
Viewing 30 past events matching “OWASP” by Date.

Thursday
Jan 18
Hacking a SaaS: A Practical Guide to Understanding Attack and Defense
Solutional Inc

Hacking a SaaS: A Practical Guide to Understanding Attackers and Defending Against Them

In this talk, we will delve into the mindset of an attacker and explore the vulnerabilities they exploit in SaaS systems. We will cover the following topics:

What motivates hackers to target SaaS systems (5%)
How hackers conduct reconnaissance on SaaS systems (50%)
The anatomy of exploit chains (40%)
Strategies for defending against attacks (5%)

Our goal is to provide a practical guide to understanding attackers and defending against them. We will share lots of hacker tips and tricks, and provide plenty of quiz moments to train your intuition. Our focus will be on vulnerabilities that hackers actually care about, rather than theoretical ones. All of our examples will be based on real-world exploit chains, and we will explore multiple vulnerabilities chained together to create media-news-headline-worthy outcomes. By the end of this talk, you will have a better understanding of how attackers think and operate, and you will be better equipped to defend against their attacks.

Our January host and sponsor is Solutional Inc, and the talk will take place in their Portland office at 301 SE 2nd Ave.

Please RSVP here if you are planning to attend.

This is a monthly event of OWASP's Portland chapter.

Thursday
Sep 21, 2023
So you want a career in security?
NetSPI

Let’s talk about the different career options in the vast security field, and how to prepare and gain the necessary skills in order to break in and succeed. Hopefully this will help you focus on the particular area of the security field that best matches your interests and skills. This is going to be a short presentation with hopefully lots of interaction and Q&A. Doors open at 5:30. The presentation will begin at about 6:00. NetSPI is the sponsor for our September event. They are providing food as well as a location. They have sponsored us before, and we are grateful for their continuing support.

Thursday
Sep 23, 2021
OWASP PDX - InfoSec Panel Discussion
Virtual

Let's talk InfoSec!

RSVP: https://www.meetup.com/OWASP-Portland-Chapter/events/280657220/

Bios:

Cassie Clark: Passionate about bringing humans into security. She develops awareness programs focused on behavior change, user enablement, and culture. As Security Awareness Lead Engineer at Brex, she built and leads security awareness for employees and customers. Prior to Brex, she built the security awareness function at Cruise and focused on security engagement at Salesforce. She holds a Master’s degree in Women’s Studies and can often be seen holding a cup of coffee.

Traci Esteve: As Director of Technology Governance and Risk for The Standard in Portland, Oregon, Traci Esteve is committed to protecting the confidentiality, integrity, and availability of information and processing resources. She began her career as a developer and infrastructure engineer. This led to her rise to a premier technical architect at Accenture and to expanding the practice in Asia and Europe. Her journey includes staying home to raise her two sons and serving as an advisor to organizations to increase profitability, maximize customer value, and effectively meet regulatory requirements. She has a BS in Applied Science, MBA certification from Miami University, and a certification in Cybersecurity Risk Management from Harvard University. Traci enjoys cooking with her family, drawing, hiking, and encouraging high-school students to believe in themselves.

Tuesday
Jun 29, 2021
OWASP PDX: My Journey to Becoming a CISSP : Study Tips and Life-lessons with Sarba Roy
Virtual

Sarba is currently the Product Security Consultant at Umpqua Bank, where she collaborates with and acts as a security advisor to the Product teams when new digital technologies and/or business needs are identified. She is also the Membership Chair for the Women In Cybersecurity (WiCyS) Oregon Affiliate, the Chapter Lead for Infosec Girls - Oregon and a founding member of WomenH2H, a global community for women leaders and changemakers. She is also a passionate volunteer and advocate for women’s empowerment and education equity, while being a writer and mentor at heart, dedicated to helping individuals and organizations become more compassionate, curious and cybersmart.

RSVP: https://www.meetup.com/OWASP-Portland-Chapter/events/278536668/

Saturday
Jun 19, 2021
AppSec Pacific Northwest

PNWSEC, aka the Pacific Northwest Application Security Conference, is a free application security conference that will be held Saturday, June 19th. It is a virtual, online event sponsored by the OWASP chapters of Portland, Vancouver, and Victoria.

Kymberlee Price and Jim Manico to keynote! All of the speakers and workshops can be found on the website: https://pnwcon.com/

Stretching the Truth: Attacking the Elastic Agent By Zander Work

Starting Left with Cloud Security By Stefania Chaplin

Fuzzing Python Native Extensions By Lucas Amorim

CVE-2020-17049: Kerberos Bronze Bit Attack By Jake Karnes

Zero-Trust - The Paradigm Shift Required in a Post-pandemic World By Timothy Morgan

Ad-Tech for Security People By Will Whittaker

Secure Coding of Industrial Control Systems By Vivek Ponnada

Six Ways Known-vulnerabilities Sneak Into Docker Containers By Julius Musseau

Effects Malware Hunting in Cloud Environment By Filipi Pires

Honeytokens: Detecting attacks to your web apps using decoys and deception By Dana Epp

Don’t B-MAD: Making Threat Modeling Less Painful By Adam Shostack

Women in Appsec: Advice to Differentiate Your Skills By Aarti Gadhia

Cultivating Cyber Warriors By Patterson Cake

Insiders Guide to Mobile AppSec with OWASP MASVS By Brian Reed

Follow us on Twitter at @pnwseccon to see when the workshops are going to be released.

Wednesday
May 19, 2021
Application Security -- The Framework, Processes and Tools to Secure Your Apps
Virtual

RSVP: https://www.meetup.com/OWASP-Portland-Chapter/events/277480846/

Excerpt:

Traditionally, breaches that make the news are about stealing data and that data being resold for financial gain. Think Target, Ashley Madison, Marriott and so many more. Recently a spotlight was put on supply chain security via the SolarWinds breach and how it affected many companies. The adversaries were able to inject malicious code into applications that have a lot of rights and are widely deployed in many organizations, small and large alike.

We will discuss the framework, your Secure Development Lifecycle (SDL, SSDLC, etc.), which lays out how you are going to develop and secure your applications. Customers care about this. Once you have your SDLC, you need to define your processes, select your tools, integrate them into your SDLC and finally automate those tools. This is not a short process, and often multiple iterations are necessary to get to a good place. The goal of this presentation is to make you aware of the variety of tools that are out there, the various steps along your SDLC that you need to take, and how to complete each of those steps.

BIO:

Derek Hill has over 25 years of experience in Information Security and Information Technology. He is currently the Director of AppSec engineering at ForgeRock, an Identity and Access management company, based in Vancouver, WA. He is responsible for implementing and improving the company’s product security on a continual basis. He works closely with software engineers and security engineers in multiple countries to ensure the ForgeRock products are developed securely and tested in all phases of the development lifecycle. In addition to his full time job, Derek is also a SANS community instructor teaching Security Leadership and CISSP prep courses.

Prior to his current position, Derek held Information Security, IT management and technical roles at both large and small companies. In each role, he consistently focused on managing high-performing teams, delivering efficient solutions and providing excellent services to a variety of stakeholders, maximizing uptime and security. Derek also has significant experience in cloud technologies, responsible for moving, securing and maintaining them in various cloud environments through their lifecycle.

Wednesday
Feb 24, 2021
OWASP PDX - Game to Dethrone: A Least Privilege CTF with Wenjing Wu P2
Online via Zoom

Abstract: As more businesses migrate their workloads into cloud environments, the importance of following the principle of least privilege (PoLP) to mitigate security risks significantly increases. Unfortunately, the infrastructure being utilized and the mechanisms for securing it in the cloud are complex and substantially different from traditional legacy infrastructure. As a result, the number of practitioners who know how to secure cloud projects is insufficient compared to the number of cloud projects being created. To address this, this paper describes a Least Privilege CTF, a series of Google Cloud based exercises that can be quickly deployed at minimal cost, to allow players to practice applying PoLP in cloud deployments.

Joint work with Wu-chang Feng.

Bio: Current PhD student at PSU

RSVP https://www.meetup.com/OWASP-Portland-Chapter/events/276208217/

Wednesday
Feb 17, 2021
OWASP PDX - Thunder CTF: Learning Cloud Security on a Dime with Wu-chang Feng P1
Online via Zoom

Abstract: Organizations have rapidly shifted infrastructure and applications over to public cloud computing services such as AWS, Google Cloud Platform, and Azure. Unfortunately, such services have security models that are substantially different and more complex than traditional enterprise security models. As a result, misconfiguration errors in cloud deployments have led to dozens of well-publicized breaches. This paper describes Thunder CTF, a scaffolded, scenario-based CTF for helping students learn about and practice cloud security skills. Thunder CTF is easily deployed at minimal cost and is highly extensible to allow for crowd-sourced development of new levels as security issues evolve in the cloud.

Joint work with Nicholas Springer.

Bio: Wu-chang Feng is a professor in the Department of Computer Science at Portland State University where he works on topics in cloud computing and security. His current projects include developing CTFs and codelabs to teach advanced topics in security as well as performing outreach to high-schools via camps and internships through CyberPDX and Saturday Academy.

RSVP: https://www.meetup.com/OWASP-Portland-Chapter/events/276208151/

Wednesday
Nov 18, 2020
PDX OWASP - Automate OWASP ZAP Lunch and Learn with Roop Kaur
Online via Zoom

Overview: Using OWASP ZAP to detect web application vulnerabilities in a CI/CD pipeline, and how we automate ZAP with our existing automation scripts to do so.

Speaker: Roop Kaur, an engineer at Zapproved

RSVP: https://www.meetup.com/OWASP-Portland-Chapter/events/274622842/

Wednesday
Sep 16, 2020
PDX OWASP - Cloud Security Lunch and Learn with Ashish Patel
Virtual

Summary of the Talk: Automate The CloudSec Things - How to automate your response to security incidents within the public cloud space using your current security stack and AWS Lambda.

Speaker's Bio: Ashish Patel is a security engineer on the Box Infrastructure Security team. He usually lives in the realm of cloud security and automating security related tasks that scale across multiple clouds & attack surfaces.

RSVP: https://www.meetup.com/OWASP-Portland-Chapter/events/272846648/

Tuesday
Jul 21, 2020
OWASP Portland, Oregon - Secure Coding Tournament (Virtual)
Virtual

Secure Code Warrior is going to be hosting a July virtual tournament for our OWASP Portland, Oregon chapter. It's free!

Improve your secure coding skills by joining the OWASP Portland Secure Coding tournament on July 21st 8:00AM PDT through July 24th 8:00PM PDT. The tournament allows you to compete against the other participants in a series of vulnerable code challenges that ask you to identify a problem, locate insecure code, and fix a vulnerability.

All challenges are based on the OWASP Top 10, and players can choose to compete in a range of software languages including Java EE, Java Spring, C# MVC, C# WebForms, Go, Ruby on Rails, Python Django & Flask, Scala Play, Node.JS, React, and both iOS and Android development languages.

Throughout the tournament, players earn points and watch as they climb to the top of the leaderboard. Prizes will be awarded to the top finishers! First place will receive a hoodie, and lots of bragging rights!

Tournament times: July 21- July 24th 8:00 AM 9:00 PM

Practice times: July 14th - July 21st 8:00 AM

RSVP: https://www.meetup.com/OWASP-Portland-Chapter/events/271638472/

Thursday
Jul 16, 2020
Portland OWASP Study Night - Secure Code Warrior Tournament Study Session
Virtual

Topic - Secure Code Warrior Tournament Study Session. We'll cover how to register for our upcoming tournament, cover the game rules, navigate through the menus and do a few practice challenges. Let's be new to this together! This meeting will also be recorded and posted to the PDX OWASP YouTube channel.

Host: Samuel Lemly

RSVP: https://www.meetup.com/OWASP-Portland-Chapter/events/271905106/

Tuesday
Jun 9, 2020
Portland, Oregon OWASP Study Night (Virtual) - Detect Complex Code Patterns Using Semantic Grep
Virtual Meeting

RSVP: https://www.meetup.com/OWASP-Portland-Chapter/events/271144214/

Abstract: We’ll discuss a program analysis tool we’re developing called Semgrep. It's a multilingual semantic tool for writing security and correctness queries on source code (for Python, Java, Go, C, and JS) with a simple “grep-like” interface. The original author, Yoann Padioleau, worked on Semgrep’s predecessor, Coccinelle, for Linux kernel refactoring, and later developed Semgrep while at Facebook. He’s now full time with us at r2c.

Semgrep is a free open-source program analysis toolkit that finds bugs using custom analysis we’ve written and OSS code checks. Semgrep is ideal for security researchers, product security engineers, and developers who want to find complex code patterns without extensive knowledge of ASTs or advanced program analysis concepts.

Speaker bio: Clint Gibler (@clintgibler) is the Head of Security Research for r2c, a small startup working on giving security tools directly to developers. Previously, Clint was a Research Director at NCC Group, a global security consulting firm, where he helped companies implement security automation and DevSecOps best practices as well as performed penetration tests for companies ranging from large enterprises to new startups. Clint has previously spoken at conferences including BlackHat USA, AppSec USA/EU/Cali, BSidesSF, and DevSecCon Seattle/London/Tel Aviv/Singapore. Clint holds a Ph.D. in Computer Science from the University of California, Davis.

Want to keep up with security research? Check out tl;dr sec, Clint’s newsletter that contains summaries of artisanally curated top talks and useful security links and resources from around the web.

RSVP: https://www.meetup.com/OWASP-Portland-Chapter/events/271144214/

Thursday
May 21, 2020
OWASP PDX - Yes, You Too Can Break Crypto: Exploiting Common Crypto Mistakes
Zoom Online - See link at Meetup page

Abstract: Cryptography is tricky. Sure, everybody knows not to roll their own crypto, but is that enough? Are the standard algorithms, libraries, and utilities always used the right way? This is of course a rhetorical question! Humans keep making mistakes that other humans can exploit, and Murphy’s law continues to prove true: “If there is a wrong way to do something, then someone will do it.” In this talk, we will discuss not only what can go wrong, but also how attackers could take advantage of it. Insufficient entropy? Static initialization vector? Key reuse in a stream cipher? Lack of ciphertext integrity? We’ve heard these terms and may be familiar with them in theory, but let’s see actual examples of these and other crypto mistakes and the corresponding exploits, and understand how they could lead to real-life problems. Not on an offensive team and not interested in exploitation? Then this talk is for you too! Come and learn how to avoid common crypto mistakes in your code!

Bio: Alexei began his career as a software developer. A decade later, he realized that breaking code was way more fun than writing code, and decided to switch direction. He is now a full-time application security professional, with several years of experience assisting various development teams in delivering secure code, as well as security consulting. He holds OSCP and CISSP, and currently works as a lead product security engineer for Salesforce.

RSVP: https://www.meetup.com/OWASP-Portland-Chapter/events/270404725/

Tuesday
Apr 21, 2020
Portland OWASP Training Night (Virtual) - Learn 10 Things About Wireshark
Online

In this class, we'll briefly go over the 10 things that I would like to show anyone using Wireshark. There are no prerequisites for this presentation. If you would like to follow along, please install the most recent 3.x version of Wireshark. Example packet captures will be provided.

Kevan Vanhoff is a Network Security Engineer living in Portland, Oregon.

RSVP: https://www.meetup.com/OWASP-Portland-Chapter/events/270075900/

Wednesday
Apr 15, 2020
Portland OWASP (Virtual) - Crypto 101 with Brian Ventura
Zoom Online - See link at Meetup page

They told me to use encryption and it will solve all our problems! What are encryption and cryptography, and why are they important? The web uses certificates to encrypt. How do they fit in? What are they? We will discuss the three types of encryption: symmetric, asymmetric and hashing; what they do, how they differ, and how they are used in the real world.

Bio: Brian Ventura is an Information Security Architect with 20 years of industry experience. With a diverse background in consulting, public and private sector, and project management; Brian brings a comprehensive view of security and technology. As an architect, he currently focuses on enterprise information security governance, risk and compliance. Brian advises public and private entities on security best practices generally and within large projects.

Additional meeting details will be messaged to all Meetup RSVP attendees later.

RSVP: https://www.meetup.com/OWASP-Portland-Chapter/events/269992111/

Wednesday
Mar 18, 2020
Portland OWASP - Kendra Ash - Security Mixer!
New Relic

Join us for a night of networking and discussion about security. Kendra will kick it off with a short talk about how to make friends with your developers through automation. Then we will split up into groups and allow people to discuss cloud security, application security, devops and jobs.

Bio: Kendra Ash (@securelykash) is a security engineer at Vacasa, actively building out an application security program by leveraging guidance from her network and incorporating industry standards. She is also actively involved with the Portland OWASP chapter.

RSVP: https://www.meetup.com/OWASP-Portland-Chapter/events/268903220/

Tuesday
Mar 3, 2020
Exploring OWASP Juice Shop (with Burp Suite)
CTRL-H

In this class, we’ll be exploring how to find the vulnerabilities in OWASP Juice Shop with Burp Suite (and maybe some other security tools if we have time). You’ll learn to set up the environment so you can play with it in your own time, as well as how to practically apply the different features of Burp Suite and when it is and isn’t the optimal tool. This will help you to reproduce security vulnerabilities or find them for bug bounty programs.

Bio: Jordan is an Application Security Engineer at New Relic and a graduate from the University of Pittsburgh with a degree in computer science. She’s Champion ranked in Rocket League and does yoga in her free time.

Seating is limited

RSVP: https://www.meetup.com/OWASP-Portland-Chapter/events/269026936/

OWASP Juice Shop: https://owasp.org/www-project-juice-shop/

Burp Suite CE: https://portswigger.net/burp/releases/professional-community-2020-1?requestededition=community

Tuesday
Feb 18, 2020
Portland OWASP Study Night: Intro to Threat Modeling with Ray and Zak
CTRL-H

Threat modeling is a vital skill for security hats of all colors, as well as for product designers, managers and developers. Ray is a Life Coach and Conspiracy Theorist. He does AppSec in his non-spare time for money. Zak is an Application Security Engineer with many years of development experience.

Bring your own dinner/snacks. No provided pizza.

Study Nights are smaller, bitesize, digestible, skill building mini lectures or workshops for those interested in learning new skills, tools, tricks, or new CTF challenges. It’s also meant for members to practice communication skills and teamwork in a supportive environment.

Study Nights meet the first Tuesday of each month at the ^H hackerspace in North Portland. Doors open at 7pm, the event will start at 7:30pm and wrap up by 8:30. Please bring your computer with Burp Suite installed and your preferred note-taking mechanisms.

Seating is limited

RSVP: https://www.meetup.com/OWASP-Portland-Chapter/events/268231564/

Tuesday
Feb 11, 2020
Portland OWASP Chapter Meeting: CMD+CTRL Web Application Cyber Range
Zapproved

Want to test your skills in identifying web app vulnerabilities? Join OWASP Portland and Security Innovation as members compete in CMD+CTRL, a web application cyber range where players exploit their way through hundreds of vulnerabilities that lurk in business applications today. Success means learning quickly that attack and defense is all about thinking on your feet.

For each vulnerability you uncover, you are awarded points. Climb the interactive leaderboard for a chance to win fantastic prizes! CMD+CTRL is ideal for development teams to train and develop skills, but anyone involved in keeping your organization’s data secure can play, from developers and managers to CISOs.

All you need is your laptop and your inner evil-doer.

Register early to reserve your spot and get a sneak peek at our cheat sheets and FAQs!

Monday
Jan 13, 2020
Portland OWASP Chapter Meeting - Introduction to Burp Suite with Ryan Krause
Vacasa

Burp Suite is an integrated platform for performing security testing of web applications. Its various tools work seamlessly together to support the entire testing process, from initial mapping and analysis of an application’s attack surface, through to finding and exploiting security vulnerabilities. Burp gives you full control, letting you combine advanced manual techniques with state-of-the-art automation, to make your work faster, more effective, and more fun.

The speaker covers the basics of the tool along with real-world experiences and techniques that can help you as a pen tester.

Speaker: Ryan Krause

Ryan is a penetration tester based in the Portland, Oregon area. He has worked in various areas of the security field for the past 11 years for companies such as HP, eEye Digital Security/BeyondTrust, and Comcast with a primary focus on application security and development. He is currently a consultant at NetSPI where he performs web and network penetration tests and assists clients with reducing their overall security exposure.

Tuesday
Jan 7, 2020
Portland OWASP Study Night: Burp Suite Basics with Sophia Anderson
Ctrl-H / PDX Hackerspace

Happy New Year! Welcome to our second ever OWASP PDX study night. Our January topic will be "Burp Suite Basics", presented by Sophia Anderson. Sophia is a security consultant for NetSPI, performing web application penetration tests for Fortune 500 clients to discover vulnerabilities. Sorry, no pizza unless you want to bring some :).

Study Nights are smaller, bitesize, digestible, skill building mini lectures or workshops for those interested in learning new skills, tools, tricks, or new CTF challenges. It’s also meant for members to practice communication skills and teamwork in a supportive environment.

Study Nights meet the first Tuesday of each month at the ^H hackerspace in North Portland. Doors open at 7pm, the event will start at 7:30pm and wrap up by 8:30. Please bring your computer with Burp Suite installed and your preferred note-taking mechanisms.

Seating is limited

RSVP: https://www.meetup.com/OWASP-Portland-Chapter/events/267644393/

Tuesday
Dec 10, 2019
Portland OWASP Chapter Meeting: So You Want to Teach Security? Bully for You!
Autodesk Inc

This talk focuses on building a security curriculum and teaching it, whether individually, at the workplace or in academia. Start with the following question: Am I the right person to do it? A novice can be downright dangerous, while an expert who can't teach is as useful as a waterproof teabag. Security education is the first line of defense, but who trains the trainers? Are students getting their money's worth? What differentiates your training from others? Join the speaker to share life lessons, funny anecdotes, and useful advice on lecturing, "curriculuming", and critiquing. Learn what it means to containerize a syllabus, deploy labs in a continuous-integration-like environment using open source tools, and why Markdown is a better tool than PowerPoint for creating new content. Consider security textbooks as obsolete, "office hours" mandatory, and the impact of the Family Educational Rights and Privacy Act (FERPA). There will be a test at the end of the talk.

Speaker: John L. Whiteman

John is a product security expert and instructor at Intel in Oregon. He's also a part-time adjunct instructor teaching cybersecurity at the University of Portland. In a past life, John was a shipboard and classroom instructor in the United States Navy, training hundreds of sailors in the dark arts of passive sonar and torpedo countermeasure systems (in case the former didn't pan out). He also did a stint as a news director for a small radio station in Colorado. John has an M.S. in Computer Science from Georgia Tech and a B.A. in Asian Studies from the University of Maryland UC. He holds CISSP, CCSP and CEH security certifications. John blogs and loves to podcast for the OWASP chapter in Portland.

Tuesday
Dec 3, 2019
Study Night: Introduction to the Command Line Debugger GDB
^H Hackerspace, 7608 North Interstate Avenue, Portland, OR, United States

The OWASP Portland Chapter is pleased to announce regular Study Nights. Study Nights are smaller, bitesize, digestible, skill building mini lectures or workshops for those interested in learning new skills, tools, tricks, or new CTF challenges. It’s also meant for members to practice communication skills and teamwork in a supportive environment.

Study Nights will meet the first Tuesday of each month at the ^H hackerspace in North Portland. Doors open at 7pm, the event will start at 7:30pm and wrap up by 8:30. Please bring your computer and your preferred note-taking mechanisms.

The December topic will be an introduction to the command line debugger GDB, presented by Allison Naaktgeboren. Please be sure to have GDB installed if it is not installed by default, and to have your preferred command line interface available.

Tuesday
Nov 12, 2019
Portland OWASP Chapter Meeting: Overcoming Your Greatest InfoSec Adversary: You!
Zapproved

Tips on formulating complete sentences without acronyms, learning to pretend you aren't the smartest person in the room, choosing the right animations for your PowerPoint presentations, and more! Let's be honest, you probably didn't get into info-sec because of your love for public speaking, your mastery of written and verbal communication, or your highly-tuned social skills! Regardless, these things are key to your success or failure in info-sec. Dare to join me for a frank if somewhat tongue-in-cheek conversation regarding strategies for simplifying complex conversations, recognizing and overcoming common communication obstacles, translating leet-speak to business language and creating effective visual presentations.

Speaker: Patterson Cake

Patterson has been in information technology for over 20 years, focusing on security for the past several years in offensive, defensive and leadership roles. He is the founder of Haven Information Security, an instructor for SANS, and the Principal Cybersecurity Engineer for PeaceHealth.

Wednesday
Oct 9, 2019
Portland OWASP - Threat Modeling in 2019 with Adam Shostack
New Relic

Attacks always get better, so your threat modeling needs to evolve. Learn what's new and important in threat modeling in 2019. Computers that are things are subject to different threats, and systems face new threats from voice cloning and computational propaganda and the growing importance of threats “at the human layer.” Take home actionable ways to ensure your security engineering is up to date.

Speaker: Adam Shostack

Adam is a leading expert on threat modeling, and a consultant, entrepreneur, technologist, author and game designer. He's a member of the BlackHat Review Board, and helped create the CVE and many other things. He currently helps many organizations improve their security via Shostack & Associates, and advises startups including as a Mach37 Star Mentor. While at Microsoft, he drove the Autorun fix into Windows Update, was the lead designer of the SDL Threat Modeling Tool v3 and created the "Elevation of Privilege" game. Adam is the author of Threat Modeling: Designing for Security, and the co-author of The New School of Information Security.

Tuesday
Aug 13, 2019
Portland OWASP: Using Graph Theory to Understand Security with Tim Morgan
Simple

Using Graph Theory to Understand Security

Information security is hard. It must be, because we keep getting hacked. One aspect that makes it so difficult is the level of complexity that exists in even a modestly-sized digital infrastructure. Humans can consider only so many security relationships, trust boundaries, and attack scenarios at once. This complexity makes it hard to decide where to focus our defensive resources and we're regularly led astray by the latest shiny tool or security advisory. Remarkably, our adversaries actually have a similar challenge: once a digital intruder gains a foothold in an environment that is completely new to them, how do they know what next steps they should take to efficiently achieve their goal? The environments they attack are not only complex, they are also unexplored landscapes that must be mapped out.

This is where graph theory can lend a hand. Several open source tools, such as BloodHound and Infection Monkey, provide intruders (whether that be your friendly neighborhood pentester or your adversaries) with easy ways to map out infrastructures and identify the quickest path to your crown jewels. While this is certainly alarming, we can also use these tools ourselves to find out what our infrastructures look like in the eyes of an attacker.

In this talk, Tim will provide a brief introduction to graph theory, show some demos of the free tools that use it, and discuss how he is using these techniques to build automated threat models "at scale" to make defenders' lives easier.

Speaker: Timothy Morgan

After earning his computer science degrees (B.S., Harvey Mudd College and M.S., Northeastern University) and spending a short time as a software developer, Tim began his career in application security and vulnerability research. In his work as a consultant over the past 14 years, Tim has led projects as varied as application pentests, incident response, digital forensics, secure software development training, phishing exercises, and breach simulations. Tim has also presented his independent research on Windows registry forensics, XML external entity attacks, web application timing attacks, and practical application cryptanalysis at conferences such as DFRWS, OWASP's AppSec USA, BSidesPDX, and BlackHat USA.

For the past three years Tim has been building an innovative new risk-based vulnerability management product (DeepSurface) that helps his customers gain a much deeper understanding of the complex relationships present in their digital infrastructures. Visit kanchil.com to learn more about Tim's latest R&D effort.

Website
Wednesday
Jul 10, 2019
Portland OWASP - The Easy (and Secure!) Way to Build JavaScript Web Apps with OAuth 2 & OIDC with Jake Feasel
New Relic

What are the best current practices for building modern, completely standards-based (OIDC) web applications? Which flow should you use? How should you renew expired access tokens? How do you work with multiple resource servers? How do you achieve single sign-on? How can you make logging into your app as seamless as possible? We will demonstrate how simple it is to do all of this using open source libraries maintained by ForgeRock. Together we will deep dive into what these libraries are doing for you behind the scenes: PKCE, service workers, IndexedDB storage, hidden iframes, and more. In the end you will have all the tools at your disposal to easily build your next modern web app with OIDC.

Jake Feasel, Developer Experience Lead; ForgeRock

Jake has been working in the web platform for 20 years, all the while primarily interested in the use of standards and open source technologies. Jake is currently a senior engineer at ForgeRock, where he has been for the last seven years. He is most recently responsible for improving the ways in which developers interact with the ForgeRock Identity Platform.

Website
Wednesday
Jun 19, 2019
Portland OWASP - Security Requirement Elicitation with Bhushan Gupta
CloudBolt Software

Web application security spans the application functionality, the platform it runs on, the development and deployment environment, the third-party applications used, and, last but not least, the open source code it utilizes. The breadth of the requirements is mind-boggling. Ignore any of these aspects and you become vulnerable.

This talk will discuss a structured approach to establishing essential security requirements based on the CIA triad. The discussion will then expand to how these requirements manifest in industry standards such as PCI, in government agencies, and globally. It will also delve into third-party and open source code scenarios. The audience will take home a checklist of different aspects of security requirements to consider when building a web application.

Bio: Bhushan Gupta, Gupta Consulting, LLC.

A proven champion for quality, well-versed in software quality engineering, and an AppSec researcher, Bhushan is the principal consultant at Gupta Consulting, LLC. A Certified Six Sigma Black Belt (ASQ), he possesses deep and broad experience in solving complex problems, change management, and coaching and mentoring. As a member of the Open Web Application Security Project (OWASP), he is dedicated to driving AppSec to higher levels via integration of security into the Agile software development life cycle. His research areas are: elicitation of security requirements, comprehensive testing approaches beyond penetration testing, application of test tools, and use of AI (machine learning) in secure web application development.

Bhushan has an MS in Computer Science (1985) from New Mexico Tech and has worked at Hewlett-Packard and Nike Inc. in various roles. He was a faculty member of the Software Engineering department at the Oregon Institute of Technology from 1985 to 1995 and is currently an Adjunct Faculty member.

Website
Tuesday
May 14, 2019
Portland OWASP - InfoSec and AppSec: Recruiting, Interviewing, Hiring Q&A
Zapproved

Following up Ryan Krause's talk on breaking into the cybersecurity industry, May's chapter meeting hosted by Zapproved will offer attendees an opportunity to hear from hiring managers and InfoSec/AppSec leaders on what they look for in hiring for their roles and thoughts on career progression. Attendees will have ample opportunity to ask questions and engage our panel.

Panel:

Zefren Edior - Umpqua Bank

Zefren currently works at Umpqua Bank, and he is the Information Security Assurance Lead. He has 10 plus years of experience in IT operations, information security, risk management, compliance and audit. He mentors and advises students, who have worked at public accounting firms, big tech companies, and startups. He is passionate about technology, cybersecurity, and helping people align their knowledge, skills, and abilities to achieve personal and professional growth.

Patterson Cake - Haven Information Security / PeaceHealth

Patterson has been in information technology for over 20 years, focusing on security for the past several years in offensive, defensive and leadership roles. He is the founder of Haven Information Security, an instructor for SANS, and the Principal Cybersecurity Engineer for PeaceHealth.

Josha Bronson - Bronsec

Josha is a founder at Bronsec, working with clients big and small on all aspects of security. Former security team founder at Yammer.

Sam Harwin - Salesforce

Sam leads a technical team of security engineers that assesses a wide variety of enterprise-facing infrastructure for the organization. They focus on performing technical security testing, risk assessments, and providing business risk guidance on a wide variety of infrastructure technologies such as operating systems (Mac, Linux, Windows, iOS, Android), devices (mobile, embedded technologies, IoT), networks (wired, wireless, cloud), and applications (endpoint, mobile, public cloud).

Philip Jenkins - Zapproved

Philip is director of compliance and IT at Zapproved. He has over 20 years’ experience in IT security, network management, system engineering, and IT processes. His past experience includes Director of Security at Jama Software and CISO at Strands Finance. Philip holds his CISSP and CISM certifications and is a recognized leader in information security. He is active in (ISC)2, ISACA, OWASP, InfraGard, and ISSA.

Website