Netherlands Previous Events 2011

OWASP Netherlands Chapter Meeting events held in 2011

Date & Time: November 14th, 2011 - 19:00. Location: Rotterdam

We are glad to announce David Rook (Twitter: @securityninja) as guest speaker from Ireland! More details to come!

David Rook is the Application Security Lead at Realex Payments in Dublin. He is a contributor to several OWASP projects, including the Code Review Guide and the Cryptographic Storage Cheat Sheet. He has presented at leading information security conferences including DEF CON, Black Hat USA and RSA Europe. In addition to his work with OWASP, David created a security resource website and blog called Security Ninja (http://www.securityninja.co.uk).

In 2010 the Security Ninja blog was nominated for five awards, including best technology blog at the Irish Blog Awards and the Computer Weekly IT Security blog award, and was a finalist for the Irish Web Awards Best Technology Site. In 2011 David received a Developer Security MVP award from Microsoft. David has recently become one of the first mentors in the Information Security Mentors project, helping young people progress their information security careers.

Abstract: Agnitio: the security code review Swiss army knife

Teaching developers to write secure code, helping security professionals find security flaws in source code, and producing application security metrics and reports with integrity checks and audit trails: if you want to implement an SDLC that produces secure software with the audit trails and reports frequently demanded by auditors and management, you need to acknowledge that these are key constituents and implement them in a form that is both easy to understand and easy to use.

This is far easier to talk about than it is to implement in the real world, where well-structured SDLCs are rare and application security programmes are usually underfunded. Working with developers, security professionals and management to cultivate an environment where secure code is written and flaws are found consistently requires both time and money. The same can be said for producing informative reports and metrics when all of your security code review data resides in Notepad, Word and Excel files. With these problems in mind I developed Agnitio to be my security code review Swiss army knife and released it as a free tool in late 2010.

In this demonstration-filled talk I will show how Agnitio can be used to address repeatability, integrity and audit trail concerns by requiring the creation of application profiles, the use of a security code review checklist consisting of over 80 application security questions, and mandatory integrity checks for reviews and reports created using the tool. I will demonstrate how the inbuilt secure coding and security code review guidance modules allow developers and security professionals to access the information they need precisely when they need it. I will also show how Agnitio automatically creates metrics and reports, bringing much-needed visibility to the security code review process with no extra effort required from the reviewer, developers or management.

Agnitio v2.1 will be demonstrated during this talk, showing how Agnitio's already powerful feature set has been expanded with guidance and questions linked to the OWASP Top 10 Mobile Risks, as well as the ability to decompile and analyse Android applications.

Alex Thissen is a principal architect at Achmea and concentrates on integration architecture and security. You can meet him at various conferences and seminars, where he shares his experiences from the field. He likes just about everything related to Microsoft products and technologies, but tries to focus on building secure web applications in distributed enterprise environments.

Abstract: Implementing SDLC and lessons learned

Paying attention to security during application development is a must. Yet, often we find that security didn't get the attention it should have had. One of the ways to force yourself to "think and act security" is to embed security in your development process. The Microsoft Security Development Lifecycle (SDL) is a platform-agnostic approach for applying security during the various stages of your development process. In this session you will get an overview of the Microsoft SDL and how it fits in "traditional" and agile projects. But with just an approach you are not done. This session will also show the hurdles that Achmea encountered during the implementation of an SDL, and what should be done to make an SDL successful. You will get to see the lessons learned from the Microsoft Competence Centre at Achmea IT.

OWASP at the GovCert Symposium 2011
The OWASP Netherlands Chapter will be present as a guest organisation at the GovCert Symposium 2011.

OWASP BeNeLux Day 2011
Mark your calendar for the 2011 edition: the OWASP BeNeLux Day 2011 is scheduled for the 1st and 2nd of December 2011 in Luxembourg.

Chapter Meeting July 6th 2011
Location: VU University Amsterdam, De Boelelaan 1081, 1081 HV Amsterdam

Speakers:

Nick Nikiforakis

Nick Nikiforakis is a PhD student at the Katholieke Universiteit Leuven, in Belgium.

He belongs to the DistriNet research group and specifically to the "Security & Languages" task force.

His current research interests include low-level security for unsafe languages and web application security.

Nick holds a BSc in Computer Science and an MSc in Distributed Systems from the University of Crete in Greece.

He worked for 3 years as a research assistant in the Distributed Computing Systems group at the Foundation for Research and Technology in Crete, where he did research in network data visualization, authentication schemes using mobile devices, and phishing countermeasures.

In the past, Nick has presented his work in academic conferences as well as hacking conventions.

His work can be found online at www.securitee.org.

Abstract: The increasing popularity of the World Wide Web has led more and more individuals and companies to identify the need to acquire a Web presence. The most common way of acquiring such a presence is through Web hosting companies, and the most popular hosting solution is shared Web hosting.

In this talk we investigate the workings of shared Web hosting and we point out the potential lack of session isolation between domains hosted on the same physical server. We present two novel server-side attacks against session storage which target the logic of a Web application instead of specific logged-in users. Due to the lack of isolation, an attacker with a domain under his control can force arbitrary sessions to co-located Web applications as well as inspect and edit the contents of their existing active sessions. Using these techniques, an attacker can circumvent authentication mechanisms, elevate his privileges, steal private information and conduct attacks that would be otherwise impossible. Finally, we test the applicability of our attacks against common open-source software and evaluate their effectiveness in the presence of generic server-side countermeasures.

Marco Balduzzi

Marco Balduzzi holds an MSc in computer engineering and has been involved in IT security for more than 8 years, with international experience in both industrial and academic fields.

He worked as a security consultant and engineer for different companies in Milan, Munich and Sophia-Antipolis, in the south of France, before joining EURECOM and the International Secure Systems Lab as a Ph.D. researcher.

He has presented at well-known and high-profile conferences all over the world (Black Hat, OWASP AppSec, NDSS) and currently speaks five different languages.

Being a Free Software sympathizer, in 2000 he co-founded the Bergamo Linux User Group and the University Laboratory of Applied Computing.

In former times, he was an active member of several open-source projects and Italian hacking groups.

Abstract: The (in)security of File Hosting Services

File hosting services (FHSs) are used daily by thousands of people as a way of storing and sharing files. These services normally rely on a security-through-obscurity approach to enforce access control: for each uploaded file, the user is given a secret URI that she can share with other users of her choice. This talk presents a study of 100 file hosting services and shows that a significant percentage of them generate secret URIs in a predictable fashion, allowing attackers to enumerate their services and access their file lists. An attacker can access hundreds of thousands of files in a short period of time, and this poses a very big risk to the privacy of FHS users. Indeed, using a novel approach, we show that attackers are aware of these vulnerabilities and are already exploiting them to gain access to other users' files. The talk concludes by presenting SecureFS, a client-side protection mechanism which can protect a user's files when uploaded to insecure FHSs, even if the files end up in the possession of attackers.

Chapter Meeting May 19th 2011
Location: Sogeti Nederland B.V., Wildenborch 3, 1112 XB Diemen

Speaker:

Jim Manico is a managing partner of Infrared Security with over 15 years of professional web development experience.

Jim is also the chair of the OWASP Connections Committee, one of the project managers of the OWASP ESAPI project, a participant in and manager of the OWASP Cheat Sheet Series, the producer and host of the OWASP Podcast Series, the manager of the OWASP Java HTML Sanitizer project, and the manager of the OWASP Java Encoder project.

When not OWASP'ing, Jim lives on the island of Kauai with his lovely wife Tracey.

Abstract Title: The Ghost of XSS Past, Present and Future. A Defensive Tale.

Description: This talk will discuss the past methods used for XSS defense that were only partially effective.

Learning from these lessons, we will also discuss present-day defensive methodologies that are effective, but place an undue burden on the developer.

We will then finish with a discussion of future XSS defense methodologies that shift the burden of XSS defense from the developer to various frameworks.

These include auto-escaping template technologies, browser-based defenses such as Content Security Policy, and JavaScript sandboxes such as the Google Caja project and JSReg.