Netherlands Previous Events 2009

Netherlands events held in 2009

2009 Schedule
This is an overview of the 2009 local chapter meeting schedule. Details of the meetings can be found in the announcements that will be posted below this schedule. December 2th -- Please block your agendas on December 2, 12h-22h for the BeNeLux OWASP Day 2009.

December 10th -- Time        : 18.00 - 21.30 Main Topic  : Secure Software Development Presentations: How OWASP resources can be used by universities to develop, test and deploy secure web applications By Kuai Hinojosa

VAC Regular Expression Denial of Service By Adar Weidman, Checkmarx Ltd.

BSIMM Europe results By Florance Mottay, Managing Principal Citigal

Location    : ps_testware, Dorpsstraat 26, 3941 JM Doorn Sponsor     : ps_testware

September 24th -- Time        : 18.00 - 21.30 Main Topic  : Unauthorised Access Presentations: Unauthorised Access                                              Wil Allsopp Mini Meetings report: Time- Box testing &amp; Test Tools             Barry van Kampen/ Dave van Stein Education Project report                                         Martin Knobloch Discussion, questions and social networking Location    : Sofitel Cocagne Vestdijk 47 5611 CA Eindhoven Google Maps Route: http://tiny.cc/24kWE Sponsor     : Madison Gurkha

May 28th -- Time        : 18.00 - 21.30 Main Topic  : AppSec Europe 2009 Presentations: AppSec-EU 2009                                                   Sebastien Deleersnyder, Telindus VAC Cross-Site Request Forgery                                   Niels Teusink Open session / discussion about subjects brought forward by               the attendees                                                     Martin Knobloch/Ferdinand Vroom/Peter Gouwentak Location    : ASR Nederland MD0.60 - Auditorium Smallepad 30 3811MG Amersfoort Sponsor     : ASR Nederland

April 9th -- Time        : 18.00 - 21.30 Main Topic  : Knowing Your Enemy Presentations: Modern information gathering; how to abuse search engines        Dave van Stein VAC Cross-site scripting                                         Martin Visser Beveiligingsaspecten van webapplicatie-ontwikkeling              Wouter van Kuipers Location    : Lange Dreef 17 4131 NJ Vianen Sponsor     : Sogeti Nederland B.V.

Meeting Schedule December 10th 2009: Secure Software Development, Testing, Deployment and Methodologies
Summary: The main goal of the upcoming OWASP-NL meeting is to provide information to managers, architects, designers, developers and security and risk professionals. The speakers will give specific examples and there will be time to ask questions.

18:00 - 18:30 Check-In (catering included)

18:30 - 18:45 Introduction (OWASP organization, projects, sponsor) 

18.45 - 19.45 How OWASP resources can be used by universities to develop, test and deploy secure web applications (Kuai Hinojosa) Universities are key to making application security visible and the need to educate software developers about application security as an aspect of proper software development has never been more important. In this presentation I will share how OWASP resources can be used by universities to develop, test and deploy secure web applications. I will discuss challenges that Universities currently face integrating a pplication security best practices, describe how OWASP tools and resources are currently used at New York University to test for most common web application flaws. I will introduce projects such as the OWASP Enterprise Security API which can be used to mitigate most common flaws in web applications and share initiatives the OWASP Global Education Committee is currently working on. If you are interested in securing web applications, and supporting the OWASP Global Education Committee efforts you don't want to miss this!

Kuai Hinojosa has been developing and securing web applications for about 12 years. He previously worked in the banking industry as a database security administrator for the 5th largest bank in the U.S. where he worked in a small team developing applications that protected company's assets. He now works for New York University as a Web Applications Specialist where he continues to use web application development and application security experience to protect university resources. In his spare time Kuai volunteers his time preaching the application security gospel and leading the Minneapolis OWASP chapter. Kuai is a member of the OWASP (Open Web Application Security Project) Global Education Committee.

19.45 – 20.00 Break

20. 00 – 20.30 VAC REGEX Denial of Service Attacks (Adar Weidman, Senior Developer Checkmarx Ltd.) ([[Media:20091210_VAC-REGEX_DOS-Adar_Weidman.pdf]])

This presentation explores the Regular Expression Denial of Service (ReDoS) attack and how it be used in order to implement new and old attacks. ReDoS is commonly known as a “bug” in systems, but the presentation will show how serious it is and how using this technique, various applications can be “ReDoSed”. These include, among others, Web Application, WAFs, IDS, AV, Web Servers, Client-side browsers (including cellular devices), and Database.

20.30 – 21.00 BSIMM Europe results (Florence Mottay, Managing Principal Citigal)

Most large organizations have practiced software security through many activities involving people, process and automation, but we are just now reaching the point where enough experience has been accumulated to compare notes and talk about what works at a macro level. Using the framework described in Gary McGraw’s book “Software Security: Building Security In” I will discuss and describe the state of the practice in software security. This talk is infused with real data from the field, based on my work with several large companies as a Cigital consultant.

Florence Mottay is a seasoned Business Manager and adept Security Expert. She is responsible for the long-term growth, stability, market leadership, and client satisfaction of the company's EMEA operations. At her former company, Security Innovation, she was the visionary behind Team Mentor, the company's first-of-a-kind software security knowledge management system that guides software development and test teams through the process of consistently developing secure applications. Other areas of expertise include Threat Modeling for the Enterprise and Customized Enterprise Security Solutions. Previously, Florence was a Software Test Engineer for JD Edwards. She was also a Project Leader at the Center for Software Engineering Research at the Florida Institute of Technology where she worked for Dr. Whittaker, the founder of Security Innovation. Florence has a BS in Applied Mathematics and an MS in Software Engineering from the Florida Institute of Technology.

21.00 – 21:30 Discussion, questions and social networking

Meeting Schedule December 2nd 2009: BeNeLux OWASP Day 2009
Follow this link for more information: BeNeLux OWASP Day 2009



Meeting Schedule September 24th 2009: Unautorized Access
Summary: The main goal of the upcoming OWASP-NL meeting is to provide information to managers, architects, designers, developers and security and risk professionals. The speakers will give specific examples and there will be time to ask questions.

18:00 - 18:30 Check-In (catering included)

18:30 - 18:45 Introduction (OWASP organization, projects, sponsor)

18.45 - 19.45 Unauthorized Access (Wil Allsopp) 

Physical Penetration Testing and Social Engineering have been conducted by testing organisations for some time but there has been very little discussion within the industry regarding the use of formal approaches ensuring a consistently high quality and repeatability of the testing lifecycle.

This was a problem I attempted to address in the book Unauthorized Access and is the focus of this discussion.

We will look at the following:


 * What is physical penetration testing and what does it aim to achieve?
 * Tactical approaches to Social Engineering in testing.
 * The advantages and disadvantages of deploying SE.
 * Training operators and building operating teams - what skill sets should you deploy?
 * What are the legal aspects involved, how do these vary between jurisdictions?
 * How should you plan a physical penetration test at strategic, tactical and operational levels?
 * How do you gauge risk i.e. Contractual, Operational, Legal and Environmental?

The biggest problem currently facing physical penetration testing teams is that it's hard to prove a negative i.e. a failed test by no means guarantees the security of the client. By ensuring your team is trained and prepared you can mitigate this problem to a large degree. 

19.45 – 20.00 Break

20. 00 – 20.30 Mini Meetings: Time- Box testing &amp; Test Tools (Barry van Kampen en Dave van Stein)

20.30 – 21.00 Education Project (Martin Knobloch)

21.00 – 21:30 Discussion, questions and social networking

Meeting Schedule May 28th 2009: AppSec Europe 2009
Summary The main goal of the upcoming OWASP-NL meeting is to provide an abstract of the recently held AppSec Europe 2009, a VAC about CSRF and, new, an open discussion on application security subjects brought forward by the attendees.

18.30 - 18.45 Introduction (OWASP organization, projects, sponsor) 

18.45 - 19.45 AppSec-EU 2009 (Sebastien Deleersnyder, Telindus)  Update on the AppSec-EU 2009: OWASP State of the union, an update on OWASP and OWASP projects and of course the highlights of the AppSec-EU 2009 presentations.

19.45 - 20.00 Break 

20.00 - 20.30 VAC Cross-Site Request Forgery (Niels Teusink, Fox-IT)  ([[Media:20090409_VAC-CSRF-Niels_Teusink.pdf]]) CSRF is an attack which forces an end user to execute unwanted actions on a web application in which he/she is currently authenticated. With a little help of social engineering (like sending a link via email/chat), an attacker may force the users of a web application to execute actions of the attacker's choosing. A successful CSRF exploit can compromise end user data and operation in case of normal user. If the targeted end user is the administrator account, this can compromise the entire web application.

Niels Teusink holds a bachelor degree in Computer Science and has been experimenting with IT security for over a decade. He has worked for Fox-IT since 2005; first as a software engineer and since 2007 as a penetration tester. He has since performed dozens of penetration tests for all sorts of companies, including governments, banks and nuclear installations.

20.30 - 21.15 Open session / discussion (Martin Knobloch/Ferdinand Vroom/Peter Gouwentak)  Open session / discussion about subjects brought forward by the attendees.

The Announcement of this meeting: [[Media:Announcement_OWASP-NL_May_28th_2009.pdf]] The flyer of this meeting: [[Media:Owasp_NL_may2009.pdf]]

Meeting Schedule 9th April Knowing Your Enemy
Summary The main goal of the upcoming OWASP-NL meeting is to provide information to managers, architects, designers, developers and security and risk professionals. The speakers will give specific examples and there will be time to ask questions.

18.30 - 18.45 Introduction (OWASP organization, projects, sponsor)  18.45 - 19.30 Modern information gathering; how to abuse search engines Dave van Stein ([[Media:20090409_passsive_reconnaissance-Dave_van_Stein.pdf]]) Great generals already know the key to success is "knowing your enemy". In hacking terms this is called information gathering, fingerprinting or reconnaissance. Traditionally this phase consisted of using public records like WHOIS and DNS combined with active scans on servers. With the rise of advanced search engines like Yahoo, Live Search and Google a whole new type of reconnaissance has come to life; passive reconnaissance. Often servers are not properly configured which causes lots of valuable information to become available without accessing the server at all. Recently several hacker-tools appeared which use the full capabilities of these search engines giving hackers a head-start at mapping the network they plan to attack. The goal of this session is to give insight in the methods and tools hackers have at their disposal to gather information about systems they plan to attack without accessing the system itself. Dave van Stein has close to 8 years of experience in software testing. Since the beginning of 2008 he's working for ps_testware as a web application security testing specialist.

19.30 - 20.00 VAC Cross-site scripting Martin Visser ([[Media:20090409_VAC_Cross-site-scripting_Martin_Visser.pdf]]) Martin Visser is a software designer with Sogeti Nederland B.V. specialized in secure application development with Microsoft technologies. He has experience with Microsoft server technologies like ASP.NET, SharePoint and Biztalk. Martin also developed and teaches a 2-day "Application Security - Microsoft development" course both within and outside Sogeti.

20.00 - 20.15 Break  20.15 - 21.00 Beveiligingsaspecten van webapplicatie-ontwikkeling Wouter van Kuipers  ([[Media:20090409_presentatie_Wouter_van_Kuipers.pdf]]) Het ontwikkelen van webapplicaties verschilt op verschillende aspecten met het ontwikkelen van desktop applicaties, met name op het gebied van security. Voor grote bedrijven zijn er oplossingen beschikbaar als bijvoorbeeld SDL, maar voor het midden- en kleinbedrijf zijn dit soort oplossingen beperkt, omdat zij vaak niet de middelen hebben om dergelijke strategieën uit te kunnen voeren. Voor zijn scriptie heeft Wouter van Kuipers middels een literatuuronderzoek, interviews met ontwikkelaars en een onderzoek naar Fortify 360 gekeken hoe het midden- en kleinbedrijf omgaat met deze verschillen en hoe zij het ontwikkelproces kunnen optimaliseren op het gebied van security.

Na een MBO opleiding in de IT is Wouter van Kuipers via de HBO opleiding 'Communicatie Systemen' begin 2007 begonnen met een master Informatiekunde aan de Radboud Universiteit Nijmegen, welke hij in maart dit jaar hoopt af te ronden. Tijdens zijn MBO studie is zijn interesse in het ontwikkelen van webapplicaties gewekt, wat in 2003 resulteerde in het opzetten van een eigen web-development bedrijf. Dit bedrijf is met name gespecialiseerd in het ontwikkelen van webapplicaties op maat, en het ondersteunen van bedrijven op het gebied van web-developement op freelance basis.

The flyer of this meeting: [[Media:Owasp_NL_april2009.pdf]]

Meeting minutes December 10th 2009
At December 10th 2009, the Dutch OWASP chapter met in Doorn. The sponsor of the evening was ps_testware. The subject of the evening was Secure Development. There were 4 speakers planned, but only one showed up. Other were sick or were having travel difficulties. Due to bad weather and extremely long traffic jams, only 8 attendees joined us in two great presentations.

Adar Weidman presented his research on Regular Expressions Denial of Service. The presentation can be downloaden from here.

Martin Knobloch filled in the slot that was left and talked about several OWASP projects.

Great stuff as you can see! We hope to see you on our next Chapter meeting

Meeting minutes September 24th 2009
At September 24th 2009, the Dutch OWASP chapter met in Eindhoven. The sponsor of the evening was Madison Gurkha. The subject of the evening was Unautorized Access. There were 4 speakers and 21 attendees. After a short welcome talk by Ferdinand Vroom from OWASP, Madison Gurkha gave a small introduction to the company. Madison Gurkha is a small firm that focuses on the prevention, identification, and prevention of technical IT security problems throughout organizations. As such their scope reaches beyond that of web application testing up to the level of physical security. In practice they often see the OWASP top 10 vulnerabilities and use OWASP tools in their assessments, hence their interest in the OWASP. First presentation: Unauthorized Access by Wil Allsopp. Wil Allsopp performs Physical Penetration Tests at Madison Gurkha and recently wrote a book about the subject: Unauthorised Access: Physical Penetration Testing For IT Security Teams. Physical Security is all hacking your way into physical locations, like buildings, by using a combination of reconnaissance, social engineering, and technical skills. Like all forms of testing these assessments can only be successful when performed in a structured manner. The first phase is the preparation phase in which the target is studied and a team with a balance of several expertises is selected. Obviously the legal consequences and risks for bodily harm can be more severe in conducting a physical security test. Therefore a careful preparation also includes covering these risks and defining solid boundary conditions. In the second phase the actual test is done meaning that the team will try to enter a facility according to a well prepared plan. Since physical security deals with real people and other unpredictable circumstances, this phase heavily relies on social engineering skills and being creative. Test can be conducted in three modes of operation: overt (use the system as much as possible), covert (minimize contact), and unseen (apply stealth). The last phase is off course the reporting phase. Wil clearly showed in his presentation that testing for physical security introduces whole new dimensions of interaction to take into account, but is in fact no different in approach than other forms of testing. Second presentation: Mini Meetings Results by Barry van Kampen en Dave van Stein. As mentioned in the meeting minutes of May 28th 2009 the Dutch OWASP chapter decided to schedule mini-meetings. These meetings will facilitate an open discussion about a single topic of interest. Although only 1 of the 3 planned meetings actually took place, the results of this meeting were above expectations. The topic of this mini-meeting was "Quick-scans and other time-boxed test approaches". The conclusions were that these time-boxed test approaches are capable of quickly uncovering fundamental problems even while the scope is limited. Plans are to have a second meeting and maybe even start an OWASP project on the topic. Since mini-meets are planned for and by the community, everybody is invited to check the mini-meet Wiki and propose topics, dates or locations. Third presentation: OWASP Education Project by Martin Knobloch. The awareness that application security is essential in the development and deployment of every web application is increasing, but it is often still applied as an end-of-pipe solution. The OWASP Education Project tries to remediate this problem by delivering education material about OWASP tooling, methodologies, and principles. The project continuously creates educational &amp; documentation papers, screen scrape video courses and learning environments and courses. By providing these materials to the community the OWASP body of knowledge can be spread in a controlled manner and deliver high quality training, both inside and outside of the OWASP community. To improve the quality and progress of this project, contributors are needed on all areas. Therefore everybody is encouraged to take a look at the project Wiki and invited to help make the (virtual) world a better and safer place!

Meeting minutes May 28th 2009
At May 28th, the Dutch OWASP chapter came together at the ASR building in Amersfoort. The main topic of the evening was AppSec 2009. There were 2 speakers and approximately 20 attendees. There was no sponsor talk or general announcement so after a very short welcome talk by Bert the evening started. First presentation: AppSec 2009 by Sebastien Deleersnyder. The first presentation of the evening was a recap of AppSec 2009 in Poland. The conference was a big success with around 170 attendees. The meeting preceded the 2009 edition of Confidence resulting in a week of security presentations and workshops. All AppSec presentations and many movies, pictures, and other material can be found on the AppSec wiki but a few items are worth mentioning in specific. First of all OWASP is growing and changing. These changes include a simplification of the membership fees, the introduction of a 'code of ethics', and a general review of all 120 projects. Other highlights are the project ASVS, which has reached an international standard status and updated versions of WebGoat and LabRat. Lastly besides a Wiki and a LinkedIn group, OWASP is now also active on Twitter &amp;  and has two overview pages with all video  and audio materials. Feel free to use all the materials (as long as you abide by the new code of ethics off course) and visit the OWASP websites frequently for updates ! Second presentation: VAC Cross-Site Request Forgery by Niels Teusink. After succesfull VAC's about SQL injection and Cross-site scripting, the topic of this evening's VAC was Cross-site Request Forgery, also known as CSRF. CSRF is probably one of the least understood vulnerabilities, but can have tremendous consequences when succesfully exploited. In essence it is an attack that misuses the victim's autorisations with malicious scripts. CSRF attacks can also be easily combined with other attack, like e.g. XSS, making them even more dangerous. Despite the name suggests, these attacks do not have to be on different websites (domains). With the continuing trend to combine multiple functionalities in a single application, so-called onsite request forgeries are becoming more and more frequent. Contrary to XSS and SQL injection, CSRF can not be blocked by input validation. In order to prevent these kind of attacks, an application has to able to verify the authenticity of a request. This can be achieved by several methods like using a unique identifier for a session or each request or requiring additional user input like a CAPTCHA or a one-time token. Open Discussion The evening was closed with an open discussion about how to improve knowledge sharing among the OWASP members. Many interesting discussions start during the drinks after the presentations on the OWASP evenings, discussions that sadly often are stopped prematurly due to time restraints. As an addition on the quarterly presentation evenings, the Dutch chapter decided to also start mini-meetings and the OWASP cafe. Mini-meetings will not be planned on beforehand, but instead will be planned when a topic is proposed and enough attendees have stated an interest in the topic. The attendees will have to select a location themselves but can request a donation from the OWASP for drinks and snacks. Topics discussed at the mini-meeting will have to be listed in minutes so other members can also profit from this knowledge exchange. The OWASP cafe will be planned each first thursday of the month on a location that will be listed on the OWASP Dutch chapter site. The rules are simple: the evening starts at a certain time, ends at a certain time and will be filled with drinks, snacks, and nerd/hacker/geek humor and discussions in between. Check the website frequently for the location of the next mini-meeting and OWASP cafe !

Meeting minutes April 9th 2009
At April 9th, the Dutch OWASP chapter came together at the office of Sogeti in Vianen. The main topic of the evening was "knowing your enemy". There were 3 speakers and approximately 50 attendees. The sponsor of the evening started with a small welcome and an overview of their internal security program named PASS. After some small announcements from the OWASP the evening started. First presentation: Modern information gathering; how to abuse search engines by Dave van Stein. The first presentation of the evening was about using search engines and crawlers to gain detailed information about webservers and websites. Ill configured webservers allow search engine crawlers to collect much information about a system, information that is stored and can be retrieved with search engines. Many websites and tools make use of this mechanism and, combined with DNS and WHOIS information, are able to provide detailed or sensitive information like usernames, vulnerabilities, present files or network topology about a system without targeting it directly. Restricting crawlers to access a system can act as a first line of defence and reduce exposure and risks. Second presentation: VAC Cross-site scripting by Martin Visser. The second VAC on an OWASP meeting was about Cross-site scripting also known as XSS. XSS vulnerabilities are often misunderstood and underestimated but facts show that XSS vulnerability abusing attacks are nowadys the fastest growing and most widespread type of exploit. In short XSS vulnerabilities allow for user input to be executed when containing javascript or HTML code. When combined with other vulnerabilities the possibilities of these attacks are vitually limitless. The only way to prevent these attacks is to sanitize all input and output fields, but this can be more difficult than it appears to be. Simply blacklisting fragments like &lt;script&gt; is not sufficient due to the possibility of recursivity (e.g. &lt;scr&lt;script&gt;ipt&gt;) and encoding (e.g. URL encoding: %3C%73%63%72%69%70%74%3E). Using multiple layers of filters on various places is the only way to assure enough protection against these types of attacks. Third presentation: Beveiligingsaspecten van webapplicatie-ontwikkeling by Wouter van Kuipers. The third presentation of the evening was about the efficiency of a source code analyer for php based websites. Approximately 33% of all websites use php and this can be explained by the low learning curve and ease of use of the language. Due to the low learning curve many php developers have little experience with programming and almost no awareness regading security resulting in many unsecure websites. Source code analysis can help preventing many security issues, but their usage does have some limitations. Firstly the scan on itself takes only a few minutes, but analysing the results requires much longer and depends greatly on how familiar the analyser is with the scanned source code. Second these analysers produce many flase positives, making analysis even more time consuming. Lastly not all vulnerabilities are detected with the same efficiency. Especially vulnerabilities that are dependent on the application logic like injection or XSS are not always efficiently detected. Concluding, like all tools, a source code analyser can be a powerful tool, but one has to be aware of its limitations. These tools can provide results very fast, but when used on unfamiliar code the analysis can be very time consuming.