Difference between revisions of "BeNeLux OWASP Day 2016"
(→Trainingday) |
(→Agenda) |
||
Line 261: | Line 261: | ||
| 15h45 - 16h30 || Java Deserialization Security Issues || Christian Schneider | | 15h45 - 16h30 || Java Deserialization Security Issues || Christian Schneider | ||
|- | |- | ||
− | | 16h30 - 17h15 || Experiences with Paste-Monitoring || Michael Hamm | + | | 16h30 - 17h15 || Experiences with Paste-Monitoring || Michael Hamm |
|- | |- | ||
| 17h15 - 17h30 || OWASP Benelux 2015 organization || '''Closing Notes''' | | 17h15 - 17h30 || OWASP Benelux 2015 organization || '''Closing Notes''' |
Revision as of 09:01, 27 January 2016
OWASP BeNeLux Announcement
We are proud to announce the dates of the next edition of BeNeLux OWASP Day!
The event will take place on 17 and 18 March 2016, in Belval Campus, in Esch-sur-Alzette - Luxembourg.
More information on the venue can be found here.
Don't wait and register now!
Confirmed speakers Conference
- Stephen Burgmair (OWASP Germany)
- Jullie Gommes
- Erik Poll
- Arne Swinnen
- Glenn & Riccardo Ten Cate
- Christian Schneider
- Michael Hamm & Alexandre Dulaunoy (CIRCL)
- and a Mysterious speaker from Luxembourg University
The OWASP BeNeLux Program Committee
- Bart De Win / Sebastien Deleersnyder / Lieven Desmet / David Mathy, OWASP Belgium
- Martin Knobloch, OWASP Netherlands
- Jocelyn Aubert / Thierry Zoller, OWASP Luxembourg
Tweet!
Event tag is #owaspbnl16
Donate to OWASP BeNeLux
OWASP BeNeLux training day and conference are free, but registration is required!
Register today at https://owasp-benelux-day-2016.eventbrite.com . We only have a limited number of seats available for our trainings and conference. First come, first served!
To support the OWASP organisation, consider becoming a member; it's only US$50!
Check out the Membership page to find out more.
Venue is
University of Luxembourg
Maison du Savoir
2, avenue de l'Université
L-4365 Esch-sur-Alzette
How to reach the venue?
By car
Check the Belval Campus map, available on Google Maps, for route information.
Outdoor parking areas and underground car parks are available throughout the campus, particularly P+R Belval Université, or Square Mile parking or Belval Plaza.
By train
Direct trains to "Belval-Université" depart from Luxembourg Central Station every 15 minutes; the line runs via Esch-sur-Alzette with no connection needed. Train schedules are available on the CFL’s website.
When on site, access to buildings is easy on foot.
Hotel nearby
Hotel Ibis Esch-Belval
12, avenue du Rock'n'Roll
L-4361 Esch-sur-Alzette, Luxembourg
From 81 EUR per night
Trainingday
The training abstracts will be available soon
Location
The training venue is at the same location as the conference venue.
Agenda
Time | Description | Room 1 | Room 2 | Room 3 | Room 4 |
---|---|---|---|---|---|
08h30 - 9h30 | Registration | ||||
09h30 - 11h00 | Training | Application Security Primer by Martin Knobloch | Hands-on Threat Modeling by Sebastien Deleersnyder | Security Shepherd by Mark Denihan | O-saft by Achim Hoffman |
11h00 - 11h30 | Coffee Break | ||||
11h30 - 13h00 | Training | ||||
13h00 - 14h00 | Lunch | ||||
14h00 - 15h30 | Training | ||||
15h30 - 16h00 | Coffee Break | ||||
16h00 - 17h30 | Training |
Application Security Primer by Martin Knobloch
TBD
Hands-on Threat Modeling by Sebastien Deleersnyder
This is a one-day, trainer-led, on-site threat modeling course. The training material and hands-on workshops include real-life use cases. The students will be challenged to perform practical threat modeling in groups of 3 to 4 people, covering the different stages of threat modeling on:
- B2B web and mobile applications, sharing the same REST backend
- An Internet of Things (IoT) deployment with an on premise gateway and cloud-based secure update service
Threat modeling is the primary security analysis task performed during the software design stage. Threat modeling is a structured activity for identifying and evaluating application threats and vulnerabilities. The security objectives, threats, and attacks modeling activities during the threat modeling are designed to help you find vulnerabilities in your application. You can use the identified vulnerabilities to help shape your design and direct and scope your security testing.
Threat modeling allows you to consider, document, and discuss the security implications of designs in the context of their planned operational environment and in a structured fashion. Threat modeling also allows consideration of security issues at the component or application level. The threat modeling course will teach you to perform threat modeling through a series of workshops, where our trainer will guide you through the different stages of a practical threat model.
This course is aimed at software developers, architects, system managers or security professionals. Before attending this course, students should have basic knowledge of web and mobile applications and databases. The students should bring their own laptop to the course.
Course topics (1 day)
Threat modeling introduction
- Threat modeling in a secure development lifecycle
- What is threat modeling
- Why threat modeling?
- Threat modeling stages
- Diagrams
- Identify threats
- Addressing threats
- Document a threat model
Diagrams – what are you building?
- Understanding context
- Doomsday scenarios
- Data flow diagrams
- Trust Boundaries
- Hands-on: diagram B2B web and mobile applications, sharing the same REST backend
Identifying threats – what can go wrong?
- STRIDE introduction
- Spoofing threats
- Tampering threats
- Repudiation threats
- Information disclosure threats
- Denial of service threats
- Elevation of privilege threats
- Hands-on: STRIDE analysis of an Internet of Things (IoT) deployment with an on premise gateway and cloud-based secure update service
Addressing each threat
- Mitigation patterns
- Authentication: mitigating spoofing
- Integrity: mitigating tampering
- Non-repudiation: mitigating repudiation
- Confidentiality: mitigating information disclosure
- Availability: mitigating denial of service
- Authorization: mitigating elevation of privilege
Threat modeling tools
- General tools
- Open-Source tools
- Commercial tools
The course students receive the following package as part of the course:
- Hand-outs of the presentations
- Work sheets of the use cases
- Detailed solution descriptions of the use cases
- Template to document a threat model
- Template to calculate risk levels of identified threats
The students should bring their own laptop
Threat Modeling – real life use cases
As highly skilled professionals with years of experience under our belts, we know that there is a gap between academic knowledge of threat modeling and the real world. In order to minimize that gap, we have developed practical use cases based on real-life projects. Each use case includes a description of the environment, together with questions and templates to build a threat model. Using this methodology for the hands-on workshops, we provide our students with a robust training experience and the templates to incorporate threat modeling best practices in their daily work. The students will be challenged to perform the threat modeling in groups of 3 to 4 people, performing the different stages of threat modeling on:
- B2B web and mobile applications, sharing the same REST backend
- An Internet of Things (IoT) deployment with an on premise gateway and cloud-based secure update service
After each hands-on workshop, the results are discussed, and the students receive a documented solution.
Sebastien Deleersnyder
Sebastien Deleersnyder, managing partner and application security consultant at Toreon, will share his practical threat model experience. Sebastien led engagements in the domain of ICT security, web and mobile security with several customers including BNP Paribas Fortis, Atos Worldline, KBC, Nationale Nederlanden (ING), Isabel, Fluxys, OLAF, EU Council, TNT Post, Flemish Community, Agfa-Gevaert and ING Insurance International. Sebastien is the Belgian OWASP Chapter Leader, served as vice-chair of the global OWASP Foundation Board and performed several public presentations on Web Application, Mobile and Web Services Security. Furthermore, Sebastien co-founded the yearly BruCON conference.
Security Shepherd by Mark Denihan
TBD
O-saft by Achim Hoffman
TBD
Conferenceday, March 18th
Agenda
Time | Topic | Speaker |
---|---|---|
09h00 - 09h10 | Registration | |
09h15 - 10h00 | Gamers You're the new Botnets | Jullie Gommes |
10h00 - 10h45 | OWASP Top 10 Privacy Risks | Stephen Burgmair |
10h45 - 11h15 | Morning Break | |
11h15 - 12h00 | LangSec meets State Machines | Erik Poll |
12h00 - 12h45 | The Tales of a Bug Bounty Hunter: 10+ Interesting Vulnerabilities in Instagram | Arne Swinnen |
12h45 - 13h45 | Lunch | |
13h45 - 14h30 | OWASP Secure Knowledge Framework (SKF) | Glenn & Riccardo Ten Cate |
14h30 - 15h15 | Mobile Security | University Luxembourg |
15h15 - 15h45 | Break | |
15h45 - 16h30 | Java Deserialization Security Issues | Christian Schneider |
16h30 - 17h15 | Experiences with Paste-Monitoring | Michael Hamm |
17h15 - 17h30 | OWASP Benelux 2015 organization | Closing Notes |
Social Event
Wait for it...
Capture the Flag!
- Do you like puzzles?
- Do you like challenges?
- Are you a hacker?
Whether you are an experienced hacker or a new enthusiast, you should come to OWASP BeNeLux Day and participate in the Capture the Flag event.
The OWASP CTF is especially designed to support challengers of all skill levels. The CTF contains multiple challenges in various fields related to application security. As every challenge gains you one point, you can pick and choose which challenge you want to play.
All you need is a laptop with a Wi-Fi card and your favorite (preferably non-commercial) tools.
So come, show off your skills, learn new tricks and above all have a good time at the CTF event.
Become a sponsor of OWASP BeNeLux
Promotion
Feel free to use the text below to promote our event!
We invite you to our next OWASP event: the BeNeLux OWASP Days 2016! The good news: it's free! No fee!
The bad news: there are only 280 seats available (first registered, first served)!
Made possible by our Sponsors