
Difference between revisions of "BeNeLux OWASP Day 2016-2"

(PWN Android Apps with your Custom Built Toolbox)
 
(94 intermediate revisions by 4 users not shown)
Line 7: Line 7:
 
= Information  =
 
= Information  =
  
== OWASP BeNeLux Announcement  ==
 
  
* The Call for speakers is open!
+
== Confirmed speakers Conference ==
 
+
{{#switchtablink:Conferenceday|<p>
== Call for Speakers ==
+
* Bart Preneel > <u>Closing keynote:</u> The Future of Security
 
+
* Yorick Koster - The State of Security of WordPress (plugins)
OWASP AppSec conferences are true security conferences with all talks and presentations focusing on various areas of information security. Topics should focus on the technical and social aspects of security, and should not contain marketing or sales pitches.
+
* Daniel Kefer > Handling of Security Requirements in Software Development Lifecycle
 
+
* Sebastian Lekies > Securing AngularJS Applications
We encourage and prioritize submissions covering research and new work impacting:
+
* Zakaria Rachid > Zap it !
 
+
* Dario Incalza > Securing Android Applications
* Secure development of web applications.
+
* Giancarlo Pellegrino > Compression Bombs Strike Back
* Security testing of web applications.
+
* Tom Van Goethem > Stealing Secrets through Browser-based Side-channel Attacks
* Security of DevOps processes, architectures, and tools.
+
}}
* Security of applications designed for mobile devices.
 
* Security of Internet of Things devices and platforms.
 
* Cloud platform security
 
* Browser security
 
* HTML5 security
 
* OWASP tools or projects in practice
 
  
'''Terms'''
 
 
By your submission you agree to the OWASP [https://www.owasp.org/index.php/Speaker_Agreement Speaker Agreement]. It requires that you use an OWASP [https://www.owasp.org/images/7/76/OWASP_Presentation_Template.zip presentation template] or other non-branded template. Presentations may not use company-themed decks or include a company logo except on the speaker bio slide. Failure to observe these requirements will result in talk removal.
 
 
All presentation slides will be published on the conference website. Pictures and other materials in presentations should not violate any copyrights. Presentation submitters are solely liable for copyright violations. You may choose any [http://creativecommons.org/licenses Creative Commons] license for your slides, including CC0. OWASP [http://creativecommons.org/licenses suggests the use of open licenses].
 
 
We will cover your travel expenses or costs for accommodations.
 
 
'''Deadlines'''
 
 
* Submission of proposal closes: 11 September, 2016 – 23:59
 
* Notification of acceptance: 2 October, 2016
 
* Conference Date:  25 November, 2016
 
 
'''Submission'''
 
 
To submit a proposal, please submit an abstract of your intended presentation (500 to 4000 characters), a brief biography (150 to 800 characters) and a headshot (combine multiple files in one zip file). Your planned presentation time is 40 minutes (excluding ~5 minutes for discussion and change of speaker). Feel free to attach a preliminary version of your presentation if available. Any proposal submitted is subject to a democratic vote by the program committee. Keep in mind: The better your description of the talk, the better picture the program committee will have to review your submission. Please proofread your submission; after approval your abstract, biography, and headshot will be published verbatim into the program and website.
 
 
Submission page: https://easychair.org/conferences/?conf=owaspbenelux162
 
 
 
 
== Confirmed speakers Conference ==
 
 
<!--
 
<!--
{{#switchtablink:Conferenceday| <p>
+
== OWASP BeNeLux conference is free, but registration is required! ==
* [[BeNeLux_OWASP_Day_2016#1st Speaker |TBD]]
+
[[image:Register_now_red.png|link=https://owasp-benelux-day-2016-2.eventbrite.com |alt=Register for the OWASP BeNeLux Day 2016 | Register for the OWASP BeNeLux Day 2016 ]]
* [[BeNeLux_OWASP_Day_2016#Stefan_Burgmair |Stefan Burgmair (OWASP Germany) ]]
 
* [[BeNeLux_OWASP_Day_2016#Erik_Poll |Erik Poll (Radboud University) ]]
 
* [[BeNeLux_OWASP_Day_2016#Arne_Swinnen | Arne Swinnen (Nviso)]]
 
* [[BeNeLux_OWASP_Day_2016#Glenn_Ten_Cate |Glenn Ten Cate]] & [[BeNeLux_OWASP_Day_2016#Riccardo_Ten_Cate | Riccardo Ten Cate ]]
 
* [[BeNeLux_OWASP_Day_2016#Christian Schneider | Christian Schneider]] & Alvaro Muñoz (HPE)
 
* [[BeNeLux_OWASP_Day_2016#Michael_Hamm | Michael Hamm (CIRCL - Computer Incident Response Center Luxembourg)]]
 
* [[BeNeLux_OWASP_Day_2016#Kevin_Allix | Kevin Allix (University of Luxembourg)]]
 
}}
 
 
-->
 
-->
  
Line 79: Line 41:
 
= Registration =
 
= Registration =
  
== OWASP BeNeLux training day and conference are free, but registration is required! ==
 
  
 +
== OWASP BeNeLux conference is free, but registration is required! ==
 +
[[image:Register_now_red.png|link=https://owasp-benelux-day-2016-2.eventbrite.com |alt=Register for the OWASP BeNeLux Day 2016 | Register for the OWASP BeNeLux Day 2016 ]]
 +
 +
== OWASP BeNeLux training is reserved for OWASP members, and registration is required! ==
 +
To support the OWASP organisation, we ask training attendees to become an OWASP member; it's only US$50!
 +
Students and faculty are invited to become members as well, but can attend for free.
 +
Check out the [[Membership]] page to find out more.
 +
 +
[https://owasp-benelux-day-2016-2.eventbrite.com Register now!]
  
 
<br>
 
<br>
Line 90: Line 60:
  
 
<!-- Third tab -->
 
<!-- Third tab -->
 +
 
= Venue =
 
= Venue =
  
== Venue is ==
+
== Venue  ==
  
Hosted by [https://distrinet.cs.kuleuven.be iMinds-Distrinet Research Group (KU Leuven)].
+
The venue is hosted by [https://distrinet.cs.kuleuven.be imec-Distrinet Research Group (KU Leuven)].
  
Address: <br>
+
'''Address:''' <br>
Department of Computer Science (foyer at ground floor)<br> Celestijnenlaan 200 A<br> 3001 Heverlee  
+
''Department of Computer Science (foyer at ground floor)''<br>
 +
''Celestijnenlaan 200 A''<br>
 +
''3001 Heverlee''
  
 
=== How to reach the venue? ===
 
=== How to reach the venue? ===
  
[http://googlemapsinterface.kuleuven.be/index.cgi?lang=N&nbol=(50.864186697481145,%204.678754210472107)&zoomlevel=17&plaatsnaam=Department+of+Computer+Science&maptype=roadmap google maps]
+
https://distrinet.cs.kuleuven.be/about/route/
 
 
==== By car ====
 
 
 
 
 
==== By train ====
 
  
 
=== Hotel nearby ===
 
=== Hotel nearby ===
  
 +
* [http://www.lodge-hotels.be/en/hotels/b/the-lodge-heverlee-1 Hotel The Lodge Heverlee]
 +
* [http://www.boardhouse.be/en/ BoardHouse Hotel]
 +
* [http://www.lavan.be B&B Lavan]
 +
* [http://www.accorhotels.com/gb/hotel-8519-ibis-leuven-heverlee/index.shtml Hotel Ibis Leuven Heverlee]
 +
* [http://www.bchotel.be/en/ Begijnhof Hotel Leuven]
 +
<!-- Fourth tab -->
  
<!-- Fourth tab -->
 
 
= Trainingday =
 
= Trainingday =
 
=== Trainingday is November 24th  ===
 
=== Trainingday is November 24th  ===
Line 119: Line 92:
 
== Agenda ==
 
== Agenda ==
 
{| class="wikitable"
 
{| class="wikitable"
! Time !! Description !! Room 4.320 !! Room 4.350 !! Room 4.360 !! Room 4.400
+
! Time !! Description !! Room TBA !! Room TBA !! Room TBA
 
|-
 
|-
 
| 08h30 - 9h30
 
| 08h30 - 9h30
Line 126: Line 99:
 
| 09h30 - 11h00 || Training
 
| 09h30 - 11h00 || Training
 
| rowspan="7" style="width:100px;" | [[BeNeLux_OWASP_Day_2016-2#Breakers, defenders and superheroes! | Breakers, defenders and superheroes!]] <br>by [[BeNeLux_OWASP_Day_2016-2#Riccardo ten Cate | Riccardo ten Cate]]
 
| rowspan="7" style="width:100px;" | [[BeNeLux_OWASP_Day_2016-2#Breakers, defenders and superheroes! | Breakers, defenders and superheroes!]] <br>by [[BeNeLux_OWASP_Day_2016-2#Riccardo ten Cate | Riccardo ten Cate]]
| rowspan="7" style="width:100px;" | [[BeNeLux_OWASP_Day_2016-2#Handling of Security Requirements in Development Lifecycle | Handling of Security Requirements in Development Lifecycle]] <br>by [[BeNeLux_OWASP_Day_2016-2#Daniel Kefer | Daniel Kefer]]
 
 
| rowspan="7" style="width:100px;" | [[BeNeLux_OWASP_Day_2016-2#PWN Android Apps with your Custom Built Toolbox | PWN Android Apps with your Custom Built Toolbox]] <br>by [[BeNeLux_OWASP_Day_2016-2#Steven Wierckx | Steven Wierckx]]
 
| rowspan="7" style="width:100px;" | [[BeNeLux_OWASP_Day_2016-2#PWN Android Apps with your Custom Built Toolbox | PWN Android Apps with your Custom Built Toolbox]] <br>by [[BeNeLux_OWASP_Day_2016-2#Steven Wierckx | Steven Wierckx]]
| rowspan="7" style="width:100px;" | Forth training 
+
| rowspan="7" style="width:100px;" | [[BeNeLux_OWASP_Day_2016-2#Why_simply_deploying_HTTPS_will_not_get_you_an_A.2B_grade | Why simply deploying HTTPS will not get you an A+ grade]] <br> by [[BeNeLux_OWASP_Day_2016-2#Philippe_De_Ryck | Philippe De Ryck]]
 
|-
 
|-
 
| 11h00 - 11h30 ||  ''Coffee Break''
 
| 11h00 - 11h30 ||  ''Coffee Break''
Line 157: Line 129:
 
* File upload injections  
 
* File upload injections  
 
* Server side template injections
 
* Server side template injections
* Authentication and authorization  
+
* Authentication and authorization
 
 
====Prerequisites for this workshop====
 
More's coming...
 
 
 
=== Handling of Security Requirements in Development Lifecycle ===
 
  
The bigger the company you're working in, the more technologies and methodologies used by development teams you are going to face. At the same time, you want to address security risks in an appropriate, reliable and traceable way for all of them.

After a short introduction of a unified process for handling security requirements in a large company, the main part of the talk is going to focus on a tool called SecurityRAT (Requirement Automation Tool) which has been developed in order to support and accelerate this process. The goal of the tool is first to provide a list of relevant security requirements according to properties of the developed software, and afterwards to handle these in a mostly automated way - integration with an issue tracker being used as a core feature.

The tool was open sourced in May 2016 (available at https://github.com/SecurityRAT) and is continuously being further developed since then. The newest implemented features, work in progress and future plans will form the last part of the talk.
 
  
 
=== PWN Android Apps with your Custom Built Toolbox ===
 
=== PWN Android Apps with your Custom Built Toolbox ===
Line 191: Line 140:
  
 
====More details in the course description====
 
====More details in the course description====
Download the full training description
+
[https://www.owasp.org/images/c/ce/Androidapplicationtestingbootcamp_5_-_OWASP_BeNeLux_days_2016-2.pdf Download the full training description]
 +
 
 +
 
 +
=== Why simply deploying HTTPS will not get you an A+ grade ===
 +
20 years after the introduction of HTTPS, it is finally moving towards widespread adoption. As more and more web sites are enabling HTTPS, the attention to correct deployments increases as well. Tools such as Qualys’ SSL Labs server test make it easy to verify the quality of any domain’s HTTPS deployment, but at the same time show how challenging it is to receive an A+ grade. While the initial deployment of HTTPS may seem straightforward, correctly deploying HTTPS is a daunting task. In this session, participants will learn through hands-on experience how to deploy HTTPS correctly, and how it impacts a Web application. We will cover common Web attacks on HTTPS, and how they are countered by the newest HTTPS security policies, such as HTTP Strict Transport Security (HSTS) and HTTP Public Key Pinning (HPKP).
 +
 
 +
The learning objectives for this session are:
 +
* Learning how to deploy HTTPS correctly, with strong ciphers and forward secrecy
 +
* Understanding the intricacies of HTTPS, and its impact on a Web application, especially in combination with HTTP
 +
* Understanding common Web attacks against HTTPS, and the newest browser-enforced security policies that counter them
  
 
== Trainers ==
 
== Trainers ==
 
===Riccardo ten Cate===
 
===Riccardo ten Cate===
 
As a penetration tester and software developer from the Netherlands, Riccardo is specialized in web-application security and has extensive knowledge in securing web applications in multiple coding languages.
 
As a penetration tester and software developer from the Netherlands, Riccardo is specialized in web-application security and has extensive knowledge in securing web applications in multiple coding languages.
 
===Daniel Kefer===
 
Daniel has been working in the application security field since 2007. Having started as a penetration tester, he soon became passionate about proactive security efforts and working closely with developers. Since 2011 he has been working for 1&1 where he focuses on design and continuous improvement of the internal secure SDLC process and its implementation in different development departments. Apart from 1&1, he also works as a volunteer for the OWASP SAMM project.
 
  
 
===Steven Wierckx===
 
===Steven Wierckx===
 
I’m a Software and Security Tester with 15 years of experience in programming, security testing, source code review, test automation, functional and technical analysis, development and database design.  I’m a team player with a constant drive to learn new things. I have a passion for web application security and I write articles for several professional magazines with regards to that topic. I have created several courses on testing software for security problems and I teach courses on secure coding, security awareness, security testing and threat modelling.
 
I’m a Software and Security Tester with 15 years of experience in programming, security testing, source code review, test automation, functional and technical analysis, development and database design.  I’m a team player with a constant drive to learn new things. I have a passion for web application security and I write articles for several professional magazines with regards to that topic. I have created several courses on testing software for security problems and I teach courses on secure coding, security awareness, security testing and threat modelling.
  
 +
=== Philippe De Ryck ===
 +
Philippe De Ryck holds a PhD in computer science and is specialized in client-side Web security. Philippe focuses on a sustainable knowledge transfer of his expertise in Web security towards industry partners, mainly through training courses and public dissemination activities. Within iMinds-DistriNet, Philippe leads the Web Security-related training activities.
 
<!-- Fifth tab -->
 
<!-- Fifth tab -->
  
Line 218: Line 169:
 
{| class="wikitable"
 
{| class="wikitable"
 
! width="120pt" | Time
 
! width="120pt" | Time
! width="190pt" | Speaker !! Topic
+
! width="190pt" | Speaker  
! width="140pt" | Presentation
+
! width="400pt" | Topic
 +
! width="100pt" | Slides
 
|-  
 
|-  
 
| 08h30 - 09h00
 
| 08h30 - 09h00
Line 227: Line 179:
 
| colspan="3" style="text-align: center; background: grey; color: white" | ''Opening''
 
| colspan="3" style="text-align: center; background: grey; color: white" | ''Opening''
 
|-  
 
|-  
| 09h15 - 10h00 || 1st Speaker
+
| 09h15 - 10h00 || [[BeNeLux_OWASP_Day_2016-2#Dario Incalza | Dario Incalza]]
|| 1st talk
+
|| [[BeNeLux_OWASP_Day_2016-2#Securing Android Applications | Securing Android Applications]]
|| TBD
+
|| [https://www.owasp.org/images/6/67/Benelux_day_20161125_D_Incalza_Securing_Android_Applications.pdf Download]
 
|-
 
|-
| 10h00 - 10h45 || 2nd Speaker
+
| 10h00 - 10h45 || [[BeNeLux_OWASP_Day_2016-2#Yorick Koster | Yorick Koster]]
|| 2nd talk
+
||   [[BeNeLux_OWASP_Day_2016-2#The State of Security of WordPress (plugins) | The State of Security of WordPress (plugins)]]
|| TBD
+
|| [https://www.owasp.org/images/f/fc/Benelux_day_20161125_Y_Koster_State_security_wordpress_plugins.pdf Download]
 
|-
 
|-
 
| 10h45 - 11h15  
 
| 10h45 - 11h15  
 
| colspan="3" style="text-align: center;background: grey; color: white" | ''Morning Break''  
 
| colspan="3" style="text-align: center;background: grey; color: white" | ''Morning Break''  
 
|-
 
|-
| 11h15 - 12h00 || 3rd Speaker
+
| 11h15 - 12h00 || [[BeNeLux_OWASP_Day_2016-2#Sebastian Lekies | Sebastian Lekies]]
|| 3rd talk
+
|| [[BeNeLux_OWASP_Day_2016-2#Securing AngularJS Applications | Securing AngularJS Applications]]
|| TBD
+
|| [https://www.owasp.org/images/6/6e/Benelus_day_20161125_S_Lekies_Securing_AngularJS_Applications.pdf Download]
 
|-
 
|-
| 12h00 - 12h45 || 4th Speaker
+
| 12h00 - 12h45 || [[BeNeLux_OWASP_Day_2016-2#Giancarlo Pellegrino | Giancarlo Pellegrino]]
|| 4th Talk
+
|| [[BeNeLux_OWASP_Day_2016-2#Compression Bombs Strike Back | Compression Bombs Strike Back]]
|| TBD
+
|| [https://www.owasp.org/images/c/c9/Benelux_day_20161125_G_Pellegrino_CompressionBombsStrikeBack.pdf Download]
 
|-
 
|-
 
| 12h45 - 13h45
 
| 12h45 - 13h45
 
| colspan="3" style="text-align: center;background: grey; color: white" | ''Lunch''  
 
| colspan="3" style="text-align: center;background: grey; color: white" | ''Lunch''  
 
|-
 
|-
| 13h45 - 14h30 || 5th Speaker
+
| 13h45 - 14h30 || [[BeNeLux_OWASP_Day_2016-2#Zakaria Rachid | Zakaria Rachid]]
|| 5th Talk
+
|| [[BeNeLux_OWASP_Day_2016-2#Zap it ! | Zap it !]]
|| TBD
+
||
 
|-
 
|-
| 14h30 - 15h15 || 6th Speaker
+
| 14h30 - 15h15 || [[BeNeLux_OWASP_Day_2016-2#Tom Van Goethem | Tom Van Goethem]]
|| 6th Talk
+
|| [[BeNeLux_OWASP_Day_2016-2#Stealing Secrets through Browser-based Side-channel Attacks | Stealing Secrets through Browser-based Side-channel Attacks]]
|| TBD
+
||
 
|-
 
|-
 
| 15h15 - 15h45
 
| 15h15 - 15h45
 
| colspan="3" style="text-align: center;background: grey; color: white" | ''Break''  
 
| colspan="3" style="text-align: center;background: grey; color: white" | ''Break''  
 
|-
 
|-
| 15h45 - 16h30 || 7th Speaker
+
| 15h45 - 16h30 || [[BeNeLux_OWASP_Day_2016-2#Daniel Kefer | Daniel Kefer]]
|| 7th Talk
+
|| [[BeNeLux_OWASP_Day_2016-2#Handling of Security Requirements in Software Development Lifecycle | Handling of Security Requirements in Software Development Lifecycle]]
|| TBD
+
|| [https://www.owasp.org/images/9/91/Benelux_day_20161125_D_Kefer_Handling_of_Security_Requirements_in_Software_Development_Lifecycle.pdf Download]
 
|-
 
|-
| 15h15 - 15h45
+
| 16h30 - 17h15
 +
| [[BeNeLux_OWASP_Day_2016-2#Bart Preneel | Bart Preneel]]
 +
| [[BeNeLux_OWASP_Day_2016-2#Closing Keynote: The Future of Security | <u>Closing Keynote:</u> The Future of Security]]
 +
|| [https://www.owasp.org/images/2/2c/Benelux_day_20161125_B_Preneel_Future_security.pdf Download]
 +
|-
 +
| 17h15 - 17h30
 
| colspan="3" style="text-align: center;background: grey; color: white" | ''Closing''  
 
| colspan="3" style="text-align: center;background: grey; color: white" | ''Closing''  
 
|}
 
|}
Line 273: Line 230:
  
 
== Talks ==  
 
== Talks ==  
=== Placeholder ===
+
=== The State of Security of WordPress (plugins) ===
 +
Last July, we organised the Summer of Pwnage (sumofpwn.nl) targeting WordPress and WordPress Plugins. This has resulted in 118 findings; mostly affecting WordPress Plugins, but also WordPress Core. Looking at the reported types of vulnerabilities, by far the most reported type is Cross-Site Scripting. The majority of Cross-Site Scripting vulnerabilities were of the reflected type where the victim has to click on a malicious link or visit a malicious website (or advertisement). A fair share of them were stored though, and some of them even pre-auth.
 +
 
 +
Does this mean that WordPress is inherently insecure or is it just the Plugin ecosystem? In this talk, I'll present our view on the (in)security of WordPress and WordPress Plugins. In addition, I'll show how a WordPress installation can be compromised using Cross-Site Scripting (and how to protect) and a generic way to get remote code execution through PHP Object Injection will be demonstrated.
 +
 
 +
===Securing AngularJS Applications===
 +
Since its birth, the Web evolved from a system to share and view scientific documents to a full-blown platform for sophisticated applications. While in the beginning most Web applications were implemented purely on the server-side, modern ones heavily rely on client-side components.
 +
 
 +
AngularJS is the latest addition in this process. Within an Angular application the server is merely a data storage facility with a few additional access checks. The core of the application is running on the client-side.
 +
 
 +
As Angular is specifically designed to work on the client-side, it attempts to remove the main points of friction for developers. By providing a templating system, two-way bindings and custom directives, DOM interactions can be reduced to a bare minimum.
 +
 
 +
From a security point of view this is very interesting as Angular removes the need for using some DOM APIs with very sharp edges (innerHTML, document.write). On the other hand, Angular introduces new ways of approaching application development that are largely unexplored in terms of security.
 +
 
 +
This talk provides an in-depth introduction to the security of Angular applications. It first introduces the core design ideas and security principles of AngularJS. Then, based on the experience of the Google Security Team, it shows common security pitfalls that are specific to Angular applications. In general, the talk covers Angular's string interpolation functionality, strict auto-escaping templates, URL-based directives and insecure legacy APIs. All the presented issues are based on real-world bugs. The talk will demonstrate how to find and prevent these issues in practice.
 +
 
 +
===Compression Bombs Strike Back===
 +
Network services often use data compression to reduce protocol message size. However, if data compression is not properly implemented, it can render entire applications vulnerable to DoS attacks. Abusing data compression to exhaust system resources is an old trick. For example, a zip bomb is a recursively highly-compressed file archive prepared with the only goal of exhausting the resources of programs that attempt to inspect its content. This attack was brought to the community's attention in 1996 to mount DoS attacks against bulletin board systems.
 +
 
 +
While this may now seem an old, unsophisticated, and easily avoidable threat, we discovered that developers did not fully learn from prior mistakes. We looked at three protocols (i.e., HTTP, XMPP, and IMAP) and 11 network services including popular ones (e.g., Apache HTTPD, Tomcat, Prosody, and OpenFire) and discovered that the risks of supporting data compression are still often overlooked.
 +
 
 +
In this talk, we will walk through data amplification attacks starting from the evergreen zip bomb and xml bomb attacks until our recent results. We will present the current use of data compression in several popular protocols and network services, and 12 common mistakes that we observed at the implementation, specification, and configuration levels. In this talk, we will also present already patched resource exhaustion vulnerabilities which could have been used to perform Denial of Service attacks against popular services.
 +
 
 +
===Closing Keynote: The Future of Security===
 +
Computers are still getting faster by a factor of two every 18 months, and the doubling time for memory and communications is even smaller. An increasing number of experts is developing and deploying ever more sophisticated security techniques. But cybersecurity incidents multiply and are more prominent in the media. Will the cloud and the Internet of Things offer us a secure infrastructure? Or are we heading for a security and privacy nightmare? What is the role of governments, companies and individuals? Do we need backdoors in security technologies to balance privacy and security? This seminar tries to answer these questions.
 +
 
 +
===Handling of Security Requirements in Software Development Lifecycle===
 +
The bigger the company you're working in, the more technologies and methodologies used by development teams you are going to face. At the same time, you want to address security risks in an appropriate, reliable and traceable way for all of them.
 +
 
 +
After a short introduction of a unified process for handling security requirements in a large company, the main part of the talk is going to focus on a tool called SecurityRAT (Requirement Automation Tool) which has been developed in order to support and accelerate this process. The goal of the tool is first to provide a list of relevant security requirements according to properties of the developed software, and afterwards to handle these in a mostly automated way - integration with an issue tracker being used as a core feature. Work in progress and future plans will form the last part of the talk.
 +
 
 +
===Zap it !===
 +
The OWASP Zed Attack Proxy (ZAP) is one of the world’s most popular and best maintained free security tools. In this talk we will cover some of the basic features of Zap and deep dive in some advanced features. We will also cover the ways you can use ZAP in your applications SDL.
 +
 
 +
===Stealing Secrets through Browser-based Side-channel Attacks===
 +
Browsers are becoming increasingly more complex. New features are added on a virtually daily basis in order to accommodate the most exotic use cases, allow the millions of lines of JavaScript code to be executed even faster, or provide the foundation for extremely accurate analytics. Combined with the well-known security principle that an increase in functionality results in a larger attack surface, browsers are becoming a more and more interesting target for adversaries.
 +
In this talk, we will focus on a class of attacks that is often overlooked, namely side-channel attacks. Among other things, we will explore the causes for these newly discovered side-channel attacks, and how these can be leveraged to extract sensitive information, such as CSRF tokens, from web pages. Finally, we will analyse the various techniques that can be used to defend against these attacks.
 +
 
 +
===Securing Android Applications===
 +
In this talk we will discuss the attack surfaces of an Android application and some best practice security implementations specific for Android applications. We will cover cryptography, code protection techniques and network security implementations.
 +
 
 
== Speakers ==  
 
== Speakers ==  
=== Placehoder===
+
===Yorick Koster===
Speaker information comes here
+
Yorick Koster is co-founder of Securify, an information security company focusing on all aspects of software security. Securify helps organisations to (proactively) secure their web and mobile applications, from design to go-live. In this, we take a proactive approach (Build Security In) to catch and prevent vulnerabilities early, when they are still easy and cheap to fix.
 +
 
 +
Yorick has more than 10 years of experience in the field of software security and has found security vulnerabilities in a wide range of applications, including Internet Explorer, Office, .NET Framework, Adobe Reader, and WordPress.
 +
 
 +
===Sebastian Lekies===
 +
Sebastian Lekies is an Information Security Engineer at Google and a PhD Student at the Ruhr-University Bochum. His research interests encompass client-side Web application security and Web application security testing. He graduated from University of Mannheim with a M.Sc. in Business Information Systems. At Google, Sebastian is part of the Security Test Engineering team that develops Google’s internal Web application security scanner and the externally facing Cloud Security Scanner (https://cloud.google.com/tools/security-scanner/). Before joining Google, Sebastian was part of SAP’s Security Research team, where he conducted academic research in the area of client-side Web application security. Sebastian is regularly speaking at academic and non-academic security conferences all around the world. He spoke at BlackHat US/EU/Asia, DeepSec, OWASP AppSec EU, Usenix Security, CCS, and many more...
 +
 
 +
===Giancarlo Pellegrino===
 +
Giancarlo Pellegrino is a postdoctoral researcher of the System Security group at CISPA, Saarland University, in Germany. His main research interests include all aspects of web application security, in particular security testing (black and white-box) and vulnerability analysis. Prior to joining CISPA, Giancarlo worked at TU Darmstadt, Germany, and was a member of the S3 group at EURECOM, in France. Until August 2013, he was a Research Associate in the "Security and Trust" research group at SAP SE.
 +
 
 +
===Bart Preneel===
 +
Bart Preneel received the Electr. Eng. and Ph.D. degrees from the KU Leuven (Belgium). He is a Full Professor at the KU Leuven where he heads the COSIC research group. He was visiting professor at five universities in Europe. He has authored more than 400 scientific publications and is the inventor of 4 patents. Bart Preneel has participated in more than 30 EU funded projects and has coordinated five of those including the EU NoE ECRYPT. He has served as panel member and chair for the European Research Council. Since 1997 he has been serving on the Board of Directors of the IACR (International Association for Cryptologic Research), from 2002-2007 as vice president and from 2008-2013 as president. He is a member of the Permanent Stakeholders group of ENISA and of the Academia Europaea. He has served on the advisory board of several companies and EU projects. He has served as program chair of 15 international conferences and he has been invited speaker at more than 90 conferences in 40 countries. In 2014 he received the RSA Award for Excellence in the Field of Mathematics.
 +
 
 +
===Daniel Kefer===
 +
Daniel Kefer has been working in the application security field since 2007. Having started as a penetration tester, he soon became passionate about proactive security efforts and working closely with developers. Since 2011 he has been working for 1&1 where he focuses on design and continuous improvement of the internal secure SDLC process and its implementation in different development departments. Apart from 1&1, he also works as a volunteer for the OWASP OpenSAMM project.
 +
 
 +
===Zakaria Rachid===
 +
Zakaria Rachid is a security consultant with some years of intense computing and security experience in critical environments (Telcos, mil...). He specializes in penetration testing, web application security and trolling.
 +
 
 +
===Tom Van Goethem===
 +
Tom Van Goethem is a PhD researcher at the University of Leuven with a keen interest in web security and online privacy. In his research, Tom performs large-scale security experiments, both to analyze the presence of good and bad security practices on the web, as well as to demystify security claims. More recently, Tom started exploring side-channel attacks in the context of the web. In an attempt to make the web a safer place, Tom on occasion rummages the web in search of vulnerabilities.
 +
 
 +
===Dario Incalza===
 +
I am a pre-sales and security engineer at GuardSquare. In my spare time I like breaking applications and most importantly securing them. I regularly speak at Android conferences about all things Android and security. I tweet at @h4oxer.
  
 
<!-- Sixth tab -->
 
<!-- Sixth tab -->
 +
 
= Social Event =
 
= Social Event =
  
 
== Social Event, starting at 7PM ==
 
== Social Event, starting at 7PM ==
Social Event information
+
 
 +
For those who want to join for dinner, we would like to suggest gathering at the '''[http://www.wokdynasty.be/heverlee/en/#!/home Wok Dynastie Heverlee] restaurant'''.
 +
 
 +
The restaurant offers a nice [http://www.wokdynasty.be/heverlee/en/#!/menu open buffet] for 25.50 EUR.
 +
 
 +
<div>http://www.wokdynasty.be/galleries/Heverlee/Wok%20Dynasty%20001.jpg</div>
 +
 
 +
 
 +
<div>http://www.wokdynasty.be/galleries/Heverlee/Wok%20Dynasty%20176.jpg</div>
  
 
<!-- Seventh tab -->
 
<!-- Seventh tab -->
Line 297: Line 326:
  
 
The sponsorship will also be dedicated to cover the costs of the OWASP 2016 BeNeLux event.
 
The sponsorship will also be dedicated to cover the costs of the OWASP 2016 BeNeLux event.
 +
 +
<!-- Eighth tab -->
 +
= Call for Speakers  =
 +
 +
== Call for Speakers ==
 +
 +
'''The call for Speakers is closed.
 +
See you next year!'''
 +
 +
OWASP AppSec conferences are true security conferences with all talks and presentations focusing on various areas of information security. Topics should focus on the technical and social aspects of security, and should not contain marketing or sales pitches.
 +
 +
We encourage and prioritize submissions covering research and new work impacting:
 +
 +
* Secure development of web applications.
 +
* Security testing of web applications.
 +
* Security of DevOps processes, architectures, and tools.
 +
* Security of applications designed for mobile devices.
 +
* Security of Internet of Things devices and platforms.
 +
* Cloud platform security
 +
* Browser security
 +
* HTML5 security
 +
* OWASP tools or projects in practice
 +
 +
'''Terms'''
 +
 +
By your submission you agree to the OWASP [https://www.owasp.org/index.php/Speaker_Agreement Speaker Agreement]. It requires that you use an OWASP [https://www.owasp.org/images/7/76/OWASP_Presentation_Template.zip presentation template] or other non-branded template. Presentations may not use company-themed decks or include a company logo except on the speaker bio slide. Failure to observe these requirements will result in talk removal.
 +
 +
All presentation slides will be published on the conference website. Pictures and other materials in presentations should not violate any copyrights. Presentation submitters are solely liable for copyright violations. You may choose any [http://creativecommons.org/licenses Creative Commons] license for your slides, including CC0. OWASP [http://creativecommons.org/licenses suggests the use of open licenses].
 +
 +
We will cover your travel expenses or costs for accommodations.
 +
 +
'''Deadlines'''
 +
 +
* Submission of proposal closes: 11 September, 2016 – 23:59
 +
* Notification of acceptance: 2 October, 2016
 +
* Conference Date:  25 November, 2016
 +
 +
'''Submission'''
 +
 +
To submit a proposal, please submit an abstract of your intended presentation (500 to 4000 characters), a brief biography (150 to 800 characters) and a headshot (combine multiple files in one zip file). Your planned presentation time is 40 minutes (excluding ~5 minutes for discussion and change of speaker). Feel free to attach a preliminary version of your presentation if available. Any proposal submitted is subject to a democratic vote by the program committee. Keep in mind: The better your description of the talk, the better picture the program committee will have to review your submission. Please proofread your submission; after approval your abstract, biography, and headshot will be published verbatim into the program and website.
 +
 +
Submission page: https://easychair.org/conferences/?conf=owaspbenelux162
 +
  
  
Line 304: Line 376:
 
<headertabs/>
 
<headertabs/>
  
=== Hosted and co-organized by ===  
+
=== Hosted and co-organized by ===
 +
 
 +
[https://distrinet.cs.kuleuven.be https://www.owasp.org/images/4/4a/Logo_distrinet.png]
  
 
=== Made possible by our {{#switchtablink:Sponsor|Sponsors}}===
 
=== Made possible by our {{#switchtablink:Sponsor|Sponsors}}===
  
<br>
+
'''Gold:'''
 +
 
 +
[[File:VeraCode logo.png|250px|link=https://www.veracode.com]]
 +
[http://www.vest.nl https://www.owasp.org/images/6/67/Vest.jpg]
 +
[http://www.intigriti.be https://www.owasp.org/images/5/54/Intigriti_verticaal.jpg]
 +
[http://www.securify.nl https://www.owasp.org/images/9/92/Ecurify-2016.png]
 +
[http://www8.hp.com/nl/nl/software-solutions/enterprise-security.html https://www.owasp.org/images/e/e3/HPE_logo_250.png]
 +
 
 +
'''Silver:'''
 +
 
 +
[[File:LogoToreon.jpg|250px|link=https://www.toreon.com]]
 +
[http://www.zionsecurity.com https://www.owasp.org/images/e/e6/Zionsecurity.jpg]
 +
[http://www.nviso.be https://www.owasp.org/images/5/5e/Nviso_logo_RGB_baseline_200px.png]
 +
[https://www.whitehatsec.com/ https://www.owasp.org/images/a/ac/Whitehat-security_hor.jpg]
 +
[https://www.nixu.com/en/nixubenelux https://www.owasp.org/images/5/50/Nixu-logo.png]
  
[[File:LogoToreon.jpg|250px|link=http://www.toreon.com]]
+
'''Bronze:'''
[[File:VeraCode logo.png|250px|link=http://www.veracode.com]]
 
  
 +
[https://informatiebeveiliging.nl/ https://www.owasp.org/images/9/9a/Logo_Informatiebeveiliging-200.png]
 +
[https://www.netsparker.com/ https://www.owasp.org/images/8/88/200x60_netsparker_logo.png]
  
 
[[Category:OWASP_AppSec_Conference]] [[Category:OWASP_BeNeLux_Archives]]
 
[[Category:OWASP_AppSec_Conference]] [[Category:OWASP_BeNeLux_Archives]]

Latest revision as of 12:27, 11 February 2017




OWASP BeNeLux conference is free, but registration is required!

Register for the OWASP BeNeLux Day 2016

OWASP BeNeLux training is reserved for OWASP members, and registration is required!

To support the OWASP organisation, we ask training attendees to become an OWASP member; it's only US$50! Students and faculty are invited to become members as well, but can attend for free. Check out the Membership page to find out more.

Register now!


To support the OWASP organisation, consider becoming a member; it's only US$50!
Check out the Membership page to find out more.


Venue

The venue is hosted by imec-Distrinet Research Group (KU Leuven).

Address:
Department of Computer Science (foyer at ground floor)
Celestijnenlaan 200 A
3001 Heverlee

How to reach the venue?

https://distrinet.cs.kuleuven.be/about/route/

Hotel nearby

Trainingday is November 24th

Location

Agenda

Time            Description
08h30 - 09h30   Registration
09h30 - 11h00   Training (three parallel tracks, rooms TBA):
                  • Breakers, defenders and superheroes! by Riccardo ten Cate
                  • PWN Android Apps with your Custom Built Toolbox by Steven Wierckx
                  • Why simply deploying HTTPS will not get you an A+ grade by Philippe De Ryck
11h00 - 11h30   Coffee Break
11h30 - 13h00   Training
13h00 - 14h00   Lunch
14h00 - 15h30   Training
15h30 - 16h00   Coffee Break
16h00 - 17h30   Training

Trainings

Breakers, defenders and superheroes!

In the wonderful world of application security we often learn to break stuff, or we learn how to prevent hackers from breaking your stuff. In this training I would love to address some basic and advanced topics: not only teach developers how to properly test their code like a penetration tester, but also teach the penetration tester to think like a developer, so they really can deliver added value when instructing developers on how to fix their code like a baws!

Some of the topics I would like to address are:

  • Content security policy and how to defeat it with HTML injections
  • Advanced cross site scripting
  • Cross site request forgery
  • Mass Assignment (Parameter binding) attacks
  • External entity attacks
  • Path/directory traversal attacks (File inclusion attacks)
  • File upload injections
  • Server side template injections
  • Authentication and authorization


PWN Android Apps with your Custom Built Toolbox

Frustrated with the various tools and environments needed to perform mobile pentesting? All available Android test distributions have drawbacks and missing and/or non-working tools etc. Learn how to create your own customized mobile pentesting toolbox with the tools you really want/need.

Not sure which steps to follow when performing a mobile application security assessment? Our renowned trainer, Steven Wierckx, will show you which steps to follow and what issues to focus on.

More details in the course description

Download the full training description


Why simply deploying HTTPS will not get you an A+ grade

20 years after the introduction of HTTPS, it is finally moving towards widespread adoption. As more and more web sites are enabling HTTPS, the attention for correct deployments increases as well. Tools such as Qualys’ SSL Labs server test make it easy to verify the quality of any domain’s HTTPS deployment, but at the same time show how challenging it is to receive an A+ grade. While the initial deployment of HTTPS may seem straightforward, correctly deploying HTTPS is a daunting task. In this session, participants will learn through hands-on experience how to deploy HTTPS correctly, and how it impacts a Web application. We will cover common Web attacks on HTTPS, and how they are countered by the newest HTTPS security policies, such as HTTP Strict Transport Security (HSTS) and HTTP Public Key Pinning (HPKP).

The learning objectives for this session are:

  • Learning how to deploy HTTPS correctly, with strong ciphers and forward secrecy
  • Understanding the intricacies of HTTPS, and its impact on a Web application, especially in combination with HTTP
  • Understanding common Web attacks against HTTPS, and the newest browser-enforced security policies that counter them

Trainers

Riccardo ten Cate

As a penetration tester and software developer from the Netherlands Riccardo is specialized in web-application security and has extensive knowledge in securing web applications in multiple coding languages.

Steven Wierckx

I’m a Software and Security Tester with 15 years of experience in programming, security testing, source code review, test automation, functional and technical analysis, development and database design. I’m a team player with a constant drive to learn new things. I have a passion for web application security and I write articles for several professional magazines with regards to that topic. I have created several courses on testing software for security problems and I teach courses on secure coding, security awareness, security testing and threat modelling.

Philippe De Ryck

Philippe De Ryck holds a PhD in computer science and is specialized in client-side Web security. Philippe focuses on a sustainable knowledge transfer of his expertise in Web security towards industry partners, mainly through training courses and public dissemination activities. Within iMinds-DistriNet , Philippe leads the Web Security-related training activities.

Conferenceday is November 25th

Agenda

Time            Speaker               Topic                                                                Slides
08h30 - 09h00                         Registration
09h00 - 09h15                         Opening
09h15 - 10h00   Dario Incalza         Securing Android Applications                                        Download
10h00 - 10h45   Yorick Koster         The State of Security of WordPress (plugins)                         Download
10h45 - 11h15                         Morning Break
11h15 - 12h00   Sebastian Lekies      Securing AngularJS Applications                                      Download
12h00 - 12h45   Giancarlo Pellegrino  Compression Bombs Strike Back                                        Download
12h45 - 13h45                         Lunch
13h45 - 14h30   Zakaria Rachid        Zap it !
14h30 - 15h15   Tom Van Goethem       Stealing Secrets through Browser-based Side-channel Attacks
15h15 - 15h45                         Break
15h45 - 16h30   Daniel Kefer          Handling of Security Requirements in Software Development Lifecycle  Download
16h30 - 17h15   Bart Preneel          Closing Keynote: The Future of Security                              Download
17h15 - 17h30                         Closing


Talks

The State of Security of WordPress (plugins)

Last July, we organised the Summer of Pwnage (sumofpwn.nl) targeting WordPress and WordPress Plugins. This has resulted in 118 findings; mostly affecting WordPress Plugins, but also WordPress Core. Looking at the reported types of vulnerabilities, by far the most reported type is Cross-Site Scripting. The majority of Cross-Site Scripting vulnerabilities were of the reflected type where the victim has to click on a malicious link or visit a malicious website (or advertisement). A fair share of them were stored though, and some of them even pre-auth.

Does this mean that WordPress is inherently insecure or is it just the Plugin eco system? In this talk, I'll present our view on the (in)security of WordPress and WordPress Plugins. In addition, I'll show how a WordPress installation can be compromised using Cross-Site Scripting (and how to protect) and a generic way to get remote code execution through PHP Object Injection will be demonstrated.

Securing AngularJS Applications

Since its birth, the Web evolved from a system to share and view scientific documents to a full-blown platform for sophisticated applications. While in the beginning most Web applications were implemented purely on the server-side, modern ones heavily rely on client-side components.

AngularJS is the latest addition in this process. Within an Angular application the server is merely a data storage facility with a few additional access checks. The core of the application is running on the client-side.

As Angular is specifically designed to work on the client-side, it attempts to remove the main points of friction for developers. By providing a templating system, two-way bindings and custom directives, DOM interactions can be reduced to a bare minimum.

From a security point of view this is very interesting as Angular removes the need for using some DOM APIs with very sharp edges (innerHTML, document.write). On the other hand, Angular introduces new ways of approaching application development that are largely unexplored in terms of security.

This talk provides an in-depth introduction to the security of Angular applications. It first introduces the core design ideas and security principles of AngularJS. Then, based on the experience of the Google Security Team, it shows common security pitfalls that are specific to Angular applications. In particular, the talk covers Angular's string interpolation functionality, strict auto-escaping templates, URL-based directives and insecure legacy APIs. All the presented issues are based on real-world bugs. The talk will demonstrate how to find and prevent these issues in practice.

Compression Bombs Strike Back

Network services often use data compression to reduce protocol message size. However, if data compression is not properly implemented, it can render entire applications vulnerable to DoS attacks. Abusing data compression to exhaust system resources is an old trick. For example, a zip bomb is a recursively, highly-compressed file archive prepared with the only goal of exhausting the resources of programs that attempt to inspect its content. This attack was brought to the community's attention in 1996 to mount DoS attacks against bulletin board systems.

While this may now seem an old, unsophisticated, and easily avoidable threat, we discovered that developers did not fully learn from prior mistakes. We looked at three protocols (i.e., HTTP, XMPP, and IMAP) and 11 network services including popular ones (e.g., Apache HTTPD, Tomcat, Prosody, and OpenFire) and discovered that the risks of supporting data compression are still often overlooked.

In this talk, we will walk through data amplification attacks, starting from the evergreen zip bomb and XML bomb attacks up to our recent results. We will present the current use of data compression in several popular protocols and network services, and 12 common mistakes that we observed at the implementation, specification, and configuration levels. We will also present already patched resource exhaustion vulnerabilities which could have been used to perform Denial of Service attacks against popular services.
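As an added defensive illustration (not material from the talk or from this page): a bounded inflate routine that enforces an output cap and an amplification-ratio cap before the inflated data is materialised, exercised against a constructed highly-compressible payload standing in for a compression bomb. The payloads, limits and the `safe_inflate`/`classify` names are assumptions made for this example.

```python
import zlib

# Defaults chosen for the demo; a real service sizes these to the messages it expects.
MAX_OUTPUT = 64 * 1024   # hard cap on inflated bytes we are willing to hold in memory
MAX_RATIO = 50.0         # inflated/compressed above this is treated as amplification


class DecompressionBomb(ValueError):
    """Raised when inflating the input would exceed the configured output or ratio limits."""


def safe_inflate(data: bytes, max_output: int = MAX_OUTPUT,
                 max_ratio: float = MAX_RATIO) -> bytes:
    """Inflate a zlib stream without ever holding more than max_output (+1) bytes.

    decompressobj.decompress(max_length=...) emits at most max_length bytes per call and
    parks the unprocessed input in unconsumed_tail, so the cap is checked before the
    inflated data exists, not after a full decompression. Corrupt input raises zlib.error.
    """
    d = zlib.decompressobj()
    out = bytearray()
    tail = data
    while tail:
        # Ask for one byte beyond the cap: an over-limit stream is detected, never kept.
        out += d.decompress(tail, max_output + 1 - len(out))
        if len(out) > max_output:
            consumed = len(data) - len(d.unconsumed_tail)
            raise DecompressionBomb(
                f"inflated size exceeds {max_output} bytes after {consumed} input bytes")
        tail = d.unconsumed_tail
        if d.eof:
            break
    out += d.flush()
    if len(out) > max_output:
        raise DecompressionBomb(f"inflated size exceeds {max_output} bytes")
    ratio = len(out) / max(len(data), 1)
    if ratio > max_ratio:
        raise DecompressionBomb(f"amplification ratio {ratio:.0f}:1 exceeds {max_ratio:.0f}:1")
    return bytes(out)


# Constructed inputs for the demonstration (not captured traffic).
# 1 MiB of zero bytes deflates to roughly 1 KiB: an amplification of about 1000:1.
BOMB = zlib.compress(b"\x00" * (1024 * 1024), 9)
# An ordinary short message: small, with no meaningful amplification.
NORMAL = zlib.compress(b"<message to='alice@example.org'>hello</message>")


def classify(data: bytes, **limits) -> str:
    """Return 'ok' or the reason a payload was rejected (handy for logging and tests)."""
    try:
        safe_inflate(data, **limits)
        return "ok"
    except DecompressionBomb as exc:
        return f"rejected: {exc}"


if __name__ == "__main__":
    print(f"normal message ({len(NORMAL)} bytes compressed): {classify(NORMAL)}")
    print(f"constructed bomb ({len(BOMB)} bytes compressed): {classify(BOMB)}")
```

Raising the output cap alone is not enough: the ratio check still rejects the constructed payload, which is the failure mode a service that only limits request size misses.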

Closing Keynote: The Future of Security

Computers are still getting faster by a factor of two every 18 months, and the doubling time for memory and communications is even shorter. An increasing number of experts are developing and deploying ever more sophisticated security techniques. But cybersecurity incidents multiply and are more prominent in the media. Will the cloud and the Internet of Things offer us a secure infrastructure? Or are we heading for a security and privacy nightmare? What is the role of governments, companies and individuals? Do we need backdoors in security technologies to balance privacy and security? This seminar tries to answer these questions.

Handling of Security Requirements in Software Development Lifecycle

The bigger the company you're working in, the more technologies and methodologies used by development teams you are going to face. At the same time, you want to address security risks in an appropriate, reliable and traceable way for all of them.

After a short introduction of a unified process for handling security requirements in a large company, the main part of the talk is going to focus on a tool called SecurityRAT (Requirement Automation Tool) which has been developed in order to support and accelerate this process. The goal of the tool is first to provide a list of relevant security requirements according to properties of the developed software, and afterwards to handle these in a mostly automated way - integration with an issue tracker being used as a core feature. Work in progress and future plans will form the last part of the talk.

Zap it !

The OWASP Zed Attack Proxy (ZAP) is one of the world’s most popular and best maintained free security tools. In this talk we will cover some of the basic features of ZAP and dive deep into some advanced features. We will also cover the ways you can use ZAP in your application's SDL.

Stealing Secrets through Browser-based Side-channel Attacks

Browsers are becoming increasingly complex. New features are added on a virtually daily basis in order to accommodate the most exotic use cases, allow the millions of lines of JavaScript code to be executed even faster, or provide the foundation for extremely accurate analytics. Combined with the well-known security principle that an increase in functionality results in a larger attack surface, browsers are becoming a more and more interesting target for adversaries. In this talk, we will focus on a class of attacks that is often overlooked, namely side-channel attacks. Among other things, we will explore the causes of these newly discovered side-channel attacks, and how these can be leveraged to extract sensitive information, such as CSRF tokens, from web pages. Finally, we will analyse the various techniques that can be used to defend against these attacks.

Securing Android Applications

In this talk we will discuss the attack surfaces of an Android application and some best practice security implementations specific for Android applications. We will cover cryptography, code protection techniques and network security implementations.

Speakers

Yorick Koster

Yorick Koster is co-founder of Securify, an information security company focusing on all aspects of software security. Securify helps organisations to (proactively) secure their web and mobile applications, from design to go-live. In this we take a proactive approach (Build Security In) to catch and prevent vulnerabilities early, when still easy and cheap to fix.

Yorick has more than 10 years of experience in the field of software security and has found security vulnerabilities in a wide range of applications, including Internet Explorer, Office, .NET Framework, Adobe Reader, and WordPress.

Sebastian Lekies

Sebastian Lekies is an Information Security Engineer at Google and a PhD Student at the Ruhr-University Bochum. His research interests encompass client-side Web application security and Web application security testing. He graduated from University of Mannheim with a M.Sc. in Business Information Systems. At Google, Sebastian is part of the Security Test Engineering team that develops Google’s internal Web application security scanner and the externally facing Cloud Security Scanner (https://cloud.google.com/tools/security-scanner/). Before joining Google, Sebastian was part of SAP’s Security Research team, where he conducted academic research in the area of client-side Web application security. Sebastian is regularly speaking at academic and non-academic security conferences all around the World. He spoke at BlackHat US/EU/Asia, DeepSec, OWASP AppSec EU, Usenix Security, CCS, and many more...

Giancarlo Pellegrino

Giancarlo Pellegrino is a postdoctoral researcher in the System Security group at CISPA, Saarland University, in Germany. His main research interests include all aspects of web application security, in particular security testing (black- and white-box) and vulnerability analysis. Prior to joining CISPA, Giancarlo worked at TU Darmstadt, Germany, and was a member of the S3 group at EURECOM, in France. Until August 2013, he was a Research Associate in the "Security and Trust" research group at SAP SE.

Bart Preneel

Bart Preneel received the Electr. Eng. and Ph.D. degrees from the KU Leuven (Belgium). He is a Full Professor at the KU Leuven where he heads the COSIC research group. He was visiting professor at five universities in Europe. He has authored more than 400 scientific publications and is inventor of 4 patents. Bart Preneel has participated in more than 30 EU funded projects and has coordinated five of those, including the EU NoE ECRYPT. He has served as panel member and chair for the European Research Council. Since 1997 he has been serving on the Board of Directors of the IACR (International Association for Cryptologic Research), from 2002-2007 as vice president and from 2008-2013 as president. He is a member of the Permanent Stakeholders group of ENISA and of the Academia Europaea. He has served on the advisory board of several companies and EU projects. He has served as program chair of 15 international conferences and he has been invited speaker at more than 90 conferences in 40 countries. In 2014 he received the RSA Award for Excellence in the Field of Mathematics.

Daniel Kefer

Daniel Kefer has been working in the application security field since 2007. Having started as a penetration tester, he soon became passionate about proactive security efforts and working closely with developers. Since 2011 he has been working for 1&1 where he focuses on design and continuous improvement of the internal secure SDLC process and its implementation in different development departments. Apart from 1&1, he also works as a volunteer for the OWASP OpenSAMM project.

Zakaria Rachid

Zakaria Rachid is a security consultant with some years of intense computing and security experience in critical environments (Telcos, mil...). He specializes in penetration testing, web applications security and trolling.

Tom Van Goethem

Tom Van Goethem is a PhD researcher at the University of Leuven with a keen interest in web security and online privacy. In his research, Tom performs large-scale security experiments, both to analyze the presence of good and bad security practices on the web, as well as to demystify security claims. More recently, Tom started exploring side-channel attacks in the context of the web. In an attempt to make the web a safer place, Tom on occasion rummages the web in search for vulnerabilities.

Dario Incalza

I am a pre-sales and security engineer at GuardSquare. In my spare time I like breaking applications and most importantly securing them. I regularly speak at Android conferences about all things Android and security. I tweet at @h4oxer.


Social Event, starting at 7PM

For those who want to join for dinner, we suggest gathering at the Wok Dynastie Heverlee restaurant.

The restaurant offers a nice open buffet for 25.50 EUR.



Call for Speakers

The call for Speakers is closed.

See you next year!

OWASP AppSec conferences are true security conferences with all talks and presentations focusing on various areas of information security. Topics should focus on the technical and social aspects of security, and should not contain marketing or sales pitches.

We encourage and prioritize submissions covering research and new work impacting:

  • Secure development of web applications.
  • Security testing of web applications.
  • Security of DevOps processes, architectures, and tools.
  • Security of applications designed for mobile devices.
  • Security of Internet of Things devices and platforms.
  • Cloud platform security
  • Browser security
  • HTML5 security
  • OWASP tools or projects in practice

Terms

By your submission you agree to the OWASP Speaker Agreement. It requires that you use an OWASP presentation template or other non-branded template. Presentations may not use company-themed decks or include a company logo except on the speaker bio slide. Failure to observe these requirements will result in talk removal.

All presentation slides will be published on the conference website. Pictures and other materials in presentations should not violate any copyrights. Presentation submitters are solely liable for copyright violations. You may choose any Creative Commons license for your slides, including CC0. OWASP suggests the use of open licenses.

We will cover your travel expenses or costs for accommodations.

Deadlines

  • Submission of proposal closes: 11 September, 2016 – 23:59
  • Notification of acceptance: 2 October, 2016
  • Conference Date: 25 November, 2016

Submission

To submit a proposal, please submit an abstract of your intended presentation (500 to 4000 characters), a brief biography (150 to 800 characters) and a headshot (combine multiple files in one zip file). Your planned presentation time is 40 minutes (excluding ~5 minutes for discussion and change of speaker). Feel free to attach a preliminary version of your presentation if available. Any proposal submitted is subject to a democratic vote by the program committee. Keep in mind: The better your description of the talk, the better picture the program committee will have to review your submission. Please proofread your submission; after approval your abstract, biography, and headshot will be published verbatim into the program and website.

Submission page: https://easychair.org/conferences/?conf=owaspbenelux162



Hosted and co-organized by

imec-Distrinet Research Group (KU Leuven)

Made possible by our Sponsors

Gold:

Veracode, Vest, Intigriti, Securify, HPE

Silver:

Toreon, ZIONSECURITY, NVISO, WhiteHat Security, Nixu

Bronze:

Informatiebeveiliging, Netsparker