|
|
| Line 23: |
Line 23: |
| | This is an overview of the 2009 local chapter meeting schedule. Details of the meetings can be found in the announcements that will be posted below this schedule. | | This is an overview of the 2009 local chapter meeting schedule. Details of the meetings can be found in the announcements that will be posted below this schedule. |
| | <pre> | | <pre> |
| − | March 5th
| + | April 9th |
| | ---------- | | ---------- |
| | Time : 17.30 - 21.30 | | Time : 17.30 - 21.30 |
| | Main Topic : | | Main Topic : |
| − | Presentations: | + | Presentations: Modern information gathering; how to abuse search engines Dave van Stein |
| − | Location : | + | VAC Cross-site scripting Martin Visser |
| − | Sponsor : | + | Beveiligingsaspecten van webapplicatie-ontwikkeling Wouter van Kuipers |
| | + | Location : Lange Dreef 17, 4131 NJ Vianen |
| | + | 088 - 660 66 00 |
| | + | Sponsor : Sogeti Nederland B.V. |
| | | | |
| | May 28th | | May 28th |
| Line 56: |
Line 59: |
| | </pre> | | </pre> |
| | | | |
| − | == Meeting schedule 2008 ==
| |
| − | This is an overview of the 2008 local chapter meeting schedule. Details of the meetings can be found in the announcements that will be posted below this schedule.
| |
| − | <pre>
| |
| − | March 26th
| |
| − | ----------
| |
| − | Time : 17.30 - 21.30
| |
| − | Main Topic : Software Vulnerability assessment
| |
| − | Presentations: Complex(ity) matters, Mario de Boer (Dutch)
| |
| − | V.A.C. SQL injection, Marinus Kuivenhoven (Dutch)
| |
| − | Secure Programming with Static Analysis, Brian Chess (English)
| |
| − | Location : Mercure Utrecht Nieuwegein, Buizerdlaan 10, 3435 SB Nieuwegein
| |
| − | Sponsor : Fortify Software
| |
| | | | |
| − | Oktober 27th
| |
| − | ----------
| |
| − | Time : 17.30 - 21.30
| |
| − | Main Topic : Privacy and the Internet
| |
| − | Presentations: Privacy and Internet (Dutch), Frank Fruijthoff and Ellen Hoving
| |
| − | Vulnerability and source code scanners. (Dutch) Emile Strijbos
| |
| − | Location : ps_testware B.V., Dorpsstraat 26, 3941 JM DOORN
| |
| − | Sponsor : ps_testware B.V.
| |
| | | | |
| − | December 11th
| + | '''Registration'''<br> |
| − | ----------
| + | If you want to attend, please send an email to: owasp@irc2.com. |
| − | Time : 17.30 - 21.30
| |
| − | Main Topic : Workshop: Architectural and design risk analysis
| |
| − | Presentations: Architectural risk analyses (English), André N. Klingsheim and Lars-Helge Netland
| |
| − | Location : TTY Amsterdam, Kerkstraat 342, 1017 JA Amsterdam
| |
| − | Sponsor : TTY Internet Solutions
| |
| − | </pre> | |
| − | | |
| − | == Meeting minutes December 11th 2008 ==
| |
| − | | |
| − | At December 11th, the Dutch OWASP chapter came together at the office of the sponsor of the evening; TTY in Amsterdam. The topic of the evening was 'Architectural and design risk analysis'. There were 2 speakers and approximately 28 attendees.<br/>
| |
| | <br/> | | <br/> |
| − | The sponsor of the evening gave a small introduction about the company and the beautiful location they are housed in; a modernised old russian church in the centre of Amsterdam. After the introduction Bert Koelewijn asked for attention for the OWASP Education Project. This project aims to provide in building blocks of web application security information. Contributors are needed so if someone wants to participate please take a look at the project page [http://www.owasp.org/index.php/Category:OWASP_Education_Project].<br/>
| |
| | <br/> | | <br/> |
| − | '''Presentation:''' Architectural and design risk analysis<br/>
| + | All OWASP chapter meetings are free of charge and you don’t have to be an OWASP member to attend. There are never any vendor pitches or sales presentations at OWASP meetings.<br/> |
| − | After the introduction and the announcements the 2 Norwegian speakers of the evening were introduced: André N. Klingsheim & Lars-Helge Netland.
| |
| − | During their PhD's both André & Lars-Helge researched the Norwegian banking systems and their vulnerabilities resulting in several papers and presentations [http://www.nowires.org/BankSecurity/]. The presentation of this evening focused on the current risks and the perception of these risks.<br/>
| |
| | <br/> | | <br/> |
| − | Nowadays the trading in malware, botnets and vulnerabilities is maturing and industrializing. Attacks can be outsourced at bulk prices and threats no longer arise from a single or group of hackers, but can be bought as a service. This professionalisation requires a new approach in risk analysis and risk perception. The main problem in risk analysis is the human psyche; future risks are underestimated or tremendously overestimated, losses valued higher than gains, and attacks occured in the past are perceived 'more real'. This often results in inefficient investments in security contributing to the general perception that security is expensive.<br/>
| + | NOTE TO CISSP's: OWASP Meetings count towards CPE Credits.<br/> |
| | <br/> | | <br/> |
| − | Another problem in risk analysis is the occurence of so-called 'black swans'. A black swan is a "large-impact, hard-to-predict, and rare event beyond the realm of normal expectations" [http://en.wikipedia.org/wiki/Black_swan_theory]. Due to the asymmetry in likehood and impact these events cannot be properly taken in to account for in traditional risk analysis models. A way of handling with these unforeseen risks is not using likelihood and impact to evaluate risks but instead look at the cost to fix and the cost of the consequence. <br/>
| |
| − | <br/>
| |
| − | The conclusions of the evening were that vulnerabilities will be more easily and quickly exploited and attacks more intense and coordinated in the coming years. This change requires a different approach in risk analysis. Vulnerabilities should be fixed as early and as many as possible without trying to estimate a likelihood of occuring. Implementing security as early as possible in the SDLC and increasing security awareness on all levels is the key in beating risks in a cost efficient way.<br/>
| |
| | | | |
| − | == Announcement December 11th 2008: Architectural and design risk analysis == | + | == Meeting Schedule 9th April == |
| − | '''Summary'''<br/> | + | |
| − | The main goal of the upcoming OWASP-NL meeting is to provide information to managers, architects, designers, developers and security and risk professionals about risk analyses in the architectural and design phases. The speakers will give specific examples and there will be time to ask questions.<br/> | + | '''Summary''' |
| − | Please register before December 8th because of the necessary catering arrangements.<br/>
| + | The main goal of the upcoming OWASP-NL meeting is to provide information to managers, architects, designers, developers and security and risk professionals. The speakers will give specific examples and there will be time to ask questions. |
| − | <br/>
| |
| − | '''Location'''<br/>
| |
| − | The location and catering is provided by the sponsor of this meeting:<br/>
| |
| | <table> | | <table> |
| | <tr> | | <tr> |
| | <td width="350"> | | <td width="350"> |
| − | TTY Internet Solutions<br/>
| + | Lange Dreef 17<br/> |
| − | Kerkstraat 342<br/>
| + | 4131 NJ Vianen<br/> |
| − | 1017 JA Amsterdam<br/>
| |
| | </td> | | </td> |
| | <td width="350"> | | <td width="350"> |
| − | [[Image:TTYlogo.jpg|200px]] | + | [[Image:Sogeti_Nederland_b_v_Logo.jpg|143px]] |
| | </td> | | </td> |
| | </tr> | | </tr> |
| | <tr> | | <tr> |
| | <td width="350"> | | <td width="350"> |
| − | For the route by car or public transport please visit: http://tty.nl/nl/contact/amsterdam<br/>
| |
| | </td> | | </td> |
| | <td width="350"> | | <td width="350"> |
| − | TTY was founded in 1997 and has grown to be a solid Full Service Internet Partner. For a wide range of companies, large financial institutions, publishers and large insurance companies TTY develops high-traffic websites, shops, backoffice- and payment systems. TTY is especially known as a partner (and in some cases shareholder) of successful internet hits as
| + | Sogeti Nederland B.V. (Sogeti) wil door gepassioneerd ICT-vakmanschap bijdragen aan het resultaat van haar klanten. De visie van Sogeti is daarom als volgt samen te vatten: ´Resultaat door gepassioneerd ICT-vakmanschap´ Dit betekent dat Sogeti de verantwoordelijkheid neemt voor haar activiteiten bij klanten. Ze verplicht zich aan het resultaat op basis van haar excellente professionaliteit en haar ondernemerschap. Door hechte en langdurige relaties met klanten zet Sogeti ICT dusdanig in, dat het bijdraagt aan de strategische doelstellingen van haar klanten. |
| − | 2dehands.nl, ViaVia.nl, Nationale-Vacaturebank.nl, Sellaband.com, jaap.nl en Gekko.com.<br/>
| + | br/> |
| − | For more information please visit: http://tty.nl<br/>
| + | <br/> |
| | + | Voor meer informatie zie:<br/> |
| | + | www.sogeti.nl<br/> |
| | </td> | | </td> |
| | </tr> | | </tr> |
| | </table> | | </table> |
| − | <br/>
| |
| − | <br/>
| |
| − | '''Program'''<br/>
| |
| − | 17.30 – 18.30 '''Check-In''' (catering included)<br/>
| |
| − | <br/>
| |
| − | 18.30 – 19:00 '''Introduction''' (OWASP organization, projects, sponsor)<br/>
| |
| − | <br/>
| |
| − | 19.00 – 21.00 '''Architectural risk analyses''' (English), André N. Klingsheim and Lars-Helge Netland<br/>
| |
| − | This workshop will explore how businesses can use risk analysis in the architecture/design phase of software development to produce more secure software. Participants will get an introduction to risk analysis, which will
| |
| − | cover both definitions and how to apply the concepts in practice. The workshop consists of four parts: a short overview of current security threats; an introduction to risk management; an exploration of the limitations of risk management; and some real world applications of the presented techniques.<br/>
| |
| − | Lars-Helge Netland and André N. Klingsheim are software security analysts at, and co-owners of, NoWires Group AS. They both hold PhD degrees in applied software security, focused on risk analysis of software architecture and design.<br/>
| |
| − | <br/>
| |
| − | 20.00 – 20:15 '''Break'''<br/>
| |
| − | <br/>
| |
| − | 21.15 – 21:30 '''Discussion, questions and social'''<br/>
| |
| − | <br/>
| |
| − | | |
| − | Please register before December 8th, because of the necessary catering arrangements.<br/>
| |
| − | <br/>
| |
| − | All OWASP chapter meetings are free of charge and you don’t have to be an OWASP member to attend. There are never any vendor pitches or sales presentations at OWASP meetings.<br/>
| |
| − | <br/>
| |
| − | NOTE TO CISSP's: OWASP Meetings count towards CPE Credits.<br/>
| |
| − | <br/>
| |
| − | The announcement and full descriptions can be found here:<br/>
| |
| − | [[Media:Announcement_11_December.pdf]]<br/>
| |
| | | | |
| − | == Meeting minutes October 27th 2008 ==
| + | '''18.30 – 19:00 Introduction (OWASP organization, projects, sponsor) '''<br> |
| | + | '''19.00 - 19.45 Modern information gathering; how to abuse search engines Dave van Stein '''<br> |
| | + | Great generals already know the key to success is "knowing your enemy". In hacking terms this is called information gathering, fingerprinting or reconnaissance. Traditionally this phase consisted of using public records like WHOIS and DNS combined with active scans on servers. With the rise of advanced search engines like Yahoo, Live Search and Google a whole new type of reconnaissance has come to live; passive reconnaissance. Often servers are not properly configured which causes lots of valuable information to become available without accessing the server at all. Recently several hacker-tools appeared which use the full capabilities of these search engines giving hackers a head-start at mapping the network they plan to attack. The goal of this session is to give insight in the methods and tools hackers have at their disposal to gather information about systems they plan to attack without accessing the system itself. |
| | + | Dave van Stein has close to 8 years of experience in software testing. Since the beginning of 2008 he’s working for ps_testware as a web application security testing specialist. |
| | | | |
| − | At October 27th, the Dutch OWASP chapter came together at the office of the sponsor of the evening; ps_testware in Doorn. The subject of the evening was 'Privacy and the Internet’. There were 2 speakers and approximately 25 attendees.<br/>
| + | '''19.45 – 20.00 VAC Cross-site scripting Martin Visser ''' <br> |
| − | <br/>
| |
| − | After a short welcome talk by both the sponsor and OWASP, Mario de Boer had an announcement about a new OWASP project; ORPRO, the Open Review Project. The goal of the project is to review Open Source Software from an independent point of view. Reviews will be done both manually and with the aid of source code analysis software provided by Fortify. The first software package to be reviewed is already available so reviewers are needed. More information can be found on the OWASP project page. [http://www.owasp.org/index.php/Category:OWASP_Open_Review_Project]<br/>
| |
| − | <br/>
| |
| − | '''First presentation:''' Privacy & the Internet presented by Frank Fruijthoff and Ellen Hoving. <br/> | |
| − | The goal of this presentation was to show the problems in regulating privacy on the internet by law. The presentation was roughly split in 3 parts: definitions, requirements and context. <br/>
| |
| − | The main problem with regulating privacy is that the concept of privacy is very broad and not well defined. Privacy can have different meanings and consequences in different contexts. Most laws therefore focus on the individual and define privacy as 'protection of personal information' where 'personal information' is all data that can be tracked back to a single person. The last years many countries within the EU developed internet laws concerning privacy on the internet. These laws state that information can only be used what it originally was intended for and usage of that information must be reported at central register. This register also makes it possible to file a complaint and check what companies use personal information for what purposes. While these rules are mostly sufficient for local databases they often fail when applied to information stored on or with use of the internet. Problems encountered are captured in the "four D's";<br/>
| |
| − | - Internet is deterritorialized; internet has no boundaries.<br/>
| |
| − | - Internet is deregulated; internet has no law, only terms of use.<br/>
| |
| − | - Internet is dematerialized; internet is not physical.<br/>
| |
| − | - Internet is decentralized; there is no single regulating or controlling organization.<br/> | |
| − | Although the protection of personal data is more and more covered by laws, the increasing usage of external storage and connections over the internet will make it harder to enforce them. The main conclusion of the evening was that, although many initiatives improving privacy exist, the very properties of the internet make it hard to ensure privacy completely. <br/>
| |
| − | <br/>
| |
| − | '''Second presentation:''' Vulnerability and source code scanners presented by E. Strijbos. This presentation showed the results of a research concerning the feasibility of a Web Application Security Certification by the usage of vulnerability scanners.<br/>
| |
| − | With the daily increasing amount of threads and vulnerabilities in web applications there is a market-driven demand for an independent and automated scan service. Current scan services often lack coverage and depth of scanning and give no details about the used scanning methods.<br/>
| |
| − | In this research several commercial vulnerability scanners and static analysis tools were compared and checked for scantime, accuracy, false positives, and ease of use. The results showed that almost all scanners find most of the vulnerabilities, but also produce many false positives. Also, without proper configuration the amount of results can be overwhelming and inconclusive. Furthermore results showed that static analysis scanners are much faster than vulnerability scanners, but have a more limited usage. The main conclusion was that although vulnerability scanners and static analysis tools can be very helpful in identifying vulnerabilities, their current efficiency is not high enough to use as the basis for an automated vulnerability scan.<br/>
| |
| | | | |
| − | == Meeting October 27th 2008: Privacy and the Internet ==
| + | Martin Visser is a software designer with Sogeti Nederland B.V. specialized in secure application development with Microsoft technologies. He has experience with Microsoft server technologies like ASP.NET, SharePoint and Biztalk. Martin also developed and teaches a 2-day "Application Security – Microsoft development" course both within and outside Sogeti. |
| − | '''Summary'''<br/>
| |
| − | The main goal of the upcoming OWASP-NL meeting is to provide information to developers and security professionals about personal and technical privacy on the internet. The speakers focus on privacy regulations related to the internet and on the mass amount of personal and technical information available about persons and companies on the internet, with and without their consent. Furthermore tools will be discussed that help prevent leakage of privacy related and other kind of data. They will give specific examples and there will be time to ask questions.<br/>
| |
| − | Please register before October 20th because of the necessary catering arrangements.<br/>
| |
| − | <br/>
| |
| − | '''Location'''<br/>
| |
| − | The location and catering is provided by the sponsor of this meeting:<br/>
| |
| − | <table>
| |
| − | <tr>
| |
| − | <td width="350">
| |
| − | ps_testware B.V.<br/>
| |
| − | Dorpsstraat 26,<br/>
| |
| − | 3941 JM DOORN<br/>
| |
| − | </td>
| |
| − | <td width="350">
| |
| − | [[Image:Pstestware.jpg|100px]]
| |
| − | </td>
| |
| − | </tr>
| |
| − | <tr>
| |
| − | <td width="350">
| |
| − | The location has parking facilities for 15 cars. However parking in the direct vicinity of ps_testware shouldn’t be a problem.<br/>
| |
| − | </td>
| |
| − | <td width="350">
| |
| − | ps_testware delivers services related to software testing and software quality. In the field of software development, quality, time-to-market, business processes and software acceptance they play the role of "your devil's advocate" as an independent, flexible and specialized partner.<br/>
| |
| − | For more information please visit: www.pstestware.com.<br/>
| |
| − | </td>
| |
| − | </tr>
| |
| − | </table>
| |
| − | <br/>
| |
| − | <br/>
| |
| − | '''Program'''<br/>
| |
| − | 17.30 - 18.30 '''Check-In''' (catering included)<br/>
| |
| − | <br/>
| |
| − | 18.30 – 19:00 '''Introduction''' (OWASP organization, projects, sponsor)<br/>
| |
| − | <br/>
| |
| − | 19.00 - 20.15 '''Privacy and Internet''' (Dutch), Frank Fruijthoff and Ellen Hoving<br/>
| |
| − | In this presentation the general principles of privacy laws in the Netherlands and the EU and specifically privacy and the internet will be covered.<br/>
| |
| − | Frank Fruijthoff is a Compliance Officer with ING. He has a Compliance and Risk Management background and is specialised in privacy.<br/>
| |
| − | Ellen Hoving is a graduated lawyer. She works as an independent consultant specialized in compliance and privacy.<br/>
| |
| − | <br/>
| |
| − | 20.15 – 20:30 '''Break'''<br/>
| |
| − | <br/>
| |
| − | 20:30 – 21:00 '''Vulnerability and source code scanners''' (Dutch), Emile Strijbos
| |
| − | <br/>
| |
| − | For his Master thesis in computer science at the Radboud Universiteit in Nijmegen, Emile Strijbos investigated vulnerability scanners and source code scanners. These are automated tools that try to detect security flaws, either in running web-applications or in their source code.<br/>
| |
| − | Emile tried out several of these tools, including both free and commercial ones, to see how good they are at detecting standard vulnerabilities, such as SQL injection, XSS, CSRF, etc.<br/>
| |
| − | <br/>
| |
| − | 21.00 – 21:30 '''Discussion, questions and social'''<br/>
| |
| − | <br/>
| |
| − | | |
| − | Please register before October 20th, because of the necessary catering arrangements. The number of registries is limited to 50 due to the capacity of the location and will be handled in order of receipt.<br/>
| |
| − | <br/>
| |
| − | All OWASP chapter meetings are free of charge and you don’t have to be an OWASP member to attend. There are never any vendor pitches or sales presentations at OWASP meetings.<br/>
| |
| − | <br/>
| |
| − | NOTE TO CISSP's: OWASP Meetings count towards CPE Credits.<br/>
| |
| − | <br/>
| |
| − | The announcement and full descriptions can be found here:<br/>
| |
| − | [[Media:Announcement_27_Oktober.pdf]]<br/>
| |
| | | | |
| − | == Meeting minutes March 23th 2008 ==
| + | '''20.00 – 20.15 Break ''' <br> |
| | + | '''20.15 – 21.00 Beveiligingsaspecten van webapplicatie-ontwikkeling Wouter van Kuipers '''<br> |
| | + | Het ontwikkelen van webapplicaties verschilt op verschillende aspecten met het ontwikkelen van desktop applicaties, met name op het gebied van security. Voor grote bedrijven zijn er oplossingen beschikbaar als bijvoorbeeld SDL, maar voor het midden- en kleinbedrijf zijn dit soort oplossingen beperkt, omdat zij vaak niet de middelen hebben om dergelijke strategieën uit te kunnen voeren. Voor mijn scriptie heb ik middels een literatuuronderzoek, interviews met ontwikkelaars en een onderzoek naar Fortify 360 gekeken hoe het midden- en kleinbedrijf omgaat met deze verschillen en hoe zij het ontwikkelproces kunnen optimaliseren op het gebied van security. |
| | | | |
| − | At March 23th, the Dutch OWASP chapter came together in the Mercury hotel in Nieuwegein. The meeting was sponsored by Fortify Software. The subject of the evening was 'Software Vulnerability Assesment’. There were 3 speakers and approximately 40 attendees.<br/>
| + | Na een MBO opleiding in de IT is Wouter Kuipers via de HBO opleiding 'Communicatie Systemen' begin 2007 begonnen met een master |
| − | <br/>
| + | Informatiekunde aan de Radboud Universiteit Nijmegen, welke hij in maart dit jaar hoopt af te ronden. Tijdens zijn MBO studie is zijn interesse in het ontwikkelen van webapplicaties gewekt, wat in 2003 resulteerde in het opzetten van een eigen web-development bedrijf. Dit bedrijf is met name gespecialiseerd in het ontwikkelen van webapplicaties op maat, en het ondersteunen van bedrijven op het gebied van web-developement op freelance basis. |
| − | After a short introduction of Migchiel de Jong (Fortify) about the subject of Static and Dynamic Analysis and the tools that Fortify provides the speakers of the evening where introduced.<br/>
| |
| − | <br/>
| |
| − | '''First presentation:''' Practices of Complex(ity) matters (Dutch), Mario de Boer<br/> | |
| − | Mario de Boer has spent much of his free time the last 16 years into disassembling various pieces of software and analyzing the code and its statistics. The main advantage in analyzing binaries is that no access to source code is needed, all dependencies (i.e. the compiler) are included and it’s independent of the tool used. Disassembling compiled code gives great insight in the complexity of the software and the entry and exit points of data. Although there is no direct relation between the complexity of software and its security, statistically the most vulnerabilities appear in the most complex portions of a program. Data entry points in complex portions of the code can give rise to possible exploits so static analysis can give insight in the most vulnerable places in software which is useful information in testing.
| |
| − | The disadvantages of static analysis are that an extensive knowledge of assembly is needed and, due to its statistic nature, it gives rise to many false positives.
| |
| − | In conclusion static binary analysis, when used by experts, can be a powerful tool to gain insight in the most vulnerable parts of the software and be a valuable tool in both developing and testing software. <br/>
| |
| − | <br/>
| |
| − | '''Second presentation:''' V.A.C: SQL injection (Dutch), Marinus Kuivenhoven<br/>
| |
| − | A new reoccurring topic on OWASP presentations will be the so called VAC. In these presentations an expert will talk about a Vulnerability, how to Assess it and possible Countermeasures. This evening Marinus started with the second vulnerability in the OWASP top ten; SQL injections.<br/>
| |
| − | With the aid of Webgoat, a few simple examples and the possible consequences were shown. SQL injection is particularly useful exploit in the reconnaissance phase since it can be abused for information leakage and in getting information about e.g. the table structure. <br/>
| |
| − | On the internet and in literature many countermeasures against SQL injections are described. However, many of these countermeasures are not usable in a maintainable system or cannot prevent SQL injections completely. The most important conclusion was that input should never be trusted and should never be directly used.<br/>
| |
| − | <br/>
| |
| − | '''Third presentation:''' Secure Programming with Static Analysis (English), Brian Chess<br/>
| |
| − | The last speaker of the evening was Brian Chess who presented his new book ‘Secure Programming with Static Analysis’. Brian made clear that, although a powerful tool, static binary analysis is already too late in the SDLC to be successful in preventing vulnerabilities. Scanning for possible vulnerabilities should be implemented as early as possible i.e. during coding. The main advantages of static analysis are the cost and speed. Since errors and bad practices are identified in an early stage they can be solved at the spot, making auditing the software more efficient in term of time and depth. <br/>
| |
| − | Static analysis can successfully be used for style and type checking, program understanding and verification, and for security reviews. The success of static analysis, however, is fully depending on the rules implemented in the scanner. Static analysis is also unable to identify design flaws, right problems, or wrong user input. <br/>
| |
| − | The conclusion was that scanning for vulnerabilities can probably only be successful with the aid of static analysis, but many requirements should be met. Firstly it should become part of the SDLC and culture. Secondly the right tool should be picked and people should be trained in its use. Lastly investments should be made in building up a good rule set and metrics. <br/>
| |
| | | | |
| − | == Meeting March 26th 2008: Software Vulnerability assessment ==
| |
| − | '''Summary'''<br/>
| |
| − | The main goal of the upcoming OWASP-NL meeting is to provide information to developers and security professionals involved in creating secure (web-)applications. The main focus will be on software vulnerability assessment. The speakers will give specific examples and of course there is time to ask questions about your own experiences.<br/>
| |
| − | <br/>
| |
| − | '''Location'''<br/>
| |
| − | The location and catering is provided by the sponsor of this meeting:<br/>
| |
| − | <table>
| |
| − | <tr>
| |
| − | <td width="350">
| |
| − | Mercure Utrecht Nieuwegein<br/>
| |
| − | Buizerdlaan 10,<br/>
| |
| − | 3435 SB Nieuwegein<br/>
| |
| − | </td>
| |
| − | <td width="350">
| |
| − | [[Image:Fortify.JPG|143px]]
| |
| − | </td>
| |
| − | </tr>
| |
| − | <tr>
| |
| − | <td width="350">
| |
| − | </td>
| |
| − | <td width="350">
| |
| − | Fortify Software products protect companies from today’s greatest security risk: the software applications that run their businesses. Combining deep application security expertise with extensive software development experience, Fortify Software has defined the market with award-winning products that span the software development cycle. Today, Fortify Software fortifies the software for the most demanding customer deployments, including the world’s largest, most varied code bases.<br/>
| |
| − | <br/>
| |
| − | For more information please visit:<br/>
| |
| − | www.fortify.com<br/>
| |
| − | </td>
| |
| − | </tr>
| |
| − | </table>
| |
| − | <br/>
| |
| − | <br/>
| |
| − | '''Program'''<br/>
| |
| − | 17.30 - 18.30 '''Check-In''' (catering included)<br/>
| |
| − | <br/>
| |
| − | 18.30 - 18:50 '''Introduction''' (OWASP, sponsor)<br/>
| |
| − | <br/>
| |
| − | 18.50 - 19.30 '''Complex(ity) matters''' (Dutch), Mario de Boer<br/>
| |
| − | Various methods exist to locate specific vulnerabilities in software. In the presentation we will look at static analysis of binaries, and the problems we face when trying to locate vulnerabilities. Several ideas will be discussed to make the search easier, but at the same time less exact. The first idea is trivial: automate as much as possible. The second idea is nearly trivial: don't aim at exact vulnerabilities but relax the search to locating potential vulnerabilities. We will give examples that illustrate the results.<br/>
| |
| − | Mario de Boer is a senior security consultant at Logica, and as such focuses on security management aspects like security frameworks, compliance, monitoring and control and risk management. Before joining Logica, Mario worked at the Dutch ministries of Defense and Justice, he co-founded a security company and worked as a project manager in the financial sector. For several years he taught courses in software security analysis and secure software development. Besides security management, Mario has interest in software security, reverse engineering and cryptography. Within Logica Netherlands, he is knowledge manager application security. Mario holds a PhD in Mathematics and is CISA and CISSP.<br/>
| |
| − | <br/>
| |
| − | 19.30 - 19:50 '''Break'''<br/>
| |
| − | <br/>
| |
| − | 19:50 - 20:20 '''V.A.C: SQL injection''' (Dutch), Marinus Kuivenhoven
| |
| − | <br/>
| |
| − | <u>'''V'''ulnerability:</u><br/>
| |
| − | An application which uses a database for its information needs, communicates with it trough SQL. SQL injection is an attack in which malicious code is inserted into strings that are later passed to an instance of a Database for parsing and execution.<br/>
| |
| − | <u>'''A'''ssessment:</u><br/>
| |
| − | SQL injection can threaten the confidentiality, availability and integrity of the data. The various types of SQL injection and their impact will be shown.<br/>
| |
| − | <u>'''C'''ountermeasure:</u><br/>
| |
| − | Any procedure that constructs SQL statements should be reviewed for injection vulnerabilities because a database will execute all syntactically valid queries that it receives. How this should be done will be shown for the most popular languages.<br/>
| |
| − | Marinus is a Technology Specialist with Sogeti Nederland B.V. specializing in service oriented architectures and secure application development. His experience includes developing and administrating Oracle-based systems.<br/>
| |
| − | <br/>
| |
| − | 20.20 - 21.00 '''Secure Programming with Static Analysis''' (English), Brian Chess<br/>
| |
| − | Creating secure code requires more than just good intentions. Programmers need to know how to make their code safe in an almost infinite number of scenarios and configurations. Static source code analysis gives users the ability to review their work with a fine tooth comb and uncover the kinds of errors that lead directly to vulnerabilities. This talk frames the software security problem and shows how static analysis is part of the solution. We will look at how static analysis works, how to integrate it into the software development processes, and how to make the most of it during security code review. Along the way we'll look at examples taken from real-world security incidents, showing how coding errors are exploited, how they could have been prevented, and how static analysis can rapidly uncover similar errors.<br/>
| |
| − | Brian Chess is a founder of Fortify Software and serves as Fortify's Chief Scientist, where his work focuses on practical methods for creating secure systems. His book, Secure Programming with Static Analysis, shows how static source code analysis is an indispensable tool for getting security right. Brian holds a Ph.D. in computer engineering from the University of California at Santa Cruz, where he studied the application of static analysis to the problem of finding security-relevant defects in source code. Before settling on security, Brian spent a decade in Silicon Valley working at huge companies and small startups. He has done research on a broad set of topics, ranging from integrated circuit design all the way to delivering software as a service.<br/>
| |
| − | <br/>
| |
| − | 21.00 - 21:30 '''Discussion, questions and social'''<br/>
| |
| − | <br/>
| |
| − | '''Registration'''<br/>
| |
| − | | |
| − | <br/>
| |
| − | All OWASP chapter meetings are free of charge and you don’t have to be an OWASP member to attend. There are never any vendor pitches or sales presentations at OWASP meetings.<br/>
| |
| − | <br/>
| |
| − | NOTE TO CISSP's: OWASP Meetings count towards CPE Credits.<br/>
| |
| − | <br/>
| |
| | == Past Events == | | == Past Events == |
| | * Events held in [[Netherlands_Previous_Events_2008|2008]] | | * Events held in [[Netherlands_Previous_Events_2008|2008]] |
We are continuously looking for speakers and presentations make the chapter meetings as interesting as possible. Therefore we are looking inside and outside OWASP for known international specialists. But we know, there is a lot interesting stuf happening inside the Netherlands, too!
Presentations:
Are you working on interesting subject, you would like to share your experiences with the OWASP community.
Any topic related to application security will be appreciated!
VAC, Vulnerability, Attack, Countermeasure:
The goal is an half hour in-depth technical presentation about a vulnerability, how it can be exploited and how to prevent it!
We are continuously looking for locations to hold local chapter meetings. Therefore, we need companies willing to sponsor of host events.
Hosting a local chapter meeting:
To host a local chapter meeting, you facilitate the meeting location and beverage for the attendees
Sponsorship of a local chapter meeting:
You cover the cost of renting the location for the meeting and the payment of the beverages for the attendees
This is an overview of the 2009 local chapter meeting schedule. Details of the meetings can be found in the announcements that will be posted below this schedule.
Martin Visser is a software designer with Sogeti Nederland B.V. specialized in secure application development with Microsoft technologies. He has experience with Microsoft server technologies like ASP.NET, SharePoint and Biztalk. Martin also developed and teaches a 2-day "Application Security – Microsoft development" course both within and outside Sogeti.
Na een MBO opleiding in de IT is Wouter Kuipers via de HBO opleiding 'Communicatie Systemen' begin 2007 begonnen met een master
Informatiekunde aan de Radboud Universiteit Nijmegen, welke hij in maart dit jaar hoopt af te ronden. Tijdens zijn MBO studie is zijn interesse in het ontwikkelen van webapplicaties gewekt, wat in 2003 resulteerde in het opzetten van een eigen web-development bedrijf. Dit bedrijf is met name gespecialiseerd in het ontwikkelen van webapplicaties op maat, en het ondersteunen van bedrijven op het gebied van web-developement op freelance basis.
to this chapter or become a local chapter supporter.
Or consider the value of Individual, Corporate, or Academic Supporter membership. Ready to become a member? 
