Netherlands September 22nd, 2016



= September 22nd, 2016 =

Registration
Click here to register

Venue
Radboud University Nijmegen, Beta-faculty, Huygensgebouw, Heyendaalseweg 135, 6525 AJ Nijmegen. Parking garage P11

Programme

 * 18:30 - 19:00 Registration & Pizzas
 * 19:00 - 19:15 OWASP Netherland and Foundation Updates
 * 19:15 - 20:00 Handling of Security Requirements in Software Development Lifecycle, Daniel Kefer, René Reuter
 * 20:00 - 20:15 break
 * 20:15 - 21:00 Hacking the OWASP Juice Shop, Björn Kimminich
 * 21:00 - 21:30 Networking

Handling of Security Requirements in Software Development Lifecycle
The bigger the company you're working in, the more technologies and methodologies used by development teams you are going to face. At the same time, you want to address security risks in an appropriate, reliable and measurable way for all of them.

After a short introduction of a unified process for handling security requirements in a large company, the main part of the talk is going to focus on a tool called SecurityRAT (Requirement Automation Tool) which has been developed in order to support and accelerate this process. The goal of the tool is first to provide a list of relevant security requirements according to properties of the developed software, and afterwards to handle these in a mostly automated way - integration with an issue tracker being used as a core feature.

The tool was open sourced in May 2016 (available at https://github.com/SecurityRAT) and has been under continuous development since then. The newest implemented features, work in progress and future plans will form the last part of the talk.
 * [[Media:OWASP-NL_2016-09-22_Handling_Security_Requirements_in_SDLC.pdf | Download the presentation as PDF]]

Hacking the OWASP Juice Shop
OWASP Juice Shop* is an intentionally insecure web app suitable for pentesting and security awareness trainings written in Node.js, Express and AngularJS. It is the first application written entirely in JavaScript listed in the OWASP VWA Directory. It also seems to be the first broken web app that uses the currently popular architecture of an SPA/RIA frontend with a RESTful backend.

In this talk I will show why and how the app was created, followed by a demo of how to hack it. Prepare for some nasty XSS, SQLI and CSRF flaws bundled with some seriously broken access control and business logic - all in one single application!

(*Translating "dump" or "useless outfit" into German yields "Saftladen" which can be reverse-translated word by word into "juice shop". Hence the project name. That the initials "JS" match with those of "JavaScript" was purely coincidental!)

Coverage

 * Presentation online (HTML5)
 * Presentation on Slideshare (PDF)

Daniel Kefer
1&1 Mail & Media Development & Technology GmbH, Head of Application Security

Daniel Kefer has been working in the application security field since 2007. Having started as a penetration tester, he soon became passionate about proactive security efforts and working closely with developers. Since 2011 he has been working for 1&1 where he focuses on design and continuous improvement of the internal secure SDLC process and its implementation in different development departments. Apart from 1&1, he also works as a volunteer for the OWASP OpenSAMM project.

René Reuter
Robert Bosch GmbH, IT Security Consultant

René Reuter is a security engineer with over 4 years of experience in the application security field. At Robert Bosch GmbH, he works as an IT Security Consultant responsible for identifying vulnerabilities and design flaws that may impact Robert Bosch's applications and infrastructure. René holds a Master's Degree in Computer Science from the University of Applied Sciences Karlsruhe.

Björn Kimminich
Björn Kimminich has been working in the area of software development for Kuehne + Nagel for over 8 years, where he is now responsible for Global IT Architecture. His most sophisticated Open Source work is the intentionally insecure web application Juice Shop, which just recently was accepted as an OWASP Tool Project. As a side job he lectures on software development at the UAS Nordakademie, where he teaches Java to engineering students as their first programming language.

Sponsors

 * The OWASP Netherlands Chapter is sponsored by:

https://www.owasp.org/images/9/9a/Logo_Informatiebeveiliging-200.png https://www.owasp.org/images/9/92/Ecurify-2016.png https://www.owasp.org/images/5/50/Nixu-logo.png https://www.owasp.org/images/f/f9/Logo_xebia.jpg