https://wiki.owasp.org/api.php?action=feedcontributions&feedformat=atom&user=FavroomOWASP - User contributions [en]2026-05-06T10:10:01ZUser contributionsMediaWiki 1.27.2https://wiki.owasp.org/index.php?title=BeNeLux_OWASP_Day_2014&diff=184900BeNeLux OWASP Day 20142014-11-06T21:57:14Z<p>Favroom: Blanked the page</p>
<hr />
<div></div>Favroomhttps://wiki.owasp.org/index.php?title=Netherlands&diff=166178Netherlands2014-01-21T14:24:02Z<p>Favroom: /* Other OWASP Events */</p>
<hr />
<div>{{Chapter Template|chaptername=Netherlands|extra=|mailinglistsite=http://lists.owasp.org/mailman/listinfo/owasp-netherlands|emailarchives=http://lists.owasp.org/pipermail/owasp-netherlands}} <br />
<br />
<paypal>Netherlands</paypal><br />
<br />
<!-- First tab --><br />
= Local News =<br />
=='''News'''==<br />
::; <br />
::;<br />
<br />
=='''Provisional 2014 Chapter Event Calendar'''==<br />
::*<br />
::*<br />
<br />
::;Slide Decks from past Chapter meetings can be downloaded from the [https://www.owasp.org/index.php/Netherlands#tab=Past_Events Past Events page].<br />
<br />
=='''Other OWASP Events'''==<br />
::;'''[https://www.owasp.org/index.php/OWASP_Events/upcoming_events OWASP Upcoming Events]'''<br />
::;'''[https://www.owasp.org/index.php/BeNeLux_OWASP_Day_2014 OWASP benelux 2014]'''<br />
<br />
=='''Call for Presentations'''==<br />
::;[https://docs.google.com/a/owasp.org/spreadsheet/viewform?formkey=dGs1UFN0Ul9YR1pRcGdYRmtYallraUE6MQ#gid=0 OWASP NL Chapter Call For Presentation]<br />
<br />
=='''Stay in contact:'''==<br />
<center><br />
{| cellspacing="15"<br />
|-<br />
| [[Image:Join the list.png|150px|link=http://lists.owasp.org/mailman/listinfo/owasp-netherlands]] <br />
| [[Image:Follow-us-on-twitter.png|175px|link=http://www.twitter.com/owasp_NL]]<br />
| [[Image:Linkedin-button.gif|135px|link=http://www.linkedin.com/groups/OWASP-Netherlands-Chapter-1987229/about]]<br />
|}<br />
</center><br />
<br />
=='''Sponsors'''==<br />
::;Our structural Chapter and OWASP Benelux Days 2013 supporters: <br />
<br />
[http://www.cigital.com https://www.owasp.org/images/7/73/AppSecDC2012-Cigital.jpg]<br />
[http://www.Checkmarx.com https://www.owasp.org/images/a/a2/Checkmarx.jpg]<br />
[[File:Deloitte.jpg||170px|link=http://www.deloitte.com/view/en_NL/nl]]<br />
[http://www8.hp.com/us/en/software-solutions/software-security/index.html https://www.owasp.org/images/a/af/HP_Blue_RGB_150_LG-200.png]<br />
[https://informatiebeveiliging.nl/ https://www.owasp.org/images/9/9a/Logo_Informatiebeveiliging-200.png]<br />
[http://www.northwave.nl https://www.owasp.org/images/4/4c/LogoNorthwave.jpg]<br />
[http://www.securify.nl https://www.owasp.org/images/7/7a/Securify_BV_logo.png]<br />
[[File:Logo secwatch.jpg||170px|link=http://www.secwatch.nl]]<br />
[http://www.sogeti.nl https://www.owasp.org/images/9/94/Sogeti_logo.png]<br />
[http://www.vest.nl https://www.owasp.org/images/1/1d/Logo_Vest_BIG_170.gif]<br />
<!-- Second tab --><br />
<br />
= Calendar =<br />
== Provisional Chapter Event Calendar 2013 ==<br />
{|class="wikitable" border="1" style="text-align:center;"|<br />
! width="300" | Date<br />
! width="350" | Link<br />
! width="300" | Flyer<br />
|- align="center"<br />
| January 31st, 2013 <br />
| [[Netherlands January 31, 2013 | Agenda]] <br />
| <br />
|- align="center"<br />
| March 7th, 2013<br />
| [[Netherlands March 7, 2013 | Agenda]]<br />
| [[Media:OWASP Netherlands Chapter Meeting 2013-03-07.pdf | flyer]] <br />
|- align="center"<br />
| March 13th, 2013<br />
| [[Netherlands March 13, 2013 | Agenda]]<br />
| [[Media:OWASP Netherlands Chapter Meeting 2013-03-13.pdf | flyer]]<br />
|- align="center"<br />
| April 10th, 2013<br />
| [[Netherlands April 10, 2013 | Agenda]]<br />
| [[Media:OWASP Netherlands Chapter Meeting 2013-04-10.pdf | flyer]]<br />
|- align="center"<br />
| May 14, 2013<br />
| [[Netherlands May 14, 2013 | Agenda]]<br />
| [[Media:OWASP Netherlands Chapter Meeting 2013-04-10.pdf | flyer]]<br />
|- align="center"<br />
| June 20th, 2013<br />
| [[EUTour2013_Netherlands_Agenda | The Dutch OWASP European Tour 2013 Event]]<br />
| [[Media:OWASP Netherlands Chapter Meeting 2013-06-20.pdf | flyer]]<br />
|- align="center"<br />
| July 31st to August 4th<br />
| [https://ohm2013.org/wiki/Village:OWASP OWASP Village @ OHM2013]<br />
| <br />
|- align="center"<br />
| October 31st, 201<br />
| [[Netherlands October 31, 2013 | Agenda]]<br />
| [[Media:OWASP Netherlands Chapter Meeting 2013-10-31.pdf | flyer]]<br />
|- align="center"<br />
| November 29th<br />
| [https://www.owasp.org/index.php?title=BeNeLux_OWASP_Day_2013 OWASP Benelux Conference in the Netherlands!]<br />
|<br />
|}<br />
<br />
<!-- Third tab --><br />
<br />
= Past Events =<br />
*Events held in [[Netherlands Previous Events 2013|2013]]<br />
*Events held in [[Netherlands Previous Events 2012|2012]]<br />
*Events held in [[Netherlands Previous Events 2011|2011]]<br />
*Events held in [[Netherlands Previous Events 2010|2010]] <br />
*Events held in [[Netherlands Previous Events 2009|2009]] <br />
*Events held in [[Netherlands Previous Events 2008|2008]] <br />
*Events held in [[Netherlands Previous Events 2007|2007]] <br />
*Events held in [[Netherlands Previous Events 2006|2006]] <br />
*Events held in [[Netherlands Previous Events 2005|2005]]<br />
<br />
<!-- Fourth tab --><br />
= Chapter Leaders =<br />
The Netherlands Chapter is supported by the following board: <br />
*[https://www.owasp.org/index.php/User:Ferdinand_Vroom Ferdinand Vroom]<br />
*[https://www.owasp.org/index.php/User:Knoblochmartin Martin Knobloch], PervaSec<br />
<br> <br />
*[mailto:netherlands@owasp.org OWASP Netherlands], OWASP Netherlands board email adres<br />
Our goal is to professionalize the local OWASP functioning, provide in a bigger footprint to detect OWASP opportunities such as speakers/topics/sponsors/… and set a 5 year target on: Target audiences, Different events and Interactions of OWASP global – local projects. <br />
<br />
<!-- Fifth and last tab --><br />
= Chapter Support =<br />
=== Chapter Sponsoring ===<br />
OWASP Netherlands is looking for organizations to sponsor our chapter. <br />
If you are interested in sponsoring the Netherlands chapter please contact us via email: [mailto:netherlands@owasp.org netherlands 'at' owasp.org]. <br />
<br />
=== Donation ===<br />
If you would like to donate to our chapter, please use the PayPal link at the top of this page.<br />
;Thank you!<br />
<br />
=== Call for Speakers ===<br />
We are continuously looking for speakers.<br>'''Presentations:''' Are you working on an interesting subject, would you like to share your experience with the OWASP community and do you have presentation skills. Please let us know! Any topic related to web application security will be appreciated!<br>'''VAC, Vulnerability, Attack, Countermeasure:''' The VAC is a re occuring part of the chapter meetings. The VAC is a half hour in-depth technical presentation about a vulnerability, how it can be exploited and how to prevent it!<br> <br />
<span style="font-weight: bold;">Links: </span> <br />
[http://www.owasp.org/index.php/Speaker_Agreement Speaker Agreement] <br />
[http://www.owasp.org/images/5/54/Presentation_template.ppt Template] <br />
Interested in presenting at a local chapter meeting, please send an email to: netherlands 'at' owasp.org <br />
<br />
=== Call for Location ===<br />
For the OWASP Netherlands chapter meetings to come, we are continuously looking for locations! <br />
Most preferable, the location is good accessible with public transport and by car. Free parking should be provided. <br />
What do we expect: <br />
*meeting room for at least 50 people <br />
*lunch for attendees <br />
**drinks, sandwiches... <br />
*a small present for the speakers <br />
**(e.g. bottle of wine, for speakers from aboard alcohol might be less practical if flying in only with hand luggage)<br />
Interested in sponsoring a local chapter meeting, please send an email to: netherlands 'at' owasp.org <br />
<br />
<!-- Don't remove this tag --><br />
__NOTOC__ <br />
<headertabs/><br />
[[Category:Europe]]</div>Favroomhttps://wiki.owasp.org/index.php?title=Netherlands&diff=166176Netherlands2014-01-21T14:20:33Z<p>Favroom: /* News */</p>
<hr />
<div>{{Chapter Template|chaptername=Netherlands|extra=|mailinglistsite=http://lists.owasp.org/mailman/listinfo/owasp-netherlands|emailarchives=http://lists.owasp.org/pipermail/owasp-netherlands}} <br />
<br />
<paypal>Netherlands</paypal><br />
<br />
<!-- First tab --><br />
= Local News =<br />
=='''News'''==<br />
::; <br />
::;<br />
<br />
=='''Provisional 2014 Chapter Event Calendar'''==<br />
::*<br />
::*<br />
<br />
::;Slide Decks from past Chapter meetings can be downloaded from the [https://www.owasp.org/index.php/Netherlands#tab=Past_Events Past Events page].<br />
<br />
=='''Other OWASP Events'''==<br />
::;'''OWASP Upcoming Events''': https://www.owasp.org/index.php/OWASP_Events/upcoming_events<br />
::;'''[https://www.owasp.org/index.php/BeNeLux_OWASP_Day_2014 OWASP benelux 2014]'''<br />
<br />
=='''Call for Presentations'''==<br />
::;[https://docs.google.com/a/owasp.org/spreadsheet/viewform?formkey=dGs1UFN0Ul9YR1pRcGdYRmtYallraUE6MQ#gid=0 OWASP NL Chapter Call For Presentation]<br />
<br />
=='''Stay in contact:'''==<br />
<center><br />
{| cellspacing="15"<br />
|-<br />
| [[Image:Join the list.png|150px|link=http://lists.owasp.org/mailman/listinfo/owasp-netherlands]] <br />
| [[Image:Follow-us-on-twitter.png|175px|link=http://www.twitter.com/owasp_NL]]<br />
| [[Image:Linkedin-button.gif|135px|link=http://www.linkedin.com/groups/OWASP-Netherlands-Chapter-1987229/about]]<br />
|}<br />
</center><br />
<br />
=='''Sponsors'''==<br />
::;Our structural Chapter and OWASP Benelux Days 2013 supporters: <br />
<br />
[http://www.cigital.com https://www.owasp.org/images/7/73/AppSecDC2012-Cigital.jpg]<br />
[http://www.Checkmarx.com https://www.owasp.org/images/a/a2/Checkmarx.jpg]<br />
[[File:Deloitte.jpg||170px|link=http://www.deloitte.com/view/en_NL/nl]]<br />
[http://www8.hp.com/us/en/software-solutions/software-security/index.html https://www.owasp.org/images/a/af/HP_Blue_RGB_150_LG-200.png]<br />
[https://informatiebeveiliging.nl/ https://www.owasp.org/images/9/9a/Logo_Informatiebeveiliging-200.png]<br />
[http://www.northwave.nl https://www.owasp.org/images/4/4c/LogoNorthwave.jpg]<br />
[http://www.securify.nl https://www.owasp.org/images/7/7a/Securify_BV_logo.png]<br />
[[File:Logo secwatch.jpg||170px|link=http://www.secwatch.nl]]<br />
[http://www.sogeti.nl https://www.owasp.org/images/9/94/Sogeti_logo.png]<br />
[http://www.vest.nl https://www.owasp.org/images/1/1d/Logo_Vest_BIG_170.gif]<br />
<!-- Second tab --><br />
<br />
= Calendar =<br />
== Provisional Chapter Event Calendar 2013 ==<br />
{|class="wikitable" border="1" style="text-align:center;"|<br />
! width="300" | Date<br />
! width="350" | Link<br />
! width="300" | Flyer<br />
|- align="center"<br />
| January 31st, 2013 <br />
| [[Netherlands January 31, 2013 | Agenda]] <br />
| <br />
|- align="center"<br />
| March 7th, 2013<br />
| [[Netherlands March 7, 2013 | Agenda]]<br />
| [[Media:OWASP Netherlands Chapter Meeting 2013-03-07.pdf | flyer]] <br />
|- align="center"<br />
| March 13th, 2013<br />
| [[Netherlands March 13, 2013 | Agenda]]<br />
| [[Media:OWASP Netherlands Chapter Meeting 2013-03-13.pdf | flyer]]<br />
|- align="center"<br />
| April 10th, 2013<br />
| [[Netherlands April 10, 2013 | Agenda]]<br />
| [[Media:OWASP Netherlands Chapter Meeting 2013-04-10.pdf | flyer]]<br />
|- align="center"<br />
| May 14, 2013<br />
| [[Netherlands May 14, 2013 | Agenda]]<br />
| [[Media:OWASP Netherlands Chapter Meeting 2013-04-10.pdf | flyer]]<br />
|- align="center"<br />
| June 20th, 2013<br />
| [[EUTour2013_Netherlands_Agenda | The Dutch OWASP European Tour 2013 Event]]<br />
| [[Media:OWASP Netherlands Chapter Meeting 2013-06-20.pdf | flyer]]<br />
|- align="center"<br />
| July 31st to August 4th<br />
| [https://ohm2013.org/wiki/Village:OWASP OWASP Village @ OHM2013]<br />
| <br />
|- align="center"<br />
| October 31st, 201<br />
| [[Netherlands October 31, 2013 | Agenda]]<br />
| [[Media:OWASP Netherlands Chapter Meeting 2013-10-31.pdf | flyer]]<br />
|- align="center"<br />
| November 29th<br />
| [https://www.owasp.org/index.php?title=BeNeLux_OWASP_Day_2013 OWASP Benelux Conference in the Netherlands!]<br />
|<br />
|}<br />
<br />
<!-- Third tab --><br />
<br />
= Past Events =<br />
*Events held in [[Netherlands Previous Events 2013|2013]]<br />
*Events held in [[Netherlands Previous Events 2012|2012]]<br />
*Events held in [[Netherlands Previous Events 2011|2011]]<br />
*Events held in [[Netherlands Previous Events 2010|2010]] <br />
*Events held in [[Netherlands Previous Events 2009|2009]] <br />
*Events held in [[Netherlands Previous Events 2008|2008]] <br />
*Events held in [[Netherlands Previous Events 2007|2007]] <br />
*Events held in [[Netherlands Previous Events 2006|2006]] <br />
*Events held in [[Netherlands Previous Events 2005|2005]]<br />
<br />
<!-- Fourth tab --><br />
= Chapter Leaders =<br />
The Netherlands Chapter is supported by the following board: <br />
*[https://www.owasp.org/index.php/User:Ferdinand_Vroom Ferdinand Vroom]<br />
*[https://www.owasp.org/index.php/User:Knoblochmartin Martin Knobloch], PervaSec<br />
<br> <br />
*[mailto:netherlands@owasp.org OWASP Netherlands], OWASP Netherlands board email adres<br />
Our goal is to professionalize the local OWASP functioning, provide in a bigger footprint to detect OWASP opportunities such as speakers/topics/sponsors/… and set a 5 year target on: Target audiences, Different events and Interactions of OWASP global – local projects. <br />
<br />
<!-- Fifth and last tab --><br />
= Chapter Support =<br />
=== Chapter Sponsoring ===<br />
OWASP Netherlands is looking for organizations to sponsor our chapter. <br />
If you are interested in sponsoring the Netherlands chapter please contact us via email: [mailto:netherlands@owasp.org netherlands 'at' owasp.org]. <br />
<br />
=== Donation ===<br />
If you would like to donate to our chapter, please use the PayPal link at the top of this page.<br />
;Thank you!<br />
<br />
=== Call for Speakers ===<br />
We are continuously looking for speakers.<br>'''Presentations:''' Are you working on an interesting subject, would you like to share your experience with the OWASP community and do you have presentation skills. Please let us know! Any topic related to web application security will be appreciated!<br>'''VAC, Vulnerability, Attack, Countermeasure:''' The VAC is a re occuring part of the chapter meetings. The VAC is a half hour in-depth technical presentation about a vulnerability, how it can be exploited and how to prevent it!<br> <br />
<span style="font-weight: bold;">Links: </span> <br />
[http://www.owasp.org/index.php/Speaker_Agreement Speaker Agreement] <br />
[http://www.owasp.org/images/5/54/Presentation_template.ppt Template] <br />
Interested in presenting at a local chapter meeting, please send an email to: netherlands 'at' owasp.org <br />
<br />
=== Call for Location ===<br />
For the OWASP Netherlands chapter meetings to come, we are continuously looking for locations! <br />
Most preferable, the location is good accessible with public transport and by car. Free parking should be provided. <br />
What do we expect: <br />
*meeting room for at least 50 people <br />
*lunch for attendees <br />
**drinks, sandwiches... <br />
*a small present for the speakers <br />
**(e.g. bottle of wine, for speakers from aboard alcohol might be less practical if flying in only with hand luggage)<br />
Interested in sponsoring a local chapter meeting, please send an email to: netherlands 'at' owasp.org <br />
<br />
<!-- Don't remove this tag --><br />
__NOTOC__ <br />
<headertabs/><br />
[[Category:Europe]]</div>Favroomhttps://wiki.owasp.org/index.php?title=Netherlands&diff=166174Netherlands2014-01-21T14:15:34Z<p>Favroom: /* Local News */</p>
<hr />
<div>{{Chapter Template|chaptername=Netherlands|extra=|mailinglistsite=http://lists.owasp.org/mailman/listinfo/owasp-netherlands|emailarchives=http://lists.owasp.org/pipermail/owasp-netherlands}} <br />
<br />
<paypal>Netherlands</paypal><br />
<br />
<!-- First tab --><br />
= Local News =<br />
=='''News'''==<br />
::;[http://www.owaspbenelux.eu OWASP BeNeLux-Day November 29th 2013 RAI Amsterdam] <br />
::; Registration has been closed we have no tickets left! <strike> Registration opened!</strike><br />
<br />
=='''Provisional 2014 Chapter Event Calendar'''==<br />
::*<br />
::*<br />
<br />
::;Slide Decks from past Chapter meetings can be downloaded from the [https://www.owasp.org/index.php/Netherlands#tab=Past_Events Past Events page].<br />
<br />
=='''Other OWASP Events'''==<br />
::;'''OWASP Upcoming Events''': https://www.owasp.org/index.php/OWASP_Events/upcoming_events<br />
::;'''[https://www.owasp.org/index.php/BeNeLux_OWASP_Day_2014 OWASP benelux 2014]'''<br />
<br />
=='''Call for Presentations'''==<br />
::;[https://docs.google.com/a/owasp.org/spreadsheet/viewform?formkey=dGs1UFN0Ul9YR1pRcGdYRmtYallraUE6MQ#gid=0 OWASP NL Chapter Call For Presentation]<br />
<br />
=='''Stay in contact:'''==<br />
<center><br />
{| cellspacing="15"<br />
|-<br />
| [[Image:Join the list.png|150px|link=http://lists.owasp.org/mailman/listinfo/owasp-netherlands]] <br />
| [[Image:Follow-us-on-twitter.png|175px|link=http://www.twitter.com/owasp_NL]]<br />
| [[Image:Linkedin-button.gif|135px|link=http://www.linkedin.com/groups/OWASP-Netherlands-Chapter-1987229/about]]<br />
|}<br />
</center><br />
<br />
=='''Sponsors'''==<br />
::;Our structural Chapter and OWASP Benelux Days 2013 supporters: <br />
<br />
[http://www.cigital.com https://www.owasp.org/images/7/73/AppSecDC2012-Cigital.jpg]<br />
[http://www.Checkmarx.com https://www.owasp.org/images/a/a2/Checkmarx.jpg]<br />
[[File:Deloitte.jpg||170px|link=http://www.deloitte.com/view/en_NL/nl]]<br />
[http://www8.hp.com/us/en/software-solutions/software-security/index.html https://www.owasp.org/images/a/af/HP_Blue_RGB_150_LG-200.png]<br />
[https://informatiebeveiliging.nl/ https://www.owasp.org/images/9/9a/Logo_Informatiebeveiliging-200.png]<br />
[http://www.northwave.nl https://www.owasp.org/images/4/4c/LogoNorthwave.jpg]<br />
[http://www.securify.nl https://www.owasp.org/images/7/7a/Securify_BV_logo.png]<br />
[[File:Logo secwatch.jpg||170px|link=http://www.secwatch.nl]]<br />
[http://www.sogeti.nl https://www.owasp.org/images/9/94/Sogeti_logo.png]<br />
[http://www.vest.nl https://www.owasp.org/images/1/1d/Logo_Vest_BIG_170.gif]<br />
<!-- Second tab --><br />
<br />
= Calendar =<br />
== Provisional Chapter Event Calendar 2013 ==<br />
{|class="wikitable" border="1" style="text-align:center;"|<br />
! width="300" | Date<br />
! width="350" | Link<br />
! width="300" | Flyer<br />
|- align="center"<br />
| January 31st, 2013 <br />
| [[Netherlands January 31, 2013 | Agenda]] <br />
| <br />
|- align="center"<br />
| March 7th, 2013<br />
| [[Netherlands March 7, 2013 | Agenda]]<br />
| [[Media:OWASP Netherlands Chapter Meeting 2013-03-07.pdf | flyer]] <br />
|- align="center"<br />
| March 13th, 2013<br />
| [[Netherlands March 13, 2013 | Agenda]]<br />
| [[Media:OWASP Netherlands Chapter Meeting 2013-03-13.pdf | flyer]]<br />
|- align="center"<br />
| April 10th, 2013<br />
| [[Netherlands April 10, 2013 | Agenda]]<br />
| [[Media:OWASP Netherlands Chapter Meeting 2013-04-10.pdf | flyer]]<br />
|- align="center"<br />
| May 14, 2013<br />
| [[Netherlands May 14, 2013 | Agenda]]<br />
| [[Media:OWASP Netherlands Chapter Meeting 2013-04-10.pdf | flyer]]<br />
|- align="center"<br />
| June 20th, 2013<br />
| [[EUTour2013_Netherlands_Agenda | The Dutch OWASP European Tour 2013 Event]]<br />
| [[Media:OWASP Netherlands Chapter Meeting 2013-06-20.pdf | flyer]]<br />
|- align="center"<br />
| July 31st to August 4th<br />
| [https://ohm2013.org/wiki/Village:OWASP OWASP Village @ OHM2013]<br />
| <br />
|- align="center"<br />
| October 31st, 201<br />
| [[Netherlands October 31, 2013 | Agenda]]<br />
| [[Media:OWASP Netherlands Chapter Meeting 2013-10-31.pdf | flyer]]<br />
|- align="center"<br />
| November 29th<br />
| [https://www.owasp.org/index.php?title=BeNeLux_OWASP_Day_2013 OWASP Benelux Conference in the Netherlands!]<br />
|<br />
|}<br />
<br />
<!-- Third tab --><br />
<br />
= Past Events =<br />
*Events held in [[Netherlands Previous Events 2013|2013]]<br />
*Events held in [[Netherlands Previous Events 2012|2012]]<br />
*Events held in [[Netherlands Previous Events 2011|2011]]<br />
*Events held in [[Netherlands Previous Events 2010|2010]] <br />
*Events held in [[Netherlands Previous Events 2009|2009]] <br />
*Events held in [[Netherlands Previous Events 2008|2008]] <br />
*Events held in [[Netherlands Previous Events 2007|2007]] <br />
*Events held in [[Netherlands Previous Events 2006|2006]] <br />
*Events held in [[Netherlands Previous Events 2005|2005]]<br />
<br />
<!-- Fourth tab --><br />
= Chapter Leaders =<br />
The Netherlands Chapter is supported by the following board: <br />
*[https://www.owasp.org/index.php/User:Ferdinand_Vroom Ferdinand Vroom]<br />
*[https://www.owasp.org/index.php/User:Knoblochmartin Martin Knobloch], PervaSec<br />
<br> <br />
*[mailto:netherlands@owasp.org OWASP Netherlands], OWASP Netherlands board email adres<br />
Our goal is to professionalize the local OWASP functioning, provide in a bigger footprint to detect OWASP opportunities such as speakers/topics/sponsors/… and set a 5 year target on: Target audiences, Different events and Interactions of OWASP global – local projects. <br />
<br />
<!-- Fifth and last tab --><br />
= Chapter Support =<br />
=== Chapter Sponsoring ===<br />
OWASP Netherlands is looking for organizations to sponsor our chapter. <br />
If you are interested in sponsoring the Netherlands chapter please contact us via email: [mailto:netherlands@owasp.org netherlands 'at' owasp.org]. <br />
<br />
=== Donation ===<br />
If you would like to donate to our chapter, please use the PayPal link at the top of this page.<br />
;Thank you!<br />
<br />
=== Call for Speakers ===<br />
We are continuously looking for speakers.<br>'''Presentations:''' Are you working on an interesting subject, would you like to share your experience with the OWASP community and do you have presentation skills. Please let us know! Any topic related to web application security will be appreciated!<br>'''VAC, Vulnerability, Attack, Countermeasure:''' The VAC is a re occuring part of the chapter meetings. The VAC is a half hour in-depth technical presentation about a vulnerability, how it can be exploited and how to prevent it!<br> <br />
<span style="font-weight: bold;">Links: </span> <br />
[http://www.owasp.org/index.php/Speaker_Agreement Speaker Agreement] <br />
[http://www.owasp.org/images/5/54/Presentation_template.ppt Template] <br />
Interested in presenting at a local chapter meeting, please send an email to: netherlands 'at' owasp.org <br />
<br />
=== Call for Location ===<br />
For the OWASP Netherlands chapter meetings to come, we are continuously looking for locations! <br />
Most preferable, the location is good accessible with public transport and by car. Free parking should be provided. <br />
What do we expect: <br />
*meeting room for at least 50 people <br />
*lunch for attendees <br />
**drinks, sandwiches... <br />
*a small present for the speakers <br />
**(e.g. bottle of wine, for speakers from aboard alcohol might be less practical if flying in only with hand luggage)<br />
Interested in sponsoring a local chapter meeting, please send an email to: netherlands 'at' owasp.org <br />
<br />
<!-- Don't remove this tag --><br />
__NOTOC__ <br />
<headertabs/><br />
[[Category:Europe]]</div>Favroomhttps://wiki.owasp.org/index.php?title=BeNeLux_OWASP_Day_2013&diff=164197BeNeLux OWASP Day 20132013-12-03T16:00:36Z<p>Favroom: /* Title, by Dick Berlijn */</p>
<hr />
<div><center>[[Image:Bnl13header-v.1.0.png]]<br></center><br />
<br><!-- Header --><br />
<br />
<br />
<!-- First tab --><br />
= Welcome =<br />
<br />
=== Welcome to OWASP BeNeLux 2013 ===<br />
<br />
'''Sorry, the registration is closed, no tickets left!'''<br />
<br />
<!--[http://owaspbenelux2013.eventbrite.com/ http://www.owasp.org/images/7/77/Buttoncreate.png] --><br />
<br />
<!--<br />
==== News ====<br />
* <br />
* <br />
<br><br />
<br />
==== Confirmed trainers for Trainingday ====<br />
{{#switchtablink:Trainingday| <p><br />
* <br />
* <br />
* <br />
* <br />
}}<br />
<br><br />
<br />
--><br />
<br />
==== Confirmed speakers Conference ====<br />
{{#switchtablink:Conferenceday| <p><br />
* Dick Berlijn (ex Chief of Defence NL)<br />
* Jan Joris Vereijken (ING)<br />
* Tom Van Goethem (University Leuven)<br />
* Jerome Nokin (Verizon Business)<br />
* Nick Nikiforakis (University Leuven)<br />
* Fakos Alexios and Jan Philipp (n.runs AG)<br />
* Migchiel de Jong (HP Fortify)<br />
* Victor van der Veen (ITQ)<br />
}}<br />
<br><br />
<br />
==== The OWASP BeNeLux Program Committee ====<br />
*Bart De Win / Sebastien Deleersnyder/ Lieven Desmet/ David Mathy, OWASP Belgium<br />
*Martin Knobloch / Ferdinand Vroom, OWASP Netherlands<br />
*Jocelyn Aubert / Andre Adelsbach/ Thierry Zoller, OWASP Luxembourg<br />
<br><br />
<br />
=== Tweet! ===<br />
Event tag is [http://twitter.com/#search?q=%23owaspbnl13 #owaspbnl13]<br />
<br><br><br />
==== Donate to OWASP BeNeLux ====<br />
[https://co.clickandpledge.com/?wid=72689 Donate]<br />
<br />
<!-- Second tab --><br />
<br />
= Registration =<br />
<br />
==== OWASP BeNeLux training day and conference are free! ==== <br />
<br />
=== Registration is closed ===<br />
Sorry but we already reached the maximum number of pariticipants.<br />
<br />
<br />
<br><br />
To support the OWASP organisation, consider to become a member, it's only US$50!<br />
<br> <br />
Check out the [[Membership]] page to find out more. <br />
<br><br />
<br />
<br />
<!-- Third tab --><br />
<br />
= Venue =<br />
<br />
=== Venue is ===<br />
<br />
'''RAI Amsterdam - Entrance G'''<br />
;Emerald Room<br />
;(On the first floor of the Auditorium Centre)<br />
;Europaplein 2-22<br />
;1078 Amsterdam, THE NETHERLANDS <br />
<br />
<br>'''Parking & roadmap''':<br />
<br />
There is a public parking at the conference venue.<br />
<br />
Roadmap and parking: <br />
<br />
<br />
<br>'''Hotels nearby''': <br> <br />
<br />
<br />
<!-- Fourth tab - currently removed<br />
<br />
= Trainingday =<br />
<br />
==== Trainingday, November 29th ====<br />
<br />
==== Location ====<br />
The training room is: <br />
TBD<br />
<br><br />
<br />
(for details, check the {{#switchtablink:Venue|Venue}} tab)<br />
<br />
==== Agenda ==== <br />
{| class="wikitable"<br />
! Time !! Description !! Room 1 !! Room 2 !! Room 3 !! Room 4<br />
|-<br />
| 08h30 - 9h30<br />
| colspan="5" style="text-align: center; background: grey; color: white;" | ''Registration''<br />
|-<br />
| 09h30 - 11h00 || Training<br />
| rowspan="7" style="width:100px;" | tbd<br />
| rowspan="7" style="width:100px;" | tbd<br />
| rowspan="7" style="width:100px;" | tbd<br />
| rowspan="7" style="width:100px;" | tbd<br />
|-<br />
| 11h00 - 11h30 || ''Coffee Break''<br />
|-<br />
| 11h30 - 13h00 || Training<br />
|-<br />
| 13h00 - 14h00 || ''Lunch''<br />
|-<br />
| 14h00 - 15h30 || Training<br />
|-<br />
| 15h30 - 16h00 || ''Coffee Break''<br />
|-<br />
| 16h00 - 17h30 || Training<br />
|}<br />
<br />
<br />
<br />
<br />
<br />
<br><br />
<br />
--><br />
<br />
<br />
<!-- Fifth tab --><br />
<br />
= Conferenceday =<br />
<br />
==== Conferenceday, November 29th ====<br />
<br />
==== Location ====<br />
TBD (for details, check the {{#switchtablink:Venue|Venue}} tab)<br />
<br />
==== Agenda ==== <br />
{| class="wikitable"<br />
! width="90pt" | Time<br />
! width="130pt" | Speaker !! Topic<br />
|- <br />
| 09h00 - 10h00<br />
| colspan="2" style="text-align: center; background: grey; color: white" | ''Registration''<br />
|- <br />
| 10h00 - 10h15 || OWASP Benelux Organization || '''[[Media: OWASP_benelux-day_2013_opening_agenda_closing.pdf | Welcome]]''' <br />
|-<br />
| 10h15 - 10h30 || Sebastien Deleersnyder, OWASP Global || '''[https://www.owasp.org/images/4/49/OWASP_Update_BeNeLux_2013.pptx OWASP update]'''<br />
|-<br />
| 10h30 - 11h10 || [[#JanJorisVereijken|Jan Joris Vereijken]] || '''Keynote: Inside the mind of the fraudster'''<br />
|-<br />
| 11h10 - 11h30 <br />
| colspan="2" style="text-align: center;background: grey; color: white" | ''Morning Break'' <br />
|-<br />
| 11h30 - 12h10 || [[#TomVanGoethem|Tom Van Goethem]] || '''[[Media:RemoteCodeExecutionInWordPress-OWASPBeNeLux-Tom_Van_Goethem.pdf | Remote code execution in WordPress: an analysis]]'''<br />
|-<br />
| 12h10 - 12h50 || [[#AlexiosFakosAndJanPhilipp|Alexios Fakos & Jan Philipp]] || '''[[Media:OWASP_BeNeLux-SharePoint-Comprehensive_Security_model_v1.0.pdf | Getting a handle on SharePoint security complexity]]'''<br />
|-<br />
| 12h50 - 13h30<br />
| colspan="2" style="text-align: center;background: grey; color: white" | ''Lunch'' <br />
|-<br />
| 13h30 - 14h10 || [[#DickBerlijn|Dick Berlijn]] || '''Keynote: Cyber warfare''' <br />
|-<br />
| 14h10 - 14h50 || [[#MigchieldeJong|Migchiel de Jong]] || ''' [[Media:owasp2013-mdejong.pdf | Static Analysis and code review; A journey through time]]'''<br />
|-<br />
| 14h50 - 15h30 || [[#NickNikiforakis|Nick Nikiforakis]] || '''[[Media:webfingerprinting_owaspBENELUX2013.pdf |Everything you always wanted to know about web-based device fingerprinting (but were afraid to ask)]]'''<br />
|-<br />
| 15h30 - 15h50<br />
| colspan="2" style="text-align: center;background: grey; color: white" | ''Break'' <br />
|-<br />
| 16h30 - 17h10 || [[#JeromeNokin|Jerome Nokin]] || '''Turning your managed Anti-Virus into my botnet'''<br />
|-<br />
| 17h10 - 17h50 || [[#VictorvanderVeen|Victor van der Veen]] || '''[[Media:TraceDroid.pdf | TraceDroid: A Fast and Complete Android Method Tracer]]'''<br />
|-<br />
| 17h50 - 18h00 || OWASP Benelux 2013 organization || '''Closing Notes'''<br />
|}<br />
<br />
<br><br />
<br><br />
<br />
<br />
<div id="JanJorisVereijken"></div><br />
<br />
=== Key note: Inside the mind of the fraudster, by Jan Joris Vereijken (Chief Security Architect, ING) ===<br />
''Abstract:''<br><br />
When we talk about banking malware, we typically think of bits and bytes: Zeus variants, field injections, Man-in-the-Browser attacks, or forensic analysis of infected PCs. What is actually much more interesting, is to understand what is driving the fraudster. He’s doesn’t care about bits and bytes, he’s just in it for the money. If we get into the mind of the fraudster, we can suddenly understand many issues much better. We’ll see that authentication is irrelevant, fraudsters don’t want to steal millions, that they hate the mobile app, and many more surprising things your never realized were keeping our poor fraudster awake at night.<br />
<br><br />
<br><br />
''Bio:''<br><br />
'''Jan Joris Vereijken''' holds a Ph.D. in Computing Science from the Eindhoven University of Technology, where he worked on algebraic protocol verification. After a brief stint at Bell Laboratories to work on Software Engineering, he moved to ING, the Dutch banking conglomerate. <br><br />
In his current role as Chief Security Architect, he is responsible for the security architecture in the 35-odd countries where ING has banking operations.<br><br />
<br><br />
<br />
<div id="TomVanGoethem"></div><br />
=== Remote code exection in WordPress: an analysis, by Tom Van Goethem (PhD Researcher, University of Leuven) ===<br />
''Abstract:''<br><br />
With over 13 million downloads, WordPress is one of the most popular open source blog platforms and content management systems. One of its key features is the installation of plugins. These are developed by third parties, but WordPress has to maintain its legacy codebase in order to remain compatible with these plugins. As this codebase makes use of unsafe functions, vulnerabilities may arise, affecting thousands websites - if not more. This presentation will focus on a vulnerability that has been present in WordPress versions up to September 2013. This vulnerability, which may lead to Remote Code Execution, was found by a simple combination of two publicly known elements: PHP Object Injection and unexpected behaviour of MySQL regarding Unicode characters.<br />
<br><br />
::[[Media:RemoteCodeExecutionInWordPress-OWASPBeNeLux-Tom_Van_Goethem.pdf | Download the presentation as PDF]]<br />
<br><br />
''Bio:''<br><br />
'''Tom Van Goethem''' is passionate about web security. After getting a master's degree of Applied Informatics, he enrolled in a PhD at the University of Leuven. As a student with a chronic drinking problem, he still found some time to hunt bugs for fun (and profit).<br><br />
<br><br />
<br />
<div id="AlexiosFakosAndJanPhilipp"></div><br />
=== Getting a handle on SharePoint security complexity, by Jan Philipp (Solutions Consultant Security, n.runs) and Alexios Fakos (Principal IT Security Consultant, n.runs) ===<br />
''Abstract:''<br><br />
This presentation’s main goal is to provide decision makers, architects, administrators and developers with a comprehensive SharePoint security overview. We will introduce a SharePoint security model applicable to SharePoint versions 2010 and 2013. Then we will take a closer look at the use of different types of security principals and their effective use. This will be followed by covering security aspects when implementing and extending SharePoint to meet business needs and will be emphasized by showcasing common security pitfalls with examples throughout the presentation. This will be demonstrated with security down to the “nitty-gritty” details based on actual use cases and tips and pitfalls that have been encountered during security assessments and implementation of SharePoint solutions.<br />
<br><br />
::[[Media:OWASP_BeNeLux-SharePoint-Comprehensive_Security_model_v1.0.pdf | Download the presentation as PDF]]<br />
<br><br />
''Bio:''<br><br />
'''Jan Philipp''' (MCT since 1989, MCITP, MCSE) works as a security consultant at n.runs, where he is responsible for design and implementation security assessments of complex global SharePoint infrastructures and solutions for major German and international companies. He has been involved with SharePoint technologies from their inception with Digital Dashboards throughout their many development changes (TeamSpaces, MOSS etc.) to the present day SharePoint and SharePoint Live versions.<br><br />
'''Alexios Fakos''' (CRISC, CSSLP) began his career in development as a Software Engineer back in 1999. After seven years of inspired insights in the software industry he joined n.runs to be part of the security team. Alexios is leading n.runs SDL services and he is since 2008 part of the German OWASP chapter. Alexios held presentations at OWASP AppSec US and Germany.<br />
<br><br />
<br><br />
<br />
<br />
<div id="DickBerlijn"></div><br />
=== Title, by Dick Berlijn ===<br />
''Abstract:''<br><br />
[http://www.youtube.com/watch?feature=player_embedded&v=l_XOrcBxy-E Link to the movie on YouTube]<br />
<br><br />
<br><br />
''Bio:''<br><br />
'''Dick Berlijn'''<br />
<br><br />
<br><br />
<br />
<div id="MigchieldeJong"></div><br />
<br />
=== Static Analysis and code review; A journey through time, by Migchiel de Jong (Software Security Consultant, HP Fortify) ===<br />
''Abstract:''<br><br />
Static analysis techniques to support code review, not just for security, have been around for a long time. This talk will take you on journey from the early days of computer science to this modern day and age of cloud, BYOD and mobile apps and how the passing of time affected code review and the technology to support it. The takeaways from this session are; Understanding the fundamentals problems that have to be addressed to really get the benefits from using static analysis for code review. Trends in code review. Best practices for code review. What the future holds for code review.<br />
<br><br />
::[[Media:owasp2013-mdejong.pdf | Download the presentation as PDF]]<br />
<br><br />
''Bio:''<br><br />
'''Migchiel de Jong''' has developed hardware and software for the nuclear medicine and nuclear industry space for 10 years before joining Rational Software. During the 5 years at Rational Software (later acquired by IBM) he was involved in many software development process improvement projects. Having joined Fortify 9 years ago, Migchiel de Jong is currently working at HP Fortify, as a software security consultant helping large customers succeed with their software security assurance initiatives.<br><br />
<br><br />
<br />
<div id="NickNikiforakis"></div><br />
=== Everything you always wanted to know about web-based device fingerprinting (but were afraid to ask), by Nick Nikiforakis (Postdoctoral Researcher, University of Leuven) ===<br />
''Abstract:''<br><br />
Billions of users browse the web on a daily basis,<br />
and there are single websites that have reached over one billion user<br />
accounts. In this environment, the ability to track users and their online habits can<br />
be very lucrative for advertising companies, yet very intrusive for the privacy of users.<br />
<br />
In this talk, we are going to describe web-based device fingerprinting, i.e., the ability<br />
to tell users apart, without the use of cookies or any other client-side identifiers. We<br />
will explain how device fingerprinting works, who is using, for what reason, and how people<br />
are trying to defend against it today. <br />
<br><br />
::[[Media:webfingerprinting_owaspBENELUX2013.pdf | Download the presentation as PDF]]<br />
<br><br />
''Bio:''<br><br />
'''Nick Nikiforakis''' is a Postdoctoral Researcher at KU Leuven in Belgium. Nick's interests lie<br />
in the analysis of online ecosystems from a security and privacy perspective and he has<br />
published his work in top conferences of his field. More information about him can be found<br />
on his personal page: http://www.securitee.org .<br><br />
<br><br />
<br />
<div id="JeromeNokin"></div><br />
=== Turning your managed Anti-Virus into my botnet, by Jerome Nokin (Senior Security Consultant, Verizon Business) ===<br />
''Abstract:''<br><br />
Today centrally managed Anti-Virus (AV) solutions are used across all enterprises and are relied upon to provide central management, logging and enforcement. This talk presents the journey and the results of a reviewing the security posture of the core components of a few selected managed AV solutions, the central servers themselves. <br />
Critical security vulnerabilities will be presented, covering SQL Injection, Directory Path Traversal and Buffer Overflow.<br />
Particular focus will be given to the different steps required to analyze both protocols and management functionality and covers reverse-engineering, debugging and the creation of fuzzing tools. Who does not want to transform a major managed AV into his private botnet within minutes?<br />
<br><br />
<br><br />
''Bio:''<br><br />
'''Jerome Nokin''' works as a Security Consultant for Verizon Enterprise where he is a senior member of the Vulnerability Management Team mainly focusing on Penetration Tests<br />
and Web Application Assessment. Prior to his role at Verizon he worked in the area of security covering both consultancy and ICT.<br><br />
<br><br />
<br />
<div id="VictorvanderVeen"></div><br />
=== TraceDroid: A Fast and Complete Android Method Tracer, by Victor van der Veen (Security Consultant, ITQ) ===<br />
''Abstract:''<br><br />
Tracedroid allows you to upload any Android APK file (i.e., an Android app) for automated analysis. Tracedroid records the behavior of the executed app, such as its network communication, the UI, but also its internal function calls and Java code that is executed. To trigger the app's real behavior, Tracedroid emulates a few actions, such as user interaction, incoming calls and SMS messages, etc. - this will reveal most malicious intents of an app (if any).<br><br />
During this presentation, I will outline how Tracedroid is implemented and how its stimulation engine performs in terms of code coverage. I will also demonstrate how Tracedroid's output can help malware researchers to gain a better understanding of unknown Android applications during a live demo.<br><br />
You can already give TraceDroid a try via http://tracedroid.few.vu.nl<br />
<br><br />
::[[Media:TraceDroid.pdf | Download the presentation as PDF]]<br />
<br><br />
''Bio:''<br><br />
'''Victor van der Veen''' is a security consultant at ITQ and holds a MSc degree in Computer Science from the VU University Amsterdam. TraceDroid is part of his master thesis titled ‘Dynamic Analysis of Android Malware’ for which he co-worked with the Andrubis team from Vienna’s iSecLab. His interests are low-level system topics that enhance system security, as well as reverse engineering and analyzing malicious code. His previous work involves the implementation of a (partial) thrust-worthy voting machine and an in depth analysis on trends in the field of memory errors (published at RAID 2012).<br />
<br><br />
<br />
<br />
<!-- Sixth tab --><br />
<br />
= Social Event =<br />
<br />
==== Social Event, November 28th ====<br />
'''You (still) got that swing, and what about the moves ? We've got the Balls!'''<br />
<br />
:So "Pin" your schedule to the OWASP Benelux Days - Social Event.<br />
:Thursday Night the 28th of November, our partner Vest Information Security is happy to invite you at:<br />
<br />
:::Knijn Bowling<br />
:::Scheldeplein 3<br />
:::1078 GR Amsterdam<br />
:::http://www.knijnbowling.nl/<br />
<br />
;This is Amsterdams most famous retro-style bowling centre.<br />
<br />
:We are very happy to welcome you from 20:30.<br />
:Our Bowling Tracks are open from 21:30 - 24:00<br />
<br />
<hr><br />
'''The OWASP BeNeLux-Day 2013 Social Event is sponsored by:"<br />
[http://www.vest.nl https://www.owasp.org/images/1/1d/Logo_Vest_BIG_170.gif]<br />
<!-- Seventh tab --><br />
<br />
= CTF =<br />
<br />
==== Capture the Flag! ====<br />
<br />
* Do you like puzzles? <br />
* Do you like challenges? <br />
* Are you a hacker?<br />
<br />
Whether you are an experienced hacker or new enthusiast you should come to OWASP BeNeLux 2013 and participate in the Capture the Flag event November 29th 2013. <br />
<br />
The OWASP CTF is especially designed to support challengers of all skill levels. The CTF contains multiple challenges in various fields related to application security. As every challenge gains you one point, you can pick and choose which challenge you want to play.<br />
<br />
All you need is a laptop with a wifi card and your favorite (preferably) non-commercial tools. <br />
<br />
So come, show off your skills, learn new tricks and above all have a good time at the CTF event. <br />
<br />
<br />
<!-- Eighth tab --><br />
<br />
= Sponsor =<br />
<br />
==== Become a sponsor of OWASP BeNeLux ====<br />
<br />
==== Donate to OWASP BeNeLux ====<br />
<br />
[https://co.clickandpledge.com/?wid=72689 Sponsor] <br />
<br />
<br />
==== Promotion ====<br />
''Feel free to use the text below to promote our event!''<br />
<br />
We invite you to our next OWASP event: the '''BeNeLux OWASP Days 2013!'''<br />
<br />
Free your agenda on the 28th and 29th of November, 2013.<br />
<br />
The good news: free! No fee!<br />
<br />
The bad news: there are only 280 seats available (first register, first serve)!<br />
<br />
<br />
<!-- Don't remove these two lines! --><br />
__NOTOC__ <br />
<headertabs/><br />
<br />
==== Made possible by our {{#switchtablink:Sponsor|Sponsors}}====<br />
<br />
{{MemberLinks|link=http://www.pwc.com/|logo=PWC_log_resized.png}}<br />
[http://www.zionsecurity.com https://www.owasp.org/images/e/e6/Zionsecurity.jpg]<br />
[http://www.vest.nl https://www.owasp.org/images/1/1d/Logo_Vest_BIG_170.gif]<br />
[http://www.Checkmarx.com https://www.owasp.org/images/a/a2/Checkmarx.jpg]<br />
[http://www.sogeti.nl https://www.owasp.org/images/9/94/Sogeti_logo.png]<br />
[http://www.securify.nl https://www.owasp.org/images/7/7a/Securify_BV_logo.png]<br />
{{MemberLinks|link=https://www.whitehatsec.com/|logo=Whitehat.gif}}<br />
[http://www.nviso.be https://www.owasp.org/images/5/5e/Nviso_logo_RGB_baseline_200px.png]<br />
[https://informatiebeveiliging.nl/ https://www.owasp.org/images/9/9a/Logo_Informatiebeveiliging-200.png]<br />
[http://www8.hp.com/us/en/software-solutions/software-security/index.html https://www.owasp.org/images/a/af/HP_Blue_RGB_150_LG-200.png]<br />
[http://www.northwave.nl https://www.owasp.org/images/4/4c/LogoNorthwave.jpg]<br />
[http://www.cigital.com https://www.owasp.org/images/7/73/AppSecDC2012-Cigital.jpg]<br />
[[File:Deloitte.jpg||170px|link=http://www.deloitte.com/view/en_NL/nl]]<br />
[[File:Logo secwatch.jpg||170px|link=http://www.secwatch.nl]]<br />
<br />
<br><br />
<br />
<br />
[[Category:OWASP_AppSec_Conference]] [[Category:OWASP_BeNeLux_Archives]]</div>Favroomhttps://wiki.owasp.org/index.php?title=BeNeLux_OWASP_Day_2013&diff=164196BeNeLux OWASP Day 20132013-12-03T15:59:41Z<p>Favroom: /* Title, by Dick Berlijn */</p>
<hr />
<div><center>[[Image:Bnl13header-v.1.0.png]]<br></center><br />
<br><!-- Header --><br />
<br />
<br />
<!-- First tab --><br />
= Welcome =<br />
<br />
=== Welcome to OWASP BeNeLux 2013 ===<br />
<br />
'''Sorry, the registration is closed, no tickets left!'''<br />
<br />
<!--[http://owaspbenelux2013.eventbrite.com/ http://www.owasp.org/images/7/77/Buttoncreate.png] --><br />
<br />
<!--<br />
==== News ====<br />
* <br />
* <br />
<br><br />
<br />
==== Confirmed trainers for Trainingday ====<br />
{{#switchtablink:Trainingday| <p><br />
* <br />
* <br />
* <br />
* <br />
}}<br />
<br><br />
<br />
--><br />
<br />
==== Confirmed speakers Conference ====<br />
{{#switchtablink:Conferenceday| <p><br />
* Dick Berlijn (ex Chief of Defence NL)<br />
* Jan Joris Vereijken (ING)<br />
* Tom Van Goethem (University Leuven)<br />
* Jerome Nokin (Verizon Business)<br />
* Nick Nikiforakis (University Leuven)<br />
* Fakos Alexios and Jan Philipp (n.runs AG)<br />
* Migchiel de Jong (HP Fortify)<br />
* Victor van der Veen (ITQ)<br />
}}<br />
<br><br />
<br />
==== The OWASP BeNeLux Program Committee ====<br />
*Bart De Win / Sebastien Deleersnyder/ Lieven Desmet/ David Mathy, OWASP Belgium<br />
*Martin Knobloch / Ferdinand Vroom, OWASP Netherlands<br />
*Jocelyn Aubert / Andre Adelsbach/ Thierry Zoller, OWASP Luxembourg<br />
<br><br />
<br />
=== Tweet! ===<br />
Event tag is [http://twitter.com/#search?q=%23owaspbnl13 #owaspbnl13]<br />
<br><br><br />
==== Donate to OWASP BeNeLux ====<br />
[https://co.clickandpledge.com/?wid=72689 Donate]<br />
<br />
<!-- Second tab --><br />
<br />
= Registration =<br />
<br />
==== OWASP BeNeLux training day and conference are free! ==== <br />
<br />
=== Registration is closed ===<br />
Sorry but we already reached the maximum number of pariticipants.<br />
<br />
<br />
<br><br />
To support the OWASP organisation, consider to become a member, it's only US$50!<br />
<br> <br />
Check out the [[Membership]] page to find out more. <br />
<br><br />
<br />
<br />
<!-- Third tab --><br />
<br />
= Venue =<br />
<br />
=== Venue is ===<br />
<br />
'''RAI Amsterdam - Entrance G'''<br />
;Emerald Room<br />
;(On the first floor of the Auditorium Centre)<br />
;Europaplein 2-22<br />
;1078 Amsterdam, THE NETHERLANDS <br />
<br />
<br>'''Parking & roadmap''':<br />
<br />
There is a public parking at the conference venue.<br />
<br />
Roadmap and parking: <br />
<br />
<br />
<br>'''Hotels nearby''': <br> <br />
<br />
<br />
<!-- Fourth tab - currently removed<br />
<br />
= Trainingday =<br />
<br />
==== Trainingday, November 29th ====<br />
<br />
==== Location ====<br />
The training room is: <br />
TBD<br />
<br><br />
<br />
(for details, check the {{#switchtablink:Venue|Venue}} tab)<br />
<br />
==== Agenda ==== <br />
{| class="wikitable"<br />
! Time !! Description !! Room 1 !! Room 2 !! Room 3 !! Room 4<br />
|-<br />
| 08h30 - 9h30<br />
| colspan="5" style="text-align: center; background: grey; color: white;" | ''Registration''<br />
|-<br />
| 09h30 - 11h00 || Training<br />
| rowspan="7" style="width:100px;" | tbd<br />
| rowspan="7" style="width:100px;" | tbd<br />
| rowspan="7" style="width:100px;" | tbd<br />
| rowspan="7" style="width:100px;" | tbd<br />
|-<br />
| 11h00 - 11h30 || ''Coffee Break''<br />
|-<br />
| 11h30 - 13h00 || Training<br />
|-<br />
| 13h00 - 14h00 || ''Lunch''<br />
|-<br />
| 14h00 - 15h30 || Training<br />
|-<br />
| 15h30 - 16h00 || ''Coffee Break''<br />
|-<br />
| 16h00 - 17h30 || Training<br />
|}<br />
<br />
<br />
<br />
<br />
<br />
<br><br />
<br />
--><br />
<br />
<br />
<!-- Fifth tab --><br />
<br />
= Conferenceday =<br />
<br />
==== Conferenceday, November 29th ====<br />
<br />
==== Location ====<br />
TBD (for details, check the {{#switchtablink:Venue|Venue}} tab)<br />
<br />
==== Agenda ==== <br />
{| class="wikitable"<br />
! width="90pt" | Time<br />
! width="130pt" | Speaker !! Topic<br />
|- <br />
| 09h00 - 10h00<br />
| colspan="2" style="text-align: center; background: grey; color: white" | ''Registration''<br />
|- <br />
| 10h00 - 10h15 || OWASP Benelux Organization || '''[[Media: OWASP_benelux-day_2013_opening_agenda_closing.pdf | Welcome]]''' <br />
|-<br />
| 10h15 - 10h30 || Sebastien Deleersnyder, OWASP Global || '''[https://www.owasp.org/images/4/49/OWASP_Update_BeNeLux_2013.pptx OWASP update]'''<br />
|-<br />
| 10h30 - 11h10 || [[#JanJorisVereijken|Jan Joris Vereijken]] || '''Keynote: Inside the mind of the fraudster'''<br />
|-<br />
| 11h10 - 11h30 <br />
| colspan="2" style="text-align: center;background: grey; color: white" | ''Morning Break'' <br />
|-<br />
| 11h30 - 12h10 || [[#TomVanGoethem|Tom Van Goethem]] || '''[[Media:RemoteCodeExecutionInWordPress-OWASPBeNeLux-Tom_Van_Goethem.pdf | Remote code execution in WordPress: an analysis]]'''<br />
|-<br />
| 12h10 - 12h50 || [[#AlexiosFakosAndJanPhilipp|Alexios Fakos & Jan Philipp]] || '''[[Media:OWASP_BeNeLux-SharePoint-Comprehensive_Security_model_v1.0.pdf | Getting a handle on SharePoint security complexity]]'''<br />
|-<br />
| 12h50 - 13h30<br />
| colspan="2" style="text-align: center;background: grey; color: white" | ''Lunch'' <br />
|-<br />
| 13h30 - 14h10 || [[#DickBerlijn|Dick Berlijn]] || '''Keynote: Cyber warfare''' <br />
|-<br />
| 14h10 - 14h50 || [[#MigchieldeJong|Migchiel de Jong]] || ''' [[Media:owasp2013-mdejong.pdf | Static Analysis and code review; A journey through time]]'''<br />
|-<br />
| 14h50 - 15h30 || [[#NickNikiforakis|Nick Nikiforakis]] || '''[[Media:webfingerprinting_owaspBENELUX2013.pdf |Everything you always wanted to know about web-based device fingerprinting (but were afraid to ask)]]'''<br />
|-<br />
| 15h30 - 15h50<br />
| colspan="2" style="text-align: center;background: grey; color: white" | ''Break'' <br />
|-<br />
| 16h30 - 17h10 || [[#JeromeNokin|Jerome Nokin]] || '''Turning your managed Anti-Virus into my botnet'''<br />
|-<br />
| 17h10 - 17h50 || [[#VictorvanderVeen|Victor van der Veen]] || '''[[Media:TraceDroid.pdf | TraceDroid: A Fast and Complete Android Method Tracer]]'''<br />
|-<br />
| 17h50 - 18h00 || OWASP Benelux 2013 organization || '''Closing Notes'''<br />
|}<br />
<br />
<br><br />
<br><br />
<br />
<br />
<div id="JanJorisVereijken"></div><br />
<br />
=== Key note: Inside the mind of the fraudster, by Jan Joris Vereijken (Chief Security Architect, ING) ===<br />
''Abstract:''<br><br />
When we talk about banking malware, we typically think of bits and bytes: Zeus variants, field injections, Man-in-the-Browser attacks, or forensic analysis of infected PCs. What is actually much more interesting, is to understand what is driving the fraudster. He’s doesn’t care about bits and bytes, he’s just in it for the money. If we get into the mind of the fraudster, we can suddenly understand many issues much better. We’ll see that authentication is irrelevant, fraudsters don’t want to steal millions, that they hate the mobile app, and many more surprising things your never realized were keeping our poor fraudster awake at night.<br />
<br><br />
<br><br />
''Bio:''<br><br />
'''Jan Joris Vereijken''' holds a Ph.D. in Computing Science from the Eindhoven University of Technology, where he worked on algebraic protocol verification. After a brief stint at Bell Laboratories to work on Software Engineering, he moved to ING, the Dutch banking conglomerate. <br><br />
In his current role as Chief Security Architect, he is responsible for the security architecture in the 35-odd countries where ING has banking operations.<br><br />
<br><br />
<br />
<div id="TomVanGoethem"></div><br />
=== Remote code exection in WordPress: an analysis, by Tom Van Goethem (PhD Researcher, University of Leuven) ===<br />
''Abstract:''<br><br />
With over 13 million downloads, WordPress is one of the most popular open source blog platforms and content management systems. One of its key features is the installation of plugins. These are developed by third parties, but WordPress has to maintain its legacy codebase in order to remain compatible with these plugins. As this codebase makes use of unsafe functions, vulnerabilities may arise, affecting thousands websites - if not more. This presentation will focus on a vulnerability that has been present in WordPress versions up to September 2013. This vulnerability, which may lead to Remote Code Execution, was found by a simple combination of two publicly known elements: PHP Object Injection and unexpected behaviour of MySQL regarding Unicode characters.<br />
<br><br />
::[[Media:RemoteCodeExecutionInWordPress-OWASPBeNeLux-Tom_Van_Goethem.pdf | Download the presentation as PDF]]<br />
<br><br />
''Bio:''<br><br />
'''Tom Van Goethem''' is passionate about web security. After getting a master's degree of Applied Informatics, he enrolled in a PhD at the University of Leuven. As a student with a chronic drinking problem, he still found some time to hunt bugs for fun (and profit).<br><br />
<br><br />
<br />
<div id="AlexiosFakosAndJanPhilipp"></div><br />
=== Getting a handle on SharePoint security complexity, by Jan Philipp (Solutions Consultant Security, n.runs) and Alexios Fakos (Principal IT Security Consultant, n.runs) ===<br />
''Abstract:''<br><br />
This presentation’s main goal is to provide decision makers, architects, administrators and developers with a comprehensive SharePoint security overview. We will introduce a SharePoint security model applicable to SharePoint versions 2010 and 2013. Then we will take a closer look at the use of different types of security principals and their effective use. This will be followed by covering security aspects when implementing and extending SharePoint to meet business needs and will be emphasized by showcasing common security pitfalls with examples throughout the presentation. This will be demonstrated with security down to the “nitty-gritty” details based on actual use cases and tips and pitfalls that have been encountered during security assessments and implementation of SharePoint solutions.<br />
<br><br />
::[[Media:OWASP_BeNeLux-SharePoint-Comprehensive_Security_model_v1.0.pdf | Download the presentation as PDF]]<br />
<br><br />
''Bio:''<br><br />
'''Jan Philipp''' (MCT since 1989, MCITP, MCSE) works as a security consultant at n.runs, where he is responsible for design and implementation security assessments of complex global SharePoint infrastructures and solutions for major German and international companies. He has been involved with SharePoint technologies from their inception with Digital Dashboards throughout their many development changes (TeamSpaces, MOSS etc.) to the present day SharePoint and SharePoint Live versions.<br><br />
'''Alexios Fakos''' (CRISC, CSSLP) began his career in development as a Software Engineer back in 1999. After seven years of inspired insights in the software industry he joined n.runs to be part of the security team. Alexios is leading n.runs SDL services and he is since 2008 part of the German OWASP chapter. Alexios held presentations at OWASP AppSec US and Germany.<br />
<br><br />
<br><br />
<br />
<br />
<div id="DickBerlijn"></div><br />
=== Title, by Dick Berlijn ===<br />
''Abstract:''<br><br />
<br><br />
<br><br />
''Bio:''<br><br />
'''Dick Berlijn'''<br />
<br><br />
<br><br />
[http://www.youtube.com/watch?feature=player_embedded&v=l_XOrcBxy-E Link to the movie on YouTube]<br />
<div id="MigchieldeJong"></div><br />
<br />
=== Static Analysis and code review; A journey through time, by Migchiel de Jong (Software Security Consultant, HP Fortify) ===<br />
''Abstract:''<br><br />
Static analysis techniques to support code review, not just for security, have been around for a long time. This talk will take you on journey from the early days of computer science to this modern day and age of cloud, BYOD and mobile apps and how the passing of time affected code review and the technology to support it. The takeaways from this session are; Understanding the fundamentals problems that have to be addressed to really get the benefits from using static analysis for code review. Trends in code review. Best practices for code review. What the future holds for code review.<br />
<br><br />
::[[Media:owasp2013-mdejong.pdf | Download the presentation as PDF]]<br />
<br><br />
''Bio:''<br><br />
'''Migchiel de Jong''' has developed hardware and software for the nuclear medicine and nuclear industry space for 10 years before joining Rational Software. During the 5 years at Rational Software (later acquired by IBM) he was involved in many software development process improvement projects. Having joined Fortify 9 years ago, Migchiel de Jong is currently working at HP Fortify, as a software security consultant helping large customers succeed with their software security assurance initiatives.<br><br />
<br><br />
<br />
<div id="NickNikiforakis"></div><br />
=== Everything you always wanted to know about web-based device fingerprinting (but were afraid to ask), by Nick Nikiforakis (Postdoctoral Researcher, University of Leuven) ===<br />
''Abstract:''<br><br />
Billions of users browse the web on a daily basis,<br />
and there are single websites that have reached over one billion user<br />
accounts. In this environment, the ability to track users and their online habits can<br />
be very lucrative for advertising companies, yet very intrusive for the privacy of users.<br />
<br />
In this talk, we are going to describe web-based device fingerprinting, i.e., the ability<br />
to tell users apart, without the use of cookies or any other client-side identifiers. We<br />
will explain how device fingerprinting works, who is using, for what reason, and how people<br />
are trying to defend against it today. <br />
<br><br />
::[[Media:webfingerprinting_owaspBENELUX2013.pdf | Download the presentation as PDF]]<br />
<br><br />
''Bio:''<br><br />
'''Nick Nikiforakis''' is a Postdoctoral Researcher at KU Leuven in Belgium. Nick's interests lie<br />
in the analysis of online ecosystems from a security and privacy perspective and he has<br />
published his work in top conferences of his field. More information about him can be found<br />
on his personal page: http://www.securitee.org .<br><br />
<br><br />
<br />
<div id="JeromeNokin"></div><br />
=== Turning your managed Anti-Virus into my botnet, by Jerome Nokin (Senior Security Consultant, Verizon Business) ===<br />
''Abstract:''<br><br />
Today centrally managed Anti-Virus (AV) solutions are used across all enterprises and are relied upon to provide central management, logging and enforcement. This talk presents the journey and the results of a reviewing the security posture of the core components of a few selected managed AV solutions, the central servers themselves. <br />
Critical security vulnerabilities will be presented, covering SQL Injection, Directory Path Traversal and Buffer Overflow.<br />
Particular focus will be given to the different steps required to analyze both protocols and management functionality and covers reverse-engineering, debugging and the creation of fuzzing tools. Who does not want to transform a major managed AV into his private botnet within minutes?<br />
<br><br />
<br><br />
''Bio:''<br><br />
'''Jerome Nokin''' works as a Security Consultant for Verizon Enterprise where he is a senior member of the Vulnerability Management Team mainly focusing on Penetration Tests<br />
and Web Application Assessment. Prior to his role at Verizon he worked in the area of security covering both consultancy and ICT.<br><br />
<br><br />
<br />
<div id="VictorvanderVeen"></div><br />
=== TraceDroid: A Fast and Complete Android Method Tracer, by Victor van der Veen (Security Consultant, ITQ) ===<br />
''Abstract:''<br><br />
Tracedroid allows you to upload any Android APK file (i.e., an Android app) for automated analysis. Tracedroid records the behavior of the executed app, such as its network communication, the UI, but also its internal function calls and Java code that is executed. To trigger the app's real behavior, Tracedroid emulates a few actions, such as user interaction, incoming calls and SMS messages, etc. - this will reveal most malicious intents of an app (if any).<br><br />
During this presentation, I will outline how Tracedroid is implemented and how its stimulation engine performs in terms of code coverage. I will also demonstrate how Tracedroid's output can help malware researchers to gain a better understanding of unknown Android applications during a live demo.<br><br />
You can already give TraceDroid a try via http://tracedroid.few.vu.nl<br />
<br><br />
::[[Media:TraceDroid.pdf | Download the presentation as PDF]]<br />
<br><br />
''Bio:''<br><br />
'''Victor van der Veen''' is a security consultant at ITQ and holds a MSc degree in Computer Science from the VU University Amsterdam. TraceDroid is part of his master thesis titled ‘Dynamic Analysis of Android Malware’ for which he co-worked with the Andrubis team from Vienna’s iSecLab. His interests are low-level system topics that enhance system security, as well as reverse engineering and analyzing malicious code. His previous work involves the implementation of a (partial) thrust-worthy voting machine and an in depth analysis on trends in the field of memory errors (published at RAID 2012).<br />
<br><br />
<br />
<br />
<!-- Sixth tab --><br />
<br />
= Social Event =<br />
<br />
==== Social Event, November 28th ====<br />
'''You (still) got that swing, and what about the moves ? We've got the Balls!'''<br />
<br />
:So "Pin" your schedule to the OWASP Benelux Days - Social Event.<br />
:Thursday Night the 28th of November, our partner Vest Information Security is happy to invite you at:<br />
<br />
:::Knijn Bowling<br />
:::Scheldeplein 3<br />
:::1078 GR Amsterdam<br />
:::http://www.knijnbowling.nl/<br />
<br />
;This is Amsterdams most famous retro-style bowling centre.<br />
<br />
:We are very happy to welcome you from 20:30.<br />
:Our Bowling Tracks are open from 21:30 - 24:00<br />
<br />
<hr><br />
'''The OWASP BeNeLux-Day 2013 Social Event is sponsored by:"<br />
[http://www.vest.nl https://www.owasp.org/images/1/1d/Logo_Vest_BIG_170.gif]<br />
<!-- Seventh tab --><br />
<br />
= CTF =<br />
<br />
==== Capture the Flag! ====<br />
<br />
* Do you like puzzles? <br />
* Do you like challenges? <br />
* Are you a hacker?<br />
<br />
Whether you are an experienced hacker or new enthusiast you should come to OWASP BeNeLux 2013 and participate in the Capture the Flag event November 29th 2013. <br />
<br />
The OWASP CTF is especially designed to support challengers of all skill levels. The CTF contains multiple challenges in various fields related to application security. As every challenge gains you one point, you can pick and choose which challenge you want to play.<br />
<br />
All you need is a laptop with a wifi card and your favorite (preferably) non-commercial tools. <br />
<br />
So come, show off your skills, learn new tricks and above all have a good time at the CTF event. <br />
<br />
<br />
<!-- Eighth tab --><br />
<br />
= Sponsor =<br />
<br />
==== Become a sponsor of OWASP BeNeLux ====<br />
<br />
==== Donate to OWASP BeNeLux ====<br />
<br />
[https://co.clickandpledge.com/?wid=72689 Sponsor] <br />
<br />
<br />
==== Promotion ====<br />
''Feel free to use the text below to promote our event!''<br />
<br />
We invite you to our next OWASP event: the '''BeNeLux OWASP Days 2013!'''<br />
<br />
Free your agenda on the 28th and 29th of November, 2013.<br />
<br />
The good news: free! No fee!<br />
<br />
The bad news: there are only 280 seats available (first register, first serve)!<br />
<br />
<br />
<!-- Don't remove these two lines! --><br />
__NOTOC__ <br />
<headertabs/><br />
<br />
==== Made possible by our {{#switchtablink:Sponsor|Sponsors}}====<br />
<br />
{{MemberLinks|link=http://www.pwc.com/|logo=PWC_log_resized.png}}<br />
[http://www.zionsecurity.com https://www.owasp.org/images/e/e6/Zionsecurity.jpg]<br />
[http://www.vest.nl https://www.owasp.org/images/1/1d/Logo_Vest_BIG_170.gif]<br />
[http://www.Checkmarx.com https://www.owasp.org/images/a/a2/Checkmarx.jpg]<br />
[http://www.sogeti.nl https://www.owasp.org/images/9/94/Sogeti_logo.png]<br />
[http://www.securify.nl https://www.owasp.org/images/7/7a/Securify_BV_logo.png]<br />
{{MemberLinks|link=https://www.whitehatsec.com/|logo=Whitehat.gif}}<br />
[http://www.nviso.be https://www.owasp.org/images/5/5e/Nviso_logo_RGB_baseline_200px.png]<br />
[https://informatiebeveiliging.nl/ https://www.owasp.org/images/9/9a/Logo_Informatiebeveiliging-200.png]<br />
[http://www8.hp.com/us/en/software-solutions/software-security/index.html https://www.owasp.org/images/a/af/HP_Blue_RGB_150_LG-200.png]<br />
[http://www.northwave.nl https://www.owasp.org/images/4/4c/LogoNorthwave.jpg]<br />
[http://www.cigital.com https://www.owasp.org/images/7/73/AppSecDC2012-Cigital.jpg]<br />
[[File:Deloitte.jpg||170px|link=http://www.deloitte.com/view/en_NL/nl]]<br />
[[File:Logo secwatch.jpg||170px|link=http://www.secwatch.nl]]<br />
<br />
<br><br />
<br />
<br />
[[Category:OWASP_AppSec_Conference]] [[Category:OWASP_BeNeLux_Archives]]</div>Favroomhttps://wiki.owasp.org/index.php?title=BeNeLux_OWASP_Day_2013&diff=163330BeNeLux OWASP Day 20132013-11-15T08:18:09Z<p>Favroom: /* Key note: Inside the mind of the fraudster, by Jan Joris Vereijken (Chief Security Architect, ING) */</p>
<hr />
<div><center>[[Image:Bnl13header-v.1.0.png]]<br></center><br />
<br><!-- Header --><br />
<br />
<br />
<!-- First tab --><br />
= Welcome =<br />
<br />
=== Welcome to OWASP BeNeLux 2013 ===<br />
<br />
'''Registration is now open!'''<br />
<br />
[http://owaspbenelux2013.eventbrite.com/ http://www.owasp.org/images/7/77/Buttoncreate.png]<br />
<br />
<!--<br />
==== News ====<br />
* <br />
* <br />
<br><br />
<br />
==== Confirmed trainers for Trainingday ====<br />
{{#switchtablink:Trainingday| <p><br />
* <br />
* <br />
* <br />
* <br />
}}<br />
<br><br />
<br />
--><br />
<br />
==== Confirmed speakers Conference ====<br />
{{#switchtablink:Conferenceday| <p><br />
* Dick Berlijn (ex Chief of Defence NL)<br />
* Jan Joris Vereijken (ING)<br />
* Tom Van Goethem (University Leuven)<br />
* Jerome Nokin (Verizon Business)<br />
* Nick Nikiforakis (University Leuven)<br />
* Fakos Alexios and Jan Philipp (n.runs AG)<br />
* Migchiel de Jong (HP Fortify)<br />
* Victor van der Veen (ITQ)<br />
<br />
}}<br />
<br><br />
<br />
==== The OWASP BeNeLux Program Committee ====<br />
*Bart De Win / Sebastien Deleersnyder/ Lieven Desmet/ David Mathy, OWASP Belgium<br />
*Martin Knobloch / Ferdinand Vroom, OWASP Netherlands<br />
*Jocelyn Aubert / Andre Adelsbach/ Thierry Zoller, OWASP Luxembourg<br />
<br><br />
<br />
=== Tweet! ===<br />
Event tag is [http://twitter.com/#search?q=%23owaspbnl13 #owaspbnl13]<br />
<br><br><br />
==== Donate to OWASP BeNeLux ====<br />
[https://co.clickandpledge.com/?wid=72689 Donate]<br />
<br />
<!-- Second tab --><br />
<br />
= Registration =<br />
<br />
==== OWASP BeNeLux training day and conference are free! ==== <br />
<br />
=== Registration is not now open: ===<br />
<br />
[http://owaspbenelux2013.eventbrite.com/ http://www.owasp.org/images/7/77/Buttoncreate.png]<br />
<br />
<br><br />
To support the OWASP organisation, consider to become a member, it's only US$50!<br />
<br> <br />
Check out the [[Membership]] page to find out more. <br />
<br><br />
<br />
<br />
<!-- Third tab --><br />
<br />
= Venue =<br />
<br />
=== Venue is ===<br />
<br />
'''RAI Amsterdam - Entrance G'''<br />
;Emerald Room<br />
;(On the first floor of the Auditorium Centre)<br />
;Europaplein 2-22<br />
;1078 Amsterdam, THE NETHERLANDS <br />
<br />
<br>'''Parking & roadmap''':<br />
<br />
There is a public parking at the conference venue.<br />
<br />
Roadmap and parking: <br />
<br />
<br />
<br>'''Hotels nearby''': <br> <br />
<br />
<br />
<!-- Fourth tab - currently removed<br />
<br />
= Trainingday =<br />
<br />
==== Trainingday, November 29th ====<br />
<br />
==== Location ====<br />
The training room is: <br />
TBD<br />
<br><br />
<br />
(for details, check the {{#switchtablink:Venue|Venue}} tab)<br />
<br />
==== Agenda ==== <br />
{| class="wikitable"<br />
! Time !! Description !! Room 1 !! Room 2 !! Room 3 !! Room 4<br />
|-<br />
| 08h30 - 9h30<br />
| colspan="5" style="text-align: center; background: grey; color: white;" | ''Registration''<br />
|-<br />
| 09h30 - 11h00 || Training<br />
| rowspan="7" style="width:100px;" | tbd<br />
| rowspan="7" style="width:100px;" | tbd<br />
| rowspan="7" style="width:100px;" | tbd<br />
| rowspan="7" style="width:100px;" | tbd<br />
|-<br />
| 11h00 - 11h30 || ''Coffee Break''<br />
|-<br />
| 11h30 - 13h00 || Training<br />
|-<br />
| 13h00 - 14h00 || ''Lunch''<br />
|-<br />
| 14h00 - 15h30 || Training<br />
|-<br />
| 15h30 - 16h00 || ''Coffee Break''<br />
|-<br />
| 16h00 - 17h30 || Training<br />
|}<br />
<br />
<br />
<br />
<br />
<br />
<br><br />
<br />
--><br />
<br />
<br />
<!-- Fifth tab --><br />
<br />
= Conferenceday =<br />
<br />
==== Conferenceday, November 29th ====<br />
<br />
==== Location ====<br />
TBD (for details, check the {{#switchtablink:Venue|Venue}} tab)<br />
<br />
==== Agenda ==== <br />
{| class="wikitable"<br />
! width="90pt" | Time<br />
! width="130pt" | Speaker !! Topic<br />
|- <br />
| 09h00 - 10h00<br />
| colspan="2" style="text-align: center; background: grey; color: white" | ''Registration''<br />
|- <br />
| 10h00 - 10h15 || OWASP Benelux Organization || Welcome <br />
|-<br />
| 10h15 - 10h30 || Sebastien Deleersnyder, OWASP Global || OWASP update <br />
|-<br />
| 10h30 - 11h10 || [[#JanJorisVereijken|Jan Joris Vereijken]] || [['''insidethemindofthefraudster|Keynote: Inside the mind of the fraudster''']] <br>''Abstract:''<br />
|-<br />
| 11h10 - 11h50 || [[#TomVanGoethem|Tom Van Goethem]] || '''Remote code exection in WordPress: an analysis''' <br>''Abstract:''<br />
|-<br />
| 11h50 - 12h30 || [[#JanPhilipp|Alexios Fakos & Jan Philipp]] || '''Getting a handle on SharePoint security complexity''' <br>''Abstract:''<br />
|-<br />
| 12h30 - 13h30<br />
| colspan="2" style="text-align: center;background: grey; color: white" | ''Lunch'' <br />
|-<br />
| 13h30 - 14h10 || [[#DickBerlijn|Dick Berlijn]] || '''Keynote: Cyber warfare''' <br>''Abstract:''<br />
|-<br />
| 14h10 - 14h50 || Migchiel de Jong || ''' Static Analysis and code review; A journey through time, ''' <br>''Abstract:''<br />
|-<br />
| 14h50 - 15h30 || [[#NickNikiforakis|Nick Nikiforakis]] || '''Everything you always wanted to know about web-based device fingerprinting (but were afraid to ask)''' <br>''Abstract:''<br />
|-<br />
| 15h30 - 15h50<br />
| colspan="2" style="text-align: center;background: grey; color: white" | ''Break'' <br />
|-<br />
| 16h30 - 17h10 || [[#JeromeNokin|Jerome Nokin]] || '''Turning your managed Anti-Virus into my botnet''' <br>''Abstract:''<br />
|-<br />
| 17h10 - 17h50 || [[#VictorvanderVeen|Victor van der Veen]] || '''TraceDroid: A Fast and Complete Android Method Tracer'''<br />
|-<br />
| 17h50 - 18h00 || OWASP Benelux 2013 organization || '''Closing Notes'''<br />
|}<br />
<br />
<br><br />
<br><br />
<br />
<br />
<br />
<div id="'JanJorisVereijken"></div><br />
<br />
[[insidethemindofthefraudster]]=== Key note: Inside the mind of the fraudster, by Jan Joris Vereijken (Chief Security Architect, ING) ===<br />
''Abstract:''<br><br />
When we talk about banking malware, we typically think of bits and bytes: Zeus variants, field injections, Man-in-the-Browser attacks, or forensic analysis of infected PCs. What is actually much more interesting, is to understand what is driving the fraudster. He’s doesn’t care about bits and bytes, he’s just in it for the money. If we get into the mind of the fraudster, we can suddenly understand many issues much better. We’ll see that authentication is irrelevant, fraudsters don’t want to steal millions, that they hate the mobile app, and many more surprising things your never realized were keeping our poor fraudster awake at night.<br />
<br><br />
<br><br />
''Bio:''<br><br />
'''Jan Joris Vereijken''' holds a Ph.D. in Computing Science from the Eindhoven University of Technology, where he worked on algebraic protocol verification. After a brief stint at Bell Laboratories to work on Software Engineering, he moved to ING, the Dutch banking conglomerate. <br><br />
In his current role as Chief Security Architect, he is responsible for the security architecture in the 35-odd countries where ING has banking operations.<br><br />
<br><br />
<br />
=== Turning your managed Anti-Virus into my botnet, by Jerome Nokin (Senior Security Consultant, Verizon Business) ===<br />
''Abstract:''<br><br />
Today centrally managed Anti-Virus (AV) solutions are used across all enterprises and are relied upon to provide central management, logging and enforcement. This talk presents the journey and the results of a reviewing the security posture of the core components of a few selected managed AV solutions, the central servers themselves. <br />
Critical security vulnerabilities will be presented, covering SQL Injection, Directory Path Traversal and Buffer Overflow.<br />
Particular focus will be given to the different steps required to analyze both protocols and management functionality and covers reverse-engineering, debugging and the creation of fuzzing tools. Who does not want to transform a major managed AV into his private botnet within minutes?<br />
<br><br />
<br><br />
''Bio:''<br><br />
'''Jerome Nokin''' works as a Security Consultant for Verizon Enterprise where he is a senior member of the Vulnerability Management Team mainly focusing on Penetration Tests<br />
and Web Application Assessment. Prior to his role at Verizon he worked in the area of security covering both consultancy and ICT.<br><br />
<br><br />
<br />
<br />
<div id="'JanPhilipp"></div><br />
<br />
=== Getting a handle on SharePoint security complexity, by Jan Philipp (Solutions Consultant Security, n.runs) and Alexios Fakos (Principal IT Security Consultant, n.runs) ===<br />
''Abstract:''<br><br />
This presentation’s main goal is to provide decision makers, architects, administrators and developers with a comprehensive SharePoint security overview. We will introduce a SharePoint security model applicable to SharePoint versions 2010 and 2013. Then we will take a closer look at the use of different types of security principals and their effective use. This will be followed by covering security aspects when implementing and extending SharePoint to meet business needs and will be emphasized by showcasing common security pitfalls with examples throughout the presentation. This will be demonstrated with security down to the “nitty-gritty” details based on actual use cases and tips and pitfalls that have been encountered during security assessments and implementation of SharePoint solutions.<br />
<br><br />
<br><br />
''Bio:''<br><br />
'''Jan Philipp''' (MCT since 1989, MCITP, MCSE) works as a security consultant at n.runs, where he is responsible for design and implementation security assessments of complex global SharePoint infrastructures and solutions for major German and international companies. He has been involved with SharePoint technologies from their inception with Digital Dashboards throughout their many development changes (TeamSpaces, MOSS etc.) to the present day SharePoint and SharePoint Live versions.<br><br />
'''Alexios Fakos''' (CRISC, CSSLP) began his career in development as a Software Engineer back in 1999. After seven years of inspired insights in the software industry he joined n.runs to be part of the security team. Alexios is leading n.runs SDL services and he is since 2008 part of the German OWASP chapter. Alexios held presentations at OWASP AppSec US and Germany.<br><br />
<br><br />
<br />
<div id="TomVanGoethem"></div><br />
=== Remote code exection in WordPress: an analysis, by Tom Van Goethem (PhD Researcher, University of Leuven) ===<br />
''Abstract:''<br><br />
With over 13 million downloads, WordPress is one of the most popular open source blog platforms and content management systems. One of its key features is the installation of plugins. These are developed by third parties, but WordPress has to maintain its legacy codebase in order to remain compatible with these plugins. As this codebase makes use of unsafe functions, vulnerabilities may arise, affecting thousands websites - if not more. This presentation will focus on a vulnerability that has been present in WordPress versions up to September 2013. This vulnerability, which may lead to Remote Code Execution, was found by a simple combination of two publicly known elements: PHP Object Injection and unexpected behaviour of MySQL regarding Unicode characters.<br />
<br><br />
<br><br />
''Bio:''<br><br />
'''Tom Van Goethem''' is passionate about web security. After getting a master's degree of Applied Informatics, he enrolled in a PhD at the University of Leuven. As a student with a chronic drinking problem, he still found some time to hunt bugs for fun (and profit).<br><br />
<br><br />
<br />
<br />
=== Everything you always wanted to know about web-based device fingerprinting (but were afraid to ask), by Nick Nikiforakis (Postdoctoral Researcher, University of Leuven) ===<br />
''Abstract:''<br><br />
Billions of users browse the web on a daily basis,<br />
and there are single websites that have reached over one billion user<br />
accounts. In this environment, the ability to track users and their online habits can<br />
be very lucrative for advertising companies, yet very intrusive for the privacy of users.<br />
<br />
In this talk, we are going to describe web-based device fingerprinting, i.e., the ability<br />
to tell users apart, without the use of cookies or any other client-side identifiers. We<br />
will explain how device fingerprinting works, who is using, for what reason, and how people<br />
are trying to defend against it today. <br />
<br><br />
<br><br />
''Bio:''<br><br />
'''Nick Nikiforakis''' is a Postdoctoral Researcher at KU Leuven in Belgium. Nick's interests lie<br />
in the analysis of online ecosystems from a security and privacy perspective and he has<br />
published his work in top conferences of his field. More information about him can be found<br />
on his personal page: http://www.securitee.org .<br><br />
<br><br />
<br />
<br />
<br />
<div id="VictorvanderVeen"></div><br />
=== TraceDroid: A Fast and Complete Android Method Tracer, by Victor van der Veen (Security Consultant, ITQ) ===<br />
''Abstract:''<br><br />
Tracedroid allows you to upload any Android APK file (i.e., an Android app) for automated analysis. Tracedroid records the behavior of the executed app, such as its network communication, the UI, but also its internal function calls and Java code that is executed. To trigger the app's real behavior, Tracedroid emulates a few actions, such as user interaction, incoming calls and SMS messages, etc. - this will reveal most malicious intents of an app (if any).<br><br />
During this presentation, I will outline how Tracedroid is implemented and how its stimulation engine performs in terms of code coverage. I will also demonstrate how Tracedroid's output can help malware researchers to gain a better understanding of unknown Android applications during a live demo.<br><br />
You can already give TraceDroid a try via http://tracedroid.few.vu.nl<br />
<br><br />
<br><br />
''Bio:''<br><br />
Victor van der Veen is a security consultant at ITQ and holds a MSc degree in Computer Science from the VU University Amsterdam. TraceDroid is part of his master thesis titled ‘Dynamic Analysis of Android Malware’ for which he co-worked with the Andrubis team from Vienna’s iSecLab. His interests are low-level system topics that enhance system security, as well as reverse engineering and analyzing malicious code. His previous work involves the implementation of a (partial) thrust-worthy voting machine and an in depth analysis on trends in the field of memory errors (published at RAID 2012).<br />
<br><br />
<br />
<div id="MigchieldeJong"></div><br />
=== Static Analysis and code review; A journey through time, by Migchiel de Jong (Software Security Consultant, HP Fortify) ===<br />
''Abstract:''<br><br />
Static analysis techniques to support code review, not just for security, have been around for a long time. This talk will take you on journey from the early days of computer science to this modern day and age of cloud, BYOD and mobile apps and how the passing of time affected code review and the technology to support it. The takeaways from this session are; Understanding the fundamentals problems that have to be addressed to really get the benefits from using static analysis for code review. Trends in code review. Best practices for code review. What the future holds for code review.<br />
<br><br />
<br><br />
''Bio:''<br><br />
Migchiel de Jong has developed hardware and software for the nuclear medicine and nuclear industry space for 10 years before joining Rational Software. During the 5 years at Rational Software (later acquired by IBM) he was involved in many software development process improvement projects. Having joined Fortify 9 years ago, Migchiel de Jong is currently working at HP Fortify, as a software security consultant helping large customers succeed with their software security assurance initiatives.<br><br />
<br><br />
<br />
<br />
<br />
<!--<br />
<br />
<div id="TomVanGoethem"></div><br />
=== Remote Code Exection in WordPress: an analysis, by Tom Van Goethem (PhD University Leuven) ===<br />
''Abstract:''<br><br />
With over 13 million downloads, WordPress is one of the most popular open source blog platforms and content management systems. One of its key features is the installation of plugins. These are developed by third parties, but WordPress has to maintain its legacy codebase in order to remain compatible with these plugins. As this codebase makes use of unsafe functions, vulnerabilities may arise, affecting thousands websites - if not more. This presentation will focus on a vulnerability that has been present in WordPress versions up to September 2013. This vulnerability, which may lead to Remote Code Execution, was found by a simple combination of two publicly known elements: PHP Object Injection and unexpected behaviour of MySQL regarding Unicode characters.<br />
<br><br />
<br><br />
''Bio:''<br><br />
Tom Van Goethem is passionate about web security. After getting a master's degree of Applied Informatics, he enrolled in a PhD at the University of Leuven. As a student with a chronic drinking problem, he still found some time to hunt bugs for fun (and profit).<br><br />
<br><br />
<br />
=== Body Armor for Binaries, by Asia Slowinska (Vrije Universiteit Amsterdam) ===<br />
''Abstract:''<br><br />
BinArmor is a novel technique to protect existing C binaries from memory corruption attacks on both control data and non-control data. Without access to source code, non-control data attacks cannot be detected with current techniques. Our approach hardens binaries against both kinds of overflow, without requiring the pro- grams’ source or symbol tables. We show that BinArmor is able to stop real attacks—including the recent non- control data attack on Exim. Moreover, we did not in- cur a single false positive in practice. On the downside, the current overhead of BinArmor is high—although no worse than competing technologies like taint analysis that do not catch attacks on non-control data. Specifi- cally, we measured an overhead of 70% for gzip, 16%- 180% for lighttpd, and 190% for the nbench suite.<br><br />
<br><br />
''Bio:''<br><br />
I am a postdoctoral researcher in the System and Network Security group at the Vrije Universiteit Amsterdam, under the guidance of Prof. dr. ir. Herbert Bos.<br><br />
I obtained my PhD from the Vrije Universiteit Amsterdam. My dissertation Using information flow tracking to protect legacy binaries was completed under the supervision of Prof. dr. ir. Herbert Bos, while my copromotor was Prof. dr. ir. Henri E. Bal.<br><br />
During my PhD studies, I interned twice with Microsoft Research Cambridge, where I joined the Systems and Performance Group. I also spent few months interning with the Systems and Security Department at Institute for Infocomm Research in Singapore.<br><br />
My research focuses on developing techniques to automatically analyze and reverse engineer complex software that is available only in binary form. Further, I’ve been looking into mechanisms that proactively protect software from malicious activities. Currently, I am involved in a project on Reverse Engineering of binaries, known as Rosetta.<br><br />
<br><br />
<br />
--><br />
<br />
<!-- Sixth tab --><br />
<br />
= Social Event =<br />
<br />
==== Social Event, November 28th ====<br />
'''You (still) got that swing, and what about the moves ? We've got the Balls!'''<br />
<br />
:So "Pin" your schedule to the OWASP Benelux Days - Social Event.<br />
:Thursday Night the 28th of November, our partner Vest Information Security is happy to invite you at:<br />
<br />
:::Knijn Bowling<br />
:::Scheldeplein 3<br />
:::1078 GR Amsterdam<br />
:::http://www.knijnbowling.nl/<br />
<br />
;This is Amsterdams most famous retro-style bowling centre.<br />
<br />
:We are very happy to welcome you from 20:30.<br />
:Our Bowling Tracks are open from 21:30 - 24:00<br />
<br />
'''More details about the registration for the social event will be online soon!'''<br />
<hr><br />
'''The OWASP BeNeLux-Day 2013 Social Event is sponsored by:"<br />
[http://www.vest.nl https://www.owasp.org/images/1/1d/Logo_Vest_BIG_170.gif]<br />
<!-- Seventh tab --><br />
<br />
= CTF =<br />
<br />
==== Capture the Flag! ====<br />
<br />
* Do you like puzzles? <br />
* Do you like challenges? <br />
* Are you a hacker?<br />
<br />
Whether you are an experienced hacker or new enthusiast you should come to OWASP BeNeLux 2013 and participate in the Capture the Flag event November 29th 2013. <br />
<br />
The OWASP CTF is especially designed to support challengers of all skill levels. The CTF contains multiple challenges in various fields related to application security. As every challenge gains you one point, you can pick and choose which challenge you want to play.<br />
<br />
All you need is a laptop with a wifi card and your favorite (preferably) non-commercial tools. <br />
<br />
So come, show off your skills, learn new tricks and above all have a good time at the CTF event. <br />
<br />
<br />
<!-- Eighth tab --><br />
<br />
= Sponsor =<br />
<br />
==== Become a sponsor of OWASP BeNeLux ====<br />
<br />
==== Donate to OWASP BeNeLux ====<br />
<br />
[https://co.clickandpledge.com/?wid=72689 Sponsor] <br />
<br />
<br />
==== Promotion ====<br />
''Feel free to use the text below to promote our event!''<br />
<br />
We invite you to our next OWASP event: the '''BeNeLux OWASP Days 2013!'''<br />
<br />
Free your agenda on the 28th and 29th of November, 2013.<br />
<br />
The good news: free! No fee!<br />
<br />
The bad news: there are only 280 seats available (first register, first serve)!<br />
<br />
<br />
<!-- Don't remove these two lines! --><br />
__NOTOC__ <br />
<headertabs/><br />
<br />
==== Made possible by our {{#switchtablink:Sponsor|Sponsors}}====<br />
<br />
{{MemberLinks|link=http://www.pwc.com/|logo=PWC_log_resized.png}}<br />
[http://www.zionsecurity.com https://www.owasp.org/images/e/e6/Zionsecurity.jpg]<br />
[http://www.vest.nl https://www.owasp.org/images/1/1d/Logo_Vest_BIG_170.gif]<br />
[http://www.Checkmarx.com https://www.owasp.org/images/a/a2/Checkmarx.jpg]<br />
[http://www.sogeti.nl https://www.owasp.org/images/9/94/Sogeti_logo.png]<br />
[http://www.securify.nl https://www.owasp.org/images/7/7a/Securify_BV_logo.png]<br />
{{MemberLinks|link=https://www.whitehatsec.com/|logo=Whitehat.gif}}<br />
[http://www.nviso.be https://www.owasp.org/images/5/5e/Nviso_logo_RGB_baseline_200px.png]<br />
[https://informatiebeveiliging.nl/ https://www.owasp.org/images/9/9a/Logo_Informatiebeveiliging-200.png]<br />
[http://www8.hp.com/us/en/software-solutions/software-security/index.html https://www.owasp.org/images/a/af/HP_Blue_RGB_150_LG-200.png]<br />
<br />
<br />
<br />
<br><br />
<br />
<br />
[[Category:OWASP_AppSec_Conference]] [[Category:OWASP_BeNeLux_Archives]]</div>Favroomhttps://wiki.owasp.org/index.php?title=BeNeLux_OWASP_Day_2013&diff=163329BeNeLux OWASP Day 20132013-11-15T08:17:02Z<p>Favroom: /* Agenda */</p>
<hr />
<div><center>[[Image:Bnl13header-v.1.0.png]]<br></center><br />
<br><!-- Header --><br />
<br />
<br />
<!-- First tab --><br />
= Welcome =<br />
<br />
=== Welcome to OWASP BeNeLux 2013 ===<br />
<br />
'''Registration is now open!'''<br />
<br />
[http://owaspbenelux2013.eventbrite.com/ http://www.owasp.org/images/7/77/Buttoncreate.png]<br />
<br />
<!--<br />
==== News ====<br />
* <br />
* <br />
<br><br />
<br />
==== Confirmed trainers for Trainingday ====<br />
{{#switchtablink:Trainingday| <p><br />
* <br />
* <br />
* <br />
* <br />
}}<br />
<br><br />
<br />
--><br />
<br />
==== Confirmed speakers Conference ====<br />
{{#switchtablink:Conferenceday| <p><br />
* Dick Berlijn (ex Chief of Defence NL)<br />
* Jan Joris Vereijken (ING)<br />
* Tom Van Goethem (University Leuven)<br />
* Jerome Nokin (Verizon Business)<br />
* Nick Nikiforakis (University Leuven)<br />
* Fakos Alexios and Jan Philipp (n.runs AG)<br />
* Migchiel de Jong (HP Fortify)<br />
* Victor van der Veen (ITQ)<br />
<br />
}}<br />
<br><br />
<br />
==== The OWASP BeNeLux Program Committee ====<br />
*Bart De Win / Sebastien Deleersnyder/ Lieven Desmet/ David Mathy, OWASP Belgium<br />
*Martin Knobloch / Ferdinand Vroom, OWASP Netherlands<br />
*Jocelyn Aubert / Andre Adelsbach/ Thierry Zoller, OWASP Luxembourg<br />
<br><br />
<br />
=== Tweet! ===<br />
Event tag is [http://twitter.com/#search?q=%23owaspbnl13 #owaspbnl13]<br />
<br><br><br />
==== Donate to OWASP BeNeLux ====<br />
[https://co.clickandpledge.com/?wid=72689 Donate]<br />
<br />
<!-- Second tab --><br />
<br />
= Registration =<br />
<br />
==== OWASP BeNeLux training day and conference are free! ==== <br />
<br />
=== Registration is not now open: ===<br />
<br />
[http://owaspbenelux2013.eventbrite.com/ http://www.owasp.org/images/7/77/Buttoncreate.png]<br />
<br />
<br><br />
To support the OWASP organisation, consider to become a member, it's only US$50!<br />
<br> <br />
Check out the [[Membership]] page to find out more. <br />
<br><br />
<br />
<br />
<!-- Third tab --><br />
<br />
= Venue =<br />
<br />
=== Venue is ===<br />
<br />
'''RAI Amsterdam - Entrance G'''<br />
;Emerald Room<br />
;(On the first floor of the Auditorium Centre)<br />
;Europaplein 2-22<br />
;1078 Amsterdam, THE NETHERLANDS <br />
<br />
<br>'''Parking & roadmap''':<br />
<br />
There is a public parking at the conference venue.<br />
<br />
Roadmap and parking: <br />
<br />
<br />
<br>'''Hotels nearby''': <br> <br />
<br />
<br />
<!-- Fourth tab - currently removed<br />
<br />
= Trainingday =<br />
<br />
==== Trainingday, November 29th ====<br />
<br />
==== Location ====<br />
The training room is: <br />
TBD<br />
<br><br />
<br />
(for details, check the {{#switchtablink:Venue|Venue}} tab)<br />
<br />
==== Agenda ==== <br />
{| class="wikitable"<br />
! Time !! Description !! Room 1 !! Room 2 !! Room 3 !! Room 4<br />
|-<br />
| 08h30 - 9h30<br />
| colspan="5" style="text-align: center; background: grey; color: white;" | ''Registration''<br />
|-<br />
| 09h30 - 11h00 || Training<br />
| rowspan="7" style="width:100px;" | tbd<br />
| rowspan="7" style="width:100px;" | tbd<br />
| rowspan="7" style="width:100px;" | tbd<br />
| rowspan="7" style="width:100px;" | tbd<br />
|-<br />
| 11h00 - 11h30 || ''Coffee Break''<br />
|-<br />
| 11h30 - 13h00 || Training<br />
|-<br />
| 13h00 - 14h00 || ''Lunch''<br />
|-<br />
| 14h00 - 15h30 || Training<br />
|-<br />
| 15h30 - 16h00 || ''Coffee Break''<br />
|-<br />
| 16h00 - 17h30 || Training<br />
|}<br />
<br />
<br />
<br />
<br />
<br />
<br><br />
<br />
--><br />
<br />
<br />
<!-- Fifth tab --><br />
<br />
= Conferenceday =<br />
<br />
==== Conferenceday, November 29th ====<br />
<br />
==== Location ====<br />
TBD (for details, check the {{#switchtablink:Venue|Venue}} tab)<br />
<br />
==== Agenda ==== <br />
{| class="wikitable"<br />
! width="90pt" | Time<br />
! width="130pt" | Speaker !! Topic<br />
|- <br />
| 09h00 - 10h00<br />
| colspan="2" style="text-align: center; background: grey; color: white" | ''Registration''<br />
|- <br />
| 10h00 - 10h15 || OWASP Benelux Organization || Welcome <br />
|-<br />
| 10h15 - 10h30 || Sebastien Deleersnyder, OWASP Global || OWASP update <br />
|-<br />
| 10h30 - 11h10 || [[#JanJorisVereijken|Jan Joris Vereijken]] || [['''insidethemindofthefraudster|Keynote: Inside the mind of the fraudster''']] <br>''Abstract:''<br />
|-<br />
| 11h10 - 11h50 || [[#TomVanGoethem|Tom Van Goethem]] || '''Remote code exection in WordPress: an analysis''' <br>''Abstract:''<br />
|-<br />
| 11h50 - 12h30 || [[#JanPhilipp|Alexios Fakos & Jan Philipp]] || '''Getting a handle on SharePoint security complexity''' <br>''Abstract:''<br />
|-<br />
| 12h30 - 13h30<br />
| colspan="2" style="text-align: center;background: grey; color: white" | ''Lunch'' <br />
|-<br />
| 13h30 - 14h10 || [[#DickBerlijn|Dick Berlijn]] || '''Keynote: Cyber warfare''' <br>''Abstract:''<br />
|-<br />
| 14h10 - 14h50 || Migchiel de Jong || ''' Static Analysis and code review; A journey through time, ''' <br>''Abstract:''<br />
|-<br />
| 14h50 - 15h30 || [[#NickNikiforakis|Nick Nikiforakis]] || '''Everything you always wanted to know about web-based device fingerprinting (but were afraid to ask)''' <br>''Abstract:''<br />
|-<br />
| 15h30 - 15h50<br />
| colspan="2" style="text-align: center;background: grey; color: white" | ''Break'' <br />
|-<br />
| 16h30 - 17h10 || [[#JeromeNokin|Jerome Nokin]] || '''Turning your managed Anti-Virus into my botnet''' <br>''Abstract:''<br />
|-<br />
| 17h10 - 17h50 || [[#VictorvanderVeen|Victor van der Veen]] || '''TraceDroid: A Fast and Complete Android Method Tracer'''<br />
|-<br />
| 17h50 - 18h00 || OWASP Benelux 2013 organization || '''Closing Notes'''<br />
|}<br />
<br />
<br><br />
<br><br />
<br />
<br />
<br />
<div id="'JanJorisVereijken"></div><br />
<br />
=== Key note: Inside the mind of the fraudster, by Jan Joris Vereijken (Chief Security Architect, ING) ===<br />
''Abstract:''<br><br />
When we talk about banking malware, we typically think of bits and bytes: Zeus variants, field injections, Man-in-the-Browser attacks, or forensic analysis of infected PCs. What is actually much more interesting, is to understand what is driving the fraudster. He’s doesn’t care about bits and bytes, he’s just in it for the money. If we get into the mind of the fraudster, we can suddenly understand many issues much better. We’ll see that authentication is irrelevant, fraudsters don’t want to steal millions, that they hate the mobile app, and many more surprising things your never realized were keeping our poor fraudster awake at night.<br />
<br><br />
<br><br />
''Bio:''<br><br />
'''Jan Joris Vereijken''' holds a Ph.D. in Computing Science from the Eindhoven University of Technology, where he worked on algebraic protocol verification. After a brief stint at Bell Laboratories to work on Software Engineering, he moved to ING, the Dutch banking conglomerate. <br><br />
In his current role as Chief Security Architect, he is responsible for the security architecture in the 35-odd countries where ING has banking operations.<br><br />
<br><br />
<br />
=== Turning your managed Anti-Virus into my botnet, by Jerome Nokin (Senior Security Consultant, Verizon Business) ===<br />
''Abstract:''<br><br />
Today centrally managed Anti-Virus (AV) solutions are used across all enterprises and are relied upon to provide central management, logging and enforcement. This talk presents the journey and the results of a reviewing the security posture of the core components of a few selected managed AV solutions, the central servers themselves. <br />
Critical security vulnerabilities will be presented, covering SQL Injection, Directory Path Traversal and Buffer Overflow.<br />
Particular focus will be given to the different steps required to analyze both protocols and management functionality and covers reverse-engineering, debugging and the creation of fuzzing tools. Who does not want to transform a major managed AV into his private botnet within minutes?<br />
<br><br />
<br><br />
''Bio:''<br><br />
'''Jerome Nokin''' works as a Security Consultant for Verizon Enterprise where he is a senior member of the Vulnerability Management Team mainly focusing on Penetration Tests<br />
and Web Application Assessment. Prior to his role at Verizon he worked in the area of security covering both consultancy and ICT.<br><br />
<br><br />
<br />
<br />
<div id="'JanPhilipp"></div><br />
<br />
=== Getting a handle on SharePoint security complexity, by Jan Philipp (Solutions Consultant Security, n.runs) and Alexios Fakos (Principal IT Security Consultant, n.runs) ===<br />
''Abstract:''<br><br />
This presentation’s main goal is to provide decision makers, architects, administrators and developers with a comprehensive SharePoint security overview. We will introduce a SharePoint security model applicable to SharePoint versions 2010 and 2013. Then we will take a closer look at the use of different types of security principals and their effective use. This will be followed by covering security aspects when implementing and extending SharePoint to meet business needs and will be emphasized by showcasing common security pitfalls with examples throughout the presentation. This will be demonstrated with security down to the “nitty-gritty” details based on actual use cases and tips and pitfalls that have been encountered during security assessments and implementation of SharePoint solutions.<br />
<br><br />
<br><br />
''Bio:''<br><br />
'''Jan Philipp''' (MCT since 1989, MCITP, MCSE) works as a security consultant at n.runs, where he is responsible for design and implementation security assessments of complex global SharePoint infrastructures and solutions for major German and international companies. He has been involved with SharePoint technologies from their inception with Digital Dashboards throughout their many development changes (TeamSpaces, MOSS etc.) to the present day SharePoint and SharePoint Live versions.<br><br />
'''Alexios Fakos''' (CRISC, CSSLP) began his career in development as a Software Engineer back in 1999. After seven years of inspired insights in the software industry he joined n.runs to be part of the security team. Alexios is leading n.runs SDL services and he is since 2008 part of the German OWASP chapter. Alexios held presentations at OWASP AppSec US and Germany.<br><br />
<br><br />
<br />
<div id="TomVanGoethem"></div><br />
=== Remote code exection in WordPress: an analysis, by Tom Van Goethem (PhD Researcher, University of Leuven) ===<br />
''Abstract:''<br><br />
With over 13 million downloads, WordPress is one of the most popular open source blog platforms and content management systems. One of its key features is the installation of plugins. These are developed by third parties, but WordPress has to maintain its legacy codebase in order to remain compatible with these plugins. As this codebase makes use of unsafe functions, vulnerabilities may arise, affecting thousands websites - if not more. This presentation will focus on a vulnerability that has been present in WordPress versions up to September 2013. This vulnerability, which may lead to Remote Code Execution, was found by a simple combination of two publicly known elements: PHP Object Injection and unexpected behaviour of MySQL regarding Unicode characters.<br />
<br><br />
<br><br />
''Bio:''<br><br />
'''Tom Van Goethem''' is passionate about web security. After getting a master's degree of Applied Informatics, he enrolled in a PhD at the University of Leuven. As a student with a chronic drinking problem, he still found some time to hunt bugs for fun (and profit).<br><br />
<br><br />
<br />
<br />
=== Everything you always wanted to know about web-based device fingerprinting (but were afraid to ask), by Nick Nikiforakis (Postdoctoral Researcher, University of Leuven) ===<br />
''Abstract:''<br><br />
Billions of users browse the web on a daily basis,<br />
and there are single websites that have reached over one billion user<br />
accounts. In this environment, the ability to track users and their online habits can<br />
be very lucrative for advertising companies, yet very intrusive for the privacy of users.<br />
<br />
In this talk, we are going to describe web-based device fingerprinting, i.e., the ability<br />
to tell users apart, without the use of cookies or any other client-side identifiers. We<br />
will explain how device fingerprinting works, who is using, for what reason, and how people<br />
are trying to defend against it today. <br />
<br><br />
<br><br />
''Bio:''<br><br />
'''Nick Nikiforakis''' is a Postdoctoral Researcher at KU Leuven in Belgium. Nick's interests lie<br />
in the analysis of online ecosystems from a security and privacy perspective and he has<br />
published his work in top conferences of his field. More information about him can be found<br />
on his personal page: http://www.securitee.org .<br><br />
<br><br />
<br />
<br />
<br />
<div id="VictorvanderVeen"></div><br />
=== TraceDroid: A Fast and Complete Android Method Tracer, by Victor van der Veen (Security Consultant, ITQ) ===<br />
''Abstract:''<br><br />
Tracedroid allows you to upload any Android APK file (i.e., an Android app) for automated analysis. Tracedroid records the behavior of the executed app, such as its network communication, the UI, but also its internal function calls and Java code that is executed. To trigger the app's real behavior, Tracedroid emulates a few actions, such as user interaction, incoming calls and SMS messages, etc. - this will reveal most malicious intents of an app (if any).<br><br />
During this presentation, I will outline how Tracedroid is implemented and how its stimulation engine performs in terms of code coverage. I will also demonstrate how Tracedroid's output can help malware researchers to gain a better understanding of unknown Android applications during a live demo.<br><br />
You can already give TraceDroid a try via http://tracedroid.few.vu.nl<br />
<br><br />
<br><br />
''Bio:''<br><br />
Victor van der Veen is a security consultant at ITQ and holds a MSc degree in Computer Science from the VU University Amsterdam. TraceDroid is part of his master thesis titled ‘Dynamic Analysis of Android Malware’ for which he co-worked with the Andrubis team from Vienna’s iSecLab. His interests are low-level system topics that enhance system security, as well as reverse engineering and analyzing malicious code. His previous work involves the implementation of a (partial) thrust-worthy voting machine and an in depth analysis on trends in the field of memory errors (published at RAID 2012).<br />
<br><br />
<br />
<div id="MigchieldeJong"></div><br />
=== Static Analysis and code review; A journey through time, by Migchiel de Jong (Software Security Consultant, HP Fortify) ===<br />
''Abstract:''<br><br />
Static analysis techniques to support code review, not just for security, have been around for a long time. This talk will take you on journey from the early days of computer science to this modern day and age of cloud, BYOD and mobile apps and how the passing of time affected code review and the technology to support it. The takeaways from this session are; Understanding the fundamentals problems that have to be addressed to really get the benefits from using static analysis for code review. Trends in code review. Best practices for code review. What the future holds for code review.<br />
<br><br />
<br><br />
''Bio:''<br><br />
Migchiel de Jong has developed hardware and software for the nuclear medicine and nuclear industry space for 10 years before joining Rational Software. During the 5 years at Rational Software (later acquired by IBM) he was involved in many software development process improvement projects. Having joined Fortify 9 years ago, Migchiel de Jong is currently working at HP Fortify, as a software security consultant helping large customers succeed with their software security assurance initiatives.<br><br />
<br><br />
<br />
<br />
<br />
<!--<br />
<br />
<div id="TomVanGoethem"></div><br />
=== Remote Code Exection in WordPress: an analysis, by Tom Van Goethem (PhD University Leuven) ===<br />
''Abstract:''<br><br />
With over 13 million downloads, WordPress is one of the most popular open source blog platforms and content management systems. One of its key features is the installation of plugins. These are developed by third parties, but WordPress has to maintain its legacy codebase in order to remain compatible with these plugins. As this codebase makes use of unsafe functions, vulnerabilities may arise, affecting thousands websites - if not more. This presentation will focus on a vulnerability that has been present in WordPress versions up to September 2013. This vulnerability, which may lead to Remote Code Execution, was found by a simple combination of two publicly known elements: PHP Object Injection and unexpected behaviour of MySQL regarding Unicode characters.<br />
<br><br />
<br><br />
''Bio:''<br><br />
Tom Van Goethem is passionate about web security. After getting a master's degree of Applied Informatics, he enrolled in a PhD at the University of Leuven. As a student with a chronic drinking problem, he still found some time to hunt bugs for fun (and profit).<br><br />
<br><br />
<br />
=== Body Armor for Binaries, by Asia Slowinska (Vrije Universiteit Amsterdam) ===<br />
''Abstract:''<br><br />
BinArmor is a novel technique to protect existing C binaries from memory corruption attacks on both control data and non-control data. Without access to source code, non-control data attacks cannot be detected with current techniques. Our approach hardens binaries against both kinds of overflow, without requiring the pro- grams’ source or symbol tables. We show that BinArmor is able to stop real attacks—including the recent non- control data attack on Exim. Moreover, we did not in- cur a single false positive in practice. On the downside, the current overhead of BinArmor is high—although no worse than competing technologies like taint analysis that do not catch attacks on non-control data. Specifi- cally, we measured an overhead of 70% for gzip, 16%- 180% for lighttpd, and 190% for the nbench suite.<br><br />
<br><br />
''Bio:''<br><br />
I am a postdoctoral researcher in the System and Network Security group at the Vrije Universiteit Amsterdam, under the guidance of Prof. dr. ir. Herbert Bos.<br><br />
I obtained my PhD from the Vrije Universiteit Amsterdam. My dissertation Using information flow tracking to protect legacy binaries was completed under the supervision of Prof. dr. ir. Herbert Bos, while my copromotor was Prof. dr. ir. Henri E. Bal.<br><br />
During my PhD studies, I interned twice with Microsoft Research Cambridge, where I joined the Systems and Performance Group. I also spent few months interning with the Systems and Security Department at Institute for Infocomm Research in Singapore.<br><br />
My research focuses on developing techniques to automatically analyze and reverse engineer complex software that is available only in binary form. Further, I’ve been looking into mechanisms that proactively protect software from malicious activities. Currently, I am involved in a project on Reverse Engineering of binaries, known as Rosetta.<br><br />
<br><br />
<br />
--><br />
<br />
<!-- Sixth tab --><br />
<br />
= Social Event =<br />
<br />
==== Social Event, November 28th ====<br />
'''You (still) got that swing, and what about the moves ? We've got the Balls!'''<br />
<br />
:So "Pin" your schedule to the OWASP Benelux Days - Social Event.<br />
:Thursday Night the 28th of November, our partner Vest Information Security is happy to invite you at:<br />
<br />
:::Knijn Bowling<br />
:::Scheldeplein 3<br />
:::1078 GR Amsterdam<br />
:::http://www.knijnbowling.nl/<br />
<br />
;This is Amsterdams most famous retro-style bowling centre.<br />
<br />
:We are very happy to welcome you from 20:30.<br />
:Our Bowling Tracks are open from 21:30 - 24:00<br />
<br />
'''More details about the registration for the social event will be online soon!'''<br />
<hr><br />
'''The OWASP BeNeLux-Day 2013 Social Event is sponsored by:"<br />
[http://www.vest.nl https://www.owasp.org/images/1/1d/Logo_Vest_BIG_170.gif]<br />
<!-- Seventh tab --><br />
<br />
= CTF =<br />
<br />
==== Capture the Flag! ====<br />
<br />
* Do you like puzzles? <br />
* Do you like challenges? <br />
* Are you a hacker?<br />
<br />
Whether you are an experienced hacker or new enthusiast you should come to OWASP BeNeLux 2013 and participate in the Capture the Flag event November 29th 2013. <br />
<br />
The OWASP CTF is especially designed to support challengers of all skill levels. The CTF contains multiple challenges in various fields related to application security. As every challenge gains you one point, you can pick and choose which challenge you want to play.<br />
<br />
All you need is a laptop with a wifi card and your favorite (preferably) non-commercial tools. <br />
<br />
So come, show off your skills, learn new tricks and above all have a good time at the CTF event. <br />
<br />
<br />
<!-- Eighth tab --><br />
<br />
= Sponsor =<br />
<br />
==== Become a sponsor of OWASP BeNeLux ====<br />
<br />
==== Donate to OWASP BeNeLux ====<br />
<br />
[https://co.clickandpledge.com/?wid=72689 Sponsor] <br />
<br />
<br />
==== Promotion ====<br />
''Feel free to use the text below to promote our event!''<br />
<br />
We invite you to our next OWASP event: the '''BeNeLux OWASP Days 2013!'''<br />
<br />
Free your agenda on the 28th and 29th of November, 2013.<br />
<br />
The good news: free! No fee!<br />
<br />
The bad news: there are only 280 seats available (first register, first serve)!<br />
<br />
<br />
<!-- Don't remove these two lines! --><br />
__NOTOC__ <br />
<headertabs/><br />
<br />
==== Made possible by our {{#switchtablink:Sponsor|Sponsors}}====<br />
<br />
{{MemberLinks|link=http://www.pwc.com/|logo=PWC_log_resized.png}}<br />
[http://www.zionsecurity.com https://www.owasp.org/images/e/e6/Zionsecurity.jpg]<br />
[http://www.vest.nl https://www.owasp.org/images/1/1d/Logo_Vest_BIG_170.gif]<br />
[http://www.Checkmarx.com https://www.owasp.org/images/a/a2/Checkmarx.jpg]<br />
[http://www.sogeti.nl https://www.owasp.org/images/9/94/Sogeti_logo.png]<br />
[http://www.securify.nl https://www.owasp.org/images/7/7a/Securify_BV_logo.png]<br />
{{MemberLinks|link=https://www.whitehatsec.com/|logo=Whitehat.gif}}<br />
[http://www.nviso.be https://www.owasp.org/images/5/5e/Nviso_logo_RGB_baseline_200px.png]<br />
[https://informatiebeveiliging.nl/ https://www.owasp.org/images/9/9a/Logo_Informatiebeveiliging-200.png]<br />
[http://www8.hp.com/us/en/software-solutions/software-security/index.html https://www.owasp.org/images/a/af/HP_Blue_RGB_150_LG-200.png]<br />
<br />
<br />
<br />
<br><br />
<br />
<br />
[[Category:OWASP_AppSec_Conference]] [[Category:OWASP_BeNeLux_Archives]]</div>Favroomhttps://wiki.owasp.org/index.php?title=BeNeLux_OWASP_Day_2013&diff=163328BeNeLux OWASP Day 20132013-11-15T08:15:57Z<p>Favroom: /* Agenda */</p>
<hr />
<div><center>[[Image:Bnl13header-v.1.0.png]]<br></center><br />
<br><!-- Header --><br />
<br />
<br />
<!-- First tab --><br />
= Welcome =<br />
<br />
=== Welcome to OWASP BeNeLux 2013 ===<br />
<br />
'''Registration is now open!'''<br />
<br />
[http://owaspbenelux2013.eventbrite.com/ http://www.owasp.org/images/7/77/Buttoncreate.png]<br />
<br />
<!--<br />
==== News ====<br />
* <br />
* <br />
<br><br />
<br />
==== Confirmed trainers for Trainingday ====<br />
{{#switchtablink:Trainingday| <p><br />
* <br />
* <br />
* <br />
* <br />
}}<br />
<br><br />
<br />
--><br />
<br />
==== Confirmed speakers Conference ====<br />
{{#switchtablink:Conferenceday| <p><br />
* Dick Berlijn (ex Chief of Defence NL)<br />
* Jan Joris Vereijken (ING)<br />
* Tom Van Goethem (University Leuven)<br />
* Jerome Nokin (Verizon Business)<br />
* Nick Nikiforakis (University Leuven)<br />
* Fakos Alexios and Jan Philipp (n.runs AG)<br />
* Migchiel de Jong (HP Fortify)<br />
* Victor van der Veen (ITQ)<br />
<br />
}}<br />
<br><br />
<br />
==== The OWASP BeNeLux Program Committee ====<br />
*Bart De Win / Sebastien Deleersnyder/ Lieven Desmet/ David Mathy, OWASP Belgium<br />
*Martin Knobloch / Ferdinand Vroom, OWASP Netherlands<br />
*Jocelyn Aubert / Andre Adelsbach/ Thierry Zoller, OWASP Luxembourg<br />
<br><br />
<br />
=== Tweet! ===<br />
Event tag is [http://twitter.com/#search?q=%23owaspbnl13 #owaspbnl13]<br />
<br><br><br />
==== Donate to OWASP BeNeLux ====<br />
[https://co.clickandpledge.com/?wid=72689 Donate]<br />
<br />
<!-- Second tab --><br />
<br />
= Registration =<br />
<br />
==== OWASP BeNeLux training day and conference are free! ==== <br />
<br />
=== Registration is not now open: ===<br />
<br />
[http://owaspbenelux2013.eventbrite.com/ http://www.owasp.org/images/7/77/Buttoncreate.png]<br />
<br />
<br><br />
To support the OWASP organisation, consider to become a member, it's only US$50!<br />
<br> <br />
Check out the [[Membership]] page to find out more. <br />
<br><br />
<br />
<br />
<!-- Third tab --><br />
<br />
= Venue =<br />
<br />
=== Venue is ===<br />
<br />
'''RAI Amsterdam - Entrance G'''<br />
;Emerald Room<br />
;(On the first floor of the Auditorium Centre)<br />
;Europaplein 2-22<br />
;1078 Amsterdam, THE NETHERLANDS <br />
<br />
<br>'''Parking & roadmap''':<br />
<br />
There is a public parking at the conference venue.<br />
<br />
Roadmap and parking: <br />
<br />
<br />
<br>'''Hotels nearby''': <br> <br />
<br />
<br />
<!-- Fourth tab - currently removed<br />
<br />
= Trainingday =<br />
<br />
==== Trainingday, November 29th ====<br />
<br />
==== Location ====<br />
The training room is: <br />
TBD<br />
<br><br />
<br />
(for details, check the {{#switchtablink:Venue|Venue}} tab)<br />
<br />
==== Agenda ==== <br />
{| class="wikitable"<br />
! Time !! Description !! Room 1 !! Room 2 !! Room 3 !! Room 4<br />
|-<br />
| 08h30 - 9h30<br />
| colspan="5" style="text-align: center; background: grey; color: white;" | ''Registration''<br />
|-<br />
| 09h30 - 11h00 || Training<br />
| rowspan="7" style="width:100px;" | tbd<br />
| rowspan="7" style="width:100px;" | tbd<br />
| rowspan="7" style="width:100px;" | tbd<br />
| rowspan="7" style="width:100px;" | tbd<br />
|-<br />
| 11h00 - 11h30 || ''Coffee Break''<br />
|-<br />
| 11h30 - 13h00 || Training<br />
|-<br />
| 13h00 - 14h00 || ''Lunch''<br />
|-<br />
| 14h00 - 15h30 || Training<br />
|-<br />
| 15h30 - 16h00 || ''Coffee Break''<br />
|-<br />
| 16h00 - 17h30 || Training<br />
|}<br />
<br />
<br />
<br />
<br />
<br />
<br><br />
<br />
--><br />
<br />
<br />
<!-- Fifth tab --><br />
<br />
= Conferenceday =<br />
<br />
==== Conferenceday, November 29th ====<br />
<br />
==== Location ====<br />
TBD (for details, check the {{#switchtablink:Venue|Venue}} tab)<br />
<br />
==== Agenda ==== <br />
{| class="wikitable"<br />
! width="90pt" | Time<br />
! width="130pt" | Speaker !! Topic<br />
|- <br />
| 09h00 - 10h00<br />
| colspan="2" style="text-align: center; background: grey; color: white" | ''Registration''<br />
|- <br />
| 10h00 - 10h15 || OWASP Benelux Organization || Welcome <br />
|-<br />
| 10h15 - 10h30 || Sebastien Deleersnyder, OWASP Global || OWASP update <br />
|-<br />
| 10h30 - 11h10 || [[#JanJorisVereijken|Jan Joris Vereijken]] || '''[[insidethemindofthefraudster|Keynote: Inside the mind of the fraudster]]''' <br>''Abstract:''<br />
|-<br />
| 11h10 - 11h50 || [[#TomVanGoethem|Tom Van Goethem]] || '''Remote code exection in WordPress: an analysis''' <br>''Abstract:''<br />
|-<br />
| 11h50 - 12h30 || [[#JanPhilipp|Alexios Fakos & Jan Philipp]] || '''Getting a handle on SharePoint security complexity''' <br>''Abstract:''<br />
|-<br />
| 12h30 - 13h30<br />
| colspan="2" style="text-align: center;background: grey; color: white" | ''Lunch'' <br />
|-<br />
| 13h30 - 14h10 || [[#DickBerlijn|Dick Berlijn]] || '''Keynote: Cyber warfare''' <br>''Abstract:''<br />
|-<br />
| 14h10 - 14h50 || Migchiel de Jong || ''' Static Analysis and code review; A journey through time, ''' <br>''Abstract:''<br />
|-<br />
| 14h50 - 15h30 || [[#NickNikiforakis|Nick Nikiforakis]] || '''Everything you always wanted to know about web-based device fingerprinting (but were afraid to ask)''' <br>''Abstract:''<br />
|-<br />
| 15h30 - 15h50<br />
| colspan="2" style="text-align: center;background: grey; color: white" | ''Break'' <br />
|-<br />
| 16h30 - 17h10 || [[#JeromeNokin|Jerome Nokin]] || '''Turning your managed Anti-Virus into my botnet''' <br>''Abstract:''<br />
|-<br />
| 17h10 - 17h50 || [[#VictorvanderVeen|Victor van der Veen]] || '''TraceDroid: A Fast and Complete Android Method Tracer'''<br />
|-<br />
| 17h50 - 18h00 || OWASP Benelux 2013 organization || '''Closing Notes'''<br />
|}<br />
<br />
<br><br />
<br><br />
<br />
<br />
<br />
<div id="'JanJorisVereijken"></div><br />
<br />
=== Key note: Inside the mind of the fraudster, by Jan Joris Vereijken (Chief Security Architect, ING) ===<br />
''Abstract:''<br><br />
When we talk about banking malware, we typically think of bits and bytes: Zeus variants, field injections, Man-in-the-Browser attacks, or forensic analysis of infected PCs. What is actually much more interesting, is to understand what is driving the fraudster. He’s doesn’t care about bits and bytes, he’s just in it for the money. If we get into the mind of the fraudster, we can suddenly understand many issues much better. We’ll see that authentication is irrelevant, fraudsters don’t want to steal millions, that they hate the mobile app, and many more surprising things your never realized were keeping our poor fraudster awake at night.<br />
<br><br />
<br><br />
''Bio:''<br><br />
'''Jan Joris Vereijken''' holds a Ph.D. in Computing Science from the Eindhoven University of Technology, where he worked on algebraic protocol verification. After a brief stint at Bell Laboratories to work on Software Engineering, he moved to ING, the Dutch banking conglomerate. <br><br />
In his current role as Chief Security Architect, he is responsible for the security architecture in the 35-odd countries where ING has banking operations.<br><br />
<br><br />
<br />
=== Turning your managed Anti-Virus into my botnet, by Jerome Nokin (Senior Security Consultant, Verizon Business) ===<br />
''Abstract:''<br><br />
Today centrally managed Anti-Virus (AV) solutions are used across all enterprises and are relied upon to provide central management, logging and enforcement. This talk presents the journey and the results of a reviewing the security posture of the core components of a few selected managed AV solutions, the central servers themselves. <br />
Critical security vulnerabilities will be presented, covering SQL Injection, Directory Path Traversal and Buffer Overflow.<br />
Particular focus will be given to the different steps required to analyze both protocols and management functionality and covers reverse-engineering, debugging and the creation of fuzzing tools. Who does not want to transform a major managed AV into his private botnet within minutes?<br />
<br><br />
<br><br />
''Bio:''<br><br />
'''Jerome Nokin''' works as a Security Consultant for Verizon Enterprise where he is a senior member of the Vulnerability Management Team mainly focusing on Penetration Tests<br />
and Web Application Assessment. Prior to his role at Verizon he worked in the area of security covering both consultancy and ICT.<br><br />
<br><br />
<br />
<br />
<div id="'JanPhilipp"></div><br />
<br />
=== Getting a handle on SharePoint security complexity, by Jan Philipp (Solutions Consultant Security, n.runs) and Alexios Fakos (Principal IT Security Consultant, n.runs) ===<br />
''Abstract:''<br><br />
This presentation’s main goal is to provide decision makers, architects, administrators and developers with a comprehensive SharePoint security overview. We will introduce a SharePoint security model applicable to SharePoint versions 2010 and 2013. Then we will take a closer look at the use of different types of security principals and their effective use. This will be followed by covering security aspects when implementing and extending SharePoint to meet business needs and will be emphasized by showcasing common security pitfalls with examples throughout the presentation. This will be demonstrated with security down to the “nitty-gritty” details based on actual use cases and tips and pitfalls that have been encountered during security assessments and implementation of SharePoint solutions.<br />
<br><br />
<br><br />
''Bio:''<br><br />
'''Jan Philipp''' (MCT since 1989, MCITP, MCSE) works as a security consultant at n.runs, where he is responsible for design and implementation security assessments of complex global SharePoint infrastructures and solutions for major German and international companies. He has been involved with SharePoint technologies from their inception with Digital Dashboards throughout their many development changes (TeamSpaces, MOSS etc.) to the present day SharePoint and SharePoint Live versions.<br><br />
'''Alexios Fakos''' (CRISC, CSSLP) began his career in development as a Software Engineer back in 1999. After seven years of inspired insights in the software industry he joined n.runs to be part of the security team. Alexios is leading n.runs SDL services and he is since 2008 part of the German OWASP chapter. Alexios held presentations at OWASP AppSec US and Germany.<br><br />
<br><br />
<br />
<div id="TomVanGoethem"></div><br />
=== Remote code exection in WordPress: an analysis, by Tom Van Goethem (PhD Researcher, University of Leuven) ===<br />
''Abstract:''<br><br />
With over 13 million downloads, WordPress is one of the most popular open source blog platforms and content management systems. One of its key features is the installation of plugins. These are developed by third parties, but WordPress has to maintain its legacy codebase in order to remain compatible with these plugins. As this codebase makes use of unsafe functions, vulnerabilities may arise, affecting thousands websites - if not more. This presentation will focus on a vulnerability that has been present in WordPress versions up to September 2013. This vulnerability, which may lead to Remote Code Execution, was found by a simple combination of two publicly known elements: PHP Object Injection and unexpected behaviour of MySQL regarding Unicode characters.<br />
<br><br />
<br><br />
''Bio:''<br><br />
'''Tom Van Goethem''' is passionate about web security. After getting a master's degree of Applied Informatics, he enrolled in a PhD at the University of Leuven. As a student with a chronic drinking problem, he still found some time to hunt bugs for fun (and profit).<br><br />
<br><br />
<br />
<br />
=== Everything you always wanted to know about web-based device fingerprinting (but were afraid to ask), by Nick Nikiforakis (Postdoctoral Researcher, University of Leuven) ===<br />
''Abstract:''<br><br />
Billions of users browse the web on a daily basis,<br />
and there are single websites that have reached over one billion user<br />
accounts. In this environment, the ability to track users and their online habits can<br />
be very lucrative for advertising companies, yet very intrusive for the privacy of users.<br />
<br />
In this talk, we are going to describe web-based device fingerprinting, i.e., the ability<br />
to tell users apart, without the use of cookies or any other client-side identifiers. We<br />
will explain how device fingerprinting works, who is using, for what reason, and how people<br />
are trying to defend against it today. <br />
<br><br />
<br><br />
''Bio:''<br><br />
'''Nick Nikiforakis''' is a Postdoctoral Researcher at KU Leuven in Belgium. Nick's interests lie<br />
in the analysis of online ecosystems from a security and privacy perspective and he has<br />
published his work in top conferences of his field. More information about him can be found<br />
on his personal page: http://www.securitee.org .<br><br />
<br><br />
<br />
<br />
<br />
<div id="VictorvanderVeen"></div><br />
=== TraceDroid: A Fast and Complete Android Method Tracer, by Victor van der Veen (Security Consultant, ITQ) ===<br />
''Abstract:''<br><br />
Tracedroid allows you to upload any Android APK file (i.e., an Android app) for automated analysis. Tracedroid records the behavior of the executed app, such as its network communication, the UI, but also its internal function calls and Java code that is executed. To trigger the app's real behavior, Tracedroid emulates a few actions, such as user interaction, incoming calls and SMS messages, etc. - this will reveal most malicious intents of an app (if any).<br><br />
During this presentation, I will outline how Tracedroid is implemented and how its stimulation engine performs in terms of code coverage. I will also demonstrate how Tracedroid's output can help malware researchers to gain a better understanding of unknown Android applications during a live demo.<br><br />
You can already give TraceDroid a try via http://tracedroid.few.vu.nl<br />
<br><br />
<br><br />
''Bio:''<br><br />
Victor van der Veen is a security consultant at ITQ and holds a MSc degree in Computer Science from the VU University Amsterdam. TraceDroid is part of his master thesis titled ‘Dynamic Analysis of Android Malware’ for which he co-worked with the Andrubis team from Vienna’s iSecLab. His interests are low-level system topics that enhance system security, as well as reverse engineering and analyzing malicious code. His previous work involves the implementation of a (partial) thrust-worthy voting machine and an in depth analysis on trends in the field of memory errors (published at RAID 2012).<br />
<br><br />
<br />
<div id="MigchieldeJong"></div><br />
=== Static Analysis and code review; A journey through time, by Migchiel de Jong (Software Security Consultant, HP Fortify) ===<br />
''Abstract:''<br><br />
Static analysis techniques to support code review, not just for security, have been around for a long time. This talk will take you on journey from the early days of computer science to this modern day and age of cloud, BYOD and mobile apps and how the passing of time affected code review and the technology to support it. The takeaways from this session are; Understanding the fundamentals problems that have to be addressed to really get the benefits from using static analysis for code review. Trends in code review. Best practices for code review. What the future holds for code review.<br />
<br><br />
<br><br />
''Bio:''<br><br />
Migchiel de Jong has developed hardware and software for the nuclear medicine and nuclear industry space for 10 years before joining Rational Software. During the 5 years at Rational Software (later acquired by IBM) he was involved in many software development process improvement projects. Having joined Fortify 9 years ago, Migchiel de Jong is currently working at HP Fortify, as a software security consultant helping large customers succeed with their software security assurance initiatives.<br><br />
<br><br />
<br />
<br />
<br />
<!--<br />
<br />
<div id="TomVanGoethem"></div><br />
=== Remote Code Exection in WordPress: an analysis, by Tom Van Goethem (PhD University Leuven) ===<br />
''Abstract:''<br><br />
With over 13 million downloads, WordPress is one of the most popular open source blog platforms and content management systems. One of its key features is the installation of plugins. These are developed by third parties, but WordPress has to maintain its legacy codebase in order to remain compatible with these plugins. As this codebase makes use of unsafe functions, vulnerabilities may arise, affecting thousands websites - if not more. This presentation will focus on a vulnerability that has been present in WordPress versions up to September 2013. This vulnerability, which may lead to Remote Code Execution, was found by a simple combination of two publicly known elements: PHP Object Injection and unexpected behaviour of MySQL regarding Unicode characters.<br />
<br><br />
<br><br />
''Bio:''<br><br />
Tom Van Goethem is passionate about web security. After getting a master's degree of Applied Informatics, he enrolled in a PhD at the University of Leuven. As a student with a chronic drinking problem, he still found some time to hunt bugs for fun (and profit).<br><br />
<br><br />
<br />
=== Body Armor for Binaries, by Asia Slowinska (Vrije Universiteit Amsterdam) ===<br />
''Abstract:''<br><br />
BinArmor is a novel technique to protect existing C binaries from memory corruption attacks on both control data and non-control data. Without access to source code, non-control data attacks cannot be detected with current techniques. Our approach hardens binaries against both kinds of overflow, without requiring the pro- grams’ source or symbol tables. We show that BinArmor is able to stop real attacks—including the recent non- control data attack on Exim. Moreover, we did not in- cur a single false positive in practice. On the downside, the current overhead of BinArmor is high—although no worse than competing technologies like taint analysis that do not catch attacks on non-control data. Specifi- cally, we measured an overhead of 70% for gzip, 16%- 180% for lighttpd, and 190% for the nbench suite.<br><br />
<br><br />
''Bio:''<br><br />
I am a postdoctoral researcher in the System and Network Security group at the Vrije Universiteit Amsterdam, under the guidance of Prof. dr. ir. Herbert Bos.<br><br />
I obtained my PhD from the Vrije Universiteit Amsterdam. My dissertation Using information flow tracking to protect legacy binaries was completed under the supervision of Prof. dr. ir. Herbert Bos, while my copromotor was Prof. dr. ir. Henri E. Bal.<br><br />
During my PhD studies, I interned twice with Microsoft Research Cambridge, where I joined the Systems and Performance Group. I also spent few months interning with the Systems and Security Department at Institute for Infocomm Research in Singapore.<br><br />
My research focuses on developing techniques to automatically analyze and reverse engineer complex software that is available only in binary form. Further, I’ve been looking into mechanisms that proactively protect software from malicious activities. Currently, I am involved in a project on Reverse Engineering of binaries, known as Rosetta.<br><br />
<br><br />
<br />
--><br />
<br />
<!-- Sixth tab --><br />
<br />
= Social Event =<br />
<br />
==== Social Event, November 28th ====<br />
'''You (still) got that swing, and what about the moves ? We've got the Balls!'''<br />
<br />
:So "Pin" your schedule to the OWASP Benelux Days - Social Event.<br />
:Thursday Night the 28th of November, our partner Vest Information Security is happy to invite you at:<br />
<br />
:::Knijn Bowling<br />
:::Scheldeplein 3<br />
:::1078 GR Amsterdam<br />
:::http://www.knijnbowling.nl/<br />
<br />
;This is Amsterdams most famous retro-style bowling centre.<br />
<br />
:We are very happy to welcome you from 20:30.<br />
:Our Bowling Tracks are open from 21:30 - 24:00<br />
<br />
'''More details about the registration for the social event will be online soon!'''<br />
<hr><br />
'''The OWASP BeNeLux-Day 2013 Social Event is sponsored by:"<br />
[http://www.vest.nl https://www.owasp.org/images/1/1d/Logo_Vest_BIG_170.gif]<br />
<!-- Seventh tab --><br />
<br />
= CTF =<br />
<br />
==== Capture the Flag! ====<br />
<br />
* Do you like puzzles? <br />
* Do you like challenges? <br />
* Are you a hacker?<br />
<br />
Whether you are an experienced hacker or new enthusiast you should come to OWASP BeNeLux 2013 and participate in the Capture the Flag event November 29th 2013. <br />
<br />
The OWASP CTF is especially designed to support challengers of all skill levels. The CTF contains multiple challenges in various fields related to application security. As every challenge gains you one point, you can pick and choose which challenge you want to play.<br />
<br />
All you need is a laptop with a wifi card and your favorite (preferably) non-commercial tools. <br />
<br />
So come, show off your skills, learn new tricks and above all have a good time at the CTF event. <br />
<br />
<br />
<!-- Eighth tab --><br />
<br />
= Sponsor =<br />
<br />
==== Become a sponsor of OWASP BeNeLux ====<br />
<br />
==== Donate to OWASP BeNeLux ====<br />
<br />
[https://co.clickandpledge.com/?wid=72689 Sponsor] <br />
<br />
<br />
==== Promotion ====<br />
''Feel free to use the text below to promote our event!''<br />
<br />
We invite you to our next OWASP event: the '''BeNeLux OWASP Days 2013!'''<br />
<br />
Free your agenda on the 28th and 29th of November, 2013.<br />
<br />
The good news: free! No fee!<br />
<br />
The bad news: there are only 280 seats available (first register, first serve)!<br />
<br />
<br />
<!-- Don't remove these two lines! --><br />
__NOTOC__ <br />
<headertabs/><br />
<br />
==== Made possible by our {{#switchtablink:Sponsor|Sponsors}}====<br />
<br />
{{MemberLinks|link=http://www.pwc.com/|logo=PWC_log_resized.png}}<br />
[http://www.zionsecurity.com https://www.owasp.org/images/e/e6/Zionsecurity.jpg]<br />
[http://www.vest.nl https://www.owasp.org/images/1/1d/Logo_Vest_BIG_170.gif]<br />
[http://www.Checkmarx.com https://www.owasp.org/images/a/a2/Checkmarx.jpg]<br />
[http://www.sogeti.nl https://www.owasp.org/images/9/94/Sogeti_logo.png]<br />
[http://www.securify.nl https://www.owasp.org/images/7/7a/Securify_BV_logo.png]<br />
{{MemberLinks|link=https://www.whitehatsec.com/|logo=Whitehat.gif}}<br />
[http://www.nviso.be https://www.owasp.org/images/5/5e/Nviso_logo_RGB_baseline_200px.png]<br />
[https://informatiebeveiliging.nl/ https://www.owasp.org/images/9/9a/Logo_Informatiebeveiliging-200.png]<br />
[http://www8.hp.com/us/en/software-solutions/software-security/index.html https://www.owasp.org/images/a/af/HP_Blue_RGB_150_LG-200.png]<br />
<br />
<br />
<br />
<br><br />
<br />
<br />
[[Category:OWASP_AppSec_Conference]] [[Category:OWASP_BeNeLux_Archives]]</div>Favroomhttps://wiki.owasp.org/index.php?title=BeNeLux_OWASP_Day_2013&diff=163318BeNeLux OWASP Day 20132013-11-15T07:55:56Z<p>Favroom: /* Agenda */</p>
<hr />
<div><center>[[Image:Bnl13header-v.1.0.png]]<br></center><br />
<br><!-- Header --><br />
<br />
<br />
<!-- First tab --><br />
= Welcome =<br />
<br />
=== Welcome to OWASP BeNeLux 2013 ===<br />
<br />
'''Registration is now open!'''<br />
<br />
[http://owaspbenelux2013.eventbrite.com/ http://www.owasp.org/images/7/77/Buttoncreate.png]<br />
<br />
<!--<br />
==== News ====<br />
* <br />
* <br />
<br><br />
<br />
==== Confirmed trainers for Trainingday ====<br />
{{#switchtablink:Trainingday| <p><br />
* <br />
* <br />
* <br />
* <br />
}}<br />
<br><br />
<br />
--><br />
<br />
==== Confirmed speakers Conference ====<br />
{{#switchtablink:Conferenceday| <p><br />
* Dick Berlijn (ex Chief of Defence NL)<br />
* Jan Joris Vereijken (ING)<br />
* Tom Van Goethem (University Leuven)<br />
* Jerome Nokin (Verizon Business)<br />
* Nick Nikiforakis (University Leuven)<br />
* Fakos Alexios and Jan Philipp (n.runs AG)<br />
* Migchiel de Jong (HP Fortify)<br />
* Victor van der Veen (ITQ)<br />
<br />
}}<br />
<br><br />
<br />
==== The OWASP BeNeLux Program Committee ====<br />
*Bart De Win / Sebastien Deleersnyder/ Lieven Desmet/ David Mathy, OWASP Belgium<br />
*Martin Knobloch / Ferdinand Vroom, OWASP Netherlands<br />
*Jocelyn Aubert / Andre Adelsbach/ Thierry Zoller, OWASP Luxembourg<br />
<br><br />
<br />
=== Tweet! ===<br />
Event tag is [http://twitter.com/#search?q=%23owaspbnl13 #owaspbnl13]<br />
<br><br><br />
==== Donate to OWASP BeNeLux ====<br />
[https://co.clickandpledge.com/?wid=72689 Donate]<br />
<br />
<!-- Second tab --><br />
<br />
= Registration =<br />
<br />
==== OWASP BeNeLux training day and conference are free! ==== <br />
<br />
=== Registration is not now open: ===<br />
<br />
[http://owaspbenelux2013.eventbrite.com/ http://www.owasp.org/images/7/77/Buttoncreate.png]<br />
<br />
<br><br />
To support the OWASP organisation, consider to become a member, it's only US$50!<br />
<br> <br />
Check out the [[Membership]] page to find out more. <br />
<br><br />
<br />
<br />
<!-- Third tab --><br />
<br />
= Venue =<br />
<br />
=== Venue is ===<br />
<br />
'''RAI Amsterdam - Entrance G'''<br />
;Emerald Room<br />
;(On the first floor of the Auditorium Centre)<br />
;Europaplein 2-22<br />
;1078 Amsterdam, THE NETHERLANDS <br />
<br />
<br>'''Parking & roadmap''':<br />
<br />
There is a public parking at the conference venue.<br />
<br />
Roadmap and parking: <br />
<br />
<br />
<br>'''Hotels nearby''': <br> <br />
<br />
<br />
<!-- Fourth tab - currently removed<br />
<br />
= Trainingday =<br />
<br />
==== Trainingday, November 29th ====<br />
<br />
==== Location ====<br />
The training room is: <br />
TBD<br />
<br><br />
<br />
(for details, check the {{#switchtablink:Venue|Venue}} tab)<br />
<br />
==== Agenda ==== <br />
{| class="wikitable"<br />
! Time !! Description !! Room 1 !! Room 2 !! Room 3 !! Room 4<br />
|-<br />
| 08h30 - 9h30<br />
| colspan="5" style="text-align: center; background: grey; color: white;" | ''Registration''<br />
|-<br />
| 09h30 - 11h00 || Training<br />
| rowspan="7" style="width:100px;" | tbd<br />
| rowspan="7" style="width:100px;" | tbd<br />
| rowspan="7" style="width:100px;" | tbd<br />
| rowspan="7" style="width:100px;" | tbd<br />
|-<br />
| 11h00 - 11h30 || ''Coffee Break''<br />
|-<br />
| 11h30 - 13h00 || Training<br />
|-<br />
| 13h00 - 14h00 || ''Lunch''<br />
|-<br />
| 14h00 - 15h30 || Training<br />
|-<br />
| 15h30 - 16h00 || ''Coffee Break''<br />
|-<br />
| 16h00 - 17h30 || Training<br />
|}<br />
<br />
<br />
<br />
<br />
<br />
<br><br />
<br />
--><br />
<br />
<br />
<!-- Fifth tab --><br />
<br />
= Conferenceday =<br />
<br />
==== Conferenceday, November 29th ====<br />
<br />
==== Location ====<br />
TBD (for details, check the {{#switchtablink:Venue|Venue}} tab)<br />
<br />
==== Agenda ==== <br />
{| class="wikitable"<br />
! width="90pt" | Time<br />
! width="130pt" | Speaker !! Topic<br />
|- <br />
| 09h00 - 10h00<br />
| colspan="2" style="text-align: center; background: grey; color: white" | ''Registration''<br />
|- <br />
| 10h00 - 10h15 || OWASP Benelux Organization || Welcome <br />
|-<br />
| 10h15 - 10h30 || Sebastien Deleersnyder, OWASP Global || OWASP update <br />
|-<br />
| 10h30 - 11h10 || [[#JanJorisVereijken|Jan Joris Vereijken]] || '''Keynote: Inside the mind of the fraudster''' <br>''Abstract:''<br />
|-<br />
| 11h10 - 11h50 || [[#TomVanGoethem|Tom Van Goethem]] || '''Remote code exection in WordPress: an analysis''' <br>''Abstract:''<br />
|-<br />
| 11h50 - 12h30 || [[#JanPhilipp|Alexios Fakos & Jan Philipp]] || '''Getting a handle on SharePoint security complexity''' <br>''Abstract:''<br />
|-<br />
| 12h30 - 13h30<br />
| colspan="2" style="text-align: center;background: grey; color: white" | ''Lunch'' <br />
|-<br />
| 13h30 - 14h10 || [[#DickBerlijn|Dick Berlijn]] || '''Keynote: Cyber warfare''' <br>''Abstract:''<br />
|-<br />
| 14h10 - 14h50 || Migchiel de Jong || ''' Static Analysis and code review; A journey through time, ''' <br>''Abstract:''<br />
|-<br />
| 14h50 - 15h30 || [[#NickNikiforakis|Nick Nikiforakis]] || '''Everything you always wanted to know about web-based device fingerprinting (but were afraid to ask)''' <br>''Abstract:''<br />
|-<br />
| 15h30 - 15h50<br />
| colspan="2" style="text-align: center;background: grey; color: white" | ''Break'' <br />
|-<br />
| 16h30 - 17h10 || [[#JeromeNokin|Jerome Nokin]] || '''Turning your managed Anti-Virus into my botnet''' <br>''Abstract:''<br />
|-<br />
| 17h10 - 17h50 || [[#VictorvanderVeen|Victor van der Veen]] || '''TraceDroid: A Fast and Complete Android Method Tracer'''<br />
|-<br />
| 17h50 - 18h00 || OWASP Benelux 2013 organization || '''Closing Notes'''<br />
|}<br />
<br />
<br><br />
<br><br />
<br />
<br />
<br />
<div id="'JanJorisVereijken"></div><br />
<br />
=== Key note: Inside the mind of the fraudster, by Jan Joris Vereijken (Chief Security Architect, ING) ===<br />
''Abstract:''<br><br />
When we talk about banking malware, we typically think of bits and bytes: Zeus variants, field injections, Man-in-the-Browser attacks, or forensic analysis of infected PCs. What is actually much more interesting, is to understand what is driving the fraudster. He’s doesn’t care about bits and bytes, he’s just in it for the money. If we get into the mind of the fraudster, we can suddenly understand many issues much better. We’ll see that authentication is irrelevant, fraudsters don’t want to steal millions, that they hate the mobile app, and many more surprising things your never realized were keeping our poor fraudster awake at night.<br />
<br><br />
<br><br />
''Bio:''<br><br />
'''Jan Joris Vereijken''' holds a Ph.D. in Computing Science from the Eindhoven University of Technology, where he worked on algebraic protocol verification. After a brief stint at Bell Laboratories to work on Software Engineering, he moved to ING, the Dutch banking conglomerate. <br><br />
In his current role as Chief Security Architect, he is responsible for the security architecture in the 35-odd countries where ING has banking operations.<br><br />
<br><br />
<br />
=== Turning your managed Anti-Virus into my botnet, by Jerome Nokin (Senior Security Consultant, Verizon Business) ===<br />
''Abstract:''<br><br />
Today centrally managed Anti-Virus (AV) solutions are used across all enterprises and are relied upon to provide central management, logging and enforcement. This talk presents the journey and the results of a reviewing the security posture of the core components of a few selected managed AV solutions, the central servers themselves. <br />
Critical security vulnerabilities will be presented, covering SQL Injection, Directory Path Traversal and Buffer Overflow.<br />
Particular focus will be given to the different steps required to analyze both protocols and management functionality and covers reverse-engineering, debugging and the creation of fuzzing tools. Who does not want to transform a major managed AV into his private botnet within minutes?<br />
<br><br />
<br><br />
''Bio:''<br><br />
'''Jerome Nokin''' works as a Security Consultant for Verizon Enterprise where he is a senior member of the Vulnerability Management Team mainly focusing on Penetration Tests<br />
and Web Application Assessment. Prior to his role at Verizon he worked in the area of security covering both consultancy and ICT.<br><br />
<br><br />
<br />
<br />
<div id="'JanPhilipp"></div><br />
<br />
=== Getting a handle on SharePoint security complexity, by Jan Philipp (Solutions Consultant Security, n.runs) and Alexios Fakos (Principal IT Security Consultant, n.runs) ===<br />
''Abstract:''<br><br />
This presentation’s main goal is to provide decision makers, architects, administrators and developers with a comprehensive SharePoint security overview. We will introduce a SharePoint security model applicable to SharePoint versions 2010 and 2013. Then we will take a closer look at the use of different types of security principals and their effective use. This will be followed by covering security aspects when implementing and extending SharePoint to meet business needs and will be emphasized by showcasing common security pitfalls with examples throughout the presentation. This will be demonstrated with security down to the “nitty-gritty” details based on actual use cases and tips and pitfalls that have been encountered during security assessments and implementation of SharePoint solutions.<br />
<br><br />
<br><br />
''Bio:''<br><br />
'''Jan Philipp''' (MCT since 1989, MCITP, MCSE) works as a security consultant at n.runs, where he is responsible for design and implementation security assessments of complex global SharePoint infrastructures and solutions for major German and international companies. He has been involved with SharePoint technologies from their inception with Digital Dashboards throughout their many development changes (TeamSpaces, MOSS etc.) to the present day SharePoint and SharePoint Live versions.<br><br />
'''Alexios Fakos''' (CRISC, CSSLP) began his career in development as a Software Engineer back in 1999. After seven years of inspired insights in the software industry he joined n.runs to be part of the security team. Alexios is leading n.runs SDL services and he is since 2008 part of the German OWASP chapter. Alexios held presentations at OWASP AppSec US and Germany.<br><br />
<br><br />
<br />
<div id="TomVanGoethem"></div><br />
=== Remote code exection in WordPress: an analysis, by Tom Van Goethem (PhD Researcher, University of Leuven) ===<br />
''Abstract:''<br><br />
With over 13 million downloads, WordPress is one of the most popular open source blog platforms and content management systems. One of its key features is the installation of plugins. These are developed by third parties, but WordPress has to maintain its legacy codebase in order to remain compatible with these plugins. As this codebase makes use of unsafe functions, vulnerabilities may arise, affecting thousands websites - if not more. This presentation will focus on a vulnerability that has been present in WordPress versions up to September 2013. This vulnerability, which may lead to Remote Code Execution, was found by a simple combination of two publicly known elements: PHP Object Injection and unexpected behaviour of MySQL regarding Unicode characters.<br />
<br><br />
<br><br />
''Bio:''<br><br />
'''Tom Van Goethem''' is passionate about web security. After getting a master's degree of Applied Informatics, he enrolled in a PhD at the University of Leuven. As a student with a chronic drinking problem, he still found some time to hunt bugs for fun (and profit).<br><br />
<br><br />
<br />
<br />
=== Everything you always wanted to know about web-based device fingerprinting (but were afraid to ask), by Nick Nikiforakis (Postdoctoral Researcher, University of Leuven) ===<br />
''Abstract:''<br><br />
Billions of users browse the web on a daily basis,<br />
and there are single websites that have reached over one billion user<br />
accounts. In this environment, the ability to track users and their online habits can<br />
be very lucrative for advertising companies, yet very intrusive for the privacy of users.<br />
<br />
In this talk, we are going to describe web-based device fingerprinting, i.e., the ability<br />
to tell users apart, without the use of cookies or any other client-side identifiers. We<br />
will explain how device fingerprinting works, who is using, for what reason, and how people<br />
are trying to defend against it today. <br />
<br><br />
<br><br />
''Bio:''<br><br />
'''Nick Nikiforakis''' is a Postdoctoral Researcher at KU Leuven in Belgium. Nick's interests lie<br />
in the analysis of online ecosystems from a security and privacy perspective and he has<br />
published his work in top conferences of his field. More information about him can be found<br />
on his personal page: http://www.securitee.org .<br><br />
<br><br />
<br />
<br />
<br />
<div id="VictorvanderVeen"></div><br />
=== TraceDroid: A Fast and Complete Android Method Tracer, by Victor van der Veen (Security Consultant, ITQ) ===<br />
''Abstract:''<br><br />
Tracedroid allows you to upload any Android APK file (i.e., an Android app) for automated analysis. Tracedroid records the behavior of the executed app, such as its network communication, the UI, but also its internal function calls and Java code that is executed. To trigger the app's real behavior, Tracedroid emulates a few actions, such as user interaction, incoming calls and SMS messages, etc. - this will reveal most malicious intents of an app (if any).<br><br />
During this presentation, I will outline how Tracedroid is implemented and how its stimulation engine performs in terms of code coverage. I will also demonstrate how Tracedroid's output can help malware researchers to gain a better understanding of unknown Android applications during a live demo.<br><br />
You can already give TraceDroid a try via http://tracedroid.few.vu.nl<br />
<br><br />
<br><br />
''Bio:''<br><br />
Victor van der Veen is a security consultant at ITQ and holds a MSc degree in Computer Science from the VU University Amsterdam. TraceDroid is part of his master thesis titled ‘Dynamic Analysis of Android Malware’ for which he co-worked with the Andrubis team from Vienna’s iSecLab. His interests are low-level system topics that enhance system security, as well as reverse engineering and analyzing malicious code. His previous work involves the implementation of a (partial) thrust-worthy voting machine and an in depth analysis on trends in the field of memory errors (published at RAID 2012).<br />
<br><br />
<br />
<div id="MigchieldeJong"></div><br />
=== Static Analysis and code review; A journey through time, by Migchiel de Jong (Software Security Consultant, HP Fortify) ===<br />
''Abstract:''<br><br />
Static analysis techniques to support code review, not just for security, have been around for a long time. This talk will take you on journey from the early days of computer science to this modern day and age of cloud, BYOD and mobile apps and how the passing of time affected code review and the technology to support it. The takeaways from this session are; Understanding the fundamentals problems that have to be addressed to really get the benefits from using static analysis for code review. Trends in code review. Best practices for code review. What the future holds for code review.<br />
<br><br />
<br><br />
''Bio:''<br><br />
Migchiel de Jong has developed hardware and software for the nuclear medicine and nuclear industry space for 10 years before joining Rational Software. During the 5 years at Rational Software (later acquired by IBM) he was involved in many software development process improvement projects. Having joined Fortify 9 years ago, Migchiel de Jong is currently working at HP Fortify, as a software security consultant helping large customers succeed with their software security assurance initiatives.<br><br />
<br><br />
<br />
<br />
<br />
<!--<br />
<br />
<div id="TomVanGoethem"></div><br />
=== Remote Code Exection in WordPress: an analysis, by Tom Van Goethem (PhD University Leuven) ===<br />
''Abstract:''<br><br />
With over 13 million downloads, WordPress is one of the most popular open source blog platforms and content management systems. One of its key features is the installation of plugins. These are developed by third parties, but WordPress has to maintain its legacy codebase in order to remain compatible with these plugins. As this codebase makes use of unsafe functions, vulnerabilities may arise, affecting thousands websites - if not more. This presentation will focus on a vulnerability that has been present in WordPress versions up to September 2013. This vulnerability, which may lead to Remote Code Execution, was found by a simple combination of two publicly known elements: PHP Object Injection and unexpected behaviour of MySQL regarding Unicode characters.<br />
<br><br />
<br><br />
''Bio:''<br><br />
Tom Van Goethem is passionate about web security. After getting a master's degree of Applied Informatics, he enrolled in a PhD at the University of Leuven. As a student with a chronic drinking problem, he still found some time to hunt bugs for fun (and profit).<br><br />
<br><br />
<br />
=== Body Armor for Binaries, by Asia Slowinska (Vrije Universiteit Amsterdam) ===<br />
''Abstract:''<br><br />
BinArmor is a novel technique to protect existing C binaries from memory corruption attacks on both control data and non-control data. Without access to source code, non-control data attacks cannot be detected with current techniques. Our approach hardens binaries against both kinds of overflow, without requiring the pro- grams’ source or symbol tables. We show that BinArmor is able to stop real attacks—including the recent non- control data attack on Exim. Moreover, we did not in- cur a single false positive in practice. On the downside, the current overhead of BinArmor is high—although no worse than competing technologies like taint analysis that do not catch attacks on non-control data. Specifi- cally, we measured an overhead of 70% for gzip, 16%- 180% for lighttpd, and 190% for the nbench suite.<br><br />
<br><br />
''Bio:''<br><br />
I am a postdoctoral researcher in the System and Network Security group at the Vrije Universiteit Amsterdam, under the guidance of Prof. dr. ir. Herbert Bos.<br><br />
I obtained my PhD from the Vrije Universiteit Amsterdam. My dissertation Using information flow tracking to protect legacy binaries was completed under the supervision of Prof. dr. ir. Herbert Bos, while my copromotor was Prof. dr. ir. Henri E. Bal.<br><br />
During my PhD studies, I interned twice with Microsoft Research Cambridge, where I joined the Systems and Performance Group. I also spent few months interning with the Systems and Security Department at Institute for Infocomm Research in Singapore.<br><br />
My research focuses on developing techniques to automatically analyze and reverse engineer complex software that is available only in binary form. Further, I’ve been looking into mechanisms that proactively protect software from malicious activities. Currently, I am involved in a project on Reverse Engineering of binaries, known as Rosetta.<br><br />
<br><br />
<br />
--><br />
<br />
<!-- Sixth tab --><br />
<br />
= Social Event =<br />
<br />
==== Social Event, November 28th ====<br />
'''You (still) got that swing, and what about the moves ? We've got the Balls!'''<br />
<br />
:So "Pin" your schedule to the OWASP Benelux Days - Social Event.<br />
:Thursday Night the 28th of November, our partner Vest Information Security is happy to invite you at:<br />
<br />
:::Knijn Bowling<br />
:::Scheldeplein 3<br />
:::1078 GR Amsterdam<br />
:::http://www.knijnbowling.nl/<br />
<br />
;This is Amsterdams most famous retro-style bowling centre.<br />
<br />
:We are very happy to welcome you from 20:30.<br />
:Our Bowling Tracks are open from 21:30 - 24:00<br />
<br />
'''More details about the registration for the social event will be online soon!'''<br />
<hr><br />
'''The OWASP BeNeLux-Day 2013 Social Event is sponsored by:"<br />
[http://www.vest.nl https://www.owasp.org/images/1/1d/Logo_Vest_BIG_170.gif]<br />
<!-- Seventh tab --><br />
<br />
= CTF =<br />
<br />
==== Capture the Flag! ====<br />
<br />
* Do you like puzzles? <br />
* Do you like challenges? <br />
* Are you a hacker?<br />
<br />
Whether you are an experienced hacker or new enthusiast you should come to OWASP BeNeLux 2013 and participate in the Capture the Flag event November 29th 2013. <br />
<br />
The OWASP CTF is especially designed to support challengers of all skill levels. The CTF contains multiple challenges in various fields related to application security. As every challenge gains you one point, you can pick and choose which challenge you want to play.<br />
<br />
All you need is a laptop with a wifi card and your favorite (preferably) non-commercial tools. <br />
<br />
So come, show off your skills, learn new tricks and above all have a good time at the CTF event. <br />
<br />
<br />
<!-- Eighth tab --><br />
<br />
= Sponsor =<br />
<br />
==== Become a sponsor of OWASP BeNeLux ====<br />
<br />
==== Donate to OWASP BeNeLux ====<br />
<br />
[https://co.clickandpledge.com/?wid=72689 Sponsor] <br />
<br />
<br />
==== Promotion ====<br />
''Feel free to use the text below to promote our event!''<br />
<br />
We invite you to our next OWASP event: the '''BeNeLux OWASP Days 2013!'''<br />
<br />
Free your agenda on the 28th and 29th of November, 2013.<br />
<br />
The good news: free! No fee!<br />
<br />
The bad news: there are only 280 seats available (first register, first serve)!<br />
<br />
<br />
<!-- Don't remove these two lines! --><br />
__NOTOC__ <br />
<headertabs/><br />
<br />
==== Made possible by our {{#switchtablink:Sponsor|Sponsors}}====<br />
<br />
{{MemberLinks|link=http://www.pwc.com/|logo=PWC_log_resized.png}}<br />
[http://www.zionsecurity.com https://www.owasp.org/images/e/e6/Zionsecurity.jpg]<br />
[http://www.vest.nl https://www.owasp.org/images/1/1d/Logo_Vest_BIG_170.gif]<br />
[http://www.Checkmarx.com https://www.owasp.org/images/a/a2/Checkmarx.jpg]<br />
[http://www.sogeti.nl https://www.owasp.org/images/9/94/Sogeti_logo.png]<br />
[http://www.securify.nl https://www.owasp.org/images/7/7a/Securify_BV_logo.png]<br />
{{MemberLinks|link=https://www.whitehatsec.com/|logo=Whitehat.gif}}<br />
[http://www.nviso.be https://www.owasp.org/images/5/5e/Nviso_logo_RGB_baseline_200px.png]<br />
[https://informatiebeveiliging.nl/ https://www.owasp.org/images/9/9a/Logo_Informatiebeveiliging-200.png]<br />
[http://www8.hp.com/us/en/software-solutions/software-security/index.html https://www.owasp.org/images/a/af/HP_Blue_RGB_150_LG-200.png]<br />
<br />
<br />
<br />
<br><br />
<br />
<br />
[[Category:OWASP_AppSec_Conference]] [[Category:OWASP_BeNeLux_Archives]]</div>Favroomhttps://wiki.owasp.org/index.php?title=BeNeLux_OWASP_Day_2013&diff=163317BeNeLux OWASP Day 20132013-11-15T07:54:42Z<p>Favroom: /* Key note: Inside the mind of the fraudster, by Jan Joris Vereijken (Chief Security Architect, ING) */</p>
<hr />
<div><center>[[Image:Bnl13header-v.1.0.png]]<br></center><br />
<br><!-- Header --><br />
<br />
<br />
<!-- First tab --><br />
= Welcome =<br />
<br />
=== Welcome to OWASP BeNeLux 2013 ===<br />
<br />
'''Registration is now open!'''<br />
<br />
[http://owaspbenelux2013.eventbrite.com/ http://www.owasp.org/images/7/77/Buttoncreate.png]<br />
<br />
<!--<br />
==== News ====<br />
* <br />
* <br />
<br><br />
<br />
==== Confirmed trainers for Trainingday ====<br />
{{#switchtablink:Trainingday| <p><br />
* <br />
* <br />
* <br />
* <br />
}}<br />
<br><br />
<br />
--><br />
<br />
==== Confirmed speakers Conference ====<br />
{{#switchtablink:Conferenceday| <p><br />
* Dick Berlijn (ex Chief of Defence NL)<br />
* Jan Joris Vereijken (ING)<br />
* Tom Van Goethem (University Leuven)<br />
* Jerome Nokin (Verizon Business)<br />
* Nick Nikiforakis (University Leuven)<br />
* Fakos Alexios and Jan Philipp (n.runs AG)<br />
* Migchiel de Jong (HP Fortify)<br />
* Victor van der Veen (ITQ)<br />
<br />
}}<br />
<br><br />
<br />
==== The OWASP BeNeLux Program Committee ====<br />
*Bart De Win / Sebastien Deleersnyder/ Lieven Desmet/ David Mathy, OWASP Belgium<br />
*Martin Knobloch / Ferdinand Vroom, OWASP Netherlands<br />
*Jocelyn Aubert / Andre Adelsbach/ Thierry Zoller, OWASP Luxembourg<br />
<br><br />
<br />
=== Tweet! ===<br />
Event tag is [http://twitter.com/#search?q=%23owaspbnl13 #owaspbnl13]<br />
<br><br><br />
==== Donate to OWASP BeNeLux ====<br />
[https://co.clickandpledge.com/?wid=72689 Donate]<br />
<br />
<!-- Second tab --><br />
<br />
= Registration =<br />
<br />
==== OWASP BeNeLux training day and conference are free! ==== <br />
<br />
=== Registration is not now open: ===<br />
<br />
[http://owaspbenelux2013.eventbrite.com/ http://www.owasp.org/images/7/77/Buttoncreate.png]<br />
<br />
<br><br />
To support the OWASP organisation, consider to become a member, it's only US$50!<br />
<br> <br />
Check out the [[Membership]] page to find out more. <br />
<br><br />
<br />
<br />
<!-- Third tab --><br />
<br />
= Venue =<br />
<br />
=== Venue is ===<br />
<br />
'''RAI Amsterdam - Entrance G'''<br />
;Emerald Room<br />
;(On the first floor of the Auditorium Centre)<br />
;Europaplein 2-22<br />
;1078 Amsterdam, THE NETHERLANDS <br />
<br />
<br>'''Parking & roadmap''':<br />
<br />
There is a public parking at the conference venue.<br />
<br />
Roadmap and parking: <br />
<br />
<br />
<br>'''Hotels nearby''': <br> <br />
<br />
<br />
<!-- Fourth tab - currently removed<br />
<br />
= Trainingday =<br />
<br />
==== Trainingday, November 29th ====<br />
<br />
==== Location ====<br />
The training room is: <br />
TBD<br />
<br><br />
<br />
(for details, check the {{#switchtablink:Venue|Venue}} tab)<br />
<br />
==== Agenda ==== <br />
{| class="wikitable"<br />
! Time !! Description !! Room 1 !! Room 2 !! Room 3 !! Room 4<br />
|-<br />
| 08h30 - 9h30<br />
| colspan="5" style="text-align: center; background: grey; color: white;" | ''Registration''<br />
|-<br />
| 09h30 - 11h00 || Training<br />
| rowspan="7" style="width:100px;" | tbd<br />
| rowspan="7" style="width:100px;" | tbd<br />
| rowspan="7" style="width:100px;" | tbd<br />
| rowspan="7" style="width:100px;" | tbd<br />
|-<br />
| 11h00 - 11h30 || ''Coffee Break''<br />
|-<br />
| 11h30 - 13h00 || Training<br />
|-<br />
| 13h00 - 14h00 || ''Lunch''<br />
|-<br />
| 14h00 - 15h30 || Training<br />
|-<br />
| 15h30 - 16h00 || ''Coffee Break''<br />
|-<br />
| 16h00 - 17h30 || Training<br />
|}<br />
<br />
<br />
<br />
<br />
<br />
<br><br />
<br />
--><br />
<br />
<br />
<!-- Fifth tab --><br />
<br />
= Conferenceday =<br />
<br />
==== Conferenceday, November 29th ====<br />
<br />
==== Location ====<br />
TBD (for details, check the {{#switchtablink:Venue|Venue}} tab)<br />
<br />
==== Agenda ==== <br />
{| class="wikitable"<br />
! width="90pt" | Time<br />
! width="130pt" | Speaker !! Topic<br />
|- <br />
| 09h00 - 10h00<br />
| colspan="2" style="text-align: center; background: grey; color: white" | ''Registration''<br />
|- <br />
| 10h00 - 10h15 || OWASP Benelux Organization || Welcome <br />
|-<br />
| 10h15 - 10h30 || Sebastien Deleersnyder, OWASP Global || OWASP update <br />
|-<br />
| 10h30 - 11h10 || [[#JanJorisVereijken|Jan Joris Vereijken]] || '''Keynote: Cybersecurity (Banking)''' <br>''Abstract:''<br />
|-<br />
| 11h10 - 11h50 || [[#TomVanGoethem|Tom Van Goethem]] || '''Remote code exection in WordPress: an analysis''' <br>''Abstract:''<br />
|-<br />
| 11h50 - 12h30 || [[#JanPhilipp|Alexios Fakos & Jan Philipp]] || '''Getting a handle on SharePoint security complexity''' <br>''Abstract:''<br />
|-<br />
| 12h30 - 13h30<br />
| colspan="2" style="text-align: center;background: grey; color: white" | ''Lunch'' <br />
|-<br />
| 13h30 - 14h10 || [[#DickBerlijn|Dick Berlijn]] || '''Cyber warfare''' <br>''Abstract:''<br />
|-<br />
| 14h10 - 14h50 || Migchiel de Jong || ''' Static Analysis and code review; A journey through time, ''' <br>''Abstract:''<br />
|-<br />
| 14h50 - 15h30 || [[#NickNikiforakis|Nick Nikiforakis]] || '''Everything you always wanted to know about web-based device fingerprinting (but were afraid to ask)''' <br>''Abstract:''<br />
|-<br />
| 15h30 - 15h50<br />
| colspan="2" style="text-align: center;background: grey; color: white" | ''Break'' <br />
|-<br />
| 16h30 - 17h10 || [[#JeromeNokin|Jerome Nokin]] || '''Turning your managed Anti-Virus into my botnet''' <br>''Abstract:''<br />
|-<br />
| 17h10 - 17h50 || [[#VictorvanderVeen|Victor van der Veen]] || '''TraceDroid: A Fast and Complete Android Method Tracer'''<br />
|-<br />
| 17h50 - 18h00 || OWASP Benelux 2013 organization || '''Closing Notes'''<br />
|}<br />
<br />
<br><br />
<br><br />
<br />
<br />
<br />
<div id="'JanJorisVereijken"></div><br />
<br />
=== Key note: Inside the mind of the fraudster, by Jan Joris Vereijken (Chief Security Architect, ING) ===<br />
''Abstract:''<br><br />
When we talk about banking malware, we typically think of bits and bytes: Zeus variants, field injections, Man-in-the-Browser attacks, or forensic analysis of infected PCs. What is actually much more interesting, is to understand what is driving the fraudster. He’s doesn’t care about bits and bytes, he’s just in it for the money. If we get into the mind of the fraudster, we can suddenly understand many issues much better. We’ll see that authentication is irrelevant, fraudsters don’t want to steal millions, that they hate the mobile app, and many more surprising things your never realized were keeping our poor fraudster awake at night.<br />
<br><br />
<br><br />
''Bio:''<br><br />
'''Jan Joris Vereijken''' holds a Ph.D. in Computing Science from the Eindhoven University of Technology, where he worked on algebraic protocol verification. After a brief stint at Bell Laboratories to work on Software Engineering, he moved to ING, the Dutch banking conglomerate. <br><br />
In his current role as Chief Security Architect, he is responsible for the security architecture in the 35-odd countries where ING has banking operations.<br><br />
<br><br />
<br />
=== Turning your managed Anti-Virus into my botnet, by Jerome Nokin (Senior Security Consultant, Verizon Business) ===<br />
''Abstract:''<br><br />
Today centrally managed Anti-Virus (AV) solutions are used across all enterprises and are relied upon to provide central management, logging and enforcement. This talk presents the journey and the results of a reviewing the security posture of the core components of a few selected managed AV solutions, the central servers themselves. <br />
Critical security vulnerabilities will be presented, covering SQL Injection, Directory Path Traversal and Buffer Overflow.<br />
Particular focus will be given to the different steps required to analyze both protocols and management functionality and covers reverse-engineering, debugging and the creation of fuzzing tools. Who does not want to transform a major managed AV into his private botnet within minutes?<br />
<br><br />
<br><br />
''Bio:''<br><br />
'''Jerome Nokin''' works as a Security Consultant for Verizon Enterprise where he is a senior member of the Vulnerability Management Team mainly focusing on Penetration Tests<br />
and Web Application Assessment. Prior to his role at Verizon he worked in the area of security covering both consultancy and ICT.<br><br />
<br><br />
<br />
<br />
<div id="'JanPhilipp"></div><br />
<br />
=== Getting a handle on SharePoint security complexity, by Jan Philipp (Solutions Consultant Security, n.runs) and Alexios Fakos (Principal IT Security Consultant, n.runs) ===<br />
''Abstract:''<br><br />
This presentation’s main goal is to provide decision makers, architects, administrators and developers with a comprehensive SharePoint security overview. We will introduce a SharePoint security model applicable to SharePoint versions 2010 and 2013. Then we will take a closer look at the use of different types of security principals and their effective use. This will be followed by covering security aspects when implementing and extending SharePoint to meet business needs and will be emphasized by showcasing common security pitfalls with examples throughout the presentation. This will be demonstrated with security down to the “nitty-gritty” details based on actual use cases and tips and pitfalls that have been encountered during security assessments and implementation of SharePoint solutions.<br />
<br><br />
<br><br />
''Bio:''<br><br />
'''Jan Philipp''' (MCT since 1989, MCITP, MCSE) works as a security consultant at n.runs, where he is responsible for design and implementation security assessments of complex global SharePoint infrastructures and solutions for major German and international companies. He has been involved with SharePoint technologies from their inception with Digital Dashboards throughout their many development changes (TeamSpaces, MOSS etc.) to the present day SharePoint and SharePoint Live versions.<br><br />
'''Alexios Fakos''' (CRISC, CSSLP) began his career in development as a Software Engineer back in 1999. After seven years of inspired insights in the software industry he joined n.runs to be part of the security team. Alexios is leading n.runs SDL services and he is since 2008 part of the German OWASP chapter. Alexios held presentations at OWASP AppSec US and Germany.<br><br />
<br><br />
<br />
<div id="TomVanGoethem"></div><br />
=== Remote code exection in WordPress: an analysis, by Tom Van Goethem (PhD Researcher, University of Leuven) ===<br />
''Abstract:''<br><br />
With over 13 million downloads, WordPress is one of the most popular open source blog platforms and content management systems. One of its key features is the installation of plugins. These are developed by third parties, but WordPress has to maintain its legacy codebase in order to remain compatible with these plugins. As this codebase makes use of unsafe functions, vulnerabilities may arise, affecting thousands websites - if not more. This presentation will focus on a vulnerability that has been present in WordPress versions up to September 2013. This vulnerability, which may lead to Remote Code Execution, was found by a simple combination of two publicly known elements: PHP Object Injection and unexpected behaviour of MySQL regarding Unicode characters.<br />
<br><br />
<br><br />
''Bio:''<br><br />
'''Tom Van Goethem''' is passionate about web security. After getting a master's degree of Applied Informatics, he enrolled in a PhD at the University of Leuven. As a student with a chronic drinking problem, he still found some time to hunt bugs for fun (and profit).<br><br />
<br><br />
<br />
<br />
=== Everything you always wanted to know about web-based device fingerprinting (but were afraid to ask), by Nick Nikiforakis (Postdoctoral Researcher, University of Leuven) ===<br />
''Abstract:''<br><br />
Billions of users browse the web on a daily basis,<br />
and there are single websites that have reached over one billion user<br />
accounts. In this environment, the ability to track users and their online habits can<br />
be very lucrative for advertising companies, yet very intrusive for the privacy of users.<br />
<br />
In this talk, we are going to describe web-based device fingerprinting, i.e., the ability<br />
to tell users apart, without the use of cookies or any other client-side identifiers. We<br />
will explain how device fingerprinting works, who is using, for what reason, and how people<br />
are trying to defend against it today. <br />
<br><br />
<br><br />
''Bio:''<br><br />
'''Nick Nikiforakis''' is a Postdoctoral Researcher at KU Leuven in Belgium. Nick's interests lie<br />
in the analysis of online ecosystems from a security and privacy perspective and he has<br />
published his work in top conferences of his field. More information about him can be found<br />
on his personal page: http://www.securitee.org .<br><br />
<br><br />
<br />
<br />
<br />
<div id="VictorvanderVeen"></div><br />
=== TraceDroid: A Fast and Complete Android Method Tracer, by Victor van der Veen (Security Consultant, ITQ) ===<br />
''Abstract:''<br><br />
Tracedroid allows you to upload any Android APK file (i.e., an Android app) for automated analysis. Tracedroid records the behavior of the executed app, such as its network communication, the UI, but also its internal function calls and Java code that is executed. To trigger the app's real behavior, Tracedroid emulates a few actions, such as user interaction, incoming calls and SMS messages, etc. - this will reveal most malicious intents of an app (if any).<br><br />
During this presentation, I will outline how Tracedroid is implemented and how its stimulation engine performs in terms of code coverage. I will also demonstrate how Tracedroid's output can help malware researchers to gain a better understanding of unknown Android applications during a live demo.<br><br />
You can already give TraceDroid a try via http://tracedroid.few.vu.nl<br />
<br><br />
<br><br />
''Bio:''<br><br />
Victor van der Veen is a security consultant at ITQ and holds a MSc degree in Computer Science from the VU University Amsterdam. TraceDroid is part of his master thesis titled ‘Dynamic Analysis of Android Malware’ for which he co-worked with the Andrubis team from Vienna’s iSecLab. His interests are low-level system topics that enhance system security, as well as reverse engineering and analyzing malicious code. His previous work involves the implementation of a (partial) thrust-worthy voting machine and an in depth analysis on trends in the field of memory errors (published at RAID 2012).<br />
<br><br />
<br />
<div id="MigchieldeJong"></div><br />
=== Static Analysis and code review; A journey through time, by Migchiel de Jong (Software Security Consultant, HP Fortify) ===<br />
''Abstract:''<br><br />
Static analysis techniques to support code review, not just for security, have been around for a long time. This talk will take you on journey from the early days of computer science to this modern day and age of cloud, BYOD and mobile apps and how the passing of time affected code review and the technology to support it. The takeaways from this session are; Understanding the fundamentals problems that have to be addressed to really get the benefits from using static analysis for code review. Trends in code review. Best practices for code review. What the future holds for code review.<br />
<br><br />
<br><br />
''Bio:''<br><br />
Migchiel de Jong has developed hardware and software for the nuclear medicine and nuclear industry space for 10 years before joining Rational Software. During the 5 years at Rational Software (later acquired by IBM) he was involved in many software development process improvement projects. Having joined Fortify 9 years ago, Migchiel de Jong is currently working at HP Fortify, as a software security consultant helping large customers succeed with their software security assurance initiatives.<br><br />
<br><br />
<br />
<br />
<br />
<!--<br />
<br />
<div id="TomVanGoethem"></div><br />
=== Remote Code Exection in WordPress: an analysis, by Tom Van Goethem (PhD University Leuven) ===<br />
''Abstract:''<br><br />
With over 13 million downloads, WordPress is one of the most popular open source blog platforms and content management systems. One of its key features is the installation of plugins. These are developed by third parties, but WordPress has to maintain its legacy codebase in order to remain compatible with these plugins. As this codebase makes use of unsafe functions, vulnerabilities may arise, affecting thousands websites - if not more. This presentation will focus on a vulnerability that has been present in WordPress versions up to September 2013. This vulnerability, which may lead to Remote Code Execution, was found by a simple combination of two publicly known elements: PHP Object Injection and unexpected behaviour of MySQL regarding Unicode characters.<br />
<br><br />
<br><br />
''Bio:''<br><br />
Tom Van Goethem is passionate about web security. After getting a master's degree of Applied Informatics, he enrolled in a PhD at the University of Leuven. As a student with a chronic drinking problem, he still found some time to hunt bugs for fun (and profit).<br><br />
<br><br />
<br />
=== Body Armor for Binaries, by Asia Slowinska (Vrije Universiteit Amsterdam) ===<br />
''Abstract:''<br><br />
BinArmor is a novel technique to protect existing C binaries from memory corruption attacks on both control data and non-control data. Without access to source code, non-control data attacks cannot be detected with current techniques. Our approach hardens binaries against both kinds of overflow, without requiring the pro- grams’ source or symbol tables. We show that BinArmor is able to stop real attacks—including the recent non- control data attack on Exim. Moreover, we did not in- cur a single false positive in practice. On the downside, the current overhead of BinArmor is high—although no worse than competing technologies like taint analysis that do not catch attacks on non-control data. Specifi- cally, we measured an overhead of 70% for gzip, 16%- 180% for lighttpd, and 190% for the nbench suite.<br><br />
<br><br />
''Bio:''<br><br />
I am a postdoctoral researcher in the System and Network Security group at the Vrije Universiteit Amsterdam, under the guidance of Prof. dr. ir. Herbert Bos.<br><br />
I obtained my PhD from the Vrije Universiteit Amsterdam. My dissertation Using information flow tracking to protect legacy binaries was completed under the supervision of Prof. dr. ir. Herbert Bos, while my copromotor was Prof. dr. ir. Henri E. Bal.<br><br />
During my PhD studies, I interned twice with Microsoft Research Cambridge, where I joined the Systems and Performance Group. I also spent few months interning with the Systems and Security Department at Institute for Infocomm Research in Singapore.<br><br />
My research focuses on developing techniques to automatically analyze and reverse engineer complex software that is available only in binary form. Further, I’ve been looking into mechanisms that proactively protect software from malicious activities. Currently, I am involved in a project on Reverse Engineering of binaries, known as Rosetta.<br><br />
<br><br />
<br />
--><br />
<br />
<!-- Sixth tab --><br />
<br />
= Social Event =<br />
<br />
==== Social Event, November 28th ====<br />
'''You (still) got that swing, and what about the moves ? We've got the Balls!'''<br />
<br />
:So "Pin" your schedule to the OWASP Benelux Days - Social Event.<br />
:Thursday Night the 28th of November, our partner Vest Information Security is happy to invite you at:<br />
<br />
:::Knijn Bowling<br />
:::Scheldeplein 3<br />
:::1078 GR Amsterdam<br />
:::http://www.knijnbowling.nl/<br />
<br />
;This is Amsterdams most famous retro-style bowling centre.<br />
<br />
:We are very happy to welcome you from 20:30.<br />
:Our Bowling Tracks are open from 21:30 - 24:00<br />
<br />
'''More details about the registration for the social event will be online soon!'''<br />
<hr><br />
'''The OWASP BeNeLux-Day 2013 Social Event is sponsored by:"<br />
[http://www.vest.nl https://www.owasp.org/images/1/1d/Logo_Vest_BIG_170.gif]<br />
<!-- Seventh tab --><br />
<br />
= CTF =<br />
<br />
==== Capture the Flag! ====<br />
<br />
* Do you like puzzles? <br />
* Do you like challenges? <br />
* Are you a hacker?<br />
<br />
Whether you are an experienced hacker or new enthusiast you should come to OWASP BeNeLux 2013 and participate in the Capture the Flag event November 29th 2013. <br />
<br />
The OWASP CTF is especially designed to support challengers of all skill levels. The CTF contains multiple challenges in various fields related to application security. As every challenge gains you one point, you can pick and choose which challenge you want to play.<br />
<br />
All you need is a laptop with a wifi card and your favorite (preferably) non-commercial tools. <br />
<br />
So come, show off your skills, learn new tricks and above all have a good time at the CTF event. <br />
<br />
<br />
<!-- Eighth tab --><br />
<br />
= Sponsor =<br />
<br />
==== Become a sponsor of OWASP BeNeLux ====<br />
<br />
==== Donate to OWASP BeNeLux ====<br />
<br />
[https://co.clickandpledge.com/?wid=72689 Sponsor] <br />
<br />
<br />
==== Promotion ====<br />
''Feel free to use the text below to promote our event!''<br />
<br />
We invite you to our next OWASP event: the '''BeNeLux OWASP Days 2013!'''<br />
<br />
Free your agenda on the 28th and 29th of November, 2013.<br />
<br />
The good news: free! No fee!<br />
<br />
The bad news: there are only 280 seats available (first register, first serve)!<br />
<br />
<br />
<!-- Don't remove these two lines! --><br />
__NOTOC__ <br />
<headertabs/><br />
<br />
==== Made possible by our {{#switchtablink:Sponsor|Sponsors}}====<br />
<br />
{{MemberLinks|link=http://www.pwc.com/|logo=PWC_log_resized.png}}<br />
[http://www.zionsecurity.com https://www.owasp.org/images/e/e6/Zionsecurity.jpg]<br />
[http://www.vest.nl https://www.owasp.org/images/1/1d/Logo_Vest_BIG_170.gif]<br />
[http://www.Checkmarx.com https://www.owasp.org/images/a/a2/Checkmarx.jpg]<br />
[http://www.sogeti.nl https://www.owasp.org/images/9/94/Sogeti_logo.png]<br />
[http://www.securify.nl https://www.owasp.org/images/7/7a/Securify_BV_logo.png]<br />
{{MemberLinks|link=https://www.whitehatsec.com/|logo=Whitehat.gif}}<br />
[http://www.nviso.be https://www.owasp.org/images/5/5e/Nviso_logo_RGB_baseline_200px.png]<br />
[https://informatiebeveiliging.nl/ https://www.owasp.org/images/9/9a/Logo_Informatiebeveiliging-200.png]<br />
[http://www8.hp.com/us/en/software-solutions/software-security/index.html https://www.owasp.org/images/a/af/HP_Blue_RGB_150_LG-200.png]<br />
<br />
<br />
<br />
<br><br />
<br />
<br />
[[Category:OWASP_AppSec_Conference]] [[Category:OWASP_BeNeLux_Archives]]</div>Favroomhttps://wiki.owasp.org/index.php?title=BeNeLux_OWASP_Day_2013&diff=163314BeNeLux OWASP Day 20132013-11-15T07:52:11Z<p>Favroom: /* Key note, by Jan Joris Vereijken (Chief Security Architect, ING) */</p>
<hr />
<div><center>[[Image:Bnl13header-v.1.0.png]]<br></center><br />
<br><!-- Header --><br />
<br />
<br />
<!-- First tab --><br />
= Welcome =<br />
<br />
=== Welcome to OWASP BeNeLux 2013 ===<br />
<br />
'''Registration is now open!'''<br />
<br />
[http://owaspbenelux2013.eventbrite.com/ http://www.owasp.org/images/7/77/Buttoncreate.png]<br />
<br />
<!--<br />
==== News ====<br />
* <br />
* <br />
<br><br />
<br />
==== Confirmed trainers for Trainingday ====<br />
{{#switchtablink:Trainingday| <p><br />
* <br />
* <br />
* <br />
* <br />
}}<br />
<br><br />
<br />
--><br />
<br />
==== Confirmed speakers Conference ====<br />
{{#switchtablink:Conferenceday| <p><br />
* Dick Berlijn (ex Chief of Defence NL)<br />
* Jan Joris Vereijken (ING)<br />
* Tom Van Goethem (University Leuven)<br />
* Jerome Nokin (Verizon Business)<br />
* Nick Nikiforakis (University Leuven)<br />
* Fakos Alexios and Jan Philipp (n.runs AG)<br />
* Migchiel de Jong (HP Fortify)<br />
* Victor van der Veen (ITQ)<br />
<br />
}}<br />
<br><br />
<br />
==== The OWASP BeNeLux Program Committee ====<br />
*Bart De Win / Sebastien Deleersnyder/ Lieven Desmet/ David Mathy, OWASP Belgium<br />
*Martin Knobloch / Ferdinand Vroom, OWASP Netherlands<br />
*Jocelyn Aubert / Andre Adelsbach/ Thierry Zoller, OWASP Luxembourg<br />
<br><br />
<br />
=== Tweet! ===<br />
Event tag is [http://twitter.com/#search?q=%23owaspbnl13 #owaspbnl13]<br />
<br><br><br />
==== Donate to OWASP BeNeLux ====<br />
[https://co.clickandpledge.com/?wid=72689 Donate]<br />
<br />
<!-- Second tab --><br />
<br />
= Registration =<br />
<br />
==== OWASP BeNeLux training day and conference are free! ==== <br />
<br />
=== Registration is not now open: ===<br />
<br />
[http://owaspbenelux2013.eventbrite.com/ http://www.owasp.org/images/7/77/Buttoncreate.png]<br />
<br />
<br><br />
To support the OWASP organisation, consider to become a member, it's only US$50!<br />
<br> <br />
Check out the [[Membership]] page to find out more. <br />
<br><br />
<br />
<br />
<!-- Third tab --><br />
<br />
= Venue =<br />
<br />
=== Venue is ===<br />
<br />
'''RAI Amsterdam - Entrance G'''<br />
;Emerald Room<br />
;(On the first floor of the Auditorium Centre)<br />
;Europaplein 2-22<br />
;1078 Amsterdam, THE NETHERLANDS <br />
<br />
<br>'''Parking & roadmap''':<br />
<br />
There is a public parking at the conference venue.<br />
<br />
Roadmap and parking: <br />
<br />
<br />
<br>'''Hotels nearby''': <br> <br />
<br />
<br />
<!-- Fourth tab - currently removed<br />
<br />
= Trainingday =<br />
<br />
==== Trainingday, November 29th ====<br />
<br />
==== Location ====<br />
The training room is: <br />
TBD<br />
<br><br />
<br />
(for details, check the {{#switchtablink:Venue|Venue}} tab)<br />
<br />
==== Agenda ==== <br />
{| class="wikitable"<br />
! Time !! Description !! Room 1 !! Room 2 !! Room 3 !! Room 4<br />
|-<br />
| 08h30 - 9h30<br />
| colspan="5" style="text-align: center; background: grey; color: white;" | ''Registration''<br />
|-<br />
| 09h30 - 11h00 || Training<br />
| rowspan="7" style="width:100px;" | tbd<br />
| rowspan="7" style="width:100px;" | tbd<br />
| rowspan="7" style="width:100px;" | tbd<br />
| rowspan="7" style="width:100px;" | tbd<br />
|-<br />
| 11h00 - 11h30 || ''Coffee Break''<br />
|-<br />
| 11h30 - 13h00 || Training<br />
|-<br />
| 13h00 - 14h00 || ''Lunch''<br />
|-<br />
| 14h00 - 15h30 || Training<br />
|-<br />
| 15h30 - 16h00 || ''Coffee Break''<br />
|-<br />
| 16h00 - 17h30 || Training<br />
|}<br />
<br />
<br />
<br />
<br />
<br />
<br><br />
<br />
--><br />
<br />
<br />
<!-- Fifth tab --><br />
<br />
= Conferenceday =<br />
<br />
==== Conferenceday, November 29th ====<br />
<br />
==== Location ====<br />
TBD (for details, check the {{#switchtablink:Venue|Venue}} tab)<br />
<br />
==== Agenda ==== <br />
{| class="wikitable"<br />
! width="90pt" | Time<br />
! width="130pt" | Speaker !! Topic<br />
|- <br />
| 09h00 - 10h00<br />
| colspan="2" style="text-align: center; background: grey; color: white" | ''Registration''<br />
|- <br />
| 10h00 - 10h15 || OWASP Benelux Organization || Welcome <br />
|-<br />
| 10h15 - 10h30 || Sebastien Deleersnyder, OWASP Global || OWASP update <br />
|-<br />
| 10h30 - 11h10 || [[#JanJorisVereijken|Jan Joris Vereijken]] || '''Keynote: Cybersecurity (Banking)''' <br>''Abstract:''<br />
|-<br />
| 11h10 - 11h50 || [[#TomVanGoethem|Tom Van Goethem]] || '''Remote code exection in WordPress: an analysis''' <br>''Abstract:''<br />
|-<br />
| 11h50 - 12h30 || [[#JanPhilipp|Alexios Fakos & Jan Philipp]] || '''Getting a handle on SharePoint security complexity''' <br>''Abstract:''<br />
|-<br />
| 12h30 - 13h30<br />
| colspan="2" style="text-align: center;background: grey; color: white" | ''Lunch'' <br />
|-<br />
| 13h30 - 14h10 || [[#DickBerlijn|Dick Berlijn]] || '''Cyber warfare''' <br>''Abstract:''<br />
|-<br />
| 14h10 - 14h50 || Migchiel de Jong || ''' Static Analysis and code review; A journey through time, ''' <br>''Abstract:''<br />
|-<br />
| 14h50 - 15h30 || [[#NickNikiforakis|Nick Nikiforakis]] || '''Everything you always wanted to know about web-based device fingerprinting (but were afraid to ask)''' <br>''Abstract:''<br />
|-<br />
| 15h30 - 15h50<br />
| colspan="2" style="text-align: center;background: grey; color: white" | ''Break'' <br />
|-<br />
| 16h30 - 17h10 || [[#JeromeNokin|Jerome Nokin]] || '''Turning your managed Anti-Virus into my botnet''' <br>''Abstract:''<br />
|-<br />
| 17h10 - 17h50 || [[#VictorvanderVeen|Victor van der Veen]] || '''TraceDroid: A Fast and Complete Android Method Tracer'''<br />
|-<br />
| 17h50 - 18h00 || OWASP Benelux 2013 organization || '''Closing Notes'''<br />
|}<br />
<br />
<br><br />
<br><br />
<br />
<br />
<br />
<div id="'JanJorisVereijken"></div><br />
<br />
=== Key note: Inside the mind of the fraudster, by Jan Joris Vereijken (Chief Security Architect, ING) ===<br />
'''Jan Joris Vereijken''' holds a Ph.D. in Computing Science from the Eindhoven Univerisity of Technology, where he worked on algebraic protocol verification. After a brief stint at Bell Laboratories to work on Software Engineering, he moved to ING, the Dutch banking conglomerate. <br><br />
In his current role as Chief Security Architect, he is responsible for the security architecture in the 35-odd countries where ING has banking operations.<br><br />
<br><br />
<br />
<div id="'JeromeNokin"></div><br />
<br />
=== Turning your managed Anti-Virus into my botnet, by Jerome Nokin (Senior Security Consultant, Verizon Business) ===<br />
''Abstract:''<br><br />
Today centrally managed Anti-Virus (AV) solutions are used across all enterprises and are relied upon to provide central management, logging and enforcement. This talk presents the journey and the results of a reviewing the security posture of the core components of a few selected managed AV solutions, the central servers themselves. <br />
Critical security vulnerabilities will be presented, covering SQL Injection, Directory Path Traversal and Buffer Overflow.<br />
Particular focus will be given to the different steps required to analyze both protocols and management functionality and covers reverse-engineering, debugging and the creation of fuzzing tools. Who does not want to transform a major managed AV into his private botnet within minutes?<br />
<br><br />
<br><br />
''Bio:''<br><br />
'''Jerome Nokin''' works as a Security Consultant for Verizon Enterprise where he is a senior member of the Vulnerability Management Team mainly focusing on Penetration Tests<br />
and Web Application Assessment. Prior to his role at Verizon he worked in the area of security covering both consultancy and ICT.<br><br />
<br><br />
<br />
<br />
<div id="'JanPhilipp"></div><br />
<br />
=== Getting a handle on SharePoint security complexity, by Jan Philipp (Solutions Consultant Security, n.runs) and Alexios Fakos (Principal IT Security Consultant, n.runs) ===<br />
''Abstract:''<br><br />
This presentation’s main goal is to provide decision makers, architects, administrators and developers with a comprehensive SharePoint security overview. We will introduce a SharePoint security model applicable to SharePoint versions 2010 and 2013. Then we will take a closer look at the use of different types of security principals and their effective use. This will be followed by covering security aspects when implementing and extending SharePoint to meet business needs and will be emphasized by showcasing common security pitfalls with examples throughout the presentation. This will be demonstrated with security down to the “nitty-gritty” details based on actual use cases and tips and pitfalls that have been encountered during security assessments and implementation of SharePoint solutions.<br />
<br><br />
<br><br />
''Bio:''<br><br />
'''Jan Philipp''' (MCT since 1989, MCITP, MCSE) works as a security consultant at n.runs, where he is responsible for design and implementation security assessments of complex global SharePoint infrastructures and solutions for major German and international companies. He has been involved with SharePoint technologies from their inception with Digital Dashboards throughout their many development changes (TeamSpaces, MOSS etc.) to the present day SharePoint and SharePoint Live versions.<br><br />
'''Alexios Fakos''' (CRISC, CSSLP) began his career in development as a Software Engineer back in 1999. After seven years of inspired insights in the software industry he joined n.runs to be part of the security team. Alexios is leading n.runs SDL services and he is since 2008 part of the German OWASP chapter. Alexios held presentations at OWASP AppSec US and Germany.<br><br />
<br><br />
<br />
<div id="TomVanGoethem"></div><br />
=== Remote code exection in WordPress: an analysis, by Tom Van Goethem (PhD Researcher, University of Leuven) ===<br />
''Abstract:''<br><br />
With over 13 million downloads, WordPress is one of the most popular open source blog platforms and content management systems. One of its key features is the installation of plugins. These are developed by third parties, but WordPress has to maintain its legacy codebase in order to remain compatible with these plugins. As this codebase makes use of unsafe functions, vulnerabilities may arise, affecting thousands websites - if not more. This presentation will focus on a vulnerability that has been present in WordPress versions up to September 2013. This vulnerability, which may lead to Remote Code Execution, was found by a simple combination of two publicly known elements: PHP Object Injection and unexpected behaviour of MySQL regarding Unicode characters.<br />
<br><br />
<br><br />
''Bio:''<br><br />
'''Tom Van Goethem''' is passionate about web security. After getting a master's degree of Applied Informatics, he enrolled in a PhD at the University of Leuven. As a student with a chronic drinking problem, he still found some time to hunt bugs for fun (and profit).<br><br />
<br><br />
<br />
<br />
=== Everything you always wanted to know about web-based device fingerprinting (but were afraid to ask), by Nick Nikiforakis (Postdoctoral Researcher, University of Leuven) ===<br />
''Abstract:''<br><br />
Billions of users browse the web on a daily basis,<br />
and there are single websites that have reached over one billion user<br />
accounts. In this environment, the ability to track users and their online habits can<br />
be very lucrative for advertising companies, yet very intrusive for the privacy of users.<br />
<br />
In this talk, we are going to describe web-based device fingerprinting, i.e., the ability<br />
to tell users apart, without the use of cookies or any other client-side identifiers. We<br />
will explain how device fingerprinting works, who is using, for what reason, and how people<br />
are trying to defend against it today. <br />
<br><br />
<br><br />
''Bio:''<br><br />
'''Nick Nikiforakis''' is a Postdoctoral Researcher at KU Leuven in Belgium. Nick's interests lie<br />
in the analysis of online ecosystems from a security and privacy perspective and he has<br />
published his work in top conferences of his field. More information about him can be found<br />
on his personal page: http://www.securitee.org .<br><br />
<br><br />
<br />
<br />
<br />
<div id="VictorvanderVeen"></div><br />
=== TraceDroid: A Fast and Complete Android Method Tracer, by Victor van der Veen (Security Consultant, ITQ) ===<br />
''Abstract:''<br><br />
Tracedroid allows you to upload any Android APK file (i.e., an Android app) for automated analysis. Tracedroid records the behavior of the executed app, such as its network communication, the UI, but also its internal function calls and Java code that is executed. To trigger the app's real behavior, Tracedroid emulates a few actions, such as user interaction, incoming calls and SMS messages, etc. - this will reveal most malicious intents of an app (if any).<br><br />
During this presentation, I will outline how Tracedroid is implemented and how its stimulation engine performs in terms of code coverage. I will also demonstrate how Tracedroid's output can help malware researchers to gain a better understanding of unknown Android applications during a live demo.<br><br />
You can already give TraceDroid a try via http://tracedroid.few.vu.nl<br />
<br><br />
<br><br />
''Bio:''<br><br />
Victor van der Veen is a security consultant at ITQ and holds a MSc degree in Computer Science from the VU University Amsterdam. TraceDroid is part of his master thesis titled ‘Dynamic Analysis of Android Malware’ for which he co-worked with the Andrubis team from Vienna’s iSecLab. His interests are low-level system topics that enhance system security, as well as reverse engineering and analyzing malicious code. His previous work involves the implementation of a (partial) thrust-worthy voting machine and an in depth analysis on trends in the field of memory errors (published at RAID 2012).<br />
<br><br />
<br />
<div id="MigchieldeJong"></div><br />
=== Static Analysis and code review; A journey through time, by Migchiel de Jong (Software Security Consultant, HP Fortify) ===<br />
''Abstract:''<br><br />
Static analysis techniques to support code review, not just for security, have been around for a long time. This talk will take you on journey from the early days of computer science to this modern day and age of cloud, BYOD and mobile apps and how the passing of time affected code review and the technology to support it. The takeaways from this session are; Understanding the fundamentals problems that have to be addressed to really get the benefits from using static analysis for code review. Trends in code review. Best practices for code review. What the future holds for code review.<br />
<br><br />
<br><br />
''Bio:''<br><br />
Migchiel de Jong has developed hardware and software for the nuclear medicine and nuclear industry space for 10 years before joining Rational Software. During the 5 years at Rational Software (later acquired by IBM) he was involved in many software development process improvement projects. Having joined Fortify 9 years ago, Migchiel de Jong is currently working at HP Fortify, as a software security consultant helping large customers succeed with their software security assurance initiatives.<br><br />
<br><br />
<br />
<br />
<br />
<!--<br />
<br />
<div id="TomVanGoethem"></div><br />
=== Remote Code Exection in WordPress: an analysis, by Tom Van Goethem (PhD University Leuven) ===<br />
''Abstract:''<br><br />
With over 13 million downloads, WordPress is one of the most popular open source blog platforms and content management systems. One of its key features is the installation of plugins. These are developed by third parties, but WordPress has to maintain its legacy codebase in order to remain compatible with these plugins. As this codebase makes use of unsafe functions, vulnerabilities may arise, affecting thousands websites - if not more. This presentation will focus on a vulnerability that has been present in WordPress versions up to September 2013. This vulnerability, which may lead to Remote Code Execution, was found by a simple combination of two publicly known elements: PHP Object Injection and unexpected behaviour of MySQL regarding Unicode characters.<br />
<br><br />
<br><br />
''Bio:''<br><br />
Tom Van Goethem is passionate about web security. After getting a master's degree of Applied Informatics, he enrolled in a PhD at the University of Leuven. As a student with a chronic drinking problem, he still found some time to hunt bugs for fun (and profit).<br><br />
<br><br />
<br />
=== Body Armor for Binaries, by Asia Slowinska (Vrije Universiteit Amsterdam) ===<br />
''Abstract:''<br><br />
BinArmor is a novel technique to protect existing C binaries from memory corruption attacks on both control data and non-control data. Without access to source code, non-control data attacks cannot be detected with current techniques. Our approach hardens binaries against both kinds of overflow, without requiring the pro- grams’ source or symbol tables. We show that BinArmor is able to stop real attacks—including the recent non- control data attack on Exim. Moreover, we did not in- cur a single false positive in practice. On the downside, the current overhead of BinArmor is high—although no worse than competing technologies like taint analysis that do not catch attacks on non-control data. Specifi- cally, we measured an overhead of 70% for gzip, 16%- 180% for lighttpd, and 190% for the nbench suite.<br><br />
<br><br />
''Bio:''<br><br />
I am a postdoctoral researcher in the System and Network Security group at the Vrije Universiteit Amsterdam, under the guidance of Prof. dr. ir. Herbert Bos.<br><br />
I obtained my PhD from the Vrije Universiteit Amsterdam. My dissertation Using information flow tracking to protect legacy binaries was completed under the supervision of Prof. dr. ir. Herbert Bos, while my copromotor was Prof. dr. ir. Henri E. Bal.<br><br />
During my PhD studies, I interned twice with Microsoft Research Cambridge, where I joined the Systems and Performance Group. I also spent few months interning with the Systems and Security Department at Institute for Infocomm Research in Singapore.<br><br />
My research focuses on developing techniques to automatically analyze and reverse engineer complex software that is available only in binary form. Further, I’ve been looking into mechanisms that proactively protect software from malicious activities. Currently, I am involved in a project on Reverse Engineering of binaries, known as Rosetta.<br><br />
<br><br />
<br />
--><br />
<br />
<!-- Sixth tab --><br />
<br />
= Social Event =<br />
<br />
==== Social Event, November 28th ====<br />
'''You (still) got that swing, and what about the moves ? We've got the Balls!'''<br />
<br />
:So "Pin" your schedule to the OWASP Benelux Days - Social Event.<br />
:Thursday Night the 28th of November, our partner Vest Information Security is happy to invite you at:<br />
<br />
:::Knijn Bowling<br />
:::Scheldeplein 3<br />
:::1078 GR Amsterdam<br />
:::http://www.knijnbowling.nl/<br />
<br />
;This is Amsterdams most famous retro-style bowling centre.<br />
<br />
:We are very happy to welcome you from 20:30.<br />
:Our Bowling Tracks are open from 21:30 - 24:00<br />
<br />
'''More details about the registration for the social event will be online soon!'''<br />
<hr><br />
'''The OWASP BeNeLux-Day 2013 Social Event is sponsored by:"<br />
[http://www.vest.nl https://www.owasp.org/images/1/1d/Logo_Vest_BIG_170.gif]<br />
<!-- Seventh tab --><br />
<br />
= CTF =<br />
<br />
==== Capture the Flag! ====<br />
<br />
* Do you like puzzles? <br />
* Do you like challenges? <br />
* Are you a hacker?<br />
<br />
Whether you are an experienced hacker or new enthusiast you should come to OWASP BeNeLux 2013 and participate in the Capture the Flag event November 29th 2013. <br />
<br />
The OWASP CTF is especially designed to support challengers of all skill levels. The CTF contains multiple challenges in various fields related to application security. As every challenge gains you one point, you can pick and choose which challenge you want to play.<br />
<br />
All you need is a laptop with a wifi card and your favorite (preferably) non-commercial tools. <br />
<br />
So come, show off your skills, learn new tricks and above all have a good time at the CTF event. <br />
<br />
<br />
<!-- Eighth tab --><br />
<br />
= Sponsor =<br />
<br />
==== Become a sponsor of OWASP BeNeLux ====<br />
<br />
==== Donate to OWASP BeNeLux ====<br />
<br />
[https://co.clickandpledge.com/?wid=72689 Sponsor] <br />
<br />
<br />
==== Promotion ====<br />
''Feel free to use the text below to promote our event!''<br />
<br />
We invite you to our next OWASP event: the '''BeNeLux OWASP Days 2013!'''<br />
<br />
Free your agenda on the 28th and 29th of November, 2013.<br />
<br />
The good news: free! No fee!<br />
<br />
The bad news: there are only 280 seats available (first register, first serve)!<br />
<br />
<br />
<!-- Don't remove these two lines! --><br />
__NOTOC__ <br />
<headertabs/><br />
<br />
==== Made possible by our {{#switchtablink:Sponsor|Sponsors}}====<br />
<br />
{{MemberLinks|link=http://www.pwc.com/|logo=PWC_log_resized.png}}<br />
[http://www.zionsecurity.com https://www.owasp.org/images/e/e6/Zionsecurity.jpg]<br />
[http://www.vest.nl https://www.owasp.org/images/1/1d/Logo_Vest_BIG_170.gif]<br />
[http://www.Checkmarx.com https://www.owasp.org/images/a/a2/Checkmarx.jpg]<br />
[http://www.sogeti.nl https://www.owasp.org/images/9/94/Sogeti_logo.png]<br />
[http://www.securify.nl https://www.owasp.org/images/7/7a/Securify_BV_logo.png]<br />
{{MemberLinks|link=https://www.whitehatsec.com/|logo=Whitehat.gif}}<br />
[http://www.nviso.be https://www.owasp.org/images/5/5e/Nviso_logo_RGB_baseline_200px.png]<br />
[https://informatiebeveiliging.nl/ https://www.owasp.org/images/9/9a/Logo_Informatiebeveiliging-200.png]<br />
[http://www8.hp.com/us/en/software-solutions/software-security/index.html https://www.owasp.org/images/a/af/HP_Blue_RGB_150_LG-200.png]<br />
<br />
<br />
<br />
<br><br />
<br />
<br />
[[Category:OWASP_AppSec_Conference]] [[Category:OWASP_BeNeLux_Archives]]</div>Favroomhttps://wiki.owasp.org/index.php?title=File:OWASP_Benelux_2013_Logo.png&diff=160945File:OWASP Benelux 2013 Logo.png2013-10-16T21:35:45Z<p>Favroom: OWASP Benelux 2013 Logo</p>
<hr />
<div>OWASP Benelux 2013 Logo</div>Favroomhttps://wiki.owasp.org/index.php?title=BeNeLux_OWASP_Day_2013&diff=154432BeNeLux OWASP Day 20132013-06-25T20:08:33Z<p>Favroom: /* Venue is */</p>
<hr />
<div><center>[[Image:owaspbnl12header.jpg]]<br></center><br />
<br><!-- Header --><br />
<br />
<br />
<!-- First tab --><br />
= Welcome =<br />
<br />
=== Welcome to OWASP BeNeLux 2013 ===<br />
<br />
==== News ====<br />
* <br />
* <br />
<br><br />
<br />
==== Confirmed trainers for Trainingday ====<br />
{{#switchtablink:Trainingday| <p><br />
* <br />
* <br />
* <br />
* <br />
}}<br />
<br><br />
<br />
==== Confirmed speakers Conferenceday ====<br />
{{#switchtablink:Conferenceday| <p><br />
* <br><br />
* <br><br />
* <br><br />
* <br><br />
* <br><br />
* <br><br />
* <br><br />
* <Br><br />
* <br><br />
}}<br />
<br><br />
<br />
==== The OWASP BeNeLux Program Committee ====<br />
*Bart De Win / Sebastien Deleersnyder/ Lieven Desmet/ David Mathy, OWASP Belgium<br />
*Martin Knobloch / Ferdinand Vroom, OWASP Netherlands<br />
*Jocelyn Aubert / Andre Adelsbach/ Thierry Zoller, OWASP Luxembourg<br />
<br><br />
<br />
=== Tweet! ===<br />
Event tag is [http://twitter.com/#search?q=%23owaspbnl13 #owaspbnl13]<br />
<br><br><br />
==== Donate to OWASP BeNeLux ====<br />
<paypal>BeNeLux OWASP Day 2013</paypal><br />
<br />
<!-- Second tab --><br />
<br />
= Registration =<br />
<br />
==== OWASP BeNeLux training day and conference are free! ==== <br />
<br />
=== Registration is not yet open: ===<br />
<br />
[http://owaspbenelux2013.eventbrite.com/ http://www.owasp.org/images/7/77/Buttoncreate.png]<br />
<br />
<br><br />
To support the OWASP organisation, consider to become a member, it's only US$50!<br />
<br> <br />
Check out the [[Membership]] page to find out more. <br />
<br><br />
<br />
<br />
<!-- Third tab --><br />
<br />
= Venue =<br />
<br />
=== Venue is ===<br />
<br />
''<br><br />
<br><br />
<br>''<br />
<br><br />
<br />
<br>'''Parking & roadmap''':<br />
<br />
There is a public parking close to the conference venue.<br />
<br />
Roadmap and parking: <br />
<br />
<br />
<br>'''Hotels nearby''': <br> <br />
<br />
<br />
<!-- Fourth tab --><br />
<br />
= Trainingday =<br />
<br />
==== Trainingday, November 29th ====<br />
<br />
==== Location ====<br />
The training room is: <br />
''Celestijnenlaan, 200A, fifth floor<br><br />
3001 Heverlee<br><br />
Belgium<br>''<br />
<br><br />
<br />
(for details, check the {{#switchtablink:Venue|Venue}} tab)<br />
<br />
==== Agenda ==== <br />
{| class="wikitable"<br />
! Time !! Description !! Room 1 !! Room 2 !! Room 3 !! Room 4<br />
|-<br />
| 08h30 - 9h30<br />
| colspan="5" style="text-align: center; background: grey; color: white;" | ''Registration''<br />
|-<br />
| 09h30 - 11h00 || Training<br />
| rowspan="7" style="width:100px;" | [[#DinisCruz|Advanced O2, by Dinis Cruz <br/><br/> Room 04.112]]<br />
| rowspan="7" style="width:100px;" | [[#DanCornell|SDLC with Open Source tools, by Dan Cornell <br/><br/> Room 05.128]]<br />
| rowspan="7" style="width:100px;" | [[#VolkertDeBuisonje|Secure Java Development with ESAPI (hands-on), by Volkert de Buisonjé <br/><br/> Room 05.152]]<br />
| rowspan="7" style="width:100px;" | [[#MartinKnobloch|Essential Web Appplication Security (OWASP Top 10, Webgoat, WebScarab), by Martin Knobloch <br/><br/> Room 05.001]]<br />
|-<br />
| 11h00 - 11h30 || ''Coffee Break''<br />
|-<br />
| 11h30 - 13h00 || Training<br />
|-<br />
| 13h00 - 14h00 || ''Lunch''<br />
|-<br />
| 14h00 - 15h30 || Training<br />
|-<br />
| 15h30 - 16h00 || ''Coffee Break''<br />
|-<br />
| 16h00 - 17h30 || Training<br />
|}<br />
<br />
<br />
<br />
<br />
<br />
<br><br />
<br />
<div id="VolkertDeBuisonje"></div><br />
<br />
=== Secure Java Development workshop with ESAPI, by Volkert de Buisonjé (Sogeti) ===<br />
''Workshop:''<br><br />
First, attendees will receive a brief introduction on application awareness. Then they will get acquainted with Webgoat, a "deliberately insecure J2EE web application" designed as a practice tool for secure application development and testing. They will learn how to exploit some vulnerabilities in Webgoat, through for instance Cross-Site Scripting (CSS) and Cross-Site Request Forgery (CSRF) attacks. Finally, the ESAPI library will be introduced and the attendees will learn how to apply ESAPI to fix such vulnerabilities in Webgoat's source code.<br><br />
<br><br />
''Prerequisites for this workshop:''<br><br />
* Reasonable knowledge of and experience with Java development<br />
* A laptop running a recent version of Linux, Mac OS X, or Windows<br />
* The most recent version of VirtualBox (4.x) installed<br />
* At least 2GB of RAM<br />
* At least 2GB of disk space<br />
<br><br />
''Bio:''<br><br />
Volkert de Buisonjé is a senior Java developer at Sogeti. He specializes in, and teaches application security courses, both to coworkers and to customers. Knowledge sharing (in both directions) is his passion. Volkert likes making friends and talking a lot. He never shuns a good discussion, and prefers to bring a high amount of interactivity to his classes. :-)<br><br />
<br><br />
<br><br />
<br />
<div id="DinisCruz"></div><br />
=== Advanced O2, by Dinis Cruz (Security Innovation) ===<br />
''Workshop:''<br><br />
The O2 platform represents a new paradigm for how to perform, document and distribute Web Application security reviews. O2 is designed to Automate Security Consultants Knowledge and Workflows and to Allow non-security experts to access and consume Security Knowledge.<br />
<br><br />
''Bio:''<br><br />
Dinis Cruz is a Security Consultant based in London (UK) and specialized in: ASP.NET/J2EE Application Security, Application Security audits and .NET Security Curriculum Development.<br><br />
For the past years Dinis has focused on the field of Static Source Code analysis, from May 2007 to Dec 2009 he worked as a independent consultant for Ounce Labs (bought by IBM in July 2009) where during active security engagements using Ounce's technology he developed the Open Source codebase which now is the foundation of the OWASP O2 Platform.<br><br />
Dinis is currently focused on making the O2 Platform the industry standard for consuming, instrumenting and data-sharing between the multiple WebAppSec tools, the Security consultants and the final developers. Dinis is a also active trainer on .Net security having written and delivered courses for IOActive, Foundstone, Intense School and KPMG (at multiple locations including BlackHat), and has delivered a number of presentations and keynote speeches at multiple OWASP and Security related conferences.<br><br />
At OWASP, Dinis is the leader of the OWASP O2 Platform project<br><br />
<br><br />
<br><br />
<br />
<div id="MartinKnobloch"></div><br />
<br />
=== Essential Web Appplication Security (OWASP Top 10, Webgoat, WebScarab), by Martin Knobloch (PervaSec) ===<br />
''Abstract:''<br><br />
This workshop is an introduction into (web) application security with hands-on labs, using OWASP documentation and tooling.<br />
You will be introduced into the security mindset, discus the OWASP TopTen 2010 and learn basic skills in how to find vulnerabilities in web applications. All tools and documentation are provided during the training.<br><br />
<b>As this is an hands-on workshop, please bring your own laptop!</b> <br><br />
Course structure:<br />
*Introduction OWASP, OWASP tool and documentation<br />
*Security Testing mindset <br />
*1st Lab: OWASP WebGoat / WebScarab <br />
*OWASP Top Ten 2010<br />
*OWASP Testing Guide <br />
*2nd Lab: OWASP WebGoat / WebScarab <br />
*3rd Lab: OWASP Hackademic / ZAP <br />
*Summary and completion <br />
Prerequisites for this workshop:<br />
*Basic understanding of HTTP and web application testing/development<br />
*An open mind<br />
<br><br />
''Bio:''<br><br />
Martin is an independent security consultant and owner of PervaSec (http://www.pervasec.nl). His main working area is (software) security in general, from awareness to implementation. In his daily work, he is responsible for education in application security matters, advise and implementation of application security measures.<br><br />
At OWASP, Martin is member of the Dutch chapter board and chair of the Global Education Committee and contributes to several projects.<br><br />
Martin is a frequent speaker at conferences, universities and hacker spaces.<br />
<br><br />
<br />
<br />
<div id="DanCornell"></div><br />
<br />
=== Building a Software Security Program On Open Source Tools, by Dan Cornell (Denim Group) ===<br />
''Abstract:''<br><br />
Using the Software Assurance Maturity Model (OpenSAMM) as a framework, this course walks through the major components of a comprehensive software security program and highlights open source and other freely-available tools that can be used to help implement the activities involved in such a program. The focus of the course is on providing hands-on demonstrations of the tools with an emphasis on integrating tool results into the overall software security program. Featured tools include: ESAPI, Microsoft Web Protection Library, FindBugs, FxCop, CAT.NET, Brakeman, Agnitio, Arachini, w3af, ZAProxy, ThreadFix as well as other educational resources from OWASP. Attendees should finish the course with a solid understanding of the various components of a comprehensive software security program as well as hands-on experience with a variety of freely-available tools that they can use to implement portions of these programs.<br><br />
<br><br />
''Outline:''<br><br />
* So You Want To Roll Out A Software Security Program?<br />
* The Software Assurance Maturity Model (OpenSAMM)<br />
* ThreadFix: Overview<br />
* Governance: Strategy and Metrics<br />
** ThreadFix: Reporting<br />
* Governance: Policy and Compliance<br />
* Governance: Education and Guidance<br />
** OWASP Development Guide<br />
** OWASP Cheat Sheets<br />
** OWASP Secure Coding Practices<br />
* Construction: Threat Assessment<br />
* Construction: Security Requirements<br />
* Construction: Secure Architecture<br />
** ESAPI overview<br />
** Microsoft Web Protection Library (Anti-XSS) overview<br />
* Verification: Design Review<br />
** Microsoft Threat Analysis and Modeling Tool<br />
* Verification: Code Review<br />
** FindBugs<br />
** FxCop<br />
** CAT.NET<br />
** Brakeman<br />
** Agnitio<br />
* Verification: Security Testing<br />
** Arachni<br />
** w3af<br />
** ZAProxy<br />
* Deployment: Vulnerability Management<br />
** ThreadFix: Defect Tracker Integration<br />
* Deployment: Environment Hardening<br />
** Microsoft Baseline Security Analyzer (MBSA)<br />
* Deployment: Operational Enablement<br />
** mod_security<br />
<br><br />
''Bio:''<br><br />
Dan Cornell has over fifteen years of experience architecting and developing web-based software systems. He leads Denim Group’s security research team in investigating the application of secure coding and development techniques to improve web-based software development methodologies.<br><br />
Dan was the founding coordinator and chairman for the Java Users Group of San Antonio (JUGSA) and currently serves as the OWASP San Antonio chapter leader, member of the OWASP Global Membership Committee and co-lead of the OWASP Open Review Project. Dan has spoken at such international conferences as RSA, OWASP AppSec USA, and OWASP EU Research in Greece.<br><br />
<br><br />
<br />
<br />
<!-- Fifth tab --><br />
<br />
= Conferenceday =<br />
<br />
==== Conferenceday, November 30th ====<br />
<br />
==== Location ====<br />
The conference takes place in auditorium K.06, the registration and catering in the foyer of building 200A (ground floor) (for details, check the {{#switchtablink:Venue|Venue}} tab)<br />
<br />
==== Agenda ==== <br />
{| class="wikitable"<br />
! width="90pt" | Time<br />
! width="130pt" | Speaker !! Topic<br />
|- <br />
| 09h00 - 10h00<br />
| colspan="2" style="text-align: center; background: grey; color: white" | ''Registration''<br />
|- <br />
| 10h00 - 10h15 || OWASP Benelux Organization || Welcome ([https://www.owasp.org/images/a/ad/OWASP_BeNeLux_Day_2012_-_Organization_welcome.ppt PPT])<br />
|-<br />
| 10h15 - 10h30 || Sebastien Deleersnyder || OWASP update ([https://www.owasp.org/images/d/d7/OWASP-Update-BeNeLux-Day-2012_v1.pptx PPT])<br />
|-<br />
| 10h30 - 11h10 || [[#JohnWilander|John Wilander]] || ''' Secure Web Integration Patterns in the Era of HTML5'''<br>''Abstract:'' Quite a few organizations are finding themselves in a legacy situation with their web applications. Over ten years have passed since the era of dynamic HTML and with the rise of HTML5 and mobile platforms there is now need to gradually move these legacy beasts into a new architecture. Additionally, more and more third party services are offered such as maps, tracking, social media tie-ins, video etc. What are the possible and suitable design patterns for bringing new web, old web, and third party web together? Can we isolate them from each other to secure the new apps from legacy and third party security vulnerabilities? We will dig into the postMessage api, the iframe sandbox directive, CORS, and the same-origin policy while comparing it to the previous generation of integration with jsonp and other hacks.<br />
|-<br />
| 11h10 - 11h50 || [[#LievenDesmet|Lieven Desmet]] || '''Sandboxing Javascript''' ([https://www.owasp.org/images/1/10/Sandboxing-Javascript.pdf PDF])<br>''Abstract:'' The inclusion of third-party scripts in web pages is a common practice. A recent study has shown that more than half of the Alexa top 10 000 sites include scripts from more than 5 different origins. However, such script inclusions carry risks, as the included scripts operate with the privileges of the including website.<br><br />
In this talk, we propose JSand, a server-driven but client-side JavaScript sandboxing framework. JSand requires no browser modifications: the sandboxing framework is implemented in JavaScript and is delivered to the browser by the websites that use it. Enforcement is done entirely at the client side: JSand enforces a server-specified policy on included scripts without requiring server-side filtering or rewriting of scripts.<br><br />
Most importantly, JSand is complete: access to all resources is mediated by the sandbox.<br><br />
We describe the design and implementation of JSand, and we show that it is secure, backwards compatible, and that it performs sufficiently well.<br><br />
|-<br />
| 11h50 - 12h30 || [[#ErwinGeirnaert|Erwin Geirnaert]] || '''OWASP Top 10 vs Drupal'''<br>''Abstract:'' Drupal is the most used and well-known open source content management system in the world. Created by Dries Buytaert years ago it has grown with the support of a big community. Drupal 7 is already released and there is an entire ecosystem for Drupal and Drupal web agencies.<br><br />
During this presentation we will discuss the findings of an automated static code analysis of Drupal 6 and Drupal 7 and how Drupal protects against the OWASP Top 10 Application Security Risks. We will explain the security weaknesses that remain when you use Drupal and what you can implement to have a secure cloud server running Drupal.<br><br />
|-<br />
| 12h30 - 13h30<br />
| colspan="2" style="text-align: center;background: grey; color: white" | ''Lunch'' <br />
|-<br />
| 13h30 - 14h10 || [[#AsiaSlowinska|Asia Slowinska]] || '''Body Armor for Binaries'''<br>''Abstract:'' BinArmor is a novel technique to protect existing C binaries from memory corruption attacks on both control data and non-control data. Without access to source code, non-control data attacks cannot be detected with current techniques. Our approach hardens binaries against both kinds of overflow, without requiring the pro- grams’ source or symbol tables. We show that BinArmor is able to stop real attacks—including the recent non- control data attack on Exim. Moreover, we did not in- cur a single false positive in practice. On the downside, the current overhead of BinArmor is high—although no worse than competing technologies like taint analysis that do not catch attacks on non-control data. Specifi- cally, we measured an overhead of 70% for gzip, 16%- 180% for lighttpd, and 190% for the nbench suite.<br />
|-<br />
| 14h10 - 14h50 || [[#MarcHullegieAndKeesMastwijk|Marc Hullegie and Kees Mastwijk]] || '''Forensics'''<br>''Abstract:'' In today’s investigations, forensics has become an important investigative method in fighting and solving (cyber)crimes and irregularities. During the session you will be briefly taken through the landscape of Forensics Basics; the Fraud Triangle and scenario's; What to look for and the appliance of Digital Forensics. What are the Challenges, the required Skills and Expertise and Solutions to these challenges. Specific focus on the Forensics of Web Applications and what you can do the create a more forensic ready system.<br><br />
|-<br />
| 14h50 - 15h30 || [[#DanCornell|Dan Cornell]] || '''Streamlining Application Vulnerability Management: Communication Between Development and Security Teams'''<br>''Abstract:'' Identifying application-level vulnerabilities via scanning, penetration tests and code reviews is only the first step in actually addressing the underlying risk. Managing vulnerabilities for applications is more challenging than dealing with traditional infrastructure-level vulnerabilities because they typically require the coordination of security teams with application development teams. The process also means that security managers need to get time from developers during already-cramped development and release schedules. In addition, fixes require changes to custom application code and application-specific business logic rather than the patches and configuration changes that are often sufficient to address infrastructure-level vulnerabilities. This presentation will illustrate the communication difficulties between security and development teams, and how this usually results in unactionable reports and fewer vulnerabilities remediated. In addition, the presentation will walk through an example workflow of addressing application vulnerabilities as software defects. This will be based on freely-available tools and show specific examples of how vulnerabilities can be grouped together, false positives can be culled out, and vulnerabilities transitioned to software defects, as well as how security managers can monitor and verify progress.<br><br />
|-<br />
| 15h30 - 15h50<br />
| colspan="2" style="text-align: center;background: grey; color: white" | ''Break'' <br />
|-<br />
| 15h50 - 16h30 || [[#RuedigerBachmann|Ruediger Bachmann]] || '''Code review for Large Companies'''<br>''Abstract:''Static source code analysis should be an essential part in the secure software development life cycle (SDLC) to start to minimize the number of potential vulnerabilities already in a very early stage in the software development process.<br><br />
The introduction of static code analysis at a large software manufacturer is a big challenge. In addition to the technical difficulties – based on the sheer number and size of the software projects or the number of different programing languages – there are also non-technical issues like creating new security awareness, trainings to use the provided tools efficiently and integration of analysis processes into the software development and maintenance life cycle.<br><br />
This talk gives an overview of the company-wide introduction of static code analysis at SAP AG.<br />
|-<br />
| 16h30 - 17h10 || [[#DinisCruz|Dinis Cruz]] || '''Making Security Invisible by Becoming the Developer’s Best Friends'''<br>''Abstract:'' Coming soon!<br />
|-<br />
| 17h10 - 17h50 || <br />
* Steven Wierckx<br />
* Luc Beirens<br />
* Jos Dumortier<br />
* Dieter Sarrazyn<br />
* Erwin Geirnaert<br />
* John Wilander<br />
|| '''Panel Discussion about the legal aspects of penetration testing'''<br> ''Abstract:'' In the past couple of years security has become a more visible topic in the media. As a result many companies are asking for security reviews in the form of a penetration test. A lot of entrepreneurs took the opportunity to form teams and/or companies that provide such services. There seems to be a lack of clear (standard) legal documentation to cover these activities both for the penetration tester and the company under review. With this panel discussion we would like to discuss this situation and to see if there is a possibility to have a standard document or framework that can be used as a starting point for companies and professionals to use as a contract. The purpose would be to end up with a (set of) documents similar to the “Testaankoop standard huurcontract”, this is a well-known Belgian contract framework for renting a house where both parties are protected and that is clear to both parties. It can be used without further legal intervention.<br />
|-<br />
| 17h50 - 18h00 || OWASP Benelux 2012 organization || '''Closing Notes'''<br />
|}<br />
<br />
<br><br />
<br><br />
<br />
<div id="AsiaSlowinska"></div><br />
<br />
=== Body Armor for Binaries, by Asia Slowinska (Vrije Universiteit Amsterdam) ===<br />
''Abstract:''<br><br />
BinArmor is a novel technique to protect existing C binaries from memory corruption attacks on both control data and non-control data. Without access to source code, non-control data attacks cannot be detected with current techniques. Our approach hardens binaries against both kinds of overflow, without requiring the pro- grams’ source or symbol tables. We show that BinArmor is able to stop real attacks—including the recent non- control data attack on Exim. Moreover, we did not in- cur a single false positive in practice. On the downside, the current overhead of BinArmor is high—although no worse than competing technologies like taint analysis that do not catch attacks on non-control data. Specifi- cally, we measured an overhead of 70% for gzip, 16%- 180% for lighttpd, and 190% for the nbench suite.<br><br />
<br><br />
''Bio:''<br><br />
I am a postdoctoral researcher in the System and Network Security group at the Vrije Universiteit Amsterdam, under the guidance of Prof. dr. ir. Herbert Bos.<br><br />
I obtained my PhD from the Vrije Universiteit Amsterdam. My dissertation Using information flow tracking to protect legacy binaries was completed under the supervision of Prof. dr. ir. Herbert Bos, while my copromotor was Prof. dr. ir. Henri E. Bal.<br><br />
During my PhD studies, I interned twice with Microsoft Research Cambridge, where I joined the Systems and Performance Group. I also spent few months interning with the Systems and Security Department at Institute for Infocomm Research in Singapore.<br><br />
My research focuses on developing techniques to automatically analyze and reverse engineer complex software that is available only in binary form. Further, I’ve been looking into mechanisms that proactively protect software from malicious activities. Currently, I am involved in a project on Reverse Engineering of binaries, known as Rosetta.<br><br />
<br><br />
<br />
<div id="RuedigerBachmann"></div><br />
=== Code review for Large Companies, by Ruediger Bachmann (SAP) ===<br />
''Abstract:''<br><br />
Static source code analysis should be an essential part in the secure software development life cycle (SDLC) to start to minimize the number of potential vulnerabilities already in a very early stage in the software development process.<br><br />
The introduction of static code analysis at a large software manufacturer is a big challenge. In addition to the technical difficulties – based on the sheer number and size of the software projects or the number of different programing languages – there are also non-technical issues like creating new security awareness, trainings to use the provided tools efficiently and integration of analysis processes into the software development and maintenance life cycle.<br><br />
This talk gives an overview of the company-wide introduction of static code analysis at SAP AG.<br />
<br><br />
''Bio:''<br><br />
After graduating with a degree in mathematics and computer science at the University of Giessen in 1997, Ruediger Bachmann worked at various software companies and IT service providers mainly in software development. Currently he is employed at SAP AG in Germany as a Development Architect in the central code analysis team. There he is focusing on application security and security code scans.<br><br />
<br />
<div id="LievenDesmet"></div><br />
<br />
=== Sandboxing JavaScript, by Lieven Desmet (Research Manager at KU Leuven) ===<br />
''Abstract:''<br><br />
The inclusion of third-party scripts in web pages is a common practice. A recent study has shown that more than half of the Alexa top 10 000 sites include scripts from more than 5 different origins. However, such script inclusions carry risks, as the included scripts operate with the privileges of the including website.<br><br />
In this talk, we propose JSand, a server-driven but client-side JavaScript sandboxing framework. JSand requires no browser modifications: the sandboxing framework is implemented in JavaScript and is delivered to the browser by the websites that use it. Enforcement is done entirely at the client side: JSand enforces a server-specified policy on included scripts without requiring server-side filtering or rewriting of scripts. Most importantly, JSand is complete: access to all resources is mediated by the sandbox.<br><br />
We describe the design and implementation of JSand, and we show that it is secure, backwards compatible, and that it performs sufficiently well.<br><br />
<br><br />
''Bio:''<br><br />
Lieven Desmet is Research Manager on Software Secure at the iMinds-DistriNet Research Group (KU Leuven, Belgium), where he coaches junior researchers in web application security and participates in dissemination and valorization activities. His interests are in security of middleware and web-enabled technologies. Lieven is actively engaged in OWASP and is board member of the OWASP Chapter Belgium.<br><br />
<br><br />
<br><br />
<br />
<div id="ErwinGeirnaert"></div><br />
=== OWASP Top 10 vs Drupal, by Erwin Geirnaert (Zion Security) ===<br />
''Abstract:''<br><br />
Drupal is the most used and well-known open source content management system in the world. Created by Dries Buytaert years ago it has grown with the support of a big community. Drupal 7 is already released and there is an entire ecosystem for Drupal and Drupal web agencies.<br><br />
During this presentation we will discuss the findings of an automated static code analysis of Drupal 6 and Drupal 7 and how Drupal protects against the OWASP Top 10 Application Security Risks. We will explain the security weaknesses that remain when you use Drupal and what you can implement to have a secure cloud server running Drupal.<br><br />
<br><br />
''Bio:''<br><br />
Erwin founded ZION SECURITY in 2005 to help companies to protect against the latest threats, attacks against web applications. ZION SECURITY is nowadays a Belgian market leader in the field of security testing, vulnerability management, penetration testing and banking security. Erwin has more than 10 years of experience in web security, graduating with a Master of Science in Software Development from the University of Ghent. Erwin executes different types of projects for a lot of international software companies, financial institutions, telecom and web agencies. Specialist in executing code reviews in different development languages for critical applications, executing continuous penetration tests of their infrastructure and Internet applications. A specialist in J2EE, PHP, .NET, mobile app and web services security. Erwin architects secure e-business projects for web agencies and software companies. He is a recognized application security expert and speaker at international events like Javapolis, OWASP, Eurostar, LSEC,...<br><br />
<br><br />
<br />
<div id="MarcHullegieAndKeesMastwijk"></div><br />
=== Forensics, by Marc Hullegie and Kees Mastwijk (Vest Information Security) === <br />
''Abstract:''<br><br />
In today’s investigations, forensics has become an important investigative method in fighting and solving (cyber)crimes and irregularities. During the session you will be briefly taken through the landscape of Forensics Basics; the Fraud Triangle and scenario's; What to look for and the appliance of Digital Forensics. What are the Challenges, the required Skills and Expertise and Solutions to these challenges. Specific focus on the Forensics of Web Applications and what you can do the create a more forensic ready system.<br><br />
<br><br />
''Bio:''<br><br />
Marc Hullegie is founder and CEO of Vest Information Security and is widely experienced in the information security business in all types of areas: Security Architecture and Infrastructure, Security Audits and Testing, Security Management, Awareness and Digital Forensics. He presents lectures at (international) conferences and is looking forward to share experiences at the OWASP Benelux days 2012 with you.<br><br />
<br> <br />
''Bio:''<br><br />
Kees Mastwijk is a security consultant working with Vest, acting as Security Auditor, Awareness Program leader and security Manager. He has a long (and ongoing) experience history in Digital Forensic Research.<br><br />
<br><br />
<br />
<div id="JohnWilander"></div><br />
=== Secure Web Integration Patterns in the Era of HTML5, by John Wilander (Svenska Handelbanken) ===<br />
''Abstract:''<br><br />
Quite a few organizations are finding themselves in a legacy situation with their web applications. Over ten years have passed since the era of dynamic HTML and with the rise of HTML5 and mobile platforms there is now need to gradually move these legacy beasts into a new architecture. Additionally, more and more third party services are offered such as maps, tracking, social media tie-ins, video etc. What are the possible and suitable design patterns for bringing new web, old web, and third party web together? Can we isolate them from each other to secure the new apps from legacy and third party security vulnerabilities? We will dig into the postMessage api, the iframe sandbox directive, CORS, and the same-origin policy while comparing it to the previous generation of integration with jsonp and other hacks.<br />
<br><br />
''Bio:''<br><br />
John Wilander is a frontend software developer at Svenska Handelbanken, the second strongest bank in the world according to Bloomberg Markets. He has been researching and working in application security for ten years and is an active leader in OWASP, the Open Web Application Security Project. In 2011 he organized the OWASP Summit Browser Security sessions in Portugal, with participants from the security teams behind Chrome, Firefox, Internet Explorer, Flash, and PayPal. During his years in academia he was elected best computer science teacher twice and nowadays gives 5-10 professional talks per year.<br><br />
<br><br />
<br><br />
<br />
<div id="DanCornell"></div><br />
<br />
=== Streamlining Application Vulnerability Management: Communication Between Development and Security Teams, by Dan Cornell (Denim Group) ===<br />
''Abstract:''<br><br />
Identifying application-level vulnerabilities via scanning, penetration tests and code reviews is only the first step in actually addressing the underlying risk. Managing vulnerabilities for applications is more challenging than dealing with traditional infrastructure-level vulnerabilities because they typically require the coordination of security teams with application development teams. The process also means that security managers need to get time from developers during already-cramped development and release schedules. In addition, fixes require changes to custom application code and application-specific business logic rather than the patches and configuration changes that are often sufficient to address infrastructure-level vulnerabilities. This presentation will illustrate the communication difficulties between security and development teams, and how this usually results in unactionable reports and fewer vulnerabilities remediated. In addition, the presentation will walk through an example workflow of addressing application vulnerabilities as software defects. This will be based on freely-available tools and show specific examples of how vulnerabilities can be grouped together, false positives can be culled out, and vulnerabilities transitioned to software defects, as well as how security managers can monitor and verify progress.<br><br />
<br><br />
''Bio:''<br><br />
''Dan Cornell has over fifteen years of experience architecting and developing web-based software systems. He leads Denim Group’s security research team in investigating the application of secure coding and development techniques to improve web-based software development methodologies.<br><br />
Dan was the founding coordinator and chairman for the Java Users Group of San Antonio (JUGSA) and currently serves as the OWASP San Antonio chapter leader, member of the OWASP Global Membership Committee and co-lead of the OWASP Open Review Project. Dan has spoken at such international conferences as RSA, OWASP AppSec USA, and OWASP EU Research in Greece.''<br><br />
<br><br />
<br><br />
<br />
<div id="DinisCruz"></div><br />
=== Making Security Invisible by Becoming the Developer’s Best Friends, by Dinis Cruz (Security Innovation) ===<br />
''Abstract:''<br><br />
''Coming soon!''<br><br />
<br><br />
''Bio:''<br><br />
Dinis Cruz is a Security Consultant based in London (UK) and specialized in: ASP.NET/J2EE Application Security, Application Security audits and .NET Security Curriculum Development.<br><br />
For the past years Dinis has focused on the field of Static Source Code analysis, from May 2007 to Dec 2009 he worked as a independent consultant for Ounce Labs (bought by IBM in July 2009) where during active security engagements using Ounce's technology he developed the Open Source codebase which now is the foundation of the OWASP O2 Platform.<br><br />
Dinis is currently focused on making the O2 Platform the industry standard for consuming, instrumenting and data-sharing between the multiple WebAppSec tools, the Security consultants and the final developers. Dinis is a also active trainer on .Net security having written and delivered courses for IOActive, Foundstone, Intense School and KPMG (at multiple locations including BlackHat), and has delivered a number of presentations and keynote speeches at multiple OWASP and Security related conferences.<br><br />
At OWASP, Dinis is the leader of the OWASP O2 Platform project<br><br />
<br><br />
<br><br />
<br />
=== Panel discussion about the legal aspects of penetration testing ===<br />
''with Steven Wierckx, Luc Beirens, Jos Dumortier, Dieter Sarrazyn, ...''<br><br><br />
''Abstract:''<br> In the past couple of years security has become a more visible topic in the media. As a result many companies are asking for security reviews in the form of a penetration test. A lot of entrepreneurs took the opportunity to form teams and/or companies that provide such services. There seems to be a lack of clear (standard) legal documentation to cover these activities both for the penetration tester and the company under review. With this panel discussion we would like to discuss this situation and to see if there is a possibility to have a standard document or framework that can be used as a starting point for companies and professionals to use as a contract. The purpose would be to end up with a (set of) documents similar to the “Testaankoop standard huurcontract”, this is a well-known Belgian contract framework for renting a house where both parties are protected and that is clear to both parties. It can be used without further legal intervention.<br><br />
<br><br />
<li>''Bio Steven Wierckx, ps_testware:''<br><br />
Steven Wierckx is currently working as Security Tester for [http://www.pstestware.com/ ps_testware], he specialises in web application security and keeps a security related blog [http://www.ihackforfun.eu/ ihackforfun]. He is also wrting articles and doing technical reviews for PenTest Magazine.<br><br />
<br><br />
<li>''Bio Luc Beirens, FCCU:''<br><br />
Head of Belgian Federal Computer Crime Unit & Chair EU Cybercrime Task Force trying to create partnerships and circumstances for a safer cyberspace.<br><br />
<br><br />
<li>''Bio Jos Dumortier, ICRI:''<br><br />
Jos Dumortier is Professor of ICT Law at the University of Leuven (Belgium) and the Director of the Interdisciplinary Research Centre for ICT and Law (ICRI) (www.icri.be). With his research team he participates in a series of R & D projects in the domain of telemedicine.<br><br />
He is also a member of the Bar of Brussels and partner in “time.lex”, a law firm specialized in information and technology law (www.timelex.eu).<br><br />
He participates in the boards of several national and international scientific and business associations and is a member of various editorial and program committees. <br><br />
He is the editor of the International Encyclopedia of Cyber Law and the author of more than one hundred books and articles on legal issues related to the information society.<br><br />
Jos Dumortier has taken the lead in a large number of European studies and projects in the area of information security, privacy and identity management. He worked on an assignment of the European Commission (DG INFSO) for a study on the legal obstacles for interoperable eHealth in Europe and on several studies for the Flemish government related to the implementation of a regional eHealth platform. He is also a member of the Flemish data protection supervisory authority for the health sector.<br><br />
<br><br />
<li>''Bio Dieter Sarrazyn, PWC:''<br><br />
Dieter is a senior manager and consultant within PwC and a team leader for Risk Management assessment services. His main focus is in performing penetration tests (external as well as internal), performing security audits, creating and evaluating security architectures,and creating and setting up vulnerability management frameworks & tools. He is a Certified Information Systems Security Professional (CISSP), a Certified Intrusion Analyst (GCIA), a Certified Incident Handling Analyst (GCIH), a Certified Intrusion Analyst (GCIA) a GIAC Systems and Network Auditor (GSNA). Dieter is also SANS Local Mentor and SANS Community Teacher<br><br />
<br><br />
<br><br />
<br />
<!-- Sixth tab --><br />
<br />
= Social Event =<br />
<br />
==== Social Event, November 29th ====<br />
<br />
==== <B>Important Update</B> ====<br />
The brewery visit is limit to 60 people. Therefor, the 60 first registered people that indicated interest in the social event have been invited to participate. Any remaining tickets will be offered on Thursday around noon at the registration desk.<br />
<br />
If you are going by car, there are paid parkings under the Railway station and at Kinepolis (follow the parking signs). If you want to go there from the venue without car, the best way to get there is to take bus No.2 that leaves next to the building and drives to the Railway station. From there, it is a 300 m. walk to the brewery.<br />
<br />
All other people (and the people of the brewery tour after that has finished) are warmly invited to join us in the Downtown Jack, a pub with a number of pool and snooker tables. 5 pool tables have been exclusively reserved for us from 20h00 onwards. You can also have a drink and eat something there if you like.<br />
<br />
The address: Parkstraat 40, 3000 Leuven (see http://www.downtownjack.be/)<br />
<br />
==== <B>Brewery Visit Information</B> ====<br />
The social event will take place at the InBev Brewery in Leuven, where there will be a guided tour and a beer tasting.<br><br />
Unfortunately, the tour is limited to 60 people. Since we have more registered people than places, we will soon announce how we will<br />
proceed.<br><br />
If you decide not to join, please inform the Benelux organisation, other participants will be happy to join.<br><br />
<br><br />
'''The entrance fee for the tour is 10 EUR'''. <br><br />
This amount will have to be paid to the Benelux organisation at the registration desk or upon entry in cash (please use correct notes).<br><br />
<br><br />
Below is the address where the event takes place. You can take your car, bus number 2 or a taxi to reach this.<br> '''The tour starts at 19h30 sharp'''.<br><br />
<br><br />
'''Address:''' <br><br />
Vuurkruisenlaan z/n <br><br />
3000 Leuven<br><br />
<br><br />
'''From the station:'''<br><br />
Take the street 'Diestepoort' (this street is parrallel with the railway behind the building)and walk straight through. You can see the brewery at the end of the street.<br><br />
'''By car:'''<br><br />
From the street diestesteenweg or beckeremieplein head to the railroadbridge. At the crossroad take first right, this is the entrance of the brewery. from the expressway R23 head to the Hotel ''NOVOTEL''. Take the street left from ''NOVOTEL'', this is the ''vuurkruisenlaan''. On your left side you can see the brewery. At the<br />
next crossroad take the first left, this is the entrance of the brewery.<br><br />
<br><br />
'''ENTRANCE BREWERY:'''<br><br />
is also the entrance for the trucks, next to the railroadbridge.<br><br />
We will meet at the entrance at 19h30 where the tour will start.<br><br><br />
<br />
<br />
<!-- Seventh tab --><br />
<br />
= CTF =<br />
<br />
==== Capture the Flag! ====<br />
<br />
* Do you like puzzles? <br />
* Do you like challenges? <br />
* Are you a hacker?<br />
<br />
Whether you are an experienced hacker or new enthusiast you should come to OWASP BeNeLux 2012 and participate in the Capture the Flag event November 30th 2012. <br />
<br />
The OWASP CTF is especially designed to support challengers of all skill levels. The CTF contains multiple challenges in various fields related to application security. As every challenge gains you one point, you can pick and choose which challenge you want to play.<br />
<br />
All you need is a laptop with a wifi card and your favorite (preferably) non-commercial tools. <br />
<br />
So come, show off your skills, learn new tricks and above all have a good time at the CTF event. <br />
<br />
<br />
<!-- Eighth tab --><br />
<br />
= Sponsor =<br />
<br />
==== Become a sponsor of OWASP BeNeLux ====<br />
<br />
==== Donate to OWASP BeNeLux ====<br />
<br />
<paypal>BeNeLux OWASP Day 2012</paypal> <br />
<br />
<br />
==== Promotion ====<br />
''Feel free to use the text below to promote our event!''<br />
<br />
We invite you to our next OWASP event: the '''BeNeLux OWASP Days 2012!'''<br />
<br />
Free your agenda on the 29th and 30th of November, 2012.<br />
<br />
The good news: free! No fee!<br />
<br />
The bad news: there are only 280 seats available (first register, first serve)!<br />
<br />
<br />
<!-- Don't remove these two lines! --><br />
__NOTOC__ <br />
<headertabs/><br />
<br />
<br />
==== Hosted and co-organized by: ====<br />
<br />
[http://distrinet.cs.kuleuven.be https://www.owasp.org/images/4/4a/Logo_distrinet.png]<br />
[http://www.nessos-project.eu/ https://www.owasp.org/images/5/52/Nessos.png]<br />
<br />
==== Made possible by our {{#switchtablink:Sponsor|Sponsors}}====<br />
<br />
==== OWASP Member Sponsor: ====<br />
{{MemberLinks|link=http://www.pwc.com/|logo=PWC_log_resized.png}} <br />
<br />
==== OWASP BeNeLux 2013 Sponsors: ====<br />
[http://www.madisongurkha.nl https://www.owasp.org/images/6/6e/Madison-gurkha-logo.jpg]<br />
[http://www.sogeti.nl https://www.owasp.org/images/9/94/Sogeti_logo.png]<br />
[http://www.vest.nl https://www.owasp.org/images/1/1d/Logo_Vest_BIG_170.gif]<br />
<br><br />
[http://www.iminds.be https://www.owasp.org/images/thumb/a/a1/Iminds-logo.png/200px-Iminds-logo.png]<br />
[http://www.zionsecurity.com https://www.owasp.org/images/e/e6/Zionsecurity.jpg]<br />
[http://on2it.net https://www.owasp.org/images/3/3d/On2it-sponsor.png]<br />
<br><br />
<br />
<br />
[[Category:OWASP_AppSec_Conference]] [[Category:OWASP_BeNeLux_Archives]]</div>Favroomhttps://wiki.owasp.org/index.php?title=BeNeLux_OWASP_Day_2013&diff=154431BeNeLux OWASP Day 20132013-06-25T20:07:15Z<p>Favroom: /* Registration is open: */</p>
<hr />
<div><center>[[Image:owaspbnl12header.jpg]]<br></center><br />
<br><!-- Header --><br />
<br />
<br />
<!-- First tab --><br />
= Welcome =<br />
<br />
=== Welcome to OWASP BeNeLux 2013 ===<br />
<br />
==== News ====<br />
* <br />
* <br />
<br><br />
<br />
==== Confirmed trainers for Trainingday ====<br />
{{#switchtablink:Trainingday| <p><br />
* <br />
* <br />
* <br />
* <br />
}}<br />
<br><br />
<br />
==== Confirmed speakers Conferenceday ====<br />
{{#switchtablink:Conferenceday| <p><br />
* <br><br />
* <br><br />
* <br><br />
* <br><br />
* <br><br />
* <br><br />
* <br><br />
* <Br><br />
* <br><br />
}}<br />
<br><br />
<br />
==== The OWASP BeNeLux Program Committee ====<br />
*Bart De Win / Sebastien Deleersnyder/ Lieven Desmet/ David Mathy, OWASP Belgium<br />
*Martin Knobloch / Ferdinand Vroom, OWASP Netherlands<br />
*Jocelyn Aubert / Andre Adelsbach/ Thierry Zoller, OWASP Luxembourg<br />
<br><br />
<br />
=== Tweet! ===<br />
Event tag is [http://twitter.com/#search?q=%23owaspbnl13 #owaspbnl13]<br />
<br><br><br />
==== Donate to OWASP BeNeLux ====<br />
<paypal>BeNeLux OWASP Day 2013</paypal><br />
<br />
<!-- Second tab --><br />
<br />
= Registration =<br />
<br />
==== OWASP BeNeLux training day and conference are free! ==== <br />
<br />
=== Registration is not yet open: ===<br />
<br />
[http://owaspbenelux2013.eventbrite.com/ http://www.owasp.org/images/7/77/Buttoncreate.png]<br />
<br />
<br><br />
To support the OWASP organisation, consider to become a member, it's only US$50!<br />
<br> <br />
Check out the [[Membership]] page to find out more. <br />
<br><br />
<br />
<br />
<!-- Third tab --><br />
<br />
= Venue =<br />
<br />
=== Venue is the iMinds-DistriNet Research Group @ KU Leuven ===<br />
<br />
''Celestijnenlaan, 200A<br><br />
3001 Heverlee<br><br />
Belgium<br>''<br />
<br><br />
<br />
<br>'''Parking & roadmap''':<br />
<br />
There is a public parking close to the conference venue.<br />
<br />
Roadmap and parking: http://distrinet.cs.kuleuven.be/about/route/<br />
<br />
<br />
<br>'''Hotels nearby''': <br> <br />
Board house (close to the venue)<br> http://www.boardhouse.be<br><br />
The lodge (close to the venue)<br> http://www.booking.com/hotel/be/the-lodge-heverlee.en.html<br><br />
Begijnhof Congres Hotel (1 km from the venue)<br> http://www.bchotel.be/<br><br />
La Royale (2 km from the venue)<br> http://www.laroyale.be<br> <br />
Hotel Ibis (2 km from the venue)<br> http://www.accorhotels.com/gb/hotel-1457-ibis-leuven-centrum/index.shtml<br> <br />
Mercure (2 km from the venue) <br> http://www.mercure.com/gb/hotel-7862-hotel-mercure-leuven-center/index.shtml<br> <br />
New Damshire (2 km from the venue)<br> http://www.hotelnewdamshire.be<br> <br />
<br />
<br />
<!-- Fourth tab --><br />
<br />
= Trainingday =<br />
<br />
==== Trainingday, November 29th ====<br />
<br />
==== Location ====<br />
The training room is: <br />
''Celestijnenlaan, 200A, fifth floor<br><br />
3001 Heverlee<br><br />
Belgium<br>''<br />
<br><br />
<br />
(for details, check the {{#switchtablink:Venue|Venue}} tab)<br />
<br />
==== Agenda ==== <br />
{| class="wikitable"<br />
! Time !! Description !! Room 1 !! Room 2 !! Room 3 !! Room 4<br />
|-<br />
| 08h30 - 9h30<br />
| colspan="5" style="text-align: center; background: grey; color: white;" | ''Registration''<br />
|-<br />
| 09h30 - 11h00 || Training<br />
| rowspan="7" style="width:100px;" | [[#DinisCruz|Advanced O2, by Dinis Cruz <br/><br/> Room 04.112]]<br />
| rowspan="7" style="width:100px;" | [[#DanCornell|SDLC with Open Source tools, by Dan Cornell <br/><br/> Room 05.128]]<br />
| rowspan="7" style="width:100px;" | [[#VolkertDeBuisonje|Secure Java Development with ESAPI (hands-on), by Volkert de Buisonjé <br/><br/> Room 05.152]]<br />
| rowspan="7" style="width:100px;" | [[#MartinKnobloch|Essential Web Appplication Security (OWASP Top 10, Webgoat, WebScarab), by Martin Knobloch <br/><br/> Room 05.001]]<br />
|-<br />
| 11h00 - 11h30 || ''Coffee Break''<br />
|-<br />
| 11h30 - 13h00 || Training<br />
|-<br />
| 13h00 - 14h00 || ''Lunch''<br />
|-<br />
| 14h00 - 15h30 || Training<br />
|-<br />
| 15h30 - 16h00 || ''Coffee Break''<br />
|-<br />
| 16h00 - 17h30 || Training<br />
|}<br />
<br />
<br />
<br />
<br />
<br />
<br><br />
<br />
<div id="VolkertDeBuisonje"></div><br />
<br />
=== Secure Java Development workshop with ESAPI, by Volkert de Buisonjé (Sogeti) ===<br />
''Workshop:''<br><br />
First, attendees will receive a brief introduction on application awareness. Then they will get acquainted with Webgoat, a "deliberately insecure J2EE web application" designed as a practice tool for secure application development and testing. They will learn how to exploit some vulnerabilities in Webgoat, through for instance Cross-Site Scripting (CSS) and Cross-Site Request Forgery (CSRF) attacks. Finally, the ESAPI library will be introduced and the attendees will learn how to apply ESAPI to fix such vulnerabilities in Webgoat's source code.<br><br />
<br><br />
''Prerequisites for this workshop:''<br><br />
* Reasonable knowledge of and experience with Java development<br />
* A laptop running a recent version of Linux, Mac OS X, or Windows<br />
* The most recent version of VirtualBox (4.x) installed<br />
* At least 2GB of RAM<br />
* At least 2GB of disk space<br />
<br><br />
''Bio:''<br><br />
Volkert de Buisonjé is a senior Java developer at Sogeti. He specializes in, and teaches application security courses, both to coworkers and to customers. Knowledge sharing (in both directions) is his passion. Volkert likes making friends and talking a lot. He never shuns a good discussion, and prefers to bring a high amount of interactivity to his classes. :-)<br><br />
<br><br />
<br><br />
<br />
<div id="DinisCruz"></div><br />
=== Advanced O2, by Dinis Cruz (Security Innovation) ===<br />
''Workshop:''<br><br />
The O2 platform represents a new paradigm for how to perform, document and distribute Web Application security reviews. O2 is designed to Automate Security Consultants Knowledge and Workflows and to Allow non-security experts to access and consume Security Knowledge.<br />
<br><br />
''Bio:''<br><br />
Dinis Cruz is a Security Consultant based in London (UK) and specialized in: ASP.NET/J2EE Application Security, Application Security audits and .NET Security Curriculum Development.<br><br />
For the past years Dinis has focused on the field of Static Source Code analysis, from May 2007 to Dec 2009 he worked as a independent consultant for Ounce Labs (bought by IBM in July 2009) where during active security engagements using Ounce's technology he developed the Open Source codebase which now is the foundation of the OWASP O2 Platform.<br><br />
Dinis is currently focused on making the O2 Platform the industry standard for consuming, instrumenting and data-sharing between the multiple WebAppSec tools, the Security consultants and the final developers. Dinis is a also active trainer on .Net security having written and delivered courses for IOActive, Foundstone, Intense School and KPMG (at multiple locations including BlackHat), and has delivered a number of presentations and keynote speeches at multiple OWASP and Security related conferences.<br><br />
At OWASP, Dinis is the leader of the OWASP O2 Platform project<br><br />
<br><br />
<br><br />
<br />
<div id="MartinKnobloch"></div><br />
<br />
=== Essential Web Appplication Security (OWASP Top 10, Webgoat, WebScarab), by Martin Knobloch (PervaSec) ===<br />
''Abstract:''<br><br />
This workshop is an introduction into (web) application security with hands-on labs, using OWASP documentation and tooling.<br />
You will be introduced into the security mindset, discus the OWASP TopTen 2010 and learn basic skills in how to find vulnerabilities in web applications. All tools and documentation are provided during the training.<br><br />
<b>As this is an hands-on workshop, please bring your own laptop!</b> <br><br />
Course structure:<br />
*Introduction OWASP, OWASP tool and documentation<br />
*Security Testing mindset <br />
*1st Lab: OWASP WebGoat / WebScarab <br />
*OWASP Top Ten 2010<br />
*OWASP Testing Guide <br />
*2nd Lab: OWASP WebGoat / WebScarab <br />
*3rd Lab: OWASP Hackademic / ZAP <br />
*Summary and completion <br />
Prerequisites for this workshop:<br />
*Basic understanding of HTTP and web application testing/development<br />
*An open mind<br />
<br><br />
''Bio:''<br><br />
Martin is an independent security consultant and owner of PervaSec (http://www.pervasec.nl). His main working area is (software) security in general, from awareness to implementation. In his daily work, he is responsible for education in application security matters, advise and implementation of application security measures.<br><br />
At OWASP, Martin is member of the Dutch chapter board and chair of the Global Education Committee and contributes to several projects.<br><br />
Martin is a frequent speaker at conferences, universities and hacker spaces.<br />
<br><br />
<br />
<br />
<div id="DanCornell"></div><br />
<br />
=== Building a Software Security Program On Open Source Tools, by Dan Cornell (Denim Group) ===<br />
''Abstract:''<br><br />
Using the Software Assurance Maturity Model (OpenSAMM) as a framework, this course walks through the major components of a comprehensive software security program and highlights open source and other freely-available tools that can be used to help implement the activities involved in such a program. The focus of the course is on providing hands-on demonstrations of the tools with an emphasis on integrating tool results into the overall software security program. Featured tools include: ESAPI, Microsoft Web Protection Library, FindBugs, FxCop, CAT.NET, Brakeman, Agnitio, Arachini, w3af, ZAProxy, ThreadFix as well as other educational resources from OWASP. Attendees should finish the course with a solid understanding of the various components of a comprehensive software security program as well as hands-on experience with a variety of freely-available tools that they can use to implement portions of these programs.<br><br />
<br><br />
''Outline:''<br><br />
* So You Want To Roll Out A Software Security Program?<br />
* The Software Assurance Maturity Model (OpenSAMM)<br />
* ThreadFix: Overview<br />
* Governance: Strategy and Metrics<br />
** ThreadFix: Reporting<br />
* Governance: Policy and Compliance<br />
* Governance: Education and Guidance<br />
** OWASP Development Guide<br />
** OWASP Cheat Sheets<br />
** OWASP Secure Coding Practices<br />
* Construction: Threat Assessment<br />
* Construction: Security Requirements<br />
* Construction: Secure Architecture<br />
** ESAPI overview<br />
** Microsoft Web Protection Library (Anti-XSS) overview<br />
* Verification: Design Review<br />
** Microsoft Threat Analysis and Modeling Tool<br />
* Verification: Code Review<br />
** FindBugs<br />
** FxCop<br />
** CAT.NET<br />
** Brakeman<br />
** Agnitio<br />
* Verification: Security Testing<br />
** Arachni<br />
** w3af<br />
** ZAProxy<br />
* Deployment: Vulnerability Management<br />
** ThreadFix: Defect Tracker Integration<br />
* Deployment: Environment Hardening<br />
** Microsoft Baseline Security Analyzer (MBSA)<br />
* Deployment: Operational Enablement<br />
** mod_security<br />
<br><br />
''Bio:''<br><br />
Dan Cornell has over fifteen years of experience architecting and developing web-based software systems. He leads Denim Group’s security research team in investigating the application of secure coding and development techniques to improve web-based software development methodologies.<br><br />
Dan was the founding coordinator and chairman for the Java Users Group of San Antonio (JUGSA) and currently serves as the OWASP San Antonio chapter leader, member of the OWASP Global Membership Committee and co-lead of the OWASP Open Review Project. Dan has spoken at such international conferences as RSA, OWASP AppSec USA, and OWASP EU Research in Greece.<br><br />
<br><br />
<br />
<br />
<!-- Fifth tab --><br />
<br />
= Conferenceday =<br />
<br />
==== Conferenceday, November 30th ====<br />
<br />
==== Location ====<br />
The conference takes place in auditorium K.06, the registration and catering in the foyer of building 200A (ground floor) (for details, check the {{#switchtablink:Venue|Venue}} tab)<br />
<br />
==== Agenda ==== <br />
{| class="wikitable"<br />
! width="90pt" | Time<br />
! width="130pt" | Speaker !! Topic<br />
|- <br />
| 09h00 - 10h00<br />
| colspan="2" style="text-align: center; background: grey; color: white" | ''Registration''<br />
|- <br />
| 10h00 - 10h15 || OWASP Benelux Organization || Welcome ([https://www.owasp.org/images/a/ad/OWASP_BeNeLux_Day_2012_-_Organization_welcome.ppt PPT])<br />
|-<br />
| 10h15 - 10h30 || Sebastien Deleersnyder || OWASP update ([https://www.owasp.org/images/d/d7/OWASP-Update-BeNeLux-Day-2012_v1.pptx PPT])<br />
|-<br />
| 10h30 - 11h10 || [[#JohnWilander|John Wilander]] || ''' Secure Web Integration Patterns in the Era of HTML5'''<br>''Abstract:'' Quite a few organizations are finding themselves in a legacy situation with their web applications. Over ten years have passed since the era of dynamic HTML and with the rise of HTML5 and mobile platforms there is now need to gradually move these legacy beasts into a new architecture. Additionally, more and more third party services are offered such as maps, tracking, social media tie-ins, video etc. What are the possible and suitable design patterns for bringing new web, old web, and third party web together? Can we isolate them from each other to secure the new apps from legacy and third party security vulnerabilities? We will dig into the postMessage api, the iframe sandbox directive, CORS, and the same-origin policy while comparing it to the previous generation of integration with jsonp and other hacks.<br />
|-<br />
| 11h10 - 11h50 || [[#LievenDesmet|Lieven Desmet]] || '''Sandboxing Javascript''' ([https://www.owasp.org/images/1/10/Sandboxing-Javascript.pdf PDF])<br>''Abstract:'' The inclusion of third-party scripts in web pages is a common practice. A recent study has shown that more than half of the Alexa top 10 000 sites include scripts from more than 5 different origins. However, such script inclusions carry risks, as the included scripts operate with the privileges of the including website.<br><br />
In this talk, we propose JSand, a server-driven but client-side JavaScript sandboxing framework. JSand requires no browser modifications: the sandboxing framework is implemented in JavaScript and is delivered to the browser by the websites that use it. Enforcement is done entirely at the client side: JSand enforces a server-specified policy on included scripts without requiring server-side filtering or rewriting of scripts.<br><br />
Most importantly, JSand is complete: access to all resources is mediated by the sandbox.<br><br />
We describe the design and implementation of JSand, and we show that it is secure, backwards compatible, and that it performs sufficiently well.<br><br />
|-<br />
| 11h50 - 12h30 || [[#ErwinGeirnaert|Erwin Geirnaert]] || '''OWASP Top 10 vs Drupal'''<br>''Abstract:'' Drupal is the most used and well-known open source content management system in the world. Created by Dries Buytaert years ago it has grown with the support of a big community. Drupal 7 is already released and there is an entire ecosystem for Drupal and Drupal web agencies.<br><br />
During this presentation we will discuss the findings of an automated static code analysis of Drupal 6 and Drupal 7 and how Drupal protects against the OWASP Top 10 Application Security Risks. We will explain the security weaknesses that remain when you use Drupal and what you can implement to have a secure cloud server running Drupal.<br><br />
|-<br />
| 12h30 - 13h30<br />
| colspan="2" style="text-align: center;background: grey; color: white" | ''Lunch'' <br />
|-<br />
| 13h30 - 14h10 || [[#AsiaSlowinska|Asia Slowinska]] || '''Body Armor for Binaries'''<br>''Abstract:'' BinArmor is a novel technique to protect existing C binaries from memory corruption attacks on both control data and non-control data. Without access to source code, non-control data attacks cannot be detected with current techniques. Our approach hardens binaries against both kinds of overflow, without requiring the pro- grams’ source or symbol tables. We show that BinArmor is able to stop real attacks—including the recent non- control data attack on Exim. Moreover, we did not in- cur a single false positive in practice. On the downside, the current overhead of BinArmor is high—although no worse than competing technologies like taint analysis that do not catch attacks on non-control data. Specifi- cally, we measured an overhead of 70% for gzip, 16%- 180% for lighttpd, and 190% for the nbench suite.<br />
|-<br />
| 14h10 - 14h50 || [[#MarcHullegieAndKeesMastwijk|Marc Hullegie and Kees Mastwijk]] || '''Forensics'''<br>''Abstract:'' In today’s investigations, forensics has become an important investigative method in fighting and solving (cyber)crimes and irregularities. During the session you will be briefly taken through the landscape of Forensics Basics; the Fraud Triangle and scenario's; What to look for and the appliance of Digital Forensics. What are the Challenges, the required Skills and Expertise and Solutions to these challenges. Specific focus on the Forensics of Web Applications and what you can do the create a more forensic ready system.<br><br />
|-<br />
| 14h50 - 15h30 || [[#DanCornell|Dan Cornell]] || '''Streamlining Application Vulnerability Management: Communication Between Development and Security Teams'''<br>''Abstract:'' Identifying application-level vulnerabilities via scanning, penetration tests and code reviews is only the first step in actually addressing the underlying risk. Managing vulnerabilities for applications is more challenging than dealing with traditional infrastructure-level vulnerabilities because they typically require the coordination of security teams with application development teams. The process also means that security managers need to get time from developers during already-cramped development and release schedules. In addition, fixes require changes to custom application code and application-specific business logic rather than the patches and configuration changes that are often sufficient to address infrastructure-level vulnerabilities. This presentation will illustrate the communication difficulties between security and development teams, and how this usually results in unactionable reports and fewer vulnerabilities remediated. In addition, the presentation will walk through an example workflow of addressing application vulnerabilities as software defects. This will be based on freely-available tools and show specific examples of how vulnerabilities can be grouped together, false positives can be culled out, and vulnerabilities transitioned to software defects, as well as how security managers can monitor and verify progress.<br><br />
|-<br />
| 15h30 - 15h50<br />
| colspan="2" style="text-align: center;background: grey; color: white" | ''Break'' <br />
|-<br />
| 15h50 - 16h30 || [[#RuedigerBachmann|Ruediger Bachmann]] || '''Code review for Large Companies'''<br>''Abstract:''Static source code analysis should be an essential part in the secure software development life cycle (SDLC) to start to minimize the number of potential vulnerabilities already in a very early stage in the software development process.<br><br />
The introduction of static code analysis at a large software manufacturer is a big challenge. In addition to the technical difficulties – based on the sheer number and size of the software projects or the number of different programing languages – there are also non-technical issues like creating new security awareness, trainings to use the provided tools efficiently and integration of analysis processes into the software development and maintenance life cycle.<br><br />
This talk gives an overview of the company-wide introduction of static code analysis at SAP AG.<br />
|-<br />
| 16h30 - 17h10 || [[#DinisCruz|Dinis Cruz]] || '''Making Security Invisible by Becoming the Developer’s Best Friends'''<br>''Abstract:'' Coming soon!<br />
|-<br />
| 17h10 - 17h50 || <br />
* Steven Wierckx<br />
* Luc Beirens<br />
* Jos Dumortier<br />
* Dieter Sarrazyn<br />
* Erwin Geirnaert<br />
* John Wilander<br />
|| '''Panel Discussion about the legal aspects of penetration testing'''<br> ''Abstract:'' In the past couple of years security has become a more visible topic in the media. As a result many companies are asking for security reviews in the form of a penetration test. A lot of entrepreneurs took the opportunity to form teams and/or companies that provide such services. There seems to be a lack of clear (standard) legal documentation to cover these activities both for the penetration tester and the company under review. With this panel discussion we would like to discuss this situation and to see if there is a possibility to have a standard document or framework that can be used as a starting point for companies and professionals to use as a contract. The purpose would be to end up with a (set of) documents similar to the “Testaankoop standard huurcontract”, this is a well-known Belgian contract framework for renting a house where both parties are protected and that is clear to both parties. It can be used without further legal intervention.<br />
|-<br />
| 17h50 - 18h00 || OWASP Benelux 2012 organization || '''Closing Notes'''<br />
|}<br />
<br />
<br><br />
<br><br />
<br />
<div id="AsiaSlowinska"></div><br />
<br />
=== Body Armor for Binaries, by Asia Slowinska (Vrije Universiteit Amsterdam) ===<br />
''Abstract:''<br><br />
BinArmor is a novel technique to protect existing C binaries from memory corruption attacks on both control data and non-control data. Without access to source code, non-control data attacks cannot be detected with current techniques. Our approach hardens binaries against both kinds of overflow, without requiring the pro- grams’ source or symbol tables. We show that BinArmor is able to stop real attacks—including the recent non- control data attack on Exim. Moreover, we did not in- cur a single false positive in practice. On the downside, the current overhead of BinArmor is high—although no worse than competing technologies like taint analysis that do not catch attacks on non-control data. Specifi- cally, we measured an overhead of 70% for gzip, 16%- 180% for lighttpd, and 190% for the nbench suite.<br><br />
<br><br />
''Bio:''<br><br />
I am a postdoctoral researcher in the System and Network Security group at the Vrije Universiteit Amsterdam, under the guidance of Prof. dr. ir. Herbert Bos.<br><br />
I obtained my PhD from the Vrije Universiteit Amsterdam. My dissertation Using information flow tracking to protect legacy binaries was completed under the supervision of Prof. dr. ir. Herbert Bos, while my copromotor was Prof. dr. ir. Henri E. Bal.<br><br />
During my PhD studies, I interned twice with Microsoft Research Cambridge, where I joined the Systems and Performance Group. I also spent few months interning with the Systems and Security Department at Institute for Infocomm Research in Singapore.<br><br />
My research focuses on developing techniques to automatically analyze and reverse engineer complex software that is available only in binary form. Further, I’ve been looking into mechanisms that proactively protect software from malicious activities. Currently, I am involved in a project on Reverse Engineering of binaries, known as Rosetta.<br><br />
<br><br />
<br />
<div id="RuedigerBachmann"></div><br />
=== Code review for Large Companies, by Ruediger Bachmann (SAP) ===<br />
''Abstract:''<br><br />
Static source code analysis should be an essential part in the secure software development life cycle (SDLC) to start to minimize the number of potential vulnerabilities already in a very early stage in the software development process.<br><br />
The introduction of static code analysis at a large software manufacturer is a big challenge. In addition to the technical difficulties – based on the sheer number and size of the software projects or the number of different programing languages – there are also non-technical issues like creating new security awareness, trainings to use the provided tools efficiently and integration of analysis processes into the software development and maintenance life cycle.<br><br />
This talk gives an overview of the company-wide introduction of static code analysis at SAP AG.<br />
<br><br />
''Bio:''<br><br />
After graduating with a degree in mathematics and computer science at the University of Giessen in 1997, Ruediger Bachmann worked at various software companies and IT service providers mainly in software development. Currently he is employed at SAP AG in Germany as a Development Architect in the central code analysis team. There he is focusing on application security and security code scans.<br><br />
<br />
<div id="LievenDesmet"></div><br />
<br />
=== Sandboxing JavaScript, by Lieven Desmet (Research Manager at KU Leuven) ===<br />
''Abstract:''<br><br />
The inclusion of third-party scripts in web pages is a common practice. A recent study has shown that more than half of the Alexa top 10 000 sites include scripts from more than 5 different origins. However, such script inclusions carry risks, as the included scripts operate with the privileges of the including website.<br><br />
In this talk, we propose JSand, a server-driven but client-side JavaScript sandboxing framework. JSand requires no browser modifications: the sandboxing framework is implemented in JavaScript and is delivered to the browser by the websites that use it. Enforcement is done entirely at the client side: JSand enforces a server-specified policy on included scripts without requiring server-side filtering or rewriting of scripts. Most importantly, JSand is complete: access to all resources is mediated by the sandbox.<br><br />
We describe the design and implementation of JSand, and we show that it is secure, backwards compatible, and that it performs sufficiently well.<br><br />
<br><br />
''Bio:''<br><br />
Lieven Desmet is Research Manager on Software Secure at the iMinds-DistriNet Research Group (KU Leuven, Belgium), where he coaches junior researchers in web application security and participates in dissemination and valorization activities. His interests are in security of middleware and web-enabled technologies. Lieven is actively engaged in OWASP and is board member of the OWASP Chapter Belgium.<br><br />
<br><br />
<br><br />
<br />
<div id="ErwinGeirnaert"></div><br />
=== OWASP Top 10 vs Drupal, by Erwin Geirnaert (Zion Security) ===<br />
''Abstract:''<br><br />
Drupal is the most used and well-known open source content management system in the world. Created by Dries Buytaert years ago it has grown with the support of a big community. Drupal 7 is already released and there is an entire ecosystem for Drupal and Drupal web agencies.<br><br />
During this presentation we will discuss the findings of an automated static code analysis of Drupal 6 and Drupal 7 and how Drupal protects against the OWASP Top 10 Application Security Risks. We will explain the security weaknesses that remain when you use Drupal and what you can implement to have a secure cloud server running Drupal.<br><br />
<br><br />
''Bio:''<br><br />
Erwin founded ZION SECURITY in 2005 to help companies to protect against the latest threats, attacks against web applications. ZION SECURITY is nowadays a Belgian market leader in the field of security testing, vulnerability management, penetration testing and banking security. Erwin has more than 10 years of experience in web security, graduating with a Master of Science in Software Development from the University of Ghent. Erwin executes different types of projects for a lot of international software companies, financial institutions, telecom and web agencies. Specialist in executing code reviews in different development languages for critical applications, executing continuous penetration tests of their infrastructure and Internet applications. A specialist in J2EE, PHP, .NET, mobile app and web services security. Erwin architects secure e-business projects for web agencies and software companies. He is a recognized application security expert and speaker at international events like Javapolis, OWASP, Eurostar, LSEC,...<br><br />
<br><br />
<br />
<div id="MarcHullegieAndKeesMastwijk"></div><br />
=== Forensics, by Marc Hullegie and Kees Mastwijk (Vest Information Security) === <br />
''Abstract:''<br><br />
In today’s investigations, forensics has become an important investigative method in fighting and solving (cyber)crimes and irregularities. During the session you will be briefly taken through the landscape of Forensics Basics; the Fraud Triangle and scenario's; What to look for and the appliance of Digital Forensics. What are the Challenges, the required Skills and Expertise and Solutions to these challenges. Specific focus on the Forensics of Web Applications and what you can do the create a more forensic ready system.<br><br />
<br><br />
''Bio:''<br><br />
Marc Hullegie is founder and CEO of Vest Information Security and is widely experienced in the information security business in all types of areas: Security Architecture and Infrastructure, Security Audits and Testing, Security Management, Awareness and Digital Forensics. He presents lectures at (international) conferences and is looking forward to share experiences at the OWASP Benelux days 2012 with you.<br><br />
<br> <br />
''Bio:''<br><br />
Kees Mastwijk is a security consultant working with Vest, acting as Security Auditor, Awareness Program leader and security Manager. He has a long (and ongoing) experience history in Digital Forensic Research.<br><br />
<br><br />
<br />
<div id="JohnWilander"></div><br />
=== Secure Web Integration Patterns in the Era of HTML5, by John Wilander (Svenska Handelbanken) ===<br />
''Abstract:''<br><br />
Quite a few organizations are finding themselves in a legacy situation with their web applications. Over ten years have passed since the era of dynamic HTML and with the rise of HTML5 and mobile platforms there is now need to gradually move these legacy beasts into a new architecture. Additionally, more and more third party services are offered such as maps, tracking, social media tie-ins, video etc. What are the possible and suitable design patterns for bringing new web, old web, and third party web together? Can we isolate them from each other to secure the new apps from legacy and third party security vulnerabilities? We will dig into the postMessage api, the iframe sandbox directive, CORS, and the same-origin policy while comparing it to the previous generation of integration with jsonp and other hacks.<br />
<br><br />
''Bio:''<br><br />
John Wilander is a frontend software developer at Svenska Handelbanken, the second strongest bank in the world according to Bloomberg Markets. He has been researching and working in application security for ten years and is an active leader in OWASP, the Open Web Application Security Project. In 2011 he organized the OWASP Summit Browser Security sessions in Portugal, with participants from the security teams behind Chrome, Firefox, Internet Explorer, Flash, and PayPal. During his years in academia he was elected best computer science teacher twice and nowadays gives 5-10 professional talks per year.<br><br />
<br><br />
<br><br />
<br />
<div id="DanCornell"></div><br />
<br />
=== Streamlining Application Vulnerability Management: Communication Between Development and Security Teams, by Dan Cornell (Denim Group) ===<br />
''Abstract:''<br><br />
Identifying application-level vulnerabilities via scanning, penetration tests and code reviews is only the first step in actually addressing the underlying risk. Managing vulnerabilities for applications is more challenging than dealing with traditional infrastructure-level vulnerabilities because they typically require the coordination of security teams with application development teams. The process also means that security managers need to get time from developers during already-cramped development and release schedules. In addition, fixes require changes to custom application code and application-specific business logic rather than the patches and configuration changes that are often sufficient to address infrastructure-level vulnerabilities. This presentation will illustrate the communication difficulties between security and development teams, and how this usually results in unactionable reports and fewer vulnerabilities remediated. In addition, the presentation will walk through an example workflow of addressing application vulnerabilities as software defects. This will be based on freely-available tools and show specific examples of how vulnerabilities can be grouped together, false positives can be culled out, and vulnerabilities transitioned to software defects, as well as how security managers can monitor and verify progress.<br><br />
<br><br />
''Bio:''<br><br />
''Dan Cornell has over fifteen years of experience architecting and developing web-based software systems. He leads Denim Group’s security research team in investigating the application of secure coding and development techniques to improve web-based software development methodologies.<br><br />
Dan was the founding coordinator and chairman for the Java Users Group of San Antonio (JUGSA) and currently serves as the OWASP San Antonio chapter leader, member of the OWASP Global Membership Committee and co-lead of the OWASP Open Review Project. Dan has spoken at such international conferences as RSA, OWASP AppSec USA, and OWASP EU Research in Greece.''<br><br />
<br><br />
<br><br />
<br />
<div id="DinisCruz"></div><br />
=== Making Security Invisible by Becoming the Developer’s Best Friends, by Dinis Cruz (Security Innovation) ===<br />
''Abstract:''<br><br />
''Coming soon!''<br><br />
<br><br />
''Bio:''<br><br />
Dinis Cruz is a Security Consultant based in London (UK) and specialized in: ASP.NET/J2EE Application Security, Application Security audits and .NET Security Curriculum Development.<br><br />
For the past years Dinis has focused on the field of Static Source Code analysis, from May 2007 to Dec 2009 he worked as a independent consultant for Ounce Labs (bought by IBM in July 2009) where during active security engagements using Ounce's technology he developed the Open Source codebase which now is the foundation of the OWASP O2 Platform.<br><br />
Dinis is currently focused on making the O2 Platform the industry standard for consuming, instrumenting and data-sharing between the multiple WebAppSec tools, the Security consultants and the final developers. Dinis is a also active trainer on .Net security having written and delivered courses for IOActive, Foundstone, Intense School and KPMG (at multiple locations including BlackHat), and has delivered a number of presentations and keynote speeches at multiple OWASP and Security related conferences.<br><br />
At OWASP, Dinis is the leader of the OWASP O2 Platform project<br><br />
<br><br />
<br><br />
<br />
=== Panel discussion about the legal aspects of penetration testing ===<br />
''with Steven Wierckx, Luc Beirens, Jos Dumortier, Dieter Sarrazyn, ...''<br><br><br />
''Abstract:''<br> In the past couple of years security has become a more visible topic in the media. As a result many companies are asking for security reviews in the form of a penetration test. A lot of entrepreneurs took the opportunity to form teams and/or companies that provide such services. There seems to be a lack of clear (standard) legal documentation to cover these activities both for the penetration tester and the company under review. With this panel discussion we would like to discuss this situation and to see if there is a possibility to have a standard document or framework that can be used as a starting point for companies and professionals to use as a contract. The purpose would be to end up with a (set of) documents similar to the “Testaankoop standard huurcontract”, this is a well-known Belgian contract framework for renting a house where both parties are protected and that is clear to both parties. It can be used without further legal intervention.<br><br />
<br><br />
<li>''Bio Steven Wierckx, ps_testware:''<br><br />
Steven Wierckx is currently working as Security Tester for [http://www.pstestware.com/ ps_testware], he specialises in web application security and keeps a security related blog [http://www.ihackforfun.eu/ ihackforfun]. He is also wrting articles and doing technical reviews for PenTest Magazine.<br><br />
<br><br />
<li>''Bio Luc Beirens, FCCU:''<br><br />
Head of Belgian Federal Computer Crime Unit & Chair EU Cybercrime Task Force trying to create partnerships and circumstances for a safer cyberspace.<br><br />
<br><br />
<li>''Bio Jos Dumortier, ICRI:''<br><br />
Jos Dumortier is Professor of ICT Law at the University of Leuven (Belgium) and the Director of the Interdisciplinary Research Centre for ICT and Law (ICRI) (www.icri.be). With his research team he participates in a series of R & D projects in the domain of telemedicine.<br><br />
He is also a member of the Bar of Brussels and partner in “time.lex”, a law firm specialized in information and technology law (www.timelex.eu).<br><br />
He participates in the boards of several national and international scientific and business associations and is a member of various editorial and program committees. <br><br />
He is the editor of the International Encyclopedia of Cyber Law and the author of more than one hundred books and articles on legal issues related to the information society.<br><br />
Jos Dumortier has taken the lead in a large number of European studies and projects in the area of information security, privacy and identity management. He worked on an assignment of the European Commission (DG INFSO) for a study on the legal obstacles for interoperable eHealth in Europe and on several studies for the Flemish government related to the implementation of a regional eHealth platform. He is also a member of the Flemish data protection supervisory authority for the health sector.<br><br />
<br><br />
<li>''Bio Dieter Sarrazyn, PWC:''<br><br />
Dieter is a senior manager and consultant within PwC and a team leader for Risk Management assessment services. His main focus is in performing penetration tests (external as well as internal), performing security audits, creating and evaluating security architectures,and creating and setting up vulnerability management frameworks & tools. He is a Certified Information Systems Security Professional (CISSP), a Certified Intrusion Analyst (GCIA), a Certified Incident Handling Analyst (GCIH), a Certified Intrusion Analyst (GCIA) a GIAC Systems and Network Auditor (GSNA). Dieter is also SANS Local Mentor and SANS Community Teacher<br><br />
<br><br />
<br><br />
<br />
<!-- Sixth tab --><br />
<br />
= Social Event =<br />
<br />
==== Social Event, November 29th ====<br />
<br />
==== <B>Important Update</B> ====<br />
The brewery visit is limit to 60 people. Therefor, the 60 first registered people that indicated interest in the social event have been invited to participate. Any remaining tickets will be offered on Thursday around noon at the registration desk.<br />
<br />
If you are going by car, there are paid parkings under the Railway station and at Kinepolis (follow the parking signs). If you want to go there from the venue without car, the best way to get there is to take bus No.2 that leaves next to the building and drives to the Railway station. From there, it is a 300 m. walk to the brewery.<br />
<br />
All other people (and the people of the brewery tour after that has finished) are warmly invited to join us in the Downtown Jack, a pub with a number of pool and snooker tables. 5 pool tables have been exclusively reserved for us from 20h00 onwards. You can also have a drink and eat something there if you like.<br />
<br />
The address: Parkstraat 40, 3000 Leuven (see http://www.downtownjack.be/)<br />
<br />
==== <B>Brewery Visit Information</B> ====<br />
The social event will take place at the InBev Brewery in Leuven, where there will be a guided tour and a beer tasting.<br><br />
Unfortunately, the tour is limited to 60 people. Since we have more registered people than places, we will soon announce how we will<br />
proceed.<br><br />
If you decide not to join, please inform the Benelux organisation, other participants will be happy to join.<br><br />
<br><br />
'''The entrance fee for the tour is 10 EUR'''. <br><br />
This amount will have to be paid to the Benelux organisation at the registration desk or upon entry in cash (please use correct notes).<br><br />
<br><br />
Below is the address where the event takes place. You can take your car, bus number 2 or a taxi to reach this.<br> '''The tour starts at 19h30 sharp'''.<br><br />
<br><br />
'''Address:''' <br><br />
Vuurkruisenlaan z/n <br><br />
3000 Leuven<br><br />
<br><br />
'''From the station:'''<br><br />
Take the street 'Diestepoort' (this street is parrallel with the railway behind the building)and walk straight through. You can see the brewery at the end of the street.<br><br />
'''By car:'''<br><br />
From the street diestesteenweg or beckeremieplein head to the railroadbridge. At the crossroad take first right, this is the entrance of the brewery. from the expressway R23 head to the Hotel ''NOVOTEL''. Take the street left from ''NOVOTEL'', this is the ''vuurkruisenlaan''. On your left side you can see the brewery. At the<br />
next crossroad take the first left, this is the entrance of the brewery.<br><br />
<br><br />
'''ENTRANCE BREWERY:'''<br><br />
is also the entrance for the trucks, next to the railroadbridge.<br><br />
We will meet at the entrance at 19h30 where the tour will start.<br><br><br />
<br />
<br />
<!-- Seventh tab --><br />
<br />
= CTF =<br />
<br />
==== Capture the Flag! ====<br />
<br />
* Do you like puzzles? <br />
* Do you like challenges? <br />
* Are you a hacker?<br />
<br />
Whether you are an experienced hacker or new enthusiast you should come to OWASP BeNeLux 2012 and participate in the Capture the Flag event November 30th 2012. <br />
<br />
The OWASP CTF is especially designed to support challengers of all skill levels. The CTF contains multiple challenges in various fields related to application security. As every challenge gains you one point, you can pick and choose which challenge you want to play.<br />
<br />
All you need is a laptop with a wifi card and your favorite (preferably) non-commercial tools. <br />
<br />
So come, show off your skills, learn new tricks and above all have a good time at the CTF event. <br />
<br />
<br />
<!-- Eighth tab --><br />
<br />
= Sponsor =<br />
<br />
==== Become a sponsor of OWASP BeNeLux ====<br />
<br />
==== Donate to OWASP BeNeLux ====<br />
<br />
<paypal>BeNeLux OWASP Day 2012</paypal> <br />
<br />
<br />
==== Promotion ====<br />
''Feel free to use the text below to promote our event!''<br />
<br />
We invite you to our next OWASP event: the '''BeNeLux OWASP Days 2012!'''<br />
<br />
Free your agenda on the 29th and 30th of November, 2012.<br />
<br />
The good news: free! No fee!<br />
<br />
The bad news: there are only 280 seats available (first register, first serve)!<br />
<br />
<br />
<!-- Don't remove these two lines! --><br />
__NOTOC__ <br />
<headertabs/><br />
<br />
<br />
==== Hosted and co-organized by: ====<br />
<br />
[http://distrinet.cs.kuleuven.be https://www.owasp.org/images/4/4a/Logo_distrinet.png]<br />
[http://www.nessos-project.eu/ https://www.owasp.org/images/5/52/Nessos.png]<br />
<br />
==== Made possible by our {{#switchtablink:Sponsor|Sponsors}}====<br />
<br />
==== OWASP Member Sponsor: ====<br />
{{MemberLinks|link=http://www.pwc.com/|logo=PWC_log_resized.png}} <br />
<br />
==== OWASP BeNeLux 2013 Sponsors: ====<br />
[http://www.madisongurkha.nl https://www.owasp.org/images/6/6e/Madison-gurkha-logo.jpg]<br />
[http://www.sogeti.nl https://www.owasp.org/images/9/94/Sogeti_logo.png]<br />
[http://www.vest.nl https://www.owasp.org/images/1/1d/Logo_Vest_BIG_170.gif]<br />
<br><br />
[http://www.iminds.be https://www.owasp.org/images/thumb/a/a1/Iminds-logo.png/200px-Iminds-logo.png]<br />
[http://www.zionsecurity.com https://www.owasp.org/images/e/e6/Zionsecurity.jpg]<br />
[http://on2it.net https://www.owasp.org/images/3/3d/On2it-sponsor.png]<br />
<br><br />
<br />
<br />
[[Category:OWASP_AppSec_Conference]] [[Category:OWASP_BeNeLux_Archives]]</div>Favroomhttps://wiki.owasp.org/index.php?title=BeNeLux_OWASP_Day_2013&diff=154430BeNeLux OWASP Day 20132013-06-25T20:04:50Z<p>Favroom: /* OWASP BeNeLux 2012 Sponsors: */</p>
<hr />
<div><center>[[Image:owaspbnl12header.jpg]]<br></center><br />
<br><!-- Header --><br />
<br />
<br />
<!-- First tab --><br />
= Welcome =<br />
<br />
=== Welcome to OWASP BeNeLux 2013 ===<br />
<br />
==== News ====<br />
* <br />
* <br />
<br><br />
<br />
==== Confirmed trainers for Trainingday ====<br />
{{#switchtablink:Trainingday| <p><br />
* <br />
* <br />
* <br />
* <br />
}}<br />
<br><br />
<br />
==== Confirmed speakers Conferenceday ====<br />
{{#switchtablink:Conferenceday| <p><br />
* <br><br />
* <br><br />
* <br><br />
* <br><br />
* <br><br />
* <br><br />
* <br><br />
* <Br><br />
* <br><br />
}}<br />
<br><br />
<br />
==== The OWASP BeNeLux Program Committee ====<br />
*Bart De Win / Sebastien Deleersnyder/ Lieven Desmet/ David Mathy, OWASP Belgium<br />
*Martin Knobloch / Ferdinand Vroom, OWASP Netherlands<br />
*Jocelyn Aubert / Andre Adelsbach/ Thierry Zoller, OWASP Luxembourg<br />
<br><br />
<br />
=== Tweet! ===<br />
Event tag is [http://twitter.com/#search?q=%23owaspbnl13 #owaspbnl13]<br />
<br><br><br />
==== Donate to OWASP BeNeLux ====<br />
<paypal>BeNeLux OWASP Day 2013</paypal><br />
<br />
<!-- Second tab --><br />
<br />
= Registration =<br />
<br />
==== OWASP BeNeLux training day and conference are free! ==== <br />
<br />
=== Registration is open: ===<br />
<br />
[http://owaspbenelux2012.eventbrite.com/ http://www.owasp.org/images/7/77/Buttoncreate.png]<br />
<br />
<br><br />
To support the OWASP organisation, consider to become a member, it's only US$50!<br />
<br> <br />
Check out the [[Membership]] page to find out more. <br />
<br><br />
<br />
<br />
<!-- Third tab --><br />
= Venue =<br />
<br />
=== Venue is the iMinds-DistriNet Research Group @ KU Leuven ===<br />
<br />
''Celestijnenlaan, 200A<br><br />
3001 Heverlee<br><br />
Belgium<br>''<br />
<br><br />
<br />
<br>'''Parking & roadmap''':<br />
<br />
There is a public parking close to the conference venue.<br />
<br />
Roadmap and parking: http://distrinet.cs.kuleuven.be/about/route/<br />
<br />
<br />
<br>'''Hotels nearby''': <br> <br />
Board house (close to the venue)<br> http://www.boardhouse.be<br><br />
The lodge (close to the venue)<br> http://www.booking.com/hotel/be/the-lodge-heverlee.en.html<br><br />
Begijnhof Congres Hotel (1 km from the venue)<br> http://www.bchotel.be/<br><br />
La Royale (2 km from the venue)<br> http://www.laroyale.be<br> <br />
Hotel Ibis (2 km from the venue)<br> http://www.accorhotels.com/gb/hotel-1457-ibis-leuven-centrum/index.shtml<br> <br />
Mercure (2 km from the venue) <br> http://www.mercure.com/gb/hotel-7862-hotel-mercure-leuven-center/index.shtml<br> <br />
New Damshire (2 km from the venue)<br> http://www.hotelnewdamshire.be<br> <br />
<br />
<br />
<!-- Fourth tab --><br />
<br />
= Trainingday =<br />
<br />
==== Trainingday, November 29th ====<br />
<br />
==== Location ====<br />
The training room is: <br />
''Celestijnenlaan, 200A, fifth floor<br><br />
3001 Heverlee<br><br />
Belgium<br>''<br />
<br><br />
<br />
(for details, check the {{#switchtablink:Venue|Venue}} tab)<br />
<br />
==== Agenda ==== <br />
{| class="wikitable"<br />
! Time !! Description !! Room 1 !! Room 2 !! Room 3 !! Room 4<br />
|-<br />
| 08h30 - 9h30<br />
| colspan="5" style="text-align: center; background: grey; color: white;" | ''Registration''<br />
|-<br />
| 09h30 - 11h00 || Training<br />
| rowspan="7" style="width:100px;" | [[#DinisCruz|Advanced O2, by Dinis Cruz <br/><br/> Room 04.112]]<br />
| rowspan="7" style="width:100px;" | [[#DanCornell|SDLC with Open Source tools, by Dan Cornell <br/><br/> Room 05.128]]<br />
| rowspan="7" style="width:100px;" | [[#VolkertDeBuisonje|Secure Java Development with ESAPI (hands-on), by Volkert de Buisonjé <br/><br/> Room 05.152]]<br />
| rowspan="7" style="width:100px;" | [[#MartinKnobloch|Essential Web Appplication Security (OWASP Top 10, Webgoat, WebScarab), by Martin Knobloch <br/><br/> Room 05.001]]<br />
|-<br />
| 11h00 - 11h30 || ''Coffee Break''<br />
|-<br />
| 11h30 - 13h00 || Training<br />
|-<br />
| 13h00 - 14h00 || ''Lunch''<br />
|-<br />
| 14h00 - 15h30 || Training<br />
|-<br />
| 15h30 - 16h00 || ''Coffee Break''<br />
|-<br />
| 16h00 - 17h30 || Training<br />
|}<br />
<br />
<br />
<br />
<br />
<br />
<br><br />
<br />
<div id="VolkertDeBuisonje"></div><br />
<br />
=== Secure Java Development workshop with ESAPI, by Volkert de Buisonjé (Sogeti) ===<br />
''Workshop:''<br><br />
First, attendees will receive a brief introduction on application awareness. Then they will get acquainted with Webgoat, a "deliberately insecure J2EE web application" designed as a practice tool for secure application development and testing. They will learn how to exploit some vulnerabilities in Webgoat, through for instance Cross-Site Scripting (CSS) and Cross-Site Request Forgery (CSRF) attacks. Finally, the ESAPI library will be introduced and the attendees will learn how to apply ESAPI to fix such vulnerabilities in Webgoat's source code.<br><br />
<br><br />
''Prerequisites for this workshop:''<br><br />
* Reasonable knowledge of and experience with Java development<br />
* A laptop running a recent version of Linux, Mac OS X, or Windows<br />
* The most recent version of VirtualBox (4.x) installed<br />
* At least 2GB of RAM<br />
* At least 2GB of disk space<br />
<br><br />
''Bio:''<br><br />
Volkert de Buisonjé is a senior Java developer at Sogeti. He specializes in, and teaches application security courses, both to coworkers and to customers. Knowledge sharing (in both directions) is his passion. Volkert likes making friends and talking a lot. He never shuns a good discussion, and prefers to bring a high amount of interactivity to his classes. :-)<br><br />
<br><br />
<br><br />
<br />
<div id="DinisCruz"></div><br />
=== Advanced O2, by Dinis Cruz (Security Innovation) ===<br />
''Workshop:''<br><br />
The O2 platform represents a new paradigm for how to perform, document and distribute Web Application security reviews. O2 is designed to Automate Security Consultants Knowledge and Workflows and to Allow non-security experts to access and consume Security Knowledge.<br />
<br><br />
''Bio:''<br><br />
Dinis Cruz is a Security Consultant based in London (UK) and specialized in: ASP.NET/J2EE Application Security, Application Security audits and .NET Security Curriculum Development.<br><br />
For the past years Dinis has focused on the field of Static Source Code analysis, from May 2007 to Dec 2009 he worked as a independent consultant for Ounce Labs (bought by IBM in July 2009) where during active security engagements using Ounce's technology he developed the Open Source codebase which now is the foundation of the OWASP O2 Platform.<br><br />
Dinis is currently focused on making the O2 Platform the industry standard for consuming, instrumenting and data-sharing between the multiple WebAppSec tools, the Security consultants and the final developers. Dinis is a also active trainer on .Net security having written and delivered courses for IOActive, Foundstone, Intense School and KPMG (at multiple locations including BlackHat), and has delivered a number of presentations and keynote speeches at multiple OWASP and Security related conferences.<br><br />
At OWASP, Dinis is the leader of the OWASP O2 Platform project<br><br />
<br><br />
<br><br />
<br />
<div id="MartinKnobloch"></div><br />
<br />
=== Essential Web Appplication Security (OWASP Top 10, Webgoat, WebScarab), by Martin Knobloch (PervaSec) ===<br />
''Abstract:''<br><br />
This workshop is an introduction into (web) application security with hands-on labs, using OWASP documentation and tooling.<br />
You will be introduced into the security mindset, discus the OWASP TopTen 2010 and learn basic skills in how to find vulnerabilities in web applications. All tools and documentation are provided during the training.<br><br />
<b>As this is an hands-on workshop, please bring your own laptop!</b> <br><br />
Course structure:<br />
*Introduction OWASP, OWASP tool and documentation<br />
*Security Testing mindset <br />
*1st Lab: OWASP WebGoat / WebScarab <br />
*OWASP Top Ten 2010<br />
*OWASP Testing Guide <br />
*2nd Lab: OWASP WebGoat / WebScarab <br />
*3rd Lab: OWASP Hackademic / ZAP <br />
*Summary and completion <br />
Prerequisites for this workshop:<br />
*Basic understanding of HTTP and web application testing/development<br />
*An open mind<br />
<br><br />
''Bio:''<br><br />
Martin is an independent security consultant and owner of PervaSec (http://www.pervasec.nl). His main working area is (software) security in general, from awareness to implementation. In his daily work, he is responsible for education in application security matters, advise and implementation of application security measures.<br><br />
At OWASP, Martin is member of the Dutch chapter board and chair of the Global Education Committee and contributes to several projects.<br><br />
Martin is a frequent speaker at conferences, universities and hacker spaces.<br />
<br><br />
<br />
<br />
<div id="DanCornell"></div><br />
<br />
=== Building a Software Security Program On Open Source Tools, by Dan Cornell (Denim Group) ===<br />
''Abstract:''<br><br />
Using the Software Assurance Maturity Model (OpenSAMM) as a framework, this course walks through the major components of a comprehensive software security program and highlights open source and other freely-available tools that can be used to help implement the activities involved in such a program. The focus of the course is on providing hands-on demonstrations of the tools with an emphasis on integrating tool results into the overall software security program. Featured tools include: ESAPI, Microsoft Web Protection Library, FindBugs, FxCop, CAT.NET, Brakeman, Agnitio, Arachini, w3af, ZAProxy, ThreadFix as well as other educational resources from OWASP. Attendees should finish the course with a solid understanding of the various components of a comprehensive software security program as well as hands-on experience with a variety of freely-available tools that they can use to implement portions of these programs.<br><br />
<br><br />
''Outline:''<br><br />
* So You Want To Roll Out A Software Security Program?<br />
* The Software Assurance Maturity Model (OpenSAMM)<br />
* ThreadFix: Overview<br />
* Governance: Strategy and Metrics<br />
** ThreadFix: Reporting<br />
* Governance: Policy and Compliance<br />
* Governance: Education and Guidance<br />
** OWASP Development Guide<br />
** OWASP Cheat Sheets<br />
** OWASP Secure Coding Practices<br />
* Construction: Threat Assessment<br />
* Construction: Security Requirements<br />
* Construction: Secure Architecture<br />
** ESAPI overview<br />
** Microsoft Web Protection Library (Anti-XSS) overview<br />
* Verification: Design Review<br />
** Microsoft Threat Analysis and Modeling Tool<br />
* Verification: Code Review<br />
** FindBugs<br />
** FxCop<br />
** CAT.NET<br />
** Brakeman<br />
** Agnitio<br />
* Verification: Security Testing<br />
** Arachni<br />
** w3af<br />
** ZAProxy<br />
* Deployment: Vulnerability Management<br />
** ThreadFix: Defect Tracker Integration<br />
* Deployment: Environment Hardening<br />
** Microsoft Baseline Security Analyzer (MBSA)<br />
* Deployment: Operational Enablement<br />
** mod_security<br />
<br><br />
''Bio:''<br><br />
Dan Cornell has over fifteen years of experience architecting and developing web-based software systems. He leads Denim Group’s security research team in investigating the application of secure coding and development techniques to improve web-based software development methodologies.<br><br />
Dan was the founding coordinator and chairman for the Java Users Group of San Antonio (JUGSA) and currently serves as the OWASP San Antonio chapter leader, member of the OWASP Global Membership Committee and co-lead of the OWASP Open Review Project. Dan has spoken at such international conferences as RSA, OWASP AppSec USA, and OWASP EU Research in Greece.<br><br />
<br><br />
<br />
<br />
<!-- Fifth tab --><br />
<br />
= Conferenceday =<br />
<br />
==== Conferenceday, November 30th ====<br />
<br />
==== Location ====<br />
The conference takes place in auditorium K.06, the registration and catering in the foyer of building 200A (ground floor) (for details, check the {{#switchtablink:Venue|Venue}} tab)<br />
<br />
==== Agenda ==== <br />
{| class="wikitable"<br />
! width="90pt" | Time<br />
! width="130pt" | Speaker !! Topic<br />
|- <br />
| 09h00 - 10h00<br />
| colspan="2" style="text-align: center; background: grey; color: white" | ''Registration''<br />
|- <br />
| 10h00 - 10h15 || OWASP Benelux Organization || Welcome ([https://www.owasp.org/images/a/ad/OWASP_BeNeLux_Day_2012_-_Organization_welcome.ppt PPT])<br />
|-<br />
| 10h15 - 10h30 || Sebastien Deleersnyder || OWASP update ([https://www.owasp.org/images/d/d7/OWASP-Update-BeNeLux-Day-2012_v1.pptx PPT])<br />
|-<br />
| 10h30 - 11h10 || [[#JohnWilander|John Wilander]] || ''' Secure Web Integration Patterns in the Era of HTML5'''<br>''Abstract:'' Quite a few organizations are finding themselves in a legacy situation with their web applications. Over ten years have passed since the era of dynamic HTML and with the rise of HTML5 and mobile platforms there is now need to gradually move these legacy beasts into a new architecture. Additionally, more and more third party services are offered such as maps, tracking, social media tie-ins, video etc. What are the possible and suitable design patterns for bringing new web, old web, and third party web together? Can we isolate them from each other to secure the new apps from legacy and third party security vulnerabilities? We will dig into the postMessage api, the iframe sandbox directive, CORS, and the same-origin policy while comparing it to the previous generation of integration with jsonp and other hacks.<br />
|-<br />
| 11h10 - 11h50 || [[#LievenDesmet|Lieven Desmet]] || '''Sandboxing Javascript''' ([https://www.owasp.org/images/1/10/Sandboxing-Javascript.pdf PDF])<br>''Abstract:'' The inclusion of third-party scripts in web pages is a common practice. A recent study has shown that more than half of the Alexa top 10 000 sites include scripts from more than 5 different origins. However, such script inclusions carry risks, as the included scripts operate with the privileges of the including website.<br><br />
In this talk, we propose JSand, a server-driven but client-side JavaScript sandboxing framework. JSand requires no browser modifications: the sandboxing framework is implemented in JavaScript and is delivered to the browser by the websites that use it. Enforcement is done entirely at the client side: JSand enforces a server-specified policy on included scripts without requiring server-side filtering or rewriting of scripts.<br><br />
Most importantly, JSand is complete: access to all resources is mediated by the sandbox.<br><br />
We describe the design and implementation of JSand, and we show that it is secure, backwards compatible, and that it performs sufficiently well.<br><br />
|-<br />
| 11h50 - 12h30 || [[#ErwinGeirnaert|Erwin Geirnaert]] || '''OWASP Top 10 vs Drupal'''<br>''Abstract:'' Drupal is the most used and well-known open source content management system in the world. Created by Dries Buytaert years ago it has grown with the support of a big community. Drupal 7 is already released and there is an entire ecosystem for Drupal and Drupal web agencies.<br><br />
During this presentation we will discuss the findings of an automated static code analysis of Drupal 6 and Drupal 7 and how Drupal protects against the OWASP Top 10 Application Security Risks. We will explain the security weaknesses that remain when you use Drupal and what you can implement to have a secure cloud server running Drupal.<br><br />
|-<br />
| 12h30 - 13h30<br />
| colspan="2" style="text-align: center;background: grey; color: white" | ''Lunch'' <br />
|-<br />
| 13h30 - 14h10 || [[#AsiaSlowinska|Asia Slowinska]] || '''Body Armor for Binaries'''<br>''Abstract:'' BinArmor is a novel technique to protect existing C binaries from memory corruption attacks on both control data and non-control data. Without access to source code, non-control data attacks cannot be detected with current techniques. Our approach hardens binaries against both kinds of overflow, without requiring the pro- grams’ source or symbol tables. We show that BinArmor is able to stop real attacks—including the recent non- control data attack on Exim. Moreover, we did not in- cur a single false positive in practice. On the downside, the current overhead of BinArmor is high—although no worse than competing technologies like taint analysis that do not catch attacks on non-control data. Specifi- cally, we measured an overhead of 70% for gzip, 16%- 180% for lighttpd, and 190% for the nbench suite.<br />
|-<br />
| 14h10 - 14h50 || [[#MarcHullegieAndKeesMastwijk|Marc Hullegie and Kees Mastwijk]] || '''Forensics'''<br>''Abstract:'' In today’s investigations, forensics has become an important investigative method in fighting and solving (cyber)crimes and irregularities. During the session you will be briefly taken through the landscape of Forensics Basics; the Fraud Triangle and scenario's; What to look for and the appliance of Digital Forensics. What are the Challenges, the required Skills and Expertise and Solutions to these challenges. Specific focus on the Forensics of Web Applications and what you can do the create a more forensic ready system.<br><br />
|-<br />
| 14h50 - 15h30 || [[#DanCornell|Dan Cornell]] || '''Streamlining Application Vulnerability Management: Communication Between Development and Security Teams'''<br>''Abstract:'' Identifying application-level vulnerabilities via scanning, penetration tests and code reviews is only the first step in actually addressing the underlying risk. Managing vulnerabilities for applications is more challenging than dealing with traditional infrastructure-level vulnerabilities because they typically require the coordination of security teams with application development teams. The process also means that security managers need to get time from developers during already-cramped development and release schedules. In addition, fixes require changes to custom application code and application-specific business logic rather than the patches and configuration changes that are often sufficient to address infrastructure-level vulnerabilities. This presentation will illustrate the communication difficulties between security and development teams, and how this usually results in unactionable reports and fewer vulnerabilities remediated. In addition, the presentation will walk through an example workflow of addressing application vulnerabilities as software defects. This will be based on freely-available tools and show specific examples of how vulnerabilities can be grouped together, false positives can be culled out, and vulnerabilities transitioned to software defects, as well as how security managers can monitor and verify progress.<br><br />
|-<br />
| 15h30 - 15h50<br />
| colspan="2" style="text-align: center;background: grey; color: white" | ''Break'' <br />
|-<br />
| 15h50 - 16h30 || [[#RuedigerBachmann|Ruediger Bachmann]] || '''Code review for Large Companies'''<br>''Abstract:''Static source code analysis should be an essential part in the secure software development life cycle (SDLC) to start to minimize the number of potential vulnerabilities already in a very early stage in the software development process.<br><br />
The introduction of static code analysis at a large software manufacturer is a big challenge. In addition to the technical difficulties – based on the sheer number and size of the software projects or the number of different programing languages – there are also non-technical issues like creating new security awareness, trainings to use the provided tools efficiently and integration of analysis processes into the software development and maintenance life cycle.<br><br />
This talk gives an overview of the company-wide introduction of static code analysis at SAP AG.<br />
|-<br />
| 16h30 - 17h10 || [[#DinisCruz|Dinis Cruz]] || '''Making Security Invisible by Becoming the Developer’s Best Friends'''<br>''Abstract:'' Coming soon!<br />
|-<br />
| 17h10 - 17h50 || <br />
* Steven Wierckx<br />
* Luc Beirens<br />
* Jos Dumortier<br />
* Dieter Sarrazyn<br />
* Erwin Geirnaert<br />
* John Wilander<br />
|| '''Panel Discussion about the legal aspects of penetration testing'''<br> ''Abstract:'' In the past couple of years security has become a more visible topic in the media. As a result many companies are asking for security reviews in the form of a penetration test. A lot of entrepreneurs took the opportunity to form teams and/or companies that provide such services. There seems to be a lack of clear (standard) legal documentation to cover these activities both for the penetration tester and the company under review. With this panel discussion we would like to discuss this situation and to see if there is a possibility to have a standard document or framework that can be used as a starting point for companies and professionals to use as a contract. The purpose would be to end up with a (set of) documents similar to the “Testaankoop standard huurcontract”, this is a well-known Belgian contract framework for renting a house where both parties are protected and that is clear to both parties. It can be used without further legal intervention.<br />
|-<br />
| 17h50 - 18h00 || OWASP Benelux 2012 organization || '''Closing Notes'''<br />
|}<br />
<br />
<br><br />
<br><br />
<br />
<div id="AsiaSlowinska"></div><br />
<br />
=== Body Armor for Binaries, by Asia Slowinska (Vrije Universiteit Amsterdam) ===<br />
''Abstract:''<br><br />
BinArmor is a novel technique to protect existing C binaries from memory corruption attacks on both control data and non-control data. Without access to source code, non-control data attacks cannot be detected with current techniques. Our approach hardens binaries against both kinds of overflow, without requiring the pro- grams’ source or symbol tables. We show that BinArmor is able to stop real attacks—including the recent non- control data attack on Exim. Moreover, we did not in- cur a single false positive in practice. On the downside, the current overhead of BinArmor is high—although no worse than competing technologies like taint analysis that do not catch attacks on non-control data. Specifi- cally, we measured an overhead of 70% for gzip, 16%- 180% for lighttpd, and 190% for the nbench suite.<br><br />
<br><br />
''Bio:''<br><br />
I am a postdoctoral researcher in the System and Network Security group at the Vrije Universiteit Amsterdam, under the guidance of Prof. dr. ir. Herbert Bos.<br><br />
I obtained my PhD from the Vrije Universiteit Amsterdam. My dissertation Using information flow tracking to protect legacy binaries was completed under the supervision of Prof. dr. ir. Herbert Bos, while my copromotor was Prof. dr. ir. Henri E. Bal.<br><br />
During my PhD studies, I interned twice with Microsoft Research Cambridge, where I joined the Systems and Performance Group. I also spent few months interning with the Systems and Security Department at Institute for Infocomm Research in Singapore.<br><br />
My research focuses on developing techniques to automatically analyze and reverse engineer complex software that is available only in binary form. Further, I’ve been looking into mechanisms that proactively protect software from malicious activities. Currently, I am involved in a project on Reverse Engineering of binaries, known as Rosetta.<br><br />
<br><br />
<br />
<div id="RuedigerBachmann"></div><br />
=== Code review for Large Companies, by Ruediger Bachmann (SAP) ===<br />
''Abstract:''<br><br />
Static source code analysis should be an essential part in the secure software development life cycle (SDLC) to start to minimize the number of potential vulnerabilities already in a very early stage in the software development process.<br><br />
The introduction of static code analysis at a large software manufacturer is a big challenge. In addition to the technical difficulties – based on the sheer number and size of the software projects or the number of different programing languages – there are also non-technical issues like creating new security awareness, trainings to use the provided tools efficiently and integration of analysis processes into the software development and maintenance life cycle.<br><br />
This talk gives an overview of the company-wide introduction of static code analysis at SAP AG.<br />
<br><br />
''Bio:''<br><br />
After graduating with a degree in mathematics and computer science at the University of Giessen in 1997, Ruediger Bachmann worked at various software companies and IT service providers mainly in software development. Currently he is employed at SAP AG in Germany as a Development Architect in the central code analysis team. There he is focusing on application security and security code scans.<br><br />
<br />
<div id="LievenDesmet"></div><br />
<br />
=== Sandboxing JavaScript, by Lieven Desmet (Research Manager at KU Leuven) ===<br />
''Abstract:''<br><br />
The inclusion of third-party scripts in web pages is a common practice. A recent study has shown that more than half of the Alexa top 10 000 sites include scripts from more than 5 different origins. However, such script inclusions carry risks, as the included scripts operate with the privileges of the including website.<br><br />
In this talk, we propose JSand, a server-driven but client-side JavaScript sandboxing framework. JSand requires no browser modifications: the sandboxing framework is implemented in JavaScript and is delivered to the browser by the websites that use it. Enforcement is done entirely at the client side: JSand enforces a server-specified policy on included scripts without requiring server-side filtering or rewriting of scripts. Most importantly, JSand is complete: access to all resources is mediated by the sandbox.<br><br />
We describe the design and implementation of JSand, and we show that it is secure, backwards compatible, and that it performs sufficiently well.<br><br />
<br><br />
''Bio:''<br><br />
Lieven Desmet is Research Manager on Software Secure at the iMinds-DistriNet Research Group (KU Leuven, Belgium), where he coaches junior researchers in web application security and participates in dissemination and valorization activities. His interests are in security of middleware and web-enabled technologies. Lieven is actively engaged in OWASP and is board member of the OWASP Chapter Belgium.<br><br />
<br><br />
<br><br />
<br />
<div id="ErwinGeirnaert"></div><br />
=== OWASP Top 10 vs Drupal, by Erwin Geirnaert (Zion Security) ===<br />
''Abstract:''<br><br />
Drupal is the most used and well-known open source content management system in the world. Created by Dries Buytaert years ago it has grown with the support of a big community. Drupal 7 is already released and there is an entire ecosystem for Drupal and Drupal web agencies.<br><br />
During this presentation we will discuss the findings of an automated static code analysis of Drupal 6 and Drupal 7 and how Drupal protects against the OWASP Top 10 Application Security Risks. We will explain the security weaknesses that remain when you use Drupal and what you can implement to have a secure cloud server running Drupal.<br><br />
<br><br />
''Bio:''<br><br />
Erwin founded ZION SECURITY in 2005 to help companies to protect against the latest threats, attacks against web applications. ZION SECURITY is nowadays a Belgian market leader in the field of security testing, vulnerability management, penetration testing and banking security. Erwin has more than 10 years of experience in web security, graduating with a Master of Science in Software Development from the University of Ghent. Erwin executes different types of projects for a lot of international software companies, financial institutions, telecom and web agencies. Specialist in executing code reviews in different development languages for critical applications, executing continuous penetration tests of their infrastructure and Internet applications. A specialist in J2EE, PHP, .NET, mobile app and web services security. Erwin architects secure e-business projects for web agencies and software companies. He is a recognized application security expert and speaker at international events like Javapolis, OWASP, Eurostar, LSEC,...<br><br />
<br><br />
<br />
<div id="MarcHullegieAndKeesMastwijk"></div><br />
=== Forensics, by Marc Hullegie and Kees Mastwijk (Vest Information Security) === <br />
''Abstract:''<br><br />
In today’s investigations, forensics has become an important investigative method in fighting and solving (cyber)crimes and irregularities. During the session you will be briefly taken through the landscape of Forensics Basics; the Fraud Triangle and scenario's; What to look for and the appliance of Digital Forensics. What are the Challenges, the required Skills and Expertise and Solutions to these challenges. Specific focus on the Forensics of Web Applications and what you can do the create a more forensic ready system.<br><br />
<br><br />
''Bio:''<br><br />
Marc Hullegie is founder and CEO of Vest Information Security and is widely experienced in the information security business in all types of areas: Security Architecture and Infrastructure, Security Audits and Testing, Security Management, Awareness and Digital Forensics. He presents lectures at (international) conferences and is looking forward to share experiences at the OWASP Benelux days 2012 with you.<br><br />
<br> <br />
''Bio:''<br><br />
Kees Mastwijk is a security consultant working with Vest, acting as Security Auditor, Awareness Program leader and security Manager. He has a long (and ongoing) experience history in Digital Forensic Research.<br><br />
<br><br />
<br />
<div id="JohnWilander"></div><br />
=== Secure Web Integration Patterns in the Era of HTML5, by John Wilander (Svenska Handelbanken) ===<br />
''Abstract:''<br><br />
Quite a few organizations are finding themselves in a legacy situation with their web applications. Over ten years have passed since the era of dynamic HTML and with the rise of HTML5 and mobile platforms there is now need to gradually move these legacy beasts into a new architecture. Additionally, more and more third party services are offered such as maps, tracking, social media tie-ins, video etc. What are the possible and suitable design patterns for bringing new web, old web, and third party web together? Can we isolate them from each other to secure the new apps from legacy and third party security vulnerabilities? We will dig into the postMessage api, the iframe sandbox directive, CORS, and the same-origin policy while comparing it to the previous generation of integration with jsonp and other hacks.<br />
<br><br />
''Bio:''<br><br />
John Wilander is a frontend software developer at Svenska Handelbanken, the second strongest bank in the world according to Bloomberg Markets. He has been researching and working in application security for ten years and is an active leader in OWASP, the Open Web Application Security Project. In 2011 he organized the OWASP Summit Browser Security sessions in Portugal, with participants from the security teams behind Chrome, Firefox, Internet Explorer, Flash, and PayPal. During his years in academia he was elected best computer science teacher twice and nowadays gives 5-10 professional talks per year.<br><br />
<br><br />
<br><br />
<br />
<div id="DanCornell"></div><br />
<br />
=== Streamlining Application Vulnerability Management: Communication Between Development and Security Teams, by Dan Cornell (Denim Group) ===<br />
''Abstract:''<br><br />
Identifying application-level vulnerabilities via scanning, penetration tests and code reviews is only the first step in actually addressing the underlying risk. Managing vulnerabilities for applications is more challenging than dealing with traditional infrastructure-level vulnerabilities because they typically require the coordination of security teams with application development teams. The process also means that security managers need to get time from developers during already-cramped development and release schedules. In addition, fixes require changes to custom application code and application-specific business logic rather than the patches and configuration changes that are often sufficient to address infrastructure-level vulnerabilities. This presentation will illustrate the communication difficulties between security and development teams, and how this usually results in unactionable reports and fewer vulnerabilities remediated. In addition, the presentation will walk through an example workflow of addressing application vulnerabilities as software defects. This will be based on freely-available tools and show specific examples of how vulnerabilities can be grouped together, false positives can be culled out, and vulnerabilities transitioned to software defects, as well as how security managers can monitor and verify progress.<br><br />
<br><br />
''Bio:''<br><br />
''Dan Cornell has over fifteen years of experience architecting and developing web-based software systems. He leads Denim Group’s security research team in investigating the application of secure coding and development techniques to improve web-based software development methodologies.<br><br />
Dan was the founding coordinator and chairman for the Java Users Group of San Antonio (JUGSA) and currently serves as the OWASP San Antonio chapter leader, member of the OWASP Global Membership Committee and co-lead of the OWASP Open Review Project. Dan has spoken at such international conferences as RSA, OWASP AppSec USA, and OWASP EU Research in Greece.''<br><br />
<br><br />
<br><br />
<br />
<div id="DinisCruz"></div><br />
=== Making Security Invisible by Becoming the Developer’s Best Friends, by Dinis Cruz (Security Innovation) ===<br />
''Abstract:''<br><br />
''Coming soon!''<br><br />
<br><br />
''Bio:''<br><br />
Dinis Cruz is a Security Consultant based in London (UK) and specialized in: ASP.NET/J2EE Application Security, Application Security audits and .NET Security Curriculum Development.<br><br />
For the past years Dinis has focused on the field of Static Source Code analysis, from May 2007 to Dec 2009 he worked as a independent consultant for Ounce Labs (bought by IBM in July 2009) where during active security engagements using Ounce's technology he developed the Open Source codebase which now is the foundation of the OWASP O2 Platform.<br><br />
Dinis is currently focused on making the O2 Platform the industry standard for consuming, instrumenting and data-sharing between the multiple WebAppSec tools, the Security consultants and the final developers. Dinis is a also active trainer on .Net security having written and delivered courses for IOActive, Foundstone, Intense School and KPMG (at multiple locations including BlackHat), and has delivered a number of presentations and keynote speeches at multiple OWASP and Security related conferences.<br><br />
At OWASP, Dinis is the leader of the OWASP O2 Platform project<br><br />
<br><br />
<br><br />
<br />
=== Panel discussion about the legal aspects of penetration testing ===<br />
''with Steven Wierckx, Luc Beirens, Jos Dumortier, Dieter Sarrazyn, ...''<br><br><br />
''Abstract:''<br> In the past couple of years security has become a more visible topic in the media. As a result many companies are asking for security reviews in the form of a penetration test. A lot of entrepreneurs took the opportunity to form teams and/or companies that provide such services. There seems to be a lack of clear (standard) legal documentation to cover these activities both for the penetration tester and the company under review. With this panel discussion we would like to discuss this situation and to see if there is a possibility to have a standard document or framework that can be used as a starting point for companies and professionals to use as a contract. The purpose would be to end up with a (set of) documents similar to the “Testaankoop standard huurcontract”, this is a well-known Belgian contract framework for renting a house where both parties are protected and that is clear to both parties. It can be used without further legal intervention.<br><br />
<br><br />
<li>''Bio Steven Wierckx, ps_testware:''<br><br />
Steven Wierckx is currently working as Security Tester for [http://www.pstestware.com/ ps_testware], he specialises in web application security and keeps a security related blog [http://www.ihackforfun.eu/ ihackforfun]. He is also wrting articles and doing technical reviews for PenTest Magazine.<br><br />
<br><br />
<li>''Bio Luc Beirens, FCCU:''<br><br />
Head of Belgian Federal Computer Crime Unit & Chair EU Cybercrime Task Force trying to create partnerships and circumstances for a safer cyberspace.<br><br />
<br><br />
<li>''Bio Jos Dumortier, ICRI:''<br><br />
Jos Dumortier is Professor of ICT Law at the University of Leuven (Belgium) and the Director of the Interdisciplinary Research Centre for ICT and Law (ICRI) (www.icri.be). With his research team he participates in a series of R & D projects in the domain of telemedicine.<br><br />
He is also a member of the Bar of Brussels and partner in “time.lex”, a law firm specialized in information and technology law (www.timelex.eu).<br><br />
He participates in the boards of several national and international scientific and business associations and is a member of various editorial and program committees. <br><br />
He is the editor of the International Encyclopedia of Cyber Law and the author of more than one hundred books and articles on legal issues related to the information society.<br><br />
Jos Dumortier has taken the lead in a large number of European studies and projects in the area of information security, privacy and identity management. He worked on an assignment of the European Commission (DG INFSO) for a study on the legal obstacles for interoperable eHealth in Europe and on several studies for the Flemish government related to the implementation of a regional eHealth platform. He is also a member of the Flemish data protection supervisory authority for the health sector.<br><br />
<br><br />
<li>''Bio Dieter Sarrazyn, PWC:''<br><br />
Dieter is a senior manager and consultant within PwC and a team leader for Risk Management assessment services. His main focus is in performing penetration tests (external as well as internal), performing security audits, creating and evaluating security architectures,and creating and setting up vulnerability management frameworks & tools. He is a Certified Information Systems Security Professional (CISSP), a Certified Intrusion Analyst (GCIA), a Certified Incident Handling Analyst (GCIH), a Certified Intrusion Analyst (GCIA) a GIAC Systems and Network Auditor (GSNA). Dieter is also SANS Local Mentor and SANS Community Teacher<br><br />
<br><br />
<br><br />
<br />
<!-- Sixth tab --><br />
<br />
= Social Event =<br />
<br />
==== Social Event, November 29th ====<br />
<br />
==== <B>Important Update</B> ====<br />
The brewery visit is limit to 60 people. Therefor, the 60 first registered people that indicated interest in the social event have been invited to participate. Any remaining tickets will be offered on Thursday around noon at the registration desk.<br />
<br />
If you are going by car, there are paid parkings under the Railway station and at Kinepolis (follow the parking signs). If you want to go there from the venue without car, the best way to get there is to take bus No.2 that leaves next to the building and drives to the Railway station. From there, it is a 300 m. walk to the brewery.<br />
<br />
All other people (and the people of the brewery tour after that has finished) are warmly invited to join us in the Downtown Jack, a pub with a number of pool and snooker tables. 5 pool tables have been exclusively reserved for us from 20h00 onwards. You can also have a drink and eat something there if you like.<br />
<br />
The address: Parkstraat 40, 3000 Leuven (see http://www.downtownjack.be/)<br />
<br />
==== <B>Brewery Visit Information</B> ====<br />
The social event will take place at the InBev Brewery in Leuven, where there will be a guided tour and a beer tasting.<br><br />
Unfortunately, the tour is limited to 60 people. Since we have more registered people than places, we will soon announce how we will<br />
proceed.<br><br />
If you decide not to join, please inform the Benelux organisation, other participants will be happy to join.<br><br />
<br><br />
'''The entrance fee for the tour is 10 EUR'''. <br><br />
This amount will have to be paid to the Benelux organisation at the registration desk or upon entry in cash (please use correct notes).<br><br />
<br><br />
Below is the address where the event takes place. You can take your car, bus number 2 or a taxi to reach this.<br> '''The tour starts at 19h30 sharp'''.<br><br />
<br><br />
'''Address:''' <br><br />
Vuurkruisenlaan z/n <br><br />
3000 Leuven<br><br />
<br><br />
'''From the station:'''<br><br />
Take the street 'Diestepoort' (this street is parrallel with the railway behind the building)and walk straight through. You can see the brewery at the end of the street.<br><br />
'''By car:'''<br><br />
From the street diestesteenweg or beckeremieplein head to the railroadbridge. At the crossroad take first right, this is the entrance of the brewery. from the expressway R23 head to the Hotel ''NOVOTEL''. Take the street left from ''NOVOTEL'', this is the ''vuurkruisenlaan''. On your left side you can see the brewery. At the<br />
next crossroad take the first left, this is the entrance of the brewery.<br><br />
<br><br />
'''ENTRANCE BREWERY:'''<br><br />
is also the entrance for the trucks, next to the railroadbridge.<br><br />
We will meet at the entrance at 19h30 where the tour will start.<br><br><br />
<br />
<br />
<!-- Seventh tab --><br />
<br />
= CTF =<br />
<br />
==== Capture the Flag! ====<br />
<br />
* Do you like puzzles? <br />
* Do you like challenges? <br />
* Are you a hacker?<br />
<br />
Whether you are an experienced hacker or new enthusiast you should come to OWASP BeNeLux 2012 and participate in the Capture the Flag event November 30th 2012. <br />
<br />
The OWASP CTF is especially designed to support challengers of all skill levels. The CTF contains multiple challenges in various fields related to application security. As every challenge gains you one point, you can pick and choose which challenge you want to play.<br />
<br />
All you need is a laptop with a wifi card and your favorite (preferably) non-commercial tools. <br />
<br />
So come, show off your skills, learn new tricks and above all have a good time at the CTF event. <br />
<br />
<br />
<!-- Eighth tab --><br />
<br />
= Sponsor =<br />
<br />
==== Become a sponsor of OWASP BeNeLux ====<br />
<br />
==== Donate to OWASP BeNeLux ====<br />
<br />
<paypal>BeNeLux OWASP Day 2012</paypal> <br />
<br />
<br />
==== Promotion ====<br />
''Feel free to use the text below to promote our event!''<br />
<br />
We invite you to our next OWASP event: the '''BeNeLux OWASP Days 2012!'''<br />
<br />
Free your agenda on the 29th and 30th of November, 2012.<br />
<br />
The good news: free! No fee!<br />
<br />
The bad news: there are only 280 seats available (first register, first serve)!<br />
<br />
<br />
<!-- Don't remove these two lines! --><br />
__NOTOC__ <br />
<headertabs/><br />
<br />
<br />
==== Hosted and co-organized by: ====<br />
<br />
[http://distrinet.cs.kuleuven.be https://www.owasp.org/images/4/4a/Logo_distrinet.png]<br />
[http://www.nessos-project.eu/ https://www.owasp.org/images/5/52/Nessos.png]<br />
<br />
==== Made possible by our {{#switchtablink:Sponsor|Sponsors}}====<br />
<br />
==== OWASP Member Sponsor: ====<br />
{{MemberLinks|link=http://www.pwc.com/|logo=PWC_log_resized.png}} <br />
<br />
==== OWASP BeNeLux 2013 Sponsors: ====<br />
[http://www.madisongurkha.nl https://www.owasp.org/images/6/6e/Madison-gurkha-logo.jpg]<br />
[http://www.sogeti.nl https://www.owasp.org/images/9/94/Sogeti_logo.png]<br />
[http://www.vest.nl https://www.owasp.org/images/1/1d/Logo_Vest_BIG_170.gif]<br />
<br><br />
[http://www.iminds.be https://www.owasp.org/images/thumb/a/a1/Iminds-logo.png/200px-Iminds-logo.png]<br />
[http://www.zionsecurity.com https://www.owasp.org/images/e/e6/Zionsecurity.jpg]<br />
[http://on2it.net https://www.owasp.org/images/3/3d/On2it-sponsor.png]<br />
<br><br />
<br />
<br />
[[Category:OWASP_AppSec_Conference]] [[Category:OWASP_BeNeLux_Archives]]</div>Favroomhttps://wiki.owasp.org/index.php?title=BeNeLux_OWASP_Day_2013&diff=154429BeNeLux OWASP Day 20132013-06-25T20:03:27Z<p>Favroom: /* Tweet! */</p>
<hr />
<div><center>[[Image:owaspbnl12header.jpg]]<br></center><br />
<br><!-- Header --><br />
<br />
<br />
<!-- First tab --><br />
= Welcome =<br />
<br />
=== Welcome to OWASP BeNeLux 2013 ===<br />
<br />
==== News ====<br />
* <br />
* <br />
<br><br />
<br />
==== Confirmed trainers for Trainingday ====<br />
{{#switchtablink:Trainingday| <p><br />
* <br />
* <br />
* <br />
* <br />
}}<br />
<br><br />
<br />
==== Confirmed speakers Conferenceday ====<br />
{{#switchtablink:Conferenceday| <p><br />
* <br><br />
* <br><br />
* <br><br />
* <br><br />
* <br><br />
* <br><br />
* <br><br />
* <Br><br />
* <br><br />
}}<br />
<br><br />
<br />
==== The OWASP BeNeLux Program Committee ====<br />
*Bart De Win / Sebastien Deleersnyder/ Lieven Desmet/ David Mathy, OWASP Belgium<br />
*Martin Knobloch / Ferdinand Vroom, OWASP Netherlands<br />
*Jocelyn Aubert / Andre Adelsbach/ Thierry Zoller, OWASP Luxembourg<br />
<br><br />
<br />
=== Tweet! ===<br />
Event tag is [http://twitter.com/#search?q=%23owaspbnl13 #owaspbnl13]<br />
<br><br><br />
==== Donate to OWASP BeNeLux ====<br />
<paypal>BeNeLux OWASP Day 2013</paypal><br />
<br />
<!-- Second tab --><br />
<br />
= Registration =<br />
<br />
==== OWASP BeNeLux training day and conference are free! ==== <br />
<br />
=== Registration is open: ===<br />
<br />
[http://owaspbenelux2012.eventbrite.com/ http://www.owasp.org/images/7/77/Buttoncreate.png]<br />
<br />
<br><br />
To support the OWASP organisation, consider to become a member, it's only US$50!<br />
<br> <br />
Check out the [[Membership]] page to find out more. <br />
<br><br />
<br />
<br />
<!-- Third tab --><br />
= Venue =<br />
<br />
=== Venue is the iMinds-DistriNet Research Group @ KU Leuven ===<br />
<br />
''Celestijnenlaan, 200A<br><br />
3001 Heverlee<br><br />
Belgium<br>''<br />
<br><br />
<br />
<br>'''Parking & roadmap''':<br />
<br />
There is a public parking close to the conference venue.<br />
<br />
Roadmap and parking: http://distrinet.cs.kuleuven.be/about/route/<br />
<br />
<br />
<br>'''Hotels nearby''': <br> <br />
Board house (close to the venue)<br> http://www.boardhouse.be<br><br />
The lodge (close to the venue)<br> http://www.booking.com/hotel/be/the-lodge-heverlee.en.html<br><br />
Begijnhof Congres Hotel (1 km from the venue)<br> http://www.bchotel.be/<br><br />
La Royale (2 km from the venue)<br> http://www.laroyale.be<br> <br />
Hotel Ibis (2 km from the venue)<br> http://www.accorhotels.com/gb/hotel-1457-ibis-leuven-centrum/index.shtml<br> <br />
Mercure (2 km from the venue) <br> http://www.mercure.com/gb/hotel-7862-hotel-mercure-leuven-center/index.shtml<br> <br />
New Damshire (2 km from the venue)<br> http://www.hotelnewdamshire.be<br> <br />
<br />
<br />
<!-- Fourth tab --><br />
<br />
= Trainingday =<br />
<br />
==== Trainingday, November 29th ====<br />
<br />
==== Location ====<br />
The training room is: <br />
''Celestijnenlaan, 200A, fifth floor<br><br />
3001 Heverlee<br><br />
Belgium<br>''<br />
<br><br />
<br />
(for details, check the {{#switchtablink:Venue|Venue}} tab)<br />
<br />
==== Agenda ==== <br />
{| class="wikitable"<br />
! Time !! Description !! Room 1 !! Room 2 !! Room 3 !! Room 4<br />
|-<br />
| 08h30 - 9h30<br />
| colspan="5" style="text-align: center; background: grey; color: white;" | ''Registration''<br />
|-<br />
| 09h30 - 11h00 || Training<br />
| rowspan="7" style="width:100px;" | [[#DinisCruz|Advanced O2, by Dinis Cruz <br/><br/> Room 04.112]]<br />
| rowspan="7" style="width:100px;" | [[#DanCornell|SDLC with Open Source tools, by Dan Cornell <br/><br/> Room 05.128]]<br />
| rowspan="7" style="width:100px;" | [[#VolkertDeBuisonje|Secure Java Development with ESAPI (hands-on), by Volkert de Buisonjé <br/><br/> Room 05.152]]<br />
| rowspan="7" style="width:100px;" | [[#MartinKnobloch|Essential Web Appplication Security (OWASP Top 10, Webgoat, WebScarab), by Martin Knobloch <br/><br/> Room 05.001]]<br />
|-<br />
| 11h00 - 11h30 || ''Coffee Break''<br />
|-<br />
| 11h30 - 13h00 || Training<br />
|-<br />
| 13h00 - 14h00 || ''Lunch''<br />
|-<br />
| 14h00 - 15h30 || Training<br />
|-<br />
| 15h30 - 16h00 || ''Coffee Break''<br />
|-<br />
| 16h00 - 17h30 || Training<br />
|}<br />
<br />
<br />
<br />
<br />
<br />
<br><br />
<br />
<div id="VolkertDeBuisonje"></div><br />
<br />
=== Secure Java Development workshop with ESAPI, by Volkert de Buisonjé (Sogeti) ===<br />
''Workshop:''<br><br />
First, attendees will receive a brief introduction on application awareness. Then they will get acquainted with Webgoat, a "deliberately insecure J2EE web application" designed as a practice tool for secure application development and testing. They will learn how to exploit some vulnerabilities in Webgoat, through for instance Cross-Site Scripting (CSS) and Cross-Site Request Forgery (CSRF) attacks. Finally, the ESAPI library will be introduced and the attendees will learn how to apply ESAPI to fix such vulnerabilities in Webgoat's source code.<br><br />
<br><br />
''Prerequisites for this workshop:''<br><br />
* Reasonable knowledge of and experience with Java development<br />
* A laptop running a recent version of Linux, Mac OS X, or Windows<br />
* The most recent version of VirtualBox (4.x) installed<br />
* At least 2GB of RAM<br />
* At least 2GB of disk space<br />
<br><br />
''Bio:''<br><br />
Volkert de Buisonjé is a senior Java developer at Sogeti. He specializes in, and teaches application security courses, both to coworkers and to customers. Knowledge sharing (in both directions) is his passion. Volkert likes making friends and talking a lot. He never shuns a good discussion, and prefers to bring a high amount of interactivity to his classes. :-)<br><br />
<br><br />
<br><br />
<br />
<div id="DinisCruz"></div><br />
=== Advanced O2, by Dinis Cruz (Security Innovation) ===<br />
''Workshop:''<br><br />
The O2 platform represents a new paradigm for how to perform, document and distribute Web Application security reviews. O2 is designed to Automate Security Consultants Knowledge and Workflows and to Allow non-security experts to access and consume Security Knowledge.<br />
<br><br />
''Bio:''<br><br />
Dinis Cruz is a Security Consultant based in London (UK) and specialized in: ASP.NET/J2EE Application Security, Application Security audits and .NET Security Curriculum Development.<br><br />
For the past years Dinis has focused on the field of Static Source Code analysis, from May 2007 to Dec 2009 he worked as a independent consultant for Ounce Labs (bought by IBM in July 2009) where during active security engagements using Ounce's technology he developed the Open Source codebase which now is the foundation of the OWASP O2 Platform.<br><br />
Dinis is currently focused on making the O2 Platform the industry standard for consuming, instrumenting and data-sharing between the multiple WebAppSec tools, the Security consultants and the final developers. Dinis is a also active trainer on .Net security having written and delivered courses for IOActive, Foundstone, Intense School and KPMG (at multiple locations including BlackHat), and has delivered a number of presentations and keynote speeches at multiple OWASP and Security related conferences.<br><br />
At OWASP, Dinis is the leader of the OWASP O2 Platform project<br><br />
<br><br />
<br><br />
<br />
<div id="MartinKnobloch"></div><br />
<br />
=== Essential Web Appplication Security (OWASP Top 10, Webgoat, WebScarab), by Martin Knobloch (PervaSec) ===<br />
''Abstract:''<br><br />
This workshop is an introduction into (web) application security with hands-on labs, using OWASP documentation and tooling.<br />
You will be introduced into the security mindset, discus the OWASP TopTen 2010 and learn basic skills in how to find vulnerabilities in web applications. All tools and documentation are provided during the training.<br><br />
<b>As this is an hands-on workshop, please bring your own laptop!</b> <br><br />
Course structure:<br />
*Introduction OWASP, OWASP tool and documentation<br />
*Security Testing mindset <br />
*1st Lab: OWASP WebGoat / WebScarab <br />
*OWASP Top Ten 2010<br />
*OWASP Testing Guide <br />
*2nd Lab: OWASP WebGoat / WebScarab <br />
*3rd Lab: OWASP Hackademic / ZAP <br />
*Summary and completion <br />
Prerequisites for this workshop:<br />
*Basic understanding of HTTP and web application testing/development<br />
*An open mind<br />
<br><br />
''Bio:''<br><br />
Martin is an independent security consultant and owner of PervaSec (http://www.pervasec.nl). His main working area is (software) security in general, from awareness to implementation. In his daily work, he is responsible for education in application security matters, advise and implementation of application security measures.<br><br />
At OWASP, Martin is member of the Dutch chapter board and chair of the Global Education Committee and contributes to several projects.<br><br />
Martin is a frequent speaker at conferences, universities and hacker spaces.<br />
<br><br />
<br />
<br />
<div id="DanCornell"></div><br />
<br />
=== Building a Software Security Program On Open Source Tools, by Dan Cornell (Denim Group) ===<br />
''Abstract:''<br><br />
Using the Software Assurance Maturity Model (OpenSAMM) as a framework, this course walks through the major components of a comprehensive software security program and highlights open source and other freely-available tools that can be used to help implement the activities involved in such a program. The focus of the course is on providing hands-on demonstrations of the tools with an emphasis on integrating tool results into the overall software security program. Featured tools include: ESAPI, Microsoft Web Protection Library, FindBugs, FxCop, CAT.NET, Brakeman, Agnitio, Arachini, w3af, ZAProxy, ThreadFix as well as other educational resources from OWASP. Attendees should finish the course with a solid understanding of the various components of a comprehensive software security program as well as hands-on experience with a variety of freely-available tools that they can use to implement portions of these programs.<br><br />
<br><br />
''Outline:''<br><br />
* So You Want To Roll Out A Software Security Program?<br />
* The Software Assurance Maturity Model (OpenSAMM)<br />
* ThreadFix: Overview<br />
* Governance: Strategy and Metrics<br />
** ThreadFix: Reporting<br />
* Governance: Policy and Compliance<br />
* Governance: Education and Guidance<br />
** OWASP Development Guide<br />
** OWASP Cheat Sheets<br />
** OWASP Secure Coding Practices<br />
* Construction: Threat Assessment<br />
* Construction: Security Requirements<br />
* Construction: Secure Architecture<br />
** ESAPI overview<br />
** Microsoft Web Protection Library (Anti-XSS) overview<br />
* Verification: Design Review<br />
** Microsoft Threat Analysis and Modeling Tool<br />
* Verification: Code Review<br />
** FindBugs<br />
** FxCop<br />
** CAT.NET<br />
** Brakeman<br />
** Agnitio<br />
* Verification: Security Testing<br />
** Arachni<br />
** w3af<br />
** ZAProxy<br />
* Deployment: Vulnerability Management<br />
** ThreadFix: Defect Tracker Integration<br />
* Deployment: Environment Hardening<br />
** Microsoft Baseline Security Analyzer (MBSA)<br />
* Deployment: Operational Enablement<br />
** mod_security<br />
<br><br />
''Bio:''<br><br />
Dan Cornell has over fifteen years of experience architecting and developing web-based software systems. He leads Denim Group’s security research team in investigating the application of secure coding and development techniques to improve web-based software development methodologies.<br><br />
Dan was the founding coordinator and chairman for the Java Users Group of San Antonio (JUGSA) and currently serves as the OWASP San Antonio chapter leader, member of the OWASP Global Membership Committee and co-lead of the OWASP Open Review Project. Dan has spoken at such international conferences as RSA, OWASP AppSec USA, and OWASP EU Research in Greece.<br><br />
<br><br />
<br />
<br />
<!-- Fifth tab --><br />
<br />
= Conferenceday =<br />
<br />
==== Conferenceday, November 30th ====<br />
<br />
==== Location ====<br />
The conference takes place in auditorium K.06, the registration and catering in the foyer of building 200A (ground floor) (for details, check the {{#switchtablink:Venue|Venue}} tab)<br />
<br />
==== Agenda ==== <br />
{| class="wikitable"<br />
! width="90pt" | Time<br />
! width="130pt" | Speaker !! Topic<br />
|- <br />
| 09h00 - 10h00<br />
| colspan="2" style="text-align: center; background: grey; color: white" | ''Registration''<br />
|- <br />
| 10h00 - 10h15 || OWASP Benelux Organization || Welcome ([https://www.owasp.org/images/a/ad/OWASP_BeNeLux_Day_2012_-_Organization_welcome.ppt PPT])<br />
|-<br />
| 10h15 - 10h30 || Sebastien Deleersnyder || OWASP update ([https://www.owasp.org/images/d/d7/OWASP-Update-BeNeLux-Day-2012_v1.pptx PPT])<br />
|-<br />
| 10h30 - 11h10 || [[#JohnWilander|John Wilander]] || ''' Secure Web Integration Patterns in the Era of HTML5'''<br>''Abstract:'' Quite a few organizations are finding themselves in a legacy situation with their web applications. Over ten years have passed since the era of dynamic HTML and with the rise of HTML5 and mobile platforms there is now need to gradually move these legacy beasts into a new architecture. Additionally, more and more third party services are offered such as maps, tracking, social media tie-ins, video etc. What are the possible and suitable design patterns for bringing new web, old web, and third party web together? Can we isolate them from each other to secure the new apps from legacy and third party security vulnerabilities? We will dig into the postMessage api, the iframe sandbox directive, CORS, and the same-origin policy while comparing it to the previous generation of integration with jsonp and other hacks.<br />
|-<br />
| 11h10 - 11h50 || [[#LievenDesmet|Lieven Desmet]] || '''Sandboxing Javascript''' ([https://www.owasp.org/images/1/10/Sandboxing-Javascript.pdf PDF])<br>''Abstract:'' The inclusion of third-party scripts in web pages is a common practice. A recent study has shown that more than half of the Alexa top 10 000 sites include scripts from more than 5 different origins. However, such script inclusions carry risks, as the included scripts operate with the privileges of the including website.<br><br />
In this talk, we propose JSand, a server-driven but client-side JavaScript sandboxing framework. JSand requires no browser modifications: the sandboxing framework is implemented in JavaScript and is delivered to the browser by the websites that use it. Enforcement is done entirely at the client side: JSand enforces a server-specified policy on included scripts without requiring server-side filtering or rewriting of scripts.<br><br />
Most importantly, JSand is complete: access to all resources is mediated by the sandbox.<br><br />
We describe the design and implementation of JSand, and we show that it is secure, backwards compatible, and that it performs sufficiently well.<br><br />
|-<br />
| 11h50 - 12h30 || [[#ErwinGeirnaert|Erwin Geirnaert]] || '''OWASP Top 10 vs Drupal'''<br>''Abstract:'' Drupal is the most used and well-known open source content management system in the world. Created by Dries Buytaert years ago it has grown with the support of a big community. Drupal 7 is already released and there is an entire ecosystem for Drupal and Drupal web agencies.<br><br />
During this presentation we will discuss the findings of an automated static code analysis of Drupal 6 and Drupal 7 and how Drupal protects against the OWASP Top 10 Application Security Risks. We will explain the security weaknesses that remain when you use Drupal and what you can implement to have a secure cloud server running Drupal.<br><br />
|-<br />
| 12h30 - 13h30<br />
| colspan="2" style="text-align: center;background: grey; color: white" | ''Lunch'' <br />
|-<br />
| 13h30 - 14h10 || [[#AsiaSlowinska|Asia Slowinska]] || '''Body Armor for Binaries'''<br>''Abstract:'' BinArmor is a novel technique to protect existing C binaries from memory corruption attacks on both control data and non-control data. Without access to source code, non-control data attacks cannot be detected with current techniques. Our approach hardens binaries against both kinds of overflow, without requiring the pro- grams’ source or symbol tables. We show that BinArmor is able to stop real attacks—including the recent non- control data attack on Exim. Moreover, we did not in- cur a single false positive in practice. On the downside, the current overhead of BinArmor is high—although no worse than competing technologies like taint analysis that do not catch attacks on non-control data. Specifi- cally, we measured an overhead of 70% for gzip, 16%- 180% for lighttpd, and 190% for the nbench suite.<br />
|-<br />
| 14h10 - 14h50 || [[#MarcHullegieAndKeesMastwijk|Marc Hullegie and Kees Mastwijk]] || '''Forensics'''<br>''Abstract:'' In today’s investigations, forensics has become an important investigative method in fighting and solving (cyber)crimes and irregularities. During the session you will be briefly taken through the landscape of Forensics Basics; the Fraud Triangle and scenario's; What to look for and the appliance of Digital Forensics. What are the Challenges, the required Skills and Expertise and Solutions to these challenges. Specific focus on the Forensics of Web Applications and what you can do the create a more forensic ready system.<br><br />
|-<br />
| 14h50 - 15h30 || [[#DanCornell|Dan Cornell]] || '''Streamlining Application Vulnerability Management: Communication Between Development and Security Teams'''<br>''Abstract:'' Identifying application-level vulnerabilities via scanning, penetration tests and code reviews is only the first step in actually addressing the underlying risk. Managing vulnerabilities for applications is more challenging than dealing with traditional infrastructure-level vulnerabilities because they typically require the coordination of security teams with application development teams. The process also means that security managers need to get time from developers during already-cramped development and release schedules. In addition, fixes require changes to custom application code and application-specific business logic rather than the patches and configuration changes that are often sufficient to address infrastructure-level vulnerabilities. This presentation will illustrate the communication difficulties between security and development teams, and how this usually results in unactionable reports and fewer vulnerabilities remediated. In addition, the presentation will walk through an example workflow of addressing application vulnerabilities as software defects. This will be based on freely-available tools and show specific examples of how vulnerabilities can be grouped together, false positives can be culled out, and vulnerabilities transitioned to software defects, as well as how security managers can monitor and verify progress.<br><br />
|-<br />
| 15h30 - 15h50<br />
| colspan="2" style="text-align: center;background: grey; color: white" | ''Break'' <br />
|-<br />
| 15h50 - 16h30 || [[#RuedigerBachmann|Ruediger Bachmann]] || '''Code review for Large Companies'''<br>''Abstract:''Static source code analysis should be an essential part in the secure software development life cycle (SDLC) to start to minimize the number of potential vulnerabilities already in a very early stage in the software development process.<br><br />
The introduction of static code analysis at a large software manufacturer is a big challenge. In addition to the technical difficulties – based on the sheer number and size of the software projects or the number of different programing languages – there are also non-technical issues like creating new security awareness, trainings to use the provided tools efficiently and integration of analysis processes into the software development and maintenance life cycle.<br><br />
This talk gives an overview of the company-wide introduction of static code analysis at SAP AG.<br />
|-<br />
| 16h30 - 17h10 || [[#DinisCruz|Dinis Cruz]] || '''Making Security Invisible by Becoming the Developer’s Best Friends'''<br>''Abstract:'' Coming soon!<br />
|-<br />
| 17h10 - 17h50 || <br />
* Steven Wierckx<br />
* Luc Beirens<br />
* Jos Dumortier<br />
* Dieter Sarrazyn<br />
* Erwin Geirnaert<br />
* John Wilander<br />
|| '''Panel Discussion about the legal aspects of penetration testing'''<br> ''Abstract:'' In the past couple of years security has become a more visible topic in the media. As a result many companies are asking for security reviews in the form of a penetration test. A lot of entrepreneurs took the opportunity to form teams and/or companies that provide such services. There seems to be a lack of clear (standard) legal documentation to cover these activities both for the penetration tester and the company under review. With this panel discussion we would like to discuss this situation and to see if there is a possibility to have a standard document or framework that can be used as a starting point for companies and professionals to use as a contract. The purpose would be to end up with a (set of) documents similar to the “Testaankoop standard huurcontract”, this is a well-known Belgian contract framework for renting a house where both parties are protected and that is clear to both parties. It can be used without further legal intervention.<br />
|-<br />
| 17h50 - 18h00 || OWASP Benelux 2012 organization || '''Closing Notes'''<br />
|}<br />
<br />
<br><br />
<br><br />
<br />
<div id="AsiaSlowinska"></div><br />
<br />
=== Body Armor for Binaries, by Asia Slowinska (Vrije Universiteit Amsterdam) ===<br />
''Abstract:''<br><br />
BinArmor is a novel technique to protect existing C binaries from memory corruption attacks on both control data and non-control data. Without access to source code, non-control data attacks cannot be detected with current techniques. Our approach hardens binaries against both kinds of overflow, without requiring the pro- grams’ source or symbol tables. We show that BinArmor is able to stop real attacks—including the recent non- control data attack on Exim. Moreover, we did not in- cur a single false positive in practice. On the downside, the current overhead of BinArmor is high—although no worse than competing technologies like taint analysis that do not catch attacks on non-control data. Specifi- cally, we measured an overhead of 70% for gzip, 16%- 180% for lighttpd, and 190% for the nbench suite.<br><br />
<br><br />
''Bio:''<br><br />
I am a postdoctoral researcher in the System and Network Security group at the Vrije Universiteit Amsterdam, under the guidance of Prof. dr. ir. Herbert Bos.<br><br />
I obtained my PhD from the Vrije Universiteit Amsterdam. My dissertation Using information flow tracking to protect legacy binaries was completed under the supervision of Prof. dr. ir. Herbert Bos, while my copromotor was Prof. dr. ir. Henri E. Bal.<br><br />
During my PhD studies, I interned twice with Microsoft Research Cambridge, where I joined the Systems and Performance Group. I also spent few months interning with the Systems and Security Department at Institute for Infocomm Research in Singapore.<br><br />
My research focuses on developing techniques to automatically analyze and reverse engineer complex software that is available only in binary form. Further, I’ve been looking into mechanisms that proactively protect software from malicious activities. Currently, I am involved in a project on Reverse Engineering of binaries, known as Rosetta.<br><br />
<br><br />
<br />
<div id="RuedigerBachmann"></div><br />
=== Code review for Large Companies, by Ruediger Bachmann (SAP) ===<br />
''Abstract:''<br><br />
Static source code analysis should be an essential part in the secure software development life cycle (SDLC) to start to minimize the number of potential vulnerabilities already in a very early stage in the software development process.<br><br />
The introduction of static code analysis at a large software manufacturer is a big challenge. In addition to the technical difficulties – based on the sheer number and size of the software projects or the number of different programing languages – there are also non-technical issues like creating new security awareness, trainings to use the provided tools efficiently and integration of analysis processes into the software development and maintenance life cycle.<br><br />
This talk gives an overview of the company-wide introduction of static code analysis at SAP AG.<br />
<br><br />
''Bio:''<br><br />
After graduating with a degree in mathematics and computer science at the University of Giessen in 1997, Ruediger Bachmann worked at various software companies and IT service providers mainly in software development. Currently he is employed at SAP AG in Germany as a Development Architect in the central code analysis team. There he is focusing on application security and security code scans.<br><br />
<br />
<div id="LievenDesmet"></div><br />
<br />
=== Sandboxing JavaScript, by Lieven Desmet (Research Manager at KU Leuven) ===<br />
''Abstract:''<br><br />
The inclusion of third-party scripts in web pages is a common practice. A recent study has shown that more than half of the Alexa top 10 000 sites include scripts from more than 5 different origins. However, such script inclusions carry risks, as the included scripts operate with the privileges of the including website.<br><br />
In this talk, we propose JSand, a server-driven but client-side JavaScript sandboxing framework. JSand requires no browser modifications: the sandboxing framework is implemented in JavaScript and is delivered to the browser by the websites that use it. Enforcement is done entirely at the client side: JSand enforces a server-specified policy on included scripts without requiring server-side filtering or rewriting of scripts. Most importantly, JSand is complete: access to all resources is mediated by the sandbox.<br><br />
We describe the design and implementation of JSand, and we show that it is secure, backwards compatible, and that it performs sufficiently well.<br><br />
<br><br />
''Bio:''<br><br />
Lieven Desmet is Research Manager on Software Secure at the iMinds-DistriNet Research Group (KU Leuven, Belgium), where he coaches junior researchers in web application security and participates in dissemination and valorization activities. His interests are in security of middleware and web-enabled technologies. Lieven is actively engaged in OWASP and is board member of the OWASP Chapter Belgium.<br><br />
<br><br />
<br><br />
<br />
<div id="ErwinGeirnaert"></div><br />
=== OWASP Top 10 vs Drupal, by Erwin Geirnaert (Zion Security) ===<br />
''Abstract:''<br><br />
Drupal is the most used and well-known open source content management system in the world. Created by Dries Buytaert years ago it has grown with the support of a big community. Drupal 7 is already released and there is an entire ecosystem for Drupal and Drupal web agencies.<br><br />
During this presentation we will discuss the findings of an automated static code analysis of Drupal 6 and Drupal 7 and how Drupal protects against the OWASP Top 10 Application Security Risks. We will explain the security weaknesses that remain when you use Drupal and what you can implement to have a secure cloud server running Drupal.<br><br />
<br><br />
''Bio:''<br><br />
Erwin founded ZION SECURITY in 2005 to help companies to protect against the latest threats, attacks against web applications. ZION SECURITY is nowadays a Belgian market leader in the field of security testing, vulnerability management, penetration testing and banking security. Erwin has more than 10 years of experience in web security, graduating with a Master of Science in Software Development from the University of Ghent. Erwin executes different types of projects for a lot of international software companies, financial institutions, telecom and web agencies. Specialist in executing code reviews in different development languages for critical applications, executing continuous penetration tests of their infrastructure and Internet applications. A specialist in J2EE, PHP, .NET, mobile app and web services security. Erwin architects secure e-business projects for web agencies and software companies. He is a recognized application security expert and speaker at international events like Javapolis, OWASP, Eurostar, LSEC,...<br><br />
<br><br />
<br />
<div id="MarcHullegieAndKeesMastwijk"></div><br />
=== Forensics, by Marc Hullegie and Kees Mastwijk (Vest Information Security) === <br />
''Abstract:''<br><br />
In today’s investigations, forensics has become an important investigative method in fighting and solving (cyber)crimes and irregularities. During the session you will be briefly taken through the landscape of Forensics Basics; the Fraud Triangle and scenario's; What to look for and the appliance of Digital Forensics. What are the Challenges, the required Skills and Expertise and Solutions to these challenges. Specific focus on the Forensics of Web Applications and what you can do the create a more forensic ready system.<br><br />
<br><br />
''Bio:''<br><br />
Marc Hullegie is founder and CEO of Vest Information Security and is widely experienced in the information security business in all types of areas: Security Architecture and Infrastructure, Security Audits and Testing, Security Management, Awareness and Digital Forensics. He presents lectures at (international) conferences and is looking forward to share experiences at the OWASP Benelux days 2012 with you.<br><br />
<br> <br />
''Bio:''<br><br />
Kees Mastwijk is a security consultant working with Vest, acting as Security Auditor, Awareness Program leader and security Manager. He has a long (and ongoing) experience history in Digital Forensic Research.<br><br />
<br><br />
<br />
<div id="JohnWilander"></div><br />
=== Secure Web Integration Patterns in the Era of HTML5, by John Wilander (Svenska Handelbanken) ===<br />
''Abstract:''<br><br />
Quite a few organizations are finding themselves in a legacy situation with their web applications. Over ten years have passed since the era of dynamic HTML and with the rise of HTML5 and mobile platforms there is now need to gradually move these legacy beasts into a new architecture. Additionally, more and more third party services are offered such as maps, tracking, social media tie-ins, video etc. What are the possible and suitable design patterns for bringing new web, old web, and third party web together? Can we isolate them from each other to secure the new apps from legacy and third party security vulnerabilities? We will dig into the postMessage api, the iframe sandbox directive, CORS, and the same-origin policy while comparing it to the previous generation of integration with jsonp and other hacks.<br />
<br><br />
''Bio:''<br><br />
John Wilander is a frontend software developer at Svenska Handelbanken, the second strongest bank in the world according to Bloomberg Markets. He has been researching and working in application security for ten years and is an active leader in OWASP, the Open Web Application Security Project. In 2011 he organized the OWASP Summit Browser Security sessions in Portugal, with participants from the security teams behind Chrome, Firefox, Internet Explorer, Flash, and PayPal. During his years in academia he was elected best computer science teacher twice and nowadays gives 5-10 professional talks per year.<br><br />
<br><br />
<br><br />
<br />
<div id="DanCornell"></div><br />
<br />
=== Streamlining Application Vulnerability Management: Communication Between Development and Security Teams, by Dan Cornell (Denim Group) ===<br />
''Abstract:''<br><br />
Identifying application-level vulnerabilities via scanning, penetration tests and code reviews is only the first step in actually addressing the underlying risk. Managing vulnerabilities for applications is more challenging than dealing with traditional infrastructure-level vulnerabilities because they typically require the coordination of security teams with application development teams. The process also means that security managers need to get time from developers during already-cramped development and release schedules. In addition, fixes require changes to custom application code and application-specific business logic rather than the patches and configuration changes that are often sufficient to address infrastructure-level vulnerabilities. This presentation will illustrate the communication difficulties between security and development teams, and how this usually results in unactionable reports and fewer vulnerabilities remediated. In addition, the presentation will walk through an example workflow of addressing application vulnerabilities as software defects. This will be based on freely-available tools and show specific examples of how vulnerabilities can be grouped together, false positives can be culled out, and vulnerabilities transitioned to software defects, as well as how security managers can monitor and verify progress.<br><br />
<br><br />
''Bio:''<br><br />
''Dan Cornell has over fifteen years of experience architecting and developing web-based software systems. He leads Denim Group’s security research team in investigating the application of secure coding and development techniques to improve web-based software development methodologies.<br><br />
Dan was the founding coordinator and chairman for the Java Users Group of San Antonio (JUGSA) and currently serves as the OWASP San Antonio chapter leader, member of the OWASP Global Membership Committee and co-lead of the OWASP Open Review Project. Dan has spoken at such international conferences as RSA, OWASP AppSec USA, and OWASP EU Research in Greece.''<br><br />
<br><br />
<br><br />
<br />
<div id="DinisCruz"></div><br />
=== Making Security Invisible by Becoming the Developer’s Best Friends, by Dinis Cruz (Security Innovation) ===<br />
''Abstract:''<br><br />
''Coming soon!''<br><br />
<br><br />
''Bio:''<br><br />
Dinis Cruz is a Security Consultant based in London (UK) and specialized in: ASP.NET/J2EE Application Security, Application Security audits and .NET Security Curriculum Development.<br><br />
For the past years Dinis has focused on the field of Static Source Code analysis, from May 2007 to Dec 2009 he worked as a independent consultant for Ounce Labs (bought by IBM in July 2009) where during active security engagements using Ounce's technology he developed the Open Source codebase which now is the foundation of the OWASP O2 Platform.<br><br />
Dinis is currently focused on making the O2 Platform the industry standard for consuming, instrumenting and data-sharing between the multiple WebAppSec tools, the Security consultants and the final developers. Dinis is a also active trainer on .Net security having written and delivered courses for IOActive, Foundstone, Intense School and KPMG (at multiple locations including BlackHat), and has delivered a number of presentations and keynote speeches at multiple OWASP and Security related conferences.<br><br />
At OWASP, Dinis is the leader of the OWASP O2 Platform project<br><br />
<br><br />
<br><br />
<br />
=== Panel discussion about the legal aspects of penetration testing ===<br />
''with Steven Wierckx, Luc Beirens, Jos Dumortier, Dieter Sarrazyn, ...''<br><br><br />
''Abstract:''<br> In the past couple of years security has become a more visible topic in the media. As a result many companies are asking for security reviews in the form of a penetration test. A lot of entrepreneurs took the opportunity to form teams and/or companies that provide such services. There seems to be a lack of clear (standard) legal documentation to cover these activities both for the penetration tester and the company under review. With this panel discussion we would like to discuss this situation and to see if there is a possibility to have a standard document or framework that can be used as a starting point for companies and professionals to use as a contract. The purpose would be to end up with a (set of) documents similar to the “Testaankoop standard huurcontract”, this is a well-known Belgian contract framework for renting a house where both parties are protected and that is clear to both parties. It can be used without further legal intervention.<br><br />
<br><br />
<li>''Bio Steven Wierckx, ps_testware:''<br><br />
Steven Wierckx is currently working as Security Tester for [http://www.pstestware.com/ ps_testware], he specialises in web application security and keeps a security related blog [http://www.ihackforfun.eu/ ihackforfun]. He is also wrting articles and doing technical reviews for PenTest Magazine.<br><br />
<br><br />
<li>''Bio Luc Beirens, FCCU:''<br><br />
Head of Belgian Federal Computer Crime Unit & Chair EU Cybercrime Task Force trying to create partnerships and circumstances for a safer cyberspace.<br><br />
<br><br />
<li>''Bio Jos Dumortier, ICRI:''<br><br />
Jos Dumortier is Professor of ICT Law at the University of Leuven (Belgium) and the Director of the Interdisciplinary Research Centre for ICT and Law (ICRI) (www.icri.be). With his research team he participates in a series of R & D projects in the domain of telemedicine.<br><br />
He is also a member of the Bar of Brussels and partner in “time.lex”, a law firm specialized in information and technology law (www.timelex.eu).<br><br />
He participates in the boards of several national and international scientific and business associations and is a member of various editorial and program committees. <br><br />
He is the editor of the International Encyclopedia of Cyber Law and the author of more than one hundred books and articles on legal issues related to the information society.<br><br />
Jos Dumortier has taken the lead in a large number of European studies and projects in the area of information security, privacy and identity management. He worked on an assignment of the European Commission (DG INFSO) for a study on the legal obstacles for interoperable eHealth in Europe and on several studies for the Flemish government related to the implementation of a regional eHealth platform. He is also a member of the Flemish data protection supervisory authority for the health sector.<br><br />
<br><br />
<li>''Bio Dieter Sarrazyn, PWC:''<br><br />
Dieter is a senior manager and consultant within PwC and a team leader for Risk Management assessment services. His main focus is in performing penetration tests (external as well as internal), performing security audits, creating and evaluating security architectures,and creating and setting up vulnerability management frameworks & tools. He is a Certified Information Systems Security Professional (CISSP), a Certified Intrusion Analyst (GCIA), a Certified Incident Handling Analyst (GCIH), a Certified Intrusion Analyst (GCIA) a GIAC Systems and Network Auditor (GSNA). Dieter is also SANS Local Mentor and SANS Community Teacher<br><br />
<br><br />
<br><br />
<br />
<!-- Sixth tab --><br />
<br />
= Social Event =<br />
<br />
==== Social Event, November 29th ====<br />
<br />
==== <B>Important Update</B> ====<br />
The brewery visit is limit to 60 people. Therefor, the 60 first registered people that indicated interest in the social event have been invited to participate. Any remaining tickets will be offered on Thursday around noon at the registration desk.<br />
<br />
If you are going by car, there are paid parkings under the Railway station and at Kinepolis (follow the parking signs). If you want to go there from the venue without car, the best way to get there is to take bus No.2 that leaves next to the building and drives to the Railway station. From there, it is a 300 m. walk to the brewery.<br />
<br />
All other people (and the people of the brewery tour after that has finished) are warmly invited to join us in the Downtown Jack, a pub with a number of pool and snooker tables. 5 pool tables have been exclusively reserved for us from 20h00 onwards. You can also have a drink and eat something there if you like.<br />
<br />
The address: Parkstraat 40, 3000 Leuven (see http://www.downtownjack.be/)<br />
<br />
==== <B>Brewery Visit Information</B> ====<br />
The social event will take place at the InBev Brewery in Leuven, where there will be a guided tour and a beer tasting.<br><br />
Unfortunately, the tour is limited to 60 people. Since we have more registered people than places, we will soon announce how we will<br />
proceed.<br><br />
If you decide not to join, please inform the Benelux organisation, other participants will be happy to join.<br><br />
<br><br />
'''The entrance fee for the tour is 10 EUR'''. <br><br />
This amount will have to be paid to the Benelux organisation at the registration desk or upon entry in cash (please use correct notes).<br><br />
<br><br />
Below is the address where the event takes place. You can take your car, bus number 2 or a taxi to reach this.<br> '''The tour starts at 19h30 sharp'''.<br><br />
<br><br />
'''Address:''' <br><br />
Vuurkruisenlaan z/n <br><br />
3000 Leuven<br><br />
<br><br />
'''From the station:'''<br><br />
Take the street 'Diestepoort' (this street is parrallel with the railway behind the building)and walk straight through. You can see the brewery at the end of the street.<br><br />
'''By car:'''<br><br />
From the street diestesteenweg or beckeremieplein head to the railroadbridge. At the crossroad take first right, this is the entrance of the brewery. from the expressway R23 head to the Hotel ''NOVOTEL''. Take the street left from ''NOVOTEL'', this is the ''vuurkruisenlaan''. On your left side you can see the brewery. At the<br />
next crossroad take the first left, this is the entrance of the brewery.<br><br />
<br><br />
'''ENTRANCE BREWERY:'''<br><br />
is also the entrance for the trucks, next to the railroadbridge.<br><br />
We will meet at the entrance at 19h30 where the tour will start.<br><br><br />
<br />
<br />
<!-- Seventh tab --><br />
<br />
= CTF =<br />
<br />
==== Capture the Flag! ====<br />
<br />
* Do you like puzzles? <br />
* Do you like challenges? <br />
* Are you a hacker?<br />
<br />
Whether you are an experienced hacker or new enthusiast you should come to OWASP BeNeLux 2012 and participate in the Capture the Flag event November 30th 2012. <br />
<br />
The OWASP CTF is especially designed to support challengers of all skill levels. The CTF contains multiple challenges in various fields related to application security. As every challenge gains you one point, you can pick and choose which challenge you want to play.<br />
<br />
All you need is a laptop with a wifi card and your favorite (preferably) non-commercial tools. <br />
<br />
So come, show off your skills, learn new tricks and above all have a good time at the CTF event. <br />
<br />
<br />
<!-- Eighth tab --><br />
<br />
= Sponsor =<br />
<br />
==== Become a sponsor of OWASP BeNeLux ====<br />
<br />
==== Donate to OWASP BeNeLux ====<br />
<br />
<paypal>BeNeLux OWASP Day 2012</paypal> <br />
<br />
<br />
==== Promotion ====<br />
''Feel free to use the text below to promote our event!''<br />
<br />
We invite you to our next OWASP event: the '''BeNeLux OWASP Days 2012!'''<br />
<br />
Free your agenda on the 29th and 30th of November, 2012.<br />
<br />
The good news: free! No fee!<br />
<br />
The bad news: there are only 280 seats available (first register, first serve)!<br />
<br />
<br />
<!-- Don't remove these two lines! --><br />
__NOTOC__ <br />
<headertabs/><br />
<br />
<br />
==== Hosted and co-organized by: ====<br />
<br />
[http://distrinet.cs.kuleuven.be https://www.owasp.org/images/4/4a/Logo_distrinet.png]<br />
[http://www.nessos-project.eu/ https://www.owasp.org/images/5/52/Nessos.png]<br />
<br />
==== Made possible by our {{#switchtablink:Sponsor|Sponsors}}====<br />
<br />
==== OWASP Member Sponsor: ====<br />
{{MemberLinks|link=http://www.pwc.com/|logo=PWC_log_resized.png}} <br />
<br />
==== OWASP BeNeLux 2012 Sponsors: ====<br />
[http://www.madisongurkha.nl https://www.owasp.org/images/6/6e/Madison-gurkha-logo.jpg]<br />
[http://www.sogeti.nl https://www.owasp.org/images/9/94/Sogeti_logo.png]<br />
[http://www.vest.nl https://www.owasp.org/images/1/1d/Logo_Vest_BIG_170.gif]<br />
<br><br />
[http://www.iminds.be https://www.owasp.org/images/thumb/a/a1/Iminds-logo.png/200px-Iminds-logo.png]<br />
[http://www.zionsecurity.com https://www.owasp.org/images/e/e6/Zionsecurity.jpg]<br />
[http://on2it.net https://www.owasp.org/images/3/3d/On2it-sponsor.png]<br />
<br><br />
<br />
<br />
[[Category:OWASP_AppSec_Conference]] [[Category:OWASP_BeNeLux_Archives]]</div>Favroomhttps://wiki.owasp.org/index.php?title=BeNeLux_OWASP_Day_2013&diff=154428BeNeLux OWASP Day 20132013-06-25T20:02:58Z<p>Favroom: /* Welcome to OWASP BeNeLux 2013 */</p>
<hr />
<div><center>[[Image:owaspbnl12header.jpg]]<br></center><br />
<br><!-- Header --><br />
<br />
<br />
<!-- First tab --><br />
= Welcome =<br />
<br />
=== Welcome to OWASP BeNeLux 2013 ===<br />
<br />
==== News ====<br />
* <br />
* <br />
<br><br />
<br />
==== Confirmed trainers for Trainingday ====<br />
{{#switchtablink:Trainingday| <p><br />
* <br />
* <br />
* <br />
* <br />
}}<br />
<br><br />
<br />
==== Confirmed speakers Conferenceday ====<br />
{{#switchtablink:Conferenceday| <p><br />
* <br><br />
* <br><br />
* <br><br />
* <br><br />
* <br><br />
* <br><br />
* <br><br />
* <Br><br />
* <br><br />
}}<br />
<br><br />
<br />
==== The OWASP BeNeLux Program Committee ====<br />
*Bart De Win / Sebastien Deleersnyder/ Lieven Desmet/ David Mathy, OWASP Belgium<br />
*Martin Knobloch / Ferdinand Vroom, OWASP Netherlands<br />
*Jocelyn Aubert / Andre Adelsbach/ Thierry Zoller, OWASP Luxembourg<br />
<br><br />
<br />
=== Tweet! ===<br />
Event tag is [http://twitter.com/#search?q=%23owaspbnl12 #owaspbnl12]<br />
<br><br><br />
==== Donate to OWASP BeNeLux ====<br />
<paypal>BeNeLux OWASP Day 2012</paypal><br />
<br />
<!-- Second tab --><br />
= Registration =<br />
<br />
==== OWASP BeNeLux training day and conference are free! ==== <br />
<br />
=== Registration is open: ===<br />
<br />
[http://owaspbenelux2012.eventbrite.com/ http://www.owasp.org/images/7/77/Buttoncreate.png]<br />
<br />
<br><br />
To support the OWASP organisation, consider to become a member, it's only US$50!<br />
<br> <br />
Check out the [[Membership]] page to find out more. <br />
<br><br />
<br />
<br />
<!-- Third tab --><br />
= Venue =<br />
<br />
=== Venue is the iMinds-DistriNet Research Group @ KU Leuven ===<br />
<br />
''Celestijnenlaan, 200A<br><br />
3001 Heverlee<br><br />
Belgium<br>''<br />
<br><br />
<br />
<br>'''Parking & roadmap''':<br />
<br />
There is a public parking close to the conference venue.<br />
<br />
Roadmap and parking: http://distrinet.cs.kuleuven.be/about/route/<br />
<br />
<br />
<br>'''Hotels nearby''': <br> <br />
Board house (close to the venue)<br> http://www.boardhouse.be<br><br />
The lodge (close to the venue)<br> http://www.booking.com/hotel/be/the-lodge-heverlee.en.html<br><br />
Begijnhof Congres Hotel (1 km from the venue)<br> http://www.bchotel.be/<br><br />
La Royale (2 km from the venue)<br> http://www.laroyale.be<br> <br />
Hotel Ibis (2 km from the venue)<br> http://www.accorhotels.com/gb/hotel-1457-ibis-leuven-centrum/index.shtml<br> <br />
Mercure (2 km from the venue) <br> http://www.mercure.com/gb/hotel-7862-hotel-mercure-leuven-center/index.shtml<br> <br />
New Damshire (2 km from the venue)<br> http://www.hotelnewdamshire.be<br> <br />
<br />
<br />
<!-- Fourth tab --><br />
<br />
= Trainingday =<br />
<br />
==== Trainingday, November 29th ====<br />
<br />
==== Location ====<br />
The training room is: <br />
''Celestijnenlaan, 200A, fifth floor<br><br />
3001 Heverlee<br><br />
Belgium<br>''<br />
<br><br />
<br />
(for details, check the {{#switchtablink:Venue|Venue}} tab)<br />
<br />
==== Agenda ==== <br />
{| class="wikitable"<br />
! Time !! Description !! Room 1 !! Room 2 !! Room 3 !! Room 4<br />
|-<br />
| 08h30 - 9h30<br />
| colspan="5" style="text-align: center; background: grey; color: white;" | ''Registration''<br />
|-<br />
| 09h30 - 11h00 || Training<br />
| rowspan="7" style="width:100px;" | [[#DinisCruz|Advanced O2, by Dinis Cruz <br/><br/> Room 04.112]]<br />
| rowspan="7" style="width:100px;" | [[#DanCornell|SDLC with Open Source tools, by Dan Cornell <br/><br/> Room 05.128]]<br />
| rowspan="7" style="width:100px;" | [[#VolkertDeBuisonje|Secure Java Development with ESAPI (hands-on), by Volkert de Buisonjé <br/><br/> Room 05.152]]<br />
| rowspan="7" style="width:100px;" | [[#MartinKnobloch|Essential Web Appplication Security (OWASP Top 10, Webgoat, WebScarab), by Martin Knobloch <br/><br/> Room 05.001]]<br />
|-<br />
| 11h00 - 11h30 || ''Coffee Break''<br />
|-<br />
| 11h30 - 13h00 || Training<br />
|-<br />
| 13h00 - 14h00 || ''Lunch''<br />
|-<br />
| 14h00 - 15h30 || Training<br />
|-<br />
| 15h30 - 16h00 || ''Coffee Break''<br />
|-<br />
| 16h00 - 17h30 || Training<br />
|}<br />
<br />
<br />
<br />
<br />
<br />
<br><br />
<br />
<div id="VolkertDeBuisonje"></div><br />
<br />
=== Secure Java Development workshop with ESAPI, by Volkert de Buisonjé (Sogeti) ===<br />
''Workshop:''<br><br />
First, attendees will receive a brief introduction on application awareness. Then they will get acquainted with Webgoat, a "deliberately insecure J2EE web application" designed as a practice tool for secure application development and testing. They will learn how to exploit some vulnerabilities in Webgoat, through for instance Cross-Site Scripting (CSS) and Cross-Site Request Forgery (CSRF) attacks. Finally, the ESAPI library will be introduced and the attendees will learn how to apply ESAPI to fix such vulnerabilities in Webgoat's source code.<br><br />
<br><br />
''Prerequisites for this workshop:''<br><br />
* Reasonable knowledge of and experience with Java development<br />
* A laptop running a recent version of Linux, Mac OS X, or Windows<br />
* The most recent version of VirtualBox (4.x) installed<br />
* At least 2GB of RAM<br />
* At least 2GB of disk space<br />
<br><br />
''Bio:''<br><br />
Volkert de Buisonjé is a senior Java developer at Sogeti. He specializes in, and teaches application security courses, both to coworkers and to customers. Knowledge sharing (in both directions) is his passion. Volkert likes making friends and talking a lot. He never shuns a good discussion, and prefers to bring a high amount of interactivity to his classes. :-)<br><br />
<br><br />
<br><br />
<br />
<div id="DinisCruz"></div><br />
=== Advanced O2, by Dinis Cruz (Security Innovation) ===<br />
''Workshop:''<br><br />
The O2 platform represents a new paradigm for how to perform, document and distribute Web Application security reviews. O2 is designed to Automate Security Consultants Knowledge and Workflows and to Allow non-security experts to access and consume Security Knowledge.<br />
<br><br />
''Bio:''<br><br />
Dinis Cruz is a Security Consultant based in London (UK) and specialized in: ASP.NET/J2EE Application Security, Application Security audits and .NET Security Curriculum Development.<br><br />
For the past years Dinis has focused on the field of Static Source Code analysis, from May 2007 to Dec 2009 he worked as a independent consultant for Ounce Labs (bought by IBM in July 2009) where during active security engagements using Ounce's technology he developed the Open Source codebase which now is the foundation of the OWASP O2 Platform.<br><br />
Dinis is currently focused on making the O2 Platform the industry standard for consuming, instrumenting and data-sharing between the multiple WebAppSec tools, the Security consultants and the final developers. Dinis is a also active trainer on .Net security having written and delivered courses for IOActive, Foundstone, Intense School and KPMG (at multiple locations including BlackHat), and has delivered a number of presentations and keynote speeches at multiple OWASP and Security related conferences.<br><br />
At OWASP, Dinis is the leader of the OWASP O2 Platform project<br><br />
<br><br />
<br><br />
<br />
<div id="MartinKnobloch"></div><br />
<br />
=== Essential Web Appplication Security (OWASP Top 10, Webgoat, WebScarab), by Martin Knobloch (PervaSec) ===<br />
''Abstract:''<br><br />
This workshop is an introduction into (web) application security with hands-on labs, using OWASP documentation and tooling.<br />
You will be introduced into the security mindset, discus the OWASP TopTen 2010 and learn basic skills in how to find vulnerabilities in web applications. All tools and documentation are provided during the training.<br><br />
<b>As this is an hands-on workshop, please bring your own laptop!</b> <br><br />
Course structure:<br />
*Introduction OWASP, OWASP tool and documentation<br />
*Security Testing mindset <br />
*1st Lab: OWASP WebGoat / WebScarab <br />
*OWASP Top Ten 2010<br />
*OWASP Testing Guide <br />
*2nd Lab: OWASP WebGoat / WebScarab <br />
*3rd Lab: OWASP Hackademic / ZAP <br />
*Summary and completion <br />
Prerequisites for this workshop:<br />
*Basic understanding of HTTP and web application testing/development<br />
*An open mind<br />
<br><br />
''Bio:''<br><br />
Martin is an independent security consultant and owner of PervaSec (http://www.pervasec.nl). His main working area is (software) security in general, from awareness to implementation. In his daily work, he is responsible for education in application security matters, advise and implementation of application security measures.<br><br />
At OWASP, Martin is member of the Dutch chapter board and chair of the Global Education Committee and contributes to several projects.<br><br />
Martin is a frequent speaker at conferences, universities and hacker spaces.<br />
<br><br />
<br />
<br />
<div id="DanCornell"></div><br />
<br />
=== Building a Software Security Program On Open Source Tools, by Dan Cornell (Denim Group) ===<br />
''Abstract:''<br><br />
Using the Software Assurance Maturity Model (OpenSAMM) as a framework, this course walks through the major components of a comprehensive software security program and highlights open source and other freely-available tools that can be used to help implement the activities involved in such a program. The focus of the course is on providing hands-on demonstrations of the tools with an emphasis on integrating tool results into the overall software security program. Featured tools include: ESAPI, Microsoft Web Protection Library, FindBugs, FxCop, CAT.NET, Brakeman, Agnitio, Arachini, w3af, ZAProxy, ThreadFix as well as other educational resources from OWASP. Attendees should finish the course with a solid understanding of the various components of a comprehensive software security program as well as hands-on experience with a variety of freely-available tools that they can use to implement portions of these programs.<br><br />
<br><br />
''Outline:''<br><br />
* So You Want To Roll Out A Software Security Program?<br />
* The Software Assurance Maturity Model (OpenSAMM)<br />
* ThreadFix: Overview<br />
* Governance: Strategy and Metrics<br />
** ThreadFix: Reporting<br />
* Governance: Policy and Compliance<br />
* Governance: Education and Guidance<br />
** OWASP Development Guide<br />
** OWASP Cheat Sheets<br />
** OWASP Secure Coding Practices<br />
* Construction: Threat Assessment<br />
* Construction: Security Requirements<br />
* Construction: Secure Architecture<br />
** ESAPI overview<br />
** Microsoft Web Protection Library (Anti-XSS) overview<br />
* Verification: Design Review<br />
** Microsoft Threat Analysis and Modeling Tool<br />
* Verification: Code Review<br />
** FindBugs<br />
** FxCop<br />
** CAT.NET<br />
** Brakeman<br />
** Agnitio<br />
* Verification: Security Testing<br />
** Arachni<br />
** w3af<br />
** ZAProxy<br />
* Deployment: Vulnerability Management<br />
** ThreadFix: Defect Tracker Integration<br />
* Deployment: Environment Hardening<br />
** Microsoft Baseline Security Analyzer (MBSA)<br />
* Deployment: Operational Enablement<br />
** mod_security<br />
<br><br />
''Bio:''<br><br />
Dan Cornell has over fifteen years of experience architecting and developing web-based software systems. He leads Denim Group’s security research team in investigating the application of secure coding and development techniques to improve web-based software development methodologies.<br><br />
Dan was the founding coordinator and chairman for the Java Users Group of San Antonio (JUGSA) and currently serves as the OWASP San Antonio chapter leader, member of the OWASP Global Membership Committee and co-lead of the OWASP Open Review Project. Dan has spoken at such international conferences as RSA, OWASP AppSec USA, and OWASP EU Research in Greece.<br><br />
<br><br />
<br />
<br />
<!-- Fifth tab --><br />
<br />
= Conferenceday =<br />
<br />
==== Conferenceday, November 30th ====<br />
<br />
==== Location ====<br />
The conference takes place in auditorium K.06, the registration and catering in the foyer of building 200A (ground floor) (for details, check the {{#switchtablink:Venue|Venue}} tab)<br />
<br />
==== Agenda ==== <br />
{| class="wikitable"<br />
! width="90pt" | Time<br />
! width="130pt" | Speaker !! Topic<br />
|- <br />
| 09h00 - 10h00<br />
| colspan="2" style="text-align: center; background: grey; color: white" | ''Registration''<br />
|- <br />
| 10h00 - 10h15 || OWASP Benelux Organization || Welcome ([https://www.owasp.org/images/a/ad/OWASP_BeNeLux_Day_2012_-_Organization_welcome.ppt PPT])<br />
|-<br />
| 10h15 - 10h30 || Sebastien Deleersnyder || OWASP update ([https://www.owasp.org/images/d/d7/OWASP-Update-BeNeLux-Day-2012_v1.pptx PPT])<br />
|-<br />
| 10h30 - 11h10 || [[#JohnWilander|John Wilander]] || ''' Secure Web Integration Patterns in the Era of HTML5'''<br>''Abstract:'' Quite a few organizations are finding themselves in a legacy situation with their web applications. Over ten years have passed since the era of dynamic HTML and with the rise of HTML5 and mobile platforms there is now need to gradually move these legacy beasts into a new architecture. Additionally, more and more third party services are offered such as maps, tracking, social media tie-ins, video etc. What are the possible and suitable design patterns for bringing new web, old web, and third party web together? Can we isolate them from each other to secure the new apps from legacy and third party security vulnerabilities? We will dig into the postMessage api, the iframe sandbox directive, CORS, and the same-origin policy while comparing it to the previous generation of integration with jsonp and other hacks.<br />
|-<br />
| 11h10 - 11h50 || [[#LievenDesmet|Lieven Desmet]] || '''Sandboxing Javascript''' ([https://www.owasp.org/images/1/10/Sandboxing-Javascript.pdf PDF])<br>''Abstract:'' The inclusion of third-party scripts in web pages is a common practice. A recent study has shown that more than half of the Alexa top 10 000 sites include scripts from more than 5 different origins. However, such script inclusions carry risks, as the included scripts operate with the privileges of the including website.<br><br />
In this talk, we propose JSand, a server-driven but client-side JavaScript sandboxing framework. JSand requires no browser modifications: the sandboxing framework is implemented in JavaScript and is delivered to the browser by the websites that use it. Enforcement is done entirely at the client side: JSand enforces a server-specified policy on included scripts without requiring server-side filtering or rewriting of scripts.<br><br />
Most importantly, JSand is complete: access to all resources is mediated by the sandbox.<br><br />
We describe the design and implementation of JSand, and we show that it is secure, backwards compatible, and that it performs sufficiently well.<br><br />
|-<br />
| 11h50 - 12h30 || [[#ErwinGeirnaert|Erwin Geirnaert]] || '''OWASP Top 10 vs Drupal'''<br>''Abstract:'' Drupal is the most used and well-known open source content management system in the world. Created by Dries Buytaert years ago it has grown with the support of a big community. Drupal 7 is already released and there is an entire ecosystem for Drupal and Drupal web agencies.<br><br />
During this presentation we will discuss the findings of an automated static code analysis of Drupal 6 and Drupal 7 and how Drupal protects against the OWASP Top 10 Application Security Risks. We will explain the security weaknesses that remain when you use Drupal and what you can implement to have a secure cloud server running Drupal.<br><br />
|-<br />
| 12h30 - 13h30<br />
| colspan="2" style="text-align: center;background: grey; color: white" | ''Lunch'' <br />
|-<br />
| 13h30 - 14h10 || [[#AsiaSlowinska|Asia Slowinska]] || '''Body Armor for Binaries'''<br>''Abstract:'' BinArmor is a novel technique to protect existing C binaries from memory corruption attacks on both control data and non-control data. Without access to source code, non-control data attacks cannot be detected with current techniques. Our approach hardens binaries against both kinds of overflow, without requiring the pro- grams’ source or symbol tables. We show that BinArmor is able to stop real attacks—including the recent non- control data attack on Exim. Moreover, we did not in- cur a single false positive in practice. On the downside, the current overhead of BinArmor is high—although no worse than competing technologies like taint analysis that do not catch attacks on non-control data. Specifi- cally, we measured an overhead of 70% for gzip, 16%- 180% for lighttpd, and 190% for the nbench suite.<br />
|-<br />
| 14h10 - 14h50 || [[#MarcHullegieAndKeesMastwijk|Marc Hullegie and Kees Mastwijk]] || '''Forensics'''<br>''Abstract:'' In today’s investigations, forensics has become an important investigative method in fighting and solving (cyber)crimes and irregularities. During the session you will be briefly taken through the landscape of Forensics Basics; the Fraud Triangle and scenario's; What to look for and the appliance of Digital Forensics. What are the Challenges, the required Skills and Expertise and Solutions to these challenges. Specific focus on the Forensics of Web Applications and what you can do the create a more forensic ready system.<br><br />
|-<br />
| 14h50 - 15h30 || [[#DanCornell|Dan Cornell]] || '''Streamlining Application Vulnerability Management: Communication Between Development and Security Teams'''<br>''Abstract:'' Identifying application-level vulnerabilities via scanning, penetration tests and code reviews is only the first step in actually addressing the underlying risk. Managing vulnerabilities for applications is more challenging than dealing with traditional infrastructure-level vulnerabilities because they typically require the coordination of security teams with application development teams. The process also means that security managers need to get time from developers during already-cramped development and release schedules. In addition, fixes require changes to custom application code and application-specific business logic rather than the patches and configuration changes that are often sufficient to address infrastructure-level vulnerabilities. This presentation will illustrate the communication difficulties between security and development teams, and how this usually results in unactionable reports and fewer vulnerabilities remediated. In addition, the presentation will walk through an example workflow of addressing application vulnerabilities as software defects. This will be based on freely-available tools and show specific examples of how vulnerabilities can be grouped together, false positives can be culled out, and vulnerabilities transitioned to software defects, as well as how security managers can monitor and verify progress.<br><br />
|-<br />
| 15h30 - 15h50<br />
| colspan="2" style="text-align: center;background: grey; color: white" | ''Break'' <br />
|-<br />
| 15h50 - 16h30 || [[#RuedigerBachmann|Ruediger Bachmann]] || '''Code review for Large Companies'''<br>''Abstract:''Static source code analysis should be an essential part in the secure software development life cycle (SDLC) to start to minimize the number of potential vulnerabilities already in a very early stage in the software development process.<br><br />
The introduction of static code analysis at a large software manufacturer is a big challenge. In addition to the technical difficulties – based on the sheer number and size of the software projects or the number of different programing languages – there are also non-technical issues like creating new security awareness, trainings to use the provided tools efficiently and integration of analysis processes into the software development and maintenance life cycle.<br><br />
This talk gives an overview of the company-wide introduction of static code analysis at SAP AG.<br />
|-<br />
| 16h30 - 17h10 || [[#DinisCruz|Dinis Cruz]] || '''Making Security Invisible by Becoming the Developer’s Best Friends'''<br>''Abstract:'' Coming soon!<br />
|-<br />
| 17h10 - 17h50 || <br />
* Steven Wierckx<br />
* Luc Beirens<br />
* Jos Dumortier<br />
* Dieter Sarrazyn<br />
* Erwin Geirnaert<br />
* John Wilander<br />
|| '''Panel Discussion about the legal aspects of penetration testing'''<br> ''Abstract:'' In the past couple of years security has become a more visible topic in the media. As a result many companies are asking for security reviews in the form of a penetration test. A lot of entrepreneurs took the opportunity to form teams and/or companies that provide such services. There seems to be a lack of clear (standard) legal documentation to cover these activities both for the penetration tester and the company under review. With this panel discussion we would like to discuss this situation and to see if there is a possibility to have a standard document or framework that can be used as a starting point for companies and professionals to use as a contract. The purpose would be to end up with a (set of) documents similar to the “Testaankoop standard huurcontract”, this is a well-known Belgian contract framework for renting a house where both parties are protected and that is clear to both parties. It can be used without further legal intervention.<br />
|-<br />
| 17h50 - 18h00 || OWASP Benelux 2012 organization || '''Closing Notes'''<br />
|}<br />
<br />
<br><br />
<br><br />
<br />
<div id="AsiaSlowinska"></div><br />
<br />
=== Body Armor for Binaries, by Asia Slowinska (Vrije Universiteit Amsterdam) ===<br />
''Abstract:''<br><br />
BinArmor is a novel technique to protect existing C binaries from memory corruption attacks on both control data and non-control data. Without access to source code, non-control data attacks cannot be detected with current techniques. Our approach hardens binaries against both kinds of overflow, without requiring the pro- grams’ source or symbol tables. We show that BinArmor is able to stop real attacks—including the recent non- control data attack on Exim. Moreover, we did not in- cur a single false positive in practice. On the downside, the current overhead of BinArmor is high—although no worse than competing technologies like taint analysis that do not catch attacks on non-control data. Specifi- cally, we measured an overhead of 70% for gzip, 16%- 180% for lighttpd, and 190% for the nbench suite.<br><br />
<br><br />
''Bio:''<br><br />
I am a postdoctoral researcher in the System and Network Security group at the Vrije Universiteit Amsterdam, under the guidance of Prof. dr. ir. Herbert Bos.<br><br />
I obtained my PhD from the Vrije Universiteit Amsterdam. My dissertation Using information flow tracking to protect legacy binaries was completed under the supervision of Prof. dr. ir. Herbert Bos, while my copromotor was Prof. dr. ir. Henri E. Bal.<br><br />
During my PhD studies, I interned twice with Microsoft Research Cambridge, where I joined the Systems and Performance Group. I also spent few months interning with the Systems and Security Department at Institute for Infocomm Research in Singapore.<br><br />
My research focuses on developing techniques to automatically analyze and reverse engineer complex software that is available only in binary form. Further, I’ve been looking into mechanisms that proactively protect software from malicious activities. Currently, I am involved in a project on Reverse Engineering of binaries, known as Rosetta.<br><br />
<br><br />
<br />
<div id="RuedigerBachmann"></div><br />
=== Code review for Large Companies, by Ruediger Bachmann (SAP) ===<br />
''Abstract:''<br><br />
Static source code analysis should be an essential part in the secure software development life cycle (SDLC) to start to minimize the number of potential vulnerabilities already in a very early stage in the software development process.<br><br />
The introduction of static code analysis at a large software manufacturer is a big challenge. In addition to the technical difficulties – based on the sheer number and size of the software projects or the number of different programing languages – there are also non-technical issues like creating new security awareness, trainings to use the provided tools efficiently and integration of analysis processes into the software development and maintenance life cycle.<br><br />
This talk gives an overview of the company-wide introduction of static code analysis at SAP AG.<br />
<br><br />
''Bio:''<br><br />
After graduating with a degree in mathematics and computer science at the University of Giessen in 1997, Ruediger Bachmann worked at various software companies and IT service providers mainly in software development. Currently he is employed at SAP AG in Germany as a Development Architect in the central code analysis team. There he is focusing on application security and security code scans.<br><br />
<br />
<div id="LievenDesmet"></div><br />
<br />
=== Sandboxing JavaScript, by Lieven Desmet (Research Manager at KU Leuven) ===<br />
''Abstract:''<br><br />
The inclusion of third-party scripts in web pages is a common practice. A recent study has shown that more than half of the Alexa top 10 000 sites include scripts from more than 5 different origins. However, such script inclusions carry risks, as the included scripts operate with the privileges of the including website.<br><br />
In this talk, we propose JSand, a server-driven but client-side JavaScript sandboxing framework. JSand requires no browser modifications: the sandboxing framework is implemented in JavaScript and is delivered to the browser by the websites that use it. Enforcement is done entirely at the client side: JSand enforces a server-specified policy on included scripts without requiring server-side filtering or rewriting of scripts. Most importantly, JSand is complete: access to all resources is mediated by the sandbox.<br><br />
We describe the design and implementation of JSand, and we show that it is secure, backwards compatible, and that it performs sufficiently well.<br><br />
<br><br />
''Bio:''<br><br />
Lieven Desmet is Research Manager on Software Secure at the iMinds-DistriNet Research Group (KU Leuven, Belgium), where he coaches junior researchers in web application security and participates in dissemination and valorization activities. His interests are in security of middleware and web-enabled technologies. Lieven is actively engaged in OWASP and is board member of the OWASP Chapter Belgium.<br><br />
<br><br />
<br><br />
<br />
<div id="ErwinGeirnaert"></div><br />
=== OWASP Top 10 vs Drupal, by Erwin Geirnaert (Zion Security) ===<br />
''Abstract:''<br><br />
Drupal is the most used and well-known open source content management system in the world. Created by Dries Buytaert years ago it has grown with the support of a big community. Drupal 7 is already released and there is an entire ecosystem for Drupal and Drupal web agencies.<br><br />
During this presentation we will discuss the findings of an automated static code analysis of Drupal 6 and Drupal 7 and how Drupal protects against the OWASP Top 10 Application Security Risks. We will explain the security weaknesses that remain when you use Drupal and what you can implement to have a secure cloud server running Drupal.<br><br />
<br><br />
''Bio:''<br><br />
Erwin founded ZION SECURITY in 2005 to help companies to protect against the latest threats, attacks against web applications. ZION SECURITY is nowadays a Belgian market leader in the field of security testing, vulnerability management, penetration testing and banking security. Erwin has more than 10 years of experience in web security, graduating with a Master of Science in Software Development from the University of Ghent. Erwin executes different types of projects for a lot of international software companies, financial institutions, telecom and web agencies. Specialist in executing code reviews in different development languages for critical applications, executing continuous penetration tests of their infrastructure and Internet applications. A specialist in J2EE, PHP, .NET, mobile app and web services security. Erwin architects secure e-business projects for web agencies and software companies. He is a recognized application security expert and speaker at international events like Javapolis, OWASP, Eurostar, LSEC,...<br><br />
<br><br />
<br />
<div id="MarcHullegieAndKeesMastwijk"></div><br />
=== Forensics, by Marc Hullegie and Kees Mastwijk (Vest Information Security) === <br />
''Abstract:''<br><br />
In today’s investigations, forensics has become an important investigative method in fighting and solving (cyber)crimes and irregularities. During the session you will be briefly taken through the landscape of Forensics Basics; the Fraud Triangle and scenario's; What to look for and the appliance of Digital Forensics. What are the Challenges, the required Skills and Expertise and Solutions to these challenges. Specific focus on the Forensics of Web Applications and what you can do the create a more forensic ready system.<br><br />
<br><br />
''Bio:''<br><br />
Marc Hullegie is founder and CEO of Vest Information Security and is widely experienced in the information security business in all types of areas: Security Architecture and Infrastructure, Security Audits and Testing, Security Management, Awareness and Digital Forensics. He presents lectures at (international) conferences and is looking forward to share experiences at the OWASP Benelux days 2012 with you.<br><br />
<br> <br />
''Bio:''<br><br />
Kees Mastwijk is a security consultant working with Vest, acting as Security Auditor, Awareness Program leader and security Manager. He has a long (and ongoing) experience history in Digital Forensic Research.<br><br />
<br><br />
<br />
<div id="JohnWilander"></div><br />
=== Secure Web Integration Patterns in the Era of HTML5, by John Wilander (Svenska Handelbanken) ===<br />
''Abstract:''<br><br />
Quite a few organizations are finding themselves in a legacy situation with their web applications. Over ten years have passed since the era of dynamic HTML and with the rise of HTML5 and mobile platforms there is now need to gradually move these legacy beasts into a new architecture. Additionally, more and more third party services are offered such as maps, tracking, social media tie-ins, video etc. What are the possible and suitable design patterns for bringing new web, old web, and third party web together? Can we isolate them from each other to secure the new apps from legacy and third party security vulnerabilities? We will dig into the postMessage api, the iframe sandbox directive, CORS, and the same-origin policy while comparing it to the previous generation of integration with jsonp and other hacks.<br />
<br><br />
''Bio:''<br><br />
John Wilander is a frontend software developer at Svenska Handelbanken, the second strongest bank in the world according to Bloomberg Markets. He has been researching and working in application security for ten years and is an active leader in OWASP, the Open Web Application Security Project. In 2011 he organized the OWASP Summit Browser Security sessions in Portugal, with participants from the security teams behind Chrome, Firefox, Internet Explorer, Flash, and PayPal. During his years in academia he was elected best computer science teacher twice and nowadays gives 5-10 professional talks per year.<br><br />
<br><br />
<br><br />
<br />
<div id="DanCornell"></div><br />
<br />
=== Streamlining Application Vulnerability Management: Communication Between Development and Security Teams, by Dan Cornell (Denim Group) ===<br />
''Abstract:''<br><br />
Identifying application-level vulnerabilities via scanning, penetration tests and code reviews is only the first step in actually addressing the underlying risk. Managing vulnerabilities for applications is more challenging than dealing with traditional infrastructure-level vulnerabilities because they typically require the coordination of security teams with application development teams. The process also means that security managers need to get time from developers during already-cramped development and release schedules. In addition, fixes require changes to custom application code and application-specific business logic rather than the patches and configuration changes that are often sufficient to address infrastructure-level vulnerabilities. This presentation will illustrate the communication difficulties between security and development teams, and how this usually results in unactionable reports and fewer vulnerabilities remediated. In addition, the presentation will walk through an example workflow of addressing application vulnerabilities as software defects. This will be based on freely-available tools and show specific examples of how vulnerabilities can be grouped together, false positives can be culled out, and vulnerabilities transitioned to software defects, as well as how security managers can monitor and verify progress.<br><br />
<br><br />
''Bio:''<br><br />
''Dan Cornell has over fifteen years of experience architecting and developing web-based software systems. He leads Denim Group’s security research team in investigating the application of secure coding and development techniques to improve web-based software development methodologies.<br><br />
Dan was the founding coordinator and chairman for the Java Users Group of San Antonio (JUGSA) and currently serves as the OWASP San Antonio chapter leader, member of the OWASP Global Membership Committee and co-lead of the OWASP Open Review Project. Dan has spoken at such international conferences as RSA, OWASP AppSec USA, and OWASP EU Research in Greece.''<br><br />
<br><br />
<br><br />
<br />
<div id="DinisCruz"></div><br />
=== Making Security Invisible by Becoming the Developer’s Best Friends, by Dinis Cruz (Security Innovation) ===<br />
''Abstract:''<br><br />
''Coming soon!''<br><br />
<br><br />
''Bio:''<br><br />
Dinis Cruz is a Security Consultant based in London (UK) and specialized in: ASP.NET/J2EE Application Security, Application Security audits and .NET Security Curriculum Development.<br><br />
For the past years Dinis has focused on the field of Static Source Code analysis, from May 2007 to Dec 2009 he worked as a independent consultant for Ounce Labs (bought by IBM in July 2009) where during active security engagements using Ounce's technology he developed the Open Source codebase which now is the foundation of the OWASP O2 Platform.<br><br />
Dinis is currently focused on making the O2 Platform the industry standard for consuming, instrumenting and data-sharing between the multiple WebAppSec tools, the Security consultants and the final developers. Dinis is a also active trainer on .Net security having written and delivered courses for IOActive, Foundstone, Intense School and KPMG (at multiple locations including BlackHat), and has delivered a number of presentations and keynote speeches at multiple OWASP and Security related conferences.<br><br />
At OWASP, Dinis is the leader of the OWASP O2 Platform project<br><br />
<br><br />
<br><br />
<br />
=== Panel discussion about the legal aspects of penetration testing ===<br />
''with Steven Wierckx, Luc Beirens, Jos Dumortier, Dieter Sarrazyn, ...''<br><br><br />
''Abstract:''<br> In the past couple of years security has become a more visible topic in the media. As a result many companies are asking for security reviews in the form of a penetration test. A lot of entrepreneurs took the opportunity to form teams and/or companies that provide such services. There seems to be a lack of clear (standard) legal documentation to cover these activities both for the penetration tester and the company under review. With this panel discussion we would like to discuss this situation and to see if there is a possibility to have a standard document or framework that can be used as a starting point for companies and professionals to use as a contract. The purpose would be to end up with a (set of) documents similar to the “Testaankoop standard huurcontract”, this is a well-known Belgian contract framework for renting a house where both parties are protected and that is clear to both parties. It can be used without further legal intervention.<br><br />
<br><br />
<li>''Bio Steven Wierckx, ps_testware:''<br><br />
Steven Wierckx is currently working as Security Tester for [http://www.pstestware.com/ ps_testware], he specialises in web application security and keeps a security related blog [http://www.ihackforfun.eu/ ihackforfun]. He is also wrting articles and doing technical reviews for PenTest Magazine.<br><br />
<br><br />
<li>''Bio Luc Beirens, FCCU:''<br><br />
Head of Belgian Federal Computer Crime Unit & Chair EU Cybercrime Task Force trying to create partnerships and circumstances for a safer cyberspace.<br><br />
<br><br />
<li>''Bio Jos Dumortier, ICRI:''<br><br />
Jos Dumortier is Professor of ICT Law at the University of Leuven (Belgium) and the Director of the Interdisciplinary Research Centre for ICT and Law (ICRI) (www.icri.be). With his research team he participates in a series of R & D projects in the domain of telemedicine.<br><br />
He is also a member of the Bar of Brussels and partner in “time.lex”, a law firm specialized in information and technology law (www.timelex.eu).<br><br />
He participates in the boards of several national and international scientific and business associations and is a member of various editorial and program committees. <br><br />
He is the editor of the International Encyclopedia of Cyber Law and the author of more than one hundred books and articles on legal issues related to the information society.<br><br />
Jos Dumortier has taken the lead in a large number of European studies and projects in the area of information security, privacy and identity management. He worked on an assignment of the European Commission (DG INFSO) for a study on the legal obstacles for interoperable eHealth in Europe and on several studies for the Flemish government related to the implementation of a regional eHealth platform. He is also a member of the Flemish data protection supervisory authority for the health sector.<br><br />
<br><br />
<li>''Bio Dieter Sarrazyn, PWC:''<br><br />
Dieter is a senior manager and consultant within PwC and a team leader for Risk Management assessment services. His main focus is in performing penetration tests (external as well as internal), performing security audits, creating and evaluating security architectures,and creating and setting up vulnerability management frameworks & tools. He is a Certified Information Systems Security Professional (CISSP), a Certified Intrusion Analyst (GCIA), a Certified Incident Handling Analyst (GCIH), a Certified Intrusion Analyst (GCIA) a GIAC Systems and Network Auditor (GSNA). Dieter is also SANS Local Mentor and SANS Community Teacher<br><br />
<br><br />
<br><br />
<br />
<!-- Sixth tab --><br />
<br />
= Social Event =<br />
<br />
==== Social Event, November 29th ====<br />
<br />
==== <B>Important Update</B> ====<br />
The brewery visit is limit to 60 people. Therefor, the 60 first registered people that indicated interest in the social event have been invited to participate. Any remaining tickets will be offered on Thursday around noon at the registration desk.<br />
<br />
If you are going by car, there are paid parkings under the Railway station and at Kinepolis (follow the parking signs). If you want to go there from the venue without car, the best way to get there is to take bus No.2 that leaves next to the building and drives to the Railway station. From there, it is a 300 m. walk to the brewery.<br />
<br />
All other people (and the people of the brewery tour after that has finished) are warmly invited to join us in the Downtown Jack, a pub with a number of pool and snooker tables. 5 pool tables have been exclusively reserved for us from 20h00 onwards. You can also have a drink and eat something there if you like.<br />
<br />
The address: Parkstraat 40, 3000 Leuven (see http://www.downtownjack.be/)<br />
<br />
==== <B>Brewery Visit Information</B> ====<br />
The social event will take place at the InBev Brewery in Leuven, where there will be a guided tour and a beer tasting.<br><br />
Unfortunately, the tour is limited to 60 people. Since we have more registered people than places, we will soon announce how we will<br />
proceed.<br><br />
If you decide not to join, please inform the Benelux organisation, other participants will be happy to join.<br><br />
<br><br />
'''The entrance fee for the tour is 10 EUR'''. <br><br />
This amount will have to be paid to the Benelux organisation at the registration desk or upon entry in cash (please use correct notes).<br><br />
<br><br />
Below is the address where the event takes place. You can take your car, bus number 2 or a taxi to reach this.<br> '''The tour starts at 19h30 sharp'''.<br><br />
<br><br />
'''Address:''' <br><br />
Vuurkruisenlaan z/n <br><br />
3000 Leuven<br><br />
<br><br />
'''From the station:'''<br><br />
Take the street 'Diestepoort' (this street is parrallel with the railway behind the building)and walk straight through. You can see the brewery at the end of the street.<br><br />
'''By car:'''<br><br />
From the street diestesteenweg or beckeremieplein head to the railroadbridge. At the crossroad take first right, this is the entrance of the brewery. from the expressway R23 head to the Hotel ''NOVOTEL''. Take the street left from ''NOVOTEL'', this is the ''vuurkruisenlaan''. On your left side you can see the brewery. At the<br />
next crossroad take the first left, this is the entrance of the brewery.<br><br />
<br><br />
'''ENTRANCE BREWERY:'''<br><br />
is also the entrance for the trucks, next to the railroadbridge.<br><br />
We will meet at the entrance at 19h30 where the tour will start.<br><br><br />
<br />
<br />
<!-- Seventh tab --><br />
<br />
= CTF =<br />
<br />
==== Capture the Flag! ====<br />
<br />
* Do you like puzzles? <br />
* Do you like challenges? <br />
* Are you a hacker?<br />
<br />
Whether you are an experienced hacker or new enthusiast you should come to OWASP BeNeLux 2012 and participate in the Capture the Flag event November 30th 2012. <br />
<br />
The OWASP CTF is especially designed to support challengers of all skill levels. The CTF contains multiple challenges in various fields related to application security. As every challenge gains you one point, you can pick and choose which challenge you want to play.<br />
<br />
All you need is a laptop with a wifi card and your favorite (preferably) non-commercial tools. <br />
<br />
So come, show off your skills, learn new tricks and above all have a good time at the CTF event. <br />
<br />
<br />
<!-- Eighth tab --><br />
<br />
= Sponsor =<br />
<br />
==== Become a sponsor of OWASP BeNeLux ====<br />
<br />
==== Donate to OWASP BeNeLux ====<br />
<br />
<paypal>BeNeLux OWASP Day 2012</paypal> <br />
<br />
<br />
==== Promotion ====<br />
''Feel free to use the text below to promote our event!''<br />
<br />
We invite you to our next OWASP event: the '''BeNeLux OWASP Days 2012!'''<br />
<br />
Free your agenda on the 29th and 30th of November, 2012.<br />
<br />
The good news: free! No fee!<br />
<br />
The bad news: there are only 280 seats available (first register, first serve)!<br />
<br />
<br />
<!-- Don't remove these two lines! --><br />
__NOTOC__ <br />
<headertabs/><br />
<br />
<br />
==== Hosted and co-organized by: ====<br />
<br />
[http://distrinet.cs.kuleuven.be https://www.owasp.org/images/4/4a/Logo_distrinet.png]<br />
[http://www.nessos-project.eu/ https://www.owasp.org/images/5/52/Nessos.png]<br />
<br />
==== Made possible by our {{#switchtablink:Sponsor|Sponsors}}====<br />
<br />
==== OWASP Member Sponsor: ====<br />
{{MemberLinks|link=http://www.pwc.com/|logo=PWC_log_resized.png}} <br />
<br />
==== OWASP BeNeLux 2012 Sponsors: ====<br />
[http://www.madisongurkha.nl https://www.owasp.org/images/6/6e/Madison-gurkha-logo.jpg]<br />
[http://www.sogeti.nl https://www.owasp.org/images/9/94/Sogeti_logo.png]<br />
[http://www.vest.nl https://www.owasp.org/images/1/1d/Logo_Vest_BIG_170.gif]<br />
<br><br />
[http://www.iminds.be https://www.owasp.org/images/thumb/a/a1/Iminds-logo.png/200px-Iminds-logo.png]<br />
[http://www.zionsecurity.com https://www.owasp.org/images/e/e6/Zionsecurity.jpg]<br />
[http://on2it.net https://www.owasp.org/images/3/3d/On2it-sponsor.png]<br />
<br><br />
<br />
<br />
[[Category:OWASP_AppSec_Conference]] [[Category:OWASP_BeNeLux_Archives]]</div>Favroomhttps://wiki.owasp.org/index.php?title=Netherlands&diff=151137Netherlands2013-05-07T19:47:56Z<p>Favroom: </p>
<hr />
<div>{{Chapter Template|chaptername=Netherlands|extra=|mailinglistsite=http://lists.owasp.org/mailman/listinfo/owasp-netherlands|emailarchives=http://lists.owasp.org/pipermail/owasp-netherlands}} <br />
<br />
<br />
<paypal>Netherlands</paypal><br />
<br />
<!-- First tab --><br />
<br />
= Local News =<br />
<br />
;Registration to our next OWASP Netherlands Chapter meeting is now open!<br />
<br />
;Slide Decks from recent Chapter meetings can be downloaded from the [https://www.owasp.org/index.php/Netherlands_Previous_Events_2013 Past Events page].<br />
<br />
;'''Provisional 2013 Chapter Event Calendar'''<br />
*[[Netherlands May 14, 2013]] <b>[http://goo.gl/hajk2 Please register here]</b> [[Media:OWASP Netherlands Chapter Meeting 2013-04-10.pdf | flyer]]<br />
*June 27th, 2013<br />
*September 12th, 2013<br />
*November 7th, 2013<br />
*November 28th and 29th, 2013: [https://www.owasp.org/index.php?title=BeNeLux_OWASP_Day_2013 OWASP Benelux Conference]<br />
<br />
;'''Other OWASP Events'''<br />
;'''[https://www.owasp.org/index.php/AppSecEU2013 AppSec-EU Hambug August 2th to 23rd 2013]'''<br />
;'''[http://appsecusa.org/2013/ AppSec-USA New York November 18th to 21st 2013]'''<br />
<br />
;'''Call for Presentations'''<br />
;[https://docs.google.com/a/owasp.org/spreadsheet/viewform?formkey=dGs1UFN0Ul9YR1pRcGdYRmtYallraUE6MQ#gid=0 OWASP NL Chapter Call For Presentation]<br />
<br />
<br />
[[File:Follow-us-on-twitter.png|frameless|100px|link=http://www.twitter.com/owasp_NL]]<br />
<br />
<!-- Second tab --><br />
<br />
= Calendar =<br />
<br />
=== Provisional Chapter Event Calendar 2013 ===<br />
<br />
*<strike> January 31st, 2013 </strike> <br />
*<strike> March 7th, 2013</strike> [[Media:OWASP Netherlands Chapter Meeting 2013-03-07.pdf | flyer]] <br />
*<strike> March 13th, 2013</strike> [[Media:OWASP Netherlands Chapter Meeting 2013-03-13.pdf | flyer]]<br />
*<strike> April 10th, 2013</strike> [[Media:OWASP Netherlands Chapter Meeting 2013-04-10.pdf | flyer]]<br />
*<strike> May 14, 2013</strike> [[Media:OWASP Netherlands Chapter Meeting 2013-04-10.pdf | flyer]]<br />
*June 27th, 2013<br />
*September 12th, 2013<br />
*November 7th, 2012<br />
*November 28th and 29th, 2013 [https://www.owasp.org/index.php?title=BeNeLux_OWASP_Day_2013 OWASP Benelux Conference in the Netherlands!]'''<br />
<br />
<!-- Third tab --><br />
<br />
= Past Events =<br />
*Events held in [[Netherlands Previous Events 2013|2013]]<br />
*Events held in [[Netherlands Previous Events 2012|2012]]<br />
*Events held in [[Netherlands Previous Events 2011|2011]]<br />
*Events held in [[Netherlands Previous Events 2010|2010]] <br />
*Events held in [[Netherlands Previous Events 2009|2009]] <br />
*Events held in [[Netherlands Previous Events 2008|2008]] <br />
*Events held in [[Netherlands Previous Events 2007|2007]] <br />
*Events held in [[Netherlands Previous Events 2006|2006]] <br />
*Events held in [[Netherlands Previous Events 2005|2005]]<br />
<br />
<!-- Fourth tab --><br />
<br />
= Chapter Leaders =<br />
<br />
The Netherlands Chapter is supported by the following board: <br />
<br />
*[https://www.owasp.org/index.php/User:Ferdinand_Vroom Ferdinand Vroom]<br />
*[https://www.owasp.org/index.php/User:Knoblochmartin Martin Knobloch], PervaSec<br />
<br />
<br> <br />
<br />
*[mailto:netherlands@owasp.org OWASP Netherlands], OWASP Netherlands board email adres<br />
<br />
Our goal is to professionalize the local OWASP functioning, provide in a bigger footprint to detect OWASP opportunities such as speakers/topics/sponsors/… and set a 5 year target on: Target audiences, Different events and Interactions of OWASP global – local projects. <br />
<br />
<!-- Fifth and last tab --><br />
<br />
= Chapter Support =<br />
<br />
=== Chapter Sponsoring ===<br />
<br />
OWASP Netherlands is looking for organizations to sponsor our chapter. <br />
If you are interested in sponsoring the Netherlands chapter please contact us via email: [mailto:netherlands@owasp.org netherlands 'at' owasp.org]. <br />
<br />
=== Donation ===<br />
<br />
If you would like to donate to our chapter, please use the PayPal link at the top of this page.<br />
Thank you!<br />
<br />
=== Call for Speakers ===<br />
<br />
We are continuously looking for speakers.<br>'''Presentations:''' Are you working on an interesting subject, would you like to share your experience with the OWASP community and do you have presentation skills. Please let us know! Any topic related to web application security will be appreciated!<br>'''VAC, Vulnerability, Attack, Countermeasure:''' The VAC is a re occuring part of the chapter meetings. The VAC is a half hour in-depth technical presentation about a vulnerability, how it can be exploited and how to prevent it!<br> <br />
<br />
<span style="font-weight: bold;">Links: </span> <br />
<br />
[http://www.owasp.org/index.php/Speaker_Agreement Speaker Agreement] <br />
<br />
[http://www.owasp.org/images/5/54/Presentation_template.ppt Template] <br />
<br />
Interested in presenting at a local chapter meeting, please send an email to: netherlands 'at' owasp.org <br />
<br />
=== Call for Location ===<br />
<br />
For the OWASP Netherlands chapter meetings to come, we are continuously looking for locations! <br />
<br />
Most preferable, the location is good accessible with public transport and by car. Free parking should be provided. <br />
<br />
What do we expect: <br />
<br />
*meeting room for at least 50 people <br />
*lunch for attendees <br />
**drinks, sandwiches... <br />
*a small present for the speakers <br />
**(e.g. bottle of wine, for speakers from aboard alcohol might be less practical if flying in only with hand luggage)<br />
<br />
Interested in sponsoring a local chapter meeting, please send an email to: netherlands 'at' owasp.org <br />
<!-- Don't remove this tag --><br />
__NOTOC__ <br />
<headertabs/><br />
<br />
<br />
Our structural Chapter and OWASP Benelux Days 2012 supporters: <br />
<br />
[http://www.madisongurkha.nl https://www.owasp.org/images/6/6e/Madison-gurkha-logo.jpg]<br />
[http://www.sogeti.nl https://www.owasp.org/images/9/94/Sogeti_logo.png]<br />
[http://www.vest.nl https://www.owasp.org/images/1/1d/Logo_Vest_BIG_170.gif]<br />
<br />
[[Category:Europe]]</div>Favroomhttps://wiki.owasp.org/index.php?title=Netherlands&diff=149898Netherlands2013-04-15T19:22:34Z<p>Favroom: </p>
<hr />
<div>{{Chapter Template|chaptername=Netherlands|extra=|mailinglistsite=http://lists.owasp.org/mailman/listinfo/owasp-netherlands|emailarchives=http://lists.owasp.org/pipermail/owasp-netherlands}} <br />
<br />
<br />
<paypal>Netherlands</paypal><br />
<br />
<!-- First tab --><br />
<br />
= Local News =<br />
<br />
;Registration to our next OWASP Netherlands Chapter meeting is now open!<br />
[http://goo.gl/hajk2 Please register here]<br />
[https://www.owasp.org/index.php/Netherlands_May_14,_2013 The Program can be found here]<br />
<br />
;Slide Decks from recent Chapter meetings can be downloaded from the [https://www.owasp.org/index.php/Netherlands_Previous_Events_2013 Past Events page].<br />
<br />
;'''Provisional 2013 Chapter Event Calendar'''<br />
*May 14th, 2013<br />
*June 27th, 2013<br />
*September 12th, 2013<br />
*November 7th, 2013<br />
*November 28th and 29th, 2013: [https://www.owasp.org/index.php?title=BeNeLux_OWASP_Day_2013 OWASP Benelux Conference]<br />
<br />
;'''Other OWASP Events'''<br />
;'''[https://www.owasp.org/index.php/AppSecEU2013 AppSec-EU Hambug August 2th to 23rd 2013]'''<br />
;'''[http://appsecusa.org/2013/ AppSec-USA New York November 18th to 21st 2013]'''<br />
<br />
;'''Call for Presentations'''<br />
;[https://docs.google.com/a/owasp.org/spreadsheet/viewform?formkey=dGs1UFN0Ul9YR1pRcGdYRmtYallraUE6MQ#gid=0 OWASP NL Chapter Call For Presentation]<br />
<br />
<br />
[[File:Follow-us-on-twitter.png|frameless|100px|link=http://www.twitter.com/owasp_NL]]<br />
<br />
<!-- Second tab --><br />
<br />
= Calendar =<br />
<br />
=== Provisional Chapter Event Calendar 2013 ===<br />
<br />
*<strike> January 31st, 2013 </strike> <br />
*<strike> March 7th, 2013</strike> [[Media:OWASP Netherlands Chapter Meeting 2013-03-07.pdf | flyer]] <br />
*<strike> March 13th, 2013</strike> [[Media:OWASP Netherlands Chapter Meeting 2013-03-13.pdf | flyer]]<br />
*<strike> April 10th, 2013</strike> [[Media:OWASP Netherlands Chapter Meeting 2013-04-10.pdf | flyer]]<br />
*May 14th, 2013<br />
*June 27th, 2013<br />
*September 12th, 2013<br />
*November 7th, 2012<br />
*November 28th and 29th, 2013 [https://www.owasp.org/index.php?title=BeNeLux_OWASP_Day_2013 OWASP Benelux Conference in the Netherlands!]'''<br />
<br />
<!-- Third tab --><br />
<br />
= Past Events =<br />
*Events held in [[Netherlands Previous Events 2013|2013]]<br />
*Events held in [[Netherlands Previous Events 2012|2012]]<br />
*Events held in [[Netherlands Previous Events 2011|2011]]<br />
*Events held in [[Netherlands Previous Events 2010|2010]] <br />
*Events held in [[Netherlands Previous Events 2009|2009]] <br />
*Events held in [[Netherlands Previous Events 2008|2008]] <br />
*Events held in [[Netherlands Previous Events 2007|2007]] <br />
*Events held in [[Netherlands Previous Events 2006|2006]] <br />
*Events held in [[Netherlands Previous Events 2005|2005]]<br />
<br />
<!-- Fourth tab --><br />
<br />
= Chapter Leaders =<br />
<br />
The Netherlands Chapter is supported by the following board: <br />
<br />
*[https://www.owasp.org/index.php/User:Ferdinand_Vroom Ferdinand Vroom]<br />
*[https://www.owasp.org/index.php/User:Knoblochmartin Martin Knobloch], PervaSec<br />
<br />
<br> <br />
<br />
*[mailto:netherlands@owasp.org OWASP Netherlands], OWASP Netherlands board email adres<br />
<br />
Our goal is to professionalize the local OWASP functioning, provide in a bigger footprint to detect OWASP opportunities such as speakers/topics/sponsors/… and set a 5 year target on: Target audiences, Different events and Interactions of OWASP global – local projects. <br />
<br />
<!-- Fifth and last tab --><br />
<br />
= Chapter Support =<br />
<br />
=== Chapter Sponsoring ===<br />
<br />
OWASP Netherlands is looking for organizations to sponsor our chapter. <br />
If you are interested in sponsoring the Netherlands chapter please contact us via email: [mailto:netherlands@owasp.org netherlands 'at' owasp.org]. <br />
<br />
=== Donation ===<br />
<br />
If you would like to donate to our chapter, please use the PayPal link at the top of this page.<br />
Thank you!<br />
<br />
=== Call for Speakers ===<br />
<br />
We are continuously looking for speakers.<br>'''Presentations:''' Are you working on an interesting subject, would you like to share your experience with the OWASP community and do you have presentation skills. Please let us know! Any topic related to web application security will be appreciated!<br>'''VAC, Vulnerability, Attack, Countermeasure:''' The VAC is a re occuring part of the chapter meetings. The VAC is a half hour in-depth technical presentation about a vulnerability, how it can be exploited and how to prevent it!<br> <br />
<br />
<span style="font-weight: bold;">Links: </span> <br />
<br />
[http://www.owasp.org/index.php/Speaker_Agreement Speaker Agreement] <br />
<br />
[http://www.owasp.org/images/5/54/Presentation_template.ppt Template] <br />
<br />
Interested in presenting at a local chapter meeting, please send an email to: netherlands 'at' owasp.org <br />
<br />
=== Call for Location ===<br />
<br />
For the OWASP Netherlands chapter meetings to come, we are continuously looking for locations! <br />
<br />
Most preferable, the location is good accessible with public transport and by car. Free parking should be provided. <br />
<br />
What do we expect: <br />
<br />
*meeting room for at least 50 people <br />
*lunch for attendees <br />
**drinks, sandwiches... <br />
*a small present for the speakers <br />
**(e.g. bottle of wine, for speakers from aboard alcohol might be less practical if flying in only with hand luggage)<br />
<br />
Interested in sponsoring a local chapter meeting, please send an email to: netherlands 'at' owasp.org <br />
<!-- Don't remove this tag --><br />
__NOTOC__ <br />
<headertabs/><br />
<br />
<br />
Our structural Chapter and OWASP Benelux Days 2012 supporters: <br />
<br />
[http://www.madisongurkha.nl https://www.owasp.org/images/6/6e/Madison-gurkha-logo.jpg]<br />
[http://www.sogeti.nl https://www.owasp.org/images/9/94/Sogeti_logo.png]<br />
[http://www.vest.nl https://www.owasp.org/images/1/1d/Logo_Vest_BIG_170.gif]<br />
<br />
[[Category:Europe]]</div>Favroomhttps://wiki.owasp.org/index.php?title=Netherlands&diff=149896Netherlands2013-04-15T19:21:06Z<p>Favroom: </p>
<hr />
<div>{{Chapter Template|chaptername=Netherlands|extra=|mailinglistsite=http://lists.owasp.org/mailman/listinfo/owasp-netherlands|emailarchives=http://lists.owasp.org/pipermail/owasp-netherlands}} <br />
<br />
<br />
<paypal>Netherlands</paypal><br />
<br />
<!-- First tab --><br />
<br />
= Local News =<br />
<br />
;Registration to our next OWASP Netherlands Chapter meeting is now open!<br />
[http://goo.gl/hajk2 Please register here]<br />
<br />
;Slide Decks from recent Chapter meetings can be downloaded from the [https://www.owasp.org/index.php/Netherlands_Previous_Events_2013 Past Events page].<br />
<br />
;'''Provisional 2013 Chapter Event Calendar'''<br />
*May 14th, 2013<br />
*June 27th, 2013<br />
*September 12th, 2013<br />
*November 7th, 2013<br />
*November 28th and 29th, 2013: [https://www.owasp.org/index.php?title=BeNeLux_OWASP_Day_2013 OWASP Benelux Conference]<br />
<br />
;'''Other OWASP Events'''<br />
;'''[https://www.owasp.org/index.php/AppSecEU2013 AppSec-EU Hambug August 2th to 23rd 2013]'''<br />
;'''[http://appsecusa.org/2013/ AppSec-USA New York November 18th to 21st 2013]'''<br />
<br />
;'''Call for Presentations'''<br />
;[https://docs.google.com/a/owasp.org/spreadsheet/viewform?formkey=dGs1UFN0Ul9YR1pRcGdYRmtYallraUE6MQ#gid=0 OWASP NL Chapter Call For Presentation]<br />
<br />
<br />
[[File:Follow-us-on-twitter.png|frameless|100px|link=http://www.twitter.com/owasp_NL]]<br />
<br />
<!-- Second tab --><br />
<br />
= Calendar =<br />
<br />
=== Provisional Chapter Event Calendar 2013 ===<br />
<br />
*<strike> January 31st, 2013 </strike> <br />
*<strike> March 7th, 2013</strike> [[Media:OWASP Netherlands Chapter Meeting 2013-03-07.pdf | flyer]] <br />
*<strike> March 13th, 2013</strike> [[Media:OWASP Netherlands Chapter Meeting 2013-03-13.pdf | flyer]]<br />
*<strike> April 10th, 2013</strike> [[Media:OWASP Netherlands Chapter Meeting 2013-04-10.pdf | flyer]]<br />
*May 14th, 2013<br />
*June 27th, 2013<br />
*September 12th, 2013<br />
*November 7th, 2012<br />
*November 28th and 29th, 2013 [https://www.owasp.org/index.php?title=BeNeLux_OWASP_Day_2013 OWASP Benelux Conference in the Netherlands!]'''<br />
<br />
<!-- Third tab --><br />
<br />
= Past Events =<br />
*Events held in [[Netherlands Previous Events 2013|2013]]<br />
*Events held in [[Netherlands Previous Events 2012|2012]]<br />
*Events held in [[Netherlands Previous Events 2011|2011]]<br />
*Events held in [[Netherlands Previous Events 2010|2010]] <br />
*Events held in [[Netherlands Previous Events 2009|2009]] <br />
*Events held in [[Netherlands Previous Events 2008|2008]] <br />
*Events held in [[Netherlands Previous Events 2007|2007]] <br />
*Events held in [[Netherlands Previous Events 2006|2006]] <br />
*Events held in [[Netherlands Previous Events 2005|2005]]<br />
<br />
<!-- Fourth tab --><br />
<br />
= Chapter Leaders =<br />
<br />
The Netherlands Chapter is supported by the following board: <br />
<br />
*[https://www.owasp.org/index.php/User:Ferdinand_Vroom Ferdinand Vroom]<br />
*[https://www.owasp.org/index.php/User:Knoblochmartin Martin Knobloch], PervaSec<br />
<br />
<br> <br />
<br />
*[mailto:netherlands@owasp.org OWASP Netherlands], OWASP Netherlands board email adres<br />
<br />
Our goal is to professionalize the local OWASP functioning, provide in a bigger footprint to detect OWASP opportunities such as speakers/topics/sponsors/… and set a 5 year target on: Target audiences, Different events and Interactions of OWASP global – local projects. <br />
<br />
<!-- Fifth and last tab --><br />
<br />
= Chapter Support =<br />
<br />
=== Chapter Sponsoring ===<br />
<br />
OWASP Netherlands is looking for organizations to sponsor our chapter. <br />
If you are interested in sponsoring the Netherlands chapter please contact us via email: [mailto:netherlands@owasp.org netherlands 'at' owasp.org]. <br />
<br />
=== Donation ===<br />
<br />
If you would like to donate to our chapter, please use the PayPal link at the top of this page.<br />
Thank you!<br />
<br />
=== Call for Speakers ===<br />
<br />
We are continuously looking for speakers.<br>'''Presentations:''' Are you working on an interesting subject, would you like to share your experience with the OWASP community and do you have presentation skills. Please let us know! Any topic related to web application security will be appreciated!<br>'''VAC, Vulnerability, Attack, Countermeasure:''' The VAC is a re occuring part of the chapter meetings. The VAC is a half hour in-depth technical presentation about a vulnerability, how it can be exploited and how to prevent it!<br> <br />
<br />
<span style="font-weight: bold;">Links: </span> <br />
<br />
[http://www.owasp.org/index.php/Speaker_Agreement Speaker Agreement] <br />
<br />
[http://www.owasp.org/images/5/54/Presentation_template.ppt Template] <br />
<br />
Interested in presenting at a local chapter meeting, please send an email to: netherlands 'at' owasp.org <br />
<br />
=== Call for Location ===<br />
<br />
For the OWASP Netherlands chapter meetings to come, we are continuously looking for locations! <br />
<br />
Most preferable, the location is good accessible with public transport and by car. Free parking should be provided. <br />
<br />
What do we expect: <br />
<br />
*meeting room for at least 50 people <br />
*lunch for attendees <br />
**drinks, sandwiches... <br />
*a small present for the speakers <br />
**(e.g. bottle of wine, for speakers from aboard alcohol might be less practical if flying in only with hand luggage)<br />
<br />
Interested in sponsoring a local chapter meeting, please send an email to: netherlands 'at' owasp.org <br />
<!-- Don't remove this tag --><br />
__NOTOC__ <br />
<headertabs/><br />
<br />
<br />
Our structural Chapter and OWASP Benelux Days 2012 supporters: <br />
<br />
[http://www.madisongurkha.nl https://www.owasp.org/images/6/6e/Madison-gurkha-logo.jpg]<br />
[http://www.sogeti.nl https://www.owasp.org/images/9/94/Sogeti_logo.png]<br />
[http://www.vest.nl https://www.owasp.org/images/1/1d/Logo_Vest_BIG_170.gif]<br />
<br />
[[Category:Europe]]</div>Favroomhttps://wiki.owasp.org/index.php?title=Netherlands_May_14,_2013&diff=149886Netherlands May 14, 20132013-04-15T18:37:42Z<p>Favroom: </p>
<hr />
<div>= May 14, 2013 =<br />
"In this Chapter meeting you will learn how to protect your password storage and how to take down bots in a peer to peer network"<br />
<br />
==Programme==<br />
:18:30 - 19:15 Registration & Pizza<br />
:19:15 - 20:00 Securing Password Storage - Tiago Teles<br />
:20:00 - 20:15 Break<br />
:20:15 - 21:00 Neutralizing Peer-to-Peer Botnets - Dennis Andriesse<br />
:21:00 - 21:30 Networking<br />
==Presentations==<br />
===Securing Password Storage - Increasing Resistance to Brute Force Attacks===<br />
By Tiago Teles.<br />
<br />
In this talk Tiago Teles takes apart password protection scheme analyzing the attack<br />
resistance of hashes, hmacs, adaptive hashes (such as script), and encryption<br />
schemes. First, we present a threat model for password storage. Then audience<br />
members will learn the construction, performance, and protective properties of these<br />
primitives. Discussion of the primitives will be from a critical perspective modeled as<br />
an iterative secure design session.<br />
Ultimately, this session presents the solution and code donated as part of the on-<br />
going OWASP PSM (password storage module) project. Discussion of this solution<br />
will include key techniques for hardening PSM learned through years of delivering<br />
production JavaEE code to customers...<br />
<br />
===Neutralizing Peer-to-Peer Botnets===<br />
By Dennis Andriesse.<br />
<br />
This presentation is a case study on our takedown efforts against state-of-the-art peer-to-peer botnets.<br />
Unlike conventional botnets, peer-to-peer botnets are decentralized, and thus cannot be disabled by neutralizing centralized control facilities. Takedowns against peer-to-peer botnets require a highly decentralized approach targeting the infected drones themselves. We describe the technical and ethical challenges we faced in our own takedown attempts.<br />
<br />
==Speakers==<br />
===Tiago Teles===<br />
Tiago Teles is a Technical Consultant with 7 years of experience in clients across<br />
different sectors and countries, including banking, insurance, telecommunications<br />
and commercial organizations in a variety of roles, Development, Business<br />
Intelligence, Quality Assurance and Delivering Training.<br />
<br />
===Dennis Andriesse===<br />
Dennis Andriesse is a Ph.D. candidate in the System and Network Security Group at VU University Amsterdam. His research focuses on binary code (de)obfuscation and reverse engineering techniques. Next to that, he is also interested in advanced malware, particularly in the resilience of peer-to-peer botnets.<br />
<br />
==Venue==<br />
Avans Hogeschool<br />
Room: OB007<br />
Onderwijsboulevard 215<br />
5223 DE 's-Hertogenbosch<br />
<br />
==Sponsor==</div>Favroomhttps://wiki.owasp.org/index.php?title=Netherlands_May_14,_2013&diff=149885Netherlands May 14, 20132013-04-15T18:32:54Z<p>Favroom: </p>
<hr />
<div>= May 14, 2013 =<br />
"In this Chapter meeting you will learn how to protect your password storage and how to take down bots in a peer to peer network"<br />
<br />
==Programme==<br />
:18:30 - 19:15 Registration & Pizza<br />
:19:15 - 20:00 <br />
:20:00 - 20:15 Break<br />
:20:15 - 21:00 <br />
:21:00 - 21:30 Networking<br />
==Presentations==<br />
===Securing Password Storage - Increasing Resistance to Brute Force Attacks===<br />
By Tiago Teles.<br />
<br />
In this talk Tiago Teles takes apart password protection scheme analyzing the attack<br />
resistance of hashes, hmacs, adaptive hashes (such as script), and encryption<br />
schemes. First, we present a threat model for password storage. Then audience<br />
members will learn the construction, performance, and protective properties of these<br />
primitives. Discussion of the primitives will be from a critical perspective modeled as<br />
an iterative secure design session.<br />
Ultimately, this session presents the solution and code donated as part of the on-<br />
going OWASP PSM (password storage module) project. Discussion of this solution<br />
will include key techniques for hardening PSM learned through years of delivering<br />
production JavaEE code to customers...<br />
<br />
===Neutralizing Peer-to-Peer Botnets===<br />
By Dennis Andriesse.<br />
<br />
This presentation is a case study on our takedown efforts against state-of-the-art peer-to-peer botnets.<br />
Unlike conventional botnets, peer-to-peer botnets are decentralized, and thus cannot be disabled by neutralizing centralized control facilities. Takedowns against peer-to-peer botnets require a highly decentralized approach targeting the infected drones themselves. We describe the technical and ethical challenges we faced in our own takedown attempts.<br />
<br />
==Speakers==<br />
===Tiago Teles===<br />
Tiago Teles is a Technical Consultant with 7 years of experience in clients across<br />
different sectors and countries, including banking, insurance, telecommunications<br />
and commercial organizations in a variety of roles, Development, Business<br />
Intelligence, Quality Assurance and Delivering Training.<br />
<br />
===Dennis Andriesse===<br />
Dennis Andriesse is a Ph.D. candidate in the System and Network Security Group at VU University Amsterdam. His research focuses on binary code (de)obfuscation and reverse engineering techniques. Next to that, he is also interested in advanced malware, particularly in the resilience of peer-to-peer botnets.<br />
<br />
==Venue==<br />
Avans Hogeschool<br />
Room: OB007<br />
Onderwijsboulevard 215<br />
5223 DE 's-Hertogenbosch<br />
<br />
==Sponsor==</div>Favroomhttps://wiki.owasp.org/index.php?title=Netherlands_May_14,_2013&diff=149881Netherlands May 14, 20132013-04-15T18:04:51Z<p>Favroom: /* Sponsor */</p>
<hr />
<div>= May 14, 2013 =<br />
"In this Chapter meeting you will learn how to protect your password storage and how to take down bots in a peer to peer network"<br />
<br />
==Programme==<br />
:18:30 - 19:15 Registration & Pizza<br />
:19:15 - 20:00 <br />
:20:00 - 20:15 Break<br />
:20:15 - 21:00 <br />
:21:00 - 21:30 Networking<br />
==Presentations==<br />
===Neutralizing Peer-to-Peer Botnets===<br />
By Dennis Andriesse.<br />
<br />
This presentation is a case study on our takedown efforts against state-of-the-art peer-to-peer botnets.<br />
Unlike conventional botnets, peer-to-peer botnets are decentralized, and thus cannot be disabled by neutralizing centralized control facilities. Takedowns against peer-to-peer botnets require a highly decentralized approach targeting the infected drones themselves. We describe the technical and ethical challenges we faced in our own takedown attempts.<br />
<br />
===Securing Password Storage - Increasing Resistance to Brute Force Attacks===<br />
By Tiago Teles.<br />
<br />
In this talk Tiago Teles takes apart password protection scheme analyzing the attack<br />
resistance of hashes, hmacs, adaptive hashes (such as script), and encryption<br />
schemes. First, we present a threat model for password storage. Then audience<br />
members will learn the construction, performance, and protective properties of these<br />
primitives. Discussion of the primitives will be from a critical perspective modeled as<br />
an iterative secure design session.<br />
Ultimately, this session presents the solution and code donated as part of the on-<br />
going OWASP PSM (password storage module) project. Discussion of this solution<br />
will include key techniques for hardening PSM learned through years of delivering<br />
production JavaEE code to customers...<br />
<br />
==Speakers==<br />
===Dennis Andriesse===<br />
Dennis Andriesse is a Ph.D. candidate in the System and Network Security Group at VU University Amsterdam. His research focuses on binary code (de)obfuscation and reverse engineering techniques. Next to that, he is also interested in advanced malware, particularly in the resilience of peer-to-peer botnets.<br />
<br />
===Tiago Teles===<br />
Tiago Teles is a Technical Consultant with 7 years of experience in clients across<br />
different sectors and countries, including banking, insurance, telecommunications<br />
and commercial organizations in a variety of roles, Development, Business<br />
Intelligence, Quality Assurance and Delivering Training.<br />
<br />
==Venue==<br />
Avans Hogeschool<br />
Room: OB007<br />
Onderwijsboulevard 215<br />
5223 DE 's-Hertogenbosch<br />
<br />
==Sponsor==</div>Favroomhttps://wiki.owasp.org/index.php?title=Netherlands_May_14,_2013&diff=149880Netherlands May 14, 20132013-04-15T18:01:39Z<p>Favroom: </p>
<hr />
<div>= May 14, 2013 =<br />
"In this Chapter meeting you will learn how to protect your password storage and how to take down bots in a peer to peer network"<br />
<br />
==Programme==<br />
:18:30 - 19:15 Registration & Pizza<br />
:19:15 - 20:00 <br />
:20:00 - 20:15 Break<br />
:20:15 - 21:00 <br />
:21:00 - 21:30 Networking<br />
==Presentations==<br />
===Neutralizing Peer-to-Peer Botnets===<br />
By Dennis Andriesse.<br />
<br />
This presentation is a case study on our takedown efforts against state-of-the-art peer-to-peer botnets.<br />
Unlike conventional botnets, peer-to-peer botnets are decentralized, and thus cannot be disabled by neutralizing centralized control facilities. Takedowns against peer-to-peer botnets require a highly decentralized approach targeting the infected drones themselves. We describe the technical and ethical challenges we faced in our own takedown attempts.<br />
<br />
===Securing Password Storage - Increasing Resistance to Brute Force Attacks===<br />
By Tiago Teles.<br />
<br />
In this talk Tiago Teles takes apart password protection scheme analyzing the attack<br />
resistance of hashes, hmacs, adaptive hashes (such as script), and encryption<br />
schemes. First, we present a threat model for password storage. Then audience<br />
members will learn the construction, performance, and protective properties of these<br />
primitives. Discussion of the primitives will be from a critical perspective modeled as<br />
an iterative secure design session.<br />
Ultimately, this session presents the solution and code donated as part of the on-<br />
going OWASP PSM (password storage module) project. Discussion of this solution<br />
will include key techniques for hardening PSM learned through years of delivering<br />
production JavaEE code to customers...<br />
<br />
==Speakers==<br />
===Dennis Andriesse===<br />
Dennis Andriesse is a Ph.D. candidate in the System and Network Security Group at VU University Amsterdam. His research focuses on binary code (de)obfuscation and reverse engineering techniques. Next to that, he is also interested in advanced malware, particularly in the resilience of peer-to-peer botnets.<br />
<br />
===Tiago Teles===<br />
Tiago Teles is a Technical Consultant with 7 years of experience in clients across<br />
different sectors and countries, including banking, insurance, telecommunications<br />
and commercial organizations in a variety of roles, Development, Business<br />
Intelligence, Quality Assurance and Delivering Training.<br />
<br />
==Venue==<br />
Avans Hogeschool<br />
Room: OB007<br />
Onderwijsboulevard 215<br />
5223 DE 's-Hertogenbosch<br />
<br />
==Sponsor==<br />
[[[http://statischecontent.nl/img/etalage/92fd2d94-5328-4966-9ab5-5152d783ac12.jpg]]]</div>Favroomhttps://wiki.owasp.org/index.php?title=Netherlands_May_14,_2013&diff=149879Netherlands May 14, 20132013-04-15T17:58:59Z<p>Favroom: </p>
<hr />
<div>= May 14, 2013 =<br />
"In this Chapter meeting you will learn how to protect your password storage and how to take down bots in a peer to peer network"<br />
<br />
==Programme==<br />
:18:30 - 19:15 Registration & Pizza<br />
:19:15 - 20:00 <br />
:20:00 - 20:15 Break<br />
:20:15 - 21:00 <br />
:21:00 - 21:30 Networking<br />
==Presentations==<br />
===Neutralizing Peer-to-Peer Botnets===<br />
By Dennis Andriesse.<br />
<br />
This presentation is a case study on our takedown efforts against state-of-the-art peer-to-peer botnets.<br />
Unlike conventional botnets, peer-to-peer botnets are decentralized, and thus cannot be disabled by neutralizing centralized control facilities. Takedowns against peer-to-peer botnets require a highly decentralized approach targeting the infected drones themselves. We describe the technical and ethical challenges we faced in our own takedown attempts.<br />
<br />
===Securing Password Storage - Increasing Resistance to Brute Force Attacks===<br />
By Tiago Teles.<br />
<br />
In this talk Tiago Teles takes apart password protection scheme analyzing the attack<br />
resistance of hashes, hmacs, adaptive hashes (such as script), and encryption<br />
schemes. First, we present a threat model for password storage. Then audience<br />
members will learn the construction, performance, and protective properties of these<br />
primitives. Discussion of the primitives will be from a critical perspective modeled as<br />
an iterative secure design session.<br />
Ultimately, this session presents the solution and code donated as part of the on-<br />
going OWASP PSM (password storage module) project. Discussion of this solution<br />
will include key techniques for hardening PSM learned through years of delivering<br />
production JavaEE code to customers...<br />
<br />
==Speakers==<br />
===Dennis Andriesse===<br />
Dennis Andriesse is a Ph.D. candidate in the System and Network Security Group at VU University Amsterdam. His research focuses on binary code (de)obfuscation and reverse engineering techniques. Next to that, he is also interested in advanced malware, particularly in the resilience of peer-to-peer botnets.<br />
<br />
===Tiago Teles===<br />
Tiago Teles is a Technical Consultant with 7 years of experience in clients across<br />
different sectors and countries, including banking, insurance, telecommunications<br />
and commercial organizations in a variety of roles, Development, Business<br />
Intelligence, Quality Assurance and Delivering Training.<br />
<br />
==Venue==<br />
Avans Hogeschool<br />
Room: OB007<br />
Onderwijsboulevard 215<br />
5223 DE 's-Hertogenbosch<br />
<br />
==Sponsor==<br />
[[File:Avans.jpg]]</div>Favroomhttps://wiki.owasp.org/index.php?title=Netherlands_May_14,_2013&diff=149878Netherlands May 14, 20132013-04-15T17:41:36Z<p>Favroom: </p>
<hr />
<div>= May 14, 2013 =<br />
"In this Chapter meeting you will learn how to protect your password storage and how to take down bots in a peer to peer network"<br />
<br />
==Programme==<br />
:18:30 - 19:15 Registration & Pizza<br />
:19:15 - 20:00 <br />
:20:00 - 20:15 Break<br />
:20:15 - 21:00 <br />
:21:00 - 21:30 Networking<br />
==Presentations==<br />
===Neutralizing Peer-to-Peer Botnets===<br />
By Dennis Andriesse.<br />
<br />
This presentation is a case study on our takedown efforts against state-of-the-art peer-to-peer botnets.<br />
Unlike conventional botnets, peer-to-peer botnets are decentralized, and thus cannot be disabled by neutralizing centralized control facilities. Takedowns against peer-to-peer botnets require a highly decentralized approach targeting the infected drones themselves. We describe the technical and ethical challenges we faced in our own takedown attempts.<br />
<br />
===Securing Password Storage - Increasing Resistance to Brute Force Attacks===<br />
By Tiago Teles.<br />
<br />
In this talk Tiago Teles takes apart password protection scheme analyzing the attack<br />
resistance of hashes, hmacs, adaptive hashes (such as script), and encryption<br />
schemes. First, we present a threat model for password storage. Then audience<br />
members will learn the construction, performance, and protective properties of these<br />
primitives. Discussion of the primitives will be from a critical perspective modeled as<br />
an iterative secure design session.<br />
Ultimately, this session presents the solution and code donated as part of the on-<br />
going OWASP PSM (password storage module) project. Discussion of this solution<br />
will include key techniques for hardening PSM learned through years of delivering<br />
production JavaEE code to customers...<br />
<br />
==Speakers==<br />
===Dennis Andriesse===<br />
Dennis Andriesse is a Ph.D. candidate in the System and Network Security Group at VU University Amsterdam. His research focuses on binary code (de)obfuscation and reverse engineering techniques. Next to that, he is also interested in advanced malware, particularly in the resilience of peer-to-peer botnets.<br />
<br />
===Tiago Teles===<br />
Tiago Teles is a Technical Consultant with 7 years of experience in clients across<br />
different sectors and countries, including banking, insurance, telecommunications<br />
and commercial organizations in a variety of roles, Development, Business<br />
Intelligence, Quality Assurance and Delivering Training.<br />
<br />
==Venue==<br />
Avans Hogeschool<br />
Room: OB007<br />
Onderwijsboulevard 215<br />
5223 DE 's-Hertogenbosch</div>Favroomhttps://wiki.owasp.org/index.php?title=Netherlands_May_14,_2013&diff=149877Netherlands May 14, 20132013-04-15T17:38:12Z<p>Favroom: </p>
<hr />
<div>= May 14, 2013 =<br />
"In this Chapter meeting we will not REST until we have designed an access control mechanism to protect your web services..."<br />
<br />
==Programme==<br />
:18:30 - 19:15 Registration & Pizza<br />
:19:15 - 20:00 <br />
:20:00 - 20:15 Break<br />
:20:15 - 21:00 <br />
:21:00 - 21:30 Networking<br />
==Presentations==<br />
===Neutralizing Peer-to-Peer Botnets===<br />
By Dennis Andriesse.<br />
<br />
This presentation is a case study on our takedown efforts against state-of-the-art peer-to-peer botnets.<br />
Unlike conventional botnets, peer-to-peer botnets are decentralized, and thus cannot be disabled by neutralizing centralized control facilities. Takedowns against peer-to-peer botnets require a highly decentralized approach targeting the infected drones themselves. We describe the technical and ethical challenges we faced in our own takedown attempts.<br />
<br />
===Securing Password Storage - Increasing Resistance to Brute Force Attacks===<br />
By Tiago Teles.<br />
<br />
In this talk Tiago Teles takes apart password protection scheme analyzing the attack<br />
resistance of hashes, hmacs, adaptive hashes (such as script), and encryption<br />
schemes. First, we present a threat model for password storage. Then audience<br />
members will learn the construction, performance, and protective properties of these<br />
primitives. Discussion of the primitives will be from a critical perspective modeled as<br />
an iterative secure design session.<br />
Ultimately, this session presents the solution and code donated as part of the on-<br />
going OWASP PSM (password storage module) project. Discussion of this solution<br />
will include key techniques for hardening PSM learned through years of delivering<br />
production JavaEE code to customers...<br />
<br />
==Speakers==<br />
===Dennis Andriesse===<br />
Dennis Andriesse is a Ph.D. candidate in the System and Network Security Group at VU University Amsterdam. His research focuses on binary code (de)obfuscation and reverse engineering techniques. Next to that, he is also interested in advanced malware, particularly in the resilience of peer-to-peer botnets.<br />
<br />
===Tiago Teles===<br />
Tiago Teles is a Technical Consultant with 7 years of experience in clients across<br />
different sectors and countries, including banking, insurance, telecommunications<br />
and commercial organizations in a variety of roles, Development, Business<br />
Intelligence, Quality Assurance and Delivering Training.<br />
<br />
==Venue==<br />
Avans Hogeschool<br />
Room: OB007<br />
Onderwijsboulevard 215<br />
5223 DE 's-Hertogenbosch</div>Favroomhttps://wiki.owasp.org/index.php?title=Netherlands_May_14,_2013&diff=149876Netherlands May 14, 20132013-04-15T17:37:42Z<p>Favroom: </p>
<hr />
<div>= May 14, 2013 =<br />
"In this Chapter meeting we will not REST until we have designed an access control mechanism to protect your web services..."<br />
<br />
==Programme==<br />
:18:30 - 19:15 Registration & Pizza<br />
:19:15 - 20:00 <br />
:20:00 - 20:15 Break<br />
:20:15 - 21:00 <br />
:21:00 - 21:30 Networking<br />
==Presentations==<br />
===Neutralizing Peer-to-Peer Botnets===<br />
By Dennis Andriesse<br />
This presentation is a case study on our takedown efforts against state-of-the-art peer-to-peer botnets.<br />
Unlike conventional botnets, peer-to-peer botnets are decentralized, and thus cannot be disabled by neutralizing centralized control facilities. Takedowns against peer-to-peer botnets require a highly decentralized approach targeting the infected drones themselves. We describe the technical and ethical challenges we faced in our own takedown attempts.<br />
<br />
===Securing Password Storage - Increasing Resistance to Brute Force Attacks===<br />
By Tiago Teles<br />
In this talk Tiago Teles takes apart password protection scheme analyzing the attack<br />
resistance of hashes, hmacs, adaptive hashes (such as script), and encryption<br />
schemes. First, we present a threat model for password storage. Then audience<br />
members will learn the construction, performance, and protective properties of these<br />
primitives. Discussion of the primitives will be from a critical perspective modeled as<br />
an iterative secure design session.<br />
Ultimately, this session presents the solution and code donated as part of the on-<br />
going OWASP PSM (password storage module) project. Discussion of this solution<br />
will include key techniques for hardening PSM learned through years of delivering<br />
production JavaEE code to customers...<br />
<br />
==Speakers==<br />
===Dennis Andriesse===<br />
Dennis Andriesse is a Ph.D. candidate in the System and Network Security Group at VU University Amsterdam. His research focuses on binary code (de)obfuscation and reverse engineering techniques. Next to that, he is also interested in advanced malware, particularly in the resilience of peer-to-peer botnets.<br />
<br />
===Tiago Teles===<br />
Tiago Teles is a Technical Consultant with 7 years of experience in clients across<br />
different sectors and countries, including banking, insurance, telecommunications<br />
and commercial organizations in a variety of roles, Development, Business<br />
Intelligence, Quality Assurance and Delivering Training.<br />
<br />
==Venue==<br />
Avans Hogeschool<br />
Room: OB007<br />
Onderwijsboulevard 215<br />
5223 DE 's-Hertogenbosch</div>Favroomhttps://wiki.owasp.org/index.php?title=Netherlands_May_14,_2013&diff=149875Netherlands May 14, 20132013-04-15T17:36:16Z<p>Favroom: </p>
<hr />
<div>= May 14, 2013 =<br />
"In this Chapter meeting we will not REST until we have designed an access control mechanism to protect your web services..."<br />
<br />
==Programme==<br />
:18:30 - 19:15 Registration & Pizza<br />
:19:15 - 20:00 <br />
:20:00 - 20:15 Break<br />
:20:15 - 21:00 <br />
:21:00 - 21:30 Networking<br />
==Presentations==<br />
===Neutralizing Peer-to-Peer Botnets===<br />
By Tiago Teles<br />
This presentation is a case study on our takedown efforts against state-of-the-art peer-to-peer botnets.<br />
Unlike conventional botnets, peer-to-peer botnets are decentralized, and thus cannot be disabled by neutralizing centralized control facilities. Takedowns against peer-to-peer botnets require a highly decentralized approach targeting the infected drones themselves. We describe the technical and ethical challenges we faced in our own takedown attempts.<br />
<br />
===Securing Password Storage - Increasing Resistance to Brute Force Attacks===<br />
By Dennis Andriesse<br />
In this talk Tiago Teles takes apart password protection scheme analyzing the attack<br />
resistance of hashes, hmacs, adaptive hashes (such as script), and encryption<br />
schemes. First, we present a threat model for password storage. Then audience<br />
members will learn the construction, performance, and protective properties of these<br />
primitives. Discussion of the primitives will be from a critical perspective modeled as<br />
an iterative secure design session.<br />
Ultimately, this session presents the solution and code donated as part of the on-<br />
going OWASP PSM (password storage module) project. Discussion of this solution<br />
will include key techniques for hardening PSM learned through years of delivering<br />
production JavaEE code to customers...<br />
<br />
==Speakers==<br />
===Dennis Andriesse===<br />
Dennis Andriesse is a Ph.D. candidate in the System and Network Security Group at VU University Amsterdam. His research focuses on binary code (de)obfuscation and reverse engineering techniques. Next to that, he is also interested in advanced malware, particularly in the resilience of peer-to-peer botnets.<br />
<br />
===Tiago Teles===<br />
Tiago Teles is a Technical Consultant with 7 years of experience in clients across<br />
different sectors and countries, including banking, insurance, telecommunications<br />
and commercial organizations in a variety of roles, Development, Business<br />
Intelligence, Quality Assurance and Delivering Training.<br />
<br />
==Venue==<br />
Avans Hogeschool<br />
Room: OB007<br />
Onderwijsboulevard 215<br />
5223 DE 's-Hertogenbosch</div>Favroomhttps://wiki.owasp.org/index.php?title=Netherlands_May_14,_2013&diff=149874Netherlands May 14, 20132013-04-15T17:31:00Z<p>Favroom: </p>
<hr />
<div>= May 14, 2013 =<br />
"In this Chapter meeting we will not REST until we have designed an access control mechanism to protect your web services..."<br />
<br />
==Programme==<br />
:18:30 - 19:15 Registration & Pizza<br />
:19:15 - 20:00 <br />
:20:00 - 20:15 Break<br />
:20:15 - 21:00 <br />
:21:00 - 21:30 Networking<br />
==Presentations==<br />
===Neutralizing Peer-to-Peer Botnets===<br />
By Tiago Teles<br />
This presentation is a case study on our takedown efforts against state-of-the-art peer-to-peer botnets.<br />
Unlike conventional botnets, peer-to-peer botnets are decentralized, and thus cannot be disabled by neutralizing centralized control facilities. Takedowns against peer-to-peer botnets require a highly decentralized approach targeting the infected drones themselves. We describe the technical and ethical challenges we faced in our own takedown attempts.<br />
<br />
===Securing Password Storage - Increasing Resistance to Brute Force Attacks===<br />
By Dennis Andriesse<br />
In this talk Tiago Teles takes apart password protection scheme analyzing the attack<br />
resistance of hashes, hmacs, adaptive hashes (such as script), and encryption<br />
schemes. First, we present a threat model for password storage. Then audience<br />
members will learn the construction, performance, and protective properties of these<br />
primitives. Discussion of the primitives will be from a critical perspective modeled as<br />
an iterative secure design session.<br />
Ultimately, this session presents the solution and code donated as part of the on-<br />
going OWASP PSM (password storage module) project. Discussion of this solution<br />
will include key techniques for hardening PSM learned through years of delivering<br />
production JavaEE code to customers...<br />
<br />
===Neutralizing Peer-to-Peer Botnets===<br />
This presentation is a case study on our takedown efforts against state-of-the-art peer-to-peer botnets. Unlike conventional botnets, peer-to-peer botnets are decentralized, and thus cannot be disabled by neutralizing centralized control facilities. Takedowns against peer-to-peer botnets require a highly decentralized approach targeting the infected drones themselves. We describe the technical and ethical challenges we faced in our own takedown attempts.<br />
<br />
==Speakers==<br />
===Dennis Andriesse===<br />
Dennis Andriesse is a Ph.D. candidate in the System and Network Security Group at VU University Amsterdam. His research focuses on binary code (de)obfuscation and reverse engineering techniques. Next to that, he is also interested in advanced malware, particularly in the resilience of peer-to-peer botnets.<br />
<br />
===Tiago Teles===<br />
Tiago Teles is a Technical Consultant with 7 years of experience in clients across<br />
different sectors and countries, including banking, insurance, telecommunications<br />
and commercial organizations in a variety of roles, Development, Business<br />
Intelligence, Quality Assurance and Delivering Training.<br />
<br />
==Venue==<br />
Avans Hogeschool<br />
Room: OB007<br />
Onderwijsboulevard 215<br />
5223 DE 's-Hertogenbosch</div>Favroomhttps://wiki.owasp.org/index.php?title=Netherlands_May_14,_2013&diff=149873Netherlands May 14, 20132013-04-15T17:27:01Z<p>Favroom: </p>
<hr />
<div>= May 14, 2013 =<br />
"In this Chapter meeting we will not REST until we have designed an access control mechanism to protect your web services..."<br />
<br />
==Programme==<br />
:18:30 - 19:15 Registration & Pizza<br />
:19:15 - 20:00 <br />
:20:00 - 20:15 Break<br />
:20:15 - 21:00 <br />
:21:00 - 21:30 Networking<br />
==Presentations==<br />
===Neutralizing Peer-to-Peer Botnets===<br />
This presentation is a case study on our takedown efforts against state-of-the-art peer-to-peer botnets.<br />
Unlike conventional botnets, peer-to-peer botnets are decentralized, and thus cannot be disabled by neutralizing centralized control facilities. Takedowns against peer-to-peer botnets require a highly decentralized approach targeting the infected drones themselves. We describe the technical and ethical challenges we faced in our own takedown attempts.<br />
<br />
===Securing Password Storage - Increasing Resistance to Brute Force Attacks===<br />
In this talk Tiago Teles takes apart password protection scheme analyzing the attack<br />
resistance of hashes, hmacs, adaptive hashes (such as script), and encryption<br />
schemes. First, we present a threat model for password storage. Then audience<br />
members will learn the construction, performance, and protective properties of these<br />
primitives. Discussion of the primitives will be from a critical perspective modeled as<br />
an iterative secure design session.<br />
Ultimately, this session presents the solution and code donated as part of the on-<br />
going OWASP PSM (password storage module) project. Discussion of this solution<br />
will include key techniques for hardening PSM learned through years of delivering<br />
production JavaEE code to customers...<br />
<br />
===Neutralizing Peer-to-Peer Botnets===<br />
This presentation is a case study on our takedown efforts against state-of-the-art peer-to-peer botnets. Unlike conventional botnets, peer-to-peer botnets are decentralized, and thus cannot be disabled by neutralizing centralized control facilities. Takedowns against peer-to-peer botnets require a highly decentralized approach targeting the infected drones themselves. We describe the technical and ethical challenges we faced in our own takedown attempts.<br />
<br />
==Speakers==<br />
===Dennis Andriesse===<br />
Dennis Andriesse is a Ph.D. candidate in the System and Network Security Group at VU University Amsterdam. His research focuses on binary code (de)obfuscation and reverse engineering techniques. Next to that, he is also interested in advanced malware, particularly in the resilience of peer-to-peer botnets.<br />
<br />
===Tiago Teles===<br />
Tiago Teles is a Technical Consultant with 7 years of experience in clients across<br />
different sectors and countries, including banking, insurance, telecommunications<br />
and commercial organizations in a variety of roles, Development, Business<br />
Intelligence, Quality Assurance and Delivering Training.<br />
<br />
==Venue==<br />
Avans Hogeschool<br />
Room: OB007<br />
Onderwijsboulevard 215<br />
5223 DE 's-Hertogenbosch</div>Favroomhttps://wiki.owasp.org/index.php?title=Netherlands_May_14,_2013&diff=149869Netherlands May 14, 20132013-04-15T15:52:13Z<p>Favroom: </p>
<hr />
<div>= May 14, 2013 =<br />
"In this Chapter meeting we will not REST until we have designed an access control mechanism to protect your web services..."<br />
<br />
==Programme==<br />
:18:30 - 19:15 Registration & Pizza<br />
:19:15 - 20:00 <br />
:20:00 - 20:15 Break<br />
:20:15 - 21:00 <br />
:21:00 - 21:30 Networking<br />
==Presentations==<br />
===Neutralizing Peer-to-Peer Botnets===<br />
This presentation is a case study on our takedown efforts against state-of-the-art peer-to-peer botnets.<br />
Unlike conventional botnets, peer-to-peer botnets are decentralized, and thus cannot be disabled by neutralizing centralized control facilities. Takedowns against peer-to-peer botnets require a highly decentralized approach targeting the infected drones themselves. We describe the technical and ethical challenges we faced in our own takedown attempts.<br />
<br />
===Discovering flaws using JS-Enabled crawlers===<br />
Automated testing of security faults on a web page is common practice these days. However, most modern web application aren't a set of pages anymore. They load their content dynamically using AJAX and tailor the results to the user's needs using JavaScript. Running the automated tools on these applications is much harder, if not impossible. Using Crawljax, a JavaScript enabled Crawler, testing all pages and states of such web applications becomes possible again. In this presentation, I will give an overview of the possibilities Crawljax offers.<br />
<br />
===Securing Password Storage - Increasing Resistance to Brute Force Attacks===<br />
In this talk Tiago Teles takes apart password protection scheme analyzing the attack<br />
resistance of hashes, hmacs, adaptive hashes (such as script), and encryption<br />
schemes. First, we present a threat model for password storage. Then audience<br />
members will learn the construction, performance, and protective properties of these<br />
primitives. Discussion of the primitives will be from a critical perspective modeled as<br />
an iterative secure design session.<br />
Ultimately, this session presents the solution and code donated as part of the on-<br />
going OWASP PSM (password storage module) project. Discussion of this solution<br />
will include key techniques for hardening PSM learned through years of delivering<br />
production JavaEE code to customers...<br />
<br />
==Speakers==<br />
===Dennis Andriesse===<br />
Dennis Andriesse is a Ph.D. candidate in the System and Network Security Group at VU University Amsterdam. His research focuses on binary code (de)obfuscation and reverse engineering techniques. Next to that, he is also interested in advanced malware, particularly in the resilience of peer-to-peer botnets.<br />
===Alex Nederlof===<br />
Alex Nederlof is a Msc student in Compute Science, Software Engineering. Active in web application development for 4 years at E.Novation BTC. Now working on Crawljax, a JavaScript-enabled Crawler.<br />
===Tiago Teles===<br />
Tiago Teles is a Technical Consultant with 7 years of experience in clients across<br />
different sectors and countries, including banking, insurance, telecommunications<br />
and commercial organizations in a variety of roles, Development, Business<br />
Intelligence, Quality Assurance and Delivering Training.<br />
<br />
==Venue==<br />
Avans Hogeschool<br />
Room: OB007<br />
Onderwijsboulevard 215<br />
5223 DE 's-Hertogenbosch</div>Favroomhttps://wiki.owasp.org/index.php?title=Netherlands_May_14,_2013&diff=149868Netherlands May 14, 20132013-04-15T15:45:42Z<p>Favroom: </p>
<hr />
<div>= May 14, 2013 =<br />
"In this Chapter meeting we will not REST until we have designed an access control mechanism to protect your web services..."<br />
<br />
==Programme==<br />
:18:30 - 19:15 Registration & Pizza<br />
:19:15 - 20:00 <br />
:20:00 - 20:15 Break<br />
:20:15 - 21:00 <br />
:21:00 - 21:30 Networking<br />
==Presentations==<br />
===Neutralizing Peer-to-Peer Botnets===<br />
This presentation is a case study on our takedown efforts against state-of-the-art peer-to-peer botnets.<br />
Unlike conventional botnets, peer-to-peer botnets are decentralized, and thus cannot be disabled by neutralizing centralized control facilities. Takedowns against peer-to-peer botnets require a highly decentralized approach targeting the infected drones themselves. We describe the technical and ethical challenges we faced in our own takedown attempts.<br />
<br />
===Discovering flaws using JS-Enabled crawlers===<br />
Automated testing of security faults on a web page is common practice these days. However, most modern web application aren't a set of pages anymore. They load their content dynamically using AJAX and tailor the results to the user's needs using JavaScript. Running the automated tools on these applications is much harder, if not impossible. Using Crawljax, a JavaScript enabled Crawler, testing all pages and states of such web applications becomes possible again. In this presentation, I will give an overview of the possibilities Crawljax offers.<br />
<br />
==Speakers==<br />
===Dennis Andriesse===<br />
Dennis Andriesse is a Ph.D. candidate in the System and Network Security Group at VU University Amsterdam. His research focuses on binary code (de)obfuscation and reverse engineering techniques. Next to that, he is also interested in advanced malware, particularly in the resilience of peer-to-peer botnets.<br />
===Alex Nederlof===<br />
Alex Nederlof is a Msc student in Compute Science, Software Engineering. Active in web application development for 4 years at E.Novation BTC. Now working on Crawljax, a JavaScript-enabled Crawler.<br />
<br />
==Venue==<br />
Avans Hogeschool<br />
Room: OB007<br />
Onderwijsboulevard 215<br />
5223 DE 's-Hertogenbosch</div>Favroomhttps://wiki.owasp.org/index.php?title=Netherlands_May_14,_2013&diff=149866Netherlands May 14, 20132013-04-15T14:32:42Z<p>Favroom: Created page with "= May 14, 2013 = "In this Chapter meeting we will not REST until we have designed an access control mechanism to protect your web services..." ==Programme== :18:30 - 19:15 R..."</p>
<hr />
<div>= May 14, 2013 =<br />
"In this Chapter meeting we will not REST until we have designed an access control mechanism to protect your web services..."<br />
<br />
==Programme==<br />
:18:30 - 19:15 Registration & Pizza<br />
:19:15 - 20:00 <br />
:20:00 - 20:15 Break<br />
:20:15 - 21:00 <br />
:21:00 - 21:30 Networking<br />
==Presentations==<br />
===Neutralizing Peer-to-Peer Botnets===<br />
This presentation is a case study on our takedown efforts against state-of-the-art peer-to-peer botnets.<br />
Unlike conventional botnets, peer-to-peer botnets are decentralized, and thus cannot be disabled by neutralizing centralized control facilities. Takedowns against peer-to-peer botnets require a highly decentralized approach targeting the infected drones themselves. We describe the technical and ethical challenges we faced in our own takedown attempts.<br />
<br />
===x===<br />
==Speakers==<br />
===Dennis Andriesse===<br />
Dennis Andriesse is a Ph.D. candidate in the System and Network Security Group at VU University Amsterdam. His research focuses on binary code (de)obfuscation and reverse engineering techniques. Next to that, he is also interested in advanced malware, particularly in the resilience of peer-to-peer botnets.<br />
===x===</div>Favroomhttps://wiki.owasp.org/index.php?title=Netherlands_Previous_Events_2013&diff=149865Netherlands Previous Events 20132013-04-15T14:24:27Z<p>Favroom: </p>
<hr />
<div>[[Netherlands]] events held in 2013<br />
;[[Netherlands May 14, 2013]]<br />
*[[Netherlands_May_14,_2013#]]<br />
*[[Netherlands_May_14,_2013#]]<br />
;[[Netherlands April 10, 2013]]<br />
*[[Netherlands_April_10,_2013#Access_Control_Design_Best_Practices|Access Control Design Best Practices - Jim Manico]] - ([[Media:Owaspnl-jimmanico-toptendefensesv8.pdf | Download the presentation as PDF]])<br />
*[[Netherlands_April_10,_2013#RESTful_web_services.2C_the_web_security_blind_spot|RESTful web services, the web security blind spot - Ofer Shezaf]] - ([[Media:Owaspnl-oferschezaf-securitytestingforrestapplicationsv6april2013.pdf | Download the presentation as PDF]])<br />
;[[Netherlands March 13, 2013]]<br />
*[[Netherlands_March_13,_2013#Record_It.21|Record It - Colin Watson]] - ([[Media:Owaspnl-colinwatson-recordit.pdf | Download the presentation as PDF]])<br />
*[[Netherlands_March_13,_2013#The_smartphone_penetration_testing_framework|The smartphone penetration testing framework - Georgia Weidman]] - ([[Media:The_smartphone_penetration_testing_framework-Georgia_Weidman.pdf | Download the presentation as PDF]])<br />
*[[Netherlands_March_13,_2013#OWASP_Cornucopia|OWASP Cornucopia - Colin Watson]] - ([[Media:Owaspnl-colinwatson-cornucopia.pdf | Download the presentation as PDF]])<br />
;[[Netherlands March 7, 2013]]<br />
*[[Netherlands March 7, 2013#Incident_Respons_in_a_Cyberwar_context|Incident Respons in a Cyberwar context - Dennis Lemckert ]]<br />
*[[Netherlands_March_7,_2013#Disclosure.2C_Prevention_is_better_than_to_cure|Disclosure - Lex Borger & André Koot ]]<br />
;[[Netherlands January 31, 2013]]:<br />
*[[Netherlands_January_31,_2013#The_Truth_about_the_e.dentifier2|The Truth about the e.dentifier2 - Erik Poll]]<br />
*[[Netherlands_January_31,_2013#OWASP_Update|OWASP Update - Martin Knobloch]]</div>Favroomhttps://wiki.owasp.org/index.php?title=Netherlands&diff=149859Netherlands2013-04-15T13:58:14Z<p>Favroom: </p>
<hr />
<div>{{Chapter Template|chaptername=Netherlands|extra=|mailinglistsite=http://lists.owasp.org/mailman/listinfo/owasp-netherlands|emailarchives=http://lists.owasp.org/pipermail/owasp-netherlands}} <br />
<br />
<br />
<paypal>Netherlands</paypal><br />
<br />
<!-- First tab --><br />
<br />
= Local News =<br />
<br />
;The next OWASP Netherlands Chapter meeting will be on May 14th in 's Hertogenbosch, more details soon!<br />
<br />
;Slide Decks from recent Chapter meetings can be downloaded from the [https://www.owasp.org/index.php/Netherlands_Previous_Events_2013 Past Events page].<br />
<br />
;'''Provisional 2013 Chapter Event Calendar'''<br />
*May 14th, 2013<br />
*June 27th, 2013<br />
*September 12th, 2013<br />
*November 7th, 2013<br />
*November 28th and 29th, 2013: [https://www.owasp.org/index.php?title=BeNeLux_OWASP_Day_2013 OWASP Benelux Conference]<br />
<br />
;'''Other OWASP Events'''<br />
;'''[https://www.owasp.org/index.php/AppSecEU2013 AppSec-EU Hambug August 2th to 23rd 2013]'''<br />
;'''[http://appsecusa.org/2013/ AppSec-USA New York November 18th to 21st 2013]'''<br />
<br />
;'''Call for Presentations'''<br />
;[https://docs.google.com/a/owasp.org/spreadsheet/viewform?formkey=dGs1UFN0Ul9YR1pRcGdYRmtYallraUE6MQ#gid=0 OWASP NL Chapter Call For Presentation]<br />
<br />
<br />
[[File:Follow-us-on-twitter.png|frameless|100px|link=http://www.twitter.com/owasp_NL]]<br />
<br />
<!-- Second tab --><br />
<br />
= Calendar =<br />
<br />
=== Provisional Chapter Event Calendar 2013 ===<br />
<br />
*<strike> January 31st, 2013 </strike> <br />
*<strike> March 7th, 2013</strike> [[Media:OWASP Netherlands Chapter Meeting 2013-03-07.pdf | flyer]] <br />
*<strike> March 13th, 2013</strike> [[Media:OWASP Netherlands Chapter Meeting 2013-03-13.pdf | flyer]]<br />
*<strike> April 10th, 2013</strike> [[Media:OWASP Netherlands Chapter Meeting 2013-04-10.pdf | flyer]]<br />
*May 14th, 2013<br />
*June 27th, 2013<br />
*September 12th, 2013<br />
*November 7th, 2012<br />
*November 28th and 29th, 2013 [https://www.owasp.org/index.php?title=BeNeLux_OWASP_Day_2013 OWASP Benelux Conference in the Netherlands!]'''<br />
<br />
<!-- Third tab --><br />
<br />
= Past Events =<br />
*Events held in [[Netherlands Previous Events 2013|2013]]<br />
*Events held in [[Netherlands Previous Events 2012|2012]]<br />
*Events held in [[Netherlands Previous Events 2011|2011]]<br />
*Events held in [[Netherlands Previous Events 2010|2010]] <br />
*Events held in [[Netherlands Previous Events 2009|2009]] <br />
*Events held in [[Netherlands Previous Events 2008|2008]] <br />
*Events held in [[Netherlands Previous Events 2007|2007]] <br />
*Events held in [[Netherlands Previous Events 2006|2006]] <br />
*Events held in [[Netherlands Previous Events 2005|2005]]<br />
<br />
<!-- Fourth tab --><br />
<br />
= Chapter Leaders =<br />
<br />
The Netherlands Chapter is supported by the following board: <br />
<br />
*[https://www.owasp.org/index.php/User:Ferdinand_Vroom Ferdinand Vroom]<br />
*[https://www.owasp.org/index.php/User:Knoblochmartin Martin Knobloch], PervaSec<br />
<br />
<br> <br />
<br />
*[mailto:netherlands@owasp.org OWASP Netherlands], OWASP Netherlands board email adres<br />
<br />
Our goal is to professionalize the local OWASP functioning, provide in a bigger footprint to detect OWASP opportunities such as speakers/topics/sponsors/… and set a 5 year target on: Target audiences, Different events and Interactions of OWASP global – local projects. <br />
<br />
<!-- Fifth and last tab --><br />
<br />
= Chapter Support =<br />
<br />
=== Chapter Sponsoring ===<br />
<br />
OWASP Netherlands is looking for organizations to sponsor our chapter. <br />
If you are interested in sponsoring the Netherlands chapter please contact us via email: [mailto:netherlands@owasp.org netherlands 'at' owasp.org]. <br />
<br />
=== Donation ===<br />
<br />
If you would like to donate to our chapter, please use the PayPal link at the top of this page.<br />
Thank you!<br />
<br />
=== Call for Speakers ===<br />
<br />
We are continuously looking for speakers.<br>'''Presentations:''' Are you working on an interesting subject, would you like to share your experience with the OWASP community and do you have presentation skills. Please let us know! Any topic related to web application security will be appreciated!<br>'''VAC, Vulnerability, Attack, Countermeasure:''' The VAC is a re occuring part of the chapter meetings. The VAC is a half hour in-depth technical presentation about a vulnerability, how it can be exploited and how to prevent it!<br> <br />
<br />
<span style="font-weight: bold;">Links: </span> <br />
<br />
[http://www.owasp.org/index.php/Speaker_Agreement Speaker Agreement] <br />
<br />
[http://www.owasp.org/images/5/54/Presentation_template.ppt Template] <br />
<br />
Interested in presenting at a local chapter meeting, please send an email to: netherlands 'at' owasp.org <br />
<br />
=== Call for Location ===<br />
<br />
For the OWASP Netherlands chapter meetings to come, we are continuously looking for locations! <br />
<br />
Most preferable, the location is good accessible with public transport and by car. Free parking should be provided. <br />
<br />
What do we expect: <br />
<br />
*meeting room for at least 50 people <br />
*lunch for attendees <br />
**drinks, sandwiches... <br />
*a small present for the speakers <br />
**(e.g. bottle of wine, for speakers from aboard alcohol might be less practical if flying in only with hand luggage)<br />
<br />
Interested in sponsoring a local chapter meeting, please send an email to: netherlands 'at' owasp.org <br />
<!-- Don't remove this tag --><br />
__NOTOC__ <br />
<headertabs/><br />
<br />
<br />
Our structural Chapter and OWASP Benelux Days 2012 supporters: <br />
<br />
[http://www.madisongurkha.nl https://www.owasp.org/images/6/6e/Madison-gurkha-logo.jpg]<br />
[http://www.sogeti.nl https://www.owasp.org/images/9/94/Sogeti_logo.png]<br />
[http://www.vest.nl https://www.owasp.org/images/1/1d/Logo_Vest_BIG_170.gif]<br />
<br />
[[Category:Europe]]</div>Favroomhttps://wiki.owasp.org/index.php?title=Netherlands_Previous_Events_2013&diff=149858Netherlands Previous Events 20132013-04-15T13:55:00Z<p>Favroom: </p>
<hr />
<div>[[Netherlands]] events held in 2013<br />
;[[Netherlands April 10, 2013]]<br />
*[[Netherlands_April_10,_2013#Access_Control_Design_Best_Practices|Access Control Design Best Practices - Jim Manico]] - ([[Media:Owaspnl-jimmanico-toptendefensesv8.pdf | Download the presentation as PDF]])<br />
*[[Netherlands_April_10,_2013#RESTful_web_services.2C_the_web_security_blind_spot|RESTful web services, the web security blind spot - Ofer Shezaf]] - ([[Media:Owaspnl-oferschezaf-securitytestingforrestapplicationsv6april2013.pdf | Download the presentation as PDF]])<br />
;[[Netherlands March 13, 2013]]<br />
*[[Netherlands_March_13,_2013#Record_It.21|Record It - Colin Watson]] - ([[Media:Owaspnl-colinwatson-recordit.pdf | Download the presentation as PDF]])<br />
*[[Netherlands_March_13,_2013#The_smartphone_penetration_testing_framework|The smartphone penetration testing framework - Georgia Weidman]] - ([[Media:The_smartphone_penetration_testing_framework-Georgia_Weidman.pdf | Download the presentation as PDF]])<br />
*[[Netherlands_March_13,_2013#OWASP_Cornucopia|OWASP Cornucopia - Colin Watson]] - ([[Media:Owaspnl-colinwatson-cornucopia.pdf | Download the presentation as PDF]])<br />
;[[Netherlands March 7, 2013]]<br />
*[[Netherlands March 7, 2013#Incident_Respons_in_a_Cyberwar_context|Incident Respons in a Cyberwar context - Dennis Lemckert ]]<br />
*[[Netherlands_March_7,_2013#Disclosure.2C_Prevention_is_better_than_to_cure|Disclosure - Lex Borger & André Koot ]]<br />
;[[Netherlands January 31, 2013]]:<br />
*[[Netherlands_January_31,_2013#The_Truth_about_the_e.dentifier2|The Truth about the e.dentifier2 - Erik Poll]]<br />
*[[Netherlands_January_31,_2013#OWASP_Update|OWASP Update - Martin Knobloch]]</div>Favroomhttps://wiki.owasp.org/index.php?title=File:Owaspnl-oferschezaf-securitytestingforrestapplicationsv6april2013.pdf&diff=149856File:Owaspnl-oferschezaf-securitytestingforrestapplicationsv6april2013.pdf2013-04-15T13:53:58Z<p>Favroom: </p>
<hr />
<div></div>Favroomhttps://wiki.owasp.org/index.php?title=Netherlands_Previous_Events_2013&diff=149853Netherlands Previous Events 20132013-04-15T13:48:24Z<p>Favroom: </p>
<hr />
<div>[[Netherlands]] events held in 2013<br />
;[[Netherlands April 10, 2013]]<br />
*[[Netherlands_April_10,_2013#Access_Control_Design_Best_Practices|Access Control Design Best Practices - Jim Manico]] - ([[Media:Owaspnl-jimmanico-toptendefensesv8.pdf | Download the presentation as PDF]])<br />
*[[Netherlands_April_10,_2013#RESTful_web_services.2C_the_web_security_blind_spot|RESTful web services, the web security blind spot - Ofer Shezaf]]<br />
;[[Netherlands March 13, 2013]]<br />
*[[Netherlands_March_13,_2013#Record_It.21|Record It - Colin Watson]] - ([[Media:Owaspnl-colinwatson-recordit.pdf | Download the presentation as PDF]])<br />
*[[Netherlands_March_13,_2013#The_smartphone_penetration_testing_framework|The smartphone penetration testing framework - Georgia Weidman]] - ([[Media:The_smartphone_penetration_testing_framework-Georgia_Weidman.pdf | Download the presentation as PDF]])<br />
*[[Netherlands_March_13,_2013#OWASP_Cornucopia|OWASP Cornucopia - Colin Watson]] - ([[Media:Owaspnl-colinwatson-cornucopia.pdf | Download the presentation as PDF]])<br />
;[[Netherlands March 7, 2013]]<br />
*[[Netherlands March 7, 2013#Incident_Respons_in_a_Cyberwar_context|Incident Respons in a Cyberwar context - Dennis Lemckert ]]<br />
*[[Netherlands_March_7,_2013#Disclosure.2C_Prevention_is_better_than_to_cure|Disclosure - Lex Borger & André Koot ]]<br />
;[[Netherlands January 31, 2013]]:<br />
*[[Netherlands_January_31,_2013#The_Truth_about_the_e.dentifier2|The Truth about the e.dentifier2 - Erik Poll]]<br />
*[[Netherlands_January_31,_2013#OWASP_Update|OWASP Update - Martin Knobloch]]</div>Favroomhttps://wiki.owasp.org/index.php?title=File:Owaspnl-jimmanico-toptendefensesv8.pdf&diff=149852File:Owaspnl-jimmanico-toptendefensesv8.pdf2013-04-15T13:47:23Z<p>Favroom: </p>
<hr />
<div></div>Favroomhttps://wiki.owasp.org/index.php?title=Netherlands&diff=149849Netherlands2013-04-15T13:40:29Z<p>Favroom: </p>
<hr />
<div>{{Chapter Template|chaptername=Netherlands|extra=|mailinglistsite=http://lists.owasp.org/mailman/listinfo/owasp-netherlands|emailarchives=http://lists.owasp.org/pipermail/owasp-netherlands}} <br />
<br />
<br />
<paypal>Netherlands</paypal><br />
<br />
<!-- First tab --><br />
<br />
= Local News =<br />
<br />
;The next OWASP Netherlands Chapter meeting will be on May 14th in 's Hertogenbosch, more details soon!<br />
<br />
;'''Provisional 2013 Chapter Event Calendar'''<br />
*May 14th, 2013<br />
*June 27th, 2013<br />
*September 12th, 2013<br />
*November 7th, 2013<br />
*November 28th and 29th, 2013: [https://www.owasp.org/index.php?title=BeNeLux_OWASP_Day_2013 OWASP Benelux Conference]<br />
<br />
;'''Other OWASP Events'''<br />
;'''[https://www.owasp.org/index.php/AppSecEU2013 AppSec-EU Hambug August 2th to 23rd 2013]'''<br />
;'''[http://appsecusa.org/2013/ AppSec-USA New York November 18th to 21st 2013]'''<br />
<br />
;'''Call for Presentations'''<br />
;[https://docs.google.com/a/owasp.org/spreadsheet/viewform?formkey=dGs1UFN0Ul9YR1pRcGdYRmtYallraUE6MQ#gid=0 OWASP NL Chapter Call For Presentation]<br />
<br />
<br />
[[File:Follow-us-on-twitter.png|frameless|100px|link=http://www.twitter.com/owasp_NL]]<br />
<br />
<!-- Second tab --><br />
<br />
= Calendar =<br />
<br />
=== Provisional Chapter Event Calendar 2013 ===<br />
<br />
*<strike> January 31st, 2013 </strike> <br />
*<strike> March 7th, 2013</strike> [[Media:OWASP Netherlands Chapter Meeting 2013-03-07.pdf | flyer]] <br />
*<strike> March 13th, 2013</strike> [[Media:OWASP Netherlands Chapter Meeting 2013-03-13.pdf | flyer]]<br />
*<strike> April 10th, 2013</strike> [[Media:OWASP Netherlands Chapter Meeting 2013-04-10.pdf | flyer]]<br />
*May 14th, 2013<br />
*June 27th, 2013<br />
*September 12th, 2013<br />
*November 7th, 2012<br />
*November 28th and 29th, 2013 [https://www.owasp.org/index.php?title=BeNeLux_OWASP_Day_2013 OWASP Benelux Conference in the Netherlands!]'''<br />
<br />
<!-- Third tab --><br />
<br />
= Past Events =<br />
*Events held in [[Netherlands Previous Events 2013|2013]]<br />
*Events held in [[Netherlands Previous Events 2012|2012]]<br />
*Events held in [[Netherlands Previous Events 2011|2011]]<br />
*Events held in [[Netherlands Previous Events 2010|2010]] <br />
*Events held in [[Netherlands Previous Events 2009|2009]] <br />
*Events held in [[Netherlands Previous Events 2008|2008]] <br />
*Events held in [[Netherlands Previous Events 2007|2007]] <br />
*Events held in [[Netherlands Previous Events 2006|2006]] <br />
*Events held in [[Netherlands Previous Events 2005|2005]]<br />
<br />
<!-- Fourth tab --><br />
<br />
= Chapter Leaders =<br />
<br />
The Netherlands Chapter is supported by the following board: <br />
<br />
*[https://www.owasp.org/index.php/User:Ferdinand_Vroom Ferdinand Vroom]<br />
*[https://www.owasp.org/index.php/User:Knoblochmartin Martin Knobloch], PervaSec<br />
<br />
<br> <br />
<br />
*[mailto:netherlands@owasp.org OWASP Netherlands], OWASP Netherlands board email adres<br />
<br />
Our goal is to professionalize the local OWASP functioning, provide in a bigger footprint to detect OWASP opportunities such as speakers/topics/sponsors/… and set a 5 year target on: Target audiences, Different events and Interactions of OWASP global – local projects. <br />
<br />
<!-- Fifth and last tab --><br />
<br />
= Chapter Support =<br />
<br />
=== Chapter Sponsoring ===<br />
<br />
OWASP Netherlands is looking for organizations to sponsor our chapter. <br />
If you are interested in sponsoring the Netherlands chapter please contact us via email: [mailto:netherlands@owasp.org netherlands 'at' owasp.org]. <br />
<br />
=== Donation ===<br />
<br />
If you would like to donate to our chapter, please use the PayPal link at the top of this page.<br />
Thank you!<br />
<br />
=== Call for Speakers ===<br />
<br />
We are continuously looking for speakers.<br>'''Presentations:''' Are you working on an interesting subject, would you like to share your experience with the OWASP community and do you have presentation skills. Please let us know! Any topic related to web application security will be appreciated!<br>'''VAC, Vulnerability, Attack, Countermeasure:''' The VAC is a re occuring part of the chapter meetings. The VAC is a half hour in-depth technical presentation about a vulnerability, how it can be exploited and how to prevent it!<br> <br />
<br />
<span style="font-weight: bold;">Links: </span> <br />
<br />
[http://www.owasp.org/index.php/Speaker_Agreement Speaker Agreement] <br />
<br />
[http://www.owasp.org/images/5/54/Presentation_template.ppt Template] <br />
<br />
Interested in presenting at a local chapter meeting, please send an email to: netherlands 'at' owasp.org <br />
<br />
=== Call for Location ===<br />
<br />
For the OWASP Netherlands chapter meetings to come, we are continuously looking for locations! <br />
<br />
Most preferable, the location is good accessible with public transport and by car. Free parking should be provided. <br />
<br />
What do we expect: <br />
<br />
*meeting room for at least 50 people <br />
*lunch for attendees <br />
**drinks, sandwiches... <br />
*a small present for the speakers <br />
**(e.g. bottle of wine, for speakers from aboard alcohol might be less practical if flying in only with hand luggage)<br />
<br />
Interested in sponsoring a local chapter meeting, please send an email to: netherlands 'at' owasp.org <br />
<!-- Don't remove this tag --><br />
__NOTOC__ <br />
<headertabs/><br />
<br />
<br />
Our structural Chapter and OWASP Benelux Days 2012 supporters: <br />
<br />
[http://www.madisongurkha.nl https://www.owasp.org/images/6/6e/Madison-gurkha-logo.jpg]<br />
[http://www.sogeti.nl https://www.owasp.org/images/9/94/Sogeti_logo.png]<br />
[http://www.vest.nl https://www.owasp.org/images/1/1d/Logo_Vest_BIG_170.gif]<br />
<br />
[[Category:Europe]]</div>Favroomhttps://wiki.owasp.org/index.php?title=Netherlands&diff=149848Netherlands2013-04-15T13:39:49Z<p>Favroom: </p>
<hr />
<div>{{Chapter Template|chaptername=Netherlands|extra=|mailinglistsite=http://lists.owasp.org/mailman/listinfo/owasp-netherlands|emailarchives=http://lists.owasp.org/pipermail/owasp-netherlands}} <br />
<br />
<br />
<paypal>Netherlands</paypal><br />
<br />
<!-- First tab --><br />
<br />
= Local News =<br />
<br />
;The next OWASP Netherlands Chapter meeting will be on May 14th in 's Hertogenbosch, more details soon!<br />
<br />
;'''Provisional 2013 Chapter Event Calendar'''<br />
*May 14th, 2013<br />
*June 27th, 2013<br />
*September 12th, 2013<br />
*November 7th, 2013<br />
*November 28th and 29th, 2013: [https://www.owasp.org/index.php?title=BeNeLux_OWASP_Day_2013 OWASP Benelux Conference]<br />
<br />
;'''Other OWASP Events'''<br />
;'''[https://www.owasp.org/index.php/AppSecEU2013 AppSec-EU Hambug August 2th to 23rd 2013]'''<br />
;'''[http://appsecusa.org/2013/ AppSec-USA New York November 18th to 21st 2013]'''<br />
<br />
;'''Call for Presentations'''<br />
;[https://docs.google.com/a/owasp.org/spreadsheet/viewform?formkey=dGs1UFN0Ul9YR1pRcGdYRmtYallraUE6MQ#gid=0 OWASP NL Chapter Call For Presentation]<br />
<br />
<br />
[[File:Follow-us-on-twitter.png|frameless|100px|link=http://www.twitter.com/owasp_NL]]<br />
<br />
<!-- Second tab --><br />
<br />
= Calendar =<br />
<br />
=== Provisional Chapter Event Calendar 2013 ===<br />
<br />
*<strike> January 31st, 2013 </strike> <br />
*<strike> March 7th, 2013</strike> [[Media:OWASP Netherlands Chapter Meeting 2013-03-07.pdf | flyer]] <br />
*<strike> March 13th, 2013</strike> [Media:OWASP Netherlands Chapter Meeting 2013-03-13.pdf | flyer]]<br />
*<strike> April 10th, 2013</strike>[Media:OWASP Netherlands Chapter Meeting 2013-04-10.pdf | flyer]]<br />
*May 14th, 2013<br />
*June 27th, 2013<br />
*September 12th, 2013<br />
*November 7th, 2012<br />
*November 28th and 29th, 2013 [https://www.owasp.org/index.php?title=BeNeLux_OWASP_Day_2013 OWASP Benelux Conference in the Netherlands!]'''<br />
<br />
<!-- Third tab --><br />
<br />
= Past Events =<br />
*Events held in [[Netherlands Previous Events 2013|2013]]<br />
*Events held in [[Netherlands Previous Events 2012|2012]]<br />
*Events held in [[Netherlands Previous Events 2011|2011]]<br />
*Events held in [[Netherlands Previous Events 2010|2010]] <br />
*Events held in [[Netherlands Previous Events 2009|2009]] <br />
*Events held in [[Netherlands Previous Events 2008|2008]] <br />
*Events held in [[Netherlands Previous Events 2007|2007]] <br />
*Events held in [[Netherlands Previous Events 2006|2006]] <br />
*Events held in [[Netherlands Previous Events 2005|2005]]<br />
<br />
<!-- Fourth tab --><br />
<br />
= Chapter Leaders =<br />
<br />
The Netherlands Chapter is supported by the following board: <br />
<br />
*[https://www.owasp.org/index.php/User:Ferdinand_Vroom Ferdinand Vroom]<br />
*[https://www.owasp.org/index.php/User:Knoblochmartin Martin Knobloch], PervaSec<br />
<br />
<br> <br />
<br />
*[mailto:netherlands@owasp.org OWASP Netherlands], OWASP Netherlands board email adres<br />
<br />
Our goal is to professionalize the local OWASP functioning, provide in a bigger footprint to detect OWASP opportunities such as speakers/topics/sponsors/… and set a 5 year target on: Target audiences, Different events and Interactions of OWASP global – local projects. <br />
<br />
<!-- Fifth and last tab --><br />
<br />
= Chapter Support =<br />
<br />
=== Chapter Sponsoring ===<br />
<br />
OWASP Netherlands is looking for organizations to sponsor our chapter. <br />
If you are interested in sponsoring the Netherlands chapter please contact us via email: [mailto:netherlands@owasp.org netherlands 'at' owasp.org]. <br />
<br />
=== Donation ===<br />
<br />
If you would like to donate to our chapter, please use the PayPal link at the top of this page.<br />
Thank you!<br />
<br />
=== Call for Speakers ===<br />
<br />
We are continuously looking for speakers.<br>'''Presentations:''' Are you working on an interesting subject, would you like to share your experience with the OWASP community and do you have presentation skills. Please let us know! Any topic related to web application security will be appreciated!<br>'''VAC, Vulnerability, Attack, Countermeasure:''' The VAC is a re occuring part of the chapter meetings. The VAC is a half hour in-depth technical presentation about a vulnerability, how it can be exploited and how to prevent it!<br> <br />
<br />
<span style="font-weight: bold;">Links: </span> <br />
<br />
[http://www.owasp.org/index.php/Speaker_Agreement Speaker Agreement] <br />
<br />
[http://www.owasp.org/images/5/54/Presentation_template.ppt Template] <br />
<br />
Interested in presenting at a local chapter meeting, please send an email to: netherlands 'at' owasp.org <br />
<br />
=== Call for Location ===<br />
<br />
For the OWASP Netherlands chapter meetings to come, we are continuously looking for locations! <br />
<br />
Most preferable, the location is good accessible with public transport and by car. Free parking should be provided. <br />
<br />
What do we expect: <br />
<br />
*meeting room for at least 50 people <br />
*lunch for attendees <br />
**drinks, sandwiches... <br />
*a small present for the speakers <br />
**(e.g. bottle of wine, for speakers from aboard alcohol might be less practical if flying in only with hand luggage)<br />
<br />
Interested in sponsoring a local chapter meeting, please send an email to: netherlands 'at' owasp.org <br />
<!-- Don't remove this tag --><br />
__NOTOC__ <br />
<headertabs/><br />
<br />
<br />
Our structural Chapter and OWASP Benelux Days 2012 supporters: <br />
<br />
[http://www.madisongurkha.nl https://www.owasp.org/images/6/6e/Madison-gurkha-logo.jpg]<br />
[http://www.sogeti.nl https://www.owasp.org/images/9/94/Sogeti_logo.png]<br />
[http://www.vest.nl https://www.owasp.org/images/1/1d/Logo_Vest_BIG_170.gif]<br />
<br />
[[Category:Europe]]</div>Favroomhttps://wiki.owasp.org/index.php?title=Netherlands&diff=149845Netherlands2013-04-15T13:33:16Z<p>Favroom: </p>
<hr />
<div>{{Chapter Template|chaptername=Netherlands|extra=|mailinglistsite=http://lists.owasp.org/mailman/listinfo/owasp-netherlands|emailarchives=http://lists.owasp.org/pipermail/owasp-netherlands}} <br />
<br />
<br />
<paypal>Netherlands</paypal><br />
<br />
<!-- First tab --><br />
<br />
= Local News =<br />
<br />
;The next OWASP Netherlands Chapter meeting will be on May 14th in 's Hertogenbosch, more details soon!<br />
<br />
;'''Provisional 2013 Chapter Event Calendar'''<br />
*May 14th, 2013<br />
*June 27th, 2013<br />
*September 12th, 2013<br />
*November 7th, 2013<br />
*November 28th and 29th, 2013: [https://www.owasp.org/index.php?title=BeNeLux_OWASP_Day_2013 OWASP Benelux Conference]<br />
<br />
;'''Other OWASP Events'''<br />
;'''[https://www.owasp.org/index.php/AppSecEU2013 AppSec-EU Hambug August 2th to 23rd 2013]'''<br />
;'''[http://appsecusa.org/2013/ AppSec-USA New York November 18th to 21st 2013]'''<br />
<br />
;'''Call for Presentations'''<br />
;[https://docs.google.com/a/owasp.org/spreadsheet/viewform?formkey=dGs1UFN0Ul9YR1pRcGdYRmtYallraUE6MQ#gid=0 OWASP NL Chapter Call For Presentation]<br />
<br />
<br />
[[File:Follow-us-on-twitter.png|frameless|100px|link=http://www.twitter.com/owasp_NL]]<br />
<br />
<!-- Second tab --><br />
<br />
= Calendar =<br />
<br />
=== Provisional Chapter Event Calendar 2013 ===<br />
<br />
*<strike> January 31st, 2013 </strike> <br />
<br />
*<strike> [http://owaspdutchchaptermeeting07032013.eventbrite.nl March 7th, 2013]</strike> [[Media:OWASP Netherlands Chapter Meeting 2013-03-07.pdf | flyer]] <br />
*<strike> [[:Netherlands March 13, 2013]]</strike>[[Media:OWASP Netherlands Chapter Meeting 2013-03-13.pdf | flyer]]<br />
<!-- *<strike> [http://owaspdutchchaptermeeting13032013.eventbrite.nl March 13th, 2013]</strike> Radboud University Nijmegen, Beta-faculty Huygensgebouw, Heyendaalseweg 135, Nijmegen (Parkeergarage P11) --><br />
*<strike> [[Netherlands April 10, 2013 | Netherlands April 10, 2013 - Vrije Universiteit Amsterdam - De Boelelaan 1085, 1081 HV Amsterdam NL - Room: M129 in the FEW building]] - [[Media:OWASP Netherlands Chapter Meeting 2013-04-10.pdf | download the flyer]] - [[Media:OWASP Netherlands Chapter Meeting 2013-04-10_poster.pdf | download the poster]]</strike><br />
*; [http://owaspdutchchaptermeeting10042013.eventbrite.com/# Click here for registration]<br />
*May 14th, 2013<br />
*June 27, 2013<br />
*'''[https://www.owasp.org/index.php/AppSecEU2013 August 2th to 23rd 2013 AppSec-EU Hambug]'''<br />
*September 12, 2013<br />
*November 7, 2012<br />
*'''[https://www.owasp.org/index.php?title=BeNeLux_OWASP_Day_2013 November 28th and 29th 2013: OWASP Benelux meeting in the Netherlands!]'''<br />
<br />
<!-- Third tab --><br />
<br />
= Past Events =<br />
*Events held in [[Netherlands Previous Events 2013|2013]]<br />
*Events held in [[Netherlands Previous Events 2012|2012]]<br />
*Events held in [[Netherlands Previous Events 2011|2011]]<br />
*Events held in [[Netherlands Previous Events 2010|2010]] <br />
*Events held in [[Netherlands Previous Events 2009|2009]] <br />
*Events held in [[Netherlands Previous Events 2008|2008]] <br />
*Events held in [[Netherlands Previous Events 2007|2007]] <br />
*Events held in [[Netherlands Previous Events 2006|2006]] <br />
*Events held in [[Netherlands Previous Events 2005|2005]]<br />
<br />
<!-- Fourth tab --><br />
<br />
= Chapter Leaders =<br />
<br />
The Netherlands Chapter is supported by the following board: <br />
<br />
*[https://www.owasp.org/index.php/User:Ferdinand_Vroom Ferdinand Vroom]<br />
*[https://www.owasp.org/index.php/User:Knoblochmartin Martin Knobloch], PervaSec<br />
<br />
<br> <br />
<br />
*[mailto:netherlands@owasp.org OWASP Netherlands], OWASP Netherlands board email adres<br />
<br />
Our goal is to professionalize the local OWASP functioning, provide in a bigger footprint to detect OWASP opportunities such as speakers/topics/sponsors/… and set a 5 year target on: Target audiences, Different events and Interactions of OWASP global – local projects. <br />
<br />
<!-- Fifth and last tab --><br />
<br />
= Chapter Support =<br />
<br />
=== Chapter Sponsoring ===<br />
<br />
OWASP Netherlands is looking for organizations to sponsor our chapter. <br />
If you are interested in sponsoring the Netherlands chapter please contact us via email: [mailto:netherlands@owasp.org netherlands 'at' owasp.org]. <br />
<br />
=== Donation ===<br />
<br />
If you would like to donate to our chapter, please use the PayPal link at the top of this page.<br />
Thank you!<br />
<br />
=== Call for Speakers ===<br />
<br />
We are continuously looking for speakers.<br>'''Presentations:''' Are you working on an interesting subject, would you like to share your experience with the OWASP community and do you have presentation skills. Please let us know! Any topic related to web application security will be appreciated!<br>'''VAC, Vulnerability, Attack, Countermeasure:''' The VAC is a re occuring part of the chapter meetings. The VAC is a half hour in-depth technical presentation about a vulnerability, how it can be exploited and how to prevent it!<br> <br />
<br />
<span style="font-weight: bold;">Links: </span> <br />
<br />
[http://www.owasp.org/index.php/Speaker_Agreement Speaker Agreement] <br />
<br />
[http://www.owasp.org/images/5/54/Presentation_template.ppt Template] <br />
<br />
Interested in presenting at a local chapter meeting, please send an email to: netherlands 'at' owasp.org <br />
<br />
=== Call for Location ===<br />
<br />
For the OWASP Netherlands chapter meetings to come, we are continuously looking for locations! <br />
<br />
Most preferable, the location is good accessible with public transport and by car. Free parking should be provided. <br />
<br />
What do we expect: <br />
<br />
*meeting room for at least 50 people <br />
*lunch for attendees <br />
**drinks, sandwiches... <br />
*a small present for the speakers <br />
**(e.g. bottle of wine, for speakers from aboard alcohol might be less practical if flying in only with hand luggage)<br />
<br />
Interested in sponsoring a local chapter meeting, please send an email to: netherlands 'at' owasp.org <br />
<!-- Don't remove this tag --><br />
__NOTOC__ <br />
<headertabs/><br />
<br />
<br />
Our structural Chapter and OWASP Benelux Days 2012 supporters: <br />
<br />
[http://www.madisongurkha.nl https://www.owasp.org/images/6/6e/Madison-gurkha-logo.jpg]<br />
[http://www.sogeti.nl https://www.owasp.org/images/9/94/Sogeti_logo.png]<br />
[http://www.vest.nl https://www.owasp.org/images/1/1d/Logo_Vest_BIG_170.gif]<br />
<br />
[[Category:Europe]]</div>Favroomhttps://wiki.owasp.org/index.php?title=Netherlands&diff=149844Netherlands2013-04-15T13:31:48Z<p>Favroom: </p>
<hr />
<div>{{Chapter Template|chaptername=Netherlands|extra=|mailinglistsite=http://lists.owasp.org/mailman/listinfo/owasp-netherlands|emailarchives=http://lists.owasp.org/pipermail/owasp-netherlands}} <br />
<br />
<br />
<paypal>Netherlands</paypal><br />
<br />
<!-- First tab --><br />
<br />
= Local News =<br />
<br />
;The next OWASP Netherlands Chapter meeting will be on May 14th in 's Hertogenbosch, more details soon!<br />
<br />
;'''Provisional 2013 Chapter Event Calendar'''<br />
*May 14th, 2013<br />
*June 27th, 2013<br />
*September 12th, 2013<br />
*November 7th, 2013<br />
*November 28th and 29th, 2013: [https://www.owasp.org/index.php?title=BeNeLux_OWASP_Day_2013 OWASP Benelux Conference]<br />
<br />
;'''Other OWASP Events'''<br />
;'''[https://www.owasp.org/index.php/AppSecEU2013 AppSec-EU Hambug August 2th to 23rd 2013]'''<br />
;'''[http://appsecusa.org/2013/ AppSec-USA New York November 18th to 21st 2013]'''<br />
<br />
;'''Call for Presentations'''<br />
;[https://docs.google.com/a/owasp.org/spreadsheet/viewform?formkey=dGs1UFN0Ul9YR1pRcGdYRmtYallraUE6MQ#gid=0 OWASP NL Chapter Call For Presentation]<br />
<br />
<br />
[[File:Follow-us-on-twitter.png|frameless|100px|link=http://www.twitter.com/owasp_NL]]<br />
<br />
<!-- Second tab --><br />
<br />
= Calendar =<br />
<br />
=== Provisional Chapter Event Calendar 2013 ===<br />
<br />
*<strike> January 31st, 2013 </strike> <br />
<!-- *<strike> [[:Netherlands March 7, 2013]]</strike>[[Media:OWASP Netherlands Chapter Meeting 2013-03-07.pdf | flyer]] --><br />
*<strike> [http://owaspdutchchaptermeeting07032013.eventbrite.nl March 7th, 2013]</strike> [[Media:OWASP Netherlands Chapter Meeting 2013-03-07.pdf | flyer]] <br />
*<strike> [[:Netherlands March 13, 2013]]</strike>[[Media:OWASP Netherlands Chapter Meeting 2013-03-13.pdf | flyer]]<br />
<!-- *<strike> [http://owaspdutchchaptermeeting13032013.eventbrite.nl March 13th, 2013]</strike> Radboud University Nijmegen, Beta-faculty Huygensgebouw, Heyendaalseweg 135, Nijmegen (Parkeergarage P11) --><br />
*<strike> [[Netherlands April 10, 2013 | Netherlands April 10, 2013 - Vrije Universiteit Amsterdam - De Boelelaan 1085, 1081 HV Amsterdam NL - Room: M129 in the FEW building]] - [[Media:OWASP Netherlands Chapter Meeting 2013-04-10.pdf | download the flyer]] - [[Media:OWASP Netherlands Chapter Meeting 2013-04-10_poster.pdf | download the poster]]</strike><br />
*; [http://owaspdutchchaptermeeting10042013.eventbrite.com/# Click here for registration]<br />
*May 14th, 2013<br />
*June 27, 2013<br />
*'''[https://www.owasp.org/index.php/AppSecEU2013 August 2th to 23rd 2013 AppSec-EU Hambug]'''<br />
*September 12, 2013<br />
*November 7, 2012<br />
*'''[https://www.owasp.org/index.php?title=BeNeLux_OWASP_Day_2013 November 28th and 29th 2013: OWASP Benelux meeting in the Netherlands!]'''<br />
<br />
<!-- Third tab --><br />
<br />
= Past Events =<br />
*Events held in [[Netherlands Previous Events 2013|2013]]<br />
*Events held in [[Netherlands Previous Events 2012|2012]]<br />
*Events held in [[Netherlands Previous Events 2011|2011]]<br />
*Events held in [[Netherlands Previous Events 2010|2010]] <br />
*Events held in [[Netherlands Previous Events 2009|2009]] <br />
*Events held in [[Netherlands Previous Events 2008|2008]] <br />
*Events held in [[Netherlands Previous Events 2007|2007]] <br />
*Events held in [[Netherlands Previous Events 2006|2006]] <br />
*Events held in [[Netherlands Previous Events 2005|2005]]<br />
<br />
<!-- Fourth tab --><br />
<br />
= Chapter Leaders =<br />
<br />
The Netherlands Chapter is supported by the following board: <br />
<br />
*[https://www.owasp.org/index.php/User:Ferdinand_Vroom Ferdinand Vroom]<br />
*[https://www.owasp.org/index.php/User:Knoblochmartin Martin Knobloch], PervaSec<br />
<br />
<br> <br />
<br />
*[mailto:netherlands@owasp.org OWASP Netherlands], OWASP Netherlands board email adres<br />
<br />
Our goal is to professionalize the local OWASP functioning, provide in a bigger footprint to detect OWASP opportunities such as speakers/topics/sponsors/… and set a 5 year target on: Target audiences, Different events and Interactions of OWASP global – local projects. <br />
<br />
<!-- Fifth and last tab --><br />
<br />
= Chapter Support =<br />
<br />
=== Chapter Sponsoring ===<br />
<br />
OWASP Netherlands is looking for organizations to sponsor our chapter. <br />
If you are interested in sponsoring the Netherlands chapter please contact us via email: [mailto:netherlands@owasp.org netherlands 'at' owasp.org]. <br />
<br />
=== Donation ===<br />
<br />
If you would like to donate to our chapter, please use the PayPal link at the top of this page.<br />
Thank you!<br />
<br />
=== Call for Speakers ===<br />
<br />
We are continuously looking for speakers.<br>'''Presentations:''' Are you working on an interesting subject, would you like to share your experience with the OWASP community and do you have presentation skills. Please let us know! Any topic related to web application security will be appreciated!<br>'''VAC, Vulnerability, Attack, Countermeasure:''' The VAC is a re occuring part of the chapter meetings. The VAC is a half hour in-depth technical presentation about a vulnerability, how it can be exploited and how to prevent it!<br> <br />
<br />
<span style="font-weight: bold;">Links: </span> <br />
<br />
[http://www.owasp.org/index.php/Speaker_Agreement Speaker Agreement] <br />
<br />
[http://www.owasp.org/images/5/54/Presentation_template.ppt Template] <br />
<br />
Interested in presenting at a local chapter meeting, please send an email to: netherlands 'at' owasp.org <br />
<br />
=== Call for Location ===<br />
<br />
For the OWASP Netherlands chapter meetings to come, we are continuously looking for locations! <br />
<br />
Most preferable, the location is good accessible with public transport and by car. Free parking should be provided. <br />
<br />
What do we expect: <br />
<br />
*meeting room for at least 50 people <br />
*lunch for attendees <br />
**drinks, sandwiches... <br />
*a small present for the speakers <br />
**(e.g. bottle of wine, for speakers from aboard alcohol might be less practical if flying in only with hand luggage)<br />
<br />
Interested in sponsoring a local chapter meeting, please send an email to: netherlands 'at' owasp.org <br />
<!-- Don't remove this tag --><br />
__NOTOC__ <br />
<headertabs/><br />
<br />
<br />
Our structural Chapter and OWASP Benelux Days 2012 supporters: <br />
<br />
[http://www.madisongurkha.nl https://www.owasp.org/images/6/6e/Madison-gurkha-logo.jpg]<br />
[http://www.sogeti.nl https://www.owasp.org/images/9/94/Sogeti_logo.png]<br />
[http://www.vest.nl https://www.owasp.org/images/1/1d/Logo_Vest_BIG_170.gif]<br />
<br />
[[Category:Europe]]</div>Favroomhttps://wiki.owasp.org/index.php?title=Netherlands&diff=149836Netherlands2013-04-15T13:11:14Z<p>Favroom: </p>
<hr />
<div>{{Chapter Template|chaptername=Netherlands|extra=|mailinglistsite=http://lists.owasp.org/mailman/listinfo/owasp-netherlands|emailarchives=http://lists.owasp.org/pipermail/owasp-netherlands}} <br />
<br />
<br />
<paypal>Netherlands</paypal><br />
<br />
<!-- First tab --><br />
<br />
= Local News =<br />
<br />
;The next OWASP Netherlands Chapter meeting will be on May 14th in 's Hertogenbosch, more details soon!<br />
<br />
;'''Provisional 2013 Chapter Event Calendar'''<br />
*May 14th, 2013<br />
*June 27th, 2013<br />
*September 12th, 2013<br />
*November 7th, 2013<br />
*November 28th and 29th, 2013: [https://www.owasp.org/index.php?title=BeNeLux_OWASP_Day_2013 OWASP Benelux Conference]<br />
<br />
;'''Other OWASP Events'''<br />
;'''[https://www.owasp.org/index.php/AppSecEU2013 AppSec-EU Hambug August 2th to 23rd 2013]'''<br />
;'''[http://appsecusa.org/2013/ AppSec-USA New York November 18th to 21st 2013]'''<br />
<br />
;'''Call for Presentations'''<br />
;[https://docs.google.com/a/owasp.org/spreadsheet/viewform?formkey=dGs1UFN0Ul9YR1pRcGdYRmtYallraUE6MQ#gid=0 OWASP NL Chapter Call For Presentation]<br />
<br />
<br />
[[File:Follow-us-on-twitter.png|frameless|100px|link=http://www.twitter.com/owasp_NL]]<br />
<br />
<!-- Second tab --><br />
<br />
= Calendar =<br />
<br />
=== Provisional Chapter Event Calendar 2013 ===<br />
<br />
*<strike> January 31st, 2013 </strike> <br />
<!-- *<strike> [[:Netherlands March 7, 2013]]</strike>[[Media:OWASP Netherlands Chapter Meeting 2013-03-07.pdf | flyer]] --><br />
*<strike> [http://owaspdutchchaptermeeting07032013.eventbrite.nl March 7th, 2013]</strike> [[Media:OWASP Netherlands Chapter Meeting 2013-03-07.pdf | flyer]] <br />
*<strike> [[:Netherlands March 13, 2013]]</strike>[[Media:OWASP Netherlands Chapter Meeting 2013-03-13.pdf | flyer]]<br />
<!-- *<strike> [http://owaspdutchchaptermeeting13032013.eventbrite.nl March 13th, 2013]</strike> Radboud University Nijmegen, Beta-faculty Huygensgebouw, Heyendaalseweg 135, Nijmegen (Parkeergarage P11) --><br />
*<strike> [[Netherlands April 10, 2013 | Netherlands April 10, 2013 - Vrije Universiteit Amsterdam - De Boelelaan 1085, 1081 HV Amsterdam NL - Room: M129 in the FEW building]] - [[Media:OWASP Netherlands Chapter Meeting 2013-04-10.pdf | download the flyer]] - [[Media:OWASP Netherlands Chapter Meeting 2013-04-10_poster.pdf | download the poster]]</strike><br />
*; [http://owaspdutchchaptermeeting10042013.eventbrite.com/# Click here for registration]<br />
*May 14th, 2013<br />
*June 27, 2013<br />
*'''[https://www.owasp.org/index.php/AppSecEU2013 August 2th to 23rd 2013 AppSec-EU Hambug]'''<br />
*September 12, 2013<br />
*November 7, 2012<br />
*'''[https://www.owasp.org/index.php?title=BeNeLux_OWASP_Day_2013 November 28th and 29th 2013: OWASP Benelux meeting in the Netherlands!]'''<br />
<br />
<!-- Third tab --><br />
<br />
= Past Events =<br />
*Events held in [[Netherlands Previous Events 2013|2013]]<br />
*Events held in [[Netherlands Previous Events 2012|2012]]<br />
*Events held in [[Netherlands Previous Events 2011|2011]]<br />
*Events held in [[Netherlands Previous Events 2010|2010]] <br />
*Events held in [[Netherlands Previous Events 2009|2009]] <br />
*Events held in [[Netherlands Previous Events 2008|2008]] <br />
*Events held in [[Netherlands Previous Events 2007|2007]] <br />
*Events held in [[Netherlands Previous Events 2006|2006]] <br />
*Events held in [[Netherlands Previous Events 2005|2005]]<br />
<br />
<!-- Fourth tab --><br />
<br />
= Chapter Leaders =<br />
<br />
The Netherlands Chapter is supported by the following board: <br />
<br />
*[https://www.owasp.org/index.php/User:Ferdinand_Vroom Ferdinand Vroom]<br />
*[https://www.owasp.org/index.php/User:Knoblochmartin Martin Knobloch], PervaSec<br />
<br />
<br> <br />
<br />
*[mailto:netherlands@owasp.org OWASP Netherlands], OWASP Netherlands board email adres<br />
<br />
Our goal is to professionalize the local OWASP functioning, provide in a bigger footprint to detect OWASP opportunities such as speakers/topics/sponsors/… and set a 5 year target on: Target audiences, Different events and Interactions of OWASP global – local projects. <br />
<br />
<!-- Fifth and last tab --><br />
<br />
= Chapter Support =<br />
<br />
=== Chapter Sponsoring ===<br />
<br />
OWASP Netherlands is looking for organizations to sponsor our chapter. <br />
If you are interested in sponsoring the Netherlands chapter please contact us via email: [mailto:netherlands@owasp.org netherlands 'at' owasp.org]. <br />
<br />
=== Donation ===<br />
<br />
If you would like to donate to our chapter, please use the PayPal link at the top of this page.<br />
Thank you!<br />
<br />
=== Call for Speakers ===<br />
<br />
We are continuously looking for speakers.<br>'''Presentations:''' Are you working on an interesting subject, would you like to share your experience with the OWASP community and do you have presentation skills. Please let us know! Any topic related to web application security will be appreciated!<br>'''VAC, Vulnerability, Attack, Countermeasure:''' The VAC is a re occuring part of the chapter meetings. The VAC is a half hour in-depth technical presentation about a vulnerability, how it can be exploited and how to prevent it!<br> <br />
<br />
<span style="font-weight: bold;">Links: </span> <br />
<br />
[http://www.owasp.org/index.php/Speaker_Agreement Speaker Agreement] <br />
<br />
[http://www.owasp.org/images/5/54/Presentation_template.ppt Template] <br />
<br />
Interested in presenting at a local chapter meeting, please send an email to: netherlands 'at' owasp.org <br />
<br />
=== Call for Location ===<br />
<br />
For the OWASP Netherlands chapter meetings to come, we are continuously looking for locations! <br />
<br />
Most preferable, the location is good accessible with public transport and by car. Free parking should be provided. <br />
<br />
What do we expect: <br />
<br />
*meeting room for at least 50 people <br />
*lunch for attendees <br />
**drinks, sandwiches... <br />
*a small present for the speakers <br />
**(e.g. bottle of wine, for speakers from aboard alcohol might be less practical if flying in only with hand luggage)<br />
<br />
Interested in sponsoring a local chapter meeting, please send an email to: netherlands 'at' owasp.org <br />
<!-- Don't remove this tag --><br />
__NOTOC__ <br />
<headertabs/><br />
<br />
<br />
OWASP Netherlands thanks its structural chapter supporters for 2012 and the OWASP BeNeLux Days 2012: <br />
<br />
[http://www.madisongurkha.nl https://www.owasp.org/images/6/6e/Madison-gurkha-logo.jpg]<br />
[http://www.sogeti.nl https://www.owasp.org/images/9/94/Sogeti_logo.png]<br />
[http://www.vest.nl https://www.owasp.org/images/1/1d/Logo_Vest_BIG_170.gif]<br />
<br />
[[Category:Europe]]</div>Favroomhttps://wiki.owasp.org/index.php?title=Netherlands&diff=149835Netherlands2013-04-15T13:09:52Z<p>Favroom: </p>
<hr />
<div>{{Chapter Template|chaptername=Netherlands|extra=|mailinglistsite=http://lists.owasp.org/mailman/listinfo/owasp-netherlands|emailarchives=http://lists.owasp.org/pipermail/owasp-netherlands}} <br />
<br />
<br />
<paypal>Netherlands</paypal><br />
<br />
<!-- First tab --><br />
<br />
= Local News =<br />
<br />
;The next OWASP Netherlands Chapter meeting will be on May 14th in 's Hertogenbosch, more details soon!<br />
<br />
;'''Provisional 2013 Chapter Event Calendar'''<br />
*May 14th, 2013<br />
*June 27th, 2013<br />
*September 12th, 2013<br />
*November 7th, 2013<br />
*November 28th and 29th, 2013: [https://www.owasp.org/index.php?title=BeNeLux_OWASP_Day_2013 OWASP Benelux Conference]<br />
<br />
;'''Other OWASP Events'''<br />
;'''[https://www.owasp.org/index.php/AppSecEU2013 AppSec-EU Hambug August 2th to 23rd 2013]'''<br />
;'''[http://appsecusa.org/2013/ AppSec-USA New York November 18th to 21st 2013]'''<br />
<br />
;'''Call for Presentations'''<br />
;[https://docs.google.com/a/owasp.org/spreadsheet/viewform?formkey=dGs1UFN0Ul9YR1pRcGdYRmtYallraUE6MQ#gid=0 OWASP NL Chapter Call For Presentation]<br />
<br />
<br />
[[File:Follow-us-on-twitter.png|frameless|100px|link=http://www.twitter.com/owasp_NL]]<br />
<br />
<!-- Second tab --><br />
<br />
= Calendar =<br />
<br />
=== Provisional Chapter Event Calendar 2013 ===<br />
<br />
*<strike> January 31st, 2013 </strike> <br />
<!-- *<strike> [[:Netherlands March 7, 2013]]</strike>[[Media:OWASP Netherlands Chapter Meeting 2013-03-07.pdf | flyer]] --><br />
*<strike> [http://owaspdutchchaptermeeting07032013.eventbrite.nl March 7th, 2013]</strike> [[Media:OWASP Netherlands Chapter Meeting 2013-03-07.pdf | flyer]] <br />
*<strike> [[:Netherlands March 13, 2013]]</strike>[[Media:OWASP Netherlands Chapter Meeting 2013-03-13.pdf | flyer]]<br />
<!-- *<strike> [http://owaspdutchchaptermeeting13032013.eventbrite.nl March 13th, 2013]</strike> Radboud University Nijmegen, Beta-faculty Huygensgebouw, Heyendaalseweg 135, Nijmegen (Parkeergarage P11) --><br />
*<strike> [[Netherlands April 10, 2013 | Netherlands April 10, 2013 - Vrije Universiteit Amsterdam - De Boelelaan 1085, 1081 HV Amsterdam NL - Room: M129 in the FEW building]] - [[Media:OWASP Netherlands Chapter Meeting 2013-04-10.pdf | download the flyer]] - [[Media:OWASP Netherlands Chapter Meeting 2013-04-10_poster.pdf | download the poster]]</strike><br />
*; [http://owaspdutchchaptermeeting10042013.eventbrite.com/# Click here for registration]<br />
*May 14th, 2013<br />
*June 27, 2013<br />
*'''[https://www.owasp.org/index.php/AppSecEU2013 August 2th to 23rd 2013 AppSec-EU Hambug]'''<br />
*September 12, 2013<br />
*November 7, 2012<br />
*'''[https://www.owasp.org/index.php?title=BeNeLux_OWASP_Day_2013 November 28th and 29th 2013: OWASP Benelux meeting in the Netherlands!]'''<br />
<br />
<!-- Third tab --><br />
<br />
= Past Events =<br />
*Events held in [[Netherlands Previous Events 2013|2013]]<br />
*Events held in [[Netherlands Previous Events 2012|2012]]<br />
*Events held in [[Netherlands Previous Events 2011|2011]]<br />
*Events held in [[Netherlands Previous Events 2010|2010]] <br />
*Events held in [[Netherlands Previous Events 2009|2009]] <br />
*Events held in [[Netherlands Previous Events 2008|2008]] <br />
*Events held in [[Netherlands Previous Events 2007|2007]] <br />
*Events held in [[Netherlands Previous Events 2006|2006]] <br />
*Events held in [[Netherlands Previous Events 2005|2005]]<br />
<br />
<!-- Fourth tab --><br />
<br />
= Chapter Leaders =<br />
<br />
The Netherlands Chapter is supported by the following board: <br />
<br />
*[https://www.owasp.org/index.php/User:Ferdinand_Vroom Ferdinand Vroom]<br />
*[https://www.owasp.org/index.php/User:Knoblochmartin Martin Knobloch], PervaSec<br />
<br />
<br> <br />
<br />
*[mailto:netherlands@owasp.org OWASP Netherlands], OWASP Netherlands board email adres<br />
<br />
Our goal is to professionalize the local OWASP functioning, provide in a bigger footprint to detect OWASP opportunities such as speakers/topics/sponsors/… and set a 5 year target on: Target audiences, Different events and Interactions of OWASP global – local projects. <br />
<br />
<!-- Fifth and last tab --><br />
<br />
= Chapter Support =<br />
<br />
=== Chapter Sponsoring ===<br />
<br />
OWASP Netherlands is looking for organizations to sponsor our chapter. <br />
If you are interested in sponsoring the Netherlands chapter please contact us via email: [mailto:netherlands@owasp.org netherlands 'at' owasp.org]. <br />
<br />
=== Donation ===<br />
<br />
If you would like to donate to our chapter, please use the PayPal link at the top of this page.<br />
Thank you!<br />
<br />
=== Call for Speakers ===<br />
<br />
We are continuously looking for speakers.<br>'''Presentations:''' Are you working on an interesting subject, would you like to share your experience with the OWASP community and do you have presentation skills. Please let us know! Any topic related to web application security will be appreciated!<br>'''VAC, Vulnerability, Attack, Countermeasure:''' The VAC is a re occuring part of the chapter meetings. The VAC is a half hour in-depth technical presentation about a vulnerability, how it can be exploited and how to prevent it!<br> <br />
<br />
<span style="font-weight: bold;">Links: </span> <br />
<br />
[http://www.owasp.org/index.php/Speaker_Agreement Speaker Agreement] <br />
<br />
[http://www.owasp.org/images/5/54/Presentation_template.ppt Template] <br />
<br />
Interested in presenting at a local chapter meeting, please send an email to: netherlands 'at' owasp.org <br />
<br />
=== Call for Location ===<br />
<br />
For the OWASP Netherlands chapter meetings to come, we are continuously looking for locations! <br />
<br />
Most preferable, the location is good accessible with public transport and by car. Free parking should be provided. <br />
<br />
What do we expect: <br />
<br />
*meeting room for at least 50 people <br />
*lunch for attendees <br />
**drinks, sandwiches... <br />
*a small present for the speakers <br />
**(e.g. bottle of wine, for speakers from aboard alcohol might be less practical if flying in only with hand luggage)<br />
<br />
Interested in sponsoring a local chapter meeting, please send an email to: netherlands 'at' owasp.org <br />
<!-- Don't remove this tag --><br />
__NOTOC__ <br />
<headertabs/><br />
<br />
<br />
OWASP Belgium thanks its structural chapter supporters for 2012 and the OWASP BeNeLux Days 2012: <br />
<br />
[http://www.madisongurkha.nl https://www.owasp.org/images/6/6e/Madison-gurkha-logo.jpg]<br />
[http://www.sogeti.nl https://www.owasp.org/images/9/94/Sogeti_logo.png]<br />
[http://www.vest.nl https://www.owasp.org/images/1/1d/Logo_Vest_BIG_170.gif]<br />
<br />
[[Category:Europe]]</div>Favroomhttps://wiki.owasp.org/index.php?title=BeNeLux_OWASP_Day_2013&diff=149809BeNeLux OWASP Day 20132013-04-15T12:51:24Z<p>Favroom: Created page with "<center>Image:owaspbnl12header.jpg<br></center> <br><!-- Header --> <!-- First tab --> = Welcome = === Welcome to OWASP BeNeLux 2012 === ==== News ==== * Advanced O2..."</p>
<hr />
<div><center>[[Image:owaspbnl12header.jpg]]<br></center><br />
<br><!-- Header --><br />
<br />
<br />
<!-- First tab --><br />
= Welcome =<br />
<br />
=== Welcome to OWASP BeNeLux 2012 ===<br />
<br />
==== News ====<br />
* Advanced O2 training, by Dinis Cruz will start at 10:30 AM!<br />
* Update on the Social Event (places for the brewery visit are limited, and an alternative is offered)<br />
<br><br />
<br />
==== Confirmed trainers for Trainingday ====<br />
{{#switchtablink:Trainingday| <p><br />
* Dan Cornell (Denim group) - SDLC with open source tools<br />
* Dinis Cruz (Security Innovation) - Advanced O2<br />
* Volkert de Buisonjé (Sogeti) - Secure Java Development with ESAPI (Hands-On )<br />
* Martin Knobloch (PervaSec) - Essential Web Appplication Security (OWASP Top 10, Webgoat, WebScarab)<br />
}}<br />
<br><br />
<br />
==== Confirmed speakers Conferenceday ====<br />
{{#switchtablink:Conferenceday| <p><br />
* Dinis Cruz (Security Innovation) - Making Security Invisible by Becoming the Developer’s Best Friends<br><br />
* Rüdiger Bachmann (SAP) - Code review large companies<br><br />
* Lieven Desmet (Distrinet, KU Leuven) - Sandboxing JavaScript<br><br />
* Asia Slowinska (VU Amsterdam) - Body Armor for Binaries<br><br />
* Marc Hullegie and Kees Mastwijk (Vest) - Forensics<br><br />
* Dan Cornell (Denim group) - Streamlining Application Vulnerability Management: Communication Between Development and Security Teams<br><br />
* John Wilander (OWASP Sweden) - Browser security<br><br />
* Erwin Geirnaert (Zion security) - OWASP Top 10 vs Drupal<Br><br />
* Seba Deleersnyder (OWASP) - Update on OWASP<br><br />
}}<br />
<br><br />
<br />
==== The OWASP BeNeLux Program Committee ====<br />
*Bart De Win / Sebastien Deleersnyder/ Lieven Desmet/ David Mathy, OWASP Belgium<br />
*Martin Knobloch / Ferdinand Vroom, OWASP Netherlands<br />
*Jocelyn Aubert / Andre Adelsbach/ Thierry Zoller, OWASP Luxembourg<br />
*Steven van der Baan, OWASP CTF Project<br />
<br><br />
<br />
=== Tweet! ===<br />
Event tag is [http://twitter.com/#search?q=%23owaspbnl12 #owaspbnl12]<br />
<br><br><br />
==== Donate to OWASP BeNeLux ====<br />
<paypal>BeNeLux OWASP Day 2012</paypal><br />
<br />
<!-- Second tab --><br />
= Registration =<br />
<br />
==== OWASP BeNeLux training day and conference are free! ==== <br />
<br />
=== Registration is open: ===<br />
<br />
[http://owaspbenelux2012.eventbrite.com/ http://www.owasp.org/images/7/77/Buttoncreate.png]<br />
<br />
<br><br />
To support the OWASP organisation, consider to become a member, it's only US$50!<br />
<br> <br />
Check out the [[Membership]] page to find out more. <br />
<br><br />
<br />
<br />
<!-- Third tab --><br />
= Venue =<br />
<br />
=== Venue is the iMinds-DistriNet Research Group @ KU Leuven ===<br />
<br />
''Celestijnenlaan, 200A<br><br />
3001 Heverlee<br><br />
Belgium<br>''<br />
<br><br />
<br />
<br>'''Parking & roadmap''':<br />
<br />
There is a public parking close to the conference venue.<br />
<br />
Roadmap and parking: http://distrinet.cs.kuleuven.be/about/route/<br />
<br />
<br />
<br>'''Hotels nearby''': <br> <br />
Board house (close to the venue)<br> http://www.boardhouse.be<br><br />
The lodge (close to the venue)<br> http://www.booking.com/hotel/be/the-lodge-heverlee.en.html<br><br />
Begijnhof Congres Hotel (1 km from the venue)<br> http://www.bchotel.be/<br><br />
La Royale (2 km from the venue)<br> http://www.laroyale.be<br> <br />
Hotel Ibis (2 km from the venue)<br> http://www.accorhotels.com/gb/hotel-1457-ibis-leuven-centrum/index.shtml<br> <br />
Mercure (2 km from the venue) <br> http://www.mercure.com/gb/hotel-7862-hotel-mercure-leuven-center/index.shtml<br> <br />
New Damshire (2 km from the venue)<br> http://www.hotelnewdamshire.be<br> <br />
<br />
<br />
<!-- Fourth tab --><br />
<br />
= Trainingday =<br />
<br />
==== Trainingday, November 29th ====<br />
<br />
==== Location ====<br />
The training room is: <br />
''Celestijnenlaan, 200A, fifth floor<br><br />
3001 Heverlee<br><br />
Belgium<br>''<br />
<br><br />
<br />
(for details, check the {{#switchtablink:Venue|Venue}} tab)<br />
<br />
==== Agenda ==== <br />
{| class="wikitable"<br />
! Time !! Description !! Room 1 !! Room 2 !! Room 3 !! Room 4<br />
|-<br />
| 08h30 - 9h30<br />
| colspan="5" style="text-align: center; background: grey; color: white;" | ''Registration''<br />
|-<br />
| 09h30 - 11h00 || Training<br />
| rowspan="7" style="width:100px;" | [[#DinisCruz|Advanced O2, by Dinis Cruz <br/><br/> Room 04.112]]<br />
| rowspan="7" style="width:100px;" | [[#DanCornell|SDLC with Open Source tools, by Dan Cornell <br/><br/> Room 05.128]]<br />
| rowspan="7" style="width:100px;" | [[#VolkertDeBuisonje|Secure Java Development with ESAPI (hands-on), by Volkert de Buisonjé <br/><br/> Room 05.152]]<br />
| rowspan="7" style="width:100px;" | [[#MartinKnobloch|Essential Web Appplication Security (OWASP Top 10, Webgoat, WebScarab), by Martin Knobloch <br/><br/> Room 05.001]]<br />
|-<br />
| 11h00 - 11h30 || ''Coffee Break''<br />
|-<br />
| 11h30 - 13h00 || Training<br />
|-<br />
| 13h00 - 14h00 || ''Lunch''<br />
|-<br />
| 14h00 - 15h30 || Training<br />
|-<br />
| 15h30 - 16h00 || ''Coffee Break''<br />
|-<br />
| 16h00 - 17h30 || Training<br />
|}<br />
<br />
<br />
<br />
<br />
<br />
<br><br />
<br />
<div id="VolkertDeBuisonje"></div><br />
<br />
=== Secure Java Development workshop with ESAPI, by Volkert de Buisonjé (Sogeti) ===<br />
''Workshop:''<br><br />
First, attendees will receive a brief introduction on application awareness. Then they will get acquainted with Webgoat, a "deliberately insecure J2EE web application" designed as a practice tool for secure application development and testing. They will learn how to exploit some vulnerabilities in Webgoat, through for instance Cross-Site Scripting (CSS) and Cross-Site Request Forgery (CSRF) attacks. Finally, the ESAPI library will be introduced and the attendees will learn how to apply ESAPI to fix such vulnerabilities in Webgoat's source code.<br><br />
<br><br />
''Prerequisites for this workshop:''<br><br />
* Reasonable knowledge of and experience with Java development<br />
* A laptop running a recent version of Linux, Mac OS X, or Windows<br />
* The most recent version of VirtualBox (4.x) installed<br />
* At least 2GB of RAM<br />
* At least 2GB of disk space<br />
<br><br />
''Bio:''<br><br />
Volkert de Buisonjé is a senior Java developer at Sogeti. He specializes in, and teaches application security courses, both to coworkers and to customers. Knowledge sharing (in both directions) is his passion. Volkert likes making friends and talking a lot. He never shuns a good discussion, and prefers to bring a high amount of interactivity to his classes. :-)<br><br />
<br><br />
<br><br />
<br />
<div id="DinisCruz"></div><br />
=== Advanced O2, by Dinis Cruz (Security Innovation) ===<br />
''Workshop:''<br><br />
The O2 platform represents a new paradigm for how to perform, document and distribute Web Application security reviews. O2 is designed to Automate Security Consultants Knowledge and Workflows and to Allow non-security experts to access and consume Security Knowledge.<br />
<br><br />
''Bio:''<br><br />
Dinis Cruz is a Security Consultant based in London (UK) and specialized in: ASP.NET/J2EE Application Security, Application Security audits and .NET Security Curriculum Development.<br><br />
For the past years Dinis has focused on the field of Static Source Code analysis, from May 2007 to Dec 2009 he worked as a independent consultant for Ounce Labs (bought by IBM in July 2009) where during active security engagements using Ounce's technology he developed the Open Source codebase which now is the foundation of the OWASP O2 Platform.<br><br />
Dinis is currently focused on making the O2 Platform the industry standard for consuming, instrumenting and data-sharing between the multiple WebAppSec tools, the Security consultants and the final developers. Dinis is a also active trainer on .Net security having written and delivered courses for IOActive, Foundstone, Intense School and KPMG (at multiple locations including BlackHat), and has delivered a number of presentations and keynote speeches at multiple OWASP and Security related conferences.<br><br />
At OWASP, Dinis is the leader of the OWASP O2 Platform project<br><br />
<br><br />
<br><br />
<br />
<div id="MartinKnobloch"></div><br />
<br />
=== Essential Web Appplication Security (OWASP Top 10, Webgoat, WebScarab), by Martin Knobloch (PervaSec) ===<br />
''Abstract:''<br><br />
This workshop is an introduction into (web) application security with hands-on labs, using OWASP documentation and tooling.<br />
You will be introduced into the security mindset, discus the OWASP TopTen 2010 and learn basic skills in how to find vulnerabilities in web applications. All tools and documentation are provided during the training.<br><br />
<b>As this is an hands-on workshop, please bring your own laptop!</b> <br><br />
Course structure:<br />
*Introduction OWASP, OWASP tool and documentation<br />
*Security Testing mindset <br />
*1st Lab: OWASP WebGoat / WebScarab <br />
*OWASP Top Ten 2010<br />
*OWASP Testing Guide <br />
*2nd Lab: OWASP WebGoat / WebScarab <br />
*3rd Lab: OWASP Hackademic / ZAP <br />
*Summary and completion <br />
Prerequisites for this workshop:<br />
*Basic understanding of HTTP and web application testing/development<br />
*An open mind<br />
<br><br />
''Bio:''<br><br />
Martin is an independent security consultant and owner of PervaSec (http://www.pervasec.nl). His main working area is (software) security in general, from awareness to implementation. In his daily work, he is responsible for education in application security matters, advise and implementation of application security measures.<br><br />
At OWASP, Martin is member of the Dutch chapter board and chair of the Global Education Committee and contributes to several projects.<br><br />
Martin is a frequent speaker at conferences, universities and hacker spaces.<br />
<br><br />
<br />
<br />
<div id="DanCornell"></div><br />
<br />
=== Building a Software Security Program On Open Source Tools, by Dan Cornell (Denim Group) ===<br />
''Abstract:''<br><br />
Using the Software Assurance Maturity Model (OpenSAMM) as a framework, this course walks through the major components of a comprehensive software security program and highlights open source and other freely-available tools that can be used to help implement the activities involved in such a program. The focus of the course is on providing hands-on demonstrations of the tools with an emphasis on integrating tool results into the overall software security program. Featured tools include: ESAPI, Microsoft Web Protection Library, FindBugs, FxCop, CAT.NET, Brakeman, Agnitio, Arachini, w3af, ZAProxy, ThreadFix as well as other educational resources from OWASP. Attendees should finish the course with a solid understanding of the various components of a comprehensive software security program as well as hands-on experience with a variety of freely-available tools that they can use to implement portions of these programs.<br><br />
<br><br />
''Outline:''<br><br />
* So You Want To Roll Out A Software Security Program?<br />
* The Software Assurance Maturity Model (OpenSAMM)<br />
* ThreadFix: Overview<br />
* Governance: Strategy and Metrics<br />
** ThreadFix: Reporting<br />
* Governance: Policy and Compliance<br />
* Governance: Education and Guidance<br />
** OWASP Development Guide<br />
** OWASP Cheat Sheets<br />
** OWASP Secure Coding Practices<br />
* Construction: Threat Assessment<br />
* Construction: Security Requirements<br />
* Construction: Secure Architecture<br />
** ESAPI overview<br />
** Microsoft Web Protection Library (Anti-XSS) overview<br />
* Verification: Design Review<br />
** Microsoft Threat Analysis and Modeling Tool<br />
* Verification: Code Review<br />
** FindBugs<br />
** FxCop<br />
** CAT.NET<br />
** Brakeman<br />
** Agnitio<br />
* Verification: Security Testing<br />
** Arachni<br />
** w3af<br />
** ZAProxy<br />
* Deployment: Vulnerability Management<br />
** ThreadFix: Defect Tracker Integration<br />
* Deployment: Environment Hardening<br />
** Microsoft Baseline Security Analyzer (MBSA)<br />
* Deployment: Operational Enablement<br />
** mod_security<br />
<br><br />
''Bio:''<br><br />
Dan Cornell has over fifteen years of experience architecting and developing web-based software systems. He leads Denim Group’s security research team in investigating the application of secure coding and development techniques to improve web-based software development methodologies.<br><br />
Dan was the founding coordinator and chairman for the Java Users Group of San Antonio (JUGSA) and currently serves as the OWASP San Antonio chapter leader, member of the OWASP Global Membership Committee and co-lead of the OWASP Open Review Project. Dan has spoken at such international conferences as RSA, OWASP AppSec USA, and OWASP EU Research in Greece.<br><br />
<br><br />
<br />
<br />
<!-- Fifth tab --><br />
<br />
= Conferenceday =<br />
<br />
==== Conferenceday, November 30th ====<br />
<br />
==== Location ====<br />
The conference takes place in auditorium K.06, the registration and catering in the foyer of building 200A (ground floor) (for details, check the {{#switchtablink:Venue|Venue}} tab)<br />
<br />
==== Agenda ==== <br />
{| class="wikitable"<br />
! width="90pt" | Time<br />
! width="130pt" | Speaker !! Topic<br />
|- <br />
| 09h00 - 10h00<br />
| colspan="2" style="text-align: center; background: grey; color: white" | ''Registration''<br />
|- <br />
| 10h00 - 10h15 || OWASP Benelux Organization || Welcome ([https://www.owasp.org/images/a/ad/OWASP_BeNeLux_Day_2012_-_Organization_welcome.ppt PPT])<br />
|-<br />
| 10h15 - 10h30 || Sebastien Deleersnyder || OWASP update ([https://www.owasp.org/images/d/d7/OWASP-Update-BeNeLux-Day-2012_v1.pptx PPT])<br />
|-<br />
| 10h30 - 11h10 || [[#JohnWilander|John Wilander]] || ''' Secure Web Integration Patterns in the Era of HTML5'''<br>''Abstract:'' Quite a few organizations are finding themselves in a legacy situation with their web applications. Over ten years have passed since the era of dynamic HTML and with the rise of HTML5 and mobile platforms there is now need to gradually move these legacy beasts into a new architecture. Additionally, more and more third party services are offered such as maps, tracking, social media tie-ins, video etc. What are the possible and suitable design patterns for bringing new web, old web, and third party web together? Can we isolate them from each other to secure the new apps from legacy and third party security vulnerabilities? We will dig into the postMessage api, the iframe sandbox directive, CORS, and the same-origin policy while comparing it to the previous generation of integration with jsonp and other hacks.<br />
|-<br />
| 11h10 - 11h50 || [[#LievenDesmet|Lieven Desmet]] || '''Sandboxing Javascript''' ([https://www.owasp.org/images/1/10/Sandboxing-Javascript.pdf PDF])<br>''Abstract:'' The inclusion of third-party scripts in web pages is a common practice. A recent study has shown that more than half of the Alexa top 10 000 sites include scripts from more than 5 different origins. However, such script inclusions carry risks, as the included scripts operate with the privileges of the including website.<br><br />
In this talk, we propose JSand, a server-driven but client-side JavaScript sandboxing framework. JSand requires no browser modifications: the sandboxing framework is implemented in JavaScript and is delivered to the browser by the websites that use it. Enforcement is done entirely at the client side: JSand enforces a server-specified policy on included scripts without requiring server-side filtering or rewriting of scripts.<br><br />
Most importantly, JSand is complete: access to all resources is mediated by the sandbox.<br><br />
We describe the design and implementation of JSand, and we show that it is secure, backwards compatible, and that it performs sufficiently well.<br><br />
|-<br />
| 11h50 - 12h30 || [[#ErwinGeirnaert|Erwin Geirnaert]] || '''OWASP Top 10 vs Drupal'''<br>''Abstract:'' Drupal is the most used and well-known open source content management system in the world. Created by Dries Buytaert years ago it has grown with the support of a big community. Drupal 7 is already released and there is an entire ecosystem for Drupal and Drupal web agencies.<br><br />
During this presentation we will discuss the findings of an automated static code analysis of Drupal 6 and Drupal 7 and how Drupal protects against the OWASP Top 10 Application Security Risks. We will explain the security weaknesses that remain when you use Drupal and what you can implement to have a secure cloud server running Drupal.<br><br />
|-<br />
| 12h30 - 13h30<br />
| colspan="2" style="text-align: center;background: grey; color: white" | ''Lunch'' <br />
|-<br />
| 13h30 - 14h10 || [[#AsiaSlowinska|Asia Slowinska]] || '''Body Armor for Binaries'''<br>''Abstract:'' BinArmor is a novel technique to protect existing C binaries from memory corruption attacks on both control data and non-control data. Without access to source code, non-control data attacks cannot be detected with current techniques. Our approach hardens binaries against both kinds of overflow, without requiring the pro- grams’ source or symbol tables. We show that BinArmor is able to stop real attacks—including the recent non- control data attack on Exim. Moreover, we did not in- cur a single false positive in practice. On the downside, the current overhead of BinArmor is high—although no worse than competing technologies like taint analysis that do not catch attacks on non-control data. Specifi- cally, we measured an overhead of 70% for gzip, 16%- 180% for lighttpd, and 190% for the nbench suite.<br />
|-<br />
| 14h10 - 14h50 || [[#MarcHullegieAndKeesMastwijk|Marc Hullegie and Kees Mastwijk]] || '''Forensics'''<br>''Abstract:'' In today’s investigations, forensics has become an important investigative method in fighting and solving (cyber)crimes and irregularities. During the session you will be briefly taken through the landscape of Forensics Basics; the Fraud Triangle and scenario's; What to look for and the appliance of Digital Forensics. What are the Challenges, the required Skills and Expertise and Solutions to these challenges. Specific focus on the Forensics of Web Applications and what you can do the create a more forensic ready system.<br><br />
|-<br />
| 14h50 - 15h30 || [[#DanCornell|Dan Cornell]] || '''Streamlining Application Vulnerability Management: Communication Between Development and Security Teams'''<br>''Abstract:'' Identifying application-level vulnerabilities via scanning, penetration tests and code reviews is only the first step in actually addressing the underlying risk. Managing vulnerabilities for applications is more challenging than dealing with traditional infrastructure-level vulnerabilities because they typically require the coordination of security teams with application development teams. The process also means that security managers need to get time from developers during already-cramped development and release schedules. In addition, fixes require changes to custom application code and application-specific business logic rather than the patches and configuration changes that are often sufficient to address infrastructure-level vulnerabilities. This presentation will illustrate the communication difficulties between security and development teams, and how this usually results in unactionable reports and fewer vulnerabilities remediated. In addition, the presentation will walk through an example workflow of addressing application vulnerabilities as software defects. This will be based on freely-available tools and show specific examples of how vulnerabilities can be grouped together, false positives can be culled out, and vulnerabilities transitioned to software defects, as well as how security managers can monitor and verify progress.<br><br />
|-<br />
| 15h30 - 15h50<br />
| colspan="2" style="text-align: center;background: grey; color: white" | ''Break'' <br />
|-<br />
| 15h50 - 16h30 || [[#RuedigerBachmann|Ruediger Bachmann]] || '''Code review for Large Companies'''<br>''Abstract:''Static source code analysis should be an essential part in the secure software development life cycle (SDLC) to start to minimize the number of potential vulnerabilities already in a very early stage in the software development process.<br><br />
The introduction of static code analysis at a large software manufacturer is a big challenge. In addition to the technical difficulties – based on the sheer number and size of the software projects or the number of different programing languages – there are also non-technical issues like creating new security awareness, trainings to use the provided tools efficiently and integration of analysis processes into the software development and maintenance life cycle.<br><br />
This talk gives an overview of the company-wide introduction of static code analysis at SAP AG.<br />
|-<br />
| 16h30 - 17h10 || [[#DinisCruz|Dinis Cruz]] || '''Making Security Invisible by Becoming the Developer’s Best Friends'''<br>''Abstract:'' Coming soon!<br />
|-<br />
| 17h10 - 17h50 || <br />
* Steven Wierckx<br />
* Luc Beirens<br />
* Jos Dumortier<br />
* Dieter Sarrazyn<br />
* Erwin Geirnaert<br />
* John Wilander<br />
|| '''Panel Discussion about the legal aspects of penetration testing'''<br> ''Abstract:'' In the past couple of years security has become a more visible topic in the media. As a result many companies are asking for security reviews in the form of a penetration test. A lot of entrepreneurs took the opportunity to form teams and/or companies that provide such services. There seems to be a lack of clear (standard) legal documentation to cover these activities both for the penetration tester and the company under review. With this panel discussion we would like to discuss this situation and to see if there is a possibility to have a standard document or framework that can be used as a starting point for companies and professionals to use as a contract. The purpose would be to end up with a (set of) documents similar to the “Testaankoop standard huurcontract”, this is a well-known Belgian contract framework for renting a house where both parties are protected and that is clear to both parties. It can be used without further legal intervention.<br />
|-<br />
| 17h50 - 18h00 || OWASP Benelux 2012 organization || '''Closing Notes'''<br />
|}<br />
<br />
<br><br />
<br><br />
<br />
<div id="AsiaSlowinska"></div><br />
<br />
=== Body Armor for Binaries, by Asia Slowinska (Vrije Universiteit Amsterdam) ===<br />
''Abstract:''<br><br />
BinArmor is a novel technique to protect existing C binaries from memory corruption attacks on both control data and non-control data. Without access to source code, non-control data attacks cannot be detected with current techniques. Our approach hardens binaries against both kinds of overflow, without requiring the pro- grams’ source or symbol tables. We show that BinArmor is able to stop real attacks—including the recent non- control data attack on Exim. Moreover, we did not in- cur a single false positive in practice. On the downside, the current overhead of BinArmor is high—although no worse than competing technologies like taint analysis that do not catch attacks on non-control data. Specifi- cally, we measured an overhead of 70% for gzip, 16%- 180% for lighttpd, and 190% for the nbench suite.<br><br />
<br><br />
''Bio:''<br><br />
I am a postdoctoral researcher in the System and Network Security group at the Vrije Universiteit Amsterdam, under the guidance of Prof. dr. ir. Herbert Bos.<br><br />
I obtained my PhD from the Vrije Universiteit Amsterdam. My dissertation Using information flow tracking to protect legacy binaries was completed under the supervision of Prof. dr. ir. Herbert Bos, while my copromotor was Prof. dr. ir. Henri E. Bal.<br><br />
During my PhD studies, I interned twice with Microsoft Research Cambridge, where I joined the Systems and Performance Group. I also spent few months interning with the Systems and Security Department at Institute for Infocomm Research in Singapore.<br><br />
My research focuses on developing techniques to automatically analyze and reverse engineer complex software that is available only in binary form. Further, I’ve been looking into mechanisms that proactively protect software from malicious activities. Currently, I am involved in a project on Reverse Engineering of binaries, known as Rosetta.<br><br />
<br><br />
<br />
<div id="RuedigerBachmann"></div><br />
=== Code review for Large Companies, by Ruediger Bachmann (SAP) ===<br />
''Abstract:''<br><br />
Static source code analysis should be an essential part in the secure software development life cycle (SDLC) to start to minimize the number of potential vulnerabilities already in a very early stage in the software development process.<br><br />
The introduction of static code analysis at a large software manufacturer is a big challenge. In addition to the technical difficulties – based on the sheer number and size of the software projects or the number of different programing languages – there are also non-technical issues like creating new security awareness, trainings to use the provided tools efficiently and integration of analysis processes into the software development and maintenance life cycle.<br><br />
This talk gives an overview of the company-wide introduction of static code analysis at SAP AG.<br />
<br><br />
''Bio:''<br><br />
After graduating with a degree in mathematics and computer science at the University of Giessen in 1997, Ruediger Bachmann worked at various software companies and IT service providers mainly in software development. Currently he is employed at SAP AG in Germany as a Development Architect in the central code analysis team. There he is focusing on application security and security code scans.<br><br />
<br />
<div id="LievenDesmet"></div><br />
<br />
=== Sandboxing JavaScript, by Lieven Desmet (Research Manager at KU Leuven) ===<br />
''Abstract:''<br><br />
The inclusion of third-party scripts in web pages is a common practice. A recent study has shown that more than half of the Alexa top 10 000 sites include scripts from more than 5 different origins. However, such script inclusions carry risks, as the included scripts operate with the privileges of the including website.<br><br />
In this talk, we propose JSand, a server-driven but client-side JavaScript sandboxing framework. JSand requires no browser modifications: the sandboxing framework is implemented in JavaScript and is delivered to the browser by the websites that use it. Enforcement is done entirely at the client side: JSand enforces a server-specified policy on included scripts without requiring server-side filtering or rewriting of scripts. Most importantly, JSand is complete: access to all resources is mediated by the sandbox.<br><br />
We describe the design and implementation of JSand, and we show that it is secure, backwards compatible, and that it performs sufficiently well.<br><br />
<br><br />
''Bio:''<br><br />
Lieven Desmet is Research Manager on Software Secure at the iMinds-DistriNet Research Group (KU Leuven, Belgium), where he coaches junior researchers in web application security and participates in dissemination and valorization activities. His interests are in security of middleware and web-enabled technologies. Lieven is actively engaged in OWASP and is board member of the OWASP Chapter Belgium.<br><br />
<br><br />
<br><br />
<br />
<div id="ErwinGeirnaert"></div><br />
=== OWASP Top 10 vs Drupal, by Erwin Geirnaert (Zion Security) ===<br />
''Abstract:''<br><br />
Drupal is the most used and well-known open source content management system in the world. Created by Dries Buytaert years ago it has grown with the support of a big community. Drupal 7 is already released and there is an entire ecosystem for Drupal and Drupal web agencies.<br><br />
During this presentation we will discuss the findings of an automated static code analysis of Drupal 6 and Drupal 7 and how Drupal protects against the OWASP Top 10 Application Security Risks. We will explain the security weaknesses that remain when you use Drupal and what you can implement to have a secure cloud server running Drupal.<br><br />
<br><br />
''Bio:''<br><br />
Erwin founded ZION SECURITY in 2005 to help companies to protect against the latest threats, attacks against web applications. ZION SECURITY is nowadays a Belgian market leader in the field of security testing, vulnerability management, penetration testing and banking security. Erwin has more than 10 years of experience in web security, graduating with a Master of Science in Software Development from the University of Ghent. Erwin executes different types of projects for a lot of international software companies, financial institutions, telecom and web agencies. Specialist in executing code reviews in different development languages for critical applications, executing continuous penetration tests of their infrastructure and Internet applications. A specialist in J2EE, PHP, .NET, mobile app and web services security. Erwin architects secure e-business projects for web agencies and software companies. He is a recognized application security expert and speaker at international events like Javapolis, OWASP, Eurostar, LSEC,...<br><br />
<br><br />
<br />
<div id="MarcHullegieAndKeesMastwijk"></div><br />
=== Forensics, by Marc Hullegie and Kees Mastwijk (Vest Information Security) === <br />
''Abstract:''<br><br />
In today’s investigations, forensics has become an important investigative method in fighting and solving (cyber)crimes and irregularities. During the session you will be briefly taken through the landscape of Forensics Basics; the Fraud Triangle and scenario's; What to look for and the appliance of Digital Forensics. What are the Challenges, the required Skills and Expertise and Solutions to these challenges. Specific focus on the Forensics of Web Applications and what you can do the create a more forensic ready system.<br><br />
<br><br />
''Bio:''<br><br />
Marc Hullegie is founder and CEO of Vest Information Security and is widely experienced in the information security business in all types of areas: Security Architecture and Infrastructure, Security Audits and Testing, Security Management, Awareness and Digital Forensics. He presents lectures at (international) conferences and is looking forward to share experiences at the OWASP Benelux days 2012 with you.<br><br />
<br> <br />
''Bio:''<br><br />
Kees Mastwijk is a security consultant working with Vest, acting as Security Auditor, Awareness Program leader and security Manager. He has a long (and ongoing) experience history in Digital Forensic Research.<br><br />
<br><br />
<br />
<div id="JohnWilander"></div><br />
=== Secure Web Integration Patterns in the Era of HTML5, by John Wilander (Svenska Handelbanken) ===<br />
''Abstract:''<br><br />
Quite a few organizations are finding themselves in a legacy situation with their web applications. Over ten years have passed since the era of dynamic HTML and with the rise of HTML5 and mobile platforms there is now need to gradually move these legacy beasts into a new architecture. Additionally, more and more third party services are offered such as maps, tracking, social media tie-ins, video etc. What are the possible and suitable design patterns for bringing new web, old web, and third party web together? Can we isolate them from each other to secure the new apps from legacy and third party security vulnerabilities? We will dig into the postMessage api, the iframe sandbox directive, CORS, and the same-origin policy while comparing it to the previous generation of integration with jsonp and other hacks.<br />
<br><br />
''Bio:''<br><br />
John Wilander is a frontend software developer at Svenska Handelbanken, the second strongest bank in the world according to Bloomberg Markets. He has been researching and working in application security for ten years and is an active leader in OWASP, the Open Web Application Security Project. In 2011 he organized the OWASP Summit Browser Security sessions in Portugal, with participants from the security teams behind Chrome, Firefox, Internet Explorer, Flash, and PayPal. During his years in academia he was elected best computer science teacher twice and nowadays gives 5-10 professional talks per year.<br><br />
<br><br />
<br><br />
<br />
<div id="DanCornell"></div><br />
<br />
=== Streamlining Application Vulnerability Management: Communication Between Development and Security Teams, by Dan Cornell (Denim Group) ===<br />
''Abstract:''<br><br />
Identifying application-level vulnerabilities via scanning, penetration tests and code reviews is only the first step in actually addressing the underlying risk. Managing vulnerabilities for applications is more challenging than dealing with traditional infrastructure-level vulnerabilities because they typically require the coordination of security teams with application development teams. The process also means that security managers need to get time from developers during already-cramped development and release schedules. In addition, fixes require changes to custom application code and application-specific business logic rather than the patches and configuration changes that are often sufficient to address infrastructure-level vulnerabilities. This presentation will illustrate the communication difficulties between security and development teams, and how this usually results in unactionable reports and fewer vulnerabilities remediated. In addition, the presentation will walk through an example workflow of addressing application vulnerabilities as software defects. This will be based on freely-available tools and show specific examples of how vulnerabilities can be grouped together, false positives can be culled out, and vulnerabilities transitioned to software defects, as well as how security managers can monitor and verify progress.<br><br />
<br><br />
''Bio:''<br><br />
''Dan Cornell has over fifteen years of experience architecting and developing web-based software systems. He leads Denim Group’s security research team in investigating the application of secure coding and development techniques to improve web-based software development methodologies.<br><br />
Dan was the founding coordinator and chairman for the Java Users Group of San Antonio (JUGSA) and currently serves as the OWASP San Antonio chapter leader, member of the OWASP Global Membership Committee and co-lead of the OWASP Open Review Project. Dan has spoken at such international conferences as RSA, OWASP AppSec USA, and OWASP EU Research in Greece.''<br><br />
<br><br />
<br><br />
<br />
<div id="DinisCruz"></div><br />
=== Making Security Invisible by Becoming the Developer’s Best Friends, by Dinis Cruz (Security Innovation) ===<br />
''Abstract:''<br><br />
''Coming soon!''<br><br />
<br><br />
''Bio:''<br><br />
Dinis Cruz is a Security Consultant based in London (UK) and specialized in: ASP.NET/J2EE Application Security, Application Security audits and .NET Security Curriculum Development.<br><br />
For the past years Dinis has focused on the field of Static Source Code analysis, from May 2007 to Dec 2009 he worked as a independent consultant for Ounce Labs (bought by IBM in July 2009) where during active security engagements using Ounce's technology he developed the Open Source codebase which now is the foundation of the OWASP O2 Platform.<br><br />
Dinis is currently focused on making the O2 Platform the industry standard for consuming, instrumenting and data-sharing between the multiple WebAppSec tools, the Security consultants and the final developers. Dinis is a also active trainer on .Net security having written and delivered courses for IOActive, Foundstone, Intense School and KPMG (at multiple locations including BlackHat), and has delivered a number of presentations and keynote speeches at multiple OWASP and Security related conferences.<br><br />
At OWASP, Dinis is the leader of the OWASP O2 Platform project<br><br />
<br><br />
<br><br />
<br />
=== Panel discussion about the legal aspects of penetration testing ===<br />
''with Steven Wierckx, Luc Beirens, Jos Dumortier, Dieter Sarrazyn, ...''<br><br><br />
''Abstract:''<br> In the past couple of years security has become a more visible topic in the media. As a result many companies are asking for security reviews in the form of a penetration test. A lot of entrepreneurs took the opportunity to form teams and/or companies that provide such services. There seems to be a lack of clear (standard) legal documentation to cover these activities both for the penetration tester and the company under review. With this panel discussion we would like to discuss this situation and to see if there is a possibility to have a standard document or framework that can be used as a starting point for companies and professionals to use as a contract. The purpose would be to end up with a (set of) documents similar to the “Testaankoop standard huurcontract”, this is a well-known Belgian contract framework for renting a house where both parties are protected and that is clear to both parties. It can be used without further legal intervention.<br><br />
<br><br />
<li>''Bio Steven Wierckx, ps_testware:''<br><br />
Steven Wierckx is currently working as Security Tester for [http://www.pstestware.com/ ps_testware], he specialises in web application security and keeps a security related blog [http://www.ihackforfun.eu/ ihackforfun]. He is also wrting articles and doing technical reviews for PenTest Magazine.<br><br />
<br><br />
<li>''Bio Luc Beirens, FCCU:''<br><br />
Head of Belgian Federal Computer Crime Unit & Chair EU Cybercrime Task Force trying to create partnerships and circumstances for a safer cyberspace.<br><br />
<br><br />
<li>''Bio Jos Dumortier, ICRI:''<br><br />
Jos Dumortier is Professor of ICT Law at the University of Leuven (Belgium) and the Director of the Interdisciplinary Research Centre for ICT and Law (ICRI) (www.icri.be). With his research team he participates in a series of R & D projects in the domain of telemedicine.<br><br />
He is also a member of the Bar of Brussels and partner in “time.lex”, a law firm specialized in information and technology law (www.timelex.eu).<br><br />
He participates in the boards of several national and international scientific and business associations and is a member of various editorial and program committees. <br><br />
He is the editor of the International Encyclopedia of Cyber Law and the author of more than one hundred books and articles on legal issues related to the information society.<br><br />
Jos Dumortier has taken the lead in a large number of European studies and projects in the area of information security, privacy and identity management. He worked on an assignment of the European Commission (DG INFSO) for a study on the legal obstacles for interoperable eHealth in Europe and on several studies for the Flemish government related to the implementation of a regional eHealth platform. He is also a member of the Flemish data protection supervisory authority for the health sector.<br><br />
<br><br />
<li>''Bio Dieter Sarrazyn, PWC:''<br><br />
Dieter is a senior manager and consultant within PwC and a team leader for Risk Management assessment services. His main focus is in performing penetration tests (external as well as internal), performing security audits, creating and evaluating security architectures,and creating and setting up vulnerability management frameworks & tools. He is a Certified Information Systems Security Professional (CISSP), a Certified Intrusion Analyst (GCIA), a Certified Incident Handling Analyst (GCIH), a Certified Intrusion Analyst (GCIA) a GIAC Systems and Network Auditor (GSNA). Dieter is also SANS Local Mentor and SANS Community Teacher<br><br />
<br><br />
<br><br />
<br />
<!-- Sixth tab --><br />
<br />
= Social Event =<br />
<br />
==== Social Event, November 29th ====<br />
<br />
==== <B>Important Update</B> ====<br />
The brewery visit is limit to 60 people. Therefor, the 60 first registered people that indicated interest in the social event have been invited to participate. Any remaining tickets will be offered on Thursday around noon at the registration desk.<br />
<br />
If you are going by car, there are paid parkings under the Railway station and at Kinepolis (follow the parking signs). If you want to go there from the venue without car, the best way to get there is to take bus No.2 that leaves next to the building and drives to the Railway station. From there, it is a 300 m. walk to the brewery.<br />
<br />
All other people (and the people of the brewery tour after that has finished) are warmly invited to join us in the Downtown Jack, a pub with a number of pool and snooker tables. 5 pool tables have been exclusively reserved for us from 20h00 onwards. You can also have a drink and eat something there if you like.<br />
<br />
The address: Parkstraat 40, 3000 Leuven (see http://www.downtownjack.be/)<br />
<br />
==== <B>Brewery Visit Information</B> ====<br />
The social event will take place at the InBev Brewery in Leuven, where there will be a guided tour and a beer tasting.<br><br />
Unfortunately, the tour is limited to 60 people. Since we have more registered people than places, we will soon announce how we will<br />
proceed.<br><br />
If you decide not to join, please inform the Benelux organisation, other participants will be happy to join.<br><br />
<br><br />
'''The entrance fee for the tour is 10 EUR'''. <br><br />
This amount will have to be paid to the Benelux organisation at the registration desk or upon entry in cash (please use correct notes).<br><br />
<br><br />
Below is the address where the event takes place. You can take your car, bus number 2 or a taxi to reach this.<br> '''The tour starts at 19h30 sharp'''.<br><br />
<br><br />
'''Address:''' <br><br />
Vuurkruisenlaan z/n <br><br />
3000 Leuven<br><br />
<br><br />
'''From the station:'''<br><br />
Take the street 'Diestepoort' (this street is parrallel with the railway behind the building)and walk straight through. You can see the brewery at the end of the street.<br><br />
'''By car:'''<br><br />
From the street diestesteenweg or beckeremieplein head to the railroadbridge. At the crossroad take first right, this is the entrance of the brewery. from the expressway R23 head to the Hotel ''NOVOTEL''. Take the street left from ''NOVOTEL'', this is the ''vuurkruisenlaan''. On your left side you can see the brewery. At the<br />
next crossroad take the first left, this is the entrance of the brewery.<br><br />
<br><br />
'''ENTRANCE BREWERY:'''<br><br />
is also the entrance for the trucks, next to the railroadbridge.<br><br />
We will meet at the entrance at 19h30 where the tour will start.<br><br><br />
<br />
<br />
<!-- Seventh tab --><br />
<br />
= CTF =<br />
<br />
==== Capture the Flag! ====<br />
<br />
* Do you like puzzles? <br />
* Do you like challenges? <br />
* Are you a hacker?<br />
<br />
Whether you are an experienced hacker or new enthusiast you should come to OWASP BeNeLux 2012 and participate in the Capture the Flag event November 30th 2012. <br />
<br />
The OWASP CTF is especially designed to support challengers of all skill levels. The CTF contains multiple challenges in various fields related to application security. As every challenge gains you one point, you can pick and choose which challenge you want to play.<br />
<br />
All you need is a laptop with a wifi card and your favorite (preferably) non-commercial tools. <br />
<br />
So come, show off your skills, learn new tricks and above all have a good time at the CTF event. <br />
<br />
<br />
<!-- Eighth tab --><br />
<br />
= Sponsor =<br />
<br />
==== Become a sponsor of OWASP BeNeLux ====<br />
<br />
==== Donate to OWASP BeNeLux ====<br />
<br />
<paypal>BeNeLux OWASP Day 2012</paypal> <br />
<br />
<br />
==== Promotion ====<br />
''Feel free to use the text below to promote our event!''<br />
<br />
We invite you to our next OWASP event: the '''BeNeLux OWASP Days 2012!'''<br />
<br />
Free your agenda on the 29th and 30th of November, 2012.<br />
<br />
The good news: free! No fee!<br />
<br />
The bad news: there are only 280 seats available (first register, first serve)!<br />
<br />
<br />
<!-- Don't remove these two lines! --><br />
__NOTOC__ <br />
<headertabs/><br />
<br />
<br />
==== Hosted and co-organized by: ====<br />
<br />
[http://distrinet.cs.kuleuven.be https://www.owasp.org/images/4/4a/Logo_distrinet.png]<br />
[http://www.nessos-project.eu/ https://www.owasp.org/images/5/52/Nessos.png]<br />
<br />
==== Made possible by our {{#switchtablink:Sponsor|Sponsors}}====<br />
<br />
==== OWASP Member Sponsor: ====<br />
{{MemberLinks|link=http://www.pwc.com/|logo=PWC_log_resized.png}} <br />
<br />
==== OWASP BeNeLux 2012 Sponsors: ====<br />
[http://www.madisongurkha.nl https://www.owasp.org/images/6/6e/Madison-gurkha-logo.jpg]<br />
[http://www.sogeti.nl https://www.owasp.org/images/9/94/Sogeti_logo.png]<br />
[http://www.vest.nl https://www.owasp.org/images/1/1d/Logo_Vest_BIG_170.gif]<br />
<br><br />
[http://www.iminds.be https://www.owasp.org/images/thumb/a/a1/Iminds-logo.png/200px-Iminds-logo.png]<br />
[http://www.zionsecurity.com https://www.owasp.org/images/e/e6/Zionsecurity.jpg]<br />
[http://on2it.net https://www.owasp.org/images/3/3d/On2it-sponsor.png]<br />
<br><br />
<br />
<br />
[[Category:OWASP_AppSec_Conference]] [[Category:OWASP_BeNeLux_Archives]]</div>Favroomhttps://wiki.owasp.org/index.php?title=Netherlands&diff=149808Netherlands2013-04-15T12:50:09Z<p>Favroom: </p>
<hr />
<div>{{Chapter Template|chaptername=Netherlands|extra=|mailinglistsite=http://lists.owasp.org/mailman/listinfo/owasp-netherlands|emailarchives=http://lists.owasp.org/pipermail/owasp-netherlands}} <br />
<br />
<br />
<paypal>Netherlands</paypal><br />
<br />
<!-- First tab --><br />
<br />
= Local News =<br />
<br />
;The next OWASP Netherlands Chapter meeting will be on May 14th in 's Hertogenbosch, more details soon!<br />
<br />
;'''Provisional 2013 Chapter Event Calendar'''<br />
*May 14th, 2013<br />
*June 27th, 2013<br />
*September 12th, 2013<br />
*November 7th, 2013<br />
*November 28th and 29th, 2013: OWASP Benelux Conference<br />
<br />
;'''Other OWASP Events'''<br />
;'''[https://www.owasp.org/index.php/AppSecEU2013 AppSec-EU Hambug August 2th to 23rd 2013]'''<br />
;'''[https://www.owasp.org/index.php?title=BeNeLux_OWASP_Day_2013 November 28th and 29th 2013: OWASP Benelux meeting in the Netherlands!]'''<br />
;[https://docs.google.com/a/owasp.org/spreadsheet/viewform?formkey=dGs1UFN0Ul9YR1pRcGdYRmtYallraUE6MQ#gid=0 OWASP NL Chapter Call For Presentation]<br />
<br />
<br />
[[File:Follow-us-on-twitter.png|frameless|100px|link=http://www.twitter.com/owasp_NL]]<br />
<br />
<!-- Second tab --><br />
<br />
= Calendar =<br />
<br />
=== Provisional Chapter Event Calendar 2013 ===<br />
<br />
*<strike> January 31st, 2013 </strike> <br />
<!-- *<strike> [[:Netherlands March 7, 2013]]</strike>[[Media:OWASP Netherlands Chapter Meeting 2013-03-07.pdf | flyer]] --><br />
*<strike> [http://owaspdutchchaptermeeting07032013.eventbrite.nl March 7th, 2013]</strike> [[Media:OWASP Netherlands Chapter Meeting 2013-03-07.pdf | flyer]] <br />
*<strike> [[:Netherlands March 13, 2013]]</strike>[[Media:OWASP Netherlands Chapter Meeting 2013-03-13.pdf | flyer]]<br />
<!-- *<strike> [http://owaspdutchchaptermeeting13032013.eventbrite.nl March 13th, 2013]</strike> Radboud University Nijmegen, Beta-faculty Huygensgebouw, Heyendaalseweg 135, Nijmegen (Parkeergarage P11) --><br />
*<strike> [[Netherlands April 10, 2013 | Netherlands April 10, 2013 - Vrije Universiteit Amsterdam - De Boelelaan 1085, 1081 HV Amsterdam NL - Room: M129 in the FEW building]] - [[Media:OWASP Netherlands Chapter Meeting 2013-04-10.pdf | download the flyer]] - [[Media:OWASP Netherlands Chapter Meeting 2013-04-10_poster.pdf | download the poster]]</strike><br />
*; [http://owaspdutchchaptermeeting10042013.eventbrite.com/# Click here for registration]<br />
*May 14th, 2013<br />
*June 27, 2013<br />
*'''[https://www.owasp.org/index.php/AppSecEU2013 August 2th to 23rd 2013 AppSec-EU Hambug]'''<br />
*September 12, 2013<br />
*November 7, 2012<br />
*'''[https://www.owasp.org/index.php?title=BeNeLux_OWASP_Day_2013 November 28th and 29th 2013: OWASP Benelux meeting in the Netherlands!]'''<br />
<br />
<!-- Third tab --><br />
<br />
= Past Events =<br />
*Events held in [[Netherlands Previous Events 2013|2013]]<br />
*Events held in [[Netherlands Previous Events 2012|2012]]<br />
*Events held in [[Netherlands Previous Events 2011|2011]]<br />
*Events held in [[Netherlands Previous Events 2010|2010]] <br />
*Events held in [[Netherlands Previous Events 2009|2009]] <br />
*Events held in [[Netherlands Previous Events 2008|2008]] <br />
*Events held in [[Netherlands Previous Events 2007|2007]] <br />
*Events held in [[Netherlands Previous Events 2006|2006]] <br />
*Events held in [[Netherlands Previous Events 2005|2005]]<br />
<br />
<!-- Fourth tab --><br />
<br />
= Chapter Leaders =<br />
<br />
The Netherlands Chapter is supported by the following board: <br />
<br />
*[https://www.owasp.org/index.php/User:Ferdinand_Vroom Ferdinand Vroom]<br />
*[https://www.owasp.org/index.php/User:Knoblochmartin Martin Knobloch], PervaSec<br />
<br />
<br> <br />
<br />
*[mailto:netherlands@owasp.org OWASP Netherlands], OWASP Netherlands board email adres<br />
<br />
Our goal is to professionalize the local OWASP functioning, provide in a bigger footprint to detect OWASP opportunities such as speakers/topics/sponsors/… and set a 5 year target on: Target audiences, Different events and Interactions of OWASP global – local projects. <br />
<br />
<!-- Fifth and last tab --><br />
<br />
= Chapter Support =<br />
<br />
=== Chapter Sponsoring ===<br />
<br />
OWASP Netherlands is looking for organizations to sponsor our chapter. <br />
If you are interested in sponsoring the Netherlands chapter please contact us via email: [mailto:netherlands@owasp.org netherlands 'at' owasp.org]. <br />
<br />
=== Donation ===<br />
<br />
If you would like to donate to our chapter, please use the PayPal link at the top of this page.<br />
Thank you!<br />
<br />
=== Call for Speakers ===<br />
<br />
We are continuously looking for speakers.<br>'''Presentations:''' Are you working on an interesting subject, would you like to share your experience with the OWASP community and do you have presentation skills. Please let us know! Any topic related to web application security will be appreciated!<br>'''VAC, Vulnerability, Attack, Countermeasure:''' The VAC is a re occuring part of the chapter meetings. The VAC is a half hour in-depth technical presentation about a vulnerability, how it can be exploited and how to prevent it!<br> <br />
<br />
<span style="font-weight: bold;">Links: </span> <br />
<br />
[http://www.owasp.org/index.php/Speaker_Agreement Speaker Agreement] <br />
<br />
[http://www.owasp.org/images/5/54/Presentation_template.ppt Template] <br />
<br />
Interested in presenting at a local chapter meeting, please send an email to: netherlands 'at' owasp.org <br />
<br />
=== Call for Location ===<br />
<br />
For the OWASP Netherlands chapter meetings to come, we are continuously looking for locations! <br />
<br />
Most preferable, the location is good accessible with public transport and by car. Free parking should be provided. <br />
<br />
What do we expect: <br />
<br />
*meeting room for at least 50 people <br />
*lunch for attendees <br />
**drinks, sandwiches... <br />
*a small present for the speakers <br />
**(e.g. bottle of wine, for speakers from aboard alcohol might be less practical if flying in only with hand luggage)<br />
<br />
Interested in sponsoring a local chapter meeting, please send an email to: netherlands 'at' owasp.org <br />
<!-- Don't remove this tag --><br />
__NOTOC__ <br />
<headertabs/><br />
<br />
<br />
OWASP Belgium thanks its structural chapter supporters for 2012 and the OWASP BeNeLux Days 2012: <br />
<br />
[http://www.madisongurkha.nl https://www.owasp.org/images/6/6e/Madison-gurkha-logo.jpg]<br />
[http://www.sogeti.nl https://www.owasp.org/images/9/94/Sogeti_logo.png]<br />
[http://www.vest.nl https://www.owasp.org/images/1/1d/Logo_Vest_BIG_170.gif]<br />
<br />
[[Category:Europe]]</div>Favroomhttps://wiki.owasp.org/index.php?title=Netherlands&diff=149804Netherlands2013-04-15T12:10:45Z<p>Favroom: </p>
<hr />
<div>{{Chapter Template|chaptername=Netherlands|extra=|mailinglistsite=http://lists.owasp.org/mailman/listinfo/owasp-netherlands|emailarchives=http://lists.owasp.org/pipermail/owasp-netherlands}} <br />
<br />
<br />
<paypal>Netherlands</paypal><br />
<br />
<!-- First tab --><br />
<br />
= Local News =<br />
<br />
;The next OWASP Netherlands Chapter meeting will be on May 14th in 's Hertogenbosch, more details soon!<br />
<br />
;'''Provisional 2013 Chapter Event Calendar'''<br />
*May 14th, 2013<br />
*June 27th, 2013<br />
*September 12th, 2013<br />
*November 7th, 2013<br />
;'''[https://www.owasp.org/index.php/AppSecEU2013 AppSec-EU Hambug August 2th to 23rd 2013]'''<br />
;'''November 28th and 29th 2013: OWASP Benelux meeting in the Netherlands!'''<br />
;[https://docs.google.com/a/owasp.org/spreadsheet/viewform?formkey=dGs1UFN0Ul9YR1pRcGdYRmtYallraUE6MQ#gid=0 OWASP NL Chapter Call For Presentation]<br />
<br />
<br />
[[File:Follow-us-on-twitter.png|frameless|100px|link=http://www.twitter.com/owasp_NL]]<br />
<br />
<!-- Second tab --><br />
<br />
= Calendar =<br />
<br />
=== Provisional Chapter Event Calendar 2013 ===<br />
<br />
*<strike> January 31st, 2013 </strike> <br />
<!-- *<strike> [[:Netherlands March 7, 2013]]</strike>[[Media:OWASP Netherlands Chapter Meeting 2013-03-07.pdf | flyer]] --><br />
*<strike> [http://owaspdutchchaptermeeting07032013.eventbrite.nl March 7th, 2013]</strike> [[Media:OWASP Netherlands Chapter Meeting 2013-03-07.pdf | flyer]] <br />
*<strike> [[:Netherlands March 13, 2013]]</strike>[[Media:OWASP Netherlands Chapter Meeting 2013-03-13.pdf | flyer]]<br />
<!-- *<strike> [http://owaspdutchchaptermeeting13032013.eventbrite.nl March 13th, 2013]</strike> Radboud University Nijmegen, Beta-faculty Huygensgebouw, Heyendaalseweg 135, Nijmegen (Parkeergarage P11) --><br />
*<strike> [[Netherlands April 10, 2013 | Netherlands April 10, 2013 - Vrije Universiteit Amsterdam - De Boelelaan 1085, 1081 HV Amsterdam NL - Room: M129 in the FEW building]] - [[Media:OWASP Netherlands Chapter Meeting 2013-04-10.pdf | download the flyer]] - [[Media:OWASP Netherlands Chapter Meeting 2013-04-10_poster.pdf | download the poster]]</strike><br />
*; [http://owaspdutchchaptermeeting10042013.eventbrite.com/# Click here for registration]<br />
*May 14th, 2013<br />
*June 27, 2013<br />
*'''[https://www.owasp.org/index.php/AppSecEU2013 August 2th to 23rd 2013 AppSec-EU Hambug]'''<br />
*September 12, 2013<br />
*November 7, 2012<br />
*'''November 28th and 29th 2013: OWASP Benelux meeting in the Netherlands!'''<br />
<br />
<!-- Third tab --><br />
<br />
= Past Events =<br />
*Events held in [[Netherlands Previous Events 2013|2013]]<br />
*Events held in [[Netherlands Previous Events 2012|2012]]<br />
*Events held in [[Netherlands Previous Events 2011|2011]]<br />
*Events held in [[Netherlands Previous Events 2010|2010]] <br />
*Events held in [[Netherlands Previous Events 2009|2009]] <br />
*Events held in [[Netherlands Previous Events 2008|2008]] <br />
*Events held in [[Netherlands Previous Events 2007|2007]] <br />
*Events held in [[Netherlands Previous Events 2006|2006]] <br />
*Events held in [[Netherlands Previous Events 2005|2005]]<br />
<br />
<!-- Fourth tab --><br />
<br />
= Chapter Leaders =<br />
<br />
The Netherlands Chapter is supported by the following board: <br />
<br />
*[https://www.owasp.org/index.php/User:Ferdinand_Vroom Ferdinand Vroom]<br />
*[https://www.owasp.org/index.php/User:Knoblochmartin Martin Knobloch], PervaSec<br />
<br />
<br> <br />
<br />
*[mailto:netherlands@owasp.org OWASP Netherlands], OWASP Netherlands board email adres<br />
<br />
Our goal is to professionalize the local OWASP functioning, provide in a bigger footprint to detect OWASP opportunities such as speakers/topics/sponsors/… and set a 5 year target on: Target audiences, Different events and Interactions of OWASP global – local projects. <br />
<br />
<!-- Fifth and last tab --><br />
<br />
= Chapter Support =<br />
<br />
=== Chapter Sponsoring ===<br />
<br />
OWASP Netherlands is looking for organizations to sponsor our chapter. <br />
If you are interested in sponsoring the Netherlands chapter please contact us via email: [mailto:netherlands@owasp.org netherlands 'at' owasp.org]. <br />
<br />
=== Donation ===<br />
<br />
If you would like to donate to our chapter, please use the PayPal link at the top of this page.<br />
Thank you!<br />
<br />
=== Call for Speakers ===<br />
<br />
We are continuously looking for speakers.<br>'''Presentations:''' Are you working on an interesting subject, would you like to share your experience with the OWASP community and do you have presentation skills. Please let us know! Any topic related to web application security will be appreciated!<br>'''VAC, Vulnerability, Attack, Countermeasure:''' The VAC is a re occuring part of the chapter meetings. The VAC is a half hour in-depth technical presentation about a vulnerability, how it can be exploited and how to prevent it!<br> <br />
<br />
<span style="font-weight: bold;">Links: </span> <br />
<br />
[http://www.owasp.org/index.php/Speaker_Agreement Speaker Agreement] <br />
<br />
[http://www.owasp.org/images/5/54/Presentation_template.ppt Template] <br />
<br />
Interested in presenting at a local chapter meeting, please send an email to: netherlands 'at' owasp.org <br />
<br />
=== Call for Location ===<br />
<br />
For the OWASP Netherlands chapter meetings to come, we are continuously looking for locations! <br />
<br />
Most preferable, the location is good accessible with public transport and by car. Free parking should be provided. <br />
<br />
What do we expect: <br />
<br />
*meeting room for at least 50 people <br />
*lunch for attendees <br />
**drinks, sandwiches... <br />
*a small present for the speakers <br />
**(e.g. bottle of wine, for speakers from aboard alcohol might be less practical if flying in only with hand luggage)<br />
<br />
Interested in sponsoring a local chapter meeting, please send an email to: netherlands 'at' owasp.org <br />
<!-- Don't remove this tag --><br />
__NOTOC__ <br />
<headertabs/><br />
<br />
<br />
OWASP Belgium thanks its structural chapter supporters for 2012 and the OWASP BeNeLux Days 2012: <br />
<br />
[http://www.madisongurkha.nl https://www.owasp.org/images/6/6e/Madison-gurkha-logo.jpg]<br />
[http://www.sogeti.nl https://www.owasp.org/images/9/94/Sogeti_logo.png]<br />
[http://www.vest.nl https://www.owasp.org/images/1/1d/Logo_Vest_BIG_170.gif]<br />
<br />
[[Category:Europe]]</div>Favroom