This site is the archived OWASP Foundation Wiki and is no longer accepting Account Requests.
To view the new OWASP Foundation website, please visit https://owasp.org
BeNeLux OWASP Day 2016-2
Confirmed speakers Conference
- Bart Preneel > Closing keynote: The Future of Security
- Yorick Koster - The State of Security of WordPress (plugins)
- Daniel Kefer > Handling of Security Requirements in Software Development Lifecycle
- Sebastian Lekies > Securing AngularJS Applications
- Zakaria Rachid > Zap it !
- Dario Incalza > Securing Android Applications
- Giancarlo Pellegrino > Compression Bombs Strike Back
- TBA
OWASP BeNeLux conference is free, but registration is required!
Registration via https://owasp-benelux-day-2016-2.eventbrite.com
The OWASP BeNeLux Program Committee
- Bart De Win / Sebastien Deleersnyder/ Lieven Desmet/ David Mathy, OWASP Belgium
- Martin Knobloch, OWASP Netherlands
- Jocelyn Aubert, OWASP Luxembourg
Tweet!
Event tag is #owaspbnl16
Donate to OWASP BeNeLux
OWASP BeNeLux conference is free, but registration is required!
Registration via https://owasp-benelux-day-2016-2.eventbrite.com
OWASP BeNeLux training is reserved for OWASP members, and registration is required!
To support the OWASP organisation, we ask training attendees to become an OWASP member, it's only US$50! Students and faculty are invited to become member as well, but can freely attend. Check out the Membership page to find out more.
Registration via https://owasp-benelux-day-2016-2.eventbrite.com
To support the OWASP organisation, consider to become a member, it's only US$50!
Check out the Membership page to find out more.
Venue is
Hosted by imec-Distrinet Research Group (KU Leuven).
Address:
Department of Computer Science (foyer at ground floor)
Celestijnenlaan 200 A
3001 Heverlee
How to reach the venue?
https://distrinet.cs.kuleuven.be/about/route/
Hotel nearby
- Hotel The Lodge Heverlee
- BoardHouse Hotel
- B&B Lavan
- Hotel Ibis Leuven Heverlee
- Begijnhof Hotel Leuven
Trainingday is November 24th
Location
Agenda
Time | Description | Room TBA | Room TBA | Room TBA | |
---|---|---|---|---|---|
08h30 - 9h30 | Registration | ||||
09h30 - 11h00 | Training | Breakers, defenders and superheroes! by Riccardo ten Cate |
PWN Android Apps with your Custom Built Toolbox by Steven Wierckx |
Why simply deploying HTTPS will not get you an A+ grade by Philippe De Ryck | |
11h00 - 11h30 | Coffee Break | ||||
11h30 - 13h00 | Training | ||||
13h00 - 14h00 | Lunch | ||||
14h00 - 15h30 | Training | ||||
15h30 - 16h00 | Coffee Break | ||||
16h00 - 17h30 | Training |
Trainings
Breakers, defenders and superheroes!
In the wonderful world of application security we often learn to break stuff or we learn how to prevent hackers from breaking your stuff. In this training i would love to adres some basic and advanced topics and not only teach developers how to properly test their code like a penetration tester, but also learn the penetration tester to think like a developer so they really can deliver added value when instructing developers on how to fix their code like a baws!
Some of the topics i would like to adresss are:
- Content security policy and how to defeat it with HTML injections
- Advanced cross site scripting
- Cross site request forgery
- Mass Assignment (Parameter binding) attacks
- External entity attacks
- Path/directory traversal attacks (File inclusion attacks)
- File upload injections
- Server side template injections
- Authentication and authorization
PWN Android Apps with your Custom Built Toolbox
Frustrated with the various tools and environments needed to perform mobile pentesting? All available Android test distributions have drawbacks and missing and/or non-working tools etc. Learn how to create your own customized mobile pentesting toolbox with the tools you really want/need.
Not sure which steps to follow when performing a mobile application security assessment? Our renowned trainer, Steven Wierckx, will show you which steps to follow and what issues to focus on.
More details in the course description
Download the full training description
Why simply deploying HTTPS will not get you an A+ grade
20 years after the introduction of HTTPS, it is finally moving towards widespread adoption. As more and more web sites are enabling HTTPS, the attention for correct deployments increases as well. Tools such as Qualys’ SSL Labs server test make it is easy to verify the quality of any domain’s HTTPS deployment, but at the same time show how challenging it is to receive an A+ grade. While the initial deployment of HTTPS may seem straightforward, correctly deploying HTTPS is a daunting task. In this session, participants will learn through hands-on experience how to deploy HTTPS correctly, and how it impacts a Web application. We will cover common Web attacks on HTTPS, and how they are countered by the newest HTTPS security policies, such as HTTP Strict Transport Security (HSTS) and HTTP Public Key Pinning (HPKP).
The learning objectives for this session are:
- Learning how to deploy HTTPS correctly, with strong ciphers and forward secrecy
- Understanding the intricacies of HTTPS, and its impact on a Web application, especially in combination with HTTP
- Understanding common Web attacks against HTTPS, and the newest browser-enforced security policies that counter them
Trainers
Riccardo ten Cate
As a penetration tester and software developer from the Netherlands Riccardo is specialized in web-application security and has extensive knowledge in securing web applications in multiple coding languages.
Steven Wierckx
I’m a Software and Security Tester with 15 years of experience in programming, security testing, source code review, test automation, functional and technical analysis, development and database design. I’m a team player with a constant drive to learn new things. I have a passion for web application security and I write articles for several professional magazines with regards to that topic. I have created several courses on testing software for security problems and I teach courses on secure coding, security awareness, security testing and threat modelling.
Philippe De Ryck
Philippe De Ryck holds a PhD in computer science and is specialized in client-side Web security. Philippe focuses on a sustainable knowledge transfer of his expertise in Web security towards industry partners, mainly through training courses and public dissemination activities. Within iMinds-DistriNet , Philippe leads the Web Security-related training activities.
Conferenceday is November 25th
Agenda (tentative)
Time | Speaker | Topic |
---|---|---|
08h30 - 09h00 | Registration | |
09h00 - 09h15 | Opening | |
09h15 - 10h00 | Dario Incalza | Securing Android Applications |
10h00 - 10h45 | Yorick Koster | The State of Security of WordPress (plugins) |
10h45 - 11h15 | Morning Break | |
11h15 - 12h00 | Sebastian Lekies | Securing AngularJS Applications |
12h00 - 12h45 | Giancarlo Pellegrino | Compression Bombs Strike Back |
12h45 - 13h45 | Lunch | |
13h45 - 14h30 | TBA | TBA |
14h30 - 15h15 | Zakaria Rachid | Zap it ! |
15h15 - 15h45 | Break | |
15h45 - 16h30 | Daniel Kefer | Handling of Security Requirements in Software Development Lifecycle |
16h30 - 17h15 | Bart Preneel | Closing Keynote: The Future of Security |
17h15 - 17h30 | Closing |
Talks
The State of Security of WordPress (plugins)
Last July, we organised the Summer of Pwnage (sumofpwn.nl) targeting WordPress and WordPress Plugins. This has resulted in 118 findings; mostly affecting WordPress Plugins, but also WordPress Core. Looking at the reported types of vulnerabilities, by far the most reported type is Cross-Site Scripting. The majority of Cross-Site Scripting vulnerabilities were of the reflected type where the victim has to click on a malicious link or visit a malicious website (or advertisement). A fair share of them were stored though, and some of them even pre-auth.
Does this mean that WordPress is inherently insecure or is it just the Plugin eco system? In this talk, I'll present our view on the (in)security of WordPress and WordPress Plugins. In addition, I'll show how a WordPress installation can be compromised using Cross-Site Scripting (and how to protect) and a generic way to get remote code execution through PHP Object Injection will be demonstrated.
Speakers
Yorick Koster
Yorick Koster is co-founder of Securify, an information security company focusing on all aspects of software security. Securify helps organisations to (proactively) secure their web and mobile applications, from design to go-live. In this we take a proactive approach (Build Security In) to catch and prevent vulnerabilities early, when still easy and cheap to fix.
Yorick has more than 10 years of experience in the field of software security and has found security vulnerabilities in a wide range of applications, including Internet Explorer, Office, .NET Framework, Adobe Reader, and WordPress.
Social Event,starting at 7PM
Social Event information
Become a sponsor of OWASP BeNeLux
There are 3 combined sponsorship packages (Gold, Silver or Bronze) that cover the BeNeLux chapter meetings 2017 and the BeNeLux OWASP Days 2016 in Leuven.
Download our sponsor brochure here and contact us for questions or sponsorship confirmation!
Your sponsorship will be invested directly in the chapter meetings, supporting speaker and catering expenses.
The sponsorship will also be dedicated to cover the costs of the OWASP 2016 BeNeLux event.
Call for Speakers
OWASP AppSec conferences are true security conferences with all talks and presentations focusing on various areas of information security. Topics should focus on the technical and social aspects of security, and should not contain marketing or sales pitches.
We encourage and prioritize submissions covering research and new work impacting:
- Secure development of web applications.
- Security testing of web applications.
- Security of DevOps processes, architectures, and tools.
- Security of applications designed for mobile devices.
- Security of Internet of Things devices and platforms.
- Cloud platform security
- Browser security
- HTML5 security
- OWASP tools or projects in practice
Terms
By your submission you agree to the OWASP Speaker Agreement. It requires that you use an OWASP presentation template or other non-branded template. Presentations may not use company-themed decks or include a company logo except on the speaker bio slide. Failure to observe these requirements will result in talk removal.
All presentation slides will be published on the conference website. Pictures and other materials in presentations should not violate any copyrights. Presentation submitters are solely liable for copyright violations. You may choose any Creative Commons license for your slides, including CC0. OWASP suggests the use of open licenses.
We will cover your travel expenses or costs for accommodations.
Deadlines
- Submission of proposal closes: 11 September, 2016 – 23:59
- Notification of acceptance: 2 October, 2016
- Conference Date: 25 November, 2016
Submission
To submit a proposal, please submit an abstract of your intended presentation (500 to 4000 characters), a brief biography (150 to 800 characters) and a headshot (combine multiple files in one zip file). Your planned presentation time is 40 minutes (excluding ~5 minutes for discussion and change of speaker). Feel free to attach a preliminary version of your presentation if available. Any proposal submitted is subject to a democratic vote by the program committee. Keep in mind: The better your description of the talk, the better picture the program committee will have to review your submission. Please proofread your submission; after approval your abstract, biography, and headshot will be published verbatim into the program and website.
Submission page: https://easychair.org/conferences/?conf=owaspbenelux162
Hosted and co-organized by
Made possible by our Sponsors
Gold:
Silver:
Bronze: