OWASP - User contributions [en]

OWASP Portland 2019 Training Day

2019-09-21T01:29:38Z

Bzhao: Updated Summit Security logo

For the fourth year in a row, the Portland OWASP chapter is proud to host our information security training day! This is be an excellent opportunity for the local Portland security community to receive top quality information security and application security training for prices far lower than normally offered. It's also a great chance to network with other local infosec and appsec enthusiasts and meet those who share your interests.

The 4th annual OWASP Portland 2019 Training Day date will be on September 25, 2019. See [[#Details|Details]] for more info.

General Registration will open at 9am PST on August 15th. Tickets cost $25.00 per session.

Want to get news and information on our 2019 Training Day? Subscribe to the [https://groups.google.com/a/owasp.org/forum/#!forum/portland-chapter] Portland OWASP mailing list or follow [https://twitter.com/portlandowasp @PortlandOWASP] on Twitter!

=Courses=
Courses will be held in two tracks: four in the morning session, and four in the afternoon session. Each participant can register for one morning course, one afternoon course, or one of each.

== Morning Session 8:30 AM - Noon ==

=== AWS API Threat Modeling and Automated Testing ===

==== Sponsored by Cambia ====

''Instructor: Kendra Ash''

Abstract: If you are a software, DevOps, QA or security engineer and want to learn how to threat model API's in AWS this course is for you. This course will cover the what, why, when, and how of threat modeling applications in your organization. The bulk of this course will be based on the book Threat Modeling by Adam Shostack and will leverage a variant of the Escalation of Privileges card game. Also, I will dive into the approach I have used to gain adoption from engineering teams as a security engineer.
After gaining an understanding of threat modeling, we will dive into how we can automate security checks for an AWS environment — leveraging the AWS CLI tool to provide quick engineering feedback on ways to improve the security of their infrastructure.

Takeaways:
* Learn the basics of threat modeling
* Learn ways to gain adoption by your peers
* How to automate security checks for AWS

Bio: Kendra Ash (@securelykash) is an information security engineer at Vacasa, actively building a security team and program by leveraging guidance from her network and industry standards. Co presenting is Ryan Nixon (@taiidani) an experienced DevOps engineer who deeply cares about the security of all applications. Constantly looking for ways to keep all server and application configurations in order with proper auditing & pipelines.

Prerequisites: no previous knowledge is required, this course is for all levels and jobs (QA, DevOps, Security and Software Engineer)

=== Applied Physical Attacks on Embedded Systems, Introductory Version ===

==== Sponsored by New Relic ====

''Instructor: Joe FitzPatrick''

Abstract: This workshop introduces several different relatively accessible interfaces on embedded systems. Attendees will get hands-on experience with UART, SPI, and JTAG interfaces on a MIPS-based wifi router. After a brief architectural overview of each interface, hands-on labs will guide through the process understanding, observing, interacting with, and exploiting the interface to potentially access a root shell on the target.

=== Security Tools and Jenkins Pipeline ===

==== Sponsored by WebMD ====

''Instructor: Sneha Kokil''

Abstract: Modern application development embeds security activities in SDLC, while adopting DevSecOps culture. Security tools are being viewed in the context of continuous integration and automation, which are the key factors in achieving a successful DevSecOps implementation. Integrating security tools in the CI/CD pipelines has become a primary focus of most of the organizations, who are striving to build application security from within. This workshop focuses on getting a good understanding of how some of the open source security tools can be integrated in Jenkins CI/CD pipeline for languages such as Go and Java, along with application container scanning solutions. The workshop will be a hands-on experience, where the participants will write their own pipeline code for integrating security tools. The key takeaways from this workshop will help participants experience how security tooling fits into CI/CD pipelines. It will also help them appreciate the real-world challenges and possible solutions, when integrating security in existing SDLC.

Bio: Sneha Kokil is a senior security consultant at Synopsys. With a master's degree in information security from Northeastern University, along with several years of development and security experience, she specializes in integrating software security toolchains within SDLC processes. She is immensely passionate about DevSecOps and how it helps building security in. Outside of work, she is an avid biography and science fiction reader, a swimmer, and a mother to a wonderful daughter.

=== OWASP Top 10 / Juice Shop Hack Session ===

==== Sponsored by Kraken ====

''Instructor: David Quisenberry''

Abstract: This session is meant for those new to OWASP Top Ten. We will go over the OWASP Top Ten - where it came from, what it’s good for, what are the top ten, etc. And illustrate the concepts in the OWASP Top Ten through another OWASP Flagship Project - The OWASP Juice Shop. This will be a hands on class so everyone can follow along in the Juice Shop to explore the concepts. There will be time at the end for everyone to continue on their vulnerability hunting and a friendly Juice Shop CTF.

Bio: David Quisenberry (@QuizSec) is a backend developer and security champion with Daylight Studio, a local Portland boutique web agency. He serves on the Portland OWASP board as Outreach/Events coordinator and does what he can to up the involvement of established and emerging software developers in security conversations.

Prerequisites: Laptop capable of running docker and burpsuite.

== Afternoon Session: 1:30 PM - 5:00 PM ==

=== Web Applications and Filesystem Security / Deserialization Attacks ===

==== Sponsored by ForgeRock ====

''Instructor: Timothy Morgan''

Abstract: This course starts by exploring the security ramifications of filesystem semantics, security capabilities, and little known-features as they relate to web application development. Students will practice file upload attacks against a intentionally-vulnerable web application. Next, the course transitions to deserialization attacks, a recently added OWASP Top 10 item, using multiple practical examples to explain this tricky technical issue. Students will have an opportunity to try deserialization attacks in a realistic scenario.

Learning Objectives:
* To better appreciate the ways modern filesystems work on different platforms and what security impacts may result from certain unintuitive behaviors
* Explore the many challenges involved in safely processing file uploads
* Learn about deserialization attacks and how to identify when an application might be at risk

Prerequisites:
* A basic understanding of web application development is strongly recommended
* A laptop or workstation for each student (or pair of students)
* Ability to change proxy settings, install software and run executables on this system
* Please install VirtualBox 6 in order to run a small virtual machine
* If using a Mac, consider bringing a real mouse with 2 buttons. VirtualBox doesn't always play well with other pointing devices on Macs

=== Container Security ===

==== Sponsored by Summit Security ====

''Instructor: Alex Ivkin''

Abstract: "When it comes to container security there are two prevailing schools of thought - either containers are secure by default, so you should not care much, or containers can not be secure in principle, so you should avoid them at all costs. In this training you will go through the real world examples of configuring and running containers in a secure manner. You will get insights into the security of both Windows and Linux containers, container infrastructure, such as container registries and orchestration platforms - docker swarm and kubernetes. We will examine real world vulnerabilities unique to different architectures of containers and how to address them.

Takeaways:
# Building and running docker containers securely
# Avoiding common pitfalls in docker infrastructure setup (dockerd, docker registry)
# Navigating security in the container orchestration platforms (docker swarm, kubernetes)"

Bio: Alex Ivkin (@alexivkinx) is a director of solutions at Eclypsium, a local Portland security company. Alex specializes in security solution architecture, advisory and implementation of firmware and application security, container orchestration and IAM. Alex presented at numerous

security industry conferences, co-authored the ISACA CSX Professional certification and is an alpine climber.

Prerequisites:
* Mid to advanced level technical experience
* Basic experience with running docker containers
* Laptop with docker for windows setup and tested

=== Intro to Chrome Exploitation ===

==== Sponsored by Security Innovation ====

''Instructor: Justin Angra''

Abstract: Over 3 billion browser devices are actively loading arbitrary data served by someone else. What happens if one of those pages contains maliciously crafted JavaScript? Could they capture your passwords, perform UXSS, or worse - execute local code on your machine? In this session, you will get the opportunity to explore the anatomy and play with common vulnerability patterns in the renderer process of Chrome. This will be an interactive class; please bring a laptop with Docker installed.

=== OWASP Amass: Discovering Your Exposure on the Internet ===

==== Sponsored by Daylight Studio ====

''Instructor: Jeff Foley ''

Abstract: Today, large organizations deal with the challenge of running their infrastructure across many networks and namespaces due to the use of cloud and hosting services, legacy environments and acquisitions. This can make it difficult to maintain visibility of Internet-facing assets and to track down systems that pose a risk to security. The OWASP Amass Project has developed a tool to help information security professionals perform network mapping of attack surfaces and perform external asset discovery. During this talk, the founder of the project will discuss how OWASP Amass uses OSINT, network reconnaissance, graph databases and information sharing to provide both attackers and defenders better visibility of target organizations.

Bio: Jeff Foley is the Founder and Project Leader of the OWASP Amass project. Mr. Foley has nearly 20 years of experience as an innovator for research & development, software engineering and red team activities in information security. He is a results-driven technical leader known for delivering game-changing research findings to overcome real-world challenges. Jeff serves as the Manager for Vulnerability Engineering at National Grid and is the CTO & Co-founder of ClaritySec, an Upstate New York based information security startup. Prior to this, he was the Director of Research for the Cyber Systems, Weapon Systems & Sensors Operation at Alion Science & Technology. While serving at Northrop Grumman, Jeff built and led the internal penetration testing team and was the program manager for offensive security research & development. Mr. Foley also shares his expertise and experience by supporting several local university information security programs and participating in information security competitions, such as the SUNY Polytechnic Institute Cybersecurity Advisory Board, Mohawk Valley Community College Computer Science Advisory Board and the CNY Hackathon Competition.

=2019 Sponsors=

'''Interested in becoming a sponsor? Here is a document outlining the opportunities: [https://drive.google.com/file/d/0BydPdSuBlQ4scm1DRmlwMVNyUE11TzdxV1VoZ1lNRTdueTBv/view?usp=sharing Sponsorship-Doc]. Reach out to david.quisenberry@owasp.org to let us know.'''

=== Mixer Sponsors===

[[File:github.png|link=https://github.com/]]              
[[File:Dasher Technologies logo.png|link=https://www.dasher.com/]]

=== Training Session Sponsors ===

[[File:newrelic.png|link=https://newrelic.com/]]              
[[File:Cambia logo.png]]              
[[File:Security Innovation logo.png|link=https://www.securityinnovation.com/]]              
[[File:Daylight logo.png|link=https://thedaylightstudio.com/]]              
[[File:Kraken logo.png|link=https://www.kraken.com/en-us/features/security]]              
[[File:Summit Security logo 2019.png]]              
[[File:ForgeRock logo.png|link=https://www.forgerock.com/]]              
[[File:WebMD logo.jpg|link=https://www.webmd.com/]]

=== Morning Coffee Sponsors ===

[[File:OCI Logo.png|link=https://cloud.oracle.com/en_US/iaas]]              
[[File:NetSPI 2019 logo.png|link=https://www.netspi.com/]]

=== General Sponsors ===

[[File:Vacasa Logo .png|frameless|375x375px]]

=Details=
OWASP Portland 2019 Training Day will be on September 25, 2019.

This year for the 2nd time, we'll be located at:

World Trade Center Portland
121 SW Salmon St.
Portland, OR 97204.

Later in the evening, a social mixer will also be held at Rock Bottom Restaurant & Brewery, just a short walk away:

206 SW Morrison St
Portland, OR 97204

===Schedule===
{| class="wikitable"
! |Time
! colspan="4" |Activity
|-
| style="padding: 0.5em;" |8:00 AM - 8:30 AM
| colspan="4" style="padding: 0.5em;" |Morning Registration and Continental Breakfast
|-
| style="padding: 0.5em;" |8:30 AM - 12:00 PM
| style="padding: 0.5em;" |AWS API Threat Modeling and Automated Testing (Kendra Ash)
| style="padding: 0.5em;" |Applied Physical Attacks on Embedded Systems, Introductory Version (Joe FitzPatrick)
| style="padding: 0.5em;" |Security Tools and Jenkins Pipeline (Sneha Kokil)
| style="padding: 0.5em;" |OWASP Top 10 / Juice Shop Hack Session (David Quisenberry)
|-
| style="padding: 0.5em;" |12:00 PM - 1:30 PM
| colspan="4" style="padding: 0.5em;" | Lunch on your own - ''Meet a new friend and grab a bite!''
|-
| style="padding: 0.5em;" |1:00 PM - 1:30 PM
| colspan="4" style="padding: 0.5em;" | Afternoon Registration (for those attending only in the afternoon)
|-
| style="padding: 0.5em;" |1:30 PM - 5:00 PM
| style="padding: 0.5em;" |Web Applications and Filesystem Security / Deserialization Attacks (Timothy Morgan)
| style="padding: 0.5em;" |Container Security (Alex Ivkin)
| style="padding: 0.5em;" |Intro to Chrome Exploitation (Justin Angra)
| style="padding: 0.5em;" |OWASP Amass: Discovering Your Exposure on the Internet (Jeff Foley)
|-
| style="padding: 0.5em;" |5:00 PM - 7:30 PM
| colspan="4" style="padding: 0.5em;" | Evening Mixer @ Rock Bottom Restaurant and Brewery
|}

Interested in teaching a training at Training Day 2019? Contact Portland OWASP via the mailing list or Twitter!

=== Lunch Ideas ===

Here are some lunch ideas:
* Farmhouse Cafe, 101 SW Main St.
* The Good Earth Cafe, 1136 SW 3rd Ave.
* Chipotle Mexican Grill, 240 SW Yamhill St.
* Luc Lac Vietnamese Kitchen, 835 SW 2nd Ave.
* Rock Bottom Restaurant & Brewery, 206 SW Morrison St.
* Buffalo Wild Wings, 327 SW Morrison St.
* Cafe Yumm, 301 SW Morrison St.
* Killer Burger, 510 SW 3rd Ave.
* House of Ramen, 223 SW Columbia St.
* There are some food carts north of the World Trade Center on SW 3rd Ave. and SW Stark St.

=How to Register=

Registration will again be via [https://www.eventbrite.com/e/owasp-portland-2019-training-day-tickets-67270573095 EventBrite]

Thank you to the OWASP Foundation and the many sponsors, trainers, volunteers and trainers that have helped make Training Day a success and allow us to continue!

File:Summit Security logo 2019.png

2019-09-21T01:29:05Z

Bzhao:

Summit Security logo 2019

File:Summit 2019.png

2019-09-21T01:28:26Z

Bzhao: Bzhao uploaded a new version of File:Summit 2019.png

Summit Security Group logo

File:Summit 2019.png

2019-09-21T01:25:20Z

Bzhao: Bzhao uploaded a new version of File:Summit 2019.png

Summit Security Group logo

File:Summit 2019.png

2019-09-21T01:25:04Z

Bzhao: Bzhao uploaded a new version of File:Summit 2019.png

Summit Security Group logo

File:Summit 2019.png

2019-09-21T01:22:49Z

Bzhao: Bzhao uploaded a new version of File:Summit 2019.png

Summit Security Group logo

File:Summit Icon 2019.png

2019-09-20T23:27:59Z

Bzhao: Bzhao uploaded a new version of File:Summit Icon 2019.png

Summit Logo

File:Summit Icon 2019.png

2019-09-20T23:26:42Z

Bzhao:

Summit Logo

OWASP Portland 2019 Training Day

2019-09-20T20:18:22Z

Bzhao: Summit logo change

For the fourth year in a row, the Portland OWASP chapter is proud to host our information security training day! This is be an excellent opportunity for the local Portland security community to receive top quality information security and application security training for prices far lower than normally offered. It's also a great chance to network with other local infosec and appsec enthusiasts and meet those who share your interests.

The 4th annual OWASP Portland 2019 Training Day date will be on September 25, 2019. See [[#Details|Details]] for more info.

General Registration will open at 9am PST on August 15th. Tickets cost $25.00 per session.

Want to get news and information on our 2019 Training Day? Subscribe to the [https://groups.google.com/a/owasp.org/forum/#!forum/portland-chapter] Portland OWASP mailing list or follow [https://twitter.com/portlandowasp @PortlandOWASP] on Twitter!

=Courses=
Courses will be held in two tracks: four in the morning session, and four in the afternoon session. Each participant can register for one morning course, one afternoon course, or one of each.

== Morning Session 8:30 AM - Noon ==

=== AWS API Threat Modeling and Automated Testing ===

==== Sponsored by Cambia ====

''Instructor: Kendra Ash''

Abstract: If you are a software, DevOps, QA or security engineer and want to learn how to threat model API's in AWS this course is for you. This course will cover the what, why, when, and how of threat modeling applications in your organization. The bulk of this course will be based on the book Threat Modeling by Adam Shostack and will leverage a variant of the Escalation of Privileges card game. Also, I will dive into the approach I have used to gain adoption from engineering teams as a security engineer.
After gaining an understanding of threat modeling, we will dive into how we can automate security checks for an AWS environment — leveraging the AWS CLI tool to provide quick engineering feedback on ways to improve the security of their infrastructure.

Takeaways:
* Learn the basics of threat modeling
* Learn ways to gain adoption by your peers
* How to automate security checks for AWS

Bio: Kendra Ash (@securelykash) is an information security engineer at Vacasa, actively building a security team and program by leveraging guidance from her network and industry standards. Co presenting is Ryan Nixon (@taiidani) an experienced DevOps engineer who deeply cares about the security of all applications. Constantly looking for ways to keep all server and application configurations in order with proper auditing & pipelines.

Prerequisites: no previous knowledge is required, this course is for all levels and jobs (QA, DevOps, Security and Software Engineer)

=== Applied Physical Attacks on Embedded Systems, Introductory Version ===

==== Sponsored by New Relic ====

''Instructor: Joe FitzPatrick''

Abstract: This workshop introduces several different relatively accessible interfaces on embedded systems. Attendees will get hands-on experience with UART, SPI, and JTAG interfaces on a MIPS-based wifi router. After a brief architectural overview of each interface, hands-on labs will guide through the process understanding, observing, interacting with, and exploiting the interface to potentially access a root shell on the target.

=== Security Tools and Jenkins Pipeline ===

==== Sponsored by WebMD ====

''Instructor: Sneha Kokil''

Abstract: Modern application development embeds security activities in SDLC, while adopting DevSecOps culture. Security tools are being viewed in the context of continuous integration and automation, which are the key factors in achieving a successful DevSecOps implementation. Integrating security tools in the CI/CD pipelines has become a primary focus of most of the organizations, who are striving to build application security from within. This workshop focuses on getting a good understanding of how some of the open source security tools can be integrated in Jenkins CI/CD pipeline for languages such as Go and Java, along with application container scanning solutions. The workshop will be a hands-on experience, where the participants will write their own pipeline code for integrating security tools. The key takeaways from this workshop will help participants experience how security tooling fits into CI/CD pipelines. It will also help them appreciate the real-world challenges and possible solutions, when integrating security in existing SDLC.

Bio: Sneha Kokil is a senior security consultant at Synopsys. With a master's degree in information security from Northeastern University, along with several years of development and security experience, she specializes in integrating software security toolchains within SDLC processes. She is immensely passionate about DevSecOps and how it helps building security in. Outside of work, she is an avid biography and science fiction reader, a swimmer, and a mother to a wonderful daughter.

=== OWASP Top 10 / Juice Shop Hack Session ===

==== Sponsored by Kraken ====

''Instructor: David Quisenberry''

Abstract: This session is meant for those new to OWASP Top Ten. We will go over the OWASP Top Ten - where it came from, what it’s good for, what are the top ten, etc. And illustrate the concepts in the OWASP Top Ten through another OWASP Flagship Project - The OWASP Juice Shop. This will be a hands on class so everyone can follow along in the Juice Shop to explore the concepts. There will be time at the end for everyone to continue on their vulnerability hunting and a friendly Juice Shop CTF.

Bio: David Quisenberry (@QuizSec) is a backend developer and security champion with Daylight Studio, a local Portland boutique web agency. He serves on the Portland OWASP board as Outreach/Events coordinator and does what he can to up the involvement of established and emerging software developers in security conversations.

Prerequisites: Laptop capable of running docker and burpsuite.

== Afternoon Session: 1:30 PM - 5:00 PM ==

=== Web Applications and Filesystem Security / Deserialization Attacks ===

==== Sponsored by ForgeRock ====

''Instructor: Timothy Morgan''

Abstract: This course starts by exploring the security ramifications of filesystem semantics, security capabilities, and little known-features as they relate to web application development. Students will practice file upload attacks against a intentionally-vulnerable web application. Next, the course transitions to deserialization attacks, a recently added OWASP Top 10 item, using multiple practical examples to explain this tricky technical issue. Students will have an opportunity to try deserialization attacks in a realistic scenario.

Learning Objectives:
* To better appreciate the ways modern filesystems work on different platforms and what security impacts may result from certain unintuitive behaviors
* Explore the many challenges involved in safely processing file uploads
* Learn about deserialization attacks and how to identify when an application might be at risk

Prerequisites:
* A basic understanding of web application development is strongly recommended
* A laptop or workstation for each student (or pair of students)
* Ability to change proxy settings, install software and run executables on this system
* Please install VirtualBox 6 in order to run a small virtual machine
* If using a Mac, consider bringing a real mouse with 2 buttons. VirtualBox doesn't always play well with other pointing devices on Macs

=== Container Security ===

==== Sponsored by Summit Security ====

''Instructor: Alex Ivkin''

Abstract: "When it comes to container security there are two prevailing schools of thought - either containers are secure by default, so you should not care much, or containers can not be secure in principle, so you should avoid them at all costs. In this training you will go through the real world examples of configuring and running containers in a secure manner. You will get insights into the security of both Windows and Linux containers, container infrastructure, such as container registries and orchestration platforms - docker swarm and kubernetes. We will examine real world vulnerabilities unique to different architectures of containers and how to address them.

Takeaways:
# Building and running docker containers securely
# Avoiding common pitfalls in docker infrastructure setup (dockerd, docker registry)
# Navigating security in the container orchestration platforms (docker swarm, kubernetes)"

Bio: Alex Ivkin (@alexivkinx) is a director of solutions at Eclypsium, a local Portland security company. Alex specializes in security solution architecture, advisory and implementation of firmware and application security, container orchestration and IAM. Alex presented at numerous

security industry conferences, co-authored the ISACA CSX Professional certification and is an alpine climber.

Prerequisites:
* Mid to advanced level technical experience
* Basic experience with running docker containers
* Laptop with docker for windows setup and tested

=== Intro to Chrome Exploitation ===

==== Sponsored by Security Innovation ====

''Instructor: Justin Angra''

Abstract: Over 3 billion browser devices are actively loading arbitrary data served by someone else. What happens if one of those pages contains maliciously crafted JavaScript? Could they capture your passwords, perform UXSS, or worse - execute local code on your machine? In this session, you will get the opportunity to explore the anatomy and play with common vulnerability patterns in the renderer process of Chrome. This will be an interactive class; please bring a laptop with Docker installed.

=== OWASP Amass: Discovering Your Exposure on the Internet ===

==== Sponsored by Daylight Studio ====

''Instructor: Jeff Foley ''

Abstract: Today, large organizations deal with the challenge of running their infrastructure across many networks and namespaces due to the use of cloud and hosting services, legacy environments and acquisitions. This can make it difficult to maintain visibility of Internet-facing assets and to track down systems that pose a risk to security. The OWASP Amass Project has developed a tool to help information security professionals perform network mapping of attack surfaces and perform external asset discovery. During this talk, the founder of the project will discuss how OWASP Amass uses OSINT, network reconnaissance, graph databases and information sharing to provide both attackers and defenders better visibility of target organizations.

Bio: Jeff Foley is the Founder and Project Leader of the OWASP Amass project. Mr. Foley has nearly 20 years of experience as an innovator for research & development, software engineering and red team activities in information security. He is a results-driven technical leader known for delivering game-changing research findings to overcome real-world challenges. Jeff serves as the Manager for Vulnerability Engineering at National Grid and is the CTO & Co-founder of ClaritySec, an Upstate New York based information security startup. Prior to this, he was the Director of Research for the Cyber Systems, Weapon Systems & Sensors Operation at Alion Science & Technology. While serving at Northrop Grumman, Jeff built and led the internal penetration testing team and was the program manager for offensive security research & development. Mr. Foley also shares his expertise and experience by supporting several local university information security programs and participating in information security competitions, such as the SUNY Polytechnic Institute Cybersecurity Advisory Board, Mohawk Valley Community College Computer Science Advisory Board and the CNY Hackathon Competition.

=2019 Sponsors=

'''Interested in becoming a sponsor? Here is a document outlining the opportunities: [https://drive.google.com/file/d/0BydPdSuBlQ4scm1DRmlwMVNyUE11TzdxV1VoZ1lNRTdueTBv/view?usp=sharing Sponsorship-Doc]. Reach out to david.quisenberry@owasp.org to let us know.'''

=== Mixer Sponsors===

[[File:github.png|link=https://github.com/]]              
[[File:Dasher Technologies logo.png|link=https://www.dasher.com/]]

=== Training Session Sponsors ===

[[File:newrelic.png|link=https://newrelic.com/]]              
[[File:Cambia logo.png]]              
[[File:Security Innovation logo.png|link=https://www.securityinnovation.com/]]              
[[File:Daylight logo.png|link=https://thedaylightstudio.com/]]              
[[File:Kraken logo.png|link=https://www.kraken.com/en-us/features/security]]              
[[File:Summit 2019.png]]              
[[File:ForgeRock logo.png|link=https://www.forgerock.com/]]              
[[File:WebMD logo.jpg|link=https://www.webmd.com/]]

=== Morning Coffee Sponsors ===

[[File:OCI Logo.png|link=https://cloud.oracle.com/en_US/iaas]]              
[[File:NetSPI 2019 logo.png|link=https://www.netspi.com/]]

=== General Sponsors ===

[[File:Vacasa Logo .png|frameless|375x375px]]

=Details=
OWASP Portland 2019 Training Day will be on September 25, 2019.

This year for the 2nd time, we'll be located at:

World Trade Center Portland
121 SW Salmon St.
Portland, OR 97204.

Later in the evening, a social mixer will also be held at Rock Bottom Restaurant & Brewery, just a short walk away:

206 SW Morrison St
Portland, OR 97204

===Schedule===
{| class="wikitable"
! |Time
! colspan="4" |Activity
|-
| style="padding: 0.5em;" |8:00 AM - 8:30 AM
| colspan="4" style="padding: 0.5em;" |Morning Registration and Continental Breakfast
|-
| style="padding: 0.5em;" |8:30 AM - 12:00 PM
| style="padding: 0.5em;" |AWS API Threat Modeling and Automated Testing (Kendra Ash)
| style="padding: 0.5em;" |Applied Physical Attacks on Embedded Systems, Introductory Version (Joe FitzPatrick)
| style="padding: 0.5em;" |Security Tools and Jenkins Pipeline (Sneha Kokil)
| style="padding: 0.5em;" |OWASP Top 10 / Juice Shop Hack Session (David Quisenberry)
|-
| style="padding: 0.5em;" |12:00 PM - 1:30 PM
| colspan="4" style="padding: 0.5em;" | Lunch on your own - ''Meet a new friend and grab a bite!''
|-
| style="padding: 0.5em;" |1:00 PM - 1:30 PM
| colspan="4" style="padding: 0.5em;" | Afternoon Registration (for those attending only in the afternoon)
|-
| style="padding: 0.5em;" |1:30 PM - 5:00 PM
| style="padding: 0.5em;" |Web Applications and Filesystem Security / Deserialization Attacks (Timothy Morgan)
| style="padding: 0.5em;" |Container Security (Alex Ivkin)
| style="padding: 0.5em;" |Intro to Chrome Exploitation (Justin Angra)
| style="padding: 0.5em;" |OWASP Amass: Discovering Your Exposure on the Internet (Jeff Foley)
|-
| style="padding: 0.5em;" |5:00 PM - 7:30 PM
| colspan="4" style="padding: 0.5em;" | Evening Mixer @ Rock Bottom Restaurant and Brewery
|}

Interested in teaching a training at Training Day 2019? Contact Portland OWASP via the mailing list or Twitter!

=== Lunch Ideas ===

Here are some lunch ideas:
* Farmhouse Cafe, 101 SW Main St.
* The Good Earth Cafe, 1136 SW 3rd Ave.
* Chipotle Mexican Grill, 240 SW Yamhill St.
* Luc Lac Vietnamese Kitchen, 835 SW 2nd Ave.
* Rock Bottom Restaurant & Brewery, 206 SW Morrison St.
* Buffalo Wild Wings, 327 SW Morrison St.
* Cafe Yumm, 301 SW Morrison St.
* Killer Burger, 510 SW 3rd Ave.
* House of Ramen, 223 SW Columbia St.
* There are some food carts north of the World Trade Center on SW 3rd Ave. and SW Stark St.

=How to Register=

Registration will again be via [https://www.eventbrite.com/e/owasp-portland-2019-training-day-tickets-67270573095 EventBrite]

Thank you to the OWASP Foundation and the many sponsors, trainers, volunteers and trainers that have helped make Training Day a success and allow us to continue!

File:Summit 2019.png

2019-09-20T20:17:21Z

Bzhao:

Summit Security Group logo

OWASP Portland 2019 Training Day

2019-08-15T18:19:41Z

Bzhao:

For the fourth year in a row, the Portland OWASP chapter is proud to host our information security training day! This is be an excellent opportunity for the local Portland security community to receive top quality information security and application security training for prices far lower than normally offered. It's also a great chance to network with other local infosec and appsec enthusiasts and meet those who share your interests.

The 4th annual OWASP Portland 2019 Training Day date will be on September 25, 2019. See [[#Details|Details]] for more info.

General Registration will open at 9am PST on August 15th. Tickets cost $25.00 per session.

Want to get news and information on our 2019 Training Day? Subscribe to the [https://groups.google.com/a/owasp.org/forum/#!forum/portland-chapter] Portland OWASP mailing list or follow [https://twitter.com/portlandowasp @PortlandOWASP] on Twitter!

=Courses=
Courses will be held in two tracks: four in the morning session, and four in the afternoon session. Each participant can register for one morning course, one afternoon course, or one of each.

== Morning Session 8:30 AM - Noon ==

=== AWS API Threat Modeling and Automated Testing ===

==== Sponsored by Cambia ====

''Instructor: Kendra Ash''

Abstract: If you are a software, DevOps, QA or security engineer and want to learn how to threat model API's in AWS this course is for you. This course will cover the what, why, when, and how of threat modeling applications in your organization. The bulk of this course will be based on the book Threat Modeling by Adam Shostack and will leverage a variant of the Escalation of Privileges card game. Also, I will dive into the approach I have used to gain adoption from engineering teams as a security engineer.
After gaining an understanding of threat modeling, we will dive into how we can automate security checks for an AWS environment — leveraging the AWS CLI tool to provide quick engineering feedback on ways to improve the security of their infrastructure.

Takeaways:
* Learn the basics of threat modeling
* Learn ways to gain adoption by your peers
* How to automate security checks for AWS

Bio: Kendra Ash (@securelykash) is an information security engineer at Vacasa, actively building a security team and program by leveraging guidance from her network and industry standards. Co presenting is Ryan Nixon (@taiidani) an experienced DevOps engineer who deeply cares about the security of all applications. Constantly looking for ways to keep all server and application configurations in order with proper auditing & pipelines.

Prerequisites: no previous knowledge is required, this course is for all levels and jobs (QA, DevOps, Security and Software Engineer)

=== Applied Physical Attacks on Embedded Systems, Introductory Version ===

==== Sponsored by New Relic ====

''Instructor: Joe FitzPatrick''

Abstract: This workshop introduces several different relatively accessible interfaces on embedded systems. Attendees will get hands-on experience with UART, SPI, and JTAG interfaces on a MIPS-based wifi router. After a brief architectural overview of each interface, hands-on labs will guide through the process understanding, observing, interacting with, and exploiting the interface to potentially access a root shell on the target.

=== Security Tools and Jenkins Pipeline ===

==== Sponsored by WebMD ====

''Instructor: Sneha Kokil''

Abstract: Modern application development embeds security activities in SDLC, while adopting DevSecOps culture. Security tools are being viewed in the context of continuous integration and automation, which are the key factors in achieving a successful DevSecOps implementation. Integrating security tools in the CI/CD pipelines has become a primary focus of most of the organizations, who are striving to build application security from within. This workshop focuses on getting a good understanding of how some of the open source security tools can be integrated in Jenkins CI/CD pipeline for languages such as Go and Java, along with application container scanning solutions. The workshop will be a hands-on experience, where the participants will write their own pipeline code for integrating security tools. The key takeaways from this workshop will help participants experience how security tooling fits into CI/CD pipelines. It will also help them appreciate the real-world challenges and possible solutions, when integrating security in existing SDLC.

Bio: Sneha Kokil is a senior security consultant at Synopsys. With a master's degree in information security from Northeastern University, along with several years of development and security experience, she specializes in integrating software security toolchains within SDLC processes. She is immensely passionate about DevSecOps and how it helps building security in. Outside of work, she is an avid biography and science fiction reader, a swimmer, and a mother to a wonderful daughter.

=== OWASP Top 10 / Juice Shop Hack Session ===

==== Sponsored by Kraken ====

''Instructor: David Quisenberry''

Abstract: This session is meant for those new to OWASP Top Ten. We will go over the OWASP Top Ten - where it came from, what it’s good for, what are the top ten, etc. And illustrate the concepts in the OWASP Top Ten through another OWASP Flagship Project - The OWASP Juice Shop. This will be a hands on class so everyone can follow along in the Juice Shop to explore the concepts. There will be time at the end for everyone to continue on their vulnerability hunting and a friendly Juice Shop CTF.

Bio: David Quisenberry (@dmqpdx16) is a backend developer and security champion with Daylight Studio, a local Portland boutique web agency. He serves on the Portland OWASP board as Outreach/Events coordinator and does what he can to up the involvement of established and emerging software developers in security conversations.

Prerequisites: Laptop capable of running docker and burpsuite.

== Afternoon Session: 1:30 PM - 5:00 PM ==

=== Web Applications and Filesystem Security / Deserialization Attacks ===

==== Sponsored by ForgeRock ====

''Instructor: Timothy Morgan''

Abstract: This course starts by exploring the security ramifications of filesystem semantics, security capabilities, and little known-features as they relate to web application development. Students will practice file upload attacks against a intentionally-vulnerable web application. Next, the course transitions to deserialization attacks, a recently added OWASP Top 10 item, using multiple practical examples to explain this tricky technical issue. Students will have an opportunity to try deserialization attacks in a realistic scenario.

Learning Objectives:
* To better appreciate the ways modern filesystems work on different platforms and what security impacts may result from certain unintuitive behaviors
* Explore the many challenges involved in safely processing file uploads
* Learn about deserialization attacks and how to identify when an application might be at risk

Prerequisites:
* A basic understanding of web application development is strongly recommended
* A laptop or workstation for each student (or pair of students)
* Ability to change proxy settings, install software and run executables on this system
* Please install VirtualBox 6 in order to run a small virtual machine
* If using a Mac, consider bringing a real mouse with 2 buttons. VirtualBox doesn't always play well with other pointing devices on Macs

=== Container Security ===

==== Sponsored by Summit Security ====

''Instructor: Alex Ivkin''

Abstract: "When it comes to container security there are two prevailing schools of thought - either containers are secure by default, so you should not care much, or containers can not be secure in principle, so you should avoid them at all costs. In this training you will go through the real world examples of configuring and running containers in a secure manner. You will get insights into the security of both Windows and Linux containers, container infrastructure, such as container registries and orchestration platforms - docker swarm and kubernetes. We will examine real world vulnerabilities unique to different architectures of containers and how to address them.

Takeaways:
# Building and running docker containers securely
# Avoiding common pitfalls in docker infrastructure setup (dockerd, docker registry)
# Navigating security in the container orchestration platforms (docker swarm, kubernetes)"

Bio: Alex Ivkin (@alerxes) is a Director of Solutions at Eclypsium, a local Portland company, specializing in firmware, hardware and supply chain security. Alex has deep implementation experience in a long list of security domains, including cloud, application security and IAM. He co-authored the ISACA CSX Professional certification and is an alpine climber.

Prerequisites:
* Mid to advanced level technical experience
* Basic experience with running docker containers
* Laptop with docker for windows setup and tested

=== Intro to Chrome Exploitation ===

==== Sponsored by Security Innovation ====

''Instructor: Justin Angra''

Abstract: Over 3 billion browser devices are actively loading arbitrary data served by someone else. What happens if one of those pages contains maliciously crafted JavaScript? Could they capture your passwords, perform UXSS, or worse - execute local code on your machine? In this session, you will get the opportunity to explore the anatomy and play with common vulnerability patterns in the renderer process of Chrome. This will be an interactive class; please bring a laptop with Docker installed.

=== OWASP Amass: Discovering Your Exposure on the Internet ===

==== Sponsored by Daylight Studio ====

''Instructor: Jeff Foley ''

Abstract: Today, large organizations deal with the challenge of running their infrastructure across many networks and namespaces due to the use of cloud and hosting services, legacy environments and acquisitions. This can make it difficult to maintain visibility of Internet-facing assets and to track down systems that pose a risk to security. The OWASP Amass Project has developed a tool to help information security professionals perform network mapping of attack surfaces and perform external asset discovery. During this talk, the founder of the project will discuss how OWASP Amass uses OSINT, network reconnaissance, graph databases and information sharing to provide both attackers and defenders better visibility of target organizations.

Bio: Jeff Foley is the Founder and Project Leader of the OWASP Amass project. Mr. Foley has nearly 20 years of experience as an innovator for research & development, software engineering and red team activities in information security. He is a results-driven technical leader known for delivering game-changing research findings to overcome real-world challenges. Jeff serves as the Manager for Vulnerability Engineering at National Grid and is the CTO & Co-founder of ClaritySec, an Upstate New York based information security startup. Prior to this, he was the Director of Research for the Cyber Systems, Weapon Systems & Sensors Operation at Alion Science & Technology. While serving at Northrop Grumman, Jeff built and led the internal penetration testing team and was the program manager for offensive security research & development. Mr. Foley also shares his expertise and experience by supporting several local university information security programs and participating in information security competitions, such as the SUNY Polytechnic Institute Cybersecurity Advisory Board, Mohawk Valley Community College Computer Science Advisory Board and the CNY Hackathon Competition.

=2019 Sponsors=

'''Interested in becoming a sponsor? Here is a document outlining the opportunities: [https://drive.google.com/file/d/0BydPdSuBlQ4scm1DRmlwMVNyUE11TzdxV1VoZ1lNRTdueTBv/view?usp=sharing Sponsorship-Doc]. Reach out to david.quisenberry@owasp.org to let us know.'''

=== Mixer Sponsors===

[[File:github.png|link=https://github.com/]]              
[[File:Dasher Technologies logo.png|link=https://www.dasher.com/]]

=== Training Session Sponsors ===

[[File:newrelic.png|link=https://newrelic.com/]]              
[[File:Cambia logo.png]]              
[[File:Security Innovation logo.png|link=https://www.securityinnovation.com/]]              
[[File:Daylight logo.png|link=https://thedaylightstudio.com/]]              
[[File:Kraken logo.png|link=https://www.kraken.com/en-us/features/security]]              
[[File:summit.png|link=http://summitinfosec.com/]]              
[[File:ForgeRock logo.png|link=https://www.forgerock.com/]]              
[[File:WebMD logo.jpg|link=https://www.webmd.com/]]

=== Morning Coffee Sponsors ===

[[File:OCI Logo.png|link=https://cloud.oracle.com/en_US/iaas]]              
[[File:NetSPI 2019 logo.png|link=https://www.netspi.com/]]

=== General Sponsors ===

[[File:Vacasa Logo .png|frameless|375x375px]]

=Details=
OWASP Portland 2019 Training Day will be on September 25, 2019.

This year for the 2nd time, we'll be located at:

World Trade Center Portland
121 SW Salmon St.
Portland, OR 97204.

Later in the evening, a social mixer will also be held at Rock Bottom Restaurant & Brewery, just a short walk away:

206 SW Morrison St
Portland, OR 97204

===Schedule===
{| class="wikitable"
! |Time
! colspan="4" |Activity
|-
| style="padding: 0.5em;" |8:00 AM - 8:30 AM
| colspan="4" style="padding: 0.5em;" |Morning Registration and Continental Breakfast
|-
| style="padding: 0.5em;" |8:30 AM - 12:00 PM
| style="padding: 0.5em;" |AWS API Threat Modeling and Automated Testing (Kendra Ash)
| style="padding: 0.5em;" |Applied Physical Attacks on Embedded Systems, Introductory Version (Joe FitzPatrick)
| style="padding: 0.5em;" |Security Tools and Jenkins Pipeline (Sneha Kokil)
| style="padding: 0.5em;" |OWASP Top 10 / Juice Shop Hack Session (David Quisenberry)
|-
| style="padding: 0.5em;" |12:00 PM - 1:30 PM
| colspan="4" style="padding: 0.5em;" | Lunch on your own - ''Meet a new friend and grab a bite!''
|-
| style="padding: 0.5em;" |1:00 PM - 1:30 PM
| colspan="4" style="padding: 0.5em;" | Afternoon Registration (for those attending only in the afternoon)
|-
| style="padding: 0.5em;" |1:30 PM - 5:00 PM
| style="padding: 0.5em;" |Web Applications and Filesystem Security / Deserialization Attacks (Timothy Morgan)
| style="padding: 0.5em;" |Container Security (Alex Ivkin)
| style="padding: 0.5em;" |Intro to Chrome Exploitation (Justin Angra)
| style="padding: 0.5em;" |OWASP Amass: Discovering Your Exposure on the Internet (Jeff Foley)
|-
| style="padding: 0.5em;" |5:00 PM - 7:30 PM
| colspan="4" style="padding: 0.5em;" | Evening Mixer @ Rock Bottom Restaurant and Brewery
|}

Interested in teaching a training at Training Day 2019? Contact Portland OWASP via the mailing list or Twitter!

=== Lunch Ideas ===

Here are some lunch ideas:
* Farmhouse Cafe, 101 SW Main St.
* The Good Earth Cafe, 1136 SW 3rd Ave.
* Chipotle Mexican Grill, 240 SW Yamhill St.
* Luc Lac Vietnamese Kitchen, 835 SW 2nd Ave.
* Rock Bottom Restaurant & Brewery, 206 SW Morrison St.
* Buffalo Wild Wings, 327 SW Morrison St.
* Cafe Yumm, 301 SW Morrison St.
* Killer Burger, 510 SW 3rd Ave.
* House of Ramen, 223 SW Columbia St.
* There are some food carts north of the World Trade Center on SW 3rd Ave. and SW Stark St.

=How to Register=

Registration will again be via [https://www.eventbrite.com/e/owasp-portland-2019-training-day-tickets-67270573095 EventBrite]

Thank you to the OWASP Foundation and the many sponsors, trainers, volunteers and trainers that have helped make Training Day a success and allow us to continue!

OWASP Portland 2019 Training Day

2019-08-15T17:22:38Z

Bzhao:

For the fourth year in a row, the Portland OWASP chapter is proud to host our information security training day! This is be an excellent opportunity for the local Portland security community to receive top quality information security and application security training for prices far lower than normally offered. It's also a great chance to network with other local infosec and appsec enthusiasts and meet those who share your interests.

The 4th annual OWASP Portland 2019 Training Day date will be on September 25, 2019. See [[#Details|Details]] for more info.

General Registration will open at 9am PST on August 15th. Tickets cost $25.00 per session.

Want to get news and information on our 2019 Training Day? Subscribe to the [https://groups.google.com/a/owasp.org/forum/#!forum/portland-chapter] Portland OWASP mailing list or follow [https://twitter.com/portlandowasp @PortlandOWASP] on Twitter!

=Courses=
Courses will be held in two tracks: four in the morning session, and four in the afternoon session. Each participant can register for one morning course, one afternoon course, or one of each.

== Morning Session 8:30 AM - Noon ==

=== AWS API Threat Modeling and Automated Testing ===

==== Sponsored by Cambia ====

''Instructor: Kendra Ash''

Abstract: If you are a software, DevOps, QA or security engineer and want to learn how to threat model API's in AWS this course is for you. This course will cover the what, why, when, and how of threat modeling applications in your organization. The bulk of this course will be based on the book Threat Modeling by Adam Shostack and will leverage a variant of the Escalation of Privileges card game. Also, I will dive into the approach I have used to gain adoption from engineering teams as a security engineer.
After gaining an understanding of threat modeling, we will dive into how we can automate security checks for an AWS environment — leveraging the AWS CLI tool to provide quick engineering feedback on ways to improve the security of their infrastructure.

Takeaways:
* Learn the basics of threat modeling
* Learn ways to gain adoption by your peers
* How to automate security checks for AWS

Bio: Kendra Ash (@securelykash) is an information security engineer at Vacasa, actively building a security team and program by leveraging guidance from her network and industry standards. Co presenting is Ryan Nixon (@taiidani) an experienced DevOps engineer who deeply cares about the security of all applications. Constantly looking for ways to keep all server and application configurations in order with proper auditing & pipelines.

Prerequisites: no previous knowledge is required, this course is for all levels and jobs (QA, DevOps, Security and Software Engineer)

=== Applied Physical Attacks on Embedded Systems, Introductory Version ===

''Instructor: Joe FitzPatrick''

Abstract: This workshop introduces several different relatively accessible interfaces on embedded systems. Attendees will get hands-on experience with UART, SPI, and JTAG interfaces on a MIPS-based wifi router. After a brief architectural overview of each interface, hands-on labs will guide through the process understanding, observing, interacting with, and exploiting the interface to potentially access a root shell on the target.

=== Security Tools and Jenkins Pipeline ===

==== Sponsored by WebMD ====

''Instructor: Sneha Kokil''

Abstract: Modern application development embeds security activities in SDLC, while adopting DevSecOps culture. Security tools are being viewed in the context of continuous integration and automation, which are the key factors in achieving a successful DevSecOps implementation. Integrating security tools in the CI/CD pipelines has become a primary focus of most of the organizations, who are striving to build application security from within. This workshop focuses on getting a good understanding of how some of the open source security tools can be integrated in Jenkins CI/CD pipeline for languages such as Go and Java, along with application container scanning solutions. The workshop will be a hands-on experience, where the participants will write their own pipeline code for integrating security tools. The key takeaways from this workshop will help participants experience how security tooling fits into CI/CD pipelines. It will also help them appreciate the real-world challenges and possible solutions, when integrating security in existing SDLC.

Bio: Sneha Kokil is a senior security consultant at Synopsys. With a master's degree in information security from Northeastern University, along with several years of development and security experience, she specializes in integrating software security toolchains within SDLC processes. She is immensely passionate about DevSecOps and how it helps building security in. Outside of work, she is an avid biography and science fiction reader, a swimmer, and a mother to a wonderful daughter.

=== OWASP Top 10 / Juice Shop Hack Session ===

==== Sponsored by Kraken ====

''Instructor: David Quisenberry''

Abstract: This session is meant for those new to OWASP Top Ten. We will go over the OWASP Top Ten - where it came from, what it’s good for, what are the top ten, etc. And illustrate the concepts in the OWASP Top Ten through another OWASP Flagship Project - The OWASP Juice Shop. This will be a hands on class so everyone can follow along in the Juice Shop to explore the concepts. There will be time at the end for everyone to continue on their vulnerability hunting and a friendly Juice Shop CTF.

Bio: David Quisenberry (@dmqpdx16) is a backend developer and security champion with Daylight Studio, a local Portland boutique web agency. He serves on the Portland OWASP board as Outreach/Events coordinator and does what he can to up the involvement of established and emerging software developers in security conversations.

Prerequisites: Laptop capable of running docker and burpsuite.

== Afternoon Session: 1:30 PM - 5:00 PM ==

=== Web Applications and Filesystem Security / Deserialization Attacks ===

==== Sponsored by ForgeRock ====

''Instructor: Timothy Morgan''

Abstract: This course starts by exploring the security ramifications of filesystem semantics, security capabilities, and little known-features as they relate to web application development. Students will practice file upload attacks against a intentionally-vulnerable web application. Next, the course transitions to deserialization attacks, a recently added OWASP Top 10 item, using multiple practical examples to explain this tricky technical issue. Students will have an opportunity to try deserialization attacks in a realistic scenario.

Learning Objectives:
* To better appreciate the ways modern filesystems work on different platforms and what security impacts may result from certain unintuitive behaviors
* Explore the many challenges involved in safely processing file uploads
* Learn about deserialization attacks and how to identify when an application might be at risk

Prerequisites:
* A basic understanding of web application development is strongly recommended
* A laptop or workstation for each student (or pair of students)
* Ability to change proxy settings, install software and run executables on this system
* Please install VirtualBox 6 in order to run a small virtual machine
* If using a Mac, consider bringing a real mouse with 2 buttons. VirtualBox doesn't always play well with other pointing devices on Macs

=== Container Security ===

==== Sponsored by Summit Security ====

''Instructor: Alex Ivkin''

Abstract: "When it comes to container security there are two prevailing schools of thought - either containers are secure by default, so you should not care much, or containers can not be secure in principle, so you should avoid them at all costs. In this training you will go through the real world examples of configuring and running containers in a secure manner. You will get insights into the security of both Windows and Linux containers, container infrastructure, such as container registries and orchestration platforms - docker swarm and kubernetes. We will examine real world vulnerabilities unique to different architectures of containers and how to address them.

Takeaways:
# Building and running docker containers securely
# Avoiding common pitfalls in docker infrastructure setup (dockerd, docker registry)
# Navigating security in the container orchestration platforms (docker swarm, kubernetes)"

Bio: Alex Ivkin (@alerxes) is a Director of Solutions at Eclypsium, a local Portland company, specializing in firmware, hardware and supply chain security. Alex has deep implementation experience in a long list of security domains, including cloud, application security and IAM. He co-authored the ISACA CSX Professional certification and is an alpine climber.

Prerequisites:
* Mid to advanced level technical experience
* Basic experience with running docker containers
* Laptop with docker for windows setup and tested

=== Intro to Chrome Exploitation ===

==== Sponsored by Security Innovation ====

''Instructor: Justin Angra''

Abstract: Over 3 billion browser devices are actively loading arbitrary data served by someone else. What happens if one of those pages contains maliciously crafted JavaScript? Could they capture your passwords, perform UXSS, or worse - execute local code on your machine? In this session, you will get the opportunity to explore the anatomy and play with common vulnerability patterns in the renderer process of Chrome. This will be an interactive class; please bring a laptop with Docker installed.

=== OWASP Amass: Discovering Your Exposure on the Internet ===

==== Sponsored by Daylight Studio ====

''Instructor: Jeff Foley ''

Abstract: Today, large organizations deal with the challenge of running their infrastructure across many networks and namespaces due to the use of cloud and hosting services, legacy environments and acquisitions. This can make it difficult to maintain visibility of Internet-facing assets and to track down systems that pose a risk to security. The OWASP Amass Project has developed a tool to help information security professionals perform network mapping of attack surfaces and perform external asset discovery. During this talk, the founder of the project will discuss how OWASP Amass uses OSINT, network reconnaissance, graph databases and information sharing to provide both attackers and defenders better visibility of target organizations.

Bio: Jeff Foley is the Founder and Project Leader of the OWASP Amass project. Mr. Foley has nearly 20 years of experience as an innovator for research & development, software engineering and red team activities in information security. He is a results-driven technical leader known for delivering game-changing research findings to overcome real-world challenges. Jeff serves as the Manager for Vulnerability Engineering at National Grid and is the CTO & Co-founder of ClaritySec, an Upstate New York based information security startup. Prior to this, he was the Director of Research for the Cyber Systems, Weapon Systems & Sensors Operation at Alion Science & Technology. While serving at Northrop Grumman, Jeff built and led the internal penetration testing team and was the program manager for offensive security research & development. Mr. Foley also shares his expertise and experience by supporting several local university information security programs and participating in information security competitions, such as the SUNY Polytechnic Institute Cybersecurity Advisory Board, Mohawk Valley Community College Computer Science Advisory Board and the CNY Hackathon Competition.

=2019 Sponsors=

'''Interested in becoming a sponsor? Here is a document outlining the opportunities: [https://drive.google.com/file/d/0BydPdSuBlQ4scm1DRmlwMVNyUE11TzdxV1VoZ1lNRTdueTBv/view?usp=sharing Sponsorship-Doc]. Reach out to david.quisenberry@owasp.org to let us know.'''

=== Mixer Sponsors===

[[File:github.png|link=https://github.com/]]              
[[File:Dasher Technologies logo.png|link=https://www.dasher.com/]]

=== Training Session Sponsors ===

[[File:Cambia logo.png]]              
[[File:Security Innovation logo.png|link=https://www.securityinnovation.com/]]              
[[File:Daylight logo.png|link=https://thedaylightstudio.com/]]              
[[File:Kraken logo.png|link=https://www.kraken.com/en-us/features/security]]              
[[File:summit.png|link=http://summitinfosec.com/]]              
[[File:ForgeRock logo.png|link=https://www.forgerock.com/]]              
[[File:WebMD logo.jpg|link=https://www.webmd.com/]]

=== Morning Coffee Sponsors ===

[[File:OCI Logo.png|link=https://cloud.oracle.com/en_US/iaas]]              
[[File:NetSPI 2019 logo.png|link=https://www.netspi.com/]]

=== General Sponsors ===

[[File:Vacasa Logo .png|frameless|375x375px]]

=Details=
OWASP Portland 2019 Training Day will be on September 25, 2019.

This year for the 2nd time, we'll be located at:

World Trade Center Portland
121 SW Salmon St.
Portland, OR 97204.

Later in the evening, a social mixer will also be held at Rock Bottom Restaurant & Brewery, just a short walk away:

206 SW Morrison St
Portland, OR 97204

===Schedule===
{| class="wikitable"
! |Time
! colspan="4" |Activity
|-
| style="padding: 0.5em;" |8:00 AM - 8:30 AM
| colspan="4" style="padding: 0.5em;" |Morning Registration and Continental Breakfast
|-
| style="padding: 0.5em;" |8:30 AM - 12:00 PM
| style="padding: 0.5em;" |AWS API Threat Modeling and Automated Testing (Kendra Ash)
| style="padding: 0.5em;" |Applied Physical Attacks on Embedded Systems, Introductory Version (Joe FitzPatrick)
| style="padding: 0.5em;" |Security Tools and Jenkins Pipeline (Sneha Kokil)
| style="padding: 0.5em;" |OWASP Top 10 / Juice Shop Hack Session (David Quisenberry)
|-
| style="padding: 0.5em;" |12:00 PM - 1:30 PM
| colspan="4" style="padding: 0.5em;" | Lunch on your own - ''Meet a new friend and grab a bite!''
|-
| style="padding: 0.5em;" |1:00 PM - 1:30 PM
| colspan="4" style="padding: 0.5em;" | Afternoon Registration (for those attending only in the afternoon)
|-
| style="padding: 0.5em;" |1:30 PM - 5:00 PM
| style="padding: 0.5em;" |Web Applications and Filesystem Security / Deserialization Attacks (Timothy Morgan)
| style="padding: 0.5em;" |Container Security (Alex Ivkin)
| style="padding: 0.5em;" |Intro to Chrome Exploitation (Justin Angra)
| style="padding: 0.5em;" |OWASP Amass: Discovering Your Exposure on the Internet (Jeff Foley)
|-
| style="padding: 0.5em;" |5:00 PM - 7:30 PM
| colspan="4" style="padding: 0.5em;" | Evening Mixer @ Rock Bottom Restaurant and Brewery
|}

Interested in teaching a training at Training Day 2019? Contact Portland OWASP via the mailing list or Twitter!

=== Lunch Ideas ===

Here are some lunch ideas:
* Farmhouse Cafe, 101 SW Main St.
* The Good Earth Cafe, 1136 SW 3rd Ave.
* Chipotle Mexican Grill, 240 SW Yamhill St.
* Luc Lac Vietnamese Kitchen, 835 SW 2nd Ave.
* Rock Bottom Restaurant & Brewery, 206 SW Morrison St.
* Buffalo Wild Wings, 327 SW Morrison St.
* Cafe Yumm, 301 SW Morrison St.
* Killer Burger, 510 SW 3rd Ave.
* House of Ramen, 223 SW Columbia St.
* There are some food carts north of the World Trade Center on SW 3rd Ave. and SW Stark St.

=How to Register=

Registration will again be via [https://www.eventbrite.com/e/owasp-portland-2019-training-day-tickets-67270573095 EventBrite]

Thank you to the OWASP Foundation and the many sponsors, trainers, volunteers and trainers that have helped make Training Day a success and allow us to continue!

User:Bzhao

2019-08-15T17:01:56Z

Bzhao:

Benny works as an Application Security Engineer and has since grown an interest in cyber security when he took his first computer security course from his undergraduate studies. As for goals, he would like to learn more about application security, offensive security, and container security.

OWASP Portland 2019 Training Day

2019-08-13T06:03:38Z

Bzhao: Minor change to Tim's session

For the fourth year in a row, the Portland OWASP chapter is proud to host our information security training day! This is be an excellent opportunity for the local Portland security community to receive top quality information security and application security training for prices far lower than normally offered. It's also a great chance to network with other local infosec and appsec enthusiasts and meet those who share your interests.

The 4th annual OWASP Portland 2019 Training Day date will be on September 25, 2019. See [[#Details|Details]] for more info.

General Registration will open at 9am PST on August 15th. Tickets cost $25.00 per session.

Want to get news and information on our 2019 Training Day? Subscribe to the [https://groups.google.com/a/owasp.org/forum/#!forum/portland-chapter] Portland OWASP mailing list or follow [https://twitter.com/portlandowasp @PortlandOWASP] on Twitter!

=Courses=
Courses will be held in two tracks: four in the morning session, and four in the afternoon session. Each participant can register for one morning course, one afternoon course, or one of each.

== Morning Session 8:30 AM - Noon ==

=== AWS API Threat Modeling and Automated Testing ===

==== Sponsored by Cambia ====

''Instructor: Kendra Ash''

Abstract: If you are a software, DevOps, QA or security engineer and want to learn how to threat model API's in AWS this course is for you. This course will cover the what, why, when, and how of threat modeling applications in your organization. The bulk of this course will be based on the book Threat Modeling by Adam Shostack and will leverage a variant of the Escalation of Privileges card game. Also, I will dive into the approach I have used to gain adoption from engineering teams as a security engineer.
After gaining an understanding of threat modeling, we will dive into how we can automate security checks for an AWS environment — leveraging the AWS CLI tool to provide quick engineering feedback on ways to improve the security of their infrastructure.

Takeaways:
* Learn the basics of threat modeling
* Learn ways to gain adoption by your peers
* How to automate security checks for AWS

Bio: Kendra Ash (@securelykash) is an information security engineer at Vacasa, actively building a security team and program by leveraging guidance from her network and industry standards. Co presenting is Ryan Nixon (@taiidani) an experienced DevOps engineer who deeply cares about the security of all applications. Constantly looking for ways to keep all server and application configurations in order with proper auditing & pipelines.

Prerequisites: no previous knowledge is required, this course is for all levels and jobs (QA, DevOps, Security and Software Engineer)

=== Applied Physical Attacks on Embedded Systems, Introductory Version ===

''Instructor: Joe FitzPatrick''

Abstract: This workshop introduces several different relatively accessible interfaces on embedded systems. Attendees will get hands-on experience with UART, SPI, and JTAG interfaces on a MIPS-based wifi router. After a brief architectural overview of each interface, hands-on labs will guide through the process understanding, observing, interacting with, and exploiting the interface to potentially access a root shell on the target.

=== Security Tools and Jenkins Pipeline ===

==== Sponsored by WebMD ====

''Instructor: Sneha Kokil''

Abstract: Modern application development embeds security activities in SDLC, while adopting DevSecOps culture. Security tools are being viewed in the context of continuous integration and automation, which are the key factors in achieving a successful DevSecOps implementation. Integrating security tools in the CI/CD pipelines has become a primary focus of most of the organizations, who are striving to build application security from within. This workshop focuses on getting a good understanding of how some of the open source security tools can be integrated in Jenkins CI/CD pipeline for languages such as Go and Java, along with application container scanning solutions. The workshop will be a hands-on experience, where the participants will write their own pipeline code for integrating security tools. The key takeaways from this workshop will help participants experience how security tooling fits into CI/CD pipelines. It will also help them appreciate the real-world challenges and possible solutions, when integrating security in existing SDLC.

Bio: Sneha Kokil is a senior security consultant at Synopsys. With a master's degree in information security from Northeastern University, along with several years of development and security experience, she specializes in integrating software security toolchains within SDLC processes. She is immensely passionate about DevSecOps and how it helps building security in. Outside of work, she is an avid biography and science fiction reader, a swimmer, and a mother to a wonderful daughter.

=== OWASP Top 10 / Juice Shop Hack Session ===

==== Sponsored by Kraken ====

''Instructor: David Quisenberry''

Abstract: This session is meant for those new to OWASP Top Ten. We will go over the OWASP Top Ten - where it came from, what it’s good for, what are the top ten, etc. And illustrate the concepts in the OWASP Top Ten through another OWASP Flagship Project - The OWASP Juice Shop. This will be a hands on class so everyone can follow along in the Juice Shop to explore the concepts. There will be time at the end for everyone to continue on their vulnerability hunting and a friendly Juice Shop CTF.

Bio: David Quisenberry (@dmqpdx16) is a backend developer and security champion with Daylight Studio, a local Portland boutique web agency. He serves on the Portland OWASP board as Outreach/Events coordinator and does what he can to up the involvement of established and emerging software developers in security conversations.

Prerequisites: Laptop capable of running docker and burpsuite.

== Afternoon Session: 1:30 PM - 5:00 PM ==

=== Web Applications and Filesystem Security / Deserialization Attacks ===

==== Sponsored by ForgeRock ====

''Instructor: Timothy Morgan''

Abstract: This course starts by exploring the security ramifications of filesystem semantics, security capabilities, and little known-features as they relate to web application development. Students will practice file upload attacks against a intentionally-vulnerable web application. Next, the course transitions to deserialization attacks, a recently added OWASP Top 10 item, using multiple practical examples to explain this tricky technical issue. Students will have an opportunity to try deserialization attacks in a realistic scenario.

Learning Objectives:
* To better appreciate the ways modern filesystems work on different platforms and what security impacts may result from certain unintuitive behaviors
* Explore the many challenges involved in safely processing file uploads
* Learn about deserialization attacks and how to identify when an application might be at risk

Prerequisites:
* A basic understanding of web application development is strongly recommended
* A laptop or workstation for each student (or pair of students)
* Ability to change proxy settings, install software and run executables on this system
* Please install VirtualBox 6 in order to run a small virtual machine
* If using a Mac, consider bringing a real mouse with 2 buttons. VirtualBox doesn't always play well with other pointing devices on Macs

=== Container Security ===

==== Sponsored by Summit Security ====

''Instructor: Alex Ivkin''

Abstract: "When it comes to container security there are two prevailing schools of thought - either containers are secure by default, so you should not care much, or containers can not be secure in principle, so you should avoid them at all costs. In this training you will go through the real world examples of configuring and running containers in a secure manner. You will get insights into the security of both Windows and Linux containers, container infrastructure, such as container registries and orchestration platforms - docker swarm and kubernetes. We will examine real world vulnerabilities unique to different architectures of containers and how to address them.

Takeaways:
# Building and running docker containers securely
# Avoiding common pitfalls in docker infrastructure setup (dockerd, docker registry)
# Navigating security in the container orchestration platforms (docker swarm, kubernetes)"

Bio: Alex Ivkin (@alerxes) is a Director of Solutions at Eclypsium, a local Portland company, specializing in firmware, hardware and supply chain security. Alex has deep implementation experience in a long list of security domains, including cloud, application security and IAM. He co-authored the ISACA CSX Professional certification and is an alpine climber.

Prerequisites:
* Mid to advanced level technical experience
* Basic experience with running docker containers
* Laptop with docker for windows setup and tested

=== Intro to Chrome Exploitation ===

==== Sponsored by Security Innovation ====

''Instructor: Justin Angra''

Abstract: Over 3 billion browser devices are actively loading arbitrary data served by someone else. What happens if one of those pages contains maliciously crafted JavaScript? Could they capture your passwords, perform UXSS, or worse - execute local code on your machine? In this session, you will get the opportunity to explore the anatomy and play with common vulnerability patterns in the renderer process of Chrome. This will be an interactive class; please bring a laptop with Docker installed.

=== OWASP Amass: Discovering Your Exposure on the Internet ===

==== Sponsored by Daylight Studio ====

''Instructor: Jeff Foley ''

Abstract: Today, large organizations deal with the challenge of running their infrastructure across many networks and namespaces due to the use of cloud and hosting services, legacy environments and acquisitions. This can make it difficult to maintain visibility of Internet-facing assets and to track down systems that pose a risk to security. The OWASP Amass Project has developed a tool to help information security professionals perform network mapping of attack surfaces and perform external asset discovery. During this talk, the founder of the project will discuss how OWASP Amass uses OSINT, network reconnaissance, graph databases and information sharing to provide both attackers and defenders better visibility of target organizations.

Bio: Jeff Foley is the Founder and Project Leader of the OWASP Amass project. Mr. Foley has nearly 20 years of experience as an innovator for research & development, software engineering and red team activities in information security. He is a results-driven technical leader known for delivering game-changing research findings to overcome real-world challenges. Jeff serves as the Manager for Vulnerability Engineering at National Grid and is the CTO & Co-founder of ClaritySec, an Upstate New York based information security startup. Prior to this, he was the Director of Research for the Cyber Systems, Weapon Systems & Sensors Operation at Alion Science & Technology. While serving at Northrop Grumman, Jeff built and led the internal penetration testing team and was the program manager for offensive security research & development. Mr. Foley also shares his expertise and experience by supporting several local university information security programs and participating in information security competitions, such as the SUNY Polytechnic Institute Cybersecurity Advisory Board, Mohawk Valley Community College Computer Science Advisory Board and the CNY Hackathon Competition.

=2019 Sponsors=

'''Interested in becoming a sponsor? Here is a document outlining the opportunities: [https://drive.google.com/file/d/0BydPdSuBlQ4scm1DRmlwMVNyUE11TzdxV1VoZ1lNRTdueTBv/view?usp=sharing Sponsorship-Doc]. Reach out to david.quisenberry@owasp.org to let us know.'''

=== Mixer Sponsors===

[[File:github.png|link=https://github.com/]]              
[[File:Dasher Technologies logo.png|link=https://www.dasher.com/]]

=== Training Session Sponsors ===

[[File:Cambia logo.png]]              
[[File:Security Innovation logo.png|link=https://www.securityinnovation.com/]]              
[[File:Daylight logo.png|link=https://thedaylightstudio.com/]]              
[[File:Kraken logo.png|link=https://www.kraken.com/en-us/features/security]]              
[[File:summit.png|link=http://summitinfosec.com/]]              
[[File:ForgeRock logo.png|link=https://www.forgerock.com/]]              
[[File:WebMD logo.jpg|link=https://www.webmd.com/]]

=== Morning Coffee Sponsors ===

[[File:NetSPI 2019 logo.png|link=https://www.netspi.com/]]

=== General Sponsors ===

[[File:Vacasa Logo .png|frameless|375x375px]]

=Details=
OWASP Portland 2019 Training Day will be on September 25, 2019.

This year for the 2nd time, we'll be located at:

World Trade Center Portland
121 SW Salmon St.
Portland, OR 97204.

Later in the evening, a social mixer will also be held at Rock Bottom Restaurant & Brewery, just a short walk away:

206 SW Morrison St
Portland, OR 97204

===Schedule===
{| class="wikitable"
! |Time
! colspan="4" |Activity
|-
| style="padding: 0.5em;" |8:00 AM - 8:30 AM
| colspan="4" style="padding: 0.5em;" |Morning Registration and Continental Breakfast
|-
| style="padding: 0.5em;" |8:30 AM - 12:00 PM
| style="padding: 0.5em;" |AWS API Threat Modeling and Automated Testing (Kendra Ash)
| style="padding: 0.5em;" |Applied Physical Attacks on Embedded Systems, Introductory Version (Joe FitzPatrick)
| style="padding: 0.5em;" |Security Tools and Jenkins Pipeline (Sneha Kokil)
| style="padding: 0.5em;" |OWASP Top 10 / Juice Shop Hack Session (David Quisenberry)
|-
| style="padding: 0.5em;" |12:00 PM - 1:30 PM
| colspan="4" style="padding: 0.5em;" | Lunch on your own - ''Meet a new friend and grab a bite!''
|-
| style="padding: 0.5em;" |1:00 PM - 1:30 PM
| colspan="4" style="padding: 0.5em;" | Afternoon Registration (for those attending only in the afternoon)
|-
| style="padding: 0.5em;" |1:30 PM - 5:00 PM
| style="padding: 0.5em;" |Web Applications and Filesystem Security / Deserialization Attacks (Timothy Morgan)
| style="padding: 0.5em;" |Container Security (Alex Ivkin)
| style="padding: 0.5em;" |Intro to Chrome Exploitation (Justin Angra)
| style="padding: 0.5em;" |OWASP Amass: Discovering Your Exposure on the Internet (Jeff Foley)
|-
| style="padding: 0.5em;" |5:00 PM - 7:30 PM
| colspan="4" style="padding: 0.5em;" | Evening Mixer @ Rock Bottom Restaurant and Brewery
|}

Interested in teaching a training at Training Day 2019? Contact Portland OWASP via the mailing list or Twitter!

=== Lunch Ideas ===

Here are some lunch ideas:
* Farmhouse Cafe, 101 SW Main St.
* The Good Earth Cafe, 1136 SW 3rd Ave.
* Chipotle Mexican Grill, 240 SW Yamhill St.
* Luc Lac Vietnamese Kitchen, 835 SW 2nd Ave.
* Rock Bottom Restaurant & Brewery, 206 SW Morrison St.
* Buffalo Wild Wings, 327 SW Morrison St.
* Cafe Yumm, 301 SW Morrison St.
* Killer Burger, 510 SW 3rd Ave.
* House of Ramen, 223 SW Columbia St.
* There are some food carts north of the World Trade Center on SW 3rd Ave. and SW Stark St.

=How to Register=

Registration will again be via EventBrite

Thank you to the OWASP Foundation and the many sponsors, trainers, volunteers and trainers that have helped make Training Day a success and allow us to continue!

OWASP Portland 2019 Training Day

2019-08-13T06:01:49Z

Bzhao: Minor sponsorship logo add

For the fourth year in a row, the Portland OWASP chapter is proud to host our information security training day! This is be an excellent opportunity for the local Portland security community to receive top quality information security and application security training for prices far lower than normally offered. It's also a great chance to network with other local infosec and appsec enthusiasts and meet those who share your interests.

The 4th annual OWASP Portland 2019 Training Day date will be on September 25, 2019. See [[#Details|Details]] for more info.

General Registration will open at 9am PST on August 15th. Tickets cost $25.00 per session.

Want to get news and information on our 2019 Training Day? Subscribe to the [https://groups.google.com/a/owasp.org/forum/#!forum/portland-chapter] Portland OWASP mailing list or follow [https://twitter.com/portlandowasp @PortlandOWASP] on Twitter!

=Courses=
Courses will be held in two tracks: four in the morning session, and four in the afternoon session. Each participant can register for one morning course, one afternoon course, or one of each.

== Morning Session 8:30 AM - Noon ==

=== AWS API Threat Modeling and Automated Testing ===

==== Sponsored by Cambia ====

''Instructor: Kendra Ash''

Abstract: If you are a software, DevOps, QA or security engineer and want to learn how to threat model API's in AWS this course is for you. This course will cover the what, why, when, and how of threat modeling applications in your organization. The bulk of this course will be based on the book Threat Modeling by Adam Shostack and will leverage a variant of the Escalation of Privileges card game. Also, I will dive into the approach I have used to gain adoption from engineering teams as a security engineer.
After gaining an understanding of threat modeling, we will dive into how we can automate security checks for an AWS environment — leveraging the AWS CLI tool to provide quick engineering feedback on ways to improve the security of their infrastructure.

Takeaways:
* Learn the basics of threat modeling
* Learn ways to gain adoption by your peers
* How to automate security checks for AWS

Bio: Kendra Ash (@securelykash) is an information security engineer at Vacasa, actively building a security team and program by leveraging guidance from her network and industry standards. Co presenting is Ryan Nixon (@taiidani) an experienced DevOps engineer who deeply cares about the security of all applications. Constantly looking for ways to keep all server and application configurations in order with proper auditing & pipelines.

Prerequisites: no previous knowledge is required, this course is for all levels and jobs (QA, DevOps, Security and Software Engineer)

=== Applied Physical Attacks on Embedded Systems, Introductory Version ===

''Instructor: Joe FitzPatrick''

Abstract: This workshop introduces several different relatively accessible interfaces on embedded systems. Attendees will get hands-on experience with UART, SPI, and JTAG interfaces on a MIPS-based wifi router. After a brief architectural overview of each interface, hands-on labs will guide through the process understanding, observing, interacting with, and exploiting the interface to potentially access a root shell on the target.

=== Security Tools and Jenkins Pipeline ===

==== Sponsored by WebMD ====

''Instructor: Sneha Kokil''

Abstract: Modern application development embeds security activities in SDLC, while adopting DevSecOps culture. Security tools are being viewed in the context of continuous integration and automation, which are the key factors in achieving a successful DevSecOps implementation. Integrating security tools in the CI/CD pipelines has become a primary focus of most of the organizations, who are striving to build application security from within. This workshop focuses on getting a good understanding of how some of the open source security tools can be integrated in Jenkins CI/CD pipeline for languages such as Go and Java, along with application container scanning solutions. The workshop will be a hands-on experience, where the participants will write their own pipeline code for integrating security tools. The key takeaways from this workshop will help participants experience how security tooling fits into CI/CD pipelines. It will also help them appreciate the real-world challenges and possible solutions, when integrating security in existing SDLC.

Bio: Sneha Kokil is a senior security consultant at Synopsys. With a master's degree in information security from Northeastern University, along with several years of development and security experience, she specializes in integrating software security toolchains within SDLC processes. She is immensely passionate about DevSecOps and how it helps building security in. Outside of work, she is an avid biography and science fiction reader, a swimmer, and a mother to a wonderful daughter.

=== OWASP Top 10 / Juice Shop Hack Session ===

==== Sponsored by Kraken ====

''Instructor: David Quisenberry''

Abstract: This session is meant for those new to OWASP Top Ten. We will go over the OWASP Top Ten - where it came from, what it’s good for, what are the top ten, etc. And illustrate the concepts in the OWASP Top Ten through another OWASP Flagship Project - The OWASP Juice Shop. This will be a hands on class so everyone can follow along in the Juice Shop to explore the concepts. There will be time at the end for everyone to continue on their vulnerability hunting and a friendly Juice Shop CTF.

Bio: David Quisenberry (@dmqpdx16) is a backend developer and security champion with Daylight Studio, a local Portland boutique web agency. He serves on the Portland OWASP board as Outreach/Events coordinator and does what he can to up the involvement of established and emerging software developers in security conversations.

Prerequisites: Laptop capable of running docker and burpsuite.

== Afternoon Session: 1:30 PM - 5:00 PM ==

=== Web Applications and Filesystem Security / Deserialization Attacks ===

==== Sponsored by ForgeRock ====

''Instructor: Timothy Morgan''

Abstract: This course starts by exploring the security ramifications of filesystem semantics, security capabilities, and little known-features as they relate to web application development. Students will practice file upload attacks against a intentionally-vulnerable web application. Next, the course transitions to deserialization attacks, a recently added OWASP Top 10 item, using multiple practical examples to explain this tricky technical issue. Students will have an opportunity to try deserialization attacks in a realistic scenario.

Learning Objectives:
* To better appreciate the ways modern filesystems work on different platforms and what security impacts may result from certain unintuitive behaviors
* Explore the many challenges involved in safely processing file uploads
* Learn about deserialization attacks and how to identify when an application might be at risk

Prerequisites:
* A basic understanding of web application development is strongly recommended
* A laptop or workstation for each student (or pair of students)
* Ability to change proxy settings, install software and run executables on this system
* Please install VirtualBox 6 in order to run a small virtual machine
* If using a Mac, consider bringing a real mouse with 2 buttons. VirtualBox doesn't always play well with other pointing devices on Macs

=== Container Security ===

==== Sponsored by Summit Security ====

''Instructor: Alex Ivkin''

Abstract: "When it comes to container security there are two prevailing schools of thought - either containers are secure by default, so you should not care much, or containers can not be secure in principle, so you should avoid them at all costs. In this training you will go through the real world examples of configuring and running containers in a secure manner. You will get insights into the security of both Windows and Linux containers, container infrastructure, such as container registries and orchestration platforms - docker swarm and kubernetes. We will examine real world vulnerabilities unique to different architectures of containers and how to address them.

Takeaways:
# Building and running docker containers securely
# Avoiding common pitfalls in docker infrastructure setup (dockerd, docker registry)
# Navigating security in the container orchestration platforms (docker swarm, kubernetes)"

Bio: Alex Ivkin (@alerxes) is a Director of Solutions at Eclypsium, a local Portland company, specializing in firmware, hardware and supply chain security. Alex has deep implementation experience in a long list of security domains, including cloud, application security and IAM. He co-authored the ISACA CSX Professional certification and is an alpine climber.

Prerequisites:
* Mid to advanced level technical experience
* Basic experience with running docker containers
* Laptop with docker for windows setup and tested

=== Intro to Chrome Exploitation ===

==== Sponsored by Security Innovation ====

''Instructor: Justin Angra''

Abstract: Over 3 billion browser devices are actively loading arbitrary data served by someone else. What happens if one of those pages contains maliciously crafted JavaScript? Could they capture your passwords, perform UXSS, or worse - execute local code on your machine? In this session, you will get the opportunity to explore the anatomy and play with common vulnerability patterns in the renderer process of Chrome. This will be an interactive class; please bring a laptop with Docker installed.

=== OWASP Amass: Discovering Your Exposure on the Internet ===

==== Sponsored by Daylight Studio ====

''Instructor: Jeff Foley ''

Abstract: Today, large organizations deal with the challenge of running their infrastructure across many networks and namespaces due to the use of cloud and hosting services, legacy environments and acquisitions. This can make it difficult to maintain visibility of Internet-facing assets and to track down systems that pose a risk to security. The OWASP Amass Project has developed a tool to help information security professionals perform network mapping of attack surfaces and perform external asset discovery. During this talk, the founder of the project will discuss how OWASP Amass uses OSINT, network reconnaissance, graph databases and information sharing to provide both attackers and defenders better visibility of target organizations.

Bio: Jeff Foley is the Founder and Project Leader of the OWASP Amass project. Mr. Foley has nearly 20 years of experience as an innovator for research & development, software engineering and red team activities in information security. He is a results-driven technical leader known for delivering game-changing research findings to overcome real-world challenges. Jeff serves as the Manager for Vulnerability Engineering at National Grid and is the CTO & Co-founder of ClaritySec, an Upstate New York based information security startup. Prior to this, he was the Director of Research for the Cyber Systems, Weapon Systems & Sensors Operation at Alion Science & Technology. While serving at Northrop Grumman, Jeff built and led the internal penetration testing team and was the program manager for offensive security research & development. Mr. Foley also shares his expertise and experience by supporting several local university information security programs and participating in information security competitions, such as the SUNY Polytechnic Institute Cybersecurity Advisory Board, Mohawk Valley Community College Computer Science Advisory Board and the CNY Hackathon Competition.

=2019 Sponsors=

'''Interested in becoming a sponsor? Here is a document outlining the opportunities: [https://drive.google.com/file/d/0BydPdSuBlQ4scm1DRmlwMVNyUE11TzdxV1VoZ1lNRTdueTBv/view?usp=sharing Sponsorship-Doc]. Reach out to david.quisenberry@owasp.org to let us know.'''

=== Mixer Sponsors===

[[File:github.png|link=https://github.com/]]              
[[File:Dasher Technologies logo.png|link=https://www.dasher.com/]]

=== Training Session Sponsors ===

[[File:Cambia logo.png]]              
[[File:Security Innovation logo.png|link=https://www.securityinnovation.com/]]              
[[File:Daylight logo.png|link=https://thedaylightstudio.com/]]              
[[File:Kraken logo.png|link=https://www.kraken.com/en-us/features/security]]              
[[File:summit.png|link=http://summitinfosec.com/]]              
[[File:ForgeRock logo.png|link=https://www.forgerock.com/]]              
[[File:WebMD logo.jpg|link=https://www.webmd.com/]]

=== Morning Coffee Sponsors ===

[[File:NetSPI 2019 logo.png|link=https://www.netspi.com/]]

=== General Sponsors ===

[[File:Vacasa Logo .png|frameless|375x375px]]

=Details=
OWASP Portland 2019 Training Day will be on September 25, 2019.

This year for the 2nd time, we'll be located at:

World Trade Center Portland
121 SW Salmon St.
Portland, OR 97204.

Later in the evening, a social mixer will also be held at Rock Bottom Restaurant & Brewery, just a short walk away:

206 SW Morrison St
Portland, OR 97204

===Schedule===
{| class="wikitable"
! |Time
! colspan="4" |Activity
|-
| style="padding: 0.5em;" |8:00 AM - 8:30 AM
| colspan="4" style="padding: 0.5em;" |Morning Registration and Continental Breakfast
|-
| style="padding: 0.5em;" |8:30 AM - 12:00 PM
| style="padding: 0.5em;" |AWS API Threat Modeling and Automated Testing (Kendra Ash)
| style="padding: 0.5em;" |Applied Physical Attacks on Embedded Systems, Introductory Version (Joe FitzPatrick)
| style="padding: 0.5em;" |Security Tools and Jenkins Pipeline (Sneha Kokil)
| style="padding: 0.5em;" |OWASP Top 10 / Juice Shop Hack Session (David Quisenberry)
|-
| style="padding: 0.5em;" |12:00 PM - 1:30 PM
| colspan="4" style="padding: 0.5em;" | Lunch on your own - ''Meet a new friend and grab a bite!''
|-
| style="padding: 0.5em;" |1:00 PM - 1:30 PM
| colspan="4" style="padding: 0.5em;" | Afternoon Registration (for those attending only in the afternoon)
|-
| style="padding: 0.5em;" |1:30 PM - 5:00 PM
| style="padding: 0.5em;" |Advanced Application Security Testing (Timothy Morgan)
| style="padding: 0.5em;" |Container Security (Alex Ivkin)
| style="padding: 0.5em;" |Intro to Chrome Exploitation (Justin Angra)
| style="padding: 0.5em;" |OWASP Amass: Discovering Your Exposure on the Internet (Jeff Foley)
|-
| style="padding: 0.5em;" |5:00 PM - 7:30 PM
| colspan="4" style="padding: 0.5em;" | Evening Mixer @ Rock Bottom Restaurant and Brewery
|}

Interested in teaching a training at Training Day 2019? Contact Portland OWASP via the mailing list or Twitter!

=== Lunch Ideas ===

Here are some lunch ideas:
* Farmhouse Cafe, 101 SW Main St.
* The Good Earth Cafe, 1136 SW 3rd Ave.
* Chipotle Mexican Grill, 240 SW Yamhill St.
* Luc Lac Vietnamese Kitchen, 835 SW 2nd Ave.
* Rock Bottom Restaurant & Brewery, 206 SW Morrison St.
* Buffalo Wild Wings, 327 SW Morrison St.
* Cafe Yumm, 301 SW Morrison St.
* Killer Burger, 510 SW 3rd Ave.
* House of Ramen, 223 SW Columbia St.
* There are some food carts north of the World Trade Center on SW 3rd Ave. and SW Stark St.

=How to Register=

Registration will again be via EventBrite

Thank you to the OWASP Foundation and the many sponsors, trainers, volunteers and trainers that have helped make Training Day a success and allow us to continue!

File:Cambia logo.png

2019-08-13T05:56:04Z

Bzhao:

Cambia logo

OWASP Portland 2019 Training Day

2019-08-09T18:07:48Z

Bzhao: Added session sponsors to sessions

For the fourth year in a row, the Portland OWASP chapter is proud to host our information security training day! This is be an excellent opportunity for the local Portland security community to receive top quality information security and application security training for prices far lower than normally offered. It's also a great chance to network with other local infosec and appsec enthusiasts and meet those who share your interests.

The 4th annual OWASP Portland 2019 Training Day date will be on September 25, 2019. See [[#Details|Details]] for more info.

General Registration will open at 9am PST on August 15th.

Want to get news and information on our 2019 Training Day? Subscribe to the [https://groups.google.com/a/owasp.org/forum/#!forum/portland-chapter] Portland OWASP mailing list or follow [https://twitter.com/portlandowasp @PortlandOWASP] on Twitter!

=Courses=
Courses will be held in two tracks: four in the morning session, and four in the afternoon session. Each participant can register for one morning course, one afternoon course, or one of each.

== Morning Session 8:30 AM - Noon ==

=== AWS API Threat Modeling and Automated Testing ===

''Instructor: Kendra Ash''

Abstract: If you are a software, DevOps, QA or security engineer and want to learn how to threat model API's in AWS this course is for you. This course will cover the what, why, when, and how of threat modeling applications in your organization. The bulk of this course will be based on the book Threat Modeling by Adam Shostack and will leverage a variant of the Escalation of Privileges card game. Also, I will dive into the approach I have used to gain adoption from engineering teams as a security engineer.
After gaining an understanding of threat modeling, we will dive into how we can automate security checks for an AWS environment — leveraging the AWS CLI tool to provide quick engineering feedback on ways to improve the security of their infrastructure.

Takeaways:

- Learn the basics of threat modeling

- Learn ways to gain adoption by your peers

- How to automate security checks for AWS

Bio: Kendra Ash (@securelykash) is an information security engineer at Vacasa, actively building a security team and program by leveraging guidance from her network and industry standards. Co presenting is Ryan Nixon (@<code>taiidani)</code> an experienced DevOps engineer who deeply cares about the security of all applications. Constantly looking for ways to keep all server and application configurations in order with proper auditing & pipelines.

Prerequisites:- no previous knowledge is required- this course is for all levels and jobs (QA, DevOps, Security and Software Engineer)

=== Applied Physical Attacks on Embedded Systems, Introductory Version ===

''Instructor: Joe FitzPatrick''

Abstract: This workshop introduces several different relatively accessible interfaces on embedded systems. Attendees will get hands-on experience with UART, SPI, and JTAG interfaces on a MIPS-based wifi router. After a brief architectural overview of each interface, hands-on labs will guide through the process understanding, observing, interacting with, and exploiting the interface to potentially access a root shell on the target.

=== Security Tools and Jenkins Pipeline ===

==== Sponsored by WebMD ====

''Instructor: Sneha Kokil''

Abstract: Modern application development embeds security activities in SDLC, while adopting DevSecOps culture. Security tools are being viewed in the context of continuous integration and automation, which are the key factors in achieving a successful DevSecOps implementation. Integrating security tools in the CI/CD pipelines has become a primary focus of most of the organizations, who are striving to build application security from within. This workshop focuses on getting a good understanding of how some of the open source security tools can be integrated in Jenkins CI/CD pipeline for languages such as Go and Java, along with application container scanning solutions. The workshop will be a hands-on experience, where the participants will write their own pipeline code for integrating security tools. The key takeaways from this workshop will help participants experience how security tooling fits into CI/CD pipelines. It will also help them appreciate the real-world challenges and possible solutions, when integrating security in existing SDLC.

Bio: Sneha Kokil is a senior security consultant at Synopsys. With a master's degree in information security from Northeastern University, along with several years of development and security experience, she specializes in integrating software security toolchains within SDLC processes. She is immensely passionate about DevSecOps and how it helps building security in. Outside of work, she is an avid biography and science fiction reader, a swimmer, and a mother to a wonderful daughter.

=== OWASP Top 10 / Juice Shop Hack Session ===

==== Sponsored by Kraken ====

''Instructor: David Quisenberry''

Abstract: This session is meant for those new to OWASP Top Ten. We will go over the OWASP Top Ten - where it came from, what it’s good for, what are the top ten, etc. And illustrate the concepts in the OWASP Top Ten through another OWASP Flagship Project - The OWASP Juice Shop. This will be a hands on class so everyone can follow along in the Juice Shop to explore the concepts. There will be time at the end for everyone to continue on their vulnerability hunting and a friendly Juice Shop CTF.

Bio: David Quisenberry (@dmqpdx16) is a backend developer and security champion with Daylight Studio, a local Portland boutique web agency. He serves on the Portland OWASP board as Outreach/Events coordinator and does what he can to up the involvement of established and emerging software developers in security conversations.

Prerequisites: Laptop capable of running docker and burpsuite.

== Afternoon Session: 1:30 PM - 5:00 PM ==

=== Advanced Application Security Testing ===

==== Sponsored by ForgeRock ====

''Instructor: Timothy Morgan''

Abstract: This course takes students beyond the most basic web application exploitation scenarios, focusing on advanced SQL injection, XML eXternal Entities (XXE) and server-side request forgery (SSRF) attacks. The course also covers out-of-band detection and exfiltration using the DNS, which has recently become a popular technique used by penetration testers.

Prerequisites: Students should be familiar with popular web application testing proxies such as Burp Proxy or OWASP ZAP. Some experience with basic SQL injection attacks is recommended.

=== Container Security ===

==== Sponsored by Summit Security ====

''Instructor: Alex Ivkin''

Abstract: "When it comes to container security there are two prevailing schools of thought - either containers are secure by default, so you should not care much, or containers can not be secure in principle, so you should avoid them at all costs. In this training you will go through the real world examples of configuring and running containers in a secure manner. You will get insights into the security of both Windows and Linux containers, container infrastructure, such as container registries and orchestration platforms - docker swarm and kubernetes. We will examine real world vulnerabilities unique to different architectures of containers and how to address them.

Takeaways:
# Building and running docker containers securely
# Avoiding common pitfalls in docker infrastructure setup (dockerd, docker registry)
# Navigating security in the container orchestration platforms (docker swarm, kubernetes)"

Bio: Alex Ivkin (@alerxes) is a Director of Solutions at Eclypsium, a local Portland company, specializing in firmware, hardware and supply chain security. Alex has deep implementation experience in a long list of security domains, including cloud, application security and IAM. He co-authored the ISACA CSX Professional certification and is an alpine climber.

Prerequisites:
* Mid to advanced level technical experience
* Basic experience with running docker containers
* Laptop with docker for windows setup and tested

=== Intro to Chrome Exploitation ===

==== Sponsored by Security Innovation ====

''Instructor: Justin Angra''

Abstract: Over 3 billion browser devices are actively loading arbitrary data served by someone else. What happens if one of those pages contains maliciously crafted JavaScript? Could they capture your passwords, perform UXSS, or worse - execute local code on your machine? In this session, you will get the opportunity to explore the anatomy and play with common vulnerability patterns in the renderer process of Chrome. This will be an interactive class; please bring a laptop with Docker installed.

=== OWASP Amass: Discovering Your Exposure on the Internet ===

==== Sponsored by Daylight Studio ====

''Instructor: Jeff Foley ''

Abstract: Today, large organizations deal with the challenge of running their infrastructure across many networks and namespaces due to the use of cloud and hosting services, legacy environments and acquisitions. This can make it difficult to maintain visibility of Internet-facing assets and to track down systems that pose a risk to security. The OWASP Amass Project has developed a tool to help information security professionals perform network mapping of attack surfaces and perform external asset discovery. During this talk, the founder of the project will discuss how OWASP Amass uses OSINT, network reconnaissance, graph databases and information sharing to provide both attackers and defenders better visibility of target organizations.

Bio: Jeff Foley is the Founder and Project Leader of the OWASP Amass project. Mr. Foley has nearly 20 years of experience as an innovator for research & development, software engineering and red team activities in information security. He is a results-driven technical leader known for delivering game-changing research findings to overcome real-world challenges. Jeff serves as the Manager for Vulnerability Engineering at National Grid and is the CTO & Co-founder of ClaritySec, an Upstate New York based information security startup. Prior to this, he was the Director of Research for the Cyber Systems, Weapon Systems & Sensors Operation at Alion Science & Technology. While serving at Northrop Grumman, Jeff built and led the internal penetration testing team and was the program manager for offensive security research & development. Mr. Foley also shares his expertise and experience by supporting several local university information security programs and participating in information security competitions, such as the SUNY Polytechnic Institute Cybersecurity Advisory Board, Mohawk Valley Community College Computer Science Advisory Board and the CNY Hackathon Competition.

=2019 Sponsors=

'''Interested in becoming a sponsor? Here is a document outlining the opportunities: [https://drive.google.com/file/d/0BydPdSuBlQ4scm1DRmlwMVNyUE11TzdxV1VoZ1lNRTdueTBv/view?usp=sharing Sponsorship-Doc]. Reach out to david.quisenberry@owasp.org to let us know.'''

=== Mixer Sponsors===

[[File:github.png|link=https://github.com/]]              
[[File:Dasher Technologies logo.png|link=https://www.dasher.com/]]

=== Training Session Sponsors ===

[[File:ForgeRock logo.png|link=https://www.forgerock.com/]]              
[[File:Security Innovation logo.png|link=https://www.securityinnovation.com/]]              
[[File:Daylight logo.png|link=https://thedaylightstudio.com/]]              
[[File:Kraken logo.png|link=https://www.kraken.com/en-us/features/security]]              
[[File:summit.png|link=http://summitinfosec.com/]]              
[[File:WebMD logo.jpg|link=https://www.webmd.com/]]

=== Morning Coffee Sponsors ===

[[File:NetSPI 2019 logo.png|link=https://www.netspi.com/]]

=== General Sponsors ===

[[File:Vacasa Logo .png|frameless|375x375px]]

== 2018 Sponsors ==

=== Mixer Sponsors===

[[File:github.png|link=https://github.com/]]

=== Training Session Sponsors ===

[[File:newrelic.png|link=https://newrelic.com/]]              
[[File:summit.png|link=http://summitinfosec.com/]]              
[[File:OCI Logo.png|link=https://cloud.oracle.com/en_US/iaas]]              
[[File:ForgeRock logo.png|link=https://www.forgerock.com/]]              
[[File:Security Innovation logo.png|link=https://www.securityinnovation.com/]]

=== Morning Coffee Sponsors ===

[[File:OCI Logo.png|link=https://cloud.oracle.com/en_US/iaas]]

=== General Sponsors ===

[[File:simple.png|link=https://simple.com/]]              

=Details=
OWASP Portland 2019 Training Day will be on September 25, 2019.

This year for the 2nd time, we'll be located at:

World Trade Center Portland
121 SW Salmon St.
Portland, OR 97204.

Later in the evening, a social mixer will also be held at Rock Bottom Restaurant & Brewery, just a short walk away:

206 SW Morrison St
Portland, OR 97204

===Schedule===
{| class="wikitable"
! |Time
! colspan="4" |Activity
|-
| style="padding: 0.5em;" |8:00 AM - 8:30 AM
| colspan="4" style="padding: 0.5em;" |Morning Registration and Continental Breakfast
|-
| style="padding: 0.5em;" |8:30 AM - 12:00 PM
| style="padding: 0.5em;" |AWS API Threat Modeling and Automated Testing (Kendra Ash)
| style="padding: 0.5em;" |Applied Physical Attacks on Embedded Systems, Introductory Version (Joe FitzPatrick)
| style="padding: 0.5em;" |Security Tools and Jenkins Pipeline (Sneha Kokil)
| style="padding: 0.5em;" |OWASP Top 10 / Juice Shop Hack Session (David Quisenberry)
|-
| style="padding: 0.5em;" |12:00 PM - 1:30 PM
| colspan="4" style="padding: 0.5em;" | Lunch on your own - ''Meet a new friend and grab a bite!''
|-
| style="padding: 0.5em;" |1:00 PM - 1:30 PM
| colspan="4" style="padding: 0.5em;" | Afternoon Registration (for those attending only in the afternoon)
|-
| style="padding: 0.5em;" |1:30 PM - 5:00 PM
| style="padding: 0.5em;" |Advanced Application Security Testing (Timothy Morgan)
| style="padding: 0.5em;" |Container Security (Alex Ivkin)
| style="padding: 0.5em;" |Intro to Chrome Exploitation (Justin Angra)
| style="padding: 0.5em;" |OWASP Amass: Discovering Your Exposure on the Internet (Jeff Foley)
|-
| style="padding: 0.5em;" |5:00 PM - 7:30 PM
| colspan="4" style="padding: 0.5em;" | Evening Mixer @ Rock Bottom Restaurant and Brewery
|}

Interested in teaching a training at Training Day 2019? Contact Portland OWASP via the mailing list or Twitter!

=== Lunch Ideas ===

Here are some lunch ideas:
* Farmhouse Cafe, 101 SW Main St.
* The Good Earth Cafe, 1136 SW 3rd Ave.
* Chipotle Mexican Grill, 240 SW Yamhill St.
* Luc Lac Vietnamese Kitchen, 835 SW 2nd Ave.
* Rock Bottom Restaurant & Brewery, 206 SW Morrison St.
* Buffalo Wild Wings, 327 SW Morrison St.
* Cafe Yumm, 301 SW Morrison St.
* Killer Burger, 510 SW 3rd Ave.
* House of Ramen, 223 SW Columbia St.
* There are some food carts north of the World Trade Center on SW 3rd Ave. and SW Stark St.

=How to Register=

Registration will again be via EventBrite

Thank you to the OWASP Foundation and the many sponsors, trainers, volunteers and trainers that have helped make Training Day a success and allow us to continue!

OWASP Portland 2019 Training Day

2019-08-09T17:56:08Z

Bzhao: /* 2019 Sponsors */

For the fourth year in a row, the Portland OWASP chapter is proud to host our information security training day! This is be an excellent opportunity for the local Portland security community to receive top quality information security and application security training for prices far lower than normally offered. It's also a great chance to network with other local infosec and appsec enthusiasts and meet those who share your interests.

The 4th annual OWASP Portland 2019 Training Day date will be on September 25, 2019. See [[#Details|Details]] for more info.

General Registration will open at 9am PST on August 15th.

Want to get news and information on our 2019 Training Day? Subscribe to the [https://groups.google.com/a/owasp.org/forum/#!forum/portland-chapter] Portland OWASP mailing list or follow [https://twitter.com/portlandowasp @PortlandOWASP] on Twitter!

=Courses=
Courses will be held in two tracks: four in the morning session, and four in the afternoon session. Each participant can register for one morning course, one afternoon course, or one of each.

== Morning Session 8:30 AM - Noon ==

=== AWS API Threat Modeling and Automated Testing ===

''Instructor: Kendra Ash''

Abstract: If you are a software, DevOps, QA or security engineer and want to learn how to threat model API's in AWS this course is for you. This course will cover the what, why, when, and how of threat modeling applications in your organization. The bulk of this course will be based on the book Threat Modeling by Adam Shostack and will leverage a variant of the Escalation of Privileges card game. Also, I will dive into the approach I have used to gain adoption from engineering teams as a security engineer.
After gaining an understanding of threat modeling, we will dive into how we can automate security checks for an AWS environment — leveraging the AWS CLI tool to provide quick engineering feedback on ways to improve the security of their infrastructure.

Takeaways:

- Learn the basics of threat modeling

- Learn ways to gain adoption by your peers

- How to automate security checks for AWS

Bio: Kendra Ash (@securelykash) is an information security engineer at Vacasa, actively building a security team and program by leveraging guidance from her network and industry standards. Co presenting is Ryan Nixon (@<code>taiidani)</code> an experienced DevOps engineer who deeply cares about the security of all applications. Constantly looking for ways to keep all server and application configurations in order with proper auditing & pipelines.

Prerequisites:- no previous knowledge is required- this course is for all levels and jobs (QA, DevOps, Security and Software Engineer)

=== Applied Physical Attacks on Embedded Systems, Introductory Version ===

''Instructor: Joe FitzPatrick''

Abstract: This workshop introduces several different relatively accessible interfaces on embedded systems. Attendees will get hands-on experience with UART, SPI, and JTAG interfaces on a MIPS-based wifi router. After a brief architectural overview of each interface, hands-on labs will guide through the process understanding, observing, interacting with, and exploiting the interface to potentially access a root shell on the target.

=== Security Tools and Jenkins Pipeline ===

''Instructor: Sneha Kokil''

Abstract: Modern application development embeds security activities in SDLC, while adopting DevSecOps culture. Security tools are being viewed in the context of continuous integration and automation, which are the key factors in achieving a successful DevSecOps implementation. Integrating security tools in the CI/CD pipelines has become a primary focus of most of the organizations, who are striving to build application security from within. This workshop focuses on getting a good understanding of how some of the open source security tools can be integrated in Jenkins CI/CD pipeline for languages such as Go and Java, along with application container scanning solutions. The workshop will be a hands-on experience, where the participants will write their own pipeline code for integrating security tools. The key takeaways from this workshop will help participants experience how security tooling fits into CI/CD pipelines. It will also help them appreciate the real-world challenges and possible solutions, when integrating security in existing SDLC.

Bio: Sneha Kokil is a senior security consultant at Synopsys. With a master's degree in information security from Northeastern University, along with several years of development and security experience, she specializes in integrating software security toolchains within SDLC processes. She is immensely passionate about DevSecOps and how it helps building security in. Outside of work, she is an avid biography and science fiction reader, a swimmer, and a mother to a wonderful daughter.

=== OWASP Top 10 / Juice Shop Hack Session ===

''Instructor: David Quisenberry''

Abstract: This session is meant for those new to OWASP Top Ten. We will go over the OWASP Top Ten - where it came from, what it’s good for, what are the top ten, etc. And illustrate the concepts in the OWASP Top Ten through another OWASP Flagship Project - The OWASP Juice Shop. This will be a hands on class so everyone can follow along in the Juice Shop to explore the concepts. There will be time at the end for everyone to continue on their vulnerability hunting and a friendly Juice Shop CTF.

Bio: David Quisenberry (@dmqpdx16) is a backend developer and security champion with Daylight Studio, a local Portland boutique web agency. He serves on the Portland OWASP board as Outreach/Events coordinator and does what he can to up the involvement of established and emerging software developers in security conversations.

Prerequisites: Laptop capable of running docker and burpsuite.

== Afternoon Session: 1:30 PM - 5:00 PM ==

=== Advanced Application Security Testing ===

''Instructor: Timothy Morgan''

Abstract: This course takes students beyond the most basic web application exploitation scenarios, focusing on advanced SQL injection, XML eXternal Entities (XXE) and server-side request forgery (SSRF) attacks. The course also covers out-of-band detection and exfiltration using the DNS, which has recently become a popular technique used by penetration testers.

Prerequisites: Students should be familiar with popular web application testing proxies such as Burp Proxy or OWASP ZAP. Some experience with basic SQL injection attacks is recommended.

=== Container Security ===

''Instructor: Alex Ivkin''

Abstract: "When it comes to container security there are two prevailing schools of thought - either containers are secure by default, so you should not care much, or containers can not be secure in principle, so you should avoid them at all costs. In this training you will go through the real world examples of configuring and running containers in a secure manner. You will get insights into the security of both Windows and Linux containers, container infrastructure, such as container registries and orchestration platforms - docker swarm and kubernetes. We will examine real world vulnerabilities unique to different architectures of containers and how to address them.

Takeaways:
# Building and running docker containers securely
# Avoiding common pitfalls in docker infrastructure setup (dockerd, docker registry)
# Navigating security in the container orchestration platforms (docker swarm, kubernetes)"

Bio: Alex Ivkin (@alerxes) is a Director of Solutions at Eclypsium, a local Portland company, specializing in firmware, hardware and supply chain security. Alex has deep implementation experience in a long list of security domains, including cloud, application security and IAM. He co-authored the ISACA CSX Professional certification and is an alpine climber.

Prerequisites:
* Mid to advanced level technical experience
* Basic experience with running docker containers
* Laptop with docker for windows setup and tested

=== Intro to Chrome Exploitation ===

''Instructor: Justin Angra''

Abstract: Over 3 billion browser devices are actively loading arbitrary data served by someone else. What happens if one of those pages contains maliciously crafted JavaScript? Could they capture your passwords, perform UXSS, or worse - execute local code on your machine? In this session, you will get the opportunity to explore the anatomy and play with common vulnerability patterns in the renderer process of Chrome. This will be an interactive class; please bring a laptop with Docker installed.

=== OWASP Amass: Discovering Your Exposure on the Internet ===

''Instructor: Jeff Foley ''

Abstract: Today, large organizations deal with the challenge of running their infrastructure across many networks and namespaces due to the use of cloud and hosting services, legacy environments and acquisitions. This can make it difficult to maintain visibility of Internet-facing assets and to track down systems that pose a risk to security. The OWASP Amass Project has developed a tool to help information security professionals perform network mapping of attack surfaces and perform external asset discovery. During this talk, the founder of the project will discuss how OWASP Amass uses OSINT, network reconnaissance, graph databases and information sharing to provide both attackers and defenders better visibility of target organizations.

Bio: Jeff Foley is the Founder and Project Leader of the OWASP Amass project. Mr. Foley has nearly 20 years of experience as an innovator for research & development, software engineering and red team activities in information security. He is a results-driven technical leader known for delivering game-changing research findings to overcome real-world challenges. Jeff serves as the Manager for Vulnerability Engineering at National Grid and is the CTO & Co-founder of ClaritySec, an Upstate New York based information security startup. Prior to this, he was the Director of Research for the Cyber Systems, Weapon Systems & Sensors Operation at Alion Science & Technology. While serving at Northrop Grumman, Jeff built and led the internal penetration testing team and was the program manager for offensive security research & development. Mr. Foley also shares his expertise and experience by supporting several local university information security programs and participating in information security competitions, such as the SUNY Polytechnic Institute Cybersecurity Advisory Board, Mohawk Valley Community College Computer Science Advisory Board and the CNY Hackathon Competition.

=2019 Sponsors=

'''Interested in becoming a sponsor? Here is a document outlining the opportunities: [https://drive.google.com/file/d/0BydPdSuBlQ4scm1DRmlwMVNyUE11TzdxV1VoZ1lNRTdueTBv/view?usp=sharing Sponsorship-Doc]. Reach out to david.quisenberry@owasp.org to let us know.'''

=== Mixer Sponsors===

[[File:github.png|link=https://github.com/]]              
[[File:Dasher Technologies logo.png|link=https://www.dasher.com/]]

=== Training Session Sponsors ===

[[File:ForgeRock logo.png|link=https://www.forgerock.com/]]              
[[File:Security Innovation logo.png|link=https://www.securityinnovation.com/]]              
[[File:Daylight logo.png|link=https://thedaylightstudio.com/]]              
[[File:Kraken logo.png|link=https://www.kraken.com/en-us/features/security]]              
[[File:summit.png|link=http://summitinfosec.com/]]              
[[File:WebMD logo.jpg|link=https://www.webmd.com/]]

=== Morning Coffee Sponsors ===

[[File:NetSPI 2019 logo.png|link=https://www.netspi.com/]]

=== General Sponsors ===

[[File:Vacasa Logo .png|frameless|375x375px]]

== 2018 Sponsors ==

=== Mixer Sponsors===

[[File:github.png|link=https://github.com/]]

=== Training Session Sponsors ===

[[File:newrelic.png|link=https://newrelic.com/]]              
[[File:summit.png|link=http://summitinfosec.com/]]              
[[File:OCI Logo.png|link=https://cloud.oracle.com/en_US/iaas]]              
[[File:ForgeRock logo.png|link=https://www.forgerock.com/]]              
[[File:Security Innovation logo.png|link=https://www.securityinnovation.com/]]

=== Morning Coffee Sponsors ===

[[File:OCI Logo.png|link=https://cloud.oracle.com/en_US/iaas]]

=== General Sponsors ===

[[File:simple.png|link=https://simple.com/]]              

=Details=
OWASP Portland 2019 Training Day will be on September 25, 2019.

This year for the 2nd time, we'll be located at:

World Trade Center Portland
121 SW Salmon St.
Portland, OR 97204.

Later in the evening, a social mixer will also be held at Rock Bottom Restaurant & Brewery, just a short walk away:

206 SW Morrison St
Portland, OR 97204

===Schedule===
{| class="wikitable"
! |Time
! colspan="4" |Activity
|-
| style="padding: 0.5em;" |8:00 AM - 8:30 AM
| colspan="4" style="padding: 0.5em;" |Morning Registration and Continental Breakfast
|-
| style="padding: 0.5em;" |8:30 AM - 12:00 PM
| style="padding: 0.5em;" |AWS API Threat Modeling and Automated Testing (Kendra Ash)
| style="padding: 0.5em;" |Applied Physical Attacks on Embedded Systems, Introductory Version (Joe FitzPatrick)
| style="padding: 0.5em;" |Security Tools and Jenkins Pipeline (Sneha Kokil)
| style="padding: 0.5em;" |OWASP Top 10 / Juice Shop Hack Session (David Quisenberry)
|-
| style="padding: 0.5em;" |12:00 PM - 1:30 PM
| colspan="4" style="padding: 0.5em;" | Lunch on your own - ''Meet a new friend and grab a bite!''
|-
| style="padding: 0.5em;" |1:00 PM - 1:30 PM
| colspan="4" style="padding: 0.5em;" | Afternoon Registration (for those attending only in the afternoon)
|-
| style="padding: 0.5em;" |1:30 PM - 5:00 PM
| style="padding: 0.5em;" |Advanced Application Security Testing (Timothy Morgan)
| style="padding: 0.5em;" |Container Security (Alex Ivkin)
| style="padding: 0.5em;" |Intro to Chrome Exploitation (Justin Angra)
| style="padding: 0.5em;" |OWASP Amass: Discovering Your Exposure on the Internet (Jeff Foley)
|-
| style="padding: 0.5em;" |5:00 PM - 7:30 PM
| colspan="4" style="padding: 0.5em;" | Evening Mixer @ Rock Bottom Restaurant and Brewery
|}

Interested in teaching a training at Training Day 2019? Contact Portland OWASP via the mailing list or Twitter!

=== Lunch Ideas ===

Here are some lunch ideas:
* Farmhouse Cafe, 101 SW Main St.
* The Good Earth Cafe, 1136 SW 3rd Ave.
* Chipotle Mexican Grill, 240 SW Yamhill St.
* Luc Lac Vietnamese Kitchen, 835 SW 2nd Ave.
* Rock Bottom Restaurant & Brewery, 206 SW Morrison St.
* Buffalo Wild Wings, 327 SW Morrison St.
* Cafe Yumm, 301 SW Morrison St.
* Killer Burger, 510 SW 3rd Ave.
* House of Ramen, 223 SW Columbia St.
* There are some food carts north of the World Trade Center on SW 3rd Ave. and SW Stark St.

=How to Register=

Registration will again be via EventBrite

Thank you to the OWASP Foundation and the many sponsors, trainers, volunteers and trainers that have helped make Training Day a success and allow us to continue!

File:NetSPI 2019 logo.png

2019-08-09T17:54:39Z

Bzhao:

NetSPI 2019 logo

File:Dasher Technologies logo.png

2019-08-09T17:53:05Z

Bzhao:

Dasher Technologies logo

File:WebMD logo.jpg

2019-08-09T17:50:15Z

Bzhao:

WebMD logo

File:Kraken logo.png

2019-08-09T17:49:05Z

Bzhao:

Kraken logo

File:Daylight logo.png

2019-08-09T17:47:36Z

Bzhao:

Daylight Studio logo

OWASP Portland 2019 Training Day

2019-07-30T17:02:54Z

Bzhao:

For the fourth year in a row, the Portland OWASP chapter is proud to host our information security training day! This is be an excellent opportunity for the local Portland security community to receive top quality information security and application security training for prices far lower than normally offered. It's also a great chance to network with other local infosec and appsec enthusiasts and meet those who share your interests.

The 4th annual OWASP Portland 2019 Training Day date will be on September 25, 2019. See [[#Details|Details]] for more info.

General registration date will be announced soon.

Want to get news and information on our 2019 Training Day? Subscribe to the [https://groups.google.com/a/owasp.org/forum/#!forum/portland-chapter] Portland OWASP mailing list or follow [https://twitter.com/portlandowasp @PortlandOWASP] on Twitter!

=Courses=
Courses will be held in two tracks: four in the morning session, and four in the afternoon session. Each participant can register for one morning course, one afternoon course, or one of each.

== Morning Session 8:30 AM - Noon ==

=== AWS API Threat Modeling and Automated Testing ===

''Instructor: Kendra Ash''

Abstract: If you are a software, DevOps, QA or security engineer and want to learn how to threat model API's in AWS this course is for you. This course will cover the what, why, when, and how of threat modeling applications in your organization. The bulk of this course will be based on the book Threat Modeling by Adam Shostack and will leverage a variant of the Escalation of Privileges card game. Also, I will dive into the approach I have used to gain adoption from engineering teams as a security engineer.
After gaining an understanding of threat modeling, we will dive into how we can automate security checks for an AWS environment — leveraging the AWS CLI tool to provide quick engineering feedback on ways to improve the security of their infrastructure.

Bio: Kendra Ash (@securelykash) is an information security engineer at Vacasa, actively building a security team and program by leveraging guidance from her network and industry standards.

=== Applied Physical Attacks on Embedded Systems, Introductory Version ===

''Instructor: Joe FitzPatrick''

Abstract: This workshop introduces several different relatively accessible interfaces on embedded systems. Attendees will get hands-on experience with UART, SPI, and JTAG interfaces on a MIPS-based wifi router. After a brief architectural overview of each interface, hands-on labs will guide through the process understanding, observing, interacting with, and exploiting the interface to potentially access a root shell on the target.

=== Security Tools and Jenkins Pipeline ===

''Instructor: Sneha Kokil''

Abstract: Modern application development embeds security activities in SDLC, while adopting DevSecOps culture. Security tools are being viewed in the context of continuous integration and automation, which are the key factors in achieving a successful DevSecOps implementation. Integrating security tools in the CI/CD pipelines has become a primary focus of most of the organizations, who are striving to build application security from within. This workshop focuses on getting a good understanding of how some of the open source security tools can be integrated in Jenkins CI/CD pipeline for languages such as Go and Java, along with application container scanning solutions. The workshop will be a hands-on experience, where the participants will write their own pipeline code for integrating security tools. The key takeaways from this workshop will help participants experience how security tooling fits into CI/CD pipelines. It will also help them appreciate the real-world challenges and possible solutions, when integrating security in existing SDLC.

Bio: Sneha Kokil is a senior security consultant at Synopsys. With a master's degree in information security from Northeastern University, along with several years of development and security experience, she specializes in integrating software security toolchains within SDLC processes. She is immensely passionate about DevSecOps and how it helps building security in. Outside of work, she is an avid biography and science fiction reader, a swimmer, and a mother to a wonderful daughter.

=== OWASP Top 10 / Juice Shop Hack Session ===

''Instructor: David Quisenberry''

Abstract: This session is meant for those new to OWASP Top Ten. We will go over the OWASP Top Ten - where it came from, what it’s good for, what are the top ten, etc. And illustrate the concepts in the OWASP Top Ten through another OWASP Flagship Project - The OWASP Juice Shop. This will be a hands on class so everyone can follow along in the Juice Shop to explore the concepts. There will be time at the end for everyone to continue on their vulnerability hunting and a friendly Juice Shop CTF.

Bio: David Quisenberry (@dmqpdx16) is a backend developer and security champion with Daylight Studio, a local Portland boutique web agency. He serves on the Portland OWASP board as Outreach/Events coordinator and does what he can to up the involvement of established and emerging software developers in security conversations.

Prerequisites: Laptop capable of running docker and burpsuite.

== Afternoon Session: 1:30 PM - 5:00 PM ==

=== Advanced Application Security Testing ===

''Instructor: Timothy Morgan''

Abstract: This course takes students beyond the most basic web application exploitation scenarios, focusing on advanced SQL injection, XML eXternal Entities (XXE) and server-side request forgery (SSRF) attacks. The course also covers out-of-band detection and exfiltration using the DNS, which has recently become a popular technique used by penetration testers.

Prerequisites: Students should be familiar with popular web application testing proxies such as Burp Proxy or OWASP ZAP. Some experience with basic SQL injection attacks is recommended.

=== Container Security ===

''Instructor: Alex Ivkin''

Abstract: "When it comes to container security there are two prevailing schools of thought - either containers are secure by default, so you should not care much, or containers can not be secure in principle, so you should avoid them at all costs. In this training you will go through the real world examples of configuring and running containers in a secure manner. You will get insights into the security of both Windows and Linux containers, container infrastructure, such as container registries and orchestration platforms - docker swarm and kubernetes. We will examine real world vulnerabilities unique to different architectures of containers and how to address them.

Takeaways:
# Building and running docker containers securely
# Avoiding common pitfalls in docker infrastructure setup (dockerd, docker registry)
# Navigating security in the container orchestration platforms (docker swarm, kubernetes)"

Bio: Alex Ivkin (@alerxes) is a Director of Solutions at Eclypsium, a local Portland company, specializing in firmware, hardware and supply chain security. Alex has deep implementation experience in a long list of security domains, including cloud, application security and IAM. He co-authored the ISACA CSX Professional certification and is an alpine climber.

Prerequisites:
* Mid to advanced level technical experience
* Basic experience with running docker containers
* Laptop with docker for windows setup and tested

=== Intro to Chrome Exploitation ===

''Instructor: Justin Angra''

Abstract: Over 3 billion browser devices are actively loading arbitrary data served by someone else. What happens if one of those pages contains maliciously crafted JavaScript? Could they capture your passwords, perform UXSS, or worse - execute local code on your machine? In this session, you will get the opportunity to explore the anatomy and play with common vulnerability patterns in the renderer process of Chrome. This will be an interactive class; please bring a laptop with Docker installed.

=== OWASP Amass: Discovering Your Exposure on the Internet ===

''Instructor: Jeff Foley ''

Abstract: Today, large organizations deal with the challenge of running their infrastructure across many networks and namespaces due to the use of cloud and hosting services, legacy environments and acquisitions. This can make it difficult to maintain visibility of Internet-facing assets and to track down systems that pose a risk to security. The OWASP Amass Project has developed a tool to help information security professionals perform network mapping of attack surfaces and perform external asset discovery. During this talk, the founder of the project will discuss how OWASP Amass uses OSINT, network reconnaissance, graph databases and information sharing to provide both attackers and defenders better visibility of target organizations.

Bio: Jeff Foley is the Founder and Project Leader of the OWASP Amass project. Mr. Foley has nearly 20 years of experience as an innovator for research & development, software engineering and red team activities in information security. He is a results-driven technical leader known for delivering game-changing research findings to overcome real-world challenges. Jeff serves as the Manager for Vulnerability Engineering at National Grid and is the CTO & Co-founder of ClaritySec, an Upstate New York based information security startup. Prior to this, he was the Director of Research for the Cyber Systems, Weapon Systems & Sensors Operation at Alion Science & Technology. While serving at Northrop Grumman, Jeff built and led the internal penetration testing team and was the program manager for offensive security research & development. Mr. Foley also shares his expertise and experience by supporting several local university information security programs and participating in information security competitions, such as the SUNY Polytechnic Institute Cybersecurity Advisory Board, Mohawk Valley Community College Computer Science Advisory Board and the CNY Hackathon Competition.

=2019 Sponsors=

'''Interested in becoming a sponsor? Here is a document outlining the opportunities: [https://drive.google.com/file/d/0BydPdSuBlQ4scm1DRmlwMVNyUE11TzdxV1VoZ1lNRTdueTBv/view?usp=sharing Sponsorship-Doc]. Reach out to david.quisenberry@owasp.org to let us know.'''

== 2018 Sponsors ==

=== Mixer Sponsors===

[[File:github.png|link=https://github.com/]]

=== Training Session Sponsors ===

[[File:newrelic.png|link=https://newrelic.com/]]              
[[File:summit.png|link=http://summitinfosec.com/]]              
[[File:OCI Logo.png|link=https://cloud.oracle.com/en_US/iaas]]              
[[File:ForgeRock logo.png|link=https://www.forgerock.com/]]              
[[File:Security Innovation logo.png|link=https://www.securityinnovation.com/]]

=== Morning Coffee Sponsors ===

[[File:OCI Logo.png|link=https://cloud.oracle.com/en_US/iaas]]

=== General Sponsors ===

[[File:simple.png|link=https://simple.com/]]              

=Details=
OWASP Portland 2019 Training Day will be on September 25, 2019.

This year for the 2nd time, we'll be located at:

World Trade Center Portland
121 SW Salmon St.
Portland, OR 97204.

Later in the evening, a social mixer will also be held at Rock Bottom Restaurant & Brewery, just a short walk away:

206 SW Morrison St
Portland, OR 97204

===Schedule===
{| class="wikitable"
! |Time
! colspan="4" |Activity
|-
| style="padding: 0.5em;" |8:00 AM - 8:30 AM
| colspan="4" style="padding: 0.5em;" |Morning Registration and Continental Breakfast
|-
| style="padding: 0.5em;" |8:30 AM - 12:00 PM
| style="padding: 0.5em;" |AWS API Threat Modeling and Automated Testing (Kendra Ash)
| style="padding: 0.5em;" |Applied Physical Attacks on Embedded Systems, Introductory Version (Joe FitzPatrick)
| style="padding: 0.5em;" |Security Tools and Jenkins Pipeline (Sneha Kokil)
| style="padding: 0.5em;" |OWASP Top 10 / Juice Shop Hack Session (David Quisenberry)
|-
| style="padding: 0.5em;" |12:00 PM - 1:30 PM
| colspan="4" style="padding: 0.5em;" | Lunch on your own - ''Meet a new friend and grab a bite!''
|-
| style="padding: 0.5em;" |1:00 PM - 1:30 PM
| colspan="4" style="padding: 0.5em;" | Afternoon Registration (for those attending only in the afternoon)
|-
| style="padding: 0.5em;" |1:30 PM - 5:00 PM
| style="padding: 0.5em;" |Advanced Application Security Testing (Timothy Morgan)
| style="padding: 0.5em;" |Container Security (Alex Ivkin)
| style="padding: 0.5em;" |Intro to Chrome Exploitation (Justin Angra)
| style="padding: 0.5em;" |OWASP Amass: Discovering Your Exposure on the Internet (Jeff Foley)
|-
| style="padding: 0.5em;" |5:00 PM - 7:30 PM
| colspan="4" style="padding: 0.5em;" | Evening Mixer @ Rock Bottom Restaurant and Brewery
|}

Interested in teaching a training at Training Day 2019? Contact Portland OWASP via the mailing list or Twitter!

=== Lunch Ideas ===

Here are some lunch ideas:
* Farmhouse Cafe, 101 SW Main St.
* The Good Earth Cafe, 1136 SW 3rd Ave.
* Chipotle Mexican Grill, 240 SW Yamhill St.
* Luc Lac Vietnamese Kitchen, 835 SW 2nd Ave.
* Rock Bottom Restaurant & Brewery, 206 SW Morrison St.
* Buffalo Wild Wings, 327 SW Morrison St.
* Cafe Yumm, 301 SW Morrison St.
* Killer Burger, 510 SW 3rd Ave.
* House of Ramen, 223 SW Columbia St.
* There are some food carts north of the World Trade Center on SW 3rd Ave. and SW Stark St.

=How to Register=

Registration will again be via EventBrite

Thank you to the OWASP Foundation and the many sponsors, trainers, volunteers and trainers that have helped make Training Day a success and allow us to continue!

OWASP Portland 2019 Training Day

2019-07-09T05:16:37Z

Bzhao: Update available courses so far

Portland

2019-01-15T09:01:00Z

Bzhao: Add Vacasa Logo as Chapter Support

Welcome to the Portland, Oregon OWASP Chapter.

[[File:Portland_and_Mt_Hood.jpg]]

=Events=

Past and future event information can be found in [http://calagator.org/events/search?query=OWASP Calagator].

The Portland OWASP chapter aims to hold a chapter meeting once every month. There is also an OWASP training day held each year, featuring workshops ranging in multiple information security practices.

Feel free to join us on [https://www.meetup.com/OWASP-Portland-Chapter/ Meetup], [https://www.linkedin.com/groups/4223013/ LinkedIn], and follow us on [https://twitter.com/PortlandOWASP Twitter] for upcoming events!
=For Participants=
OWASP Foundation ([https://docs.google.com/a/owasp.org/presentation/d/1ZgY25F0F7QgScMlB1X7LAa70LtyJql8XqcYdR4suPUo/edit#slide=id.p Overview Slides]) is a professional association of[[Membership | global members]] and is and open to anyone interested in learning more about software security. Local chapters are run independently by volunteers and guided by the [[Chapter_Leader_Handbook|Handbook]].

If you are interested in attending chapter meetings or otherwise getting involved, we strongly encourage you to join the [http://lists.owasp.org/mailman/listinfo/owasp-Portland local chapter email list]. This list is low-volume, but acts as a great resource for local security information and announcements about chapter meetings.

=For Speakers=
We would be thrilled if you would like to come give a talk at one of our chapter meetings. Anything security-related is a good candidate for a talk and will likely draw an interested audience. Suggestions for possible topics for future meetings:

* Integrating security into an SDLC
* HTML5 security
* Social engineering
* Application Security Tools Review & Comparisons
* Discussion starters for controversial security topics
* Your experiences trying to implement a security solution
* Security basics talks; introductions to secure coding practices

Our OWASP meetings typically draw between 15 to 25 attendees. Chapter meetings are a great place to do a dry run of talks you intend to give at conferences or just to connect with locals. Before you present, please be sure you carefully review the [[Speaker_Agreement | speaker agreement]].

= OWASP Annual Training Day =
[[OWASP Portland 2018 Training Day|2018 Training Day]]

[[OWASP Portland 2017 Training Day|2017 Training Day]]

[[OWASP Portland 2016 Training Day|2016 Training Day]]

=Contact=

Your current Portland chapter board:

*Bhushan Gupta - 2018 Chapter Leader
*Ian Melven - 2019 Chapter Leader
*David Quisenberry - Community Outreach
*Sonny Nallamilli - 2018 Treasurer
*Benny Zhao - 2019 Treasurer

Other volunteers and organizers:

*James Bohem
*Adam Russell <adam . russell {a} owasp . org>
*Matthew Lapworth
*Katie Feucht
*Timothy D. Morgan <tim . morgan {a} owasp . org> - Founder
*AJ Dexter (aj.dexter 'at' gmail.com) - Founder (now retired)

__NOTOC__

<headertabs />

= Chapter Supporters =
Besides being funded through individual contributions and chapter memberships, our chapter is also supported through corporate sponsors. We would like to thank our sponsors for making many excellent activities possible:

== 2019 ==
=== Champion Supporters ===
[[File:simple-logo.png|x100px|link=https://simple.com/]]             
[[File:Newrelic-logo.png|x100px|frameless|link=https://newrelic.com/]]

[[File:Vacasa Logo .png|frameless|375x375px]]

[[OWASP Portland Sponsorship Archive|Past Chapter Supporters]]

<big>Want to become a chapter supporter? See the [[OWASP Portland Sponsorship Policy]] for more information.</big>

== Donate ==
OWASP is non-profit, volunteer-managed organization. All chapters are organized by volunteers. By donating to your local chapter or becoming an OWASP member, you help support a variety of activities and events including chapter meetings, competitions, and training. As a [[About_OWASP | 501(c)(3)]] non-profit professional association your support and sponsorship of any meeting venue and/or refreshments is tax-deductible. Financial contributions should only be made online using the authorized online chapter donation button.

[[Image:Btn_donate_SM.gif|link=http://www.regonline.com/donation_1044369]] to this chapter or become a local chapter supporter.

Or consider the value of [[Membership | Individual, Corporate, or Academic Supporter membership]]. Ready to become a member? [[Image:Join_Now_BlueIcon.JPG|75px|link=https://myowasp.force.com/memberappregion]]

[[Category:Oregon]]
[[Category:OWASP Chapter]]

File:Vacasa Logo .png

2019-01-15T08:57:50Z

Bzhao:

Vacasa Logo

File:Vacasa Logo.png

2019-01-15T08:55:58Z

Bzhao:

Vacasa Logo

Portland

2019-01-09T21:10:25Z

Bzhao: 2019 update on supporters for chapter

Welcome to the Portland, Oregon OWASP Chapter.

[[File:Portland_and_Mt_Hood.jpg]]

=Events=

Past and future event information can be found in [http://calagator.org/events/search?query=OWASP Calagator].

The Portland OWASP chapter aims to hold a chapter meeting once every month. There is also an OWASP training day held each year, featuring workshops ranging in multiple information security practices.

Feel free to join us on [https://www.meetup.com/OWASP-Portland-Chapter/ Meetup], [https://www.linkedin.com/groups/4223013/ LinkedIn], and follow us on [https://twitter.com/PortlandOWASP Twitter] for upcoming events!
=For Participants=
OWASP Foundation ([https://docs.google.com/a/owasp.org/presentation/d/1ZgY25F0F7QgScMlB1X7LAa70LtyJql8XqcYdR4suPUo/edit#slide=id.p Overview Slides]) is a professional association of[[Membership | global members]] and is and open to anyone interested in learning more about software security. Local chapters are run independently by volunteers and guided by the [[Chapter_Leader_Handbook|Handbook]].

If you are interested in attending chapter meetings or otherwise getting involved, we strongly encourage you to join the [http://lists.owasp.org/mailman/listinfo/owasp-Portland local chapter email list]. This list is low-volume, but acts as a great resource for local security information and announcements about chapter meetings.

=For Speakers=
We would be thrilled if you would like to come give a talk at one of our chapter meetings. Anything security-related is a good candidate for a talk and will likely draw an interested audience. Suggestions for possible topics for future meetings:

* Integrating security into an SDLC
* HTML5 security
* Social engineering
* Application Security Tools Review & Comparisons
* Discussion starters for controversial security topics
* Your experiences trying to implement a security solution
* Security basics talks; introductions to secure coding practices

Our OWASP meetings typically draw between 15 to 25 attendees. Chapter meetings are a great place to do a dry run of talks you intend to give at conferences or just to connect with locals. Before you present, please be sure you carefully review the [[Speaker_Agreement | speaker agreement]].

= OWASP Annual Training Day =
[[OWASP Portland 2018 Training Day|2018 Training Day]]

[[OWASP Portland 2017 Training Day|2017 Training Day]]

[[OWASP Portland 2016 Training Day|2016 Training Day]]

=Contact=

Your current Portland chapter board:

*Bhushan Gupta - 2018 Chapter Leader
*Ian Melven - 2019 Chapter Leader
*David Quisenberry - Community Outreach
*Sonny Nallamilli - 2018 Treasurer
*Benny Zhao - 2019 Treasurer

Other volunteers and organizers:

*James Bohem
*Adam Russell <adam . russell {a} owasp . org>
*Matthew Lapworth
*Katie Feucht
*Timothy D. Morgan <tim . morgan {a} owasp . org> - Founder
*AJ Dexter (aj.dexter 'at' gmail.com) - Founder (now retired)

__NOTOC__

<headertabs />

= Chapter Supporters =
Besides being funded through individual contributions and chapter memberships, our chapter is also supported through corporate sponsors. We would like to thank our sponsors for making many excellent activities possible:

== 2019 ==
=== Champion Supporters ===
[[File:simple-logo.png|x100px|link=https://simple.com/]]             
[[File:Newrelic-logo.png|x100px|frameless|link=https://newrelic.com/]]

[[OWASP Portland Sponsorship Archive|Past Chapter Supporters]]

<big>Want to become a chapter supporter? See the [[OWASP Portland Sponsorship Policy]] for more information.</big>

== Donate ==
OWASP is non-profit, volunteer-managed organization. All chapters are organized by volunteers. By donating to your local chapter or becoming an OWASP member, you help support a variety of activities and events including chapter meetings, competitions, and training. As a [[About_OWASP | 501(c)(3)]] non-profit professional association your support and sponsorship of any meeting venue and/or refreshments is tax-deductible. Financial contributions should only be made online using the authorized online chapter donation button.

[[Image:Btn_donate_SM.gif|link=http://www.regonline.com/donation_1044369]] to this chapter or become a local chapter supporter.

Or consider the value of [[Membership | Individual, Corporate, or Academic Supporter membership]]. Ready to become a member? [[Image:Join_Now_BlueIcon.JPG|75px|link=https://myowasp.force.com/memberappregion]]

[[Category:Oregon]]
[[Category:OWASP Chapter]]

OWASP Portland Sponsorship Archive

2019-01-09T21:00:09Z

Bzhao: Archive past supporters

Portland

2018-11-16T07:45:16Z

Bzhao: Add Meetup page, Twitter, and Training Day links

Welcome to the Portland, Oregon OWASP Chapter.

[[File:Portland_and_Mt_Hood.jpg]]

=Events=

Past and future event information can be found in [http://calagator.org/events/search?query=OWASP Calagator].

The Portland OWASP chapter aims to hold a chapter meeting once every month. There is also an OWASP training day held each year, featuring workshops ranging in multiple information security practices.

Feel free to join us on our [https://www.meetup.com/OWASP-Portland-Chapter/ Meetup Page] and follow us on [https://twitter.com/PortlandOWASP Twitter] for upcoming events!
=For Participants=
OWASP Foundation ([https://docs.google.com/a/owasp.org/presentation/d/1ZgY25F0F7QgScMlB1X7LAa70LtyJql8XqcYdR4suPUo/edit#slide=id.p Overview Slides]) is a professional association of[[Membership | global members]] and is and open to anyone interested in learning more about software security. Local chapters are run independently by volunteers and guided by the [[Chapter_Leader_Handbook|Handbook]].

If you are interested in attending chapter meetings or otherwise getting involved, we strongly encourage you to join the [http://lists.owasp.org/mailman/listinfo/owasp-Portland local chapter email list]. This list is low-volume, but acts as a great resource for local security information and announcements about chapter meetings.

=For Speakers=
We would be thrilled if you would like to come give a talk at one of our chapter meetings. Anything security-related is a good candidate for a talk and will likely draw an interested audience. Suggestions for possible topics for future meetings:

* Integrating security into an SDLC
* HTML5 security
* Social engineering
* Application Security Tools Review & Comparisons
* Discussion starters for controversial security topics
* Your experiences trying to implement a security solution
* Security basics talks; introductions to secure coding practices

Our OWASP meetings typically draw between 15 to 25 attendees. Chapter meetings are a great place to do a dry run of talks you intend to give at conferences or just to connect with locals. Before you present, please be sure you carefully review the [[Speaker_Agreement | speaker agreement]].

= OWASP Annual Training Day =
[[OWASP Portland 2018 Training Day|2018 Training Day]]

[[OWASP Portland 2017 Training Day|2017 Training Day]]

[[OWASP Portland 2016 Training Day|2016 Training Day]]

=Contact=

Your current Portland chapter board:

*Bhushan Gupta - Chapter Leader
*Ian Melven - Community Outreach
*Sonny Nallamilli - Treasurer

Other volunteers and organizers:

*James Bohem
*Adam Russell <adam . russell {a} owasp . org>
*Matthew Lapworth
*Katie Feucht
*Timothy D. Morgan <tim . morgan {a} owasp . org> - Founder
*AJ Dexter (aj.dexter 'at' gmail.com) - Founder (now retired)

__NOTOC__

<headertabs />

= Chapter Supporters =
Besides being funded through individual contributions and chapter memberships, our chapter is also supported through corporate sponsors. We would like to thank our sponsors for making many excellent activities possible:

== 2017 ==
=== Champion Supporters ===
None yet!

=== Signature Supporters ===
[[File:simple-logo.png|x100px|link=https://simple.com/]]

=== Patron Supporters ===
None yet!

== 2016 ==

=== Signature Supporters ===
[[File:simple-logo.png|x100px|link=https://simple.com/]]             
[[File:Newrelic-logo.png|x100px|frameless|link=https://newrelic.com/]]

=== Patron Supporters ===
[[File:Jama-logo.png|x100px|frameless|link=https://www.jamasoftware.com/]]             
[[File:webmd.png|x110px|frameless|link=https://www.webmdhealthservices.com/]]

[[OWASP Portland Sponsorship Archive|Past Chapter Supporters]]

<big>Want to become a chapter supporter? See the [[OWASP Portland Sponsorship Policy]] for more information.</big>

== Donate ==
OWASP is non-profit, volunteer-managed organization. All chapters are organized by volunteers. By donating to your local chapter or becoming an OWASP member, you help support a variety of activities and events including chapter meetings, competitions, and training. As a [[About_OWASP | 501(c)(3)]] non-profit professional association your support and sponsorship of any meeting venue and/or refreshments is tax-deductible. Financial contributions should only be made online using the authorized online chapter donation button.

[[Image:Btn_donate_SM.gif|link=http://www.regonline.com/donation_1044369]] to this chapter or become a local chapter supporter.

Or consider the value of [[Membership | Individual, Corporate, or Academic Supporter membership]]. Ready to become a member? [[Image:Join_Now_BlueIcon.JPG|75px|link=https://myowasp.force.com/memberappregion]]

[[Category:Oregon]]
[[Category:OWASP Chapter]]

OWASP Portland 2018 Training Day

2018-09-27T17:38:33Z

Bzhao:

For the third year in a row, the Portland OWASP chapter is proud to host our information security training day! This is be an excellent opportunity for those interested to receive top quality information security and application security training for prices far lower than normally offered. It's also a great chance to network with the local infosec community and meet those who share your interests.

OWASP Portland 2018 Training Day will be '''October 3, 2018.''' See [[#Details|Details]] for more info.

General registration is open on September 1, 2018. If you have recently donated to the OWASP Portland Chapter by accident (thinking you have registered for a course), we will issue you a refund. When registration is open, you should be able to select the available courses you want to take.

Want to get news and information on our 2018 Training Day? Subscribe to the Portland OWASP mailing list or follow @PortlandOWASP on Twitter!

=Courses=
Courses will be held in two tracks: four in the morning session, and four in the afternoon session. Each participant can register for one morning course, or one afternoon course, or one of each.

== Morning Session 8:30 AM - Noon ==

=== Intro to Hacking Web 3.0 ===

==== Sponsored by Security Innovation ====

''Instructor: Mick Ayzenberg''

Abstract: In this half day course, we will introduce several emerging Blockchain concepts such as Web 3.0, smart contracts, and decentralized applications (DApps). You will get the opportunity to explore and interact with applications on this platform, and will be introduced to several of the most common vulnerability categories found in smart contracts through a capture the flag platform. This class will be highly interactive, so bring a laptop. No previous Blockchain experience required.

=== Introduction to Computer Forensics ===

''Instructor: Kris Rosenberg''

Abstract: It’s 3AM and the phone rings… ok, maybe not 3AM, but you get the call that a computer system on your network is acting strange. After taking a look you realize that this system may be infected with malware, or possibly you have an active intruder inside your network. What do you do next? This session will guide you through the basic initial steps that can be taken in a security incident to effectively isolate and contain the attack and collect evidence for potential future prosecution. We will introduce the PICERL framework for incident handling and discuss each phase in detail: Planning, Identification, Containment, Eradication, Recovery, and Lessons Learned. At the end of the session you should have a basic understanding of how to respond to a potential security incident, and preserve any evidence that may be needed.

=== Intro to Practical Internal Vulnerability Scanning ===

==== Sponsored by Summit Security Group, LLC ====

''Instructor: Patterson Cake''

Abstract: If your organization has the resources to scan all of the things all of the time, this course may not be for you! If, however, you are like most organizations, struggling to keep up and to make tangible progress towards improving your security posture, read on! In this course, we'll discuss scanning tools and techniques to help you identify unknown devices, sensitive data exposure, and system misconfigurations within your environment, using open-source and built-in tools, like Nmap and PowerShell, along with some good old-fashioned NI (Natural Intelligence). We'll focus on practical, tactical ways to find things like unapproved IoT devices on your network, sensitive data shares with "Everyone" permissions, and web apps with default credentials, things you care about which are often easy to remediate but may not show up on traditional vulnerability or compliance scans.

Prerequisites: Laptop capable of running a recent version of Nmap (Windows, Linux or Mac) with admin/root privileges.

=== Incident Handling in Cloud Environment - a primer ===

==== Sponsored by ForgeRock ====

''Instructor: Derek Hill''

Abstract: Have you ever wondered what it takes to investigate an incident inside your company network? What about your assets stored in a public cloud? When does an event become an incident? Who decides this? We will cover the important steps of an incident handling process, including getting you started in creating your own incident handling plan. We will talk about the challenges of doing this in cloud, where you don't have physical access to the machines. You will walk away with an understanding of the fundamental steps of incident handling as well as some examples of what to look for, how to handle collection and preservation of evidence.

== Afternoon Session: 1:30 PM - 5:00 PM ==

=== Advanced Application Security Testing ===

==== Sponsored by New Relic ====

''Instructor: Timothy Morgan''

Abstract: This course takes students beyond the most basic web application exploitation scenarios, focusing on advanced SQL injection, XML eXternal Entities (XXE) and server-side request forgery (SSRF) attacks. The course also covers out-of-band detection and exfiltration using the DNS, which has recently become a popular technique used by penetration testers.

=== AppSec Testing Beyond Pen Test ===

''Instructor: Bhushan Gupta''

Abstract: Most web application security testing efforts are concentrated around penetration testing, which is an art based on hackers’ psyche, thought process, and determination to exploit software vulnerabilities. However, does it yield a high level of confidence and sense of security in a developer’s mind? The web application developers must begin to think of building security throughout the software development life cycle (SDLC). This workshop paper focuses on an approach that aligns the web application security testing with the three basic principles of security; confidentiality, integrity, and availability (CIA). Using a simple approach, workshop teaches how to identify the most vulnerable processes in an application, highlighting the test-intensive areas. The students will learn:
# How to identify the security requirements for their business
# How to plan security testing using both statics and dynamic code analysis
# How to apply STRIDE model to evaluate critical web application components
# How to prioritizing vulnerabilities based upon DREAD model to minimize breech impact

=== Applied Physical Attacks on Embedded Systems, Introductory Version ===

''Instructor: Joe FitzPatrick''

Abstract: This workshop introduces several different relatively accessible interfaces on embedded systems. Attendees will get hands-on experience with UART, SPI, and JTAG interfaces on a MIPS-based wifi router. After a brief architectural overview of each interface, hands-on labs will guide through the process understanding, observing, interacting with, and exploiting the interface to potentially access a root shell on the target.

=== Advanced Custom Network Protocol Fuzzing ===

==== Sponsored by Oracle Cloud Infrastructure ====

''Instructor: Joshua Pereyda''

Abstract: Get hands on experience writing custom network protocol fuzzers. This class will cover the basics of network protocol ""smart fuzzing."" Exercises will utilize the open source network protocol fuzzing framework, boofuzz. Attendees will gain practice reverse engineering a network protocol, implementing and iterating on a custom fuzzer, and identifying vulnerabilities. After the course:

# You will know the basics of fuzzing.
# You will know how to write custom network protocol fuzzers using state of the art open source tools.
# You will have hands on experience with this widely-discussed but still largely mysterious test method.

=Sponsors=

'''Interested in becoming a sponsor? Watch this space for 2018 sponsorship information!'''

=== Mixer Sponsors===

[[File:github.png|link=https://github.com/]]

=== Training Session Sponsors ===

[[File:newrelic.png|link=https://newrelic.com/]]              
[[File:summit.png|link=http://summitinfosec.com/]]              
[[File:OCI Logo.png|link=https://cloud.oracle.com/en_US/iaas]]              
[[File:ForgeRock logo.png|link=https://www.forgerock.com/]]              
[[File:Security Innovation logo.png|link=https://www.securityinnovation.com/]]

=== Morning Coffee Sponsors ===

[[File:OCI Logo.png|link=https://cloud.oracle.com/en_US/iaas]]

=== General Sponsors ===

[[File:simple.png|link=https://simple.com/]]              
[[File:PNSQC 2018 125x125.jpg|link=https://www.pnsqc.org/]]

=Details=
OWASP Portland 2018 Training Day will be October 3, 2018. This year we'll be located at:

World Trade Center Portland
121 SW Salmon St.
Portland, OR 97204.

Later in the evening, a social mixer will also be held at Rock Bottom Restaurant & Brewery, just a short walk away:

206 SW Morrison St
Portland, OR 97204

===Schedule===
{| class="wikitable"
! |Time
! colspan="4" |Activity
|-
| style="padding: 0.5em;" |8:00 AM - 8:30 AM
| colspan="4" style="padding: 0.5em;" |Morning Registration and Continental Breakfast
|-
| style="padding: 0.5em;" |8:30 AM - 12:00 PM
| style="padding: 0.5em;" |Intro to Hacking Web 3.0 (Mick Ayzenberg)
| style="padding: 0.5em;" |Introduction to Computer Forensics (Kris Rosenberg)
| style="padding: 0.5em;" |Intro to Practical Internal Vulnerability Scanning (Patterson Cake)
| style="padding: 0.5em;" |Incident Handling in Cloud Environment - a primer (Derek Hill)
|-
| style="padding: 0.5em;" |12:00 PM - 1:30 PM
| colspan="4" style="padding: 0.5em;" | Lunch on your own - ''Meet a new friend and grab a bite!''
|-
| style="padding: 0.5em;" |1:00 PM - 1:30 PM
| colspan="4" style="padding: 0.5em;" | Afternoon Registration (for those attending only in the afternoon)
|-
| style="padding: 0.5em;" |1:30 PM - 5:00 PM
| style="padding: 0.5em;" |Advanced Application Security Testing (Timothy Morgan)
| style="padding: 0.5em;" |AppSec Testing Beyond Pen Test (Bhushan Gupta)
| style="padding: 0.5em;" |Applied Physical Attacks on Embedded Systems, Introductory Version (Joe FitzPatrick)
| style="padding: 0.5em;" |Advanced Custom Network Protocol Fuzzing (Joshua Pereyda)
|-
| style="padding: 0.5em;" |5:00 PM - 7:30 PM
| colspan="4" style="padding: 0.5em;" | Evening Mixer @ Rock Bottom Restaurant and Brewery
|}

=== Lunch Ideas ===

Here are some lunch ideas:
* Farmhouse Cafe, 101 SW Main St.
* The Good Earth Cafe, 1136 SW 3rd Ave.
* Chipotle Mexican Grill, 240 SW Yamhill St.
* Luc Lac Vietnamese Kitchen, 835 SW 2nd Ave.
* Rock Bottom Restaurant & Brewery, 206 SW Morrison St.
* Buffalo Wild Wings, 327 SW Morrison St.
* Cafe Yumm, 301 SW Morrison St.
* Killer Burger, 510 SW 3rd Ave.
* House of Ramen, 223 SW Columbia St.
* There are some food carts north of the World Trade Center on SW 3rd Ave. and SW Stark St.

=How to Register=

Registration is via EventBrite: https://www.eventbrite.com/e/portland-owasp-training-day-2018-tickets-48203102778

File:PNSQC 2018 125x125.jpg

2018-09-27T17:36:33Z

Bzhao:

PNSQC logo

OWASP Portland 2018 Training Day

2018-08-27T22:24:41Z

Bzhao:

For the third year in a row, the Portland OWASP chapter is proud to host our information security training day! This is be an excellent opportunity for those interested to receive top quality information security and application security training for prices far lower than normally offered. It's also a great chance to network with the local infosec community and meet those who share your interests.

OWASP Portland 2018 Training Day will be '''October 3, 2018.''' See [[#Details|Details]] for more info.

General registration is open on September 1, 2018. If you have recently donated to the OWASP Portland Chapter by accident (thinking you have registered for a course), we will issue you a refund. When registration is open, you should be able to select the available courses you want to take.

Want to get news and information on our 2018 Training Day? Subscribe to the Portland OWASP mailing list or follow @PortlandOWASP on Twitter!

=Courses=
Courses will be held in two tracks: four in the morning session, and four in the afternoon session. Each participant can register for one morning course, or one afternoon course, or one of each.

== Morning Session 8:30 AM - Noon ==

=== Intro to Hacking Web 3.0 ===

==== Sponsored by Security Innovation ====

''Instructor: Mick Ayzenberg''

Abstract: In this half day course, we will introduce several emerging Blockchain concepts such as Web 3.0, smart contracts, and decentralized applications (DApps). You will get the opportunity to explore and interact with applications on this platform, and will be introduced to several of the most common vulnerability categories found in smart contracts through a capture the flag platform. This class will be highly interactive, so bring a laptop. No previous Blockchain experience required.

=== Introduction to Computer Forensics ===

''Instructor: Kris Rosenberg''

Abstract: It’s 3AM and the phone rings… ok, maybe not 3AM, but you get the call that a computer system on your network is acting strange. After taking a look you realize that this system may be infected with malware, or possibly you have an active intruder inside your network. What do you do next? This session will guide you through the basic initial steps that can be taken in a security incident to effectively isolate and contain the attack and collect evidence for potential future prosecution. We will introduce the PICERL framework for incident handling and discuss each phase in detail: Planning, Identification, Containment, Eradication, Recovery, and Lessons Learned. At the end of the session you should have a basic understanding of how to respond to a potential security incident, and preserve any evidence that may be needed.

=== Intro to Practical Internal Vulnerability Scanning ===

==== Sponsored by Summit Security Group, LLC ====

''Instructor: Patterson Cake''

Abstract: If your organization has the resources to scan all of the things all of the time, this course may not be for you! If, however, you are like most organizations, struggling to keep up and to make tangible progress towards improving your security posture, read on! In this course, we'll discuss scanning tools and techniques to help you identify unknown devices, sensitive data exposure, and system misconfigurations within your environment, using open-source and built-in tools, like Nmap and PowerShell, along with some good old-fashioned NI (Natural Intelligence). We'll focus on practical, tactical ways to find things like unapproved IoT devices on your network, sensitive data shares with "Everyone" permissions, and web apps with default credentials, things you care about which are often easy to remediate but may not show up on traditional vulnerability or compliance scans.

Prerequisites: Laptop capable of running a recent version of Nmap (Windows, Linux or Mac) with admin/root privileges.

=== Incident Handling in Cloud Environment - a primer ===

==== Sponsored by ForgeRock ====

''Instructor: Derek Hill''

Abstract: Have you ever wondered what it takes to investigate an incident inside your company network? What about your assets stored in a public cloud? When does an event become an incident? Who decides this? We will cover the important steps of an incident handling process, including getting you started in creating your own incident handling plan. We will talk about the challenges of doing this in cloud, where you don't have physical access to the machines. You will walk away with an understanding of the fundamental steps of incident handling as well as some examples of what to look for, how to handle collection and preservation of evidence.

== Afternoon Session: 1:30 PM - 5:00 PM ==

=== Advanced Application Security Testing ===

==== Sponsored by New Relic ====

''Instructor: Timothy Morgan''

Abstract: This course takes students beyond the most basic web application exploitation scenarios, focusing on advanced SQL injection, XML eXternal Entities (XXE) and server-side request forgery (SSRF) attacks. The course also covers out-of-band detection and exfiltration using the DNS, which has recently become a popular technique used by penetration testers.

=== AppSec Testing Beyond Pen Test ===

''Instructor: Bhushan Gupta''

Abstract: Most web application security testing efforts are concentrated around penetration testing, which is an art based on hackers’ psyche, thought process, and determination to exploit software vulnerabilities. However, does it yield a high level of confidence and sense of security in a developer’s mind? The web application developers must begin to think of building security throughout the software development life cycle (SDLC). This workshop paper focuses on an approach that aligns the web application security testing with the three basic principles of security; confidentiality, integrity, and availability (CIA). Using a simple approach, workshop teaches how to identify the most vulnerable processes in an application, highlighting the test-intensive areas. The students will learn:
# How to identify the security requirements for their business
# How to plan security testing using both statics and dynamic code analysis
# How to apply STRIDE model to evaluate critical web application components
# How to prioritizing vulnerabilities based upon DREAD model to minimize breech impact

=== Applied Physical Attacks on Embedded Systems, Introductory Version ===

''Instructor: Joe FitzPatrick''

Abstract: This workshop introduces several different relatively accessible interfaces on embedded systems. Attendees will get hands-on experience with UART, SPI, and JTAG interfaces on a MIPS-based wifi router. After a brief architectural overview of each interface, hands-on labs will guide through the process understanding, observing, interacting with, and exploiting the interface to potentially access a root shell on the target.

=== Advanced Custom Network Protocol Fuzzing ===

==== Sponsored by Oracle Cloud Infrastructure ====

''Instructor: Joshua Pereyda''

Abstract: Get hands on experience writing custom network protocol fuzzers. This class will cover the basics of network protocol ""smart fuzzing."" Exercises will utilize the open source network protocol fuzzing framework, boofuzz. Attendees will gain practice reverse engineering a network protocol, implementing and iterating on a custom fuzzer, and identifying vulnerabilities. After the course:

# You will know the basics of fuzzing.
# You will know how to write custom network protocol fuzzers using state of the art open source tools.
# You will have hands on experience with this widely-discussed but still largely mysterious test method.

=Sponsors=

'''Interested in becoming a sponsor? Watch this space for 2018 sponsorship information!'''

=== Mixer Sponsors===

[[File:github.png|link=https://github.com/]]

=== Training Session Sponsors ===

[[File:newrelic.png|link=https://newrelic.com/]]              
[[File:summit.png|link=http://summitinfosec.com/]]              
[[File:OCI Logo.png|link=https://cloud.oracle.com/en_US/iaas]]              
[[File:ForgeRock logo.png|link=https://www.forgerock.com/]]              
[[File:Security Innovation logo.png|link=https://www.securityinnovation.com/]]

=== Morning Coffee Sponsors ===

[[File:OCI Logo.png|link=https://cloud.oracle.com/en_US/iaas]]

=== General Sponsors ===

[[File:simple.png|link=https://simple.com/]]

=Details=
OWASP Portland 2018 Training Day will be October 3, 2018. This year we'll be located at:

World Trade Center Portland
121 SW Salmon St.
Portland, OR 97204.

Later in the evening, a social mixer will also be held at Rock Bottom Restaurant & Brewery, just a short walk away:

206 SW Morrison St
Portland, OR 97204

===Schedule===
{| class="wikitable"
! |Time
! colspan="4" |Activity
|-
| style="padding: 0.5em;" |8:00 AM - 8:30 AM
| colspan="4" style="padding: 0.5em;" |Morning Registration and Continental Breakfast
|-
| style="padding: 0.5em;" |8:30 AM - 12:00 PM
| style="padding: 0.5em;" |Intro to Hacking Web 3.0 (Mick Ayzenberg)
| style="padding: 0.5em;" |Introduction to Computer Forensics (Kris Rosenberg)
| style="padding: 0.5em;" |Intro to Practical Internal Vulnerability Scanning (Patterson Cake)
| style="padding: 0.5em;" |Incident Handling in Cloud Environment - a primer (Derek Hill)
|-
| style="padding: 0.5em;" |12:00 PM - 1:30 PM
| colspan="4" style="padding: 0.5em;" | Lunch on your own - ''Meet a new friend and grab a bite!''
|-
| style="padding: 0.5em;" |1:00 PM - 1:30 PM
| colspan="4" style="padding: 0.5em;" | Afternoon Registration (for those attending only in the afternoon)
|-
| style="padding: 0.5em;" |1:30 PM - 5:00 PM
| style="padding: 0.5em;" |Advanced Application Security Testing (Timothy Morgan)
| style="padding: 0.5em;" |AppSec Testing Beyond Pen Test (Bhushan Gupta)
| style="padding: 0.5em;" |Applied Physical Attacks on Embedded Systems, Introductory Version (Joe FitzPatrick)
| style="padding: 0.5em;" |Advanced Custom Network Protocol Fuzzing (Joshua Pereyda)
|-
| style="padding: 0.5em;" |5:00 PM - 7:30 PM
| colspan="4" style="padding: 0.5em;" | Evening Mixer @ Rock Bottom Restaurant and Brewery
|}

=== Lunch Ideas ===

Here are some lunch ideas:
* Farmhouse Cafe, 101 SW Main St.
* The Good Earth Cafe, 1136 SW 3rd Ave.
* Chipotle Mexican Grill, 240 SW Yamhill St.
* Luc Lac Vietnamese Kitchen, 835 SW 2nd Ave.
* Rock Bottom Restaurant & Brewery, 206 SW Morrison St.
* Buffalo Wild Wings, 327 SW Morrison St.
* Cafe Yumm, 301 SW Morrison St.
* Killer Burger, 510 SW 3rd Ave.
* House of Ramen, 223 SW Columbia St.
* There are some food carts north of the World Trade Center on SW 3rd Ave. and SW Stark St.

=How to Register=

Registration is via EventBrite: https://www.eventbrite.com/e/portland-owasp-training-day-2018-tickets-48203102778

OWASP Portland 2018 Training Day

2018-08-23T03:39:03Z

Bzhao: Added Security Innovation sponsorship

For the third year in a row, the Portland OWASP chapter is proud to host our information security training day! This is be an excellent opportunity for those interested to receive top quality information security and application security training for prices far lower than normally offered. It's also a great chance to network with the local infosec community and meet those who share your interests.

OWASP Portland 2018 Training Day will be '''October 3, 2018.''' See [[#Details|Details]] for more info.

Want to get news and information on our 2018 Training Day? Subscribe to the Portland OWASP mailing list or follow @PortlandOWASP on Twitter!

=Courses=
Courses will be held in two tracks: four in the morning session, and four in the afternoon session. Each participant can register for one morning course, or one afternoon course, or one of each.

== Morning Session 8:30 AM - Noon ==

=== Intro to Hacking Web 3.0 ===

==== Sponsored by Security Innovation ====

''Instructor: Mick Ayzenberg''

Abstract: In this half day course, we will introduce several emerging Blockchain concepts such as Web 3.0, smart contracts, and decentralized applications (DApps). You will get the opportunity to explore and interact with applications on this platform, and will be introduced to several of the most common vulnerability categories found in smart contracts through a capture the flag platform. This class will be highly interactive, so bring a laptop. No previous Blockchain experience required.

=== Introduction to Computer Forensics ===

''Instructor: Kris Rosenberg''

Abstract: It’s 3AM and the phone rings… ok, maybe not 3AM, but you get the call that a computer system on your network is acting strange. After taking a look you realize that this system may be infected with malware, or possibly you have an active intruder inside your network. What do you do next? This session will guide you through the basic initial steps that can be taken in a security incident to effectively isolate and contain the attack and collect evidence for potential future prosecution. We will introduce the PICERL framework for incident handling and discuss each phase in detail: Planning, Identification, Containment, Eradication, Recovery, and Lessons Learned. At the end of the session you should have a basic understanding of how to respond to a potential security incident, and preserve any evidence that may be needed.

=== Intro to Practical Internal Vulnerability Scanning ===

==== Sponsored by Summit Security Group, LLC ====

''Instructor: Patterson Cake''

Abstract: If your organization has the resources to scan all of the things all of the time, this course may not be for you! If, however, you are like most organizations, struggling to keep up and to make tangible progress towards improving your security posture, read on! In this course, we'll discuss scanning tools and techniques to help you identify unknown devices, sensitive data exposure, and system misconfigurations within your environment, using open-source and built-in tools, like Nmap and PowerShell, along with some good old-fashioned NI (Natural Intelligence). We'll focus on practical, tactical ways to find things like unapproved IoT devices on your network, sensitive data shares with "Everyone" permissions, and web apps with default credentials, things you care about which are often easy to remediate but may not show up on traditional vulnerability or compliance scans.

Prerequisites: Laptop capable of running a recent version of Nmap (Windows, Linux or Mac) with admin/root privileges.

=== Incident Handling in Cloud Environment - a primer ===

==== Sponsored by ForgeRock ====

''Instructor: Derek Hill''

Abstract: Have you ever wondered what it takes to investigate an incident inside your company network? What about your assets stored in a public cloud? When does an event become an incident? Who decides this? We will cover the important steps of an incident handling process, including getting you started in creating your own incident handling plan. We will talk about the challenges of doing this in cloud, where you don't have physical access to the machines. You will walk away with an understanding of the fundamental steps of incident handling as well as some examples of what to look for, how to handle collection and preservation of evidence.

== Afternoon Session: 1:30 PM - 5:00 PM ==

=== Advanced Application Security Testing ===

==== Sponsored by New Relic ====

''Instructor: Timothy Morgan''

Abstract: This course takes students beyond the most basic web application exploitation scenarios, focusing on advanced SQL injection, XML eXternal Entities (XXE) and server-side request forgery (SSRF) attacks. The course also covers out-of-band detection and exfiltration using the DNS, which has recently become a popular technique used by penetration testers.

=== AppSec Testing Beyond Pen Test ===

''Instructor: Bhushan Gupta''

Abstract: Most web application security testing efforts are concentrated around penetration testing, which is an art based on hackers’ psyche, thought process, and determination to exploit software vulnerabilities. However, does it yield a high level of confidence and sense of security in a developer’s mind? The web application developers must begin to think of building security throughout the software development life cycle (SDLC). This workshop paper focuses on an approach that aligns the web application security testing with the three basic principles of security; confidentiality, integrity, and availability (CIA). Using a simple approach, workshop teaches how to identify the most vulnerable processes in an application, highlighting the test-intensive areas. The students will learn:
# How to identify the security requirements for their business
# How to plan security testing using both statics and dynamic code analysis
# How to apply STRIDE model to evaluate critical web application components
# How to prioritizing vulnerabilities based upon DREAD model to minimize breech impact

=== Applied Physical Attacks on Embedded Systems, Introductory Version ===

''Instructor: Joe FitzPatrick''

Abstract: This workshop introduces several different relatively accessible interfaces on embedded systems. Attendees will get hands-on experience with UART, SPI, and JTAG interfaces on a MIPS-based wifi router. After a brief architectural overview of each interface, hands-on labs will guide through the process understanding, observing, interacting with, and exploiting the interface to potentially access a root shell on the target.

=== Advanced Custom Network Protocol Fuzzing ===

==== Sponsored by Oracle Cloud Infrastructure ====

''Instructor: Joshua Pereyda''

Abstract: Get hands on experience writing custom network protocol fuzzers. This class will cover the basics of network protocol ""smart fuzzing."" Exercises will utilize the open source network protocol fuzzing framework, boofuzz. Attendees will gain practice reverse engineering a network protocol, implementing and iterating on a custom fuzzer, and identifying vulnerabilities. After the course:

# You will know the basics of fuzzing.
# You will know how to write custom network protocol fuzzers using state of the art open source tools.
# You will have hands on experience with this widely-discussed but still largely mysterious test method.

=Sponsors=

'''Interested in becoming a sponsor? Watch this space for 2018 sponsorship information!'''

=== Mixer Sponsors===

[[File:github.png|link=https://github.com/]]

=== Training Session Sponsors ===

[[File:newrelic.png|link=https://newrelic.com/]]              
[[File:summit.png|link=http://summitinfosec.com/]]              
[[File:OCI Logo.png|link=https://cloud.oracle.com/en_US/iaas]]              
[[File:ForgeRock logo.png|link=https://www.forgerock.com/]]              
[[File:Security Innovation logo.png|link=https://www.securityinnovation.com/]]

=== Morning Coffee Sponsors ===

[[File:OCI Logo.png|link=https://cloud.oracle.com/en_US/iaas]]

=== General Sponsors ===

[[File:simple.png|link=https://simple.com/]]

=Details=
OWASP Portland 2018 Training Day will be October 3, 2018. This year we'll be located at:

World Trade Center Portland
121 SW Salmon St.
Portland, OR 97204.

Later in the evening, a social mixer will also be held at Rock Bottom Restaurant & Brewery, just a short walk away:

206 SW Morrison St
Portland, OR 97204

===Schedule===
{| class="wikitable"
! |Time
! colspan="4" |Activity
|-
| style="padding: 0.5em;" |8:00 AM - 8:30 AM
| colspan="4" style="padding: 0.5em;" |Morning Registration and Continental Breakfast
|-
| style="padding: 0.5em;" |8:30 AM - 12:00 PM
| style="padding: 0.5em;" |Intro to Hacking Web 3.0 (Mick Ayzenberg)
| style="padding: 0.5em;" |Introduction to Computer Forensics (Kris Rosenberg)
| style="padding: 0.5em;" |Intro to Practical Internal Vulnerability Scanning (Patterson Cake)
| style="padding: 0.5em;" |Incident Handling in Cloud Environment - a primer (Derek Hill)
|-
| style="padding: 0.5em;" |12:00 PM - 1:30 PM
| colspan="4" style="padding: 0.5em;" | Lunch on your own - ''Meet a new friend and grab a bite!''
|-
| style="padding: 0.5em;" |1:00 PM - 1:30 PM
| colspan="4" style="padding: 0.5em;" | Afternoon Registration (for those attending only in the afternoon)
|-
| style="padding: 0.5em;" |1:30 PM - 5:00 PM
| style="padding: 0.5em;" |Advanced Application Security Testing (Timothy Morgan)
| style="padding: 0.5em;" |AppSec Testing Beyond Pen Test (Bhushan Gupta)
| style="padding: 0.5em;" |Applied Physical Attacks on Embedded Systems, Introductory Version (Joe FitzPatrick)
| style="padding: 0.5em;" |Advanced Custom Network Protocol Fuzzing (Joshua Pereyda)
|-
| style="padding: 0.5em;" |5:00 PM - 7:30 PM
| colspan="4" style="padding: 0.5em;" | Evening Mixer @ Rock Bottom Restaurant and Brewery
|}

=== Lunch Ideas ===

Here are some lunch ideas:
* Farmhouse Cafe, 101 SW Main St.
* The Good Earth Cafe, 1136 SW 3rd Ave.
* Chipotle Mexican Grill, 240 SW Yamhill St.
* Luc Lac Vietnamese Kitchen, 835 SW 2nd Ave.
* Rock Bottom Restaurant & Brewery, 206 SW Morrison St.
* Buffalo Wild Wings, 327 SW Morrison St.
* Cafe Yumm, 301 SW Morrison St.
* Killer Burger, 510 SW 3rd Ave.
* House of Ramen, 223 SW Columbia St.
* There are some food carts north of the World Trade Center on SW 3rd Ave. and SW Stark St.

=How to Register=

Registration is via EventBrite: https://www.eventbrite.com/e/portland-owasp-training-day-2018-tickets-48203102778

File:Security Innovation logo.png

2018-08-23T03:36:39Z

Bzhao:

Security Innovation logo

OWASP Portland 2018 Training Day

2018-08-21T19:23:04Z

Bzhao: Added ForgeRock sponsor, lunch ideas, and registration link

For the third year in a row, the Portland OWASP chapter is proud to host our information security training day! This is be an excellent opportunity for those interested to receive top quality information security and application security training for prices far lower than normally offered. It's also a great chance to network with the local infosec community and meet those who share your interests.

OWASP Portland 2018 Training Day will be '''October 3, 2018.''' See [[#Details|Details]] for more info.

Want to get news and information on our 2018 Training Day? Subscribe to the Portland OWASP mailing list or follow @PortlandOWASP on Twitter!

=Courses=
Courses will be held in two tracks: four in the morning session, and four in the afternoon session. Each participant can register for one morning course, or one afternoon course, or one of each.

== Morning Session 8:30 AM - Noon ==

=== Intro to Hacking Web 3.0 ===

''Instructor: Mick Ayzenberg''

Abstract: In this half day course, we will introduce several emerging Blockchain concepts such as Web 3.0, smart contracts, and decentralized applications (DApps). You will get the opportunity to explore and interact with applications on this platform, and will be introduced to several of the most common vulnerability categories found in smart contracts through a capture the flag platform. This class will be highly interactive, so bring a laptop. No previous Blockchain experience required.

=== Introduction to Computer Forensics ===

''Instructor: Kris Rosenberg''

Abstract: It’s 3AM and the phone rings… ok, maybe not 3AM, but you get the call that a computer system on your network is acting strange. After taking a look you realize that this system may be infected with malware, or possibly you have an active intruder inside your network. What do you do next? This session will guide you through the basic initial steps that can be taken in a security incident to effectively isolate and contain the attack and collect evidence for potential future prosecution. We will introduce the PICERL framework for incident handling and discuss each phase in detail: Planning, Identification, Containment, Eradication, Recovery, and Lessons Learned. At the end of the session you should have a basic understanding of how to respond to a potential security incident, and preserve any evidence that may be needed.

=== Intro to Practical Internal Vulnerability Scanning ===

==== Sponsored by Summit Security Group, LLC ====

''Instructor: Patterson Cake''

Abstract: If your organization has the resources to scan all of the things all of the time, this course may not be for you! If, however, you are like most organizations, struggling to keep up and to make tangible progress towards improving your security posture, read on! In this course, we'll discuss scanning tools and techniques to help you identify unknown devices, sensitive data exposure, and system misconfigurations within your environment, using open-source and built-in tools, like Nmap and PowerShell, along with some good old-fashioned NI (Natural Intelligence). We'll focus on practical, tactical ways to find things like unapproved IoT devices on your network, sensitive data shares with "Everyone" permissions, and web apps with default credentials, things you care about which are often easy to remediate but may not show up on traditional vulnerability or compliance scans.

Prerequisites: Laptop capable of running a recent version of Nmap (Windows, Linux or Mac) with admin/root privileges.

=== Incident Handling in Cloud Environment - a primer ===

==== Sponsored by ForgeRock ====

''Instructor: Derek Hill''

Abstract: Have you ever wondered what it takes to investigate an incident inside your company network? What about your assets stored in a public cloud? When does an event become an incident? Who decides this? We will cover the important steps of an incident handling process, including getting you started in creating your own incident handling plan. We will talk about the challenges of doing this in cloud, where you don't have physical access to the machines. You will walk away with an understanding of the fundamental steps of incident handling as well as some examples of what to look for, how to handle collection and preservation of evidence.

== Afternoon Session: 1:30 PM - 5:00 PM ==

=== Advanced Application Security Testing ===

==== Sponsored by New Relic ====

''Instructor: Timothy Morgan''

Abstract: This course takes students beyond the most basic web application exploitation scenarios, focusing on advanced SQL injection, XML eXternal Entities (XXE) and server-side request forgery (SSRF) attacks. The course also covers out-of-band detection and exfiltration using the DNS, which has recently become a popular technique used by penetration testers.

=== AppSec Testing Beyond Pen Test ===

''Instructor: Bhushan Gupta''

Abstract: Most web application security testing efforts are concentrated around penetration testing, which is an art based on hackers’ psyche, thought process, and determination to exploit software vulnerabilities. However, does it yield a high level of confidence and sense of security in a developer’s mind? The web application developers must begin to think of building security throughout the software development life cycle (SDLC). This workshop paper focuses on an approach that aligns the web application security testing with the three basic principles of security; confidentiality, integrity, and availability (CIA). Using a simple approach, workshop teaches how to identify the most vulnerable processes in an application, highlighting the test-intensive areas. The students will learn:
# How to identify the security requirements for their business
# How to plan security testing using both statics and dynamic code analysis
# How to apply STRIDE model to evaluate critical web application components
# How to prioritizing vulnerabilities based upon DREAD model to minimize breech impact

=== Applied Physical Attacks on Embedded Systems, Introductory Version ===

''Instructor: Joe FitzPatrick''

Abstract: This workshop introduces several different relatively accessible interfaces on embedded systems. Attendees will get hands-on experience with UART, SPI, and JTAG interfaces on a MIPS-based wifi router. After a brief architectural overview of each interface, hands-on labs will guide through the process understanding, observing, interacting with, and exploiting the interface to potentially access a root shell on the target.

=== Advanced Custom Network Protocol Fuzzing ===

==== Sponsored by Oracle Cloud Infrastructure ====

''Instructor: Joshua Pereyda''

Abstract: Get hands on experience writing custom network protocol fuzzers. This class will cover the basics of network protocol ""smart fuzzing."" Exercises will utilize the open source network protocol fuzzing framework, boofuzz. Attendees will gain practice reverse engineering a network protocol, implementing and iterating on a custom fuzzer, and identifying vulnerabilities. After the course:

# You will know the basics of fuzzing.
# You will know how to write custom network protocol fuzzers using state of the art open source tools.
# You will have hands on experience with this widely-discussed but still largely mysterious test method.

=Sponsors=

'''Interested in becoming a sponsor? Watch this space for 2018 sponsorship information!'''

=== Mixer Sponsors===

[[File:github.png|link=https://github.com/]]

=== Training Session Sponsors ===

[[File:newrelic.png|link=https://newrelic.com/]]              
[[File:summit.png|link=http://summitinfosec.com/]]              
[[File:OCI Logo.png|link=https://cloud.oracle.com/en_US/iaas]]              
[[File:ForgeRock logo.png|link=https://www.forgerock.com/]]

=== Morning Coffee Sponsors ===

[[File:OCI Logo.png|link=https://cloud.oracle.com/en_US/iaas]]

=== General Sponsors ===

[[File:simple.png|link=https://simple.com/]]

=Details=
OWASP Portland 2018 Training Day will be October 3, 2018. This year we'll be located at:

World Trade Center Portland
121 SW Salmon St.
Portland, OR 97204.

Later in the evening, a social mixer will also be held at Rock Bottom Restaurant & Brewery, just a short walk away:

206 SW Morrison St
Portland, OR 97204

===Schedule===
{| class="wikitable"
! |Time
! colspan="4" |Activity
|-
| style="padding: 0.5em;" |8:00 AM - 8:30 AM
| colspan="4" style="padding: 0.5em;" |Morning Registration and Continental Breakfast
|-
| style="padding: 0.5em;" |8:30 AM - 12:00 PM
| style="padding: 0.5em;" |Intro to Hacking Web 3.0 (Mick Ayzenberg)
| style="padding: 0.5em;" |Introduction to Computer Forensics (Kris Rosenberg)
| style="padding: 0.5em;" |Intro to Practical Internal Vulnerability Scanning (Patterson Cake)
| style="padding: 0.5em;" |Incident Handling in Cloud Environment - a primer (Derek Hill)
|-
| style="padding: 0.5em;" |12:00 PM - 1:30 PM
| colspan="4" style="padding: 0.5em;" | Lunch on your own - ''Meet a new friend and grab a bite!''
|-
| style="padding: 0.5em;" |1:00 PM - 1:30 PM
| colspan="4" style="padding: 0.5em;" | Afternoon Registration (for those attending only in the afternoon)
|-
| style="padding: 0.5em;" |1:30 PM - 5:00 PM
| style="padding: 0.5em;" |Advanced Application Security Testing (Timothy Morgan)
| style="padding: 0.5em;" |AppSec Testing Beyond Pen Test (Bhushan Gupta)
| style="padding: 0.5em;" |Applied Physical Attacks on Embedded Systems, Introductory Version (Joe FitzPatrick)
| style="padding: 0.5em;" |Advanced Custom Network Protocol Fuzzing (Joshua Pereyda)
|-
| style="padding: 0.5em;" |5:00 PM - 7:30 PM
| colspan="4" style="padding: 0.5em;" | Evening Mixer @ Rock Bottom Restaurant and Brewery
|}

=== Lunch Ideas ===

Here are some lunch ideas:
* Farmhouse Cafe, 101 SW Main St.
* The Good Earth Cafe, 1136 SW 3rd Ave.
* Chipotle Mexican Grill, 240 SW Yamhill St.
* Luc Lac Vietnamese Kitchen, 835 SW 2nd Ave.
* Rock Bottom Restaurant & Brewery, 206 SW Morrison St.
* Buffalo Wild Wings, 327 SW Morrison St.
* Cafe Yumm, 301 SW Morrison St.
* Killer Burger, 510 SW 3rd Ave.
* House of Ramen, 223 SW Columbia St.
* There are some food carts north of the World Trade Center on SW 3rd Ave. and SW Stark St.

=How to Register=

Registration is via EventBrite: https://www.eventbrite.com/e/portland-owasp-training-day-2018-tickets-48203102778

File:ForgeRock logo.png

2018-08-21T18:03:19Z

Bzhao:

ForgeRock Logo

File:Forgerock logo.png

2018-08-21T17:48:59Z

Bzhao:

Forgerock logo

Talk:Portland

2018-08-17T08:09:53Z

Bzhao: Adding 2017 and 2018 Training Day links

[[OWASP Portland 2018 Training Day|2018 Training Day]]

[[OWASP Portland 2017 Training Day|2017 Training Day]]

[[OWASP Portland 2016 Training Day|2016 Training Day]]

OWASP Portland 2018 Training Day

2018-08-17T07:56:13Z

Bzhao: Adding sponsorship to session

For the third year in a row, the Portland OWASP chapter is proud to host our information security training day! This is be an excellent opportunity for those interested to receive top quality information security and application security training for prices far lower than normally offered. It's also a great chance to network with the local infosec community and meet those who share your interests.

OWASP Portland 2018 Training Day will be '''October 3, 2018.''' See [[#Details|Details]] for more info.

Want to get news and information on our 2018 Training Day? Subscribe to the Portland OWASP mailing list or follow @PortlandOWASP on Twitter!

=Courses=
Courses will be held in two tracks: four in the morning session, and four in the afternoon session. Each participant can register for one morning course, or one afternoon course, or one of each.

== Morning Session 8:30 AM - Noon ==

=== Intro to Hacking Web 3.0 ===

''Instructor: Mick Ayzenberg''

Abstract: In this half day course, we will introduce several emerging Blockchain concepts such as Web 3.0, smart contracts, and decentralized applications (DApps). You will get the opportunity to explore and interact with applications on this platform, and will be introduced to several of the most common vulnerability categories found in smart contracts through a capture the flag platform. This class will be highly interactive, so bring a laptop. No previous Blockchain experience required.

=== Introduction to Computer Forensics ===

''Instructor: Kris Rosenberg''

Abstract: It’s 3AM and the phone rings… ok, maybe not 3AM, but you get the call that a computer system on your network is acting strange. After taking a look you realize that this system may be infected with malware, or possibly you have an active intruder inside your network. What do you do next? This session will guide you through the basic initial steps that can be taken in a security incident to effectively isolate and contain the attack and collect evidence for potential future prosecution. We will introduce the PICERL framework for incident handling and discuss each phase in detail: Planning, Identification, Containment, Eradication, Recovery, and Lessons Learned. At the end of the session you should have a basic understanding of how to respond to a potential security incident, and preserve any evidence that may be needed.

=== Intro to Practical Internal Vulnerability Scanning ===

==== Sponsored by Summit Security Group, LLC ====

''Instructor: Patterson Cake''

Abstract: If your organization has the resources to scan all of the things all of the time, this course may not be for you! If, however, you are like most organizations, struggling to keep up and to make tangible progress towards improving your security posture, read on! In this course, we'll discuss scanning tools and techniques to help you identify unknown devices, sensitive data exposure, and system misconfigurations within your environment, using open-source and built-in tools, like Nmap and PowerShell, along with some good old-fashioned NI (Natural Intelligence). We'll focus on practical, tactical ways to find things like unapproved IoT devices on your network, sensitive data shares with "Everyone" permissions, and web apps with default credentials, things you care about which are often easy to remediate but may not show up on traditional vulnerability or compliance scans.

Prerequisites: Laptop capable of running a recent version of Nmap (Windows, Linux or Mac) with admin/root privileges.

=== Incident Handling in Cloud Environment - a primer ===

==== Sponsored by ForgeRock ====

''Instructor: Derek Hill''

Abstract: Have you ever wondered what it takes to investigate an incident inside your company network? What about your assets stored in a public cloud? When does an event become an incident? Who decides this? We will cover the important steps of an incident handling process, including getting you started in creating your own incident handling plan. We will talk about the challenges of doing this in cloud, where you don't have physical access to the machines. You will walk away with an understanding of the fundamental steps of incident handling as well as some examples of what to look for, how to handle collection and preservation of evidence.

== Afternoon Session: 1:30 PM - 5:00 PM ==

=== Advanced Application Security Testing ===

==== Sponsored by New Relic ====

''Instructor: Timothy Morgan''

Abstract: This course takes students beyond the most basic web application exploitation scenarios, focusing on advanced SQL injection, XML eXternal Entities (XXE) and server-side request forgery (SSRF) attacks. The course also covers out-of-band detection and exfiltration using the DNS, which has recently become a popular technique used by penetration testers.

=== AppSec Testing Beyond Pen Test ===

''Instructor: Bhushan Gupta''

Abstract: Most web application security testing efforts are concentrated around penetration testing, which is an art based on hackers’ psyche, thought process, and determination to exploit software vulnerabilities. However, does it yield a high level of confidence and sense of security in a developer’s mind? The web application developers must begin to think of building security throughout the software development life cycle (SDLC). This workshop paper focuses on an approach that aligns the web application security testing with the three basic principles of security; confidentiality, integrity, and availability (CIA). Using a simple approach, workshop teaches how to identify the most vulnerable processes in an application, highlighting the test-intensive areas. The students will learn:
# How to identify the security requirements for their business
# How to plan security testing using both statics and dynamic code analysis
# How to apply STRIDE model to evaluate critical web application components
# How to prioritizing vulnerabilities based upon DREAD model to minimize breech impact

=== Applied Physical Attacks on Embedded Systems, Introductory Version ===

''Instructor: Joe FitzPatrick''

Abstract: This workshop introduces several different relatively accessible interfaces on embedded systems. Attendees will get hands-on experience with UART, SPI, and JTAG interfaces on a MIPS-based wifi router. After a brief architectural overview of each interface, hands-on labs will guide through the process understanding, observing, interacting with, and exploiting the interface to potentially access a root shell on the target.

=== Advanced Custom Network Protocol Fuzzing ===

==== Sponsored by Oracle Cloud Infrastructure ====

''Instructor: Joshua Pereyda''

Abstract: Get hands on experience writing custom network protocol fuzzers. This class will cover the basics of network protocol ""smart fuzzing."" Exercises will utilize the open source network protocol fuzzing framework, boofuzz. Attendees will gain practice reverse engineering a network protocol, implementing and iterating on a custom fuzzer, and identifying vulnerabilities. After the course:

# You will know the basics of fuzzing.
# You will know how to write custom network protocol fuzzers using state of the art open source tools.
# You will have hands on experience with this widely-discussed but still largely mysterious test method.

=Sponsors=

'''Interested in becoming a sponsor? Watch this space for 2018 sponsorship information!'''

=== Mixer Sponsors===

[[File:github.png|link=https://github.com/]]

=== Training Session Sponsors ===

[[File:newrelic.png|link=https://newrelic.com/]]              
[[File:summit.png|link=http://summitinfosec.com/]]              
[[File:OCI Logo.png|link=https://cloud.oracle.com/en_US/iaas]]

=== Morning Coffee Sponsors ===

[[File:OCI Logo.png|link=https://cloud.oracle.com/en_US/iaas]]

=== General Sponsors ===

[[File:simple.png|link=https://simple.com/]]

=Details=
OWASP Portland 2018 Training Day will be October 3, 2018. This year we'll be located at:

World Trade Center Portland
121 SW Salmon St.
Portland, OR 97204.

Later in the evening, a social mixer will also be held at Rock Bottom Restaurant & Brewery, just a short walk away:

206 SW Morrison St
Portland, OR 97204

===Schedule===
{| class="wikitable"
! |Time
! colspan="4" |Activity
|-
| style="padding: 0.5em;" |8:00 AM - 8:30 AM
| colspan="4" style="padding: 0.5em;" |Morning Registration and Continental Breakfast
|-
| style="padding: 0.5em;" |8:30 AM - 12:00 PM
| style="padding: 0.5em;" |Intro to Hacking Web 3.0 (Mick Ayzenberg)
| style="padding: 0.5em;" |Introduction to Computer Forensics (Kris Rosenberg)
| style="padding: 0.5em;" |Intro to Practical Internal Vulnerability Scanning (Patterson Cake)
| style="padding: 0.5em;" |Incident Handling in Cloud Environment - a primer (Derek Hill)
|-
| style="padding: 0.5em;" |12:00 PM - 1:30 PM
| colspan="4" style="padding: 0.5em;" | Lunch on your own - ''Meet a new friend and grab a bite!''
|-
| style="padding: 0.5em;" |1:00 PM - 1:30 PM
| colspan="4" style="padding: 0.5em;" | Afternoon Registration (for those attending only in the afternoon)
|-
| style="padding: 0.5em;" |1:30 PM - 5:00 PM
| style="padding: 0.5em;" |Advanced Application Security Testing (Timothy Morgan)
| style="padding: 0.5em;" |AppSec Testing Beyond Pen Test (Bhushan Gupta)
| style="padding: 0.5em;" |Applied Physical Attacks on Embedded Systems, Introductory Version (Joe FitzPatrick)
| style="padding: 0.5em;" |Advanced Custom Network Protocol Fuzzing (Joshua Pereyda)
|-
| style="padding: 0.5em;" |5:00 PM - 7:30 PM
| colspan="4" style="padding: 0.5em;" | Evening Mixer @ Rock Bottom Restaurant and Brewery
|}

=== Lunch Ideas ===

Lunch ideas for 2018 coming soon!

=How to Register=
Registration information and dates coming soon!

OWASP Portland 2018 Training Day

2018-08-15T19:58:22Z

Bzhao: Small edits for Incident Handling workshop

For the third year in a row, the Portland OWASP chapter is proud to host our information security training day! This is be an excellent opportunity for those interested to receive top quality information security and application security training for prices far lower than normally offered. It's also a great chance to network with the local infosec community and meet those who share your interests.

Want to get news and information on our 2018 Training Day? Subscribe to the Portland OWASP mailing list or follow @PortlandOWASP on Twitter!

=Courses=
Courses will be held in two tracks: four in the morning session, and four in the afternoon session. Each participant can register for one morning course, or one afternoon course, or one of each.

== Morning Session 8:30 AM - Noon ==

=== Intro to Hacking Web 3.0 ===

''Instructor: Mick Ayzenberg''

Abstract: In this half day course, we will introduce several emerging Blockchain concepts such as Web 3.0, smart contracts, and decentralized applications (DApps). You will get the opportunity to explore and interact with applications on this platform, and will be introduced to several of the most common vulnerability categories found in smart contracts through a capture the flag platform. This class will be highly interactive, so bring a laptop. No previous Blockchain experience required.

=== Introduction to Computer Forensics ===

''Instructor: Kris Rosenberg''

Abstract: It’s 3AM and the phone rings… ok, maybe not 3AM, but you get the call that a computer system on your network is acting strange. After taking a look you realize that this system may be infected with malware, or possibly you have an active intruder inside your network. What do you do next? This session will guide you through the basic initial steps that can be taken in a security incident to effectively isolate and contain the attack and collect evidence for potential future prosecution. We will introduce the PICERL framework for incident handling and discuss each phase in detail: Planning, Identification, Containment, Eradication, Recovery, and Lessons Learned. At the end of the session you should have a basic understanding of how to respond to a potential security incident, and preserve any evidence that may be needed.

=== Intro to Practical Internal Vulnerability Scanning ===

==== Sponsored by Summit Security Group, LLC ====

''Instructor: Patterson Cake''

Abstract: If your organization has the resources to scan all of the things all of the time, this course may not be for you! If, however, you are like most organizations, struggling to keep up and to make tangible progress towards improving your security posture, read on! In this course, we'll discuss scanning tools and techniques to help you identify unknown devices, sensitive data exposure, and system misconfigurations within your environment, using open-source and built-in tools, like Nmap and PowerShell, along with some good old-fashioned NI (Natural Intelligence). We'll focus on practical, tactical ways to find things like unapproved IoT devices on your network, sensitive data shares with "Everyone" permissions, and web apps with default credentials, things you care about which are often easy to remediate but may not show up on traditional vulnerability or compliance scans.

Prerequisites: Laptop capable of running a recent version of Nmap (Windows, Linux or Mac) with admin/root privileges.

=== Incident Handling in Cloud Environment - a primer ===

==== Sponsored by ForgeRock ====

''Instructor: Derek Hill''

Abstract: Have you ever wondered what it takes to investigate an incident inside your company network? What about your assets stored in a public cloud? When does an event become an incident? Who decides this? We will cover the important steps of an incident handling process, including getting you started in creating your own incident handling plan. We will talk about the challenges of doing this in cloud, where you don't have physical access to the machines. You will walk away with an understanding of the fundamental steps of incident handling as well as some examples of what to look for, how to handle collection and preservation of evidence.

== Afternoon Session: 1:30 PM - 5:00 PM ==

=== Advanced Application Security Testing ===

''Instructor: Timothy Morgan''

Abstract: This course takes students beyond the most basic web application exploitation scenarios, focusing on advanced SQL injection, XML eXternal Entities (XXE) and server-side request forgery (SSRF) attacks. The course also covers out-of-band detection and exfiltration using the DNS, which has recently become a popular technique used by penetration testers.

=== AppSec Testing Beyond Pen Test ===

''Instructor: Bhushan Gupta''

Abstract: Most web application security testing efforts are concentrated around penetration testing, which is an art based on hackers’ psyche, thought process, and determination to exploit software vulnerabilities. However, does it yield a high level of confidence and sense of security in a developer’s mind? The web application developers must begin to think of building security throughout the software development life cycle (SDLC). This workshop paper focuses on an approach that aligns the web application security testing with the three basic principles of security; confidentiality, integrity, and availability (CIA). Using a simple approach, workshop teaches how to identify the most vulnerable processes in an application, highlighting the test-intensive areas. The students will learn:
# How to identify the security requirements for their business
# How to plan security testing using both statics and dynamic code analysis
# How to apply STRIDE model to evaluate critical web application components
# How to prioritizing vulnerabilities based upon DREAD model to minimize breech impact

=== Applied Physical Attacks on Embedded Systems, Introductory Version ===

''Instructor: Joe FitzPatrick''

Abstract: This workshop introduces several different relatively accessible interfaces on embedded systems. Attendees will get hands-on experience with UART, SPI, and JTAG interfaces on a MIPS-based wifi router. After a brief architectural overview of each interface, hands-on labs will guide through the process understanding, observing, interacting with, and exploiting the interface to potentially access a root shell on the target.

=== Advanced Custom Network Protocol Fuzzing ===

==== Sponsored by Oracle Cloud Infrastructure ====

''Instructor: Joshua Pereyda''

Abstract: Get hands on experience writing custom network protocol fuzzers. This class will cover the basics of network protocol ""smart fuzzing."" Exercises will utilize the open source network protocol fuzzing framework, boofuzz. Attendees will gain practice reverse engineering a network protocol, implementing and iterating on a custom fuzzer, and identifying vulnerabilities. After the course:

# You will know the basics of fuzzing.
# You will know how to write custom network protocol fuzzers using state of the art open source tools.
# You will have hands on experience with this widely-discussed but still largely mysterious test method.

=Sponsors=

'''Interested in becoming a sponsor? Watch this space for 2018 sponsorship information!'''

=== Mixer Sponsors===

[[File:github.png|link=https://github.com/]]

=== Training Session Sponsors ===

[[File:newrelic.png|link=https://newrelic.com/]]              
[[File:summit.png|link=http://summitinfosec.com/]]              
[[File:OCI Logo.png|link=https://cloud.oracle.com/en_US/iaas]]

=== Morning Coffee Sponsors ===

[[File:OCI Logo.png|link=https://cloud.oracle.com/en_US/iaas]]

=== General Sponsors ===

[[File:simple.png|link=https://simple.com/]]

=Details=
OWASP Portland 2018 Training Day will be October 3, 2018. This year we'll be located at:

World Trade Center Portland
121 SW Salmon St.
Portland, OR 97204.

Later in the evening, a social mixer will also be held at Rock Bottom Restaurant & Brewery, just a short walk away:

206 SW Morrison St
Portland, OR 97204

===Schedule===
{| class="wikitable"
! |Time
! colspan="4" |Activity
|-
| style="padding: 0.5em;" |8:00 AM - 8:30 AM
| colspan="4" style="padding: 0.5em;" |Morning Registration and Continental Breakfast
|-
| style="padding: 0.5em;" |8:30 AM - 12:00 PM
| style="padding: 0.5em;" |Intro to Hacking Web 3.0 (Mick Ayzenberg)
| style="padding: 0.5em;" |Introduction to Computer Forensics (Kris Rosenberg)
| style="padding: 0.5em;" |Intro to Practical Internal Vulnerability Scanning (Patterson Cake)
| style="padding: 0.5em;" |Incident Handling in Cloud Environment - a primer (Derek Hill)
|-
| style="padding: 0.5em;" |12:00 PM - 1:30 PM
| colspan="4" style="padding: 0.5em;" | Lunch on your own - ''Meet a new friend and grab a bite!''
|-
| style="padding: 0.5em;" |1:00 PM - 1:30 PM
| colspan="4" style="padding: 0.5em;" | Afternoon Registration (for those attending only in the afternoon)
|-
| style="padding: 0.5em;" |1:30 PM - 5:00 PM
| style="padding: 0.5em;" |Advanced Application Security Testing (Timothy Morgan)
| style="padding: 0.5em;" |AppSec Testing Beyond Pen Test (Bhushan Gupta)
| style="padding: 0.5em;" |Applied Physical Attacks on Embedded Systems, Introductory Version (Joe FitzPatrick)
| style="padding: 0.5em;" |Advanced Custom Network Protocol Fuzzing (Joshua Pereyda)
|-
| style="padding: 0.5em;" |5:00 PM - 7:30 PM
| colspan="4" style="padding: 0.5em;" | Evening Mixer @ Rock Bottom Restaurant and Brewery
|}

=== Lunch Ideas ===

Lunch ideas for 2018 coming soon!

=How to Register=
Registration information and dates coming soon!

OWASP Portland 2018 Training Day

2018-08-13T07:42:05Z

Bzhao: Sponsorship edits

For the third year in a row, the Portland OWASP chapter is proud to host our information security training day! This is be an excellent opportunity for those interested to receive top quality information security and application security training for prices far lower than normally offered. It's also a great chance to network with the local infosec community and meet those who share your interests.

Want to get news and information on our 2018 Training Day? Subscribe to the Portland OWASP mailing list or follow @PortlandOWASP on Twitter!

=Courses=
Courses will be held in two tracks: four in the morning session, and four in the afternoon session. Each participant can register for one morning course, or one afternoon course, or one of each.

== Morning Session 8:30 AM - Noon ==

=== Intro to Hacking Web 3.0 ===

''Instructor: Mick Ayzenberg''

Abstract: In this half day course, we will introduce several emerging Blockchain concepts such as Web 3.0, smart contracts, and decentralized applications (DApps). You will get the opportunity to explore and interact with applications on this platform, and will be introduced to several of the most common vulnerability categories found in smart contracts through a capture the flag platform. This class will be highly interactive, so bring a laptop. No previous Blockchain experience required.

=== Introduction to Computer Forensics ===

''Instructor: Kris Rosenberg''

Abstract: It’s 3AM and the phone rings… ok, maybe not 3AM, but you get the call that a computer system on your network is acting strange. After taking a look you realize that this system may be infected with malware, or possibly you have an active intruder inside your network. What do you do next? This session will guide you through the basic initial steps that can be taken in a security incident to effectively isolate and contain the attack and collect evidence for potential future prosecution. We will introduce the PICERL framework for incident handling and discuss each phase in detail: Planning, Identification, Containment, Eradication, Recovery, and Lessons Learned. At the end of the session you should have a basic understanding of how to respond to a potential security incident, and preserve any evidence that may be needed.

=== Intro to Practical Internal Vulnerability Scanning ===

==== Sponsored by Summit Security Group, LLC ====

''Instructor: Patterson Cake''

Abstract: If your organization has the resources to scan all of the things all of the time, this course may not be for you! If, however, you are like most organizations, struggling to keep up and to make tangible progress towards improving your security posture, read on! In this course, we'll discuss scanning tools and techniques to help you identify unknown devices, sensitive data exposure, and system misconfigurations within your environment, using open-source and built-in tools, like Nmap and PowerShell, along with some good old-fashioned NI (Natural Intelligence). We'll focus on practical, tactical ways to find things like unapproved IoT devices on your network, sensitive data shares with "Everyone" permissions, and web apps with default credentials, things you care about which are often easy to remediate but may not show up on traditional vulnerability or compliance scans.

Prerequisites: Laptop capable of running a recent version of Nmap (Windows, Linux or Mac) with admin/root privileges.

=== Incident Handling - a primer ===

''Instructor: Derek Hill''

Abstract: Have you ever wondered what it takes to investigate an incident inside your company network? What about your assets stored in a public cloud? When does an event become an incident? Who decides this? We will cover the important steps of an incident handling process, including getting you started in creating your own incident handling plan. We will talk about the challenges of doing this in cloud, where you don't have physical access to the machines. You will walk away with an understanding of the fundamental steps of incident handling as well as some examples of what to look for, how to handle collection and preservation of evidence.

== Afternoon Session: 1:30 PM - 5:00 PM ==

=== Advanced Application Security Testing ===

''Instructor: Timothy Morgan''

Abstract: This course takes students beyond the most basic web application exploitation scenarios, focusing on advanced SQL injection, XML eXternal Entities (XXE) and server-side request forgery (SSRF) attacks. The course also covers out-of-band detection and exfiltration using the DNS, which has recently become a popular technique used by penetration testers.

=== AppSec Testing Beyond Pen Test ===

''Instructor: Bhushan Gupta''

Abstract: Most web application security testing efforts are concentrated around penetration testing, which is an art based on hackers’ psyche, thought process, and determination to exploit software vulnerabilities. However, does it yield a high level of confidence and sense of security in a developer’s mind? The web application developers must begin to think of building security throughout the software development life cycle (SDLC). This workshop paper focuses on an approach that aligns the web application security testing with the three basic principles of security; confidentiality, integrity, and availability (CIA). Using a simple approach, workshop teaches how to identify the most vulnerable processes in an application, highlighting the test-intensive areas. The students will learn:
# How to identify the security requirements for their business
# How to plan security testing using both statics and dynamic code analysis
# How to apply STRIDE model to evaluate critical web application components
# How to prioritizing vulnerabilities based upon DREAD model to minimize breech impact

=== Applied Physical Attacks on Embedded Systems, Introductory Version ===

''Instructor: Joe FitzPatrick''

Abstract: This workshop introduces several different relatively accessible interfaces on embedded systems. Attendees will get hands-on experience with UART, SPI, and JTAG interfaces on a MIPS-based wifi router. After a brief architectural overview of each interface, hands-on labs will guide through the process understanding, observing, interacting with, and exploiting the interface to potentially access a root shell on the target.

=== Advanced Custom Network Protocol Fuzzing ===

==== Sponsored by Oracle Cloud Infrastructure ====

''Instructor: Joshua Pereyda''

Abstract: Get hands on experience writing custom network protocol fuzzers. This class will cover the basics of network protocol ""smart fuzzing."" Exercises will utilize the open source network protocol fuzzing framework, boofuzz. Attendees will gain practice reverse engineering a network protocol, implementing and iterating on a custom fuzzer, and identifying vulnerabilities. After the course:

# You will know the basics of fuzzing.
# You will know how to write custom network protocol fuzzers using state of the art open source tools.
# You will have hands on experience with this widely-discussed but still largely mysterious test method.

=Sponsors=

'''Interested in becoming a sponsor? Watch this space for 2018 sponsorship information!'''

=== Mixer Sponsors===

[[File:github.png|link=https://github.com/]]

=== Training Session Sponsors ===

[[File:newrelic.png|link=https://newrelic.com/]]              
[[File:summit.png|link=http://summitinfosec.com/]]

           

===== [https://cloud.oracle.com/en_US/cloud-infrastructure Oracle Cloud Infrastructure] =====

=== Morning Coffee Sponsors ===

===== [https://cloud.oracle.com/en_US/cloud-infrastructure Oracle Cloud Infrastructure] =====

=== General Sponsors ===

[[File:simple.png|link=https://simple.com/]]

=Details=
OWASP Portland 2018 Training Day will be October 3, 2018. This year we'll be located at:

World Trade Center Portland
121 SW Salmon St.
Portland, OR 97204.

Later in the evening, a social mixer will also be held at Rock Bottom Restaurant & Brewery, just a short walk away:

206 SW Morrison St
Portland, OR 97204

===Schedule===
{| class="wikitable"
! |Time
! colspan="4" |Activity
|-
| style="padding: 0.5em;" |8:00 AM - 8:30 AM
| colspan="4" style="padding: 0.5em;" |Morning Registration and Continental Breakfast
|-
| style="padding: 0.5em;" |8:30 AM - 12:00 PM
| style="padding: 0.5em;" |Intro to Hacking Web 3.0 (Mick Ayzenberg)
| style="padding: 0.5em;" |Introduction to Computer Forensics (Kris Rosenberg)
| style="padding: 0.5em;" |Intro to Practical Internal Vulnerability Scanning (Patterson Cake)
| style="padding: 0.5em;" |Incident Handling - a primer (Derek Hill)
|-
| style="padding: 0.5em;" |12:00 PM - 1:30 PM
| colspan="4" style="padding: 0.5em;" | Lunch on your own - ''Meet a new friend and grab a bite!''
|-
| style="padding: 0.5em;" |1:00 PM - 1:30 PM
| colspan="4" style="padding: 0.5em;" | Afternoon Registration (for those attending only in the afternoon)
|-
| style="padding: 0.5em;" |1:30 PM - 5:00 PM
| style="padding: 0.5em;" |Advanced Application Security Testing (Timothy Morgan)
| style="padding: 0.5em;" |AppSec Testing Beyond Pen Test (Bhushan Gupta)
| style="padding: 0.5em;" |Applied Physical Attacks on Embedded Systems, Introductory Version (Joe FitzPatrick)
| style="padding: 0.5em;" |Advanced Custom Network Protocol Fuzzing (Joshua Pereyda)
|-
| style="padding: 0.5em;" |5:00 PM - 7:30 PM
| colspan="4" style="padding: 0.5em;" | Evening Mixer @ Rock Bottom Restaurant and Brewery
|}

=== Lunch Ideas ===

Lunch ideas for 2018 coming soon!

=How to Register=
Registration information and dates coming soon!

OWASP Portland 2018 Training Day

2018-08-11T19:00:28Z

Bzhao: /* Schedule */

For the third year in a row, the Portland OWASP chapter is proud to host our information security training day! This is be an excellent opportunity for those interested to receive top quality information security and application security training for prices far lower than normally offered. It's also a great chance to network with the local infosec community and meet those who share your interests.

Want to get news and information on our 2018 Training Day? Subscribe to the Portland OWASP mailing list or follow @PortlandOWASP on Twitter!

=Courses=
Courses will be held in two tracks: four in the morning session, and four in the afternoon session. Each participant can register for one morning course, or one afternoon course, or one of each.

== Morning Session 8:30 AM - Noon ==

=== Intro to Hacking Web 3.0 ===

''Instructor: Mick Ayzenberg''

Abstract: In this half day course, we will introduce several emerging Blockchain concepts such as Web 3.0, smart contracts, and decentralized applications (DApps). You will get the opportunity to explore and interact with applications on this platform, and will be introduced to several of the most common vulnerability categories found in smart contracts through a capture the flag platform. This class will be highly interactive, so bring a laptop. No previous Blockchain experience required.

=== Introduction to Computer Forensics ===

''Instructor: Kris Rosenberg''

Abstract: It’s 3AM and the phone rings… ok, maybe not 3AM, but you get the call that a computer system on your network is acting strange. After taking a look you realize that this system may be infected with malware, or possibly you have an active intruder inside your network. What do you do next? This session will guide you through the basic initial steps that can be taken in a security incident to effectively isolate and contain the attack and collect evidence for potential future prosecution. We will introduce the PICERL framework for incident handling and discuss each phase in detail: Planning, Identification, Containment, Eradication, Recovery, and Lessons Learned. At the end of the session you should have a basic understanding of how to respond to a potential security incident, and preserve any evidence that may be needed.

=== Intro to Practical Internal Vulnerability Scanning ===

''Instructor: Patterson Cake''

Abstract: If your organization has the resources to scan all of the things all of the time, this course may not be for you! If, however, you are like most organizations, struggling to keep up and to make tangible progress towards improving your security posture, read on! In this course, we'll discuss scanning tools and techniques to help you identify unknown devices, sensitive data exposure, and system misconfigurations within your environment, using open-source and built-in tools, like Nmap and PowerShell, along with some good old-fashioned NI (Natural Intelligence). We'll focus on practical, tactical ways to find things like unapproved IoT devices on your network, sensitive data shares with "Everyone" permissions, and web apps with default credentials, things you care about which are often easy to remediate but may not show up on traditional vulnerability or compliance scans.

Prerequisites: Laptop capable of running a recent version of Nmap (Windows, Linux or Mac) with admin/root privileges.

=== Incident Handling - a primer ===

''Instructor: Derek Hill''

Abstract: Have you ever wondered what it takes to investigate an incident inside your company network? What about your assets stored in a public cloud? When does an event become an incident? Who decides this? We will cover the important steps of an incident handling process, including getting you started in creating your own incident handling plan. We will talk about the challenges of doing this in cloud, where you don't have physical access to the machines. You will walk away with an understanding of the fundamental steps of incident handling as well as some examples of what to look for, how to handle collection and preservation of evidence.

== Afternoon Session: 1:30 PM - 5:00 PM ==

=== Advanced Application Security Testing ===

''Instructor: Timothy Morgan''

Abstract: This course takes students beyond the most basic web application exploitation scenarios, focusing on advanced SQL injection, XML eXternal Entities (XXE) and server-side request forgery (SSRF) attacks. The course also covers out-of-band detection and exfiltration using the DNS, which has recently become a popular technique used by penetration testers.

=== AppSec Testing Beyond Pen Test ===

''Instructor: Bhushan Gupta''

Abstract: Most web application security testing efforts are concentrated around penetration testing, which is an art based on hackers’ psyche, thought process, and determination to exploit software vulnerabilities. However, does it yield a high level of confidence and sense of security in a developer’s mind? The web application developers must begin to think of building security throughout the software development life cycle (SDLC). This workshop paper focuses on an approach that aligns the web application security testing with the three basic principles of security; confidentiality, integrity, and availability (CIA). Using a simple approach, workshop teaches how to identify the most vulnerable processes in an application, highlighting the test-intensive areas. The students will learn:
# How to identify the security requirements for their business
# How to plan security testing using both statics and dynamic code analysis
# How to apply STRIDE model to evaluate critical web application components
# How to prioritizing vulnerabilities based upon DREAD model to minimize breech impact

=== Applied Physical Attacks on Embedded Systems, Introductory Version ===

''Instructor: Joe FitzPatrick''

Abstract: This workshop introduces several different relatively accessible interfaces on embedded systems. Attendees will get hands-on experience with UART, SPI, and JTAG interfaces on a MIPS-based wifi router. After a brief architectural overview of each interface, hands-on labs will guide through the process understanding, observing, interacting with, and exploiting the interface to potentially access a root shell on the target.

=== Advanced Custom Network Protocol Fuzzing ===

==== Sponsored by Oracle ====

''Instructor: Joshua Pereyda''

Abstract: Get hands on experience writing custom network protocol fuzzers. This class will cover the basics of network protocol ""smart fuzzing."" Exercises will utilize the open source network protocol fuzzing framework, boofuzz. Attendees will gain practice reverse engineering a network protocol, implementing and iterating on a custom fuzzer, and identifying vulnerabilities. After the course:

# You will know the basics of fuzzing.
# You will know how to write custom network protocol fuzzers using state of the art open source tools.
# You will have hands on experience with this widely-discussed but still largely mysterious test method.

=Sponsors=

'''Interested in becoming a sponsor? Watch this space for 2018 sponsorship information!'''

=== Mixer Sponsors===

[[File:github.png|link=https://github.com/]]

=== Training Session Sponsors ===

[[File:newrelic.png|link=https://newrelic.com/]]              
[[File:summit.png|link=http://summitinfosec.com/]]

=== General Sponsors ===

[[File:simple.png|link=https://simple.com/]]

=Details=
OWASP Portland 2018 Training Day will be October 3, 2018. This year we'll be located at:

World Trade Center Portland
121 SW Salmon St.
Portland, OR 97204.

Later in the evening, a social mixer will also be held at Rock Bottom Restaurant & Brewery, just a short walk away:

206 SW Morrison St
Portland, OR 97204

===Schedule===
{| class="wikitable"
! |Time
! colspan="4" |Activity
|-
| style="padding: 0.5em;" |8:00 AM - 8:30 AM
| colspan="4" style="padding: 0.5em;" |Morning Registration and Continental Breakfast
|-
| style="padding: 0.5em;" |8:30 AM - 12:00 PM
| style="padding: 0.5em;" |Intro to Hacking Web 3.0 (Mick Ayzenberg)
| style="padding: 0.5em;" |Introduction to Computer Forensics (Kris Rosenberg)
| style="padding: 0.5em;" |Intro to Practical Internal Vulnerability Scanning (Patterson Cake)
| style="padding: 0.5em;" |Incident Handling - a primer (Derek Hill)
|-
| style="padding: 0.5em;" |12:00 PM - 1:30 PM
| colspan="4" style="padding: 0.5em;" | Lunch on your own - ''Meet a new friend and grab a bite!''
|-
| style="padding: 0.5em;" |1:00 PM - 1:30 PM
| colspan="4" style="padding: 0.5em;" | Afternoon Registration (for those attending only in the afternoon)
|-
| style="padding: 0.5em;" |1:30 PM - 5:00 PM
| style="padding: 0.5em;" |Advanced Application Security Testing (Timothy Morgan)
| style="padding: 0.5em;" |AppSec Testing Beyond Pen Test (Bhushan Gupta)
| style="padding: 0.5em;" |Applied Physical Attacks on Embedded Systems, Introductory Version (Joe FitzPatrick)
| style="padding: 0.5em;" |Advanced Custom Network Protocol Fuzzing (Joshua Pereyda)
|-
| style="padding: 0.5em;" |5:00 PM - 7:30 PM
| colspan="4" style="padding: 0.5em;" | Evening Mixer @ Rock Bottom Restaurant and Brewery
|}

=== Lunch Ideas ===

Lunch ideas for 2018 coming soon!

=How to Register=
Registration information and dates coming soon!

OWASP Portland 2018 Training Day

2018-08-10T17:28:28Z

Bzhao: /* Schedule */

For the third year in a row, the Portland OWASP chapter is proud to host our information security training day! This is be an excellent opportunity for those interested to receive top quality information security and application security training for prices far lower than normally offered. It's also a great chance to network with the local infosec community and meet those who share your interests.

Want to get news and information on our 2018 Training Day? Subscribe to the Portland OWASP mailing list or follow @PortlandOWASP on Twitter!

=Courses=
Courses will be held in two tracks: four in the morning session, and four in the afternoon session. Each participant can register for one morning course, or one afternoon course, or one of each.

== Morning Session 8:30 AM - Noon ==

=== Intro to Hacking Web 3.0 ===

''Instructor: Mick Ayzenberg''

Abstract: In this half day course, we will introduce several emerging Blockchain concepts such as Web 3.0, smart contracts, and decentralized applications (DApps). You will get the opportunity to explore and interact with applications on this platform, and will be introduced to several of the most common vulnerability categories found in smart contracts through a capture the flag platform. This class will be highly interactive, so bring a laptop. No previous Blockchain experience required.

=== Introduction to Computer Forensics ===

''Instructor: Kris Rosenberg''

Abstract: It’s 3AM and the phone rings… ok, maybe not 3AM, but you get the call that a computer system on your network is acting strange. After taking a look you realize that this system may be infected with malware, or possibly you have an active intruder inside your network. What do you do next? This session will guide you through the basic initial steps that can be taken in a security incident to effectively isolate and contain the attack and collect evidence for potential future prosecution. We will introduce the PICERL framework for incident handling and discuss each phase in detail: Planning, Identification, Containment, Eradication, Recovery, and Lessons Learned. At the end of the session you should have a basic understanding of how to respond to a potential security incident, and preserve any evidence that may be needed.

=== Intro to Practical Internal Vulnerability Scanning ===

''Instructor: Patterson Cake''

Abstract: If your organization has the resources to scan all of the things all of the time, this course may not be for you! If, however, you are like most organizations, struggling to keep up and to make tangible progress towards improving your security posture, read on! In this course, we'll discuss scanning tools and techniques to help you identify unknown devices, sensitive data exposure, and system misconfigurations within your environment, using open-source and built-in tools, like Nmap and PowerShell, along with some good old-fashioned NI (Natural Intelligence). We'll focus on practical, tactical ways to find things like unapproved IoT devices on your network, sensitive data shares with "Everyone" permissions, and web apps with default credentials, things you care about which are often easy to remediate but may not show up on traditional vulnerability or compliance scans.

Prerequisites: Laptop capable of running a recent version of Nmap (Windows, Linux or Mac) with admin/root privileges.

=== Incident Handling - a primer ===

''Instructor: Derek Hill''

Abstract: Have you ever wondered what it takes to investigate an incident inside your company network? What about your assets stored in a public cloud? When does an event become an incident? Who decides this? We will cover the important steps of an incident handling process, including getting you started in creating your own incident handling plan. We will talk about the challenges of doing this in cloud, where you don't have physical access to the machines. You will walk away with an understanding of the fundamental steps of incident handling as well as some examples of what to look for, how to handle collection and preservation of evidence.

== Afternoon Session: 1:30 PM - 5:00 PM ==

=== Advanced Application Security Testing ===

''Instructor: Timothy Morgan''

Abstract: This course takes students beyond the most basic web application exploitation scenarios, focusing on advanced SQL injection, XML eXternal Entities (XXE) and server-side request forgery (SSRF) attacks. The course also covers out-of-band detection and exfiltration using the DNS, which has recently become a popular technique used by penetration testers.

=== AppSec Testing Beyond Pen Test ===

''Instructor: Bhushan Gupta''

Abstract: Most web application security testing efforts are concentrated around penetration testing, which is an art based on hackers’ psyche, thought process, and determination to exploit software vulnerabilities. However, does it yield a high level of confidence and sense of security in a developer’s mind? The web application developers must begin to think of building security throughout the software development life cycle (SDLC). This workshop paper focuses on an approach that aligns the web application security testing with the three basic principles of security; confidentiality, integrity, and availability (CIA). Using a simple approach, workshop teaches how to identify the most vulnerable processes in an application, highlighting the test-intensive areas. The students will learn:
# How to identify the security requirements for their business
# How to plan security testing using both statics and dynamic code analysis
# How to apply STRIDE model to evaluate critical web application components
# How to prioritizing vulnerabilities based upon DREAD model to minimize breech impact

=== Applied Physical Attacks on Embedded Systems, Introductory Version ===

''Instructor: Joe FitzPatrick''

Abstract: This workshop introduces several different relatively accessible interfaces on embedded systems. Attendees will get hands-on experience with UART, SPI, and JTAG interfaces on a MIPS-based wifi router. After a brief architectural overview of each interface, hands-on labs will guide through the process understanding, observing, interacting with, and exploiting the interface to potentially access a root shell on the target.

=== Advanced Custom Network Protocol Fuzzing ===

==== Sponsored by Oracle ====

''Instructor: Joshua Pereyda''

Abstract: Get hands on experience writing custom network protocol fuzzers. This class will cover the basics of network protocol ""smart fuzzing."" Exercises will utilize the open source network protocol fuzzing framework, boofuzz. Attendees will gain practice reverse engineering a network protocol, implementing and iterating on a custom fuzzer, and identifying vulnerabilities. After the course:

# You will know the basics of fuzzing.
# You will know how to write custom network protocol fuzzers using state of the art open source tools.
# You will have hands on experience with this widely-discussed but still largely mysterious test method.

=Sponsors=

'''Interested in becoming a sponsor? Watch this space for 2018 sponsorship information!'''

=== Mixer Sponsors===

[[File:github.png|link=https://github.com/]]

=== Training Session Sponsors ===

[[File:newrelic.png|link=https://newrelic.com/]]              
[[File:summit.png|link=http://summitinfosec.com/]]

=== General Sponsors ===

[[File:simple.png|link=https://simple.com/]]

=Details=
OWASP Portland 2018 Training Day will be October 3, 2018. This year we'll be located at:

World Trade Center Portland
121 SW Salmon St.
Portland, OR 97204.

Later in the evening, a social mixer will also be held at Rock Bottom Restaurant & Brewery, just a short walk away:

206 SW Morrison St
Portland, OR 97204

===Schedule===
{| class="wikitable"
! |Time
! colspan="4" |Activity
|-
| style="padding: 0.5em;" |8:00 AM - 9:00 AM
| colspan="4" style="padding: 0.5em;" |Morning Registration
|-
| style="padding: 0.5em;" |9:00 AM - 12:00 PM
| style="padding: 0.5em;" |Intro to Hacking Web 3.0 (Mick Ayzenberg)
| style="padding: 0.5em;" |Introduction to Computer Forensics (Kris Rosenberg)
| style="padding: 0.5em;" |Intro to Practical Internal Vulnerability Scanning (Patterson Cake)
| style="padding: 0.5em;" |Incident Handling - a primer (Derek Hill)
|-
| style="padding: 0.5em;" |12:00 PM - 1:30 PM
| colspan="4" style="padding: 0.5em;" | Lunch on your own - ''Meet a new friend and grab a bite!''
|-
| style="padding: 0.5em;" |1:00 PM - 1:30 PM
| colspan="4" style="padding: 0.5em;" | Afternoon Registration (for those attending only in the afternoon)
|-
| style="padding: 0.5em;" |1:30 PM - 5:00 PM
| style="padding: 0.5em;" |Advanced Application Security Testing (Timothy Morgan)
| style="padding: 0.5em;" |AppSec Testing Beyond Pen Test (Bhushan Gupta)
| style="padding: 0.5em;" |Applied Physical Attacks on Embedded Systems, Introductory Version (Joe FitzPatrick)
| style="padding: 0.5em;" |Advanced Custom Network Protocol Fuzzing (Joshua Pereyda)
|-
| style="padding: 0.5em;" |5:00 PM - 7:30 PM
| colspan="4" style="padding: 0.5em;" | Evening Mixer @ Rock Bottom Restaurant and Brewery
|}

=== Lunch Ideas ===

Lunch ideas for 2018 coming soon!

=How to Register=
Registration information and dates coming soon!

OWASP Portland 2018 Training Day

2018-08-10T17:26:33Z

Bzhao:

For the third year in a row, the Portland OWASP chapter is proud to host our information security training day! This is be an excellent opportunity for those interested to receive top quality information security and application security training for prices far lower than normally offered. It's also a great chance to network with the local infosec community and meet those who share your interests.

Want to get news and information on our 2018 Training Day? Subscribe to the Portland OWASP mailing list or follow @PortlandOWASP on Twitter!

=Courses=
Courses will be held in two tracks: four in the morning session, and four in the afternoon session. Each participant can register for one morning course, or one afternoon course, or one of each.

== Morning Session 8:30 AM - Noon ==

=== Intro to Hacking Web 3.0 ===

''Instructor: Mick Ayzenberg''

Abstract: In this half day course, we will introduce several emerging Blockchain concepts such as Web 3.0, smart contracts, and decentralized applications (DApps). You will get the opportunity to explore and interact with applications on this platform, and will be introduced to several of the most common vulnerability categories found in smart contracts through a capture the flag platform. This class will be highly interactive, so bring a laptop. No previous Blockchain experience required.

=== Introduction to Computer Forensics ===

''Instructor: Kris Rosenberg''

Abstract: It’s 3AM and the phone rings… ok, maybe not 3AM, but you get the call that a computer system on your network is acting strange. After taking a look you realize that this system may be infected with malware, or possibly you have an active intruder inside your network. What do you do next? This session will guide you through the basic initial steps that can be taken in a security incident to effectively isolate and contain the attack and collect evidence for potential future prosecution. We will introduce the PICERL framework for incident handling and discuss each phase in detail: Planning, Identification, Containment, Eradication, Recovery, and Lessons Learned. At the end of the session you should have a basic understanding of how to respond to a potential security incident, and preserve any evidence that may be needed.

=== Intro to Practical Internal Vulnerability Scanning ===

''Instructor: Patterson Cake''

Abstract: If your organization has the resources to scan all of the things all of the time, this course may not be for you! If, however, you are like most organizations, struggling to keep up and to make tangible progress towards improving your security posture, read on! In this course, we'll discuss scanning tools and techniques to help you identify unknown devices, sensitive data exposure, and system misconfigurations within your environment, using open-source and built-in tools, like Nmap and PowerShell, along with some good old-fashioned NI (Natural Intelligence). We'll focus on practical, tactical ways to find things like unapproved IoT devices on your network, sensitive data shares with "Everyone" permissions, and web apps with default credentials, things you care about which are often easy to remediate but may not show up on traditional vulnerability or compliance scans.

Prerequisites: Laptop capable of running a recent version of Nmap (Windows, Linux or Mac) with admin/root privileges.

=== Incident Handling - a primer ===

''Instructor: Derek Hill''

Abstract: Have you ever wondered what it takes to investigate an incident inside your company network? What about your assets stored in a public cloud? When does an event become an incident? Who decides this? We will cover the important steps of an incident handling process, including getting you started in creating your own incident handling plan. We will talk about the challenges of doing this in cloud, where you don't have physical access to the machines. You will walk away with an understanding of the fundamental steps of incident handling as well as some examples of what to look for, how to handle collection and preservation of evidence.

== Afternoon Session: 1:30 PM - 5:00 PM ==

=== Advanced Application Security Testing ===

''Instructor: Timothy Morgan''

Abstract: This course takes students beyond the most basic web application exploitation scenarios, focusing on advanced SQL injection, XML eXternal Entities (XXE) and server-side request forgery (SSRF) attacks. The course also covers out-of-band detection and exfiltration using the DNS, which has recently become a popular technique used by penetration testers.

=== AppSec Testing Beyond Pen Test ===

''Instructor: Bhushan Gupta''

Abstract: Most web application security testing efforts are concentrated around penetration testing, which is an art based on hackers’ psyche, thought process, and determination to exploit software vulnerabilities. However, does it yield a high level of confidence and sense of security in a developer’s mind? The web application developers must begin to think of building security throughout the software development life cycle (SDLC). This workshop paper focuses on an approach that aligns the web application security testing with the three basic principles of security; confidentiality, integrity, and availability (CIA). Using a simple approach, workshop teaches how to identify the most vulnerable processes in an application, highlighting the test-intensive areas. The students will learn:
# How to identify the security requirements for their business
# How to plan security testing using both statics and dynamic code analysis
# How to apply STRIDE model to evaluate critical web application components
# How to prioritizing vulnerabilities based upon DREAD model to minimize breech impact

=== Applied Physical Attacks on Embedded Systems, Introductory Version ===

''Instructor: Joe FitzPatrick''

Abstract: This workshop introduces several different relatively accessible interfaces on embedded systems. Attendees will get hands-on experience with UART, SPI, and JTAG interfaces on a MIPS-based wifi router. After a brief architectural overview of each interface, hands-on labs will guide through the process understanding, observing, interacting with, and exploiting the interface to potentially access a root shell on the target.

=== Advanced Custom Network Protocol Fuzzing ===

==== Sponsored by Oracle ====

''Instructor: Joshua Pereyda''

Abstract: Get hands on experience writing custom network protocol fuzzers. This class will cover the basics of network protocol ""smart fuzzing."" Exercises will utilize the open source network protocol fuzzing framework, boofuzz. Attendees will gain practice reverse engineering a network protocol, implementing and iterating on a custom fuzzer, and identifying vulnerabilities. After the course:

# You will know the basics of fuzzing.
# You will know how to write custom network protocol fuzzers using state of the art open source tools.
# You will have hands on experience with this widely-discussed but still largely mysterious test method.

=Sponsors=

'''Interested in becoming a sponsor? Watch this space for 2018 sponsorship information!'''

=== Mixer Sponsors===

[[File:github.png|link=https://github.com/]]

=== Training Session Sponsors ===

[[File:newrelic.png|link=https://newrelic.com/]]              
[[File:summit.png|link=http://summitinfosec.com/]]

=== General Sponsors ===

[[File:simple.png|link=https://simple.com/]]

=Details=
OWASP Portland 2018 Training Day will be October 3, 2018. This year we'll be located at:

World Trade Center Portland
121 SW Salmon St.
Portland, OR 97204.

Later in the evening, a social mixer will also be held at Rock Bottom Restaurant & Brewery, just a short walk away:

206 SW Morrison St
Portland, OR 97204

===Schedule===
{| class="wikitable"
! |Time
! colspan="4" |Activity
|-
| style="padding: 0.5em;" |8:00 AM - 9:00 AM
| colspan="4" style="padding: 0.5em;" |Morning Registration
|-
| style="padding: 0.5em;" |9:00 AM - 12:00 PM
| style="padding: 0.5em;" |Intro to Hacking Web 3.0 (Mick Ayzenberg)
| style="padding: 0.5em;" |Introduction to Computer Forensics (Kris Rosenberg)
| style="padding: 0.5em;" |Intro to Practical Internal Vulnerability Scanning (Patterson Cake)
| style="padding: 0.5em;" |Incident Handling - a primer (Derek Hill)
|-
| style="padding: 0.5em;" |12:00 PM - 1:30 PM
| colspan="4" style="padding: 0.5em;" | Lunch on your own - ''Meet a new friend and grab a bite!''
|-
| style="padding: 0.5em;" |1:00 PM - 1:30 PM
| colspan="4" style="padding: 0.5em;" | Afternoon Registration (for those attending only in the afternoon)
|-
| style="padding: 0.5em;" |1:30 PM - 5:00 PM
| style="padding: 0.5em;" |Advanced Application Security Testing (Timothy Morgan)
| style="padding: 0.5em;" |AppSec Testing Beyond Pen Test (Bhushan Gupta)
| style="padding: 0.5em;" |Applied Physical Attacks on Embedded Systems, Introductory Version (Joe FitzPatrick)
| style="padding: 0.5em;" |Advanced Custom Network Protocol Fuzzing (Joshua Pereyda)
|-
| style="padding: 0.5em;" |5:00 PM - 7:30 PM
| colspan="4" style="padding: 0.5em;" | Evening Mixer @ Rogue Hall
|}

=== Lunch Ideas ===

Lunch ideas for 2018 coming soon!

=How to Register=
Registration information and dates coming soon!