May 2023 OWASP Chapter Netherlands Meetup


Details
Location: Exact
Address: Molengraaffsingel 33, 2629 JD Delft
See https://owasp.org/www-chapter-netherlands/upcomingevents for more information about the OWASP Netherlands chapter.
18:00 - 18:15 - Reception of attendees
18:15 - 19:00 - Pizza
19:00 - 19:15 - Welcome and OWASP updates
19:15 - 20:00 - AppSec in IT contracts by Sebastian Avarvarei
20:00 - 20:15 - Break with drinks
20:15 - 21:00 - About containers and their escapes: understanding escape patterns and possibilities by Mauricio Cano
AppSec in IT contracts
Abstract:
Back in 2018 I wrote: “In today’s multi-sourced enterprise, your security is as good as your worst written contract.” We have gotten better at writing security into commercial contracts since I first did my talk on this topic, but the yellow brick road ahead of us still goes some ways.
But how about AppSec, how well is it covered in our IT contracts? What are the pitfalls and the solutions? How do we avoid that someone else’s security issues become our security problems? And, by all means, let’s learn how to be a bit lazy, and do better with less effort!
Bio:
Currently working as Information Security Manager at Canon EMEA, Sebastian has been in IT and Security for over 20 years, covering a multitude of roles ranging from Developer, Security Architect, Auditor and Consultant, before moving into security governance and management, giving him a unique multi-faceted view on today’s InfoSec challenges. He has led multiple security improvement programs and performed maturity assessments for a wide variety of organizations - while continuously asking himself: "Could we do this in another way?"
About containers and their escapes: understanding escape patterns and possibilities
Abstract:
Containers have become one of the most common underlying infrastructures for microservice architectures. As such, they can often be part of the external attack surface of enterprise systems and applications (e.g., whenever a web application hosted on a Kubernetes cluster is Internet-facing). Thus, it is important to understand what types of (mis)configurations can make containers more vulnerable to attacks of different types. In this talk, Mauricio will deep dive into different techniques that can be used to escape containers. In particular, he will talk about how to escape privileged containers, the usage of different capabilities, the usage of kernel exploits and a few other ways in which attackers may gain access to the hosts of the containers.
Bio:
Mauricio Cano is a cloud pentester focused on container technologies. In particular, he focuses on the security of containers and serverless architectures. He has pentested Kubernetes clusters and serverless architectures for several multinational financial institutions. Prior to his security work, he has a background in academia and a Ph.D. in Computer Science from the University of Groningen, focused on programming language design and formal methods to ensure correctness. In his spare time, Cano enjoys reading, cooking, and solving puzzles.
