Viewing 0 current events matching “OWASP” by Location.

Sort By: Date Event Name, Location , Relevance , Default
No events were found.

Viewing 30 past events matching “OWASP” by Location.

Sort By: Date Event Name, Location , Relevance , Default
Tuesday
Dec 13, 2011
OWASP Chapter Meeting
15300 SW Koll Parkway Beaverton, OR 97006

The Open Web Application Security Project (OWASP) is a 501c3 not-for-profit worldwide charitable organization focused on improving the security of application software.

This informal chapter meeting will give attendees a chance to chat about whatever application security topics they are most interested in. Matthew will discuss the OWASP Testing Framework. Tim will offer his impressions of the Zed Attack Proxy. Other topics are welcome.

Website
Thursday
Mar 21, 2019
Symposium: ½ Day Hackathon
2035 Northeast Cornelius Pass Road Hillsboro, OR 97124

A complimentary coffee bar, breakfast snacks and lunch will be provided.

We are partnering again with Security Innovation to provide an immersive hands-on hacking experience for our February 2019 ISSA symposium.

Compete against your fellow ISSA Portland members and guests in a contest of hacking skills to attack and breach the “Shred Retail” site.

This event will provide value for everyone from a non-coder with zero hacking experience to a seasoned penetration tester. There are challenges for all skill levels and interest built into the site and we will have expert help on hand to help anyone who wants it.

Those registering for the event will be provided with a complimentary code for 30-day access to the Security Innovations OWASP 2017 Series training. Course details can be found here:

https://www.securityinnovation.com/course-catalog/application-security/secure-design/owasp-2017-series

This code will be provided at least 14 days prior to the event.

Amazon gift cards will be given for:

Highest score - $100 Runner up - $50 Hardest vulnerability - $50 First vulnerability - $25 You will need to bring a laptop with the following:

Recent version of Firefox installed with the FireBug Extension Recent Java Runtime installed. Many thanks to Salesforce for the coffee bar and for hosting this event.

Snacks and lunch are sponsored by:

Space is limited, so please register soon.

Website
Tuesday
Dec 10, 2019
Portland OWASP Chapter Meeting: So You Want to Teach Security? Bully for You!
Autodesk Inc

This talk focuses on building a security curriculum and teaching it, whether individually, at the workplace or in academia. Start with the following question: Am I the right person to do it? A novice can be downright dangerous, while an expert who can't teach as useful as a waterproof teabag. Security education is the first line of defense, but who trains the trainers? Are students getting their money's worth? What differentiates your training from others? Join the speaker to share life lessons, funny anecdotes, and useful advice on lecturing, "curriculuming", and critiquing. Learn what it means to containerize a syllabus, deploy labs in a continuous integration-like environment using open source tools and why markdown is a better tool than PowerPoint for creating new content. Consider security textbooks as obsolete, "office hours" mandatory, and the impact of the Family Educational Rights and Privacy Act (FERPA). There will be a test at the end of the talk.

Speaker: John L. Whiteman

John is a product security expert and instructor at Intel in Oregon. He's also a part-time adjunct instructor teaching cybersecurity at the University of Portland. In a past life, John was a shipboard and classroom instructor in the United States Navy, training hundreds of sailors in the dark arts of passive sonar and torpedo countermeasure systems (in case the former didn't pan out). He also did a stint as a news director for a small radio station in Colorado. John has an M.S. in Computer Science from Georgia Tech and a B.A. in Asian Studies from the University of Maryland UC. He holds CISSP, CCSP and CEH security certifications. John blogs and loves to podcast for the OWASP chapter in Portland.

Website
Wednesday
Oct 30, 2013
OWASP Chapter Planning Meeting
Brix Tavern

This is a planning meeting for the Portland OWASP chapter. Please join us if you are interested in helping us plan and organize the activities of the chapter for the next year.

Please RSVP if you plan on showing up. Just shoot an email to

( tim DOT morgan AT owasp DOT org )

Some of the topics we expect to discuss at this meeting:

  • Chapter meetings
  • FLOSSHack events
  • Local/regional conferences and training events
  • Approaches to sponsorship
  • Long term group leadership and governance
  • YOUR ideas

The Open Web Application Security Project (OWASP) is a 501c3 not-for-profit worldwide charitable organization focused on improving the security of application software. To sign up for future meeting notes and to discuss security topics with local gurus, sign up on the OWASP Portland mailing list: https://lists.owasp.org/mailman/listinfo/owasp-portland

Meetings are free and open to the public.

Website
Tuesday
Mar 3, 2020
Exploring OWASP Juice Shop (with Burp Suite)
CTRL-H

In this class, we’ll be exploring how to find the vulnerabilities in OWASP Juice Shop with Burp Suite (and maybe some other security tools if we get some time). You’ll learn to set up the environment to play with in your own time. As well as learning to practically apply the different features of Burp Suite and when it is and isn’t the most optimal tool. This will help you to reproduce security vulnerabilities or help find them for bug bounty programs.

Bio: Jordan is an Application Security Engineer at New Relic and a graduate from the University of Pittsburgh with a degree in computer science. She’s Champion ranked in Rocket League and does yoga in her free time.

Seating is limited

RSVP: https://www.meetup.com/OWASP-Portland-Chapter/events/269026936/

OWASP Juice Shop: https://owasp.org/www-project-juice-shop/

Burp Suite CE: https://portswigger.net/burp/releases/professional-community-2020-1?requestededition=community

Tuesday
Feb 18, 2020
Portland OWASP Study Night: Intro to Threat Modeling with Ray and Zak
CTRL-H

Threat modeling is a vital skill for security hats of all colors, as well as for product designers, managers and developers. Ray is a Life Coach and Conspiracy Theorist. He does AppSec in his non-spare time for money. Zak is an Application Security Engineer with many years of development experience.

Bring your own dinner/snacks. No provided pizza.

Study Nights are smaller, bitesize, digestible, skill building mini lectures or workshops for those interested in learning new skills, tools, tricks, or new CTF challenges. It’s also meant for members to practice communication skills and teamwork in a supportive environment.

Study Nights meet the first Tuesday of each month at the ^H hackerspace in North Portland. Doors will be at 7pm, event will start at 7:30pm and wrap up by 8:30. Please bring your computer with Burp Suite installed and preferred note taking mechanisms.

Seating is limited

RSVP: https://www.meetup.com/OWASP-Portland-Chapter/events/268231564/

Monday
Apr 16, 2018
OWASP Chapter Meeting: Alexei Kojenov on Deserialization Attacks
Cambia Health Solutions

Overview

Insecure deserialization was recently added to OWASP's list of the top 10 most critical web application security risks, yet it is by no means a new vulnerability category. Data serialization and deserialization have been used widely in applications, services and frameworks, with many programming languages supporting them natively. Deserialization got more attention recently as a potential vehicle to conduct several types of attacks: data tampering, authentication bypass, privilege escalation, various injections and, finally, remote code execution. Two recent vulnerabilities in Apache Commons and Apache Struts, both allowing remote code execution, helped raise awareness of this risk.

We will discuss how data serialization and deserialization are used in software, the dangers of deserializing untrusted input, and how to avoid insecure deserialization vulnerabilities.

Speaker

Alexei Kojenov is a Senior Application Security Consultant with years of prior software development experience. During his career with IBM, he gradually moved from writing code to breaking code. Since late 2016, Alexei has been working as a consultant at Aspect Security, helping businesses identify and fix vulnerabilities and design secure applications. Aspect Security was recently acquired by Ernst&Young and joined EY Advisory cybersecurity practice.



The Open Web Application Security Project (OWASP) is a 501c3 not-for-profit worldwide charitable organization focused on improving the security of application software. To sign up for future meeting notes and to discuss security topics with local gurus, sign up on the OWASP Portland mailing list: https://lists.owasp.org/mailman/listinfo/owasp-portland

Meetings are free and open to the public.

Website
Monday
Mar 27, 2017
OWASP/AngularJS combined: Boosting the Security of Your Angular Application
Cambia Health Solutions

This month PDX OWASP is joining forces with the local Angular JS meetup to feature:
Philippe De Ryck, PhD
Web Security Expert @ imec-DistriNet, KU Leuven

Abstract

Angular 2 is hot, and there is a huge amount of information available on building applications, improving performance, and various other topics. But do you know how to make your Angular 2 applications secure? What kind of security features does Angular 2 offer you, and which additional steps can you take to really boost the security of your applications?

In this session, we cover one of the biggest threats in modern web applications: untrusted JavaScript code. You will learn how Angular protects you against XSS, and why you shouldn't bypass this protection. We will also dive into new security mechanisms, such as Content Security Policy. Through a few examples, I will show you how you can use these mechanisms to enhance the security in your client-side context.

Speaker

Philippe De Ryck is a professional speaker and trainer on software security and web security. Since he obtained his PhD at the imec-DistriNet research group (KU Leuven, Belgium), he has been running the group's Web Security Training program, which ensures a sustainable knowledge transfer of the group’s security expertise towards practitioners.

You can find more about Philippe on https://www.websec.be


The Open Web Application Security Project (OWASP) is a 501c3 not-for-profit worldwide charitable organization focused on improving the security of application software. To sign up for future meeting notes and to discuss security topics with local gurus, sign up on the OWASP Portland mailing list: https://lists.owasp.org/mailman/listinfo/owasp-portland


Meetings are free and open to the public.

Website
Monday
May 21, 2018
2018 Spring Training: IT Security and Audit Symposium
through Clackamas Community College - Wilsonville

Spring Training

Day 1:

1) Keynote: Blockchain: More that Cryptocurrency: Michael Reed (Intel)

Presentation on the origin of blockchain technologies and its evolution to a key technology in pursuit of increased efficiencies and new business models. Is your enterprise ready for blockchain?

2) Micro Segmentation and Cloud-A blueprint for protecting your golden egg: Tyler Hardison (RedHawk Security) (EVENT SPONSOR)

3) Benefiting from PCI – Even if Compliance is Not Required: Bowe Hoy (Sword&Shield) and Mike Griffin (Circle K Stores, Inc.)

The Payment Card Industry Data Security Standard (PCI DSS) can be beneficial to your organization, even if compliance to it is not a requirement. PCI DSS features a number of valuable guidelines to help your organization improve its security posture, technology auditing, and business operations. This session will help you understand the key components of PCI DSS and how your organization can benefit from implementing it. You will receive practical lessons through case studies about organizations that have successfully implemented PCI DSS. Whether these organizations were required to comply with PCI DSS, or chose to adopt it – they became a better organization because of it. And you can learn how to do the same for your organization.

4) Certificate Security and Frameworks for a Public CA: Derek Thomas and Scott Perry

As the ubiquity of on-line shopping continues to amplify our digital environment, ensuring a trusted on-line transaction becomes critical to building the brand loyalty and experience once relished within the physical brick and mortar retailer. The ability to ensure a trusted and secure transaction is not new, however the scrutiny placed on that trust is at an all time high with significant changes in the issuing community and the scrutiny ensuing from the browser community for secure and reliable trusted certificates.

In this presentation, Scott Perry, Partner and Derek Thomas, Managing Director, of Scott Perry CPA, one of six licensed CPA firms performing Certificate Authority audits, will discuss the changing landscape of on-line transactional trust and the requirements of Certificate Authorities. The presentation will include a discussion and overview of an established but less known framework for evaluating and auditing the performance of Certificate Authority practices and considerations applied to evaluating the security of your on-line transactions.

Day 2: 5 Sessions: Various Presenters

5) Current Economics of Cyber: David Hobbs: Radware

Often we discuss the changing threat landscape from a pure technical or vulnerability picture, however this does an injustice to element of ease, cost and access to attacks. This presentation will provide attendees with an up-to-date picture of the rapidly changing landscape of attack tools and services, the buying criteria and locations for these the tools and ease of use. In addition, the presentation will provide an understanding of how the combination of the proliferation of these tools and their corresponding use has dramatically changed the dynamics of the return on defense strategies. This presentation will provide unique insight into the world of the Darknet, specific customer attack stories, new economic models of measuring security deployments and a refreshed look at how controls should be deployed going forward.

6) Cyber War Chronicles - Stories From the Virtual Trenches (ERT Report 2017): David Hobbs: Radware

From information shared by over 1250 companies on their top concerns, we talk about what happened in 2017 and predict the top trends of 2018 in cyber security. The first half of 2017 saw a continuation of some cyber-security threats, as well as the emergence of some attack types and trends. Ransom attacks, political hacks, and new dynamics around the accessibility and capability of attack tools have added even more challenges to security. This session will explore some of the latest evolutions of the threat landscape, through a combination of market intelligence, real-world case studies, and direct insights from those on the front lines of cyber-security.

7) OWASP Updated Top10: Alex Ivkin (ISACA Board)

 A detailed technical review of the OWASP top 10.

8) The Value of Cyber Certifications: Alex Ivkin (ISACA Board)

9) Fraud Audit in a Digital Environment: Sarah Dalton: E&Y

CPE: 14 CPE

Cost:

Regular Pricing: On or After 4/20/18:

ISACA or IIA Member: $185

Non-Member: $225

We hope to see you there!

Website
Wednesday
Jun 19, 2019
Portland OWASP - Security Requirement Elicitation with Bhushan Gupta
CloudBolt Software

Web Application Security spreads over the application functionality, the platform it is running on, the development and deployment environment, third-party applications used, and last but not least, the open source code it utilizes. The requirements breadth is mind-boggling. You ignore any of these aspects and you become vulnerable.

This talk will discuss a structured approach to establish essential security requirements based on the CIA triad. The discussion will then expand over how these requirements manifest in the industry standards such as PCI, Government agencies, and globally. It will also delve into third party and open source code scenarios. The audience will take home a checklist of different aspects of security requirements to consider when building a Web application.

Bio: Bhushan Gupta, Gupta Consulting, LLC.

Proven champion for quality and well-versed with software quality engineering, and an AppSec researcher, Bhushan is the principal consultant at Gupta Consulting, LLC. A Certified Six Sigma Black Belt (ASQ), he possesses deep and broad experience in solving complex problems, change management, and coaching and mentoring. As a member of Open Web Application Security Project (OWASP), he is dedicated to driving the AppSec to higher levels via integration of security into Agile software development life cycle. His research areas are: elicitation of security requirements, comprehensive testing approaches beyond penetration testing, application of test tools and use of AI (Machine Learning) in secure web application development.

Bhushan has a MS in Computer Science (1985) from New Mexico Tech and has worked at Hewlett-Packard and Nike Inc. in various roles. He was a faculty member at the Oregon Institute of Technology, Software Engineering department, from 1985 to 1995 and is currently an Adjunct Faculty member.

Website
Wednesday
Jun 5, 2013
OWASP Chapter Meeting - Jim Manico
Collective Agency Downtown

Jim Manico has offered to come and give us another great talk. Topic will either be "Top Ten Web Defenses" or "Securing the Software Development Lifecycle".

We will serve Pizza! Please RSVP by emailing {tim . morgan at owasp.org} so we can better estimate how much to order.

The Open Web Application Security Project (OWASP) is a 501c3 not-for-profit worldwide charitable organization focused on improving the security of application software. To sign up for future meeting notes and to discuss security topics with local gurus, sign up on the OWASP Portland mailing list: https://lists.owasp.org/mailman/listinfo/owasp-portland

Chapter meetings are free and open to the public.

Wednesday
Jan 9, 2013
OWASP - How to (FLOSS)Hack
Collective Agency Downtown

Join us for a How to (FLOSS)Hack tutorial, which will introduce several common classes of web application vulnerabilities such as XSS, SQL injection, and XML External Entities flaws. The goal of the session is to bring novice FLOSSHack participants up to speed on how to identify new vulnerabilities that are likely to appear in the target software for this week's FLOSSHack. FLOSSHack is an experimental workshop project designed to bring together those who want to learn more about "hacking" (secure programming and application penetration testing) with those who are in need of low cost or pro bono security auditing.

NOTE: For best results, please bring a laptop to participate in the hands-on exercises.

The Open Web Application Security Project (OWASP) is a 501c3 not-for-profit worldwide charitable organization focused on improving the security of application software. To sign up for future meeting notes and to discuss security topics with local gurus, sign up on the OWASP Portland mailing list: https://lists.owasp.org/mailman/listinfo/owasp-portland

Meetings are free and open to the public.

Website
Thursday
Dec 13, 2012
OWASP Chapter Meeting
Collective Agency Downtown

Matthew Lapworth will present a talk on static code analysis.

The Open Web Application Security Project (OWASP) is a 501c3 not-for-profit worldwide charitable organization focused on improving the security of application software. To sign up for future meeting notes and to discuss security topics with local gurus, sign up on the OWASP Portland mailing list: https://lists.owasp.org/mailman/listinfo/owasp-portland

Chapter meetings are free and open to the public.

Monday
Apr 23, 2012
OWASP Chapter Meeting
Collective Agency Downtown

Jim Manico has offered to come to Portland and do a presentation on Top 10 web coding defenses. Jim has many years experience in the web application security space and currently works with WhiteHat Security & SANS.

The Open Web Application Security Project (OWASP) is a 501c3 not-for-profit worldwide charitable organization focused on improving the security of application software. To sign up for future meeting notes and to discuss security topics with local gurus, sign up on the OWASP Portland mailing list: https://lists.owasp.org/mailman/listinfo/owasp-portland

Chapter meetings are free and open to the public.

Thursday
Mar 8, 2012
OWASP Chapter Meeting
Collective Agency Downtown

The Open Web Application Security Project (OWASP) is a 501c3 not-for-profit worldwide charitable organization focused on improving the security of application software. To sign up for future meeting notes and to discuss security topics with local gurus, sign up on the OWASP Portland mailing list: https://lists.owasp.org/mailman/listinfo/owasp-portland

About Joe

This chapter meeting feature guest speaker Joe Basirico, Director of Security Services at Security Innovation. Joe is responsible for managing the professional services business at Security Innovation. He leverages his unique experience as a development lead, trainer, researcher, and test engineer to lead the security engineering team in their delivery of high-quality, impactful assessment and remediation solutions to the company’s customers. His ability to blend his technical skills with risk-based contextual analysis and unwavering customer commitment makes him an invaluable asset for each Security Innovation client.

Joe is an active member in the security and open-source communities, having contributed technology, training, utilities, expertise and methodologies. He manages the company’s engineering blog and has written several publications that focus on vulnerabilities at the source code level. Joe holds a B.S in Computer Science from Montana State University.

About the Talk - Thinking Like the Enemy

In this talk I will help you get into the Hacker's mindset from my ten years of experience as a penetration tester, assessing some of the most exciting applications in the world.

This talk will cover the most important qualities of a hacker or security tester, Top Vulnerabilities that you can't afford to miss as well as more difficult to tackle vulnerabilities that have caused tons of headaches and pain. By the end of the hour you'll better understand how to cause your application true pain, find a tiny weakness and cause the walls of security to crumble around it. After that we'll also talk about how to rebuild those walls to be more robust.

Website
Thursday
Oct 18, 2018
ISSA Portland panel discussion of current cyber threat landscape.
Columbia Square 8th Floor Conference Room

Join us for ISSA Portland panel discussion of current cyber threat landscape.

Thursday - October 18th, 2018 11:30AM - 1:00PM

Please go to the link below and check it out and register today.

Here is the link to the Eventbrite notice:

https://www.eventbrite.com/e/panel-discussion-tracking-the-current-cyber-threat-landscape-tickets-50695136518

Panel Participants:

Brian Ventura, Security Architect City of Portland Craig Schippers, Principal Field Engineer, Trend Micro Cam Naghdi, Sales Engineering Manager, Malwarebytes

Moderator:

Christopher Paidhrin, CISO, City of Portland Topics to include: Quarterly update Trends in threat intelligence The role of AI in malware detection Defense in depth techniques Cloud defenses Panel Participants:

Brian Ventura, Security Architect City of Portland About the panelist: Brian is an Information Security Architect for the City of Portland and a SANS Instructor. Brian volunteers with the ISSA Portland chapter as the Director of Education and with OWASP locally. Over the past 25 years, Brian achieved, holds, and now teaches various industry certifications including CISSP, GSEC, GCIH, GCFA, and GCCC. In addition to his Information Security persona, Brian is a member of the Timbers Army and Thorns Riveters, attending as many games as possible. Find Brian's teaching schedule: https://www.sans.org/instructors/brian-ventura

Cameron Naghdi, Systems Engineering Manager, Malwarebytes About the Panelist: Cameron Naghdi is the Systems Engineering Manager for US-West at Malwarebytes. Cameron has worked for multiple endpoint technology firms and has supported many vertical markets from retail and healthcare up to Federal/Civilian agencies and the Department of Defense. Cameron is also on the technology advisory board of 802Secure and is Co-Founder and CTO at FilecheckIO. Cameron specializes in understanding the threats of today and how to prepare solutions to address both today's and future security challenges.

Chris Sestito, Director of Threat Research, Cylance About the panelist: Chris Sestito manages the Cylance Threat Research Team, which consists of 30 researchers dedicated to data-science-based analysis and automation development. Chris is based in Austin, Texas and is an eight-year veteran in information security with a wealth of experience in malware analysis and malvertising that helps ensure the security of Cylance customers. Chris also holds Sec+ and C|EH certifications.

Craig Schippers, Principal Field Engineer, Trend Micro About the Panelist: Craig Schippers is a CISSP Certified Principal Field Engineer at Trend Micro. He has worked in the security industry for approximately 17 years, assisting customers with their Infrastructure Security needs. Craig lives in Portland, Oregon.

Moderator: Christopher Paidhrin, CISO, City of Portland and ISSA Portland Vice-President About the moderator: Christopher Paidhrin, is the Chief Information Security Officer for City of Portland, Oregon. For the past 17 years Christopher has been a nationally recognized healthcare Information Security authority, having received recognition, nominations and awards for service excellence, including Network World, ISE, SC Magazine, and Information Security magazine's 2011 "Security 7" Award. Christopher is a regular media consultant and presents at numerous events across the U.S. Christopher is an advocate of IT Service Management (ITSM) best practices and process improvement, including learning organizations and knowledge management.

This event is sponsored by: Malwarebytes and Trend Micro

Website
Thursday
Feb 20, 2014
ISSA February Luncheon meeting
Con-Way

Presentation: Pitfalls of Web Session Management

Login session management in modern web applications is largely applications dominated by use of HTTP cookies. However, HTTP cookies were never designed for secure applications, which has led to a significant number of protocol security problems. In this talk, the speaker will start with a brief background on why HTTP cookies are a poorly-conceived mechanism to begin with, and continue with a discussion of how this impacts security. He will describe several lesser-known cookie-based session management problems that remain wide spread and allow for session hijacking through a variety of clever attacks.

Who:
Timothy D. Morgan
Principal Security Consultant - Blindspot Security LLC
As an application security consultant and vulnerability researcher, Tim has been taking deep technical dives in security for over a decade. In that time, he has been credited with the discovery and responsible disclosure of numerous security vulnerabilities in a variety of software products, including: IBM Tivoli Access Manager, Sun Java Runtime Environment, Google Chrome Web Browser, OpenOffice, Oracle WebLogic Application Server, and IBM Websphere Commerce. His current research interests include applied cryptanalysis, IPv6 security and XML external entities attacks. Tim develops and maintains several open source forensics tools in addition to Bletchley, an application cryptanalysis toolkit.

Tim works to secure his customers' environments through black box testing, code reviews, social engineering evaluations, security training and a variety of other services. Tim earned his computer science degrees from Harvey Mudd College and Northeastern University and currently resides in Portland Oregon where he leads the local OWASP chapter

Cost: $10 (member) / $15 (non-member) / $2 (at-the-door)

CPEs: The ISSA meetings are appropriate for CPE credit. The chapter maintains proof of attendance for members but it is the members responsibility to ensure that these CPE's are credited to their respective accounts.

Website
Tuesday
Jan 7, 2020
Portland OWASP Study Night: Burp Suite Basics with Sophia Anderson
Ctrl-H / PDX Hackerspace

Happy New Year! Welcome to our second ever OWASP PDX study night. Our January topic will be "Burp Suite Basics" presented by Sophia Anderson. Sophia is a security consultant for NetSPI performing web application penetration tests for Fortune 500 clients to discover vulnerabilities. Sorry no pizza unless you want to bring :).

Study Nights are smaller, bitesize, digestible, skill building mini lectures or workshops for those interested in learning new skills, tools, tricks, or new CTF challenges. It’s also meant for members to practice communication skills and teamwork in a supportive environment.

Study Nights meet the first Tuesday of each month at the ^H hackerspace in North Portland. Doors will be at 7pm, event will start at 7:30pm and wrap up by 8:30. Please bring your computer with Burp Suite installed and preferred note taking mechanisms.

Seating is limited

RSVP: https://www.meetup.com/OWASP-Portland-Chapter/events/267644393/

Website
Sunday
Jan 13, 2013
OWASP - FLOSSHack Returns
Free Geek

FLOSSHack is an experimental workshop project designed to bring together those who want to learn more about "hacking" (secure programming and application penetration testing) with those who are in need of low cost or pro bono security auditing.

The target software for this FLOSSHack event is OpenMRS. For more info, see the event page.

The Open Web Application Security Project (OWASP) is a 501c3 not-for-profit worldwide charitable organization focused on improving the security of application software. To sign up for future meeting notes and to discuss security topics with local gurus, sign up on the OWASP Portland mailing list: https://lists.owasp.org/mailman/listinfo/owasp-portland

Meetings are free and open to the public.

Website
Sunday
Jul 1, 2012
OWASP FLOSSHack - Ushahidi
Free Geek

FLOSSHack is an experimental workshop project designed to bring together those who want to learn more about "hacking" (secure programming and application penetration testing) with those who are in need of low cost or pro bono security auditing.

This first ever FLOSSHack event will be focused on the Ushahidi platform. Stay tuned for more details in the coming weeks.

The Open Web Application Security Project (OWASP) is a 501c3 not-for-profit worldwide charitable organization focused on improving the security of application software. To sign up for future meeting notes and to discuss security topics with local gurus, sign up on the OWASP Portland mailing list: https://lists.owasp.org/mailman/listinfo/owasp-portland

Meetings are free and open to the public.

Saturday
Apr 2, 2016
SEC440: Critical Security Controls: Planning, Implementing and Auditing
Hilton Garden Inn Portland Airport

Save $200 if you register by March 2nd. This is a 2 day event, Saturday April 2nd and April 9th. Brian Ventura is a local community instructor for SANS and active with the Portland Chapter of ISSA, ISACA and OWASP.

This course helps you master specific, proven techniques and tools needed to implement and audit the Critical Security Controls as documented by the Center for Internet Security (CIS). These Critical Security Controls, listed below, are rapidly becoming accepted as the highest priority list of what must be done and proven before anything else at nearly all serious and sensitive organizations. These controls were selected and defined by the US military and other government and private organizations (including NSA, DHS, GAO, and many others) who are the most respected experts on how attacks actually work and what can be done to stop them. They defined these controls as their consensus for the best way to block the known attacks and the best way to help find and mitigate damage from the attacks that get through. For security professionals, the course enables you to see how to put the controls in place in your existing network though effective and widespread use of cost-effective automation. For auditors, CIOs, and risk officers, the course is the best way to understand how you will measure whether the controls are effectively implemented. SEC440 does not contain any labs. If the student is looking for hands on labs involving the Critical Controls, they should take SEC566.

The Critical Security Controls are listed below. You will find the full document describing the Critical Security Controls posted at the Center for Internet Security.

One of the best features of the course is that it uses offense to inform defense. In other words, you will learn about the actual attacks that you'll be stopping or mitigating. That makes the defenses very real, and it makes you a better security professional.

As a student of the Critical Security Controls two-day course, you'll learn important skills that you can take back to your workplace and use your first day back on the job in implementing and auditing each of the following controls:

CIS Critical Security Controls

CSC 1: Inventory of Authorized and Unauthorized Devices

CSC 2: Inventory of Authorized and Unauthorized Software

CSC 3: Secure Configurations for Hardware and Software on Mobile Devices, Laptops, Workstations, and Servers

CSC 4: Continuous Vulnerability Assessment and Remediation

CSC 5: Controlled Use of Administrative Privileges

CSC 6: Maintenance, Monitoring, and Analysis of Audit Logs

CSC 7: Email and Web Browser Protections

CSC 8: Malware Defenses

CSC 9: Limitation and Control of Network Ports, Protocols, and Services

CSC 10: Data Recovery Capability

CSC 11: Secure Configurations for Network Devices such as Firewalls, Routers, and Switches

CSC 12: Boundary Defense

CSC 13: Data Protection

CSC 14: Controlled Access Based on the Need to Know

CSC 15: Wireless Access Control

CSC 16: Account Monitoring and Control

CSC 17: Security Skills Assessment and Appropriate Training to Fill Gaps

CSC 18: Application Software Security

CSC 19: Incident Response and Management

CSC 20: Penetration Tests and Red Team Exercises

Website
Tuesday
Jan 24, 2012
OWASP Chapter Planning Meeting
Hopworks Urban Brewery

The Open Web Application Security Project (OWASP) is a 501c3 not-for-profit worldwide charitable organization focused on improving the security of application software.

The goal of this informal chapter meeting is to give people a chance to talk shop about security topics and to plan the future direction of the Portland OWASP chapter.

Website
Thursday
Dec 6, 2018
OWASP Portland Chapter Meeting
Jama Software (New Office)

Interested in web application security? OWASP is for you. The Open Web Application Security Project aims to improve the security of software. Portland has a vibrant chapter and this is our regular chapter meeting.

Unfortunately, our speaker this month has come down with laryngitis so we're going to be showing a few of the talks from this year's AppSecUSA conference with pizza. To vote on which talk you would be interested in viewing go to this tweet

Website
Tuesday
May 22, 2018
OWASP Chapter Meeting - Pen Testing: How to Get Bigger Bang for your Buck
Jama Software (New Office)

Panel Discussion - Join local industry practitioners as they discuss the best practices used in getting superior results from your Pen Testing. Also share your ideas on Dos and Dont's of Pen testing.

Moderator - Brian Ventura

Panelists - Alexie Kojenov, Ian Melven, Benny Zhao, and Scott Cutler

Alexei Kojenov is a Senior Application Security Consultant with years of prior software development experience. During his career with IBM, he gradually moved from writing code to breaking code. Since late 2016, Alexei has been working as a consultant at Aspect Security, helping businesses identify and fix vulnerabilities and design secure applications. Aspect Security was recently acquired by Ernst&Young and joined EY Advisory cybersecurity practice.

Ian Melven is Principal Security Engineer at New Relic. He has worked in security for almost 20 years, including roles at Mozilla, Adobe, McAfee and @stake.

Benny Zhao is a Security Engineer at Jive Software. His experience focuses on identifying code vulnerabilities and securing software by building tools to help automate security testing.

Scott Cutler has been interested in computer security since he was a kid, and started attending DefCon in 2004. He got his Computer Science degree from UC Irvine in 2009 while working for the on-campus residential network department for 4 years. After graduating he worked first as QA for a SAN NIC card manufacturer, then switched to essentially create their DevOps program from scratch. From these jobs he has gained a lot of experience with networking, build processes, Linux/Unix administration and scripting, and Python development. In 2012 Scott began working in the security field full time as a FIPS, Common Criteria, and PCI Open Protocol evaluator for InfoGard Laboratories (now UL Transaction Security). During this time he got his OSCP and a good understanding of federal security requirements, assessment processes, and documentation (ask him about NIST SPs!). In 2015 scott switched over to Aspect Security (now EY) to put his OSCP to good use and became a full-time application security engineer, doing pen-tests as well as developing both internal and external training.

Website
Tuesday
Jan 23, 2018
OWASP: AppSec Testing Beyond Pen Test
Jama Software (New Office)

Abstract: Most web application security testing efforts are concentrated around penetration testing which is an art based on a hacker’s psyche, thought process, and determination to exploit vulnerabilities. But, does it yield a high level of confidence and sense of security in a developer’s mind? The answer is a “maybe” especially when the bad guy is obsessed with figuring out new exploits to hack your application. The web application developers have to think about intrinsic security - that is, building security throughout the SDLC. We build applications based upon well-formed customer requirements. Why should we not, then, build our applications based upon the fundamental principles of security and then harden security from the hacker’s perspective?

Bio: Principal consultant at Gupta Consulting LLC., Bhushan Gupta is passionate about development methods and tools that yield more secure web applications especially in the agile software development environment. As a researcher he has keen interest in understanding and applying fundamental principles and known methodologies to develop dependable and secure software solutions. His interests extend to Social Engineering and Attack Surface Analysis. Bhushan worked at Hewlett-Packard for 13 years in various roles including software quality lead, engineer, software process architect, and software productivity manager. He then developed a strong interest in web application security while working as a quality engineer for Nike Inc. Bhushan has been studying various facets of web application security and promoting how to apply common sense approach to build secure solutions. He is a certified Six Sigma Black Belt (HP and ASQ) and an adjunct faculty member at the Oregon Institute of Technology in Software Engineering. To learn more about Bhushan’s contributions to SDLC, visit www.bgupta.com

Website
Tuesday
Nov 14, 2017
OWASP: Cryptography 101/Part 2 - When Good Crypto Goes Bad
Jama Software (New Office)

Abstract

A well known security expert and cryptographer, Thomas H. Ptáček, once said:

"If You're Typing the Letters A-E-S Into Your Code You're Doing It Wrong".

Wait, what?!? Doesn't everyone use AES? Of course we do. Is AES broken? Nope. In this developer-oriented talk I'll explore the kinds of mistakes programmers commonly make when implementing cryptosystems; just how easily these problems can be exploited in the real world; and what Thomas meant by his statement.

Speaker's Bio

Tim taught himself how to write software at the age of twelve and has been a die-hard technologist ever since. After earning his computer science degrees (B.S., Harvey Mudd College and M.S., Northeastern University), Tim spent 8 years helping build a Boston-based information security consulting practice that was recently acquired. In 2014, Tim founded Blindspot Security where he has continued his work as a security consultant, helping his customers understand how digital intruders can gain access to their critical business assets through network, application, and comprehensive security assessments.

Website
Monday
May 22, 2017
OWASP: What the experts say about Web Application Security - A Panel Discussion
Jama Software (New Office)

We are often encountered with making non-trivial decisions about Appsec. Participate in an exciting open discussion with the experts on the following (and more) aspects of Appsec:

  • Challenges in establishing a Secure SDLC
  • Growing pains with increased need for security
  • Critical things to focus on for an effective security/Appsec program
  • Effectiveness and use of developer training on Appsec
  • Relevance of OWASP top 10 in today's security landscape?

Bring your burning questions to ask the panel and take this opportunity to share your experiences with others.

Panel Member's Bio:

Brian Ventura – Security Architect at the City Of Portland focused on Information Security program management, Brian also is a SANS Instructor and ISSA education director.

Ian Melven - Ian has worked in the security field for over 15 years in various roles at companies such as @stake, McAfee, Adobe and Mozilla. He currently leads product security at New Relic.

James Bohem - James is the Chief Security Architect at WebMD Health Services in Portland, OR. For the last 16 years he has held Information Security architect and consulting positions, with experience in application security, architecture and compliance strategy across healthcare, technology, retail, financial and manufacturing industries. Before focusing on security, he was a software developer and architect on the UNIX kernel, microkernels, distributed applications and standards development.

Eric Jernigan – Eric is the IT Security Manager at Genesis Financial Solutions and has broad security experience in financial industry.

The Open Web Application Security Project (OWASP) is a 501c3 not-for-profit worldwide charitable organization focused on improving the security of application software. To sign up for future meeting notes and to discuss security topics with local gurus, sign up on the OWASP Portland mailing list: https://lists.owasp.org/mailman/listinfo/owasp-portland

Meetings are free and open to the public.

Website
Thursday
Jul 28, 2016
OWASP: Social Engineering -- How to Avoid Being a Victim 
Jama Software (New Office)

Social engineering (an act of exploiting people instead of computers) is one of the most dangerous tools in the hacker’s toolkit to breach internet security. The Ubiquiti Networks fell victim to a $39.1 M fraud as one of its staff members was hit by a fraudulent “Business Email Compromise” attack. Thousands of grandmas and grandpas are victim of phishing emails and are forced to pay ransom to have their data released.

In this new millennium, the cyber security game has changed significantly from annoying harmless viruses to stealing vital personal data, causing negative financial impact, demanding ransom, and spreading international political feud. Anyone with presence in the Cyber space has to protect himself/herself, the infrastructure, customers, and also deal with the legal repercussions in the event of a breach. In this talk Bhushan will present the different types of social engineering practices including use of social networks such as Facebook, Twitter, LinkedIn, the bad guys successfully use. The victims can range from the “C” levels (CEO, CFO, CTO) down to the individual contributors in an organization to a grandparent on her laptop. The presentation will also discuss a variety of ordinary but effective measures such as awareness campaign that organizations can take to minimize the risk of breach.


Speaker Bhushan Gupta

A principal consultant at Gupta Consulting LLC., Bhushan Gupta is passionate about the integration of web application security into Agile software development lifecycle. His interests extend to Social Engineering and Attack Surface Analysis. Bhushan worked at Hewlett-Packard for 13 years in various roles including quality engineer, software process architect, and software productivity manager. He then developed a strong interest in web application security while working as a quality engineer for Nike Inc. After 5 years at Nike, he retired and since has been studying various facets of web application security. Bhushan is a certified Six Sigma Black Belt (HP and ASQ) and an adjunct faculty member at the Oregon Institute of Technology in Software Engineering. To learn more about Bhushan, visit www.bgupta.com.


This meeting will be recorded! Feel free to tune in live, or catch the recording later (~24hrs after event).


The Open Web Application Security Project (OWASP) is a 501c3 not-for-profit worldwide charitable organization focused on improving the security of application software. To sign up for future meeting notes and to discuss security topics with local gurus, sign up on the OWASP Portland mailing list: https://lists.owasp.org/mailman/listinfo/owasp-portland


Meetings are free and open to the public.

Website
Tuesday
Nov 17, 2015
OWASP: Antivirus in the Enterprise - Is it dead yet?
Jama Software (New Office)

This month's topic is "Antivirus in the Enterprise - is it dead yet?" Read almost any article about antivirus today, and there will be an opinion somewhere in the writings about the applicability and effectiveness of antivirus software in the enterprise today. Some say yes; some say no. We will open this meeting with a pro/con presentation by security professionals Tony Carothers and Timothy D. Morgan, followed by discussion and debate in a panel style, about antivirus software and it's effectiveness in software security today. Refreshments will be provided.


The Open Web Application Security Project (OWASP) is a 501c3 not-for-profit worldwide charitable organization focused on improving the security of application software. To sign up for future meeting notes and to discuss security topics with local gurus, sign up on the OWASP Portland mailing list: https://lists.owasp.org/mailman/listinfo/owasp-portland


Meetings are free and open to the public.

Website
Monday
Feb 26, 2018
OWASP February Chapter Meeting : Jon Bottarini on Bug Bounties
Jive Software

Jon Bottarini will be presenting on bug bounties (from both a hacker and a program perspective), common mistakes in the software development lifecycle that make it easier to find bugs, and what developers can do to understand their full attack surface.

Bio:

Jon Bottarini is a Technical Program Manager at HackerOne, where he is responsible for managing the bug bounty programs for the US Department of Defense and other companies looking to leverage talent from hacker-powered security. In his free time he is also a hacker and bug bounty hunter who has reported vulnerabilities to worldwide brands and organizations such as New Relic, Apple, Google, the US Department of Defense, and many more.

Twitter: https://www.twitter.com/jon_bottarini
LinkedIn: http://www.linkedin.com/in/jonbottarini

Website