What we’re about
Follow this Meetup group to keep informed of all our upcoming in-person, virtual, and hybrid events - bringing the very latest in Cybersecurity to you live from across the Netherlands.
You don’t have to be a paid OWASP member to attend our meetups - registration is free for everyone. Registration is mandatory, and you may be refused access if you attempt to attend without a booking.
Visit the OWASP Netherlands webpage, with more information about the chapter, past presentations, and the benefits of membership, here: https://owasp.org/www-chapter-netherlands/
Follow us on Social Media:
Twitter: @OWASP_NL
LinkedIn: https://www.linkedin.com/groups/1987229/
Watch past presentations, event highlights, and chapter news here:
YouTube: https://www.youtube.com/c/OWASPNetherlands
Want to be the first to know of all upcoming events and opportunities?
Join our mailing list
Interested in becoming an OWASP Member? Consider our paid membership which gives you discounts on conferences and training, free and discounted access to AppSec training platforms, an @owasp.org email address, plus much more. All membership dues are donations to the OWASP Foundation. Find out more at https://www.owasp.org/index.php/Membership.
Upcoming events (2)
See all- June 2024 OWASP Chapter Netherlands MeetupVrije Universiteit Amsterdam, Amsterdam, NH
Location: VU, Amsterdam - Theater 7, 4E floor at the New University Building
Address: De Boelelaan 1105
Parking information: https://www.parkerenbijvu.nl/See https://owasp.org/www-chapter-netherlands/upcomingevents for more information about the OWASP Netherlands chapter.
18:00 - 18:15 - Reception of attendees
18:15 - 19:00 - Pizza
19:00 - 19:15 - Welcome and OWASP updates
19:15 - 20:00 - Ship Happens: The Stormy Seas of Supply Chain Security by David Archer
20.00 - 20:15 - Break with drinks
20:15 - 21:00 - Technical leverage: dependencies are a mixed blessing by Fabio MassacciShip Happens: The Stormy Seas of Supply Chain Security
Abstract:
“The more I know about how software is made, the less I want to know” - MeAs a software developer with over a decade of experience and countless interactions with application security teams, I’ve discovered the unsettling complexities of modern software production. Despite what I thought I knew, the reality was far more intricate.
Modern software development is a sprawling network of open-source dependencies, sophisticated build tools, plugins, pipelines, and runtimes. These components are fundamental in securing critical sectors of our daily lives—finance, healthcare, infrastructure, transportation, and social interactions. However, this supply chain is under relentless attack and many of the potential threats are poorly understood.
This talk will delve into specific vulnerabilities, such as dependency poisoning and pipeline compromises, that exemplify the challenges we face. We’ll explore strategies to mitigate these threats and discuss practical takeaways that attendees can immediately implement in their software development practices. Expect to leave with a deeper understanding of supply chain security and with ideas to fortify your software factory against these escalating threats.
Bio:
David Archer is a Solution Architect at Endor Labs. He began his career as a software developer and witnessed significant shifts in how software is built over the last two decades. After spells as a development lead, product director and pre-sales consultancy roles David consistently saw a concerning trend: security often took a backseat amidst the hustle and bustle of development priorities.Seeking to help address this balance David took an opportunity in 2018 to work full-time in the field of application security with a particular focus on technologies that promise to enhance security without impeding development speed. Through his extensive experience with secure coding practises and hands-on experience with the myriad of code analysis tools like IAST, SAST, DAST, RASP and SCA, he gained valuable insights into their relevance and effectiveness in a modern software factory.
Technical leverage: dependencies are a mixed blessing
Abstract:
Modern applications are build upon a large supply chain of (possibly open source) libraries and tools. In finance, leverage is the ratio of debts (other people’s money) vs equity (your money) and the Lehman Brothers have made that concept famous. For software, technical leverage is the ratio between other people’s code and your own code. I will argue with some examples from the Maven, Python and the NPM ecosystems that this is both a risk and an opportunity. The Lehmans Brothers were 30 to 1, what about the Software Sisters?Bio:
Fabio Massacci is a co-author of CVSS v4. Among other things, he is also a professor at Vrije Universiteit. He has been a speaker at hackers’ venues (BlackHat USA, Asia) scientific security conferences (IEEE S&P, CCS), software engineering (ICSE,MSR) and risk analysis (SRA). He coordinates the EU project Sec4AI4Sec (name tells it all) and an NWO project on using AI for security threat intelligence. While almost all professors are sellers of tech (through their papers or their spin-offs) he was also for 7 years deputy for ICT procurements and services supervising a 70+ workforce and few millions Euro in outsourcing contracts. Being a buyer of tech makes a difference in perspective.
