This site is the archived OWASP Foundation Wiki and is no longer accepting Account Requests.
To view the new OWASP Foundation website, please visit https://owasp.org
Belgium Events 2018 (latest revision as of 17:05, 6 February 2019)

<noinclude>
These are the 2018 events of the [[Belgium|OWASP Belgium Chapter]].
Previous year: [[Belgium Events 2017|2017]].
Next year: [[Belgium Events 2019|2019]].
</noinclude>

== OWASP BeNeLux Days 2018 ==

This conference has its own page: [[OWASP_BeNeLux-Days_2018]].

== 23 October 2018 Meeting ==

=== Where ===

* Host: [https://securecodewarrior.com/ Secure Code Warrior]

* Address ([https://goo.gl/maps/e6Ej1v44tf32 map], [https://goo.gl/maps/UoW1EM3kbfy directions], 10 minutes' walk from Brugge train station):
Baron Ruzettelaan 1
8310 Assebroek

* Parking was available under the building, open from 5 p.m.; the entrance is at the back:
Vestingstraat 88
8310 Assebroek

=== Agenda ===

* 18h00 - 18h50: Welcome & pizzas
* 18h50 - 19h00: [[Media:OWASP_Belgium_update_2018-10-23_v1.pptx|OWASP Update]] by Sebastien Deleersnyder (OWASP)
* 19h00 - 19h30: [[Media:OWASP_20181023_EffectivelyDistributeSoftwareSecurityKnowledge.pdf|Effectively Distribute Software Security Knowledge]] by Pieter De Cremer and Nathan Desmet (Secure Code Warrior)
* 19h30 - 19h45: Beers from Bruges break
* 19h45 - 20h25: [[Media:OWASP_20181023_CommonAPISecurityPitfalls.pdf|Common API Security Pitfalls]] by Philippe De Ryck (Pragmatic Web Security)
* 20h25 - 22h00: Networking and more beers from Bruges

=== Program ===

==== Effectively Distribute Software Security Knowledge ====

* Speaker: [https://www.linkedin.com/in/pdcremer/ Pieter De Cremer] ([https://twitter.com/pdcremer @pdcremer]) and [https://www.linkedin.com/in/nathan-desmet-687345aa/ Nathan Desmet] (Secure Code Warrior)
* Presentation attachment: [[:File:OWASP_20181023_EffectivelyDistributeSoftwareSecurityKnowledge.pdf]]

''Abstract''

Security is still a big concern in application development, as breaches appear in the media on a regular basis. Up to 90 percent of security issues are caused by problems or oversight in the code (U.S. Department of Homeland Security, "Infosheet Software Assurance", https://www.us-cert.gov/sites/default/files/publications/infosheet_SoftwareAssurance.pdf, last accessed 2018-05-22). They are the result of errors made by the developers. At the same time, many of these issues are well-known, well-documented problems. But the security experts in charge of securing the application are understaffed, with an average of fewer than two security experts per hundred developers (Gary McGraw, Ph.D., Sammy Migues and Jacob West, "Building Security In Maturity Model (BSIMM)", https://www.bsimm.com/, 2018). So the problem is not a lack of knowledge on security but the distribution of it without requiring costly, unscalable communication cycles between individual developers and security experts. In this talk we will outline the goal of a new approach to improve software security, focused on distributing software security knowledge so that software engineers can effectively put it into practice with minimal impact on their daily tasks.

''Speaker Bios''

'''Pieter De Cremer''' is an R&D Engineer and Security Researcher at Secure Code Warrior, where he is responsible for researching a wide variety of application vulnerabilities and developing this into new content and coding challenges for the Secure Code Warrior platform. His passion lies in empowering developers to be the first line of defence in their organisation by making security easy to understand.

Pieter graduated with a Master's in Computer Science Engineering from the University of Ghent and is currently completing his PhD in Secure Design Programming Aid for the Internet of Things through a personal grant from the Flemish government. When he is away from his desk, Pieter has also facilitated a number of secure coding workshops with Ghent University, Howest Bruges and Antwerp University, helping students improve their secure coding skills. His repertoire of coding languages includes C, C++, Java, Python, node and Haskell.

'''Nathan Desmet''' is the Lead Engineer at Secure Code Warrior, where he is responsible for developing Sensei, a real-time correction and coaching IDE plug-in for secure coding. His passion lies in building world-class software applications that make an impact on the way developers build software, with a focus on security.

Prior to Secure Code Warrior, Nathan worked for NVISO, where he created the Cyber Security Challenge platform, the biggest computer security competition in Belgium. Nathan also co-founded Sensei Security, and founded Applix, a software consultancy firm. His clients include SMEs in the technology and legal sector.

Nathan graduated with a degree in Computer Science from the University of Howest Bruges, majoring in Computer and Cybercrime Professional.

==== Common API Security Pitfalls ====

* Speaker: [https://twitter.com/PhilippeDeRyck Philippe De Ryck] ([https://pragmaticwebsecurity.com/ Pragmatic Web Security])
* Presentation attachment: [[:File:OWASP_20181023_CommonAPISecurityPitfalls.pdf]]

''Abstract''

The shift towards an API landscape indicates a significant evolution in the way we build applications. The rise of JavaScript and mobile applications has sparked an explosion of easily accessible REST APIs. But how do you protect access to your API? Which security aspects are no longer relevant? Which security features are an absolute must-have, and which additional security measures do you need to take into account?

These are hard questions, as evidenced by the deployment of numerous insecure APIs. Attend this session to find out about common API security pitfalls that often result in compromised user accounts and unauthorized access to your data. We expose the problem that lies at the root of each of these pitfalls, and offer actionable advice to address these security problems. After this session, you will know how to assess the security of your APIs, and the best practices to improve them towards the future.

''Speaker Bio''

Philippe De Ryck is the founder of Pragmatic Web Security, where he travels the world to train developers on web security and security engineering. He holds a Ph.D. in web security from KU Leuven. Google recognizes Philippe as a Google Developer Expert for his knowledge of web security and security in Angular applications.

=== Registration ===

Registration was via EventBrite: https://owasp-belgium-2018-10-23.eventbrite.com

=== Coverage ===

n/a

== 17 September 2018 Meeting ==

=== Where ===

* Host: [https://ec.europa.eu European Commission]

* Address ([https://www.google.com/maps/place/Place+Madou+1,+1210+Saint-Josse-ten-Noode/ map], [https://www.google.com/maps/dir//Place+Madou+1,+1210+Saint-Josse-ten-Noode directions]):
Place Madou, 1
1210 Saint-Josse-Ten-Noode

=== Agenda ===

* 18h00 - 18h50: Welcome & sandwiches
* 18h50 - 19h00: [https://www.owasp.org/images/9/9b/Owasp_Belgium_update_2018-09-17_v1.pptx OWASP Update] by Sebastien Deleersnyder (OWASP)
* 19h00 - 19h10: ''Intro by the EC'' by Miguel Soria Machado (Head of Sector CSIRC, DIGIT IT Security Directorate, European Commission)
* 19h10 - 20h00: [https://www.owasp.org/images/1/17/Dirk_Wetter_-_Docker_Security_Brussels.pdf Docker Threat Modeling and Top 10] by Dirk Wetter
* 20h00 - 20h10: Break
* 20h10 - 21h00: [https://www.owasp.org/images/1/1c/Securing_Containers_on_the_High_Seas_%28OWASP_Belgium_September_17-09-2018%29.pdf Securing Containers on the High Seas] by Jack Mannino (nVisium)
* 21h00 - 21h30: Networking drink

=== Program ===

==== Docker Threat Modeling and Top 10 ====

* Speaker: [https://twitter.com/drwetter Dirk Wetter]
* Presentation: https://www.owasp.org/images/1/17/Dirk_Wetter_-_Docker_Security_Brussels.pdf

''Abstract''

Docker containers offer several advantages for developers. Most notably, they fit perfectly into software development processes, they enable fast, reproducible deployments, and, when properly done, the same container can run with little change in either a test or a production environment.

Despite the threatening information out there, Docker per se also offers several security advantages. However, it is important to make use of them and, as a minimum, to avoid several pitfalls. Otherwise, in a worst-case scenario, this can lead to less security, or the security benefits which the containment technology offers are not used at all. To avoid this, a proper fundamental approach is needed.

Thus this talk first models the most important threats to containerized environments out there. Based on that, the speaker will present 10 security bullet points which cover:
* important Do's and Don'ts,
* for advanced needs, how to tighten security further.

At the end the speaker gives advice on how to check your Docker and Kubernetes security status yourself.

The talk is based on practical experiences at several customers and on the speaker's solid network and systems security expertise.

''Speaker Bio''

Dirk Wetter (Ph.D.) is an independent security consultant with more than 20 years of professional experience in information security and a broad technical and information security management background.

His primary focus nowadays is web application security. He also has a solid background in network and systems security.

He is also the founder and maintainer of the open source project testssl.sh, which checks the encryption of every SSL/TLS-enabled service.

==== Securing Containers on the High Seas ====

* Speaker: [https://twitter.com/jack_mannino Jack Mannino] (nVisium)
* Presentation: https://www.owasp.org/images/1/1c/Securing_Containers_on_the_High_Seas_%28OWASP_Belgium_September_17-09-2018%29.pdf

''Abstract''

It can be a difficult challenge for organizations to securely migrate to containers while shifting processes and security controls. Making the move from legacy virtualization and monolithic deployments to containers requires a solid strategy. Containers offer many inherent security benefits, but it's important to build controls in beyond the containers themselves. From development through container registries and deployment to a runtime environment, it's important to enforce security and eliminate risks as they're introduced.

This presentation will focus on scaling container security within an enterprise and building security controls into the way you build, ship, and run containerized services. We will discuss the modern container landscape, including different container runtimes and isolation models. We will explore the container lifecycle from your developer's laptop through your production environment and examine the key security problems to mitigate.

''Speaker Bio''

Jack Mannino is the CEO of nVisium. Passionate about security and impossible to keep away from a keyboard, his expertise spans over 15 years of building, breaking, and securing software. Jack founded nVisium in 2009, and since then has helped the world's largest software teams enhance security across their software portfolios. He has spoken at conferences globally on topics such as secure design, mobile application security, and cloud-native security.

=== Registration ===

Two-step registration:

# Registration was via EventBrite: https://owasp-belgium-2018-09-17.eventbrite.com.
# Pre-registration of participants' ID documents, necessary for passing the security checkpoint at the entrance to the site, was via: https://ec.europa.eu/eusurvey/runner/OWASPBelgiumChapterMeetingSept17. The deadline for this registration was ''Sunday, September 16th, midnight''.

=== Coverage ===

n/a

== 19 March 2018 Meeting ==

=== Where ===

* Host: [https://www.ing.be ING Belgium]

* Address ([https://branches.ing.be/branch/1040_bxl-non-residents map]):
Cours St Michel 60
1040 Brussel

=== Agenda ===

* 18h15 - 19h00: Welcome & sandwiches
* 19h00 - 19h10: ''OWASP Update'' by Sebastien Deleersnyder (OWASP)
* 19h10 - 20h00: ''KRACKing WPA2 in Practice Using Key Reinstallation Attacks'' by Mathy Vanhoef (imec-DistriNet-KU Leuven)
* 20h00 - 20h10: Break
* 20h10 - 21h00: ''Making the web secure by design'' by Glenn Ten Cate (ING Belgium) and Riccardo Ten Cate (Xebia)
* 21h00 - 21h30: Networking drink

=== Program ===

==== KRACKing WPA2 in Practice Using Key Reinstallation Attacks ====

* Speaker: Mathy Vanhoef (imec-DistriNet-KU Leuven)
* Presentation: not yet available

''Abstract''

This talk presents the key reinstallation attack against WPA2 (KRACK attack). It abuses design or implementation flaws in cryptographic protocols to reinstall an already-in-use key. This resets the key's associated parameters, such as transmit nonces and receive replay counters. Several cryptographic Wi-Fi handshakes are affected by the attack.

All protected Wi-Fi networks use the 4-way handshake to generate a fresh session key. So far, this 14-year-old handshake has remained free from attacks. However, we show that the 4-way handshake is vulnerable to a key reinstallation attack. Here, the adversary tricks a victim into reinstalling an already-in-use key. This is achieved by manipulating and replaying handshake messages. When reinstalling the key, associated parameters such as the incremental transmit packet number (nonce) and receive packet number (replay counter) are reset to their initial value.

The talk also discusses the vulnerability disclosure process that was followed. Since the discovery affected numerous vendors, coordinating the disclosure was non-trivial.

''Speaker Bio''

Mathy Vanhoef is a postdoctoral researcher at KU Leuven. He did his PhD on the security of WPA-TKIP, TLS, and RC4. His research interest is in computer security with a focus on wireless security (e.g. Wi-Fi), network protocols in general, the RC4 stream cipher (where he discovered the RC4 NOMORE attack), and software security (discovering and exploiting vulnerabilities). Currently his main research is about automatically discovering vulnerabilities in network protocol implementations, and proving the correctness of protocol implementations.

==== Making the web secure by design ====

* Speaker: Glenn Ten Cate (ING Belgium) and Riccardo Ten Cate (Xebia)
* Presentation: not yet available

''Abstract''

Education is the first step in the Secure Software Development Lifecycle. The free OWASP Security Knowledge Framework (SKF) is intended to be a tool that is used as a guide for building and verifying secure software. It can also be used to train developers about application security. This talk will help you as a developer to become THE Neo of your development team. We will show how you can do security by design and introduce other quality gates into your development pipeline to ensure high-end quality and security of your project.

''Speaker Bios''

As a coder, hacker, speaker, trainer and security researcher employed at ING Belgium, '''Glenn Ten Cate''' has over 10 years' experience in the field of security. He is one of the founders of defensive development [defdev], a security training and conference series dedicated to helping you build and maintain secure software, and also speaks at multiple other security conferences in the world. His goal is to create an open-source software development life cycle with the tools and knowledge gathered over the years.

As a penetration tester from the Netherlands employed at Xebia, '''Riccardo Ten Cate''' specialises in web-application security and has extensive knowledge in securing web applications in multiple coding languages. He is also a specialist in setting up Secure Software Development Life Cycles.

=== Registration ===

Registration was via EventBrite: https://owasp-belgium-2018-03-19.eventbrite.com.

=== Coverage ===

n/a

== 20 February 2018 Meeting ==

=== Where ===

* Host: [https://distrinet.cs.kuleuven.be DistriNet Research Group (KU Leuven)] (Both speakers are faculty of the [https://www.secappdev.org/ Secure Application Development] course held in Leuven from 2018-02-19 to 2018-02-23.)

* Address ([http://googlemapsinterface.kuleuven.be/index.cgi?lang=N&nbol=(50.864186697481145,%204.678754210472107)&zoomlevel=17&plaatsnaam=Department+of+Computer+Science&maptype=roadmap map], [https://distrinet.cs.kuleuven.be/about/route/ directions]):
Department of Computer Science (foyer at ground floor)
Celestijnenlaan 200 A
3001 Heverlee

=== Agenda ===

* 18h15 - 19h00: Welcome & sandwiches
* 19h00 - 19h10: [https://www.owasp.org/images/7/7a/Owasp_Belgium_update_2018-02-20_v1.pdf OWASP Update] by Sebastien Deleersnyder (OWASP)
* 19h10 - 20h00: [https://schd.ws/hosted_files/secappdev2018/a9/Developer%20are%20not%20the%20enemy%20SecAppDev%20web.pdf Developers are not the enemy -- Usable Security for Experts] by Prof. Matthew Smith (University of Bonn)
* 20h00 - 20h10: Break
* 20h10 - 21h00: [https://schd.ws/hosted_files/secappdev2018/75/The%20code%20behind%20the%20vulnerability.pdf The Code Behind The Vulnerability] by Barry Dorrans (Microsoft)

=== Program ===

==== Developers are not the enemy -- Usable Security for Experts ====

* Speaker: Prof. Matthew Smith (University of Bonn)
* Presentation: https://schd.ws/hosted_files/secappdev2018/a9/Developer%20are%20not%20the%20enemy%20SecAppDev%20web.pdf

''Abstract''

Usability problems are a major cause of many of today's IT-security incidents. Security systems are often too complicated, time-consuming, and error-prone. For more than a decade, researchers in the domain of usable security (USEC) have attempted to combat these problems by conducting interdisciplinary research focusing on the root causes of the problems and on the creation of usable security mechanisms. While major improvements have been made, to date USEC research has focused almost entirely on the non-expert end-user. However, many of the most catastrophic security incidents were not caused by end-users, but by developers or administrators. Heartbleed and Shellshock were both caused by single developers yet had global consequences. The Sony hack in 2014 compromised an entire multi-national IT infrastructure and misappropriated over 100 TB of data, unnoticed. Fundamentally, every software vulnerability and misconfigured system is caused by developers or administrators making mistakes, but very little research has been done into the underlying causalities and possible mitigation strategies. In this talk we will explore the transition from end-user to expert usable security research and look at several application areas, including TLS, passwords, malware analysis and vulnerability analysis.

''Speaker Bio''

Matthew Smith is a Professor for Usable Security and Privacy at the University of Bonn. His research is focused on human factors of security and privacy mechanisms with a wide range of application areas, including TLS and network security, authentication, mobile and app security and, most recently, usable security for developers and administrators. His work has been published at, among others, IEEE S&P, ACM CCS, USENIX Security, NDSS, ACM SIGCHI and SOUPS, the Symposium On Usable Privacy and Security. In 2015 his ERC Starting Grant "Frontiers of Usable Security" was selected for funding.

==== The Code Behind The Vulnerability ====

* Speaker: Barry Dorrans (Microsoft)
* Presentation: https://schd.ws/hosted_files/secappdev2018/75/The%20code%20behind%20the%20vulnerability.pdf

''Abstract''

Everyone makes security mistakes, and that includes Microsoft (seriously!). Many developers can spot and prevent vulnerabilities listed in the OWASP Top 10. But that narrative changes when we look beyond the scope of the OWASP Top 10. Compared to some more recent attacks, fixing XSS or SQL injection almost seems easy. In this session, we dive into a couple of .NET Core cases that have been reported to the Microsoft Security Response Center (MSRC). Mind you, these vulnerabilities are not just framework vulnerabilities. Instead, they are coding patterns that you may have introduced in your applications. Examples are issues with hash tables, compression, encryption, regular expressions and more. In this session, you will learn how to spot these vulnerabilities in your code. On top of that, you will walk away with the skills to fix them.

''Speaker Bio''

Barry Dorrans is the .NET Security Czar, which means he tries to tell everyone else how to code securely and takes the credit when it goes right, as well as running the .NET Core Bug Bounty. He also ends up triaging publicly and privately reported vulnerabilities when it goes wrong, before getting someone else to fix the mistakes. Thus he gets all the fun and none of the real work, aside from the endless stress of wondering when the next vulnerability will be discovered.

=== Registration ===

Registration was via EventBrite: https://owasp-belgium-2018-02-20.eventbrite.com.

=== Coverage ===

n/a
These are the 2018 events of the OWASP Belgium Chapter.
Previous year: 2017. Next year: 2019.
OWASP BeNeLux Days 2018
This conference has its own page: OWASP_BeNeLux-Days_2018.
23 October 2018 Meeting
Where
- Host: Secure Code Warrior
- Address (map, directions, 10 minutes walk from Brugge train station)
Baron Ruzettelaan 1 8310 Assebroek
- Parking was available under the building, open from 5 p.m., the entrance is at the back:
Vestingstraat 88 8310 Assebroek
Agenda
- 18h00 - 18h50: Welcome & pizzas
- 18h50 - 19h00: OWASP Update by Sebastien Deleersnyder (OWASP)
- 19h00 - 19h30: Effectively Distribute Software Security Knowledge by Pieter De Cremer and Nathan Desmet (Secure Code Warrior)
- 19h30 - 19h45: Beers from Bruges break
- 19h45 - 20h25: Common API Security Pitfalls by Philippe De Ryck (Pragmatic Web Security)
- 20h25 - 22h00: Networking and more beers from Bruges
Program
Effectively Distribute Software Security Knowledge
- Speaker: Pieter De Cremer (@pdcremer) and Nathan Desmet (Secure Code Warrior)
- Presentation attachment: File:OWASP_20181023_EffectivelyDistributeSoftwareSecurityKnowledge.pdf
Abstract
Security is still a big concern in application development, as breaches appear in the media on a regular basis. Up to 90 percent of security issues are caused by problems or oversight in the code (U.S. Department of Homeland Security, “Infosheet Software Assurance”, https://www.us-cert.gov/sites/default/files/publications/infosheet_SoftwareAssurance.pdf, last accessed 2018-05-22). They are the result of errors made by the developers. At the same time, many of these issues are well known, well-documented problems. But the security experts in charge of securing the application are understaffed with an average of less than two security experts per hundred developers (Gary McGraw, Ph.D., Sammy Migues and Jacob West, “Building Security In Maturity Model (BSIMM)”, https://www.bsimm.com/, 2018). So the problem is not a lack of knowledge on security but the distribution of it without requiring costly, unscalable communication cycles between individual developers and security experts. In this talk we will outline the goal of a new approach to improve software security, focused on distributing software security knowledge so that software engineers can effectively put it into practice with minimal impact on their daily tasks.
Speaker Bios
Pieter De Cremer is an R&D Engineer and Security Researcher at Secure Code Warrior, where he is responsible for researching a wide variety of application vulnerabilities and developing this into new content and coding challenges for the Secure Code Warrior platform. His passion lies in empowering developers to be the first line of defence in their organisation by making security easy to understand.
Pieter graduated with a Masters in Computer Science Engineering from the University of Ghent and is currently completing his PhD in Secure Design Programming Aid for the Internet of Things through a personal grant from the Flemish government. When he is away from his desk, Pieter has also facilitated a number of secure coding workshops with Ghent University, Howest Bruges and Antwerp University, helping students improve their secure coding skills. His repertoire of coding languages includes C, C++, Java, Python, node and Haskell.
Nathan Desmet is the Lead Engineer at Secure Code Warrior, where he is responsible for developing Sensei, a real-time correction and coaching IDE plug-in for secure coding. His passion lies in building world-class software applications that makes an impact in the way developers build software with a focus on security.
Prior to Secure Code Warrior, Nathan has worked for NVISO where he created the Cyber Security Challenge platform, the biggest computer security competition in Belgium. Nathan also co-founded Sensei Security, and founded Applix, a software consultancy firm. His clients include SMEs in the technology and legal sector.
Nathan graduated with a degree in Computer Science from the University of Howest Bruges, majoring in Computer and Cybercrime Professional.
Common API Security Pitfalls
- Speaker: Philippe De Ryck (Pragmatic Web Security)
- Presentation attachment: File:OWASP_20181023_CommonAPISecurityPitfalls.pdf
Abstract
The shift towards an API landscape indicates a significant evolution in the way we build applications. The rise of JavaScript and mobile applications have sparked an explosion of easily-accessible REST APIs. But how do you protect access to your API? Which security aspects are no longer relevant? Which security features are an absolutely must-have, and which additional security measures do you need to take into account?
These are hard questions, as evidenced by the deployment of numerous insecure APIs. Attend this session to find out about common API security pitfalls, that often result in compromised user accounts and unauthorized access to your data. We expose the problem that lies at the root of each of these pitfalls, and offer actionable advice to address these security problems. After this session, you will know how to assess the security of your APIs, and the best practices to improve them towards the future.
Speaker Bio
Philippe De Ryck is the founder of Pragmatic Web Security, where he travels the world to train developers on web security and security engineering. He holds a Ph.D. in web security from KU Leuven. Google recognizes Philippe as a Google Developer Expert for his knowledge of web security and security in Angular applications.
Registration
Registration was via EventBrite: https://owasp-belgium-2018-10-23.eventbrite.com
Coverage
n/a
17 September 2018 Meeting
Where
- Host: European Commission
- Address (map, directions)
Place Madou, 1 1210 Saint-Josse-Ten-Noode
Agenda
- 18h00 - 18h50: Welcome & sandwiches
- 18h50 - 19h00: OWASP Update by Sebastien Deleersnyder (OWASP)
- 19h00 - 19h10: Intro by the EC by Miguel Soria Machado (Head of Sector CSIRC, DIGIT IT Security Directorate, European Commission)
- 19h10 - 20h00: Docker Threat Modeling and Top 10 by Dirk Wetter
- 20h00 - 20h10: Break
- 20h10 - 21h00: Securing Containers on the High Seas by Jack Mannino (nVisium)
- 21h00 - 21h30: Networking drink
Program
Docker Threat Modeling and Top 10
- Speaker: Dirk Wetter
- Presentation: https://www.owasp.org/images/1/17/Dirk_Wetter_-_Docker_Security_Brussels.pdf
Abstract
Docker containers offer several advantages for developers. Most notably they fit perfectly in software development processes, they enable fast, reproducible deployments and when properly done, with little change the same container can run either in a test or production environment.
Despite the threatening information out there, Docker per se also offers several security advantages. However, it is important to make use of them and, as a minimum, to avoid several pitfalls. In the worst case, not doing so leads to less security, or the security benefits which the containment technology offers are not used at all.
To avoid this, a proper fundamental approach is needed.
Thus this talk first models the most important threats to containerized environments out there. Based on that, the speaker will present 10 security bullet points which cover:
- important Do's and Don'ts,
- for advanced needs, how to tighten security further.
At the end, the speaker gives advice on how to check your Docker and Kubernetes security status yourself.
The talk is based on practical experience at several customers and on the speaker's solid network and systems security expertise.
Speaker Bio
Dirk Wetter (Ph.D.) is an independent security consultant with more than 20 years of professional experience in information security and a broad technical and information security management background.
His primary focus nowadays is web application security. He also has a solid background in network and systems security.
He is also the founder and maintainer of the open source project testssl.sh, which checks the encryption of any SSL/TLS enabled service.
Securing Containers on the High Seas
- Speaker: Jack Mannino (nVisium)
- Presentation: https://www.owasp.org/images/1/1c/Securing_Containers_on_the_High_Seas_%28OWASP_Belgium_September_17-09-2018%29.pdf
Abstract
It can be a difficult challenge for organizations to securely migrate to containers while shifting processes and security controls. Making the move from legacy virtualization and monolithic deployments to containers requires a solid strategy. Containers offer many inherent security benefits but it’s important to build controls in beyond the containers themselves. From development through container registries and deployment to a runtime environment, it’s important to enforce security and eliminate risks as they’re introduced.
This presentation will focus on scaling container security within an enterprise and building security controls into the way you build, ship, and run containerized services. We will discuss the modern container landscape including different container runtimes and isolation models. We will explore the container lifecycle from your developer’s laptop through your production environment and examine the key security problems to mitigate.
Speaker Bios
Jack Mannino is the CEO of nVisium. Passionate about security and impossible to keep away from a keyboard, his expertise spans over 15 years of building, breaking, and securing software. Jack founded nVisium in 2009, and since has helped the world's largest software teams enhance security across their software portfolios. He has spoken at conferences globally on topics such as secure design, mobile application security, and cloud-native security.
Registration
Two step registration:
- Registration was via EventBrite: https://owasp-belgium-2018-09-17.eventbrite.com.
- Pre-registration of participants' ID documents, necessary for passing the security checkpoint at the entrance to the site, was via: https://ec.europa.eu/eusurvey/runner/OWASPBelgiumChapterMeetingSept17. The deadline for this registration was Sunday, September 16th, midnight.
Coverage
n/a
19 March 2018 Meeting
Where
- Host: ING Belgium
- Address (map)
Cours St Michel 60, 1040 Brussel
Agenda
- 18h15 - 19h00: Welcome & sandwiches
- 19h00 - 19h10: OWASP Update by Sebastien Deleersnyder (OWASP)
- 19h10 - 20h00: KRACKing WPA2 in Practice Using Key Reinstallation Attacks by Mathy Vanhoef (imec-DistriNet-KU Leuven)
- 20h00 - 20h10: Break
- 20h10 - 21h00: Making the web secure by design by Glenn Ten Cate (ING Belgium) and Riccardo Ten Cate (Xebia)
- 21h00 - 21h30: Networking drink
Program
KRACKing WPA2 in Practice Using Key Reinstallation Attacks
- Speaker: Mathy Vanhoef (imec-DistriNet-KU Leuven)
- Presentation: not yet available
Abstract
This talk presents the key reinstallation attack against WPA2 (KRACK attack). It abuses design or implementation flaws in cryptographic protocols to reinstall an already-in-use key. This resets the key’s associated parameters such as transmit nonces and receive replay counters. Several cryptographic Wi-Fi handshakes are affected by the attack.
All protected Wi-Fi networks use the 4-way handshake to generate a fresh session key. So far, this 14-year-old handshake has remained free from attacks. However, we show that the 4-way handshake is vulnerable to a key reinstallation attack. Here, the adversary tricks a victim into reinstalling an already-in-use key. This is achieved by manipulating and replaying handshake messages. When reinstalling the key, associated parameters such as the incremental transmit packet number (nonce) and receive packet number (replay counter) are reset to their initial value.
The talk also discusses the vulnerability disclosure process that was followed. Since the discovery affected numerous vendors, coordinating the disclosure was non-trivial.
Speaker Bio
Mathy Vanhoef is a postdoctoral researcher at KU Leuven. He did his PhD on the security of WPA-TKIP, TLS, and RC4. His research interest is in computer security with a focus on wireless security (e.g. Wi-Fi), network protocols in general, the RC4 stream cipher (where he discovered the RC4 NOMORE attack), and software security (discovering and exploiting vulnerabilities). Currently his main research is about automatically discovering vulnerabilities in network protocol implementations, and proving the correctness of protocol implementations.
Making the web secure by design
- Speaker: Glenn Ten Cate (ING Belgium) and Riccardo Ten Cate (Xebia)
- Presentation: not yet available
Abstract
Education is the first step in the Secure Software Development Lifecycle. The free OWASP Security Knowledge Framework (SKF) is intended to be a tool that is used as a guide for building and verifying secure software. It can also be used to train developers about application security. This talk will help you as a developer to become THE Neo of your development team. We will show how you can do security by design and introduce other quality gates into your development pipeline to ensure high-end quality and security of your project.
Speaker Bios
As a coder, hacker, speaker, trainer and security researcher employed at ING Belgium, Glenn Ten Cate has over 10 years of experience in the field of security. He is one of the founders of defensive development [defdev], a security training and conference series dedicated to helping you build and maintain secure software, and he also speaks at multiple other security conferences around the world. His goal is to create an open-source software development life cycle with the tools and knowledge gathered over the years.
As a penetration tester from the Netherlands employed at Xebia, Riccardo Ten Cate specialises in web application security and has extensive knowledge of securing web applications in multiple coding languages. He is also a specialist in setting up Secure Software Development Life Cycles.
Registration
Registration was via EventBrite: https://owasp-belgium-2018-03-19.eventbrite.com.
Coverage
n/a
20 February 2018 Meeting
Where
- Host: DistriNet Research Group (KU Leuven) (Both speakers are faculty of the Secure Application Development course held in Leuven from 2018-02-19 to 2018-02-23.)
- Address (map, directions):
Department of Computer Science (foyer on the ground floor), Celestijnenlaan 200A, 3001 Heverlee
Agenda
- 18h15 - 19h00: Welcome & sandwiches
- 19h00 - 19h10: OWASP Update by Sebastien Deleersnyder (OWASP)
- 19h10 - 20h00: Developers are not the enemy -- Usable Security for Experts by Prof. Matthew Smith (University of Bonn)
- 20h00 - 20h10: Break
- 20h10 - 21h00: The Code Behind The Vulnerability by Barry Dorrans (Microsoft)
Program
Developers are not the enemy -- Usable Security for Experts
- Speaker: Prof. Matthew Smith (University of Bonn)
- Presentation: https://schd.ws/hosted_files/secappdev2018/a9/Developer%20are%20not%20the%20enemy%20SecAppDev%20web.pdf
Abstract
Usability problems are a major cause of many of today's IT-security incidents. Security systems are often too complicated, time-consuming, and error-prone. For more than a decade, researchers in the domain of usable security (USEC) have attempted to combat these problems by conducting interdisciplinary research focusing on the root causes of the problems and on the creation of usable security mechanisms. While major improvements have been made, to date USEC research has focused almost entirely on the non-expert end-user. However, many of the most catastrophic security incidents were not caused by end-users, but by developers or administrators. Heartbleed and Shellshock were both caused by single developers yet had global consequences. The Sony hack in 2014 compromised an entire multi-national IT infrastructure and misappropriated over 100 TB of data, unnoticed. Fundamentally, every software vulnerability and misconfigured system is caused by developers or administrators making mistakes, but very little research has been done into the underlying causalities and possible mitigation strategies. In this talk we will explore the transition from end-user to expert usable security research and look at several application areas, including TLS, passwords, malware analysis and vulnerability analysis.
Speaker Bio
Matthew Smith is a Professor for Usable Security and Privacy at the University of Bonn. His research is focused on human factors of security and privacy mechanisms with a wide range of application areas, including TLS and network security, authentication, mobile and app security and, most recently, usable security for developers and administrators. His work has been published at, among others, IEEE S&P, ACM CCS, USENIX Security, NDSS, ACM SIGCHI and SOUPS (the Symposium on Usable Privacy and Security). In 2015 his ERC Starting Grant "Frontiers of Usable Security" was selected for funding.
The Code Behind The Vulnerability
- Speaker: Barry Dorrans (Microsoft)
- Presentation: https://schd.ws/hosted_files/secappdev2018/75/The%20code%20behind%20the%20vulnerability.pdf
Abstract
Everyone makes security mistakes, and that includes Microsoft (seriously!). Many developers can spot and prevent vulnerabilities listed in the OWASP Top 10. But that narrative changes when we look beyond the scope of the OWASP Top 10. Compared to some more recent attacks, fixing XSS or SQL injection almost seems easy. In this session, we dive into a couple of .NET Core cases that have been reported to the Microsoft Security Response Center (MSRC). Mind you, these vulnerabilities are not just framework vulnerabilities. Instead, they are coding patterns that you may have introduced in your own applications. Examples are issues with hash tables, compression, encryption, regular expressions and more. In this session, you will learn how to spot these vulnerabilities in your code. On top of that, you will walk away with the skills to fix them.
Speaker Bio
Barry Dorrans is the .NET Security Czar, which means he tries to tell everyone else how to code securely and takes the credit when it goes right, as well as running the .NET Core Bug Bounty. He also ends up triaging publicly and privately reported vulnerabilities when it goes wrong, before getting someone else to fix the mistakes. This way he gets all the fun and none of the real work, aside from the endless stress of wondering when the next vulnerability will be discovered.
Registration
Registration was via EventBrite: https://owasp-belgium-2018-02-20.eventbrite.com.
Coverage
n/a