Difference between revisions of "Netherlands Previous Events 2013"

From OWASP
Jump to: navigation, search
(Added Meeting details January 31st 2013)
m (added link to presentations of meeting October 31st)
(14 intermediate revisions by 2 users not shown)
Line 1: Line 1:
[[Netherlands]] events held in 2013
+
;[[Netherlands | OWASP Netherland Wiki]]  
 
+
;[[Netherlands October 31, 2013]]
= March 13, 2013 =
+
*[[Netherlands_October_31,_2013#Third_Party_Java_Libraries_for_Secure_Development - Jim Manico]] - [[Media:Top_10_Java_Defenses_for_Website_Security-Jim_Manico.pdf | Download the presentation as PDF]]
'''The Annual OWASP Netherlands Black Hat Edition Chapter meeting'''
+
*[[Netherlands_October_31,_2013#From_the_Trenches:_Real-World_Agile_SDLC - Chris Eng & Ryan O’Boyle]] - [[Media:Agile SDLC v1.1 - OWASP NL.pdf | Download the presentation as PDF]]
:Every year around Black Hat Europe we try to get Internationally well know speakers to talk at a Chapter Meeting. This year Colin Watson and Georgia Weidman are on the agenda!
+
;[[EUTour2013#tab.3DNetherlands | OWASP Europe Tour - The Netherlands 2013]]
:This chaptermeeting will be about web application logging, Access Control Design and the all new OWASP Cornucopia.
+
* The OWASP Zed Attack Proxy (ZAP) - [[User:Simon_Bennetts |Simon Bennetts]] - [[Media:OWASP_2013_EU_TOUR.pdf | Download the presentation as PDF]]
 
+
* Needles in haystacks, we we are not solving the appsec problem & html hacking the browser, CSP is dead - [[User:EoinKeary |Eoin Keary]] - [[Media:OWASP_EU_-_Tour_2103-abridged-Ned.pdf | Download the presentation as PDF]]
==Programme:==
+
* Secure Coding, some simple steps help - [[User:Steven_van_der_Baan |Steven van der Baan]] - [[Media:OWASP_EU_Tour_2013_-_Secure_Coding.pdf | Download the presentation as PDF]]
:18:30 - 19:15 Registration & Pizza
+
;[[Netherlands May 14, 2013]]
:19:15 - 19:35 "Record It" - Colin Watson
+
*[[Netherlands_May_14,_2013#Securing_Password_Storage_-_Increasing_Resistance_to_Brute_Force_Attacks|Securing Password Storage - Increasing Resistance to Brute Force Attacks - Tiago Teles]]
:19:35 - 19:40  Break
+
:[https://github.com/jsteven/psm/tree/master/presentations The presentation (with and without notes) can be found here]
:19:40 - 20:25  “The smartphone penetration testing framework”- Georgia Weidman
+
*[[Netherlands_May_14,_2013#Neutralizing_Peer-to-Peer_Botnets|Neutralizing Peer-to-Peer Botnets - Dennis Andriesse]] - ([[Media:Owaspnl_zeus-owasp-2013‎.pdf | Download the presentation as PDF]])
:20:25 - 20:30  Break
+
;[[Netherlands April 10, 2013]]
:20:30 - 21:00  OWASP Cornucopia - Colin Watson
+
*[[Netherlands_April_10,_2013#Access_Control_Design_Best_Practices|Access Control Design Best Practices - Jim Manico]] - ([[Media:Owaspnl-jimmanico-toptendefensesv8.pdf‎ | Download the presentation as PDF]])
:21:00 - 21:30  Networking
+
*[[Netherlands_April_10,_2013#RESTful_web_services.2C_the_web_security_blind_spot|RESTful web services, the web security blind spot - Ofer Shezaf]] - ([[Media:Owaspnl-oferschezaf-securitytestingforrestapplicationsv6april2013.pdf | Download the presentation as PDF]])
 
+
;[[Netherlands March 13, 2013]]
==Presentations==
+
*[[Netherlands_March_13,_2013#Record_It.21|Record It - Colin Watson]] - ([[Media:Owaspnl-colinwatson-recordit.pdf | Download the presentation as PDF]])
===Record It!===
+
*[[Netherlands_March_13,_2013#The_smartphone_penetration_testing_framework|The smartphone penetration testing framework - Georgia Weidman]] - ([[Media:The_smartphone_penetration_testing_framework-Georgia_Weidman.pdf | Download the presentation as PDF]])
Do you know security event information should be recorded by an application? Colin Watson will outline which event properties are useful, what should be avoided and how logging can be implemented. In this short presentation, the benefits of good application logging will also be described.
+
*[[Netherlands_March_13,_2013#OWASP_Cornucopia|OWASP Cornucopia - Colin Watson]] - ([[Media:Owaspnl-colinwatson-cornucopia.pdf | Download the presentation as PDF]])
===The smartphone penetration testing framework===
+
;[[Netherlands March 7, 2013]]
As smartphones enter the workplace, sharing the network and accessing sensitive data, it is crucial to be able to assess the security posture of these devices in much the same way we perform penetration tests on workstations and servers. However, smartphones have unique attack vectors that are not currently covered by available industry tools. The smartphone penetration testing framework, the result of a DARPA Cyber Fast Track project, aims to provide an open source toolkit that addresses the many facets of assessing the security posture of these devices. We will look at the functionality of the framework including information gathering, exploitation, social engineering, and post exploitation through both a traditional IP network and through the mobile modem, showing how this framework can be leveraged by security teams and penetration testers to gain an understanding of the security posture of the smartphones in an organization. We will also show how to use the framework through a command line console, a graphical user interface, and a smartphone based app. Demonstrations of the framework assessing multiple smartphone platforms will be shown.
+
*[[Netherlands March 7, 2013#Incident_Respons_in_a_Cyberwar_context|Incident Respons in a Cyberwar context - Dennis Lemckert ]]
===OWASP Cornucopia===
+
*[[Netherlands_March_7,_2013#Disclosure.2C_Prevention_is_better_than_to_cure|Disclosure - Lex Borger & André Koot ]]
Microsoft's Escalation of Privilege (EoP) threat modelling card game has been refreshed into a new version more suitable for common web applications, and aligned with OWASP advice and guides. "OWASP Cornucopia - Ecommerce Web Application Edition" will be presented and used to demonstrate how it can help developers identify security requirements from the OWASP Secure Coding Practices - Quick Reference Guide.
+
;[[Netherlands January 31, 2013]]:
==Speakers==
+
*[[Netherlands_January_31,_2013#The_Truth_about_the_e.dentifier2|The Truth about the e.dentifier2 - Erik Poll]]
===Colin Watson===
+
*[[Netherlands_January_31,_2013#OWASP_Update|OWASP Update - Martin Knobloch]]
Colin Watson is an application security consultant, based in London. He is project leader for the OWASP Codes of Conduct and OWASP Cornucopia projects, wrote the Application Logging Cheat sheet, contributes to a number of other OWASP projects including AppSensor,and is a member of the OWASP Global Industry Committee.
+
===Georgia Weidman===
+
Georgia Weidman is a penetration tester, security researcher, and trainer. She holds a Master of Science degree in computer science, secure software engineering, and information security as well as holding CISSP, CEH, NIST 4011, and OSCP certifications. Her work in the field of smartphone exploitation has been featured in print and on television internationally. She has presented her research at conferences around the world including Shmoocon, Hacker Halted, Security Zone, and Bsides. Georgia has delivered highly technical security training for conferences, schools, and corporate clients to excellent reviews. Building on her experience, Georgia recently founded Bulb Security LLC (http://www.bulbsecurity.com), a security consulting firm specializing in security assessments/penetration testing, security training, and research/development. She was awarded a DARPA Cyber Fast Track grant to continue her work in mobile device security.
+
= March 7, 2013 =
+
'''Incident Respons in a Cyberwar context and Responsible Disclosure'''
+
:This chaptermeeting will be about Incident respons in a cyberwar context and responsible disclosure.
+
==Programme:==
+
:18:30 - 19:00  Registration
+
:19:00 - 19:15  Welcome & Updates
+
:19:15 - 20:00  Incident Respons in a Cyberwar context - Dennis Lemckert
+
:20:00 - 20:15 Break
+
:20:15 - 21:00  Disclosure - Lex Borger & André Koot
+
==Presentations:==
+
===Incident Respons in a Cyberwar context===
+
Cyber Warfare is the new buzz in the IT security. However, is War to compare with today's interconnected world? Are breaches in Integrity, Continuity and Exclusivity similar to an attack on a state?
+
===Disclosure, Prevention is better than to cure===
+
In this presentation we explain what the background was behind our request to CPB to perform research of the Diagnostics for U case. We discuss recent incidents in healthcare (Henk Krol, the Groene Land Hospital), and the effects of the announcement for the companies involved. We will also discuss the practice of Responsible Disclosure (the initiatives of the NCSC and others) and the arise of Responsible Disclosure (Leak October and other hacks) and how companies can ensure that information is sufficiently protected against privacy leaks using data identification and classification.
+
==Speakers==
+
===Dennis Lemckert===
+
Dennis Lemckert is active in the IT world for almost 20 years. 12 Years thereof, he's operating in or around the IT security world. Some roles that at the time he has completed are: Pentester, Security Auditor, Security Architect, Incident Analyst, Security Analyst and Security
+
Advisor. During that time, Dennis has developed a no-nonsense approach on how to build, deliver and maintain secured environments.
+
However, telling others how to do something well, leaves Dennis little time to play with the latest and cool tools, so he spends most of his time writing documentation, both technical and non-technical, giving awareness training, providing training to both technical staff and management and analyzing and improving incident processes.
+
===Lex Borger===
+
Lex Borger is a consultant at Ideas to Interconnect (I-to-I). He has more than 20 years of experience in information security and system security. He was involved in the development of control systems, where he learned to apply security from within.
+
Gradually he broadened his view of information security to the entire field. Most of his experience he has gained in the United States of America. Lex is editor of the journal PvIB "Information"
+
===André Koot===
+
André Koot's Security Consultant with expertise in Identity Management and Access Control.
+
He is also editor of the PvIB journal "Information", trainer and lecturer at the International Management Forum, member EXIN examination committee, NL Chapter Board member CSA and Advisory Board member IDentity.Next. Previously, André worked for the IRS, and Unive VGZ.
+
 
+
= January 31, 2013 =
+
'''Broken Online Strong Authentication and OWASP update'''
+
:This chaptermeeting will be about broken online strong authentication with banking web applications and OWASP updates.  
+
==Programme:==
+
:18:30 - 19:00  Registration
+
:19:00 - 19:45  The Truth about the e.dentifier2 - Erik Poll
+
:19:45 - 20:00  Break
+
:20:00 - 20:45  OWASP Update - Martin Knobloch
+
:20:45 - 21:30  Networking
+
==Presentations==
+
===The Truth about the e.dentifier2===
+
We present a security analysis of an internet banking system used by one of the bigger banks in the Netherlands, in which customers use a USB-connected device – a smartcard reader with a display and numeric keyboard – to authorise transactions with their bank card and PIN code. Such a set-up could provide a very strong defence against online attackers, notably Man-in-the-Browser attacks, where an attacker controls the browser and host PC. However, we show that the system we studied is  flawed: an attacker who controls an infected host PC can get the smartcard to sign transactions that the user does not explicitly approve, which is precisely what the device is meant to prevent.
+
===OWASP Update===
+
News and updates on OWASP BeneLux 2013, OWASP Dutch Chapter meetings, AppSec EU 2013, OWASP Connector, the OWASP Newsletter and new OWASP initiatives.
+
==Speakers==
+
===Erik Poll===
+
Erik works in the Digital Security group of the Radboud University on a range of topics in security, including smartcards, security protocols, software security, and critical infrastructures (esp. the smart grid).
+
===Martin Knobloch===
+
Martin Knobloch is member of the Dutch chapter board and chair of the Global Education Committee. Next to this he contributes to several projects as the OWASP Education Project and the OWASP Academy Portal.
+
Martin is an independent security consultant and owner of PervaSec. His main working area is (software) security in general, from awareness to implementation. In his daily work, Martin is responsible for education in application security matters, advise and implementation of application security measures.
+

Revision as of 17:37, 4 November 2013

OWASP Netherland Wiki
Netherlands October 31, 2013
OWASP Europe Tour - The Netherlands 2013
Netherlands May 14, 2013
The presentation (with and without notes) can be found here
Netherlands April 10, 2013
Netherlands March 13, 2013
Netherlands March 7, 2013
Netherlands January 31, 2013