Difference between revisions of "BeNeLux OWASP Day 2016-2"

OWASP BeNeLux conference is free, but registration is required!

OWASP BeNeLux training is reserved for OWASP members, and registration is required!

To support the OWASP organisation, we ask training attendees to become an OWASP member, it's only US$50! Students and faculty are invited to become member as well, but can freely attend. Check out the Membership page to find out more.

Register now!

To support the OWASP organisation, consider to become a member, it's only US$50!
Check out the Membership page to find out more.

Venue

The venue is hosted by imec-Distrinet Research Group (KU Leuven).

Address:
Department of Computer Science (foyer at ground floor)
Celestijnenlaan 200 A
3001 Heverlee

How to reach the venue?

https://distrinet.cs.kuleuven.be/about/route/

Hotel nearby

• Hotel The Lodge Heverlee
• BoardHouse Hotel
• B&B Lavan
• Hotel Ibis Leuven Heverlee
• Begijnhof Hotel Leuven

Trainingday is November 24th

Location

Agenda

Trainings

Breakers, defenders and superheroes!

In the wonderful world of application security we often learn to break stuff or we learn how to prevent hackers from breaking your stuff. In this training i would love to adres some basic and advanced topics and not only teach developers how to properly test their code like a penetration tester, but also learn the penetration tester to think like a developer so they really can deliver added value when instructing developers on how to fix their code like a baws!

Some of the topics i would like to adresss are:

• Content security policy and how to defeat it with HTML injections
• Advanced cross site scripting
• Cross site request forgery
• Mass Assignment (Parameter binding) attacks
• External entity attacks
• Path/directory traversal attacks (File inclusion attacks)
• File upload injections
• Server side template injections
• Authentication and authorization

PWN Android Apps with your Custom Built Toolbox

Frustrated with the various tools and environments needed to perform mobile pentesting? All available Android test distributions have drawbacks and missing and/or non-working tools etc. Learn how to create your own customized mobile pentesting toolbox with the tools you really want/need.

Not sure which steps to follow when performing a mobile application security assessment? Our renowned trainer, Steven Wierckx, will show you which steps to follow and what issues to focus on.

More details in the course description

Download the full training description

Why simply deploying HTTPS will not get you an A+ grade

20 years after the introduction of HTTPS, it is finally moving towards widespread adoption. As more and more web sites are enabling HTTPS, the attention for correct deployments increases as well. Tools such as Qualys’ SSL Labs server test make it is easy to verify the quality of any domain’s HTTPS deployment, but at the same time show how challenging it is to receive an A+ grade. While the initial deployment of HTTPS may seem straightforward, correctly deploying HTTPS is a daunting task. In this session, participants will learn through hands-on experience how to deploy HTTPS correctly, and how it impacts a Web application. We will cover common Web attacks on HTTPS, and how they are countered by the newest HTTPS security policies, such as HTTP Strict Transport Security (HSTS) and HTTP Public Key Pinning (HPKP).

The learning objectives for this session are:

• Learning how to deploy HTTPS correctly, with strong ciphers and forward secrecy
• Understanding the intricacies of HTTPS, and its impact on a Web application, especially in combination with HTTP
• Understanding common Web attacks against HTTPS, and the newest browser-enforced security policies that counter them

Trainers

Riccardo ten Cate

As a penetration tester and software developer from the Netherlands Riccardo is specialized in web-application security and has extensive knowledge in securing web applications in multiple coding languages.

Steven Wierckx

I’m a Software and Security Tester with 15 years of experience in programming, security testing, source code review, test automation, functional and technical analysis, development and database design. I’m a team player with a constant drive to learn new things. I have a passion for web application security and I write articles for several professional magazines with regards to that topic. I have created several courses on testing software for security problems and I teach courses on secure coding, security awareness, security testing and threat modelling.

Philippe De Ryck

Philippe De Ryck holds a PhD in computer science and is specialized in client-side Web security. Philippe focuses on a sustainable knowledge transfer of his expertise in Web security towards industry partners, mainly through training courses and public dissemination activities. Within iMinds-DistriNet , Philippe leads the Web Security-related training activities.

Conferenceday is November 25th

Agenda

Talks

The State of Security of WordPress (plugins)

Last July, we organised the Summer of Pwnage (sumofpwn.nl) targeting WordPress and WordPress Plugins. This has resulted in 118 findings; mostly affecting WordPress Plugins, but also WordPress Core. Looking at the reported types of vulnerabilities, by far the most reported type is Cross-Site Scripting. The majority of Cross-Site Scripting vulnerabilities were of the reflected type where the victim has to click on a malicious link or visit a malicious website (or advertisement). A fair share of them were stored though, and some of them even pre-auth.

Does this mean that WordPress is inherently insecure or is it just the Plugin eco system? In this talk, I'll present our view on the (in)security of WordPress and WordPress Plugins. In addition, I'll show how a WordPress installation can be compromised using Cross-Site Scripting (and how to protect) and a generic way to get remote code execution through PHP Object Injection will be demonstrated.

Securing AngularJS Applications

Since its birth, the Web evolved from a system to share and view scientific documents to a full-blown platform for sophisticated applications. While in the beginning most Web applications were implemented purely on the server-side, modern ones heavily rely on client-side components.

AnuglarJS is the latest addition in this process. Within an Angular application the server is merely a data storage facility with a few additional access checks. The core of the application is running on the client-side.

As Angular is specifically designed to work on the client-side, it attempts to remove the main points of friction for developers. By providing a templating system, two-way bindings and custom directives, DOM interactions can be reduced to a bare minimum.

From a security point of view this is very interesting as Angular removes the need for using some DOM APIs with very sharp edges (innerHTML, document.write). On the other hand, Angular introduces new ways of approaching application development that are largely unexplored in terms of security.

This talk provides an in-depth introduction to the security of Angular applications. It first introduces the core design ideas and security principles of AngularJS. Then, based on the experience of the Google Security Team, shows common security pitfalls that are specific to Angular applications. In general, the talk covers Angular's string interpolation functionality, strict auto-escaping templates, URL-based directives and insecure legacy APIs. All the presented issues are based on real-world bugs. The talk will demonstrate how to find and prevent these issues in practice.

Compression Bombs Strike Back

Network services often use data compression to reduce protocol message size. However, if data compression is not properly implemented, it can render entire applications vulnerable to DoS attacks. Abusing data compression to exhaust system resources is an old trick. For example, a zip bomb is a recursively highly-compressed file archive prepared with the only goal of exhausting the resources of programs that attempt to inspect its content. This attack was brought to the community attention in 1996 to mount DoS attacks against bulletin board systems.

While this may now seem an old, unsophisticated, and easily avoidable threat,we discovered that developers did not fully learn from prior mistakes. We looked at three protocols (i.e., HTTP, XMPP, and IMAP) and 11 network services including popular ones (e.g., Apache HTTPD, Tomcat, Prosody, and OpenFire) and discovered that the risks of supporting data compression are still often overlooked.

In this talk, we will walk through data amplification attacks starting from the ever-green zip bomb and xml bomb attacks until our recent results. We will present the current use of data compression in several popular protocol and network services, and 12 common mistakes that we observed at the implementation, specification, and configuration levels. In this talk, we will also present already patched resource exhaustion vulnerabilities which could have been used to perform Denial of Service attack against popular services.

Closing Keynote: The Future of Security

Computers are still getting faster by factor of two every 18 months, and the doubling time for memory and communications is even smaller. An increasing number of experts is developing and deploying ever more sophisticated security techniques. But cybersecurity incidents multiply and are more prominent in the media. Will the cloud and the Internet of Things offer us a secure infrastructure? Or are we heading for a security and privacy nightmare? What is the role of governments, companies and individuals? Do we need backdoors in security technologies to balance privacy and security? This seminar tries to answer these questions.

Handling of Security Requirements in Software Development Lifecycle

The bigger the company you're working in, the more technologies and methodologies used by development teams you are going to face. At the same time, you want to address security risks in an appropriate, reliable and traceable way for all of them.

After a short introduction of a unified process for handling security requirements in a large company, the main part of the talk is going to focus on a tool called SecurityRAT (Requirement Automation Tool) which has been developed in order to support and accelerate this process. The goal of the tool is first to provide a list of relevant security requirements according to properties of the developed software, and afterwards to handle these in a mostly automated way - integration with an issue tracker being used as a core feature. Work in progress and future plans will form the last part of the talk.

Zap it !

The OWASP Zed Attack Proxy (ZAP) is one of the world’s most popular and best maintained free security tools. In this talk we will cover some of the basic features of Zap and deep dive in some advanced features. We will also cover the ways you can use ZAP in your applications SDL.

Speakers

Yorick Koster

Yorick Koster is co-founder of Securify, an information security company focusing on all aspects of software security. Securify helps organisations to (proactively) secure their web and mobile applications, from design to go-live. In this we take a proactive approach (Build Security In) to catch and prevent vulnerabilities early, when still easy and cheap to fix.

Yorick has more than 10 years of experience in the field of software security and has found security vulnerabilities in a wide range of applications, including Internet Explorer, Office, .NET Framework, Adobe Reader, and WordPress.

Sebastian Lekies

Sebastian Lekies is an Information Security Engineer at Google and a PhD Student at the Ruhr-University Bochum. His research interests encompass client-side Web application security and Web application security testing. He graduated from University of Mannheim with a M.Sc. in Business Information Systems. At Google, Sebastian is part of the Security Test Engineering team that develops Google’s internal Web application security scanner and the externally facing Cloud Security Scanner (https://cloud.google.com/tools/security-scanner/). Before joining Google, Sebastian was part of SAP’s Security Research team, where he conducted academic research in the area of client-side Web application security. Sebastian is regularly speaking at academic and non-academic security conferences all around the World. He spoke at BlackHat US/EU/Asia, DeepSec, OWASP AppSec EU, Usenix Security, CCS, and many more...

Giancarlo Pellegrino

Giancarlo Pellegrino, is a post doctoral researcher of the System Security group at CISPA, Saarland University, in Germany. His main research interests include all aspects of web application security in particular security testing (black and white-box) and vulnerability analysis. Prior joining CISPA, Giancarlo worked at TU Darmstadt, Germany, and was member of the S3 group at EURECOM, in France. Until August 2013, he was Researcher Associate in the "Security and Trust" research group at SAP SE.

Bart Preneel

Bart Preneel received the Electr. Eng. and Ph.D. degrees from the KU Leuven (Belgium). He is a Full Professor at the KU Leuven where he heads the COSIC research group. He was visiting professor at five universities in Europe. He has authored more than 400 scientific publications and is inventor of 4 patents. Bart Preneel has participated to more than 30 EU funded projects and has coordinated five of those including the EU NoE ECRYPT. He has served as panel member and chair for the European Research Council. Since 1997 he is serving on the Board of Directors of the IACR (International Association for Cryptologic Research), from 2002-2007 as vice president and from 2008-2013 as president. He is a member of the Permanent Stakeholders group of ENISA and of the Academia Europaea. He has served on the advisory board of several companies and EU projects. He has served as program chair of 15 international conferences and he has been invited speaker at more than 90 conferences in 40 countries. In 2014 he received the RSA Award for Excellence in the Field of Mathematics.

Daniel Kefer

Daniel Kefer has been working in the application security field since 2007. Having started as a penetration tester, he soon became passionate about proactive security efforts and working closely with developers. Since 2011 he has been working for 1&1 where he focuses on design and continuous improvement of the internal secure SDLC process and its implementation in different development departments. Apart from 1&1, he also works as a volunteer for the OWASP OpenSAMM project.

Zakaria Rachid

Zakaria Rachid is a security consultant with some years of intense computing and security experience in critical environments (Telcos, mil...). He specializes in penetration testing, web applications security and trolling.

Social Event,starting at 7PM

Social Event information

Become a sponsor of OWASP BeNeLux

There are 3 combined sponsorship packages (Gold, Silver or Bronze) that cover the BeNeLux chapter meetings 2017 and the BeNeLux OWASP Days 2016 in Leuven.

Download our sponsor brochure here and contact us for questions or sponsorship confirmation!

Your sponsorship will be invested directly in the chapter meetings, supporting speaker and catering expenses.

The sponsorship will also be dedicated to cover the costs of the OWASP 2016 BeNeLux event.

Call for Speakers

The call for Speakers is closed.

See you next year!

OWASP AppSec conferences are true security conferences with all talks and presentations focusing on various areas of information security. Topics should focus on the technical and social aspects of security, and should not contain marketing or sales pitches.

We encourage and prioritize submissions covering research and new work impacting:

• Secure development of web applications.
• Security testing of web applications.
• Security of DevOps processes, architectures, and tools.
• Security of applications designed for mobile devices.
• Security of Internet of Things devices and platforms.
• Cloud platform security
• Browser security
• HTML5 security
• OWASP tools or projects in practice

Terms

By your submission you agree to the OWASP Speaker Agreement. It requires that you use an OWASP presentation template or other non-branded template. Presentations may not use company-themed decks or include a company logo except on the speaker bio slide. Failure to observe these requirements will result in talk removal.

All presentation slides will be published on the conference website. Pictures and other materials in presentations should not violate any copyrights. Presentation submitters are solely liable for copyright violations. You may choose any Creative Commons license for your slides, including CC0. OWASP suggests the use of open licenses.

We will cover your travel expenses or costs for accommodations.

Deadlines

• Submission of proposal closes: 11 September, 2016 – 23:59
• Notification of acceptance: 2 October, 2016
• Conference Date: 25 November, 2016

Submission

To submit a proposal, please submit an abstract of your intended presentation (500 to 4000 characters), a brief biography (150 to 800 characters) and a headshot (combine multiple files in one zip file). Your planned presentation time is 40 minutes (excluding ~5 minutes for discussion and change of speaker). Feel free to attach a preliminary version of your presentation if available. Any proposal submitted is subject to a democratic vote by the program committee. Keep in mind: The better your description of the talk, the better picture the program committee will have to review your submission. Please proofread your submission; after approval your abstract, biography, and headshot will be published verbatim into the program and website.

Submission page: https://easychair.org/conferences/?conf=owaspbenelux162