OWASP Netherlands Chapter Meeting April 10th, 2013 Amsterdam NL
Date and time
Location
Vrije Universiteit Amsterdam - Room: M129 in the FEW building.
1085 De Boelelaan
1081 HV Amsterdam
Netherlands
Description
OWASP Netherlands Chapter Meeting
April 10th, 2013
"In this Chapter meeting we will not REST until we have designed an access control mechanism to protect your web services..."
Programme:
18:30 - 19:15 Registration & Pizza
19:15 - 20:00 “Access Control Design Best Practices” – Jim Manico
20:00 - 20:15 Break
20:15 - 21:00 “RESTful services, the web security blind spot” – Ofer Shezaf
21:00 - 21:30 Networking
Access Control Design Best Practices
Access Control is a necessary security control at almost every layer within a web application.
This talk will discuss several of the key access control anti-patterns commonly found during
website security audits. These access control anti-patterns include hard-coded security
policies, lack of horizontal access control, and "fail open" access control mechanisms. In
reviewing these and other access control problems, we will discuss and design a positive
access control mechanism that is data contextual, activity based, configurable, flexible, and
deny-by-default - among other positive design attributes that make up a robust web-based
access-control mechanism.
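The anti-patterns and the positive design named in this abstract, as an added illustration (not code from the talk or from Jim Manico): a hard-coded check that fails open and ignores ownership, beside a deny-by-default, activity-based policy with a horizontal (data-contextual) ownership check. The users, invoices and policy table are constructed for the example.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class User:
    id: int
    roles: frozenset

@dataclass(frozen=True)
class Invoice:
    id: int
    owner_id: int

# Anti-pattern: hard-coded policy that fails open. Any activity the code does
# not name (a new endpoint, a typo in the activity string) is silently allowed,
# and nothing checks whether the caller owns the invoice (no horizontal control).
def is_allowed_fail_open(user, activity, resource=None):
    if activity == "invoice:refund" and "support" not in user.roles:
        return False
    return True

# Positive design: the policy is configuration keyed by activity, not by URL or
# role name scattered through the code. Constructed sample policy for this example.
POLICY = {
    "invoice:view":   {"roles": {"customer", "support"}, "owner_only": {"customer"}},
    "invoice:refund": {"roles": {"support"},             "owner_only": set()},
}

def is_allowed(user, activity, resource=None):
    """Deny by default: an unknown activity, a non-matching role, or a
    resource the caller does not own all yield False."""
    rule = POLICY.get(activity)
    if rule is None:
        return False
    matching = user.roles & rule["roles"]
    if not matching:
        return False
    # Horizontal (data-contextual) check: if every role granting this activity
    # is an owner-only role, the caller must own the resource being acted on.
    if matching <= rule["owner_only"]:
        return resource is not None and resource.owner_id == user.id
    return True

# Constructed sample data.
alice = User(1, frozenset({"customer"}))
bob = User(2, frozenset({"customer"}))
carol = User(3, frozenset({"support"}))
alice_invoice = Invoice(10, owner_id=1)
```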
RESTful web services, the web security blind spot
As a lightweight alternative to web services, RESTful services are fast becoming a leading
technology for developing mobile applications and web 2.0 sites.
At first glance, RESTful services seem very different from web services and suspiciously similar
to regular web technology. This similarity leads to the misconception that RESTful services are secured in the same way. However, RESTful services share
many of the security risks of web services without the compensating web services security controls.
The presentation will describe RESTful services and their use, the complexities in protecting them,
and common attack vectors specific to REST services, such as URL-embedded attacks. The
presentation concludes with a discussion of the challenges of security testing RESTful services
and presents novel approaches for automated testing of RESTful services using grey-box testing, a
method combining a client attack tool and a server-based monitor.
Jim Manico
Jim Manico is the VP of Security Architecture for WhiteHat Security, a web security firm. He authors and delivers developer security awareness training for WhiteHat Security and has a background as a software developer and architect. Jim is also a global board member for the OWASP foundation. He manages and participates in several OWASP projects, including the OWASP cheat sheet series and the OWASP podcast series.
Ofer Shezaf
Ofer Shezaf is an internationally recognized application security expert. Ofer manages security solutions at HP ArcSight and prior to that managed web security research at HP Fortify and at Breach Security. Ofer is an OWASP (Open Web Application Security Project) leader, the founder of the OWASP Israeli chapter and a WASC (Web Application Security Consortium) officer. Ofer leads the Web Application Firewall Evaluation Criteria project and founded the ModSecurity Core Rule Set project and the WASC Web Hacking Incident Database project. Ofer blogs about the role and value of information security at www.xiom.com, trying to separate myth from reality in the information security world.
Directions:
By public transport
From Amsterdam Central Station
- Metro tram 51, direction Amstelveen Westwijk (16 minutes), stop at: De Boelelaan/VU
- Tram 5, direction Amstelveen Binnenhof (25 minutes), stop at: De Boelelaan/VU
- Tram 16 or 24, direction VUmc, final stop
From Station Amsterdam Zuid
- Express tram 51 (1 minute), direction Amstelveen Westwijk
- Tram 5 (1 minute), direction Amstelveen Binnenhof
- It's a 10 minute walk to the VU from Station Amsterdam Zuid
By car
The A-10 Amsterdam ring road can be reached from all directions. Follow the A-10 to the Zuid/Amstelveen exit S 108. Turn left at the end of the slip road onto Amstelveenseweg: after about three hundred yards (at the VU University hospital building) turn left again onto De Boelelaan. VU University Amsterdam can be reached via city routes S 108 and S 109.
Parking
There is a limited amount of parking space around VU University Amsterdam itself in De Boelelaan, which has parking bays, and also in Karel Lotsylaan. There is paid parking in the VU Amsterdam parking lot to the right of the Hospital Outpatient Clinic. There is even more parking space on the east side of Buitenveldertselaan at the junction with Willem van Weldammelaan, within 5 minutes' walking distance of VU University Amsterdam. A number of parking places for the disabled are reserved in front of the VU University Amsterdam Main Building and within its grounds.
Download the VU's visitors' guide here
Sponsor: