OWASP Netherlands
2024 | 2023 | 2022 | 2021 | 2020 | 2019 | 2018 | 2017 | 2016
2024
November 28-29 2024 | October 17 2024 | June 20 2024 | May 23 2024 | April 18 2024 | March 21 2024 | February 15 2024 | January 18 2024
November 28-29 2024, BeNeLux Days
See https://www.owaspbenelux.eu for information.
October 17 2024
Location: Radboud University, Huygens building
Address: Nijmegen
Please register via: https://www.meetup.com/owasp-chapter-netherlands-meetup/events/302961495
18:00 - 18:15 - Reception of attendees
18:15 - 19:00 - Pizza
19:00 - 19:15 - Welcome and OWASP updates
19:15 - 20:00 - AI Security: Safeguarding Software from Code to Architecture by Feiyang Tang
20:00 - 20:15 - Break with drinks
20:15 - 21:00 - Securing GenAI Applications - a Point of View by Burc Yildirim
AI Security: Safeguarding Software from Code to Architecture
Abstract:
AI is rapidly transforming software development, offering unprecedented capabilities but also introducing new security challenges. As organizations rush to adopt AI technologies, they often overlook critical security implications, potentially exposing themselves to novel threats and vulnerabilities.
In this talk, we’ll explore how to build secure AI-powered software, covering both coding practices and system design. We’ll dive into specific scenarios where AI can introduce security risks and discuss practical strategies to mitigate these issues in software development. We’ll also touch on privacy concerns when implementing AI solutions. Through real-world examples, you’ll gain actionable insights to enhance the security of your AI projects, from individual algorithms to complete systems.
Bio:
Feiyang Tang:
Securing GenAI Applications - a Point of View
Abstract:
The POV discusses the importance of securing generative AI (GenAI) and the challenges associated with it. GenAI empowers organizations to unlock new opportunities, drive innovation, and deliver value in an increasingly digital and dynamic world. However, securing GenAI introduces new challenges that must be addressed, including adversarial risks across the AI pipeline, data privacy and security concerns, and the need for a unified approach to security. The POV highlights the importance of understanding the risks associated with input, training, and output data, as well as the need for data provenance, transparency, and accountability. Further to this, it looks into the risks posed by use of GenAI, the importance of security in a GenAI strategy, and how we need to go about mitigating risks in practice; factoring in the different GenAI consumption models and the impact these will have on Security Management.
The POV concludes by highlighting the importance of understanding GenAI’s risks and challenges and taking a proactive approach to securing it.
Bio:
Burc Yildirim:
Combining deep technical expertise with management experience, Burç has a unique ability to fully understand both the technical and business challenges organizations face. This skill set enables him to manage complex teams and projects effectively. Throughout his career, he has built and led high-performing teams at Deloitte Turkey, Deloitte Netherlands, and IBM.
With a strong background in both offensive and defensive security, Burç is dedicated to helping organizations enhance their cybersecurity posture in an ever-evolving digital landscape.
June 20 2024
Location: VU, Amsterdam
Address: De Boelelaan 1105
Please register via: https://www.meetup.com/owasp-chapter-netherlands-meetup/events/300855942
18:00 - 18:15 - Reception of attendees
18:15 - 19:00 - Pizza
19:00 - 19:15 - Welcome and OWASP updates
19:15 - 20:00 - Ship Happens: The Stormy Seas of Supply Chain Security by David Archer
20:00 - 20:15 - Break with drinks
20:15 - 21:00 - Technical leverage: dependencies are a mixed blessing by Fabio Massacci
Ship Happens: The Stormy Seas of Supply Chain Security
Abstract:
“The more I know about how software is made, the less I want to know” - Me
As a software developer with over a decade of experience and countless interactions with application security teams, I’ve discovered the unsettling complexities of modern software production. Despite what I thought I knew, the reality was far more intricate.
Modern software development is a sprawling network of open-source dependencies, sophisticated build tools, plugins, pipelines, and runtimes. These components are fundamental in securing critical sectors of our daily lives—finance, healthcare, infrastructure, transportation, and social interactions. However, this supply chain is under relentless attack and many of the potential threats are poorly understood.
This talk will delve into specific vulnerabilities, such as dependency poisoning and pipeline compromises, that exemplify the challenges we face. We’ll explore strategies to mitigate these threats and discuss practical takeaways that attendees can immediately implement in their software development practices. Expect to leave with a deeper understanding of supply chain security and with ideas to fortify your software factory against these escalating threats.
Bio:
David Archer:
Seeking to help address this balance, David took an opportunity in 2018 to work full-time in the field of application security with a particular focus on technologies that promise to enhance security without impeding development speed. Through his extensive experience with secure coding practices and hands-on experience with the myriad of code analysis tools like IAST, SAST, DAST, RASP and SCA, he gained valuable insights into their relevance and effectiveness in a modern software factory.
Technical leverage: dependencies are a mixed blessing
Abstract:
Modern applications are built upon a large supply chain of (possibly open source) libraries and tools. In finance, leverage is the ratio of debts (other people’s money) vs equity (your money), and Lehman Brothers made that concept famous. For software, technical leverage is the ratio between other people’s code and your own code. I will argue with some examples from the Maven, Python and NPM ecosystems that this is both a risk and an opportunity. Lehman Brothers were 30 to 1; what about the Software Sisters?
Bio:
Fabio Massacci:
May 23 2024 - Cyber Booked
The local Dutch Chapters of OWASP, ISACA and ISC2 are, together with the Secure Software Alliance (SSA), joining forces to host a physical event called “Cyber Booked” which is going to be one of a kind. This event offers the opportunity to learn from and meet & greet with both new and well-respected (Dutch) Cybersecurity authors, who have been known to contribute to the security industry.
About the Event
The Cyber Booked event is expected to have an attendance of 100-150 people in total, which will be a mix of different personas including but not limited to information security. It will be hosted on 23 May 2024 in Hotel van der Valk in Breukelen. We have secured a lineup of both new and well-known Cybersecurity books by authors who reside and work in the Netherlands and contribute to or are part of the Cybersecurity industry. The event starts at 17:00 and will end at 22:00. There will be ample opportunity during the break and drinks for participants to meet and greet the authors as well as to network and interact, not only with each other, but also with the sponsors.
Please register via: https://isaca.nl/events/cyber-booked-2024/
April 18 2024
This is an online meeting and will be streamed on YouTube. The meeting will start at 19:00.
Please register via: https://www.meetup.com/owasp-chapter-netherlands-meetup/events/299755205/
19:00 - 19:10 - Welcome and OWASP updates
19:10 - 19:55 - API Security: OWASP API Top 10 Unlocked by Erez Yalon and Paulo Silva
19:55 - 20:00 - Questions and Break
20:00 - 20:15 - OWASP Security Champions Guide by Cheyenne Seur
20:15 - 21:00 - How (not) to use secrets with OWASP WrongSecrets by Ben de Haan
API Security: OWASP API Top 10 Unlocked
Abstract:
APIs play a central role in today’s economy, powering the exchange of data and services between applications and businesses. However, with great power comes great responsibility, and API security is more critical than ever.
In this session, we will discuss the OWASP API Security Top 10, a comprehensive guide to the most critical API security risks which was first released in 2019 and updated in 2023. We will then dive into real-world examples of API security issues found on well-known solutions powered by APIs, providing a detailed analysis of the vulnerabilities and the impact they could have had on the affected organizations.
By the end of this session, you will have a better understanding of the importance of API security and the steps you can take to protect your organization’s APIs from attacks.
Bio:
Erez Yalon:
Paulo Silva:
OWASP Security Champions Guide
Abstract:
OWASP Security Champions Guide project team will provide updates on the release of the next OWASP Security Champions Guide!
How (not) to use secrets with OWASP WrongSecrets
Abstract:
If you want to bring an app to production, you need to know where to put your secrets and how to access them safely. In this session, we’ll go into how to not use secrets with a purposefully vulnerable application. We hope you’ll take this knowledge and not make the same mistakes in your own app. Of course, you’ll also learn a thing or two on how to do secrets management properly. Alternatively, you can use this app to teach others!
Bio:
Ben de Haan:
March 21 2024
Location: Ordina
Address: Ringwade 1, 3439 LM Nieuwegein
Please register via: https://www.meetup.com/owasp-chapter-netherlands-meetup/events/299257952/
18:00 - 18:15 - Reception of attendees
18:15 - 19:00 - Pizza
19:00 - 19:15 - Welcome and OWASP updates
19:15 - 20:00 - How to get Dev(Ops) teams to start adopting DevSecOps by Sebastiaan Rijnbout
20:00 - 20:15 - Break with drinks
20:15 - 21:00 - Cracking the API: Challenges in IoT and Modern Applications by Yianna Paris
How to get Dev(Ops) teams to start adopting DevSecOps
Abstract:
In many development environments, security has long been seen as an afterthought or even an outright hindrance. And forcing security onto developers often has an adverse effect. In this talk we will share the journey we have been making at the Dutch Chamber of Commerce (KVK) to get Development teams to adopt DevSecOps in a way that works best for them. Topics that will be discussed include Secure Development training, Security Champions, Threat Modeling and using the right tooling.
Bio:
Sebastiaan Rijnbout:
When getting teams and organisations to adopt DevSecOps, Sebastiaan looks at all aspects of DevSecOps (People, Process and Technology), like setting up developer training programs and security champion programs, rolling out company-wide Security tooling and improving working processes, while always keeping a focus on making things easy and efficient for developers.
In his current role at the Dutch Chamber of Commerce (KVK) Sebastiaan acts as Product Owner for 4 Dev(Sec)Ops support teams. These teams are responsible for enabling all development teams at KVK to deliver secure and high-quality software as efficiently as possible.
Cracking the API: Challenges in IoT and Modern Applications
Abstract:
Securing APIs is about more than just an endpoint; it’s about the data shared, customer privacy, and the access we give to unauthorised parties. Now that we are connecting more devices than ever, to more third parties than ever, securing APIs needs an offensive mindset from the design phase.
In this talk I’ll go over some of the techniques I use when testing, common issues I’ve found and their impact, and the state of IoT and modern web applications.
Security issues can arise from misconceptions early in the software process, so I’ll also discuss how we might mitigate some of these with thoughtful design, architecture and development.
Bio:
Yianna Paris:
February 15 2024
This is an online meeting and will be streamed on YouTube. The meeting will start at 19:00.
19:00 - 19:10 - Welcome and OWASP updates
19:10 - 19:55 - OWASP ModSecurity: A Few Plot Twists and What Feels Like a Happy End by Christian Folini
19:55 - 20:05 - Questions and Break
20:05 - 20:50 - OWASP Dependency-Track by Niklas Düster
OWASP ModSecurity: A Few Plot Twists and What Feels Like a Happy End
Abstract:
ModSecurity is an open-source, cross-platform web application firewall (WAF) engine. Originally written by Ivan Ristić, it was acquired by Trustwave and then developed for over 10 years by Trustwave’s SpiderLabs.
ModSecurity exists as a module for the Apache HTTP Server, Nginx, and IIS (v2) and it has also been released as a standalone daemon for NGINX (v3), accessible via an API and a webserver-specific connector module. It is able to inspect HTTP requests and HTTP responses and it is configured via rules in a rather cumbersome config language called “SecLang”. OWASP CRS is the dominant rules project used by most ModSecurity users.
In 2021, Trustwave announced the end of support and the plan to hand over ModSecurity into the hands of the community by Summer 2024. OWASP tried to convince Trustwave to hand it over to the foundation several times, but only succeeded in November 2023. A plan was thus drawn and a new project was prepared from December 2023. The main repository was transferred on January 25 and OWASP ModSecurity was declared a “production level” OWASP project by the OWASP project committee.
The new project operates with a preliminary leader team, the first release is already out and the community is growing, all in line with the 3-6 month project plan drawn up in December 2023.
This talk gives an overview of the dynamics at play, how OWASP operates on projects like this, and what the perspectives are for ModSecurity and OWASP as a whole.
Bio:
Christian Folini:
OWASP Dependency-Track
Abstract:
Since its inception over a decade ago, OWASP Dependency-Track has pioneered many concepts in the realm of software supply chain security, and software bill of materials (SBOM).
With increasingly more governments, regulators and organizations asking for SBOMs, the project is more relevant than ever. On the other hand, a non-negligible portion of folks is still puzzled as to what to even do with SBOMs once they have them.
In this talk, we’ll explore what Dependency-Track is, how it can help organizations in identifying and reducing risk in their software supply chain, and give an outlook into what’s next!
Bio:
Niklas Düster:
January 18 2024
Location: Trend Micro Amsterdam
Address: Herikerbergweg 92, 1101 CM Amsterdam
Please register via: https://www.meetup.com/owasp-chapter-netherlands-meetup/events/297919320/
18:00 - 18:15 - Reception of attendees
18:15 - 19:00 - Pizza
19:00 - 19:15 - Welcome and OWASP updates
19:15 - 20:00 - Challenges in modern Red Teaming, external vs internal point of view by Marcin Wolak
20:00 - 20:15 - Break with drinks
20:15 - 21:00 - Red Teaming on MacOS by Ahmed Sherif and Ivan Kozlov
Challenges in modern Red Teaming, external vs internal point of view
Abstract:
The presentation will try to demonstrate limitations of external red teaming and show how internal red teaming could possibly fill in identified gaps.
Bio:
Marcin Wolak:
Red Teaming on MacOS
Abstract:
The focus of Red Teaming has predominantly been on Windows environments, reflecting its widespread use in corporate settings. However, the recent shift in corporate preferences towards MacOS necessitates a reevaluation and development of Red Teaming strategies specific to this platform. Our presentation delves into the challenges of MacOS during red teaming exercises.
Bio:
Ahmed Sherif:
Ivan Kozlov:
2023
November 23-24 2023 | October 19 2023 | September 21 2023 | June 7 2023 | May 25 2023 | April 20 2023 | March 16 2023 | January 19 2023
November 23-24 2023, BeNeLux Days
See https://www.owaspbenelux.eu for information.
October 19 2023
Location: Radboud University, Huygens building
Address: Heyendaalseweg 135, Nijmegen
Link: https://www.ru.nl/fnwi/faculteit/profiel/huygensgebouw
Please register via: https://www.meetup.com/owasp-chapter-netherlands-meetup/events/296179697/
18:00 - 18:15 - Reception of attendees
18:15 - 19:00 - Pizza
19:00 - 19:15 - Welcome and OWASP updates
19:15 - 20:00 - Hacking CI/CD Pipelines: Some use cases for hacking CI/CD orchestrators by Mauricio Cano
20:00 - 20:15 - Break with drinks
20:15 - 21:00 - Unveiling the secrets in your code: Detecting and Triaging exposed credentials at scale by Ingmar Vis
Hacking CI/CD Pipelines: Some use cases for hacking CI/CD orchestrators
Abstract:
In this talk, we will discuss the hacking of CI/CD orchestrators, with a focus on GitHub Actions and what kind of things can be done from the perspective of a malicious insider. Some of the cases we will discuss are:
- Secret enumeration.
- Accessing infrastructure through runners.
- Public runners vs Private runners.
- Code injection in the pipeline and supply chain.
- GitHub commits information.
- Secret searching in the repository.
The goal is to provide a broad view on the attack surface that can be derived from CI/CD orchestrators and their runners, as well as to show a few demos on how this can be done.
Bio:
Mauricio Cano:
Unveiling the secrets in your code: Detecting and Triaging exposed credentials at scale
Abstract:
Security misconfigurations are often easy to exploit but also easy to avoid. How can we raise security awareness and at the same time prevent security misconfigurations (such as leaked credentials) from reaching production? Is there an easy way to scan, triage and follow-up on exposed secrets at enterprise scale? ABN Amro open sourced Repository Scanner and runs Repository Scanner internally at scale, exposing secrets in source code repositories and thereby raising security awareness while at the same time improving the security posture by remediating security misconfigurations.
Bio:
Ingmar Vis:
September 21 2023
Location: Hogeschool van Utrecht
Address: Heidelberglaan 15, 3584CS Utrecht
Please register via: https://www.meetup.com/owasp-chapter-netherlands-meetup/events/295296523/
18:00 - 18:15 - Reception of attendees
18:15 - 19:00 - Pizza
19:00 - 19:15 - Welcome and OWASP updates
19:15 - 20:00 - DAST in the world of DevSecOps by Amit Sharma
20:00 - 20:15 - Break with drinks
20:15 - 21:00 - SAST, DAST, IAST… xAST de-mystified by Martin Knobloch
DAST in the world of DevSecOps
Abstract:
-
Bio:
Amit Sharma:
SAST, DAST, IAST… xAST de-mystified
Abstract:
Dev[Sec]Ops has embraced CI/CD’s build, test and deployment approach, now pushing secure test automation into the dev’s build pipelines.
Now SCA has been added to the xAST security verification in your pipeline, as more is better, right?
But without a clear expectation of what to expect from your tool (usage), how do you choose the right tool?
During this presentation, you will be guided to define the problem first, in order to choose the tools to solve it. Let’s grow maturity: not by pushing security test automation into the development pipelines, but by adding useful quality assurance to your production line!
Bio:
Martin Knobloch:
With a background in software development and architecture, his focus is on software security. Martin is actively involved in OWASP, where he is a frequent contributor to various projects and initiatives. Martin takes part in organizing local and global OWASP conferences and served more than 5 years as a member of the Board of Directors, two of them as Chairman of the board.
During his career, Martin has been a recognized teacher, guest lecturer at various universities and invited speaker and trainer at local and international software development, testing and security conferences throughout the world.
June 7 2023
Want to learn more about Web Application Firewalls?
Join the Dutch Chapters of OWASP, ISACA, and ISC2 for their first-ever combined online webinar on Wednesday, June 7th, from 19:00 to 21:00 CET.
Please register via: https://www.meetup.com/owasp-chapter-netherlands-meetup/events/293379819
19:00 - 19:10 - Welcome
19:10 - 19:30 - Web Application Firewalls by Aatif Khan
19:30 - 20:55 - Panel Discussion on Web Application Firewalls with Aatif Khan, Menno Swam and Nico van Rooyen, moderated by Ramzy Elmasry
20:55 - 21:00 - Closing and Next Steps
To receive the LIVE stream details, register via:
https://isaca.nl/events/isaca-owasp-and-isc2-web-application-firewalls-webinar/
With an expert presentation and a panel discussion, you will have the opportunity to learn about best practices and get your questions answered by professionals in the field.
By combining the focus areas and driving forces of each Chapter, this event ensures that this topic will be addressed from different perspectives, such as risk, compliance, audit, cybersecurity, and technical.
Aatif Khan, a data-driven AI and cybersecurity expert, will kick off the webinar with a compact presentation on Web Application Firewalls (WAFs). After which, we will open the panel discussion and answer questions from the audience. Our panel members are Aatif Khan, Menno Swam and Nico van Rooyen.
See below for more information on our panel members and the topic.
Register today for this unique opportunity!
Panel Discussion on Web Application Firewalls
Bio:
Aatif Khan:
With 15+ years of experience in information security, Aatif has spoken at numerous conferences such as BlackHat, SANS & UK NCSC CyberThreat London, Security BSides London, Cyber Security Asia Malaysia, @Hack, etc., amongst other conferences across the EMEA region. He has been interviewed by the Associated Press, Voice of America, Hakin9, and numerous other media channels for his expertise on emerging cybersecurity threats. Aatif holds a Master of Science in Artificial Intelligence from LJMU, UK, and is currently working on AI-driven advanced threat detection and response with modern security analytics.
Menno Swam:
Menno has experience in the field of Information Security and Risk Management for companies in the Financial services sector, due to his experience as an Information Security Officer and Internal Auditor. Moreover, he has specific knowledge of security frameworks (such as PCI-DSS and ISO27001) as well as the technical execution of financial law (such as WWFT and PSD2). While working in complex IT environments, Menno has been able to get accustomed to all facets of information security, both technical and non-technical. As such, he is able to translate technical findings and risks to business impact and opportunities.
Nico van Rooyen:
He started his career as an IT auditor specializing in information security at KPMG in South Africa, and for the past decade he has deepened his experience in information security while obtaining various certifications such as CISA, CISM, CEH, and COBIT.
During this time, Nico worked across various countries including Australia, Denmark, Israel, Sweden, Europe, the UK, and the USA.
In 2017, he moved to the Netherlands with his wife, who is expecting their second baby boy in September of this year.
May 25 2023
Location: Exact
Address: Molengraaffsingel 33, 2629 JD Delft
Please register via: https://www.meetup.com/owasp-chapter-netherlands-meetup/events/292932837/
18:00 - 18:15 - Reception of attendees
18:15 - 19:00 - Pizza
19:00 - 19:15 - Welcome and OWASP updates
19:15 - 20:00 - AppSec in IT contracts by Sebastian Avarvarei
20:00 - 20:15 - Break with drinks
20:15 - 21:00 - About containers and their escapes: understanding escape patterns and possibilities by Mauricio Cano
AppSec in IT contracts
Abstract:
Back in 2018 I wrote: “In today’s multi-sourced enterprise, your security is as good as your worst written contract.” We have gotten better at writing security into commercial contracts since I first did my talk on this topic, but the yellow brick road ahead of us still goes some ways.
But how about AppSec, how well is it covered in our IT contracts? What are the pitfalls and the solutions? How do we avoid that someone else’s security issues become our security problems? And, by all means, let’s learn how to be a bit lazy, and do better with less effort!
Bio:
Sebastian Avarvarei:
About containers and their escapes: understanding escape patterns and possibilities
Abstract:
Containers have become one of the most common underlying infrastructures for microservice architectures. As such, they can often be part of the external attack surface of enterprise systems and applications (e.g., whenever a web application hosted on a Kubernetes cluster is Internet-facing). Thus, it is important to understand what types of (mis)configurations can make containers more vulnerable against attacks of different types. In this talk, Mauricio will deep dive into different techniques that can be used to escape containers. In particular, he will talk about how to escape privileged containers, the usage of different capabilities, the usage of kernel exploits and a few other ways attackers may use to gain access to the hosts of the containers.
Bio:
Mauricio Cano:
April 20 2023
This is an online meeting and will be streamed on YouTube. The meeting will start at 19:00.
Please register via: https://www.meetup.com/owasp-chapter-netherlands-meetup/events/292323208/
OWASP Juice Shop
Abstract:
OWASP Juice Shop is probably the most modern and sophisticated insecure web application! It can be used in security training, awareness demos, CTFs and as a guinea pig for security tools!
Juice Shop encompasses vulnerabilities from the entire OWASP Top Ten along with many other security flaws found in real-world applications!
At this event, we will take a tour through the application, hack it live on screen, learn about Coding Challenges, CTF mode, cheat detection, custom theming, and more!
Bio:
Björn Kimminich:
The Rise of the Security Verification Standard
Abstract:
We are currently seeing a big uptick in the progression of the OWASP Application Security Verification Standard (ASVS) as well as the Mobile version (MASVS). Not only are two major releases in the pipeline (5.0 and 2.0 respectively) but we are now seeing industry stand up, take notice and start expecting more from applications, based on these standards. In this talk, Josh Grossman (one of the ASVS project leaders) will take you through these key developments including our vision for the upcoming version 5.0 of the ASVS and how you and your employer can be involved in the final release.
This will also be a chance to hear first-hand about a couple of new programmes where you will see the SVSs being more widely used and required, and how you can prepare your organizations for the significant impact this will have, whether you are developing applications or you are assessing them.
Bio:
Josh Grossman:
Josh is currently CTO for Bounce Security where he helps clients improve and get better value from their application security processes and provides specialist application security advice. His consultancy work has led him to work, speak and deliver training both locally and worldwide including privately for ISACA and Manicode and publicly for OWASP's Global AppSec conferences. In his spare time, he co-leads the OWASP Application Security Verification Standard project and is on the OWASP Israel chapter board.
He was also recognized as a Key Contributor for the OWASP Proactive Controls project and has also contributed to the OWASP Top 10 Risks project and the OWASP JuiceShop project.
March 16 2023
Delegates may be asked to provide a valid proof of photo ID (such as a driving licence or passport) to enter the venue.
This meetup's sponsor, Adyen - a financial services institution - works within a highly regulated environment, so we kindly ask for your understanding if you are asked to provide ID during your visit.
Location: Adyen
Address: Rokin 49, Amsterdam
Please register via: https://www.meetup.com/owasp-chapter-netherlands-meetup/events/291470656/
18:00 - 18:15 - Reception of attendees
18:15 - 19:00 - Pizza
19:00 - 19:15 - Welcome and OWASP updates
19:15 - 20:00 - Managing APIs securely by Rob Blaauboer
20:00 - 20:15 - Break with drinks
20:15 - 21:00 - Crash course on the OWASP API Security Top 10 by Colin Domoney
Crash course on the OWASP API Security Top 10
Abstract:
With the recent breaches to Optus, Twitter, and T-Mobile, 2023 is destined to become the year API security becomes the number one concern for organizations, both at the board level and within security and development teams. API security poses unique challenges to builders and defenders, and many of your existing detection and protection measures may prove to be ineffective.
Join Colin as he draws on his experience from curating the industry's biggest API security resource (APISecurity.io) in exploring the following:
- Crash course on the OWASP API Security Top 10 (and how it differs from the OWASP Top 10)
- A whistle-stop tour of some of the biggest API breaches over the past 18 months, taking a look at what went wrong, the impact, and most importantly, how to prevent such attacks.
Finally, he will present the top techniques for protecting your APIs from attack, starting with secure development practices through to API protection and threat detection.
The content will be technical, with demos and code samples, and based on real-world breaches. By the end of the session, you will have an understanding of the API Security Top 10, and have a working knowledge of how to protect your APIs, either at a code level or using runtime protections.
Bio:
Colin Domoney:
Currently, he is the Chief Technology Evangelist with 42Crunch, the curator of the APISecurity.io newsletter, and is writing the industry’s first book on defending APIs.
Managing APIs securely
Abstract:
When an organization offers an API, the API needs to become a Managed API. This means that lifecycle management, security, and throttling resources become an important aspect of API Management, as well as the ability of developers to find, explore and subscribe to the API in order to use it.
During the presentation, Rob will zoom into these aspects and how an API Manager can help you with security and throttling (including schema validation and advanced scenarios) while at the same time making the API easily available to your target developers (inside or outside the organization).
In the second part, he will elaborate on the “shiny frontend / dirty backend”. This is an API frontend that accesses legacy systems, databases, but also the integration of a set of APIs etc., thus enabling services that use older technology or proprietary interfaces to have a modern appearance to the outside world, e.g. exposing a legacy insurance policy administration system as an API.
Thirdly, we will look at the way you can implement the Mastodon API. Since Elon Musk acquired Twitter last year, alternative platforms like Mastodon have become more popular. It might be that this becomes a viable channel to communicate with clients for some organizations.
Bio:
Rob Blaauboer:
Next to these responsibilities, Rob is also an avid blogger with almost 200 blogs on innovation on Frankwatching, more than 150 blogs on WSO2 on Yenlo’s website and many other blogs on various other sites. Rob is also a regular contributor to the BNR Zaken Doen radio show in the area of technology and innovation.
January 19 2023
This is an online meeting and will be streamed on YouTube. The meeting will start at 19:00.
Bootstrap and increase your software assurance with OWASP SAMM v2.1
Abstract:
With our new release OWASP SAMM v2.1 - the prime maturity model for software assurance - we provide an effective and measurable way for all types of organizations to analyze and improve their software security posture.
OWASP SAMM supports the complete software lifecycle, including development and acquisition, and is technology and process agnostic. It is intentionally built to be evolutive and risk-driven in nature.
During this talk Sebastien (project co-leader) will explain how to use SAMM in your organization, and then continue with the added features in our new release 2.1:
The introduction of SAMM Practitioners
SAMM Guidance for all Security Practice streams, including:
OWASP projects and content references
Mappings to other standards and models (including NIST SSDF, ISO27001, BSIMM, …)
Best practices
Tools
New SAMM guidance for development teams
The updated resources, including the online SAMMwise tools, the new PDF and the updated toolbox.
We will conclude with the outcome of our 2022 SAMM survey and the rebooted SAMM benchmark initiative.
Bio:
Sebastien Deleersnyder:
OWASP Security Knowledge Framework
Abstract:
Education is the first step in the Secure Software Development Lifecycle. The free OWASP Security Knowledge Framework (SKF) is intended to be a tool that is used as a guide for building and verifying secure software. It can also be used to train developers about application security. This talk will help you as a developer to become THE Neo of your development team. We will show how you can do security by design and introduce other quality gates into your development pipeline to ensure high end quality and security of your project.
Bio:
Glenn Ten Cate:
2022
November 24-25 2022 | October 20 2022 | September 15 2022 | June 16 2022 | May 19 2022 | April 21 2022 | March 17 2022 | February 17 2022 | January 20 2022
November 24-25 2022, BeNeLux Days
See https://2022.owaspbenelux.eu for information.
October 20 2022
Location: Ordina
Address: Ringwade 1, 3439 LM Nieuwegein
18:00 - 18:15 - Reception of attendees
18:15 - 19:00 - Food and beverages
19:00 - 19:15 - Welcome and OWASP updates
19:15 - 20:00 - Attacking and Defending Kubernetes by Akshit Sharma and Mauricio Cano
20.00 - 20:15 - Break with drinks
20:15 - 21:00 - TIBER-EU, the European framework for threat intelligence-based ethical red-teaming by Givan Kolster
Attacking and Defending Kubernetes
Abstract:
Organizations are increasingly moving to cloud-based managed Kubernetes deployments given the numerous benefits over self-managed deployments. However, it comes with different security and monitoring considerations. The reason behind these differences lies in the different management models used by different cloud service providers, which most of the time depend on the proposed Shared Responsibility Model.
This talk discusses some common security misconfigurations for Kubernetes clusters and how attackers can exploit them via live demonstrations. We will then focus on a custom cloud-native security monitoring solution built in AWS. The goal is to alert relevant stakeholders of potential misconfigurations and active breach attempts on an Amazon EKS Cluster. As mentioned above, this talk includes live demonstrations of some of the use-cases that have been implemented. The implemented solution leverages AWS native tools, as well as an infrastructure-as-code template for rapid deployment across accounts. Finally, we discuss potential use cases for this solution and propose a general roadmap for improvements and future capabilities.
This talk will be especially useful for individual contributors or professionals who want to understand and develop in-house security monitoring tools for Kubernetes without the need for expensive third-party platforms.
Bio:
Akshit Sharma:
Mauricio Cano:
TIBER-EU, the European framework for threat intelligence-based ethical red-teaming
Abstract:
The ECB launched the threat intelligence based ethical red teaming (TIBER-EU) framework some time ago. More and more central banks within Europe are adopting this framework to have their critical financial infrastructure tested against realistic threats. The presentation has a balanced mix of theory and examples from the field.
Givan will share his view from years of experience with developing the framework and leading many red teaming engagements under the different TIBER ‘flavors’. He will walk through the framework, explain how it ‘works’ and zoom in on the delivery of the red and purple teaming parts, giving you a glance at what is involved in performing a realistic attack on live critical systems of a large financial institution.
Bio:
Givan Kolster:
Givan focuses on delivering high-quality services to clients world-wide, both on offensive and defensive side. He has led many red and purple teaming engagements. He aims at making cohesive teams during purple teaming exercises, where he manages to change the perspective from ‘versus’ to ‘collaborative’. This is important to drive the learning experience for the defensive team.
In the past years, Givan was operationally involved in red teaming projects as a social engineer, and as a trainer for many professionals new to the field.
September 15 2022
Location: Radboud University, Huygens building, Room zaal HG00.307
Address: Heyendaalseweg 135, Nijmegen
Link: https://www.ru.nl/fnwi/faculteit/profiel/huygensgebouw
Please register via: https://www.meetup.com/owasp-chapter-netherlands-meetup/events/287743579/
18:00 - 18:15 - Reception of attendees
18:15 - 19:00 - Pizza
19:00 - 19:15 - Welcome and OWASP updates
19:15 - 20:00 - The Red Cross of the Internet by Shairesh Algoe
20.00 - 20:15 - Break with drinks
20:15 - 21:00 - Digitally securing The Netherlands - or convincing others to do it by Koen Sandbrink
The Red Cross of the Internet
Abstract:
Over the year 2021 the Dutch Institute for Vulnerability Disclosure (DIVD) notified a total of 86,427 IP addresses that were found to be vulnerable. Compared to 58,358 e-mails in 2020, that is a growth of more than 33%. This year we have already sent out 141,078 emails.
The DIVD scans the internet for vulnerabilities and reports these to the people who can fix them. I will go into some of our recent cases, ranging from Kaseya VSA, to Log4j in 2021 and some of the 2022 highlights. Next to that you will get an introduction to how the DIVD has professionalised vulnerability disclosure and why we are allowed to somewhat break laws on computer crime and privacy.
Bio:
Shairesh Algoe:
His day job is being the Chief Information Security Officer for TM-Pro, a FinTech company that provides a banking-as-a-service platform to small, medium and larger financial institutions.
Besides that, he is a board member at the DIVD and responsible, together with the management team, for the continuity of this hacker collective that helps to clean up the internet for free within our code of conduct.
In his other spare time, he is also an entrepreneur who delivers security products and services to multiple companies. He is also a speaker and teaches students about information security and quantum technology.
Digitally securing The Netherlands - or convincing others to do it
Abstract:
NCSC-NL has a clear mission: to make The Netherlands digitally secure. To achieve this, we need to understand what’s going on and connect all the relevant parties to exchange knowledge and provide a perspective for action, hopefully to prevent digital disruptions. But the NCSC does not own or control any part of the internet. We do not have actual buttons to push or knobs to turn. We need to make others do this for the greater good. Let’s take a dive into the efforts of the NCSC to help assess digital risks, help resolve vulnerabilities in systems and help respond to incidents.
Bio:
Koen Sandbrink:
June 16 2022
Meet-up setting: first physical meet-up in 2.5 years
Location: Trend Micro
Address: Herikerbergweg 92, 1101 CM Amsterdam
18:00 - 18:15 - Reception of attendees
18:15 - 19:00 - Pizza
19:15 - 20:00 - Staying in control of your cloud application landscape by Priyam Awasthy and Spandan Chandra
20:00 - 20:15 - Break with drinks
20:15 - 21:00 - OWASP Cloud-Native Application Security Top 10 by Filip
Staying in control of your cloud application landscape
Abstract:
At the end of 2021, 67% of all enterprise infrastructure was cloud-based. Cloud technologies are being consumed to host more and more applications. This talk will outline what security measures an organization and self-governed DevOps teams can implement to secure their cloud application landscape. During the session, we will talk about various strategies such as the types of virtualization or sandboxing used to protect cloud applications, how to manage authentication and authorization, and data protection.
Bio:
Priyam Awasthy:
Spandan Chandra:
OWASP Cloud-Native Application Security Top 10
Abstract:
The cloud has lots of moving parts, and things will go wrong. This talk aims to start a discussion around the OWASP Cloud-Native Application Security Top 10 and what we, as engineers, can do to address some of the challenges with cloud security.
Bio:
Filip:
May 19 2022
This is an online meeting and will be streamed on YouTube. The meeting will start at 19:00.
Comparing Static Analysis Security Testing (SAST) tools and dependency scanners
Abstract:
There are many SAST tools and dependency scanners on the market. In this talk, the results of comparing some SAST tools and dependency scanners will be discussed. The comparison includes human experiences like usability and developer friendliness, but also metrics like true and false positives and overlapping reports between the tools. The tools that were compared are: SonarQube, npm audit, FindSecurityBugs, Snyk, Semgrep, ShiftLeft Scan, OWASP Dependency Check, and OSS Index. The comparison was performed by scanning a ready-for-market Java-React web application.
Bio:
Wibren Wiersma:
Infrastructure as Code (IaC) - security challenges and how KICS solves them
Abstract:
- What is IaC
- Security challenges around IaC
- KICS OSS tool powered by Checkmarx and how it solves the challenges
Bio:
Lior Kaplan:
Secret Scanning Solutions
Abstract:
Nowadays collaboration is key in software development. One way it is achieved is through software code repositories, but the open nature and convenience they provide are met with the downside of human error. The problem occurs when these public code repositories handle authentication secrets such as API keys or cryptographic secrets. These secrets should be kept confidential, but it often happens that practices like adding the secrets to the code repository lead to accidental leakage. To prevent this, secret scanning tools have arisen on the market. Rabobank is trying to prevent secret leakage within the company in which collaboration via code repositories is key. The company wishes to determine what would be the best performing secret scanning tools available on the market and compare them with the tool they are currently using, CredScan. This paper starts by presenting what secret scanning is, the most common types of secrets which exist, the most common detection techniques implemented by secret scanning tools, and an overview of the most popular tools available on the market. Further, it presents the steps taken during the internship: conducting interviews to compose a requirements list for the tool; shortlisting the tools based on the requirements; testing the shortlisted tools in a testing environment, and comparing the results. The top three best alternatives have proved to be SpectralOps, Whispers and TruffleHog. Only SpectralOps is objectively better than CredScan whereas Whispers and TruffleHog output false positives.
Bio:
Raluca Viziteu:
April 21 2022
This is an online meeting and will be streamed on YouTube. The meeting will start at 19:00.
Crawl Dutch government websites to collect statistics of SRI usage
Abstract:
In this work we crawled all major Dutch government websites to measure the adoption rate of Subresource Integrity Protection (SRI). We crawled and evaluated close to 150,000 different pages on 477 different domains using a crawler that we developed. This resulted in approximately 1,000,000 different cross-origin script and link tags being evaluated. We found the adoption rate of SRI to be very low, with 8.4% of the tags having implemented SRI. For sensitive pages, such as login and registration pages, this number was slightly lower at 8.3%. Our findings indicate that most of these SRI-enabled references are due to Content Delivery Networks (CDNs) and utility providers providing HTML resource links that already carry proper integrity and crossorigin attributes. This is because CDNs and utility providers are the most popular SRI-enabled domains to reference, in combination with almost no Dutch government websites having complete SRI coverage in their cross-origin resource references.
Bio:
Tom Stock:
Web Security Map (basisbeveiliging.nl)
Abstract:
Absolute transparency moves people forward. What happens when plotting the state of security on a map? Organizations start to adapt and improve. This is an overview of the Web Security Map application, which can help you by providing insight into huge amounts of security information about companies up to entire countries. It’s an open source product which can help you change your part of the world. In this talk you’ll see the impact, how it works, what it does, where to get it and where to go from there.
Bio:
Elger Jonker:
Security Transformation Program
Abstract:
We are living in a fast-changing and very demanding world. New and evolving technologies bring along new cybersecurity threats, increasing the pressure on SAP to evolve the security level of its software. With the migration to the cloud we have the responsibility to securely operate our software, adding a layer of complexity to the security landscape. And if that was not enough, more and more countries are releasing strict data privacy regulations. There is no “one size fits all” solution any longer, so all our teams are faced with technical and regulatory requirements. To overcome these challenges, new requirements, standards, and frameworks for developers and operations experts are extended or created regularly – but more does not always mean better. These initiatives quickly become exercises in filling in yet another Excel file. Therefore, the CX Trust Office has initiated a CX Security Transformation Program to make security easy to consume for developers and operations experts by simplifying, automating, and providing guidance.
Story Line:
NIST, internal policies, external frameworks, SOC and ISO certifications come with a big list of repetitive requirements, and very often the requirements are not built into the product but driven by external audits, changing architectures and products after they have been created and put into production. We have created a strategy, with a tool, to translate the requirements into executable, easy to understand instructions that remove complexity and duplication. We have set up our organization in cross-functional and functional teams that support the execution of the strategy, and a tool to glue these things together and provide guidance and the current status for all the frameworks and regulations.
Bio:
Dimitar Yanev:
Andreas Hauke:
March 17 2022
This is an online meeting and will be streamed on YouTube. The meeting will start at 19:00.
Another great OWASP meet-up promised: we have Steve Springett who will talk about the OWASP Dependency-Track tool & OWASP CycloneDX. He will share what is happening around these projects. Next to that we have Klaas Wijbrans sharing his industry insights on rules and regulations demanding SBOM, the challenges it brings and solution directions. We will also announce three (3) new OWASP projects that will be executed in 2022, so stay tuned!
Introducing: The Security Champions Guidebook
Introducing: Guidelines on embedding SBOM in your organization
OWASP Dependency Track and OWASP CycloneDX
Abstract:
Software Bill of Materials (SBOM) have gained wide-spread support from the software industry, to critical infrastructure, to the White House. In this session, the OWASP CycloneDX SBOM standard will be introduced along with strategies for effectively creating SBOMs. Also introduced will be OWASP Dependency-Track, a platform that consumes and continuously analyzes SBOMs for security, operational, and license risk. Both of these flagship OWASP projects work together to allow organizations to make better risk-based decisions.
Bio:
Steve:
Software Bill of Material – why do we need it, what is it and how can we overcome the current challenges
Abstract:
The Executive Order on Cybersecurity of the Biden administration caused a lot of activity on the ‘software bill of material’. This talk will go into the details why it is being asked, what it consists of, and the practical challenges the industry needs to solve to reliably and efficiently create and use it in an automated way.
Bio:
Klaas Wijbrans:
February 17 2022
This is an online meeting and will be streamed on YouTube. The meeting will start at 19:00.
How log4j became an epic - a story told by a developer and a product owner
Abstract:
This talk will touch upon the log4j vulnerability, how it has set everything on fire, what impact it had on our team, and what we have learned from the crisis.
Bio:
Rick te Brake:
Anna Rudenko:
Previously, she was doing her Ph.D. in Cognitive Linguistics.
The Long-Term Impact of Log4j
Abstract:
In its aftermath, Log4j vulnerabilities put the spotlight on vendor management and supply chain security practices. Now that the dust has settled and the worst of the fallout has passed, this talk presents perspectives on likely mid- and long-term changes that the security industry will see as a result of dealing with the Log4j issue as the latest in an escalating series of open source and software supply chain incidents.
Bio:
Dan Cornell:
Cornell is an active member of the development community and a sought-after speaker on topics of application and software security, speaking at international conferences including RSA Security Conference, OWASP AppSec USA and EU, TEDx, and Black Hat CISO Forum. He holds three patents in the area of software security.
How log4j ruined our Christmas
Abstract:
In early December a vulnerability was found in Log4j, an open-source logging library commonly used by apps and services across the internet. If left unfixed, attackers can break into systems, steal passwords and logins, extract data, and infect networks with malicious software.
This talk will outline why this vulnerability ruined Christmas and the potential impact log4j can or could have to your organisation.
Bio:
Owen:
Prior to joining Bank of Ireland, Owen led the Penetration Testing and Red Teaming functions for Deloitte Ireland. Furthermore, he acted as the Vulnerability Management Lead for the EMEA region.
Owen is an advocate of secure development and has sat on the Global Board of Directors of OWASP for the last 4 years. Owen has held the roles of Secretary, Vice-Chair and Chair of the Global Foundation.
January 20 2022
This is an online meeting and will be streamed on YouTube. The meeting will start at 19:00.
A story on scaling threat modeling across 500+ DevOps teams
Abstract:
This talk is not about “what is threat modelling, and what are the different methodologies?”. This is well known and understood by now. With every organization moving towards DevSecOps, the difficult question is “how to do Threat Modeling at scale?”. I want to take this opportunity to share with you the ABN AMRO story about how we did this!
Bio:
Abhishek k. Goel:
Before ABN, he was a Lead Security Consultant with Deloitte USI and enabled security in CICD pipelines for clients across the globe.
Gamification of Threat Modelling
Abstract:
The talk is all about doing security architecture and threat modelling work as part of development planning.
The presentation starts by introducing OWASP Cornucopia and the simplified OWASP “Top 5” for developers and then moves into looking at how one can practically include a form of threat modelling (using Cornucopia) into one’s agile development practices in an effective manner.
There is a brief discussion on gamification, covering the usual FAQs on that and then it moves onto implementation at scale and some of the experiences we’ve had there.
Bio:
Grant Ongers:
Grant’s experience spans Dev - building platforms for Telcos, MSPs and Financial institutions for more than 10 years. 20+ years in Ops, running operational teams in global NOCs to managing mainframe and database systems. He also has over 30 years pushing the limits of (Info)Sec - mostly white-hat. He’s worked on both sides of the TPSA table, for and with regulated orgs ensuring compliance and matching “appetite for” with “acceptance of” risk.
Grant’s community involvement is global: Staff at BSides (London, Las Vegas, and Cape Town), Goon at DEF CON (USA) for over a decade and DC2721 co-founder, staff at BlackHat (USA and EU).
Alongside his role as CTO within Secure Delivery, Grant provides C-suite advice and guidance on security to FTSE100 enterprises and strategic risk analysis within M&A diligence teams.
2021
October 28 2021 | September 30 2021
October 28 2021
This is an online meeting and will be streamed on YouTube: https://youtu.be/qR6JCkZgOlY.
The meeting will start at 19:00.
Our Secrets Management Journey: From Code to Vault
Abstract:
So you have an access key that you need to store somewhere. Maybe it is better not to put it in your code, nor in your container. But what about Kubernetes? What about a custom secrets storage solution? Of course, we tried many, sometimes funny, things to get our secrets secured. And luckily we ended up with a combination of safe methods, with Vault at its core. Want to know more? Join us, as we will go through various examples and their challenges!
Bio:
Jeroen Willemsen:
Doing Security in DevOps, the right way!
Abstract:
Automation is not DevSecOps, but without automation there is no DevSecOps! Secret management, SAST, DAST, Pen Testing, Container Security, Secure Config Management etc. are about automating security. But let me ask you, can one reach nirvana in securing DevOps with solely automation? This talk will address ALL dimensions required for doing security in DevOps, so we get it right!
Bio:
Irfaan Santoe:
September 30 2021
On the 30th of September OWASP Netherlands will organize a pub quiz. The pub quiz will start at 20:00. To join the pub quiz, you need to join a Zoom meeting. Check the Meetup page for more information.
2020
November 23-27 2020 | May 14 2020 | April 9 2020
November 23-27 2020, BeNeLux Days
See https://2020.owaspbenelux.eu for information.
May 14 2020
This is an online meeting about the Mobile Security Testing Guide and the Mobile Application Security Verification Standard by Jeroen Willemsen.
The talk will start at 20:00.
Watch the livestream at https://youtu.be/cuB8TNT0rMw.
April 9 2020
The first talk will start at 20:00.
Schedule:
- SKF news by Riccardo ten Cate and Glenn ten Cate (Video)
- Break
- OWASP Integration Standards project update by Rob van der Veer (Video)
Watch the livestream at https://youtu.be/EtGyhWYSjVA.
2019
June 18 2019 | January 17 2019
June 18 2019
https://www.meetup.com/OWASP-Chapter-Netherlands-Meetup/events/261811435/
18:30 - 19:00 - Dinner
19:00 - 19:15 - Welcome
19:15 - 20:00 - Recon Recon by Martijn Baalman aka @x1m_martijn
20:00 - 20:15 - Break
20:15 - 21:00 - The Good, The Bad and The Ugly of Responsible Disclosure by Chrissy Morgan aka 5w0rdFish
Spaces Herengracht
Herengracht 124-128,
1015 BT Amsterdam
Recon Recon
Bio:
Martijn Baalman aka @x1m_martijn:
The Good, The Bad and The Ugly of Responsible Disclosure
Abstract:
So what do a jQuery bug that affected thousands of websites and one of the highest-starred GitHub repos with 7,800 forks, a Domain Name Registrar vulnerability which allowed full access to domain owner details (post GDPR) and data protection flaws within Microsoft’s Office365 all have in common? … Answer: Responsible Disclosure. This talk will feature disclosure on each of these bugs and others, and the circumstances around them when reporting, to highlight the problems security researchers face today when trying to do the right thing and to raise awareness of the security flaws so we are better protected.
Bio:
Chrissy Morgan aka 5w0rdFish:
January 17 2019
https://www.meetup.com/OWASP-Chapter-Netherlands-Meetup/events/257707239/
18:30 - 19:00 - Dinner
19:00 - 19:15 - Welcome, OWASP update
19:15 - 20:00 - Machine Learning vs. Cryptocoin Miners by Jonn Callahan
20:00 - 20:15 - Break
20:15 - 21:00 - Running at Light Speed: Cloud Native Security Patterns by Jack Mannino
21:00 - Closing
Xebia
Laapersveld 27
1213 VB Hilversum
Machine Learning vs. Cryptocoin Miners
Abstract:
With the advent of cryptocurrencies as a prevalent economic entity, attackers have begun turning compromised boxes and environments into cash via cryptocoin mining. This has given rise to the necessity of detecting compromised environments by analyzing network traffic logs for evidence of cryptocoin miners operating within a given network. In this talk, I’ll be reviewing various ML and statistical analysis techniques leveraged against VPC Flow Logs for this very purpose. It will not be a deep dive into the math involved, but instead a general discussion of these techniques and why I chose them.
Bio:
Jonn Callahan:
Running at Light Speed: Cloud Native Security Patterns
Abstract:
No matter how fast you ship software, a good design is critical to security. Cloud native systems are no exception. Containerized microservices running on distributed management and orchestration platforms bring new challenges to address, as well as classic software problems that we’ve been dealing with for years. Secure software design patterns can be used to model security controls at different trust boundaries within your architecture, providing security in a repeatable and consumable way. Using patterns such as the Service Mesh or Ambassador pattern lets us focus on proper security control placement and lifts security outside of the core services we’ve traditionally bolted security onto later.
The goal of this presentation is to arm software developers and security architects with reference architecture guidance that can be used in any cloud native environment. The topics we’ll cover include multi-tenancy considerations, authentication, authorization, encryption, and more. We will focus on newer cloud native architecture patterns as well as some classic software design patterns that are still applicable. At the end of this presentation, you’ll have a greater understanding of cloud native security design at an architectural level and you’ll be eager to begin white-boarding your ideas.
Bio:
Jack Mannino:
2018
September 27 2018 | June 28 2018
September 27 2018
Location: Radboud Universiteit
19:15 - 20:00 - Serverless Security: Functions-as-a-Service (FaaS) by Niels Tanis
20:15 - 21:00 - Building A Security Test Automation Framework by Riccardo Ten Cate
Serverless Security: Functions-as-a-Service (FaaS)
Building A Security Test Automation Framework
June 28 2018
19:15 - 20:00 - Building A Security ‘Culture’ by Gareth O’Sullivan
20:15 - 21:00 - Building Secure Software With OWASP Tools And Guides by Martin Knobloch
Building A Security ‘Culture’
Building Secure Software With OWASP Tools And Guides
2017
October 12 2017
Location: Radboud Universiteit
19:15 - 20:00 - Playing in the Sandbox: Bypassing Adobe Flash Input Validation by Björn Ruytenberg
20:15 - 21:00 - How to rob a bank by Pieter Ceelen
Playing in the Sandbox: Bypassing Adobe Flash Input Validation
How to rob a bank
2016
November 7 2016 | September 22 2016 | July 7 2016 | April 21 2016 | February 18 2016
November 7 2016
Location: Hogeschool Rotterdam
19:15 - 20:00 - Web Security: Broken by default? by Niels Tanis
20:15 - 21:00 - Building A Software Security Program by Kuai Hinojosa
Web Security: Broken by default?
Building A Software Security Program
September 22 2016
Location: Radboud University
19:15 - 20:00 - Handling Of Security Requirements In Software Development Lifecycle by Daniel Kefer and René Reuter
20:15 - 21:00 - Hacking The OWASP Juice Shop by Björn Kimminich
Handling Of Security Requirements In Software Development Lifecycle
Hacking The OWASP Juice Shop
July 7 2016
Location: SurfNET
19:15 - 20:00 - Find and fix software security problems… by Matias Madou
20:15 - 21:00 - How To Keep Your Secrets Safe(r) On An Android Device by Jeroen Willemsen
Find and fix software security problems…
How To Keep Your Secrets Safe(r) On An Android Device
April 21 2016
Location: Universiteitsbibliotheek UvA
20:15 - 21:00 - Web Application Firewall, Filter and Bypass by Aatif Khan
Web Application Firewall, Filter and Bypass
February 18 2016
Location: De Haagse Hogeschool
19:15 - 20:00 - OWASP Security Knowledge Framework by Glenn Ten Cate and Riccardo Ten Cate