Belgium Events 2008

These are the 2008 events of the OWASP Belgium Chapter.

Previous year: 2007. Next year: 2009.

WHEN
Monday, November 17th, 2008 (18h00pm-21h00pm)

WHERE
Location was sponsored by Isabel, the catering was sponsored by ISSA

address: Isabel S.A./NV Putterijstraat 22 Rue de la Putterie, 1000 Brussels Routemap: Route Google Maps Link

PROGRAM
The agenda:


 * 18h00 - 18h30: Welcome & Refreshments
 * 18h30 - 19h00: OWASP / ISSA introduction (by Philippe Bogaerts, OWASP Belgium and Bart Moerman, ISSA Brussels-European Chapter)
 * 19h00 - 20h00: Risky PDF  (by Didier Stevens, Contraste Europe)
 * download presentation
 * Presentation + discussion: The Portable Document Format (PDF) is a file format created by Adobe for document exchange. The extensive features of this powerful page description language offer opportunities for malicious use. Using this file format exposes your organisation to particular security risks. SPAM and malware using PDF as a vector are not the sole risks that the Portable Document Format brings you. Lesser-known risks include phishing, information disclosure and copyright infringement. After a brief introduction to the structure of a PDF document, we will discuss the many risks associated with PDFs and show how to mitigate said risks.
 * Didier Stevens Didier Stevens (CISSP, GSSP-C, MCSE/Security, ...) is an IT Security Consultant currently working at a large Belgian financial corporation. He is employed by Contraste Europe NV, an IT Consulting Services company. Didier blogs at http://blog.didierstevens.com


 * 20h00 - 21h00: .NET Rootkits - Backdoors Inside Your Framework (by Erez Metula, 2BSecure)
 * download presentation
 * Presentation + discussion: It is considered relatively easy to reverse engineer compiled .NET EXE's and DLL's. This is a well known fact. But what happens if we will use this fact to reverse engineer and modify .NET Framework DLL's and recompile the code..? We can change the .NET language! Erez Metula will expose the methods required to modify the Framework, and how to bypass its own protection mechanisms. We will see how it is possible to write rootkits for the framework, that will enable the attacker to install a reverse shell inside the framework, to steal valuable information, to fixate encryption keys, disable security checks and more. In addition, a new tool (".NET-Sploit") for building MSIL rootkits will be released that will enable the user to inject preloaded/custom payload to the Framework core DLL.
 * Agenda:
 * Introduction .NET execution model & .NET reverse engineering
 * Modifying the Framework core
 * Function injection
 * Installing backdoors and root kits
 * Automating the process with .NET-Sploit
 * Things to consider when injecting
 * Presentation abstract online by Erez: http://www.applicationsecurity.co.il/.NET-Framework-Rootkits.aspx
 * Erez Metula is a senior application security consultant, working as the application security department manager at 2BSecure. He has extensive hands-on experience performing security assessments, secure development consulting & training for clients in Israel and abroad such as banks, financial organizations, military, software development companies, telecom, and more. Erez is also a leading instructor for many information security training, especially on secure software development methodologies & techniques. He had lectured on advanced .NET security (and other development platforms) for worldwide organizations and is constant speaker for conferences such as Microsoft .NET Security User Group, OWASP (Open Web Application Security Project), and more. He holds a CISSP certification and is toward graduation of Msc in computer science.

REGISTRATION
Please send a mail to Belgium 'at' owasp.org if you plan to attend, so we can size the venue appropriately and keep you updated on last-minute changes.

WHEN
Thursday, October 23rd, 2008 (18h00pm-21h00pm)

WHERE
Location was sponsored by RealDolmen

adres: Industriezone Zenneveld A. Vaucampslaan 42 1654 Huizingen Google Maps Link

PROGRAM
The agenda:


 * 18h00 - 18h30: Welcome & Refreshments
 * 18h30 - 19h00: OWASP Update (by Sebastien Deleersnyder, OWASP Belgium)
 * 19h00 - 20h00: Building a tool for Security consultants: A story of a customized source code scanner  (by Dinis Cruz, OWASP)
 * Presentation + discussion:
 * Dinis Cruz Dinis Cruz is a Security Consultant based in London (UK) and specialized in: ASP.NET Application Security, Active Directory deployments, Application Security audits and .NET Security Curriculum Development. Dinis is also Chief OWASP Evangelist!


 * 20h00 - 21h00: Logging: not just a good idea (download) (by Eddy Vanlerberghe)
 * Presentation + discussion: During the design and implementation of applications, logging is often not considered to be a vital factor in the overall security, but merely one of the tools of the trade used by developers so that runtime errors can easily be traced to their root cause in the application source. As a result, lack of decent security logs usually becomes clear when they are needed the most: when an incident has occurred. Incidents where logging plays a crucial role could be disputes over whether or not a customer issued a certain transaction (non-repudiation), intruders have compromised bank accounts (forensic investigation) or even foil an ongoing attack when suspicious traffic is being registered (e.g. lock out IP addresses of suspected attackers) This presentation will handle different aspects of what constitutes secure application logging: what to log, when to log, access to log information etc.
 * Eddy Vanlerberghe has extensive experience as a developer. He has been involved in development of commercial Internet Web applications since 1996. In 1999 he joined the company Netvision, which was first renamed to Ubizen and even later the company became Cybertrust. In 2007 the company was acquired by VerizonBusiness. Mr. Vanlerberghe was part of the development teams for security related products like ETS Multisecure, EasyPayment and the web application level firewall DMZShield. Since 2005 he has been part of the Application Security team where he was involved in all aspects of application security.

WHEN
Monday, April 21st, 2008 (16h30pm-19h30pm)

WHERE
Location: Centre de Recherche Public Henri Tudor

29, Avenue John F.Kennedy

L-1855 Luxembourg-Kirchberg

Download the access plan online.

PROGRAM
The agenda:


 * 16h00 - 16h30: Welcome & Sandwiches
 * 16h30 - 17h00: OWASP Introduction (by Sebastien Deleersnyder, OWASP BeLux)
 * 17h00 - 18h00: How to break Web Applications  (by Philippe Bogaerts, NetAppSec)
 * Presentation + discussion:Web applications are riddled with vulnerabilities. Philippe will provide an overview of the most common web application security problems and how to exploit them.
 * Philippe Bogaerts is an independent consultant specialized in network and application security testing, web application and XML firewalls.


 * 18h00 - 18h15: break
 * 18h15 - 19h15: How to secure Web Applications (the OWASP Way): (by Sebastien Deleersnyder, Telindus)
 * Presentation + discussion: There is no silver bullet when it comes to securing web applications. This problem has to be addressed from different angles, covering the involved actors, processes (development as well as deployment) and Technologies.
 * Sebastien Deleersnyder is responsible for the Telindus Application Security solutions. Sebastien has 5 years of development and 7 years of information security experience and is now specialized in application security. He started the Belgian OWASP Chapter and performed several public presentations on Web Application and Web Services Security.

WHEN
Wednesday, April 9th, 2008 (18h00-20h30)

WHERE
Location: Deloitte Diegem,

PROGRAM
The agenda:


 * 18h00 - 18h30: Welcome & Sandwiches
 * 18h30 - 18h40: OWASP Update (by Sebastien Deleersnyder, OWASP BeLux)
 * 18h40 - 20h30: Exploiting Oracle databases via the Web (by Alexander Kornbrust, Red Database Security GmbH)
 * Presentation + discussion
 * Alexander Kornbrust is the founder and CEO of Red-Database-Security GmbH, a company specialized in Oracle security. Red-Database-Security is one of the leading companies in Oracle security. He is responsible for Oracle security audits and Oracle anti-hacker trainings and gave various presentations on security conferences like Black Hat, Bluehat, IT Underground. Alexander Kornbrust has worked with Oracle products as an Oracle DBA and Oracle developer since 1992. During the last years, Alexander has found over 220 security bugs in different Oracle products.

WHEN
Thursday, March 20th, 2008 (15h00pm-16h00pm) in Room 2 of the Seminar Program

TOPIC: Web hacks of 2007 and how to protect your web applications in 2008 with OWASP
Presentation is online now.

The Open Web Application Security Project (OWASP) is a worldwide free and open community focused on improving the security of application software. Our mission is to make application security "visible," so that people and organizations can make informed decisions about application security risks.

First an overview of the major web hacks of 2007 will be given, including XSS Vulnerabilities in Common Shockwave Flash Files, Universal XSS in Adobe’s Acrobat Reader Plugin, Firefoxurl URI Handler Flaw, Anti-DNS Pinning ( DNS Rebinding ), Port Scan without JavaScript, …

Then some important OWASP projects are described, covering the OWASP Guide, the OWASP Top Ten, OWASP WebGoat, OWASP CLASP, OWASP WebScarab, OWASP Testing and OWASP Code Review. Using and improving these OWASP solution will aid organisations to prevent 2008 from being as bad as 2007.

Speaker: Sebastien Deleersnyder

Sebastien Deleersnyder started the successful Belgian OWASP Chapter and performed several public presentations on web application and web services security. Sebastien specialises in (web) application security, combining his application development and information security experience. He is currently OWASP board member and responsible for the Telindus, Belgacom ICT application security offering.

WHEN
Tuesday, March 4th, 2008 (18pm-21pm)

WHERE
Distrinet Research Group, Katholieke Universiteit Leuven sponsored the venue

Location: Department of Computer Science (auditorium 00.225) Celestijnenlaan 200 A, 3001 Heverlee

PROGRAM
The agenda:

OWASP Update
 * 18h00 - 18h30: Welcome, Refreshments and drinks<BR>
 * 18h30 - 18h45: Sebastien Deleersnyder, OWASP BeLux<BR>
 * 18h45 - 19h00: Kenneth Van Wyck,, KRvW Associates<BR>
 * CAcert.org and Thawte<BR>
 * If you're using either of these free x.509 certificate services, and are still trying to get the 50 assurance points necessary to have your real name on your certificates, stop by with two forms of government-issued ID (and photocopies, if using Thawte -- not necessary for CAcert). Ken will be happy to help out with either/both 10 Thawte points or 35 CAcert points.  No charge, of course.
 * If you also are a Thawte or CAcert.org notary, you can help by adding your points to Ken's and thereby allowing other attendees to obtain all the assurance points needed in one swift swoop.


 * 19h00 - 20h00: Ken Van Wyk, KRvW Associates<BR>
 * Development life cycle issues
 * Several secure software development processes have been published in the past few years. These include Microsoft's Secure Development Lifecycle, Cigital's "Touchpoints", and OWASP's own CLASP project. Which one is right for your organization, or would your needs be best  served by taking the best of each and coming up with "your own"  process?  In this talk, we'll compare and contrast each of these  approaches and talk about the practical aspects of putting them to  maximum use, including pitfalls to avoid.
 * Ken Van Wyk Ken van Wyk, has over 20 years of professional experience in IT Security and has worked at Carnegie Mellon University's CERT®, the U.S. Department of Defense, SAIC and Para-Protect. Co-author of two popular O'Reilly books, Incident Response: Planning & Management and Secure Coding: Principles and Practices, Ken also writes a monthly column for IT Security on-line news portal, eSecurityPlanet. He is one of the founders of the Carnegie Mellon CERT/CC, and a much sought after lecturer on security technology. He is a partner at KRvW Associates.


 * 20h00 - 20h15: break
 * 20h15 - 21h15: Bart De Win, DistriNet, K.U.Leuven<BR>
 * Structural improvements for SDLs<BR>
 * Based on an extensive study and comparison of a number of secure software development processes (the results of which have been presented during the Belgium OWASP day last year), we have identified a number of structural improvements for these processes. In this talk, I will present these improvements from a general perspective, give hints on how they could be addressed and I will elaborate on some of them (e.g., the integration of security principles in a process) in more detail with results of ongoing research.
 * Bart De Win Bart De Win is a postdoctoral researcher in the DistriNet research group at the Department of Computer Science, Katholieke Universiteit Leuven. His research focuses on secure software engineering, including software development processes, aspect-oriented software development and model-driven security. Bart has served on the organizing and program committees of several international secure software engineering workshops.