Netherlands September 22nd, 2016


September 22nd, 2016


Venue

Radboud University Nijmegen

Beta-faculty Huygensgebouw
Heyendaalseweg 135, 6525 AJ Nijmegen
Parkeergarage P11

Programme

18:30 - 19:00 Registration & Pizzas
19:00 - 19:15 OWASP Netherlands and Foundation Updates
19:15 - 20:00 Handling of Security Requirements in Software Development Lifecycle, Daniel Kefer, René Reuter
20:00 - 20:15 Break
20:15 - 21:00 Hacking the OWASP Juice Shop, Björn Kimminich
21:00 - 21:30 Networking

Presentations

Handling of Security Requirements in Software Development Lifecycle

The bigger the company you're working in, the more technologies and methodologies used by development teams you are going to face. At the same time, you want to address security risks in an appropriate, reliable and measurable way for all of them.

After a short introduction of a unified process for handling security requirements in a large company, the main part of the talk is going to focus on a tool called SecurityRAT (Requirement Automation Tool) which has been developed in order to support and accelerate this process. The goal of the tool is first to provide a list of relevant security requirements according to properties of the developed software, and afterwards to handle these in a mostly automated way - integration with an issue tracker being used as a core feature.

The tool was open sourced in May 2016 (available at https://github.com/SecurityRAT) and has been under continuous development since then. The newest implemented features, work in progress and future plans will form the last part of the talk.


Hacking the OWASP Juice Shop

OWASP Juice Shop* is an intentionally insecure web app suitable for pentesting and security awareness training, written in Node.js, Express and AngularJS. It is the first application written entirely in JavaScript listed in the OWASP VWA Directory. It also seems to be the first broken web app that uses the currently popular architecture of an SPA/RIA frontend with a RESTful backend.

In this talk I will show why and how the app was created, followed by a demo of how to hack it. Prepare for some nasty XSS, SQLi and CSRF flaws bundled with some seriously broken access control and business logic - all in one single application!

(*Translating "dump" or "useless outfit" into German yields "Saftladen" which can be reverse-translated word by word into "juice shop". Hence the project name. That the initials "JS" match with those of "JavaScript" was purely coincidental!)

Speakers

Daniel Kefer

1&1 Mail & Media Development & Technology GmbH, Head of Application Security

Daniel Kefer has been working in the application security field since 2007. Having started as a penetration tester, he soon became passionate about proactive security efforts and working closely with developers. Since 2011 he has been working for 1&1 where he focuses on design and continuous improvement of the internal secure SDLC process and its implementation in different development departments. Apart from 1&1, he also works as a volunteer for the OWASP OpenSAMM project.

René Reuter

Robert Bosch GmbH, IT Security Consultant

René Reuter is a security engineer with over 4 years of experience in the application security field. At Robert Bosch GmbH, he works as an IT Security Consultant responsible for identifying vulnerabilities and design flaws that may impact Robert Bosch's applications and infrastructure. René holds a Master's Degree in Computer Science from the University of Applied Sciences Karlsruhe.

Björn Kimminich

Björn Kimminich has been working in software development for Kuehne + Nagel for over 8 years and is now responsible for Global IT Architecture. His most sophisticated Open Source work is the intentionally insecure web application Juice Shop, which was recently accepted as an OWASP Tool Project. As a side job he lectures in software development at the UAS Nordakademie, where he teaches Java to engineering students as their first programming language.

Sponsors

The OWASP Netherlands Chapter is sponsored by

Informatiebeveiliging, Ecurify, Nixu, Xebia