Belgium Events 2007

Belgium events held in 2007

Last Chapter Meeting (Brussels, 22-June-2007)

During an extra edition we brought you 2 big names in web application security. F5 Networks sponsored Ivan Ristic and Dinis Cruz to come to Brussels on Friday 22nd of June to bring you hot items from the last conference in Italy last May (agenda with presentations online).

We also had the skipped presentation of last time: Hillar Leoste from Zone-H will provided us with an update on defacements in the BE domain for last year.

WHEN

Friday 22nd of June 2007

WHERE

Deloitte sponsored the venue, drinks and snacks: Location: Deloite Diegem

PROGRAM

• 18h00 - 18h20: Welcome, coffee & sandwiches
  
• 18h20 - 18h40: Sebastien Deleersnyder
  

        OWASP Update

• 18h40 - 19h00: Hillar Leoste (Zone-H)
  

        Update on Internet Attack Statistics for Belgium in 2006

• 19h00 – 20h00: Ivan Ristic, Chief Evangelist, Breach Security
  

Ivan Ristic is the creator of ModSecurity (an open source web application firewall and intrusion detection/prevention engine). Ivan also wrote Apache Security for O'Reilly, a web security guide for administrators, system architects, and programmers.

For more info, see Anurag Agarwal’s reflection on Ivan Ristic.

        Protecting Web Applications from Universal PDF XSS

Presentation + A discussion of how weird the web application security world has become

• 20h00 - 20h15: break
• 20h15 - 21h15: Dinis Cruz, Chief Owasp Evangelist
  

Dinis Cruz is a renowned application security expert who is passionate about training developers to move beyond the ‘comfort zone’ of standard ASP.NET development and into the world of advanced security aware development with the aim of making the Web Applications as secure as possible against malware and malicious hackers. Dinis is also the project leader for the OWASP .Net Project and the and the main developer of several of OWASP .Net tools (SAM’SHE, ANBS, SiteGenerator, PenTest Reporter, ASP.Net Reflector, Online IIS Metabase Explorer). author of many Open Source security tools (see http://www.owasp.org/index.php/.Net).

        Buffer Overflows on .Net and Asp.Net

One of the common myths about the .Net Framework is that it is immune to Buffer Overflows. Although this might be correct in pure managed and verifiable .Net code, large percentage of .Net and Asp.Net applications code is unmanaged code. In this talk Dinis will show the areas in .Net and Asp.Net applications that are vulnerable to Buffer Overflows (including the demo of a .Net Buffer Overflow Fuzzer).

Chapter Meeting Archive

Meeting Notes OWASP Chapter Meeting (Leuven, 10-May-2007)

WHEN
May 10th 2007
WHERE
ps_testware sponsored the venue:
Location: Kasteel de Bunswyck, Tiensesteenweg 343, 3010 Leuven.
You can find a map and itinary online. PROGRAM

• 18h00 - 18h20: Welcome, coffee & sandwiches
  
• 18h20 - 18h40: Sebastien Deleersnyder
  

        OWASP Update and OWASP BeLux Board Presentation

• 18h40 - 20h00: Jos Dumortier
  

        Legal Aspects of (Web) Application Security (Presentation + Discussion)

Jos Dumortier discussed important questions such as:

• How far can you go if you want to ‘test’ the security of a web site?
• How much application security can you contractually demand for when you outsource your application development?
• Who is legally responsible when you personal data is exposed through hacking activity in Belgium?

Jos Dumortier is Of Counsel in the ICT and e-Business department of Lawfort. He is also Professor of Law at the Faculty of Law (K.U.Leuven) and Director of the Interdisciplinary Centre for Law and Information Technology (http://www.icri.be).

• 20h00 - 20h15: break
• 20h15 - 21h15: Lieven Desmet
  

        Formal absence of implementation bugs in web applications: a case study on indirect data sharing (Presentation + Discussion)

Several research tracks focus on tools and techniques to verify or guarantee the absence of implementation bugs in web applications, either at compile-time or at run-time. By guaranteeing the absence of certain implementation bugs, the reliability and security of the application can be improved. In this presentation, we will focus on the absence of implementation bugs due to broken data dependencies.

Web applications typically share non-persistent session data between different parts of the application, e.g. a shopping cart in a e-commerce application. By doing so, implicit dependencies arise between the different parts of the application, and breaking these dependencies in an application may result in information leakage of erroneous behavior.

In our research, we explicitly model dependencies between components that indirectly share data. Next, we verify that in a given composition these dependencies are not broken by applying a combination of static verification and dynamic checking (e.g. by using a Web Application Firewall).

We validated the presented approach in two existing applications: a Struts-based, open-source webmail application (GatorMail) and an e-commerce site (Duke's BookStore from the J2EE 1.4 tutorial).

Lieven Desmet Lieven Desmet was born on January 16, 1979 in Roeselare. He received a Bachelor of Applied Sciences and Engineering degree and graduated magna cum laude in Master of Applied Sciences and Engineering: Computer Science from the Katholieke Universiteit Leuven in July 2002.

He started working as a Ph.D. student at the DistriNet (Distributed systems and computer Networks) research group of the Department of Computer Science at the Katholieke Universiteit Leuven. Within DistriNet, he was active in both the networking and security task forces. Lieven received his PhD on software security in January 2007 and is currently active as a post-doctoral security researcher within DistriNet.

OWASP Top 10 2007 Update (Infosecurity Belgium, 21 & &22 Mar 2007)

Seba presented the 2007 OWASP Top 10 (currently available as OWASP Top 10 2007 RC1) on the Infosecurity event in Belgium on the 21st and 22nd of March 2007.

The presentation is uploaded on: File:OWASP Intro and Top 10 2007.zip.

Meeting Notes OWASP Chapter Meeting (Brussels, 23-Jan-2007)

WHEN
January 23rd 2007
WHERE
Ernst&Young Offices (Business Centre) in Brussels. Parking places are available at nr 216.
Here you can find directions.
PROGRAM

• 18h00 - 18h30: Welcome, get drink & sandwiches?
  
• 18h20 - 18h40: Sebastien Deleersnyder
  

        OWASP Update

• 18h45 – 19h45: Philippe Bogaerts
  

        WEBGOAT and the Pantera Web Assessment Studio Project
The OWASP presentation will shed a light on WEBGOAT and the Pantera Web Assessment Studio Project. Both OWASP projects will be covered and illustrated with a live demo, with a special focus on Webgoat and web services.
        Presentation + Discussion?
Philippe Bogaerts is an independent consultant specialized in network and application security testing, web application and XML firewalls.

• 19h45 - 20h00: break
  
• 20h00 - 21h00: Bart De Win
  

        Security implications of AOP for secure software
Over the last decade, Aspect Oriented Programming (AOP), a development paradigm that focuses on improving the modularisation of crosscutting concerns, has received a great deal of attention from the academic as well as from the industrial community. In the context of secure software development, AOP has been shown to bring a number of benefits, at least from a software engineering perspective. From a security perspective, the characteristics of AOP have been studied less. One of the key questions at this moment is whether we can really use AOP to build \emph{secure} software ?
In this presentation we will address this key question by elaborating on a number of security implications of AOP. Risks will be shown to originate from the core concepts of AOP, as well as from tool-specific implementation strategies (with a specific focus on AspectJ). The presentation will be concluded by indicating how these risks could be mitigated, both from a theoretical and from a practical perspective.
        Presentation + Discussion?
Bart De Win is a postdoctoral researcher in the research group DistriNet, Department of Computer Science at the Katholieke Universiteit Leuven. His research interests are in secure software engineering, including software development processes, aspect-oriented software development and model driven security.