This site is the archived OWASP Foundation Wiki and is no longer accepting Account Requests.
To view the new OWASP Foundation website, please visit https://owasp.org

Difference between revisions of "Netherlands"

(Meeting schedule 2007)
Line 17: Line 17:
 
Time        : 18.00 - 21.30
 
Time        : 18.00 - 21.30
 
Main Topic  : OWASP Netherlands chapter: putting initiatives into practice
 
Main Topic  : OWASP Netherlands chapter: putting initiatives into practice
Presentations:
+
Presentations: Security Best Practices for .NET, Boaz Shunami
 +
              Group discussion
 
Location    : Rivium Boulevard 102, 2909LK Capelle aan den IJssel  
 
Location    : Rivium Boulevard 102, 2909LK Capelle aan den IJssel  
 
Sponsor      : Comsec Consulting BV
 
Sponsor      : Comsec Consulting BV
Line 30: Line 31:
 
Sponsor      : ps_testware bv
 
Sponsor      : ps_testware bv
 
</pre>
 
</pre>
 +
 +
== Announcement 13 September: putting initiatives into practice ==
 +
 +
The main goal of the next OWASP meeting is finding a way to put initiatives and all offered help into a form of structural benefit for the OWASP Netherlands local chapter. As a starting point for the discussion, examples will be taken from other European chapters and input delivered by discussions that take place on the mailing list is considered too. Let this be a call to put your ideas on the mailing list before the next meeting!<br/>
 +
<br/>
 +
The location is provided by the sponsor of this meeting:<br/>
 +
Comsec Consulting BV<br/>
 +
Rivium Boulevard 102<br/>
 +
2909LK Capelle aan den IJssel<br/>
 +
<br/>
 +
The agenda:<br/>
 +
18.00 - 18.30 Check-In (catering included)<br/>
 +
18.30 - 18.45 OWASP update, Bert Koelewijn<br/>
 +
18.45 - 19.15 Security Best Practices for .NET, Boaz Shunami<br/>
 +
19.15 - 20.00 Discussion: collecting ideas and initiatives<br/>
 +
20.00 - 20.15 Coffee break<br/>
 +
20.15 - 21.00 Discussion: how to enable community commitment<br/>
 +
21.00 - 21.30 Closing discussion and coffee<br/>
 +
<br/>
 +
Boaz Shunami<br/>
 +
Boaz is manager of the Application Security department of Comsec Europe. He has 11 years of experience in the IT Security field, and a large part of them in Application Security.<br/>
 +
Boaz did numerous application security audits in very large organizations and is recognized as one of the greatest expert’s world wide. Boaz' expertise is broad, but especially in-depth for the .NET platform.<br/>
 +
<br/>
 +
Discussion input (until now)<br/>
 +
- division of local chapter work load by multiple people<br/>
 +
- collaboration with other organizations<br/>
 +
<br/>
 +
If you want to attend send an email to [email protected].<br/>
 +
<br/>
 +
All OWASP chapter meetings are free, there are never vendor pitches or sales presentations at OWASP meetings.<br/>
 +
<br/>
 +
NOTE TO CISSP's: OWASP Meetings count towards CPE Credits.<br/>
  
 
== OWASP Netherlands meeting minutes ==
 
== OWASP Netherlands meeting minutes ==
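
Review bot: the added speaker biography has a stray apostrophe in "one of the greatest expert’s world wide", which should read "one of the greatest experts worldwide"; in the same paragraph, "a large part of them in Application Security" refers back to "experience" and reads better as "a large part of it". The added section also ends every line with <br/> while the schedule above it is closed with </pre>, so the page now mixes two layout conventions; consider using one.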

Revision as of 09:23, 23 August 2007

OWASP Netherlands

Welcome to the Netherlands chapter homepage. The chapter leader is Bert Koelewijn


Participation

OWASP Foundation (Overview Slides) is a professional association of global members and is open to anyone interested in learning more about software security. Local chapters are run independently and guided by the Chapter_Leader_Handbook. As a 501(c)(3) non-profit professional association your support and sponsorship of any meeting venue and/or refreshments is tax-deductible. Financial contributions should only be made online using the authorized online chapter donation button. To be a SPEAKER at ANY OWASP Chapter in the world simply review the speaker agreement and then contact the local chapter leader with details of what OWASP PROJECT, independent research or related software security topic you would like to present on.

Sponsorship/Membership

Donate to this chapter or become a local chapter supporter. Or consider the value of Individual, Corporate, or Academic Supporter membership. Ready to become a member? Join Now


Meeting schedule 2007

This is an overview of the 2007 local chapter meeting schedule. Details of the meetings can be found in the announcements that will be posted below this schedule.

11 January
----------
Time         : 18.00 - 21.30
Main Topic   : Security in practice: how it's done!
Presentations: Implementation of Security by Design, Martin Knobloch
Location     : "La Charmille" building, Lange Dreef 17, 4131 NJ Vianen
Sponsor      : Sogeti Nederland B.V.


13 September
------------
Time         : 18.00 - 21.30
Main Topic   : OWASP Netherlands chapter: putting initiatives into practice
Presentations: Security Best Practices for .NET, Boaz Shunami
               Group discussion
Location     : Rivium Boulevard 102, 2909LK Capelle aan den IJssel 
Sponsor      : Comsec Consulting BV


13 December
-----------
Time         : 18.00 - 21.30
Main Topic   : Web application penetration testing
Presentations: John Troch of ITamon BV offered a demo/presentation, details will follow.
Location     : Dorpsstraat 26, 3941JM Doorn
Sponsor      : ps_testware bv

Announcement 13 September: putting initiatives into practice

The main goal of the next OWASP meeting is finding a way to put initiatives and all offered help into a form of structural benefit for the OWASP Netherlands local chapter. As a starting point for the discussion, examples will be taken from other European chapters, and input from discussions on the mailing list will be considered too. Let this be a call to put your ideas on the mailing list before the next meeting!

The location is provided by the sponsor of this meeting:
Comsec Consulting BV
Rivium Boulevard 102
2909LK Capelle aan den IJssel

The agenda:
18.00 - 18.30 Check-In (catering included)
18.30 - 18.45 OWASP update, Bert Koelewijn
18.45 - 19.15 Security Best Practices for .NET, Boaz Shunami
19.15 - 20.00 Discussion: collecting ideas and initiatives
20.00 - 20.15 Coffee break
20.15 - 21.00 Discussion: how to enable community commitment
21.00 - 21.30 Closing discussion and coffee

Boaz Shunami
Boaz is manager of the Application Security department of Comsec Europe. He has 11 years of experience in the IT Security field, a large part of it in Application Security.
Boaz has carried out numerous application security audits in very large organizations and is recognized as one of the greatest experts worldwide. Boaz' expertise is broad, and especially in-depth for the .NET platform.

Discussion input (until now)
- division of local chapter work load by multiple people
- collaboration with other organizations

If you want to attend send an email to [email protected].

All OWASP chapter meetings are free; there are never vendor pitches or sales presentations at OWASP meetings.

NOTE TO CISSPs: OWASP Meetings count towards CPE Credits.

OWASP Netherlands meeting minutes

On January 11th, the Dutch OWASP chapter came together at the office of Sogeti Netherlands. The subject of the evening was 'putting software security into practice'. The group was small but select.

The agenda:
18.00 - 18.30 Check-In (catering included)
18.30 - 18.45 Sponsor opening
18.45 - 19.00 OWASP update, Bert Koelewijn
19.00 - 19.30 Implementation of Security by Design, Martin Knobloch
19.30 - 19.45 Panel introduction
19.45 - 20.00 Coffee break
20.00 - 21.30 Panel discussion

After a welcome by Frank Langeveld from Sogeti and Bert Koelewijn, Dutch chapter leader, the evening started with the presentation 'Security By Design'. During the presentation, Martin Knobloch described his experiences with the implementation of the Secure Development Life Cycle in a company like Sogeti Nederland B.V.

The presentation is available here:
Media:Implementation_of_Security_by_Design.ppt

After a small break, the panel discussion started with the following panel: Henk van der Heijden - Comsec Consulting, Dr.ir. Mario de Boer - LogicaCMG and Martin Knobloch - Sogeti Nederland.
During the discussion, it became clear that people are struggling to get the Secure Development Life Cycle implemented in their companies. Various experiences were shared between the panel and the other attendees. Company-specific problems and common misunderstandings about software security were brought up.
The consensus of the discussion was that the main problem lies in the lack of security awareness and knowledge of the managers and the developers. And this of course is exactly where OWASP comes in…

Announcement 11 January meeting

The OWASP meeting of 11 January is about putting software security into practice. A lot of books, standards, organizations and consultants tell us how we should develop secure software. But which methods and measures are commonly adopted and which are not and why?
This will be the main focus of the discussion that we will have with a panel of people who have experience implementing software security in the field.

The location is provided by the sponsor of this meeting:
Sogeti Nederland B.V.
"La Charmille" building
Lange Dreef 17
4131 NJ Vianen

The agenda:
18.00 - 18.30 Check-In (catering included)
18.30 - 18.45 Sponsor opening
18.45 - 19.00 OWASP update, Bert Koelewijn
19.00 - 19.30 Implementation of Security by Design, Martin Knobloch
19.30 - 19.45 Panel introduction
19.45 - 20.00 Coffee break
20.00 - 21.30 Panel discussion

Implementation of Security by Design
What is needed to implement a 'Secure Development Life Cycle' within Sogeti Nederland? The speaker started a project called 'Security by Design' in March 2006 to implement an SDLC at Sogeti Nederland.
In his presentation, the speaker will share his technical and organizational experiences that he gained with the still ongoing implementation.

About the speaker
Martin Knobloch has more than 8 years of experience in the design and development of J2EE applications for customers in various sectors of the market. In September 2003 Martin Knobloch started working for Sogeti Nederland, where he does the design, development and review of J2EE applications and architectures.
From this background, Martin Knobloch experienced the threats of insecure software firsthand. In March 2006, Martin Knobloch started implementing an SDLC within Sogeti Nederland.

Panel discussion
The panel members are:
Henk van der Heijden, Managing Director - Comsec Consulting B.V.
Dr.ir. Mario de Boer, Security Consultant - LogicaCMG
Martin Knobloch, Senior Technologie Specialist - Sogeti Nederland B.V.

In the discussion, we will try to find answers to questions like:
- What are the most common security practices in software development?
- How effective are those practices?
- Where do we start practicing security?
- What should be the most common security practices in software development?
- How much does security cost?
- How does the Systems Security Engineering Capability Maturity Model (SSE-CMM) fit in?

If you want to attend send an email to [email protected].

All OWASP chapter meetings are free; there are never vendor pitches or sales presentations at OWASP meetings.

NOTE TO CISSPs: OWASP Meetings count towards CPE Credits.

OWASP Netherlands meeting minutes

On 9 March, the second meeting of the OWASP Netherlands local chapter took place. GetronicsPinkRoccade provided the venue, in their luxury conference centre: Connection I.

Agenda:
18.00 - 18.45 Check-In (bread & drinks)
18.45 - 19.00 Opening
19.00 - 20.00 Improving Security in the Application Development Life-cycle, Migchiel de Jong
20.00 - 20.15 Coffee break
20.15 - 22.00 Form focus groups

The presentation of Migchiel de Jong was found very interesting by the audience. At the end of his presentation, he demonstrated a static code analysis of the OWASP webgoat application.

After the coffee break, the attendees started discussing the largest common topics of interest in the web application security field, in relation to the OWASP Netherlands chapter. As a result, the following focus groups were formed:

Testing
The current OWASP Testing project and the Open Source Security Testing Methodology Manual of ISECOM provide guidelines and best practices for testers. These guidelines can be used to formalize a standard structure and a set of minimum requirements for a security test. Clients could ask a tester to adhere to these guidelines.
A second idea is to standardize the management report of the testing results. In practice, testing could result in piles of paper with all the findings. The real value is in reporting them in a usable way, for example by mapping technical findings to business risks.

Frans v. Buul
Peter Gouwentak
Arthur Donkers
Eelco Klaver
Migchiel de Jong
Mario de Boer

First focus group meeting: Monday 27 march, 18:00h, PwC Utrecht


Public Relations
This focus group will try to make businesses aware of the security impact that developing, hosting and using web applications has, of what OWASP is, and of how OWASP can help. This can be done by giving presentations, writing papers and articles, word of mouth, etc.

Remco Bakker
Ronald Eygendaal
Bas van Vossen
Edwin van Vliet
Eelco Klaver

First presentation of OWASP materials: Edwin van Vliet, TestNet - Voorjaarsevenement, 5 April
First focus group meeting: To be planned!


Education
OWASP and universities/schools could benefit from working together. For example:
- OWASP provides lots of materials usable in colleges.
- Develop an OWASP training course.
- Students can participate in OWASP projects.
- OWASP can provide a platform for supporting research, such as thesis projects.
- OWASP representatives could provide guest lectures.

Ronald Eygendaal
Erik Poll
Bas van Vossen
Edwin van Vliet

First focus group meeting: To be planned!

The presentation is available here:
Media:OWASP_NL_Fortify_Software.pdf

9 March: Second meeting of the OWASP Netherlands local chapter!

In this second meeting focus groups are to be formed, to discuss common problems, develop and research common solutions in a vendor neutral environment. So this is a very good opportunity to get in contact with others, to exchange knowledge and experiences on specific topics.

For every focus group the following questions have to be answered:
1. Which specific topic is to be addressed?
2. What are the deliverables?
3. What is the relation to OWASP? (Current projects, materials, expertise and knowledge interchange, etc.)
4. Who is the central contact of the subgroup?

It would be nice to have a bigger and more diverse group, compared to the first meeting. So let's recall: "Please, bring at least one friend, next time." And don't hesitate to send this announcement to everybody who may be interested!

We thank Getronics PinkRoccade for offering us a venue:
Getronics PinkRoccade
Fauststraat 1
7323 BA Apeldoorn

The agenda:
18.00 - 18.30 Check-In
18.30 - 18.45 Opening
18.45 - 19.30 Improving Security in the Application Development Life-cycle, Migchiel de Jong
19.30 - 20.00 Collecting focus group initiatives
19.45 - 20.00 Coffee break
20.00 - 21.00 Form focus groups

Presentation Abstract
Rather than spending large amounts of time and money on proving that we have security vulnerabilities after programs go into production, companies should go to the source and correct vulnerabilities as early as possible in the development stage. It is unquestionably faster, simpler, and cheaper for developers to correct vulnerabilities as they build programs.
But how can development management ensure that developers focus on security when there is no time or budget for security at the development stage? Even with the correct focus, how can they learn what to look for? How can they stay ahead of the dedicated and resourceful hacker?
The answer is effective processes and better tools. With advanced software security tools, a developer can pinpoint vulnerabilities in a matter of seconds — the same vulnerabilities that would take a hacker or manual code reviewer weeks or even months to find. These same tools can give development and information security managers useful metrics on application vulnerabilities before they are released into deployment.
This talk will walk through the Application Development Life-Cycle and discuss how tools can help come to grips with software security issues in a particular phase.

About the presenter
Migchiel de Jong developed hardware and software for 10 years before joining Rational Software. During his 5 years at Rational Software (later acquired by IBM) he was involved in many software development process improvement projects. Currently Migchiel de Jong is working at Fortify Software, Palo Alto, California, as a software security engineer.

If you want to attend, send an email to [email protected]. Please don't wait; 9 March is not far off!

All OWASP chapter meetings are free; there are never vendor pitches or sales presentations at OWASP meetings.

NOTE TO CISSPs: OWASP Meetings count towards CPE Credits.

OWASP Netherlands kick-off meeting minutes

On 17 November, OWASP Netherlands had its first meeting. We moved to a bigger location, the Mercure hotel in Nieuwegein, to host all 35 attendees.

The agenda:
18.00 - 18.30 Check-In (bread & drinks)
18.30 - 18.45 Chapter opening
18.45 - 19.30 Presentation - 'Top tien web applicatie kwetsbaarheden in J2EE', Eelco Klaver
19.30 - 19.45 Presentation - 'Veilige webapplicaties boven alles', Mike Wardi
19.45 - 20.00 Coffee break
20.00 - 21.00 Discussion - About the OWASP Netherlands local chapter

The discussion took place in a 'round table' session, where all attendees were able to take part. The focus of the discussion was how to give the OWASP Netherlands local chapter additional value next to the OWASP project, what the goals and tasks will be, and which actions will have to be taken in the short term.
Different people are interested in different subjects. In general meetings there is no time to address all subjects and to address them specifically enough. Therefore subgroups can be formed, focusing on specific topics. They can have their own communication channel and meetings, but should keep close contact with the OWASP body.

An inventory:

Discussion Topics
- Awareness: writing articles, press publications, interviews
- Education: contact universities, schools and their common boards. Develop and gather education materials.
- General: discuss ideas for OWASP NL

Focus Group Topics
- (Dutch) metrics project
- (Dutch) legal project
- standard framework for pentest reports
- safe outsourcing

Actions that should be taken in the short term are:
- provide communication channels
- plan next (sub)meetings
- start discussions and focus groups

The presentations are available here:

Media:OWASP_NL_Top_Ten_Web_Application_Vulnerabilities_in_J2EE.pdf
Media:OWASP_NL_Veilige_Web_App_Boven_Alles.pdf

You are welcome to the OWASP Netherlands local chapter kick-off meeting!

Thursday, November 17th (2005) at 18.00h.

ATTENTION! Because of the large number of attendees, the location has changed:

Hotel Mercure Utrecht/Nieuwegein
Buizerdlaan 10
3435 SB NIEUWEGEIN
Tel: 00 31 (0) 30 60 84 122
Fax: 00 31 (0) 30 60 38 374

This first meeting will be an introduction to OWASP. A constructive discussion will be held about the actual form of the OWASP Netherlands local chapter.

The agenda:
18.00 - 18.30 Check-In (bread & drinks)
18.30 - 18.45 Chapter opening
18.45 - 19.30 Presentation - 'Top tien web applicatie kwetsbaarheden in J2EE', Eelco Klaver
19.30 - 19.45 Presentation - 'Veilige webapplicaties boven alles', Mike Wardi
19.45 - 20.00 Coffee break
20.00 - 21.00 Discussion - About the OWASP Netherlands local chapter

About the presenters

Eelco Klaver
Eelco Klaver has been a senior consultant for Xebia IT Architects since 2003. Doing software reviews, security audits and giving security workshops are part of his job. He has almost 10 years of experience with developing enterprise applications in J2EE for different employers. At the moment, Eelco is the front man of the security business unit for Xebia, focussing on the security aspects of enterprise applications built on J2EE.

Mike Wardi
Mike Wardi is an internet application manager for a financial institution. He's responsible for the safety of internet applications provided to customers and the implementation of the security policies in software development.


If you want to attend, please send an email to [email protected] or the mailing list.

All OWASP chapter meetings are free! There are never vendor pitches or sales presentations at OWASP meetings.

NOTE TO CISSPs: OWASP Meetings count towards CPE Credits.