Netherlands Previous Events 2007

From OWASP
Revision as of 08:28, 20 December 2008 by Martinknobloch (Talk | contribs)



Meeting schedule 2007

This is an overview of the 2007 local chapter meeting schedule. Details of each meeting can be found in the announcements and minutes posted below this schedule.

December 20th 2007 
----------
Time         : 17.30 - 21.30
Main Topic   : Creating secure (web)applications
Presentations: Practices of developing optimal security (Dutch), Andre Post 
               Problems of developing secure and correct applications (Dutch), Erik Poll 
               Protecting Web services and Web applications against security threats (Dutch), Rix Groenboom
Location     : ps_testware B.V. - Dorpsstraat 26, 3941 JM Doorn
Sponsor      : ps_testware B.V. 

September 13th 2007
----------
Time         : 18.00 - 21.30
Main Topic   : Putting initiatives into practice 
Presentations: Security Best Practices for .NET, Boaz Shunami
Location     : Comsec Consulting BV - Rivium Boulevard 102, 2909 LK Capelle aan den IJssel
Sponsor      : Comsec Consulting BV

March 9th 2007
----------
Time         : 18.00 - 21.00
Main Topic   : Forming focus groups
Presentations: Improving Security in the Application Development Life-cycle, Migchiel de Jong
Location     : Getronics PinkRoccade - Fauststraat 1, 7323 BA Apeldoorn
Sponsor      : Getronics PinkRoccade (venue)

January 11th 2007 
----------
Time         : 18.00 - 21.30
Main Topic   : Putting software security into practice
Presentations: Implementation of Security by Design, Martin Knobloch 
Location     : Sogeti Nederland B.V. - "La Charmille" Lange Dreef 17, 4131 NJ Vianen
Sponsor      : Sogeti Nederland B.V.


Meeting minutes December 20th 2007

On December 20th, the Dutch OWASP chapter came together at the office of ps_testware in Doorn. The subject of the evening was 'creating secure (web)applications'. There were 3 speakers and close to 30 attendees.

First presentation: Practices of developing optimal security (Dutch), Andre Post
Andre spoke from his rich experience as software auditor and code reviewer. Based on that experience he stated that good, secure software can only be developed by developers with the right mindset. Security should not be tested into the software afterwards; it should be natural for developers to build it in from the start. For this you need developers who recognise where security flaws originate and how to prevent them. Developers with the necessary experience are rare, and development teams often lack the expertise needed to build secure software. The most important conclusion of his talk was that secure software starts with security-aware developers.

Second presentation: Problems of developing secure and correct applications (Dutch), Erik Poll
Erik Poll stated that besides having developers who are aware of security, you also need developers who know the limitations and inherent security weaknesses of the language they use. One of the problems is that many developers are never taught the inherent security holes of programming languages during their education.
Another problem is that software is often made secure for the wrong reasons. At this moment only two reasons appear to drive the development of secure software: economics and legislation. Security is mostly a secondary concern and as such is only implemented to the minimum requirement. Bad examples of big companies that develop insecure software and are still successful further reduce the demand for secure software.
On the positive side, many developers make the same mistakes, so testing for common security holes can easily be done with checklists and validation tools. These validation tools can be made more effective by adding annotations (metatags) to the code.
Erik concluded his talk by stating that improving the security of software can only be achieved when there is commitment, the knowledge is available, and software is developed and implemented with security in mind.

Third presentation: Protecting Web services and Web applications against security threats (Dutch), Rix Groenboom
The third presentation was about a problem that will probably keep growing in the coming years. Although security may be in scope when software is developed today, it certainly was not a requirement 20 or more years ago. Despite their intrinsic insecurity, these legacy systems are connected more and more to the world wide web to meet the demand for online availability. This poses a major security risk that will become more evident in the years to come and might grow bigger than the Y2K problem. Unlike modern software, these applications can only be made secure enough by using advanced testing strategies combined with test tools and thorough regression tests. Testing alone is not enough, however: to achieve maximum security, all connections to these systems should be set up on a 'deny unless' instead of an 'allow unless' basis.
The conclusion of Rix's talk was that old systems connected to new interfaces should be treated as insecure, and that all possible precautions should be taken to reach an acceptable level of security.
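The 'deny unless' versus 'allow unless' point above is easy to state and easy to get wrong when a legacy back end is exposed through a new front end. The following is an added example, not code from the original page or from the speaker: a minimal access-control layer in front of a hypothetical legacy system, written both ways. The client names, operation names and blocklist entries are constructed for illustration. The blocklist policy passes any operation nobody thought to forbid (including an undocumented debugging operation and a simple case variant of a forbidden one), while the allowlist policy only passes the few (client, operation) pairs the new interface actually needs.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Request:
    """A request arriving at the gateway in front of the legacy system (constructed example)."""
    client: str      # authenticated identity of the caller, e.g. the new web front end
    operation: str   # operation name that will be forwarded to the legacy system


# 'allow unless': a list of operations somebody remembered to forbid.
# Everything not on this list is forwarded to the legacy system.
BLOCKED_OPERATIONS = {"drop_table", "shutdown"}

# 'deny unless': the explicit set of (client, operation) pairs the new interface needs.
# Everything not on this list is rejected, including legacy operations nobody documented.
ALLOWED_PAIRS = {
    ("web-frontend", "get_balance"),
    ("web-frontend", "list_transactions"),
    ("batch-job", "post_transaction"),
}


def allow_unless(req: Request) -> bool:
    """Blocklist policy: forward unless the operation is explicitly known to be bad."""
    return req.operation not in BLOCKED_OPERATIONS


def deny_unless(req: Request) -> bool:
    """Allowlist policy: forward only if this client was explicitly granted this operation."""
    return (req.client, req.operation) in ALLOWED_PAIRS


def compare_policies(requests):
    """Evaluate both policies on the same traffic; returns (request, blocklist_verdict, allowlist_verdict)."""
    return [(r, allow_unless(r), deny_unless(r)) for r in requests]


if __name__ == "__main__":
    # Constructed sample traffic: legitimate use plus two things the blocklist never anticipated.
    sample = [
        Request("web-frontend", "get_balance"),   # legitimate
        Request("anyone", "debug_dump"),          # undocumented legacy operation
        Request("anyone", "DROP_TABLE"),          # case variant of a blocked operation
    ]
    for req, blocklist_ok, allowlist_ok in compare_policies(sample):
        print(f"{req.client:>13} {req.operation:<18} allow-unless={blocklist_ok!s:<5} deny-unless={allowlist_ok}")
```

The lesson for a legacy system is in the second and third rows: under 'allow unless', every operation the old system ever supported is reachable until someone enumerates and forbids it, and a trivial variation in the name already slips past; under 'deny unless', the only work is listing what the new front end genuinely needs, which is a short, reviewable list.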

Meeting December 20th 2007: Secure Development

Summary
The main goal of the upcoming OWASP-NL meeting is to provide information to developers and security professionals involved in creating secure (web) applications. The general and specific security issues at project and programming level will be covered from a practical as well as a theoretical point of view. The speakers will give specific examples and of course there is time to ask questions about your own experiences.
Please register before December the 14th because of the necessary catering arrangements.

Location
The location and catering is provided by the sponsor of this meeting:

ps_testware B.V.
Dorpsstraat 26,
3941 JM DOORN

Pstestware.jpg

The location has parking facilities for 15 cars. Parking in the direct vicinity of ps_testware shouldn't be a problem either.

ps_testware delivers services related to software testing and software quality. In the field of software development, quality, time-to-market, business processes and software acceptance they play the role of "your devil's advocate" as an independent, flexible and specialized partner.
For more information please visit: www.pstestware.com.



Program
17.30 - 18.30 Check-In (catering included)

18.30 - 19.00 Introduction (OWASP organization, projects, sponsor)

19.00 - 19.30 Practices of developing optimal security (Dutch), Andre Post
This presentation highlights a number of current practices that lead to sub-optimal security, and suggests ways of avoiding these problems, focusing on the technical side of development.
André Post works for Fox-IT on a variety of projects including core product development, software architecting, security code reviews, and software project management.

19.30 - 19.45 Break

19.45 - 20.30 Problems of developing secure and correct applications (Dutch), Erik Poll (slides of the presentation)
This presentation will discuss different possibilities to improve software security. The problem of getting time and money made available to be spent on security, not only for developing applications but also for developing programming languages, will be raised.
Erik Poll is head of the Security of Systems (SoS) group at the Radboud University of Nijmegen. His research focuses on the security and correctness of software.

20.30 - 21.00 Protecting Web services and Web applications against security threats (Dutch), Rix Groenboom
During this session, Rix will explore how to implement development and security best practices in the code to make sure that your web services and applications hold up when they are being attacked or used in malicious ways.
Rix Groenboom supports Fortune 2000 companies in the field of automated software error prevention and correction for Parasoft. His main area of expertise is the use of formal languages for the specification, design and validation of software applications.

21.00 - 21.30 Discussion, questions and social

All OWASP chapter meetings are free of charge and you don’t have to be an OWASP member to attend. There are never any vendor pitches or sales presentations at OWASP meetings.

NOTE TO CISSP's: OWASP Meetings count towards CPE Credits.

The announcement and full descriptions can be found here:
Media:Announcement_20_December.pdf
Media:Announcement_20_December_2.pdf

Meeting September 13th: putting initiatives into practice

The main goal of the next OWASP meeting is to find a way to turn the initiatives and all the offered help into structural benefit for the OWASP Netherlands local chapter. As a starting point for the discussion, examples will be taken from other European chapters, and input from discussions on the mailing list will be considered too. Consider this a call to put your ideas on the mailing list before the next meeting!

The location is provided by the sponsor of this meeting:
Comsec Consulting BV
Rivium Boulevard 102
2909LK Capelle aan den IJssel

The agenda:
18.00 - 18.30 Check-In (catering included)
18.30 - 18.45 OWASP update, Bert Koelewijn
18.45 - 19.15 Security Best Practices for .NET, Boaz Shunami
19.15 - 20.00 Discussion: collecting ideas and initiatives
20.00 - 20.15 Coffee break
20.15 - 21.00 Discussion: how to enable community commitment
21.00 - 21.30 Closing discussion and coffee

Boaz Shunami
Boaz is manager of the Application Security department of Comsec Europe. He has 11 years of experience in the IT security field, a large part of them in application security.
Boaz has performed numerous application security audits in very large organizations and is recognized as one of the leading experts worldwide. His expertise is broad, but especially in-depth for the .NET platform.

Discussion input (until now)
- division of local chapter work load by multiple people
- collaboration with other organizations

If you want to attend send an email to owasp@irc2.com.

All OWASP chapter meetings are free, there are never vendor pitches or sales presentations at OWASP meetings.

NOTE TO CISSP's: OWASP Meetings count towards CPE Credits.

Meeting March 9th 2007: Second meeting of the OWASP Netherlands local chapter!

In this second meeting, focus groups are to be formed to discuss common problems and to develop and research common solutions in a vendor-neutral environment. So this is a very good opportunity to get in contact with others and to exchange knowledge and experiences on specific topics.

For every focus group the following questions have to be answered:
1. Which specific topic is to be addressed?
2. What are the deliverables?
3. What is the relation to OWASP? (Current projects, materials, expertise and knowledge interchange, etc.)
4. Who is the central contact of the subgroup?

It would be nice to have a bigger and more diverse group compared to the first meeting. So let's recall: "Please, bring at least one friend next time." And don't hesitate to forward this announcement to everybody who may be interested!

We thank Getronics PinkRoccade for offering us a venue:
Getronics PinkRoccade
Fauststraat 1
7323 BA Apeldoorn

The agenda:
18.00 - 18.30 Check-In
18.30 - 18.45 Opening
18.45 - 19.30 Improving Security in the Application Development Life-cycle, Migchiel de Jong
19.30 - 20.00 Collecting focus group initiatives
19.45 - 20.00 Coffee break
20.00 - 21.00 Form focus groups

Presentation Abstract
Rather than spending large amounts of time and money on proving that we have security vulnerabilities after programs go into production, companies should go to the source and correct vulnerabilities as early as possible in the development stage. It is unquestionably faster, simpler and cheaper for developers to correct vulnerabilities as they build programs.
But how can development management ensure that developers focus on security when there is no time or budget for security at the development stage? Even with the correct focus, how can they learn what to look for? How can they stay ahead of the dedicated and resourceful attacker?
The answer is effective processes and better tools. With advanced software security tools, a developer can pinpoint vulnerabilities in a matter of seconds, the same vulnerabilities that would take an attacker or a manual code reviewer weeks or even months to find. These same tools can give development and information security managers useful metrics on application vulnerabilities before the applications are released into deployment.
This talk will walk through the Application Development Life-Cycle and discuss how tools can help come to grips with software security issues in each particular phase.

About the presenter
Migchiel de Jong developed hardware and software for 10 years before joining Rational Software. During his 5 years at Rational Software (later acquired by IBM) he was involved in many software development process improvement projects. Currently Migchiel de Jong works at Fortify Software, Palo Alto, California, as a software security engineer.

If you want to attend send an email to owasp@irc2.nl. Please don't wait, 9 March is not far away!

All OWASP chapter meetings are free, there are never vendor pitches or sales presentations at OWASP meetings.

NOTE TO CISSP’s: OWASP Meetings count towards CPE Credits.

Meeting minutes January 11th 2007

On January 11th, the Dutch OWASP chapter came together at the office of Sogeti Nederland. The subject of the evening was 'putting software security into practice'. The group was small but select.

The agenda:
18.00 - 18.30 Check-In (catering included)
18.30 - 18.45 Sponsor opening
18.45 - 19.00 OWASP update, Bert Koelewijn
19.00 - 19.30 Implementation of Security by Design, Martin Knobloch
19.30 - 19.45 Panel introduction
19.45 - 20.00 Coffee break
20.00 - 21.30 Panel discussion

After being welcomed by Frank Langeveld from Sogeti and by Bert Koelewijn, Dutch chapter leader, the evening started with the presentation 'Security By Design'. During the presentation Martin Knobloch talked about his experiences with the implementation of a Secure Development Life Cycle in a company like Sogeti Nederland B.V.

The presentation is available here:
Media:Implementation_of_Security_by_Design.ppt

After a short break, the panel discussion started with the following panel: Henk van der Heijden - Comsec Consulting, Dr.ir. Mario de Boer - LogicaCMG and Martin Knobloch - Sogeti Nederland.
During the discussion it became clear that people are struggling to get the Secure Development Life Cycle implemented in their companies. The various experiences were shared with the panel and the other attendees. Company-specific problems and common misunderstandings about software security were brought up.
The consensus of the discussion was that the main problem lies in the lack of security awareness and knowledge among managers and developers. And this of course is exactly where OWASP comes in...

Meeting January 11th 2007

The OWASP meeting of 11 January is about putting software security into practice. A lot of books, standards, organizations and consultants tell us how we should develop secure software. But which methods and measures are commonly adopted, which are not, and why?
This will be the main focus of the discussion we will have with a panel of people who have experienced implementing software security in the field.

The location is provided by the sponsor of this meeting:
Sogeti Nederland B.V.
"La Charmille" building
Lange Dreef 17
4131 NJ Vianen

The agenda:
18.00 - 18.30 Check-In (catering included)
18.30 - 18.45 Sponsor opening
18.45 - 19.00 OWASP update, Bert Koelewijn
19.00 - 19.30 Implementation of Security by Design, Martin Knobloch
19.30 - 19.45 Panel introduction
19.45 - 20.00 Coffee break
20.00 - 21.30 Panel discussion

Implementation of Security by Design
What is needed to implement a 'Secure Development Life Cycle' within Sogeti Nederland? The speaker started a project called 'Security by Design' in March 2006 to implement an SDLC at Sogeti Nederland.
In his presentation, the speaker will share the technical and organizational experiences he gained during the still ongoing implementation.

About the speaker
Martin Knobloch has more than 8 years of experience in the design and development of J2EE applications for customers in various sectors of the market. In September 2003 Martin Knobloch started working for Sogeti Nederland, where he designs, develops and reviews J2EE applications and architectures.
From this background, Martin Knobloch experienced the threats of insecure software first-hand. In March 2006, Martin Knobloch started implementing an SDLC within Sogeti Nederland.

Panel discussion
The panel members are:
Henk van der Heijden, Managing Director - Comsec Consulting B.V.
Dr.ir. Mario de Boer, Security Consultant - LogicaCMG
Martin Knobloch, Senior Technologie Specialist - Sogeti Nederland B.V.

In the discussion, we will try to find answers to questions like:
- What are the most common security practices in software development?
- How effective are those practices?
- Where do we start practicing security?
- What should be the most common security practices in software development?
- How much does security cost?
- How does the Systems Security Engineering Capability Maturity Model (SSE-CMM) fit in?

If you want to attend send an email to owasp@irc2.com.

All OWASP chapter meetings are free, there are never vendor pitches or sales presentations at OWASP meetings.

NOTE TO CISSP’s: OWASP Meetings count towards CPE Credits.