|
|
| (493 intermediate revisions by 16 users not shown) |
| Line 1: |
Line 1: |
| − | {{Chapter Template|chaptername=Belgium-Luxemburg|extra=The chapter leader is [mailto:seba@deleersnyder.eu Sebastien Deleersnyder]|mailinglistsite=http://lists.owasp.org/mailman/listinfo/owasp-belgium|emailarchives=http://lists.owasp.org/pipermail/owasp-belgium}} | + | {{Chapter Template|chaptername=Belgium|extra=The chapter leaders are [mailto:seba@ owasp. org Sebastien Deleersnyder] , [mailto:[email protected] Lieven Desmet] and [mailto:[email protected] Bart De Win] |
| | + | |mailinglistsite=http://lists.owasp.org/mailman/listinfo/owasp-belgium|emailarchives=http://lists.owasp.org/pipermail/owasp-belgium}} |
| | | | |
| − | == Local News ==
| + | = Local News = |
| − | The next Belgium Chapter Event is on September 6 as part of [[OWASP Day]]. We are delighted to let you know Mark Curphey, Petko Petkov - pdp (architect), David Kierznowski and Bart De Win will be coming to the event. More details below. We have room for 400 people: everyone is challenged to invite an '''extra person new to OWASP'''!
| |
| | | | |
| | + | == Upcoming Chapter Meetings == |
| | | | |
| − | The chapter meeting after that is scheduled for Nov 20th.
| + | * OWASP BE chapter meeting: registration via https://owasp-belgium-2019-11-25.eventbrite.com/ |
| | | | |
| | + | See the {{#switchtablink:Chapter Meetings|Chapter Meetings}} tab for more details and older meetings. |
| | | | |
| − | We would also love to set up a first chapter meeting in October: host sponsor, speaker & topic suggestions are welcome!
| + | == Stay in Touch == |
| | | | |
| − | == Chapter Board == | + | <center> |
| − | The BeLux Chapter is now supported by an active board:
| + | {| cellspacing="15" |
| − | * Erwin Geirnaert, Zion Security
| + | |- |
| − | * Philippe Bogaerts, NetAppSec
| + | | [[Image:Meetup-logo-2x.png|120px|link=http://www.meetup.com/Belgium-OWASP-Open-Web-Application-Security-Project/]] |
| − | * André Mariën, Cybertrust
| + | | [[Image:Join the list.png|150px|link=http://lists.owasp.org/mailman/listinfo/owasp-belgium]] |
| − | * Lieven Desmet, K.U.Leuven
| + | | [[Image:Follow-us-on-twitter.png|175px|link=https://twitter.com/owasp_be]] |
| − | * Joël Quinet, Unisys
| + | | [[Image:Linkedin-button.gif|135px|link=https://www.linkedin.com/groups/37865]] |
| − | * Sebastien Deleersnyder, Telindus
| + | |} |
| − | Our goal is to professionalize the local OWASP functioning, provide in a bigger footprint to detect OWASP opportunities such as speakers/topics/sponsors/… and set a 5 year target on: Target audiences, Different events and Interactions of OWASP global – local projects.
| + | </center> |
| | + | If you want to be invited for the next OWASP Belgium Chapter meetings, please [http://eepurl.com/iFZtb drop us your contact info]. |
| | | | |
| − | == Structural Sponsors 2007 == | + | == Structural Sponsors 2019 == |
| − | OWASP BeLux would like to thank the following organizations for sponsoring this chapter. If you are interested in sponsoring the BeLux chapter please contact seba 'at' deleersnyder.eu .
| |
| | | | |
| − | [http://www.f5.com https://www.owasp.org/images/7/7e/50px-F5_50px.jpg]
| + | OWASP Belgium thanks its structural chapter supporters for 2019 and the OWASP BeNeLux Days 2018: |
| | | | |
| − | == Next Event: OWASP Day (6-Sep-2007)==
| + | <!-- Gold --> |
| − | On September 6th ,OWASP will be organizing [[OWASP Day]] conferences worldwide triggered by the [http://www.globalsecurityweek.com/ Global Security Week] idea.
| + | [[File:Vest.jpg|250px|link=http://www.vest.nl]] |
| | + | [[File:DavinsiLabs.png|250px|link=https://www.davinsilabs.com]] |
| | | | |
| − | In Belgium we organize the mini-conference in Brussels for which we already have an interesting agenda.
| + | <!-- Silver --> |
| | + | [[File:LogoToreon.jpg|250px|link=https://www.toreon.com]] |
| | + | [[File:Nviso_logo_RGB_baseline_200px.png|250px|link=http://www.nviso.be]] |
| | + | [[File:LogoIngenicoGroup.png|250px|link=https://ingenico.be]] |
| | | | |
| − | Confirmed speakers:
| + | If you want to support our chapter, please contact [mailto:seba@owasp.org Seba Deleersnyder] |
| − | * Mark Curphey, OWASP Founder, ([http://securitybuddha.com/about/ Marc's blog])
| |
| − | * [http://gnucitizen.org/about/pdp Petko D. Petkov], a.k.a pdp (architect), founder of the [http://gnucitizen.org GNUCITIZEN] group. Co-author of the “XSS Attacks” book.
| |
| − | * Bart De Win, postdoc researcher within the [http://www.cs.kuleuven.be/cwis/research/distrinet/public/index.php DistriNet research group], K.U.Leuven)
| |
| − | * [http://gnucitizen.org/about/dk David Kierznowski], founder of [http://blogsecurity.net blogsecurity.net] and active member of the [http://gnucitizen.org GNUCITIZEN] group.
| |
| | | | |
| − | ===WHEN=== | + | = Chapter Meetings = |
| − | Thursday, September 6th, 2007 (2-7pm)
| |
| | | | |
| − | ===WHERE===
| + | {{:Belgium_Events_2019}} |
| − | [http://www.telindus.be Telindus, Belgacom ICT] sponsors the venue: <BR>
| |
| − | Location: SURF House, Rue Stroobants 51, 1140 Evere. <BR>
| |
| − | You can find a map and itinary [http://www.surfhouse.be/plan.pdf online].
| |
| | | | |
| − | ===PROGRAM=== | + | == Previous Years == |
| − | The theme of the world-wide OWASP Day is “Privacy in the 21st Century”.
| |
| | | | |
| − | Currently we foresee to start with a introductory session on WebGoat & WebScarab
| + | Events held in |
| − | at 12h30, and start the mini-conference itself at 14h.
| + | [[Belgium Events 2018|2018]], |
| | + | [[Belgium Events 2017|2017]], |
| | + | [[Belgium Events 2016|2016]], |
| | + | [[Belgium Events 2015|2015]], |
| | + | [[Belgium Events 2014|2014]], |
| | + | [[Belgium Events 2013|2013]], |
| | + | [[Belgium Events 2012|2012]], |
| | + | [[Belgium Events 2011|2011]], |
| | + | [[Belgium Events 2010|2010]], |
| | + | [[Belgium Events 2009|2009]], |
| | + | [[Belgium Events 2008|2008]], |
| | + | [[Belgium Events 2007|2007]], |
| | + | [[Belgium Events 2006|2006]], |
| | + | [[Belgium Events 2005|2005]]. |
| | | | |
| − | See below for the agenda '''draft''',
| + | = Belgium OWASP Chapter Leaders = |
| | | | |
| − | * 12h30 pre-event: [[Belgium#Getting_started_with_WebGoat_.26_WebScarab_.28Erwin_Geirnaert.29|Getting started with WebGoat & WebScarab]] (Erwin Geirnaert)
| + | The Belgium Chapter is supported by the following board: |
| − | * 14h00 Welcome & pre-recorded video of OWASP board
| |
| − | * 14h20 [[Belgium#OWASP_Evaluation_and_Certification_Criteria_Draft_.28Mark_Curphey.29|OWASP Evaluation and Certification Criteria Draft]] (Mark Curphey)
| |
| − | * 15h10 [[Belgium#Automated_Web_FOO_or_FUD.3F_.28David_Kierznowski.29|Automated Web FOO or FUD?]] (David Kierznowski)
| |
| − | * 16h00 Break
| |
| − | * 16h20 [[Belgium#CLASP.2C_SDL_and_Touchpoints_Compared_.28Bart_De_Win.29|CLASP, SDL and Touchpoints Compared]] (Bart De Win)
| |
| − | * 17h10 [[Belgium#For_my_next_trick..._hacking_Web2.0_.28pdp.29|For my next trick... hacking Web2.0]] (pdp)
| |
| − | * 18h00 Panel Discussion: “Privacy in the 21st Century?”
| |
| − | * 19h00 Finish
| |
| | | | |
| − | Please send a mail to belgium 'at' owasp.org if you plan to attend, so we can size the venue appropriately and keep you updated on last-minute changes. Also, don't forget to indicate your attendance for the 'Getting started with WebGoat & WebScarab session.
| + | Chapter Leaders |
| | + | *Sebastien Deleersnyder, Toreon |
| | + | *Lieven Desmet, KU Leuven |
| | + | *Bart De Win, PWC |
| | | | |
| − | ==== Getting started with WebGoat & WebScarab (Erwin Geirnaert) ====
| + | Board Members |
| | + | *Erwin Geirnaert, Zion Security |
| | + | *David Mathy, Freelance |
| | + | *Adolfo Solero, Freelance |
| | + | *Stella Dineva, Ingenico Payment Services |
| | + | *Thomas Herlea, NVISO |
| | | | |
| − | ==== OWASP Evaluation and Certification Criteria Draft (Mark Curphey) ====
| + | Our goal is to professionalize the local OWASP functioning, provide in a bigger footprint to detect OWASP opportunities such as speakers/topics/sponsors/… and set a 5 year target on: Target audiences, Different events and Interactions of OWASP global – local projects. |
| − | As opposed to me continuing saying what’s wrong with PCI DSS, it seems to me that OWASP is a perfect forum to simply create and publish a “better criteria”. This can either be adopted and implemented by an organization like OWASP or considered to be incorporated into the PCI or other security standards. We won't get bogged down in the politics up-front, but hold something good up to the world for people to adopt. This project would of course draw on and bring together many of the other OWASP Projects including the Guide (What is a secure web app), Testing Guides (How to test for a secure web app), WebGoat (part of how to certify an individual understands and can find web app issues) etc. Many of those projects may not be complete or a perfect fit today, but this project can bring a common connecting theme to a lot of very valuable IP that OWASP has built over the years. I will also create it in such as way that a corporate could adopt/adapt it themseles as well as an industry. Where other OWASP projects are not complete or currently suitable I will build a requirements doc that can be considered by those teams if they feel appropriate.
| + | __NOTOC__ <headertabs></headertabs> |
| − | | + | [[Category:Europe]] |
| − | [http://securitybuddha.com/about/ Mark Curphey] ran Foundstone consulting from 2003 until late 2006 during which time the company was sold to McAfee. Before joining Foundstone Mark was the Director of Information Security at Charles Schwab (responsible for the software security program) and has also worked for ISS and several financial services companies in Europe. Mark has a Masters degree in information security from Royal Holloway, University of London and was the original founder of the Open Web Application Security Project (OWASP).
| |
| − | | |
| − | ==== Automated Web FOO or FUD? (David Kierznowski) ====
| |
| − | We take a look into automated web application testing technologies and their effectiveness against real life applications.
| |
| − | | |
| − | Also, we look into one of GNUCITIZENs latest projects, The Technika Security Framework (TSF), which will enable users to automate security testing directly from their browser.
| |
| − | | |
| − | [http://gnucitizen.org/about/dk David Kierznowski] currently works as a Senior Security Analyst for a leading penetration testing company in the UK. He has worked in the security industry for the past 6 years. David is also the founder of both [http://michaeldaw.org michaeldaw.org] and [http://blogsecurity.net blogsecurity.net] and is an active member of the [http://gnucitizen.org GNUCITIZEN] group.
| |
| − | | |
| − | ==== CLASP, SDL and Touchpoints Compared (Bart De Win) ====
| |
| − | tbd
| |
| − | | |
| − | Bart De Win is a postdoctoral researcher in the research group DistriNet, Department of Computer Science at the Katholieke Universiteit Leuven. His research interests are in secure software engineering, including software development processes, aspect-oriented software development and model driven security.
| |
| − | | |
| − | ==== For my next trick... hacking Web2.0 (pdp) ====
| |
| − | Web2.0, if I can summarize it with a few simple words, is all about communication, distribution, information, agents, clients and servers. Those who understand the 2.0 fundamentals have the power to manipulate the global Web to suit their needs - hackers, the new digital breed of the 2.0 world. Web2.0 hacking is a mean for communicating and distributing critical information in a better way. It can be used to build ghost infrastructures from where to launch attacks - anonymously, no traces, nothing. Web2.0 hacking is also about the thin line between client-side and server-side security. It is about the endpoints and the electronic highways. It is about reaching the masses and yet being able to perform attacks on specific targets. Web2.0 hacking is also about distribution and influence, covert channels, bots, IA, ghosts inside the electronic frame. Web2.0 hacking is also a movement, a cyber subculture where individuals show their technical abilities, and understandings of the world and use that to manipulate their way through the system.
| |
| − | | |
| − | Web2.0 hacking practices should never be related to AJAX and JavaScript exploitation techniques only. Although it is true that client-side security has a significant part of the Web2.0 ecosystem, it is important to realize its role. There are far too many other aspects that we need to look into. My aim is to cover these aspects and reveal the hidden dangers.
| |
| − | | |
| − | [http://gnucitizen.org/about/pdp Petko D. Petkov], a.k.a pdp (architect), is the founder and leading contributer of the [http://gnucitizen.org GNUCITIZEN] group. He is a senior IT security consultant based in London, UK. His day-to-day work involves identifying vulnerabilities, building attack strategies and creating attack tools and penetration testing infrastructures. Petko is known in the underground circles as pdp or architect but his name is well known in the IT security industry for his strong technical background and creative thinking. He has been working for some of the world's top companies, providing consultancy on the latest security vulnerabilities and attack technologies.
| |
| − | | |
| − | === REGISTRATION ===
| |
| − | Please send a mail to belgium 'at' owasp.org if you plan to attend, so we can size the venue appropriately and keep you updated on last-minute changes. Also, don't forget to indicate your attendance for the 'Getting started with WebGoat & WebScarab' session.
| |
| − | | |
| − | == Last Chapter Meeting (Brussels, 22-June-2007)==
| |
| − | During an extra edition we brought you 2 big names in web application security. [http://www.f5.com/ F5 Networks] sponsored Ivan Ristic and Dinis Cruz to come to Brussels on Friday 22nd of June to bring you hot items from the last conference in Italy last May (agenda with presentations [http://www.owasp.org/index.php/6th_OWASP_AppSec_Conference_-_Italy_2007/Agenda online]).
| |
| − | | |
| − | We also had the skipped presentation of last time: Hillar Leoste from Zone-H will provided us with an update on defacements in the BE domain for last year.
| |
| − | | |
| − | ===WHEN===
| |
| − | Friday 22nd of June 2007
| |
| − | ===WHERE===
| |
| − | [http://www.deloitte.be Deloitte] sponsored the venue, drinks and snacks:
| |
| − | Location: Deloite Diegem
| |
| − | | |
| − | ===PROGRAM===
| |
| − | * 18h00 - 18h20: Welcome, coffee & sandwiches<BR>
| |
| − | * 18h20 - 18h40: Sebastien Deleersnyder<BR>
| |
| − | '''OWASP Update'''<BR>
| |
| − | * 18h40 - 19h00: '''Hillar Leoste (Zone-H)'''<BR>
| |
| − | '''[http://www.owasp.org/index.php/Image:OWASP_BeLux_2007-06-22_Update_on_Internet_Attack_Statistics_for_Belgium_in_2006.ppt Update on Internet Attack Statistics for Belgium in 2006]'''
| |
| − | * 19h00 – 20h00: '''Ivan Ristic, Chief Evangelist, Breach Security'''<BR>
| |
| − | :Ivan Ristic is the creator of [http://www.modsecurity.org/ ModSecurity] (an open source web application firewall and intrusion detection/prevention engine). Ivan also wrote Apache Security for O'Reilly, a web security guide for administrators, system architects, and programmers.
| |
| − | :For more info, see Anurag Agarwal’s [http://myappsecurity.blogspot.com/2007/03/reflection-on-ivan-ristic.html reflection on Ivan Ristic].
| |
| − | '''[http://www.owasp.org/index.php/Image:OWASP_BeLux_2007-06-22_Protecting_Web_Applications_from_Universal_PDF_XSS.ppt Protecting Web Applications from Universal PDF XSS]'''
| |
| − | :Presentation + A discussion of how weird the web application security world has become
| |
| − | * 20h00 - 20h15: break
| |
| − | * 20h15 - 21h15: '''Dinis Cruz, Chief Owasp Evangelist'''<BR>
| |
| − | :Dinis Cruz is a renowned application security expert who is passionate about training developers to move beyond the ‘comfort zone’ of standard ASP.NET development and into the world of advanced security aware development with the aim of making the Web Applications as secure as possible against malware and malicious hackers. Dinis is also the project leader for the OWASP .Net Project and the and the main developer of several of OWASP .Net tools (SAM’SHE, ANBS, SiteGenerator, PenTest Reporter, ASP.Net Reflector, Online IIS Metabase Explorer). author of many Open Source security tools (see http://www.owasp.org/index.php/.Net).
| |
| − | '''Buffer Overflows on .Net and Asp.Net'''<BR>
| |
| − | :One of the common myths about the .Net Framework is that it is immune to Buffer Overflows. Although this might be correct in pure managed and verifiable .Net code, large percentage of .Net and Asp.Net applications code is unmanaged code. In this talk Dinis will show the areas in .Net and Asp.Net applications that are vulnerable to Buffer Overflows (including the demo of a .Net Buffer Overflow Fuzzer).
| |
| − | | |
| − | == Chapter Meeting Archive ==
| |
| − | === Meeting Notes OWASP Chapter Meeting (Leuven, 10-May-2007)===
| |
| − | '''WHEN'''<br>
| |
| − | May 10th 2007<br>
| |
| − | '''WHERE'''<br>
| |
| − | [http://www.pstestware.com ps_testware] sponsored the venue: <BR>
| |
| − | Location: Kasteel de Bunswyck, Tiensesteenweg 343, 3010 Leuven. <BR>
| |
| − | You can find a map and itinary [http://www.kasteeldebunswyck.be/contact.htm online].
| |
| − | '''PROGRAM'''<br>
| |
| − | * 18h00 - 18h20: Welcome, coffee & sandwiches<BR>
| |
| − | * 18h20 - 18h40: Sebastien Deleersnyder<BR>
| |
| − | '''[http://www.owasp.org/index.php/Image:OWASP_BeLux_2007-05-10_OWASP_Update.zip OWASP Update and OWASP BeLux Board Presentation]'''<BR>
| |
| − | * 18h40 - 20h00: Jos Dumortier<BR>
| |
| − | '''[http://www.owasp.org/index.php/Image:OWASP_BeLux_2007-05-10_Legal_Aspects_Jos_Dumortier.zip Legal Aspects of (Web) Application Security]''' ''(Presentation + Discussion)''
| |
| − | : Jos Dumortier discussed important questions such as:
| |
| − | :* How far can you go if you want to ‘test’ the security of a web site?
| |
| − | :* How much application security can you contractually demand for when you outsource your application development?
| |
| − | :* Who is legally responsible when you personal data is exposed through hacking activity in Belgium?
| |
| − | :'''Jos Dumortier''' is Of Counsel in the ICT and e-Business department of Lawfort. He is also Professor of Law at the Faculty of Law (K.U.Leuven) and Director of the Interdisciplinary Centre for Law and Information Technology (http://www.icri.be).
| |
| − | * 20h00 - 20h15: break
| |
| − | * 20h15 - 21h15: Lieven Desmet<BR>
| |
| − | '''[http://www.owasp.org/index.php/Image:OWASP_BeLux_2007-05-10_AppSec_Research_Lieven_Desmet.zip Formal absence of implementation bugs in web applications: a case study on indirect data sharing]''' ''(Presentation + Discussion)''<BR>
| |
| − | :Several research tracks focus on tools and techniques to verify or guarantee the absence of implementation bugs in web applications, either at compile-time or at run-time. By guaranteeing the absence of certain implementation bugs, the reliability and security of the application can be improved. In this presentation, we will focus on the absence of implementation bugs due to broken data dependencies.
| |
| − | :Web applications typically share non-persistent session data between different parts of the application, e.g. a shopping cart in a e-commerce application. By doing so, implicit dependencies arise between the different parts of the application, and breaking these dependencies in an application may result in information leakage of erroneous behavior.
| |
| − | :In our research, we explicitly model dependencies between components that indirectly share data. Next, we verify that in a given composition these dependencies are not broken by applying a combination of static verification and dynamic checking (e.g. by using a Web Application Firewall).
| |
| − | :We validated the presented approach in two existing applications: a Struts-based, open-source webmail application (GatorMail) and an e-commerce site (Duke's BookStore from the J2EE 1.4 tutorial).
| |
| − | | |
| − | :'''Lieven Desmet''' Lieven Desmet was born on January 16, 1979 in Roeselare. He received a Bachelor of Applied Sciences and Engineering degree and graduated magna cum laude in Master of Applied Sciences and Engineering: Computer Science from the Katholieke Universiteit Leuven in July 2002.
| |
| − | :He started working as a Ph.D. student at the DistriNet (Distributed systems and computer Networks) research group of the Department of Computer Science at the Katholieke Universiteit Leuven. Within DistriNet, he was active in both the networking and security task forces. Lieven received his PhD on software security in January 2007 and is currently active as a post-doctoral security researcher within DistriNet.
| |
| − | | |
| − | === OWASP Top 10 2007 Update (Infosecurity Belgium, 21 & &22 Mar 2007)===
| |
| − | Seba presented the 2007 OWASP Top 10 (currently available as [[Top 10 2007|OWASP Top 10 2007 RC1]]) on the [http://www.infosecurity.be Infosecurity event in Belgium] on the 21st and 22nd of March 2007. <BR>
| |
| − | | |
| − | The presentation is uploaded on: [[Image:OWASP_Intro_and_Top_10_2007.zip]]. <BR>
| |
| − | | |
| − | === Meeting Notes OWASP Chapter Meeting (Brussels, 23-Jan-2007)===
| |
| − | '''WHEN'''<br>
| |
| − | January 23rd 2007<br>
| |
| − | '''WHERE'''<br>
| |
| − | Ernst&Young Offices (Business Centre) in Brussels. Parking places are available at nr 216.<BR>
| |
| − | Here you can find [http://www.owasp.org/index.php/Image:EY_Brussels_Office_english.pdf directions].<br>
| |
| − | '''PROGRAM'''<br>
| |
| − | * 18h00 - 18h30: Welcome, get drink & sandwiches?<BR>
| |
| − | * 18h20 - 18h40: Sebastien Deleersnyder<BR>
| |
| − | '''[http://www.owasp.org/index.php/Image:OWASP_BE_2007-01-23_OWASP_Update.zip OWASP Update]'''<BR>
| |
| − | * 18h45 – 19h45: Philippe Bogaerts<BR>
| |
| − | '''[http://www.owasp.org/index.php/Image:OWASP_BE_2007-01-23_WebGoat-Pantera.zip WEBGOAT and the Pantera Web Assessment Studio Project]'''<BR>
| |
| − | The OWASP presentation will shed a light on WEBGOAT and the Pantera Web Assessment Studio Project. Both OWASP projects will be covered and illustrated with a live demo, with a special focus on Webgoat and web services. <BR> ''Presentation + Discussion?''<BR>
| |
| − | Philippe Bogaerts is an independent consultant specialized in network and application security testing, web application and XML firewalls.<BR>
| |
| − | * 19h45 - 20h00: break<BR>
| |
| − | * 20h00 - 21h00: Bart De Win<BR>
| |
| − | '''[http://www.owasp.org/index.php/Image:OWASP_BE_2007-01-23_AOP_security.zip Security implications of AOP for secure software]<BR>
| |
| − | Over the last decade, Aspect Oriented Programming (AOP), a development paradigm that focuses on improving the modularisation of crosscutting concerns, has received a great deal of attention from the academic as well as from the industrial community. In the context of secure software development, AOP has been shown to bring a number of benefits, at least from a software engineering perspective. From a security perspective, the characteristics of AOP have been studied less. One of the key questions at this moment is whether we can really use AOP to build \emph{secure} software ?<BR>
| |
| − | In this presentation we will address this key question by elaborating on a number of security implications of AOP. Risks will be shown to originate from the core concepts of AOP, as well as from tool-specific implementation strategies (with a specific focus on AspectJ). The presentation will be concluded by indicating how these risks could be mitigated, both from a theoretical and from a practical perspective.<BR>
| |
| − | ''Presentation + Discussion?''<BR>
| |
| − | Bart De Win is a postdoctoral researcher in the research group DistriNet, Department of Computer Science at the Katholieke Universiteit Leuven. His research interests are in secure software engineering, including software development processes, aspect-oriented software development and model driven security. <BR>
| |
| − | | |
| − | === JavaPolis 2006 - Stephen de Vries - Security Sins and their Solutions ===
| |
| − | Stephen de Vries (project leader of the [[:Category:OWASP Java Project|OWASP Java Project]]) did a talk at [http://www.javapolis.com JavaPolis in Belgium] about "Security Sins and their Solutions" that can be viewed again online on [http://www.bejug.org/confluenceBeJUG/display/PARLEYS/Security+Sins+and+their+Solutions Parleys].
| |
| − | | |
| − | The talk covers the most insidious security vulnerabilities in Java Web and EE applications through practical demonstration of how to exploit these vulnerabilities and recommendations on how to prevent them. The threat posed by each vulnerability is explained and strategies for mitigating the flaw are introduced.
| |
| − | | |
| − | ===Meeting Notes OWASP Belgium Chapter Meeting (Antwerp, 14-Sep-2006) ===
| |
| − | '''WHEN'''<br>
| |
| − | Thursday 14th of September 2006, 18h00 - 21h00.<BR>
| |
| − | '''WHERE'''<br>
| |
| − | ING sponsored the venue and sandwiches.<br>
| |
| − | '''PROGRAM'''<br>
| |
| − | * 18h00 - 18h30: Welcome, get drink & sandwiches<BR>
| |
| − | * 18h20 - 18h40: Sebastien Deleersnyder, Ascure <BR>
| |
| − | '''[http://www.owasp.org/index.php/Image:OWASP_Belgium_Chapter_Meeting_-_Antwerp_-_14_Sep_2006_-_1_OWASP_2.0_Update.ppt OWASP 2.0 Update]'''<BR>
| |
| − | * 18h45 – 19h00: Toon Mordijck, ISSA<BR>
| |
| − | '''[http://www.owasp.org/index.php/Image:OWASP_Belgium_Chapter_Meeting_-_Antwerp_-_14_Sep_2006_-_2_ISSA-BE_Presentation.ppt ISSA Introduction]'''<BR>
| |
| − | * 19h00 - 19h55: Serge Moreno, ING<BR>
| |
| − | '''[http://www.owasp.org/index.php/Image:OWASP_Belgium_Chapter_Meeting_-_Antwerp_-_14_Sep_2006_-_3_Business_Application_security_through_Information_Risk_Management_-_OWASPv1.2.ppt Business Application Security through Information Risk Management]'''<BR>
| |
| − | ''Presentation + Discussion''<BR>
| |
| − | The presentation showed how ING has implemented business application security by implementing a risk management approach. By starting from the definition of risks and risk management, we have changed the program governance and project lifecycle to ensure that security is not seen as an add-on in a late stage of the project, but that the security requirements are defined in the early start of a project. By this approach the security requirements are becoming real functional requirements which are supported by the business. The net result is that security is not an after-thought anymore but totally integrated in the product and its (functional) requirements. As security requirements have become demands of the business, they are not taken out when the project is getting in time and budget constraints. These are all the positive consequences we have obtained from the method that will be explained throughout the presentation.
| |
| − | *20h05 - 21h00: Guy Crets, Apogado<BR>
| |
| − | '''[http://www.owasp.org/index.php/Image:OWASP_Belgium_Chapter_Meeting_-_Antwerp_-_14_Sep_2006_-_4_Secure_and_Reliable_WS_Guy_Crets.pdf Secure and Reliable Web Services]'''<BR>
| |
| − | ''Presentation + Discussion''<BR>
| |
| − | Web Services are becoming a very popular protocol for communication between IT systems within and between organizations. Web services offer a nice alternative for all sorts of communication middleware. The security of Web Services is a major attention point, now being well addressed with the WS-Security standards. Guy Crets not only explains what WS-Security is, but also opens up the subject by addressing many related topics: how does WS-* compare to B2B protocols such as EDIINT AS2, why not use SOAP over email or FTP, the importance of WS-Addressing, shortcomings in WS-ReliableMessaging, what is the importance of Microsoft WCF (aka Indigo), ... and many more.
| |
| − | | |
| − | ===Meeting Notes OWASP Belgium Chapter Meeting (Brussels, 8-May-2006) ===
| |
| − | '''WHEN'''<br>
| |
| − | Monday 8th of May 2006, 18h30 - 22h30.<BR>
| |
| − | '''WHERE'''<br>
| |
| − | Deloitte sponsored the venue, drinks and snacks.<br>
| |
| − | '''PROGRAM'''<br>
| |
| − | * 18h00 - 18h30: Welcome, get drink & snack <BR>
| |
| − | * 18h20 - 18h40: Sebastien Deleersnyder, Ascure <BR>
| |
| − | '''[http://www.owasp.org/index.php/Image:OWASP_Belgium_Chapter_Meeting_-_Brussels_-_8_May_2006_-_1_OWASP_Update.ppt OWASP Update]'''<BR>
| |
| − | | |
| − | * 18h45 - 19h15: Hillar Leoste, Zone-H<br>
| |
| − | '''[http://www.owasp.org/index.php/Image:OWASP_Belgium_Chapter_Meeting_-_Brussels_-_8_May_2006_-_2_2005_Internet_Attack_Statistics_for_Belgium_v1_0.ppt Internet Attack Statistics for Belgium in 2005]'''<br>
| |
| − | | |
| − | * 19h15 - 20h30: Johan Peeters, Program Director secappdev.org <br>
| |
| − | Can "Agile" Development Produce Secure Applications?<br>
| |
| − | Received wisdom has it that secure development and agile processes do <br>
| |
| − | not mix. Is that really so? Agile practices have proven in many <br>
| |
| − | projects to yield applications with fewer functional defects. Can they <br>
| |
| − | also be put to work to reduce the number of security vulnerabilities?<br>
| |
| − | The audience added to the discussion with questions and remarks!<br>
| |
| − | | |
| − | ===Meeting Notes OWASP Belgium Chapter Meeting (Leuven, 22-Feb-2006) ===
| |
| − | '''WHEN'''<br>
| |
| − | Wednesday 22nd of February 2006, 18h00 - 21h00.<br>
| |
| − | | |
| − | '''WHERE'''<br>
| |
| − | KUL sponsored the venue:<BR>
| |
| − | BeeWare sponsored the Pizza and Drinks!<br>
| |
| − | | |
| − | '''PROGRAM'''<br>
| |
| − | 18h00 - 18h20: Welcome, get Pizza & Drink<BR>
| |
| − | 18h20 - 18h40: Sebastien Deleersnyder, Ascure <BR>
| |
| − | '''[http://www.owasp.org/index.php/Image:OWASP_Belgium_Chapter_Meeting_-_Leuven_-_22_Feb_2006_-_1_OWASP_and_OWASP_Membership.ppt OWASP (Membership) and new OWASP Projects]'''<BR>
| |
| − | 18h40 - 19h30: Philippe Bogaerts, BeeWare<br>
| |
| − | '''[http://www.owasp.org/index.php/Image:OWASP_Belgium_Chapter_Meeting_-_Leuven_-_22_Feb_2006_-_2_WebScarab_Demo.ppt WebScarab demonstration]'''<br>
| |
| − | 19h30 - 20h45: Web Application Firewalls (WAF): Panel Discussion<br>
| |
| − | '''[http://www.owasp.org/index.php/Image:OWASP_Belgium_Chapter_Meeting_-_Leuven_-_22_Feb_2006_-_3_WAF_Panel.ppt First a WAF Primer was presented.]'''<br>
| |
| − | Then we organized a panel discussion with people from industry, vendors and research:<br>
| |
| − | How mature are WAFs?<br>
| |
| − | What do WAFs protect you from? What not?<br>
| |
| − | Where do you position WAFs in your architecture?<br>
| |
| − | What WAF functionality do you really need?<br>
| |
| − | …<br>
| |
| − | We then had an interesting panel Discussion with: <br>
| |
| − | <br>
| |
| − | * Philippe Bogaerts, BeeWare<br>
| |
| − | * Jaak Cuppens, F5 Networks<br>
| |
| − | * David Van der Linden, ING Belgium<br>
| |
| − | * Lieven Desmet, K.U.Leuven<br>
| |
| − | | |
| − | The audience (up to 50 !) added to the discussion with questions and remarks!<br>
| |
| − | ----
| |
| − | | |
| − | ===Belgium OWASP 2006 New Year Drink ===
| |
| − | On January 19th we had a New Years Drink.<br>
| |
| − | It was sponsored by Zion Security<br>
| |
| − | '''[http://www.owasp.org/index.php/Image:Belgian_OWASP_Chapter_2006_New_Years_Drink_2006-01-19.ppt Presentation]'''
| |
| − | | |
| − | ----
| |
| − | | |
| − | ===Meeting Notes second OWASP Belgium Chapter meeting (Leuven, 28-Sep-2005)===
| |
| − | On 28th of September 2005 we had our second OWASP Belgium Chapter meeting. We had nearly 50 people coming to the meeting!<br>
| |
| − | | |
| − | '''WHEN'''<br>
| |
| − | Wednesday 28th of September 2005, 18h00 - 21h00 at Ubizen in Leuven.<br>
| |
| − | | |
| − | '''PROGRAM'''<br>
| |
| − | 18h00 - 18h15: Welcome & get a drink <br>
| |
| − | | |
| − | 18h15 - 18h45: Sebastien Deleersnyder, Ascure <br>
| |
| − | '''[http://www.owasp.org/index.php/Image:OWASP_Belgium_Chapter_Meeting_-_Leuven_-_28_Sep_2005_-_1_OWASP_and_OWASP_Membership.ppt OWASP & OWASP Membership]''' <br>
| |
| − | | |
| − | 18h45 - 19h30: Emmanuel Bergmans, I-logs<br>
| |
| − | '''[http://www.owasp.org/index.php/Image:OWASP_Belgium_Chapter_Meeting_-_Leuven_-_28_Sep_2005_-_2_Securing_Web_Applications_with_ModSecurity.ppt Securing Web Applications with ModSecurity]'''<br>
| |
| − | Emmanuel gave an interesting introduction on ModSecurity.<br>
| |
| − | The presentation is included as attachment and contains a lot of great pointers and SWOT analysis.<br>
| |
| − | Conclusions were:<br>
| |
| − | ModSecurity can be particularly useful in an ISP environment<br>
| |
| − | Increased effort is necessary to synchronize multiple ModSecurity configurations in a Webfarm<br>
| |
| − | | |
| − | 19h30 - 20h45: <br>
| |
| − | OWASP Top 10 Vulnerabilities: Panel Discussion<br>
| |
| − | '''[http://www.owasp.org/index.php/Image:OWASP_Belgium_Chapter_Meeting_-_Leuven_-_28_Sep_2005_-_3_OWASP_Top_10_-_Panel.ppt The presentation is included with an introduction of the TOP 10.]'''<br>
| |
| − | Then we had a lively panel Discussion with: <br>
| |
| − | * Erwin Geirnaert, Security Innovation<br>
| |
| − | * Dirk Dussart, Belgian Post<br>
| |
| − | * Eric Devolder, Mastercard<br>
| |
| − | * Herman Stevens, Ubizen<br>
| |
| − | * Frank Piessens, KU Leuven<br>
| |
| − | <br>
| |
| − | We handled questions about the Top 10:<br>
| |
| − | * Is the OWASP Top 10 still necessary?<br>
| |
| − | * Are we talking vulnerabilities, solutions or threats?<br>
| |
| − | * Can we base our best practices / standards on the Top 10?<br>
| |
| − | * How to test your web site security on the Top 10?<br>
| |
| − | * …<br>
| |
| − | | |
| − | The overall discussion was interesting, and at times diverted to an overall application security discussion. <br>
| |
| − | Some of the remarkable opinions covered:<br>
| |
| − | Can / or should the OWASP Top 10 form the basis for a certification scheme<br>
| |
| − | If it is used as an awareness tool, can we promote it with an OWASP magazine?<br>
| |
| − | The OWASP Top 10 is too vague<br>
| |
| − | A bigger exhaustive list is needed with a clear classification and taxonomy<br>
| |
| − | It should be based on threat modelling.<br>
| |
| − | One of the more pertinent questions: how did the original authors come to the Top 10?<br>
| |
| − | | |
| − | ----
| |
| − | | |
| − | ===Meeting Notes First OWASP Belgium Chapter Meeting (Gent, 26-May-2005)===
| |
| − | | |
| − | On 26th of May 2005 we held the first OWASP Belgium Chapter meeting!<br>
| |
| − | | |
| − | It was a big success: we had nearly 40 people attending, despite the Belgium-unlike hot weather.<br>
| |
| − | | |
| − | | |
| − | '''PROGRAM'''<br>
| |
| − | 17h30 - 18h00: Welcome & get a drink<br>
| |
| − | | |
| − | 18h00 - 18h45: Sebastien Deleersnyder, Ascure <br>
| |
| − | '''[http://www.owasp.org/index.php/Image:First_OWASP_Belgium_Chapter_Meeting_-_Gent_-_26_May_2005_-_I_OWASP_Introduction.ppt OWASP Introduction]'''<br>
| |
| − | | |
| − | 19h00 - 19h45: Erwin Geirnaert, Security Innovation<br>
| |
| − | '''[http://www.owasp.org/index.php/Image:First_OWASP_Belgium_Chapter_Meeting_-_Gent_-_26_May_2005_-_II_How_to_Break_Web_Application_Security.ppt How to Break Web Application Security]'''<br>
| |
| − | | |
| − | 20h00 - 20h45: professor Frank Piessens, KU Leuven<br>
| |
| − | '''[http://www.owasp.org/index.php/Image:First_OWASP_Belgium_Chapter_Meeting_-_Gent_-_26_May_2005_-_III_How_to_Build_Secure_Web_Applications.ppt How to Build Secure Web Applications]'''<br>
| |
| − | | |
| − | We had some interesting discussions with Frank on the position of security controls: within the code or within the supporting infrastructure?<br>
| |
| − | Another idea is also to look for a top 10 solutions for Web Applications and have some guidance system when selecting countermeasures.<br>
| |
to this chapter or become a local chapter supporter.
Or consider the value of Individual, Corporate, or Academic Supporter membership. Ready to become a member? 
