= Main =
<div style="width:100%;height:90px;border:0,margin:0;overflow: hidden;">[[File: flagship_big.jpg|link=]]</div>

{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |

<div style="font-size:120%;border:none;margin: 0;color:#000">

'''OWASP SAMM v1.5 available in the downloads section!'''

We are now working on the Beta release of OWASP SAMMv2, our work in progress is available [https://owaspsamm.org online on our new web site]. <br>

'''Join our monthly calls'''
* The monthly call is on each 2nd Wednesday of the month at 21h30 CEST / 3:30pm EST. <br>
* Please join our GoToMeeting: https://global.gotomeeting.com/join/262891661 <br>
* The call is open for everybody interested in SAMM or who wants to work on SAMM. <br>

'''Join us on the OWASP SAMM project Slack channel'''
* Join our project slack channel on https://owasp.slack.com/messages/C0VF1EJGH
* If you do not have an OWASP Slack workspace account yet, contact one of our project leaders to get an invite link.

'''2018 OWASP SAMM Summit (4-8 JUNE 2018, London)'''
* Join our 2018 OWASP SAMM Summit near London as part of the [https://open-security-summit.org/ Open Security Summit].<br>
* We will organize working sessions in a 5-day sprint to draft SAMM v2.0.
* Register online [https://open-security-summit.org/tickets/ here]
* Sponsor the SAMM2, more details [https://www.owasp.org/index.php/OWASP_SAMM_Project#tab=Project_Sponsors here]

The Software Assurance Maturity Model (SAMM) is an open framework to help organizations formulate and implement a strategy for software security that is tailored to the specific risks facing the organization. SAMM helps you:
* '''Evaluate an organization’s existing software security practices'''
* '''Build a balanced software security assurance program in well-defined iterations'''
* '''Demonstrate concrete improvements to a security assurance program'''
* '''Define and measure security-related activities throughout an organization'''

''Dell uses OWASP’s Software Assurance Maturity Model (Owasp SAMM) to help focus our resources and determine which components of our secure application development program to prioritize.'', ('''Michael J. Craigue, Information Security & Compliance, Dell, Inc.''')

Follow OWASP SAMM on twitter: [https://twitter.com/owaspsamm @owaspsamm]

{{Social Media Links}}

| valign="top" style="padding-left:25px;width:200px;" |

== Quick Download v1.5 ==
[https://github.com/OWASP/samm/raw/master/Supporting%20Resources/v1.5/Final/OWASP_SAMM_v1.5.zip All SAMM v1.5 files (.zip)] <br>
[https://github.com/OWASP/samm/raw/master/Supporting%20Resources/v1.5/Final/SAMM_Core_V1-5_FINAL.pdf SAMM Core Model] <br>
[https://github.com/OWASP/samm/raw/master/Supporting%20Resources/v1.5/Final/SAMM_How_To_V1-5_FINAL.pdf How-To Guide] <br>
[https://github.com/OWASP/samm/raw/master/Supporting%20Resources/v1.5/Final/SAMM_Quick_Start_V1-5_FINAL.pdf Quick Start Guide] <br>
[https://github.com/OWASP/samm/raw/master/Supporting%20Resources/v1.5/Final/SAMM_Assessment_Toolbox_v1.5_FINAL.xlsx SAMM Toolbox] <br>
[https://github.com/OWASP/samm/raw/master/Supporting%20Resources/v1.5/Final/SAMM_Assessment_Toolbox_v1.5-Example_FINAL.xlsx SAMM Toolbox Example] <br>
[https://github.com/OWASP/samm/ OWASP SAMM on GitHub]

== Quick Download v1.1.1 ==

[https://github.com/OWASP/samm/raw/master/Supporting%20Resources/v1.1/Final/SAMM_Core_V1-1-Final-1page.pdf SAMM Core Model]<br>
[https://github.com/OWASP/samm/raw/master/Supporting%20Resources/v1.1/Final/SAMM_How_To_V1-1-Final-1page.pdf How-To Guide] <br>
[https://github.com/OWASP/samm/raw/master/Supporting%20Resources/v1.1/Final/SAMM_Quick_Start_V1-1-Final-1page.pdf Quick-Start Guide] <br>
[https://github.com/OWASP/samm/raw/master/Supporting%20Resources/v1.1/Final/SAMM_Assessment_Toolbox_v1-1-Final.xlsx Updated SAMM Tool Box]<br>
[https://github.com/OWASP/samm OWASP SAMM on GitHub]

== News and Events ==
Please see the [https://www.owasp.org/index.php/OWASP_SAMM_Project#News News] and [https://www.owasp.org/index.php/OWASP_SAMM_Project#Talks Talks] tabs

== Change Log ==
* OWASP SAMM v1.5 Released! ([http://www.prnewswire.com/news-releases/owasp-samm-v15-helps-organizations-improve-their-security-posture-300439237.html Press Release])
* OWASP SAMM v1.1 Released! ([http://www.prnewswire.com/news-releases/owasp-releases-software-assurance-maturity-model-samm-version-11-for-improving-software-security-300236836.html Press Release])
* OpenSAMM v1.1 RC - [http://lists.owasp.org/pipermail/samm/2015-December/000758.html available for review]

== Email List ==

Questions? Please ask on the [https://lists.owasp.org/mailman/listinfo/samm SAMM Mailing List]

== Project Leaders ==

[https://www.owasp.org/index.php/User:Sdeleersnyder Seba Deleersnyder] <br /> [https://www.owasp.org/index.php/User:Bart_De_Win Bart De Win]

== Related Projects ==

*

==Classifications==

{| width="200" cellpadding="2"
|-
| rowspan="2" align="center" valign="top" width="50%" | [[File:Owasp-flagship-trans-85.png|link=https://www.owasp.org/index.php/OWASP_Project_Stages#tab=Flagship_Projects]]
| align="center" valign="center" width="50%" | [[File:Owasp-defenders-small.png|link=]]
|
|-
| align="center" valign="center" width="50%" | [[File:Owasp-builders-small.png|link=]]
|-
| colspan="2" align="center" | [[File:Cc-button-y-sa-small.png|link=http://creativecommons.org/licenses/by-sa/3.0/]]
|-
| colspan="2" align="center" | [[File:Project_Type_Files_DOC.jpg|link=]]
|}

|}

= Browse Online =
[[Image:OwaspSAMM.png|right]]

The foundation of the model is built upon the core business functions of software development with security practices tied to each (see diagram below). The building blocks of the model are the three maturity levels defined for each of the twelve security practices. These define a wide variety of activities in which an organization could engage to reduce security risks and increase software assurance. Additional details are included to measure successful activity performance, understand the associated assurance benefits, estimate personnel and other costs.

[[Image:SAMM-Overview.png|720px]]

===== Click on any badge to learn more =====

{| cellpadding="1"
|[https://www.owasp.org/index.php/SAMM_-_Governance https://www.owasp.org/images/f/f7/G.png]
|-
| align="center" |'''Strategy & Metrics'''
|{{SAMM-BadgeList|name=Strategy_&_Metrics|abbr=SM|padding=0}}
|-
| align="center" |'''Policy & Compliance'''
|{{SAMM-BadgeList|name=Policy_&_Compliance|abbr=PC|padding=0}}
|-
| align="center" |'''Education & Guidance'''
|{{SAMM-BadgeList|name=Education_&_Guidance|abbr=EG|padding=0}}
|-
|[https://www.owasp.org/index.php/SAMM_-_Construction https://www.owasp.org/images/e/ee/C.png]
|-
| align="center" |'''Threat Assessment'''
|{{SAMM-BadgeList|name=Threat_Assessment|abbr=TA|padding=0}}
|-
| align="center" |'''Security Requirements'''
|{{SAMM-BadgeList|name=Security_Requirements|abbr=SR|padding=0}}
|-
| align="center" |'''Secure Architecture'''
|{{SAMM-BadgeList|name=Secure_Architecture|abbr=SA|padding=0}}
|-
|[https://www.owasp.org/index.php/SAMM_-_Verification https://www.owasp.org/images/8/83/V.png]
|-
| align="center" |'''Design Review'''
|{{SAMM-BadgeList|name=Design_Review|abbr=DR|padding=0}}
|-
| align="center" |'''Code Review'''
|{{SAMM-BadgeList|name=Code_Review|abbr=CR|padding=0}}
|-
| align="center" |'''Security Testing'''
|{{SAMM-BadgeList|name=Security_Testing|abbr=ST|padding=0}}
|-
|[https://www.owasp.org/index.php/SAMM_-_Deployment https://www.owasp.org/images/5/54/D.png]
|-
| align="center" |'''Vulnerability Management'''
|{{SAMM-BadgeList|name=Vulnerability_Management|abbr=VM|padding=0}}
|-
| align="center" |'''Environment Hardening'''
|{{SAMM-BadgeList|name=Environment_Hardening|abbr=EH|padding=0}}
|-
| align="center" |'''Operational Enablement'''
|{{SAMM-BadgeList|name=Operational_Enablement|abbr=OE|padding=0}}
|-
|}

= Downloads =

The latest work in progress can be found on Github: https://github.com/OWASP/samm

Download SAMM v1.5
* [https://github.com/OWASP/samm/blob/master/v1.5/Final/OWASP_SAMM_v1.5.zip All SAMM v1.5 files (.zip)] Zip file containing all the v1.5 files below;
* [https://github.com/OWASP/samm/blob/master/v1.5/Final/SAMM_Core_V1-5_FINAL.pdf SAMM Core Model] document, explaining the maturity model;
* [https://github.com/OWASP/samm/blob/master/v1.5/Final/SAMM_How_To_V1-5_FINAL.pdf How-To Guide] with implementation guidance;
* [https://github.com/OWASP/samm/blob/master/v1.5/Final/SAMM_Quick_Start_V1-5_FINAL.pdf Quick-Start Guide] with different steps to improve your secure software practice;
* [https://github.com/OWASP/samm/blob/master/v1.5/Final/SAMM_Assessment_Toolbox_v1.5_FINAL.xlsx SAMM Toolbox] to perform SAMM assessments and create SAMM roadmaps;
* [https://github.com/OWASP/samm/blob/master/v1.5/Final/SAMM_Assessment_Toolbox_v1.5-Example_FINAL.xlsx SAMM Tool Box Example] to provide an example SAMM assessment;

Download SAMM v1.1
* [https://github.com/OWASP/samm/blob/master/v1.1/Final/SAMM_Core_V1-1-Final.pdf SAMM Core Model] document, explaining the maturity model;
* [https://github.com/OWASP/samm/blob/master/v1.1/Final/SAMM_How_To_V1-1-Final.pdf How-To Guide] with implementation guidance;
* [https://github.com/OWASP/samm/blob/master/v1.1/Final/SAMM_Quick_Start_V1-1-Final.pdf Quick-Start Guide] with different steps to improve your secure software practice;
* [https://github.com/OWASP/samm/blob/master/v1.1/Final/SAMM_Assessment_Toolbox_v1-1-Final.xlsx Updated SAMM Tool Box] to perform SAMM assessments and create SAMM roadmaps;

Download OpenSAMM v1.0:
* in [https://www.owasp.org/images/c/c0/SAMM-1.0.pdf English - PDF], [https://www.owasp.org/images/2/25/SAMM-1.0-en_US-0.3.xml.zip English - XML]
* in [https://www.owasp.org/images/a/a9/SAMM-1.0-es_MX.pdf Spanish - PDF], [https://www.owasp.org/images/a/a1/SAMM-1.0-es_MX-0.3.xml.zip Spanish - XML]
* in [https://www.owasp.org/images/a/a9/SAMM-1.0-ja_JP.pdf Japanese - PDF], not available as XML
* in [https://www.owasp.org/images/f/fd/SAMM-1.0-cn.pdf Chinese - PDF], not available as XML

Available resources to apply SAMM:
* Browse OWASP and other resources for SAMM Security practices: [[:Category:SAMM-Resources]]

Trainings:
* Recent OWASP SAMM 1-Day training slide deck delivered by Bart De Win and Sebastien Deleersnyder at AppSec Europe 2014 in Cambridge
** Slide deck download [https://www.owasp.org/images/d/df/OpenSAMM_Training_vFINAL.pptx here]
** Training description download [https://www.owasp.org/images/7/7c/Training_-_Bootstrap_and_improve_your_SDLC_with_OpenSAMM.docx here]

Assessments:
* SAMM v1.5 Toolbox
** Download the new v1.5 Toolbox with the updated scoring model [https://github.com/OWASP/samm/blob/master/v1.5/Final/SAMM_Assessment_Toolbox_v1.5_FINAL.xlsx SAMM v1.5 Toolbox]
* SAMM v1.1 Toolbox
** download the v1.1 toolbox, including the updated questions [https://github.com/OWASP/samm/blob/master/v1.1/Final/SAMM_Assessment_Toolbox_v1-1-Final.xlsx here]
* Assessment Interview Template by Nick Coblentz for SAMM V1.0
** This [https://www.owasp.org/images/c/cf/20090607-SAMMAssessmentInterviewTemplate-1.0.xls spreadsheet] breaks down the assessment questionnaire from the SAMM framework into assertion statements that can be used to drive assessment interviews.
* Roadmap Chart Template by Colin Watson for SAMM V1.0
** This [https://www.owasp.org/images/e/e2/20090610-Samm-roadmap-chart-template.xls spreadsheet] provides a simple way to capture the data for a SAMM roadmap and automatically generate graphics similar to those that appear in the framework.
* Assessment Worksheet by Christian Frichot for SAMM V1.0
** This is an easy-to-use [https://www.owasp.org/images/e/e2/20090610-Samm-roadmap-chart-template.xls spreadsheet] containing the assessment questionnaire from the SAMM framework. Features some auto-scoring to make the appearance very polished.
* Project Plan Template by Jim Weiler for SAMM V1.0
** This is a [https://www.owasp.org/images/3/33/SAMMProject.zip project plan template] (MS Project) that captures the activities from the SAMM levels. Useful for copying pieces into existing development project schedules.

Mappings:
* BSIMM-6 mapping to SAMM activities:
** Spreadsheet download [https://github.com/OWASP/opensamm/tree/master/v1.1/mapping here]
** Presentation with start of analysis download [https://www.owasp.org/images/6/66/OpenSAMM_-_BSIMM-V_mapping.pptx here]
* BSIMM mapping to SAMM during the 2011 Summit:
** This [https://www.owasp.org/images/2/2e/20110301-OpenSAMM-BSIMM-Mapping.xlsx spreadsheet] contains an activity-level mapping between OpenSAMM and BSIMM. Note that in some cases, multiple BSIMM activities map to a single SAMM activity (109 in BSIMM map to 72 in SAMM).

Tools:
*Javascript visualization framework for SAMM on [https://github.com/qudosoft-labs/SAMMCharts github]

= Community =

[[Image:OwaspSAMM.png|right]]
<div style="font-size:120%;border:none;margin: 0;color:#000">
{{:Projects/OWASP SAMM Project/Pages/Community | Community}}

</div>

= Summit =

[[Image:OwaspSAMM.png|right]]

In 2016 we organized our second OWASP SAMM Summit in New York on 20-21 April, details [https://www.owasp.org/index.php/OWASP_SAMM_Summit_2016 >here<] !!

Read the wrap-up of the Summit here: https://docs.google.com/document/d/19_LC1euR7ZuazRYgeblhPE1Fv6E8N56Bu8zANq2JB30/edit

In 2015 we organized our the first OWASP SAMM Summit in Dublin on 27-28 March, details [https://www.owasp.org/index.php/OWASP_SAMM_Summit_2015 >here<] !!

Summit Notes:
* 28 Mar 2015 - https://docs.google.com/document/d/1pC4har75olF1WPZaqRfXFG9T3SS_qoEUvHkEynE0iTI/edit
* Summit outcome is described [http://www.opensamm.org/2015/04/opensamm-summit-dublin-outcome/ here]
''"The SAMM summit provided an opportunity to breathe new life into a framework that I use to facilitate my day-to-day work and support my customers."'' Bruce C Jenkins, Fortify Security Lead, Hewlett-Packard Company

Previous workshop Notes:

During the AppSec conferences, the SAMM project team organises workshops for you to influence the direction SAMM evolves.

This is also an excellent opportunity to exchange experiences with your peers.

If you plan on attending http://appsec.eu be sure to get involved in the SAMM workshop (scheduled on Jun-23).
* The agenda for the SAMM Workshop in Cambridge on 23-Jun-2014 is available [https://docs.google.com/document/d/1tXqIovpSuFqycVYetdGSC2PiPygySymiLUhHT5yHR2M/edit here].

Previous workshop notes:
* The notes for the SAMM Workshop in New York on 21-Nov-2013 are available [https://docs.google.com/document/d/1PwoDVsWyhoWksBiLIRh8UOh-QCs8H7QMqrSUsS13WzU/edit here].
* The notes for the SAMM Workshop in Hamburg on 21-Aug-2013 are available [https://docs.google.com/document/d/12mB7FkmhcI04YDZle_VD90n1xcENgNhAGqZkCAb6EkM/edit here].

= Talks =
[[Image:OwaspSAMM.png|right]]
<div style="font-size:120%;border:none;margin: 0;color:#000">
Upcoming talks featuring SAMM are listed here:

* OWASP DC - Software Assurance Maturity Model (SAMM) with Brian Glas! (2017-03-15)
* OWASP NoVA - SAMM 1.5, what's changed and how it impacts you (2017-03-16)
* InfoSec World - Software Assurance Maturity Model Evolutions (2017-04-03)

past talks:

* OWASP SAMM v1.5 Webinar - Brian Glas discussing the SAMM model and changes in v1.5 (watch - [https://www.youtube.com/watch?v=4pKdwRb8fTI youtube]) - 2017
* OWASP 24/7 - Seba Deleersnyder discussing the upcoming SAMM Summit (listen - [https://soundcloud.com/owasp-podcast/seba-deleersnyder-discusses-samm-software-assurance-maturity-model-summit-in-dublin-ireland here]) - 2015
* OWASP Germany Day 2014: Seba Deleersnyder: OpenSAMM Best Practices: Lessons from the Trenches (download [https://www.owasp.org/images/f/fa/OpenSAMM_Best_Practices_Lessons_from_the_Trenches_-_Seba_Deleersnyder.pdf presentation]) - 2014
* AppSecEU14: Seba Deleersnyder & Bart De Win: OpenSAMM Best Practices: Lessons from the Trenches OpenSAMM Best Practices: Lessons from the Trenches (download [https://www.owasp.org/images/6/6f/OpenSAMM_-_AppSecEU_2014_-_Seba-Bart_v20140528.pptx presentation], see [https://www.youtube.com/watch?v=qcCgeBeBLUg video]) - 2014
* AppSecEU13 - Hamburg: Seba Deleersnyder presenting a project update (download [https://www.owasp.org/images/3/32/OpenSAMM_-_Project_Status_-_Hamburg_2013.pdf presentation]) - 2013
* OWASP Europe Tour 2013 - Geneva: Seba Deleersnyder presenting OpenSAMM and the renewed project (download [https://www.owasp.org/images/c/cd/OpenSAMM_-_OWASP_Tour_13_Talk_-_Seba.pptx presentation]) - 2013
* AppSecEU11 - Athens: Colin Watson presenting SAMM Training (download [https://www.owasp.org/images/1/18/Owasp-training-samm-greece.pdf presentation]) - 2011
* AppSecEU09: Pravir Chandra presenting OpenSAMM v1.0 (download [https://www.owasp.org/images/4/49/AppSecEU09_OpenSAMM-1.0.ppt presentation]) - 2009
* Matt Bartoldus presentation on new SAMM project during OWASP London chapter (download [https://www.owasp.org/images/d/df/OpenSAMM.pdf presentation]) - 2009
* Pravir Chandra - first presentation discussing the next generation to the CLASP Project- a complete working of the details into a Software Assurance Maturity Model (SAMM). (download [https://www.owasp.org/images/2/2e/OWASP_CLASP_SAMM.ppt presentation]) - 2009

</div>

= News =
[[Image:OwaspSAMM.png|right]]
<div style="font-size:120%;border:none;margin: 0;color:#000">

Latest News on SAMM
* OWASP SAMM v2.0 workshop at the OWASP Project Summit June 2017
* OWASP SAMM v1.5 Released!
* SAMM Summit 2016 read the [https://docs.google.com/document/d/19_LC1euR7ZuazRYgeblhPE1Fv6E8N56Bu8zANq2JB30/edit wrap-up here]
* OWASP SAMM v1.1 Released! See the [http://www.prnewswire.com/news-releases/owasp-releases-software-assurance-maturity-model-samm-version-11-for-improving-software-security-300236836.html Press Release].
* OpenSAMM v1.1 RC - [http://lists.owasp.org/pipermail/samm/2015-December/000758.html available for review]

</div>

= Languages =
[[Image:OwaspSAMM.png|right]]
<div style="font-size:120%;border:none;margin: 0;color:#000">

'''SAMM v1.0 is available in the following languages:'''

* English
* Spanish
* Japanese
* Chinese

Carlos Allendes created a presentation in Spanish on SAMM during the 2011 LatAm tour, download the [https://www.owasp.org/images/c/cf/05_OWASP_LatamTur2011_OpenSAMM.pdf presentation].
Hubert Grégoire and Sebastien Gioria created a French translation of the OpenSAMM 1.0 Overview presentation available for download [https://www.owasp.org/images/f/fd/OpenSAMM-1.0-fr_FR.ppt here].

You can use [http://crowdin.net/project/owasp-samm Crowdin] to help improve these translations or add new ones right now!

</div>

= Roadmap =
[[Image:OwaspSAMM.png|right]]
<div style="font-size:120%;border:none;margin: 0;color:#000">

Updated roadmap:
Next 1.5 release, updated scoring:
* Clarification of maturity levels (syntactic changes to keep the text consistent)
* Not change activities but try to impose the current scoring system on existing activities, i.e. move from binary yes/no to the multi-tiered questions/answers of the current proposal.
* Show improvements with every activity introduced
* Adapt for the new scoring method
* Update questions for 4-tiers
* Review and where necessary clarify current questions
* Consider v1.1 remarks that were not withheld for the previous release
Targeted completion date: February 28, 2017

SAMM version 2.0
* Core model changed
* Visualisations + flavours for a few development methodologies
* Update quickstart guide, TB, HTG.
* Success metrics: How well does the model work: Linked to the benchmarking project.
Timing: Workshops as part of OWASP Project Summit June 2017

</div>
= Get Involved =
[[Image:OwaspSAMM.png|right]]
<div style="font-size:120%;border:none;margin: 0;color:#000">

Involvement in the development of SAMM is actively encouraged!

You do not have to be a security expert in order to contribute.

Some of the ways you can help:

==Feedback==

Please use the [https://lists.owasp.org/mailman/listinfo/samm Mailing List] for feedback:
* What do like?
* What don't you like?
* How can we make SAMM easier to use?
* How could SAMM be improved?

==Localization==

Are you fluent in another language? Can you help translate SAMM into that language?

You can use [http://crowdin.net/project/owasp-samm Crowdin] to do that!

</div>

= Project Sponsors =
[[Image:OwaspSAMM.png|right]]

<div style="font-size:120%;border:none;margin: 0;color:#000">

SAMM is developed and maintained by a worldwide team of volunteers. We have also been helped by many organizations, either financially or by encouraging their employees to work on SAMM.

==SAMM Adopters==
SAMM is the premier open source software assurance framework. You can find a list of [https://www.owasp.org/index.php/OpenSAMM_Adopters SAMM adopters] online.

==Call for SAMM2 Sponsors==
OWASP SAMM and the upcoming SAMM 2.0 release is the open source software security maturity model used to develop secure software for IT, application and software security technologists.

We are seeking sponsors to support OWASP SAMM. All proceeds from the sponsorship support the mission of the OWASP Foundation and the further development of SAMM. Supporting the project drives the funding for research grants, SAMM hosting, tools, templates, documents, promotion, and more.

By sponsoring SAMM, you not only support an important and flagship OWASP project, you will also get visibility during the next SAMM Summit (part of the OWASP Summit 2018) and recognition on the OWASP SAMM project web site and the next release of SAMM (version 2.0).

For more information: Contact [mailto:seba@owasp.org seba@owasp.org]

==== Acknowledgements ====

We would like to thank the following sponsors who donated funds to our project:

[[File:Fortify blue 800px.png|250px|link=https://www.microfocus.com/en-us/solutions/application-security]]

__NOTOC__ <headertabs></headertabs>

<br />
{{OWASP Book|6888083}}
<br />

[[Category:OWASP Project|Zed Attack Proxy Project]]
[[Category:OWASP_Tool]]
[[Category:OWASP Release Quality Tool|OWASP Release Quality Tool]]
[[Category:OWASP_Download]]
[[Category:Popular]]

File:Fortify blue 800px.png

2019-02-24T14:48:00Z

Sdeleersnyder:

Belgium Events 2019

2019-02-24T13:31:08Z

2018-10-10T05:07:58Z

Sdeleersnyder: Sdeleersnyder moved page OWASP BeNeLux-Day 2018 to OWASP BeNeLux-Days 2018: correct event name

OWASP BeNeLux-Day 2018

2018-10-10T05:07:58Z

Sdeleersnyder: Sdeleersnyder moved page OWASP BeNeLux-Day 2018 to OWASP BeNeLux-Days 2018: correct event name

#REDIRECT [[OWASP BeNeLux-Days 2018]]

OWASP BeNeLux-Days 2018

2018-10-04T05:05:20Z

Sdeleersnyder:

<center>[[Image:OBNL18 Banner v2.png]]</center>

<br>


= Information =

== Keynote Speaker ==

{{#switchtablink:Conference Day|<p>
* TBD
}}

== Confirmed Conference Speakers ==

{{#switchtablink:Conference Day|<p>
* TBD
}}

== Confirmed Trainers ==

{{#switchtablink:Training Day|<p>
* TBD
}}

== OWASP BeNeLux conference is free, but registration is required! ==

[[image:Register_now_red.png|link=https://owasp-benelux-day-2018.eventbrite.com |alt=Register for the OWASP BeNeLux Day 2018 | Register for the OWASP BeNeLux Day 2018 ]]

== The OWASP BeNeLux Program Committee ==

*Bart De Win / Sebastien Deleersnyder/ Lieven Desmet/ David Mathy, OWASP Belgium
*Martin Knobloch / Joren Poll, OWASP Netherlands
*Jocelyn Aubert, OWASP Luxembourg

== Tweet! ==

Event tag is [http://twitter.com/#search?q=%23owaspbnl17 #owaspbnl18]

== Donate to OWASP BeNeLux ==

[https://co.clickandpledge.com/?wid=72689 Donate]


= Registration =

== OWASP BeNeLux conference is free, but registration is required! ==



== OWASP BeNeLux training is reserved for OWASP members, and registration is required! ==

To support the OWASP organisation, we ask training attendees to consider becoming an OWASP member, it's only US$50!
Check out the [[Membership]] page to find out more.



To support the OWASP organisation, consider to become a member, it's only US$50! Check out the [[Membership]] page to find out more.


= Venue =

== Address ==

Venue:

'''Congres- en Erfgoedcentrum Lamot'''
Van Beethovenstraat 8-10
2800 Mechelen
Belgium

[https://goo.gl/maps/gZ9icR178w52 Google map]
<br />
[[File:Mechelen-Lamot.jpg|350px|Lamot conference center]]
[[File:Mechelen-lamot-center-auditorium.jpg|350px|Auditorium]]<br />

Parking:<br />
[[File:Parking lots around Lamot Conference center Mechelen.png|500px|Parking facilities]]<br />
[https://goo.gl/maps/Q5TD7hoTuUu Find your parking on Google Maps]

=== How to reach the venue? ===

==== Public transport ====

You can reach the Mechelen's train station from Antwerpen or Brussels.
The Lamot conference center is 10 min away by bus (line 1).

Or you can choose to walk for 15 min (1.2 km).

==== By car ====

===== From Brussels: =====
Follow the E19 Brussels / Antwerpen and take the exit 10. <br> Follow the N1 until the R12 (take a left) and turn to the right at the "Brusselpoort" into the Hoogstraat to reach one of the parkings.

===== From Antwerpen: =====
Follow the E19 Brussels / Antwerpen and take the exit 9. <br> Follow the N16 until the R12 (take a right) and turn to the left at the "Brusselpoort" into the Hoogstraat to reach one of the parkings.

=== Hotels Nearby ===
[https://www.google.com/maps/d/viewer?mid=1eYMYmwXKuAsTilKgpAtyYtfMA7A&ll=51.02648134397288%2C4.47819800000002&z=15 Hotels around the Lamot conference center]


= Training Day =

'''Training Day is November 29th'''

== Agenda (TBD)==

{| class="wikitable"
! Time !! Description !! Room TBA !! Room TBA !! Room TBA
|-
| 08h30 - 9h30
| colspan="5" style="text-align: center; background: grey; color: white;" | ''Registration''
|-
| 09h30 - 11h00 || Training
| rowspan="7" style="width:100px;" | [[#TRAINING_1 | TRAINING_1_TITLE]] by TRAINING_1_TRAINER
| rowspan="7" style="width:100px;" | [[#TRAINING_2 | TRAINING_2_TITLE]] by TRAINING_2_TRAINER
| rowspan="7" style="width:100px;" | [[#TRAINING_3 | TRAINING_3_TITLE]] by TRAINING_3_TRAINER
|-
| 11h00 - 11h30 || ''Coffee Break''
|-
| 11h30 - 13h00 || Training
|-
| 13h00 - 14h00 || ''Lunch''
|-
| 14h00 - 15h30 || Training
|-
| 15h30 - 16h00 || ''Coffee Break''
|-
| 16h00 - 17h30 || Training
|}

== Trainings ==

=== <span id="TRAINING_1">TRAINING_1_TITLE by TRAINING_1_TRAINER</span> ===

==== Topic(s) ====

* TRAINING_1_TOPIC_1
* TRAINING_1_TOPIC_2

==== Keywords ====

TRAINING_1_KEYWORD_1, TRAINING_1_KEYWORD_2

==== Abstract ====

TRAINING_1_ABSTRACT

==== Requirements ====

TRAINING_1_REQUIREMENTS

==== Bio ====

TRAINING_1_TRAINER_BIO

=== <span id="TRAINING_2">TRAINING_2_TITLE by TRAINING_2_TRAINER</span> ===

==== Topic(s) ====

* TRAINING_2_TOPIC_1
* TRAINING_2_TOPIC_2
* ...

==== Keywords ====

TRAINING_2_KEYWORD_1, TRAINING_2_KEYWORD_2, ...

==== Abstract ====

TRAINING_2_ABSTRACT

==== Requirements ====

TRAINING_2_REQUIREMENTS

==== Bio ====

TRAINING_2_TRAINER_BIO

=== <span id="TRAINING_3">TRAINING_3_TITLE by TRAINING_3_TRAINER</span> ===

==== Topic(s) ====

* TRAINING_3_TOPIC_1
* TRAINING_3_TOPIC_2
* ...

==== Keywords ====

TRAINING_3_KEYWORD_1, TRAINING_3_KEYWORD_2, ...

==== Abstract ====

TRAINING_3_ABSTRACT

==== Requirements ====

TRAINING_3_REQUIREMENTS

==== Bio ====

TRAINING_3_TRAINER_BIO


= Conference Day =

'''Conference Day is November 30th'''

== Agenda (TBD)==

{| class="wikitable"
! width="120pt" | Time
! width="190pt" | Speaker
! width="400pt" | Topic
! width="100pt" -- ! | Media
|-
| 08h30 - 09h00
| colspan="3" style="text-align: center; background: grey; color: white" | ''Registration''
|-
| 09h00 - 09h15
| colspan="3" style="text-align: center; background: grey; color: white" | ''Opening''
|-
| 09h15 - 10h00
| [[#TALK_0915 | TALK_0915_PRESENTER]]
| [[#TALK_0915 | TALK_0915_TITLE]]
| not yet available 
|-
| 10h00 - 10h45
| [[#TALK_1000 | TALK_1000_PRESENTER]]
| [[#TALK_1000 | TALK_1000_TITLE]]
| not yet available 
|-
| 10h45 - 11h15
| colspan="3" style="text-align: center;background: grey; color: white" | ''Morning Break''
|-
| 11h15 - 12h00
| [[#TALK_1115 | TALK_1115_PRESENTER]]
| [[#TALK_1115 | TALK_1115_TITLE]]
| not yet available 
|-
| 12h00 - 12h45
| [[#TALK_1200 | TALK_1200_PRESENTER]]
| [[#TALK_1200 | TALK_1200_TITLE]]
| not yet available 
|-
| 12h45 - 13h45
| colspan="3" style="text-align: center;background: grey; color: white" | ''Lunch''
|-
| 13h45 - 14h30
| [[#TALK_1345 | TALK_1345_PRESENTER]]
| [[#TALK_1345 | TALK_1345_TITLE]]
| not yet available 
|-
| 14h30 - 15h15
| [[#TALK_1430 | TALK_1430_PRESENTER]]
| [[#TALK_1430 | TALK_1430_TITLE]]
| not yet available 
|-
| 15h15 - 15h45
| colspan="3" style="text-align: center;background: grey; color: white" | ''Break''
|-
| 15h45 - 16h30
| [[#TALK_1545 | TALK_1545_PRESENTER]]
| [[#TALK_1545 | TALK_1545_TITLE]]
| not yet available 
|-
| 16h30 - 17h15
| [[#TALK_1630 | TALK_1630_PRESENTER]]
| [[#TALK_1630 | TALK_1630_TITLE]]
| not yet available 
|-
| 17h15 - 17h30
| colspan="3" style="text-align: center;background: grey; color: white" | ''Closing''
|}

== Talks ==

=== <span id="TALK_0915">TALK_0915_TITLE</span> ===

==== Abstract ====

TBD

==== Bio ====

TBD

=== <span id="TALK_1000">TALK_1000_TITLE</span> ===

==== Abstract ====

TBD

==== Bio ====

TBD

=== <span id="TALK_1115">TALK_1115_TITLE</span> ===

==== Abstract ====

TBD

==== Bio ====

TBD

=== <span id="TALK_1200">TALK_1200_TITLE</span> ===

==== Abstract ====

TBD

====Bio====

TBD

=== <span id="TALK_1345">TALK_1345_TITLE</span> ===

==== Abstract ====

TBD

==== Bio ====

TBD

=== <span id="TALK_1430">TALK_1430_TITLE</span> ===

==== Abstract ====

TBD

==== Bio ====

TBD

=== <span id="TALK_1545">TALK_1545_TITLE</span> ===

==== Abstract ====

TBD

====Bio====

TBD

=== <span id="TALK_1630">TALK_1630_TITLE</span> ===

==== Abstract ====

TBD

====Bio====

TBD


= Social Event =

'''The Social Event is on Thursday, November 29th'''

'''If you want to join the social event, don't forget to register for it via the registration:'''



Address: TBD

Menu:TBD


= Sponsor =

''' Become a sponsor of OWASP BeNeLux! '''

There are 3 combined sponsorship packages (Gold, Silver or Bronze) that cover the BeNeLux chapter meetings 2019 and the BeNeLux OWASP Days 2018.

Download our [https://www.owasp.org/images/8/8e/OWASP_BeNeLux_2018_Sponsorship_Form_v20181004.pdf sponsor brochure] and contact [mailto:seba@owasp.org us] for questions or sponsorship confirmation!

Your sponsorship will be invested directly in the chapter meetings, supporting speaker and catering expenses.

The sponsorship will also be dedicated to cover the costs of the OWASP 2018 BeNeLux event.

__NOTOC__
<headertabs></headertabs>

=== Made possible by our {{#switchtablink:Sponsor|Sponsors}}===

==== Hosted by ====

TBD

==== Platinum ====

TBD

==== Gold ====

TBD

==== Silver ====

TBD

==== Bronze ====

TBD

[[Category:OWASP_AppSec_Conference]]
[[Category:OWASP_BeNeLux_Archives]]

File:OWASP BeNeLux 2018 Sponsorship Form v20181004.pdf

2018-10-04T05:04:34Z

Sdeleersnyder:

OWASP BeNeLux-Days 2018

2018-10-04T05:00:21Z

OWASP BeNeLux-Days 2018

2018-09-19T12:58:00Z

Sdeleersnyder: /* Become a sponsor of OWASP BeNeLux */

<center>[[Image:Header-BNL-2018.png]]<br></center>

<br>


= Information =
== Keynote speaker ==
{{#switchtablink:Conferenceday|<p>
* TBD
}}

== Confirmed speakers Conference ==
{{#switchtablink:Conferenceday|<p>
* TBD
}}

== Confirmed trainers ==
{{#switchtablink:Trainingday|<p>
* TBD
}}

== OWASP BeNeLux conference is free, but registration is required! ==
[[image:Register_now_red.png|link=https://owasp-benelux-day-2018.eventbrite.com |alt=Register for the OWASP BeNeLux Day 2018 | Register for the OWASP BeNeLux Day 2018 ]]

== The OWASP BeNeLux Program Committee ==
*Bart De Win / Sebastien Deleersnyder/ Lieven Desmet/ David Mathy, OWASP Belgium
*Martin Knobloch / Joren Poll, OWASP Netherlands
*Jocelyn Aubert, OWASP Luxembourg
<br>

== Tweet! ==
Event tag is [http://twitter.com/#search?q=%23owaspbnl17 #owaspbnl18]
<br><br>
== Donate to OWASP BeNeLux ==
[https://co.clickandpledge.com/?wid=72689 Donate]



= Registration =

== OWASP BeNeLux conference is free, but registration is required! ==


== OWASP BeNeLux training is reserved for OWASP members, and registration is required! ==
To support the OWASP organisation, we ask training attendees to consider becoming an OWASP member, it's only US$50!
Check out the [[Membership]] page to find out more.


<br>
To support the OWASP organisation, consider to become a member, it's only US$50!
<br>
Check out the [[Membership]] page to find out more.
<br>



= Venue =

== Venue ==

The venue is located:

:'''TBD'''
:TBD
:TBD
:Belgium
:[https://goo.gl/maps/5CJYYSMAJD92 Google map]

'''''Parking .....'''''

=== How to reach the venue? ===
;'''Public transport '''<br>
TBD

'''<u>By car</u>'''
TBD

=== Hotel nearby ===
[https://www.google.nl/maps/search/Hotels/@51.5571525,5.0821866,15z/data=!3m1!4b1 Hotels on Google Maps]


= Trainingday =
=== Trainingday is November 29rd ===

== Location ==

== Agenda (TBD)==
{| class="wikitable"
! Time !! Description !! Room TBA !! Room TBA !! Room TBA
|-
| 08h30 - 9h30
| colspan="5" style="text-align: center; background: grey; color: white;" | ''Registration''
|-
| 09h30 - 11h00 || Training
| rowspan="7" style="width:100px;" | [[OWASP_BeNeLux-Day_2017#WebGoat_-_Teaching_application_security_101_by_Nanne_Baars | WebGoat - Teaching application security 101]] <br>by [[OWASP_BeNeLux-Day_2017#WebGoat_-_Teaching_application_security_101_by_Nanne_Baars | Nanne Baars]]
| rowspan="7" style="width:100px;" | [[OWASP_BeNeLux-Day_2017#Whiteboard_Hacking_aka_Hands-on_Threat Modeling_by_Sebastien Deleersnyder | Whiteboard Hacking aka Hands-on Threat Modeling]] <br>by [[OWASP_BeNeLux-Day_2017#Whiteboard_Hacking_aka_Hands-on_Threat Modeling_by_Sebastien Deleersnyder | Sebastien Deleersnyder]]
| rowspan="7" style="width:100px;" | [[OWASP_BeNeLux-Day_2017#Secure_Development:_Models_and_best_practices_by_Bart_De_Win | Secure Development: Models and best practices]] <br>by [[OWASP_BeNeLux-Day_2017#Secure_Development:_Models_and_best_practices_by_Bart_De_Win | Bart De Win]]
|-
| 11h00 - 11h30 || ''Coffee Break''
|-
| 11h30 - 13h00 || Training
|-
| 13h00 - 14h00 || ''Lunch''
|-
| 14h00 - 15h30 || Training
|-
| 15h30 - 16h00 || ''Coffee Break''
|-
| 16h00 - 17h30 || Training
|}

== Trainings ==
=== WebGoat - Teaching application security 101 by Nanne Baars ===
====Topic(s) ====
* Web Application Breaker
* Other
====Keywords ====
WebGoat application, security teaching secure development

====Abstract ====
A good defense against insecure code requires understanding the mechanics behind how attackers exploit simple programming mistakes.
The WebGoat team will walk through exercises like SQL Injection, XSS, XXE, CSRF, ... and demonstrate how these exploits work.

We will show you how you can use WebGoat to train your developers to avoid these simple but common programming mistakes.

We also show you how to extend WebGoat to create lessons specific to your environment.
Join us to learn the most basic, but common, application security problems.

Tired of all the lessons? During the training we will host a small CTF competition which you can take a shot at and compete with each other...

=== Requirements===
Please find the course prerequisites here: https://github.com/nbaars/owasp-training

====Bio====
Nanne Baars works as a security consultant & developer at JDriven and is one of the primary developers of WebGoat.

=== Whiteboard Hacking aka Hands-on Threat Modeling by Sebastien Deleersnyder ===
====Topic(s) ====
* Threat modeling introduction
* Diagrams – what are you building?
* Identifying threats – what can go wrong?
* Hands-on: STRIDE analysis of an Internet of Things (IoT) deployment with an on premise gateway and secure update service
* Addressing each threats
* Hands-on: threat mitigations OAuth scenarios for web and mobile applications

====Keywords ====
Threat Modeling, STRIDE, Technical risk assessment

====Abstract ====
This is a one day version of our Black Hat training on Threat Modeling. The students will be challenged to perform practical threat modeling in groups of 3 to 4 people covering the different stages of threat modeling on:
* An Internet of Things (IoT) deployment with an on premise gateway and secure update service
* An HR services OAuth scenario for mobile and web applications
Threat modeling is a structured activity for identifying and evaluating application threats and vulnerabilities. It also allows consideration of security issues at the component or application level. The threat modeling course will teach you to perform threat modeling through a series of workshops, where our trainer will guide you through the different stages of a practical threat model. <br>
This course is aimed at software developers, architects, system managers or security professionals. Before attending this course, students should be familiar with basic knowledge of web and mobile Applications, databases & Single sign on (SSO) principles.

====Bio====
Sebastien (lead application security consultant Toreon) led engagements in the domain of ICT-security, Web and Mobile Security with several customers in the private and public sector. Sebastien is the Belgian OWASP Chapter Leader and is co-project leader of OWASP SAMM.

=== Secure Development: Models and best practices by Bart De Win ===
====Topic(s) ====
* Software Assurance maturity models
* Secure Development in agile development
* Tips and tricks for practical SDLC
* Hands-on: SAMM analysis of your enterprise using SAMM 1.5
* Sneak preview of SAMM 2.0

====Keywords ====
SDLC, SAMM, Agile development,

====Abstract ====
It takes much more than a good developer to build secure software within an organisation. Indeed, building secure software is about ensuring that security is taken into consideration during the entire software lifecycle. It is about ensuring that security best practices are being employed efficiently, and that uncovered risks are appropriately dealt with in due time.

During this one-day training, we will introduce and discuss different secure development approaches and models. We will look into waterfall vs. agile development and discuss different strategies to successfully run an SDLC program. Finally, we will also put theorie into practice and take your organisation to perform a mini SDLC assessment and improvement exercise.
[[File:Benelux2017 - Secure Development Training deck.pdf|thumb]]
The slides of this session are available for download in the media file.

====Bio====
Bart is an application security consultant and enthousiast and is spending considerable time on secure development projects. Bart is board member of the Belgian OWASP Chapter and is co-project leader of OWASP SAMM.



= Conferenceday =
=== Conferenceday is November 30th ===

== Agenda (TBD)==
{| class="wikitable"
! width="120pt" | Time
! width="190pt" | Speaker
! width="400pt" | Topic
! width="100pt" -- ! | Media
|-
| 08h30 - 09h00
| colspan="3" style="text-align: center; background: grey; color: white" | ''Registration''
|-
| 09h00 - 09h15
| colspan="3" style="text-align: center; background: grey; color: white" | ''Opening''
|-
| 09h15 - 10h00 || [[OWASP_BeNeLux-Day_2017#Attribute Based Access Control. Why, what, how? by Jacoba Sieders | Jacoba Sieders]]
|| [[OWASP_BeNeLux-Day_2017#Attribute Based Access Control. Why, what, how? by Jacoba Sieders | Attribute Based Access Control. Why, what, how?]]
|| [[Media:OWASP BeNeLux-Day 2017 AttributeBasedAccessControl WhyWhatHow JacobaSieders.pdf|Slides]]<br>[https://youtu.be/O7iWITnZGsk Video]
|-
| 10h00 - 10h45 || [[OWASP_BeNeLux-Day_2017#How to spend $3.6mil on one coding mistake, and other fun stuff you can do with $3.6mil by Matia Madou | Matias Madou]]
|| [[OWASP_BeNeLux-Day_2017#How to spend $3.6mil on one coding mistake, and other fun stuff you can do with $3.6mil by Matia Madou | How to spend $3.6mil on one coding mistake, and other fun stuff you can do with $3.6mil]]
|| [[Media:OWASP_BeNeLux-Day_2017_how_to_spend_$3.6_mil_on_one_coding_mistake_by_Matias_Madou.pdf|Slides]] <br> [https://www.youtube.com/watch?v=dt5rFGBztJA&feature=youtu.be Video]

|-
| 10h45 - 11h15
| colspan="3" style="text-align: center;background: grey; color: white" | ''Morning Break''
|-
| 11h15 - 12h00 || [[OWASP_BeNeLux-Day_2017#The evil friend in your browser by Achim D. Brucker | Achim D. Brucker]]
|| [[OWASP_BeNeLux-Day_2017#The evil friend in your browser by Achim D. Brucker | The evil friend in your browser]]
| [[Media:OWASP_BeNeLux-Day_2017_The evil friend in your browser_Achim_Brucker.pdf|Slides]]<br>[https://www.youtube.com/watch?v=_Uj-Ci37Rvw&feature=youtu.be Video]
|-
| 12h00 - 12h45 || [[OWASP_BeNeLux-Day_2017#Exploring the ecosystem of malicious domain registrations in the .eu TLD by Lieven Desmet | Lieven Desmet]]
|| [[OWASP_BeNeLux-Day_2017#Exploring the ecosystem of malicious domain registrations in the .eu TLD by Lieven Desmet | Exploring the ecosystem of malicious domain registrations in the .eu TLD]]
| [[Media:OWASP BeNeLux-Day 2017 Exploring the ecosystem of malicious domain registrations LievenDesmet.pdf|Slides]]<br>[https://www.youtube.com/watch?v=09SNSYHw8H0&feature=youtu.be Video]
|-
| 12h45 - 13h45
| colspan="3" style="text-align: center;background: grey; color: white" | ''Lunch''
|-
| 13h45 - 14h30 || [[OWASP_BeNeLux-Day_2017#Don't trust the DOM: Bypassing XSS mitigations via script gadgets by Sebastian Lekies | Sebastian Lekies]]
|| [[OWASP_BeNeLux-Day_2017#Don't trust the DOM: Bypassing XSS mitigations via script gadgets by Sebastian Lekies | Don't trust the DOM: Bypassing XSS mitigations via script gadgets]]
| [[Media:OWASP BeNeLux-Day 2017 Bypassing XSS mitigations via script gadgets Sebastian Lekies.pdf|Slides]]<br>[https://www.youtube.com/watch?v=rssg--FP1AE&feature=youtu.be Video]
|-
| 14h30 - 15h15 || [[OWASP_BeNeLux-Day_2017#A Series of Unfortunate Events: Where Malware Meets Murphy by Mattijs van Ommeren | Mattijs van Ommeren]]
|| [[OWASP_BeNeLux-Day_2017#A Series of Unfortunate Events: Where Malware Meets Murphy by Mattijs van Ommeren | A Series of Unfortunate Events: Where Malware Meets Murphy]]
| [https://www.youtube.com/watch?v=d67yxt3FdTA&feature=youtu.be Video]
|-
| 15h15 - 15h45
| colspan="3" style="text-align: center;background: grey; color: white" | ''Break''
|-
| 15h45 - 16h30 || [[OWASP_BeNeLux-Day_2017#Common REST API security pitfalls by Philippe De Ryck | Philippe De Ryck]]
|| [[OWASP_BeNeLux-Day_2017#Common REST API security pitfalls by Philippe De Ryck | Common REST API security pitfalls]]
| [[Media:OWASP BeNeLux-Day 2017 Common REST API security pitfalls Philippe De Ryck.pdf|Slides]]<br>[https://www.youtube.com/watch?v=Meh4EUmLCfM&feature=youtu.be Video]
|-
| 16h30 - 17h15 || [[OWASP_BeNeLux-Day_2017#Creating An AppSec Pipeline With Containers In A Week How We Failed And Succeeded by Jeroen Willemsen | Jeroen Willemsen]]
|| [[OWASP_BeNeLux-Day_2017#Creating An AppSec Pipeline With Containers In A Week How We Failed And Succeeded by Jeroen Willemsen | Creating An AppSec Pipeline With Containers In A Week How We Failed And Succeeded]]
| [[Media:OWASP BeNeLux-Day 2017 Creating An AppSec Pipeline With Containers In A Week How We Failed And Succeeded Jeroen Willemsen.pdf|Slides]]<br>[https://www.youtube.com/watch?v=Q3q1mdev5rs&feature=youtu.be Video]
|-
| 17h15 - 17h30
| colspan="3" style="text-align: center;background: grey; color: white" | ''Closing''
|}

<div id="TBD"></div>

== Talks ==

===Attribute Based Access Control. Why, what, how? by Jacoba Sieders===
====Abstract====
Digitization is rapidly transforming the traditional world and regulation on security and data protection is gaining weight. Digital identity, but also data protection become crucial capabilities for businesses. What are the trends in IAM and what role can Attribute Based Access Control (ABAC) play here? ABNAMRO started implementing ABAC in 2014. What were the approach and the lessons learnt?
====Bio====
Jacoba Sieders, Head of Digital Identity- & Access, ABNAMRO Bank.<br />
Jacoba is an all-round Digital Identity and Information Security expert with 17 years of experience in the international finance industry, in technology, governance, consultancy, and implementation. She is accountable for digital identity services and access control for customers, employees and partners to the bank’s data and infrastructure.
Major topics on her agenda today are ABAC, data centric security, API-banking and PSDII requirements, the interaction of IAM tools with the rest of the bank’s cybersecurity landscape, and the new authentication concept for which ABNAMRO is acquiring a patent. Her special interests are legal requirements impacting identity, e.g. Generic Data Protection Regulation, the EU e-IDAS scheme, KYC and AML legislation.
Jacoba is a member of the Advisory Board of the independent European think-tank ID Next and is regularly speaking on the topic of IAM. She holds a master degree in Classics from Leiden University (Greek, Latin, Hebrew).

===How to spend $3.6mil on one coding mistake, and other fun stuff you can do with $3.6mil by Matia Madou===
====Abstract====
In a recent global study, the average cost of a data breach is $3.62M globally. This session will discuss infamous examples of data breaches that has made headlines around the world. We will explore the technical details of the vulnerability itself and what a coding solution may have been to prevent the breach. We will also dive deeper on exploring different solutions, processes and techniques you can apply in your day-to-day to prevent application security vulnerabilities in your code.
====Bio====
Matias Madou is a Co-Founder and CTO of Secure Code Warrior where he is responsible for leading the company’s technology vision and overseeing the engineering team. Matias has more than 15 years of hands-on software security experience and has developed solution for companies such as HP Fortify, and founded a company called Sensei Security. Matias has led multiple application security research projects which have led to commercial products and boasts over 10 patents under his belt. When he is away from his desk, Matias has served as an instructor for advanced application security training courses and regularly speaks at global conferences including RSA Conference, Black Hat, DefCon, BSIMM, OWASP AppSec and BruCon. Matias holds a Ph.D. in Computer Engineering from Ghent University.

===The evil friend in your browser by Achim D. Brucker===
====Abstract====
On the one hand, browser extensions, e.g., for Chrome, are very useful, as they extend web browsers with additional functionality
(e.g., blocking ads). On the other hand, they are the most dangerous code that runs in your browsers: extension can read and modify both the content displayed in the browser. As they also can communicate with any web-site or web-service, they can report both data and metadata to external parties.

The current security model for browser extensions seems to be inadequate for expressing the security or privacy needs of browser users. Consequently, browser extensions are a "juice target" for attackers targeting web users.

We present results of analysing over 60000 browser extensions on how they use the current security model and discuss examples of extensions that are potentially of high risk. Based on the results of our analysis of real world browser extensions as well as our own threat model, we discuss the limitations of the current security model form a user perspective. need of browser users.

====Bio====
Dr. Achim D. Brucker (www.brucker.uk) is a Senior Lecturer and consultant for software and systems assurance at the Computer Science Department of The University of Sheffield, UK. Until December 2015, he was a Research Expert (Architect), Security Testing Strategist, and Project Lead in the Global Security Team of SAP SE, where he defined the risk-based security testing strategy of SAP that combines static, dynamic, and interactive security testing methods and integrates them deeply into SAP's Secure Software Development Lifecycle. He has experience in rolling out *AST tools to world-wide development organisations.

===Exploring the ecosystem of malicious domain registrations in the .eu TLD by Lieven Desmet===
====Abstract====
In this talk, we report on an extensive analysis of 14 months of domain registration in the .eu TLD. The purpose is to identify large-scale malicious campaigns. Overall, the dataset of this study contains 824,121 new domain registrations; 2.53% of which have been flagged as malicious by blacklisting services. We explore the ecosystem and modus operandi of elaborate cybercriminal entities that recurrently register large amounts of domains for one-shot, malicious use. Although these malicious domains are short-lived, we establish that at least 80.04% of them can be framed in to 20 larger campaigns with varying duration and intensity. We further report on insights in the operational aspects of this business and observe, amongst other findings, that their processes are only partially automated.
====Bio====
Lieven Desmet is a Senior Research Manager on Secure Software in the imec-DistriNet Research Group at the Katholieke Universiteit Leuven (Belgium), where he outlines and implements the research strategy, coaches junior researchers in application security, and participates in dissemination, valorisation and spin-off activities. Lieven is also involved in OWASP as a board member of the Belgium OWASP Chapter, and part of the organisation team of the OWASP BeNeLux Day.

===Don't trust the DOM: Bypassing XSS mitigations via script gadgets by Sebastian Lekies===
====Abstract====
Cross-Site Scripting is a constant problem of the Web platform. Over the years many techniques have been introduced to prevent or mitigate XSS. Most of these techniques, thereby, focus on script tags and event handlers. HTML sanitizers, for example, aim at removing potentially dangerous tags and attributes. Another example is the Content Security Policy, which forbids inline event handlers and aims at white listing of legitimate scripts.

In this talk, we present a novel Web hacking technique that enables an attacker to circumvent most XSS mitigations. In order to do so, the attacker abuses so-called script gadgets. A script gadget Is a legitimate piece of JavaScript in a page that reads elements from the DOM via selectors and processes them in a way that results in script execution. To abuse a script gadget, the attacker injects a benign looking element into the page that matches the gadget's selector. Subsequently, the gadget selects the benign-looking element and executes attacker-controlled scripts. As the initially injected element is benign it passes HTML sanitizers and security policies. The XSS only surfaces when the gadget mistakenly elevates the privileges of the element.

In this talk, we will demonstrate that these gadgets are present in almost all modern JavaScript libraries, APIs and applications. We will present several case studies and real-world examples that demonstrate that many mitigation techniques are not suited for modern applications. As a result, we argue that the Web should start focusing more on preventive mechanisms instead of mitigations.
====Bio====
Sebastian Lekies is tech leading the Web application security scanning team at Google. Before joining Google, he was part of SAP's Security Research team, where he conducted academic research in the area of client-side Web application security. Sebastian is regularly speaking at academic and non-academic security conferences such as BlackHat US/EU/Asia, DeepSec, OWASP AppSec EU, Usenix Security, CCS, and many more...

===A Series of Unfortunate Events: Where Malware Meets Murphy by Mattijs van Ommeren===
====Abstract====
When an end user reports some “strange looking file names”, which, after investigating, you discover include several hundreds of Gigabytes of encrypted data, you of course know you are going to have a bad day. Your AV solution has failed you, your firewall has failed you, and your SIEM has failed you. Basically, every piece of security infrastructure you have put your trust (and money) into has left you out in the cold and you thank <deity of choice> that at least the nightly backup was completed successfully. Spin up the tape drive, and soon you will be back in business, or not…?

This talk is about failure. Not only about a failing security infrastructure, but also about failure in doing the Right Thing™ as a first responder, about the failure of Operating System tools, failing APIs, and ironically, also the failure of malware (which is unfortunately not as positive as it may sound). The scenario presented comes pretty close to the worst chain of events you can imagine, in an attempt to recover from a ransomware incident.

Luckily – this story has a happy ending. We will reveal how one can be prepared for when both Count Olaf and Murphy come knocking on your door simultaneously.
====Bio====
Mattijs van Ommeren has been poking hardware and software for 15 years. He has spent most of his working life as a security consultant, attacking and defending both traditional IT environments as well as more esoteric embedded devices and industrial systems. Presently he has a lot of fun at Nixu.

===Common REST API security pitfalls by Philippe De Ryck===
====Abstract====
The shift towards a REST API landscape indicates a significant evolution in the way we build applications. The rise of JavaScript and mobile applications have sparked an explosion of easily-accessible REST APIs. But how do you protect access to your API? Which security aspects are no longer relevant? Which security features are an absolutely must-have, and which additional security measures do you need to take into account?

These are hard questions, as evidenced by the deployment of numerous insecure REST APIs. Attend this session to find out about common API security pitfalls, that often result in compromised user accounts and unauthorized access to your data. We expose the problem that lies at the root of each of these pitfalls, and offer actionable advice to address these security problems. After this session, you will know how to assess the security of your APIs, and the best practices to improve them towards the future.
====Bio====
Philippe De Ryck is a professional speaker and trainer on software security and web security. Since he obtained his PhD at the imec-DistriNet research group (KU Leuven, Belgium), he has been running the group's Web Security Training program, which ensures a sustainable knowledge transfer of the group’s security expertise towards practitioners.

===Creating An AppSec Pipeline With Containers In A Week How We Failed And Succeeded by Jeroen Willemsen===
====Abstract====
Join us on our adventure of setting up a appsec pipeline with Docker containers. What did go wrong, how did we succeed? How do you fight false positives and how do you get the best out of the products out there without bothering the development teams too much.
====Bio====
Jeroen Willemsen is a security architect with a passion for mobile and risk management. He loves to work on secure building blocks, security automation pipelines and embedding information security risk management controls in an agile environment. He is dedicated to help developers, product owners and architects to take security seriously in their daily development life (but not too serious of course ;-)).In his spare time he loves to experiment with new technologies and frameworks.”



= Social Event (TBD)=

== Social Event,starting at 7PM ==
Thursday, November 23rd
;Dudok Tilburg
:Veemarktstraat 33
:5038 CT Tilburg
:http://www.dudok.nl/
Menu:
:As we are a big group, Dudok will prepare the following [[Media:Dudok menu OWASP.pdf|menu]] for us!
'''If you want to join the social event, don't forget to register for the social event via the registration:'''
:[[image:Register_now_red.png|link=https://owasp-benelux-day-2017.eventbrite.com |200px|alt=Register for the OWASP BeNeLux Day 2017 | Register for the OWASP BeNeLux Day 2017 ]]

(limited) open tap sponsored by :
[[File:Avi Logo Transparent Background 300pix.png|200px|link=https://avinetworks.com/]]



= Sponsor =

=== Become a sponsor of OWASP BeNeLux ===

There are 3 combined sponsorship packages (Gold, Silver or Bronze) that cover the BeNeLux chapter meetings 2019 and the BeNeLux OWASP Days 2018.

Download our [https://www.owasp.org/images/a/a9/OWASP_BeNeLux_2018_Sponsorship_Form_v20180919.pdf sponsor brochure] and contact [mailto:seba@owasp.org us] for questions or sponsorship confirmation!

Your sponsorship will be invested directly in the chapter meetings, supporting speaker and catering expenses.

The sponsorship will also be dedicated to cover the costs of the OWASP 2018 BeNeLux event.

__NOTOC__
<headertabs></headertabs>

=== Made possible by our {{#switchtablink:Sponsor|Sponsors}}===
'''Hosted by'''

'''Platinum:'''

'''Gold:'''

'''Silver:'''

'''Bronze:'''

[[Category:OWASP_AppSec_Conference]]
[[Category:OWASP_BeNeLux_Archives]]

File:OWASP BeNeLux 2018 Sponsorship Form v20180919.pdf

2018-09-19T12:57:31Z

Sdeleersnyder:

Belgium Events 2018

2018-09-19T08:33:30Z

Sdeleersnyder:

<noinclude>
These are the 2018 events of the [[Belgium|OWASP Belgium Chapter]].

Previous year: [[Belgium Events 2017|2017]].
</noinclude>
== 17 September 2018 Meeting ==

=== WHEN ===
Monday 17 September 2018

=== WHERE ===

; Host: European Commission
: Place Madou, 1
:1210 - Saint-Josse-Ten-Noode
<pre style="color: red">
Pre-registration of the participants' ID is needed to enter the venue; see registration link below!!!<br>
PARKING WILL NOT BE AVAILABLE
</pre>

=== PROGRAM ===
The agenda:

*18h00 - 18h50: '''Welcome & sandwiches''' <br>
*18h50 - 19h00: '''[https://www.owasp.org/images/9/9b/Owasp_Belgium_update_2018-09-17_v1.pptx OWASP Update]''' (by Sebastien Deleersnyder, OWASP) <br>
*19h00 - 19h10: '''Intro by the EC''' (by Miguel Soria Machado, Head of Sector (CSIRC), DIGIT IT Security Directorate, European Commission) <br>
*19h10 - 20h00: '''[https://www.owasp.org/images/1/17/Dirk_Wetter_-_Docker_Security_Brussels.pdf Docker Threat Modeling and Top 10]''' (by Dirk Wetter)<br>
:''Abstract:'' Docker containers offer several advantages for developers. Most notably they fit perfectly in software development processes, they enable fast, reproducible
deployments and when properly done, with little change the same container can
run either in a test or production environment.

Despite threatening information out there Docker offers per se also several
security advantages. However it is important to make use of them and as a
minimum avoid several pitfalls. In a worst case scenario this can lead
otherwise to less security or the security benefits which the containment
technology offers are not being used at all.

To avoid this a proper fundamental approach is needed.

Thus this talk models first the most important threats to containerized
environments out there. Based on that the speaker will present 10 security
bullet points which covers

* important Do's and Dont's,
* for advanced needs how to tighten security further.

At the end the speaker gives advice how to check your Docker and
Kubernetes security status yourself.

The talk is based on practical experiences at several costumers and on the
speaker's solid network and systems security expertise.

:''Bio:'' [https://twitter.com/drwetter Dirk Wetter (Ph.D.)] is an independent security consultant with more than 20 years professional experience in information security with a broad technical
and information security management background.

His primary focus nowadays is around web application security. He has also a
solid background on network and systems security.

He's also founder and maintainer of the open source project testssl.sh which
checks the encryption of every SSL/TLS enabled service.

*20h00 - 20h10: break <br>
*20h10 - 21h00: '''Securing Containers on the High Seas''' (by Jack Mannino)<br>
:''Abstract:'' It can be a difficult challenge for organizations to securely migrate to containers while shifting processes and security controls. Making the move from legacy virtualization and monolithic deployments to containers requires a solid strategy. Containers offer many inherent security benefits but it’s important to build controls in beyond the containers themselves. From development through container registries and deployment to a runtime environment, it’s important to enforce security and eliminate risks as they’re introduced.

This presentation will focus on scaling container security within an enterprise and building security controls into the way you build, ship, and run containerized services. We will discuss the modern container landscape including different container runtimes and isolation models. We will explore the container lifecycle from your developer’s laptop through your production environment and examine the key security problems to mitigate.

:''Bio:'' [https://twitter.com/jack_mannino Jack Mannino] is the CEO of nVisium. Passionate about security and impossible to keep away from a keyboard, his expertise spans over 15 years of building, breaking, and securing software. Jack founded nVisium in 2009, and since has helped the world's largest software teams enhance security across their software portfolios. He has spoken at conferences globally on topics such as secure design, mobile application security, and cloud-native security.

=== REGISTRATION ===
<pre style="color: red">
Two step registration:
Step 1: Registration via Eventbrite
Step 2: Pre-registration of participants'ID (European Commission)

Pre-registration of the participants' ID will be needed to enter the security on site!!!
</pre>

'''Step 1''': Registration via Eventbrite: https://owasp-belgium-2018-09-17.eventbrite.com

'''Step 2''': Pre-registration of participants'ID: https://ec.europa.eu/eusurvey/runner/OWASPBelgiumChapterMeetingSept17 .

'''The registration deadline for the participants' ID expires on ''Sunday, September 16th midnight''. After this time the registration and admission to the event will not be possible.'''

=== Coverage ===

== 19 March 2018 Meeting ==

=== Where ===

* Host: [https://www.ing.be ING Belgium]

* Address ([https://branches.ing.be/branch/1040_bxl-non-residents map])
Cours St Michel 60
1040 Brussel

=== Agenda ===

* 18h15 - 19h00: Welcome & sandwiches
* 19h00 - 19h10: OWASP Update (by Sebastien Deleersnyder, OWASP)
* 19h10 - 20h00: [[#2018-03-19 Talk 1|KRACKing WPA2 in Practice Using Key Reinstallation Attacks]] (by Mathy Vanhoef, imec-DistriNet-KU Leuven)
* 20h00 - 20h10: Break
* 20h10 - 21h00: [[#2018-03-19 Talk 2|Making the web secure by design]] (by Glenn Ten Cate, ING Belgium, and Riccardo Ten Cate, Xebia)
* 21h00 - 21h30: Networking drink

=== Program ===

==== <span id="2018-03-19 Talk 1">KRACKing WPA2 in Practice Using Key Reinstallation Attacks</span> ====

* Speaker: Mathy Vanhoef, imec-DistriNet-KU Leuven)

''Abstract''

This talk presents the key reinstallation attack against WPA2 (KRACK attack). It abuses design or implementation flaws in cryptographic protocols to reinstall an already-in-use key. This resets the key’s associated parameters such as transmit nonces and receive replay counters. Several cryptographic Wi-Fi handshakes are affected by the attack.

All protected Wi-Fi networks use the 4-way handshake to generate a fresh session key. So far, this 14-year-old handshake has remained free from attacks. However, we show that the 4-way handshake is vulnerable to a key reinstallation attack. Here, the adversary tricks a victim into reinstalling an already-in-use key. This is achieved by manipulating and replaying handshake messages. When reinstalling the key, associated parameters such as the incremental transmit packet number (nonce) and receive packet number (replay counter) are reset to their initial value.

The talk also discusses the vulnerability disclosure process that was followed. Since the discovery affected numerous vendors, coordinating the disclosure was non-trivial.

''Speaker Bio''

Mathy Vanhoef is a postdoctoral researcher at KU Leuven. He did his PhD on the security of WPA-TKIP, TLS, and RC4. His research interest is in computer security with a focus on wireless security (e.g. Wi-Fi), network protocols in general, the RC4 stream cipher (where he discovered the RC NOMORE attack), and software security (discovering and exploiting vulnerabilities). Currently his main research is about automatically discovering vulnerabilities in network protocol implementations, and proving the correctness of protocol implementations.

==== <span id="2018-03-19 Talk 2">Making the web secure by design</span> ====

* Speaker: Glenn Ten Cate, ING Belgium, and Riccardo Ten Cate, Xebia

''Abstract''

Education is the first step in the Secure Software Development Lifecycle. The free OWASP Security Knowledge Framework (SKF) is intended to be a tool that is used as a guide for building and verifying secure software. It can also be used to train developers about application security. This talk will help you as a developer to become THE Neo of your development team. We will show how you can do security by design and introduce other quality gates into your development pipeline to ensure high end quality and security of your project.

''Speaker Bios''

As a coder, hacker, speaker, trainer and security researcher employed at ING Belgium, '''Glenn Ten Cate''' has over 10 years experience in the field of security. One of the founders of defensive development [defdev] a security training and conference series dedicated to helping you build and maintain secure software and also speaking at multiple other security conferences in the world. His goals is to create an open-source software development life cycle with the tools and knowledge gathered over the years.

As a penetration tester from the Netherlands employed at Xebia, '''Riccardo Ten Cate''' specialises in web-application security and has extensive knowledge in securing web applications in multiple coding languages. He is also a specialist in setting up Secure Software Development Life Cycles.

=== Registration ===

Registration was via EventBrite: https://owasp-belgium-2018-03-19.eventbrite.com

=== Coverage ===

== 20 February 2018 Meeting ==

=== Where ===

* Host: [https://distrinet.cs.kuleuven.be DistriNet Research Group (KU Leuven)] (Both speakers are faculty of the [https://www.secappdev.org/ Secure Application Development] course held in Leuven from 2018-02-19 to 2018-02-23.)

* Address ([http://googlemapsinterface.kuleuven.be/index.cgi?lang=N&nbol=(50.864186697481145,%204.678754210472107)&zoomlevel=17&plaatsnaam=Department+of+Computer+Science&maptype=roadmap map], [https://distrinet.cs.kuleuven.be/about/route/ directions]):
Department of Computer Science (foyer at ground floor)
Celestijnenlaan 200 A
3001 Heverlee

=== Agenda ===

*18h15 - 19h00: Welcome & sandwiches
*19h00 - 19h10: [https://www.owasp.org/images/7/7a/Owasp_Belgium_update_2018-02-20_v1.pdf OWASP Update] (by Sebastien Deleersnyder, OWASP)
*19h10 - 20h00: [[#2018-02-20 Talk 1|Developers are not the enemy -- Usable Security for Experts]] (by Prof. Matthew Smith, University of Bonn)
*20h00 - 20h10: Break
*20h10 - 21h00: [[#2018-02-20 Talk 2|The Code Behind The Vulnerability]] (by Barry Dorrans, Microsoft)

=== Program ===

==== <span id="2018-02-20 Talk 1">Developers are not the enemy -- Usable Security for Experts</span> ====

* Speaker: Prof. Matthew Smith, University of Bonn
* Presentation: https://schd.ws/hosted_files/secappdev2018/a9/Developer%20are%20not%20the%20enemy%20SecAppDev%20web.pdf

''Abstract''

Usability problems are a major cause of many of today's IT-security incidents. Security systems are often too complicated, time-consuming, and error prone. For more than a decade researchers in the domain of usable security (USEC) have attempted to combat these problems by conducting interdisciplinary research focusing on the root causes of the problems and on the creation of usable security mechanisms. While major improvements have been made, to date USEC research has focused almost entirely on the non-expert end-user. However, many of the most catastrophic security incidents were not caused by end-users, but by developers or administrators. Heartbleed and Shellshock were both caused by single developers yet had global consequences. The Sony hack in 2014 compromised an entire multi-national IT-infrastructure and misappropriated over 100 TB of data, unnoticed. Fundamentally, every software vulnerability and misconfigured system is caused by developers or administrators making mistakes, but very little research has been done into the underlying causalities and possible mitigation strategies. In this talk we will explore the transition from end-user to expert usable security research and look at several application areas, including TLS, passwords, malware analysis and vulnerability analysis.

''Speaker Bio''

Matthew Smith is a Professor for Usable Security and Privacy at the University of Bonn. His research is focused on human factors of security and privacy mechanisms with a wide range of application areas, including TLS and network security, authentication, mobile and app security and, most recently, usable security for developers and administrators. His work has been published at, among others, IEEE S&P, ACM CCS, USENIX Security, NDSS, ACM SIGCHI and SOUPS the Symposium on Usable Security and Privacy. In 2015 his ERC Starting Grant "Frontiers of Usable Security" was selected for funding.

==== <span id="2018-02-20 Talk 2">The Code Behind The Vulnerability</span> ====

* Speaker: Barry Dorrans, Microsoft
* Presentation: https://schd.ws/hosted_files/secappdev2018/75/The%20code%20behind%20the%20vulnerability.pdf

''Abstract''

Everyone makes security mistakes, and that includes Microsoft (seriously!). Many developers can spot and prevent vulnerabilities listed in the OWASP top 10. But that narrative changes when we look beyond the scope of the OWASP top 10. Compared to some more recent attacks, fixing XSS or SQL injection almost seems easy. In this session, we dive into a couple of .NET core cases that have been reported to the Microsoft Security Response Center (MSRC). Mind you; these vulnerabilities are not just framework vulnerabilities. Instead, they are coding patterns that you may have introduced in your applications. Examples are issues with hash tables, compression, encryption, regular expressions and more. In this session, you will learn how to spot these vulnerabilities in your code. On top of that, you will walk away with the skills to fix them.

''Speaker Bio''

Barry Dorrans is the .NET Security Czar, which means he tries to tell everyone else how to code securely and taking the credit when it goes right, as well as running the .NET Core Bug Bounty. He also ends up triaging publicly and privately reported vulnerabilities when it goes wrong before getting someone else to fix the mistakes. This he gets all the fun and none of the real work, aside from the endless stress wondering when the next vulnerability will be discovered.

=== Registration ===

Registration was via EventBrite: https://owasp-belgium-2018-02-20.eventbrite.com

=== Coverage ===

n/a

File:Owasp Belgium update 2018-09-17 v1.pptx

2018-09-19T08:33:07Z

Sdeleersnyder:

2018-09-15T05:30:01Z

Sdeleersnyder:

OWASP BeNeLux-Days 2018

2018-09-05T04:45:26Z

Sdeleersnyder: Created page with "<center>Image:Header-BNL-2017.png<br></center> <br>  = Information = == Keynote speaker == {{#switchtablink:Conferenceday|<p> * TBD }..."

<center>[[Image:Header-BNL-2017.png]]<br></center>

<br>


= Information =
== Keynote speaker ==
{{#switchtablink:Conferenceday|<p>
* TBD
}}

== Confirmed speakers Conference ==
{{#switchtablink:Conferenceday|<p>
* TBD
}}

== Confirmed trainers ==
{{#switchtablink:Trainingday|<p>
* TBD
}}

== OWASP BeNeLux conference is free, but registration is required! ==
[[image:Register_now_red.png|link=https://owasp-benelux-day-2018.eventbrite.com |alt=Register for the OWASP BeNeLux Day 2018 | Register for the OWASP BeNeLux Day 2018 ]]

== The OWASP BeNeLux Program Committee ==
*Bart De Win / Sebastien Deleersnyder/ Lieven Desmet/ David Mathy, OWASP Belgium
*Martin Knobloch / Joren Poll, OWASP Netherlands
*Jocelyn Aubert, OWASP Luxembourg
<br>

== Tweet! ==
Event tag is [http://twitter.com/#search?q=%23owaspbnl17 #owaspbnl18]
<br><br>
== Donate to OWASP BeNeLux ==
[https://co.clickandpledge.com/?wid=72689 Donate]



= Registration =

== OWASP BeNeLux conference is free, but registration is required! ==
[[image:Register_now_red.png|link=https://owasp-benelux-day-2018.eventbrite.com |alt=Register for the OWASP BeNeLux Day 2018 | Register for the OWASP BeNeLux Day 2018 ]]

== OWASP BeNeLux training is reserved for OWASP members, and registration is required! ==
To support the OWASP organisation, we ask training attendees to consider becoming an OWASP member, it's only US$50!
Check out the [[Membership]] page to find out more.


<br>
To support the OWASP organisation, consider to become a member, it's only US$50!
<br>
Check out the [[Membership]] page to find out more.
<br>



= Venue =

== Venue ==

The venue is located:

:'''TBD'''
:TBD
:TBD
:Belgium
:[https://goo.gl/maps/5CJYYSMAJD92 Google map]

'''''Parking .....'''''

=== How to reach the venue? ===
;'''Public transport '''<br>
TBD

'''<u>By car</u>'''
TBD

=== Hotel nearby ===
[https://www.google.nl/maps/search/Hotels/@51.5571525,5.0821866,15z/data=!3m1!4b1 Hotels on Google Maps]


= Trainingday =
=== Trainingday is November 29rd ===

== Location ==

== Agenda (TBD)==
{| class="wikitable"
! Time !! Description !! Room TBA !! Room TBA !! Room TBA
|-
| 08h30 - 9h30
| colspan="5" style="text-align: center; background: grey; color: white;" | ''Registration''
|-
| 09h30 - 11h00 || Training
| rowspan="7" style="width:100px;" | [[OWASP_BeNeLux-Day_2017#WebGoat_-_Teaching_application_security_101_by_Nanne_Baars | WebGoat - Teaching application security 101]] <br>by [[OWASP_BeNeLux-Day_2017#WebGoat_-_Teaching_application_security_101_by_Nanne_Baars | Nanne Baars]]
| rowspan="7" style="width:100px;" | [[OWASP_BeNeLux-Day_2017#Whiteboard_Hacking_aka_Hands-on_Threat Modeling_by_Sebastien Deleersnyder | Whiteboard Hacking aka Hands-on Threat Modeling]] <br>by [[OWASP_BeNeLux-Day_2017#Whiteboard_Hacking_aka_Hands-on_Threat Modeling_by_Sebastien Deleersnyder | Sebastien Deleersnyder]]
| rowspan="7" style="width:100px;" | [[OWASP_BeNeLux-Day_2017#Secure_Development:_Models_and_best_practices_by_Bart_De_Win | Secure Development: Models and best practices]] <br>by [[OWASP_BeNeLux-Day_2017#Secure_Development:_Models_and_best_practices_by_Bart_De_Win | Bart De Win]]
|-
| 11h00 - 11h30 || ''Coffee Break''
|-
| 11h30 - 13h00 || Training
|-
| 13h00 - 14h00 || ''Lunch''
|-
| 14h00 - 15h30 || Training
|-
| 15h30 - 16h00 || ''Coffee Break''
|-
| 16h00 - 17h30 || Training
|}

== Trainings ==
=== WebGoat - Teaching application security 101 by Nanne Baars ===
====Topic(s) ====
* Web Application Breaker
* Other
====Keywords ====
WebGoat application, security teaching secure development

====Abstract ====
A good defense against insecure code requires understanding the mechanics behind how attackers exploit simple programming mistakes.
The WebGoat team will walk through exercises like SQL Injection, XSS, XXE, CSRF, ... and demonstrate how these exploits work.

We will show you how you can use WebGoat to train your developers to avoid these simple but common programming mistakes.

We also show you how to extend WebGoat to create lessons specific to your environment.
Join us to learn the most basic, but common, application security problems.

Tired of all the lessons? During the training we will host a small CTF competition which you can take a shot at and compete with each other...

=== Requirements===
Please find the course prerequisites here: https://github.com/nbaars/owasp-training

====Bio====
Nanne Baars works as a security consultant & developer at JDriven and is one of the primary developers of WebGoat.

=== Whiteboard Hacking aka Hands-on Threat Modeling by Sebastien Deleersnyder ===
====Topic(s) ====
* Threat modeling introduction
* Diagrams – what are you building?
* Identifying threats – what can go wrong?
* Hands-on: STRIDE analysis of an Internet of Things (IoT) deployment with an on premise gateway and secure update service
* Addressing each threats
* Hands-on: threat mitigations OAuth scenarios for web and mobile applications

====Keywords ====
Threat Modeling, STRIDE, Technical risk assessment

====Abstract ====
This is a one day version of our Black Hat training on Threat Modeling. The students will be challenged to perform practical threat modeling in groups of 3 to 4 people covering the different stages of threat modeling on:
* An Internet of Things (IoT) deployment with an on premise gateway and secure update service
* An HR services OAuth scenario for mobile and web applications
Threat modeling is a structured activity for identifying and evaluating application threats and vulnerabilities. It also allows consideration of security issues at the component or application level. The threat modeling course will teach you to perform threat modeling through a series of workshops, where our trainer will guide you through the different stages of a practical threat model. <br>
This course is aimed at software developers, architects, system managers or security professionals. Before attending this course, students should be familiar with basic knowledge of web and mobile Applications, databases & Single sign on (SSO) principles.

====Bio====
Sebastien (lead application security consultant Toreon) led engagements in the domain of ICT-security, Web and Mobile Security with several customers in the private and public sector. Sebastien is the Belgian OWASP Chapter Leader and is co-project leader of OWASP SAMM.

=== Secure Development: Models and best practices by Bart De Win ===
====Topic(s) ====
* Software Assurance maturity models
* Secure Development in agile development
* Tips and tricks for practical SDLC
* Hands-on: SAMM analysis of your enterprise using SAMM 1.5
* Sneak preview of SAMM 2.0

====Keywords ====
SDLC, SAMM, Agile development,

====Abstract ====
It takes much more than a good developer to build secure software within an organisation. Indeed, building secure software is about ensuring that security is taken into consideration during the entire software lifecycle. It is about ensuring that security best practices are being employed efficiently, and that uncovered risks are appropriately dealt with in due time.

During this one-day training, we will introduce and discuss different secure development approaches and models. We will look into waterfall vs. agile development and discuss different strategies to successfully run an SDLC program. Finally, we will also put theorie into practice and take your organisation to perform a mini SDLC assessment and improvement exercise.
[[File:Benelux2017 - Secure Development Training deck.pdf|thumb]]
The slides of this session are available for download in the media file.

====Bio====
Bart is an application security consultant and enthousiast and is spending considerable time on secure development projects. Bart is board member of the Belgian OWASP Chapter and is co-project leader of OWASP SAMM.



= Conferenceday =
=== Conferenceday is November 30th ===

== Agenda (TBD)==
{| class="wikitable"
! width="120pt" | Time
! width="190pt" | Speaker
! width="400pt" | Topic
! width="100pt" -- ! | Media
|-
| 08h30 - 09h00
| colspan="3" style="text-align: center; background: grey; color: white" | ''Registration''
|-
| 09h00 - 09h15
| colspan="3" style="text-align: center; background: grey; color: white" | ''Opening''
|-
| 09h15 - 10h00 || [[OWASP_BeNeLux-Day_2017#Attribute Based Access Control. Why, what, how? by Jacoba Sieders | Jacoba Sieders]]
|| [[OWASP_BeNeLux-Day_2017#Attribute Based Access Control. Why, what, how? by Jacoba Sieders | Attribute Based Access Control. Why, what, how?]]
|| [[Media:OWASP BeNeLux-Day 2017 AttributeBasedAccessControl WhyWhatHow JacobaSieders.pdf|Slides]]<br>[https://youtu.be/O7iWITnZGsk Video]
|-
| 10h00 - 10h45 || [[OWASP_BeNeLux-Day_2017#How to spend $3.6mil on one coding mistake, and other fun stuff you can do with $3.6mil by Matia Madou | Matias Madou]]
|| [[OWASP_BeNeLux-Day_2017#How to spend $3.6mil on one coding mistake, and other fun stuff you can do with $3.6mil by Matia Madou | How to spend $3.6mil on one coding mistake, and other fun stuff you can do with $3.6mil]]
|| [[Media:OWASP_BeNeLux-Day_2017_how_to_spend_$3.6_mil_on_one_coding_mistake_by_Matias_Madou.pdf|Slides]] <br> [https://www.youtube.com/watch?v=dt5rFGBztJA&feature=youtu.be Video]

|-
| 10h45 - 11h15
| colspan="3" style="text-align: center;background: grey; color: white" | ''Morning Break''
|-
| 11h15 - 12h00 || [[OWASP_BeNeLux-Day_2017#The evil friend in your browser by Achim D. Brucker | Achim D. Brucker]]
|| [[OWASP_BeNeLux-Day_2017#The evil friend in your browser by Achim D. Brucker | The evil friend in your browser]]
| [[Media:OWASP_BeNeLux-Day_2017_The evil friend in your browser_Achim_Brucker.pdf|Slides]]<br>[https://www.youtube.com/watch?v=_Uj-Ci37Rvw&feature=youtu.be Video]
|-
| 12h00 - 12h45 || [[OWASP_BeNeLux-Day_2017#Exploring the ecosystem of malicious domain registrations in the .eu TLD by Lieven Desmet | Lieven Desmet]]
|| [[OWASP_BeNeLux-Day_2017#Exploring the ecosystem of malicious domain registrations in the .eu TLD by Lieven Desmet | Exploring the ecosystem of malicious domain registrations in the .eu TLD]]
| [[Media:OWASP BeNeLux-Day 2017 Exploring the ecosystem of malicious domain registrations LievenDesmet.pdf|Slides]]<br>[https://www.youtube.com/watch?v=09SNSYHw8H0&feature=youtu.be Video]
|-
| 12h45 - 13h45
| colspan="3" style="text-align: center;background: grey; color: white" | ''Lunch''
|-
| 13h45 - 14h30 || [[OWASP_BeNeLux-Day_2017#Don't trust the DOM: Bypassing XSS mitigations via script gadgets by Sebastian Lekies | Sebastian Lekies]]
|| [[OWASP_BeNeLux-Day_2017#Don't trust the DOM: Bypassing XSS mitigations via script gadgets by Sebastian Lekies | Don't trust the DOM: Bypassing XSS mitigations via script gadgets]]
| [[Media:OWASP BeNeLux-Day 2017 Bypassing XSS mitigations via script gadgets Sebastian Lekies.pdf|Slides]]<br>[https://www.youtube.com/watch?v=rssg--FP1AE&feature=youtu.be Video]
|-
| 14h30 - 15h15 || [[OWASP_BeNeLux-Day_2017#A Series of Unfortunate Events: Where Malware Meets Murphy by Mattijs van Ommeren | Mattijs van Ommeren]]
|| [[OWASP_BeNeLux-Day_2017#A Series of Unfortunate Events: Where Malware Meets Murphy by Mattijs van Ommeren | A Series of Unfortunate Events: Where Malware Meets Murphy]]
| [https://www.youtube.com/watch?v=d67yxt3FdTA&feature=youtu.be Video]
|-
| 15h15 - 15h45
| colspan="3" style="text-align: center;background: grey; color: white" | ''Break''
|-
| 15h45 - 16h30 || [[OWASP_BeNeLux-Day_2017#Common REST API security pitfalls by Philippe De Ryck | Philippe De Ryck]]
|| [[OWASP_BeNeLux-Day_2017#Common REST API security pitfalls by Philippe De Ryck | Common REST API security pitfalls]]
| [[Media:OWASP BeNeLux-Day 2017 Common REST API security pitfalls Philippe De Ryck.pdf|Slides]]<br>[https://www.youtube.com/watch?v=Meh4EUmLCfM&feature=youtu.be Video]
|-
| 16h30 - 17h15 || [[OWASP_BeNeLux-Day_2017#Creating An AppSec Pipeline With Containers In A Week How We Failed And Succeeded by Jeroen Willemsen | Jeroen Willemsen]]
|| [[OWASP_BeNeLux-Day_2017#Creating An AppSec Pipeline With Containers In A Week How We Failed And Succeeded by Jeroen Willemsen | Creating An AppSec Pipeline With Containers In A Week How We Failed And Succeeded]]
| [[Media:OWASP BeNeLux-Day 2017 Creating An AppSec Pipeline With Containers In A Week How We Failed And Succeeded Jeroen Willemsen.pdf|Slides]]<br>[https://www.youtube.com/watch?v=Q3q1mdev5rs&feature=youtu.be Video]
|-
| 17h15 - 17h30
| colspan="3" style="text-align: center;background: grey; color: white" | ''Closing''
|}

<div id="TBD"></div>

== Talks ==

===Attribute Based Access Control. Why, what, how? by Jacoba Sieders===
====Abstract====
Digitization is rapidly transforming the traditional world and regulation on security and data protection is gaining weight. Digital identity, but also data protection become crucial capabilities for businesses. What are the trends in IAM and what role can Attribute Based Access Control (ABAC) play here? ABNAMRO started implementing ABAC in 2014. What were the approach and the lessons learnt?
====Bio====
Jacoba Sieders, Head of Digital Identity- & Access, ABNAMRO Bank.<br />
Jacoba is an all-round Digital Identity and Information Security expert with 17 years of experience in the international finance industry, in technology, governance, consultancy, and implementation. She is accountable for digital identity services and access control for customers, employees and partners to the bank’s data and infrastructure.
Major topics on her agenda today are ABAC, data centric security, API-banking and PSDII requirements, the interaction of IAM tools with the rest of the bank’s cybersecurity landscape, and the new authentication concept for which ABNAMRO is acquiring a patent. Her special interests are legal requirements impacting identity, e.g. Generic Data Protection Regulation, the EU e-IDAS scheme, KYC and AML legislation.
Jacoba is a member of the Advisory Board of the independent European think-tank ID Next and is regularly speaking on the topic of IAM. She holds a master degree in Classics from Leiden University (Greek, Latin, Hebrew).

===How to spend $3.6mil on one coding mistake, and other fun stuff you can do with $3.6mil by Matia Madou===
====Abstract====
In a recent global study, the average cost of a data breach is $3.62M globally. This session will discuss infamous examples of data breaches that has made headlines around the world. We will explore the technical details of the vulnerability itself and what a coding solution may have been to prevent the breach. We will also dive deeper on exploring different solutions, processes and techniques you can apply in your day-to-day to prevent application security vulnerabilities in your code.
====Bio====
Matias Madou is a Co-Founder and CTO of Secure Code Warrior where he is responsible for leading the company’s technology vision and overseeing the engineering team. Matias has more than 15 years of hands-on software security experience and has developed solution for companies such as HP Fortify, and founded a company called Sensei Security. Matias has led multiple application security research projects which have led to commercial products and boasts over 10 patents under his belt. When he is away from his desk, Matias has served as an instructor for advanced application security training courses and regularly speaks at global conferences including RSA Conference, Black Hat, DefCon, BSIMM, OWASP AppSec and BruCon. Matias holds a Ph.D. in Computer Engineering from Ghent University.

===The evil friend in your browser by Achim D. Brucker===
====Abstract====
On the one hand, browser extensions, e.g., for Chrome, are very useful, as they extend web browsers with additional functionality
(e.g., blocking ads). On the other hand, they are the most dangerous code that runs in your browsers: extension can read and modify both the content displayed in the browser. As they also can communicate with any web-site or web-service, they can report both data and metadata to external parties.

The current security model for browser extensions seems to be inadequate for expressing the security or privacy needs of browser users. Consequently, browser extensions are a "juice target" for attackers targeting web users.

We present results of analysing over 60000 browser extensions on how they use the current security model and discuss examples of extensions that are potentially of high risk. Based on the results of our analysis of real world browser extensions as well as our own threat model, we discuss the limitations of the current security model form a user perspective. need of browser users.

====Bio====
Dr. Achim D. Brucker (www.brucker.uk) is a Senior Lecturer and consultant for software and systems assurance at the Computer Science Department of The University of Sheffield, UK. Until December 2015, he was a Research Expert (Architect), Security Testing Strategist, and Project Lead in the Global Security Team of SAP SE, where he defined the risk-based security testing strategy of SAP that combines static, dynamic, and interactive security testing methods and integrates them deeply into SAP's Secure Software Development Lifecycle. He has experience in rolling out *AST tools to world-wide development organisations.

===Exploring the ecosystem of malicious domain registrations in the .eu TLD by Lieven Desmet===
====Abstract====
In this talk, we report on an extensive analysis of 14 months of domain registration in the .eu TLD. The purpose is to identify large-scale malicious campaigns. Overall, the dataset of this study contains 824,121 new domain registrations; 2.53% of which have been flagged as malicious by blacklisting services. We explore the ecosystem and modus operandi of elaborate cybercriminal entities that recurrently register large amounts of domains for one-shot, malicious use. Although these malicious domains are short-lived, we establish that at least 80.04% of them can be framed in to 20 larger campaigns with varying duration and intensity. We further report on insights in the operational aspects of this business and observe, amongst other findings, that their processes are only partially automated.
====Bio====
Lieven Desmet is a Senior Research Manager on Secure Software in the imec-DistriNet Research Group at the Katholieke Universiteit Leuven (Belgium), where he outlines and implements the research strategy, coaches junior researchers in application security, and participates in dissemination, valorisation and spin-off activities. Lieven is also involved in OWASP as a board member of the Belgium OWASP Chapter, and part of the organisation team of the OWASP BeNeLux Day.

===Don't trust the DOM: Bypassing XSS mitigations via script gadgets by Sebastian Lekies===
====Abstract====
Cross-Site Scripting is a constant problem of the Web platform. Over the years many techniques have been introduced to prevent or mitigate XSS. Most of these techniques, thereby, focus on script tags and event handlers. HTML sanitizers, for example, aim at removing potentially dangerous tags and attributes. Another example is the Content Security Policy, which forbids inline event handlers and aims at white listing of legitimate scripts.

In this talk, we present a novel Web hacking technique that enables an attacker to circumvent most XSS mitigations. In order to do so, the attacker abuses so-called script gadgets. A script gadget Is a legitimate piece of JavaScript in a page that reads elements from the DOM via selectors and processes them in a way that results in script execution. To abuse a script gadget, the attacker injects a benign looking element into the page that matches the gadget's selector. Subsequently, the gadget selects the benign-looking element and executes attacker-controlled scripts. As the initially injected element is benign it passes HTML sanitizers and security policies. The XSS only surfaces when the gadget mistakenly elevates the privileges of the element.

In this talk, we will demonstrate that these gadgets are present in almost all modern JavaScript libraries, APIs and applications. We will present several case studies and real-world examples that demonstrate that many mitigation techniques are not suited for modern applications. As a result, we argue that the Web should start focusing more on preventive mechanisms instead of mitigations.
====Bio====
Sebastian Lekies is tech leading the Web application security scanning team at Google. Before joining Google, he was part of SAP's Security Research team, where he conducted academic research in the area of client-side Web application security. Sebastian is regularly speaking at academic and non-academic security conferences such as BlackHat US/EU/Asia, DeepSec, OWASP AppSec EU, Usenix Security, CCS, and many more...

===A Series of Unfortunate Events: Where Malware Meets Murphy by Mattijs van Ommeren===
====Abstract====
When an end user reports some “strange looking file names”, which, after investigating, you discover include several hundreds of Gigabytes of encrypted data, you of course know you are going to have a bad day. Your AV solution has failed you, your firewall has failed you, and your SIEM has failed you. Basically, every piece of security infrastructure you have put your trust (and money) into has left you out in the cold and you thank <deity of choice> that at least the nightly backup was completed successfully. Spin up the tape drive, and soon you will be back in business, or not…?

This talk is about failure. Not only about a failing security infrastructure, but also about failure in doing the Right Thing™ as a first responder, about the failure of Operating System tools, failing APIs, and ironically, also the failure of malware (which is unfortunately not as positive as it may sound). The scenario presented comes pretty close to the worst chain of events you can imagine, in an attempt to recover from a ransomware incident.

Luckily – this story has a happy ending. We will reveal how one can be prepared for when both Count Olaf and Murphy come knocking on your door simultaneously.
====Bio====
Mattijs van Ommeren has been poking hardware and software for 15 years. He has spent most of his working life as a security consultant, attacking and defending both traditional IT environments as well as more esoteric embedded devices and industrial systems. Presently he has a lot of fun at Nixu.

===Common REST API security pitfalls by Philippe De Ryck===
====Abstract====
The shift towards a REST API landscape indicates a significant evolution in the way we build applications. The rise of JavaScript and mobile applications have sparked an explosion of easily-accessible REST APIs. But how do you protect access to your API? Which security aspects are no longer relevant? Which security features are an absolutely must-have, and which additional security measures do you need to take into account?

These are hard questions, as evidenced by the deployment of numerous insecure REST APIs. Attend this session to find out about common API security pitfalls, that often result in compromised user accounts and unauthorized access to your data. We expose the problem that lies at the root of each of these pitfalls, and offer actionable advice to address these security problems. After this session, you will know how to assess the security of your APIs, and the best practices to improve them towards the future.
====Bio====
Philippe De Ryck is a professional speaker and trainer on software security and web security. Since he obtained his PhD at the imec-DistriNet research group (KU Leuven, Belgium), he has been running the group's Web Security Training program, which ensures a sustainable knowledge transfer of the group’s security expertise towards practitioners.

===Creating An AppSec Pipeline With Containers In A Week How We Failed And Succeeded by Jeroen Willemsen===
====Abstract====
Join us on our adventure of setting up a appsec pipeline with Docker containers. What did go wrong, how did we succeed? How do you fight false positives and how do you get the best out of the products out there without bothering the development teams too much.
====Bio====
Jeroen Willemsen is a security architect with a passion for mobile and risk management. He loves to work on secure building blocks, security automation pipelines and embedding information security risk management controls in an agile environment. He is dedicated to help developers, product owners and architects to take security seriously in their daily development life (but not too serious of course ;-)).In his spare time he loves to experiment with new technologies and frameworks.”



= Social Event (TBD)=

== Social Event,starting at 7PM ==
Thursday, November 23rd
;Dudok Tilburg
:Veemarktstraat 33
:5038 CT Tilburg
:http://www.dudok.nl/
Menu:
:As we are a big group, Dudok will prepare the following [[Media:Dudok menu OWASP.pdf|menu]] for us!
'''If you want to join the social event, don't forget to register for the social event via the registration:'''
:[[image:Register_now_red.png|link=https://owasp-benelux-day-2017.eventbrite.com |200px|alt=Register for the OWASP BeNeLux Day 2017 | Register for the OWASP BeNeLux Day 2017 ]]

(limited) open tap sponsored by :
[[File:Avi Logo Transparent Background 300pix.png|200px|link=https://avinetworks.com/]]



= Sponsor =

=== Become a sponsor of OWASP BeNeLux ===

There are 3 combined sponsorship packages (Gold, Silver or Bronze) that cover the BeNeLux chapter meetings 2019 and the BeNeLux OWASP Days 2018.

Download our sponsor brochure TBD and contact [mailto:seba@owasp.org us] for questions or sponsorship confirmation!

Your sponsorship will be invested directly in the chapter meetings, supporting speaker and catering expenses.

The sponsorship will also be dedicated to cover the costs of the OWASP 2018 BeNeLux event.

__NOTOC__
<headertabs></headertabs>

=== Made possible by our {{#switchtablink:Sponsor|Sponsors}}===
'''Hosted by'''

'''Platinum:'''

'''Gold:'''

'''Silver:'''

'''Bronze:'''

[[Category:OWASP_AppSec_Conference]]
[[Category:OWASP_BeNeLux_Archives]]

Belgium Events 2018

2018-08-29T14:55:18Z

Sdeleersnyder:

<noinclude>
These are the 2018 events of the [[Belgium|OWASP Belgium Chapter]].

Previous year: [[Belgium Events 2017|2017]].
</noinclude>
== 17 September 2018 Meeting ==

=== WHEN ===
Monday 17 September 2018

=== WHERE ===

; Host: European Commission
: Place Madou, 1
:1210 - Saint-Josse-Ten-Noode
<pre style="color: red">
Pre-registration of the participants' ID is needed to enter the venue; see registration link below!!!
</pre>

=== PROGRAM ===
The agenda:
*18h15 - 19h00: '''Welcome & sandwiches'''<br>
*19h00 - 19h10: '''OWASP Update''' (by Sebastien Deleersnyder, OWASP) <br>
*19h10 - 20h00: '''Docker Threat Modeling and Top 10''' (by Dirk Wetter)<br>
:''Abstract:'' Docker containers offer several advantages for developers. Most notably they fit perfectly in software development processes, they enable fast, reproducible
deployments and when properly done, with little change the same container can
run either in a test or production environment.

Despite threatening information out there Docker offers per se also several
security advantages. However it is important to make use of them and as a
minimum avoid several pitfalls. In a worst case scenario this can lead
otherwise to less security or the security benefits which the containment
technology offers are not being used at all.

To avoid this a proper fundamental approach is needed.

Thus this talk models first the most important threats to containerized
environments out there. Based on that the speaker will present 10 security
bullet points which covers

* important Do's and Dont's,
* for advanced needs how to tighten security further.

At the end the speaker gives advice how to check your Docker and
Kubernetes security status yourself.

The talk is based on practical experiences at several costumers and on the
speaker's solid network and systems security expertise.

:''Bio:'' [https://twitter.com/drwetter Dirk Wetter (Ph.D.)] is an independent security consultant with more than 20 years professional experience in information security with a broad technical
and information security management background.

His primary focus nowadays is around web application security. He has also a
solid background on network and systems security.

He's also founder and maintainer of the open source project testssl.sh which
checks the encryption of every SSL/TLS enabled service.

*20h00 - 20h10: break <br>
*20h10 - 21h00: '''Securing Containers on the High Seas''' (by Jack Mannino)<br>
:''Abstract:'' It can be a difficult challenge for organizations to securely migrate to containers while shifting processes and security controls. Making the move from legacy virtualization and monolithic deployments to containers requires a solid strategy. Containers offer many inherent security benefits but it’s important to build controls in beyond the containers themselves. From development through container registries and deployment to a runtime environment, it’s important to enforce security and eliminate risks as they’re introduced.

This presentation will focus on scaling container security within an enterprise and building security controls into the way you build, ship, and run containerized services. We will discuss the modern container landscape including different container runtimes and isolation models. We will explore the container lifecycle from your developer’s laptop through your production environment and examine the key security problems to mitigate.

:''Bio:'' [https://twitter.com/jack_mannino Jack Mannino] is the CEO of nVisium. Passionate about security and impossible to keep away from a keyboard, his expertise spans over 15 years of building, breaking, and securing software. Jack founded nVisium in 2009, and since has helped the world's largest software teams enhance security across their software portfolios. He has spoken at conferences globally on topics such as secure design, mobile application security, and cloud-native security.
*21h00 - 21h30: '''Networking drink''' <br>

=== REGISTRATION ===
<pre style="color: red">
Pre-registration of the participants' ID will be needed to enter the security on site.
</pre>
Therefore, please register via this form at the European Commission: https://ec.europa.eu/eusurvey/runner/OWASPBelgiumChapterMeetingSept17 .

'''The registration deadline expires on ''Sunday, September 16th midnight''. After this time the registration and admission to the event will not be possible.'''

=== Coverage ===

== 19 March 2018 Meeting ==

=== WHEN ===
Monday 19 March 2018

=== WHERE ===

; Host: ING Belgium
; Address
: Cours St Michel 60 - 1040 Brussel

=== PROGRAM ===
The agenda:
*18h15 - 19h00: '''Welcome & sandwiches'''<br>
*19h00 - 19h10: '''OWASP Update''' (by Sebastien Deleersnyder, OWASP) <br>
*19h10 - 20h00: '''KRACKing WPA2 in Practice Using Key Reinstallation Attacks''' (by Mathy Vanhoef, imec-DistriNet-KU Leuven)<br>
:''Abstract:'' This talk presents the key reinstallation attack against WPA2 (KRACK attack). It abuses design or implementation flaws in cryptographic protocols to reinstall an already-in-use key. This resets the key’s associated parameters such as transmit nonces and receive replay counters. Several cryptographic Wi-Fi handshakes are affected by the attack.
:All protected Wi-Fi networks use the 4-way handshake to generate a fresh session key. So far, this 14-year-old handshake has remained free from attacks. However, we show that the 4-way handshake is vulnerable to a key reinstallation attack. Here, the adversary tricks a victim into reinstalling an already-in-use key. This is achieved by manipulating and replaying handshake messages. When reinstalling the key, associated parameters such as the incremental transmit packet number (nonce) and receive packet number (replay counter) are reset to their initial value.
:Talk talk also discusses the vulnerability disclosure process that was followed. Since the discovery affected numerous vendors, coordinating the disclosure was non-trivial.
:''Bio:'' '''Mathy Vanhoef''' is a postdoctoral researcher at KU Leuven. He did his PhD on the security of WPA-TKIP, TLS, and RC4. His research interest is in computer security with a focus on wireless security (e.g. Wi-Fi), network protocols in general, the RC4 stream cipher (where is discovered the RC NOMORE attack), and software security (discovering and exploiting vulnerabilities). Currently his main research is about automatically discovering vulnerabilities in network protocol implementations, and proving the correctness of protocol implementations.
*20h00 - 20h10: break <br>
*20h10 - 21h00: '''Making the web secure by design''' (by Glenn Ten Cate, ING Belgium, and Riccardo Ten Cate, Xebia)<br>
:''Abstract:'' Education is the first step in the Secure Software Development Lifecycle. The free OWASP Security Knowledge Framework (SKF) is intended to be a tool that is used as a guide for building and verifying secure software. It can also be used to train developers about application security. This talk will help you as a developer to become THE Neo of your development team. We will show how you can do security by design and introduce other quality gates into your development pipeline to ensure high end quality and security of your project.
:''Bio:'' As a coder, hacker, speaker, trainer and security researcher employed at ING Belgium, '''Glenn Ten Cate''' has over 10 years experience in the field of security. One of the founders of defensive development [defdev] a security training and conference series dedicated to helping you build and maintain secure software and also speaking at multiple other security conferences in the world. His goals is to create an open-source software development life cycle with the tools and knowledge gathered over the years.
:''Bio:'' As a penetration tester from the Netherlands employed at Xebia, '''Riccardo Ten Cate''' specialises in web-application security and has extensive knowledge in securing web applications in multiple coding languages. He is also a specialist in setting up Secure Software Development Life Cycles.
*21h00 - 21h30: '''Networking drink''' <br>

=== REGISTRATION ===
Please register via EventBrite: https://owasp-belgium-2018-03-19.eventbrite.com

=== Coverage ===

== 20 February 2018 Meeting ==

=== WHEN ===
Tuesday 20 February 2018

=== WHERE ===

; Host: [https://distrinet.cs.kuleuven.be DistriNet Research Group (KU Leuven)] (Both speakers are faculty of the [https://www.secappdev.org/ Secure Application Development] course held in Leuven from 2018-02-19 to 2018-02-23.)
; Address
: Department of Computer Science (foyer at ground floor)<br/>Celestijnenlaan 200 A<br/>3001 Heverlee
: ([http://googlemapsinterface.kuleuven.be/index.cgi?lang=N&nbol=(50.864186697481145,%204.678754210472107)&zoomlevel=17&plaatsnaam=Department+of+Computer+Science&maptype=roadmap map], [https://distrinet.cs.kuleuven.be/about/route/ directions])

=== PROGRAM ===
The agenda:
*18h15 - 19h00: '''Welcome & sandwiches'''<br>
*19h00 - 19h10: '''[https://www.owasp.org/images/7/7a/Owasp_Belgium_update_2018-02-20_v1.pdf OWASP Update]''' (by Sebastien Deleersnyder, OWASP) <br>
*19h10 - 20h00: '''[https://schd.ws/hosted_files/secappdev2018/a9/Developer%20are%20not%20the%20enemy%20SecAppDev%20web.pdf Developers are not the enemy -- Usable Security for Experts]''' (by Prof. Matthew Smith, University of Bonn)<br>
:''Abstract:'' Usability problems are a major cause of many of today's IT-security incidents. Security systems are often too complicated, time-consuming, and error prone. For more than a decade researchers in the domain of usable security (USEC) have attempted to combat these problems by conducting interdisciplinary research focusing on the root causes of the problems and on the creation of usable security mechanisms. While major improvements have been made, to date USEC research has focused almost entirely on the non-expert end-user. However, many of the most catastrophic security incidents were not caused by end-users, but by developers or administrators. Heartbleed and Shellshock were both caused by single developers yet had global consequences. The Sony hack in 2014 compromised an entire multi-national IT-infrastructure and misappropriated over 100 TB of data, unnoticed. Fundamentally, every software vulnerability and misconfigured system is caused by developers or administrators making mistakes, but very little research has been done into the underlying causalities and possible mitigation strategies. In this talk we will explore the transition from end-user to expert usable security research and look at several application areas, including TLS, passwords, malware analysis and vulnerability analysis.
:''Bio:'' '''Matthew Smith''' is a Professor for Usable Security and Privacy at the University of Bonn. His research is focused on human factors of security and privacy mechanisms with a wide range of application areas, including TLS and network security, authentication, mobile and app security and, most recently, usable security for developers and administrators. His work has been published at amongst others IEEE S&P, ACM CCS, USENIX Security, NDSS, ACM SIGCHI and SOUPS the Symposium on Usable Security and Privacy. In 2015 his ERC Starting Grant "Frontiers of Usable Security" was selected for funding.
*20h00 - 20h10: '''Break'''<br>
*20h10 - 21h00: '''[https://schd.ws/hosted_files/secappdev2018/75/The%20code%20behind%20the%20vulnerability.pdf The Code Behind The Vulnerability]''' (by Barry Dorrans)<br>
:''Abstract:'' Everyone makes security mistakes, and that includes Microsoft (seriously!). Many developers can spot and prevent vulnerabilities listed in the OWASP top 10. But that narrative changes when we look beyond the scope of the OWASP top 10. Compared to some more recent attacks, fixing XSS or SQL injection almost seems easy. In this session, we dive into a couple of .NET core cases that have been reported to the Microsoft Security Response Center (MSRC). Mind you; these vulnerabilities are not just framework vulnerabilities. Instead, they are coding patterns that you may have introduced in your applications. Examples are issues with hash tables, compression, encryption, regular expressions and more. In this session, you will learn how to spot these vulnerabilities in your code. On top of that, you will walk away with the skills to fix them.
:''Bio:'' '''Barry Dorrans''' is the .NET Security Czar, which means he tries to tell everyone else how to code securely and taking the credit when it goes right, as well as running the .NET Core Bug Bounty. He also ends up triaging publicly and privately reported vulnerabilities when it goes wrong before getting someone else to fix the mistakes. This he gets all the fun and none of the real work, aside from the endless stress wondering when the next vulnerability will be discovered.

=== REGISTRATION ===
Please register via EventBrite: https://owasp-belgium-2018-02-20.eventbrite.com

=== Coverage ===

Belgium Events 2018

2018-08-28T04:31:37Z

Sdeleersnyder:

<noinclude>
These are the 2018 events of the [[Belgium|OWASP Belgium Chapter]].

Previous year: [[Belgium Events 2017|2017]].
</noinclude>
== 17 September 2018 Meeting ==

=== WHEN ===
Monday 17 September 2018

=== WHERE ===

; Host: European Commission
: Place Madou, 1
:1210 - Saint-Josse-Ten-Noode
<pre style="color: red">
Pre-registration of the participants' ID is needed to enter the venue; see registration link below!!!
</pre>

=== PROGRAM ===
The agenda:
*18h15 - 19h00: '''Welcome & sandwiches'''<br>
*19h00 - 19h10: '''OWASP Update''' (by Sebastien Deleersnyder, OWASP) <br>
*19h10 - 20h00: '''Docker Threat Modeling and Top 10''' (by Dirk Wetter)<br>
:''Abstract:'' Docker containers offer several advantages for developers. Most notably they fit perfectly in software development processes, they enable fast, reproducible
deployments and when properly done, with little change the same container can
run either in a test or production environment.

Despite threatening information out there Docker offers per se also several
security advantages. However it is important to make use of them and as a
minimum avoid several pitfalls. In a worst case scenario this can lead
otherwise to less security or the security benefits which the containment
technology offers are not being used at all.

To avoid this a proper fundamental approach is needed.

Thus this talk models first the most important threats to containerized
environments out there. Based on that the speaker will present 10 security
bullet points which covers

* important Do's and Dont's,
* for advanced needs how to tighten security further.

At the end the speaker gives advice how to check your Docker and
Kubernetes security status yourself.

The talk is based on practical experiences at several costumers and on the
speaker's solid network and systems security expertise.

:''Bio:'' [https://twitter.com/drwetter Dirk Wetter (Ph.D.)] is an independent security consultant with more than 20 years professional experience in information security with a broad technical
and information security management background.

His primary focus nowadays is around web application security. He has also a
solid background on network and systems security.

He's also founder and maintainer of the open source project testssl.sh which
checks the encryption of every SSL/TLS enabled service.

*20h00 - 20h10: break <br>
*20h10 - 21h00: '''TBD''' (by TBD)<br>
:''Abstract:'' TBD
:''Bio:'' TBD
*21h00 - 21h30: '''Networking drink''' <br>

=== REGISTRATION ===
<pre style="color: red">
Pre-registration of the participants' ID will be needed to enter the security on site.
</pre>
Therefore, please register via this form at the European Commission: https://ec.europa.eu/eusurvey/runner/OWASPBelgiumChapterMeetingSept17 .

'''The registration deadline expires on ''Sunday, September 16th midnight''. After this time the registration and admission to the event will not be possible.'''

=== Coverage ===

== 19 March 2018 Meeting ==

=== WHEN ===
Monday 19 March 2018

=== WHERE ===

; Host: ING Belgium
; Address
: Cours St Michel 60 - 1040 Brussel

=== PROGRAM ===
The agenda:
*18h15 - 19h00: '''Welcome & sandwiches'''<br>
*19h00 - 19h10: '''OWASP Update''' (by Sebastien Deleersnyder, OWASP) <br>
*19h10 - 20h00: '''KRACKing WPA2 in Practice Using Key Reinstallation Attacks''' (by Mathy Vanhoef, imec-DistriNet-KU Leuven)<br>
:''Abstract:'' This talk presents the key reinstallation attack against WPA2 (KRACK attack). It abuses design or implementation flaws in cryptographic protocols to reinstall an already-in-use key. This resets the key’s associated parameters such as transmit nonces and receive replay counters. Several cryptographic Wi-Fi handshakes are affected by the attack.
:All protected Wi-Fi networks use the 4-way handshake to generate a fresh session key. So far, this 14-year-old handshake has remained free from attacks. However, we show that the 4-way handshake is vulnerable to a key reinstallation attack. Here, the adversary tricks a victim into reinstalling an already-in-use key. This is achieved by manipulating and replaying handshake messages. When reinstalling the key, associated parameters such as the incremental transmit packet number (nonce) and receive packet number (replay counter) are reset to their initial value.
:Talk talk also discusses the vulnerability disclosure process that was followed. Since the discovery affected numerous vendors, coordinating the disclosure was non-trivial.
:''Bio:'' '''Mathy Vanhoef''' is a postdoctoral researcher at KU Leuven. He did his PhD on the security of WPA-TKIP, TLS, and RC4. His research interest is in computer security with a focus on wireless security (e.g. Wi-Fi), network protocols in general, the RC4 stream cipher (where is discovered the RC NOMORE attack), and software security (discovering and exploiting vulnerabilities). Currently his main research is about automatically discovering vulnerabilities in network protocol implementations, and proving the correctness of protocol implementations.
*20h00 - 20h10: break <br>
*20h10 - 21h00: '''Making the web secure by design''' (by Glenn Ten Cate, ING Belgium, and Riccardo Ten Cate, Xebia)<br>
:''Abstract:'' Education is the first step in the Secure Software Development Lifecycle. The free OWASP Security Knowledge Framework (SKF) is intended to be a tool that is used as a guide for building and verifying secure software. It can also be used to train developers about application security. This talk will help you as a developer to become THE Neo of your development team. We will show how you can do security by design and introduce other quality gates into your development pipeline to ensure high end quality and security of your project.
:''Bio:'' As a coder, hacker, speaker, trainer and security researcher employed at ING Belgium, '''Glenn Ten Cate''' has over 10 years experience in the field of security. One of the founders of defensive development [defdev] a security training and conference series dedicated to helping you build and maintain secure software and also speaking at multiple other security conferences in the world. His goals is to create an open-source software development life cycle with the tools and knowledge gathered over the years.
:''Bio:'' As a penetration tester from the Netherlands employed at Xebia, '''Riccardo Ten Cate''' specialises in web-application security and has extensive knowledge in securing web applications in multiple coding languages. He is also a specialist in setting up Secure Software Development Life Cycles.
*21h00 - 21h30: '''Networking drink''' <br>

=== REGISTRATION ===
Please register via EventBrite: https://owasp-belgium-2018-03-19.eventbrite.com

=== Coverage ===

== 20 February 2018 Meeting ==

=== WHEN ===
Tuesday 20 February 2018

=== WHERE ===

; Host: [https://distrinet.cs.kuleuven.be DistriNet Research Group (KU Leuven)] (Both speakers are faculty of the [https://www.secappdev.org/ Secure Application Development] course held in Leuven from 2018-02-19 to 2018-02-23.)
; Address
: Department of Computer Science (foyer at ground floor)<br/>Celestijnenlaan 200 A<br/>3001 Heverlee
: ([http://googlemapsinterface.kuleuven.be/index.cgi?lang=N&nbol=(50.864186697481145,%204.678754210472107)&zoomlevel=17&plaatsnaam=Department+of+Computer+Science&maptype=roadmap map], [https://distrinet.cs.kuleuven.be/about/route/ directions])

=== PROGRAM ===
The agenda:
*18h15 - 19h00: '''Welcome & sandwiches'''<br>
*19h00 - 19h10: '''[https://www.owasp.org/images/7/7a/Owasp_Belgium_update_2018-02-20_v1.pdf OWASP Update]''' (by Sebastien Deleersnyder, OWASP) <br>
*19h10 - 20h00: '''[https://schd.ws/hosted_files/secappdev2018/a9/Developer%20are%20not%20the%20enemy%20SecAppDev%20web.pdf Developers are not the enemy -- Usable Security for Experts]''' (by Prof. Matthew Smith, University of Bonn)<br>
:''Abstract:'' Usability problems are a major cause of many of today's IT-security incidents. Security systems are often too complicated, time-consuming, and error prone. For more than a decade researchers in the domain of usable security (USEC) have attempted to combat these problems by conducting interdisciplinary research focusing on the root causes of the problems and on the creation of usable security mechanisms. While major improvements have been made, to date USEC research has focused almost entirely on the non-expert end-user. However, many of the most catastrophic security incidents were not caused by end-users, but by developers or administrators. Heartbleed and Shellshock were both caused by single developers yet had global consequences. The Sony hack in 2014 compromised an entire multi-national IT-infrastructure and misappropriated over 100 TB of data, unnoticed. Fundamentally, every software vulnerability and misconfigured system is caused by developers or administrators making mistakes, but very little research has been done into the underlying causalities and possible mitigation strategies. In this talk we will explore the transition from end-user to expert usable security research and look at several application areas, including TLS, passwords, malware analysis and vulnerability analysis.
:''Bio:'' '''Matthew Smith''' is a Professor for Usable Security and Privacy at the University of Bonn. His research is focused on human factors of security and privacy mechanisms with a wide range of application areas, including TLS and network security, authentication, mobile and app security and, most recently, usable security for developers and administrators. His work has been published at amongst others IEEE S&P, ACM CCS, USENIX Security, NDSS, ACM SIGCHI and SOUPS the Symposium on Usable Security and Privacy. In 2015 his ERC Starting Grant "Frontiers of Usable Security" was selected for funding.
*20h00 - 20h10: '''Break'''<br>
*20h10 - 21h00: '''[https://schd.ws/hosted_files/secappdev2018/75/The%20code%20behind%20the%20vulnerability.pdf The Code Behind The Vulnerability]''' (by Barry Dorrans)<br>
:''Abstract:'' Everyone makes security mistakes, and that includes Microsoft (seriously!). Many developers can spot and prevent vulnerabilities listed in the OWASP top 10. But that narrative changes when we look beyond the scope of the OWASP top 10. Compared to some more recent attacks, fixing XSS or SQL injection almost seems easy. In this session, we dive into a couple of .NET core cases that have been reported to the Microsoft Security Response Center (MSRC). Mind you; these vulnerabilities are not just framework vulnerabilities. Instead, they are coding patterns that you may have introduced in your applications. Examples are issues with hash tables, compression, encryption, regular expressions and more. In this session, you will learn how to spot these vulnerabilities in your code. On top of that, you will walk away with the skills to fix them.
:''Bio:'' '''Barry Dorrans''' is the .NET Security Czar, which means he tries to tell everyone else how to code securely and taking the credit when it goes right, as well as running the .NET Core Bug Bounty. He also ends up triaging publicly and privately reported vulnerabilities when it goes wrong before getting someone else to fix the mistakes. This he gets all the fun and none of the real work, aside from the endless stress wondering when the next vulnerability will be discovered.

=== REGISTRATION ===
Please register via EventBrite: https://owasp-belgium-2018-02-20.eventbrite.com

=== Coverage ===

OWASP SAMM Project

2018-06-07T13:29:59Z

Sdeleersnyder:

= Main =
<div style="width:100%;height:90px;border:0,margin:0;overflow: hidden;">[[File: flagship_big.jpg|link=]]</div>

{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |

<div style="font-size:120%;border:none;margin: 0;color:#000">

'''OWASP SAMM v1.5 available in the downloads section!'''

'''Join our monthly calls'''
* The monthly call is on each 2nd Wednesday of the month at 21h30 CEST / 3:30pm EST. <br>
* Please join our GoToMeeting: https://global.gotomeeting.com/join/262891661 <br>
* The call is open for everybody interested in SAMM or who wants to work on SAMM. <br>

'''2018 OWASP SAMM Summit (4-8 JUNE 2018, London)'''
* Join our 2018 OWASP SAMM Summit near London as part of the [https://open-security-summit.org/ Open Security Summit].<br>
* We will organize working sessions in a 5-day sprint to draft SAMM v2.0.
* Register online [https://open-security-summit.org/tickets/ here]
* Sponsor the SAMM2, more details [https://www.owasp.org/index.php/OWASP_SAMM_Project#tab=Project_Sponsors here]

The Software Assurance Maturity Model (SAMM) is an open framework to help organizations formulate and implement a strategy for software security that is tailored to the specific risks facing the organization. SAMM helps you:
* '''Evaluate an organization’s existing software security practices'''
* '''Build a balanced software security assurance program in well-defined iterations'''
* '''Demonstrate concrete improvements to a security assurance program'''
* '''Define and measure security-related activities throughout an organization'''

''Dell uses OWASP’s Software Assurance Maturity Model (Owasp SAMM) to help focus our resources and determine which components of our secure application development program to prioritize.'', ('''Michael J. Craigue, Information Security & Compliance, Dell, Inc.''')

Follow OWASP SAMM on twitter: [https://twitter.com/owaspsamm @owaspsamm]

{{Social Media Links}}

| valign="top" style="padding-left:25px;width:200px;" |

== Quick Download v1.5 ==
[https://github.com/OWASP/samm/blob/master/v1.5/Final/OWASP_SAMM_v1.5.zip All SAMM v1.5 files (.zip)] <br>
[https://github.com/OWASP/samm/blob/master/v1.5/Final/SAMM_Core_V1-5_FINAL.pdf SAMM Core Model] <br>
[https://github.com/OWASP/samm/blob/master/v1.5/Final/SAMM_How_To_V1-5_FINAL.pdf How-To Guide] <br>
[https://github.com/OWASP/samm/blob/master/v1.5/Final/SAMM_Quick_Start_V1-5_FINAL.pdf Quick Start Guide] <br>
[https://github.com/OWASP/samm/blob/master/v1.5/Final/SAMM_Assessment_Toolbox_v1.5_FINAL.xlsx SAMM Toolbox] <br>
[https://github.com/OWASP/samm/blob/master/v1.5/Final/SAMM_Assessment_Toolbox_v1.5-Example_FINAL.xlsx SAMM Toolbox Example] <br>
[https://github.com/OWASP/samm/ OWASP SAMM on GitHub]

== Quick Download v1.1.1 ==

[https://github.com/OWASP/samm/blob/master/v1.1/Final/SAMM_Core_V1-1-Final-1page.pdf SAMM Core Model]<br>
[https://github.com/OWASP/samm/blob/master/v1.1/Final/SAMM_How_To_V1-1-Final-1page.pdf How-To Guide] <br>
[https://github.com/OWASP/samm/blob/master/v1.1/Final/SAMM_Quick_Start_V1-1-Final-1page.pdf Quick-Start Guide] <br>
[https://github.com/OWASP/samm/blob/master/v1.1/Final/SAMM_Assessment_Toolbox_v1-1-Final.xlsx Updated SAMM Tool Box]<br>
[https://github.com/OWASP/samm OWASP SAMM on GitHub]

== News and Events ==
Please see the [https://www.owasp.org/index.php/OWASP_SAMM_Project#News News] and [https://www.owasp.org/index.php/OWASP_SAMM_Project#Talks Talks] tabs

== Change Log ==
* OWASP SAMM v1.5 Released! ([http://www.prnewswire.com/news-releases/owasp-samm-v15-helps-organizations-improve-their-security-posture-300439237.html Press Release])
* OWASP SAMM v1.1 Released! ([http://www.prnewswire.com/news-releases/owasp-releases-software-assurance-maturity-model-samm-version-11-for-improving-software-security-300236836.html Press Release])
* OpenSAMM v1.1 RC - [http://lists.owasp.org/pipermail/samm/2015-December/000758.html available for review]

== Email List ==

Questions? Please ask on the [https://lists.owasp.org/mailman/listinfo/samm SAMM Mailing List]

== Project Leaders ==

[https://www.owasp.org/index.php/User:Sdeleersnyder Seba Deleersnyder] <br /> [https://www.owasp.org/index.php/User:Bart_De_Win Bart De Win]

== Related Projects ==

*

==Classifications==

{| width="200" cellpadding="2"
|-
| rowspan="2" align="center" valign="top" width="50%" | [[File:Owasp-flagship-trans-85.png|link=https://www.owasp.org/index.php/OWASP_Project_Stages#tab=Flagship_Projects]]
| align="center" valign="center" width="50%" | [[File:Owasp-defenders-small.png|link=]]
|
|-
| align="center" valign="center" width="50%" | [[File:Owasp-builders-small.png|link=]]
|-
| colspan="2" align="center" | [[File:Cc-button-y-sa-small.png|link=http://creativecommons.org/licenses/by-sa/3.0/]]
|-
| colspan="2" align="center" | [[File:Project_Type_Files_DOC.jpg|link=]]
|}

|}

= Browse Online =
[[Image:OwaspSAMM.png|right]]

The foundation of the model is built upon the core business functions of software development with security practices tied to each (see diagram below). The building blocks of the model are the three maturity levels defined for each of the twelve security practices. These define a wide variety of activities in which an organization could engage to reduce security risks and increase software assurance. Additional details are included to measure successful activity performance, understand the associated assurance benefits, estimate personnel and other costs.

[[Image:SAMM-Overview.png|720px]]

===== Click on any badge to learn more =====

{| cellpadding="1"
|[https://www.owasp.org/index.php/SAMM_-_Governance https://www.owasp.org/images/f/f7/G.png]
|-
| align="center" |'''Strategy & Metrics'''
|{{SAMM-BadgeList|name=Strategy_&_Metrics|abbr=SM|padding=0}}
|-
| align="center" |'''Policy & Compliance'''
|{{SAMM-BadgeList|name=Policy_&_Compliance|abbr=PC|padding=0}}
|-
| align="center" |'''Education & Guidance'''
|{{SAMM-BadgeList|name=Education_&_Guidance|abbr=EG|padding=0}}
|-
|[https://www.owasp.org/index.php/SAMM_-_Construction https://www.owasp.org/images/e/ee/C.png]
|-
| align="center" |'''Threat Assessment'''
|{{SAMM-BadgeList|name=Threat_Assessment|abbr=TA|padding=0}}
|-
| align="center" |'''Security Requirements'''
|{{SAMM-BadgeList|name=Security_Requirements|abbr=SR|padding=0}}
|-
| align="center" |'''Secure Architecture'''
|{{SAMM-BadgeList|name=Secure_Architecture|abbr=SA|padding=0}}
|-
|[https://www.owasp.org/index.php/SAMM_-_Verification https://www.owasp.org/images/8/83/V.png]
|-
| align="center" |'''Design Review'''
|{{SAMM-BadgeList|name=Design_Review|abbr=DR|padding=0}}
|-
| align="center" |'''Code Review'''
|{{SAMM-BadgeList|name=Code_Review|abbr=CR|padding=0}}
|-
| align="center" |'''Security Testing'''
|{{SAMM-BadgeList|name=Security_Testing|abbr=ST|padding=0}}
|-
|[https://www.owasp.org/index.php/SAMM_-_Deployment https://www.owasp.org/images/5/54/D.png]
|-
| align="center" |'''Vulnerability Management'''
|{{SAMM-BadgeList|name=Vulnerability_Management|abbr=VM|padding=0}}
|-
| align="center" |'''Environment Hardening'''
|{{SAMM-BadgeList|name=Environment_Hardening|abbr=EH|padding=0}}
|-
| align="center" |'''Operational Enablement'''
|{{SAMM-BadgeList|name=Operational_Enablement|abbr=OE|padding=0}}
|-
|}

= Downloads =

The latest work in progress can be found on Github: https://github.com/OWASP/samm

Download SAMM v1.5
* [https://github.com/OWASP/samm/blob/master/v1.5/Final/OWASP_SAMM_v1.5.zip All SAMM v1.5 files (.zip)] Zip file containing all the v1.5 files below;
* [https://github.com/OWASP/samm/blob/master/v1.5/Final/SAMM_Core_V1-5_FINAL.pdf SAMM Core Model] document, explaining the maturity model;
* [https://github.com/OWASP/samm/blob/master/v1.5/Final/SAMM_How_To_V1-5_FINAL.pdf How-To Guide] with implementation guidance;
* [https://github.com/OWASP/samm/blob/master/v1.5/Final/SAMM_Quick_Start_V1-5_FINAL.pdf Quick-Start Guide] with different steps to improve your secure software practice;
* [https://github.com/OWASP/samm/blob/master/v1.5/Final/SAMM_Assessment_Toolbox_v1.5_FINAL.xlsx SAMM Toolbox] to perform SAMM assessments and create SAMM roadmaps;
* [https://github.com/OWASP/samm/blob/master/v1.5/Final/SAMM_Assessment_Toolbox_v1.5-Example_FINAL.xlsx SAMM Tool Box Example] to provide an example SAMM assessment;

Download SAMM v1.1
* [https://github.com/OWASP/samm/blob/master/v1.1/Final/SAMM_Core_V1-1-Final.pdf SAMM Core Model] document, explaining the maturity model;
* [https://github.com/OWASP/samm/blob/master/v1.1/Final/SAMM_How_To_V1-1-Final.pdf How-To Guide] with implementation guidance;
* [https://github.com/OWASP/samm/blob/master/v1.1/Final/SAMM_Quick_Start_V1-1-Final.pdf Quick-Start Guide] with different steps to improve your secure software practice;
* [https://github.com/OWASP/samm/blob/master/v1.1/Final/SAMM_Assessment_Toolbox_v1-1-Final.xlsx Updated SAMM Tool Box] to perform SAMM assessments and create SAMM roadmaps;

Download OpenSAMM v1.0:
* in [https://www.owasp.org/images/c/c0/SAMM-1.0.pdf English - PDF], [https://www.owasp.org/images/2/25/SAMM-1.0-en_US-0.3.xml.zip English - XML]
* in [https://www.owasp.org/images/a/a9/SAMM-1.0-es_MX.pdf Spanish - PDF], [https://www.owasp.org/images/a/a1/SAMM-1.0-es_MX-0.3.xml.zip Spanish - XML]
* in [https://www.owasp.org/images/a/a9/SAMM-1.0-ja_JP.pdf Japanese - PDF], not available as XML
* in [https://www.owasp.org/images/f/fd/SAMM-1.0-cn.pdf Chinese - PDF], not available as XML

Available resources to apply SAMM:
* Browse OWASP and other resources for SAMM Security practices: [[:Category:SAMM-Resources]]

Trainings:
* Recent OWASP SAMM 1-Day training slide deck delivered by Bart De Win and Sebastien Deleersnyder at AppSec Europe 2014 in Cambridge
** Slide deck download [https://www.owasp.org/images/d/df/OpenSAMM_Training_vFINAL.pptx here]
** Training description download [https://www.owasp.org/images/7/7c/Training_-_Bootstrap_and_improve_your_SDLC_with_OpenSAMM.docx here]

Assessments:
* SAMM v1.5 Toolbox
** Download the new v1.5 Toolbox with the updated scoring model [https://github.com/OWASP/samm/blob/master/v1.5/Final/SAMM_Assessment_Toolbox_v1.5_FINAL.xlsx SAMM v1.5 Toolbox]
* SAMM v1.1 Toolbox
** download the v1.1 toolbox, including the updated questions [https://github.com/OWASP/samm/blob/master/v1.1/Final/SAMM_Assessment_Toolbox_v1-1-Final.xlsx here]
* Assessment Interview Template by Nick Coblentz for SAMM V1.0
** This [https://www.owasp.org/images/c/cf/20090607-SAMMAssessmentInterviewTemplate-1.0.xls spreadsheet] breaks down the assessment questionnaire from the SAMM framework into assertion statements that can be used to drive assessment interviews.
* Roadmap Chart Template by Colin Watson for SAMM V1.0
** This [https://www.owasp.org/images/e/e2/20090610-Samm-roadmap-chart-template.xls spreadsheet] provides a simple way to capture the data for a SAMM roadmap and automatically generate graphics similar to those that appear in the framework.
* Assessment Worksheet by Christian Frichot for SAMM V1.0
** This is an easy-to-use [https://www.owasp.org/images/e/e2/20090610-Samm-roadmap-chart-template.xls spreadsheet] containing the assessment questionnaire from the SAMM framework. Features some auto-scoring to make the appearance very polished.
* Project Plan Template by Jim Weiler for SAMM V1.0
** This is a [https://www.owasp.org/images/3/33/SAMMProject.zip project plan template] (MS Project) that captures the activities from the SAMM levels. Useful for copying pieces into existing development project schedules.

Mappings:
* BSIMM-6 mapping to SAMM activities:
** Spreadsheet download [https://github.com/OWASP/opensamm/tree/master/v1.1/mapping here]
** Presentation with start of analysis download [https://www.owasp.org/images/6/66/OpenSAMM_-_BSIMM-V_mapping.pptx here]
* BSIMM mapping to SAMM during the 2011 Summit:
** This [https://www.owasp.org/images/2/2e/20110301-OpenSAMM-BSIMM-Mapping.xlsx spreadsheet] contains an activity-level mapping between OpenSAMM and BSIMM. Note that in some cases, multiple BSIMM activities map to a single SAMM activity (109 in BSIMM map to 72 in SAMM).

Tools:
*Javascript visualization framework for SAMM on [https://github.com/qudosoft-labs/SAMMCharts github]

= Community =

[[Image:OwaspSAMM.png|right]]
<div style="font-size:120%;border:none;margin: 0;color:#000">
{{:Projects/OWASP SAMM Project/Pages/Community | Community}}

</div>

= Summit =

[[Image:OwaspSAMM.png|right]]

In 2016 we organized our second OWASP SAMM Summit in New York on 20-21 April, details [https://www.owasp.org/index.php/OWASP_SAMM_Summit_2016 >here<] !!

Read the wrap-up of the Summit here: https://docs.google.com/document/d/19_LC1euR7ZuazRYgeblhPE1Fv6E8N56Bu8zANq2JB30/edit

In 2015 we organized our the first OWASP SAMM Summit in Dublin on 27-28 March, details [https://www.owasp.org/index.php/OWASP_SAMM_Summit_2015 >here<] !!

Summit Notes:
* 28 Mar 2015 - https://docs.google.com/document/d/1pC4har75olF1WPZaqRfXFG9T3SS_qoEUvHkEynE0iTI/edit
* Summit outcome is described [http://www.opensamm.org/2015/04/opensamm-summit-dublin-outcome/ here]
''"The SAMM summit provided an opportunity to breathe new life into a framework that I use to facilitate my day-to-day work and support my customers."'' Bruce C Jenkins, Fortify Security Lead, Hewlett-Packard Company

Previous workshop Notes:

During the AppSec conferences, the SAMM project team organises workshops for you to influence the direction SAMM evolves.

This is also an excellent opportunity to exchange experiences with your peers.

If you plan on attending http://appsec.eu be sure to get involved in the SAMM workshop (scheduled on Jun-23).
* The agenda for the SAMM Workshop in Cambridge on 23-Jun-2014 is available [https://docs.google.com/document/d/1tXqIovpSuFqycVYetdGSC2PiPygySymiLUhHT5yHR2M/edit here].

Previous workshop notes:
* The notes for the SAMM Workshop in New York on 21-Nov-2013 are available [https://docs.google.com/document/d/1PwoDVsWyhoWksBiLIRh8UOh-QCs8H7QMqrSUsS13WzU/edit here].
* The notes for the SAMM Workshop in Hamburg on 21-Aug-2013 are available [https://docs.google.com/document/d/12mB7FkmhcI04YDZle_VD90n1xcENgNhAGqZkCAb6EkM/edit here].

= Talks =
[[Image:OwaspSAMM.png|right]]
<div style="font-size:120%;border:none;margin: 0;color:#000">
Upcoming talks featuring SAMM are listed here:

* OWASP DC - Software Assurance Maturity Model (SAMM) with Brian Glas! (2017-03-15)
* OWASP NoVA - SAMM 1.5, what's changed and how it impacts you (2017-03-16)
* InfoSec World - Software Assurance Maturity Model Evolutions (2017-04-03)

past talks:

* OWASP SAMM v1.5 Webinar - Brian Glas discussing the SAMM model and changes in v1.5 (watch - [https://www.youtube.com/watch?v=4pKdwRb8fTI youtube]) - 2017
* OWASP 24/7 - Seba Deleersnyder discussing the upcoming SAMM Summit (listen - [https://soundcloud.com/owasp-podcast/seba-deleersnyder-discusses-samm-software-assurance-maturity-model-summit-in-dublin-ireland here]) - 2015
* OWASP Germany Day 2014: Seba Deleersnyder: OpenSAMM Best Practices: Lessons from the Trenches (download [https://www.owasp.org/images/f/fa/OpenSAMM_Best_Practices_Lessons_from_the_Trenches_-_Seba_Deleersnyder.pdf presentation]) - 2014
* AppSecEU14: Seba Deleersnyder & Bart De Win: OpenSAMM Best Practices: Lessons from the Trenches OpenSAMM Best Practices: Lessons from the Trenches (download [https://www.owasp.org/images/6/6f/OpenSAMM_-_AppSecEU_2014_-_Seba-Bart_v20140528.pptx presentation], see [https://www.youtube.com/watch?v=qcCgeBeBLUg video]) - 2014
* AppSecEU13 - Hamburg: Seba Deleersnyder presenting a project update (download [https://www.owasp.org/images/3/32/OpenSAMM_-_Project_Status_-_Hamburg_2013.pdf presentation]) - 2013
* OWASP Europe Tour 2013 - Geneva: Seba Deleersnyder presenting OpenSAMM and the renewed project (download [https://www.owasp.org/images/c/cd/OpenSAMM_-_OWASP_Tour_13_Talk_-_Seba.pptx presentation]) - 2013
* AppSecEU11 - Athens: Colin Watson presenting SAMM Training (download [https://www.owasp.org/images/1/18/Owasp-training-samm-greece.pdf presentation]) - 2011
* AppSecEU09: Pravir Chandra presenting OpenSAMM v1.0 (download [https://www.owasp.org/images/4/49/AppSecEU09_OpenSAMM-1.0.ppt presentation]) - 2009
* Matt Bartoldus presentation on new SAMM project during OWASP London chapter (download [https://www.owasp.org/images/d/df/OpenSAMM.pdf presentation]) - 2009
* Pravir Chandra - first presentation discussing the next generation to the CLASP Project- a complete working of the details into a Software Assurance Maturity Model (SAMM). (download [https://www.owasp.org/images/2/2e/OWASP_CLASP_SAMM.ppt presentation]) - 2009

</div>

= News =
[[Image:OwaspSAMM.png|right]]
<div style="font-size:120%;border:none;margin: 0;color:#000">

Latest News on SAMM
* OWASP SAMM v2.0 workshop at the OWASP Project Summit June 2017
* OWASP SAMM v1.5 Released!
* SAMM Summit 2016 read the [https://docs.google.com/document/d/19_LC1euR7ZuazRYgeblhPE1Fv6E8N56Bu8zANq2JB30/edit wrap-up here]
* OWASP SAMM v1.1 Released! See the [http://www.prnewswire.com/news-releases/owasp-releases-software-assurance-maturity-model-samm-version-11-for-improving-software-security-300236836.html Press Release].
* OpenSAMM v1.1 RC - [http://lists.owasp.org/pipermail/samm/2015-December/000758.html available for review]

</div>

= Languages =
[[Image:OwaspSAMM.png|right]]
<div style="font-size:120%;border:none;margin: 0;color:#000">

'''SAMM v1.0 is available in the following languages:'''

* English
* Spanish
* Japanese
* Chinese

Carlos Allendes created a presentation in Spanish on SAMM during the 2011 LatAm tour, download the [https://www.owasp.org/images/c/cf/05_OWASP_LatamTur2011_OpenSAMM.pdf presentation].
Hubert Grégoire and Sebastien Gioria created a French translation of the OpenSAMM 1.0 Overview presentation available for download [https://www.owasp.org/images/f/fd/OpenSAMM-1.0-fr_FR.ppt here].

You can use [http://crowdin.net/project/owasp-samm Crowdin] to help improve these translations or add new ones right now!

</div>

= Roadmap =
[[Image:OwaspSAMM.png|right]]
<div style="font-size:120%;border:none;margin: 0;color:#000">

Updated roadmap:
Next 1.5 release, updated scoring:
* Clarification of maturity levels (syntactic changes to keep the text consistent)
* Not change activities but try to impose the current scoring system on existing activities, i.e. move from binary yes/no to the multi-tiered questions/answers of the current proposal.
* Show improvements with every activity introduced
* Adapt for the new scoring method
* Update questions for 4-tiers
* Review and where necessary clarify current questions
* Consider v1.1 remarks that were not withheld for the previous release
Targeted completion date: February 28, 2017

SAMM version 2.0
* Core model changed
* Visualisations + flavours for a few development methodologies
* Update quickstart guide, TB, HTG.
* Success metrics: How well does the model work: Linked to the benchmarking project.
Timing: Workshops as part of OWASP Project Summit June 2017

</div>
= Get Involved =
[[Image:OwaspSAMM.png|right]]
<div style="font-size:120%;border:none;margin: 0;color:#000">

Involvement in the development of SAMM is actively encouraged!

You do not have to be a security expert in order to contribute.

Some of the ways you can help:

==Feedback==

Please use the [https://lists.owasp.org/mailman/listinfo/samm Mailing List] for feedback:
* What do like?
* What don't you like?
* How can we make SAMM easier to use?
* How could SAMM be improved?

==Localization==

Are you fluent in another language? Can you help translate SAMM into that language?

You can use [http://crowdin.net/project/owasp-samm Crowdin] to do that!

</div>

= Project Sponsors =
[[Image:OwaspSAMM.png|right]]

<div style="font-size:120%;border:none;margin: 0;color:#000">

SAMM is developed and maintained by a worldwide team of volunteers. We have also been helped by many organizations, either financially or by encouraging their employees to work on SAMM.

==SAMM Adopters==
SAMM is the premier open source software assurance framework. You can find a list of [https://www.owasp.org/index.php/OpenSAMM_Adopters SAMM adopters] online.

==Call for SAMM2 Sponsors==
OWASP SAMM and the upcoming SAMM 2.0 release is the open source software security maturity model used to develop secure software for IT, application and software security technologists.

We are seeking sponsors to support OWASP SAMM. All proceeds from the sponsorship support the mission of the OWASP Foundation and the further development of SAMM. Supporting the project drives the funding for research grants, SAMM hosting, tools, templates, documents, promotion, and more.

By sponsoring SAMM, you not only support an important and flagship OWASP project, you will also get visibility during the next SAMM Summit (part of the OWASP Summit 2018) and recognition on the OWASP SAMM project web site and the next release of SAMM (version 2.0).

For more information: Download our [https://www.owasp.org/images/f/fb/OWASP_SAMM2_Sponsorship_Form_v20170212.pdf SAMM2 sponsorship brochure].

Contact [mailto:seba@owasp.org seba@owasp.org] to activate your sponsorship.

==== Acknowledgements ====

We would like to thank the following sponsors who donated funds to our project:

[[File:OWASP-NoVA-Chapter-Logo.PNG|250px|link=https://www.owasp.org/index.php/Virginia]]
[[File:Belgium_Chapter.PNG|250px|link=https://www.owasp.org/index.php/Belgium]]
[[File:London_Chapter.PNG|250px|link=https://www.owasp.org/index.php/London]]

[[File:Aspectsecurity.png|250px|link=http://www.aspectsecurity.com]]
[[File:Astech_Consulting_logo.png|250px|link=http://www.astechconsulting.com/]]
[[File:Denim_Group_logo.jpg|250px|link=http://www.denimgroup.com/]]
[[File:Gotham_Digital_Science_logo.jpg|250px|link=http://www.gdssecurity.com/]]

{{MemberLinksv2|link=http://www.hpenterprisesecurity.com|logo=HP_Blue_RGB_150_SM.png|size=300px90px}}
[[File:NetSPI_logo.png|250px|link=http://www.netspi.com/]]
[[Image:PwC_logo_4colourprint_(2)_Resized_good_one.jpg|150px|link=http://www.pwc.com]]
[[File:SI_Logo_Stacked_Application_Security.jpg|250px|link=http://www.securityinnovation.com/]]
[[File:LogoToreon.jpg|250px|link=http://www.toreon.com]]
[[File:Veracode-samm.png|250px|link=http://www.veracode.com]]

__NOTOC__ <headertabs></headertabs>

<br />
{{OWASP Book|6888083}}
<br />

[[Category:OWASP Project|Zed Attack Proxy Project]]
[[Category:OWASP_Tool]]
[[Category:OWASP Release Quality Tool|OWASP Release Quality Tool]]
[[Category:OWASP_Download]]
[[Category:Popular]]

OWASP SAMM Project

2018-06-07T13:29:19Z

Sdeleersnyder:

= Main =
<div style="width:100%;height:90px;border:0,margin:0;overflow: hidden;">[[File: flagship_big.jpg|link=]]</div>

{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |

<div style="font-size:120%;border:none;margin: 0;color:#000">

'''OWASP SAMM v1.5 available in the downloads section!'''

'''Join our monthly calls"""
The monthly call is on each 2nd Wednesday of the month at 21h30 CEST / 3:30pm EST. <br>
Please join our GoToMeeting: https://global.gotomeeting.com/join/262891661 <br>
The call is open for everybody interested in SAMM or who wants to work on SAMM. <br>

'''2018 OWASP SAMM Summit (4-8 JUNE 2018, London)'''
* Join our 2018 OWASP SAMM Summit near London as part of the [https://open-security-summit.org/ Open Security Summit].<br>
* We will organize working sessions in a 5-day sprint to draft SAMM v2.0.
* Register online [https://open-security-summit.org/tickets/ here]
* Sponsor the SAMM2, more details [https://www.owasp.org/index.php/OWASP_SAMM_Project#tab=Project_Sponsors here]

The Software Assurance Maturity Model (SAMM) is an open framework to help organizations formulate and implement a strategy for software security that is tailored to the specific risks facing the organization. SAMM helps you:
* '''Evaluate an organization’s existing software security practices'''
* '''Build a balanced software security assurance program in well-defined iterations'''
* '''Demonstrate concrete improvements to a security assurance program'''
* '''Define and measure security-related activities throughout an organization'''

''Dell uses OWASP’s Software Assurance Maturity Model (Owasp SAMM) to help focus our resources and determine which components of our secure application development program to prioritize.'', ('''Michael J. Craigue, Information Security & Compliance, Dell, Inc.''')

Follow OWASP SAMM on twitter: [https://twitter.com/owaspsamm @owaspsamm]

{{Social Media Links}}

| valign="top" style="padding-left:25px;width:200px;" |

== Quick Download v1.5 ==
[https://github.com/OWASP/samm/blob/master/v1.5/Final/OWASP_SAMM_v1.5.zip All SAMM v1.5 files (.zip)] <br>
[https://github.com/OWASP/samm/blob/master/v1.5/Final/SAMM_Core_V1-5_FINAL.pdf SAMM Core Model] <br>
[https://github.com/OWASP/samm/blob/master/v1.5/Final/SAMM_How_To_V1-5_FINAL.pdf How-To Guide] <br>
[https://github.com/OWASP/samm/blob/master/v1.5/Final/SAMM_Quick_Start_V1-5_FINAL.pdf Quick Start Guide] <br>
[https://github.com/OWASP/samm/blob/master/v1.5/Final/SAMM_Assessment_Toolbox_v1.5_FINAL.xlsx SAMM Toolbox] <br>
[https://github.com/OWASP/samm/blob/master/v1.5/Final/SAMM_Assessment_Toolbox_v1.5-Example_FINAL.xlsx SAMM Toolbox Example] <br>
[https://github.com/OWASP/samm/ OWASP SAMM on GitHub]

== Quick Download v1.1.1 ==

[https://github.com/OWASP/samm/blob/master/v1.1/Final/SAMM_Core_V1-1-Final-1page.pdf SAMM Core Model]<br>
[https://github.com/OWASP/samm/blob/master/v1.1/Final/SAMM_How_To_V1-1-Final-1page.pdf How-To Guide] <br>
[https://github.com/OWASP/samm/blob/master/v1.1/Final/SAMM_Quick_Start_V1-1-Final-1page.pdf Quick-Start Guide] <br>
[https://github.com/OWASP/samm/blob/master/v1.1/Final/SAMM_Assessment_Toolbox_v1-1-Final.xlsx Updated SAMM Tool Box]<br>
[https://github.com/OWASP/samm OWASP SAMM on GitHub]

== News and Events ==
Please see the [https://www.owasp.org/index.php/OWASP_SAMM_Project#News News] and [https://www.owasp.org/index.php/OWASP_SAMM_Project#Talks Talks] tabs

== Change Log ==
* OWASP SAMM v1.5 Released! ([http://www.prnewswire.com/news-releases/owasp-samm-v15-helps-organizations-improve-their-security-posture-300439237.html Press Release])
* OWASP SAMM v1.1 Released! ([http://www.prnewswire.com/news-releases/owasp-releases-software-assurance-maturity-model-samm-version-11-for-improving-software-security-300236836.html Press Release])
* OpenSAMM v1.1 RC - [http://lists.owasp.org/pipermail/samm/2015-December/000758.html available for review]

== Email List ==

Questions? Please ask on the [https://lists.owasp.org/mailman/listinfo/samm SAMM Mailing List]

== Project Leaders ==

[https://www.owasp.org/index.php/User:Sdeleersnyder Seba Deleersnyder] <br /> [https://www.owasp.org/index.php/User:Bart_De_Win Bart De Win]

== Related Projects ==

*

==Classifications==

{| width="200" cellpadding="2"
|-
| rowspan="2" align="center" valign="top" width="50%" | [[File:Owasp-flagship-trans-85.png|link=https://www.owasp.org/index.php/OWASP_Project_Stages#tab=Flagship_Projects]]
| align="center" valign="center" width="50%" | [[File:Owasp-defenders-small.png|link=]]
|
|-
| align="center" valign="center" width="50%" | [[File:Owasp-builders-small.png|link=]]
|-
| colspan="2" align="center" | [[File:Cc-button-y-sa-small.png|link=http://creativecommons.org/licenses/by-sa/3.0/]]
|-
| colspan="2" align="center" | [[File:Project_Type_Files_DOC.jpg|link=]]
|}

|}

= Browse Online =
[[Image:OwaspSAMM.png|right]]

The foundation of the model is built upon the core business functions of software development with security practices tied to each (see diagram below). The building blocks of the model are the three maturity levels defined for each of the twelve security practices. These define a wide variety of activities in which an organization could engage to reduce security risks and increase software assurance. Additional details are included to measure successful activity performance, understand the associated assurance benefits, estimate personnel and other costs.

[[Image:SAMM-Overview.png|720px]]

===== Click on any badge to learn more =====

{| cellpadding="1"
|[https://www.owasp.org/index.php/SAMM_-_Governance https://www.owasp.org/images/f/f7/G.png]
|-
| align="center" |'''Strategy & Metrics'''
|{{SAMM-BadgeList|name=Strategy_&_Metrics|abbr=SM|padding=0}}
|-
| align="center" |'''Policy & Compliance'''
|{{SAMM-BadgeList|name=Policy_&_Compliance|abbr=PC|padding=0}}
|-
| align="center" |'''Education & Guidance'''
|{{SAMM-BadgeList|name=Education_&_Guidance|abbr=EG|padding=0}}
|-
|[https://www.owasp.org/index.php/SAMM_-_Construction https://www.owasp.org/images/e/ee/C.png]
|-
| align="center" |'''Threat Assessment'''
|{{SAMM-BadgeList|name=Threat_Assessment|abbr=TA|padding=0}}
|-
| align="center" |'''Security Requirements'''
|{{SAMM-BadgeList|name=Security_Requirements|abbr=SR|padding=0}}
|-
| align="center" |'''Secure Architecture'''
|{{SAMM-BadgeList|name=Secure_Architecture|abbr=SA|padding=0}}
|-
|[https://www.owasp.org/index.php/SAMM_-_Verification https://www.owasp.org/images/8/83/V.png]
|-
| align="center" |'''Design Review'''
|{{SAMM-BadgeList|name=Design_Review|abbr=DR|padding=0}}
|-
| align="center" |'''Code Review'''
|{{SAMM-BadgeList|name=Code_Review|abbr=CR|padding=0}}
|-
| align="center" |'''Security Testing'''
|{{SAMM-BadgeList|name=Security_Testing|abbr=ST|padding=0}}
|-
|[https://www.owasp.org/index.php/SAMM_-_Deployment https://www.owasp.org/images/5/54/D.png]
|-
| align="center" |'''Vulnerability Management'''
|{{SAMM-BadgeList|name=Vulnerability_Management|abbr=VM|padding=0}}
|-
| align="center" |'''Environment Hardening'''
|{{SAMM-BadgeList|name=Environment_Hardening|abbr=EH|padding=0}}
|-
| align="center" |'''Operational Enablement'''
|{{SAMM-BadgeList|name=Operational_Enablement|abbr=OE|padding=0}}
|-
|}

= Downloads =

The latest work in progress can be found on Github: https://github.com/OWASP/samm

Download SAMM v1.5
* [https://github.com/OWASP/samm/blob/master/v1.5/Final/OWASP_SAMM_v1.5.zip All SAMM v1.5 files (.zip)] Zip file containing all the v1.5 files below;
* [https://github.com/OWASP/samm/blob/master/v1.5/Final/SAMM_Core_V1-5_FINAL.pdf SAMM Core Model] document, explaining the maturity model;
* [https://github.com/OWASP/samm/blob/master/v1.5/Final/SAMM_How_To_V1-5_FINAL.pdf How-To Guide] with implementation guidance;
* [https://github.com/OWASP/samm/blob/master/v1.5/Final/SAMM_Quick_Start_V1-5_FINAL.pdf Quick-Start Guide] with different steps to improve your secure software practice;
* [https://github.com/OWASP/samm/blob/master/v1.5/Final/SAMM_Assessment_Toolbox_v1.5_FINAL.xlsx SAMM Toolbox] to perform SAMM assessments and create SAMM roadmaps;
* [https://github.com/OWASP/samm/blob/master/v1.5/Final/SAMM_Assessment_Toolbox_v1.5-Example_FINAL.xlsx SAMM Tool Box Example] to provide an example SAMM assessment;

Download SAMM v1.1
* [https://github.com/OWASP/samm/blob/master/v1.1/Final/SAMM_Core_V1-1-Final.pdf SAMM Core Model] document, explaining the maturity model;
* [https://github.com/OWASP/samm/blob/master/v1.1/Final/SAMM_How_To_V1-1-Final.pdf How-To Guide] with implementation guidance;
* [https://github.com/OWASP/samm/blob/master/v1.1/Final/SAMM_Quick_Start_V1-1-Final.pdf Quick-Start Guide] with different steps to improve your secure software practice;
* [https://github.com/OWASP/samm/blob/master/v1.1/Final/SAMM_Assessment_Toolbox_v1-1-Final.xlsx Updated SAMM Tool Box] to perform SAMM assessments and create SAMM roadmaps;

Download OpenSAMM v1.0:
* in [https://www.owasp.org/images/c/c0/SAMM-1.0.pdf English - PDF], [https://www.owasp.org/images/2/25/SAMM-1.0-en_US-0.3.xml.zip English - XML]
* in [https://www.owasp.org/images/a/a9/SAMM-1.0-es_MX.pdf Spanish - PDF], [https://www.owasp.org/images/a/a1/SAMM-1.0-es_MX-0.3.xml.zip Spanish - XML]
* in [https://www.owasp.org/images/a/a9/SAMM-1.0-ja_JP.pdf Japanese - PDF], not available as XML
* in [https://www.owasp.org/images/f/fd/SAMM-1.0-cn.pdf Chinese - PDF], not available as XML

Available resources to apply SAMM:
* Browse OWASP and other resources for SAMM Security practices: [[:Category:SAMM-Resources]]

Trainings:
* Recent OWASP SAMM 1-Day training slide deck delivered by Bart De Win and Sebastien Deleersnyder at AppSec Europe 2014 in Cambridge
** Slide deck download [https://www.owasp.org/images/d/df/OpenSAMM_Training_vFINAL.pptx here]
** Training description download [https://www.owasp.org/images/7/7c/Training_-_Bootstrap_and_improve_your_SDLC_with_OpenSAMM.docx here]

Assessments:
* SAMM v1.5 Toolbox
** Download the new v1.5 Toolbox with the updated scoring model [https://github.com/OWASP/samm/blob/master/v1.5/Final/SAMM_Assessment_Toolbox_v1.5_FINAL.xlsx SAMM v1.5 Toolbox]
* SAMM v1.1 Toolbox
** download the v1.1 toolbox, including the updated questions [https://github.com/OWASP/samm/blob/master/v1.1/Final/SAMM_Assessment_Toolbox_v1-1-Final.xlsx here]
* Assessment Interview Template by Nick Coblentz for SAMM V1.0
** This [https://www.owasp.org/images/c/cf/20090607-SAMMAssessmentInterviewTemplate-1.0.xls spreadsheet] breaks down the assessment questionnaire from the SAMM framework into assertion statements that can be used to drive assessment interviews.
* Roadmap Chart Template by Colin Watson for SAMM V1.0
** This [https://www.owasp.org/images/e/e2/20090610-Samm-roadmap-chart-template.xls spreadsheet] provides a simple way to capture the data for a SAMM roadmap and automatically generate graphics similar to those that appear in the framework.
* Assessment Worksheet by Christian Frichot for SAMM V1.0
** This is an easy-to-use [https://www.owasp.org/images/e/e2/20090610-Samm-roadmap-chart-template.xls spreadsheet] containing the assessment questionnaire from the SAMM framework. Features some auto-scoring to make the appearance very polished.
* Project Plan Template by Jim Weiler for SAMM V1.0
** This is a [https://www.owasp.org/images/3/33/SAMMProject.zip project plan template] (MS Project) that captures the activities from the SAMM levels. Useful for copying pieces into existing development project schedules.

Mappings:
* BSIMM-6 mapping to SAMM activities:
** Spreadsheet download [https://github.com/OWASP/opensamm/tree/master/v1.1/mapping here]
** Presentation with start of analysis download [https://www.owasp.org/images/6/66/OpenSAMM_-_BSIMM-V_mapping.pptx here]
* BSIMM mapping to SAMM during the 2011 Summit:
** This [https://www.owasp.org/images/2/2e/20110301-OpenSAMM-BSIMM-Mapping.xlsx spreadsheet] contains an activity-level mapping between OpenSAMM and BSIMM. Note that in some cases, multiple BSIMM activities map to a single SAMM activity (109 in BSIMM map to 72 in SAMM).

Tools:
*Javascript visualization framework for SAMM on [https://github.com/qudosoft-labs/SAMMCharts github]

= Community =

[[Image:OwaspSAMM.png|right]]
<div style="font-size:120%;border:none;margin: 0;color:#000">
{{:Projects/OWASP SAMM Project/Pages/Community | Community}}

</div>

= Summit =

[[Image:OwaspSAMM.png|right]]

In 2016 we organized our second OWASP SAMM Summit in New York on 20-21 April, details [https://www.owasp.org/index.php/OWASP_SAMM_Summit_2016 >here<] !!

Read the wrap-up of the Summit here: https://docs.google.com/document/d/19_LC1euR7ZuazRYgeblhPE1Fv6E8N56Bu8zANq2JB30/edit

In 2015 we organized our the first OWASP SAMM Summit in Dublin on 27-28 March, details [https://www.owasp.org/index.php/OWASP_SAMM_Summit_2015 >here<] !!

Summit Notes:
* 28 Mar 2015 - https://docs.google.com/document/d/1pC4har75olF1WPZaqRfXFG9T3SS_qoEUvHkEynE0iTI/edit
* Summit outcome is described [http://www.opensamm.org/2015/04/opensamm-summit-dublin-outcome/ here]
''"The SAMM summit provided an opportunity to breathe new life into a framework that I use to facilitate my day-to-day work and support my customers."'' Bruce C Jenkins, Fortify Security Lead, Hewlett-Packard Company

Previous workshop Notes:

During the AppSec conferences, the SAMM project team organises workshops for you to influence the direction SAMM evolves.

This is also an excellent opportunity to exchange experiences with your peers.

If you plan on attending http://appsec.eu be sure to get involved in the SAMM workshop (scheduled on Jun-23).
* The agenda for the SAMM Workshop in Cambridge on 23-Jun-2014 is available [https://docs.google.com/document/d/1tXqIovpSuFqycVYetdGSC2PiPygySymiLUhHT5yHR2M/edit here].

Previous workshop notes:
* The notes for the SAMM Workshop in New York on 21-Nov-2013 are available [https://docs.google.com/document/d/1PwoDVsWyhoWksBiLIRh8UOh-QCs8H7QMqrSUsS13WzU/edit here].
* The notes for the SAMM Workshop in Hamburg on 21-Aug-2013 are available [https://docs.google.com/document/d/12mB7FkmhcI04YDZle_VD90n1xcENgNhAGqZkCAb6EkM/edit here].

= Talks =
[[Image:OwaspSAMM.png|right]]
<div style="font-size:120%;border:none;margin: 0;color:#000">
Upcoming talks featuring SAMM are listed here:

* OWASP DC - Software Assurance Maturity Model (SAMM) with Brian Glas! (2017-03-15)
* OWASP NoVA - SAMM 1.5, what's changed and how it impacts you (2017-03-16)
* InfoSec World - Software Assurance Maturity Model Evolutions (2017-04-03)

past talks:

* OWASP SAMM v1.5 Webinar - Brian Glas discussing the SAMM model and changes in v1.5 (watch - [https://www.youtube.com/watch?v=4pKdwRb8fTI youtube]) - 2017
* OWASP 24/7 - Seba Deleersnyder discussing the upcoming SAMM Summit (listen - [https://soundcloud.com/owasp-podcast/seba-deleersnyder-discusses-samm-software-assurance-maturity-model-summit-in-dublin-ireland here]) - 2015
* OWASP Germany Day 2014: Seba Deleersnyder: OpenSAMM Best Practices: Lessons from the Trenches (download [https://www.owasp.org/images/f/fa/OpenSAMM_Best_Practices_Lessons_from_the_Trenches_-_Seba_Deleersnyder.pdf presentation]) - 2014
* AppSecEU14: Seba Deleersnyder & Bart De Win: OpenSAMM Best Practices: Lessons from the Trenches OpenSAMM Best Practices: Lessons from the Trenches (download [https://www.owasp.org/images/6/6f/OpenSAMM_-_AppSecEU_2014_-_Seba-Bart_v20140528.pptx presentation], see [https://www.youtube.com/watch?v=qcCgeBeBLUg video]) - 2014
* AppSecEU13 - Hamburg: Seba Deleersnyder presenting a project update (download [https://www.owasp.org/images/3/32/OpenSAMM_-_Project_Status_-_Hamburg_2013.pdf presentation]) - 2013
* OWASP Europe Tour 2013 - Geneva: Seba Deleersnyder presenting OpenSAMM and the renewed project (download [https://www.owasp.org/images/c/cd/OpenSAMM_-_OWASP_Tour_13_Talk_-_Seba.pptx presentation]) - 2013
* AppSecEU11 - Athens: Colin Watson presenting SAMM Training (download [https://www.owasp.org/images/1/18/Owasp-training-samm-greece.pdf presentation]) - 2011
* AppSecEU09: Pravir Chandra presenting OpenSAMM v1.0 (download [https://www.owasp.org/images/4/49/AppSecEU09_OpenSAMM-1.0.ppt presentation]) - 2009
* Matt Bartoldus presentation on new SAMM project during OWASP London chapter (download [https://www.owasp.org/images/d/df/OpenSAMM.pdf presentation]) - 2009
* Pravir Chandra - first presentation discussing the next generation to the CLASP Project- a complete working of the details into a Software Assurance Maturity Model (SAMM). (download [https://www.owasp.org/images/2/2e/OWASP_CLASP_SAMM.ppt presentation]) - 2009

</div>

= News =
[[Image:OwaspSAMM.png|right]]
<div style="font-size:120%;border:none;margin: 0;color:#000">

Latest News on SAMM
* OWASP SAMM v2.0 workshop at the OWASP Project Summit June 2017
* OWASP SAMM v1.5 Released!
* SAMM Summit 2016 read the [https://docs.google.com/document/d/19_LC1euR7ZuazRYgeblhPE1Fv6E8N56Bu8zANq2JB30/edit wrap-up here]
* OWASP SAMM v1.1 Released! See the [http://www.prnewswire.com/news-releases/owasp-releases-software-assurance-maturity-model-samm-version-11-for-improving-software-security-300236836.html Press Release].
* OpenSAMM v1.1 RC - [http://lists.owasp.org/pipermail/samm/2015-December/000758.html available for review]

</div>

= Languages =
[[Image:OwaspSAMM.png|right]]
<div style="font-size:120%;border:none;margin: 0;color:#000">

'''SAMM v1.0 is available in the following languages:'''

* English
* Spanish
* Japanese
* Chinese

Carlos Allendes created a presentation in Spanish on SAMM during the 2011 LatAm tour, download the [https://www.owasp.org/images/c/cf/05_OWASP_LatamTur2011_OpenSAMM.pdf presentation].
Hubert Grégoire and Sebastien Gioria created a French translation of the OpenSAMM 1.0 Overview presentation available for download [https://www.owasp.org/images/f/fd/OpenSAMM-1.0-fr_FR.ppt here].

You can use [http://crowdin.net/project/owasp-samm Crowdin] to help improve these translations or add new ones right now!

</div>

= Roadmap =
[[Image:OwaspSAMM.png|right]]
<div style="font-size:120%;border:none;margin: 0;color:#000">

Updated roadmap:
Next 1.5 release, updated scoring:
* Clarification of maturity levels (syntactic changes to keep the text consistent)
* Not change activities but try to impose the current scoring system on existing activities, i.e. move from binary yes/no to the multi-tiered questions/answers of the current proposal.
* Show improvements with every activity introduced
* Adapt for the new scoring method
* Update questions for 4-tiers
* Review and where necessary clarify current questions
* Consider v1.1 remarks that were not withheld for the previous release
Targeted completion date: February 28, 2017

SAMM version 2.0
* Core model changed
* Visualisations + flavours for a few development methodologies
* Update quickstart guide, TB, HTG.
* Success metrics: How well does the model work: Linked to the benchmarking project.
Timing: Workshops as part of OWASP Project Summit June 2017

</div>
= Get Involved =
[[Image:OwaspSAMM.png|right]]
<div style="font-size:120%;border:none;margin: 0;color:#000">

Involvement in the development of SAMM is actively encouraged!

You do not have to be a security expert in order to contribute.

Some of the ways you can help:

==Feedback==

Please use the [https://lists.owasp.org/mailman/listinfo/samm Mailing List] for feedback:
* What do like?
* What don't you like?
* How can we make SAMM easier to use?
* How could SAMM be improved?

==Localization==

Are you fluent in another language? Can you help translate SAMM into that language?

You can use [http://crowdin.net/project/owasp-samm Crowdin] to do that!

</div>

= Project Sponsors =
[[Image:OwaspSAMM.png|right]]

<div style="font-size:120%;border:none;margin: 0;color:#000">

SAMM is developed and maintained by a worldwide team of volunteers. We have also been helped by many organizations, either financially or by encouraging their employees to work on SAMM.

==SAMM Adopters==
SAMM is the premier open source software assurance framework. You can find a list of [https://www.owasp.org/index.php/OpenSAMM_Adopters SAMM adopters] online.

==Call for SAMM2 Sponsors==
OWASP SAMM and the upcoming SAMM 2.0 release is the open source software security maturity model used to develop secure software for IT, application and software security technologists.

We are seeking sponsors to support OWASP SAMM. All proceeds from the sponsorship support the mission of the OWASP Foundation and the further development of SAMM. Supporting the project drives the funding for research grants, SAMM hosting, tools, templates, documents, promotion, and more.

By sponsoring SAMM, you not only support an important and flagship OWASP project, you will also get visibility during the next SAMM Summit (part of the OWASP Summit 2018) and recognition on the OWASP SAMM project web site and the next release of SAMM (version 2.0).

For more information: Download our [https://www.owasp.org/images/f/fb/OWASP_SAMM2_Sponsorship_Form_v20170212.pdf SAMM2 sponsorship brochure].

Contact [mailto:seba@owasp.org seba@owasp.org] to activate your sponsorship.

==== Acknowledgements ====

We would like to thank the following sponsors who donated funds to our project:

[[File:OWASP-NoVA-Chapter-Logo.PNG|250px|link=https://www.owasp.org/index.php/Virginia]]
[[File:Belgium_Chapter.PNG|250px|link=https://www.owasp.org/index.php/Belgium]]
[[File:London_Chapter.PNG|250px|link=https://www.owasp.org/index.php/London]]

[[File:Aspectsecurity.png|250px|link=http://www.aspectsecurity.com]]
[[File:Astech_Consulting_logo.png|250px|link=http://www.astechconsulting.com/]]
[[File:Denim_Group_logo.jpg|250px|link=http://www.denimgroup.com/]]
[[File:Gotham_Digital_Science_logo.jpg|250px|link=http://www.gdssecurity.com/]]

{{MemberLinksv2|link=http://www.hpenterprisesecurity.com|logo=HP_Blue_RGB_150_SM.png|size=300px90px}}
[[File:NetSPI_logo.png|250px|link=http://www.netspi.com/]]
[[Image:PwC_logo_4colourprint_(2)_Resized_good_one.jpg|150px|link=http://www.pwc.com]]
[[File:SI_Logo_Stacked_Application_Security.jpg|250px|link=http://www.securityinnovation.com/]]
[[File:LogoToreon.jpg|250px|link=http://www.toreon.com]]
[[File:Veracode-samm.png|250px|link=http://www.veracode.com]]

__NOTOC__ <headertabs></headertabs>

<br />
{{OWASP Book|6888083}}
<br />

[[Category:OWASP Project|Zed Attack Proxy Project]]
[[Category:OWASP_Tool]]
[[Category:OWASP Release Quality Tool|OWASP Release Quality Tool]]
[[Category:OWASP_Download]]
[[Category:Popular]]