Difference between revisions of "BeNeLux OWASP Day 2012"

From OWASP
Line 2: Line 2:
 
<br><!-- Header -->
 
<br><!-- Header -->
  
==== Welcome  ====
 
  
<br>
+
<!-- First tab -->
<center>
+
= Welcome  =
=== Venue is the Department of Computer Science @ KU Leuven ===
+
Training and conference location, together with hotel information, can be found [https://www.owasp.org/index.php/BeNeLux_OWASP_Day_2012#tab=Venue here].
+
  
=== Training and first list of conference speakers confirmed! ===
+
=== Welcome to OWASP BeNeLux 2012  ===
  
'''Confirmed 1 day trainings on Thursday:'''<br>
+
==== Confirmed trainers for Trainingday ====
Dan Cornell (Denim group) - SDLC with open source tools <br>
+
Dinis Cruz (Security Innovation) -  Advanced O2<br>
+
Volkert de Buisonjé (Sogeti) Secure Java Development with ESAPI (Hands-On )<br>
+
  
 +
* Dan Cornell (Denim group) - SDLC with open source tools <br>
 +
* Dinis Cruz (Security Innovation) -  Advanced O2<br>
 +
* Volkert de Buisonjé (Sogeti) Secure Java Development with ESAPI (Hands-On )<br>
  
'''Confirmed speakers on Friday:'''<br>
+
==== Confirmed speakers Conferenceday ====
Dinis Cruz (Security Innovation) - Making Security Invisible by Becoming the Developer’s Best Friends<br>
+
Rüdiger Bachmann and Achim D. Brucker (SAP) - Code review large companies<br>
+
Lieven Desmet (Distrinet, KU Leuven) - Sandboxing JavaScript<br>
+
Herbert Bos and Asia Slowinska (VU Amsterdam) - Body Armor for Binaries<br>
+
Marc Hullegie and Kees Mastwijk (Vest) - Forensics<br>
+
Dan Cornell (Denim group) - Streamlining Application Vulnerability Management: Communication Between Development and Security Teams<br>
+
John Wilander (OWASP Sweden) - Browser security<br>
+
Seba Deleersnyder (OWASP) - Update on OWASP<br>
+
  
=== Tweet! ===
+
* Dinis Cruz (Security Innovation) - Making Security Invisible by Becoming the Developer’s Best Friends<br>
Event tag is [http://twitter.com/#search?q=%23owaspbnl12 #owaspbnl12]
+
* Rüdiger Bachmann and Achim D. Brucker (SAP) - Code review large companies<br>
 +
* Lieven Desmet (Distrinet, KU Leuven) - Sandboxing JavaScript<br>
 +
* Herbert Bos and Asia Slowinska (VU Amsterdam) - Body Armor for Binaries<br>
 +
* Marc Hullegie and Kees Mastwijk (Vest) - Forensics<br>
 +
* Dan Cornell (Denim group) - Streamlining Application Vulnerability Management: Communication Between Development and Security Teams<br>
 +
* John Wilander (OWASP Sweden) - Browser security<br>
 +
* Seba Deleersnyder (OWASP) - Update on OWASP<br>
  
=== Registrations are open: ===
 
  
[http://owaspbenelux2012.eventbrite.com/ http://www.owasp.org/images/7/77/Buttoncreate.png]
+
<!-- Second tab -->
 +
= Venue =
 +
=== Venue is the Department of Computer Science @ KU Leuven ===
 +
Training and conference location, together with hotel information, can be found [https://www.owasp.org/index.php/BeNeLux_OWASP_Day_2012#tab=Venue here].
  
=== Slides will be available online ===
+
<!-- Third tab -->
Check out the Conference tab of the website to download the presentations.
+
= Trainingday =
  
</center>
+
==== Trainingday, November 29th  ====
<br>
+
  
==== Training, November 29th  ====
 
CFP open!
 
<!--
 
Registration '''starts at 9h00'''
 
  
Training will start at '''10h00''' and we plan to stop at '''17h00'''. From '''17h00''' til '''18h00''', there will be an extra session on security testing by Yves Le Traon (see details below).
+
Registration '''starts at xxhxx'''
 +
 
 +
Training will start at '''xxhxx''' and we plan to stop at '''xxhxx'''.
 +
 
  
 
The training room is: '''Paul Feidert''' (for details, check the [https://www.owasp.org/index.php/BeNeLux_OWASP_Day_2012#tab=Venue venue] tab)
 
The training room is: '''Paul Feidert''' (for details, check the [https://www.owasp.org/index.php/BeNeLux_OWASP_Day_2012#tab=Venue venue] tab)
  
'''OWASP Training: Secure Application Development, by Eoin Keary'''
+
'''OWASP Training: Title of training here, by Trainername here'''
  
'''Abstract:''' Writing Secure code is the most effective method to securing your web applications. Writing secure code takes skill and know-how but results in a more stable and robust application and assists in protecting an organisations brand.
+
'''Abstract:''' Abstract here
Application security is not commonly a part of many computer science curricula today and most organizations have not focused on instituting a culture that includes application security as a core part of their software development training efforts. This intensive one-day course focuses on the most common web application security problems, including aspects of both the OWASP Top Ten (2010) and the MITRE Top 25.  The course will introduce and demonstrate application assessment techniques, illustrating how application vulnerabilities can be exploited so students really understand how to avoid introducing such vulnerabilities in their code.
+
  
 
'''This course includes coverage of the following areas:'''
 
'''This course includes coverage of the following areas:'''
  
* Unvalidated Input
+
* TOC here
* Injection Flaws, OS commanding, SQL Injection
+
* Cross-Site Scriping & Client-side security
+
* CSRF/XSRF
+
* Authentication & Session Management
+
* Access control & Authorisation
+
* Broken Caching
+
* Error Handling & Resource Management
+
* The Secure SDLC
+
* Fuzzing, Proxy use and testing approach
+
  
 
'''Hands on Exercises'''
 
'''Hands on Exercises'''
  
To cement the principles discussed, students can participate in a number of hands-on security testing exercises where they attack a live web application (i.e., OWASP Bank etc) that has been seeded with common web application vulnerabilities.
+
Instructions here]'''
 
+
The students will use proxy tools commonly used by the hacker community to complete the exercises. Students need to bring their own windows based laptop to participate in the exercises. Wireless capability is recommended.  '''Make sure to get a copy of BURP proxy prior to the training: [http://www.portswigger.net/burp/downloadfree.html http://www.portswigger.net/burp/downloadfree.html]'''
+
  
 
'''Audience'''
 
'''Audience'''
  
Developers who want to understand the most common web application security flaws, and how to avoid them and code in a secure manner.
+
Targeted audience here
  
Level: Beginner/Intermediate
+
Level: Select lever here (Beginner/ Intermediate/ Advanced)
  
Prerequisite: Basic knowledge of a web programming language like Java or .NET recommended but not required.
+
Prerequisite: Enter prerequisites here
  
Bringing your own windows based laptop is recommended so you can participate in the hands on exercises
+
e.g. Bring your laptop...
  
 
'''Trainer Bio:'''  
 
'''Trainer Bio:'''  
  
[[Eoin Keary]] is a Global OWASP board member since 2009. He is a long time member of OWASP and have contributed year on year to OWASP projects and the OWASP mission of fighting the causes of software insecurity. He is based in Dublin, Ireland and director of [http://www.bccriskadvisory.com Bccriskadvisory].
+
Enter trainerbio here
  
  
  
===== Extra session on Security testing: a key challenge for software engineering of web apps (17h00 - 18h00)=====  
+
= Conferenceday =
While important efforts are dedicated to system functional testing, very few works study how to specifically and systematically test security mechanisms. In this talk, we will present two categories of approaches.  
+
 
The first ones aim at assessing security mechanisms compliance with declared policies. Any security policy is strongly connected to system functionality: testing function includes exercising many security mechanisms. However, testing functionality does not intend at exercizing all security mechanisms. We thus propose test selection criteria to produce tests from a security policy. Empirical results will be presented about access control policies and about Android apps permission checks. 
+
 
+
= Registration =
The second ones concern the attack surface of web apps, with a particular focus on web browser sensitivity to XSS attacks. Indeed, one of the major threats against web applications is Cross-Site Scripting (XSS) that crosses several web components: web server, security components and finally the client’s web browser. The final target is thus the client running a particular web browser. During this last decade, several competing web browsers (IE, Netscape, Chrome, Firefox) have been upgraded to add new features for the final users benefit. However, the improvement of web browsers is not related with systematic security regression testing. Beginning with an analysis of their current exposure degree to XSS, we extend the empirical study to a decade of most popular web browser versions.The results reveal a chaotic behavior in the evolution of most web browsers attack surface over time. This particularly shows an urgent need for regression testing strategies to ensure that security is not sacrificed when a new version is delivered.
+
 
+
=== Registrations are open: ===
In both cases, security must become a specific target for testing in order to get a satisfying level of confidence in security mechanisms
+
 
 +
[http://owaspbenelux2012.eventbrite.com/ http://www.owasp.org/images/7/77/Buttoncreate.png]
 +
 
 +
= Social Media =
 +
 
 +
=== Tweet! ===
 +
Event tag is [http://twitter.com/#search?q=%23owaspbnl12 #owaspbnl12]
 +
 
 +
= Slides =
 +
 
 +
=== Slides will be available online ===
 +
Check out the Conference tab of the website to download the presentations.
  
'''Trainer bio:'''
 
  
Yves Le Traon is professor at University of Luxembourg in the domain of software engineering, reliability, validation and security. He is also a member of the Interdisciplinary Centre for Security, Reliability and Trust (SnT), where he leads the research group SERVAL (SEcuRity and VALidation of services and networks). His research interests include software testing, design for security, security testing, model-driven validation, model based testing, web application, mobile computing. 
 
  
Professor Le Traon received his engineering degree and his PhD in Computer Science at the “Institut National Polytechnique” in Grenoble, France, in 1997. From 1998 to 2004, he was an associate professor at the University of Rennes, in Brittany, France. He is the co-founder of the Triskell INRIA team, which focuses on innovating design, modeling and testing techniques, such as Model-driven Engineering. During this period, Professor Le Traon studied design for testability techniques, validation and diagnosis of object-oriented programs and component-based systems. From 2004 to 2006, he was an expert in Model-Driven Architecture and Validation in the EXA team (Requirements Engineering and Applications) at “France Télécom R&D”. In 2006, he became professor at Telecom Bretagne (Ecole Nationale des Télécommunications de Bretagne), where he pioneered the application of testing for security assessment of web-applications, P2P systems and the promotion of intrusion detection systems using contract-based techniques.
 
  
-->
 
  
 
==== Conference, November 30th  ====
 
==== Conference, November 30th  ====
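Review bot: the Trainingday section in this revision goes live with unfilled template text: 'Registration starts at xxhxx', 'Training will start at xxhxx and we plan to stop at xxhxx', 'OWASP Training: Title of training here, by Trainername here', 'Abstract here', 'TOC here', 'Targeted audience here', 'Select lever here' (a typo for 'level') and 'Enter trainerbio here', and 'Instructions here]' carries a stray closing bracket. Either fill in the confirmed details for the three Thursday trainings already listed under Welcome, or wrap this block in the same <!-- --> comment that already hides the old Eoin Keary and Yves Le Traon text, so the placeholders do not render on the published page.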
Line 442: Line 432:
 
[http://www.f5.com https://www.owasp.org/images/f/fd/AppSec_Research_2010_sponsor_F5_logo.jpg]
 
[http://www.f5.com https://www.owasp.org/images/f/fd/AppSec_Research_2010_sponsor_F5_logo.jpg]
 
-->
 
-->
 
+
<!-- Don't remove this tag -->
 +
__NOTOC__
 +
<headertabs/>
  
 
<br>
 
<br>
 
</center>
 
</center>
 
[[Category:OWASP_AppSec_Conference]] [[Category:OWASP_BeNeLux_Archives]]
 
[[Category:OWASP_AppSec_Conference]] [[Category:OWASP_BeNeLux_Archives]]

Revision as of 03:56, 17 October 2012


Welcome to OWASP BeNeLux 2012

Confirmed trainers for Trainingday

  • Dan Cornell (Denim group) - SDLC with open source tools
  • Dinis Cruz (Security Innovation) - Advanced O2
  • Volkert de Buisonjé (Sogeti) - Secure Java Development with ESAPI (Hands-On)

Confirmed speakers Conferenceday

  • Dinis Cruz (Security Innovation) - Making Security Invisible by Becoming the Developer’s Best Friends
  • Rüdiger Bachmann and Achim D. Brucker (SAP) - Code review large companies
  • Lieven Desmet (Distrinet, KU Leuven) - Sandboxing JavaScript
  • Herbert Bos and Asia Slowinska (VU Amsterdam) - Body Armor for Binaries
  • Marc Hullegie and Kees Mastwijk (Vest) - Forensics
  • Dan Cornell (Denim group) - Streamlining Application Vulnerability Management: Communication Between Development and Security Teams
  • John Wilander (OWASP Sweden) - Browser security
  • Seba Deleersnyder (OWASP) - Update on OWASP


Venue is the Department of Computer Science @ KU Leuven

Training and conference location, together with hotel information, can be found here.

Trainingday, November 29th

Registration starts at xxhxx

Training will start at xxhxx and we plan to stop at xxhxx.


The training room is: Paul Feidert (for details, check the venue tab)

OWASP Training: Title of training here, by Trainername here

Abstract: Abstract here

This course includes coverage of the following areas:

  • TOC here

Hands on Exercises

Instructions here

Audience

Targeted audience here

Level: Select level here (Beginner/ Intermediate/ Advanced)

Prerequisite: Enter prerequisites here

e.g. Bring your laptop...

Trainer Bio:

Enter trainerbio here


Registrations are open:

Register: http://owaspbenelux2012.eventbrite.com/

Tweet!

Event tag is #owaspbnl12

Slides will be available online

Check out the Conference tab of the website to download the presentations.



Conference, November 30th

Stay tuned for the final agenda!

Agenda (TBD)


Speech 1
Speech 2

CTF

Do you like puzzles? Do you like challenges? Are you a hacker?

Whether you are an old hacker or a new enthusiast, you should come to OWASP BeNeLux Days 2012 and participate in the Capture the Flag event on November 30th 2012 in Leuven (place TBD).

The OWASP CTF is especially designed to support challengers of all skill levels. The CTF contains multiple challenges in various fields related to application security. As every challenge gains you one point, you can pick and choose which challenge you want to play.

All you need is a laptop with a wifi card and your favorite (preferably) non-commercial tools.

So come to Leuven, show off your skills, learn new tricks and above all have a good time at the CTF event.

Registration

The training day and the conference are free! 


Register: http://owaspbenelux2012.eventbrite.com/


To support the OWASP organisation, consider becoming a member; it's only US$50!
Check out the Membership page to find out more.


Venue

Venue is the Department of Computer Science of the KU Leuven, in Heverlee:
Celestijnenlaan, 200a
3001 Heverlee
Belgium



Organisation

The BeNeLux Day 2012 Program Committee:

Local organization:

  • Thomas Engel
  • Radu State
  • Magali Martin
  • Aurel Machalek

Sponsorship

Contact seba <at> owasp.org for sponsorship

funds to OWASP earmarked for BeNeLux OWASP Day 2012.

Social Event

The social event is scheduled for Thursday, 29th of November, 19:00 at

Leuven (TBD)

Remark: split bill system - everyone has to cover their own food & drinks.

Promotion

Feel free to use the text below to promote our event!

We invite you to our next OWASP event: the BeNeLux OWASP Days 2012!

Free your agenda on the 29th and 30th of November, 2012.

The good news: free! No fee!

The bad news: there are only 160 seats available (first to register, first served)!


PROGRAM Day 1

  • 10:00 - 18:00: OWASP Training Day
  • 19:00 - ?: Social event


PROGRAM Day 2

  • 10:00 - 18:00: OWASP Conference


ORGANIZATION
OWASP's all-volunteer participants produce free, professional quality, open-source documentation, tools, and standards on application security. An example of this is the famous OWASP top ten of most critical web application security flaws. The OWASP community facilitates conferences, local chapters, articles, and message forums. Participation in OWASP is free and open to all, as are all the materials we produce.

WHO should attend?
Anyone interested in Web Application Security (management, security professionals, developers, students, etc.). Membership of the OWASP Belgium, Netherlands and Luxembourg chapters is free. All meetings are free. There are never vendor pitches or sales presentations at OWASP meetings.
Check our chapter page http://www.owasp.org/index.php/Belgium on meeting details, sign up to the chapter mailing list and introduce yourself.
Check our chapter page http://www.owasp.org/index.php/Netherlands on meeting details, sign up to the chapter mailing list and introduce yourself.
Check our chapter page http://www.owasp.org/index.php/Luxembourg on meeting details, sign up to the chapter mailing list and introduce yourself.

WHEN
Thursday and Friday, 29th and 30th of November, 2012 (10 AM - 7 PM)

WHERE
University of Leuven
Department of Computer Science, KU Leuven
Celestijnenlaan 200A
3001 Heverlee
Belgium
Website

Attention: make sure to book your hotel in time, it will be difficult to find rooms in Leuven around Nov 29-30!
Hotel details https://www.owasp.org/index.php?title=BeNeLux_OWASP_Day_2012#tab=Venue

REGISTRATION
Only 160 places, so please register upfront: http://owaspbenelux2012.eventbrite.com !
All latest details are available on http://www.owaspbenelux.eu
Hope to see you all!

The BeNeLux Program Committee,

  • Martin Knobloch / Ferdinand Vroom, OWASP Netherlands
  • Bart De Win / Sebastien Deleersnyder, OWASP Belgium
  • Jocelyn Aubert / Andre Adelsbach, OWASP Luxembourg
  • Steven van der Baan, OWASP CTF Project


Hosted and co-organized by:





Made possible by our sponsors:
List is being updated... Stay tuned!