This site is the archived OWASP Foundation Wiki and is no longer accepting Account Requests.
To view the new OWASP Foundation website, please visit https://owasp.org

BeNeLux OWASP Day 2012

From OWASP
Revision as of 18:12, 25 November 2012 by Sdeleersnyder (talk | contribs) (OWASP BeNeLux 2012 Sponsors:)

Jump to: navigation, search
Owaspbnl12header.jpg



OWASP BeNeLux training day and conference are free!

Registration is open:

Buttoncreate.png


To support the OWASP organisation, consider to become a member, it's only US$50!
Check out the Membership page to find out more.


Venue is the iMinds-DistriNet Research Group @ KU Leuven

Celestijnenlaan, 200A
3001 Heverlee
Belgium


Parking & roadmap:

There is a public parking close to the conference venue.

Roadmap and parking: http://distrinet.cs.kuleuven.be/about/route/



Hotels nearby:
Board house (close to the venue)
http://www.boardhouse.be
The lodge (close to the venue)
http://www.booking.com/hotel/be/the-lodge-heverlee.en.html
Begijnhof Congres Hotel (1 km from the venue)
http://www.bchotel.be/
La Royale (2 km from the venue)
http://www.laroyale.be
Hotel Ibis (2 km from the venue)
http://www.accorhotels.com/gb/hotel-1457-ibis-leuven-centrum/index.shtml
Mercure (2 km from the venue)
http://www.mercure.com/gb/hotel-7862-hotel-mercure-leuven-center/index.shtml
New Damshire (2 km from the venue)
http://www.hotelnewdamshire.be


Trainingday, November 29th

Location

The training room is: Celestijnenlaan, 200A, fifth floor
3001 Heverlee
Belgium

(for details, check the Venue tab)

Agenda

Time Description Room 1 Room 2 Room 3 Room 4
08h30 - 9h30 Registration
09h30 - 11h00 Training Advanced O2, by Dinis Cruz SDLC with Open Source tools, by Dan Cornell Secure Java Development with ESAPI (hands-on), by Volkert de Buisonjé Essential Web Appplication Security (OWASP Top 10, Webgoat, WebScarab), by Martin Knobloch
11h00 - 11h30 Coffee Break
11h30 - 13h00 Training
13h00 - 14h00 Lunch
14h00 - 15h30 Training
15h30 - 16h00 Coffee Break
16h00 - 17h30 Training




Secure Java Development workshop with ESAPI, by Volkert de Buisonjé (Sogeti)

Workshop:
First, attendees will receive a brief introduction on application awareness. Then they will get acquainted with Webgoat, a "deliberately insecure J2EE web application" designed as a practice tool for secure application development and testing. They will learn how to exploit some vulnerabilities in Webgoat, through for instance Cross-Site Scripting (CSS) and Cross-Site Request Forgery (CSRF) attacks. Finally, the ESAPI library will be introduced and the attendees will learn how to apply ESAPI to fix such vulnerabilities in Webgoat's source code.

Prerequisites for this workshop:

  • Reasonable knowledge of and experience with Java development
  • A laptop running a recent version of Linux, Mac OS X, or Windows
  • The most recent version of VirtualBox (4.x) installed
  • At least 2GB of RAM
  • At least 2GB of disk space


Bio:
Volkert de Buisonjé is a senior Java developer at Sogeti. He specializes in, and teaches application security courses, both to coworkers and to customers. Knowledge sharing (in both directions) is his passion. Volkert likes making friends and talking a lot. He never shuns a good discussion, and prefers to bring a high amount of interactivity to his classes. :-)


Advanced O2, by Dinis Cruz (Security Innovation)

Workshop:
Coming soon!

Bio:
Dinis Cruz is a Security Consultant based in London (UK) and specialized in: ASP.NET/J2EE Application Security, Application Security audits and .NET Security Curriculum Development.
For the past years Dinis has focused on the field of Static Source Code analysis, from May 2007 to Dec 2009 he worked as a independent consultant for Ounce Labs (bought by IBM in July 2009) where during active security engagements using Ounce's technology he developed the Open Source codebase which now is the foundation of the OWASP O2 Platform.
Dinis is currently focused on making the O2 Platform the industry standard for consuming, instrumenting and data-sharing between the multiple WebAppSec tools, the Security consultants and the final developers. Dinis is a also active trainer on .Net security having written and delivered courses for IOActive, Foundstone, Intense School and KPMG (at multiple locations including BlackHat), and has delivered a number of presentations and keynote speeches at multiple OWASP and Security related conferences.
At OWASP, Dinis is the leader of the OWASP O2 Platform project


Essential Web Appplication Security (OWASP Top 10, Webgoat, WebScarab), by Martin Knobloch (PervaSec)

Abstract:
This workshop is an introduction into (web) application security with hands-on labs, using OWASP documentation and tooling. You will be introduced into the security mindset, discus the OWASP TopTen 2010 and learn basic skills in how to find vulnerabilities in web applications. All tools and documentation are provided during the training.
As this is an hands-on workshop, please bring your own laptop!
Course structure:

  • Introduction OWASP, OWASP tool and documentation
  • Security Testing mindset
  • 1st Lab: OWASP WebGoat / WebScarab
  • OWASP Top Ten 2010
  • OWASP Testing Guide
  • 2nd Lab: OWASP WebGoat / WebScarab
  • 3rd Lab: OWASP Hackademic / ZAP
  • Summary and completion

Prerequisites for this workshop:

  • Basic understanding of HTTP and web application testing/development
  • An open mind


Bio:
Martin is an independent security consultant and owner of PervaSec (http://www.pervasec.nl). His main working area is (software) security in general, from awareness to implementation. In his daily work, he is responsible for education in application security matters, advise and implementation of application security measures.
At OWASP, Martin is member of the Dutch chapter board and chair of the Global Education Committee and contributes to several projects.
Martin is a frequent speaker at conferences, universities and hacker spaces.


Building a Software Security Program On Open Source Tools, by Dan Cornell (Denim Group)

Abstract:
Using the Software Assurance Maturity Model (OpenSAMM) as a framework, this course walks through the major components of a comprehensive software security program and highlights open source and other freely-available tools that can be used to help implement the activities involved in such a program. The focus of the course is on providing hands-on demonstrations of the tools with an emphasis on integrating tool results into the overall software security program. Featured tools include: ESAPI, Microsoft Web Protection Library, FindBugs, FxCop, CAT.NET, Brakeman, Agnitio, Arachini, w3af, ZAProxy, ThreadFix as well as other educational resources from OWASP. Attendees should finish the course with a solid understanding of the various components of a comprehensive software security program as well as hands-on experience with a variety of freely-available tools that they can use to implement portions of these programs.

Outline:

  • So You Want To Roll Out A Software Security Program?
  • The Software Assurance Maturity Model (OpenSAMM)
  • ThreadFix: Overview
  • Governance: Strategy and Metrics
    • ThreadFix: Reporting
  • Governance: Policy and Compliance
  • Governance: Education and Guidance
    • OWASP Development Guide
    • OWASP Cheat Sheets
    • OWASP Secure Coding Practices
  • Construction: Threat Assessment
  • Construction: Security Requirements
  • Construction: Secure Architecture
    • ESAPI overview
    • Microsoft Web Protection Library (Anti-XSS) overview
  • Verification: Design Review
    • Microsoft Threat Analysis and Modeling Tool
  • Verification: Code Review
    • FindBugs
    • FxCop
    • CAT.NET
    • Brakeman
    • Agnitio
  • Verification: Security Testing
    • Arachni
    • w3af
    • ZAProxy
  • Deployment: Vulnerability Management
    • ThreadFix: Defect Tracker Integration
  • Deployment: Environment Hardening
    • Microsoft Baseline Security Analyzer (MBSA)
  • Deployment: Operational Enablement
    • mod_security


Bio:
Dan Cornell has over fifteen years of experience architecting and developing web-based software systems. He leads Denim Group’s security research team in investigating the application of secure coding and development techniques to improve web-based software development methodologies.
Dan was the founding coordinator and chairman for the Java Users Group of San Antonio (JUGSA) and currently serves as the OWASP San Antonio chapter leader, member of the OWASP Global Membership Committee and co-lead of the OWASP Open Review Project. Dan has spoken at such international conferences as RSA, OWASP AppSec USA, and OWASP EU Research in Greece.


Conferenceday, November 30th

Location

The training room is: (TBD) (for details, check the Venue tab)

Agenda

Time Speaker Topic
09h00 - 10h00 Registration
10h00 - 10h15 OWASP Benelux Organization Welcome (PPT)
10h15 - 10h30 Sebastien Deleersnyder OWASP update (PPT)
10h30 - 11h10 John Wilander Secure Web Integration Patterns in the Era of HTML5
Abstract: Quite a few organizations are finding themselves in a legacy situation with their web applications. Over ten years have passed since the era of dynamic HTML and with the rise of HTML5 and mobile platforms there is now need to gradually move these legacy beasts into a new architecture. Additionally, more and more third party services are offered such as maps, tracking, social media tie-ins, video etc. What are the possible and suitable design patterns for bringing new web, old web, and third party web together? Can we isolate them from each other to secure the new apps from legacy and third party security vulnerabilities? We will dig into the postMessage api, the iframe sandbox directive, CORS, and the same-origin policy while comparing it to the previous generation of integration with jsonp and other hacks.
11h10 - 11h50 Lieven Desmet Sandboxing Javascript
Abstract: The inclusion of third-party scripts in web pages is a common practice. A recent study has shown that more than half of the Alexa top 10 000 sites include scripts from more than 5 different origins. However, such script inclusions carry risks, as the included scripts operate with the privileges of the including website.

In this talk, we propose JSand, a server-driven but client-side JavaScript sandboxing framework. JSand requires no browser modifications: the sandboxing framework is implemented in JavaScript and is delivered to the browser by the websites that use it. Enforcement is done entirely at the client side: JSand enforces a server-specified policy on included scripts without requiring server-side filtering or rewriting of scripts.
Most importantly, JSand is complete: access to all resources is mediated by the sandbox.
We describe the design and implementation of JSand, and we show that it is secure, backwards compatible, and that it performs sufficiently well.

11h50 - 12h30 Erwin Geirnaert OWASP Top 10 vs Drupal
Abstract: Drupal is the most used and well-known open source content management system in the world. Created by Dries Buytaert years ago it has grown with the support of a big community. Drupal 7 is already released and there is an entire ecosystem for Drupal and Drupal web agencies.

During this presentation we will discuss the findings of an automated static code analysis of Drupal 6 and Drupal 7 and how Drupal protects against the OWASP Top 10 Application Security Risks. We will explain the security weaknesses that remain when you use Drupal and what you can implement to have a secure cloud server running Drupal.

12h30 - 13h30 Lunch
13h30 - 14h10 Asia Slowinska Body Armor for Binaries
Abstract: BinArmor is a novel technique to protect existing C binaries from memory corruption attacks on both control data and non-control data. Without access to source code, non-control data attacks cannot be detected with current techniques. Our approach hardens binaries against both kinds of overflow, without requiring the pro- grams’ source or symbol tables. We show that BinArmor is able to stop real attacks—including the recent non- control data attack on Exim. Moreover, we did not in- cur a single false positive in practice. On the downside, the current overhead of BinArmor is high—although no worse than competing technologies like taint analysis that do not catch attacks on non-control data. Specifi- cally, we measured an overhead of 70% for gzip, 16%- 180% for lighttpd, and 190% for the nbench suite.
14h10 - 14h50 Marc Hullegie and Kees Mastwijk Forensics
Abstract: In today’s investigations, forensics has become an important investigative method in fighting and solving (cyber)crimes and irregularities. During the session you will be briefly taken through the landscape of Forensics Basics; the Fraud Triangle and scenario's; What to look for and the appliance of Digital Forensics. What are the Challenges, the required Skills and Expertise and Solutions to these challenges. Specific focus on the Forensics of Web Applications and what you can do the create a more forensic ready system.
14h50 - 15h30 Dan Cornell Streamlining Application Vulnerability Management: Communication Between Development and Security Teams
Abstract: Identifying application-level vulnerabilities via scanning, penetration tests and code reviews is only the first step in actually addressing the underlying risk. Managing vulnerabilities for applications is more challenging than dealing with traditional infrastructure-level vulnerabilities because they typically require the coordination of security teams with application development teams. The process also means that security managers need to get time from developers during already-cramped development and release schedules. In addition, fixes require changes to custom application code and application-specific business logic rather than the patches and configuration changes that are often sufficient to address infrastructure-level vulnerabilities. This presentation will illustrate the communication difficulties between security and development teams, and how this usually results in unactionable reports and fewer vulnerabilities remediated. In addition, the presentation will walk through an example workflow of addressing application vulnerabilities as software defects. This will be based on freely-available tools and show specific examples of how vulnerabilities can be grouped together, false positives can be culled out, and vulnerabilities transitioned to software defects, as well as how security managers can monitor and verify progress.
15h30 - 15h50 Break
15h50 - 16h30 Ruediger Bachmann Code review for Large Companies
Abstract:Static source code analysis should be an essential part in the secure software development life cycle (SDLC) to start to minimize the number of potential vulnerabilities already in a very early stage in the software development process.

The introduction of static code analysis at a large software manufacturer is a big challenge. In addition to the technical difficulties – based on the sheer number and size of the software projects or the number of different programing languages – there are also non-technical issues like creating new security awareness, trainings to use the provided tools efficiently and integration of analysis processes into the software development and maintenance life cycle.
This talk gives an overview of the company-wide introduction of static code analysis at SAP AG.

16h30 - 17h10 Dinis Cruz Making Security Invisible by Becoming the Developer’s Best Friends
Abstract: Coming soon!
17h10 - 17h50
  • Steven Wierckx
  • Luc Beirens
  • Jos Dumortier
  • Dieter Sarrazyn
  • Erwin Geirnaert
  • John Wilander
Panel Discussion about the legal aspects of penetration testing
Abstract: In the past couple of years security has become a more visible topic in the media. As a result many companies are asking for security reviews in the form of a penetration test. A lot of entrepreneurs took the opportunity to form teams and/or companies that provide such services. There seems to be a lack of clear (standard) legal documentation to cover these activities both for the penetration tester and the company under review. With this panel discussion we would like to discuss this situation and to see if there is a possibility to have a standard document or framework that can be used as a starting point for companies and professionals to use as a contract. The purpose would be to end up with a (set of) documents similar to the “Testaankoop standard huurcontract”, this is a well-known Belgian contract framework for renting a house where both parties are protected and that is clear to both parties. It can be used without further legal intervention.
17h50 - 18h00 OWASP Benelux 2012 organization Closing Notes



Body Armor for Binaries, by Asia Slowinska (Vrije Universiteit Amsterdam)

Abstract:
BinArmor is a novel technique to protect existing C binaries from memory corruption attacks on both control data and non-control data. Without access to source code, non-control data attacks cannot be detected with current techniques. Our approach hardens binaries against both kinds of overflow, without requiring the pro- grams’ source or symbol tables. We show that BinArmor is able to stop real attacks—including the recent non- control data attack on Exim. Moreover, we did not in- cur a single false positive in practice. On the downside, the current overhead of BinArmor is high—although no worse than competing technologies like taint analysis that do not catch attacks on non-control data. Specifi- cally, we measured an overhead of 70% for gzip, 16%- 180% for lighttpd, and 190% for the nbench suite.

Bio:
I am a postdoctoral researcher in the System and Network Security group at the Vrije Universiteit Amsterdam, under the guidance of Prof. dr. ir. Herbert Bos.
I obtained my PhD from the Vrije Universiteit Amsterdam. My dissertation Using information flow tracking to protect legacy binaries was completed under the supervision of Prof. dr. ir. Herbert Bos, while my copromotor was Prof. dr. ir. Henri E. Bal.
During my PhD studies, I interned twice with Microsoft Research Cambridge, where I joined the Systems and Performance Group. I also spent few months interning with the Systems and Security Department at Institute for Infocomm Research in Singapore.
My research focuses on developing techniques to automatically analyze and reverse engineer complex software that is available only in binary form. Further, I’ve been looking into mechanisms that proactively protect software from malicious activities. Currently, I am involved in a project on Reverse Engineering of binaries, known as Rosetta.

Code review for Large Companies, by Ruediger Bachmann (SAP)

Abstract:
Static source code analysis should be an essential part in the secure software development life cycle (SDLC) to start to minimize the number of potential vulnerabilities already in a very early stage in the software development process.
The introduction of static code analysis at a large software manufacturer is a big challenge. In addition to the technical difficulties – based on the sheer number and size of the software projects or the number of different programing languages – there are also non-technical issues like creating new security awareness, trainings to use the provided tools efficiently and integration of analysis processes into the software development and maintenance life cycle.
This talk gives an overview of the company-wide introduction of static code analysis at SAP AG.
Bio:
After graduating with a degree in mathematics and computer science at the University of Giessen in 1997, Ruediger Bachmann worked at various software companies and IT service providers mainly in software development. Currently he is employed at SAP AG in Germany as a Development Architect in the central code analysis team. There he is focusing on application security and security code scans.

Sandboxing JavaScript, by Lieven Desmet (Research Manager at KU Leuven)

Abstract:
The inclusion of third-party scripts in web pages is a common practice. A recent study has shown that more than half of the Alexa top 10 000 sites include scripts from more than 5 different origins. However, such script inclusions carry risks, as the included scripts operate with the privileges of the including website.
In this talk, we propose JSand, a server-driven but client-side JavaScript sandboxing framework. JSand requires no browser modifications: the sandboxing framework is implemented in JavaScript and is delivered to the browser by the websites that use it. Enforcement is done entirely at the client side: JSand enforces a server-specified policy on included scripts without requiring server-side filtering or rewriting of scripts. Most importantly, JSand is complete: access to all resources is mediated by the sandbox.
We describe the design and implementation of JSand, and we show that it is secure, backwards compatible, and that it performs sufficiently well.

Bio:
Lieven Desmet is Research Manager on Software Secure at the iMinds-DistriNet Research Group (KU Leuven, Belgium), where he coaches junior researchers in web application security and participates in dissemination and valorization activities. His interests are in security of middleware and web-enabled technologies. Lieven is actively engaged in OWASP and is board member of the OWASP Chapter Belgium.


OWASP Top 10 vs Drupal, by Erwin Geirnaert (Zion Security)

Abstract:
Drupal is the most used and well-known open source content management system in the world. Created by Dries Buytaert years ago it has grown with the support of a big community. Drupal 7 is already released and there is an entire ecosystem for Drupal and Drupal web agencies.
During this presentation we will discuss the findings of an automated static code analysis of Drupal 6 and Drupal 7 and how Drupal protects against the OWASP Top 10 Application Security Risks. We will explain the security weaknesses that remain when you use Drupal and what you can implement to have a secure cloud server running Drupal.

Bio:
Erwin founded ZION SECURITY in 2005 to help companies to protect against the latest threats, attacks against web applications. ZION SECURITY is nowadays a Belgian market leader in the field of security testing, vulnerability management, penetration testing and banking security. Erwin has more than 10 years of experience in web security, graduating with a Master of Science in Software Development from the University of Ghent. Erwin executes different types of projects for a lot of international software companies, financial institutions, telecom and web agencies. Specialist in executing code reviews in different development languages for critical applications, executing continuous penetration tests of their infrastructure and Internet applications. A specialist in J2EE, PHP, .NET, mobile app and web services security. Erwin architects secure e-business projects for web agencies and software companies. He is a recognized application security expert and speaker at international events like Javapolis, OWASP, Eurostar, LSEC,...

Forensics, by Marc Hullegie and Kees Mastwijk (Vest Information Security)

Abstract:
In today’s investigations, forensics has become an important investigative method in fighting and solving (cyber)crimes and irregularities. During the session you will be briefly taken through the landscape of Forensics Basics; the Fraud Triangle and scenario's; What to look for and the appliance of Digital Forensics. What are the Challenges, the required Skills and Expertise and Solutions to these challenges. Specific focus on the Forensics of Web Applications and what you can do the create a more forensic ready system.

Bio:
Marc Hullegie is founder and CEO of Vest Information Security and is widely experienced in the information security business in all types of areas: Security Architecture and Infrastructure, Security Audits and Testing, Security Management, Awareness and Digital Forensics. He presents lectures at (international) conferences and is looking forward to share experiences at the OWASP Benelux days 2012 with you.

Bio:
Kees Mastwijk is a security consultant working with Vest, acting as Security Auditor, Awareness Program leader and security Manager. He has a long (and ongoing) experience history in Digital Forensic Research.

Secure Web Integration Patterns in the Era of HTML5, by John Wilander (Svenska Handelbanken)

Abstract:
Quite a few organizations are finding themselves in a legacy situation with their web applications. Over ten years have passed since the era of dynamic HTML and with the rise of HTML5 and mobile platforms there is now need to gradually move these legacy beasts into a new architecture. Additionally, more and more third party services are offered such as maps, tracking, social media tie-ins, video etc. What are the possible and suitable design patterns for bringing new web, old web, and third party web together? Can we isolate them from each other to secure the new apps from legacy and third party security vulnerabilities? We will dig into the postMessage api, the iframe sandbox directive, CORS, and the same-origin policy while comparing it to the previous generation of integration with jsonp and other hacks.
Bio:
John Wilander is a frontend software developer at Svenska Handelbanken, the second strongest bank in the world according to Bloomberg Markets. He has been researching and working in application security for ten years and is an active leader in OWASP, the Open Web Application Security Project. In 2011 he organized the OWASP Summit Browser Security sessions in Portugal, with participants from the security teams behind Chrome, Firefox, Internet Explorer, Flash, and PayPal. During his years in academia he was elected best computer science teacher twice and nowadays gives 5-10 professional talks per year.


Streamlining Application Vulnerability Management: Communication Between Development and Security Teams, by Dan Cornell (Denim Group)

Abstract:
Identifying application-level vulnerabilities via scanning, penetration tests and code reviews is only the first step in actually addressing the underlying risk. Managing vulnerabilities for applications is more challenging than dealing with traditional infrastructure-level vulnerabilities because they typically require the coordination of security teams with application development teams. The process also means that security managers need to get time from developers during already-cramped development and release schedules. In addition, fixes require changes to custom application code and application-specific business logic rather than the patches and configuration changes that are often sufficient to address infrastructure-level vulnerabilities. This presentation will illustrate the communication difficulties between security and development teams, and how this usually results in unactionable reports and fewer vulnerabilities remediated. In addition, the presentation will walk through an example workflow of addressing application vulnerabilities as software defects. This will be based on freely-available tools and show specific examples of how vulnerabilities can be grouped together, false positives can be culled out, and vulnerabilities transitioned to software defects, as well as how security managers can monitor and verify progress.

Bio:
Dan Cornell has over fifteen years of experience architecting and developing web-based software systems. He leads Denim Group’s security research team in investigating the application of secure coding and development techniques to improve web-based software development methodologies.
Dan was the founding coordinator and chairman for the Java Users Group of San Antonio (JUGSA) and currently serves as the OWASP San Antonio chapter leader, member of the OWASP Global Membership Committee and co-lead of the OWASP Open Review Project. Dan has spoken at such international conferences as RSA, OWASP AppSec USA, and OWASP EU Research in Greece.


Making Security Invisible by Becoming the Developer’s Best Friends, by Dinis Cruz (Security Innovation)

Abstract:
Coming soon!

Bio:
Dinis Cruz is a Security Consultant based in London (UK) and specialized in: ASP.NET/J2EE Application Security, Application Security audits and .NET Security Curriculum Development.
For the past years Dinis has focused on the field of Static Source Code analysis, from May 2007 to Dec 2009 he worked as a independent consultant for Ounce Labs (bought by IBM in July 2009) where during active security engagements using Ounce's technology he developed the Open Source codebase which now is the foundation of the OWASP O2 Platform.
Dinis is currently focused on making the O2 Platform the industry standard for consuming, instrumenting and data-sharing between the multiple WebAppSec tools, the Security consultants and the final developers. Dinis is a also active trainer on .Net security having written and delivered courses for IOActive, Foundstone, Intense School and KPMG (at multiple locations including BlackHat), and has delivered a number of presentations and keynote speeches at multiple OWASP and Security related conferences.
At OWASP, Dinis is the leader of the OWASP O2 Platform project


Panel discussion about the legal aspects of penetration testing

with Steven Wierckx, Luc Beirens, Jos Dumortier, Dieter Sarrazyn, ...

Abstract:
In the past couple of years security has become a more visible topic in the media. As a result many companies are asking for security reviews in the form of a penetration test. A lot of entrepreneurs took the opportunity to form teams and/or companies that provide such services. There seems to be a lack of clear (standard) legal documentation to cover these activities both for the penetration tester and the company under review. With this panel discussion we would like to discuss this situation and to see if there is a possibility to have a standard document or framework that can be used as a starting point for companies and professionals to use as a contract. The purpose would be to end up with a (set of) documents similar to the “Testaankoop standard huurcontract”, this is a well-known Belgian contract framework for renting a house where both parties are protected and that is clear to both parties. It can be used without further legal intervention.

  • Bio Steven Wierckx, ps_testware:
    Coming soon!

  • Bio Luc Beirens, FCCU:
    Head of Belgian Federal Computer Crime Unit & Chair EU Cybercrime Task Force trying to create partnerships and circumstances for a safer cyberspace.

  • Bio Jos Dumortier, ICRI:
    Jos Dumortier is Professor of ICT Law at the University of Leuven (Belgium) and the Director of the Interdisciplinary Research Centre for ICT and Law (ICRI) (www.icri.be). With his research team he participates in a series of R & D projects in the domain of telemedicine.
    He is also a member of the Bar of Brussels and partner in “time.lex”, a law firm specialized in information and technology law (www.timelex.eu).
    He participates in the boards of several national and international scientific and business associations and is a member of various editorial and program committees.
    He is the editor of the International Encyclopedia of Cyber Law and the author of more than one hundred books and articles on legal issues related to the information society.
    Jos Dumortier has taken the lead in a large number of European studies and projects in the area of information security, privacy and identity management. He worked on an assignment of the European Commission (DG INFSO) for a study on the legal obstacles for interoperable eHealth in Europe and on several studies for the Flemish government related to the implementation of a regional eHealth platform. He is also a member of the Flemish data protection supervisory authority for the health sector.

  • Bio Dieter Sarrazyn, PWC:
    Coming soon!


  • Social Event, November 29th

    The social event is scheduled for Thursday, 29th of November and will start at around 19:30

    Location

    Leuven (TBD)

    Remark: Costs are around eur. 10,00.

    Capture the Flag!

    • Do you like puzzles?
    • Do you like challenges?
    • Are you a hacker?

    Whether you are an experienced hacker or new enthusiast you should come to OWASP BeNeLux 2012 and participate in the Capture the Flag event November 30th 2012.

    The OWASP CTF is especially designed to support challengers of all skill levels. The CTF contains multiple challenges in various fields related to application security. As every challenge gains you one point, you can pick and choose which challenge you want to play.

    All you need is a laptop with a wifi card and your favorite (preferably) non-commercial tools.

    So come, show off your skills, learn new tricks and above all have a good time at the CTF event.



    Hosted and co-organized by:

    Logo_distrinet.png Nessos.png

    Made possible by our Sponsors

    OWASP Member Sponsor:

    PWC_log_resized.png       

    OWASP BeNeLux 2012 Sponsors:

    Madison-gurkha-logo.jpg Sogeti_logo.png Logo_Vest_BIG_170.gif
    Zionsecurity.jpg On2it-sponsor.png

    200px-Iminds-logo.png