Difference between revisions of "BeNeLux OWASP Day 2013"

From OWASP
Jump to: navigation, search
(Venue is)
m (added download link to presentation Jerome)
 
(71 intermediate revisions by 8 users not shown)
Line 1: Line 1:
<center>[[Image:owaspbnl12header.jpg]]<br></center>
+
<center>[[Image:Bnl13header-v.1.0.png]]<br></center>
 
<br><!-- Header -->
 
<br><!-- Header -->
  
Line 8: Line 8:
 
=== Welcome to OWASP BeNeLux 2013  ===
 
=== Welcome to OWASP BeNeLux 2013  ===
  
 +
'''Sorry, the registration is closed, no tickets left!'''
 +
 +
<!--[http://owaspbenelux2013.eventbrite.com/ http://www.owasp.org/images/7/77/Buttoncreate.png] -->
 +
 +
<!--
 
==== News ====
 
==== News ====
 
*  
 
*  
Line 22: Line 27:
 
<br>
 
<br>
  
==== Confirmed speakers Conferenceday ====
+
-->
 +
 
 +
==== Confirmed speakers Conference ====
 
{{#switchtablink:Conferenceday| <p>
 
{{#switchtablink:Conferenceday| <p>
* <br>
+
* Dick Berlijn (ex Chief of Defence NL)
* <br>
+
* Jan Joris Vereijken (ING)
* <br>
+
* Tom Van Goethem (University Leuven)
* <br>
+
* Jerome Nokin (Verizon Business)
* <br>
+
* Nick Nikiforakis (University Leuven)
* <br>
+
* Fakos Alexios and Jan Philipp (n.runs AG)
* <br>
+
* Migchiel de Jong (HP Fortify)
* <Br>
+
* Victor van der Veen (ITQ)
* <br>
+
 
}}
 
}}
 
<br>
 
<br>
Line 46: Line 52:
 
<br><br>
 
<br><br>
 
==== Donate to OWASP BeNeLux ====
 
==== Donate to OWASP BeNeLux ====
<paypal>BeNeLux OWASP Day 2013</paypal>
+
[https://co.clickandpledge.com/?wid=72689 Donate]
  
 
<!-- Second tab -->
 
<!-- Second tab -->
Line 54: Line 60:
 
==== OWASP BeNeLux training day and conference are free! ====  
 
==== OWASP BeNeLux training day and conference are free! ====  
  
=== Registration is not yet open: ===
+
=== Registration is closed ===
   
+
  Sorry but we already reached the maximum number of pariticipants.
[http://owaspbenelux2013.eventbrite.com/ http://www.owasp.org/images/7/77/Buttoncreate.png]
+
 
  
 
<br>
 
<br>
Line 71: Line 77:
 
=== Venue is  ===
 
=== Venue is  ===
  
''<br>
+
'''RAI Amsterdam - Entrance G'''
<br>
+
;Emerald Room
<br>''
+
;(On the first floor of the Auditorium Centre)
<br>
+
;Europaplein 2-22
 +
;1078 Amsterdam, THE NETHERLANDS
  
 
<br>'''Parking & roadmap''':
 
<br>'''Parking & roadmap''':
  
There is a public parking close to the conference venue.
+
There is a public parking at the conference venue.
  
 
Roadmap and parking:  
 
Roadmap and parking:  
Line 86: Line 93:
  
  
<!-- Fourth tab -->
+
<!-- Fourth tab - currently removed
  
 
= Trainingday =
 
= Trainingday =
Line 94: Line 101:
 
==== Location ====
 
==== Location ====
 
The training room is:  
 
The training room is:  
''Celestijnenlaan, 200A, fifth floor<br>
+
TBD
3001 Heverlee<br>
+
Belgium<br>''
+
 
<br>
 
<br>
  
Line 109: Line 114:
 
|-
 
|-
 
| 09h30 - 11h00 || Training
 
| 09h30 - 11h00 || Training
| rowspan="7" style="width:100px;" | [[#DinisCruz|Advanced O2, by Dinis Cruz <br/><br/> Room 04.112]]
+
| rowspan="7" style="width:100px;" | tbd
| rowspan="7" style="width:100px;" | [[#DanCornell|SDLC with Open Source tools, by Dan Cornell <br/><br/> Room 05.128]]
+
| rowspan="7" style="width:100px;" | tbd
| rowspan="7" style="width:100px;" | [[#VolkertDeBuisonje|Secure Java Development with ESAPI (hands-on), by Volkert de Buisonjé <br/><br/> Room 05.152]]
+
| rowspan="7" style="width:100px;" | tbd
| rowspan="7" style="width:100px;" | [[#MartinKnobloch|Essential Web Appplication Security (OWASP Top 10, Webgoat, WebScarab), by Martin Knobloch <br/><br/> Room 05.001]]
+
| rowspan="7" style="width:100px;" | tbd
 
|-
 
|-
 
| 11h00 - 11h30 ||  ''Coffee Break''
 
| 11h00 - 11h30 ||  ''Coffee Break''
Line 133: Line 138:
 
<br>
 
<br>
  
<div id="VolkertDeBuisonje"></div>
+
-->
 
+
=== Secure Java Development workshop with ESAPI, by Volkert de Buisonjé (Sogeti) ===
+
''Workshop:''<br>
+
First, attendees will receive a brief introduction on application awareness. Then they will get acquainted with Webgoat, a "deliberately insecure J2EE web application" designed as a practice tool for secure application development and testing. They will learn how to exploit some vulnerabilities in Webgoat, through for instance Cross-Site Scripting (CSS) and Cross-Site Request Forgery (CSRF) attacks. Finally, the ESAPI library will be introduced and the attendees will learn how to apply ESAPI to fix such vulnerabilities in Webgoat's source code.<br>
+
<br>
+
''Prerequisites for this workshop:''<br>
+
* Reasonable knowledge of and experience with Java development
+
* A laptop running a recent version of Linux, Mac OS X, or Windows
+
* The most recent version of VirtualBox (4.x) installed
+
* At least 2GB of RAM
+
* At least 2GB of disk space
+
<br>
+
''Bio:''<br>
+
Volkert de Buisonjé is a senior Java developer at Sogeti. He specializes in, and teaches application security courses, both to coworkers and to customers. Knowledge sharing (in both directions) is his passion. Volkert likes making friends and talking a lot. He never shuns a good discussion, and prefers to bring a high amount of interactivity to his classes. :-)<br>
+
<br>
+
<br>
+
 
+
<div id="DinisCruz"></div>
+
=== Advanced O2, by Dinis Cruz (Security Innovation) ===
+
''Workshop:''<br>
+
The O2 platform represents a new paradigm for how to perform, document and distribute Web Application security reviews. O2 is designed to Automate Security Consultants Knowledge and Workflows and to Allow non-security experts to access and consume Security Knowledge.
+
<br>
+
''Bio:''<br>
+
Dinis Cruz is a Security Consultant based in London (UK) and specialized in: ASP.NET/J2EE Application Security, Application Security audits and .NET Security Curriculum Development.<br>
+
For the past years Dinis has focused on the field of Static Source Code analysis, from May 2007 to Dec 2009 he worked as a independent consultant for Ounce Labs (bought by IBM in July 2009) where during active security engagements using Ounce's technology he developed the Open Source codebase which now is the foundation of the OWASP O2 Platform.<br>
+
Dinis is currently focused on making the O2 Platform the industry standard for consuming, instrumenting and data-sharing between the multiple WebAppSec tools, the Security consultants and the final developers. Dinis is a also active trainer on .Net security having written and delivered courses for IOActive, Foundstone, Intense School and KPMG (at multiple locations including BlackHat), and has delivered a number of presentations and keynote speeches at multiple OWASP and Security related conferences.<br>
+
At OWASP, Dinis is the leader of the OWASP O2 Platform project<br>
+
<br>
+
<br>
+
 
+
<div id="MartinKnobloch"></div>
+
 
+
=== Essential Web Appplication Security (OWASP Top 10, Webgoat, WebScarab), by Martin Knobloch (PervaSec) ===
+
''Abstract:''<br>
+
This workshop is an introduction into (web) application security with hands-on labs, using OWASP documentation and tooling.
+
You will be introduced into the security mindset, discus the OWASP TopTen 2010 and learn basic skills in how to find vulnerabilities in web applications. All tools and documentation are provided during the training.<br>
+
<b>As this is an hands-on workshop, please bring your own laptop!</b> <br>
+
Course structure:
+
*Introduction OWASP, OWASP tool and documentation
+
*Security Testing mindset               
+
*1st Lab: OWASP WebGoat / WebScarab                     
+
*OWASP Top Ten 2010
+
*OWASP Testing Guide                           
+
*2nd Lab: OWASP WebGoat / WebScarab             
+
*3rd Lab: OWASP Hackademic / ZAP                       
+
*Summary and completion 
+
Prerequisites for this workshop:
+
*Basic understanding of HTTP and web application testing/development
+
*An open mind
+
<br>
+
''Bio:''<br>
+
Martin is an independent security consultant and owner of PervaSec (http://www.pervasec.nl). His main working area is (software) security in general, from awareness to implementation. In his daily work, he is responsible for education in application security matters, advise and implementation of application security measures.<br>
+
At OWASP, Martin is member of the Dutch chapter board and chair of the Global Education Committee and contributes to several projects.<br>
+
Martin is a frequent speaker at conferences, universities and hacker spaces.
+
<br>
+
 
+
 
+
<div id="DanCornell"></div>
+
 
+
=== Building a Software Security Program On Open Source Tools, by Dan Cornell (Denim Group) ===
+
''Abstract:''<br>
+
Using the Software Assurance Maturity Model (OpenSAMM) as a framework, this course walks through the major components of a comprehensive software security program and highlights open source and other freely-available tools that can be used to help implement the activities involved in such a program. The focus of the course is on providing hands-on demonstrations of the tools with an emphasis on integrating tool results into the overall software security program. Featured tools include: ESAPI, Microsoft Web Protection Library, FindBugs, FxCop, CAT.NET, Brakeman, Agnitio, Arachini, w3af, ZAProxy, ThreadFix as well as other educational resources from OWASP. Attendees should finish the course with a solid understanding of the various components of a comprehensive software security program as well as hands-on experience with a variety of freely-available tools that they can use to implement portions of these programs.<br>
+
<br>
+
''Outline:''<br>
+
* So You Want To Roll Out A Software Security Program?
+
* The Software Assurance Maturity Model (OpenSAMM)
+
* ThreadFix: Overview
+
* Governance: Strategy and Metrics
+
** ThreadFix: Reporting
+
* Governance: Policy and Compliance
+
* Governance: Education and Guidance
+
** OWASP Development Guide
+
** OWASP Cheat Sheets
+
** OWASP Secure Coding Practices
+
* Construction: Threat Assessment
+
* Construction: Security Requirements
+
* Construction: Secure Architecture
+
** ESAPI overview
+
** Microsoft Web Protection Library (Anti-XSS) overview
+
* Verification: Design Review
+
** Microsoft Threat Analysis and Modeling Tool
+
* Verification: Code Review
+
** FindBugs
+
** FxCop
+
** CAT.NET
+
** Brakeman
+
** Agnitio
+
* Verification: Security Testing
+
** Arachni
+
** w3af
+
** ZAProxy
+
* Deployment: Vulnerability Management
+
** ThreadFix: Defect Tracker Integration
+
* Deployment: Environment Hardening
+
** Microsoft Baseline Security Analyzer (MBSA)
+
* Deployment: Operational Enablement
+
** mod_security
+
<br>
+
''Bio:''<br>
+
Dan Cornell has over fifteen years of experience architecting and developing web-based software systems. He leads Denim Group’s security research team in investigating the application of secure coding and development techniques to improve web-based software development methodologies.<br>
+
Dan was the founding coordinator and chairman for the Java Users Group of San Antonio (JUGSA) and currently serves as the OWASP San Antonio chapter leader, member of the OWASP Global Membership Committee and co-lead of the OWASP Open Review Project. Dan has spoken at such international conferences as RSA, OWASP AppSec USA, and OWASP EU Research in Greece.<br>
+
<br>
+
  
  
Line 242: Line 145:
 
= Conferenceday =
 
= Conferenceday =
  
==== Conferenceday, November 30th ====
+
==== Conferenceday, November 29th ====
  
 
==== Location ====
 
==== Location ====
The conference takes place in auditorium K.06, the registration and catering in the foyer of building 200A (ground floor)  (for details, check the {{#switchtablink:Venue|Venue}} tab)
+
TBD (for details, check the {{#switchtablink:Venue|Venue}} tab)
  
 
==== Agenda ====  
 
==== Agenda ====  
Line 255: Line 158:
 
| colspan="2" style="text-align: center; background: grey; color: white" | ''Registration''
 
| colspan="2" style="text-align: center; background: grey; color: white" | ''Registration''
 
|-  
 
|-  
| 10h00 - 10h15 || OWASP Benelux Organization || Welcome ([https://www.owasp.org/images/a/ad/OWASP_BeNeLux_Day_2012_-_Organization_welcome.ppt PPT])
+
| 10h00 - 10h15 || OWASP Benelux Organization || '''[[Media: OWASP_benelux-day_2013_opening_agenda_closing.pdf | Welcome]]'''
 +
|-
 +
| 10h15 - 10h30 || Sebastien Deleersnyder, OWASP Global || '''[https://www.owasp.org/images/4/49/OWASP_Update_BeNeLux_2013.pptx OWASP update]'''
 
|-
 
|-
| 10h15 - 10h30 || Sebastien Deleersnyder || OWASP update ([https://www.owasp.org/images/d/d7/OWASP-Update-BeNeLux-Day-2012_v1.pptx PPT])
+
| 10h30 - 11h10 || [[#JanJorisVereijken|Jan Joris Vereijken]] || '''Keynote: Inside the mind of the fraudster'''
 
|-
 
|-
| 10h30 - 11h10 || [[#JohnWilander|John Wilander]] || ''' Secure Web Integration Patterns in the Era of HTML5'''<br>''Abstract:'' Quite a few organizations are finding themselves in a legacy situation with their web applications. Over ten years have passed since the era of dynamic HTML and with the rise of HTML5 and mobile platforms there is now need to gradually move these legacy beasts into a new architecture. Additionally, more and more third party services are offered such as maps, tracking, social media tie-ins, video etc. What are the possible and suitable design patterns for bringing new web, old web, and third party web together? Can we isolate them from each other to secure the new apps from legacy and third party security vulnerabilities? We will dig into the postMessage api, the iframe sandbox directive, CORS, and the same-origin policy while comparing it to the previous generation of integration with jsonp and other hacks.
+
| 11h10 - 11h30
 +
| colspan="2" style="text-align: center;background: grey; color: white" | ''Morning Break''  
 
|-
 
|-
| 11h10 - 11h50 || [[#LievenDesmet|Lieven Desmet]] || '''Sandboxing Javascript''' ([https://www.owasp.org/images/1/10/Sandboxing-Javascript.pdf PDF])<br>''Abstract:'' The inclusion of third-party scripts in web pages is a common practice. A recent study has shown that more than half of the Alexa top 10 000 sites include scripts from more than 5 different origins. However, such script inclusions carry risks, as the included scripts operate with the privileges of the including website.<br>
+
| 11h30 - 12h10 || [[#TomVanGoethem|Tom Van Goethem]] || '''[[Media:RemoteCodeExecutionInWordPress-OWASPBeNeLux-Tom_Van_Goethem.pdf | Remote code execution in WordPress: an analysis]]'''
In this talk, we propose JSand, a server-driven but client-side JavaScript sandboxing framework. JSand requires no browser modifications: the sandboxing framework is implemented in JavaScript and is delivered to the browser by the websites that use it. Enforcement is done entirely at the client side: JSand enforces a server-specified policy on included scripts without requiring server-side filtering or rewriting of scripts.<br>
+
Most importantly, JSand is complete: access to all resources is mediated by the sandbox.<br>
+
We describe the design and implementation of JSand, and we show that it is secure, backwards compatible, and that it performs sufficiently well.<br>
+
 
|-
 
|-
| 11h50 - 12h30 || [[#ErwinGeirnaert|Erwin Geirnaert]] || '''OWASP Top 10 vs Drupal'''<br>''Abstract:'' Drupal is the most used and well-known open source content management system in the world. Created by Dries Buytaert years ago it has grown with the support of a big community. Drupal 7 is already released and there is an entire ecosystem for Drupal and Drupal web agencies.<br>
+
| 12h10 - 12h50 || [[#AlexiosFakosAndJanPhilipp|Alexios Fakos & Jan Philipp]] || '''[[Media:OWASP_BeNeLux-SharePoint-Comprehensive_Security_model_v1.0.pdf | Getting a handle on SharePoint security complexity]]'''
During this presentation we will discuss the findings of an automated static code analysis of Drupal 6 and Drupal 7 and how Drupal protects against the OWASP Top 10 Application Security Risks. We will explain the security weaknesses that remain when you use Drupal and what you can implement to have a secure cloud server running Drupal.<br>
+
 
|-
 
|-
| 12h30 - 13h30
+
| 12h50 - 13h30
 
| colspan="2" style="text-align: center;background: grey; color: white" | ''Lunch''  
 
| colspan="2" style="text-align: center;background: grey; color: white" | ''Lunch''  
 
|-
 
|-
| 13h30 - 14h10 || [[#AsiaSlowinska|Asia Slowinska]] || '''Body Armor for Binaries'''<br>''Abstract:'' BinArmor is a novel technique to protect existing C binaries from memory corruption attacks on both control data and non-control data. Without access to source code, non-control data attacks cannot be detected with current techniques. Our approach hardens binaries against both kinds of overflow, without requiring the pro- grams’ source or symbol tables. We show that BinArmor is able to stop real attacks—including the recent non- control data attack on Exim. Moreover, we did not in- cur a single false positive in practice. On the downside, the current overhead of BinArmor is high—although no worse than competing technologies like taint analysis that do not catch attacks on non-control data. Specifi- cally, we measured an overhead of 70% for gzip, 16%- 180% for lighttpd, and 190% for the nbench suite.
+
| 13h30 - 14h10 || [[#DickBerlijn|Dick Berlijn]] || '''Keynote: Cyber warfare'''  
 
|-
 
|-
| 14h10 - 14h50 || [[#MarcHullegieAndKeesMastwijk|Marc Hullegie and Kees Mastwijk]] || '''Forensics'''<br>''Abstract:'' In today’s investigations, forensics has become an important investigative method in fighting and solving (cyber)crimes and irregularities. During the session you will be briefly taken through the landscape of Forensics Basics; the Fraud Triangle and scenario's; What to look for and the appliance of Digital Forensics. What are the Challenges, the required Skills and Expertise and Solutions to these challenges. Specific focus on the Forensics of Web Applications and what you can do the create a more forensic ready system.<br>
+
| 14h10 - 14h50 || [[#MigchieldeJong|Migchiel de Jong]] || ''' [[Media:owasp2013-mdejong.pdf | Static Analysis and code review; A journey through time]]'''
 
|-
 
|-
| 14h50 - 15h30 || [[#DanCornell|Dan Cornell]] || '''Streamlining Application Vulnerability Management: Communication Between Development and Security Teams'''<br>''Abstract:'' Identifying application-level vulnerabilities via scanning, penetration tests and code reviews is only the first step in actually addressing the underlying risk. Managing vulnerabilities for applications is more challenging than dealing with traditional infrastructure-level vulnerabilities because they typically require the coordination of security teams with application development teams. The process also means that security managers need to get time from developers during already-cramped development and release schedules. In addition, fixes require changes to custom application code and application-specific business logic rather than the patches and configuration changes that are often sufficient to address infrastructure-level vulnerabilities. This presentation will illustrate the communication difficulties between security and development teams, and how this usually results in unactionable reports and fewer vulnerabilities remediated. In addition, the presentation will walk through an example workflow of addressing application vulnerabilities as software defects. This will be based on freely-available tools and show specific examples of how vulnerabilities can be grouped together, false positives can be culled out, and vulnerabilities transitioned to software defects, as well as how security managers can monitor and verify progress.<br>
+
| 14h50 - 15h30 || [[#NickNikiforakis|Nick Nikiforakis]] || '''[[Media:webfingerprinting_owaspBENELUX2013.pdf |Everything you always wanted to know about web-based device fingerprinting (but were afraid to ask)]]'''
 
|-
 
|-
 
| 15h30 - 15h50
 
| 15h30 - 15h50
 
| colspan="2" style="text-align: center;background: grey; color: white" | ''Break''  
 
| colspan="2" style="text-align: center;background: grey; color: white" | ''Break''  
 
|-
 
|-
| 15h50 - 16h30 || [[#RuedigerBachmann|Ruediger Bachmann]] || '''Code review for Large Companies'''<br>''Abstract:''Static source code analysis should be an essential part in the secure software development life cycle (SDLC) to start to minimize the number of potential vulnerabilities already in a very early stage in the software development process.<br>
+
| 16h30 - 17h10 || [[#JeromeNokin|Jerome Nokin]] || '''[http://funoverip.net/wp-content/uploads/2013/12/Turning-your-managed-AV-into-my-botnet_OWASP2013_Nokin-Jerome_v1.1.pdf Turning your managed Anti-Virus into my botnet]'''
The introduction of static code analysis at a large software manufacturer is a big challenge. In addition to the technical difficulties – based on the sheer number and size of the software projects or the number of different programing languages – there are also non-technical issues like creating new security awareness, trainings to use the provided tools efficiently and integration of analysis processes into the software development and maintenance life cycle.<br>
+
This talk gives an overview of the company-wide introduction of static code analysis at SAP AG.
+
 
|-
 
|-
| 16h30 - 17h10 || [[#DinisCruz|Dinis Cruz]] || '''Making Security Invisible by Becoming the Developer’s Best Friends'''<br>''Abstract:'' Coming soon!
+
| 17h10 - 17h50 || [[#VictorvanderVeen|Victor van der Veen]] || '''[[Media:TraceDroid.pdf | TraceDroid: A Fast and Complete Android Method Tracer]]'''
 
|-
 
|-
| 17h10 - 17h50 ||
+
| 17h50 - 18h00 || OWASP Benelux 2013 organization || '''Closing Notes'''
* Steven Wierckx
+
* Luc Beirens
+
* Jos Dumortier
+
* Dieter Sarrazyn
+
* Erwin Geirnaert
+
* John Wilander
+
|| '''Panel Discussion about the legal aspects of penetration testing'''<br> ''Abstract:'' In the past couple of years security has become a more visible topic in the media. As a result many companies are asking for security reviews in the form of a penetration test. A lot of entrepreneurs took the opportunity to form teams and/or companies that provide such services. There seems to be a lack of clear (standard) legal documentation to cover these activities both for the penetration tester and the company under review. With this panel discussion we would like to discuss this situation and to see if there is a possibility to have a standard document or framework that can be used as a starting point for companies and professionals to use as a contract. The purpose would be to end up with a (set of) documents similar to the “Testaankoop standard huurcontract”, this is a well-known Belgian contract framework for renting a house where both parties are protected and that is clear to both parties. It can be used without further legal intervention.
+
|-
+
| 17h50 - 18h00 || OWASP Benelux 2012 organization || '''Closing Notes'''
+
 
|}
 
|}
  
Line 302: Line 193:
 
<br>
 
<br>
  
<div id="AsiaSlowinska"></div>
 
  
=== Body Armor for Binaries, by Asia Slowinska (Vrije Universiteit Amsterdam) ===
+
<div id="JanJorisVereijken"></div>
 +
 
 +
=== Key note: Inside the mind of the fraudster, by Jan Joris Vereijken (Chief Security Architect, ING) ===
 
''Abstract:''<br>
 
''Abstract:''<br>
BinArmor is a novel technique to protect existing C binaries from memory corruption attacks on both control data and non-control data. Without access to source code, non-control data attacks cannot be detected with current techniques. Our approach hardens binaries against both kinds of overflow, without requiring the pro- grams’ source or symbol tables. We show that BinArmor is able to stop real attacks—including the recent non- control data attack on Exim. Moreover, we did not in- cur a single false positive in practice. On the downside, the current overhead of BinArmor is high—although no worse than competing technologies like taint analysis that do not catch attacks on non-control data. Specifi- cally, we measured an overhead of 70% for gzip, 16%- 180% for lighttpd, and 190% for the nbench suite.<br>
+
When we talk about banking malware, we typically think of bits and bytes: Zeus variants, field injections, Man-in-the-Browser attacks, or forensic analysis of infected PCs. What is actually much more interesting, is to understand what is driving the fraudster. He’s doesn’t care about bits and bytes, he’s just in it for the money. If we get into the mind of the fraudster, we can suddenly understand many issues much better. We’ll see that authentication is irrelevant, fraudsters don’t want to steal millions, that they hate the mobile app, and many more surprising things your never realized were keeping our poor fraudster awake at night.
 +
<br>
 
<br>
 
<br>
 
''Bio:''<br>
 
''Bio:''<br>
I am a postdoctoral researcher in the System and Network Security group at the Vrije Universiteit Amsterdam, under the guidance of Prof. dr. ir. Herbert Bos.<br>
+
'''Jan Joris Vereijken''' holds a Ph.D. in Computing Science from the Eindhoven University of Technology, where he worked on algebraic protocol verification. After a brief stint at Bell Laboratories to work on Software Engineering, he moved to ING, the Dutch banking conglomerate. <br>
I obtained my PhD from the Vrije Universiteit Amsterdam. My dissertation Using information flow tracking to protect legacy binaries was completed under the supervision of Prof. dr. ir. Herbert Bos, while my copromotor was Prof. dr. ir. Henri E. Bal.<br>
+
In his current role as Chief Security Architect, he is responsible for the security architecture in the 35-odd countries where ING has banking operations.<br>
During my PhD studies, I interned twice with Microsoft Research Cambridge, where I joined the Systems and Performance Group. I also spent few months interning with the Systems and Security Department at Institute for Infocomm Research in Singapore.<br>
+
My research focuses on developing techniques to automatically analyze and reverse engineer complex software that is available only in binary form. Further, I’ve been looking into mechanisms that proactively protect software from malicious activities. Currently, I am involved in a project on Reverse Engineering of binaries, known as Rosetta.<br>
+
 
<br>
 
<br>
  
<div id="RuedigerBachmann"></div>
+
<div id="TomVanGoethem"></div>
=== Code review for Large Companies, by Ruediger Bachmann (SAP) ===
+
=== Remote code exection in WordPress: an analysis, by Tom Van Goethem (PhD Researcher, University of Leuven) ===
 
''Abstract:''<br>
 
''Abstract:''<br>
Static source code analysis should be an essential part in the secure software development life cycle (SDLC) to start to minimize the number of potential vulnerabilities already in a very early stage in the software development process.<br>
+
With over 13 million downloads, WordPress is one of the most popular open source blog platforms and content management systems. One of its key features is the installation of plugins. These are developed by third parties, but WordPress has to maintain its legacy codebase in order to remain compatible with these plugins. As this codebase makes use of unsafe functions, vulnerabilities may arise, affecting thousands websites - if not more. This presentation will focus on a vulnerability that has been present in WordPress versions up to September 2013. This vulnerability, which may lead to Remote Code Execution, was found by a simple combination of two publicly known elements: PHP Object Injection and unexpected behaviour of MySQL regarding Unicode characters.
The introduction of static code analysis at a large software manufacturer is a big challenge. In addition to the technical difficulties – based on the sheer number and size of the software projects or the number of different programing languages – there are also non-technical issues like creating new security awareness, trainings to use the provided tools efficiently and integration of analysis processes into the software development and maintenance life cycle.<br>
+
<br>
This talk gives an overview of the company-wide introduction of static code analysis at SAP AG.
+
::[[Media:RemoteCodeExecutionInWordPress-OWASPBeNeLux-Tom_Van_Goethem.pdf | Download the presentation as PDF]]
 
<br>
 
<br>
 
''Bio:''<br>
 
''Bio:''<br>
After graduating with a degree in mathematics and computer science at the University of Giessen in 1997, Ruediger Bachmann worked at various software companies and IT service providers mainly in software development. Currently he is employed at SAP AG in Germany as a Development Architect in the central code analysis team. There he is focusing on application security and security code scans.<br>
+
'''Tom Van Goethem''' is passionate about web security. After getting a master's degree of Applied Informatics, he enrolled in a PhD at the University of Leuven. As a student with a chronic drinking problem, he still found some time to hunt bugs for fun (and profit).<br>
 +
<br>
  
<div id="LievenDesmet"></div>
+
<div id="AlexiosFakosAndJanPhilipp"></div>
 
+
=== Getting a handle on SharePoint security complexity, by Jan Philipp (Solutions Consultant Security, n.runs) and Alexios Fakos (Principal IT Security Consultant, n.runs) ===
=== Sandboxing JavaScript, by Lieven Desmet (Research Manager at KU Leuven) ===
+
 
''Abstract:''<br>
 
''Abstract:''<br>
The inclusion of third-party scripts in web pages is a common practice. A recent study has shown that more than half of the Alexa top 10 000 sites include scripts from more than 5 different origins. However, such script inclusions carry risks, as the included scripts operate with the privileges of the including website.<br>
+
This presentation’s main goal is to provide decision makers, architects, administrators and developers with a comprehensive SharePoint security overview. We will introduce a SharePoint security model applicable to SharePoint versions 2010 and 2013. Then we will take a closer look at the use of different types of security principals and their effective use. This will be followed by covering security aspects when implementing and extending SharePoint to meet business needs and will be emphasized by showcasing common security pitfalls with examples throughout the presentation. This will be demonstrated with security down to the “nitty-gritty” details based on actual use cases and tips and pitfalls that have been encountered during security assessments and implementation of SharePoint solutions.
In this talk, we propose JSand, a server-driven but client-side JavaScript sandboxing framework. JSand requires no browser modifications: the sandboxing framework is implemented in JavaScript and is delivered to the browser by the websites that use it. Enforcement is done entirely at the client side: JSand enforces a server-specified policy on included scripts without requiring server-side filtering or rewriting of scripts. Most importantly, JSand is complete: access to all resources is mediated by the sandbox.<br>
+
<br>
We describe the design and implementation of JSand, and we show that it is secure, backwards compatible, and that it performs sufficiently well.<br>
+
::[[Media:OWASP_BeNeLux-SharePoint-Comprehensive_Security_model_v1.0.pdf | Download the presentation as PDF]]
 
<br>
 
<br>
 
''Bio:''<br>
 
''Bio:''<br>
Lieven Desmet is Research Manager on Software Secure at the iMinds-DistriNet Research Group (KU Leuven, Belgium), where he coaches junior researchers in web application security and participates in dissemination and valorization activities. His interests are in security of middleware and web-enabled technologies. Lieven is actively engaged in OWASP and is board member of the OWASP Chapter Belgium.<br>
+
'''Jan Philipp''' (MCT since 1989, MCITP, MCSE) works as a security consultant at n.runs, where he is responsible for design and implementation security assessments of complex global SharePoint infrastructures and solutions for major German and international companies. He has been involved with SharePoint technologies from their inception with Digital Dashboards throughout their many development changes (TeamSpaces, MOSS etc.) to the present day SharePoint and SharePoint Live versions.<br>
 +
'''Alexios Fakos''' (CRISC, CSSLP) began his career in development as a Software Engineer back in 1999. After seven years of inspired insights in the software industry he joined n.runs to be part of the security team. Alexios is leading n.runs SDL services and he is since 2008 part of the German OWASP chapter. Alexios held presentations at OWASP AppSec US and Germany.
 
<br>
 
<br>
 
<br>
 
<br>
  
<div id="ErwinGeirnaert"></div>
+
 
=== OWASP Top 10 vs Drupal, by Erwin Geirnaert (Zion Security) ===
+
<div id="DickBerlijn"></div>
 +
=== Title, by Dick Berlijn ===
 
''Abstract:''<br>
 
''Abstract:''<br>
Drupal is the most used and well-known open source content management system in the world. Created by Dries Buytaert years ago it has grown with the support of a big community. Drupal 7 is already released and there is an entire ecosystem for Drupal and Drupal web agencies.<br>
+
[http://www.youtube.com/watch?feature=player_embedded&v=l_XOrcBxy-E Link to the movie on YouTube]
During this presentation we will discuss the findings of an automated static code analysis of Drupal 6 and Drupal 7 and how Drupal protects against the OWASP Top 10 Application Security Risks. We will explain the security weaknesses that remain when you use Drupal and what you can implement to have a secure cloud server running Drupal.<br>
+
<br>
 
<br>
 
<br>
 
''Bio:''<br>
 
''Bio:''<br>
Erwin founded ZION SECURITY in 2005 to help companies to protect against the latest threats, attacks against web applications. ZION SECURITY is nowadays a Belgian market leader in the field of security testing, vulnerability management, penetration testing and banking security. Erwin has more than 10 years of experience in web security, graduating with a Master of Science in Software Development from the University of Ghent. Erwin executes different types of projects for a lot of international software companies, financial institutions, telecom and web agencies. Specialist in executing code reviews in different development languages for critical applications, executing continuous penetration tests of their infrastructure and Internet applications. A specialist in J2EE, PHP, .NET, mobile app and web services security. Erwin architects secure e-business projects for web agencies and software companies. He is a recognized application security expert and speaker at international events like Javapolis, OWASP, Eurostar, LSEC,...<br>
+
'''Dick Berlijn'''
 +
<br>
 
<br>
 
<br>
  
<div id="MarcHullegieAndKeesMastwijk"></div>
+
<div id="MigchieldeJong"></div>
=== Forensics, by Marc Hullegie and Kees Mastwijk (Vest Information Security) ===  
+
 
 +
=== Static Analysis and code review; A journey through time, by Migchiel de Jong (Software Security Consultant, HP Fortify) ===
 
''Abstract:''<br>
 
''Abstract:''<br>
In today’s investigations, forensics has become an important investigative method in fighting and solving (cyber)crimes and irregularities. During the session you will be briefly taken through the landscape of Forensics Basics; the Fraud Triangle and scenario's; What to look for and the appliance of Digital Forensics. What are the Challenges, the required Skills and Expertise and Solutions to these challenges. Specific focus on the Forensics of Web Applications and what you can do the create a more forensic ready system.<br>
+
Static analysis techniques to support code review, not just for security, have been around for a long time. This talk will take you on journey from the early days of computer science to this modern day and age of cloud, BYOD and mobile apps and how the passing of time affected code review and the technology to support it. The takeaways from this session are; Understanding the fundamentals problems that have to be addressed to really get the benefits from using static analysis for code review. Trends in code review. Best practices for code review. What the future holds for code review.
 +
<br>
 +
::[[Media:owasp2013-mdejong.pdf | Download the presentation as PDF]]
 
<br>
 
<br>
 
''Bio:''<br>
 
''Bio:''<br>
Marc Hullegie is founder and CEO of Vest Information Security and is widely experienced in the information security business in all types of areas: Security Architecture and Infrastructure, Security Audits and Testing, Security Management, Awareness and Digital Forensics. He presents lectures at (international) conferences and is looking forward to share experiences at the OWASP Benelux days 2012 with you.<br>
+
'''Migchiel de Jong''' has developed hardware and software for the nuclear medicine and nuclear industry space for 10 years before joining Rational Software. During the 5 years at Rational Software (later acquired by IBM) he was involved in many software development process improvement projects. Having joined Fortify 9 years ago, Migchiel de Jong is currently working at HP Fortify, as a software security consultant helping large customers succeed with their software security assurance initiatives.<br>
<br>
+
''Bio:''<br>
+
Kees Mastwijk is a security consultant working with Vest, acting as Security Auditor, Awareness Program leader and security Manager. He has a long (and ongoing) experience history in Digital Forensic Research.<br>
+
 
<br>
 
<br>
  
<div id="JohnWilander"></div>
+
<div id="NickNikiforakis"></div>
=== Secure Web Integration Patterns in the Era of HTML5, by John Wilander (Svenska Handelbanken) ===
+
=== Everything you always wanted to know about web-based device fingerprinting (but were afraid to ask), by Nick Nikiforakis (Postdoctoral Researcher, University of Leuven) ===
 
''Abstract:''<br>
 
''Abstract:''<br>
Quite a few organizations are finding themselves in a legacy situation with their web applications. Over ten years have passed since the era of dynamic HTML and with the rise of HTML5 and mobile platforms there is now need to gradually move these legacy beasts into a new architecture. Additionally, more and more third party services are offered such as maps, tracking, social media tie-ins, video etc. What are the possible and suitable design patterns for bringing new web, old web, and third party web together? Can we isolate them from each other to secure the new apps from legacy and third party security vulnerabilities? We will dig into the postMessage api, the iframe sandbox directive, CORS, and the same-origin policy while comparing it to the previous generation of integration with jsonp and other hacks.
+
Billions of users browse the web on a daily basis,
 +
and there are single websites that have reached over one billion user
 +
accounts. In this environment, the ability to track users and their online habits can
 +
be very lucrative for advertising companies, yet very intrusive for the privacy of users.
 +
 
 +
In this talk, we are going to describe web-based device fingerprinting, i.e., the ability
 +
to tell users apart, without the use of cookies or any other client-side identifiers. We
 +
will explain how device fingerprinting works, who is using, for what reason, and how people
 +
are trying to defend against it today.
 +
<br>
 +
::[[Media:webfingerprinting_owaspBENELUX2013.pdf | Download the presentation as PDF]]
 
<br>
 
<br>
 
''Bio:''<br>
 
''Bio:''<br>
John Wilander is a frontend software developer at Svenska Handelbanken, the second strongest bank in the world according to Bloomberg Markets. He has been researching and working in application security for ten years and is an active leader in OWASP, the Open Web Application Security Project. In 2011 he organized the OWASP Summit Browser Security sessions in Portugal, with participants from the security teams behind Chrome, Firefox, Internet Explorer, Flash, and PayPal. During his years in academia he was elected best computer science teacher twice and nowadays gives 5-10 professional talks per year.<br>
+
'''Nick Nikiforakis''' is a Postdoctoral Researcher at KU Leuven in Belgium. Nick's interests lie
 +
in the analysis of online ecosystems from a security and privacy perspective and he has
 +
published his work in top conferences of his field. More information about him can be found
 +
on his personal page: http://www.securitee.org .<br>
 
<br>
 
<br>
<br>
 
 
<div id="DanCornell"></div>
 
  
=== Streamlining Application Vulnerability Management: Communication Between Development and Security Teams, by Dan Cornell (Denim Group) ===
+
<div id="JeromeNokin"></div>
 +
=== Turning your managed Anti-Virus into my botnet, by Jerome Nokin (Senior Security Consultant, Verizon Business) ===
 
''Abstract:''<br>
 
''Abstract:''<br>
Identifying application-level vulnerabilities via scanning, penetration tests and code reviews is only the first step in actually addressing the underlying risk. Managing vulnerabilities for applications is more challenging than dealing with traditional infrastructure-level vulnerabilities because they typically require the coordination of security teams with application development teams. The process also means that security managers need to get time from developers during already-cramped development and release schedules. In addition, fixes require changes to custom application code and application-specific business logic rather than the patches and configuration changes that are often sufficient to address infrastructure-level vulnerabilities. This presentation will illustrate the communication difficulties between security and development teams, and how this usually results in unactionable reports and fewer vulnerabilities remediated. In addition, the presentation will walk through an example workflow of addressing application vulnerabilities as software defects. This will be based on freely-available tools and show specific examples of how vulnerabilities can be grouped together, false positives can be culled out, and vulnerabilities transitioned to software defects, as well as how security managers can monitor and verify progress.<br>
+
Today centrally managed Anti-Virus (AV) solutions are used across all enterprises and are relied upon to provide central management, logging and enforcement. This talk presents the journey and the results of a reviewing the security posture of the core components of a few selected managed AV solutions, the central servers themselves.
<br>
+
Critical security vulnerabilities will be presented, covering SQL Injection, Directory Path Traversal and Buffer Overflow.
''Bio:''<br>
+
Particular focus will be given to the different steps required to analyze both protocols and management functionality and covers reverse-engineering, debugging and the creation of fuzzing tools. Who does not want to transform a major managed AV into his private botnet within minutes?
''Dan Cornell has over fifteen years of experience architecting and developing web-based software systems. He leads Denim Group’s security research team in investigating the application of secure coding and development techniques to improve web-based software development methodologies.<br>
+
Dan was the founding coordinator and chairman for the Java Users Group of San Antonio (JUGSA) and currently serves as the OWASP San Antonio chapter leader, member of the OWASP Global Membership Committee and co-lead of the OWASP Open Review Project. Dan has spoken at such international conferences as RSA, OWASP AppSec USA, and OWASP EU Research in Greece.''<br>
+
<br>
+
 
<br>
 
<br>
 +
::[http://funoverip.net/wp-content/uploads/2013/12/Turning-your-managed-AV-into-my-botnet_OWASP2013_Nokin-Jerome_v1.1.pdf Download the presentation as PDF]
  
<div id="DinisCruz"></div>
 
=== Making Security Invisible by Becoming the Developer’s Best Friends, by Dinis Cruz (Security Innovation) ===
 
''Abstract:''<br>
 
''Coming soon!''<br>
 
 
<br>
 
<br>
 
''Bio:''<br>
 
''Bio:''<br>
Dinis Cruz is a Security Consultant based in London (UK) and specialized in: ASP.NET/J2EE Application Security, Application Security audits and .NET Security Curriculum Development.<br>
+
'''Jerome Nokin''' works as a Security Consultant for Verizon Enterprise where he is a senior member of the Vulnerability Management Team mainly focusing on Penetration Tests
For the past years Dinis has focused on the field of Static Source Code analysis, from May 2007 to Dec 2009 he worked as a independent consultant for Ounce Labs (bought by IBM in July 2009) where during active security engagements using Ounce's technology he developed the Open Source codebase which now is the foundation of the OWASP O2 Platform.<br>
+
and Web Application Assessment. Prior to his role at Verizon he worked in the area of security covering both consultancy and ICT.<br>
Dinis is currently focused on making the O2 Platform the industry standard for consuming, instrumenting and data-sharing between the multiple WebAppSec tools, the Security consultants and the final developers. Dinis is a also active trainer on .Net security having written and delivered courses for IOActive, Foundstone, Intense School and KPMG (at multiple locations including BlackHat), and has delivered a number of presentations and keynote speeches at multiple OWASP and Security related conferences.<br>
+
At OWASP, Dinis is the leader of the OWASP O2 Platform project<br>
+
<br>
+
 
<br>
 
<br>
  
=== Panel discussion about the legal aspects of penetration testing ===
+
<div id="VictorvanderVeen"></div>
''with Steven Wierckx, Luc Beirens, Jos Dumortier, Dieter Sarrazyn, ...''<br><br>
+
=== TraceDroid: A Fast and Complete Android Method Tracer, by Victor van der Veen (Security Consultant, ITQ) ===
''Abstract:''<br> In the past couple of years security has become a more visible topic in the media. As a result many companies are asking for security reviews in the form of a penetration test. A lot of entrepreneurs took the opportunity to form teams and/or companies that provide such services. There seems to be a lack of clear (standard) legal documentation to cover these activities both for the penetration tester and the company under review. With this panel discussion we would like to discuss this situation and to see if there is a possibility to have a standard document or framework that can be used as a starting point for companies and professionals to use as a contract. The purpose would be to end up with a (set of) documents similar to the “Testaankoop standard huurcontract”, this is a well-known Belgian contract framework for renting a house where both parties are protected and that is clear to both parties. It can be used without further legal intervention.<br>
+
''Abstract:''<br>
 +
Tracedroid allows you to upload any Android APK file (i.e., an Android app) for automated analysis. Tracedroid records the behavior of the executed app, such as its network communication, the UI, but also its internal function calls and Java code that is executed. To trigger the app's real behavior, Tracedroid emulates a few actions, such as user interaction, incoming calls and SMS messages, etc. - this will reveal most malicious intents of an app (if any).<br>
 +
During this presentation, I will outline how Tracedroid is implemented and how its stimulation engine performs in terms of code coverage. I will also demonstrate how Tracedroid's output can help malware researchers to gain a better understanding of unknown Android applications during a live demo.<br>
 +
You can already give TraceDroid a try via http://tracedroid.few.vu.nl
 
<br>
 
<br>
<li>''Bio Steven Wierckx, ps_testware:''<br>
+
::[[Media:TraceDroid.pdf | Download the presentation as PDF]]
Steven Wierckx is currently working as Security Tester for [http://www.pstestware.com/ ps_testware], he specialises in web application security and keeps a security related blog [http://www.ihackforfun.eu/ ihackforfun]. He is also wrting articles and doing technical reviews for PenTest Magazine.<br>
+
<br>
+
<li>''Bio Luc Beirens, FCCU:''<br>
+
Head of Belgian Federal Computer Crime Unit & Chair EU Cybercrime Task Force trying to create partnerships and circumstances for a safer cyberspace.<br>
+
<br>
+
<li>''Bio Jos Dumortier, ICRI:''<br>
+
Jos Dumortier is Professor of ICT Law at the University of Leuven (Belgium) and the Director of the Interdisciplinary Research Centre for ICT and Law (ICRI) (www.icri.be). With his research team he participates in a series of R & D projects in the domain of telemedicine.<br>
+
He is also a member of the Bar of Brussels and partner in “time.lex”, a law firm specialized in information and technology law (www.timelex.eu).<br>
+
He participates in the boards of several national and international scientific and business associations and is a member of various editorial and program committees. <br>
+
He is the editor of the International Encyclopedia of Cyber Law and the author of more than one hundred books and articles on legal issues related to the information society.<br>
+
Jos Dumortier has taken the lead in a large number of European studies and projects in the area of information security, privacy and identity management. He worked on an assignment of the European Commission (DG INFSO) for a study on the legal obstacles for interoperable eHealth in Europe and on several studies for the Flemish government related to the implementation of a regional eHealth platform. He is also a member of the Flemish data protection supervisory authority for the health sector.<br>
+
<br>
+
<li>''Bio Dieter Sarrazyn, PWC:''<br>
+
Dieter is a senior manager and consultant within PwC and a team leader for Risk Management assessment services. His main focus is in performing penetration tests (external as well as internal), performing security audits, creating and evaluating security architectures,and creating and setting up vulnerability management frameworks & tools. He is a Certified Information Systems Security Professional (CISSP), a Certified Intrusion Analyst (GCIA), a Certified Incident Handling Analyst (GCIH), a Certified Intrusion Analyst (GCIA) a GIAC Systems and Network Auditor (GSNA). Dieter is also SANS Local Mentor and SANS Community Teacher<br>
+
 
<br>
 
<br>
 +
''Bio:''<br>
 +
'''Victor van der Veen''' is a security consultant at ITQ and holds a MSc degree in Computer Science from the VU University Amsterdam. TraceDroid is part of his master thesis titled ‘Dynamic Analysis of Android Malware’ for which he co-worked with the Andrubis team from Vienna’s iSecLab. His interests are low-level system topics that enhance system security, as well as reverse engineering and analyzing malicious code. His previous work involves the implementation of a (partial) thrust-worthy voting machine and an in depth analysis on trends in the field of memory errors (published at RAID 2012).
 
<br>
 
<br>
 +
  
 
<!-- Sixth tab -->
 
<!-- Sixth tab -->
Line 421: Line 309:
 
= Social Event =
 
= Social Event =
  
==== Social Event, November 29th ====
+
==== Social Event, November 28th ====
 +
'''You (still) got that swing, and what about the moves ? We've got the Balls!'''
  
==== <B>Important Update</B> ====
+
:So "Pin" your schedule to the OWASP Benelux Days - Social Event.
The brewery visit is limit to 60 people. Therefor, the 60 first registered people that indicated interest in the social event have been invited to participate. Any remaining tickets will be offered on Thursday around noon at the registration desk.
+
:Thursday Night the 28th of November, our partner Vest Information Security is happy to invite you at:
  
If you are going by car, there are paid parkings under the Railway station and at Kinepolis (follow the parking signs). If you want to go there from the venue without car, the best way to get there is to take bus No.2 that leaves next to the building and drives to the Railway station. From there, it is a 300 m. walk to the brewery.
+
:::Knijn Bowling
 +
:::Scheldeplein 3
 +
:::1078 GR  Amsterdam
 +
:::http://www.knijnbowling.nl/
  
All other people (and the people of the brewery tour after that has finished) are warmly invited to join us in the Downtown Jack, a pub with a number of pool and snooker tables. 5 pool tables have been exclusively reserved for us from 20h00 onwards. You can also have a drink and eat something there if you like.
+
;This is Amsterdams most famous retro-style bowling centre.
 
+
The address: Parkstraat 40, 3000 Leuven (see http://www.downtownjack.be/)
+
 
+
==== <B>Brewery Visit Information</B> ====
+
The social event will take place at the InBev Brewery in Leuven, where there will be a guided tour and a beer tasting.<br>
+
Unfortunately, the tour is limited to 60 people. Since we have more registered people than places, we will soon announce how we will
+
proceed.<br>
+
If you decide not to join, please inform the Benelux organisation, other participants will be happy to join.<br>
+
<br>
+
'''The entrance fee for the tour is 10 EUR'''. <br>
+
This amount will have to be paid to the Benelux organisation at the registration desk or upon entry in cash (please use correct notes).<br>
+
<br>
+
Below is the address where the event takes place. You can take your car, bus number 2 or a taxi to reach this.<br> '''The tour starts at 19h30 sharp'''.<br>
+
<br>
+
'''Address:''' <br>
+
Vuurkruisenlaan z/n <br>
+
3000 Leuven<br>
+
<br>
+
'''From the station:'''<br>
+
Take the street 'Diestepoort' (this street is parrallel with the railway behind the building)and walk straight through. You can see the brewery at the end of the street.<br>
+
'''By car:'''<br>
+
From the street diestesteenweg or beckeremieplein head to the railroadbridge. At the crossroad take first right, this is the entrance of the brewery. from the expressway R23 head to the Hotel ''NOVOTEL''. Take the street left from ''NOVOTEL'', this is the ''vuurkruisenlaan''. On your left side you can see the brewery. At the
+
next crossroad take the first left, this is the entrance of the brewery.<br>
+
<br>
+
'''ENTRANCE BREWERY:'''<br>
+
is also the entrance for the trucks, next to the railroadbridge.<br>
+
We will meet at the entrance at 19h30 where the tour will start.<br><br>
+
  
 +
:We are very happy to welcome you from 20:30.
 +
:Our Bowling Tracks are open from 21:30 - 24:00
  
 +
<hr>
 +
'''The OWASP BeNeLux-Day 2013 Social Event is sponsored by:"
 +
[http://www.vest.nl https://www.owasp.org/images/1/1d/Logo_Vest_BIG_170.gif]
 
<!-- Seventh tab -->
 
<!-- Seventh tab -->
  
Line 468: Line 338:
 
* Are you a hacker?
 
* Are you a hacker?
  
Whether you are an experienced hacker or new enthusiast you should come to OWASP BeNeLux 2012 and participate in the Capture the Flag event November 30th 2012.   
+
Whether you are an experienced hacker or new enthusiast you should come to OWASP BeNeLux 2013 and participate in the Capture the Flag event November 29th 2013.   
  
 
The OWASP CTF is especially designed to support challengers of all skill levels. The CTF contains multiple challenges in various fields related to application security. As every challenge gains you one point, you can pick and choose which challenge you want to play.
 
The OWASP CTF is especially designed to support challengers of all skill levels. The CTF contains multiple challenges in various fields related to application security. As every challenge gains you one point, you can pick and choose which challenge you want to play.
Line 485: Line 355:
 
==== Donate to OWASP BeNeLux ====
 
==== Donate to OWASP BeNeLux ====
  
<paypal>BeNeLux OWASP Day 2012</paypal>
+
[https://co.clickandpledge.com/?wid=72689 Sponsor]
  
  
Line 491: Line 361:
 
''Feel free to use the text below to promote our event!''
 
''Feel free to use the text below to promote our event!''
  
We invite you to our next OWASP event: the '''BeNeLux OWASP Days 2012!'''
+
We invite you to our next OWASP event: the '''BeNeLux OWASP Days 2013!'''
  
Free your agenda on the 29th and 30th of November, 2012.
+
Free your agenda on the 28th and 29th of November, 2013.
  
 
The good news: free! No fee!
 
The good news: free! No fee!
Line 503: Line 373:
 
__NOTOC__  
 
__NOTOC__  
 
<headertabs/>
 
<headertabs/>
 
 
==== Hosted and co-organized by: ====
 
 
[http://distrinet.cs.kuleuven.be https://www.owasp.org/images/4/4a/Logo_distrinet.png]
 
[http://www.nessos-project.eu/ https://www.owasp.org/images/5/52/Nessos.png]
 
  
 
==== Made possible by our {{#switchtablink:Sponsor|Sponsors}}====
 
==== Made possible by our {{#switchtablink:Sponsor|Sponsors}}====
  
==== OWASP Member Sponsor: ====
+
{{MemberLinks|link=http://www.pwc.com/|logo=PWC_log_resized.png}}
{{MemberLinks|link=http://www.pwc.com/|logo=PWC_log_resized.png}}  
+
[http://www.zionsecurity.com https://www.owasp.org/images/e/e6/Zionsecurity.jpg]
 +
[http://www.vest.nl https://www.owasp.org/images/1/1d/Logo_Vest_BIG_170.gif]
 +
[http://www.Checkmarx.com https://www.owasp.org/images/a/a2/Checkmarx.jpg]
 +
[http://www.sogeti.nl https://www.owasp.org/images/9/94/Sogeti_logo.png]
 +
[http://www.securify.nl https://www.owasp.org/images/7/7a/Securify_BV_logo.png]
 +
{{MemberLinks|link=https://www.whitehatsec.com/|logo=Whitehat.gif}}
 +
[http://www.nviso.be https://www.owasp.org/images/5/5e/Nviso_logo_RGB_baseline_200px.png]
 +
[https://informatiebeveiliging.nl/ https://www.owasp.org/images/9/9a/Logo_Informatiebeveiliging-200.png]
 +
[http://www8.hp.com/us/en/software-solutions/software-security/index.html https://www.owasp.org/images/a/af/HP_Blue_RGB_150_LG-200.png]
 +
[http://www.northwave.nl https://www.owasp.org/images/4/4c/LogoNorthwave.jpg]
 +
[http://www.cigital.com https://www.owasp.org/images/7/73/AppSecDC2012-Cigital.jpg]
 +
[[File:Deloitte.jpg||170px|link=http://www.deloitte.com/view/en_NL/nl]]
 +
[[File:Logo secwatch.jpg||170px|link=http://www.secwatch.nl]]
  
==== OWASP BeNeLux 2013 Sponsors: ====
 
[http://www.madisongurkha.nl https://www.owasp.org/images/6/6e/Madison-gurkha-logo.jpg]
 
[http://www.sogeti.nl https://www.owasp.org/images/9/94/Sogeti_logo.png]
 
[http://www.vest.nl https://www.owasp.org/images/1/1d/Logo_Vest_BIG_170.gif]
 
<br>
 
[http://www.iminds.be https://www.owasp.org/images/thumb/a/a1/Iminds-logo.png/200px-Iminds-logo.png]
 
[http://www.zionsecurity.com https://www.owasp.org/images/e/e6/Zionsecurity.jpg]
 
[http://on2it.net https://www.owasp.org/images/3/3d/On2it-sponsor.png]
 
 
<br>
 
<br>
  
  
 
[[Category:OWASP_AppSec_Conference]] [[Category:OWASP_BeNeLux_Archives]]
 
[[Category:OWASP_AppSec_Conference]] [[Category:OWASP_BeNeLux_Archives]]

Latest revision as of 05:48, 12 December 2013

Bnl13header-v.1.0.png



[edit]

Welcome to OWASP BeNeLux 2013

Sorry, the registration is closed, no tickets left!


Confirmed speakers Conference

  • Dick Berlijn (ex Chief of Defence NL)
  • Jan Joris Vereijken (ING)
  • Tom Van Goethem (University Leuven)
  • Jerome Nokin (Verizon Business)
  • Nick Nikiforakis (University Leuven)
  • Fakos Alexios and Jan Philipp (n.runs AG)
  • Migchiel de Jong (HP Fortify)
  • Victor van der Veen (ITQ)


The OWASP BeNeLux Program Committee

  • Bart De Win / Sebastien Deleersnyder/ Lieven Desmet/ David Mathy, OWASP Belgium
  • Martin Knobloch / Ferdinand Vroom, OWASP Netherlands
  • Jocelyn Aubert / Andre Adelsbach/ Thierry Zoller, OWASP Luxembourg


Tweet!

Event tag is #owaspbnl13

Donate


OWASP BeNeLux training day and conference are free!

Registration is closed

Sorry but we already reached the maximum number of pariticipants.



To support the OWASP organisation, consider to become a member, it's only US$50!
Check out the Membership page to find out more.


Venue is

RAI Amsterdam - Entrance G

Emerald Room
(On the first floor of the Auditorium Centre)
Europaplein 2-22
1078 Amsterdam, THE NETHERLANDS


Parking & roadmap:

There is a public parking at the conference venue.

Roadmap and parking:



Hotels nearby:



Conferenceday, November 29th

Location

TBD (for details, check the Venue tab)

Agenda

Time Speaker Topic
09h00 - 10h00 Registration
10h00 - 10h15 OWASP Benelux Organization Welcome
10h15 - 10h30 Sebastien Deleersnyder, OWASP Global OWASP update
10h30 - 11h10 Jan Joris Vereijken Keynote: Inside the mind of the fraudster
11h10 - 11h30 Morning Break
11h30 - 12h10 Tom Van Goethem Remote code execution in WordPress: an analysis
12h10 - 12h50 Alexios Fakos & Jan Philipp Getting a handle on SharePoint security complexity
12h50 - 13h30 Lunch
13h30 - 14h10 Dick Berlijn Keynote: Cyber warfare
14h10 - 14h50 Migchiel de Jong Static Analysis and code review; A journey through time
14h50 - 15h30 Nick Nikiforakis Everything you always wanted to know about web-based device fingerprinting (but were afraid to ask)
15h30 - 15h50 Break
16h30 - 17h10 Jerome Nokin Turning your managed Anti-Virus into my botnet
17h10 - 17h50 Victor van der Veen TraceDroid: A Fast and Complete Android Method Tracer
17h50 - 18h00 OWASP Benelux 2013 organization Closing Notes




Key note: Inside the mind of the fraudster, by Jan Joris Vereijken (Chief Security Architect, ING)

Abstract:
When we talk about banking malware, we typically think of bits and bytes: Zeus variants, field injections, Man-in-the-Browser attacks, or forensic analysis of infected PCs. What is actually much more interesting, is to understand what is driving the fraudster. He’s doesn’t care about bits and bytes, he’s just in it for the money. If we get into the mind of the fraudster, we can suddenly understand many issues much better. We’ll see that authentication is irrelevant, fraudsters don’t want to steal millions, that they hate the mobile app, and many more surprising things your never realized were keeping our poor fraudster awake at night.

Bio:
Jan Joris Vereijken holds a Ph.D. in Computing Science from the Eindhoven University of Technology, where he worked on algebraic protocol verification. After a brief stint at Bell Laboratories to work on Software Engineering, he moved to ING, the Dutch banking conglomerate.
In his current role as Chief Security Architect, he is responsible for the security architecture in the 35-odd countries where ING has banking operations.

Remote code exection in WordPress: an analysis, by Tom Van Goethem (PhD Researcher, University of Leuven)

Abstract:
With over 13 million downloads, WordPress is one of the most popular open source blog platforms and content management systems. One of its key features is the installation of plugins. These are developed by third parties, but WordPress has to maintain its legacy codebase in order to remain compatible with these plugins. As this codebase makes use of unsafe functions, vulnerabilities may arise, affecting thousands websites - if not more. This presentation will focus on a vulnerability that has been present in WordPress versions up to September 2013. This vulnerability, which may lead to Remote Code Execution, was found by a simple combination of two publicly known elements: PHP Object Injection and unexpected behaviour of MySQL regarding Unicode characters.

Download the presentation as PDF


Bio:
Tom Van Goethem is passionate about web security. After getting a master's degree of Applied Informatics, he enrolled in a PhD at the University of Leuven. As a student with a chronic drinking problem, he still found some time to hunt bugs for fun (and profit).

Getting a handle on SharePoint security complexity, by Jan Philipp (Solutions Consultant Security, n.runs) and Alexios Fakos (Principal IT Security Consultant, n.runs)

Abstract:
This presentation’s main goal is to provide decision makers, architects, administrators and developers with a comprehensive SharePoint security overview. We will introduce a SharePoint security model applicable to SharePoint versions 2010 and 2013. Then we will take a closer look at the use of different types of security principals and their effective use. This will be followed by covering security aspects when implementing and extending SharePoint to meet business needs and will be emphasized by showcasing common security pitfalls with examples throughout the presentation. This will be demonstrated with security down to the “nitty-gritty” details based on actual use cases and tips and pitfalls that have been encountered during security assessments and implementation of SharePoint solutions.

Download the presentation as PDF


Bio:
Jan Philipp (MCT since 1989, MCITP, MCSE) works as a security consultant at n.runs, where he is responsible for design and implementation security assessments of complex global SharePoint infrastructures and solutions for major German and international companies. He has been involved with SharePoint technologies from their inception with Digital Dashboards throughout their many development changes (TeamSpaces, MOSS etc.) to the present day SharePoint and SharePoint Live versions.
Alexios Fakos (CRISC, CSSLP) began his career in development as a Software Engineer back in 1999. After seven years of inspired insights in the software industry he joined n.runs to be part of the security team. Alexios is leading n.runs SDL services and he is since 2008 part of the German OWASP chapter. Alexios held presentations at OWASP AppSec US and Germany.


Title, by Dick Berlijn

Abstract:
Link to the movie on YouTube

Bio:
Dick Berlijn

Static Analysis and code review; A journey through time, by Migchiel de Jong (Software Security Consultant, HP Fortify)

Abstract:
Static analysis techniques to support code review, not just for security, have been around for a long time. This talk will take you on journey from the early days of computer science to this modern day and age of cloud, BYOD and mobile apps and how the passing of time affected code review and the technology to support it. The takeaways from this session are; Understanding the fundamentals problems that have to be addressed to really get the benefits from using static analysis for code review. Trends in code review. Best practices for code review. What the future holds for code review.

Download the presentation as PDF


Bio:
Migchiel de Jong has developed hardware and software for the nuclear medicine and nuclear industry space for 10 years before joining Rational Software. During the 5 years at Rational Software (later acquired by IBM) he was involved in many software development process improvement projects. Having joined Fortify 9 years ago, Migchiel de Jong is currently working at HP Fortify, as a software security consultant helping large customers succeed with their software security assurance initiatives.

Everything you always wanted to know about web-based device fingerprinting (but were afraid to ask), by Nick Nikiforakis (Postdoctoral Researcher, University of Leuven)

Abstract:
Billions of users browse the web on a daily basis, and there are single websites that have reached over one billion user accounts. In this environment, the ability to track users and their online habits can be very lucrative for advertising companies, yet very intrusive for the privacy of users.

In this talk, we are going to describe web-based device fingerprinting, i.e., the ability to tell users apart, without the use of cookies or any other client-side identifiers. We will explain how device fingerprinting works, who is using, for what reason, and how people are trying to defend against it today.

Download the presentation as PDF


Bio:
Nick Nikiforakis is a Postdoctoral Researcher at KU Leuven in Belgium. Nick's interests lie in the analysis of online ecosystems from a security and privacy perspective and he has published his work in top conferences of his field. More information about him can be found on his personal page: http://www.securitee.org .

Turning your managed Anti-Virus into my botnet, by Jerome Nokin (Senior Security Consultant, Verizon Business)

Abstract:
Today centrally managed Anti-Virus (AV) solutions are used across all enterprises and are relied upon to provide central management, logging and enforcement. This talk presents the journey and the results of a reviewing the security posture of the core components of a few selected managed AV solutions, the central servers themselves. Critical security vulnerabilities will be presented, covering SQL Injection, Directory Path Traversal and Buffer Overflow. Particular focus will be given to the different steps required to analyze both protocols and management functionality and covers reverse-engineering, debugging and the creation of fuzzing tools. Who does not want to transform a major managed AV into his private botnet within minutes?

Download the presentation as PDF


Bio:
Jerome Nokin works as a Security Consultant for Verizon Enterprise where he is a senior member of the Vulnerability Management Team mainly focusing on Penetration Tests and Web Application Assessment. Prior to his role at Verizon he worked in the area of security covering both consultancy and ICT.

TraceDroid: A Fast and Complete Android Method Tracer, by Victor van der Veen (Security Consultant, ITQ)

Abstract:
Tracedroid allows you to upload any Android APK file (i.e., an Android app) for automated analysis. Tracedroid records the behavior of the executed app, such as its network communication, the UI, but also its internal function calls and Java code that is executed. To trigger the app's real behavior, Tracedroid emulates a few actions, such as user interaction, incoming calls and SMS messages, etc. - this will reveal most malicious intents of an app (if any).
During this presentation, I will outline how Tracedroid is implemented and how its stimulation engine performs in terms of code coverage. I will also demonstrate how Tracedroid's output can help malware researchers to gain a better understanding of unknown Android applications during a live demo.
You can already give TraceDroid a try via http://tracedroid.few.vu.nl

Download the presentation as PDF


Bio:
Victor van der Veen is a security consultant at ITQ and holds a MSc degree in Computer Science from the VU University Amsterdam. TraceDroid is part of his master thesis titled ‘Dynamic Analysis of Android Malware’ for which he co-worked with the Andrubis team from Vienna’s iSecLab. His interests are low-level system topics that enhance system security, as well as reverse engineering and analyzing malicious code. His previous work involves the implementation of a (partial) thrust-worthy voting machine and an in depth analysis on trends in the field of memory errors (published at RAID 2012).


Social Event, November 28th

You (still) got that swing, and what about the moves ? We've got the Balls!

So "Pin" your schedule to the OWASP Benelux Days - Social Event.
Thursday Night the 28th of November, our partner Vest Information Security is happy to invite you at:
Knijn Bowling
Scheldeplein 3
1078 GR Amsterdam
http://www.knijnbowling.nl/
This is Amsterdams most famous retro-style bowling centre.
We are very happy to welcome you from 20:30.
Our Bowling Tracks are open from 21:30 - 24:00

The OWASP BeNeLux-Day 2013 Social Event is sponsored by:" Logo_Vest_BIG_170.gif

Capture the Flag!

  • Do you like puzzles?
  • Do you like challenges?
  • Are you a hacker?

Whether you are an experienced hacker or new enthusiast you should come to OWASP BeNeLux 2013 and participate in the Capture the Flag event November 29th 2013.

The OWASP CTF is especially designed to support challengers of all skill levels. The CTF contains multiple challenges in various fields related to application security. As every challenge gains you one point, you can pick and choose which challenge you want to play.

All you need is a laptop with a wifi card and your favorite (preferably) non-commercial tools.

So come, show off your skills, learn new tricks and above all have a good time at the CTF event.


Made possible by our Sponsors

PWC_log_resized.png        Zionsecurity.jpg Logo_Vest_BIG_170.gif Checkmarx.jpg Sogeti_logo.png Securify_BV_logo.png Whitehat.gif        Nviso_logo_RGB_baseline_200px.png Logo_Informatiebeveiliging-200.png HP_Blue_RGB_150_LG-200.png LogoNorthwave.jpg AppSecDC2012-Cigital.jpg Deloitte.jpg Logo secwatch.jpg