Difference between revisions of "BeNeLux OWASP Day 2012"

Jump to: navigation, search
Line 95: Line 95:
(for details, check the {{#switchtablink:Venue|Venue}} tab)
(for details, check the {{#switchtablink:Venue|Venue}} tab)
==== Agenda ====  
==== Agenda ====  

Revision as of 15:50, 13 November 2012


Welcome to OWASP BeNeLux 2012

Confirmed trainers for Trainingday

  • Dan Cornell (Denim group) - SDLC with open source tools
  • Dinis Cruz (Security Innovation) - Advanced O2
  • Volkert de Buisonjé (Sogeti) - Secure Java Development with ESAPI (Hands-On )
  • Martin Knobloch (PervaSec) - Essential Web Appplication Security (OWASP Top 10, Webgoat, WebScarab)

Confirmed speakers Conferenceday

  • Dinis Cruz (Security Innovation) - Making Security Invisible by Becoming the Developer’s Best Friends
  • Rüdiger Bachmann (SAP) - Code review large companies
  • Lieven Desmet (Distrinet, KU Leuven) - Sandboxing JavaScript
  • Asia Slowinska (VU Amsterdam) - Body Armor for Binaries
  • Marc Hullegie and Kees Mastwijk (Vest) - Forensics
  • Dan Cornell (Denim group) - Streamlining Application Vulnerability Management: Communication Between Development and Security Teams
  • John Wilander (OWASP Sweden) - Browser security
  • Seba Deleersnyder (OWASP) - Update on OWASP

The OWASP BeNeLux Program Committee

  • Bart De Win / Sebastien Deleersnyder/ Lieven Desmet/ David Mathy, OWASP Belgium
  • Martin Knobloch / Ferdinand Vroom, OWASP Netherlands
  • Jocelyn Aubert / Andre Adelsbach, OWASP Luxembourg
  • Steven van der Baan, OWASP CTF Project


Event tag is #owaspbnl12

<paypal>BeNeLux OWASP Day 2012</paypal>

OWASP BeNeLux training day and conference are free!

Registration is open:


To support the OWASP organisation, consider to become a member, it's only US$50!
Check out the Membership page to find out more.

Venue is the iMinds-DistriNet Research Group @ KU Leuven

Celestijnenlaan, 200A
3001 Heverlee

Parking & roadmap:

There is a public parking close to the conference venue.

Roadmap and parking: http://distrinet.cs.kuleuven.be/about/route/

Hotels nearby:
Board house (close to the venue)
The lodge (close to the venue)
Begijnhof Congres Hotel (1 km from the venue)
La Royale (2 km from the venue)
Hotel Ibis (2 km from the venue)
Mercure (2 km from the venue)
New Damshire (2 km from the venue)

Trainingday, November 29th


The training room is: Celestijnenlaan, 200A, fifth floor
3001 Heverlee

(for details, check the Venue tab)


Time Description Room 1 Room 2 Room 3 Room 4
08h30 - 9h30 Registration
09h30 - 11h00 Training Advanced O2, by Dinis Cruz SDLC with Open Source tools, by Dan Cornell Secure Java Development with ESAPI (hands-on), by Volkert de Buisonjé Essential Web Appplication Security (OWASP Top 10, Webgoat, WebScarab), by Martin Knobloch
11h00 - 11h15 Coffee Break
11h15 - 12h45 Training
12h45 - 13h30 Lunch
13h30 - 15h00 Training
15h00 - 15h15 Coffee Break
15h15 - 17h00 Training

Secure Java Development workshop with ESAPI, by Volkert de Buisonjé (Sogeti)

First, attendees will receive a brief introduction on application awareness. Then they will get acquainted with Webgoat, a "deliberately insecure J2EE web application" designed as a practice tool for secure application development and testing. They will learn how to exploit some vulnerabilities in Webgoat, through for instance Cross-Site Scripting (CSS) and Cross-Site Request Forgery (CSRF) attacks. Finally, the ESAPI library will be introduced and the attendees will learn how to apply ESAPI to fix such vulnerabilities in Webgoat's source code.

Prerequisites for this workshop:

  • Reasonable knowledge of and experience with Java development
  • A laptop running a recent version of Linux, Mac OS X, or Windows
  • The most recent version of VirtualBox (4.x) installed
  • At least 2GB of RAM
  • At least 2GB of disk space

Volkert de Buisonjé is a senior Java developer at Sogeti. He specializes in, and teaches application security courses, both to coworkers and to customers. Knowledge sharing (in both directions) is his passion. Volkert likes making friends and talking a lot. He never shuns a good discussion, and prefers to bring a high amount of interactivity to his classes. :-)

Conferenceday, November 30th


The training room is: (TBD) (for details, check the Venue tab)



Time Topic Speaker
08h30 - 9h30 Registration
09h30 - 9h45 Welcome (PPT) OWASP Benelux Organization
09h45 - 10h00 OWASP update (PPT) Sebastien Deleersnyder
10h00 - 10h40
10h40 - 11h00 Break
11h00 - 11h40
11h40 - 12h20
12h20 - 13h00
13h00 - 14h00 Lunch
14h00 - 14h40
14h40 - 15h20
15h20 - 16h00
16h00 - 16h20 Break
16h20 - 17h00
17h00 - 17h40
17h40 - 18h00 Closing Notes OWASP Benelux 2012 organization

Sandboxing JavaScript, by Lieven Desmet (Research Manager at KU Leuven)

The inclusion of third-party scripts in web pages is a common practice. A recent study has shown that more than half of the Alexa top 10 000 sites include scripts from more than 5 different origins. However, such script inclusions carry risks, as the included scripts operate with the privileges of the including website.
In this talk, we propose JSand, a server-driven but client-side JavaScript sandboxing framework. JSand requires no browser modifications: the sandboxing framework is implemented in JavaScript and is delivered to the browser by the websites that use it. Enforcement is done entirely at the client side: JSand enforces a server-specified policy on included scripts without requiring server-side filtering or rewriting of scripts. Most importantly, JSand is complete: access to all resources is mediated by the sandbox.
We describe the design and implementation of JSand, and we show that it is secure, backwards compatible, and that it performs sufficiently well.

Lieven Desmet is Research Manager on Software Secure at the iMinds-DistriNet Research Group (KU Leuven, Belgium), where he coaches junior researchers in web application security and participates in dissemination and valorization activities. His interests are in security of middleware and web-enabled technologies. Lieven is actively engaged in OWASP and is board member of the OWASP Chapter Belgium.

OWASP Top 10 vs Drupal, by Erwin Geirnaert (Zion Security)

Drupal is the most used and well-known open source content management system in the world. Created by Dries Buytaert years ago it has grown with the support of a big community. Drupal 7 is already released and there is an entire ecosystem for Drupal and Drupal web agencies.
During this presentation we will discuss the findings of an automated static code analysis of Drupal 6 and Drupal 7 and how Drupal protects against the OWASP Top 10 Application Security Risks. We will explain the security weaknesses that remain when you use Drupal and what you can implement to have a secure cloud server running Drupal.

Erwin founded ZION SECURITY in 2005 to help companies to protect against the latest threats, attacks against web applications. ZION SECURITY is nowadays a Belgian market leader in the field of security testing, vulnerability management, penetration testing and banking security. Erwin has more than 10 years of experience in web security, graduating with a Master of Science in Software Development from the University of Ghent. Erwin executes different types of projects for a lot of international software companies, financial institutions, telecom and web agencies. Specialist in executing code reviews in different development languages for critical applications, executing continuous penetration tests of their infrastructure and Internet applications. A specialist in J2EE, PHP, .NET, mobile app and web services security. Erwin architects secure e-business projects for web agencies and software companies. He is a recognized application security expert and speaker at international events like Javapolis, OWASP, Eurostar, LSEC,...

Forensics, by Marc Hullegie and Kees Mastwijk (Vest Information Security)

In today’s investigations, forensics has become an important investigative method in fighting and solving (cyber)crimes and irregularities. During the session you will be briefly taken through the landscape of Forensics Basics; the Fraud Triangle and scenario's; What to look for and the appliance of Digital Forensics. What are the Challenges, the required Skills and Expertise and Solutions to these challenges. Specific focus on the Forensics of Web Applications and what you can do the create a more forensic ready system.

Marc Hullegie is founder and CEO of Vest Information Security and is widely experienced in the information security business in all types of areas: Security Architecture and Infrastructure, Security Audits and Testing, Security Management, Awareness and Digital Forensics. He presents lectures at (international) conferences and is looking forward to share experiences at the OWASP Benelux days 2012 with you.

Kees Mastwijk is a security consultant working with Vest, acting as Security Auditor, Awareness Program leader and security Manager. He has a long (and ongoing) experience history in Digital Forensic Research.

Browser Security, by John Wilander (Svenska Handelbanken)

Coming soon!

John Wilander is a frontend software developer at Svenska Handelbanken, the second strongest bank in the world according to Bloomberg Markets. He has been researching and working in application security for ten years and is an active leader in OWASP, the Open Web Application Security Project. In 2011 he organized the OWASP Summit Browser Security sessions in Portugal, with participants from the security teams behind Chrome, Firefox, Internet Explorer, Flash, and PayPal. During his years in academia he was elected best computer science teacher twice and nowadays gives 5-10 professional talks per year.

Streamlining Application Vulnerability Management: Communication Between Development and Security Teams, by Dan Cornell (Denim Group)

Identifying application-level vulnerabilities via scanning, penetration tests and code reviews is only the first step in actually addressing the underlying risk. Managing vulnerabilities for applications is more challenging than dealing with traditional infrastructure-level vulnerabilities because they typically require the coordination of security teams with application development teams. The process also means that security managers need to get time from developers during already-cramped development and release schedules. In addition, fixes require changes to custom application code and application-specific business logic rather than the patches and configuration changes that are often sufficient to address infrastructure-level vulnerabilities. This presentation will illustrate the communication difficulties between security and development teams, and how this usually results in unactionable reports and fewer vulnerabilities remediated. In addition, the presentation will walk through an example workflow of addressing application vulnerabilities as software defects. This will be based on freely-available tools and show specific examples of how vulnerabilities can be grouped together, false positives can be culled out, and vulnerabilities transitioned to software defects, as well as how security managers can monitor and verify progress.

Dan Cornell has over fifteen years of experience architecting and developing web-based software systems. He leads Denim Group’s security research team in investigating the application of secure coding and development techniques to improve web-based software development methodologies.
Dan was the founding coordinator and chairman for the Java Users Group of San Antonio (JUGSA) and currently serves as the OWASP San Antonio chapter leader, member of the OWASP Global Membership Committee and co-lead of the OWASP Open Review Project. Dan has spoken at such international conferences as RSA, OWASP AppSec USA, and OWASP EU Research in Greece.

Social Event, November 29th

The social event is scheduled for Thursday, 29th of November and will start at around 19:30


Leuven (TBD)

Remark: Costs are around eur. 10,00.

Capture the Flag!

  • Do you like puzzles?
  • Do you like challenges?
  • Are you a hacker?

Whether you are an experienced hacker or new enthusiast you should come to OWASP BeNeLux 2012 and participate in the Capture the Flag event November 30th 2012.

The OWASP CTF is especially designed to support challengers of all skill levels. The CTF contains multiple challenges in various fields related to application security. As every challenge gains you one point, you can pick and choose which challenge you want to play.

All you need is a laptop with a wifi card and your favorite (preferably) non-commercial tools.

So come, show off your skills, learn new tricks and above all have a good time at the CTF event.

Hosted and co-organized by:

Logo_distrinet.png Nessos.png

Made possible by our Sponsors

OWASP Member Sponsor:


OWASP BeNeLux 2012 Sponsors:

Madison-gurkha-logo.jpg Sogeti_logo.png Logo_Vest_BIG_170.gif
Approach-sponsor.jpg Zionsecurity.jpg On2it-sponsor.png