This site is the archived OWASP Foundation Wiki and is no longer accepting Account Requests.
To view the new OWASP Foundation website, please visit https://owasp.org

BeNeLux OWASP Day 2016-2

From OWASP
Revision as of 19:42, 9 November 2016 by Dm-17 (talk | contribs) (Talks)

Jump to: navigation, search
OWASP BeNeLux Day 2016 II.png



Confirmed speakers Conference

  • Bart Preneel > Closing keynote: The Future of Security
  • Yorick Koster - The State of Security of WordPress (plugins)
  • Daniel Kefer > Handling of Security Requirements in Software Development Lifecycle
  • Sebastian Lekies > Securing AngularJS Applications
  • Zakaria Rachid > Zap it !
  • Dario Incalza > Securing Android Applications
  • Giancarlo Pellegrino > Compression Bombs Strike Back
  • TBA

OWASP BeNeLux conference is free, but registration is required!

Registration via https://owasp-benelux-day-2016-2.eventbrite.com

The OWASP BeNeLux Program Committee

  • Bart De Win / Sebastien Deleersnyder/ Lieven Desmet/ David Mathy, OWASP Belgium
  • Martin Knobloch, OWASP Netherlands
  • Jocelyn Aubert, OWASP Luxembourg


Tweet!

Event tag is #owaspbnl16

Donate


OWASP BeNeLux conference is free, but registration is required!

Registration via https://owasp-benelux-day-2016-2.eventbrite.com


OWASP BeNeLux training is reserved for OWASP members, and registration is required!

To support the OWASP organisation, we ask training attendees to become an OWASP member, it's only US$50! Students and faculty are invited to become member as well, but can freely attend. Check out the Membership page to find out more.

Registration via https://owasp-benelux-day-2016-2.eventbrite.com


To support the OWASP organisation, consider to become a member, it's only US$50!
Check out the Membership page to find out more.


Venue is

Hosted by imec-Distrinet Research Group (KU Leuven).

Address:
Department of Computer Science (foyer at ground floor)
Celestijnenlaan 200 A
3001 Heverlee

How to reach the venue?

https://distrinet.cs.kuleuven.be/about/route/

Hotel nearby

  • Hotel The Lodge Heverlee
  • BoardHouse Hotel
  • B&B Lavan
  • Hotel Ibis Leuven Heverlee
  • Begijnhof Hotel Leuven

Trainingday is November 24th

Location

Agenda

Time Description Room TBA Room TBA Room TBA
08h30 - 9h30 Registration
09h30 - 11h00 Training Breakers, defenders and superheroes!
by Riccardo ten Cate
PWN Android Apps with your Custom Built Toolbox
by Steven Wierckx
Why simply deploying HTTPS will not get you an A+ grade
by Philippe De Ryck
11h00 - 11h30 Coffee Break
11h30 - 13h00 Training
13h00 - 14h00 Lunch
14h00 - 15h30 Training
15h30 - 16h00 Coffee Break
16h00 - 17h30 Training

Trainings

Breakers, defenders and superheroes!

In the wonderful world of application security we often learn to break stuff or we learn how to prevent hackers from breaking your stuff. In this training i would love to adres some basic and advanced topics and not only teach developers how to properly test their code like a penetration tester, but also learn the penetration tester to think like a developer so they really can deliver added value when instructing developers on how to fix their code like a baws!

Some of the topics i would like to adresss are:

  • Content security policy and how to defeat it with HTML injections
  • Advanced cross site scripting
  • Cross site request forgery
  • Mass Assignment (Parameter binding) attacks
  • External entity attacks
  • Path/directory traversal attacks (File inclusion attacks)
  • File upload injections
  • Server side template injections
  • Authentication and authorization


PWN Android Apps with your Custom Built Toolbox

Frustrated with the various tools and environments needed to perform mobile pentesting? All available Android test distributions have drawbacks and missing and/or non-working tools etc. Learn how to create your own customized mobile pentesting toolbox with the tools you really want/need.

Not sure which steps to follow when performing a mobile application security assessment? Our renowned trainer, Steven Wierckx, will show you which steps to follow and what issues to focus on.

More details in the course description

Download the full training description


Why simply deploying HTTPS will not get you an A+ grade

20 years after the introduction of HTTPS, it is finally moving towards widespread adoption. As more and more web sites are enabling HTTPS, the attention for correct deployments increases as well. Tools such as Qualys’ SSL Labs server test make it is easy to verify the quality of any domain’s HTTPS deployment, but at the same time show how challenging it is to receive an A+ grade. While the initial deployment of HTTPS may seem straightforward, correctly deploying HTTPS is a daunting task. In this session, participants will learn through hands-on experience how to deploy HTTPS correctly, and how it impacts a Web application. We will cover common Web attacks on HTTPS, and how they are countered by the newest HTTPS security policies, such as HTTP Strict Transport Security (HSTS) and HTTP Public Key Pinning (HPKP).

The learning objectives for this session are:

  • Learning how to deploy HTTPS correctly, with strong ciphers and forward secrecy
  • Understanding the intricacies of HTTPS, and its impact on a Web application, especially in combination with HTTP
  • Understanding common Web attacks against HTTPS, and the newest browser-enforced security policies that counter them

Trainers

Riccardo ten Cate

As a penetration tester and software developer from the Netherlands Riccardo is specialized in web-application security and has extensive knowledge in securing web applications in multiple coding languages.

Steven Wierckx

I’m a Software and Security Tester with 15 years of experience in programming, security testing, source code review, test automation, functional and technical analysis, development and database design. I’m a team player with a constant drive to learn new things. I have a passion for web application security and I write articles for several professional magazines with regards to that topic. I have created several courses on testing software for security problems and I teach courses on secure coding, security awareness, security testing and threat modelling.

Philippe De Ryck

Philippe De Ryck holds a PhD in computer science and is specialized in client-side Web security. Philippe focuses on a sustainable knowledge transfer of his expertise in Web security towards industry partners, mainly through training courses and public dissemination activities. Within iMinds-DistriNet , Philippe leads the Web Security-related training activities.

Conferenceday is November 25th

Agenda (tentative)

Time Speaker Topic
08h30 - 09h00 Registration
09h00 - 09h15 Opening
09h15 - 10h00 Dario Incalza Securing Android Applications
10h00 - 10h45 Yorick Koster The State of Security of WordPress (plugins)
10h45 - 11h15 Morning Break
11h15 - 12h00 Sebastian Lekies Securing AngularJS Applications
12h00 - 12h45 Giancarlo Pellegrino Compression Bombs Strike Back
12h45 - 13h45 Lunch
13h45 - 14h30 TBA TBA
14h30 - 15h15 Zakaria Rachid Zap it !
15h15 - 15h45 Break
15h45 - 16h30 Daniel Kefer Handling of Security Requirements in Software Development Lifecycle
16h30 - 17h15 Bart Preneel Closing Keynote: The Future of Security
17h15 - 17h30 Closing


Talks

The State of Security of WordPress (plugins)

Last July, we organised the Summer of Pwnage (sumofpwn.nl) targeting WordPress and WordPress Plugins. This has resulted in 118 findings; mostly affecting WordPress Plugins, but also WordPress Core. Looking at the reported types of vulnerabilities, by far the most reported type is Cross-Site Scripting. The majority of Cross-Site Scripting vulnerabilities were of the reflected type where the victim has to click on a malicious link or visit a malicious website (or advertisement). A fair share of them were stored though, and some of them even pre-auth.

Does this mean that WordPress is inherently insecure or is it just the Plugin eco system? In this talk, I'll present our view on the (in)security of WordPress and WordPress Plugins. In addition, I'll show how a WordPress installation can be compromised using Cross-Site Scripting (and how to protect) and a generic way to get remote code execution through PHP Object Injection will be demonstrated.

Securing AngularJS Applications

Since its birth, the Web evolved from a system to share and view scientific documents to a full-blown platform for sophisticated applications. While in the beginning most Web applications were implemented purely on the server-side, modern ones heavily rely on client-side components.

AnuglarJS is the latest addition in this process. Within an Angular application the server is merely a data storage facility with a few additional access checks. The core of the application is running on the client-side.

As Angular is specifically designed to work on the client-side, it attempts to remove the main points of friction for developers. By providing a templating system, two-way bindings and custom directives, DOM interactions can be reduced to a bare minimum.

From a security point of view this is very interesting as Angular removes the need for using some DOM APIs with very sharp edges (innerHTML, document.write). On the other hand, Angular introduces new ways of approaching application development that are largely unexplored in terms of security.

This talk provides an in-depth introduction to the security of Angular applications. It first introduces the core design ideas and security principles of AngularJS. Then, based on the experience of the Google Security Team, shows common security pitfalls that are specific to Angular applications. In general, the talk covers Angular's string interpolation functionality, strict auto-escaping templates, URL-based directives and insecure legacy APIs. All the presented issues are based on real-world bugs. The talk will demonstrate how to find and prevent these issues in practice.

Compression Bombs Strike Back

Network services often use data compression to reduce protocol message size. However, if data compression is not properly implemented, it can render entire applications vulnerable to DoS attacks. Abusing data compression to exhaust system resources is an old trick. For example, a zip bomb is a recursively highly-compressed file archive prepared with the only goal of exhausting the resources of programs that attempt to inspect its content. This attack was brought to the community attention in 1996 to mount DoS attacks against bulletin board systems.

While this may now seem an old, unsophisticated, and easily avoidable threat,we discovered that developers did not fully learn from prior mistakes. We looked at three protocols (i.e., HTTP, XMPP, and IMAP) and 11 network services including popular ones (e.g., Apache HTTPD, Tomcat, Prosody, and OpenFire) and discovered that the risks of supporting data compression are still often overlooked.

In this talk, we will walk through data amplification attacks starting from the ever-green zip bomb and xml bomb attacks until our recent results. We will present the current use of data compression in several popular protocol and network services, and 12 common mistakes that we observed at the implementation, specification, and configuration levels. In this talk, we will also present already patched resource exhaustion vulnerabilities which could have been used to perform Denial of Service attack against popular services.

Closing Keynote: The Future of Security

Computers are still getting faster by factor of two every 18 months, and the doubling time for memory and communications is even smaller. An increasing number of experts is developing and deploying ever more sophisticated security techniques. But cybersecurity incidents multiply and are more prominent in the media. Will the cloud and the Internet of Things offer us a secure infrastructure? Or are we heading for a security and privacy nightmare? What is the role of governments, companies and individuals? Do we need backdoors in security technologies to balance privacy and security? This seminar tries to answer these questions.

Speakers

Yorick Koster

Yorick Koster is co-founder of Securify, an information security company focusing on all aspects of software security. Securify helps organisations to (proactively) secure their web and mobile applications, from design to go-live. In this we take a proactive approach (Build Security In) to catch and prevent vulnerabilities early, when still easy and cheap to fix.

Yorick has more than 10 years of experience in the field of software security and has found security vulnerabilities in a wide range of applications, including Internet Explorer, Office, .NET Framework, Adobe Reader, and WordPress.

Sebastian Lekies

Sebastian Lekies is an Information Security Engineer at Google and a PhD Student at the Ruhr-University Bochum. His research interests encompass client-side Web application security and Web application security testing. He graduated from University of Mannheim with a M.Sc. in Business Information Systems. At Google, Sebastian is part of the Security Test Engineering team that develops Google’s internal Web application security scanner and the externally facing Cloud Security Scanner (https://cloud.google.com/tools/security-scanner/). Before joining Google, Sebastian was part of SAP’s Security Research team, where he conducted academic research in the area of client-side Web application security. Sebastian is regularly speaking at academic and non-academic security conferences all around the World. He spoke at BlackHat US/EU/Asia, DeepSec, OWASP AppSec EU, Usenix Security, CCS, and many more...

Giancarlo Pellegrino

Giancarlo Pellegrino, is a post doctoral researcher of the System Security group at CISPA, Saarland University, in Germany. His main research interests include all aspects of web application security in particular security testing (black and white-box) and vulnerability analysis. Prior joining CISPA, Giancarlo worked at TU Darmstadt, Germany, and was member of the S3 group at EURECOM, in France. Until August 2013, he was Researcher Associate in the "Security and Trust" research group at SAP SE.


Social Event,starting at 7PM

Social Event information


Call for Speakers

OWASP AppSec conferences are true security conferences with all talks and presentations focusing on various areas of information security. Topics should focus on the technical and social aspects of security, and should not contain marketing or sales pitches.

We encourage and prioritize submissions covering research and new work impacting:

  • Secure development of web applications.
  • Security testing of web applications.
  • Security of DevOps processes, architectures, and tools.
  • Security of applications designed for mobile devices.
  • Security of Internet of Things devices and platforms.
  • Cloud platform security
  • Browser security
  • HTML5 security
  • OWASP tools or projects in practice

Terms

By your submission you agree to the OWASP Speaker Agreement. It requires that you use an OWASP presentation template or other non-branded template. Presentations may not use company-themed decks or include a company logo except on the speaker bio slide. Failure to observe these requirements will result in talk removal.

All presentation slides will be published on the conference website. Pictures and other materials in presentations should not violate any copyrights. Presentation submitters are solely liable for copyright violations. You may choose any Creative Commons license for your slides, including CC0. OWASP suggests the use of open licenses.

We will cover your travel expenses or costs for accommodations.

Deadlines

  • Submission of proposal closes: 11 September, 2016 – 23:59
  • Notification of acceptance: 2 October, 2016
  • Conference Date: 25 November, 2016

Submission

To submit a proposal, please submit an abstract of your intended presentation (500 to 4000 characters), a brief biography (150 to 800 characters) and a headshot (combine multiple files in one zip file). Your planned presentation time is 40 minutes (excluding ~5 minutes for discussion and change of speaker). Feel free to attach a preliminary version of your presentation if available. Any proposal submitted is subject to a democratic vote by the program committee. Keep in mind: The better your description of the talk, the better picture the program committee will have to review your submission. Please proofread your submission; after approval your abstract, biography, and headshot will be published verbatim into the program and website.

Submission page: https://easychair.org/conferences/?conf=owaspbenelux162



Hosted and co-organized by

Logo_distrinet.png

Made possible by our Sponsors

Gold:

VeraCode logo.png Vest.jpg Intigriti_verticaal.jpg Ecurify-2016.png

Silver:

LogoToreon.jpg Zionsecurity.jpg Nviso_logo_RGB_baseline_200px.png Nixu-logo.png Whitehat-security_hor.jpg

Bronze:

Logo_Informatiebeveiliging-200.png 200x60_netsparker_logo.png