Viewing 2 current events matching “owasp” by Date.

Tuesday
Apr 25
OWASP: Software Composition -- the other 95% of your app's attack surface
New Relic

Abstract

Nobody really writes their own code any more, right? We go out to GitHub and download some libraries for our favorite language to do all the hard things for us. Then we download half a dozen front end frameworks to make it all pretty and responsive and we’re off to the races. In my review I’ve found that more than 90% of the code that makes up an app these days is something we borrowed rather than wrote ourselves. Now most of us scan our own code for flaws with Static Analysis tools, but what about all the stuff we didn’t write? How do we know what’s actually in there? I’ll tell you how to find out and keep track of what’s in there, and how to avoid getting pwned because you let a nasty in the back door with that whiz-bang library that does the really cool thing you couldn’t live without.

Speaker

Jeremy Anderson
Cambia Health Solutions

Jeremy Anderson is a Secure Software Architect and CSSLP, with almost 20 years of experience developing software solutions for numerous Fortune 500 companies. In 2014 he had a run-in with InfoSec that spurred him into action as an AppSec superhero, and he has since worked for HP and then Veracode. Since early 2016 he’s been working with Cambia Health Solutions, bootstrapping and scaling an Application Security program from the ground up, supporting hundreds of developers across dozens of applications. He’s passionate about not just finding security defects, but training ninjas to destroy them.


The Open Web Application Security Project (OWASP) is a 501c3 not-for-profit worldwide charitable organization focused on improving the security of application software. To sign up for future meeting notes and to discuss security topics with local gurus, sign up on the OWASP Portland mailing list: https://lists.owasp.org/mailman/listinfo/owasp-portland


Meetings are free and open to the public.

Monday
Mar 27
OWASP/AngularJS combined: Boosting the Security of Your Angular Application
Cambia Health Solutions

This month PDX OWASP is joining forces with the local AngularJS meetup to feature:
Philippe De Ryck, PhD
Web Security Expert @ imec-DistriNet, KU Leuven

Abstract

Angular 2 is hot, and there is a huge amount of information available on building applications, improving performance, and various other topics. But do you know how to make your Angular 2 applications secure? What kind of security features does Angular 2 offer you, and which additional steps can you take to really boost the security of your applications?

In this session, we cover one of the biggest threats in modern web applications: untrusted JavaScript code. You will learn how Angular protects you against XSS, and why you shouldn't bypass this protection. We will also dive into new security mechanisms, such as Content Security Policy. Through a few examples, I will show you how you can use these mechanisms to enhance the security in your client-side context.

Speaker

Philippe De Ryck is a professional speaker and trainer on software security and web security. Since he obtained his PhD at the imec-DistriNet research group (KU Leuven, Belgium), he has been running the group's Web Security Training program, which ensures a sustainable knowledge transfer of the group’s security expertise towards practitioners.

You can find more about Philippe on https://www.websec.be



Viewing 32 past events matching “owasp” by Date.

Tuesday
Jan 19, 2010
Portland OWASP Chapter Meeting
U.S. Bancorp Tower

We'll meet in the Morrison room on the third floor. Stop at the security desk up front if you have any problems, or give me a call (801-372-9378).

Travis Spencer has offered to give us a talk about SAML, federation, and identity.

For notices on future meetings, please sign up on the Portland OWASP mailing list (low volume): https://lists.owasp.org/mailman/listinfo/owasp-portland

Thursday
Apr 21, 2011
NW ISSA Security Summit

Hosted by the ISSA – Portland Chapter, the NW ISSA Security Summit, held in conjunction with InnoTech Oregon, returns April 21st to the Oregon Convention Center. Join us for this one-day, in-depth conference that highlights the latest in the IT Security landscape. If you only go to one conference this year, make this the one!

The NW ISSA Security Summit will feature three (3) distinct conference tracks:

1) Business
2) Application Development
3) Technology

Each track will be comprised of top notch sessions from leading industry professionals. Whether you are an application developer, security manager, IT manager, engineer, auditor, CISO, CTO, Project Manager, or simply interested in the security sector, the Summit is meaningful to you. Mark your calendars for April 21st and we’ll see you there! Go to www.nwsecuritysummit.com to register and for more information.

Thursday
Aug 4, 2011
How to Avoid Being the Next Security Breach Headline (OWASP v3)
Kells Irish Restaurant & Pub

Join the SAO's QA Forum for another dynamic lunch program, to learn about the Open Web Application Security (OWASP) Testing Guide v3 and how to verify the security of your running applications. This is a great opportunity to network with a great local speaker (Mike Hryekewicz, Software Engineer V, Standard Insurance Company) and industry peers and to find out about Oregon job openings and upcoming community events.

The OWASP Testing Guide describes a set of techniques for finding different kinds of security vulnerabilities within an application. These techniques are used by testers and developers to help produce secure code and to supplement security reviewers' application assessment efforts.

This presentation will provide an overview of the guide, a road map for where it is heading in the next release, and guidance for how it can be applied in the business of producing secure software solutions.

Who should attend? Anyone interested in Web Application Security, including management, security professionals, developers, students, etc.

Agenda
11:00am Doors open
11:00am-11:30am Registration, networking and lunch
11:30am Welcome & Community Announcements
11:45am Program starts
12:50pm Final questions
1:00pm Program ends

Tuesday
Jan 24, 2012
OWASP Chapter Planning Meeting
Hopworks Urban Brewery

The goal of this informal chapter meeting is to give people a chance to talk shop about security topics and to plan the future direction of the Portland OWASP chapter.

Thursday
Mar 8, 2012
OWASP Chapter Meeting
Collective Agency

About Joe

This chapter meeting features guest speaker Joe Basirico, Director of Security Services at Security Innovation. Joe is responsible for managing the professional services business at Security Innovation. He leverages his unique experience as a development lead, trainer, researcher, and test engineer to lead the security engineering team in their delivery of high-quality, impactful assessment and remediation solutions to the company’s customers. His ability to blend his technical skills with risk-based contextual analysis and unwavering customer commitment makes him an invaluable asset for each Security Innovation client.

Joe is an active member in the security and open-source communities, having contributed technology, training, utilities, expertise and methodologies. He manages the company’s engineering blog and has written several publications that focus on vulnerabilities at the source code level. Joe holds a B.S. in Computer Science from Montana State University.

About the Talk - Thinking Like the Enemy

In this talk I will help you get into the Hacker's mindset from my ten years of experience as a penetration tester, assessing some of the most exciting applications in the world.

This talk will cover the most important qualities of a hacker or security tester, Top Vulnerabilities that you can't afford to miss as well as more difficult to tackle vulnerabilities that have caused tons of headaches and pain. By the end of the hour you'll better understand how to cause your application true pain, find a tiny weakness and cause the walls of security to crumble around it. After that we'll also talk about how to rebuild those walls to be more robust.

Sunday
Jul 1, 2012
OWASP FLOSSHack - Ushahidi
Free Geek

FLOSSHack is an experimental workshop project designed to bring together those who want to learn more about "hacking" (secure programming and application penetration testing) with those who are in need of low cost or pro bono security auditing.

This first ever FLOSSHack event will be focused on the Ushahidi platform. Stay tuned for more details in the coming weeks.


Wednesday
Aug 22, 2012
OWASP Chapter Meeting
Portland State University Fourth Avenue Building (FAB)

Double Feature! For this chapter meeting, we have two protocol-oriented talks at PSU. Basic refreshments will be provided.

Kevin P. Dyer presents:
What Encryption Leaks and Why Traffic Analysis Countermeasures Fail

As more applications become web-based, an increasing number of client-server interactions are exposed to our networks and vulnerable to Traffic Analysis (TA) attacks. In one form, TA attacks exploit the lengths and timings of packets in a protocol's flow to infer sensitive information about communications. In the context of encrypted HTTP connections, such as HTTP over SSH, this means an adversary can determine which website a user is visiting. In the context of a specific web application, an adversary can determine user input by viewing only a few client-server interactions.

Recent advances in the application of Machine Learning tools demonstrate that TA attacks are possible despite industry-standard encryption such as TLS, SSH or IPSec. What is more, even if a protocol uses stronger countermeasures, such as fixed-length per-packet padding, this incurs significant overhead but only provides limited security benefit. These types of security vs. efficiency trade-offs are of immediate concern to security-aware applications such as Tor, and performance-sensitive application features such as Google Search Autocomplete.

In this talk, Kevin will address the state-of-the-art TA attacks and proposed countermeasures in the context of network and web application security. Most importantly, he will discuss open problems in this area and why a general-purpose TA countermeasure remains elusive.

Timothy D. Morgan presents:
HTTPS, Cookies, and Men-in-the-Middle: Why You Shouldn't Allow Marketing Departments to Design Your Security Protocols

Login session management in modern web applications is largely dominated by use of HTTP cookies. However, HTTP cookies were never designed for secure applications, which has led to a significant number of protocol security problems.

In this talk, Tim will start with a brief background on why HTTP cookies are a poorly-conceived mechanism to begin with, and continue with a discussion of how this impacts security. He will describe several lesser-known cookie-based session management problems that remain widespread and allow for session hijacking through a variety of clever attacks.


Kevin P. Dyer is a PhD student at Portland State University. His research focuses on building protocols that are resistant to Traffic Analysis attacks. Prior to his academic life, Kevin worked as an engineer on various projects in telecommunications security, web security and network security. Kevin holds an MSc in the Mathematics of Cryptography and Communications from Royal Holloway, University of London, and a BS in Computer Science and Mathematics from Santa Clara University.

Timothy D. Morgan is a consultant at Virtual Security Research, LLC (VSR). As an application security specialist and digital forensics researcher, Tim has been taking deep technical dives in security for over a decade. Tim resides in Oregon and works at VSR where he helps to secure his customers' environments through penetration testing, training, and forensics investigations. His past security research has culminated in the release of several responsibly disclosed vulnerabilities in popular software products. Tim also develops and maintains several open source digital forensics tools which implement novel data recovery algorithms.


Thursday
Dec 13, 2012
OWASP Chapter Meeting
Collective Agency

Matthew Lapworth will present a talk on static code analysis.


Wednesday
Jan 9, 2013
OWASP - How to (FLOSS)Hack
Collective Agency

Join us for a How to (FLOSS)Hack tutorial, which will introduce several common classes of web application vulnerabilities such as XSS, SQL injection, and XML External Entity flaws. The goal of the session is to bring novice FLOSSHack participants up to speed on how to identify new vulnerabilities that are likely to appear in the target software for this week's FLOSSHack. FLOSSHack is an experimental workshop project designed to bring together those who want to learn more about "hacking" (secure programming and application penetration testing) with those who are in need of low cost or pro bono security auditing.

NOTE: For best results, please bring a laptop to participate in the hands-on exercises.

Sunday
Jan 13, 2013
OWASP - FLOSSHack Returns
Free Geek

FLOSSHack is an experimental workshop project designed to bring together those who want to learn more about "hacking" (secure programming and application penetration testing) with those who are in need of low cost or pro bono security auditing.

The target software for this FLOSSHack event is OpenMRS. For more info, see the event page.

Wednesday
Jun 5, 2013
OWASP Chapter Meeting - Jim Manico
Collective Agency

Jim Manico has offered to come and give us another great talk. Topic will either be "Top Ten Web Defenses" or "Securing the Software Development Lifecycle".

We will serve Pizza! Please RSVP by emailing {tim . morgan at owasp.org} so we can better estimate how much to order.


Tuesday
Jul 2, 2013
OWASP Chapter Meeting
Portland State University Fourth Avenue Building (FAB)

Kevin P. Dyer presents:

P0wning DPI with Format-Transforming Encryption

Deep packet inspection (DPI) technologies provide much-needed visibility and control of network traffic using port-independent protocol identification (PIPI), where a network flow is labeled with its application-layer protocol based on packet contents. In many cases PIPI can be used for good. As one example, it allows network administrators to elevate the priority of time-sensitive (e.g., VoIP) data streams. In other cases PIPI can be used for harm: nation-states employ PIPI to block censorship circumvention tools such as Tor. There are many ways to perform PIPI; however, at the core of nearly all modern PIPI systems are regular expressions, an expressive tool to compactly specify sets of strings.

In this talk, Kevin reviews the state-of-the-art research on the capabilities of state-level DPI, then presents a novel cryptographic primitive called format-transforming encryption (FTE). An FTE scheme, intuitively, extends conventional symmetric encryption with the ability to transform the ciphertext into a user-defined format using regular expressions. An FTE-based record layer will be presented that can encrypt arbitrary TCP traffic and coerce modern DPI systems into misclassifying any data stream as a target protocol (e.g., HTTP, SMB, RSTP, etc.) of the user's choosing. What's more, this work is not only theoretical in nature: an open-source FTE prototype is publicly available and has had success in subverting modern DPI systems, including the Great Firewall of China.

PSU is kindly providing coffee, tea, and cookies for us.


Kevin P. Dyer is a PhD student at Portland State University. His research focuses on building protocols that are resistant to traffic-analysis attacks and discriminatory routing policies. Previously, Kevin worked as a software engineer in telecommunications security, web security and network security. He holds an MSc in the Mathematics of Cryptography and Communications from Royal Holloway, University of London, and a BS in Computer Science and Mathematics from Santa Clara University.

Wednesday
Oct 30, 2013
OWASP Chapter Planning Meeting
Brix Tavern

This is a planning meeting for the Portland OWASP chapter. Please join us if you are interested in helping us plan and organize the activities of the chapter for the next year.

Please RSVP if you plan on showing up. Just shoot an email to

( tim DOT morgan AT owasp DOT org )

Some of the topics we expect to discuss at this meeting:

  • Chapter meetings
  • FLOSSHack events
  • Local/regional conferences and training events
  • Approaches to sponsorship
  • Long term group leadership and governance
  • YOUR ideas

Monday
Jan 6, 2014
OWASP Chapter Meeting
New Relic

Stephen A. Ridley will be presenting on the vulnerability of mobile applications.

UPDATE: New Relic will be providing pizza for attendees. Yum.



Stephen A. Ridley is a security researcher and author with more than 10 years of experience in software development, software security, and reverse engineering. Within the last few years, he has presented his research and spoken about reverse engineering and software security research on every continent except Antarctica. Stephen and his work have been featured on NPR and NBC and in Wired, Washington Post, Fast Company, VentureBeat, Slashdot, The Register, and other publications. Prior to his current work, Mr. Ridley served as the Chief Information Security Officer of a financial services firm. Prior to that, he held various information security researcher/consultant roles, including his role as a founding member of the Security and Mission Assurance (SMA) group at a major U.S. Defense contractor, where he did vulnerability research and reverse engineering in support of the U.S. Defense and Intelligence community. Mr. Ridley calls Portland home and was a recent speaker at the Chaos Communication Congress in Hamburg.

Wednesday
Apr 2, 2014
OWASP Chapter Meeting
Jive Software

Kevin Dyer will be presenting:


High-Profile Password Database Breaches: A Tale of (Avoidable) Blunders

Over the last few years, password database breaches reported in mainstream press have increased in frequency and magnitude. There is a typical pattern: service providers, such as Adobe or Yahoo or Snapchat, fail on at least two fronts. First, network perimeters and databases are breached; then, improperly secured user data and passwords are exfiltrated and shared in cleartext. Even if the former can't be prevented, there are security best practices to mitigate the impact of the latter, which are (seemingly) ignored.

In this talk, we'll discuss specific case studies and review the essential security best practices for storing sensitive user information. The goal is to show that in every case free, off-the-shelf tools are available, that would have mitigated the scope of the breach and (possibly) the onslaught of negative publicity. As one example, we'll build intuition for why using Scrypt (a memory-hard function) is superior to traditional cryptographic hash functions for storing passwords.

Kevin P. Dyer is a PhD student at Portland State University. His research focuses on network security and building protocols resistant to traffic-analysis attacks and censorship. Previously, Kevin worked as a software engineer in telecommunications security, web security and network security. He holds an MSc in the Mathematics of Cryptography and Communications from Royal Holloway, University of London, and a BS in Computer Science with Mathematics from Santa Clara University.


Thursday
May 29, 2014
OWASP Chapter Meeting
New Relic

Ian Melven will be presenting: The Evolving Web Security Model


Is there a single cohesive model for the web? No, there is not. What exists today is the result of the original same-origin policy and its evolution in many directions as a response to new threats and attacks. Where did we start, what tools are available to web developers to protect their sites and users, and where might we go in the future as the line between websites and native applications continues to become more and more blurry? Join us on a journey through the past, present, and future of the web security model and its continuing evolution.

Ian Melven is an application security engineer at New Relic. He has previously worked in technical security roles at companies including Mozilla, Adobe, McAfee, Symantec, and @stake.

Tuesday
Jul 22, 2014
OWASP Chapter Meeting
New Relic

Tim Morgan will be presenting: What You Didn't Know About XML External Entities Attacks

The eXtensible Markup Language (XML) is an extremely pervasive technology used in countless software projects. Certain features built into the design of XML, namely inline schemas and document type definitions (DTDs), are a well-known source of potential security problems. Despite being publicly discussed for more than a decade, a significant percentage of software using XML remains vulnerable to malicious schemas and DTDs. This talk will describe a collection of techniques for exploiting XML external entities (XXE) vulnerabilities, some of which we believe are novel. These techniques can allow for more convenient file content theft, sending of arbitrary data to arbitrary internal TCP services, uploads of arbitrary files to known locations on a vulnerable system, as well as several possible denial of service attacks. We hope this talk will raise awareness about the overall risk associated with XXE attacks and will provide recommendations that developers and XML library implementors can use to help prevent these attacks.

Tim Morgan is credited with the discovery and responsible disclosure of several security vulnerabilities in commercial off-the-shelf and open source software including: IBM Tivoli Access Manager, Real Networks Real Player, Sun Java Runtime Environment, Google Chrome Web Browser, OpenOffice, and Oracle WebLogic Application Server. Tim develops and maintains several open source forensics tools as well as Bletchley, an application cryptanalysis tool kit. Tim regularly speaks and delivers technical training courses; his next will be on cryptography for developers at AppSecUSA 2014.


Monday
Oct 20, 2014
OWASP Chapter Planning Meeting
Tugboat Brewing Company

This is a planning meeting for the Portland OWASP chapter. Please join us if you are interested in helping us plan and organize the activities of the chapter for the next year.

Please RSVP if you plan on showing up. Just shoot an email to

( tim DOT morgan AT owasp DOT org )

Some of the topics we expect to discuss at this meeting:

  • Chapter meetings
  • FLOSSHack events
  • Approaches to sponsorship
  • Long term group leadership and governance
  • YOUR ideas

Thursday
Dec 4, 2014
OWASP Chapter Meeting
New Relic

Joseph Arpaia, MD will be presenting: Hiding in Plain Sight: A Mnemonic Method For Creating Secure Passwords

The human brain is not suited to recalling secure passwords composed of random sequences of characters, especially if they are not used regularly. Humans are excellent at recalling sentences, even years after learning them, e.g. nursery rhymes and song lyrics. This ability can be used to create a mnemonic method for generating a large number of passwords from one remembered passphrase, even if the passphrase and the associated characters are not kept secret.

Joseph Arpaia received his BS in Chemistry from CalTech and his MD from UC Irvine where he also did research in electrophysiology and applications of chaos theory to psychiatry. He is a psychiatrist in private practice in Eugene, OR and applies heart rate variability analysis in his work with patients. He also teaches applications of mindfulness meditation to psychotherapy at the University of Oregon and is the co-author of Real Meditation in Minutes a Day. He has a long-standing interest in passwords and security which dates back to his experience at age 8 when he came up with a Vernam cipher in response to a challenge by his father to encrypt a text message.


Friday
Feb 13, 2015
OWASP Chapter Meeting
New Relic

Software development is speeding up; Waterfall to Agile to Continuous Integration to Continuous Deployment. Do we still have time for security? Of course we do! But many development shops are unaware how to add security to their development process and will often use "security slows us down" as a reason to produce insecure code. This talk focuses on how to add security into a speedy development process while still remaining fast and responsive to customer requests.

The speaker will be Joe Basirico - the VP of Services for Security Innovation. Before he started leading the team, he was a developer, trainer, researcher, and security engineer. Joe spent the majority of his professional career analyzing software security behavior and researching how software development organizations mature over time from a security perspective. Through this research, he developed an understanding of application threats, tools, and methodologies that assist in the discovery and removal of security problems both software- and process-related. He manages the company’s engineering blog and has written several publications and tools that focus on source code level vulnerabilities.

Tuesday
Mar 31, 2015
OWASP Chapter Meeting
New Relic

People in Information Security say passwords are dead. Yet the replacement solutions are not available or mainstream. An independent developer, Steve Gibson, decided to do something about it and created SQRL. From his website: "Proposing a comprehensive, easy-to-use, high security replacement for usernames, passwords, reminders, one-time-code authenticators . . . and everything else." Let's talk about what SQRL is, how it works, how it could work in your solution, and whether it has competitors. I am as interested in your feedback as I hope you are interested in resolving the password problem!

Brian Ventura is an Information Security Architect at the City of Portland with 21 years of experience in IT. Brian has enterprise, consulting and project management experience, supplying secure solutions to internal and external customers. Brian is mentoring a SANS MGT414 course in Portland between April 14th and June 16th. You can find more information at https://www.sans.org/instructors/brian-ventura

Wednesday
Jun 17, 2015
OWASP Chapter Meeting
Jive Software

Bob Loihl will be presenting:
Secure Software Development Life Cycle in an Agile World

In this day and age we must do everything we can to produce secure software. But how, you ask? I will be talking about some of the options available and how to get an initiative started in your workplace/project. I will cover some of the choices out there for Agile Development and then we'll examine one choice, BSIMM (https://www.bsimm.com/), in more depth. I will follow that up with a discussion of some of the challenges and some of the benefits of implementing an SSDLC.

Bob Loihl is a Software Engineer with 20+ years of experience developing business applications, leading teams and spreading the security word. He has a strong interest in delivering applications that are secure by design in an agile world. He has been helping Tripwire grow and mature its development processes for the last 10 years and his current hobby is incorporating SSDLC (Secure Software Development Life-Cycle) processes into the software manufacturing process. Bob is passionate about family, software, canoes and guitars. In his spare time he works at Tripwire producing high quality software using Agile methodologies. Oh yeah, he cares a tiny bit about security.

Tuesday
Jul 21, 2015
OWASP Chapter Meeting
New Relic

Talk

At the end of the day, security depends on code. Secure software demands secure code, configuration, management, testing, and constant improvement.

Security automation aligns perfectly with the modern, fast-paced environments like continuous delivery that are quickly seeping into companies of all kinds.

Automation provides drastic results with little effort, but quickly reaches a plateau where the effort involved in finding better results that provide value rises above the value of focusing elsewhere.

In this talk, I will focus on some of the lesser discussed topics of security automation and how they relate to the lines of code that produce the reason why we are discussing security automation today. The goal is to give a complete understanding of the ways that companies like _ and _ have produced secure code that runs their web applications.

Speaker

Neil is currently an engineer at GitHub, co-founder of Brakeman Security Inc., and OWASP Orange County board member. Formerly, he was an application security engineer at Twitter, OC Ruby leader, and AppSec California organizer. Neil enjoys long walks on the beach, long walks in the woods, and long walks anywhere really. His turnoffs include noisy offices, noisy people, and noisy anything really.

Wednesday
Oct 7, 2015
OWASP Chapter Planning Meeting
Mama Mia Trattoria

This is a planning meeting for the Portland OWASP chapter. Please join us if you are interested in helping us plan and organize the activities of the chapter for the next year.

Please RSVP if you plan on showing up. Just shoot an email to

( tim DOT morgan AT owasp DOT org )

Some of the topics we expect to discuss at this meeting:

  • Summary of AppSecUSA
  • Leads on speakers for Chapter Meetings
  • FLOSSHack events
  • A Possible Training Day
  • Long term group leadership and governance
  • YOUR ideas

Tuesday
Nov 17, 2015
OWASP: Antivirus in the Enterprise - Is it dead yet?
Jama Software (New Office)

This month's topic is "Antivirus in the Enterprise - is it dead yet?" Read almost any article about antivirus today, and there will be an opinion somewhere in the writing about the applicability and effectiveness of antivirus software in the enterprise today. Some say yes; some say no. We will open this meeting with a pro/con presentation by security professionals Tony Carothers and Timothy D. Morgan, followed by discussion and debate in a panel style, about antivirus software and its effectiveness in software security today. Refreshments will be provided.

Wednesday
Feb 17, 2016
OWASP: Inspiring People to Embrace Risk Management
New Relic

This month's OWASP chapter meeting features Andrew Plato, President and CEO of Anitian.

Talk

Security leaders are under supreme pressure to build security programs that protect the business without disabling the business. However, the greatest impediment to success is not the technologies or regulations, but rather the people who must implement a security program. As a security leader, how do you communicate important risk, security, and compliance concepts to your team in a manner that inspires them to action? The answer is security vision. We live in a world where people do not want more rules, they want meaning. The problem with so much of what we do in security is that it often seems annoying and unnecessary to users and executives. When people understand the mission and vision of the organization, they are naturally inclined to follow good practices. In this presentation, veteran security leader and CEO Andrew Plato will discuss how to create, foster, and promote security vision to improve engagement with your co-workers. We will discuss communication, leadership, and motivational strategies that clarify and simplify security concepts to drive maximum employee engagement.

Speaker

Andrew Plato, CISSP, CISM, QSA

In 1995, while working at Microsoft, Andrew executed the first known instance of a SQL Injection attack against an early e-commerce site. When he demonstrated this attack to the developers, they dismissed the issue as irrelevant. This both intrigued and inspired Andrew to found Anitian with the goal of helping people understand the complexities of information security.
Today, Anitian is one of the most trusted names in security intelligence with clients worldwide. Anitian has a mission to Build Great Security Leaders. For the past 20 years, Andrew and Anitian have consistently executed on this mission with innovative, pragmatic answers to the most vexing security, compliance, and risk challenges. Andrew's career encompasses nearly every dimension of information security. He has participated in thousands of security projects, written hundreds of articles, and advised hundreds of C-level executives. Being both a business owner and a security practitioner allows Andrew to bring a unique perspective to any discussion regarding security, technology, and governance. Andrew is well-known for delivering entertaining presentations that challenge conventional thinking and deliver practical answers to complex IT security challenges.

Monday
May 23, 2016
OWASP: Scanning APIs with OAS 2.0 (Swagger)
New Relic

Scanning APIs with OAS 2.0 (Swagger):

The Open API Specification is a relative newcomer in the history of web service interface documentation. It stands apart from its predecessors by not tying itself to a specific vendor technology, and aims to embrace all forms of RESTful HTTP. Leveraging this powerful specification for automated scanning of APIs will save time by providing a straightforward mechanism to evaluate APIs without having to proxy traffic or manually build attack vectors.

Topics covered

  • What is the OpenAPI Specification (Swagger)
  • How Swagger/REST relates to SOAP/XML
  • Tools for converting to/from Swagger and other formats ('X')
  • Scanning a simple RESTful JSON based API with Swagger
  • Swaggering the SDLC.

Speaker

Scott Davis
Rapid7
Application Security Researcher
Portland, Oregon Area

Scott has been developing software professionally for over 15 years in a variety of contexts and technologies including wireless sensor networks, robotics, migration modeling & visualization, ERP, interactive projection art, product development and security services. Scott has spent as many years focusing on the security aspects of these technologies, and has leveraged this background to lead the engineering security team at Webtrends for several years. Currently, he serves as an Application Security Researcher for Rapid7.

Tuesday
Jun 21, 2016
OWASP: Add TAL, improve a threat model!
WebMD

Add TAL, improve a threat model!

To improve your (threat) modeling career, you need a better (threat) agent (library)! Threat modeling is a process for capturing, organizing, and analyzing the security of a system based on the perspective of a threat agent. Threat modeling enables informed decision-making about application security risk. In addition to producing a model, typical threat modeling efforts also produce a prioritized list of security improvements to the concept, requirements, design, or implementation. In 2009, OWASP posted wiki pages on threat modeling. Although there was the start of a section on threat agents, it has yet to be completed.

Intel developed a unique standardized threat agent library (TAL) that provides a consistent, up-to-date reference describing the human agents that pose threats to IT systems and other information assets. Instead of picking threat agents based on vendor recommendations and the space available on a PowerPoint slide, the TAL gives a repeatable method that is still flexible enough for a range of risk assessment uses. We will cover both the TAL and the Threat Agent Risk Assessment (TARA), and how they can be used to improve threat modeling.

Speaker

Eric Jernigan
Information Security Architect
Umpqua Bank


Eric Jernigan is an Information Security Architect at Umpqua Bank and focuses on risk assessment, secure project support, information security governance, and security awareness. Prior to this, Eric served as an information security manager and adjunct instructor at PCC. He has also served as an active duty Information Warfare Analyst in the Air National Guard in support of NORTHCOM/NORAD. He has almost twenty years of intelligence, counter-terrorism, information warfare, information security, and compliance experience. His current professional certifications include CISM, CRISC, and CISSP, so love him. A staunch privacy advocate, he hates Facebook.

Thursday
Jul 28, 2016
OWASP: Social Engineering -- How to Avoid Being a Victim 
Jama Software (New Office)

Social engineering (the act of exploiting people instead of computers) is one of the most dangerous tools in the hacker's toolkit for breaching internet security. Ubiquiti Networks fell victim to a $39.1 M fraud when one of its staff members was hit by a fraudulent "Business Email Compromise" attack. Thousands of grandmas and grandpas are victims of phishing emails and are forced to pay ransom to have their data released.

In this new millennium, the cyber security game has changed significantly from annoying, harmless viruses to stealing vital personal data, causing negative financial impact, demanding ransom, and spreading international political feuds. Anyone with a presence in cyberspace has to protect himself/herself, the infrastructure, and customers, and also deal with the legal repercussions in the event of a breach. In this talk Bhushan will present the different types of social engineering practices the bad guys successfully use, including the use of social networks such as Facebook, Twitter, and LinkedIn. The victims can range from the "C" levels (CEO, CFO, CTO) down to the individual contributors in an organization to a grandparent on her laptop. The presentation will also discuss a variety of ordinary but effective measures, such as awareness campaigns, that organizations can take to minimize the risk of breach.


Speaker Bhushan Gupta

A principal consultant at Gupta Consulting LLC, Bhushan Gupta is passionate about the integration of web application security into the Agile software development lifecycle. His interests extend to Social Engineering and Attack Surface Analysis. Bhushan worked at Hewlett-Packard for 13 years in various roles including quality engineer, software process architect, and software productivity manager. He then developed a strong interest in web application security while working as a quality engineer for Nike Inc. After 5 years at Nike, he retired and has since been studying various facets of web application security. Bhushan is a certified Six Sigma Black Belt (HP and ASQ) and an adjunct faculty member in Software Engineering at the Oregon Institute of Technology. To learn more about Bhushan, visit www.bgupta.com.


This meeting will be recorded! Feel free to tune in live, or catch the recording later (~24hrs after event).

Thursday
Aug 25, 2016
OWASP: Node.js Security
Simple

This talk will discuss the current state of Node.js security, the risks of the Node.js ecosystem, and what vulnerabilities and patterns we have found in the hundreds of applications and the thousands of modules we have audited.


Speaker

Adam Baldwin

Adam is the team lead at ^Lift Security and he founded the Node Security Project 3 years ago & hasn’t stopped trying to make security a core value of the Node.js community since then. In his free time Adam enjoys doing basically the exact same stuff he does for work, also raising chickens, and spending as much time as possible with his wife and 2 children.

Wednesday
Nov 2, 2016
OWASP Training Day 2016
Portland State University (PSU) - Smith Memorial Center

This year the Portland OWASP chapter is hosting a training day. This will be an excellent opportunity for students to receive quality information security and application security training for next to nothing. (Similar training may cost more than 10 times as much in a conference setting.) It will also be a great chance to network with the local infosec community.

For more information on the schedule and how to register, see the main event page.

Courses are held in two tracks: two in the morning session, and two in the afternoon session. Each student can register for one morning course, or one afternoon course, or one of each!


Morning Session


Cyber Hygiene - Critical Security Controls

With so many types of network attacks and so many tools/solutions to combat these attacks, which should I implement first? Which should I buy? Can I build it myself? The CIS Critical Security Controls are a prioritized approach to ensuring information security. As a general risk assessment, the Critical Security Controls address the past, current and expected attacks occurring across the Internet. In this course we will outline the controls, discuss implementation and testing, and provide examples.


Introduction to Injection Vulnerabilities

Instructor: Timothy D. Morgan

Ever concatenated strings in your code? Did those strings include any kind of structured syntax? Then your code might be vulnerable to injection. Injection flaws are a broad, common category of vulnerability in modern software. While many developers are aware of high-profile technical issues, such as SQL injection, any number of injection vulnerabilities are possible in other languages, protocols, and syntaxes. Upon studying these flaws in many contexts, an underlying "theory of injection" emerges. This simple concept can be applied to many situations (including new technologies and those yet to be invented) to help developers avoid the most common types of implementation vulnerabilities. The reason why "injection" is #1 on the OWASP Top 10 will become very clear by the end of this class. This course will provide students a detailed introduction to injection vulnerabilities and then get students busy with hands-on exercises where a variety of different injection flaws can be explored and understood in real-world contexts.

Afternoon Session


Applied Physical Attacks on Embedded Systems, Introductory Version

This workshop introduces several different, relatively accessible interfaces on embedded systems. Attendees will get hands-on experience with UART, SPI, and JTAG interfaces on a MIPS-based wifi router. After a brief architectural overview of each interface, hands-on labs will guide attendees through the process of understanding, observing, interacting with, and exploiting the interface to potentially access a root shell on the target.


Communications Security in Modern Software

Securing communications over untrusted networks is a critical component to any modern application's security. However, far too often developers and operations personnel become tripped up by the many pitfalls of implementation in this area, which often leads to complete failures to secure data on the wire. In this course we discuss how attackers can gain access to other users' communication through a variety of techniques and cover the strategies for preventing this. The course covers specific topics ranging from the SSL/TLS certificate authority system, to secure web session management and mobile communications security. A hands-on exercise is included in the course which helps students empirically test SSL/TLS certificate validation in a realistic scenario.

Monday
Feb 13
OWASP Chapter Planning Meeting
Kells Irish Restaurant & Pub

NOTE THE LAST MINUTE VENUE CHANGE!

This is a planning meeting for the Portland OWASP chapter. Please join us if you are interested in helping us plan and organize the activities of the chapter for the next year.

Please RSVP if you plan on showing up. Just shoot an email to

( tim DOT morgan AT owasp DOT org )

Some of the topics we expect to discuss at this meeting:

  • Training day recap
  • Leadership roles and commitments
  • Upcoming chapter meetings
  • YOUR ideas
