Belgium

Local News
You are invited to the next Chapter meeting! If you plan to come drop [mailto:seba@deleersnyder.eu me] a mail.

WHEN
January 23rd 2007

WHERE
Ernst&Young Offices (Business Centre) in Brussels. Parking places are available at nr 216. Here you can find.

PROGRAM
OWASP Update WEBGOAT and the Pantera Web Assessment Studio Project The OWASP presentation will shed a light on WEBGOAT and the Pantera Web Assessment Studio Project. Both OWASP projects will be covered and illustrated with a live demo, with a special focus on Webgoat and web services.         Presentation + Discussion? Philippe Bogaerts is an independent consultant specialized in network and application security testing, web application and XML firewalls. '''Security implications of AOP for secure software Over the last decade, Aspect Oriented Programming (AOP), a development paradigm that focuses on improving the modularisation of crosscutting concerns, has received a great deal of attention from the academic as well as from the industrial community. In the context of secure software development, AOP has been shown to bring a number of benefits, at least from a software engineering perspective. From a security perspective, the characteristics of AOP have been studied less. One of the key questions at this moment is whether we can really use AOP to build \emph{secure} software ? In this presentation we will address this key question by elaborating on a number of security implications of AOP. Risks will be shown to originate from the core concepts of AOP, as well as from tool-specific implementation strategies (with a specific focus on AspectJ). The presentation will be concluded by indicating how these risks could be mitigated, both from a theoretical and from a practical perspective. Presentation + Discussion? Bart De Win is a postdoctoral researcher in the research group DistriNet, Department of Computer Science at the Katholieke Universiteit Leuven. His research interests are in secure software engineering, including software development processes, aspect-oriented software development and model driven security. 
 * 18h00 - 18h30: Welcome, get drink & sandwiches?
 * 18h20 - 18h40: Sebastien Deleersnyder
 * 18h45 – 19h45: Philippe Bogaerts
 * 19h45 - 20h00: break
 * 20h00 - 21h00: Bart De Win

WHEN
Thursday 14th of September 2006, 18h00 - 21h00.

WHERE
ING sponsored the venue and sandwiches.

PROGRAM
<BR> <BR> <BR> Presentation + Discussion<BR> The presentation showed how ING has implemented business application security by implementing a risk management approach. By starting from the definition of risks and risk management, we have changed the program governance and project lifecycle to ensure that security is not seen as an add-on in a late stage of the project, but that the security requirements are defined in the early start of a project. By this approach the security requirements are becoming real functional requirements which are supported by the business. The net result is that security is not an after-thought anymore but totally integrated in the product and its (functional) requirements. As security requirements have become demands of the business, they are not taken out when the project is getting in time and budget constraints. These are all the positive consequences we have obtained from the method that will be explained throughout the presentation. <BR> Presentation + Discussion<BR> Web Services are becoming a very popular protocol for communication between IT systems within and between organizations. Web services offer a nice alternative for all sorts of communication middleware. The security of Web Services is a major attention point, now being well addressed with the WS-Security standards. Guy Crets not only explains what WS-Security is, but also opens up the subject by addressing many related topics: how does WS-* compare to B2B protocols such as EDIINT AS2, why not use SOAP over email or FTP, the importance of WS-Addressing, shortcomings in WS-ReliableMessaging, what is the importance of Microsoft WCF (aka Indigo), ... and many more.
 * 18h00 - 18h30: Welcome, get drink & sandwiches<BR>
 * 18h20 - 18h40: Sebastien Deleersnyder, Ascure <BR>
 * 18h45 – 19h00: Toon Mordijck, ISSA<BR>
 * 19h00 - 19h55: Serge Moreno, ING<BR>
 * 20h05 - 21h00: Guy Crets, Apogado<BR>

Meeting Notes OWASP Belgium Chapter Meeting (Brussels, 8-May-2006)
WHEN Monday 8th of May 2006, 18h30 - 22h30. WHERE Deloitte sponsored the venue, drinks and snacks. PROGRAM <BR>
 * 18h00 - 18h30: Welcome, get drink & snack <BR>
 * 18h20 - 18h40: Sebastien Deleersnyder, Ascure <BR>


 * 18h45 - 19h15: Hillar Leoste, Zone-H

Can "Agile" Development Produce Secure Applications? Received wisdom has it that secure development and agile processes do not mix. Is that really so? Agile practices have proven in many projects to yield applications with fewer functional defects. Can they also be put to work to reduce the number of security vulnerabilities? The audience added to the discussion with questions and remarks!
 * 19h15 - 20h30: Johan Peeters, Program Director secappdev.org

Meeting Notes OWASP Belgium Chapter Meeting (Leuven, 22-Feb-2006)
WHEN Wednesday 22nd of February 2006, 18h00 - 21h00.

WHERE KUL sponsored the venue:<BR> BeeWare sponsored the Pizza and Drinks!

PROGRAM 18h00 - 18h20: Welcome, get Pizza & Drink<BR> 18h20 - 18h40: Sebastien Deleersnyder, Ascure <BR> <BR> 18h40 - 19h30: Philippe Bogaerts, BeeWare  19h30 - 20h45: Web Application Firewalls (WAF): Panel Discussion  Then we organized a panel discussion with people from industry, vendors and research: How mature are WAFs? What do WAFs protect you from? What not? Where do you position WAFs in your architecture? What WAF functionality do you really need? … We then had an interesting panel Discussion with:
 * Philippe Bogaerts, BeeWare
 * Jaak Cuppens, F5 Networks
 * David Van der Linden, ING Belgium
 * Lieven Desmet, K.U.Leuven

The audience (up to 50 !) added to the discussion with questions and remarks!

Belgium OWASP 2006 New Year Drink
On January 19th we had a New Years Drink. It was sponsored by Zion Security 

Meeting Notes second OWASP Belgium Chapter meeting (Leuven, 28-Sep-2005)
On 28th of September 2005 we had our second OWASP Belgium Chapter meeting. We had nearly 50 people coming to the meeting!

WHEN Wednesday 28th of September 2005, 18h00 - 21h00 at Ubizen in Leuven.

PROGRAM 18h00 - 18h15: Welcome & get a drink

18h15 - 18h45: Sebastien Deleersnyder, Ascure 

18h45 - 19h30: Emmanuel Bergmans, I-logs  Emmanuel gave an interesting introduction on ModSecurity. The presentation is included as attachment and contains a lot of great pointers and SWOT analysis. Conclusions were: ModSecurity can be particularly useful in an ISP environment Increased effort is necessary to synchronize multiple ModSecurity configurations in a Webfarm

19h30 - 20h45: OWASP Top 10 Vulnerabilities: Panel Discussion  Then we had a lively panel Discussion with: We handled questions about the Top 10:
 * Erwin Geirnaert, Security Innovation
 * Dirk Dussart, Belgian Post
 * Eric Devolder, Mastercard
 * Herman Stevens, Ubizen
 * Frank Piessens, KU Leuven
 * Is the OWASP Top 10 still necessary?
 * Are we talking vulnerabilities, solutions or threats?
 * Can we base our best practices / standards on the Top 10?
 * How to test your web site security on the Top 10?

The overall discussion was interesting, and at times diverted to an overall application security discussion. Some of the remarkable opinions covered: Can / or should the OWASP Top 10 form the basis for a certification scheme If it is used as an awareness tool, can we promote it with an OWASP magazine? The OWASP Top 10 is too vague A bigger exhaustive list is needed with a clear classification and taxonomy It should be based on threat modelling. One of the more pertinent questions: how did the original authors come to the Top 10?

Meeting Notes First OWASP Belgium Chapter Meeting (Gent, 26-May-2005)
On 26th of May 2005 we held the first OWASP Belgium Chapter meeting!

It was a big success: we had nearly 40 people attending, despite the Belgium-unlike hot weather.

PROGRAM 17h30 - 18h00: Welcome & get a drink

18h00 - 18h45: Sebastien Deleersnyder, Ascure 

19h00 - 19h45: Erwin Geirnaert, Security Innovation 

20h00 - 20h45: professor Frank Piessens, KU Leuven 

We had some interesting discussions with Frank on the position of security controls: within the code or within the supporting infrastructure? Another idea is also to look for a top 10 solutions for Web Applications and have some guidance system when selecting countermeasures.