Difference between revisions of "OWASP BeNeLux-Days 2018"

From OWASP
Jump to: navigation, search
(Created page with "<center>Image:Header-BNL-2017.png<br></center> <br><!-- Header --> <!-- First tab --> = Information = == Keynote speaker == {{#switchtablink:Conferenceday|<p> * TBD }...")
 
 
(122 intermediate revisions by 7 users not shown)
Line 1: Line 1:
<center>[[Image:Header-BNL-2017.png]]<br></center>
+
<center>[[Image:OBNL18 Banner v2.png]]</center>
  
 
<br><!-- Header -->
 
<br><!-- Header -->
Line 6: Line 6:
 
<!-- First tab -->
 
<!-- First tab -->
 
= Information  =
 
= Information  =
== Keynote speaker ==
+
 
{{#switchtablink:Conferenceday|<p>
+
<p style="text-align:center">'''Thanks to all speakers and trainers, sponsors and volunteers who could make this 2018 edition a success.<br>'''</p>
* TBD
+
 
 +
Sad you missed the conference? No problem, just have a look at the {{#switchtablink:Conference_Day|video recordings}}!
 +
 
 +
 
 +
== Save the date ==
 +
 
 +
<p style="text-align:center"><font color="red">'''See you next year in the Netherlands: 28 and 29 November 2019'''</font></p>
 +
 
 +
 
 +
== Confirmed Conference Speakers ==
 +
 
 +
<!--{{#switchtablink:Conference_Day|<p>-->
 +
 
 +
* David Scrobonia
 +
* Niels Tanis
 +
* Jeroen Willemsen
 +
* Björn Kimminich
 +
* Ralph Moonen
 +
* Jo Van Bulck
 +
* Lennert Wouters
 +
* Nick Drage
 +
<!--
 
}}
 
}}
 +
-->
  
== Confirmed speakers Conference ==
+
== Confirmed Trainers ==
{{#switchtablink:Conferenceday|<p>
+
 
* TBD
+
<!--
}}
+
{{#switchtablink:Training Day|<p>
 +
-->
 +
* Andrew Martin
 +
* David Scrobonia
 +
* Jeroen Beckers - Stephanie Vanroelen
  
== Confirmed trainers ==
+
<!--
{{#switchtablink:Trainingday|<p>
 
* TBD
 
 
}}
 
}}
 +
-->
  
 
== OWASP BeNeLux conference is free, but registration is required! ==
 
== OWASP BeNeLux conference is free, but registration is required! ==
[[image:Register_now_red.png|link=https://owasp-benelux-day-2018.eventbrite.com |alt=Register for the OWASP BeNeLux Day 2018 | Register for the OWASP BeNeLux Day 2018 ]]
+
The conference is closed.<br>
 +
 
 +
'''To support the OWASP organisation, consider to become a member, it's only US$50! Check out the [[Membership]] page to find out more.'''
 +
<br>
  
 
== The OWASP BeNeLux Program Committee ==
 
== The OWASP BeNeLux Program Committee ==
*Bart De Win / Sebastien Deleersnyder/ Lieven Desmet/ David Mathy, OWASP Belgium
+
 
*Martin Knobloch / Joren Poll, OWASP Netherlands
+
* Sebastien Deleersnyder / Lieven Desmet / David Mathy / Thomas Herlea / Stella Dineva / Adolfo Solero / Bart De Win, [[Belgium|OWASP Belgium]]
*Jocelyn Aubert, OWASP Luxembourg
+
* Martin Knobloch / Joren Poll / Edwin Gozeling, [[Netherlands|OWASP Netherlands]]
<br>
+
* [[Luxembourg|OWASP Luxembourg]]
  
 
== Tweet! ==
 
== Tweet! ==
 +
 
Event tag is [http://twitter.com/#search?q=%23owaspbnl17 #owaspbnl18]
 
Event tag is [http://twitter.com/#search?q=%23owaspbnl17 #owaspbnl18]
<br><br>
+
 
 
== Donate to OWASP BeNeLux ==
 
== Donate to OWASP BeNeLux ==
 +
 
[https://co.clickandpledge.com/?wid=72689 Donate]
 
[https://co.clickandpledge.com/?wid=72689 Donate]
  
 
<!-- Second tab -->
 
<!-- Second tab -->
 +
= Registration =
  
= Registration =
+
== Registration is closed ==
 +
 
 +
'''To support the OWASP organisation, consider to become a member, it's only US$50! Check out the [[Membership]] page to find out more.'''
  
 +
<!-- Third tab -->
  
== OWASP BeNeLux conference is free, but registration is required! ==
+
= Venue =
[[image:Register_now_red.png|link=https://owasp-benelux-day-2018.eventbrite.com |alt=Register for the OWASP BeNeLux Day 2018 | Register for the OWASP BeNeLux Day 2018 ]]
 
  
== OWASP BeNeLux training is reserved for OWASP members, and registration is required! ==
+
== Address ==
To support the OWASP organisation, we ask training attendees to consider becoming an OWASP member, it's only US$50!
 
Check out the [[Membership]] page to find out more.
 
  
<!--
+
<table width="100%">
[https://owasp-benelux-day-2018.eventbrite.com Register now!]
+
<tr valign="top">
-->
+
<td width="50%">
<br>
+
=== Training venue ===
To support the OWASP organisation, consider to become a member, it's only US$50!
 
<br>  
 
Check out the [[Membership]] page to find out more.
 
<br>
 
  
 +
'''Novotel Mechelen Centrum'''
 +
Van Beethovenstraat 1
 +
2800 Mechelen
 +
Belgium
  
<!-- Third tab -->
+
[https://goo.gl/maps/WxErtbWADqC2 Google maps]
 +
</td>
 +
<td width="50%">
 +
=== Conference venue ===
  
= Venue =
+
'''Congres- en Erfgoedcentrum Lamot'''
 +
Van Beethovenstraat 8-10
 +
2800 Mechelen
 +
Belgium
  
== Venue  ==
+
[https://goo.gl/maps/gZ9icR178w52 Google map]
  
 +
</td>
 +
</tr>
 +
</table>
 +
<br />
 +
[[File:Mechelen-Lamot.jpg|350px|Lamot conference center]]
 +
[[File:Mechelen-lamot-center-auditorium.jpg|350px|Auditorium]]<br />
  
The venue is located:
 
  
:'''TBD'''
 
:TBD
 
:TBD
 
:Belgium
 
:[https://goo.gl/maps/5CJYYSMAJD92 Google map]
 
  
'''''Parking .....'''''
+
Parking:<br />
 +
[[File:Parking lots around Lamot Conference center Mechelen.png|500px|Parking facilities]]<br />
 +
[https://goo.gl/maps/Q5TD7hoTuUu Find your parking on Google Maps]
  
 
=== How to reach the venue? ===
 
=== How to reach the venue? ===
;'''Public transport '''<br>
 
TBD
 
  
'''<u>By car</u>'''
+
==== Public transport ====
TBD
+
 
 +
You can reach the Mechelen's train station from Antwerpen or Brussels.
 +
The Lamot conference center is 10 min away by bus (line 1).
 +
 
 +
Or you can choose to walk for 15 min (1.2 km).
 +
 
 +
 
 +
==== By car ====
 +
 
 +
===== From Brussels: =====
 +
Follow the E19 Brussels / Antwerpen and take the exit 10. <br> Follow the N1 until the R12 (take a left) and turn to the right at the "Brusselpoort" into the Hoogstraat to reach one of the parkings.
 +
 
 +
===== From Antwerpen: =====
 +
Follow the E19 Brussels / Antwerpen and take the exit 9. <br> Follow the N16 until the R12 (take a right) and turn to the left at the "Brusselpoort" into the Hoogstraat to reach one of the parkings.
 +
 
 +
 
 +
=== Hotels Nearby ===
 +
[https://www.google.com/maps/d/viewer?mid=1eYMYmwXKuAsTilKgpAtyYtfMA7A&ll=51.02648134397288%2C4.47819800000002&z=15 Hotels around the Lamot conference center]
  
=== Hotel nearby ===
 
[https://www.google.nl/maps/search/Hotels/@51.5571525,5.0821866,15z/data=!3m1!4b1 Hotels on Google Maps]
 
 
<!-- Fourth tab -->
 
<!-- Fourth tab -->
  
= Trainingday =
+
= Training Day =
=== Trainingday is November 29rd  ===
+
 
 +
'''Training Day is November 29th'''
  
== Location ==
+
== Training Venue ==
 +
 
 +
The trainings will take place in the '''Novotel Mechelen Centrum''' hotel:<br>
 +
Van Beethovenstraat 1<br>
 +
2800 Mechelen<br>
 +
[https://goo.gl/maps/WxErtbWADqC2 Google maps]
 +
 
 +
== Agenda==
  
== Agenda (TBD)==
 
 
{| class="wikitable"
 
{| class="wikitable"
! Time !! Description !! Room TBA !! Room TBA !! Room TBA
+
! Time !! Description !! Training 1 !! Training 2 !! Training 3
 +
|-
 +
! !!  !! (Hof van Busleyden 1) !! (Hof van Busleyden 2) !! (Hof van Kamerijk)
 
|-
 
|-
 
| 08h30 - 9h30
 
| 08h30 - 9h30
| colspan="5" style="text-align: center; background: grey; color: white;" | ''Registration''
+
| style="text-align: center; background: grey; color: white;" colspan="5" | ''Registration''
 
|-
 
|-
 
| 09h30 - 11h00 || Training
 
| 09h30 - 11h00 || Training
| rowspan="7" style="width:100px;" | [[OWASP_BeNeLux-Day_2017#WebGoat_-_Teaching_application_security_101_by_Nanne_Baars | WebGoat - Teaching application security 101]] <br>by [[OWASP_BeNeLux-Day_2017#WebGoat_-_Teaching_application_security_101_by_Nanne_Baars | Nanne Baars]]
+
| style="width:100px;" rowspan="7" | [[#TRAINING_1 | Kubernetes security]] by Andrew Martin
| rowspan="7" style="width:100px;" | [[OWASP_BeNeLux-Day_2017#Whiteboard_Hacking_aka_Hands-on_Threat Modeling_by_Sebastien Deleersnyder  | Whiteboard Hacking aka Hands-on Threat Modeling]] <br>by [[OWASP_BeNeLux-Day_2017#Whiteboard_Hacking_aka_Hands-on_Threat Modeling_by_Sebastien Deleersnyder | Sebastien Deleersnyder]]
+
| style="width:100px;" rowspan="7" | [[#TRAINING_2 | OWASP Zap Training]] by David Scrobonia
| rowspan="7" style="width:100px;" | [[OWASP_BeNeLux-Day_2017#Secure_Development:_Models_and_best_practices_by_Bart_De_Win | Secure Development: Models and best practices]] <br>by [[OWASP_BeNeLux-Day_2017#Secure_Development:_Models_and_best_practices_by_Bart_De_Win | Bart De Win]]
+
| style="width:100px;" rowspan="7" | [[#TRAINING_3 | Android security workshop]] by Jeroen Beckers & Stephanie Vanroelen
 
|-
 
|-
 
| 11h00 - 11h30 ||  ''Coffee Break''
 
| 11h00 - 11h30 ||  ''Coffee Break''
Line 115: Line 176:
 
| 16h00 - 17h30 || Training
 
| 16h00 - 17h30 || Training
 
|}
 
|}
 +
 +
<font color="red">Choose the most appropriate training as they will be hosted at the same time.</font>
  
 
== Trainings ==
 
== Trainings ==
=== WebGoat - Teaching application security 101 by Nanne Baars ===
 
====Topic(s) ====
 
* Web Application Breaker
 
* Other
 
====Keywords ====
 
WebGoat application, security teaching secure development
 
  
====Abstract ====
+
=== <span id="TRAINING_1">Training 1 - Kubernetes security by Andrew Martin</span> ===
A good defense against insecure code requires understanding the mechanics behind how attackers exploit simple programming mistakes.
+
 
The WebGoat team will walk through exercises like SQL Injection, XSS, XXE, CSRF, ... and demonstrate how these exploits work.
+
==== Abstract ====
+
 
We will show you how you can use WebGoat to train your developers to avoid these simple but common programming mistakes.
+
===== Course Description =====
+
The course guides attendees through Linux container security in general, and progresses to advanced Kubernetes cluster security. It emphasises pragmatic threat modelling and risk assessment based on an understanding of the tools and primitives available, rather than dogmatic dos and don’ts.
We also show you how to extend WebGoat to create lessons specific to your environment.
+
 
Join us to learn the most basic, but common, application security problems.
+
===== Course Outline =====
 +
* How to attack containerised workloads
 +
* Enhanced container security
 +
* How to attack Kubernetes
 +
* Interactive production cluster hacking
 +
* Hardening Kubernetes
 +
* Locking down applications
 +
* Security tooling and vendor landscape
 +
 
 +
===== Who Should Attend =====
 +
This course is suitable for intermediate to advanced Kubernetes users who want to strengthen their security understanding. It is particularly beneficial for those operating Kubernetes in a high-compliance domain, or for established security professionals looking to update their skills for the cloud native world.
 +
 
 +
===== Participant requirements =====
 +
Just a laptop with an SSH client please, ssh or PuTTY.
 +
 
 +
==== Bio ====
 +
 
 +
Andrew has a strong test-first engineering ethos gained architecting and deploying high-traffic web applications. Proficient in systems development, testing, and maintenance, he is comfortable profiling and securing every tier of a bare metal or cloud native application, and has battle-hardened experience delivering containerised solutions to enterprise clients. He is a co-founder at https://control-plane.io
 +
 
 +
=== <span id="TRAINING_2">Training 2 - OWASP Zap Training by David Scrobonia</span> ===
 +
 
 +
==== Abstract ====
 +
 
 +
This hands on course will start with the basics of using ZAP attack proxy and finish with leveraging it's API to integrate ZAP within you CI/CD processes. Along the way we will be practicing techniques by attacking the OWASP JuiceShop, an intentionally vulnerable web application.  
  
Tired of all the lessons? During the training we will host a small CTF competition which you can take a shot at and compete with each other...
+
==== Audience ====
  
=== Requirements===
+
This couse is designed for both new and experienced users. No knowledge or experience with ZAP is required, but even those familiar with ZAP will learn something new.
Please find the course prerequisites here: https://github.com/nbaars/owasp-training
 
  
====Bio====
+
==== Contents ====
Nanne Baars works as a security consultant & developer at JDriven and is one of the primary developers of WebGoat.
+
# Basic Techniques & Manual Testing
 +
# Advanced Techniques & Automated Testing
 +
# Scripting with ZAP
 +
# Using ZAP within your CI/CD Pipeline
 +
 +
===== Participant requirements =====
 +
Please come prepared with the following tools installed:
 +
* ZAP (https://github.com/zaproxy/zaproxy/wiki/Downloads#zap-270-standard)
 +
* docker
  
=== Whiteboard Hacking aka Hands-on Threat Modeling by Sebastien Deleersnyder ===
+
If you have any trouble with the setup please feel free to reach out to davidscrobonia at gmail with questions.
====Topic(s) ====
 
* Threat modeling introduction
 
* Diagrams – what are you building?
 
* Identifying threats – what can go wrong?
 
* Hands-on: STRIDE analysis of an Internet of Things (IoT) deployment with an on premise gateway and secure update service
 
* Addressing each threats
 
* Hands-on: threat mitigations OAuth scenarios for web and mobile applications
 
  
====Keywords ====
+
==== Bio ====
Threat Modeling, STRIDE, Technical risk assessment
 
  
====Abstract ====
+
David Scrobonia is a part of the Security Engineering team at Segment working to secure modern web apps and AWS infrastructure. He contributes to open source in his spare time and is a core team member of the OWASP ZAP project.
This is a one day version of our Black Hat training on Threat Modeling. The students will be challenged to perform practical threat modeling in groups of 3 to 4 people covering the different stages of threat modeling on:
 
* An Internet of Things (IoT) deployment with an on premise gateway and secure update service
 
* An HR services OAuth scenario for mobile and web applications
 
Threat modeling is a structured activity for identifying and evaluating application threats and vulnerabilities. It also allows consideration of security issues at the component or application level. The threat modeling course will teach you to perform threat modeling through a series of workshops, where our trainer will guide you through the different stages of a practical threat model. <br>
 
This course is aimed at software developers, architects, system managers or security professionals. Before attending this course, students should be familiar with basic knowledge of web and mobile Applications, databases & Single sign on (SSO) principles.
 
  
 +
=== <span id="TRAINING_3">Training 3 - Android security workshop by Jeroen Beckers & Stephanie Vanroelen</span> ===
  
====Bio====
+
==== Abstract ====
Sebastien (lead application security consultant Toreon) led engagements in the domain of ICT-security, Web and Mobile Security with several customers in the private and public sector. Sebastien is the Belgian OWASP Chapter Leader and is co-project leader of OWASP SAMM.
 
  
=== Secure Development: Models and best practices by Bart De Win ===
+
In this workshop, participants will come in contact with the basics of
====Topic(s) ====
+
Android application security. Through hands-on exercises, Jeroen and
* Software Assurance maturity models
+
Stephanie will show which mistakes can be made, both at the design and
* Secure Development in agile development
+
implementation level, that can compromise the security of both the
* Tips and tricks for practical SDLC
+
application and the backend server. Although no real prior experience
* Hands-on: SAMM analysis of your enterprise using SAMM 1.5
+
with Android is needed, some basic knowledge on programming is advised.
* Sneak preview of SAMM 2.0
 
  
====Keywords ====
+
==== Participation requirements ====
SDLC, SAMM, Agile development,
+
* Basic linux / terminal knowledge
 +
* Be able to understand the OWASP Top 10 (Not Mobile)
 +
* Laptop with VirtualBox / VMWare (At least 8GB of RAM)
  
====Abstract ====
+
==== Bio ====
It takes much more than a good developer to build secure software within an organisation. Indeed, building secure software is about ensuring that security is taken into consideration during the entire software lifecycle. It is about ensuring that security best practices are being employed efficiently, and that uncovered risks are appropriately dealt with in due time.
 
  
During this one-day training, we will introduce and discuss different secure development approaches and models. We will look into waterfall vs. agile development and discuss different strategies to successfully run an SDLC program. Finally, we will also put theorie into practice and take your organisation to perform a mini SDLC assessment and improvement exercise.
+
Jeroen Beckers is a security researcher at NVISO. He focusses mainly on
[[File:Benelux2017 - Secure Development Training deck.pdf|thumb]]
+
mobile applications for Android/iOS and sometimes even Windows Phone
The slides of this session are available for download in the media file.
+
(yes, some people actually use it!). Apart from breaking mobile
 +
applications, he also gives security trainings and presentations at
 +
conferences.<br>
 +
<br>
 +
Stephanie Vanroelen is an IT security consultant currently focussing on Web and
 +
Mobile Application Security. Her experiences in organizing IT Security
 +
conferences such as BruCON and CyberSKool help her with project
 +
management and communication skills. In her free time she pretends to be
 +
Godzilla :).
  
====Bio====
 
Bart is an application security consultant and enthousiast and is spending considerable time on secure development projects. Bart is board member of the Belgian OWASP Chapter and is co-project leader of OWASP SAMM.
 
  
  
 
<!-- Fifth tab -->
 
<!-- Fifth tab -->
 +
= Conference Day =
  
= Conferenceday =
+
'''Conference Day is November 30th'''
=== Conferenceday is November 30th ===
 
  
 +
== Agenda ==
  
== Agenda (TBD)==
 
 
{| class="wikitable"
 
{| class="wikitable"
 
! width="120pt" | Time
 
! width="120pt" | Time
 
! width="190pt" | Speaker  
 
! width="190pt" | Speaker  
 
! width="400pt" | Topic
 
! width="400pt" | Topic
! width="100pt" -- ! | Media
+
! width="100pt" | Media
 
|-  
 
|-  
| 08h30 - 09h00
+
| 08h30 - 09h15
| colspan="3" style="text-align: center; background: grey; color: white" | ''Registration''
+
| style="text-align: center; background: grey; color: white" colspan="3" | ''Registration / [[#CyberWayFinder | Women in cybersecurity (CyberWayFinder)]]''
 
|-  
 
|-  
| 09h00 - 09h15
+
| 09h15 - 09h30
| colspan="3" style="text-align: center; background: grey; color: white" | ''Opening''
+
| style="text-align: center; background: grey; color: white" colspan="3" | ''Opening''
 
|-  
 
|-  
| 09h15 - 10h00 || [[OWASP_BeNeLux-Day_2017#Attribute Based Access Control. Why, what, how? by Jacoba Sieders | Jacoba Sieders]]
+
| 09h30 - 10h15
|| [[OWASP_BeNeLux-Day_2017#Attribute Based Access Control. Why, what, how? by Jacoba Sieders | Attribute Based Access Control. Why, what, how?]]  
+
| [[#TALK_0930 | Lennert Wouters]]
|| [[Media:OWASP BeNeLux-Day 2017 AttributeBasedAccessControl WhyWhatHow JacobaSieders.pdf|Slides]]<br>[https://youtu.be/O7iWITnZGsk Video]
+
| [[#TALK_0930 | Fast, Furious and Insecure: Passive Keyless Entry and Start in Modern Supercars]]
 +
|
 
|-
 
|-
| 10h00 - 10h45 || [[OWASP_BeNeLux-Day_2017#How to spend $3.6mil on one coding mistake, and other fun stuff you can do with $3.6mil by Matia Madou | Matias Madou]]
+
| 10h15 - 11h00
|[[OWASP_BeNeLux-Day_2017#How to spend $3.6mil on one coding mistake, and other fun stuff you can do with $3.6mil by Matia Madou | How to spend $3.6mil on one coding mistake, and other fun stuff you can do with $3.6mil]]
+
| [[#TALK_1015 | Ralph Moonen]]
|| [[Media:OWASP_BeNeLux-Day_2017_how_to_spend_$3.6_mil_on_one_coding_mistake_by_Matias_Madou.pdf|Slides]] <br> [https://www.youtube.com/watch?v=dt5rFGBztJA&feature=youtu.be Video]
+
| [[#TALK_1015 | Weaknesses in our voice communications network: from Blue Boxing to VoLTE]]
 
+
| [[Media:OWASP BeNeLux 2018 Ralph Moonen - Weaknesses in our voice communications network - from Blue Boxing to VoLTE compressed.pdf | Slides]]<br>
 +
[https://youtu.be/Rl7VabjEd_A Video]
 
|-
 
|-
| 10h45 - 11h15
+
| 11h00 - 11h30
| colspan="3" style="text-align: center;background: grey; color: white" | ''Morning Break''  
+
| style="text-align: center;background: grey; color: white" colspan="3" | ''Morning Break''  
 
|-
 
|-
| 11h15 - 12h00 || [[OWASP_BeNeLux-Day_2017#The evil friend in your browser by Achim D. Brucker | Achim D. Brucker]]
+
| 11h30 - 12h15
|[[OWASP_BeNeLux-Day_2017#The evil friend in your browser by Achim D. Brucker | The evil friend in your browser]]
+
| [[#TALK_1130 | Niels Tanis]]
| [[Media:OWASP_BeNeLux-Day_2017_The evil friend in your browser_Achim_Brucker.pdf|Slides]]<br>[https://www.youtube.com/watch?v=_Uj-Ci37Rvw&feature=youtu.be Video]
+
| [[#TALK_1130 | When Serverless Met Security… Serverless Security & Functions-as-a-Service (FaaS)]]
 +
| [[Media:OWASP BeNeLux 2018 Niels Tanis - When Serverless Met Security.pdf | Slides]] <br>
 +
[https://youtu.be/wuvGmXN0n6Q Video]
 
|-
 
|-
| 12h00 - 12h45 || [[OWASP_BeNeLux-Day_2017#Exploring the ecosystem of malicious domain registrations in the .eu TLD by Lieven Desmet | Lieven Desmet]]
+
| 12h15 - 13h00
|| [[OWASP_BeNeLux-Day_2017#Exploring the ecosystem of malicious domain registrations in the .eu TLD by Lieven Desmet | Exploring the ecosystem of malicious domain registrations in the .eu TLD]]
+
| [[#TALK_1215 | David Scrobonia]]
| [[Media:OWASP BeNeLux-Day 2017 Exploring the ecosystem of malicious domain registrations LievenDesmet.pdf|Slides]]<br>[https://www.youtube.com/watch?v=09SNSYHw8H0&feature=youtu.be Video]
+
| [[#TALK_1215 | OWASP Zap]]
 +
| [[Media:OWASP BeNeLux 2018 David Scrobonia OWASP Zap.pdf | Slides]]<br>
 +
[https://youtu.be/iaZaPuQ6ams Video]
 
|-
 
|-
| 12h45 - 13h45
+
| 13h00 - 14h00
| colspan="3" style="text-align: center;background: grey; color: white" | ''Lunch''  
+
| style="text-align: center;background: grey; color: white" colspan="3" | ''Lunch''  
 
|-
 
|-
| 13h45 - 14h30 || [[OWASP_BeNeLux-Day_2017#Don't trust the DOM: Bypassing XSS mitigations via script gadgets by Sebastian Lekies | Sebastian Lekies]]
+
| 14h00 - 14h45
|| [[OWASP_BeNeLux-Day_2017#Don't trust the DOM: Bypassing XSS mitigations via script gadgets by Sebastian Lekies | Don't trust the DOM: Bypassing XSS mitigations via script gadgets]]
+
| [[#TALK_1400 | Björn Kimminich]]
| [[Media:OWASP BeNeLux-Day 2017 Bypassing XSS mitigations via script gadgets Sebastian Lekies.pdf|Slides]]<br>[https://www.youtube.com/watch?v=rssg--FP1AE&feature=youtu.be Video]
+
| [[#TALK_1400 | Juice Shop: OWASP's most broken Flagship]]
 +
| [[Media:OWASP BeNeLux 2018 Bjoern Kimminich - Juice Shop - OWASP's most broken Flagship.pdf | Slides]]<br>
 +
[https://youtu.be/Lu0-kDdtVf4 Video]
 
|-
 
|-
| 14h30 - 15h15 || [[OWASP_BeNeLux-Day_2017#A Series of Unfortunate Events: Where Malware Meets Murphy by Mattijs van Ommeren | Mattijs van Ommeren]]
+
| 14h45 - 15h30
|| [[OWASP_BeNeLux-Day_2017#A Series of Unfortunate Events: Where Malware Meets Murphy by Mattijs van Ommeren | A Series of Unfortunate Events: Where Malware Meets Murphy]]
+
| [[#TALK_1445 | Jo Van Bulck]]
| <!--[[Media:OWASP_Benelux-Day_2017_A_Series_Of_Unfortunate_Events-Where_Malware_Meets_Murphy_Mattijs_van_Ommeren.pdf|Slides]]<br> -->[https://www.youtube.com/watch?v=d67yxt3FdTA&feature=youtu.be Video]
+
| [[#TALK_1445 | Leaky Processors: Stealing Your Secrets with Foreshadow]]
 +
| [[Media:OWASP BeNeLux 2018 Jo Van Bulck - Leaky Processors - Stealing Your Secrets with Foreshadow.pdf | Slides]] <br>
 +
[https://youtu.be/le60NzmxU6s Video]
 
|-
 
|-
| 15h15 - 15h45
+
| 15h30 - 16h00
| colspan="3" style="text-align: center;background: grey; color: white" | ''Break''  
+
| style="text-align: center;background: grey; color: white" colspan="3" | ''Afternoon Break''  
 
|-
 
|-
| 15h45 - 16h30 |[[OWASP_BeNeLux-Day_2017#Common REST API security pitfalls by Philippe De Ryck | Philippe De Ryck]]
+
| 16h00 - 16h45
|| [[OWASP_BeNeLux-Day_2017#Common REST API security pitfalls by Philippe De Ryck | Common REST API security pitfalls]]
+
| [[#TALK_1600 | Jeroen Willemsen]]
| [[Media:OWASP BeNeLux-Day 2017 Common REST API security pitfalls Philippe De Ryck.pdf|Slides]]<br>[https://www.youtube.com/watch?v=Meh4EUmLCfM&feature=youtu.be Video]
+
| [[#TALK_1600 | Fast forwarding Mobile Security with the MSTG]]
 +
| [[Media:OWASP BeNeLux 2018 Jeroen Willemsen - Fast forwarding Mobile Security with the MSTG compressed.pdf | Slides ]]<br>
 +
[https://youtu.be/WI2_cP48TnA Video]
 
|-
 
|-
| 16h30 - 17h15 || [[OWASP_BeNeLux-Day_2017#Creating An AppSec Pipeline With Containers In A Week How We Failed And Succeeded by Jeroen Willemsen | Jeroen Willemsen]]
+
| 16h45 - 17h30
|| [[OWASP_BeNeLux-Day_2017#Creating An AppSec Pipeline With Containers In A Week How We Failed And Succeeded by Jeroen Willemsen | Creating An AppSec Pipeline With Containers In A Week How We Failed And Succeeded]]
+
| [[#TALK_1645 | Nick Drage]]
| [[Media:OWASP BeNeLux-Day 2017 Creating An AppSec Pipeline With Containers In A Week How We Failed And Succeeded Jeroen Willemsen.pdf|Slides]]<br>[https://www.youtube.com/watch?v=Q3q1mdev5rs&feature=youtu.be Video]
+
| [[#TALK_1645 | Lessons from the legion (The OWASP BeNeLux Remix)]]
 +
| [[Media:OWASP BeNeLux 2018 Nick Drage - Lessons from the Legion compressed.pdf | Slides]]<br>
 +
[https://youtu.be/516Z420BgkE Video]
 
|-
 
|-
| 17h15 - 17h30
+
| 17h30 - 17h45
| colspan="3" style="text-align: center;background: grey; color: white" | ''Closing''  
+
| style="text-align: center;background: grey; color: white" colspan="3" | ''Closing''  
 
|}
 
|}
  
<div id="TBD"></div>
+
== Talks ==
 +
 
 +
=== <span id="TALK_0930">Fast, Furious and Insecure: Passive Keyless Entry and Start in Modern Supercars by Lennert Wouters</span> ===
 +
 
 +
==== Abstract ====
  
== Talks ==
+
The security of immobiliser and Remote Keyless Entry systems has been extensively studied over the past years. Passive Keyless Entry and Start systems, which are currently deployed in luxury vehicles, have not received as much attention.
 +
During this presentation we will share the techniques used in reverse engineering the Tesla Model S Passive Keyless Entry and Start system. We will discuss multiple security weaknesses in the system including the use of an inadequate proprietary cipher using 40-bit keys, the lack of mutual authentication in the challenge-response protocol, hardware configuration mistakes and the absence of security partitioning.<br>
 +
We verified our findings by implementing a proof of concept attack allowing us to clone a Tesla Model S key fob in a matter of seconds with low cost commercial off the shelf equipment.<br>
 +
Finally, we will share our experience with the responsible disclosure of these finding to Tesla Motors and other likely affected manufacturers such as McLaren, Karma Automotive and Triumph Motorcycles as they all use the same system developed by Pektron.
  
===Attribute Based Access Control. Why, what, how? by Jacoba Sieders===
 
====Abstract====
 
Digitization is rapidly transforming the traditional world and regulation on security and data protection is gaining weight. Digital identity, but also data protection become crucial capabilities for businesses.  What are the trends in IAM and what role can Attribute Based Access Control (ABAC) play here? ABNAMRO started implementing ABAC in 2014. What were the approach and the lessons learnt?
 
 
====Bio====
 
====Bio====
Jacoba Sieders, Head of Digital Identity- & Access, ABNAMRO Bank.<br />
 
Jacoba is an all-round Digital Identity and Information Security expert with 17 years of experience in the international finance industry, in technology, governance, consultancy, and implementation. She is accountable for digital identity services and access control for customers, employees and partners to the bank’s data and infrastructure.
 
Major topics on her agenda today are ABAC, data centric security, API-banking and PSDII requirements, the interaction of IAM tools with the rest of the bank’s cybersecurity landscape, and the new authentication concept for which ABNAMRO is acquiring a patent. Her special interests are legal requirements impacting identity, e.g. Generic Data Protection Regulation, the EU e-IDAS scheme, KYC and AML legislation. 
 
Jacoba is a member of the Advisory Board of the independent European think-tank ID Next and is regularly speaking on the topic of IAM. She holds a master degree in Classics from Leiden University (Greek, Latin, Hebrew).
 
  
 +
Lennert Wouters is a PhD researcher at the Computer Security and Industrial Cryptography (COSIC) research group at KU Leuven. His research interests involve hardware security of connected embedded devices and side channel attacks.
 +
 +
=== <span id="TALK_1015">Weaknesses in our voice communications network: from Blue Boxing to VoLTE by Ralph Moonen</span> ===
 +
 +
==== Abstract ====
 +
 +
Voice over 4G, or VoLTE, brings back the phreaking 80's. Once again, after 3 decades, the signaling path of telephony is accessible to end users. No more R1, R2, C4 or C5 however: we now have SIP. As it turns out, the implementations of SIP and VoLTE in various European providers' 4G infrastructures, open up a host of possibilities. During our research over the past few years we have identified vulnerabilities in implementations such as txt message spoofing, subscriber enumeration, location determination (leakage of cell-ID and LAC), IMEI leakage and a potential SIM-card sharing attack.<br>
 +
During this talk we will begin with a little historic stroll of phone phreaking through notable events and discoveries over the years. Bridging the narrative over the last few decades, new technologies such as VoIP, Volte, and VoWiFi are introduced, explaining the 4G and VoLTE infrastructure components and protocols. Next, on a rooted Android phone, we will show what control the user has over the VoLTE stack using some standard tools and the IPv6 stack. This includes hidden activities in Android and extraction of IPsec keys from the VoLTE stack. We will show that it is possible to import keys to Wireshark and monitor the IPv6 SIP traffic and components. Finally, examples of the vulnerabilities in implementations such as txt message spoofing, subscriber enumeration, location determination (leakage of cell-ID and LAC), IMEI leakage and a potential SIM-card sharing attack will be explained.<br>
 +
Yes, a slightly technical nugget of knowledge, yet very accessible and a lot of fun!<br>
 +
<br>
 +
'''Importance of presentation for involved audience'''<br>
 +
The phone systems of the world have always been of interest to everyone: from users who expect privacy, to intelligence agencies who want access. The privacy, integrity and confidentiality of voice communications over telecommunication networks is therefore of interest to anyone who uses mobile phones (i.e.: everyone). It is also typically a closed subject with very little research being done, relative to other security topics such as malware and application vulnerabilities. The combination of little research and high impact on everyone, makes that this topic deserves much more attention than it currently does. The VoLTE weaknesses we will describe are implementation dependent, and largely unpublished (i.e. new).
 +
 +
==== Bio ====
 +
 +
Ralph Moonen CISSP is Technical Director at Secura. Ralph is an old-school ethical hacker with 3 decades of experience as penetration tester, IT-auditor and security consultant. Now, as Technical Director, he is responsible for topics such as R&D and technical projects at Secura.
 +
 +
=== <span id="TALK_1130">When Serverless Met Security… Serverless Security & Functions-as-a-Service (FaaS) by Niels Tanis</span> ===
 +
 +
==== Abstract ====
 +
 +
Serverless is a design pattern for writing scalable applications in which Functions as a Service (FaaS) is one of the key building blocks. Every mayor Cloud Provider has got his own FaaS available. On Microsoft Azure there is Azure Functions, AWS has got Lambda and Cloud Functions can be used on the Google Cloud. All of these have a lot of similarities in the way they allow developers to create small event driven services. <br>
 +
From security perspective there are a lot of benefits when moving to a serverless architecture. There is no need to manage any of the machines and the underlying infrastructure. Dealing with updates, patches and infrastructure is the responsibility of the platform provider. FaaS are short lived processes which will be instantiated and destroyed in a matter of milliseconds making it more resilient to denial-of-services (DoS) and also makes it harder to attack and compromise. <br>
 +
But will all of this be sufficient to be ’secure’ or should we be worried about more? With serverless there is still a piece of software that will be developed, build, deployed and executed. It will also introduce a more complex architecture with corresponding attack surface which also makes it hard to monitor. What about the software supply chain and delivery pipeline? There still will be a need to patch your software for vulnerabilities in code and used 3rd party libraries. In this talk we will identify the security area’s we do need to focus on when developing serverless and define possible solutions for dealing with those problems.
 +
 +
==== Bio ====
 +
 +
Niels Tanis has got a background in .NET development, pentesting and security consultancy. He also holds the CSSLP certification and has been involved in breaking, defending and building secure applications. He joined Veracode in 2015 and right now he works as a security researcher on a variant of languages and technologies related to Veracode’s Binary Static Analysis service. He is married, father of 2 and lives in a small village just outside Amersfoort, The Netherlands.
 +
 +
 +
=== <span id="TALK_1215">OWASP Zap by David Scrobonia</span> ===
 +
 +
==== Abstract ====
 +
 +
Intoducing security testing tools to a QA or developers workflow can be difficult when the tools aren't easy or intuitive to use. Even for security professionals, the friction of cumbersome security tooling can prevent them from getting the most from a tool or being effective with their time.<br>
 +
The OWASP ZAP team is working to help enable developers, QA, and hackers alike with the ZAP Heads Up Display, a more user friendly way to engage with the security testing tool. The Heads Up Displays integrates ZAP directly in the browser providing all of the funcitonality of the tool via a heads up display. The goal is to make ZAP more accessible and enabling users, especially developers, to integrate security in their daily workflows.<br>
 +
This talk will discuss the importance of usable tools, design tradeoffs made to improve usability, the various browser technologies powering the HUD, and how you can start hacking with a heads up display.
 +
 +
==== Bio ====
 +
 +
David Scrobonia is a part of the Security Engineering team at Segment working to secure modern web apps and AWS infrastructure. He contributes to open source in his spare time and is a core team member of the OWASP ZAP project.
 +
 +
 +
=== <span id="TALK_1400">Juice Shop: OWASP's most broken Flagship by Björn Kimminich</span> ===
 +
 +
==== Abstract ====
 +
 +
OWASP Juice Shop is an intentionally insecure webapp for security trainings written entirely in Javascript which encompasses the entire OWASP Top Ten and many more severe security flaws. In this talk, you'll learn about this open-source project and its capabilities first-hand from its creator. Join a “happy shopper round trip,” enjoy a hacking demo of some of the built-in challenges, witness how to re-theme the Juice Shop into a security awareness booster for your own company, and learn how to set it up for a capture-the-flag (CTF) event in less than 5 minutes!
  
===How to spend $3.6mil on one coding mistake, and other fun stuff you can do with $3.6mil by Matia Madou===
 
====Abstract====
 
In a recent global study, the average cost of a data breach is $3.62M globally. This session will discuss infamous examples of data breaches that has made headlines around the world. We will explore the technical details of the vulnerability itself and what a coding solution may have been to prevent the breach. We will also dive deeper on exploring different solutions, processes and techniques you can apply in your day-to-day to prevent application security vulnerabilities in your code.
 
 
====Bio====
 
====Bio====
Matias Madou is a Co-Founder and CTO of Secure Code Warrior where he is responsible for leading the company’s technology vision and overseeing the engineering team. Matias has more than 15 years of hands-on software security experience and has developed solution for companies such as HP Fortify, and founded a company called Sensei Security. Matias has led multiple application security research projects which have led to commercial products and boasts over 10 patents under his belt. When he is away from his desk, Matias has served as an instructor for advanced application security training courses and regularly speaks at global conferences including RSA Conference, Black Hat, DefCon, BSIMM, OWASP AppSec and BruCon. Matias holds a Ph.D. in Computer Engineering from Ghent University.
 
  
 +
Björn Kimminich is responsible for global IT architecture and application security at Kuehne + Nagel. On the side, he gives IT security lectures at the non-profit private university Nordakademie. Björn also is the project leader of the OWASP Juice Shop and a board member for the German OWASP chapter. <br>
 +
[[File:GitHub-Mark_no_background.png|25px|link=https://github.com/bkimminich|GitHub]]
 +
[[File:TwitterLogo.png|25px|link=http://twitter.com/bkimminich|Twitter]]
 +
[[File:LinkedinSquareLogo.png|25px|link=https://www.linkedin.com/in/bkimminich|LinkedIn]]
  
===The evil friend in your browser by Achim D. Brucker===
 
====Abstract====
 
On the one hand, browser extensions, e.g., for Chrome, are very useful, as they extend web browsers with additional functionality
 
(e.g., blocking ads). On the other hand, they are the most dangerous code that runs in your browsers: extension can read and modify both the content displayed in the browser. As they also can communicate with any web-site or web-service, they can report both data and metadata to external parties.
 
  
The current security model for browser extensions seems to be inadequate for expressing the security or privacy needs of browser users. Consequently, browser extensions are a "juice target" for attackers targeting web users.
+
=== <span id="TALK_1445">Leaky Processors: Stealing Your Secrets with Foreshadow by Jo Van Bulck</span> ===
  
We present results of analysing over 60000 browser extensions on how they use the current security model and discuss examples of extensions that are potentially of high risk. Based on the results of our analysis of real world browser extensions as well as our own threat model, we discuss the limitations of the current security model form a user perspective.  need of browser users.
+
==== Abstract ====
  
====Bio====
+
For decades, memory isolation has been one of the key principles of
Dr. Achim D. Brucker (www.brucker.uk) is a Senior Lecturer and consultant for software and systems assurance at the Computer Science Department of The University of Sheffield, UK.  Until December 2015, he was a Research Expert (Architect), Security Testing Strategist, and Project Lead in the Global Security Team of SAP SE, where he defined the risk-based security testing strategy of SAP that combines static, dynamic, and interactive security testing methods and integrates them deeply into SAP's Secure Software Development Lifecycle. He has experience in rolling out *AST tools to world-wide development organisations.
+
secure system design. The recent wave of speculative execution attacks,
 +
including Meltdown, Spectre, and Foreshadow abruptly showed, however,
 +
that performance optimizations in modern processors fundamentally
 +
undermine application security.<br>
 +
This talk will review how speculative execution attacks work. What makes
 +
them dangerous, and why they require a paradigm shift in the way we
 +
think about application security. The talk will have a special focus on
 +
the recently disclosed Foreshadow CPU vulnerability, which led to a
 +
complete collapse of state-of-the-art Intel SGX technology, and
 +
necessitated hardware and software patches for all major operating
 +
systems and virtual machine hypervisors.
  
===Exploring the ecosystem of malicious domain registrations in the .eu TLD by Lieven Desmet===
+
==== Bio ====
====Abstract====
 
In this talk, we report on an extensive analysis of 14 months of domain registration in the .eu TLD. The purpose is to identify large-scale malicious campaigns. Overall, the dataset of this study contains 824,121 new domain registrations; 2.53% of which have been flagged as malicious by blacklisting services. We explore the ecosystem and modus operandi of elaborate cybercriminal entities that recurrently register large amounts of domains for one-shot, malicious use. Although these malicious domains are short-lived, we establish that at least 80.04% of them can be framed in to 20 larger campaigns with varying duration and intensity. We further report on insights in the operational aspects of this business and observe, amongst other findings, that their processes are only partially automated.
 
====Bio====
 
Lieven Desmet is a Senior Research Manager on Secure Software in the imec-DistriNet Research Group at the Katholieke Universiteit Leuven (Belgium), where he outlines and implements the research strategy, coaches junior researchers in application security, and participates in dissemination, valorisation and spin-off activities. Lieven is also involved in OWASP as a board member of the Belgium OWASP Chapter, and part of the organisation team of the OWASP BeNeLux Day.
 
  
===Don't trust the DOM: Bypassing XSS mitigations via script gadgets by Sebastian Lekies===
+
Jo Van Bulck is a PhD researcher at imec-DistriNet, KU Leuven, where he
====Abstract====
+
investigates hardware-level trusted computing from an integrated attack
Cross-Site Scripting is a constant problem of the Web platform. Over the years many techniques have been introduced to prevent or mitigate XSS. Most of these techniques, thereby, focus on script tags and event handlers. HTML sanitizers, for example, aim at removing potentially dangerous tags and attributes. Another example is the Content Security Policy, which forbids inline event handlers and aims at white listing of legitimate scripts.
+
and defense perspective. His work resulted in a.o., the high-impact
 +
Foreshadow CPU vulnerability announced in August 2018, and several
 +
open-source secure processor prototypes.
  
In this talk, we present a novel Web hacking technique that enables an attacker to circumvent most XSS mitigations. In order to do so, the attacker abuses so-called script gadgets. A script gadget Is a legitimate piece of JavaScript in a page that reads elements from the DOM via selectors and processes them in a way that results in script execution. To abuse a script gadget, the attacker injects a benign looking element into the page that matches the gadget's selector. Subsequently, the gadget selects the benign-looking element and executes attacker-controlled scripts. As the initially injected element is benign it passes HTML sanitizers and security policies. The XSS only surfaces when the gadget mistakenly elevates the privileges of the element.
 
  
In this talk, we will demonstrate that these gadgets are present in almost all modern JavaScript libraries, APIs and applications. We will present several case studies and real-world examples that demonstrate that many mitigation techniques are not suited for modern applications. As a result, we argue that the Web should start focusing more on preventive mechanisms instead of mitigations.
+
=== <span id="TALK_1600">Fast forwarding Mobile Security with the MSTG by Jeroen Willemsen</span> ===
====Bio====
 
Sebastian Lekies is tech leading the Web application security scanning team at Google. Before joining Google, he was part of SAP's Security Research team, where he conducted academic research in the area of client-side Web application security. Sebastian is regularly speaking at academic and non-academic security conferences such as BlackHat US/EU/Asia, DeepSec, OWASP AppSec EU, Usenix Security, CCS, and many more...
 
  
 +
==== Abstract ====
  
===A Series of Unfortunate Events: Where Malware Meets Murphy by Mattijs van Ommeren===
+
After the startup of the mobile security project in 2010, the mobile security project and its testing guides have seen quiet some evolution. All of this changed quiet intensively when, in 2016, the Mobile Application Security Verification Standard (MASVS) and the Mobile Application Security Testing Guide (MSTG) were created. Now, two years fast forward: where are we now? How can you use it as a pentester or a developer? We will start with introducing the current state of the MSTG and its side-projects and then show various demos on iOS.<br>
====Abstract====
 
When an end user reports some “strange looking file names”, which, after investigating, you discover include several hundreds of Gigabytes of encrypted data, you of course know you are going to have a bad day. Your AV solution has failed you, your firewall has failed you, and your SIEM has failed you. Basically, every piece of security infrastructure you have put your trust (and money) into has left you out in the cold and you thank <deity of choice> that at least the nightly backup was completed successfully. Spin up the tape drive, and soon you will be back in business, or not…?
 
 
This talk is about failure. Not only about a failing security infrastructure, but also about failure in doing the Right Thing™ as a first responder, about the failure of Operating System tools, failing APIs, and ironically, also the failure of malware (which is unfortunately not as positive as it may sound). The scenario presented comes pretty close to the worst chain of events you can imagine, in an attempt to recover from a ransomware incident.
 
 
Luckily – this story has a happy ending. We will reveal how one can be prepared for when both Count Olaf and Murphy come knocking on your door simultaneously.
 
====Bio====
 
Mattijs van Ommeren has been poking hardware and software for 15 years. He has spent most of his working life as a security consultant, attacking and defending both traditional IT environments as well as more esoteric embedded devices and industrial systems. Presently he has a lot of fun at Nixu.
 
  
 +
==== Bio ====
  
===Common REST API security pitfalls by Philippe De Ryck===
+
Jeroen Willemsen is a Principal Security Architect at Xebia. With a love for mobile security, he recently became one of the projectleaders for the OMTG project (MASVS & MSTG). Jeroen is more or less a jack of all trades with interest in infrastructure security, risk management and application security.
====Abstract====
 
The shift towards a REST API landscape indicates a significant evolution in the way we build applications. The rise of JavaScript and mobile applications have sparked an explosion of easily-accessible REST APIs. But how do you protect access to your API? Which security aspects are no longer relevant? Which security features are an absolutely must-have, and which additional security measures do you need to take into account?
 
  
These are hard questions, as evidenced by the deployment of numerous insecure REST APIs. Attend this session to find out about common API security pitfalls, that often result in compromised user accounts and unauthorized access to your data. We expose the problem that lies at the root of each of these pitfalls, and offer actionable advice to address these security problems. After this session, you will know how to assess the security of your APIs, and the best practices to improve them towards the future.
+
=== <span id="TALK_1645">Lessons From The Legion (The OWASP BeNeLux Remix) by Nick Drage</span> ===
====Bio====
 
Philippe De Ryck is a professional speaker and trainer on software security and web security. Since he obtained his PhD at the imec-DistriNet research group (KU Leuven, Belgium), he has been running the group's Web Security Training program, which ensures a sustainable knowledge transfer of the group’s security expertise towards practitioners.
 
  
 +
==== Abstract ====
  
===Creating An AppSec Pipeline With Containers In A Week How We Failed And Succeeded by Jeroen Willemsen===
+
Look at your job, your colleagues, your industry. Very smart people, working very hard... and yet it feels like we're losing.<br>
====Abstract====
+
<br>
Join us on our adventure of setting up a appsec pipeline with Docker containers. What did go wrong, how did we succeed? How do you fight false positives and how do you get the best out of the products out there without bothering the development teams too much.
+
''Why?''<br>
 +
<br>
 +
Cyber security has always been a technology driven, engineer led industry - self-taught practitioners have chosen tactics and point solutions based on what fits in with their preferred ways of working and studying. We need better strategies to make use of those tactics. We can learn those strategies from other contexts and conflicts to improve our own methods and practices.<br>
 +
<br>
 +
''Would you like to start winning?''
 
====Bio====
 
====Bio====
Jeroen Willemsen is a security architect with a passion for mobile and risk management. He loves to work on secure building blocks, security automation pipelines and embedding information security risk management controls in an agile environment. He is dedicated to help developers, product owners and architects to take security seriously in their daily development life (but not too serious of course ;-)).In his spare time he loves to experiment with new technologies and frameworks.”
 
  
 +
Nick is the Director of Path Dependence Limited, and has over two decades of experience in the cyber security field… previously he was "SecOps” before the term was invented, as well as having been a SysAdmin, PCI QSA, pre-sales analyst, CHECK Team Leader, and various other less well defined roles. Nick is currently a Cyber Security Consultant and Penetration Tester, with occasional forays into being a Wargame Umpire, Adversarial Analyst, or Professional Wildcard.
 +
 +
=== <span id="CyberWayFinder">Women in cybersecurity (CyberWayFinder)</span> ===
 +
OWASP BeNeLux and CyberWayFinder would like to invite you to a '''breakfast with other women in cybersecurity'''.<br>
 +
Since women make up 7% of the cybersecurity work force, they are a rare breed, and don't often meet each other. That is why "women in cybersecurity breakfasts" are popping up in conferences around the world.
 +
A small gathering with the women who will be present at our OWASP conference in the morning provides an excellent network opportunity to meet one another. We'll make sure you don't start out the day on an empty stomach, and provide you with some contacts, without missing out on the rest of the conference.<br>
 +
join us as of 08h30 at Lamot conference center, and also hear about the CyberWayFinder training program which is being created to help women transition their career into cybersecurity.<br>
  
 
<!-- Sixth tab -->
 
<!-- Sixth tab -->
  
= Social Event (TBD)=
+
= Social Event =
 +
 
 +
'''The Social Event is on Thursday, November 29th'''
 +
 
 +
The social event will be a unique opportunity to meet some of the trainers and speakers, as well the organisers or even peers.<br><br>
 +
 
 +
The social event will take place in restaurant [http://www.puro-mechelen.be/english Puro Mechelen], a couple of minutes from the conference center, on Thursday 29/11 at 19h00.<br><br>
 +
There is a fixed group menu (meat or fish) for '''59€/person''', drinks included.<br><br>
 +
Link to the [https://static1.squarespace.com/static/53bedc63e4b051fad94ee1f7/t/59b7d81ea803bbc8f65d85ee/1505220639318/Puro-groepsmenu.pdf Menus] (page 1), and the [https://static1.squarespace.com/static/53bedc63e4b051fad94ee1f7/t/54b57100e4b0ab0673e80e8d/1421177088856/drankenformules.doc.pdf drinks].
 +
<br>
  
== Social Event,starting at 7PM ==
+
'''Any participant pays individually. <br>Reservation via the form you'll receive after conference registration is mandatory.'''<br>
Thursday, November 23rd
 
;Dudok Tilburg
 
:Veemarktstraat 33
 
:5038 CT Tilburg
 
:http://www.dudok.nl/
 
Menu:
 
:As we are a big group, Dudok will prepare the following [[Media:Dudok menu OWASP.pdf|menu]] for us!
 
'''If you want to join the social event, don't forget to register for the social event via the registration:'''
 
:[[image:Register_now_red.png|link=https://owasp-benelux-day-2017.eventbrite.com |200px|alt=Register for the OWASP BeNeLux Day 2017 | Register for the OWASP BeNeLux Day 2017 ]]
 
  
  
(limited) open tap sponsored by :
+
<!--
[[File:Avi Logo Transparent Background 300pix.png|200px|link=https://avinetworks.com/]]
+
Address: TBD
  
 +
Menu:TBD
 +
-->
 
<!-- Seventh tab -->
 
<!-- Seventh tab -->
 
 
= Sponsor =
 
= Sponsor =
  
=== Become a sponsor of OWASP BeNeLux ===
+
''' Become a sponsor of OWASP BeNeLux! '''
  
 
There are 3 combined sponsorship packages (Gold, Silver or Bronze) that cover the BeNeLux chapter meetings 2019 and the BeNeLux OWASP Days 2018.
 
There are 3 combined sponsorship packages (Gold, Silver or Bronze) that cover the BeNeLux chapter meetings 2019 and the BeNeLux OWASP Days 2018.
  
Download our sponsor brochure TBD and contact [mailto:seba@owasp.org us] for questions or sponsorship confirmation!
+
Download our [https://www.owasp.org/images/8/8e/OWASP_BeNeLux_2018_Sponsorship_Form_v20181004.pdf sponsor brochure] and contact [mailto:seba@owasp.org us] for questions or sponsorship confirmation!
  
 
Your sponsorship will be invested directly in the chapter meetings, supporting speaker and catering expenses.  
 
Your sponsorship will be invested directly in the chapter meetings, supporting speaker and catering expenses.  
Line 363: Line 508:
 
<!-- Don't remove these two lines! -->__NOTOC__  
 
<!-- Don't remove these two lines! -->__NOTOC__  
 
<headertabs></headertabs>
 
<headertabs></headertabs>
 
 
  
 
=== Made possible by our {{#switchtablink:Sponsor|Sponsors}}===
 
=== Made possible by our {{#switchtablink:Sponsor|Sponsors}}===
'''Hosted by'''
 
  
 +
==== Gold ====
  
'''Platinum:'''
+
[[File:DavinsiLabs.png|250px|link=https://www.davinsilabs.com]]
 +
[[File:Vest.jpg|250px|link=http://www.vest.nl]]
  
  
'''Gold:'''
+
==== Silver ====
  
 +
[[File:LogoIngenicoGroup.png|250px|link=https://ingenico.be]]
 +
[[File:LogoToreon.jpg|250px|link=https://www.toreon.com]]
 +
[[File:LogoSynopsys.png|250px|link=https://www.synopsys.com]]
 +
[[File:Nviso_logo_RGB_baseline_200px.png|250px|link=http://www.nviso.be]]
  
'''Silver:'''
 
  
  
'''Bronze:'''
+
==== Bronze ====
  
 +
[[File:Logo_Informatiebeveiliging-200.png|250px|link=https://informatiebeveiliging.nl/]]
  
 
[[Category:OWASP_AppSec_Conference]]  
 
[[Category:OWASP_AppSec_Conference]]  
 
[[Category:OWASP_BeNeLux_Archives]]
 
[[Category:OWASP_BeNeLux_Archives]]

Latest revision as of 14:52, 13 December 2018

OBNL18 Banner v2.png



Thanks to all speakers and trainers, sponsors and volunteers who could make this 2018 edition a success.

Sad you missed the conference? No problem, just have a look at the video recordings!


Save the date

See you next year in the Netherlands: 28 and 29 November 2019


Confirmed Conference Speakers

  • David Scrobonia
  • Niels Tanis
  • Jeroen Willemsen
  • Björn Kimminich
  • Ralph Moonen
  • Jo Van Bulck
  • Lennert Wouters
  • Nick Drage

Confirmed Trainers

  • Andrew Martin
  • David Scrobonia
  • Jeroen Beckers - Stephanie Vanroelen


OWASP BeNeLux conference is free, but registration is required!

The conference is closed.

To support the OWASP organisation, consider to become a member, it's only US$50! Check out the Membership page to find out more.

The OWASP BeNeLux Program Committee

Tweet!

Event tag is #owaspbnl18

Donate

Registration is closed

To support the OWASP organisation, consider to become a member, it's only US$50! Check out the Membership page to find out more.


Address

Training venue

Novotel Mechelen Centrum
Van Beethovenstraat 1
2800 Mechelen
Belgium

Google maps

Conference venue

Congres- en Erfgoedcentrum Lamot
Van Beethovenstraat 8-10
2800 Mechelen
Belgium

Google map


Lamot conference center Auditorium


Parking:
Parking facilities
Find your parking on Google Maps

How to reach the venue?

Public transport

You can reach the Mechelen's train station from Antwerpen or Brussels. The Lamot conference center is 10 min away by bus (line 1).

Or you can choose to walk for 15 min (1.2 km).


By car

From Brussels:

Follow the E19 Brussels / Antwerpen and take the exit 10.
Follow the N1 until the R12 (take a left) and turn to the right at the "Brusselpoort" into the Hoogstraat to reach one of the parkings.

From Antwerpen:

Follow the E19 Brussels / Antwerpen and take the exit 9.
Follow the N16 until the R12 (take a right) and turn to the left at the "Brusselpoort" into the Hoogstraat to reach one of the parkings.


Hotels Nearby

Hotels around the Lamot conference center


Training Day is November 29th

Training Venue

The trainings will take place in the Novotel Mechelen Centrum hotel:
Van Beethovenstraat 1
2800 Mechelen
Google maps

Agenda

Time Description Training 1 Training 2 Training 3
(Hof van Busleyden 1) (Hof van Busleyden 2) (Hof van Kamerijk)
08h30 - 9h30 Registration
09h30 - 11h00 Training Kubernetes security by Andrew Martin OWASP Zap Training by David Scrobonia Android security workshop by Jeroen Beckers & Stephanie Vanroelen
11h00 - 11h30 Coffee Break
11h30 - 13h00 Training
13h00 - 14h00 Lunch
14h00 - 15h30 Training
15h30 - 16h00 Coffee Break
16h00 - 17h30 Training

Choose the most appropriate training as they will be hosted at the same time.

Trainings

Training 1 - Kubernetes security by Andrew Martin

Abstract

Course Description

The course guides attendees through Linux container security in general, and progresses to advanced Kubernetes cluster security. It emphasises pragmatic threat modelling and risk assessment based on an understanding of the tools and primitives available, rather than dogmatic dos and don’ts.

Course Outline
  • How to attack containerised workloads
  • Enhanced container security
  • How to attack Kubernetes
  • Interactive production cluster hacking
  • Hardening Kubernetes
  • Locking down applications
  • Security tooling and vendor landscape
Who Should Attend

This course is suitable for intermediate to advanced Kubernetes users who want to strengthen their security understanding. It is particularly beneficial for those operating Kubernetes in a high-compliance domain, or for established security professionals looking to update their skills for the cloud native world.

Participant requirements

Just a laptop with an SSH client please, ssh or PuTTY.

Bio

Andrew has a strong test-first engineering ethos gained architecting and deploying high-traffic web applications. Proficient in systems development, testing, and maintenance, he is comfortable profiling and securing every tier of a bare metal or cloud native application, and has battle-hardened experience delivering containerised solutions to enterprise clients. He is a co-founder at https://control-plane.io

Training 2 - OWASP Zap Training by David Scrobonia

Abstract

This hands on course will start with the basics of using ZAP attack proxy and finish with leveraging it's API to integrate ZAP within you CI/CD processes. Along the way we will be practicing techniques by attacking the OWASP JuiceShop, an intentionally vulnerable web application.

Audience

This couse is designed for both new and experienced users. No knowledge or experience with ZAP is required, but even those familiar with ZAP will learn something new.

Contents

  1. Basic Techniques & Manual Testing
  2. Advanced Techniques & Automated Testing
  3. Scripting with ZAP
  4. Using ZAP within your CI/CD Pipeline
Participant requirements

Please come prepared with the following tools installed:

If you have any trouble with the setup please feel free to reach out to davidscrobonia at gmail with questions.

Bio

David Scrobonia is a part of the Security Engineering team at Segment working to secure modern web apps and AWS infrastructure. He contributes to open source in his spare time and is a core team member of the OWASP ZAP project.

Training 3 - Android security workshop by Jeroen Beckers & Stephanie Vanroelen

Abstract

In this workshop, participants will come in contact with the basics of Android application security. Through hands-on exercises, Jeroen and Stephanie will show which mistakes can be made, both at the design and implementation level, that can compromise the security of both the application and the backend server. Although no real prior experience with Android is needed, some basic knowledge on programming is advised.

Participation requirements

  • Basic linux / terminal knowledge
  • Be able to understand the OWASP Top 10 (Not Mobile)
  • Laptop with VirtualBox / VMWare (At least 8GB of RAM)

Bio

Jeroen Beckers is a security researcher at NVISO. He focusses mainly on mobile applications for Android/iOS and sometimes even Windows Phone (yes, some people actually use it!). Apart from breaking mobile applications, he also gives security trainings and presentations at conferences.

Stephanie Vanroelen is an IT security consultant currently focussing on Web and Mobile Application Security. Her experiences in organizing IT Security conferences such as BruCON and CyberSKool help her with project management and communication skills. In her free time she pretends to be Godzilla :).


Conference Day is November 30th

Agenda

Time Speaker Topic Media
08h30 - 09h15 Registration / Women in cybersecurity (CyberWayFinder)
09h15 - 09h30 Opening
09h30 - 10h15 Lennert Wouters Fast, Furious and Insecure: Passive Keyless Entry and Start in Modern Supercars
10h15 - 11h00 Ralph Moonen Weaknesses in our voice communications network: from Blue Boxing to VoLTE Slides

Video

11h00 - 11h30 Morning Break
11h30 - 12h15 Niels Tanis When Serverless Met Security… Serverless Security & Functions-as-a-Service (FaaS) Slides

Video

12h15 - 13h00 David Scrobonia OWASP Zap Slides

Video

13h00 - 14h00 Lunch
14h00 - 14h45 Björn Kimminich Juice Shop: OWASP's most broken Flagship Slides

Video

14h45 - 15h30 Jo Van Bulck Leaky Processors: Stealing Your Secrets with Foreshadow Slides

Video

15h30 - 16h00 Afternoon Break
16h00 - 16h45 Jeroen Willemsen Fast forwarding Mobile Security with the MSTG Slides

Video

16h45 - 17h30 Nick Drage Lessons from the legion (The OWASP BeNeLux Remix) Slides

Video

17h30 - 17h45 Closing

Talks

Fast, Furious and Insecure: Passive Keyless Entry and Start in Modern Supercars by Lennert Wouters

Abstract

The security of immobiliser and Remote Keyless Entry systems has been extensively studied over the past years. Passive Keyless Entry and Start systems, which are currently deployed in luxury vehicles, have not received as much attention. During this presentation we will share the techniques used in reverse engineering the Tesla Model S Passive Keyless Entry and Start system. We will discuss multiple security weaknesses in the system including the use of an inadequate proprietary cipher using 40-bit keys, the lack of mutual authentication in the challenge-response protocol, hardware configuration mistakes and the absence of security partitioning.
We verified our findings by implementing a proof of concept attack allowing us to clone a Tesla Model S key fob in a matter of seconds with low cost commercial off the shelf equipment.
Finally, we will share our experience with the responsible disclosure of these finding to Tesla Motors and other likely affected manufacturers such as McLaren, Karma Automotive and Triumph Motorcycles as they all use the same system developed by Pektron.

Bio

Lennert Wouters is a PhD researcher at the Computer Security and Industrial Cryptography (COSIC) research group at KU Leuven. His research interests involve hardware security of connected embedded devices and side channel attacks.

Weaknesses in our voice communications network: from Blue Boxing to VoLTE by Ralph Moonen

Abstract

Voice over 4G, or VoLTE, brings back the phreaking 80's. Once again, after 3 decades, the signaling path of telephony is accessible to end users. No more R1, R2, C4 or C5 however: we now have SIP. As it turns out, the implementations of SIP and VoLTE in various European providers' 4G infrastructures, open up a host of possibilities. During our research over the past few years we have identified vulnerabilities in implementations such as txt message spoofing, subscriber enumeration, location determination (leakage of cell-ID and LAC), IMEI leakage and a potential SIM-card sharing attack.
During this talk we will begin with a little historic stroll of phone phreaking through notable events and discoveries over the years. Bridging the narrative over the last few decades, new technologies such as VoIP, Volte, and VoWiFi are introduced, explaining the 4G and VoLTE infrastructure components and protocols. Next, on a rooted Android phone, we will show what control the user has over the VoLTE stack using some standard tools and the IPv6 stack. This includes hidden activities in Android and extraction of IPsec keys from the VoLTE stack. We will show that it is possible to import keys to Wireshark and monitor the IPv6 SIP traffic and components. Finally, examples of the vulnerabilities in implementations such as txt message spoofing, subscriber enumeration, location determination (leakage of cell-ID and LAC), IMEI leakage and a potential SIM-card sharing attack will be explained.
Yes, a slightly technical nugget of knowledge, yet very accessible and a lot of fun!

Importance of presentation for involved audience
The phone systems of the world have always been of interest to everyone: from users who expect privacy, to intelligence agencies who want access. The privacy, integrity and confidentiality of voice communications over telecommunication networks is therefore of interest to anyone who uses mobile phones (i.e.: everyone). It is also typically a closed subject with very little research being done, relative to other security topics such as malware and application vulnerabilities. The combination of little research and high impact on everyone, makes that this topic deserves much more attention than it currently does. The VoLTE weaknesses we will describe are implementation dependent, and largely unpublished (i.e. new).

Bio

Ralph Moonen CISSP is Technical Director at Secura. Ralph is an old-school ethical hacker with 3 decades of experience as penetration tester, IT-auditor and security consultant. Now, as Technical Director, he is responsible for topics such as R&D and technical projects at Secura.

When Serverless Met Security… Serverless Security & Functions-as-a-Service (FaaS) by Niels Tanis

Abstract

Serverless is a design pattern for writing scalable applications in which Functions as a Service (FaaS) is one of the key building blocks. Every mayor Cloud Provider has got his own FaaS available. On Microsoft Azure there is Azure Functions, AWS has got Lambda and Cloud Functions can be used on the Google Cloud. All of these have a lot of similarities in the way they allow developers to create small event driven services.
From security perspective there are a lot of benefits when moving to a serverless architecture. There is no need to manage any of the machines and the underlying infrastructure. Dealing with updates, patches and infrastructure is the responsibility of the platform provider. FaaS are short lived processes which will be instantiated and destroyed in a matter of milliseconds making it more resilient to denial-of-services (DoS) and also makes it harder to attack and compromise.
But will all of this be sufficient to be ’secure’ or should we be worried about more? With serverless there is still a piece of software that will be developed, build, deployed and executed. It will also introduce a more complex architecture with corresponding attack surface which also makes it hard to monitor. What about the software supply chain and delivery pipeline? There still will be a need to patch your software for vulnerabilities in code and used 3rd party libraries. In this talk we will identify the security area’s we do need to focus on when developing serverless and define possible solutions for dealing with those problems.

Bio

Niels Tanis has got a background in .NET development, pentesting and security consultancy. He also holds the CSSLP certification and has been involved in breaking, defending and building secure applications. He joined Veracode in 2015 and right now he works as a security researcher on a variant of languages and technologies related to Veracode’s Binary Static Analysis service. He is married, father of 2 and lives in a small village just outside Amersfoort, The Netherlands.


OWASP Zap by David Scrobonia

Abstract

Intoducing security testing tools to a QA or developers workflow can be difficult when the tools aren't easy or intuitive to use. Even for security professionals, the friction of cumbersome security tooling can prevent them from getting the most from a tool or being effective with their time.
The OWASP ZAP team is working to help enable developers, QA, and hackers alike with the ZAP Heads Up Display, a more user friendly way to engage with the security testing tool. The Heads Up Displays integrates ZAP directly in the browser providing all of the funcitonality of the tool via a heads up display. The goal is to make ZAP more accessible and enabling users, especially developers, to integrate security in their daily workflows.
This talk will discuss the importance of usable tools, design tradeoffs made to improve usability, the various browser technologies powering the HUD, and how you can start hacking with a heads up display.

Bio

David Scrobonia is a part of the Security Engineering team at Segment working to secure modern web apps and AWS infrastructure. He contributes to open source in his spare time and is a core team member of the OWASP ZAP project.


Juice Shop: OWASP's most broken Flagship by Björn Kimminich

Abstract

OWASP Juice Shop is an intentionally insecure webapp for security trainings written entirely in Javascript which encompasses the entire OWASP Top Ten and many more severe security flaws. In this talk, you'll learn about this open-source project and its capabilities first-hand from its creator. Join a “happy shopper round trip,” enjoy a hacking demo of some of the built-in challenges, witness how to re-theme the Juice Shop into a security awareness booster for your own company, and learn how to set it up for a capture-the-flag (CTF) event in less than 5 minutes!

Bio

Björn Kimminich is responsible for global IT architecture and application security at Kuehne + Nagel. On the side, he gives IT security lectures at the non-profit private university Nordakademie. Björn also is the project leader of the OWASP Juice Shop and a board member for the German OWASP chapter.
GitHub Twitter LinkedIn


Leaky Processors: Stealing Your Secrets with Foreshadow by Jo Van Bulck

Abstract

For decades, memory isolation has been one of the key principles of secure system design. The recent wave of speculative execution attacks, including Meltdown, Spectre, and Foreshadow abruptly showed, however, that performance optimizations in modern processors fundamentally undermine application security.
This talk will review how speculative execution attacks work. What makes them dangerous, and why they require a paradigm shift in the way we think about application security. The talk will have a special focus on the recently disclosed Foreshadow CPU vulnerability, which led to a complete collapse of state-of-the-art Intel SGX technology, and necessitated hardware and software patches for all major operating systems and virtual machine hypervisors.

Bio

Jo Van Bulck is a PhD researcher at imec-DistriNet, KU Leuven, where he investigates hardware-level trusted computing from an integrated attack and defense perspective. His work resulted in a.o., the high-impact Foreshadow CPU vulnerability announced in August 2018, and several open-source secure processor prototypes.


Fast forwarding Mobile Security with the MSTG by Jeroen Willemsen

Abstract

After the startup of the mobile security project in 2010, the mobile security project and its testing guides have seen quiet some evolution. All of this changed quiet intensively when, in 2016, the Mobile Application Security Verification Standard (MASVS) and the Mobile Application Security Testing Guide (MSTG) were created. Now, two years fast forward: where are we now? How can you use it as a pentester or a developer? We will start with introducing the current state of the MSTG and its side-projects and then show various demos on iOS.

Bio

Jeroen Willemsen is a Principal Security Architect at Xebia. With a love for mobile security, he recently became one of the projectleaders for the OMTG project (MASVS & MSTG). Jeroen is more or less a jack of all trades with interest in infrastructure security, risk management and application security.

Lessons From The Legion (The OWASP BeNeLux Remix) by Nick Drage

Abstract

Look at your job, your colleagues, your industry. Very smart people, working very hard... and yet it feels like we're losing.

Why?

Cyber security has always been a technology driven, engineer led industry - self-taught practitioners have chosen tactics and point solutions based on what fits in with their preferred ways of working and studying. We need better strategies to make use of those tactics. We can learn those strategies from other contexts and conflicts to improve our own methods and practices.

Would you like to start winning?

Bio

Nick is the Director of Path Dependence Limited, and has over two decades of experience in the cyber security field… previously he was "SecOps” before the term was invented, as well as having been a SysAdmin, PCI QSA, pre-sales analyst, CHECK Team Leader, and various other less well defined roles. Nick is currently a Cyber Security Consultant and Penetration Tester, with occasional forays into being a Wargame Umpire, Adversarial Analyst, or Professional Wildcard.

Women in cybersecurity (CyberWayFinder)

OWASP BeNeLux and CyberWayFinder would like to invite you to a breakfast with other women in cybersecurity.
Since women make up 7% of the cybersecurity work force, they are a rare breed, and don't often meet each other. That is why "women in cybersecurity breakfasts" are popping up in conferences around the world. A small gathering with the women who will be present at our OWASP conference in the morning provides an excellent network opportunity to meet one another. We'll make sure you don't start out the day on an empty stomach, and provide you with some contacts, without missing out on the rest of the conference.
join us as of 08h30 at Lamot conference center, and also hear about the CyberWayFinder training program which is being created to help women transition their career into cybersecurity.


The Social Event is on Thursday, November 29th

The social event will be a unique opportunity to meet some of the trainers and speakers, as well the organisers or even peers.

The social event will take place in restaurant Puro Mechelen, a couple of minutes from the conference center, on Thursday 29/11 at 19h00.

There is a fixed group menu (meat or fish) for 59€/person, drinks included.

Link to the Menus (page 1), and the drinks.

Any participant pays individually.
Reservation via the form you'll receive after conference registration is mandatory.


Made possible by our Sponsors

Gold

DavinsiLabs.png Vest.jpg


Silver

LogoIngenicoGroup.png LogoToreon.jpg LogoSynopsys.png Nviso logo RGB baseline 200px.png


Bronze

Logo Informatiebeveiliging-200.png