''Summary'''<br />
The main goal of the upcoming OWASP-NL meeting is to provide information to managers, architects, designers, developers and security and risk professionals. The speakers will give specific examples and there will be time to ask questions. <br />
<table><br />
<tr><br />
<td width="350"><br />
Lange Dreef 17<br/><br />
4131 NJ Vianen<br/><br />
</td><br />
<td width="650"><br />
[[Image:Sogeti_Nederland_b_v_Logo.jpg|http:\\www.sogeti.nl]]<br />
</td><br />
</tr><br />
<tr><br />
<td width="350"><br />
</td><br />
<td width="650"><br />
About Sogeti Nederland B.V.<br />
Sogeti Nederland B.V. is one of top-5 IT companies of the Netherlands. Our workforce of over 3,500 employees provides top quality IT consultancy and services to leading companies in several industry sectors in the Netherlands. Our focus is local, but we are part of Sogeti Worldwide, offering IT services in the American, German, French, Belgian, UK, Swedish, Swiss and Spanish markets. <br />
<br />
Our core business is the design, construction, deployment, testing and maintenance of IT solutions. We stand for quality and IT skills; this is visible in our service and in the methods developed by us such as DYA®, Regatta®, TMap®, TPI® , Inframe®, and TEmb. <br />
<br />
Vision<br />
Sogeti delivers value by aligning the results of her services to the strategic goals of the client, thereby committing herself to the success of the client. We prove our commitment by assuming responsibility in various forms and to various degrees. <br />
<br />
New trends<br />
Our own research institute ViNT (Institute for Research into New Technology) keeps us and our clients ahead of the newest technology trends and their potential influence, benefits and risks.<br />
<br/><br />
More information about Sogeti can be found on our website www.sogeti.nl.<br />
<br/><br />
</td><br />
</tr><br />
</table><br />
<br />
'''18.30 - 18.45 Introduction (OWASP organization, projects, sponsor) '''<br><br />
'''18.45 - 19.30 Modern information gathering; how to abuse search engines Dave van Stein '''([[Media:20090409_passsive_reconnaissance-Dave_van_Stein.pdf]])<br><br />
Great generals already know the key to success is "knowing your enemy". In hacking terms this is called information gathering, fingerprinting or reconnaissance. Traditionally this phase consisted of using public records like WHOIS and DNS combined with active scans on servers. With the rise of advanced search engines like Yahoo, Live Search and Google a whole new type of reconnaissance has come to life; passive reconnaissance. Often servers are not properly configured which causes lots of valuable information to become available without accessing the server at all. Recently several hacker-tools appeared which use the full capabilities of these search engines giving hackers a head-start at mapping the network they plan to attack. The goal of this session is to give insight in the methods and tools hackers have at their disposal to gather information about systems they plan to attack without accessing the system itself. <br />
Dave van Stein has close to 8 years of experience in software testing. Since the beginning of 2008 he's working for ps_testware as a web application security testing specialist. <br />
<br />
'''19.30 - 20.00 VAC Cross-site scripting Martin Visser '''([[Media:20090409_VAC_Cross-site-scripting_Martin_Visser.pdf]])<br><br />
Martin Visser is a software designer with Sogeti Nederland B.V. specialized in secure application development with Microsoft technologies. He has experience with Microsoft server technologies like ASP.NET, SharePoint and Biztalk. Martin also developed and teaches a 2-day "Application Security - Microsoft development" course both within and outside Sogeti. <br />
<br />
'''20.00 - 20.15 Break ''' <br><br />
'''20.15 - 21.00 Beveiligingsaspecten van webapplicatie-ontwikkeling Wouter van Kuipers ''' ([[Media:20090409_presentatie_Wouter_van_Kuipers.pdf]])<br><br />
Het ontwikkelen van webapplicaties verschilt op verschillende aspecten met het ontwikkelen van desktop applicaties, met name op het gebied van security. Voor grote bedrijven zijn er oplossingen beschikbaar als bijvoorbeeld SDL, maar voor het midden- en kleinbedrijf zijn dit soort oplossingen beperkt, omdat zij vaak niet de middelen hebben om dergelijke strategieën uit te kunnen voeren. Voor zijn scriptie heeft Wouter van Kuipers middels een literatuuronderzoek, interviews met ontwikkelaars en een onderzoek naar Fortify 360 gekeken hoe het midden- en kleinbedrijf omgaat met deze verschillen en hoe zij het ontwikkelproces kunnen optimaliseren op het gebied van security.<br />
<br />
Na een MBO opleiding in de IT is Wouter van Kuipers via de HBO opleiding 'Communicatie Systemen' begin 2007 begonnen met een master<br />
Informatiekunde aan de Radboud Universiteit Nijmegen, welke hij in maart dit jaar hoopt af te ronden. Tijdens zijn MBO studie is zijn interesse in het ontwikkelen van webapplicaties gewekt, wat in 2003 resulteerde in het opzetten van een eigen web-development bedrijf. Dit bedrijf is met name gespecialiseerd in het ontwikkelen van webapplicaties op maat, en het ondersteunen van bedrijven op het gebied van web-developement op freelance basis.<br />
<br />
The flyer of this meeting: [[Media:owasp_NL_april2009.pdf]]<br />
<br />
== Past Events ==<br />
* Events held in [[Netherlands_Previous_Events_2008|2008]]<br />
* Events held in [[Netherlands_Previous_Events_2007|2007]]<br />
* Events held in [[Netherlands_Previous_Events_2006|2006]]<br />
* Events held in [[Netherlands_Previous_Events_2005|2005]]</div>Dvsteinhttps://wiki.owasp.org/index.php?title=Netherlands_Mini_Meeting_2009&diff=63216Netherlands Mini Meeting 20092009-05-30T18:42:53Z<p>Dvstein: /* Mini Meeting Topics 2009 */</p>
<hr />
<div>[[Netherlands]] Calendar and Topics for OWASP NL Mini Meetings:<br />
The 'Mini Meetings' are a informal platform to discus on a specific topic in a small group.<br />
Chair is, whoever put's in a topic. You will get all support by the OWASP NL Chapter Board!<br />
Those meetings must result in meeting notes and can result in a presentation on a OWASP NL Chapter meeting!<br />
<br />
== Mini Meeting Topics 2009 ==<br />
<br />
Topics addressed at the open discussion on the May 28th meeting:<br />
<br />
<pre><br />
Topic : Quickscans and other timeboxed test approaches<br />
Contact : put in your contact details<br />
----------<br />
Date : suggest a date<br />
Time : suggest a time<br />
Location : suggest a location<br />
</pre><br />
<pre><br />
Topic : Tools of the trade; exchange real-life experiences<br />
Contact : put in your contact details<br />
----------<br />
Date : suggest a date<br />
Time : suggest a time<br />
Location : suggest a location<br />
</pre><br />
<pre><br />
Topic : Web Application Firewalls<br />
Contact : put in your contact details<br />
----------<br />
Date : suggest a date<br />
Time : suggest a time<br />
Location : suggest a location<br />
</pre><br />
<pre><br />
Topic : SAMM, ASVS and other methodologies<br />
Contact : put in your contact details<br />
----------<br />
Date : suggest a date<br />
Time : suggest a time<br />
Location : suggest a location<br />
</pre><br />
Add your own suggestions below:<br />
<pre><br />
Topic : suggest a topic<br />
Contact : put in your contact details<br />
----------<br />
Date : suggest a date<br />
Time : suggest a time<br />
Location : suggest a location<br />
</pre><br />
<br />
== Mini Meeting minutes ==<br />
Space below is mend to put the Mini-Meeting-Note!<br />
<br />
'''Registration'''<br/><br />
If you want to attend, please send an email to the contact of the topic.<br/><br />
<br/><br />
All OWASP chapter meetings are free of charge and you don’t have to be an OWASP member to attend. There are never any vendor pitches or sales presentations at OWASP meetings.<br/><br />
<br/></div>Dvsteinhttps://wiki.owasp.org/index.php?title=Netherlands_Mini_Meeting_2009&diff=63215Netherlands Mini Meeting 20092009-05-30T18:42:04Z<p>Dvstein: /* Mini Meeting Topics 2009 */</p>
<hr />
<div>[[Netherlands]] Calendar and Topics for OWASP NL Mini Meetings:<br />
The 'Mini Meetings' are a informal platform to discus on a specific topic in a small group.<br />
Chair is, whoever put's in a topic. You will get all support by the OWASP NL Chapter Board!<br />
Those meetings must result in meeting notes and can result in a presentation on a OWASP NL Chapter meeting!<br />
<br />
== Mini Meeting Topics 2009 ==<br />
<br />
Topics addressed at the open discussion on the May 28th meeting:<br />
<br />
<pre><br />
Topic : Quickscans and other timeboxed test approaches<br />
Contact : put in your contact details<br />
----------<br />
Date : suggest a date<br />
Time : suggest a time<br />
Location : suggest a location<br />
</pre><br />
<pre><br />
Topic : Tools of the trade; exchange real-life experiences<br />
Contact : put in your contact details<br />
----------<br />
Date : suggest a date<br />
Time : suggest a time<br />
Location : suggest a location<br />
</pre><br />
<pre><br />
Topic : Web Application Firewalls<br />
Contact : put in your contact details<br />
----------<br />
Date : suggest a date<br />
Time : suggest a time<br />
Location : suggest a location<br />
</pre><br />
<pre><br />
Topic : SAMM, ASVS and other methodologies<br />
Contact : put in your contact details<br />
----------<br />
Date : suggest a date<br />
Time : suggest a time<br />
Location : suggest a location<br />
</pre><br />
<pre><br />
Topic : suggest a topic<br />
Contact : put in your contact details<br />
----------<br />
Date : suggest a date<br />
Time : suggest a time<br />
Location : suggest a location<br />
</pre><br />
<br />
== Mini Meeting minutes ==<br />
Space below is mend to put the Mini-Meeting-Note!<br />
<br />
'''Registration'''<br/><br />
If you want to attend, please send an email to the contact of the topic.<br/><br />
<br/><br />
All OWASP chapter meetings are free of charge and you don’t have to be an OWASP member to attend. There are never any vendor pitches or sales presentations at OWASP meetings.<br/><br />
<br/></div>Dvsteinhttps://wiki.owasp.org/index.php?title=Netherlands_Mini_Meeting_2009&diff=63214Netherlands Mini Meeting 20092009-05-30T18:41:10Z<p>Dvstein: /* Mini Meeting Topics 2009 */</p>
<hr />
<div>[[Netherlands]] Calendar and Topics for OWASP NL Mini Meetings:<br />
The 'Mini Meetings' are a informal platform to discus on a specific topic in a small group.<br />
Chair is, whoever put's in a topic. You will get all support by the OWASP NL Chapter Board!<br />
Those meetings must result in meeting notes and can result in a presentation on a OWASP NL Chapter meeting!<br />
<br />
== Mini Meeting Topics 2009 ==<br />
<br />
Topics addressed at the open discussion on the May 28th meeting:<br />
<br />
<pre><br />
Topic : Quickscans and other timeboxed test approaches<br />
Contact : put in your contact details<br />
----------<br />
Date : suggest a date<br />
Time : suggest a time<br />
Location : suggest a location<br />
<br />
Topic : Tools of the trade; exchange real-life experiences<br />
Contact : put in your contact details<br />
----------<br />
Date : suggest a date<br />
Time : suggest a time<br />
Location : suggest a location<br />
<br />
Topic : Web Application Firewalls<br />
Contact : put in your contact details<br />
----------<br />
Date : suggest a date<br />
Time : suggest a time<br />
Location : suggest a location<br />
<br />
Topic : SAMM, ASVS and other methodologies<br />
Contact : put in your contact details<br />
----------<br />
Date : suggest a date<br />
Time : suggest a time<br />
Location : suggest a location<br />
</pre><br />
<br />
<pre><br />
Topic : suggest a topic<br />
Contact : put in your contact details<br />
----------<br />
Date : suggest a date<br />
Time : suggest a time<br />
Location : suggest a location<br />
</pre><br />
<br />
== Mini Meeting minutes ==<br />
Space below is mend to put the Mini-Meeting-Note!<br />
<br />
'''Registration'''<br/><br />
If you want to attend, please send an email to the contact of the topic.<br/><br />
<br/><br />
All OWASP chapter meetings are free of charge and you don’t have to be an OWASP member to attend. There are never any vendor pitches or sales presentations at OWASP meetings.<br/><br />
<br/></div>Dvsteinhttps://wiki.owasp.org/index.php?title=Netherlands&diff=63189Netherlands2009-05-29T20:30:10Z<p>Dvstein: /* Meeting minutes May 28th 2009 */</p>
<hr />
<div>{{Chapter Template|chaptername=Netherlands|extra=The chapter leader is [mailto:owasp@irc2.nl Bert Koelewijn]<br />
<paypal>Netherlands</paypal><br />
|mailinglistsite=http://lists.owasp.org/mailman/listinfo/owasp-netherlands|emailarchives=http://lists.owasp.org/pipermail/owasp-netherlands}}<br />
<br />
=== Call for Speakers ===<br />
We are continuously looking for speakers and presentations make the chapter meetings as interesting as possible. Therefore we are looking inside and outside OWASP for known international specialists. But we know, there is a lot interesting stuf happening inside the Netherlands, too! <br/><br />
'''Presentations:''' Are you working on interesting subject, you would like to share your experiences with the OWASP community. Any topic related to application security will be appreciated!<br/><br />
'''VAC, Vulnerability, Attack, Countermeasure:''' The goal is an half hour in-depth technical presentation about a vulnerability, how it can be exploited and how to prevent it!<br/><br />
<br />
=== Sponsorship of a local chapter meeting ===<br />
We are continuously looking for locations to hold local chapter meetings. Therefore, we need companies willing to sponsor of host events.<br><br />
'''Hosting a local chapter meeting:''' To host a local chapter meeting, you facilitate the meeting location and beverage for the attendees<br><br />
'''Sponsorship of a local chapter meeting:''' You cover the cost of renting the location for the meeting and the payment of the beverages for the attendees<br><br />
'''Please let us know via the OWASP chapter meeting questionnaire of via email to martin.knobloch@owasp.org<br>'''<br />
<br />
== '''OWASP NL Cafe''' == <br />
<font color="red">'''NEW:'''</font><br />
Monthly informal platform to speak about (Web) application security matters! No registration required, just drop by!<br />
* no programm<br />
* no agenda<br />
* whatever comes up!<br />
<br />
Next (1st) OWASP Cafe, Thursday June 4th, from 7 pm, drop in whenever you can!<br />
As this is the first try, beverages, BBQ and some meat etc are on me (as long as stocks last)! Voluntary contributions welcome (food/beverages, no money)!<br />
<pre><br />
Where:<br />
Prof. Dr. Ornsteinlaan 14<br />
3431 EP Nieuwegein<br />
Public transport from Utrecht Centraal:<br />
Bus 74, bus stop "Zorgcentrum Zuilenstein" Nieuwegein (2 min walk)<br />
Streetcar / Tram stop: "Batau Noord" Nieuwegein (8 min walk)<br />
</pre><br />
Google map:<br />
http://maps.google.com/maps?f=q&source=s_q&hl=en&geocode=&q=prof.+dr.+ornsteinlaan+14,+3431+EP+Nieuwegein&sll=37.0625,-95.677068&sspn=42.901912,58.095703&ie=UTF8&z=16<br />
<br />
=='''OWASP NL Mini-Meetings''' == <br />
<font color="red">'''NEW:'''</font><br />
Platform to discus on specific issues related to (Web) Application Security. The topic's are brought in by the OWASP NL community!<br><br />
Something on your mind to discus, put your idea online at: Mini Meetings [[Netherlands_Mini_Meeting_2009|Netherlands_Mini_Meeting_2009]]<br />
<br />
== '''Meeting schedule 2009''' ==<br />
This is an overview of the 2009 local chapter meeting schedule. Details of the meetings can be found in the announcements that will be posted below this schedule.<br />
<pre><br />
April 9th<br />
----------<br />
Time : 18.00 - 21.30<br />
Main Topic : Knowing Your Enemy<br />
Presentations: Modern information gathering; how to abuse search engines Dave van Stein<br />
VAC Cross-site scripting Martin Visser <br />
Beveiligingsaspecten van webapplicatie-ontwikkeling Wouter van Kuipers <br />
Location : Lange Dreef 17<br />
4131 NJ Vianen<br />
Sponsor : Sogeti Nederland B.V.<br />
<br />
May 28th<br />
----------<br />
Time : 18.00 - 21.30<br />
Main Topic : AppSec Europe 2009<br />
Presentations: AppSec-EU 2009 Sebastien Deleersnyder, Telindus <br />
VAC Cross-Site Request Forgery Niels Teusink<br />
Open session / discussion about subjects brought forward by <br />
the attendees Martin Knobloch/Ferdinand Vroom/Peter Gouwentak<br />
Location : ASR Nederland<br />
MD0.60 - Auditorium<br />
Smallepad 30<br />
3811MG Amersfoort<br />
Sponsor : ASR Nederland<br />
<br />
September 24th<br />
----------<br />
Time : 17.30 - 21.30<br />
Main Topic : <br />
Presentations: <br />
Location : <br />
Sponsor : <br />
<br />
December 10th<br />
----------<br />
Time : 17.30 - 21.30<br />
Main Topic : <br />
Presentations: <br />
Location : <br />
Sponsor : <br />
</pre><br />
<br />
<br />
<br />
'''Registration'''<br><br />
If you want to attend, please send an email to: bert.koelewijn@owasp.org<br />
<br/><br />
<br/><br />
All OWASP chapter meetings are free of charge and you don't have to be an OWASP member to attend. There are never any vendor pitches or sales presentations at OWASP meetings.<br/><br />
<br/><br />
NOTE TO CISSP's: OWASP Meetings count towards CPE Credits.<br/><br />
<br/><br />
<br/><br />
<br />
== Meeting minutes May 28th 2009 ==<br />
<br />
At May 28th, the Dutch OWASP chapter came together at the ASR building in Amersfoort. The main topic of the evening was AppSec 2009. There were 2 speakers and approximately 20 attendees.<br/><br />
<br/><br />
There was no sponsor talk or general announcement so after a very short welcome talk by Bert the evening started.<br/><br />
<br/><br />
'''First presentation:''' AppSec 2009 by Sebastien Deleersnyder. <br/><br />
The first presentation of the evening was a recap of AppSec 2009 in Poland. The conference was a big success with around 170 attendees. The meeting preceded the 2009 edition of Confidence [http://2009.confidence.org.pl/] resulting in a week of security presentations and workshops. All AppSec presentations and many movies, pictures, and other material can be found on the AppSec wiki [http://www.owasp.org/index.php/OWASP_AppSec_Europe_2009_-_Poland] but a few items are worth mentioning in specific. First of all OWASP is growing and changing. These changes include a simplification of the membership fees, the introduction of a 'code of ethics', and a general review of all 120 projects. Other highlights are the project ASVS, which has reached an international standard status and updated versions of WebGoat and LabRat.<br/><br />
Lastly besides a Wiki and a LinkedIn group, OWASP is now also active on Twitter [http://twitter.com/owasp] and has two overview pages with all video [http://www.owasp.org/index.php/Category:OWASP_Video] and audio materials [http://www.owasp.org/index.php/OWASP_Podcast].<br/><br />
Feel free to use all the materials (as long as you abide by the new code of ethics off course) and visit the OWASP websites frequently for updates !<br/><br />
<br/><br />
'''Second presentation:''' VAC Cross-Site Request Forgery by Niels Teusink. <br/><br />
After succesfull VAC's about SQL injection and Cross-site scripting, the topic of this evening's VAC was Cross-site Request Forgery, also known as CSRF. CSRF is probably one of the least understood vulnerabilities, but can have tremendous consequences when succesfully exploited. In essence it is an attack that misuses the victim's autorisations with malicious scripts. CSRF attacks can also be easily combined with other attack, like e.g. XSS, making them even more dangerous. <br/><br />
Despite the name suggests, these attacks do not have to be on different websites (domains). With the continuing trend to combine multiple functionalities in a single application, so-called onsite request forgeries are becoming more and more frequent. Contrary to XSS and SQL injection, CSRF can not be blocked by input validation. In order to prevent these kind of attacks, an application has to able to verify the authenticity of a request. This can be achieved by several methods like using a unique identifier for a session or each request or requiring additional user input like a CAPTCHA or a one-time token. <br/><br />
<br/><br />
'''Open Discussion''' <br/><br />
The evening was closed with an open discussion about how to improve knowledge sharing among the OWASP members. Many interesting discussions start during the drinks after the presentations on the OWASP evenings, discussions that sadly often are stopped prematurly due to time restraints.<br/><br />
As an addition on the quarterly presentation evenings, the Dutch chapter decided to also start mini-meetings and the OWASP cafe.<br/><br />
Mini-meetings will not be planned on beforehand, but instead will be planned when a topic is proposed and enough attendees have stated an interest in the topic. The attendees will have to select a location themselves but can request a donation from the OWASP for drinks and snacks. Topics discussed at the mini-meeting will have to be listed in minutes so other members can also profit from this knowledge exchange.<br/><br />
The OWASP cafe will be planned each first thursday of the month on a location that will be listed on the OWASP Dutch chapter site. The rules are simple: the evening starts at a certain time, ends at a certain time and will be filled with drinks, snacks, and nerd/hacker/geek humor and discussions in between.<br/><br />
Check the website frequently for the location of the next mini-meeting and OWASP cafe !<br/><br />
<br/><br />
<br />
== Meeting Schedule May 28th 2009: AppSec Europe 2009 ==<br />
<br />
'''Summary'''<br />
The main goal of the upcoming OWASP-NL meeting is to provide an abstract of the recently held AppSec Europe 2009, a VAC about CSRF and, new, an open discussion on application security subjects brought forward by the attendees. <br />
<table><br />
<tr><br />
<td width="350"><br />
ASR Nederland<br/><br />
<br/><br />
MD0.60 - Auditorium<br/><br />
Smallepad 30<br/><br />
3811MG Amersfoort<br/><br />
</td><br />
<td width="650"><br />
[[Image:ASR Nederland logo.jpg|200px]]<br />
</td><br />
</tr><br />
<tr><br />
<td width="350"><br />
</td><br />
<td width="650"><br />
<br />
<br/><br />
<br />
<br/><br />
</td><br />
</tr><br />
</table><br />
<br />
'''18.30 - 18.45 Introduction (OWASP organization, projects, sponsor) '''<br><br />
<br />
'''18.45 - 19.45 AppSec-EU 2009 (Sebastien Deleersnyder, Telindus) '''<br><br />
Update on the AppSec-EU 2009: <br><br />
OWASP State of the union, an update on OWASP and OWASP projects and of course the highlights of the AppSec-EU 2009 presentations.<br />
<br />
'''19.45 - 20.00 Break '''<br><br />
<br />
'''20.00 - 20.30 VAC Cross-Site Request Forgery (Niels Teusink, Fox-IT) ''' ([[Media:20090409_VAC-CSRF-Niels_Teusink.pdf]])<br><br />
CSRF is an attack which forces an end user to execute unwanted actions on a web application in which he/she is currently authenticated. With a little help of social engineering (like sending a link via email/chat), an attacker may force the users of a web application to execute actions of the attacker's choosing. A successful CSRF exploit can compromise end user data and operation in case of normal user. If the targeted end user is the administrator account, this can compromise the entire web application.<br />
<br />
Niels Teusink holds a bachelor degree in Computer Science and has been experimenting with IT security for over a decade. He has worked for Fox-IT since 2005; first as a software engineer and since 2007 as a penetration tester. He has since performed dozens of penetration tests for all sorts of companies, including governments, banks and nuclear installations.<br />
<br />
'''20.30 - 21.15 Open session / discussion (Martin Knobloch/Ferdinand Vroom/Peter Gouwentak) ''' <br><br />
Open session / discussion about subjects brought forward by the attendees.<br />
<br />
The Announcement of this meeting: [[Media:Announcement OWASP-NL May 28th 2009.pdf]]<br><br />
The flyer of this meeting: [[Media:owasp_NL_may2009.pdf]]<br />
<br />
== Meeting Schedule 9th April Knowing Your Enemy ==<br />
<br />
'''Summary'''<br />
The main goal of the upcoming OWASP-NL meeting is to provide information to managers, architects, designers, developers and security and risk professionals. The speakers will give specific examples and there will be time to ask questions. <br />
<table><br />
<tr><br />
<td width="350"><br />
Lange Dreef 17<br/><br />
4131 NJ Vianen<br/><br />
</td><br />
<td width="650"><br />
[[Image:Sogeti_Nederland_b_v_Logo.jpg|http:\\www.sogeti.nl]]<br />
</td><br />
</tr><br />
<tr><br />
<td width="350"><br />
</td><br />
<td width="650"><br />
About Sogeti Nederland B.V.<br />
Sogeti Nederland B.V. is one of top-5 IT companies of the Netherlands. Our workforce of over 3,500 employees provides top quality IT consultancy and services to leading companies in several industry sectors in the Netherlands. Our focus is local, but we are part of Sogeti Worldwide, offering IT services in the American, German, French, Belgian, UK, Swedish, Swiss and Spanish markets. <br />
<br />
Our core business is the design, construction, deployment, testing and maintenance of IT solutions. We stand for quality and IT skills; this is visible in our service and in the methods developed by us such as DYA®, Regatta®, TMap®, TPI® , Inframe®, and TEmb. <br />
<br />
Vision<br />
Sogeti delivers value by aligning the results of her services to the strategic goals of the client, thereby committing herself to the success of the client. We prove our commitment by assuming responsibility in various forms and to various degrees. <br />
<br />
New trends<br />
Our own research institute ViNT (Institute for Research into New Technology) keeps us and our clients ahead of the newest technology trends and their potential influence, benefits and risks.<br />
<br/><br />
More information about Sogeti can be found on our website www.sogeti.nl.<br />
<br/><br />
</td><br />
</tr><br />
</table><br />
<br />
'''18.30 - 18.45 Introduction (OWASP organization, projects, sponsor) '''<br><br />
'''18.45 - 19.30 Modern information gathering; how to abuse search engines Dave van Stein '''([[Media:20090409_passsive_reconnaissance-Dave_van_Stein.pdf]])<br><br />
Great generals already know the key to success is "knowing your enemy". In hacking terms this is called information gathering, fingerprinting or reconnaissance. Traditionally this phase consisted of using public records like WHOIS and DNS combined with active scans on servers. With the rise of advanced search engines like Yahoo, Live Search and Google a whole new type of reconnaissance has come to life; passive reconnaissance. Often servers are not properly configured which causes lots of valuable information to become available without accessing the server at all. Recently several hacker-tools appeared which use the full capabilities of these search engines giving hackers a head-start at mapping the network they plan to attack. The goal of this session is to give insight in the methods and tools hackers have at their disposal to gather information about systems they plan to attack without accessing the system itself. <br />
Dave van Stein has close to 8 years of experience in software testing. Since the beginning of 2008 he's working for ps_testware as a web application security testing specialist. <br />
<br />
'''19.30 - 20.00 VAC Cross-site scripting Martin Visser '''([[Media:20090409_VAC_Cross-site-scripting_Martin_Visser.pdf]])<br><br />
Martin Visser is a software designer with Sogeti Nederland B.V. specialized in secure application development with Microsoft technologies. He has experience with Microsoft server technologies like ASP.NET, SharePoint and Biztalk. Martin also developed and teaches a 2-day "Application Security - Microsoft development" course both within and outside Sogeti. <br />
<br />
'''20.00 - 20.15 Break ''' <br><br />
'''20.15 - 21.00 Beveiligingsaspecten van webapplicatie-ontwikkeling Wouter van Kuipers ''' ([[Media:20090409_presentatie_Wouter_van_Kuipers.pdf]])<br><br />
Het ontwikkelen van webapplicaties verschilt op verschillende aspecten met het ontwikkelen van desktop applicaties, met name op het gebied van security. Voor grote bedrijven zijn er oplossingen beschikbaar als bijvoorbeeld SDL, maar voor het midden- en kleinbedrijf zijn dit soort oplossingen beperkt, omdat zij vaak niet de middelen hebben om dergelijke strategieën uit te kunnen voeren. Voor zijn scriptie heeft Wouter van Kuipers middels een literatuuronderzoek, interviews met ontwikkelaars en een onderzoek naar Fortify 360 gekeken hoe het midden- en kleinbedrijf omgaat met deze verschillen en hoe zij het ontwikkelproces kunnen optimaliseren op het gebied van security.<br />
<br />
Na een MBO opleiding in de IT is Wouter van Kuipers via de HBO opleiding 'Communicatie Systemen' begin 2007 begonnen met een master<br />
Informatiekunde aan de Radboud Universiteit Nijmegen, welke hij in maart dit jaar hoopt af te ronden. Tijdens zijn MBO studie is zijn interesse in het ontwikkelen van webapplicaties gewekt, wat in 2003 resulteerde in het opzetten van een eigen web-development bedrijf. Dit bedrijf is met name gespecialiseerd in het ontwikkelen van webapplicaties op maat, en het ondersteunen van bedrijven op het gebied van web-developement op freelance basis.<br />
<br />
The flyer of this meeting: [[Media:owasp_NL_april2009.pdf]]<br />
<br />
== Past Events ==<br />
* Events held in [[Netherlands_Previous_Events_2008|2008]]<br />
* Events held in [[Netherlands_Previous_Events_2007|2007]]<br />
* Events held in [[Netherlands_Previous_Events_2006|2006]]<br />
* Events held in [[Netherlands_Previous_Events_2005|2005]]</div>Dvsteinhttps://wiki.owasp.org/index.php?title=Netherlands&diff=63188Netherlands2009-05-29T20:29:50Z<p>Dvstein: /* Meeting Schedule May 28th 2009: AppSec Europe 2009 */</p>
<hr />
<div>{{Chapter Template|chaptername=Netherlands|extra=The chapter leader is [mailto:owasp@irc2.nl Bert Koelewijn]<br />
<paypal>Netherlands</paypal><br />
|mailinglistsite=http://lists.owasp.org/mailman/listinfo/owasp-netherlands|emailarchives=http://lists.owasp.org/pipermail/owasp-netherlands}}<br />
<br />
=== Call for Speakers ===<br />
We are continuously looking for speakers and presentations make the chapter meetings as interesting as possible. Therefore we are looking inside and outside OWASP for known international specialists. But we know, there is a lot interesting stuf happening inside the Netherlands, too! <br/><br />
'''Presentations:''' Are you working on interesting subject, you would like to share your experiences with the OWASP community. Any topic related to application security will be appreciated!<br/><br />
'''VAC, Vulnerability, Attack, Countermeasure:''' The goal is an half hour in-depth technical presentation about a vulnerability, how it can be exploited and how to prevent it!<br/><br />
<br />
=== Sponsorship of a local chapter meeting ===<br />
We are continuously looking for locations to hold local chapter meetings. Therefore, we need companies willing to sponsor of host events.<br><br />
'''Hosting a local chapter meeting:''' To host a local chapter meeting, you facilitate the meeting location and beverage for the attendees<br><br />
'''Sponsorship of a local chapter meeting:''' You cover the cost of renting the location for the meeting and the payment of the beverages for the attendees<br><br />
'''Please let us know via the OWASP chapter meeting questionnaire of via email to martin.knobloch@owasp.org<br>'''<br />
<br />
== '''OWASP NL Cafe''' == <br />
<font color="red">'''NEW:'''</font><br />
Monthly informal platform to speak about (Web) application security matters! No registration required, just drop by!<br />
* no programm<br />
* no agenda<br />
* whatever comes up!<br />
<br />
Next (1st) OWASP Cafe, Thursday June 4th, from 7 pm, drop in whenever you can!<br />
As this is the first try, beverages, BBQ and some meat etc are on me (as long as stocks last)! Voluntary contributions welcome (food/beverages, no money)!<br />
<pre><br />
Where:<br />
Prof. Dr. Ornsteinlaan 14<br />
3431 EP Nieuwegein<br />
Public transport from Utrecht Centraal:<br />
Bus 74, bus stop "Zorgcentrum Zuilenstein" Nieuwegein (2 min walk)<br />
Streetcar / Tram stop: "Batau Noord" Nieuwegein (8 min walk)<br />
</pre><br />
Google map:<br />
http://maps.google.com/maps?f=q&source=s_q&hl=en&geocode=&q=prof.+dr.+ornsteinlaan+14,+3431+EP+Nieuwegein&sll=37.0625,-95.677068&sspn=42.901912,58.095703&ie=UTF8&z=16<br />
<br />
=='''OWASP NL Mini-Meetings''' == <br />
<font color="red">'''NEW:'''</font><br />
Platform to discus on specific issues related to (Web) Application Security. The topic's are brought in by the OWASP NL community!<br><br />
Something on your mind to discus, put your idea online at: Mini Meetings [[Netherlands_Mini_Meeting_2009|Netherlands_Mini_Meeting_2009]]<br />
<br />
== '''Meeting schedule 2009''' ==<br />
This is an overview of the 2009 local chapter meeting schedule. Details of the meetings can be found in the announcements that will be posted below this schedule.<br />
<pre><br />
April 9th<br />
----------<br />
Time : 18.00 - 21.30<br />
Main Topic : Knowing Your Enemy<br />
Presentations: Modern information gathering; how to abuse search engines Dave van Stein<br />
VAC Cross-site scripting Martin Visser <br />
Beveiligingsaspecten van webapplicatie-ontwikkeling Wouter van Kuipers <br />
Location : Lange Dreef 17<br />
4131 NJ Vianen<br />
Sponsor : Sogeti Nederland B.V.<br />
<br />
May 28th<br />
----------<br />
Time : 18.00 - 21.30<br />
Main Topic : AppSec Europe 2009<br />
Presentations: AppSec-EU 2009 Sebastien Deleersnyder, Telindus <br />
VAC Cross-Site Request Forgery Niels Teusink<br />
Open session / discussion about subjects brought forward by <br />
the attendees Martin Knobloch/Ferdinand Vroom/Peter Gouwentak<br />
Location : ASR Nederland<br />
MD0.60 - Auditorium<br />
Smallepad 30<br />
3811MG Amersfoort<br />
Sponsor : ASR Nederland<br />
<br />
September 24th<br />
----------<br />
Time : 17.30 - 21.30<br />
Main Topic : <br />
Presentations: <br />
Location : <br />
Sponsor : <br />
<br />
December 10th<br />
----------<br />
Time : 17.30 - 21.30<br />
Main Topic : <br />
Presentations: <br />
Location : <br />
Sponsor : <br />
</pre><br />
<br />
<br />
<br />
'''Registration'''<br><br />
If you want to attend, please send an email to: bert.koelewijn@owasp.org<br />
<br/><br />
<br/><br />
All OWASP chapter meetings are free of charge and you don't have to be an OWASP member to attend. There are never any vendor pitches or sales presentations at OWASP meetings.<br/><br />
<br/><br />
NOTE TO CISSP's: OWASP Meetings count towards CPE Credits.<br/><br />
<br/><br />
<br/><br />
<br />
== Meeting minutes May 28th 2009 ==<br />
<br />
At May 28th, the Dutch OWASP chapter came together at the ASR building in Amersfoort. The main topic of the evening was AppSec 2009. There were 2 speakers and approximately 20 attendees.<br/><br />
<br/><br />
There was no sponsor talk or general announcement so after a very short welcome talk by Bert the evening started.<br/><br />
<br/><br />
'''First presentation:''' AppSec 2009 by Sebastien Deleersnyder. <br/><br />
The first presentation of the evening was a recap of AppSec 2009 in Poland. The conference was a big success with around 170 attendees. The meeting preceded the 2009 edition of Confidence [http://2009.confidence.org.pl/] resulting in a week of security presentations and workshops. All AppSec presentations and many movies, pictures, and other material can be found on the AppSec wiki [http://www.owasp.org/index.php/OWASP_AppSec_Europe_2009_-_Poland] but a few items are worth mentioning in specific. First of all OWASP is growing and changing. These changes include a simplification of the membership fees, the introduction of a 'code of ethics', and a general review of all 120 projects. Other highlights are the project ASVS, which has reached an international standard status and updated versions of WebGoat and LabRat.<br/><br />
Lastly besides a Wiki and a LinkedIn group, OWASP is now also active on Twitter [http://twitter.com/owasp] and has two overview pages with all video [http://www.owasp.org/index.php/Category:OWASP_Video] and audio materials [http://www.owasp.org/index.php/OWASP_Podcast].<br/><br />
Feel free to use all the materials (as long as you abide by the new code of ethics off course) and visit the OWASP websites frequently for updates !<br/><br />
<br/><br />
<br/><br />
'''Second presentation:''' VAC Cross-Site Request Forgery by Niels Teusink. <br/><br />
After succesfull VAC's about SQL injection and Cross-site scripting, the topic of this evening's VAC was Cross-site Request Forgery, also known as CSRF. CSRF is probably one of the least understood vulnerabilities, but can have tremendous consequences when succesfully exploited. In essence it is an attack that misuses the victim's autorisations with malicious scripts. CSRF attacks can also be easily combined with other attack, like e.g. XSS, making them even more dangerous. <br/><br />
Despite the name suggests, these attacks do not have to be on different websites (domains). With the continuing trend to combine multiple functionalities in a single application, so-called onsite request forgeries are becoming more and more frequent. Contrary to XSS and SQL injection, CSRF can not be blocked by input validation. In order to prevent these kind of attacks, an application has to able to verify the authenticity of a request. This can be achieved by several methods like using a unique identifier for a session or each request or requiring additional user input like a CAPTCHA or a one-time token. <br/><br />
<br/><br />
'''Open Discussion''' <br/><br />
The evening was closed with an open discussion about how to improve knowledge sharing among the OWASP members. Many interesting discussions start during the drinks after the presentations on the OWASP evenings, discussions that sadly often are stopped prematurly due to time restraints.<br/><br />
As an addition on the quarterly presentation evenings, the Dutch chapter decided to also start mini-meetings and the OWASP cafe.<br/><br />
Mini-meetings will not be planned on beforehand, but instead will be planned when a topic is proposed and enough attendees have stated an interest in the topic. The attendees will have to select a location themselves but can request a donation from the OWASP for drinks and snacks. Topics discussed at the mini-meeting will have to be listed in minutes so other members can also profit from this knowledge exchange.<br/><br />
The OWASP cafe will be planned each first thursday of the month on a location that will be listed on the OWASP Dutch chapter site. The rules are simple: the evening starts at a certain time, ends at a certain time and will be filled with drinks, snacks, and nerd/hacker/geek humor and discussions in between.<br/><br />
Check the website frequently for the location of the next mini-meeting and OWASP cafe !<br/><br />
<br/><br />
<br />
== Meeting Schedule May 28th 2009: AppSec Europe 2009 ==<br />
<br />
'''Summary'''<br />
The main goal of the upcoming OWASP-NL meeting is to provide an abstract of the recently held AppSec Europe 2009, a VAC about CSRF and, new, an open discussion on application security subjects brought forward by the attendees. <br />
<table><br />
<tr><br />
<td width="350"><br />
ASR Nederland<br/><br />
<br/><br />
MD0.60 - Auditorium<br/><br />
Smallepad 30<br/><br />
3811MG Amersfoort<br/><br />
</td><br />
<td width="650"><br />
[[Image:ASR Nederland logo.jpg|200px]]<br />
</td><br />
</tr><br />
<tr><br />
<td width="350"><br />
</td><br />
<td width="650"><br />
<br />
<br/><br />
<br />
<br/><br />
</td><br />
</tr><br />
</table><br />
<br />
'''18.30 - 18.45 Introduction (OWASP organization, projects, sponsor) '''<br><br />
<br />
'''18.45 - 19.45 AppSec-EU 2009 (Sebastien Deleersnyder, Telindus) '''<br><br />
Update on the AppSec-EU 2009: <br><br />
OWASP State of the union, an update on OWASP and OWASP projects and of course the highlights of the AppSec-EU 2009 presentations.<br />
<br />
'''19.45 - 20.00 Break '''<br><br />
<br />
'''20.00 - 20.30 VAC Cross-Site Request Forgery (Niels Teusink, Fox-IT) ''' ([[Media:20090409_VAC-CSRF-Niels_Teusink.pdf]])<br><br />
CSRF is an attack which forces an end user to execute unwanted actions on a web application in which he/she is currently authenticated. With a little help of social engineering (like sending a link via email/chat), an attacker may force the users of a web application to execute actions of the attacker's choosing. A successful CSRF exploit can compromise end user data and operation in case of normal user. If the targeted end user is the administrator account, this can compromise the entire web application.<br />
<br />
Niels Teusink holds a bachelor degree in Computer Science and has been experimenting with IT security for over a decade. He has worked for Fox-IT since 2005; first as a software engineer and since 2007 as a penetration tester. He has since performed dozens of penetration tests for all sorts of companies, including governments, banks and nuclear installations.<br />
<br />
'''20.30 - 21.15 Open session / discussion (Martin Knobloch/Ferdinand Vroom/Peter Gouwentak) ''' <br><br />
Open session / discussion about subjects brought forward by the attendees.<br />
<br />
The Announcement of this meeting: [[Media:Announcement OWASP-NL May 28th 2009.pdf]]<br><br />
The flyer of this meeting: [[Media:owasp_NL_may2009.pdf]]<br />
<br />
== Meeting Schedule 9th April Knowing Your Enemy ==<br />
<br />
'''Summary'''<br />
The main goal of the upcoming OWASP-NL meeting is to provide information to managers, architects, designers, developers and security and risk professionals. The speakers will give specific examples and there will be time to ask questions. <br />
<table><br />
<tr><br />
<td width="350"><br />
Lange Dreef 17<br/><br />
4131 NJ Vianen<br/><br />
</td><br />
<td width="650"><br />
[[Image:Sogeti_Nederland_b_v_Logo.jpg|http:\\www.sogeti.nl]]<br />
</td><br />
</tr><br />
<tr><br />
<td width="350"><br />
</td><br />
<td width="650"><br />
About Sogeti Nederland B.V.<br />
Sogeti Nederland B.V. is one of top-5 IT companies of the Netherlands. Our workforce of over 3,500 employees provides top quality IT consultancy and services to leading companies in several industry sectors in the Netherlands. Our focus is local, but we are part of Sogeti Worldwide, offering IT services in the American, German, French, Belgian, UK, Swedish, Swiss and Spanish markets. <br />
<br />
Our core business is the design, construction, deployment, testing and maintenance of IT solutions. We stand for quality and IT skills; this is visible in our service and in the methods developed by us such as DYA®, Regatta®, TMap®, TPI® , Inframe®, and TEmb. <br />
<br />
Vision<br />
Sogeti delivers value by aligning the results of her services to the strategic goals of the client, thereby committing herself to the success of the client. We prove our commitment by assuming responsibility in various forms and to various degrees. <br />
<br />
New trends<br />
Our own research institute ViNT (Institute for Research into New Technology) keeps us and our clients ahead of the newest technology trends and their potential influence, benefits and risks.<br />
<br/><br />
More information about Sogeti can be found on our website www.sogeti.nl.<br />
<br/><br />
</td><br />
</tr><br />
</table><br />
<br />
'''18.30 - 18.45 Introduction (OWASP organization, projects, sponsor) '''<br><br />
'''18.45 - 19.30 Modern information gathering; how to abuse search engines Dave van Stein '''([[Media:20090409_passsive_reconnaissance-Dave_van_Stein.pdf]])<br><br />
Great generals already know the key to success is "knowing your enemy". In hacking terms this is called information gathering, fingerprinting or reconnaissance. Traditionally this phase consisted of using public records like WHOIS and DNS combined with active scans on servers. With the rise of advanced search engines like Yahoo, Live Search and Google a whole new type of reconnaissance has come to life; passive reconnaissance. Often servers are not properly configured which causes lots of valuable information to become available without accessing the server at all. Recently several hacker-tools appeared which use the full capabilities of these search engines giving hackers a head-start at mapping the network they plan to attack. The goal of this session is to give insight in the methods and tools hackers have at their disposal to gather information about systems they plan to attack without accessing the system itself. <br />
Dave van Stein has close to 8 years of experience in software testing. Since the beginning of 2008 he's working for ps_testware as a web application security testing specialist. <br />
<br />
'''19.30 - 20.00 VAC Cross-site scripting Martin Visser '''([[Media:20090409_VAC_Cross-site-scripting_Martin_Visser.pdf]])<br><br />
Martin Visser is a software designer with Sogeti Nederland B.V. specialized in secure application development with Microsoft technologies. He has experience with Microsoft server technologies like ASP.NET, SharePoint and Biztalk. Martin also developed and teaches a 2-day "Application Security - Microsoft development" course both within and outside Sogeti. <br />
<br />
'''20.00 - 20.15 Break ''' <br><br />
'''20.15 - 21.00 Beveiligingsaspecten van webapplicatie-ontwikkeling Wouter van Kuipers ''' ([[Media:20090409_presentatie_Wouter_van_Kuipers.pdf]])<br><br />
Het ontwikkelen van webapplicaties verschilt op verschillende aspecten met het ontwikkelen van desktop applicaties, met name op het gebied van security. Voor grote bedrijven zijn er oplossingen beschikbaar als bijvoorbeeld SDL, maar voor het midden- en kleinbedrijf zijn dit soort oplossingen beperkt, omdat zij vaak niet de middelen hebben om dergelijke strategieën uit te kunnen voeren. Voor zijn scriptie heeft Wouter van Kuipers middels een literatuuronderzoek, interviews met ontwikkelaars en een onderzoek naar Fortify 360 gekeken hoe het midden- en kleinbedrijf omgaat met deze verschillen en hoe zij het ontwikkelproces kunnen optimaliseren op het gebied van security.<br />
<br />
Na een MBO opleiding in de IT is Wouter van Kuipers via de HBO opleiding 'Communicatie Systemen' begin 2007 begonnen met een master<br />
Informatiekunde aan de Radboud Universiteit Nijmegen, welke hij in maart dit jaar hoopt af te ronden. Tijdens zijn MBO studie is zijn interesse in het ontwikkelen van webapplicaties gewekt, wat in 2003 resulteerde in het opzetten van een eigen web-development bedrijf. Dit bedrijf is met name gespecialiseerd in het ontwikkelen van webapplicaties op maat, en het ondersteunen van bedrijven op het gebied van web-developement op freelance basis.<br />
<br />
The flyer of this meeting: [[Media:owasp_NL_april2009.pdf]]<br />
<br />
== Past Events ==<br />
* Events held in [[Netherlands_Previous_Events_2008|2008]]<br />
* Events held in [[Netherlands_Previous_Events_2007|2007]]<br />
* Events held in [[Netherlands_Previous_Events_2006|2006]]<br />
* Events held in [[Netherlands_Previous_Events_2005|2005]]</div>Dvsteinhttps://wiki.owasp.org/index.php?title=Netherlands_Previous_Events_2008&diff=59624Netherlands Previous Events 20082009-04-28T19:49:44Z<p>Dvstein: /* Meeting minutes March 23th 2008 */</p>
<hr />
<div>[[Netherlands]] events held in 2008<br />
<br />
== Meeting schedule 2008 ==<br />
This is an overview of the 2008 local chapter meeting schedule. Details of the meetings can be found in the announcements that will be posted below this schedule.<br />
<pre><br />
March 26th<br />
----------<br />
Time : 17.30 - 21.30<br />
Main Topic : Software Vulnerability assessment<br />
Presentations: Complex(ity) matters, Mario de Boer (Dutch)<br />
V.A.C. SQL injection, Marinus Kuivenhoven (Dutch)<br />
Secure Programming with Static Analysis, Brian Chess (English) <br />
Location : Mercure Utrecht Nieuwegein, Buizerdlaan 10, 3435 SB Nieuwegein<br />
Sponsor : Fortify Software<br />
<br />
Oktober 27th<br />
----------<br />
Time : 17.30 - 21.30<br />
Main Topic : Privacy and the Internet<br />
Presentations: Privacy and Internet (Dutch), Frank Fruijthoff and Ellen Hoving<br />
Vulnerability and source code scanners. (Dutch) Emile Strijbos <br />
Location : ps_testware B.V., Dorpsstraat 26, 3941 JM DOORN<br />
Sponsor : ps_testware B.V.<br />
<br />
December 11th<br />
----------<br />
Time : 17.30 - 21.30<br />
Main Topic : Workshop: Architectural and design risk analysis<br />
Presentations: Architectural risk analyses (English), André N. Klingsheim and Lars-Helge Netland <br />
Location : TTY Amsterdam, Kerkstraat 342, 1017 JA Amsterdam<br />
Sponsor : TTY Internet Solutions<br />
</pre><br />
<br />
== Meeting minutes December 11th 2008 ==<br />
<br />
At December 11th, the Dutch OWASP chapter came together at the office of the sponsor of the evening; TTY in Amsterdam. The topic of the evening was 'Architectural and design risk analysis'. There were 2 speakers and approximately 28 attendees.<br/><br />
<br/><br />
The sponsor of the evening gave a small introduction about the company and the beautiful location they are housed in; a modernised old russian church in the centre of Amsterdam. After the introduction Bert Koelewijn asked for attention for the OWASP Education Project. This project aims to provide in building blocks of web application security information. Contributors are needed so if someone wants to participate please take a look at the project page [http://www.owasp.org/index.php/Category:OWASP_Education_Project].<br/><br />
<br/><br />
'''Presentation:''' Architectural and design risk analysis<br/><br />
After the introduction and the announcements the 2 Norwegian speakers of the evening were introduced: André N. Klingsheim & Lars-Helge Netland. <br />
During their PhD's both André & Lars-Helge researched the Norwegian banking systems and their vulnerabilities resulting in several papers and presentations [http://www.nowires.org/BankSecurity/]. The presentation of this evening focused on the current risks and the perception of these risks.<br/><br />
<br/><br />
Nowadays the trading in malware, botnets and vulnerabilities is maturing and industrializing. Attacks can be outsourced at bulk prices and threats no longer arise from a single or group of hackers, but can be bought as a service. This professionalisation requires a new approach in risk analysis and risk perception. The main problem in risk analysis is the human psyche; future risks are underestimated or tremendously overestimated, losses valued higher than gains, and attacks occured in the past are perceived 'more real'. This often results in inefficient investments in security contributing to the general perception that security is expensive.<br/><br />
<br/><br />
Another problem in risk analysis is the occurence of so-called 'black swans'. A black swan is a "large-impact, hard-to-predict, and rare event beyond the realm of normal expectations" [http://en.wikipedia.org/wiki/Black_swan_theory]. Due to the asymmetry in likehood and impact these events cannot be properly taken in to account for in traditional risk analysis models. A way of handling with these unforeseen risks is not using likelihood and impact to evaluate risks but instead look at the cost to fix and the cost of the consequence. <br/><br />
<br/><br />
The conclusions of the evening were that vulnerabilities will be more easily and quickly exploited and attacks more intense and coordinated in the coming years. This change requires a different approach in risk analysis. Vulnerabilities should be fixed as early and as many as possible without trying to estimate a likelihood of occuring. Implementing security as early as possible in the SDLC and increasing security awareness on all levels is the key in beating risks in a cost efficient way.<br/><br />
<br />
== Announcement December 11th 2008: Architectural and design risk analysis ==<br />
'''Summary'''<br/><br />
The main goal of the upcoming OWASP-NL meeting is to provide information to managers, architects, designers, developers and security and risk professionals about risk analyses in the architectural and design phases. The speakers will give specific examples and there will be time to ask questions.<br/><br />
Please register before December 8th because of the necessary catering arrangements.<br/><br />
<br/><br />
'''Location'''<br/><br />
The location and catering is provided by the sponsor of this meeting:<br/><br />
<table><br />
<tr><br />
<td width="350"><br />
TTY Internet Solutions<br/><br />
Kerkstraat 342<br/><br />
1017 JA Amsterdam<br/><br />
</td><br />
<td width="350"><br />
[[Image:TTYlogo.jpg|200px]]<br />
</td><br />
</tr><br />
<tr><br />
<td width="350"><br />
For the route by car or public transport please visit: http://tty.nl/nl/contact/amsterdam<br/><br />
</td><br />
<td width="350"><br />
TTY was founded in 1997 and has grown to be a solid Full Service Internet Partner. For a wide range of companies, large financial institutions, publishers and large insurance companies TTY develops high-traffic websites, shops, backoffice- and payment systems. TTY is especially known as a partner (and in some cases shareholder) of successful internet hits as<br />
2dehands.nl, ViaVia.nl, Nationale-Vacaturebank.nl, Sellaband.com, jaap.nl en Gekko.com.<br/><br />
For more information please visit: http://tty.nl<br/><br />
</td><br />
</tr><br />
</table><br />
<br/><br />
<br/><br />
'''Program'''<br/><br />
17.30 – 18.30 '''Check-In''' (catering included)<br/><br />
<br/><br />
18.30 – 19:00 '''Introduction''' (OWASP organization, projects, sponsor)<br/><br />
<br/><br />
19.00 – 21.00 '''Architectural risk analyses''' (English), André N. Klingsheim and Lars-Helge Netland<br/><br />
This workshop will explore how businesses can use risk analysis in the architecture/design phase of software development to produce more secure software. Participants will get an introduction to risk analysis, which will<br />
cover both definitions and how to apply the concepts in practice. The workshop consists of four parts: a short overview of current security threats; an introduction to risk management; an exploration of the limitations of risk management; and some real world applications of the presented techniques.<br/><br />
Lars-Helge Netland and André N. Klingsheim are software security analysts at, and co-owners of, NoWires Group AS. They both hold PhD degrees in applied software security, focused on risk analysis of software architecture and design.<br/><br />
<br/><br />
20.00 – 20:15 '''Break'''<br/><br />
<br/><br />
21.15 – 21:30 '''Discussion, questions and social'''<br/><br />
<br/><br />
If you want to attend, please send an email to: owasp@irc2.com.<br><br />
Please register before December 8th, because of the necessary catering arrangements.<br/><br />
<br/><br />
All OWASP chapter meetings are free of charge and you don’t have to be an OWASP member to attend. There are never any vendor pitches or sales presentations at OWASP meetings.<br/><br />
<br/><br />
NOTE TO CISSP's: OWASP Meetings count towards CPE Credits.<br/><br />
<br/><br />
The announcement and full descriptions can be found here:<br/><br />
[[Media:Announcement_11_December.pdf]]<br/><br />
<br />
== Meeting minutes October 27th 2008 ==<br />
<br />
At October 27th, the Dutch OWASP chapter came together at the office of the sponsor of the evening; ps_testware in Doorn. The subject of the evening was 'Privacy and the Internet’. There were 2 speakers and approximately 25 attendees.<br/><br />
<br/><br />
After a short welcome talk by both the sponsor and OWASP, Mario de Boer had an announcement about a new OWASP project; ORPRO, the Open Review Project. The goal of the project is to review Open Source Software from an independent point of view. Reviews will be done both manually and with the aid of source code analysis software provided by Fortify. The first software package to be reviewed is already available so reviewers are needed. More information can be found on the OWASP project page. [http://www.owasp.org/index.php/Category:OWASP_Open_Review_Project]<br/><br />
<br/><br />
'''First presentation:''' Privacy & the Internet presented by Frank Fruijthoff and Ellen Hoving. <br/><br />
The goal of this presentation was to show the problems in regulating privacy on the internet by law. The presentation was roughly split in 3 parts: definitions, requirements and context. <br/><br />
The main problem with regulating privacy is that the concept of privacy is very broad and not well defined. Privacy can have different meanings and consequences in different contexts. Most laws therefore focus on the individual and define privacy as 'protection of personal information' where 'personal information' is all data that can be tracked back to a single person. The last years many countries within the EU developed internet laws concerning privacy on the internet. These laws state that information can only be used what it originally was intended for and usage of that information must be reported at central register. This register also makes it possible to file a complaint and check what companies use personal information for what purposes. While these rules are mostly sufficient for local databases they often fail when applied to information stored on or with use of the internet. Problems encountered are captured in the "four D's";<br/><br />
- Internet is deterritorialized; internet has no boundaries.<br/><br />
- Internet is deregulated; internet has no law, only terms of use.<br/><br />
- Internet is dematerialized; internet is not physical.<br/><br />
- Internet is decentralized; there is no single regulating or controlling organization.<br/><br />
Although the protection of personal data is more and more covered by laws, the increasing usage of external storage and connections over the internet will make it harder to enforce them. The main conclusion of the evening was that, although many initiatives improving privacy exist, the very properties of the internet make it hard to ensure privacy completely. <br/><br />
<br/><br />
'''Second presentation:''' Vulnerability and source code scanners presented by E. Strijbos. This presentation showed the results of a research concerning the feasibility of a Web Application Security Certification by the usage of vulnerability scanners.<br/><br />
With the daily increasing amount of threads and vulnerabilities in web applications there is a market-driven demand for an independent and automated scan service. Current scan services often lack coverage and depth of scanning and give no details about the used scanning methods.<br/><br />
In this research several commercial vulnerability scanners and static analysis tools were compared and checked for scantime, accuracy, false positives, and ease of use. The results showed that almost all scanners find most of the vulnerabilities, but also produce many false positives. Also, without proper configuration the amount of results can be overwhelming and inconclusive. Furthermore results showed that static analysis scanners are much faster than vulnerability scanners, but have a more limited usage. The main conclusion was that although vulnerability scanners and static analysis tools can be very helpful in identifying vulnerabilities, their current efficiency is not high enough to use as the basis for an automated vulnerability scan.<br/><br />
<br />
== Meeting October 27th 2008: Privacy and the Internet ==<br />
'''Summary'''<br/><br />
The main goal of the upcoming OWASP-NL meeting is to provide information to developers and security professionals about personal and technical privacy on the internet. The speakers focus on privacy regulations related to the internet and on the mass amount of personal and technical information available about persons and companies on the internet, with and without their consent. Furthermore tools will be discussed that help prevent leakage of privacy related and other kind of data. They will give specific examples and there will be time to ask questions.<br/><br />
Please register before October 20th because of the necessary catering arrangements.<br/><br />
<br/><br />
'''Location'''<br/><br />
The location and catering is provided by the sponsor of this meeting:<br/><br />
<table><br />
<tr><br />
<td width="350"><br />
ps_testware B.V.<br/><br />
Dorpsstraat 26,<br/><br />
3941 JM DOORN<br/><br />
</td><br />
<td width="350"><br />
[[Image:Pstestware.jpg|100px]]<br />
</td><br />
</tr><br />
<tr><br />
<td width="350"><br />
The location has parking facilities for 15 cars. However parking in the direct vicinity of ps_testware shouldn’t be a problem.<br/><br />
</td><br />
<td width="350"><br />
ps_testware delivers services related to software testing and software quality. In the field of software development, quality, time-to-market, business processes and software acceptance they play the role of "your devil's advocate" as an independent, flexible and specialized partner.<br/><br />
For more information please visit: www.pstestware.com.<br/><br />
</td><br />
</tr><br />
</table><br />
<br/><br />
<br/><br />
'''Program'''<br/><br />
17.30 - 18.30 '''Check-In''' (catering included)<br/><br />
<br/><br />
18.30 – 19:00 '''Introduction''' (OWASP organization, projects, sponsor)<br/><br />
<br/><br />
19.00 - 20.15 '''Privacy and Internet''' (Dutch), Frank Fruijthoff and Ellen Hoving<br/><br />
In this presentation the general principles of privacy laws in the Netherlands and the EU and specifically privacy and the internet will be covered.<br/><br />
Frank Fruijthoff is a Compliance Officer with ING. He has a Compliance and Risk Management background and is specialised in privacy.<br/><br />
Ellen Hoving is a graduated lawyer. She works as an independent consultant specialized in compliance and privacy.<br/><br />
<br/><br />
20.15 – 20:30 '''Break'''<br/><br />
<br/><br />
20:30 – 21:00 '''Vulnerability and source code scanners''' (Dutch), Emile Strijbos<br />
<br/><br />
For his Master thesis in computer science at the Radboud Universiteit in Nijmegen, Emile Strijbos investigated vulnerability scanners and source code scanners. These are automated tools that try to detect security flaws, either in running web-applications or in their source code.<br/><br />
Emile tried out several of these tools, including both free and commercial ones, to see how good they are at detecting standard vulnerabilities, such as SQL injection, XSS, CSRF, etc.<br/><br />
<br/><br />
21.00 – 21:30 '''Discussion, questions and social'''<br/><br />
<br/><br />
If you want to attend, please send an email to: owasp@irc2.com.<br><br />
Please register before October 20th, because of the necessary catering arrangements. The number of registries is limited to 50 due to the capacity of the location and will be handled in order of receipt.<br/><br />
<br/><br />
All OWASP chapter meetings are free of charge and you don’t have to be an OWASP member to attend. There are never any vendor pitches or sales presentations at OWASP meetings.<br/><br />
<br/><br />
NOTE TO CISSP's: OWASP Meetings count towards CPE Credits.<br/><br />
<br/><br />
The announcement and full descriptions can be found here:<br/><br />
[[Media:Announcement_27_Oktober.pdf]]<br/><br />
<br />
== Meeting minutes March 26th 2008 ==<br />
<br />
At March 26th, the Dutch OWASP chapter came together in the Mercury hotel in Nieuwegein. The meeting was sponsored by Fortify Software. The subject of the evening was 'Software Vulnerability Assesment’. There were 3 speakers and approximately 40 attendees.<br/><br />
<br/><br />
After a short introduction of Migchiel de Jong (Fortify) about the subject of Static and Dynamic Analysis and the tools that Fortify provides the speakers of the evening where introduced.<br/><br />
<br/><br />
'''First presentation:''' Practices of Complex(ity) matters (Dutch), Mario de Boer<br/><br />
Mario de Boer has spent much of his free time the last 16 years into disassembling various pieces of software and analyzing the code and its statistics. The main advantage in analyzing binaries is that no access to source code is needed, all dependencies (i.e. the compiler) are included and it’s independent of the tool used. Disassembling compiled code gives great insight in the complexity of the software and the entry and exit points of data. Although there is no direct relation between the complexity of software and its security, statistically the most vulnerabilities appear in the most complex portions of a program. Data entry points in complex portions of the code can give rise to possible exploits so static analysis can give insight in the most vulnerable places in software which is useful information in testing.<br />
The disadvantages of static analysis are that an extensive knowledge of assembly is needed and, due to its statistic nature, it gives rise to many false positives. <br />
In conclusion static binary analysis, when used by experts, can be a powerful tool to gain insight in the most vulnerable parts of the software and be a valuable tool in both developing and testing software. <br/><br />
<br/><br />
'''Second presentation:''' V.A.C: SQL injection (Dutch), Marinus Kuivenhoven<br/><br />
A new reoccurring topic on OWASP presentations will be the so called VAC. In these presentations an expert will talk about a Vulnerability, how to Assess it and possible Countermeasures. This evening Marinus started with the second vulnerability in the OWASP top ten; SQL injections.<br/><br />
With the aid of Webgoat, a few simple examples and the possible consequences were shown. SQL injection is particularly useful exploit in the reconnaissance phase since it can be abused for information leakage and in getting information about e.g. the table structure. <br/><br />
On the internet and in literature many countermeasures against SQL injections are described. However, many of these countermeasures are not usable in a maintainable system or cannot prevent SQL injections completely. The most important conclusion was that input should never be trusted and should never be directly used.<br/><br />
<br/><br />
'''Third presentation:''' Secure Programming with Static Analysis (English), Brian Chess<br/><br />
The last speaker of the evening was Brian Chess who presented his new book ‘Secure Programming with Static Analysis’. Brian made clear that, although a powerful tool, static binary analysis is already too late in the SDLC to be successful in preventing vulnerabilities. Scanning for possible vulnerabilities should be implemented as early as possible i.e. during coding. The main advantages of static analysis are the cost and speed. Since errors and bad practices are identified in an early stage they can be solved at the spot, making auditing the software more efficient in term of time and depth. <br/><br />
Static analysis can successfully be used for style and type checking, program understanding and verification, and for security reviews. The success of static analysis, however, is fully depending on the rules implemented in the scanner. Static analysis is also unable to identify design flaws, right problems, or wrong user input. <br/><br />
The conclusion was that scanning for vulnerabilities can probably only be successful with the aid of static analysis, but many requirements should be met. Firstly it should become part of the SDLC and culture. Secondly the right tool should be picked and people should be trained in its use. Lastly investments should be made in building up a good rule set and metrics. <br/><br />
<br />
== Meeting March 26th 2008: Software Vulnerability assessment ==<br />
'''Summary'''<br/><br />
The main goal of the upcoming OWASP-NL meeting is to provide information to developers and security professionals involved in creating secure (web-)applications. The main focus will be on software vulnerability assessment. The speakers will give specific examples and of course there is time to ask questions about your own experiences.<br/><br />
<br/><br />
'''Location'''<br/><br />
The location and catering is provided by the sponsor of this meeting:<br/><br />
<table><br />
<tr><br />
<td width="350"><br />
Mercure Utrecht Nieuwegein<br/><br />
Buizerdlaan 10,<br/><br />
3435 SB Nieuwegein<br/><br />
</td><br />
<td width="350"><br />
[[Image:Fortify.JPG|143px]]<br />
</td><br />
</tr><br />
<tr><br />
<td width="350"><br />
</td><br />
<td width="350"><br />
Fortify Software products protect companies from today’s greatest security risk: the software applications that run their businesses. Combining deep application security expertise with extensive software development experience, Fortify Software has defined the market with award-winning products that span the software development cycle. Today, Fortify Software fortifies the software for the most demanding customer deployments, including the world’s largest, most varied code bases.<br/><br />
<br/><br />
For more information please visit:<br/><br />
www.fortify.com<br/><br />
</td><br />
</tr><br />
</table><br />
<br/><br />
<br/><br />
'''Program'''<br/><br />
17.30 - 18.30 '''Check-In''' (catering included)<br/><br />
<br/><br />
18.30 - 18:50 '''Introduction''' (OWASP, sponsor)<br/><br />
<br/><br />
18.50 - 19.30 '''Complex(ity) matters''' (Dutch), Mario de Boer<br/><br />
Various methods exist to locate specific vulnerabilities in software. In the presentation we will look at static analysis of binaries, and the problems we face when trying to locate vulnerabilities. Several ideas will be discussed to make the search easier, but at the same time less exact. The first idea is trivial: automate as much as possible. The second idea is nearly trivial: don't aim at exact vulnerabilities but relax the search to locating potential vulnerabilities. We will give examples that illustrate the results.<br/><br />
Mario de Boer is a senior security consultant at Logica, and as such focuses on security management aspects like security frameworks, compliance, monitoring and control and risk management. Before joining Logica, Mario worked at the Dutch ministries of Defense and Justice, he co-founded a security company and worked as a project manager in the financial sector. For several years he taught courses in software security analysis and secure software development. Besides security management, Mario has interest in software security, reverse engineering and cryptography. Within Logica Netherlands, he is knowledge manager application security. Mario holds a PhD in Mathematics and is CISA and CISSP.<br/><br />
<br/><br />
19.30 - 19:50 '''Break'''<br/><br />
<br/><br />
19:50 - 20:20 '''V.A.C: SQL injection''' (Dutch), Marinus Kuivenhoven<br />
<br/><br />
<u>'''V'''ulnerability:</u><br/><br />
An application which uses a database for its information needs, communicates with it trough SQL. SQL injection is an attack in which malicious code is inserted into strings that are later passed to an instance of a Database for parsing and execution.<br/><br />
<u>'''A'''ssessment:</u><br/><br />
SQL injection can threaten the confidentiality, availability and integrity of the data. The various types of SQL injection and their impact will be shown.<br/><br />
<u>'''C'''ountermeasure:</u><br/><br />
Any procedure that constructs SQL statements should be reviewed for injection vulnerabilities because a database will execute all syntactically valid queries that it receives. How this should be done will be shown for the most popular languages.<br/><br />
Marinus is a Technology Specialist with Sogeti Nederland B.V. specializing in service oriented architectures and secure application development. His experience includes developing and administrating Oracle-based systems.<br/><br />
<br/><br />
20.20 - 21.00 '''Secure Programming with Static Analysis''' (English), Brian Chess<br/><br />
Creating secure code requires more than just good intentions. Programmers need to know how to make their code safe in an almost infinite number of scenarios and configurations. Static source code analysis gives users the ability to review their work with a fine tooth comb and uncover the kinds of errors that lead directly to vulnerabilities. This talk frames the software security problem and shows how static analysis is part of the solution. We will look at how static analysis works, how to integrate it into the software development processes, and how to make the most of it during security code review. Along the way we'll look at examples taken from real-world security incidents, showing how coding errors are exploited, how they could have been prevented, and how static analysis can rapidly uncover similar errors.<br/><br />
Brian Chess is a founder of Fortify Software and serves as Fortify's Chief Scientist, where his work focuses on practical methods for creating secure systems. His book, Secure Programming with Static Analysis, shows how static source code analysis is an indispensable tool for getting security right. Brian holds a Ph.D. in computer engineering from the University of California at Santa Cruz, where he studied the application of static analysis to the problem of finding security-relevant defects in source code. Before settling on security, Brian spent a decade in Silicon Valley working at huge companies and small startups. He has done research on a broad set of topics, ranging from integrated circuit design all the way to delivering software as a service.<br/><br />
<br/><br />
21.00 - 21:30 '''Discussion, questions and social'''<br/><br />
<br/><br />
'''Registration'''<br/><br />
If you want to attend, please send an email to: owasp@irc2.com.<br/><br />
<br/><br />
All OWASP chapter meetings are free of charge and you don’t have to be an OWASP member to attend. There are never any vendor pitches or sales presentations at OWASP meetings.<br/><br />
<br/><br />
NOTE TO CISSP's: OWASP Meetings count towards CPE Credits.<br/><br />
<br/></div>Dvsteinhttps://wiki.owasp.org/index.php?title=Netherlands_Previous_Events_2008&diff=59623Netherlands Previous Events 20082009-04-28T19:49:05Z<p>Dvstein: /* Announcement December 11th 2008: Architectural and design risk analysis */</p>
<hr />
<div>[[Netherlands]] events held in 2008<br />
<br />
== Meeting schedule 2008 ==<br />
This is an overview of the 2008 local chapter meeting schedule. Details of the meetings can be found in the announcements that will be posted below this schedule.<br />
<pre><br />
March 26th<br />
----------<br />
Time : 17.30 - 21.30<br />
Main Topic : Software Vulnerability assessment<br />
Presentations: Complex(ity) matters, Mario de Boer (Dutch)<br />
V.A.C. SQL injection, Marinus Kuivenhoven (Dutch)<br />
Secure Programming with Static Analysis, Brian Chess (English) <br />
Location : Mercure Utrecht Nieuwegein, Buizerdlaan 10, 3435 SB Nieuwegein<br />
Sponsor : Fortify Software<br />
<br />
Oktober 27th<br />
----------<br />
Time : 17.30 - 21.30<br />
Main Topic : Privacy and the Internet<br />
Presentations: Privacy and Internet (Dutch), Frank Fruijthoff and Ellen Hoving<br />
Vulnerability and source code scanners. (Dutch) Emile Strijbos <br />
Location : ps_testware B.V., Dorpsstraat 26, 3941 JM DOORN<br />
Sponsor : ps_testware B.V.<br />
<br />
December 11th<br />
----------<br />
Time : 17.30 - 21.30<br />
Main Topic : Workshop: Architectural and design risk analysis<br />
Presentations: Architectural risk analyses (English), André N. Klingsheim and Lars-Helge Netland <br />
Location : TTY Amsterdam, Kerkstraat 342, 1017 JA Amsterdam<br />
Sponsor : TTY Internet Solutions<br />
</pre><br />
<br />
== Meeting minutes December 11th 2008 ==<br />
<br />
At December 11th, the Dutch OWASP chapter came together at the office of the sponsor of the evening; TTY in Amsterdam. The topic of the evening was 'Architectural and design risk analysis'. There were 2 speakers and approximately 28 attendees.<br/><br />
<br/><br />
The sponsor of the evening gave a small introduction about the company and the beautiful location they are housed in; a modernised old russian church in the centre of Amsterdam. After the introduction Bert Koelewijn asked for attention for the OWASP Education Project. This project aims to provide in building blocks of web application security information. Contributors are needed so if someone wants to participate please take a look at the project page [http://www.owasp.org/index.php/Category:OWASP_Education_Project].<br/><br />
<br/><br />
'''Presentation:''' Architectural and design risk analysis<br/><br />
After the introduction and the announcements the 2 Norwegian speakers of the evening were introduced: André N. Klingsheim & Lars-Helge Netland. <br />
During their PhD's both André & Lars-Helge researched the Norwegian banking systems and their vulnerabilities resulting in several papers and presentations [http://www.nowires.org/BankSecurity/]. The presentation of this evening focused on the current risks and the perception of these risks.<br/><br />
<br/><br />
Nowadays the trading in malware, botnets and vulnerabilities is maturing and industrializing. Attacks can be outsourced at bulk prices and threats no longer arise from a single or group of hackers, but can be bought as a service. This professionalisation requires a new approach in risk analysis and risk perception. The main problem in risk analysis is the human psyche; future risks are underestimated or tremendously overestimated, losses valued higher than gains, and attacks occured in the past are perceived 'more real'. This often results in inefficient investments in security contributing to the general perception that security is expensive.<br/><br />
<br/><br />
Another problem in risk analysis is the occurence of so-called 'black swans'. A black swan is a "large-impact, hard-to-predict, and rare event beyond the realm of normal expectations" [http://en.wikipedia.org/wiki/Black_swan_theory]. Due to the asymmetry in likehood and impact these events cannot be properly taken in to account for in traditional risk analysis models. A way of handling with these unforeseen risks is not using likelihood and impact to evaluate risks but instead look at the cost to fix and the cost of the consequence. <br/><br />
<br/><br />
The conclusions of the evening were that vulnerabilities will be more easily and quickly exploited and attacks more intense and coordinated in the coming years. This change requires a different approach in risk analysis. Vulnerabilities should be fixed as early and as many as possible without trying to estimate a likelihood of occuring. Implementing security as early as possible in the SDLC and increasing security awareness on all levels is the key in beating risks in a cost efficient way.<br/><br />
<br />
== Announcement December 11th 2008: Architectural and design risk analysis ==<br />
'''Summary'''<br/><br />
The main goal of the upcoming OWASP-NL meeting is to provide information to managers, architects, designers, developers and security and risk professionals about risk analyses in the architectural and design phases. The speakers will give specific examples and there will be time to ask questions.<br/><br />
Please register before December 8th because of the necessary catering arrangements.<br/><br />
<br/><br />
'''Location'''<br/><br />
The location and catering is provided by the sponsor of this meeting:<br/><br />
<table><br />
<tr><br />
<td width="350"><br />
TTY Internet Solutions<br/><br />
Kerkstraat 342<br/><br />
1017 JA Amsterdam<br/><br />
</td><br />
<td width="350"><br />
[[Image:TTYlogo.jpg|200px]]<br />
</td><br />
</tr><br />
<tr><br />
<td width="350"><br />
For the route by car or public transport please visit: http://tty.nl/nl/contact/amsterdam<br/><br />
</td><br />
<td width="350"><br />
TTY was founded in 1997 and has grown to be a solid Full Service Internet Partner. For a wide range of companies, large financial institutions, publishers and large insurance companies TTY develops high-traffic websites, shops, backoffice- and payment systems. TTY is especially known as a partner (and in some cases shareholder) of successful internet hits as<br />
2dehands.nl, ViaVia.nl, Nationale-Vacaturebank.nl, Sellaband.com, jaap.nl en Gekko.com.<br/><br />
For more information please visit: http://tty.nl<br/><br />
</td><br />
</tr><br />
</table><br />
<br/><br />
<br/><br />
'''Program'''<br/><br />
17.30 – 18.30 '''Check-In''' (catering included)<br/><br />
<br/><br />
18.30 – 19:00 '''Introduction''' (OWASP organization, projects, sponsor)<br/><br />
<br/><br />
19.00 – 21.00 '''Architectural risk analyses''' (English), André N. Klingsheim and Lars-Helge Netland<br/><br />
This workshop will explore how businesses can use risk analysis in the architecture/design phase of software development to produce more secure software. Participants will get an introduction to risk analysis, which will<br />
cover both definitions and how to apply the concepts in practice. The workshop consists of four parts: a short overview of current security threats; an introduction to risk management; an exploration of the limitations of risk management; and some real world applications of the presented techniques.<br/><br />
Lars-Helge Netland and André N. Klingsheim are software security analysts at, and co-owners of, NoWires Group AS. They both hold PhD degrees in applied software security, focused on risk analysis of software architecture and design.<br/><br />
<br/><br />
20.00 – 20:15 '''Break'''<br/><br />
<br/><br />
21.15 – 21:30 '''Discussion, questions and social'''<br/><br />
<br/><br />
If you want to attend, please send an email to: owasp@irc2.com.<br><br />
Please register before December 8th, because of the necessary catering arrangements.<br/><br />
<br/><br />
All OWASP chapter meetings are free of charge and you don’t have to be an OWASP member to attend. There are never any vendor pitches or sales presentations at OWASP meetings.<br/><br />
<br/><br />
NOTE TO CISSP's: OWASP Meetings count towards CPE Credits.<br/><br />
<br/><br />
The announcement and full descriptions can be found here:<br/><br />
[[Media:Announcement_11_December.pdf]]<br/><br />
<br />
== Meeting minutes October 27th 2008 ==<br />
<br />
At October 27th, the Dutch OWASP chapter came together at the office of the sponsor of the evening; ps_testware in Doorn. The subject of the evening was 'Privacy and the Internet’. There were 2 speakers and approximately 25 attendees.<br/><br />
<br/><br />
After a short welcome talk by both the sponsor and OWASP, Mario de Boer had an announcement about a new OWASP project; ORPRO, the Open Review Project. The goal of the project is to review Open Source Software from an independent point of view. Reviews will be done both manually and with the aid of source code analysis software provided by Fortify. The first software package to be reviewed is already available so reviewers are needed. More information can be found on the OWASP project page. [http://www.owasp.org/index.php/Category:OWASP_Open_Review_Project]<br/><br />
<br/><br />
'''First presentation:''' Privacy & the Internet presented by Frank Fruijthoff and Ellen Hoving. <br/><br />
The goal of this presentation was to show the problems in regulating privacy on the internet by law. The presentation was roughly split in 3 parts: definitions, requirements and context. <br/><br />
The main problem with regulating privacy is that the concept of privacy is very broad and not well defined. Privacy can have different meanings and consequences in different contexts. Most laws therefore focus on the individual and define privacy as 'protection of personal information' where 'personal information' is all data that can be tracked back to a single person. The last years many countries within the EU developed internet laws concerning privacy on the internet. These laws state that information can only be used what it originally was intended for and usage of that information must be reported at central register. This register also makes it possible to file a complaint and check what companies use personal information for what purposes. While these rules are mostly sufficient for local databases they often fail when applied to information stored on or with use of the internet. Problems encountered are captured in the "four D's";<br/><br />
- Internet is deterritorialized; internet has no boundaries.<br/><br />
- Internet is deregulated; internet has no law, only terms of use.<br/><br />
- Internet is dematerialized; internet is not physical.<br/><br />
- Internet is decentralized; there is no single regulating or controlling organization.<br/><br />
Although the protection of personal data is more and more covered by laws, the increasing usage of external storage and connections over the internet will make it harder to enforce them. The main conclusion of the evening was that, although many initiatives improving privacy exist, the very properties of the internet make it hard to ensure privacy completely. <br/><br />
<br/><br />
'''Second presentation:''' Vulnerability and source code scanners presented by E. Strijbos. This presentation showed the results of a research concerning the feasibility of a Web Application Security Certification by the usage of vulnerability scanners.<br/><br />
With the daily increasing amount of threads and vulnerabilities in web applications there is a market-driven demand for an independent and automated scan service. Current scan services often lack coverage and depth of scanning and give no details about the used scanning methods.<br/><br />
In this research several commercial vulnerability scanners and static analysis tools were compared and checked for scantime, accuracy, false positives, and ease of use. The results showed that almost all scanners find most of the vulnerabilities, but also produce many false positives. Also, without proper configuration the amount of results can be overwhelming and inconclusive. Furthermore results showed that static analysis scanners are much faster than vulnerability scanners, but have a more limited usage. The main conclusion was that although vulnerability scanners and static analysis tools can be very helpful in identifying vulnerabilities, their current efficiency is not high enough to use as the basis for an automated vulnerability scan.<br/><br />
<br />
== Meeting October 27th 2008: Privacy and the Internet ==<br />
'''Summary'''<br/><br />
The main goal of the upcoming OWASP-NL meeting is to provide information to developers and security professionals about personal and technical privacy on the internet. The speakers focus on privacy regulations related to the internet and on the mass amount of personal and technical information available about persons and companies on the internet, with and without their consent. Furthermore tools will be discussed that help prevent leakage of privacy related and other kind of data. They will give specific examples and there will be time to ask questions.<br/><br />
Please register before October 20th because of the necessary catering arrangements.<br/><br />
<br/><br />
'''Location'''<br/><br />
The location and catering is provided by the sponsor of this meeting:<br/><br />
<table><br />
<tr><br />
<td width="350"><br />
ps_testware B.V.<br/><br />
Dorpsstraat 26,<br/><br />
3941 JM DOORN<br/><br />
</td><br />
<td width="350"><br />
[[Image:Pstestware.jpg|100px]]<br />
</td><br />
</tr><br />
<tr><br />
<td width="350"><br />
The location has parking facilities for 15 cars. However parking in the direct vicinity of ps_testware shouldn’t be a problem.<br/><br />
</td><br />
<td width="350"><br />
ps_testware delivers services related to software testing and software quality. In the field of software development, quality, time-to-market, business processes and software acceptance they play the role of "your devil's advocate" as an independent, flexible and specialized partner.<br/><br />
For more information please visit: www.pstestware.com.<br/><br />
</td><br />
</tr><br />
</table><br />
<br/><br />
<br/><br />
'''Program'''<br/><br />
17.30 - 18.30 '''Check-In''' (catering included)<br/><br />
<br/><br />
18.30 – 19:00 '''Introduction''' (OWASP organization, projects, sponsor)<br/><br />
<br/><br />
19.00 - 20.15 '''Privacy and Internet''' (Dutch), Frank Fruijthoff and Ellen Hoving<br/><br />
In this presentation the general principles of privacy laws in the Netherlands and the EU and specifically privacy and the internet will be covered.<br/><br />
Frank Fruijthoff is a Compliance Officer with ING. He has a Compliance and Risk Management background and is specialised in privacy.<br/><br />
Ellen Hoving is a graduated lawyer. She works as an independent consultant specialized in compliance and privacy.<br/><br />
<br/><br />
20.15 – 20:30 '''Break'''<br/><br />
<br/><br />
20:30 – 21:00 '''Vulnerability and source code scanners''' (Dutch), Emile Strijbos<br />
<br/><br />
For his Master thesis in computer science at the Radboud Universiteit in Nijmegen, Emile Strijbos investigated vulnerability scanners and source code scanners. These are automated tools that try to detect security flaws, either in running web-applications or in their source code.<br/><br />
Emile tried out several of these tools, including both free and commercial ones, to see how good they are at detecting standard vulnerabilities, such as SQL injection, XSS, CSRF, etc.<br/><br />
<br/><br />
21.00 – 21:30 '''Discussion, questions and social'''<br/><br />
<br/><br />
If you want to attend, please send an email to: owasp@irc2.com.<br><br />
Please register before October 20th, because of the necessary catering arrangements. The number of registries is limited to 50 due to the capacity of the location and will be handled in order of receipt.<br/><br />
<br/><br />
All OWASP chapter meetings are free of charge and you don’t have to be an OWASP member to attend. There are never any vendor pitches or sales presentations at OWASP meetings.<br/><br />
<br/><br />
NOTE TO CISSP's: OWASP Meetings count towards CPE Credits.<br/><br />
<br/><br />
The announcement and full descriptions can be found here:<br/><br />
[[Media:Announcement_27_Oktober.pdf]]<br/><br />
<br />
== Meeting minutes March 23th 2008 ==<br />
<br />
At March 23th, the Dutch OWASP chapter came together in the Mercury hotel in Nieuwegein. The meeting was sponsored by Fortify Software. The subject of the evening was 'Software Vulnerability Assesment’. There were 3 speakers and approximately 40 attendees.<br/><br />
<br/><br />
After a short introduction of Migchiel de Jong (Fortify) about the subject of Static and Dynamic Analysis and the tools that Fortify provides the speakers of the evening where introduced.<br/><br />
<br/><br />
'''First presentation:''' Practices of Complex(ity) matters (Dutch), Mario de Boer<br/><br />
Mario de Boer has spent much of his free time the last 16 years into disassembling various pieces of software and analyzing the code and its statistics. The main advantage in analyzing binaries is that no access to source code is needed, all dependencies (i.e. the compiler) are included and it’s independent of the tool used. Disassembling compiled code gives great insight in the complexity of the software and the entry and exit points of data. Although there is no direct relation between the complexity of software and its security, statistically the most vulnerabilities appear in the most complex portions of a program. Data entry points in complex portions of the code can give rise to possible exploits so static analysis can give insight in the most vulnerable places in software which is useful information in testing.<br />
The disadvantages of static analysis are that an extensive knowledge of assembly is needed and, due to its statistic nature, it gives rise to many false positives. <br />
In conclusion static binary analysis, when used by experts, can be a powerful tool to gain insight in the most vulnerable parts of the software and be a valuable tool in both developing and testing software. <br/><br />
<br/><br />
'''Second presentation:''' V.A.C: SQL injection (Dutch), Marinus Kuivenhoven<br/><br />
A new reoccurring topic on OWASP presentations will be the so called VAC. In these presentations an expert will talk about a Vulnerability, how to Assess it and possible Countermeasures. This evening Marinus started with the second vulnerability in the OWASP top ten; SQL injections.<br/><br />
With the aid of Webgoat, a few simple examples and the possible consequences were shown. SQL injection is particularly useful exploit in the reconnaissance phase since it can be abused for information leakage and in getting information about e.g. the table structure. <br/><br />
On the internet and in literature many countermeasures against SQL injections are described. However, many of these countermeasures are not usable in a maintainable system or cannot prevent SQL injections completely. The most important conclusion was that input should never be trusted and should never be directly used.<br/><br />
<br/><br />
'''Third presentation:''' Secure Programming with Static Analysis (English), Brian Chess<br/><br />
The last speaker of the evening was Brian Chess who presented his new book ‘Secure Programming with Static Analysis’. Brian made clear that, although a powerful tool, static binary analysis is already too late in the SDLC to be successful in preventing vulnerabilities. Scanning for possible vulnerabilities should be implemented as early as possible i.e. during coding. The main advantages of static analysis are the cost and speed. Since errors and bad practices are identified in an early stage they can be solved at the spot, making auditing the software more efficient in term of time and depth. <br/><br />
Static analysis can successfully be used for style and type checking, program understanding and verification, and for security reviews. The success of static analysis, however, is fully depending on the rules implemented in the scanner. Static analysis is also unable to identify design flaws, right problems, or wrong user input. <br/><br />
The conclusion was that scanning for vulnerabilities can probably only be successful with the aid of static analysis, but many requirements should be met. Firstly it should become part of the SDLC and culture. Secondly the right tool should be picked and people should be trained in its use. Lastly investments should be made in building up a good rule set and metrics. <br/><br />
<br />
== Meeting March 26th 2008: Software Vulnerability assessment ==<br />
'''Summary'''<br/><br />
The main goal of the upcoming OWASP-NL meeting is to provide information to developers and security professionals involved in creating secure (web-)applications. The main focus will be on software vulnerability assessment. The speakers will give specific examples and of course there is time to ask questions about your own experiences.<br/><br />
<br/><br />
'''Location'''<br/><br />
The location and catering is provided by the sponsor of this meeting:<br/><br />
<table><br />
<tr><br />
<td width="350"><br />
Mercure Utrecht Nieuwegein<br/><br />
Buizerdlaan 10,<br/><br />
3435 SB Nieuwegein<br/><br />
</td><br />
<td width="350"><br />
[[Image:Fortify.JPG|143px]]<br />
</td><br />
</tr><br />
<tr><br />
<td width="350"><br />
</td><br />
<td width="350"><br />
Fortify Software products protect companies from today’s greatest security risk: the software applications that run their businesses. Combining deep application security expertise with extensive software development experience, Fortify Software has defined the market with award-winning products that span the software development cycle. Today, Fortify Software fortifies the software for the most demanding customer deployments, including the world’s largest, most varied code bases.<br/><br />
<br/><br />
For more information please visit:<br/><br />
www.fortify.com<br/><br />
</td><br />
</tr><br />
</table><br />
<br/><br />
<br/><br />
'''Program'''<br/><br />
17.30 - 18.30 '''Check-In''' (catering included)<br/><br />
<br/><br />
18.30 - 18:50 '''Introduction''' (OWASP, sponsor)<br/><br />
<br/><br />
18.50 - 19.30 '''Complex(ity) matters''' (Dutch), Mario de Boer<br/><br />
Various methods exist to locate specific vulnerabilities in software. In the presentation we will look at static analysis of binaries, and the problems we face when trying to locate vulnerabilities. Several ideas will be discussed to make the search easier, but at the same time less exact. The first idea is trivial: automate as much as possible. The second idea is nearly trivial: don't aim at exact vulnerabilities but relax the search to locating potential vulnerabilities. We will give examples that illustrate the results.<br/><br />
Mario de Boer is a senior security consultant at Logica, and as such focuses on security management aspects like security frameworks, compliance, monitoring and control and risk management. Before joining Logica, Mario worked at the Dutch ministries of Defense and Justice, he co-founded a security company and worked as a project manager in the financial sector. For several years he taught courses in software security analysis and secure software development. Besides security management, Mario has interest in software security, reverse engineering and cryptography. Within Logica Netherlands, he is knowledge manager application security. Mario holds a PhD in Mathematics and is CISA and CISSP.<br/><br />
<br/><br />
19.30 - 19:50 '''Break'''<br/><br />
<br/><br />
19:50 - 20:20 '''V.A.C: SQL injection''' (Dutch), Marinus Kuivenhoven<br />
<br/><br />
<u>'''V'''ulnerability:</u><br/><br />
An application which uses a database for its information needs, communicates with it trough SQL. SQL injection is an attack in which malicious code is inserted into strings that are later passed to an instance of a Database for parsing and execution.<br/><br />
<u>'''A'''ssessment:</u><br/><br />
SQL injection can threaten the confidentiality, availability and integrity of the data. The various types of SQL injection and their impact will be shown.<br/><br />
<u>'''C'''ountermeasure:</u><br/><br />
Any procedure that constructs SQL statements should be reviewed for injection vulnerabilities because a database will execute all syntactically valid queries that it receives. How this should be done will be shown for the most popular languages.<br/><br />
Marinus is a Technology Specialist with Sogeti Nederland B.V. specializing in service oriented architectures and secure application development. His experience includes developing and administrating Oracle-based systems.<br/><br />
<br/><br />
20.20 - 21.00 '''Secure Programming with Static Analysis''' (English), Brian Chess<br/><br />
Creating secure code requires more than just good intentions. Programmers need to know how to make their code safe in an almost infinite number of scenarios and configurations. Static source code analysis gives users the ability to review their work with a fine tooth comb and uncover the kinds of errors that lead directly to vulnerabilities. This talk frames the software security problem and shows how static analysis is part of the solution. We will look at how static analysis works, how to integrate it into the software development processes, and how to make the most of it during security code review. Along the way we'll look at examples taken from real-world security incidents, showing how coding errors are exploited, how they could have been prevented, and how static analysis can rapidly uncover similar errors.<br/><br />
Brian Chess is a founder of Fortify Software and serves as Fortify's Chief Scientist, where his work focuses on practical methods for creating secure systems. His book, Secure Programming with Static Analysis, shows how static source code analysis is an indispensable tool for getting security right. Brian holds a Ph.D. in computer engineering from the University of California at Santa Cruz, where he studied the application of static analysis to the problem of finding security-relevant defects in source code. Before settling on security, Brian spent a decade in Silicon Valley working at huge companies and small startups. He has done research on a broad set of topics, ranging from integrated circuit design all the way to delivering software as a service.<br/><br />
<br/><br />
21.00 - 21:30 '''Discussion, questions and social'''<br/><br />
<br/><br />
'''Registration'''<br/><br />
If you want to attend, please send an email to: owasp@irc2.com.<br/><br />
<br/><br />
All OWASP chapter meetings are free of charge and you don’t have to be an OWASP member to attend. There are never any vendor pitches or sales presentations at OWASP meetings.<br/><br />
<br/><br />
NOTE TO CISSP's: OWASP Meetings count towards CPE Credits.<br/><br />
<br/></div>Dvsteinhttps://wiki.owasp.org/index.php?title=Netherlands&diff=53011Netherlands2009-02-04T19:42:25Z<p>Dvstein: /* Announcement December 11th 2008: Architectural and design risk analysis */</p>
<hr />
<div>{{Chapter Template|chaptername=Netherlands|extra=The chapter leader is [mailto:owasp@irc2.nl Bert Koelewijn]<br />
<paypal>Netherlands</paypal><br />
|mailinglistsite=http://lists.owasp.org/mailman/listinfo/owasp-netherlands|emailarchives=http://lists.owasp.org/pipermail/owasp-netherlands}}<br />
<br />
=== Call for Speakers===<br />
We are continuously looking for speakers and presentations make the chapter meetings as interesting as possible. Therefore we are looking inside and outside OWASP for known international specialists. But we know, there is a lot interesting stuf happening inside the Netherlands, too! <br/><br />
'''Presentations:'''<br/><br />
Are you working on interesting subject, you would like to share your experiences with the OWASP community.<br />
Any topic related to application security will be appreciated!<br/><br />
'''VAC, Vulnerability, Attack, Countermeasure:'''<br/><br />
The goal is an half hour in-depth technical presentation about a vulnerability, how it can be exploited and how to prevent it!<br/><br />
<br />
Please let us know via the OWASP chapter meeting questionnaire of via email to martin.knobloch@owasp.org<br><br />
<br />
<br />
== Meeting schedule 2009 ==<br />
This is an overview of the 2009 local chapter meeting schedule. Details of the meetings can be found in the announcements that will be posted below this schedule.<br />
<pre><br />
March 5th<br />
----------<br />
Time : 17.30 - 21.30<br />
Main Topic : <br />
Presentations: <br />
Location : <br />
Sponsor : <br />
<br />
May 28th<br />
----------<br />
Time : 17.30 - 21.30<br />
Main Topic : <br />
Presentations: <br />
Location : <br />
Sponsor : <br />
<br />
September 24th<br />
----------<br />
Time : 17.30 - 21.30<br />
Main Topic : <br />
Presentations: <br />
Location : <br />
Sponsor : <br />
<br />
December 10th<br />
----------<br />
Time : 17.30 - 21.30<br />
Main Topic : <br />
Presentations: <br />
Location : <br />
Sponsor : <br />
</pre><br />
<br />
== Meeting schedule 2008 ==<br />
This is an overview of the 2008 local chapter meeting schedule. Details of the meetings can be found in the announcements that will be posted below this schedule.<br />
<pre><br />
March 26th<br />
----------<br />
Time : 17.30 - 21.30<br />
Main Topic : Software Vulnerability assessment<br />
Presentations: Complex(ity) matters, Mario de Boer (Dutch)<br />
V.A.C. SQL injection, Marinus Kuivenhoven (Dutch)<br />
Secure Programming with Static Analysis, Brian Chess (English) <br />
Location : Mercure Utrecht Nieuwegein, Buizerdlaan 10, 3435 SB Nieuwegein<br />
Sponsor : Fortify Software<br />
<br />
Oktober 27th<br />
----------<br />
Time : 17.30 - 21.30<br />
Main Topic : Privacy and the Internet<br />
Presentations: Privacy and Internet (Dutch), Frank Fruijthoff and Ellen Hoving<br />
Vulnerability and source code scanners. (Dutch) Emile Strijbos <br />
Location : ps_testware B.V., Dorpsstraat 26, 3941 JM DOORN<br />
Sponsor : ps_testware B.V.<br />
<br />
December 11th<br />
----------<br />
Time : 17.30 - 21.30<br />
Main Topic : Workshop: Architectural and design risk analysis<br />
Presentations: Architectural risk analyses (English), André N. Klingsheim and Lars-Helge Netland <br />
Location : TTY Amsterdam, Kerkstraat 342, 1017 JA Amsterdam<br />
Sponsor : TTY Internet Solutions<br />
</pre><br />
<br />
== Meeting minutes December 11th 2008 ==<br />
<br />
At December 11th, the Dutch OWASP chapter came together at the office of the sponsor of the evening; TTY in Amsterdam. The topic of the evening was 'Architectural and design risk analysis'. There were 2 speakers and approximately 28 attendees.<br/><br />
<br/><br />
The sponsor of the evening gave a small introduction about the company and the beautiful location they are housed in; a modernised old russian church in the centre of Amsterdam. After the introduction Bert Koelewijn asked for attention for the OWASP Education Project. This project aims to provide in building blocks of web application security information. Contributors are needed so if someone wants to participate please take a look at the project page [http://www.owasp.org/index.php/Category:OWASP_Education_Project].<br/><br />
<br/><br />
'''Presentation:''' Architectural and design risk analysis<br/><br />
After the introduction and the announcements the 2 Norwegian speakers of the evening were introduced: André N. Klingsheim & Lars-Helge Netland. <br />
During their PhD's both André & Lars-Helge researched the Norwegian banking systems and their vulnerabilities resulting in several papers and presentations [http://www.nowires.org/BankSecurity/]. The presentation of this evening focused on the current risks and the perception of these risks.<br/><br />
<br/><br />
Nowadays the trading in malware, botnets and vulnerabilities is maturing and industrializing. Attacks can be outsourced at bulk prices and threats no longer arise from a single or group of hackers, but can be bought as a service. This professionalisation requires a new approach in risk analysis and risk perception. The main problem in risk analysis is the human psyche; future risks are underestimated or tremendously overestimated, losses valued higher than gains, and attacks occured in the past are perceived 'more real'. This often results in inefficient investments in security contributing to the general perception that security is expensive.<br/><br />
<br/><br />
Another problem in risk analysis is the occurence of so-called 'black swans'. A black swan is a "large-impact, hard-to-predict, and rare event beyond the realm of normal expectations" [http://en.wikipedia.org/wiki/Black_swan_theory]. Due to the asymmetry in likehood and impact these events cannot be properly taken in to account for in traditional risk analysis models. A way of handling with these unforeseen risks is not using likelihood and impact to evaluate risks but instead look at the cost to fix and the cost of the consequence. <br/><br />
<br/><br />
The conclusions of the evening were that vulnerabilities will be more easily and quickly exploited and attacks more intense and coordinated in the coming years. This change requires a different approach in risk analysis. Vulnerabilities should be fixed as early and as many as possible without trying to estimate a likelihood of occuring. Implementing security as early as possible in the SDLC and increasing security awareness on all levels is the key in beating risks in a cost efficient way.<br/><br />
<br />
== Announcement December 11th 2008: Architectural and design risk analysis ==<br />
'''Summary'''<br/><br />
The main goal of the upcoming OWASP-NL meeting is to provide information to managers, architects, designers, developers and security and risk professionals about risk analyses in the architectural and design phases. The speakers will give specific examples and there will be time to ask questions.<br/><br />
Please register before December 8th because of the necessary catering arrangements.<br/><br />
<br/><br />
'''Location'''<br/><br />
The location and catering is provided by the sponsor of this meeting:<br/><br />
<table><br />
<tr><br />
<td width="350"><br />
TTY Internet Solutions<br/><br />
Kerkstraat 342<br/><br />
1017 JA Amsterdam<br/><br />
</td><br />
<td width="350"><br />
[[Image:TTYlogo.jpg|200px]]<br />
</td><br />
</tr><br />
<tr><br />
<td width="350"><br />
For the route by car or public transport please visit: http://tty.nl/nl/contact/amsterdam<br/><br />
</td><br />
<td width="350"><br />
TTY was founded in 1997 and has grown to be a solid Full Service Internet Partner. For a wide range of companies, large financial institutions, publishers and large insurance companies TTY develops high-traffic websites, shops, backoffice- and payment systems. TTY is especially known as a partner (and in some cases shareholder) of successful internet hits as<br />
2dehands.nl, ViaVia.nl, Nationale-Vacaturebank.nl, Sellaband.com, jaap.nl en Gekko.com.<br/><br />
For more information please visit: http://tty.nl<br/><br />
</td><br />
</tr><br />
</table><br />
<br/><br />
<br/><br />
'''Program'''<br/><br />
17.30 – 18.30 '''Check-In''' (catering included)<br/><br />
<br/><br />
18.30 – 19:00 '''Introduction''' (OWASP organization, projects, sponsor)<br/><br />
<br/><br />
19.00 – 21.00 '''Architectural risk analyses''' (English), André N. Klingsheim and Lars-Helge Netland<br/><br />
This workshop will explore how businesses can use risk analysis in the architecture/design phase of software development to produce more secure software. Participants will get an introduction to risk analysis, which will<br />
cover both definitions and how to apply the concepts in practice. The workshop consists of four parts: a short overview of current security threats; an introduction to risk management; an exploration of the limitations of risk management; and some real world applications of the presented techniques.<br/><br />
Lars-Helge Netland and André N. Klingsheim are software security analysts at, and co-owners of, NoWires Group AS. They both hold PhD degrees in applied software security, focused on risk analysis of software architecture and design.<br/><br />
<br/><br />
20.00 – 20:15 '''Break'''<br/><br />
<br/><br />
21.15 – 21:30 '''Discussion, questions and social'''<br/><br />
<br/><br />
If you want to attend, please send an email to: owasp@irc2.com.<br><br />
Please register before December 8th, because of the necessary catering arrangements.<br/><br />
<br/><br />
All OWASP chapter meetings are free of charge and you don’t have to be an OWASP member to attend. There are never any vendor pitches or sales presentations at OWASP meetings.<br/><br />
<br/><br />
NOTE TO CISSP's: OWASP Meetings count towards CPE Credits.<br/><br />
<br/><br />
The announcement and full descriptions can be found here:<br/><br />
[[Media:Announcement_11_December.pdf]]<br/><br />
<br />
== Meeting minutes October 27th 2008 ==<br />
<br />
At October 27th, the Dutch OWASP chapter came together at the office of the sponsor of the evening; ps_testware in Doorn. The subject of the evening was 'Privacy and the Internet’. There were 2 speakers and approximately 25 attendees.<br/><br />
<br/><br />
After a short welcome talk by both the sponsor and OWASP, Mario de Boer had an announcement about a new OWASP project; ORPRO, the Open Review Project. The goal of the project is to review Open Source Software from an independent point of view. Reviews will be done both manually and with the aid of source code analysis software provided by Fortify. The first software package to be reviewed is already available so reviewers are needed. More information can be found on the OWASP project page. [http://www.owasp.org/index.php/Category:OWASP_Open_Review_Project]<br/><br />
<br/><br />
'''First presentation:''' Privacy & the Internet presented by Frank Fruijthoff and Ellen Hoving. <br/><br />
The goal of this presentation was to show the problems in regulating privacy on the internet by law. The presentation was roughly split in 3 parts: definitions, requirements and context. <br/><br />
The main problem with regulating privacy is that the concept of privacy is very broad and not well defined. Privacy can have different meanings and consequences in different contexts. Most laws therefore focus on the individual and define privacy as 'protection of personal information' where 'personal information' is all data that can be tracked back to a single person. The last years many countries within the EU developed internet laws concerning privacy on the internet. These laws state that information can only be used what it originally was intended for and usage of that information must be reported at central register. This register also makes it possible to file a complaint and check what companies use personal information for what purposes. While these rules are mostly sufficient for local databases they often fail when applied to information stored on or with use of the internet. Problems encountered are captured in the "four D's";<br/><br />
- Internet is deterritorialized; internet has no boundaries.<br/><br />
- Internet is deregulated; internet has no law, only terms of use.<br/><br />
- Internet is dematerialized; internet is not physical.<br/><br />
- Internet is decentralized; there is no single regulating or controlling organization.<br/><br />
Although the protection of personal data is more and more covered by laws, the increasing usage of external storage and connections over the internet will make it harder to enforce them. The main conclusion of the evening was that, although many initiatives improving privacy exist, the very properties of the internet make it hard to ensure privacy completely. <br/><br />
<br/><br />
'''Second presentation:''' Vulnerability and source code scanners presented by E. Strijbos. This presentation showed the results of a research concerning the feasibility of a Web Application Security Certification by the usage of vulnerability scanners.<br/><br />
With the daily increasing amount of threads and vulnerabilities in web applications there is a market-driven demand for an independent and automated scan service. Current scan services often lack coverage and depth of scanning and give no details about the used scanning methods.<br/><br />
In this research several commercial vulnerability scanners and static analysis tools were compared and checked for scantime, accuracy, false positives, and ease of use. The results showed that almost all scanners find most of the vulnerabilities, but also produce many false positives. Also, without proper configuration the amount of results can be overwhelming and inconclusive. Furthermore results showed that static analysis scanners are much faster than vulnerability scanners, but have a more limited usage. The main conclusion was that although vulnerability scanners and static analysis tools can be very helpful in identifying vulnerabilities, their current efficiency is not high enough to use as the basis for an automated vulnerability scan.<br/><br />
<br />
== Meeting October 27th 2008: Privacy and the Internet ==<br />
'''Summary'''<br/><br />
The main goal of the upcoming OWASP-NL meeting is to provide information to developers and security professionals about personal and technical privacy on the internet. The speakers focus on privacy regulations related to the internet and on the mass amount of personal and technical information available about persons and companies on the internet, with and without their consent. Furthermore tools will be discussed that help prevent leakage of privacy related and other kind of data. They will give specific examples and there will be time to ask questions.<br/><br />
Please register before October 20th because of the necessary catering arrangements.<br/><br />
<br/><br />
'''Location'''<br/><br />
The location and catering is provided by the sponsor of this meeting:<br/><br />
<table><br />
<tr><br />
<td width="350"><br />
ps_testware B.V.<br/><br />
Dorpsstraat 26,<br/><br />
3941 JM DOORN<br/><br />
</td><br />
<td width="350"><br />
[[Image:Pstestware.jpg|100px]]<br />
</td><br />
</tr><br />
<tr><br />
<td width="350"><br />
The location has parking facilities for 15 cars. However parking in the direct vicinity of ps_testware shouldn’t be a problem.<br/><br />
</td><br />
<td width="350"><br />
ps_testware delivers services related to software testing and software quality. In the field of software development, quality, time-to-market, business processes and software acceptance they play the role of "your devil's advocate" as an independent, flexible and specialized partner.<br/><br />
For more information please visit: www.pstestware.com.<br/><br />
</td><br />
</tr><br />
</table><br />
<br/><br />
<br/><br />
'''Program'''<br/><br />
17.30 - 18.30 '''Check-In''' (catering included)<br/><br />
<br/><br />
18.30 – 19:00 '''Introduction''' (OWASP organization, projects, sponsor)<br/><br />
<br/><br />
19.00 - 20.15 '''Privacy and Internet''' (Dutch), Frank Fruijthoff and Ellen Hoving<br/><br />
In this presentation the general principles of privacy laws in the Netherlands and the EU and specifically privacy and the internet will be covered.<br/><br />
Frank Fruijthoff is a Compliance Officer with ING. He has a Compliance and Risk Management background and is specialised in privacy.<br/><br />
Ellen Hoving is a graduated lawyer. She works as an independent consultant specialized in compliance and privacy.<br/><br />
<br/><br />
20.15 – 20:30 '''Break'''<br/><br />
<br/><br />
20:30 – 21:00 '''Vulnerability and source code scanners''' (Dutch), Emile Strijbos<br />
<br/><br />
For his Master thesis in computer science at the Radboud Universiteit in Nijmegen, Emile Strijbos investigated vulnerability scanners and source code scanners. These are automated tools that try to detect security flaws, either in running web-applications or in their source code.<br/><br />
Emile tried out several of these tools, including both free and commercial ones, to see how good they are at detecting standard vulnerabilities, such as SQL injection, XSS, CSRF, etc.<br/><br />
<br/><br />
21.00 – 21:30 '''Discussion, questions and social'''<br/><br />
<br/><br />
If you want to attend, please send an email to: owasp@irc2.com.<br><br />
Please register before October 20th, because of the necessary catering arrangements. The number of registries is limited to 50 due to the capacity of the location and will be handled in order of receipt.<br/><br />
<br/><br />
All OWASP chapter meetings are free of charge and you don’t have to be an OWASP member to attend. There are never any vendor pitches or sales presentations at OWASP meetings.<br/><br />
<br/><br />
NOTE TO CISSP's: OWASP Meetings count towards CPE Credits.<br/><br />
<br/><br />
The announcement and full descriptions can be found here:<br/><br />
[[Media:Announcement_27_Oktober.pdf]]<br/><br />
<br />
== Meeting minutes March 23th 2008 ==<br />
<br />
At March 23th, the Dutch OWASP chapter came together in the Mercury hotel in Nieuwegein. The meeting was sponsored by Fortify Software. The subject of the evening was 'Software Vulnerability Assesment’. There were 3 speakers and approximately 40 attendees.<br/><br />
<br/><br />
After a short introduction of Migchiel de Jong (Fortify) about the subject of Static and Dynamic Analysis and the tools that Fortify provides the speakers of the evening where introduced.<br/><br />
<br/><br />
'''First presentation:''' Practices of Complex(ity) matters (Dutch), Mario de Boer<br/><br />
Mario de Boer has spent much of his free time the last 16 years into disassembling various pieces of software and analyzing the code and its statistics. The main advantage in analyzing binaries is that no access to source code is needed, all dependencies (i.e. the compiler) are included and it’s independent of the tool used. Disassembling compiled code gives great insight in the complexity of the software and the entry and exit points of data. Although there is no direct relation between the complexity of software and its security, statistically the most vulnerabilities appear in the most complex portions of a program. Data entry points in complex portions of the code can give rise to possible exploits so static analysis can give insight in the most vulnerable places in software which is useful information in testing.<br />
The disadvantages of static analysis are that an extensive knowledge of assembly is needed and, due to its statistic nature, it gives rise to many false positives. <br />
In conclusion static binary analysis, when used by experts, can be a powerful tool to gain insight in the most vulnerable parts of the software and be a valuable tool in both developing and testing software. <br/><br />
<br/><br />
'''Second presentation:''' V.A.C: SQL injection (Dutch), Marinus Kuivenhoven<br/><br />
A new reoccurring topic on OWASP presentations will be the so called VAC. In these presentations an expert will talk about a Vulnerability, how to Assess it and possible Countermeasures. This evening Marinus started with the second vulnerability in the OWASP top ten; SQL injections.<br/><br />
With the aid of Webgoat, a few simple examples and the possible consequences were shown. SQL injection is particularly useful exploit in the reconnaissance phase since it can be abused for information leakage and in getting information about e.g. the table structure. <br/><br />
On the internet and in literature many countermeasures against SQL injections are described. However, many of these countermeasures are not usable in a maintainable system or cannot prevent SQL injections completely. The most important conclusion was that input should never be trusted and should never be directly used.<br/><br />
<br/><br />
'''Third presentation:''' Secure Programming with Static Analysis (English), Brian Chess<br/><br />
The last speaker of the evening was Brian Chess who presented his new book ‘Secure Programming with Static Analysis’. Brian made clear that, although a powerful tool, static binary analysis is already too late in the SDLC to be successful in preventing vulnerabilities. Scanning for possible vulnerabilities should be implemented as early as possible i.e. during coding. The main advantages of static analysis are the cost and speed. Since errors and bad practices are identified in an early stage they can be solved at the spot, making auditing the software more efficient in term of time and depth. <br/><br />
Static analysis can successfully be used for style and type checking, program understanding and verification, and for security reviews. The success of static analysis, however, is fully depending on the rules implemented in the scanner. Static analysis is also unable to identify design flaws, right problems, or wrong user input. <br/><br />
The conclusion was that scanning for vulnerabilities can probably only be successful with the aid of static analysis, but many requirements should be met. Firstly it should become part of the SDLC and culture. Secondly the right tool should be picked and people should be trained in its use. Lastly investments should be made in building up a good rule set and metrics. <br/><br />
<br />
== Meeting March 26th 2008: Software Vulnerability assessment ==<br />
'''Summary'''<br/><br />
The main goal of the upcoming OWASP-NL meeting is to provide information to developers and security professionals involved in creating secure (web-)applications. The main focus will be on software vulnerability assessment. The speakers will give specific examples and of course there is time to ask questions about your own experiences.<br/><br />
<br/><br />
'''Location'''<br/><br />
The location and catering is provided by the sponsor of this meeting:<br/><br />
<table><br />
<tr><br />
<td width="350"><br />
Mercure Utrecht Nieuwegein<br/><br />
Buizerdlaan 10,<br/><br />
3435 SB Nieuwegein<br/><br />
</td><br />
<td width="350"><br />
[[Image:Fortify.JPG|143px]]<br />
</td><br />
</tr><br />
<tr><br />
<td width="350"><br />
</td><br />
<td width="350"><br />
Fortify Software products protect companies from today’s greatest security risk: the software applications that run their businesses. Combining deep application security expertise with extensive software development experience, Fortify Software has defined the market with award-winning products that span the software development cycle. Today, Fortify Software fortifies the software for the most demanding customer deployments, including the world’s largest, most varied code bases.<br/><br />
<br/><br />
For more information please visit:<br/><br />
www.fortify.com<br/><br />
</td><br />
</tr><br />
</table><br />
<br/><br />
<br/><br />
'''Program'''<br/><br />
17.30 - 18.30 '''Check-In''' (catering included)<br/><br />
<br/><br />
18.30 - 18:50 '''Introduction''' (OWASP, sponsor)<br/><br />
<br/><br />
18.50 - 19.30 '''Complex(ity) matters''' (Dutch), Mario de Boer<br/><br />
Various methods exist to locate specific vulnerabilities in software. In the presentation we will look at static analysis of binaries, and the problems we face when trying to locate vulnerabilities. Several ideas will be discussed to make the search easier, but at the same time less exact. The first idea is trivial: automate as much as possible. The second idea is nearly trivial: don't aim at exact vulnerabilities but relax the search to locating potential vulnerabilities. We will give examples that illustrate the results.<br/><br />
Mario de Boer is a senior security consultant at Logica, and as such focuses on security management aspects like security frameworks, compliance, monitoring and control and risk management. Before joining Logica, Mario worked at the Dutch ministries of Defense and Justice, he co-founded a security company and worked as a project manager in the financial sector. For several years he taught courses in software security analysis and secure software development. Besides security management, Mario has interest in software security, reverse engineering and cryptography. Within Logica Netherlands, he is knowledge manager application security. Mario holds a PhD in Mathematics and is CISA and CISSP.<br/><br />
<br/><br />
19.30 - 19:50 '''Break'''<br/><br />
<br/><br />
19:50 - 20:20 '''V.A.C: SQL injection''' (Dutch), Marinus Kuivenhoven<br />
<br/><br />
<u>'''V'''ulnerability:</u><br/><br />
An application which uses a database for its information needs, communicates with it trough SQL. SQL injection is an attack in which malicious code is inserted into strings that are later passed to an instance of a Database for parsing and execution.<br/><br />
<u>'''A'''ssessment:</u><br/><br />
SQL injection can threaten the confidentiality, availability and integrity of the data. The various types of SQL injection and their impact will be shown.<br/><br />
<u>'''C'''ountermeasure:</u><br/><br />
Any procedure that constructs SQL statements should be reviewed for injection vulnerabilities because a database will execute all syntactically valid queries that it receives. How this should be done will be shown for the most popular languages.<br/><br />
Marinus is a Technology Specialist with Sogeti Nederland B.V. specializing in service oriented architectures and secure application development. His experience includes developing and administrating Oracle-based systems.<br/><br />
<br/><br />
20.20 - 21.00 '''Secure Programming with Static Analysis''' (English), Brian Chess<br/><br />
Creating secure code requires more than just good intentions. Programmers need to know how to make their code safe in an almost infinite number of scenarios and configurations. Static source code analysis gives users the ability to review their work with a fine tooth comb and uncover the kinds of errors that lead directly to vulnerabilities. This talk frames the software security problem and shows how static analysis is part of the solution. We will look at how static analysis works, how to integrate it into the software development processes, and how to make the most of it during security code review. Along the way we'll look at examples taken from real-world security incidents, showing how coding errors are exploited, how they could have been prevented, and how static analysis can rapidly uncover similar errors.<br/><br />
Brian Chess is a founder of Fortify Software and serves as Fortify's Chief Scientist, where his work focuses on practical methods for creating secure systems. His book, Secure Programming with Static Analysis, shows how static source code analysis is an indispensable tool for getting security right. Brian holds a Ph.D. in computer engineering from the University of California at Santa Cruz, where he studied the application of static analysis to the problem of finding security-relevant defects in source code. Before settling on security, Brian spent a decade in Silicon Valley working at huge companies and small startups. He has done research on a broad set of topics, ranging from integrated circuit design all the way to delivering software as a service.<br/><br />
<br/><br />
21.00 - 21:30 '''Discussion, questions and social'''<br/><br />
<br/><br />
'''Registration'''<br/><br />
If you want to attend, please send an email to: owasp@irc2.com.<br/><br />
<br/><br />
All OWASP chapter meetings are free of charge and you don’t have to be an OWASP member to attend. There are never any vendor pitches or sales presentations at OWASP meetings.<br/><br />
<br/><br />
NOTE TO CISSP's: OWASP Meetings count towards CPE Credits.<br/><br />
<br/><br />
== Past Events ==<br />
* Events held in [[Netherlands_Previous_Events_2008|2008]]<br />
* Events held in [[Netherlands_Previous_Events_2007|2007]]<br />
* Events held in [[Netherlands_Previous_Events_2006|2006]]<br />
* Events held in [[Netherlands_Previous_Events_2005|2005]]</div>Dvsteinhttps://wiki.owasp.org/index.php?title=Netherlands&diff=46558Netherlands2008-11-19T16:59:15Z<p>Dvstein: /* OWASP Netherlands meeting minutes */</p>
<hr />
<div>{{Chapter Template|chaptername=Netherlands|extra=The chapter leader is [mailto:owasp@irc2.nl Bert Koelewijn]<br />
<paypal>Netherlands</paypal><br />
|mailinglistsite=http://lists.owasp.org/mailman/listinfo/owasp-netherlands|emailarchives=http://lists.owasp.org/pipermail/owasp-netherlands}}<br />
<br />
== Meeting schedule 2008 ==<br />
This is an overview of the 2008 local chapter meeting schedule. Details of the meetings can be found in the announcements that will be posted below this schedule.<br />
<pre><br />
March 26th<br />
----------<br />
Time : 17.30 - 21.30<br />
Main Topic : Software Vulnerability assessment<br />
Presentations: Complex(ity) matters, Mario de Boer (Dutch)<br />
V.A.C. SQL injection, Marinus Kuivenhoven (Dutch)<br />
Secure Programming with Static Analysis, Brian Chess (English) <br />
Location : Mercure Utrecht Nieuwegein, Buizerdlaan 10, 3435 SB Nieuwegein<br />
Sponsor : Fortify Software<br />
<br />
Oktober 27th<br />
----------<br />
Time : 17.30 - 21.30<br />
Main Topic : Privacy and the Internet<br />
Presentations: Privacy and Internet (Dutch), Frank Fruijthoff and Ellen Hoving<br />
Vulnerability and source code scanners. (Dutch) Emile Strijbos <br />
Location : ps_testware B.V., Dorpsstraat 26, 3941 JM DOORN<br />
Sponsor : ps_testware B.V.<br />
</pre><br />
== Meeting minutes October 27th 2008 ==<br />
<br />
At October 27th, the Dutch OWASP chapter came together at the office of the sponsor of the evening; ps_testware in Doorn. The subject of the evening was 'Privacy and the Internet’. There were 2 speakers and approximately 25 attendees.<br/><br />
<br/><br />
After a short welcome talk by both the sponsor and OWASP, Mario de Boer had an announcement about a new OWASP project; ORPRO, the Open Review Project. The goal of the project is to review Open Source Software from an independent point of view. Reviews will be done both manually and with the aid of source code analysis software provided by Fortify. The first software package to be reviewed is already available so reviewers are needed. More information can be found on the OWASP project page. [http://www.owasp.org/index.php/Category:OWASP_Open_Review_Project]<br/><br />
<br/><br />
'''First presentation:''' Privacy & the Internet presented by Frank Fruijthoff and Ellen Hoving. <br/><br />
The goal of this presentation was to show the problems in regulating privacy on the internet by law. The presentation was roughly split in 3 parts: definitions, requirements and context. <br/><br />
The main problem with regulating privacy is that the concept of privacy is very broad and not well defined. Privacy can have different meanings and consequences in different contexts. Most laws therefore focus on the individual and define privacy as 'protection of personal information' where 'personal information' is all data that can be tracked back to a single person. The last years many countries within the EU developed internet laws concerning privacy on the internet. These laws state that information can only be used what it originally was intended for and usage of that information must be reported at central register. This register also makes it possible to file a complaint and check what companies use personal information for what purposes. While these rules are mostly sufficient for local databases they often fail when applied to information stored on or with use of the internet. Problems encountered are captured in the "four D's";<br/><br />
- Internet is deterritorialized; internet has no boundaries.<br/><br />
- Internet is deregulated; internet has no law, only terms of use.<br/><br />
- Internet is dematerialized; internet is not physical.<br/><br />
- Internet is decentralized; there is no single regulating or controlling organization.<br/><br />
Although the protection of personal data is more and more covered by laws, the increasing usage of external storage and connections over the internet will make it harder to enforce them. The main conclusion of the evening was that, although many initiatives improving privacy exist, the very properties of the internet make it hard to ensure privacy completely. <br/><br />
<br/><br />
'''Second presentation:''' Vulnerability and source code scanners presented by E. Strijbos. This presentation showed the results of a research concerning the feasibility of a Web Application Security Certification by the usage of vulnerability scanners.<br/><br />
With the daily increasing amount of threads and vulnerabilities in web applications there is a market-driven demand for an independent and automated scan service. Current scan services often lack coverage and depth of scanning and give no details about the used scanning methods.<br/><br />
In this research several commercial vulnerability scanners and static analysis tools were compared and checked for scantime, accuracy, false positives, and ease of use. The results showed that almost all scanners find most of the vulnerabilities, but also produce many false positives. Also, without proper configuration the amount of results can be overwhelming and inconclusive. Furthermore results showed that static analysis scanners are much faster than vulnerability scanners, but have a more limited usage. The main conclusion was that although vulnerability scanners and static analysis tools can be very helpful in identifying vulnerabilities, their current efficiency is not high enough to use as the basis for an automated vulnerability scan.<br/><br />
<br />
== Meeting October 27th 2008: Privacy and the Internet ==<br />
'''Summary'''<br/><br />
The main goal of the upcoming OWASP-NL meeting is to provide information to developers and security professionals about personal and technical privacy on the internet. The speakers focus on privacy regulations related to the internet and on the mass amount of personal and technical information available about persons and companies on the internet, with and without their consent. Furthermore tools will be discussed that help prevent leakage of privacy related and other kind of data. They will give specific examples and there will be time to ask questions.<br/><br />
Please register before October 20th because of the necessary catering arrangements.<br/><br />
<br/><br />
'''Location'''<br/><br />
The location and catering is provided by the sponsor of this meeting:<br/><br />
<table><br />
<tr><br />
<td width="350"><br />
ps_testware B.V.<br/><br />
Dorpsstraat 26,<br/><br />
3941 JM DOORN<br/><br />
</td><br />
<td width="350"><br />
[[Image:Pstestware.jpg|100px]]<br />
</td><br />
</tr><br />
<tr><br />
<td width="350"><br />
The location has parking facilities for 15 cars. However parking in the direct vicinity of ps_testware shouldn’t be a problem.<br/><br />
</td><br />
<td width="350"><br />
ps_testware delivers services related to software testing and software quality. In the field of software development, quality, time-to-market, business processes and software acceptance they play the role of "your devil's advocate" as an independent, flexible and specialized partner.<br/><br />
For more information please visit: www.pstestware.com.<br/><br />
</td><br />
</tr><br />
</table><br />
<br/><br />
<br/><br />
'''Program'''<br/><br />
17.30 - 18.30 '''Check-In''' (catering included)<br/><br />
<br/><br />
18.30 – 19:00 '''Introduction''' (OWASP organization, projects, sponsor)<br/><br />
<br/><br />
19.00 - 20.15 '''Privacy and Internet''' (Dutch), Frank Fruijthoff and Ellen Hoving<br/><br />
In this presentation the general principles of privacy laws in the Netherlands and the EU and specifically privacy and the internet will be covered.<br/><br />
Frank Fruijthoff is a Compliance Officer with ING. He has a Compliance and Risk Management background and is specialised in privacy.<br/><br />
Ellen Hoving is a graduated lawyer. She works as an independent consultant specialized in compliance and privacy.<br/><br />
<br/><br />
20.15 – 20:30 '''Break'''<br/><br />
<br/><br />
20:30 – 21:00 '''Vulnerability and source code scanners''' (Dutch), Emile Strijbos<br />
<br/><br />
For his Master thesis in computer science at the Radboud Universiteit in Nijmegen, Emile Strijbos investigated vulnerability scanners and source code scanners. These are automated tools that try to detect security flaws, either in running web-applications or in their source code.<br/><br />
Emile tried out several of these tools, including both free and commercial ones, to see how good they are at detecting standard vulnerabilities, such as SQL injection, XSS, CSRF, etc.<br/><br />
<br/><br />
21.00 – 21:30 '''Discussion, questions and social'''<br/><br />
<br/><br />
If you want to attend, please send an email to: owasp@irc2.com.<br><br />
Please register before October 20th, because of the necessary catering arrangements. The number of registries is limited to 50 due to the capacity of the location and will be handled in order of receipt.<br/><br />
<br/><br />
All OWASP chapter meetings are free of charge and you don’t have to be an OWASP member to attend. There are never any vendor pitches or sales presentations at OWASP meetings.<br/><br />
<br/><br />
NOTE TO CISSP's: OWASP Meetings count towards CPE Credits.<br/><br />
<br/><br />
The announcement and full descriptions can be found here:<br/><br />
[[Media:Announcement_27_Oktober.pdf]]<br/><br />
<br />
== Meeting minutes March 23th 2008 ==<br />
<br />
At March 23th, the Dutch OWASP chapter came together in the Mercury hotel in Nieuwegein. The meeting was sponsored by Fortify Software. The subject of the evening was 'Software Vulnerability Assesment’. There were 3 speakers and approximately 40 attendees.<br/><br />
<br/><br />
After a short introduction of Migchiel de Jong (Fortify) about the subject of Static and Dynamic Analysis and the tools that Fortify provides the speakers of the evening where introduced.<br/><br />
<br/><br />
'''First presentation:''' Practices of Complex(ity) matters (Dutch), Mario de Boer<br/><br />
Mario de Boer has spent much of his free time the last 16 years into disassembling various pieces of software and analyzing the code and its statistics. The main advantage in analyzing binaries is that no access to source code is needed, all dependencies (i.e. the compiler) are included and it’s independent of the tool used. Disassembling compiled code gives great insight in the complexity of the software and the entry and exit points of data. Although there is no direct relation between the complexity of software and its security, statistically the most vulnerabilities appear in the most complex portions of a program. Data entry points in complex portions of the code can give rise to possible exploits so static analysis can give insight in the most vulnerable places in software which is useful information in testing.<br />
The disadvantages of static analysis are that an extensive knowledge of assembly is needed and, due to its statistic nature, it gives rise to many false positives. <br />
In conclusion static binary analysis, when used by experts, can be a powerful tool to gain insight in the most vulnerable parts of the software and be a valuable tool in both developing and testing software. <br/><br />
<br/><br />
'''Second presentation:''' V.A.C: SQL injection (Dutch), Marinus Kuivenhoven<br/><br />
A new reoccurring topic on OWASP presentations will be the so called VAC. In these presentations an expert will talk about a Vulnerability, how to Assess it and possible Countermeasures. This evening Marinus started with the second vulnerability in the OWASP top ten; SQL injections.<br/><br />
With the aid of Webgoat, a few simple examples and the possible consequences were shown. SQL injection is particularly useful exploit in the reconnaissance phase since it can be abused for information leakage and in getting information about e.g. the table structure. <br/><br />
On the internet and in literature many countermeasures against SQL injections are described. However, many of these countermeasures are not usable in a maintainable system or cannot prevent SQL injections completely. The most important conclusion was that input should never be trusted and should never be directly used.<br/><br />
<br/><br />
'''Third presentation:''' Secure Programming with Static Analysis (English), Brian Chess<br/><br />
The last speaker of the evening was Brian Chess who presented his new book ‘Secure Programming with Static Analysis’. Brian made clear that, although a powerful tool, static binary analysis is already too late in the SDLC to be successful in preventing vulnerabilities. Scanning for possible vulnerabilities should be implemented as early as possible i.e. during coding. The main advantages of static analysis are the cost and speed. Since errors and bad practices are identified in an early stage they can be solved at the spot, making auditing the software more efficient in term of time and depth. <br/><br />
Static analysis can successfully be used for style and type checking, program understanding and verification, and for security reviews. The success of static analysis, however, is fully depending on the rules implemented in the scanner. Static analysis is also unable to identify design flaws, right problems, or wrong user input. <br/><br />
The conclusion was that scanning for vulnerabilities can probably only be successful with the aid of static analysis, but many requirements should be met. Firstly it should become part of the SDLC and culture. Secondly the right tool should be picked and people should be trained in its use. Lastly investments should be made in building up a good rule set and metrics. <br/><br />
<br />
== Meeting March 26th 2008: Software Vulnerability assessment ==<br />
'''Summary'''<br/><br />
The main goal of the upcoming OWASP-NL meeting is to provide information to developers and security professionals involved in creating secure (web-)applications. The main focus will be on software vulnerability assessment. The speakers will give specific examples and of course there is time to ask questions about your own experiences.<br/><br />
<br/><br />
'''Location'''<br/><br />
The location and catering is provided by the sponsor of this meeting:<br/><br />
<table><br />
<tr><br />
<td width="350"><br />
Mercure Utrecht Nieuwegein<br/><br />
Buizerdlaan 10,<br/><br />
3435 SB Nieuwegein<br/><br />
</td><br />
<td width="350"><br />
[[Image:Fortify.JPG|143px]]<br />
</td><br />
</tr><br />
<tr><br />
<td width="350"><br />
</td><br />
<td width="350"><br />
Fortify Software products protect companies from today’s greatest security risk: the software applications that run their businesses. Combining deep application security expertise with extensive software development experience, Fortify Software has defined the market with award-winning products that span the software development cycle. Today, Fortify Software fortifies the software for the most demanding customer deployments, including the world’s largest, most varied code bases.<br/><br />
<br/><br />
For more information please visit:<br/><br />
www.fortify.com<br/><br />
</td><br />
</tr><br />
</table><br />
<br/><br />
<br/><br />
'''Program'''<br/><br />
17.30 - 18.30 '''Check-In''' (catering included)<br/><br />
<br/><br />
18.30 - 18:50 '''Introduction''' (OWASP, sponsor)<br/><br />
<br/><br />
18.50 - 19.30 '''Complex(ity) matters''' (Dutch), Mario de Boer<br/><br />
Various methods exist to locate specific vulnerabilities in software. In the presentation we will look at static analysis of binaries, and the problems we face when trying to locate vulnerabilities. Several ideas will be discussed to make the search easier, but at the same time less exact. The first idea is trivial: automate as much as possible. The second idea is nearly trivial: don't aim at exact vulnerabilities but relax the search to locating potential vulnerabilities. We will give examples that illustrate the results.<br/><br />
Mario de Boer is a senior security consultant at Logica, and as such focuses on security management aspects like security frameworks, compliance, monitoring and control and risk management. Before joining Logica, Mario worked at the Dutch ministries of Defense and Justice, he co-founded a security company and worked as a project manager in the financial sector. For several years he taught courses in software security analysis and secure software development. Besides security management, Mario has interest in software security, reverse engineering and cryptography. Within Logica Netherlands, he is knowledge manager application security. Mario holds a PhD in Mathematics and is CISA and CISSP.<br/><br />
<br/><br />
19.30 - 19:50 '''Break'''<br/><br />
<br/><br />
19:50 - 20:20 '''V.A.C: SQL injection''' (Dutch), Marinus Kuivenhoven<br />
<br/><br />
<u>'''V'''ulnerability:</u><br/><br />
An application which uses a database for its information needs, communicates with it trough SQL. SQL injection is an attack in which malicious code is inserted into strings that are later passed to an instance of a Database for parsing and execution.<br/><br />
<u>'''A'''ssessment:</u><br/><br />
SQL injection can threaten the confidentiality, availability and integrity of the data. The various types of SQL injection and their impact will be shown.<br/><br />
<u>'''C'''ountermeasure:</u><br/><br />
Any procedure that constructs SQL statements should be reviewed for injection vulnerabilities because a database will execute all syntactically valid queries that it receives. How this should be done will be shown for the most popular languages.<br/><br />
Marinus is a Technology Specialist with Sogeti Nederland B.V. specializing in service oriented architectures and secure application development. His experience includes developing and administrating Oracle-based systems.<br/><br />
<br/><br />
20.20 - 21.00 '''Secure Programming with Static Analysis''' (English), Brian Chess<br/><br />
Creating secure code requires more than just good intentions. Programmers need to know how to make their code safe in an almost infinite number of scenarios and configurations. Static source code analysis gives users the ability to review their work with a fine tooth comb and uncover the kinds of errors that lead directly to vulnerabilities. This talk frames the software security problem and shows how static analysis is part of the solution. We will look at how static analysis works, how to integrate it into the software development processes, and how to make the most of it during security code review. Along the way we'll look at examples taken from real-world security incidents, showing how coding errors are exploited, how they could have been prevented, and how static analysis can rapidly uncover similar errors.<br/><br />
Brian Chess is a founder of Fortify Software and serves as Fortify's Chief Scientist, where his work focuses on practical methods for creating secure systems. His book, Secure Programming with Static Analysis, shows how static source code analysis is an indispensable tool for getting security right. Brian holds a Ph.D. in computer engineering from the University of California at Santa Cruz, where he studied the application of static analysis to the problem of finding security-relevant defects in source code. Before settling on security, Brian spent a decade in Silicon Valley working at huge companies and small startups. He has done research on a broad set of topics, ranging from integrated circuit design all the way to delivering software as a service.<br/><br />
<br/><br />
21.00 - 21:30 '''Discussion, questions and social'''<br/><br />
<br/><br />
'''Registration'''<br/><br />
If you want to attend, please send an email to: owasp@irc2.com.<br/><br />
<br/><br />
All OWASP chapter meetings are free of charge and you don’t have to be an OWASP member to attend. There are never any vendor pitches or sales presentations at OWASP meetings.<br/><br />
<br/><br />
NOTE TO CISSP's: OWASP Meetings count towards CPE Credits.<br/><br />
<br/><br />
<br />
== Meeting minutes December 20th 2007 ==<br />
<br />
At December 20th, the Dutch OWASP chapter came together at the office of ps_testware located in Doorn. The subject of the evening was 'creating secure (web)applications. There were 3 speakers and close to 30 attendees <br/><br />
<br/><br />
'''First presentation:''' Practices of developing optimal security (dutch), Andre Post<br/><br />
Andre talked from his rich experience as software auditor and code reviewer. Based on his experience he stated that developing good, secure software can only be done with developers with the right set of mind. Security should not be tested into the software, but should be a natural thing for developers to develop into the software. For this you need developers who know by heart when security flaws start to exist and how to prevent them. Developers with the necessary experience are rare and often developer teams do not have the right expertise for developing secure software. The most important conclusion of his speech was that secure software starts with security aware developers.<br/><br />
<br/><br />
'''Second presentation:''' Problems of developing secure and correct applications (dutch), Erik Poll<br/><br />
Erik Poll stated that besides having developers who are aware of security, you should also have developers that now the limitations and inherent security leaks of the used language. One of the problems is that many developers are not taught the inherent security holes in programming languages during their education. <br/><br />
Another problem is that software is often made secure for the wrong reasons. At this moment only two reasons appear to be the drive behind developing secure software: economics and laws. Security is mostly of secondary concern and as such will only be implemented at minimum requirements. Bad examples of big companies who develop insecure software and still be successful even further restrict the demand for secure software.<br/><br />
On the positive side many developers make the same mistakes so testing for common security holes can easily be done with checklists and validation tools. These validation tools can be made more successful with the use of metatags in the code.<br/><br />
Erik concluded his speech that improving the secureness of software can only be achieved when there is commitment, the knowledge is available and software is developed and implemented with a secure mind. <br/><br />
<br/><br />
'''Third presentation:''' Protecting Web services and Web applications against security threats, Rix Groenboom<br/><br />
The third presentation was about a problem which probably will become bigger and bigger the coming years. Although security might be in the scope when developing software at this moment, it certainly was not a requirement 20 or more years ago. Despite their intrinsic insecureness, these systems are connected more and more to the world wide web to meet de demands for online availability. This imposes a major security risk which will become more evident in the years to come and might become bigger than the Y2K problem. Unlike modern software, these applications can only be made secure enough by using advanced testing strategies combined with the use of test-tools and thorough regression tests. Testing alone however is not enough; to accomplish maximum secureness all connections to these systems should be based on a 'deny unless' instead of an 'allow unless' basis. <br/><br />
The conclusion of Rix's talk was that old systems connected to new interfaces should be treated as insecure and all possible precautions should be taken to achieve an acceptable level of secureness.<br/><br />
<br />
== Meeting December 20th 2007: Secure Development ==<br />
'''Summary'''<br/><br />
The main goal of the upcoming OWASP-NL meeting is to provide information to developers and security professionals involved in creating secure (web-)applications. The general and specific security issues involved on project and programming level will be covered from a practical as well as a theoretical point of view. The speakers will give specific examples and of course there is time to ask questions about your own experiences.<br/><br />
Please register before December the 14th because of the necessary catering arrangements.<br/><br />
<br/><br />
'''Location'''<br/><br />
The location and catering is provided by the sponsor of this meeting:<br/><br />
<table><br />
<tr><br />
<td width="350"><br />
ps_testware B.V.<br/><br />
Dorpsstraat 26,<br/><br />
3941 JM DOORN<br/><br />
</td><br />
<td width="350"><br />
[[Image:Pstestware.jpg|100px]]<br />
</td><br />
</tr><br />
<tr><br />
<td width="350"><br />
The location has parking facilities for 15 cars. However parking in the direct vicinity of ps_testware shouldn’t be a problem.<br/><br />
</td><br />
<td width="350"><br />
ps_testware delivers services related to software testing and software quality. In the field of software development, quality, time-to-market, business processes and software acceptance they play the role of "your devil's advocate" as an independent, flexible and specialized partner.<br/><br />
For more information please visit: www.pstestware.com.<br/><br />
</td><br />
</tr><br />
</table><br />
<br/><br />
<br/><br />
'''Program'''<br/><br />
17.30 - 18.30 '''Check-In''' (catering included)<br/><br />
<br/><br />
18.30 – 19:00 '''Introduction''' (OWASP organization, projects, sponsor)<br/><br />
<br/><br />
19.00 - 19.30 '''Practices of developing optimal security''' (dutch), Andre Post<br/><br />
This presentation highlights a number of current practices that lead to sub-optimal security, and suggests ways of avoiding these problems, focusing on the technical side of development.<br/><br />
André Post works for Fox-IT on a variety of projects including core product development, software architecting, security code reviews, and software project management.<br/><br />
<br/><br />
19.30 – 19:45 '''Break'''<br/><br />
<br/><br />
19:45 – 20:30 '''Problems of developing secure and correct applications''' (dutch), Erik Poll [http://www.cs.ru.nl/~erikpoll/talks/OWASP2007.pdf (slides of the presentation)]<br />
<br/><br />
This presentation will discuss different possibilities to improve software security. The problem of getting time and money available to be spend on security, not only for developing applications, but also for developing programming languages, will be raised.<br/><br />
Erik Poll is head of the Security of Systems (SoS) group at the Radboud University of Nijmegen. His research does focus on the security and correctness of software.<br/><br />
<br/><br />
20.30 - 21.00 '''Protecting Web services and Web applications against security threats''' (dutch), Rix Groenboom<br/><br />
During this session, Rix will explore how to implement development and security best practices in the code to make sure that your webservices and applications perform solidly when they are being hacked or used in malicious ways.<br/><br />
Rix Groenboom supports fortune 2000 companies in field automated software error prevention and correction for Parasoft. His main area of expertise is in the use of formal languages for the specification, design and validation of software applications.<br/><br />
<br/><br />
21.00 – 21:30 '''Discussion, questions and social'''<br/><br />
<br/><br />
All OWASP chapter meetings are free of charge and you don’t have to be an OWASP member to attend. There are never any vendor pitches or sales presentations at OWASP meetings.<br/><br />
<br/><br />
NOTE TO CISSP's: OWASP Meetings count towards CPE Credits.<br/><br />
<br/><br />
The announcement and full descriptions can be found here:<br/><br />
[[Media:Announcement_20_December.pdf]]<br/><br />
[[Media:Announcement_20_December_2.pdf]]<br/><br />
<br />
== Meeting September 13th: putting initiatives into practice ==<br />
<br />
The main goal of the next OWASP meeting is finding a way to put initiatives and all offered help into a form of structural benefit for the OWASP Netherlands local chapter. As a starting point for the discussion, examples will be taken from other European chapters and input delivered by discussions that take place on the mailing list is considered too. Let this be a call to put your ideas on the mailing list before the next meeting!<br/><br />
<br/><br />
The location is provided by the sponsor of this meeting:<br/><br />
Comsec Consulting BV<br/><br />
Rivium Boulevard 102<br/><br />
2909LK Capelle aan den IJssel<br/><br />
<br/><br />
The agenda:<br/><br />
18.00 - 18.30 Check-In (catering included)<br/><br />
18.30 - 18.45 OWASP update, Bert Koelewijn<br/><br />
18.45 - 19.15 Security Best Practices for .NET, Boaz Shunami<br/><br />
19.15 - 20.00 Discussion: collecting ideas and initiatives<br/><br />
20.00 - 20.15 Coffee break<br/><br />
20.15 - 21.00 Discussion: how to enable community commitment<br/><br />
21.00 - 21.30 Closing discussion and coffee<br/><br />
<br/><br />
Boaz Shunami<br/><br />
Boaz is manager of the Application Security department of Comsec Europe. He has 11 years of experience in the IT Security field, and a large part of them in Application Security.<br/><br />
Boaz did numerous application security audits in very large organizations and is recognized as one of the greatest expert’s world wide. Boaz' expertise is broad, but especially in-depth for the .NET platform.<br/><br />
<br/><br />
Discussion input (until now)<br/><br />
- division of local chapter work load by multiple people<br/><br />
- collaboration with other organizations<br/><br />
<br/><br />
If you want to attend send an email to owasp@irc2.com.<br/><br />
<br/><br />
All OWASP chapter meetings are free, there are never vendor pitches or sales presentations at OWASP meetings.<br/><br />
<br/><br />
NOTE TO CISSP's: OWASP Meetings count towards CPE Credits.<br/><br />
<br />
== Meeting minutes Januar 11th 2007 ==<br />
<br />
January 11th, the Dutch OWASP chapter came together at the office of Sogeti Netherlands. Subject of the evening was 'putting software security into practice'. The group was small but select.<br/><br />
<br/><br />
The agenda:<br/><br />
18.00 - 18.30 Check-In (catering included)<br/><br />
18.30 - 18.45 Sponsor opening<br/><br />
18.45 - 19.00 OWASP update, Bert Koelewijn<br/><br />
19.00 - 19.30 Implementation of Security by Design, Martin Knobloch<br/><br />
19.30 - 19.45 Panel introduction<br/><br />
19.45 - 20.00 Coffee break<br/><br />
20.00 - 21.30 Panel discussion<br/><br />
<br/><br />
After being welcomed by Frank Langeveld from Sogeti and Bert Koelewijn, Dutch chapter leader, the evening started with the presentation 'Security By Design'. During the presentation Martin Knobloch told about his experiences during the implementation of the Secure Development Life Cycle in a company like Sogeti Nederland B.V.<br/><br />
<br/><br />
The presentation is available here:<br/><br />
[[Media:Implementation_of_Security_by_Design.ppt]]<br/><br />
<br/><br />
After a small break, the panel discussion started with the following panel: Henk van der Heijden - Comsec Consulting, Dr.ir. Mario de Boer - LogicaCMG and Martin Knobloch - Sogeti Nederland.<br/><br />
During the discussion, it became clear people are struggling to get the Secure Development Life Cycle implemented in their company. The various experiences were shared with the panel and the others. Company typical problems and common misunderstandings about Software security where brought up.<br/><br />
The consensus of the discussion was that the main problem lies in the lack of security awareness and knowledge of the managers and the developers. And this of course is exactly where OWASP comes in…<br/><br />
<br/><br />
<br />
== Meeting Januar 11th 2007 ==<br />
<br />
The OWASP meeting of 11 January is about putting software security into practice. A lot of books, standards, organizations and consultants tell us how we should develop secure software. But which methods and measures are commonly adopted and which are not and why?<br/><br />
This will be the main focus of the discussion that we will have with a panel of people that experienced implementing software security in the field.<br/><br />
<br/><br />
The location is provided by the sponsor of this meeting:<br/><br />
Sogeti Nederland B.V.<br/><br />
"La Charmille" building<br/><br />
Lange Dreef 17<br/><br />
4131 NJ Vianen<br/><br />
<br/><br />
The agenda:<br />
<br/><br />
18.00 - 18.30 Check-In (catering included)<br/><br />
18.30 - 18.45 Sponsor opening<br/><br />
18.45 - 19.00 OWASP update, Bert Koelewijn<br/><br />
19.00 - 19.30 Implementation of Security by Design, Martin Knobloch<br/><br />
19.30 - 19.45 Panel introduction<br/><br />
19.45 - 20.00 Coffee break<br/><br />
20.00 - 21.30 Panel discussion<br/><br />
<br/><br />
Implementation of Security by Design<br/><br />
What is needed to implement a 'Secure Development Life Cycle' within Sogeti Nederland? The speaker started a project called 'Security by Design' in march 2006 implementing a SDLC at Sogeti Nederland.<br/><br />
In his presentation, the speaker will share his technical and organizational experiences that he gained with the still ongoing implementation.<br/><br />
<br/><br />
About the speaker<br/><br />
Martin Knobloch has more than 8 years experience in design and development of J2EE applications for customers in various sectors of the market. In September 2003 Martin Knobloch started working for Sogeti Nederland, where he does the design, development and review of J2EE applications and architectures.<br/><br />
From this background, Martin Knobloch experienced the threats of insecure software firsthand. In march 2006, Martin Knobloch started implementing a SDLC within Sogeti Nederland.<br/><br />
<br/><br />
Panel discussion<br/><br />
The panel members are:<br/><br />
Henk van der Heijden, Managing Director - Comsec Consulting B.V.<br/><br />
Dr.ir. Mario de Boer, Security Consultant - LogicaCMG<br/><br />
Martin Knobloch, Senior Technologie Specialist - Sogeti Nederland B.V.<br/><br />
<br/><br />
In the discussion, we will try to find answers to questions like:<br/><br />
- What are the most common security practices in software development?<br/><br />
- How effective are those practices?<br/><br />
- Where do we start practicing security?<br/><br />
- What should be the most common security practices in software development?<br/><br />
- How much does security cost?<br/><br />
- How does the Systems Security Engineering Capability Maturity Model (SSE-CMM) fit in?<br/><br />
<br/><br />
If you want to attend send an email to owasp@irc2.com.<br/><br />
<br/><br />
All OWASP chapter meetings are free, there are never vendor pitches or sales presentations at OWASP meetings.<br/><br />
<br/><br />
NOTE TO CISSP’s: OWASP Meetings count towards CPE Credits.<br/><br />
<br />
== Meeting minutes March 9thh 2007 ==<br />
<br />
On 9 march, the second meeting of OWASP Netherlands local chapter took place. GetronicsPinkRoccade provided the venue, in their luxury conference centre: Connection I.<br/><br />
<br/><br />
Agenda:<br/><br />
18.00 - 18.45 Check-In (bread & drinks)<br/><br />
18.45 - 19.00 Opening<br/><br />
19.00 - 20.00 Improving Security in the Application Development Life-cycle, Migchiel de Jong<br/><br />
20.00 - 20.15 Coffee break<br/><br />
20.15 - 22.00 Form focus groups<br/><br />
<br/><br />
The presentation of Migchiel de Jong was found very interesting by the audience. At the end of his presentation, he demonstrated a static code analysis of the OWASP webgoat application.<br/><br />
<br/><br />
After the coffee break, the attendances started discussing about the largest common topics of interest in the web application security field, in relation to the OWASP Netherlands chapter. As a result, the following focus groups are formed:<br/><br />
<br/><br />
Testing<br/><br />
The current OWASP Testing project and the Open Source Security Testing Methodology Manual of ISECOM, provide guidelines and best practices for testers. These guidelines can be used to formalize a standard structure and a set of minimum requirements for a security test. Clients could ask a tester to adhere to these guidelines.<br/><br />
A second idea is to standardize the testing results management report. In practice, testing could result in piles of paper with all the findings. The real value is reporting it in a usable way. For example: mapping technical findings to business risks.<br/><br />
<br/><br />
Frans v. Buul<br/><br />
Peter Gouwentak<br/><br />
Arthur Donkers<br/><br />
Eelco Klaver<br/><br />
Migchiel de Jong<br/><br />
Mario de Boer<br/><br />
<br/><br />
First focus group meeting: Monday 27 march, 18:00h, PwC Utrecht<br/><br />
<br/><br />
<br/><br />
Public Relations<br/><br />
This focus group will try to make business aware of the security impact that developing, hosting and using web applications has. What OWASP is and how OWASP can help. This can be done by giving presentations, writing papers and articles, word of mouth, etc. etc.<br/><br />
<br/><br />
Remco Bakker<br/><br />
Ronald Eygendaal<br/><br />
Bas van Vossen<br/><br />
Edwin van Vliet<br/><br />
Eelco Klaver<br/><br />
<br/><br />
First presentation of OWASP materials: Edwin van Vliet, TestNet - Voorjaarsevenement, 5 april<br/><br />
First focus group meeting: To be planned!<br/><br />
<br/><br />
<br/><br />
Education<br/><br />
OWASP and universities/schools could benefit from working together. For example:<br/><br />
- OWASP provides lot's of materials usable in colleges.<br/><br />
- Develop OWASP training course.<br/><br />
- Students can participate in OWASP projects<br/><br />
- OWASP can provide a platform for supporting research. Such as thesis projects, etc.<br/><br />
- OWASP representatives could provide guest colleges.<br/><br />
<br/><br />
Ronald Eygendaal<br/><br />
Erik Poll<br/><br />
Bas van Vossen<br/><br />
Edwin van Vliet<br/><br />
<br/><br />
First focus group meeting: To be planned!<br/><br />
<br/><br />
The presentation is available here:<br/><br />
[[Media:OWASP_NL_Fortify_Software.pdf]]<br/><br />
<br />
== Meeting March 9th 2007: Second meeting of the OWASP Netherlands local chapter! ==<br />
<br />
In this second meeting focus groups are to be formed, to discuss common problems, develop and research common solutions in a vendor neutral environment. So this is a very good opportunity to get in contact with others, to exchange knowledge and experiences on specific topics.<br/><br />
<br/><br />
For every focus group the following questions has to be answered:<br/><br />
1. Which specific topic is to be addressed?<br/><br />
2. What are the deliverables?<br/><br />
3. What is the relation to OWASP? (Current projects, materials, expertise and knowledge interchange, etc.)<br/><br />
4. Who is the central contact of the subgroup?<br/><br />
<br/><br />
It would be nice to have a bigger and more diverse group, compared to the first meeting. So let's recall: "Please, bring at least one friend, next time." And don't hesitate to send this announcement to everybody who may be interested!<br/><br />
<br/><br />
We thank Getronics PinkRoccade for offering us a venue:<br/><br />
Getronics PinkRoccade<br/><br />
Fauststraat 1<br/><br />
7323 BA Apeldoorn <br/><br />
<br/><br />
The agenda:<br/><br />
18.00 - 18.30 Check-In<br/><br />
18.30 - 18.45 Opening<br/><br />
18.45 - 19.30 Improving Security in the Application Development Life-cycle, Migchiel de Jong<br/><br />
19.30 - 20.00 Collecting focus group initiatives<br/><br />
19.45 - 20.00 Coffee break<br/><br />
20.00 - 21.00 Form focus groups<br/><br />
<br/><br />
Presentation Abstract<br/><br />
Rather than spending large amounts of time and money on proving that we have security vulnerabilities after programs go into production, companies should go to the source and correct vulnerabilities as early as possible in the development stage. It is unquestionably faster, simpler, and cheaper for developers to correct vulnerabilities as they build programs.<br/><br />
But how can development management ensure that developers focus on security when there is no time or budget for security at the development stage? Even with the correct focus, how can they learn what to look for? How can they stay ahead of the dedicated and resourceful hacker?<br/><br />
The answer is effective processes and better tools. With advanced software security tools, a developer can pinpoint vulnerabilities in a matter of seconds — the same vulnerabilities that would take a hacker or manual code reviewer weeks or even months to find. These same tools can give development and information security managers useful metrics on application vulnerabilities before they are released into deployment.<br/><br />
This talk will walk through the Application Development Life-Cycle and discuss how tools can help come to grips with software security issues in a particular phase.<br/><br />
<br/><br />
About the presenter<br/><br />
Migchiel de Jong has developed hardware and software for 10 years before joining Rational Software. During the 5 years at Rational Software (later acquired by IBM) he was involved in many software development process improvement projects. Currently Migchiel de Jong is working at Fortify Software, Palo Alto, California, as a software security engineer.<br/><br />
<br/><br />
If you want to attend send an email to owasp@irc2.nl. Please don't wait, 9 march is not that long anymore!<br/><br />
<br/><br />
All OWASP chapter meetings are free, there are never vendor pitches or sales presentations at OWASP meetings.<br/><br />
<br/><br />
NOTE TO CISSP’s: OWASP Meetings count towards CPE Credits.<br/><br />
<br />
== OWASP Netherlands kick-off meeting minutes ==<br />
<br />
On 17 November, OWASP Netherlands had it's first meeting. We moved to a bigger location, the Mercure hotel in Nieuwegein, to host all the 35 attendees.<br/><br />
<br/><br />
The agenda:<br/><br />
18.00 - 18.30 Check-In (bread & drinks)<br/><br />
18.30 - 18.45 Chapter opening<br/><br />
18.45 - 19.30 Presentation - 'Top tien web applicatie kwetsbaarheden in J2EE', Eelco Klaver<br/><br />
19.30 - 19.45 Presentation - 'Veilige webapplicaties boven alles', Mike Wardi<br/><br />
19.45 - 20.00 Coffee break<br/><br />
20.00 - 21.00 Discussion - About the OWASP Netherlands local chapter<br/><br />
<br/><br />
The discussion took place in a 'round table' session, where all attendees were able to take part. The focus of the discussion was how to give the OWASP Netherlands local chapter additional value, next to the OWASP project. What the goals and tasks will be. And which actions will have to be taken at short term.<br/><br />
Different people have interest in different subjects. In general meetings there is no time to address all subjects and address them specific enough. Therefore subgroups can be formed, focusing on specific topics. They can have their own communication channel and meetings, but should keep close contact with the OWASP body.<br/><br />
<br/><br />
An inventarisation:<br/><br />
<br/><br />
Discussion Topics<br/><br />
- Awareness: writing articles, press publications, interviews<br/><br />
- Education: contact universities, schools and their common boards. Develop and gather education materials.<br/><br />
- General: discuss ideas for OWASP NL<br/><br />
<br/><br />
Focusgroup Topics<br/><br />
- (dutch) metrics project<br/><br />
- (dutch) legal project<br/><br />
- standard framework for pentest reports<br/><br />
- safe outsourcing<br/><br />
<br/><br />
Actions that should be taken on short term are:<br/><br />
- provide communication channels<br/><br />
- plan next (sub)meetings<br/><br />
- start discussions and focusgroups<br/><br />
<br/><br />
The presentations are available here:<br/><br />
<br/><br />
[[Media:OWASP_NL_Top_Ten_Web_Application_Vulnerabilities_in_J2EE.pdf]]<br/><br />
[[Media:OWASP_NL_Veilige_Web_App_Boven_Alles.pdf]]<br/><br />
<br />
== You are welcome to the OWASP Netherlands local chapter kick-off meeting! ==<br />
<br />
Thursday, November 17th (2005) at 18.00h.<br/><br />
<br/><br />
ATTENTION! Because of the large amount of attendees, the location has changed:<br/><br />
<br/><br />
Hotel Mercure Utrecht/Nieuwegein<br/><br />
Buizerdlaan 10<br/><br />
3435 SB NIEUWEGEIN<br/><br />
Tel: 00 31 (0) 30 60 84 122<br/><br />
Fax: 00 31 (0) 30 60 38 374<br/><br />
<br/><br />
This first meeting will be an introduction to the OWASP. A constructive discussion will be held about the actual form of the OWASP Netherlands local chapter.<br/><br />
<br/><br />
The agenda:<br/><br />
18.00 - 18.30 Check-In (bread & drinks)<br/><br />
18.30 - 18.45 Chapter opening<br/><br />
18.45 - 19.30 Presentation - 'Top tien web applicatie kwetsbaarheden in J2EE', Eelco Klaver<br/><br />
19.30 - 19.45 Presentation - 'Veilige webapplicaties boven alles', Mike Wardi<br/><br />
19.45 - 20.00 Coffee break<br/><br />
20.00 - 21.00 Discussion - About the OWASP Netherlands local chapter<br/><br />
<br/><br />
About the presenters<br/><br />
<br/><br />
Eelco Klaver<br/><br />
Eelco Klaver is a senior consultant for Xebia IT Architects, since 2003. Doing software reviews, security audits and giving security workshops are part of his job. He has almost 10 years experience with developing enterprise applications in J2EE for different employees. At the moment, Eelco is the front man of the security business unit for Xebia, focussing on the security aspects of enterprise applications build on J2EE.<br/><br />
<br/><br />
Mike Wardi<br/><br />
Mike Wardi is an internet application manager for a financial institute. He's responsible for the safety of internet applications provided to customers and the implementation of the security policies in software developement.<br/><br />
<br/><br />
<br/><br />
If you want to attend, please send an email to owasp-nl@ascure.com or the mailing list.<br/><br />
<br/><br />
All OWASP chapter meetings are free! There are never vendor pitches or sales presentations at OWASP meetings.<br/><br />
<br/><br />
NOTE TO CISSP’s: OWASP Meetings count towards CPE Credits.<br/><br />
<br/></div>Dvsteinhttps://wiki.owasp.org/index.php?title=Netherlands&diff=46557Netherlands2008-11-19T16:58:44Z<p>Dvstein: /* 9 March: Second meeting of the OWASP Netherlands local chapter! */</p>
<hr />
<div>{{Chapter Template|chaptername=Netherlands|extra=The chapter leader is [mailto:owasp@irc2.nl Bert Koelewijn]<br />
<paypal>Netherlands</paypal><br />
|mailinglistsite=http://lists.owasp.org/mailman/listinfo/owasp-netherlands|emailarchives=http://lists.owasp.org/pipermail/owasp-netherlands}}<br />
<br />
== Meeting schedule 2008 ==<br />
This is an overview of the 2008 local chapter meeting schedule. Details of the meetings can be found in the announcements that will be posted below this schedule.<br />
<pre><br />
March 26th<br />
----------<br />
Time : 17.30 - 21.30<br />
Main Topic : Software Vulnerability assessment<br />
Presentations: Complex(ity) matters, Mario de Boer (Dutch)<br />
V.A.C. SQL injection, Marinus Kuivenhoven (Dutch)<br />
Secure Programming with Static Analysis, Brian Chess (English) <br />
Location : Mercure Utrecht Nieuwegein, Buizerdlaan 10, 3435 SB Nieuwegein<br />
Sponsor : Fortify Software<br />
<br />
Oktober 27th<br />
----------<br />
Time : 17.30 - 21.30<br />
Main Topic : Privacy and the Internet<br />
Presentations: Privacy and Internet (Dutch), Frank Fruijthoff and Ellen Hoving<br />
Vulnerability and source code scanners. (Dutch) Emile Strijbos <br />
Location : ps_testware B.V., Dorpsstraat 26, 3941 JM DOORN<br />
Sponsor : ps_testware B.V.<br />
</pre><br />
== Meeting minutes October 27th 2008 ==<br />
<br />
At October 27th, the Dutch OWASP chapter came together at the office of the sponsor of the evening; ps_testware in Doorn. The subject of the evening was 'Privacy and the Internet’. There were 2 speakers and approximately 25 attendees.<br/><br />
<br/><br />
After a short welcome talk by both the sponsor and OWASP, Mario de Boer had an announcement about a new OWASP project; ORPRO, the Open Review Project. The goal of the project is to review Open Source Software from an independent point of view. Reviews will be done both manually and with the aid of source code analysis software provided by Fortify. The first software package to be reviewed is already available so reviewers are needed. More information can be found on the OWASP project page. [http://www.owasp.org/index.php/Category:OWASP_Open_Review_Project]<br/><br />
<br/><br />
'''First presentation:''' Privacy & the Internet presented by Frank Fruijthoff and Ellen Hoving. <br/><br />
The goal of this presentation was to show the problems in regulating privacy on the internet by law. The presentation was roughly split in 3 parts: definitions, requirements and context. <br/><br />
The main problem with regulating privacy is that the concept of privacy is very broad and not well defined. Privacy can have different meanings and consequences in different contexts. Most laws therefore focus on the individual and define privacy as 'protection of personal information' where 'personal information' is all data that can be tracked back to a single person. The last years many countries within the EU developed internet laws concerning privacy on the internet. These laws state that information can only be used what it originally was intended for and usage of that information must be reported at central register. This register also makes it possible to file a complaint and check what companies use personal information for what purposes. While these rules are mostly sufficient for local databases they often fail when applied to information stored on or with use of the internet. Problems encountered are captured in the "four D's";<br/><br />
- Internet is deterritorialized; internet has no boundaries.<br/><br />
- Internet is deregulated; internet has no law, only terms of use.<br/><br />
- Internet is dematerialized; internet is not physical.<br/><br />
- Internet is decentralized; there is no single regulating or controlling organization.<br/><br />
Although the protection of personal data is more and more covered by laws, the increasing usage of external storage and connections over the internet will make it harder to enforce them. The main conclusion of the evening was that, although many initiatives improving privacy exist, the very properties of the internet make it hard to ensure privacy completely. <br/><br />
<br/><br />
'''Second presentation:''' Vulnerability and source code scanners presented by E. Strijbos. This presentation showed the results of a research concerning the feasibility of a Web Application Security Certification by the usage of vulnerability scanners.<br/><br />
With the daily increasing amount of threads and vulnerabilities in web applications there is a market-driven demand for an independent and automated scan service. Current scan services often lack coverage and depth of scanning and give no details about the used scanning methods.<br/><br />
In this research several commercial vulnerability scanners and static analysis tools were compared and checked for scantime, accuracy, false positives, and ease of use. The results showed that almost all scanners find most of the vulnerabilities, but also produce many false positives. Also, without proper configuration the amount of results can be overwhelming and inconclusive. Furthermore results showed that static analysis scanners are much faster than vulnerability scanners, but have a more limited usage. The main conclusion was that although vulnerability scanners and static analysis tools can be very helpful in identifying vulnerabilities, their current efficiency is not high enough to use as the basis for an automated vulnerability scan.<br/><br />
<br />
== Meeting October 27th 2008: Privacy and the Internet ==<br />
'''Summary'''<br/><br />
The main goal of the upcoming OWASP-NL meeting is to provide information to developers and security professionals about personal and technical privacy on the internet. The speakers focus on privacy regulations related to the internet and on the mass amount of personal and technical information available about persons and companies on the internet, with and without their consent. Furthermore tools will be discussed that help prevent leakage of privacy related and other kind of data. They will give specific examples and there will be time to ask questions.<br/><br />
Please register before October 20th because of the necessary catering arrangements.<br/><br />
<br/><br />
'''Location'''<br/><br />
The location and catering is provided by the sponsor of this meeting:<br/><br />
<table><br />
<tr><br />
<td width="350"><br />
ps_testware B.V.<br/><br />
Dorpsstraat 26,<br/><br />
3941 JM DOORN<br/><br />
</td><br />
<td width="350"><br />
[[Image:Pstestware.jpg|100px]]<br />
</td><br />
</tr><br />
<tr><br />
<td width="350"><br />
The location has parking facilities for 15 cars. However parking in the direct vicinity of ps_testware shouldn’t be a problem.<br/><br />
</td><br />
<td width="350"><br />
ps_testware delivers services related to software testing and software quality. In the field of software development, quality, time-to-market, business processes and software acceptance they play the role of "your devil's advocate" as an independent, flexible and specialized partner.<br/><br />
For more information please visit: www.pstestware.com.<br/><br />
</td><br />
</tr><br />
</table><br />
<br/><br />
<br/><br />
'''Program'''<br/><br />
17.30 - 18.30 '''Check-In''' (catering included)<br/><br />
<br/><br />
18.30 – 19:00 '''Introduction''' (OWASP organization, projects, sponsor)<br/><br />
<br/><br />
19.00 - 20.15 '''Privacy and Internet''' (Dutch), Frank Fruijthoff and Ellen Hoving<br/><br />
In this presentation the general principles of privacy laws in the Netherlands and the EU and specifically privacy and the internet will be covered.<br/><br />
Frank Fruijthoff is a Compliance Officer with ING. He has a Compliance and Risk Management background and is specialised in privacy.<br/><br />
Ellen Hoving is a graduated lawyer. She works as an independent consultant specialized in compliance and privacy.<br/><br />
<br/><br />
20.15 – 20:30 '''Break'''<br/><br />
<br/><br />
20:30 – 21:00 '''Vulnerability and source code scanners''' (Dutch), Emile Strijbos<br />
<br/><br />
For his Master thesis in computer science at the Radboud Universiteit in Nijmegen, Emile Strijbos investigated vulnerability scanners and source code scanners. These are automated tools that try to detect security flaws, either in running web-applications or in their source code.<br/><br />
Emile tried out several of these tools, including both free and commercial ones, to see how good they are at detecting standard vulnerabilities, such as SQL injection, XSS, CSRF, etc.<br/><br />
<br/><br />
21.00 – 21:30 '''Discussion, questions and social'''<br/><br />
<br/><br />
If you want to attend, please send an email to: owasp@irc2.com.<br><br />
Please register before October 20th, because of the necessary catering arrangements. The number of registries is limited to 50 due to the capacity of the location and will be handled in order of receipt.<br/><br />
<br/><br />
All OWASP chapter meetings are free of charge and you don’t have to be an OWASP member to attend. There are never any vendor pitches or sales presentations at OWASP meetings.<br/><br />
<br/><br />
NOTE TO CISSP's: OWASP Meetings count towards CPE Credits.<br/><br />
<br/><br />
The announcement and full descriptions can be found here:<br/><br />
[[Media:Announcement_27_Oktober.pdf]]<br/><br />
<br />
== Meeting minutes March 23th 2008 ==<br />
<br />
At March 23th, the Dutch OWASP chapter came together in the Mercury hotel in Nieuwegein. The meeting was sponsored by Fortify Software. The subject of the evening was 'Software Vulnerability Assesment’. There were 3 speakers and approximately 40 attendees.<br/><br />
<br/><br />
After a short introduction of Migchiel de Jong (Fortify) about the subject of Static and Dynamic Analysis and the tools that Fortify provides the speakers of the evening where introduced.<br/><br />
<br/><br />
'''First presentation:''' Practices of Complex(ity) matters (Dutch), Mario de Boer<br/><br />
Mario de Boer has spent much of his free time the last 16 years into disassembling various pieces of software and analyzing the code and its statistics. The main advantage in analyzing binaries is that no access to source code is needed, all dependencies (i.e. the compiler) are included and it’s independent of the tool used. Disassembling compiled code gives great insight in the complexity of the software and the entry and exit points of data. Although there is no direct relation between the complexity of software and its security, statistically the most vulnerabilities appear in the most complex portions of a program. Data entry points in complex portions of the code can give rise to possible exploits so static analysis can give insight in the most vulnerable places in software which is useful information in testing.<br />
The disadvantages of static analysis are that an extensive knowledge of assembly is needed and, due to its statistic nature, it gives rise to many false positives. <br />
In conclusion static binary analysis, when used by experts, can be a powerful tool to gain insight in the most vulnerable parts of the software and be a valuable tool in both developing and testing software. <br/><br />
<br/><br />
'''Second presentation:''' V.A.C: SQL injection (Dutch), Marinus Kuivenhoven<br/><br />
A new reoccurring topic on OWASP presentations will be the so called VAC. In these presentations an expert will talk about a Vulnerability, how to Assess it and possible Countermeasures. This evening Marinus started with the second vulnerability in the OWASP top ten; SQL injections.<br/><br />
With the aid of Webgoat, a few simple examples and the possible consequences were shown. SQL injection is particularly useful exploit in the reconnaissance phase since it can be abused for information leakage and in getting information about e.g. the table structure. <br/><br />
On the internet and in literature many countermeasures against SQL injections are described. However, many of these countermeasures are not usable in a maintainable system or cannot prevent SQL injections completely. The most important conclusion was that input should never be trusted and should never be directly used.<br/><br />
<br/><br />
'''Third presentation:''' Secure Programming with Static Analysis (English), Brian Chess<br/><br />
The last speaker of the evening was Brian Chess who presented his new book ‘Secure Programming with Static Analysis’. Brian made clear that, although a powerful tool, static binary analysis is already too late in the SDLC to be successful in preventing vulnerabilities. Scanning for possible vulnerabilities should be implemented as early as possible i.e. during coding. The main advantages of static analysis are the cost and speed. Since errors and bad practices are identified in an early stage they can be solved at the spot, making auditing the software more efficient in term of time and depth. <br/><br />
Static analysis can successfully be used for style and type checking, program understanding and verification, and for security reviews. The success of static analysis, however, is fully depending on the rules implemented in the scanner. Static analysis is also unable to identify design flaws, right problems, or wrong user input. <br/><br />
The conclusion was that scanning for vulnerabilities can probably only be successful with the aid of static analysis, but many requirements should be met. Firstly it should become part of the SDLC and culture. Secondly the right tool should be picked and people should be trained in its use. Lastly investments should be made in building up a good rule set and metrics. <br/><br />
<br />
== Meeting March 26th 2008: Software Vulnerability assessment ==<br />
'''Summary'''<br/><br />
The main goal of the upcoming OWASP-NL meeting is to provide information to developers and security professionals involved in creating secure (web-)applications. The main focus will be on software vulnerability assessment. The speakers will give specific examples and of course there is time to ask questions about your own experiences.<br/><br />
<br/><br />
'''Location'''<br/><br />
The location and catering is provided by the sponsor of this meeting:<br/><br />
<table><br />
<tr><br />
<td width="350"><br />
Mercure Utrecht Nieuwegein<br/><br />
Buizerdlaan 10,<br/><br />
3435 SB Nieuwegein<br/><br />
</td><br />
<td width="350"><br />
[[Image:Fortify.JPG|143px]]<br />
</td><br />
</tr><br />
<tr><br />
<td width="350"><br />
</td><br />
<td width="350"><br />
Fortify Software products protect companies from today’s greatest security risk: the software applications that run their businesses. Combining deep application security expertise with extensive software development experience, Fortify Software has defined the market with award-winning products that span the software development cycle. Today, Fortify Software fortifies the software for the most demanding customer deployments, including the world’s largest, most varied code bases.<br/><br />
<br/><br />
For more information please visit:<br/><br />
www.fortify.com<br/><br />
</td><br />
</tr><br />
</table><br />
<br/><br />
<br/><br />
'''Program'''<br/><br />
17.30 - 18.30 '''Check-In''' (catering included)<br/><br />
<br/><br />
18.30 - 18:50 '''Introduction''' (OWASP, sponsor)<br/><br />
<br/><br />
18.50 - 19.30 '''Complex(ity) matters''' (Dutch), Mario de Boer<br/><br />
Various methods exist to locate specific vulnerabilities in software. In the presentation we will look at static analysis of binaries, and the problems we face when trying to locate vulnerabilities. Several ideas will be discussed to make the search easier, but at the same time less exact. The first idea is trivial: automate as much as possible. The second idea is nearly trivial: don't aim at exact vulnerabilities but relax the search to locating potential vulnerabilities. We will give examples that illustrate the results.<br/><br />
Mario de Boer is a senior security consultant at Logica, and as such focuses on security management aspects like security frameworks, compliance, monitoring and control and risk management. Before joining Logica, Mario worked at the Dutch ministries of Defense and Justice, he co-founded a security company and worked as a project manager in the financial sector. For several years he taught courses in software security analysis and secure software development. Besides security management, Mario has interest in software security, reverse engineering and cryptography. Within Logica Netherlands, he is knowledge manager application security. Mario holds a PhD in Mathematics and is CISA and CISSP.<br/><br />
<br/><br />
19.30 - 19:50 '''Break'''<br/><br />
<br/><br />
19:50 - 20:20 '''V.A.C: SQL injection''' (Dutch), Marinus Kuivenhoven<br />
<br/><br />
<u>'''V'''ulnerability:</u><br/><br />
An application which uses a database for its information needs, communicates with it trough SQL. SQL injection is an attack in which malicious code is inserted into strings that are later passed to an instance of a Database for parsing and execution.<br/><br />
<u>'''A'''ssessment:</u><br/><br />
SQL injection can threaten the confidentiality, availability and integrity of the data. The various types of SQL injection and their impact will be shown.<br/><br />
<u>'''C'''ountermeasure:</u><br/><br />
Any procedure that constructs SQL statements should be reviewed for injection vulnerabilities because a database will execute all syntactically valid queries that it receives. How this should be done will be shown for the most popular languages.<br/><br />
Marinus is a Technology Specialist with Sogeti Nederland B.V. specializing in service oriented architectures and secure application development. His experience includes developing and administrating Oracle-based systems.<br/><br />
<br/><br />
20.20 - 21.00 '''Secure Programming with Static Analysis''' (English), Brian Chess<br/><br />
Creating secure code requires more than just good intentions. Programmers need to know how to make their code safe in an almost infinite number of scenarios and configurations. Static source code analysis gives users the ability to review their work with a fine tooth comb and uncover the kinds of errors that lead directly to vulnerabilities. This talk frames the software security problem and shows how static analysis is part of the solution. We will look at how static analysis works, how to integrate it into the software development processes, and how to make the most of it during security code review. Along the way we'll look at examples taken from real-world security incidents, showing how coding errors are exploited, how they could have been prevented, and how static analysis can rapidly uncover similar errors.<br/><br />
Brian Chess is a founder of Fortify Software and serves as Fortify's Chief Scientist, where his work focuses on practical methods for creating secure systems. His book, Secure Programming with Static Analysis, shows how static source code analysis is an indispensable tool for getting security right. Brian holds a Ph.D. in computer engineering from the University of California at Santa Cruz, where he studied the application of static analysis to the problem of finding security-relevant defects in source code. Before settling on security, Brian spent a decade in Silicon Valley working at huge companies and small startups. He has done research on a broad set of topics, ranging from integrated circuit design all the way to delivering software as a service.<br/><br />
<br/><br />
21.00 - 21:30 '''Discussion, questions and social'''<br/><br />
<br/><br />
'''Registration'''<br/><br />
If you want to attend, please send an email to: owasp@irc2.com.<br/><br />
<br/><br />
All OWASP chapter meetings are free of charge and you don’t have to be an OWASP member to attend. There are never any vendor pitches or sales presentations at OWASP meetings.<br/><br />
<br/><br />
NOTE TO CISSP's: OWASP Meetings count towards CPE Credits.<br/><br />
<br/><br />
<br />
== Meeting minutes December 20th 2007 ==<br />
<br />
At December 20th, the Dutch OWASP chapter came together at the office of ps_testware located in Doorn. The subject of the evening was 'creating secure (web)applications. There were 3 speakers and close to 30 attendees <br/><br />
<br/><br />
'''First presentation:''' Practices of developing optimal security (dutch), Andre Post<br/><br />
Andre talked from his rich experience as software auditor and code reviewer. Based on his experience he stated that developing good, secure software can only be done with developers with the right set of mind. Security should not be tested into the software, but should be a natural thing for developers to develop into the software. For this you need developers who know by heart when security flaws start to exist and how to prevent them. Developers with the necessary experience are rare and often developer teams do not have the right expertise for developing secure software. The most important conclusion of his speech was that secure software starts with security aware developers.<br/><br />
<br/><br />
'''Second presentation:''' Problems of developing secure and correct applications (dutch), Erik Poll<br/><br />
Erik Poll stated that besides having developers who are aware of security, you should also have developers that now the limitations and inherent security leaks of the used language. One of the problems is that many developers are not taught the inherent security holes in programming languages during their education. <br/><br />
Another problem is that software is often made secure for the wrong reasons. At this moment only two reasons appear to be the drive behind developing secure software: economics and laws. Security is mostly of secondary concern and as such will only be implemented at minimum requirements. Bad examples of big companies who develop insecure software and still be successful even further restrict the demand for secure software.<br/><br />
On the positive side many developers make the same mistakes so testing for common security holes can easily be done with checklists and validation tools. These validation tools can be made more successful with the use of metatags in the code.<br/><br />
Erik concluded his speech that improving the secureness of software can only be achieved when there is commitment, the knowledge is available and software is developed and implemented with a secure mind. <br/><br />
<br/><br />
'''Third presentation:''' Protecting Web services and Web applications against security threats, Rix Groenboom<br/><br />
The third presentation was about a problem which probably will become bigger and bigger the coming years. Although security might be in the scope when developing software at this moment, it certainly was not a requirement 20 or more years ago. Despite their intrinsic insecureness, these systems are connected more and more to the world wide web to meet de demands for online availability. This imposes a major security risk which will become more evident in the years to come and might become bigger than the Y2K problem. Unlike modern software, these applications can only be made secure enough by using advanced testing strategies combined with the use of test-tools and thorough regression tests. Testing alone however is not enough; to accomplish maximum secureness all connections to these systems should be based on a 'deny unless' instead of an 'allow unless' basis. <br/><br />
The conclusion of Rix's talk was that old systems connected to new interfaces should be treated as insecure and all possible precautions should be taken to achieve an acceptable level of secureness.<br/><br />
<br />
== Meeting December 20th 2007: Secure Development ==<br />
'''Summary'''<br/><br />
The main goal of the upcoming OWASP-NL meeting is to provide information to developers and security professionals involved in creating secure (web-)applications. The general and specific security issues involved on project and programming level will be covered from a practical as well as a theoretical point of view. The speakers will give specific examples and of course there is time to ask questions about your own experiences.<br/><br />
Please register before December the 14th because of the necessary catering arrangements.<br/><br />
<br/><br />
'''Location'''<br/><br />
The location and catering is provided by the sponsor of this meeting:<br/><br />
<table><br />
<tr><br />
<td width="350"><br />
ps_testware B.V.<br/><br />
Dorpsstraat 26,<br/><br />
3941 JM DOORN<br/><br />
</td><br />
<td width="350"><br />
[[Image:Pstestware.jpg|100px]]<br />
</td><br />
</tr><br />
<tr><br />
<td width="350"><br />
The location has parking facilities for 15 cars. However parking in the direct vicinity of ps_testware shouldn’t be a problem.<br/><br />
</td><br />
<td width="350"><br />
ps_testware delivers services related to software testing and software quality. In the field of software development, quality, time-to-market, business processes and software acceptance they play the role of "your devil's advocate" as an independent, flexible and specialized partner.<br/><br />
For more information please visit: www.pstestware.com.<br/><br />
</td><br />
</tr><br />
</table><br />
<br/><br />
<br/><br />
'''Program'''<br/><br />
17.30 - 18.30 '''Check-In''' (catering included)<br/><br />
<br/><br />
18.30 – 19:00 '''Introduction''' (OWASP organization, projects, sponsor)<br/><br />
<br/><br />
19.00 - 19.30 '''Practices of developing optimal security''' (dutch), Andre Post<br/><br />
This presentation highlights a number of current practices that lead to sub-optimal security, and suggests ways of avoiding these problems, focusing on the technical side of development.<br/><br />
André Post works for Fox-IT on a variety of projects including core product development, software architecting, security code reviews, and software project management.<br/><br />
<br/><br />
19.30 – 19:45 '''Break'''<br/><br />
<br/><br />
19:45 – 20:30 '''Problems of developing secure and correct applications''' (dutch), Erik Poll [http://www.cs.ru.nl/~erikpoll/talks/OWASP2007.pdf (slides of the presentation)]<br />
<br/><br />
This presentation will discuss different possibilities to improve software security. The problem of getting time and money available to be spend on security, not only for developing applications, but also for developing programming languages, will be raised.<br/><br />
Erik Poll is head of the Security of Systems (SoS) group at the Radboud University of Nijmegen. His research does focus on the security and correctness of software.<br/><br />
<br/><br />
20.30 - 21.00 '''Protecting Web services and Web applications against security threats''' (dutch), Rix Groenboom<br/><br />
During this session, Rix will explore how to implement development and security best practices in the code to make sure that your webservices and applications perform solidly when they are being hacked or used in malicious ways.<br/><br />
Rix Groenboom supports fortune 2000 companies in field automated software error prevention and correction for Parasoft. His main area of expertise is in the use of formal languages for the specification, design and validation of software applications.<br/><br />
<br/><br />
21.00 – 21:30 '''Discussion, questions and social'''<br/><br />
<br/><br />
All OWASP chapter meetings are free of charge and you don’t have to be an OWASP member to attend. There are never any vendor pitches or sales presentations at OWASP meetings.<br/><br />
<br/><br />
NOTE TO CISSP's: OWASP Meetings count towards CPE Credits.<br/><br />
<br/><br />
The announcement and full descriptions can be found here:<br/><br />
[[Media:Announcement_20_December.pdf]]<br/><br />
[[Media:Announcement_20_December_2.pdf]]<br/><br />
<br />
== Meeting September 13th: putting initiatives into practice ==<br />
<br />
The main goal of the next OWASP meeting is finding a way to put initiatives and all offered help into a form of structural benefit for the OWASP Netherlands local chapter. As a starting point for the discussion, examples will be taken from other European chapters and input delivered by discussions that take place on the mailing list is considered too. Let this be a call to put your ideas on the mailing list before the next meeting!<br/><br />
<br/><br />
The location is provided by the sponsor of this meeting:<br/><br />
Comsec Consulting BV<br/><br />
Rivium Boulevard 102<br/><br />
2909LK Capelle aan den IJssel<br/><br />
<br/><br />
The agenda:<br/><br />
18.00 - 18.30 Check-In (catering included)<br/><br />
18.30 - 18.45 OWASP update, Bert Koelewijn<br/><br />
18.45 - 19.15 Security Best Practices for .NET, Boaz Shunami<br/><br />
19.15 - 20.00 Discussion: collecting ideas and initiatives<br/><br />
20.00 - 20.15 Coffee break<br/><br />
20.15 - 21.00 Discussion: how to enable community commitment<br/><br />
21.00 - 21.30 Closing discussion and coffee<br/><br />
<br/><br />
Boaz Shunami<br/><br />
Boaz is manager of the Application Security department of Comsec Europe. He has 11 years of experience in the IT Security field, and a large part of them in Application Security.<br/><br />
Boaz did numerous application security audits in very large organizations and is recognized as one of the greatest expert’s world wide. Boaz' expertise is broad, but especially in-depth for the .NET platform.<br/><br />
<br/><br />
Discussion input (until now)<br/><br />
- division of local chapter work load by multiple people<br/><br />
- collaboration with other organizations<br/><br />
<br/><br />
If you want to attend send an email to owasp@irc2.com.<br/><br />
<br/><br />
All OWASP chapter meetings are free, there are never vendor pitches or sales presentations at OWASP meetings.<br/><br />
<br/><br />
NOTE TO CISSP's: OWASP Meetings count towards CPE Credits.<br/><br />
<br />
== Meeting minutes Januar 11th 2007 ==<br />
<br />
January 11th, the Dutch OWASP chapter came together at the office of Sogeti Netherlands. Subject of the evening was 'putting software security into practice'. The group was small but select.<br/><br />
<br/><br />
The agenda:<br/><br />
18.00 - 18.30 Check-In (catering included)<br/><br />
18.30 - 18.45 Sponsor opening<br/><br />
18.45 - 19.00 OWASP update, Bert Koelewijn<br/><br />
19.00 - 19.30 Implementation of Security by Design, Martin Knobloch<br/><br />
19.30 - 19.45 Panel introduction<br/><br />
19.45 - 20.00 Coffee break<br/><br />
20.00 - 21.30 Panel discussion<br/><br />
<br/><br />
After being welcomed by Frank Langeveld from Sogeti and Bert Koelewijn, Dutch chapter leader, the evening started with the presentation 'Security By Design'. During the presentation Martin Knobloch told about his experiences during the implementation of the Secure Development Life Cycle in a company like Sogeti Nederland B.V.<br/><br />
<br/><br />
The presentation is available here:<br/><br />
[[Media:Implementation_of_Security_by_Design.ppt]]<br/><br />
<br/><br />
After a small break, the panel discussion started with the following panel: Henk van der Heijden - Comsec Consulting, Dr.ir. Mario de Boer - LogicaCMG and Martin Knobloch - Sogeti Nederland.<br/><br />
During the discussion, it became clear people are struggling to get the Secure Development Life Cycle implemented in their company. The various experiences were shared with the panel and the others. Company typical problems and common misunderstandings about Software security where brought up.<br/><br />
The consensus of the discussion was that the main problem lies in the lack of security awareness and knowledge of the managers and the developers. And this of course is exactly where OWASP comes in…<br/><br />
<br/><br />
<br />
== Meeting Januar 11th 2007 ==<br />
<br />
The OWASP meeting of 11 January is about putting software security into practice. A lot of books, standards, organizations and consultants tell us how we should develop secure software. But which methods and measures are commonly adopted and which are not and why?<br/><br />
This will be the main focus of the discussion that we will have with a panel of people that experienced implementing software security in the field.<br/><br />
<br/><br />
The location is provided by the sponsor of this meeting:<br/><br />
Sogeti Nederland B.V.<br/><br />
"La Charmille" building<br/><br />
Lange Dreef 17<br/><br />
4131 NJ Vianen<br/><br />
<br/><br />
The agenda:<br />
<br/><br />
18.00 - 18.30 Check-In (catering included)<br/><br />
18.30 - 18.45 Sponsor opening<br/><br />
18.45 - 19.00 OWASP update, Bert Koelewijn<br/><br />
19.00 - 19.30 Implementation of Security by Design, Martin Knobloch<br/><br />
19.30 - 19.45 Panel introduction<br/><br />
19.45 - 20.00 Coffee break<br/><br />
20.00 - 21.30 Panel discussion<br/><br />
<br/><br />
Implementation of Security by Design<br/><br />
What is needed to implement a 'Secure Development Life Cycle' within Sogeti Nederland? The speaker started a project called 'Security by Design' in march 2006 implementing a SDLC at Sogeti Nederland.<br/><br />
In his presentation, the speaker will share his technical and organizational experiences that he gained with the still ongoing implementation.<br/><br />
<br/><br />
About the speaker<br/><br />
Martin Knobloch has more than 8 years experience in design and development of J2EE applications for customers in various sectors of the market. In September 2003 Martin Knobloch started working for Sogeti Nederland, where he does the design, development and review of J2EE applications and architectures.<br/><br />
From this background, Martin Knobloch experienced the threats of insecure software firsthand. In march 2006, Martin Knobloch started implementing a SDLC within Sogeti Nederland.<br/><br />
<br/><br />
Panel discussion<br/><br />
The panel members are:<br/><br />
Henk van der Heijden, Managing Director - Comsec Consulting B.V.<br/><br />
Dr.ir. Mario de Boer, Security Consultant - LogicaCMG<br/><br />
Martin Knobloch, Senior Technologie Specialist - Sogeti Nederland B.V.<br/><br />
<br/><br />
In the discussion, we will try to find answers to questions like:<br/><br />
- What are the most common security practices in software development?<br/><br />
- How effective are those practices?<br/><br />
- Where do we start practicing security?<br/><br />
- What should be the most common security practices in software development?<br/><br />
- How much does security cost?<br/><br />
- How does the Systems Security Engineering Capability Maturity Model (SSE-CMM) fit in?<br/><br />
<br/><br />
If you want to attend send an email to owasp@irc2.com.<br/><br />
<br/><br />
All OWASP chapter meetings are free, there are never vendor pitches or sales presentations at OWASP meetings.<br/><br />
<br/><br />
NOTE TO CISSP’s: OWASP Meetings count towards CPE Credits.<br/><br />
<br />
== OWASP Netherlands meeting minutes ==<br />
<br />
On 9 march, the second meeting of OWASP Netherlands local chapter took place. GetronicsPinkRoccade provided the venue, in their luxury conference centre: Connection I.<br/><br />
<br/><br />
Agenda:<br/><br />
18.00 - 18.45 Check-In (bread & drinks)<br/><br />
18.45 - 19.00 Opening<br/><br />
19.00 - 20.00 Improving Security in the Application Development Life-cycle, Migchiel de Jong<br/><br />
20.00 - 20.15 Coffee break<br/><br />
20.15 - 22.00 Form focus groups<br/><br />
<br/><br />
The presentation of Migchiel de Jong was found very interesting by the audience. At the end of his presentation, he demonstrated a static code analysis of the OWASP webgoat application.<br/><br />
<br/><br />
After the coffee break, the attendances started discussing about the largest common topics of interest in the web application security field, in relation to the OWASP Netherlands chapter. As a result, the following focus groups are formed:<br/><br />
<br/><br />
Testing<br/><br />
The current OWASP Testing project and the Open Source Security Testing Methodology Manual of ISECOM, provide guidelines and best practices for testers. These guidelines can be used to formalize a standard structure and a set of minimum requirements for a security test. Clients could ask a tester to adhere to these guidelines.<br/><br />
A second idea is to standardize the testing results management report. In practice, testing could result in piles of paper with all the findings. The real value is reporting it in a usable way. For example: mapping technical findings to business risks.<br/><br />
<br/><br />
Frans v. Buul<br/><br />
Peter Gouwentak<br/><br />
Arthur Donkers<br/><br />
Eelco Klaver<br/><br />
Migchiel de Jong<br/><br />
Mario de Boer<br/><br />
<br/><br />
First focus group meeting: Monday 27 march, 18:00h, PwC Utrecht<br/><br />
<br/><br />
<br/><br />
Public Relations<br/><br />
This focus group will try to make business aware of the security impact that developing, hosting and using web applications has. What OWASP is and how OWASP can help. This can be done by giving presentations, writing papers and articles, word of mouth, etc. etc.<br/><br />
<br/><br />
Remco Bakker<br/><br />
Ronald Eygendaal<br/><br />
Bas van Vossen<br/><br />
Edwin van Vliet<br/><br />
Eelco Klaver<br/><br />
<br/><br />
First presentation of OWASP materials: Edwin van Vliet, TestNet - Voorjaarsevenement, 5 april<br/><br />
First focus group meeting: To be planned!<br/><br />
<br/><br />
<br/><br />
Education<br/><br />
OWASP and universities/schools could benefit from working together. For example:<br/><br />
- OWASP provides lot's of materials usable in colleges.<br/><br />
- Develop OWASP training course.<br/><br />
- Students can participate in OWASP projects<br/><br />
- OWASP can provide a platform for supporting research. Such as thesis projects, etc.<br/><br />
- OWASP representatives could provide guest colleges.<br/><br />
<br/><br />
Ronald Eygendaal<br/><br />
Erik Poll<br/><br />
Bas van Vossen<br/><br />
Edwin van Vliet<br/><br />
<br/><br />
First focus group meeting: To be planned!<br/><br />
<br/><br />
The presentation is available here:<br/><br />
[[Media:OWASP_NL_Fortify_Software.pdf]]<br/><br />
<br />
== Meeting March 9th 2007: Second meeting of the OWASP Netherlands local chapter! ==<br />
<br />
In this second meeting focus groups are to be formed, to discuss common problems, develop and research common solutions in a vendor neutral environment. So this is a very good opportunity to get in contact with others, to exchange knowledge and experiences on specific topics.<br/><br />
<br/><br />
For every focus group the following questions has to be answered:<br/><br />
1. Which specific topic is to be addressed?<br/><br />
2. What are the deliverables?<br/><br />
3. What is the relation to OWASP? (Current projects, materials, expertise and knowledge interchange, etc.)<br/><br />
4. Who is the central contact of the subgroup?<br/><br />
<br/><br />
It would be nice to have a bigger and more diverse group, compared to the first meeting. So let's recall: "Please, bring at least one friend, next time." And don't hesitate to send this announcement to everybody who may be interested!<br/><br />
<br/><br />
We thank Getronics PinkRoccade for offering us a venue:<br/><br />
Getronics PinkRoccade<br/><br />
Fauststraat 1<br/><br />
7323 BA Apeldoorn <br/><br />
<br/><br />
The agenda:<br/><br />
18.00 - 18.30 Check-In<br/><br />
18.30 - 18.45 Opening<br/><br />
18.45 - 19.30 Improving Security in the Application Development Life-cycle, Migchiel de Jong<br/><br />
19.30 - 20.00 Collecting focus group initiatives<br/><br />
19.45 - 20.00 Coffee break<br/><br />
20.00 - 21.00 Form focus groups<br/><br />
<br/><br />
Presentation Abstract<br/><br />
Rather than spending large amounts of time and money on proving that we have security vulnerabilities after programs go into production, companies should go to the source and correct vulnerabilities as early as possible in the development stage. It is unquestionably faster, simpler, and cheaper for developers to correct vulnerabilities as they build programs.<br/><br />
But how can development management ensure that developers focus on security when there is no time or budget for security at the development stage? Even with the correct focus, how can they learn what to look for? How can they stay ahead of the dedicated and resourceful hacker?<br/><br />
The answer is effective processes and better tools. With advanced software security tools, a developer can pinpoint vulnerabilities in a matter of seconds — the same vulnerabilities that would take a hacker or manual code reviewer weeks or even months to find. These same tools can give development and information security managers useful metrics on application vulnerabilities before they are released into deployment.<br/><br />
This talk will walk through the Application Development Life-Cycle and discuss how tools can help come to grips with software security issues in a particular phase.<br/><br />
<br/><br />
About the presenter<br/><br />
Migchiel de Jong has developed hardware and software for 10 years before joining Rational Software. During the 5 years at Rational Software (later acquired by IBM) he was involved in many software development process improvement projects. Currently Migchiel de Jong is working at Fortify Software, Palo Alto, California, as a software security engineer.<br/><br />
<br/><br />
If you want to attend send an email to owasp@irc2.nl. Please don't wait, 9 march is not that long anymore!<br/><br />
<br/><br />
All OWASP chapter meetings are free, there are never vendor pitches or sales presentations at OWASP meetings.<br/><br />
<br/><br />
NOTE TO CISSP’s: OWASP Meetings count towards CPE Credits.<br/><br />
<br />
== OWASP Netherlands kick-off meeting minutes ==<br />
<br />
On 17 November, OWASP Netherlands had it's first meeting. We moved to a bigger location, the Mercure hotel in Nieuwegein, to host all the 35 attendees.<br/><br />
<br/><br />
The agenda:<br/><br />
18.00 - 18.30 Check-In (bread & drinks)<br/><br />
18.30 - 18.45 Chapter opening<br/><br />
18.45 - 19.30 Presentation - 'Top tien web applicatie kwetsbaarheden in J2EE', Eelco Klaver<br/><br />
19.30 - 19.45 Presentation - 'Veilige webapplicaties boven alles', Mike Wardi<br/><br />
19.45 - 20.00 Coffee break<br/><br />
20.00 - 21.00 Discussion - About the OWASP Netherlands local chapter<br/><br />
<br/><br />
The discussion took place in a 'round table' session, where all attendees were able to take part. The focus of the discussion was how to give the OWASP Netherlands local chapter additional value, next to the OWASP project. What the goals and tasks will be. And which actions will have to be taken at short term.<br/><br />
Different people have interest in different subjects. In general meetings there is no time to address all subjects and address them specific enough. Therefore subgroups can be formed, focusing on specific topics. They can have their own communication channel and meetings, but should keep close contact with the OWASP body.<br/><br />
<br/><br />
An inventarisation:<br/><br />
<br/><br />
Discussion Topics<br/><br />
- Awareness: writing articles, press publications, interviews<br/><br />
- Education: contact universities, schools and their common boards. Develop and gather education materials.<br/><br />
- General: discuss ideas for OWASP NL<br/><br />
<br/><br />
Focusgroup Topics<br/><br />
- (dutch) metrics project<br/><br />
- (dutch) legal project<br/><br />
- standard framework for pentest reports<br/><br />
- safe outsourcing<br/><br />
<br/><br />
Actions that should be taken on short term are:<br/><br />
- provide communication channels<br/><br />
- plan next (sub)meetings<br/><br />
- start discussions and focusgroups<br/><br />
<br/><br />
The presentations are available here:<br/><br />
<br/><br />
[[Media:OWASP_NL_Top_Ten_Web_Application_Vulnerabilities_in_J2EE.pdf]]<br/><br />
[[Media:OWASP_NL_Veilige_Web_App_Boven_Alles.pdf]]<br/><br />
<br />
== You are welcome to the OWASP Netherlands local chapter kick-off meeting! ==<br />
<br />
Thursday, November 17th (2005) at 18.00h.<br/><br />
<br/><br />
ATTENTION! Because of the large amount of attendees, the location has changed:<br/><br />
<br/><br />
Hotel Mercure Utrecht/Nieuwegein<br/><br />
Buizerdlaan 10<br/><br />
3435 SB NIEUWEGEIN<br/><br />
Tel: 00 31 (0) 30 60 84 122<br/><br />
Fax: 00 31 (0) 30 60 38 374<br/><br />
<br/><br />
This first meeting will be an introduction to the OWASP. A constructive discussion will be held about the actual form of the OWASP Netherlands local chapter.<br/><br />
<br/><br />
The agenda:<br/><br />
18.00 - 18.30 Check-In (bread & drinks)<br/><br />
18.30 - 18.45 Chapter opening<br/><br />
18.45 - 19.30 Presentation - 'Top tien web applicatie kwetsbaarheden in J2EE', Eelco Klaver<br/><br />
19.30 - 19.45 Presentation - 'Veilige webapplicaties boven alles', Mike Wardi<br/><br />
19.45 - 20.00 Coffee break<br/><br />
20.00 - 21.00 Discussion - About the OWASP Netherlands local chapter<br/><br />
<br/><br />
About the presenters<br/><br />
<br/><br />
Eelco Klaver<br/><br />
Eelco Klaver is a senior consultant for Xebia IT Architects, since 2003. Doing software reviews, security audits and giving security workshops are part of his job. He has almost 10 years experience with developing enterprise applications in J2EE for different employees. At the moment, Eelco is the front man of the security business unit for Xebia, focussing on the security aspects of enterprise applications build on J2EE.<br/><br />
<br/><br />
Mike Wardi<br/><br />
Mike Wardi is an internet application manager for a financial institute. He's responsible for the safety of internet applications provided to customers and the implementation of the security policies in software developement.<br/><br />
<br/><br />
<br/><br />
If you want to attend, please send an email to owasp-nl@ascure.com or the mailing list.<br/><br />
<br/><br />
All OWASP chapter meetings are free! There are never vendor pitches or sales presentations at OWASP meetings.<br/><br />
<br/><br />
NOTE TO CISSP’s: OWASP Meetings count towards CPE Credits.<br/><br />
<br/></div>Dvsteinhttps://wiki.owasp.org/index.php?title=Netherlands&diff=46556Netherlands2008-11-19T16:57:20Z<p>Dvstein: /* Meeting December 20th 2007: Secure Development */</p>
<hr />
<div>{{Chapter Template|chaptername=Netherlands|extra=The chapter leader is [mailto:owasp@irc2.nl Bert Koelewijn]<br />
<paypal>Netherlands</paypal><br />
|mailinglistsite=http://lists.owasp.org/mailman/listinfo/owasp-netherlands|emailarchives=http://lists.owasp.org/pipermail/owasp-netherlands}}<br />
<br />
== Meeting schedule 2008 ==<br />
This is an overview of the 2008 local chapter meeting schedule. Details of the meetings can be found in the announcements that will be posted below this schedule.<br />
<pre><br />
March 26th<br />
----------<br />
Time : 17.30 - 21.30<br />
Main Topic : Software Vulnerability assessment<br />
Presentations: Complex(ity) matters, Mario de Boer (Dutch)<br />
V.A.C. SQL injection, Marinus Kuivenhoven (Dutch)<br />
Secure Programming with Static Analysis, Brian Chess (English) <br />
Location : Mercure Utrecht Nieuwegein, Buizerdlaan 10, 3435 SB Nieuwegein<br />
Sponsor : Fortify Software<br />
<br />
Oktober 27th<br />
----------<br />
Time : 17.30 - 21.30<br />
Main Topic : Privacy and the Internet<br />
Presentations: Privacy and Internet (Dutch), Frank Fruijthoff and Ellen Hoving<br />
Vulnerability and source code scanners. (Dutch) Emile Strijbos <br />
Location : ps_testware B.V., Dorpsstraat 26, 3941 JM DOORN<br />
Sponsor : ps_testware B.V.<br />
</pre><br />
== Meeting minutes October 27th 2008 ==<br />
<br />
At October 27th, the Dutch OWASP chapter came together at the office of the sponsor of the evening; ps_testware in Doorn. The subject of the evening was 'Privacy and the Internet’. There were 2 speakers and approximately 25 attendees.<br/><br />
<br/><br />
After a short welcome talk by both the sponsor and OWASP, Mario de Boer had an announcement about a new OWASP project; ORPRO, the Open Review Project. The goal of the project is to review Open Source Software from an independent point of view. Reviews will be done both manually and with the aid of source code analysis software provided by Fortify. The first software package to be reviewed is already available so reviewers are needed. More information can be found on the OWASP project page. [http://www.owasp.org/index.php/Category:OWASP_Open_Review_Project]<br/><br />
<br/><br />
'''First presentation:''' Privacy & the Internet presented by Frank Fruijthoff and Ellen Hoving. <br/><br />
The goal of this presentation was to show the problems in regulating privacy on the internet by law. The presentation was roughly split in 3 parts: definitions, requirements and context. <br/><br />
The main problem with regulating privacy is that the concept of privacy is very broad and not well defined. Privacy can have different meanings and consequences in different contexts. Most laws therefore focus on the individual and define privacy as 'protection of personal information' where 'personal information' is all data that can be tracked back to a single person. The last years many countries within the EU developed internet laws concerning privacy on the internet. These laws state that information can only be used what it originally was intended for and usage of that information must be reported at central register. This register also makes it possible to file a complaint and check what companies use personal information for what purposes. While these rules are mostly sufficient for local databases they often fail when applied to information stored on or with use of the internet. Problems encountered are captured in the "four D's";<br/><br />
- Internet is deterritorialized; internet has no boundaries.<br/><br />
- Internet is deregulated; internet has no law, only terms of use.<br/><br />
- Internet is dematerialized; internet is not physical.<br/><br />
- Internet is decentralized; there is no single regulating or controlling organization.<br/><br />
Although the protection of personal data is more and more covered by laws, the increasing usage of external storage and connections over the internet will make it harder to enforce them. The main conclusion of the evening was that, although many initiatives improving privacy exist, the very properties of the internet make it hard to ensure privacy completely. <br/><br />
<br/><br />
'''Second presentation:''' Vulnerability and source code scanners presented by E. Strijbos. This presentation showed the results of a research concerning the feasibility of a Web Application Security Certification by the usage of vulnerability scanners.<br/><br />
With the daily increasing amount of threads and vulnerabilities in web applications there is a market-driven demand for an independent and automated scan service. Current scan services often lack coverage and depth of scanning and give no details about the used scanning methods.<br/><br />
In this research several commercial vulnerability scanners and static analysis tools were compared and checked for scantime, accuracy, false positives, and ease of use. The results showed that almost all scanners find most of the vulnerabilities, but also produce many false positives. Also, without proper configuration the amount of results can be overwhelming and inconclusive. Furthermore results showed that static analysis scanners are much faster than vulnerability scanners, but have a more limited usage. The main conclusion was that although vulnerability scanners and static analysis tools can be very helpful in identifying vulnerabilities, their current efficiency is not high enough to use as the basis for an automated vulnerability scan.<br/><br />
<br />
== Meeting October 27th 2008: Privacy and the Internet ==<br />
'''Summary'''<br/><br />
The main goal of the upcoming OWASP-NL meeting is to provide information to developers and security professionals about personal and technical privacy on the internet. The speakers focus on privacy regulations related to the internet and on the mass amount of personal and technical information available about persons and companies on the internet, with and without their consent. Furthermore tools will be discussed that help prevent leakage of privacy related and other kind of data. They will give specific examples and there will be time to ask questions.<br/><br />
Please register before October 20th because of the necessary catering arrangements.<br/><br />
<br/><br />
'''Location'''<br/><br />
The location and catering is provided by the sponsor of this meeting:<br/><br />
<table><br />
<tr><br />
<td width="350"><br />
ps_testware B.V.<br/><br />
Dorpsstraat 26,<br/><br />
3941 JM DOORN<br/><br />
</td><br />
<td width="350"><br />
[[Image:Pstestware.jpg|100px]]<br />
</td><br />
</tr><br />
<tr><br />
<td width="350"><br />
The location has parking facilities for 15 cars. However parking in the direct vicinity of ps_testware shouldn’t be a problem.<br/><br />
</td><br />
<td width="350"><br />
ps_testware delivers services related to software testing and software quality. In the field of software development, quality, time-to-market, business processes and software acceptance they play the role of "your devil's advocate" as an independent, flexible and specialized partner.<br/><br />
For more information please visit: www.pstestware.com.<br/><br />
</td><br />
</tr><br />
</table><br />
<br/><br />
<br/><br />
'''Program'''<br/><br />
17.30 - 18.30 '''Check-In''' (catering included)<br/><br />
<br/><br />
18.30 – 19:00 '''Introduction''' (OWASP organization, projects, sponsor)<br/><br />
<br/><br />
19.00 - 20.15 '''Privacy and Internet''' (Dutch), Frank Fruijthoff and Ellen Hoving<br/><br />
In this presentation the general principles of privacy laws in the Netherlands and the EU and specifically privacy and the internet will be covered.<br/><br />
Frank Fruijthoff is a Compliance Officer with ING. He has a Compliance and Risk Management background and is specialised in privacy.<br/><br />
Ellen Hoving is a graduated lawyer. She works as an independent consultant specialized in compliance and privacy.<br/><br />
<br/><br />
20.15 – 20:30 '''Break'''<br/><br />
<br/><br />
20:30 – 21:00 '''Vulnerability and source code scanners''' (Dutch), Emile Strijbos<br />
<br/><br />
For his Master thesis in computer science at the Radboud Universiteit in Nijmegen, Emile Strijbos investigated vulnerability scanners and source code scanners. These are automated tools that try to detect security flaws, either in running web-applications or in their source code.<br/><br />
Emile tried out several of these tools, including both free and commercial ones, to see how good they are at detecting standard vulnerabilities, such as SQL injection, XSS, CSRF, etc.<br/><br />
<br/><br />
21.00 – 21:30 '''Discussion, questions and social'''<br/><br />
<br/><br />
If you want to attend, please send an email to: owasp@irc2.com.<br><br />
Please register before October 20th, because of the necessary catering arrangements. The number of registries is limited to 50 due to the capacity of the location and will be handled in order of receipt.<br/><br />
<br/><br />
All OWASP chapter meetings are free of charge and you don’t have to be an OWASP member to attend. There are never any vendor pitches or sales presentations at OWASP meetings.<br/><br />
<br/><br />
NOTE TO CISSP's: OWASP Meetings count towards CPE Credits.<br/><br />
<br/><br />
The announcement and full descriptions can be found here:<br/><br />
[[Media:Announcement_27_Oktober.pdf]]<br/><br />
<br />
== Meeting minutes March 23th 2008 ==<br />
<br />
At March 23th, the Dutch OWASP chapter came together in the Mercury hotel in Nieuwegein. The meeting was sponsored by Fortify Software. The subject of the evening was 'Software Vulnerability Assesment’. There were 3 speakers and approximately 40 attendees.<br/><br />
<br/><br />
After a short introduction of Migchiel de Jong (Fortify) about the subject of Static and Dynamic Analysis and the tools that Fortify provides the speakers of the evening where introduced.<br/><br />
<br/><br />
'''First presentation:''' Practices of Complex(ity) matters (Dutch), Mario de Boer<br/><br />
Mario de Boer has spent much of his free time the last 16 years into disassembling various pieces of software and analyzing the code and its statistics. The main advantage in analyzing binaries is that no access to source code is needed, all dependencies (i.e. the compiler) are included and it’s independent of the tool used. Disassembling compiled code gives great insight in the complexity of the software and the entry and exit points of data. Although there is no direct relation between the complexity of software and its security, statistically the most vulnerabilities appear in the most complex portions of a program. Data entry points in complex portions of the code can give rise to possible exploits so static analysis can give insight in the most vulnerable places in software which is useful information in testing.<br />
The disadvantages of static analysis are that an extensive knowledge of assembly is needed and, due to its statistic nature, it gives rise to many false positives. <br />
In conclusion static binary analysis, when used by experts, can be a powerful tool to gain insight in the most vulnerable parts of the software and be a valuable tool in both developing and testing software. <br/><br />
<br/><br />
'''Second presentation:''' V.A.C: SQL injection (Dutch), Marinus Kuivenhoven<br/><br />
A new reoccurring topic on OWASP presentations will be the so called VAC. In these presentations an expert will talk about a Vulnerability, how to Assess it and possible Countermeasures. This evening Marinus started with the second vulnerability in the OWASP top ten; SQL injections.<br/><br />
With the aid of Webgoat, a few simple examples and the possible consequences were shown. SQL injection is particularly useful exploit in the reconnaissance phase since it can be abused for information leakage and in getting information about e.g. the table structure. <br/><br />
On the internet and in literature many countermeasures against SQL injections are described. However, many of these countermeasures are not usable in a maintainable system or cannot prevent SQL injections completely. The most important conclusion was that input should never be trusted and should never be directly used.<br/><br />
<br/><br />
'''Third presentation:''' Secure Programming with Static Analysis (English), Brian Chess<br/><br />
The last speaker of the evening was Brian Chess who presented his new book ‘Secure Programming with Static Analysis’. Brian made clear that, although a powerful tool, static binary analysis is already too late in the SDLC to be successful in preventing vulnerabilities. Scanning for possible vulnerabilities should be implemented as early as possible i.e. during coding. The main advantages of static analysis are the cost and speed. Since errors and bad practices are identified in an early stage they can be solved at the spot, making auditing the software more efficient in term of time and depth. <br/><br />
Static analysis can successfully be used for style and type checking, program understanding and verification, and for security reviews. The success of static analysis, however, is fully depending on the rules implemented in the scanner. Static analysis is also unable to identify design flaws, right problems, or wrong user input. <br/><br />
The conclusion was that scanning for vulnerabilities can probably only be successful with the aid of static analysis, but many requirements should be met. Firstly it should become part of the SDLC and culture. Secondly the right tool should be picked and people should be trained in its use. Lastly investments should be made in building up a good rule set and metrics. <br/><br />
<br />
== Meeting March 26th 2008: Software Vulnerability assessment ==<br />
'''Summary'''<br/><br />
The main goal of the upcoming OWASP-NL meeting is to provide information to developers and security professionals involved in creating secure (web-)applications. The main focus will be on software vulnerability assessment. The speakers will give specific examples and of course there is time to ask questions about your own experiences.<br/><br />
<br/><br />
'''Location'''<br/><br />
The location and catering is provided by the sponsor of this meeting:<br/><br />
<table><br />
<tr><br />
<td width="350"><br />
Mercure Utrecht Nieuwegein<br/><br />
Buizerdlaan 10,<br/><br />
3435 SB Nieuwegein<br/><br />
</td><br />
<td width="350"><br />
[[Image:Fortify.JPG|143px]]<br />
</td><br />
</tr><br />
<tr><br />
<td width="350"><br />
</td><br />
<td width="350"><br />
Fortify Software products protect companies from today’s greatest security risk: the software applications that run their businesses. Combining deep application security expertise with extensive software development experience, Fortify Software has defined the market with award-winning products that span the software development cycle. Today, Fortify Software fortifies the software for the most demanding customer deployments, including the world’s largest, most varied code bases.<br/><br />
<br/><br />
For more information please visit:<br/><br />
www.fortify.com<br/><br />
</td><br />
</tr><br />
</table><br />
<br/><br />
<br/><br />
'''Program'''<br/><br />
17.30 - 18.30 '''Check-In''' (catering included)<br/><br />
<br/><br />
18.30 - 18:50 '''Introduction''' (OWASP, sponsor)<br/><br />
<br/><br />
18.50 - 19.30 '''Complex(ity) matters''' (Dutch), Mario de Boer<br/><br />
Various methods exist to locate specific vulnerabilities in software. In the presentation we will look at static analysis of binaries, and the problems we face when trying to locate vulnerabilities. Several ideas will be discussed to make the search easier, but at the same time less exact. The first idea is trivial: automate as much as possible. The second idea is nearly trivial: don't aim at exact vulnerabilities but relax the search to locating potential vulnerabilities. We will give examples that illustrate the results.<br/><br />
Mario de Boer is a senior security consultant at Logica, and as such focuses on security management aspects like security frameworks, compliance, monitoring and control and risk management. Before joining Logica, Mario worked at the Dutch ministries of Defense and Justice, he co-founded a security company and worked as a project manager in the financial sector. For several years he taught courses in software security analysis and secure software development. Besides security management, Mario has interest in software security, reverse engineering and cryptography. Within Logica Netherlands, he is knowledge manager application security. Mario holds a PhD in Mathematics and is CISA and CISSP.<br/><br />
<br/><br />
19.30 - 19:50 '''Break'''<br/><br />
<br/><br />
19:50 - 20:20 '''V.A.C: SQL injection''' (Dutch), Marinus Kuivenhoven<br />
<br/><br />
<u>'''V'''ulnerability:</u><br/><br />
An application which uses a database for its information needs, communicates with it trough SQL. SQL injection is an attack in which malicious code is inserted into strings that are later passed to an instance of a Database for parsing and execution.<br/><br />
<u>'''A'''ssessment:</u><br/><br />
SQL injection can threaten the confidentiality, availability and integrity of the data. The various types of SQL injection and their impact will be shown.<br/><br />
<u>'''C'''ountermeasure:</u><br/><br />
Any procedure that constructs SQL statements should be reviewed for injection vulnerabilities because a database will execute all syntactically valid queries that it receives. How this should be done will be shown for the most popular languages.<br/><br />
Marinus is a Technology Specialist with Sogeti Nederland B.V. specializing in service oriented architectures and secure application development. His experience includes developing and administrating Oracle-based systems.<br/><br />
<br/><br />
20.20 - 21.00 '''Secure Programming with Static Analysis''' (English), Brian Chess<br/><br />
Creating secure code requires more than just good intentions. Programmers need to know how to make their code safe in an almost infinite number of scenarios and configurations. Static source code analysis gives users the ability to review their work with a fine tooth comb and uncover the kinds of errors that lead directly to vulnerabilities. This talk frames the software security problem and shows how static analysis is part of the solution. We will look at how static analysis works, how to integrate it into the software development processes, and how to make the most of it during security code review. Along the way we'll look at examples taken from real-world security incidents, showing how coding errors are exploited, how they could have been prevented, and how static analysis can rapidly uncover similar errors.<br/><br />
Brian Chess is a founder of Fortify Software and serves as Fortify's Chief Scientist, where his work focuses on practical methods for creating secure systems. His book, Secure Programming with Static Analysis, shows how static source code analysis is an indispensable tool for getting security right. Brian holds a Ph.D. in computer engineering from the University of California at Santa Cruz, where he studied the application of static analysis to the problem of finding security-relevant defects in source code. Before settling on security, Brian spent a decade in Silicon Valley working at huge companies and small startups. He has done research on a broad set of topics, ranging from integrated circuit design all the way to delivering software as a service.<br/><br />
<br/><br />
21.00 - 21:30 '''Discussion, questions and social'''<br/><br />
<br/><br />
'''Registration'''<br/><br />
If you want to attend, please send an email to: owasp@irc2.com.<br/><br />
<br/><br />
All OWASP chapter meetings are free of charge and you don’t have to be an OWASP member to attend. There are never any vendor pitches or sales presentations at OWASP meetings.<br/><br />
<br/><br />
NOTE TO CISSP's: OWASP Meetings count towards CPE Credits.<br/><br />
<br/><br />
<br />
== Meeting minutes December 20th 2007 ==<br />
<br />
At December 20th, the Dutch OWASP chapter came together at the office of ps_testware located in Doorn. The subject of the evening was 'creating secure (web)applications. There were 3 speakers and close to 30 attendees <br/><br />
<br/><br />
'''First presentation:''' Practices of developing optimal security (dutch), Andre Post<br/><br />
Andre talked from his rich experience as software auditor and code reviewer. Based on his experience he stated that developing good, secure software can only be done with developers with the right set of mind. Security should not be tested into the software, but should be a natural thing for developers to develop into the software. For this you need developers who know by heart when security flaws start to exist and how to prevent them. Developers with the necessary experience are rare and often developer teams do not have the right expertise for developing secure software. The most important conclusion of his speech was that secure software starts with security aware developers.<br/><br />
<br/><br />
'''Second presentation:''' Problems of developing secure and correct applications (dutch), Erik Poll<br/><br />
Erik Poll stated that besides having developers who are aware of security, you should also have developers that now the limitations and inherent security leaks of the used language. One of the problems is that many developers are not taught the inherent security holes in programming languages during their education. <br/><br />
Another problem is that software is often made secure for the wrong reasons. At this moment only two reasons appear to be the drive behind developing secure software: economics and laws. Security is mostly of secondary concern and as such will only be implemented at minimum requirements. Bad examples of big companies who develop insecure software and still be successful even further restrict the demand for secure software.<br/><br />
On the positive side many developers make the same mistakes so testing for common security holes can easily be done with checklists and validation tools. These validation tools can be made more successful with the use of metatags in the code.<br/><br />
Erik concluded his speech that improving the secureness of software can only be achieved when there is commitment, the knowledge is available and software is developed and implemented with a secure mind. <br/><br />
<br/><br />
'''Third presentation:''' Protecting Web services and Web applications against security threats, Rix Groenboom<br/><br />
The third presentation was about a problem which probably will become bigger and bigger the coming years. Although security might be in the scope when developing software at this moment, it certainly was not a requirement 20 or more years ago. Despite their intrinsic insecureness, these systems are connected more and more to the world wide web to meet de demands for online availability. This imposes a major security risk which will become more evident in the years to come and might become bigger than the Y2K problem. Unlike modern software, these applications can only be made secure enough by using advanced testing strategies combined with the use of test-tools and thorough regression tests. Testing alone however is not enough; to accomplish maximum secureness all connections to these systems should be based on a 'deny unless' instead of an 'allow unless' basis. <br/><br />
The conclusion of Rix's talk was that old systems connected to new interfaces should be treated as insecure and all possible precautions should be taken to achieve an acceptable level of secureness.<br/><br />
<br />
== Meeting December 20th 2007: Secure Development ==<br />
'''Summary'''<br/><br />
The main goal of the upcoming OWASP-NL meeting is to provide information to developers and security professionals involved in creating secure (web-)applications. The general and specific security issues involved on project and programming level will be covered from a practical as well as a theoretical point of view. The speakers will give specific examples and of course there is time to ask questions about your own experiences.<br/><br />
Please register before December the 14th because of the necessary catering arrangements.<br/><br />
<br/><br />
'''Location'''<br/><br />
The location and catering is provided by the sponsor of this meeting:<br/><br />
<table><br />
<tr><br />
<td width="350"><br />
ps_testware B.V.<br/><br />
Dorpsstraat 26,<br/><br />
3941 JM DOORN<br/><br />
</td><br />
<td width="350"><br />
[[Image:Pstestware.jpg|100px]]<br />
</td><br />
</tr><br />
<tr><br />
<td width="350"><br />
The location has parking facilities for 15 cars. However parking in the direct vicinity of ps_testware shouldn’t be a problem.<br/><br />
</td><br />
<td width="350"><br />
ps_testware delivers services related to software testing and software quality. In the field of software development, quality, time-to-market, business processes and software acceptance they play the role of "your devil's advocate" as an independent, flexible and specialized partner.<br/><br />
For more information please visit: www.pstestware.com.<br/><br />
</td><br />
</tr><br />
</table><br />
<br/><br />
<br/><br />
'''Program'''<br/><br />
17.30 - 18.30 '''Check-In''' (catering included)<br/><br />
<br/><br />
18.30 – 19:00 '''Introduction''' (OWASP organization, projects, sponsor)<br/><br />
<br/><br />
19.00 - 19.30 '''Practices of developing optimal security''' (dutch), Andre Post<br/><br />
This presentation highlights a number of current practices that lead to sub-optimal security, and suggests ways of avoiding these problems, focusing on the technical side of development.<br/><br />
André Post works for Fox-IT on a variety of projects including core product development, software architecting, security code reviews, and software project management.<br/><br />
<br/><br />
19.30 – 19:45 '''Break'''<br/><br />
<br/><br />
19:45 – 20:30 '''Problems of developing secure and correct applications''' (dutch), Erik Poll [http://www.cs.ru.nl/~erikpoll/talks/OWASP2007.pdf (slides of the presentation)]<br />
<br/><br />
This presentation will discuss different possibilities to improve software security. The problem of getting time and money available to be spend on security, not only for developing applications, but also for developing programming languages, will be raised.<br/><br />
Erik Poll is head of the Security of Systems (SoS) group at the Radboud University of Nijmegen. His research does focus on the security and correctness of software.<br/><br />
<br/><br />
20.30 - 21.00 '''Protecting Web services and Web applications against security threats''' (dutch), Rix Groenboom<br/><br />
During this session, Rix will explore how to implement development and security best practices in the code to make sure that your webservices and applications perform solidly when they are being hacked or used in malicious ways.<br/><br />
Rix Groenboom supports fortune 2000 companies in field automated software error prevention and correction for Parasoft. His main area of expertise is in the use of formal languages for the specification, design and validation of software applications.<br/><br />
<br/><br />
21.00 – 21:30 '''Discussion, questions and social'''<br/><br />
<br/><br />
All OWASP chapter meetings are free of charge and you don’t have to be an OWASP member to attend. There are never any vendor pitches or sales presentations at OWASP meetings.<br/><br />
<br/><br />
NOTE TO CISSP's: OWASP Meetings count towards CPE Credits.<br/><br />
<br/><br />
The announcement and full descriptions can be found here:<br/><br />
[[Media:Announcement_20_December.pdf]]<br/><br />
[[Media:Announcement_20_December_2.pdf]]<br/><br />
<br />
== Meeting September 13th: putting initiatives into practice ==<br />
<br />
The main goal of the next OWASP meeting is finding a way to put initiatives and all offered help into a form of structural benefit for the OWASP Netherlands local chapter. As a starting point for the discussion, examples will be taken from other European chapters and input delivered by discussions that take place on the mailing list is considered too. Let this be a call to put your ideas on the mailing list before the next meeting!<br/><br />
<br/><br />
The location is provided by the sponsor of this meeting:<br/><br />
Comsec Consulting BV<br/><br />
Rivium Boulevard 102<br/><br />
2909LK Capelle aan den IJssel<br/><br />
<br/><br />
The agenda:<br/><br />
18.00 - 18.30 Check-In (catering included)<br/><br />
18.30 - 18.45 OWASP update, Bert Koelewijn<br/><br />
18.45 - 19.15 Security Best Practices for .NET, Boaz Shunami<br/><br />
19.15 - 20.00 Discussion: collecting ideas and initiatives<br/><br />
20.00 - 20.15 Coffee break<br/><br />
20.15 - 21.00 Discussion: how to enable community commitment<br/><br />
21.00 - 21.30 Closing discussion and coffee<br/><br />
<br/><br />
Boaz Shunami<br/><br />
Boaz is manager of the Application Security department of Comsec Europe. He has 11 years of experience in the IT Security field, and a large part of them in Application Security.<br/><br />
Boaz did numerous application security audits in very large organizations and is recognized as one of the greatest expert’s world wide. Boaz' expertise is broad, but especially in-depth for the .NET platform.<br/><br />
<br/><br />
Discussion input (until now)<br/><br />
- division of local chapter work load by multiple people<br/><br />
- collaboration with other organizations<br/><br />
<br/><br />
If you want to attend send an email to owasp@irc2.com.<br/><br />
<br/><br />
All OWASP chapter meetings are free, there are never vendor pitches or sales presentations at OWASP meetings.<br/><br />
<br/><br />
NOTE TO CISSP's: OWASP Meetings count towards CPE Credits.<br/><br />
<br />
== Meeting minutes Januar 11th 2007 ==<br />
<br />
January 11th, the Dutch OWASP chapter came together at the office of Sogeti Netherlands. Subject of the evening was 'putting software security into practice'. The group was small but select.<br/><br />
<br/><br />
The agenda:<br/><br />
18.00 - 18.30 Check-In (catering included)<br/><br />
18.30 - 18.45 Sponsor opening<br/><br />
18.45 - 19.00 OWASP update, Bert Koelewijn<br/><br />
19.00 - 19.30 Implementation of Security by Design, Martin Knobloch<br/><br />
19.30 - 19.45 Panel introduction<br/><br />
19.45 - 20.00 Coffee break<br/><br />
20.00 - 21.30 Panel discussion<br/><br />
<br/><br />
After being welcomed by Frank Langeveld from Sogeti and Bert Koelewijn, Dutch chapter leader, the evening started with the presentation 'Security By Design'. During the presentation Martin Knobloch told about his experiences during the implementation of the Secure Development Life Cycle in a company like Sogeti Nederland B.V.<br/><br />
<br/><br />
The presentation is available here:<br/><br />
[[Media:Implementation_of_Security_by_Design.ppt]]<br/><br />
<br/><br />
After a small break, the panel discussion started with the following panel: Henk van der Heijden - Comsec Consulting, Dr.ir. Mario de Boer - LogicaCMG and Martin Knobloch - Sogeti Nederland.<br/><br />
During the discussion, it became clear people are struggling to get the Secure Development Life Cycle implemented in their company. The various experiences were shared with the panel and the others. Company typical problems and common misunderstandings about Software security where brought up.<br/><br />
The consensus of the discussion was that the main problem lies in the lack of security awareness and knowledge of the managers and the developers. And this of course is exactly where OWASP comes in…<br/><br />
<br/><br />
<br />
== Meeting Januar 11th 2007 ==<br />
<br />
The OWASP meeting of 11 January is about putting software security into practice. A lot of books, standards, organizations and consultants tell us how we should develop secure software. But which methods and measures are commonly adopted and which are not and why?<br/><br />
This will be the main focus of the discussion that we will have with a panel of people that experienced implementing software security in the field.<br/><br />
<br/><br />
The location is provided by the sponsor of this meeting:<br/><br />
Sogeti Nederland B.V.<br/><br />
"La Charmille" building<br/><br />
Lange Dreef 17<br/><br />
4131 NJ Vianen<br/><br />
<br/><br />
The agenda:<br />
<br/><br />
18.00 - 18.30 Check-In (catering included)<br/><br />
18.30 - 18.45 Sponsor opening<br/><br />
18.45 - 19.00 OWASP update, Bert Koelewijn<br/><br />
19.00 - 19.30 Implementation of Security by Design, Martin Knobloch<br/><br />
19.30 - 19.45 Panel introduction<br/><br />
19.45 - 20.00 Coffee break<br/><br />
20.00 - 21.30 Panel discussion<br/><br />
<br/><br />
Implementation of Security by Design<br/><br />
What is needed to implement a 'Secure Development Life Cycle' within Sogeti Nederland? The speaker started a project called 'Security by Design' in march 2006 implementing a SDLC at Sogeti Nederland.<br/><br />
In his presentation, the speaker will share his technical and organizational experiences that he gained with the still ongoing implementation.<br/><br />
<br/><br />
About the speaker<br/><br />
Martin Knobloch has more than 8 years experience in design and development of J2EE applications for customers in various sectors of the market. In September 2003 Martin Knobloch started working for Sogeti Nederland, where he does the design, development and review of J2EE applications and architectures.<br/><br />
From this background, Martin Knobloch experienced the threats of insecure software firsthand. In march 2006, Martin Knobloch started implementing a SDLC within Sogeti Nederland.<br/><br />
<br/><br />
Panel discussion<br/><br />
The panel members are:<br/><br />
Henk van der Heijden, Managing Director - Comsec Consulting B.V.<br/><br />
Dr.ir. Mario de Boer, Security Consultant - LogicaCMG<br/><br />
Martin Knobloch, Senior Technologie Specialist - Sogeti Nederland B.V.<br/><br />
<br/><br />
In the discussion, we will try to find answers to questions like:<br/><br />
- What are the most common security practices in software development?<br/><br />
- How effective are those practices?<br/><br />
- Where do we start practicing security?<br/><br />
- What should be the most common security practices in software development?<br/><br />
- How much does security cost?<br/><br />
- How does the Systems Security Engineering Capability Maturity Model (SSE-CMM) fit in?<br/><br />
<br/><br />
If you want to attend send an email to owasp@irc2.com.<br/><br />
<br/><br />
All OWASP chapter meetings are free, there are never vendor pitches or sales presentations at OWASP meetings.<br/><br />
<br/><br />
NOTE TO CISSP’s: OWASP Meetings count towards CPE Credits.<br/><br />
<br />
== OWASP Netherlands meeting minutes ==<br />
<br />
On 9 march, the second meeting of OWASP Netherlands local chapter took place. GetronicsPinkRoccade provided the venue, in their luxury conference centre: Connection I.<br/><br />
<br/><br />
Agenda:<br/><br />
18.00 - 18.45 Check-In (bread & drinks)<br/><br />
18.45 - 19.00 Opening<br/><br />
19.00 - 20.00 Improving Security in the Application Development Life-cycle, Migchiel de Jong<br/><br />
20.00 - 20.15 Coffee break<br/><br />
20.15 - 22.00 Form focus groups<br/><br />
<br/><br />
The presentation of Migchiel de Jong was found very interesting by the audience. At the end of his presentation, he demonstrated a static code analysis of the OWASP webgoat application.<br/><br />
<br/><br />
After the coffee break, the attendances started discussing about the largest common topics of interest in the web application security field, in relation to the OWASP Netherlands chapter. As a result, the following focus groups are formed:<br/><br />
<br/><br />
Testing<br/><br />
The current OWASP Testing project and the Open Source Security Testing Methodology Manual of ISECOM, provide guidelines and best practices for testers. These guidelines can be used to formalize a standard structure and a set of minimum requirements for a security test. Clients could ask a tester to adhere to these guidelines.<br/><br />
A second idea is to standardize the testing results management report. In practice, testing could result in piles of paper with all the findings. The real value is reporting it in a usable way. For example: mapping technical findings to business risks.<br/><br />
<br/><br />
Frans v. Buul<br/><br />
Peter Gouwentak<br/><br />
Arthur Donkers<br/><br />
Eelco Klaver<br/><br />
Migchiel de Jong<br/><br />
Mario de Boer<br/><br />
<br/><br />
First focus group meeting: Monday 27 march, 18:00h, PwC Utrecht<br/><br />
<br/><br />
<br/><br />
Public Relations<br/><br />
This focus group will try to make business aware of the security impact that developing, hosting and using web applications has. What OWASP is and how OWASP can help. This can be done by giving presentations, writing papers and articles, word of mouth, etc. etc.<br/><br />
<br/><br />
Remco Bakker<br/><br />
Ronald Eygendaal<br/><br />
Bas van Vossen<br/><br />
Edwin van Vliet<br/><br />
Eelco Klaver<br/><br />
<br/><br />
First presentation of OWASP materials: Edwin van Vliet, TestNet - Voorjaarsevenement, 5 april<br/><br />
First focus group meeting: To be planned!<br/><br />
<br/><br />
<br/><br />
Education<br/><br />
OWASP and universities/schools could benefit from working together. For example:<br/><br />
- OWASP provides lot's of materials usable in colleges.<br/><br />
- Develop OWASP training course.<br/><br />
- Students can participate in OWASP projects<br/><br />
- OWASP can provide a platform for supporting research. Such as thesis projects, etc.<br/><br />
- OWASP representatives could provide guest colleges.<br/><br />
<br/><br />
Ronald Eygendaal<br/><br />
Erik Poll<br/><br />
Bas van Vossen<br/><br />
Edwin van Vliet<br/><br />
<br/><br />
First focus group meeting: To be planned!<br/><br />
<br/><br />
The presentation is available here:<br/><br />
[[Media:OWASP_NL_Fortify_Software.pdf]]<br/><br />
<br />
== 9 March: Second meeting of the OWASP Netherlands local chapter! ==<br />
<br />
In this second meeting focus groups are to be formed, to discuss common problems, develop and research common solutions in a vendor neutral environment. So this is a very good opportunity to get in contact with others, to exchange knowledge and experiences on specific topics.<br/><br />
<br/><br />
For every focus group the following questions has to be answered:<br/><br />
1. Which specific topic is to be addressed?<br/><br />
2. What are the deliverables?<br/><br />
3. What is the relation to OWASP? (Current projects, materials, expertise and knowledge interchange, etc.)<br/><br />
4. Who is the central contact of the subgroup?<br/><br />
<br/><br />
It would be nice to have a bigger and more diverse group, compared to the first meeting. So let's recall: "Please, bring at least one friend, next time." And don't hesitate to send this announcement to everybody who may be interested!<br/><br />
<br/><br />
We thank Getronics PinkRoccade for offering us a venue:<br/><br />
Getronics PinkRoccade<br/><br />
Fauststraat 1<br/><br />
7323 BA Apeldoorn <br/><br />
<br/><br />
The agenda:<br/><br />
18.00 - 18.30 Check-In<br/><br />
18.30 - 18.45 Opening<br/><br />
18.45 - 19.30 Improving Security in the Application Development Life-cycle, Migchiel de Jong<br/><br />
19.30 - 20.00 Collecting focus group initiatives<br/><br />
19.45 - 20.00 Coffee break<br/><br />
20.00 - 21.00 Form focus groups<br/><br />
<br/><br />
Presentation Abstract<br/><br />
Rather than spending large amounts of time and money on proving that we have security vulnerabilities after programs go into production, companies should go to the source and correct vulnerabilities as early as possible in the development stage. It is unquestionably faster, simpler, and cheaper for developers to correct vulnerabilities as they build programs.<br/><br />
But how can development management ensure that developers focus on security when there is no time or budget for security at the development stage? Even with the correct focus, how can they learn what to look for? How can they stay ahead of the dedicated and resourceful hacker?<br/><br />
The answer is effective processes and better tools. With advanced software security tools, a developer can pinpoint vulnerabilities in a matter of seconds — the same vulnerabilities that would take a hacker or manual code reviewer weeks or even months to find. These same tools can give development and information security managers useful metrics on application vulnerabilities before they are released into deployment.<br/><br />
This talk will walk through the Application Development Life-Cycle and discuss how tools can help come to grips with software security issues in a particular phase.<br/><br />
<br/><br />
About the presenter<br/><br />
Migchiel de Jong has developed hardware and software for 10 years before joining Rational Software. During the 5 years at Rational Software (later acquired by IBM) he was involved in many software development process improvement projects. Currently Migchiel de Jong is working at Fortify Software, Palo Alto, California, as a software security engineer.<br/><br />
<br/><br />
If you want to attend send an email to owasp@irc2.nl. Please don't wait, 9 march is not that long anymore!<br/><br />
<br/><br />
All OWASP chapter meetings are free, there are never vendor pitches or sales presentations at OWASP meetings.<br/><br />
<br/><br />
NOTE TO CISSP’s: OWASP Meetings count towards CPE Credits.<br/><br />
<br />
== OWASP Netherlands kick-off meeting minutes ==<br />
<br />
On 17 November, OWASP Netherlands had it's first meeting. We moved to a bigger location, the Mercure hotel in Nieuwegein, to host all the 35 attendees.<br/><br />
<br/><br />
The agenda:<br/><br />
18.00 - 18.30 Check-In (bread & drinks)<br/><br />
18.30 - 18.45 Chapter opening<br/><br />
18.45 - 19.30 Presentation - 'Top tien web applicatie kwetsbaarheden in J2EE', Eelco Klaver<br/><br />
19.30 - 19.45 Presentation - 'Veilige webapplicaties boven alles', Mike Wardi<br/><br />
19.45 - 20.00 Coffee break<br/><br />
20.00 - 21.00 Discussion - About the OWASP Netherlands local chapter<br/><br />
<br/><br />
The discussion took place in a 'round table' session, where all attendees were able to take part. The focus of the discussion was how to give the OWASP Netherlands local chapter additional value, next to the OWASP project. What the goals and tasks will be. And which actions will have to be taken at short term.<br/><br />
Different people have interest in different subjects. In general meetings there is no time to address all subjects and address them specific enough. Therefore subgroups can be formed, focusing on specific topics. They can have their own communication channel and meetings, but should keep close contact with the OWASP body.<br/><br />
<br/><br />
An inventarisation:<br/><br />
<br/><br />
Discussion Topics<br/><br />
- Awareness: writing articles, press publications, interviews<br/><br />
- Education: contact universities, schools and their common boards. Develop and gather education materials.<br/><br />
- General: discuss ideas for OWASP NL<br/><br />
<br/><br />
Focusgroup Topics<br/><br />
- (dutch) metrics project<br/><br />
- (dutch) legal project<br/><br />
- standard framework for pentest reports<br/><br />
- safe outsourcing<br/><br />
<br/><br />
Actions that should be taken on short term are:<br/><br />
- provide communication channels<br/><br />
- plan next (sub)meetings<br/><br />
- start discussions and focusgroups<br/><br />
<br/><br />
The presentations are available here:<br/><br />
<br/><br />
[[Media:OWASP_NL_Top_Ten_Web_Application_Vulnerabilities_in_J2EE.pdf]]<br/><br />
[[Media:OWASP_NL_Veilige_Web_App_Boven_Alles.pdf]]<br/><br />
<br />
== You are welcome to the OWASP Netherlands local chapter kick-off meeting! ==<br />
<br />
Thursday, November 17th (2005) at 18.00h.<br/><br />
<br/><br />
ATTENTION! Because of the large amount of attendees, the location has changed:<br/><br />
<br/><br />
Hotel Mercure Utrecht/Nieuwegein<br/><br />
Buizerdlaan 10<br/><br />
3435 SB NIEUWEGEIN<br/><br />
Tel: 00 31 (0) 30 60 84 122<br/><br />
Fax: 00 31 (0) 30 60 38 374<br/><br />
<br/><br />
This first meeting will be an introduction to the OWASP. A constructive discussion will be held about the actual form of the OWASP Netherlands local chapter.<br/><br />
<br/><br />
The agenda:<br/><br />
18.00 - 18.30 Check-In (bread & drinks)<br/><br />
18.30 - 18.45 Chapter opening<br/><br />
18.45 - 19.30 Presentation - 'Top tien web applicatie kwetsbaarheden in J2EE', Eelco Klaver<br/><br />
19.30 - 19.45 Presentation - 'Veilige webapplicaties boven alles', Mike Wardi<br/><br />
19.45 - 20.00 Coffee break<br/><br />
20.00 - 21.00 Discussion - About the OWASP Netherlands local chapter<br/><br />
<br/><br />
About the presenters<br/><br />
<br/><br />
Eelco Klaver<br/><br />
Eelco Klaver is a senior consultant for Xebia IT Architects, since 2003. Doing software reviews, security audits and giving security workshops are part of his job. He has almost 10 years experience with developing enterprise applications in J2EE for different employees. At the moment, Eelco is the front man of the security business unit for Xebia, focussing on the security aspects of enterprise applications build on J2EE.<br/><br />
<br/><br />
Mike Wardi<br/><br />
Mike Wardi is an internet application manager for a financial institute. He's responsible for the safety of internet applications provided to customers and the implementation of the security policies in software developement.<br/><br />
<br/><br />
<br/><br />
If you want to attend, please send an email to owasp-nl@ascure.com or the mailing list.<br/><br />
<br/><br />
All OWASP chapter meetings are free! There are never vendor pitches or sales presentations at OWASP meetings.<br/><br />
<br/><br />
NOTE TO CISSP’s: OWASP Meetings count towards CPE Credits.<br/><br />
<br/></div>Dvsteinhttps://wiki.owasp.org/index.php?title=Netherlands&diff=46555Netherlands2008-11-19T16:55:30Z<p>Dvstein: /* Meeting minutes October 27th 2008 */</p>
<hr />
<div>{{Chapter Template|chaptername=Netherlands|extra=The chapter leader is [mailto:owasp@irc2.nl Bert Koelewijn]<br />
<paypal>Netherlands</paypal><br />
|mailinglistsite=http://lists.owasp.org/mailman/listinfo/owasp-netherlands|emailarchives=http://lists.owasp.org/pipermail/owasp-netherlands}}<br />
<br />
== Meeting schedule 2008 ==<br />
This is an overview of the 2008 local chapter meeting schedule. Details of the meetings can be found in the announcements that will be posted below this schedule.<br />
<pre><br />
March 26th<br />
----------<br />
Time : 17.30 - 21.30<br />
Main Topic : Software Vulnerability assessment<br />
Presentations: Complex(ity) matters, Mario de Boer (Dutch)<br />
V.A.C. SQL injection, Marinus Kuivenhoven (Dutch)<br />
Secure Programming with Static Analysis, Brian Chess (English) <br />
Location : Mercure Utrecht Nieuwegein, Buizerdlaan 10, 3435 SB Nieuwegein<br />
Sponsor : Fortify Software<br />
<br />
Oktober 27th<br />
----------<br />
Time : 17.30 - 21.30<br />
Main Topic : Privacy and the Internet<br />
Presentations: Privacy and Internet (Dutch), Frank Fruijthoff and Ellen Hoving<br />
Vulnerability and source code scanners. (Dutch) Emile Strijbos <br />
Location : ps_testware B.V., Dorpsstraat 26, 3941 JM DOORN<br />
Sponsor : ps_testware B.V.<br />
</pre><br />
== Meeting minutes October 27th 2008 ==<br />
<br />
At October 27th, the Dutch OWASP chapter came together at the office of the sponsor of the evening; ps_testware in Doorn. The subject of the evening was 'Privacy and the Internet’. There were 2 speakers and approximately 25 attendees.<br/><br />
<br/><br />
After a short welcome talk by both the sponsor and OWASP, Mario de Boer had an announcement about a new OWASP project; ORPRO, the Open Review Project. The goal of the project is to review Open Source Software from an independent point of view. Reviews will be done both manually and with the aid of source code analysis software provided by Fortify. The first software package to be reviewed is already available so reviewers are needed. More information can be found on the OWASP project page. [http://www.owasp.org/index.php/Category:OWASP_Open_Review_Project]<br/><br />
<br/><br />
'''First presentation:''' Privacy & the Internet presented by Frank Fruijthoff and Ellen Hoving. <br/><br />
The goal of this presentation was to show the problems in regulating privacy on the internet by law. The presentation was roughly split in 3 parts: definitions, requirements and context. <br/><br />
The main problem with regulating privacy is that the concept of privacy is very broad and not well defined. Privacy can have different meanings and consequences in different contexts. Most laws therefore focus on the individual and define privacy as 'protection of personal information' where 'personal information' is all data that can be tracked back to a single person. The last years many countries within the EU developed internet laws concerning privacy on the internet. These laws state that information can only be used what it originally was intended for and usage of that information must be reported at central register. This register also makes it possible to file a complaint and check what companies use personal information for what purposes. While these rules are mostly sufficient for local databases they often fail when applied to information stored on or with use of the internet. Problems encountered are captured in the "four D's";<br/><br />
- Internet is deterritorialized; internet has no boundaries.<br/><br />
- Internet is deregulated; internet has no law, only terms of use.<br/><br />
- Internet is dematerialized; internet is not physical.<br/><br />
- Internet is decentralized; there is no single regulating or controlling organization.<br/><br />
Although the protection of personal data is more and more covered by laws, the increasing usage of external storage and connections over the internet will make it harder to enforce them. The main conclusion of the evening was that, although many initiatives improving privacy exist, the very properties of the internet make it hard to ensure privacy completely. <br/><br />
<br/><br />
'''Second presentation:''' Vulnerability and source code scanners presented by E. Strijbos. This presentation showed the results of a research concerning the feasibility of a Web Application Security Certification by the usage of vulnerability scanners.<br/><br />
With the daily increasing amount of threads and vulnerabilities in web applications there is a market-driven demand for an independent and automated scan service. Current scan services often lack coverage and depth of scanning and give no details about the used scanning methods.<br/><br />
In this research several commercial vulnerability scanners and static analysis tools were compared and checked for scantime, accuracy, false positives, and ease of use. The results showed that almost all scanners find most of the vulnerabilities, but also produce many false positives. Also, without proper configuration the amount of results can be overwhelming and inconclusive. Furthermore results showed that static analysis scanners are much faster than vulnerability scanners, but have a more limited usage. The main conclusion was that although vulnerability scanners and static analysis tools can be very helpful in identifying vulnerabilities, their current efficiency is not high enough to use as the basis for an automated vulnerability scan.<br/><br />
<br />
== Meeting October 27th 2008: Privacy and the Internet ==<br />
'''Summary'''<br/><br />
The main goal of the upcoming OWASP-NL meeting is to provide information to developers and security professionals about personal and technical privacy on the internet. The speakers focus on privacy regulations related to the internet and on the mass amount of personal and technical information available about persons and companies on the internet, with and without their consent. Furthermore tools will be discussed that help prevent leakage of privacy related and other kind of data. They will give specific examples and there will be time to ask questions.<br/><br />
Please register before October 20th because of the necessary catering arrangements.<br/><br />
<br/><br />
'''Location'''<br/><br />
The location and catering is provided by the sponsor of this meeting:<br/><br />
<table><br />
<tr><br />
<td width="350"><br />
ps_testware B.V.<br/><br />
Dorpsstraat 26,<br/><br />
3941 JM DOORN<br/><br />
</td><br />
<td width="350"><br />
[[Image:Pstestware.jpg|100px]]<br />
</td><br />
</tr><br />
<tr><br />
<td width="350"><br />
The location has parking facilities for 15 cars. However parking in the direct vicinity of ps_testware shouldn’t be a problem.<br/><br />
</td><br />
<td width="350"><br />
ps_testware delivers services related to software testing and software quality. In the field of software development, quality, time-to-market, business processes and software acceptance they play the role of "your devil's advocate" as an independent, flexible and specialized partner.<br/><br />
For more information please visit: www.pstestware.com.<br/><br />
</td><br />
</tr><br />
</table><br />
<br/><br />
<br/><br />
'''Program'''<br/><br />
17.30 - 18.30 '''Check-In''' (catering included)<br/><br />
<br/><br />
18.30 – 19:00 '''Introduction''' (OWASP organization, projects, sponsor)<br/><br />
<br/><br />
19.00 - 20.15 '''Privacy and Internet''' (Dutch), Frank Fruijthoff and Ellen Hoving<br/><br />
In this presentation the general principles of privacy laws in the Netherlands and the EU and specifically privacy and the internet will be covered.<br/><br />
Frank Fruijthoff is a Compliance Officer with ING. He has a Compliance and Risk Management background and is specialised in privacy.<br/><br />
Ellen Hoving is a graduated lawyer. She works as an independent consultant specialized in compliance and privacy.<br/><br />
<br/><br />
20.15 – 20:30 '''Break'''<br/><br />
<br/><br />
20:30 – 21:00 '''Vulnerability and source code scanners''' (Dutch), Emile Strijbos<br />
<br/><br />
For his Master thesis in computer science at the Radboud Universiteit in Nijmegen, Emile Strijbos investigated vulnerability scanners and source code scanners. These are automated tools that try to detect security flaws, either in running web-applications or in their source code.<br/><br />
Emile tried out several of these tools, including both free and commercial ones, to see how good they are at detecting standard vulnerabilities, such as SQL injection, XSS, CSRF, etc.<br/><br />
<br/><br />
21.00 – 21:30 '''Discussion, questions and social'''<br/><br />
<br/><br />
If you want to attend, please send an email to: owasp@irc2.com.<br><br />
Please register before October 20th, because of the necessary catering arrangements. The number of registries is limited to 50 due to the capacity of the location and will be handled in order of receipt.<br/><br />
<br/><br />
All OWASP chapter meetings are free of charge and you don’t have to be an OWASP member to attend. There are never any vendor pitches or sales presentations at OWASP meetings.<br/><br />
<br/><br />
NOTE TO CISSP's: OWASP Meetings count towards CPE Credits.<br/><br />
<br/><br />
The announcement and full descriptions can be found here:<br/><br />
[[Media:Announcement_27_Oktober.pdf]]<br/><br />
<br />
== Meeting minutes March 23th 2008 ==<br />
<br />
At March 23th, the Dutch OWASP chapter came together in the Mercury hotel in Nieuwegein. The meeting was sponsored by Fortify Software. The subject of the evening was 'Software Vulnerability Assesment’. There were 3 speakers and approximately 40 attendees.<br/><br />
<br/><br />
After a short introduction of Migchiel de Jong (Fortify) about the subject of Static and Dynamic Analysis and the tools that Fortify provides the speakers of the evening where introduced.<br/><br />
<br/><br />
'''First presentation:''' Practices of Complex(ity) matters (Dutch), Mario de Boer<br/><br />
Mario de Boer has spent much of his free time the last 16 years into disassembling various pieces of software and analyzing the code and its statistics. The main advantage in analyzing binaries is that no access to source code is needed, all dependencies (i.e. the compiler) are included and it’s independent of the tool used. Disassembling compiled code gives great insight in the complexity of the software and the entry and exit points of data. Although there is no direct relation between the complexity of software and its security, statistically the most vulnerabilities appear in the most complex portions of a program. Data entry points in complex portions of the code can give rise to possible exploits so static analysis can give insight in the most vulnerable places in software which is useful information in testing.<br />
The disadvantages of static analysis are that an extensive knowledge of assembly is needed and, due to its statistic nature, it gives rise to many false positives. <br />
In conclusion static binary analysis, when used by experts, can be a powerful tool to gain insight in the most vulnerable parts of the software and be a valuable tool in both developing and testing software. <br/><br />
<br/><br />
'''Second presentation:''' V.A.C: SQL injection (Dutch), Marinus Kuivenhoven<br/><br />
A new reoccurring topic on OWASP presentations will be the so called VAC. In these presentations an expert will talk about a Vulnerability, how to Assess it and possible Countermeasures. This evening Marinus started with the second vulnerability in the OWASP top ten; SQL injections.<br/><br />
With the aid of Webgoat, a few simple examples and the possible consequences were shown. SQL injection is particularly useful exploit in the reconnaissance phase since it can be abused for information leakage and in getting information about e.g. the table structure. <br/><br />
On the internet and in literature many countermeasures against SQL injections are described. However, many of these countermeasures are not usable in a maintainable system or cannot prevent SQL injections completely. The most important conclusion was that input should never be trusted and should never be directly used.<br/><br />
<br/><br />
'''Third presentation:''' Secure Programming with Static Analysis (English), Brian Chess<br/><br />
The last speaker of the evening was Brian Chess who presented his new book ‘Secure Programming with Static Analysis’. Brian made clear that, although a powerful tool, static binary analysis is already too late in the SDLC to be successful in preventing vulnerabilities. Scanning for possible vulnerabilities should be implemented as early as possible i.e. during coding. The main advantages of static analysis are the cost and speed. Since errors and bad practices are identified in an early stage they can be solved at the spot, making auditing the software more efficient in term of time and depth. <br/><br />
Static analysis can successfully be used for style and type checking, program understanding and verification, and for security reviews. The success of static analysis, however, is fully depending on the rules implemented in the scanner. Static analysis is also unable to identify design flaws, right problems, or wrong user input. <br/><br />
The conclusion was that scanning for vulnerabilities can probably only be successful with the aid of static analysis, but many requirements should be met. Firstly it should become part of the SDLC and culture. Secondly the right tool should be picked and people should be trained in its use. Lastly investments should be made in building up a good rule set and metrics. <br/><br />
<br />
== Meeting March 26th 2008: Software Vulnerability assessment ==<br />
'''Summary'''<br/><br />
The main goal of the upcoming OWASP-NL meeting is to provide information to developers and security professionals involved in creating secure (web-)applications. The main focus will be on software vulnerability assessment. The speakers will give specific examples and of course there is time to ask questions about your own experiences.<br/><br />
<br/><br />
'''Location'''<br/><br />
The location and catering is provided by the sponsor of this meeting:<br/><br />
<table><br />
<tr><br />
<td width="350"><br />
Mercure Utrecht Nieuwegein<br/><br />
Buizerdlaan 10,<br/><br />
3435 SB Nieuwegein<br/><br />
</td><br />
<td width="350"><br />
[[Image:Fortify.JPG|143px]]<br />
</td><br />
</tr><br />
<tr><br />
<td width="350"><br />
</td><br />
<td width="350"><br />
Fortify Software products protect companies from today’s greatest security risk: the software applications that run their businesses. Combining deep application security expertise with extensive software development experience, Fortify Software has defined the market with award-winning products that span the software development cycle. Today, Fortify Software fortifies the software for the most demanding customer deployments, including the world’s largest, most varied code bases.<br/><br />
<br/><br />
For more information please visit:<br/><br />
www.fortify.com<br/><br />
</td><br />
</tr><br />
</table><br />
<br/><br />
<br/><br />
'''Program'''<br/><br />
17.30 - 18.30 '''Check-In''' (catering included)<br/><br />
<br/><br />
18.30 - 18:50 '''Introduction''' (OWASP, sponsor)<br/><br />
<br/><br />
18.50 - 19.30 '''Complex(ity) matters''' (Dutch), Mario de Boer<br/><br />
Various methods exist to locate specific vulnerabilities in software. In the presentation we will look at static analysis of binaries, and the problems we face when trying to locate vulnerabilities. Several ideas will be discussed to make the search easier, but at the same time less exact. The first idea is trivial: automate as much as possible. The second idea is nearly trivial: don't aim at exact vulnerabilities but relax the search to locating potential vulnerabilities. We will give examples that illustrate the results.<br/><br />
Mario de Boer is a senior security consultant at Logica, and as such focuses on security management aspects like security frameworks, compliance, monitoring and control and risk management. Before joining Logica, Mario worked at the Dutch ministries of Defense and Justice, he co-founded a security company and worked as a project manager in the financial sector. For several years he taught courses in software security analysis and secure software development. Besides security management, Mario has interest in software security, reverse engineering and cryptography. Within Logica Netherlands, he is knowledge manager application security. Mario holds a PhD in Mathematics and is CISA and CISSP.<br/><br />
<br/><br />
19.30 - 19:50 '''Break'''<br/><br />
<br/><br />
19:50 - 20:20 '''V.A.C: SQL injection''' (Dutch), Marinus Kuivenhoven<br />
<br/><br />
<u>'''V'''ulnerability:</u><br/><br />
An application which uses a database for its information needs, communicates with it trough SQL. SQL injection is an attack in which malicious code is inserted into strings that are later passed to an instance of a Database for parsing and execution.<br/><br />
<u>'''A'''ssessment:</u><br/><br />
SQL injection can threaten the confidentiality, availability and integrity of the data. The various types of SQL injection and their impact will be shown.<br/><br />
<u>'''C'''ountermeasure:</u><br/><br />
Any procedure that constructs SQL statements should be reviewed for injection vulnerabilities because a database will execute all syntactically valid queries that it receives. How this should be done will be shown for the most popular languages.<br/><br />
Marinus is a Technology Specialist with Sogeti Nederland B.V. specializing in service oriented architectures and secure application development. His experience includes developing and administrating Oracle-based systems.<br/><br />
<br/><br />
20.20 - 21.00 '''Secure Programming with Static Analysis''' (English), Brian Chess<br/><br />
Creating secure code requires more than just good intentions. Programmers need to know how to make their code safe in an almost infinite number of scenarios and configurations. Static source code analysis gives users the ability to review their work with a fine tooth comb and uncover the kinds of errors that lead directly to vulnerabilities. This talk frames the software security problem and shows how static analysis is part of the solution. We will look at how static analysis works, how to integrate it into the software development processes, and how to make the most of it during security code review. Along the way we'll look at examples taken from real-world security incidents, showing how coding errors are exploited, how they could have been prevented, and how static analysis can rapidly uncover similar errors.<br/><br />
Brian Chess is a founder of Fortify Software and serves as Fortify's Chief Scientist, where his work focuses on practical methods for creating secure systems. His book, Secure Programming with Static Analysis, shows how static source code analysis is an indispensable tool for getting security right. Brian holds a Ph.D. in computer engineering from the University of California at Santa Cruz, where he studied the application of static analysis to the problem of finding security-relevant defects in source code. Before settling on security, Brian spent a decade in Silicon Valley working at huge companies and small startups. He has done research on a broad set of topics, ranging from integrated circuit design all the way to delivering software as a service.<br/><br />
<br/><br />
21.00 - 21:30 '''Discussion, questions and social'''<br/><br />
<br/><br />
'''Registration'''<br/><br />
If you want to attend, please send an email to: owasp@irc2.com.<br/><br />
<br/><br />
All OWASP chapter meetings are free of charge and you don’t have to be an OWASP member to attend. There are never any vendor pitches or sales presentations at OWASP meetings.<br/><br />
<br/><br />
NOTE TO CISSP's: OWASP Meetings count towards CPE Credits.<br/><br />
<br/><br />
<br />
== Meeting December 20th 2007: Secure Development ==<br />
'''Summary'''<br/><br />
The main goal of the upcoming OWASP-NL meeting is to provide information to developers and security professionals involved in creating secure (web-)applications. The general and specific security issues involved on project and programming level will be covered from a practical as well as a theoretical point of view. The speakers will give specific examples and of course there is time to ask questions about your own experiences.<br/><br />
Please register before December the 14th because of the necessary catering arrangements.<br/><br />
<br/><br />
'''Location'''<br/><br />
The location and catering is provided by the sponsor of this meeting:<br/><br />
<table><br />
<tr><br />
<td width="350"><br />
ps_testware B.V.<br/><br />
Dorpsstraat 26,<br/><br />
3941 JM DOORN<br/><br />
</td><br />
<td width="350"><br />
[[Image:Pstestware.jpg|100px]]<br />
</td><br />
</tr><br />
<tr><br />
<td width="350"><br />
The location has parking facilities for 15 cars. However parking in the direct vicinity of ps_testware shouldn’t be a problem.<br/><br />
</td><br />
<td width="350"><br />
ps_testware delivers services related to software testing and software quality. In the field of software development, quality, time-to-market, business processes and software acceptance they play the role of "your devil's advocate" as an independent, flexible and specialized partner.<br/><br />
For more information please visit: www.pstestware.com.<br/><br />
</td><br />
</tr><br />
</table><br />
<br/><br />
<br/><br />
'''Program'''<br/><br />
17.30 - 18.30 '''Check-In''' (catering included)<br/><br />
<br/><br />
18.30 – 19:00 '''Introduction''' (OWASP organization, projects, sponsor)<br/><br />
<br/><br />
19.00 - 19.30 '''Practices of developing optimal security''' (dutch), Andre Post<br/><br />
This presentation highlights a number of current practices that lead to sub-optimal security, and suggests ways of avoiding these problems, focusing on the technical side of development.<br/><br />
André Post works for Fox-IT on a variety of projects including core product development, software architecting, security code reviews, and software project management.<br/><br />
<br/><br />
19.30 – 19:45 '''Break'''<br/><br />
<br/><br />
19:45 – 20:30 '''Problems of developing secure and correct applications''' (dutch), Erik Poll [http://www.cs.ru.nl/~erikpoll/talks/OWASP2007.pdf (slides of the presentation)]<br />
<br/><br />
This presentation will discuss different possibilities to improve software security. The problem of getting time and money available to be spend on security, not only for developing applications, but also for developing programming languages, will be raised.<br/><br />
Erik Poll is head of the Security of Systems (SoS) group at the Radboud University of Nijmegen. His research does focus on the security and correctness of software.<br/><br />
<br/><br />
20.30 - 21.00 '''Protecting Web services and Web applications against security threats''' (dutch), Rix Groenboom<br/><br />
During this session, Rix will explore how to implement development and security best practices in the code to make sure that your webservices and applications perform solidly when they are being hacked or used in malicious ways.<br/><br />
Rix Groenboom supports fortune 2000 companies in field automated software error prevention and correction for Parasoft. His main area of expertise is in the use of formal languages for the specification, design and validation of software applications.<br/><br />
<br/><br />
21.00 – 21:30 '''Discussion, questions and social'''<br/><br />
<br/><br />
All OWASP chapter meetings are free of charge and you don’t have to be an OWASP member to attend. There are never any vendor pitches or sales presentations at OWASP meetings.<br/><br />
<br/><br />
NOTE TO CISSP's: OWASP Meetings count towards CPE Credits.<br/><br />
<br/><br />
The announcement and full descriptions can be found here:<br/><br />
[[Media:Announcement_20_December.pdf]]<br/><br />
[[Media:Announcement_20_December_2.pdf]]<br/><br />
<br />
== Meeting September 13th: putting initiatives into practice ==<br />
<br />
The main goal of the next OWASP meeting is finding a way to put initiatives and all offered help into a form of structural benefit for the OWASP Netherlands local chapter. As a starting point for the discussion, examples will be taken from other European chapters and input delivered by discussions that take place on the mailing list is considered too. Let this be a call to put your ideas on the mailing list before the next meeting!<br/><br />
<br/><br />
The location is provided by the sponsor of this meeting:<br/><br />
Comsec Consulting BV<br/><br />
Rivium Boulevard 102<br/><br />
2909LK Capelle aan den IJssel<br/><br />
<br/><br />
The agenda:<br/><br />
18.00 - 18.30 Check-In (catering included)<br/><br />
18.30 - 18.45 OWASP update, Bert Koelewijn<br/><br />
18.45 - 19.15 Security Best Practices for .NET, Boaz Shunami<br/><br />
19.15 - 20.00 Discussion: collecting ideas and initiatives<br/><br />
20.00 - 20.15 Coffee break<br/><br />
20.15 - 21.00 Discussion: how to enable community commitment<br/><br />
21.00 - 21.30 Closing discussion and coffee<br/><br />
<br/><br />
Boaz Shunami<br/><br />
Boaz is manager of the Application Security department of Comsec Europe. He has 11 years of experience in the IT Security field, and a large part of them in Application Security.<br/><br />
Boaz did numerous application security audits in very large organizations and is recognized as one of the greatest expert’s world wide. Boaz' expertise is broad, but especially in-depth for the .NET platform.<br/><br />
<br/><br />
Discussion input (until now)<br/><br />
- division of local chapter work load by multiple people<br/><br />
- collaboration with other organizations<br/><br />
<br/><br />
If you want to attend send an email to owasp@irc2.com.<br/><br />
<br/><br />
All OWASP chapter meetings are free, there are never vendor pitches or sales presentations at OWASP meetings.<br/><br />
<br/><br />
NOTE TO CISSP's: OWASP Meetings count towards CPE Credits.<br/><br />
<br />
== Meeting minutes Januar 11th 2007 ==<br />
<br />
January 11th, the Dutch OWASP chapter came together at the office of Sogeti Netherlands. Subject of the evening was 'putting software security into practice'. The group was small but select.<br/><br />
<br/><br />
The agenda:<br/><br />
18.00 - 18.30 Check-In (catering included)<br/><br />
18.30 - 18.45 Sponsor opening<br/><br />
18.45 - 19.00 OWASP update, Bert Koelewijn<br/><br />
19.00 - 19.30 Implementation of Security by Design, Martin Knobloch<br/><br />
19.30 - 19.45 Panel introduction<br/><br />
19.45 - 20.00 Coffee break<br/><br />
20.00 - 21.30 Panel discussion<br/><br />
<br/><br />
After being welcomed by Frank Langeveld from Sogeti and Bert Koelewijn, Dutch chapter leader, the evening started with the presentation 'Security By Design'. During the presentation Martin Knobloch told about his experiences during the implementation of the Secure Development Life Cycle in a company like Sogeti Nederland B.V.<br/><br />
<br/><br />
The presentation is available here:<br/><br />
[[Media:Implementation_of_Security_by_Design.ppt]]<br/><br />
<br/><br />
After a small break, the panel discussion started with the following panel: Henk van der Heijden - Comsec Consulting, Dr.ir. Mario de Boer - LogicaCMG and Martin Knobloch - Sogeti Nederland.<br/><br />
During the discussion, it became clear people are struggling to get the Secure Development Life Cycle implemented in their company. The various experiences were shared with the panel and the others. Company typical problems and common misunderstandings about Software security where brought up.<br/><br />
The consensus of the discussion was that the main problem lies in the lack of security awareness and knowledge of the managers and the developers. And this of course is exactly where OWASP comes in…<br/><br />
<br/><br />
<br />
== Meeting Januar 11th 2007 ==<br />
<br />
The OWASP meeting of 11 January is about putting software security into practice. A lot of books, standards, organizations and consultants tell us how we should develop secure software. But which methods and measures are commonly adopted and which are not and why?<br/><br />
This will be the main focus of the discussion that we will have with a panel of people that experienced implementing software security in the field.<br/><br />
<br/><br />
The location is provided by the sponsor of this meeting:<br/><br />
Sogeti Nederland B.V.<br/><br />
"La Charmille" building<br/><br />
Lange Dreef 17<br/><br />
4131 NJ Vianen<br/><br />
<br/><br />
The agenda:<br />
<br/><br />
18.00 - 18.30 Check-In (catering included)<br/><br />
18.30 - 18.45 Sponsor opening<br/><br />
18.45 - 19.00 OWASP update, Bert Koelewijn<br/><br />
19.00 - 19.30 Implementation of Security by Design, Martin Knobloch<br/><br />
19.30 - 19.45 Panel introduction<br/><br />
19.45 - 20.00 Coffee break<br/><br />
20.00 - 21.30 Panel discussion<br/><br />
<br/><br />
Implementation of Security by Design<br/><br />
What is needed to implement a 'Secure Development Life Cycle' within Sogeti Nederland? The speaker started a project called 'Security by Design' in march 2006 implementing a SDLC at Sogeti Nederland.<br/><br />
In his presentation, the speaker will share his technical and organizational experiences that he gained with the still ongoing implementation.<br/><br />
<br/><br />
About the speaker<br/><br />
Martin Knobloch has more than 8 years experience in design and development of J2EE applications for customers in various sectors of the market. In September 2003 Martin Knobloch started working for Sogeti Nederland, where he does the design, development and review of J2EE applications and architectures.<br/><br />
From this background, Martin Knobloch experienced the threats of insecure software firsthand. In march 2006, Martin Knobloch started implementing a SDLC within Sogeti Nederland.<br/><br />
<br/><br />
Panel discussion<br/><br />
The panel members are:<br/><br />
Henk van der Heijden, Managing Director - Comsec Consulting B.V.<br/><br />
Dr.ir. Mario de Boer, Security Consultant - LogicaCMG<br/><br />
Martin Knobloch, Senior Technologie Specialist - Sogeti Nederland B.V.<br/><br />
<br/><br />
In the discussion, we will try to find answers to questions like:<br/><br />
- What are the most common security practices in software development?<br/><br />
- How effective are those practices?<br/><br />
- Where do we start practicing security?<br/><br />
- What should be the most common security practices in software development?<br/><br />
- How much does security cost?<br/><br />
- How does the Systems Security Engineering Capability Maturity Model (SSE-CMM) fit in?<br/><br />
<br/><br />
If you want to attend send an email to owasp@irc2.com.<br/><br />
<br/><br />
All OWASP chapter meetings are free, there are never vendor pitches or sales presentations at OWASP meetings.<br/><br />
<br/><br />
NOTE TO CISSP’s: OWASP Meetings count towards CPE Credits.<br/><br />
<br />
== OWASP Netherlands meeting minutes ==<br />
<br />
On 9 march, the second meeting of OWASP Netherlands local chapter took place. GetronicsPinkRoccade provided the venue, in their luxury conference centre: Connection I.<br/><br />
<br/><br />
Agenda:<br/><br />
18.00 - 18.45 Check-In (bread & drinks)<br/><br />
18.45 - 19.00 Opening<br/><br />
19.00 - 20.00 Improving Security in the Application Development Life-cycle, Migchiel de Jong<br/><br />
20.00 - 20.15 Coffee break<br/><br />
20.15 - 22.00 Form focus groups<br/><br />
<br/><br />
The presentation of Migchiel de Jong was found very interesting by the audience. At the end of his presentation, he demonstrated a static code analysis of the OWASP webgoat application.<br/><br />
<br/><br />
After the coffee break, the attendances started discussing about the largest common topics of interest in the web application security field, in relation to the OWASP Netherlands chapter. As a result, the following focus groups are formed:<br/><br />
<br/><br />
Testing<br/><br />
The current OWASP Testing project and the Open Source Security Testing Methodology Manual of ISECOM, provide guidelines and best practices for testers. These guidelines can be used to formalize a standard structure and a set of minimum requirements for a security test. Clients could ask a tester to adhere to these guidelines.<br/><br />
A second idea is to standardize the testing results management report. In practice, testing could result in piles of paper with all the findings. The real value is reporting it in a usable way. For example: mapping technical findings to business risks.<br/><br />
<br/><br />
Frans v. Buul<br/><br />
Peter Gouwentak<br/><br />
Arthur Donkers<br/><br />
Eelco Klaver<br/><br />
Migchiel de Jong<br/><br />
Mario de Boer<br/><br />
<br/><br />
First focus group meeting: Monday 27 march, 18:00h, PwC Utrecht<br/><br />
<br/><br />
<br/><br />
Public Relations<br/><br />
This focus group will try to make business aware of the security impact that developing, hosting and using web applications has. What OWASP is and how OWASP can help. This can be done by giving presentations, writing papers and articles, word of mouth, etc. etc.<br/><br />
<br/><br />
Remco Bakker<br/><br />
Ronald Eygendaal<br/><br />
Bas van Vossen<br/><br />
Edwin van Vliet<br/><br />
Eelco Klaver<br/><br />
<br/><br />
First presentation of OWASP materials: Edwin van Vliet, TestNet - Voorjaarsevenement, 5 april<br/><br />
First focus group meeting: To be planned!<br/><br />
<br/><br />
<br/><br />
Education<br/><br />
OWASP and universities/schools could benefit from working together. For example:<br/><br />
- OWASP provides lot's of materials usable in colleges.<br/><br />
- Develop OWASP training course.<br/><br />
- Students can participate in OWASP projects<br/><br />
- OWASP can provide a platform for supporting research. Such as thesis projects, etc.<br/><br />
- OWASP representatives could provide guest colleges.<br/><br />
<br/><br />
Ronald Eygendaal<br/><br />
Erik Poll<br/><br />
Bas van Vossen<br/><br />
Edwin van Vliet<br/><br />
<br/><br />
First focus group meeting: To be planned!<br/><br />
<br/><br />
The presentation is available here:<br/><br />
[[Media:OWASP_NL_Fortify_Software.pdf]]<br/><br />
<br />
== 9 March: Second meeting of the OWASP Netherlands local chapter! ==<br />
<br />
In this second meeting focus groups are to be formed, to discuss common problems, develop and research common solutions in a vendor neutral environment. So this is a very good opportunity to get in contact with others, to exchange knowledge and experiences on specific topics.<br/><br />
<br/><br />
For every focus group the following questions has to be answered:<br/><br />
1. Which specific topic is to be addressed?<br/><br />
2. What are the deliverables?<br/><br />
3. What is the relation to OWASP? (Current projects, materials, expertise and knowledge interchange, etc.)<br/><br />
4. Who is the central contact of the subgroup?<br/><br />
<br/><br />
It would be nice to have a bigger and more diverse group, compared to the first meeting. So let's recall: "Please, bring at least one friend, next time." And don't hesitate to send this announcement to everybody who may be interested!<br/><br />
<br/><br />
We thank Getronics PinkRoccade for offering us a venue:<br/><br />
Getronics PinkRoccade<br/><br />
Fauststraat 1<br/><br />
7323 BA Apeldoorn <br/><br />
<br/><br />
The agenda:<br/><br />
18.00 - 18.30 Check-In<br/><br />
18.30 - 18.45 Opening<br/><br />
18.45 - 19.30 Improving Security in the Application Development Life-cycle, Migchiel de Jong<br/><br />
19.30 - 20.00 Collecting focus group initiatives<br/><br />
19.45 - 20.00 Coffee break<br/><br />
20.00 - 21.00 Form focus groups<br/><br />
<br/><br />
Presentation Abstract<br/><br />
Rather than spending large amounts of time and money on proving that we have security vulnerabilities after programs go into production, companies should go to the source and correct vulnerabilities as early as possible in the development stage. It is unquestionably faster, simpler, and cheaper for developers to correct vulnerabilities as they build programs.<br/><br />
But how can development management ensure that developers focus on security when there is no time or budget for security at the development stage? Even with the correct focus, how can they learn what to look for? How can they stay ahead of the dedicated and resourceful hacker?<br/><br />
The answer is effective processes and better tools. With advanced software security tools, a developer can pinpoint vulnerabilities in a matter of seconds — the same vulnerabilities that would take a hacker or manual code reviewer weeks or even months to find. These same tools can give development and information security managers useful metrics on application vulnerabilities before they are released into deployment.<br/><br />
This talk will walk through the Application Development Life-Cycle and discuss how tools can help come to grips with software security issues in a particular phase.<br/><br />
<br/><br />
About the presenter<br/><br />
Migchiel de Jong has developed hardware and software for 10 years before joining Rational Software. During the 5 years at Rational Software (later acquired by IBM) he was involved in many software development process improvement projects. Currently Migchiel de Jong is working at Fortify Software, Palo Alto, California, as a software security engineer.<br/><br />
<br/><br />
If you want to attend send an email to owasp@irc2.nl. Please don't wait, 9 march is not that long anymore!<br/><br />
<br/><br />
All OWASP chapter meetings are free, there are never vendor pitches or sales presentations at OWASP meetings.<br/><br />
<br/><br />
NOTE TO CISSP’s: OWASP Meetings count towards CPE Credits.<br/><br />
<br />
== OWASP Netherlands kick-off meeting minutes ==<br />
<br />
On 17 November, OWASP Netherlands had it's first meeting. We moved to a bigger location, the Mercure hotel in Nieuwegein, to host all the 35 attendees.<br/><br />
<br/><br />
The agenda:<br/><br />
18.00 - 18.30 Check-In (bread & drinks)<br/><br />
18.30 - 18.45 Chapter opening<br/><br />
18.45 - 19.30 Presentation - 'Top tien web applicatie kwetsbaarheden in J2EE', Eelco Klaver<br/><br />
19.30 - 19.45 Presentation - 'Veilige webapplicaties boven alles', Mike Wardi<br/><br />
19.45 - 20.00 Coffee break<br/><br />
20.00 - 21.00 Discussion - About the OWASP Netherlands local chapter<br/><br />
<br/><br />
The discussion took place in a 'round table' session, where all attendees were able to take part. The focus of the discussion was how to give the OWASP Netherlands local chapter additional value, next to the OWASP project. What the goals and tasks will be. And which actions will have to be taken at short term.<br/><br />
Different people have interest in different subjects. In general meetings there is no time to address all subjects and address them specific enough. Therefore subgroups can be formed, focusing on specific topics. They can have their own communication channel and meetings, but should keep close contact with the OWASP body.<br/><br />
<br/><br />
An inventarisation:<br/><br />
<br/><br />
Discussion Topics<br/><br />
- Awareness: writing articles, press publications, interviews<br/><br />
- Education: contact universities, schools and their common boards. Develop and gather education materials.<br/><br />
- General: discuss ideas for OWASP NL<br/><br />
<br/><br />
Focusgroup Topics<br/><br />
- (dutch) metrics project<br/><br />
- (dutch) legal project<br/><br />
- standard framework for pentest reports<br/><br />
- safe outsourcing<br/><br />
<br/><br />
Actions that should be taken on short term are:<br/><br />
- provide communication channels<br/><br />
- plan next (sub)meetings<br/><br />
- start discussions and focusgroups<br/><br />
<br/><br />
The presentations are available here:<br/><br />
<br/><br />
[[Media:OWASP_NL_Top_Ten_Web_Application_Vulnerabilities_in_J2EE.pdf]]<br/><br />
[[Media:OWASP_NL_Veilige_Web_App_Boven_Alles.pdf]]<br/><br />
<br />
== You are welcome to the OWASP Netherlands local chapter kick-off meeting! ==<br />
<br />
Thursday, November 17th (2005) at 18.00h.<br/><br />
<br/><br />
ATTENTION! Because of the large amount of attendees, the location has changed:<br/><br />
<br/><br />
Hotel Mercure Utrecht/Nieuwegein<br/><br />
Buizerdlaan 10<br/><br />
3435 SB NIEUWEGEIN<br/><br />
Tel: 00 31 (0) 30 60 84 122<br/><br />
Fax: 00 31 (0) 30 60 38 374<br/><br />
<br/><br />
This first meeting will be an introduction to the OWASP. A constructive discussion will be held about the actual form of the OWASP Netherlands local chapter.<br/><br />
<br/><br />
The agenda:<br/><br />
18.00 - 18.30 Check-In (bread & drinks)<br/><br />
18.30 - 18.45 Chapter opening<br/><br />
18.45 - 19.30 Presentation - 'Top tien web applicatie kwetsbaarheden in J2EE', Eelco Klaver<br/><br />
19.30 - 19.45 Presentation - 'Veilige webapplicaties boven alles', Mike Wardi<br/><br />
19.45 - 20.00 Coffee break<br/><br />
20.00 - 21.00 Discussion - About the OWASP Netherlands local chapter<br/><br />
<br/><br />
About the presenters<br/><br />
<br/><br />
Eelco Klaver<br/><br />
Eelco Klaver is a senior consultant for Xebia IT Architects, since 2003. Doing software reviews, security audits and giving security workshops are part of his job. He has almost 10 years experience with developing enterprise applications in J2EE for different employees. At the moment, Eelco is the front man of the security business unit for Xebia, focussing on the security aspects of enterprise applications build on J2EE.<br/><br />
<br/><br />
Mike Wardi<br/><br />
Mike Wardi is an internet application manager for a financial institute. He's responsible for the safety of internet applications provided to customers and the implementation of the security policies in software developement.<br/><br />
<br/><br />
<br/><br />
If you want to attend, please send an email to owasp-nl@ascure.com or the mailing list.<br/><br />
<br/><br />
All OWASP chapter meetings are free! There are never vendor pitches or sales presentations at OWASP meetings.<br/><br />
<br/><br />
NOTE TO CISSP’s: OWASP Meetings count towards CPE Credits.<br/><br />
<br/></div>Dvsteinhttps://wiki.owasp.org/index.php?title=Netherlands&diff=46553Netherlands2008-11-19T16:54:45Z<p>Dvstein: /* Meeting minutes October 27th 2008 */</p>
<hr />
<div>{{Chapter Template|chaptername=Netherlands|extra=The chapter leader is [mailto:owasp@irc2.nl Bert Koelewijn]<br />
<paypal>Netherlands</paypal><br />
|mailinglistsite=http://lists.owasp.org/mailman/listinfo/owasp-netherlands|emailarchives=http://lists.owasp.org/pipermail/owasp-netherlands}}<br />
<br />
== Meeting schedule 2008 ==<br />
This is an overview of the 2008 local chapter meeting schedule. Details of the meetings can be found in the announcements that will be posted below this schedule.<br />
<pre><br />
March 26th<br />
----------<br />
Time : 17.30 - 21.30<br />
Main Topic : Software Vulnerability assessment<br />
Presentations: Complex(ity) matters, Mario de Boer (Dutch)<br />
V.A.C. SQL injection, Marinus Kuivenhoven (Dutch)<br />
Secure Programming with Static Analysis, Brian Chess (English) <br />
Location : Mercure Utrecht Nieuwegein, Buizerdlaan 10, 3435 SB Nieuwegein<br />
Sponsor : Fortify Software<br />
<br />
Oktober 27th<br />
----------<br />
Time : 17.30 - 21.30<br />
Main Topic : Privacy and the Internet<br />
Presentations: Privacy and Internet (Dutch), Frank Fruijthoff and Ellen Hoving<br />
Vulnerability and source code scanners. (Dutch) Emile Strijbos <br />
Location : ps_testware B.V., Dorpsstraat 26, 3941 JM DOORN<br />
Sponsor : ps_testware B.V.<br />
</pre><br />
== Meeting minutes October 27th 2008 ==<br />
<br />
At October 27th, the Dutch OWASP chapter came together at the office of the sponsor of the evening; ps_testware in Doorn. The subject of the evening was 'Privacy and the Internet’. There were 2 speakers and approximately 25 attendees.<br/><br />
<br/><br />
After a short welcome talk by both the sponsor and OWASP, Mario de Boer had an announcement about a new OWASP project; ORPRO, the Open Review Project. The goal of the project is to review Open Source Software from an independent point of view. Reviews will be done both manually and with the aid of source code analysis software provided by Fortify. The first software package to be reviewed is already available so reviewers are needed. More information can be found on the OWASP project page. [http://www.owasp.org/index.php/Category:OWASP_Open_Review_Project]<br/><br />
<br/><br />
'''First presentation:''' Privacy & the Internet presented by Frank Fruijthoff and Ellen Hoving. <br/><br />
The goal of this presentation was to show the problems in regulating privacy on the internet by law. The presentation was roughly split in 3 parts: definitions, requirements and context. <br/><br />
The main problem with regulating privacy is that the concept of privacy is very broad and not well defined. Privacy can have different meanings and consequences in different contexts. Most laws therefore focus on the individual and define privacy as 'protection of personal information' where 'personal information' is all data that can be tracked back to a single person. The last years many countries within the EU developed internet laws concerning privacy on the internet. These laws state that information can only be used what it originally was intended for and usage of that information must be reported at central register. This register also makes it possible to file a complaint and check what companies use personal information for what purposes. While these rules are mostly sufficient for local databases they often fail when applied to information stored on or with use of the internet. Problems encountered are captured in the "four D's";<br/><br />
- Internet is deterritorialized; internet has no boundaries.<br/><br />
- Internet is deregulated; internet has no law, only terms of use.<br/><br />
- Internet is dematerialized; internet is not physical.<br/><br />
- Internet is decentralized; there is no single regulating or controlling organization.<br/><br />
Although the protection of personal data is more and more covered by laws, the increasing usage of external storage and connections over the internet will make it harder to enforce them. The main conclusion of the evening was that, although many initiatives improving privacy exist, the very properties of the internet make it hard to ensure privacy completely. <br/><br />
<br/><br />
'''Second presentation:''' Vulnerability and source code scanners presented by E. Strijbos. He showed the results of his research concerning the feasibility of a Web Application Security Certification by the usage of vulnerability scanners.<br/><br />
With the daily increasing amount of threads and vulnerabilities in web applications there is a market-driven demand for an independent and automated scan service. Current scan services often lack coverage and depth of scanning and give no details about the used scanning methods.<br/><br />
In this research several commercial vulnerability scanners and static analysis tools were compared and checked for scantime, accuracy, false positives, and ease of use. The results showed that almost all scanners find most of the vulnerabilities, but also produce many false positives. Also, without proper configuration the amount of results can be overwhelming and inconclusive. Furthermore results showed that static analysis scanners are much faster than vulnerability scanners, but have a more limited usage. The main conclusion was that although vulnerability scanners and static analysis tools can be very helpful in identifying vulnerabilities, their current efficiency is not high enough to use as the basis for an automated vulnerability scan.<br/><br />
<br />
== Meeting October 27th 2008: Privacy and the Internet ==<br />
'''Summary'''<br/><br />
The main goal of the upcoming OWASP-NL meeting is to provide information to developers and security professionals about personal and technical privacy on the internet. The speakers focus on privacy regulations related to the internet and on the mass amount of personal and technical information available about persons and companies on the internet, with and without their consent. Furthermore tools will be discussed that help prevent leakage of privacy related and other kind of data. They will give specific examples and there will be time to ask questions.<br/><br />
Please register before October 20th because of the necessary catering arrangements.<br/><br />
<br/><br />
'''Location'''<br/><br />
The location and catering is provided by the sponsor of this meeting:<br/><br />
<table><br />
<tr><br />
<td width="350"><br />
ps_testware B.V.<br/><br />
Dorpsstraat 26,<br/><br />
3941 JM DOORN<br/><br />
</td><br />
<td width="350"><br />
[[Image:Pstestware.jpg|100px]]<br />
</td><br />
</tr><br />
<tr><br />
<td width="350"><br />
The location has parking facilities for 15 cars. However parking in the direct vicinity of ps_testware shouldn’t be a problem.<br/><br />
</td><br />
<td width="350"><br />
ps_testware delivers services related to software testing and software quality. In the field of software development, quality, time-to-market, business processes and software acceptance they play the role of "your devil's advocate" as an independent, flexible and specialized partner.<br/><br />
For more information please visit: www.pstestware.com.<br/><br />
</td><br />
</tr><br />
</table><br />
<br/><br />
<br/><br />
'''Program'''<br/><br />
17.30 - 18.30 '''Check-In''' (catering included)<br/><br />
<br/><br />
18.30 – 19:00 '''Introduction''' (OWASP organization, projects, sponsor)<br/><br />
<br/><br />
19.00 - 20.15 '''Privacy and Internet''' (Dutch), Frank Fruijthoff and Ellen Hoving<br/><br />
In this presentation the general principles of privacy laws in the Netherlands and the EU and specifically privacy and the internet will be covered.<br/><br />
Frank Fruijthoff is a Compliance Officer with ING. He has a Compliance and Risk Management background and is specialised in privacy.<br/><br />
Ellen Hoving is a graduated lawyer. She works as an independent consultant specialized in compliance and privacy.<br/><br />
<br/><br />
20.15 – 20:30 '''Break'''<br/><br />
<br/><br />
20:30 – 21:00 '''Vulnerability and source code scanners''' (Dutch), Emile Strijbos<br />
<br/><br />
For his Master thesis in computer science at the Radboud Universiteit in Nijmegen, Emile Strijbos investigated vulnerability scanners and source code scanners. These are automated tools that try to detect security flaws, either in running web-applications or in their source code.<br/><br />
Emile tried out several of these tools, including both free and commercial ones, to see how good they are at detecting standard vulnerabilities, such as SQL injection, XSS, CSRF, etc.<br/><br />
<br/><br />
21.00 – 21:30 '''Discussion, questions and social'''<br/><br />
<br/><br />
If you want to attend, please send an email to: owasp@irc2.com.<br><br />
Please register before October 20th, because of the necessary catering arrangements. The number of registries is limited to 50 due to the capacity of the location and will be handled in order of receipt.<br/><br />
<br/><br />
All OWASP chapter meetings are free of charge and you don’t have to be an OWASP member to attend. There are never any vendor pitches or sales presentations at OWASP meetings.<br/><br />
<br/><br />
NOTE TO CISSP's: OWASP Meetings count towards CPE Credits.<br/><br />
<br/><br />
The announcement and full descriptions can be found here:<br/><br />
[[Media:Announcement_27_Oktober.pdf]]<br/><br />
<br />
== Meeting minutes March 23th 2008 ==<br />
<br />
At March 23th, the Dutch OWASP chapter came together in the Mercury hotel in Nieuwegein. The meeting was sponsored by Fortify Software. The subject of the evening was 'Software Vulnerability Assesment’. There were 3 speakers and approximately 40 attendees.<br/><br />
<br/><br />
After a short introduction of Migchiel de Jong (Fortify) about the subject of Static and Dynamic Analysis and the tools that Fortify provides the speakers of the evening where introduced.<br/><br />
<br/><br />
'''First presentation:''' Practices of Complex(ity) matters (Dutch), Mario de Boer<br/><br />
Mario de Boer has spent much of his free time the last 16 years into disassembling various pieces of software and analyzing the code and its statistics. The main advantage in analyzing binaries is that no access to source code is needed, all dependencies (i.e. the compiler) are included and it’s independent of the tool used. Disassembling compiled code gives great insight in the complexity of the software and the entry and exit points of data. Although there is no direct relation between the complexity of software and its security, statistically the most vulnerabilities appear in the most complex portions of a program. Data entry points in complex portions of the code can give rise to possible exploits so static analysis can give insight in the most vulnerable places in software which is useful information in testing.<br />
The disadvantages of static analysis are that an extensive knowledge of assembly is needed and, due to its statistic nature, it gives rise to many false positives. <br />
In conclusion static binary analysis, when used by experts, can be a powerful tool to gain insight in the most vulnerable parts of the software and be a valuable tool in both developing and testing software. <br/><br />
<br/><br />
'''Second presentation:''' V.A.C: SQL injection (Dutch), Marinus Kuivenhoven<br/><br />
A new reoccurring topic on OWASP presentations will be the so called VAC. In these presentations an expert will talk about a Vulnerability, how to Assess it and possible Countermeasures. This evening Marinus started with the second vulnerability in the OWASP top ten; SQL injections.<br/><br />
With the aid of Webgoat, a few simple examples and the possible consequences were shown. SQL injection is particularly useful exploit in the reconnaissance phase since it can be abused for information leakage and in getting information about e.g. the table structure. <br/><br />
On the internet and in literature many countermeasures against SQL injections are described. However, many of these countermeasures are not usable in a maintainable system or cannot prevent SQL injections completely. The most important conclusion was that input should never be trusted and should never be directly used.<br/><br />
<br/><br />
'''Third presentation:''' Secure Programming with Static Analysis (English), Brian Chess<br/><br />
The last speaker of the evening was Brian Chess who presented his new book ‘Secure Programming with Static Analysis’. Brian made clear that, although a powerful tool, static binary analysis is already too late in the SDLC to be successful in preventing vulnerabilities. Scanning for possible vulnerabilities should be implemented as early as possible i.e. during coding. The main advantages of static analysis are the cost and speed. Since errors and bad practices are identified in an early stage they can be solved at the spot, making auditing the software more efficient in term of time and depth. <br/><br />
Static analysis can successfully be used for style and type checking, program understanding and verification, and for security reviews. The success of static analysis, however, is fully depending on the rules implemented in the scanner. Static analysis is also unable to identify design flaws, right problems, or wrong user input. <br/><br />
The conclusion was that scanning for vulnerabilities can probably only be successful with the aid of static analysis, but many requirements should be met. Firstly it should become part of the SDLC and culture. Secondly the right tool should be picked and people should be trained in its use. Lastly investments should be made in building up a good rule set and metrics. <br/><br />
<br />
== Meeting March 26th 2008: Software Vulnerability assessment ==<br />
'''Summary'''<br/><br />
The main goal of the upcoming OWASP-NL meeting is to provide information to developers and security professionals involved in creating secure (web-)applications. The main focus will be on software vulnerability assessment. The speakers will give specific examples and of course there is time to ask questions about your own experiences.<br/><br />
<br/><br />
'''Location'''<br/><br />
The location and catering is provided by the sponsor of this meeting:<br/><br />
<table><br />
<tr><br />
<td width="350"><br />
Mercure Utrecht Nieuwegein<br/><br />
Buizerdlaan 10,<br/><br />
3435 SB Nieuwegein<br/><br />
</td><br />
<td width="350"><br />
[[Image:Fortify.JPG|143px]]<br />
</td><br />
</tr><br />
<tr><br />
<td width="350"><br />
</td><br />
<td width="350"><br />
Fortify Software products protect companies from today’s greatest security risk: the software applications that run their businesses. Combining deep application security expertise with extensive software development experience, Fortify Software has defined the market with award-winning products that span the software development cycle. Today, Fortify Software fortifies the software for the most demanding customer deployments, including the world’s largest, most varied code bases.<br/><br />
<br/><br />
For more information please visit:<br/><br />
www.fortify.com<br/><br />
</td><br />
</tr><br />
</table><br />
<br/><br />
<br/><br />
'''Program'''<br/><br />
17.30 - 18.30 '''Check-In''' (catering included)<br/><br />
<br/><br />
18.30 - 18:50 '''Introduction''' (OWASP, sponsor)<br/><br />
<br/><br />
18.50 - 19.30 '''Complex(ity) matters''' (Dutch), Mario de Boer<br/><br />
Various methods exist to locate specific vulnerabilities in software. In the presentation we will look at static analysis of binaries, and the problems we face when trying to locate vulnerabilities. Several ideas will be discussed to make the search easier, but at the same time less exact. The first idea is trivial: automate as much as possible. The second idea is nearly trivial: don't aim at exact vulnerabilities but relax the search to locating potential vulnerabilities. We will give examples that illustrate the results.<br/><br />
Mario de Boer is a senior security consultant at Logica, and as such focuses on security management aspects like security frameworks, compliance, monitoring and control and risk management. Before joining Logica, Mario worked at the Dutch ministries of Defense and Justice, he co-founded a security company and worked as a project manager in the financial sector. For several years he taught courses in software security analysis and secure software development. Besides security management, Mario has interest in software security, reverse engineering and cryptography. Within Logica Netherlands, he is knowledge manager application security. Mario holds a PhD in Mathematics and is CISA and CISSP.<br/><br />
<br/><br />
19.30 - 19:50 '''Break'''<br/><br />
<br/><br />
19:50 - 20:20 '''V.A.C: SQL injection''' (Dutch), Marinus Kuivenhoven<br />
<br/><br />
<u>'''V'''ulnerability:</u><br/><br />
An application which uses a database for its information needs, communicates with it trough SQL. SQL injection is an attack in which malicious code is inserted into strings that are later passed to an instance of a Database for parsing and execution.<br/><br />
<u>'''A'''ssessment:</u><br/><br />
SQL injection can threaten the confidentiality, availability and integrity of the data. The various types of SQL injection and their impact will be shown.<br/><br />
<u>'''C'''ountermeasure:</u><br/><br />
Any procedure that constructs SQL statements should be reviewed for injection vulnerabilities because a database will execute all syntactically valid queries that it receives. How this should be done will be shown for the most popular languages.<br/><br />
Marinus is a Technology Specialist with Sogeti Nederland B.V. specializing in service oriented architectures and secure application development. His experience includes developing and administrating Oracle-based systems.<br/><br />
<br/><br />
20.20 - 21.00 '''Secure Programming with Static Analysis''' (English), Brian Chess<br/><br />
Creating secure code requires more than just good intentions. Programmers need to know how to make their code safe in an almost infinite number of scenarios and configurations. Static source code analysis gives users the ability to review their work with a fine tooth comb and uncover the kinds of errors that lead directly to vulnerabilities. This talk frames the software security problem and shows how static analysis is part of the solution. We will look at how static analysis works, how to integrate it into the software development processes, and how to make the most of it during security code review. Along the way we'll look at examples taken from real-world security incidents, showing how coding errors are exploited, how they could have been prevented, and how static analysis can rapidly uncover similar errors.<br/><br />
Brian Chess is a founder of Fortify Software and serves as Fortify's Chief Scientist, where his work focuses on practical methods for creating secure systems. His book, Secure Programming with Static Analysis, shows how static source code analysis is an indispensable tool for getting security right. Brian holds a Ph.D. in computer engineering from the University of California at Santa Cruz, where he studied the application of static analysis to the problem of finding security-relevant defects in source code. Before settling on security, Brian spent a decade in Silicon Valley working at huge companies and small startups. He has done research on a broad set of topics, ranging from integrated circuit design all the way to delivering software as a service.<br/><br />
<br/><br />
21.00 - 21:30 '''Discussion, questions and social'''<br/><br />
<br/><br />
'''Registration'''<br/><br />
If you want to attend, please send an email to: owasp@irc2.com.<br/><br />
<br/><br />
All OWASP chapter meetings are free of charge and you don’t have to be an OWASP member to attend. There are never any vendor pitches or sales presentations at OWASP meetings.<br/><br />
<br/><br />
NOTE TO CISSP's: OWASP Meetings count towards CPE Credits.<br/><br />
<br/><br />
<br />
== Meeting December 20th 2007: Secure Development ==<br />
'''Summary'''<br/><br />
The main goal of the upcoming OWASP-NL meeting is to provide information to developers and security professionals involved in creating secure (web-)applications. The general and specific security issues involved on project and programming level will be covered from a practical as well as a theoretical point of view. The speakers will give specific examples and of course there is time to ask questions about your own experiences.<br/><br />
Please register before December the 14th because of the necessary catering arrangements.<br/><br />
<br/><br />
'''Location'''<br/><br />
The location and catering is provided by the sponsor of this meeting:<br/><br />
<table><br />
<tr><br />
<td width="350"><br />
ps_testware B.V.<br/><br />
Dorpsstraat 26,<br/><br />
3941 JM DOORN<br/><br />
</td><br />
<td width="350"><br />
[[Image:Pstestware.jpg|100px]]<br />
</td><br />
</tr><br />
<tr><br />
<td width="350"><br />
The location has parking facilities for 15 cars. However parking in the direct vicinity of ps_testware shouldn’t be a problem.<br/><br />
</td><br />
<td width="350"><br />
ps_testware delivers services related to software testing and software quality. In the field of software development, quality, time-to-market, business processes and software acceptance they play the role of "your devil's advocate" as an independent, flexible and specialized partner.<br/><br />
For more information please visit: www.pstestware.com.<br/><br />
</td><br />
</tr><br />
</table><br />
<br/><br />
<br/><br />
'''Program'''<br/><br />
17.30 - 18.30 '''Check-In''' (catering included)<br/><br />
<br/><br />
18.30 – 19:00 '''Introduction''' (OWASP organization, projects, sponsor)<br/><br />
<br/><br />
19.00 - 19.30 '''Practices of developing optimal security''' (dutch), Andre Post<br/><br />
This presentation highlights a number of current practices that lead to sub-optimal security, and suggests ways of avoiding these problems, focusing on the technical side of development.<br/><br />
André Post works for Fox-IT on a variety of projects including core product development, software architecting, security code reviews, and software project management.<br/><br />
<br/><br />
19.30 – 19:45 '''Break'''<br/><br />
<br/><br />
19:45 – 20:30 '''Problems of developing secure and correct applications''' (dutch), Erik Poll [http://www.cs.ru.nl/~erikpoll/talks/OWASP2007.pdf (slides of the presentation)]<br />
<br/><br />
This presentation will discuss different possibilities to improve software security. The problem of getting time and money available to be spend on security, not only for developing applications, but also for developing programming languages, will be raised.<br/><br />
Erik Poll is head of the Security of Systems (SoS) group at the Radboud University of Nijmegen. His research does focus on the security and correctness of software.<br/><br />
<br/><br />
20.30 - 21.00 '''Protecting Web services and Web applications against security threats''' (dutch), Rix Groenboom<br/><br />
During this session, Rix will explore how to implement development and security best practices in the code to make sure that your webservices and applications perform solidly when they are being hacked or used in malicious ways.<br/><br />
Rix Groenboom supports fortune 2000 companies in field automated software error prevention and correction for Parasoft. His main area of expertise is in the use of formal languages for the specification, design and validation of software applications.<br/><br />
<br/><br />
21.00 – 21:30 '''Discussion, questions and social'''<br/><br />
<br/><br />
All OWASP chapter meetings are free of charge and you don’t have to be an OWASP member to attend. There are never any vendor pitches or sales presentations at OWASP meetings.<br/><br />
<br/><br />
NOTE TO CISSP's: OWASP Meetings count towards CPE Credits.<br/><br />
<br/><br />
The announcement and full descriptions can be found here:<br/><br />
[[Media:Announcement_20_December.pdf]]<br/><br />
[[Media:Announcement_20_December_2.pdf]]<br/><br />
<br />
== Meeting September 13th: putting initiatives into practice ==<br />
<br />
The main goal of the next OWASP meeting is finding a way to put initiatives and all offered help into a form of structural benefit for the OWASP Netherlands local chapter. As a starting point for the discussion, examples will be taken from other European chapters and input delivered by discussions that take place on the mailing list is considered too. Let this be a call to put your ideas on the mailing list before the next meeting!<br/><br />
<br/><br />
The location is provided by the sponsor of this meeting:<br/><br />
Comsec Consulting BV<br/><br />
Rivium Boulevard 102<br/><br />
2909LK Capelle aan den IJssel<br/><br />
<br/><br />
The agenda:<br/><br />
18.00 - 18.30 Check-In (catering included)<br/><br />
18.30 - 18.45 OWASP update, Bert Koelewijn<br/><br />
18.45 - 19.15 Security Best Practices for .NET, Boaz Shunami<br/><br />
19.15 - 20.00 Discussion: collecting ideas and initiatives<br/><br />
20.00 - 20.15 Coffee break<br/><br />
20.15 - 21.00 Discussion: how to enable community commitment<br/><br />
21.00 - 21.30 Closing discussion and coffee<br/><br />
<br/><br />
Boaz Shunami<br/><br />
Boaz is manager of the Application Security department of Comsec Europe. He has 11 years of experience in the IT Security field, and a large part of them in Application Security.<br/><br />
Boaz did numerous application security audits in very large organizations and is recognized as one of the greatest expert’s world wide. Boaz' expertise is broad, but especially in-depth for the .NET platform.<br/><br />
<br/><br />
Discussion input (until now)<br/><br />
- division of local chapter work load by multiple people<br/><br />
- collaboration with other organizations<br/><br />
<br/><br />
If you want to attend send an email to owasp@irc2.com.<br/><br />
<br/><br />
All OWASP chapter meetings are free, there are never vendor pitches or sales presentations at OWASP meetings.<br/><br />
<br/><br />
NOTE TO CISSP's: OWASP Meetings count towards CPE Credits.<br/><br />
<br />
== Meeting minutes Januar 11th 2007 ==<br />
<br />
January 11th, the Dutch OWASP chapter came together at the office of Sogeti Netherlands. Subject of the evening was 'putting software security into practice'. The group was small but select.<br/><br />
<br/><br />
The agenda:<br/><br />
18.00 - 18.30 Check-In (catering included)<br/><br />
18.30 - 18.45 Sponsor opening<br/><br />
18.45 - 19.00 OWASP update, Bert Koelewijn<br/><br />
19.00 - 19.30 Implementation of Security by Design, Martin Knobloch<br/><br />
19.30 - 19.45 Panel introduction<br/><br />
19.45 - 20.00 Coffee break<br/><br />
20.00 - 21.30 Panel discussion<br/><br />
<br/><br />
After being welcomed by Frank Langeveld from Sogeti and Bert Koelewijn, Dutch chapter leader, the evening started with the presentation 'Security By Design'. During the presentation Martin Knobloch told about his experiences during the implementation of the Secure Development Life Cycle in a company like Sogeti Nederland B.V.<br/><br />
<br/><br />
The presentation is available here:<br/><br />
[[Media:Implementation_of_Security_by_Design.ppt]]<br/><br />
<br/><br />
After a small break, the panel discussion started with the following panel: Henk van der Heijden - Comsec Consulting, Dr.ir. Mario de Boer - LogicaCMG and Martin Knobloch - Sogeti Nederland.<br/><br />
During the discussion, it became clear people are struggling to get the Secure Development Life Cycle implemented in their company. The various experiences were shared with the panel and the others. Company typical problems and common misunderstandings about Software security where brought up.<br/><br />
The consensus of the discussion was that the main problem lies in the lack of security awareness and knowledge of the managers and the developers. And this of course is exactly where OWASP comes in…<br/><br />
<br/><br />
<br />
== Meeting Januar 11th 2007 ==<br />
<br />
The OWASP meeting of 11 January is about putting software security into practice. A lot of books, standards, organizations and consultants tell us how we should develop secure software. But which methods and measures are commonly adopted and which are not and why?<br/><br />
This will be the main focus of the discussion that we will have with a panel of people that experienced implementing software security in the field.<br/><br />
<br/><br />
The location is provided by the sponsor of this meeting:<br/><br />
Sogeti Nederland B.V.<br/><br />
"La Charmille" building<br/><br />
Lange Dreef 17<br/><br />
4131 NJ Vianen<br/><br />
<br/><br />
The agenda:<br />
<br/><br />
18.00 - 18.30 Check-In (catering included)<br/><br />
18.30 - 18.45 Sponsor opening<br/><br />
18.45 - 19.00 OWASP update, Bert Koelewijn<br/><br />
19.00 - 19.30 Implementation of Security by Design, Martin Knobloch<br/><br />
19.30 - 19.45 Panel introduction<br/><br />
19.45 - 20.00 Coffee break<br/><br />
20.00 - 21.30 Panel discussion<br/><br />
<br/><br />
Implementation of Security by Design<br/><br />
What is needed to implement a 'Secure Development Life Cycle' within Sogeti Nederland? The speaker started a project called 'Security by Design' in march 2006 implementing a SDLC at Sogeti Nederland.<br/><br />
In his presentation, the speaker will share his technical and organizational experiences that he gained with the still ongoing implementation.<br/><br />
<br/><br />
About the speaker<br/><br />
Martin Knobloch has more than 8 years experience in design and development of J2EE applications for customers in various sectors of the market. In September 2003 Martin Knobloch started working for Sogeti Nederland, where he does the design, development and review of J2EE applications and architectures.<br/><br />
From this background, Martin Knobloch experienced the threats of insecure software firsthand. In march 2006, Martin Knobloch started implementing a SDLC within Sogeti Nederland.<br/><br />
<br/><br />
Panel discussion<br/><br />
The panel members are:<br/><br />
Henk van der Heijden, Managing Director - Comsec Consulting B.V.<br/><br />
Dr.ir. Mario de Boer, Security Consultant - LogicaCMG<br/><br />
Martin Knobloch, Senior Technologie Specialist - Sogeti Nederland B.V.<br/><br />
<br/><br />
In the discussion, we will try to find answers to questions like:<br/><br />
- What are the most common security practices in software development?<br/><br />
- How effective are those practices?<br/><br />
- Where do we start practicing security?<br/><br />
- What should be the most common security practices in software development?<br/><br />
- How much does security cost?<br/><br />
- How does the Systems Security Engineering Capability Maturity Model (SSE-CMM) fit in?<br/><br />
<br/><br />
If you want to attend send an email to owasp@irc2.com.<br/><br />
<br/><br />
All OWASP chapter meetings are free, there are never vendor pitches or sales presentations at OWASP meetings.<br/><br />
<br/><br />
NOTE TO CISSP’s: OWASP Meetings count towards CPE Credits.<br/><br />
<br />
== OWASP Netherlands meeting minutes ==<br />
<br />
On 9 march, the second meeting of OWASP Netherlands local chapter took place. GetronicsPinkRoccade provided the venue, in their luxury conference centre: Connection I.<br/><br />
<br/><br />
Agenda:<br/><br />
18.00 - 18.45 Check-In (bread & drinks)<br/><br />
18.45 - 19.00 Opening<br/><br />
19.00 - 20.00 Improving Security in the Application Development Life-cycle, Migchiel de Jong<br/><br />
20.00 - 20.15 Coffee break<br/><br />
20.15 - 22.00 Form focus groups<br/><br />
<br/><br />
The presentation of Migchiel de Jong was found very interesting by the audience. At the end of his presentation, he demonstrated a static code analysis of the OWASP webgoat application.<br/><br />
<br/><br />
After the coffee break, the attendances started discussing about the largest common topics of interest in the web application security field, in relation to the OWASP Netherlands chapter. As a result, the following focus groups are formed:<br/><br />
<br/><br />
Testing<br/><br />
The current OWASP Testing project and the Open Source Security Testing Methodology Manual of ISECOM, provide guidelines and best practices for testers. These guidelines can be used to formalize a standard structure and a set of minimum requirements for a security test. Clients could ask a tester to adhere to these guidelines.<br/><br />
A second idea is to standardize the testing results management report. In practice, testing could result in piles of paper with all the findings. The real value is reporting it in a usable way. For example: mapping technical findings to business risks.<br/><br />
<br/><br />
Frans v. Buul<br/><br />
Peter Gouwentak<br/><br />
Arthur Donkers<br/><br />
Eelco Klaver<br/><br />
Migchiel de Jong<br/><br />
Mario de Boer<br/><br />
<br/><br />
First focus group meeting: Monday 27 march, 18:00h, PwC Utrecht<br/><br />
<br/><br />
<br/><br />
Public Relations<br/><br />
This focus group will try to make business aware of the security impact that developing, hosting and using web applications has. What OWASP is and how OWASP can help. This can be done by giving presentations, writing papers and articles, word of mouth, etc. etc.<br/><br />
<br/><br />
Remco Bakker<br/><br />
Ronald Eygendaal<br/><br />
Bas van Vossen<br/><br />
Edwin van Vliet<br/><br />
Eelco Klaver<br/><br />
<br/><br />
First presentation of OWASP materials: Edwin van Vliet, TestNet - Voorjaarsevenement, 5 april<br/><br />
First focus group meeting: To be planned!<br/><br />
<br/><br />
<br/><br />
Education<br/><br />
OWASP and universities/schools could benefit from working together. For example:<br/><br />
- OWASP provides lot's of materials usable in colleges.<br/><br />
- Develop OWASP training course.<br/><br />
- Students can participate in OWASP projects<br/><br />
- OWASP can provide a platform for supporting research. Such as thesis projects, etc.<br/><br />
- OWASP representatives could provide guest colleges.<br/><br />
<br/><br />
Ronald Eygendaal<br/><br />
Erik Poll<br/><br />
Bas van Vossen<br/><br />
Edwin van Vliet<br/><br />
<br/><br />
First focus group meeting: To be planned!<br/><br />
<br/><br />
The presentation is available here:<br/><br />
[[Media:OWASP_NL_Fortify_Software.pdf]]<br/><br />
<br />
== 9 March: Second meeting of the OWASP Netherlands local chapter! ==<br />
<br />
In this second meeting focus groups are to be formed, to discuss common problems, develop and research common solutions in a vendor neutral environment. So this is a very good opportunity to get in contact with others, to exchange knowledge and experiences on specific topics.<br/><br />
<br/><br />
For every focus group the following questions has to be answered:<br/><br />
1. Which specific topic is to be addressed?<br/><br />
2. What are the deliverables?<br/><br />
3. What is the relation to OWASP? (Current projects, materials, expertise and knowledge interchange, etc.)<br/><br />
4. Who is the central contact of the subgroup?<br/><br />
<br/><br />
It would be nice to have a bigger and more diverse group, compared to the first meeting. So let's recall: "Please, bring at least one friend, next time." And don't hesitate to send this announcement to everybody who may be interested!<br/><br />
<br/><br />
We thank Getronics PinkRoccade for offering us a venue:<br/><br />
Getronics PinkRoccade<br/><br />
Fauststraat 1<br/><br />
7323 BA Apeldoorn <br/><br />
<br/><br />
The agenda:<br/><br />
18.00 - 18.30 Check-In<br/><br />
18.30 - 18.45 Opening<br/><br />
18.45 - 19.30 Improving Security in the Application Development Life-cycle, Migchiel de Jong<br/><br />
19.30 - 20.00 Collecting focus group initiatives<br/><br />
19.45 - 20.00 Coffee break<br/><br />
20.00 - 21.00 Form focus groups<br/><br />
<br/><br />
Presentation Abstract<br/><br />
Rather than spending large amounts of time and money on proving that we have security vulnerabilities after programs go into production, companies should go to the source and correct vulnerabilities as early as possible in the development stage. It is unquestionably faster, simpler, and cheaper for developers to correct vulnerabilities as they build programs.<br/><br />
But how can development management ensure that developers focus on security when there is no time or budget for security at the development stage? Even with the correct focus, how can they learn what to look for? How can they stay ahead of the dedicated and resourceful hacker?<br/><br />
The answer is effective processes and better tools. With advanced software security tools, a developer can pinpoint vulnerabilities in a matter of seconds — the same vulnerabilities that would take a hacker or manual code reviewer weeks or even months to find. These same tools can give development and information security managers useful metrics on application vulnerabilities before they are released into deployment.<br/><br />
This talk will walk through the Application Development Life-Cycle and discuss how tools can help come to grips with software security issues in a particular phase.<br/><br />
<br/><br />
About the presenter<br/><br />
Migchiel de Jong has developed hardware and software for 10 years before joining Rational Software. During the 5 years at Rational Software (later acquired by IBM) he was involved in many software development process improvement projects. Currently Migchiel de Jong is working at Fortify Software, Palo Alto, California, as a software security engineer.<br/><br />
<br/><br />
If you want to attend send an email to owasp@irc2.nl. Please don't wait, 9 march is not that long anymore!<br/><br />
<br/><br />
All OWASP chapter meetings are free, there are never vendor pitches or sales presentations at OWASP meetings.<br/><br />
<br/><br />
NOTE TO CISSP’s: OWASP Meetings count towards CPE Credits.<br/><br />
<br />
== OWASP Netherlands kick-off meeting minutes ==<br />
<br />
On 17 November, OWASP Netherlands had it's first meeting. We moved to a bigger location, the Mercure hotel in Nieuwegein, to host all the 35 attendees.<br/><br />
<br/><br />
The agenda:<br/><br />
18.00 - 18.30 Check-In (bread & drinks)<br/><br />
18.30 - 18.45 Chapter opening<br/><br />
18.45 - 19.30 Presentation - 'Top tien web applicatie kwetsbaarheden in J2EE', Eelco Klaver<br/><br />
19.30 - 19.45 Presentation - 'Veilige webapplicaties boven alles', Mike Wardi<br/><br />
19.45 - 20.00 Coffee break<br/><br />
20.00 - 21.00 Discussion - About the OWASP Netherlands local chapter<br/><br />
<br/><br />
The discussion took place in a 'round table' session, where all attendees were able to take part. The focus of the discussion was how to give the OWASP Netherlands local chapter additional value, next to the OWASP project. What the goals and tasks will be. And which actions will have to be taken at short term.<br/><br />
Different people have interest in different subjects. In general meetings there is no time to address all subjects and address them specific enough. Therefore subgroups can be formed, focusing on specific topics. They can have their own communication channel and meetings, but should keep close contact with the OWASP body.<br/><br />
<br/><br />
An inventarisation:<br/><br />
<br/><br />
Discussion Topics<br/><br />
- Awareness: writing articles, press publications, interviews<br/><br />
- Education: contact universities, schools and their common boards. Develop and gather education materials.<br/><br />
- General: discuss ideas for OWASP NL<br/><br />
<br/><br />
Focusgroup Topics<br/><br />
- (dutch) metrics project<br/><br />
- (dutch) legal project<br/><br />
- standard framework for pentest reports<br/><br />
- safe outsourcing<br/><br />
<br/><br />
Actions that should be taken on short term are:<br/><br />
- provide communication channels<br/><br />
- plan next (sub)meetings<br/><br />
- start discussions and focusgroups<br/><br />
<br/><br />
The presentations are available here:<br/><br />
<br/><br />
[[Media:OWASP_NL_Top_Ten_Web_Application_Vulnerabilities_in_J2EE.pdf]]<br/><br />
[[Media:OWASP_NL_Veilige_Web_App_Boven_Alles.pdf]]<br/><br />
<br />
== You are welcome to the OWASP Netherlands local chapter kick-off meeting! ==<br />
<br />
Thursday, November 17th (2005) at 18.00h.<br/><br />
<br/><br />
ATTENTION! Because of the large amount of attendees, the location has changed:<br/><br />
<br/><br />
Hotel Mercure Utrecht/Nieuwegein<br/><br />
Buizerdlaan 10<br/><br />
3435 SB NIEUWEGEIN<br/><br />
Tel: 00 31 (0) 30 60 84 122<br/><br />
Fax: 00 31 (0) 30 60 38 374<br/><br />
<br/><br />
This first meeting will be an introduction to the OWASP. A constructive discussion will be held about the actual form of the OWASP Netherlands local chapter.<br/><br />
<br/><br />
The agenda:<br/><br />
18.00 - 18.30 Check-In (bread & drinks)<br/><br />
18.30 - 18.45 Chapter opening<br/><br />
18.45 - 19.30 Presentation - 'Top tien web applicatie kwetsbaarheden in J2EE', Eelco Klaver<br/><br />
19.30 - 19.45 Presentation - 'Veilige webapplicaties boven alles', Mike Wardi<br/><br />
19.45 - 20.00 Coffee break<br/><br />
20.00 - 21.00 Discussion - About the OWASP Netherlands local chapter<br/><br />
<br/><br />
About the presenters<br/><br />
<br/><br />
Eelco Klaver<br/><br />
Eelco Klaver is a senior consultant for Xebia IT Architects, since 2003. Doing software reviews, security audits and giving security workshops are part of his job. He has almost 10 years experience with developing enterprise applications in J2EE for different employees. At the moment, Eelco is the front man of the security business unit for Xebia, focussing on the security aspects of enterprise applications build on J2EE.<br/><br />
<br/><br />
Mike Wardi<br/><br />
Mike Wardi is an internet application manager for a financial institute. He's responsible for the safety of internet applications provided to customers and the implementation of the security policies in software developement.<br/><br />
<br/><br />
<br/><br />
If you want to attend, please send an email to owasp-nl@ascure.com or the mailing list.<br/><br />
<br/><br />
All OWASP chapter meetings are free! There are never vendor pitches or sales presentations at OWASP meetings.<br/><br />
<br/><br />
NOTE TO CISSP’s: OWASP Meetings count towards CPE Credits.<br/><br />
<br/></div>Dvsteinhttps://wiki.owasp.org/index.php?title=Netherlands&diff=46552Netherlands2008-11-19T16:54:05Z<p>Dvstein: /* Meeting minutes October 27th 2008 */</p>
<hr />
<div>{{Chapter Template|chaptername=Netherlands|extra=The chapter leader is [mailto:owasp@irc2.nl Bert Koelewijn]<br />
<paypal>Netherlands</paypal><br />
|mailinglistsite=http://lists.owasp.org/mailman/listinfo/owasp-netherlands|emailarchives=http://lists.owasp.org/pipermail/owasp-netherlands}}<br />
<br />
== Meeting schedule 2008 ==<br />
This is an overview of the 2008 local chapter meeting schedule. Details of the meetings can be found in the announcements that will be posted below this schedule.<br />
<pre><br />
March 26th<br />
----------<br />
Time : 17.30 - 21.30<br />
Main Topic : Software Vulnerability assessment<br />
Presentations: Complex(ity) matters, Mario de Boer (Dutch)<br />
V.A.C. SQL injection, Marinus Kuivenhoven (Dutch)<br />
Secure Programming with Static Analysis, Brian Chess (English) <br />
Location : Mercure Utrecht Nieuwegein, Buizerdlaan 10, 3435 SB Nieuwegein<br />
Sponsor : Fortify Software<br />
<br />
Oktober 27th<br />
----------<br />
Time : 17.30 - 21.30<br />
Main Topic : Privacy and the Internet<br />
Presentations: Privacy and Internet (Dutch), Frank Fruijthoff and Ellen Hoving<br />
Vulnerability and source code scanners. (Dutch) Emile Strijbos <br />
Location : ps_testware B.V., Dorpsstraat 26, 3941 JM DOORN<br />
Sponsor : ps_testware B.V.<br />
</pre><br />
== Meeting minutes October 27th 2008 ==<br />
<br />
At October 27th, the Dutch OWASP chapter came together at the office of the sponsor of the evening; ps_testware in Doorn. The subject of the evening was 'Privacy and the Internet’. There were 2 speakers and approximately 25 attendees.<br/><br />
<br/><br />
After a short welcome talk by both the sponsor and OWASP, Mario de Boer had an announcement about a new OWASP project; ORPRO, the Open Review Project. The goal of the project is to review Open Source Software from an independent point of view. Reviews will be done both manually and with the aid of source code analysis software provided by Fortify. The first software package to be reviewed is already available so reviewers are needed. More information can be found on the OWASP project page. [http://www.owasp.org/index.php/Category:OWASP_Open_Review_Project]<br/><br />
<br/><br />
'''First presentation:''' Privacy & the Internet presented by Frank Fruijthoff and Ellen Hoving. <br/><br />
The goal of this presentation was to show the problems in regulating privacy on the internet by law. The presentation was roughly split in 3 parts: definitions, requirements and context. <br/><br />
The main problem with regulating privacy is that the concept of privacy is very broad and not well defined. Privacy can have different meanings and consequences in different contexts. Most laws therefore focus on the individual and define privacy as 'protection of personal information' where 'personal information' is all data that can be tracked back to a single person. The last years many countries within the EU developed internet laws concerning privacy on the internet. These laws state that information can only be used what it originally was intended for and usage of that information must be reported at central register. This register also makes it possible to file a complaint and check what companies use personal information for what purposes. While these rules are mostly sufficient for local databases they often fail when applied to information stored on or with use of the internet. Problems encountered are captured in the "four D's";<br/><br />
- Internet is deterritorialized; internet has no boundaries.<br/><br />
- Internet is deregulated; internet has no law, only terms of use.<br/><br />
- Internet is dematerialized; internet is not physical.<br/><br />
- Internet is decentralized; there is no single regulating or controlling organization.<br/><br />
Although the protection of personal data is more and more covered by laws, the increasing usage of external storage and connections over the internet will make it harder to enforce them. The main conclusion of the evening was that, although many initiatives improving privacy exist, the very properties of the internet make it hard to ensure privacy completely. <br/><br />
<br/><br />
'''Second presentation:''' presented by E. Strijbos. He showed the results of his research concerning the feasibility of a Web Application Security Certification by the usage of vulnerability scanners.<br/><br />
With the daily increasing amount of threads and vulnerabilities in web applications there is a market-driven demand for an independent and automated scan service. Current scan services often lack coverage and depth of scanning and give no details about the used scanning methods.<br/><br />
In this research several commercial vulnerability scanners and static analysis tools were compared and checked for scantime, accuracy, false positives, and ease of use. The results showed that almost all scanners find most of the vulnerabilities, but also produce many false positives. Also, without proper configuration the amount of results can be overwhelming and inconclusive. Furthermore results showed that static analysis scanners are much faster than vulnerability scanners, but have a more limited usage. The main conclusion was that although vulnerability scanners and static analysis tools can be very helpful in identifying vulnerabilities, their current efficiency is not high enough to use as the basis for an automated vulnerability scan.<br/><br />
<br />
== Meeting October 27th 2008: Privacy and the Internet ==<br />
'''Summary'''<br/><br />
The main goal of the upcoming OWASP-NL meeting is to provide information to developers and security professionals about personal and technical privacy on the internet. The speakers focus on privacy regulations related to the internet and on the mass amount of personal and technical information available about persons and companies on the internet, with and without their consent. Furthermore tools will be discussed that help prevent leakage of privacy related and other kind of data. They will give specific examples and there will be time to ask questions.<br/><br />
Please register before October 20th because of the necessary catering arrangements.<br/><br />
<br/><br />
'''Location'''<br/><br />
The location and catering is provided by the sponsor of this meeting:<br/><br />
<table><br />
<tr><br />
<td width="350"><br />
ps_testware B.V.<br/><br />
Dorpsstraat 26,<br/><br />
3941 JM DOORN<br/><br />
</td><br />
<td width="350"><br />
[[Image:Pstestware.jpg|100px]]<br />
</td><br />
</tr><br />
<tr><br />
<td width="350"><br />
The location has parking facilities for 15 cars. However parking in the direct vicinity of ps_testware shouldn’t be a problem.<br/><br />
</td><br />
<td width="350"><br />
ps_testware delivers services related to software testing and software quality. In the field of software development, quality, time-to-market, business processes and software acceptance they play the role of "your devil's advocate" as an independent, flexible and specialized partner.<br/><br />
For more information please visit: www.pstestware.com.<br/><br />
</td><br />
</tr><br />
</table><br />
<br/><br />
<br/><br />
'''Program'''<br/><br />
17.30 - 18.30 '''Check-In''' (catering included)<br/><br />
<br/><br />
18.30 – 19:00 '''Introduction''' (OWASP organization, projects, sponsor)<br/><br />
<br/><br />
19.00 - 20.15 '''Privacy and Internet''' (Dutch), Frank Fruijthoff and Ellen Hoving<br/><br />
In this presentation the general principles of privacy laws in the Netherlands and the EU and specifically privacy and the internet will be covered.<br/><br />
Frank Fruijthoff is a Compliance Officer with ING. He has a Compliance and Risk Management background and is specialised in privacy.<br/><br />
Ellen Hoving is a graduated lawyer. She works as an independent consultant specialized in compliance and privacy.<br/><br />
<br/><br />
20.15 – 20:30 '''Break'''<br/><br />
<br/><br />
20:30 – 21:00 '''Vulnerability and source code scanners''' (Dutch), Emile Strijbos<br />
<br/><br />
For his Master thesis in computer science at the Radboud Universiteit in Nijmegen, Emile Strijbos investigated vulnerability scanners and source code scanners. These are automated tools that try to detect security flaws, either in running web-applications or in their source code.<br/><br />
Emile tried out several of these tools, including both free and commercial ones, to see how good they are at detecting standard vulnerabilities, such as SQL injection, XSS, CSRF, etc.<br/><br />
<br/><br />
21.00 – 21:30 '''Discussion, questions and social'''<br/><br />
<br/><br />
If you want to attend, please send an email to: owasp@irc2.com.<br><br />
Please register before October 20th, because of the necessary catering arrangements. The number of registries is limited to 50 due to the capacity of the location and will be handled in order of receipt.<br/><br />
<br/><br />
All OWASP chapter meetings are free of charge and you don’t have to be an OWASP member to attend. There are never any vendor pitches or sales presentations at OWASP meetings.<br/><br />
<br/><br />
NOTE TO CISSP's: OWASP Meetings count towards CPE Credits.<br/><br />
<br/><br />
The announcement and full descriptions can be found here:<br/><br />
[[Media:Announcement_27_Oktober.pdf]]<br/><br />
<br />
== Meeting minutes March 23th 2008 ==<br />
<br />
At March 23th, the Dutch OWASP chapter came together in the Mercury hotel in Nieuwegein. The meeting was sponsored by Fortify Software. The subject of the evening was 'Software Vulnerability Assesment’. There were 3 speakers and approximately 40 attendees.<br/><br />
<br/><br />
After a short introduction of Migchiel de Jong (Fortify) about the subject of Static and Dynamic Analysis and the tools that Fortify provides the speakers of the evening where introduced.<br/><br />
<br/><br />
'''First presentation:''' Practices of Complex(ity) matters (Dutch), Mario de Boer<br/><br />
Mario de Boer has spent much of his free time the last 16 years into disassembling various pieces of software and analyzing the code and its statistics. The main advantage in analyzing binaries is that no access to source code is needed, all dependencies (i.e. the compiler) are included and it’s independent of the tool used. Disassembling compiled code gives great insight in the complexity of the software and the entry and exit points of data. Although there is no direct relation between the complexity of software and its security, statistically the most vulnerabilities appear in the most complex portions of a program. Data entry points in complex portions of the code can give rise to possible exploits so static analysis can give insight in the most vulnerable places in software which is useful information in testing.<br />
The disadvantages of static analysis are that an extensive knowledge of assembly is needed and, due to its statistic nature, it gives rise to many false positives. <br />
In conclusion static binary analysis, when used by experts, can be a powerful tool to gain insight in the most vulnerable parts of the software and be a valuable tool in both developing and testing software. <br/><br />
<br/><br />
'''Second presentation:''' V.A.C: SQL injection (Dutch), Marinus Kuivenhoven<br/><br />
A new reoccurring topic on OWASP presentations will be the so called VAC. In these presentations an expert will talk about a Vulnerability, how to Assess it and possible Countermeasures. This evening Marinus started with the second vulnerability in the OWASP top ten; SQL injections.<br/><br />
With the aid of Webgoat, a few simple examples and the possible consequences were shown. SQL injection is particularly useful exploit in the reconnaissance phase since it can be abused for information leakage and in getting information about e.g. the table structure. <br/><br />
On the internet and in literature many countermeasures against SQL injections are described. However, many of these countermeasures are not usable in a maintainable system or cannot prevent SQL injections completely. The most important conclusion was that input should never be trusted and should never be directly used.<br/><br />
<br/><br />
'''Third presentation:''' Secure Programming with Static Analysis (English), Brian Chess<br/><br />
The last speaker of the evening was Brian Chess who presented his new book ‘Secure Programming with Static Analysis’. Brian made clear that, although a powerful tool, static binary analysis is already too late in the SDLC to be successful in preventing vulnerabilities. Scanning for possible vulnerabilities should be implemented as early as possible i.e. during coding. The main advantages of static analysis are the cost and speed. Since errors and bad practices are identified in an early stage they can be solved at the spot, making auditing the software more efficient in term of time and depth. <br/><br />
Static analysis can successfully be used for style and type checking, program understanding and verification, and for security reviews. The success of static analysis, however, is fully depending on the rules implemented in the scanner. Static analysis is also unable to identify design flaws, right problems, or wrong user input. <br/><br />
The conclusion was that scanning for vulnerabilities can probably only be successful with the aid of static analysis, but many requirements should be met. Firstly it should become part of the SDLC and culture. Secondly the right tool should be picked and people should be trained in its use. Lastly investments should be made in building up a good rule set and metrics. <br/><br />
<br />
== Meeting March 26th 2008: Software Vulnerability assessment ==<br />
'''Summary'''<br/><br />
The main goal of the upcoming OWASP-NL meeting is to provide information to developers and security professionals involved in creating secure (web-)applications. The main focus will be on software vulnerability assessment. The speakers will give specific examples and of course there is time to ask questions about your own experiences.<br/><br />
<br/><br />
'''Location'''<br/><br />
The location and catering is provided by the sponsor of this meeting:<br/><br />
<table><br />
<tr><br />
<td width="350"><br />
Mercure Utrecht Nieuwegein<br/><br />
Buizerdlaan 10,<br/><br />
3435 SB Nieuwegein<br/><br />
</td><br />
<td width="350"><br />
[[Image:Fortify.JPG|143px]]<br />
</td><br />
</tr><br />
<tr><br />
<td width="350"><br />
</td><br />
<td width="350"><br />
Fortify Software products protect companies from today’s greatest security risk: the software applications that run their businesses. Combining deep application security expertise with extensive software development experience, Fortify Software has defined the market with award-winning products that span the software development cycle. Today, Fortify Software fortifies the software for the most demanding customer deployments, including the world’s largest, most varied code bases.<br/><br />
<br/><br />
For more information please visit:<br/><br />
www.fortify.com<br/><br />
</td><br />
</tr><br />
</table><br />
<br/><br />
<br/><br />
'''Program'''<br/><br />
17.30 - 18.30 '''Check-In''' (catering included)<br/><br />
<br/><br />
18.30 - 18:50 '''Introduction''' (OWASP, sponsor)<br/><br />
<br/><br />
18.50 - 19.30 '''Complex(ity) matters''' (Dutch), Mario de Boer<br/><br />
Various methods exist to locate specific vulnerabilities in software. In the presentation we will look at static analysis of binaries, and the problems we face when trying to locate vulnerabilities. Several ideas will be discussed to make the search easier, but at the same time less exact. The first idea is trivial: automate as much as possible. The second idea is nearly trivial: don't aim at exact vulnerabilities but relax the search to locating potential vulnerabilities. We will give examples that illustrate the results.<br/><br />
Mario de Boer is a senior security consultant at Logica, and as such focuses on security management aspects like security frameworks, compliance, monitoring and control and risk management. Before joining Logica, Mario worked at the Dutch ministries of Defense and Justice, he co-founded a security company and worked as a project manager in the financial sector. For several years he taught courses in software security analysis and secure software development. Besides security management, Mario has interest in software security, reverse engineering and cryptography. Within Logica Netherlands, he is knowledge manager application security. Mario holds a PhD in Mathematics and is CISA and CISSP.<br/><br />
<br/><br />
19.30 - 19:50 '''Break'''<br/><br />
<br/><br />
19:50 - 20:20 '''V.A.C: SQL injection''' (Dutch), Marinus Kuivenhoven<br />
<br/><br />
<u>'''V'''ulnerability:</u><br/><br />
An application which uses a database for its information needs, communicates with it trough SQL. SQL injection is an attack in which malicious code is inserted into strings that are later passed to an instance of a Database for parsing and execution.<br/><br />
<u>'''A'''ssessment:</u><br/><br />
SQL injection can threaten the confidentiality, availability and integrity of the data. The various types of SQL injection and their impact will be shown.<br/><br />
<u>'''C'''ountermeasure:</u><br/><br />
Any procedure that constructs SQL statements should be reviewed for injection vulnerabilities because a database will execute all syntactically valid queries that it receives. How this should be done will be shown for the most popular languages.<br/><br />
Marinus is a Technology Specialist with Sogeti Nederland B.V. specializing in service oriented architectures and secure application development. His experience includes developing and administrating Oracle-based systems.<br/><br />
<br/><br />
20.20 - 21.00 '''Secure Programming with Static Analysis''' (English), Brian Chess<br/><br />
Creating secure code requires more than just good intentions. Programmers need to know how to make their code safe in an almost infinite number of scenarios and configurations. Static source code analysis gives users the ability to review their work with a fine tooth comb and uncover the kinds of errors that lead directly to vulnerabilities. This talk frames the software security problem and shows how static analysis is part of the solution. We will look at how static analysis works, how to integrate it into the software development processes, and how to make the most of it during security code review. Along the way we'll look at examples taken from real-world security incidents, showing how coding errors are exploited, how they could have been prevented, and how static analysis can rapidly uncover similar errors.<br/><br />
Brian Chess is a founder of Fortify Software and serves as Fortify's Chief Scientist, where his work focuses on practical methods for creating secure systems. His book, Secure Programming with Static Analysis, shows how static source code analysis is an indispensable tool for getting security right. Brian holds a Ph.D. in computer engineering from the University of California at Santa Cruz, where he studied the application of static analysis to the problem of finding security-relevant defects in source code. Before settling on security, Brian spent a decade in Silicon Valley working at huge companies and small startups. He has done research on a broad set of topics, ranging from integrated circuit design all the way to delivering software as a service.<br/><br />
<br/><br />
21.00 - 21:30 '''Discussion, questions and social'''<br/><br />
<br/><br />
'''Registration'''<br/><br />
If you want to attend, please send an email to: owasp@irc2.com.<br/><br />
<br/><br />
All OWASP chapter meetings are free of charge and you don’t have to be an OWASP member to attend. There are never any vendor pitches or sales presentations at OWASP meetings.<br/><br />
<br/><br />
NOTE TO CISSP's: OWASP Meetings count towards CPE Credits.<br/><br />
<br/><br />
<br />
== Meeting December 20th 2007: Secure Development ==<br />
'''Summary'''<br/><br />
The main goal of the upcoming OWASP-NL meeting is to provide information to developers and security professionals involved in creating secure (web-)applications. The general and specific security issues involved on project and programming level will be covered from a practical as well as a theoretical point of view. The speakers will give specific examples and of course there is time to ask questions about your own experiences.<br/><br />
Please register before December the 14th because of the necessary catering arrangements.<br/><br />
<br/><br />
'''Location'''<br/><br />
The location and catering is provided by the sponsor of this meeting:<br/><br />
<table><br />
<tr><br />
<td width="350"><br />
ps_testware B.V.<br/><br />
Dorpsstraat 26,<br/><br />
3941 JM DOORN<br/><br />
</td><br />
<td width="350"><br />
[[Image:Pstestware.jpg|100px]]<br />
</td><br />
</tr><br />
<tr><br />
<td width="350"><br />
The location has parking facilities for 15 cars. However parking in the direct vicinity of ps_testware shouldn’t be a problem.<br/><br />
</td><br />
<td width="350"><br />
ps_testware delivers services related to software testing and software quality. In the field of software development, quality, time-to-market, business processes and software acceptance they play the role of "your devil's advocate" as an independent, flexible and specialized partner.<br/><br />
For more information please visit: www.pstestware.com.<br/><br />
</td><br />
</tr><br />
</table><br />
<br/><br />
<br/><br />
'''Program'''<br/><br />
17.30 - 18.30 '''Check-In''' (catering included)<br/><br />
<br/><br />
18.30 – 19:00 '''Introduction''' (OWASP organization, projects, sponsor)<br/><br />
<br/><br />
19.00 - 19.30 '''Practices of developing optimal security''' (dutch), Andre Post<br/><br />
This presentation highlights a number of current practices that lead to sub-optimal security, and suggests ways of avoiding these problems, focusing on the technical side of development.<br/><br />
André Post works for Fox-IT on a variety of projects including core product development, software architecting, security code reviews, and software project management.<br/><br />
<br/><br />
19.30 – 19:45 '''Break'''<br/><br />
<br/><br />
19:45 – 20:30 '''Problems of developing secure and correct applications''' (dutch), Erik Poll [http://www.cs.ru.nl/~erikpoll/talks/OWASP2007.pdf (slides of the presentation)]<br />
<br/><br />
This presentation will discuss different possibilities to improve software security. The problem of getting time and money available to be spend on security, not only for developing applications, but also for developing programming languages, will be raised.<br/><br />
Erik Poll is head of the Security of Systems (SoS) group at the Radboud University of Nijmegen. His research does focus on the security and correctness of software.<br/><br />
<br/><br />
20.30 - 21.00 '''Protecting Web services and Web applications against security threats''' (dutch), Rix Groenboom<br/><br />
During this session, Rix will explore how to implement development and security best practices in the code to make sure that your webservices and applications perform solidly when they are being hacked or used in malicious ways.<br/><br />
Rix Groenboom supports fortune 2000 companies in field automated software error prevention and correction for Parasoft. His main area of expertise is in the use of formal languages for the specification, design and validation of software applications.<br/><br />
<br/><br />
21.00 – 21:30 '''Discussion, questions and social'''<br/><br />
<br/><br />
All OWASP chapter meetings are free of charge and you don’t have to be an OWASP member to attend. There are never any vendor pitches or sales presentations at OWASP meetings.<br/><br />
<br/><br />
NOTE TO CISSP's: OWASP Meetings count towards CPE Credits.<br/><br />
<br/><br />
The announcement and full descriptions can be found here:<br/><br />
[[Media:Announcement_20_December.pdf]]<br/><br />
[[Media:Announcement_20_December_2.pdf]]<br/><br />
<br />
== Meeting September 13th: putting initiatives into practice ==<br />
<br />
The main goal of the next OWASP meeting is finding a way to put initiatives and all offered help into a form of structural benefit for the OWASP Netherlands local chapter. As a starting point for the discussion, examples will be taken from other European chapters and input delivered by discussions that take place on the mailing list is considered too. Let this be a call to put your ideas on the mailing list before the next meeting!<br/><br />
<br/><br />
The location is provided by the sponsor of this meeting:<br/><br />
Comsec Consulting BV<br/><br />
Rivium Boulevard 102<br/><br />
2909LK Capelle aan den IJssel<br/><br />
<br/><br />
The agenda:<br/><br />
18.00 - 18.30 Check-In (catering included)<br/><br />
18.30 - 18.45 OWASP update, Bert Koelewijn<br/><br />
18.45 - 19.15 Security Best Practices for .NET, Boaz Shunami<br/><br />
19.15 - 20.00 Discussion: collecting ideas and initiatives<br/><br />
20.00 - 20.15 Coffee break<br/><br />
20.15 - 21.00 Discussion: how to enable community commitment<br/><br />
21.00 - 21.30 Closing discussion and coffee<br/><br />
<br/><br />
Boaz Shunami<br/><br />
Boaz is manager of the Application Security department of Comsec Europe. He has 11 years of experience in the IT Security field, and a large part of them in Application Security.<br/><br />
Boaz did numerous application security audits in very large organizations and is recognized as one of the greatest expert’s world wide. Boaz' expertise is broad, but especially in-depth for the .NET platform.<br/><br />
<br/><br />
Discussion input (until now)<br/><br />
- division of local chapter work load by multiple people<br/><br />
- collaboration with other organizations<br/><br />
<br/><br />
If you want to attend send an email to owasp@irc2.com.<br/><br />
<br/><br />
All OWASP chapter meetings are free, there are never vendor pitches or sales presentations at OWASP meetings.<br/><br />
<br/><br />
NOTE TO CISSP's: OWASP Meetings count towards CPE Credits.<br/><br />
<br />
== Meeting minutes Januar 11th 2007 ==<br />
<br />
January 11th, the Dutch OWASP chapter came together at the office of Sogeti Netherlands. Subject of the evening was 'putting software security into practice'. The group was small but select.<br/><br />
<br/><br />
The agenda:<br/><br />
18.00 - 18.30 Check-In (catering included)<br/><br />
18.30 - 18.45 Sponsor opening<br/><br />
18.45 - 19.00 OWASP update, Bert Koelewijn<br/><br />
19.00 - 19.30 Implementation of Security by Design, Martin Knobloch<br/><br />
19.30 - 19.45 Panel introduction<br/><br />
19.45 - 20.00 Coffee break<br/><br />
20.00 - 21.30 Panel discussion<br/><br />
<br/><br />
After being welcomed by Frank Langeveld from Sogeti and Bert Koelewijn, Dutch chapter leader, the evening started with the presentation 'Security By Design'. During the presentation Martin Knobloch told about his experiences during the implementation of the Secure Development Life Cycle in a company like Sogeti Nederland B.V.<br/><br />
<br/><br />
The presentation is available here:<br/><br />
[[Media:Implementation_of_Security_by_Design.ppt]]<br/><br />
<br/><br />
After a small break, the panel discussion started with the following panel: Henk van der Heijden - Comsec Consulting, Dr.ir. Mario de Boer - LogicaCMG and Martin Knobloch - Sogeti Nederland.<br/><br />
During the discussion, it became clear people are struggling to get the Secure Development Life Cycle implemented in their company. The various experiences were shared with the panel and the others. Company typical problems and common misunderstandings about Software security where brought up.<br/><br />
The consensus of the discussion was that the main problem lies in the lack of security awareness and knowledge of the managers and the developers. And this of course is exactly where OWASP comes in…<br/><br />
<br/><br />
<br />
== Meeting Januar 11th 2007 ==<br />
<br />
The OWASP meeting of 11 January is about putting software security into practice. A lot of books, standards, organizations and consultants tell us how we should develop secure software. But which methods and measures are commonly adopted and which are not and why?<br/><br />
This will be the main focus of the discussion that we will have with a panel of people that experienced implementing software security in the field.<br/><br />
<br/><br />
The location is provided by the sponsor of this meeting:<br/><br />
Sogeti Nederland B.V.<br/><br />
"La Charmille" building<br/><br />
Lange Dreef 17<br/><br />
4131 NJ Vianen<br/><br />
<br/><br />
The agenda:<br />
<br/><br />
18.00 - 18.30 Check-In (catering included)<br/><br />
18.30 - 18.45 Sponsor opening<br/><br />
18.45 - 19.00 OWASP update, Bert Koelewijn<br/><br />
19.00 - 19.30 Implementation of Security by Design, Martin Knobloch<br/><br />
19.30 - 19.45 Panel introduction<br/><br />
19.45 - 20.00 Coffee break<br/><br />
20.00 - 21.30 Panel discussion<br/><br />
<br/><br />
Implementation of Security by Design<br/><br />
What is needed to implement a 'Secure Development Life Cycle' within Sogeti Nederland? The speaker started a project called 'Security by Design' in march 2006 implementing a SDLC at Sogeti Nederland.<br/><br />
In his presentation, the speaker will share his technical and organizational experiences that he gained with the still ongoing implementation.<br/><br />
<br/><br />
About the speaker<br/><br />
Martin Knobloch has more than 8 years experience in design and development of J2EE applications for customers in various sectors of the market. In September 2003 Martin Knobloch started working for Sogeti Nederland, where he does the design, development and review of J2EE applications and architectures.<br/><br />
From this background, Martin Knobloch experienced the threats of insecure software firsthand. In march 2006, Martin Knobloch started implementing a SDLC within Sogeti Nederland.<br/><br />
<br/><br />
Panel discussion<br/><br />
The panel members are:<br/><br />
Henk van der Heijden, Managing Director - Comsec Consulting B.V.<br/><br />
Dr.ir. Mario de Boer, Security Consultant - LogicaCMG<br/><br />
Martin Knobloch, Senior Technologie Specialist - Sogeti Nederland B.V.<br/><br />
<br/><br />
In the discussion, we will try to find answers to questions like:<br/><br />
- What are the most common security practices in software development?<br/><br />
- How effective are those practices?<br/><br />
- Where do we start practicing security?<br/><br />
- What should be the most common security practices in software development?<br/><br />
- How much does security cost?<br/><br />
- How does the Systems Security Engineering Capability Maturity Model (SSE-CMM) fit in?<br/><br />
<br/><br />
If you want to attend send an email to owasp@irc2.com.<br/><br />
<br/><br />
All OWASP chapter meetings are free, there are never vendor pitches or sales presentations at OWASP meetings.<br/><br />
<br/><br />
NOTE TO CISSP’s: OWASP Meetings count towards CPE Credits.<br/><br />
<br />
== OWASP Netherlands meeting minutes ==<br />
<br />
On 9 march, the second meeting of OWASP Netherlands local chapter took place. GetronicsPinkRoccade provided the venue, in their luxury conference centre: Connection I.<br/><br />
<br/><br />
Agenda:<br/><br />
18.00 - 18.45 Check-In (bread & drinks)<br/><br />
18.45 - 19.00 Opening<br/><br />
19.00 - 20.00 Improving Security in the Application Development Life-cycle, Migchiel de Jong<br/><br />
20.00 - 20.15 Coffee break<br/><br />
20.15 - 22.00 Form focus groups<br/><br />
<br/><br />
The presentation of Migchiel de Jong was found very interesting by the audience. At the end of his presentation, he demonstrated a static code analysis of the OWASP webgoat application.<br/><br />
<br/><br />
After the coffee break, the attendances started discussing about the largest common topics of interest in the web application security field, in relation to the OWASP Netherlands chapter. As a result, the following focus groups are formed:<br/><br />
<br/><br />
Testing<br/><br />
The current OWASP Testing project and the Open Source Security Testing Methodology Manual of ISECOM, provide guidelines and best practices for testers. These guidelines can be used to formalize a standard structure and a set of minimum requirements for a security test. Clients could ask a tester to adhere to these guidelines.<br/><br />
A second idea is to standardize the testing results management report. In practice, testing could result in piles of paper with all the findings. The real value is reporting it in a usable way. For example: mapping technical findings to business risks.<br/><br />
<br/><br />
Frans v. Buul<br/><br />
Peter Gouwentak<br/><br />
Arthur Donkers<br/><br />
Eelco Klaver<br/><br />
Migchiel de Jong<br/><br />
Mario de Boer<br/><br />
<br/><br />
First focus group meeting: Monday 27 march, 18:00h, PwC Utrecht<br/><br />
<br/><br />
<br/><br />
Public Relations<br/><br />
This focus group will try to make business aware of the security impact that developing, hosting and using web applications has. What OWASP is and how OWASP can help. This can be done by giving presentations, writing papers and articles, word of mouth, etc. etc.<br/><br />
<br/><br />
Remco Bakker<br/><br />
Ronald Eygendaal<br/><br />
Bas van Vossen<br/><br />
Edwin van Vliet<br/><br />
Eelco Klaver<br/><br />
<br/><br />
First presentation of OWASP materials: Edwin van Vliet, TestNet - Voorjaarsevenement, 5 april<br/><br />
First focus group meeting: To be planned!<br/><br />
<br/><br />
<br/><br />
Education<br/><br />
OWASP and universities/schools could benefit from working together. For example:<br/><br />
- OWASP provides lot's of materials usable in colleges.<br/><br />
- Develop OWASP training course.<br/><br />
- Students can participate in OWASP projects<br/><br />
- OWASP can provide a platform for supporting research. Such as thesis projects, etc.<br/><br />
- OWASP representatives could provide guest colleges.<br/><br />
<br/><br />
Ronald Eygendaal<br/><br />
Erik Poll<br/><br />
Bas van Vossen<br/><br />
Edwin van Vliet<br/><br />
<br/><br />
First focus group meeting: To be planned!<br/><br />
<br/><br />
The presentation is available here:<br/><br />
[[Media:OWASP_NL_Fortify_Software.pdf]]<br/><br />
<br />
== 9 March: Second meeting of the OWASP Netherlands local chapter! ==<br />
<br />
In this second meeting focus groups are to be formed, to discuss common problems, develop and research common solutions in a vendor neutral environment. So this is a very good opportunity to get in contact with others, to exchange knowledge and experiences on specific topics.<br/><br />
<br/><br />
For every focus group the following questions has to be answered:<br/><br />
1. Which specific topic is to be addressed?<br/><br />
2. What are the deliverables?<br/><br />
3. What is the relation to OWASP? (Current projects, materials, expertise and knowledge interchange, etc.)<br/><br />
4. Who is the central contact of the subgroup?<br/><br />
<br/><br />
It would be nice to have a bigger and more diverse group, compared to the first meeting. So let's recall: "Please, bring at least one friend, next time." And don't hesitate to send this announcement to everybody who may be interested!<br/><br />
<br/><br />
We thank Getronics PinkRoccade for offering us a venue:<br/><br />
Getronics PinkRoccade<br/><br />
Fauststraat 1<br/><br />
7323 BA Apeldoorn <br/><br />
<br/><br />
The agenda:<br/><br />
18.00 - 18.30 Check-In<br/><br />
18.30 - 18.45 Opening<br/><br />
18.45 - 19.30 Improving Security in the Application Development Life-cycle, Migchiel de Jong<br/><br />
19.30 - 20.00 Collecting focus group initiatives<br/><br />
19.45 - 20.00 Coffee break<br/><br />
20.00 - 21.00 Form focus groups<br/><br />
<br/><br />
Presentation Abstract<br/><br />
Rather than spending large amounts of time and money on proving that we have security vulnerabilities after programs go into production, companies should go to the source and correct vulnerabilities as early as possible in the development stage. It is unquestionably faster, simpler, and cheaper for developers to correct vulnerabilities as they build programs.<br/><br />
But how can development management ensure that developers focus on security when there is no time or budget for security at the development stage? Even with the correct focus, how can they learn what to look for? How can they stay ahead of the dedicated and resourceful hacker?<br/><br />
The answer is effective processes and better tools. With advanced software security tools, a developer can pinpoint vulnerabilities in a matter of seconds — the same vulnerabilities that would take a hacker or manual code reviewer weeks or even months to find. These same tools can give development and information security managers useful metrics on application vulnerabilities before they are released into deployment.<br/><br />
This talk will walk through the Application Development Life-Cycle and discuss how tools can help come to grips with software security issues in a particular phase.<br/><br />
<br/><br />
About the presenter<br/><br />
Migchiel de Jong has developed hardware and software for 10 years before joining Rational Software. During the 5 years at Rational Software (later acquired by IBM) he was involved in many software development process improvement projects. Currently Migchiel de Jong is working at Fortify Software, Palo Alto, California, as a software security engineer.<br/><br />
<br/><br />
If you want to attend send an email to owasp@irc2.nl. Please don't wait, 9 march is not that long anymore!<br/><br />
<br/><br />
All OWASP chapter meetings are free, there are never vendor pitches or sales presentations at OWASP meetings.<br/><br />
<br/><br />
NOTE TO CISSP’s: OWASP Meetings count towards CPE Credits.<br/><br />
<br />
== OWASP Netherlands kick-off meeting minutes ==<br />
<br />
On 17 November, OWASP Netherlands had it's first meeting. We moved to a bigger location, the Mercure hotel in Nieuwegein, to host all the 35 attendees.<br/><br />
<br/><br />
The agenda:<br/><br />
18.00 - 18.30 Check-In (bread & drinks)<br/><br />
18.30 - 18.45 Chapter opening<br/><br />
18.45 - 19.30 Presentation - 'Top tien web applicatie kwetsbaarheden in J2EE', Eelco Klaver<br/><br />
19.30 - 19.45 Presentation - 'Veilige webapplicaties boven alles', Mike Wardi<br/><br />
19.45 - 20.00 Coffee break<br/><br />
20.00 - 21.00 Discussion - About the OWASP Netherlands local chapter<br/><br />
<br/><br />
The discussion took place in a 'round table' session, where all attendees were able to take part. The focus of the discussion was how to give the OWASP Netherlands local chapter additional value, next to the OWASP project. What the goals and tasks will be. And which actions will have to be taken at short term.<br/><br />
Different people have interest in different subjects. In general meetings there is no time to address all subjects and address them specific enough. Therefore subgroups can be formed, focusing on specific topics. They can have their own communication channel and meetings, but should keep close contact with the OWASP body.<br/><br />
<br/><br />
An inventarisation:<br/><br />
<br/><br />
Discussion Topics<br/><br />
- Awareness: writing articles, press publications, interviews<br/><br />
- Education: contact universities, schools and their common boards. Develop and gather education materials.<br/><br />
- General: discuss ideas for OWASP NL<br/><br />
<br/><br />
Focusgroup Topics<br/><br />
- (dutch) metrics project<br/><br />
- (dutch) legal project<br/><br />
- standard framework for pentest reports<br/><br />
- safe outsourcing<br/><br />
<br/><br />
Actions that should be taken on short term are:<br/><br />
- provide communication channels<br/><br />
- plan next (sub)meetings<br/><br />
- start discussions and focusgroups<br/><br />
<br/><br />
The presentations are available here:<br/><br />
<br/><br />
[[Media:OWASP_NL_Top_Ten_Web_Application_Vulnerabilities_in_J2EE.pdf]]<br/><br />
[[Media:OWASP_NL_Veilige_Web_App_Boven_Alles.pdf]]<br/><br />
<br />
== You are welcome to the OWASP Netherlands local chapter kick-off meeting! ==<br />
<br />
Thursday, November 17th (2005) at 18.00h.<br/><br />
<br/><br />
ATTENTION! Because of the large amount of attendees, the location has changed:<br/><br />
<br/><br />
Hotel Mercure Utrecht/Nieuwegein<br/><br />
Buizerdlaan 10<br/><br />
3435 SB NIEUWEGEIN<br/><br />
Tel: 00 31 (0) 30 60 84 122<br/><br />
Fax: 00 31 (0) 30 60 38 374<br/><br />
<br/><br />
This first meeting will be an introduction to the OWASP. A constructive discussion will be held about the actual form of the OWASP Netherlands local chapter.<br/><br />
<br/><br />
The agenda:<br/><br />
18.00 - 18.30 Check-In (bread & drinks)<br/><br />
18.30 - 18.45 Chapter opening<br/><br />
18.45 - 19.30 Presentation - 'Top tien web applicatie kwetsbaarheden in J2EE', Eelco Klaver<br/><br />
19.30 - 19.45 Presentation - 'Veilige webapplicaties boven alles', Mike Wardi<br/><br />
19.45 - 20.00 Coffee break<br/><br />
20.00 - 21.00 Discussion - About the OWASP Netherlands local chapter<br/><br />
<br/><br />
About the presenters<br/><br />
<br/><br />
Eelco Klaver<br/><br />
Eelco Klaver is a senior consultant for Xebia IT Architects, since 2003. Doing software reviews, security audits and giving security workshops are part of his job. He has almost 10 years experience with developing enterprise applications in J2EE for different employees. At the moment, Eelco is the front man of the security business unit for Xebia, focussing on the security aspects of enterprise applications build on J2EE.<br/><br />
<br/><br />
Mike Wardi<br/><br />
Mike Wardi is an internet application manager for a financial institute. He's responsible for the safety of internet applications provided to customers and the implementation of the security policies in software developement.<br/><br />
<br/><br />
<br/><br />
If you want to attend, please send an email to owasp-nl@ascure.com or the mailing list.<br/><br />
<br/><br />
All OWASP chapter meetings are free! There are never vendor pitches or sales presentations at OWASP meetings.<br/><br />
<br/><br />
NOTE TO CISSP’s: OWASP Meetings count towards CPE Credits.<br/><br />
<br/></div>Dvsteinhttps://wiki.owasp.org/index.php?title=Netherlands&diff=46551Netherlands2008-11-19T16:51:32Z<p>Dvstein: /* Meeting minutes March 23th 2008 */</p>
<hr />
<div>{{Chapter Template|chaptername=Netherlands|extra=The chapter leader is [mailto:owasp@irc2.nl Bert Koelewijn]<br />
<paypal>Netherlands</paypal><br />
|mailinglistsite=http://lists.owasp.org/mailman/listinfo/owasp-netherlands|emailarchives=http://lists.owasp.org/pipermail/owasp-netherlands}}<br />
<br />
== Meeting schedule 2008 ==<br />
This is an overview of the 2008 local chapter meeting schedule. Details of the meetings can be found in the announcements that will be posted below this schedule.<br />
<pre><br />
March 26th<br />
----------<br />
Time : 17.30 - 21.30<br />
Main Topic : Software Vulnerability assessment<br />
Presentations: Complex(ity) matters, Mario de Boer (Dutch)<br />
V.A.C. SQL injection, Marinus Kuivenhoven (Dutch)<br />
Secure Programming with Static Analysis, Brian Chess (English) <br />
Location : Mercure Utrecht Nieuwegein, Buizerdlaan 10, 3435 SB Nieuwegein<br />
Sponsor : Fortify Software<br />
<br />
Oktober 27th<br />
----------<br />
Time : 17.30 - 21.30<br />
Main Topic : Privacy and the Internet<br />
Presentations: Privacy and Internet (Dutch), Frank Fruijthoff and Ellen Hoving<br />
Vulnerability and source code scanners. (Dutch) Emile Strijbos <br />
Location : ps_testware B.V., Dorpsstraat 26, 3941 JM DOORN<br />
Sponsor : ps_testware B.V.<br />
</pre><br />
== Meeting minutes October 27th 2008 ==<br />
<br />
At October 27th, the Dutch OWASP chapter came together at the office of the sponsor of the evening; ps_testware in Doorn. The subject of the evening was 'Privacy and the Internet’. There were 2 speakers and approximately 25 attendees.<br/><br />
<br/><br />
After a short welcome talk by both the sponsor and OWASP, Mario de Boer had an announcement about a new OWASP project; ORPRO, the Open Review Project. The goal of the project is to review Open Source Software from an independent point of view. Reviews will be done both manually and with the aid of source code analysis software provided by Fortify. The first software package to be reviewed is already available so reviewers are needed. More information can be found on the OWASP project page. [http://www.owasp.org/index.php/Category:OWASP_Open_Review_Project]v<br />
<br/><br />
The first presentation of the evening was about "Privacy & the Internet" which was presented by Frank Fruijthoff and Ellen Hoving. <br/><br />
The goal of this presentation was to show the problems in regulating privacy on the internet by law. The presentation was roughly split in 3 parts: definitions, requirements and context. <br/><br />
The main problem with regulating privacy is that the concept of privacy is very broad and not well defined. Privacy can have different meanings and consequences in different contexts. Most laws therefore focus on the individual and define privacy as 'protection of personal information' where 'personal information' is all data that can be tracked back to a single person. The last years many countries within the EU developed internet laws concerning privacy on the internet. These laws state that information can only be used what it originally was intended for and usage of that information must be reported at central register. This register also makes it possible to file a complaint and check what companies use personal information for what purposes. While these rules are mostly sufficient for local databases they often fail when applied to information stored on or with use of the internet. Problems encountered are captured in the "four D's";<br/><br />
- Internet is deterritorialized; internet has no boundaries.<br/><br />
- Internet is deregulated; internet has no law, only terms of use.<br/><br />
- Internet is dematerialized; internet is not physical.<br/><br />
- Internet is decentralized; there is no single regulating or controlling organization.<br/><br />
Although the protection of personal data is more and more covered by laws, the increasing usage of external storage and connections over the internet will make it harder to enforce them. The main conclusion of the evening was that, although many initiatives improving privacy exist, the very properties of the internet make it hard to ensure privacy completely. <br/><br />
<br/><br />
The second presentation of the evening was presented by E. Strijbos. He showed the results of his research concerning the feasibility of a Web Application Security Certification by the usage of vulnerability scanners.<br/><br />
With the daily increasing amount of threads and vulnerabilities in web applications there is a market-driven demand for an independent and automated scan service. Current scan services often lack coverage and depth of scanning and give no details about the used scanning methods.<br/><br />
In this research several commercial vulnerability scanners and static analysis tools were compared and checked for scantime, accuracy, false positives, and ease of use. The results showed that almost all scanners find most of the vulnerabilities, but also produce many false positives. Also, without proper configuration the amount of results can be overwhelming and inconclusive. Furthermore results showed that static analysis scanners are much faster than vulnerability scanners, but have a more limited usage. The main conclusion was that although vulnerability scanners and static analysis tools can be very helpful in identifying vulnerabilities, their current efficiency is not high enough to use as the basis for an automated vulnerability scan.<br/><br />
<br />
<br />
== Meeting October 27th 2008: Privacy and the Internet ==<br />
'''Summary'''<br/><br />
The main goal of the upcoming OWASP-NL meeting is to provide information to developers and security professionals about personal and technical privacy on the internet. The speakers focus on privacy regulations related to the internet and on the mass amount of personal and technical information available about persons and companies on the internet, with and without their consent. Furthermore tools will be discussed that help prevent leakage of privacy related and other kind of data. They will give specific examples and there will be time to ask questions.<br/><br />
Please register before October 20th because of the necessary catering arrangements.<br/><br />
<br/><br />
'''Location'''<br/><br />
The location and catering is provided by the sponsor of this meeting:<br/><br />
<table><br />
<tr><br />
<td width="350"><br />
ps_testware B.V.<br/><br />
Dorpsstraat 26,<br/><br />
3941 JM DOORN<br/><br />
</td><br />
<td width="350"><br />
[[Image:Pstestware.jpg|100px]]<br />
</td><br />
</tr><br />
<tr><br />
<td width="350"><br />
The location has parking facilities for 15 cars. However parking in the direct vicinity of ps_testware shouldn’t be a problem.<br/><br />
</td><br />
<td width="350"><br />
ps_testware delivers services related to software testing and software quality. In the field of software development, quality, time-to-market, business processes and software acceptance they play the role of "your devil's advocate" as an independent, flexible and specialized partner.<br/><br />
For more information please visit: www.pstestware.com.<br/><br />
</td><br />
</tr><br />
</table><br />
<br/><br />
<br/><br />
'''Program'''<br/><br />
17.30 - 18.30 '''Check-In''' (catering included)<br/><br />
<br/><br />
18.30 – 19:00 '''Introduction''' (OWASP organization, projects, sponsor)<br/><br />
<br/><br />
19.00 - 20.15 '''Privacy and Internet''' (Dutch), Frank Fruijthoff and Ellen Hoving<br/><br />
In this presentation the general principles of privacy laws in the Netherlands and the EU and specifically privacy and the internet will be covered.<br/><br />
Frank Fruijthoff is a Compliance Officer with ING. He has a Compliance and Risk Management background and is specialised in privacy.<br/><br />
Ellen Hoving is a graduated lawyer. She works as an independent consultant specialized in compliance and privacy.<br/><br />
<br/><br />
20.15 – 20:30 '''Break'''<br/><br />
<br/><br />
20:30 – 21:00 '''Vulnerability and source code scanners''' (Dutch), Emile Strijbos<br />
<br/><br />
For his Master thesis in computer science at the Radboud Universiteit in Nijmegen, Emile Strijbos investigated vulnerability scanners and source code scanners. These are automated tools that try to detect security flaws, either in running web-applications or in their source code.<br/><br />
Emile tried out several of these tools, including both free and commercial ones, to see how good they are at detecting standard vulnerabilities, such as SQL injection, XSS, CSRF, etc.<br/><br />
<br/><br />
21.00 – 21:30 '''Discussion, questions and social'''<br/><br />
<br/><br />
If you want to attend, please send an email to: owasp@irc2.com.<br><br />
Please register before October 20th, because of the necessary catering arrangements. The number of registries is limited to 50 due to the capacity of the location and will be handled in order of receipt.<br/><br />
<br/><br />
All OWASP chapter meetings are free of charge and you don’t have to be an OWASP member to attend. There are never any vendor pitches or sales presentations at OWASP meetings.<br/><br />
<br/><br />
NOTE TO CISSP's: OWASP Meetings count towards CPE Credits.<br/><br />
<br/><br />
The announcement and full descriptions can be found here:<br/><br />
[[Media:Announcement_27_Oktober.pdf]]<br/><br />
<br />
== Meeting minutes March 23th 2008 ==<br />
<br />
At March 23th, the Dutch OWASP chapter came together in the Mercury hotel in Nieuwegein. The meeting was sponsored by Fortify Software. The subject of the evening was 'Software Vulnerability Assesment’. There were 3 speakers and approximately 40 attendees.<br/><br />
<br/><br />
After a short introduction of Migchiel de Jong (Fortify) about the subject of Static and Dynamic Analysis and the tools that Fortify provides the speakers of the evening where introduced.<br/><br />
<br/><br />
'''First presentation:''' Practices of Complex(ity) matters (Dutch), Mario de Boer<br/><br />
Mario de Boer has spent much of his free time the last 16 years into disassembling various pieces of software and analyzing the code and its statistics. The main advantage in analyzing binaries is that no access to source code is needed, all dependencies (i.e. the compiler) are included and it’s independent of the tool used. Disassembling compiled code gives great insight in the complexity of the software and the entry and exit points of data. Although there is no direct relation between the complexity of software and its security, statistically the most vulnerabilities appear in the most complex portions of a program. Data entry points in complex portions of the code can give rise to possible exploits so static analysis can give insight in the most vulnerable places in software which is useful information in testing.<br />
The disadvantages of static analysis are that an extensive knowledge of assembly is needed and, due to its statistic nature, it gives rise to many false positives. <br />
In conclusion static binary analysis, when used by experts, can be a powerful tool to gain insight in the most vulnerable parts of the software and be a valuable tool in both developing and testing software. <br/><br />
<br/><br />
'''Second presentation:''' V.A.C: SQL injection (Dutch), Marinus Kuivenhoven<br/><br />
A new reoccurring topic on OWASP presentations will be the so called VAC. In these presentations an expert will talk about a Vulnerability, how to Assess it and possible Countermeasures. This evening Marinus started with the second vulnerability in the OWASP top ten; SQL injections.<br/><br />
With the aid of Webgoat, a few simple examples and the possible consequences were shown. SQL injection is particularly useful exploit in the reconnaissance phase since it can be abused for information leakage and in getting information about e.g. the table structure. <br/><br />
On the internet and in literature many countermeasures against SQL injections are described. However, many of these countermeasures are not usable in a maintainable system or cannot prevent SQL injections completely. The most important conclusion was that input should never be trusted and should never be directly used.<br/><br />
<br/><br />
'''Third presentation:''' Secure Programming with Static Analysis (English), Brian Chess<br/><br />
The last speaker of the evening was Brian Chess who presented his new book ‘Secure Programming with Static Analysis’. Brian made clear that, although a powerful tool, static binary analysis is already too late in the SDLC to be successful in preventing vulnerabilities. Scanning for possible vulnerabilities should be implemented as early as possible i.e. during coding. The main advantages of static analysis are the cost and speed. Since errors and bad practices are identified in an early stage they can be solved at the spot, making auditing the software more efficient in term of time and depth. <br/><br />
Static analysis can successfully be used for style and type checking, program understanding and verification, and for security reviews. The success of static analysis, however, is fully depending on the rules implemented in the scanner. Static analysis is also unable to identify design flaws, right problems, or wrong user input. <br/><br />
The conclusion was that scanning for vulnerabilities can probably only be successful with the aid of static analysis, but many requirements should be met. Firstly it should become part of the SDLC and culture. Secondly the right tool should be picked and people should be trained in its use. Lastly investments should be made in building up a good rule set and metrics. <br/><br />
<br />
== Meeting March 26th 2008: Software Vulnerability assessment ==<br />
'''Summary'''<br/><br />
The main goal of the upcoming OWASP-NL meeting is to provide information to developers and security professionals involved in creating secure (web-)applications. The main focus will be on software vulnerability assessment. The speakers will give specific examples and of course there is time to ask questions about your own experiences.<br/><br />
<br/><br />
'''Location'''<br/><br />
The location and catering is provided by the sponsor of this meeting:<br/><br />
<table><br />
<tr><br />
<td width="350"><br />
Mercure Utrecht Nieuwegein<br/><br />
Buizerdlaan 10,<br/><br />
3435 SB Nieuwegein<br/><br />
</td><br />
<td width="350"><br />
[[Image:Fortify.JPG|143px]]<br />
</td><br />
</tr><br />
<tr><br />
<td width="350"><br />
</td><br />
<td width="350"><br />
Fortify Software products protect companies from today’s greatest security risk: the software applications that run their businesses. Combining deep application security expertise with extensive software development experience, Fortify Software has defined the market with award-winning products that span the software development cycle. Today, Fortify Software fortifies the software for the most demanding customer deployments, including the world’s largest, most varied code bases.<br/><br />
<br/><br />
For more information please visit:<br/><br />
www.fortify.com<br/><br />
</td><br />
</tr><br />
</table><br />
<br/><br />
<br/><br />
'''Program'''<br/><br />
17.30 - 18.30 '''Check-In''' (catering included)<br/><br />
<br/><br />
18.30 - 18:50 '''Introduction''' (OWASP, sponsor)<br/><br />
<br/><br />
18.50 - 19.30 '''Complex(ity) matters''' (Dutch), Mario de Boer<br/><br />
Various methods exist to locate specific vulnerabilities in software. In the presentation we will look at static analysis of binaries, and the problems we face when trying to locate vulnerabilities. Several ideas will be discussed to make the search easier, but at the same time less exact. The first idea is trivial: automate as much as possible. The second idea is nearly trivial: don't aim at exact vulnerabilities but relax the search to locating potential vulnerabilities. We will give examples that illustrate the results.<br/><br />
Mario de Boer is a senior security consultant at Logica, and as such focuses on security management aspects like security frameworks, compliance, monitoring and control and risk management. Before joining Logica, Mario worked at the Dutch ministries of Defense and Justice, he co-founded a security company and worked as a project manager in the financial sector. For several years he taught courses in software security analysis and secure software development. Besides security management, Mario has interest in software security, reverse engineering and cryptography. Within Logica Netherlands, he is knowledge manager application security. Mario holds a PhD in Mathematics and is CISA and CISSP.<br/><br />
<br/><br />
19.30 - 19:50 '''Break'''<br/><br />
<br/><br />
19:50 - 20:20 '''V.A.C: SQL injection''' (Dutch), Marinus Kuivenhoven<br />
<br/><br />
<u>'''V'''ulnerability:</u><br/><br />
An application which uses a database for its information needs, communicates with it trough SQL. SQL injection is an attack in which malicious code is inserted into strings that are later passed to an instance of a Database for parsing and execution.<br/><br />
<u>'''A'''ssessment:</u><br/><br />
SQL injection can threaten the confidentiality, availability and integrity of the data. The various types of SQL injection and their impact will be shown.<br/><br />
<u>'''C'''ountermeasure:</u><br/><br />
Any procedure that constructs SQL statements should be reviewed for injection vulnerabilities because a database will execute all syntactically valid queries that it receives. How this should be done will be shown for the most popular languages.<br/><br />
Marinus is a Technology Specialist with Sogeti Nederland B.V. specializing in service oriented architectures and secure application development. His experience includes developing and administrating Oracle-based systems.<br/><br />
<br/><br />
20.20 - 21.00 '''Secure Programming with Static Analysis''' (English), Brian Chess<br/><br />
Creating secure code requires more than just good intentions. Programmers need to know how to make their code safe in an almost infinite number of scenarios and configurations. Static source code analysis gives users the ability to review their work with a fine tooth comb and uncover the kinds of errors that lead directly to vulnerabilities. This talk frames the software security problem and shows how static analysis is part of the solution. We will look at how static analysis works, how to integrate it into the software development processes, and how to make the most of it during security code review. Along the way we'll look at examples taken from real-world security incidents, showing how coding errors are exploited, how they could have been prevented, and how static analysis can rapidly uncover similar errors.<br/><br />
Brian Chess is a founder of Fortify Software and serves as Fortify's Chief Scientist, where his work focuses on practical methods for creating secure systems. His book, Secure Programming with Static Analysis, shows how static source code analysis is an indispensable tool for getting security right. Brian holds a Ph.D. in computer engineering from the University of California at Santa Cruz, where he studied the application of static analysis to the problem of finding security-relevant defects in source code. Before settling on security, Brian spent a decade in Silicon Valley working at huge companies and small startups. He has done research on a broad set of topics, ranging from integrated circuit design all the way to delivering software as a service.<br/><br />
<br/><br />
21.00 - 21:30 '''Discussion, questions and social'''<br/><br />
<br/><br />
'''Registration'''<br/><br />
If you want to attend, please send an email to: owasp@irc2.com.<br/><br />
<br/><br />
All OWASP chapter meetings are free of charge and you don’t have to be an OWASP member to attend. There are never any vendor pitches or sales presentations at OWASP meetings.<br/><br />
<br/><br />
NOTE TO CISSP's: OWASP Meetings count towards CPE Credits.<br/><br />
<br/><br />
<br />
== Meeting December 20th 2007: Secure Development ==<br />
'''Summary'''<br/><br />
The main goal of the upcoming OWASP-NL meeting is to provide information to developers and security professionals involved in creating secure (web-)applications. The general and specific security issues involved on project and programming level will be covered from a practical as well as a theoretical point of view. The speakers will give specific examples and of course there is time to ask questions about your own experiences.<br/><br />
Please register before December the 14th because of the necessary catering arrangements.<br/><br />
<br/><br />
'''Location'''<br/><br />
The location and catering is provided by the sponsor of this meeting:<br/><br />
<table><br />
<tr><br />
<td width="350"><br />
ps_testware B.V.<br/><br />
Dorpsstraat 26,<br/><br />
3941 JM DOORN<br/><br />
</td><br />
<td width="350"><br />
[[Image:Pstestware.jpg|100px]]<br />
</td><br />
</tr><br />
<tr><br />
<td width="350"><br />
The location has parking facilities for 15 cars. However parking in the direct vicinity of ps_testware shouldn’t be a problem.<br/><br />
</td><br />
<td width="350"><br />
ps_testware delivers services related to software testing and software quality. In the field of software development, quality, time-to-market, business processes and software acceptance they play the role of "your devil's advocate" as an independent, flexible and specialized partner.<br/><br />
For more information please visit: www.pstestware.com.<br/><br />
</td><br />
</tr><br />
</table><br />
<br/><br />
<br/><br />
'''Program'''<br/><br />
17.30 - 18.30 '''Check-In''' (catering included)<br/><br />
<br/><br />
18.30 – 19:00 '''Introduction''' (OWASP organization, projects, sponsor)<br/><br />
<br/><br />
19.00 - 19.30 '''Practices of developing optimal security''' (dutch), Andre Post<br/><br />
This presentation highlights a number of current practices that lead to sub-optimal security, and suggests ways of avoiding these problems, focusing on the technical side of development.<br/><br />
André Post works for Fox-IT on a variety of projects including core product development, software architecting, security code reviews, and software project management.<br/><br />
<br/><br />
19.30 – 19:45 '''Break'''<br/><br />
<br/><br />
19:45 – 20:30 '''Problems of developing secure and correct applications''' (dutch), Erik Poll [http://www.cs.ru.nl/~erikpoll/talks/OWASP2007.pdf (slides of the presentation)]<br />
<br/><br />
This presentation will discuss different possibilities to improve software security. The problem of getting time and money available to be spend on security, not only for developing applications, but also for developing programming languages, will be raised.<br/><br />
Erik Poll is head of the Security of Systems (SoS) group at the Radboud University of Nijmegen. His research does focus on the security and correctness of software.<br/><br />
<br/><br />
20.30 - 21.00 '''Protecting Web services and Web applications against security threats''' (dutch), Rix Groenboom<br/><br />
During this session, Rix will explore how to implement development and security best practices in the code to make sure that your webservices and applications perform solidly when they are being hacked or used in malicious ways.<br/><br />
Rix Groenboom supports fortune 2000 companies in field automated software error prevention and correction for Parasoft. His main area of expertise is in the use of formal languages for the specification, design and validation of software applications.<br/><br />
<br/><br />
21.00 – 21:30 '''Discussion, questions and social'''<br/><br />
<br/><br />
All OWASP chapter meetings are free of charge and you don’t have to be an OWASP member to attend. There are never any vendor pitches or sales presentations at OWASP meetings.<br/><br />
<br/><br />
NOTE TO CISSP's: OWASP Meetings count towards CPE Credits.<br/><br />
<br/><br />
The announcement and full descriptions can be found here:<br/><br />
[[Media:Announcement_20_December.pdf]]<br/><br />
[[Media:Announcement_20_December_2.pdf]]<br/><br />
<br />
== Meeting September 13th: putting initiatives into practice ==<br />
<br />
The main goal of the next OWASP meeting is finding a way to put initiatives and all offered help into a form of structural benefit for the OWASP Netherlands local chapter. As a starting point for the discussion, examples will be taken from other European chapters and input delivered by discussions that take place on the mailing list is considered too. Let this be a call to put your ideas on the mailing list before the next meeting!<br/><br />
<br/><br />
The location is provided by the sponsor of this meeting:<br/><br />
Comsec Consulting BV<br/><br />
Rivium Boulevard 102<br/><br />
2909LK Capelle aan den IJssel<br/><br />
<br/><br />
The agenda:<br/><br />
18.00 - 18.30 Check-In (catering included)<br/><br />
18.30 - 18.45 OWASP update, Bert Koelewijn<br/><br />
18.45 - 19.15 Security Best Practices for .NET, Boaz Shunami<br/><br />
19.15 - 20.00 Discussion: collecting ideas and initiatives<br/><br />
20.00 - 20.15 Coffee break<br/><br />
20.15 - 21.00 Discussion: how to enable community commitment<br/><br />
21.00 - 21.30 Closing discussion and coffee<br/><br />
<br/><br />
Boaz Shunami<br/><br />
Boaz is manager of the Application Security department of Comsec Europe. He has 11 years of experience in the IT Security field, and a large part of them in Application Security.<br/><br />
Boaz did numerous application security audits in very large organizations and is recognized as one of the greatest expert’s world wide. Boaz' expertise is broad, but especially in-depth for the .NET platform.<br/><br />
<br/><br />
Discussion input (until now)<br/><br />
- division of local chapter work load by multiple people<br/><br />
- collaboration with other organizations<br/><br />
<br/><br />
If you want to attend send an email to owasp@irc2.com.<br/><br />
<br/><br />
All OWASP chapter meetings are free, there are never vendor pitches or sales presentations at OWASP meetings.<br/><br />
<br/><br />
NOTE TO CISSP's: OWASP Meetings count towards CPE Credits.<br/><br />
<br />
== Meeting minutes Januar 11th 2007 ==<br />
<br />
January 11th, the Dutch OWASP chapter came together at the office of Sogeti Netherlands. Subject of the evening was 'putting software security into practice'. The group was small but select.<br/><br />
<br/><br />
The agenda:<br/><br />
18.00 - 18.30 Check-In (catering included)<br/><br />
18.30 - 18.45 Sponsor opening<br/><br />
18.45 - 19.00 OWASP update, Bert Koelewijn<br/><br />
19.00 - 19.30 Implementation of Security by Design, Martin Knobloch<br/><br />
19.30 - 19.45 Panel introduction<br/><br />
19.45 - 20.00 Coffee break<br/><br />
20.00 - 21.30 Panel discussion<br/><br />
<br/><br />
After being welcomed by Frank Langeveld from Sogeti and Bert Koelewijn, Dutch chapter leader, the evening started with the presentation 'Security By Design'. During the presentation Martin Knobloch told about his experiences during the implementation of the Secure Development Life Cycle in a company like Sogeti Nederland B.V.<br/><br />
<br/><br />
The presentation is available here:<br/><br />
[[Media:Implementation_of_Security_by_Design.ppt]]<br/><br />
<br/><br />
After a small break, the panel discussion started with the following panel: Henk van der Heijden - Comsec Consulting, Dr.ir. Mario de Boer - LogicaCMG and Martin Knobloch - Sogeti Nederland.<br/><br />
During the discussion, it became clear people are struggling to get the Secure Development Life Cycle implemented in their company. The various experiences were shared with the panel and the others. Company typical problems and common misunderstandings about Software security where brought up.<br/><br />
The consensus of the discussion was that the main problem lies in the lack of security awareness and knowledge of the managers and the developers. And this of course is exactly where OWASP comes in…<br/><br />
<br/><br />
<br />
== Meeting Januar 11th 2007 ==<br />
<br />
The OWASP meeting of 11 January is about putting software security into practice. A lot of books, standards, organizations and consultants tell us how we should develop secure software. But which methods and measures are commonly adopted and which are not and why?<br/><br />
This will be the main focus of the discussion that we will have with a panel of people that experienced implementing software security in the field.<br/><br />
<br/><br />
The location is provided by the sponsor of this meeting:<br/><br />
Sogeti Nederland B.V.<br/><br />
"La Charmille" building<br/><br />
Lange Dreef 17<br/><br />
4131 NJ Vianen<br/><br />
<br/><br />
The agenda:<br />
<br/><br />
18.00 - 18.30 Check-In (catering included)<br/><br />
18.30 - 18.45 Sponsor opening<br/><br />
18.45 - 19.00 OWASP update, Bert Koelewijn<br/><br />
19.00 - 19.30 Implementation of Security by Design, Martin Knobloch<br/><br />
19.30 - 19.45 Panel introduction<br/><br />
19.45 - 20.00 Coffee break<br/><br />
20.00 - 21.30 Panel discussion<br/><br />
<br/><br />
Implementation of Security by Design<br/><br />
What is needed to implement a 'Secure Development Life Cycle' within Sogeti Nederland? The speaker started a project called 'Security by Design' in march 2006 implementing a SDLC at Sogeti Nederland.<br/><br />
In his presentation, the speaker will share his technical and organizational experiences that he gained with the still ongoing implementation.<br/><br />
<br/><br />
About the speaker<br/><br />
Martin Knobloch has more than 8 years experience in design and development of J2EE applications for customers in various sectors of the market. In September 2003 Martin Knobloch started working for Sogeti Nederland, where he does the design, development and review of J2EE applications and architectures.<br/><br />
From this background, Martin Knobloch experienced the threats of insecure software firsthand. In march 2006, Martin Knobloch started implementing a SDLC within Sogeti Nederland.<br/><br />
<br/><br />
Panel discussion<br/><br />
The panel members are:<br/><br />
Henk van der Heijden, Managing Director - Comsec Consulting B.V.<br/><br />
Dr.ir. Mario de Boer, Security Consultant - LogicaCMG<br/><br />
Martin Knobloch, Senior Technologie Specialist - Sogeti Nederland B.V.<br/><br />
<br/><br />
In the discussion, we will try to find answers to questions like:<br/><br />
- What are the most common security practices in software development?<br/><br />
- How effective are those practices?<br/><br />
- Where do we start practicing security?<br/><br />
- What should be the most common security practices in software development?<br/><br />
- How much does security cost?<br/><br />
- How does the Systems Security Engineering Capability Maturity Model (SSE-CMM) fit in?<br/><br />
<br/><br />
If you want to attend send an email to owasp@irc2.com.<br/><br />
<br/><br />
All OWASP chapter meetings are free, there are never vendor pitches or sales presentations at OWASP meetings.<br/><br />
<br/><br />
NOTE TO CISSP’s: OWASP Meetings count towards CPE Credits.<br/><br />
<br />
== OWASP Netherlands meeting minutes ==<br />
<br />
On 9 march, the second meeting of OWASP Netherlands local chapter took place. GetronicsPinkRoccade provided the venue, in their luxury conference centre: Connection I.<br/><br />
<br/><br />
Agenda:<br/><br />
18.00 - 18.45 Check-In (bread & drinks)<br/><br />
18.45 - 19.00 Opening<br/><br />
19.00 - 20.00 Improving Security in the Application Development Life-cycle, Migchiel de Jong<br/><br />
20.00 - 20.15 Coffee break<br/><br />
20.15 - 22.00 Form focus groups<br/><br />
<br/><br />
The presentation of Migchiel de Jong was found very interesting by the audience. At the end of his presentation, he demonstrated a static code analysis of the OWASP webgoat application.<br/><br />
<br/><br />
After the coffee break, the attendances started discussing about the largest common topics of interest in the web application security field, in relation to the OWASP Netherlands chapter. As a result, the following focus groups are formed:<br/><br />
<br/><br />
Testing<br/><br />
The current OWASP Testing project and the Open Source Security Testing Methodology Manual of ISECOM, provide guidelines and best practices for testers. These guidelines can be used to formalize a standard structure and a set of minimum requirements for a security test. Clients could ask a tester to adhere to these guidelines.<br/><br />
A second idea is to standardize the testing results management report. In practice, testing could result in piles of paper with all the findings. The real value is reporting it in a usable way. For example: mapping technical findings to business risks.<br/><br />
<br/><br />
Frans v. Buul<br/><br />
Peter Gouwentak<br/><br />
Arthur Donkers<br/><br />
Eelco Klaver<br/><br />
Migchiel de Jong<br/><br />
Mario de Boer<br/><br />
<br/><br />
First focus group meeting: Monday 27 march, 18:00h, PwC Utrecht<br/><br />
<br/><br />
<br/><br />
Public Relations<br/><br />
This focus group will try to make business aware of the security impact that developing, hosting and using web applications has. What OWASP is and how OWASP can help. This can be done by giving presentations, writing papers and articles, word of mouth, etc. etc.<br/><br />
<br/><br />
Remco Bakker<br/><br />
Ronald Eygendaal<br/><br />
Bas van Vossen<br/><br />
Edwin van Vliet<br/><br />
Eelco Klaver<br/><br />
<br/><br />
First presentation of OWASP materials: Edwin van Vliet, TestNet - Voorjaarsevenement, 5 april<br/><br />
First focus group meeting: To be planned!<br/><br />
<br/><br />
<br/><br />
Education<br/><br />
OWASP and universities/schools could benefit from working together. For example:<br/><br />
- OWASP provides lot's of materials usable in colleges.<br/><br />
- Develop OWASP training course.<br/><br />
- Students can participate in OWASP projects<br/><br />
- OWASP can provide a platform for supporting research. Such as thesis projects, etc.<br/><br />
- OWASP representatives could provide guest colleges.<br/><br />
<br/><br />
Ronald Eygendaal<br/><br />
Erik Poll<br/><br />
Bas van Vossen<br/><br />
Edwin van Vliet<br/><br />
<br/><br />
First focus group meeting: To be planned!<br/><br />
<br/><br />
The presentation is available here:<br/><br />
[[Media:OWASP_NL_Fortify_Software.pdf]]<br/><br />
<br />
== 9 March: Second meeting of the OWASP Netherlands local chapter! ==<br />
<br />
In this second meeting focus groups are to be formed, to discuss common problems, develop and research common solutions in a vendor neutral environment. So this is a very good opportunity to get in contact with others, to exchange knowledge and experiences on specific topics.<br/><br />
<br/><br />
For every focus group the following questions has to be answered:<br/><br />
1. Which specific topic is to be addressed?<br/><br />
2. What are the deliverables?<br/><br />
3. What is the relation to OWASP? (Current projects, materials, expertise and knowledge interchange, etc.)<br/><br />
4. Who is the central contact of the subgroup?<br/><br />
<br/><br />
It would be nice to have a bigger and more diverse group, compared to the first meeting. So let's recall: "Please, bring at least one friend, next time." And don't hesitate to send this announcement to everybody who may be interested!<br/><br />
<br/><br />
We thank Getronics PinkRoccade for offering us a venue:<br/><br />
Getronics PinkRoccade<br/><br />
Fauststraat 1<br/><br />
7323 BA Apeldoorn <br/><br />
<br/><br />
The agenda:<br/><br />
18.00 - 18.30 Check-In<br/><br />
18.30 - 18.45 Opening<br/><br />
18.45 - 19.30 Improving Security in the Application Development Life-cycle, Migchiel de Jong<br/><br />
19.30 - 20.00 Collecting focus group initiatives<br/><br />
19.45 - 20.00 Coffee break<br/><br />
20.00 - 21.00 Form focus groups<br/><br />
<br/><br />
Presentation Abstract<br/><br />
Rather than spending large amounts of time and money on proving that we have security vulnerabilities after programs go into production, companies should go to the source and correct vulnerabilities as early as possible in the development stage. It is unquestionably faster, simpler, and cheaper for developers to correct vulnerabilities as they build programs.<br/><br />
But how can development management ensure that developers focus on security when there is no time or budget for security at the development stage? Even with the correct focus, how can they learn what to look for? How can they stay ahead of the dedicated and resourceful hacker?<br/><br />
The answer is effective processes and better tools. With advanced software security tools, a developer can pinpoint vulnerabilities in a matter of seconds — the same vulnerabilities that would take a hacker or manual code reviewer weeks or even months to find. These same tools can give development and information security managers useful metrics on application vulnerabilities before they are released into deployment.<br/><br />
This talk will walk through the Application Development Life-Cycle and discuss how tools can help come to grips with software security issues in a particular phase.<br/><br />
<br/><br />
About the presenter<br/><br />
Migchiel de Jong has developed hardware and software for 10 years before joining Rational Software. During the 5 years at Rational Software (later acquired by IBM) he was involved in many software development process improvement projects. Currently Migchiel de Jong is working at Fortify Software, Palo Alto, California, as a software security engineer.<br/><br />
<br/><br />
If you want to attend send an email to owasp@irc2.nl. Please don't wait, 9 march is not that long anymore!<br/><br />
<br/><br />
All OWASP chapter meetings are free, there are never vendor pitches or sales presentations at OWASP meetings.<br/><br />
<br/><br />
NOTE TO CISSP’s: OWASP Meetings count towards CPE Credits.<br/><br />
<br />
== OWASP Netherlands kick-off meeting minutes ==<br />
<br />
On 17 November, OWASP Netherlands had it's first meeting. We moved to a bigger location, the Mercure hotel in Nieuwegein, to host all the 35 attendees.<br/><br />
<br/><br />
The agenda:<br/><br />
18.00 - 18.30 Check-In (bread & drinks)<br/><br />
18.30 - 18.45 Chapter opening<br/><br />
18.45 - 19.30 Presentation - 'Top tien web applicatie kwetsbaarheden in J2EE', Eelco Klaver<br/><br />
19.30 - 19.45 Presentation - 'Veilige webapplicaties boven alles', Mike Wardi<br/><br />
19.45 - 20.00 Coffee break<br/><br />
20.00 - 21.00 Discussion - About the OWASP Netherlands local chapter<br/><br />
<br/><br />
The discussion took place in a 'round table' session, where all attendees were able to take part. The focus of the discussion was how to give the OWASP Netherlands local chapter additional value, next to the OWASP project. What the goals and tasks will be. And which actions will have to be taken at short term.<br/><br />
Different people have interest in different subjects. In general meetings there is no time to address all subjects and address them specific enough. Therefore subgroups can be formed, focusing on specific topics. They can have their own communication channel and meetings, but should keep close contact with the OWASP body.<br/><br />
<br/><br />
An inventarisation:<br/><br />
<br/><br />
Discussion Topics<br/><br />
- Awareness: writing articles, press publications, interviews<br/><br />
- Education: contact universities, schools and their common boards. Develop and gather education materials.<br/><br />
- General: discuss ideas for OWASP NL<br/><br />
<br/><br />
Focusgroup Topics<br/><br />
- (dutch) metrics project<br/><br />
- (dutch) legal project<br/><br />
- standard framework for pentest reports<br/><br />
- safe outsourcing<br/><br />
<br/><br />
Actions that should be taken on short term are:<br/><br />
- provide communication channels<br/><br />
- plan next (sub)meetings<br/><br />
- start discussions and focusgroups<br/><br />
<br/><br />
The presentations are available here:<br/><br />
<br/><br />
[[Media:OWASP_NL_Top_Ten_Web_Application_Vulnerabilities_in_J2EE.pdf]]<br/><br />
[[Media:OWASP_NL_Veilige_Web_App_Boven_Alles.pdf]]<br/><br />
<br />
== You are welcome to the OWASP Netherlands local chapter kick-off meeting! ==<br />
<br />
Thursday, November 17th (2005) at 18.00h.<br/><br />
<br/><br />
ATTENTION! Because of the large amount of attendees, the location has changed:<br/><br />
<br/><br />
Hotel Mercure Utrecht/Nieuwegein<br/><br />
Buizerdlaan 10<br/><br />
3435 SB NIEUWEGEIN<br/><br />
Tel: 00 31 (0) 30 60 84 122<br/><br />
Fax: 00 31 (0) 30 60 38 374<br/><br />
<br/><br />
This first meeting will be an introduction to the OWASP. A constructive discussion will be held about the actual form of the OWASP Netherlands local chapter.<br/><br />
<br/><br />
The agenda:<br/><br />
18.00 - 18.30 Check-In (bread & drinks)<br/><br />
18.30 - 18.45 Chapter opening<br/><br />
18.45 - 19.30 Presentation - 'Top tien web applicatie kwetsbaarheden in J2EE', Eelco Klaver<br/><br />
19.30 - 19.45 Presentation - 'Veilige webapplicaties boven alles', Mike Wardi<br/><br />
19.45 - 20.00 Coffee break<br/><br />
20.00 - 21.00 Discussion - About the OWASP Netherlands local chapter<br/><br />
<br/><br />
About the presenters<br/><br />
<br/><br />
Eelco Klaver<br/><br />
Eelco Klaver is a senior consultant for Xebia IT Architects, since 2003. Doing software reviews, security audits and giving security workshops are part of his job. He has almost 10 years experience with developing enterprise applications in J2EE for different employees. At the moment, Eelco is the front man of the security business unit for Xebia, focussing on the security aspects of enterprise applications build on J2EE.<br/><br />
<br/><br />
Mike Wardi<br/><br />
Mike Wardi is an internet application manager for a financial institute. He's responsible for the safety of internet applications provided to customers and the implementation of the security policies in software developement.<br/><br />
<br/><br />
<br/><br />
If you want to attend, please send an email to owasp-nl@ascure.com or the mailing list.<br/><br />
<br/><br />
All OWASP chapter meetings are free! There are never vendor pitches or sales presentations at OWASP meetings.<br/><br />
<br/><br />
NOTE TO CISSP’s: OWASP Meetings count towards CPE Credits.<br/><br />
<br/></div>Dvsteinhttps://wiki.owasp.org/index.php?title=Netherlands&diff=46550Netherlands2008-11-19T16:50:32Z<p>Dvstein: /* Meeting March 26th 2008: Software Vulnerability assessment */</p>
<hr />
<div>{{Chapter Template|chaptername=Netherlands|extra=The chapter leader is [mailto:owasp@irc2.nl Bert Koelewijn]<br />
<paypal>Netherlands</paypal><br />
|mailinglistsite=http://lists.owasp.org/mailman/listinfo/owasp-netherlands|emailarchives=http://lists.owasp.org/pipermail/owasp-netherlands}}<br />
<br />
== Meeting schedule 2008 ==<br />
This is an overview of the 2008 local chapter meeting schedule. Details of the meetings can be found in the announcements that will be posted below this schedule.<br />
<pre><br />
March 26th<br />
----------<br />
Time : 17.30 - 21.30<br />
Main Topic : Software Vulnerability assessment<br />
Presentations: Complex(ity) matters, Mario de Boer (Dutch)<br />
V.A.C. SQL injection, Marinus Kuivenhoven (Dutch)<br />
Secure Programming with Static Analysis, Brian Chess (English) <br />
Location : Mercure Utrecht Nieuwegein, Buizerdlaan 10, 3435 SB Nieuwegein<br />
Sponsor : Fortify Software<br />
<br />
Oktober 27th<br />
----------<br />
Time : 17.30 - 21.30<br />
Main Topic : Privacy and the Internet<br />
Presentations: Privacy and Internet (Dutch), Frank Fruijthoff and Ellen Hoving<br />
Vulnerability and source code scanners. (Dutch) Emile Strijbos <br />
Location : ps_testware B.V., Dorpsstraat 26, 3941 JM DOORN<br />
Sponsor : ps_testware B.V.<br />
</pre><br />
== Meeting minutes October 27th 2008 ==<br />
<br />
At October 27th, the Dutch OWASP chapter came together at the office of the sponsor of the evening; ps_testware in Doorn. The subject of the evening was 'Privacy and the Internet’. There were 2 speakers and approximately 25 attendees.<br/><br />
<br/><br />
After a short welcome talk by both the sponsor and OWASP, Mario de Boer had an announcement about a new OWASP project; ORPRO, the Open Review Project. The goal of the project is to review Open Source Software from an independent point of view. Reviews will be done both manually and with the aid of source code analysis software provided by Fortify. The first software package to be reviewed is already available so reviewers are needed. More information can be found on the OWASP project page. [http://www.owasp.org/index.php/Category:OWASP_Open_Review_Project]v<br />
<br/><br />
The first presentation of the evening was about "Privacy & the Internet" which was presented by Frank Fruijthoff and Ellen Hoving. <br/><br />
The goal of this presentation was to show the problems in regulating privacy on the internet by law. The presentation was roughly split in 3 parts: definitions, requirements and context. <br/><br />
The main problem with regulating privacy is that the concept of privacy is very broad and not well defined. Privacy can have different meanings and consequences in different contexts. Most laws therefore focus on the individual and define privacy as 'protection of personal information' where 'personal information' is all data that can be tracked back to a single person. The last years many countries within the EU developed internet laws concerning privacy on the internet. These laws state that information can only be used what it originally was intended for and usage of that information must be reported at central register. This register also makes it possible to file a complaint and check what companies use personal information for what purposes. While these rules are mostly sufficient for local databases they often fail when applied to information stored on or with use of the internet. Problems encountered are captured in the "four D's";<br/><br />
- Internet is deterritorialized; internet has no boundaries.<br/><br />
- Internet is deregulated; internet has no law, only terms of use.<br/><br />
- Internet is dematerialized; internet is not physical.<br/><br />
- Internet is decentralized; there is no single regulating or controlling organization.<br/><br />
Although the protection of personal data is more and more covered by laws, the increasing usage of external storage and connections over the internet will make it harder to enforce them. The main conclusion of the evening was that, although many initiatives improving privacy exist, the very properties of the internet make it hard to ensure privacy completely. <br/><br />
<br/><br />
The second presentation of the evening was presented by E. Strijbos. He showed the results of his research concerning the feasibility of a Web Application Security Certification by the usage of vulnerability scanners.<br/><br />
With the daily increasing amount of threads and vulnerabilities in web applications there is a market-driven demand for an independent and automated scan service. Current scan services often lack coverage and depth of scanning and give no details about the used scanning methods.<br/><br />
In this research several commercial vulnerability scanners and static analysis tools were compared and checked for scantime, accuracy, false positives, and ease of use. The results showed that almost all scanners find most of the vulnerabilities, but also produce many false positives. Also, without proper configuration the amount of results can be overwhelming and inconclusive. Furthermore results showed that static analysis scanners are much faster than vulnerability scanners, but have a more limited usage. The main conclusion was that although vulnerability scanners and static analysis tools can be very helpful in identifying vulnerabilities, their current efficiency is not high enough to use as the basis for an automated vulnerability scan.<br/><br />
<br />
<br />
== Meeting October 27th 2008: Privacy and the Internet ==<br />
'''Summary'''<br/><br />
The main goal of the upcoming OWASP-NL meeting is to provide information to developers and security professionals about personal and technical privacy on the internet. The speakers focus on privacy regulations related to the internet and on the mass amount of personal and technical information available about persons and companies on the internet, with and without their consent. Furthermore tools will be discussed that help prevent leakage of privacy related and other kind of data. They will give specific examples and there will be time to ask questions.<br/><br />
Please register before October 20th because of the necessary catering arrangements.<br/><br />
<br/><br />
'''Location'''<br/><br />
The location and catering is provided by the sponsor of this meeting:<br/><br />
<table><br />
<tr><br />
<td width="350"><br />
ps_testware B.V.<br/><br />
Dorpsstraat 26,<br/><br />
3941 JM DOORN<br/><br />
</td><br />
<td width="350"><br />
[[Image:Pstestware.jpg|100px]]<br />
</td><br />
</tr><br />
<tr><br />
<td width="350"><br />
The location has parking facilities for 15 cars. However parking in the direct vicinity of ps_testware shouldn’t be a problem.<br/><br />
</td><br />
<td width="350"><br />
ps_testware delivers services related to software testing and software quality. In the field of software development, quality, time-to-market, business processes and software acceptance they play the role of "your devil's advocate" as an independent, flexible and specialized partner.<br/><br />
For more information please visit: www.pstestware.com.<br/><br />
</td><br />
</tr><br />
</table><br />
<br/><br />
<br/><br />
'''Program'''<br/><br />
17.30 - 18.30 '''Check-In''' (catering included)<br/><br />
<br/><br />
18.30 – 19:00 '''Introduction''' (OWASP organization, projects, sponsor)<br/><br />
<br/><br />
19.00 - 20.15 '''Privacy and Internet''' (Dutch), Frank Fruijthoff and Ellen Hoving<br/><br />
In this presentation the general principles of privacy laws in the Netherlands and the EU and specifically privacy and the internet will be covered.<br/><br />
Frank Fruijthoff is a Compliance Officer with ING. He has a Compliance and Risk Management background and is specialised in privacy.<br/><br />
Ellen Hoving is a graduated lawyer. She works as an independent consultant specialized in compliance and privacy.<br/><br />
<br/><br />
20.15 – 20:30 '''Break'''<br/><br />
<br/><br />
20:30 – 21:00 '''Vulnerability and source code scanners''' (Dutch), Emile Strijbos<br />
<br/><br />
For his Master thesis in computer science at the Radboud Universiteit in Nijmegen, Emile Strijbos investigated vulnerability scanners and source code scanners. These are automated tools that try to detect security flaws, either in running web-applications or in their source code.<br/><br />
Emile tried out several of these tools, including both free and commercial ones, to see how good they are at detecting standard vulnerabilities, such as SQL injection, XSS, CSRF, etc.<br/><br />
<br/><br />
21.00 – 21:30 '''Discussion, questions and social'''<br/><br />
<br/><br />
If you want to attend, please send an email to: owasp@irc2.com.<br><br />
Please register before October 20th, because of the necessary catering arrangements. The number of registries is limited to 50 due to the capacity of the location and will be handled in order of receipt.<br/><br />
<br/><br />
All OWASP chapter meetings are free of charge and you don’t have to be an OWASP member to attend. There are never any vendor pitches or sales presentations at OWASP meetings.<br/><br />
<br/><br />
NOTE TO CISSP's: OWASP Meetings count towards CPE Credits.<br/><br />
<br/><br />
The announcement and full descriptions can be found here:<br/><br />
[[Media:Announcement_27_Oktober.pdf]]<br/><br />
<br />
== Meeting minutes March 23th 2008 ==<br />
<br />
At March 23th, the Dutch OWASP chapter came together in the Mercury hotel in Nieuwegein. The meeting was sponsored by Fortify Software. The subject of the evening was 'Software Vulnerability Assesment’. There were 3 speakers and approximately 40 attendees.<br/><br />
<br/><br />
After a short introduction of Migchiel de Jong (Fortify) about the subject of Static and Dynamic Analysis and the tools that Fortify provides the speakers of the evening where introduced.<br/><br />
<br/><br />
First presentation: Practices of Complex(ity) matters (Dutch), Mario de Boer<br/><br />
Mario de Boer has spent much of his free time the last 16 years into disassembling various pieces of software and analyzing the code and its statistics. The main advantage in analyzing binaries is that no access to source code is needed, all dependencies (i.e. the compiler) are included and it’s independent of the tool used. Disassembling compiled code gives great insight in the complexity of the software and the entry and exit points of data. Although there is no direct relation between the complexity of software and its security, statistically the most vulnerabilities appear in the most complex portions of a program. Data entry points in complex portions of the code can give rise to possible exploits so static analysis can give insight in the most vulnerable places in software which is useful information in testing.<br />
The disadvantages of static analysis are that an extensive knowledge of assembly is needed and, due to its statistic nature, it gives rise to many false positives. <br />
In conclusion static binary analysis, when used by experts, can be a powerful tool to gain insight in the most vulnerable parts of the software and be a valuable tool in both developing and testing software. <br/><br />
<br/><br />
Second presentation: V.A.C: SQL injection (Dutch), Marinus Kuivenhoven<br/><br />
A new reoccurring topic on OWASP presentations will be the so called VAC. In these presentations an expert will talk about a Vulnerability, how to Assess it and possible Countermeasures. This evening Marinus started with the second vulnerability in the OWASP top ten; SQL injections.<br/><br />
With the aid of Webgoat, a few simple examples and the possible consequences were shown. SQL injection is particularly useful exploit in the reconnaissance phase since it can be abused for information leakage and in getting information about e.g. the table structure. <br/><br />
On the internet and in literature many countermeasures against SQL injections are described. However, many of these countermeasures are not usable in a maintainable system or cannot prevent SQL injections completely. The most important conclusion was that input should never be trusted and should never be directly used.<br/><br />
<br/><br />
Third presentation: Secure Programming with Static Analysis (English), Brian Chess<br/><br />
The last speaker of the evening was Brian Chess who presented his new book ‘Secure Programming with Static Analysis’. Brian made clear that, although a powerful tool, static binary analysis is already too late in the SDLC to be successful in preventing vulnerabilities. Scanning for possible vulnerabilities should be implemented as early as possible i.e. during coding. The main advantages of static analysis are the cost and speed. Since errors and bad practices are identified in an early stage they can be solved at the spot, making auditing the software more efficient in term of time and depth. <br/><br />
Static analysis can successfully be used for style and type checking, program understanding and verification, and for security reviews. The success of static analysis, however, is fully depending on the rules implemented in the scanner. Static analysis is also unable to identify design flaws, right problems, or wrong user input. <br/><br />
The conclusion was that scanning for vulnerabilities can probably only be successful with the aid of static analysis, but many requirements should be met. Firstly it should become part of the SDLC and culture. Secondly the right tool should be picked and people should be trained in its use. Lastly investments should be made in building up a good rule set and metrics. <br/><br />
<br />
<br />
<br />
== Meeting March 26th 2008: Software Vulnerability assessment ==<br />
'''Summary'''<br/><br />
The main goal of the upcoming OWASP-NL meeting is to provide information to developers and security professionals involved in creating secure (web-)applications. The main focus will be on software vulnerability assessment. The speakers will give specific examples and of course there is time to ask questions about your own experiences.<br/><br />
<br/><br />
'''Location'''<br/><br />
The location and catering is provided by the sponsor of this meeting:<br/><br />
<table><br />
<tr><br />
<td width="350"><br />
Mercure Utrecht Nieuwegein<br/><br />
Buizerdlaan 10,<br/><br />
3435 SB Nieuwegein<br/><br />
</td><br />
<td width="350"><br />
[[Image:Fortify.JPG|143px]]<br />
</td><br />
</tr><br />
<tr><br />
<td width="350"><br />
</td><br />
<td width="350"><br />
Fortify Software products protect companies from today’s greatest security risk: the software applications that run their businesses. Combining deep application security expertise with extensive software development experience, Fortify Software has defined the market with award-winning products that span the software development cycle. Today, Fortify Software fortifies the software for the most demanding customer deployments, including the world’s largest, most varied code bases.<br/><br />
<br/><br />
For more information please visit:<br/><br />
www.fortify.com<br/><br />
</td><br />
</tr><br />
</table><br />
<br/><br />
<br/><br />
'''Program'''<br/><br />
17.30 - 18.30 '''Check-In''' (catering included)<br/><br />
<br/><br />
18.30 - 18:50 '''Introduction''' (OWASP, sponsor)<br/><br />
<br/><br />
18.50 - 19.30 '''Complex(ity) matters''' (Dutch), Mario de Boer<br/><br />
Various methods exist to locate specific vulnerabilities in software. In the presentation we will look at static analysis of binaries, and the problems we face when trying to locate vulnerabilities. Several ideas will be discussed to make the search easier, but at the same time less exact. The first idea is trivial: automate as much as possible. The second idea is nearly trivial: don't aim at exact vulnerabilities but relax the search to locating potential vulnerabilities. We will give examples that illustrate the results.<br/><br />
Mario de Boer is a senior security consultant at Logica, and as such focuses on security management aspects like security frameworks, compliance, monitoring and control and risk management. Before joining Logica, Mario worked at the Dutch ministries of Defense and Justice, he co-founded a security company and worked as a project manager in the financial sector. For several years he taught courses in software security analysis and secure software development. Besides security management, Mario has interest in software security, reverse engineering and cryptography. Within Logica Netherlands, he is knowledge manager application security. Mario holds a PhD in Mathematics and is CISA and CISSP.<br/><br />
<br/><br />
19.30 - 19:50 '''Break'''<br/><br />
<br/><br />
19:50 - 20:20 '''V.A.C: SQL injection''' (Dutch), Marinus Kuivenhoven<br />
<br/><br />
<u>'''V'''ulnerability:</u><br/><br />
An application which uses a database for its information needs, communicates with it trough SQL. SQL injection is an attack in which malicious code is inserted into strings that are later passed to an instance of a Database for parsing and execution.<br/><br />
<u>'''A'''ssessment:</u><br/><br />
SQL injection can threaten the confidentiality, availability and integrity of the data. The various types of SQL injection and their impact will be shown.<br/><br />
<u>'''C'''ountermeasure:</u><br/><br />
Any procedure that constructs SQL statements should be reviewed for injection vulnerabilities because a database will execute all syntactically valid queries that it receives. How this should be done will be shown for the most popular languages.<br/><br />
Marinus is a Technology Specialist with Sogeti Nederland B.V. specializing in service oriented architectures and secure application development. His experience includes developing and administrating Oracle-based systems.<br/><br />
<br/><br />
20.20 - 21.00 '''Secure Programming with Static Analysis''' (English), Brian Chess<br/><br />
Creating secure code requires more than just good intentions. Programmers need to know how to make their code safe in an almost infinite number of scenarios and configurations. Static source code analysis gives users the ability to review their work with a fine tooth comb and uncover the kinds of errors that lead directly to vulnerabilities. This talk frames the software security problem and shows how static analysis is part of the solution. We will look at how static analysis works, how to integrate it into the software development processes, and how to make the most of it during security code review. Along the way we'll look at examples taken from real-world security incidents, showing how coding errors are exploited, how they could have been prevented, and how static analysis can rapidly uncover similar errors.<br/><br />
Brian Chess is a founder of Fortify Software and serves as Fortify's Chief Scientist, where his work focuses on practical methods for creating secure systems. His book, Secure Programming with Static Analysis, shows how static source code analysis is an indispensable tool for getting security right. Brian holds a Ph.D. in computer engineering from the University of California at Santa Cruz, where he studied the application of static analysis to the problem of finding security-relevant defects in source code. Before settling on security, Brian spent a decade in Silicon Valley working at huge companies and small startups. He has done research on a broad set of topics, ranging from integrated circuit design all the way to delivering software as a service.<br/><br />
<br/><br />
21.00 - 21:30 '''Discussion, questions and social'''<br/><br />
<br/><br />
'''Registration'''<br/><br />
If you want to attend, please send an email to: owasp@irc2.com.<br/><br />
<br/><br />
All OWASP chapter meetings are free of charge and you don’t have to be an OWASP member to attend. There are never any vendor pitches or sales presentations at OWASP meetings.<br/><br />
<br/><br />
NOTE TO CISSP's: OWASP Meetings count towards CPE Credits.<br/><br />
<br/><br />
<br />
== Meeting December 20th 2007: Secure Development ==<br />
'''Summary'''<br/><br />
The main goal of the upcoming OWASP-NL meeting is to provide information to developers and security professionals involved in creating secure (web-)applications. The general and specific security issues involved on project and programming level will be covered from a practical as well as a theoretical point of view. The speakers will give specific examples and of course there is time to ask questions about your own experiences.<br/><br />
Please register before December the 14th because of the necessary catering arrangements.<br/><br />
<br/><br />
'''Location'''<br/><br />
The location and catering is provided by the sponsor of this meeting:<br/><br />
<table><br />
<tr><br />
<td width="350"><br />
ps_testware B.V.<br/><br />
Dorpsstraat 26,<br/><br />
3941 JM DOORN<br/><br />
</td><br />
<td width="350"><br />
[[Image:Pstestware.jpg|100px]]<br />
</td><br />
</tr><br />
<tr><br />
<td width="350"><br />
The location has parking facilities for 15 cars. However parking in the direct vicinity of ps_testware shouldn’t be a problem.<br/><br />
</td><br />
<td width="350"><br />
ps_testware delivers services related to software testing and software quality. In the field of software development, quality, time-to-market, business processes and software acceptance they play the role of "your devil's advocate" as an independent, flexible and specialized partner.<br/><br />
For more information please visit: www.pstestware.com.<br/><br />
</td><br />
</tr><br />
</table><br />
<br/><br />
<br/><br />
'''Program'''<br/><br />
17.30 - 18.30 '''Check-In''' (catering included)<br/><br />
<br/><br />
18.30 – 19:00 '''Introduction''' (OWASP organization, projects, sponsor)<br/><br />
<br/><br />
19.00 - 19.30 '''Practices of developing optimal security''' (dutch), Andre Post<br/><br />
This presentation highlights a number of current practices that lead to sub-optimal security, and suggests ways of avoiding these problems, focusing on the technical side of development.<br/><br />
André Post works for Fox-IT on a variety of projects including core product development, software architecting, security code reviews, and software project management.<br/><br />
<br/><br />
19.30 – 19:45 '''Break'''<br/><br />
<br/><br />
19:45 – 20:30 '''Problems of developing secure and correct applications''' (dutch), Erik Poll [http://www.cs.ru.nl/~erikpoll/talks/OWASP2007.pdf (slides of the presentation)]<br />
<br/><br />
This presentation will discuss different possibilities to improve software security. The problem of getting time and money available to be spend on security, not only for developing applications, but also for developing programming languages, will be raised.<br/><br />
Erik Poll is head of the Security of Systems (SoS) group at the Radboud University of Nijmegen. His research does focus on the security and correctness of software.<br/><br />
<br/><br />
20.30 - 21.00 '''Protecting Web services and Web applications against security threats''' (dutch), Rix Groenboom<br/><br />
During this session, Rix will explore how to implement development and security best practices in the code to make sure that your webservices and applications perform solidly when they are being hacked or used in malicious ways.<br/><br />
Rix Groenboom supports fortune 2000 companies in field automated software error prevention and correction for Parasoft. His main area of expertise is in the use of formal languages for the specification, design and validation of software applications.<br/><br />
<br/><br />
21.00 – 21:30 '''Discussion, questions and social'''<br/><br />
<br/><br />
All OWASP chapter meetings are free of charge and you don’t have to be an OWASP member to attend. There are never any vendor pitches or sales presentations at OWASP meetings.<br/><br />
<br/><br />
NOTE TO CISSP's: OWASP Meetings count towards CPE Credits.<br/><br />
<br/><br />
The announcement and full descriptions can be found here:<br/><br />
[[Media:Announcement_20_December.pdf]]<br/><br />
[[Media:Announcement_20_December_2.pdf]]<br/><br />
<br />
== Meeting September 13th: putting initiatives into practice ==<br />
<br />
The main goal of the next OWASP meeting is finding a way to put initiatives and all offered help into a form of structural benefit for the OWASP Netherlands local chapter. As a starting point for the discussion, examples will be taken from other European chapters and input delivered by discussions that take place on the mailing list is considered too. Let this be a call to put your ideas on the mailing list before the next meeting!<br/><br />
<br/><br />
The location is provided by the sponsor of this meeting:<br/><br />
Comsec Consulting BV<br/><br />
Rivium Boulevard 102<br/><br />
2909LK Capelle aan den IJssel<br/><br />
<br/><br />
The agenda:<br/><br />
18.00 - 18.30 Check-In (catering included)<br/><br />
18.30 - 18.45 OWASP update, Bert Koelewijn<br/><br />
18.45 - 19.15 Security Best Practices for .NET, Boaz Shunami<br/><br />
19.15 - 20.00 Discussion: collecting ideas and initiatives<br/><br />
20.00 - 20.15 Coffee break<br/><br />
20.15 - 21.00 Discussion: how to enable community commitment<br/><br />
21.00 - 21.30 Closing discussion and coffee<br/><br />
<br/><br />
Boaz Shunami<br/><br />
Boaz is manager of the Application Security department of Comsec Europe. He has 11 years of experience in the IT Security field, and a large part of them in Application Security.<br/><br />
Boaz did numerous application security audits in very large organizations and is recognized as one of the greatest expert’s world wide. Boaz' expertise is broad, but especially in-depth for the .NET platform.<br/><br />
<br/><br />
Discussion input (until now)<br/><br />
- division of local chapter work load by multiple people<br/><br />
- collaboration with other organizations<br/><br />
<br/><br />
If you want to attend send an email to owasp@irc2.com.<br/><br />
<br/><br />
All OWASP chapter meetings are free, there are never vendor pitches or sales presentations at OWASP meetings.<br/><br />
<br/><br />
NOTE TO CISSP's: OWASP Meetings count towards CPE Credits.<br/><br />
<br />
== Meeting minutes Januar 11th 2007 ==<br />
<br />
January 11th, the Dutch OWASP chapter came together at the office of Sogeti Netherlands. Subject of the evening was 'putting software security into practice'. The group was small but select.<br/><br />
<br/><br />
The agenda:<br/><br />
18.00 - 18.30 Check-In (catering included)<br/><br />
18.30 - 18.45 Sponsor opening<br/><br />
18.45 - 19.00 OWASP update, Bert Koelewijn<br/><br />
19.00 - 19.30 Implementation of Security by Design, Martin Knobloch<br/><br />
19.30 - 19.45 Panel introduction<br/><br />
19.45 - 20.00 Coffee break<br/><br />
20.00 - 21.30 Panel discussion<br/><br />
<br/><br />
After being welcomed by Frank Langeveld from Sogeti and Bert Koelewijn, Dutch chapter leader, the evening started with the presentation 'Security By Design'. During the presentation Martin Knobloch told about his experiences during the implementation of the Secure Development Life Cycle in a company like Sogeti Nederland B.V.<br/><br />
<br/><br />
The presentation is available here:<br/><br />
[[Media:Implementation_of_Security_by_Design.ppt]]<br/><br />
<br/><br />
After a small break, the panel discussion started with the following panel: Henk van der Heijden - Comsec Consulting, Dr.ir. Mario de Boer - LogicaCMG and Martin Knobloch - Sogeti Nederland.<br/><br />
During the discussion, it became clear people are struggling to get the Secure Development Life Cycle implemented in their company. The various experiences were shared with the panel and the others. Company typical problems and common misunderstandings about Software security where brought up.<br/><br />
The consensus of the discussion was that the main problem lies in the lack of security awareness and knowledge of the managers and the developers. And this of course is exactly where OWASP comes in…<br/><br />
<br/><br />
<br />
== Meeting Januar 11th 2007 ==<br />
<br />
The OWASP meeting of 11 January is about putting software security into practice. A lot of books, standards, organizations and consultants tell us how we should develop secure software. But which methods and measures are commonly adopted and which are not and why?<br/><br />
This will be the main focus of the discussion that we will have with a panel of people that experienced implementing software security in the field.<br/><br />
<br/><br />
The location is provided by the sponsor of this meeting:<br/><br />
Sogeti Nederland B.V.<br/><br />
"La Charmille" building<br/><br />
Lange Dreef 17<br/><br />
4131 NJ Vianen<br/><br />
<br/><br />
The agenda:<br />
<br/><br />
18.00 - 18.30 Check-In (catering included)<br/><br />
18.30 - 18.45 Sponsor opening<br/><br />
18.45 - 19.00 OWASP update, Bert Koelewijn<br/><br />
19.00 - 19.30 Implementation of Security by Design, Martin Knobloch<br/><br />
19.30 - 19.45 Panel introduction<br/><br />
19.45 - 20.00 Coffee break<br/><br />
20.00 - 21.30 Panel discussion<br/><br />
<br/><br />
Implementation of Security by Design<br/><br />
What is needed to implement a 'Secure Development Life Cycle' within Sogeti Nederland? The speaker started a project called 'Security by Design' in march 2006 implementing a SDLC at Sogeti Nederland.<br/><br />
In his presentation, the speaker will share his technical and organizational experiences that he gained with the still ongoing implementation.<br/><br />
<br/><br />
About the speaker<br/><br />
Martin Knobloch has more than 8 years experience in design and development of J2EE applications for customers in various sectors of the market. In September 2003 Martin Knobloch started working for Sogeti Nederland, where he does the design, development and review of J2EE applications and architectures.<br/><br />
From this background, Martin Knobloch experienced the threats of insecure software firsthand. In march 2006, Martin Knobloch started implementing a SDLC within Sogeti Nederland.<br/><br />
<br/><br />
Panel discussion<br/><br />
The panel members are:<br/><br />
Henk van der Heijden, Managing Director - Comsec Consulting B.V.<br/><br />
Dr.ir. Mario de Boer, Security Consultant - LogicaCMG<br/><br />
Martin Knobloch, Senior Technologie Specialist - Sogeti Nederland B.V.<br/><br />
<br/><br />
In the discussion, we will try to find answers to questions like:<br/><br />
- What are the most common security practices in software development?<br/><br />
- How effective are those practices?<br/><br />
- Where do we start practicing security?<br/><br />
- What should be the most common security practices in software development?<br/><br />
- How much does security cost?<br/><br />
- How does the Systems Security Engineering Capability Maturity Model (SSE-CMM) fit in?<br/><br />
<br/><br />
If you want to attend send an email to owasp@irc2.com.<br/><br />
<br/><br />
All OWASP chapter meetings are free, there are never vendor pitches or sales presentations at OWASP meetings.<br/><br />
<br/><br />
NOTE TO CISSP’s: OWASP Meetings count towards CPE Credits.<br/><br />
<br />
== OWASP Netherlands meeting minutes ==<br />
<br />
On 9 march, the second meeting of OWASP Netherlands local chapter took place. GetronicsPinkRoccade provided the venue, in their luxury conference centre: Connection I.<br/><br />
<br/><br />
Agenda:<br/><br />
18.00 - 18.45 Check-In (bread & drinks)<br/><br />
18.45 - 19.00 Opening<br/><br />
19.00 - 20.00 Improving Security in the Application Development Life-cycle, Migchiel de Jong<br/><br />
20.00 - 20.15 Coffee break<br/><br />
20.15 - 22.00 Form focus groups<br/><br />
<br/><br />
The presentation of Migchiel de Jong was found very interesting by the audience. At the end of his presentation, he demonstrated a static code analysis of the OWASP webgoat application.<br/><br />
<br/><br />
After the coffee break, the attendances started discussing about the largest common topics of interest in the web application security field, in relation to the OWASP Netherlands chapter. As a result, the following focus groups are formed:<br/><br />
<br/><br />
Testing<br/><br />
The current OWASP Testing project and the Open Source Security Testing Methodology Manual of ISECOM, provide guidelines and best practices for testers. These guidelines can be used to formalize a standard structure and a set of minimum requirements for a security test. Clients could ask a tester to adhere to these guidelines.<br/><br />
A second idea is to standardize the testing results management report. In practice, testing could result in piles of paper with all the findings. The real value is reporting it in a usable way. For example: mapping technical findings to business risks.<br/><br />
<br/><br />
Frans v. Buul<br/><br />
Peter Gouwentak<br/><br />
Arthur Donkers<br/><br />
Eelco Klaver<br/><br />
Migchiel de Jong<br/><br />
Mario de Boer<br/><br />
<br/><br />
First focus group meeting: Monday 27 march, 18:00h, PwC Utrecht<br/><br />
<br/><br />
<br/><br />
Public Relations<br/><br />
This focus group will try to make business aware of the security impact that developing, hosting and using web applications has. What OWASP is and how OWASP can help. This can be done by giving presentations, writing papers and articles, word of mouth, etc. etc.<br/><br />
<br/><br />
Remco Bakker<br/><br />
Ronald Eygendaal<br/><br />
Bas van Vossen<br/><br />
Edwin van Vliet<br/><br />
Eelco Klaver<br/><br />
<br/><br />
First presentation of OWASP materials: Edwin van Vliet, TestNet - Voorjaarsevenement, 5 april<br/><br />
First focus group meeting: To be planned!<br/><br />
<br/><br />
<br/><br />
Education<br/><br />
OWASP and universities/schools could benefit from working together. For example:<br/><br />
- OWASP provides lot's of materials usable in colleges.<br/><br />
- Develop OWASP training course.<br/><br />
- Students can participate in OWASP projects<br/><br />
- OWASP can provide a platform for supporting research. Such as thesis projects, etc.<br/><br />
- OWASP representatives could provide guest colleges.<br/><br />
<br/><br />
Ronald Eygendaal<br/><br />
Erik Poll<br/><br />
Bas van Vossen<br/><br />
Edwin van Vliet<br/><br />
<br/><br />
First focus group meeting: To be planned!<br/><br />
<br/><br />
The presentation is available here:<br/><br />
[[Media:OWASP_NL_Fortify_Software.pdf]]<br/><br />
<br />
== 9 March: Second meeting of the OWASP Netherlands local chapter! ==<br />
<br />
In this second meeting focus groups are to be formed, to discuss common problems, develop and research common solutions in a vendor neutral environment. So this is a very good opportunity to get in contact with others, to exchange knowledge and experiences on specific topics.<br/><br />
<br/><br />
For every focus group the following questions has to be answered:<br/><br />
1. Which specific topic is to be addressed?<br/><br />
2. What are the deliverables?<br/><br />
3. What is the relation to OWASP? (Current projects, materials, expertise and knowledge interchange, etc.)<br/><br />
4. Who is the central contact of the subgroup?<br/><br />
<br/><br />
It would be nice to have a bigger and more diverse group, compared to the first meeting. So let's recall: "Please, bring at least one friend, next time." And don't hesitate to send this announcement to everybody who may be interested!<br/><br />
<br/><br />
We thank Getronics PinkRoccade for offering us a venue:<br/><br />
Getronics PinkRoccade<br/><br />
Fauststraat 1<br/><br />
7323 BA Apeldoorn <br/><br />
<br/><br />
The agenda:<br/><br />
18.00 - 18.30 Check-In<br/><br />
18.30 - 18.45 Opening<br/><br />
18.45 - 19.30 Improving Security in the Application Development Life-cycle, Migchiel de Jong<br/><br />
19.30 - 20.00 Collecting focus group initiatives<br/><br />
19.45 - 20.00 Coffee break<br/><br />
20.00 - 21.00 Form focus groups<br/><br />
<br/><br />
Presentation Abstract<br/><br />
Rather than spending large amounts of time and money on proving that we have security vulnerabilities after programs go into production, companies should go to the source and correct vulnerabilities as early as possible in the development stage. It is unquestionably faster, simpler, and cheaper for developers to correct vulnerabilities as they build programs.<br/><br />
But how can development management ensure that developers focus on security when there is no time or budget for security at the development stage? Even with the correct focus, how can they learn what to look for? How can they stay ahead of the dedicated and resourceful hacker?<br/><br />
The answer is effective processes and better tools. With advanced software security tools, a developer can pinpoint vulnerabilities in a matter of seconds — the same vulnerabilities that would take a hacker or manual code reviewer weeks or even months to find. These same tools can give development and information security managers useful metrics on application vulnerabilities before they are released into deployment.<br/><br />
This talk will walk through the Application Development Life-Cycle and discuss how tools can help come to grips with software security issues in a particular phase.<br/><br />
<br/><br />
About the presenter<br/><br />
Migchiel de Jong has developed hardware and software for 10 years before joining Rational Software. During the 5 years at Rational Software (later acquired by IBM) he was involved in many software development process improvement projects. Currently Migchiel de Jong is working at Fortify Software, Palo Alto, California, as a software security engineer.<br/><br />
<br/><br />
If you want to attend send an email to owasp@irc2.nl. Please don't wait, 9 march is not that long anymore!<br/><br />
<br/><br />
All OWASP chapter meetings are free, there are never vendor pitches or sales presentations at OWASP meetings.<br/><br />
<br/><br />
NOTE TO CISSP’s: OWASP Meetings count towards CPE Credits.<br/><br />
<br />
== OWASP Netherlands kick-off meeting minutes ==<br />
<br />
On 17 November, OWASP Netherlands had it's first meeting. We moved to a bigger location, the Mercure hotel in Nieuwegein, to host all the 35 attendees.<br/><br />
<br/><br />
The agenda:<br/><br />
18.00 - 18.30 Check-In (bread & drinks)<br/><br />
18.30 - 18.45 Chapter opening<br/><br />
18.45 - 19.30 Presentation - 'Top tien web applicatie kwetsbaarheden in J2EE', Eelco Klaver<br/><br />
19.30 - 19.45 Presentation - 'Veilige webapplicaties boven alles', Mike Wardi<br/><br />
19.45 - 20.00 Coffee break<br/><br />
20.00 - 21.00 Discussion - About the OWASP Netherlands local chapter<br/><br />
<br/><br />
The discussion took place in a 'round table' session, where all attendees were able to take part. The focus of the discussion was how to give the OWASP Netherlands local chapter additional value, next to the OWASP project. What the goals and tasks will be. And which actions will have to be taken at short term.<br/><br />
Different people have interest in different subjects. In general meetings there is no time to address all subjects and address them specific enough. Therefore subgroups can be formed, focusing on specific topics. They can have their own communication channel and meetings, but should keep close contact with the OWASP body.<br/><br />
<br/><br />
An inventarisation:<br/><br />
<br/><br />
Discussion Topics<br/><br />
- Awareness: writing articles, press publications, interviews<br/><br />
- Education: contact universities, schools and their common boards. Develop and gather education materials.<br/><br />
- General: discuss ideas for OWASP NL<br/><br />
<br/><br />
Focusgroup Topics<br/><br />
- (dutch) metrics project<br/><br />
- (dutch) legal project<br/><br />
- standard framework for pentest reports<br/><br />
- safe outsourcing<br/><br />
<br/><br />
Actions that should be taken on short term are:<br/><br />
- provide communication channels<br/><br />
- plan next (sub)meetings<br/><br />
- start discussions and focusgroups<br/><br />
<br/><br />
The presentations are available here:<br/><br />
<br/><br />
[[Media:OWASP_NL_Top_Ten_Web_Application_Vulnerabilities_in_J2EE.pdf]]<br/><br />
[[Media:OWASP_NL_Veilige_Web_App_Boven_Alles.pdf]]<br/><br />
<br />
== You are welcome to the OWASP Netherlands local chapter kick-off meeting! ==<br />
<br />
Thursday, November 17th (2005) at 18.00h.<br/><br />
<br/><br />
ATTENTION! Because of the large amount of attendees, the location has changed:<br/><br />
<br/><br />
Hotel Mercure Utrecht/Nieuwegein<br/><br />
Buizerdlaan 10<br/><br />
3435 SB NIEUWEGEIN<br/><br />
Tel: 00 31 (0) 30 60 84 122<br/><br />
Fax: 00 31 (0) 30 60 38 374<br/><br />
<br/><br />
This first meeting will be an introduction to the OWASP. A constructive discussion will be held about the actual form of the OWASP Netherlands local chapter.<br/><br />
<br/><br />
The agenda:<br/><br />
18.00 - 18.30 Check-In (bread & drinks)<br/><br />
18.30 - 18.45 Chapter opening<br/><br />
18.45 - 19.30 Presentation - 'Top tien web applicatie kwetsbaarheden in J2EE', Eelco Klaver<br/><br />
19.30 - 19.45 Presentation - 'Veilige webapplicaties boven alles', Mike Wardi<br/><br />
19.45 - 20.00 Coffee break<br/><br />
20.00 - 21.00 Discussion - About the OWASP Netherlands local chapter<br/><br />
<br/><br />
About the presenters<br/><br />
<br/><br />
Eelco Klaver<br/><br />
Eelco Klaver is a senior consultant for Xebia IT Architects, since 2003. Doing software reviews, security audits and giving security workshops are part of his job. He has almost 10 years experience with developing enterprise applications in J2EE for different employees. At the moment, Eelco is the front man of the security business unit for Xebia, focussing on the security aspects of enterprise applications build on J2EE.<br/><br />
<br/><br />
Mike Wardi<br/><br />
Mike Wardi is an internet application manager for a financial institute. He's responsible for the safety of internet applications provided to customers and the implementation of the security policies in software developement.<br/><br />
<br/><br />
<br/><br />
If you want to attend, please send an email to owasp-nl@ascure.com or the mailing list.<br/><br />
<br/><br />
All OWASP chapter meetings are free! There are never vendor pitches or sales presentations at OWASP meetings.<br/><br />
<br/><br />
NOTE TO CISSP’s: OWASP Meetings count towards CPE Credits.<br/><br />
<br/></div>Dvsteinhttps://wiki.owasp.org/index.php?title=Netherlands&diff=46549Netherlands2008-11-19T16:49:10Z<p>Dvstein: /* Meeting October 27th 2008: Privacy and the Internet */</p>
<hr />
<div>{{Chapter Template|chaptername=Netherlands|extra=The chapter leader is [mailto:owasp@irc2.nl Bert Koelewijn]<br />
<paypal>Netherlands</paypal><br />
|mailinglistsite=http://lists.owasp.org/mailman/listinfo/owasp-netherlands|emailarchives=http://lists.owasp.org/pipermail/owasp-netherlands}}<br />
<br />
== Meeting schedule 2008 ==<br />
This is an overview of the 2008 local chapter meeting schedule. Details of the meetings can be found in the announcements that will be posted below this schedule.<br />
<pre><br />
March 26th<br />
----------<br />
Time : 17.30 - 21.30<br />
Main Topic : Software Vulnerability assessment<br />
Presentations: Complex(ity) matters, Mario de Boer (Dutch)<br />
V.A.C. SQL injection, Marinus Kuivenhoven (Dutch)<br />
Secure Programming with Static Analysis, Brian Chess (English) <br />
Location : Mercure Utrecht Nieuwegein, Buizerdlaan 10, 3435 SB Nieuwegein<br />
Sponsor : Fortify Software<br />
<br />
Oktober 27th<br />
----------<br />
Time : 17.30 - 21.30<br />
Main Topic : Privacy and the Internet<br />
Presentations: Privacy and Internet (Dutch), Frank Fruijthoff and Ellen Hoving<br />
Vulnerability and source code scanners. (Dutch) Emile Strijbos <br />
Location : ps_testware B.V., Dorpsstraat 26, 3941 JM DOORN<br />
Sponsor : ps_testware B.V.<br />
</pre><br />
== Meeting minutes October 27th 2008 ==<br />
<br />
At October 27th, the Dutch OWASP chapter came together at the office of the sponsor of the evening; ps_testware in Doorn. The subject of the evening was 'Privacy and the Internet’. There were 2 speakers and approximately 25 attendees.<br/><br />
<br/><br />
After a short welcome talk by both the sponsor and OWASP, Mario de Boer had an announcement about a new OWASP project; ORPRO, the Open Review Project. The goal of the project is to review Open Source Software from an independent point of view. Reviews will be done both manually and with the aid of source code analysis software provided by Fortify. The first software package to be reviewed is already available so reviewers are needed. More information can be found on the OWASP project page. [http://www.owasp.org/index.php/Category:OWASP_Open_Review_Project]v<br />
<br/><br />
The first presentation of the evening was about "Privacy & the Internet" which was presented by Frank Fruijthoff and Ellen Hoving. <br/><br />
The goal of this presentation was to show the problems in regulating privacy on the internet by law. The presentation was roughly split in 3 parts: definitions, requirements and context. <br/><br />
The main problem with regulating privacy is that the concept of privacy is very broad and not well defined. Privacy can have different meanings and consequences in different contexts. Most laws therefore focus on the individual and define privacy as 'protection of personal information' where 'personal information' is all data that can be tracked back to a single person. The last years many countries within the EU developed internet laws concerning privacy on the internet. These laws state that information can only be used what it originally was intended for and usage of that information must be reported at central register. This register also makes it possible to file a complaint and check what companies use personal information for what purposes. While these rules are mostly sufficient for local databases they often fail when applied to information stored on or with use of the internet. Problems encountered are captured in the "four D's";<br/><br />
- Internet is deterritorialized; internet has no boundaries.<br/><br />
- Internet is deregulated; internet has no law, only terms of use.<br/><br />
- Internet is dematerialized; internet is not physical.<br/><br />
- Internet is decentralized; there is no single regulating or controlling organization.<br/><br />
Although the protection of personal data is more and more covered by laws, the increasing usage of external storage and connections over the internet will make it harder to enforce them. The main conclusion of the evening was that, although many initiatives improving privacy exist, the very properties of the internet make it hard to ensure privacy completely. <br/><br />
<br/><br />
The second presentation of the evening was presented by E. Strijbos. He showed the results of his research concerning the feasibility of a Web Application Security Certification by the usage of vulnerability scanners.<br/><br />
With the daily increasing amount of threads and vulnerabilities in web applications there is a market-driven demand for an independent and automated scan service. Current scan services often lack coverage and depth of scanning and give no details about the used scanning methods.<br/><br />
In this research several commercial vulnerability scanners and static analysis tools were compared and checked for scantime, accuracy, false positives, and ease of use. The results showed that almost all scanners find most of the vulnerabilities, but also produce many false positives. Also, without proper configuration the amount of results can be overwhelming and inconclusive. Furthermore results showed that static analysis scanners are much faster than vulnerability scanners, but have a more limited usage. The main conclusion was that although vulnerability scanners and static analysis tools can be very helpful in identifying vulnerabilities, their current efficiency is not high enough to use as the basis for an automated vulnerability scan.<br/><br />
<br />
<br />
== Meeting October 27th 2008: Privacy and the Internet ==<br />
'''Summary'''<br/><br />
The main goal of the upcoming OWASP-NL meeting is to provide information to developers and security professionals about personal and technical privacy on the internet. The speakers focus on privacy regulations related to the internet and on the mass amount of personal and technical information available about persons and companies on the internet, with and without their consent. Furthermore tools will be discussed that help prevent leakage of privacy related and other kind of data. They will give specific examples and there will be time to ask questions.<br/><br />
Please register before October 20th because of the necessary catering arrangements.<br/><br />
<br/><br />
'''Location'''<br/><br />
The location and catering is provided by the sponsor of this meeting:<br/><br />
<table><br />
<tr><br />
<td width="350"><br />
ps_testware B.V.<br/><br />
Dorpsstraat 26,<br/><br />
3941 JM DOORN<br/><br />
</td><br />
<td width="350"><br />
[[Image:Pstestware.jpg|100px]]<br />
</td><br />
</tr><br />
<tr><br />
<td width="350"><br />
The location has parking facilities for 15 cars. However parking in the direct vicinity of ps_testware shouldn’t be a problem.<br/><br />
</td><br />
<td width="350"><br />
ps_testware delivers services related to software testing and software quality. In the field of software development, quality, time-to-market, business processes and software acceptance they play the role of "your devil's advocate" as an independent, flexible and specialized partner.<br/><br />
For more information please visit: www.pstestware.com.<br/><br />
</td><br />
</tr><br />
</table><br />
<br/><br />
<br/><br />
'''Program'''<br/><br />
17.30 - 18.30 '''Check-In''' (catering included)<br/><br />
<br/><br />
18.30 – 19:00 '''Introduction''' (OWASP organization, projects, sponsor)<br/><br />
<br/><br />
19.00 - 20.15 '''Privacy and Internet''' (Dutch), Frank Fruijthoff and Ellen Hoving<br/><br />
In this presentation the general principles of privacy laws in the Netherlands and the EU and specifically privacy and the internet will be covered.<br/><br />
Frank Fruijthoff is a Compliance Officer with ING. He has a Compliance and Risk Management background and is specialised in privacy.<br/><br />
Ellen Hoving is a graduated lawyer. She works as an independent consultant specialized in compliance and privacy.<br/><br />
<br/><br />
20.15 – 20:30 '''Break'''<br/><br />
<br/><br />
20:30 – 21:00 '''Vulnerability and source code scanners''' (Dutch), Emile Strijbos<br />
<br/><br />
For his Master thesis in computer science at the Radboud Universiteit in Nijmegen, Emile Strijbos investigated vulnerability scanners and source code scanners. These are automated tools that try to detect security flaws, either in running web-applications or in their source code.<br/><br />
Emile tried out several of these tools, including both free and commercial ones, to see how good they are at detecting standard vulnerabilities, such as SQL injection, XSS, CSRF, etc.<br/><br />
<br/><br />
21.00 – 21:30 '''Discussion, questions and social'''<br/><br />
<br/><br />
If you want to attend, please send an email to: owasp@irc2.com.<br><br />
Please register before October 20th, because of the necessary catering arrangements. The number of registries is limited to 50 due to the capacity of the location and will be handled in order of receipt.<br/><br />
<br/><br />
All OWASP chapter meetings are free of charge and you don’t have to be an OWASP member to attend. There are never any vendor pitches or sales presentations at OWASP meetings.<br/><br />
<br/><br />
NOTE TO CISSP's: OWASP Meetings count towards CPE Credits.<br/><br />
<br/><br />
The announcement and full descriptions can be found here:<br/><br />
[[Media:Announcement_27_Oktober.pdf]]<br/><br />
<br />
== Meeting March 26th 2008: Software Vulnerability assessment ==<br />
'''Summary'''<br/><br />
The main goal of the upcoming OWASP-NL meeting is to provide information to developers and security professionals involved in creating secure (web-)applications. The main focus will be on software vulnerability assessment. The speakers will give specific examples and of course there is time to ask questions about your own experiences.<br/><br />
<br/><br />
'''Location'''<br/><br />
The location and catering is provided by the sponsor of this meeting:<br/><br />
<table><br />
<tr><br />
<td width="350"><br />
Mercure Utrecht Nieuwegein<br/><br />
Buizerdlaan 10,<br/><br />
3435 SB Nieuwegein<br/><br />
</td><br />
<td width="350"><br />
[[Image:Fortify.JPG|143px]]<br />
</td><br />
</tr><br />
<tr><br />
<td width="350"><br />
</td><br />
<td width="350"><br />
Fortify Software products protect companies from today’s greatest security risk: the software applications that run their businesses. Combining deep application security expertise with extensive software development experience, Fortify Software has defined the market with award-winning products that span the software development cycle. Today, Fortify Software fortifies the software for the most demanding customer deployments, including the world’s largest, most varied code bases.<br/><br />
<br/><br />
For more information please visit:<br/><br />
www.fortify.com<br/><br />
</td><br />
</tr><br />
</table><br />
<br/><br />
<br/><br />
'''Program'''<br/><br />
17.30 - 18.30 '''Check-In''' (catering included)<br/><br />
<br/><br />
18.30 - 18:50 '''Introduction''' (OWASP, sponsor)<br/><br />
<br/><br />
18.50 - 19.30 '''Complex(ity) matters''' (Dutch), Mario de Boer<br/><br />
Various methods exist to locate specific vulnerabilities in software. In the presentation we will look at static analysis of binaries, and the problems we face when trying to locate vulnerabilities. Several ideas will be discussed to make the search easier, but at the same time less exact. The first idea is trivial: automate as much as possible. The second idea is nearly trivial: don't aim at exact vulnerabilities but relax the search to locating potential vulnerabilities. We will give examples that illustrate the results.<br/><br />
Mario de Boer is a senior security consultant at Logica, and as such focuses on security management aspects like security frameworks, compliance, monitoring and control and risk management. Before joining Logica, Mario worked at the Dutch ministries of Defense and Justice, he co-founded a security company and worked as a project manager in the financial sector. For several years he taught courses in software security analysis and secure software development. Besides security management, Mario has interest in software security, reverse engineering and cryptography. Within Logica Netherlands, he is knowledge manager application security. Mario holds a PhD in Mathematics and is CISA and CISSP.<br/><br />
<br/><br />
19.30 - 19:50 '''Break'''<br/><br />
<br/><br />
19:50 - 20:20 '''V.A.C: SQL injection''' (Dutch), Marinus Kuivenhoven<br />
<br/><br />
<u>'''V'''ulnerability:</u><br/><br />
An application which uses a database for its information needs, communicates with it trough SQL. SQL injection is an attack in which malicious code is inserted into strings that are later passed to an instance of a Database for parsing and execution.<br/><br />
<u>'''A'''ssessment:</u><br/><br />
SQL injection can threaten the confidentiality, availability and integrity of the data. The various types of SQL injection and their impact will be shown.<br/><br />
<u>'''C'''ountermeasure:</u><br/><br />
Any procedure that constructs SQL statements should be reviewed for injection vulnerabilities because a database will execute all syntactically valid queries that it receives. How this should be done will be shown for the most popular languages.<br/><br />
Marinus is a Technology Specialist with Sogeti Nederland B.V. specializing in service oriented architectures and secure application development. His experience includes developing and administrating Oracle-based systems.<br/><br />
<br/><br />
20.20 - 21.00 '''Secure Programming with Static Analysis''' (English), Brian Chess<br/><br />
Creating secure code requires more than just good intentions. Programmers need to know how to make their code safe in an almost infinite number of scenarios and configurations. Static source code analysis gives users the ability to review their work with a fine tooth comb and uncover the kinds of errors that lead directly to vulnerabilities. This talk frames the software security problem and shows how static analysis is part of the solution. We will look at how static analysis works, how to integrate it into the software development processes, and how to make the most of it during security code review. Along the way we'll look at examples taken from real-world security incidents, showing how coding errors are exploited, how they could have been prevented, and how static analysis can rapidly uncover similar errors.<br/><br />
Brian Chess is a founder of Fortify Software and serves as Fortify's Chief Scientist, where his work focuses on practical methods for creating secure systems. His book, Secure Programming with Static Analysis, shows how static source code analysis is an indispensable tool for getting security right. Brian holds a Ph.D. in computer engineering from the University of California at Santa Cruz, where he studied the application of static analysis to the problem of finding security-relevant defects in source code. Before settling on security, Brian spent a decade in Silicon Valley working at huge companies and small startups. He has done research on a broad set of topics, ranging from integrated circuit design all the way to delivering software as a service.<br/><br />
<br/><br />
21.00 - 21:30 '''Discussion, questions and social'''<br/><br />
<br/><br />
'''Registration'''<br/><br />
If you want to attend, please send an email to: owasp@irc2.com.<br/><br />
<br/><br />
All OWASP chapter meetings are free of charge and you don’t have to be an OWASP member to attend. There are never any vendor pitches or sales presentations at OWASP meetings.<br/><br />
<br/><br />
NOTE TO CISSP's: OWASP Meetings count towards CPE Credits.<br/><br />
<br/><br />
<br />
== Meeting December 20th 2007: Secure Development ==<br />
'''Summary'''<br/><br />
The main goal of the upcoming OWASP-NL meeting is to provide information to developers and security professionals involved in creating secure (web-)applications. The general and specific security issues involved on project and programming level will be covered from a practical as well as a theoretical point of view. The speakers will give specific examples and of course there is time to ask questions about your own experiences.<br/><br />
Please register before December the 14th because of the necessary catering arrangements.<br/><br />
<br/><br />
'''Location'''<br/><br />
The location and catering is provided by the sponsor of this meeting:<br/><br />
<table><br />
<tr><br />
<td width="350"><br />
ps_testware B.V.<br/><br />
Dorpsstraat 26,<br/><br />
3941 JM DOORN<br/><br />
</td><br />
<td width="350"><br />
[[Image:Pstestware.jpg|100px]]<br />
</td><br />
</tr><br />
<tr><br />
<td width="350"><br />
The location has parking facilities for 15 cars. However parking in the direct vicinity of ps_testware shouldn’t be a problem.<br/><br />
</td><br />
<td width="350"><br />
ps_testware delivers services related to software testing and software quality. In the field of software development, quality, time-to-market, business processes and software acceptance they play the role of "your devil's advocate" as an independent, flexible and specialized partner.<br/><br />
For more information please visit: www.pstestware.com.<br/><br />
</td><br />
</tr><br />
</table><br />
<br/><br />
<br/><br />
'''Program'''<br/><br />
17.30 - 18.30 '''Check-In''' (catering included)<br/><br />
<br/><br />
18.30 – 19:00 '''Introduction''' (OWASP organization, projects, sponsor)<br/><br />
<br/><br />
19.00 - 19.30 '''Practices of developing optimal security''' (dutch), Andre Post<br/><br />
This presentation highlights a number of current practices that lead to sub-optimal security, and suggests ways of avoiding these problems, focusing on the technical side of development.<br/><br />
André Post works for Fox-IT on a variety of projects including core product development, software architecting, security code reviews, and software project management.<br/><br />
<br/><br />
19.30 – 19:45 '''Break'''<br/><br />
<br/><br />
19:45 – 20:30 '''Problems of developing secure and correct applications''' (dutch), Erik Poll [http://www.cs.ru.nl/~erikpoll/talks/OWASP2007.pdf (slides of the presentation)]<br />
<br/><br />
This presentation will discuss different possibilities to improve software security. The problem of getting time and money available to be spend on security, not only for developing applications, but also for developing programming languages, will be raised.<br/><br />
Erik Poll is head of the Security of Systems (SoS) group at the Radboud University of Nijmegen. His research does focus on the security and correctness of software.<br/><br />
<br/><br />
20.30 - 21.00 '''Protecting Web services and Web applications against security threats''' (dutch), Rix Groenboom<br/><br />
During this session, Rix will explore how to implement development and security best practices in the code to make sure that your webservices and applications perform solidly when they are being hacked or used in malicious ways.<br/><br />
Rix Groenboom supports fortune 2000 companies in field automated software error prevention and correction for Parasoft. His main area of expertise is in the use of formal languages for the specification, design and validation of software applications.<br/><br />
<br/><br />
21.00 – 21:30 '''Discussion, questions and social'''<br/><br />
<br/><br />
All OWASP chapter meetings are free of charge and you don’t have to be an OWASP member to attend. There are never any vendor pitches or sales presentations at OWASP meetings.<br/><br />
<br/><br />
NOTE TO CISSP's: OWASP Meetings count towards CPE Credits.<br/><br />
<br/><br />
The announcement and full descriptions can be found here:<br/><br />
[[Media:Announcement_20_December.pdf]]<br/><br />
[[Media:Announcement_20_December_2.pdf]]<br/><br />
<br />
== Meeting September 13th: putting initiatives into practice ==<br />
<br />
The main goal of the next OWASP meeting is finding a way to put initiatives and all offered help into a form of structural benefit for the OWASP Netherlands local chapter. As a starting point for the discussion, examples will be taken from other European chapters and input delivered by discussions that take place on the mailing list is considered too. Let this be a call to put your ideas on the mailing list before the next meeting!<br/><br />
<br/><br />
The location is provided by the sponsor of this meeting:<br/><br />
Comsec Consulting BV<br/><br />
Rivium Boulevard 102<br/><br />
2909LK Capelle aan den IJssel<br/><br />
<br/><br />
The agenda:<br/><br />
18.00 - 18.30 Check-In (catering included)<br/><br />
18.30 - 18.45 OWASP update, Bert Koelewijn<br/><br />
18.45 - 19.15 Security Best Practices for .NET, Boaz Shunami<br/><br />
19.15 - 20.00 Discussion: collecting ideas and initiatives<br/><br />
20.00 - 20.15 Coffee break<br/><br />
20.15 - 21.00 Discussion: how to enable community commitment<br/><br />
21.00 - 21.30 Closing discussion and coffee<br/><br />
<br/><br />
Boaz Shunami<br/><br />
Boaz is manager of the Application Security department of Comsec Europe. He has 11 years of experience in the IT Security field, and a large part of them in Application Security.<br/><br />
Boaz did numerous application security audits in very large organizations and is recognized as one of the greatest expert’s world wide. Boaz' expertise is broad, but especially in-depth for the .NET platform.<br/><br />
<br/><br />
Discussion input (until now)<br/><br />
- division of local chapter work load by multiple people<br/><br />
- collaboration with other organizations<br/><br />
<br/><br />
If you want to attend send an email to owasp@irc2.com.<br/><br />
<br/><br />
All OWASP chapter meetings are free, there are never vendor pitches or sales presentations at OWASP meetings.<br/><br />
<br/><br />
NOTE TO CISSP's: OWASP Meetings count towards CPE Credits.<br/><br />
<br />
== Meeting minutes Januar 11th 2007 ==<br />
<br />
January 11th, the Dutch OWASP chapter came together at the office of Sogeti Netherlands. Subject of the evening was 'putting software security into practice'. The group was small but select.<br/><br />
<br/><br />
The agenda:<br/><br />
18.00 - 18.30 Check-In (catering included)<br/><br />
18.30 - 18.45 Sponsor opening<br/><br />
18.45 - 19.00 OWASP update, Bert Koelewijn<br/><br />
19.00 - 19.30 Implementation of Security by Design, Martin Knobloch<br/><br />
19.30 - 19.45 Panel introduction<br/><br />
19.45 - 20.00 Coffee break<br/><br />
20.00 - 21.30 Panel discussion<br/><br />
<br/><br />
After being welcomed by Frank Langeveld from Sogeti and Bert Koelewijn, Dutch chapter leader, the evening started with the presentation 'Security By Design'. During the presentation Martin Knobloch told about his experiences during the implementation of the Secure Development Life Cycle in a company like Sogeti Nederland B.V.<br/><br />
<br/><br />
The presentation is available here:<br/><br />
[[Media:Implementation_of_Security_by_Design.ppt]]<br/><br />
<br/><br />
After a small break, the panel discussion started with the following panel: Henk van der Heijden - Comsec Consulting, Dr.ir. Mario de Boer - LogicaCMG and Martin Knobloch - Sogeti Nederland.<br/><br />
During the discussion, it became clear people are struggling to get the Secure Development Life Cycle implemented in their company. The various experiences were shared with the panel and the others. Company typical problems and common misunderstandings about Software security where brought up.<br/><br />
The consensus of the discussion was that the main problem lies in the lack of security awareness and knowledge of the managers and the developers. And this of course is exactly where OWASP comes in…<br/><br />
<br/><br />
<br />
== Meeting Januar 11th 2007 ==<br />
<br />
The OWASP meeting of 11 January is about putting software security into practice. A lot of books, standards, organizations and consultants tell us how we should develop secure software. But which methods and measures are commonly adopted and which are not and why?<br/><br />
This will be the main focus of the discussion that we will have with a panel of people that experienced implementing software security in the field.<br/><br />
<br/><br />
The location is provided by the sponsor of this meeting:<br/><br />
Sogeti Nederland B.V.<br/><br />
"La Charmille" building<br/><br />
Lange Dreef 17<br/><br />
4131 NJ Vianen<br/><br />
<br/><br />
The agenda:<br />
<br/><br />
18.00 - 18.30 Check-In (catering included)<br/><br />
18.30 - 18.45 Sponsor opening<br/><br />
18.45 - 19.00 OWASP update, Bert Koelewijn<br/><br />
19.00 - 19.30 Implementation of Security by Design, Martin Knobloch<br/><br />
19.30 - 19.45 Panel introduction<br/><br />
19.45 - 20.00 Coffee break<br/><br />
20.00 - 21.30 Panel discussion<br/><br />
<br/><br />
Implementation of Security by Design<br/><br />
What is needed to implement a 'Secure Development Life Cycle' within Sogeti Nederland? The speaker started a project called 'Security by Design' in march 2006 implementing a SDLC at Sogeti Nederland.<br/><br />
In his presentation, the speaker will share his technical and organizational experiences that he gained with the still ongoing implementation.<br/><br />
<br/><br />
About the speaker<br/><br />
Martin Knobloch has more than 8 years experience in design and development of J2EE applications for customers in various sectors of the market. In September 2003 Martin Knobloch started working for Sogeti Nederland, where he does the design, development and review of J2EE applications and architectures.<br/><br />
From this background, Martin Knobloch experienced the threats of insecure software firsthand. In march 2006, Martin Knobloch started implementing a SDLC within Sogeti Nederland.<br/><br />
<br/><br />
Panel discussion<br/><br />
The panel members are:<br/><br />
Henk van der Heijden, Managing Director - Comsec Consulting B.V.<br/><br />
Dr.ir. Mario de Boer, Security Consultant - LogicaCMG<br/><br />
Martin Knobloch, Senior Technologie Specialist - Sogeti Nederland B.V.<br/><br />
<br/><br />
In the discussion, we will try to find answers to questions like:<br/><br />
- What are the most common security practices in software development?<br/><br />
- How effective are those practices?<br/><br />
- Where do we start practicing security?<br/><br />
- What should be the most common security practices in software development?<br/><br />
- How much does security cost?<br/><br />
- How does the Systems Security Engineering Capability Maturity Model (SSE-CMM) fit in?<br/><br />
<br/><br />
If you want to attend send an email to owasp@irc2.com.<br/><br />
<br/><br />
All OWASP chapter meetings are free, there are never vendor pitches or sales presentations at OWASP meetings.<br/><br />
<br/><br />
NOTE TO CISSP’s: OWASP Meetings count towards CPE Credits.<br/><br />
<br />
== OWASP Netherlands meeting minutes ==<br />
<br />
On 9 march, the second meeting of OWASP Netherlands local chapter took place. GetronicsPinkRoccade provided the venue, in their luxury conference centre: Connection I.<br/><br />
<br/><br />
Agenda:<br/><br />
18.00 - 18.45 Check-In (bread & drinks)<br/><br />
18.45 - 19.00 Opening<br/><br />
19.00 - 20.00 Improving Security in the Application Development Life-cycle, Migchiel de Jong<br/><br />
20.00 - 20.15 Coffee break<br/><br />
20.15 - 22.00 Form focus groups<br/><br />
<br/><br />
The presentation of Migchiel de Jong was found very interesting by the audience. At the end of his presentation, he demonstrated a static code analysis of the OWASP webgoat application.<br/><br />
<br/><br />
After the coffee break, the attendances started discussing about the largest common topics of interest in the web application security field, in relation to the OWASP Netherlands chapter. As a result, the following focus groups are formed:<br/><br />
<br/><br />
Testing<br/><br />
The current OWASP Testing project and the Open Source Security Testing Methodology Manual of ISECOM, provide guidelines and best practices for testers. These guidelines can be used to formalize a standard structure and a set of minimum requirements for a security test. Clients could ask a tester to adhere to these guidelines.<br/><br />
A second idea is to standardize the testing results management report. In practice, testing could result in piles of paper with all the findings. The real value is reporting it in a usable way. For example: mapping technical findings to business risks.<br/><br />
<br/><br />
Frans v. Buul<br/><br />
Peter Gouwentak<br/><br />
Arthur Donkers<br/><br />
Eelco Klaver<br/><br />
Migchiel de Jong<br/><br />
Mario de Boer<br/><br />
<br/><br />
First focus group meeting: Monday 27 march, 18:00h, PwC Utrecht<br/><br />
<br/><br />
<br/><br />
Public Relations<br/><br />
This focus group will try to make business aware of the security impact that developing, hosting and using web applications has. What OWASP is and how OWASP can help. This can be done by giving presentations, writing papers and articles, word of mouth, etc. etc.<br/><br />
<br/><br />
Remco Bakker<br/><br />
Ronald Eygendaal<br/><br />
Bas van Vossen<br/><br />
Edwin van Vliet<br/><br />
Eelco Klaver<br/><br />
<br/><br />
First presentation of OWASP materials: Edwin van Vliet, TestNet - Voorjaarsevenement, 5 april<br/><br />
First focus group meeting: To be planned!<br/><br />
<br/><br />
<br/><br />
Education<br/><br />
OWASP and universities/schools could benefit from working together. For example:<br/><br />
- OWASP provides lot's of materials usable in colleges.<br/><br />
- Develop OWASP training course.<br/><br />
- Students can participate in OWASP projects<br/><br />
- OWASP can provide a platform for supporting research. Such as thesis projects, etc.<br/><br />
- OWASP representatives could provide guest colleges.<br/><br />
<br/><br />
Ronald Eygendaal<br/><br />
Erik Poll<br/><br />
Bas van Vossen<br/><br />
Edwin van Vliet<br/><br />
<br/><br />
First focus group meeting: To be planned!<br/><br />
<br/><br />
The presentation is available here:<br/><br />
[[Media:OWASP_NL_Fortify_Software.pdf]]<br/><br />
<br />
== 9 March: Second meeting of the OWASP Netherlands local chapter! ==<br />
<br />
In this second meeting focus groups are to be formed, to discuss common problems, develop and research common solutions in a vendor neutral environment. So this is a very good opportunity to get in contact with others, to exchange knowledge and experiences on specific topics.<br/><br />
<br/><br />
For every focus group the following questions has to be answered:<br/><br />
1. Which specific topic is to be addressed?<br/><br />
2. What are the deliverables?<br/><br />
3. What is the relation to OWASP? (Current projects, materials, expertise and knowledge interchange, etc.)<br/><br />
4. Who is the central contact of the subgroup?<br/><br />
<br/><br />
It would be nice to have a bigger and more diverse group, compared to the first meeting. So let's recall: "Please, bring at least one friend, next time." And don't hesitate to send this announcement to everybody who may be interested!<br/><br />
<br/><br />
We thank Getronics PinkRoccade for offering us a venue:<br/><br />
Getronics PinkRoccade<br/><br />
Fauststraat 1<br/><br />
7323 BA Apeldoorn <br/><br />
<br/><br />
The agenda:<br/><br />
18.00 - 18.30 Check-In<br/><br />
18.30 - 18.45 Opening<br/><br />
18.45 - 19.30 Improving Security in the Application Development Life-cycle, Migchiel de Jong<br/><br />
19.30 - 20.00 Collecting focus group initiatives<br/><br />
19.45 - 20.00 Coffee break<br/><br />
20.00 - 21.00 Form focus groups<br/><br />
<br/><br />
Presentation Abstract<br/><br />
Rather than spending large amounts of time and money on proving that we have security vulnerabilities after programs go into production, companies should go to the source and correct vulnerabilities as early as possible in the development stage. It is unquestionably faster, simpler, and cheaper for developers to correct vulnerabilities as they build programs.<br/><br />
But how can development management ensure that developers focus on security when there is no time or budget for security at the development stage? Even with the correct focus, how can they learn what to look for? How can they stay ahead of the dedicated and resourceful hacker?<br/><br />
The answer is effective processes and better tools. With advanced software security tools, a developer can pinpoint vulnerabilities in a matter of seconds — the same vulnerabilities that would take a hacker or manual code reviewer weeks or even months to find. These same tools can give development and information security managers useful metrics on application vulnerabilities before they are released into deployment.<br/><br />
This talk will walk through the Application Development Life-Cycle and discuss how tools can help come to grips with software security issues in a particular phase.<br/><br />
<br/><br />
About the presenter<br/><br />
Migchiel de Jong has developed hardware and software for 10 years before joining Rational Software. During the 5 years at Rational Software (later acquired by IBM) he was involved in many software development process improvement projects. Currently Migchiel de Jong is working at Fortify Software, Palo Alto, California, as a software security engineer.<br/><br />
<br/><br />
If you want to attend send an email to owasp@irc2.nl. Please don't wait, 9 march is not that long anymore!<br/><br />
<br/><br />
All OWASP chapter meetings are free, there are never vendor pitches or sales presentations at OWASP meetings.<br/><br />
<br/><br />
NOTE TO CISSP’s: OWASP Meetings count towards CPE Credits.<br/><br />
<br />
== OWASP Netherlands kick-off meeting minutes ==<br />
<br />
On 17 November, OWASP Netherlands had it's first meeting. We moved to a bigger location, the Mercure hotel in Nieuwegein, to host all the 35 attendees.<br/><br />
<br/><br />
The agenda:<br/><br />
18.00 - 18.30 Check-In (bread & drinks)<br/><br />
18.30 - 18.45 Chapter opening<br/><br />
18.45 - 19.30 Presentation - 'Top tien web applicatie kwetsbaarheden in J2EE', Eelco Klaver<br/><br />
19.30 - 19.45 Presentation - 'Veilige webapplicaties boven alles', Mike Wardi<br/><br />
19.45 - 20.00 Coffee break<br/><br />
20.00 - 21.00 Discussion - About the OWASP Netherlands local chapter<br/><br />
<br/><br />
The discussion took place in a 'round table' session, where all attendees were able to take part. The focus of the discussion was how to give the OWASP Netherlands local chapter additional value, next to the OWASP project. What the goals and tasks will be. And which actions will have to be taken at short term.<br/><br />
Different people have interest in different subjects. In general meetings there is no time to address all subjects and address them specific enough. Therefore subgroups can be formed, focusing on specific topics. They can have their own communication channel and meetings, but should keep close contact with the OWASP body.<br/><br />
<br/><br />
An inventarisation:<br/><br />
<br/><br />
Discussion Topics<br/><br />
- Awareness: writing articles, press publications, interviews<br/><br />
- Education: contact universities, schools and their common boards. Develop and gather education materials.<br/><br />
- General: discuss ideas for OWASP NL<br/><br />
<br/><br />
Focusgroup Topics<br/><br />
- (dutch) metrics project<br/><br />
- (dutch) legal project<br/><br />
- standard framework for pentest reports<br/><br />
- safe outsourcing<br/><br />
<br/><br />
Actions that should be taken on short term are:<br/><br />
- provide communication channels<br/><br />
- plan next (sub)meetings<br/><br />
- start discussions and focusgroups<br/><br />
<br/><br />
The presentations are available here:<br/><br />
<br/><br />
[[Media:OWASP_NL_Top_Ten_Web_Application_Vulnerabilities_in_J2EE.pdf]]<br/><br />
[[Media:OWASP_NL_Veilige_Web_App_Boven_Alles.pdf]]<br/><br />
<br />
== You are welcome to the OWASP Netherlands local chapter kick-off meeting! ==<br />
<br />
Thursday, November 17th (2005) at 18.00h.<br/><br />
<br/><br />
ATTENTION! Because of the large amount of attendees, the location has changed:<br/><br />
<br/><br />
Hotel Mercure Utrecht/Nieuwegein<br/><br />
Buizerdlaan 10<br/><br />
3435 SB NIEUWEGEIN<br/><br />
Tel: 00 31 (0) 30 60 84 122<br/><br />
Fax: 00 31 (0) 30 60 38 374<br/><br />
<br/><br />
This first meeting will be an introduction to the OWASP. A constructive discussion will be held about the actual form of the OWASP Netherlands local chapter.<br/><br />
<br/><br />
The agenda:<br/><br />
18.00 - 18.30 Check-In (bread & drinks)<br/><br />
18.30 - 18.45 Chapter opening<br/><br />
18.45 - 19.30 Presentation - 'Top tien web applicatie kwetsbaarheden in J2EE', Eelco Klaver<br/><br />
19.30 - 19.45 Presentation - 'Veilige webapplicaties boven alles', Mike Wardi<br/><br />
19.45 - 20.00 Coffee break<br/><br />
20.00 - 21.00 Discussion - About the OWASP Netherlands local chapter<br/><br />
<br/><br />
About the presenters<br/><br />
<br/><br />
Eelco Klaver<br/><br />
Eelco Klaver is a senior consultant for Xebia IT Architects, since 2003. Doing software reviews, security audits and giving security workshops are part of his job. He has almost 10 years experience with developing enterprise applications in J2EE for different employees. At the moment, Eelco is the front man of the security business unit for Xebia, focussing on the security aspects of enterprise applications build on J2EE.<br/><br />
<br/><br />
Mike Wardi<br/><br />
Mike Wardi is an internet application manager for a financial institute. He's responsible for the safety of internet applications provided to customers and the implementation of the security policies in software developement.<br/><br />
<br/><br />
<br/><br />
If you want to attend, please send an email to owasp-nl@ascure.com or the mailing list.<br/><br />
<br/><br />
All OWASP chapter meetings are free! There are never vendor pitches or sales presentations at OWASP meetings.<br/><br />
<br/><br />
NOTE TO CISSP’s: OWASP Meetings count towards CPE Credits.<br/><br />
<br/></div>Dvsteinhttps://wiki.owasp.org/index.php?title=Netherlands&diff=46548Netherlands2008-11-19T16:47:30Z<p>Dvstein: /* OWASP Netherlands meeting minutes */</p>
<hr />
<div>{{Chapter Template|chaptername=Netherlands|extra=The chapter leader is [mailto:owasp@irc2.nl Bert Koelewijn]<br />
<paypal>Netherlands</paypal><br />
|mailinglistsite=http://lists.owasp.org/mailman/listinfo/owasp-netherlands|emailarchives=http://lists.owasp.org/pipermail/owasp-netherlands}}<br />
<br />
== Meeting schedule 2008 ==<br />
This is an overview of the 2008 local chapter meeting schedule. Details of the meetings can be found in the announcements that will be posted below this schedule.<br />
<pre><br />
March 26th<br />
----------<br />
Time : 17.30 - 21.30<br />
Main Topic : Software Vulnerability assessment<br />
Presentations: Complex(ity) matters, Mario de Boer (Dutch)<br />
V.A.C. SQL injection, Marinus Kuivenhoven (Dutch)<br />
Secure Programming with Static Analysis, Brian Chess (English) <br />
Location : Mercure Utrecht Nieuwegein, Buizerdlaan 10, 3435 SB Nieuwegein<br />
Sponsor : Fortify Software<br />
<br />
Oktober 27th<br />
----------<br />
Time : 17.30 - 21.30<br />
Main Topic : Privacy and the Internet<br />
Presentations: Privacy and Internet (Dutch), Frank Fruijthoff and Ellen Hoving<br />
Vulnerability and source code scanners. (Dutch) Emile Strijbos <br />
Location : ps_testware B.V., Dorpsstraat 26, 3941 JM DOORN<br />
Sponsor : ps_testware B.V.<br />
</pre><br />
== Meeting October 27th 2008: Privacy and the Internet ==<br />
'''Summary'''<br/><br />
The main goal of the upcoming OWASP-NL meeting is to provide information to developers and security professionals about personal and technical privacy on the internet. The speakers focus on privacy regulations related to the internet and on the mass amount of personal and technical information available about persons and companies on the internet, with and without their consent. Furthermore tools will be discussed that help prevent leakage of privacy related and other kind of data. They will give specific examples and there will be time to ask questions.<br/><br />
Please register before October 20th because of the necessary catering arrangements.<br/><br />
<br/><br />
'''Location'''<br/><br />
The location and catering is provided by the sponsor of this meeting:<br/><br />
<table><br />
<tr><br />
<td width="350"><br />
ps_testware B.V.<br/><br />
Dorpsstraat 26,<br/><br />
3941 JM DOORN<br/><br />
</td><br />
<td width="350"><br />
[[Image:Pstestware.jpg|100px]]<br />
</td><br />
</tr><br />
<tr><br />
<td width="350"><br />
The location has parking facilities for 15 cars. However parking in the direct vicinity of ps_testware shouldn’t be a problem.<br/><br />
</td><br />
<td width="350"><br />
ps_testware delivers services related to software testing and software quality. In the field of software development, quality, time-to-market, business processes and software acceptance they play the role of "your devil's advocate" as an independent, flexible and specialized partner.<br/><br />
For more information please visit: www.pstestware.com.<br/><br />
</td><br />
</tr><br />
</table><br />
<br/><br />
<br/><br />
'''Program'''<br/><br />
17.30 - 18.30 '''Check-In''' (catering included)<br/><br />
<br/><br />
18.30 – 19:00 '''Introduction''' (OWASP organization, projects, sponsor)<br/><br />
<br/><br />
19.00 - 20.15 '''Privacy and Internet''' (Dutch), Frank Fruijthoff and Ellen Hoving<br/><br />
In this presentation the general principles of privacy laws in the Netherlands and the EU and specifically privacy and the internet will be covered.<br/><br />
Frank Fruijthoff is a Compliance Officer with ING. He has a Compliance and Risk Management background and is specialised in privacy.<br/><br />
Ellen Hoving is a graduated lawyer. She works as an independent consultant specialized in compliance and privacy.<br/><br />
<br/><br />
20.15 – 20:30 '''Break'''<br/><br />
<br/><br />
20:30 – 21:00 '''Vulnerability and source code scanners''' (Dutch), Emile Strijbos<br />
<br/><br />
For his Master thesis in computer science at the Radboud Universiteit in Nijmegen, Emile Strijbos investigated vulnerability scanners and source code scanners. These are automated tools that try to detect security flaws, either in running web-applications or in their source code.<br/><br />
Emile tried out several of these tools, including both free and commercial ones, to see how good they are at detecting standard vulnerabilities, such as SQL injection, XSS, CSRF, etc.<br/><br />
<br/><br />
21.00 – 21:30 '''Discussion, questions and social'''<br/><br />
<br/><br />
If you want to attend, please send an email to: owasp@irc2.com.<br><br />
Please register before October 20th, because of the necessary catering arrangements. The number of registries is limited to 50 due to the capacity of the location and will be handled in order of receipt.<br/><br />
<br/><br />
All OWASP chapter meetings are free of charge and you don’t have to be an OWASP member to attend. There are never any vendor pitches or sales presentations at OWASP meetings.<br/><br />
<br/><br />
NOTE TO CISSP's: OWASP Meetings count towards CPE Credits.<br/><br />
<br/><br />
The announcement and full descriptions can be found here:<br/><br />
[[Media:Announcement_27_Oktober.pdf]]<br/><br />
<br />
== Meeting March 26th 2008: Software Vulnerability assessment ==<br />
'''Summary'''<br/><br />
The main goal of the upcoming OWASP-NL meeting is to provide information to developers and security professionals involved in creating secure (web-)applications. The main focus will be on software vulnerability assessment. The speakers will give specific examples and of course there is time to ask questions about your own experiences.<br/><br />
<br/><br />
'''Location'''<br/><br />
The location and catering is provided by the sponsor of this meeting:<br/><br />
<table><br />
<tr><br />
<td width="350"><br />
Mercure Utrecht Nieuwegein<br/><br />
Buizerdlaan 10,<br/><br />
3435 SB Nieuwegein<br/><br />
</td><br />
<td width="350"><br />
[[Image:Fortify.JPG|143px]]<br />
</td><br />
</tr><br />
<tr><br />
<td width="350"><br />
</td><br />
<td width="350"><br />
Fortify Software products protect companies from today’s greatest security risk: the software applications that run their businesses. Combining deep application security expertise with extensive software development experience, Fortify Software has defined the market with award-winning products that span the software development cycle. Today, Fortify Software fortifies the software for the most demanding customer deployments, including the world’s largest, most varied code bases.<br/><br />
<br/><br />
For more information please visit:<br/><br />
www.fortify.com<br/><br />
</td><br />
</tr><br />
</table><br />
<br/><br />
<br/><br />
'''Program'''<br/><br />
17.30 - 18.30 '''Check-In''' (catering included)<br/><br />
<br/><br />
18.30 - 18:50 '''Introduction''' (OWASP, sponsor)<br/><br />
<br/><br />
18.50 - 19.30 '''Complex(ity) matters''' (Dutch), Mario de Boer<br/><br />
Various methods exist to locate specific vulnerabilities in software. In the presentation we will look at static analysis of binaries, and the problems we face when trying to locate vulnerabilities. Several ideas will be discussed to make the search easier, but at the same time less exact. The first idea is trivial: automate as much as possible. The second idea is nearly trivial: don't aim at exact vulnerabilities but relax the search to locating potential vulnerabilities. We will give examples that illustrate the results.<br/><br />
Mario de Boer is a senior security consultant at Logica, and as such focuses on security management aspects like security frameworks, compliance, monitoring and control and risk management. Before joining Logica, Mario worked at the Dutch ministries of Defense and Justice, he co-founded a security company and worked as a project manager in the financial sector. For several years he taught courses in software security analysis and secure software development. Besides security management, Mario has interest in software security, reverse engineering and cryptography. Within Logica Netherlands, he is knowledge manager application security. Mario holds a PhD in Mathematics and is CISA and CISSP.<br/><br />
<br/><br />
19.30 - 19:50 '''Break'''<br/><br />
<br/><br />
19:50 - 20:20 '''V.A.C: SQL injection''' (Dutch), Marinus Kuivenhoven<br />
<br/><br />
<u>'''V'''ulnerability:</u><br/><br />
An application which uses a database for its information needs, communicates with it trough SQL. SQL injection is an attack in which malicious code is inserted into strings that are later passed to an instance of a Database for parsing and execution.<br/><br />
<u>'''A'''ssessment:</u><br/><br />
SQL injection can threaten the confidentiality, availability and integrity of the data. The various types of SQL injection and their impact will be shown.<br/><br />
<u>'''C'''ountermeasure:</u><br/><br />
Any procedure that constructs SQL statements should be reviewed for injection vulnerabilities because a database will execute all syntactically valid queries that it receives. How this should be done will be shown for the most popular languages.<br/><br />
Marinus is a Technology Specialist with Sogeti Nederland B.V. specializing in service oriented architectures and secure application development. His experience includes developing and administrating Oracle-based systems.<br/><br />
<br/><br />
20.20 - 21.00 '''Secure Programming with Static Analysis''' (English), Brian Chess<br/><br />
Creating secure code requires more than just good intentions. Programmers need to know how to make their code safe in an almost infinite number of scenarios and configurations. Static source code analysis gives users the ability to review their work with a fine tooth comb and uncover the kinds of errors that lead directly to vulnerabilities. This talk frames the software security problem and shows how static analysis is part of the solution. We will look at how static analysis works, how to integrate it into the software development processes, and how to make the most of it during security code review. Along the way we'll look at examples taken from real-world security incidents, showing how coding errors are exploited, how they could have been prevented, and how static analysis can rapidly uncover similar errors.<br/><br />
Brian Chess is a founder of Fortify Software and serves as Fortify's Chief Scientist, where his work focuses on practical methods for creating secure systems. His book, Secure Programming with Static Analysis, shows how static source code analysis is an indispensable tool for getting security right. Brian holds a Ph.D. in computer engineering from the University of California at Santa Cruz, where he studied the application of static analysis to the problem of finding security-relevant defects in source code. Before settling on security, Brian spent a decade in Silicon Valley working at huge companies and small startups. He has done research on a broad set of topics, ranging from integrated circuit design all the way to delivering software as a service.<br/><br />
<br/><br />
21.00 - 21:30 '''Discussion, questions and social'''<br/><br />
<br/><br />
'''Registration'''<br/><br />
If you want to attend, please send an email to: owasp@irc2.com.<br/><br />
<br/><br />
All OWASP chapter meetings are free of charge and you don’t have to be an OWASP member to attend. There are never any vendor pitches or sales presentations at OWASP meetings.<br/><br />
<br/><br />
NOTE TO CISSP's: OWASP Meetings count towards CPE Credits.<br/><br />
<br/><br />
<br />
== Meeting December 20th 2007: Secure Development ==<br />
'''Summary'''<br/><br />
The main goal of the upcoming OWASP-NL meeting is to provide information to developers and security professionals involved in creating secure (web-)applications. The general and specific security issues involved on project and programming level will be covered from a practical as well as a theoretical point of view. The speakers will give specific examples and of course there is time to ask questions about your own experiences.<br/><br />
Please register before December the 14th because of the necessary catering arrangements.<br/><br />
<br/><br />
'''Location'''<br/><br />
The location and catering is provided by the sponsor of this meeting:<br/><br />
<table><br />
<tr><br />
<td width="350"><br />
ps_testware B.V.<br/><br />
Dorpsstraat 26,<br/><br />
3941 JM DOORN<br/><br />
</td><br />
<td width="350"><br />
[[Image:Pstestware.jpg|100px]]<br />
</td><br />
</tr><br />
<tr><br />
<td width="350"><br />
The location has parking facilities for 15 cars. However parking in the direct vicinity of ps_testware shouldn’t be a problem.<br/><br />
</td><br />
<td width="350"><br />
ps_testware delivers services related to software testing and software quality. In the field of software development, quality, time-to-market, business processes and software acceptance they play the role of "your devil's advocate" as an independent, flexible and specialized partner.<br/><br />
For more information please visit: www.pstestware.com.<br/><br />
</td><br />
</tr><br />
</table><br />
<br/><br />
<br/><br />
'''Program'''<br/><br />
17.30 - 18.30 '''Check-In''' (catering included)<br/><br />
<br/><br />
18.30 – 19:00 '''Introduction''' (OWASP organization, projects, sponsor)<br/><br />
<br/><br />
19.00 - 19.30 '''Practices of developing optimal security''' (dutch), Andre Post<br/><br />
This presentation highlights a number of current practices that lead to sub-optimal security, and suggests ways of avoiding these problems, focusing on the technical side of development.<br/><br />
André Post works for Fox-IT on a variety of projects including core product development, software architecting, security code reviews, and software project management.<br/><br />
<br/><br />
19.30 – 19:45 '''Break'''<br/><br />
<br/><br />
19:45 – 20:30 '''Problems of developing secure and correct applications''' (dutch), Erik Poll [http://www.cs.ru.nl/~erikpoll/talks/OWASP2007.pdf (slides of the presentation)]<br />
<br/><br />
This presentation will discuss different possibilities to improve software security. The problem of getting time and money available to be spend on security, not only for developing applications, but also for developing programming languages, will be raised.<br/><br />
Erik Poll is head of the Security of Systems (SoS) group at the Radboud University of Nijmegen. His research does focus on the security and correctness of software.<br/><br />
<br/><br />
20.30 - 21.00 '''Protecting Web services and Web applications against security threats''' (dutch), Rix Groenboom<br/><br />
During this session, Rix will explore how to implement development and security best practices in the code to make sure that your webservices and applications perform solidly when they are being hacked or used in malicious ways.<br/><br />
Rix Groenboom supports fortune 2000 companies in field automated software error prevention and correction for Parasoft. His main area of expertise is in the use of formal languages for the specification, design and validation of software applications.<br/><br />
<br/><br />
21.00 – 21:30 '''Discussion, questions and social'''<br/><br />
<br/><br />
All OWASP chapter meetings are free of charge and you don’t have to be an OWASP member to attend. There are never any vendor pitches or sales presentations at OWASP meetings.<br/><br />
<br/><br />
NOTE TO CISSP's: OWASP Meetings count towards CPE Credits.<br/><br />
<br/><br />
The announcement and full descriptions can be found here:<br/><br />
[[Media:Announcement_20_December.pdf]]<br/><br />
[[Media:Announcement_20_December_2.pdf]]<br/><br />
<br />
== Meeting September 13th: putting initiatives into practice ==<br />
<br />
The main goal of the next OWASP meeting is finding a way to put initiatives and all offered help into a form of structural benefit for the OWASP Netherlands local chapter. As a starting point for the discussion, examples will be taken from other European chapters and input delivered by discussions that take place on the mailing list is considered too. Let this be a call to put your ideas on the mailing list before the next meeting!<br/><br />
<br/><br />
The location is provided by the sponsor of this meeting:<br/><br />
Comsec Consulting BV<br/><br />
Rivium Boulevard 102<br/><br />
2909LK Capelle aan den IJssel<br/><br />
<br/><br />
The agenda:<br/><br />
18.00 - 18.30 Check-In (catering included)<br/><br />
18.30 - 18.45 OWASP update, Bert Koelewijn<br/><br />
18.45 - 19.15 Security Best Practices for .NET, Boaz Shunami<br/><br />
19.15 - 20.00 Discussion: collecting ideas and initiatives<br/><br />
20.00 - 20.15 Coffee break<br/><br />
20.15 - 21.00 Discussion: how to enable community commitment<br/><br />
21.00 - 21.30 Closing discussion and coffee<br/><br />
<br/><br />
Boaz Shunami<br/><br />
Boaz is manager of the Application Security department of Comsec Europe. He has 11 years of experience in the IT Security field, and a large part of them in Application Security.<br/><br />
Boaz did numerous application security audits in very large organizations and is recognized as one of the greatest expert’s world wide. Boaz' expertise is broad, but especially in-depth for the .NET platform.<br/><br />
<br/><br />
Discussion input (until now)<br/><br />
- division of local chapter work load by multiple people<br/><br />
- collaboration with other organizations<br/><br />
<br/><br />
If you want to attend send an email to owasp@irc2.com.<br/><br />
<br/><br />
All OWASP chapter meetings are free, there are never vendor pitches or sales presentations at OWASP meetings.<br/><br />
<br/><br />
NOTE TO CISSP's: OWASP Meetings count towards CPE Credits.<br/><br />
<br />
== Meeting minutes Januar 11th 2007 ==<br />
<br />
January 11th, the Dutch OWASP chapter came together at the office of Sogeti Netherlands. Subject of the evening was 'putting software security into practice'. The group was small but select.<br/><br />
<br/><br />
The agenda:<br/><br />
18.00 - 18.30 Check-In (catering included)<br/><br />
18.30 - 18.45 Sponsor opening<br/><br />
18.45 - 19.00 OWASP update, Bert Koelewijn<br/><br />
19.00 - 19.30 Implementation of Security by Design, Martin Knobloch<br/><br />
19.30 - 19.45 Panel introduction<br/><br />
19.45 - 20.00 Coffee break<br/><br />
20.00 - 21.30 Panel discussion<br/><br />
<br/><br />
After being welcomed by Frank Langeveld from Sogeti and Bert Koelewijn, Dutch chapter leader, the evening started with the presentation 'Security By Design'. During the presentation Martin Knobloch told about his experiences during the implementation of the Secure Development Life Cycle in a company like Sogeti Nederland B.V.<br/><br />
<br/><br />
The presentation is available here:<br/><br />
[[Media:Implementation_of_Security_by_Design.ppt]]<br/><br />
<br/><br />
After a small break, the panel discussion started with the following panel: Henk van der Heijden - Comsec Consulting, Dr.ir. Mario de Boer - LogicaCMG and Martin Knobloch - Sogeti Nederland.<br/><br />
During the discussion, it became clear people are struggling to get the Secure Development Life Cycle implemented in their company. The various experiences were shared with the panel and the others. Company typical problems and common misunderstandings about Software security where brought up.<br/><br />
The consensus of the discussion was that the main problem lies in the lack of security awareness and knowledge of the managers and the developers. And this of course is exactly where OWASP comes in…<br/><br />
<br/><br />
<br />
== Meeting Januar 11th 2007 ==<br />
<br />
The OWASP meeting of 11 January is about putting software security into practice. A lot of books, standards, organizations and consultants tell us how we should develop secure software. But which methods and measures are commonly adopted and which are not and why?<br/><br />
This will be the main focus of the discussion that we will have with a panel of people that experienced implementing software security in the field.<br/><br />
<br/><br />
The location is provided by the sponsor of this meeting:<br/><br />
Sogeti Nederland B.V.<br/><br />
"La Charmille" building<br/><br />
Lange Dreef 17<br/><br />
4131 NJ Vianen<br/><br />
<br/><br />
The agenda:<br />
<br/><br />
18.00 - 18.30 Check-In (catering included)<br/><br />
18.30 - 18.45 Sponsor opening<br/><br />
18.45 - 19.00 OWASP update, Bert Koelewijn<br/><br />
19.00 - 19.30 Implementation of Security by Design, Martin Knobloch<br/><br />
19.30 - 19.45 Panel introduction<br/><br />
19.45 - 20.00 Coffee break<br/><br />
20.00 - 21.30 Panel discussion<br/><br />
<br/><br />
Implementation of Security by Design<br/><br />
What is needed to implement a 'Secure Development Life Cycle' within Sogeti Nederland? The speaker started a project called 'Security by Design' in march 2006 implementing a SDLC at Sogeti Nederland.<br/><br />
In his presentation, the speaker will share his technical and organizational experiences that he gained with the still ongoing implementation.<br/><br />
<br/><br />
About the speaker<br/><br />
Martin Knobloch has more than 8 years experience in design and development of J2EE applications for customers in various sectors of the market. In September 2003 Martin Knobloch started working for Sogeti Nederland, where he does the design, development and review of J2EE applications and architectures.<br/><br />
From this background, Martin Knobloch experienced the threats of insecure software firsthand. In march 2006, Martin Knobloch started implementing a SDLC within Sogeti Nederland.<br/><br />
<br/><br />
Panel discussion<br/><br />
The panel members are:<br/><br />
Henk van der Heijden, Managing Director - Comsec Consulting B.V.<br/><br />
Dr.ir. Mario de Boer, Security Consultant - LogicaCMG<br/><br />
Martin Knobloch, Senior Technologie Specialist - Sogeti Nederland B.V.<br/><br />
<br/><br />
In the discussion, we will try to find answers to questions like:<br/><br />
- What are the most common security practices in software development?<br/><br />
- How effective are those practices?<br/><br />
- Where do we start practicing security?<br/><br />
- What should be the most common security practices in software development?<br/><br />
- How much does security cost?<br/><br />
- How does the Systems Security Engineering Capability Maturity Model (SSE-CMM) fit in?<br/><br />
<br/><br />
If you want to attend send an email to owasp@irc2.com.<br/><br />
<br/><br />
All OWASP chapter meetings are free, there are never vendor pitches or sales presentations at OWASP meetings.<br/><br />
<br/><br />
NOTE TO CISSP’s: OWASP Meetings count towards CPE Credits.<br/><br />
<br />
== OWASP Netherlands meeting minutes ==<br />
<br />
On 9 march, the second meeting of OWASP Netherlands local chapter took place. GetronicsPinkRoccade provided the venue, in their luxury conference centre: Connection I.<br/><br />
<br/><br />
Agenda:<br/><br />
18.00 - 18.45 Check-In (bread & drinks)<br/><br />
18.45 - 19.00 Opening<br/><br />
19.00 - 20.00 Improving Security in the Application Development Life-cycle, Migchiel de Jong<br/><br />
20.00 - 20.15 Coffee break<br/><br />
20.15 - 22.00 Form focus groups<br/><br />
<br/><br />
The presentation of Migchiel de Jong was found very interesting by the audience. At the end of his presentation, he demonstrated a static code analysis of the OWASP webgoat application.<br/><br />
<br/><br />
After the coffee break, the attendances started discussing about the largest common topics of interest in the web application security field, in relation to the OWASP Netherlands chapter. As a result, the following focus groups are formed:<br/><br />
<br/><br />
Testing<br/><br />
The current OWASP Testing project and the Open Source Security Testing Methodology Manual of ISECOM, provide guidelines and best practices for testers. These guidelines can be used to formalize a standard structure and a set of minimum requirements for a security test. Clients could ask a tester to adhere to these guidelines.<br/><br />
A second idea is to standardize the testing results management report. In practice, testing could result in piles of paper with all the findings. The real value is reporting it in a usable way. For example: mapping technical findings to business risks.<br/><br />
<br/><br />
Frans v. Buul<br/><br />
Peter Gouwentak<br/><br />
Arthur Donkers<br/><br />
Eelco Klaver<br/><br />
Migchiel de Jong<br/><br />
Mario de Boer<br/><br />
<br/><br />
First focus group meeting: Monday 27 march, 18:00h, PwC Utrecht<br/><br />
<br/><br />
<br/><br />
Public Relations<br/><br />
This focus group will try to make business aware of the security impact that developing, hosting and using web applications has. What OWASP is and how OWASP can help. This can be done by giving presentations, writing papers and articles, word of mouth, etc. etc.<br/><br />
<br/><br />
Remco Bakker<br/><br />
Ronald Eygendaal<br/><br />
Bas van Vossen<br/><br />
Edwin van Vliet<br/><br />
Eelco Klaver<br/><br />
<br/><br />
First presentation of OWASP materials: Edwin van Vliet, TestNet - Voorjaarsevenement, 5 april<br/><br />
First focus group meeting: To be planned!<br/><br />
<br/><br />
<br/><br />
Education<br/><br />
OWASP and universities/schools could benefit from working together. For example:<br/><br />
- OWASP provides lot's of materials usable in colleges.<br/><br />
- Develop OWASP training course.<br/><br />
- Students can participate in OWASP projects<br/><br />
- OWASP can provide a platform for supporting research. Such as thesis projects, etc.<br/><br />
- OWASP representatives could provide guest colleges.<br/><br />
<br/><br />
Ronald Eygendaal<br/><br />
Erik Poll<br/><br />
Bas van Vossen<br/><br />
Edwin van Vliet<br/><br />
<br/><br />
First focus group meeting: To be planned!<br/><br />
<br/><br />
The presentation is available here:<br/><br />
[[Media:OWASP_NL_Fortify_Software.pdf]]<br/><br />
<br />
== 9 March: Second meeting of the OWASP Netherlands local chapter! ==<br />
<br />
In this second meeting focus groups are to be formed, to discuss common problems, develop and research common solutions in a vendor neutral environment. So this is a very good opportunity to get in contact with others, to exchange knowledge and experiences on specific topics.<br/><br />
<br/><br />
For every focus group the following questions has to be answered:<br/><br />
1. Which specific topic is to be addressed?<br/><br />
2. What are the deliverables?<br/><br />
3. What is the relation to OWASP? (Current projects, materials, expertise and knowledge interchange, etc.)<br/><br />
4. Who is the central contact of the subgroup?<br/><br />
<br/><br />
It would be nice to have a bigger and more diverse group, compared to the first meeting. So let's recall: "Please, bring at least one friend, next time." And don't hesitate to send this announcement to everybody who may be interested!<br/><br />
<br/><br />
We thank Getronics PinkRoccade for offering us a venue:<br/><br />
Getronics PinkRoccade<br/><br />
Fauststraat 1<br/><br />
7323 BA Apeldoorn <br/><br />
<br/><br />
The agenda:<br/><br />
18.00 - 18.30 Check-In<br/><br />
18.30 - 18.45 Opening<br/><br />
18.45 - 19.30 Improving Security in the Application Development Life-cycle, Migchiel de Jong<br/><br />
19.30 - 20.00 Collecting focus group initiatives<br/><br />
19.45 - 20.00 Coffee break<br/><br />
20.00 - 21.00 Form focus groups<br/><br />
<br/><br />
Presentation Abstract<br/><br />
Rather than spending large amounts of time and money on proving that we have security vulnerabilities after programs go into production, companies should go to the source and correct vulnerabilities as early as possible in the development stage. It is unquestionably faster, simpler, and cheaper for developers to correct vulnerabilities as they build programs.<br/><br />
But how can development management ensure that developers focus on security when there is no time or budget for security at the development stage? Even with the correct focus, how can they learn what to look for? How can they stay ahead of the dedicated and resourceful hacker?<br/><br />
The answer is effective processes and better tools. With advanced software security tools, a developer can pinpoint vulnerabilities in a matter of seconds — the same vulnerabilities that would take a hacker or manual code reviewer weeks or even months to find. These same tools can give development and information security managers useful metrics on application vulnerabilities before they are released into deployment.<br/><br />
This talk will walk through the Application Development Life-Cycle and discuss how tools can help come to grips with software security issues in a particular phase.<br/><br />
<br/><br />
About the presenter<br/><br />
Migchiel de Jong has developed hardware and software for 10 years before joining Rational Software. During the 5 years at Rational Software (later acquired by IBM) he was involved in many software development process improvement projects. Currently Migchiel de Jong is working at Fortify Software, Palo Alto, California, as a software security engineer.<br/><br />
<br/><br />
If you want to attend send an email to owasp@irc2.nl. Please don't wait, 9 march is not that long anymore!<br/><br />
<br/><br />
All OWASP chapter meetings are free, there are never vendor pitches or sales presentations at OWASP meetings.<br/><br />
<br/><br />
NOTE TO CISSP’s: OWASP Meetings count towards CPE Credits.<br/><br />
<br />
== OWASP Netherlands kick-off meeting minutes ==<br />
<br />
On 17 November, OWASP Netherlands had it's first meeting. We moved to a bigger location, the Mercure hotel in Nieuwegein, to host all the 35 attendees.<br/><br />
<br/><br />
The agenda:<br/><br />
18.00 - 18.30 Check-In (bread & drinks)<br/><br />
18.30 - 18.45 Chapter opening<br/><br />
18.45 - 19.30 Presentation - 'Top tien web applicatie kwetsbaarheden in J2EE', Eelco Klaver<br/><br />
19.30 - 19.45 Presentation - 'Veilige webapplicaties boven alles', Mike Wardi<br/><br />
19.45 - 20.00 Coffee break<br/><br />
20.00 - 21.00 Discussion - About the OWASP Netherlands local chapter<br/><br />
<br/><br />
The discussion took place in a 'round table' session, where all attendees were able to take part. The focus of the discussion was how to give the OWASP Netherlands local chapter additional value, next to the OWASP project. What the goals and tasks will be. And which actions will have to be taken at short term.<br/><br />
Different people have interest in different subjects. In general meetings there is no time to address all subjects and address them specific enough. Therefore subgroups can be formed, focusing on specific topics. They can have their own communication channel and meetings, but should keep close contact with the OWASP body.<br/><br />
<br/><br />
An inventarisation:<br/><br />
<br/><br />
Discussion Topics<br/><br />
- Awareness: writing articles, press publications, interviews<br/><br />
- Education: contact universities, schools and their common boards. Develop and gather education materials.<br/><br />
- General: discuss ideas for OWASP NL<br/><br />
<br/><br />
Focusgroup Topics<br/><br />
- (dutch) metrics project<br/><br />
- (dutch) legal project<br/><br />
- standard framework for pentest reports<br/><br />
- safe outsourcing<br/><br />
<br/><br />
Actions that should be taken on short term are:<br/><br />
- provide communication channels<br/><br />
- plan next (sub)meetings<br/><br />
- start discussions and focusgroups<br/><br />
<br/><br />
The presentations are available here:<br/><br />
<br/><br />
[[Media:OWASP_NL_Top_Ten_Web_Application_Vulnerabilities_in_J2EE.pdf]]<br/><br />
[[Media:OWASP_NL_Veilige_Web_App_Boven_Alles.pdf]]<br/><br />
<br />
== You are welcome to the OWASP Netherlands local chapter kick-off meeting! ==<br />
<br />
Thursday, November 17th (2005) at 18.00h.<br/><br />
<br/><br />
ATTENTION! Because of the large amount of attendees, the location has changed:<br/><br />
<br/><br />
Hotel Mercure Utrecht/Nieuwegein<br/><br />
Buizerdlaan 10<br/><br />
3435 SB NIEUWEGEIN<br/><br />
Tel: 00 31 (0) 30 60 84 122<br/><br />
Fax: 00 31 (0) 30 60 38 374<br/><br />
<br/><br />
This first meeting will be an introduction to the OWASP. A constructive discussion will be held about the actual form of the OWASP Netherlands local chapter.<br/><br />
<br/><br />
The agenda:<br/><br />
18.00 - 18.30 Check-In (bread & drinks)<br/><br />
18.30 - 18.45 Chapter opening<br/><br />
18.45 - 19.30 Presentation - 'Top tien web applicatie kwetsbaarheden in J2EE', Eelco Klaver<br/><br />
19.30 - 19.45 Presentation - 'Veilige webapplicaties boven alles', Mike Wardi<br/><br />
19.45 - 20.00 Coffee break<br/><br />
20.00 - 21.00 Discussion - About the OWASP Netherlands local chapter<br/><br />
<br/><br />
About the presenters<br/><br />
<br/><br />
Eelco Klaver<br/><br />
Eelco Klaver is a senior consultant for Xebia IT Architects, since 2003. Doing software reviews, security audits and giving security workshops are part of his job. He has almost 10 years experience with developing enterprise applications in J2EE for different employees. At the moment, Eelco is the front man of the security business unit for Xebia, focussing on the security aspects of enterprise applications build on J2EE.<br/><br />
<br/><br />
Mike Wardi<br/><br />
Mike Wardi is an internet application manager for a financial institute. He's responsible for the safety of internet applications provided to customers and the implementation of the security policies in software developement.<br/><br />
<br/><br />
<br/><br />
If you want to attend, please send an email to owasp-nl@ascure.com or the mailing list.<br/><br />
<br/><br />
All OWASP chapter meetings are free! There are never vendor pitches or sales presentations at OWASP meetings.<br/><br />
<br/><br />
NOTE TO CISSP’s: OWASP Meetings count towards CPE Credits.<br/><br />
<br/></div>Dvsteinhttps://wiki.owasp.org/index.php?title=Netherlands&diff=46547Netherlands2008-11-19T16:46:53Z<p>Dvstein: /* Meeting Januar 11th 2007 */</p>
<hr />
<div>{{Chapter Template|chaptername=Netherlands|extra=The chapter leader is [mailto:owasp@irc2.nl Bert Koelewijn]<br />
<paypal>Netherlands</paypal><br />
|mailinglistsite=http://lists.owasp.org/mailman/listinfo/owasp-netherlands|emailarchives=http://lists.owasp.org/pipermail/owasp-netherlands}}<br />
<br />
== Meeting schedule 2008 ==<br />
This is an overview of the 2008 local chapter meeting schedule. Details of the meetings can be found in the announcements that will be posted below this schedule.<br />
<pre><br />
March 26th<br />
----------<br />
Time : 17.30 - 21.30<br />
Main Topic : Software Vulnerability assessment<br />
Presentations: Complex(ity) matters, Mario de Boer (Dutch)<br />
V.A.C. SQL injection, Marinus Kuivenhoven (Dutch)<br />
Secure Programming with Static Analysis, Brian Chess (English) <br />
Location : Mercure Utrecht Nieuwegein, Buizerdlaan 10, 3435 SB Nieuwegein<br />
Sponsor : Fortify Software<br />
<br />
Oktober 27th<br />
----------<br />
Time : 17.30 - 21.30<br />
Main Topic : Privacy and the Internet<br />
Presentations: Privacy and Internet (Dutch), Frank Fruijthoff and Ellen Hoving<br />
Vulnerability and source code scanners. (Dutch) Emile Strijbos <br />
Location : ps_testware B.V., Dorpsstraat 26, 3941 JM DOORN<br />
Sponsor : ps_testware B.V.<br />
</pre><br />
== Meeting October 27th 2008: Privacy and the Internet ==<br />
'''Summary'''<br/><br />
The main goal of the upcoming OWASP-NL meeting is to provide information to developers and security professionals about personal and technical privacy on the internet. The speakers focus on privacy regulations related to the internet and on the mass amount of personal and technical information available about persons and companies on the internet, with and without their consent. Furthermore tools will be discussed that help prevent leakage of privacy related and other kind of data. They will give specific examples and there will be time to ask questions.<br/><br />
Please register before October 20th because of the necessary catering arrangements.<br/><br />
<br/><br />
'''Location'''<br/><br />
The location and catering is provided by the sponsor of this meeting:<br/><br />
<table><br />
<tr><br />
<td width="350"><br />
ps_testware B.V.<br/><br />
Dorpsstraat 26,<br/><br />
3941 JM DOORN<br/><br />
</td><br />
<td width="350"><br />
[[Image:Pstestware.jpg|100px]]<br />
</td><br />
</tr><br />
<tr><br />
<td width="350"><br />
The location has parking facilities for 15 cars. However parking in the direct vicinity of ps_testware shouldn’t be a problem.<br/><br />
</td><br />
<td width="350"><br />
ps_testware delivers services related to software testing and software quality. In the field of software development, quality, time-to-market, business processes and software acceptance they play the role of "your devil's advocate" as an independent, flexible and specialized partner.<br/><br />
For more information please visit: www.pstestware.com.<br/><br />
</td><br />
</tr><br />
</table><br />
<br/><br />
<br/><br />
'''Program'''<br/><br />
17.30 - 18.30 '''Check-In''' (catering included)<br/><br />
<br/><br />
18.30 – 19:00 '''Introduction''' (OWASP organization, projects, sponsor)<br/><br />
<br/><br />
19.00 - 20.15 '''Privacy and Internet''' (Dutch), Frank Fruijthoff and Ellen Hoving<br/><br />
In this presentation the general principles of privacy laws in the Netherlands and the EU and specifically privacy and the internet will be covered.<br/><br />
Frank Fruijthoff is a Compliance Officer with ING. He has a Compliance and Risk Management background and is specialised in privacy.<br/><br />
Ellen Hoving is a graduated lawyer. She works as an independent consultant specialized in compliance and privacy.<br/><br />
<br/><br />
20.15 – 20:30 '''Break'''<br/><br />
<br/><br />
20:30 – 21:00 '''Vulnerability and source code scanners''' (Dutch), Emile Strijbos<br />
<br/><br />
For his Master thesis in computer science at the Radboud Universiteit in Nijmegen, Emile Strijbos investigated vulnerability scanners and source code scanners. These are automated tools that try to detect security flaws, either in running web-applications or in their source code.<br/><br />
Emile tried out several of these tools, including both free and commercial ones, to see how good they are at detecting standard vulnerabilities, such as SQL injection, XSS, CSRF, etc.<br/><br />
<br/><br />
21.00 – 21:30 '''Discussion, questions and social'''<br/><br />
<br/><br />
If you want to attend, please send an email to: owasp@irc2.com.<br><br />
Please register before October 20th, because of the necessary catering arrangements. The number of registries is limited to 50 due to the capacity of the location and will be handled in order of receipt.<br/><br />
<br/><br />
All OWASP chapter meetings are free of charge and you don’t have to be an OWASP member to attend. There are never any vendor pitches or sales presentations at OWASP meetings.<br/><br />
<br/><br />
NOTE TO CISSP's: OWASP Meetings count towards CPE Credits.<br/><br />
<br/><br />
The announcement and full descriptions can be found here:<br/><br />
[[Media:Announcement_27_Oktober.pdf]]<br/><br />
<br />
== Meeting March 26th 2008: Software Vulnerability assessment ==<br />
'''Summary'''<br/><br />
The main goal of the upcoming OWASP-NL meeting is to provide information to developers and security professionals involved in creating secure (web-)applications. The main focus will be on software vulnerability assessment. The speakers will give specific examples and of course there is time to ask questions about your own experiences.<br/><br />
<br/><br />
'''Location'''<br/><br />
The location and catering is provided by the sponsor of this meeting:<br/><br />
<table><br />
<tr><br />
<td width="350"><br />
Mercure Utrecht Nieuwegein<br/><br />
Buizerdlaan 10,<br/><br />
3435 SB Nieuwegein<br/><br />
</td><br />
<td width="350"><br />
[[Image:Fortify.JPG|143px]]<br />
</td><br />
</tr><br />
<tr><br />
<td width="350"><br />
</td><br />
<td width="350"><br />
Fortify Software products protect companies from today’s greatest security risk: the software applications that run their businesses. Combining deep application security expertise with extensive software development experience, Fortify Software has defined the market with award-winning products that span the software development cycle. Today, Fortify Software fortifies the software for the most demanding customer deployments, including the world’s largest, most varied code bases.<br/><br />
<br/><br />
For more information please visit:<br/><br />
www.fortify.com<br/><br />
</td><br />
</tr><br />
</table><br />
<br/><br />
<br/><br />
'''Program'''<br/><br />
17.30 - 18.30 '''Check-In''' (catering included)<br/><br />
<br/><br />
18.30 - 18:50 '''Introduction''' (OWASP, sponsor)<br/><br />
<br/><br />
18.50 - 19.30 '''Complex(ity) matters''' (Dutch), Mario de Boer<br/><br />
Various methods exist to locate specific vulnerabilities in software. In the presentation we will look at static analysis of binaries, and the problems we face when trying to locate vulnerabilities. Several ideas will be discussed to make the search easier, but at the same time less exact. The first idea is trivial: automate as much as possible. The second idea is nearly trivial: don't aim at exact vulnerabilities but relax the search to locating potential vulnerabilities. We will give examples that illustrate the results.<br/><br />
Mario de Boer is a senior security consultant at Logica, and as such focuses on security management aspects like security frameworks, compliance, monitoring and control and risk management. Before joining Logica, Mario worked at the Dutch ministries of Defense and Justice, he co-founded a security company and worked as a project manager in the financial sector. For several years he taught courses in software security analysis and secure software development. Besides security management, Mario has interest in software security, reverse engineering and cryptography. Within Logica Netherlands, he is knowledge manager application security. Mario holds a PhD in Mathematics and is CISA and CISSP.<br/><br />
<br/><br />
19.30 - 19:50 '''Break'''<br/><br />
<br/><br />
19:50 - 20:20 '''V.A.C: SQL injection''' (Dutch), Marinus Kuivenhoven<br />
<br/><br />
<u>'''V'''ulnerability:</u><br/><br />
An application which uses a database for its information needs, communicates with it trough SQL. SQL injection is an attack in which malicious code is inserted into strings that are later passed to an instance of a Database for parsing and execution.<br/><br />
<u>'''A'''ssessment:</u><br/><br />
SQL injection can threaten the confidentiality, availability and integrity of the data. The various types of SQL injection and their impact will be shown.<br/><br />
<u>'''C'''ountermeasure:</u><br/><br />
Any procedure that constructs SQL statements should be reviewed for injection vulnerabilities because a database will execute all syntactically valid queries that it receives. How this should be done will be shown for the most popular languages.<br/><br />
Marinus is a Technology Specialist with Sogeti Nederland B.V. specializing in service oriented architectures and secure application development. His experience includes developing and administrating Oracle-based systems.<br/><br />
<br/><br />
20.20 - 21.00 '''Secure Programming with Static Analysis''' (English), Brian Chess<br/><br />
Creating secure code requires more than just good intentions. Programmers need to know how to make their code safe in an almost infinite number of scenarios and configurations. Static source code analysis gives users the ability to review their work with a fine tooth comb and uncover the kinds of errors that lead directly to vulnerabilities. This talk frames the software security problem and shows how static analysis is part of the solution. We will look at how static analysis works, how to integrate it into the software development processes, and how to make the most of it during security code review. Along the way we'll look at examples taken from real-world security incidents, showing how coding errors are exploited, how they could have been prevented, and how static analysis can rapidly uncover similar errors.<br/><br />
Brian Chess is a founder of Fortify Software and serves as Fortify's Chief Scientist, where his work focuses on practical methods for creating secure systems. His book, Secure Programming with Static Analysis, shows how static source code analysis is an indispensable tool for getting security right. Brian holds a Ph.D. in computer engineering from the University of California at Santa Cruz, where he studied the application of static analysis to the problem of finding security-relevant defects in source code. Before settling on security, Brian spent a decade in Silicon Valley working at huge companies and small startups. He has done research on a broad set of topics, ranging from integrated circuit design all the way to delivering software as a service.<br/><br />
<br/><br />
21.00 - 21:30 '''Discussion, questions and social'''<br/><br />
<br/><br />
'''Registration'''<br/><br />
If you want to attend, please send an email to: owasp@irc2.com.<br/><br />
<br/><br />
All OWASP chapter meetings are free of charge and you don’t have to be an OWASP member to attend. There are never any vendor pitches or sales presentations at OWASP meetings.<br/><br />
<br/><br />
NOTE TO CISSP's: OWASP Meetings count towards CPE Credits.<br/><br />
<br/><br />
<br />
== Meeting December 20th 2007: Secure Development ==<br />
'''Summary'''<br/><br />
The main goal of the upcoming OWASP-NL meeting is to provide information to developers and security professionals involved in creating secure (web-)applications. The general and specific security issues involved on project and programming level will be covered from a practical as well as a theoretical point of view. The speakers will give specific examples and of course there is time to ask questions about your own experiences.<br/><br />
Please register before December the 14th because of the necessary catering arrangements.<br/><br />
<br/><br />
'''Location'''<br/><br />
The location and catering is provided by the sponsor of this meeting:<br/><br />
<table><br />
<tr><br />
<td width="350"><br />
ps_testware B.V.<br/><br />
Dorpsstraat 26,<br/><br />
3941 JM DOORN<br/><br />
</td><br />
<td width="350"><br />
[[Image:Pstestware.jpg|100px]]<br />
</td><br />
</tr><br />
<tr><br />
<td width="350"><br />
The location has parking facilities for 15 cars. However parking in the direct vicinity of ps_testware shouldn’t be a problem.<br/><br />
</td><br />
<td width="350"><br />
ps_testware delivers services related to software testing and software quality. In the field of software development, quality, time-to-market, business processes and software acceptance they play the role of "your devil's advocate" as an independent, flexible and specialized partner.<br/><br />
For more information please visit: www.pstestware.com.<br/><br />
</td><br />
</tr><br />
</table><br />
<br/><br />
<br/><br />
'''Program'''<br/><br />
17.30 - 18.30 '''Check-In''' (catering included)<br/><br />
<br/><br />
18.30 – 19:00 '''Introduction''' (OWASP organization, projects, sponsor)<br/><br />
<br/><br />
19.00 - 19.30 '''Practices of developing optimal security''' (dutch), Andre Post<br/><br />
This presentation highlights a number of current practices that lead to sub-optimal security, and suggests ways of avoiding these problems, focusing on the technical side of development.<br/><br />
André Post works for Fox-IT on a variety of projects including core product development, software architecting, security code reviews, and software project management.<br/><br />
<br/><br />
19.30 – 19:45 '''Break'''<br/><br />
<br/><br />
19:45 – 20:30 '''Problems of developing secure and correct applications''' (dutch), Erik Poll [http://www.cs.ru.nl/~erikpoll/talks/OWASP2007.pdf (slides of the presentation)]<br />
<br/><br />
This presentation will discuss different possibilities to improve software security. The problem of getting time and money available to be spend on security, not only for developing applications, but also for developing programming languages, will be raised.<br/><br />
Erik Poll is head of the Security of Systems (SoS) group at the Radboud University of Nijmegen. His research does focus on the security and correctness of software.<br/><br />
<br/><br />
20.30 - 21.00 '''Protecting Web services and Web applications against security threats''' (dutch), Rix Groenboom<br/><br />
During this session, Rix will explore how to implement development and security best practices in the code to make sure that your webservices and applications perform solidly when they are being hacked or used in malicious ways.<br/><br />
Rix Groenboom supports fortune 2000 companies in field automated software error prevention and correction for Parasoft. His main area of expertise is in the use of formal languages for the specification, design and validation of software applications.<br/><br />
<br/><br />
21.00 – 21:30 '''Discussion, questions and social'''<br/><br />
<br/><br />
All OWASP chapter meetings are free of charge and you don’t have to be an OWASP member to attend. There are never any vendor pitches or sales presentations at OWASP meetings.<br/><br />
<br/><br />
NOTE TO CISSP's: OWASP Meetings count towards CPE Credits.<br/><br />
<br/><br />
The announcement and full descriptions can be found here:<br/><br />
[[Media:Announcement_20_December.pdf]]<br/><br />
[[Media:Announcement_20_December_2.pdf]]<br/><br />
<br />
== Meeting September 13th: putting initiatives into practice ==<br />
<br />
The main goal of the next OWASP meeting is finding a way to put initiatives and all offered help into a form of structural benefit for the OWASP Netherlands local chapter. As a starting point for the discussion, examples will be taken from other European chapters and input delivered by discussions that take place on the mailing list is considered too. Let this be a call to put your ideas on the mailing list before the next meeting!<br/><br />
<br/><br />
The location is provided by the sponsor of this meeting:<br/><br />
Comsec Consulting BV<br/><br />
Rivium Boulevard 102<br/><br />
2909LK Capelle aan den IJssel<br/><br />
<br/><br />
The agenda:<br/><br />
18.00 - 18.30 Check-In (catering included)<br/><br />
18.30 - 18.45 OWASP update, Bert Koelewijn<br/><br />
18.45 - 19.15 Security Best Practices for .NET, Boaz Shunami<br/><br />
19.15 - 20.00 Discussion: collecting ideas and initiatives<br/><br />
20.00 - 20.15 Coffee break<br/><br />
20.15 - 21.00 Discussion: how to enable community commitment<br/><br />
21.00 - 21.30 Closing discussion and coffee<br/><br />
<br/><br />
Boaz Shunami<br/><br />
Boaz is manager of the Application Security department of Comsec Europe. He has 11 years of experience in the IT Security field, and a large part of them in Application Security.<br/><br />
Boaz did numerous application security audits in very large organizations and is recognized as one of the greatest expert’s world wide. Boaz' expertise is broad, but especially in-depth for the .NET platform.<br/><br />
<br/><br />
Discussion input (until now)<br/><br />
- division of local chapter work load by multiple people<br/><br />
- collaboration with other organizations<br/><br />
<br/><br />
If you want to attend send an email to owasp@irc2.com.<br/><br />
<br/><br />
All OWASP chapter meetings are free, there are never vendor pitches or sales presentations at OWASP meetings.<br/><br />
<br/><br />
NOTE TO CISSP's: OWASP Meetings count towards CPE Credits.<br/><br />
<br />
== OWASP Netherlands meeting minutes ==<br />
<br />
January 11th, the Dutch OWASP chapter came together at the office of Sogeti Netherlands. Subject of the evening was 'putting software security into practice'. The group was small but select.<br/><br />
<br/><br />
The agenda:<br/><br />
18.00 - 18.30 Check-In (catering included)<br/><br />
18.30 - 18.45 Sponsor opening<br/><br />
18.45 - 19.00 OWASP update, Bert Koelewijn<br/><br />
19.00 - 19.30 Implementation of Security by Design, Martin Knobloch<br/><br />
19.30 - 19.45 Panel introduction<br/><br />
19.45 - 20.00 Coffee break<br/><br />
20.00 - 21.30 Panel discussion<br/><br />
<br/><br />
After being welcomed by Frank Langeveld from Sogeti and Bert Koelewijn, Dutch chapter leader, the evening started with the presentation 'Security By Design'. During the presentation Martin Knobloch told about his experiences during the implementation of the Secure Development Life Cycle in a company like Sogeti Nederland B.V.<br/><br />
<br/><br />
The presentation is available here:<br/><br />
[[Media:Implementation_of_Security_by_Design.ppt]]<br/><br />
<br/><br />
After a small break, the panel discussion started with the following panel: Henk van der Heijden - Comsec Consulting, Dr.ir. Mario de Boer - LogicaCMG and Martin Knobloch - Sogeti Nederland.<br/><br />
During the discussion, it became clear people are struggling to get the Secure Development Life Cycle implemented in their company. The various experiences were shared with the panel and the others. Company typical problems and common misunderstandings about Software security where brought up.<br/><br />
The consensus of the discussion was that the main problem lies in the lack of security awareness and knowledge of the managers and the developers. And this of course is exactly where OWASP comes in…<br/><br />
<br/><br />
== Meeting Januar 11th 2007 ==<br />
<br />
The OWASP meeting of 11 January is about putting software security into practice. A lot of books, standards, organizations and consultants tell us how we should develop secure software. But which methods and measures are commonly adopted and which are not and why?<br/><br />
This will be the main focus of the discussion that we will have with a panel of people that experienced implementing software security in the field.<br/><br />
<br/><br />
The location is provided by the sponsor of this meeting:<br/><br />
Sogeti Nederland B.V.<br/><br />
"La Charmille" building<br/><br />
Lange Dreef 17<br/><br />
4131 NJ Vianen<br/><br />
<br/><br />
The agenda:<br />
<br/><br />
18.00 - 18.30 Check-In (catering included)<br/><br />
18.30 - 18.45 Sponsor opening<br/><br />
18.45 - 19.00 OWASP update, Bert Koelewijn<br/><br />
19.00 - 19.30 Implementation of Security by Design, Martin Knobloch<br/><br />
19.30 - 19.45 Panel introduction<br/><br />
19.45 - 20.00 Coffee break<br/><br />
20.00 - 21.30 Panel discussion<br/><br />
<br/><br />
Implementation of Security by Design<br/><br />
What is needed to implement a 'Secure Development Life Cycle' within Sogeti Nederland? The speaker started a project called 'Security by Design' in march 2006 implementing a SDLC at Sogeti Nederland.<br/><br />
In his presentation, the speaker will share his technical and organizational experiences that he gained with the still ongoing implementation.<br/><br />
<br/><br />
About the speaker<br/><br />
Martin Knobloch has more than 8 years experience in design and development of J2EE applications for customers in various sectors of the market. In September 2003 Martin Knobloch started working for Sogeti Nederland, where he does the design, development and review of J2EE applications and architectures.<br/><br />
From this background, Martin Knobloch experienced the threats of insecure software firsthand. In march 2006, Martin Knobloch started implementing a SDLC within Sogeti Nederland.<br/><br />
<br/><br />
Panel discussion<br/><br />
The panel members are:<br/><br />
Henk van der Heijden, Managing Director - Comsec Consulting B.V.<br/><br />
Dr.ir. Mario de Boer, Security Consultant - LogicaCMG<br/><br />
Martin Knobloch, Senior Technologie Specialist - Sogeti Nederland B.V.<br/><br />
<br/><br />
In the discussion, we will try to find answers to questions like:<br/><br />
- What are the most common security practices in software development?<br/><br />
- How effective are those practices?<br/><br />
- Where do we start practicing security?<br/><br />
- What should be the most common security practices in software development?<br/><br />
- How much does security cost?<br/><br />
- How does the Systems Security Engineering Capability Maturity Model (SSE-CMM) fit in?<br/><br />
<br/><br />
If you want to attend send an email to owasp@irc2.com.<br/><br />
<br/><br />
All OWASP chapter meetings are free, there are never vendor pitches or sales presentations at OWASP meetings.<br/><br />
<br/><br />
NOTE TO CISSP’s: OWASP Meetings count towards CPE Credits.<br/><br />
<br />
== OWASP Netherlands meeting minutes ==<br />
<br />
On 9 march, the second meeting of OWASP Netherlands local chapter took place. GetronicsPinkRoccade provided the venue, in their luxury conference centre: Connection I.<br/><br />
<br/><br />
Agenda:<br/><br />
18.00 - 18.45 Check-In (bread & drinks)<br/><br />
18.45 - 19.00 Opening<br/><br />
19.00 - 20.00 Improving Security in the Application Development Life-cycle, Migchiel de Jong<br/><br />
20.00 - 20.15 Coffee break<br/><br />
20.15 - 22.00 Form focus groups<br/><br />
<br/><br />
The presentation of Migchiel de Jong was found very interesting by the audience. At the end of his presentation, he demonstrated a static code analysis of the OWASP webgoat application.<br/><br />
<br/><br />
After the coffee break, the attendances started discussing about the largest common topics of interest in the web application security field, in relation to the OWASP Netherlands chapter. As a result, the following focus groups are formed:<br/><br />
<br/><br />
Testing<br/><br />
The current OWASP Testing project and the Open Source Security Testing Methodology Manual of ISECOM, provide guidelines and best practices for testers. These guidelines can be used to formalize a standard structure and a set of minimum requirements for a security test. Clients could ask a tester to adhere to these guidelines.<br/><br />
A second idea is to standardize the testing results management report. In practice, testing could result in piles of paper with all the findings. The real value is reporting it in a usable way. For example: mapping technical findings to business risks.<br/><br />
<br/><br />
Frans v. Buul<br/><br />
Peter Gouwentak<br/><br />
Arthur Donkers<br/><br />
Eelco Klaver<br/><br />
Migchiel de Jong<br/><br />
Mario de Boer<br/><br />
<br/><br />
First focus group meeting: Monday 27 march, 18:00h, PwC Utrecht<br/><br />
<br/><br />
<br/><br />
Public Relations<br/><br />
This focus group will try to make business aware of the security impact that developing, hosting and using web applications has. What OWASP is and how OWASP can help. This can be done by giving presentations, writing papers and articles, word of mouth, etc. etc.<br/><br />
<br/><br />
Remco Bakker<br/><br />
Ronald Eygendaal<br/><br />
Bas van Vossen<br/><br />
Edwin van Vliet<br/><br />
Eelco Klaver<br/><br />
<br/><br />
First presentation of OWASP materials: Edwin van Vliet, TestNet - Voorjaarsevenement, 5 april<br/><br />
First focus group meeting: To be planned!<br/><br />
<br/><br />
<br/><br />
Education<br/><br />
OWASP and universities/schools could benefit from working together. For example:<br/><br />
- OWASP provides lot's of materials usable in colleges.<br/><br />
- Develop OWASP training course.<br/><br />
- Students can participate in OWASP projects<br/><br />
- OWASP can provide a platform for supporting research. Such as thesis projects, etc.<br/><br />
- OWASP representatives could provide guest colleges.<br/><br />
<br/><br />
Ronald Eygendaal<br/><br />
Erik Poll<br/><br />
Bas van Vossen<br/><br />
Edwin van Vliet<br/><br />
<br/><br />
First focus group meeting: To be planned!<br/><br />
<br/><br />
The presentation is available here:<br/><br />
[[Media:OWASP_NL_Fortify_Software.pdf]]<br/><br />
<br />
== 9 March: Second meeting of the OWASP Netherlands local chapter! ==<br />
<br />
In this second meeting focus groups are to be formed, to discuss common problems, develop and research common solutions in a vendor neutral environment. So this is a very good opportunity to get in contact with others, to exchange knowledge and experiences on specific topics.<br/><br />
<br/><br />
For every focus group the following questions has to be answered:<br/><br />
1. Which specific topic is to be addressed?<br/><br />
2. What are the deliverables?<br/><br />
3. What is the relation to OWASP? (Current projects, materials, expertise and knowledge interchange, etc.)<br/><br />
4. Who is the central contact of the subgroup?<br/><br />
<br/><br />
It would be nice to have a bigger and more diverse group, compared to the first meeting. So let's recall: "Please, bring at least one friend, next time." And don't hesitate to send this announcement to everybody who may be interested!<br/><br />
<br/><br />
We thank Getronics PinkRoccade for offering us a venue:<br/><br />
Getronics PinkRoccade<br/><br />
Fauststraat 1<br/><br />
7323 BA Apeldoorn <br/><br />
<br/><br />
The agenda:<br/><br />
18.00 - 18.30 Check-In<br/><br />
18.30 - 18.45 Opening<br/><br />
18.45 - 19.30 Improving Security in the Application Development Life-cycle, Migchiel de Jong<br/><br />
19.30 - 20.00 Collecting focus group initiatives<br/><br />
19.45 - 20.00 Coffee break<br/><br />
20.00 - 21.00 Form focus groups<br/><br />
<br/><br />
Presentation Abstract<br/><br />
Rather than spending large amounts of time and money on proving that we have security vulnerabilities after programs go into production, companies should go to the source and correct vulnerabilities as early as possible in the development stage. It is unquestionably faster, simpler, and cheaper for developers to correct vulnerabilities as they build programs.<br/><br />
But how can development management ensure that developers focus on security when there is no time or budget for security at the development stage? Even with the correct focus, how can they learn what to look for? How can they stay ahead of the dedicated and resourceful hacker?<br/><br />
The answer is effective processes and better tools. With advanced software security tools, a developer can pinpoint vulnerabilities in a matter of seconds — the same vulnerabilities that would take a hacker or manual code reviewer weeks or even months to find. These same tools can give development and information security managers useful metrics on application vulnerabilities before they are released into deployment.<br/><br />
This talk will walk through the Application Development Life-Cycle and discuss how tools can help come to grips with software security issues in a particular phase.<br/><br />
<br/><br />
About the presenter<br/><br />
Migchiel de Jong has developed hardware and software for 10 years before joining Rational Software. During the 5 years at Rational Software (later acquired by IBM) he was involved in many software development process improvement projects. Currently Migchiel de Jong is working at Fortify Software, Palo Alto, California, as a software security engineer.<br/><br />
<br/><br />
If you want to attend send an email to owasp@irc2.nl. Please don't wait, 9 march is not that long anymore!<br/><br />
<br/><br />
All OWASP chapter meetings are free, there are never vendor pitches or sales presentations at OWASP meetings.<br/><br />
<br/><br />
NOTE TO CISSP’s: OWASP Meetings count towards CPE Credits.<br/><br />
<br />
== OWASP Netherlands kick-off meeting minutes ==<br />
<br />
On 17 November, OWASP Netherlands had it's first meeting. We moved to a bigger location, the Mercure hotel in Nieuwegein, to host all the 35 attendees.<br/><br />
<br/><br />
The agenda:<br/><br />
18.00 - 18.30 Check-In (bread & drinks)<br/><br />
18.30 - 18.45 Chapter opening<br/><br />
18.45 - 19.30 Presentation - 'Top tien web applicatie kwetsbaarheden in J2EE', Eelco Klaver<br/><br />
19.30 - 19.45 Presentation - 'Veilige webapplicaties boven alles', Mike Wardi<br/><br />
19.45 - 20.00 Coffee break<br/><br />
20.00 - 21.00 Discussion - About the OWASP Netherlands local chapter<br/><br />
<br/><br />
The discussion took place in a 'round table' session, where all attendees were able to take part. The focus of the discussion was how to give the OWASP Netherlands local chapter additional value, next to the OWASP project. What the goals and tasks will be. And which actions will have to be taken at short term.<br/><br />
Different people have interest in different subjects. In general meetings there is no time to address all subjects and address them specific enough. Therefore subgroups can be formed, focusing on specific topics. They can have their own communication channel and meetings, but should keep close contact with the OWASP body.<br/><br />
<br/><br />
An inventarisation:<br/><br />
<br/><br />
Discussion Topics<br/><br />
- Awareness: writing articles, press publications, interviews<br/><br />
- Education: contact universities, schools and their common boards. Develop and gather education materials.<br/><br />
- General: discuss ideas for OWASP NL<br/><br />
<br/><br />
Focusgroup Topics<br/><br />
- (dutch) metrics project<br/><br />
- (dutch) legal project<br/><br />
- standard framework for pentest reports<br/><br />
- safe outsourcing<br/><br />
<br/><br />
Actions that should be taken on short term are:<br/><br />
- provide communication channels<br/><br />
- plan next (sub)meetings<br/><br />
- start discussions and focusgroups<br/><br />
<br/><br />
The presentations are available here:<br/><br />
<br/><br />
[[Media:OWASP_NL_Top_Ten_Web_Application_Vulnerabilities_in_J2EE.pdf]]<br/><br />
[[Media:OWASP_NL_Veilige_Web_App_Boven_Alles.pdf]]<br/><br />
<br />
== You are welcome to the OWASP Netherlands local chapter kick-off meeting! ==<br />
<br />
Thursday, November 17th (2005) at 18.00h.<br/><br />
<br/><br />
ATTENTION! Because of the large amount of attendees, the location has changed:<br/><br />
<br/><br />
Hotel Mercure Utrecht/Nieuwegein<br/><br />
Buizerdlaan 10<br/><br />
3435 SB NIEUWEGEIN<br/><br />
Tel: 00 31 (0) 30 60 84 122<br/><br />
Fax: 00 31 (0) 30 60 38 374<br/><br />
<br/><br />
This first meeting will be an introduction to the OWASP. A constructive discussion will be held about the actual form of the OWASP Netherlands local chapter.<br/><br />
<br/><br />
The agenda:<br/><br />
18.00 - 18.30 Check-In (bread & drinks)<br/><br />
18.30 - 18.45 Chapter opening<br/><br />
18.45 - 19.30 Presentation - 'Top tien web applicatie kwetsbaarheden in J2EE', Eelco Klaver<br/><br />
19.30 - 19.45 Presentation - 'Veilige webapplicaties boven alles', Mike Wardi<br/><br />
19.45 - 20.00 Coffee break<br/><br />
20.00 - 21.00 Discussion - About the OWASP Netherlands local chapter<br/><br />
<br/><br />
About the presenters<br/><br />
<br/><br />
Eelco Klaver<br/><br />
Eelco Klaver is a senior consultant for Xebia IT Architects, since 2003. Doing software reviews, security audits and giving security workshops are part of his job. He has almost 10 years experience with developing enterprise applications in J2EE for different employees. At the moment, Eelco is the front man of the security business unit for Xebia, focussing on the security aspects of enterprise applications build on J2EE.<br/><br />
<br/><br />
Mike Wardi<br/><br />
Mike Wardi is an internet application manager for a financial institute. He's responsible for the safety of internet applications provided to customers and the implementation of the security policies in software developement.<br/><br />
<br/><br />
<br/><br />
If you want to attend, please send an email to owasp-nl@ascure.com or the mailing list.<br/><br />
<br/><br />
All OWASP chapter meetings are free! There are never vendor pitches or sales presentations at OWASP meetings.<br/><br />
<br/><br />
NOTE TO CISSP’s: OWASP Meetings count towards CPE Credits.<br/><br />
<br/></div>Dvsteinhttps://wiki.owasp.org/index.php?title=Netherlands&diff=46546Netherlands2008-11-19T16:46:05Z<p>Dvstein: /* Announcement 27 Oktober: Privacy and the Internet */</p>
<hr />
<div>{{Chapter Template|chaptername=Netherlands|extra=The chapter leader is [mailto:owasp@irc2.nl Bert Koelewijn]<br />
<paypal>Netherlands</paypal><br />
|mailinglistsite=http://lists.owasp.org/mailman/listinfo/owasp-netherlands|emailarchives=http://lists.owasp.org/pipermail/owasp-netherlands}}<br />
<br />
== Meeting schedule 2008 ==<br />
This is an overview of the 2008 local chapter meeting schedule. Details of the meetings can be found in the announcements that will be posted below this schedule.<br />
<pre><br />
March 26th<br />
----------<br />
Time : 17.30 - 21.30<br />
Main Topic : Software Vulnerability assessment<br />
Presentations: Complex(ity) matters, Mario de Boer (Dutch)<br />
V.A.C. SQL injection, Marinus Kuivenhoven (Dutch)<br />
Secure Programming with Static Analysis, Brian Chess (English) <br />
Location : Mercure Utrecht Nieuwegein, Buizerdlaan 10, 3435 SB Nieuwegein<br />
Sponsor : Fortify Software<br />
<br />
Oktober 27th<br />
----------<br />
Time : 17.30 - 21.30<br />
Main Topic : Privacy and the Internet<br />
Presentations: Privacy and Internet (Dutch), Frank Fruijthoff and Ellen Hoving<br />
Vulnerability and source code scanners. (Dutch) Emile Strijbos <br />
Location : ps_testware B.V., Dorpsstraat 26, 3941 JM DOORN<br />
Sponsor : ps_testware B.V.<br />
</pre><br />
== Meeting October 27th 2008: Privacy and the Internet ==<br />
'''Summary'''<br/><br />
The main goal of the upcoming OWASP-NL meeting is to provide information to developers and security professionals about personal and technical privacy on the internet. The speakers focus on privacy regulations related to the internet and on the mass amount of personal and technical information available about persons and companies on the internet, with and without their consent. Furthermore tools will be discussed that help prevent leakage of privacy related and other kind of data. They will give specific examples and there will be time to ask questions.<br/><br />
Please register before October 20th because of the necessary catering arrangements.<br/><br />
<br/><br />
'''Location'''<br/><br />
The location and catering is provided by the sponsor of this meeting:<br/><br />
<table><br />
<tr><br />
<td width="350"><br />
ps_testware B.V.<br/><br />
Dorpsstraat 26,<br/><br />
3941 JM DOORN<br/><br />
</td><br />
<td width="350"><br />
[[Image:Pstestware.jpg|100px]]<br />
</td><br />
</tr><br />
<tr><br />
<td width="350"><br />
The location has parking facilities for 15 cars. However parking in the direct vicinity of ps_testware shouldn’t be a problem.<br/><br />
</td><br />
<td width="350"><br />
ps_testware delivers services related to software testing and software quality. In the field of software development, quality, time-to-market, business processes and software acceptance they play the role of "your devil's advocate" as an independent, flexible and specialized partner.<br/><br />
For more information please visit: www.pstestware.com.<br/><br />
</td><br />
</tr><br />
</table><br />
<br/><br />
<br/><br />
'''Program'''<br/><br />
17.30 - 18.30 '''Check-In''' (catering included)<br/><br />
<br/><br />
18.30 – 19:00 '''Introduction''' (OWASP organization, projects, sponsor)<br/><br />
<br/><br />
19.00 - 20.15 '''Privacy and Internet''' (Dutch), Frank Fruijthoff and Ellen Hoving<br/><br />
In this presentation the general principles of privacy laws in the Netherlands and the EU and specifically privacy and the internet will be covered.<br/><br />
Frank Fruijthoff is a Compliance Officer with ING. He has a Compliance and Risk Management background and is specialised in privacy.<br/><br />
Ellen Hoving is a graduated lawyer. She works as an independent consultant specialized in compliance and privacy.<br/><br />
<br/><br />
20.15 – 20:30 '''Break'''<br/><br />
<br/><br />
20:30 – 21:00 '''Vulnerability and source code scanners''' (Dutch), Emile Strijbos<br />
<br/><br />
For his Master thesis in computer science at the Radboud Universiteit in Nijmegen, Emile Strijbos investigated vulnerability scanners and source code scanners. These are automated tools that try to detect security flaws, either in running web-applications or in their source code.<br/><br />
Emile tried out several of these tools, including both free and commercial ones, to see how good they are at detecting standard vulnerabilities, such as SQL injection, XSS, CSRF, etc.<br/><br />
<br/><br />
21.00 – 21:30 '''Discussion, questions and social'''<br/><br />
<br/><br />
If you want to attend, please send an email to: owasp@irc2.com.<br><br />
Please register before October 20th, because of the necessary catering arrangements. The number of registries is limited to 50 due to the capacity of the location and will be handled in order of receipt.<br/><br />
<br/><br />
All OWASP chapter meetings are free of charge and you don’t have to be an OWASP member to attend. There are never any vendor pitches or sales presentations at OWASP meetings.<br/><br />
<br/><br />
NOTE TO CISSP's: OWASP Meetings count towards CPE Credits.<br/><br />
<br/><br />
The announcement and full descriptions can be found here:<br/><br />
[[Media:Announcement_27_Oktober.pdf]]<br/><br />
<br />
== Meeting March 26th 2008: Software Vulnerability assessment ==<br />
'''Summary'''<br/><br />
The main goal of the upcoming OWASP-NL meeting is to provide information to developers and security professionals involved in creating secure (web-)applications. The main focus will be on software vulnerability assessment. The speakers will give specific examples and of course there is time to ask questions about your own experiences.<br/><br />
<br/><br />
'''Location'''<br/><br />
The location and catering is provided by the sponsor of this meeting:<br/><br />
<table><br />
<tr><br />
<td width="350"><br />
Mercure Utrecht Nieuwegein<br/><br />
Buizerdlaan 10,<br/><br />
3435 SB Nieuwegein<br/><br />
</td><br />
<td width="350"><br />
[[Image:Fortify.JPG|143px]]<br />
</td><br />
</tr><br />
<tr><br />
<td width="350"><br />
</td><br />
<td width="350"><br />
Fortify Software products protect companies from today’s greatest security risk: the software applications that run their businesses. Combining deep application security expertise with extensive software development experience, Fortify Software has defined the market with award-winning products that span the software development cycle. Today, Fortify Software fortifies the software for the most demanding customer deployments, including the world’s largest, most varied code bases.<br/><br />
<br/><br />
For more information please visit:<br/><br />
www.fortify.com<br/><br />
</td><br />
</tr><br />
</table><br />
<br/><br />
<br/><br />
'''Program'''<br/><br />
17.30 - 18.30 '''Check-In''' (catering included)<br/><br />
<br/><br />
18.30 - 18:50 '''Introduction''' (OWASP, sponsor)<br/><br />
<br/><br />
18.50 - 19.30 '''Complex(ity) matters''' (Dutch), Mario de Boer<br/><br />
Various methods exist to locate specific vulnerabilities in software. In the presentation we will look at static analysis of binaries, and the problems we face when trying to locate vulnerabilities. Several ideas will be discussed to make the search easier, but at the same time less exact. The first idea is trivial: automate as much as possible. The second idea is nearly trivial: don't aim at exact vulnerabilities but relax the search to locating potential vulnerabilities. We will give examples that illustrate the results.<br/><br />
Mario de Boer is a senior security consultant at Logica, and as such focuses on security management aspects like security frameworks, compliance, monitoring and control and risk management. Before joining Logica, Mario worked at the Dutch ministries of Defense and Justice, he co-founded a security company and worked as a project manager in the financial sector. For several years he taught courses in software security analysis and secure software development. Besides security management, Mario has interest in software security, reverse engineering and cryptography. Within Logica Netherlands, he is knowledge manager application security. Mario holds a PhD in Mathematics and is CISA and CISSP.<br/><br />
<br/><br />
19.30 - 19:50 '''Break'''<br/><br />
<br/><br />
19:50 - 20:20 '''V.A.C: SQL injection''' (Dutch), Marinus Kuivenhoven<br />
<br/><br />
<u>'''V'''ulnerability:</u><br/><br />
An application which uses a database for its information needs, communicates with it trough SQL. SQL injection is an attack in which malicious code is inserted into strings that are later passed to an instance of a Database for parsing and execution.<br/><br />
<u>'''A'''ssessment:</u><br/><br />
SQL injection can threaten the confidentiality, availability and integrity of the data. The various types of SQL injection and their impact will be shown.<br/><br />
<u>'''C'''ountermeasure:</u><br/><br />
Any procedure that constructs SQL statements should be reviewed for injection vulnerabilities because a database will execute all syntactically valid queries that it receives. How this should be done will be shown for the most popular languages.<br/><br />
Marinus is a Technology Specialist with Sogeti Nederland B.V. specializing in service oriented architectures and secure application development. His experience includes developing and administrating Oracle-based systems.<br/><br />
<br/><br />
20.20 - 21.00 '''Secure Programming with Static Analysis''' (English), Brian Chess<br/><br />
Creating secure code requires more than just good intentions. Programmers need to know how to make their code safe in an almost infinite number of scenarios and configurations. Static source code analysis gives users the ability to review their work with a fine tooth comb and uncover the kinds of errors that lead directly to vulnerabilities. This talk frames the software security problem and shows how static analysis is part of the solution. We will look at how static analysis works, how to integrate it into the software development processes, and how to make the most of it during security code review. Along the way we'll look at examples taken from real-world security incidents, showing how coding errors are exploited, how they could have been prevented, and how static analysis can rapidly uncover similar errors.<br/><br />
Brian Chess is a founder of Fortify Software and serves as Fortify's Chief Scientist, where his work focuses on practical methods for creating secure systems. His book, Secure Programming with Static Analysis, shows how static source code analysis is an indispensable tool for getting security right. Brian holds a Ph.D. in computer engineering from the University of California at Santa Cruz, where he studied the application of static analysis to the problem of finding security-relevant defects in source code. Before settling on security, Brian spent a decade in Silicon Valley working at huge companies and small startups. He has done research on a broad set of topics, ranging from integrated circuit design all the way to delivering software as a service.<br/><br />
<br/><br />
21.00 - 21:30 '''Discussion, questions and social'''<br/><br />
<br/><br />
'''Registration'''<br/><br />
If you want to attend, please send an email to: owasp@irc2.com.<br/><br />
<br/><br />
All OWASP chapter meetings are free of charge and you don’t have to be an OWASP member to attend. There are never any vendor pitches or sales presentations at OWASP meetings.<br/><br />
<br/><br />
NOTE TO CISSP's: OWASP Meetings count towards CPE Credits.<br/><br />
<br/><br />
<br />
== Meeting December 20th 2007: Secure Development ==<br />
'''Summary'''<br/><br />
The main goal of the upcoming OWASP-NL meeting is to provide information to developers and security professionals involved in creating secure (web-)applications. The general and specific security issues involved on project and programming level will be covered from a practical as well as a theoretical point of view. The speakers will give specific examples and of course there is time to ask questions about your own experiences.<br/><br />
Please register before December the 14th because of the necessary catering arrangements.<br/><br />
<br/><br />
'''Location'''<br/><br />
The location and catering is provided by the sponsor of this meeting:<br/><br />
<table><br />
<tr><br />
<td width="350"><br />
ps_testware B.V.<br/><br />
Dorpsstraat 26,<br/><br />
3941 JM DOORN<br/><br />
</td><br />
<td width="350"><br />
[[Image:Pstestware.jpg|100px]]<br />
</td><br />
</tr><br />
<tr><br />
<td width="350"><br />
The location has parking facilities for 15 cars. However parking in the direct vicinity of ps_testware shouldn’t be a problem.<br/><br />
</td><br />
<td width="350"><br />
ps_testware delivers services related to software testing and software quality. In the field of software development, quality, time-to-market, business processes and software acceptance they play the role of "your devil's advocate" as an independent, flexible and specialized partner.<br/><br />
For more information please visit: www.pstestware.com.<br/><br />
</td><br />
</tr><br />
</table><br />
<br/><br />
<br/><br />
'''Program'''<br/><br />
17.30 - 18.30 '''Check-In''' (catering included)<br/><br />
<br/><br />
18.30 – 19:00 '''Introduction''' (OWASP organization, projects, sponsor)<br/><br />
<br/><br />
19.00 - 19.30 '''Practices of developing optimal security''' (dutch), Andre Post<br/><br />
This presentation highlights a number of current practices that lead to sub-optimal security, and suggests ways of avoiding these problems, focusing on the technical side of development.<br/><br />
André Post works for Fox-IT on a variety of projects including core product development, software architecting, security code reviews, and software project management.<br/><br />
<br/><br />
19.30 – 19:45 '''Break'''<br/><br />
<br/><br />
19:45 – 20:30 '''Problems of developing secure and correct applications''' (dutch), Erik Poll [http://www.cs.ru.nl/~erikpoll/talks/OWASP2007.pdf (slides of the presentation)]<br />
<br/><br />
This presentation will discuss different possibilities to improve software security. The problem of getting time and money available to be spend on security, not only for developing applications, but also for developing programming languages, will be raised.<br/><br />
Erik Poll is head of the Security of Systems (SoS) group at the Radboud University of Nijmegen. His research does focus on the security and correctness of software.<br/><br />
<br/><br />
20.30 - 21.00 '''Protecting Web services and Web applications against security threats''' (dutch), Rix Groenboom<br/><br />
During this session, Rix will explore how to implement development and security best practices in the code to make sure that your webservices and applications perform solidly when they are being hacked or used in malicious ways.<br/><br />
Rix Groenboom supports fortune 2000 companies in field automated software error prevention and correction for Parasoft. His main area of expertise is in the use of formal languages for the specification, design and validation of software applications.<br/><br />
<br/><br />
21.00 – 21:30 '''Discussion, questions and social'''<br/><br />
<br/><br />
All OWASP chapter meetings are free of charge and you don’t have to be an OWASP member to attend. There are never any vendor pitches or sales presentations at OWASP meetings.<br/><br />
<br/><br />
NOTE TO CISSP's: OWASP Meetings count towards CPE Credits.<br/><br />
<br/><br />
The announcement and full descriptions can be found here:<br/><br />
[[Media:Announcement_20_December.pdf]]<br/><br />
[[Media:Announcement_20_December_2.pdf]]<br/><br />
<br />
== Meeting September 13th: putting initiatives into practice ==<br />
<br />
The main goal of the next OWASP meeting is finding a way to put initiatives and all offered help into a form of structural benefit for the OWASP Netherlands local chapter. As a starting point for the discussion, examples will be taken from other European chapters and input delivered by discussions that take place on the mailing list is considered too. Let this be a call to put your ideas on the mailing list before the next meeting!<br/><br />
<br/><br />
The location is provided by the sponsor of this meeting:<br/><br />
Comsec Consulting BV<br/><br />
Rivium Boulevard 102<br/><br />
2909LK Capelle aan den IJssel<br/><br />
<br/><br />
The agenda:<br/><br />
18.00 - 18.30 Check-In (catering included)<br/><br />
18.30 - 18.45 OWASP update, Bert Koelewijn<br/><br />
18.45 - 19.15 Security Best Practices for .NET, Boaz Shunami<br/><br />
19.15 - 20.00 Discussion: collecting ideas and initiatives<br/><br />
20.00 - 20.15 Coffee break<br/><br />
20.15 - 21.00 Discussion: how to enable community commitment<br/><br />
21.00 - 21.30 Closing discussion and coffee<br/><br />
<br/><br />
Boaz Shunami<br/><br />
Boaz is manager of the Application Security department of Comsec Europe. He has 11 years of experience in the IT Security field, and a large part of them in Application Security.<br/><br />
Boaz did numerous application security audits in very large organizations and is recognized as one of the greatest expert’s world wide. Boaz' expertise is broad, but especially in-depth for the .NET platform.<br/><br />
<br/><br />
Discussion input (until now)<br/><br />
- division of local chapter work load by multiple people<br/><br />
- collaboration with other organizations<br/><br />
<br/><br />
If you want to attend send an email to owasp@irc2.com.<br/><br />
<br/><br />
All OWASP chapter meetings are free, there are never vendor pitches or sales presentations at OWASP meetings.<br/><br />
<br/><br />
NOTE TO CISSP's: OWASP Meetings count towards CPE Credits.<br/><br />
<br />
== OWASP Netherlands meeting minutes ==<br />
<br />
January 11th, the Dutch OWASP chapter came together at the office of Sogeti Netherlands. Subject of the evening was 'putting software security into practice'. The group was small but select.<br/><br />
<br/><br />
The agenda:<br/><br />
18.00 - 18.30 Check-In (catering included)<br/><br />
18.30 - 18.45 Sponsor opening<br/><br />
18.45 - 19.00 OWASP update, Bert Koelewijn<br/><br />
19.00 - 19.30 Implementation of Security by Design, Martin Knobloch<br/><br />
19.30 - 19.45 Panel introduction<br/><br />
19.45 - 20.00 Coffee break<br/><br />
20.00 - 21.30 Panel discussion<br/><br />
<br/><br />
After being welcomed by Frank Langeveld from Sogeti and Bert Koelewijn, Dutch chapter leader, the evening started with the presentation 'Security By Design'. During the presentation Martin Knobloch told about his experiences during the implementation of the Secure Development Life Cycle in a company like Sogeti Nederland B.V.<br/><br />
<br/><br />
The presentation is available here:<br/><br />
[[Media:Implementation_of_Security_by_Design.ppt]]<br/><br />
<br/><br />
After a small break, the panel discussion started with the following panel: Henk van der Heijden - Comsec Consulting, Dr.ir. Mario de Boer - LogicaCMG and Martin Knobloch - Sogeti Nederland.<br/><br />
During the discussion, it became clear people are struggling to get the Secure Development Life Cycle implemented in their company. The various experiences were shared with the panel and the others. Company typical problems and common misunderstandings about Software security where brought up.<br/><br />
The consensus of the discussion was that the main problem lies in the lack of security awareness and knowledge of the managers and the developers. And this of course is exactly where OWASP comes in…<br/><br />
<br/><br />
== Announcement 11 January meeting ==<br />
<br />
The OWASP meeting of 11 January is about putting software security into practice. A lot of books, standards, organizations and consultants tell us how we should develop secure software. But which methods and measures are commonly adopted and which are not and why?<br/><br />
This will be the main focus of the discussion that we will have with a panel of people that experienced implementing software security in the field.<br/><br />
<br/><br />
The location is provided by the sponsor of this meeting:<br/><br />
Sogeti Nederland B.V.<br/><br />
"La Charmille" building<br/><br />
Lange Dreef 17<br/><br />
4131 NJ Vianen<br/><br />
<br/><br />
The agenda:<br />
<br/><br />
18.00 - 18.30 Check-In (catering included)<br/><br />
18.30 - 18.45 Sponsor opening<br/><br />
18.45 - 19.00 OWASP update, Bert Koelewijn<br/><br />
19.00 - 19.30 Implementation of Security by Design, Martin Knobloch<br/><br />
19.30 - 19.45 Panel introduction<br/><br />
19.45 - 20.00 Coffee break<br/><br />
20.00 - 21.30 Panel discussion<br/><br />
<br/><br />
Implementation of Security by Design<br/><br />
What is needed to implement a 'Secure Development Life Cycle' within Sogeti Nederland? The speaker started a project called 'Security by Design' in march 2006 implementing a SDLC at Sogeti Nederland.<br/><br />
In his presentation, the speaker will share his technical and organizational experiences that he gained with the still ongoing implementation.<br/><br />
<br/><br />
About the speaker<br/><br />
Martin Knobloch has more than 8 years experience in design and development of J2EE applications for customers in various sectors of the market. In September 2003 Martin Knobloch started working for Sogeti Nederland, where he does the design, development and review of J2EE applications and architectures.<br/><br />
From this background, Martin Knobloch experienced the threats of insecure software firsthand. In march 2006, Martin Knobloch started implementing a SDLC within Sogeti Nederland.<br/><br />
<br/><br />
Panel discussion<br/><br />
The panel members are:<br/><br />
Henk van der Heijden, Managing Director - Comsec Consulting B.V.<br/><br />
Dr.ir. Mario de Boer, Security Consultant - LogicaCMG<br/><br />
Martin Knobloch, Senior Technologie Specialist - Sogeti Nederland B.V.<br/><br />
<br/><br />
In the discussion, we will try to find answers to questions like:<br/><br />
- What are the most common security practices in software development?<br/><br />
- How effective are those practices?<br/><br />
- Where do we start practicing security?<br/><br />
- What should be the most common security practices in software development?<br/><br />
- How much does security cost?<br/><br />
- How does the Systems Security Engineering Capability Maturity Model (SSE-CMM) fit in?<br/><br />
<br/><br />
If you want to attend send an email to owasp@irc2.com.<br/><br />
<br/><br />
All OWASP chapter meetings are free, there are never vendor pitches or sales presentations at OWASP meetings.<br/><br />
<br/><br />
NOTE TO CISSP’s: OWASP Meetings count towards CPE Credits.<br/><br />
<br />
== OWASP Netherlands meeting minutes ==<br />
<br />
On 9 march, the second meeting of OWASP Netherlands local chapter took place. GetronicsPinkRoccade provided the venue, in their luxury conference centre: Connection I.<br/><br />
<br/><br />
Agenda:<br/><br />
18.00 - 18.45 Check-In (bread & drinks)<br/><br />
18.45 - 19.00 Opening<br/><br />
19.00 - 20.00 Improving Security in the Application Development Life-cycle, Migchiel de Jong<br/><br />
20.00 - 20.15 Coffee break<br/><br />
20.15 - 22.00 Form focus groups<br/><br />
<br/><br />
The presentation of Migchiel de Jong was found very interesting by the audience. At the end of his presentation, he demonstrated a static code analysis of the OWASP webgoat application.<br/><br />
<br/><br />
After the coffee break, the attendances started discussing about the largest common topics of interest in the web application security field, in relation to the OWASP Netherlands chapter. As a result, the following focus groups are formed:<br/><br />
<br/><br />
Testing<br/><br />
The current OWASP Testing project and the Open Source Security Testing Methodology Manual of ISECOM, provide guidelines and best practices for testers. These guidelines can be used to formalize a standard structure and a set of minimum requirements for a security test. Clients could ask a tester to adhere to these guidelines.<br/><br />
A second idea is to standardize the testing results management report. In practice, testing could result in piles of paper with all the findings. The real value is reporting it in a usable way. For example: mapping technical findings to business risks.<br/><br />
<br/><br />
Frans v. Buul<br/><br />
Peter Gouwentak<br/><br />
Arthur Donkers<br/><br />
Eelco Klaver<br/><br />
Migchiel de Jong<br/><br />
Mario de Boer<br/><br />
<br/><br />
First focus group meeting: Monday 27 march, 18:00h, PwC Utrecht<br/><br />
<br/><br />
<br/><br />
Public Relations<br/><br />
This focus group will try to make business aware of the security impact that developing, hosting and using web applications has. What OWASP is and how OWASP can help. This can be done by giving presentations, writing papers and articles, word of mouth, etc. etc.<br/><br />
<br/><br />
Remco Bakker<br/><br />
Ronald Eygendaal<br/><br />
Bas van Vossen<br/><br />
Edwin van Vliet<br/><br />
Eelco Klaver<br/><br />
<br/><br />
First presentation of OWASP materials: Edwin van Vliet, TestNet - Voorjaarsevenement, 5 april<br/><br />
First focus group meeting: To be planned!<br/><br />
<br/><br />
<br/><br />
Education<br/><br />
OWASP and universities/schools could benefit from working together. For example:<br/><br />
- OWASP provides lot's of materials usable in colleges.<br/><br />
- Develop OWASP training course.<br/><br />
- Students can participate in OWASP projects<br/><br />
- OWASP can provide a platform for supporting research. Such as thesis projects, etc.<br/><br />
- OWASP representatives could provide guest colleges.<br/><br />
<br/><br />
Ronald Eygendaal<br/><br />
Erik Poll<br/><br />
Bas van Vossen<br/><br />
Edwin van Vliet<br/><br />
<br/><br />
First focus group meeting: To be planned!<br/><br />
<br/><br />
The presentation is available here:<br/><br />
[[Media:OWASP_NL_Fortify_Software.pdf]]<br/><br />
<br />
== 9 March: Second meeting of the OWASP Netherlands local chapter! ==<br />
<br />
In this second meeting focus groups are to be formed, to discuss common problems, develop and research common solutions in a vendor neutral environment. So this is a very good opportunity to get in contact with others, to exchange knowledge and experiences on specific topics.<br/><br />
<br/><br />
For every focus group the following questions has to be answered:<br/><br />
1. Which specific topic is to be addressed?<br/><br />
2. What are the deliverables?<br/><br />
3. What is the relation to OWASP? (Current projects, materials, expertise and knowledge interchange, etc.)<br/><br />
4. Who is the central contact of the subgroup?<br/><br />
<br/><br />
It would be nice to have a bigger and more diverse group, compared to the first meeting. So let's recall: "Please, bring at least one friend, next time." And don't hesitate to send this announcement to everybody who may be interested!<br/><br />
<br/><br />
We thank Getronics PinkRoccade for offering us a venue:<br/><br />
Getronics PinkRoccade<br/><br />
Fauststraat 1<br/><br />
7323 BA Apeldoorn <br/><br />
<br/><br />
The agenda:<br/><br />
18.00 - 18.30 Check-In<br/><br />
18.30 - 18.45 Opening<br/><br />
18.45 - 19.30 Improving Security in the Application Development Life-cycle, Migchiel de Jong<br/><br />
19.30 - 20.00 Collecting focus group initiatives<br/><br />
19.45 - 20.00 Coffee break<br/><br />
20.00 - 21.00 Form focus groups<br/><br />
<br/><br />
Presentation Abstract<br/><br />
Rather than spending large amounts of time and money on proving that we have security vulnerabilities after programs go into production, companies should go to the source and correct vulnerabilities as early as possible in the development stage. It is unquestionably faster, simpler, and cheaper for developers to correct vulnerabilities as they build programs.<br/><br />
But how can development management ensure that developers focus on security when there is no time or budget for security at the development stage? Even with the correct focus, how can they learn what to look for? How can they stay ahead of the dedicated and resourceful hacker?<br/><br />
The answer is effective processes and better tools. With advanced software security tools, a developer can pinpoint vulnerabilities in a matter of seconds — the same vulnerabilities that would take a hacker or manual code reviewer weeks or even months to find. These same tools can give development and information security managers useful metrics on application vulnerabilities before they are released into deployment.<br/><br />
This talk will walk through the Application Development Life-Cycle and discuss how tools can help come to grips with software security issues in a particular phase.<br/><br />
<br/><br />
About the presenter<br/><br />
Migchiel de Jong has developed hardware and software for 10 years before joining Rational Software. During the 5 years at Rational Software (later acquired by IBM) he was involved in many software development process improvement projects. Currently Migchiel de Jong is working at Fortify Software, Palo Alto, California, as a software security engineer.<br/><br />
<br/><br />
If you want to attend send an email to owasp@irc2.nl. Please don't wait, 9 march is not that long anymore!<br/><br />
<br/><br />
All OWASP chapter meetings are free, there are never vendor pitches or sales presentations at OWASP meetings.<br/><br />
<br/><br />
NOTE TO CISSP’s: OWASP Meetings count towards CPE Credits.<br/><br />
<br />
== OWASP Netherlands kick-off meeting minutes ==<br />
<br />
On 17 November, OWASP Netherlands had it's first meeting. We moved to a bigger location, the Mercure hotel in Nieuwegein, to host all the 35 attendees.<br/><br />
<br/><br />
The agenda:<br/><br />
18.00 - 18.30 Check-In (bread & drinks)<br/><br />
18.30 - 18.45 Chapter opening<br/><br />
18.45 - 19.30 Presentation - 'Top tien web applicatie kwetsbaarheden in J2EE', Eelco Klaver<br/><br />
19.30 - 19.45 Presentation - 'Veilige webapplicaties boven alles', Mike Wardi<br/><br />
19.45 - 20.00 Coffee break<br/><br />
20.00 - 21.00 Discussion - About the OWASP Netherlands local chapter<br/><br />
<br/><br />
The discussion took place in a 'round table' session, where all attendees were able to take part. The focus of the discussion was how to give the OWASP Netherlands local chapter additional value, next to the OWASP project. What the goals and tasks will be. And which actions will have to be taken at short term.<br/><br />
Different people have interest in different subjects. In general meetings there is no time to address all subjects and address them specific enough. Therefore subgroups can be formed, focusing on specific topics. They can have their own communication channel and meetings, but should keep close contact with the OWASP body.<br/><br />
<br/><br />
An inventarisation:<br/><br />
<br/><br />
Discussion Topics<br/><br />
- Awareness: writing articles, press publications, interviews<br/><br />
- Education: contact universities, schools and their common boards. Develop and gather education materials.<br/><br />
- General: discuss ideas for OWASP NL<br/><br />
<br/><br />
Focusgroup Topics<br/><br />
- (dutch) metrics project<br/><br />
- (dutch) legal project<br/><br />
- standard framework for pentest reports<br/><br />
- safe outsourcing<br/><br />
<br/><br />
Actions that should be taken on short term are:<br/><br />
- provide communication channels<br/><br />
- plan next (sub)meetings<br/><br />
- start discussions and focusgroups<br/><br />
<br/><br />
The presentations are available here:<br/><br />
<br/><br />
[[Media:OWASP_NL_Top_Ten_Web_Application_Vulnerabilities_in_J2EE.pdf]]<br/><br />
[[Media:OWASP_NL_Veilige_Web_App_Boven_Alles.pdf]]<br/><br />
<br />
== You are welcome to the OWASP Netherlands local chapter kick-off meeting! ==<br />
<br />
Thursday, November 17th (2005) at 18.00h.<br/><br />
<br/><br />
ATTENTION! Because of the large amount of attendees, the location has changed:<br/><br />
<br/><br />
Hotel Mercure Utrecht/Nieuwegein<br/><br />
Buizerdlaan 10<br/><br />
3435 SB NIEUWEGEIN<br/><br />
Tel: 00 31 (0) 30 60 84 122<br/><br />
Fax: 00 31 (0) 30 60 38 374<br/><br />
<br/><br />
This first meeting will be an introduction to the OWASP. A constructive discussion will be held about the actual form of the OWASP Netherlands local chapter.<br/><br />
<br/><br />
The agenda:<br/><br />
18.00 - 18.30 Check-In (bread & drinks)<br/><br />
18.30 - 18.45 Chapter opening<br/><br />
18.45 - 19.30 Presentation - 'Top tien web applicatie kwetsbaarheden in J2EE', Eelco Klaver<br/><br />
19.30 - 19.45 Presentation - 'Veilige webapplicaties boven alles', Mike Wardi<br/><br />
19.45 - 20.00 Coffee break<br/><br />
20.00 - 21.00 Discussion - About the OWASP Netherlands local chapter<br/><br />
<br/><br />
About the presenters<br/><br />
<br/><br />
Eelco Klaver<br/><br />
Eelco Klaver is a senior consultant for Xebia IT Architects, since 2003. Doing software reviews, security audits and giving security workshops are part of his job. He has almost 10 years experience with developing enterprise applications in J2EE for different employees. At the moment, Eelco is the front man of the security business unit for Xebia, focussing on the security aspects of enterprise applications build on J2EE.<br/><br />
<br/><br />
Mike Wardi<br/><br />
Mike Wardi is an internet application manager for a financial institute. He's responsible for the safety of internet applications provided to customers and the implementation of the security policies in software developement.<br/><br />
<br/><br />
<br/><br />
If you want to attend, please send an email to owasp-nl@ascure.com or the mailing list.<br/><br />
<br/><br />
All OWASP chapter meetings are free! There are never vendor pitches or sales presentations at OWASP meetings.<br/><br />
<br/><br />
NOTE TO CISSP’s: OWASP Meetings count towards CPE Credits.<br/><br />
<br/></div>Dvsteinhttps://wiki.owasp.org/index.php?title=Netherlands&diff=46545Netherlands2008-11-19T16:45:28Z<p>Dvstein: /* Announcement March 26th: Software Vulnerability assessment */</p>
<hr />
<div>{{Chapter Template|chaptername=Netherlands|extra=The chapter leader is [mailto:owasp@irc2.nl Bert Koelewijn]<br />
<paypal>Netherlands</paypal><br />
|mailinglistsite=http://lists.owasp.org/mailman/listinfo/owasp-netherlands|emailarchives=http://lists.owasp.org/pipermail/owasp-netherlands}}<br />
<br />
== Meeting schedule 2008 ==<br />
This is an overview of the 2008 local chapter meeting schedule. Details of the meetings can be found in the announcements that will be posted below this schedule.<br />
<pre><br />
March 26th<br />
----------<br />
Time : 17.30 - 21.30<br />
Main Topic : Software Vulnerability assessment<br />
Presentations: Complex(ity) matters, Mario de Boer (Dutch)<br />
V.A.C. SQL injection, Marinus Kuivenhoven (Dutch)<br />
Secure Programming with Static Analysis, Brian Chess (English) <br />
Location : Mercure Utrecht Nieuwegein, Buizerdlaan 10, 3435 SB Nieuwegein<br />
Sponsor : Fortify Software<br />
<br />
Oktober 27th<br />
----------<br />
Time : 17.30 - 21.30<br />
Main Topic : Privacy and the Internet<br />
Presentations: Privacy and Internet (Dutch), Frank Fruijthoff and Ellen Hoving<br />
Vulnerability and source code scanners. (Dutch) Emile Strijbos <br />
Location : ps_testware B.V., Dorpsstraat 26, 3941 JM DOORN<br />
Sponsor : ps_testware B.V.<br />
</pre><br />
== Announcement 27 Oktober: Privacy and the Internet ==<br />
'''Summary'''<br/><br />
The main goal of the upcoming OWASP-NL meeting is to provide information to developers and security professionals about personal and technical privacy on the internet. The speakers focus on privacy regulations related to the internet and on the mass amount of personal and technical information available about persons and companies on the internet, with and without their consent. Furthermore tools will be discussed that help prevent leakage of privacy related and other kind of data. They will give specific examples and there will be time to ask questions.<br/><br />
Please register before October 20th because of the necessary catering arrangements.<br/><br />
<br/><br />
'''Location'''<br/><br />
The location and catering is provided by the sponsor of this meeting:<br/><br />
<table><br />
<tr><br />
<td width="350"><br />
ps_testware B.V.<br/><br />
Dorpsstraat 26,<br/><br />
3941 JM DOORN<br/><br />
</td><br />
<td width="350"><br />
[[Image:Pstestware.jpg|100px]]<br />
</td><br />
</tr><br />
<tr><br />
<td width="350"><br />
The location has parking facilities for 15 cars. However parking in the direct vicinity of ps_testware shouldn’t be a problem.<br/><br />
</td><br />
<td width="350"><br />
ps_testware delivers services related to software testing and software quality. In the field of software development, quality, time-to-market, business processes and software acceptance they play the role of "your devil's advocate" as an independent, flexible and specialized partner.<br/><br />
For more information please visit: www.pstestware.com.<br/><br />
</td><br />
</tr><br />
</table><br />
<br/><br />
<br/><br />
'''Program'''<br/><br />
17.30 - 18.30 '''Check-In''' (catering included)<br/><br />
<br/><br />
18.30 – 19:00 '''Introduction''' (OWASP organization, projects, sponsor)<br/><br />
<br/><br />
19.00 - 20.15 '''Privacy and Internet''' (Dutch), Frank Fruijthoff and Ellen Hoving<br/><br />
In this presentation the general principles of privacy laws in the Netherlands and the EU and specifically privacy and the internet will be covered.<br/><br />
Frank Fruijthoff is a Compliance Officer with ING. He has a Compliance and Risk Management background and is specialised in privacy.<br/><br />
Ellen Hoving is a graduated lawyer. She works as an independent consultant specialized in compliance and privacy.<br/><br />
<br/><br />
20.15 – 20:30 '''Break'''<br/><br />
<br/><br />
20:30 – 21:00 '''Vulnerability and source code scanners''' (Dutch), Emile Strijbos<br />
<br/><br />
For his Master thesis in computer science at the Radboud Universiteit in Nijmegen, Emile Strijbos investigated vulnerability scanners and source code scanners. These are automated tools that try to detect security flaws, either in running web-applications or in their source code.<br/><br />
Emile tried out several of these tools, including both free and commercial ones, to see how good they are at detecting standard vulnerabilities, such as SQL injection, XSS, CSRF, etc.<br/><br />
<br/><br />
21.00 – 21:30 '''Discussion, questions and social'''<br/><br />
<br/><br />
If you want to attend, please send an email to: owasp@irc2.com.<br><br />
Please register before October 20th, because of the necessary catering arrangements. The number of registries is limited to 50 due to the capacity of the location and will be handled in order of receipt.<br/><br />
<br/><br />
All OWASP chapter meetings are free of charge and you don’t have to be an OWASP member to attend. There are never any vendor pitches or sales presentations at OWASP meetings.<br/><br />
<br/><br />
NOTE TO CISSP's: OWASP Meetings count towards CPE Credits.<br/><br />
<br/><br />
The announcement and full descriptions can be found here:<br/><br />
[[Media:Announcement_27_Oktober.pdf]]<br/><br />
<br />
== Meeting March 26th 2008: Software Vulnerability assessment ==<br />
'''Summary'''<br/><br />
The main goal of the upcoming OWASP-NL meeting is to provide information to developers and security professionals involved in creating secure (web-)applications. The main focus will be on software vulnerability assessment. The speakers will give specific examples and of course there is time to ask questions about your own experiences.<br/><br />
<br/><br />
'''Location'''<br/><br />
The location and catering is provided by the sponsor of this meeting:<br/><br />
<table><br />
<tr><br />
<td width="350"><br />
Mercure Utrecht Nieuwegein<br/><br />
Buizerdlaan 10,<br/><br />
3435 SB Nieuwegein<br/><br />
</td><br />
<td width="350"><br />
[[Image:Fortify.JPG|143px]]<br />
</td><br />
</tr><br />
<tr><br />
<td width="350"><br />
</td><br />
<td width="350"><br />
Fortify Software products protect companies from today’s greatest security risk: the software applications that run their businesses. Combining deep application security expertise with extensive software development experience, Fortify Software has defined the market with award-winning products that span the software development cycle. Today, Fortify Software fortifies the software for the most demanding customer deployments, including the world’s largest, most varied code bases.<br/><br />
<br/><br />
For more information please visit:<br/><br />
www.fortify.com<br/><br />
</td><br />
</tr><br />
</table><br />
<br/><br />
<br/><br />
'''Program'''<br/><br />
17.30 - 18.30 '''Check-In''' (catering included)<br/><br />
<br/><br />
18.30 - 18:50 '''Introduction''' (OWASP, sponsor)<br/><br />
<br/><br />
18.50 - 19.30 '''Complex(ity) matters''' (Dutch), Mario de Boer<br/><br />
Various methods exist to locate specific vulnerabilities in software. In the presentation we will look at static analysis of binaries, and the problems we face when trying to locate vulnerabilities. Several ideas will be discussed to make the search easier, but at the same time less exact. The first idea is trivial: automate as much as possible. The second idea is nearly trivial: don't aim at exact vulnerabilities but relax the search to locating potential vulnerabilities. We will give examples that illustrate the results.<br/><br />
Mario de Boer is a senior security consultant at Logica, and as such focuses on security management aspects like security frameworks, compliance, monitoring and control and risk management. Before joining Logica, Mario worked at the Dutch ministries of Defense and Justice, he co-founded a security company and worked as a project manager in the financial sector. For several years he taught courses in software security analysis and secure software development. Besides security management, Mario has interest in software security, reverse engineering and cryptography. Within Logica Netherlands, he is knowledge manager application security. Mario holds a PhD in Mathematics and is CISA and CISSP.<br/><br />
<br/><br />
19.30 - 19:50 '''Break'''<br/><br />
<br/><br />
19:50 - 20:20 '''V.A.C: SQL injection''' (Dutch), Marinus Kuivenhoven<br />
<br/><br />
<u>'''V'''ulnerability:</u><br/><br />
An application which uses a database for its information needs, communicates with it trough SQL. SQL injection is an attack in which malicious code is inserted into strings that are later passed to an instance of a Database for parsing and execution.<br/><br />
<u>'''A'''ssessment:</u><br/><br />
SQL injection can threaten the confidentiality, availability and integrity of the data. The various types of SQL injection and their impact will be shown.<br/><br />
<u>'''C'''ountermeasure:</u><br/><br />
Any procedure that constructs SQL statements should be reviewed for injection vulnerabilities because a database will execute all syntactically valid queries that it receives. How this should be done will be shown for the most popular languages.<br/><br />
Marinus is a Technology Specialist with Sogeti Nederland B.V. specializing in service oriented architectures and secure application development. His experience includes developing and administrating Oracle-based systems.<br/><br />
<br/><br />
20.20 - 21.00 '''Secure Programming with Static Analysis''' (English), Brian Chess<br/><br />
Creating secure code requires more than just good intentions. Programmers need to know how to make their code safe in an almost infinite number of scenarios and configurations. Static source code analysis gives users the ability to review their work with a fine tooth comb and uncover the kinds of errors that lead directly to vulnerabilities. This talk frames the software security problem and shows how static analysis is part of the solution. We will look at how static analysis works, how to integrate it into the software development processes, and how to make the most of it during security code review. Along the way we'll look at examples taken from real-world security incidents, showing how coding errors are exploited, how they could have been prevented, and how static analysis can rapidly uncover similar errors.<br/><br />
Brian Chess is a founder of Fortify Software and serves as Fortify's Chief Scientist, where his work focuses on practical methods for creating secure systems. His book, Secure Programming with Static Analysis, shows how static source code analysis is an indispensable tool for getting security right. Brian holds a Ph.D. in computer engineering from the University of California at Santa Cruz, where he studied the application of static analysis to the problem of finding security-relevant defects in source code. Before settling on security, Brian spent a decade in Silicon Valley working at huge companies and small startups. He has done research on a broad set of topics, ranging from integrated circuit design all the way to delivering software as a service.<br/><br />
<br/><br />
21.00 - 21:30 '''Discussion, questions and social'''<br/><br />
<br/><br />
'''Registration'''<br/><br />
If you want to attend, please send an email to: owasp@irc2.com.<br/><br />
<br/><br />
All OWASP chapter meetings are free of charge and you don’t have to be an OWASP member to attend. There are never any vendor pitches or sales presentations at OWASP meetings.<br/><br />
<br/><br />
NOTE TO CISSP's: OWASP Meetings count towards CPE Credits.<br/><br />
<br/><br />
<br />
== Meeting December 20th 2007: Secure Development ==<br />
'''Summary'''<br/><br />
The main goal of the upcoming OWASP-NL meeting is to provide information to developers and security professionals involved in creating secure (web-)applications. The general and specific security issues involved on project and programming level will be covered from a practical as well as a theoretical point of view. The speakers will give specific examples and of course there is time to ask questions about your own experiences.<br/><br />
Please register before December the 14th because of the necessary catering arrangements.<br/><br />
<br/><br />
'''Location'''<br/><br />
The location and catering is provided by the sponsor of this meeting:<br/><br />
<table><br />
<tr><br />
<td width="350"><br />
ps_testware B.V.<br/><br />
Dorpsstraat 26,<br/><br />
3941 JM DOORN<br/><br />
</td><br />
<td width="350"><br />
[[Image:Pstestware.jpg|100px]]<br />
</td><br />
</tr><br />
<tr><br />
<td width="350"><br />
The location has parking facilities for 15 cars. However parking in the direct vicinity of ps_testware shouldn’t be a problem.<br/><br />
</td><br />
<td width="350"><br />
ps_testware delivers services related to software testing and software quality. In the field of software development, quality, time-to-market, business processes and software acceptance they play the role of "your devil's advocate" as an independent, flexible and specialized partner.<br/><br />
For more information please visit: www.pstestware.com.<br/><br />
</td><br />
</tr><br />
</table><br />
<br/><br />
<br/><br />
'''Program'''<br/><br />
17.30 - 18.30 '''Check-In''' (catering included)<br/><br />
<br/><br />
18.30 – 19:00 '''Introduction''' (OWASP organization, projects, sponsor)<br/><br />
<br/><br />
19.00 - 19.30 '''Practices of developing optimal security''' (dutch), Andre Post<br/><br />
This presentation highlights a number of current practices that lead to sub-optimal security, and suggests ways of avoiding these problems, focusing on the technical side of development.<br/><br />
André Post works for Fox-IT on a variety of projects including core product development, software architecting, security code reviews, and software project management.<br/><br />
<br/><br />
19.30 – 19:45 '''Break'''<br/><br />
<br/><br />
19:45 – 20:30 '''Problems of developing secure and correct applications''' (dutch), Erik Poll [http://www.cs.ru.nl/~erikpoll/talks/OWASP2007.pdf (slides of the presentation)]<br />
<br/><br />
This presentation will discuss different possibilities to improve software security. The problem of getting time and money available to be spend on security, not only for developing applications, but also for developing programming languages, will be raised.<br/><br />
Erik Poll is head of the Security of Systems (SoS) group at the Radboud University of Nijmegen. His research does focus on the security and correctness of software.<br/><br />
<br/><br />
20.30 - 21.00 '''Protecting Web services and Web applications against security threats''' (dutch), Rix Groenboom<br/><br />
During this session, Rix will explore how to implement development and security best practices in the code to make sure that your webservices and applications perform solidly when they are being hacked or used in malicious ways.<br/><br />
Rix Groenboom supports fortune 2000 companies in field automated software error prevention and correction for Parasoft. His main area of expertise is in the use of formal languages for the specification, design and validation of software applications.<br/><br />
<br/><br />
21.00 – 21:30 '''Discussion, questions and social'''<br/><br />
<br/><br />
All OWASP chapter meetings are free of charge and you don’t have to be an OWASP member to attend. There are never any vendor pitches or sales presentations at OWASP meetings.<br/><br />
<br/><br />
NOTE TO CISSP's: OWASP Meetings count towards CPE Credits.<br/><br />
<br/><br />
The announcement and full descriptions can be found here:<br/><br />
[[Media:Announcement_20_December.pdf]]<br/><br />
[[Media:Announcement_20_December_2.pdf]]<br/><br />
<br />
== Meeting September 13th: putting initiatives into practice ==<br />
<br />
The main goal of the next OWASP meeting is finding a way to put initiatives and all offered help into a form of structural benefit for the OWASP Netherlands local chapter. As a starting point for the discussion, examples will be taken from other European chapters and input delivered by discussions that take place on the mailing list is considered too. Let this be a call to put your ideas on the mailing list before the next meeting!<br/><br />
<br/><br />
The location is provided by the sponsor of this meeting:<br/><br />
Comsec Consulting BV<br/><br />
Rivium Boulevard 102<br/><br />
2909LK Capelle aan den IJssel<br/><br />
<br/><br />
The agenda:<br/><br />
18.00 - 18.30 Check-In (catering included)<br/><br />
18.30 - 18.45 OWASP update, Bert Koelewijn<br/><br />
18.45 - 19.15 Security Best Practices for .NET, Boaz Shunami<br/><br />
19.15 - 20.00 Discussion: collecting ideas and initiatives<br/><br />
20.00 - 20.15 Coffee break<br/><br />
20.15 - 21.00 Discussion: how to enable community commitment<br/><br />
21.00 - 21.30 Closing discussion and coffee<br/><br />
<br/><br />
Boaz Shunami<br/><br />
Boaz is manager of the Application Security department of Comsec Europe. He has 11 years of experience in the IT Security field, and a large part of them in Application Security.<br/><br />
Boaz did numerous application security audits in very large organizations and is recognized as one of the greatest expert’s world wide. Boaz' expertise is broad, but especially in-depth for the .NET platform.<br/><br />
<br/><br />
Discussion input (until now)<br/><br />
- division of local chapter work load by multiple people<br/><br />
- collaboration with other organizations<br/><br />
<br/><br />
If you want to attend send an email to owasp@irc2.com.<br/><br />
<br/><br />
All OWASP chapter meetings are free, there are never vendor pitches or sales presentations at OWASP meetings.<br/><br />
<br/><br />
NOTE TO CISSP's: OWASP Meetings count towards CPE Credits.<br/><br />
<br />
== OWASP Netherlands meeting minutes ==<br />
<br />
January 11th, the Dutch OWASP chapter came together at the office of Sogeti Netherlands. Subject of the evening was 'putting software security into practice'. The group was small but select.<br/><br />
<br/><br />
The agenda:<br/><br />
18.00 - 18.30 Check-In (catering included)<br/><br />
18.30 - 18.45 Sponsor opening<br/><br />
18.45 - 19.00 OWASP update, Bert Koelewijn<br/><br />
19.00 - 19.30 Implementation of Security by Design, Martin Knobloch<br/><br />
19.30 - 19.45 Panel introduction<br/><br />
19.45 - 20.00 Coffee break<br/><br />
20.00 - 21.30 Panel discussion<br/><br />
<br/><br />
After being welcomed by Frank Langeveld from Sogeti and Bert Koelewijn, Dutch chapter leader, the evening started with the presentation 'Security By Design'. During the presentation Martin Knobloch told about his experiences during the implementation of the Secure Development Life Cycle in a company like Sogeti Nederland B.V.<br/><br />
<br/><br />
The presentation is available here:<br/><br />
[[Media:Implementation_of_Security_by_Design.ppt]]<br/><br />
<br/><br />
After a small break, the panel discussion started with the following panel: Henk van der Heijden - Comsec Consulting, Dr.ir. Mario de Boer - LogicaCMG and Martin Knobloch - Sogeti Nederland.<br/><br />
During the discussion, it became clear people are struggling to get the Secure Development Life Cycle implemented in their company. The various experiences were shared with the panel and the others. Company typical problems and common misunderstandings about Software security where brought up.<br/><br />
The consensus of the discussion was that the main problem lies in the lack of security awareness and knowledge of the managers and the developers. And this of course is exactly where OWASP comes in…<br/><br />
<br/><br />
== Announcement 11 January meeting ==<br />
<br />
The OWASP meeting of 11 January is about putting software security into practice. A lot of books, standards, organizations and consultants tell us how we should develop secure software. But which methods and measures are commonly adopted and which are not and why?<br/><br />
This will be the main focus of the discussion that we will have with a panel of people that experienced implementing software security in the field.<br/><br />
<br/><br />
The location is provided by the sponsor of this meeting:<br/><br />
Sogeti Nederland B.V.<br/><br />
"La Charmille" building<br/><br />
Lange Dreef 17<br/><br />
4131 NJ Vianen<br/><br />
<br/><br />
The agenda:<br />
<br/><br />
18.00 - 18.30 Check-In (catering included)<br/><br />
18.30 - 18.45 Sponsor opening<br/><br />
18.45 - 19.00 OWASP update, Bert Koelewijn<br/><br />
19.00 - 19.30 Implementation of Security by Design, Martin Knobloch<br/><br />
19.30 - 19.45 Panel introduction<br/><br />
19.45 - 20.00 Coffee break<br/><br />
20.00 - 21.30 Panel discussion<br/><br />
<br/><br />
Implementation of Security by Design<br/><br />
What is needed to implement a 'Secure Development Life Cycle' within Sogeti Nederland? The speaker started a project called 'Security by Design' in march 2006 implementing a SDLC at Sogeti Nederland.<br/><br />
In his presentation, the speaker will share his technical and organizational experiences that he gained with the still ongoing implementation.<br/><br />
<br/><br />
About the speaker<br/><br />
Martin Knobloch has more than 8 years experience in design and development of J2EE applications for customers in various sectors of the market. In September 2003 Martin Knobloch started working for Sogeti Nederland, where he does the design, development and review of J2EE applications and architectures.<br/><br />
From this background, Martin Knobloch experienced the threats of insecure software firsthand. In march 2006, Martin Knobloch started implementing a SDLC within Sogeti Nederland.<br/><br />
<br/><br />
Panel discussion<br/><br />
The panel members are:<br/><br />
Henk van der Heijden, Managing Director - Comsec Consulting B.V.<br/><br />
Dr.ir. Mario de Boer, Security Consultant - LogicaCMG<br/><br />
Martin Knobloch, Senior Technologie Specialist - Sogeti Nederland B.V.<br/><br />
<br/><br />
In the discussion, we will try to find answers to questions like:<br/><br />
- What are the most common security practices in software development?<br/><br />
- How effective are those practices?<br/><br />
- Where do we start practicing security?<br/><br />
- What should be the most common security practices in software development?<br/><br />
- How much does security cost?<br/><br />
- How does the Systems Security Engineering Capability Maturity Model (SSE-CMM) fit in?<br/><br />
<br/><br />
If you want to attend send an email to owasp@irc2.com.<br/><br />
<br/><br />
All OWASP chapter meetings are free, there are never vendor pitches or sales presentations at OWASP meetings.<br/><br />
<br/><br />
NOTE TO CISSP’s: OWASP Meetings count towards CPE Credits.<br/><br />
<br />
== OWASP Netherlands meeting minutes ==<br />
<br />
On 9 march, the second meeting of OWASP Netherlands local chapter took place. GetronicsPinkRoccade provided the venue, in their luxury conference centre: Connection I.<br/><br />
<br/><br />
Agenda:<br/><br />
18.00 - 18.45 Check-In (bread & drinks)<br/><br />
18.45 - 19.00 Opening<br/><br />
19.00 - 20.00 Improving Security in the Application Development Life-cycle, Migchiel de Jong<br/><br />
20.00 - 20.15 Coffee break<br/><br />
20.15 - 22.00 Form focus groups<br/><br />
<br/><br />
The presentation of Migchiel de Jong was found very interesting by the audience. At the end of his presentation, he demonstrated a static code analysis of the OWASP webgoat application.<br/><br />
<br/><br />
After the coffee break, the attendances started discussing about the largest common topics of interest in the web application security field, in relation to the OWASP Netherlands chapter. As a result, the following focus groups are formed:<br/><br />
<br/><br />
Testing<br/><br />
The current OWASP Testing project and the Open Source Security Testing Methodology Manual of ISECOM, provide guidelines and best practices for testers. These guidelines can be used to formalize a standard structure and a set of minimum requirements for a security test. Clients could ask a tester to adhere to these guidelines.<br/><br />
A second idea is to standardize the testing results management report. In practice, testing could result in piles of paper with all the findings. The real value is reporting it in a usable way. For example: mapping technical findings to business risks.<br/><br />
<br/><br />
Frans v. Buul<br/><br />
Peter Gouwentak<br/><br />
Arthur Donkers<br/><br />
Eelco Klaver<br/><br />
Migchiel de Jong<br/><br />
Mario de Boer<br/><br />
<br/><br />
First focus group meeting: Monday 27 march, 18:00h, PwC Utrecht<br/><br />
<br/><br />
<br/><br />
Public Relations<br/><br />
This focus group will try to make business aware of the security impact that developing, hosting and using web applications has. What OWASP is and how OWASP can help. This can be done by giving presentations, writing papers and articles, word of mouth, etc. etc.<br/><br />
<br/><br />
Remco Bakker<br/><br />
Ronald Eygendaal<br/><br />
Bas van Vossen<br/><br />
Edwin van Vliet<br/><br />
Eelco Klaver<br/><br />
<br/><br />
First presentation of OWASP materials: Edwin van Vliet, TestNet - Voorjaarsevenement, 5 april<br/><br />
First focus group meeting: To be planned!<br/><br />
<br/><br />
<br/><br />
Education<br/><br />
OWASP and universities/schools could benefit from working together. For example:<br/><br />
- OWASP provides lot's of materials usable in colleges.<br/><br />
- Develop OWASP training course.<br/><br />
- Students can participate in OWASP projects<br/><br />
- OWASP can provide a platform for supporting research. Such as thesis projects, etc.<br/><br />
- OWASP representatives could provide guest colleges.<br/><br />
<br/><br />
Ronald Eygendaal<br/><br />
Erik Poll<br/><br />
Bas van Vossen<br/><br />
Edwin van Vliet<br/><br />
<br/><br />
First focus group meeting: To be planned!<br/><br />
<br/><br />
The presentation is available here:<br/><br />
[[Media:OWASP_NL_Fortify_Software.pdf]]<br/><br />
<br />
== 9 March: Second meeting of the OWASP Netherlands local chapter! ==<br />
<br />
In this second meeting focus groups are to be formed, to discuss common problems, develop and research common solutions in a vendor neutral environment. So this is a very good opportunity to get in contact with others, to exchange knowledge and experiences on specific topics.<br/><br />
<br/><br />
For every focus group the following questions has to be answered:<br/><br />
1. Which specific topic is to be addressed?<br/><br />
2. What are the deliverables?<br/><br />
3. What is the relation to OWASP? (Current projects, materials, expertise and knowledge interchange, etc.)<br/><br />
4. Who is the central contact of the subgroup?<br/><br />
<br/><br />
It would be nice to have a bigger and more diverse group, compared to the first meeting. So let's recall: "Please, bring at least one friend, next time." And don't hesitate to send this announcement to everybody who may be interested!<br/><br />
<br/><br />
We thank Getronics PinkRoccade for offering us a venue:<br/><br />
Getronics PinkRoccade<br/><br />
Fauststraat 1<br/><br />
7323 BA Apeldoorn <br/><br />
<br/><br />
The agenda:<br/><br />
18.00 - 18.30 Check-In<br/><br />
18.30 - 18.45 Opening<br/><br />
18.45 - 19.30 Improving Security in the Application Development Life-cycle, Migchiel de Jong<br/><br />
19.30 - 20.00 Collecting focus group initiatives<br/><br />
19.45 - 20.00 Coffee break<br/><br />
20.00 - 21.00 Form focus groups<br/><br />
<br/><br />
Presentation Abstract<br/><br />
Rather than spending large amounts of time and money on proving that we have security vulnerabilities after programs go into production, companies should go to the source and correct vulnerabilities as early as possible in the development stage. It is unquestionably faster, simpler, and cheaper for developers to correct vulnerabilities as they build programs.<br/><br />
But how can development management ensure that developers focus on security when there is no time or budget for security at the development stage? Even with the correct focus, how can they learn what to look for? How can they stay ahead of the dedicated and resourceful hacker?<br/><br />
The answer is effective processes and better tools. With advanced software security tools, a developer can pinpoint vulnerabilities in a matter of seconds — the same vulnerabilities that would take a hacker or manual code reviewer weeks or even months to find. These same tools can give development and information security managers useful metrics on application vulnerabilities before they are released into deployment.<br/><br />
This talk will walk through the Application Development Life-Cycle and discuss how tools can help come to grips with software security issues in a particular phase.<br/><br />
<br/><br />
About the presenter<br/><br />
Migchiel de Jong has developed hardware and software for 10 years before joining Rational Software. During the 5 years at Rational Software (later acquired by IBM) he was involved in many software development process improvement projects. Currently Migchiel de Jong is working at Fortify Software, Palo Alto, California, as a software security engineer.<br/><br />
<br/><br />
If you want to attend send an email to owasp@irc2.nl. Please don't wait, 9 march is not that long anymore!<br/><br />
<br/><br />
All OWASP chapter meetings are free, there are never vendor pitches or sales presentations at OWASP meetings.<br/><br />
<br/><br />
NOTE TO CISSP’s: OWASP Meetings count towards CPE Credits.<br/><br />
<br />
== OWASP Netherlands kick-off meeting minutes ==<br />
<br />
On 17 November, OWASP Netherlands had it's first meeting. We moved to a bigger location, the Mercure hotel in Nieuwegein, to host all the 35 attendees.<br/><br />
<br/><br />
The agenda:<br/><br />
18.00 - 18.30 Check-In (bread & drinks)<br/><br />
18.30 - 18.45 Chapter opening<br/><br />
18.45 - 19.30 Presentation - 'Top tien web applicatie kwetsbaarheden in J2EE', Eelco Klaver<br/><br />
19.30 - 19.45 Presentation - 'Veilige webapplicaties boven alles', Mike Wardi<br/><br />
19.45 - 20.00 Coffee break<br/><br />
20.00 - 21.00 Discussion - About the OWASP Netherlands local chapter<br/><br />
<br/><br />
The discussion took place in a 'round table' session, where all attendees were able to take part. The focus of the discussion was how to give the OWASP Netherlands local chapter additional value, next to the OWASP project. What the goals and tasks will be. And which actions will have to be taken at short term.<br/><br />
Different people have interest in different subjects. In general meetings there is no time to address all subjects and address them specific enough. Therefore subgroups can be formed, focusing on specific topics. They can have their own communication channel and meetings, but should keep close contact with the OWASP body.<br/><br />
<br/><br />
An inventarisation:<br/><br />
<br/><br />
Discussion Topics<br/><br />
- Awareness: writing articles, press publications, interviews<br/><br />
- Education: contact universities, schools and their common boards. Develop and gather education materials.<br/><br />
- General: discuss ideas for OWASP NL<br/><br />
<br/><br />
Focusgroup Topics<br/><br />
- (dutch) metrics project<br/><br />
- (dutch) legal project<br/><br />
- standard framework for pentest reports<br/><br />
- safe outsourcing<br/><br />
<br/><br />
Actions that should be taken on short term are:<br/><br />
- provide communication channels<br/><br />
- plan next (sub)meetings<br/><br />
- start discussions and focusgroups<br/><br />
<br/><br />
The presentations are available here:<br/><br />
<br/><br />
[[Media:OWASP_NL_Top_Ten_Web_Application_Vulnerabilities_in_J2EE.pdf]]<br/><br />
[[Media:OWASP_NL_Veilige_Web_App_Boven_Alles.pdf]]<br/><br />
<br />
== You are welcome to the OWASP Netherlands local chapter kick-off meeting! ==<br />
<br />
Thursday, November 17th (2005) at 18.00h.<br/><br />
<br/><br />
ATTENTION! Because of the large amount of attendees, the location has changed:<br/><br />
<br/><br />
Hotel Mercure Utrecht/Nieuwegein<br/><br />
Buizerdlaan 10<br/><br />
3435 SB NIEUWEGEIN<br/><br />
Tel: 00 31 (0) 30 60 84 122<br/><br />
Fax: 00 31 (0) 30 60 38 374<br/><br />
<br/><br />
This first meeting will be an introduction to the OWASP. A constructive discussion will be held about the actual form of the OWASP Netherlands local chapter.<br/><br />
<br/><br />
The agenda:<br/><br />
18.00 - 18.30 Check-In (bread & drinks)<br/><br />
18.30 - 18.45 Chapter opening<br/><br />
18.45 - 19.30 Presentation - 'Top tien web applicatie kwetsbaarheden in J2EE', Eelco Klaver<br/><br />
19.30 - 19.45 Presentation - 'Veilige webapplicaties boven alles', Mike Wardi<br/><br />
19.45 - 20.00 Coffee break<br/><br />
20.00 - 21.00 Discussion - About the OWASP Netherlands local chapter<br/><br />
<br/><br />
About the presenters<br/><br />
<br/><br />
Eelco Klaver<br/><br />
Eelco Klaver is a senior consultant for Xebia IT Architects, since 2003. Doing software reviews, security audits and giving security workshops are part of his job. He has almost 10 years experience with developing enterprise applications in J2EE for different employees. At the moment, Eelco is the front man of the security business unit for Xebia, focussing on the security aspects of enterprise applications build on J2EE.<br/><br />
<br/><br />
Mike Wardi<br/><br />
Mike Wardi is an internet application manager for a financial institute. He's responsible for the safety of internet applications provided to customers and the implementation of the security policies in software developement.<br/><br />
<br/><br />
<br/><br />
If you want to attend, please send an email to owasp-nl@ascure.com or the mailing list.<br/><br />
<br/><br />
All OWASP chapter meetings are free! There are never vendor pitches or sales presentations at OWASP meetings.<br/><br />
<br/><br />
NOTE TO CISSP’s: OWASP Meetings count towards CPE Credits.<br/><br />
<br/></div>Dvsteinhttps://wiki.owasp.org/index.php?title=Netherlands&diff=46544Netherlands2008-11-19T16:44:39Z<p>Dvstein: /* Meeting December 20th 2007: Secure Development */</p>
<hr />
<div>{{Chapter Template|chaptername=Netherlands|extra=The chapter leader is [mailto:owasp@irc2.nl Bert Koelewijn]<br />
<paypal>Netherlands</paypal><br />
|mailinglistsite=http://lists.owasp.org/mailman/listinfo/owasp-netherlands|emailarchives=http://lists.owasp.org/pipermail/owasp-netherlands}}<br />
<br />
== Meeting schedule 2008 ==<br />
This is an overview of the 2008 local chapter meeting schedule. Details of the meetings can be found in the announcements that will be posted below this schedule.<br />
<pre><br />
March 26th<br />
----------<br />
Time : 17.30 - 21.30<br />
Main Topic : Software Vulnerability assessment<br />
Presentations: Complex(ity) matters, Mario de Boer (Dutch)<br />
V.A.C. SQL injection, Marinus Kuivenhoven (Dutch)<br />
Secure Programming with Static Analysis, Brian Chess (English) <br />
Location : Mercure Utrecht Nieuwegein, Buizerdlaan 10, 3435 SB Nieuwegein<br />
Sponsor : Fortify Software<br />
<br />
Oktober 27th<br />
----------<br />
Time : 17.30 - 21.30<br />
Main Topic : Privacy and the Internet<br />
Presentations: Privacy and Internet (Dutch), Frank Fruijthoff and Ellen Hoving<br />
Vulnerability and source code scanners. (Dutch) Emile Strijbos <br />
Location : ps_testware B.V., Dorpsstraat 26, 3941 JM DOORN<br />
Sponsor : ps_testware B.V.<br />
</pre><br />
== Announcement 27 Oktober: Privacy and the Internet ==<br />
'''Summary'''<br/><br />
The main goal of the upcoming OWASP-NL meeting is to provide information to developers and security professionals about personal and technical privacy on the internet. The speakers focus on privacy regulations related to the internet and on the mass amount of personal and technical information available about persons and companies on the internet, with and without their consent. Furthermore tools will be discussed that help prevent leakage of privacy related and other kind of data. They will give specific examples and there will be time to ask questions.<br/><br />
Please register before October 20th because of the necessary catering arrangements.<br/><br />
<br/><br />
'''Location'''<br/><br />
The location and catering is provided by the sponsor of this meeting:<br/><br />
<table><br />
<tr><br />
<td width="350"><br />
ps_testware B.V.<br/><br />
Dorpsstraat 26,<br/><br />
3941 JM DOORN<br/><br />
</td><br />
<td width="350"><br />
[[Image:Pstestware.jpg|100px]]<br />
</td><br />
</tr><br />
<tr><br />
<td width="350"><br />
The location has parking facilities for 15 cars. However parking in the direct vicinity of ps_testware shouldn’t be a problem.<br/><br />
</td><br />
<td width="350"><br />
ps_testware delivers services related to software testing and software quality. In the field of software development, quality, time-to-market, business processes and software acceptance they play the role of "your devil's advocate" as an independent, flexible and specialized partner.<br/><br />
For more information please visit: www.pstestware.com.<br/><br />
</td><br />
</tr><br />
</table><br />
<br/><br />
<br/><br />
'''Program'''<br/><br />
17.30 - 18.30 '''Check-In''' (catering included)<br/><br />
<br/><br />
18.30 – 19:00 '''Introduction''' (OWASP organization, projects, sponsor)<br/><br />
<br/><br />
19.00 - 20.15 '''Privacy and Internet''' (Dutch), Frank Fruijthoff and Ellen Hoving<br/><br />
In this presentation the general principles of privacy laws in the Netherlands and the EU and specifically privacy and the internet will be covered.<br/><br />
Frank Fruijthoff is a Compliance Officer with ING. He has a Compliance and Risk Management background and is specialised in privacy.<br/><br />
Ellen Hoving is a graduated lawyer. She works as an independent consultant specialized in compliance and privacy.<br/><br />
<br/><br />
20.15 – 20:30 '''Break'''<br/><br />
<br/><br />
20:30 – 21:00 '''Vulnerability and source code scanners''' (Dutch), Emile Strijbos<br />
<br/><br />
For his Master thesis in computer science at the Radboud Universiteit in Nijmegen, Emile Strijbos investigated vulnerability scanners and source code scanners. These are automated tools that try to detect security flaws, either in running web-applications or in their source code.<br/><br />
Emile tried out several of these tools, including both free and commercial ones, to see how good they are at detecting standard vulnerabilities, such as SQL injection, XSS, CSRF, etc.<br/><br />
<br/><br />
21.00 – 21:30 '''Discussion, questions and social'''<br/><br />
<br/><br />
If you want to attend, please send an email to: owasp@irc2.com.<br><br />
Please register before October 20th, because of the necessary catering arrangements. The number of registries is limited to 50 due to the capacity of the location and will be handled in order of receipt.<br/><br />
<br/><br />
All OWASP chapter meetings are free of charge and you don’t have to be an OWASP member to attend. There are never any vendor pitches or sales presentations at OWASP meetings.<br/><br />
<br/><br />
NOTE TO CISSP's: OWASP Meetings count towards CPE Credits.<br/><br />
<br/><br />
The announcement and full descriptions can be found here:<br/><br />
[[Media:Announcement_27_Oktober.pdf]]<br/><br />
<br />
== Announcement March 26th: Software Vulnerability assessment ==<br />
'''Summary'''<br/><br />
The main goal of the upcoming OWASP-NL meeting is to provide information to developers and security professionals involved in creating secure (web-)applications. The main focus will be on software vulnerability assessment. The speakers will give specific examples and of course there is time to ask questions about your own experiences.<br/><br />
<br/><br />
'''Location'''<br/><br />
The location and catering is provided by the sponsor of this meeting:<br/><br />
<table><br />
<tr><br />
<td width="350"><br />
Mercure Utrecht Nieuwegein<br/><br />
Buizerdlaan 10,<br/><br />
3435 SB Nieuwegein<br/><br />
</td><br />
<td width="350"><br />
[[Image:Fortify.JPG|143px]]<br />
</td><br />
</tr><br />
<tr><br />
<td width="350"><br />
</td><br />
<td width="350"><br />
Fortify Software products protect companies from today’s greatest security risk: the software applications that run their businesses. Combining deep application security expertise with extensive software development experience, Fortify Software has defined the market with award-winning products that span the software development cycle. Today, Fortify Software fortifies the software for the most demanding customer deployments, including the world’s largest, most varied code bases.<br/><br />
<br/><br />
For more information please visit:<br/><br />
www.fortify.com<br/><br />
</td><br />
</tr><br />
</table><br />
<br/><br />
<br/><br />
'''Program'''<br/><br />
17.30 - 18.30 '''Check-In''' (catering included)<br/><br />
<br/><br />
18.30 - 18:50 '''Introduction''' (OWASP, sponsor)<br/><br />
<br/><br />
18.50 - 19.30 '''Complex(ity) matters''' (Dutch), Mario de Boer<br/><br />
Various methods exist to locate specific vulnerabilities in software. In the presentation we will look at static analysis of binaries, and the problems we face when trying to locate vulnerabilities. Several ideas will be discussed to make the search easier, but at the same time less exact. The first idea is trivial: automate as much as possible. The second idea is nearly trivial: don't aim at exact vulnerabilities but relax the search to locating potential vulnerabilities. We will give examples that illustrate the results.<br/><br />
Mario de Boer is a senior security consultant at Logica, and as such focuses on security management aspects like security frameworks, compliance, monitoring and control and risk management. Before joining Logica, Mario worked at the Dutch ministries of Defense and Justice, he co-founded a security company and worked as a project manager in the financial sector. For several years he taught courses in software security analysis and secure software development. Besides security management, Mario has interest in software security, reverse engineering and cryptography. Within Logica Netherlands, he is knowledge manager application security. Mario holds a PhD in Mathematics and is CISA and CISSP.<br/><br />
<br/><br />
19.30 - 19:50 '''Break'''<br/><br />
<br/><br />
19:50 - 20:20 '''V.A.C: SQL injection''' (Dutch), Marinus Kuivenhoven<br />
<br/><br />
<u>'''V'''ulnerability:</u><br/><br />
An application which uses a database for its information needs, communicates with it trough SQL. SQL injection is an attack in which malicious code is inserted into strings that are later passed to an instance of a Database for parsing and execution.<br/><br />
<u>'''A'''ssessment:</u><br/><br />
SQL injection can threaten the confidentiality, availability and integrity of the data. The various types of SQL injection and their impact will be shown.<br/><br />
<u>'''C'''ountermeasure:</u><br/><br />
Any procedure that constructs SQL statements should be reviewed for injection vulnerabilities because a database will execute all syntactically valid queries that it receives. How this should be done will be shown for the most popular languages.<br/><br />
Marinus is a Technology Specialist with Sogeti Nederland B.V. specializing in service oriented architectures and secure application development. His experience includes developing and administrating Oracle-based systems.<br/><br />
<br/><br />
20.20 - 21.00 '''Secure Programming with Static Analysis''' (English), Brian Chess<br/><br />
Creating secure code requires more than just good intentions. Programmers need to know how to make their code safe in an almost infinite number of scenarios and configurations. Static source code analysis gives users the ability to review their work with a fine tooth comb and uncover the kinds of errors that lead directly to vulnerabilities. This talk frames the software security problem and shows how static analysis is part of the solution. We will look at how static analysis works, how to integrate it into the software development processes, and how to make the most of it during security code review. Along the way we'll look at examples taken from real-world security incidents, showing how coding errors are exploited, how they could have been prevented, and how static analysis can rapidly uncover similar errors.<br/><br />
Brian Chess is a founder of Fortify Software and serves as Fortify's Chief Scientist, where his work focuses on practical methods for creating secure systems. His book, Secure Programming with Static Analysis, shows how static source code analysis is an indispensable tool for getting security right. Brian holds a Ph.D. in computer engineering from the University of California at Santa Cruz, where he studied the application of static analysis to the problem of finding security-relevant defects in source code. Before settling on security, Brian spent a decade in Silicon Valley working at huge companies and small startups. He has done research on a broad set of topics, ranging from integrated circuit design all the way to delivering software as a service.<br/><br />
<br/><br />
21.00 - 21:30 '''Discussion, questions and social'''<br/><br />
<br/><br />
'''Registration'''<br/><br />
If you want to attend, please send an email to: owasp@irc2.com.<br/><br />
<br/><br />
All OWASP chapter meetings are free of charge and you don’t have to be an OWASP member to attend. There are never any vendor pitches or sales presentations at OWASP meetings.<br/><br />
<br/><br />
NOTE TO CISSP's: OWASP Meetings count towards CPE Credits.<br/><br />
<br/><br />
== Meeting December 20th 2007: Secure Development ==<br />
'''Summary'''<br/><br />
The main goal of the upcoming OWASP-NL meeting is to provide information to developers and security professionals involved in creating secure (web-)applications. The general and specific security issues involved on project and programming level will be covered from a practical as well as a theoretical point of view. The speakers will give specific examples and of course there is time to ask questions about your own experiences.<br/><br />
Please register before December the 14th because of the necessary catering arrangements.<br/><br />
<br/><br />
'''Location'''<br/><br />
The location and catering is provided by the sponsor of this meeting:<br/><br />
<table><br />
<tr><br />
<td width="350"><br />
ps_testware B.V.<br/><br />
Dorpsstraat 26,<br/><br />
3941 JM DOORN<br/><br />
</td><br />
<td width="350"><br />
[[Image:Pstestware.jpg|100px]]<br />
</td><br />
</tr><br />
<tr><br />
<td width="350"><br />
The location has parking facilities for 15 cars. However parking in the direct vicinity of ps_testware shouldn’t be a problem.<br/><br />
</td><br />
<td width="350"><br />
ps_testware delivers services related to software testing and software quality. In the field of software development, quality, time-to-market, business processes and software acceptance they play the role of "your devil's advocate" as an independent, flexible and specialized partner.<br/><br />
For more information please visit: www.pstestware.com.<br/><br />
</td><br />
</tr><br />
</table><br />
<br/><br />
<br/><br />
'''Program'''<br/><br />
17.30 - 18.30 '''Check-In''' (catering included)<br/><br />
<br/><br />
18.30 – 19:00 '''Introduction''' (OWASP organization, projects, sponsor)<br/><br />
<br/><br />
19.00 - 19.30 '''Practices of developing optimal security''' (dutch), Andre Post<br/><br />
This presentation highlights a number of current practices that lead to sub-optimal security, and suggests ways of avoiding these problems, focusing on the technical side of development.<br/><br />
André Post works for Fox-IT on a variety of projects including core product development, software architecting, security code reviews, and software project management.<br/><br />
<br/><br />
19.30 – 19:45 '''Break'''<br/><br />
<br/><br />
19:45 – 20:30 '''Problems of developing secure and correct applications''' (dutch), Erik Poll [http://www.cs.ru.nl/~erikpoll/talks/OWASP2007.pdf (slides of the presentation)]<br />
<br/><br />
This presentation will discuss different possibilities to improve software security. The problem of getting time and money available to be spend on security, not only for developing applications, but also for developing programming languages, will be raised.<br/><br />
Erik Poll is head of the Security of Systems (SoS) group at the Radboud University of Nijmegen. His research does focus on the security and correctness of software.<br/><br />
<br/><br />
20.30 - 21.00 '''Protecting Web services and Web applications against security threats''' (dutch), Rix Groenboom<br/><br />
During this session, Rix will explore how to implement development and security best practices in the code to make sure that your webservices and applications perform solidly when they are being hacked or used in malicious ways.<br/><br />
Rix Groenboom supports fortune 2000 companies in field automated software error prevention and correction for Parasoft. His main area of expertise is in the use of formal languages for the specification, design and validation of software applications.<br/><br />
<br/><br />
21.00 – 21:30 '''Discussion, questions and social'''<br/><br />
<br/><br />
All OWASP chapter meetings are free of charge and you don’t have to be an OWASP member to attend. There are never any vendor pitches or sales presentations at OWASP meetings.<br/><br />
<br/><br />
NOTE TO CISSP's: OWASP Meetings count towards CPE Credits.<br/><br />
<br/><br />
The announcement and full descriptions can be found here:<br/><br />
[[Media:Announcement_20_December.pdf]]<br/><br />
[[Media:Announcement_20_December_2.pdf]]<br/><br />
<br />
== Meeting September 13th: putting initiatives into practice ==<br />
<br />
The main goal of the next OWASP meeting is finding a way to put initiatives and all offered help into a form of structural benefit for the OWASP Netherlands local chapter. As a starting point for the discussion, examples will be taken from other European chapters and input delivered by discussions that take place on the mailing list is considered too. Let this be a call to put your ideas on the mailing list before the next meeting!<br/><br />
<br/><br />
The location is provided by the sponsor of this meeting:<br/><br />
Comsec Consulting BV<br/><br />
Rivium Boulevard 102<br/><br />
2909LK Capelle aan den IJssel<br/><br />
<br/><br />
The agenda:<br/><br />
18.00 - 18.30 Check-In (catering included)<br/><br />
18.30 - 18.45 OWASP update, Bert Koelewijn<br/><br />
18.45 - 19.15 Security Best Practices for .NET, Boaz Shunami<br/><br />
19.15 - 20.00 Discussion: collecting ideas and initiatives<br/><br />
20.00 - 20.15 Coffee break<br/><br />
20.15 - 21.00 Discussion: how to enable community commitment<br/><br />
21.00 - 21.30 Closing discussion and coffee<br/><br />
<br/><br />
Boaz Shunami<br/><br />
Boaz is manager of the Application Security department of Comsec Europe. He has 11 years of experience in the IT Security field, and a large part of them in Application Security.<br/><br />
Boaz did numerous application security audits in very large organizations and is recognized as one of the greatest expert’s world wide. Boaz' expertise is broad, but especially in-depth for the .NET platform.<br/><br />
<br/><br />
Discussion input (until now)<br/><br />
- division of local chapter work load by multiple people<br/><br />
- collaboration with other organizations<br/><br />
<br/><br />
If you want to attend send an email to owasp@irc2.com.<br/><br />
<br/><br />
All OWASP chapter meetings are free, there are never vendor pitches or sales presentations at OWASP meetings.<br/><br />
<br/><br />
NOTE TO CISSP's: OWASP Meetings count towards CPE Credits.<br/><br />
<br />
== OWASP Netherlands meeting minutes ==<br />
<br />
January 11th, the Dutch OWASP chapter came together at the office of Sogeti Netherlands. Subject of the evening was 'putting software security into practice'. The group was small but select.<br/><br />
<br/><br />
The agenda:<br/><br />
18.00 - 18.30 Check-In (catering included)<br/><br />
18.30 - 18.45 Sponsor opening<br/><br />
18.45 - 19.00 OWASP update, Bert Koelewijn<br/><br />
19.00 - 19.30 Implementation of Security by Design, Martin Knobloch<br/><br />
19.30 - 19.45 Panel introduction<br/><br />
19.45 - 20.00 Coffee break<br/><br />
20.00 - 21.30 Panel discussion<br/><br />
<br/><br />
After being welcomed by Frank Langeveld from Sogeti and Bert Koelewijn, Dutch chapter leader, the evening started with the presentation 'Security By Design'. During the presentation Martin Knobloch told about his experiences during the implementation of the Secure Development Life Cycle in a company like Sogeti Nederland B.V.<br/><br />
<br/><br />
The presentation is available here:<br/><br />
[[Media:Implementation_of_Security_by_Design.ppt]]<br/><br />
<br/><br />
After a small break, the panel discussion started with the following panel: Henk van der Heijden - Comsec Consulting, Dr.ir. Mario de Boer - LogicaCMG and Martin Knobloch - Sogeti Nederland.<br/><br />
During the discussion, it became clear people are struggling to get the Secure Development Life Cycle implemented in their company. The various experiences were shared with the panel and the others. Company typical problems and common misunderstandings about Software security where brought up.<br/><br />
The consensus of the discussion was that the main problem lies in the lack of security awareness and knowledge of the managers and the developers. And this of course is exactly where OWASP comes in…<br/><br />
<br/><br />
== Announcement 11 January meeting ==<br />
<br />
The OWASP meeting of 11 January is about putting software security into practice. A lot of books, standards, organizations and consultants tell us how we should develop secure software. But which methods and measures are commonly adopted and which are not and why?<br/><br />
This will be the main focus of the discussion that we will have with a panel of people that experienced implementing software security in the field.<br/><br />
<br/><br />
The location is provided by the sponsor of this meeting:<br/><br />
Sogeti Nederland B.V.<br/><br />
"La Charmille" building<br/><br />
Lange Dreef 17<br/><br />
4131 NJ Vianen<br/><br />
<br/><br />
The agenda:<br />
<br/><br />
18.00 - 18.30 Check-In (catering included)<br/><br />
18.30 - 18.45 Sponsor opening<br/><br />
18.45 - 19.00 OWASP update, Bert Koelewijn<br/><br />
19.00 - 19.30 Implementation of Security by Design, Martin Knobloch<br/><br />
19.30 - 19.45 Panel introduction<br/><br />
19.45 - 20.00 Coffee break<br/><br />
20.00 - 21.30 Panel discussion<br/><br />
<br/><br />
Implementation of Security by Design<br/><br />
What is needed to implement a 'Secure Development Life Cycle' within Sogeti Nederland? The speaker started a project called 'Security by Design' in march 2006 implementing a SDLC at Sogeti Nederland.<br/><br />
In his presentation, the speaker will share his technical and organizational experiences that he gained with the still ongoing implementation.<br/><br />
<br/><br />
About the speaker<br/><br />
Martin Knobloch has more than 8 years experience in design and development of J2EE applications for customers in various sectors of the market. In September 2003 Martin Knobloch started working for Sogeti Nederland, where he does the design, development and review of J2EE applications and architectures.<br/><br />
From this background, Martin Knobloch experienced the threats of insecure software firsthand. In march 2006, Martin Knobloch started implementing a SDLC within Sogeti Nederland.<br/><br />
<br/><br />
Panel discussion<br/><br />
The panel members are:<br/><br />
Henk van der Heijden, Managing Director - Comsec Consulting B.V.<br/><br />
Dr.ir. Mario de Boer, Security Consultant - LogicaCMG<br/><br />
Martin Knobloch, Senior Technologie Specialist - Sogeti Nederland B.V.<br/><br />
<br/><br />
In the discussion, we will try to find answers to questions like:<br/><br />
- What are the most common security practices in software development?<br/><br />
- How effective are those practices?<br/><br />
- Where do we start practicing security?<br/><br />
- What should be the most common security practices in software development?<br/><br />
- How much does security cost?<br/><br />
- How does the Systems Security Engineering Capability Maturity Model (SSE-CMM) fit in?<br/><br />
<br/><br />
If you want to attend send an email to owasp@irc2.com.<br/><br />
<br/><br />
All OWASP chapter meetings are free, there are never vendor pitches or sales presentations at OWASP meetings.<br/><br />
<br/><br />
NOTE TO CISSP’s: OWASP Meetings count towards CPE Credits.<br/><br />
<br />
== OWASP Netherlands meeting minutes ==<br />
<br />
On 9 march, the second meeting of OWASP Netherlands local chapter took place. GetronicsPinkRoccade provided the venue, in their luxury conference centre: Connection I.<br/><br />
<br/><br />
Agenda:<br/><br />
18.00 - 18.45 Check-In (bread & drinks)<br/><br />
18.45 - 19.00 Opening<br/><br />
19.00 - 20.00 Improving Security in the Application Development Life-cycle, Migchiel de Jong<br/><br />
20.00 - 20.15 Coffee break<br/><br />
20.15 - 22.00 Form focus groups<br/><br />
<br/><br />
The presentation of Migchiel de Jong was found very interesting by the audience. At the end of his presentation, he demonstrated a static code analysis of the OWASP webgoat application.<br/><br />
<br/><br />
After the coffee break, the attendances started discussing about the largest common topics of interest in the web application security field, in relation to the OWASP Netherlands chapter. As a result, the following focus groups are formed:<br/><br />
<br/><br />
Testing<br/><br />
The current OWASP Testing project and the Open Source Security Testing Methodology Manual of ISECOM, provide guidelines and best practices for testers. These guidelines can be used to formalize a standard structure and a set of minimum requirements for a security test. Clients could ask a tester to adhere to these guidelines.<br/><br />
A second idea is to standardize the testing results management report. In practice, testing could result in piles of paper with all the findings. The real value is reporting it in a usable way. For example: mapping technical findings to business risks.<br/><br />
<br/><br />
Frans v. Buul<br/><br />
Peter Gouwentak<br/><br />
Arthur Donkers<br/><br />
Eelco Klaver<br/><br />
Migchiel de Jong<br/><br />
Mario de Boer<br/><br />
<br/><br />
First focus group meeting: Monday 27 march, 18:00h, PwC Utrecht<br/><br />
<br/><br />
<br/><br />
Public Relations<br/><br />
This focus group will try to make business aware of the security impact that developing, hosting and using web applications has. What OWASP is and how OWASP can help. This can be done by giving presentations, writing papers and articles, word of mouth, etc. etc.<br/><br />
<br/><br />
Remco Bakker<br/><br />
Ronald Eygendaal<br/><br />
Bas van Vossen<br/><br />
Edwin van Vliet<br/><br />
Eelco Klaver<br/><br />
<br/><br />
First presentation of OWASP materials: Edwin van Vliet, TestNet - Voorjaarsevenement, 5 april<br/><br />
First focus group meeting: To be planned!<br/><br />
<br/><br />
<br/><br />
Education<br/><br />
OWASP and universities/schools could benefit from working together. For example:<br/><br />
- OWASP provides lot's of materials usable in colleges.<br/><br />
- Develop OWASP training course.<br/><br />
- Students can participate in OWASP projects<br/><br />
- OWASP can provide a platform for supporting research. Such as thesis projects, etc.<br/><br />
- OWASP representatives could provide guest colleges.<br/><br />
<br/><br />
Ronald Eygendaal<br/><br />
Erik Poll<br/><br />
Bas van Vossen<br/><br />
Edwin van Vliet<br/><br />
<br/><br />
First focus group meeting: To be planned!<br/><br />
<br/><br />
The presentation is available here:<br/><br />
[[Media:OWASP_NL_Fortify_Software.pdf]]<br/><br />
<br />
== 9 March: Second meeting of the OWASP Netherlands local chapter! ==<br />
<br />
In this second meeting focus groups are to be formed, to discuss common problems, develop and research common solutions in a vendor neutral environment. So this is a very good opportunity to get in contact with others, to exchange knowledge and experiences on specific topics.<br/><br />
<br/><br />
For every focus group the following questions has to be answered:<br/><br />
1. Which specific topic is to be addressed?<br/><br />
2. What are the deliverables?<br/><br />
3. What is the relation to OWASP? (Current projects, materials, expertise and knowledge interchange, etc.)<br/><br />
4. Who is the central contact of the subgroup?<br/><br />
<br/><br />
It would be nice to have a bigger and more diverse group, compared to the first meeting. So let's recall: "Please, bring at least one friend, next time." And don't hesitate to send this announcement to everybody who may be interested!<br/><br />
<br/><br />
We thank Getronics PinkRoccade for offering us a venue:<br/><br />
Getronics PinkRoccade<br/><br />
Fauststraat 1<br/><br />
7323 BA Apeldoorn <br/><br />
<br/><br />
The agenda:<br/><br />
18.00 - 18.30 Check-In<br/><br />
18.30 - 18.45 Opening<br/><br />
18.45 - 19.30 Improving Security in the Application Development Life-cycle, Migchiel de Jong<br/><br />
19.30 - 20.00 Collecting focus group initiatives<br/><br />
19.45 - 20.00 Coffee break<br/><br />
20.00 - 21.00 Form focus groups<br/><br />
<br/><br />
Presentation Abstract<br/><br />
Rather than spending large amounts of time and money on proving that we have security vulnerabilities after programs go into production, companies should go to the source and correct vulnerabilities as early as possible in the development stage. It is unquestionably faster, simpler, and cheaper for developers to correct vulnerabilities as they build programs.<br/><br />
But how can development management ensure that developers focus on security when there is no time or budget for security at the development stage? Even with the correct focus, how can they learn what to look for? How can they stay ahead of the dedicated and resourceful hacker?<br/><br />
The answer is effective processes and better tools. With advanced software security tools, a developer can pinpoint vulnerabilities in a matter of seconds — the same vulnerabilities that would take a hacker or manual code reviewer weeks or even months to find. These same tools can give development and information security managers useful metrics on application vulnerabilities before they are released into deployment.<br/><br />
This talk will walk through the Application Development Life-Cycle and discuss how tools can help come to grips with software security issues in a particular phase.<br/><br />
<br/><br />
About the presenter<br/><br />
Migchiel de Jong has developed hardware and software for 10 years before joining Rational Software. During the 5 years at Rational Software (later acquired by IBM) he was involved in many software development process improvement projects. Currently Migchiel de Jong is working at Fortify Software, Palo Alto, California, as a software security engineer.<br/><br />
<br/><br />
If you want to attend send an email to owasp@irc2.nl. Please don't wait, 9 march is not that long anymore!<br/><br />
<br/><br />
All OWASP chapter meetings are free, there are never vendor pitches or sales presentations at OWASP meetings.<br/><br />
<br/><br />
NOTE TO CISSP’s: OWASP Meetings count towards CPE Credits.<br/><br />
<br />
== OWASP Netherlands kick-off meeting minutes ==<br />
<br />
On 17 November, OWASP Netherlands had it's first meeting. We moved to a bigger location, the Mercure hotel in Nieuwegein, to host all the 35 attendees.<br/><br />
<br/><br />
The agenda:<br/><br />
18.00 - 18.30 Check-In (bread & drinks)<br/><br />
18.30 - 18.45 Chapter opening<br/><br />
18.45 - 19.30 Presentation - 'Top tien web applicatie kwetsbaarheden in J2EE', Eelco Klaver<br/><br />
19.30 - 19.45 Presentation - 'Veilige webapplicaties boven alles', Mike Wardi<br/><br />
19.45 - 20.00 Coffee break<br/><br />
20.00 - 21.00 Discussion - About the OWASP Netherlands local chapter<br/><br />
<br/><br />
The discussion took place in a 'round table' session, where all attendees were able to take part. The focus of the discussion was how to give the OWASP Netherlands local chapter additional value, next to the OWASP project. What the goals and tasks will be. And which actions will have to be taken at short term.<br/><br />
Different people have interest in different subjects. In general meetings there is no time to address all subjects and address them specific enough. Therefore subgroups can be formed, focusing on specific topics. They can have their own communication channel and meetings, but should keep close contact with the OWASP body.<br/><br />
<br/><br />
An inventarisation:<br/><br />
<br/><br />
Discussion Topics<br/><br />
- Awareness: writing articles, press publications, interviews<br/><br />
- Education: contact universities, schools and their common boards. Develop and gather education materials.<br/><br />
- General: discuss ideas for OWASP NL<br/><br />
<br/><br />
Focusgroup Topics<br/><br />
- (dutch) metrics project<br/><br />
- (dutch) legal project<br/><br />
- standard framework for pentest reports<br/><br />
- safe outsourcing<br/><br />
<br/><br />
Actions that should be taken on short term are:<br/><br />
- provide communication channels<br/><br />
- plan next (sub)meetings<br/><br />
- start discussions and focusgroups<br/><br />
<br/><br />
The presentations are available here:<br/><br />
<br/><br />
[[Media:OWASP_NL_Top_Ten_Web_Application_Vulnerabilities_in_J2EE.pdf]]<br/><br />
[[Media:OWASP_NL_Veilige_Web_App_Boven_Alles.pdf]]<br/><br />
<br />
== You are welcome to the OWASP Netherlands local chapter kick-off meeting! ==<br />
<br />
Thursday, November 17th (2005) at 18.00h.<br/><br />
<br/><br />
ATTENTION! Because of the large amount of attendees, the location has changed:<br/><br />
<br/><br />
Hotel Mercure Utrecht/Nieuwegein<br/><br />
Buizerdlaan 10<br/><br />
3435 SB NIEUWEGEIN<br/><br />
Tel: 00 31 (0) 30 60 84 122<br/><br />
Fax: 00 31 (0) 30 60 38 374<br/><br />
<br/><br />
This first meeting will be an introduction to the OWASP. A constructive discussion will be held about the actual form of the OWASP Netherlands local chapter.<br/><br />
<br/><br />
The agenda:<br/><br />
18.00 - 18.30 Check-In (bread & drinks)<br/><br />
18.30 - 18.45 Chapter opening<br/><br />
18.45 - 19.30 Presentation - 'Top tien web applicatie kwetsbaarheden in J2EE', Eelco Klaver<br/><br />
19.30 - 19.45 Presentation - 'Veilige webapplicaties boven alles', Mike Wardi<br/><br />
19.45 - 20.00 Coffee break<br/><br />
20.00 - 21.00 Discussion - About the OWASP Netherlands local chapter<br/><br />
<br/><br />
About the presenters<br/><br />
<br/><br />
Eelco Klaver<br/><br />
Eelco Klaver is a senior consultant for Xebia IT Architects, since 2003. Doing software reviews, security audits and giving security workshops are part of his job. He has almost 10 years experience with developing enterprise applications in J2EE for different employees. At the moment, Eelco is the front man of the security business unit for Xebia, focussing on the security aspects of enterprise applications build on J2EE.<br/><br />
<br/><br />
Mike Wardi<br/><br />
Mike Wardi is an internet application manager for a financial institute. He's responsible for the safety of internet applications provided to customers and the implementation of the security policies in software developement.<br/><br />
<br/><br />
<br/><br />
If you want to attend, please send an email to owasp-nl@ascure.com or the mailing list.<br/><br />
<br/><br />
All OWASP chapter meetings are free! There are never vendor pitches or sales presentations at OWASP meetings.<br/><br />
<br/><br />
NOTE TO CISSP’s: OWASP Meetings count towards CPE Credits.<br/><br />
<br/></div>Dvsteinhttps://wiki.owasp.org/index.php?title=Netherlands&diff=46543Netherlands2008-11-19T16:43:54Z<p>Dvstein: /* Announcement 13 September: putting initiatives into practice */</p>
<hr />
<div>{{Chapter Template|chaptername=Netherlands|extra=The chapter leader is [mailto:owasp@irc2.nl Bert Koelewijn]<br />
<paypal>Netherlands</paypal><br />
|mailinglistsite=http://lists.owasp.org/mailman/listinfo/owasp-netherlands|emailarchives=http://lists.owasp.org/pipermail/owasp-netherlands}}<br />
<br />
== Meeting schedule 2008 ==<br />
This is an overview of the 2008 local chapter meeting schedule. Details of the meetings can be found in the announcements that will be posted below this schedule.<br />
<pre><br />
March 26th<br />
----------<br />
Time : 17.30 - 21.30<br />
Main Topic : Software Vulnerability assessment<br />
Presentations: Complex(ity) matters, Mario de Boer (Dutch)<br />
V.A.C. SQL injection, Marinus Kuivenhoven (Dutch)<br />
Secure Programming with Static Analysis, Brian Chess (English) <br />
Location : Mercure Utrecht Nieuwegein, Buizerdlaan 10, 3435 SB Nieuwegein<br />
Sponsor : Fortify Software<br />
<br />
Oktober 27th<br />
----------<br />
Time : 17.30 - 21.30<br />
Main Topic : Privacy and the Internet<br />
Presentations: Privacy and Internet (Dutch), Frank Fruijthoff and Ellen Hoving<br />
Vulnerability and source code scanners. (Dutch) Emile Strijbos <br />
Location : ps_testware B.V., Dorpsstraat 26, 3941 JM DOORN<br />
Sponsor : ps_testware B.V.<br />
</pre><br />
== Announcement 27 Oktober: Privacy and the Internet ==<br />
'''Summary'''<br/><br />
The main goal of the upcoming OWASP-NL meeting is to provide information to developers and security professionals about personal and technical privacy on the internet. The speakers focus on privacy regulations related to the internet and on the mass amount of personal and technical information available about persons and companies on the internet, with and without their consent. Furthermore tools will be discussed that help prevent leakage of privacy related and other kind of data. They will give specific examples and there will be time to ask questions.<br/><br />
Please register before October 20th because of the necessary catering arrangements.<br/><br />
<br/><br />
'''Location'''<br/><br />
The location and catering is provided by the sponsor of this meeting:<br/><br />
<table><br />
<tr><br />
<td width="350"><br />
ps_testware B.V.<br/><br />
Dorpsstraat 26,<br/><br />
3941 JM DOORN<br/><br />
</td><br />
<td width="350"><br />
[[Image:Pstestware.jpg|100px]]<br />
</td><br />
</tr><br />
<tr><br />
<td width="350"><br />
The location has parking facilities for 15 cars. However parking in the direct vicinity of ps_testware shouldn’t be a problem.<br/><br />
</td><br />
<td width="350"><br />
ps_testware delivers services related to software testing and software quality. In the field of software development, quality, time-to-market, business processes and software acceptance they play the role of "your devil's advocate" as an independent, flexible and specialized partner.<br/><br />
For more information please visit: www.pstestware.com.<br/><br />
</td><br />
</tr><br />
</table><br />
<br/><br />
<br/><br />
'''Program'''<br/><br />
17.30 - 18.30 '''Check-In''' (catering included)<br/><br />
<br/><br />
18.30 – 19:00 '''Introduction''' (OWASP organization, projects, sponsor)<br/><br />
<br/><br />
19.00 - 20.15 '''Privacy and Internet''' (Dutch), Frank Fruijthoff and Ellen Hoving<br/><br />
In this presentation the general principles of privacy laws in the Netherlands and the EU and specifically privacy and the internet will be covered.<br/><br />
Frank Fruijthoff is a Compliance Officer with ING. He has a Compliance and Risk Management background and is specialised in privacy.<br/><br />
Ellen Hoving is a graduated lawyer. She works as an independent consultant specialized in compliance and privacy.<br/><br />
<br/><br />
20.15 – 20:30 '''Break'''<br/><br />
<br/><br />
20:30 – 21:00 '''Vulnerability and source code scanners''' (Dutch), Emile Strijbos<br />
<br/><br />
For his Master thesis in computer science at the Radboud Universiteit in Nijmegen, Emile Strijbos investigated vulnerability scanners and source code scanners. These are automated tools that try to detect security flaws, either in running web-applications or in their source code.<br/><br />
Emile tried out several of these tools, including both free and commercial ones, to see how good they are at detecting standard vulnerabilities, such as SQL injection, XSS, CSRF, etc.<br/><br />
<br/><br />
21.00 – 21:30 '''Discussion, questions and social'''<br/><br />
<br/><br />
If you want to attend, please send an email to: owasp@irc2.com.<br><br />
Please register before October 20th, because of the necessary catering arrangements. The number of registries is limited to 50 due to the capacity of the location and will be handled in order of receipt.<br/><br />
<br/><br />
All OWASP chapter meetings are free of charge and you don’t have to be an OWASP member to attend. There are never any vendor pitches or sales presentations at OWASP meetings.<br/><br />
<br/><br />
NOTE TO CISSP's: OWASP Meetings count towards CPE Credits.<br/><br />
<br/><br />
The announcement and full descriptions can be found here:<br/><br />
[[Media:Announcement_27_Oktober.pdf]]<br/><br />
<br />
== Announcement March 26th: Software Vulnerability assessment ==<br />
'''Summary'''<br/><br />
The main goal of the upcoming OWASP-NL meeting is to provide information to developers and security professionals involved in creating secure (web-)applications. The main focus will be on software vulnerability assessment. The speakers will give specific examples and of course there is time to ask questions about your own experiences.<br/><br />
<br/><br />
'''Location'''<br/><br />
The location and catering is provided by the sponsor of this meeting:<br/><br />
<table><br />
<tr><br />
<td width="350"><br />
Mercure Utrecht Nieuwegein<br/><br />
Buizerdlaan 10,<br/><br />
3435 SB Nieuwegein<br/><br />
</td><br />
<td width="350"><br />
[[Image:Fortify.JPG|143px]]<br />
</td><br />
</tr><br />
<tr><br />
<td width="350"><br />
</td><br />
<td width="350"><br />
Fortify Software products protect companies from today’s greatest security risk: the software applications that run their businesses. Combining deep application security expertise with extensive software development experience, Fortify Software has defined the market with award-winning products that span the software development cycle. Today, Fortify Software fortifies the software for the most demanding customer deployments, including the world’s largest, most varied code bases.<br/><br />
<br/><br />
For more information please visit:<br/><br />
www.fortify.com<br/><br />
</td><br />
</tr><br />
</table><br />
<br/><br />
<br/><br />
'''Program'''<br/><br />
17.30 - 18.30 '''Check-In''' (catering included)<br/><br />
<br/><br />
18.30 - 18:50 '''Introduction''' (OWASP, sponsor)<br/><br />
<br/><br />
18.50 - 19.30 '''Complex(ity) matters''' (Dutch), Mario de Boer<br/><br />
Various methods exist to locate specific vulnerabilities in software. In the presentation we will look at static analysis of binaries, and the problems we face when trying to locate vulnerabilities. Several ideas will be discussed to make the search easier, but at the same time less exact. The first idea is trivial: automate as much as possible. The second idea is nearly trivial: don't aim at exact vulnerabilities but relax the search to locating potential vulnerabilities. We will give examples that illustrate the results.<br/><br />
Mario de Boer is a senior security consultant at Logica, and as such focuses on security management aspects like security frameworks, compliance, monitoring and control and risk management. Before joining Logica, Mario worked at the Dutch ministries of Defense and Justice, he co-founded a security company and worked as a project manager in the financial sector. For several years he taught courses in software security analysis and secure software development. Besides security management, Mario has interest in software security, reverse engineering and cryptography. Within Logica Netherlands, he is knowledge manager application security. Mario holds a PhD in Mathematics and is CISA and CISSP.<br/><br />
<br/><br />
19.30 - 19:50 '''Break'''<br/><br />
<br/><br />
19:50 - 20:20 '''V.A.C: SQL injection''' (Dutch), Marinus Kuivenhoven<br />
<br/><br />
<u>'''V'''ulnerability:</u><br/><br />
An application which uses a database for its information needs, communicates with it trough SQL. SQL injection is an attack in which malicious code is inserted into strings that are later passed to an instance of a Database for parsing and execution.<br/><br />
<u>'''A'''ssessment:</u><br/><br />
SQL injection can threaten the confidentiality, availability and integrity of the data. The various types of SQL injection and their impact will be shown.<br/><br />
<u>'''C'''ountermeasure:</u><br/><br />
Any procedure that constructs SQL statements should be reviewed for injection vulnerabilities because a database will execute all syntactically valid queries that it receives. How this should be done will be shown for the most popular languages.<br/><br />
Marinus is a Technology Specialist with Sogeti Nederland B.V. specializing in service oriented architectures and secure application development. His experience includes developing and administrating Oracle-based systems.<br/><br />
<br/><br />
20.20 - 21.00 '''Secure Programming with Static Analysis''' (English), Brian Chess<br/><br />
Creating secure code requires more than just good intentions. Programmers need to know how to make their code safe in an almost infinite number of scenarios and configurations. Static source code analysis gives users the ability to review their work with a fine tooth comb and uncover the kinds of errors that lead directly to vulnerabilities. This talk frames the software security problem and shows how static analysis is part of the solution. We will look at how static analysis works, how to integrate it into the software development processes, and how to make the most of it during security code review. Along the way we'll look at examples taken from real-world security incidents, showing how coding errors are exploited, how they could have been prevented, and how static analysis can rapidly uncover similar errors.<br/><br />
Brian Chess is a founder of Fortify Software and serves as Fortify's Chief Scientist, where his work focuses on practical methods for creating secure systems. His book, Secure Programming with Static Analysis, shows how static source code analysis is an indispensable tool for getting security right. Brian holds a Ph.D. in computer engineering from the University of California at Santa Cruz, where he studied the application of static analysis to the problem of finding security-relevant defects in source code. Before settling on security, Brian spent a decade in Silicon Valley working at huge companies and small startups. He has done research on a broad set of topics, ranging from integrated circuit design all the way to delivering software as a service.<br/><br />
<br/><br />
21.00 - 21:30 '''Discussion, questions and social'''<br/><br />
<br/><br />
'''Registration'''<br/><br />
If you want to attend, please send an email to: owasp@irc2.com.<br/><br />
<br/><br />
All OWASP chapter meetings are free of charge and you don’t have to be an OWASP member to attend. There are never any vendor pitches or sales presentations at OWASP meetings.<br/><br />
<br/><br />
NOTE TO CISSP's: OWASP Meetings count towards CPE Credits.<br/><br />
<br/><br />
== Announcement 20 december: Secure Development ==<br />
'''Summary'''<br/><br />
The main goal of the upcoming OWASP-NL meeting is to provide information to developers and security professionals involved in creating secure (web-)applications. The general and specific security issues involved on project and programming level will be covered from a practical as well as a theoretical point of view. The speakers will give specific examples and of course there is time to ask questions about your own experiences.<br/><br />
Please register before December the 14th because of the necessary catering arrangements.<br/><br />
<br/><br />
'''Location'''<br/><br />
The location and catering is provided by the sponsor of this meeting:<br/><br />
<table><br />
<tr><br />
<td width="350"><br />
ps_testware B.V.<br/><br />
Dorpsstraat 26,<br/><br />
3941 JM DOORN<br/><br />
</td><br />
<td width="350"><br />
[[Image:Pstestware.jpg|100px]]<br />
</td><br />
</tr><br />
<tr><br />
<td width="350"><br />
The location has parking facilities for 15 cars. However parking in the direct vicinity of ps_testware shouldn’t be a problem.<br/><br />
</td><br />
<td width="350"><br />
ps_testware delivers services related to software testing and software quality. In the field of software development, quality, time-to-market, business processes and software acceptance they play the role of "your devil's advocate" as an independent, flexible and specialized partner.<br/><br />
For more information please visit: www.pstestware.com.<br/><br />
</td><br />
</tr><br />
</table><br />
<br/><br />
<br/><br />
'''Program'''<br/><br />
17.30 - 18.30 '''Check-In''' (catering included)<br/><br />
<br/><br />
18.30 – 19:00 '''Introduction''' (OWASP organization, projects, sponsor)<br/><br />
<br/><br />
19.00 - 19.30 '''Practices of developing optimal security''' (dutch), Andre Post<br/><br />
This presentation highlights a number of current practices that lead to sub-optimal security, and suggests ways of avoiding these problems, focusing on the technical side of development.<br/><br />
André Post works for Fox-IT on a variety of projects including core product development, software architecting, security code reviews, and software project management.<br/><br />
<br/><br />
19.30 – 19:45 '''Break'''<br/><br />
<br/><br />
19:45 – 20:30 '''Problems of developing secure and correct applications''' (dutch), Erik Poll [http://www.cs.ru.nl/~erikpoll/talks/OWASP2007.pdf (slides of the presentation)]<br />
<br/><br />
This presentation will discuss different possibilities to improve software security. The problem of getting time and money available to be spend on security, not only for developing applications, but also for developing programming languages, will be raised.<br/><br />
Erik Poll is head of the Security of Systems (SoS) group at the Radboud University of Nijmegen. His research does focus on the security and correctness of software.<br/><br />
<br/><br />
20.30 - 21.00 '''Protecting Web services and Web applications against security threats''' (dutch), Rix Groenboom<br/><br />
During this session, Rix will explore how to implement development and security best practices in the code to make sure that your webservices and applications perform solidly when they are being hacked or used in malicious ways.<br/><br />
Rix Groenboom supports fortune 2000 companies in field automated software error prevention and correction for Parasoft. His main area of expertise is in the use of formal languages for the specification, design and validation of software applications.<br/><br />
<br/><br />
21.00 – 21:30 '''Discussion, questions and social'''<br/><br />
<br/><br />
All OWASP chapter meetings are free of charge and you don’t have to be an OWASP member to attend. There are never any vendor pitches or sales presentations at OWASP meetings.<br/><br />
<br/><br />
NOTE TO CISSP's: OWASP Meetings count towards CPE Credits.<br/><br />
<br/><br />
The announcement and full descriptions can be found here:<br/><br />
[[Media:Announcement_20_December.pdf]]<br/><br />
[[Media:Announcement_20_December_2.pdf]]<br/><br />
<br />
== Meeting September 13th: putting initiatives into practice ==<br />
<br />
The main goal of the next OWASP meeting is finding a way to put initiatives and all offered help into a form of structural benefit for the OWASP Netherlands local chapter. As a starting point for the discussion, examples will be taken from other European chapters and input delivered by discussions that take place on the mailing list is considered too. Let this be a call to put your ideas on the mailing list before the next meeting!<br/><br />
<br/><br />
The location is provided by the sponsor of this meeting:<br/><br />
Comsec Consulting BV<br/><br />
Rivium Boulevard 102<br/><br />
2909LK Capelle aan den IJssel<br/><br />
<br/><br />
The agenda:<br/><br />
18.00 - 18.30 Check-In (catering included)<br/><br />
18.30 - 18.45 OWASP update, Bert Koelewijn<br/><br />
18.45 - 19.15 Security Best Practices for .NET, Boaz Shunami<br/><br />
19.15 - 20.00 Discussion: collecting ideas and initiatives<br/><br />
20.00 - 20.15 Coffee break<br/><br />
20.15 - 21.00 Discussion: how to enable community commitment<br/><br />
21.00 - 21.30 Closing discussion and coffee<br/><br />
<br/><br />
Boaz Shunami<br/><br />
Boaz is manager of the Application Security department of Comsec Europe. He has 11 years of experience in the IT Security field, and a large part of them in Application Security.<br/><br />
Boaz did numerous application security audits in very large organizations and is recognized as one of the greatest expert’s world wide. Boaz' expertise is broad, but especially in-depth for the .NET platform.<br/><br />
<br/><br />
Discussion input (until now)<br/><br />
- division of local chapter work load by multiple people<br/><br />
- collaboration with other organizations<br/><br />
<br/><br />
If you want to attend send an email to owasp@irc2.com.<br/><br />
<br/><br />
All OWASP chapter meetings are free, there are never vendor pitches or sales presentations at OWASP meetings.<br/><br />
<br/><br />
NOTE TO CISSP's: OWASP Meetings count towards CPE Credits.<br/><br />
<br />
== OWASP Netherlands meeting minutes ==<br />
<br />
January 11th, the Dutch OWASP chapter came together at the office of Sogeti Netherlands. Subject of the evening was 'putting software security into practice'. The group was small but select.<br/><br />
<br/><br />
The agenda:<br/><br />
18.00 - 18.30 Check-In (catering included)<br/><br />
18.30 - 18.45 Sponsor opening<br/><br />
18.45 - 19.00 OWASP update, Bert Koelewijn<br/><br />
19.00 - 19.30 Implementation of Security by Design, Martin Knobloch<br/><br />
19.30 - 19.45 Panel introduction<br/><br />
19.45 - 20.00 Coffee break<br/><br />
20.00 - 21.30 Panel discussion<br/><br />
<br/><br />
After being welcomed by Frank Langeveld from Sogeti and Bert Koelewijn, Dutch chapter leader, the evening started with the presentation 'Security By Design'. During the presentation Martin Knobloch told about his experiences during the implementation of the Secure Development Life Cycle in a company like Sogeti Nederland B.V.<br/><br />
<br/><br />
The presentation is available here:<br/><br />
[[Media:Implementation_of_Security_by_Design.ppt]]<br/><br />
<br/><br />
After a small break, the panel discussion started with the following panel: Henk van der Heijden - Comsec Consulting, Dr.ir. Mario de Boer - LogicaCMG and Martin Knobloch - Sogeti Nederland.<br/><br />
During the discussion, it became clear people are struggling to get the Secure Development Life Cycle implemented in their company. The various experiences were shared with the panel and the others. Company typical problems and common misunderstandings about Software security where brought up.<br/><br />
The consensus of the discussion was that the main problem lies in the lack of security awareness and knowledge of the managers and the developers. And this of course is exactly where OWASP comes in…<br/><br />
<br/><br />
== Announcement 11 January meeting ==<br />
<br />
The OWASP meeting of 11 January is about putting software security into practice. A lot of books, standards, organizations and consultants tell us how we should develop secure software. But which methods and measures are commonly adopted and which are not and why?<br/><br />
This will be the main focus of the discussion that we will have with a panel of people that experienced implementing software security in the field.<br/><br />
<br/><br />
The location is provided by the sponsor of this meeting:<br/><br />
Sogeti Nederland B.V.<br/><br />
"La Charmille" building<br/><br />
Lange Dreef 17<br/><br />
4131 NJ Vianen<br/><br />
<br/><br />
The agenda:<br />
<br/><br />
18.00 - 18.30 Check-In (catering included)<br/><br />
18.30 - 18.45 Sponsor opening<br/><br />
18.45 - 19.00 OWASP update, Bert Koelewijn<br/><br />
19.00 - 19.30 Implementation of Security by Design, Martin Knobloch<br/><br />
19.30 - 19.45 Panel introduction<br/><br />
19.45 - 20.00 Coffee break<br/><br />
20.00 - 21.30 Panel discussion<br/><br />
<br/><br />
Implementation of Security by Design<br/><br />
What is needed to implement a 'Secure Development Life Cycle' within Sogeti Nederland? The speaker started a project called 'Security by Design' in march 2006 implementing a SDLC at Sogeti Nederland.<br/><br />
In his presentation, the speaker will share his technical and organizational experiences that he gained with the still ongoing implementation.<br/><br />
<br/><br />
About the speaker<br/><br />
Martin Knobloch has more than 8 years experience in design and development of J2EE applications for customers in various sectors of the market. In September 2003 Martin Knobloch started working for Sogeti Nederland, where he does the design, development and review of J2EE applications and architectures.<br/><br />
From this background, Martin Knobloch experienced the threats of insecure software firsthand. In march 2006, Martin Knobloch started implementing a SDLC within Sogeti Nederland.<br/><br />
<br/><br />
Panel discussion<br/><br />
The panel members are:<br/><br />
Henk van der Heijden, Managing Director - Comsec Consulting B.V.<br/><br />
Dr.ir. Mario de Boer, Security Consultant - LogicaCMG<br/><br />
Martin Knobloch, Senior Technologie Specialist - Sogeti Nederland B.V.<br/><br />
<br/><br />
In the discussion, we will try to find answers to questions like:<br/><br />
- What are the most common security practices in software development?<br/><br />
- How effective are those practices?<br/><br />
- Where do we start practicing security?<br/><br />
- What should be the most common security practices in software development?<br/><br />
- How much does security cost?<br/><br />
- How does the Systems Security Engineering Capability Maturity Model (SSE-CMM) fit in?<br/><br />
<br/><br />
If you want to attend send an email to owasp@irc2.com.<br/><br />
<br/><br />
All OWASP chapter meetings are free, there are never vendor pitches or sales presentations at OWASP meetings.<br/><br />
<br/><br />
NOTE TO CISSP’s: OWASP Meetings count towards CPE Credits.<br/><br />
<br />
== OWASP Netherlands meeting minutes ==<br />
<br />
On 9 march, the second meeting of OWASP Netherlands local chapter took place. GetronicsPinkRoccade provided the venue, in their luxury conference centre: Connection I.<br/><br />
<br/><br />
Agenda:<br/><br />
18.00 - 18.45 Check-In (bread & drinks)<br/><br />
18.45 - 19.00 Opening<br/><br />
19.00 - 20.00 Improving Security in the Application Development Life-cycle, Migchiel de Jong<br/><br />
20.00 - 20.15 Coffee break<br/><br />
20.15 - 22.00 Form focus groups<br/><br />
<br/><br />
The presentation of Migchiel de Jong was found very interesting by the audience. At the end of his presentation, he demonstrated a static code analysis of the OWASP webgoat application.<br/><br />
<br/><br />
After the coffee break, the attendances started discussing about the largest common topics of interest in the web application security field, in relation to the OWASP Netherlands chapter. As a result, the following focus groups are formed:<br/><br />
<br/><br />
Testing<br/><br />
The current OWASP Testing project and the Open Source Security Testing Methodology Manual of ISECOM, provide guidelines and best practices for testers. These guidelines can be used to formalize a standard structure and a set of minimum requirements for a security test. Clients could ask a tester to adhere to these guidelines.<br/><br />
A second idea is to standardize the testing results management report. In practice, testing could result in piles of paper with all the findings. The real value is reporting it in a usable way. For example: mapping technical findings to business risks.<br/><br />
<br/><br />
Frans v. Buul<br/><br />
Peter Gouwentak<br/><br />
Arthur Donkers<br/><br />
Eelco Klaver<br/><br />
Migchiel de Jong<br/><br />
Mario de Boer<br/><br />
<br/><br />
First focus group meeting: Monday 27 march, 18:00h, PwC Utrecht<br/><br />
<br/><br />
<br/><br />
Public Relations<br/><br />
This focus group will try to make business aware of the security impact that developing, hosting and using web applications has. What OWASP is and how OWASP can help. This can be done by giving presentations, writing papers and articles, word of mouth, etc. etc.<br/><br />
<br/><br />
Remco Bakker<br/><br />
Ronald Eygendaal<br/><br />
Bas van Vossen<br/><br />
Edwin van Vliet<br/><br />
Eelco Klaver<br/><br />
<br/><br />
First presentation of OWASP materials: Edwin van Vliet, TestNet - Voorjaarsevenement, 5 april<br/><br />
First focus group meeting: To be planned!<br/><br />
<br/><br />
<br/><br />
Education<br/><br />
OWASP and universities/schools could benefit from working together. For example:<br/><br />
- OWASP provides lot's of materials usable in colleges.<br/><br />
- Develop OWASP training course.<br/><br />
- Students can participate in OWASP projects<br/><br />
- OWASP can provide a platform for supporting research. Such as thesis projects, etc.<br/><br />
- OWASP representatives could provide guest colleges.<br/><br />
<br/><br />
Ronald Eygendaal<br/><br />
Erik Poll<br/><br />
Bas van Vossen<br/><br />
Edwin van Vliet<br/><br />
<br/><br />
First focus group meeting: To be planned!<br/><br />
<br/><br />
The presentation is available here:<br/><br />
[[Media:OWASP_NL_Fortify_Software.pdf]]<br/><br />
<br />
== 9 March: Second meeting of the OWASP Netherlands local chapter! ==<br />
<br />
In this second meeting focus groups are to be formed, to discuss common problems, develop and research common solutions in a vendor neutral environment. So this is a very good opportunity to get in contact with others, to exchange knowledge and experiences on specific topics.<br/><br />
<br/><br />
For every focus group the following questions has to be answered:<br/><br />
1. Which specific topic is to be addressed?<br/><br />
2. What are the deliverables?<br/><br />
3. What is the relation to OWASP? (Current projects, materials, expertise and knowledge interchange, etc.)<br/><br />
4. Who is the central contact of the subgroup?<br/><br />
<br/><br />
It would be nice to have a bigger and more diverse group, compared to the first meeting. So let's recall: "Please, bring at least one friend, next time." And don't hesitate to send this announcement to everybody who may be interested!<br/><br />
<br/><br />
We thank Getronics PinkRoccade for offering us a venue:<br/><br />
Getronics PinkRoccade<br/><br />
Fauststraat 1<br/><br />
7323 BA Apeldoorn <br/><br />
<br/><br />
The agenda:<br/><br />
18.00 - 18.30 Check-In<br/><br />
18.30 - 18.45 Opening<br/><br />
18.45 - 19.30 Improving Security in the Application Development Life-cycle, Migchiel de Jong<br/><br />
19.30 - 20.00 Collecting focus group initiatives<br/><br />
19.45 - 20.00 Coffee break<br/><br />
20.00 - 21.00 Form focus groups<br/><br />
<br/><br />
Presentation Abstract<br/><br />
Rather than spending large amounts of time and money on proving that we have security vulnerabilities after programs go into production, companies should go to the source and correct vulnerabilities as early as possible in the development stage. It is unquestionably faster, simpler, and cheaper for developers to correct vulnerabilities as they build programs.<br/><br />
But how can development management ensure that developers focus on security when there is no time or budget for security at the development stage? Even with the correct focus, how can they learn what to look for? How can they stay ahead of the dedicated and resourceful hacker?<br/><br />
The answer is effective processes and better tools. With advanced software security tools, a developer can pinpoint vulnerabilities in a matter of seconds — the same vulnerabilities that would take a hacker or manual code reviewer weeks or even months to find. These same tools can give development and information security managers useful metrics on application vulnerabilities before they are released into deployment.<br/><br />
This talk will walk through the Application Development Life-Cycle and discuss how tools can help come to grips with software security issues in a particular phase.<br/><br />
<br/><br />
About the presenter<br/><br />
Migchiel de Jong has developed hardware and software for 10 years before joining Rational Software. During the 5 years at Rational Software (later acquired by IBM) he was involved in many software development process improvement projects. Currently Migchiel de Jong is working at Fortify Software, Palo Alto, California, as a software security engineer.<br/><br />
<br/><br />
If you want to attend send an email to owasp@irc2.nl. Please don't wait, 9 march is not that long anymore!<br/><br />
<br/><br />
All OWASP chapter meetings are free, there are never vendor pitches or sales presentations at OWASP meetings.<br/><br />
<br/><br />
NOTE TO CISSP’s: OWASP Meetings count towards CPE Credits.<br/><br />
<br />
== OWASP Netherlands kick-off meeting minutes ==<br />
<br />
On 17 November, OWASP Netherlands had it's first meeting. We moved to a bigger location, the Mercure hotel in Nieuwegein, to host all the 35 attendees.<br/><br />
<br/><br />
The agenda:<br/><br />
18.00 - 18.30 Check-In (bread & drinks)<br/><br />
18.30 - 18.45 Chapter opening<br/><br />
18.45 - 19.30 Presentation - 'Top tien web applicatie kwetsbaarheden in J2EE', Eelco Klaver<br/><br />
19.30 - 19.45 Presentation - 'Veilige webapplicaties boven alles', Mike Wardi<br/><br />
19.45 - 20.00 Coffee break<br/><br />
20.00 - 21.00 Discussion - About the OWASP Netherlands local chapter<br/><br />
<br/><br />
The discussion took place in a 'round table' session, where all attendees were able to take part. The focus of the discussion was how to give the OWASP Netherlands local chapter additional value, next to the OWASP project. What the goals and tasks will be. And which actions will have to be taken at short term.<br/><br />
Different people have interest in different subjects. In general meetings there is no time to address all subjects and address them specific enough. Therefore subgroups can be formed, focusing on specific topics. They can have their own communication channel and meetings, but should keep close contact with the OWASP body.<br/><br />
<br/><br />
An inventarisation:<br/><br />
<br/><br />
Discussion Topics<br/><br />
- Awareness: writing articles, press publications, interviews<br/><br />
- Education: contact universities, schools and their common boards. Develop and gather education materials.<br/><br />
- General: discuss ideas for OWASP NL<br/><br />
<br/><br />
Focusgroup Topics<br/><br />
- (dutch) metrics project<br/><br />
- (dutch) legal project<br/><br />
- standard framework for pentest reports<br/><br />
- safe outsourcing<br/><br />
<br/><br />
Actions that should be taken on short term are:<br/><br />
- provide communication channels<br/><br />
- plan next (sub)meetings<br/><br />
- start discussions and focusgroups<br/><br />
<br/><br />
The presentations are available here:<br/><br />
<br/><br />
[[Media:OWASP_NL_Top_Ten_Web_Application_Vulnerabilities_in_J2EE.pdf]]<br/><br />
[[Media:OWASP_NL_Veilige_Web_App_Boven_Alles.pdf]]<br/><br />
<br />
== You are welcome to the OWASP Netherlands local chapter kick-off meeting! ==<br />
<br />
Thursday, November 17th (2005) at 18.00h.<br/><br />
<br/><br />
ATTENTION! Because of the large amount of attendees, the location has changed:<br/><br />
<br/><br />
Hotel Mercure Utrecht/Nieuwegein<br/><br />
Buizerdlaan 10<br/><br />
3435 SB NIEUWEGEIN<br/><br />
Tel: 00 31 (0) 30 60 84 122<br/><br />
Fax: 00 31 (0) 30 60 38 374<br/><br />
<br/><br />
This first meeting will be an introduction to the OWASP. A constructive discussion will be held about the actual form of the OWASP Netherlands local chapter.<br/><br />
<br/><br />
The agenda:<br/><br />
18.00 - 18.30 Check-In (bread & drinks)<br/><br />
18.30 - 18.45 Chapter opening<br/><br />
18.45 - 19.30 Presentation - 'Top tien web applicatie kwetsbaarheden in J2EE', Eelco Klaver<br/><br />
19.30 - 19.45 Presentation - 'Veilige webapplicaties boven alles', Mike Wardi<br/><br />
19.45 - 20.00 Coffee break<br/><br />
20.00 - 21.00 Discussion - About the OWASP Netherlands local chapter<br/><br />
<br/><br />
About the presenters<br/><br />
<br/><br />
Eelco Klaver<br/><br />
Eelco Klaver is a senior consultant for Xebia IT Architects, since 2003. Doing software reviews, security audits and giving security workshops are part of his job. He has almost 10 years experience with developing enterprise applications in J2EE for different employees. At the moment, Eelco is the front man of the security business unit for Xebia, focussing on the security aspects of enterprise applications build on J2EE.<br/><br />
<br/><br />
Mike Wardi<br/><br />
Mike Wardi is an internet application manager for a financial institute. He's responsible for the safety of internet applications provided to customers and the implementation of the security policies in software developement.<br/><br />
<br/><br />
<br/><br />
If you want to attend, please send an email to owasp-nl@ascure.com or the mailing list.<br/><br />
<br/><br />
All OWASP chapter meetings are free! There are never vendor pitches or sales presentations at OWASP meetings.<br/><br />
<br/><br />
NOTE TO CISSP’s: OWASP Meetings count towards CPE Credits.<br/><br />
<br/></div>Dvstein