OWASP - User contributions [en]

Belgium Chapter Meeting CFT

2019-09-12T13:24:56Z

Thomas Herlea: Added to the procedure the sending of bio, affiliation and contact info and the advertising of the chapter meeting.

D R A F T

= Call For Talks =

; Do you have an interesting topic about which you would like to give a talk to the OWASP Belgium community?
: We'd like to help you make that happen!

= Benefits For You =

* Increase the popularity of your project / discovery / idea etc.
* Get feedback from the audience, so you can improve your project / discovery / idea etc.
* Raise your profile in the community.
* Add to the "Talks" section of your CV.
* Practice your public speaking.
* A good feeling from giving back to the community.

= Procedure =

# You get in touch with us (the OWASP Belgium Chapter board), proposing the topic (at least title and an abstract/summary):
#* Talk to one of us at a Chapter Meeting or at another conference.
#* Send an email to '''T.B.D.'''.
# We validate your proposal and respond whether we want to pursue your idea.
# You send us the presentation material (slide deck, video clips etc.).
# We send you feedback if necessary.
# We all find a chapter meeting which would work for everybody.
# You send us more context information for publication on the wiki page of the chapter meeting:
#* Your bio;
#* Possibly your affiliation if you present on behalf of an organisation;
#* If you so desire, contact information for you and for your organisation (social media handles, web page etc.).
# We publish information about the chapter meeting, including the information you've sent us, and we advertise it.
# You come to the agreed chapter meeting and give your presentation.

= Talk Format =

* The talk should take 50 minutes, of which you should allow at least 10 minutes for questions.
* The content of the talk must not be of a commercial nature.

= Logistics =

You will bring the computer from which you will present, especially if there is a demo part. We will provide a backup computer, projector, wireless presenter / laser pointer etc.
__NOTOC__

Belgium Chapter Meeting CFT

2019-09-12T13:03:38Z

Thomas Herlea: First draft

D R A F T

= Call For Talks =

; Do you have an interesting topic about which you would like to give a talk to the OWASP Belgium community?
: We'd like to help you make that happen!

= Benefits For You =

* Increase the popularity of your project / discovery / idea etc.
* Get feedback from the audience, so you can improve your project / discovery / idea etc.
* Raise your profile in the community.
* Add to the "Talks" section of your CV.
* Practice your public speaking.
* A good feeling from giving back to the community.

= Procedure =

# You get in touch with us (the OWASP Belgium Chapter board), proposing the topic (at least title and an abstract/summary):
#* Talk to one of us at a Chapter Meeting or at another conference.
#* Send an email to '''T.B.D.'''.
# We validate your proposal and respond whether we want to pursue your idea.
# You send us the presentation material (slide deck, video clips etc.).
# We send you feedback if necessary.
# We all find a Chapter Meeting which would work for everybody.
# You come to the agreed Chapter Meeting and give your presentation.

= Talk Format =

* The talk should take 50 minutes, of which you should allow at least 10 minutes for questions.
* The content of the talk must not be of a commercial nature.

= Logistics =

You will bring the computer from which you will present, especially if there is a demo part. We will provide a backup computer, projector, wireless presenter / laser pointer etc.

__NOTOC__

User:Thomas Herlea

2019-09-12T12:11:50Z

Thomas Herlea: Call For Talks, not Call For Papers.

==== Bio ====

* Born in Romania
* Studied computers in high school and at the university
* Moved to Belgium
* Studied crypto and computer security
* Works as an InfoSec consultant:
** security governance
** secure architecture
** secure development training
** secure development lifecycle advising
** source code review
** web application penetration testing

==== OWASP Wiki links ====

* [[Belgium]] chapter page ([[Belgium Chapter Meeting Template]], [[Belgium Chapter Meeting CFT]])
* [[OWASP_Code_Review_Guide_Table_of_Contents]]
* [[OWASP_Testing_Guide_v3_Table_of_Contents]]
* [[OWASP_Secure_Coding_Practices_-_Quick_Reference_Guide]]

<headertabs />

Belgium

2019-09-12T12:06:22Z

Thomas Herlea: The same link for the second tab, now following the documentation of the Header Tabs extension.

{{Chapter Template|chaptername=Belgium|extra=The chapter leaders are [mailto:seba@owasp.org Sebastien Deleersnyder], [mailto:lieven.desmet@owasp.org Lieven Desmet] and [mailto:bart.dewin@owasp.org Bart De Win]
|mailinglistsite=http://lists.owasp.org/mailman/listinfo/owasp-belgium|emailarchives=http://lists.owasp.org/pipermail/owasp-belgium}}

= Local News =

== Upcoming Chapter Meetings ==

* OWASP Belgium presents a summit working session on OWASP SAMM in Antwerp on 30 April: Registration via https://www.eventbrite.com/e/open-security-summit-working-session-tickets-60456102831

See the {{#switchtablink:Chapter Meetings|Chapter Meetings}} tab for more details and older meetings.

== Stay in Touch ==

<center>
{| cellspacing="15"
|-
| [[Image:Meetup-logo-2x.png|120px|link=http://www.meetup.com/Belgium-OWASP-Open-Web-Application-Security-Project/]]
| [[Image:Join the list.png|150px|link=http://lists.owasp.org/mailman/listinfo/owasp-belgium]]
| [[Image:Follow-us-on-twitter.png|175px|link=https://twitter.com/owasp_be]]
| [[Image:Linkedin-button.gif|135px|link=https://www.linkedin.com/groups/37865]]
|}
</center>
If you want to be invited for the next OWASP Belgium Chapter meetings, please [http://eepurl.com/iFZtb drop us your contact info].

== Structural Sponsors 2019 ==

OWASP Belgium thanks its structural chapter supporters for 2019 and the OWASP BeNeLux Days 2018:


[[File:Vest.jpg|250px|link=http://www.vest.nl]]
[[File:DavinsiLabs.png|250px|link=https://www.davinsilabs.com]]


[[File:LogoToreon.jpg|250px|link=https://www.toreon.com]]
[[File:Nviso_logo_RGB_baseline_200px.png|250px|link=http://www.nviso.be]]
 [[File:LogoIngenicoGroup.png|250px|link=https://ingenico.be]]

If you want to support our chapter, please contact [mailto:seba@owasp.org Seba Deleersnyder]

= Chapter Meetings =

{{:Belgium_Events_2019}}

== Previous Years ==

Events held in
[[Belgium Events 2018|2018]],
[[Belgium Events 2017|2017]],
[[Belgium Events 2016|2016]],
[[Belgium Events 2015|2015]],
[[Belgium Events 2014|2014]],
[[Belgium Events 2013|2013]],
[[Belgium Events 2012|2012]],
[[Belgium Events 2011|2011]],
[[Belgium Events 2010|2010]],
[[Belgium Events 2009|2009]],
[[Belgium Events 2008|2008]],
[[Belgium Events 2007|2007]],
[[Belgium Events 2006|2006]],
[[Belgium Events 2005|2005]].

= Belgium OWASP Chapter Leaders =

The Belgium Chapter is supported by the following board:

Chapter Leaders
*Sebastien Deleersnyder, Toreon
*Lieven Desmet, KU Leuven
*Bart De Win, PWC

Board Members
*Erwin Geirnaert, Zion Security
*David Mathy, Freelance
*Adolfo Solero, Freelance
*Stella Dineva, Ingenico Payment Services
*Thomas Herlea, NVISO

Our goal is to professionalize the local OWASP functioning, provide in a bigger footprint to detect OWASP opportunities such as speakers/topics/sponsors/… and set a 5 year target on: Target audiences, Different events and Interactions of OWASP global – local projects.
__NOTOC__ <headertabs></headertabs>
[[Category:Europe]]

Belgium

2019-09-12T11:55:10Z

Thomas Herlea: New link for the second tab, as the old link didn't work for me.

{{Chapter Template|chaptername=Belgium|extra=The chapter leaders are [mailto:seba@owasp.org Sebastien Deleersnyder], [mailto:lieven.desmet@owasp.org Lieven Desmet] and [mailto:bart.dewin@owasp.org Bart De Win]
|mailinglistsite=http://lists.owasp.org/mailman/listinfo/owasp-belgium|emailarchives=http://lists.owasp.org/pipermail/owasp-belgium}}

= Local News =

== Upcoming Chapter Meetings ==

* OWASP Belgium presents a summit working session on OWASP SAMM in Antwerp on 30 April: Registration via https://www.eventbrite.com/e/open-security-summit-working-session-tickets-60456102831

See [[#Chapter_Meetings]] for more details and older meetings.

== Stay in Touch ==

<center>
{| cellspacing="15"
|-
| [[Image:Meetup-logo-2x.png|120px|link=http://www.meetup.com/Belgium-OWASP-Open-Web-Application-Security-Project/]]
| [[Image:Join the list.png|150px|link=http://lists.owasp.org/mailman/listinfo/owasp-belgium]]
| [[Image:Follow-us-on-twitter.png|175px|link=https://twitter.com/owasp_be]]
| [[Image:Linkedin-button.gif|135px|link=https://www.linkedin.com/groups/37865]]
|}
</center>
If you want to be invited for the next OWASP Belgium Chapter meetings, please [http://eepurl.com/iFZtb drop us your contact info].

== Structural Sponsors 2019 ==

OWASP Belgium thanks its structural chapter supporters for 2019 and the OWASP BeNeLux Days 2018:


[[File:Vest.jpg|250px|link=http://www.vest.nl]]
[[File:DavinsiLabs.png|250px|link=https://www.davinsilabs.com]]


[[File:LogoToreon.jpg|250px|link=https://www.toreon.com]]
[[File:Nviso_logo_RGB_baseline_200px.png|250px|link=http://www.nviso.be]]
 [[File:LogoIngenicoGroup.png|250px|link=https://ingenico.be]]

If you want to support our chapter, please contact [mailto:seba@owasp.org Seba Deleersnyder]

= Chapter Meetings =

{{:Belgium_Events_2019}}

== Previous Years ==

Events held in
[[Belgium Events 2018|2018]],
[[Belgium Events 2017|2017]],
[[Belgium Events 2016|2016]],
[[Belgium Events 2015|2015]],
[[Belgium Events 2014|2014]],
[[Belgium Events 2013|2013]],
[[Belgium Events 2012|2012]],
[[Belgium Events 2011|2011]],
[[Belgium Events 2010|2010]],
[[Belgium Events 2009|2009]],
[[Belgium Events 2008|2008]],
[[Belgium Events 2007|2007]],
[[Belgium Events 2006|2006]],
[[Belgium Events 2005|2005]].

= Belgium OWASP Chapter Leaders =

The Belgium Chapter is supported by the following board:

Chapter Leaders
*Sebastien Deleersnyder, Toreon
*Lieven Desmet, KU Leuven
*Bart De Win, PWC

Board Members
*Erwin Geirnaert, Zion Security
*David Mathy, Freelance
*Adolfo Solero, Freelance
*Stella Dineva, Ingenico Payment Services
*Thomas Herlea, NVISO

Our goal is to professionalize the local OWASP functioning, provide in a bigger footprint to detect OWASP opportunities such as speakers/topics/sponsors/… and set a 5 year target on: Target audiences, Different events and Interactions of OWASP global – local projects.
__NOTOC__ <headertabs></headertabs>
[[Category:Europe]]

User:Thomas Herlea

2019-09-12T11:49:58Z

Thomas Herlea: Added link to CFP page.

==== Bio ====

* Born in Romania
* Studied computers in high school and at the university
* Moved to Belgium
* Studied crypto and computer security
* Works as an InfoSec consultant:
** security governance
** secure architecture
** secure development training
** secure development lifecycle advising
** source code review
** web application penetration testing

==== OWASP Wiki links ====

* [[Belgium]] chapter page ([[Belgium Chapter Meeting Template]], [[Belgium Chapter Meeting CFP]])
* [[OWASP_Code_Review_Guide_Table_of_Contents]]
* [[OWASP_Testing_Guide_v3_Table_of_Contents]]
* [[OWASP_Secure_Coding_Practices_-_Quick_Reference_Guide]]

<headertabs />

Belgium Events 2019

2019-02-06T17:18:43Z

Thomas Herlea: Aligned the 2019-02-20 section to the Belgium Chapter Meeting Template.

<noinclude>
These are the 2019 events of the [[Belgium|OWASP Belgium Chapter]]. 

Previous year: [[Belgium Events 2018|2018]].

</noinclude>
== 20 February 2019 Meeting ==



=== Where ===

* Host: [https://distrinet.cs.kuleuven.be DistriNet Research Group (KU Leuven)] (Both speakers are faculty of the [https://www.secappdev.org/ Secure Application Development] course held in Leuven from 2019-02-18 to 2018-02-22.)

* Address ([http://googlemapsinterface.kuleuven.be/index.cgi?lang=N&nbol=(50.864186697481145,%204.678754210472107)&zoomlevel=17&plaatsnaam=Department+of+Computer+Science&maptype=roadmap map], [https://distrinet.cs.kuleuven.be/about/route/ directions]):
Department of Computer Science (foyer at ground floor)
Celestijnenlaan 200 A
3001 Heverlee

=== Agenda ===

*18h15 - 19h00: Welcome & sandwiches
*19h00 - 19h10:  ''OWASP Update'' by Sebastien Deleersnyder (OWASP)
*19h10 - 20h00:  ''CSP in the age of Script Gadgets'' by Prof. Martin Johns (TU Braunschweig)
*20h00 - 20h10: Break
*20h10 - 21h00:  ''Zero to DevSecOps - security in a DevOps world'' by Jimmy Mesta (CTO, Manicode Security)

=== Program ===

==== CSP in the age of Script Gadgets ====

* Speaker:  Prof. Martin Johns (TU Braunschweig)
* Presentation:  not yet available

''Abstract''

Content Security Policy (CSP) was first introduced in 2012. It should have been a silver-bullet defense against various injection attacks, including the rampant Cross-Site Scripting vulnerabilities. Unfortunately, modern development practices and legacy code bases proved to be substantial obstacles. New versions of CSP were released to address usability and compatibility for developers. Unfortunately, researchers discovered many bypasses and vulnerabilities in real-world CSP policies. The latest problem is known as script gadgets, where data is turned into code by legitimate functionality.

In this session, we will take a look at the problems you might encounter when deploying CSP. We start at CSP level 1 and work towards the latest level 3 version. We discuss CSP's features, potential bypasses, and pitfalls to avoid. In the end, you will have gained the knowledge to deploy a secure and effective CSP policy.

''Speaker Bio''

Martin Johns is a full professor at the TU Braunschweig.

==== Zero to DevSecOps - security in a DevOps world ====

* Speaker:  Jimmy Mesta (CTO, Manicode Security)
* Presentation:  not yet available

''Abstract''

The way that software is being deployed is undergoing a massive transformation. As a result, security teams are at a point where they must adapt or be left in the dust. Traditional application security used to be heavyweight and human-driven. Tasks are more often than not mostly manual efforts. Time-consuming security testing often breaks down in an automated world. Dynamic vulnerability scanning and manual code reviews are incompatible with a world where code changes are automatically being pushed to production hundreds of times per day.

This talk will share lessons learned from helping teams of all sizes and maturity levels with their transformation to a DevSecOps model where security goes from being a blocker to an enabler. Specifically, we will cover some of the tools and processes you can start using right now. These tools allow you to start adding real value to your organization through enhanced visibility, vulnerability discovery, and feedback loops. It is time to adapt and embrace a new era of security.

''Speaker Bio''

Jimmy Mesta is CTO at Manicode Security. He is a DevSecOps, Mobile, and Kubernetes Secure Coding Instructor.

=== Registration ===

Registration is via EventBrite: https://owasp-belgium-2019-02-20.eventbrite.com.

=== Coverage ===

n/a

Belgium Events 2019

2019-02-06T17:07:07Z

Thomas Herlea: Added header with links to the previous and (not yet active) the following year.

<noinclude>
These are the 2019 events of the [[Belgium|OWASP Belgium Chapter]]. 

Previous year: [[Belgium Events 2018|2018]].

</noinclude>
== 20 February 2019 Meeting ==

=== Where ===

* Host: [https://distrinet.cs.kuleuven.be DistriNet Research Group (KU Leuven)] (Both speakers are faculty of the [https://www.secappdev.org/ Secure Application Development] course held in Leuven from 2019-02-18 to 2018-02-22.)

* Address ([http://googlemapsinterface.kuleuven.be/index.cgi?lang=N&nbol=(50.864186697481145,%204.678754210472107)&zoomlevel=17&plaatsnaam=Department+of+Computer+Science&maptype=roadmap map], [https://distrinet.cs.kuleuven.be/about/route/ directions]):
Department of Computer Science (foyer at ground floor)
Celestijnenlaan 200 A
3001 Heverlee

=== Agenda ===

*18h15 - 19h00: Welcome & sandwiches
*19h00 - 19h10: '''OWASP Update''' by Sebastien Deleersnyder (OWASP)
*19h10 - 20h00: '''CSP in the age of Script Gadgets''' by Prof. Martin Johns (TU Braunschweig)
*20h00 - 20h10: Break
*20h10 - 21h00: '''Zero to DevSecOps - security in a DevOps world''' by Jimmy Mesta (CTO, Manicode Security)

=== Program ===

==== CSP in the age of Script Gadgets ====

* Speaker: Prof. Martin Johns (TU Braunschweig)
* Presentation: (will be uploaded later)

''Abstract''

Content Security Policy (CSP) was first introduced in 2012. It should have been a silver-bullet defense against various injection attacks, including the rampant Cross-Site Scripting vulnerabilities. Unfortunately, modern development practices and legacy code bases proved to be substantial obstacles. New versions of CSP were released to address usability and compatibility for developers. Unfortunately, researchers discovered many bypasses and vulnerabilities in real-world CSP policies. The latest problem is known as script gadgets, where data is turned into code by legitimate functionality.

In this session, we will take a look at the problems you might encounter when deploying CSP. We start at CSP level 1 and work towards the latest level 3 version. We discuss CSP's features, potential bypasses, and pitfalls to avoid. In the end, you will have gained the knowledge to deploy a secure and effective CSP policy.

''Speaker Bio''

Martin Johns is a full professor at the TU Braunschweig.

==== Zero to DevSecOps - security in a DevOps world ====

* Speaker: Jimmy Mesta (CTO, Manicode Security)
* Presentation: (will be uploaded later)

''Abstract''

The way that software is being deployed is undergoing a massive transformation. As a result, security teams are at a point where they must adapt or be left in the dust. Traditional application security used to be heavyweight and human-driven. Tasks are more often than not mostly manual efforts. Time-consuming security testing often breaks down in an automated world. Dynamic vulnerability scanning and manual code reviews are incompatible with a world where code changes are automatically being pushed to production hundreds of times per day.

This talk will share lessons learned from helping teams of all sizes and maturity levels with their transformation to a DevSecOps model where security goes from being a blocker to an enabler. Specifically, we will cover some of the tools and processes you can start using right now. These tools allow you to start adding real value to your organization through enhanced visibility, vulnerability discovery, and feedback loops. It is time to adapt and embrace a new era of security.

''Speaker Bio''

Jimmy Mesta is CTO at Manicode Security. He is a DevSecOps, Mobile, and Kubernetes Secure Coding Instructor.

=== Registration ===

Registration via EventBrite: https://owasp-belgium-2019-02-20.eventbrite.com.

=== Coverage ===

n/a

Belgium Events 2018

2019-02-06T17:05:26Z

Thomas Herlea: Corrected year in link

<noinclude>
These are the 2018 events of the [[Belgium|OWASP Belgium Chapter]]. 

Previous year: [[Belgium Events 2017|2017]].
Next year: [[Belgium Events 2019|2019]].
</noinclude>
== OWASP BeNeLux Days 2018 ==

This conference has its own page: [[OWASP_BeNeLux-Days_2018]].

== 23 October 2018 Meeting ==

=== Where ===

* Host: [https://securecodewarrior.com/ Secure Code Warrior]

* Address ([https://goo.gl/maps/e6Ej1v44tf32 map], [https://goo.gl/maps/UoW1EM3kbfy directions], 10 minutes walk from Brugge train station)
Baron Ruzettelaan 1
8310 Assebroek

* Parking was available under the building, open from 5 p.m., the entrance is at the back:
Vestingstraat 88
8310 Assebroek

=== Agenda ===

* 18h00 - 18h50: Welcome & pizzas
* 18h50 - 19h00: [[Media:OWASP_Belgium_update_2018-10-23_v1.pptx|OWASP Update]] by Sebastien Deleersnyder (OWASP)
* 19h00 - 19h30: [[Media:OWASP_20181023_EffectivelyDistributeSoftwareSecurityKnowledge.pdf|Effectively Distribute Software Security Knowledge]] by Pieter De Cremer and Nathan Desmet (Secure Code Warrior)
* 19h30 - 19h45: Beers from Bruges break
* 19h45 - 20h25: [[Media:OWASP_20181023_CommonAPISecurityPitfalls.pdf|Common API Security Pitfalls]] by Philippe De Ryck (Pragmatic Web Security)
* 20h25 - 22h00: Networking and more beers from Bruges

=== Program ===

==== Effectively Distribute Software Security Knowledge ====

* Speaker: [https://www.linkedin.com/in/pdcremer/ Pieter De Cremer] ([https://twitter.com/pdcremer @pdcremer]) and [https://www.linkedin.com/in/nathan-desmet-687345aa/ Nathan Desmet] (Secure Code Warrior)
* Presentation attachment: [[:File:OWASP_20181023_EffectivelyDistributeSoftwareSecurityKnowledge.pdf]]

''Abstract''

Security is still a big concern in application development, as breaches appear in the media on a regular basis. Up to 90 percent of security issues are caused by problems or oversight in the code (U.S. Department of Homeland Security, “Infosheet Software Assurance”, https://www.us-cert.gov/sites/default/files/publications/infosheet_SoftwareAssurance.pdf, last accessed 2018-05-22). They are the result of errors made by the developers. At the same time, many of these issues are well known, well-documented problems. But the security experts in charge of securing the application are understaffed with an average of less than two security experts per hundred developers (Gary McGraw, Ph.D., Sammy Migues and Jacob West, “Building Security In Maturity Model (BSIMM)”, https://www.bsimm.com/, 2018). So the problem is not a lack of knowledge on security but the distribution of it without requiring costly, unscalable communication cycles between individual developers and security experts. In this talk we will outline the goal of a new approach to improve software security, focused on distributing software security knowledge so that software engineers can effectively put it into practice with minimal impact on their daily tasks.

''Speaker Bios''

'''Pieter De Cremer''' is an R&D Engineer and Security Researcher at Secure Code Warrior, where he is responsible for researching a wide variety of application vulnerabilities and developing this into new content and coding challenges for the Secure Code Warrior platform. His passion lies in empowering developers to be the first line of defence in their organisation by making security
easy to understand.

Pieter graduated with a Masters in Computer Science Engineering from the University of Ghent and is currently completing his PhD in Secure Design Programming Aid for the Internet of Things through a personal grant from the Flemish government. When he is away from his desk, Pieter has also facilitated a number of secure coding workshops with Ghent University, Howest Bruges and Antwerp University, helping students improve their secure coding skills. His repertoire of coding languages includes C, C++, Java, Python, node and Haskell.

'''Nathan Desmet''' is the Lead Engineer at Secure Code Warrior, where he is responsible for developing Sensei, a real-time correction and coaching IDE plug-in for secure coding. His passion lies in building world-class software applications that makes an impact in the way developers build software with a focus on security.

Prior to Secure Code Warrior, Nathan has worked for NVISO where he created the Cyber Security Challenge platform, the biggest computer security competition in Belgium. Nathan also co-founded Sensei Security, and founded Applix, a software consultancy firm. His clients include SMEs in the technology and legal sector.

Nathan graduated with a degree in Computer Science from the University of Howest Bruges, majoring in Computer and Cybercrime Professional.

==== Common API Security Pitfalls ====

* Speaker: [https://twitter.com/PhilippeDeRyck Philippe De Ryck] ([https://pragmaticwebsecurity.com/ Pragmatic Web Security])
* Presentation attachment: [[:File:OWASP_20181023_CommonAPISecurityPitfalls.pdf]]

''Abstract''

The shift towards an API landscape indicates a significant evolution in the way we build applications. The rise of JavaScript and mobile applications have sparked an explosion of easily-accessible REST APIs. But how do you protect access to your API? Which security aspects are no longer relevant? Which security features are an absolutely must-have, and which additional security measures do you need to take into account?

These are hard questions, as evidenced by the deployment of numerous insecure APIs. Attend this session to find out about common API security pitfalls, that often result in compromised user accounts and unauthorized access to your data. We expose the problem that lies at the root of each of these pitfalls, and offer actionable advice to address these security problems. After this session, you will know how to assess the security of your APIs, and the best practices to improve them towards the future.

''Speaker Bio''

Philippe De Ryck is the founder of Pragmatic Web Security, where he travels the world to train developers on web security and security engineering. He holds a Ph.D. in web security from KU Leuven. Google recognizes Philippe as a Google Developer Expert for his knowledge of web security and security in Angular applications.

=== Registration ===

Registration was via EventBrite: https://owasp-belgium-2018-10-23.eventbrite.com

=== Coverage ===

n/a

== 17 September 2018 Meeting ==

=== Where ===

* Host: [https://ec.europa.eu European Commission]

* Address ([https://www.google.com/maps/place/Place+Madou+1,+1210+Saint-Josse-ten-Noode/ map], [https://www.google.com/maps/dir//Place+Madou+1,+1210+Saint-Josse-ten-Noode directions])
Place Madou, 1
1210 Saint-Josse-Ten-Noode

=== Agenda ===

* 18h00 - 18h50: Welcome & sandwiches
* 18h50 - 19h00: [https://www.owasp.org/images/9/9b/Owasp_Belgium_update_2018-09-17_v1.pptx OWASP Update] by Sebastien Deleersnyder (OWASP)
* 19h00 - 19h10: ''Intro by the EC'' by Miguel Soria Machado (Head of Sector CSIRC, DIGIT IT Security Directorate, European Commission)
* 19h10 - 20h00: [https://www.owasp.org/images/1/17/Dirk_Wetter_-_Docker_Security_Brussels.pdf Docker Threat Modeling and Top 10] by Dirk Wetter
* 20h00 - 20h10: Break
* 20h10 - 21h00: [https://www.owasp.org/images/1/1c/Securing_Containers_on_the_High_Seas_%28OWASP_Belgium_September_17-09-2018%29.pdf Securing Containers on the High Seas] by Jack Mannino (nVisium)
* 21h00 - 21h30: Networking drink

=== Program ===

==== Docker Threat Modeling and Top 10 ====

* Speaker: [https://twitter.com/drwetter Dirk Wetter]
* Presentation: https://www.owasp.org/images/1/17/Dirk_Wetter_-_Docker_Security_Brussels.pdf

''Abstract''

Docker containers offer several advantages for developers. Most notably they fit perfectly in software development processes, they enable fast, reproducible deployments and when properly done, with little change the same container can run either in a test or production environment.

Despite threatening information out there Docker offers per se also several security advantages. However it is important to make use of them and as a minimum avoid several pitfalls. In a worst case scenario this can lead otherwise to less security or the security benefits which the containment
technology offers are not being used at all.

To avoid this a proper fundamental approach is needed.

Thus this talk models first the most important threats to containerized environments out there. Based on that the speaker will present 10 security bullet points which covers:

* important Do's and Dont's,
* for advanced needs how to tighten security further.

At the end the speaker gives advice how to check your Docker and Kubernetes security status yourself.

The talk is based on practical experiences at several costumers and on the speaker's solid network and systems security expertise.

''Speaker Bio''

Dirk Wetter (Ph.D.) is an independent security consultant with more than 20 years professional experience in information security with a broad technical and information security management background.

His primary focus nowadays is around web application security. He has also a solid background on network and systems security.

He's also founder and maintainer of the open source project testssl.sh which checks the encryption of every SSL/TLS enabled service.

==== Securing Containers on the High Seas ====

* Speaker: [https://twitter.com/jack_mannino Jack Mannino] (nVisium)
* Presentation: https://www.owasp.org/images/1/1c/Securing_Containers_on_the_High_Seas_%28OWASP_Belgium_September_17-09-2018%29.pdf

''Abstract''

It can be a difficult challenge for organizations to securely migrate to containers while shifting processes and security controls. Making the move from legacy virtualization and monolithic deployments to containers requires a solid strategy. Containers offer many inherent security benefits but it’s important to build controls in beyond the containers themselves. From development through container registries and deployment to a runtime environment, it’s important to enforce security and eliminate risks as they’re introduced.

This presentation will focus on scaling container security within an enterprise and building security controls into the way you build, ship, and run containerized services. We will discuss the modern container landscape including different container runtimes and isolation models. We will explore the container lifecycle from your developer’s laptop through your production environment and examine the key security problems to mitigate.

''Speaker Bios''

Jack Mannino is the CEO of nVisium. Passionate about security and impossible to keep away from a keyboard, his expertise spans over 15 years of building, breaking, and securing software. Jack founded nVisium in 2009, and since has helped the world's largest software teams enhance security across their software portfolios. He has spoken at conferences globally on topics such as secure design, mobile application security, and cloud-native security.

=== Registration ===

Two step registration:

# Registration was via EventBrite: https://owasp-belgium-2018-09-17.eventbrite.com.
# Pre-registration of participants' ID documents, necessary for passing security checkpoint at the entrance to the site was via: https://ec.europa.eu/eusurvey/runner/OWASPBelgiumChapterMeetingSept17. The deadline for this registration was ''Sunday, September 16th midnight''.

=== Coverage ===

n/a

== 19 March 2018 Meeting ==

=== Where ===

* Host: [https://www.ing.be ING Belgium]

* Address ([https://branches.ing.be/branch/1040_bxl-non-residents map])
Cours St Michel 60
1040 Brussel

=== Agenda ===

* 18h15 - 19h00: Welcome & sandwiches
* 19h00 - 19h10: ''OWASP Update'' by Sebastien Deleersnyder (OWASP)
* 19h10 - 20h00: ''KRACKing WPA2 in Practice Using Key Reinstallation Attacks''  by Mathy Vanhoef (imec-DistriNet-KU Leuven)
* 20h00 - 20h10: Break
* 20h10 - 21h00: ''Making the web secure by design''  by Glenn Ten Cate (ING Belgium) and Riccardo Ten Cate (Xebia)
* 21h00 - 21h30: Networking drink

=== Program ===

==== KRACKing WPA2 in Practice Using Key Reinstallation Attacks ====

* Speaker: Mathy Vanhoef (imec-DistriNet-KU Leuven)
* Presentation: not yet available 

''Abstract''

This talk presents the key reinstallation attack against WPA2 (KRACK attack). It abuses design or implementation flaws in cryptographic protocols to reinstall an already-in-use key. This resets the key’s associated parameters such as transmit nonces and receive replay counters. Several cryptographic Wi-Fi handshakes are affected by the attack.

All protected Wi-Fi networks use the 4-way handshake to generate a fresh session key. So far, this 14-year-old handshake has remained free from attacks. However, we show that the 4-way handshake is vulnerable to a key reinstallation attack. Here, the adversary tricks a victim into reinstalling an already-in-use key. This is achieved by manipulating and replaying handshake messages. When reinstalling the key, associated parameters such as the incremental transmit packet number (nonce) and receive packet number (replay counter) are reset to their initial value.

The talk also discusses the vulnerability disclosure process that was followed. Since the discovery affected numerous vendors, coordinating the disclosure was non-trivial.

''Speaker Bio''

Mathy Vanhoef is a postdoctoral researcher at KU Leuven. He did his PhD on the security of WPA-TKIP, TLS, and RC4. His research interest is in computer security with a focus on wireless security (e.g. Wi-Fi), network protocols in general, the RC4 stream cipher (where he discovered the RC NOMORE attack), and software security (discovering and exploiting vulnerabilities). Currently his main research is about automatically discovering vulnerabilities in network protocol implementations, and proving the correctness of protocol implementations.

==== Making the web secure by design ====

* Speaker: Glenn Ten Cate (ING Belgium) and Riccardo Ten Cate (Xebia)
* Presentation: not yet available 

''Abstract''

Education is the first step in the Secure Software Development Lifecycle. The free OWASP Security Knowledge Framework (SKF) is intended to be a tool that is used as a guide for building and verifying secure software. It can also be used to train developers about application security. This talk will help you as a developer to become THE Neo of your development team. We will show how you can do security by design and introduce other quality gates into your development pipeline to ensure high end quality and security of your project.

''Speaker Bios''

As a coder, hacker, speaker, trainer and security researcher employed at ING Belgium, '''Glenn Ten Cate''' has over 10 years experience in the field of security. One of the founders of defensive development [defdev] a security training and conference series dedicated to helping you build and maintain secure software and also speaking at multiple other security conferences in the world. His goals is to create an open-source software development life cycle with the tools and knowledge gathered over the years.

As a penetration tester from the Netherlands employed at Xebia, '''Riccardo Ten Cate''' specialises in web-application security and has extensive knowledge in securing web applications in multiple coding languages. He is also a specialist in setting up Secure Software Development Life Cycles.

=== Registration ===

Registration was via EventBrite: https://owasp-belgium-2018-03-19.eventbrite.com.

=== Coverage ===

n/a

== 20 February 2018 Meeting ==

=== Where ===

* Host: [https://distrinet.cs.kuleuven.be DistriNet Research Group (KU Leuven)] (Both speakers are faculty of the [https://www.secappdev.org/ Secure Application Development] course held in Leuven from 2018-02-19 to 2018-02-23.)

* Address ([http://googlemapsinterface.kuleuven.be/index.cgi?lang=N&nbol=(50.864186697481145,%204.678754210472107)&zoomlevel=17&plaatsnaam=Department+of+Computer+Science&maptype=roadmap map], [https://distrinet.cs.kuleuven.be/about/route/ directions]):
Department of Computer Science (foyer at ground floor)
Celestijnenlaan 200 A
3001 Heverlee

=== Agenda ===

*18h15 - 19h00: Welcome & sandwiches
*19h00 - 19h10: [https://www.owasp.org/images/7/7a/Owasp_Belgium_update_2018-02-20_v1.pdf OWASP Update] by Sebastien Deleersnyder (OWASP)
*19h10 - 20h00: [https://schd.ws/hosted_files/secappdev2018/a9/Developer%20are%20not%20the%20enemy%20SecAppDev%20web.pdf Developers are not the enemy -- Usable Security for Experts] by Prof. Matthew Smith (University of Bonn)
*20h00 - 20h10: Break
*20h10 - 21h00: [https://schd.ws/hosted_files/secappdev2018/75/The%20code%20behind%20the%20vulnerability.pdf The Code Behind The Vulnerability] by Barry Dorrans (Microsoft)

=== Program ===

==== Developers are not the enemy -- Usable Security for Experts ====

* Speaker: Prof. Matthew Smith (University of Bonn)
* Presentation: https://schd.ws/hosted_files/secappdev2018/a9/Developer%20are%20not%20the%20enemy%20SecAppDev%20web.pdf

''Abstract''

Usability problems are a major cause of many of today's IT-security incidents. Security systems are often too complicated, time-consuming, and error prone. For more than a decade researchers in the domain of usable security (USEC) have attempted to combat these problems by conducting interdisciplinary research focusing on the root causes of the problems and on the creation of usable security mechanisms. While major improvements have been made, to date USEC research has focused almost entirely on the non-expert end-user. However, many of the most catastrophic security incidents were not caused by end-users, but by developers or administrators. Heartbleed and Shellshock were both caused by single developers yet had global consequences. The Sony hack in 2014 compromised an entire multi-national IT-infrastructure and misappropriated over 100 TB of data, unnoticed. Fundamentally, every software vulnerability and misconfigured system is caused by developers or administrators making mistakes, but very little research has been done into the underlying causalities and possible mitigation strategies. In this talk we will explore the transition from end-user to expert usable security research and look at several application areas, including TLS, passwords, malware analysis and vulnerability analysis.

''Speaker Bio''

Matthew Smith is a Professor for Usable Security and Privacy at the University of Bonn. His research is focused on human factors of security and privacy mechanisms with a wide range of application areas, including TLS and network security, authentication, mobile and app security and, most recently, usable security for developers and administrators. His work has been published at, among others, IEEE S&P, ACM CCS, USENIX Security, NDSS, ACM SIGCHI and SOUPS the Symposium on Usable Security and Privacy. In 2015 his ERC Starting Grant "Frontiers of Usable Security" was selected for funding.

==== The Code Behind The Vulnerability ====

* Speaker: Barry Dorrans (Microsoft)
* Presentation: https://schd.ws/hosted_files/secappdev2018/75/The%20code%20behind%20the%20vulnerability.pdf

''Abstract''

Everyone makes security mistakes, and that includes Microsoft (seriously!). Many developers can spot and prevent vulnerabilities listed in the OWASP top 10. But that narrative changes when we look beyond the scope of the OWASP top 10. Compared to some more recent attacks, fixing XSS or SQL injection almost seems easy. In this session, we dive into a couple of .NET core cases that have been reported to the Microsoft Security Response Center (MSRC). Mind you; these vulnerabilities are not just framework vulnerabilities. Instead, they are coding patterns that you may have introduced in your applications. Examples are issues with hash tables, compression, encryption, regular expressions and more. In this session, you will learn how to spot these vulnerabilities in your code. On top of that, you will walk away with the skills to fix them.

''Speaker Bio''

Barry Dorrans is the .NET Security Czar, which means he tries to tell everyone else how to code securely and taking the credit when it goes right, as well as running the .NET Core Bug Bounty. He also ends up triaging publicly and privately reported vulnerabilities when it goes wrong before getting someone else to fix the mistakes. This he gets all the fun and none of the real work, aside from the endless stress wondering when the next vulnerability will be discovered.

=== Registration ===

Registration was via EventBrite: https://owasp-belgium-2018-02-20.eventbrite.com.

=== Coverage ===

n/a

Belgium Events 2018

2019-02-06T17:04:21Z

Thomas Herlea: Added link to the following year.

<noinclude>
These are the 2018 events of the [[Belgium|OWASP Belgium Chapter]]. 

Previous year: [[Belgium Events 2017|2017]].
Next year: [[Belgium Events 2018|2018]].
</noinclude>
== OWASP BeNeLux Days 2018 ==

This conference has its own page: [[OWASP_BeNeLux-Days_2018]].

== 23 October 2018 Meeting ==

=== Where ===

* Host: [https://securecodewarrior.com/ Secure Code Warrior]

* Address ([https://goo.gl/maps/e6Ej1v44tf32 map], [https://goo.gl/maps/UoW1EM3kbfy directions], 10 minutes walk from Brugge train station)
Baron Ruzettelaan 1
8310 Assebroek

* Parking was available under the building, open from 5 p.m., the entrance is at the back:
Vestingstraat 88
8310 Assebroek

=== Agenda ===

* 18h00 - 18h50: Welcome & pizzas
* 18h50 - 19h00: [[Media:OWASP_Belgium_update_2018-10-23_v1.pptx|OWASP Update]] by Sebastien Deleersnyder (OWASP)
* 19h00 - 19h30: [[Media:OWASP_20181023_EffectivelyDistributeSoftwareSecurityKnowledge.pdf|Effectively Distribute Software Security Knowledge]] by Pieter De Cremer and Nathan Desmet (Secure Code Warrior)
* 19h30 - 19h45: Beers from Bruges break
* 19h45 - 20h25: [[Media:OWASP_20181023_CommonAPISecurityPitfalls.pdf|Common API Security Pitfalls]] by Philippe De Ryck (Pragmatic Web Security)
* 20h25 - 22h00: Networking and more beers from Bruges

=== Program ===

==== Effectively Distribute Software Security Knowledge ====

* Speaker: [https://www.linkedin.com/in/pdcremer/ Pieter De Cremer] ([https://twitter.com/pdcremer @pdcremer]) and [https://www.linkedin.com/in/nathan-desmet-687345aa/ Nathan Desmet] (Secure Code Warrior)
* Presentation attachment: [[:File:OWASP_20181023_EffectivelyDistributeSoftwareSecurityKnowledge.pdf]]

''Abstract''

Security is still a big concern in application development, as breaches appear in the media on a regular basis. Up to 90 percent of security issues are caused by problems or oversight in the code (U.S. Department of Homeland Security, “Infosheet Software Assurance”, https://www.us-cert.gov/sites/default/files/publications/infosheet_SoftwareAssurance.pdf, last accessed 2018-05-22). They are the result of errors made by the developers. At the same time, many of these issues are well known, well-documented problems. But the security experts in charge of securing the application are understaffed with an average of less than two security experts per hundred developers (Gary McGraw, Ph.D., Sammy Migues and Jacob West, “Building Security In Maturity Model (BSIMM)”, https://www.bsimm.com/, 2018). So the problem is not a lack of knowledge on security but the distribution of it without requiring costly, unscalable communication cycles between individual developers and security experts. In this talk we will outline the goal of a new approach to improve software security, focused on distributing software security knowledge so that software engineers can effectively put it into practice with minimal impact on their daily tasks.

''Speaker Bios''

'''Pieter De Cremer''' is an R&D Engineer and Security Researcher at Secure Code Warrior, where he is responsible for researching a wide variety of application vulnerabilities and developing this into new content and coding challenges for the Secure Code Warrior platform. His passion lies in empowering developers to be the first line of defence in their organisation by making security
easy to understand.

Pieter graduated with a Masters in Computer Science Engineering from the University of Ghent and is currently completing his PhD in Secure Design Programming Aid for the Internet of Things through a personal grant from the Flemish government. When he is away from his desk, Pieter has also facilitated a number of secure coding workshops with Ghent University, Howest Bruges and Antwerp University, helping students improve their secure coding skills. His repertoire of coding languages includes C, C++, Java, Python, node and Haskell.

'''Nathan Desmet''' is the Lead Engineer at Secure Code Warrior, where he is responsible for developing Sensei, a real-time correction and coaching IDE plug-in for secure coding. His passion lies in building world-class software applications that makes an impact in the way developers build software with a focus on security.

Prior to Secure Code Warrior, Nathan has worked for NVISO where he created the Cyber Security Challenge platform, the biggest computer security competition in Belgium. Nathan also co-founded Sensei Security, and founded Applix, a software consultancy firm. His clients include SMEs in the technology and legal sector.

Nathan graduated with a degree in Computer Science from the University of Howest Bruges, majoring in Computer and Cybercrime Professional.

==== Common API Security Pitfalls ====

* Speaker: [https://twitter.com/PhilippeDeRyck Philippe De Ryck] ([https://pragmaticwebsecurity.com/ Pragmatic Web Security])
* Presentation attachment: [[:File:OWASP_20181023_CommonAPISecurityPitfalls.pdf]]

''Abstract''

The shift towards an API landscape indicates a significant evolution in the way we build applications. The rise of JavaScript and mobile applications have sparked an explosion of easily-accessible REST APIs. But how do you protect access to your API? Which security aspects are no longer relevant? Which security features are an absolutely must-have, and which additional security measures do you need to take into account?

These are hard questions, as evidenced by the deployment of numerous insecure APIs. Attend this session to find out about common API security pitfalls, that often result in compromised user accounts and unauthorized access to your data. We expose the problem that lies at the root of each of these pitfalls, and offer actionable advice to address these security problems. After this session, you will know how to assess the security of your APIs, and the best practices to improve them towards the future.

''Speaker Bio''

Philippe De Ryck is the founder of Pragmatic Web Security, where he travels the world to train developers on web security and security engineering. He holds a Ph.D. in web security from KU Leuven. Google recognizes Philippe as a Google Developer Expert for his knowledge of web security and security in Angular applications.

=== Registration ===

Registration was via EventBrite: https://owasp-belgium-2018-10-23.eventbrite.com

=== Coverage ===

n/a

== 17 September 2018 Meeting ==

=== Where ===

* Host: [https://ec.europa.eu European Commission]

* Address ([https://www.google.com/maps/place/Place+Madou+1,+1210+Saint-Josse-ten-Noode/ map], [https://www.google.com/maps/dir//Place+Madou+1,+1210+Saint-Josse-ten-Noode directions])
Place Madou, 1
1210 Saint-Josse-Ten-Noode

=== Agenda ===

* 18h00 - 18h50: Welcome & sandwiches
* 18h50 - 19h00: [https://www.owasp.org/images/9/9b/Owasp_Belgium_update_2018-09-17_v1.pptx OWASP Update] by Sebastien Deleersnyder (OWASP)
* 19h00 - 19h10: ''Intro by the EC'' by Miguel Soria Machado (Head of Sector CSIRC, DIGIT IT Security Directorate, European Commission)
* 19h10 - 20h00: [https://www.owasp.org/images/1/17/Dirk_Wetter_-_Docker_Security_Brussels.pdf Docker Threat Modeling and Top 10] by Dirk Wetter
* 20h00 - 20h10: Break
* 20h10 - 21h00: [https://www.owasp.org/images/1/1c/Securing_Containers_on_the_High_Seas_%28OWASP_Belgium_September_17-09-2018%29.pdf Securing Containers on the High Seas] by Jack Mannino (nVisium)
* 21h00 - 21h30: Networking drink

=== Program ===

==== Docker Threat Modeling and Top 10 ====

* Speaker: [https://twitter.com/drwetter Dirk Wetter]
* Presentation: https://www.owasp.org/images/1/17/Dirk_Wetter_-_Docker_Security_Brussels.pdf

''Abstract''

Docker containers offer several advantages for developers. Most notably they fit perfectly in software development processes, they enable fast, reproducible deployments and when properly done, with little change the same container can run either in a test or production environment.

Despite threatening information out there Docker offers per se also several security advantages. However it is important to make use of them and as a minimum avoid several pitfalls. In a worst case scenario this can lead otherwise to less security or the security benefits which the containment
technology offers are not being used at all.

To avoid this a proper fundamental approach is needed.

Thus this talk models first the most important threats to containerized environments out there. Based on that the speaker will present 10 security bullet points which covers:

* important Do's and Dont's,
* for advanced needs how to tighten security further.

At the end the speaker gives advice how to check your Docker and Kubernetes security status yourself.

The talk is based on practical experiences at several costumers and on the speaker's solid network and systems security expertise.

''Speaker Bio''

Dirk Wetter (Ph.D.) is an independent security consultant with more than 20 years professional experience in information security with a broad technical and information security management background.

His primary focus nowadays is around web application security. He has also a solid background on network and systems security.

He's also founder and maintainer of the open source project testssl.sh which checks the encryption of every SSL/TLS enabled service.

==== Securing Containers on the High Seas ====

* Speaker: [https://twitter.com/jack_mannino Jack Mannino] (nVisium)
* Presentation: https://www.owasp.org/images/1/1c/Securing_Containers_on_the_High_Seas_%28OWASP_Belgium_September_17-09-2018%29.pdf

''Abstract''

It can be a difficult challenge for organizations to securely migrate to containers while shifting processes and security controls. Making the move from legacy virtualization and monolithic deployments to containers requires a solid strategy. Containers offer many inherent security benefits but it’s important to build controls in beyond the containers themselves. From development through container registries and deployment to a runtime environment, it’s important to enforce security and eliminate risks as they’re introduced.

This presentation will focus on scaling container security within an enterprise and building security controls into the way you build, ship, and run containerized services. We will discuss the modern container landscape including different container runtimes and isolation models. We will explore the container lifecycle from your developer’s laptop through your production environment and examine the key security problems to mitigate.

''Speaker Bios''

Jack Mannino is the CEO of nVisium. Passionate about security and impossible to keep away from a keyboard, his expertise spans over 15 years of building, breaking, and securing software. Jack founded nVisium in 2009, and since has helped the world's largest software teams enhance security across their software portfolios. He has spoken at conferences globally on topics such as secure design, mobile application security, and cloud-native security.

=== Registration ===

Two step registration:

# Registration was via EventBrite: https://owasp-belgium-2018-09-17.eventbrite.com.
# Pre-registration of participants' ID documents, necessary for passing security checkpoint at the entrance to the site was via: https://ec.europa.eu/eusurvey/runner/OWASPBelgiumChapterMeetingSept17. The deadline for this registration was ''Sunday, September 16th midnight''.

=== Coverage ===

n/a

== 19 March 2018 Meeting ==

=== Where ===

* Host: [https://www.ing.be ING Belgium]

* Address ([https://branches.ing.be/branch/1040_bxl-non-residents map])
Cours St Michel 60
1040 Brussel

=== Agenda ===

* 18h15 - 19h00: Welcome & sandwiches
* 19h00 - 19h10: ''OWASP Update'' by Sebastien Deleersnyder (OWASP)
* 19h10 - 20h00: ''KRACKing WPA2 in Practice Using Key Reinstallation Attacks''  by Mathy Vanhoef (imec-DistriNet-KU Leuven)
* 20h00 - 20h10: Break
* 20h10 - 21h00: ''Making the web secure by design''  by Glenn Ten Cate (ING Belgium) and Riccardo Ten Cate (Xebia)
* 21h00 - 21h30: Networking drink

=== Program ===

==== KRACKing WPA2 in Practice Using Key Reinstallation Attacks ====

* Speaker: Mathy Vanhoef (imec-DistriNet-KU Leuven)
* Presentation: not yet available 

''Abstract''

This talk presents the key reinstallation attack against WPA2 (KRACK attack). It abuses design or implementation flaws in cryptographic protocols to reinstall an already-in-use key. This resets the key’s associated parameters such as transmit nonces and receive replay counters. Several cryptographic Wi-Fi handshakes are affected by the attack.

All protected Wi-Fi networks use the 4-way handshake to generate a fresh session key. So far, this 14-year-old handshake has remained free from attacks. However, we show that the 4-way handshake is vulnerable to a key reinstallation attack. Here, the adversary tricks a victim into reinstalling an already-in-use key. This is achieved by manipulating and replaying handshake messages. When reinstalling the key, associated parameters such as the incremental transmit packet number (nonce) and receive packet number (replay counter) are reset to their initial value.

The talk also discusses the vulnerability disclosure process that was followed. Since the discovery affected numerous vendors, coordinating the disclosure was non-trivial.

''Speaker Bio''

Mathy Vanhoef is a postdoctoral researcher at KU Leuven. He did his PhD on the security of WPA-TKIP, TLS, and RC4. His research interest is in computer security with a focus on wireless security (e.g. Wi-Fi), network protocols in general, the RC4 stream cipher (where he discovered the RC NOMORE attack), and software security (discovering and exploiting vulnerabilities). Currently his main research is about automatically discovering vulnerabilities in network protocol implementations, and proving the correctness of protocol implementations.

==== Making the web secure by design ====

* Speaker: Glenn Ten Cate (ING Belgium) and Riccardo Ten Cate (Xebia)
* Presentation: not yet available 

''Abstract''

Education is the first step in the Secure Software Development Lifecycle. The free OWASP Security Knowledge Framework (SKF) is intended to be a tool that is used as a guide for building and verifying secure software. It can also be used to train developers about application security. This talk will help you as a developer to become THE Neo of your development team. We will show how you can do security by design and introduce other quality gates into your development pipeline to ensure high end quality and security of your project.

''Speaker Bios''

As a coder, hacker, speaker, trainer and security researcher employed at ING Belgium, '''Glenn Ten Cate''' has over 10 years experience in the field of security. One of the founders of defensive development [defdev] a security training and conference series dedicated to helping you build and maintain secure software and also speaking at multiple other security conferences in the world. His goals is to create an open-source software development life cycle with the tools and knowledge gathered over the years.

As a penetration tester from the Netherlands employed at Xebia, '''Riccardo Ten Cate''' specialises in web-application security and has extensive knowledge in securing web applications in multiple coding languages. He is also a specialist in setting up Secure Software Development Life Cycles.

=== Registration ===

Registration was via EventBrite: https://owasp-belgium-2018-03-19.eventbrite.com.

=== Coverage ===

n/a

== 20 February 2018 Meeting ==

=== Where ===

* Host: [https://distrinet.cs.kuleuven.be DistriNet Research Group (KU Leuven)] (Both speakers are faculty of the [https://www.secappdev.org/ Secure Application Development] course held in Leuven from 2018-02-19 to 2018-02-23.)

* Address ([http://googlemapsinterface.kuleuven.be/index.cgi?lang=N&nbol=(50.864186697481145,%204.678754210472107)&zoomlevel=17&plaatsnaam=Department+of+Computer+Science&maptype=roadmap map], [https://distrinet.cs.kuleuven.be/about/route/ directions]):
Department of Computer Science (foyer at ground floor)
Celestijnenlaan 200 A
3001 Heverlee

=== Agenda ===

*18h15 - 19h00: Welcome & sandwiches
*19h00 - 19h10: [https://www.owasp.org/images/7/7a/Owasp_Belgium_update_2018-02-20_v1.pdf OWASP Update] by Sebastien Deleersnyder (OWASP)
*19h10 - 20h00: [https://schd.ws/hosted_files/secappdev2018/a9/Developer%20are%20not%20the%20enemy%20SecAppDev%20web.pdf Developers are not the enemy -- Usable Security for Experts] by Prof. Matthew Smith (University of Bonn)
*20h00 - 20h10: Break
*20h10 - 21h00: [https://schd.ws/hosted_files/secappdev2018/75/The%20code%20behind%20the%20vulnerability.pdf The Code Behind The Vulnerability] by Barry Dorrans (Microsoft)

=== Program ===

==== Developers are not the enemy -- Usable Security for Experts ====

* Speaker: Prof. Matthew Smith (University of Bonn)
* Presentation: https://schd.ws/hosted_files/secappdev2018/a9/Developer%20are%20not%20the%20enemy%20SecAppDev%20web.pdf

''Abstract''

Usability problems are a major cause of many of today's IT-security incidents. Security systems are often too complicated, time-consuming, and error prone. For more than a decade researchers in the domain of usable security (USEC) have attempted to combat these problems by conducting interdisciplinary research focusing on the root causes of the problems and on the creation of usable security mechanisms. While major improvements have been made, to date USEC research has focused almost entirely on the non-expert end-user. However, many of the most catastrophic security incidents were not caused by end-users, but by developers or administrators. Heartbleed and Shellshock were both caused by single developers yet had global consequences. The Sony hack in 2014 compromised an entire multi-national IT-infrastructure and misappropriated over 100 TB of data, unnoticed. Fundamentally, every software vulnerability and misconfigured system is caused by developers or administrators making mistakes, but very little research has been done into the underlying causalities and possible mitigation strategies. In this talk we will explore the transition from end-user to expert usable security research and look at several application areas, including TLS, passwords, malware analysis and vulnerability analysis.

''Speaker Bio''

Matthew Smith is a Professor for Usable Security and Privacy at the University of Bonn. His research is focused on human factors of security and privacy mechanisms with a wide range of application areas, including TLS and network security, authentication, mobile and app security and, most recently, usable security for developers and administrators. His work has been published at, among others, IEEE S&P, ACM CCS, USENIX Security, NDSS, ACM SIGCHI and SOUPS the Symposium on Usable Security and Privacy. In 2015 his ERC Starting Grant "Frontiers of Usable Security" was selected for funding.

==== The Code Behind The Vulnerability ====

* Speaker: Barry Dorrans (Microsoft)
* Presentation: https://schd.ws/hosted_files/secappdev2018/75/The%20code%20behind%20the%20vulnerability.pdf

''Abstract''

Everyone makes security mistakes, and that includes Microsoft (seriously!). Many developers can spot and prevent vulnerabilities listed in the OWASP top 10. But that narrative changes when we look beyond the scope of the OWASP top 10. Compared to some more recent attacks, fixing XSS or SQL injection almost seems easy. In this session, we dive into a couple of .NET core cases that have been reported to the Microsoft Security Response Center (MSRC). Mind you; these vulnerabilities are not just framework vulnerabilities. Instead, they are coding patterns that you may have introduced in your applications. Examples are issues with hash tables, compression, encryption, regular expressions and more. In this session, you will learn how to spot these vulnerabilities in your code. On top of that, you will walk away with the skills to fix them.

''Speaker Bio''

Barry Dorrans is the .NET Security Czar, which means he tries to tell everyone else how to code securely and taking the credit when it goes right, as well as running the .NET Core Bug Bounty. He also ends up triaging publicly and privately reported vulnerabilities when it goes wrong before getting someone else to fix the mistakes. This he gets all the fun and none of the real work, aside from the endless stress wondering when the next vulnerability will be discovered.

=== Registration ===

Registration was via EventBrite: https://owasp-belgium-2018-02-20.eventbrite.com.

=== Coverage ===

n/a

Belgium

2018-12-04T20:53:54Z

Thomas Herlea: Updated the sponsors set following clarification by User:Sdeleersnyder.

{{Chapter Template|chaptername=Belgium|extra=The chapter leaders are [mailto:seba@owasp.org Sebastien Deleersnyder], [mailto:lieven.desmet@owasp.org Lieven Desmet] and [mailto:bart.dewin@owasp.org Bart De Win]
|mailinglistsite=http://lists.owasp.org/mailman/listinfo/owasp-belgium|emailarchives=http://lists.owasp.org/pipermail/owasp-belgium}}

= Local News =

== OWASP BeNeLux Days ==

* Our latest event, [[OWASP BeNeLux-Days 2018|OWASP BeNeLux Days]], took place on 29-30 November in the LAMOT conference center in Mechelen, Belgium.

== Upcoming Chapter Meetings ==

* The next chapter meeting will be in January 2019.

See https://www.owasp.org/index.php/Belgium#Chapter_Meetings for more details and older meetings.

== Stay in Touch ==

<center>
{| cellspacing="15"
|-
| [[Image:Meetup-logo-2x.png|120px|link=http://www.meetup.com/Belgium-OWASP-Open-Web-Application-Security-Project/]]
| [[Image:Join the list.png|150px|link=http://lists.owasp.org/mailman/listinfo/owasp-belgium]]
| [[Image:Follow-us-on-twitter.png|175px|link=https://twitter.com/owasp_be]]
| [[Image:Linkedin-button.gif|135px|link=https://www.linkedin.com/groups/37865]]
|}
</center>
If you want to be invited for the next OWASP Belgium Chapter meetings, please [http://eepurl.com/iFZtb drop us your contact info].

== Structural Sponsors 2019 ==

OWASP Belgium thanks its structural chapter supporters for 2019 and the OWASP BeNeLux Days 2018:


[[File:Vest.jpg|250px|link=http://www.vest.nl]]
[[File:DavinsiLabs.png|250px|link=https://www.davinsilabs.com]]


[[File:LogoToreon.jpg|250px|link=https://www.toreon.com]]
[[File:Nviso_logo_RGB_baseline_200px.png|250px|link=http://www.nviso.be]]
 [[File:LogoIngenicoGroup.png|250px|link=https://ingenico.be]]

If you want to support our chapter, please contact [mailto:seba@owasp.org Seba Deleersnyder]

= Chapter Meetings =

{{:Belgium_Events_2018}}

== Previous Years ==

Events held in
[[Belgium Events 2017|2017]],
[[Belgium Events 2016|2016]],
[[Belgium Events 2015|2015]],
[[Belgium Events 2014|2014]],
[[Belgium Events 2013|2013]],
[[Belgium Events 2012|2012]],
[[Belgium Events 2011|2011]],
[[Belgium Events 2010|2010]],
[[Belgium Events 2009|2009]],
[[Belgium Events 2008|2008]],
[[Belgium Events 2007|2007]],
[[Belgium Events 2006|2006]],
[[Belgium Events 2005|2005]].

= Belgium OWASP Chapter Leaders =

The Belgium Chapter is supported by the following board:

Chapter Leaders
*Sebastien Deleersnyder, Toreon
*Lieven Desmet, KU Leuven
*Bart De Win, PWC

Board Members
*Erwin Geirnaert, Zion Security
*David Mathy, Freelance
*Adolfo Solero, Freelance
*Stella Dineva, Ingenico Payment Services
*Thomas Herlea, NVISO

Our goal is to professionalize the local OWASP functioning, provide in a bigger footprint to detect OWASP opportunities such as speakers/topics/sponsors/… and set a 5 year target on: Target audiences, Different events and Interactions of OWASP global – local projects.
__NOTOC__ <headertabs></headertabs>
[[Category:Europe]]

Luxembourg

2018-12-04T20:49:16Z

Thomas Herlea: Updated sponsor logos following OWASP BeNeLux Days 2018.

{{Chapter Template|chaptername=Luxembourg|extra=The chapter leader is [mailto:jocelyn.aubert@owasp.org Jocelyn Aubert]|mailinglistsite=http://lists.owasp.org/mailman/listinfo/owasp-luxemburg|emailarchives=http://lists.owasp.org/pipermail/owasp-luxemburg/}}

<paypal>Luxembourg</paypal>

== Local News ==

Join our [http://www.linkedin.com/groups?gid=1781989&trk=anetsrch_name&goback=.gdr_1238414238580_1 LinkedIn group]!

=== OWASP BeNeLux Day 2017 ===

We are proud to announce the dates of the next edition of BeNeLux OWASP Day! The event will take place on 23 (trainings) and 24 (conference) November 2017, in Tilburg - The Netherlands.

See [[OWASP_BeNeLux-Day_2017]] for more details.

=== OWASP BeNeLux Day 2016 - II ===

We are proud to announce the dates of the next edition of BeNeLux OWASP Day! The event will take place on 24 (trainings) and 25 (conference) November 2016, in Leuven - Belgium.

See [[BeNeLux OWASP Day 2016-2]] for more details.

=== OWASP BeNeLux Day, March 17 & 18, 2016 in Esch-sur-Alzette, Luxembourg ===

We are proud to announce that like in 2011, the OWASP BeNeLux Day will be held in Belval Campus, Esch-sur-Alzette, Luxembourg.
More information on [http://www.owaspbenelux.eu www.owaspbenelux.eu]!

=== OWASP AppSecEU 2015, 19-22 May 2015, Amsterdam, The Netherlands ===
The Luxembourg chapter is co-organizing together with Belgium and Netherlands chapters this amazing conference to be held in Amsterdam this spring!
More information on the [http://2015.appsec.eu conference website.]

Hope to see you there!

=== French translation of Top Ten ===
The Luxembourg chapter, in collaboration with other volunteers (French and Swiss) is currently involved in the French translation of the OWASP Top Ten for 2013 (available in release candidate here: [http://owasptop10.googlecode.com/files/OWASP%20Top%2010%20-%202013%20-%20RC1.pdf OWASP Top 10 - 2013 - Release Candidate]).

The final version of Top Ten should be available in May, and the French version should be available a few days after the release of the original version.
The document is usually translated into different languages (German, Spanish, Italian, Chinese, etc.)

People potentially interested to contribute to the German translation, can contact the [[OWASP_German_Language_Project]].

=== OWASP BeNeLux Day 2011, December 1st & 2nd 2011 @ University of Luxembourg ===

We are proud to announce that OWASP BeNeLux Day 2011 will take place on December 1st & 2nd 2011 at the University of Luxembourg.

*'''December 1st 2011: Training Day'''

OWASP Training: Secure Application Development, by Eoin Keary This intensive one-day training focuses on the most common web application security problems, including aspects of both the OWASP Top Ten (2010) and the MITRE Top 25. The training will introduce and demonstrate application assessment techniques, illustrating how application vulnerabilities can be exploited so students really understand how to avoid introducing such vulnerabilities in their code

 

*'''December 2nd 2011: Conference Day'''

List of confirmed speakers (more to be announced soon):

*Brenno De Winter (Journalist) on the Diginotar story
*Koen Vanderloock (Lead Security Competence Group at Cegeka) on the new OWASP Simba project
*Justin Clarke (Director and Co-Founder of Gotham Digital Science Ltd) on practical crypto attacks against web applications
*Lieven Desmet (Research Manager at University Leuven) on HTML5 security
*Andrey Belenko (Chief Security Researcher at ElcomSoft Co. Ltd) on iOS data protection internals
*Alexandre Dulaunoy (Incident Management - Security Research at CIRCL) on dynamic malware analysis
*Ludovic Petit (Group Fraud & Information Security Adviser at SFR, Vodafone Group) on WebApp Security and legal and regulatory aspects
*Seba Deleersnyder & Eoin Keary (OWASP Board) on OWASP Update

 For more information and updates, please check out [http://www.owaspbenelux.eu/ www.owaspbenelux.eu]

Interested in sponsoring the event and the Luxembourg Chapter in 2012? Please contact Jocelyn Aubert (Jocelyn.Aubert[at]owasp.org)! 

 

=== OWASP @ [http://www.yajug.org/ YAJUG] (Java User Group, Luxembourg) ===

The Luxembourg Chapter will participate to the next YAJUG (Java User Group, Luxembourg) event:

'''YAJUG - How to Secure your Java Applications''' ''Wednesday, May 27th 2009 - 17:45''

[http://www.tudor.lu Centre de Recherche Public Henri Tudor] - 29, avenue John F. Kennedy - L-1855 Luxembourg-Kirchberg

Agenda:

*17h45 - Welcome and registration
*18h00 - Introduction to Cryptography with JCA and JCE, Sébastien Stormacq, Sun Microsystems (French, slides in English)
*19h15 - [http://www.owasp.org/images/b/bb/2009-05-27_owasp%40yajug.ppt OWASP Top 10 Security Breaches for Java Web Applications], Jocelyn Aubert, OWASP-LU (French, slides in English)
*20h30 - Drink

The whole program is available on [http://www.yajug.org/confluence/display/Public/Future+Events YAJUG website].

'''Note:''' This event is NOT an OWASP event! You have to register on YAJUG website (fee: 40 euros).

=== OWASP @ [http://www.c3l.lu/ C3L] (Chaos Computer Club Lëtzebuerg) ===

''Monday, April 6th 2009'' - 20:00 (...until late in the night)

Brasserie [http://www.seppl.lu/ Seppl] (Club-Room) - Luxembourg-Limpertsberg

Agenda:

*15 minutes intro OWASP Luxembourg Chapter
*remaining time - Technical Chaos regarding OWASP

== Chapter Board ==

The Luxembourg chapter is supported by the following board:

*ADELSBACH André
*AUBERT Jocelyn
*DULAUNOY Alexandre
*RIGHETTO Dominique
*STEICHEN Pascal
*ZOLLER Thierry

== Chapter Sponsors ==
OWASP Luxembourg thanks its structural chapter supporters from OWASP BeNeLux Days 2018: 
<center>
[[File:Vest.jpg|250px|link=http://www.vest.nl]]
[[File:DavinsiLabs.png|250px|link=https://www.davinsilabs.com]]


</center>
[[Category:Europe]]

OWASP BeNeLux-Days 2018

2018-12-04T20:44:52Z

Thomas Herlea: Switched sponsor logos from generic link syntax to the syntax for MediaWiki resources.

<center>[[Image:OBNL18 Banner v2.png]]</center>

 


= Information =

== Confirmed Conference Speakers ==



* David Scrobonia
* Niels Tanis
* Jeroen Willemsen
* Björn Kimminich
* Ralph Moonen
* Jo Van Bulck
* Lennert Wouters
* Nick Drage


== Confirmed Trainers ==


* Andrew Martin
* David Scrobonia
* Jeroen Beckers - Stephanie Vanroelen



== OWASP BeNeLux conference is free, but registration is required! ==

[[image:Register_now_red.png|link=https://owasp-benelux-day-2018.eventbrite.com |alt=Register NOW! | Register NOW! ]]

'''To support the OWASP organisation, consider to become a member, it's only US$50! Check out the [[Membership]] page to find out more.'''
 

== The OWASP BeNeLux Program Committee ==

* Sebastien Deleersnyder / Lieven Desmet / David Mathy / Thomas Herlea / Stella Dineva / Adolfo Solero / Bart De Win, [[Belgium|OWASP Belgium]]
* Martin Knobloch / Joren Poll / Edwin Gozeling, [[Netherlands|OWASP Netherlands]]
* [[Luxembourg|OWASP Luxembourg]]

== Tweet! ==

Event tag is [http://twitter.com/#search?q=%23owaspbnl17 #owaspbnl18]

== Donate to OWASP BeNeLux ==

[https://co.clickandpledge.com/?wid=72689 Donate]


= Registration =

== OWASP BeNeLux conference and training days are free, but registration is required! ==

[[image:Register_now_red.png|link=https://owasp-benelux-day-2018.eventbrite.com |alt=Register NOW! | Register NOW! ]]

'''To support the OWASP organisation, consider to become a member, it's only US$50! Check out the [[Membership]] page to find out more.'''



= Venue =

== Address ==

<table width="100%">
<tr valign="top">
<td width="50%">
=== Training venue ===

'''Novotel Mechelen Centrum'''
Van Beethovenstraat 1
2800 Mechelen
Belgium

[https://goo.gl/maps/WxErtbWADqC2 Google maps]
</td>
<td width="50%">
=== Conference venue ===

'''Congres- en Erfgoedcentrum Lamot'''
Van Beethovenstraat 8-10
2800 Mechelen
Belgium

[https://goo.gl/maps/gZ9icR178w52 Google map]

</td>
</tr>
</table>
 
[[File:Mechelen-Lamot.jpg|350px|Lamot conference center]]
[[File:Mechelen-lamot-center-auditorium.jpg|350px|Auditorium]] 

Parking: 
[[File:Parking lots around Lamot Conference center Mechelen.png|500px|Parking facilities]] 
[https://goo.gl/maps/Q5TD7hoTuUu Find your parking on Google Maps]

=== How to reach the venue? ===

==== Public transport ====

You can reach the Mechelen's train station from Antwerpen or Brussels.
The Lamot conference center is 10 min away by bus (line 1).

Or you can choose to walk for 15 min (1.2 km).

==== By car ====

===== From Brussels: =====
Follow the E19 Brussels / Antwerpen and take the exit 10. Follow the N1 until the R12 (take a left) and turn to the right at the "Brusselpoort" into the Hoogstraat to reach one of the parkings.

===== From Antwerpen: =====
Follow the E19 Brussels / Antwerpen and take the exit 9. Follow the N16 until the R12 (take a right) and turn to the left at the "Brusselpoort" into the Hoogstraat to reach one of the parkings.

=== Hotels Nearby ===
[https://www.google.com/maps/d/viewer?mid=1eYMYmwXKuAsTilKgpAtyYtfMA7A&ll=51.02648134397288%2C4.47819800000002&z=15 Hotels around the Lamot conference center]



= Training Day =

'''Training Day is November 29th'''

== Training Venue ==

The trainings will take place in the '''Novotel Mechelen Centrum''' hotel: 
Van Beethovenstraat 1 
2800 Mechelen 
[https://goo.gl/maps/WxErtbWADqC2 Google maps]

== Agenda==

{| class="wikitable"
! Time !! Description !! Training 1 !! Training 2 !! Training 3
|-
! !! !! (Hof van Busleyden 1) !! (Hof van Busleyden 2) !! (Hof van Kamerijk)
|-
| 08h30 - 9h30
| style="text-align: center; background: grey; color: white;" colspan="5" | ''Registration''
|-
| 09h30 - 11h00 || Training
| style="width:100px;" rowspan="7" | [[#TRAINING_1 | Kubernetes security]] by Andrew Martin
| style="width:100px;" rowspan="7" | [[#TRAINING_2 | OWASP Zap Training]] by David Scrobonia
| style="width:100px;" rowspan="7" | [[#TRAINING_3 | Android security workshop]] by Jeroen Beckers & Stephanie Vanroelen
|-
| 11h00 - 11h30 || ''Coffee Break''
|-
| 11h30 - 13h00 || Training
|-
| 13h00 - 14h00 || ''Lunch''
|-
| 14h00 - 15h30 || Training
|-
| 15h30 - 16h00 || ''Coffee Break''
|-
| 16h00 - 17h30 || Training
|}

Choose the most appropriate training as they will be hosted at the same time.

== Trainings ==

=== Training 1 - Kubernetes security by Andrew Martin ===

==== Abstract ====

===== Course Description =====
The course guides attendees through Linux container security in general, and progresses to advanced Kubernetes cluster security. It emphasises pragmatic threat modelling and risk assessment based on an understanding of the tools and primitives available, rather than dogmatic dos and don’ts.

===== Course Outline =====
* How to attack containerised workloads
* Enhanced container security
* How to attack Kubernetes
* Interactive production cluster hacking
* Hardening Kubernetes
* Locking down applications
* Security tooling and vendor landscape

===== Who Should Attend =====
This course is suitable for intermediate to advanced Kubernetes users who want to strengthen their security understanding. It is particularly beneficial for those operating Kubernetes in a high-compliance domain, or for established security professionals looking to update their skills for the cloud native world.

===== Participant requirements =====
Just a laptop with an SSH client please, ssh or PuTTY.

==== Bio ====

Andrew has a strong test-first engineering ethos gained architecting and deploying high-traffic web applications. Proficient in systems development, testing, and maintenance, he is comfortable profiling and securing every tier of a bare metal or cloud native application, and has battle-hardened experience delivering containerised solutions to enterprise clients. He is a co-founder at https://control-plane.io

=== Training 2 - OWASP Zap Training by David Scrobonia ===

==== Abstract ====

This hands on course will start with the basics of using ZAP attack proxy and finish with leveraging it's API to integrate ZAP within you CI/CD processes. Along the way we will be practicing techniques by attacking the OWASP JuiceShop, an intentionally vulnerable web application.

==== Audience ====

This couse is designed for both new and experienced users. No knowledge or experience with ZAP is required, but even those familiar with ZAP will learn something new.

==== Contents ====
# Basic Techniques & Manual Testing
# Advanced Techniques & Automated Testing
# Scripting with ZAP
# Using ZAP within your CI/CD Pipeline

===== Participant requirements =====
Please come prepared with the following tools installed:
* ZAP (https://github.com/zaproxy/zaproxy/wiki/Downloads#zap-270-standard)
* docker

If you have any trouble with the setup please feel free to reach out to davidscrobonia at gmail with questions.

==== Bio ====

David Scrobonia is a part of the Security Engineering team at Segment working to secure modern web apps and AWS infrastructure. He contributes to open source in his spare time and is a core team member of the OWASP ZAP project.

=== Training 3 - Android security workshop by Jeroen Beckers & Stephanie Vanroelen ===

==== Abstract ====

In this workshop, participants will come in contact with the basics of
Android application security. Through hands-on exercises, Jeroen and
Stephanie will show which mistakes can be made, both at the design and
implementation level, that can compromise the security of both the
application and the backend server. Although no real prior experience
with Android is needed, some basic knowledge on programming is advised.

==== Participation requirements ====
* Basic linux / terminal knowledge
* Be able to understand the OWASP Top 10 (Not Mobile)
* Laptop with VirtualBox / VMWare (At least 8GB of RAM)

==== Bio ====

Jeroen Beckers is a security researcher at NVISO. He focusses mainly on
mobile applications for Android/iOS and sometimes even Windows Phone
(yes, some people actually use it!). Apart from breaking mobile
applications, he also gives security trainings and presentations at
conferences. 
 
Stephanie Vanroelen is an IT security consultant currently focussing on Web and
Mobile Application Security. Her experiences in organizing IT Security
conferences such as BruCON and CyberSKool help her with project
management and communication skills. In her free time she pretends to be
Godzilla :).


= Conference Day =

'''Conference Day is November 30th'''

== Agenda ==

{| class="wikitable"
! width="120pt" | Time
! width="190pt" | Speaker
! width="400pt" | Topic

|-
| 08h30 - 09h15
| style="text-align: center; background: grey; color: white" colspan="3" | ''Registration / [[#CyberWayFinder | Women in cybersecurity (CyberWayFinder)]]''
|-
| 09h15 - 09h30
| style="text-align: center; background: grey; color: white" colspan="3" | ''Opening''
|-
| 09h30 - 10h15
| [[#TALK_0930 | Lennert Wouters]]
| [[#TALK_0930 | Fast, Furious and Insecure: Passive Keyless Entry and Start in Modern Supercars]]

|-
| 10h15 - 11h00
| [[#TALK_1015 | Ralph Moonen]]
| [[#TALK_1015 | Weaknesses in our voice communications network: from Blue Boxing to VoLTE]]

|-
| 11h00 - 11h30
| style="text-align: center;background: grey; color: white" colspan="3" | ''Morning Break''
|-
| 11h30 - 12h15
| [[#TALK_1130 | Niels Tanis]]
| [[#TALK_1130 | When Serverless Met Security… Serverless Security & Functions-as-a-Service (FaaS)]]

|-
| 12h15 - 13h00
| [[#TALK_1215 | David Scrobonia]]
| [[#TALK_1215 | OWASP Zap]]

|-
| 13h00 - 14h00
| style="text-align: center;background: grey; color: white" colspan="3" | ''Lunch''
|-
| 14h00 - 14h45
| [[#TALK_1400 | Björn Kimminich]]
| [[#TALK_1400 | Juice Shop: OWASP's most broken Flagship]]

|-
| 14h45 - 15h30
| [[#TALK_1445 | Jo Van Bulck]]
| [[#TALK_1445 | Leaky Processors: Stealing Your Secrets with Foreshadow]]

|-
| 15h30 - 16h00
| style="text-align: center;background: grey; color: white" colspan="3" | ''Afternoon Break''
|-
| 16h00 - 16h45
| [[#TALK_1600 | Jeroen Willemsen]]
| [[#TALK_1600 | Fast forwarding Mobile Security with the MSTG]]

|-
| 16h45 - 17h30
| [[#TALK_1645 | Nick Drage]]
| [[#TALK_1645 | Lessons from the legion (The OWASP BeNeLux Remix)]]

|-
| 17h30 - 17h45
| style="text-align: center;background: grey; color: white" colspan="3" | ''Closing''
|}

== Talks ==

=== Fast, Furious and Insecure: Passive Keyless Entry and Start in Modern Supercars by Lennert Wouters ===

==== Abstract ====

The security of immobiliser and Remote Keyless Entry systems has been extensively studied over the past years. Passive Keyless Entry and Start systems, which are currently deployed in luxury vehicles, have not received as much attention.
During this presentation we will share the techniques used in reverse engineering the Tesla Model S Passive Keyless Entry and Start system. We will discuss multiple security weaknesses in the system including the use of an inadequate proprietary cipher using 40-bit keys, the lack of mutual authentication in the challenge-response protocol, hardware configuration mistakes and the absence of security partitioning. 
We verified our findings by implementing a proof of concept attack allowing us to clone a Tesla Model S key fob in a matter of seconds with low cost commercial off the shelf equipment. 
Finally, we will share our experience with the responsible disclosure of these finding to Tesla Motors and other likely affected manufacturers such as McLaren, Karma Automotive and Triumph Motorcycles as they all use the same system developed by Pektron.

====Bio====

Lennert Wouters is a PhD researcher at the Computer Security and Industrial Cryptography (COSIC) research group at KU Leuven. His research interests involve hardware security of connected embedded devices and side channel attacks.

=== Weaknesses in our voice communications network: from Blue Boxing to VoLTE by Ralph Moonen ===

==== Abstract ====

Voice over 4G, or VoLTE, brings back the phreaking 80's. Once again, after 3 decades, the signaling path of telephony is accessible to end users. No more R1, R2, C4 or C5 however: we now have SIP. As it turns out, the implementations of SIP and VoLTE in various European providers' 4G infrastructures, open up a host of possibilities. During our research over the past few years we have identified vulnerabilities in implementations such as txt message spoofing, subscriber enumeration, location determination (leakage of cell-ID and LAC), IMEI leakage and a potential SIM-card sharing attack. 
During this talk we will begin with a little historic stroll of phone phreaking through notable events and discoveries over the years. Bridging the narrative over the last few decades, new technologies such as VoIP, Volte, and VoWiFi are introduced, explaining the 4G and VoLTE infrastructure components and protocols. Next, on a rooted Android phone, we will show what control the user has over the VoLTE stack using some standard tools and the IPv6 stack. This includes hidden activities in Android and extraction of IPsec keys from the VoLTE stack. We will show that it is possible to import keys to Wireshark and monitor the IPv6 SIP traffic and components. Finally, examples of the vulnerabilities in implementations such as txt message spoofing, subscriber enumeration, location determination (leakage of cell-ID and LAC), IMEI leakage and a potential SIM-card sharing attack will be explained. 
Yes, a slightly technical nugget of knowledge, yet very accessible and a lot of fun! 
 
'''Importance of presentation for involved audience''' 
The phone systems of the world have always been of interest to everyone: from users who expect privacy, to intelligence agencies who want access. The privacy, integrity and confidentiality of voice communications over telecommunication networks is therefore of interest to anyone who uses mobile phones (i.e.: everyone). It is also typically a closed subject with very little research being done, relative to other security topics such as malware and application vulnerabilities. The combination of little research and high impact on everyone, makes that this topic deserves much more attention than it currently does. The VoLTE weaknesses we will describe are implementation dependent, and largely unpublished (i.e. new).

==== Bio ====

Ralph Moonen CISSP is Technical Director at Secura. Ralph is an old-school ethical hacker with 3 decades of experience as penetration tester, IT-auditor and security consultant. Now, as Technical Director, he is responsible for topics such as R&D and technical projects at Secura.

=== When Serverless Met Security… Serverless Security & Functions-as-a-Service (FaaS) by Niels Tanis ===

==== Abstract ====

Serverless is a design pattern for writing scalable applications in which Functions as a Service (FaaS) is one of the key building blocks. Every mayor Cloud Provider has got his own FaaS available. On Microsoft Azure there is Azure Functions, AWS has got Lambda and Cloud Functions can be used on the Google Cloud. All of these have a lot of similarities in the way they allow developers to create small event driven services. 
From security perspective there are a lot of benefits when moving to a serverless architecture. There is no need to manage any of the machines and the underlying infrastructure. Dealing with updates, patches and infrastructure is the responsibility of the platform provider. FaaS are short lived processes which will be instantiated and destroyed in a matter of milliseconds making it more resilient to denial-of-services (DoS) and also makes it harder to attack and compromise. 
But will all of this be sufficient to be ’secure’ or should we be worried about more? With serverless there is still a piece of software that will be developed, build, deployed and executed. It will also introduce a more complex architecture with corresponding attack surface which also makes it hard to monitor. What about the software supply chain and delivery pipeline? There still will be a need to patch your software for vulnerabilities in code and used 3rd party libraries. In this talk we will identify the security area’s we do need to focus on when developing serverless and define possible solutions for dealing with those problems.

==== Bio ====

Niels Tanis has got a background in .NET development, pentesting and security consultancy. He also holds the CSSLP certification and has been involved in breaking, defending and building secure applications. He joined Veracode in 2015 and right now he works as a security researcher on a variant of languages and technologies related to Veracode’s Binary Static Analysis service. He is married, father of 2 and lives in a small village just outside Amersfoort, The Netherlands.

=== OWASP Zap by David Scrobonia ===

==== Abstract ====

Intoducing security testing tools to a QA or developers workflow can be difficult when the tools aren't easy or intuitive to use. Even for security professionals, the friction of cumbersome security tooling can prevent them from getting the most from a tool or being effective with their time. 
The OWASP ZAP team is working to help enable developers, QA, and hackers alike with the ZAP Heads Up Display, a more user friendly way to engage with the security testing tool. The Heads Up Displays integrates ZAP directly in the browser providing all of the funcitonality of the tool via a heads up display. The goal is to make ZAP more accessible and enabling users, especially developers, to integrate security in their daily workflows. 
This talk will discuss the importance of usable tools, design tradeoffs made to improve usability, the various browser technologies powering the HUD, and how you can start hacking with a heads up display.

==== Bio ====

David Scrobonia is a part of the Security Engineering team at Segment working to secure modern web apps and AWS infrastructure. He contributes to open source in his spare time and is a core team member of the OWASP ZAP project.

=== Juice Shop: OWASP's most broken Flagship by Björn Kimminich ===

==== Abstract ====

OWASP Juice Shop is an intentionally insecure webapp for security trainings written entirely in Javascript which encompasses the entire OWASP Top Ten and many more severe security flaws. In this talk, you'll learn about this open-source project and its capabilities first-hand from its creator. Join a “happy shopper round trip,” enjoy a hacking demo of some of the built-in challenges, witness how to re-theme the Juice Shop into a security awareness booster for your own company, and learn how to set it up for a capture-the-flag (CTF) event in less than 5 minutes!

====Bio====

Björn Kimminich is responsible for global IT architecture and application security at Kuehne + Nagel. On the side, he gives IT security lectures at the non-profit private university Nordakademie. Björn also is the project leader of the OWASP Juice Shop and a board member for the German OWASP chapter. 
[[File:GitHub-Mark_no_background.png|25px|link=https://github.com/bkimminich|GitHub]]
[[File:TwitterLogo.png|25px|link=http://twitter.com/bkimminich|Twitter]]
[[File:LinkedinSquareLogo.png|25px|link=https://www.linkedin.com/in/bkimminich|LinkedIn]]

=== Leaky Processors: Stealing Your Secrets with Foreshadow by Jo Van Bulck ===

==== Abstract ====

For decades, memory isolation has been one of the key principles of
secure system design. The recent wave of speculative execution attacks,
including Meltdown, Spectre, and Foreshadow abruptly showed, however,
that performance optimizations in modern processors fundamentally
undermine application security. 
This talk will review how speculative execution attacks work. What makes
them dangerous, and why they require a paradigm shift in the way we
think about application security. The talk will have a special focus on
the recently disclosed Foreshadow CPU vulnerability, which led to a
complete collapse of state-of-the-art Intel SGX technology, and
necessitated hardware and software patches for all major operating
systems and virtual machine hypervisors.

==== Bio ====

Jo Van Bulck is a PhD researcher at imec-DistriNet, KU Leuven, where he
investigates hardware-level trusted computing from an integrated attack
and defense perspective. His work resulted in a.o., the high-impact
Foreshadow CPU vulnerability announced in August 2018, and several
open-source secure processor prototypes.

=== Fast forwarding Mobile Security with the MSTG by Jeroen Willemsen ===

==== Abstract ====

After the startup of the mobile security project in 2010, the mobile security project and its testing guides have seen quiet some evolution. All of this changed quiet intensively when, in 2016, the Mobile Application Security Verification Standard (MASVS) and the Mobile Application Security Testing Guide (MSTG) were created. Now, two years fast forward: where are we now? How can you use it as a pentester or a developer? We will start with introducing the current state of the MSTG and its side-projects and then show various demos on iOS. 

==== Bio ====

Jeroen Willemsen is a Principal Security Architect at Xebia. With a love for mobile security, he recently became one of the projectleaders for the OMTG project (MASVS & MSTG). Jeroen is more or less a jack of all trades with interest in infrastructure security, risk management and application security.

=== Lessons From The Legion (The OWASP BeNeLux Remix) by Nick Drage ===

==== Abstract ====

Look at your job, your colleagues, your industry. Very smart people, working very hard... and yet it feels like we're losing. 
 
''Why?'' 
 
Cyber security has always been a technology driven, engineer led industry - self-taught practitioners have chosen tactics and point solutions based on what fits in with their preferred ways of working and studying. We need better strategies to make use of those tactics. We can learn those strategies from other contexts and conflicts to improve our own methods and practices. 
 
''Would you like to start winning?''
====Bio====

Nick is the Director of Path Dependence Limited, and has over two decades of experience in the cyber security field… previously he was "SecOps” before the term was invented, as well as having been a SysAdmin, PCI QSA, pre-sales analyst, CHECK Team Leader, and various other less well defined roles. Nick is currently a Cyber Security Consultant and Penetration Tester, with occasional forays into being a Wargame Umpire, Adversarial Analyst, or Professional Wildcard.

=== Women in cybersecurity (CyberWayFinder) ===
OWASP BeNeLux and CyberWayFinder would like to invite you to a '''breakfast with other women in cybersecurity'''. 
Since women make up 7% of the cybersecurity work force, they are a rare breed, and don't often meet each other. That is why "women in cybersecurity breakfasts" are popping up in conferences around the world.
A small gathering with the women who will be present at our OWASP conference in the morning provides an excellent network opportunity to meet one another. We'll make sure you don't start out the day on an empty stomach, and provide you with some contacts, without missing out on the rest of the conference. 
join us as of 08h30 at Lamot conference center, and also hear about the CyberWayFinder training program which is being created to help women transition their career into cybersecurity. 



= Social Event =

'''The Social Event is on Thursday, November 29th'''

The social event will be a unique opportunity to meet some of the trainers and speakers, as well the organisers or even peers. 

The social event will take place in restaurant [http://www.puro-mechelen.be/english Puro Mechelen], a couple of minutes from the conference center, on Thursday 29/11 at 19h00. 
There is a fixed group menu (meat or fish) for '''59€/person''', drinks included. 
Link to the [https://static1.squarespace.com/static/53bedc63e4b051fad94ee1f7/t/59b7d81ea803bbc8f65d85ee/1505220639318/Puro-groepsmenu.pdf Menus] (page 1), and the [https://static1.squarespace.com/static/53bedc63e4b051fad94ee1f7/t/54b57100e4b0ab0673e80e8d/1421177088856/drankenformules.doc.pdf drinks].
 

'''Any participant pays individually. Reservation via the form you'll receive after conference registration is mandatory.''' 

'''If you want to join the social event, don't forget to register for it via the registration:'''
[[image:Register_now_red.png|link=https://owasp-benelux-day-2018.eventbrite.com |200px|alt=Register for the OWASP BeNeLux Day 2018 | Register for the OWASP BeNeLux Day 2018 ]]



= Sponsor =

''' Become a sponsor of OWASP BeNeLux! '''

There are 3 combined sponsorship packages (Gold, Silver or Bronze) that cover the BeNeLux chapter meetings 2019 and the BeNeLux OWASP Days 2018.

Download our [https://www.owasp.org/images/8/8e/OWASP_BeNeLux_2018_Sponsorship_Form_v20181004.pdf sponsor brochure] and contact [mailto:seba@owasp.org us] for questions or sponsorship confirmation!

Your sponsorship will be invested directly in the chapter meetings, supporting speaker and catering expenses.

The sponsorship will also be dedicated to cover the costs of the OWASP 2018 BeNeLux event.

__NOTOC__
<headertabs></headertabs>

=== Made possible by our {{#switchtablink:Sponsor|Sponsors}}===

==== Gold ====

[[File:DavinsiLabs.png|250px|link=https://www.davinsilabs.com]]
[[File:Vest.jpg|250px|link=http://www.vest.nl]]

==== Silver ====

[[File:LogoIngenicoGroup.png|250px|link=https://ingenico.be]]
[[File:LogoToreon.jpg|250px|link=https://www.toreon.com]]
[[File:LogoSynopsys.png|250px|link=https://www.synopsys.com]]
[[File:Nviso_logo_RGB_baseline_200px.png|250px|link=http://www.nviso.be]]

==== Bronze ====

[[File:Logo_Informatiebeveiliging-200.png|250px|link=https://informatiebeveiliging.nl/]]

[[Category:OWASP_AppSec_Conference]]
[[Category:OWASP_BeNeLux_Archives]]

Belgium

2018-12-04T15:15:20Z

Thomas Herlea: Updated sponsors following the 2018 edition of the OWASP BeNeLux Days.

{{Chapter Template|chaptername=Belgium|extra=The chapter leaders are [mailto:seba@owasp.org Sebastien Deleersnyder], [mailto:lieven.desmet@owasp.org Lieven Desmet] and [mailto:bart.dewin@owasp.org Bart De Win]
|mailinglistsite=http://lists.owasp.org/mailman/listinfo/owasp-belgium|emailarchives=http://lists.owasp.org/pipermail/owasp-belgium}}

= Local News =

== OWASP BeNeLux Days ==

* Our latest event, [[OWASP BeNeLux-Days 2018|OWASP BeNeLux Days]], took place on 29-30 November in the LAMOT conference center in Mechelen, Belgium.

== Upcoming Chapter Meetings ==

* The next chapter meeting will be in January 2019.

See https://www.owasp.org/index.php/Belgium#Chapter_Meetings for more details and older meetings.

== Stay in Touch ==

<center>
{| cellspacing="15"
|-
| [[Image:Meetup-logo-2x.png|120px|link=http://www.meetup.com/Belgium-OWASP-Open-Web-Application-Security-Project/]]
| [[Image:Join the list.png|150px|link=http://lists.owasp.org/mailman/listinfo/owasp-belgium]]
| [[Image:Follow-us-on-twitter.png|175px|link=https://twitter.com/owasp_be]]
| [[Image:Linkedin-button.gif|135px|link=https://www.linkedin.com/groups/37865]]
|}
</center>
If you want to be invited for the next OWASP Belgium Chapter meetings, please [http://eepurl.com/iFZtb drop us your contact info].

== Structural Sponsors 2019 ==

OWASP Belgium thanks its structural chapter supporters for 2019 and the OWASP BeNeLux Days 2018:


[[File:Vest.jpg|250px|link=http://www.vest.nl]]
[[File:DavinsiLabs.png|250px|link=https://www.davinsilabs.com]]




[[File:LogoToreon.jpg|250px|link=https://www.toreon.com]]
[[File:Nviso_logo_RGB_baseline_200px.png|250px|link=http://www.nviso.be]]
 [[File:LogoIngenicoGroup.png|250px|link=https://ingenico.be]] 
[[File:LogoSynopsys.png|250px|link=https://www.synopsys.com]]


[[File:Logo_Informatiebeveiliging-200.png|250px|link=https://informatiebeveiliging.nl/]]

If you want to support our chapter, please contact [mailto:seba@owasp.org Seba Deleersnyder]

= Chapter Meetings =

{{:Belgium_Events_2018}}

== Previous Years ==

Events held in
[[Belgium Events 2017|2017]],
[[Belgium Events 2016|2016]],
[[Belgium Events 2015|2015]],
[[Belgium Events 2014|2014]],
[[Belgium Events 2013|2013]],
[[Belgium Events 2012|2012]],
[[Belgium Events 2011|2011]],
[[Belgium Events 2010|2010]],
[[Belgium Events 2009|2009]],
[[Belgium Events 2008|2008]],
[[Belgium Events 2007|2007]],
[[Belgium Events 2006|2006]],
[[Belgium Events 2005|2005]].

= Belgium OWASP Chapter Leaders =

The Belgium Chapter is supported by the following board:

Chapter Leaders
*Sebastien Deleersnyder, Toreon
*Lieven Desmet, KU Leuven
*Bart De Win, PWC

Board Members
*Erwin Geirnaert, Zion Security
*David Mathy, Freelance
*Adolfo Solero, Freelance
*Stella Dineva, Ingenico Payment Services
*Thomas Herlea, NVISO

Our goal is to professionalize the local OWASP functioning, provide in a bigger footprint to detect OWASP opportunities such as speakers/topics/sponsors/… and set a 5 year target on: Target audiences, Different events and Interactions of OWASP global – local projects.
__NOTOC__ <headertabs></headertabs>
[[Category:Europe]]

Belgium

2018-12-04T10:47:24Z

Thomas Herlea: Rephrased the BeNeLux Days bit in the past tense.

{{Chapter Template|chaptername=Belgium|extra=The chapter leaders are [mailto:seba@owasp.org Sebastien Deleersnyder], [mailto:lieven.desmet@owasp.org Lieven Desmet] and [mailto:bart.dewin@owasp.org Bart De Win]
|mailinglistsite=http://lists.owasp.org/mailman/listinfo/owasp-belgium|emailarchives=http://lists.owasp.org/pipermail/owasp-belgium}}

= Local News =

== OWASP BeNeLux Days ==

* Our latest event, [[OWASP BeNeLux-Days 2018|OWASP BeNeLux Days]], took place on 29-30 November in the LAMOT conference center in Mechelen, Belgium.

== Upcoming Chapter Meetings ==

* The next chapter meeting will be in January 2019.

See https://www.owasp.org/index.php/Belgium#Chapter_Meetings for more details and older meetings.

== Stay in Touch ==

<center>
{| cellspacing="15"
|-
| [[Image:Meetup-logo-2x.png|120px|link=http://www.meetup.com/Belgium-OWASP-Open-Web-Application-Security-Project/]]
| [[Image:Join the list.png|150px|link=http://lists.owasp.org/mailman/listinfo/owasp-belgium]]
| [[Image:Follow-us-on-twitter.png|175px|link=https://twitter.com/owasp_be]]
| [[Image:Linkedin-button.gif|135px|link=https://www.linkedin.com/groups/37865]]
|}
</center>
If you want to be invited for the next OWASP Belgium Chapter meetings, please [http://eepurl.com/iFZtb drop us your contact info].

== Structural Sponsors 2018 ==

OWASP Belgium thanks its structural chapter supporters for 2018 and the OWASP BeNeLux Days 2017:

[http://www.vest.nl https://www.owasp.org/images/6/67/Vest.jpg]
[https://secwatch.nl https://www.owasp.org/images/f/ff/Secwatch_logo_small.png]
[[File:Avi Logo Transparent Background 300pix.png|200px|link=https://avinetworks.com/]]
[[File:LogoToreon.jpg|250px|link=https://www.toreon.com]]
[[File:Nviso_logo_RGB_baseline_200px.png|link=http://www.nviso.be]]

If you want to support our chapter, please contact [mailto:seba@owasp.org Seba Deleersnyder]

= Chapter Meetings =

{{:Belgium_Events_2018}}

== Previous Years ==

Events held in
[[Belgium Events 2017|2017]],
[[Belgium Events 2016|2016]],
[[Belgium Events 2015|2015]],
[[Belgium Events 2014|2014]],
[[Belgium Events 2013|2013]],
[[Belgium Events 2012|2012]],
[[Belgium Events 2011|2011]],
[[Belgium Events 2010|2010]],
[[Belgium Events 2009|2009]],
[[Belgium Events 2008|2008]],
[[Belgium Events 2007|2007]],
[[Belgium Events 2006|2006]],
[[Belgium Events 2005|2005]].

= Belgium OWASP Chapter Leaders =

The Belgium Chapter is supported by the following board:

Chapter Leaders
*Sebastien Deleersnyder, Toreon
*Lieven Desmet, KU Leuven
*Bart De Win, PWC

Board Members
*Erwin Geirnaert, Zion Security
*David Mathy, Freelance
*Adolfo Solero, Freelance
*Stella Dineva, Ingenico Payment Services
*Thomas Herlea, NVISO

Our goal is to professionalize the local OWASP functioning, provide in a bigger footprint to detect OWASP opportunities such as speakers/topics/sponsors/… and set a 5 year target on: Target audiences, Different events and Interactions of OWASP global – local projects.
__NOTOC__ <headertabs></headertabs>
[[Category:Europe]]

OWASP BeNeLux-Days 2018

2018-11-20T19:08:12Z

Thomas Herlea: Added NVISO's logo to the sponsors.

<center>[[Image:OBNL18 Banner v2.png]]</center>

 


= Information =

== Confirmed Conference Speakers ==



* David Scrobonia
* Niels Tanis
* Jeroen Willemsen
* Björn Kimminich
* Ralph Moonen
* Jo Van Bulck
* Lennert Wouters
* Nick Drage


== Confirmed Trainers ==


* Andrew Martin
* David Scrobonia
* Jeroen Beckers - Stephanie Vanroelen



== OWASP BeNeLux conference is free, but registration is required! ==

[[image:Register_now_red.png|link=https://owasp-benelux-day-2018.eventbrite.com |alt=Register NOW! | Register NOW! ]]

'''To support the OWASP organisation, consider to become a member, it's only US$50! Check out the [[Membership]] page to find out more.'''
 

== The OWASP BeNeLux Program Committee ==

* Sebastien Deleersnyder / Lieven Desmet / David Mathy / Thomas Herlea / Stella Dineva / Adolfo Solero / Bart De Win, [[Belgium|OWASP Belgium]]
* Martin Knobloch / Joren Poll / Edwin Goweling, [[Netherlands|OWASP Netherlands]]
* [[Luxembourg|OWASP Luxembourg]]

== Tweet! ==

Event tag is [http://twitter.com/#search?q=%23owaspbnl17 #owaspbnl18]

== Donate to OWASP BeNeLux ==

[https://co.clickandpledge.com/?wid=72689 Donate]


= Registration =

== OWASP BeNeLux conference and training days are free, but registration is required! ==

[[image:Register_now_red.png|link=https://owasp-benelux-day-2018.eventbrite.com |alt=Register NOW! | Register NOW! ]]

'''To support the OWASP organisation, consider to become a member, it's only US$50! Check out the [[Membership]] page to find out more.'''



= Venue =

== Address ==

Venue:

'''Congres- en Erfgoedcentrum Lamot'''
Van Beethovenstraat 8-10
2800 Mechelen
Belgium

[https://goo.gl/maps/gZ9icR178w52 Google map]
 
[[File:Mechelen-Lamot.jpg|350px|Lamot conference center]]
[[File:Mechelen-lamot-center-auditorium.jpg|350px|Auditorium]] 

Parking: 
[[File:Parking lots around Lamot Conference center Mechelen.png|500px|Parking facilities]] 
[https://goo.gl/maps/Q5TD7hoTuUu Find your parking on Google Maps]

=== How to reach the venue? ===

==== Public transport ====

You can reach the Mechelen's train station from Antwerpen or Brussels.
The Lamot conference center is 10 min away by bus (line 1).

Or you can choose to walk for 15 min (1.2 km).

==== By car ====

===== From Brussels: =====
Follow the E19 Brussels / Antwerpen and take the exit 10. Follow the N1 until the R12 (take a left) and turn to the right at the "Brusselpoort" into the Hoogstraat to reach one of the parkings.

===== From Antwerpen: =====
Follow the E19 Brussels / Antwerpen and take the exit 9. Follow the N16 until the R12 (take a right) and turn to the left at the "Brusselpoort" into the Hoogstraat to reach one of the parkings.

=== Hotels Nearby ===
[https://www.google.com/maps/d/viewer?mid=1eYMYmwXKuAsTilKgpAtyYtfMA7A&ll=51.02648134397288%2C4.47819800000002&z=15 Hotels around the Lamot conference center]


= Training Day =

'''Training Day is November 29th'''
== Agenda==

{| class="wikitable"
! Time !! Description !! Training 1 !! Training 2 !! Training 3
|-
| 08h30 - 9h30
| colspan="5" style="text-align: center; background: grey; color: white;" | ''Registration''
|-
| 09h30 - 11h00 || Training
| rowspan="7" style="width:100px;" | [[#TRAINING_1 | Kubernetes security]] by Andrew Martin
| rowspan="7" style="width:100px;" | [[#TRAINING_2 | OWASP Zap Training]] by David Scrobonia
| rowspan="7" style="width:100px;" | [[#TRAINING_3 | Android security workshop]] by Jeroen Beckers & Stephanie Vanroelen
|-
| 11h00 - 11h30 || ''Coffee Break''
|-
| 11h30 - 13h00 || Training
|-
| 13h00 - 14h00 || ''Lunch''
|-
| 14h00 - 15h30 || Training
|-
| 15h30 - 16h00 || ''Coffee Break''
|-
| 16h00 - 17h30 || Training
|}

Choose the most appropriate training as they will be hosted at the same time.

== Trainings ==

=== Training 1 - Kubernetes security by Andrew Martin ===

==== Abstract ====

===== Course Description =====
The course guides attendees through Linux container security in general, and progresses to advanced Kubernetes cluster security. It emphasises pragmatic threat modelling and risk assessment based on an understanding of the tools and primitives available, rather than dogmatic dos and don’ts.

===== Course Outline =====
* How to attack containerised workloads
* Enhanced container security
* How to attack Kubernetes
* Interactive production cluster hacking
* Hardening Kubernetes
* Locking down applications
* Security tooling and vendor landscape

===== Who Should Attend =====
This course is suitable for intermediate to advanced Kubernetes users who want to strengthen their security understanding. It is particularly beneficial for those operating Kubernetes in a high-compliance domain, or for established security professionals looking to update their skills for the cloud native world.

==== Bio ====

Andrew has a strong test-first engineering ethos gained architecting and deploying high-traffic web applications. Proficient in systems development, testing, and maintenance, he is comfortable profiling and securing every tier of a bare metal or cloud native application, and has battle-hardened experience delivering containerised solutions to enterprise clients. He is a co-founder at https://control-plane.io

=== Training 2 - OWASP Zap Training by David Scrobonia ===

==== Abstract ====

This hands on course will start with the basics of using ZAP attack proxy and finish with leveraging it's API to integrate ZAP within you CI/CD processes. Along the way we will be practicing techniques by attacking the OWASP JuiceShop, an intentionally vulnerable web application.

==== Audience ====

This couse is designed for both new and experienced users. No knowledge or experience with ZAP is required, but even those familiar with ZAP will learn something new.

==== Contents ====
# Basic Techniques & Manual Testing
# Advanced Techniques & Automated Testing
# Scripting with ZAP
# Using ZAP within your CI/CD Pipeline

==== Bio ====

David Scrobonia is a part of the Security Engineering team at Segment working to secure modern web apps and AWS infrastructure. He contributes to open source in his spare time and is a core team member of the OWASP ZAP project.

=== Training 3 - Android security workshop by Jeroen Beckers & Stephanie Vanroelen ===

==== Abstract ====

In this workshop, participants will come in contact with the basics of
Android application security. Through hands-on exercises, Jeroen and
Stephanie will show which mistakes can be made, both at the design and
implementation level, that can compromise the security of both the
application and the backend server. Although no real prior experience
with Android is needed, some basic knowledge on programming is advised.

==== Participation requirements ====
* Basic linux / terminal knowledge
* Be able to understand the OWASP Top 10 (Not Mobile)
* Laptop with VirtualBox / VMWare (At least 8GB of RAM)

==== Bio ====

Jeroen Beckers is a security researcher at NVISO. He focusses mainly on
mobile applications for Android/iOS and sometimes even Windows Phone
(yes, some people actually use it!). Apart from breaking mobile
applications, he also gives security trainings and presentations at
conferences. 
 
Stephanie Vanroelen is an IT security consultant currently focussing on Web and
Mobile Application Security. Her experiences in organizing IT Security
conferences such as BruCON and CyberSKool help her with project
management and communication skills. In her free time she pretends to be
Godzilla :).



= Conference Day =

'''Conference Day is November 30th'''

== Agenda ==

{| class="wikitable"
! width="120pt" | Time
! width="190pt" | Speaker
! width="400pt" | Topic

|-
| 08h30 - 09h15
| colspan="3" style="text-align: center; background: grey; color: white" | ''Registration''
|-
| 09h15 - 09h30
| colspan="3" style="text-align: center; background: grey; color: white" | ''Opening''
|-
| 09h30 - 10h15
| [[#TALK_0930 | Lennert Wouters]]
| [[#TALK_0930 | Fast, Furious and Insecure: Passive Keyless Entry and Start in Modern Supercars]]

|-
| 10h15 - 11h00
| [[#TALK_1015 | Ralph Moonen]]
| [[#TALK_1015 | Weaknesses in our voice communications network: from Blue Boxing to VoLTE]]

|-
| 11h00 - 11h30
| colspan="3" style="text-align: center;background: grey; color: white" | ''Morning Break''
|-
| 11h30 - 12h15
| [[#TALK_1130 | Niels Tanis]]
| [[#TALK_1130 | When Serverless Met Security… Serverless Security & Functions-as-a-Service (FaaS)]]

|-
| 12h15 - 13h00
| [[#TALK_1215 | David Scrobonia]]
| [[#TALK_1215 | OWASP Zap]]

|-
| 13h00 - 14h00
| colspan="3" style="text-align: center;background: grey; color: white" | ''Lunch''
|-
| 14h00 - 14h45
| [[#TALK_1400 | Björn Kimminich]]
| [[#TALK_1400 | Juice Shop: OWASP's most broken Flagship]]

|-
| 14h45 - 15h30
| [[#TALK_1445 | Jo Van Bulck]]
| [[#TALK_1445 | Leaky Processors: Stealing Your Secrets with Foreshadow]]

|-
| 15h30 - 16h00
| colspan="3" style="text-align: center;background: grey; color: white" | ''Afternoon Break''
|-
| 16h00 - 16h45
| [[#TALK_1600 | Jeroen Willemsen]]
| [[#TALK_1600 | Fast forwarding Mobile Security with the MSTG]]

|-
| 16h45 - 17h30
| [[#TALK_1645 | Nick Drage]]
| [[#TALK_1645 | Lessons from the legion (The OWASP BeNeLux Remix)]]

|-
| 17h30 - 17h45
| colspan="3" style="text-align: center;background: grey; color: white" | ''Closing''
|}

== Talks ==

=== Fast, Furious and Insecure: Passive Keyless Entry and Start in Modern Supercars by Lennert Wouters ===

==== Abstract ====

The security of immobiliser and Remote Keyless Entry systems has been extensively studied over the past years. Passive Keyless Entry and Start systems, which are currently deployed in luxury vehicles, have not received as much attention.
During this presentation we will share the techniques used in reverse engineering the Tesla Model S Passive Keyless Entry and Start system. We will discuss multiple security weaknesses in the system including the use of an inadequate proprietary cipher using 40-bit keys, the lack of mutual authentication in the challenge-response protocol, hardware configuration mistakes and the absence of security partitioning. 
We verified our findings by implementing a proof of concept attack allowing us to clone a Tesla Model S key fob in a matter of seconds with low cost commercial off the shelf equipment. 
Finally, we will share our experience with the responsible disclosure of these finding to Tesla Motors and other likely affected manufacturers such as McLaren, Karma Automotive and Triumph Motorcycles as they all use the same system developed by Pektron.

====Bio====

Lennert Wouters is a PhD researcher at the Computer Security and Industrial Cryptography (COSIC) research group at KU Leuven. His research interests involve hardware security of connected embedded devices and side channel attacks.

=== Weaknesses in our voice communications network: from Blue Boxing to VoLTE by Ralph Moonen ===

==== Abstract ====

Voice over 4G, or VoLTE, brings back the phreaking 80's. Once again, after 3 decades, the signaling path of telephony is accessible to end users. No more R1, R2, C4 or C5 however: we now have SIP. As it turns out, the implementations of SIP and VoLTE in various European providers' 4G infrastructures, open up a host of possibilities. During our research over the past few years we have identified vulnerabilities in implementations such as txt message spoofing, subscriber enumeration, location determination (leakage of cell-ID and LAC), IMEI leakage and a potential SIM-card sharing attack. 
During this talk we will begin with a little historic stroll of phone phreaking through notable events and discoveries over the years. Bridging the narrative over the last few decades, new technologies such as VoIP, Volte, and VoWiFi are introduced, explaining the 4G and VoLTE infrastructure components and protocols. Next, on a rooted Android phone, we will show what control the user has over the VoLTE stack using some standard tools and the IPv6 stack. This includes hidden activities in Android and extraction of IPsec keys from the VoLTE stack. We will show that it is possible to import keys to Wireshark and monitor the IPv6 SIP traffic and components. Finally, examples of the vulnerabilities in implementations such as txt message spoofing, subscriber enumeration, location determination (leakage of cell-ID and LAC), IMEI leakage and a potential SIM-card sharing attack will be explained. 
Yes, a slightly technical nugget of knowledge, yet very accessible and a lot of fun! 
 
'''Importance of presentation for involved audience''' 
The phone systems of the world have always been of interest to everyone: from users who expect privacy, to intelligence agencies who want access. The privacy, integrity and confidentiality of voice communications over telecommunication networks is therefore of interest to anyone who uses mobile phones (i.e.: everyone). It is also typically a closed subject with very little research being done, relative to other security topics such as malware and application vulnerabilities. The combination of little research and high impact on everyone, makes that this topic deserves much more attention than it currently does. The VoLTE weaknesses we will describe are implementation dependent, and largely unpublished (i.e. new).

==== Bio ====

Ralph Moonen CISSP is Technical Director at Secura. Ralph is an old-school ethical hacker with 3 decades of experience as penetration tester, IT-auditor and security consultant. Now, as Technical Director, he is responsible for topics such as R&D and technical projects at Secura.

=== When Serverless Met Security… Serverless Security & Functions-as-a-Service (FaaS) by Niels Tanis ===

==== Abstract ====

Serverless is a design pattern for writing scalable applications in which Functions as a Service (FaaS) is one of the key building blocks. Every mayor Cloud Provider has got his own FaaS available. On Microsoft Azure there is Azure Functions, AWS has got Lambda and Cloud Functions can be used on the Google Cloud. All of these have a lot of similarities in the way they allow developers to create small event driven services. 
From security perspective there are a lot of benefits when moving to a serverless architecture. There is no need to manage any of the machines and the underlying infrastructure. Dealing with updates, patches and infrastructure is the responsibility of the platform provider. FaaS are short lived processes which will be instantiated and destroyed in a matter of milliseconds making it more resilient to denial-of-services (DoS) and also makes it harder to attack and compromise. 
But will all of this be sufficient to be ’secure’ or should we be worried about more? With serverless there is still a piece of software that will be developed, build, deployed and executed. It will also introduce a more complex architecture with corresponding attack surface which also makes it hard to monitor. What about the software supply chain and delivery pipeline? There still will be a need to patch your software for vulnerabilities in code and used 3rd party libraries. In this talk we will identify the security area’s we do need to focus on when developing serverless and define possible solutions for dealing with those problems.

==== Bio ====

Niels Tanis has got a background in .NET development, pentesting and security consultancy. He also holds the CSSLP certification and has been involved in breaking, defending and building secure applications. He joined Veracode in 2015 and right now he works as a security researcher on a variant of languages and technologies related to Veracode’s Binary Static Analysis service. He is married, father of 2 and lives in a small village just outside Amersfoort, The Netherlands.

=== OWASP Zap by David Scrobonia ===

==== Abstract ====

Intoducing security testing tools to a QA or developers workflow can be difficult when the tools aren't easy or intuitive to use. Even for security professionals, the friction of cumbersome security tooling can prevent them from getting the most from a tool or being effective with their time. 
The OWASP ZAP team is working to help enable developers, QA, and hackers alike with the ZAP Heads Up Display, a more user friendly way to engage with the security testing tool. The Heads Up Displays integrates ZAP directly in the browser providing all of the funcitonality of the tool via a heads up display. The goal is to make ZAP more accessible and enabling users, especially developers, to integrate security in their daily workflows. 
This talk will discuss the importance of usable tools, design tradeoffs made to improve usability, the various browser technologies powering the HUD, and how you can start hacking with a heads up display.

==== Bio ====

David Scrobonia is a part of the Security Engineering team at Segment working to secure modern web apps and AWS infrastructure. He contributes to open source in his spare time and is a core team member of the OWASP ZAP project.

=== Juice Shop: OWASP's most broken Flagship by Björn Kimminich ===

==== Abstract ====

OWASP Juice Shop is an intentionally insecure webapp for security trainings written entirely in Javascript which encompasses the entire OWASP Top Ten and many more severe security flaws. In this talk, you'll learn about this open-source project and its capabilities first-hand from its creator. Join a “happy shopper round trip,” enjoy a hacking demo of some of the built-in challenges, witness how to re-theme the Juice Shop into a security awareness booster for your own company, and learn how to set it up for a capture-the-flag (CTF) event in less than 5 minutes!

====Bio====

Björn Kimminich is responsible for global IT architecture and application security at Kuehne + Nagel. On the side, he gives IT security lectures at the non-profit private university Nordakademie. Björn also is the project leader of the OWASP Juice Shop and a board member for the German OWASP chapter. 
[[File:GitHub-Mark_no_background.png|25px|link=https://github.com/bkimminich|GitHub]]
[[File:TwitterLogo.png|25px|link=http://twitter.com/bkimminich|Twitter]]
[[File:LinkedinSquareLogo.png|25px|link=https://www.linkedin.com/in/bkimminich|LinkedIn]]

=== Leaky Processors: Stealing Your Secrets with Foreshadow by Jo Van Bulck ===

==== Abstract ====

For decades, memory isolation has been one of the key principles of
secure system design. The recent wave of speculative execution attacks,
including Meltdown, Spectre, and Foreshadow abruptly showed, however,
that performance optimizations in modern processors fundamentally
undermine application security. 
This talk will review how speculative execution attacks work. What makes
them dangerous, and why they require a paradigm shift in the way we
think about application security. The talk will have a special focus on
the recently disclosed Foreshadow CPU vulnerability, which led to a
complete collapse of state-of-the-art Intel SGX technology, and
necessitated hardware and software patches for all major operating
systems and virtual machine hypervisors.

==== Bio ====

Jo Van Bulck is a PhD researcher at imec-DistriNet, KU Leuven, where he
investigates hardware-level trusted computing from an integrated attack
and defense perspective. His work resulted in a.o., the high-impact
Foreshadow CPU vulnerability announced in August 2018, and several
open-source secure processor prototypes.

=== Fast forwarding Mobile Security with the MSTG by Jeroen Willemsen ===

==== Abstract ====

After the startup of the mobile security project in 2010, the mobile security project and its testing guides have seen quiet some evolution. All of this changed quiet intensively when, in 2016, the Mobile Application Security Verification Standard (MASVS) and the Mobile Application Security Testing Guide (MSTG) were created. Now, two years fast forward: where are we now? How can you use it as a pentester or a developer? We will start with introducing the current state of the MSTG and its side-projects and then show various demos on iOS and Android. 

==== Bio ====

Jeroen Willemsen is a Principal Security Architect at Xebia. With a love for mobile security, he recently became one of the projectleaders for the OMTG project (MASV & MSTG). Jeroen is more or less a jack of all trades with interest in infrastructure security, risk management and application security.

=== Lessons From The Legion (The OWASP BeNeLux Remix) by Nick Drage ===

==== Abstract ====

Look at your job, your colleagues, your industry. Very smart people, working very hard... and yet it feels like we're losing. 
 
''Why?'' 
 
Cyber security has always been a technology driven, engineer led industry - self-taught practitioners have chosen tactics and point solutions based on what fits in with their preferred ways of working and studying. We need better strategies to make use of those tactics. We can learn those strategies from other contexts and conflicts to improve our own methods and practices. 
 
''Would you like to start winning?''
====Bio====

Nick is the Director of Path Dependence Limited, and has over two decades of experience in the cyber security field… previously he was "SecOps” before the term was invented, as well as having been a SysAdmin, PCI QSA, pre-sales analyst, CHECK Team Leader, and various other less well defined roles. Nick is currently a Cyber Security Consultant and Penetration Tester, with occasional forays into being a Wargame Umpire, Adversarial Analyst, or Professional Wildcard.



= Social Event =

'''The Social Event is on Thursday, November 29th'''

'''If you want to join the social event, don't forget to register for it via the registration:'''



The social event details will be published very soon! Stay tuned.


= Sponsor =

''' Become a sponsor of OWASP BeNeLux! '''

There are 3 combined sponsorship packages (Gold, Silver or Bronze) that cover the BeNeLux chapter meetings 2019 and the BeNeLux OWASP Days 2018.

Download our [https://www.owasp.org/images/8/8e/OWASP_BeNeLux_2018_Sponsorship_Form_v20181004.pdf sponsor brochure] and contact [mailto:seba@owasp.org us] for questions or sponsorship confirmation!

Your sponsorship will be invested directly in the chapter meetings, supporting speaker and catering expenses.

The sponsorship will also be dedicated to cover the costs of the OWASP 2018 BeNeLux event.

__NOTOC__
<headertabs></headertabs>

=== Made possible by our {{#switchtablink:Sponsor|Sponsors}}===

==== Gold ====

[[File:DavinsiLabs.png|250px|link=https://www.davinsilabs.com]]
[http://www.vest.nl https://www.owasp.org/images/6/67/Vest.jpg]

==== Silver ====

[[File:LogoIngenicoGroup.png|250px|link=https://ingenico.be]]
[[File:LogoToreon.jpg|250px|link=https://www.toreon.com]]
[[File:LogoSynopsys.png|250px|link=https://www.synopsys.com]]
[[File:Nviso_logo_RGB_baseline_200px.png|250px|link=http://www.nviso.be]]

==== Bronze ====

[https://informatiebeveiliging.nl/ https://www.owasp.org/images/9/9a/Logo_Informatiebeveiliging-200.png]

[[Category:OWASP_AppSec_Conference]]
[[Category:OWASP_BeNeLux_Archives]]

OWASP BeNeLux-Days 2018

2018-11-20T19:03:37Z

Thomas Herlea: Linkified the chapter names in the list of the organizing committee members to point to the respective homepages.

<center>[[Image:OBNL18 Banner v2.png]]</center>

 


= Information =

== Confirmed Conference Speakers ==



* David Scrobonia
* Niels Tanis
* Jeroen Willemsen
* Björn Kimminich
* Ralph Moonen
* Jo Van Bulck
* Lennert Wouters
* Nick Drage


== Confirmed Trainers ==


* Andrew Martin
* David Scrobonia
* Jeroen Beckers - Stephanie Vanroelen



== OWASP BeNeLux conference is free, but registration is required! ==

[[image:Register_now_red.png|link=https://owasp-benelux-day-2018.eventbrite.com |alt=Register NOW! | Register NOW! ]]

'''To support the OWASP organisation, consider to become a member, it's only US$50! Check out the [[Membership]] page to find out more.'''
 

== The OWASP BeNeLux Program Committee ==

* Sebastien Deleersnyder / Lieven Desmet / David Mathy / Thomas Herlea / Stella Dineva / Adolfo Solero / Bart De Win, [[Belgium|OWASP Belgium]]
* Martin Knobloch / Joren Poll / Edwin Goweling, [[Netherlands|OWASP Netherlands]]
* [[Luxembourg|OWASP Luxembourg]]

== Tweet! ==

Event tag is [http://twitter.com/#search?q=%23owaspbnl17 #owaspbnl18]

== Donate to OWASP BeNeLux ==

[https://co.clickandpledge.com/?wid=72689 Donate]


= Registration =

== OWASP BeNeLux conference and training days are free, but registration is required! ==

[[image:Register_now_red.png|link=https://owasp-benelux-day-2018.eventbrite.com |alt=Register NOW! | Register NOW! ]]

'''To support the OWASP organisation, consider to become a member, it's only US$50! Check out the [[Membership]] page to find out more.'''



= Venue =

== Address ==

Venue:

'''Congres- en Erfgoedcentrum Lamot'''
Van Beethovenstraat 8-10
2800 Mechelen
Belgium

[https://goo.gl/maps/gZ9icR178w52 Google map]
 
[[File:Mechelen-Lamot.jpg|350px|Lamot conference center]]
[[File:Mechelen-lamot-center-auditorium.jpg|350px|Auditorium]] 

Parking: 
[[File:Parking lots around Lamot Conference center Mechelen.png|500px|Parking facilities]] 
[https://goo.gl/maps/Q5TD7hoTuUu Find your parking on Google Maps]

=== How to reach the venue? ===

==== Public transport ====

You can reach the Mechelen's train station from Antwerpen or Brussels.
The Lamot conference center is 10 min away by bus (line 1).

Or you can choose to walk for 15 min (1.2 km).

==== By car ====

===== From Brussels: =====
Follow the E19 Brussels / Antwerpen and take the exit 10. Follow the N1 until the R12 (take a left) and turn to the right at the "Brusselpoort" into the Hoogstraat to reach one of the parkings.

===== From Antwerpen: =====
Follow the E19 Brussels / Antwerpen and take the exit 9. Follow the N16 until the R12 (take a right) and turn to the left at the "Brusselpoort" into the Hoogstraat to reach one of the parkings.

=== Hotels Nearby ===
[https://www.google.com/maps/d/viewer?mid=1eYMYmwXKuAsTilKgpAtyYtfMA7A&ll=51.02648134397288%2C4.47819800000002&z=15 Hotels around the Lamot conference center]


= Training Day =

'''Training Day is November 29th'''
== Agenda==

{| class="wikitable"
! Time !! Description !! Training 1 !! Training 2 !! Training 3
|-
| 08h30 - 9h30
| colspan="5" style="text-align: center; background: grey; color: white;" | ''Registration''
|-
| 09h30 - 11h00 || Training
| rowspan="7" style="width:100px;" | [[#TRAINING_1 | Kubernetes security]] by Andrew Martin
| rowspan="7" style="width:100px;" | [[#TRAINING_2 | OWASP Zap Training]] by David Scrobonia
| rowspan="7" style="width:100px;" | [[#TRAINING_3 | Android security workshop]] by Jeroen Beckers & Stephanie Vanroelen
|-
| 11h00 - 11h30 || ''Coffee Break''
|-
| 11h30 - 13h00 || Training
|-
| 13h00 - 14h00 || ''Lunch''
|-
| 14h00 - 15h30 || Training
|-
| 15h30 - 16h00 || ''Coffee Break''
|-
| 16h00 - 17h30 || Training
|}

Choose the most appropriate training as they will be hosted at the same time.

== Trainings ==

=== Training 1 - Kubernetes security by Andrew Martin ===

==== Abstract ====

===== Course Description =====
The course guides attendees through Linux container security in general, and progresses to advanced Kubernetes cluster security. It emphasises pragmatic threat modelling and risk assessment based on an understanding of the tools and primitives available, rather than dogmatic dos and don’ts.

===== Course Outline =====
* How to attack containerised workloads
* Enhanced container security
* How to attack Kubernetes
* Interactive production cluster hacking
* Hardening Kubernetes
* Locking down applications
* Security tooling and vendor landscape

===== Who Should Attend =====
This course is suitable for intermediate to advanced Kubernetes users who want to strengthen their security understanding. It is particularly beneficial for those operating Kubernetes in a high-compliance domain, or for established security professionals looking to update their skills for the cloud native world.

==== Bio ====

Andrew has a strong test-first engineering ethos gained architecting and deploying high-traffic web applications. Proficient in systems development, testing, and maintenance, he is comfortable profiling and securing every tier of a bare metal or cloud native application, and has battle-hardened experience delivering containerised solutions to enterprise clients. He is a co-founder at https://control-plane.io

=== Training 2 - OWASP Zap Training by David Scrobonia ===

==== Abstract ====

This hands on course will start with the basics of using ZAP attack proxy and finish with leveraging it's API to integrate ZAP within you CI/CD processes. Along the way we will be practicing techniques by attacking the OWASP JuiceShop, an intentionally vulnerable web application.

==== Audience ====

This couse is designed for both new and experienced users. No knowledge or experience with ZAP is required, but even those familiar with ZAP will learn something new.

==== Contents ====
# Basic Techniques & Manual Testing
# Advanced Techniques & Automated Testing
# Scripting with ZAP
# Using ZAP within your CI/CD Pipeline

==== Bio ====

David Scrobonia is a part of the Security Engineering team at Segment working to secure modern web apps and AWS infrastructure. He contributes to open source in his spare time and is a core team member of the OWASP ZAP project.

=== Training 3 - Android security workshop by Jeroen Beckers & Stephanie Vanroelen ===

==== Abstract ====

In this workshop, participants will come in contact with the basics of
Android application security. Through hands-on exercises, Jeroen and
Stephanie will show which mistakes can be made, both at the design and
implementation level, that can compromise the security of both the
application and the backend server. Although no real prior experience
with Android is needed, some basic knowledge on programming is advised.

==== Participation requirements ====
* Basic linux / terminal knowledge
* Be able to understand the OWASP Top 10 (Not Mobile)
* Laptop with VirtualBox / VMWare (At least 8GB of RAM)

==== Bio ====

Jeroen Beckers is a security researcher at NVISO. He focusses mainly on
mobile applications for Android/iOS and sometimes even Windows Phone
(yes, some people actually use it!). Apart from breaking mobile
applications, he also gives security trainings and presentations at
conferences. 
 
Stephanie Vanroelen is an IT security consultant currently focussing on Web and
Mobile Application Security. Her experiences in organizing IT Security
conferences such as BruCON and CyberSKool help her with project
management and communication skills. In her free time she pretends to be
Godzilla :).



= Conference Day =

'''Conference Day is November 30th'''

== Agenda ==

{| class="wikitable"
! width="120pt" | Time
! width="190pt" | Speaker
! width="400pt" | Topic

|-
| 08h30 - 09h15
| colspan="3" style="text-align: center; background: grey; color: white" | ''Registration''
|-
| 09h15 - 09h30
| colspan="3" style="text-align: center; background: grey; color: white" | ''Opening''
|-
| 09h30 - 10h15
| [[#TALK_0930 | Lennert Wouters]]
| [[#TALK_0930 | Fast, Furious and Insecure: Passive Keyless Entry and Start in Modern Supercars]]

|-
| 10h15 - 11h00
| [[#TALK_1015 | Ralph Moonen]]
| [[#TALK_1015 | Weaknesses in our voice communications network: from Blue Boxing to VoLTE]]

|-
| 11h00 - 11h30
| colspan="3" style="text-align: center;background: grey; color: white" | ''Morning Break''
|-
| 11h30 - 12h15
| [[#TALK_1130 | Niels Tanis]]
| [[#TALK_1130 | When Serverless Met Security… Serverless Security & Functions-as-a-Service (FaaS)]]

|-
| 12h15 - 13h00
| [[#TALK_1215 | David Scrobonia]]
| [[#TALK_1215 | OWASP Zap]]

|-
| 13h00 - 14h00
| colspan="3" style="text-align: center;background: grey; color: white" | ''Lunch''
|-
| 14h00 - 14h45
| [[#TALK_1400 | Björn Kimminich]]
| [[#TALK_1400 | Juice Shop: OWASP's most broken Flagship]]

|-
| 14h45 - 15h30
| [[#TALK_1445 | Jo Van Bulck]]
| [[#TALK_1445 | Leaky Processors: Stealing Your Secrets with Foreshadow]]

|-
| 15h30 - 16h00
| colspan="3" style="text-align: center;background: grey; color: white" | ''Afternoon Break''
|-
| 16h00 - 16h45
| [[#TALK_1600 | Jeroen Willemsen]]
| [[#TALK_1600 | Fast forwarding Mobile Security with the MSTG]]

|-
| 16h45 - 17h30
| [[#TALK_1645 | Nick Drage]]
| [[#TALK_1645 | Lessons from the legion (The OWASP BeNeLux Remix)]]

|-
| 17h30 - 17h45
| colspan="3" style="text-align: center;background: grey; color: white" | ''Closing''
|}

== Talks ==

=== Fast, Furious and Insecure: Passive Keyless Entry and Start in Modern Supercars by Lennert Wouters ===

==== Abstract ====

The security of immobiliser and Remote Keyless Entry systems has been extensively studied over the past years. Passive Keyless Entry and Start systems, which are currently deployed in luxury vehicles, have not received as much attention.
During this presentation we will share the techniques used in reverse engineering the Tesla Model S Passive Keyless Entry and Start system. We will discuss multiple security weaknesses in the system including the use of an inadequate proprietary cipher using 40-bit keys, the lack of mutual authentication in the challenge-response protocol, hardware configuration mistakes and the absence of security partitioning. 
We verified our findings by implementing a proof of concept attack allowing us to clone a Tesla Model S key fob in a matter of seconds with low cost commercial off the shelf equipment. 
Finally, we will share our experience with the responsible disclosure of these finding to Tesla Motors and other likely affected manufacturers such as McLaren, Karma Automotive and Triumph Motorcycles as they all use the same system developed by Pektron.

====Bio====

Lennert Wouters is a PhD researcher at the Computer Security and Industrial Cryptography (COSIC) research group at KU Leuven. His research interests involve hardware security of connected embedded devices and side channel attacks.

=== Weaknesses in our voice communications network: from Blue Boxing to VoLTE by Ralph Moonen ===

==== Abstract ====

Voice over 4G, or VoLTE, brings back the phreaking 80's. Once again, after 3 decades, the signaling path of telephony is accessible to end users. No more R1, R2, C4 or C5 however: we now have SIP. As it turns out, the implementations of SIP and VoLTE in various European providers' 4G infrastructures, open up a host of possibilities. During our research over the past few years we have identified vulnerabilities in implementations such as txt message spoofing, subscriber enumeration, location determination (leakage of cell-ID and LAC), IMEI leakage and a potential SIM-card sharing attack. 
During this talk we will begin with a little historic stroll of phone phreaking through notable events and discoveries over the years. Bridging the narrative over the last few decades, new technologies such as VoIP, Volte, and VoWiFi are introduced, explaining the 4G and VoLTE infrastructure components and protocols. Next, on a rooted Android phone, we will show what control the user has over the VoLTE stack using some standard tools and the IPv6 stack. This includes hidden activities in Android and extraction of IPsec keys from the VoLTE stack. We will show that it is possible to import keys to Wireshark and monitor the IPv6 SIP traffic and components. Finally, examples of the vulnerabilities in implementations such as txt message spoofing, subscriber enumeration, location determination (leakage of cell-ID and LAC), IMEI leakage and a potential SIM-card sharing attack will be explained. 
Yes, a slightly technical nugget of knowledge, yet very accessible and a lot of fun! 
 
'''Importance of presentation for involved audience''' 
The phone systems of the world have always been of interest to everyone: from users who expect privacy, to intelligence agencies who want access. The privacy, integrity and confidentiality of voice communications over telecommunication networks is therefore of interest to anyone who uses mobile phones (i.e.: everyone). It is also typically a closed subject with very little research being done, relative to other security topics such as malware and application vulnerabilities. The combination of little research and high impact on everyone, makes that this topic deserves much more attention than it currently does. The VoLTE weaknesses we will describe are implementation dependent, and largely unpublished (i.e. new).

==== Bio ====

Ralph Moonen CISSP is Technical Director at Secura. Ralph is an old-school ethical hacker with 3 decades of experience as penetration tester, IT-auditor and security consultant. Now, as Technical Director, he is responsible for topics such as R&D and technical projects at Secura.

=== When Serverless Met Security… Serverless Security & Functions-as-a-Service (FaaS) by Niels Tanis ===

==== Abstract ====

Serverless is a design pattern for writing scalable applications in which Functions as a Service (FaaS) is one of the key building blocks. Every mayor Cloud Provider has got his own FaaS available. On Microsoft Azure there is Azure Functions, AWS has got Lambda and Cloud Functions can be used on the Google Cloud. All of these have a lot of similarities in the way they allow developers to create small event driven services. 
From security perspective there are a lot of benefits when moving to a serverless architecture. There is no need to manage any of the machines and the underlying infrastructure. Dealing with updates, patches and infrastructure is the responsibility of the platform provider. FaaS are short lived processes which will be instantiated and destroyed in a matter of milliseconds making it more resilient to denial-of-services (DoS) and also makes it harder to attack and compromise. 
But will all of this be sufficient to be ’secure’ or should we be worried about more? With serverless there is still a piece of software that will be developed, build, deployed and executed. It will also introduce a more complex architecture with corresponding attack surface which also makes it hard to monitor. What about the software supply chain and delivery pipeline? There still will be a need to patch your software for vulnerabilities in code and used 3rd party libraries. In this talk we will identify the security area’s we do need to focus on when developing serverless and define possible solutions for dealing with those problems.

==== Bio ====

Niels Tanis has got a background in .NET development, pentesting and security consultancy. He also holds the CSSLP certification and has been involved in breaking, defending and building secure applications. He joined Veracode in 2015 and right now he works as a security researcher on a variant of languages and technologies related to Veracode’s Binary Static Analysis service. He is married, father of 2 and lives in a small village just outside Amersfoort, The Netherlands.

=== OWASP Zap by David Scrobonia ===

==== Abstract ====

Intoducing security testing tools to a QA or developers workflow can be difficult when the tools aren't easy or intuitive to use. Even for security professionals, the friction of cumbersome security tooling can prevent them from getting the most from a tool or being effective with their time. 
The OWASP ZAP team is working to help enable developers, QA, and hackers alike with the ZAP Heads Up Display, a more user friendly way to engage with the security testing tool. The Heads Up Displays integrates ZAP directly in the browser providing all of the funcitonality of the tool via a heads up display. The goal is to make ZAP more accessible and enabling users, especially developers, to integrate security in their daily workflows. 
This talk will discuss the importance of usable tools, design tradeoffs made to improve usability, the various browser technologies powering the HUD, and how you can start hacking with a heads up display.

==== Bio ====

David Scrobonia is a part of the Security Engineering team at Segment working to secure modern web apps and AWS infrastructure. He contributes to open source in his spare time and is a core team member of the OWASP ZAP project.

=== Juice Shop: OWASP's most broken Flagship by Björn Kimminich ===

==== Abstract ====

OWASP Juice Shop is an intentionally insecure webapp for security trainings written entirely in Javascript which encompasses the entire OWASP Top Ten and many more severe security flaws. In this talk, you'll learn about this open-source project and its capabilities first-hand from its creator. Join a “happy shopper round trip,” enjoy a hacking demo of some of the built-in challenges, witness how to re-theme the Juice Shop into a security awareness booster for your own company, and learn how to set it up for a capture-the-flag (CTF) event in less than 5 minutes!

====Bio====

Björn Kimminich is responsible for global IT architecture and application security at Kuehne + Nagel. On the side, he gives IT security lectures at the non-profit private university Nordakademie. Björn also is the project leader of the OWASP Juice Shop and a board member for the German OWASP chapter. 
[[File:GitHub-Mark_no_background.png|25px|link=https://github.com/bkimminich|GitHub]]
[[File:TwitterLogo.png|25px|link=http://twitter.com/bkimminich|Twitter]]
[[File:LinkedinSquareLogo.png|25px|link=https://www.linkedin.com/in/bkimminich|LinkedIn]]

=== Leaky Processors: Stealing Your Secrets with Foreshadow by Jo Van Bulck ===

==== Abstract ====

For decades, memory isolation has been one of the key principles of
secure system design. The recent wave of speculative execution attacks,
including Meltdown, Spectre, and Foreshadow abruptly showed, however,
that performance optimizations in modern processors fundamentally
undermine application security. 
This talk will review how speculative execution attacks work. What makes
them dangerous, and why they require a paradigm shift in the way we
think about application security. The talk will have a special focus on
the recently disclosed Foreshadow CPU vulnerability, which led to a
complete collapse of state-of-the-art Intel SGX technology, and
necessitated hardware and software patches for all major operating
systems and virtual machine hypervisors.

==== Bio ====

Jo Van Bulck is a PhD researcher at imec-DistriNet, KU Leuven, where he
investigates hardware-level trusted computing from an integrated attack
and defense perspective. His work resulted in a.o., the high-impact
Foreshadow CPU vulnerability announced in August 2018, and several
open-source secure processor prototypes.

=== Fast forwarding Mobile Security with the MSTG by Jeroen Willemsen ===

==== Abstract ====

After the startup of the mobile security project in 2010, the mobile security project and its testing guides have seen quiet some evolution. All of this changed quiet intensively when, in 2016, the Mobile Application Security Verification Standard (MASVS) and the Mobile Application Security Testing Guide (MSTG) were created. Now, two years fast forward: where are we now? How can you use it as a pentester or a developer? We will start with introducing the current state of the MSTG and its side-projects and then show various demos on iOS and Android. 

==== Bio ====

Jeroen Willemsen is a Principal Security Architect at Xebia. With a love for mobile security, he recently became one of the projectleaders for the OMTG project (MASV & MSTG). Jeroen is more or less a jack of all trades with interest in infrastructure security, risk management and application security.

=== Lessons From The Legion (The OWASP BeNeLux Remix) by Nick Drage ===

==== Abstract ====

Look at your job, your colleagues, your industry. Very smart people, working very hard... and yet it feels like we're losing. 
 
''Why?'' 
 
Cyber security has always been a technology driven, engineer led industry - self-taught practitioners have chosen tactics and point solutions based on what fits in with their preferred ways of working and studying. We need better strategies to make use of those tactics. We can learn those strategies from other contexts and conflicts to improve our own methods and practices. 
 
''Would you like to start winning?''
====Bio====

Nick is the Director of Path Dependence Limited, and has over two decades of experience in the cyber security field… previously he was "SecOps” before the term was invented, as well as having been a SysAdmin, PCI QSA, pre-sales analyst, CHECK Team Leader, and various other less well defined roles. Nick is currently a Cyber Security Consultant and Penetration Tester, with occasional forays into being a Wargame Umpire, Adversarial Analyst, or Professional Wildcard.



= Social Event =

'''The Social Event is on Thursday, November 29th'''

'''If you want to join the social event, don't forget to register for it via the registration:'''



The social event details will be published very soon! Stay tuned.


= Sponsor =

''' Become a sponsor of OWASP BeNeLux! '''

There are 3 combined sponsorship packages (Gold, Silver or Bronze) that cover the BeNeLux chapter meetings 2019 and the BeNeLux OWASP Days 2018.

Download our [https://www.owasp.org/images/8/8e/OWASP_BeNeLux_2018_Sponsorship_Form_v20181004.pdf sponsor brochure] and contact [mailto:seba@owasp.org us] for questions or sponsorship confirmation!

Your sponsorship will be invested directly in the chapter meetings, supporting speaker and catering expenses.

The sponsorship will also be dedicated to cover the costs of the OWASP 2018 BeNeLux event.

__NOTOC__
<headertabs></headertabs>

=== Made possible by our {{#switchtablink:Sponsor|Sponsors}}===

==== Gold ====

[[File:DavinsiLabs.png|250px|link=https://www.davinsilabs.com]]
[http://www.vest.nl https://www.owasp.org/images/6/67/Vest.jpg]

==== Silver ====

[[File:LogoIngenicoGroup.png|250px|link=https://ingenico.be]]
[[File:LogoToreon.jpg|250px|link=https://www.toreon.com]]
[[File:LogoSynopsys.png|250px|link=https://www.synopsys.com]]

==== Bronze ====

[https://informatiebeveiliging.nl/ https://www.owasp.org/images/9/9a/Logo_Informatiebeveiliging-200.png]

[[Category:OWASP_AppSec_Conference]]
[[Category:OWASP_BeNeLux_Archives]]

Belgium Chapter Meeting Template

2018-10-29T11:08:05Z

Thomas Herlea: Factored out the template for meetings into its own page.

== YYYY-MM-DD Meeting ==



=== Where ===

* Host: [HOST_WEB_SITE HOST_INSTITUTION]

* Address ([https://MAP_FROM_HOSTS_SITE_OR_GOOGLE_MAPS map], [https://DIRECTIONS_PAGE_FROM_HOST_WEB_SITE_OR_GOOGLE_MAPS directions])
ADDRESS_STREET_AND_NUMBER_INDENTED_1_SPACE
ADDRESS_POSTCODE_AND_PLACE_INDENTED_1_SPACE

=== Agenda ===

* 18h15 - 19h00: Welcome & sandwiches
* 19h00 - 19h10:  ''OWASP Update'' by Sebastien Deleersnyder (OWASP)
* 19h10 - 20h00:  ''TITLE_TALK_1'' by PRESENTER_TALK_1 (INSTITUTION_PRESENTER_TALK_1)
* 20h00 - 20h10: Break
* 20h10 - 21h00:  ''TITLE_TALK_2'' by PRESENTER_TALK_2 (INSTITUTION_PRESENTER_TALK_2)
* 21h00 - 21h30: Networking drink

=== Program ===

==== TITLE_TALK_1 ====

* Speaker:  PRESENTER_TALK_1 (INSTITUTION_PRESENTER_TALK_1
* Presentation attachment:  not yet available

''Abstract''

ABSTRACT_TALK_1

''Speaker Bio''

BIO_PRESENTER_TALK_1

==== TITLE_TALK_2 ====

* Speaker:  PRESENTER_TALK_1(INSTITUTION_PRESENTER_TALK_2
* Presentation attachment:  not yet available

''Abstract''

ABSTRACT_TALK_2

''Speaker Bios''

BIO_PRESENTER_TALK_2

=== Registration ===

Registration will be via EventBrite:  coming soon

=== Coverage ===

Belgium Events 2018

2018-10-29T10:43:54Z

Thomas Herlea: Factored out the meeting template into its own page.

<noinclude>
These are the 2018 events of the [[Belgium|OWASP Belgium Chapter]]. 

Previous year: [[Belgium Events 2017|2017]].</noinclude>

== OWASP BeNeLux Days 2018 ==

This conference has its own page: [[OWASP_BeNeLux-Days_2018]].

== 23 October 2018 Meeting ==

=== Where ===

* Host: [https://securecodewarrior.com/ Secure Code Warrior]

* Address ([https://goo.gl/maps/e6Ej1v44tf32 map], [https://goo.gl/maps/UoW1EM3kbfy directions], 10 minutes walk from Brugge train station)
Baron Ruzettelaan 1
8310 Assebroek

* Parking is available under the building, open from 5 p.m., the entrance is at the back:
Vestingstraat 88
8310 Assebroek

=== Agenda ===

* 18h00 - 18h50: Welcome & pizzas
* 18h50 - 19h00: [[Media:OWASP_Belgium_update_2018-10-23_v1.pptx|OWASP Update]] by Sebastien Deleersnyder (OWASP)
* 19h00 - 19h30: [[Media:OWASP_20181023_EffectivelyDistributeSoftwareSecurityKnowledge.pdf|Effectively Distribute Software Security Knowledge]] by Pieter De Cremer and Nathan Desmet (Secure Code Warrior)
* 19h30 - 19h45: Beers from Bruges break
* 19h45 - 20h25: [[Media:OWASP_20181023_CommonAPISecurityPitfalls.pdf|Common API Security Pitfalls]] by Philippe De Ryck (Pragmatic Web Security)
* 20h25 - 22h00: Networking and more beers from Bruges

=== Program ===

==== Effectively Distribute Software Security Knowledge ====

* Speaker: [https://www.linkedin.com/in/pdcremer/ Pieter De Cremer] ([https://twitter.com/pdcremer @pdcremer]) and [https://www.linkedin.com/in/nathan-desmet-687345aa/ Nathan Desmet] (Secure Code Warrior)
* Presentation attachment: [[:File:OWASP_20181023_EffectivelyDistributeSoftwareSecurityKnowledge.pdf]]

''Abstract''

Security is still a big concern in application development, as breaches appear in the media on a regular basis. Up to 90 percent of security issues are caused by problems or oversight in the code (U.S. Department of Homeland Security, “Infosheet Software Assurance”, https://www.us-cert.gov/sites/default/files/publications/infosheet_SoftwareAssurance.pdf, last accessed 2018-05-22). They are the result of errors made by the developers. At the same time, many of these issues are well known, well-documented problems. But the security experts in charge of securing the application are understaffed with an average of less than two security experts per hundred developers (Gary McGraw, Ph.D., Sammy Migues and Jacob West, “Building Security In Maturity Model (BSIMM)”, https://www.bsimm.com/, 2018). So the problem is not a lack of knowledge on security but the distribution of it without requiring costly, unscalable communication cycles between individual developers and security experts. In this talk we will outline the goal of a new approach to improve software security, focused on distributing software security knowledge so that software engineers can effectively put it into practice with minimal impact on their daily tasks.

''Speaker Bios''

'''Pieter De Cremer''' is an R&D Engineer and Security Researcher at Secure Code Warrior, where he is responsible for researching a wide variety of application vulnerabilities and developing this into new content and coding challenges for the Secure Code Warrior platform. His passion lies in empowering developers to be the first line of defence in their organisation by making security
easy to understand.

Pieter graduated with a Masters in Computer Science Engineering from the University of Ghent and is currently completing his PhD in Secure Design Programming Aid for the Internet of Things through a personal grant from the Flemish government. When he is away from his desk, Pieter has also facilitated a number of secure coding workshops with Ghent University, Howest Bruges and Antwerp University, helping students improve their secure coding skills. His repertoire of coding languages includes C, C++, Java, Python, node and Haskell.

'''Nathan Desmet''' is the Lead Engineer at Secure Code Warrior, where he is responsible for developing Sensei, a real-time correction and coaching IDE plug-in for secure coding. His passion lies in building world-class software applications that makes an impact in the way developers build software with a focus on security.

Prior to Secure Code Warrior, Nathan has worked for NVISO where he created the Cyber Security Challenge platform, the biggest computer security competition in Belgium. Nathan also co-founded Sensei Security, and founded Applix, a software consultancy firm. His clients include SMEs in the technology and legal sector.

Nathan graduated with a degree in Computer Science from the University of Howest Bruges, majoring in Computer and Cybercrime Professional.

==== Common API Security Pitfalls ====

* Speaker: [https://twitter.com/PhilippeDeRyck Philippe De Ryck] ([https://pragmaticwebsecurity.com/ Pragmatic Web Security])
* Presentation attachment: [[:File:OWASP_20181023_CommonAPISecurityPitfalls.pdf]]

''Abstract''

The shift towards an API landscape indicates a significant evolution in the way we build applications. The rise of JavaScript and mobile applications have sparked an explosion of easily-accessible REST APIs. But how do you protect access to your API? Which security aspects are no longer relevant? Which security features are an absolutely must-have, and which additional security measures do you need to take into account?

These are hard questions, as evidenced by the deployment of numerous insecure APIs. Attend this session to find out about common API security pitfalls, that often result in compromised user accounts and unauthorized access to your data. We expose the problem that lies at the root of each of these pitfalls, and offer actionable advice to address these security problems. After this session, you will know how to assess the security of your APIs, and the best practices to improve them towards the future.

''Speaker Bio''

Philippe De Ryck is the founder of Pragmatic Web Security, where he travels the world to train developers on web security and security engineering. He holds a Ph.D. in web security from KU Leuven. Google recognizes Philippe as a Google Developer Expert for his knowledge of web security and security in Angular applications.

=== Registration ===

Registration was via EventBrite: https://owasp-belgium-2018-10-23.eventbrite.com

=== Coverage ===

n/a

== 17 September 2018 Meeting ==

=== Where ===

* Host: [https://ec.europa.eu European Commission]

* Address ([https://www.google.com/maps/place/Place+Madou+1,+1210+Saint-Josse-ten-Noode/ map], [https://www.google.com/maps/dir//Place+Madou+1,+1210+Saint-Josse-ten-Noode directions])
Place Madou, 1
1210 Saint-Josse-Ten-Noode

=== Agenda ===

* 18h00 - 18h50: Welcome & sandwiches
* 18h50 - 19h00: [https://www.owasp.org/images/9/9b/Owasp_Belgium_update_2018-09-17_v1.pptx OWASP Update] by Sebastien Deleersnyder (OWASP)
* 19h00 - 19h10: ''Intro by the EC'' by Miguel Soria Machado (Head of Sector CSIRC, DIGIT IT Security Directorate, European Commission)
* 19h10 - 20h00: [https://www.owasp.org/images/1/17/Dirk_Wetter_-_Docker_Security_Brussels.pdf Docker Threat Modeling and Top 10] by Dirk Wetter
* 20h00 - 20h10: Break
* 20h10 - 21h00: [https://www.owasp.org/images/1/1c/Securing_Containers_on_the_High_Seas_%28OWASP_Belgium_September_17-09-2018%29.pdf Securing Containers on the High Seas] by Jack Mannino (nVisium)
* 21h00 - 21h30: Networking drink

=== Program ===

==== Docker Threat Modeling and Top 10 ====

* Speaker: [https://twitter.com/drwetter Dirk Wetter]
* Presentation: https://www.owasp.org/images/1/17/Dirk_Wetter_-_Docker_Security_Brussels.pdf

''Abstract''

Docker containers offer several advantages for developers. Most notably they fit perfectly in software development processes, they enable fast, reproducible deployments and when properly done, with little change the same container can run either in a test or production environment.

Despite threatening information out there Docker offers per se also several security advantages. However it is important to make use of them and as a minimum avoid several pitfalls. In a worst case scenario this can lead otherwise to less security or the security benefits which the containment
technology offers are not being used at all.

To avoid this a proper fundamental approach is needed.

Thus this talk models first the most important threats to containerized environments out there. Based on that the speaker will present 10 security bullet points which covers:

* important Do's and Dont's,
* for advanced needs how to tighten security further.

At the end the speaker gives advice how to check your Docker and Kubernetes security status yourself.

The talk is based on practical experiences at several costumers and on the speaker's solid network and systems security expertise.

''Speaker Bio''

Dirk Wetter (Ph.D.) is an independent security consultant with more than 20 years professional experience in information security with a broad technical and information security management background.

His primary focus nowadays is around web application security. He has also a solid background on network and systems security.

He's also founder and maintainer of the open source project testssl.sh which checks the encryption of every SSL/TLS enabled service.

==== Securing Containers on the High Seas ====

* Speaker: [https://twitter.com/jack_mannino Jack Mannino] (nVisium)
* Presentation: https://www.owasp.org/images/1/1c/Securing_Containers_on_the_High_Seas_%28OWASP_Belgium_September_17-09-2018%29.pdf

''Abstract''

It can be a difficult challenge for organizations to securely migrate to containers while shifting processes and security controls. Making the move from legacy virtualization and monolithic deployments to containers requires a solid strategy. Containers offer many inherent security benefits but it’s important to build controls in beyond the containers themselves. From development through container registries and deployment to a runtime environment, it’s important to enforce security and eliminate risks as they’re introduced.

This presentation will focus on scaling container security within an enterprise and building security controls into the way you build, ship, and run containerized services. We will discuss the modern container landscape including different container runtimes and isolation models. We will explore the container lifecycle from your developer’s laptop through your production environment and examine the key security problems to mitigate.

''Speaker Bios''

Jack Mannino is the CEO of nVisium. Passionate about security and impossible to keep away from a keyboard, his expertise spans over 15 years of building, breaking, and securing software. Jack founded nVisium in 2009, and since has helped the world's largest software teams enhance security across their software portfolios. He has spoken at conferences globally on topics such as secure design, mobile application security, and cloud-native security.

=== Registration ===

Two step registration:

# Registration was via EventBrite: https://owasp-belgium-2018-09-17.eventbrite.com.
# Pre-registration of participants' ID documents, necessary for passing security checkpoint at the entrance to the site was via: https://ec.europa.eu/eusurvey/runner/OWASPBelgiumChapterMeetingSept17. The deadline for this registration was ''Sunday, September 16th midnight''.

=== Coverage ===

n/a

== 19 March 2018 Meeting ==

=== Where ===

* Host: [https://www.ing.be ING Belgium]

* Address ([https://branches.ing.be/branch/1040_bxl-non-residents map])
Cours St Michel 60
1040 Brussel

=== Agenda ===

* 18h15 - 19h00: Welcome & sandwiches
* 19h00 - 19h10: ''OWASP Update'' by Sebastien Deleersnyder (OWASP)
* 19h10 - 20h00: ''KRACKing WPA2 in Practice Using Key Reinstallation Attacks''  by Mathy Vanhoef (imec-DistriNet-KU Leuven)
* 20h00 - 20h10: Break
* 20h10 - 21h00: ''Making the web secure by design''  by Glenn Ten Cate (ING Belgium) and Riccardo Ten Cate (Xebia)
* 21h00 - 21h30: Networking drink

=== Program ===

==== KRACKing WPA2 in Practice Using Key Reinstallation Attacks ====

* Speaker: Mathy Vanhoef (imec-DistriNet-KU Leuven)
* Presentation: not yet available 

''Abstract''

This talk presents the key reinstallation attack against WPA2 (KRACK attack). It abuses design or implementation flaws in cryptographic protocols to reinstall an already-in-use key. This resets the key’s associated parameters such as transmit nonces and receive replay counters. Several cryptographic Wi-Fi handshakes are affected by the attack.

All protected Wi-Fi networks use the 4-way handshake to generate a fresh session key. So far, this 14-year-old handshake has remained free from attacks. However, we show that the 4-way handshake is vulnerable to a key reinstallation attack. Here, the adversary tricks a victim into reinstalling an already-in-use key. This is achieved by manipulating and replaying handshake messages. When reinstalling the key, associated parameters such as the incremental transmit packet number (nonce) and receive packet number (replay counter) are reset to their initial value.

The talk also discusses the vulnerability disclosure process that was followed. Since the discovery affected numerous vendors, coordinating the disclosure was non-trivial.

''Speaker Bio''

Mathy Vanhoef is a postdoctoral researcher at KU Leuven. He did his PhD on the security of WPA-TKIP, TLS, and RC4. His research interest is in computer security with a focus on wireless security (e.g. Wi-Fi), network protocols in general, the RC4 stream cipher (where he discovered the RC NOMORE attack), and software security (discovering and exploiting vulnerabilities). Currently his main research is about automatically discovering vulnerabilities in network protocol implementations, and proving the correctness of protocol implementations.

==== Making the web secure by design ====

* Speaker: Glenn Ten Cate (ING Belgium) and Riccardo Ten Cate (Xebia)
* Presentation: not yet available 

''Abstract''

Education is the first step in the Secure Software Development Lifecycle. The free OWASP Security Knowledge Framework (SKF) is intended to be a tool that is used as a guide for building and verifying secure software. It can also be used to train developers about application security. This talk will help you as a developer to become THE Neo of your development team. We will show how you can do security by design and introduce other quality gates into your development pipeline to ensure high end quality and security of your project.

''Speaker Bios''

As a coder, hacker, speaker, trainer and security researcher employed at ING Belgium, '''Glenn Ten Cate''' has over 10 years experience in the field of security. One of the founders of defensive development [defdev] a security training and conference series dedicated to helping you build and maintain secure software and also speaking at multiple other security conferences in the world. His goals is to create an open-source software development life cycle with the tools and knowledge gathered over the years.

As a penetration tester from the Netherlands employed at Xebia, '''Riccardo Ten Cate''' specialises in web-application security and has extensive knowledge in securing web applications in multiple coding languages. He is also a specialist in setting up Secure Software Development Life Cycles.

=== Registration ===

Registration was via EventBrite: https://owasp-belgium-2018-03-19.eventbrite.com.

=== Coverage ===

n/a

== 20 February 2018 Meeting ==

=== Where ===

* Host: [https://distrinet.cs.kuleuven.be DistriNet Research Group (KU Leuven)] (Both speakers are faculty of the [https://www.secappdev.org/ Secure Application Development] course held in Leuven from 2018-02-19 to 2018-02-23.)

* Address ([http://googlemapsinterface.kuleuven.be/index.cgi?lang=N&nbol=(50.864186697481145,%204.678754210472107)&zoomlevel=17&plaatsnaam=Department+of+Computer+Science&maptype=roadmap map], [https://distrinet.cs.kuleuven.be/about/route/ directions]):
Department of Computer Science (foyer at ground floor)
Celestijnenlaan 200 A
3001 Heverlee

=== Agenda ===

*18h15 - 19h00: Welcome & sandwiches
*19h00 - 19h10: [https://www.owasp.org/images/7/7a/Owasp_Belgium_update_2018-02-20_v1.pdf OWASP Update] by Sebastien Deleersnyder (OWASP)
*19h10 - 20h00: [https://schd.ws/hosted_files/secappdev2018/a9/Developer%20are%20not%20the%20enemy%20SecAppDev%20web.pdf Developers are not the enemy -- Usable Security for Experts] by Prof. Matthew Smith (University of Bonn)
*20h00 - 20h10: Break
*20h10 - 21h00: [https://schd.ws/hosted_files/secappdev2018/75/The%20code%20behind%20the%20vulnerability.pdf The Code Behind The Vulnerability] by Barry Dorrans (Microsoft)

=== Program ===

==== Developers are not the enemy -- Usable Security for Experts ====

* Speaker: Prof. Matthew Smith (University of Bonn)
* Presentation: https://schd.ws/hosted_files/secappdev2018/a9/Developer%20are%20not%20the%20enemy%20SecAppDev%20web.pdf

''Abstract''

Usability problems are a major cause of many of today's IT-security incidents. Security systems are often too complicated, time-consuming, and error prone. For more than a decade researchers in the domain of usable security (USEC) have attempted to combat these problems by conducting interdisciplinary research focusing on the root causes of the problems and on the creation of usable security mechanisms. While major improvements have been made, to date USEC research has focused almost entirely on the non-expert end-user. However, many of the most catastrophic security incidents were not caused by end-users, but by developers or administrators. Heartbleed and Shellshock were both caused by single developers yet had global consequences. The Sony hack in 2014 compromised an entire multi-national IT-infrastructure and misappropriated over 100 TB of data, unnoticed. Fundamentally, every software vulnerability and misconfigured system is caused by developers or administrators making mistakes, but very little research has been done into the underlying causalities and possible mitigation strategies. In this talk we will explore the transition from end-user to expert usable security research and look at several application areas, including TLS, passwords, malware analysis and vulnerability analysis.

''Speaker Bio''

Matthew Smith is a Professor for Usable Security and Privacy at the University of Bonn. His research is focused on human factors of security and privacy mechanisms with a wide range of application areas, including TLS and network security, authentication, mobile and app security and, most recently, usable security for developers and administrators. His work has been published at, among others, IEEE S&P, ACM CCS, USENIX Security, NDSS, ACM SIGCHI and SOUPS the Symposium on Usable Security and Privacy. In 2015 his ERC Starting Grant "Frontiers of Usable Security" was selected for funding.

==== The Code Behind The Vulnerability ====

* Speaker: Barry Dorrans (Microsoft)
* Presentation: https://schd.ws/hosted_files/secappdev2018/75/The%20code%20behind%20the%20vulnerability.pdf

''Abstract''

Everyone makes security mistakes, and that includes Microsoft (seriously!). Many developers can spot and prevent vulnerabilities listed in the OWASP top 10. But that narrative changes when we look beyond the scope of the OWASP top 10. Compared to some more recent attacks, fixing XSS or SQL injection almost seems easy. In this session, we dive into a couple of .NET core cases that have been reported to the Microsoft Security Response Center (MSRC). Mind you; these vulnerabilities are not just framework vulnerabilities. Instead, they are coding patterns that you may have introduced in your applications. Examples are issues with hash tables, compression, encryption, regular expressions and more. In this session, you will learn how to spot these vulnerabilities in your code. On top of that, you will walk away with the skills to fix them.

''Speaker Bio''

Barry Dorrans is the .NET Security Czar, which means he tries to tell everyone else how to code securely and taking the credit when it goes right, as well as running the .NET Core Bug Bounty. He also ends up triaging publicly and privately reported vulnerabilities when it goes wrong before getting someone else to fix the mistakes. This he gets all the fun and none of the real work, aside from the endless stress wondering when the next vulnerability will be discovered.

=== Registration ===

Registration was via EventBrite: https://owasp-belgium-2018-02-20.eventbrite.com.

=== Coverage ===

n/a

User:Thomas Herlea

2018-10-29T10:39:56Z

Thomas Herlea: Added link to the Belgium chapter meeting template.

====Bio====

* Born in Romania
* Studied computers in high school and at the university
* Moved to Belgium
* Studied crypto and computer security
* Works as an InfoSec consultant:
** security governance
** secure architecture
** secure development training
** secure development lifecycle advising
** source code review
** web application penetration testing

====OWASP Wiki links====

* [[Belgium]] chapter page ([[Belgium Chapter Meeting Template]])
* [[OWASP_Code_Review_Guide_Table_of_Contents]]
* [[OWASP_Testing_Guide_v3_Table_of_Contents]]
* [[OWASP_Secure_Coding_Practices_-_Quick_Reference_Guide]]

<headertabs />

User:Thomas Herlea

2018-10-29T10:36:35Z

Thomas Herlea: Updated work topics and linked to Belgium chapter.

====Bio====

* Born in Romania
* Studied computers in high school and at the university
* Moved to Belgium
* Studied crypto and computer security
* Works as an InfoSec consultant:
** security governance
** secure architecture
** secure development training
** secure development lifecycle advising
** source code review
** web application penetration testing

====OWASP Wiki links====

* [[Belgium]] chapter page
* [[OWASP_Code_Review_Guide_Table_of_Contents]]
* [[OWASP_Testing_Guide_v3_Table_of_Contents]]
* [[OWASP_Secure_Coding_Practices_-_Quick_Reference_Guide]]

<headertabs />

Belgium Events 2018

2018-10-29T10:17:34Z

Thomas Herlea: Added the presentations from the 2018-10-23 chapter meeting.

<noinclude>
These are the 2018 events of the [[Belgium|OWASP Belgium Chapter]].

Previous year: [[Belgium Events 2017|2017]].
</noinclude>


== OWASP BeNeLux Days 2018 ==

This conference has its own page: [[OWASP_BeNeLux-Days_2018]].

== 23 October 2018 Meeting ==

=== Where ===

* Host: [https://securecodewarrior.com/ Secure Code Warrior]

* Address ([https://goo.gl/maps/e6Ej1v44tf32 map], [https://goo.gl/maps/UoW1EM3kbfy directions], 10 minutes walk from Brugge train station)
Baron Ruzettelaan 1
8310 Assebroek

* Parking is available under the building, open from 5 p.m., the entrance is at the back:
Vestingstraat 88
8310 Assebroek

=== Agenda ===

* 18h00 - 18h50: Welcome & pizzas
* 18h50 - 19h00: [[Media:OWASP_Belgium_update_2018-10-23_v1.pptx|OWASP Update]] by Sebastien Deleersnyder (OWASP)
* 19h00 - 19h30: [[Media:OWASP_20181023_EffectivelyDistributeSoftwareSecurityKnowledge.pdf|Effectively Distribute Software Security Knowledge]] by Pieter De Cremer and Nathan Desmet (Secure Code Warrior)
* 19h30 - 19h45: Beers from Bruges break
* 19h45 - 20h25: [[Media:OWASP_20181023_CommonAPISecurityPitfalls.pdf|Common API Security Pitfalls]] by Philippe De Ryck (Pragmatic Web Security)
* 20h25 - 22h00: Networking and more beers from Bruges

=== Program ===

==== Effectively Distribute Software Security Knowledge ====

* Speaker: [https://www.linkedin.com/in/pdcremer/ Pieter De Cremer] ([https://twitter.com/pdcremer @pdcremer]) and [https://www.linkedin.com/in/nathan-desmet-687345aa/ Nathan Desmet] (Secure Code Warrior)
* Presentation attachment: [[:File:OWASP_20181023_EffectivelyDistributeSoftwareSecurityKnowledge.pdf]]

''Abstract''

Security is still a big concern in application development, as breaches appear in the media on a regular basis. Up to 90 percent of security issues are caused by problems or oversight in the code (U.S. Department of Homeland Security, “Infosheet Software Assurance”, https://www.us-cert.gov/sites/default/files/publications/infosheet_SoftwareAssurance.pdf, last accessed 2018-05-22). They are the result of errors made by the developers. At the same time, many of these issues are well known, well-documented problems. But the security experts in charge of securing the application are understaffed with an average of less than two security experts per hundred developers (Gary McGraw, Ph.D., Sammy Migues and Jacob West, “Building Security In Maturity Model (BSIMM)”, https://www.bsimm.com/, 2018). So the problem is not a lack of knowledge on security but the distribution of it without requiring costly, unscalable communication cycles between individual developers and security experts. In this talk we will outline the goal of a new approach to improve software security, focused on distributing software security knowledge so that software engineers can effectively put it into practice with minimal impact on their daily tasks.

''Speaker Bios''

'''Pieter De Cremer''' is an R&D Engineer and Security Researcher at Secure Code Warrior, where he is responsible for researching a wide variety of application vulnerabilities and developing this into new content and coding challenges for the Secure Code Warrior platform. His passion lies in empowering developers to be the first line of defence in their organisation by making security
easy to understand.

Pieter graduated with a Masters in Computer Science Engineering from the University of Ghent and is currently completing his PhD in Secure Design Programming Aid for the Internet of Things through a personal grant from the Flemish government. When he is away from his desk, Pieter has also facilitated a number of secure coding workshops with Ghent University, Howest Bruges and Antwerp University, helping students improve their secure coding skills. His repertoire of coding languages includes C, C++, Java, Python, node and Haskell.

'''Nathan Desmet''' is the Lead Engineer at Secure Code Warrior, where he is responsible for developing Sensei, a real-time correction and coaching IDE plug-in for secure coding. His passion lies in building world-class software applications that makes an impact in the way developers build software with a focus on security.

Prior to Secure Code Warrior, Nathan has worked for NVISO where he created the Cyber Security Challenge platform, the biggest computer security competition in Belgium. Nathan also co-founded Sensei Security, and founded Applix, a software consultancy firm. His clients include SMEs in the technology and legal sector.

Nathan graduated with a degree in Computer Science from the University of Howest Bruges, majoring in Computer and Cybercrime Professional.

==== Common API Security Pitfalls ====

* Speaker: [https://twitter.com/PhilippeDeRyck Philippe De Ryck] ([https://pragmaticwebsecurity.com/ Pragmatic Web Security])
* Presentation attachment: [[:File:OWASP_20181023_CommonAPISecurityPitfalls.pdf]]

''Abstract''

The shift towards an API landscape indicates a significant evolution in the way we build applications. The rise of JavaScript and mobile applications have sparked an explosion of easily-accessible REST APIs. But how do you protect access to your API? Which security aspects are no longer relevant? Which security features are an absolutely must-have, and which additional security measures do you need to take into account?

These are hard questions, as evidenced by the deployment of numerous insecure APIs. Attend this session to find out about common API security pitfalls, that often result in compromised user accounts and unauthorized access to your data. We expose the problem that lies at the root of each of these pitfalls, and offer actionable advice to address these security problems. After this session, you will know how to assess the security of your APIs, and the best practices to improve them towards the future.

''Speaker Bio''

Philippe De Ryck is the founder of Pragmatic Web Security, where he travels the world to train developers on web security and security engineering. He holds a Ph.D. in web security from KU Leuven. Google recognizes Philippe as a Google Developer Expert for his knowledge of web security and security in Angular applications.

=== Registration ===

Registration was via EventBrite: https://owasp-belgium-2018-10-23.eventbrite.com

=== Coverage ===

n/a

== 17 September 2018 Meeting ==

=== Where ===

* Host: [https://ec.europa.eu European Commission]

* Address ([https://www.google.com/maps/place/Place+Madou+1,+1210+Saint-Josse-ten-Noode/ map], [https://www.google.com/maps/dir//Place+Madou+1,+1210+Saint-Josse-ten-Noode directions])
Place Madou, 1
1210 Saint-Josse-Ten-Noode

=== Agenda ===

* 18h00 - 18h50: Welcome & sandwiches
* 18h50 - 19h00: [https://www.owasp.org/images/9/9b/Owasp_Belgium_update_2018-09-17_v1.pptx OWASP Update] by Sebastien Deleersnyder (OWASP)
* 19h00 - 19h10: ''Intro by the EC'' by Miguel Soria Machado (Head of Sector CSIRC, DIGIT IT Security Directorate, European Commission)
* 19h10 - 20h00: [https://www.owasp.org/images/1/17/Dirk_Wetter_-_Docker_Security_Brussels.pdf Docker Threat Modeling and Top 10] by Dirk Wetter
* 20h00 - 20h10: Break
* 20h10 - 21h00: [https://www.owasp.org/images/1/1c/Securing_Containers_on_the_High_Seas_%28OWASP_Belgium_September_17-09-2018%29.pdf Securing Containers on the High Seas] by Jack Mannino (nVisium)
* 21h00 - 21h30: Networking drink

=== Program ===

==== Docker Threat Modeling and Top 10 ====

* Speaker: [https://twitter.com/drwetter Dirk Wetter]
* Presentation: https://www.owasp.org/images/1/17/Dirk_Wetter_-_Docker_Security_Brussels.pdf

''Abstract''

Docker containers offer several advantages for developers. Most notably they fit perfectly in software development processes, they enable fast, reproducible deployments and when properly done, with little change the same container can run either in a test or production environment.

Despite threatening information out there Docker offers per se also several security advantages. However it is important to make use of them and as a minimum avoid several pitfalls. In a worst case scenario this can lead otherwise to less security or the security benefits which the containment
technology offers are not being used at all.

To avoid this a proper fundamental approach is needed.

Thus this talk models first the most important threats to containerized environments out there. Based on that the speaker will present 10 security bullet points which covers:

* important Do's and Dont's,
* for advanced needs how to tighten security further.

At the end the speaker gives advice how to check your Docker and Kubernetes security status yourself.

The talk is based on practical experiences at several costumers and on the speaker's solid network and systems security expertise.

''Speaker Bio''

Dirk Wetter (Ph.D.) is an independent security consultant with more than 20 years professional experience in information security with a broad technical and information security management background.

His primary focus nowadays is around web application security. He has also a solid background on network and systems security.

He's also founder and maintainer of the open source project testssl.sh which checks the encryption of every SSL/TLS enabled service.

==== Securing Containers on the High Seas ====

* Speaker: [https://twitter.com/jack_mannino Jack Mannino] (nVisium)
* Presentation: https://www.owasp.org/images/1/1c/Securing_Containers_on_the_High_Seas_%28OWASP_Belgium_September_17-09-2018%29.pdf

''Abstract''

It can be a difficult challenge for organizations to securely migrate to containers while shifting processes and security controls. Making the move from legacy virtualization and monolithic deployments to containers requires a solid strategy. Containers offer many inherent security benefits but it’s important to build controls in beyond the containers themselves. From development through container registries and deployment to a runtime environment, it’s important to enforce security and eliminate risks as they’re introduced.

This presentation will focus on scaling container security within an enterprise and building security controls into the way you build, ship, and run containerized services. We will discuss the modern container landscape including different container runtimes and isolation models. We will explore the container lifecycle from your developer’s laptop through your production environment and examine the key security problems to mitigate.

''Speaker Bios''

Jack Mannino is the CEO of nVisium. Passionate about security and impossible to keep away from a keyboard, his expertise spans over 15 years of building, breaking, and securing software. Jack founded nVisium in 2009, and since has helped the world's largest software teams enhance security across their software portfolios. He has spoken at conferences globally on topics such as secure design, mobile application security, and cloud-native security.

=== Registration ===

Two step registration:

# Registration was via EventBrite: https://owasp-belgium-2018-09-17.eventbrite.com.
# Pre-registration of participants' ID documents, necessary for passing security checkpoint at the entrance to the site was via: https://ec.europa.eu/eusurvey/runner/OWASPBelgiumChapterMeetingSept17. The deadline for this registration was ''Sunday, September 16th midnight''.

=== Coverage ===

n/a

== 19 March 2018 Meeting ==

=== Where ===

* Host: [https://www.ing.be ING Belgium]

* Address ([https://branches.ing.be/branch/1040_bxl-non-residents map])
Cours St Michel 60
1040 Brussel

=== Agenda ===

* 18h15 - 19h00: Welcome & sandwiches
* 19h00 - 19h10: ''OWASP Update'' by Sebastien Deleersnyder (OWASP)
* 19h10 - 20h00: ''KRACKing WPA2 in Practice Using Key Reinstallation Attacks''  by Mathy Vanhoef (imec-DistriNet-KU Leuven)
* 20h00 - 20h10: Break
* 20h10 - 21h00: ''Making the web secure by design''  by Glenn Ten Cate (ING Belgium) and Riccardo Ten Cate (Xebia)
* 21h00 - 21h30: Networking drink

=== Program ===

==== KRACKing WPA2 in Practice Using Key Reinstallation Attacks ====

* Speaker: Mathy Vanhoef (imec-DistriNet-KU Leuven)
* Presentation: not yet available 

''Abstract''

This talk presents the key reinstallation attack against WPA2 (KRACK attack). It abuses design or implementation flaws in cryptographic protocols to reinstall an already-in-use key. This resets the key’s associated parameters such as transmit nonces and receive replay counters. Several cryptographic Wi-Fi handshakes are affected by the attack.

All protected Wi-Fi networks use the 4-way handshake to generate a fresh session key. So far, this 14-year-old handshake has remained free from attacks. However, we show that the 4-way handshake is vulnerable to a key reinstallation attack. Here, the adversary tricks a victim into reinstalling an already-in-use key. This is achieved by manipulating and replaying handshake messages. When reinstalling the key, associated parameters such as the incremental transmit packet number (nonce) and receive packet number (replay counter) are reset to their initial value.

The talk also discusses the vulnerability disclosure process that was followed. Since the discovery affected numerous vendors, coordinating the disclosure was non-trivial.

''Speaker Bio''

Mathy Vanhoef is a postdoctoral researcher at KU Leuven. He did his PhD on the security of WPA-TKIP, TLS, and RC4. His research interest is in computer security with a focus on wireless security (e.g. Wi-Fi), network protocols in general, the RC4 stream cipher (where he discovered the RC NOMORE attack), and software security (discovering and exploiting vulnerabilities). Currently his main research is about automatically discovering vulnerabilities in network protocol implementations, and proving the correctness of protocol implementations.

==== Making the web secure by design ====

* Speaker: Glenn Ten Cate (ING Belgium) and Riccardo Ten Cate (Xebia)
* Presentation: not yet available 

''Abstract''

Education is the first step in the Secure Software Development Lifecycle. The free OWASP Security Knowledge Framework (SKF) is intended to be a tool that is used as a guide for building and verifying secure software. It can also be used to train developers about application security. This talk will help you as a developer to become THE Neo of your development team. We will show how you can do security by design and introduce other quality gates into your development pipeline to ensure high end quality and security of your project.

''Speaker Bios''

As a coder, hacker, speaker, trainer and security researcher employed at ING Belgium, '''Glenn Ten Cate''' has over 10 years experience in the field of security. One of the founders of defensive development [defdev] a security training and conference series dedicated to helping you build and maintain secure software and also speaking at multiple other security conferences in the world. His goals is to create an open-source software development life cycle with the tools and knowledge gathered over the years.

As a penetration tester from the Netherlands employed at Xebia, '''Riccardo Ten Cate''' specialises in web-application security and has extensive knowledge in securing web applications in multiple coding languages. He is also a specialist in setting up Secure Software Development Life Cycles.

=== Registration ===

Registration was via EventBrite: https://owasp-belgium-2018-03-19.eventbrite.com.

=== Coverage ===

n/a

== 20 February 2018 Meeting ==

=== Where ===

* Host: [https://distrinet.cs.kuleuven.be DistriNet Research Group (KU Leuven)] (Both speakers are faculty of the [https://www.secappdev.org/ Secure Application Development] course held in Leuven from 2018-02-19 to 2018-02-23.)

* Address ([http://googlemapsinterface.kuleuven.be/index.cgi?lang=N&nbol=(50.864186697481145,%204.678754210472107)&zoomlevel=17&plaatsnaam=Department+of+Computer+Science&maptype=roadmap map], [https://distrinet.cs.kuleuven.be/about/route/ directions]):
Department of Computer Science (foyer at ground floor)
Celestijnenlaan 200 A
3001 Heverlee

=== Agenda ===

*18h15 - 19h00: Welcome & sandwiches
*19h00 - 19h10: [https://www.owasp.org/images/7/7a/Owasp_Belgium_update_2018-02-20_v1.pdf OWASP Update] by Sebastien Deleersnyder (OWASP)
*19h10 - 20h00: [https://schd.ws/hosted_files/secappdev2018/a9/Developer%20are%20not%20the%20enemy%20SecAppDev%20web.pdf Developers are not the enemy -- Usable Security for Experts] by Prof. Matthew Smith (University of Bonn)
*20h00 - 20h10: Break
*20h10 - 21h00: [https://schd.ws/hosted_files/secappdev2018/75/The%20code%20behind%20the%20vulnerability.pdf The Code Behind The Vulnerability] by Barry Dorrans (Microsoft)

=== Program ===

==== Developers are not the enemy -- Usable Security for Experts ====

* Speaker: Prof. Matthew Smith (University of Bonn)
* Presentation: https://schd.ws/hosted_files/secappdev2018/a9/Developer%20are%20not%20the%20enemy%20SecAppDev%20web.pdf

''Abstract''

Usability problems are a major cause of many of today's IT-security incidents. Security systems are often too complicated, time-consuming, and error prone. For more than a decade researchers in the domain of usable security (USEC) have attempted to combat these problems by conducting interdisciplinary research focusing on the root causes of the problems and on the creation of usable security mechanisms. While major improvements have been made, to date USEC research has focused almost entirely on the non-expert end-user. However, many of the most catastrophic security incidents were not caused by end-users, but by developers or administrators. Heartbleed and Shellshock were both caused by single developers yet had global consequences. The Sony hack in 2014 compromised an entire multi-national IT-infrastructure and misappropriated over 100 TB of data, unnoticed. Fundamentally, every software vulnerability and misconfigured system is caused by developers or administrators making mistakes, but very little research has been done into the underlying causalities and possible mitigation strategies. In this talk we will explore the transition from end-user to expert usable security research and look at several application areas, including TLS, passwords, malware analysis and vulnerability analysis.

''Speaker Bio''

Matthew Smith is a Professor for Usable Security and Privacy at the University of Bonn. His research is focused on human factors of security and privacy mechanisms with a wide range of application areas, including TLS and network security, authentication, mobile and app security and, most recently, usable security for developers and administrators. His work has been published at, among others, IEEE S&P, ACM CCS, USENIX Security, NDSS, ACM SIGCHI and SOUPS the Symposium on Usable Security and Privacy. In 2015 his ERC Starting Grant "Frontiers of Usable Security" was selected for funding.

==== The Code Behind The Vulnerability ====

* Speaker: Barry Dorrans (Microsoft)
* Presentation: https://schd.ws/hosted_files/secappdev2018/75/The%20code%20behind%20the%20vulnerability.pdf

''Abstract''

Everyone makes security mistakes, and that includes Microsoft (seriously!). Many developers can spot and prevent vulnerabilities listed in the OWASP top 10. But that narrative changes when we look beyond the scope of the OWASP top 10. Compared to some more recent attacks, fixing XSS or SQL injection almost seems easy. In this session, we dive into a couple of .NET core cases that have been reported to the Microsoft Security Response Center (MSRC). Mind you; these vulnerabilities are not just framework vulnerabilities. Instead, they are coding patterns that you may have introduced in your applications. Examples are issues with hash tables, compression, encryption, regular expressions and more. In this session, you will learn how to spot these vulnerabilities in your code. On top of that, you will walk away with the skills to fix them.

''Speaker Bio''

Barry Dorrans is the .NET Security Czar, which means he tries to tell everyone else how to code securely and taking the credit when it goes right, as well as running the .NET Core Bug Bounty. He also ends up triaging publicly and privately reported vulnerabilities when it goes wrong before getting someone else to fix the mistakes. This he gets all the fun and none of the real work, aside from the endless stress wondering when the next vulnerability will be discovered.

=== Registration ===

Registration was via EventBrite: https://owasp-belgium-2018-02-20.eventbrite.com.

=== Coverage ===

n/a

File:OWASP 20181023 CommonAPISecurityPitfalls.pdf

2018-10-29T10:04:33Z

Thomas Herlea: Slides of talk presented at the Belgium chapter meeting on 2018-10-23.

Slides of talk presented at the Belgium chapter meeting on 2018-10-23.

File:OWASP 20181023 EffectivelyDistributeSoftwareSecurityKnowledge.pdf

2018-10-29T10:02:21Z

Thomas Herlea: Slides of talk presented at the Belgium chapter meeting on 2018-10-23.

Slides of talk presented at the Belgium chapter meeting on 2018-10-23.

File:OWASP Belgium update 2018-10-23 v1.pptx

2018-10-29T09:57:03Z

Thomas Herlea: Update on the state of the chapter, delivered at the Belgium chapter meeting on 2018-10-23.

Update on the state of the chapter, delivered at the Belgium chapter meeting on 2018-10-23.

Belgium Events 2018

2018-10-29T09:14:33Z

Thomas Herlea: Added the 2018 BeNeLux Days as an event.

<noinclude>
These are the 2018 events of the [[Belgium|OWASP Belgium Chapter]].

Previous year: [[Belgium Events 2017|2017]].
</noinclude>


== OWASP BeNeLux Days 2018 ==

This conference has its own page: [[OWASP_BeNeLux-Days_2018]].

== 23 October 2018 Meeting ==

=== Where ===

* Host: [https://securecodewarrior.com/ Secure Code Warrior]

* Address ([https://goo.gl/maps/e6Ej1v44tf32 map], [https://goo.gl/maps/UoW1EM3kbfy directions], 10 minutes walk from Brugge train station)
Baron Ruzettelaan 1
8310 Assebroek

* Parking is available under the building, open from 5 p.m., the entrance is at the back:
Vestingstraat 88
8310 Assebroek

=== Agenda ===

* 18h00 - 18h50: Welcome & pizzas
* 18h50 - 19h00:  ''OWASP Update'' by Sebastien Deleersnyder (OWASP)
* 19h00 - 19h30:  ''Effectively Distribute Software Security Knowledge'' by Pieter De Cremer and Nathan Desmet (Secure Code Warrior)
* 19h30 - 19h45: Beers from Bruges break
* 19h45 - 20h25:  ''Common API Security Pitfalls'' by Philippe De Ryck (Pragmatic Web Security)
* 20h25 - 22h00: Networking and more beers from Bruges

=== Program ===

==== Effectively Distribute Software Security Knowledge ====

* Speaker: [https://www.linkedin.com/in/pdcremer/ Pieter De Cremer] ([https://twitter.com/pdcremer @pdcremer]) and [https://www.linkedin.com/in/nathan-desmet-687345aa/ Nathan Desmet] (Secure Code Warrior)
* Presentation: not yet available 

''Abstract''

Security is still a big concern in application development, as breaches appear in the media on a regular basis. Up to 90 percent of security issues are caused by problems or oversight in the code (U.S. Department of Homeland Security, “Infosheet Software Assurance”, https://www.us-cert.gov/sites/default/files/publications/infosheet_SoftwareAssurance.pdf, last accessed 2018-05-22). They are the result of errors made by the developers. At the same time, many of these issues are well known, well-documented problems. But the security experts in charge of securing the application are understaffed with an average of less than two security experts per hundred developers (Gary McGraw, Ph.D., Sammy Migues and Jacob West, “Building Security In Maturity Model (BSIMM)”, https://www.bsimm.com/, 2018). So the problem is not a lack of knowledge on security but the distribution of it without requiring costly, unscalable communication cycles between individual developers and security experts. In this talk we will outline the goal of a new approach to improve software security, focused on distributing software security knowledge so that software engineers can effectively put it into practice with minimal impact on their daily tasks.

''Speaker Bios''

'''Pieter De Cremer''' is an R&D Engineer and Security Researcher at Secure Code Warrior, where he is responsible for researching a wide variety of application vulnerabilities and developing this into new content and coding challenges for the Secure Code Warrior platform. His passion lies in empowering developers to be the first line of defence in their organisation by making security
easy to understand.

Pieter graduated with a Masters in Computer Science Engineering from the University of Ghent and is currently completing his PhD in Secure Design Programming Aid for the Internet of Things through a personal grant from the Flemish government. When he is away from his desk, Pieter has also facilitated a number of secure coding workshops with Ghent University, Howest Bruges and Antwerp University, helping students improve their secure coding skills. His repertoire of coding languages includes C, C++, Java, Python, node and Haskell.

'''Nathan Desmet''' is the Lead Engineer at Secure Code Warrior, where he is responsible for developing Sensei, a real-time correction and coaching IDE plug-in for secure coding. His passion lies in building world-class software applications that makes an impact in the way developers build software with a focus on security.

Prior to Secure Code Warrior, Nathan has worked for NVISO where he created the Cyber Security Challenge platform, the biggest computer security competition in Belgium. Nathan also co-founded Sensei Security, and founded Applix, a software consultancy firm. His clients include SMEs in the technology and legal sector.

Nathan graduated with a degree in Computer Science from the University of Howest Bruges, majoring in Computer and Cybercrime Professional.

==== Common API Security Pitfalls ====

* Speaker: [https://twitter.com/PhilippeDeRyck Philippe De Ryck] ([https://pragmaticwebsecurity.com/ Pragmatic Web Security])
* Presentation: not yet available 

''Abstract''

The shift towards an API landscape indicates a significant evolution in the way we build applications. The rise of JavaScript and mobile applications have sparked an explosion of easily-accessible REST APIs. But how do you protect access to your API? Which security aspects are no longer relevant? Which security features are an absolutely must-have, and which additional security measures do you need to take into account?

These are hard questions, as evidenced by the deployment of numerous insecure APIs. Attend this session to find out about common API security pitfalls, that often result in compromised user accounts and unauthorized access to your data. We expose the problem that lies at the root of each of these pitfalls, and offer actionable advice to address these security problems. After this session, you will know how to assess the security of your APIs, and the best practices to improve them towards the future.

''Speaker Bio''

Philippe De Ryck is the founder of Pragmatic Web Security, where he travels the world to train developers on web security and security engineering. He holds a Ph.D. in web security from KU Leuven. Google recognizes Philippe as a Google Developer Expert for his knowledge of web security and security in Angular applications.

=== Registration ===

Registration via EventBrite: https://owasp-belgium-2018-10-23.eventbrite.com

=== Coverage ===

n/a

== 17 September 2018 Meeting ==

=== Where ===

* Host: [https://ec.europa.eu European Commission]

* Address ([https://www.google.com/maps/place/Place+Madou+1,+1210+Saint-Josse-ten-Noode/ map], [https://www.google.com/maps/dir//Place+Madou+1,+1210+Saint-Josse-ten-Noode directions])
Place Madou, 1
1210 Saint-Josse-Ten-Noode

=== Agenda ===

* 18h00 - 18h50: Welcome & sandwiches
* 18h50 - 19h00: [https://www.owasp.org/images/9/9b/Owasp_Belgium_update_2018-09-17_v1.pptx OWASP Update] by Sebastien Deleersnyder (OWASP)
* 19h00 - 19h10: ''Intro by the EC'' by Miguel Soria Machado (Head of Sector CSIRC, DIGIT IT Security Directorate, European Commission)
* 19h10 - 20h00: [https://www.owasp.org/images/1/17/Dirk_Wetter_-_Docker_Security_Brussels.pdf Docker Threat Modeling and Top 10] by Dirk Wetter
* 20h00 - 20h10: Break
* 20h10 - 21h00: [https://www.owasp.org/images/1/1c/Securing_Containers_on_the_High_Seas_%28OWASP_Belgium_September_17-09-2018%29.pdf Securing Containers on the High Seas] by Jack Mannino (nVisium)
* 21h00 - 21h30: Networking drink

=== Program ===

==== Docker Threat Modeling and Top 10 ====

* Speaker: [https://twitter.com/drwetter Dirk Wetter]
* Presentation: https://www.owasp.org/images/1/17/Dirk_Wetter_-_Docker_Security_Brussels.pdf

''Abstract''

Docker containers offer several advantages for developers. Most notably they fit perfectly in software development processes, they enable fast, reproducible deployments and when properly done, with little change the same container can run either in a test or production environment.

Despite threatening information out there Docker offers per se also several security advantages. However it is important to make use of them and as a minimum avoid several pitfalls. In a worst case scenario this can lead otherwise to less security or the security benefits which the containment
technology offers are not being used at all.

To avoid this a proper fundamental approach is needed.

Thus this talk models first the most important threats to containerized environments out there. Based on that the speaker will present 10 security bullet points which covers:

* important Do's and Dont's,
* for advanced needs how to tighten security further.

At the end the speaker gives advice how to check your Docker and Kubernetes security status yourself.

The talk is based on practical experiences at several costumers and on the speaker's solid network and systems security expertise.

''Speaker Bio''

Dirk Wetter (Ph.D.) is an independent security consultant with more than 20 years professional experience in information security with a broad technical and information security management background.

His primary focus nowadays is around web application security. He has also a solid background on network and systems security.

He's also founder and maintainer of the open source project testssl.sh which checks the encryption of every SSL/TLS enabled service.

==== Securing Containers on the High Seas ====

* Speaker: [https://twitter.com/jack_mannino Jack Mannino] (nVisium)
* Presentation: https://www.owasp.org/images/1/1c/Securing_Containers_on_the_High_Seas_%28OWASP_Belgium_September_17-09-2018%29.pdf

''Abstract''

It can be a difficult challenge for organizations to securely migrate to containers while shifting processes and security controls. Making the move from legacy virtualization and monolithic deployments to containers requires a solid strategy. Containers offer many inherent security benefits but it’s important to build controls in beyond the containers themselves. From development through container registries and deployment to a runtime environment, it’s important to enforce security and eliminate risks as they’re introduced.

This presentation will focus on scaling container security within an enterprise and building security controls into the way you build, ship, and run containerized services. We will discuss the modern container landscape including different container runtimes and isolation models. We will explore the container lifecycle from your developer’s laptop through your production environment and examine the key security problems to mitigate.

''Speaker Bios''

Jack Mannino is the CEO of nVisium. Passionate about security and impossible to keep away from a keyboard, his expertise spans over 15 years of building, breaking, and securing software. Jack founded nVisium in 2009, and since has helped the world's largest software teams enhance security across their software portfolios. He has spoken at conferences globally on topics such as secure design, mobile application security, and cloud-native security.

=== Registration ===

Two step registration:

# Registration was via EventBrite: https://owasp-belgium-2018-09-17.eventbrite.com.
# Pre-registration of participants' ID documents, necessary for passing security checkpoint at the entrance to the site was via: https://ec.europa.eu/eusurvey/runner/OWASPBelgiumChapterMeetingSept17. The deadline for this registration was ''Sunday, September 16th midnight''.

=== Coverage ===

n/a

== 19 March 2018 Meeting ==

=== Where ===

* Host: [https://www.ing.be ING Belgium]

* Address ([https://branches.ing.be/branch/1040_bxl-non-residents map])
Cours St Michel 60
1040 Brussel

=== Agenda ===

* 18h15 - 19h00: Welcome & sandwiches
* 19h00 - 19h10: ''OWASP Update'' by Sebastien Deleersnyder (OWASP)
* 19h10 - 20h00: ''KRACKing WPA2 in Practice Using Key Reinstallation Attacks''  by Mathy Vanhoef (imec-DistriNet-KU Leuven)
* 20h00 - 20h10: Break
* 20h10 - 21h00: ''Making the web secure by design''  by Glenn Ten Cate (ING Belgium) and Riccardo Ten Cate (Xebia)
* 21h00 - 21h30: Networking drink

=== Program ===

==== KRACKing WPA2 in Practice Using Key Reinstallation Attacks ====

* Speaker: Mathy Vanhoef (imec-DistriNet-KU Leuven)
* Presentation: not yet available 

''Abstract''

This talk presents the key reinstallation attack against WPA2 (KRACK attack). It abuses design or implementation flaws in cryptographic protocols to reinstall an already-in-use key. This resets the key’s associated parameters such as transmit nonces and receive replay counters. Several cryptographic Wi-Fi handshakes are affected by the attack.

All protected Wi-Fi networks use the 4-way handshake to generate a fresh session key. So far, this 14-year-old handshake has remained free from attacks. However, we show that the 4-way handshake is vulnerable to a key reinstallation attack. Here, the adversary tricks a victim into reinstalling an already-in-use key. This is achieved by manipulating and replaying handshake messages. When reinstalling the key, associated parameters such as the incremental transmit packet number (nonce) and receive packet number (replay counter) are reset to their initial value.

The talk also discusses the vulnerability disclosure process that was followed. Since the discovery affected numerous vendors, coordinating the disclosure was non-trivial.

''Speaker Bio''

Mathy Vanhoef is a postdoctoral researcher at KU Leuven. He did his PhD on the security of WPA-TKIP, TLS, and RC4. His research interest is in computer security with a focus on wireless security (e.g. Wi-Fi), network protocols in general, the RC4 stream cipher (where he discovered the RC NOMORE attack), and software security (discovering and exploiting vulnerabilities). Currently his main research is about automatically discovering vulnerabilities in network protocol implementations, and proving the correctness of protocol implementations.

==== Making the web secure by design ====

* Speaker: Glenn Ten Cate (ING Belgium) and Riccardo Ten Cate (Xebia)
* Presentation: not yet available 

''Abstract''

Education is the first step in the Secure Software Development Lifecycle. The free OWASP Security Knowledge Framework (SKF) is intended to be a tool that is used as a guide for building and verifying secure software. It can also be used to train developers about application security. This talk will help you as a developer to become THE Neo of your development team. We will show how you can do security by design and introduce other quality gates into your development pipeline to ensure high end quality and security of your project.

''Speaker Bios''

As a coder, hacker, speaker, trainer and security researcher employed at ING Belgium, '''Glenn Ten Cate''' has over 10 years experience in the field of security. One of the founders of defensive development [defdev] a security training and conference series dedicated to helping you build and maintain secure software and also speaking at multiple other security conferences in the world. His goals is to create an open-source software development life cycle with the tools and knowledge gathered over the years.

As a penetration tester from the Netherlands employed at Xebia, '''Riccardo Ten Cate''' specialises in web-application security and has extensive knowledge in securing web applications in multiple coding languages. He is also a specialist in setting up Secure Software Development Life Cycles.

=== Registration ===

Registration was via EventBrite: https://owasp-belgium-2018-03-19.eventbrite.com.

=== Coverage ===

n/a

== 20 February 2018 Meeting ==

=== Where ===

* Host: [https://distrinet.cs.kuleuven.be DistriNet Research Group (KU Leuven)] (Both speakers are faculty of the [https://www.secappdev.org/ Secure Application Development] course held in Leuven from 2018-02-19 to 2018-02-23.)

* Address ([http://googlemapsinterface.kuleuven.be/index.cgi?lang=N&nbol=(50.864186697481145,%204.678754210472107)&zoomlevel=17&plaatsnaam=Department+of+Computer+Science&maptype=roadmap map], [https://distrinet.cs.kuleuven.be/about/route/ directions]):
Department of Computer Science (foyer at ground floor)
Celestijnenlaan 200 A
3001 Heverlee

=== Agenda ===

*18h15 - 19h00: Welcome & sandwiches
*19h00 - 19h10: [https://www.owasp.org/images/7/7a/Owasp_Belgium_update_2018-02-20_v1.pdf OWASP Update] by Sebastien Deleersnyder (OWASP)
*19h10 - 20h00: [https://schd.ws/hosted_files/secappdev2018/a9/Developer%20are%20not%20the%20enemy%20SecAppDev%20web.pdf Developers are not the enemy -- Usable Security for Experts] by Prof. Matthew Smith (University of Bonn)
*20h00 - 20h10: Break
*20h10 - 21h00: [https://schd.ws/hosted_files/secappdev2018/75/The%20code%20behind%20the%20vulnerability.pdf The Code Behind The Vulnerability] by Barry Dorrans (Microsoft)

=== Program ===

==== Developers are not the enemy -- Usable Security for Experts ====

* Speaker: Prof. Matthew Smith (University of Bonn)
* Presentation: https://schd.ws/hosted_files/secappdev2018/a9/Developer%20are%20not%20the%20enemy%20SecAppDev%20web.pdf

''Abstract''

Usability problems are a major cause of many of today's IT-security incidents. Security systems are often too complicated, time-consuming, and error prone. For more than a decade researchers in the domain of usable security (USEC) have attempted to combat these problems by conducting interdisciplinary research focusing on the root causes of the problems and on the creation of usable security mechanisms. While major improvements have been made, to date USEC research has focused almost entirely on the non-expert end-user. However, many of the most catastrophic security incidents were not caused by end-users, but by developers or administrators. Heartbleed and Shellshock were both caused by single developers yet had global consequences. The Sony hack in 2014 compromised an entire multi-national IT-infrastructure and misappropriated over 100 TB of data, unnoticed. Fundamentally, every software vulnerability and misconfigured system is caused by developers or administrators making mistakes, but very little research has been done into the underlying causalities and possible mitigation strategies. In this talk we will explore the transition from end-user to expert usable security research and look at several application areas, including TLS, passwords, malware analysis and vulnerability analysis.

''Speaker Bio''

Matthew Smith is a Professor for Usable Security and Privacy at the University of Bonn. His research is focused on human factors of security and privacy mechanisms with a wide range of application areas, including TLS and network security, authentication, mobile and app security and, most recently, usable security for developers and administrators. His work has been published at, among others, IEEE S&P, ACM CCS, USENIX Security, NDSS, ACM SIGCHI and SOUPS the Symposium on Usable Security and Privacy. In 2015 his ERC Starting Grant "Frontiers of Usable Security" was selected for funding.

==== The Code Behind The Vulnerability ====

* Speaker: Barry Dorrans (Microsoft)
* Presentation: https://schd.ws/hosted_files/secappdev2018/75/The%20code%20behind%20the%20vulnerability.pdf

''Abstract''

Everyone makes security mistakes, and that includes Microsoft (seriously!). Many developers can spot and prevent vulnerabilities listed in the OWASP top 10. But that narrative changes when we look beyond the scope of the OWASP top 10. Compared to some more recent attacks, fixing XSS or SQL injection almost seems easy. In this session, we dive into a couple of .NET core cases that have been reported to the Microsoft Security Response Center (MSRC). Mind you; these vulnerabilities are not just framework vulnerabilities. Instead, they are coding patterns that you may have introduced in your applications. Examples are issues with hash tables, compression, encryption, regular expressions and more. In this session, you will learn how to spot these vulnerabilities in your code. On top of that, you will walk away with the skills to fix them.

''Speaker Bio''

Barry Dorrans is the .NET Security Czar, which means he tries to tell everyone else how to code securely and taking the credit when it goes right, as well as running the .NET Core Bug Bounty. He also ends up triaging publicly and privately reported vulnerabilities when it goes wrong before getting someone else to fix the mistakes. This he gets all the fun and none of the real work, aside from the endless stress wondering when the next vulnerability will be discovered.

=== Registration ===

Registration was via EventBrite: https://owasp-belgium-2018-02-20.eventbrite.com.

=== Coverage ===

n/a

Belgium

2018-10-29T08:58:59Z

Thomas Herlea: Retired the link to the 2018-10-23 chapter meeting, which has passed.

{{Chapter Template|chaptername=Belgium|extra=The chapter leaders are [mailto:seba@owasp.org Sebastien Deleersnyder], [mailto:lieven.desmet@owasp.org Lieven Desmet] and [mailto:bart.dewin@owasp.org Bart De Win]
|mailinglistsite=http://lists.owasp.org/mailman/listinfo/owasp-belgium|emailarchives=http://lists.owasp.org/pipermail/owasp-belgium}}

= Local News =

== OWASP BeNeLux Days ==

* Our next [[OWASP BeNeLux-Days 2018|OWASP BeNeLux Days]] is on 29-30 November in the LAMOT conference center in Mechelen, Belgium.

== Upcoming Chapter Meetings ==

* The next chapter meeting will be in January 2019.

See https://www.owasp.org/index.php/Belgium#Chapter_Meetings for more details and older meetings.

== Stay in Touch ==

<center>
{| cellspacing="15"
|-
| [[Image:Meetup-logo-2x.png|120px|link=http://www.meetup.com/Belgium-OWASP-Open-Web-Application-Security-Project/]]
| [[Image:Join the list.png|150px|link=http://lists.owasp.org/mailman/listinfo/owasp-belgium]]
| [[Image:Follow-us-on-twitter.png|175px|link=https://twitter.com/owasp_be]]
| [[Image:Linkedin-button.gif|135px|link=https://www.linkedin.com/groups/37865]]
|}
</center>
If you want to be invited for the next OWASP Belgium Chapter meetings, please [http://eepurl.com/iFZtb drop us your contact info].

== Structural Sponsors 2018 ==

OWASP Belgium thanks its structural chapter supporters for 2018 and the OWASP BeNeLux Days 2017:

[http://www.vest.nl https://www.owasp.org/images/6/67/Vest.jpg]
[https://secwatch.nl https://www.owasp.org/images/f/ff/Secwatch_logo_small.png]
[[File:Avi Logo Transparent Background 300pix.png|200px|link=https://avinetworks.com/]]
[[File:LogoToreon.jpg|250px|link=https://www.toreon.com]]
[[File:Nviso_logo_RGB_baseline_200px.png|link=http://www.nviso.be]]

If you want to support our chapter, please contact [mailto:seba@owasp.org Seba Deleersnyder]

= Chapter Meetings =

{{:Belgium_Events_2018}}

== Previous Years ==

Events held in
[[Belgium Events 2017|2017]],
[[Belgium Events 2016|2016]],
[[Belgium Events 2015|2015]],
[[Belgium Events 2014|2014]],
[[Belgium Events 2013|2013]],
[[Belgium Events 2012|2012]],
[[Belgium Events 2011|2011]],
[[Belgium Events 2010|2010]],
[[Belgium Events 2009|2009]],
[[Belgium Events 2008|2008]],
[[Belgium Events 2007|2007]],
[[Belgium Events 2006|2006]],
[[Belgium Events 2005|2005]].

= Belgium OWASP Chapter Leaders =

The Belgium Chapter is supported by the following board:

Chapter Leaders
*Sebastien Deleersnyder, Toreon
*Lieven Desmet, KU Leuven
*Bart De Win, PWC

Board Members
*Erwin Geirnaert, Zion Security
*David Mathy, Freelance
*Adolfo Solero, Freelance
*Stella Dineva, Ingenico Payment Services
*Thomas Herlea, NVISO

Our goal is to professionalize the local OWASP functioning, provide in a bigger footprint to detect OWASP opportunities such as speakers/topics/sponsors/… and set a 5 year target on: Target audiences, Different events and Interactions of OWASP global – local projects.
__NOTOC__ <headertabs></headertabs>
[[Category:Europe]]

Belgium Events 2018

2018-09-27T10:53:55Z

Thomas Herlea: /* Effectively Distribute Software Security Knowledge */ Finalised abstract.

<noinclude>
These are the 2018 events of the [[Belgium|OWASP Belgium Chapter]].

Previous year: [[Belgium Events 2017|2017]].
</noinclude>


== 23 October 2018 Meeting ==

=== Where ===

* Host: [https://securecodewarrior.com/ Secure Code Warrior]

* Address ([https://goo.gl/maps/e6Ej1v44tf32 map], [https://goo.gl/maps/UoW1EM3kbfy directions], 10 minutes walk from Brugge train station)
Baron Ruzettelaan 1
8310 Assebroek

* Parking is available under the building, open from 5 p.m., the entrance is at the back:
Vestingstraat 88
8310 Assebroek

=== Agenda ===

* 18h00 - 18h50: Welcome & pizzas
* 18h50 - 19h00:  ''OWASP Update'' by Sebastien Deleersnyder (OWASP)
* 19h00 - 19h30:  ''Effectively Distribute Software Security Knowledge'' by Pieter De Cremer and Nathan Desmet (Secure Code Warrior)
* 19h30 - 19h45: Beers from Bruges break
* 19h45 - 20h25:  ''Common API Security Pitfalls'' by Philippe De Ryck (Pragmatic Web Security)
* 20h25 - 20h40: ''Thank you note'' by Matias Madou (Secure Code Warrior)
* 20h40 - 22h00: Networking and more beers from Bruges

=== Program ===

==== Effectively Distribute Software Security Knowledge ====

* Speaker: [https://www.linkedin.com/in/pdcremer/ Pieter De Cremer] ([https://twitter.com/pdcremer @pdcremer]) and [https://www.linkedin.com/in/nathan-desmet-687345aa/ Nathan Desmet] (Secure Code Warrior)
* Presentation: not yet available 

''Abstract''

Security is still a big concern in application development, as breaches appear in the media on a regular basis. Up to 90 percent of security issues are caused by problems or oversight in the code (U.S. Department of Homeland Security, “Infosheet Software Assurance”, https://www.us-cert.gov/sites/default/files/publications/infosheet_SoftwareAssurance.pdf, last accessed 2018-05-22). They are the result of errors made by the developers. At the same time, many of these issues are well known, well-documented problems. But the security experts in charge of securing the application are understaffed with an average of less than two security experts per hundred developers (Gary McGraw, Ph.D., Sammy Migues and Jacob West, “Building Security In Maturity Model (BSIMM)”, https://www.bsimm.com/, 2018). So the problem is not a lack of knowledge on security but the distribution of it without requiring costly, unscalable communication cycles between individual developers and security experts. In this talk we will outline the goal of a new approach to improve software security, focused on distributing software security knowledge so that software engineers can effectively put it into practice with minimal impact on their daily tasks.

''Speaker Bios''

'''Pieter De Cremer''' is an R&D Engineer and Security Researcher at Secure Code Warrior, where he is responsible for researching a wide variety of application vulnerabilities and developing this into new content and coding challenges for the Secure Code Warrior platform. His passion lies in empowering developers to be the first line of defence in their organisation by making security
easy to understand.

Pieter graduated with a Masters in Computer Science Engineering from the University of Ghent and is currently completing his PhD in Secure Design Programming Aid for the Internet of Things through a personal grant from the Flemish government. When he is away from his desk, Pieter has also facilitated a number of secure coding workshops with Ghent University, Howest Bruges and Antwerp University, helping students improve their secure coding skills. His repertoire of coding languages includes C, C++, Java, Python, node and Haskell.

'''Nathan Desmet''' is the Lead Engineer at Secure Code Warrior, where he is responsible for developing Sensei, a real-time correction and coaching IDE plug-in for secure coding. His passion lies in building world-class software applications that makes an impact in the way developers build software with a focus on security.

Prior to Secure Code Warrior, Nathan has worked for NVISO where he created the Cyber Security Challenge platform, the biggest computer security competition in Belgium. Nathan also co-founded Sensei Security, and founded Applix, a software consultancy firm. His clients include SMEs in the technology and legal sector.

Nathan graduated with a degree in Computer Science from the University of Howest Bruges, majoring in Computer and Cybercrime Professional.

==== Common API Security Pitfalls ====

* Speaker: [https://twitter.com/PhilippeDeRyck Philippe De Ryck] ([https://pragmaticwebsecurity.com/ Pragmatic Web Security])
* Presentation: not yet available 

''Abstract''

The shift towards an API landscape indicates a significant evolution in the way we build applications. The rise of JavaScript and mobile applications have sparked an explosion of easily-accessible REST APIs. But how do you protect access to your API? Which security aspects are no longer relevant? Which security features are an absolutely must-have, and which additional security measures do you need to take into account?

These are hard questions, as evidenced by the deployment of numerous insecure APIs. Attend this session to find out about common API security pitfalls, that often result in compromised user accounts and unauthorized access to your data. We expose the problem that lies at the root of each of these pitfalls, and offer actionable advice to address these security problems. After this session, you will know how to assess the security of your APIs, and the best practices to improve them towards the future.

''Speaker Bio''

Philippe De Ryck is the founder of Pragmatic Web Security, where he travels the world to train developers on web security and security engineering. He holds a Ph.D. in web security from KU Leuven. Google recognizes Philippe as a Google Developer Expert for his knowledge of web security and security in Angular applications.

=== Registration ===

Registration via EventBrite: https://owasp-belgium-2018-10-23.eventbrite.com

=== Coverage ===

n/a

== 17 September 2018 Meeting ==

=== Where ===

* Host: [https://ec.europa.eu European Commission]

* Address ([https://www.google.com/maps/place/Place+Madou+1,+1210+Saint-Josse-ten-Noode/ map], [https://www.google.com/maps/dir//Place+Madou+1,+1210+Saint-Josse-ten-Noode directions])
Place Madou, 1
1210 Saint-Josse-Ten-Noode

=== Agenda ===

* 18h00 - 18h50: Welcome & sandwiches
* 18h50 - 19h00: [https://www.owasp.org/images/9/9b/Owasp_Belgium_update_2018-09-17_v1.pptx OWASP Update] by Sebastien Deleersnyder (OWASP)
* 19h00 - 19h10: ''Intro by the EC'' by Miguel Soria Machado (Head of Sector CSIRC, DIGIT IT Security Directorate, European Commission)
* 19h10 - 20h00: [https://www.owasp.org/images/1/17/Dirk_Wetter_-_Docker_Security_Brussels.pdf Docker Threat Modeling and Top 10] by Dirk Wetter
* 20h00 - 20h10: Break
* 20h10 - 21h00: [https://www.owasp.org/images/1/1c/Securing_Containers_on_the_High_Seas_%28OWASP_Belgium_September_17-09-2018%29.pdf Securing Containers on the High Seas] by Jack Mannino (nVisium)
* 21h00 - 21h30: Networking drink

=== Program ===

==== Docker Threat Modeling and Top 10 ====

* Speaker: [https://twitter.com/drwetter Dirk Wetter]
* Presentation: https://www.owasp.org/images/1/17/Dirk_Wetter_-_Docker_Security_Brussels.pdf

''Abstract''

Docker containers offer several advantages for developers. Most notably they fit perfectly in software development processes, they enable fast, reproducible deployments and when properly done, with little change the same container can run either in a test or production environment.

Despite threatening information out there Docker offers per se also several security advantages. However it is important to make use of them and as a minimum avoid several pitfalls. In a worst case scenario this can lead otherwise to less security or the security benefits which the containment
technology offers are not being used at all.

To avoid this a proper fundamental approach is needed.

Thus this talk models first the most important threats to containerized environments out there. Based on that the speaker will present 10 security bullet points which covers:

* important Do's and Dont's,
* for advanced needs how to tighten security further.

At the end the speaker gives advice how to check your Docker and Kubernetes security status yourself.

The talk is based on practical experiences at several costumers and on the speaker's solid network and systems security expertise.

''Speaker Bio''

Dirk Wetter (Ph.D.) is an independent security consultant with more than 20 years professional experience in information security with a broad technical and information security management background.

His primary focus nowadays is around web application security. He has also a solid background on network and systems security.

He's also founder and maintainer of the open source project testssl.sh which checks the encryption of every SSL/TLS enabled service.

==== Securing Containers on the High Seas ====

* Speaker: [https://twitter.com/jack_mannino Jack Mannino] (nVisium)
* Presentation: https://www.owasp.org/images/1/1c/Securing_Containers_on_the_High_Seas_%28OWASP_Belgium_September_17-09-2018%29.pdf

''Abstract''

It can be a difficult challenge for organizations to securely migrate to containers while shifting processes and security controls. Making the move from legacy virtualization and monolithic deployments to containers requires a solid strategy. Containers offer many inherent security benefits but it’s important to build controls in beyond the containers themselves. From development through container registries and deployment to a runtime environment, it’s important to enforce security and eliminate risks as they’re introduced.

This presentation will focus on scaling container security within an enterprise and building security controls into the way you build, ship, and run containerized services. We will discuss the modern container landscape including different container runtimes and isolation models. We will explore the container lifecycle from your developer’s laptop through your production environment and examine the key security problems to mitigate.

''Speaker Bios''

Jack Mannino is the CEO of nVisium. Passionate about security and impossible to keep away from a keyboard, his expertise spans over 15 years of building, breaking, and securing software. Jack founded nVisium in 2009, and since has helped the world's largest software teams enhance security across their software portfolios. He has spoken at conferences globally on topics such as secure design, mobile application security, and cloud-native security.

=== Registration ===

Two step registration:

# Registration was via EventBrite: https://owasp-belgium-2018-09-17.eventbrite.com.
# Pre-registration of participants' ID documents, necessary for passing security checkpoint at the entrance to the site was via: https://ec.europa.eu/eusurvey/runner/OWASPBelgiumChapterMeetingSept17. The deadline for this registration was ''Sunday, September 16th midnight''.

=== Coverage ===

n/a

== 19 March 2018 Meeting ==

=== Where ===

* Host: [https://www.ing.be ING Belgium]

* Address ([https://branches.ing.be/branch/1040_bxl-non-residents map])
Cours St Michel 60
1040 Brussel

=== Agenda ===

* 18h15 - 19h00: Welcome & sandwiches
* 19h00 - 19h10: ''OWASP Update'' by Sebastien Deleersnyder (OWASP)
* 19h10 - 20h00: ''KRACKing WPA2 in Practice Using Key Reinstallation Attacks''  by Mathy Vanhoef (imec-DistriNet-KU Leuven)
* 20h00 - 20h10: Break
* 20h10 - 21h00: ''Making the web secure by design''  by Glenn Ten Cate (ING Belgium) and Riccardo Ten Cate (Xebia)
* 21h00 - 21h30: Networking drink

=== Program ===

==== KRACKing WPA2 in Practice Using Key Reinstallation Attacks ====

* Speaker: Mathy Vanhoef (imec-DistriNet-KU Leuven)
* Presentation: not yet available 

''Abstract''

This talk presents the key reinstallation attack against WPA2 (KRACK attack). It abuses design or implementation flaws in cryptographic protocols to reinstall an already-in-use key. This resets the key’s associated parameters such as transmit nonces and receive replay counters. Several cryptographic Wi-Fi handshakes are affected by the attack.

All protected Wi-Fi networks use the 4-way handshake to generate a fresh session key. So far, this 14-year-old handshake has remained free from attacks. However, we show that the 4-way handshake is vulnerable to a key reinstallation attack. Here, the adversary tricks a victim into reinstalling an already-in-use key. This is achieved by manipulating and replaying handshake messages. When reinstalling the key, associated parameters such as the incremental transmit packet number (nonce) and receive packet number (replay counter) are reset to their initial value.

The talk also discusses the vulnerability disclosure process that was followed. Since the discovery affected numerous vendors, coordinating the disclosure was non-trivial.

''Speaker Bio''

Mathy Vanhoef is a postdoctoral researcher at KU Leuven. He did his PhD on the security of WPA-TKIP, TLS, and RC4. His research interest is in computer security with a focus on wireless security (e.g. Wi-Fi), network protocols in general, the RC4 stream cipher (where he discovered the RC NOMORE attack), and software security (discovering and exploiting vulnerabilities). Currently his main research is about automatically discovering vulnerabilities in network protocol implementations, and proving the correctness of protocol implementations.

==== Making the web secure by design ====

* Speaker: Glenn Ten Cate (ING Belgium) and Riccardo Ten Cate (Xebia)
* Presentation: not yet available 

''Abstract''

Education is the first step in the Secure Software Development Lifecycle. The free OWASP Security Knowledge Framework (SKF) is intended to be a tool that is used as a guide for building and verifying secure software. It can also be used to train developers about application security. This talk will help you as a developer to become THE Neo of your development team. We will show how you can do security by design and introduce other quality gates into your development pipeline to ensure high end quality and security of your project.

''Speaker Bios''

As a coder, hacker, speaker, trainer and security researcher employed at ING Belgium, '''Glenn Ten Cate''' has over 10 years experience in the field of security. One of the founders of defensive development [defdev] a security training and conference series dedicated to helping you build and maintain secure software and also speaking at multiple other security conferences in the world. His goals is to create an open-source software development life cycle with the tools and knowledge gathered over the years.

As a penetration tester from the Netherlands employed at Xebia, '''Riccardo Ten Cate''' specialises in web-application security and has extensive knowledge in securing web applications in multiple coding languages. He is also a specialist in setting up Secure Software Development Life Cycles.

=== Registration ===

Registration was via EventBrite: https://owasp-belgium-2018-03-19.eventbrite.com.

=== Coverage ===

n/a

== 20 February 2018 Meeting ==

=== Where ===

* Host: [https://distrinet.cs.kuleuven.be DistriNet Research Group (KU Leuven)] (Both speakers are faculty of the [https://www.secappdev.org/ Secure Application Development] course held in Leuven from 2018-02-19 to 2018-02-23.)

* Address ([http://googlemapsinterface.kuleuven.be/index.cgi?lang=N&nbol=(50.864186697481145,%204.678754210472107)&zoomlevel=17&plaatsnaam=Department+of+Computer+Science&maptype=roadmap map], [https://distrinet.cs.kuleuven.be/about/route/ directions]):
Department of Computer Science (foyer at ground floor)
Celestijnenlaan 200 A
3001 Heverlee

=== Agenda ===

*18h15 - 19h00: Welcome & sandwiches
*19h00 - 19h10: [https://www.owasp.org/images/7/7a/Owasp_Belgium_update_2018-02-20_v1.pdf OWASP Update] by Sebastien Deleersnyder (OWASP)
*19h10 - 20h00: [https://schd.ws/hosted_files/secappdev2018/a9/Developer%20are%20not%20the%20enemy%20SecAppDev%20web.pdf Developers are not the enemy -- Usable Security for Experts] by Prof. Matthew Smith (University of Bonn)
*20h00 - 20h10: Break
*20h10 - 21h00: [https://schd.ws/hosted_files/secappdev2018/75/The%20code%20behind%20the%20vulnerability.pdf The Code Behind The Vulnerability] by Barry Dorrans (Microsoft)

=== Program ===

==== Developers are not the enemy -- Usable Security for Experts ====

* Speaker: Prof. Matthew Smith (University of Bonn)
* Presentation: https://schd.ws/hosted_files/secappdev2018/a9/Developer%20are%20not%20the%20enemy%20SecAppDev%20web.pdf

''Abstract''

Usability problems are a major cause of many of today's IT-security incidents. Security systems are often too complicated, time-consuming, and error prone. For more than a decade researchers in the domain of usable security (USEC) have attempted to combat these problems by conducting interdisciplinary research focusing on the root causes of the problems and on the creation of usable security mechanisms. While major improvements have been made, to date USEC research has focused almost entirely on the non-expert end-user. However, many of the most catastrophic security incidents were not caused by end-users, but by developers or administrators. Heartbleed and Shellshock were both caused by single developers yet had global consequences. The Sony hack in 2014 compromised an entire multi-national IT-infrastructure and misappropriated over 100 TB of data, unnoticed. Fundamentally, every software vulnerability and misconfigured system is caused by developers or administrators making mistakes, but very little research has been done into the underlying causalities and possible mitigation strategies. In this talk we will explore the transition from end-user to expert usable security research and look at several application areas, including TLS, passwords, malware analysis and vulnerability analysis.

''Speaker Bio''

Matthew Smith is a Professor for Usable Security and Privacy at the University of Bonn. His research is focused on human factors of security and privacy mechanisms with a wide range of application areas, including TLS and network security, authentication, mobile and app security and, most recently, usable security for developers and administrators. His work has been published at, among others, IEEE S&P, ACM CCS, USENIX Security, NDSS, ACM SIGCHI and SOUPS the Symposium on Usable Security and Privacy. In 2015 his ERC Starting Grant "Frontiers of Usable Security" was selected for funding.

==== The Code Behind The Vulnerability ====

* Speaker: Barry Dorrans (Microsoft)
* Presentation: https://schd.ws/hosted_files/secappdev2018/75/The%20code%20behind%20the%20vulnerability.pdf

''Abstract''

Everyone makes security mistakes, and that includes Microsoft (seriously!). Many developers can spot and prevent vulnerabilities listed in the OWASP top 10. But that narrative changes when we look beyond the scope of the OWASP top 10. Compared to some more recent attacks, fixing XSS or SQL injection almost seems easy. In this session, we dive into a couple of .NET core cases that have been reported to the Microsoft Security Response Center (MSRC). Mind you; these vulnerabilities are not just framework vulnerabilities. Instead, they are coding patterns that you may have introduced in your applications. Examples are issues with hash tables, compression, encryption, regular expressions and more. In this session, you will learn how to spot these vulnerabilities in your code. On top of that, you will walk away with the skills to fix them.

''Speaker Bio''

Barry Dorrans is the .NET Security Czar, which means he tries to tell everyone else how to code securely and taking the credit when it goes right, as well as running the .NET Core Bug Bounty. He also ends up triaging publicly and privately reported vulnerabilities when it goes wrong before getting someone else to fix the mistakes. This he gets all the fun and none of the real work, aside from the endless stress wondering when the next vulnerability will be discovered.

=== Registration ===

Registration was via EventBrite: https://owasp-belgium-2018-02-20.eventbrite.com.

=== Coverage ===

n/a

Belgium Events 2018

2018-09-26T22:17:21Z

Thomas Herlea: /* Effectively Distribute Software Security Knowledge */ Replaced references with simple parentheses, as the necessary module is not installed.

<noinclude>
These are the 2018 events of the [[Belgium|OWASP Belgium Chapter]].

Previous year: [[Belgium Events 2017|2017]].
</noinclude>


== 23 October 2018 Meeting ==

=== Where ===

* Host: [https://securecodewarrior.com/ Secure Code Warrior]

* Address ([https://goo.gl/maps/e6Ej1v44tf32 map], [https://goo.gl/maps/UoW1EM3kbfy directions], 10 minutes walk from Brugge train station)
Baron Ruzettelaan 1
8310 Assebroek

* Parking is available under the building, open from 5 p.m., the entrance is at the back:
Vestingstraat 88
8310 Assebroek

=== Agenda ===

* 18h00 - 18h50: Welcome & pizzas
* 18h50 - 19h00:  ''OWASP Update'' by Sebastien Deleersnyder (OWASP)
* 19h00 - 19h30:  ''Effectively Distribute Software Security Knowledge'' by Pieter De Cremer and Nathan Desmet (Secure Code Warrior)
* 19h30 - 19h45: Beers from Bruges break
* 19h45 - 20h25:  ''Common API Security Pitfalls'' by Philippe De Ryck (Pragmatic Web Security)
* 20h25 - 20h40: ''Thank you note'' by Matias Madou (Secure Code Warrior)
* 20h40 - 22h00: Networking and more beers from Bruges

=== Program ===

==== Effectively Distribute Software Security Knowledge ====

* Speaker: [https://www.linkedin.com/in/pdcremer/ Pieter De Cremer] ([https://twitter.com/pdcremer @pdcremer]) and [https://www.linkedin.com/in/nathan-desmet-687345aa/ Nathan Desmet] (Secure Code Warrior)
* Presentation: not yet available 

''Abstract''

Security is still a big concern in application development, as breaches appear in the media on a regular basis. Up to 90 percent of security issues are caused by problems or oversight in the code (U. D. of Homeland Security, “Infosheet Software Assurance”, https://www.us-cert.gov/sites/default/files/publications/infosheet_SoftwareAssurance.pdf, last accessed 2018-05-22). They are the result of errors made by the developers. At the same time, many of these issues are well known, well-documented problems. But the security experts in charge of securing the application are understaffed with an average of less than two security experts per hundred developers (S. M. Gary McGraw, Ph.D. and J. West, “Building Security In Maturity Model (BSIMM)”, https://www.bsimm.com/, 2018). So the problem is not a lack of knowledge on security but the distribution of it without requiring costly, unscalable communication cycles between individual developers and security experts. In this talk we will outline the goal of a new approach to improve software security, focused on distributing software security knowledge so that software engineers can effectively put it into practice with minimal impact on their daily tasks.

''Speaker Bios''

'''Pieter De Cremer''' is an R&D Engineer and Security Researcher at Secure Code Warrior, where he is responsible for researching a wide variety of application vulnerabilities and developing this into new content and coding challenges for the Secure Code Warrior platform. His passion lies in empowering developers to be the first line of defence in their organisation by making security
easy to understand.

Pieter graduated with a Masters in Computer Science Engineering from the University of Ghent and is currently completing his PhD in Secure Design Programming Aid for the Internet of Things through a personal grant from the Flemish government. When he is away from his desk, Pieter has also facilitated a number of secure coding workshops with Ghent University, Howest Bruges and Antwerp University, helping students improve their secure coding skills. His repertoire of coding languages includes C, C++, Java, Python, node and Haskell.

'''Nathan Desmet''' is the Lead Engineer at Secure Code Warrior, where he is responsible for developing Sensei, a real-time correction and coaching IDE plug-in for secure coding. His passion lies in building world-class software applications that makes an impact in the way developers build software with a focus on security.

Prior to Secure Code Warrior, Nathan has worked for NVISO where he created the Cyber Security Challenge platform, the biggest computer security competition in Belgium. Nathan also co-founded Sensei Security, and founded Applix, a software consultancy firm. His clients include SMEs in the technology and legal sector.

Nathan graduated with a degree in Computer Science from the University of Howest Bruges, majoring in Computer and Cybercrime Professional.

==== Common API Security Pitfalls ====

* Speaker: [https://twitter.com/PhilippeDeRyck Philippe De Ryck] ([https://pragmaticwebsecurity.com/ Pragmatic Web Security])
* Presentation: not yet available 

''Abstract''

The shift towards an API landscape indicates a significant evolution in the way we build applications. The rise of JavaScript and mobile applications have sparked an explosion of easily-accessible REST APIs. But how do you protect access to your API? Which security aspects are no longer relevant? Which security features are an absolutely must-have, and which additional security measures do you need to take into account?

These are hard questions, as evidenced by the deployment of numerous insecure APIs. Attend this session to find out about common API security pitfalls, that often result in compromised user accounts and unauthorized access to your data. We expose the problem that lies at the root of each of these pitfalls, and offer actionable advice to address these security problems. After this session, you will know how to assess the security of your APIs, and the best practices to improve them towards the future.

''Speaker Bio''

Philippe De Ryck is the founder of Pragmatic Web Security, where he travels the world to train developers on web security and security engineering. He holds a Ph.D. in web security from KU Leuven. Google recognizes Philippe as a Google Developer Expert for his knowledge of web security and security in Angular applications.

=== Registration ===

Registration via EventBrite: coming soon 

=== Coverage ===

n/a

== 17 September 2018 Meeting ==

=== Where ===

* Host: [https://ec.europa.eu European Commission]

* Address ([https://www.google.com/maps/place/Place+Madou+1,+1210+Saint-Josse-ten-Noode/ map], [https://www.google.com/maps/dir//Place+Madou+1,+1210+Saint-Josse-ten-Noode directions])
Place Madou, 1
1210 Saint-Josse-Ten-Noode

=== Agenda ===

* 18h00 - 18h50: Welcome & sandwiches
* 18h50 - 19h00: [https://www.owasp.org/images/9/9b/Owasp_Belgium_update_2018-09-17_v1.pptx OWASP Update] by Sebastien Deleersnyder (OWASP)
* 19h00 - 19h10: ''Intro by the EC'' by Miguel Soria Machado (Head of Sector CSIRC, DIGIT IT Security Directorate, European Commission)
* 19h10 - 20h00: [https://www.owasp.org/images/1/17/Dirk_Wetter_-_Docker_Security_Brussels.pdf Docker Threat Modeling and Top 10] by Dirk Wetter
* 20h00 - 20h10: Break
* 20h10 - 21h00: [https://www.owasp.org/images/1/1c/Securing_Containers_on_the_High_Seas_%28OWASP_Belgium_September_17-09-2018%29.pdf Securing Containers on the High Seas] by Jack Mannino (nVisium)
* 21h00 - 21h30: Networking drink

=== Program ===

==== Docker Threat Modeling and Top 10 ====

* Speaker: [https://twitter.com/drwetter Dirk Wetter]
* Presentation: https://www.owasp.org/images/1/17/Dirk_Wetter_-_Docker_Security_Brussels.pdf

''Abstract''

Docker containers offer several advantages for developers. Most notably they fit perfectly in software development processes, they enable fast, reproducible deployments and when properly done, with little change the same container can run either in a test or production environment.

Despite threatening information out there Docker offers per se also several security advantages. However it is important to make use of them and as a minimum avoid several pitfalls. In a worst case scenario this can lead otherwise to less security or the security benefits which the containment
technology offers are not being used at all.

To avoid this a proper fundamental approach is needed.

Thus this talk models first the most important threats to containerized environments out there. Based on that the speaker will present 10 security bullet points which covers:

* important Do's and Dont's,
* for advanced needs how to tighten security further.

At the end the speaker gives advice how to check your Docker and Kubernetes security status yourself.

The talk is based on practical experiences at several costumers and on the speaker's solid network and systems security expertise.

''Speaker Bio''

Dirk Wetter (Ph.D.) is an independent security consultant with more than 20 years professional experience in information security with a broad technical and information security management background.

His primary focus nowadays is around web application security. He has also a solid background on network and systems security.

He's also founder and maintainer of the open source project testssl.sh which checks the encryption of every SSL/TLS enabled service.

==== Securing Containers on the High Seas ====

* Speaker: [https://twitter.com/jack_mannino Jack Mannino] (nVisium)
* Presentation: https://www.owasp.org/images/1/1c/Securing_Containers_on_the_High_Seas_%28OWASP_Belgium_September_17-09-2018%29.pdf

''Abstract''

It can be a difficult challenge for organizations to securely migrate to containers while shifting processes and security controls. Making the move from legacy virtualization and monolithic deployments to containers requires a solid strategy. Containers offer many inherent security benefits but it’s important to build controls in beyond the containers themselves. From development through container registries and deployment to a runtime environment, it’s important to enforce security and eliminate risks as they’re introduced.

This presentation will focus on scaling container security within an enterprise and building security controls into the way you build, ship, and run containerized services. We will discuss the modern container landscape including different container runtimes and isolation models. We will explore the container lifecycle from your developer’s laptop through your production environment and examine the key security problems to mitigate.

''Speaker Bios''

Jack Mannino is the CEO of nVisium. Passionate about security and impossible to keep away from a keyboard, his expertise spans over 15 years of building, breaking, and securing software. Jack founded nVisium in 2009, and since has helped the world's largest software teams enhance security across their software portfolios. He has spoken at conferences globally on topics such as secure design, mobile application security, and cloud-native security.

=== Registration ===

Two step registration:

# Registration was via EventBrite: https://owasp-belgium-2018-09-17.eventbrite.com.
# Pre-registration of participants' ID documents, necessary for passing security checkpoint at the entrance to the site was via: https://ec.europa.eu/eusurvey/runner/OWASPBelgiumChapterMeetingSept17. The deadline for this registration was ''Sunday, September 16th midnight''.

=== Coverage ===

n/a

== 19 March 2018 Meeting ==

=== Where ===

* Host: [https://www.ing.be ING Belgium]

* Address ([https://branches.ing.be/branch/1040_bxl-non-residents map])
Cours St Michel 60
1040 Brussel

=== Agenda ===

* 18h15 - 19h00: Welcome & sandwiches
* 19h00 - 19h10: ''OWASP Update'' by Sebastien Deleersnyder (OWASP)
* 19h10 - 20h00: ''KRACKing WPA2 in Practice Using Key Reinstallation Attacks''  by Mathy Vanhoef (imec-DistriNet-KU Leuven)
* 20h00 - 20h10: Break
* 20h10 - 21h00: ''Making the web secure by design''  by Glenn Ten Cate (ING Belgium) and Riccardo Ten Cate (Xebia)
* 21h00 - 21h30: Networking drink

=== Program ===

==== KRACKing WPA2 in Practice Using Key Reinstallation Attacks ====

* Speaker: Mathy Vanhoef (imec-DistriNet-KU Leuven)
* Presentation: not yet available 

''Abstract''

This talk presents the key reinstallation attack against WPA2 (KRACK attack). It abuses design or implementation flaws in cryptographic protocols to reinstall an already-in-use key. This resets the key’s associated parameters such as transmit nonces and receive replay counters. Several cryptographic Wi-Fi handshakes are affected by the attack.

All protected Wi-Fi networks use the 4-way handshake to generate a fresh session key. So far, this 14-year-old handshake has remained free from attacks. However, we show that the 4-way handshake is vulnerable to a key reinstallation attack. Here, the adversary tricks a victim into reinstalling an already-in-use key. This is achieved by manipulating and replaying handshake messages. When reinstalling the key, associated parameters such as the incremental transmit packet number (nonce) and receive packet number (replay counter) are reset to their initial value.

The talk also discusses the vulnerability disclosure process that was followed. Since the discovery affected numerous vendors, coordinating the disclosure was non-trivial.

''Speaker Bio''

Mathy Vanhoef is a postdoctoral researcher at KU Leuven. He did his PhD on the security of WPA-TKIP, TLS, and RC4. His research interest is in computer security with a focus on wireless security (e.g. Wi-Fi), network protocols in general, the RC4 stream cipher (where he discovered the RC NOMORE attack), and software security (discovering and exploiting vulnerabilities). Currently his main research is about automatically discovering vulnerabilities in network protocol implementations, and proving the correctness of protocol implementations.

==== Making the web secure by design ====

* Speaker: Glenn Ten Cate (ING Belgium) and Riccardo Ten Cate (Xebia)
* Presentation: not yet available 

''Abstract''

Education is the first step in the Secure Software Development Lifecycle. The free OWASP Security Knowledge Framework (SKF) is intended to be a tool that is used as a guide for building and verifying secure software. It can also be used to train developers about application security. This talk will help you as a developer to become THE Neo of your development team. We will show how you can do security by design and introduce other quality gates into your development pipeline to ensure high end quality and security of your project.

''Speaker Bios''

As a coder, hacker, speaker, trainer and security researcher employed at ING Belgium, '''Glenn Ten Cate''' has over 10 years experience in the field of security. One of the founders of defensive development [defdev] a security training and conference series dedicated to helping you build and maintain secure software and also speaking at multiple other security conferences in the world. His goals is to create an open-source software development life cycle with the tools and knowledge gathered over the years.

As a penetration tester from the Netherlands employed at Xebia, '''Riccardo Ten Cate''' specialises in web-application security and has extensive knowledge in securing web applications in multiple coding languages. He is also a specialist in setting up Secure Software Development Life Cycles.

=== Registration ===

Registration was via EventBrite: https://owasp-belgium-2018-03-19.eventbrite.com.

=== Coverage ===

n/a

== 20 February 2018 Meeting ==

=== Where ===

* Host: [https://distrinet.cs.kuleuven.be DistriNet Research Group (KU Leuven)] (Both speakers are faculty of the [https://www.secappdev.org/ Secure Application Development] course held in Leuven from 2018-02-19 to 2018-02-23.)

* Address ([http://googlemapsinterface.kuleuven.be/index.cgi?lang=N&nbol=(50.864186697481145,%204.678754210472107)&zoomlevel=17&plaatsnaam=Department+of+Computer+Science&maptype=roadmap map], [https://distrinet.cs.kuleuven.be/about/route/ directions]):
Department of Computer Science (foyer at ground floor)
Celestijnenlaan 200 A
3001 Heverlee

=== Agenda ===

*18h15 - 19h00: Welcome & sandwiches
*19h00 - 19h10: [https://www.owasp.org/images/7/7a/Owasp_Belgium_update_2018-02-20_v1.pdf OWASP Update] by Sebastien Deleersnyder (OWASP)
*19h10 - 20h00: [https://schd.ws/hosted_files/secappdev2018/a9/Developer%20are%20not%20the%20enemy%20SecAppDev%20web.pdf Developers are not the enemy -- Usable Security for Experts] by Prof. Matthew Smith (University of Bonn)
*20h00 - 20h10: Break
*20h10 - 21h00: [https://schd.ws/hosted_files/secappdev2018/75/The%20code%20behind%20the%20vulnerability.pdf The Code Behind The Vulnerability] by Barry Dorrans (Microsoft)

=== Program ===

==== Developers are not the enemy -- Usable Security for Experts ====

* Speaker: Prof. Matthew Smith (University of Bonn)
* Presentation: https://schd.ws/hosted_files/secappdev2018/a9/Developer%20are%20not%20the%20enemy%20SecAppDev%20web.pdf

''Abstract''

Usability problems are a major cause of many of today's IT-security incidents. Security systems are often too complicated, time-consuming, and error prone. For more than a decade researchers in the domain of usable security (USEC) have attempted to combat these problems by conducting interdisciplinary research focusing on the root causes of the problems and on the creation of usable security mechanisms. While major improvements have been made, to date USEC research has focused almost entirely on the non-expert end-user. However, many of the most catastrophic security incidents were not caused by end-users, but by developers or administrators. Heartbleed and Shellshock were both caused by single developers yet had global consequences. The Sony hack in 2014 compromised an entire multi-national IT-infrastructure and misappropriated over 100 TB of data, unnoticed. Fundamentally, every software vulnerability and misconfigured system is caused by developers or administrators making mistakes, but very little research has been done into the underlying causalities and possible mitigation strategies. In this talk we will explore the transition from end-user to expert usable security research and look at several application areas, including TLS, passwords, malware analysis and vulnerability analysis.

''Speaker Bio''

Matthew Smith is a Professor for Usable Security and Privacy at the University of Bonn. His research is focused on human factors of security and privacy mechanisms with a wide range of application areas, including TLS and network security, authentication, mobile and app security and, most recently, usable security for developers and administrators. His work has been published at, among others, IEEE S&P, ACM CCS, USENIX Security, NDSS, ACM SIGCHI and SOUPS the Symposium on Usable Security and Privacy. In 2015 his ERC Starting Grant "Frontiers of Usable Security" was selected for funding.

==== The Code Behind The Vulnerability ====

* Speaker: Barry Dorrans (Microsoft)
* Presentation: https://schd.ws/hosted_files/secappdev2018/75/The%20code%20behind%20the%20vulnerability.pdf

''Abstract''

Everyone makes security mistakes, and that includes Microsoft (seriously!). Many developers can spot and prevent vulnerabilities listed in the OWASP top 10. But that narrative changes when we look beyond the scope of the OWASP top 10. Compared to some more recent attacks, fixing XSS or SQL injection almost seems easy. In this session, we dive into a couple of .NET core cases that have been reported to the Microsoft Security Response Center (MSRC). Mind you; these vulnerabilities are not just framework vulnerabilities. Instead, they are coding patterns that you may have introduced in your applications. Examples are issues with hash tables, compression, encryption, regular expressions and more. In this session, you will learn how to spot these vulnerabilities in your code. On top of that, you will walk away with the skills to fix them.

''Speaker Bio''

Barry Dorrans is the .NET Security Czar, which means he tries to tell everyone else how to code securely and taking the credit when it goes right, as well as running the .NET Core Bug Bounty. He also ends up triaging publicly and privately reported vulnerabilities when it goes wrong before getting someone else to fix the mistakes. This he gets all the fun and none of the real work, aside from the endless stress wondering when the next vulnerability will be discovered.

=== Registration ===

Registration was via EventBrite: https://owasp-belgium-2018-02-20.eventbrite.com.

=== Coverage ===

n/a

Belgium Events 2018

2018-09-26T21:58:48Z

Thomas Herlea: /* Effectively Distribute Software Security Knowledge */ Added abstract with 1st attempt at references.

<noinclude>
These are the 2018 events of the [[Belgium|OWASP Belgium Chapter]].

Previous year: [[Belgium Events 2017|2017]].
</noinclude>


== 23 October 2018 Meeting ==

=== Where ===

* Host: [https://securecodewarrior.com/ Secure Code Warrior]

* Address ([https://goo.gl/maps/e6Ej1v44tf32 map], [https://goo.gl/maps/UoW1EM3kbfy directions], 10 minutes walk from Brugge train station)
Baron Ruzettelaan 1
8310 Assebroek

* Parking is available under the building, open from 5 p.m., the entrance is at the back:
Vestingstraat 88
8310 Assebroek

=== Agenda ===

* 18h00 - 18h50: Welcome & pizzas
* 18h50 - 19h00:  ''OWASP Update'' by Sebastien Deleersnyder (OWASP)
* 19h00 - 19h30:  ''Effectively Distribute Software Security Knowledge'' by Pieter De Cremer and Nathan Desmet (Secure Code Warrior)
* 19h30 - 19h45: Beers from Bruges break
* 19h45 - 20h25:  ''Common API Security Pitfalls'' by Philippe De Ryck (Pragmatic Web Security)
* 20h25 - 20h40: ''Thank you note'' by Matias Madou (Secure Code Warrior)
* 20h40 - 22h00: Networking and more beers from Bruges

=== Program ===

==== Effectively Distribute Software Security Knowledge ====

* Speaker: [https://www.linkedin.com/in/pdcremer/ Pieter De Cremer] ([https://twitter.com/pdcremer @pdcremer]) and [https://www.linkedin.com/in/nathan-desmet-687345aa/ Nathan Desmet] (Secure Code Warrior)
* Presentation: not yet available 

''Abstract''

Security is still a big concern in application development, as breaches appear in the media on a regular basis. Up to 90 percent of security issues are caused by problems or oversight in the code <ref>U. D. of Homeland Security, “Infosheet Software Assurance”, https://www.us-cert.gov/sites/default/files/publications/infosheet_SoftwareAssurance.pdf, last accessed 2018-05-22</ref>. They are the result of errors made by the developers. At the same time, many of these issues are well known, well-documented problems. But the security experts in charge of securing the application are understaffed with an average of less than two security experts per hundred developers <ref>S. M. Gary McGraw, Ph.D. and J. West, “Building Security In Maturity Model (BSIMM)”, https://www.bsimm.com/, 2018</ref>. So the problem is not a lack of knowledge on security but the distribution of it without requiring costly, unscalable communication cycles between individual developers and security experts. In this talk we will outline the goal of a new approach to improve software security, focused on distributing software security knowledge so that software engineers can effectively put it into practice with minimal impact on their daily tasks.

<references />

''Speaker Bios''

'''Pieter De Cremer''' is an R&D Engineer and Security Researcher at Secure Code Warrior, where he is responsible for researching a wide variety of application vulnerabilities and developing this into new content and coding challenges for the Secure Code Warrior platform. His passion lies in empowering developers to be the first line of defence in their organisation by making security
easy to understand.

Pieter graduated with a Masters in Computer Science Engineering from the University of Ghent and is currently completing his PhD in Secure Design Programming Aid for the Internet of Things through a personal grant from the Flemish government. When he is away from his desk, Pieter has also facilitated a number of secure coding workshops with Ghent University, Howest Bruges and Antwerp University, helping students improve their secure coding skills. His repertoire of coding languages includes C, C++, Java, Python, node and Haskell.

'''Nathan Desmet''' is the Lead Engineer at Secure Code Warrior, where he is responsible for developing Sensei, a real-time correction and coaching IDE plug-in for secure coding. His passion lies in building world-class software applications that makes an impact in the way developers build software with a focus on security.

Prior to Secure Code Warrior, Nathan has worked for NVISO where he created the Cyber Security Challenge platform, the biggest computer security competition in Belgium. Nathan also co-founded Sensei Security, and founded Applix, a software consultancy firm. His clients include SMEs in the technology and legal sector.

Nathan graduated with a degree in Computer Science from the University of Howest Bruges, majoring in Computer and Cybercrime Professional.

==== Common API Security Pitfalls ====

* Speaker: [https://twitter.com/PhilippeDeRyck Philippe De Ryck] ([https://pragmaticwebsecurity.com/ Pragmatic Web Security])
* Presentation: not yet available 

''Abstract''

The shift towards an API landscape indicates a significant evolution in the way we build applications. The rise of JavaScript and mobile applications have sparked an explosion of easily-accessible REST APIs. But how do you protect access to your API? Which security aspects are no longer relevant? Which security features are an absolutely must-have, and which additional security measures do you need to take into account?

These are hard questions, as evidenced by the deployment of numerous insecure APIs. Attend this session to find out about common API security pitfalls, that often result in compromised user accounts and unauthorized access to your data. We expose the problem that lies at the root of each of these pitfalls, and offer actionable advice to address these security problems. After this session, you will know how to assess the security of your APIs, and the best practices to improve them towards the future.

''Speaker Bio''

Philippe De Ryck is the founder of Pragmatic Web Security, where he travels the world to train developers on web security and security engineering. He holds a Ph.D. in web security from KU Leuven. Google recognizes Philippe as a Google Developer Expert for his knowledge of web security and security in Angular applications.

=== Registration ===

Registration via EventBrite: coming soon 

=== Coverage ===

n/a

== 17 September 2018 Meeting ==

=== Where ===

* Host: [https://ec.europa.eu European Commission]

* Address ([https://www.google.com/maps/place/Place+Madou+1,+1210+Saint-Josse-ten-Noode/ map], [https://www.google.com/maps/dir//Place+Madou+1,+1210+Saint-Josse-ten-Noode directions])
Place Madou, 1
1210 Saint-Josse-Ten-Noode

=== Agenda ===

* 18h00 - 18h50: Welcome & sandwiches
* 18h50 - 19h00: [https://www.owasp.org/images/9/9b/Owasp_Belgium_update_2018-09-17_v1.pptx OWASP Update] by Sebastien Deleersnyder (OWASP)
* 19h00 - 19h10: ''Intro by the EC'' by Miguel Soria Machado (Head of Sector CSIRC, DIGIT IT Security Directorate, European Commission)
* 19h10 - 20h00: [https://www.owasp.org/images/1/17/Dirk_Wetter_-_Docker_Security_Brussels.pdf Docker Threat Modeling and Top 10] by Dirk Wetter
* 20h00 - 20h10: Break
* 20h10 - 21h00: [https://www.owasp.org/images/1/1c/Securing_Containers_on_the_High_Seas_%28OWASP_Belgium_September_17-09-2018%29.pdf Securing Containers on the High Seas] by Jack Mannino (nVisium)
* 21h00 - 21h30: Networking drink

=== Program ===

==== Docker Threat Modeling and Top 10 ====

* Speaker: [https://twitter.com/drwetter Dirk Wetter]
* Presentation: https://www.owasp.org/images/1/17/Dirk_Wetter_-_Docker_Security_Brussels.pdf

''Abstract''

Docker containers offer several advantages for developers. Most notably they fit perfectly in software development processes, they enable fast, reproducible deployments and when properly done, with little change the same container can run either in a test or production environment.

Despite threatening information out there Docker offers per se also several security advantages. However it is important to make use of them and as a minimum avoid several pitfalls. In a worst case scenario this can lead otherwise to less security or the security benefits which the containment
technology offers are not being used at all.

To avoid this a proper fundamental approach is needed.

Thus this talk models first the most important threats to containerized environments out there. Based on that the speaker will present 10 security bullet points which covers:

* important Do's and Dont's,
* for advanced needs how to tighten security further.

At the end the speaker gives advice how to check your Docker and Kubernetes security status yourself.

The talk is based on practical experiences at several costumers and on the speaker's solid network and systems security expertise.

''Speaker Bio''

Dirk Wetter (Ph.D.) is an independent security consultant with more than 20 years professional experience in information security with a broad technical and information security management background.

His primary focus nowadays is around web application security. He has also a solid background on network and systems security.

He's also founder and maintainer of the open source project testssl.sh which checks the encryption of every SSL/TLS enabled service.

==== Securing Containers on the High Seas ====

* Speaker: [https://twitter.com/jack_mannino Jack Mannino] (nVisium)
* Presentation: https://www.owasp.org/images/1/1c/Securing_Containers_on_the_High_Seas_%28OWASP_Belgium_September_17-09-2018%29.pdf

''Abstract''

It can be a difficult challenge for organizations to securely migrate to containers while shifting processes and security controls. Making the move from legacy virtualization and monolithic deployments to containers requires a solid strategy. Containers offer many inherent security benefits but it’s important to build controls in beyond the containers themselves. From development through container registries and deployment to a runtime environment, it’s important to enforce security and eliminate risks as they’re introduced.

This presentation will focus on scaling container security within an enterprise and building security controls into the way you build, ship, and run containerized services. We will discuss the modern container landscape including different container runtimes and isolation models. We will explore the container lifecycle from your developer’s laptop through your production environment and examine the key security problems to mitigate.

''Speaker Bios''

Jack Mannino is the CEO of nVisium. Passionate about security and impossible to keep away from a keyboard, his expertise spans over 15 years of building, breaking, and securing software. Jack founded nVisium in 2009, and since has helped the world's largest software teams enhance security across their software portfolios. He has spoken at conferences globally on topics such as secure design, mobile application security, and cloud-native security.

=== Registration ===

Two step registration:

# Registration was via EventBrite: https://owasp-belgium-2018-09-17.eventbrite.com.
# Pre-registration of participants' ID documents, necessary for passing security checkpoint at the entrance to the site was via: https://ec.europa.eu/eusurvey/runner/OWASPBelgiumChapterMeetingSept17. The deadline for this registration was ''Sunday, September 16th midnight''.

=== Coverage ===

n/a

== 19 March 2018 Meeting ==

=== Where ===

* Host: [https://www.ing.be ING Belgium]

* Address ([https://branches.ing.be/branch/1040_bxl-non-residents map])
Cours St Michel 60
1040 Brussel

=== Agenda ===

* 18h15 - 19h00: Welcome & sandwiches
* 19h00 - 19h10: ''OWASP Update'' by Sebastien Deleersnyder (OWASP)
* 19h10 - 20h00: ''KRACKing WPA2 in Practice Using Key Reinstallation Attacks''  by Mathy Vanhoef (imec-DistriNet-KU Leuven)
* 20h00 - 20h10: Break
* 20h10 - 21h00: ''Making the web secure by design''  by Glenn Ten Cate (ING Belgium) and Riccardo Ten Cate (Xebia)
* 21h00 - 21h30: Networking drink

=== Program ===

==== KRACKing WPA2 in Practice Using Key Reinstallation Attacks ====

* Speaker: Mathy Vanhoef (imec-DistriNet-KU Leuven)
* Presentation: not yet available 

''Abstract''

This talk presents the key reinstallation attack against WPA2 (KRACK attack). It abuses design or implementation flaws in cryptographic protocols to reinstall an already-in-use key. This resets the key’s associated parameters such as transmit nonces and receive replay counters. Several cryptographic Wi-Fi handshakes are affected by the attack.

All protected Wi-Fi networks use the 4-way handshake to generate a fresh session key. So far, this 14-year-old handshake has remained free from attacks. However, we show that the 4-way handshake is vulnerable to a key reinstallation attack. Here, the adversary tricks a victim into reinstalling an already-in-use key. This is achieved by manipulating and replaying handshake messages. When reinstalling the key, associated parameters such as the incremental transmit packet number (nonce) and receive packet number (replay counter) are reset to their initial value.

The talk also discusses the vulnerability disclosure process that was followed. Since the discovery affected numerous vendors, coordinating the disclosure was non-trivial.

''Speaker Bio''

Mathy Vanhoef is a postdoctoral researcher at KU Leuven. He did his PhD on the security of WPA-TKIP, TLS, and RC4. His research interest is in computer security with a focus on wireless security (e.g. Wi-Fi), network protocols in general, the RC4 stream cipher (where he discovered the RC NOMORE attack), and software security (discovering and exploiting vulnerabilities). Currently his main research is about automatically discovering vulnerabilities in network protocol implementations, and proving the correctness of protocol implementations.

==== Making the web secure by design ====

* Speaker: Glenn Ten Cate (ING Belgium) and Riccardo Ten Cate (Xebia)
* Presentation: not yet available 

''Abstract''

Education is the first step in the Secure Software Development Lifecycle. The free OWASP Security Knowledge Framework (SKF) is intended to be a tool that is used as a guide for building and verifying secure software. It can also be used to train developers about application security. This talk will help you as a developer to become THE Neo of your development team. We will show how you can do security by design and introduce other quality gates into your development pipeline to ensure high end quality and security of your project.

''Speaker Bios''

As a coder, hacker, speaker, trainer and security researcher employed at ING Belgium, '''Glenn Ten Cate''' has over 10 years experience in the field of security. One of the founders of defensive development [defdev] a security training and conference series dedicated to helping you build and maintain secure software and also speaking at multiple other security conferences in the world. His goals is to create an open-source software development life cycle with the tools and knowledge gathered over the years.

As a penetration tester from the Netherlands employed at Xebia, '''Riccardo Ten Cate''' specialises in web-application security and has extensive knowledge in securing web applications in multiple coding languages. He is also a specialist in setting up Secure Software Development Life Cycles.

=== Registration ===

Registration was via EventBrite: https://owasp-belgium-2018-03-19.eventbrite.com.

=== Coverage ===

n/a

== 20 February 2018 Meeting ==

=== Where ===

* Host: [https://distrinet.cs.kuleuven.be DistriNet Research Group (KU Leuven)] (Both speakers are faculty of the [https://www.secappdev.org/ Secure Application Development] course held in Leuven from 2018-02-19 to 2018-02-23.)

* Address ([http://googlemapsinterface.kuleuven.be/index.cgi?lang=N&nbol=(50.864186697481145,%204.678754210472107)&zoomlevel=17&plaatsnaam=Department+of+Computer+Science&maptype=roadmap map], [https://distrinet.cs.kuleuven.be/about/route/ directions]):
Department of Computer Science (foyer at ground floor)
Celestijnenlaan 200 A
3001 Heverlee

=== Agenda ===

*18h15 - 19h00: Welcome & sandwiches
*19h00 - 19h10: [https://www.owasp.org/images/7/7a/Owasp_Belgium_update_2018-02-20_v1.pdf OWASP Update] by Sebastien Deleersnyder (OWASP)
*19h10 - 20h00: [https://schd.ws/hosted_files/secappdev2018/a9/Developer%20are%20not%20the%20enemy%20SecAppDev%20web.pdf Developers are not the enemy -- Usable Security for Experts] by Prof. Matthew Smith (University of Bonn)
*20h00 - 20h10: Break
*20h10 - 21h00: [https://schd.ws/hosted_files/secappdev2018/75/The%20code%20behind%20the%20vulnerability.pdf The Code Behind The Vulnerability] by Barry Dorrans (Microsoft)

=== Program ===

==== Developers are not the enemy -- Usable Security for Experts ====

* Speaker: Prof. Matthew Smith (University of Bonn)
* Presentation: https://schd.ws/hosted_files/secappdev2018/a9/Developer%20are%20not%20the%20enemy%20SecAppDev%20web.pdf

''Abstract''

Usability problems are a major cause of many of today's IT-security incidents. Security systems are often too complicated, time-consuming, and error prone. For more than a decade researchers in the domain of usable security (USEC) have attempted to combat these problems by conducting interdisciplinary research focusing on the root causes of the problems and on the creation of usable security mechanisms. While major improvements have been made, to date USEC research has focused almost entirely on the non-expert end-user. However, many of the most catastrophic security incidents were not caused by end-users, but by developers or administrators. Heartbleed and Shellshock were both caused by single developers yet had global consequences. The Sony hack in 2014 compromised an entire multi-national IT-infrastructure and misappropriated over 100 TB of data, unnoticed. Fundamentally, every software vulnerability and misconfigured system is caused by developers or administrators making mistakes, but very little research has been done into the underlying causalities and possible mitigation strategies. In this talk we will explore the transition from end-user to expert usable security research and look at several application areas, including TLS, passwords, malware analysis and vulnerability analysis.

''Speaker Bio''

Matthew Smith is a Professor for Usable Security and Privacy at the University of Bonn. His research is focused on human factors of security and privacy mechanisms with a wide range of application areas, including TLS and network security, authentication, mobile and app security and, most recently, usable security for developers and administrators. His work has been published at, among others, IEEE S&P, ACM CCS, USENIX Security, NDSS, ACM SIGCHI and SOUPS the Symposium on Usable Security and Privacy. In 2015 his ERC Starting Grant "Frontiers of Usable Security" was selected for funding.

==== The Code Behind The Vulnerability ====

* Speaker: Barry Dorrans (Microsoft)
* Presentation: https://schd.ws/hosted_files/secappdev2018/75/The%20code%20behind%20the%20vulnerability.pdf

''Abstract''

Everyone makes security mistakes, and that includes Microsoft (seriously!). Many developers can spot and prevent vulnerabilities listed in the OWASP top 10. But that narrative changes when we look beyond the scope of the OWASP top 10. Compared to some more recent attacks, fixing XSS or SQL injection almost seems easy. In this session, we dive into a couple of .NET core cases that have been reported to the Microsoft Security Response Center (MSRC). Mind you; these vulnerabilities are not just framework vulnerabilities. Instead, they are coding patterns that you may have introduced in your applications. Examples are issues with hash tables, compression, encryption, regular expressions and more. In this session, you will learn how to spot these vulnerabilities in your code. On top of that, you will walk away with the skills to fix them.

''Speaker Bio''

Barry Dorrans is the .NET Security Czar, which means he tries to tell everyone else how to code securely and taking the credit when it goes right, as well as running the .NET Core Bug Bounty. He also ends up triaging publicly and privately reported vulnerabilities when it goes wrong before getting someone else to fix the mistakes. This he gets all the fun and none of the real work, aside from the endless stress wondering when the next vulnerability will be discovered.

=== Registration ===

Registration was via EventBrite: https://owasp-belgium-2018-02-20.eventbrite.com.

=== Coverage ===

n/a

OWASP BeNeLux-Days 2018

2018-09-25T19:35:52Z

Thomas Herlea: Gutted the page of the content from the previous edition and made some structure improvements.

<center>[[Image:Header-BNL-2018.png]]</center>

 


= Information =

== Keynote Speaker ==

{{#switchtablink:Conference Day|
* TBD
}}

== Confirmed Conference Speakers ==

{{#switchtablink:Conference Day|
* TBD
}}

== Confirmed Trainers ==

{{#switchtablink:Training Day|
* TBD
}}

== OWASP BeNeLux conference is free, but registration is required! ==

[[image:Register_now_red.png|link=https://owasp-benelux-day-2018.eventbrite.com |alt=Register for the OWASP BeNeLux Day 2018 | Register for the OWASP BeNeLux Day 2018 ]]

== The OWASP BeNeLux Program Committee ==

*Bart De Win / Sebastien Deleersnyder/ Lieven Desmet/ David Mathy, OWASP Belgium
*Martin Knobloch / Joren Poll, OWASP Netherlands
*Jocelyn Aubert, OWASP Luxembourg

== Tweet! ==

Event tag is [http://twitter.com/#search?q=%23owaspbnl17 #owaspbnl18]

== Donate to OWASP BeNeLux ==

[https://co.clickandpledge.com/?wid=72689 Donate]


= Registration =

== OWASP BeNeLux conference is free, but registration is required! ==



== OWASP BeNeLux training is reserved for OWASP members, and registration is required! ==

To support the OWASP organisation, we ask training attendees to consider becoming an OWASP member, it's only US$50!
Check out the [[Membership]] page to find out more.



To support the OWASP organisation, consider to become a member, it's only US$50! Check out the [[Membership]] page to find out more.


= Venue =

== Address ==

Venue:

'''Congres- en Erfgoedcentrum Lamot'''
Van Beethovenstraat 8-10
2800 Mechelen
Belgium

[https://goo.gl/maps/gZ9icR178w52 Google map]

Parking:

TBD

=== How to reach the venue? ===

==== Public transport ====

TBD

==== By car ====

TBD

=== Hotels Nearby ===

[https://www.google.nl/maps/search/Hotels/@51.5571525,5.0821866,15z/data=!3m1!4b1 Hotels on Google Maps]

TBD maybe Booking.com or others


= Training Day =

'''Training Day is November 29th'''

== Agenda (TBD)==

{| class="wikitable"
! Time !! Description !! Room TBA !! Room TBA !! Room TBA
|-
| 08h30 - 9h30
| colspan="5" style="text-align: center; background: grey; color: white;" | ''Registration''
|-
| 09h30 - 11h00 || Training
| rowspan="7" style="width:100px;" | [[#TRAINING_1 | TRAINING_1_TITLE]] by TRAINING_1_TRAINER
| rowspan="7" style="width:100px;" | [[#TRAINING_2 | TRAINING_2_TITLE]] by TRAINING_2_TRAINER
| rowspan="7" style="width:100px;" | [[#TRAINING_3 | TRAINING_3_TITLE]] by TRAINING_3_TRAINER
|-
| 11h00 - 11h30 || ''Coffee Break''
|-
| 11h30 - 13h00 || Training
|-
| 13h00 - 14h00 || ''Lunch''
|-
| 14h00 - 15h30 || Training
|-
| 15h30 - 16h00 || ''Coffee Break''
|-
| 16h00 - 17h30 || Training
|}

== Trainings ==

=== TRAINING_1_TITLE by TRAINING_1_TRAINER ===

==== Topic(s) ====

* TRAINING_1_TOPIC_1
* TRAINING_1_TOPIC_2

==== Keywords ====

TRAINING_1_KEYWORD_1, TRAINING_1_KEYWORD_2

==== Abstract ====

TRAINING_1_ABSTRACT

==== Requirements ====

TRAINING_1_REQUIREMENTS

==== Bio ====

TRAINING_1_TRAINER_BIO

=== TRAINING_2_TITLE by TRAINING_2_TRAINER ===

==== Topic(s) ====

* TRAINING_2_TOPIC_1
* TRAINING_2_TOPIC_2
* ...

==== Keywords ====

TRAINING_2_KEYWORD_1, TRAINING_2_KEYWORD_2, ...

==== Abstract ====

TRAINING_2_ABSTRACT

==== Requirements ====

TRAINING_2_REQUIREMENTS

==== Bio ====

TRAINING_2_TRAINER_BIO

=== TRAINING_3_TITLE by TRAINING_3_TRAINER ===

==== Topic(s) ====

* TRAINING_3_TOPIC_1
* TRAINING_3_TOPIC_2
* ...

==== Keywords ====

TRAINING_3_KEYWORD_1, TRAINING_3_KEYWORD_2, ...

==== Abstract ====

TRAINING_3_ABSTRACT

==== Requirements ====

TRAINING_3_REQUIREMENTS

==== Bio ====

TRAINING_3_TRAINER_BIO


= Conference Day =

'''Conference Day is November 30th'''

== Agenda (TBD)==

{| class="wikitable"
! width="120pt" | Time
! width="190pt" | Speaker
! width="400pt" | Topic
! width="100pt" -- ! | Media
|-
| 08h30 - 09h00
| colspan="3" style="text-align: center; background: grey; color: white" | ''Registration''
|-
| 09h00 - 09h15
| colspan="3" style="text-align: center; background: grey; color: white" | ''Opening''
|-
| 09h15 - 10h00
| [[#TALK_0915 | TALK_0915_PRESENTER]]
| [[#TALK_0915 | TALK_0915_TITLE]]
| not yet available 
|-
| 10h00 - 10h45
| [[#TALK_1000 | TALK_1000_PRESENTER]]
| [[#TALK_1000 | TALK_1000_TITLE]]
| not yet available 
|-
| 10h45 - 11h15
| colspan="3" style="text-align: center;background: grey; color: white" | ''Morning Break''
|-
| 11h15 - 12h00
| [[#TALK_1115 | TALK_1115_PRESENTER]]
| [[#TALK_1115 | TALK_1115_TITLE]]
| not yet available 
|-
| 12h00 - 12h45
| [[#TALK_1200 | TALK_1200_PRESENTER]]
| [[#TALK_1200 | TALK_1200_TITLE]]
| not yet available 
|-
| 12h45 - 13h45
| colspan="3" style="text-align: center;background: grey; color: white" | ''Lunch''
|-
| 13h45 - 14h30
| [[#TALK_1345 | TALK_1345_PRESENTER]]
| [[#TALK_1345 | TALK_1345_TITLE]]
| not yet available 
|-
| 14h30 - 15h15
| [[#TALK_1430 | TALK_1430_PRESENTER]]
| [[#TALK_1430 | TALK_1430_TITLE]]
| not yet available 
|-
| 15h15 - 15h45
| colspan="3" style="text-align: center;background: grey; color: white" | ''Break''
|-
| 15h45 - 16h30
| [[#TALK_1545 | TALK_1545_PRESENTER]]
| [[#TALK_1545 | TALK_1545_TITLE]]
| not yet available 
|-
| 16h30 - 17h15
| [[#TALK_1630 | TALK_1630_PRESENTER]]
| [[#TALK_1630 | TALK_1630_TITLE]]
| not yet available 
|-
| 17h15 - 17h30
| colspan="3" style="text-align: center;background: grey; color: white" | ''Closing''
|}

== Talks ==

=== TALK_0915_TITLE ===

==== Abstract ====

TBD

==== Bio ====

TBD

=== TALK_1000_TITLE ===

==== Abstract ====

TBD

==== Bio ====

TBD

=== TALK_1115_TITLE ===

==== Abstract ====

TBD

==== Bio ====

TBD

=== TALK_1200_TITLE ===

==== Abstract ====

TBD

====Bio====

TBD

=== TALK_1345_TITLE ===

==== Abstract ====

TBD

==== Bio ====

TBD

=== TALK_1430_TITLE ===

==== Abstract ====

TBD

==== Bio ====

TBD

=== TALK_1545_TITLE ===

==== Abstract ====

TBD

====Bio====

TBD

=== TALK_1630_TITLE ===

==== Abstract ====

TBD

====Bio====

TBD


= Social Event =

'''The Social Event is on Thursday, November 29th'''

'''If you want to join the social event, don't forget to register for it via the registration:'''



Address: TBD

Menu:TBD


= Sponsor =

''' Become a sponsor of OWASP BeNeLux! '''

There are 3 combined sponsorship packages (Gold, Silver or Bronze) that cover the BeNeLux chapter meetings 2019 and the BeNeLux OWASP Days 2018.

Download our [https://www.owasp.org/images/a/a9/OWASP_BeNeLux_2018_Sponsorship_Form_v20180919.pdf sponsor brochure] and contact [mailto:seba@owasp.org us] for questions or sponsorship confirmation!

Your sponsorship will be invested directly in the chapter meetings, supporting speaker and catering expenses.

The sponsorship will also be dedicated to cover the costs of the OWASP 2018 BeNeLux event.

__NOTOC__
<headertabs></headertabs>

=== Made possible by our {{#switchtablink:Sponsor|Sponsors}}===

==== Hosted by ====

TBD

==== Platinum ====

TBD

==== Gold ====

TBD

==== Silver ====

TBD

==== Bronze ====

TBD

[[Category:OWASP_AppSec_Conference]]
[[Category:OWASP_BeNeLux_Archives]]

OWASP BeNeLux-Day 2017

2018-09-25T18:53:11Z

Thomas Herlea: Fixed misspelled Matias' name in text and links.

<center>[[Image:Header-BNL-2017.png]] </center>

 


= Information =
== Keynote speaker ==
{{#switchtablink:Conferenceday|
* Jacoba Sieders
}}

== Confirmed speakers Conference ==
{{#switchtablink:Conferenceday|
* Achim D. Brucker
* Lieven Desmet
* Philippe De Ryck
* Sebastian Lekies
* Matias Madou
* Mattijs van Ommeren
* Jeroen Willemsen
}}

== Confirmed trainers ==
{{#switchtablink:Trainingday|
* Nanne Baars
* Sebastien Deleersnyder
* Bart De Win
}}

== OWASP BeNeLux conference is free, but registration is required! ==
[[image:Register_now_red.png|link=https://owasp-benelux-day-2017.eventbrite.com |alt=Register for the OWASP BeNeLux Day 2017 | Register for the OWASP BeNeLux Day 2017 ]]

== The OWASP BeNeLux Program Committee ==
*Bart De Win / Sebastien Deleersnyder/ Lieven Desmet/ David Mathy, OWASP Belgium
*Martin Knobloch / Joren Poll, OWASP Netherlands
*Jocelyn Aubert, OWASP Luxembourg
 

== Tweet! ==
Event tag is [http://twitter.com/#search?q=%23owaspbnl17 #owaspbnl17]
 
== Donate to OWASP BeNeLux ==
[https://co.clickandpledge.com/?wid=72689 Donate]



= Registration =

== OWASP BeNeLux conference is free, but registration is required! ==
[[image:Register_now_red.png|link=https://owasp-benelux-day-2017.eventbrite.com |alt=Register for the OWASP BeNeLux Day 2017 | Register for the OWASP BeNeLux Day 2017 ]]

== OWASP BeNeLux training is reserved for OWASP members, and registration is required! ==
To support the OWASP organisation, we ask training attendees to consider becoming an OWASP member, it's only US$50!
Check out the [[Membership]] page to find out more.


 
To support the OWASP organisation, consider to become a member, it's only US$50!
 
Check out the [[Membership]] page to find out more.
 



= Venue =

== Venue ==

The venue is located:

:'''Interpolis'''
:Spoorlaan 298
:5017JZ Tilburg
:Netherlands
:[https://goo.gl/maps/5CJYYSMAJD92 Google map]

'''''Parkeren kan in de gemeentelijke parkeergarage Tivoli, gelegen tussen de Rabobank en het Interpoliskantoor.'''''

=== How to reach the venue? ===
;'''Openbaar vervoer ''' 
Het Centraal Station en bushalte liggen aan de Spoorlaan op ± 10 minuten loopafstand van het Achmeakantoor.

'''Eigen vervoer'''
;'''Routebeschrijving vanuit Den Bosch'''
:Op A58 bij afslag 10 (Tilburg/ Hilvarenbeek) rechts af richting centrum (Ringbaan Oost). Na ongeveer 1 km, voor het spoorwegviaduct, links af richting centrum / Centraal Station (Spoorlaan). Na ongeveer 700 meter staat links het Interpoliskantoor.

;'''Routebeschrijving vanuit Waalwijk'''
:A261 richting Tilburg. Bij binnenkomst Tilburg rechtdoor, viaduct over. Bij de rotonde rechtdoor, 2e afslag (Ringbaan West) volgen. Na ongeveer 1km, ter hoogte van woontoren Westpoint, links af (Hart van Brabantlaan). Weg volgen, gaat over in Spoorlaan. Na ongeveer 2 km staat rechts het Interpoliskantoor.

;'''Routebeschrijving vanuit Dongen'''
:Vanuit Dongen de Burgemeester Letschertweg volgen tot de N261 Waalwijk/Tilburg. Neem de afslag Tilburg. Bij binnenkomst Tilburg rechtdoor, viaduct over. Bij de rotonde rechtdoor, 2e afslag (Ringbaan West) volgen. Na ongeveer 1km, ter hoogte van woontoren Westpoint, links af (Hart van Brabantlaan). Weg volgen, gaat over in Spoorlaan. Na ongeveer 2 km staat rechts het Interpoliskantoor.

;'''Routebeschrijving vanuit Utrecht/Breda (A27 richting Tilburg)'''
:Vanaf A58 afslag 11 (Tilburg West) rechts af richting centrum (Ringbaan West). Weg volgen. Na ongeveer 1,5 km, ter hoogte van woontoren Westpoint, rechts af (Hart van Brabantlaan). Weg volgen, gaat over in Spoorlaan. Na ongeveer 2 km staat rechts het Interpoliskantoor.

=== Hotel nearby ===
[https://www.google.nl/maps/search/Hotels/@51.5571525,5.0821866,15z/data=!3m1!4b1 Hotels on Google Maps]


= Trainingday =
=== Trainingday is November 23rd ===

== Location ==

== Agenda ==
{| class="wikitable"
! Time !! Description !! Room TBA !! Room TBA !! Room TBA
|-
| 08h30 - 9h30
| colspan="5" style="text-align: center; background: grey; color: white;" | ''Registration''
|-
| 09h30 - 11h00 || Training
| rowspan="7" style="width:100px;" | [[OWASP_BeNeLux-Day_2017#WebGoat_-_Teaching_application_security_101_by_Nanne_Baars | WebGoat - Teaching application security 101]] by [[OWASP_BeNeLux-Day_2017#WebGoat_-_Teaching_application_security_101_by_Nanne_Baars | Nanne Baars]]
| rowspan="7" style="width:100px;" | [[OWASP_BeNeLux-Day_2017#Whiteboard_Hacking_aka_Hands-on_Threat Modeling_by_Sebastien Deleersnyder | Whiteboard Hacking aka Hands-on Threat Modeling]] by [[OWASP_BeNeLux-Day_2017#Whiteboard_Hacking_aka_Hands-on_Threat Modeling_by_Sebastien Deleersnyder | Sebastien Deleersnyder]]
| rowspan="7" style="width:100px;" | [[OWASP_BeNeLux-Day_2017#Secure_Development:_Models_and_best_practices_by_Bart_De_Win | Secure Development: Models and best practices]] by [[OWASP_BeNeLux-Day_2017#Secure_Development:_Models_and_best_practices_by_Bart_De_Win | Bart De Win]]
|-
| 11h00 - 11h30 || ''Coffee Break''
|-
| 11h30 - 13h00 || Training
|-
| 13h00 - 14h00 || ''Lunch''
|-
| 14h00 - 15h30 || Training
|-
| 15h30 - 16h00 || ''Coffee Break''
|-
| 16h00 - 17h30 || Training
|}

== Trainings ==
=== WebGoat - Teaching application security 101 by Nanne Baars ===
====Topic(s) ====
* Web Application Breaker
* Other
====Keywords ====
WebGoat application, security teaching secure development

====Abstract ====
A good defense against insecure code requires understanding the mechanics behind how attackers exploit simple programming mistakes.
The WebGoat team will walk through exercises like SQL Injection, XSS, XXE, CSRF, ... and demonstrate how these exploits work.

We will show you how you can use WebGoat to train your developers to avoid these simple but common programming mistakes.

We also show you how to extend WebGoat to create lessons specific to your environment.
Join us to learn the most basic, but common, application security problems.

Tired of all the lessons? During the training we will host a small CTF competition which you can take a shot at and compete with each other...

=== Requirements===
Please find the course prerequisites here: https://github.com/nbaars/owasp-training

====Bio====
Nanne Baars works as a security consultant & developer at JDriven and is one of the primary developers of WebGoat.

=== Whiteboard Hacking aka Hands-on Threat Modeling by Sebastien Deleersnyder ===
====Topic(s) ====
* Threat modeling introduction
* Diagrams – what are you building?
* Identifying threats – what can go wrong?
* Hands-on: STRIDE analysis of an Internet of Things (IoT) deployment with an on premise gateway and secure update service
* Addressing each threats
* Hands-on: threat mitigations OAuth scenarios for web and mobile applications

====Keywords ====
Threat Modeling, STRIDE, Technical risk assessment

====Abstract ====
This is a one day version of our Black Hat training on Threat Modeling. The students will be challenged to perform practical threat modeling in groups of 3 to 4 people covering the different stages of threat modeling on:
* An Internet of Things (IoT) deployment with an on premise gateway and secure update service
* An HR services OAuth scenario for mobile and web applications
Threat modeling is a structured activity for identifying and evaluating application threats and vulnerabilities. It also allows consideration of security issues at the component or application level. The threat modeling course will teach you to perform threat modeling through a series of workshops, where our trainer will guide you through the different stages of a practical threat model. 
This course is aimed at software developers, architects, system managers or security professionals. Before attending this course, students should be familiar with basic knowledge of web and mobile Applications, databases & Single sign on (SSO) principles.

====Bio====
Sebastien (lead application security consultant Toreon) led engagements in the domain of ICT-security, Web and Mobile Security with several customers in the private and public sector. Sebastien is the Belgian OWASP Chapter Leader and is co-project leader of OWASP SAMM.

=== Secure Development: Models and best practices by Bart De Win ===
====Topic(s) ====
* Software Assurance maturity models
* Secure Development in agile development
* Tips and tricks for practical SDLC
* Hands-on: SAMM analysis of your enterprise using SAMM 1.5
* Sneak preview of SAMM 2.0

====Keywords ====
SDLC, SAMM, Agile development,

====Abstract ====
It takes much more than a good developer to build secure software within an organisation. Indeed, building secure software is about ensuring that security is taken into consideration during the entire software lifecycle. It is about ensuring that security best practices are being employed efficiently, and that uncovered risks are appropriately dealt with in due time.

During this one-day training, we will introduce and discuss different secure development approaches and models. We will look into waterfall vs. agile development and discuss different strategies to successfully run an SDLC program. Finally, we will also put theorie into practice and take your organisation to perform a mini SDLC assessment and improvement exercise.
[[File:Benelux2017 - Secure Development Training deck.pdf|thumb]]
The slides of this session are available for download in the media file.

====Bio====
Bart is an application security consultant and enthousiast and is spending considerable time on secure development projects. Bart is board member of the Belgian OWASP Chapter and is co-project leader of OWASP SAMM.



= Conferenceday =
=== Conferenceday is November 24th ===

== Agenda ==
{| class="wikitable"
! width="120pt" | Time
! width="190pt" | Speaker
! width="400pt" | Topic
! width="100pt" -- ! | Media
|-
| 08h30 - 09h00
| colspan="3" style="text-align: center; background: grey; color: white" | ''Registration''
|-
| 09h00 - 09h15
| colspan="3" style="text-align: center; background: grey; color: white" | ''Opening''
|-
| 09h15 - 10h00 || [[OWASP_BeNeLux-Day_2017#Attribute Based Access Control. Why, what, how? by Jacoba Sieders | Jacoba Sieders]]
|| [[OWASP_BeNeLux-Day_2017#Attribute Based Access Control. Why, what, how? by Jacoba Sieders | Attribute Based Access Control. Why, what, how?]]
|| [[Media:OWASP BeNeLux-Day 2017 AttributeBasedAccessControl WhyWhatHow JacobaSieders.pdf|Slides]] [https://youtu.be/O7iWITnZGsk Video]
|-
| 10h00 - 10h45 || [[OWASP_BeNeLux-Day_2017#How to spend $3.6mil on one coding mistake, and other fun stuff you can do with $3.6mil by Matias Madou | Matias Madou]]
|| [[OWASP_BeNeLux-Day_2017#How to spend $3.6mil on one coding mistake, and other fun stuff you can do with $3.6mil by Matias Madou | How to spend $3.6mil on one coding mistake, and other fun stuff you can do with $3.6mil]]
|| [[Media:OWASP_BeNeLux-Day_2017_how_to_spend_$3.6_mil_on_one_coding_mistake_by_Matias_Madou.pdf|Slides]] [https://www.youtube.com/watch?v=dt5rFGBztJA&feature=youtu.be Video]

|-
| 10h45 - 11h15
| colspan="3" style="text-align: center;background: grey; color: white" | ''Morning Break''
|-
| 11h15 - 12h00 || [[OWASP_BeNeLux-Day_2017#The evil friend in your browser by Achim D. Brucker | Achim D. Brucker]]
|| [[OWASP_BeNeLux-Day_2017#The evil friend in your browser by Achim D. Brucker | The evil friend in your browser]]
| [[Media:OWASP_BeNeLux-Day_2017_The evil friend in your browser_Achim_Brucker.pdf|Slides]] [https://www.youtube.com/watch?v=_Uj-Ci37Rvw&feature=youtu.be Video]
|-
| 12h00 - 12h45 || [[OWASP_BeNeLux-Day_2017#Exploring the ecosystem of malicious domain registrations in the .eu TLD by Lieven Desmet | Lieven Desmet]]
|| [[OWASP_BeNeLux-Day_2017#Exploring the ecosystem of malicious domain registrations in the .eu TLD by Lieven Desmet | Exploring the ecosystem of malicious domain registrations in the .eu TLD]]
| [[Media:OWASP BeNeLux-Day 2017 Exploring the ecosystem of malicious domain registrations LievenDesmet.pdf|Slides]] [https://www.youtube.com/watch?v=09SNSYHw8H0&feature=youtu.be Video]
|-
| 12h45 - 13h45
| colspan="3" style="text-align: center;background: grey; color: white" | ''Lunch''
|-
| 13h45 - 14h30 || [[OWASP_BeNeLux-Day_2017#Don't trust the DOM: Bypassing XSS mitigations via script gadgets by Sebastian Lekies | Sebastian Lekies]]
|| [[OWASP_BeNeLux-Day_2017#Don't trust the DOM: Bypassing XSS mitigations via script gadgets by Sebastian Lekies | Don't trust the DOM: Bypassing XSS mitigations via script gadgets]]
| [[Media:OWASP BeNeLux-Day 2017 Bypassing XSS mitigations via script gadgets Sebastian Lekies.pdf|Slides]] [https://www.youtube.com/watch?v=rssg--FP1AE&feature=youtu.be Video]
|-
| 14h30 - 15h15 || [[OWASP_BeNeLux-Day_2017#A Series of Unfortunate Events: Where Malware Meets Murphy by Mattijs van Ommeren | Mattijs van Ommeren]]
|| [[OWASP_BeNeLux-Day_2017#A Series of Unfortunate Events: Where Malware Meets Murphy by Mattijs van Ommeren | A Series of Unfortunate Events: Where Malware Meets Murphy]]
| [https://www.youtube.com/watch?v=d67yxt3FdTA&feature=youtu.be Video]
|-
| 15h15 - 15h45
| colspan="3" style="text-align: center;background: grey; color: white" | ''Break''
|-
| 15h45 - 16h30 || [[OWASP_BeNeLux-Day_2017#Common REST API security pitfalls by Philippe De Ryck | Philippe De Ryck]]
|| [[OWASP_BeNeLux-Day_2017#Common REST API security pitfalls by Philippe De Ryck | Common REST API security pitfalls]]
| [[Media:OWASP BeNeLux-Day 2017 Common REST API security pitfalls Philippe De Ryck.pdf|Slides]] [https://www.youtube.com/watch?v=Meh4EUmLCfM&feature=youtu.be Video]
|-
| 16h30 - 17h15 || [[OWASP_BeNeLux-Day_2017#Creating An AppSec Pipeline With Containers In A Week How We Failed And Succeeded by Jeroen Willemsen | Jeroen Willemsen]]
|| [[OWASP_BeNeLux-Day_2017#Creating An AppSec Pipeline With Containers In A Week How We Failed And Succeeded by Jeroen Willemsen | Creating An AppSec Pipeline With Containers In A Week How We Failed And Succeeded]]
| [[Media:OWASP BeNeLux-Day 2017 Creating An AppSec Pipeline With Containers In A Week How We Failed And Succeeded Jeroen Willemsen.pdf|Slides]] [https://www.youtube.com/watch?v=Q3q1mdev5rs&feature=youtu.be Video]
|-
| 17h15 - 17h30
| colspan="3" style="text-align: center;background: grey; color: white" | ''Closing''
|}

<div id="TBD"></div>

== Talks ==

===Attribute Based Access Control. Why, what, how? by Jacoba Sieders===
====Abstract====
Digitization is rapidly transforming the traditional world and regulation on security and data protection is gaining weight. Digital identity, but also data protection become crucial capabilities for businesses. What are the trends in IAM and what role can Attribute Based Access Control (ABAC) play here? ABNAMRO started implementing ABAC in 2014. What were the approach and the lessons learnt?
====Bio====
Jacoba Sieders, Head of Digital Identity- & Access, ABNAMRO Bank. 
Jacoba is an all-round Digital Identity and Information Security expert with 17 years of experience in the international finance industry, in technology, governance, consultancy, and implementation. She is accountable for digital identity services and access control for customers, employees and partners to the bank’s data and infrastructure.
Major topics on her agenda today are ABAC, data centric security, API-banking and PSDII requirements, the interaction of IAM tools with the rest of the bank’s cybersecurity landscape, and the new authentication concept for which ABNAMRO is acquiring a patent. Her special interests are legal requirements impacting identity, e.g. Generic Data Protection Regulation, the EU e-IDAS scheme, KYC and AML legislation.
Jacoba is a member of the Advisory Board of the independent European think-tank ID Next and is regularly speaking on the topic of IAM. She holds a master degree in Classics from Leiden University (Greek, Latin, Hebrew).

===How to spend $3.6mil on one coding mistake, and other fun stuff you can do with $3.6mil by Matias Madou===
====Abstract====
In a recent global study, the average cost of a data breach is $3.62M globally. This session will discuss infamous examples of data breaches that has made headlines around the world. We will explore the technical details of the vulnerability itself and what a coding solution may have been to prevent the breach. We will also dive deeper on exploring different solutions, processes and techniques you can apply in your day-to-day to prevent application security vulnerabilities in your code.
====Bio====
Matias Madou is a Co-Founder and CTO of Secure Code Warrior where he is responsible for leading the company’s technology vision and overseeing the engineering team. Matias has more than 15 years of hands-on software security experience and has developed solution for companies such as HP Fortify, and founded a company called Sensei Security. Matias has led multiple application security research projects which have led to commercial products and boasts over 10 patents under his belt. When he is away from his desk, Matias has served as an instructor for advanced application security training courses and regularly speaks at global conferences including RSA Conference, Black Hat, DefCon, BSIMM, OWASP AppSec and BruCon. Matias holds a Ph.D. in Computer Engineering from Ghent University.

===The evil friend in your browser by Achim D. Brucker===
====Abstract====
On the one hand, browser extensions, e.g., for Chrome, are very useful, as they extend web browsers with additional functionality
(e.g., blocking ads). On the other hand, they are the most dangerous code that runs in your browsers: extension can read and modify both the content displayed in the browser. As they also can communicate with any web-site or web-service, they can report both data and metadata to external parties.

The current security model for browser extensions seems to be inadequate for expressing the security or privacy needs of browser users. Consequently, browser extensions are a "juice target" for attackers targeting web users.

We present results of analysing over 60000 browser extensions on how they use the current security model and discuss examples of extensions that are potentially of high risk. Based on the results of our analysis of real world browser extensions as well as our own threat model, we discuss the limitations of the current security model form a user perspective. need of browser users.

====Bio====
Dr. Achim D. Brucker (www.brucker.uk) is a Senior Lecturer and consultant for software and systems assurance at the Computer Science Department of The University of Sheffield, UK. Until December 2015, he was a Research Expert (Architect), Security Testing Strategist, and Project Lead in the Global Security Team of SAP SE, where he defined the risk-based security testing strategy of SAP that combines static, dynamic, and interactive security testing methods and integrates them deeply into SAP's Secure Software Development Lifecycle. He has experience in rolling out *AST tools to world-wide development organisations.

===Exploring the ecosystem of malicious domain registrations in the .eu TLD by Lieven Desmet===
====Abstract====
In this talk, we report on an extensive analysis of 14 months of domain registration in the .eu TLD. The purpose is to identify large-scale malicious campaigns. Overall, the dataset of this study contains 824,121 new domain registrations; 2.53% of which have been flagged as malicious by blacklisting services. We explore the ecosystem and modus operandi of elaborate cybercriminal entities that recurrently register large amounts of domains for one-shot, malicious use. Although these malicious domains are short-lived, we establish that at least 80.04% of them can be framed in to 20 larger campaigns with varying duration and intensity. We further report on insights in the operational aspects of this business and observe, amongst other findings, that their processes are only partially automated.
====Bio====
Lieven Desmet is a Senior Research Manager on Secure Software in the imec-DistriNet Research Group at the Katholieke Universiteit Leuven (Belgium), where he outlines and implements the research strategy, coaches junior researchers in application security, and participates in dissemination, valorisation and spin-off activities. Lieven is also involved in OWASP as a board member of the Belgium OWASP Chapter, and part of the organisation team of the OWASP BeNeLux Day.

===Don't trust the DOM: Bypassing XSS mitigations via script gadgets by Sebastian Lekies===
====Abstract====
Cross-Site Scripting is a constant problem of the Web platform. Over the years many techniques have been introduced to prevent or mitigate XSS. Most of these techniques, thereby, focus on script tags and event handlers. HTML sanitizers, for example, aim at removing potentially dangerous tags and attributes. Another example is the Content Security Policy, which forbids inline event handlers and aims at white listing of legitimate scripts.

In this talk, we present a novel Web hacking technique that enables an attacker to circumvent most XSS mitigations. In order to do so, the attacker abuses so-called script gadgets. A script gadget Is a legitimate piece of JavaScript in a page that reads elements from the DOM via selectors and processes them in a way that results in script execution. To abuse a script gadget, the attacker injects a benign looking element into the page that matches the gadget's selector. Subsequently, the gadget selects the benign-looking element and executes attacker-controlled scripts. As the initially injected element is benign it passes HTML sanitizers and security policies. The XSS only surfaces when the gadget mistakenly elevates the privileges of the element.

In this talk, we will demonstrate that these gadgets are present in almost all modern JavaScript libraries, APIs and applications. We will present several case studies and real-world examples that demonstrate that many mitigation techniques are not suited for modern applications. As a result, we argue that the Web should start focusing more on preventive mechanisms instead of mitigations.
====Bio====
Sebastian Lekies is tech leading the Web application security scanning team at Google. Before joining Google, he was part of SAP's Security Research team, where he conducted academic research in the area of client-side Web application security. Sebastian is regularly speaking at academic and non-academic security conferences such as BlackHat US/EU/Asia, DeepSec, OWASP AppSec EU, Usenix Security, CCS, and many more...

===A Series of Unfortunate Events: Where Malware Meets Murphy by Mattijs van Ommeren===
====Abstract====
When an end user reports some “strange looking file names”, which, after investigating, you discover include several hundreds of Gigabytes of encrypted data, you of course know you are going to have a bad day. Your AV solution has failed you, your firewall has failed you, and your SIEM has failed you. Basically, every piece of security infrastructure you have put your trust (and money) into has left you out in the cold and you thank <deity of choice> that at least the nightly backup was completed successfully. Spin up the tape drive, and soon you will be back in business, or not…?

This talk is about failure. Not only about a failing security infrastructure, but also about failure in doing the Right Thing™ as a first responder, about the failure of Operating System tools, failing APIs, and ironically, also the failure of malware (which is unfortunately not as positive as it may sound). The scenario presented comes pretty close to the worst chain of events you can imagine, in an attempt to recover from a ransomware incident.

Luckily – this story has a happy ending. We will reveal how one can be prepared for when both Count Olaf and Murphy come knocking on your door simultaneously.
====Bio====
Mattijs van Ommeren has been poking hardware and software for 15 years. He has spent most of his working life as a security consultant, attacking and defending both traditional IT environments as well as more esoteric embedded devices and industrial systems. Presently he has a lot of fun at Nixu.

===Common REST API security pitfalls by Philippe De Ryck===
====Abstract====
The shift towards a REST API landscape indicates a significant evolution in the way we build applications. The rise of JavaScript and mobile applications have sparked an explosion of easily-accessible REST APIs. But how do you protect access to your API? Which security aspects are no longer relevant? Which security features are an absolutely must-have, and which additional security measures do you need to take into account?

These are hard questions, as evidenced by the deployment of numerous insecure REST APIs. Attend this session to find out about common API security pitfalls, that often result in compromised user accounts and unauthorized access to your data. We expose the problem that lies at the root of each of these pitfalls, and offer actionable advice to address these security problems. After this session, you will know how to assess the security of your APIs, and the best practices to improve them towards the future.
====Bio====
Philippe De Ryck is a professional speaker and trainer on software security and web security. Since he obtained his PhD at the imec-DistriNet research group (KU Leuven, Belgium), he has been running the group's Web Security Training program, which ensures a sustainable knowledge transfer of the group’s security expertise towards practitioners.

===Creating An AppSec Pipeline With Containers In A Week How We Failed And Succeeded by Jeroen Willemsen===
====Abstract====
Join us on our adventure of setting up a appsec pipeline with Docker containers. What did go wrong, how did we succeed? How do you fight false positives and how do you get the best out of the products out there without bothering the development teams too much.
====Bio====
Jeroen Willemsen is a security architect with a passion for mobile and risk management. He loves to work on secure building blocks, security automation pipelines and embedding information security risk management controls in an agile environment. He is dedicated to help developers, product owners and architects to take security seriously in their daily development life (but not too serious of course ;-)).In his spare time he loves to experiment with new technologies and frameworks.”



= Social Event =

== Social Event,starting at 7PM ==
Thursday, November 23rd
;Dudok Tilburg
:Veemarktstraat 33
:5038 CT Tilburg
:http://www.dudok.nl/
Menu:
:As we are a big group, Dudok will prepare the following [[Media:Dudok menu OWASP.pdf|menu]] for us!
'''If you want to join the social event, don't forget to register for the social event via the registration:'''
:[[image:Register_now_red.png|link=https://owasp-benelux-day-2017.eventbrite.com |200px|alt=Register for the OWASP BeNeLux Day 2017 | Register for the OWASP BeNeLux Day 2017 ]]

(limited) open tap sponsored by :
[[File:Avi Logo Transparent Background 300pix.png|200px|link=https://avinetworks.com/]]



= Sponsor =

=== Become a sponsor of OWASP BeNeLux ===

There are 3 combined sponsorship packages (Gold, Silver or Bronze) that cover the BeNeLux chapter meetings 2018 and the BeNeLux OWASP Days 2017 in Tilburg, the Netherlands.

Download our sponsor brochure TBD and contact [mailto:seba@owasp.org us] for questions or sponsorship confirmation!

Your sponsorship will be invested directly in the chapter meetings, supporting speaker and catering expenses.

The sponsorship will also be dedicated to cover the costs of the OWASP 2017 BeNeLux event.

__NOTOC__
<headertabs></headertabs>

=== Made possible by our {{#switchtablink:Sponsor|Sponsors}}===
'''Hosted by'''
[[File:Interpolis logo 2736.gif|200px|link=https://www.interpolis.nl/]]

'''Platinum:'''
[[File:Achmea_L1_RGB_colour.jpg|250px||link=https://www.achmea.nl/]]

'''Gold:'''
[http://www.vest.nl https://www.owasp.org/images/6/67/Vest.jpg]
[https://secwatch.nl https://www.owasp.org/images/f/ff/Secwatch_logo_small.png]
[[File:Avi Logo Transparent Background 300pix.png|200px|link=https://avinetworks.com/]]

'''Silver:'''
[[File:LogoToreon.jpg|250px|link=https://www.toreon.com]]
[http://www.nviso.be https://www.owasp.org/images/5/5e/Nviso_logo_RGB_baseline_200px.png]
[http://www.sig.eu/security https://www.owasp.org/images/9/99/SIG_LOGO.png]
[https://www.secura.com/ https://www.owasp.org/images/7/78/Secura_logo_small.png]
[[File:Xebia logo-large-transparent.png|200px|link=https://xebia.com/agile-software-security]]

'''Bronze:'''
[https://informatiebeveiliging.nl/ https://www.owasp.org/images/9/9a/Logo_Informatiebeveiliging-200.png]
[https://www.netsparker.com/ https://www.owasp.org/images/8/88/200x60_netsparker_logo.png]

[[Category:OWASP_AppSec_Conference]]
[[Category:OWASP_BeNeLux_Archives]]

Belgium Events 2018

2018-09-25T16:05:04Z

Thomas Herlea: Reduced the whitespace between meeting sections to one empty line, as the second one was creating an empty paragraph.

<noinclude>
These are the 2018 events of the [[Belgium|OWASP Belgium Chapter]].

Previous year: [[Belgium Events 2017|2017]].
</noinclude>


== 23 October 2018 Meeting ==

=== Where ===

* Host: [https://securecodewarrior.com/ Secure Code Warrior]

* Address ([https://goo.gl/maps/e6Ej1v44tf32 map], [https://goo.gl/maps/UoW1EM3kbfy directions], 10 minutes walk from Brugge train station)
Baron Ruzettelaan 1
8310 Assebroek

* Parking is available under the building, open from 5 p.m., the entrance is at the back:
Vestingstraat 88
8310 Assebroek

=== Agenda ===

* 18h00 - 18h50: Welcome & pizzas
* 18h50 - 19h00:  ''OWASP Update'' by Sebastien Deleersnyder (OWASP)
* 19h00 - 19h30:  ''Effectively Distribute Software Security Knowledge'' by Pieter De Cremer and Nathan Desmet (Secure Code Warrior)
* 19h30 - 19h45: Beers from Bruges break
* 19h45 - 20h25:  ''Common API Security Pitfalls'' by Philippe De Ryck (Pragmatic Web Security)
* 20h25 - 20h40: ''Thank you note'' by Matias Madou (Secure Code Warrior)
* 20h40 - 22h00: Networking and more beers from Bruges

=== Program ===

==== Effectively Distribute Software Security Knowledge ====

* Speaker: [https://www.linkedin.com/in/pdcremer/ Pieter De Cremer] ([https://twitter.com/pdcremer @pdcremer]) and [https://www.linkedin.com/in/nathan-desmet-687345aa/ Nathan Desmet] (Secure Code Warrior)
* Presentation: not yet available 

''Abstract''

not yet available 

''Speaker Bios''

'''Pieter De Cremer''' is an R&D Engineer and Security Researcher at Secure Code Warrior, where he is responsible for researching a wide variety of application vulnerabilities and developing this into new content and coding challenges for the Secure Code Warrior platform. His passion lies in empowering developers to be the first line of defence in their organisation by making security
easy to understand.

Pieter graduated with a Masters in Computer Science Engineering from the University of Ghent and is currently completing his PhD in Secure Design Programming Aid for the Internet of Things through a personal grant from the Flemish government. When he is away from his desk, Pieter has also facilitated a number of secure coding workshops with Ghent University, Howest Bruges and Antwerp University, helping students improve their secure coding skills. His repertoire of coding languages includes C, C++, Java, Python, node and Haskell.

'''Nathan Desmet''' is the Lead Engineer at Secure Code Warrior, where he is responsible for developing Sensei, a real-time correction and coaching IDE plug-in for secure coding. His passion lies in building world-class software applications that makes an impact in the way developers build software with a focus on security.

Prior to Secure Code Warrior, Nathan has worked for NVISO where he created the Cyber Security Challenge platform, the biggest computer security competition in Belgium. Nathan also co-founded Sensei Security, and founded Applix, a software consultancy firm. His clients include SMEs in the technology and legal sector.

Nathan graduated with a degree in Computer Science from the University of Howest Bruges, majoring in Computer and Cybercrime Professional.

==== Common API Security Pitfalls ====

* Speaker: [https://twitter.com/PhilippeDeRyck Philippe De Ryck] ([https://pragmaticwebsecurity.com/ Pragmatic Web Security])
* Presentation: not yet available 

''Abstract''

The shift towards an API landscape indicates a significant evolution in the way we build applications. The rise of JavaScript and mobile applications have sparked an explosion of easily-accessible REST APIs. But how do you protect access to your API? Which security aspects are no longer relevant? Which security features are an absolutely must-have, and which additional security measures do you need to take into account?

These are hard questions, as evidenced by the deployment of numerous insecure APIs. Attend this session to find out about common API security pitfalls, that often result in compromised user accounts and unauthorized access to your data. We expose the problem that lies at the root of each of these pitfalls, and offer actionable advice to address these security problems. After this session, you will know how to assess the security of your APIs, and the best practices to improve them towards the future.

''Speaker Bio''

Philippe De Ryck is the founder of Pragmatic Web Security, where he travels the world to train developers on web security and security engineering. He holds a Ph.D. in web security from KU Leuven. Google recognizes Philippe as a Google Developer Expert for his knowledge of web security and security in Angular applications.

=== Registration ===

Registration via EventBrite: coming soon 

=== Coverage ===

n/a

== 17 September 2018 Meeting ==

=== Where ===

* Host: [https://ec.europa.eu European Commission]

* Address ([https://www.google.com/maps/place/Place+Madou+1,+1210+Saint-Josse-ten-Noode/ map], [https://www.google.com/maps/dir//Place+Madou+1,+1210+Saint-Josse-ten-Noode directions])
Place Madou, 1
1210 Saint-Josse-Ten-Noode

=== Agenda ===

* 18h00 - 18h50: Welcome & sandwiches
* 18h50 - 19h00: [https://www.owasp.org/images/9/9b/Owasp_Belgium_update_2018-09-17_v1.pptx OWASP Update] by Sebastien Deleersnyder (OWASP)
* 19h00 - 19h10: ''Intro by the EC'' by Miguel Soria Machado (Head of Sector CSIRC, DIGIT IT Security Directorate, European Commission)
* 19h10 - 20h00: [https://www.owasp.org/images/1/17/Dirk_Wetter_-_Docker_Security_Brussels.pdf Docker Threat Modeling and Top 10] by Dirk Wetter
* 20h00 - 20h10: Break
* 20h10 - 21h00: [https://www.owasp.org/images/1/1c/Securing_Containers_on_the_High_Seas_%28OWASP_Belgium_September_17-09-2018%29.pdf Securing Containers on the High Seas] by Jack Mannino (nVisium)
* 21h00 - 21h30: Networking drink

=== Program ===

==== Docker Threat Modeling and Top 10 ====

* Speaker: [https://twitter.com/drwetter Dirk Wetter]
* Presentation: https://www.owasp.org/images/1/17/Dirk_Wetter_-_Docker_Security_Brussels.pdf

''Abstract''

Docker containers offer several advantages for developers. Most notably they fit perfectly in software development processes, they enable fast, reproducible deployments and when properly done, with little change the same container can run either in a test or production environment.

Despite threatening information out there Docker offers per se also several security advantages. However it is important to make use of them and as a minimum avoid several pitfalls. In a worst case scenario this can lead otherwise to less security or the security benefits which the containment
technology offers are not being used at all.

To avoid this a proper fundamental approach is needed.

Thus this talk models first the most important threats to containerized environments out there. Based on that the speaker will present 10 security bullet points which covers:

* important Do's and Dont's,
* for advanced needs how to tighten security further.

At the end the speaker gives advice how to check your Docker and Kubernetes security status yourself.

The talk is based on practical experiences at several costumers and on the speaker's solid network and systems security expertise.

''Speaker Bio''

Dirk Wetter (Ph.D.) is an independent security consultant with more than 20 years professional experience in information security with a broad technical and information security management background.

His primary focus nowadays is around web application security. He has also a solid background on network and systems security.

He's also founder and maintainer of the open source project testssl.sh which checks the encryption of every SSL/TLS enabled service.

==== Securing Containers on the High Seas ====

* Speaker: [https://twitter.com/jack_mannino Jack Mannino] (nVisium)
* Presentation: https://www.owasp.org/images/1/1c/Securing_Containers_on_the_High_Seas_%28OWASP_Belgium_September_17-09-2018%29.pdf

''Abstract''

It can be a difficult challenge for organizations to securely migrate to containers while shifting processes and security controls. Making the move from legacy virtualization and monolithic deployments to containers requires a solid strategy. Containers offer many inherent security benefits but it’s important to build controls in beyond the containers themselves. From development through container registries and deployment to a runtime environment, it’s important to enforce security and eliminate risks as they’re introduced.

This presentation will focus on scaling container security within an enterprise and building security controls into the way you build, ship, and run containerized services. We will discuss the modern container landscape including different container runtimes and isolation models. We will explore the container lifecycle from your developer’s laptop through your production environment and examine the key security problems to mitigate.

''Speaker Bios''

Jack Mannino is the CEO of nVisium. Passionate about security and impossible to keep away from a keyboard, his expertise spans over 15 years of building, breaking, and securing software. Jack founded nVisium in 2009, and since has helped the world's largest software teams enhance security across their software portfolios. He has spoken at conferences globally on topics such as secure design, mobile application security, and cloud-native security.

=== Registration ===

Two step registration:

# Registration was via EventBrite: https://owasp-belgium-2018-09-17.eventbrite.com.
# Pre-registration of participants' ID documents, necessary for passing security checkpoint at the entrance to the site was via: https://ec.europa.eu/eusurvey/runner/OWASPBelgiumChapterMeetingSept17. The deadline for this registration was ''Sunday, September 16th midnight''.

=== Coverage ===

n/a

== 19 March 2018 Meeting ==

=== Where ===

* Host: [https://www.ing.be ING Belgium]

* Address ([https://branches.ing.be/branch/1040_bxl-non-residents map])
Cours St Michel 60
1040 Brussel

=== Agenda ===

* 18h15 - 19h00: Welcome & sandwiches
* 19h00 - 19h10: ''OWASP Update'' by Sebastien Deleersnyder (OWASP)
* 19h10 - 20h00: ''KRACKing WPA2 in Practice Using Key Reinstallation Attacks''  by Mathy Vanhoef (imec-DistriNet-KU Leuven)
* 20h00 - 20h10: Break
* 20h10 - 21h00: ''Making the web secure by design''  by Glenn Ten Cate (ING Belgium) and Riccardo Ten Cate (Xebia)
* 21h00 - 21h30: Networking drink

=== Program ===

==== KRACKing WPA2 in Practice Using Key Reinstallation Attacks ====

* Speaker: Mathy Vanhoef (imec-DistriNet-KU Leuven)
* Presentation: not yet available 

''Abstract''

This talk presents the key reinstallation attack against WPA2 (KRACK attack). It abuses design or implementation flaws in cryptographic protocols to reinstall an already-in-use key. This resets the key’s associated parameters such as transmit nonces and receive replay counters. Several cryptographic Wi-Fi handshakes are affected by the attack.

All protected Wi-Fi networks use the 4-way handshake to generate a fresh session key. So far, this 14-year-old handshake has remained free from attacks. However, we show that the 4-way handshake is vulnerable to a key reinstallation attack. Here, the adversary tricks a victim into reinstalling an already-in-use key. This is achieved by manipulating and replaying handshake messages. When reinstalling the key, associated parameters such as the incremental transmit packet number (nonce) and receive packet number (replay counter) are reset to their initial value.

The talk also discusses the vulnerability disclosure process that was followed. Since the discovery affected numerous vendors, coordinating the disclosure was non-trivial.

''Speaker Bio''

Mathy Vanhoef is a postdoctoral researcher at KU Leuven. He did his PhD on the security of WPA-TKIP, TLS, and RC4. His research interest is in computer security with a focus on wireless security (e.g. Wi-Fi), network protocols in general, the RC4 stream cipher (where he discovered the RC NOMORE attack), and software security (discovering and exploiting vulnerabilities). Currently his main research is about automatically discovering vulnerabilities in network protocol implementations, and proving the correctness of protocol implementations.

==== Making the web secure by design ====

* Speaker: Glenn Ten Cate (ING Belgium) and Riccardo Ten Cate (Xebia)
* Presentation: not yet available 

''Abstract''

Education is the first step in the Secure Software Development Lifecycle. The free OWASP Security Knowledge Framework (SKF) is intended to be a tool that is used as a guide for building and verifying secure software. It can also be used to train developers about application security. This talk will help you as a developer to become THE Neo of your development team. We will show how you can do security by design and introduce other quality gates into your development pipeline to ensure high end quality and security of your project.

''Speaker Bios''

As a coder, hacker, speaker, trainer and security researcher employed at ING Belgium, '''Glenn Ten Cate''' has over 10 years experience in the field of security. One of the founders of defensive development [defdev] a security training and conference series dedicated to helping you build and maintain secure software and also speaking at multiple other security conferences in the world. His goals is to create an open-source software development life cycle with the tools and knowledge gathered over the years.

As a penetration tester from the Netherlands employed at Xebia, '''Riccardo Ten Cate''' specialises in web-application security and has extensive knowledge in securing web applications in multiple coding languages. He is also a specialist in setting up Secure Software Development Life Cycles.

=== Registration ===

Registration was via EventBrite: https://owasp-belgium-2018-03-19.eventbrite.com.

=== Coverage ===

n/a

== 20 February 2018 Meeting ==

=== Where ===

* Host: [https://distrinet.cs.kuleuven.be DistriNet Research Group (KU Leuven)] (Both speakers are faculty of the [https://www.secappdev.org/ Secure Application Development] course held in Leuven from 2018-02-19 to 2018-02-23.)

* Address ([http://googlemapsinterface.kuleuven.be/index.cgi?lang=N&nbol=(50.864186697481145,%204.678754210472107)&zoomlevel=17&plaatsnaam=Department+of+Computer+Science&maptype=roadmap map], [https://distrinet.cs.kuleuven.be/about/route/ directions]):
Department of Computer Science (foyer at ground floor)
Celestijnenlaan 200 A
3001 Heverlee

=== Agenda ===

*18h15 - 19h00: Welcome & sandwiches
*19h00 - 19h10: [https://www.owasp.org/images/7/7a/Owasp_Belgium_update_2018-02-20_v1.pdf OWASP Update] by Sebastien Deleersnyder (OWASP)
*19h10 - 20h00: [https://schd.ws/hosted_files/secappdev2018/a9/Developer%20are%20not%20the%20enemy%20SecAppDev%20web.pdf Developers are not the enemy -- Usable Security for Experts] by Prof. Matthew Smith (University of Bonn)
*20h00 - 20h10: Break
*20h10 - 21h00: [https://schd.ws/hosted_files/secappdev2018/75/The%20code%20behind%20the%20vulnerability.pdf The Code Behind The Vulnerability] by Barry Dorrans (Microsoft)

=== Program ===

==== Developers are not the enemy -- Usable Security for Experts ====

* Speaker: Prof. Matthew Smith (University of Bonn)
* Presentation: https://schd.ws/hosted_files/secappdev2018/a9/Developer%20are%20not%20the%20enemy%20SecAppDev%20web.pdf

''Abstract''

Usability problems are a major cause of many of today's IT-security incidents. Security systems are often too complicated, time-consuming, and error prone. For more than a decade researchers in the domain of usable security (USEC) have attempted to combat these problems by conducting interdisciplinary research focusing on the root causes of the problems and on the creation of usable security mechanisms. While major improvements have been made, to date USEC research has focused almost entirely on the non-expert end-user. However, many of the most catastrophic security incidents were not caused by end-users, but by developers or administrators. Heartbleed and Shellshock were both caused by single developers yet had global consequences. The Sony hack in 2014 compromised an entire multi-national IT-infrastructure and misappropriated over 100 TB of data, unnoticed. Fundamentally, every software vulnerability and misconfigured system is caused by developers or administrators making mistakes, but very little research has been done into the underlying causalities and possible mitigation strategies. In this talk we will explore the transition from end-user to expert usable security research and look at several application areas, including TLS, passwords, malware analysis and vulnerability analysis.

''Speaker Bio''

Matthew Smith is a Professor for Usable Security and Privacy at the University of Bonn. His research is focused on human factors of security and privacy mechanisms with a wide range of application areas, including TLS and network security, authentication, mobile and app security and, most recently, usable security for developers and administrators. His work has been published at, among others, IEEE S&P, ACM CCS, USENIX Security, NDSS, ACM SIGCHI and SOUPS the Symposium on Usable Security and Privacy. In 2015 his ERC Starting Grant "Frontiers of Usable Security" was selected for funding.

==== The Code Behind The Vulnerability ====

* Speaker: Barry Dorrans (Microsoft)
* Presentation: https://schd.ws/hosted_files/secappdev2018/75/The%20code%20behind%20the%20vulnerability.pdf

''Abstract''

Everyone makes security mistakes, and that includes Microsoft (seriously!). Many developers can spot and prevent vulnerabilities listed in the OWASP top 10. But that narrative changes when we look beyond the scope of the OWASP top 10. Compared to some more recent attacks, fixing XSS or SQL injection almost seems easy. In this session, we dive into a couple of .NET core cases that have been reported to the Microsoft Security Response Center (MSRC). Mind you; these vulnerabilities are not just framework vulnerabilities. Instead, they are coding patterns that you may have introduced in your applications. Examples are issues with hash tables, compression, encryption, regular expressions and more. In this session, you will learn how to spot these vulnerabilities in your code. On top of that, you will walk away with the skills to fix them.

''Speaker Bio''

Barry Dorrans is the .NET Security Czar, which means he tries to tell everyone else how to code securely and taking the credit when it goes right, as well as running the .NET Core Bug Bounty. He also ends up triaging publicly and privately reported vulnerabilities when it goes wrong before getting someone else to fix the mistakes. This he gets all the fun and none of the real work, aside from the endless stress wondering when the next vulnerability will be discovered.

=== Registration ===

Registration was via EventBrite: https://owasp-belgium-2018-02-20.eventbrite.com.

=== Coverage ===

n/a

Belgium Events 2018

2018-09-25T16:00:59Z

Thomas Herlea: Changed talk titles in the 'Agenda' sections into links to the slides, when available. Put the presenters' institutions in parentheses after the presenter names.

<noinclude>
These are the 2018 events of the [[Belgium|OWASP Belgium Chapter]].

Previous year: [[Belgium Events 2017|2017]].
</noinclude>


== 23 October 2018 Meeting ==

=== Where ===

* Host: [https://securecodewarrior.com/ Secure Code Warrior]

* Address ([https://goo.gl/maps/e6Ej1v44tf32 map], [https://goo.gl/maps/UoW1EM3kbfy directions], 10 minutes walk from Brugge train station)
Baron Ruzettelaan 1
8310 Assebroek

* Parking is available under the building, open from 5 p.m., the entrance is at the back:
Vestingstraat 88
8310 Assebroek

=== Agenda ===

* 18h00 - 18h50: Welcome & pizzas
* 18h50 - 19h00:  ''OWASP Update'' by Sebastien Deleersnyder (OWASP)
* 19h00 - 19h30:  ''Effectively Distribute Software Security Knowledge'' by Pieter De Cremer and Nathan Desmet (Secure Code Warrior)
* 19h30 - 19h45: Beers from Bruges break
* 19h45 - 20h25:  ''Common API Security Pitfalls'' by Philippe De Ryck (Pragmatic Web Security)
* 20h25 - 20h40: ''Thank you note'' by Matias Madou (Secure Code Warrior)
* 20h40 - 22h00: Networking and more beers from Bruges

=== Program ===

==== Effectively Distribute Software Security Knowledge ====

* Speaker: [https://www.linkedin.com/in/pdcremer/ Pieter De Cremer] ([https://twitter.com/pdcremer @pdcremer]) and [https://www.linkedin.com/in/nathan-desmet-687345aa/ Nathan Desmet] (Secure Code Warrior)
* Presentation: not yet available 

''Abstract''

not yet available 

''Speaker Bios''

'''Pieter De Cremer''' is an R&D Engineer and Security Researcher at Secure Code Warrior, where he is responsible for researching a wide variety of application vulnerabilities and developing this into new content and coding challenges for the Secure Code Warrior platform. His passion lies in empowering developers to be the first line of defence in their organisation by making security
easy to understand.

Pieter graduated with a Masters in Computer Science Engineering from the University of Ghent and is currently completing his PhD in Secure Design Programming Aid for the Internet of Things through a personal grant from the Flemish government. When he is away from his desk, Pieter has also facilitated a number of secure coding workshops with Ghent University, Howest Bruges and Antwerp University, helping students improve their secure coding skills. His repertoire of coding languages includes C, C++, Java, Python, node and Haskell.

'''Nathan Desmet''' is the Lead Engineer at Secure Code Warrior, where he is responsible for developing Sensei, a real-time correction and coaching IDE plug-in for secure coding. His passion lies in building world-class software applications that makes an impact in the way developers build software with a focus on security.

Prior to Secure Code Warrior, Nathan has worked for NVISO where he created the Cyber Security Challenge platform, the biggest computer security competition in Belgium. Nathan also co-founded Sensei Security, and founded Applix, a software consultancy firm. His clients include SMEs in the technology and legal sector.

Nathan graduated with a degree in Computer Science from the University of Howest Bruges, majoring in Computer and Cybercrime Professional.

==== Common API Security Pitfalls ====

* Speaker: [https://twitter.com/PhilippeDeRyck Philippe De Ryck] ([https://pragmaticwebsecurity.com/ Pragmatic Web Security])
* Presentation: not yet available 

''Abstract''

The shift towards an API landscape indicates a significant evolution in the way we build applications. The rise of JavaScript and mobile applications have sparked an explosion of easily-accessible REST APIs. But how do you protect access to your API? Which security aspects are no longer relevant? Which security features are an absolutely must-have, and which additional security measures do you need to take into account?

These are hard questions, as evidenced by the deployment of numerous insecure APIs. Attend this session to find out about common API security pitfalls, that often result in compromised user accounts and unauthorized access to your data. We expose the problem that lies at the root of each of these pitfalls, and offer actionable advice to address these security problems. After this session, you will know how to assess the security of your APIs, and the best practices to improve them towards the future.

''Speaker Bio''

Philippe De Ryck is the founder of Pragmatic Web Security, where he travels the world to train developers on web security and security engineering. He holds a Ph.D. in web security from KU Leuven. Google recognizes Philippe as a Google Developer Expert for his knowledge of web security and security in Angular applications.

=== Registration ===

Registration via EventBrite: coming soon 

=== Coverage ===

n/a

== 17 September 2018 Meeting ==

=== Where ===

* Host: [https://ec.europa.eu European Commission]

* Address ([https://www.google.com/maps/place/Place+Madou+1,+1210+Saint-Josse-ten-Noode/ map], [https://www.google.com/maps/dir//Place+Madou+1,+1210+Saint-Josse-ten-Noode directions])
Place Madou, 1
1210 Saint-Josse-Ten-Noode

=== Agenda ===

* 18h00 - 18h50: Welcome & sandwiches
* 18h50 - 19h00: [https://www.owasp.org/images/9/9b/Owasp_Belgium_update_2018-09-17_v1.pptx OWASP Update] by Sebastien Deleersnyder (OWASP)
* 19h00 - 19h10: ''Intro by the EC'' by Miguel Soria Machado (Head of Sector CSIRC, DIGIT IT Security Directorate, European Commission)
* 19h10 - 20h00: [https://www.owasp.org/images/1/17/Dirk_Wetter_-_Docker_Security_Brussels.pdf Docker Threat Modeling and Top 10] by Dirk Wetter
* 20h00 - 20h10: Break
* 20h10 - 21h00: [https://www.owasp.org/images/1/1c/Securing_Containers_on_the_High_Seas_%28OWASP_Belgium_September_17-09-2018%29.pdf Securing Containers on the High Seas] by Jack Mannino (nVisium)
* 21h00 - 21h30: Networking drink

=== Program ===

==== Docker Threat Modeling and Top 10 ====

* Speaker: [https://twitter.com/drwetter Dirk Wetter]
* Presentation: https://www.owasp.org/images/1/17/Dirk_Wetter_-_Docker_Security_Brussels.pdf

''Abstract''

Docker containers offer several advantages for developers. Most notably they fit perfectly in software development processes, they enable fast, reproducible deployments and when properly done, with little change the same container can run either in a test or production environment.

Despite threatening information out there Docker offers per se also several security advantages. However it is important to make use of them and as a minimum avoid several pitfalls. In a worst case scenario this can lead otherwise to less security or the security benefits which the containment
technology offers are not being used at all.

To avoid this a proper fundamental approach is needed.

Thus this talk models first the most important threats to containerized environments out there. Based on that the speaker will present 10 security bullet points which covers:

* important Do's and Dont's,
* for advanced needs how to tighten security further.

At the end the speaker gives advice how to check your Docker and Kubernetes security status yourself.

The talk is based on practical experiences at several costumers and on the speaker's solid network and systems security expertise.

''Speaker Bio''

Dirk Wetter (Ph.D.) is an independent security consultant with more than 20 years professional experience in information security with a broad technical and information security management background.

His primary focus nowadays is around web application security. He has also a solid background on network and systems security.

He's also founder and maintainer of the open source project testssl.sh which checks the encryption of every SSL/TLS enabled service.

==== Securing Containers on the High Seas ====

* Speaker: [https://twitter.com/jack_mannino Jack Mannino] (nVisium)
* Presentation: https://www.owasp.org/images/1/1c/Securing_Containers_on_the_High_Seas_%28OWASP_Belgium_September_17-09-2018%29.pdf

''Abstract''

It can be a difficult challenge for organizations to securely migrate to containers while shifting processes and security controls. Making the move from legacy virtualization and monolithic deployments to containers requires a solid strategy. Containers offer many inherent security benefits but it’s important to build controls in beyond the containers themselves. From development through container registries and deployment to a runtime environment, it’s important to enforce security and eliminate risks as they’re introduced.

This presentation will focus on scaling container security within an enterprise and building security controls into the way you build, ship, and run containerized services. We will discuss the modern container landscape including different container runtimes and isolation models. We will explore the container lifecycle from your developer’s laptop through your production environment and examine the key security problems to mitigate.

''Speaker Bios''

Jack Mannino is the CEO of nVisium. Passionate about security and impossible to keep away from a keyboard, his expertise spans over 15 years of building, breaking, and securing software. Jack founded nVisium in 2009, and since has helped the world's largest software teams enhance security across their software portfolios. He has spoken at conferences globally on topics such as secure design, mobile application security, and cloud-native security.

=== Registration ===

Two step registration:

# Registration was via EventBrite: https://owasp-belgium-2018-09-17.eventbrite.com.
# Pre-registration of participants' ID documents, necessary for passing security checkpoint at the entrance to the site was via: https://ec.europa.eu/eusurvey/runner/OWASPBelgiumChapterMeetingSept17. The deadline for this registration was ''Sunday, September 16th midnight''.

=== Coverage ===

n/a

== 19 March 2018 Meeting ==

=== Where ===

* Host: [https://www.ing.be ING Belgium]

* Address ([https://branches.ing.be/branch/1040_bxl-non-residents map])
Cours St Michel 60
1040 Brussel

=== Agenda ===

* 18h15 - 19h00: Welcome & sandwiches
* 19h00 - 19h10: ''OWASP Update'' by Sebastien Deleersnyder (OWASP)
* 19h10 - 20h00: ''KRACKing WPA2 in Practice Using Key Reinstallation Attacks''  by Mathy Vanhoef (imec-DistriNet-KU Leuven)
* 20h00 - 20h10: Break
* 20h10 - 21h00: ''Making the web secure by design''  by Glenn Ten Cate (ING Belgium) and Riccardo Ten Cate (Xebia)
* 21h00 - 21h30: Networking drink

=== Program ===

==== KRACKing WPA2 in Practice Using Key Reinstallation Attacks ====

* Speaker: Mathy Vanhoef (imec-DistriNet-KU Leuven)
* Presentation: not yet available 

''Abstract''

This talk presents the key reinstallation attack against WPA2 (KRACK attack). It abuses design or implementation flaws in cryptographic protocols to reinstall an already-in-use key. This resets the key’s associated parameters such as transmit nonces and receive replay counters. Several cryptographic Wi-Fi handshakes are affected by the attack.

All protected Wi-Fi networks use the 4-way handshake to generate a fresh session key. So far, this 14-year-old handshake has remained free from attacks. However, we show that the 4-way handshake is vulnerable to a key reinstallation attack. Here, the adversary tricks a victim into reinstalling an already-in-use key. This is achieved by manipulating and replaying handshake messages. When reinstalling the key, associated parameters such as the incremental transmit packet number (nonce) and receive packet number (replay counter) are reset to their initial value.

The talk also discusses the vulnerability disclosure process that was followed. Since the discovery affected numerous vendors, coordinating the disclosure was non-trivial.

''Speaker Bio''

Mathy Vanhoef is a postdoctoral researcher at KU Leuven. He did his PhD on the security of WPA-TKIP, TLS, and RC4. His research interest is in computer security with a focus on wireless security (e.g. Wi-Fi), network protocols in general, the RC4 stream cipher (where he discovered the RC NOMORE attack), and software security (discovering and exploiting vulnerabilities). Currently his main research is about automatically discovering vulnerabilities in network protocol implementations, and proving the correctness of protocol implementations.

==== Making the web secure by design ====

* Speaker: Glenn Ten Cate (ING Belgium) and Riccardo Ten Cate (Xebia)
* Presentation: not yet available 

''Abstract''

Education is the first step in the Secure Software Development Lifecycle. The free OWASP Security Knowledge Framework (SKF) is intended to be a tool that is used as a guide for building and verifying secure software. It can also be used to train developers about application security. This talk will help you as a developer to become THE Neo of your development team. We will show how you can do security by design and introduce other quality gates into your development pipeline to ensure high end quality and security of your project.

''Speaker Bios''

As a coder, hacker, speaker, trainer and security researcher employed at ING Belgium, '''Glenn Ten Cate''' has over 10 years experience in the field of security. One of the founders of defensive development [defdev] a security training and conference series dedicated to helping you build and maintain secure software and also speaking at multiple other security conferences in the world. His goals is to create an open-source software development life cycle with the tools and knowledge gathered over the years.

As a penetration tester from the Netherlands employed at Xebia, '''Riccardo Ten Cate''' specialises in web-application security and has extensive knowledge in securing web applications in multiple coding languages. He is also a specialist in setting up Secure Software Development Life Cycles.

=== Registration ===

Registration was via EventBrite: https://owasp-belgium-2018-03-19.eventbrite.com.

=== Coverage ===

n/a

== 20 February 2018 Meeting ==

=== Where ===

* Host: [https://distrinet.cs.kuleuven.be DistriNet Research Group (KU Leuven)] (Both speakers are faculty of the [https://www.secappdev.org/ Secure Application Development] course held in Leuven from 2018-02-19 to 2018-02-23.)

* Address ([http://googlemapsinterface.kuleuven.be/index.cgi?lang=N&nbol=(50.864186697481145,%204.678754210472107)&zoomlevel=17&plaatsnaam=Department+of+Computer+Science&maptype=roadmap map], [https://distrinet.cs.kuleuven.be/about/route/ directions]):
Department of Computer Science (foyer at ground floor)
Celestijnenlaan 200 A
3001 Heverlee

=== Agenda ===

*18h15 - 19h00: Welcome & sandwiches
*19h00 - 19h10: [https://www.owasp.org/images/7/7a/Owasp_Belgium_update_2018-02-20_v1.pdf OWASP Update] by Sebastien Deleersnyder (OWASP)
*19h10 - 20h00: [https://schd.ws/hosted_files/secappdev2018/a9/Developer%20are%20not%20the%20enemy%20SecAppDev%20web.pdf Developers are not the enemy -- Usable Security for Experts] by Prof. Matthew Smith (University of Bonn)
*20h00 - 20h10: Break
*20h10 - 21h00: [https://schd.ws/hosted_files/secappdev2018/75/The%20code%20behind%20the%20vulnerability.pdf The Code Behind The Vulnerability] by Barry Dorrans (Microsoft)

=== Program ===

==== Developers are not the enemy -- Usable Security for Experts ====

* Speaker: Prof. Matthew Smith (University of Bonn)
* Presentation: https://schd.ws/hosted_files/secappdev2018/a9/Developer%20are%20not%20the%20enemy%20SecAppDev%20web.pdf

''Abstract''

Usability problems are a major cause of many of today's IT-security incidents. Security systems are often too complicated, time-consuming, and error prone. For more than a decade researchers in the domain of usable security (USEC) have attempted to combat these problems by conducting interdisciplinary research focusing on the root causes of the problems and on the creation of usable security mechanisms. While major improvements have been made, to date USEC research has focused almost entirely on the non-expert end-user. However, many of the most catastrophic security incidents were not caused by end-users, but by developers or administrators. Heartbleed and Shellshock were both caused by single developers yet had global consequences. The Sony hack in 2014 compromised an entire multi-national IT-infrastructure and misappropriated over 100 TB of data, unnoticed. Fundamentally, every software vulnerability and misconfigured system is caused by developers or administrators making mistakes, but very little research has been done into the underlying causalities and possible mitigation strategies. In this talk we will explore the transition from end-user to expert usable security research and look at several application areas, including TLS, passwords, malware analysis and vulnerability analysis.

''Speaker Bio''

Matthew Smith is a Professor for Usable Security and Privacy at the University of Bonn. His research is focused on human factors of security and privacy mechanisms with a wide range of application areas, including TLS and network security, authentication, mobile and app security and, most recently, usable security for developers and administrators. His work has been published at, among others, IEEE S&P, ACM CCS, USENIX Security, NDSS, ACM SIGCHI and SOUPS the Symposium on Usable Security and Privacy. In 2015 his ERC Starting Grant "Frontiers of Usable Security" was selected for funding.

==== The Code Behind The Vulnerability ====

* Speaker: Barry Dorrans (Microsoft)
* Presentation: https://schd.ws/hosted_files/secappdev2018/75/The%20code%20behind%20the%20vulnerability.pdf

''Abstract''

Everyone makes security mistakes, and that includes Microsoft (seriously!). Many developers can spot and prevent vulnerabilities listed in the OWASP top 10. But that narrative changes when we look beyond the scope of the OWASP top 10. Compared to some more recent attacks, fixing XSS or SQL injection almost seems easy. In this session, we dive into a couple of .NET core cases that have been reported to the Microsoft Security Response Center (MSRC). Mind you; these vulnerabilities are not just framework vulnerabilities. Instead, they are coding patterns that you may have introduced in your applications. Examples are issues with hash tables, compression, encryption, regular expressions and more. In this session, you will learn how to spot these vulnerabilities in your code. On top of that, you will walk away with the skills to fix them.

''Speaker Bio''

Barry Dorrans is the .NET Security Czar, which means he tries to tell everyone else how to code securely and taking the credit when it goes right, as well as running the .NET Core Bug Bounty. He also ends up triaging publicly and privately reported vulnerabilities when it goes wrong before getting someone else to fix the mistakes. This he gets all the fun and none of the real work, aside from the endless stress wondering when the next vulnerability will be discovered.

=== Registration ===

Registration was via EventBrite: https://owasp-belgium-2018-02-20.eventbrite.com.

=== Coverage ===

n/a

Belgium Events 2018

2018-09-25T15:15:58Z

Thomas Herlea: /* 23 October 2018 Meeting */ Updated address details. Updated a speaker link.

<noinclude>
These are the 2018 events of the [[Belgium|OWASP Belgium Chapter]].

Previous year: [[Belgium Events 2017|2017]].
</noinclude>


== 23 October 2018 Meeting ==

=== Where ===

* Host: [https://securecodewarrior.com/ Secure Code Warrior]

* Address ([https://goo.gl/maps/e6Ej1v44tf32 map], [https://goo.gl/maps/UoW1EM3kbfy directions], 10 minutes walk from Brugge train station)
Baron Ruzettelaan 1
8310 Assebroek

* Parking is available under the building, open from 5 p.m., the entrance is at the back:
Vestingstraat 88
8310 Assebroek

=== Agenda ===

* 18h00 - 18h50: Welcome & pizzas
* 18h50 - 19h00:  OWASP Update (by Sebastien Deleersnyder, OWASP)
* 19h00 - 19h30: [[#2018-10-23 Talk 1|Effectively Distribute Software Security Knowledge]] (by Pieter De Cremer and Nathan Desmet, Secure Code Warrior)
* 19h30 - 19h45: Beers from Bruges break
* 19h45 - 20h25: [[#2018-10-23 Talk 2|Common API Security Pitfalls]] (by Philippe De Ryck, Pragmatic Web Security)
* 20h25 - 20h40: Thank you note (by Matias Madou, Secure Code Warrior)
* 20h40 - 22h00: Networking and more beers from Bruges

=== Program ===

==== Effectively Distribute Software Security Knowledge ====

* Speaker: [https://www.linkedin.com/in/pdcremer/ Pieter De Cremer] ([https://twitter.com/pdcremer @pdcremer]) and [https://www.linkedin.com/in/nathan-desmet-687345aa/ Nathan Desmet], Secure Code Warrior
* Presentation: not yet available 

''Abstract''

not yet available 

''Speaker Bios''

'''Pieter De Cremer''' is an R&D Engineer and Security Researcher at Secure Code Warrior, where he is responsible for researching a wide variety of application vulnerabilities and developing this into new content and coding challenges for the Secure Code Warrior platform. His passion lies in empowering developers to be the first line of defence in their organisation by making security
easy to understand.

Pieter graduated with a Masters in Computer Science Engineering from the University of Ghent and is currently completing his PhD in Secure Design Programming Aid for the Internet of Things through a personal grant from the Flemish government. When he is away from his desk, Pieter has also facilitated a number of secure coding workshops with Ghent University, Howest Bruges and Antwerp University, helping students improve their secure coding skills. His repertoire of coding languages includes C, C++, Java, Python, node and Haskell.

'''Nathan Desmet''' is the Lead Engineer at Secure Code Warrior, where he is responsible for developing Sensei, a real-time correction and coaching IDE plug-in for secure coding. His passion lies in building world-class software applications that makes an impact in the way developers build software with a focus on security.

Prior to Secure Code Warrior, Nathan has worked for NVISO where he created the Cyber Security Challenge platform, the biggest computer security competition in Belgium. Nathan also co-founded Sensei Security, and founded Applix, a software consultancy firm. His clients include SMEs in the technology and legal sector.

Nathan graduated with a degree in Computer Science from the University of Howest Bruges, majoring in Computer and Cybercrime Professional.

==== Common API Security Pitfalls ====

* Speaker: [https://twitter.com/PhilippeDeRyck Philippe De Ryck], [https://pragmaticwebsecurity.com/ Pragmatic Web Security]
* Presentation: not yet available 

''Abstract''

The shift towards an API landscape indicates a significant evolution in the way we build applications. The rise of JavaScript and mobile applications have sparked an explosion of easily-accessible REST APIs. But how do you protect access to your API? Which security aspects are no longer relevant? Which security features are an absolutely must-have, and which additional security measures do you need to take into account?

These are hard questions, as evidenced by the deployment of numerous insecure APIs. Attend this session to find out about common API security pitfalls, that often result in compromised user accounts and unauthorized access to your data. We expose the problem that lies at the root of each of these pitfalls, and offer actionable advice to address these security problems. After this session, you will know how to assess the security of your APIs, and the best practices to improve them towards the future.

''Speaker Bio''

Philippe De Ryck is the founder of Pragmatic Web Security, where he travels the world to train developers on web security and security engineering. He holds a Ph.D. in web security from KU Leuven. Google recognizes Philippe as a Google Developer Expert for his knowledge of web security and security in Angular applications.

=== Registration ===

Registration via EventBrite: coming soon 

=== Coverage ===

== 17 September 2018 Meeting ==

=== Where ===

* Host: [https://ec.europa.eu European Commission]

* Address ([https://www.google.com/maps/place/Place+Madou+1,+1210+Saint-Josse-ten-Noode/ map], [https://www.google.com/maps/dir//Place+Madou+1,+1210+Saint-Josse-ten-Noode directions])
Place Madou, 1
1210 Saint-Josse-Ten-Noode

=== Agenda ===

* 18h00 - 18h50: Welcome & sandwiches
* 18h50 - 19h00: [https://www.owasp.org/images/9/9b/Owasp_Belgium_update_2018-09-17_v1.pptx OWASP Update] (by Sebastien Deleersnyder, OWASP)
* 19h00 - 19h10: Intro by the EC (by Miguel Soria Machado, Head of Sector CSIRC, DIGIT IT Security Directorate, European Commission)
* 19h10 - 20h00: [[#2018-09-17 Talk 1|Docker Threat Modeling and Top 10]] (by Dirk Wetter)
* 20h00 - 20h10: Break
* 20h10 - 21h00: [[#2018-09-17 Talk 2|Securing Containers on the High Seas]] (by Jack Mannino, nVisium)
* 21h00 - 21h30: Networking drink

=== Program ===

==== Docker Threat Modeling and Top 10 ====

* Speaker: [https://twitter.com/drwetter Dirk Wetter]
* Presentation: https://www.owasp.org/images/1/17/Dirk_Wetter_-_Docker_Security_Brussels.pdf

''Abstract''

Docker containers offer several advantages for developers. Most notably they fit perfectly in software development processes, they enable fast, reproducible deployments and when properly done, with little change the same container can run either in a test or production environment.

Despite threatening information out there Docker offers per se also several security advantages. However it is important to make use of them and as a minimum avoid several pitfalls. In a worst case scenario this can lead otherwise to less security or the security benefits which the containment
technology offers are not being used at all.

To avoid this a proper fundamental approach is needed.

Thus this talk models first the most important threats to containerized environments out there. Based on that the speaker will present 10 security bullet points which covers:

* important Do's and Dont's,
* for advanced needs how to tighten security further.

At the end the speaker gives advice how to check your Docker and Kubernetes security status yourself.

The talk is based on practical experiences at several costumers and on the speaker's solid network and systems security expertise.

''Speaker Bio''

Dirk Wetter (Ph.D.) is an independent security consultant with more than 20 years professional experience in information security with a broad technical and information security management background.

His primary focus nowadays is around web application security. He has also a solid background on network and systems security.

He's also founder and maintainer of the open source project testssl.sh which checks the encryption of every SSL/TLS enabled service.

==== Securing Containers on the High Seas ====

* Speaker: [https://twitter.com/jack_mannino Jack Mannino], nVisium
* Presentation: https://www.owasp.org/images/1/1c/Securing_Containers_on_the_High_Seas_%28OWASP_Belgium_September_17-09-2018%29.pdf

''Abstract''

It can be a difficult challenge for organizations to securely migrate to containers while shifting processes and security controls. Making the move from legacy virtualization and monolithic deployments to containers requires a solid strategy. Containers offer many inherent security benefits but it’s important to build controls in beyond the containers themselves. From development through container registries and deployment to a runtime environment, it’s important to enforce security and eliminate risks as they’re introduced.

This presentation will focus on scaling container security within an enterprise and building security controls into the way you build, ship, and run containerized services. We will discuss the modern container landscape including different container runtimes and isolation models. We will explore the container lifecycle from your developer’s laptop through your production environment and examine the key security problems to mitigate.

''Speaker Bios''

Jack Mannino is the CEO of nVisium. Passionate about security and impossible to keep away from a keyboard, his expertise spans over 15 years of building, breaking, and securing software. Jack founded nVisium in 2009, and since has helped the world's largest software teams enhance security across their software portfolios. He has spoken at conferences globally on topics such as secure design, mobile application security, and cloud-native security.

=== Registration ===

Two step registration:

# Registration was via EventBrite: https://owasp-belgium-2018-09-17.eventbrite.com.
# Pre-registration of participants' ID documents, necessary for passing security checkpoint at the entrance to the site was via: https://ec.europa.eu/eusurvey/runner/OWASPBelgiumChapterMeetingSept17. The deadline for this registration was ''Sunday, September 16th midnight''.

=== Coverage ===

== 19 March 2018 Meeting ==

=== Where ===

* Host: [https://www.ing.be ING Belgium]

* Address ([https://branches.ing.be/branch/1040_bxl-non-residents map])
Cours St Michel 60
1040 Brussel

=== Agenda ===

* 18h15 - 19h00: Welcome & sandwiches
* 19h00 - 19h10: OWASP Update (by Sebastien Deleersnyder, OWASP)
* 19h10 - 20h00: [[#2018-03-19 Talk 1|KRACKing WPA2 in Practice Using Key Reinstallation Attacks]] (by Mathy Vanhoef, imec-DistriNet-KU Leuven)
* 20h00 - 20h10: Break
* 20h10 - 21h00: [[#2018-03-19 Talk 2|Making the web secure by design]] (by Glenn Ten Cate, ING Belgium, and Riccardo Ten Cate, Xebia)
* 21h00 - 21h30: Networking drink

=== Program ===

==== KRACKing WPA2 in Practice Using Key Reinstallation Attacks ====

* Speaker: Mathy Vanhoef, imec-DistriNet-KU Leuven

''Abstract''

This talk presents the key reinstallation attack against WPA2 (KRACK attack). It abuses design or implementation flaws in cryptographic protocols to reinstall an already-in-use key. This resets the key’s associated parameters such as transmit nonces and receive replay counters. Several cryptographic Wi-Fi handshakes are affected by the attack.

All protected Wi-Fi networks use the 4-way handshake to generate a fresh session key. So far, this 14-year-old handshake has remained free from attacks. However, we show that the 4-way handshake is vulnerable to a key reinstallation attack. Here, the adversary tricks a victim into reinstalling an already-in-use key. This is achieved by manipulating and replaying handshake messages. When reinstalling the key, associated parameters such as the incremental transmit packet number (nonce) and receive packet number (replay counter) are reset to their initial value.

The talk also discusses the vulnerability disclosure process that was followed. Since the discovery affected numerous vendors, coordinating the disclosure was non-trivial.

''Speaker Bio''

Mathy Vanhoef is a postdoctoral researcher at KU Leuven. He did his PhD on the security of WPA-TKIP, TLS, and RC4. His research interest is in computer security with a focus on wireless security (e.g. Wi-Fi), network protocols in general, the RC4 stream cipher (where he discovered the RC NOMORE attack), and software security (discovering and exploiting vulnerabilities). Currently his main research is about automatically discovering vulnerabilities in network protocol implementations, and proving the correctness of protocol implementations.

==== Making the web secure by design ====

* Speaker: Glenn Ten Cate, ING Belgium, and Riccardo Ten Cate, Xebia

''Abstract''

Education is the first step in the Secure Software Development Lifecycle. The free OWASP Security Knowledge Framework (SKF) is intended to be a tool that is used as a guide for building and verifying secure software. It can also be used to train developers about application security. This talk will help you as a developer to become THE Neo of your development team. We will show how you can do security by design and introduce other quality gates into your development pipeline to ensure high end quality and security of your project.

''Speaker Bios''

As a coder, hacker, speaker, trainer and security researcher employed at ING Belgium, '''Glenn Ten Cate''' has over 10 years experience in the field of security. One of the founders of defensive development [defdev] a security training and conference series dedicated to helping you build and maintain secure software and also speaking at multiple other security conferences in the world. His goals is to create an open-source software development life cycle with the tools and knowledge gathered over the years.

As a penetration tester from the Netherlands employed at Xebia, '''Riccardo Ten Cate''' specialises in web-application security and has extensive knowledge in securing web applications in multiple coding languages. He is also a specialist in setting up Secure Software Development Life Cycles.

=== Registration ===

Registration was via EventBrite: https://owasp-belgium-2018-03-19.eventbrite.com.

=== Coverage ===

== 20 February 2018 Meeting ==

=== Where ===

* Host: [https://distrinet.cs.kuleuven.be DistriNet Research Group (KU Leuven)] (Both speakers are faculty of the [https://www.secappdev.org/ Secure Application Development] course held in Leuven from 2018-02-19 to 2018-02-23.)

* Address ([http://googlemapsinterface.kuleuven.be/index.cgi?lang=N&nbol=(50.864186697481145,%204.678754210472107)&zoomlevel=17&plaatsnaam=Department+of+Computer+Science&maptype=roadmap map], [https://distrinet.cs.kuleuven.be/about/route/ directions]):
Department of Computer Science (foyer at ground floor)
Celestijnenlaan 200 A
3001 Heverlee

=== Agenda ===

*18h15 - 19h00: Welcome & sandwiches
*19h00 - 19h10: [https://www.owasp.org/images/7/7a/Owasp_Belgium_update_2018-02-20_v1.pdf OWASP Update] (by Sebastien Deleersnyder, OWASP)
*19h10 - 20h00: [[#2018-02-20 Talk 1|Developers are not the enemy -- Usable Security for Experts]] (by Prof. Matthew Smith, University of Bonn)
*20h00 - 20h10: Break
*20h10 - 21h00: [[#2018-02-20 Talk 2|The Code Behind The Vulnerability]] (by Barry Dorrans, Microsoft)

=== Program ===

==== Developers are not the enemy -- Usable Security for Experts ====

* Speaker: Prof. Matthew Smith, University of Bonn
* Presentation: https://schd.ws/hosted_files/secappdev2018/a9/Developer%20are%20not%20the%20enemy%20SecAppDev%20web.pdf

''Abstract''

Usability problems are a major cause of many of today's IT-security incidents. Security systems are often too complicated, time-consuming, and error prone. For more than a decade researchers in the domain of usable security (USEC) have attempted to combat these problems by conducting interdisciplinary research focusing on the root causes of the problems and on the creation of usable security mechanisms. While major improvements have been made, to date USEC research has focused almost entirely on the non-expert end-user. However, many of the most catastrophic security incidents were not caused by end-users, but by developers or administrators. Heartbleed and Shellshock were both caused by single developers yet had global consequences. The Sony hack in 2014 compromised an entire multi-national IT-infrastructure and misappropriated over 100 TB of data, unnoticed. Fundamentally, every software vulnerability and misconfigured system is caused by developers or administrators making mistakes, but very little research has been done into the underlying causalities and possible mitigation strategies. In this talk we will explore the transition from end-user to expert usable security research and look at several application areas, including TLS, passwords, malware analysis and vulnerability analysis.

''Speaker Bio''

Matthew Smith is a Professor for Usable Security and Privacy at the University of Bonn. His research is focused on human factors of security and privacy mechanisms with a wide range of application areas, including TLS and network security, authentication, mobile and app security and, most recently, usable security for developers and administrators. His work has been published at, among others, IEEE S&P, ACM CCS, USENIX Security, NDSS, ACM SIGCHI and SOUPS the Symposium on Usable Security and Privacy. In 2015 his ERC Starting Grant "Frontiers of Usable Security" was selected for funding.

==== The Code Behind The Vulnerability ====

* Speaker: Barry Dorrans, Microsoft
* Presentation: https://schd.ws/hosted_files/secappdev2018/75/The%20code%20behind%20the%20vulnerability.pdf

''Abstract''

Everyone makes security mistakes, and that includes Microsoft (seriously!). Many developers can spot and prevent vulnerabilities listed in the OWASP top 10. But that narrative changes when we look beyond the scope of the OWASP top 10. Compared to some more recent attacks, fixing XSS or SQL injection almost seems easy. In this session, we dive into a couple of .NET core cases that have been reported to the Microsoft Security Response Center (MSRC). Mind you; these vulnerabilities are not just framework vulnerabilities. Instead, they are coding patterns that you may have introduced in your applications. Examples are issues with hash tables, compression, encryption, regular expressions and more. In this session, you will learn how to spot these vulnerabilities in your code. On top of that, you will walk away with the skills to fix them.

''Speaker Bio''

Barry Dorrans is the .NET Security Czar, which means he tries to tell everyone else how to code securely and taking the credit when it goes right, as well as running the .NET Core Bug Bounty. He also ends up triaging publicly and privately reported vulnerabilities when it goes wrong before getting someone else to fix the mistakes. This he gets all the fun and none of the real work, aside from the endless stress wondering when the next vulnerability will be discovered.

=== Registration ===

Registration was via EventBrite: https://owasp-belgium-2018-02-20.eventbrite.com.

=== Coverage ===

n/a

Belgium Events 2018

2018-09-23T12:59:04Z

Thomas Herlea: /* 23 October 2018 Meeting */ Added info for the API Security Pitfalls talk.

<noinclude>
These are the 2018 events of the [[Belgium|OWASP Belgium Chapter]].

Previous year: [[Belgium Events 2017|2017]].
</noinclude>


== 23 October 2018 Meeting ==

=== Where ===

* Host: [https://securecodewarrior.com/ Secure Code Warrior]

* Address ([https://goo.gl/maps/e6Ej1v44tf32 map], [https://goo.gl/maps/UoW1EM3kbfy directions], 10 minutes walk from Brugge train station)
Baron Ruzettelaan 7
8000 Brugge

Parking is possible under the office, the entrance is at the back on Vestingstraat. Further instructions will follow.

=== Agenda ===

* 18h00 - 18h50: Welcome & pizzas
* 18h50 - 19h00:  OWASP Update (by Sebastien Deleersnyder, OWASP)
* 19h00 - 19h30: [[#2018-10-23 Talk 1|Effectively Distribute Software Security Knowledge]] (by Pieter De Cremer and Nathan Desmet, Secure Code Warrior)
* 19h30 - 19h45: Beers from Bruges break
* 19h45 - 20h25: [[#2018-10-23 Talk 2|Common API Security Pitfalls]] (by Philippe De Ryck, Pragmatic Web Security)
* 20h25 - 20h40: Thank you note (by Matias Madou, Secure Code Warrior)
* 20h40 - 22h00: Networking and more beers from Bruges

=== Program ===

==== Effectively Distribute Software Security Knowledge ====

* Speaker: [https://www.linkedin.com/in/pdcremer/ Pieter De Cremer] ([https://twitter.com/pdcremer @pdcremer]) and [https://www.linkedin.com/in/nathan-desmet-687345aa/ Nathan Desmet], Secure Code Warrior
* Presentation: not yet available 

''Abstract''

not yet available 

''Speaker Bios''

'''Pieter De Cremer''' is an R&D Engineer and Security Researcher at Secure Code Warrior, where he is responsible for researching a wide variety of application vulnerabilities and developing this into new content and coding challenges for the Secure Code Warrior platform. His passion lies in empowering developers to be the first line of defence in their organisation by making security
easy to understand.

Pieter graduated with a Masters in Computer Science Engineering from the University of Ghent and is currently completing his PhD in Secure Design Programming Aid for the Internet of Things through a personal grant from the Flemish government. When he is away from his desk, Pieter has also facilitated a number of secure coding workshops with Ghent University, Howest Bruges and Antwerp University, helping students improve their secure coding skills. His repertoire of coding languages includes C, C++, Java, Python, node and Haskell.

'''Nathan Desmet''' is the Lead Engineer at Secure Code Warrior, where he is responsible for developing Sensei, a real-time correction and coaching IDE plug-in for secure coding. His passion lies in building world-class software applications that makes an impact in the way developers build software with a focus on security.

Prior to Secure Code Warrior, Nathan has worked for NVISO where he created the Cyber Security Challenge platform, the biggest computer security competition in Belgium. Nathan also co-founded Sensei Security, and founded Applix, a software consultancy firm. His clients include SMEs in the technology and legal sector.

Nathan graduated with a degree in Computer Science from the University of Howest Bruges, majoring in Computer and Cybercrime Professional.

==== Common API Security Pitfalls ====

* Speaker: Philippe De Ryck , [https://pragmaticwebsecurity.com/ Pragmatic Web Security]
* Presentation: not yet available 

''Abstract''

The shift towards an API landscape indicates a significant evolution in the way we build applications. The rise of JavaScript and mobile applications have sparked an explosion of easily-accessible REST APIs. But how do you protect access to your API? Which security aspects are no longer relevant? Which security features are an absolutely must-have, and which additional security measures do you need to take into account?

These are hard questions, as evidenced by the deployment of numerous insecure APIs. Attend this session to find out about common API security pitfalls, that often result in compromised user accounts and unauthorized access to your data. We expose the problem that lies at the root of each of these pitfalls, and offer actionable advice to address these security problems. After this session, you will know how to assess the security of your APIs, and the best practices to improve them towards the future.

''Speaker Bio''

Philippe De Ryck is the founder of Pragmatic Web Security, where he travels the world to train developers on web security and security engineering. He holds a Ph.D. in web security from KU Leuven. Google recognizes Philippe as a Google Developer Expert for his knowledge of web security and security in Angular applications.

=== Registration ===

Registration via EventBrite: coming soon 

=== Coverage ===

== 17 September 2018 Meeting ==

=== Where ===

* Host: [https://ec.europa.eu European Commission]

* Address ([https://www.google.com/maps/place/Place+Madou+1,+1210+Saint-Josse-ten-Noode/ map], [https://www.google.com/maps/dir//Place+Madou+1,+1210+Saint-Josse-ten-Noode directions])
Place Madou, 1
1210 Saint-Josse-Ten-Noode

=== Agenda ===

* 18h00 - 18h50: Welcome & sandwiches
* 18h50 - 19h00: [https://www.owasp.org/images/9/9b/Owasp_Belgium_update_2018-09-17_v1.pptx OWASP Update] (by Sebastien Deleersnyder, OWASP)
* 19h00 - 19h10: Intro by the EC (by Miguel Soria Machado, Head of Sector CSIRC, DIGIT IT Security Directorate, European Commission)
* 19h10 - 20h00: [[#2018-09-17 Talk 1|Docker Threat Modeling and Top 10]] (by Dirk Wetter)
* 20h00 - 20h10: Break
* 20h10 - 21h00: [[#2018-09-17 Talk 2|Securing Containers on the High Seas]] (by Jack Mannino, nVisium)
* 21h00 - 21h30: Networking drink

=== Program ===

==== Docker Threat Modeling and Top 10 ====

* Speaker: [https://twitter.com/drwetter Dirk Wetter]
* Presentation: https://www.owasp.org/images/1/17/Dirk_Wetter_-_Docker_Security_Brussels.pdf

''Abstract''

Docker containers offer several advantages for developers. Most notably they fit perfectly in software development processes, they enable fast, reproducible deployments and when properly done, with little change the same container can run either in a test or production environment.

Despite threatening information out there Docker offers per se also several security advantages. However it is important to make use of them and as a minimum avoid several pitfalls. In a worst case scenario this can lead otherwise to less security or the security benefits which the containment
technology offers are not being used at all.

To avoid this a proper fundamental approach is needed.

Thus this talk models first the most important threats to containerized environments out there. Based on that the speaker will present 10 security bullet points which covers:

* important Do's and Dont's,
* for advanced needs how to tighten security further.

At the end the speaker gives advice how to check your Docker and Kubernetes security status yourself.

The talk is based on practical experiences at several costumers and on the speaker's solid network and systems security expertise.

''Speaker Bio''

Dirk Wetter (Ph.D.) is an independent security consultant with more than 20 years professional experience in information security with a broad technical and information security management background.

His primary focus nowadays is around web application security. He has also a solid background on network and systems security.

He's also founder and maintainer of the open source project testssl.sh which checks the encryption of every SSL/TLS enabled service.

==== Securing Containers on the High Seas ====

* Speaker: [https://twitter.com/jack_mannino Jack Mannino], nVisium
* Presentation: n/a

''Abstract''

It can be a difficult challenge for organizations to securely migrate to containers while shifting processes and security controls. Making the move from legacy virtualization and monolithic deployments to containers requires a solid strategy. Containers offer many inherent security benefits but it’s important to build controls in beyond the containers themselves. From development through container registries and deployment to a runtime environment, it’s important to enforce security and eliminate risks as they’re introduced.

This presentation will focus on scaling container security within an enterprise and building security controls into the way you build, ship, and run containerized services. We will discuss the modern container landscape including different container runtimes and isolation models. We will explore the container lifecycle from your developer’s laptop through your production environment and examine the key security problems to mitigate.

''Speaker Bios''

Jack Mannino is the CEO of nVisium. Passionate about security and impossible to keep away from a keyboard, his expertise spans over 15 years of building, breaking, and securing software. Jack founded nVisium in 2009, and since has helped the world's largest software teams enhance security across their software portfolios. He has spoken at conferences globally on topics such as secure design, mobile application security, and cloud-native security.

=== Registration ===

Two step registration:

# Registration was via EventBrite: https://owasp-belgium-2018-09-17.eventbrite.com.
# Pre-registration of participants' ID documents, necessary for passing security checkpoint at the entrance to the site was via: https://ec.europa.eu/eusurvey/runner/OWASPBelgiumChapterMeetingSept17. The deadline for this registration was ''Sunday, September 16th midnight''.

=== Coverage ===

== 19 March 2018 Meeting ==

=== Where ===

* Host: [https://www.ing.be ING Belgium]

* Address ([https://branches.ing.be/branch/1040_bxl-non-residents map])
Cours St Michel 60
1040 Brussel

=== Agenda ===

* 18h15 - 19h00: Welcome & sandwiches
* 19h00 - 19h10: OWASP Update (by Sebastien Deleersnyder, OWASP)
* 19h10 - 20h00: [[#2018-03-19 Talk 1|KRACKing WPA2 in Practice Using Key Reinstallation Attacks]] (by Mathy Vanhoef, imec-DistriNet-KU Leuven)
* 20h00 - 20h10: Break
* 20h10 - 21h00: [[#2018-03-19 Talk 2|Making the web secure by design]] (by Glenn Ten Cate, ING Belgium, and Riccardo Ten Cate, Xebia)
* 21h00 - 21h30: Networking drink

=== Program ===

==== KRACKing WPA2 in Practice Using Key Reinstallation Attacks ====

* Speaker: Mathy Vanhoef, imec-DistriNet-KU Leuven

''Abstract''

This talk presents the key reinstallation attack against WPA2 (KRACK attack). It abuses design or implementation flaws in cryptographic protocols to reinstall an already-in-use key. This resets the key’s associated parameters such as transmit nonces and receive replay counters. Several cryptographic Wi-Fi handshakes are affected by the attack.

All protected Wi-Fi networks use the 4-way handshake to generate a fresh session key. So far, this 14-year-old handshake has remained free from attacks. However, we show that the 4-way handshake is vulnerable to a key reinstallation attack. Here, the adversary tricks a victim into reinstalling an already-in-use key. This is achieved by manipulating and replaying handshake messages. When reinstalling the key, associated parameters such as the incremental transmit packet number (nonce) and receive packet number (replay counter) are reset to their initial value.

The talk also discusses the vulnerability disclosure process that was followed. Since the discovery affected numerous vendors, coordinating the disclosure was non-trivial.

''Speaker Bio''

Mathy Vanhoef is a postdoctoral researcher at KU Leuven. He did his PhD on the security of WPA-TKIP, TLS, and RC4. His research interest is in computer security with a focus on wireless security (e.g. Wi-Fi), network protocols in general, the RC4 stream cipher (where he discovered the RC NOMORE attack), and software security (discovering and exploiting vulnerabilities). Currently his main research is about automatically discovering vulnerabilities in network protocol implementations, and proving the correctness of protocol implementations.

==== Making the web secure by design ====

* Speaker: Glenn Ten Cate, ING Belgium, and Riccardo Ten Cate, Xebia

''Abstract''

Education is the first step in the Secure Software Development Lifecycle. The free OWASP Security Knowledge Framework (SKF) is intended to be a tool that is used as a guide for building and verifying secure software. It can also be used to train developers about application security. This talk will help you as a developer to become THE Neo of your development team. We will show how you can do security by design and introduce other quality gates into your development pipeline to ensure high end quality and security of your project.

''Speaker Bios''

As a coder, hacker, speaker, trainer and security researcher employed at ING Belgium, '''Glenn Ten Cate''' has over 10 years experience in the field of security. One of the founders of defensive development [defdev] a security training and conference series dedicated to helping you build and maintain secure software and also speaking at multiple other security conferences in the world. His goals is to create an open-source software development life cycle with the tools and knowledge gathered over the years.

As a penetration tester from the Netherlands employed at Xebia, '''Riccardo Ten Cate''' specialises in web-application security and has extensive knowledge in securing web applications in multiple coding languages. He is also a specialist in setting up Secure Software Development Life Cycles.

=== Registration ===

Registration was via EventBrite: https://owasp-belgium-2018-03-19.eventbrite.com.

=== Coverage ===

== 20 February 2018 Meeting ==

=== Where ===

* Host: [https://distrinet.cs.kuleuven.be DistriNet Research Group (KU Leuven)] (Both speakers are faculty of the [https://www.secappdev.org/ Secure Application Development] course held in Leuven from 2018-02-19 to 2018-02-23.)

* Address ([http://googlemapsinterface.kuleuven.be/index.cgi?lang=N&nbol=(50.864186697481145,%204.678754210472107)&zoomlevel=17&plaatsnaam=Department+of+Computer+Science&maptype=roadmap map], [https://distrinet.cs.kuleuven.be/about/route/ directions]):
Department of Computer Science (foyer at ground floor)
Celestijnenlaan 200 A
3001 Heverlee

=== Agenda ===

*18h15 - 19h00: Welcome & sandwiches
*19h00 - 19h10: [https://www.owasp.org/images/7/7a/Owasp_Belgium_update_2018-02-20_v1.pdf OWASP Update] (by Sebastien Deleersnyder, OWASP)
*19h10 - 20h00: [[#2018-02-20 Talk 1|Developers are not the enemy -- Usable Security for Experts]] (by Prof. Matthew Smith, University of Bonn)
*20h00 - 20h10: Break
*20h10 - 21h00: [[#2018-02-20 Talk 2|The Code Behind The Vulnerability]] (by Barry Dorrans, Microsoft)

=== Program ===

==== Developers are not the enemy -- Usable Security for Experts ====

* Speaker: Prof. Matthew Smith, University of Bonn
* Presentation: https://schd.ws/hosted_files/secappdev2018/a9/Developer%20are%20not%20the%20enemy%20SecAppDev%20web.pdf

''Abstract''

Usability problems are a major cause of many of today's IT-security incidents. Security systems are often too complicated, time-consuming, and error prone. For more than a decade researchers in the domain of usable security (USEC) have attempted to combat these problems by conducting interdisciplinary research focusing on the root causes of the problems and on the creation of usable security mechanisms. While major improvements have been made, to date USEC research has focused almost entirely on the non-expert end-user. However, many of the most catastrophic security incidents were not caused by end-users, but by developers or administrators. Heartbleed and Shellshock were both caused by single developers yet had global consequences. The Sony hack in 2014 compromised an entire multi-national IT-infrastructure and misappropriated over 100 TB of data, unnoticed. Fundamentally, every software vulnerability and misconfigured system is caused by developers or administrators making mistakes, but very little research has been done into the underlying causalities and possible mitigation strategies. In this talk we will explore the transition from end-user to expert usable security research and look at several application areas, including TLS, passwords, malware analysis and vulnerability analysis.

''Speaker Bio''

Matthew Smith is a Professor for Usable Security and Privacy at the University of Bonn. His research is focused on human factors of security and privacy mechanisms with a wide range of application areas, including TLS and network security, authentication, mobile and app security and, most recently, usable security for developers and administrators. His work has been published at, among others, IEEE S&P, ACM CCS, USENIX Security, NDSS, ACM SIGCHI and SOUPS the Symposium on Usable Security and Privacy. In 2015 his ERC Starting Grant "Frontiers of Usable Security" was selected for funding.

==== The Code Behind The Vulnerability ====

* Speaker: Barry Dorrans, Microsoft
* Presentation: https://schd.ws/hosted_files/secappdev2018/75/The%20code%20behind%20the%20vulnerability.pdf

''Abstract''

Everyone makes security mistakes, and that includes Microsoft (seriously!). Many developers can spot and prevent vulnerabilities listed in the OWASP top 10. But that narrative changes when we look beyond the scope of the OWASP top 10. Compared to some more recent attacks, fixing XSS or SQL injection almost seems easy. In this session, we dive into a couple of .NET core cases that have been reported to the Microsoft Security Response Center (MSRC). Mind you; these vulnerabilities are not just framework vulnerabilities. Instead, they are coding patterns that you may have introduced in your applications. Examples are issues with hash tables, compression, encryption, regular expressions and more. In this session, you will learn how to spot these vulnerabilities in your code. On top of that, you will walk away with the skills to fix them.

''Speaker Bio''

Barry Dorrans is the .NET Security Czar, which means he tries to tell everyone else how to code securely and taking the credit when it goes right, as well as running the .NET Core Bug Bounty. He also ends up triaging publicly and privately reported vulnerabilities when it goes wrong before getting someone else to fix the mistakes. This he gets all the fun and none of the real work, aside from the endless stress wondering when the next vulnerability will be discovered.

=== Registration ===

Registration was via EventBrite: https://owasp-belgium-2018-02-20.eventbrite.com.

=== Coverage ===

n/a

Belgium Events 2018

2018-09-23T12:52:14Z

Thomas Herlea: /* 23 October 2018 Meeting */ Added first part of the event's address and speaker bios.

<noinclude>
These are the 2018 events of the [[Belgium|OWASP Belgium Chapter]].

Previous year: [[Belgium Events 2017|2017]].
</noinclude>


== 23 October 2018 Meeting ==

=== Where ===

* Host: [https://securecodewarrior.com/ Secure Code Warrior]

* Address ([https://goo.gl/maps/e6Ej1v44tf32 map], [https://goo.gl/maps/UoW1EM3kbfy directions], 10 minutes walk from Brugge train station)
Baron Ruzettelaan 7
8000 Brugge

Parking is possible under the office, the entrance is at the back on Vestingstraat. Further instructions will follow.

=== Agenda ===

* 18h00 - 18h50: Welcome & pizzas
* 18h50 - 19h00:  OWASP Update (by Sebastien Deleersnyder, OWASP)
* 19h00 - 19h30: [[#2018-10-23 Talk 1|Effectively Distribute Software Security Knowledge]] (by Pieter De Cremer and Nathan Desmet, Secure Code Warrior)
* 19h30 - 19h45: Beers from Bruges break
* 19h45 - 20h25: [[#2018-10-23 Talk 2|Common API Security Pitfalls]] (by Philippe De Ryck, Pragmatic Web Security)
* 20h25 - 20h40: Thank you note (by Matias Madou, Secure Code Warrior)
* 20h40 - 22h00: Networking and more beers from Bruges

=== Program ===

==== Effectively Distribute Software Security Knowledge ====

* Speaker: [https://www.linkedin.com/in/pdcremer/ Pieter De Cremer] and [https://www.linkedin.com/in/nathan-desmet-687345aa/ Nathan Desmet], Secure Code Warrior
* Presentation: not yet available 

''Abstract''

not yet available 

''Speaker Bios''

'''Pieter De Cremer''' is an R&D Engineer and Security Researcher at Secure Code Warrior, where he is responsible for researching a wide variety of application vulnerabilities and developing this into new content and coding challenges for the Secure Code Warrior platform. His passion lies in empowering developers to be the first line of defence in their organisation by making security
easy to understand.

Pieter graduated with a Masters in Computer Science Engineering from the University of Ghent and is currently completing his PhD in Secure Design Programming Aid for the Internet of Things through a personal grant from the Flemish government. When he is away from his desk, Pieter has also facilitated a number of secure coding workshops with Ghent University, Howest Bruges and Antwerp University, helping students improve their secure coding skills. His repertoire of coding languages includes C, C++, Java, Python, node and Haskell.

'''Nathan Desmet''' is the Lead Engineer at Secure Code Warrior, where he is responsible for developing Sensei, a real-time correction and coaching IDE plug-in for secure coding. His passion lies in building world-class software applications that makes an impact in the way developers build software with a focus on security.

Prior to Secure Code Warrior, Nathan has worked for NVISO where he created the Cyber Security Challenge platform, the biggest computer security competition in Belgium. Nathan also co-founded Sensei Security, and founded Applix, a software consultancy firm. His clients include SMEs in the technology and legal sector.

Nathan graduated with a degree in Computer Science from the University of Howest Bruges, majoring in Computer and Cybercrime Professional.

==== Common API Security Pitfalls ====

* Speaker: Philippe De Ryck , [https://pragmaticwebsecurity.com/ Pragmatic Web Security]
* Presentation: not yet available 

''Abstract''

not yet available 

''Speaker Bios''

not yet available 

=== Registration ===

Registration via EventBrite: coming soon 

=== Coverage ===

== 17 September 2018 Meeting ==

=== Where ===

* Host: [https://ec.europa.eu European Commission]

* Address ([https://www.google.com/maps/place/Place+Madou+1,+1210+Saint-Josse-ten-Noode/ map], [https://www.google.com/maps/dir//Place+Madou+1,+1210+Saint-Josse-ten-Noode directions])
Place Madou, 1
1210 Saint-Josse-Ten-Noode

=== Agenda ===

* 18h00 - 18h50: Welcome & sandwiches
* 18h50 - 19h00: [https://www.owasp.org/images/9/9b/Owasp_Belgium_update_2018-09-17_v1.pptx OWASP Update] (by Sebastien Deleersnyder, OWASP)
* 19h00 - 19h10: Intro by the EC (by Miguel Soria Machado, Head of Sector CSIRC, DIGIT IT Security Directorate, European Commission)
* 19h10 - 20h00: [[#2018-09-17 Talk 1|Docker Threat Modeling and Top 10]] (by Dirk Wetter)
* 20h00 - 20h10: Break
* 20h10 - 21h00: [[#2018-09-17 Talk 2|Securing Containers on the High Seas]] (by Jack Mannino, nVisium)
* 21h00 - 21h30: Networking drink

=== Program ===

==== Docker Threat Modeling and Top 10 ====

* Speaker: [https://twitter.com/drwetter Dirk Wetter]
* Presentation: https://www.owasp.org/images/1/17/Dirk_Wetter_-_Docker_Security_Brussels.pdf

''Abstract''

Docker containers offer several advantages for developers. Most notably they fit perfectly in software development processes, they enable fast, reproducible deployments and when properly done, with little change the same container can run either in a test or production environment.

Despite threatening information out there Docker offers per se also several security advantages. However it is important to make use of them and as a minimum avoid several pitfalls. In a worst case scenario this can lead otherwise to less security or the security benefits which the containment
technology offers are not being used at all.

To avoid this a proper fundamental approach is needed.

Thus this talk models first the most important threats to containerized environments out there. Based on that the speaker will present 10 security bullet points which covers:

* important Do's and Dont's,
* for advanced needs how to tighten security further.

At the end the speaker gives advice how to check your Docker and Kubernetes security status yourself.

The talk is based on practical experiences at several costumers and on the speaker's solid network and systems security expertise.

''Speaker Bio''

Dirk Wetter (Ph.D.) is an independent security consultant with more than 20 years professional experience in information security with a broad technical and information security management background.

His primary focus nowadays is around web application security. He has also a solid background on network and systems security.

He's also founder and maintainer of the open source project testssl.sh which checks the encryption of every SSL/TLS enabled service.

==== Securing Containers on the High Seas ====

* Speaker: [https://twitter.com/jack_mannino Jack Mannino], nVisium
* Presentation: n/a

''Abstract''

It can be a difficult challenge for organizations to securely migrate to containers while shifting processes and security controls. Making the move from legacy virtualization and monolithic deployments to containers requires a solid strategy. Containers offer many inherent security benefits but it’s important to build controls in beyond the containers themselves. From development through container registries and deployment to a runtime environment, it’s important to enforce security and eliminate risks as they’re introduced.

This presentation will focus on scaling container security within an enterprise and building security controls into the way you build, ship, and run containerized services. We will discuss the modern container landscape including different container runtimes and isolation models. We will explore the container lifecycle from your developer’s laptop through your production environment and examine the key security problems to mitigate.

''Speaker Bios''

Jack Mannino is the CEO of nVisium. Passionate about security and impossible to keep away from a keyboard, his expertise spans over 15 years of building, breaking, and securing software. Jack founded nVisium in 2009, and since has helped the world's largest software teams enhance security across their software portfolios. He has spoken at conferences globally on topics such as secure design, mobile application security, and cloud-native security.

=== Registration ===

Two step registration:

# Registration was via EventBrite: https://owasp-belgium-2018-09-17.eventbrite.com.
# Pre-registration of participants' ID documents, necessary for passing security checkpoint at the entrance to the site was via: https://ec.europa.eu/eusurvey/runner/OWASPBelgiumChapterMeetingSept17. The deadline for this registration was ''Sunday, September 16th midnight''.

=== Coverage ===

== 19 March 2018 Meeting ==

=== Where ===

* Host: [https://www.ing.be ING Belgium]

* Address ([https://branches.ing.be/branch/1040_bxl-non-residents map])
Cours St Michel 60
1040 Brussel

=== Agenda ===

* 18h15 - 19h00: Welcome & sandwiches
* 19h00 - 19h10: OWASP Update (by Sebastien Deleersnyder, OWASP)
* 19h10 - 20h00: [[#2018-03-19 Talk 1|KRACKing WPA2 in Practice Using Key Reinstallation Attacks]] (by Mathy Vanhoef, imec-DistriNet-KU Leuven)
* 20h00 - 20h10: Break
* 20h10 - 21h00: [[#2018-03-19 Talk 2|Making the web secure by design]] (by Glenn Ten Cate, ING Belgium, and Riccardo Ten Cate, Xebia)
* 21h00 - 21h30: Networking drink

=== Program ===

==== KRACKing WPA2 in Practice Using Key Reinstallation Attacks ====

* Speaker: Mathy Vanhoef, imec-DistriNet-KU Leuven

''Abstract''

This talk presents the key reinstallation attack against WPA2 (KRACK attack). It abuses design or implementation flaws in cryptographic protocols to reinstall an already-in-use key. This resets the key’s associated parameters such as transmit nonces and receive replay counters. Several cryptographic Wi-Fi handshakes are affected by the attack.

All protected Wi-Fi networks use the 4-way handshake to generate a fresh session key. So far, this 14-year-old handshake has remained free from attacks. However, we show that the 4-way handshake is vulnerable to a key reinstallation attack. Here, the adversary tricks a victim into reinstalling an already-in-use key. This is achieved by manipulating and replaying handshake messages. When reinstalling the key, associated parameters such as the incremental transmit packet number (nonce) and receive packet number (replay counter) are reset to their initial value.

The talk also discusses the vulnerability disclosure process that was followed. Since the discovery affected numerous vendors, coordinating the disclosure was non-trivial.

''Speaker Bio''

Mathy Vanhoef is a postdoctoral researcher at KU Leuven. He did his PhD on the security of WPA-TKIP, TLS, and RC4. His research interest is in computer security with a focus on wireless security (e.g. Wi-Fi), network protocols in general, the RC4 stream cipher (where he discovered the RC NOMORE attack), and software security (discovering and exploiting vulnerabilities). Currently his main research is about automatically discovering vulnerabilities in network protocol implementations, and proving the correctness of protocol implementations.

==== Making the web secure by design ====

* Speaker: Glenn Ten Cate, ING Belgium, and Riccardo Ten Cate, Xebia

''Abstract''

Education is the first step in the Secure Software Development Lifecycle. The free OWASP Security Knowledge Framework (SKF) is intended to be a tool that is used as a guide for building and verifying secure software. It can also be used to train developers about application security. This talk will help you as a developer to become THE Neo of your development team. We will show how you can do security by design and introduce other quality gates into your development pipeline to ensure high end quality and security of your project.

''Speaker Bios''

As a coder, hacker, speaker, trainer and security researcher employed at ING Belgium, '''Glenn Ten Cate''' has over 10 years experience in the field of security. One of the founders of defensive development [defdev] a security training and conference series dedicated to helping you build and maintain secure software and also speaking at multiple other security conferences in the world. His goals is to create an open-source software development life cycle with the tools and knowledge gathered over the years.

As a penetration tester from the Netherlands employed at Xebia, '''Riccardo Ten Cate''' specialises in web-application security and has extensive knowledge in securing web applications in multiple coding languages. He is also a specialist in setting up Secure Software Development Life Cycles.

=== Registration ===

Registration was via EventBrite: https://owasp-belgium-2018-03-19.eventbrite.com.

=== Coverage ===

== 20 February 2018 Meeting ==

=== Where ===

* Host: [https://distrinet.cs.kuleuven.be DistriNet Research Group (KU Leuven)] (Both speakers are faculty of the [https://www.secappdev.org/ Secure Application Development] course held in Leuven from 2018-02-19 to 2018-02-23.)

* Address ([http://googlemapsinterface.kuleuven.be/index.cgi?lang=N&nbol=(50.864186697481145,%204.678754210472107)&zoomlevel=17&plaatsnaam=Department+of+Computer+Science&maptype=roadmap map], [https://distrinet.cs.kuleuven.be/about/route/ directions]):
Department of Computer Science (foyer at ground floor)
Celestijnenlaan 200 A
3001 Heverlee

=== Agenda ===

*18h15 - 19h00: Welcome & sandwiches
*19h00 - 19h10: [https://www.owasp.org/images/7/7a/Owasp_Belgium_update_2018-02-20_v1.pdf OWASP Update] (by Sebastien Deleersnyder, OWASP)
*19h10 - 20h00: [[#2018-02-20 Talk 1|Developers are not the enemy -- Usable Security for Experts]] (by Prof. Matthew Smith, University of Bonn)
*20h00 - 20h10: Break
*20h10 - 21h00: [[#2018-02-20 Talk 2|The Code Behind The Vulnerability]] (by Barry Dorrans, Microsoft)

=== Program ===

==== Developers are not the enemy -- Usable Security for Experts ====

* Speaker: Prof. Matthew Smith, University of Bonn
* Presentation: https://schd.ws/hosted_files/secappdev2018/a9/Developer%20are%20not%20the%20enemy%20SecAppDev%20web.pdf

''Abstract''

Usability problems are a major cause of many of today's IT-security incidents. Security systems are often too complicated, time-consuming, and error prone. For more than a decade researchers in the domain of usable security (USEC) have attempted to combat these problems by conducting interdisciplinary research focusing on the root causes of the problems and on the creation of usable security mechanisms. While major improvements have been made, to date USEC research has focused almost entirely on the non-expert end-user. However, many of the most catastrophic security incidents were not caused by end-users, but by developers or administrators. Heartbleed and Shellshock were both caused by single developers yet had global consequences. The Sony hack in 2014 compromised an entire multi-national IT-infrastructure and misappropriated over 100 TB of data, unnoticed. Fundamentally, every software vulnerability and misconfigured system is caused by developers or administrators making mistakes, but very little research has been done into the underlying causalities and possible mitigation strategies. In this talk we will explore the transition from end-user to expert usable security research and look at several application areas, including TLS, passwords, malware analysis and vulnerability analysis.

''Speaker Bio''

Matthew Smith is a Professor for Usable Security and Privacy at the University of Bonn. His research is focused on human factors of security and privacy mechanisms with a wide range of application areas, including TLS and network security, authentication, mobile and app security and, most recently, usable security for developers and administrators. His work has been published at, among others, IEEE S&P, ACM CCS, USENIX Security, NDSS, ACM SIGCHI and SOUPS the Symposium on Usable Security and Privacy. In 2015 his ERC Starting Grant "Frontiers of Usable Security" was selected for funding.

==== The Code Behind The Vulnerability ====

* Speaker: Barry Dorrans, Microsoft
* Presentation: https://schd.ws/hosted_files/secappdev2018/75/The%20code%20behind%20the%20vulnerability.pdf

''Abstract''

Everyone makes security mistakes, and that includes Microsoft (seriously!). Many developers can spot and prevent vulnerabilities listed in the OWASP top 10. But that narrative changes when we look beyond the scope of the OWASP top 10. Compared to some more recent attacks, fixing XSS or SQL injection almost seems easy. In this session, we dive into a couple of .NET core cases that have been reported to the Microsoft Security Response Center (MSRC). Mind you; these vulnerabilities are not just framework vulnerabilities. Instead, they are coding patterns that you may have introduced in your applications. Examples are issues with hash tables, compression, encryption, regular expressions and more. In this session, you will learn how to spot these vulnerabilities in your code. On top of that, you will walk away with the skills to fix them.

''Speaker Bio''

Barry Dorrans is the .NET Security Czar, which means he tries to tell everyone else how to code securely and taking the credit when it goes right, as well as running the .NET Core Bug Bounty. He also ends up triaging publicly and privately reported vulnerabilities when it goes wrong before getting someone else to fix the mistakes. This he gets all the fun and none of the real work, aside from the endless stress wondering when the next vulnerability will be discovered.

=== Registration ===

Registration was via EventBrite: https://owasp-belgium-2018-02-20.eventbrite.com.

=== Coverage ===

n/a

Belgium

2018-09-20T10:40:06Z

Thomas Herlea: Replaced in ' Upcoming Meetings' the most recently held meeting with the next one from the calendar.

{{Chapter Template|chaptername=Belgium|extra=The chapter leader is [mailto:seba@owasp.org Sebastien Deleersnyder]|mailinglistsite=http://lists.owasp.org/mailman/listinfo/owasp-belgium|emailarchives=http://lists.owasp.org/pipermail/owasp-belgium}}

= Local News =

== Upcoming Chapter Meetings ==

* [[Belgium_Events_2018#23_October_2018_Meeting|23 October 2018 Meeting in Bruges]]

See https://www.owasp.org/index.php/Belgium#Chapter_Meetings for more details and older meetings.

== Stay in Touch ==

<center>
{| cellspacing="15"
|-
| [[Image:Meetup-logo-2x.png|120px|link=http://www.meetup.com/Belgium-OWASP-Open-Web-Application-Security-Project/]]
| [[Image:Join the list.png|150px|link=http://lists.owasp.org/mailman/listinfo/owasp-belgium]]
| [[Image:Follow-us-on-twitter.png|175px|link=https://twitter.com/owasp_be]]
| [[Image:Linkedin-button.gif|135px|link=https://www.linkedin.com/groups/37865]]
|}
</center>
If you want to be invited for the next OWASP Belgium Chapter meetings, please [http://eepurl.com/iFZtb drop us your contact info].

== Structural Sponsors 2018 ==

OWASP Belgium thanks its structural chapter supporters for 2018 and the OWASP BeNeLux Days 2017:

[http://www.vest.nl https://www.owasp.org/images/6/67/Vest.jpg]
[https://secwatch.nl https://www.owasp.org/images/f/ff/Secwatch_logo_small.png]
[[File:Avi Logo Transparent Background 300pix.png|200px|link=https://avinetworks.com/]]
[[File:LogoToreon.jpg|250px|link=https://www.toreon.com]]
[[File:Nviso_logo_RGB_baseline_200px.png|link=http://www.nviso.be]]

If you want to support our chapter, please contact [mailto:seba@owasp.org Seba Deleersnyder]

= Chapter Meetings =

{{:Belgium_Events_2018}}

== Previous Years ==

Events held in
[[Belgium Events 2017|2017]],
[[Belgium Events 2016|2016]],
[[Belgium Events 2015|2015]],
[[Belgium Events 2014|2014]],
[[Belgium Events 2013|2013]],
[[Belgium Events 2012|2012]],
[[Belgium Events 2011|2011]],
[[Belgium Events 2010|2010]],
[[Belgium Events 2009|2009]],
[[Belgium Events 2008|2008]],
[[Belgium Events 2007|2007]],
[[Belgium Events 2006|2006]],
[[Belgium Events 2005|2005]].

= Belgium OWASP Chapter Leaders =

The Belgium Chapter is supported by the following board:

*Sebastien Deleersnyder, Toreon
*Erwin Geirnaert, Zion Security
*Lieven Desmet, KU Leuven
*Bart De Win, PWC
*David Mathy, Freelance
*Adolfo Solero, Freelance
*Stella Dineva, Ingenico Payment Services
*Thomas Herlea, NVISO

Our goal is to professionalize the local OWASP functioning, provide in a bigger footprint to detect OWASP opportunities such as speakers/topics/sponsors/… and set a 5 year target on: Target audiences, Different events and Interactions of OWASP global – local projects.
__NOTOC__ <headertabs></headertabs>
[[Category:Europe]]

Belgium Events 2018

2018-09-20T10:31:59Z

Thomas Herlea: Reverted section title of 2018-10-23 event to the format for date used in the older sections.

<noinclude>
These are the 2018 events of the [[Belgium|OWASP Belgium Chapter]].

Previous year: [[Belgium Events 2017|2017]].
</noinclude>


== 23 October 2018 Meeting ==

=== Where ===

not yet available


=== Agenda ===

* 18h00 - 18h50: Welcome & pizzas
* 18h50 - 19h00:  OWASP Update (by Sebastien Deleersnyder, OWASP)
* 19h00 - 19h30: [[#2018-10-23 Talk 1|Effectively Distribute Software Security Knowledge]] (by Pieter De Cremer and Nathan Desmet)
* 19h30 - 19h45: Beers from Bruges break
* 19h45 - 20h25: [[#2018-10-23 Talk 2|Common API Security Pitfalls]] (by Philippe De Ryck)
* 20h25 - 20h40: Thank you note (by Matias Madou, Secure Code Warrior)
* 20h40 - 22h00: Networking and more beers from Bruges

=== Program ===

==== Effectively Distribute Software Security Knowledge ====

* Speaker: Pieter De Cremer and Nathan Desmet 
* Presentation: not yet available 

''Abstract''

not yet available 

''Speaker Bio''

not yet available 

==== Common API Security Pitfalls ====

* Speaker: Philippe De Ryck 
* Presentation: not yet available 

''Abstract''

not yet available 

''Speaker Bios''

not yet available 

=== Registration ===

Registration via EventBrite: coming soon 

=== Coverage ===

== 17 September 2018 Meeting ==

=== Where ===

* Host: [https://ec.europa.eu European Commission]

* Address ([https://www.google.com/maps/place/Place+Madou+1,+1210+Saint-Josse-ten-Noode/ map], [https://www.google.com/maps/dir//Place+Madou+1,+1210+Saint-Josse-ten-Noode directions])
Place Madou, 1
1210 Saint-Josse-Ten-Noode

=== Agenda ===

* 18h00 - 18h50: Welcome & sandwiches
* 18h50 - 19h00: [https://www.owasp.org/images/9/9b/Owasp_Belgium_update_2018-09-17_v1.pptx OWASP Update] (by Sebastien Deleersnyder, OWASP)
* 19h00 - 19h10: Intro by the EC (by Miguel Soria Machado, Head of Sector CSIRC, DIGIT IT Security Directorate, European Commission)
* 19h10 - 20h00: [[#2018-09-17 Talk 1|Docker Threat Modeling and Top 10]] (by Dirk Wetter)
* 20h00 - 20h10: Break
* 20h10 - 21h00: [[#2018-09-17 Talk 2|Securing Containers on the High Seas]] (by Jack Mannino, nVisium)
* 21h00 - 21h30: Networking drink

=== Program ===

==== Docker Threat Modeling and Top 10 ====

* Speaker: [https://twitter.com/drwetter Dirk Wetter]
* Presentation: https://www.owasp.org/images/1/17/Dirk_Wetter_-_Docker_Security_Brussels.pdf

''Abstract''

Docker containers offer several advantages for developers. Most notably they fit perfectly in software development processes, they enable fast, reproducible deployments and when properly done, with little change the same container can run either in a test or production environment.

Despite threatening information out there Docker offers per se also several security advantages. However it is important to make use of them and as a minimum avoid several pitfalls. In a worst case scenario this can lead otherwise to less security or the security benefits which the containment
technology offers are not being used at all.

To avoid this a proper fundamental approach is needed.

Thus this talk models first the most important threats to containerized environments out there. Based on that the speaker will present 10 security bullet points which covers:

* important Do's and Dont's,
* for advanced needs how to tighten security further.

At the end the speaker gives advice how to check your Docker and Kubernetes security status yourself.

The talk is based on practical experiences at several costumers and on the speaker's solid network and systems security expertise.

''Speaker Bio''

Dirk Wetter (Ph.D.) is an independent security consultant with more than 20 years professional experience in information security with a broad technical and information security management background.

His primary focus nowadays is around web application security. He has also a solid background on network and systems security.

He's also founder and maintainer of the open source project testssl.sh which checks the encryption of every SSL/TLS enabled service.

==== Securing Containers on the High Seas ====

* Speaker: [https://twitter.com/jack_mannino Jack Mannino], nVisium
* Presentation: n/a

''Abstract''

It can be a difficult challenge for organizations to securely migrate to containers while shifting processes and security controls. Making the move from legacy virtualization and monolithic deployments to containers requires a solid strategy. Containers offer many inherent security benefits but it’s important to build controls in beyond the containers themselves. From development through container registries and deployment to a runtime environment, it’s important to enforce security and eliminate risks as they’re introduced.

This presentation will focus on scaling container security within an enterprise and building security controls into the way you build, ship, and run containerized services. We will discuss the modern container landscape including different container runtimes and isolation models. We will explore the container lifecycle from your developer’s laptop through your production environment and examine the key security problems to mitigate.

''Speaker Bios''

Jack Mannino is the CEO of nVisium. Passionate about security and impossible to keep away from a keyboard, his expertise spans over 15 years of building, breaking, and securing software. Jack founded nVisium in 2009, and since has helped the world's largest software teams enhance security across their software portfolios. He has spoken at conferences globally on topics such as secure design, mobile application security, and cloud-native security.

=== Registration ===

Two step registration:

# Registration was via EventBrite: https://owasp-belgium-2018-09-17.eventbrite.com.
# Pre-registration of participants' ID documents, necessary for passing security checkpoint at the entrance to the site was via: https://ec.europa.eu/eusurvey/runner/OWASPBelgiumChapterMeetingSept17. The deadline for this registration was ''Sunday, September 16th midnight''.

=== Coverage ===

== 19 March 2018 Meeting ==

=== Where ===

* Host: [https://www.ing.be ING Belgium]

* Address ([https://branches.ing.be/branch/1040_bxl-non-residents map])
Cours St Michel 60
1040 Brussel

=== Agenda ===

* 18h15 - 19h00: Welcome & sandwiches
* 19h00 - 19h10: OWASP Update (by Sebastien Deleersnyder, OWASP)
* 19h10 - 20h00: [[#2018-03-19 Talk 1|KRACKing WPA2 in Practice Using Key Reinstallation Attacks]] (by Mathy Vanhoef, imec-DistriNet-KU Leuven)
* 20h00 - 20h10: Break
* 20h10 - 21h00: [[#2018-03-19 Talk 2|Making the web secure by design]] (by Glenn Ten Cate, ING Belgium, and Riccardo Ten Cate, Xebia)
* 21h00 - 21h30: Networking drink

=== Program ===

==== KRACKing WPA2 in Practice Using Key Reinstallation Attacks ====

* Speaker: Mathy Vanhoef, imec-DistriNet-KU Leuven

''Abstract''

This talk presents the key reinstallation attack against WPA2 (KRACK attack). It abuses design or implementation flaws in cryptographic protocols to reinstall an already-in-use key. This resets the key’s associated parameters such as transmit nonces and receive replay counters. Several cryptographic Wi-Fi handshakes are affected by the attack.

All protected Wi-Fi networks use the 4-way handshake to generate a fresh session key. So far, this 14-year-old handshake has remained free from attacks. However, we show that the 4-way handshake is vulnerable to a key reinstallation attack. Here, the adversary tricks a victim into reinstalling an already-in-use key. This is achieved by manipulating and replaying handshake messages. When reinstalling the key, associated parameters such as the incremental transmit packet number (nonce) and receive packet number (replay counter) are reset to their initial value.

The talk also discusses the vulnerability disclosure process that was followed. Since the discovery affected numerous vendors, coordinating the disclosure was non-trivial.

''Speaker Bio''

Mathy Vanhoef is a postdoctoral researcher at KU Leuven. He did his PhD on the security of WPA-TKIP, TLS, and RC4. His research interest is in computer security with a focus on wireless security (e.g. Wi-Fi), network protocols in general, the RC4 stream cipher (where he discovered the RC NOMORE attack), and software security (discovering and exploiting vulnerabilities). Currently his main research is about automatically discovering vulnerabilities in network protocol implementations, and proving the correctness of protocol implementations.

==== Making the web secure by design ====

* Speaker: Glenn Ten Cate, ING Belgium, and Riccardo Ten Cate, Xebia

''Abstract''

Education is the first step in the Secure Software Development Lifecycle. The free OWASP Security Knowledge Framework (SKF) is intended to be a tool that is used as a guide for building and verifying secure software. It can also be used to train developers about application security. This talk will help you as a developer to become THE Neo of your development team. We will show how you can do security by design and introduce other quality gates into your development pipeline to ensure high end quality and security of your project.

''Speaker Bios''

As a coder, hacker, speaker, trainer and security researcher employed at ING Belgium, '''Glenn Ten Cate''' has over 10 years experience in the field of security. One of the founders of defensive development [defdev] a security training and conference series dedicated to helping you build and maintain secure software and also speaking at multiple other security conferences in the world. His goals is to create an open-source software development life cycle with the tools and knowledge gathered over the years.

As a penetration tester from the Netherlands employed at Xebia, '''Riccardo Ten Cate''' specialises in web-application security and has extensive knowledge in securing web applications in multiple coding languages. He is also a specialist in setting up Secure Software Development Life Cycles.

=== Registration ===

Registration was via EventBrite: https://owasp-belgium-2018-03-19.eventbrite.com.

=== Coverage ===

== 20 February 2018 Meeting ==

=== Where ===

* Host: [https://distrinet.cs.kuleuven.be DistriNet Research Group (KU Leuven)] (Both speakers are faculty of the [https://www.secappdev.org/ Secure Application Development] course held in Leuven from 2018-02-19 to 2018-02-23.)

* Address ([http://googlemapsinterface.kuleuven.be/index.cgi?lang=N&nbol=(50.864186697481145,%204.678754210472107)&zoomlevel=17&plaatsnaam=Department+of+Computer+Science&maptype=roadmap map], [https://distrinet.cs.kuleuven.be/about/route/ directions]):
Department of Computer Science (foyer at ground floor)
Celestijnenlaan 200 A
3001 Heverlee

=== Agenda ===

*18h15 - 19h00: Welcome & sandwiches
*19h00 - 19h10: [https://www.owasp.org/images/7/7a/Owasp_Belgium_update_2018-02-20_v1.pdf OWASP Update] (by Sebastien Deleersnyder, OWASP)
*19h10 - 20h00: [[#2018-02-20 Talk 1|Developers are not the enemy -- Usable Security for Experts]] (by Prof. Matthew Smith, University of Bonn)
*20h00 - 20h10: Break
*20h10 - 21h00: [[#2018-02-20 Talk 2|The Code Behind The Vulnerability]] (by Barry Dorrans, Microsoft)

=== Program ===

==== Developers are not the enemy -- Usable Security for Experts ====

* Speaker: Prof. Matthew Smith, University of Bonn
* Presentation: https://schd.ws/hosted_files/secappdev2018/a9/Developer%20are%20not%20the%20enemy%20SecAppDev%20web.pdf

''Abstract''

Usability problems are a major cause of many of today's IT-security incidents. Security systems are often too complicated, time-consuming, and error prone. For more than a decade researchers in the domain of usable security (USEC) have attempted to combat these problems by conducting interdisciplinary research focusing on the root causes of the problems and on the creation of usable security mechanisms. While major improvements have been made, to date USEC research has focused almost entirely on the non-expert end-user. However, many of the most catastrophic security incidents were not caused by end-users, but by developers or administrators. Heartbleed and Shellshock were both caused by single developers yet had global consequences. The Sony hack in 2014 compromised an entire multi-national IT-infrastructure and misappropriated over 100 TB of data, unnoticed. Fundamentally, every software vulnerability and misconfigured system is caused by developers or administrators making mistakes, but very little research has been done into the underlying causalities and possible mitigation strategies. In this talk we will explore the transition from end-user to expert usable security research and look at several application areas, including TLS, passwords, malware analysis and vulnerability analysis.

''Speaker Bio''

Matthew Smith is a Professor for Usable Security and Privacy at the University of Bonn. His research is focused on human factors of security and privacy mechanisms with a wide range of application areas, including TLS and network security, authentication, mobile and app security and, most recently, usable security for developers and administrators. His work has been published at, among others, IEEE S&P, ACM CCS, USENIX Security, NDSS, ACM SIGCHI and SOUPS the Symposium on Usable Security and Privacy. In 2015 his ERC Starting Grant "Frontiers of Usable Security" was selected for funding.

==== The Code Behind The Vulnerability ====

* Speaker: Barry Dorrans, Microsoft
* Presentation: https://schd.ws/hosted_files/secappdev2018/75/The%20code%20behind%20the%20vulnerability.pdf

''Abstract''

Everyone makes security mistakes, and that includes Microsoft (seriously!). Many developers can spot and prevent vulnerabilities listed in the OWASP top 10. But that narrative changes when we look beyond the scope of the OWASP top 10. Compared to some more recent attacks, fixing XSS or SQL injection almost seems easy. In this session, we dive into a couple of .NET core cases that have been reported to the Microsoft Security Response Center (MSRC). Mind you; these vulnerabilities are not just framework vulnerabilities. Instead, they are coding patterns that you may have introduced in your applications. Examples are issues with hash tables, compression, encryption, regular expressions and more. In this session, you will learn how to spot these vulnerabilities in your code. On top of that, you will walk away with the skills to fix them.

''Speaker Bio''

Barry Dorrans is the .NET Security Czar, which means he tries to tell everyone else how to code securely and taking the credit when it goes right, as well as running the .NET Core Bug Bounty. He also ends up triaging publicly and privately reported vulnerabilities when it goes wrong before getting someone else to fix the mistakes. This he gets all the fun and none of the real work, aside from the endless stress wondering when the next vulnerability will be discovered.

=== Registration ===

Registration was via EventBrite: https://owasp-belgium-2018-02-20.eventbrite.com.

=== Coverage ===

n/a

Belgium Events 2018

2018-09-20T10:30:29Z

Thomas Herlea: Added section for the 2018-10-23 meeting and filled in the available information.

<noinclude>
These are the 2018 events of the [[Belgium|OWASP Belgium Chapter]].

Previous year: [[Belgium Events 2017|2017]].
</noinclude>


== 2018-10-23 Meeting ==

=== Where ===

not yet available


=== Agenda ===

* 18h00 - 18h50: Welcome & pizzas
* 18h50 - 19h00:  OWASP Update (by Sebastien Deleersnyder, OWASP)
* 19h00 - 19h30: [[#2018-10-23 Talk 1|Effectively Distribute Software Security Knowledge]] (by Pieter De Cremer and Nathan Desmet)
* 19h30 - 19h45: Beers from Bruges break
* 19h45 - 20h25: [[#2018-10-23 Talk 2|Common API Security Pitfalls]] (by Philippe De Ryck)
* 20h25 - 20h40: Thank you note (by Matias Madou, Secure Code Warrior)
* 20h40 - 22h00: Networking and more beers from Bruges

=== Program ===

==== Effectively Distribute Software Security Knowledge ====

* Speaker: Pieter De Cremer and Nathan Desmet 
* Presentation: not yet available 

''Abstract''

not yet available 

''Speaker Bio''

not yet available 

==== Common API Security Pitfalls ====

* Speaker: Philippe De Ryck 
* Presentation: not yet available 

''Abstract''

not yet available 

''Speaker Bios''

not yet available 

=== Registration ===

Registration via EventBrite: coming soon 

=== Coverage ===

== 17 September 2018 Meeting ==

=== Where ===

* Host: [https://ec.europa.eu European Commission]

* Address ([https://www.google.com/maps/place/Place+Madou+1,+1210+Saint-Josse-ten-Noode/ map], [https://www.google.com/maps/dir//Place+Madou+1,+1210+Saint-Josse-ten-Noode directions])
Place Madou, 1
1210 Saint-Josse-Ten-Noode

=== Agenda ===

* 18h00 - 18h50: Welcome & sandwiches
* 18h50 - 19h00: [https://www.owasp.org/images/9/9b/Owasp_Belgium_update_2018-09-17_v1.pptx OWASP Update] (by Sebastien Deleersnyder, OWASP)
* 19h00 - 19h10: Intro by the EC (by Miguel Soria Machado, Head of Sector CSIRC, DIGIT IT Security Directorate, European Commission)
* 19h10 - 20h00: [[#2018-09-17 Talk 1|Docker Threat Modeling and Top 10]] (by Dirk Wetter)
* 20h00 - 20h10: Break
* 20h10 - 21h00: [[#2018-09-17 Talk 2|Securing Containers on the High Seas]] (by Jack Mannino, nVisium)
* 21h00 - 21h30: Networking drink

=== Program ===

==== Docker Threat Modeling and Top 10 ====

* Speaker: [https://twitter.com/drwetter Dirk Wetter]
* Presentation: https://www.owasp.org/images/1/17/Dirk_Wetter_-_Docker_Security_Brussels.pdf

''Abstract''

Docker containers offer several advantages for developers. Most notably they fit perfectly in software development processes, they enable fast, reproducible deployments and when properly done, with little change the same container can run either in a test or production environment.

Despite threatening information out there Docker offers per se also several security advantages. However it is important to make use of them and as a minimum avoid several pitfalls. In a worst case scenario this can lead otherwise to less security or the security benefits which the containment
technology offers are not being used at all.

To avoid this a proper fundamental approach is needed.

Thus this talk models first the most important threats to containerized environments out there. Based on that the speaker will present 10 security bullet points which covers:

* important Do's and Dont's,
* for advanced needs how to tighten security further.

At the end the speaker gives advice how to check your Docker and Kubernetes security status yourself.

The talk is based on practical experiences at several costumers and on the speaker's solid network and systems security expertise.

''Speaker Bio''

Dirk Wetter (Ph.D.) is an independent security consultant with more than 20 years professional experience in information security with a broad technical and information security management background.

His primary focus nowadays is around web application security. He has also a solid background on network and systems security.

He's also founder and maintainer of the open source project testssl.sh which checks the encryption of every SSL/TLS enabled service.

==== Securing Containers on the High Seas ====

* Speaker: [https://twitter.com/jack_mannino Jack Mannino], nVisium
* Presentation: n/a

''Abstract''

It can be a difficult challenge for organizations to securely migrate to containers while shifting processes and security controls. Making the move from legacy virtualization and monolithic deployments to containers requires a solid strategy. Containers offer many inherent security benefits but it’s important to build controls in beyond the containers themselves. From development through container registries and deployment to a runtime environment, it’s important to enforce security and eliminate risks as they’re introduced.

This presentation will focus on scaling container security within an enterprise and building security controls into the way you build, ship, and run containerized services. We will discuss the modern container landscape including different container runtimes and isolation models. We will explore the container lifecycle from your developer’s laptop through your production environment and examine the key security problems to mitigate.

''Speaker Bios''

Jack Mannino is the CEO of nVisium. Passionate about security and impossible to keep away from a keyboard, his expertise spans over 15 years of building, breaking, and securing software. Jack founded nVisium in 2009, and since has helped the world's largest software teams enhance security across their software portfolios. He has spoken at conferences globally on topics such as secure design, mobile application security, and cloud-native security.

=== Registration ===

Two step registration:

# Registration was via EventBrite: https://owasp-belgium-2018-09-17.eventbrite.com.
# Pre-registration of participants' ID documents, necessary for passing security checkpoint at the entrance to the site was via: https://ec.europa.eu/eusurvey/runner/OWASPBelgiumChapterMeetingSept17. The deadline for this registration was ''Sunday, September 16th midnight''.

=== Coverage ===

== 19 March 2018 Meeting ==

=== Where ===

* Host: [https://www.ing.be ING Belgium]

* Address ([https://branches.ing.be/branch/1040_bxl-non-residents map])
Cours St Michel 60
1040 Brussel

=== Agenda ===

* 18h15 - 19h00: Welcome & sandwiches
* 19h00 - 19h10: OWASP Update (by Sebastien Deleersnyder, OWASP)
* 19h10 - 20h00: [[#2018-03-19 Talk 1|KRACKing WPA2 in Practice Using Key Reinstallation Attacks]] (by Mathy Vanhoef, imec-DistriNet-KU Leuven)
* 20h00 - 20h10: Break
* 20h10 - 21h00: [[#2018-03-19 Talk 2|Making the web secure by design]] (by Glenn Ten Cate, ING Belgium, and Riccardo Ten Cate, Xebia)
* 21h00 - 21h30: Networking drink

=== Program ===

==== KRACKing WPA2 in Practice Using Key Reinstallation Attacks ====

* Speaker: Mathy Vanhoef, imec-DistriNet-KU Leuven

''Abstract''

This talk presents the key reinstallation attack against WPA2 (KRACK attack). It abuses design or implementation flaws in cryptographic protocols to reinstall an already-in-use key. This resets the key’s associated parameters such as transmit nonces and receive replay counters. Several cryptographic Wi-Fi handshakes are affected by the attack.

All protected Wi-Fi networks use the 4-way handshake to generate a fresh session key. So far, this 14-year-old handshake has remained free from attacks. However, we show that the 4-way handshake is vulnerable to a key reinstallation attack. Here, the adversary tricks a victim into reinstalling an already-in-use key. This is achieved by manipulating and replaying handshake messages. When reinstalling the key, associated parameters such as the incremental transmit packet number (nonce) and receive packet number (replay counter) are reset to their initial value.

The talk also discusses the vulnerability disclosure process that was followed. Since the discovery affected numerous vendors, coordinating the disclosure was non-trivial.

''Speaker Bio''

Mathy Vanhoef is a postdoctoral researcher at KU Leuven. He did his PhD on the security of WPA-TKIP, TLS, and RC4. His research interest is in computer security with a focus on wireless security (e.g. Wi-Fi), network protocols in general, the RC4 stream cipher (where he discovered the RC NOMORE attack), and software security (discovering and exploiting vulnerabilities). Currently his main research is about automatically discovering vulnerabilities in network protocol implementations, and proving the correctness of protocol implementations.

==== Making the web secure by design ====

* Speaker: Glenn Ten Cate, ING Belgium, and Riccardo Ten Cate, Xebia

''Abstract''

Education is the first step in the Secure Software Development Lifecycle. The free OWASP Security Knowledge Framework (SKF) is intended to be a tool that is used as a guide for building and verifying secure software. It can also be used to train developers about application security. This talk will help you as a developer to become THE Neo of your development team. We will show how you can do security by design and introduce other quality gates into your development pipeline to ensure high end quality and security of your project.

''Speaker Bios''

As a coder, hacker, speaker, trainer and security researcher employed at ING Belgium, '''Glenn Ten Cate''' has over 10 years experience in the field of security. One of the founders of defensive development [defdev] a security training and conference series dedicated to helping you build and maintain secure software and also speaking at multiple other security conferences in the world. His goals is to create an open-source software development life cycle with the tools and knowledge gathered over the years.

As a penetration tester from the Netherlands employed at Xebia, '''Riccardo Ten Cate''' specialises in web-application security and has extensive knowledge in securing web applications in multiple coding languages. He is also a specialist in setting up Secure Software Development Life Cycles.

=== Registration ===

Registration was via EventBrite: https://owasp-belgium-2018-03-19.eventbrite.com.

=== Coverage ===

== 20 February 2018 Meeting ==

=== Where ===

* Host: [https://distrinet.cs.kuleuven.be DistriNet Research Group (KU Leuven)] (Both speakers are faculty of the [https://www.secappdev.org/ Secure Application Development] course held in Leuven from 2018-02-19 to 2018-02-23.)

* Address ([http://googlemapsinterface.kuleuven.be/index.cgi?lang=N&nbol=(50.864186697481145,%204.678754210472107)&zoomlevel=17&plaatsnaam=Department+of+Computer+Science&maptype=roadmap map], [https://distrinet.cs.kuleuven.be/about/route/ directions]):
Department of Computer Science (foyer at ground floor)
Celestijnenlaan 200 A
3001 Heverlee

=== Agenda ===

*18h15 - 19h00: Welcome & sandwiches
*19h00 - 19h10: [https://www.owasp.org/images/7/7a/Owasp_Belgium_update_2018-02-20_v1.pdf OWASP Update] (by Sebastien Deleersnyder, OWASP)
*19h10 - 20h00: [[#2018-02-20 Talk 1|Developers are not the enemy -- Usable Security for Experts]] (by Prof. Matthew Smith, University of Bonn)
*20h00 - 20h10: Break
*20h10 - 21h00: [[#2018-02-20 Talk 2|The Code Behind The Vulnerability]] (by Barry Dorrans, Microsoft)

=== Program ===

==== Developers are not the enemy -- Usable Security for Experts ====

* Speaker: Prof. Matthew Smith, University of Bonn
* Presentation: https://schd.ws/hosted_files/secappdev2018/a9/Developer%20are%20not%20the%20enemy%20SecAppDev%20web.pdf

''Abstract''

Usability problems are a major cause of many of today's IT-security incidents. Security systems are often too complicated, time-consuming, and error prone. For more than a decade researchers in the domain of usable security (USEC) have attempted to combat these problems by conducting interdisciplinary research focusing on the root causes of the problems and on the creation of usable security mechanisms. While major improvements have been made, to date USEC research has focused almost entirely on the non-expert end-user. However, many of the most catastrophic security incidents were not caused by end-users, but by developers or administrators. Heartbleed and Shellshock were both caused by single developers yet had global consequences. The Sony hack in 2014 compromised an entire multi-national IT-infrastructure and misappropriated over 100 TB of data, unnoticed. Fundamentally, every software vulnerability and misconfigured system is caused by developers or administrators making mistakes, but very little research has been done into the underlying causalities and possible mitigation strategies. In this talk we will explore the transition from end-user to expert usable security research and look at several application areas, including TLS, passwords, malware analysis and vulnerability analysis.

''Speaker Bio''

Matthew Smith is a Professor for Usable Security and Privacy at the University of Bonn. His research is focused on human factors of security and privacy mechanisms with a wide range of application areas, including TLS and network security, authentication, mobile and app security and, most recently, usable security for developers and administrators. His work has been published at, among others, IEEE S&P, ACM CCS, USENIX Security, NDSS, ACM SIGCHI and SOUPS the Symposium on Usable Security and Privacy. In 2015 his ERC Starting Grant "Frontiers of Usable Security" was selected for funding.

==== The Code Behind The Vulnerability ====

* Speaker: Barry Dorrans, Microsoft
* Presentation: https://schd.ws/hosted_files/secappdev2018/75/The%20code%20behind%20the%20vulnerability.pdf

''Abstract''

Everyone makes security mistakes, and that includes Microsoft (seriously!). Many developers can spot and prevent vulnerabilities listed in the OWASP top 10. But that narrative changes when we look beyond the scope of the OWASP top 10. Compared to some more recent attacks, fixing XSS or SQL injection almost seems easy. In this session, we dive into a couple of .NET core cases that have been reported to the Microsoft Security Response Center (MSRC). Mind you; these vulnerabilities are not just framework vulnerabilities. Instead, they are coding patterns that you may have introduced in your applications. Examples are issues with hash tables, compression, encryption, regular expressions and more. In this session, you will learn how to spot these vulnerabilities in your code. On top of that, you will walk away with the skills to fix them.

''Speaker Bio''

Barry Dorrans is the .NET Security Czar, which means he tries to tell everyone else how to code securely and taking the credit when it goes right, as well as running the .NET Core Bug Bounty. He also ends up triaging publicly and privately reported vulnerabilities when it goes wrong before getting someone else to fix the mistakes. This he gets all the fun and none of the real work, aside from the endless stress wondering when the next vulnerability will be discovered.

=== Registration ===

Registration was via EventBrite: https://owasp-belgium-2018-02-20.eventbrite.com.

=== Coverage ===

n/a

Belgium Events 2018

2018-09-20T10:12:27Z

Thomas Herlea: Converted the 2018-09-17 event to the new event structure.

Belgium Events 2018

2018-09-20T09:30:02Z

Thomas Herlea: Factored out the new event format as a template in a comment.

Belgium Events 2018

2018-09-14T21:09:50Z

Thomas Herlea: Converted the 2018-03-19 event to the new event structure.

<noinclude>
These are the 2018 events of the [[Belgium|OWASP Belgium Chapter]].

Previous year: [[Belgium Events 2017|2017]].
</noinclude>
== 17 September 2018 Meeting ==

=== WHEN ===
Monday 17 September 2018

=== WHERE ===

; Host: European Commission
: Place Madou, 1
:1210 - Saint-Josse-Ten-Noode
<pre style="color: red">
Pre-registration of the participants' ID is needed to enter the venue; see registration link below!!!
</pre>

=== PROGRAM ===
The agenda:

*18h00 - 18h50: '''Welcome & sandwiches''' 
*18h50 - 19h00: '''OWASP Update''' (by Sebastien Deleersnyder, OWASP) 
*19h00 - 19h10: '''Intro by the EC''' (by TBD) 
*19h10 - 20h00: '''Docker Threat Modeling and Top 10''' (by Dirk Wetter) 
:''Abstract:'' Docker containers offer several advantages for developers. Most notably they fit perfectly in software development processes, they enable fast, reproducible
deployments and when properly done, with little change the same container can
run either in a test or production environment.

Despite threatening information out there Docker offers per se also several
security advantages. However it is important to make use of them and as a
minimum avoid several pitfalls. In a worst case scenario this can lead
otherwise to less security or the security benefits which the containment
technology offers are not being used at all.

To avoid this a proper fundamental approach is needed.

Thus this talk models first the most important threats to containerized
environments out there. Based on that the speaker will present 10 security
bullet points which covers

* important Do's and Dont's,
* for advanced needs how to tighten security further.

At the end the speaker gives advice how to check your Docker and
Kubernetes security status yourself.

The talk is based on practical experiences at several costumers and on the
speaker's solid network and systems security expertise.

:''Bio:'' [https://twitter.com/drwetter Dirk Wetter (Ph.D.)] is an independent security consultant with more than 20 years professional experience in information security with a broad technical
and information security management background.

His primary focus nowadays is around web application security. He has also a
solid background on network and systems security.

He's also founder and maintainer of the open source project testssl.sh which
checks the encryption of every SSL/TLS enabled service.

*20h00 - 20h10: break 
*20h10 - 21h00: '''Securing Containers on the High Seas''' (by Jack Mannino) 
:''Abstract:'' It can be a difficult challenge for organizations to securely migrate to containers while shifting processes and security controls. Making the move from legacy virtualization and monolithic deployments to containers requires a solid strategy. Containers offer many inherent security benefits but it’s important to build controls in beyond the containers themselves. From development through container registries and deployment to a runtime environment, it’s important to enforce security and eliminate risks as they’re introduced.

This presentation will focus on scaling container security within an enterprise and building security controls into the way you build, ship, and run containerized services. We will discuss the modern container landscape including different container runtimes and isolation models. We will explore the container lifecycle from your developer’s laptop through your production environment and examine the key security problems to mitigate.

:''Bio:'' [https://twitter.com/jack_mannino Jack Mannino] is the CEO of nVisium. Passionate about security and impossible to keep away from a keyboard, his expertise spans over 15 years of building, breaking, and securing software. Jack founded nVisium in 2009, and since has helped the world's largest software teams enhance security across their software portfolios. He has spoken at conferences globally on topics such as secure design, mobile application security, and cloud-native security.

=== REGISTRATION ===
<pre style="color: red">
Two step registration:
Step 1: Registration via Eventbrite
Step 2: Pre-registration of participants'ID (European Commission)

Pre-registration of the participants' ID will be needed to enter the security on site!!!
</pre>

'''Step 1''': Registration via Eventbrite: https://owasp-belgium-2018-09-17.eventbrite.com

'''Step 2''': Pre-registration of participants'ID: https://ec.europa.eu/eusurvey/runner/OWASPBelgiumChapterMeetingSept17 .

'''The registration deadline for the participants' ID expires on ''Sunday, September 16th midnight''. After this time the registration and admission to the event will not be possible.'''

=== Coverage ===

== 19 March 2018 Meeting ==

=== Where ===

* Host: [https://www.ing.be ING Belgium]

* Address ([https://branches.ing.be/branch/1040_bxl-non-residents map])
Cours St Michel 60
1040 Brussel

=== Agenda ===

* 18h15 - 19h00: Welcome & sandwiches
* 19h00 - 19h10: OWASP Update (by Sebastien Deleersnyder, OWASP)
* 19h10 - 20h00: [[#2018-03-19 Talk 1|KRACKing WPA2 in Practice Using Key Reinstallation Attacks]] (by Mathy Vanhoef, imec-DistriNet-KU Leuven)
* 20h00 - 20h10: Break
* 20h10 - 21h00: [[#2018-03-19 Talk 2|Making the web secure by design]] (by Glenn Ten Cate, ING Belgium, and Riccardo Ten Cate, Xebia)
* 21h00 - 21h30: Networking drink

=== Program ===

==== KRACKing WPA2 in Practice Using Key Reinstallation Attacks ====

* Speaker: Mathy Vanhoef, imec-DistriNet-KU Leuven)

''Abstract''

This talk presents the key reinstallation attack against WPA2 (KRACK attack). It abuses design or implementation flaws in cryptographic protocols to reinstall an already-in-use key. This resets the key’s associated parameters such as transmit nonces and receive replay counters. Several cryptographic Wi-Fi handshakes are affected by the attack.

All protected Wi-Fi networks use the 4-way handshake to generate a fresh session key. So far, this 14-year-old handshake has remained free from attacks. However, we show that the 4-way handshake is vulnerable to a key reinstallation attack. Here, the adversary tricks a victim into reinstalling an already-in-use key. This is achieved by manipulating and replaying handshake messages. When reinstalling the key, associated parameters such as the incremental transmit packet number (nonce) and receive packet number (replay counter) are reset to their initial value.

The talk also discusses the vulnerability disclosure process that was followed. Since the discovery affected numerous vendors, coordinating the disclosure was non-trivial.

''Speaker Bio''

Mathy Vanhoef is a postdoctoral researcher at KU Leuven. He did his PhD on the security of WPA-TKIP, TLS, and RC4. His research interest is in computer security with a focus on wireless security (e.g. Wi-Fi), network protocols in general, the RC4 stream cipher (where he discovered the RC NOMORE attack), and software security (discovering and exploiting vulnerabilities). Currently his main research is about automatically discovering vulnerabilities in network protocol implementations, and proving the correctness of protocol implementations.

==== Making the web secure by design ====

* Speaker: Glenn Ten Cate, ING Belgium, and Riccardo Ten Cate, Xebia

''Abstract''

Education is the first step in the Secure Software Development Lifecycle. The free OWASP Security Knowledge Framework (SKF) is intended to be a tool that is used as a guide for building and verifying secure software. It can also be used to train developers about application security. This talk will help you as a developer to become THE Neo of your development team. We will show how you can do security by design and introduce other quality gates into your development pipeline to ensure high end quality and security of your project.

''Speaker Bios''

As a coder, hacker, speaker, trainer and security researcher employed at ING Belgium, '''Glenn Ten Cate''' has over 10 years experience in the field of security. One of the founders of defensive development [defdev] a security training and conference series dedicated to helping you build and maintain secure software and also speaking at multiple other security conferences in the world. His goals is to create an open-source software development life cycle with the tools and knowledge gathered over the years.

As a penetration tester from the Netherlands employed at Xebia, '''Riccardo Ten Cate''' specialises in web-application security and has extensive knowledge in securing web applications in multiple coding languages. He is also a specialist in setting up Secure Software Development Life Cycles.

=== Registration ===

Registration was via EventBrite: https://owasp-belgium-2018-03-19.eventbrite.com

=== Coverage ===

== 20 February 2018 Meeting ==

=== Where ===

* Host: [https://distrinet.cs.kuleuven.be DistriNet Research Group (KU Leuven)] (Both speakers are faculty of the [https://www.secappdev.org/ Secure Application Development] course held in Leuven from 2018-02-19 to 2018-02-23.)

* Address ([http://googlemapsinterface.kuleuven.be/index.cgi?lang=N&nbol=(50.864186697481145,%204.678754210472107)&zoomlevel=17&plaatsnaam=Department+of+Computer+Science&maptype=roadmap map], [https://distrinet.cs.kuleuven.be/about/route/ directions]):
Department of Computer Science (foyer at ground floor)
Celestijnenlaan 200 A
3001 Heverlee

=== Agenda ===

*18h15 - 19h00: Welcome & sandwiches
*19h00 - 19h10: [https://www.owasp.org/images/7/7a/Owasp_Belgium_update_2018-02-20_v1.pdf OWASP Update] (by Sebastien Deleersnyder, OWASP)
*19h10 - 20h00: [[#2018-02-20 Talk 1|Developers are not the enemy -- Usable Security for Experts]] (by Prof. Matthew Smith, University of Bonn)
*20h00 - 20h10: Break
*20h10 - 21h00: [[#2018-02-20 Talk 2|The Code Behind The Vulnerability]] (by Barry Dorrans, Microsoft)

=== Program ===

==== Developers are not the enemy -- Usable Security for Experts ====

* Speaker: Prof. Matthew Smith, University of Bonn
* Presentation: https://schd.ws/hosted_files/secappdev2018/a9/Developer%20are%20not%20the%20enemy%20SecAppDev%20web.pdf

''Abstract''

Usability problems are a major cause of many of today's IT-security incidents. Security systems are often too complicated, time-consuming, and error prone. For more than a decade researchers in the domain of usable security (USEC) have attempted to combat these problems by conducting interdisciplinary research focusing on the root causes of the problems and on the creation of usable security mechanisms. While major improvements have been made, to date USEC research has focused almost entirely on the non-expert end-user. However, many of the most catastrophic security incidents were not caused by end-users, but by developers or administrators. Heartbleed and Shellshock were both caused by single developers yet had global consequences. The Sony hack in 2014 compromised an entire multi-national IT-infrastructure and misappropriated over 100 TB of data, unnoticed. Fundamentally, every software vulnerability and misconfigured system is caused by developers or administrators making mistakes, but very little research has been done into the underlying causalities and possible mitigation strategies. In this talk we will explore the transition from end-user to expert usable security research and look at several application areas, including TLS, passwords, malware analysis and vulnerability analysis.

''Speaker Bio''

Matthew Smith is a Professor for Usable Security and Privacy at the University of Bonn. His research is focused on human factors of security and privacy mechanisms with a wide range of application areas, including TLS and network security, authentication, mobile and app security and, most recently, usable security for developers and administrators. His work has been published at, among others, IEEE S&P, ACM CCS, USENIX Security, NDSS, ACM SIGCHI and SOUPS the Symposium on Usable Security and Privacy. In 2015 his ERC Starting Grant "Frontiers of Usable Security" was selected for funding.

==== The Code Behind The Vulnerability ====

* Speaker: Barry Dorrans, Microsoft
* Presentation: https://schd.ws/hosted_files/secappdev2018/75/The%20code%20behind%20the%20vulnerability.pdf

''Abstract''

Everyone makes security mistakes, and that includes Microsoft (seriously!). Many developers can spot and prevent vulnerabilities listed in the OWASP top 10. But that narrative changes when we look beyond the scope of the OWASP top 10. Compared to some more recent attacks, fixing XSS or SQL injection almost seems easy. In this session, we dive into a couple of .NET core cases that have been reported to the Microsoft Security Response Center (MSRC). Mind you; these vulnerabilities are not just framework vulnerabilities. Instead, they are coding patterns that you may have introduced in your applications. Examples are issues with hash tables, compression, encryption, regular expressions and more. In this session, you will learn how to spot these vulnerabilities in your code. On top of that, you will walk away with the skills to fix them.

''Speaker Bio''

Barry Dorrans is the .NET Security Czar, which means he tries to tell everyone else how to code securely and taking the credit when it goes right, as well as running the .NET Core Bug Bounty. He also ends up triaging publicly and privately reported vulnerabilities when it goes wrong before getting someone else to fix the mistakes. This he gets all the fun and none of the real work, aside from the endless stress wondering when the next vulnerability will be discovered.

=== Registration ===

Registration was via EventBrite: https://owasp-belgium-2018-02-20.eventbrite.com

=== Coverage ===

n/a

Belgium Events 2018

2018-09-11T12:52:08Z

Thomas Herlea: /* 20 February 2018 Meeting */ Proposal new formatting for sections about meetings.

<noinclude>
These are the 2018 events of the [[Belgium|OWASP Belgium Chapter]].

Previous year: [[Belgium Events 2017|2017]].
</noinclude>
== 17 September 2018 Meeting ==

=== WHEN ===
Monday 17 September 2018

=== WHERE ===

; Host: European Commission
: Place Madou, 1
:1210 - Saint-Josse-Ten-Noode
<pre style="color: red">
Pre-registration of the participants' ID is needed to enter the venue; see registration link below!!!
</pre>

=== PROGRAM ===
The agenda:

*18h00 - 18h50: '''Welcome & sandwiches''' 
*18h50 - 19h00: '''OWASP Update''' (by Sebastien Deleersnyder, OWASP) 
*19h00 - 19h10: '''Intro by the EC''' (by TBD) 
*19h10 - 20h00: '''Docker Threat Modeling and Top 10''' (by Dirk Wetter) 
:''Abstract:'' Docker containers offer several advantages for developers. Most notably they fit perfectly in software development processes, they enable fast, reproducible
deployments and when properly done, with little change the same container can
run either in a test or production environment.

Despite threatening information out there Docker offers per se also several
security advantages. However it is important to make use of them and as a
minimum avoid several pitfalls. In a worst case scenario this can lead
otherwise to less security or the security benefits which the containment
technology offers are not being used at all.

To avoid this a proper fundamental approach is needed.

Thus this talk models first the most important threats to containerized
environments out there. Based on that the speaker will present 10 security
bullet points which covers

* important Do's and Dont's,
* for advanced needs how to tighten security further.

At the end the speaker gives advice how to check your Docker and
Kubernetes security status yourself.

The talk is based on practical experiences at several costumers and on the
speaker's solid network and systems security expertise.

:''Bio:'' [https://twitter.com/drwetter Dirk Wetter (Ph.D.)] is an independent security consultant with more than 20 years professional experience in information security with a broad technical
and information security management background.

His primary focus nowadays is around web application security. He has also a
solid background on network and systems security.

He's also founder and maintainer of the open source project testssl.sh which
checks the encryption of every SSL/TLS enabled service.

*20h00 - 20h10: break 
*20h10 - 21h00: '''Securing Containers on the High Seas''' (by Jack Mannino) 
:''Abstract:'' It can be a difficult challenge for organizations to securely migrate to containers while shifting processes and security controls. Making the move from legacy virtualization and monolithic deployments to containers requires a solid strategy. Containers offer many inherent security benefits but it’s important to build controls in beyond the containers themselves. From development through container registries and deployment to a runtime environment, it’s important to enforce security and eliminate risks as they’re introduced.

This presentation will focus on scaling container security within an enterprise and building security controls into the way you build, ship, and run containerized services. We will discuss the modern container landscape including different container runtimes and isolation models. We will explore the container lifecycle from your developer’s laptop through your production environment and examine the key security problems to mitigate.

:''Bio:'' [https://twitter.com/jack_mannino Jack Mannino] is the CEO of nVisium. Passionate about security and impossible to keep away from a keyboard, his expertise spans over 15 years of building, breaking, and securing software. Jack founded nVisium in 2009, and since has helped the world's largest software teams enhance security across their software portfolios. He has spoken at conferences globally on topics such as secure design, mobile application security, and cloud-native security.

=== REGISTRATION ===
<pre style="color: red">
Two step registration:
Step 1: Registration via Eventbrite
Step 2: Pre-registration of participants'ID (European Commission)

Pre-registration of the participants' ID will be needed to enter the security on site!!!
</pre>

'''Step 1''': Registration via Eventbrite: https://owasp-belgium-2018-09-17.eventbrite.com

'''Step 2''': Pre-registration of participants'ID: https://ec.europa.eu/eusurvey/runner/OWASPBelgiumChapterMeetingSept17 .

'''The registration deadline for the participants' ID expires on ''Sunday, September 16th midnight''. After this time the registration and admission to the event will not be possible.'''

=== Coverage ===

== 19 March 2018 Meeting ==

=== WHEN ===
Monday 19 March 2018

=== WHERE ===

; Host: ING Belgium
; Address
: Cours St Michel 60 - 1040 Brussel

=== PROGRAM ===
The agenda:
*18h15 - 19h00: '''Welcome & sandwiches''' 
*19h00 - 19h10: '''OWASP Update''' (by Sebastien Deleersnyder, OWASP) 
*19h10 - 20h00: '''KRACKing WPA2 in Practice Using Key Reinstallation Attacks''' (by Mathy Vanhoef, imec-DistriNet-KU Leuven) 
:''Abstract:'' This talk presents the key reinstallation attack against WPA2 (KRACK attack). It abuses design or implementation flaws in cryptographic protocols to reinstall an already-in-use key. This resets the key’s associated parameters such as transmit nonces and receive replay counters. Several cryptographic Wi-Fi handshakes are affected by the attack.
:All protected Wi-Fi networks use the 4-way handshake to generate a fresh session key. So far, this 14-year-old handshake has remained free from attacks. However, we show that the 4-way handshake is vulnerable to a key reinstallation attack. Here, the adversary tricks a victim into reinstalling an already-in-use key. This is achieved by manipulating and replaying handshake messages. When reinstalling the key, associated parameters such as the incremental transmit packet number (nonce) and receive packet number (replay counter) are reset to their initial value.
:Talk talk also discusses the vulnerability disclosure process that was followed. Since the discovery affected numerous vendors, coordinating the disclosure was non-trivial.
:''Bio:'' '''Mathy Vanhoef''' is a postdoctoral researcher at KU Leuven. He did his PhD on the security of WPA-TKIP, TLS, and RC4. His research interest is in computer security with a focus on wireless security (e.g. Wi-Fi), network protocols in general, the RC4 stream cipher (where is discovered the RC NOMORE attack), and software security (discovering and exploiting vulnerabilities). Currently his main research is about automatically discovering vulnerabilities in network protocol implementations, and proving the correctness of protocol implementations.
*20h00 - 20h10: break 
*20h10 - 21h00: '''Making the web secure by design''' (by Glenn Ten Cate, ING Belgium, and Riccardo Ten Cate, Xebia) 
:''Abstract:'' Education is the first step in the Secure Software Development Lifecycle. The free OWASP Security Knowledge Framework (SKF) is intended to be a tool that is used as a guide for building and verifying secure software. It can also be used to train developers about application security. This talk will help you as a developer to become THE Neo of your development team. We will show how you can do security by design and introduce other quality gates into your development pipeline to ensure high end quality and security of your project.
:''Bio:'' As a coder, hacker, speaker, trainer and security researcher employed at ING Belgium, '''Glenn Ten Cate''' has over 10 years experience in the field of security. One of the founders of defensive development [defdev] a security training and conference series dedicated to helping you build and maintain secure software and also speaking at multiple other security conferences in the world. His goals is to create an open-source software development life cycle with the tools and knowledge gathered over the years.
:''Bio:'' As a penetration tester from the Netherlands employed at Xebia, '''Riccardo Ten Cate''' specialises in web-application security and has extensive knowledge in securing web applications in multiple coding languages. He is also a specialist in setting up Secure Software Development Life Cycles.
*21h00 - 21h30: '''Networking drink''' 

=== REGISTRATION ===
Please register via EventBrite: https://owasp-belgium-2018-03-19.eventbrite.com

=== Coverage ===

== 20 February 2018 Meeting ==

=== Where ===

* Host: [https://distrinet.cs.kuleuven.be DistriNet Research Group (KU Leuven)] (Both speakers are faculty of the [https://www.secappdev.org/ Secure Application Development] course held in Leuven from 2018-02-19 to 2018-02-23.)

* Address ([http://googlemapsinterface.kuleuven.be/index.cgi?lang=N&nbol=(50.864186697481145,%204.678754210472107)&zoomlevel=17&plaatsnaam=Department+of+Computer+Science&maptype=roadmap map], [https://distrinet.cs.kuleuven.be/about/route/ directions]):
Department of Computer Science (foyer at ground floor)
Celestijnenlaan 200 A
3001 Heverlee

=== Agenda ===

*18h15 - 19h00: Welcome & sandwiches
*19h00 - 19h10: [https://www.owasp.org/images/7/7a/Owasp_Belgium_update_2018-02-20_v1.pdf OWASP Update] (by Sebastien Deleersnyder, OWASP)
*19h10 - 20h00: [[#2018-02-20 Talk 1|Developers are not the enemy -- Usable Security for Experts]] (by Prof. Matthew Smith, University of Bonn)
*20h00 - 20h10: Break
*20h10 - 21h00: [[#2018-02-20 Talk 2|The Code Behind The Vulnerability]]

=== Program ===

==== Developers are not the enemy -- Usable Security for Experts ====

* Speaker: Prof. Matthew Smith, University of Bonn
* Presentation: https://schd.ws/hosted_files/secappdev2018/a9/Developer%20are%20not%20the%20enemy%20SecAppDev%20web.pdf

''Abstract''

Usability problems are a major cause of many of today's IT-security incidents. Security systems are often too complicated, time-consuming, and error prone. For more than a decade researchers in the domain of usable security (USEC) have attempted to combat these problems by conducting interdisciplinary research focusing on the root causes of the problems and on the creation of usable security mechanisms. While major improvements have been made, to date USEC research has focused almost entirely on the non-expert end-user. However, many of the most catastrophic security incidents were not caused by end-users, but by developers or administrators. Heartbleed and Shellshock were both caused by single developers yet had global consequences. The Sony hack in 2014 compromised an entire multi-national IT-infrastructure and misappropriated over 100 TB of data, unnoticed. Fundamentally, every software vulnerability and misconfigured system is caused by developers or administrators making mistakes, but very little research has been done into the underlying causalities and possible mitigation strategies. In this talk we will explore the transition from end-user to expert usable security research and look at several application areas, including TLS, passwords, malware analysis and vulnerability analysis.

''Speaker Bio''

Matthew Smith is a Professor for Usable Security and Privacy at the University of Bonn. His research is focused on human factors of security and privacy mechanisms with a wide range of application areas, including TLS and network security, authentication, mobile and app security and, most recently, usable security for developers and administrators. His work has been published at, among others, IEEE S&P, ACM CCS, USENIX Security, NDSS, ACM SIGCHI and SOUPS the Symposium on Usable Security and Privacy. In 2015 his ERC Starting Grant "Frontiers of Usable Security" was selected for funding.

==== The Code Behind The Vulnerability ====

* Speaker: Barry Dorrans, Microsoft
* Presentation: https://schd.ws/hosted_files/secappdev2018/75/The%20code%20behind%20the%20vulnerability.pdf

''Abstract''

Everyone makes security mistakes, and that includes Microsoft (seriously!). Many developers can spot and prevent vulnerabilities listed in the OWASP top 10. But that narrative changes when we look beyond the scope of the OWASP top 10. Compared to some more recent attacks, fixing XSS or SQL injection almost seems easy. In this session, we dive into a couple of .NET core cases that have been reported to the Microsoft Security Response Center (MSRC). Mind you; these vulnerabilities are not just framework vulnerabilities. Instead, they are coding patterns that you may have introduced in your applications. Examples are issues with hash tables, compression, encryption, regular expressions and more. In this session, you will learn how to spot these vulnerabilities in your code. On top of that, you will walk away with the skills to fix them.

''Speaker Bio''

Barry Dorrans is the .NET Security Czar, which means he tries to tell everyone else how to code securely and taking the credit when it goes right, as well as running the .NET Core Bug Bounty. He also ends up triaging publicly and privately reported vulnerabilities when it goes wrong before getting someone else to fix the mistakes. This he gets all the fun and none of the real work, aside from the endless stress wondering when the next vulnerability will be discovered.

=== Registration ===

Registration was via EventBrite: https://owasp-belgium-2018-02-20.eventbrite.com

=== Coverage ===

n/a

Belgium

2018-09-11T10:12:09Z

Thomas Herlea: Removed mentions to older meetings from section 'Upcoming chapter meetings'.

{{Chapter Template|chaptername=Belgium|extra=The chapter leader is [mailto:seba@owasp.org Sebastien Deleersnyder]|mailinglistsite=http://lists.owasp.org/mailman/listinfo/owasp-belgium|emailarchives=http://lists.owasp.org/pipermail/owasp-belgium}}

= Local News =

== Upcoming chapter meetings ==
* '''17 September 2018: Brussels'''
<pre style="color: red">
Two step registration:
Step 1: Registration via Eventbrite
Step 2: Pre-registration of participants'ID (European Commission)

Pre-registration of the participants' ID will be needed to enter the security on site!!!
</pre>

'''Step 1''': Registration via Eventbrite: https://owasp-belgium-2018-09-17.eventbrite.com

'''Step 2''': Pre-registration of participants'ID: https://ec.europa.eu/eusurvey/runner/OWASPBelgiumChapterMeetingSept17 .

'''The registration deadline for the participants' ID expires on ''Sunday, September 16th midnight''. After this time the registration and admission to the event will not be possible.'''

See https://www.owasp.org/index.php/Belgium#Chapter_Meetings for more details and older meetings.

== '''Stay in touch''' ==

<center>
{| cellspacing="15"
|-
| [[Image:Meetup-logo-2x.png|120px|link=http://www.meetup.com/Belgium-OWASP-Open-Web-Application-Security-Project/]]
| [[Image:Join the list.png|150px|link=http://lists.owasp.org/mailman/listinfo/owasp-belgium]]
| [[Image:Follow-us-on-twitter.png|175px|link=https://twitter.com/owasp_be]]
| [[Image:Linkedin-button.gif|135px|link=https://www.linkedin.com/groups/37865]]
|}
</center>
If you want to be invited for the next OWASP Belgium Chapter meetings, please [http://eepurl.com/iFZtb drop us your contact info].

== Structural Sponsors 2018 ==

OWASP Belgium thanks its structural chapter supporters for 2018 and the OWASP BeNeLux Days 2017:

[http://www.vest.nl https://www.owasp.org/images/6/67/Vest.jpg]
[https://secwatch.nl https://www.owasp.org/images/f/ff/Secwatch_logo_small.png]
[[File:Avi Logo Transparent Background 300pix.png|200px|link=https://avinetworks.com/]]
[[File:LogoToreon.jpg|250px|link=https://www.toreon.com]]
[[File:Nviso_logo_RGB_baseline_200px.png|link=http://www.nviso.be]]

If you want to support our chapter, please contact [mailto:seba@owasp.org Seba Deleersnyder]

= Chapter Meetings =

{{:Belgium_Events_2018}}

== Previous Years ==

Events held in
[[Belgium Events 2017|2017]],
[[Belgium Events 2016|2016]],
[[Belgium Events 2015|2015]],
[[Belgium Events 2014|2014]],
[[Belgium Events 2013|2013]],
[[Belgium Events 2012|2012]],
[[Belgium Events 2011|2011]],
[[Belgium Events 2010|2010]],
[[Belgium Events 2009|2009]],
[[Belgium Events 2008|2008]],
[[Belgium Events 2007|2007]],
[[Belgium Events 2006|2006]],
[[Belgium Events 2005|2005]].

= Belgium OWASP Chapter Leaders =

The Belgium Chapter is supported by the following board:

*Sebastien Deleersnyder, Toreon
*Erwin Geirnaert, Zion Security
*Lieven Desmet, KU Leuven
*Bart De Win, PWC
*David Mathy, Freelance
*Adolfo Solero, Freelance
*Stella Dineva, Ingenico Payment Services
*Thomas Herlea, NVISO

Our goal is to professionalize the local OWASP functioning, provide in a bigger footprint to detect OWASP opportunities such as speakers/topics/sponsors/… and set a 5 year target on: Target audiences, Different events and Interactions of OWASP global – local projects.
__NOTOC__ <headertabs></headertabs>
[[Category:Europe]]

Belgium Events 2017

2018-03-07T08:36:54Z

Thomas Herlea: Added link to next year.

<noinclude>
These are the 2017 events of the [[Belgium|OWASP Belgium Chapter]].

Previous year: [[Belgium Events 2016|2016]].
Next year: [[Belgium Events 2018|2018]].
</noinclude>
== 19 June 2017 Meeting ==

=== WHEN ===
Monday 19 June 2017

=== WHERE ===

; Host: [https://www.nviso.be NVISO]
; Address
: Sinter-Goedelevoorplein 5 Parvis Sainte Gudule, 1000 Brussels
: ([https://www.google.com/maps/place/Place+Sainte-Gudule+5,+1000+Bruxelles,+Belgium/@50.8474433,4.3586377,151m/data=!3m2!1e3!4b1!4m5!3m4!1s0x47c3c4800313a0a5:0xb62b4416d53a6f8d!8m2!3d50.8474433!4d4.3591849 map], [https://www.google.com/maps/dir//Place+Sainte-Gudule+5,+1000+Bruxelles,+Belgium/@50.8474433,4.3586377,151m/data=!3m1!1e3!4m16!1m7!3m6!1s0x47c3c4800313a0a5:0xb62b4416d53a6f8d!2sPlace+Sainte-Gudule+5,+1000+Bruxelles,+Belgium!3b1!8m2!3d50.8474433!4d4.3591849!4m7!1m0!1m5!1m1!1s0x47c3c4800313a0a5:0xb62b4416d53a6f8d!2m2!1d4.3591849!2d50.8474433 directions])

=== PROGRAM ===
The agenda:
*18h00 - 18h50: '''Welcome & sandwiches'''

*18h50 - 19h00: '''OWASP Update''' (by Sebastien Deleersnyder, OWASP)

*19h00 - 19h45: '''[https://www.owasp.org/images/d/d7/Belgium_Chapter_Summit_Debrief_v20170619.pptx OWASP Summit Debrief]''' (by Sebastien Deleersnyder, OWASP)
:''Abstract:'' The [https://owaspsummit.org/ OWASP Summit 2017] is a 5-day participant driven event, dedicated to the collaboration of Development and Security professionals, with a strong focus on DevSecOps. This session will be a debriefing of what was delivered by 130+ participants in 145 Working Sessions :-).
:''Bio:'' Sebastien is an OWASP volunteer, Summit co-organizer and application security consultant at Toreon."

*19h45 - 20h30: ''''[https://www.youtube.com/watch?v=-2zvfevLnp4 Threat modeling lessons from Star Wars (BruCON Video)]''' (by Adam Shostack, freelance security consultant)
:''Abstract:'' Everyone knows you ought to threat model, but in practical reality it turns out to be tricky. If past efforts to threat model haven't panned out, perhaps part of the problem is confusion over what works, and how the various approaches conflict or align. This talk captures lessons from years of work helping people throughout the software industry threat model more effectively. It's designed to help security pros, developers and systems managers, all of whom will leave with both threat modeling lessons from Star Wars and a proven foundation, enabling them to threat model effectively.
:''Bio:'' Adam is a consultant, entrepreneur, technologist, author and game designer. He's a member of the BlackHat Review Board, and helped found the CVE and many other things. He's currently helping a variety of organizations improve their security, and advising and mentoring startups as a Mach37 Star Mentor. While at Microsoft, he drove the Autorun fix into Windows Update, was the lead designer of the SDL Threat Modeling Tool v3 and created the "Elevation of Privilege" game. Adam is the author of "Threat Modeling: Designing for Security," and the co-author of "The New School of Information Security."

*20h30 - ... : '''Reception'''

=== REGISTRATION ===
Please register via EventBrite: https://owasp-belgium-2017-06-19.eventbrite.com

=== Coverage ===

== 29 May 2017 Meeting ==

=== WHEN ===
Monday 29 May 2017

=== WHERE ===

; Host: [https://www.ey.com Ernst & Young]
; Address
: De Kleetlaan 2, 1831 Machelen
: ([https://www.google.com/maps/place/EY+Belgium/@50.88652,4.448027,605m/data=!3m1!1e3!4m5!3m4!1s0x0:0x1d0b0a9e75dc9641!8m2!3d50.8871901!4d4.4500013 map], [https://www.google.com/maps/dir//EY+Belgium,+De+Kleetlaan+2,+1831+Machelen,+Belgium/@50.88652,4.448027,746m/data=!3m1!1e3!4m15!1m6!3m5!1s0x0:0x1d0b0a9e75dc9641!2sEY+Belgium!8m2!3d50.8871901!4d4.4500013!4m7!1m0!1m5!1m1!1s0x47c3dd1d72c2032f:0x1d0b0a9e75dc9641!2m2!1d4.4500011!2d50.8871901 directions])

=== PROGRAM ===
The agenda:
*18h00 - 18h50: '''Welcome & sandwiches''' 
*18h50 - 19h00: '''[https://www.owasp.org/images/6/6c/Owasp_Belgium_update_2017-05-29.pdf OWASP Update]''' (by Lieven Desmet) 
*19h00 - 19h45: '''[[media:2017-05-29_OWASP-BE_HTTPForTheGoodOrTheBad.pdf|HTTP for the Good or the Bad]]''' (by Xavier Mertens, freelance security consultant) 
:''Abstract:'' Today, the classic infection vectors remain SMTP and HTTP. Many spam & phishing campaigns are delivered to the victim’s mailbox and usually the next step of the attack is performed on top of HTTP, by visiting a malicious website or downloading a piece of malicious code. This talk will be split in two parts. To begin, I’ll explain how HTTP techniques are used to make the life of security researchers and incident handlers more difficult (attackers use many techniques to prevent access to their juicy data). The next part will demonstrate that attackers are also humans and make mistakes like all of us. They also need to follow the OWASP Top-10! I’ll review some example of bad code / bad configuration that I found during my investigations.
:''Bio:'' '''Xavier Mertens''' is a freelance security consultant based in Belgium. His job focuses on protecting his customers by applying “offensive” (pentesting) as well as “defensive” security (incident handling, log management, SIEM, security visualisation, OSINT). Xavier is also a SANS Internet Storm Center handler (<nowiki>https://isc.sans.org</nowiki>). He’s also maintaining his security blog (<nowiki>https://blog.rootshell.be</nowiki>) and is a co-organizer of the BruCON security conference (<nowiki>http://www.brucon.org</nowiki>). 
*19h45 - 20h30: '''Reverse engineering with Panopticon: a Libre Cross-Platform Disassembler''' (by Kai Michaelis) 
:''Abstract:'' The Panopticon project aims to develop a tool to end the dominance of proprietary software for reverse engineering.
:Panopticon is a graphical disassembler written in Rust that runs on GNU/Linux, Windows and OS X, which aims to create a free replacement for tools like IDA Pro and BinDiff.
:What sets Panopticon apart from other free disassembler is the belief that an intuitive GUI is paramount to aid human analysts to understand as much of the binary as possible. As such Panopticon comes with an Qt 5 UI written in QML that allows browsing and annotating control flow graphs.
:''Bio:'' '''Kai Michaelis''' studies IT-Security in Bochum, Germany and works part-time on Free Software. When he's not on the campus you can meet him at the local hackerspace. His interests are program analysis, reverse engineering and cryptography.
*20h30 - ... : '''Reception'''

=== REGISTRATION ===
Please register via EventBrite: https://owasp-belgium-2017-05-29.eventbrite.com

=== Coverage ===

[[File:2017-05-29_OWASP_BE_ChapterMeeting.png|alt=Photo from the 2017-05-29 meeting of the Belgian OWASP chapter|Photo from this meeting]]

== 28 February 2017 Meeting ==

=== WHEN ===
Tuesday 28 Feburary 2017

=== WHERE ===

; Host: [https://distrinet.cs.kuleuven.be Distrinet Research Group (KU Leuven)] (Both speakers are faculty of the [https://www.secappdev.org/ Secure Application Development] course held in Leuven from 2017-02-27 to 2017-03-03.)
; Address
: Department of Computer Science (foyer at ground floor) Celestijnenlaan 200 A 3001 Heverlee
: ([http://googlemapsinterface.kuleuven.be/index.cgi?lang=N&nbol=(50.864186697481145,%204.678754210472107)&zoomlevel=17&plaatsnaam=Department+of+Computer+Science&maptype=roadmap map], [https://distrinet.cs.kuleuven.be/about/route/ directions])

=== PROGRAM ===
The agenda:
*18h15 - 19h00: '''Welcome & sandwiches''' 
*19h00 - 19h10: '''[https://www.owasp.org/images/2/24/Owasp_Belgium_update_2017-02-28.pdf OWASP Update]''' (by Lieven Desmet) 
*19h10 - 20h00: '''[https://www.owasp.org/images/c/c6/Manico_XSS_Defense_Summary_2017-02-28.pdf XSS defense strategies]''' (by Jim Manico, Manicode Security) 
:''Abstract:'' TBD
:''Bio:'' '''Jim Manico''' is the founder of Manicode Security where he trains software developers on secure coding and security engineering. Jim is a frequent speaker on secure software practices and is a member of the Java-One Rock Star speaker community. Jim was a Global Board Member for the OWASP foundation and is the author of "Iron-Clad Java: Building Secure Web Applications" from McGraw-Hill..
*20h00 - 20h10: '''Break''' 
*20h10 - 21h00: '''[https://www.owasp.org/images/d/db/DeRyck_OWASP_WebSecurityOverview_2017-02-28.pdf Why traditional Web security technologies no longer suffice]''' (by Philippe De Ryck, KU Leuven) 
:''Abstract:'' Not a day goes by without a story on a Web security incident somewhere. A data breach disclosing millions of people’s details. A defacement of a major Web site. Malware served from a legitimate Web site to thousands of users. Contrary to popular belief, the people running these Web sites are generally not clueless about security, but getting it right is just not that easy. Recent evolutions, like the rise of public networks, or the strong dependence on third-party code, have made it easier to attack Web sites, and harder to defend them. Join us to get an overview of these threats, and to take a dive into HTTP Strict Transport Security (HSTS), one of the latest Web security technologies that really help you improve security.
:''Bio:'' '''Philippe De Ryck''' is a professional speaker and trainer on software security and web security. Since he obtained his PhD at the imec-DistriNet research group (KU Leuven, Belgium), he has been running the group's Web Security Training program, which ensures a sustainable knowledge transfer of the group’s security expertise towards practitioners.

=== REGISTRATION ===
Please register via EventBrite: https://owasp-belgium-2017-02-28.eventbrite.com

=== Coverage ===

Belgium

2017-11-23T16:49:18Z

Thomas Herlea: Added the section "current event" and a link to OWASP BeNeLux Day 2017.

{{Chapter Template|chaptername=Belgium|extra=The chapter leader is [mailto:seba@owasp.org Sebastien Deleersnyder]|mailinglistsite=http://lists.owasp.org/mailman/listinfo/owasp-belgium|emailarchives=http://lists.owasp.org/pipermail/owasp-belgium}}

= Local News =

== Current event ==

OWASP BeNeLux Day 2017 - the conference and associated training day: https://www.owasp.org/index.php/OWASP_BeNeLux-Day_2017

== Upcoming events ==

=== Upcoming chapter meetings ===
* We will welcome you again in autumn 2017!

See https://www.owasp.org/index.php/Belgium#Chapter_Meetings for more details.

== '''Stay in touch''' ==

<center>
{| cellspacing="15"
|-
| [[Image:Meetup-logo-2x.png|120px|link=http://www.meetup.com/Belgium-OWASP-Open-Web-Application-Security-Project/]]
| [[Image:Join the list.png|150px|link=http://lists.owasp.org/mailman/listinfo/owasp-belgium]]
| [[Image:Follow-us-on-twitter.png|175px|link=https://twitter.com/owasp_be]]
| [[Image:Linkedin-button.gif|135px|link=https://www.linkedin.com/groups/37865]]
|}
</center>
If you want to be invited for the next OWASP Belgium Chapter meetings, please [http://eepurl.com/iFZtb drop us your contact info].

== Structural Sponsors 2017 ==

OWASP Belgium thanks its structural chapter supporters for 2017 and the OWASP BeNeLux Days 2016:

[[File:VeraCode logo.png|250px|link=https://www.veracode.com]]
[[File:Vest.jpg|250px|link=http://www.vest.nl]]
[[File:Intigriti_verticaal.jpg|link=http://www.intigriti.be]]
[[File:Ecurify-2016.png|link=http://www.securify.nl]]
[[File:HPE_logo_250.png|link=http://www8.hp.com/nl/nl/software-solutions/enterprise-security.html]]
[[File:LogoToreon.jpg|250px|link=https://www.toreon.com]]
[[File:Zionsecurity.jpg|link=http://www.zionsecurity.com]]
[[File:Nviso_logo_RGB_baseline_200px.png|link=http://www.nviso.be]]
[[File:Whitehat-security_hor.jpg|link=http://www.whitehatsec.com]]

If you want to support our chapter, please contact [mailto:seba@owasp.org Seba Deleersnyder]

= Chapter Meetings =

{{:Belgium_Events_2017}}

== Previous Years ==

Events held in
[[Belgium Events 2016|2016]],
[[Belgium Events 2015|2015]],
[[Belgium Events 2014|2014]],
[[Belgium Events 2013|2013]],
[[Belgium Events 2012|2012]],
[[Belgium Events 2011|2011]],
[[Belgium Events 2010|2010]],
[[Belgium Events 2009|2009]],
[[Belgium Events 2008|2008]],
[[Belgium Events 2007|2007]],
[[Belgium Events 2006|2006]],
[[Belgium Events 2005|2005]].

= Belgium OWASP Chapter Leaders =

The Belgium Chapter is supported by the following board:

*Sebastien Deleersnyder, Toreon
*Erwin Geirnaert, Zion Security
*Lieven Desmet, KU Leuven
*Bart De Win, PWC
*David Mathy, Freelance
*Adolfo Solero, Freelance
*Stella Dineva, Ingenico Payment Services
*Thomas Herlea, NVISO

Our goal is to professionalize the local OWASP functioning, provide in a bigger footprint to detect OWASP opportunities such as speakers/topics/sponsors/… and set a 5 year target on: Target audiences, Different events and Interactions of OWASP global – local projects.
__NOTOC__ <headertabs></headertabs>
[[Category:Europe]]

Belgium

2017-11-23T16:31:33Z

Thomas Herlea: Yeah, we don't have the Greek god on the chapter board, just me.

{{Chapter Template|chaptername=Belgium|extra=The chapter leader is [mailto:seba@owasp.org Sebastien Deleersnyder]|mailinglistsite=http://lists.owasp.org/mailman/listinfo/owasp-belgium|emailarchives=http://lists.owasp.org/pipermail/owasp-belgium}}

= Local News =

== Upcoming events ==

=== Upcoming chapter meetings ===
* We will welcome you again in autumn 2017!

See https://www.owasp.org/index.php/Belgium#Chapter_Meetings for more details.

== '''Stay in touch''' ==

<center>
{| cellspacing="15"
|-
| [[Image:Meetup-logo-2x.png|120px|link=http://www.meetup.com/Belgium-OWASP-Open-Web-Application-Security-Project/]]
| [[Image:Join the list.png|150px|link=http://lists.owasp.org/mailman/listinfo/owasp-belgium]]
| [[Image:Follow-us-on-twitter.png|175px|link=https://twitter.com/owasp_be]]
| [[Image:Linkedin-button.gif|135px|link=https://www.linkedin.com/groups/37865]]
|}
</center>
If you want to be invited for the next OWASP Belgium Chapter meetings, please [http://eepurl.com/iFZtb drop us your contact info].

== Structural Sponsors 2017 ==

OWASP Belgium thanks its structural chapter supporters for 2017 and the OWASP BeNeLux Days 2016:

[[File:VeraCode logo.png|250px|link=https://www.veracode.com]]
[[File:Vest.jpg|250px|link=http://www.vest.nl]]
[[File:Intigriti_verticaal.jpg|link=http://www.intigriti.be]]
[[File:Ecurify-2016.png|link=http://www.securify.nl]]
[[File:HPE_logo_250.png|link=http://www8.hp.com/nl/nl/software-solutions/enterprise-security.html]]
[[File:LogoToreon.jpg|250px|link=https://www.toreon.com]]
[[File:Zionsecurity.jpg|link=http://www.zionsecurity.com]]
[[File:Nviso_logo_RGB_baseline_200px.png|link=http://www.nviso.be]]
[[File:Whitehat-security_hor.jpg|link=http://www.whitehatsec.com]]

If you want to support our chapter, please contact [mailto:seba@owasp.org Seba Deleersnyder]

= Chapter Meetings =

{{:Belgium_Events_2017}}

== Previous Years ==

Events held in
[[Belgium Events 2016|2016]],
[[Belgium Events 2015|2015]],
[[Belgium Events 2014|2014]],
[[Belgium Events 2013|2013]],
[[Belgium Events 2012|2012]],
[[Belgium Events 2011|2011]],
[[Belgium Events 2010|2010]],
[[Belgium Events 2009|2009]],
[[Belgium Events 2008|2008]],
[[Belgium Events 2007|2007]],
[[Belgium Events 2006|2006]],
[[Belgium Events 2005|2005]].

= Belgium OWASP Chapter Leaders =

The Belgium Chapter is supported by the following board:

*Sebastien Deleersnyder, Toreon
*Erwin Geirnaert, Zion Security
*Lieven Desmet, KU Leuven
*Bart De Win, PWC
*David Mathy, Freelance
*Adolfo Solero, Freelance
*Stella Dineva, Ingenico Payment Services
*Thomas Herlea, NVISO

Our goal is to professionalize the local OWASP functioning, provide in a bigger footprint to detect OWASP opportunities such as speakers/topics/sponsors/… and set a 5 year target on: Target audiences, Different events and Interactions of OWASP global – local projects.
__NOTOC__ <headertabs></headertabs>
[[Category:Europe]]

Belgium

2017-11-23T16:30:51Z

Thomas Herlea: Undo revision 235713 by Thomas Herlea (talk)

{{Chapter Template|chaptername=Belgium|extra=The chapter leader is [mailto:seba@owasp.org Sebastien Deleersnyder]|mailinglistsite=http://lists.owasp.org/mailman/listinfo/owasp-belgium|emailarchives=http://lists.owasp.org/pipermail/owasp-belgium}}

= Local News =

== Upcoming events ==

=== Upcoming chapter meetings ===
* We will welcome you again in autumn 2017!

See https://www.owasp.org/index.php/Belgium#Chapter_Meetings for more details.

== '''Stay in touch''' ==

<center>
{| cellspacing="15"
|-
| [[Image:Meetup-logo-2x.png|120px|link=http://www.meetup.com/Belgium-OWASP-Open-Web-Application-Security-Project/]]
| [[Image:Join the list.png|150px|link=http://lists.owasp.org/mailman/listinfo/owasp-belgium]]
| [[Image:Follow-us-on-twitter.png|175px|link=https://twitter.com/owasp_be]]
| [[Image:Linkedin-button.gif|135px|link=https://www.linkedin.com/groups/37865]]
|}
</center>
If you want to be invited for the next OWASP Belgium Chapter meetings, please [http://eepurl.com/iFZtb drop us your contact info].

== Structural Sponsors 2017 ==

OWASP Belgium thanks its structural chapter supporters for 2017 and the OWASP BeNeLux Days 2016:

[[File:VeraCode logo.png|250px|link=https://www.veracode.com]]
[[File:Vest.jpg|250px|link=http://www.vest.nl]]
[[File:Intigriti_verticaal.jpg|link=http://www.intigriti.be]]
[[File:Ecurify-2016.png|link=http://www.securify.nl]]
[[File:HPE_logo_250.png|link=http://www8.hp.com/nl/nl/software-solutions/enterprise-security.html]]
[[File:LogoToreon.jpg|250px|link=https://www.toreon.com]]
[[File:Zionsecurity.jpg|link=http://www.zionsecurity.com]]
[[File:Nviso_logo_RGB_baseline_200px.png|link=http://www.nviso.be]]
[[File:Whitehat-security_hor.jpg|link=http://www.whitehatsec.com]]

If you want to support our chapter, please contact [mailto:seba@owasp.org Seba Deleersnyder]

= Chapter Meetings =

{{:Belgium_Events_2017}}

== Previous Years ==

Events held in
[[Belgium Events 2016|2016]],
[[Belgium Events 2015|2015]],
[[Belgium Events 2014|2014]],
[[Belgium Events 2013|2013]],
[[Belgium Events 2012|2012]],
[[Belgium Events 2011|2011]],
[[Belgium Events 2010|2010]],
[[Belgium Events 2009|2009]],
[[Belgium Events 2008|2008]],
[[Belgium Events 2007|2007]],
[[Belgium Events 2006|2006]],
[[Belgium Events 2005|2005]].

= Belgium OWASP Chapter Leaders =

The Belgium Chapter is supported by the following board:

*Sebastien Deleersnyder, Toreon
*Erwin Geirnaert, Zion Security
*Lieven Desmet, KU Leuven
*Bart De Win, PWC
*David Mathy, Freelance
*Adolfo Solero, Freelance
*Stella Dineva, Ingenico Payment Services
*Thomas Hermes, NVISO

Our goal is to professionalize the local OWASP functioning, provide in a bigger footprint to detect OWASP opportunities such as speakers/topics/sponsors/… and set a 5 year target on: Target audiences, Different events and Interactions of OWASP global – local projects.
__NOTOC__ <headertabs></headertabs>
[[Category:Europe]]

Belgium

2017-11-23T16:29:14Z

Thomas Herlea: Yeah, we don't have the Greek god on the chapter board, just me.

{{Chapter Template|chaptername=Belgium|extra=The chapter leader is [mailto:seba@owasp.org Sebastien Deleersnyder]|mailinglistsite=http://lists.owasp.org/mailman/listinfo/owasp-belgium|emailarchives=http://lists.owasp.org/pipermail/owasp-belgium}}

= Local News =

== Upcoming events ==

=== Upcoming chapter meetings ===
* [[Belgium_Events_2017#Upcoming_Meeting_.2829_May_2017.29_in_Machelen|29 May 2017 in Machelen]]
* others to be decided

See https://www.owasp.org/index.php/Belgium#Chapter_Meetings for more details.

== '''Stay in touch''' ==

<center>
{| cellspacing="15"
|-
| [[Image:Meetup-logo-2x.png|120px|link=http://www.meetup.com/Belgium-OWASP-Open-Web-Application-Security-Project/]]
| [[Image:Join the list.png|150px|link=http://lists.owasp.org/mailman/listinfo/owasp-belgium]]
| [[Image:Follow-us-on-twitter.png|175px|link=https://twitter.com/owasp_be]]
| [[Image:Linkedin-button.gif|135px|link=https://www.linkedin.com/groups/37865]]
|}
</center>
If you want to be invited for the next OWASP Belgium Chapter meetings, please [http://eepurl.com/iFZtb drop us your contact info].

== Structural Sponsors 2017 ==

OWASP Belgium thanks its structural chapter supporters for 2017 and the OWASP BeNeLux Days 2016:

[[File:VeraCode logo.png|250px|link=https://www.veracode.com]]
[[File:Vest.jpg|250px|link=http://www.vest.nl]]
[[File:Intigriti_verticaal.jpg|link=http://www.intigriti.be]]
[[File:Ecurify-2016.png|link=http://www.securify.nl]]
[[File:HPE_logo_250.png|link=http://www8.hp.com/nl/nl/software-solutions/enterprise-security.html]]
[[File:LogoToreon.jpg|250px|link=https://www.toreon.com]]
[[File:Zionsecurity.jpg|link=http://www.zionsecurity.com]]
[[File:Nviso_logo_RGB_baseline_200px.png|link=http://www.nviso.be]]
[[File:Whitehat-security_hor.jpg|link=http://www.whitehatsec.com]]

If you want to support our chapter, please contact [mailto:seba@owasp.org Seba Deleersnyder]

= Chapter Meetings =

{{:Belgium_Events_2017}}
{{:Belgium_Events_2016}}

== Previous Years ==
*Events held in [[Belgium Events 2015|2015]]
*Events held in [[Belgium Events 2014|2014]]
*Events held in [[Belgium Events 2013|2013]]
*Events held in [[Belgium Events 2012|2012]]
*Events held in [[Belgium Events 2011|2011]]
*Events held in [[Belgium Events 2010|2010]]
*Events held in [[Belgium Events 2009|2009]]
*Events held in [[Belgium Events 2008|2008]]
*Events held in [[Belgium Events 2007|2007]]
*Events held in [[Belgium Events 2006|2006]]
*Events held in [[Belgium Events 2005|2005]]

= Belgium OWASP Chapter Leaders =

The Belgium Chapter is supported by the following board:

*Sebastien Deleersnyder, Toreon
*Erwin Geirnaert, Zion Security
*Philippe Bogaerts, AviNetworks
*Lieven Desmet, KU Leuven
*Bart De Win, PWC
*David Mathy, Freelance
*Adolfo Solero, Freelance
*Stella Dineva, Ingenico Payment Services
*Thomas Herlea, NVISO

Our goal is to professionalize the local OWASP functioning, provide in a bigger footprint to detect OWASP opportunities such as speakers/topics/sponsors/… and set a 5 year target on: Target audiences, Different events and Interactions of OWASP global – local projects.
__NOTOC__ <headertabs></headertabs>
[[Category:Europe]]