OWASP Netherlands

News

Upcoming Meetings

We schedule our meetings on the OWASP Netherlands Meetup Group

Our meetings are open to the public, and you do not need to be a member to attend. Please do consider joining OWASP if you find our community, projects, and meetings valuable, or sponsoring this chapter.

Support the chapter

  • Speakers:
    We are continuously looking for speakers.
    Presentations: Are you working on an interesting subject, would you like to share your experience with the OWASP community, and do you have presentation skills? Please let us know! Any topic related to web application security is welcome!
    VAC, Vulnerability, Attack, Countermeasure: The VAC is a recurring part of the chapter meetings. The VAC is a half-hour in-depth technical presentation about a vulnerability, how it can be exploited and how to prevent it!
    Links: Speaker Agreement Template. Interested in presenting at a local chapter meeting? Please send an email to: netherlands ‘at’ owasp.org
  • Locations
  • Volunteers

Sponsors

OWASP BeNeLux Days 2021 sponsors:

Micro Focus
Secura
SIG
Vest
Contrast Security
Securify

June 16 2022

Meet-up setting: first physical meet-up in 2.5 years

Location: Trend Micro
Address: Herikerbergweg 92, 1101 CM Amsterdam

18:00 - 18:15 - Reception of attendees
18:15 - 19:00 - Pizza
19:00 - 19:15 - Welcome and OWASP updates
19:15 - 20:00 - Staying in control of your cloud application landscape by Priyam Awasthy and Spandan Chandra
20:00 - 20:15 - Break with drinks
20:15 - 21:00 - OWASP Cloud-Native Application Security Top 10

Staying in control of your cloud application landscape

Abstract:

At the end of 2021, 67% of all enterprise infrastructure was cloud-based. Cloud technologies are being consumed to host more and more applications. This talk will outline what security measures an organization and self-governed DevOps teams can implement to secure their cloud application landscape. During the session, we will talk about various strategies such as the types of virtualization or sandboxing used to protect cloud applications, how to manage authentication and authorization, and data protection.

Bio:
Priyam Awasthy:

Priyam has over 8 years of experience in Cyber Security with an emphasis on Penetration Testing and Cloud Security. He currently holds the position of Enterprise Application Security Lead at Canon EMEA where he is responsible for managing end-to-end security for applications and the cloud landscape.

Priyam has deep experience across a range of Cyber Security domains having carried out a range of engagements servicing a diverse portfolio of clients across multiple industries. He has developed strong leadership and people management skills, having led a variety of diverse teams performing a range of services.

Prior to joining Canon EMEA, Priyam led the Cloud Risk Advisory function for Deloitte Netherlands. He has wide experience in cyber security transformations (such as in Cloud and DevOps), technical security advisory and assessments, red teaming, security audits, and secure code development.

Spandan Chandra:

Spandan has over 7 years of experience in Cyber Security with an emphasis on Cloud Security and Risk & Compliance. He currently holds the position of Senior Auditor at Ahold Delhaize, where he is responsible for leading IT risk and compliance audits and advising IT teams on securing their IT environments, including cloud landscapes.

Prior to joining Ahold Delhaize, Spandan led the cloud security team for Deloitte Netherlands. Furthermore, he acted as SME for cloud transformations and cloud security advisory.

Spandan is well known for propagating security, risk and compliance across IT organizations, he was responsible for representing an organization in global digital data lake initiative for Oil and Gas industry. Additionally, he has also conducted multiple talks at organizations and open forums.

OWASP Cloud-Native Application Security Top 10

Abstract:

The cloud has lots of moving parts, and things will go wrong. This talk aims to start a discussion around the OWASP Cloud-Native Application Security Top 10 and what we, as engineers, can do to address some of the challenges with cloud security.

Bio:

Filip has worked in IT for over 15 years, 8 of those in cybersecurity with a focus on infrastructure and cloud security. He is currently part of Xebia Security, helping customers on their cloud journeys by using security to enable the organization to grow securely and most productively. His specialties are DevSecOps and cloud security. He likes to spend time researching new technologies in the cloud: designing and analysing cloud environments and integrating cloud with existing infrastructure. He’s passionate about using the defensive and offensive sides of security to bring additional value to the projects he is involved in. Prior to joining Xebia, Filip worked at FlowTraders as a security engineer, helping with the cloud transformation and working to secure their high-speed trading environments.


2022

May 19 2022 | April 21 2022 | March 17 2022 | February 17 2022 | January 20 2022

May 19 2022

This is an online meeting and will be streamed on YouTube. The meeting will start at 19:00.

Comparing Static Analysis Security Testing (SAST) tools and dependency scanners

Abstract:

There are many SAST tools and dependency scanners in the market. In this talk, the comparison results will be discussed of some SAST tools and dependency scanners. The comparison includes human experiences like usability and developer friendliness, but also metrics like true and false positives and overlapping reports between the tools. Tools that were compared are: SonarQube, Npm audit, FindSecurityBugs, Snyk, Semgrep, ShiftLeft Scan, OWASP Dependency Check, and OSS Index. The comparison was performed by scanning a ready-for-market Java-React web application.

Bio:

Wibren Wiersma is studying Cyber Security at the Radboud University in Nijmegen. He performed the SAST comparison as a research internship by Carthago-ICT. Before and during his study, Wibren worked for four years as a full stack developer for different ICT companies. Currently, he is working on his master thesis about a graph-based approach to detect outliers in academic publishing.

Infrastructure as Code (IaC) - security challenges and how KICS solves them

Abstract:
  • What is IaC
  • Security challenges around IaC
  • KICS OSS tool powered by Checkmarx and how it solves the challenges
Bio:

Lior Kaplan is Checkmarx’s open source officer, leading KICS open source project to Keep IaC Secure.

Secret Scanning Solutions

Abstract:

Nowadays collaboration is key in software development. One way it is achieved is through software code repositories, but the open nature and convenience they provide are met with the downside of human error. The problem occurs when these public code repositories handle authentication secrets such as API keys or cryptographic secrets. These secrets should be kept confidential, but it often happens that practices like adding the secrets to the code repository lead to accidental leakage. To prevent this, secret scanning tools have arisen on the market. Rabobank is trying to prevent secret leakage within the company in which collaboration via code repositories is key. The company wishes to determine what would be the best performing secret scanning tools available on the market and compare them with the tool they are currently using, CredScan. This paper starts by presenting what secret scanning is, the most common types of secrets which exist, the most common detection techniques implemented by secret scanning tools, and an overview of the most popular tools available on the market. Further, it presents the steps taken during the internship: conducting interviews to compose a requirements list for the tool; shortlisting the tools based on the requirements; testing the shortlisted tools in a testing environment, and comparing the results. The top three best alternatives have proved to be SpectralOps, Whispers and TruffleHog. Only SpectralOps is objectively better than CredScan whereas Whispers and TruffleHog output false positives.
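The abstract mentions the detection techniques secret scanners rely on without showing them. The following is an added example, written for this page and not code from CredScan, SpectralOps, Whispers or TruffleHog: it combines the two techniques most tools use, regex matching of fixed-format credentials and a Shannon entropy check on generic `name = value` assignments, and runs them over a constructed sample file. The patterns, the entropy threshold and SAMPLE_FILE are constructed for illustration; the AWS key in the sample is the placeholder value from AWS's own documentation.

```python
"""Minimal secret scanner showing the two detection techniques that the tools
compared in the talk combine: pattern matching for well-known credential
formats, and a Shannon entropy check on generic name=value assignments to cut
false positives.

Added example for the OWASP Netherlands page; it is not CredScan, SpectralOps,
Whispers or TruffleHog. The patterns, threshold and SAMPLE_FILE are constructed."""

import math
import re
from collections import Counter

# Fixed-format credentials: a match is a finding on its own.
KNOWN_FORMATS = {
    "aws-access-key-id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "github-pat": re.compile(r"\bghp_[A-Za-z0-9]{36}\b"),
    "private-key-block": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH |DSA )?PRIVATE KEY-----"),
}

# Generic assignments: the regex only nominates candidates; entropy decides.
GENERIC_ASSIGNMENT = re.compile(
    r"""(?i)(api[_-]?key|secret|token|passw(?:or)?d)\s*[:=]\s*['"]?([A-Za-z0-9_\-/+=]{12,})""")
ENTROPY_THRESHOLD = 3.5  # bits per character; constructed cut-off, tune on your own corpus
PLACEHOLDERS = re.compile(r"(?i)^(changeme|example|xxx+|your[_-]?|placeholder|dummy)")


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character; random-looking keys score high, words and repeats low."""
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values()) if n else 0.0


def redact(value: str) -> str:
    """Never echo a full secret into a report or CI log."""
    return value[:4] + "..." + value[-2:] if len(value) > 8 else "..."


def scan_line(line: str):
    """Return (kind, raw_value) findings for one line of text."""
    findings = []
    for kind, rx in KNOWN_FORMATS.items():
        for m in rx.finditer(line):
            findings.append((kind, m.group(0)))
    for m in GENERIC_ASSIGNMENT.finditer(line):
        name, value = m.group(1).lower(), m.group(2)
        if PLACEHOLDERS.match(value):
            continue  # obvious placeholder, not a leak
        if shannon_entropy(value) >= ENTROPY_THRESHOLD:
            findings.append((f"high-entropy-{name}", value))
    return findings


def scan_text(text: str):
    """Return (line_number, kind, redacted_value) for every finding in a file body."""
    return [(lineno, kind, redact(value))
            for lineno, line in enumerate(text.splitlines(), 1)
            for kind, value in scan_line(line)]


# Constructed sample "repository file"; the AKIA value is AWS's documented example key.
SAMPLE_FILE = """\
# settings.py, constructed sample
DB_PASSWORD = "changeme_please"
AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"
api_key = "kYx9Qv2LmZp8RtW4sHn6JbD3"
token = "aaaaaaaaaaaaaaaaaaaa"
-----BEGIN RSA PRIVATE KEY-----
"""

if __name__ == "__main__":
    for lineno, kind, value in scan_text(SAMPLE_FILE):
        print(f"line {lineno}: {kind} {value}")
```

Lines 3, 4 and 6 of the sample are reported; the placeholder password on line 2 and the low-entropy token on line 5 are not, which is exactly the false-positive trade-off the abstract describes between the compared tools: a pure regex scanner would flag line 5, a pure entropy scanner would miss line 6.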

Bio:

Raluca Viziteu is studying Information Security Technology at Eindhoven University of Technology for her master degree. She performed a comparison of secret scanning tools as a research internship for Rabobank. Raluca has previously studied Computer Science and Engineering at Eindhoven University of Technology. Currently, she is working on her master thesis on building a practical threat modeling methodology for supporting ICS device manufacturers and system integrators for Secura.

April 21 2022

This is an online meeting and will be streamed on YouTube. The meeting will start at 19:00.

Crawl Dutch government websites to collect statistics of SRI usage

Abstract:

In this work we crawled all major Dutch government websites to measure the adoption rate of Subresource Integrity (SRI). We crawled and evaluated close to 150,000 different pages on 477 different domains using a crawler that we developed. This resulted in approximately 1,000,000 different cross-origin script and link tags being evaluated. We found the adoption rate of SRI to be very low, with 8.4% of the tags having implemented SRI. For sensitive pages, such as login and registration pages, this number was slightly lower at 8.3%. Our findings indicate that most of these SRI-enabled references are due to Content Delivery Networks (CDNs) and utility providers providing HTML resource links already with proper integrity and crossorigin attributes. This is due to CDNs and utility providers being the most popular SRI-enabled domains to reference, in combination with almost no Dutch government websites having complete SRI coverage in their cross-origin resource references.
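To make the metric in the abstract concrete, here is an added example (written for this page, not the crawler from the talk) that computes an SRI integrity value for a resource body, verifies a fetched body against one, and audits a page for cross-origin script and stylesheet references that lack usable SRI. PAGE_ORIGIN, LIB_JS and SAMPLE_HTML are constructed for illustration.

```python
"""Subresource Integrity (SRI) in practice: compute the integrity value for a
resource, verify a fetched body against one, and audit an HTML page for
cross-origin <script> and stylesheet <link> tags without usable SRI.

Added example for the OWASP Netherlands page; it is not the crawler from the
talk. PAGE_ORIGIN, LIB_JS and SAMPLE_HTML are constructed for illustration."""

import base64
import binascii
import hashlib
from html.parser import HTMLParser
from urllib.parse import urlparse

SRI_ALGOS = ("sha256", "sha384", "sha512")  # the only digests browsers accept for SRI
PAGE_ORIGIN = "https://www.example.gov.nl"   # constructed origin of the audited page


def sri_hash(body: bytes, algo: str = "sha384") -> str:
    """Return an integrity attribute value such as 'sha384-<base64 digest>'."""
    if algo not in SRI_ALGOS:
        raise ValueError(f"SRI does not accept {algo}")
    digest = hashlib.new(algo, body).digest()
    return f"{algo}-{base64.b64encode(digest).decode('ascii')}"


def verify_sri(body: bytes, integrity: str) -> bool:
    """True if any recognised token in a (space-separated) integrity value matches body."""
    for token in integrity.split():
        algo, _, b64 = token.partition("-")
        if algo not in SRI_ALGOS:
            continue  # unknown algorithms are ignored, as browsers do
        try:
            expected = base64.b64decode(b64, validate=True)
        except (binascii.Error, ValueError):
            continue
        if hashlib.new(algo, body).digest() == expected:
            return True
    return False


def is_cross_origin(url: str, page_origin: str) -> bool:
    """Same origin means same scheme and host[:port]; relative URLs are same-origin."""
    u, p = urlparse(url), urlparse(page_origin)
    if not u.netloc:
        return False
    scheme = u.scheme or p.scheme  # protocol-relative '//cdn...' inherits the page scheme
    return (scheme, u.netloc.lower()) != (p.scheme, p.netloc.lower())


class _SriAuditor(HTMLParser):
    def __init__(self, page_origin: str):
        super().__init__()
        self.page_origin = page_origin
        self.findings = []  # (tag, url, status)

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "script":
            url = a.get("src")
        elif tag == "link" and (a.get("rel") or "").lower() == "stylesheet":
            url = a.get("href")  # SRI applies to scripts and stylesheets
        else:
            return
        if not url or not is_cross_origin(url, self.page_origin):
            return
        if not a.get("integrity"):
            status = "missing-integrity"
        elif "crossorigin" not in a:
            # integrity on a cross-origin load needs CORS; without crossorigin the browser refuses it
            status = "missing-crossorigin"
        else:
            status = "ok"
        self.findings.append((tag, url, status))


def audit_html(html: str, page_origin: str = PAGE_ORIGIN):
    """List every cross-origin script/stylesheet reference with its SRI status."""
    auditor = _SriAuditor(page_origin)
    auditor.feed(html)
    return auditor.findings


def sri_coverage(findings) -> float:
    """Share of cross-origin references that carry usable SRI, the talk's adoption metric."""
    return sum(1 for _, _, s in findings if s == "ok") / len(findings) if findings else 0.0


LIB_JS = b"console.log('constructed library body');"  # constructed resource body
SAMPLE_HTML = f"""
<script src="/static/app.js"></script>
<script src="https://cdn.example.net/lib.js"
        integrity="{sri_hash(LIB_JS)}" crossorigin="anonymous"></script>
<link rel="stylesheet" href="https://cdn.example.net/lib.css">
<script src="//tracker.example.org/t.js" integrity="{sri_hash(b'x', 'sha256')}"></script>
"""

if __name__ == "__main__":
    findings = audit_html(SAMPLE_HTML)
    for finding in findings:
        print(*finding)
    print(f"SRI coverage: {sri_coverage(findings):.0%}")
```

The third sample tag shows a case a naive crawler would count as "SRI enabled": it has an integrity attribute but no crossorigin attribute, so the browser cannot verify the digest and refuses the load. Counting only tags with both attributes avoids over-reporting adoption.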

Bio:

My name is Tom Stock, a cyber security master student at the Radboud University with a passion for computers, pretty code and solving complex problems with simple software.

Web Security Map (basisbeveiliging.nl)

Abstract:

Absolute transparency moves people forward. What happens when you plot the state of security on a map? Organizations start to adapt and improve. This is an overview of the Web Security Map application, which can help you gain insight into huge amounts of security information about companies, up to entire countries. It’s an open source product which can help you change your part of the world. In this talk you’ll see the impact, how it works, what it does, where to get it and where to go from there.

Bio:

Elger Jonker is an ethical hacker who wants to make the world a better place. Elger is currently working on the next Dutch hacker camp: May Contain Hackers 2022 and has co-founded two hackerspaces Hack42 in Arnhem and Awesome Space in Utrecht. Professionally Elger specializes in the combination of software security, security testing and application development. Elger is currently the lead developer for internet.nl and has worked on other similar projects for the internet society. Of course there is more but this bio should only be so long… Oh, and Elger is doing software things for over 25 years now… which makes them old, but not yet always grumpy.

Security Transformation Program

Abstract:

We are living in a fast changing and very demanding world. New and evolving technologies bring along new cybersecurity threats increasing the pressure on SAP to evolve the security level of its software. With the migration to the cloud we have the responsibility to securely operate our software adding a layer of complexity into the security landscape. And if that was not enough, more and more countries are releasing strict data privacy regulations. There is no “one size fits all” solution any longer so that all our teams are faced with technical and regulatory requirements. To overcome these challenges new requirements, standards, and frameworks for developers and operations experts are extended or created regularly – but more does not always mean better. These initiatives quickly become exercises to fill in yet another excel file. Therefore, the CX Trust Office has initiated a CX Security Transformation Program to make security easy to consume for developers and operations experts by simplifying, automating, and providing guidance.

Story Line:

NIST, internal policies, external frameworks, SOC, and ISO certifications come with a big list of repetitive requirements, and very often the requirements are not built into the product but driven by external audits, changing architectures and products after they have been created and put into production. We have created a strategy with tooling to translate the requirements into executable, easy to understand instructions that remove complexity and duplication. We have set up our organization in cross-functional and functional teams that support executing the strategy, and a tool that glues these things together and provides guidance and the current status for all the frameworks and regulations.

Bio:

Dimitar Yanev: A natural leader who fosters collaboration with empathy and inspires teamwork by empowering people’s ability to unveil the best of themselves. Brings experience of driving complex strategic cross-company projects to success. Recognized for demonstrating out-of-the-box thinking and putting customers front and centre. Started his career in SAP Labs Sofia as a build engineer responsible for creating a home-grown complex Java build environment. Joined and led a task force to roll out static security analysis in SAP. During that time he gained an in-depth understanding of how leading SAST tools work and how to manage cross-company scaled projects. Led the first Security Self-Service & Automation work stream for SAP. Today Dimitar is Head of SAP CX Product Security Transformation and DevOps, defining, executing and developing tool support for the security transformation program for SAP CX.

Andreas Hauke was born in Würzburg, North Bavaria, Germany. He founded his first IT company during his school time at the age of 18, training employees in how to use standard software and doing web development for small companies. He started studying computer science and economics and paused to found his second company in the e-commerce space, selling furniture online. In this time he was responsible for developing the e-commerce platform based on open source, operating it in a co-location and also securing it against attacks. After the journey of an entrepreneur and closing the companies, he rejoined his studies and finished his bachelor’s degree with a focus on information security. During his studies he worked full-time as a consultant in different security projects, executing penetration tests or securing environments overall, also in critical infrastructure of the government. After his studies and a period as a freelancer, he joined Deutsche Telekom Cloud Services as a Cloud Architect and was responsible for establishing security in the newly developed OpenStack platform and did security due diligence for the partner solutions hosted on the platform. Besides that, he also trained the German army in networking and security. After Telekom he joined SAP as a Security Architect to secure the first productive SAP microservice platform developed by the Hybris team and took over the responsibility of helping to secure other solutions in the portfolio. Being part of SAP he helped acquisitions integrate into SAP, e.g. Callidus, Gigya and Coresystems. He also helped to pilot the first risk-based Secure SDL in SAP and initiated the first Security Self-Service & Automation work stream for SAP. He is also a certified Threat Model Expert & Trainer, ISO 27001 lead auditor and data protection officer, and did several courses on cryptography, security management and forensics.
At the moment he is leading the SAP CX Trust Office as CISO for SAP Customer Experience (CX) and drives the security transformation for this portfolio.

March 17 2022

This is an online meeting and will be streamed on YouTube. The meeting will start at 19:00.

Another great OWASP meet-up promised: we have Steve Springett, who will talk about the OWASP Dependency-Track tool & OWASP CycloneDX. He will share what is happening around these projects. Next to that we have Klaas Wijbrans sharing his industry insights on rules and regulations demanding SBOMs, the challenges they bring and solution directions. We will also announce three (3) new OWASP projects that will be executed in 2022, so stay tuned!
Introducing: The Security Champions Guidebook
Introducing: Guidelines on embedding SBOM in your organization

OWASP Dependency-Track and OWASP CycloneDX

Link to the recording

Abstract:

Software Bill of Materials (SBOM) have gained wide-spread support from the software industry, to critical infrastructure, to the White House. In this session, the OWASP CycloneDX SBOM standard will be introduced along with strategies for effectively creating SBOMs. Also introduced will be OWASP Dependency-Track, a platform that consumes and continuously analyzes SBOMs for security, operational, and license risk. Both of these flagship OWASP projects work together to allow organizations to make better risk-based decisions.
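As an added example for this page (not CycloneDX or Dependency-Track project code), the following builds a minimal CycloneDX 1.4 JSON SBOM from a dependency list and then matches its components against an advisory list by Package URL (purl), which is the key an SBOM consumer such as Dependency-Track correlates on. DEPS and ADVISORIES are constructed; the advisory ids are not real identifiers.

```python
"""Build a minimal CycloneDX 1.4 JSON SBOM from a dependency list, then match
its components against an advisory list by Package URL (purl), the way an SBOM
consumer such as Dependency-Track correlates components with vulnerability data.

Added example for the OWASP Netherlands page; it is not CycloneDX or
Dependency-Track project code. DEPS and ADVISORIES are constructed."""

import json
import uuid
from datetime import datetime, timezone


def maven_purl(group: str, artifact: str, version: str) -> str:
    """Package URL for a Maven artifact; the purl is the key SBOM consumers match on."""
    return f"pkg:maven/{group}/{artifact}@{version}"


def build_bom(deps) -> dict:
    """deps: iterable of (group, artifact, version) -> CycloneDX 1.4 document as a dict."""
    return {
        "bomFormat": "CycloneDX",
        "specVersion": "1.4",
        "serialNumber": f"urn:uuid:{uuid.uuid4()}",
        "version": 1,
        "metadata": {"timestamp": datetime.now(timezone.utc).isoformat(timespec="seconds")},
        "components": [
            {"type": "library", "group": g, "name": a, "version": v, "purl": maven_purl(g, a, v)}
            for g, a, v in deps
        ],
    }


def to_json(bom: dict) -> str:
    """Serialise the BOM the way it would be uploaded to an SBOM consumer."""
    return json.dumps(bom, indent=2)


def version_key(version: str):
    """Crude numeric ordering for dotted versions; non-numeric qualifiers rank lowest."""
    return tuple(int(p) if p.isdigit() else -1 for p in version.split("."))


def find_affected(bom: dict, advisories):
    """A component is affected when its purl (without version) matches an advisory
    and introduced <= version < fixed. Returns (purl, advisory id) pairs."""
    hits = []
    for comp in bom["components"]:
        base, _, ver = comp["purl"].partition("@")
        for adv in advisories:
            if base != adv["purl"]:
                continue
            if version_key(adv["introduced"]) <= version_key(ver) < version_key(adv["fixed"]):
                hits.append((comp["purl"], adv["id"]))
    return hits


DEPS = [  # constructed dependency tree of an imaginary Java service
    ("org.example", "widget-core", "1.8.3"),
    ("org.example", "widget-api", "1.8.3"),
    ("com.example", "util", "2.0.1"),
]
ADVISORIES = [  # constructed advisory feed; the ids are not real identifiers
    {"id": "ADV-CONSTRUCTED-0001", "purl": "pkg:maven/org.example/widget-core",
     "introduced": "1.0.0", "fixed": "1.9.0"},
    {"id": "ADV-CONSTRUCTED-0002", "purl": "pkg:maven/com.example/util",
     "introduced": "1.0.0", "fixed": "2.0.0"},
]

if __name__ == "__main__":
    bom = build_bom(DEPS)
    print(to_json(bom))
    for purl, adv_id in find_affected(bom, ADVISORIES):
        print(f"AFFECTED {purl} by {adv_id}")
```

Only widget-core 1.8.3 is reported; util 2.0.1 sits at or above the fixed version. A real consumer keeps the SBOM and re-runs this match every time the advisory feed changes, which is the "continuously analyzes" part of the abstract: the BOM does not change, the knowledge about it does.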

Bio:

Steve educates teams on the strategy and specifics of developing secure software. He practices security at every stage of the development lifecycle by leading sessions on threat modeling, secure architecture and design, static/dynamic/component analysis, offensive research, and defensive programming techniques. Steve’s passionate about helping organizations identify and reduce risk from the use of third-party and open source components. He is an open source advocate and leads the OWASP Dependency-Track project, OWASP Software Component Verification Standard (SCVS), and is the Chair of the OWASP CycloneDX Core Working Group, a Software Bill of Materials (SBOM) Standard.

Software Bill of Material – why do we need it, what is it and how can we overcome the current challenges

Link to the recording

Abstract:

The Executive Order on Cybersecurity of the Biden administration caused a lot of activity on the ‘software bill of material’. This talk will go into the details why it is being asked, what it consists of, and the practical challenges the industry needs to solve to reliably and efficiently create and use it in an automated way.

Bio:

Klaas Wijbrans is a fellow architect in the Chief Architect Office of Philips. He has thirty years of experience in complex, software-intensive systems and products like traffic control systems, storm surge barrier control systems, telecommunications equipment and medical systems. In Philips he is driving the standardization of Philips products to a common architecture and common technologies.

February 17 2022

This is an online meeting and will be streamed on YouTube. The meeting will start at 19:00.

How log4j became an epic - a story told by a developer and a product owner

Link to the recording

Abstract:

This talk will touch upon the log4j vulnerability, how it set everything on fire, what impact it had on our team, and what we have learned from the crisis.

Bio:

Rick te Brake has 12 years of experience in Java backend development. He has worked in the banking and healthcare industries. He likes to work with reactive microservices and functional programming.

Anna Rudenko is product owner in the same team, she has over 7 years of experience as Project manager and Product owner in the areas of software development, media production, charity and scientific research.
Previously, she was doing her Ph.D. in Cognitive Linguistics.

The Long-Term Impact of Log4j

Link to the recording

Abstract:

In its aftermath, Log4j vulnerabilities put the spotlight on vendor management and supply chain security practices. Now that the dust has settled and the worst of the fallout has passed, this talk presents perspectives on likely mid- and long-term changes that the security industry will see as a result of dealing with the Log4j issue as the latest in an escalating series of open source and software supply chain incidents.

Bio:

A globally recognized software security expert, Dan Cornell has over 20 years of experience architecting, developing and securing software systems. As Vice President of Product Strategy at Coalfire, Dan works with customers and industry partners to help drive the direction of their product portfolio. Prior to its acquisition by Coalfire, Dan was a founder of and the Chief Technology Officer at Denim Group, where he helped Fortune 500 companies and government organizations integrate security throughout the development process.

Cornell is an active member of the development community and a sought-after speaker on topics of application and software security, speaking at international conferences including RSA Security Conference, OWASP AppSec USA and EU, TEDx, and Black Hat CISO Forum. He holds three patents in the area of software security.

How log4j ruined our Christmas

Link to the recording

Abstract:

Early December a vulnerability was found in Log4j, an open-source logging library commonly used by apps and services across the internet. If left unfixed, attackers can break into systems, steal passwords and logins, extract data, and infect networks with malicious software.

This talk will outline why this vulnerability ruined Christmas and the potential impact log4j can or could have to your organisation.

Bio:

Owen has over 11 years of experience in Cyber Security with an emphasis in Penetration Testing and Red Teaming. He currently holds the position of Head of Cyber Resilience in Bank of Ireland where he is responsible for leading out the Security Testing, Incident Response and Threat Intelligence functions. Owen has deep experience across a range of Cyber Security domains having carried out a range of engagements servicing a diverse portfolio of clients across multiple industries. He has developed strong leadership and people management skills, having led a variety of diverse teams performing a range of services.

Prior to joining Bank of Ireland, Owen led the Penetration Testing and Red Teaming functions for Deloitte Ireland. Furthermore, he acted as the Vulnerability Management Lead for the EMEA region.

Owen is an advocate of secure development and sat on the Global Board of Directors of OWASP for the last 4 years. Owen held the role of Secretary, Vice-Chair and Chair of the Global Foundation.

January 20 2022

This is an online meeting and will be streamed on YouTube. The meeting will start at 19:00.

A story on scaling threat modeling across 500+ DevOps teams.

Link to the recording

Abstract:

This talk is not about “what is threat modelling, and what are the different methodologies?”. This is well known and understood by now. With every organization moving towards DevSecOps, the difficult question is “how to do Threat Modeling at scale?”. I want to take this opportunity to share with you the ABN AMRO story about how we did this!

Bio:

Abhishek K. Goel is a Security Consultant at ABN AMRO and the IT lead for the Threat Modelling capability at the bank. He is a senior security engineer responsible for enabling security in DevOps across the bank.
Before ABN, he was a Lead Security Consultant with Deloitte USI and enabled security in CICD pipelines for clients across the globe.

Gamification of Threat Modelling

Link to the recording

Abstract:

The talk is all about doing security architecture and threat modelling work as part of development planning.
The presentation starts by introducing OWASP Cornucopia and the simplified OWASP “Top 5” for developers and then moves into looking at how one can practically include a form of threat modelling (using Cornucopia) into one’s agile development practises in an effective manner.
There is a brief discussion on gamification, covering the usual FAQs on that and then it moves onto implementation at scale and some of the experiences we’ve had there.

Bio:

Co-founder of Secure Delivery and current OWASP Global Foundation board member, Grant Ongers (@rewtd), is a firm believer in security enabling delivery not blocking it. The philosophy and purpose of Secure Delivery is in the name: optimal delivery and security in one nimble and adaptive offering.
Grant’s experience spans Dev - building platforms for Telcos, MSPs and Financial institutions for more than 10 years. 20+ years in Ops, running operational teams in global NOCs to managing mainframe and database systems. He also has over 30 years pushing the limits of (Info)Sec - mostly white-hat. He’s worked on both sides of the TPSA table, for and with regulated orgs ensuring compliance and matching “appetite for” with “acceptance of” risk.
Grant’s community involvement is global: Staff at BSides (London, Las Vegas, and Cape Town), Goon at DEF CON (USA) for over a decade and DC2721 co-founder, staff at BlackHat (USA and EU).
Alongside his role as CTO within Secure Delivery, Grant provides C-suite advice and guidance on security to FTSE100 enterprises and strategic risk analysis within M&A diligence teams.

2021

October 28 2021 | September 30 2021

October 28 2021

This is an online meeting and will be streamed on YouTube: https://youtu.be/qR6JCkZgOlY.
The meeting will start at 19:00.

Our Secrets Management Journey: From Code to Vault

Abstract:

So you have an access key that you need to store somewhere. Maybe it is better not to put it in your code, nor in your container. But what about Kubernetes? What about a custom secrets storage solution? Of course, we tried many, sometimes funny, things to get our secrets secured. And luckily we ended up with a combination of safe methods, with Vault at its core. Want to know more? Join us, as we will go through various examples and their challenges!

Bio:

Jeroen Willemsen is a Principal Security Architect at Xebia and a jack of all trades in security. He loves to develop new software, set up DevSecOps support tooling, and help companies with security programs. He enjoys sharing knowledge, which is why he published articles, blogs and gave trainings and talks about various subjects.

Doing Security in DevOps, the right way!

Abstract:

Automation is not DevSecOps, but without automation there is no DevSecOps! Secret management, SAST, DAST, Pen Testing, Container Security, Secure Config Management etc. are about automating security. But let me ask you, can one reach nirvana in securing DevOps with solely automation? This talk will address ALL dimensions required for doing security in DevOps, so we get it right!

Bio:

Irfaan Santoe is a Global Security Director at Wolters Kluwer, advising the Business & IT on the information security ambition & implementation. Prior to Wolters Kluwer, Irfaan was the Global Head of Security Engineering at ABN AMRO bank and led the security implementation of ABN AMRO’s IT transformation towards DevOps. This transformation program is set to uplift more than 500 Dev teams to become DevOps, increasing security without breaking DevOps! Irfaan is a Master in Computer Science (a programmer at heart) and is fascinated by the Inner Science of Yoga & Meditation.

September 30 2021

On the 30th of September OWASP Netherlands will organize a pub quiz. The pub quiz will start at 20:00. To join the pub quiz, you need to join a Zoom meeting. Check the Meetup page for more information.

2020

November 23-27, 2020 | May 14, 2020 | April 9, 2020

November 23-27 2020, BeNeLux Days

See https://www.owaspbenelux.eu for information.

May 14, 2020

This is an online meeting about the Mobile Security Testing Guide and the Mobile Application Security Verification Standard by Jeroen Willemsen.
The talk will start at 20:00.

Watch the livestream at https://youtu.be/cuB8TNT0rMw.

April 9, 2020

The first talk will start at 20:00.

Schedule:

Watch the livestream at https://youtu.be/EtGyhWYSjVA.

2019

June 18, 2019 | January 17, 2019

June 18, 2019

https://www.meetup.com/OWASP-Chapter-Netherlands-Meetup/events/261811435/

18:30 - 19:00 Dinner
19:00 - 19:15 Welcome
19:15 - 20:00 Recon Recon by Martijn Baalman
20:00 - 20:15 Break
20:15 - 21:00 The Good, The Bad and The Ugly of Responsible Disclosure by Chrissy Morgan
21:00 - Closing and networking

Spaces Herengracht
Herengracht 124-128,
1015 BT Amsterdam

Martijn Baalman aka @x1m_martijn - “Recon Recon”:
In the daytime, Martijn is a pen tester at Qbit Cyber Security, and by night he is bug bounty hunting in the wild and sending PoCs to Detectify Crowdsource and other bug bounty platforms. Recon is key for finding vulnerabilities yet is tedious at times. Hackers, like developers, find that automation makes life easier, even recon. Martijn has developed something called ReconPi, a bug bounty reconnaissance tool that automates most of the (general) recon methods that hackers use. He’ll show you how he does all his recon, yes everything, on a Raspberry Pi 3 in his lightning talk.

Chrissy Morgan aka 5w0rdFish - “The Good, The Bad and The Ugly of Responsible Disclosure.”
So what has a jQuery bug that affected thousands of websites with one of the highest-starred GitHub repos with 7,800 forks, a Domain Name Registrar vulnerability which allowed full access to domain owner details (post GDPR) and data protection flaws within Microsoft’s Office 365 all got in common? … Answer: Responsible Disclosure. This talk will feature disclosure of each of these bugs and others, and the circumstances around reporting them, to highlight the problems security researchers face today when trying to do the right thing and to raise awareness of the security flaws so we are better protected.

About Chrissy:
Chrissy leads the IT Security Operations for a Close Protection company and in her spare time Chrissy has carried out research in the areas of web application security, Steganography, RFID, Physical Cyber Systems Security and is actively involved within the information security community across a wealth of subjects. She also runs The Co-Lab in London, which is a hardware hacking security research workshop. As a recent Napier Masters Graduate, she has accomplished the following successes so far: Winner of Cyber Security Challenge UK (University Challenge - Team Edinburgh Napier), CTF Finalist for the Pragyan CTF (Team Edinburgh Napier) , A BlackHat Challenge Coin winner for OSINT from Social Engineer.org and Black Hat Scholarship, Steelcon Award, WISP Sponsorship, was the BSides London Rookie Track Speaker Winner for 2018 and most recently won the ISC(2) Up and coming Security Professional 2019.

January 17, 2019

https://www.meetup.com/OWASP-Chapter-Netherlands-Meetup/events/257707239/

18:30 - 19:00 Dinner
19:00 - 19:15 Welcome, OWASP update
19:15 - 20:00 Machine Learning vs. Cryptocoin Miners by Jonn Callahan
20:00 - 20:15 Break
20:15 - 21:00 Running at Light Speed: Cloud Native Security Patterns by Jack Mannino
21:00 - Closing

Xebia
Laapersveld 27
1213 VB Hilversum

Machine Learning vs. Cryptocoin Miners:
With the advent of cryptocurrencies as a prevalent economic entity, attackers have begun turning compromised boxes and environments into cash via cryptocoin mining. This has given rise for the necessity to detect compromised environments by analyzing network traffic logs for evidence of cryptocoin miners operating within a given network. In this talk, I’ll be reviewing various ML and statistical analysis techniques leveraged against VPC Flow Logs for this very purpose. It will not be a deep dive of the math involved, but instead a general discussion of these techniques and why I chose them.

Download the presentation as PDF
Link to the recording

Running at Light Speed: Cloud Native Security Patterns
No matter how fast you ship software, a good design is critical to security. Cloud native systems are no exception. Containerized microservices running on distributed management and orchestration platforms, bring new challenges to address as well as classic software problems that we’ve been dealing with for years. Secure software design patterns can be used to model security controls at different trust boundaries within your architecture, providing security in a repeatable and consumable way. Using patterns such as the Service Mesh or Ambassador pattern lets us focus on proper security control placement and lifting security outside of the core services we’ve traditionally bolted security onto later.

The goal of this presentation is to arm software developers and security architects with reference architecture guidance that can be used in any cloud native environment. The topics we’ll cover include multi-tenancy considerations, authentication, authorization, encryption, and more. We will focus on newer cloud native architecture patterns as well as some classic software design patterns that are still applicable. At the end of this presentation, you’ll have a greater understanding of cloud native security design at an architectural level and you’ll be eager to begin white-boarding your ideas.

Download the presentation as PDF
Link to the recording

Speakers info:

Jonn Callahan has worked in appsec for half a decade across a wide variety of languages, technologies, and sectors. While constantly looking for new things to play with, he rediscovered his love for the universal language of math and, consequently, the power of statistical analysis and machine learning. He now seeks to dismantle the black magic of these techniques, showing that they don’t require an advanced mathematics degree to be leveraged, as well as to find novel ways to apply them within the security space.

Jack Mannino is the CEO of nVisium. Passionate about security and impossible to keep away from a keyboard, his expertise spans over 15 years of building, breaking, and securing software. Jack founded nVisium in 2009, and since then has helped the world’s largest software teams enhance security across their software portfolios. He has spoken at conferences globally on topics such as secure design, mobile application security, and cloud-native security.

2018

2017

2016

2015