BeNeLux OWASP Day 2016-2

From OWASP
Jump to: navigation, search
OWASP BeNeLux Day 2016 II.png



[edit]

OWASP BeNeLux conference is free, but registration is required!

Register for the OWASP BeNeLux Day 2016

OWASP BeNeLux training is reserved for OWASP members, and registration is required!

To support the OWASP organisation, we ask training attendees to become an OWASP member, it's only US$50! Students and faculty are invited to become member as well, but can freely attend. Check out the Membership page to find out more.

Register now!


To support the OWASP organisation, consider to become a member, it's only US$50!
Check out the Membership page to find out more.


Venue

The venue is hosted by imec-Distrinet Research Group (KU Leuven).

Address:
Department of Computer Science (foyer at ground floor)
Celestijnenlaan 200 A
3001 Heverlee

How to reach the venue?

https://distrinet.cs.kuleuven.be/about/route/

Hotel nearby

Trainingday is November 24th

Location

Agenda

Time Description Room TBA Room TBA Room TBA
08h30 - 9h30 Registration
09h30 - 11h00 Training Breakers, defenders and superheroes!
by Riccardo ten Cate
PWN Android Apps with your Custom Built Toolbox
by Steven Wierckx
Why simply deploying HTTPS will not get you an A+ grade
by Philippe De Ryck
11h00 - 11h30 Coffee Break
11h30 - 13h00 Training
13h00 - 14h00 Lunch
14h00 - 15h30 Training
15h30 - 16h00 Coffee Break
16h00 - 17h30 Training

Trainings

Breakers, defenders and superheroes!

In the wonderful world of application security we often learn to break stuff or we learn how to prevent hackers from breaking your stuff. In this training i would love to adres some basic and advanced topics and not only teach developers how to properly test their code like a penetration tester, but also learn the penetration tester to think like a developer so they really can deliver added value when instructing developers on how to fix their code like a baws!

Some of the topics i would like to adresss are:

  • Content security policy and how to defeat it with HTML injections
  • Advanced cross site scripting
  • Cross site request forgery
  • Mass Assignment (Parameter binding) attacks
  • External entity attacks
  • Path/directory traversal attacks (File inclusion attacks)
  • File upload injections
  • Server side template injections
  • Authentication and authorization


PWN Android Apps with your Custom Built Toolbox

Frustrated with the various tools and environments needed to perform mobile pentesting? All available Android test distributions have drawbacks and missing and/or non-working tools etc. Learn how to create your own customized mobile pentesting toolbox with the tools you really want/need.

Not sure which steps to follow when performing a mobile application security assessment? Our renowned trainer, Steven Wierckx, will show you which steps to follow and what issues to focus on.

More details in the course description

Download the full training description


Why simply deploying HTTPS will not get you an A+ grade

20 years after the introduction of HTTPS, it is finally moving towards widespread adoption. As more and more web sites are enabling HTTPS, the attention for correct deployments increases as well. Tools such as Qualys’ SSL Labs server test make it is easy to verify the quality of any domain’s HTTPS deployment, but at the same time show how challenging it is to receive an A+ grade. While the initial deployment of HTTPS may seem straightforward, correctly deploying HTTPS is a daunting task. In this session, participants will learn through hands-on experience how to deploy HTTPS correctly, and how it impacts a Web application. We will cover common Web attacks on HTTPS, and how they are countered by the newest HTTPS security policies, such as HTTP Strict Transport Security (HSTS) and HTTP Public Key Pinning (HPKP).

The learning objectives for this session are:

  • Learning how to deploy HTTPS correctly, with strong ciphers and forward secrecy
  • Understanding the intricacies of HTTPS, and its impact on a Web application, especially in combination with HTTP
  • Understanding common Web attacks against HTTPS, and the newest browser-enforced security policies that counter them

Trainers

Riccardo ten Cate

As a penetration tester and software developer from the Netherlands Riccardo is specialized in web-application security and has extensive knowledge in securing web applications in multiple coding languages.

Steven Wierckx

I’m a Software and Security Tester with 15 years of experience in programming, security testing, source code review, test automation, functional and technical analysis, development and database design. I’m a team player with a constant drive to learn new things. I have a passion for web application security and I write articles for several professional magazines with regards to that topic. I have created several courses on testing software for security problems and I teach courses on secure coding, security awareness, security testing and threat modelling.

Philippe De Ryck

Philippe De Ryck holds a PhD in computer science and is specialized in client-side Web security. Philippe focuses on a sustainable knowledge transfer of his expertise in Web security towards industry partners, mainly through training courses and public dissemination activities. Within iMinds-DistriNet , Philippe leads the Web Security-related training activities.

Conferenceday is November 25th

Agenda

Time Speaker Topic Slides
08h30 - 09h00 Registration
09h00 - 09h15 Opening
09h15 - 10h00 Dario Incalza Securing Android Applications Download
10h00 - 10h45 Yorick Koster The State of Security of WordPress (plugins) Download
10h45 - 11h15 Morning Break
11h15 - 12h00 Sebastian Lekies Securing AngularJS Applications Download
12h00 - 12h45 Giancarlo Pellegrino Compression Bombs Strike Back Download
12h45 - 13h45 Lunch
13h45 - 14h30 Zakaria Rachid Zap it !
14h30 - 15h15 Tom Van Goethem Stealing Secrets through Browser-based Side-channel Attacks
15h15 - 15h45 Break
15h45 - 16h30 Daniel Kefer Handling of Security Requirements in Software Development Lifecycle Download
16h30 - 17h15 Bart Preneel Closing Keynote: The Future of Security Download
17h15 - 17h30 Closing


Talks

The State of Security of WordPress (plugins)

Last July, we organised the Summer of Pwnage (sumofpwn.nl) targeting WordPress and WordPress Plugins. This has resulted in 118 findings; mostly affecting WordPress Plugins, but also WordPress Core. Looking at the reported types of vulnerabilities, by far the most reported type is Cross-Site Scripting. The majority of Cross-Site Scripting vulnerabilities were of the reflected type where the victim has to click on a malicious link or visit a malicious website (or advertisement). A fair share of them were stored though, and some of them even pre-auth.

Does this mean that WordPress is inherently insecure or is it just the Plugin eco system? In this talk, I'll present our view on the (in)security of WordPress and WordPress Plugins. In addition, I'll show how a WordPress installation can be compromised using Cross-Site Scripting (and how to protect) and a generic way to get remote code execution through PHP Object Injection will be demonstrated.

Securing AngularJS Applications

Since its birth, the Web evolved from a system to share and view scientific documents to a full-blown platform for sophisticated applications. While in the beginning most Web applications were implemented purely on the server-side, modern ones heavily rely on client-side components.

AnuglarJS is the latest addition in this process. Within an Angular application the server is merely a data storage facility with a few additional access checks. The core of the application is running on the client-side.

As Angular is specifically designed to work on the client-side, it attempts to remove the main points of friction for developers. By providing a templating system, two-way bindings and custom directives, DOM interactions can be reduced to a bare minimum.

From a security point of view this is very interesting as Angular removes the need for using some DOM APIs with very sharp edges (innerHTML, document.write). On the other hand, Angular introduces new ways of approaching application development that are largely unexplored in terms of security.

This talk provides an in-depth introduction to the security of Angular applications. It first introduces the core design ideas and security principles of AngularJS. Then, based on the experience of the Google Security Team, shows common security pitfalls that are specific to Angular applications. In general, the talk covers Angular's string interpolation functionality, strict auto-escaping templates, URL-based directives and insecure legacy APIs. All the presented issues are based on real-world bugs. The talk will demonstrate how to find and prevent these issues in practice.

Compression Bombs Strike Back

Network services often use data compression to reduce protocol message size. However, if data compression is not properly implemented, it can render entire applications vulnerable to DoS attacks. Abusing data compression to exhaust system resources is an old trick. For example, a zip bomb is a recursively highly-compressed file archive prepared with the only goal of exhausting the resources of programs that attempt to inspect its content. This attack was brought to the community attention in 1996 to mount DoS attacks against bulletin board systems.

While this may now seem an old, unsophisticated, and easily avoidable threat,we discovered that developers did not fully learn from prior mistakes. We looked at three protocols (i.e., HTTP, XMPP, and IMAP) and 11 network services including popular ones (e.g., Apache HTTPD, Tomcat, Prosody, and OpenFire) and discovered that the risks of supporting data compression are still often overlooked.

In this talk, we will walk through data amplification attacks starting from the ever-green zip bomb and xml bomb attacks until our recent results. We will present the current use of data compression in several popular protocol and network services, and 12 common mistakes that we observed at the implementation, specification, and configuration levels. In this talk, we will also present already patched resource exhaustion vulnerabilities which could have been used to perform Denial of Service attack against popular services.

Closing Keynote: The Future of Security

Computers are still getting faster by factor of two every 18 months, and the doubling time for memory and communications is even smaller. An increasing number of experts is developing and deploying ever more sophisticated security techniques. But cybersecurity incidents multiply and are more prominent in the media. Will the cloud and the Internet of Things offer us a secure infrastructure? Or are we heading for a security and privacy nightmare? What is the role of governments, companies and individuals? Do we need backdoors in security technologies to balance privacy and security? This seminar tries to answer these questions.

Handling of Security Requirements in Software Development Lifecycle

The bigger the company you're working in, the more technologies and methodologies used by development teams you are going to face. At the same time, you want to address security risks in an appropriate, reliable and traceable way for all of them.

After a short introduction of a unified process for handling security requirements in a large company, the main part of the talk is going to focus on a tool called SecurityRAT (Requirement Automation Tool) which has been developed in order to support and accelerate this process. The goal of the tool is first to provide a list of relevant security requirements according to properties of the developed software, and afterwards to handle these in a mostly automated way - integration with an issue tracker being used as a core feature. Work in progress and future plans will form the last part of the talk.

Zap it !

The OWASP Zed Attack Proxy (ZAP) is one of the world’s most popular and best maintained free security tools. In this talk we will cover some of the basic features of Zap and deep dive in some advanced features. We will also cover the ways you can use ZAP in your applications SDL.

Stealing Secrets through Browser-based Side-channel Attacks

Browsers are becoming increasingly more complex. New features are added on a virtually daily basis in order to accomodate the most exotic use cases, allow the millions of lines of JavaScript code to be executed even faster, or provide the foundation for extremely accurate analytics. Combined with the well-known security-principle that an increase in functionality results in a larger attack surface, browsers are becoming a more and more interesting target for adversaries. In this talk, we will focus on a class of attacks that is often overlooked, namely side-channel attacks. Among other things, we will explore the causes for these newly discovered side-channel attacks, and how these can be leveraged to extract sensitive information, such as CSRF tokens, from web pages. Finally, we will analyse the various techniques that can be used to defend against these attacks.

Securing Android Applications

In this talk we will discuss the attack surfaces of an Android application and some best practice security implementations specific for Android applications. We will cover cryptography, code protection techniques and network security implementations.

Speakers

Yorick Koster

Yorick Koster is co-founder of Securify, an information security company focusing on all aspects of software security. Securify helps organisations to (proactively) secure their web and mobile applications, from design to go-live. In this we take a proactive approach (Build Security In) to catch and prevent vulnerabilities early, when still easy and cheap to fix.

Yorick has more than 10 years of experience in the field of software security and has found security vulnerabilities in a wide range of applications, including Internet Explorer, Office, .NET Framework, Adobe Reader, and WordPress.

Sebastian Lekies

Sebastian Lekies is an Information Security Engineer at Google and a PhD Student at the Ruhr-University Bochum. His research interests encompass client-side Web application security and Web application security testing. He graduated from University of Mannheim with a M.Sc. in Business Information Systems. At Google, Sebastian is part of the Security Test Engineering team that develops Google’s internal Web application security scanner and the externally facing Cloud Security Scanner (https://cloud.google.com/tools/security-scanner/). Before joining Google, Sebastian was part of SAP’s Security Research team, where he conducted academic research in the area of client-side Web application security. Sebastian is regularly speaking at academic and non-academic security conferences all around the World. He spoke at BlackHat US/EU/Asia, DeepSec, OWASP AppSec EU, Usenix Security, CCS, and many more...

Giancarlo Pellegrino

Giancarlo Pellegrino, is a post doctoral researcher of the System Security group at CISPA, Saarland University, in Germany. His main research interests include all aspects of web application security in particular security testing (black and white-box) and vulnerability analysis. Prior joining CISPA, Giancarlo worked at TU Darmstadt, Germany, and was member of the S3 group at EURECOM, in France. Until August 2013, he was Researcher Associate in the "Security and Trust" research group at SAP SE.

Bart Preneel

Bart Preneel received the Electr. Eng. and Ph.D. degrees from the KU Leuven (Belgium). He is a Full Professor at the KU Leuven where he heads the COSIC research group. He was visiting professor at five universities in Europe. He has authored more than 400 scientific publications and is inventor of 4 patents. Bart Preneel has participated to more than 30 EU funded projects and has coordinated five of those including the EU NoE ECRYPT. He has served as panel member and chair for the European Research Council. Since 1997 he is serving on the Board of Directors of the IACR (International Association for Cryptologic Research), from 2002-2007 as vice president and from 2008-2013 as president. He is a member of the Permanent Stakeholders group of ENISA and of the Academia Europaea. He has served on the advisory board of several companies and EU projects. He has served as program chair of 15 international conferences and he has been invited speaker at more than 90 conferences in 40 countries. In 2014 he received the RSA Award for Excellence in the Field of Mathematics.

Daniel Kefer

Daniel Kefer has been working in the application security field since 2007. Having started as a penetration tester, he soon became passionate about proactive security efforts and working closely with developers. Since 2011 he has been working for 1&1 where he focuses on design and continuous improvement of the internal secure SDLC process and its implementation in different development departments. Apart from 1&1, he also works as a volunteer for the OWASP OpenSAMM project.

Zakaria Rachid

Zakaria Rachid is a security consultant with some years of intense computing and security experience in critical environments (Telcos, mil...). He specializes in penetration testing, web applications security and trolling.

Tom Van Goethem

Tom Van Goethem is a PhD researcher at the University of Leuven with a keen interest in web security and online privacy. In his research, Tom performs large-scale security experiments, both to analyze the presence of good and bad security practices on the web, as well as to demystify security claims. More recently, Tom started exploring side-channel attacks in the context of the web. In an attempt to make the web a safer place, Tom on occasion rummages the web in search for vulnerabilities.

Dario Incalza

I am a pre-sales and security engineer at GuardSquare. In my spare time I like breaking applications and most importantly securing them. I regularly speak at Android conferences about all things Android and security. I tweet at @h4oxer.


Social Event,starting at 7PM

For those who want to join for dinner, we would like to suggest to gather at the Wok Dynastie Heverlee restaurant.

The restaurant offers a nice open buffet for 25.50 EUR.

Wok%20Dynasty%20001.jpg


Wok%20Dynasty%20176.jpg


Call for Speakers

The call for Speakers is closed.

See you next year!

OWASP AppSec conferences are true security conferences with all talks and presentations focusing on various areas of information security. Topics should focus on the technical and social aspects of security, and should not contain marketing or sales pitches.

We encourage and prioritize submissions covering research and new work impacting:

  • Secure development of web applications.
  • Security testing of web applications.
  • Security of DevOps processes, architectures, and tools.
  • Security of applications designed for mobile devices.
  • Security of Internet of Things devices and platforms.
  • Cloud platform security
  • Browser security
  • HTML5 security
  • OWASP tools or projects in practice

Terms

By your submission you agree to the OWASP Speaker Agreement. It requires that you use an OWASP presentation template or other non-branded template. Presentations may not use company-themed decks or include a company logo except on the speaker bio slide. Failure to observe these requirements will result in talk removal.

All presentation slides will be published on the conference website. Pictures and other materials in presentations should not violate any copyrights. Presentation submitters are solely liable for copyright violations. You may choose any Creative Commons license for your slides, including CC0. OWASP suggests the use of open licenses.

We will cover your travel expenses or costs for accommodations.

Deadlines

  • Submission of proposal closes: 11 September, 2016 – 23:59
  • Notification of acceptance: 2 October, 2016
  • Conference Date: 25 November, 2016

Submission

To submit a proposal, please submit an abstract of your intended presentation (500 to 4000 characters), a brief biography (150 to 800 characters) and a headshot (combine multiple files in one zip file). Your planned presentation time is 40 minutes (excluding ~5 minutes for discussion and change of speaker). Feel free to attach a preliminary version of your presentation if available. Any proposal submitted is subject to a democratic vote by the program committee. Keep in mind: The better your description of the talk, the better picture the program committee will have to review your submission. Please proofread your submission; after approval your abstract, biography, and headshot will be published verbatim into the program and website.

Submission page: https://easychair.org/conferences/?conf=owaspbenelux162



Hosted and co-organized by

Logo_distrinet.png

Made possible by our Sponsors

Gold:

VeraCode logo.png Vest.jpg Intigriti_verticaal.jpg Ecurify-2016.png HPE_logo_250.png

Silver:

LogoToreon.jpg Zionsecurity.jpg Nviso_logo_RGB_baseline_200px.png Whitehat-security_hor.jpg Nixu-logo.png

Bronze:

Logo_Informatiebeveiliging-200.png 200x60_netsparker_logo.png