Belgium

Local News

Please block your agendas on September 15 18h-21h for the next OWASP chapter meeting. We will have Shreeraj Shah on "Hacking Web 2.0 Streams – Cross Domain Injection and Exploits"

Structural Sponsors 2008-2009
OWASP BeLux would like to thank the following organizations for sponsoring this chapter. If you are interested in sponsoring the Belgium chapter please contact seba 'at' owasp.org.


WHEN
Wednesday, March 4th, 2009 (18h00-21h00)

WHERE
Location is sponsored by Telindus, Belgacom-ICT. Address: Geldenaaksebaan 335, B-3001 Heverlee (Route + Google Maps)

PROGRAM
The agenda:

 * 18h00 - 18h30: Welcome & Refreshments
 * 18h30 - 18h45: OWASP Update (by Sebastien Deleersnyder, Telindus, OWASP Board)
 * 18h45 - 20h45: A Software Security Maturity Model (by Gary McGraw, CTO of Cigital)
 * Presentation + discussion: As a discipline, software security has made great progress over the last decade. There are now at least 23 large-scale software security initiatives underway in enterprises including global financial services firms, independent software vendors, defense organizations, and other verticals. In 2008, Brian Chess, Sammy Migues and I interviewed the executives running nine initiatives using the twelve practices of the Software Security Framework as our guide. The resulting data, drawn from real programs at different levels of maturity, was used to guide the construction of a Software Security Maturity Model. This talk will describe the maturity model, drawing examples from many real software security programs. A maturity model is appropriate because improving software security almost always means changing the way an organization works: people, process, and automation are all required. While not all organizations need to achieve the same security goals, all successful large-scale software security initiatives share common ideas and approaches. Whether you rely on the Cigital Touchpoints, Microsoft's SDL, or OWASP CLASP, there is much to learn from practical experience. Use the software security maturity model to determine where you stand and what kind of software security plan will work best for you.
 * Gary McGraw (aka gem) is the CTO of Cigital, Inc., a software security and quality consulting firm with headquarters in the Washington, D.C. area. He is a globally recognized authority on software security and the author of six best-selling books on this topic. The latest, Exploiting Online Games, was released in 2007. His other titles include Java Security, Building Secure Software, Exploiting Software, and Software Security; and he is editor of the Addison-Wesley Software Security series. Dr. McGraw has also written over 90 peer-reviewed scientific publications, authors a monthly security column for darkreading.com, and is frequently quoted in the press. Besides serving as a strategic counselor for top business and IT executives, Gary is on the Advisory Boards of Fortify Software and Raven White. His dual PhD is in Cognitive Science and Computer Science from Indiana University, where he serves on the Dean's Advisory Council for the School of Informatics. Gary is an IEEE Computer Society Board of Governors member and produces the monthly Silver Bullet Security Podcast for IEEE Security & Privacy magazine.

REGISTRATION
Please send a mail to Belgium 'at' owasp.org if you plan to attend, so we can size the venue appropriately and keep you updated on last-minute changes.

Previous Meeting (Feb-4-2009) in Brussels
Blog posts by security4all and rootshell

WHEN
Wednesday, February 4th, 2009 (18h00-21h00)

WHERE
Location was sponsored by Ernst & Young's Information Security Team. Address: De Kleetlaan 2, 1831 Diegem (Route + Google Maps)

PROGRAM
The agenda:

 * 18h00 - 18h30: Welcome & Refreshments
 * 18h30 - 18h40: OWASP Update (by Sebastien Deleersnyder, Telindus, OWASP Board)
 * 18h40 - 19h30: Best Practices Guide Web Application Firewalls (by Alexander Meisel, CTO and founder of Art of Defence)
 * Presentation + discussion: The OWASP German chapter has put together a paper to give a better understanding of how and where Web Application Firewalls should be used.
 * Alexander Meisel is CTO and founder of Art of Defence. He is in charge of product development, professional services and support. His interest and expertise in the area of security dates back to his thesis, in which he wrote about avoiding and tracing distributed denial-of-service attacks. He worked for a Swiss IT service provider as a Web security expert; later he joined LINX, Europe's largest Internet exchange, where he took care of member network security issues. After working for three years as a senior consultant designing and implementing large Web farms, including security audits with a leading producer of web servers, Alexander switched to an SPX Corporation company, where he was the main project manager for Web application solutions in the SAP area.


 * 19h30 - 20h00: I thought you were my friend - Evil Markup, browser issues and other obscurities (by Mario Heiderich)
 * Presentation: This talk is a preview of the upcoming Poland talk (still in selection process). The talk will cover a short exegesis of how and where browser vendors talk about security, and what can be seen from a security professional's perspective. The ratio between the growth of new browser technologies and the amount of time for developers to learn working with them could turn out to be a problem, especially when knowing that today's browsers support a vast amount of lost treasures. Amongst them are various XML quirks, data islands, SVG fonts etc., which make it hard to protect rich web applications. Surprising but true: several of the most recent in-the-wild browser exploits were possible due to those legacy features, like the IE6-8 code execution flaw. Reason enough to dive into a collection of weird techniques and standards exposing attack vectors and scenarios that WAF systems and filters might have some trouble with. The talk also shows some issues regarding IE8 and Opera 10, as well as current Firefox versions. The conclusion of the talk features an overview of what we can expect during the next months, and ways for developers and related parties to deal with those security risks.
 * Mario Heiderich is a Cologne-based CTO for an online enterprise based in Cologne and New York. He was a visitor and speaker at several OWASP conferences, maintains the PHPIDS and other security-related projects, and recently authored a German book on Web Security together with Christian Matthies, fukami and Johannes Dahse. He is currently into browser security and digging into the HTML5 specifications.


 * 20h00 - 20h10: Break
 * 20h10 - 21h00: Research on Belgian bank trojan attacks (by Richard Bennett, software consultant)
 * Presentation + discussion: Richard will present results of his research on trojans attacking customers of Belgian banks.
 * The paper summarizes the following aspects:
   * What are these 'Banking Trojans'?
   * Who creates them and why?
   * What kind of infrastructure are they using?
   * Which banks and organizations are they targeting?
   * How do these trojans affect the target PC, and how are they spread?
   * How can they be detected and removed?
   * What are the risks to banking and e-commerce?
   * What are the CBFA's updated 2009 recommendations, and do they make sense?
   * How can we further mitigate this risk?
 * It is quite a high-level paper, aimed to be used as input and context during a risk analysis.
 * The PDF will be made available shortly.
 * Richard Bennett is an OWASP member and consultant with Elmos NV, currently working for a Belgian business bank as test and QA engineer.

Past Events

 * Events held in 2008
 * Events held in 2007
 * Events held in 2006
 * Events held in 2005

Belgium OWASP Chapter Leaders
The BeLux Chapter is supported by the following board. Our goal is to professionalize the local OWASP functioning, provide a bigger footprint to detect OWASP opportunities such as speakers, topics, sponsors, … and set a 5-year target on target audiences, different events, and interactions between OWASP global and local projects.
 * Erwin Geirnaert, Zion Security
 * Philippe Bogaerts, NetAppSec
 * André Mariën, Inno.com
 * Lieven Desmet, K.U.Leuven
 * Joël Quinet, Telindus
 * Sebastien Deleersnyder, Telindus
 * Bart De Win, Ascure