OWASP Netherlands


2024


June 20 2024

Location: VU, Amsterdam
Address: De Boelelaan 1105

Please register via: https://www.meetup.com/owasp-chapter-netherlands-meetup/events/300855942

18:00 - 18:15 - Reception of attendees

18:15 - 19:00 - Pizza

19:00 - 19:15 - Welcome and OWASP updates

19:15 - 20:00 - Ship Happens: The Stormy Seas of Supply Chain Security by David Archer

20:00 - 20:15 - Break with drinks

20:15 - 21:00 - Technical leverage: dependencies are a mixed blessing by Fabio Massacci

Ship Happens: The Stormy Seas of Supply Chain Security

Abstract:

“The more I know about how software is made, the less I want to know” - Me

As a software developer with over a decade of experience and countless interactions with application security teams, I’ve discovered the unsettling complexities of modern software production. Despite what I thought I knew, the reality was far more intricate.

Modern software development is a sprawling network of open-source dependencies, sophisticated build tools, plugins, pipelines, and runtimes. These components are fundamental in securing critical sectors of our daily lives—finance, healthcare, infrastructure, transportation, and social interactions. However, this supply chain is under relentless attack and many of the potential threats are poorly understood.

This talk will delve into specific vulnerabilities, such as dependency poisoning and pipeline compromises, that exemplify the challenges we face. We’ll explore strategies to mitigate these threats and discuss practical takeaways that attendees can immediately implement in their software development practices. Expect to leave with a deeper understanding of supply chain security and with ideas to fortify your software factory against these escalating threats.

Bio:
David Archer:
David Archer is a Solution Architect at Endor Labs. He began his career as a software developer and witnessed significant shifts in how software is built over the last two decades. After spells as a development lead, product director and in pre-sales consultancy roles, David consistently saw a concerning trend: security often took a backseat amidst the hustle and bustle of development priorities.

Seeking to help address this balance, David took an opportunity in 2018 to work full-time in the field of application security with a particular focus on technologies that promise to enhance security without impeding development speed. Through his extensive experience with secure coding practices and hands-on experience with the myriad of code analysis tools like IAST, SAST, DAST, RASP and SCA, he gained valuable insights into their relevance and effectiveness in a modern software factory.

Technical leverage: dependencies are a mixed blessing

Abstract:

Modern applications are built upon a large supply chain of (possibly open source) libraries and tools. In finance, leverage is the ratio of debts (other people’s money) vs equity (your money), and Lehman Brothers made that concept famous. For software, technical leverage is the ratio between other people’s code and your own code. I will argue with some examples from the Maven, Python and NPM ecosystems that this is both a risk and an opportunity. Lehman Brothers were 30 to 1; what about the Software Sisters?

Bio:
Fabio Massacci:
Fabio Massacci is a co-author of CVSS v4. Among other things, he is also a professor at Vrije Universiteit. He has been a speaker at hackers’ venues (BlackHat USA, Asia), scientific security conferences (IEEE S&P, CCS), software engineering (ICSE, MSR) and risk analysis (SRA) conferences. He coordinates the EU project Sec4AI4Sec (the name tells it all) and an NWO project on using AI for security threat intelligence. While almost all professors are sellers of tech (through their papers or their spin-offs), he was also for 7 years deputy for ICT procurements and services, supervising a 70+ workforce and a few million euro in outsourcing contracts. Being a buyer of tech makes a difference in perspective.

May 23 2024 - Cyber Booked

The local Dutch Chapters of OWASP, ISACA and ISC2 are, together with the Secure Software Alliance (SSA), joining forces to host a physical event called “Cyber Booked” which is going to be one of a kind. This event offers the opportunity to learn from and meet & greet with both new and well-respected (Dutch) Cybersecurity authors, who have been known to contribute to the security industry.

About the Event
The Cyber Booked event is expected to have an attendance of 100-150 people in total, which will be a mix of different personas including but not limited to information security. It will be hosted on 23 May 2024 in Hotel van der Valk in Breukelen. We have secured a lineup of authors of both new and well-known Cybersecurity books who reside and work in the Netherlands and contribute to or are part of the Cybersecurity industry. The event starts at 17:00 and will end at 22:00. There will be ample opportunity during the break and drinks for participants to meet and greet the authors as well as network and interact, not only with each other, but also with the sponsors.

Please register via: https://isaca.nl/events/cyber-booked-2024/

April 18 2024

This is an online meeting and will be streamed on YouTube. The meeting will start at 19:00.

Please register via: https://www.meetup.com/owasp-chapter-netherlands-meetup/events/299755205/

19:00 - 19:10 - Welcome and OWASP updates

19:10 - 19:55 - API Security: OWASP API Top 10 Unlocked by Erez Yalon and Paulo Silva

19:55 - 20:00 - Questions and Break

20:00 - 20:15 - OWASP Security Champions Guide by Cheyenne Seur

20:15 - 21:00 - How (not) to use secrets with OWASP WrongSecrets by Ben de Haan

API Security: OWASP API Top 10 Unlocked

Watch the recording

Abstract:

APIs play a central role in today’s economy, powering the exchange of data and services between applications and businesses. However, with great power comes great responsibility, and API security is more critical than ever.

In this session, we will discuss the OWASP API Security Top 10, a comprehensive guide to the most critical API security risks which was first released in 2019 and updated in 2023. We will then dive into real-world examples of API security issues found on well-known solutions powered by APIs, providing a detailed analysis of the vulnerabilities and the impact they could have had on the affected organizations.

By the end of this session, you will have a better understanding of the importance of API security and the steps you can take to protect your organization’s APIs from attacks.

Bio:
Erez Yalon:
Erez Yalon is the VP of Security Research at Checkmarx. Yalon oversees Checkmarx’s research team comprising analysts, pen testers, security engineers, and bug bounty hunters. He brings vast experience to his position and his efforts to empower today’s developers and organizations to deliver more secure applications. Yalon is the Founder of the DEF CON AppSec Village and co-leads the OWASP API Security Project. Over the years, Yalon has been invited to speak at prominent events, including RSAC, Black Hat, DEF CON, and OWASP’s global conferences, and featured in news outlets such as Fortune, Forbes, Wired, TechCrunch, and Dark Reading.
Paulo Silva:
Paulo Silva is a security practitioner with a solid background in software development, who has spent the last decade focused on identifying critical vulnerabilities and breaking software. Paulo is a long-time OWASP volunteer and co-leader of the OWASP API Security Project, where he advocates for secure API practices and contributes significantly to mitigating security risks in the API landscape.

OWASP Security Champions Guide

Watch the recording

Abstract:

OWASP Security Champions Guide project team will provide updates on the release of the next OWASP Security Champions Guide!

How (not) to use secrets with OWASP WrongSecrets

Watch the recording

Abstract:

If you want to bring an app to production, you need to know where to put your secrets and how to access them safely. In this session, we’ll go into how to not use secrets with a purposefully vulnerable application. We hope you’ll take this knowledge and not make the same mistakes in your own app. Of course, you’ll also learn a thing or two on how to do secrets management properly. Alternatively, you can use this app to teach others!

Bio:
Ben de Haan:
I am a Freelance Security Consultant and engineer, and co-project lead of OWASP WrongSecrets. My specialties are security in application development/SRE and cloud. Outside of regular work, I like to spend time creating cool (and secure) apps.

March 21 2024

Location: Ordina
Address: Ringwade 1, 3439 LM Nieuwegein

Please register via: https://www.meetup.com/owasp-chapter-netherlands-meetup/events/299257952/

18:00 - 18:15 - Reception of attendees

18:15 - 19:00 - Pizza

19:00 - 19:15 - Welcome and OWASP updates

19:15 - 20:00 - How to get Dev(Ops) teams to start adopting DevSecOps by Sebastiaan Rijnbout

20:00 - 20:15 - Break with drinks

20:15 - 21:00 - Cracking the API: Challenges in IoT and Modern Applications by Yianna Paris

How to get Dev(Ops) teams to start adopting DevSecOps

Download the presentation

Abstract:

In many development environments, security has long been seen as an afterthought or even an outright hindrance. And forcing security onto developers often has an adverse effect. In this talk we will share the journey we have been making at the Dutch Chamber of Commerce (KVK) to get Development teams to adopt DevSecOps in a way that works best for them. Topics that will be discussed include Secure Development training, Security Champions, Threat Modeling and using the right tooling.

Bio:
Sebastiaan Rijnbout:
Sebastiaan Rijnbout has a background as a .NET developer and has worked in that field for over 12 years, but since 2017 he has been focusing on AppSec and Dev(Sec)Ops.

When getting teams and organisations to adopt DevSecOps, Sebastiaan will look at all aspects of DevSecOps (People, Process and Technology) like setting up developer training programs and security champion programs, rolling out company-wide Security tooling and improving working processes. But always keeping a focus on making things easy and efficient for developers.

In his current role at the Dutch Chamber of Commerce (KVK) Sebastiaan acts as Product Owner for 4 Dev(Sec)Ops support teams. These teams are responsible for enabling all development teams at KVK to deliver secure and high-quality software as efficiently as possible.

Cracking the API: Challenges in IoT and Modern Applications

Download the presentation

Abstract:

Securing APIs is about more than just an endpoint; it’s about the data shared, customer privacy, and the access we give to unauthorised parties. Now that we are connecting more devices than ever, to more third parties than ever, securing APIs needs an offensive mindset from the design phase.

In this talk I’ll go over some of the techniques I use when testing, common issues I’ve found and their impact, and the state of IoT and modern web applications.

Security issues can arise from misconceptions early in the software process, so I’ll also discuss how we might mitigate some of these with thoughtful design, architecture and development.

Bio:
Yianna Paris:
From user experience to software engineering, Yianna has a diverse background with one thing in common - exploring the intersection between human interaction and technology. Currently she is an Offensive and Application Security Engineer at Xebia. Working in tech teams and researching new offensive techniques remains a daily drive for her. She's passionate about giving back to the community, having presented at DEFCON, hosted security meetups, delivered workshops, contributed to OWASP Low Code / No Code, as well as building and contributing to open source tooling.

February 15 2024

This is an online meeting and will be streamed on YouTube. The meeting will start at 19:00.

19:00 - 19:10 - Welcome and OWASP updates

19:10 - 19:55 - OWASP ModSecurity: A Few Plot Twists and What Feels Like a Happy End by Christian Folini

19:55 - 20:05 - Questions and Break

20:05 - 20:50 - OWASP Dependency-Track by Niklas Düster

OWASP ModSecurity: A Few Plot Twists and What Feels Like a Happy End

Watch the recording

Abstract:

ModSecurity is an open-source, cross-platform web application firewall (WAF) engine. Originally written by Ivan Ristić, it was acquired by Trustwave and then developed for over 10 years by Trustwave’s SpiderLabs.

ModSecurity exists as a module for the Apache HTTP Server, Nginx, and IIS (v2) and it has also been released as a standalone daemon for NGINX (v3), accessible via an API and a webserver-specific connector module. It is able to inspect HTTP requests and HTTP responses and it is configured via rules in a rather cumbersome config language called “SecLang”. OWASP CRS is the dominant rules project used by most ModSecurity users.

In 2021, Trustwave announced the end of support and the plan to hand over ModSecurity into the hands of the community by Summer 2024. OWASP tried to convince Trustwave to hand it over to the foundation several times, but only succeeded in November 2023. A plan was thus drawn and a new project was prepared from December 2023. The main repository was transferred on January 25 and OWASP ModSecurity was declared a “production level” OWASP project by the OWASP project committee.

The new project operates with a preliminary leader team, the first release is already out and the community is growing, all in line with the 3-6 month project plan drawn up in December 2023.

This talk gives an overview of the dynamics at play, how OWASP operates on projects like this, and what the perspectives are for ModSecurity and OWASP as a whole.

Bio:
Christian Folini:
Dr. Christian Folini is a Swiss security engineer and open source enthusiast. He brings 15 years of experience with ModSecurity configuration in high security environments, DDoS defense and threat modeling. Christian Folini is the author of the 2nd edition of the ModSecurity Handbook and the best known teacher on the subject. He co-leads the OWASP ModSecurity Core Rule Set project and serves as the program chair of the “Swiss Cyber Storm” conference.

OWASP Dependency-Track

Watch the recording

Abstract:

Since its inception over a decade ago, OWASP Dependency-Track has pioneered many concepts in the realm of software supply chain security, and software bill of materials (SBOM).

With increasingly more governments, regulators and organizations asking for SBOMs, the project is more relevant than ever. On the other hand, a non-negligible portion of folks is still puzzled as to what to even do with SBOMs once they have them.

In this talk, we’ll explore what Dependency-Track is, how it can help organizations in identifying and reducing risk in their software supply chain, and give an outlook into what’s next!

Bio:
Niklas Düster:
After years as a Security Engineer for a large European payment service provider, Niklas currently works as a Cloud Native Engineer for ControlPlane. He is passionate about AppSec, DevSecOps and Open Source. He co-leads the OWASP Dependency-Track project and is a contributor to the OWASP CycloneDX Bill of Materials standard, for which he maintains the official Go tooling.

January 18 2024

Location: Trend Micro Amsterdam
Address: Herikerbergweg 92, 1101 CM Amsterdam

Please register via: https://www.meetup.com/owasp-chapter-netherlands-meetup/events/297919320/

18:00 - 18:15 - Reception of attendees

18:15 - 19:00 - Pizza

19:00 - 19:15 - Welcome and OWASP updates

19:15 - 20:00 - Challenges in modern Red Teaming, external vs internal point of view by Marcin Wolak

20:00 - 20:15 - Break with drinks

20:15 - 21:00 - Red Teaming on MacOS by Ahmed Sherif and Ivan Kozlov

Challenges in modern Red Teaming, external vs internal point of view

Abstract:

The presentation will try to demonstrate limitations of external red teaming and show how internal red teaming could possibly fill in identified gaps.

Bio:
Marcin Wolak:
Marcin is a well-renowned ethical hacker / red teamer, blogger & researcher with over twenty years’ experience in IT and cybersecurity.

Red Teaming on MacOS

Abstract:

The focus of Red Teaming has predominantly been on Windows environments, reflecting its widespread use in corporate settings. However, the recent shift in corporate preferences towards MacOS necessitates a reevaluation and development of Red Teaming strategies specific to it. Our presentation delves into the challenges of MacOS during red teaming exercises.

Bio:
Ahmed Sherif:
A professional offensive security expert with 7 years of experience in pentesting / red teaming. Ahmed is working at ING global CISO.
Ivan Kozlov:
Red teamer at Global CISO of ING who hated macOS so much that he decided to dedicate his spare time to finding vulnerabilities and new red teaming tricks on Apple workstations. Reverse engineered and decrypted state actor malware using MS Paint.

2023


November 23-24 2023, BeNeLux Days

See https://www.owaspbenelux.eu for information.

October 19 2023

Location: Radboud University, Huygens building
Address: Heyendaalseweg 135, Nijmegen
Link: https://www.ru.nl/fnwi/faculteit/profiel/huygensgebouw

Please register via: https://www.meetup.com/owasp-chapter-netherlands-meetup/events/296179697/

18:00 - 18:15 - Reception of attendees

18:15 - 19:00 - Pizza

19:00 - 19:15 - Welcome and OWASP updates

19:15 - 20:00 - Hacking CI/CD Pipelines: Some use cases for hacking CI/CD orchestrators by Mauricio Cano

20:00 - 20:15 - Break with drinks

20:15 - 21:00 - Unveiling the secrets in your code: Detecting and Triaging exposed credentials at scale by Ingmar Vis

Hacking CI/CD Pipelines: Some use cases for hacking CI/CD orchestrators

Watch the recording

Abstract:

In this talk, we will discuss the hacking of CI/CD orchestrators, with a focus on GitHub Actions and what kind of things can be done from the perspective of a malicious insider. Some of the cases we will discuss are:
- Secret enumeration.
- Accessing infrastructure through runners.
- Public runners vs Private runners.
- Code injection in the pipeline and supply chain.
- GitHub commits information.
- Secret searching in the repository.
The goal is to provide a broad view on the attack surface that can be derived from CI/CD orchestrators and their runners, as well as to show a few demos on how this can be done.

Bio:
Mauricio Cano:
Mauricio Cano is a cloud pentester focused on container technologies. In particular, he focuses on the security of containers and serverless architectures. He has pentested Kubernetes clusters and serverless architectures for several multinational financial institutions. Prior to his security work, he has a background in academia and a Ph.D. in Computer Science from the University of Groningen, focused on programming language design and formal methods to ensure correctness. In his spare time, Cano enjoys reading, cooking, and solving puzzles.

Unveiling the secrets in your code: Detecting and Triaging exposed credentials at scale

Watch the recording

Abstract:

Security misconfigurations are often easy to exploit but also easy to avoid. How can we raise security awareness and at the same time prevent security misconfigurations (such as leaked credentials) from reaching production? Is there an easy way to scan, triage and follow-up on exposed secrets at enterprise scale? ABN Amro open sourced Repository Scanner and runs Repository Scanner internally at scale, exposing secrets in source code repositories and thereby raising security awareness while at the same time improving the security posture by remediating security misconfigurations.

Bio:
Ingmar Vis:
Ingmar Vis has been working in CI/CD for 7 years. In his current role, Ingmar acts as a Product Owner for 2 teams at ABN Amro. One team is responsible for delivering the Secure Coding capability for all developers; the second team is responsible for the infrastructure and automation of CI/CD tooling. Ingmar works on aspects such as Static Analysis, Software Composition Analysis, Container Security, and Secret Detection.

September 21 2023

Location: Hogeschool van Utrecht
Address: Heidelberglaan 15, 3584CS Utrecht

Please register via: https://www.meetup.com/owasp-chapter-netherlands-meetup/events/295296523/

18:00 - 18:15 - Reception of attendees

18:15 - 19:00 - Pizza

19:00 - 19:15 - Welcome and OWASP updates

19:15 - 20:00 - DAST in the world of DevSecOps by Amit Sharma

20:00 - 20:15 - Break with drinks

20:15 - 21:00 - SAST, DAST, IAST… xAST de-mystified by Martin Knobloch

DAST in the world of DevSecOps

Watch the recording

Abstract:

-

Bio:
Amit Sharma:
Amit Kumar Sharma is a Security Evangelist with more than a decade of experience in Application Security and Fuzz testing. He has worked in various roles including but not limited to Penetration Testing and Red Teaming. During his career he got a chance to work with various technologies in the domains of Telecom, Medical, ICS and Automotive Security. He works as a Security Specialist with Synopsys Inc., an organization which provides Products and Consultation on how security fits in the SDLC, evangelizing technologies like IAST, Open Source Security, Binary Analysis and Fuzz testing to uncover security issues. Currently his areas of research include DevSecOps, Security in SDLC, Kubernetes Security and Secrets Management.

SAST, DAST, IAST… xAST de-mystified

Watch the recording

Abstract:

Dev[Sec]Ops has embraced CI/CD’s build, test and deployment approach, now pushing secure test automation into the dev’s build pipelines.
Now SCA is added to the xAST security verification in your pipeline, as more is better, right?
But, without a clear expectation of what to expect from your tool (usage), how do you choose the right tool?
During this presentation, you will be guided to define the problem first, in order to choose the tools to solve it. Let’s grow maturity and not push security test automation into the development pipelines, but add useful quality assurance to your production line!

Bio:
Martin Knobloch:
Martin Knobloch, Global AppSec Strategist with Fortify, part of OpenText, is a long-time security leader with more than 25 years of experience in the field of IT and 15+ in cyber security.
With a background in software development and architecture, his focus is on software security. Martin is actively involved in OWASP where he is a frequent contributor to various projects and initiatives. Martin takes part in the organizing of local and global OWASP conferences and served more than 5 years as a member of the Board of Directors, two of them as Chairman of the board.
During his career, Martin has been a recognized teacher, guest lecturer at various universities and invited speaker and trainer at local and international software development, testing and security conferences throughout the world.

June 7 2023

Want to learn more about Web Application Firewalls?

Join the Dutch Chapters of OWASP, ISACA, and ISC2 for their first-ever combined online webinar on Wednesday, June 7th, from 19:00 to 21:00 CET.

Please register via: https://www.meetup.com/owasp-chapter-netherlands-meetup/events/293379819

19:00 - 19:10 - Welcome

19:10 - 19:30 - Web Application Firewalls by Aatif Khan

19:30 - 20:55 - Panel Discussion on Web Application Firewalls by Aatif Khan and Menno Swam and Nico van Rooyen moderated by Ramzy Elmasry

20:55 - 21:00 - Closing and Next Steps

To receive the LIVE stream details, register via:
https://isaca.nl/events/isaca-owasp-and-isc2-web-application-firewalls-webinar/

With an expert presentation and a panel discussion, you will have the opportunity to learn about best practices and get your questions answered by professionals in the field.

By combining the focus areas and driving forces of each Chapter, this event ensures that this topic will be addressed from different perspectives, such as risk, compliance, audit, cybersecurity, and technical.

Aatif Khan, a data-driven AI and cybersecurity expert, will kick off the webinar with a compact presentation on Web Application Firewalls (WAFs). After which, we will open the panel discussion and answer questions from the audience. Our panel members are Aatif Khan, Menno Swam and Nico van Rooyen.

See below for more information on our panel members and the topic.

Register today for this unique opportunity!

Panel Discussion on Web Application Firewalls

Watch the recording

Bio:
Aatif Khan:
Aatif Khan is a data-driven, seasoned AI & cyber security expert who is passionate about creating customer-focused products. His focus centers around developing cyber defense strategies, establishing security operations centers for large enterprises, developing data protection strategies, implementing data privacy in day-to-day operations, and developing AI strategy, governance, and risk management programs for enterprises. He specializes in building and scaling security programmes from startups to Fortune 500 organizations.

With 15+ years of experience in information security, Aatif has spoken at numerous conferences such as BlackHat, SANS & UK NCSC CyberThreat London, Security BSides London, Cyber Security Asia Malaysia, @Hack, etc., amongst other conferences across the EMEA region. He has been interviewed by the Associated Press, Voice of America, Hakin9, and numerous other media channels for his expertise on emerging cybersecurity threats. Aatif holds a Master of Science in Artificial Intelligence from LJMU, UK, and is currently working on AI-driven advanced threat detection and response with modern security analytics.
Menno Swam:
Menno is a Senior Specialist at KPMG IT Advisory The Netherlands, and part of the Cyber Assessment (CA) team. The CA team consists of cyber security specialists executing technical IT Advisory engagements, IT Auditing and management of IT infrastructure, IT processes and IT organizations.

Menno has experience in the field of Information Security and Risk Management for companies in the Financial services sector, due to his experience as an Information Security Officer and Internal Auditor. Moreover, he has specific knowledge of security frameworks (such as PCI-DSS and ISO27001) as well as the technical execution of financial law (such as WWFT and PSD2). While working in complex IT environments, Menno has been able to get accustomed with all facets of information security, both technical and non-technical. As such, he is able to translate technical findings and risks to business impact and opportunities.
Nico van Rooyen:
Nico is currently the CISO at CPro, a cyber security consulting firm and the one-stop shop for specialized cyber security services. They offer complete solutions that enable organizations of all sizes to protect their systems, networks, and data from digital threats. He is also a proud Executive Board Member of the ISACA NL chapter and has been an active member for many years.

He started his career as an IT auditor specializing in information security, at KPMG in South Africa and for the past decade, he has deepened his experience in information security while obtaining various certifications such as CISA, CISM, CEH, and COBIT.
During this time, Nico worked across various countries including Australia, Denmark, Israel, Sweden, Europe, the UK, and the USA.

In 2017, he moved to the Netherlands with his wife, who is expecting their second baby boy in September of this year.

May 25 2023

Location: Exact
Address: Molengraaffsingel 33, 2629 JD Delft

Please register via: https://www.meetup.com/owasp-chapter-netherlands-meetup/events/292932837/

18:00 - 18:15 - Reception of attendees

18:15 - 19:00 - Pizza

19:00 - 19:15 - Welcome and OWASP updates

19:15 - 20:00 - AppSec in IT contracts by Sebastian Avarvarei

20:00 - 20:15 - Break with drinks

20:15 - 21:00 - About containers and their escapes: understanding escape patterns and possibilities by Mauricio Cano

AppSec in IT contracts

Watch the recording

Abstract:

Back in 2018 I wrote: “In today’s multi-sourced enterprise, your security is as good as your worst written contract.” We have gotten better at writing security into commercial contracts since I first did my talk on this topic, but the yellow brick road ahead of us still goes some ways.

But how about AppSec, how well is it covered in our IT contracts? What are the pitfalls and the solutions? How do we avoid that someone else’s security issues become our security problems? And, by all means, let’s learn how to be a bit lazy, and do better with less effort!

Bio:
Sebastian Avarvarei:
Currently working as Information Security Manager at Canon EMEA, Sebastian has been in IT and Security for over 20 years, covering a multitude of roles ranging from Developer, Security Architect, Auditor and Consultant, before moving into security governance and management, giving him a unique multi-faceted view on today’s InfoSec challenges. He has led multiple security improvement programs and performed maturity assessments for a wide variety of organizations - while continuously asking himself: “Could we do this in another way?”

About containers and their escapes: understanding escape patterns and possibilities

Watch the recording

Abstract:

Containers have become one of the most common underlying infrastructures for microservice architectures. As such, they can often be part of the external attack surface of enterprise systems and applications (e.g., whenever a web application hosted on a Kubernetes cluster is Internet-facing). Thus, it is important to understand what types of (mis)configurations can make containers more vulnerable against attacks of different types. In this talk, Mauricio will deep dive into different techniques that can be used to escape containers. In particular, he will talk about how to escape privileged containers, the usage of different capabilities, the usage of kernel exploits and a few other ways attackers may use to gain access to the hosts of the containers.

Bio:
Mauricio Cano:
Mauricio Cano is a cloud pentester focused on container technologies. In particular, he focuses on the security of containers and serverless architectures. He has pentested Kubernetes clusters and serverless architectures for several multinational financial institutions. Prior to his security work, he has a background in academia and a Ph.D. in Computer Science from the University of Groningen, focused on programming language design and formal methods to ensure correctness. In his spare time, Cano enjoys reading, cooking, and solving puzzles.

April 20 2023

This is an online meeting and will be streamed on YouTube. The meeting will start at 19:00.

Please register via: https://www.meetup.com/owasp-chapter-netherlands-meetup/events/292323208/

OWASP Juice Shop

Download the presentation
Watch the recording

Abstract:

OWASP Juice Shop is probably the most modern and sophisticated insecure web application! It can be used in security training, awareness demos, CTFs and as a guinea pig for security tools!

Juice Shop encompasses vulnerabilities from the entire OWASP Top Ten along with many other security flaws found in real-world applications!

At this event, we will take a tour through the application, hack it live on screen, learn about Coding Challenges, CTF mode, cheat detection, custom theming, and more!

Bio:
Björn Kimminich:
Björn Kimminich works as Product Group Lead Application Ecosystem at Kuehne + Nagel, responsible – among other things – for the Application Security program in corporate IT. He is an OWASP Lifetime Member, the project leader of the OWASP Juice Shop, and a co-chapter leader for the OWASP Germany Chapter. Björn also currently chairs the OWASP Project Committee.

The Rise of the Security Verification Standard

Watch the recording

Abstract:

We are currently seeing a big uptick in the progression of the OWASP Application Security Verification Standard (ASVS) as well as the Mobile version (MASVS). Not only are two major releases in the pipeline (5.0 and 2.0 respectively) but we are now seeing industry stand up, take notice and start expecting more from applications, based on these standards. In this talk, Josh Grossman (one of the ASVS project leaders) will take you through these key developments including our vision for the upcoming version 5.0 of the ASVS and how you and your employer can be involved in the final release.
This will also be a chance to hear first-hand about a couple of new programmes in which you will see the SVSs being more widely used and required, and how you can prepare your organization for the significant impact this will have, whether you are developing applications or you are assessing them.

Bio:
Josh Grossman:
Josh Grossman has worked as a consultant in IT and Application Security and Risk for 15 years now, as well as a Software Developer. This has given him an in-depth understanding of how to manage the balance between business needs, developer needs and security needs which goes into a successful software security programme.

Josh is currently CTO for Bounce Security where he helps clients improve and get better value from their application security processes and provides specialist application security advice. His consultancy work has led him to work, speak and deliver training both locally and worldwide including privately for ISACA and Manicode and publicly for OWASP's Global AppSec conferences. In his spare time, he co-leads the OWASP Application Security Verification Standard project and is on the OWASP Israel chapter board.

He was also recognized as a Key Contributor for the OWASP Proactive Controls project and has also contributed to the OWASP Top 10 Risks project and the OWASP JuiceShop project.

March 16 2023

Delegates may be asked to provide a valid proof of photo ID (such as a driving licence or passport) to enter the venue.
This meetup's sponsor, Adyen - a financial services institution - works within a highly regulated environment, so we kindly ask for your understanding if you are asked to provide ID during your visit.

Location: Adyen
Address: Rokin 49, Amsterdam

Please register via: https://www.meetup.com/owasp-chapter-netherlands-meetup/events/291470656/

18:00 - 18:15 - Reception of attendees

18:15 - 19:00 - Pizza

19:00 - 19:15 - Welcome and OWASP updates

19:15 - 20:00 - Managing APIs securely by Rob Blaauboer

20:00 - 20:15 - Break with drinks

20:15 - 21:00 - Crash course on the OWASP API Security Top 10 by Colin Domoney

Crash course on the OWASP API Security Top 10

Download the presentation
Watch the recording

Abstract:

With the recent breaches to Optus, Twitter, and T-Mobile, 2023 is destined to become the year API security becomes the number one concern for organizations, both at the board level and within security and development teams. API security poses unique challenges to builders and defenders, and many of your existing detection and protection measures may prove to be ineffective.

Join Colin as he draws on his experience from curating the industry's biggest API security resource (APISecurity.io) in exploring the following:
Crash course on the OWASP API Security Top 10 (and how it differs from the OWASP Top 10)
A whistle-stop tour of some of the biggest API breaches over the past 18 months, taking a look at what went wrong, the impact, and most importantly, how to prevent such attacks.
Finally, he will present the top techniques for protecting your APIs from attack, starting with secure development practices through to API protection and threat detection.

The content will be technical, with demos and code samples, and based on real-world breaches. By the end of the session, you will have an understanding of the API Security Top 10, and have a working knowledge of how to protect your APIs, either at a code level or using runtime protections.

Bio:
Colin Domoney:
Colin has a long and varied career in producing secure, rugged, and trustable software and hardware products covering a range of industries from military, consumer, medical, automotive to financial services. In the last decade, he has become a sought-after evangelist and consultant in building AppSec programs, and the latest developments in DevSecOps. His greatest passion is for teaching and inspiring others to produce software we can trust, either delivering webinars, in-person events or speaking to the C-level.

Currently, he is the Chief Technology Evangelist with 42Crunch, the curator of the APISecurity.io newsletter, and is writing the industry’s first book on defending APIs.

Managing APIs securely

Abstract:

When an organization offers an API, the API needs to become a Managed API. This means that lifecycle management, security, and throttling of resources become important aspects of API Management, as does the ability of developers to find, explore and subscribe to APIs in order to use them.

During the presentation, Rob will zoom into these aspects and how an API Manager can help you with security and throttling (including schema validation and advanced scenarios) while at the same time making the API easily available to your target developers (inside or outside the organization).

In the second part, he will elaborate on the “shiny frontend / dirty backend”. This is an API frontend that accesses legacy systems, databases, but also the integration of a set of APIs etc., thus enabling services that use older technology or proprietary interfaces to have a modern appearance to the outside world, e.g. exposing a legacy insurance policy administration system as an API.

Thirdly, we will look at the way you can implement the Mastodon API. Since Elon Musk acquired Twitter last year, alternative platforms like Mastodon have become more popular. For some organizations this may become a viable channel to communicate with clients.

Bio:
Rob Blaauboer:
Rob has 30 years of experience in IT in such roles as developer, analyst, project manager, business consultant, and management consultant. He is currently Head of Training Services and Integration Consultant at Yenlo, responsible for the development and the actual training of Yenlo’s clients and consultants.

Next to these responsibilities, Rob is also an avid blogger with almost 200 blogs on innovation on Frankwatching, more than 150 blogs on WSO2 on Yenlo’s website and many other blogs on various other sites. Rob is also a regular contributor to the BNR Zaken Doen radio show in the area of technology and innovation.

January 19 2023

This is an online meeting and will be streamed on YouTube. The meeting will start at 19:00.

Bootstrap and increase your software assurance with OWASP SAMM v2.1

Download the presentation

Abstract:

With our new release OWASP SAMM v2.1 - the prime maturity model for software assurance - we provide an effective and measurable way for all types of organizations to analyze and improve their software security posture.

OWASP SAMM supports the complete software lifecycle, including development and acquisition, and is technology and process agnostic. It is intentionally built to be evolutive and risk-driven in nature.

During this talk Sebastien (project co-leader) will explain how to use SAMM in your organization, and then continue with the features added in the new release 2.1:
The introduction of SAMM Practitioners
SAMM Guidance for all Security Practice streams, including:
OWASP projects and content references
Mappings to other standards and models (including NIST SSDF, ISO27001, BSIMM, …)
Best practices
Tools
New SAMM guidance for development teams
The updated resources, including the online SAMMwise tools, the new PDF and the updated toolbox.

We will conclude with the outcome of our 2022 SAMM survey and the rebooted SAMM benchmark initiative.

Bio:
Sebastien Deleersnyder:
Sebastien (Seba) Deleersnyder is co-founder and CTO of Toreon. He started the Belgian OWASP chapter and was an OWASP Foundation Board member. With a development background and years of security experience, he has trained countless developers to create more secure software. Leading OWASP projects such as OWASP SAMM, he has genuinely helped make the world a safer place. What’s he currently up to? Right now, he’s busy adapting application security models to the evolving field of DevOps and is also focused on getting the word out on Threat Modeling to a broader audience.

OWASP Security Knowledge Framework

Abstract:

Education is the first step in the Secure Software Development Lifecycle. The free OWASP Security Knowledge Framework (SKF) is intended to be a tool that is used as a guide for building and verifying secure software. It can also be used to train developers about application security. This talk will help you as a developer to become THE Neo of your development team. We will show how you can do security by design and introduce other quality gates into your development pipeline to ensure high-end quality and security of your project.

Bio:
Glenn Ten Cate:
As a coder, hacker, speaker, trainer, and security chapter leader employed at ING Belgium, Glenn has over 20 years of experience in the field of security. He is one of the founders of defensive development [defdev], a security training series dedicated to helping you build and maintain secure software, and speaks at multiple other security conferences worldwide. Glenn and his brother Riccardo also donated an entire knowledge framework solely dedicated to helping developers make their code secure by design to OWASP. See SKF (Security Knowledge Framework).

2022

November 24-25 2022  |  October 20 2022  |  September 15 2022  |  June 16 2022  |  May 19 2022  |  April 21 2022  |  March 17 2022  |  February 17 2022  |  January 20 2022

November 24-25 2022, BeNeLux Days

See https://2022.owaspbenelux.eu for information.

October 20 2022

Location: Ordina
Address: Ringwade 1, 3439 LM Nieuwegein

18:00 - 18:15 - Reception of attendees

18:15 - 19:00 - Food and beverages

19:00 - 19:15 - Welcome and OWASP updates

19:15 - 20:00 - Attacking and Defending Kubernetes by Akshit Sharma and Mauricio Cano

20.00 - 20:15 - Break with drinks

20:15 - 21:00 - TIBER-EU, the European framework for threat intelligence-based ethical red-teaming by Givan Kolster

Attacking and Defending Kubernetes

Abstract:

Organizations are increasingly moving to cloud-based managed Kubernetes deployments given the numerous benefits over self-managed deployments. However, it comes with different security and monitoring considerations. The reason behind these differences lies in the different management models used by different cloud service providers, which most of the time depend on the proposed Shared Responsibility Model.
This talk discusses some common security misconfigurations for Kubernetes clusters and how attackers can exploit them via live demonstrations. We will then focus on a custom cloud-native security monitoring solution built in AWS. The goal is to alert relevant stakeholders of potential misconfigurations and active breach attempts on an Amazon EKS Cluster. As mentioned above, this talk includes live demonstrations of some of the use-cases that have been implemented. The implemented solution leverages AWS native tools, as well as an infrastructure-as-code template for rapid deployment across accounts. Finally, we discuss potential use cases for this solution and propose a general roadmap for improvements and future capabilities.
This talk will be especially useful for individual contributors or professionals who want to understand and develop in-house security monitoring tools for Kubernetes without the need for expensive third-party platforms.

Bio:
Akshit Sharma:
Akshit is a cyber security consultant focused on Cloud Security and DevSecOps. He has over six years of experience working with numerous clients in different industries. He has focused on conceiving, designing, and implementing security programs with special focus on building integrations and automation accelerators. He was the lead implementer of a cloud-native security monitoring solution for one of the largest Dutch financial institutions. His academic background is in the field of Information Technology. Outside work Akshit likes delving into the topic of international relations, going on hikes, listening to music, traveling and enjoying good food.
Mauricio Cano:
Mauricio Cano is a cloud pentester focused on container technologies. In particular, he focuses on the security of containers and serverless architectures. He has pentested Kubernetes clusters and serverless architectures for several multinational financial institutions. Prior to his security work, he has a background in academia and a Ph.D. in Computer Science from the University of Groningen, focused on programming language design and formal methods to ensure correctness. In his spare time, Cano enjoys reading, cooking, and solving puzzles.

TIBER-EU, the European framework for threat intelligence-based ethical red-teaming

Abstract:

The ECB launched the threat intelligence-based ethical red teaming (TIBER-EU) framework some time ago. More and more central banks within Europe are adopting this framework to have their critical financial infrastructure tested against realistic threats. The presentation has a balanced mix of theory and examples from the field.
Givan will share his view from his years of experience with developing the framework and leading many red teaming engagements under the different TIBER ‘flavors’. He will walk through the framework, explain how it ‘works’ and zoom in on the delivery of the red and purple teaming parts, giving you a glance at what is involved in performing a realistic attack on the live critical systems of a large financial institution.

Bio:
Givan Kolster:
With a passion for digital security, Givan Kolster co-founded FalconForce in 2020. He is an offensive security specialist with over 10 years of experience in the field of offensive security.
Givan focuses on delivering high-quality services to clients worldwide, on both the offensive and defensive sides. He has led many red and purple teaming engagements. He aims to build cohesive teams during purple teaming exercises, where he manages to change the perspective from ‘versus’ to ‘collaborative’. This is important to drive the learning experience for the defensive team.
In past years, Givan was operationally involved in red teaming projects as a social engineer, and as a trainer for many professionals new to the field.

September 15 2022

Location: Radboud University, Huygens building, Room HG00.307
Address: Heyendaalseweg 135, Nijmegen
Link: https://www.ru.nl/fnwi/faculteit/profiel/huygensgebouw

Please register via: https://www.meetup.com/owasp-chapter-netherlands-meetup/events/287743579/

18:00 - 18:15 - Reception of attendees

18:15 - 19:00 - Pizza

19:00 - 19:15 - Welcome and OWASP updates

19:15 - 20:00 - The Red Cross of the Internet by Shairesh Algoe

20.00 - 20:15 - Break with drinks

20:15 - 21:00 - Digitally securing The Netherlands - or convincing others to do it by Koen Sandbrink

The Red Cross of the Internet

Watch the recording

Abstract:

Over the year 2021 the Dutch Institute for Vulnerability Disclosure (DIVD) notified a total of 86,427 IP addresses that were found to be vulnerable. Compared to 58,358 e-mails in 2020, that is a growth of more than 33%. This year we have already sent out 141,078 emails.
The DIVD scans the internet for vulnerabilities and reports these to the people who can fix them. I will go into some of our recent cases, ranging from Kaseya VSA to Log4j in 2021 and some of the 2022 highlights. Next to that you will get an introduction to how the DIVD has professionalised vulnerability disclosure and why we are allowed to somewhat break laws on computer crime and privacy.

Bio:
Shairesh Algoe:
Shairesh Algoe is passionate about information security and tech and enjoys teaching and telling stories. With more than 12 years of experience he tries to keep information security simple, and has worn several security hats, from technical to leadership roles.
His day job is being Chief Information Security Officer for TM-Pro, a FinTech company that provides a banking-as-a-service platform to small, medium and larger financial institutions.
Besides that he is a board member at the DIVD and, together with the management team, responsible for the continuity of this hacker collective that helps to clean up the internet for free within its code of conduct.
In his spare time, he is also an entrepreneur who delivers security products and services to multiple companies. He is also a speaker and teaches students about information security and quantum technology.

Digitally securing The Netherlands - or convincing others to do it

Watch the recording

Abstract:

NCSC-NL has a clear mission: to make The Netherlands digitally secure. To achieve this, we need to understand what’s going on and connect all the relevant parties to exchange knowledge and provide a perspective for action, hopefully to prevent digital disruptions. But the NCSC does not own or control any part of the internet. We do not have actual buttons to push or knobs to turn. We need to make others do this for the greater good. Let’s take a dive into the efforts of the NCSC to help assess digital risks, help resolve vulnerabilities in systems and help respond to incidents.

Bio:
Koen Sandbrink:
Koen Sandbrink is a cyber security advisor for the National Cyber Security Centre of The Netherlands (NCSC-NL). Originally educated to make IT, he started his career as a security tester to break IT. In the following decade, he has seen too many things go wrong and has developed a few opinions on how not to do those things anymore. Koen likes trains, architecture and classical music and is also convinced that Ludwig van Beethoven was a hacker.

June 16 2022

Meet-up setting: first physical meet-up in 2.5 years

Location: Trend Micro
Address: Herikerbergweg 92, 1101 CM Amsterdam

18:00 - 18:15 - Reception of attendees

18:15 - 19:00 - Pizza

19:15 - 20:00 - Staying in control of your cloud application landscape by Priyam Awasthy and Spandan Chandra

20:00 - 20:15 - Break with drinks

20:15 - 21:00 - OWASP Cloud-Native Application Security Top 10 by Filip

Staying in control of your cloud application landscape

Download the presentation
Watch the recording

Abstract:

At the end of 2021, 67% of all enterprise infrastructure was cloud-based. Cloud technologies are being consumed to host more and more applications. This talk will outline what security measures an organization and self-governed DevOps teams can implement to secure their cloud application landscape. During the session, we will talk about various strategies such as the types of virtualization or sandboxing used to protect cloud applications, how to manage authentication and authorization, and data protection.

Bio:
Priyam Awasthy:
Priyam has over 8 years of experience in Cyber Security with an emphasis on Penetration Testing and Cloud Security. He currently holds the position of Enterprise Application Security Lead at Canon EMEA where he is responsible for managing end-to-end security for applications and the cloud landscape. Priyam has deep experience across a range of Cyber Security domains having carried out a range of engagements servicing a diverse portfolio of clients across multiple industries. He has developed strong leadership and people management skills, having led a variety of diverse teams performing a range of services. Prior to joining Canon EMEA, Priyam led the Cloud Risk Advisory function for Deloitte Netherlands. He has wide experience in cyber security transformations (such as in Cloud and DevOps), technical security advisory and assessments, red teaming, security audits, and secure code development.
Spandan Chandra:
Spandan has over 7 years of experience in Cyber Security with an emphasis on Cloud Security and Risk & Compliance. He currently holds the position of Senior Auditor at Ahold Delhaize where he is responsible for leading IT risk and compliance audits and advising IT teams on securing their IT environments, including cloud landscapes. Prior to joining Ahold Delhaize, Spandan led the cloud security team for Deloitte Netherlands. Furthermore, he acted as SME for cloud transformations and cloud security advisory. Spandan is well known for propagating security, risk and compliance across IT organizations; he was responsible for representing an organization in a global digital data lake initiative for the Oil and Gas industry. Additionally, he has also given multiple talks at organizations and open forums.

OWASP Cloud-Native Application Security Top 10

Download the presentation
Watch the recording

Abstract:

The cloud has lots of moving parts, things will go wrong. This talk aims to start a discussion around the OWASP Cloud-Native Application Security Top 10 and what can we, as engineers, do to address some of the challenges with cloud security.

Bio:
Filip:
Filip has worked in IT for over 15 years, 8 of those years in cybersecurity with a focus on infrastructure and cloud security. He is currently part of Xebia Security, helping customers on their cloud journeys by using security to enable the organization to grow securely and most productively. His specialties are DevSecOps and cloud security. He likes to spend time researching new technologies in the cloud, designing and analysing cloud environments and finding ways to integrate the cloud with existing infrastructure. He’s passionate about using the defensive and offensive sides of security to bring additional value to the projects he is involved in. Prior to joining Xebia, Filip worked at FlowTraders as a security engineer, helping with the cloud transformation and working to secure their high-speed trading environments.

May 19 2022

This is an online meeting and will be streamed on YouTube. The meeting will start at 19:00.

Comparing Static Analysis Security Testing (SAST) tools and dependency scanners

Watch the recording

Abstract:

There are many SAST tools and dependency scanners in the market. In this talk, the comparison results will be discussed of some SAST tools and dependency scanners. The comparison includes human experiences like usability and developer friendliness, but also metrics like true and false positives and overlapping reports between the tools. Tools that were compared are: SonarQube, Npm audit, FindSecurityBugs, Snyk, Semgrep, ShiftLeft Scan, OWASP Dependency Check, and OSS Index. The comparison was performed by scanning a ready-for-market Java-React web application.

Bio:
Wibren Wiersma:
Wibren Wiersma is studying Cyber Security at Radboud University in Nijmegen. He performed the SAST comparison as a research internship at Carthago-ICT. Before and during his study, Wibren worked for four years as a full stack developer for different ICT companies. Currently, he is working on his master’s thesis about a graph-based approach to detect outliers in academic publishing.

Infrastructure as Code (IaC) - security challenges and how KICS solves them

Watch the recording

Abstract:
  • What is IaC
  • Security challenges around IaC
  • KICS OSS tool powered by Checkmarx and how it solves the challenges

Bio:
Lior Kaplan:
Lior Kaplan is Checkmarx’s open source officer, leading the KICS open source project to Keep IaC Secure.

Secret Scanning Solutions

Watch the recording

Abstract:

Nowadays collaboration is key in software development. One way it is achieved is through software code repositories, but the open nature and convenience they provide are met with the downside of human error. The problem occurs when these public code repositories handle authentication secrets such as API keys or cryptographic secrets. These secrets should be kept confidential, but it often happens that practices like adding the secrets to the code repository lead to accidental leakage. To prevent this, secret scanning tools have arisen on the market. Rabobank is trying to prevent secret leakage within the company in which collaboration via code repositories is key. The company wishes to determine what would be the best performing secret scanning tools available on the market and compare them with the tool they are currently using, CredScan. This paper starts by presenting what secret scanning is, the most common types of secrets which exist, the most common detection techniques implemented by secret scanning tools, and an overview of the most popular tools available on the market. Further, it presents the steps taken during the internship: conducting interviews to compose a requirements list for the tool; shortlisting the tools based on the requirements; testing the shortlisted tools in a testing environment, and comparing the results. The top three best alternatives have proved to be SpectralOps, Whispers and TruffleHog. Only SpectralOps is objectively better than CredScan whereas Whispers and TruffleHog output false positives.

Bio:
Raluca Viziteu:
Raluca Viziteu is studying Information Security Technology at Eindhoven University of Technology for her master’s degree. She performed a comparison of secret scanning tools as a research internship for Rabobank. Raluca has previously studied Computer Science and Engineering at Eindhoven University of Technology. Currently, she is working on her master’s thesis on building a practical threat modeling methodology for supporting ICS device manufacturers and system integrators for Secura.

April 21 2022

This is an online meeting and will be streamed on YouTube. The meeting will start at 19:00.

Crawl Dutch government websites to collect statistics of SRI usage

Watch the recording

Abstract:

In this work we crawled all major Dutch government websites to measure the adoption rate of Subresource Integrity Protection (SRI). We crawled and evaluated close to 150,000 different pages on 477 different domains using a crawler that we developed. This resulted in approximately 1,000,000 different cross-origin script and link tags being evaluated. We found the adoption rate of SRI to be very low, with 8.4% of the tags having implemented SRI. For sensitive pages, such as login and registration pages, this number was slightly lower at 8.3%. Our findings indicate that most of these SRI-enabled references are due to Content Delivery Networks (CDNs) and utility providers providing HTML resource links already with proper integrity and crossorigin attributes. This is because CDNs and utility providers are the most popular SRI-enabled domains to reference, in combination with almost no Dutch government websites having complete SRI coverage in their cross-origin resource references.

Bio:
Tom Stock:
My name is Tom Stock, a cyber security master student at the Radboud University with a passion for computers, pretty code and solving complex problems with simple software.

Web Security Map (basisbeveiliging.nl)

Watch the recording

Abstract:

Absolute transparency moves people forward. What happens when plotting the state of security on a map? Organizations start to adapt and improve. This is an overview of the Web Security Map application, which can help you provide insight into huge amounts of security information about companies up to entire countries. It’s an open source product which can help you change your part of the world. In this talk you’ll see the impact, how it works, what it does, where to get it and where to go from there.

Bio:
Elger Jonker:
Elger Jonker is an ethical hacker who wants to make the world a better place. Elger is currently working on the next Dutch hacker camp, May Contain Hackers 2022, and has co-founded two hackerspaces: Hack42 in Arnhem and Awesome Space in Utrecht. Professionally Elger specializes in the combination of software security, security testing and application development. Elger is currently the lead developer for internet.nl and has worked on other similar projects for the Internet Society. Of course there is more, but this bio should only be so long… Oh, and Elger has been doing software things for over 25 years now… which makes them old, but not yet always grumpy.

Security Transformation Program

Watch the recording

Abstract:

We are living in a fast-changing and very demanding world. New and evolving technologies bring along new cybersecurity threats, increasing the pressure on SAP to evolve the security level of its software. With the migration to the cloud we have the responsibility to securely operate our software, adding a layer of complexity to the security landscape. And if that was not enough, more and more countries are releasing strict data privacy regulations. There is no “one size fits all” solution any longer, so all our teams are faced with technical and regulatory requirements. To overcome these challenges, new requirements, standards, and frameworks for developers and operations experts are extended or created regularly – but more does not always mean better. These initiatives quickly become exercises in filling in yet another Excel file. Therefore, the CX Trust Office has initiated a CX Security Transformation Program to make security easy to consume for developers and operations experts by simplifying, automating, and providing guidance.

Story Line:

NIST, internal policies, external frameworks, SOC and ISO certifications come with a big list of repetitive requirements, and very often the requirements are not built into the product but driven by external audits, changing architectures and products after they have been created and put in production. We have created a strategy, with a tool, to translate the requirements into executable, easy to understand instructions that remove complexity and duplication. We have set up our organization in cross-functional and functional teams that support the execution of the strategy, and a tool to glue these things together and provide guidance and the current status for all the frameworks and regulations.

Bio:
Dimitar Yanev:
A natural leader who fosters collaboration with empathy and inspires teamwork by empowering people’s ability to unveil the best of themselves. Brings experience of driving complex strategic cross-company projects to success. Recognized for demonstrating out-of-the-box thinking and putting customers front and centre. Started his career in SAP Labs Sofia as a build engineer responsible for creating a home-grown, complex Java build environment. Joined and led a task force to roll out security static analysis in SAP. During that time he gained an in-depth understanding of how leading SAST tools work and how to manage cross-company scaled projects. Led the first Security Self-Service & Automation work stream for SAP. Today Dimitar is Head of SAP CX Product Security Transformation and DevOps, defining, executing and developing tool support for the security transformation program for SAP CX.
Andreas Hauke:
Andreas Hauke was born in Würzburg, North Bavaria - Germany. He founded his first IT company during his school time with the age of 18 years, to train employees how to use standard software and doing web development for small companies. He started studying computer science and economics and paused due to founding his second company in the e-commerce space to sell furniture online. In this time he was responsible to develop the e-commerce platform based on open-source, operate it in a co-location and also securing it against attacks. After the journey of an entrepreneur and closing the companies, he rejoined studies and finished his bachelor’s degree with focus on information security. During the study time he worked full-time as a consultant in different security projects to execute penetration tests or overall secure the environments, also in critical infrastructure of the government. After studies and being a freelancer, he joined Deutsche Telekom Cloud Services as a Cloud Architect and was responsible to establish security in the new developed Open-Stack platform and did due-diligences for security of the partner solutions hosted on the platform. Besides that, he also trained the German army for networking and security. After Telekom he joined SAP as a Security Architect to secure the first productive SAP micro service platform developed by the Hybris team and took over the responsibility to help securing other solutions in the portfolio. Being part of SAP he helped acquisitions to integrate to SAP, e.g. Callidus, Gigya and Coresystems. He also helped to pilot the first risk-based Secure SDL in SAP and initiated the first Security Self-Service & Automation work stream for SAP.He also is a certified Threat Model Expert & Trainer, ISO27001 lead auditor, data protection officer and did several courses on cryptography, security management and forensics. 
At the moment he is leading the SAP CX Trust Office as CISO for SAP Customer Experience (CX) and drives the security transformation for this portfolio.

March 17 2022

This is an online meeting and will be streamed on YouTube. The meeting will start at 19:00. Another great OWASP meet-up is promised: we have Steve Springett, who will talk about the OWASP Dependency-Track tool and OWASP CycloneDX and share what is happening around these projects. Next to that we have Klaas Wijbrans sharing his industry insights on the rules and regulations demanding SBOMs, the challenges they bring and possible solution directions. We will also announce three (3) new OWASP projects that will be executed in 2022, so stay tuned!
Introducing: The Security Champions Guidebook
Introducing: Guidelines on embedding SBOM in your organization

OWASP Dependency-Track and OWASP CycloneDX

Watch the recording

Abstract:

Software Bills of Materials (SBOM) have gained widespread support, from the software industry to critical infrastructure to the White House. In this session, the OWASP CycloneDX SBOM standard will be introduced along with strategies for effectively creating SBOMs. Also introduced will be OWASP Dependency-Track, a platform that consumes and continuously analyzes SBOMs for security, operational and license risk. These two flagship OWASP projects work together to allow organizations to make better risk-based decisions.

Bio:
Steve:
Steve educates teams on the strategy and specifics of developing secure software. He practices security at every stage of the development lifecycle by leading sessions on threat modeling, secure architecture and design, static/dynamic/component analysis, offensive research, and defensive programming techniques. Steve’s passionate about helping organizations identify and reduce risk from the use of third-party and open source components. He is an open source advocate and leads the OWASP Dependency-Track project, OWASP Software Component Verification Standard (SCVS), and is the Chair of the OWASP CycloneDX Core Working Group, a Software Bill of Materials (SBOM) Standard.

Software Bill of Material – why do we need it, what is it and how can we overcome the current challenges

Watch the recording

Abstract:

The Executive Order on Cybersecurity of the Biden administration caused a lot of activity around the 'software bill of materials'. This talk will go into the details of why it is being asked for, what it consists of, and the practical challenges the industry needs to solve to reliably and efficiently create and use it in an automated way.

Bio:
Klaas Wijbrans:
Klaas is a fellow architect in the Chief Architect Office of Philips. He has thirty years of experience in complex, software-intensive systems and products such as traffic control systems, storm surge barrier control systems, telecommunications equipment and medical systems. At Philips he is driving the standardization of Philips products towards a common architecture and common technologies.

February 17 2022

This is an online meeting and will be streamed on YouTube. The meeting will start at 19:00.

How log4j became an epic - a story told by a developer and a product owner

Watch the recording

Abstract:

This talk will touch upon the log4j vulnerability, how it set everything on fire, what impact it had on our team, and what we have learned from the crisis.

Bio:
Rick te Brake:
Rick te Brake has 12 years of experience in Java backend development. He has worked in the banking and healthcare industries. He likes to work with reactive microservices and functional programming.
Anna Rudenko:
Anna Rudenko is the product owner in the same team. She has over 7 years of experience as a project manager and product owner in the areas of software development, media production, charity and scientific research.
Previously, she was doing her Ph.D. in Cognitive Linguistics.

The Long-Term Impact of Log4j

Watch the recording

Abstract:

In its aftermath, Log4j vulnerabilities put the spotlight on vendor management and supply chain security practices. Now that the dust has settled and the worst of the fallout has passed, this talk presents perspectives on likely mid- and long-term changes that the security industry will see as a result of dealing with the Log4j issue as the latest in an escalating series of open source and software supply chain incidents.

Bio:
Dan Cornell:
A globally recognized software security expert, Dan Cornell has over 20 years of experience architecting, developing and securing software systems. As Vice President of Product Strategy at Coalfire, Dan works with customers and industry partners to help drive the direction of their product portfolio. Prior to its acquisition by Coalfire, Dan was a founder of and the Chief Technology Officer at Denim Group, where he helped Fortune 500 companies and government organizations integrate security throughout the development process.
Cornell is an active member of the development community and a sought-after speaker on topics of application and software security, speaking at international conferences including RSA Security Conference, OWASP AppSec USA and EU, TEDx, and Black Hat CISO Forum. He holds three patents in the area of software security.

How log4j ruined our Christmas

Watch the recording

Abstract:

In early December a vulnerability was found in Log4j, an open-source logging library commonly used by apps and services across the internet. If left unfixed, it lets attackers break into systems, steal passwords and logins, extract data, and infect networks with malicious software.
This talk will outline why this vulnerability ruined Christmas and the potential impact Log4j can or could have on your organisation.

Bio:
Owen:
Owen has over 11 years of experience in Cyber Security with an emphasis on Penetration Testing and Red Teaming. He currently holds the position of Head of Cyber Resilience at Bank of Ireland, where he is responsible for leading the Security Testing, Incident Response and Threat Intelligence functions. Owen has deep experience across a range of Cyber Security domains, having carried out engagements for a diverse portfolio of clients across multiple industries. He has developed strong leadership and people management skills, having led a variety of diverse teams performing a range of services.
Prior to joining Bank of Ireland, Owen led the Penetration Testing and Red Teaming functions for Deloitte Ireland. Furthermore, he acted as the Vulnerability Management Lead for the EMEA region.
Owen is an advocate of secure development and has sat on the Global Board of Directors of OWASP for the last 4 years. Owen has held the roles of Secretary, Vice-Chair and Chair of the Global Foundation.

January 20 2022

This is an online meeting and will be streamed on YouTube. The meeting will start at 19:00.

A story on scaling threat modeling across 500+ DevOps teams

Watch the recording

Abstract:

This talk is not about “what is threat modelling, and what are the different methodologies?”. This is well known and understood by now. With every organization moving towards DevSecOps, the difficult question is “how to do Threat Modeling at scale?”. I want to take this opportunity to share with you the ABN AMRO story about how we did this!

Bio:
Abhishek k. Goel:
Abhishek k. Goel is a Security Consultant at ABN Amro and the IT lead for Threat Modelling capability at the bank. He is a senior security engineer responsible for enabling security in DevOps across the bank.
Before ABN AMRO, he was a Lead Security Consultant with Deloitte USI and enabled security in CI/CD pipelines for clients across the globe.

Gamification of Threat Modelling

Watch the recording

Abstract:

The talk is all about doing security architecture and threat modelling work as part of development planning.
The presentation starts by introducing OWASP Cornucopia and the simplified OWASP "Top 5" for developers, and then looks at how one can practically and effectively include a form of threat modelling (using Cornucopia) in one's agile development practices.
There is a brief discussion on gamification, covering the usual FAQs on that, and then it moves on to implementation at scale and some of the experiences we've had there.

Bio:
Grant Ongers:
Co-founder of Secure Delivery and current OWASP Global Foundation board member, Grant Ongers (@rewtd), is a firm believer in security enabling delivery not blocking it. The philosophy and purpose of Secure Delivery is in the name: optimal delivery and security in one nimble and adaptive offering.
Grant's experience spans Dev (building platforms for Telcos, MSPs and financial institutions for more than 10 years), 20+ years in Ops (from running operational teams in global NOCs to managing mainframe and database systems), and over 30 years pushing the limits of (Info)Sec, mostly white-hat. He has worked on both sides of the TPSA table, for and with regulated orgs, ensuring compliance and matching "appetite for" with "acceptance of" risk.
Grant’s community involvement is global: Staff at BSides (London, Las Vegas, and Cape Town), Goon at DEF CON (USA) for over a decade and DC2721 co-founder, staff at BlackHat (USA and EU).
Alongside his role as CTO within Secure Delivery, Grant provides C-suite advice and guidance on security to FTSE100 enterprises and strategic risk analysis within M&A diligence teams.

2021

October 28 2021  |  September 30 2021

October 28 2021

This is an online meeting and will be streamed on YouTube: https://youtu.be/qR6JCkZgOlY.
The meeting will start at 19:00.

Our Secrets Management Journey: From Code to Vault

Watch the recording

Abstract:

So you have an access key that you need to store somewhere. Maybe it is better not to put it in your code, nor in your container. But what about Kubernetes? What about a custom secrets storage solution? Of course, we tried many, sometimes funny, things to get our secrets secured. And luckily we ended up with a combination of safe methods, with Vault at its core. Want to know more? Join us, as we will go through various examples and their challenges!

Bio:
Jeroen Willemsen:
Jeroen Willemsen is a Principal Security Architect at Xebia and a jack of all trades in security. He loves to develop new software, set up DevSecOps support tooling, and help companies with security programs. He enjoys sharing knowledge, which is why he has published articles and blogs and given trainings and talks on various subjects.

Doing Security in DevOps, the right way!

Watch the recording

Abstract:

Automation is not DevSecOps, but without automation there is no DevSecOps! Secret management, SAST, DAST, Pen Testing, Container Security, Secure Config Management etc. are about automating security. But let me ask you, can one reach nirvana in securing DevOps with solely automation? This talk will address ALL dimensions required for doing security in DevOps, so we get it right!

Bio:
Irfaan Santoe:
Irfaan Santoe is a Global Security Director at Wolters Kluwer, advising the Business & IT on the information security ambition and its implementation. Prior to Wolters Kluwer, Irfaan was the Global Head of Security Engineering at ABN AMRO bank and led the security implementation of ABN AMRO's IT transformation towards DevOps. This transformation program is set to uplift more than 500 Dev teams to become DevOps, increasing security without breaking DevOps! Irfaan holds a Master's in Computer Science (a programmer at heart) and is fascinated by the Inner Science of Yoga & Meditation.

September 30 2021

On the 30th of September OWASP Netherlands will organize a pub quiz. The pub quiz will start at 20:00. To join the pub quiz, you need to join a Zoom meeting. Check the Meetup page for more information.

2020

November 23-27 2020  |  May 14 2020  |  April 9 2020

November 23-27 2020, BeNeLux Days

See https://2020.owaspbenelux.eu for information.

May 14 2020

This is an online meeting about the Mobile Security Testing Guide and the Mobile Application Security Verification Standard by Jeroen Willemsen.
The talk will start at 20:00.

Watch the livestream at https://youtu.be/cuB8TNT0rMw.

April 9 2020

The first talk will start at 20:00.

Schedule:

Watch the livestream at https://youtu.be/EtGyhWYSjVA.

2019

June 18 2019  |  January 17 2019

June 18 2019

https://www.meetup.com/OWASP-Chapter-Netherlands-Meetup/events/261811435/

18:30 - 19:00 - Dinner

19:00 - 19:15 - Welcome

19:15 - 20:00 - Recon Recon by Martijn Baalman aka @x1m_martijn

20:00 - 20:15 - Break

20:15 - 21:00 - The Good, The Bad and The Ugly of Responsible Disclosure by Chrissy Morgan aka 5w0rdFish

Spaces Herengracht
Herengracht 124-128,
1015 BT Amsterdam

Recon Recon

Watch the recording

Bio:
Martijn Baalman aka @x1m_martijn:
In the daytime, Martijn is a pen tester at Qbit Cyber Security, and by night he is bug bounty hunting in the wild and sending PoCs to Detectify Crowdsource and other bug bounty platforms. Recon is key to finding vulnerabilities, yet it is tedious at times. Hackers, like developers, find that automation makes life easier, even for recon. Martijn has developed ReconPi, a bug bounty reconnaissance tool that automates most of the (general) recon methods that hackers use. In his lightning talk he'll show you how he does all his recon, yes, everything, on a Raspberry Pi 3.

The Good, The Bad and The Ugly of Responsible Disclosure

Watch the recording

Abstract:

So what do a jQuery bug that affected thousands of websites (with one of the highest-starred GitHub repos, with 7,800 forks), a Domain Name Registrar vulnerability which allowed full access to domain owner details (post GDPR), and data protection flaws within Microsoft's Office365 all have in common? … Answer: Responsible Disclosure. This talk will feature the disclosure of each of these bugs and others, and the circumstances around reporting them, to highlight the problems security researchers face today when trying to do the right thing, and to raise awareness of the security flaws so that we are better protected.

Bio:
Chrissy Morgan aka 5w0rdFish:
Chrissy leads IT Security Operations for a Close Protection company, and in her spare time she has carried out research in the areas of web application security, steganography, RFID and Cyber-Physical Systems Security, and is actively involved in the information security community across a wealth of subjects. She also runs The Co-Lab in London, a hardware hacking security research workshop. As a recent Napier Masters graduate, she has accomplished the following successes so far: Winner of Cyber Security Challenge UK (University Challenge, Team Edinburgh Napier), CTF Finalist in the Pragyan CTF (Team Edinburgh Napier), BlackHat Challenge Coin winner for OSINT from Social-Engineer.org and Black Hat Scholarship, Steelcon Award, WISP Sponsorship, BSides London Rookie Track Speaker Winner for 2018 and, most recently, ISC(2) Up-and-coming Security Professional 2019.

January 17 2019

https://www.meetup.com/OWASP-Chapter-Netherlands-Meetup/events/257707239/

18:30 - 19:00 - Dinner

19:00 - 19:15 - Welcome, OWASP update

19:15 - 20:00 - Machine Learning vs. Cryptocoin Miners by Jonn Callahan

20:00 - 20:15 - Break

20:15 - 21:00 - Running at Light Speed: Cloud Native Security Patterns by Jack Mannino

21:00 - Closing

Xebia
Laapersveld 27
1213 VB Hilversum

Machine Learning vs. Cryptocoin Miners

Download the presentation
Watch the recording

Abstract:

With the advent of cryptocurrencies as a prevalent economic entity, attackers have begun turning compromised boxes and environments into cash via cryptocoin mining. This has created a need to detect compromised environments by analyzing network traffic logs for evidence of cryptocoin miners operating within a given network. In this talk, I'll be reviewing various ML and statistical analysis techniques applied to VPC Flow Logs for this very purpose. It will not be a deep dive into the math involved, but instead a general discussion of these techniques and why I chose them.

Bio:
Jonn Callahan:
Jonn Callahan has worked in appsec for half a decade across a wide variety of languages, technologies, and sectors. While constantly looking for new things to play with, he rediscovered his love for the universal language of math and, consequently, the power of statistical analysis and machine learning. He now seeks to dismantle the black magic of these techniques, showing that they don't require an advanced mathematics degree to be leveraged, and to find novel ways to apply them within the security space.

Running at Light Speed: Cloud Native Security Patterns

Download the presentation
Watch the recording

Abstract:

No matter how fast you ship software, a good design is critical to security. Cloud native systems are no exception. Containerized microservices running on distributed management and orchestration platforms bring new challenges to address, as well as classic software problems that we've been dealing with for years. Secure software design patterns can be used to model security controls at different trust boundaries within your architecture, providing security in a repeatable and consumable way. Using patterns such as the Service Mesh or Ambassador pattern lets us focus on proper security control placement and lifts security outside of the core services that we've traditionally bolted security onto later.

The goal of this presentation is to arm software developers and security architects with reference architecture guidance that can be used in any cloud native environment. The topics we’ll cover include multi-tenancy considerations, authentication, authorization, encryption, and more. We will focus on newer cloud native architecture patterns as well as some classic software design patterns that are still applicable. At the end of this presentation, you’ll have a greater understanding of cloud native security design at an architectural level and you’ll be eager to begin white-boarding your ideas.

Bio:
Jack Mannino:
Jack Mannino is the CEO of nVisium. Passionate about security and impossible to keep away from a keyboard, his expertise spans over 15 years of building, breaking, and securing software. Jack founded nVisium in 2009, and since then has helped the world’s largest software teams enhance security across their software portfolios. He has spoken at conferences globally on topics such as secure design, mobile application security, and cloud-native security.

2018

September 27 2018  |  June 28 2018

September 27 2018

Location: Radboud Universiteit

19:15 - 20:00 - Serverless Security: Functions-as-a-Service (FaaS) by Niels Tanis

20:15 - 21:00 - Building A Security Test Automation Framework by Riccardo Ten Cate

Serverless Security: Functions-as-a-Service (FaaS)

Watch the recording

Building A Security Test Automation Framework

Watch the recording

June 28 2018

19:15 - 20:00 - Building A Security ‘Culture’ by Gareth O’Sullivan

20:15 - 21:00 - Building Secure Software With OWASP Tools And Guides by Martin Knobloch

Building A Security ‘Culture’

Watch the recording

Building Secure Software With OWASP Tools And Guides

Watch the recording

2017

October 12 2017

October 12 2017

Location: Radboud Universiteit

19:15 - 20:00 - Playing in the Sandbox: Bypassing Adobe Flash Input Validation by Björn Ruytenberg

20:15 - 21:00 - How to rob a bank by Pieter Ceelen

Playing in the Sandbox: Bypassing Adobe Flash Input Validation

Watch the recording

How to rob a bank

Watch the recording

2016

November 7 2016  |  September 22 2016  |  July 7 2016  |  April 21 2016  |  February 18 2016

November 7 2016

Location: Hogeschool Rotterdam

19:15 - 20:00 - Web Security: Broken by default? by Niels Tanis

20:15 - 21:00 - Building A Software Security Program by Kuai Hinojosa

Web Security: Broken by default?

Watch the recording

Building A Software Security Program

Watch the recording

September 22 2016

Location: Radboud University

19:15 - 20:00 - Handling Of Security Requirements In Software Development Lifecycle by Daniel Kefer and René Reuter

20:15 - 21:00 - Hacking The OWASP Juice Shop by Björn Kimminich

Handling Of Security Requirements In Software Development Lifecycle

Watch the recording

Hacking The OWASP Juice Shop

Watch the recording

July 7 2016

Location: SurfNET

19:15 - 20:00 - Find and fix software security problems… by Matias Madou

20:15 - 21:00 - How To Keep Your Secrets Safe(r) On An Android Device by Jeroen Willemsen

Find and fix software security problems…

Watch the recording

How To Keep Your Secrets Safe(r) On An Android Device

Watch the recording

April 21 2016

Location: Universiteitsbibliotheek UvA

20:15 - 21:00 - Web Application Firewall, Filter and Bypass by Aatif Khan

Web Application Firewall, Filter and Bypass

Watch the recording

February 18 2016

Location: De Haagse Hogeschool

19:15 - 20:00 - OWASP Security Knowledge Framework by Glenn Ten Cate and Riccardo Ten Cate

OWASP Security Knowledge Framework

Watch the recording