Viewing 1 current event matching “AppSec” by Date.

Sort By: Date Event Name, Location , Default
Tuesday
Aug 13
Portland OWASP: Using Graph Theory to Understand Security with Tim Morgan
Simple

Using Graph Theory to Understand Security

Information security is hard. It must be, because we keep getting hacked. One aspect that makes it so difficult is the level of complexity that exists in even a modestly-sized digital infrastructure. Humans can consider only so many security relationships, trust boundaries, and attack scenarios at once. This complexity makes it hard to decide where to focus our defensive resources and we're regularly led astray by the latest shiny tool or security advisory. Remarkably, our adversaries actually have a similar challenge: once a digital intruder gains a foothold in an environment that is completely new to them, how do they know what next steps they should take to efficiently achieve their goal? The environments they attack are not only complex, they are also unexplored landscapes that must be mapped out.

This is where graph theory can lend a hand. Several open source tools, such as BloodHound and Infection Monkey, provide intruders (whether that be your friendly neighborhood pentester or your adversaries) with easy ways to map out infrastructures and identify the quickest path to your crown jewels. While this is certainly alarming, we can also use these tools ourselves to find out what our infrastructures look like in the eyes of an attacker.

In this talk, Tim will provide a brief introduction to graph theory, show some demos of the free tools that use it, and discuss how he is using these techniques to build automated threat models "at scale" to make defenders' lives easier.

Speaker: Timothy Morgan

After earning his computer science degrees (B.S., Harvey Mudd College and M.S., Northeastern University) and spending a short time as a software developer, Tim began his career in application security and vulnerability research. In his work as a consultant over the past 14 years, Tim has led projects as varied as application pentests, incident response, digital forensics, secure software development training, phishing exercises, and breach simulations. Tim has also presented his independent research on Windows registry forensics, XML external entities attacks, web application timing attacks, and practical application cryptanalysis at conferences such as DFRWS, OWASP's AppSec USA, BSidesPDX, and BlackHat USA.

For the past three years Tim has been building an innovative new risk-based vulnerability management product (DeepSurface) that helps his customers gain a much deeper understanding of the complex relationships present in their digital infrastructures. Visit kanchil.com to learn more about Tim's latest R&D effort.

Website

Viewing 12 past events matching “AppSec” by Date.

Sort By: Date Event Name, Location , Default
Tuesday
Jan 23, 2018
OWASP: AppSec Testing Beyond Pen Test
Jama Software (New Office)

Abstract: Most web application security testing efforts are concentrated around penetration testing which is an art based on a hacker’s psyche, thought process, and determination to exploit vulnerabilities. But, does it yield a high level of confidence and sense of security in a developer’s mind? The answer is a “maybe” especially when the bad guy is obsessed with figuring out new exploits to hack your application. The web application developers have to think about intrinsic security - that is, building security throughout the SDLC. We build applications based upon well-formed customer requirements. Why should we not, then, build our applications based upon the fundamental principles of security and then harden security from the hacker’s perspective?

Bio: Principal consultant at Gupta Consulting LLC., Bhushan Gupta is passionate about development methods and tools that yield more secure web applications especially in the agile software development environment. As a researcher he has keen interest in understanding and applying fundamental principles and known methodologies to develop dependable and secure software solutions. His interests extend to Social Engineering and Attack Surface Analysis. Bhushan worked at Hewlett-Packard for 13 years in various roles including software quality lead, engineer, software process architect, and software productivity manager. He then developed a strong interest in web application security while working as a quality engineer for Nike Inc. Bhushan has been studying various facets of web application security and promoting how to apply common sense approach to build secure solutions. He is a certified Six Sigma Black Belt (HP and ASQ) and an adjunct faculty member at the Oregon Institute of Technology in Software Engineering. To learn more about Bhushan’s contributions to SDLC, visit www.bgupta.com

Website
Monday
Feb 26, 2018
OWASP February Chapter Meeting : Jon Bottarini on Bug Bounties
Jive Software

Jon Bottarini will be presenting on bug bounties (from both a hacker and a program perspective), common mistakes in the software development lifecycle that make it easier to find bugs, and what developers can do to understand their full attack surface.

Bio:

Jon Bottarini is a Technical Program Manager at HackerOne, where he is responsible for managing the bug bounty programs for the US Department of Defense and other companies looking to leverage talent from hacker-powered security. In his free time he is also a hacker and bug bounty hunter who has reported vulnerabilities to worldwide brands and organizations such as New Relic, Apple, Google, the US Department of Defense, and many more.

Twitter: https://www.twitter.com/jon_bottarini
LinkedIn: http://www.linkedin.com/in/jonbottarini

Website
Wednesday
Oct 3, 2018
OWASP Portland 2018 Training Day
World Trade Center

For the third year in a row, the Portland OWASP chapter is proud to host our information security training day! This is be an excellent opportunity for those interested to receive top quality information security and application security training for prices far lower than normally offered. It's also a great chance to network with the local infosec community and meet those who share your interests.

OWASP Portland 2018 Training Day will be October 3, 2018.

Courses Courses will be held in two tracks: four in the morning session, and four in the afternoon session. Each participant can register for one morning course, or one afternoon course, or one of each.

The Portland OWASP chapter is hosting its 3rd annual training day. This will be an excellent opportunity for students to receive quality information security and application security training for next to nothing. It will also be a great chance to network with the local infosec community. For more information, see the main event page.

Courses are held in four tracks: four in the morning session, and four in the afternoon session. Each student can register for one morning course, or one afternoon course, or one of each!

NOTE: If you see that a course is sold out, then it is unlikely we will have any additional seats in that course. You can email ian DOT melven AT owasp.org OR benny DOT zhao AT owasp.org OR bhushan DOT Gupta AT owasp.org to request being added to the waiting list. Please be sure to specify which class(es) you want to be added to the wait list for.

OWASP Portland 2018 Training Day will be October 3, 2018. This year we'll be located at:

World Trade Center Portland 121 SW Salmon St. Portland, OR 97204. Later in the evening, a social mixer will also be held at Rock Bottom Restaurant & Brewery, just a short walk away:

206 SW Morrison St Portland, OR 97204

Time Activity 8:00 AM - 8:30 AM Morning Registration and Continental Breakfast 8:30 AM - 12:00 PM Intro to Hacking Web 3.0 (Mick Ayzenberg)

Introduction to Computer Forensics (Kris Rosenberg)

Intro to Practical Internal Vulnerability Scanning (Patterson Cake)

Incident Handling in Cloud Environment - a primer (Derek Hill)

12:00 PM - 1:30 PM Lunch on your own - Meet a new friend and grab a bite!

1:00 PM - 1:30 PM Afternoon Registration (for those attending only in the afternoon)

1:30 PM - 5:00 PM Advanced Application Security Testing (Timothy Morgan)

AppSec Testing Beyond Pen Test (Bhushan Gupta)

Applied Physical Attacks on Embedded Systems, Introductory Version (Joe FitzPatrick)

Advanced Custom Network Protocol Fuzzing (Joshua Pereyda)

5:00 PM - 7:30 PM Evening Mixer @ Rock Bottom Restaurant and Brewery

Want to get news and information on our 2018 Training Day? Subscribe to the Portland OWASP mailing list or follow @PortlandOWASP on Twitter!

Website
Thursday
Nov 8, 2018
OWASP Portland Chapter Meeting - OWASP Juice Shop!
New Relic

The Portland Chapter of the Open Web Application Security Project (OWASP) will be hosting an introduction to OWASP Juice Shop [https://github.com/bkimminich/juice-shop]. OWASP Juice Shop is an intentionally insecure web application for security trainings written entirely in JavaScript which encompasses the entire OWASP Top Ten [https://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project] and other severe security flaws. The session will provide a top level overview of the Juice Shop playground and how to get started with it, as well as an opportunity for attendees to team up to teach and learn from each other in a fun Capture The Flag competition.

David Quisenberry (@dmqpdx16) will be facilitating the session. He's a developer with Daylight Studio and explorer of application security issues.

Website
Thursday
Dec 6, 2018
OWASP Portland Chapter Meeting
Jama Software (New Office)

Interested in web application security? OWASP is for you. The Open Web Application Security Project aims to improve the security of software. Portland has a vibrant chapter and this is our regular chapter meeting.

Unfortunately, our speaker this month has come down with laryngitis so we're going to be showing a few of the talks from this year's AppSecUSA conference with pizza. To vote on which talk you would be interested in viewing go to this tweet

Website
Wednesday
Jan 9
OWASP Portland Chapter Meeting - Docker Security
New Relic

Docker has become a very popular tool for deploying server applications. It aims to solve many problems with dependency management and drift between development and production environments, and make it easy for developers to deploy their software quickly.

This talk is about how to use all of this wonderful convenience for evil. It will cover Docker containers and how they work (and how to infect them with malware), some services commonly used in Docker infrastructure and how to find and exploit them, and some Docker-specific post-exploitation strategies. It will also cover best practices for mitigating and detecting attacks on your Docker infrastructure and how to create a healthy security culture among your Docker engineers.

Josh is a Linux security practitioner and developer based in Portland, Oregon. He works as a security engineer at New Relic, where he builds security visibility tools, breaks SaaS software, and helps developers build secure infrastructure.

Website
Tuesday
Feb 26
Portland OWASP Chapter Meeting - Building a Security Program From Nothing with Kendra Ash
Vacasa

Companies are starting to build security programs with no prior experience as awareness about cyber threats increases. Often this is at a later stage when the company has a fully staffed engineering team and accumulated security debt. This talk is about how to build a security program from nothing using stakeholder analysis and risk assessments to help prioritize remediation efforts and avoid getting overwhelmed. A healthy and effective security program relies on building relationships throughout the company, enlisting security champions, and leveraging tooling and automation as effectively as possible. Kendra Ash will be sharing some of the lessons learned on our journey building a security program from scratch over the last several months.

Kendra Ash (@securelykash) is an information security engineer at Vacasa, actively building a security team and program by leveraging guidance from her network and industry standards.

Website
Tuesday
Mar 12
Portland OWASP - Breaching the Cyber Security Job Industry with Ryan Krause
Simple 120 SE Clay St Floor 2, Portland, OR 97214

Breaching the Cyber Security Job Industry

Despite the growing popularity of the cyber security industry, many job hunters still find it challenging to break into the field. With numerous entry-level cyber security jobs requiring one, two, or sometimes even three years of security-related experience, how are inexperienced applicants supposed to get their foot in the door?

This talk will discuss some of the challenges that potential employees face while looking for careers in the cyber security industry. It will explore potential career paths for new high school and college graduates, mid-career employees with a technical background, as well as mid-career employees with no technical background. The discussion will also focus on ways to help position yourself for success in the industry, touching on security internships, university diplomas, industry certificates, Portland-based security meetings, and self-study resources.

Ryan Krause is a penetration tester based in the Portland, Oregon area. He has worked in various areas of the security field for the past 11 years for companies such as HP, eEye Digital Security/BeyondTrust, and Comcast with a primary focus on application security and development. He is currently a consultant at NetSPI where he performs web and network penetration tests and assists clients with reducing their overall security exposure.

Website
Wednesday
Apr 10
Portland OWASP - OWASP Top Ten For Javascript Developers with Lewis Ardern
New Relic

OWASP Top 10 for JavaScript Developers

The OWASP Top 10 is a powerful awareness document for web application security. It represents a broad consensus about the most critical security risks to web applications.

With the release of the OWASP TOP 10 2017 we saw new issues rise as contenders of most common issues in the web landscape. Much of the OWASP documentation displays issues, and remediation advice/code relating to Java, C++, and C#; however not much relating to JavaScript. JavaScript has drastically changed over the last few years with the release of Angular, React, and Vue, alongside the popular use of NodeJS and its libraries/frameworks. This talk will introduce you to the OWASP Top 10 explaining JavaScript client and server-side vulnerabilities.

Lewis Ardern is a Senior Security Consultant at Synopsys. His primary areas of expertise are in web security and security engineering. Lewis enjoys creating and delivering security training to various types of organizations and institutes in topics such as web and JavaScript security. He is also the founder of the Leeds Ethical Hacking Society and has helped develop projects such as bXSS (https://github.com/LewisArdern/bXSS) and SecGen (https://github.com/cliffe/secgen).

Website
Tuesday
May 14
Portland OWASP - InfoSec and AppSec: Recruiting, Interviewing, Hiring Q&A
Zapproved

Following up Ryan Krause's talk on breaking into the cybersecurity industry, May's chapter meeting hosted by Zapproved will offer attendees an opportunity to hear from hiring managers and InfoSec/AppSec leaders on what they look for in hiring for their roles and thoughts on career progression. Attendees will have ample opportunity to ask questions and engage our panel.

Panel:

Zefren Edior - Umpqua Bank

Zefren currently works at Umpqua Bank, and he is the Information Security Assurance Lead. He has 10 plus years of experience in IT operations, information security, risk management, compliance and audit. He mentors and advises students, who have worked at public accounting firms, big tech companies, and startups. He is passionate about technology, cybersecurity, and helping people align their knowledge, skills, and abilities to achieve personal and professional growth.

Patterson Cake - Haven Information Security / PeaceHealth

Patterson has been in information technology for over 20 years, focusing on security for the past several years in offensive, defensive and leadership roles. He is the founder of Haven Information Security, an instructor for SANS, and the Principal Cybersecurity Engineer for PeaceHealth.

Josha Bronson - Bronsec

Josha is a founder at bronsec, working with clients big and small on all aspects of security. Former security team founder at yammer.

Sam Harwin - Salesforce

Sam leads a technical team of security engineers that assess a wide variety of Enterprise facing infrastructure for the organization. They focus on performing technical security testing, risk assessments, and providing business risk guidance on a wide variety of infrastructure technologies such as operating systems (Mac, Linux, Windows, iOS, Android), devices (mobile, embedded technologies, IOT), networks (wired, wireless, cloud), and applications (endpoint, mobile, public cloud).

Philip Jenkins - Zapproved

Philip is director of compliance and IT at Zapproved. He has over 20 years’ experience in IT security, network management, system engineering, and IT processes. His past experience includes Director of Security at Jama Software and CISO at Strands Finance. Philip holds his CISSP and CISM certifications and is a recognized leader in information security. He is active in (ISC)2, ISACA, OWASP, InfraGard, and ISSA.

Website
Wednesday
Jun 19
Portland OWASP - Security Requirement Elicitation with Bhushan Gupta
CloudBolt Software

Web Application Security spreads over the application functionality, the platform it is running on, the development and deployment environment, third-party applications used, and last but not least, the open source code it utilizes. The requirements breadth is mind-boggling. You ignore any of these aspects and you become vulnerable.

This talk will discuss a structured approach to establish essential security requirements based on the CIA triad. The discussion will then expand over how these requirements manifest in the industry standards such as PCI, Government agencies, and globally. It will also delve into third party and open source code scenarios. The audience will take home a checklist of different aspects of security requirements to consider when building a Web application.

Bio: Bhushan Gupta, Gupta Consulting, LLC.

Proven champion for quality and well-versed with software quality engineering, and an AppSec researcher, Bhushan is the principal consultant at Gupta Consulting, LLC. A Certified Six Sigma Black Belt (ASQ), he possesses deep and broad experience in solving complex problems, change management, and coaching and mentoring. As a member of Open Web Application Security Project (OWASP), he is dedicated to driving the AppSec to higher levels via integration of security into Agile software development life cycle. His research areas are: elicitation of security requirements, comprehensive testing approaches beyond penetration testing, application of test tools and use of AI (Machine Learning) in secure web application development.

Bhushan has a MS in Computer Science (1985) from New Mexico Tech and has worked at Hewlett-Packard and Nike Inc. in various roles. He was a faculty member at the Oregon Institute of Technology, Software Engineering department, from 1985 to 1995 and is currently an Adjunct Faculty member.

Website
Wednesday
Jul 10
Portland OWASP - The Easy (and Secure!) Way to Build JavaScript Web Apps with OAuth 2 & OIDC with Jake Feasel
New Relic

What are the best current practices for building modern, completely standards-based (OIDC) web applications? Which flow should you use? How should you renew expired access tokens? How do you work with multiple resource servers? How do you achieve single-sign on? How can you make logging into your app as seamless as possible? We will demonstrate how simple it is to do all of this using open source libraries maintained by ForgeRock. Together we will deep dive into what these libraries are doing for you behind the scenes: PKCE, service workers, IndexedDB storage, hidden iframes, and more. In the end you will have all the tools at your disposal to easily build your next modern web app with OIDC.

Jake Feasel Developer Experience Lead; Forgerock

Jake has been working in the web platform for 20 years, all the while primarily interested in the use of standards and open source technologies. Jake is currently a senior engineer at ForgeRock, where he has been for the last seven years. He is most recently responsible for improving the ways in which developers interact with the ForgeRock Identity Platform.

Website