2016-11-09

Agenda (tentative)

← Older revision

Revision as of 20:12, 9 November 2016

(24 intermediate revisions by the same user not shown)

Line 9:

Line 9:

== Confirmed speakers Conference ==

== Confirmed speakers Conference ==



{{#switchtablink:Conferenceday|<p>

{{#switchtablink:Conferenceday|<p>



*
[[BeNeLux_OWASP_Day_2016-2#Bart Preneel |
Bart Preneel > <u>Closing keynote:</u> The Future of Security
]]

+

* Bart Preneel > <u>Closing keynote:</u> The Future of Security



*
[[BeNeLux_OWASP_Day_2016-2#Yoris Koster |
Yorick Koster
>
The State of Security of WordPress (plugins)
]]

+

* Yorick Koster
-
The State of Security of WordPress (plugins)



*
[[BeNeLux_OWASP_Day_2016-2#Daniel Kefer |
Daniel Kefer > Handling of Security Requirements in Software Development Lifecycle
]]

+

* Daniel Kefer > Handling of Security Requirements in Software Development Lifecycle



*
[[BeNeLux_OWASP_Day_2016-2#Sebastian Lekies |
Sebastian Lekies > Securing AngularJS Applications
]]

+

* Sebastian Lekies > Securing AngularJS Applications

* Zakaria Rachid > Zap it !

* Zakaria Rachid > Zap it !

* Dario Incalza > Securing Android Applications

* Dario Incalza > Securing Android Applications
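Review bot: the Yorick Koster item uses a lone "-" as the separator between speaker and title while every other item in this list uses ">" (e.g. "* Daniel Kefer > Handling of Security Requirements in Software Development Lifecycle"); write it as "* Yorick Koster > The State of Security of WordPress (plugins)" for consistency. Dropping the section links here leaves this list plain text while the schedule table further down links every speaker and talk to its section; if that is intended, fine, but note the removed Koster link targeted "#Yoris Koster", which never matched the "Yorick Koster" heading, so the replacement at least retires a dead anchor. Giancarlo Pellegrino, who holds the 12h00 - 12h45 slot in the schedule table, is missing from this confirmed-speakers list.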

Line 180:

Line 179:

|| Securing Android Applications

|| Securing Android Applications

|-

|-



| 10h00 - 10h45 || Yorick Koster

+

| 10h00 - 10h45 ||
[[BeNeLux_OWASP_Day_2016-2#
Yorick Koster
| Yorick Koster]]



||  The State of Security of WordPress (plugins)

+

||
[[BeNeLux_OWASP_Day_2016-2#The State of Security of WordPress (plugins) |
The State of Security of WordPress (plugins)
]]

|-

|-

| 10h45 - 11h15

| 10h45 - 11h15

| colspan="2" style="text-align: center;background: grey; color: white" | ''Morning Break''

| colspan="2" style="text-align: center;background: grey; color: white" | ''Morning Break''

|-

|-



| 11h15 - 12h00 ||  Sebastian Lekies

+

| 11h15 - 12h00 ||
[[BeNeLux_OWASP_Day_2016-2#
Sebastian Lekies
| Sebastian Lekies]]



|| Securing AngularJS Applications

+

|
| [[BeNeLux_OWASP_Day_2016-2#Securing AngularJS Applications
| Securing AngularJS Applications
]]

|-

|-



| 12h00 - 12h45 || Giancarlo Pellegrino

+

| 12h00 - 12h45 ||
[[BeNeLux_OWASP_Day_2016-2#
Giancarlo Pellegrino
| Giancarlo Pellegrino]]



|| Compression Bombs Strike Back

+

|
| [[BeNeLux_OWASP_Day_2016-2#Compression Bombs Strike Back
| Compression Bombs Strike Back
]]

|-

|-

| 12h45 - 13h45

| 12h45 - 13h45
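Review bot: the talk cells for Sebastian Lekies and Giancarlo Pellegrino carry the cell separator split across two lines ("|" on its own line, then "| [[BeNeLux_OWASP_Day_2016-2#...") while the Yorick Koster talk cell keeps "||" on one line; in wikitable syntax a line beginning with "|" opens a new cell, so check the rendered rows for an extra empty column and normalise to the single-line "|| [[...]]" form used for the WordPress row. The link targets ("#Yorick Koster", "#Sebastian Lekies", "#Securing AngularJS Applications", "#Compression Bombs Strike Back", "#The State of Security of WordPress (plugins)") match the "===" headings added under Talks and Speakers, so the anchors resolve only as long as those headings keep exactly that wording.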

Line 198:

Line 197:

|| TBA

|| TBA

|-

|-



| 14h30 - 15h15 || Zakaria Rachid

+

| 14h30 - 15h15 ||
[[BeNeLux_OWASP_Day_2016-2#
Zakaria Rachid
| Zakaria Rachid]]



|| Zap it !

+

|
| [[BeNeLux_OWASP_Day_2016-2#Zap it !
| Zap it !
]]

|-

|-

| 15h15 - 15h45

| 15h15 - 15h45

| colspan="2" style="text-align: center;background: grey; color: white" | ''Break''

| colspan="2" style="text-align: center;background: grey; color: white" | ''Break''

|-

|-



| 15h45 - 16h30 || Daniel Kefer

+

| 15h45 - 16h30 ||
[[BeNeLux_OWASP_Day_2016-2#
Daniel Kefer
| Daniel Kefer]]



|| Handling of Security Requirements in Software Development Lifecycle

+

|
| [[BeNeLux_OWASP_Day_2016-2#Handling of Security Requirements in Software Development Lifecycle
| Handling of Security Requirements in Software Development Lifecycle
]]

|-

|-

| 16h30 - 17h15

| 16h30 - 17h15



| Bart Preneel

+

|
[[BeNeLux_OWASP_Day_2016-2#
Bart Preneel
| Bart Preneel]]



| <u>Closing Keynote:</u> The Future of Security

+

| [[BeNeLux_OWASP_Day_2016-2#Closing Keynote: The Future of Security
| <u>Closing Keynote:</u> The Future of Security
]]

|-

|-

| 17h15 - 17h30

| 17h15 - 17h30
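Review bot: the same split-cell markup appears in this region: the "Zap it !" and "Handling of Security Requirements in Software Development Lifecycle" talk cells and the Bart Preneel speaker cell put "|" on its own line before the "[[...]]" link; fold each into a single "| [[...]]" (or "|| [[...]]") line so every row keeps two columns. The "#Closing Keynote: The Future of Security" target matches the "===Closing Keynote: The Future of Security===" heading, but the confirmed-speakers list spells it "Closing keynote" with a lowercase k; pick one spelling so the list, the table and the heading agree. The "|| TBA" cell in the slot before 14h30 is still unresolved in this revision.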

Line 220:

Line 219:

== Talks ==

== Talks ==



===
Placeholder
===

+

===
The State of Security of WordPress (plugins)
===

+

Last July, we organised the Summer of Pwnage (sumofpwn.nl) targeting WordPress and WordPress Plugins. This has resulted in 118 findings; mostly affecting WordPress Plugins, but also WordPress Core. Looking at the reported types of vulnerabilities, by far the most reported type is Cross-Site Scripting. The majority of Cross-Site Scripting vulnerabilities were of the reflected type where the victim has to click on a malicious link or visit a malicious website (or advertisement). A fair share of them were stored though, and some of them even pre-auth.

+

+

Does this mean that WordPress is inherently insecure or is it just the Plugin eco system? In this talk, I'll present our view on the (in)security of WordPress and WordPress Plugins. In addition, I'll show how a WordPress installation can be compromised using Cross-Site Scripting (and how to protect) and a generic way to get remote code execution through PHP Object Injection will be demonstrated.

+

+

===Securing AngularJS Applications===

+

Since its birth, the Web evolved from a system to share and view scientific documents to a full-blown platform for sophisticated applications. While in the beginning most Web applications were implemented purely on the server-side, modern ones heavily rely on client-side components.

+

+

AnuglarJS is the latest addition in this process. Within an Angular application the server is merely a data storage facility with a few additional access checks. The core of the application is running on the client-side.

+

+

As Angular is specifically designed to work on the client-side, it attempts to remove the main points of friction for developers. By providing a templating system, two-way bindings and custom directives, DOM interactions can be reduced to a bare minimum.

+

+

From a security point of view this is very interesting as Angular removes the need for using some DOM APIs with very sharp edges (innerHTML, document.write). On the other hand, Angular introduces new ways of approaching application development that are largely unexplored in terms of security.

+

+

This talk provides an in-depth introduction to the security of Angular applications. It first introduces the core design ideas and security principles of AngularJS. Then, based on the experience of the Google Security Team, shows common security pitfalls that are specific to Angular applications. In general, the talk covers Angular's string interpolation functionality, strict auto-escaping templates, URL-based directives and insecure legacy APIs. All the presented issues are based on real-world bugs. The talk will demonstrate how to find and prevent these issues in practice.

+

+

===Compression Bombs Strike Back===

+

Network services often use data compression to reduce protocol message size. However, if data compression is not properly implemented, it can render entire applications vulnerable to DoS attacks. Abusing data compression to exhaust system resources is an old trick. For example, a zip bomb is a recursively highly-compressed file archive prepared with the only goal of exhausting the resources of programs that attempt to inspect its content. This attack was brought to the community attention in 1996 to mount DoS attacks against bulletin board systems.

+

+

While this may now seem an old, unsophisticated, and easily avoidable threat,we discovered that developers did not fully learn from prior mistakes. We looked at three protocols (i.e., HTTP, XMPP, and IMAP) and 11 network services including popular ones (e.g., Apache HTTPD, Tomcat, Prosody, and OpenFire) and discovered that the risks of supporting data compression are still often overlooked.

+

+

In this talk, we will walk through data amplification attacks starting from the ever-green zip bomb and xml bomb attacks until our recent results. We will present the current use of data compression in several popular protocol and network services, and 12 common mistakes that we observed at the implementation, specification, and configuration levels. In this talk, we will also present already patched resource exhaustion vulnerabilities which could have been used to perform Denial of Service attack against popular services.

+

+

===Closing Keynote: The Future of Security===

+

Computers are still getting faster by factor of two every 18 months, and the doubling time for memory and communications is even smaller. An increasing number of experts is developing and deploying ever more sophisticated security techniques. But cybersecurity incidents multiply and are more prominent in the media. Will the cloud and the Internet of Things offer us a secure infrastructure? Or are we heading for a security and privacy nightmare? What is the role of governments, companies and individuals? Do we need backdoors in security technologies to balance privacy and security? This seminar tries to answer these questions.

+

+

===Handling of Security Requirements in Software Development Lifecycle===

+

The bigger the company you're working in, the more technologies and methodologies used by development teams you are going to face. At the same time, you want to address security risks in an appropriate, reliable and traceable way for all of them.

+

+

After a short introduction of a unified process for handling security requirements in a large company, the main part of the talk is going to focus on a tool called SecurityRAT (Requirement Automation Tool) which has been developed in order to support and accelerate this process. The goal of the tool is first to provide a list of relevant security requirements according to properties of the developed software, and afterwards to handle these in a mostly automated way - integration with an issue tracker being used as a core feature. Work in progress and future plans will form the last part of the talk.

+

+

===Zap it !===

+

The OWASP Zed Attack Proxy (ZAP) is one of the world’s most popular and best maintained free security tools. In this talk we will cover some of the basic features of Zap and deep dive in some advanced features. We will also cover the ways you can use ZAP in your applications SDL.

+

== Speakers ==

== Speakers ==



===
Placehoder
===

+

===
Yorick Koster
===



Speaker
information
comes here

+

Yorick Koster is co-founder of Securify, an
information
security company focusing on all aspects of software security. Securify helps organisations to (proactively) secure their web and mobile applications, from design to go-live. In this we take a proactive approach (Build Security In) to catch and prevent vulnerabilities early, when still easy and cheap to fix.

+

+

Yorick has more than 10 years of experience in the field of software security and has found security vulnerabilities in a wide range of applications, including Internet Explorer, Office, .NET Framework, Adobe Reader, and WordPress.

+

+

===Sebastian Lekies===

+

Sebastian Lekies is an Information Security Engineer at Google and a PhD Student at the Ruhr-University Bochum. His research interests encompass client-side Web application security and Web application security testing. He graduated from University of Mannheim with a M.Sc. in Business Information Systems. At Google, Sebastian is part of the Security Test Engineering team that develops Google’s internal Web application security scanner and the externally facing Cloud Security Scanner (https://cloud.google.com/tools/security-scanner/). Before joining Google, Sebastian was part of SAP’s Security Research team, where he conducted academic research in the area of client-side Web application security. Sebastian is regularly speaking at academic and non-academic security conferences all around the World. He spoke at BlackHat US/EU/Asia, DeepSec, OWASP AppSec EU, Usenix Security, CCS, and many more...

+

+

===Giancarlo Pellegrino===

+

Giancarlo Pellegrino, is a post doctoral researcher of the System Security group at CISPA, Saarland University, in Germany. His main research interests include all aspects of web application security in particular security testing (black and white-box) and vulnerability analysis. Prior joining CISPA, Giancarlo worked at TU Darmstadt, Germany, and was member of the S3 group at EURECOM, in France. Until August 2013, he was Researcher Associate in the "Security and Trust" research group at SAP SE.

+

+

===Bart Preneel===

+

Bart Preneel received the Electr. Eng. and Ph.D. degrees from the KU Leuven (Belgium). He is a Full Professor at the KU Leuven where he heads the COSIC research group. He was visiting professor at five universities in Europe. He has authored more than 400 scientific publications and is inventor of 4 patents. Bart Preneel has participated to more than 30 EU funded projects and has coordinated five of those including the EU NoE ECRYPT. He has served as panel member and chair for the European Research Council. Since 1997 he is serving on the Board of Directors of the IACR (International Association for Cryptologic Research), from 2002-2007 as vice president and from 2008-2013 as president. He is a member of the Permanent Stakeholders group of ENISA and of the Academia Europaea. He has served on the advisory board of several companies and EU projects. He has served as program chair of 15 international conferences and he has been invited speaker at more than 90 conferences in 40 countries. In 2014 he received the RSA Award for Excellence in the Field of Mathematics.

+

+

===Daniel Kefer===

+

Daniel Kefer has been working in the application security field since 2007. Having started as a penetration tester, he soon became passionate about proactive security efforts and working closely with developers. Since 2011 he has been working for 1&1 where he focuses on design and continuous improvement of the internal secure SDLC process and its implementation in different development departments. Apart from 1&1, he also works as a volunteer for the OWASP OpenSAMM project.

+

+

===Zakaria Rachid===

+

Zakaria Rachid is a security consultant with some years of intense computing and security experience in critical environments (Telcos, mil...). He specializes in penetration testing, web applications security and trolling.

<!-- Sixth tab -->

<!-- Sixth tab -->

+

= Social Event =

= Social Event =
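Review bot: Dario Incalza is listed as a confirmed speaker and holds the "Securing Android Applications" slot in the schedule, but this hunk adds neither a talk abstract under Talks nor a bio under Speakers for him, so that slot has nothing to link to. Typos in the added text: "AnuglarJS" should be "AngularJS"; "threat,we" needs a space; "eco system" should be "ecosystem"; "several popular protocol and network services" should be "protocols"; "brought to the community attention" should be "community's attention"; "Denial of Service attack against popular services" should be "attacks"; "post doctoral" should be "postdoctoral"; "Prior joining CISPA" should be "Prior to joining CISPA"; "Researcher Associate" is presumably "Research Associate"; "participated to more than 30 EU funded projects" should be "participated in"; "Since 1997 he is serving" should be "has been serving"; "by factor of two" should be "by a factor of two"; the "Zap it !" abstract mixes "Zap" and "ZAP", and "your applications SDL" should be "your application's SDL".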
