Viewing 1 current event matching “AppSec” by Date.

Sort By: Date Event Name, Location , Default
Feb 11
Portland OWASP Chapter Meeting: CMD+CTRL Web Application Cyber Range

Want to test your skills in identifying web app vulnerabilities? Join OWASP Portland and Security Innovation as members compete in CMD+CTRL, a web application cyber range where players exploit their way through hundreds of vulnerabilities that lurk in business applications today. Success means learning quickly that attack and defense is all about thinking on your feet.

For each vulnerability you uncover, you are awarded points. Climb the interactive leaderboard for a chance to win fantastic prizes! CMD+CTRL is ideal for development teams to train and develop skills, but anyone involved in keeping your organization’s data secure can play - from developers and managers and even CISOs.

All you need is your laptop and your inner evil-doer.

Register early to reserve your spot and get a sneak peek at our cheat sheets and FAQs!


Viewing 18 past events matching “AppSec” by Date.

Sort By: Date Event Name, Location , Default
Jan 23, 2018
OWASP: AppSec Testing Beyond Pen Test
Jama Software (New Office)

Abstract: Most web application security testing efforts are concentrated around penetration testing which is an art based on a hacker’s psyche, thought process, and determination to exploit vulnerabilities. But, does it yield a high level of confidence and sense of security in a developer’s mind? The answer is a “maybe” especially when the bad guy is obsessed with figuring out new exploits to hack your application. The web application developers have to think about intrinsic security - that is, building security throughout the SDLC. We build applications based upon well-formed customer requirements. Why should we not, then, build our applications based upon the fundamental principles of security and then harden security from the hacker’s perspective?

Bio: Principal consultant at Gupta Consulting LLC., Bhushan Gupta is passionate about development methods and tools that yield more secure web applications especially in the agile software development environment. As a researcher he has keen interest in understanding and applying fundamental principles and known methodologies to develop dependable and secure software solutions. His interests extend to Social Engineering and Attack Surface Analysis. Bhushan worked at Hewlett-Packard for 13 years in various roles including software quality lead, engineer, software process architect, and software productivity manager. He then developed a strong interest in web application security while working as a quality engineer for Nike Inc. Bhushan has been studying various facets of web application security and promoting how to apply common sense approach to build secure solutions. He is a certified Six Sigma Black Belt (HP and ASQ) and an adjunct faculty member at the Oregon Institute of Technology in Software Engineering. To learn more about Bhushan’s contributions to SDLC, visit

Feb 26, 2018
OWASP February Chapter Meeting : Jon Bottarini on Bug Bounties
Jive Software

Jon Bottarini will be presenting on bug bounties (from both a hacker and a program perspective), common mistakes in the software development lifecycle that make it easier to find bugs, and what developers can do to understand their full attack surface.


Jon Bottarini is a Technical Program Manager at HackerOne, where he is responsible for managing the bug bounty programs for the US Department of Defense and other companies looking to leverage talent from hacker-powered security. In his free time he is also a hacker and bug bounty hunter who has reported vulnerabilities to worldwide brands and organizations such as New Relic, Apple, Google, the US Department of Defense, and many more.


Oct 3, 2018
OWASP Portland 2018 Training Day
World Trade Center

For the third year in a row, the Portland OWASP chapter is proud to host our information security training day! This is be an excellent opportunity for those interested to receive top quality information security and application security training for prices far lower than normally offered. It's also a great chance to network with the local infosec community and meet those who share your interests.

OWASP Portland 2018 Training Day will be October 3, 2018.

Courses Courses will be held in two tracks: four in the morning session, and four in the afternoon session. Each participant can register for one morning course, or one afternoon course, or one of each.

The Portland OWASP chapter is hosting its 3rd annual training day. This will be an excellent opportunity for students to receive quality information security and application security training for next to nothing. It will also be a great chance to network with the local infosec community. For more information, see the main event page.

Courses are held in four tracks: four in the morning session, and four in the afternoon session. Each student can register for one morning course, or one afternoon course, or one of each!

NOTE: If you see that a course is sold out, then it is unlikely we will have any additional seats in that course. You can email ian DOT melven AT OR benny DOT zhao AT OR bhushan DOT Gupta AT to request being added to the waiting list. Please be sure to specify which class(es) you want to be added to the wait list for.

OWASP Portland 2018 Training Day will be October 3, 2018. This year we'll be located at:

World Trade Center Portland 121 SW Salmon St. Portland, OR 97204. Later in the evening, a social mixer will also be held at Rock Bottom Restaurant & Brewery, just a short walk away:

206 SW Morrison St Portland, OR 97204

Time Activity 8:00 AM - 8:30 AM Morning Registration and Continental Breakfast 8:30 AM - 12:00 PM Intro to Hacking Web 3.0 (Mick Ayzenberg)

Introduction to Computer Forensics (Kris Rosenberg)

Intro to Practical Internal Vulnerability Scanning (Patterson Cake)

Incident Handling in Cloud Environment - a primer (Derek Hill)

12:00 PM - 1:30 PM Lunch on your own - Meet a new friend and grab a bite!

1:00 PM - 1:30 PM Afternoon Registration (for those attending only in the afternoon)

1:30 PM - 5:00 PM Advanced Application Security Testing (Timothy Morgan)

AppSec Testing Beyond Pen Test (Bhushan Gupta)

Applied Physical Attacks on Embedded Systems, Introductory Version (Joe FitzPatrick)

Advanced Custom Network Protocol Fuzzing (Joshua Pereyda)

5:00 PM - 7:30 PM Evening Mixer @ Rock Bottom Restaurant and Brewery

Want to get news and information on our 2018 Training Day? Subscribe to the Portland OWASP mailing list or follow @PortlandOWASP on Twitter!

Nov 8, 2018
OWASP Portland Chapter Meeting - OWASP Juice Shop!
New Relic

The Portland Chapter of the Open Web Application Security Project (OWASP) will be hosting an introduction to OWASP Juice Shop []. OWASP Juice Shop is an intentionally insecure web application for security trainings written entirely in JavaScript which encompasses the entire OWASP Top Ten [] and other severe security flaws. The session will provide a top level overview of the Juice Shop playground and how to get started with it, as well as an opportunity for attendees to team up to teach and learn from each other in a fun Capture The Flag competition.

David Quisenberry (@dmqpdx16) will be facilitating the session. He's a developer with Daylight Studio and explorer of application security issues.

Dec 6, 2018
OWASP Portland Chapter Meeting
Jama Software (New Office)

Interested in web application security? OWASP is for you. The Open Web Application Security Project aims to improve the security of software. Portland has a vibrant chapter and this is our regular chapter meeting.

Unfortunately, our speaker this month has come down with laryngitis so we're going to be showing a few of the talks from this year's AppSecUSA conference with pizza. To vote on which talk you would be interested in viewing go to this tweet

Jan 9, 2019
OWASP Portland Chapter Meeting - Docker Security
New Relic

Docker has become a very popular tool for deploying server applications. It aims to solve many problems with dependency management and drift between development and production environments, and make it easy for developers to deploy their software quickly.

This talk is about how to use all of this wonderful convenience for evil. It will cover Docker containers and how they work (and how to infect them with malware), some services commonly used in Docker infrastructure and how to find and exploit them, and some Docker-specific post-exploitation strategies. It will also cover best practices for mitigating and detecting attacks on your Docker infrastructure and how to create a healthy security culture among your Docker engineers.

Josh is a Linux security practitioner and developer based in Portland, Oregon. He works as a security engineer at New Relic, where he builds security visibility tools, breaks SaaS software, and helps developers build secure infrastructure.

Feb 26, 2019
Portland OWASP Chapter Meeting - Building a Security Program From Nothing with Kendra Ash

Companies are starting to build security programs with no prior experience as awareness about cyber threats increases. Often this is at a later stage when the company has a fully staffed engineering team and accumulated security debt. This talk is about how to build a security program from nothing using stakeholder analysis and risk assessments to help prioritize remediation efforts and avoid getting overwhelmed. A healthy and effective security program relies on building relationships throughout the company, enlisting security champions, and leveraging tooling and automation as effectively as possible. Kendra Ash will be sharing some of the lessons learned on our journey building a security program from scratch over the last several months.

Kendra Ash (@securelykash) is an information security engineer at Vacasa, actively building a security team and program by leveraging guidance from her network and industry standards.

Mar 12, 2019
Portland OWASP - Breaching the Cyber Security Job Industry with Ryan Krause
Simple 120 SE Clay St Floor 2, Portland, OR 97214

Breaching the Cyber Security Job Industry

Despite the growing popularity of the cyber security industry, many job hunters still find it challenging to break into the field. With numerous entry-level cyber security jobs requiring one, two, or sometimes even three years of security-related experience, how are inexperienced applicants supposed to get their foot in the door?

This talk will discuss some of the challenges that potential employees face while looking for careers in the cyber security industry. It will explore potential career paths for new high school and college graduates, mid-career employees with a technical background, as well as mid-career employees with no technical background. The discussion will also focus on ways to help position yourself for success in the industry, touching on security internships, university diplomas, industry certificates, Portland-based security meetings, and self-study resources.

Ryan Krause is a penetration tester based in the Portland, Oregon area. He has worked in various areas of the security field for the past 11 years for companies such as HP, eEye Digital Security/BeyondTrust, and Comcast with a primary focus on application security and development. He is currently a consultant at NetSPI where he performs web and network penetration tests and assists clients with reducing their overall security exposure.

Apr 10, 2019
Portland OWASP - OWASP Top Ten For Javascript Developers with Lewis Ardern
New Relic

OWASP Top 10 for JavaScript Developers

The OWASP Top 10 is a powerful awareness document for web application security. It represents a broad consensus about the most critical security risks to web applications.

With the release of the OWASP TOP 10 2017 we saw new issues rise as contenders of most common issues in the web landscape. Much of the OWASP documentation displays issues, and remediation advice/code relating to Java, C++, and C#; however not much relating to JavaScript. JavaScript has drastically changed over the last few years with the release of Angular, React, and Vue, alongside the popular use of NodeJS and its libraries/frameworks. This talk will introduce you to the OWASP Top 10 explaining JavaScript client and server-side vulnerabilities.

Lewis Ardern is a Senior Security Consultant at Synopsys. His primary areas of expertise are in web security and security engineering. Lewis enjoys creating and delivering security training to various types of organizations and institutes in topics such as web and JavaScript security. He is also the founder of the Leeds Ethical Hacking Society and has helped develop projects such as bXSS ( and SecGen (

May 14, 2019
Portland OWASP - InfoSec and AppSec: Recruiting, Interviewing, Hiring Q&A

Following up Ryan Krause's talk on breaking into the cybersecurity industry, May's chapter meeting hosted by Zapproved will offer attendees an opportunity to hear from hiring managers and InfoSec/AppSec leaders on what they look for in hiring for their roles and thoughts on career progression. Attendees will have ample opportunity to ask questions and engage our panel.


Zefren Edior - Umpqua Bank

Zefren currently works at Umpqua Bank, and he is the Information Security Assurance Lead. He has 10 plus years of experience in IT operations, information security, risk management, compliance and audit. He mentors and advises students, who have worked at public accounting firms, big tech companies, and startups. He is passionate about technology, cybersecurity, and helping people align their knowledge, skills, and abilities to achieve personal and professional growth.

Patterson Cake - Haven Information Security / PeaceHealth

Patterson has been in information technology for over 20 years, focusing on security for the past several years in offensive, defensive and leadership roles. He is the founder of Haven Information Security, an instructor for SANS, and the Principal Cybersecurity Engineer for PeaceHealth.

Josha Bronson - Bronsec

Josha is a founder at bronsec, working with clients big and small on all aspects of security. Former security team founder at yammer.

Sam Harwin - Salesforce

Sam leads a technical team of security engineers that assess a wide variety of Enterprise facing infrastructure for the organization. They focus on performing technical security testing, risk assessments, and providing business risk guidance on a wide variety of infrastructure technologies such as operating systems (Mac, Linux, Windows, iOS, Android), devices (mobile, embedded technologies, IOT), networks (wired, wireless, cloud), and applications (endpoint, mobile, public cloud).

Philip Jenkins - Zapproved

Philip is director of compliance and IT at Zapproved. He has over 20 years’ experience in IT security, network management, system engineering, and IT processes. His past experience includes Director of Security at Jama Software and CISO at Strands Finance. Philip holds his CISSP and CISM certifications and is a recognized leader in information security. He is active in (ISC)2, ISACA, OWASP, InfraGard, and ISSA.

Jun 19, 2019
Portland OWASP - Security Requirement Elicitation with Bhushan Gupta
CloudBolt Software

Web Application Security spreads over the application functionality, the platform it is running on, the development and deployment environment, third-party applications used, and last but not least, the open source code it utilizes. The requirements breadth is mind-boggling. You ignore any of these aspects and you become vulnerable.

This talk will discuss a structured approach to establish essential security requirements based on the CIA triad. The discussion will then expand over how these requirements manifest in the industry standards such as PCI, Government agencies, and globally. It will also delve into third party and open source code scenarios. The audience will take home a checklist of different aspects of security requirements to consider when building a Web application.

Bio: Bhushan Gupta, Gupta Consulting, LLC.

Proven champion for quality and well-versed with software quality engineering, and an AppSec researcher, Bhushan is the principal consultant at Gupta Consulting, LLC. A Certified Six Sigma Black Belt (ASQ), he possesses deep and broad experience in solving complex problems, change management, and coaching and mentoring. As a member of Open Web Application Security Project (OWASP), he is dedicated to driving the AppSec to higher levels via integration of security into Agile software development life cycle. His research areas are: elicitation of security requirements, comprehensive testing approaches beyond penetration testing, application of test tools and use of AI (Machine Learning) in secure web application development.

Bhushan has a MS in Computer Science (1985) from New Mexico Tech and has worked at Hewlett-Packard and Nike Inc. in various roles. He was a faculty member at the Oregon Institute of Technology, Software Engineering department, from 1985 to 1995 and is currently an Adjunct Faculty member.

Jul 10, 2019
Portland OWASP - The Easy (and Secure!) Way to Build JavaScript Web Apps with OAuth 2 & OIDC with Jake Feasel
New Relic

What are the best current practices for building modern, completely standards-based (OIDC) web applications? Which flow should you use? How should you renew expired access tokens? How do you work with multiple resource servers? How do you achieve single-sign on? How can you make logging into your app as seamless as possible? We will demonstrate how simple it is to do all of this using open source libraries maintained by ForgeRock. Together we will deep dive into what these libraries are doing for you behind the scenes: PKCE, service workers, IndexedDB storage, hidden iframes, and more. In the end you will have all the tools at your disposal to easily build your next modern web app with OIDC.

Jake Feasel Developer Experience Lead; Forgerock

Jake has been working in the web platform for 20 years, all the while primarily interested in the use of standards and open source technologies. Jake is currently a senior engineer at ForgeRock, where he has been for the last seven years. He is most recently responsible for improving the ways in which developers interact with the ForgeRock Identity Platform.

Aug 13, 2019
Portland OWASP: Using Graph Theory to Understand Security with Tim Morgan

Using Graph Theory to Understand Security

Information security is hard. It must be, because we keep getting hacked. One aspect that makes it so difficult is the level of complexity that exists in even a modestly-sized digital infrastructure. Humans can consider only so many security relationships, trust boundaries, and attack scenarios at once. This complexity makes it hard to decide where to focus our defensive resources and we're regularly led astray by the latest shiny tool or security advisory. Remarkably, our adversaries actually have a similar challenge: once a digital intruder gains a foothold in an environment that is completely new to them, how do they know what next steps they should take to efficiently achieve their goal? The environments they attack are not only complex, they are also unexplored landscapes that must be mapped out.

This is where graph theory can lend a hand. Several open source tools, such as BloodHound and Infection Monkey, provide intruders (whether that be your friendly neighborhood pentester or your adversaries) with easy ways to map out infrastructures and identify the quickest path to your crown jewels. While this is certainly alarming, we can also use these tools ourselves to find out what our infrastructures look like in the eyes of an attacker.

In this talk, Tim will provide a brief introduction to graph theory, show some demos of the free tools that use it, and discuss how he is using these techniques to build automated threat models "at scale" to make defenders' lives easier.

Speaker: Timothy Morgan

After earning his computer science degrees (B.S., Harvey Mudd College and M.S., Northeastern University) and spending a short time as a software developer, Tim began his career in application security and vulnerability research. In his work as a consultant over the past 14 years, Tim has led projects as varied as application pentests, incident response, digital forensics, secure software development training, phishing exercises, and breach simulations. Tim has also presented his independent research on Windows registry forensics, XML external entities attacks, web application timing attacks, and practical application cryptanalysis at conferences such as DFRWS, OWASP's AppSec USA, BSidesPDX, and BlackHat USA.

For the past three years Tim has been building an innovative new risk-based vulnerability management product (DeepSurface) that helps his customers gain a much deeper understanding of the complex relationships present in their digital infrastructures. Visit to learn more about Tim's latest R&D effort.

Oct 9, 2019
Portland OWASP - Threat Modeling in 2019 with Adam Shostack
New Relic

Attacks always get better, so your threat modeling needs to evolve. Learn what's new and important in threat modeling in 2019. Computers that are things are subject to different threats, and systems face new threats from voice cloning and computational propaganda and the growing importance of threats “at the human layer.” Take home actionable ways to ensure your security engineering is up to date.

Speaker: Adam Shostack Adam is a leading expert on threat modeling, and a consultant, entrepreneur, technologist, author and game designer. He's a member of the BlackHat Review Board, and helped create the CVE and many other things. He currently helps many organizations improve their security via Shostack & Associates, and advises startups including as a Mach37 Star Mentor. While at Microsoft, he drove the Autorun fix into Windows Update, was the lead designer of the SDL Threat Modeling Tool v3 and created the "Elevation of Privilege" game. Adam is the author of Threat Modeling: Designing for Security, and the co-author of The New School of Information Security.

Nov 12, 2019
Portland OWASP Chapter Meeting: Overcoming Your Greatest InfoSec Adversary: You!

Tips on formulating complete sentences without acronyms, learning to pretend you aren't the smartest person in the room, choosing the right animations for your PowerPoint presentations, and more! Let's be honest, you probably didn't get into info-sec because of your love for public speaking, your mastery of written and verbal communication, or your highly-tuned social skills! Regardless, these things are key to your success or failure in info-sec. Dare to join me for a frank if somewhat tongue-in-cheek conversation regarding strategies for simplifying complex conversations, recognizing and overcoming common communication obstacles, translating leet-speak to business language and creating effective visual presentations.

Speaker: Patterson Cake

Patterson has been in information technology for over 20 years, focusing on security for the past several years in offensive, defensive and leadership roles. He is the founder of Haven Information Security, an instructor for SANS, and the Principal Cybersecurity Engineer for PeaceHealth.

Dec 10, 2019
Portland OWASP Chapter Meeting: So You Want to Teach Security? Bully for You!
Autodesk Inc

This talk focuses on building a security curriculum and teaching it, whether individually, at the workplace or in academia. Start with the following question: Am I the right person to do it? A novice can be downright dangerous, while an expert who can't teach as useful as a waterproof teabag. Security education is the first line of defense, but who trains the trainers? Are students getting their money's worth? What differentiates your training from others? Join the speaker to share life lessons, funny anecdotes, and useful advice on lecturing, "curriculuming", and critiquing. Learn what it means to containerize a syllabus, deploy labs in a continuous integration-like environment using open source tools and why markdown is a better tool than PowerPoint for creating new content. Consider security textbooks as obsolete, "office hours" mandatory, and the impact of the Family Educational Rights and Privacy Act (FERPA). There will be a test at the end of the talk.

Speaker: John L. Whiteman

John is a product security expert and instructor at Intel in Oregon. He's also a part-time adjunct instructor teaching cybersecurity at the University of Portland. In a past life, John was a shipboard and classroom instructor in the United States Navy, training hundreds of sailors in the dark arts of passive sonar and torpedo countermeasure systems (in case the former didn't pan out). He also did a stint as a news director for a small radio station in Colorado. John has an M.S. in Computer Science from Georgia Tech and a B.A. in Asian Studies from the University of Maryland UC. He holds CISSP, CCSP and CEH security certifications. John blogs and loves to podcast for the OWASP chapter in Portland.

Jan 7
Portland OWASP Study Night: Burp Suite Basics with Sophia Anderson
Ctrl-H / PDX Hackerspace

Happy New Year! Welcome to our second ever OWASP PDX study night. Our January topic will be "Burp Suite Basics" presented by Sophia Anderson. Sophia is a security consultant for NetSPI performing web application penetration tests for Fortune 500 clients to discover vulnerabilities. Sorry no pizza unless you want to bring :).

Study Nights are smaller, bitesize, digestible, skill building mini lectures or workshops for those interested in learning new skills, tools, tricks, or new CTF challenges. It’s also meant for members to practice communication skills and teamwork in a supportive environment.

Study Nights meet the first Tuesday of each month at the ^H hackerspace in North Portland. Doors will be at 7pm, event will start at 7:30pm and wrap up by 8:30. Please bring your computer with Burp Suite installed and preferred note taking mechanisms.

Seating is limited


Jan 13
Portland OWASP Chapter Meeting - Introduction to Burp Suite with Ryan Krause

Burp Suite is an integrated platform for performing security testing of web applications. Its various tools work seamlessly together to support the entire testing process, from initial mapping and analysis of an application’s attack surface, through to finding and exploiting security vulnerabilities. Burp gives you full control, letting you combine advanced manual techniques with state-of-the-art automation, to make your work faster, more effective, and more fun.

The speaker covers the basics of the tool along with real-world experiences and techniques that can help you as a pen tester.

Speaker: Ryan Krause

Ryan is a penetration tester based in the Portland, Oregon area. He has worked in various areas of the security field for the past 11 years for companies such as HP, eEye Digital Security/BeyondTrust, and Comcast with a primary focus on application security and development. He is currently a consultant at NetSPI where he performs web and network penetration tests and assists clients with reducing their overall security exposure.