Belgium Events 2007

These are the 2007 events of the OWASP Belgium Chapter.

Previous year: 2006. Next year: 2008.

WHEN
Tuesday, November 20th, 2007 (18pm-21pm)

WHERE
Pizza and drinks sponsored by NetAppSec

Katholieke Universiteit Leuven sponsored the venue

Location: Department of Computer Science (auditorium 00.225) Celestijnenlaan 200 A, 3001 Heverlee

The OWASP chapter meeting was co-organized with ISSA Belgium (http://www.issa-be.org).

PROGRAM
The agenda:

OWASP Update ISSA Intro
 * 18h00 - 18h30: Welcome, Pizza and drinks
 * 18h30 - 18h45: Sebastien Deleersnyder, OWASP BeLux
 * 18h45 - 19h00: Tomas Vanhoof, ISSA
 * 19h00 - 20h00: Patrick Debois
 * Operational security impact on developing secure applications
 * As an experienced programmer you are well experienced in applying the OWASP guidelines. At least we hope so ;-) Still we are ainly involved :within the creation of the application during a project phase. But good security management goes beyond that one phase, enter the operational security. Not having programming skills, these operationalunits over the years have created several security layers around the applications. Think firewalls, intrusion detection, prevention, antivirus systems... These server and network oriented security measures more and more influence application deployment and can also benefit from better application integration.
 * This presentation will show you the impact of f.i. central logmanagement, patch management, identity & access management, loadbalancing, antivirus .. can have on the application deployment and how with little modification of our application it can make a whole world of difference to the security in the trenches. They will be complementary to the OWASP set of guidelines. Also developers will get a better understanding of an additional set of non-functional requirements that are security related.
 * Patrick Debois has been an independent consultant for 15 years and is fascinated by the transition of a projects into operational mode. In order to better understand this interaction, he frequently changes his role from being a project manager, systems engineer, tester and developer.
 * His two main technical point of interests are:
 * portal, cms, dms, search (f.i. brussels airport, eurocontrol,www.vrtnieuws.net)
 * identity/access management: (f.i. ministry of Finance, flemish government, telenet).
 * Complementary to these technical skills, he stimulates the human factor within projects by using both coaching (NLP) and project manamagement skils(Lean, Scrum).In his latest assignment he is experimenting with Scrum and Coaching within an operational team.


 * 20h00 - 20h15: break
 * 20h15 - 21h15: Herman Stevens & Swa Frantzen, NET2S
 * Security awareness programs for development
 * Security awareness programs for developers are an effective tool to improve not just the security but can be used as a vehicle to improve efficiency in the development cycle just as well. This talk gives an overview of what the different roles in a development department need to know and introduces some key concepts in order to make such a program a success. Real examples from actual security awareness trainings will be given as well.
 * Swa Frantzen first encountered the Internet in its very early days at the KULeuven as a system administrator at the Computer Science department. Ever since he developed an active interest in the security consequences of that network of networks. Swa served in different functions at different levels between engineering and management in the security service industry (Ubizen, Telindus, SANS, NET2S) and the telecommunications world (EUnet, Scarlet). Currently he is an independent security consultant. He is also one of the handlers at the SANS Internet Storm Center.
 * Herman Stevens (CISA, CISSP) works in the information security field since nearly a decade. At Smals-MvM he developed applications regarding the Belgian social security system. He started at Ubizen as the security product trainer, and later was asked to become information security consultant. The bulk of his work became doing risk assessments, creating security policies, performing PCI audits and especially application security related work such as application security reviews, penetration testing, code review and training developers. Currently he works as a senior consultant at NET2S, where he focuses on security awareness training for development teams.

OWASP Day (6-Sep-2007)
On September 6th, OWASP organized OWASP Day conferences worldwide triggered by the Global Security Week idea.

In Belgium we organized the mini-conference in Brussels.

Speakers:
 * Mark Curphey, OWASP Founder, (Marc's blog)
 * Petko D. Petkov, a.k.a pdp (architect), founder of the GNUCITIZEN group. Co-author of the “XSS Attacks” book.
 * Bart De Win, postdoc researcher within the DistriNet research group, K.U.Leuven
 * David Kierznowski, founder of blogsecurity.net and active member of the GNUCITIZEN group.
 * Simon Roses Femerling, Security Technologist at ACE Team Microsoft
 * Luc Beirens, FCCU

WHEN
Thursday, September 6th, 2007 (2-7pm)

WHERE
Telindus, Belgacom ICT sponsored the venue:  Location: SURF House, Rue Stroobants 51, 1140 Evere.  You can find a map and itinary online. 

PROGRAM
The theme of the world-wide OWASP Day is “Privacy in the 21st Century”.

The event started with an introductory session on WebGoat & WebScarab at 12h30, the mini-conference itself at 14h.

The agenda:


 * 12h30 pre-event: Getting started with WebGoat & WebScarab (Erwin Geirnaert)
 * 14h00 Welcome & pre-recorded video of OWASP board (Sebastien Deleersnyder)
 * 14h20 Key note:OWASP Evaluation and Certification Criteria Draft (Mark Curphey)
 * 15h10 Automated Web FOO or FUD? (David Kierznowski)
 * 16h00 OWASP Pantera Unleashed (Simon Roses Femerling)
 * 16h40 Break
 * 17h00 CLASP, SDL and Touchpoints Compared (Bart De Win)
 * 17h25 Threats of e-insecurity in Belgium and the Belgian response (Luc Beirens - FCCU)
 * 17h50 For my next trick... hacking Web2.0 (pdp)
 * 18h40 Panel Discussion: “Privacy in the 21st Century?”, moderator: André Marien (Verizon Business - Cybertrust)
 * 19h30 Finish - Drinks !

Getting started with WebGoat & WebScarab (Erwin Geirnaert)
Download presentation.

In this tutorial you will learn how to use WebScarab to solve the lessons in WebGoat.

Following points will be explained:
 * Configure WebScarab as a local proxy
 * Intercepte HTTP requests and responses
 * Modify HTTP requests to solve the lesson “Hidden field manipulation”
 * Modify HTTP responses to solve the lesson “Bypass client-side Javascript validation”
 * Use the session analysis tab in WebScarab
 * Use the web services tab in WebScarab
 * Use WebScarab to analyze Ajax XML messages

!! Prerequisites:
 * Bring your own laptop with you!
 * Download WebScarab onto your laptop
 * Download WebGoat onto your laptop

Erwin Geirnaert is CEO and co-founder of ZION Security. He is a renowned application security expert and has presented on various conferences like Javapolis, Eurostar, Owasp,… about web security. He is board member of OWASP Belux and actively involved in various OWASP projects like OWASP Java and OWASP WebGoat. Because of his technical experience he loves to do security testing, code review, reverse engineering,.. for Fortune 1000 companies in Europe. More information can be found on his LinkedIn profile: http://www.linkedin.com/in/erwingeirnaert.

OWASP Evaluation and Certification Criteria Draft (Mark Curphey)
Download presentation.

As opposed to me continuing saying what’s wrong with PCI DSS, it seems to me that OWASP is a perfect forum to simply create and publish a “better criteria”. This can either be adopted and implemented by an organization like OWASP or considered to be incorporated into the PCI or other security standards. We won't get bogged down in the politics up-front, but hold something good up to the world for people to adopt. This project would of course draw on and bring together many of the other OWASP Projects including the Guide (What is a secure web app), Testing Guides (How to test for a secure web app), WebGoat (part of how to certify an individual understands and can find web app issues) etc. Many of those projects may not be complete or a perfect fit today, but this project can bring a common connecting theme to a lot of very valuable IP that OWASP has built over the years. I will also create it in such as way that a corporate could adopt/adapt it themseles as well as an industry. Where other OWASP projects are not complete or currently suitable I will build a requirements doc that can be considered by those teams if they feel appropriate.

Mark Curphey ran Foundstone consulting from 2003 until late 2006 during which time the company was sold to McAfee. Before joining Foundstone Mark was the Director of Information Security at Charles Schwab (responsible for the software security program) and has also worked for ISS and several financial services companies in Europe. Mark has a Masters degree in information security from Royal Holloway, University of London and was the original founder of the Open Web Application Security Project (OWASP).

Automated Web FOO or FUD? (David Kierznowski)
Download presentation.

We take a look into automated web application testing technologies and their effectiveness against real life applications.

Also, we look into one of GNUCITIZENs latest projects, The Technika Security Framework (TSF), which will enable users to automate security testing directly from their browser.

David Kierznowski currently works as a Senior Security Analyst for a leading penetration testing company in the UK. He has worked in the security industry for the past 6 years. David is also the founder of both michaeldaw.org and blogsecurity.net and is an active member of the GNUCITIZEN group.

OWASP Pantera Unleashed (Simon Roses Femerling)
Download presentation.

The presentation will provide a glimpse into what Pantera can offer when performing blackbox web assessments. In the age of Web 2.0 we need powerful tools that provide us rich and accurate information and allows us to manipulate that information into our advantage, that's what Pantera is all about.

Simon Roses Femerling is a Security Technologist at the ACE Team at Microsoft. Former PwC and @Stake. He has many years of security experience where he has authored and cooperated in several security Open Source projects and advisories. Simon is natural from wonderful Mallorca Island in the Mediterranean Sea. He holds a postgraduate in E-Commerce from Harvard University and a B.S. from Suffolk University at Boston, Massachusetts.

CLASP, SDL and Touchpoints Compared (Bart De Win)
Download presentation.

Over the years, specific methodologies and techniques for secure software engineering have been proposed, yet dedicated processes have become available only recently. In this presentation, the highlights of an activity-driven comparison of three high-profile processes for the development of secure software are presented.

Bart De Win is a postdoctoral researcher in the research group DistriNet, Department of Computer Science at the Katholieke Universiteit Leuven. His research interests are in secure software engineering, including software development processes, aspect-oriented software development and model driven security.

Threats of e-insecurity in Belgium and the Belgian response (Luc Beirens, FCCU)
Download presentation.

The presentation will give a short overview of the actual threats on the e-society in Belgium. How are public and private sector organized (or not) to tacle the different problems ? What are the tasks of the police within this framework ?

Since 1991, chief superintendent Luc Beirens is engaged in computer forensics and cyber crime investigations. He is head of the Federal Computer Crime Unit of the Federal Police since 2001. Aside consulting his detectives in current cyber crime investigations, he is responsible for the reorganization, the equipment and the training of Belgian police services concerned with cyber crime investigations. As member of the European Working Party on Information Technology Crime (EWPITC) of Interpol since 1995 and the EUROPOL cyber crime expert group since 2001, he has cooperated in writing several documents concerning computer forensics and cyber crime investigations. He lectures in these fields at several police academies and universities. His is involved in several organizations and platforms that are concerned with e-security, ICT forensics and cyber crime combating. Before his detective career, he has worked from 1987 till 1995 as analyst and project manager on the development of the Police Information System of the Belgian Gendarmerie. He holds master degrees in criminology and information technology.

For my next trick... hacking Web2.0 (pdp)
Download presentation.

Web2.0, if I can summarize it with a few simple words, is all about communication, distribution, information, agents, clients and servers. Those who understand the 2.0 fundamentals have the power to manipulate the global Web to suit their needs - hackers, the new digital breed of the 2.0 world. Web2.0 hacking is a mean for communicating and distributing critical information in a better way. It can be used to build ghost infrastructures from where to launch attacks - anonymously, no traces, nothing. Web2.0 hacking is also about the thin line between client-side and server-side security. It is about the endpoints and the electronic highways. It is about reaching the masses and yet being able to perform attacks on specific targets. Web2.0 hacking is also about distribution and influence, covert channels, bots, IA, ghosts inside the electronic frame. Web2.0 hacking is also a movement, a cyber subculture where individuals show their technical abilities, and understandings of the world and use that to manipulate their way through the system.

Web2.0 hacking practices should never be related to AJAX and JavaScript exploitation techniques only. Although it is true that client-side security has a significant part of the Web2.0 ecosystem, it is important to realize its role. There are far too many other aspects that we need to look into. My aim is to cover these aspects and reveal the hidden dangers.

Petko D. Petkov, a.k.a pdp (architect), is the founder and leading contributer of the GNUCITIZEN group. He is a senior IT security consultant based in London, UK. His day-to-day work involves identifying vulnerabilities, building attack strategies and creating attack tools and penetration testing infrastructures. Petko is known in the underground circles as pdp or architect but his name is well known in the IT security industry for his strong technical background and creative thinking. He has been working for some of the world's top companies, providing consultancy on the latest security vulnerabilities and attack technologies.

Chapter Meeting (Brussels, 22-June-2007)
During an extra edition we brought you 2 big names in web application security. F5 Networks sponsored Ivan Ristic and Dinis Cruz to come to Brussels on Friday 22nd of June to bring you hot items from the last conference in Italy last May (agenda with presentations online).

We also had the skipped presentation of last time: Hillar Leoste from Zone-H will provided us with an update on defacements in the BE domain for last year.

WHEN
Friday 22nd of June 2007

WHERE
Deloitte sponsored the venue, drinks and snacks: Location: Deloite Diegem

PROGRAM
OWASP Update 
 * 18h00 - 18h20: Welcome, coffee & sandwiches
 * 18h20 - 18h40: Sebastien Deleersnyder
 * 18h40 - 19h00: Hillar Leoste (Zone-H)
 * 19h00 – 20h00: Ivan Ristic, Chief Evangelist, Breach Security
 * Ivan Ristic is the creator of ModSecurity (an open source web application firewall and intrusion detection/prevention engine). Ivan also wrote Apache Security for O'Reilly, a web security guide for administrators, system architects, and programmers.
 * For more info, see Anurag Agarwal’s reflection on Ivan Ristic.


 * Presentation + A discussion of how weird the web application security world has become


 * 20h00 - 20h15: break
 * 20h15 - 21h15: Dinis Cruz, Chief Owasp Evangelist
 * Dinis Cruz is a renowned application security expert who is passionate about training developers to move beyond the ‘comfort zone’ of standard ASP.NET development and into the world of advanced security aware development with the aim of making the Web Applications as secure as possible against malware and malicious hackers. Dinis is also the project leader for the OWASP .Net Project and the and the main developer of several of OWASP .Net tools (SAM’SHE, ANBS, SiteGenerator, PenTest Reporter, ASP.Net Reflector, Online IIS Metabase Explorer). author of many Open Source security tools (see http://www.owasp.org/index.php/.Net).

Buffer Overflows on .Net and Asp.Net<BR>
 * One of the common myths about the .Net Framework is that it is immune to Buffer Overflows. Although this might be correct in pure managed and verifiable .Net code, large percentage of .Net and Asp.Net applications code is unmanaged code. In this talk Dinis will show the areas in .Net and Asp.Net applications that are vulnerable to Buffer Overflows (including the demo of a .Net Buffer Overflow Fuzzer).

Meeting Notes OWASP Chapter Meeting (Leuven, 10-May-2007)
WHEN May 10th 2007 WHERE ps_testware sponsored the venue: <BR> Location: Kasteel de Bunswyck, Tiensesteenweg 343, 3010 Leuven. <BR> You can find a map and itinary online. PROGRAM <BR>  (Presentation + Discussion)
 * 18h00 - 18h20: Welcome, coffee & sandwiches<BR>
 * 18h20 - 18h40: Sebastien Deleersnyder<BR>
 * 18h40 - 20h00: Jos Dumortier<BR>
 * Jos Dumortier discussed important questions such as:
 * How far can you go if you want to ‘test’ the security of a web site?
 * How much application security can you contractually demand for when you outsource your application development?
 * Who is legally responsible when you personal data is exposed through hacking activity in Belgium?
 * Jos Dumortier is Of Counsel in the ICT and e-Business department of Lawfort. He is also Professor of Law at the Faculty of Law (K.U.Leuven) and Director of the Interdisciplinary Centre for Law and Information Technology (http://www.icri.be).

 (Presentation + Discussion)<BR>
 * 20h00 - 20h15: break
 * 20h15 - 21h15: Lieven Desmet<BR>
 * Several research tracks focus on tools and techniques to verify or guarantee the absence of implementation bugs in web applications, either at compile-time or at run-time. By guaranteeing the absence of certain implementation bugs, the reliability and security of the application can be improved. In this presentation, we will focus on the absence of implementation bugs due to broken data dependencies.
 * Web applications typically share non-persistent session data between different parts of the application, e.g. a shopping cart in a e-commerce application. By doing so, implicit dependencies arise between the different parts of the application, and breaking these dependencies in an application may result in information leakage of erroneous behavior.
 * In our research, we explicitly model dependencies between components that indirectly share data. Next, we verify that in a given composition these dependencies are not broken by applying a combination of static verification and dynamic checking (e.g. by using a Web Application Firewall).
 * We validated the presented approach in two existing applications: a Struts-based, open-source webmail application (GatorMail) and an e-commerce site (Duke's BookStore from the J2EE 1.4 tutorial).


 * Lieven Desmet Lieven Desmet was born on January 16, 1979 in Roeselare. He received a Bachelor of Applied Sciences and Engineering degree and graduated magna cum laude in Master of Applied Sciences and Engineering: Computer Science from the Katholieke Universiteit Leuven in July 2002.
 * He started working as a Ph.D. student at the DistriNet (Distributed systems and computer Networks) research group of the Department of Computer Science at the Katholieke Universiteit Leuven. Within DistriNet, he was active in both the networking and security task forces. Lieven received his PhD on software security in January 2007 and is currently active as a post-doctoral security researcher within DistriNet.

OWASP Top 10 2007 Update (Infosecurity Belgium, 21 & &22 Mar 2007)
Seba presented the 2007 OWASP Top 10 (currently available as OWASP Top 10 2007 RC1) on the Infosecurity event in Belgium on the 21st and 22nd of March 2007. <BR>

The presentation is uploaded on:. <BR>

Meeting Notes OWASP Chapter Meeting (Brussels, 23-Jan-2007)
WHEN January 23rd 2007 WHERE Ernst&Young Offices (Business Centre) in Brussels. Parking places are available at nr 216.<BR> Here you can find. PROGRAM <BR> <BR> The OWASP presentation will shed a light on WEBGOAT and the Pantera Web Assessment Studio Project. Both OWASP projects will be covered and illustrated with a live demo, with a special focus on Webgoat and web services. <BR>        Presentation + Discussion?<BR> Philippe Bogaerts is an independent consultant specialized in network and application security testing, web application and XML firewalls.<BR> '''<BR> Over the last decade, Aspect Oriented Programming (AOP), a development paradigm that focuses on improving the modularisation of crosscutting concerns, has received a great deal of attention from the academic as well as from the industrial community. In the context of secure software development, AOP has been shown to bring a number of benefits, at least from a software engineering perspective. From a security perspective, the characteristics of AOP have been studied less. One of the key questions at this moment is whether we can really use AOP to build \emph{secure} software ?<BR> In this presentation we will address this key question by elaborating on a number of security implications of AOP. Risks will be shown to originate from the core concepts of AOP, as well as from tool-specific implementation strategies (with a specific focus on AspectJ). The presentation will be concluded by indicating how these risks could be mitigated, both from a theoretical and from a practical perspective.<BR> Presentation + Discussion?<BR> Bart De Win is a postdoctoral researcher in the research group DistriNet, Department of Computer Science at the Katholieke Universiteit Leuven. His research interests are in secure software engineering, including software development processes, aspect-oriented software development and model driven security. <BR>
 * 18h00 - 18h30: Welcome, get drink & sandwiches?<BR>
 * 18h20 - 18h40: Sebastien Deleersnyder<BR>
 * 18h45 – 19h45: Philippe Bogaerts<BR>
 * 19h45 - 20h00: break<BR>
 * 20h00 - 21h00: Bart De Win<BR>