OWASP Netherlands


May 23 2024 - Cyber Booked

The local Dutch Chapters of OWASP, ISACA and ISC2 are, together with the Secure Software Alliance (SSA), joining forces to host a physical event called “Cyber Booked” which is going to be one of a kind. This event offers the opportunity to learn from and meet & greet with both new and well-respected (Dutch) Cybersecurity authors, who have been known to contribute to the security industry.

About the Event
The Cyber Booked event is expected to have an attendance of 100-150 people in total, a mix of different personas including but not limited to information security. It will be hosted on 23 May 2024 in Hotel van der Valk in Breukelen. We have secured a lineup of authors of both new and well-known cybersecurity books who reside and work in the Netherlands and contribute to or are part of the cybersecurity industry. The event starts at 17:00 and ends at 22:00. There will be ample opportunity during the break and drinks for participants to meet and greet the authors, as well as to network and interact, not only with each other but also with the sponsors.

Please register via: https://isaca.nl/events/cyber-booked-2024/

June 20 2024

Location: VU, Amsterdam
Address: De Boelelaan 1105

Please register via: https://www.meetup.com/owasp-chapter-netherlands-meetup/events/300855942

18:00 - 18:15 - Reception of attendees

18:15 - 19:00 - Pizza

19:00 - 19:15 - Welcome and OWASP updates

19:15 - 20:00 - Ship Happens: The Stormy Seas of Supply Chain Security by David Archer

20:00 - 20:15 - Break with drinks

20:15 - 21:00 - Technical leverage: dependencies are a mixed blessing by Fabio Massacci

Ship Happens: The Stormy Seas of Supply Chain Security


“The more I know about how software is made, the less I want to know” - Me

As a software developer with over a decade of experience and countless interactions with application security teams, I’ve discovered the unsettling complexities of modern software production. Despite what I thought I knew, the reality was far more intricate.

Modern software development is a sprawling network of open-source dependencies, sophisticated build tools, plugins, pipelines, and runtimes. These components are fundamental in securing critical sectors of our daily lives—finance, healthcare, infrastructure, transportation, and social interactions. However, this supply chain is under relentless attack, and many of the potential threats are poorly understood.

This talk will delve into specific vulnerabilities, such as dependency poisoning and pipeline compromises, that exemplify the challenges we face. We’ll explore strategies to mitigate these threats and discuss practical takeaways that attendees can immediately implement in their software development practices. Expect to leave with a deeper understanding of supply chain security and with ideas to fortify your software factory against these escalating threats.

David Archer:
David Archer is a Solution Architect at Endor Labs. He began his career as a software developer and witnessed significant shifts in how software is built over the last two decades. After spells as a development lead and product director and in pre-sales consultancy roles, David consistently saw a concerning trend: security often took a backseat amidst the hustle and bustle of development priorities.

Seeking to help address this balance, David took an opportunity in 2018 to work full-time in the field of application security, with a particular focus on technologies that promise to enhance security without impeding development speed. Through his extensive experience with secure coding practices and hands-on experience with the myriad of code analysis tools like IAST, SAST, DAST, RASP and SCA, he gained valuable insights into their relevance and effectiveness in a modern software factory.

Technical leverage: dependencies are a mixed blessing


Modern applications are built upon a large supply chain of (possibly open source) libraries and tools. In finance, leverage is the ratio of debts (other people’s money) vs equity (your money), and Lehman Brothers made that concept famous. For software, technical leverage is the ratio between other people’s code and your own code. I will argue with some examples from the Maven, Python and NPM ecosystems that this is both a risk and an opportunity. Lehman Brothers was 30 to 1; what about the Software Sisters?

Fabio Massacci:
Fabio Massacci is a co-author of CVSS v4. Among other things, he is also a professor at Vrije Universiteit. He has been a speaker at hackers’ venues (BlackHat USA, Asia), scientific security conferences (IEEE S&P, CCS), software engineering conferences (ICSE, MSR) and risk analysis conferences (SRA). He coordinates the EU project Sec4AI4Sec (name tells it all) and an NWO project on using AI for security threat intelligence. While almost all professors are sellers of tech (through their papers or their spin-offs), he was also for 7 years deputy for ICT procurements and services, supervising a 70+ workforce and a few million euros in outsourcing contracts. Being a buyer of tech makes a difference in perspective.