This site is the archived OWASP Foundation Wiki and is no longer accepting Account Requests.
To view the new OWASP Foundation website, please visit https://owasp.org

Difference between revisions of "OWASP BeNeLux-Days 2018"

From OWASP
Jump to: navigation, search
(Gutted the page of the content from the previous edition and made some structure improvements.)
Line 1: Line 1:
<center>[[Image:Header-BNL-2018.png]]<br></center>
+
<center>[[Image:Header-BNL-2018.png]]</center>
  
 
<br><!-- Header -->
 
<br><!-- Header -->
Line 6: Line 6:
 
<!-- First tab -->
 
<!-- First tab -->
 
= Information  =
 
= Information  =
== Keynote speaker ==
+
 
{{#switchtablink:Conferenceday|<p>
+
== Keynote Speaker ==
 +
 
 +
{{#switchtablink:Conference Day|<p>
 
*  TBD
 
*  TBD
 
}}
 
}}
  
== Confirmed speakers Conference ==
+
== Confirmed Conference Speakers ==
{{#switchtablink:Conferenceday|<p>
+
 
 +
{{#switchtablink:Conference Day|<p>
 
* TBD
 
* TBD
 
}}
 
}}
  
== Confirmed trainers ==
+
== Confirmed Trainers ==
{{#switchtablink:Trainingday|<p>
+
 
 +
{{#switchtablink:Training Day|<p>
 
* TBD
 
* TBD
 
}}
 
}}
  
 
== OWASP BeNeLux conference is free, but registration is required! ==
 
== OWASP BeNeLux conference is free, but registration is required! ==
 +
 
[[image:Register_now_red.png|link=https://owasp-benelux-day-2018.eventbrite.com |alt=Register for the OWASP BeNeLux Day 2018 | Register for the OWASP BeNeLux Day 2018 ]]
 
[[image:Register_now_red.png|link=https://owasp-benelux-day-2018.eventbrite.com |alt=Register for the OWASP BeNeLux Day 2018 | Register for the OWASP BeNeLux Day 2018 ]]
  
 
== The OWASP BeNeLux Program Committee ==
 
== The OWASP BeNeLux Program Committee ==
 +
 
*Bart De Win / Sebastien Deleersnyder/ Lieven Desmet/ David Mathy, OWASP Belgium
 
*Bart De Win / Sebastien Deleersnyder/ Lieven Desmet/ David Mathy, OWASP Belgium
 
*Martin Knobloch / Joren Poll, OWASP Netherlands
 
*Martin Knobloch / Joren Poll, OWASP Netherlands
 
*Jocelyn Aubert, OWASP Luxembourg
 
*Jocelyn Aubert, OWASP Luxembourg
<br>
 
  
 
== Tweet! ==
 
== Tweet! ==
 +
 
Event tag is [http://twitter.com/#search?q=%23owaspbnl17 #owaspbnl18]
 
Event tag is [http://twitter.com/#search?q=%23owaspbnl17 #owaspbnl18]
<br><br>
+
 
 
== Donate to OWASP BeNeLux ==
 
== Donate to OWASP BeNeLux ==
 +
 
[https://co.clickandpledge.com/?wid=72689 Donate]
 
[https://co.clickandpledge.com/?wid=72689 Donate]
  
 
<!-- Second tab -->
 
<!-- Second tab -->
 
 
= Registration =
 
= Registration =
  
 +
== OWASP BeNeLux conference is free, but registration is required! ==
  
== OWASP BeNeLux conference is free, but registration is required! ==
 
 
<!--
 
<!--
 
[[image:Register_now_red.png|link=https://owasp-benelux-day-2018.eventbrite.com |alt=Register for the OWASP BeNeLux Day 2018 | Register for the OWASP BeNeLux Day 2018 ]]
 
[[image:Register_now_red.png|link=https://owasp-benelux-day-2018.eventbrite.com |alt=Register for the OWASP BeNeLux Day 2018 | Register for the OWASP BeNeLux Day 2018 ]]
Line 47: Line 53:
  
 
== OWASP BeNeLux training is reserved for OWASP members, and registration is required! ==
 
== OWASP BeNeLux training is reserved for OWASP members, and registration is required! ==
 +
 
To support the OWASP organisation, we ask training attendees to consider becoming an OWASP member, it's only US$50!
 
To support the OWASP organisation, we ask training attendees to consider becoming an OWASP member, it's only US$50!
 
Check out the [[Membership]] page to find out more.  
 
Check out the [[Membership]] page to find out more.  
Line 53: Line 60:
 
[https://owasp-benelux-day-2018.eventbrite.com Register now!]
 
[https://owasp-benelux-day-2018.eventbrite.com Register now!]
 
-->
 
-->
<br>
 
To support the OWASP organisation, consider to become a member, it's only US$50!
 
<br>
 
Check out the [[Membership]] page to find out more.
 
<br>
 
  
 +
To support the OWASP organisation, consider to become a member, it's only US$50! Check out the [[Membership]] page to find out more.
  
 
<!-- Third tab -->
 
<!-- Third tab -->
 +
= Venue =
  
= Venue =
+
== Address ==
  
== Venue ==
+
Venue:
  
 +
'''Congres- en Erfgoedcentrum Lamot'''
 +
Van Beethovenstraat 8-10
 +
2800 Mechelen
 +
Belgium
  
The venue is located:
+
[https://goo.gl/maps/gZ9icR178w52 Google map]
  
'''Congres- en Erfgoedcentrum Lamot'''
+
Parking:
:Van Beethovenstraat 8-10
 
:B – 2800 Mechelen
 
:Belgium
 
:[https://goo.gl/maps/gZ9icR178w52 Google map]
 
  
'''''Parking .....'''''
+
TBD
  
 
=== How to reach the venue? ===
 
=== How to reach the venue? ===
;'''Public transport '''<br>
+
 
 +
==== Public transport ====
 +
 
 
TBD
 
TBD
  
'''<u>By car</u>'''
+
==== By car ====
 +
 
 
TBD
 
TBD
  
=== Hotel nearby ===
+
=== Hotels Nearby ===
 +
 
 
[https://www.google.nl/maps/search/Hotels/@51.5571525,5.0821866,15z/data=!3m1!4b1 Hotels on Google Maps]
 
[https://www.google.nl/maps/search/Hotels/@51.5571525,5.0821866,15z/data=!3m1!4b1 Hotels on Google Maps]
 +
 +
TBD maybe Booking.com or others
 +
 
<!-- Fourth tab -->
 
<!-- Fourth tab -->
 +
= Training Day =
  
= Trainingday =
+
'''Training Day is November 29th'''
=== Trainingday is November 29rd  ===
 
  
== Location ==
+
== Agenda (TBD)==
  
== Agenda (TBD)==
 
 
{| class="wikitable"
 
{| class="wikitable"
 
! Time !! Description !! Room TBA !! Room TBA !! Room TBA
 
! Time !! Description !! Room TBA !! Room TBA !! Room TBA
Line 101: Line 111:
 
|-
 
|-
 
| 09h30 - 11h00 || Training
 
| 09h30 - 11h00 || Training
| rowspan="7" style="width:100px;" | [[OWASP_BeNeLux-Day_2017#WebGoat_-_Teaching_application_security_101_by_Nanne_Baars | WebGoat - Teaching application security 101]] <br>by [[OWASP_BeNeLux-Day_2017#WebGoat_-_Teaching_application_security_101_by_Nanne_Baars | Nanne Baars]]
+
| rowspan="7" style="width:100px;" | [[#TRAINING_1 | TRAINING_1_TITLE]] by TRAINING_1_TRAINER
| rowspan="7" style="width:100px;" | [[OWASP_BeNeLux-Day_2017#Whiteboard_Hacking_aka_Hands-on_Threat Modeling_by_Sebastien Deleersnyder  | Whiteboard Hacking aka Hands-on Threat Modeling]] <br>by [[OWASP_BeNeLux-Day_2017#Whiteboard_Hacking_aka_Hands-on_Threat Modeling_by_Sebastien Deleersnyder | Sebastien Deleersnyder]]
+
| rowspan="7" style="width:100px;" | [[#TRAINING_2 | TRAINING_2_TITLE]] by TRAINING_2_TRAINER
| rowspan="7" style="width:100px;" | [[OWASP_BeNeLux-Day_2017#Secure_Development:_Models_and_best_practices_by_Bart_De_Win | Secure Development: Models and best practices]] <br>by [[OWASP_BeNeLux-Day_2017#Secure_Development:_Models_and_best_practices_by_Bart_De_Win | Bart De Win]]
+
| rowspan="7" style="width:100px;" | [[#TRAINING_3 | TRAINING_3_TITLE]] by TRAINING_3_TRAINER
 
|-
 
|-
 
| 11h00 - 11h30 ||  ''Coffee Break''
 
| 11h00 - 11h30 ||  ''Coffee Break''
Line 119: Line 129:
  
 
== Trainings ==
 
== Trainings ==
=== WebGoat - Teaching application security 101 by Nanne Baars ===
 
====Topic(s) ====
 
* Web Application Breaker
 
* Other
 
====Keywords ====
 
WebGoat application, security teaching secure development
 
  
====Abstract ====
+
=== <span id="TRAINING_1">TRAINING_1_TITLE by TRAINING_1_TRAINER</span> ===
A good defense against insecure code requires understanding the mechanics behind how attackers exploit simple programming mistakes.
 
The WebGoat team will walk through exercises like SQL Injection, XSS, XXE, CSRF, ... and demonstrate how these exploits work.
 
 
We will show you how you can use WebGoat to train your developers to avoid these simple but common programming mistakes.
 
 
We also show you how to extend WebGoat to create lessons specific to your environment.
 
Join us to learn the most basic, but common, application security problems.
 
  
Tired of all the lessons? During the training we will host a small CTF competition which you can take a shot at and compete with each other...
+
==== Topic(s) ====
  
=== Requirements===
+
* TRAINING_1_TOPIC_1
Please find the course prerequisites here: https://github.com/nbaars/owasp-training
+
* TRAINING_1_TOPIC_2
  
====Bio====
+
==== Keywords ====
Nanne Baars works as a security consultant & developer at JDriven and is one of the primary developers of WebGoat.
+
 
 +
TRAINING_1_KEYWORD_1, TRAINING_1_KEYWORD_2
 +
 
 +
==== Abstract ====
 +
 
 +
TRAINING_1_ABSTRACT
 +
 
 +
==== Requirements ====
 +
 
 +
TRAINING_1_REQUIREMENTS
 +
 
 +
==== Bio ====
 +
 
 +
TRAINING_1_TRAINER_BIO
 +
 
 +
=== <span id="TRAINING_2">TRAINING_2_TITLE by TRAINING_2_TRAINER</span> ===
 +
 
 +
==== Topic(s) ====
 +
 
 +
* TRAINING_2_TOPIC_1
 +
* TRAINING_2_TOPIC_2
 +
* ...
 +
 
 +
==== Keywords ====
 +
 
 +
TRAINING_2_KEYWORD_1, TRAINING_2_KEYWORD_2, ...
 +
 
 +
==== Abstract ====
 +
 
 +
TRAINING_2_ABSTRACT
 +
 
 +
==== Requirements ====
 +
 
 +
TRAINING_2_REQUIREMENTS
 +
 
 +
==== Bio ====
 +
 
 +
TRAINING_2_TRAINER_BIO
  
=== Whiteboard Hacking aka Hands-on Threat Modeling by Sebastien Deleersnyder ===
+
=== <span id="TRAINING_3">TRAINING_3_TITLE by TRAINING_3_TRAINER</span> ===
====Topic(s) ====
 
* Threat modeling introduction
 
* Diagrams – what are you building?
 
* Identifying threats – what can go wrong?
 
* Hands-on: STRIDE analysis of an Internet of Things (IoT) deployment with an on premise gateway and secure update service
 
* Addressing each threats
 
* Hands-on: threat mitigations OAuth scenarios for web and mobile applications
 
  
====Keywords ====
+
==== Topic(s) ====
Threat Modeling, STRIDE, Technical risk assessment
 
  
====Abstract ====
+
* TRAINING_3_TOPIC_1
This is a one day version of our Black Hat training on Threat Modeling. The students will be challenged to perform practical threat modeling in groups of 3 to 4 people covering the different stages of threat modeling on:
+
* TRAINING_3_TOPIC_2
* An Internet of Things (IoT) deployment with an on premise gateway and secure update service
+
* ...
* An HR services OAuth scenario for mobile and web applications
 
Threat modeling is a structured activity for identifying and evaluating application threats and vulnerabilities. It also allows consideration of security issues at the component or application level. The threat modeling course will teach you to perform threat modeling through a series of workshops, where our trainer will guide you through the different stages of a practical threat model. <br>
 
This course is aimed at software developers, architects, system managers or security professionals. Before attending this course, students should be familiar with basic knowledge of web and mobile Applications, databases & Single sign on (SSO) principles.
 
  
 +
==== Keywords ====
  
====Bio====
+
TRAINING_3_KEYWORD_1, TRAINING_3_KEYWORD_2, ...
Sebastien (lead application security consultant Toreon) led engagements in the domain of ICT-security, Web and Mobile Security with several customers in the private and public sector. Sebastien is the Belgian OWASP Chapter Leader and is co-project leader of OWASP SAMM.
 
  
=== Secure Development: Models and best practices by Bart De Win ===
+
==== Abstract ====
====Topic(s) ====
 
* Software Assurance maturity models
 
* Secure Development in agile development
 
* Tips and tricks for practical SDLC
 
* Hands-on: SAMM analysis of your enterprise using SAMM 1.5
 
* Sneak preview of SAMM 2.0
 
  
====Keywords ====
+
TRAINING_3_ABSTRACT
SDLC, SAMM, Agile development,
 
  
====Abstract ====
+
==== Requirements ====
It takes much more than a good developer to build secure software within an organisation. Indeed, building secure software is about ensuring that security is taken into consideration during the entire software lifecycle. It is about ensuring that security best practices are being employed efficiently, and that uncovered risks are appropriately dealt with in due time.
 
  
During this one-day training, we will introduce and discuss different secure development approaches and models. We will look into waterfall vs. agile development and discuss different strategies to successfully run an SDLC program. Finally, we will also put theorie into practice and take your organisation to perform a mini SDLC assessment and improvement exercise.
+
TRAINING_3_REQUIREMENTS
[[File:Benelux2017 - Secure Development Training deck.pdf|thumb]]
 
The slides of this session are available for download in the media file.
 
  
====Bio====
+
==== Bio ====
Bart is an application security consultant and enthousiast and is spending considerable time on secure development projects. Bart is board member of the Belgian OWASP Chapter and is co-project leader of OWASP SAMM.
 
  
 +
TRAINING_3_TRAINER_BIO
  
 
<!-- Fifth tab -->
 
<!-- Fifth tab -->
 +
= Conference Day =
  
= Conferenceday =
+
'''Conference Day is November 30th'''
=== Conferenceday is November 30th ===
 
  
 +
== Agenda (TBD)==
  
== Agenda (TBD)==
 
 
{| class="wikitable"
 
{| class="wikitable"
 
! width="120pt" | Time
 
! width="120pt" | Time
Line 207: Line 220:
 
| colspan="3" style="text-align: center; background: grey; color: white" | ''Opening''
 
| colspan="3" style="text-align: center; background: grey; color: white" | ''Opening''
 
|-  
 
|-  
| 09h15 - 10h00 || [[OWASP_BeNeLux-Day_2017#Attribute Based Access Control. Why, what, how? by Jacoba Sieders | Jacoba Sieders]]
+
| 09h15 - 10h00
|| [[OWASP_BeNeLux-Day_2017#Attribute Based Access Control. Why, what, how? by Jacoba Sieders | Attribute Based Access Control. Why, what, how?]]  
+
| [[#TALK_0915 | TALK_0915_PRESENTER]]
|| [[Media:OWASP BeNeLux-Day 2017 AttributeBasedAccessControl WhyWhatHow JacobaSieders.pdf|Slides]]<br>[https://youtu.be/O7iWITnZGsk Video]
+
| [[#TALK_0915 | TALK_0915_TITLE]]
 +
| not yet available <!--[[Media:TALK_0915_SLIDES|Slides]] [TALK_0915_VIDEO Video]-->
 
|-
 
|-
| 10h00 - 10h45 || [[OWASP_BeNeLux-Day_2017#How to spend $3.6mil on one coding mistake, and other fun stuff you can do with $3.6mil by Matia Madou | Matias Madou]]
+
| 10h00 - 10h45
|[[OWASP_BeNeLux-Day_2017#How to spend $3.6mil on one coding mistake, and other fun stuff you can do with $3.6mil by Matia Madou | How to spend $3.6mil on one coding mistake, and other fun stuff you can do with $3.6mil]]
+
| [[#TALK_1000 | TALK_1000_PRESENTER]]
|| [[Media:OWASP_BeNeLux-Day_2017_how_to_spend_$3.6_mil_on_one_coding_mistake_by_Matias_Madou.pdf|Slides]] <br> [https://www.youtube.com/watch?v=dt5rFGBztJA&feature=youtu.be Video]
+
| [[#TALK_1000 | TALK_1000_TITLE]]
 
+
| not yet available <!--[[Media:TALK_1000_SLIDES|Slides]] [TALK_1000_VIDEO Video]-->
 
|-
 
|-
 
| 10h45 - 11h15  
 
| 10h45 - 11h15  
 
| colspan="3" style="text-align: center;background: grey; color: white" | ''Morning Break''  
 
| colspan="3" style="text-align: center;background: grey; color: white" | ''Morning Break''  
 
|-
 
|-
| 11h15 - 12h00 || [[OWASP_BeNeLux-Day_2017#The evil friend in your browser by Achim D. Brucker | Achim D. Brucker]]
+
| 11h15 - 12h00
|[[OWASP_BeNeLux-Day_2017#The evil friend in your browser by Achim D. Brucker | The evil friend in your browser]]
+
| [[#TALK_1115 | TALK_1115_PRESENTER]]
| [[Media:OWASP_BeNeLux-Day_2017_The evil friend in your browser_Achim_Brucker.pdf|Slides]]<br>[https://www.youtube.com/watch?v=_Uj-Ci37Rvw&feature=youtu.be Video]
+
| [[#TALK_1115 | TALK_1115_TITLE]]
 +
| not yet available <!--[[Media:TALK_1115_SLIDES|Slides]] [TALK_1115_VIDEO Video]-->
 
|-
 
|-
| 12h00 - 12h45 || [[OWASP_BeNeLux-Day_2017#Exploring the ecosystem of malicious domain registrations in the .eu TLD by Lieven Desmet | Lieven Desmet]]
+
| 12h00 - 12h45
|| [[OWASP_BeNeLux-Day_2017#Exploring the ecosystem of malicious domain registrations in the .eu TLD by Lieven Desmet | Exploring the ecosystem of malicious domain registrations in the .eu TLD]]
+
| [[#TALK_1200 | TALK_1200_PRESENTER]]
| [[Media:OWASP BeNeLux-Day 2017 Exploring the ecosystem of malicious domain registrations LievenDesmet.pdf|Slides]]<br>[https://www.youtube.com/watch?v=09SNSYHw8H0&feature=youtu.be Video]
+
| [[#TALK_1200 | TALK_1200_TITLE]]
 +
| not yet available <!--[[Media:TALK_1200_SLIDES|Slides]] [TALK_1200_VIDEO Video]-->
 
|-
 
|-
 
| 12h45 - 13h45
 
| 12h45 - 13h45
 
| colspan="3" style="text-align: center;background: grey; color: white" | ''Lunch''  
 
| colspan="3" style="text-align: center;background: grey; color: white" | ''Lunch''  
 
|-
 
|-
| 13h45 - 14h30 || [[OWASP_BeNeLux-Day_2017#Don't trust the DOM: Bypassing XSS mitigations via script gadgets by Sebastian Lekies | Sebastian Lekies]]
+
| 13h45 - 14h30
|| [[OWASP_BeNeLux-Day_2017#Don't trust the DOM: Bypassing XSS mitigations via script gadgets by Sebastian Lekies | Don't trust the DOM: Bypassing XSS mitigations via script gadgets]]
+
| [[#TALK_1345 | TALK_1345_PRESENTER]]
| [[Media:OWASP BeNeLux-Day 2017 Bypassing XSS mitigations via script gadgets Sebastian Lekies.pdf|Slides]]<br>[https://www.youtube.com/watch?v=rssg--FP1AE&feature=youtu.be Video]
+
| [[#TALK_1345 | TALK_1345_TITLE]]
 +
| not yet available <!--[[Media:TALK_1345_SLIDES|Slides]] [TALK_1345_VIDEO Video]-->
 
|-
 
|-
| 14h30 - 15h15 || [[OWASP_BeNeLux-Day_2017#A Series of Unfortunate Events: Where Malware Meets Murphy by Mattijs van Ommeren | Mattijs van Ommeren]]
+
| 14h30 - 15h15
|| [[OWASP_BeNeLux-Day_2017#A Series of Unfortunate Events: Where Malware Meets Murphy by Mattijs van Ommeren | A Series of Unfortunate Events: Where Malware Meets Murphy]]
+
| [[#TALK_1430 | TALK_1430_PRESENTER]]
| <!--[[Media:OWASP_Benelux-Day_2017_A_Series_Of_Unfortunate_Events-Where_Malware_Meets_Murphy_Mattijs_van_Ommeren.pdf|Slides]]<br> -->[https://www.youtube.com/watch?v=d67yxt3FdTA&feature=youtu.be Video]
+
| [[#TALK_1430 | TALK_1430_TITLE]]
 +
| not yet available <!--[[Media:TALK_1430_SLIDES|Slides]] [TALK_1430_VIDEO Video]-->
 
|-
 
|-
 
| 15h15 - 15h45
 
| 15h15 - 15h45
 
| colspan="3" style="text-align: center;background: grey; color: white" | ''Break''  
 
| colspan="3" style="text-align: center;background: grey; color: white" | ''Break''  
 
|-
 
|-
| 15h45 - 16h30 |[[OWASP_BeNeLux-Day_2017#Common REST API security pitfalls by Philippe De Ryck | Philippe De Ryck]]
+
| 15h45 - 16h30
|| [[OWASP_BeNeLux-Day_2017#Common REST API security pitfalls by Philippe De Ryck | Common REST API security pitfalls]]
+
| [[#TALK_1545 | TALK_1545_PRESENTER]]
| [[Media:OWASP BeNeLux-Day 2017 Common REST API security pitfalls Philippe De Ryck.pdf|Slides]]<br>[https://www.youtube.com/watch?v=Meh4EUmLCfM&feature=youtu.be Video]
+
| [[#TALK_1545 | TALK_1545_TITLE]]
 +
| not yet available <!--[[Media:TALK_1545_SLIDES|Slides]] [TALK_1545_VIDEO Video]-->
 
|-
 
|-
| 16h30 - 17h15 || [[OWASP_BeNeLux-Day_2017#Creating An AppSec Pipeline With Containers In A Week How We Failed And Succeeded by Jeroen Willemsen | Jeroen Willemsen]]
+
| 16h30 - 17h15
|| [[OWASP_BeNeLux-Day_2017#Creating An AppSec Pipeline With Containers In A Week How We Failed And Succeeded by Jeroen Willemsen | Creating An AppSec Pipeline With Containers In A Week How We Failed And Succeeded]]
+
| [[#TALK_1630 | TALK_1630_PRESENTER]]
| [[Media:OWASP BeNeLux-Day 2017 Creating An AppSec Pipeline With Containers In A Week How We Failed And Succeeded Jeroen Willemsen.pdf|Slides]]<br>[https://www.youtube.com/watch?v=Q3q1mdev5rs&feature=youtu.be Video]
+
| [[#TALK_1630 | TALK_1630_TITLE]]
 +
| not yet available <!--[[Media:TALK_1630_SLIDES|Slides]] [TALK_1630_VIDEO Video]-->
 
|-
 
|-
 
| 17h15 - 17h30
 
| 17h15 - 17h30
Line 253: Line 273:
 
|}
 
|}
  
<div id="TBD"></div>
+
== Talks ==
 +
 
 +
=== <span id="TALK_0915">TALK_0915_TITLE</span> ===
 +
 
 +
==== Abstract ====
 +
 
 +
TBD
  
== Talks ==  
+
==== Bio ====
 +
 
 +
TBD
 +
 
 +
=== <span id="TALK_1000">TALK_1000_TITLE</span> ===
 +
 
 +
==== Abstract ====
 +
 
 +
TBD
 +
 
 +
==== Bio ====
 +
 
 +
TBD
 +
 
 +
=== <span id="TALK_1115">TALK_1115_TITLE</span> ===
 +
 
 +
==== Abstract ====
 +
 
 +
TBD
 +
 
 +
==== Bio ====
 +
 
 +
TBD
 +
 
 +
=== <span id="TALK_1200">TALK_1200_TITLE</span> ===
 +
 
 +
==== Abstract ====
 +
 
 +
TBD
  
===Attribute Based Access Control. Why, what, how? by Jacoba Sieders===
 
====Abstract====
 
Digitization is rapidly transforming the traditional world and regulation on security and data protection is gaining weight. Digital identity, but also data protection become crucial capabilities for businesses.  What are the trends in IAM and what role can Attribute Based Access Control (ABAC) play here? ABNAMRO started implementing ABAC in 2014. What were the approach and the lessons learnt?
 
 
====Bio====
 
====Bio====
Jacoba Sieders, Head of Digital Identity- & Access, ABNAMRO Bank.<br />
 
Jacoba is an all-round Digital Identity and Information Security expert with 17 years of experience in the international finance industry, in technology, governance, consultancy, and implementation. She is accountable for digital identity services and access control for customers, employees and partners to the bank’s data and infrastructure.
 
Major topics on her agenda today are ABAC, data centric security, API-banking and PSDII requirements, the interaction of IAM tools with the rest of the bank’s cybersecurity landscape, and the new authentication concept for which ABNAMRO is acquiring a patent. Her special interests are legal requirements impacting identity, e.g. Generic Data Protection Regulation, the EU e-IDAS scheme, KYC and AML legislation. 
 
Jacoba is a member of the Advisory Board of the independent European think-tank ID Next and is regularly speaking on the topic of IAM. She holds a master degree in Classics from Leiden University (Greek, Latin, Hebrew).
 
  
 +
TBD
 +
 +
=== <span id="TALK_1345">TALK_1345_TITLE</span> ===
 +
 +
==== Abstract ====
  
===How to spend $3.6mil on one coding mistake, and other fun stuff you can do with $3.6mil by Matia Madou===
+
TBD
====Abstract====
 
In a recent global study, the average cost of a data breach is $3.62M globally. This session will discuss infamous examples of data breaches that has made headlines around the world. We will explore the technical details of the vulnerability itself and what a coding solution may have been to prevent the breach. We will also dive deeper on exploring different solutions, processes and techniques you can apply in your day-to-day to prevent application security vulnerabilities in your code.
 
====Bio====
 
Matias Madou is a Co-Founder and CTO of Secure Code Warrior where he is responsible for leading the company’s technology vision and overseeing the engineering team. Matias has more than 15 years of hands-on software security experience and has developed solution for companies such as HP Fortify, and founded a company called Sensei Security. Matias has led multiple application security research projects which have led to commercial products and boasts over 10 patents under his belt. When he is away from his desk, Matias has served as an instructor for advanced application security training courses and regularly speaks at global conferences including RSA Conference, Black Hat, DefCon, BSIMM, OWASP AppSec and BruCon. Matias holds a Ph.D. in Computer Engineering from Ghent University.
 
  
 +
==== Bio ====
  
===The evil friend in your browser by Achim D. Brucker===
+
TBD
====Abstract====
 
On the one hand, browser extensions, e.g., for Chrome, are very useful, as they extend web browsers with additional functionality
 
(e.g., blocking ads). On the other hand, they are the most dangerous code that runs in your browsers: extension can read and modify both the content displayed in the browser. As they also can communicate with any web-site or web-service, they can report both data and metadata to external parties.
 
  
The current security model for browser extensions seems to be inadequate for expressing the security or privacy needs of browser users. Consequently, browser extensions are a "juice target" for attackers targeting web users.
+
=== <span id="TALK_1430">TALK_1430_TITLE</span> ===
  
We present results of analysing over 60000 browser extensions on how they use the current security model and discuss examples of extensions that are potentially of high risk. Based on the results of our analysis of real world browser extensions as well as our own threat model, we discuss the limitations of the current security model form a user perspective.  need of browser users.
+
==== Abstract ====
  
====Bio====
+
TBD
Dr. Achim D. Brucker (www.brucker.uk) is a Senior Lecturer and consultant for software and systems assurance at the Computer Science Department of The University of Sheffield, UK.  Until December 2015, he was a Research Expert (Architect), Security Testing Strategist, and Project Lead in the Global Security Team of SAP SE, where he defined the risk-based security testing strategy of SAP that combines static, dynamic, and interactive security testing methods and integrates them deeply into SAP's Secure Software Development Lifecycle. He has experience in rolling out *AST tools to world-wide development organisations.
 
  
===Exploring the ecosystem of malicious domain registrations in the .eu TLD by Lieven Desmet===
+
==== Bio ====
====Abstract====
 
In this talk, we report on an extensive analysis of 14 months of domain registration in the .eu TLD. The purpose is to identify large-scale malicious campaigns. Overall, the dataset of this study contains 824,121 new domain registrations; 2.53% of which have been flagged as malicious by blacklisting services. We explore the ecosystem and modus operandi of elaborate cybercriminal entities that recurrently register large amounts of domains for one-shot, malicious use. Although these malicious domains are short-lived, we establish that at least 80.04% of them can be framed in to 20 larger campaigns with varying duration and intensity. We further report on insights in the operational aspects of this business and observe, amongst other findings, that their processes are only partially automated.
 
====Bio====
 
Lieven Desmet is a Senior Research Manager on Secure Software in the imec-DistriNet Research Group at the Katholieke Universiteit Leuven (Belgium), where he outlines and implements the research strategy, coaches junior researchers in application security, and participates in dissemination, valorisation and spin-off activities. Lieven is also involved in OWASP as a board member of the Belgium OWASP Chapter, and part of the organisation team of the OWASP BeNeLux Day.
 
  
===Don't trust the DOM: Bypassing XSS mitigations via script gadgets by Sebastian Lekies===
+
TBD
====Abstract====
 
Cross-Site Scripting is a constant problem of the Web platform. Over the years many techniques have been introduced to prevent or mitigate XSS. Most of these techniques, thereby, focus on script tags and event handlers. HTML sanitizers, for example, aim at removing potentially dangerous tags and attributes. Another example is the Content Security Policy, which forbids inline event handlers and aims at white listing of legitimate scripts.
 
  
In this talk, we present a novel Web hacking technique that enables an attacker to circumvent most XSS mitigations. In order to do so, the attacker abuses so-called script gadgets. A script gadget Is a legitimate piece of JavaScript in a page that reads elements from the DOM via selectors and processes them in a way that results in script execution. To abuse a script gadget, the attacker injects a benign looking element into the page that matches the gadget's selector. Subsequently, the gadget selects the benign-looking element and executes attacker-controlled scripts. As the initially injected element is benign it passes HTML sanitizers and security policies. The XSS only surfaces when the gadget mistakenly elevates the privileges of the element.
+
=== <span id="TALK_1545">TALK_1545_TITLE</span> ===
  
In this talk, we will demonstrate that these gadgets are present in almost all modern JavaScript libraries, APIs and applications. We will present several case studies and real-world examples that demonstrate that many mitigation techniques are not suited for modern applications. As a result, we argue that the Web should start focusing more on preventive mechanisms instead of mitigations.
+
==== Abstract ====
====Bio====
 
Sebastian Lekies is tech leading the Web application security scanning team at Google. Before joining Google, he was part of SAP's Security Research team, where he conducted academic research in the area of client-side Web application security. Sebastian is regularly speaking at academic and non-academic security conferences such as BlackHat US/EU/Asia, DeepSec, OWASP AppSec EU, Usenix Security, CCS, and many more...
 
  
 +
TBD
  
===A Series of Unfortunate Events: Where Malware Meets Murphy by Mattijs van Ommeren===
 
====Abstract====
 
When an end user reports some “strange looking file names”, which, after investigating, you discover include several hundreds of Gigabytes of encrypted data, you of course know you are going to have a bad day. Your AV solution has failed you, your firewall has failed you, and your SIEM has failed you. Basically, every piece of security infrastructure you have put your trust (and money) into has left you out in the cold and you thank <deity of choice> that at least the nightly backup was completed successfully. Spin up the tape drive, and soon you will be back in business, or not…?
 
 
This talk is about failure. Not only about a failing security infrastructure, but also about failure in doing the Right Thing™ as a first responder, about the failure of Operating System tools, failing APIs, and ironically, also the failure of malware (which is unfortunately not as positive as it may sound). The scenario presented comes pretty close to the worst chain of events you can imagine, in an attempt to recover from a ransomware incident.
 
 
Luckily – this story has a happy ending. We will reveal how one can be prepared for when both Count Olaf and Murphy come knocking on your door simultaneously.
 
 
====Bio====
 
====Bio====
Mattijs van Ommeren has been poking hardware and software for 15 years. He has spent most of his working life as a security consultant, attacking and defending both traditional IT environments as well as more esoteric embedded devices and industrial systems. Presently he has a lot of fun at Nixu.
 
  
 +
TBD
  
===Common REST API security pitfalls by Philippe De Ryck===
+
=== <span id="TALK_1630">TALK_1630_TITLE</span> ===
====Abstract====
 
The shift towards a REST API landscape indicates a significant evolution in the way we build applications. The rise of JavaScript and mobile applications have sparked an explosion of easily-accessible REST APIs. But how do you protect access to your API? Which security aspects are no longer relevant? Which security features are an absolutely must-have, and which additional security measures do you need to take into account?
 
  
These are hard questions, as evidenced by the deployment of numerous insecure REST APIs. Attend this session to find out about common API security pitfalls, that often result in compromised user accounts and unauthorized access to your data. We expose the problem that lies at the root of each of these pitfalls, and offer actionable advice to address these security problems. After this session, you will know how to assess the security of your APIs, and the best practices to improve them towards the future.
+
==== Abstract ====
====Bio====
 
Philippe De Ryck is a professional speaker and trainer on software security and web security. Since he obtained his PhD at the imec-DistriNet research group (KU Leuven, Belgium), he has been running the group's Web Security Training program, which ensures a sustainable knowledge transfer of the group’s security expertise towards practitioners.
 
  
 +
TBD
  
===Creating An AppSec Pipeline With Containers In A Week How We Failed And Succeeded by Jeroen Willemsen===
 
====Abstract====
 
Join us on our adventure of setting up a appsec pipeline with Docker containers. What did go wrong, how did we succeed? How do you fight false positives and how do you get the best out of the products out there without bothering the development teams too much.
 
 
====Bio====
 
====Bio====
Jeroen Willemsen is a security architect with a passion for mobile and risk management. He loves to work on secure building blocks, security automation pipelines and embedding information security risk management controls in an agile environment. He is dedicated to help developers, product owners and architects to take security seriously in their daily development life (but not too serious of course ;-)).In his spare time he loves to experiment with new technologies and frameworks.”
 
  
 +
TBD
  
 
<!-- Sixth tab -->
 
<!-- Sixth tab -->
 +
= Social Event =
  
= Social Event (TBD)=
+
'''The Social Event is on Thursday, November 29th'''
  
== Social Event,starting at 7PM ==
+
'''If you want to join the social event, don't forget to register for it via the registration:'''
Thursday, November 23rd
 
;Dudok Tilburg
 
:Veemarktstraat 33
 
:5038 CT Tilburg
 
:http://www.dudok.nl/
 
Menu:
 
:As we are a big group, Dudok will prepare the following [[Media:Dudok menu OWASP.pdf|menu]] for us!
 
'''If you want to join the social event, don't forget to register for the social event via the registration:'''
 
:[[image:Register_now_red.png|link=https://owasp-benelux-day-2017.eventbrite.com |200px|alt=Register for the OWASP BeNeLux Day 2017 | Register for the OWASP BeNeLux Day 2017 ]]
 
  
 +
<!--[[image:Register_now_red.png|link=https://owasp-benelux-day-2018.eventbrite.com |200px|alt=Register for the OWASP BeNeLux Day 2018 | Register for the OWASP BeNeLux Day 2018 ]] -->
  
(limited) open tap sponsored by :
+
Address: TBD
[[File:Avi Logo Transparent Background 300pix.png|200px|link=https://avinetworks.com/]]
+
 
 +
Menu:TBD
  
 
<!-- Seventh tab -->
 
<!-- Seventh tab -->
 
 
= Sponsor =
 
= Sponsor =
  
=== Become a sponsor of OWASP BeNeLux ===
+
''' Become a sponsor of OWASP BeNeLux! '''
  
 
There are 3 combined sponsorship packages (Gold, Silver or Bronze) that cover the BeNeLux chapter meetings 2019 and the BeNeLux OWASP Days 2018.
 
There are 3 combined sponsorship packages (Gold, Silver or Bronze) that cover the BeNeLux chapter meetings 2019 and the BeNeLux OWASP Days 2018.
Line 367: Line 385:
  
 
=== Made possible by our {{#switchtablink:Sponsor|Sponsors}}===
 
=== Made possible by our {{#switchtablink:Sponsor|Sponsors}}===
'''Hosted by'''
 
  
 +
==== Hosted by ====
 +
 +
TBD
  
'''Platinum:'''
+
==== Platinum ====
  
 +
TBD
  
'''Gold:'''
+
==== Gold ====
  
 +
TBD
  
'''Silver:'''
+
==== Silver ====
  
 +
TBD
  
'''Bronze:'''
+
==== Bronze ====
  
 +
TBD
  
 
[[Category:OWASP_AppSec_Conference]]  
 
[[Category:OWASP_AppSec_Conference]]  
 
[[Category:OWASP_BeNeLux_Archives]]
 
[[Category:OWASP_BeNeLux_Archives]]

Revision as of 19:35, 25 September 2018

Header-BNL-2018.png



Keynote Speaker

  • TBD

Confirmed Conference Speakers

  • TBD

Confirmed Trainers

  • TBD

OWASP BeNeLux conference is free, but registration is required!

Register for the OWASP BeNeLux Day 2018

The OWASP BeNeLux Program Committee

  • Bart De Win / Sebastien Deleersnyder/ Lieven Desmet/ David Mathy, OWASP Belgium
  • Martin Knobloch / Joren Poll, OWASP Netherlands
  • Jocelyn Aubert, OWASP Luxembourg

Tweet!

Event tag is #owaspbnl18

Donate

OWASP BeNeLux conference is free, but registration is required!

OWASP BeNeLux training is reserved for OWASP members, and registration is required!

To support the OWASP organisation, we ask training attendees to consider becoming an OWASP member, it's only US$50! Check out the Membership page to find out more.


To support the OWASP organisation, consider to become a member, it's only US$50! Check out the Membership page to find out more.

Address

Venue:

Congres- en Erfgoedcentrum Lamot
Van Beethovenstraat 8-10
2800 Mechelen
Belgium

Google map

Parking:

TBD

How to reach the venue?

Public transport

TBD

By car

TBD

Hotels Nearby

Hotels on Google Maps

TBD maybe Booking.com or others

Training Day is November 29th

Agenda (TBD)

Time Description Room TBA Room TBA Room TBA
08h30 - 9h30 Registration
09h30 - 11h00 Training TRAINING_1_TITLE by TRAINING_1_TRAINER TRAINING_2_TITLE by TRAINING_2_TRAINER TRAINING_3_TITLE by TRAINING_3_TRAINER
11h00 - 11h30 Coffee Break
11h30 - 13h00 Training
13h00 - 14h00 Lunch
14h00 - 15h30 Training
15h30 - 16h00 Coffee Break
16h00 - 17h30 Training

Trainings

TRAINING_1_TITLE by TRAINING_1_TRAINER

Topic(s)

  • TRAINING_1_TOPIC_1
  • TRAINING_1_TOPIC_2

Keywords

TRAINING_1_KEYWORD_1, TRAINING_1_KEYWORD_2

Abstract

TRAINING_1_ABSTRACT

Requirements

TRAINING_1_REQUIREMENTS

Bio

TRAINING_1_TRAINER_BIO

TRAINING_2_TITLE by TRAINING_2_TRAINER

Topic(s)

  • TRAINING_2_TOPIC_1
  • TRAINING_2_TOPIC_2
  • ...

Keywords

TRAINING_2_KEYWORD_1, TRAINING_2_KEYWORD_2, ...

Abstract

TRAINING_2_ABSTRACT

Requirements

TRAINING_2_REQUIREMENTS

Bio

TRAINING_2_TRAINER_BIO

TRAINING_3_TITLE by TRAINING_3_TRAINER

Topic(s)

  • TRAINING_3_TOPIC_1
  • TRAINING_3_TOPIC_2
  • ...

Keywords

TRAINING_3_KEYWORD_1, TRAINING_3_KEYWORD_2, ...

Abstract

TRAINING_3_ABSTRACT

Requirements

TRAINING_3_REQUIREMENTS

Bio

TRAINING_3_TRAINER_BIO

Conference Day is November 30th

Agenda (TBD)

Time Speaker Topic Media
08h30 - 09h00 Registration
09h00 - 09h15 Opening
09h15 - 10h00 TALK_0915_PRESENTER TALK_0915_TITLE not yet available
10h00 - 10h45 TALK_1000_PRESENTER TALK_1000_TITLE not yet available
10h45 - 11h15 Morning Break
11h15 - 12h00 TALK_1115_PRESENTER TALK_1115_TITLE not yet available
12h00 - 12h45 TALK_1200_PRESENTER TALK_1200_TITLE not yet available
12h45 - 13h45 Lunch
13h45 - 14h30 TALK_1345_PRESENTER TALK_1345_TITLE not yet available
14h30 - 15h15 TALK_1430_PRESENTER TALK_1430_TITLE not yet available
15h15 - 15h45 Break
15h45 - 16h30 TALK_1545_PRESENTER TALK_1545_TITLE not yet available
16h30 - 17h15 TALK_1630_PRESENTER TALK_1630_TITLE not yet available
17h15 - 17h30 Closing

Talks

TALK_0915_TITLE

Abstract

TBD

Bio

TBD

TALK_1000_TITLE

Abstract

TBD

Bio

TBD

TALK_1115_TITLE

Abstract

TBD

Bio

TBD

TALK_1200_TITLE

Abstract

TBD

Bio

TBD

TALK_1345_TITLE

Abstract

TBD

Bio

TBD

TALK_1430_TITLE

Abstract

TBD

Bio

TBD

TALK_1545_TITLE

Abstract

TBD

Bio

TBD

TALK_1630_TITLE

Abstract

TBD

Bio

TBD

The Social Event is on Thursday, November 29th

If you want to join the social event, don't forget to register for it via the registration:


Address: TBD

Menu:TBD

Made possible by our Sponsors

Hosted by

TBD

Platinum

TBD

Gold

TBD

Silver

TBD

Bronze

TBD