Belgium

OWASP Belgium

Welcome to the Belgium chapter homepage. The chapter leader is Sebastien Deleersnyder

Participation

OWASP Foundation (Overview Slides) is a professional association of global members and is open to anyone interested in learning more about software security. Local chapters are run independently and guided by the Chapter_Leader_Handbook. As a 501(c)(3) non-profit professional association your support and sponsorship of any meeting venue and/or refreshments is tax-deductible. Financial contributions should only be made online using the authorized online chapter donation button. To be a SPEAKER at ANY OWASP Chapter in the world simply review the speaker agreement and then contact the local chapter leader with details of what OWASP PROJECT, independent research or related software security topic you would like to present on.

Sponsorship/Membership

to this chapter or become a local chapter supporter. Or consider the value of Individual, Corporate, or Academic Supporter membership. Ready to become a member?

Local News

The OWASP Top 10 presentation from Infosecurity.be is now online for download.

Next extra chapter meeting is on June 16th.

Structural Sponsors 2010

OWASP Member affiliated to the Belgium chapter:

      

OWASP Belgium thanks its structural chapter supporters for 2010 and the OWASP BeNeLux Day 2010:

If you want to support our chapter, please contact Seba Deleersnyder

<paypal>Belgium</paypal>

Chapter Meetings

Next Meeting (June 16th 2010) in Brussels

WHEN

June 16th 2010 18h-20h

WHERE

Location is sponsored by Zenitel Belgium.

Location: Zenitel Belgium, Z.1. Research Park 110 – 1731 Zellik, Belgium (same building as http://www.u2u.net/Route.aspx)

PROGRAM

The agenda:

• 18h00 - 18h30: Welcome & Refreshments
  
• 18h30 - 18h45: OWASP Update (by Sebastien Deleersnyder, Zenitel, OWASP Board)
  
• 18h45 - 20h00: Advanced SQL Injection (by Joe McCray, Learn Security Online)
  

SQL Injection is a vulnerability that is often missed by web application security scanners, and it's a vulnerability that is often rated as NOT exploitable by security testers when it actually can be exploited. Advanced SQL Injection is a presentation geared toward showing security professionals advanced exploitation techniques for situations when you must prove to the customer the extent of compromise that is possible.

The key areas are:

• Re-Enabling stored procedures
• Old and new ways of obtaining an interactive command-shell
• Data Exfiltration via DNS
• IDS Evasion & Web Application Firewall Bypass
• Privilege Escalation

Joe McCray has 10 years of experience in the security industry with a diverse background that includes network and web application penetration testing, forensics, training, and regulatory compliance. Joe is a frequent presenter at security conferences, and has taught Ethical Hacking and Web Application Security at Johns Hopkins University (JHU), University of Maryland Baltimore College (UMBC), and several other technical training centers across the country.

REGISTRATION

Please send a mail to Belgium 'at' owasp.org if you plan to attend.

Previous Meeting (June 1st 2010) in Brussels

WHEN

June 1st 2010 18h-21h

WHERE

Location is sponsored by Cisco Belgium.

Location: Cisco, Pegasus Park, De Kleetlaan, 6A, B-1831 Diegem. See directions.

PROGRAM

The agenda:

• 18h00 - 18h30: Welcome & Refreshments
  
• 18h30 - 18h45: OWASP Update (by Sebastien Deleersnyder, Zenitel, OWASP Board)
  
• 19h00 - 20h00: The Belgian e-ID: hacker vs developer (by Erwin Geirnaert and Frank Cornelis)
  

Presentation + discussion: What can go wrong when implementing the Belgian eID in an unsecure way to authenticate a user? We will discuss the security issues, the problems with trust, SSL and some examples of a bad implementation. We will demo how to use WebScarab to intercept and change authentication data on the fly, impersonating somebody else.

To help developers to implement it correctly, we will give away best practices and a road map to do it properly using the new eID applet with entity authentication.

This presentation will be given by Frank Cornelis, Developer @ Fedict, who is responsible for the new eID applet and Erwin Geirnaert, co-founder & white-hat hacker @ ZION SECURITY, who has reviewed unsecure implementations of eID authentication

• 20h00 - 20h15: Break
  
• 20h15 - 21h15: Analyzing the Accuracy Of Web Application Scanners (by Larry Suto)
  

Presentation + discussion: Analyzing the Accuracy Of Web Application Scanners

This talk summarizes my recent study related to benchmarking a set of web application scanners against target test sites constructed by the scanner vendors themselves. I will review the methodology and some of the challenges that were faced as the tests were conducted. I have received some interesting feedback from the vendors and the security community. This new information will be integrated into the presentation. The controversial nature of "Point and Shoot" and "Trained" scanning will be addressed and scanning issues related to cloud computing/SaaS will be covered. The presentation will cover some thoughts on open source scanners such as Skipfish and W3AF. Finally I will go into the ideas for another round of testing and the possibility of soliciting target apps from the community.

Larry Suto is an application security consultant based in the San Francisco Bay Area. He is focused on software security analysis and the testing the effectiveness of software security tools.

Previous Meeting (Feb-1-2010) in Brussels

WHEN

Monday, February 1th, 2010 (18h00pm-21h00pm), together with ISSA Belgium.

WHERE

Location sponsored by Ernst&Young's Information Security Team.
address: De Kleetlaan 2, 1831 Diegem (Route + Google Maps)

PROGRAM

The agenda:

• 18h00 - 18h30: Welcome & Refreshments
  
• 18h30 - 18h45: OWASP Update (by Sebastien Deleersnyder, Zenitel, OWASP Board)
  
• 18h45 - 19h00: ISSA Update (by Bart Moerman, ISSA)
  
• 19h00 - 20h00: GreenSQL: an Open Source database firewall (by Yuli Stremovsky, VP of Research and Development at GreenSQL)
  

Presentation + discussion: GreenSQL, an open source database security solution, is available for three years. With the release of version 1.2 GreenSQL started providing support to PostgreSQL besides MySQL. GreenSQL provides a reverse proxy solution to SQL statements and during the reverse proxy process provides several security mechanisms. The lecture will focus on the latest version of GreenSQL and the solution for SQL injection and other attacks.

Yuli Stremovsky is a database security expert. He is responsible for design, development of novel database protection solution - GreenSQL. He is an experienced security consultant that worked for a number of leading financial institutions, telecom and health service companies. In the past, he was also involved in software development in a number of start-up companies including development of the security products.

• 20h00 - 20h15: Break
  
• 20h15 - 21h15: MOBILE MALWARE NOW AND IN THE FUTURE (by Mikko Hypponen, Chief Research Officer at F-Secure Corp)
  

Presentation + discussion:

• Mobile Platforms
• Situation 2005-2009
• Current threats
• Case: The Ikee / Duh botnet on jailbroken iPhones
• Case: Android banking trojans
• Future scenarios
• How to fight content security problems in mobile world?

Mikko Hypponen is the Chief Research Officer for F-Secure. He has worked with F-Secure since 1991 and has led his team through the biggest malware outbreaks in history. Mr. Hypponen has assisted law enforcment in USA, Europe and Asia on cybercrime cases. He has written for magazines such as Scientific American, Foreign Policy and Virus Bulletin.

REGISTRATION

There are only 100 seats available (first register, first serve)! Please send a mail to Belgium 'at' owasp.org if you plan to attend.

Past Events

• Events held in 2009
• Events held in 2008
• Events held in 2007
• Events held in 2006
• Events held in 2005

Belgium OWASP Chapter Leaders

The BeLux Chapter is supported by the following board:

• Erwin Geirnaert, Zion Security
• Philippe Bogaerts, F5
• André Mariën, Inno.com
• Lieven Desmet, K.U.Leuven
• Joël Quinet, Telindus
• Sebastien Deleersnyder, Zenitel
• Bart De Win, Ascure

Our goal is to professionalize the local OWASP functioning, provide in a bigger footprint to detect OWASP opportunities such as speakers/topics/sponsors/… and set a 5 year target on: Target audiences, Different events and Interactions of OWASP global – local projects.