OWASP Netherlands

2022

September 15 2022

Location: Radboud University, Huygens building, Room HG00.307
Address: Heyendaalseweg 135, Nijmegen
Link: https://www.ru.nl/fnwi/faculteit/profiel/huygensgebouw

Please register via: https://www.meetup.com/owasp-chapter-netherlands-meetup/events/287743579/

18:00 - 18:15 - Reception of attendees

18:15 - 19:00 - Pizza

19:00 - 19:15 - Welcome and OWASP updates

19:15 - 20:00 - The Red Cross of the Internet by Shairesh Algoe

20:00 - 20:15 - Break with drinks

20:15 - 21:00 - Digitally securing The Netherlands - or convincing others to do it by Koen Sandbrink

The Red Cross of the Internet

Abstract:

Over the year 2021 the Dutch Institute for Vulnerability Disclosure (DIVD) notified a total of 86,427 IP addresses that were found to be vulnerable. Compared to 58,358 e-mails in 2020, that is a growth of more than 33%. This year we have already sent out 141,078 emails.
The DIVD scans the internet for vulnerabilities and reports these to the people who can fix them. I will go into some of our recent cases, ranging from Kaseya VSA to Log4j in 2021 and some of the 2022 highlights. Next to that, you will get an introduction to how the DIVD has professionalised vulnerability disclosure and why we are allowed to somewhat break laws on computer crime and privacy.

Bio:
Shairesh Algoe:

Shairesh Algoe is passionate about information security and tech and enjoys teaching and telling stories. With more than 12 years of experience, he tries to keep information security simple and has worn several security hats, from technical to leadership roles.
His day job is Chief Information Security Officer for TM-Pro, a FinTech company that provides a banking-as-a-service platform to small, medium and larger financial institutions.
Besides that, he is a board member at the DIVD and, together with the management team, responsible for the continuity of this hacker collective that helps to clean up the internet for free within its code of conduct.
In his remaining spare time, he is also an entrepreneur who delivers security products and services to multiple companies. He is also a speaker and teaches students about information security and quantum technology.

Digitally securing The Netherlands - or convincing others to do it

Abstract:

NCSC-NL has a clear mission: to make The Netherlands digitally secure. To achieve this, we need to understand what’s going on and connect all the relevant parties to exchange knowledge and provide a perspective for action, hopefully to prevent digital disruptions. But the NCSC does not own or control any part of the internet. We do not have actual buttons to push or knobs to turn. We need to make others do this for the greater good. Let’s take a dive into the efforts of the NCSC to help assess digital risks, help resolve vulnerabilities in systems and help respond to incidents.

Bio:
Koen Sandbrink:

Koen Sandbrink is a cyber security advisor for the National Cyber Security Centre of The Netherlands (NCSC-NL). Originally educated to make IT, he started his career as a security tester to break IT. In the following decade he has seen too many things go wrong and has developed a few opinions on how not to do those things anymore. Koen likes trains, architecture and classical music and is also convinced that Ludwig van Beethoven was a hacker.

June 16 2022

Meet-up setting: first physical meet-up in 2.5 years

Location: Trend Micro
Address: Herikerbergweg 92, 1101 CM Amsterdam

18:00 - 18:15 - Reception of attendees

18:15 - 19:00 - Pizza

19:15 - 20:00 - Staying in control of your cloud application landscape by Priyam Awasthy and Spandan Chandra

20:00 - 20:15 - Break with drinks

20:15 - 21:00 - OWASP Cloud-Native Application Security Top 10 by Filip

Staying in control of your cloud application landscape

Download the presentation
Watch the recording

Abstract:

At the end of 2021, 67% of all enterprise infrastructure was cloud-based. Cloud technologies are being consumed to host more and more applications. This talk will outline what security measures an organization and self-governed DevOps teams can implement to secure their cloud application landscape. During the session, we will talk about various strategies, such as the types of virtualization or sandboxing used to protect cloud applications, how to manage authentication and authorization, and data protection.

Bio:
Priyam Awasthy:

Priyam has over 8 years of experience in Cyber Security with an emphasis on Penetration Testing and Cloud Security. He currently holds the position of Enterprise Application Security Lead at Canon EMEA where he is responsible for managing end-to-end security for applications and the cloud landscape. Priyam has deep experience across a range of Cyber Security domains having carried out a range of engagements servicing a diverse portfolio of clients across multiple industries. He has developed strong leadership and people management skills, having led a variety of diverse teams performing a range of services. Prior to joining Canon EMEA, Priyam led the Cloud Risk Advisory function for Deloitte Netherlands. He has wide experience in cyber security transformations (such as in Cloud and DevOps), technical security advisory and assessments, red teaming, security audits, and secure code development.

Spandan Chandra:

Spandan has over 7 years of experience in Cyber Security with an emphasis on Cloud Security and Risk & Compliance. He currently holds the position of Senior Auditor at Ahold Delhaize, where he is responsible for leading IT risk and compliance audits and advising IT teams on securing their IT environments, including cloud landscapes. Prior to joining Ahold Delhaize, Spandan led the cloud security team for Deloitte Netherlands. Furthermore, he acted as SME for cloud transformations and cloud security advisory. Spandan is well known for propagating security, risk and compliance across IT organizations; he was responsible for representing an organization in a global digital data lake initiative for the Oil and Gas industry. Additionally, he has given multiple talks at organizations and open forums.

OWASP Cloud-Native Application Security Top 10

Download the presentation
Watch the recording

Abstract:

The cloud has lots of moving parts, and things will go wrong. This talk aims to start a discussion around the OWASP Cloud-Native Application Security Top 10 and what we, as engineers, can do to address some of the challenges with cloud security.

Bio:
Filip:

Filip has worked in IT for over 15 years, 8 of those in cybersecurity with a focus on infrastructure and cloud security. He is currently part of Xebia Security, helping customers on their cloud journeys by using security to enable the organization to grow securely and most productively. His specialties are DevSecOps and cloud security. He likes to spend time researching new technologies in the cloud, designing and analysing cloud environments and finding ways to integrate the cloud with existing infrastructure. He’s passionate about using the defensive and offensive sides of security to bring additional value to the projects he is involved in. Prior to joining Xebia, Filip worked at FlowTraders as a security engineer, helping with the cloud transformation and working to secure their high-speed trading environments.

May 19 2022

This is an online meeting and will be streamed on YouTube. The meeting will start at 19:00.

Comparing Static Analysis Security Testing (SAST) tools and dependency scanners

Watch the recording

Abstract:

There are many SAST tools and dependency scanners on the market. In this talk, the results of a comparison of several SAST tools and dependency scanners will be discussed. The comparison includes human experiences such as usability and developer friendliness, but also metrics such as true and false positives and overlapping reports between the tools. The tools compared are: SonarQube, npm audit, FindSecurityBugs, Snyk, Semgrep, ShiftLeft Scan, OWASP Dependency-Check, and OSS Index. The comparison was performed by scanning a ready-for-market Java-React web application.

Bio:
Wibren Wiersma:

Wibren Wiersma is studying Cyber Security at the Radboud University in Nijmegen. He performed the SAST comparison as a research internship at Carthago-ICT. Before and during his study, Wibren worked for four years as a full stack developer for different ICT companies. Currently, he is working on his master’s thesis about a graph-based approach to detecting outliers in academic publishing.

Infrastructure as Code (IaC) - security challenges and how KICS solves them

Watch the recording

Abstract:
  • What is IaC
  • Security challenges around IaC
  • KICS OSS tool powered by Checkmarx and how it solves the challenges

Bio:
Lior Kaplan:

Lior Kaplan is Checkmarx’s open source officer, leading KICS open source project to Keep IaC Secure.

Secret Scanning Solutions

Watch the recording

Abstract:

Nowadays, collaboration is key in software development. One way it is achieved is through software code repositories, but the open nature and convenience they provide are met with the downside of human error. The problem occurs when these public code repositories handle authentication secrets such as API keys or cryptographic secrets. These secrets should be kept confidential, but it often happens that practices like adding the secrets to the code repository lead to accidental leakage. To prevent this, secret scanning tools have appeared on the market. Rabobank is trying to prevent secret leakage within the company, in which collaboration via code repositories is key. The company wishes to determine which secret scanning tools available on the market perform best and to compare them with the tool it is currently using, CredScan. This paper starts by presenting what secret scanning is, the most common types of secrets that exist, the most common detection techniques implemented by secret scanning tools, and an overview of the most popular tools available on the market. Further, it presents the steps taken during the internship: conducting interviews to compose a requirements list for the tool; shortlisting the tools based on the requirements; testing the shortlisted tools in a testing environment; and comparing the results. The top three alternatives proved to be SpectralOps, Whispers and TruffleHog. Only SpectralOps is objectively better than CredScan, whereas Whispers and TruffleHog output false positives.

Bio:
Raluca Viziteu:

Raluca Viziteu is studying Information Security Technology at Eindhoven University of Technology for her master’s degree. She performed a comparison of secret scanning tools as a research internship for Rabobank. Raluca previously studied Computer Science and Engineering at Eindhoven University of Technology. Currently, she is working on her master’s thesis on building a practical threat modeling methodology for supporting ICS device manufacturers and system integrators, for Secura.

April 21 2022

This is an online meeting and will be streamed on YouTube. The meeting will start at 19:00.

Crawl Dutch government websites to collect statistics of SRI usage

Watch the recording

Abstract:

In this work we crawled all major Dutch government websites to measure the adoption rate of Subresource Integrity Protection (SRI). We crawled and evaluated close to 150,000 different pages on 477 different domains using a crawler that we developed. This resulted in approximately 1,000,000 different cross-origin script and link tags being evaluated. We found the adoption rate of SRI to be very low, with 8.4% of the tags having implemented SRI. For sensitive pages, such as login and registration pages, this number was slightly lower at 8.3%. Our findings indicate that most of these SRI-enabled references are due to Content Delivery Networks (CDNs) and utility providers providing HTML resource links already with proper integrity and crossorigin attributes. This is because CDNs and utility providers are the most popular SRI-enabled domains to reference, in combination with almost no Dutch government websites having complete SRI coverage in their cross-origin resource references.

Bio:
Tom Stock:

My name is Tom Stock, a cyber security master student at the Radboud University with a passion for computers, pretty code and solving complex problems with simple software.

Web Security Map (basisbeveiliging.nl)

Watch the recording

Abstract:

Absolute transparency moves people forward. What happens when you plot the state of security on a map? Organizations start to adapt and improve. This is an overview of the Web Security Map application, which can help you gain insight into huge amounts of security information about companies up to entire countries. It’s an open source product which can help you change your part of the world. In this talk you’ll see the impact, how it works, what it does, where to get it and where to go from there.

Bio:
Elger Jonker:

Elger Jonker is an ethical hacker who wants to make the world a better place. Elger is currently working on the next Dutch hacker camp, May Contain Hackers 2022, and has co-founded two hackerspaces: Hack42 in Arnhem and Awesome Space in Utrecht. Professionally, Elger specializes in the combination of software security, security testing and application development. Elger is currently the lead developer for internet.nl and has worked on other similar projects for the internet society. Of course there is more, but this bio should only be so long… Oh, and Elger has been doing software things for over 25 years now… which makes them old, but not yet always grumpy.

Security Transformation Program

Watch the recording

Abstract:

We are living in a fast-changing and very demanding world. New and evolving technologies bring along new cybersecurity threats, increasing the pressure on SAP to evolve the security level of its software. With the migration to the cloud we have the responsibility to securely operate our software, adding a layer of complexity to the security landscape. And if that was not enough, more and more countries are releasing strict data privacy regulations. There is no “one size fits all” solution any longer, so all our teams are faced with technical and regulatory requirements. To overcome these challenges, new requirements, standards, and frameworks for developers and operations experts are extended or created regularly – but more does not always mean better. These initiatives quickly become exercises in filling in yet another Excel file. Therefore, the CX Trust Office has initiated a CX Security Transformation Program to make security easy to consume for developers and operations experts by simplifying, automating, and providing guidance.

Story Line:

NIST, internal policies, external frameworks, SOC and ISO certifications come with a big list of repetitive requirements, and very often the requirements are not built into the product but driven by external audits, which means changing architectures and products after they have been created and put into production. We have created a strategy, with a tool, to translate the requirements into executable, easy-to-understand instructions that remove complexity and duplication. We have set up our organization in cross-functional and functional teams that support the execution of the strategy. A tool glues these things together and provides guidance and the current status for all the frameworks and regulations.

Bio:
Dimitar Yanev:

A natural leader who fosters collaboration with empathy and inspires teamwork by empowering people’s ability to unveil the best of themselves. Brings experience of driving complex strategic cross-company projects to success. Recognized for demonstrating out-of-the-box thinking and putting customers front and centre. Started his career in SAP Labs Sofia as a build engineer responsible for creating a home-grown, complex Java build environment. Joined and led a task force to roll out static security analysis in SAP. During that time he gained an in-depth understanding of how leading SAST tools work and how to manage cross-company, scaled projects. Led the first Security Self-Service & Automation work stream for SAP. Today Dimitar is Head of SAP CX Product Security Transformation and DevOps, defining, executing and developing tool support for the security transformation program for SAP CX.

Andreas Hauke:

Andreas Hauke was born in Würzburg, North Bavaria, Germany. He founded his first IT company during his school time at the age of 18, training employees in how to use standard software and doing web development for small companies. He started studying computer science and economics and paused to found his second company in the e-commerce space, selling furniture online. In this time he was responsible for developing the e-commerce platform based on open source, operating it in a co-location and securing it against attacks. After the journey of an entrepreneur and closing the companies, he rejoined studies and finished his bachelor’s degree with a focus on information security. During his studies he worked full-time as a consultant in different security projects, executing penetration tests or securing environments overall, also in critical infrastructure of the government. After his studies and a period as a freelancer, he joined Deutsche Telekom Cloud Services as a Cloud Architect and was responsible for establishing security in the newly developed OpenStack platform, and performed security due diligence on the partner solutions hosted on the platform. Besides that, he also trained the German army in networking and security. After Telekom he joined SAP as a Security Architect to secure the first productive SAP microservice platform developed by the Hybris team and took over the responsibility of helping to secure other solutions in the portfolio. As part of SAP he helped acquisitions integrate into SAP, e.g. Callidus, Gigya and Coresystems. He also helped to pilot the first risk-based Secure SDL in SAP and initiated the first Security Self-Service & Automation work stream for SAP. He is also a certified Threat Model Expert & Trainer, ISO 27001 lead auditor and data protection officer, and has completed several courses on cryptography, security management and forensics.
At the moment he is leading the SAP CX Trust Office as CISO for SAP Customer Experience (CX) and drives the security transformation for this portfolio.

March 17 2022

This is an online meeting and will be streamed on YouTube. The meeting will start at 19:00. Another great OWASP meet-up is promised: we have Steve Springett, who will talk about the OWASP Dependency-Check tool & OWASP CycloneDX. He will share what is happening around these projects. Next to that we have Klaas Wijbrans sharing his industry insights on rules and regulations demanding SBOMs, the challenges they bring and solution directions. We will also announce three (3) new OWASP projects that will be executed in 2022, so stay tuned!
Introducing: The Security Champions Guidebook
Introducing: Guidelines on embedding SBOM in your organization

OWASP Dependency Track and OWASP CycloneDX

Watch the recording

Abstract:

Software Bills of Materials (SBOMs) have gained widespread support, from the software industry to critical infrastructure to the White House. In this session, the OWASP CycloneDX SBOM standard will be introduced along with strategies for effectively creating SBOMs. Also introduced will be OWASP Dependency-Track, a platform that consumes and continuously analyzes SBOMs for security, operational, and license risk. Both of these flagship OWASP projects work together to allow organizations to make better risk-based decisions.

Bio:
Steve:

Steve educates teams on the strategy and specifics of developing secure software. He practices security at every stage of the development lifecycle by leading sessions on threat modeling, secure architecture and design, static/dynamic/component analysis, offensive research, and defensive programming techniques. Steve’s passionate about helping organizations identify and reduce risk from the use of third-party and open source components. He is an open source advocate and leads the OWASP Dependency-Track project, OWASP Software Component Verification Standard (SCVS), and is the Chair of the OWASP CycloneDX Core Working Group, a Software Bill of Materials (SBOM) Standard.

Software Bill of Material – why do we need it, what is it and how can we overcome the current challenges

Watch the recording

Abstract:

The Executive Order on Cybersecurity of the Biden administration caused a lot of activity around the ‘software bill of materials’. This talk will go into the details of why it is being asked for, what it consists of, and the practical challenges the industry needs to solve to reliably and efficiently create and use it in an automated way.

Bio:
Klaas Wijbrans:

Klaas is a fellow architect in the Chief Architect Office of Philips. He has thirty years of experience in complex, software-intensive systems and products such as traffic control systems, storm surge barrier control systems, telecommunications equipment and medical systems. At Philips he is driving the standardization of Philips products to a common architecture and common technologies.

February 17 2022

This is an online meeting and will be streamed on YouTube. The meeting will start at 19:00.

How log4j became an epic - a story told by a developer and a product owner

Watch the recording

Abstract:

This talk will touch upon the log4j vulnerability: how it set everything on fire, what impact it had on our team, and what we have learned from the crisis.

Bio:
Rick te Brake:

Rick te Brake has 12 years of experience in Java backend development. He has worked in the banking and healthcare industries. He likes to work with reactive microservices and functional programming.

Anna Rudenko:

Anna Rudenko is the product owner in the same team. She has over 7 years of experience as Project Manager and Product Owner in the areas of software development, media production, charity and scientific research.
Previously, she was doing her Ph.D. in Cognitive Linguistics.

The Long-Term Impact of Log4j

Watch the recording

Abstract:

In its aftermath, Log4j vulnerabilities put the spotlight on vendor management and supply chain security practices. Now that the dust has settled and the worst of the fallout has passed, this talk presents perspectives on likely mid- and long-term changes that the security industry will see as a result of dealing with the Log4j issue as the latest in an escalating series of open source and software supply chain incidents.

Bio:
Dan Cornell:

A globally recognized software security expert, Dan Cornell has over 20 years of experience architecting, developing and securing software systems. As Vice President of Product Strategy at Coalfire, Dan works with customers and industry partners to help drive the direction of their product portfolio. Prior to its acquisition by Coalfire, Dan was a founder of and the Chief Technology Officer at Denim Group, where he helped Fortune 500 companies and government organizations integrate security throughout the development process.
Cornell is an active member of the development community and a sought-after speaker on topics of application and software security, speaking at international conferences including RSA Security Conference, OWASP AppSec USA and EU, TEDx, and Black Hat CISO Forum. He holds three patents in the area of software security.

How log4j ruined our Christmas

Watch the recording

Abstract:

In early December a vulnerability was found in Log4j, an open-source logging library commonly used by apps and services across the internet. If left unfixed, attackers can break into systems, steal passwords and logins, extract data, and infect networks with malicious software.
This talk will outline why this vulnerability ruined Christmas and the potential impact Log4j can or could have on your organisation.

Bio:
Owen:

Owen has over 11 years of experience in Cyber Security with an emphasis on Penetration Testing and Red Teaming. He currently holds the position of Head of Cyber Resilience at Bank of Ireland, where he is responsible for leading the Security Testing, Incident Response and Threat Intelligence functions. Owen has deep experience across a range of Cyber Security domains, having carried out a range of engagements servicing a diverse portfolio of clients across multiple industries. He has developed strong leadership and people management skills, having led a variety of diverse teams performing a range of services.
Prior to joining Bank of Ireland, Owen led the Penetration Testing and Red Teaming functions for Deloitte Ireland. Furthermore, he acted as the Vulnerability Management Lead for the EMEA region.
Owen is an advocate of secure development and sat on the Global Board of Directors of OWASP for the last 4 years. Owen held the role of Secretary, Vice-Chair and Chair of the Global Foundation.

January 20 2022

This is an online meeting and will be streamed on YouTube. The meeting will start at 19:00.

A story on scaling threat modeling across 500+ DevOps teams

Watch the recording

Abstract:

This talk is not about “what is threat modelling, and what are the different methodologies?”. This is well known and understood by now. With every organization moving towards DevSecOps, the difficult question is “how to do Threat Modeling at scale?”. I want to take this opportunity to share with you the ABN AMRO story about how we did this!

Bio:
Abhishek k. Goel:

Abhishek k. Goel is a Security Consultant at ABN Amro and the IT lead for Threat Modelling capability at the bank. He is a senior security engineer responsible for enabling security in DevOps across the bank.
Before ABN, he was a Lead Security Consultant with Deloitte USI and enabled security in CICD pipelines for clients across the globe.

Gamification of Threat Modelling

Watch the recording

Abstract:

The talk is all about doing security architecture and threat modelling work as part of development planning.
The presentation starts by introducing OWASP Cornucopia and the simplified OWASP “Top 5” for developers and then moves into looking at how one can practically include a form of threat modelling (using Cornucopia) in one’s agile development practices in an effective manner.
There is a brief discussion on gamification, covering the usual FAQs on that and then it moves onto implementation at scale and some of the experiences we’ve had there.

Bio:
Grant Ongers:

Co-founder of Secure Delivery and current OWASP Global Foundation board member, Grant Ongers (@rewtd), is a firm believer in security enabling delivery not blocking it. The philosophy and purpose of Secure Delivery is in the name: optimal delivery and security in one nimble and adaptive offering.
Grant’s experience spans Dev - building platforms for Telcos, MSPs and Financial institutions for more than 10 years. 20+ years in Ops, running operational teams in global NOCs to managing mainframe and database systems. He also has over 30 years pushing the limits of (Info)Sec - mostly white-hat. He’s worked on both sides of the TPSA table, for and with regulated orgs ensuring compliance and matching “appetite for” with “acceptance of” risk.
Grant’s community involvement is global: Staff at BSides (London, Las Vegas, and Cape Town), Goon at DEF CON (USA) for over a decade and DC2721 co-founder, staff at BlackHat (USA and EU).
Alongside his role as CTO within Secure Delivery, Grant provides C-suite advice and guidance on security to FTSE100 enterprises and strategic risk analysis within M&A diligence teams.

2021

October 28 2021

This is an online meeting and will be streamed on YouTube: https://youtu.be/qR6JCkZgOlY.
The meeting will start at 19:00.

Our Secrets Management Journey: From Code to Vault

Watch the recording

Abstract:

So you have an access key that you need to store somewhere. Maybe it is better not to put it in your code, nor in your container. But what about Kubernetes? What about a custom secrets storage solution? Of course, we tried many, sometimes funny, things to get our secrets secured. And luckily we ended up with a combination of safe methods, with Vault at its core. Want to know more? Join us, as we will go through various examples and their challenges!

Bio:
Jeroen Willemsen:

Jeroen Willemsen is a Principal Security Architect at Xebia and a jack of all trades in security. He loves to develop new software, set up DevSecOps support tooling, and help companies with security programs. He enjoys sharing knowledge, which is why he has published articles and blogs and given trainings and talks on various subjects.

Doing Security in DevOps, the right way!

Watch the recording

Abstract:

Automation is not DevSecOps, but without automation there is no DevSecOps! Secret management, SAST, DAST, Pen Testing, Container Security, Secure Config Management etc. are about automating security. But let me ask you, can one reach nirvana in securing DevOps with solely automation? This talk will address ALL dimensions required for doing security in DevOps, so we get it right!

Bio:
Irfaan Santoe:

Irfaan Santoe is a Global Security Director at Wolters Kluwer, advising the Business & IT on the information security ambition & implementation. Prior to Wolters Kluwer, Irfaan was the Global Head of Security Engineering at ABN AMRO bank and led the security implementation of ABN AMRO’s IT transformation towards DevOps. This transformation program is set to uplift more than 500 Dev teams to become DevOps and to increase security without breaking DevOps! Irfaan holds a Master’s in Computer Science (a programmer at heart) and is fascinated by the inner science of Yoga & Meditation.

September 30 2021

On the 30th of September OWASP Netherlands will organize a pub quiz. The pub quiz will start at 20:00. To join the pub quiz, you need to join a Zoom meeting. Check the Meetup page for more information.

2020

November 23-37 2020

See https://www.owaspbenelux.eu for information.

May 14 2020

This is an online meeting about the Mobile Security Testing Guide and the Mobile Application Security Verification Standard by Jeroen Willemsen.
The talk will start at 20:00.

Watch the livestream at https://youtu.be/cuB8TNT0rMw.

April 9 2020

The first talk will start at 20:00.

Schedule:

Watch the livestream at https://youtu.be/EtGyhWYSjVA.

2019

June 18 2019

https://www.meetup.com/OWASP-Chapter-Netherlands-Meetup/events/261811435/

18:30 - 19:00 - Dinner

19:00 - 10:15 - Welcome

19:15 - 20:00 - Recon Recon by Martijn Baalman aka @x1m_martijn

20:00 - 20:15 - Break

20:15 - 21:00 - The Good, The Bad and The Ugly of Responsible Disclosure by Chrissy Morgan aka 5w0rdFish

Spaces Herengracht
Herengracht 124-128,
1015 BT Amsterdam

Recon Recon

Watch the recording

Bio:
Martijn Baalman aka @x1m_martijn:

In the daytime, Martijn is a pen tester at Qbit Cyber Security, and by night he is bug bounty hunting in the wild and sending PoCs to Detectify Crowdsource and other bug bounty platforms. Recon is key for finding vulnerabilities yet is tedious at times. Hackers, like developers, find that automation makes life easier, even recon. Martijn has developed something called ReconPi, a bug bounty reconnaissance tool that automates most of the (general) recon methods that hackers use. He’ll show you how he does all his recon, yes everything, on a Raspberry Pi 3 in his lightning talk.

The Good, The Bad and The Ugly of Responsible Disclosure

Watch the recording

Abstract:

So what do a jQuery bug that affected thousands of websites (one of the highest starred GitHub repos, with 7,800 forks), a Domain Name Registrar vulnerability which allowed full access to domain owner details (post GDPR) and data protection flaws within Microsoft’s Office365 all have in common? … Answer: Responsible Disclosure. This talk will feature disclosure on each of these bugs and others, and the circumstances around them when reporting, to highlight the problems security researchers face today when trying to do the right thing and to raise awareness of the security flaws so we are better protected.

Bio:
Chrissy Morgan aka 5w0rdFish:

Chrissy leads the IT Security Operations for a Close Protection company and in her spare time has carried out research in the areas of web application security, Steganography, RFID, Physical Cyber Systems Security and is actively involved within the information security community across a wealth of subjects. She also runs The Co-Lab in London, which is a hardware hacking security research workshop. As a recent Napier Masters Graduate, she has accomplished the following successes so far: Winner of Cyber Security Challenge UK (University Challenge - Team Edinburgh Napier), CTF Finalist for the Pragyan CTF (Team Edinburgh Napier), a BlackHat Challenge Coin winner for OSINT from Social-Engineer.org and Black Hat Scholarship, Steelcon Award, WISP Sponsorship, was the BSides London Rookie Track Speaker Winner for 2018 and most recently won the ISC(2) Up and Coming Security Professional 2019.

January 17 2019

https://www.meetup.com/OWASP-Chapter-Netherlands-Meetup/events/257707239/

18:30 - 19:00 - Dinner

19:00 - 19:15 - Welcome, OWASP update

19:15 - 20:00 - Machine Learning vs. Cryptocoin Miners by Jonn Callahan

20:00 - 20:15 - Break

20:15 - 21:00 - Running at Light Speed: Cloud Native Security Patterns by Jack Mannino

21:00 - Closing

Xebia
Laapersveld 27
1213 VB Hilversum

Machine Learning vs. Cryptocoin Miners

Download the presentation
Watch the recording

Abstract:

With the advent of cryptocurrencies as a prevalent economic entity, attackers have begun turning compromised boxes and environments into cash via cryptocoin mining. This has given rise to the need to detect compromised environments by analyzing network traffic logs for evidence of cryptocoin miners operating within a given network. In this talk, I’ll be reviewing various ML and statistical analysis techniques leveraged against VPC Flow Logs for this very purpose. It will not be a deep dive into the math involved, but instead a general discussion of these techniques and why I chose them.

Bio:
Jonn Callahan:

Jonn Callahan has worked in appsec for half a decade across a wide variety of languages, technologies, and sectors. While constantly looking for new things to play with, he rediscovered his love for the universal language of math and, consequently, the power of statistical analysis and machine learning. He now seeks to dismantle the black magic of these techniques, showing that they don’t require an advanced mathematics degree to be leveraged, as well as to find novel ways to apply them within the security space.

Running at Light Speed: Cloud Native Security Patterns

Download the presentation
Watch the recording

Abstract:

No matter how fast you ship software, a good design is critical to security. Cloud native systems are no exception. Containerized microservices running on distributed management and orchestration platforms bring new challenges to address, as well as classic software problems that we’ve been dealing with for years. Secure software design patterns can be used to model security controls at different trust boundaries within your architecture, providing security in a repeatable and consumable way. Using patterns such as the Service Mesh or Ambassador pattern lets us focus on proper security control placement and on lifting security out of the core services we’ve traditionally bolted security onto later.

The goal of this presentation is to arm software developers and security architects with reference architecture guidance that can be used in any cloud native environment. The topics we’ll cover include multi-tenancy considerations, authentication, authorization, encryption, and more. We will focus on newer cloud native architecture patterns as well as some classic software design patterns that are still applicable. At the end of this presentation, you’ll have a greater understanding of cloud native security design at an architectural level and you’ll be eager to begin white-boarding your ideas.

Bio:
Jack Mannino:

Jack Mannino is the CEO of nVisium. Passionate about security and impossible to keep away from a keyboard, his expertise spans over 15 years of building, breaking, and securing software. Jack founded nVisium in 2009, and since then has helped the world’s largest software teams enhance security across their software portfolios. He has spoken at conferences globally on topics such as secure design, mobile application security, and cloud-native security.

2018

September 27 2018  |  June 28 2018

September 27 2018

Location: Radboud Universiteit

19:15 - 20:00 - Serverless Security: Functions-as-a-Service (FaaS) by Niels Tanis

20:15 - 21:00 - Building A Security Test Automation Framework by Riccardo Ten Cate

Serverless Security: Functions-as-a-Service (FaaS)

Watch the recording

Building A Security Test Automation Framework

Watch the recording

June 28 2018

19:15 - 20:00 - Building A Security ‘Culture’ by Gareth O’Sullivan

20:15 - 21:00 - Building Secure Software With OWASP Tools And Guides by Martin Knobloch

Building A Security ‘Culture’

Watch the recording

Building Secure Software With OWASP Tools And Guides

Watch the recording

2017

October 12 2017

October 12 2017

Location: Radboud Universiteit

19:15 - 20:00 - Playing in the Sandbox: Bypassing Adobe Flash Input Validation by Björn Ruytenberg

20:15 - 21:00 - How to rob a bank by Pieter Ceelen

Playing in the Sandbox: Bypassing Adobe Flash Input Validation

Watch the recording

How to rob a bank

Watch the recording

2016

November 7 2016  |  September 22 2016  |  July 7 2016  |  April 21 2016  |  February 18 2016

November 7 2016

Location: Hogeschool Rotterdam

19:15 - 20:00 - Web Security: Broken by default? by Niels Tanis

20:15 - 21:00 - Building A Software Security Program by Kuai Hinojosa

Web Security: Broken by default?

Watch the recording

Building A Software Security Program

Watch the recording

September 22 2016

Location: Radboud University

19:15 - 20:00 - Handling Of Security Requirements In Software Development Lifecycle by Daniel Kefer and René Reuter

20:15 - 21:00 - Hacking The OWASP Juice Shop by Björn Kimminich

Handling Of Security Requirements In Software Development Lifecycle

Watch the recording

Hacking The OWASP Juice Shop

Watch the recording

July 7 2016

Location: SurfNET

19:15 - 20:00 - Find and fix software security problems… by Matias Madou

20:15 - 21:00 - How To Keep Your Secrets Safe(r) On An Android Device by Jeroen Willemsen

Find and fix software security problems…

Watch the recording

How To Keep Your Secrets Safe(r) On An Android Device

Watch the recording

April 21 2016

Location: Universiteitsbibliotheek UvA

20:15 - 21:00 - Web Application Firewall, Filter and Bypass by Aatif Khan

Web Application Firewall, Filter and Bypass

Watch the recording

February 18 2016

Location: De Haagse Hogeschool

19:15 - 20:00 - OWASP Security Knowledge Framework by Glenn Ten Cate and Riccardo Ten Cate

OWASP Security Knowledge Framework

Watch the recording