Viewing 0 current events matching “OWASP” by Relevance.

No events were found.

Viewing 30 past events matching “OWASP” by Relevance.

Tuesday
Dec 3, 2019
Study Night: Introduction to the Command Line Debugger GDB
^H Hackerspace, 7608 North Interstate Avenue, Portland, OR, United States

The OWASP Portland Chapter is pleased to announce regular Study Nights. Study Nights are smaller, bitesize, digestible, skill building mini lectures or workshops for those interested in learning new skills, tools, tricks, or new CTF challenges. It’s also meant for members to practice communication skills and teamwork in a supportive environment.

Study Nights will meet the first Tuesday of each month at the ^H hackerspace in North Portland. Doors will be at 7pm, event will start at 7:30pm and wrap up by 8:30. Please bring your computer and preferred note taking mechanisms.

The December topic will be an introduction to the command line debugger GDB, presented by Allison Naaktgeboren. Please be sure to have GDB installed if it is not installed by default and your preferred command line interface available.

Thursday
Mar 8, 2018
Portland OWASP - Container Security presentation by Deron Jensen
New Relic

Deron Jensen, manager of the Product Security team at New Relic, will speak about container security!

This presentation will show how the Linux kernel and container technologies can isolate and control the processes to provide a secure, isolated compute system. Docker or other technologies can be used to manage capabilities and securely deploy containers. This will demonstrate vulnerabilities unique to containers, and techniques to break out of vulnerable containers. We will show examples of deploying microservices securely with containers and areas that need further research to allow other applications to run securely in a private or public cloud.

Tuesday
Nov 14, 2017
OWASP: Cryptography 101/Part 2 - When Good Crypto Goes Bad
Jama Software (New Office)

Abstract

A well known security expert and cryptographer, Thomas H. Ptáček, once said:

"If You're Typing the Letters A-E-S Into Your Code You're Doing It Wrong".

Wait, what?!? Doesn't everyone use AES? Of course we do. Is AES broken? Nope. In this developer-oriented talk I'll explore the kinds of mistakes programmers commonly make when implementing cryptosystems; just how easily these problems can be exploited in the real world; and what Thomas meant by his statement.

Speaker's Bio

Tim taught himself how to write software at the age of twelve and has been a die-hard technologist ever since. After earning his computer science degrees (B.S., Harvey Mudd College and M.S., Northeastern University), Tim spent 8 years helping build a Boston-based information security consulting practice that was recently acquired. In 2014, Tim founded Blindspot Security where he has continued his work as a security consultant, helping his customers understand how digital intruders can gain access to their critical business assets through network, application, and comprehensive security assessments.

Monday
Sep 18, 2017
OWASP: Crypto 101 - Part 1
New Relic

The media keeps talking about this Cryptography thing. Information Security teams pressure internal operations and development, as well as vendors, to support encrypted data and transport. How can we responsibly implement cryptography in our projects?

In the first of a 2-part series, we will discuss major types of encryption, including symmetric, asymmetric and hashing. We will cover the simple principles behind symmetric encryption, then lightly touch modern asymmetric functions, without the math! We will also cover certificate usage.

After our talk, you will understand the difference between AES, RSA and SHA. You will also understand how the web uses encryption and certificates to keep our transactions secure.

The second part of the series, presented by Tim Morgan, will focus on SSL/TLS's PKI, certificate validation, how basic crypto goes wrong (lacking integrity protection, padding oracle attacks, weak password hashes, etc.), and explore what safe cryptographic libraries are out there and how to use them.

SPEAKER: Brian Ventura

Brian is a SANS Instructor and works locally for the City of Portland as an Information Security Architect. Brian co-teaches a PCC course this fall, focused on preparing for the CISSP certification.

Tuesday
Jul 25, 2017
OWASP: How Billion Dollar Enterprises Manage Application Security at Scale
New Relic

Abstract: Security Compass recently completed a research study by surveying companies across multiple industries with the goal of discovering how large, complex organizations address application security at scale. The majority of respondents surveyed were multinational organizations who reported annual earnings greater than $1 billion USD. Through this new research study, we have gleaned novel insights on how large organizations manage application security at scale. Through this presentation, we will reveal aggregated insights, industry trends, and best practices that illuminate how organizations are addressing application security at scale, so that you may apply and compare these learnings to the state of application security at your own organization.

Speaker: Rohit Sethi - Chief Operating Officer, Security Compass

Rohit Sethi joined Security Compass as the second full-time employee. As COO, Rohit is responsible for setting and achieving corporate objectives, company alignment and driving strategy to execution. Previous to this role, he managed the SD Elements team. Rohit specializes in building security into software, working with several large companies in different organizations. Rohit has appeared as a security expert on television outlets such as Bloomberg, CNBC, FoxNews, and several others. He has also spoken at numerous industry conferences and/or written articles on major websites such as CNN.com, the Huffington Post and InfoQ.

Monday
Jun 19, 2017
OWASP: Cheating a Hacking Game for Fun and Profit
WebMD

Abstract

All but the most trivial modern software relies on common libraries to perform routine work. Your software may be a bastion of security, exhaustively tested and evaluated, but once a vulnerability is discovered in a library you depend on, all bets are off. These large and pervasive vulnerabilities quickly become popular targets, exploited by everybody from script kiddies, to professional hackers, to state actors. It is no surprise that the use of vulnerable libraries is included in the OWASP Top 10 list. The Australian Signals Directorate (ASD) lists patching operating systems and applications as two of their top four strategies to mitigate security incidents!

During a recent hacking game, we've identified and exploited a vulnerability not anticipated by the developers. One little crack in a widely used library gave us the footing we needed to construct an attack chain of remote code execution, file upload, data exfil, source code disassembly, and branching into a private network, all despite an extremely high level of hardening on the target from unintended attacks. We'll share with you how safe and fun library exploitation can be in the confines of a hacking game, and how there are serious implications for your corporate applications where the stakes are much higher.

Speakers:

Alexei Kojenov is a Senior Application Security Engineer with years of prior software development experience. During his career with IBM, he gradually moved from writing code to breaking code. Since late 2016, Alexei has been working as a consultant at Aspect Security, helping businesses identify and fix vulnerabilities and design secure applications.

Alex Ivkin is a senior security architect with experience in a broad array of computer security domains, focusing on Identity and Access Governance (IAG/IAM), Application Security, Security Information and Event management (SIEM), Governance, Risk and Compliance (GRC). Throughout his consulting career Alex has worked with large and small organizations to help drive security initiatives and deploy various types of enterprise-class identity management and application security systems. Alex is an established and recognized security expert, a speaker at various industry conferences, holds numerous security certifications, including CISSP and CISM, two bachelor’s degrees and a master’s degree in computer science with a minor in psychology.

Monday
May 22, 2017
OWASP: What the experts say about Web Application Security - A Panel Discussion
Jama Software (New Office)

We are often faced with making non-trivial decisions about Appsec. Participate in an exciting open discussion with the experts on the following (and more) aspects of Appsec:

  • Challenges in establishing a Secure SDLC
  • Growing pains with increased need for security
  • Critical things to focus on for an effective security/Appsec program
  • Effectiveness and use of developer training on Appsec
  • Relevance of OWASP top 10 in today's security landscape?

Bring your burning questions to ask the panel and take this opportunity to share your experiences with others.

Panel Members' Bios:

Brian Ventura – Security Architect at the City Of Portland focused on Information Security program management, Brian also is a SANS Instructor and ISSA education director.

Ian Melven - Ian has worked in the security field for over 15 years in various roles at companies such as @stake, McAfee, Adobe and Mozilla. He currently leads product security at New Relic.

James Bohem - James is the Chief Security Architect at WebMD Health Services in Portland, OR. For the last 16 years he has held Information Security architect and consulting positions, with experience in application security, architecture and compliance strategy across healthcare, technology, retail, financial and manufacturing industries. Before focusing on security, he was a software developer and architect on the UNIX kernel, microkernels, distributed applications and standards development.

Eric Jernigan – Eric is the IT Security Manager at Genesis Financial Solutions and has broad security experience in the financial industry.

The Open Web Application Security Project (OWASP) is a 501c3 not-for-profit worldwide charitable organization focused on improving the security of application software. To sign up for future meeting notes and to discuss security topics with local gurus, sign up on the OWASP Portland mailing list: https://lists.owasp.org/mailman/listinfo/owasp-portland

Meetings are free and open to the public.

Tuesday
Apr 25, 2017
OWASP: Software Composition -- the other 95% of your app's attack surface
New Relic

Abstract

Nobody really writes their own code any more, right? We go out to GitHub and download some libraries for our favorite language to do all the hard things for us. Then we download half a dozen front end frameworks to make it all pretty and responsive and we’re off to the races. In my review I’ve found that more than 90% of the code that makes up an app these days is something we borrowed, not wrote ourselves. Now most of us scan our own code for flaws with Static Analysis tools, but what about all the stuff we didn’t write? How do we know what’s actually in there? I’ll tell you how to find out and keep track of what’s in there, and how to avoid getting pwned because you let a nasty in the back door with that whiz-bang library that does the really cool thing you couldn’t live without.

Speaker

Jeremy Anderson
Cambia Health Solutions

Jeremy Anderson is a Secure Software Architect and CSSLP, with experience developing software solutions for numerous Fortune 500 companies for almost 20 years. In 2014 he had a run-in with InfoSec that spurred him into action as an AppSec superhero where he’s worked for HP then Veracode. Since early 2016 he’s been working with Cambia Health Solutions, bootstrapping and scaling an Application Security program from the ground up supporting hundreds of developers for dozens of applications. He’s passionate about not just finding security defects, but training ninjas to destroy them.


The Open Web Application Security Project (OWASP) is a 501c3 not-for-profit worldwide charitable organization focused on improving the security of application software. To sign up for future meeting notes and to discuss security topics with local gurus, sign up on the OWASP Portland mailing list: https://lists.owasp.org/mailman/listinfo/owasp-portland


Meetings are free and open to the public.

Friday
Feb 13, 2015
OWASP Chapter Meeting
New Relic

Software development is speeding up: Waterfall to Agile to Continuous Integration to Continuous Deployment. Do we still have time for security? Of course we do! But many development shops are unaware of how to add security to their development process and will often use "security slows us down" as a reason to produce insecure code. This talk focuses on how to add security into a speedy development process while still remaining fast and responsive to customer requests.

The speaker will be Joe Basirico - the VP of Services for Security Innovation. Before he started leading the team, he was a developer, trainer, researcher, and security engineer. Joe spent the majority of his professional career analyzing software security behavior and researching how software development organizations mature over time from a security perspective. Through this research, he developed an understanding of application threats, tools, and methodologies that assist in the discovery and removal of security problems both software- and process-related. He manages the company’s engineering blog and has written several publications and tools that focus on source code level vulnerabilities.

Thursday
May 29, 2014
OWASP Chapter Meeting
New Relic

Ian Melven will be presenting: The Evolving Web Security Model


Is there a single cohesive model for the web? No, there is not. What exists today is the result of the original same-origin policy and its evolution in many directions as a response to new threats and attacks. Where did we start, what tools are available to web developers to protect their sites and users, and where might we go in the future as the line between websites and native applications continues to become more and more blurry? Join us on a journey through the past, present, and future of the web security model and its continuing evolution.

Ian Melven is an application security engineer at New Relic. He has previously worked in technical security roles at companies including Mozilla, Adobe, McAfee, Symantec, and @stake.

The Open Web Application Security Project (OWASP) is a 501c3 not-for-profit worldwide charitable organization focused on improving the security of application software. To sign up for future meeting notes and to discuss security topics with local gurus, sign up on the OWASP Portland mailing list: https://lists.owasp.org/mailman/listinfo/owasp-portland

Meetings are free and open to the public.

Wednesday
Oct 30, 2013
OWASP Chapter Planning Meeting
Brix Tavern

This is a planning meeting for the Portland OWASP chapter. Please join us if you are interested in helping us plan and organize the activities of the chapter for the next year.

Please RSVP if you plan on showing up. Just shoot an email to ( tim DOT morgan AT owasp DOT org ).

Some of the topics we expect to discuss at this meeting:

  • Chapter meetings
  • FLOSSHack events
  • Local/regional conferences and training events
  • Approaches to sponsorship
  • Long term group leadership and governance
  • YOUR ideas

The Open Web Application Security Project (OWASP) is a 501c3 not-for-profit worldwide charitable organization focused on improving the security of application software. To sign up for future meeting notes and to discuss security topics with local gurus, sign up on the OWASP Portland mailing list: https://lists.owasp.org/mailman/listinfo/owasp-portland

Meetings are free and open to the public.

Monday
Apr 23, 2012
OWASP Chapter Meeting
Collective Agency Downtown

Jim Manico has offered to come to Portland and do a presentation on Top 10 web coding defenses. Jim has many years of experience in the web application security space and currently works with WhiteHat Security & SANS.

The Open Web Application Security Project (OWASP) is a 501c3 not-for-profit worldwide charitable organization focused on improving the security of application software. To sign up for future meeting notes and to discuss security topics with local gurus, sign up on the OWASP Portland mailing list: https://lists.owasp.org/mailman/listinfo/owasp-portland

Chapter meetings are free and open to the public.

Tuesday
May 22, 2018
OWASP Chapter Meeting - Pen Testing: How to Get Bigger Bang for your Buck
Jama Software (New Office)

Panel Discussion - Join local industry practitioners as they discuss the best practices used in getting superior results from your Pen Testing. Also share your ideas on Dos and Don'ts of Pen Testing.

Moderator - Brian Ventura

Panelists - Alexei Kojenov, Ian Melven, Benny Zhao, and Scott Cutler

Alexei Kojenov is a Senior Application Security Consultant with years of prior software development experience. During his career with IBM, he gradually moved from writing code to breaking code. Since late 2016, Alexei has been working as a consultant at Aspect Security, helping businesses identify and fix vulnerabilities and design secure applications. Aspect Security was recently acquired by Ernst & Young and joined the EY Advisory cybersecurity practice.

Ian Melven is Principal Security Engineer at New Relic. He has worked in security for almost 20 years, including roles at Mozilla, Adobe, McAfee and @stake.

Benny Zhao is a Security Engineer at Jive Software. His experience focuses on identifying code vulnerabilities and securing software by building tools to help automate security testing.

Scott Cutler has been interested in computer security since he was a kid, and started attending DefCon in 2004. He got his Computer Science degree from UC Irvine in 2009 while working for the on-campus residential network department for 4 years. After graduating he worked first as QA for a SAN NIC card manufacturer, then switched to essentially create their DevOps program from scratch. From these jobs he has gained a lot of experience with networking, build processes, Linux/Unix administration and scripting, and Python development. In 2012 Scott began working in the security field full time as a FIPS, Common Criteria, and PCI Open Protocol evaluator for InfoGard Laboratories (now UL Transaction Security). During this time he got his OSCP and a good understanding of federal security requirements, assessment processes, and documentation (ask him about NIST SPs!). In 2015 Scott switched over to Aspect Security (now EY) to put his OSCP to good use and became a full-time application security engineer, doing pen-tests as well as developing both internal and external training.

Thursday
Nov 8, 2018
OWASP Portland Chapter Meeting - OWASP Juice Shop!
New Relic

The Portland Chapter of the Open Web Application Security Project (OWASP) will be hosting an introduction to OWASP Juice Shop [https://github.com/bkimminich/juice-shop]. OWASP Juice Shop is an intentionally insecure web application for security trainings written entirely in JavaScript which encompasses the entire OWASP Top Ten [https://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project] and other severe security flaws. The session will provide a top level overview of the Juice Shop playground and how to get started with it, as well as an opportunity for attendees to team up to teach and learn from each other in a fun Capture The Flag competition.

David Quisenberry (@dmqpdx16) will be facilitating the session. He's a developer with Daylight Studio and explorer of application security issues.

Thursday
Sep 23, 2021
OWASP PDX - InfoSec Panel Discussion
Virtual

Let's talk InfoSec!

RSVP: https://www.meetup.com/OWASP-Portland-Chapter/events/280657220/

Bios:

Cassie Clark: Passionate about bringing humans into security. She develops awareness programs focused on behavior change, user enablement, and culture. As Security Awareness Lead Engineer at Brex, she built and leads security awareness for employees and customers. Prior to Brex, she built the security awareness function at Cruise and focused on security engagement at Salesforce. She holds a Master’s degree in Women’s Studies and can often be seen holding a cup of coffee.

Traci Esteve: As Director of Technology Governance and Risk for The Standard in Portland, Oregon, Traci Esteve is committed to protecting the confidentiality, integrity, and availability of information and processing resources. She began her career as a developer and infrastructure engineer. This led to her rise to a premier technical architect at Accenture and to expanding the practice in Asia and Europe. Her journey includes staying home to raise her two sons and serving as an advisor to organizations to increase profitability, maximize customer value, and effectively meet regulatory requirements. She has a BS in Applied Science, MBA certification from Miami University, and a certification in Cybersecurity Risk Management from Harvard University. Traci enjoys cooking with her family, drawing, hiking, and encouraging high-school students to believe in themselves.

Tuesday
Jun 29, 2021
OWASP PDX: My Journey to Becoming a CISSP : Study Tips and Life-lessons with Sarba Roy
Virtual

Sarba is currently the Product Security Consultant at Umpqua Bank where she is collaborating and acting as a security advisor to the Product teams when new digital technologies and/or business needs are identified. She is also the Membership Chair for the Women In Cybersecurity (WiCyS) Oregon Affiliate, the Chapter Lead for Infosec Girls - Oregon and the Founding member of WomenH2H, a global community for women leaders and changemakers. She is also a passionate volunteer and advocate for women’s empowerment and education equity, while being a writer and mentor at heart, dedicated to helping individuals and organizations become more compassionate, curious and cybersmart.

RSVP: https://www.meetup.com/OWASP-Portland-Chapter/events/278536668/

Wednesday
Nov 18, 2020
PDX OWASP - Automate OWASP ZAP Lunch and Learn with Roop Kaur
Online via Zoom

Overview: Use OWASP ZAP to detect web application vulnerabilities in a CI/CD pipeline, and see how we automate ZAP with existing automation scripts.

Speaker: Roop Kaur, an engineer at Zapproved

RSVP: https://www.meetup.com/OWASP-Portland-Chapter/events/274622842/

Tuesday
Jun 9, 2020
Portland, Oregon OWASP Study Night (Virtual) - Detect Complex Code Patterns Using Semantic Grep
Virtual Meeting

RSVP: https://www.meetup.com/OWASP-Portland-Chapter/events/271144214/

Abstract: We’ll discuss a program analysis tool we’re developing called Semgrep. It's a multilingual semantic tool for writing security and correctness queries on source code (for Python, Java, Go, C, and JS) with a simple “grep-like” interface. The original author, Yoann Padioleau, worked on Semgrep’s predecessor, Coccinelle, for Linux kernel refactoring, and later developed Semgrep while at Facebook. He’s now full time with us at r2c.

Semgrep is a free open-source program analysis toolkit that finds bugs using custom analysis we’ve written and OSS code checks. Semgrep is ideal for security researchers, product security engineers, and developers who want to find complex code patterns without extensive knowledge of ASTs or advanced program analysis concepts.

Speaker bio: Clint Gibler (@clintgibler) is the Head of Security Research for r2c, a small startup working on giving security tools directly to developers. Previously, Clint was a Research Director at NCC Group, a global security consulting firm, where he helped companies implement security automation and DevSecOps best practices as well as performed penetration tests for companies ranging from large enterprises to new startups. Clint has previously spoken at conferences including BlackHat USA, AppSec USA/EU/Cali, BSidesSF, and DevSecCon Seattle/London/Tel Aviv/Singapore. Clint holds a Ph.D. in Computer Science from the University of California, Davis. Want to keep up with security research? Check out tl;dr sec, Clint’s newsletter that contains summaries of artisanally curated, top talks and useful security links and resources from around the web.

Tuesday
Apr 21, 2020
Portland OWASP Training Night (Virtual) - Learn 10 Things About Wireshark
Online

In this class, we'll briefly go over the 10 things that I would like to show anyone using Wireshark. There are no prerequisites for this presentation. If you would like to follow along please install the most recent 3.x version of Wireshark. Example packet captures will be provided.

Kevan Vanhoff is a Network Security Engineer living in Portland, Oregon.

RSVP: https://www.meetup.com/OWASP-Portland-Chapter/events/270075900/

Wednesday
Mar 18, 2020
Portland OWASP - Kendra Ash - Security Mixer!
New Relic

Join us for a night of networking and discussion about security. Kendra will kick it off with a short talk about how to make friends with your developers through automation. Then we will split up into groups and allow people to discuss cloud security, application security, devops and jobs.

Bio: Kendra Ash (@securelykash) is a security engineer at Vacasa, actively building out an application security program by leveraging guidance from her network and incorporating industry standards. She is also actively involved with the Portland OWASP chapter.

RSVP: https://www.meetup.com/OWASP-Portland-Chapter/events/268903220/

Tuesday
Mar 3, 2020
Exploring OWASP Juice Shop (with Burp Suite)
CTRL-H

In this class, we’ll be exploring how to find the vulnerabilities in OWASP Juice Shop with Burp Suite (and maybe some other security tools if we get some time). You’ll learn to set up the environment to play with in your own time, as well as how to practically apply the different features of Burp Suite and when it is and isn’t the most optimal tool. This will help you to reproduce security vulnerabilities or help find them for bug bounty programs.

Bio: Jordan is an Application Security Engineer at New Relic and a graduate from the University of Pittsburgh with a degree in computer science. She’s Champion ranked in Rocket League and does yoga in her free time.

Seating is limited

RSVP: https://www.meetup.com/OWASP-Portland-Chapter/events/269026936/

OWASP Juice Shop: https://owasp.org/www-project-juice-shop/

Burp Suite CE: https://portswigger.net/burp/releases/professional-community-2020-1?requestededition=community

Tuesday
Feb 18, 2020
Portland OWASP Study Night: Intro to Threat Modeling with Ray and Zak
CTRL-H

Threat modeling is a vital skill for security hats of all colors, as well as for product designers, managers and developers. Ray is a Life Coach and Conspiracy Theorist. He does AppSec in his non-spare time for money. Zak is an Application Security Engineer with many years of development experience.

Bring your own dinner/snacks. No provided pizza.

Study Nights are smaller, bitesize, digestible, skill building mini lectures or workshops for those interested in learning new skills, tools, tricks, or new CTF challenges. It’s also meant for members to practice communication skills and teamwork in a supportive environment.

Study Nights meet the first Tuesday of each month at the ^H hackerspace in North Portland. Doors will be at 7pm, event will start at 7:30pm and wrap up by 8:30. Please bring your computer with Burp Suite installed and preferred note taking mechanisms.

Seating is limited

RSVP: https://www.meetup.com/OWASP-Portland-Chapter/events/268231564/

Tuesday
Feb 11, 2020
Portland OWASP Chapter Meeting: CMD+CTRL Web Application Cyber Range
Zapproved

Want to test your skills in identifying web app vulnerabilities? Join OWASP Portland and Security Innovation as members compete in CMD+CTRL, a web application cyber range where players exploit their way through hundreds of vulnerabilities that lurk in business applications today. Success means learning quickly that attack and defense is all about thinking on your feet.

For each vulnerability you uncover, you are awarded points. Climb the interactive leaderboard for a chance to win fantastic prizes! CMD+CTRL is ideal for development teams to train and develop skills, but anyone involved in keeping your organization’s data secure can play, from developers to managers and even CISOs.

All you need is your laptop and your inner evil-doer.

Register early to reserve your spot and get a sneak peek at our cheat sheets and FAQs!

Monday
Jan 13, 2020
Portland OWASP Chapter Meeting - Introduction to Burp Suite with Ryan Krause
Vacasa

Burp Suite is an integrated platform for performing security testing of web applications. Its various tools work seamlessly together to support the entire testing process, from initial mapping and analysis of an application’s attack surface, through to finding and exploiting security vulnerabilities. Burp gives you full control, letting you combine advanced manual techniques with state-of-the-art automation, to make your work faster, more effective, and more fun.

The speaker covers the basics of the tool along with real-world experiences and techniques that can help you as a pen tester.

Speaker: Ryan Krause

Ryan is a penetration tester based in the Portland, Oregon area. He has worked in various areas of the security field for the past 11 years for companies such as HP, eEye Digital Security/BeyondTrust, and Comcast with a primary focus on application security and development. He is currently a consultant at NetSPI where he performs web and network penetration tests and assists clients with reducing their overall security exposure.

Tuesday
Jan 7, 2020
Portland OWASP Study Night: Burp Suite Basics with Sophia Anderson
Ctrl-H / PDX Hackerspace

Happy New Year! Welcome to our second ever OWASP PDX study night. Our January topic will be "Burp Suite Basics" presented by Sophia Anderson. Sophia is a security consultant for NetSPI performing web application penetration tests for Fortune 500 clients to discover vulnerabilities. Sorry, no pizza unless you want to bring some :).

Study Nights are smaller, bitesize, digestible, skill building mini lectures or workshops for those interested in learning new skills, tools, tricks, or new CTF challenges. It’s also meant for members to practice communication skills and teamwork in a supportive environment.

Study Nights meet the first Tuesday of each month at the ^H hackerspace in North Portland. Doors will be at 7pm, event will start at 7:30pm and wrap up by 8:30. Please bring your computer with Burp Suite installed and preferred note taking mechanisms.

Seating is limited

RSVP: https://www.meetup.com/OWASP-Portland-Chapter/events/267644393/

Tuesday
Dec 10, 2019
Portland OWASP Chapter Meeting: So You Want to Teach Security? Bully for You!
Autodesk Inc

This talk focuses on building a security curriculum and teaching it, whether individually, at the workplace or in academia. Start with the following question: Am I the right person to do it? A novice can be downright dangerous, while an expert who can't teach is as useful as a waterproof teabag. Security education is the first line of defense, but who trains the trainers? Are students getting their money's worth? What differentiates your training from others? Join the speaker to share life lessons, funny anecdotes, and useful advice on lecturing, "curriculuming", and critiquing. Learn what it means to containerize a syllabus, deploy labs in a continuous integration-like environment using open source tools and why markdown is a better tool than PowerPoint for creating new content. Consider security textbooks as obsolete, "office hours" mandatory, and the impact of the Family Educational Rights and Privacy Act (FERPA). There will be a test at the end of the talk.

Speaker: John L. Whiteman

John is a product security expert and instructor at Intel in Oregon. He's also a part-time adjunct instructor teaching cybersecurity at the University of Portland. In a past life, John was a shipboard and classroom instructor in the United States Navy, training hundreds of sailors in the dark arts of passive sonar and torpedo countermeasure systems (in case the former didn't pan out). He also did a stint as a news director for a small radio station in Colorado. John has an M.S. in Computer Science from Georgia Tech and a B.A. in Asian Studies from the University of Maryland UC. He holds CISSP, CCSP and CEH security certifications. John blogs and loves to podcast for the OWASP chapter in Portland.

Website
Tuesday
Nov 12, 2019
Portland OWASP Chapter Meeting: Overcoming Your Greatest InfoSec Adversary: You!
Zapproved

Tips on formulating complete sentences without acronyms, learning to pretend you aren't the smartest person in the room, choosing the right animations for your PowerPoint presentations, and more! Let's be honest, you probably didn't get into info-sec because of your love for public speaking, your mastery of written and verbal communication, or your highly-tuned social skills! Regardless, these things are key to your success or failure in info-sec. Dare to join me for a frank if somewhat tongue-in-cheek conversation regarding strategies for simplifying complex conversations, recognizing and overcoming common communication obstacles, translating leet-speak to business language and creating effective visual presentations.

Speaker: Patterson Cake

Patterson has been in information technology for over 20 years, focusing on security for the past several years in offensive, defensive and leadership roles. He is the founder of Haven Information Security, an instructor for SANS, and the Principal Cybersecurity Engineer for PeaceHealth.

Website
Wednesday
Jun 19, 2019
Portland OWASP - Security Requirement Elicitation with Bhushan Gupta
CloudBolt Software

Web Application Security spreads over the application functionality, the platform it is running on, the development and deployment environment, third-party applications used, and last but not least, the open source code it utilizes. The requirements breadth is mind-boggling. You ignore any of these aspects and you become vulnerable.

This talk will discuss a structured approach to establishing essential security requirements based on the CIA triad. The discussion will then expand to how these requirements manifest in industry standards such as PCI, in government agencies, and globally. It will also delve into third-party and open source code scenarios. The audience will take home a checklist of different aspects of security requirements to consider when building a Web application.

Bio: Bhushan Gupta, Gupta Consulting, LLC.

A proven champion for quality, well versed in software quality engineering, and an AppSec researcher, Bhushan is the principal consultant at Gupta Consulting, LLC. A Certified Six Sigma Black Belt (ASQ), he possesses deep and broad experience in solving complex problems, change management, and coaching and mentoring. As a member of the Open Web Application Security Project (OWASP), he is dedicated to driving AppSec to higher levels via integration of security into the Agile software development life cycle. His research areas are: elicitation of security requirements, comprehensive testing approaches beyond penetration testing, application of test tools and use of AI (Machine Learning) in secure web application development.

Bhushan has an MS in Computer Science (1985) from New Mexico Tech and has worked at Hewlett-Packard and Nike Inc. in various roles. He was a faculty member at the Oregon Institute of Technology, Software Engineering department, from 1985 to 1995 and is currently an Adjunct Faculty member.

Website
Tuesday
Feb 26, 2019
Portland OWASP Chapter Meeting - Building a Security Program From Nothing with Kendra Ash
Vacasa

Companies are starting to build security programs with no prior experience as awareness about cyber threats increases. Often this is at a later stage when the company has a fully staffed engineering team and accumulated security debt. This talk is about how to build a security program from nothing using stakeholder analysis and risk assessments to help prioritize remediation efforts and avoid getting overwhelmed. A healthy and effective security program relies on building relationships throughout the company, enlisting security champions, and leveraging tooling and automation as effectively as possible. Kendra Ash will be sharing some of the lessons learned on our journey building a security program from scratch over the last several months.

Kendra Ash (@securelykash) is an information security engineer at Vacasa, actively building a security team and program by leveraging guidance from her network and industry standards.

Website
Thursday
Dec 6, 2018
OWASP Portland Chapter Meeting
Jama Software (New Office)

Interested in web application security? OWASP is for you. The Open Web Application Security Project aims to improve the security of software. Portland has a vibrant chapter and this is our regular chapter meeting.

Unfortunately, our speaker this month has come down with laryngitis, so we're going to be showing a few of the talks from this year's AppSecUSA conference with pizza. To vote on which talk you would be interested in viewing, go to this tweet.

Website