Belgium

Local News
OWASP members get 10% dicount on the 2011 SecAppDev course.

On Dec 1-2 we organized the OWASP BeNeLux days together with the chapters of he Netherlands and Luxembourg. You can download the presentations on the BeNeLux OWASP Day 2010 page.

The presentations from September 21st in Leuven with Samy (is my hero) Kamkar and Justin Searle are online.

Happy holiday season and see you next year!

Structural Sponsors 2010
OWASP Member affiliated to the Belgium chapter:

OWASP Belgium thanks its structural chapter supporters for 2010 and the OWASP BeNeLux Day 2010:

http://www.owasp.org/images/7/7e/50px-F5_50px.jpg http://www.owasp.org/images/e/e6/Zionsecurity.jpg http://www.owasp.org/images/8/82/Rad_logo.gif http://www.owasp.org/images/d/df/SAIT_Zenitel.jpg

If you want to support our chapter, please contact [mailto:seba@owasp.org Seba Deleersnyder]

Belgium

WHEN
March 1st 2011 18h-21h30

WHERE
Hosted by Distrinet Research Group (K.U.Leuven).

Address: Department of Computer Science (auditorium 00.225) Celestijnenlaan 200 A 3001 Heverlee

Routemap: http://distrinet.cs.kuleuven.be/about/route/

PROGRAM
The agenda:


 * 18h00 - 18h30: Welcome &amp; Sandwiches
 * 18h30 - 18h45: OWASP Update (by Sebastien Deleersnyder, SAIT Zenitel, OWASP Board)
 * 18h45 - 19h45: The Thinking Person's Guide to the Cloud. HOWTO: Keep your head in the clouds and your feet on the ground (by Gunnar Peterson, Arctec Group)
 * “Everything we think of as a computer today is really just a device that connects to the big computer that we are all collectively building"-Tim O'Reilly
 * My friend Chris Hoff asked this question in a recent podcast - "why is the OWASP Top Ten the same year after year? why don't these things gets fixed?"[1]. The reason is that software security and security architecture and design is nowhere near as a high priority as it needs to be.
 * If you look at the evolution of software over the years, you will see a history of more and more systems and data being connected together. Beginning with the Web through to component based application and then to Web services, at each step the common theme is more connectivity, more integration. Software is a rapidly changing universe
 * Unfortunately, Information Security has not kept up. Our field started out promisingly in the mid-90s with network firewalls and SSL for security mechanisms to defend websites, but that is about as far it got. In 1999 when SOAP emerged as a firewall-friendly protocol designed for the explicit reason to go through the firewall, that should have been a wake up call to Information Security that the "firewall + SSL" security architecture was past its prime, but here 10 years later we are still hitting the snooze button.
 * My view is that as technology is deployed we need security mechanisms that form fit to those new technologies, instead what we have is security technologies that form fit to auditor's excel spreadsheets.
 * Gunnar Peterson is a Managing Principal at Arctec Group. He is focused on distributed systems security for large mission critical financial, financial exchanges, healthcare, manufacturer, and insurance systems, as well as emerging start ups. Mr. Peterson is an internationally  recognized software security expert, frequently published, an Associate Editor for IEEE Security & Privacy Journal on Building Security In, a contributor to the SEI and DHS Build   Security In portal on software security, a Visiting Scientist at Carnegie Mellon Software Engineering Institute, and an in-demand speaker at security conferences. He maintains a popular informationsecurity blog at http://1raindrop.typepad.com.


 * 19h45 - 20h00: Break
 * 20h00 - 21h30: Threat modeling (by John Steven)
 * How will attackers break your web application? How much security testing is enough? Do I have to worry about insiders? Threat modeling, applied with a risk management approach can answer both of these questions if done correctly. This talk will present advanced threat modeling step-wise through examples and exercises using the Java EE platform and focusing on authentication, authorization, and session management. Participants will learn, through interactive exercise on real software architectures, how to use diagramming techniques to explicitly document threats their applications face, identify how assets worth protecting manifest themselves within the system, and enumerate the attack vectors these threats take advantage of. Participants will then engage in secure design activities, learning how to use the threat model to specify compensating controls for specified attack vectors. Finally, we'll discuss how the model can drive security testing and validate an application resists specified attack.
 * John Steven is Senior Director of Advanced Technology Consulting at Cigital with over a decade of hands-on experience in software security. John's expertise runs the gamut of software security from threat modeling and architectural risk analysis, through static analysis (with an emphasis on automation), to security testing. As a consultant, John has provided strategic direction as a trusted adviser to many multi-national corporations. John's keen interest in automation keeps Cigital technology at the cutting edge. He has served as co-editor of the Building Security In department of IEEE Security & Privacy magazine and speaks with regularity at conferences and trade shows. John holds a B.S. in Computer Engineering and an M.S. in Computer Science both from Case Western Reserve University.
 * John leads the Virginia OWASP Northern Virginia (NoVA) chapter.

REGISTRATION
Please send a mail to Belgium 'at' owasp.org if you plan to attend.

WHEN
September 21st 2010 18h-20h

WHERE
Hosted by Distrinet Research Group (K.U.Leuven).

Pizza's sponsored by F5 Networks

Address: Department of Computer Science (auditorium 00.225) Celestijnenlaan 200 A 3001 Heverlee

Routemap: http://distrinet.cs.kuleuven.be/about/route/

PROGRAM
The agenda:


 * 18h00 - 18h30: Welcome &amp; Pizza's
 * 18h30 - 18h45: OWASP Update (by Sebastien Deleersnyder, SAIT Zenitel, OWASP Board)
 * 18h45 - 19h45: Attacking and Defending the Grid (by Justin Searle)
 * The Smart Grid brings greater benefits for utilities and customer alike, however these benefits come at a cost from a security perspective. This presentation will explore how the increased functionality and complexity also increases the Smart Grid's attack surface, or in other words, increases the ways attackers can compromise the Smart Grid's new infrastructures, systems, and business models.  We'll discuss several specific attack avenues against the Smart Grid and recommendations for mitigating or blocking these attacks.
 * Justin Searle, a Senior Security Analyst with InGuardians, specializing in the penetration testing of web applications, networks, and embedded devices. Justin currently leads the Smart Grid Security Architecture group of the CSWG (Cyber Security Work Group) for NIST (National Institute of Standards and Technologies) and is a member of ASAP-SG (Advanced Security Acceleration Project for the Smart Grid).  Previously, Justin served as JetBlue Airway’s IT Security Architect, and has taught courses in hacking techniques, forensics, networking, and intrusion detection for multiple universities and corporations.  Justin has presented at top security conferences including DEFCON, ToorCon, ShmooCon, and SANS.  Justin co-leads prominent open source projects including the Samurai Web Testing Framework, Middler, Yokoso!, and Laudnum.  Justin has an MBA in International Technology and is CISSP and SANS GIAC-certified in incident handling and hacker techniques (GCIH) and intrusion analysis (GCIA).


 * 19h45 - 20h00: Break
 * 20h00 - 21h00: How I Met Your Girlfriend (by Samy Kampkar)
 * The discovery and execution of entirely new classes of attacks executed from the Web in order to meet your girlfriend. This includes newly discovered attacks including HTML5 client-side XSS (without XSS hitting the server!), PHP session hijacking and weak random numbers (accurately guessing PHP session cookies), browser protocol confusion (turning a browser into an SMTP server), firewall and NAT penetration via Javascript (turning your router against you), remote iPhone Google Maps hijacking (iPhone penetration combined with HTTP man-in-the-middle), extracting extremely accurate geolocation information from a Web browser (not using IP geolocation), and more.
 * Samy Kamkar is best known for the Samy worm, the first XSS worm, infecting over one million users on MySpace in less than 24 hours. A co-founder of Fonality, Inc., an IP PBX company, Samy previously led the development of all top-level domain name server software and systems for Global Domains International (.ws).
 * In the past 10 years, Samy has focused on evolutionary and genetic algorithmic software development, Voice over IP software development, automated security and vulnerability research in network security, reverse engineering, and network gaming. When not strapped behind the Matrix, Samy can be found stunt driving, getting involved in local community service projects, and continuing his focus on staying out of jail.

WHEN
June 16th 2010 18h-20h

WHERE
Location was sponsored by Zenitel Belgium.

Location: Zenitel Belgium, Z.1. Research Park 110 – 1731 Zellik, Belgium (same building as http://www.u2u.net/Route.aspx)

PROGRAM
The agenda:


 * 18h00 - 18h30: Welcome &amp; Refreshments
 * 18h30 - 18h45: OWASP Update (by Sebastien Deleersnyder, Zenitel, OWASP Board)
 * 18h45 - 20h00: Advanced SQL Injection (by Joe McCray, Learn Security Online)
 * SQL Injection is a vulnerability that is often missed by web application security scanners, and it's a vulnerability that is often rated as NOT exploitable by security testers when it actually can be exploited. Advanced SQL Injection is a presentation geared toward showing security professionals advanced exploitation techniques for situations when you must prove to the customer the extent of compromise that is possible.
 * The key areas are:
 * Re-Enabling stored procedures
 * Old and new ways of obtaining an interactive command-shell
 * Data Exfiltration via DNS
 * IDS Evasion & Web Application Firewall Bypass
 * Privilege Escalation
 * Joe McCray has 10 years of experience in the security industry with a diverse background that includes network and web application penetration testing, forensics, training, and regulatory compliance. Joe is a frequent presenter at security conferences, and has taught Ethical Hacking and Web Application Security at Johns Hopkins University (JHU), University of Maryland Baltimore College (UMBC), and several other technical training centers across the country.

WHEN
June 1st 2010 18h-21h

WHERE
Location is sponsored by Cisco Belgium.

Location: Cisco, Pegasus Park, De Kleetlaan, 6A, B-1831 Diegem. See directions.

PROGRAM
The agenda:


 * 18h00 - 18h30: Welcome &amp; Refreshments
 * 18h30 - 18h45: OWASP Update (by Sebastien Deleersnyder, Zenitel, OWASP Board)
 * 19h00 - 20h00: The Belgian e-ID: hacker vs developer (by Erwin Geirnaert and Frank Cornelis)
 * Presentation + discussion: What can go wrong when implementing the Belgian eID in an unsecure way to authenticate a user? We will discuss the security issues, the problems with trust, SSL and some examples of a bad implementation. We will demo how to use WebScarab to intercept and change authentication data on the fly, impersonating somebody else.
 * To help developers to implement it correctly, we will give away best practices and a road map to do it properly using the new eID applet with entity authentication.
 * This presentation will be given by Frank Cornelis, Developer @ Fedict, who is responsible for the new eID applet and Erwin Geirnaert, co-founder & white-hat hacker @ ZION SECURITY, who has reviewed unsecure implementations of eID authentication


 * 20h00 - 20h15: Break
 * 20h15 - 21h15: Analyzing the Accuracy Of Web Application Scanners (by Larry Suto)
 * Presentation + discussion: Analyzing the Accuracy Of Web Application Scanners
 * This talk summarizes my recent study related to benchmarking a set of web application scanners against target test sites constructed by the scanner vendors themselves. I will review the methodology and some of the challenges that were faced as the tests were conducted. I have received some interesting feedback from the vendors and the security community. This new information will be integrated into the presentation. The controversial nature of "Point and Shoot" and "Trained" scanning will be addressed and scanning issues related to cloud computing/SaaS will be covered. The presentation will cover some thoughts on open source scanners such as Skipfish and W3AF. Finally I will go into the ideas for another round of testing and the possibility of soliciting target apps from the community.
 * Larry Suto is an application security consultant based in the San Francisco Bay Area. He is focused on software security analysis and the testing the effectiveness of software security tools.

WHEN
Monday, February 1th, 2010 (18h00pm-21h00pm), together with ISSA Belgium.

WHERE
Location sponsored by Ernst&amp;Young's Information Security Team. address: De Kleetlaan 2, 1831 Diegem (Route + Google Maps)

PROGRAM
The agenda:


 * 18h00 - 18h30: Welcome &amp; Refreshments
 * 18h30 - 18h45: OWASP Update (by Sebastien Deleersnyder, Zenitel, OWASP Board)
 * 18h45 - 19h00: ISSA Update (by Bart Moerman, ISSA)
 * 19h00 - 20h00: GreenSQL: an Open Source database firewall (by Yuli Stremovsky, VP of Research and Development at GreenSQL)


 * Presentation + discussion: GreenSQL, an open source database security solution, is available for three years. With the release of version 1.2 GreenSQL started providing support to PostgreSQL besides MySQL. GreenSQL provides a reverse proxy solution to SQL statements and during the reverse proxy process provides several security mechanisms. The lecture will focus on the latest version of GreenSQL and the solution for SQL injection and other attacks.
 * Yuli Stremovsky is a database security expert. He is responsible for design, development of novel database protection solution - GreenSQL. He is an experienced security consultant that worked for a number of leading financial institutions, telecom and health service companies. In the past, he was also involved in software development in a number of start-up companies including development of the security products.


 * 20h00 - 20h15: Break
 * 20h15 - 21h15: MOBILE MALWARE NOW AND IN THE FUTURE (by Mikko Hypponen, Chief Research Officer at F-Secure Corp)


 * Presentation + discussion:
 * Mobile Platforms
 * Situation 2005-2009
 * Current threats
 * Case: The Ikee / Duh botnet on jailbroken iPhones
 * Case: Android banking trojans
 * Future scenarios
 * How to fight content security problems in mobile world?
 * Mikko Hypponen is the Chief Research Officer for F-Secure. He has worked with F-Secure since 1991 and has led his team through the biggest malware outbreaks in history. Mr. Hypponen has assisted law enforcment in USA, Europe and Asia on cybercrime cases. He has written for magazines such as Scientific American, Foreign Policy and Virus Bulletin.

REGISTRATION
There are only 100 seats available (first register, first serve)! Please send a mail to Belgium 'at' owasp.org if you plan to attend.

Past Events

 * Events held in 2009
 * Events held in 2008
 * Events held in 2007
 * Events held in 2006
 * Events held in 2005

Belgium OWASP Chapter Leaders
The BeLux Chapter is supported by the following board:


 * Erwin Geirnaert, Zion Security
 * Philippe Bogaerts, F5
 * André Mariën, Inno.com
 * Lieven Desmet, K.U.Leuven
 * Joël Quinet, Telindus
 * Sebastien Deleersnyder, Zenitel
 * Bart De Win, Ascure

Our goal is to professionalize the local OWASP functioning, provide in a bigger footprint to detect OWASP opportunities such as speakers/topics/sponsors/… and set a 5 year target on: Target audiences, Different events and Interactions of OWASP global – local projects.