OWASP Netherlands


  • On the 28th of October OWASP Netherlands will have an online Meetup. The Meetup will be streamed on YouTube. Check the “Upcoming Events” tab or the Meetup page for more information.
  • On the 30th of September OWASP Netherlands will organize a pub quiz. Check the Meetup page for more information.
  • Our neighbours to the south (Belgium) is holding a series of online events, on the third thursday of every month.
  • We are working on providing events in between, the first thursday of every month. (work in progress)
  • Scheduled physical meetings are postponed. Check the “Upcoming Events” tab or the mailing list for new meetings.

Upcoming Meetings

We schedule our meetings on the OWASP Netherlands Meetup Group

Our meetings are open to the public, and you do not need to be a member to attend. Please do consider joining OWASP if you find our community, projects, and meetings valuable, or sponsoring this chapter.

Past events

  • OWASP BeNeLux Days 2020, 23-26 November 2020: details on https://www.owaspbenelux.eu
  • May 14th 2020, there was a video presentation about the Mobile Security Testing Guide and the Mobile Application Security Verification Standard by Jeroen Willemsen. Watch the presentation at https://youtu.be/cuB8TNT0rMw.
  • April 9th 2020, there was a video presentation about SKF news by Riccardo ten Cate. Watch the presentation https://youtu.be/EtGyhWYSjVA.

Support the chapter

  • Speakers:
    We are continuously looking for speakers.
    Presentations: Are you working on an interesting subject, would you like to share your experience with the OWASP community and do you have presentation skills. Please let us know! Any topic related to web application security will be appreciated!
    VAC, Vulnerability, Attack, Countermeasure: The VAC is a re occuring part of the chapter meetings. The VAC is a half hour in-depth technical presentation about a vulnerability, how it can be exploited and how to prevent it!
    Links: Speaker Agreement Template Interested in presenting at a local chapter meeting, please send an email to: netherlands ‘at’ owasp.org
  • Locations
  • Volunteers


OWASP Corporate Member:


OWASP BeNeLux-Day 2017 sponsor:


Vest Secwatch Avi

SIG Secura Xebia Informatiebeveiliging

January 20 2022

This is an online meeting and will be streamed on YouTube. The meeting will start at 19:00.

A story on scaling threat modeling across 500+ DevOps teams.


This talk is not about “what is threat modelling, and what are the different methodologies?”. This is well known and understood by now. With every organization moving towards DevSecOps, the difficult question is “how to do Threat Modeling at scale?”. I want to take this opportunity to share with you the ABN AMRO story about how we did this!


Abhishek k. Goel is a Security Consultant at ABN Amro and the IT lead for Threat Modelling capability at the bank. He is a senior security engineer responsible for enabling security in DevOps across the bank.
Before ABN, he was a Lead Security Consultant with Deloitte USI and enabled security in CICD pipelines for clients across the globe.

Gamification of Threat Modelling


The talk is all about doing security architecture and threat modelling work as part of development planning.
The presentation starts by introducing OWASP Cornucopia and the simplified OWASP “Top 5” for developers and then moves into looking at how one can practically include a form of threat modelling (using Cornucopia) into one’s agile development practises in an effective manner.
There is a brief discussion on gamification, covering the usual FAQs on that and then it moves onto implementation at scale and some of the experiences we’ve had there.


Co-founder of Secure Delivery and current OWASP Global Foundation board member, Grant Ongers (@rewtd), is a firm believer in security enabling delivery not blocking it. The philosophy and purpose of Secure Delivery is in the name: optimal delivery and security in one nimble and adaptive offering.
Grant’s experience spans Dev - building platforms for Telcos, MSPs and Financial institutions for more than 10 years. 20+ years in Ops, running operational teams in global NOCs to managing mainframe and database systems. He also has over 30 years pushing the limits of (Info)Sec - mostly white-hat. He’s worked on both sides of the TPSA table, for and with regulated orgs ensuring compliance and matching “appetite for” with “acceptance of” risk.
Grant’s community involvement is global: Staff at BSides (London, Las Vegas, and Cape Town), Goon at DEF CON (USA) for over a decade and DC2721 co-founder, staff at BlackHat (USA and EU).
Alongside his role as CTO within Secure Delivery, Grant provides C-suite advice and guidance on security to FTSE100 enterprises and strategic risk analysis within M&A diligence teams.

February 12 2022

March 17 2022

April 21 2022

May 19 2022

June 16 2022


October 28 2021 | September 30 2021

October 28 2021

This is an online meeting and will be streamed on YouTube: https://youtu.be/qR6JCkZgOlY.
The meeting will start at 19:00.

Our Secrets Management Journey: From Code to Vault


So you have an access key that you need to store somewhere. Maybe it is better not to put it in your code, nor in your container. But what about Kubernetes? What about a custom secrets storage solution? Of course, we tried many, sometimes funny, things to get our secrets secured. And luckily we ended up with a combination of safe methods, with Vault at its core. Want to know more? Join us, as we will go through various examples and their challenges!


Jeroen Willemsen is a Principal Security Architect at Xebia and a jack of all trades in security. He loves to develop new software, set up DevSecOps support tooling, and help companies with security programs. He enjoys sharing knowledge, which is why he published articles, blogs and gave trainings and talks about various subjects.

Doing Security in DevOps, the right way!


Automation is not DevSecOps, but without automation there is no DevSecOps! Secret management, SAST, DAST, Pen Testing, Container Security, Secure Config Management etc. are about automating security. But let me ask you, can one reach nirvana in securing DevOps with solely automation? This talk will address ALL dimensions required for doing security in DevOps, so we get it right!


Irfaan Santoe is a Global Security Director at Wolters Kluwer advising the Business & IT on the information security ambition & implementation. Prior to Wolters Kluwer, Irfaan was the Global Head of Security Engineering at ABN AMRO bank and lead the security implementation of ABN AMRO’s IT transformation towards DevOps. This transformation program is set to uplift more than 500+ Dev-teams to become DevOps and increasing security without breaking DevOps! Irfaan is a Master in Computer Science (a programmer by heart) and is fascinated by the Inner Science of Yoga & Meditation.

September 30 2021

On the 30th of September OWASP Netherlands will organize a pub quiz. The pub quiz will start at 20:00. To join the pub quiz, you need to join a Zoom meeting. Check the Meetup page for more information.


November 23-27, 2020 | May 14, 2020 | April 9, 2020

November 23-27 2020, BeNeLux Days

See https://www.owaspbenelux.eu for information.

May 14, 2020

This is an online meeting about the Mobile Security Testing Guide and the Mobile Application Security Verification Standard by Jeroen Willemsen.
The talk will start at 20:00.

Watch the livestream at https://youtu.be/cuB8TNT0rMw.

April 9, 2020

The first talk will start at 20:00.


Watch the livestream at https://youtu.be/EtGyhWYSjVA.


June 18, 2019 | January 17, 2019

June 18, 2019


18:30 - 19:00 Dinner
19:00 - 19:15 Welcome
19:15 - 20:00 Recon Recon by Martijn Baalman
20:00 - 20:15 Break
20:15 - 21:00 The Good, The Bad and The Ugly of Responsible Disclosure by Chrissy Morgan
21:00 - Closing and networking

Spaces Herengracht
Herengracht 124-128,
1015 BT Amsterdam

Martijn Baalman aka @x1m_martijn - “Recon Recon”:
In the daytime, Martijn is a pen tester at Qbit Cyber Security, and by night he is bug bounty hunting in the wild and sending PoCs to Detectify Crowdsource and other bug bounty platforms. Recon is key for finding vulnerabilities yet is tedious at times. Hackers, like developers, find that automation makes life easier, even recon. Martijn has developed something called ReconPi, a bug bounty reconnaissance tool that automates most of the (general) recon methods that hackers use. He’ll show you how he does all his recon, yes everything, on a Raspberry Pi 3 in his lightning talk.

Chrissy Morgan aka 5w0rdFish - “The Good, The Bad and The Ugly of Responsible Disclosure.”
So what’s has a JQuery bug that affected thousands of websites with one of the highest starred GitHub repos with 7,800 forks, a Domain Name Registrar vulnerability which allowed for full access to domain owner details (post GDPR) and data protection flaws within Microsoft’s Office365 all have in common? … Answer: Responsible Disclosure. This talk will feature disclosure on each of the bugs and others, the circumstances around these when reporting, to highlight the problems security researchers face today when trying to do the right thing and to raise awareness of the security flaws so we are better protected.

About Chrissy:
Chrissy leads the IT Security Operations for a Close Protection company and in her spare time Chrissy has carried out research in the areas of web application security, Steganography, RFID, Physical Cyber Systems Security and is actively involved within the information security community across a wealth of subjects. She also runs The Co-Lab in London, which is a hardware hacking security research workshop. As a recent Napier Masters Graduate, she has accomplished the following successes so far: Winner of Cyber Security Challenge UK (University Challenge - Team Edinburgh Napier), CTF Finalist for the Pragyan CTF (Team Edinburgh Napier) , A BlackHat Challenge Coin winner for OSINT from Social Engineer.org and Black Hat Scholarship, Steelcon Award, WISP Sponsorship, was the BSides London Rookie Track Speaker Winner for 2018 and most recently won the ISC(2) Up and coming Security Professional 2019.

January 17, 2019


18:30 - 19:00 Dinner
19:00 - 19:15 Welcome, OWASP update
19:15 - 20:00 Machine Learning vs. Cryptocoin Miners by Jonn Callahan
20:00 - 2-:15: Break
20:15 - 21:00 Running at Light Speed: Cloud Native Security Patterns by Jack Mannino
21:00 - Closing

Laapersveld 27
1213 VB Hilversum

Machine Learning vs. Cryptocoin Miners:
With the advent of cryptocurrencies as a prevalent economic entity, attackers have begun turning compromised boxes and environments into cash via cryptocoin mining. This has given rise for the necessity to detect compromised environments by analyzing network traffic logs for evidence of cryptocoin miners operating within a given network. In this talk, I’ll be reviewing various ML and statistical analysis techniques leveraged against VPC Flow Logs for this very purpose. It will not be a deep dive of the math involved, but instead a general discussion of these techniques and why I chose them.

Download the presentation as PDF
Link to the recording

Running at Light Speed: Cloud Native Security Patterns
No matter how fast you ship software, a good design is critical to security. Cloud native systems are no exception. Containerized microservices running on distributed management and orchestration platforms, bring new challenges to address as well as classic software problems that we’ve been dealing with for years. Secure software design patterns can be used to model security controls at different trust boundaries within your architecture, providing security in a repeatable and consumable way. Using patterns such as the Service Mesh or Ambassador pattern lets us focus on proper security control placement and lifting security outside of the core services we’ve traditionally bolted security onto later.

The goal of this presentation is to arm software developers and security architects with reference architecture guidance that can be used in any cloud native environment. The topics we’ll cover include multi-tenancy considerations, authentication, authorization, encryption, and more. We will focus on newer cloud native architecture patterns as well as some classic software design patterns that are still applicable. At the end of this presentation, you’ll have a greater understanding of cloud native security design at an architectural level and you’ll be eager to begin white-boarding your ideas.

Download the presentation as PDF
Link to the recording

Speakers info: Jonn Callahan has worked in appsec for half a decade across a wide variety of languages, technologies, and sectors. While constantly looking for new things to play with, he rediscovered his love for the universal language of math and, consequentially, the power of statistical analysis and machine learning. He now seeks to dismantle the black magic of these techniques, showing that they don’t require an advanced mathematics degree to be leveraged, as well as to find novel ways to apply them within the security space Jack Mannino is the CEO of nVisium. Passionate about security and impossible to keep away from a keyboard, his expertise spans over 15 years of building, breaking, and securing software. Jack founded nVisium in 2009, and since then has helped the world’s largest software teams enhance security across their software portfolios. He has spoken at conferences globally on topics such as secure design, mobile application security, and cloud-native security.