Toronto

Date/Time: November 21, 2019, 6:30 PM to 8:30 PM EDT

Location: Room 128 (on the first floor near the library), St. James Campus - Building A, George Brown College, 200 King Street East, Toronto, ON, M5A 3W8

Presentation summary:

Introduction to Web Application PenTesting

Diving into web application penetration testing! Bobby will introduce concepts for web application security testing, common vulnerabilities, pen testing methodologies and resources to help you further develop skills. Recommended for students or individuals trying to breaking into the offensive security space.

Presenter bio:

Bobby is a recent graduate working with Security Compass as a Security Consultant. His experience and interests revolve around Application Security. Editor's note: Bobby promises that the quality that would have been spent on the bio has been spent on the presentation.

---

Date/Time: October 24, 2019, 6:30 PM to 8:30 PM EDT

Location: Room 128 (on the first floor near the library), St. James Campus - Building A, George Brown College, 200 King Street East, Toronto, ON, M5A 3W8

Presentation summary:

Half a Decade in Review: On Accidental Hacking and the "Hard" Conversations

A lot can change in 5 years. Half a Decade in Review is exactly what it sounds like: an exploration of how cybersecurity has changed in half a decade, from the perspective of an accidental “hacker.”

The nature of cybersecurity is that it extends into every technological facet of life - so it’s not surprising that accidental hacking is not an uncommon story; many of us were not computer experts by nature. This facet also means that technology is still very widely operated by the human - and so the way cybersecurity is architected is at the mercy of human influence and temperament.

This review explores some of the human conversations that perhaps only marginally exist in the boardroom, yet thrive in Twitter echo chambers and Slack room gripes. They are conversations about how the cybersecurity talent gap is deeply entwined with human trends of health maintenance, diversity, education, and providing incentivization for talent. They are the conversations that can be controversial because they are deeply charged with emotions and can have significant real-world consequences, yet do not have dichotomic answers that can be easily expressed in the breadth of 280 characters.

Presenter bio:

Alana Staszczyszyn is a practicing security consultant. Her past and present work has focused on penetration testing as well as security governance in the public health sector. She is also heavily interested in various political, socioeconomic, and cultural aspects of cybersecurity, particularly on how the intersections of security and those domains have given rise to new risks in the cyber-threat landscape.

---

Date/Time: September 18, 2019, 6:30 PM to 8:30 PM EDT

Location: Room 128 (on the first floor near the library), St. James Campus - Building A, George Brown College, 200 King Street East, Toronto, ON, M5A 3W8

Presentation summary:

Attacking OAuth and SAML

OAuth 2.0 and SAML are well-known protocols used for authorization and authentication. From major applications like Facebook, Github to enterprise apps these protocols are commonly seen. OAuth 2 provides authorization flows for web and mobile apps and SAML is majorly used to enable Single Sign On. These protocols if implemented well could really be helpful, but considering the complexity involved with these protocols, developers may neglect certain security best practices which could lead to serious flaws.

This talk is to discuss the various known attacks against OAuth and SAML in-depth, but before we dive into vulnerabilities we will spend some time to understand how these protocols helping us understand the attack vectors better. We will also look at open-source tools which are available which can aid in assessments when we encounter these protocols.

Presenter bio:

Harish Ramadoss is a Senior Security Consultant with Trustwave Spiderlabs and has recently moved from UAE where he was Security Assurance Manager for Etihad Airways. Mostly involved in offensive security space focusing on application & infrastructure security, social engineering, and red team engagements.

He is also the co-author of DejaVU deception platform and has presented at a few global conferences including Blackhat and Defcon. Harish also holds a Master's degree in Cyber Laws and Information Security.

---

Date/Time: August 21, 2019, 6:30 PM to 8:30 PM EDT

Location: Room 128 (on the first floor near the library), St. James Campus - Building A, George Brown College, 200 King Street East, Toronto, ON, M5A 3W8

Presentation summary:

OWASP Security with Azure App Gateway WAF, Log Analytics Monitoring and Azure Sentinel

Roy Kim will show an end to end configuration of Azure App Gateway in front of Azure App Service application with Log Analytics monitoring and Azure Sentinel. You will see a demo of a simple penetration test and how you can monitor and alert with Log Analytics and Azure Sentinel to detect common web attacks such as SQL injection and cross site scripting with the App Gateway’s Web Application Firewall. You will walk away with an understanding of how Azure App Gateway and Log Analytics is applied as a security solution.

Presenter bio:

Roy is an architect/developer, multi-disciplined in solutions such as architecture, advisory, technology leadership, developer team lead, project coordination, systems performance, infrastructure, security and systems architecture. He executes on multiple roles to deliver a projects at high performance and has deep expertise with SharePoint, .NET, JavaScript, BI development and Azure cloud services.

---

Date/Time: July 17, 2019, 6:30 PM to 8:30 PM EDT

Location: Room 128 (on the first floor near the library), St. James Campus - Building A, George Brown College, 200 King Street East, Toronto, ON, M5A 3W8

Presentation summary:

Export to RCE

Often web applications will allow users to export data within CSV files. Without proper output sanitization, poisoned CSV files can be created leading to remote code execution when they're opened. This presentation assumes no prior knowledge with CSV injection and will focus on all aspects of the vulnerability (how it works, how to prevent the issue, and more).

Presenter bio:

Adam Greenhill is a senior security consultant at Security Compass. He enjoys staying up to date with the latest security trends and researching new aspects of the industry. Adam is an active member of the security community and has presented at BSides Toronto, OWASP Toronto, Toronto's Cyber Security Meetup, and Sheridan College's ISSessions.

---

Date/Time: June 19, 2019, 6:30 PM to 8:30 PM EDT

Location: Room 128 (on the first floor near the library), St. James Campus - Building A, George Brown College, 200 King Street East, Toronto, ON, M5A 3W8

Presentation summary:

Bug Bounties: Good or Evil?

Are Bug Bounty Programs (BBP) useful or not? How do you become a Bug Bounty Hunter and how do you run an effective BBP for your company?

In this talk, Gurjant shares his experience as a Bug Bounty Hunter along with some interesting stories he’s encountered along the way. He will also discuss whether or not Bug Bounty Programs are beneficial for your company and how to get the most out of them.

Presenter bio:

Gurjant Singh

Gurjant Singh is the Information Security Lead at Wealthsimple, a Toronto based Fintech company. In his spare time, Gurjant attempts to stay up to date with the most recent cyber security news and technologies. He also loves teaching and has been featured in the Times of India and Pentest Magazine.

---

Date/Time: May 15, 2019, 6:30 PM to 8:30 PM EDT

Location: Room 128 (on the first floor near the library), St. James Campus - Building A, George Brown College, 200 King Street East, Toronto, ON, M5A 3W8

Presentation summary:

Building a CTF: A Student's Perspective

CTFs are fun, educational events that have become a staple in the information security community. But have you ever considered what actually goes on behind the scenes to make one happen?

In this talk Cameron Novina will reflect on his experience organizing the first and second annual Sheridan CTFs. This year, a custom CTF platform was implemented, as well as an even larger selection of challenges; including cryptography, stenography and of course, application security. He will cover the obstacles he and the team overcame while implementing challenges that were designed to be attacked by budding information security professionals, using modern infrastructure and development practices on a tight budget.

This talk is aimed at those who have enjoyed a CTF (or many) in their time, and want to know what goes into organizing these events, both from a technical and event planning perspective.

Presenter bio:

Cameron Novina

Cameron is a Consultant with Deloitte’s Cyber Risk Advisory practice and is currently the Vice President of Sheridan College's Information Security Sessions Club. Cam has helped formulate and execute a variety of information security simulations for organizations in the National Capital Region and previously served as the club's president.

While not at work or school, Cam wrecks n00bs in overwatch (Highest SR: 3440!) and enjoys tabletop games such as D&D as both a player and a Dungeon Master.

---

Date/Time: April 17, 2019, 6:30 PM to 9:00 PM EST

Location: Room 128 (on the first floor near the library), St. James Campus - Building A, George Brown College, 200 King Street East, Toronto, ON, M5A 3W8

De-identification!

De-identification is a way to make data sets containing personal information statistically safe for release. It is fundamentally a risk management solution designed to help companies comply with privacy legislation. This talk will go over:

- The Data Problem: the raison d’être for de-identification

- Implementation Overview: How it is done

- Methodologies: 4 ways to secure personal data

Speaker bio:

Erik Service

Erik Service is a data scientist working with Security Compass as a management consultant. Prior to this role, he was a technical lead at Privacy Analytics where he contributed to the commercialization of a de-identification methodology for pharmaceutical research.

His professional interests lie at the intersection of technology and privacy law, with a focus on how people create and consume technology. He is a columnist for Mindthis magazine and plans to launch a blog looking at ways to inject privacy and security into the software development lifecycle.

Erik holds a Master of Science from McGill University. He completed a B.A at the University of Ottawa and is credited as an author on 6 peer-reviewed science publications.

Presentation materials:

Below are the references to books written on the subject:        

1. El Emam, K., & Arbuckle, L. (2013). Anonymizing health data: case studies and methods to get you started. "O'Reilly Media, Inc.". 

2. El Emam, K. (2013). Guide to the de-identification of personal health information. Auerbach Publications.

Here are some useful youtube videos: 

• Cynthia Dwork on e-differential privacy: https://www.youtube.com/watch?v=lg-VhHlztqoe
• Differential privacy for dummies: https://www.youtube.com/watch?v=gI0wk1CXlsQ

---

Date/Time: March 20, 2019, 6:30 PM to 9:00 PM EST

Location: Room 128 (on the first floor near the library) – St. James Campus Building A, George Brown College, 200 King Street East, Toronto, ON, M5A 3W8

Space is limited, so please RSVP on our chapter event page.

[CMD+CTRL Web Application Cyber Range]

Want to test your skills in identifying web app vulnerabilities? Join OWASP Toronto and Security Innovation as members compete in CMD+CTRL, a web application cyber range where players exploit their way through hundreds of vulnerabilities that lurk in business applications today. Success means learning quickly that attack and defense is all about thinking on your feet.

For each vulnerability you uncover, you are awarded points. Climb the interactive leaderboard for a chance to win fantastic prizes! CMD+CTRL is ideal for development teams to train and develop skills, but anyone involved in keeping your organization’s data secure can play - from developers and managers and even CISOs. Register early to reserve your spot !

In addition to signing up on the meetup page, you can also register at Security Innovation's page to receive helpful tips, FAQs, and access to cheat sheets: - https://web.securityinnovation.com/owasptoronto2019

Please keep in mind that spots are limited, and registration is a first come, first served basis!

CTF Proctor bio:

Geoff Vaughn

Geoff is an Application & IT Security expert helping companies secure software and devices throughout all stages of development. He specializes in finding exploitable vulnerabilities in software applications as well as reverse engineering binaries to locate vulnerable code. Check out Geoff’s blog here: https://blog.securityinnovation.com/author/geoffrey-vaughan.

Security Innovation

Security Innovation is a pioneer in software security and trusted advisor to its clients. Since 2002, organizations have relied on our assessment and training solutions to make the use of software systems safer in the most challenging environments – whether in Web applications, IoT devices, or the cloud. The company’s flagship product, CMD+CTRL Cyber Range, is the industry’s only simulated Web site environment designed to build the skills teams need to protect the enterprise where it is most vulnerable – at the application layer. Security Innovation is privately held and headquartered in Wilmington, MA USA. For more information, visit www.securityinnovation.com or connect with us on LinkedIn or Twitter.

---

Date/Time: February 20, 2019, 6:30 PM to 8:30 PM EST

Location: Room 128 – St. James Campus Building A, George Brown College, 200 King Street East, Toronto, ON, M5A 3W8

Space is limited, so please RSVP on our chapter event page.

In Root we trust (no this is not a DNS talk)

Abstract

What do airplanes, TSA pre-check, credit cards, Windows Updates, and HTTPS all have in common? They all rely on the use of digital certificates as a basis for the security they provide.

In this talk Pavan and Lisa will share their expertise on what a digital certificate is, what they can be used for, and why we trust them (or not trust them in some cases...). They will cover the fundamentals of Public Key Infrastructure (PKI) and shed light on the critical role that Root Certification Authorities (CAs) play in all of our lives.

This talk is aimed at those who are onboard for HTTPS everywhere but want to dive into the nuts and bolts of how certificates work and understand the broader applications of PKI.

Speaker Bios:

Pavan

Pavan is a Manager with Deloitte’s Cyber Risk Advisory practice and has performed and led advisory work across a wide variety of domains with a focus on network security, vulnerability management, and data protection.

Recently, Pavan’s focus has shifted to Public Key Infrastructure (PKI) and the Certification Authorities (CAs) that issue publicly trusted TLS certificates. He has performed audits of both public and enterprise CAs and has been an official witness to several root key generation ceremonies both in Canada and internationally.

While not on an engagement, Pavan attempts to stay up to date on the latest memes by dedicating his time to mentoring youth at his local Air Cadet Squadron

Lisa

Lisa is a consultant in Deloitte’s Risk Advisory practice. Her specialties include trust considerations of Public Key Infrastructure, Cyber Security, Enterprise Risk, Internal Controls, Third Party Service Auditor Reporting, Data Quality, Confidentiality and Privacy. Furthermore, she is involved in the development and delivery of training courses within the practice, and internal innovation initiatives.

---

Date/Time: Wednesday January 23, 2019, 6:30 PM to 8:30 PM EST

Location: Room 128 – St. James Campus Building A, George Brown College, 200 King Street East, Toronto, ON, M5A 3W8

Space is limited, so please RSVP on our chapter event page.

Back to the Future of Application Security: Developing Secure Smart Contracts

Abstract

Race-conditions, re-entrancy, bad randomness, unchecked calls and integer overflows! No, we’re not coding a C++98 application and worried about the Y2K bug; it’s 2019 and welcome to the world of smart contracts! Grab some avocado toast and GAS-up for a trip onto the blockchain, because where we're going, we don't need roads.

We’ll start with an introduction to smart contracts and their place in the distributed ledger technology ecosystem. We’ll delve into key vulnerabilities from the SWC (Smart Contract Weakness) registry and link them to real world impacts. We’ll identify smart contract flaws in Solidity and ultimately how to mitigate them.

Ending with some key principals in building secure smart contracts and suggested tooling to augment secure smart contract development flow. All with a dash of lamenting how by forgetting the past we are doomed to repeat it. And of course, no talk would be complete without a smart contract CTF challenge, or two, for the taking.

Speaker Bio:

Jamie Baxter, M. Eng., OSCP, OSCE, GPEN, CISSP

Principal Consultant & Founder - SRNSEC Inc.

Jamie is an independent security consultant specializing in security assessments, ranging from web application and infrastructure penetration tests to red teaming exercises.

Prior to independent consulting, Jamie was the Director of Cyber Security Assessments at RBC, a Senior Penetration Tester for the Department of National Defense, and a developer for over 10 years.

When not on an engagement, he can be found competing in and building CTFs or exploring the world of distributed ledger technology security.

---

Date/Time: Wednesday December 5, 2018, 6:30 PM to 8:30 PM EST

Location: Lecture Hall Room 426A – St. James Campus Building A, George Brown College, 200 King Street East, Toronto, ON, M5A 3W8

Space is limited, so please RSVP on our chapter event page.

Web Application Penetration Testing - Methodology and Approach

Abstract

An introduction to web application penetration testing covering common methodologies and approaches. Topics are: An overview of the business side of how these engagements are commonly run, the methodology and mind-state of penetration testing vs. vulnerability assessments, and a demo using industry standard tools. Recommended for people who are new to the offensive side of security, those interested in learning more about the topic, or who are interested in potentially switching from blue to red team.

Bios:

Frank Coburn

Frank is a Consultant who specializes in web application security testing and analysis, and cloud security. I began my career in Canada’s financial sector in 2015 and have been performing web application penetration tests for various local and remote clients ever since. I have managed many client relationships and a multitude of other projects in Information Security across various industries. In my copious free time I enjoy working on personal projects such as developing scripts, tooling, and creating testing environments.

Haris Mahboob

I work at Security Compass as a security consultant. I specialize in penetration testing web applications and network infrastructures. I have experience working with industry standard SAST/DAST tools and manual testing. I come from a healthcare background working with SIEM tools, vulnerability scanning and management, as well as secure auditing. I enjoy spending my free time honing my penetration testing skills by diving into vulnerable VMs and learning about exotic payloads.

---

Date/Time: Wednesday November 14, 2018, 6:00 PM to 8 PM EST

Location: Security Compass, 390 Queens Quay West, Suite 209, Toronto ON, M5V 3A6

Space is limited, so please RSVP on our chapter event page.

Sonatype DevSecOps Community Survey - Working Session

DevOps is Security’s New Front Line

As we embrace movements like CI, CD and Devops to cut down on release cycles - and innovate faster, we as developers must also embrace the reality that the risk landscape is too complex to leave “security” to just those with security in their title. Traditional methods do not cut it anymore – it’s time for DevSecOps.

In a recent 2018 DevSecOps Community report, where 2,076 IT professionals were surveyed, 48% of respondents admitted that developers know application security is important, but they don’t have the time to spend on it. Done properly, DevSecOps practices shouldn’t interrupt the DevOps pipeline - but instead aid it - preventing costly rebuilds and build breaks, down the road.

Attendees of this session will walk away with:

• Real-world examples of how large and small companies are implementing DevSecOps practices in their own delivery pipelines, and increasing developer awareness to risks
• Key insights from 2,076 of their peers who participated in the 2018 DevSecOps community report - including where most mature DevOps practices are focusing their security efforts
• A walkthrough of how security principles have been embedded in a CICD pipeline and what standards for implementation are beginning to follow suit.

---

Date/Time: Monday September 17, 2018, 6:00 PM to 8 PM EDT

Location: 80 Spadina Avenue, Toronto, ON

Space is limited, so please RSVP on our chapter event page.

6-7 PM

"iOS App runtime manipulation" with Ivan Rodriguez

In this talk, we'll learn how to decrypt and extract an iOS application from a device, and use reverse engineering techniques to manipulate the app at runtime.

Ivan Rodriguez is an Application Security Engineer at Shopify with a mobile development background, currently working in application security.

7-8PM

"Auditing/Pen Testing Android Apps" with Kristina Balaam

As our world becomes more dependent on mobile devices, it's important to understand the risks we may unknowingly introduce to users through the applications we build. In this talk, we'll cover general Android security best practices, discuss tools for auditing your own applications to find vulnerabilities, and resources for continued learning.

Kristina is a Security Intelligence Engineer at Lookout where she reverse engineers mobile malware. Prior to Lookout, she worked as an Application Security Engineer at Shopify focusing mostly on Android mobile security. Kristina graduated with a Bachelor of Computer Science from McGill University in 2012, and is currently pursuing a MSc. in Information Security Engineering from the SANS Institute of Technology. She blogs about computer security on Twitter, Instagram and Youtube under the handle @chmodxx.

---

Date/Time: Monday October 1, 2018, 6:00 PM to 8 PM EDT

Location: 80 Spadina Avenue, Toronto, ON

Space is limited, so please RSVP on our chapter event page.

Azure Cloud Security Workshop

By: Tanya Janca, OWASP Ottawa Chapter Co-Leader

Tanya Janca is a senior cloud developer advocate for Microsoft, specializing in application security; evangelizing software security and advocating for developers through public speaking, her open source project OWASP DevSlop, and various forms of teaching via workshops, blogs and community events. As an ethical hacker, OWASP Project and Chapter Leader, software developer and professional computer geek of 20+ years, she is a person who is truly fascinated by the ‘science’ of computer science.

You can find out more about Tanya here:

@SheHacksPurple

http://devslop.co/

https://medium.com/@shehackspurple

https://www.slideshare.net/TanyaJanca

https://www.youtube.com/channel/UCyxbNw11fMUgoR3XpVYVPIQ

https://www.twitch.tv/shehackspurple

Have you ever wondered how security is different ‘in the cloud’? Where do you store your certificates? Your keys? Your connection strings? How can you see what’s going on with your resources? How do you patch? Where can you see your server configs other important information? How do you manage an security incident? How do you even know that you’re having an incident?

This first half of this workshop will be a demo where the audience follows along, the second part will be for audience members to build things and secure them, in Azure.

Demo will include:

• Complete Azure Security Centre walkthrough
• Policy and compliance, including subscription coverage
• Resource Security Hygiene
• Azure Security Centre Recommendations (mitigation of one or more items, dependent on time)
• Threat Protection, Alerts and Threats
• Applying System Updates
• Key Vault

Audience Participation (people who do not have a laptop can follow along with the teacher)

• Create a DevOps project, from scratch, and publish to the internet. (20-30 mins)
• Turn on Security Centre (5 mins)
• Check your security configurations and settings to ensure your new app is safe. (10 mins)
• More as time permits.

What you will need if you want to participate after the demo:

• A laptop running any modern operating system (Mac OS, Windows, Linux)
• Modern web browser (Safari, Edge, Chrome, FireFox)
• Wi-fi and internet
• An activated Azure Trial. Please activate your trial before the workshop. The workshop will not wait if you have not activated your trail.

To activate your free Azure trail for this workshop please go here: https://aka.ms/Azure-Cloud-Security-Workshop

>> If you have previously used your free Azure Trail you will not be able to have another one for this workshop.

>> You will need to use a credit card to activate your trial, but the trial itself is free for 30 days, up to $200. We will use up to $30 of your credit with this workshop.

---

Date/Time: July 18, 2018, 6:00 PM to 8 PM EDT

Location: 420 Wellington Street West, Toronto, ON

Space is limited, so please RSVP on our chapter event page.

Panel Discussion: DevSecOps

We invite you to join us for a panel discussion on DevSecOps. Panelists will include AppSec professionals currently involved with growing their DevSecOps practice internally, or advising clients on DevSecOps initiatives in a consulting capacity. Our moderator will invite them to share their insights on topics that include:

• Role and current DevSecOps practices
• Success stories and challenges
• Advice for getting into DevSecOps
• Standards, tools, frameworks

Come prepared to learn, discuss, share and ask questions!

---

Date/Time: June 12, 2018, 6:00 PM to 8 PM EDT

Location: Suite 500, 257 Adelaide St. W., Toronto, ON

Space is limited, so please RSVP on our chapter event page.

How to stop worrying about Application Container Security (v2)

Containers make it easier to deploy the applications that drive business value, but also profoundly challenge existing security models. Learn from our journey as a security team that went from not knowing what containers were to championing their adoption in our production sensitive information workloads over traditional DevOps application deployments.

• About Us
• Our Application & Security Challenges
• Our Container Journey
• Building an Container Ecosystem
• Learning Secure Application Containers
• Benefits for DevOps and Security
• Our Container Security Maturity Model
• What’s Next

Presenter: Brian Andrzejewski (@DevSecOpsGeer)

Brian was the lead Information Security Engineer in the CyberDefense Branch at the United States Customs and Immigration Services (USCIS). He led, engineered, and architected several of USCIS’s security efforts and represented USCIS as a hands-on SME in several working groups within DHS and Federal government on DevSecOps, Application Security, Cloud Migration & Security, Container Security, and CyberDefense operations best practices.

Prior to USCIS, Brian brings his prior 17+ years of professional experiences in information security, risk management, IT Operations, system development & administration, & DFIR from the Department of Defense, healthcare, commercial, and academic sectors. He was a prior DoD SME representative in U.S. cybersecurity workforce development programs and operationalized machine-speed cyber threat information sharing between the five U.S. National Cyber Centers. He remains passionate about cybersecurity workforce development and information security education with non-profits and security researchers.

---

Date/Time: May 28, 2018, 6:00 PM to 8 PM EDT

Location: Suite 500, 257 Adelaide St. W., Toronto, ON

Space is limited, so please RSVP on our chapter event page.

OWASP SecurityRAT: Handling of Security Requirements in Software Development Lifecycle

The bigger the company you're working in, the more technologies and methodologies used by development teams you are going to face. At the same time, you want to address security risks in an appropriate, reliable and traceable way for all of them.

After a short introduction of a unified process for handling security requirements in a large company, the main part of the talk is going to focus on a tool called SecurityRAT which we developed in order to support and accelerate this process.

The goal of the tool is first to provide a list of relevant security requirements according to properties of the developed software (e.g. type of software, criticality), and afterwards to handle these in a mostly automated way - integration with an issue tracker being used as a core feature.

Work in progress (currently targeting mainly integration to other systems, automated testing of requirements and reporting) as well as future plans will form the last part of the talk.

Speakers:

Daniel Kefer OWASP SecurityRAT - Project Leader

Daniel Kefer has been working in the application security field since 2007. Having started as a penetration tester, he soon became passionate about proactive security efforts and working closely with developers. Since 2011 he has been working for 1&1 where he currently leads an internal application security team supporting development teams with security challenges of their work. With OWASP, he leads the SecurityRAT project and contributes to the SAMM project.

René Reuter OWASP SecurityRAT - Project Leader

René Reuter is a security engineer with over 6 years of experience in the application security field. At Robert Bosch GmbH, he works as an IT Security Consultant responsible for identifying vulnerabilities and design flaws that may impact Robert Boschs' applications and infrastructure. René holds a Master's Degree in Computer Science from the University of Applied Sciences Karlsruhe.

---

Date/Time: April 26, 2018, 6:00 PM to 8 PM EDT

Location: Suite 500, 257 Adelaide St. W., Toronto, ON

Space is limited, so please RSVP on our Meetup.com chapter event page.

CISO's 90 Day Plan

Agenda

Developing and deploying a security strategy from the ground up. Nelson will cover Security Policy development, Team Building, Data Classification, Assessment/Prioritization, Application Security, Security Awareness, Deployment and Monitoring / Incident Response. We will reserve ample time for Q&A.

Speaker: Nelson Chen

An accomplished 20+ year IT Security leader (CISSP/CISA/CISM) with global enterprise-wide responsibilities. Nelson has experience that ranges from startup to large, high-tech enterprise environments with extensive background with information systems management, information security practices, risk assessment, contingency planning, vendor management, merger & acquisition, project management and business development. He has deployed security policies and strategies for his previous employer to over two dozen acquisitions and today he works for Zenedge, a successful cybersecurity startup that was recently purchased by Oracle.

---

Date/Time: April 11, 2018, 6:00 PM to 8 PM EDT

Location: Suite 500, 257 Adelaide St. W., Toronto, ON

Space is limited, so please RSVP on our Meetup.com chapter event page.

Application Threat Modeling

This session will introduce you to the basics of application threat modeling using the OWASP Cornucopia and Microsoft Elevation of Privileges games. We will provide an introduction to the game concepts, and then attendees will join groups where they will get hands on game experience threat modeling a sample application. Come prepared to participate!

---

Date/Time: February 27, 2018, 6:00 - 8:00 PM EST

Location: Suite 500, 257 Adelaide St. W., Toronto, ON

Space is limited, so please RSVP on our Meetup.com chapter event page.

“How to Work a Room” Basic Networking Skills

Helping individuals achieve their personal goals by teaching and coaching effective networking

Intro by OWASP Toronto: As AppSec and information security professionals, we work in a field where technical knowledge is key, while networking and communications skills, which are just as important, are often overlooked. Marcel's insights on effective networking will help you be more successful in your roles within your organizations, or help you be better prepared to enter the security workforce."

Speaker: Marcel Gagnier

Marcel is a successful sales technology executive with over 20 years experence in sales and account management. He owes his success primarily to his networking skills.

Networking has allowed Marcel to develop relationships, and business, and to support a wide range of interests as well as lifelong friendships.

As with many people networking did not come easily to Marcel. It is a learned skill that he first developed while in the British Army starting with human intelligence (HUMINT) on operations. These skills became further refined when conducting threat assessments and social engineering. These networking skills allowed Marcel to easily transition into the civilian world in a variety of roles and in both small and large firms.

Marcel will share his insights in a workshop called “How to Work a Room” where basic networking skills will be covered.

You will learn the following: 


• The basics of networking - how it works
• What events to attend and what events not to attend
• How to research the event and attendees
• Setting event goals
• What to wear
• What to carry
• When to arrive
• How to read the room
• How to engage the best prospects
• How to make an introduction
• How to engage in conversation
• How to exchange contacts and business cards
• How to disengage
• How to follow-up

---

Date/Time: January 17, 2018, 6:00 - 8:00 PM EST

Location: Suite 500, 257 Adelaide St. W., Toronto, ON

Space is limited, so please RSVP on our Meetup.com chapter event page.

Hi, I am X. How do I get into AppSec / Security?

This will be a guided discussion about entering the world of application security, or information security in general. We will cover topics such as OWASP resources, tools, secure SDLC, agile, secure DevOps, training and certifications. We will also have some real life stories from folks in the industry about their path. Come prepared to participate!

---

Date/Time: October 26, 2017, 6:00 - 8:00 PM EDT

Location: Suite 500, 257 Adelaide St. W., Toronto, ON

Space is limited, so please RSVP on our Meetup.com chapter event page.

Swiss cheese security, or the real challenges faced by internet facing companies

Summary

In this talk we will get an overview of which are the challenges faced by companies that have an internet presence, but instead of focusing on well know attacks we will focus on targeted and stealthy attacks.

Each scenario will be described and explained by using data collected over the years, and for each case we will discuss not only attack and defense strategies but also some legal implications and possible impact to the business.

Brief Presenter Bio:

Enrico Branca

Enrico Branca is an experienced researcher with specialist knowledge in Cyber Security. He has been working in Information Security for over a decade with experience in Software Security, Information Security Management, and Cyber Security R&D. He has been trained and worked in various roles during his career, including Senior Security Engineer, Security Architect, Disaster Recovery Specialist, Microsoft Security Specialist and others, always looking for new exiting opportunities.

Outline

• what main stream news say about cyber security
• what industry says about cyber security
• how can we dispute the claims with a reality check
• example 1: are financial and insurance companies well defended?
• example 2: web encryption with SSL/TLS, defending from unknown attacks
• example 3: the state of GPG public key cryptography, can we trust it?
• example 4: software companies and version controls, useful or useless?
• example 5: targeted data breach or "indirect" breach,
• what has been found without any sort of cyber attack
• what can be learned from others' mistakes
• what can be done to make things better

---

Date/Time: August 23, 2017, 6:00 - 8:00 PM EDT

Location: Suite 500, 257 Adelaide St. W., Toronto, ON

Space is limited, so please RSVP on our Meetup.com chapter event page.

Session Description:

Cloud Security & Best Practice in AWS

• Few instances of breach in cloud (AWS): Account compromise via leak of AWS Keys on GitHub SSRF attack Publicly accessible S3 Bucket, folders, and files
• How Jenkins (CI) can lead to disaster
• Best practices to protect AWS account from unauthorized access and usage
• What and How to look for security loopholes
• Audit scripts

Presenter Bio:

Ankit Giri

A complete tech enthusiast, who likes to learn new technologies. With his expertise in Application Security, Ankit works as Associate Security Consultant for Security Compass. A speaker, presenter, and a blogger, Ankit has a diverse background in writing informational blogs during his association with TO THE NEW Digital (last firm). He is a nature lover, photography enthusiast and avid follower of governance. Being in application security domain, Ankit also takes an interest in RTI activism and carry it as a skill with RTI certifications.Expertise: Penetration Tester, OWASP Top 10 Vulnerabilities understanding, detection, and remediation. Blogger, Bug Bounty enthusiast, One of the Top rated writer on Quora: The Most Viewed Writer in Web Application Security, The Most Viewed Writer in Pentest, Second Most Viewed Writers in Network Security. Featured in Hall of Fame of EFF, GM, HTC, Sony, Mobikwik, AT&T, PagerDuty and many others. He is a chapter leader of Peerlyst Delhi NCR Chapter. Special mention and a note of thank for posting the first SecLink on the platform Sectivenet.

---

Date/Time: June 13, 2017, 6:00 - 8:00 PM EDT

Location: Suite 500, 257 Adelaide St. W., Toronto, ON

Space is limited, so please RSVP here to confirm your presence.

Session Description:

The Node.js Highway: Attacks Are At Full Throttle

Node.js is the drive-and-go language and its popularity is soaring. Five years after its debut, and the language’s framework boasts more 2M downloads a month. Before accelerating too quickly, it is important to understand the power – and corresponding mishaps – of this language. In this talk, we demonstrate new attack techniques against applications built on top of the Node.js language. Attacks include:

• Application-layer DDoS attacks. Bringing a server to its knees with just 4(!) requests.
• Password exposure attacks. Leveraging the “Forgot My Password” feature of applications in order to reveal the passwords of all the application’s users
• Business logic attacks. Running malicious code on all machines of users of the applications when exploiting a weak business feature.

Presenter Bio:

Susan St.Clair, CWAPT

Solution Engineer – Checkmarx

Susan currently works with organizations to help implement secure coding practices as part of their SDLC as part of the Checkmarx GTA team. She has over 15 years of experience working with application teams in the software industry.

She was previously a product manager and solution engineer with Codiscope, now part of Synopsys.

---

Date/Time: May 25, 2017, 6:00 - 8:00 PM EDT

Location: Suite 500, 257 Adelaide St. W., Toronto, ON

Space is limited, so please RSVP here to confirm your presence.

Session Description:

Category Web: Fantastic Tales of Capture-The-Flag (CTF) challenges past

We’ll dive into some of our favorite application security challenges from past Capture-The-Flag (CTF) competitions, including highlights from the recent 2017 edition of NorthSec, the largest applied security competition in North America. The challenges we’ll walk through were not only fun to solve but have a demonstrable real-world impact drawing on subtle flaws that lurk in many production applications. So bring your laptops and strap-in, this talk will be interactive and at the end of the night we’ll have a few challenges to take home with you.

Optional: If you want to follow along on your laptop as Jamie goes over the challenge walkthroughs, you will need at least VMware / Virtual Box to run a virtual machine, 8 GB of free space, and a web proxy such as Burp Suite or OWASP ZAP.

Presenter Bio:

Jamie Baxter, GPEN, OSCE, OSCP, CISSP

Principal Consultant & Founder - SRNSEC Inc.

Jamie is the team captain of a successful CTF (Capture the Flag) team “SomeRandomName” (SrN), which regularly competes in and organizes CTF events. When not CTFing, Jamie is a independent information security consultant specializing in security assessments, performing infrastructure and application penetration testing engagements for clients in the government, retail and financial sectors.

Previously, Jamie was the Director of Cyber Security Assessments at the Royal Bank of Canada and a senior penetration tester for the Department of National Defense.

---

Date/Time: April 20, 2017, 6:00 - 8:00 PM EDT

Location: Auditorium, Lilian H Smith Library, 239 College Street, Toronto, ON M5T1R5

Agenda:

How Billion Dollar Enterprises Manage Application Security at Scale

Security Compass recently completed a comprehensive research study by surveying companies across multiple industries with the goal of discovering how large, complex organizations address application security at scale. The majority of respondents surveyed were multinational organizations who reported annual earnings greater than $1 billion USD. Through this new research study, we have gleamed novel insights on how large organizations manage application security at scale. Through this presentation, we will reveal aggregated insights, industry trends, and best practices that illuminate how organizations are addressing application security at scale, so that you may apply and compare these learnings to the state of application security at your own organization.

Altaz Valani is a Research Director at Security Compass responsible for managing the overall research vision and team. Prior to joining Security Compass, Altaz was a Senior Research Director in the Application Development Practice at Info-Tech Research Group providing IT managers, directors, and senior managers with guidance and analysis around application development – including Agile, Cloud, Mobile, and the overall SDLC. His other past positions include Senior Manager at KPMG, and various entrepreneurial and intrapreneurial positions where he worked side by side with senior-level stakeholders at blue chip clients to drive business value through software development.

Altaz enjoys coding, teaching, and the challenge of learning. He received his BEng in Computer Engineering from McMaster University, and his MBA from the University of Western Ontario.

---

Date/Time: March 15, 2017, 6:00 - 8:00 PM EDT

Location: Amazon, 120 Bremner Blvd, Suite 2600, Toronto, ON

IMPORTANT - We are making special changes to our RSVP process to adapt to this new venue:

• ONLY attendees who confirmed through our chapter's Meetup.com event page will be allowed entry. So please confirm your presence if you are planning to come. This is required so that visitor badges can be created for those on the list and provided by the reception at the Amazon office.

• The RSVP period will run from March 3 to March 12. This is to allow enough time for visitor badges to be created, and to plan for the event's logistics.

• If you need to make change to your attendance status, please do so by March 12. We understand that plans change, but given a limited space, please be mindful of others in the community who may benefit from the event.If you have any questions, please feel free to reach reach out to us.

Agenda:

1 - Overview and Intro to OWASP Projects - Yuk Fai Chan

A quick overview of the OWASP will be presented for those who are unfamiliar with the global organization, followed by a introduction of OWASP Projects - the process, the people, and some examples - from Flagship, Lab to Incubator.

Yuk Fai Chan is with the OWASP Toronto chapter. He also works as a security consultant.

2 - Vulnerabilities from upstream on down - Max Veytsman

Security vulnerabilities in open source software are patched by maintainers every day, but most of the software your servers have installed is coming from a package manager.

When a new vulnerability in openssl is disclosed, how does it make it to the corresponding Ubuntu package? How long does it take?

Every distribution has a security team. I'm going to describe the work that they do, talk about how vulnerabilities are prioritized and discuss some statistics about their operations.

Max Veytsman is a recovering pentester. Nowadays, he's helping the world patch its software at Appcanary.

---

Date/Time: February 16, 2017, 6:00 - 8:00 PM EST

Location: Suite 500, 257 Adelaide St. W., Toronto, ON

Please RSVP here to confirm your presence.

Secure Programming with Static Analysis

Please join us at our next OWASP Toronto chapter event, where our guest speaker, Paul Kitor from HP Enterprise, will be sharing his thoughts on Secure Programming with Static Analysis.

Speaker: Paul Kitor

Paul Kitor, CISSP is a Senior Solution Architect focused on Fortify technologies within the Enterprise Security Products business unit at HP. In this role, Mr. Kitor acts as the primary technical advisor to develop and position a broad range of Application Security solutions with customers. In his responsibilities, Paul provides technical leadership and technical depth concerning HP Fortify solutions. He works closely with customers and partners in assisting them meet their strategic Application Security initiatives and also provides thought leadership and insight regarding the ever changing global threat landscape. He possesses 20+ years of Information Security experience in the areas of Application Architecture, Java/C/C++ Development, Agile SDLC, and Application Security. Prior to joining HP Canada, Paul worked as a Solution Architect at Oracle, BEA Systems, and Borland Software he also lead Java development teams at Airmiles.ca and Points.com.

Abstract:

Developing software securely is a very challenging task. Using a combination of theory, practice and technology gives you the best chance of success. This talk will introduce (for those practitioners among us – review) the theory, practices and technologies that comprise Static Analysis.

• The Software Security Problem
• Static Analysis
• Introduction
• As Part of the Code Review Process
• Internals
• Pervasive Problems
• Handling Input
• Buffer Overflow
• Bride of Buffer Overflow
• Errors and Exceptions

---

Date/Time: July 20, 2016, 6:00 - 8:00 PM EDT

Location: Suite 500, 257 Adelaide St. W., Toronto, ON

Please RSVP here to confirm your presence.

Panel Discussion: OWASP Top 10

We invite you to join us at our next chapter event, where panelists will discuss one of OWASP's flagship projects, the OWASP Top 10 application security flaws. The discussion will include:

• Roundtable on select items on the OWASP Top 10 (e.g. injection flaws, security misconfigurations, CSRF, etc.)
• Thoughts on candidates for the 2016/2017 release of the OWASP Top 10 (e.g. what should be added? what should be removed?)

Come prepared to learn, discuss, share and ask questions!

---

Date/Time: June 8, 2016, 6:00 - 8:00 PM EDT

Location: Suite 500, 257 Adelaide St. W., Toronto, ON

Please RSVP here to confirm your presence.

Panel Discussion: Day in the Life of An Application Security Professional

We invite you to join us at our next OWASP Toronto chapter meeting, where panelists will discuss their day-to-day life as an application security professional, followed by an open discussion with the audience. Come prepared to learn, discuss, share, and ask questions!

Panelists:

• Steve Gienuisz, Software Security Specialist, BMO Financial Group
• Ramanan Sivaranjan, Director of Engineering, Security Compass
• Yuk Fai Chan, OWASP Toronto Chapter
• Tej Gandhi, Information Security Compliance Specialist, Engage People Inc.

---

Date/Time: January 20, 2016, 6:00 - 8:00 PM EST

Location: Suite 500, 257 Adelaide St. W., Toronto, ON

Please RSVP here to confirm your presence.

Speaker: Michael Bennet

Lead DDoS Strike Developer, Security Compass

Is your Application DDoS Ready?

Common issues that leave your application DDoS defences vulnerable

More and more DDoS attacks are targeting the Application Layer in order to knock your sites and services offline. These attacks need far less horsepower to drive results and often target weaknesses in an application and its defences in order to be effective. While there are solutions available to protect your application, they can only do so much and often are misconfigured for an application. In this presentation I’ll talk about common misconfigurations that we come across during our DDoS testing, as well as some web application design considerations that help some DDoS defences to be more effective.

---

Date/Time: November 18, 2015, 6:00 - 8:00 PM EST

Location: Suite 500, 257 Adelaide St. W., Toronto, ON

Please RSVP here to confirm your presence.

Python Security

Speaker: Enrico Branca

Enrico Branca is an experienced researcher with specialist knowledge in Cyber Security. He has been working in Information Security for over a decade with experience in Software Security, Information Security Management, and Cyber Security R&D. He has been trained and worked in various roles during his career, including Senior Security Engineer, Security Architect, Disaster Recovery Specialist, and Microsoft Security Specialist. He is always looking for new and exciting opportunities.

Session Outline:

A deep dive into the security of the Python interpreter and its core libraries to discover how bad guys may attack it and how good guys can protect it, while providing examples and code snippets on how each goal may be achieved by any given party.

Enrico's presentation slides can be found here.

---

Date/Time: May 20, 2015, 6:00 - 8:00 PM EDT

Location: Suite 500, 257 Adelaide St. W., Toronto, ON

Please RSVP here to confirm your presence.

Panel Discussion: State of Application Security in 2015

We invite you to join us at our next OWASP Toronto chapter meeting, where a panel of industry professionals will discuss the state of application security in 2015. Panelists will share their point of view on a number of topics, followed by an open discussion with the audience. Come prepared to learn, discuss, share, and ask questions!

1. Appsec Wishlist: "If I could have one thing improved in application security in 2015, it would be ..."
2. Appsec Defenders: Offensive Security is obviously thriving, but how are the Defenders doing? Has there been improvement? There are plenty of blackhat/red team rock stars, but are we giving enough credit to the blue teams?
3. Appsec Tools: Which application security tools are doing the job right? Which ones can be further improved?
4. Evolution of Application Security Assessments: How will the industry effect a sea change in attitude towards assessing software for security issues? The tunnel-vision model (i.e., black-box only, source code review only, configuration review only) is deficient, and the best approach is to overlap as many techniques as possible. Time-boxed approaches compound the problem, and with the increasing proliferation and complexity of applications in any given organization, scaling assessment services to all targets is bottlenecked.
5. Appsec Talent: There are too few skilled/trained information security professionals, and too much work to do. Scaling up to meet the demand can only partially be managed through automation. Where will the next wave of reliable security professionals come from? Is training for information security skills too expensive in the age Code School? Is North Armerica in need of a CREST-like certification to establish a baseline level of coverage by a practitioner?

Panelists

Ehsan Foroughi, Security Compass

Manish Khera, RBC

Gonzalo Nunez, Deloitte

Ann-Marie Westgate, eHealth Ontario

---

Date/Time: September 10, 2014, 6:30 - 8:30 PM EDT

Location: Suite 500, 257 Adelaide St. W., Toronto, ON

Please RSVP here to confirm your presence.

Speaker:

Ryan Berg

Ryan is the Chief Security Officer at Sonatype. Before joining Sonatype, Ryan was a co-founder and chief scientist for Ounce Labs which was acquired by IBM in 2009. Ryan holds multiple patents and is a popular speaker, instructor and author, in the fields of security, risk management, and secure application development. Prior to Ounce Labs, Ryan co-founded Qiave Technologies, a pioneer in kernel-level security, which later sold to WatchGuard Technologies in 2000. In the late 1990's, Ryan also designed and developed the infrastructure for GTE Internetworking/Genuity's appliance-based managed security services.

Session Outline:

What's Hiding in Your Software Components? Hidden Risks of Component-Based Software Development – Seeing the Forest Through the Trees

Software is no longer written, it's assembled. With 80% of a typical application now being assembled from components, it's time to take a hard look at the new risks posed by this type of development -- and the processes and tools that we'll need in order to keep them in check. Join Ryan Berg as he shares real world data on component risks, outlines the scope of the problem, and proposes approaches for managing these risks. You'll learn how security professionals can work cooperatively with application developers to reduce risk AND boost developer efficiency.

---

Date/Time: July 16, 2014, 6:00 - 8:00 PM EDT

Location: Suite 500, 257 Adelaide St. W., Toronto, ON

Please RSVP at yuk.fai.chan@owasp.org to confirm your presence.

Speaker:

Dr. Mark Shtern, CISSP, Postdoctoral Fellow at York University

Session Outline:

DDoS Attacks and Mitigation in Cloud Environments

Distributed Denial of Service (DDoS) attacks are negatively impacting a broad spectrum of industries as they are increasing in number, sophistication, and cost. Researchers have noted that, when simple DDoS attacks fail, the attackers take aim at the application layer and these attacks become more prevalent. For example, in the first quarter of 2012, Layer 7/Application layer attacks increased by 25% compared to the year before. In the third quarter of 2013, the total number of layer 7 attacks increased by 101% compared to 2012. As a result, application layer attacks have been a growing concern for information technology security specialists.

I will present an adaptive management mechanism, which can correctly scale applications, mitigate a DDoS attack, or both, based on an assessment of the business value of workload. I will talk about the Cloud Efficiency (CE) metric, a runtime metric that assesses how effectively an application uses software-defined infrastructure. This is a business-driven metric that can be leveraged to detect various resource-consumption attacks on applications, including cost-of-service and low-and-slow DDoS attacks.

---

Date/Time: April 23rd, 2014, 5:30 - 7:30 PM EDT

Location: Telus Tower, 25 York, 3rd Floor

Please RSVP to yuk.fai.chan@owasp.org to confirm your presence.

Heartbleed! or Heart Bleed!

Heartbleed

Heartbleed! or Heart Bleed! The logo, the media coverage, the virus (no wait, it's not a virus); reverse Heartbleed and client Heartbleed (the transfusion) - a tale of failure to validate inputs, trusting user-provided input and coding around good security. You've read the book! Seen the movie! Now see the live puppet show*. (*puppets not included, please bring your own batteries too).

Speaker: Ben Sapiro

Ben works for KPMG where he advises people on Cyber Security (we're not entirely sure what that is yet either but we hear it's the 'new infosec' which is the 'new orange' which is the 'new black'). He's also the founder of OpenCERT, a BSidesTO organizer, LiquidMatrix Podcaster, SECTOR Fail Panelist and occasional writer of things (which sometimes includes horrible code and bad prose). With 15 years in the biz, Ben's hoping for parole soon; otherwise is going to have to find something else to do in infosec/cybersec besides product management, SecSDLC, consulting, insulting, and CISO'ing. Ben has advised a whole bunch of confidential clients on AppSec and Secure SDLC, but two he _can_ talk about (when reliving the glory days) are Sybase and Motorola.

---

Date/Time: December 3rd, 2013, 6:00 - 7:30 PM EST

Location: Telus Tower, 25 York, 3rd Floor, Room 39

Please RSVP to yuk.fai.chan@owasp.org to confirm your presence.

OWASP ASVS OWASP: Introducing ASVS 2013

Since the last release of the OWASP Application Security Verification Standard (ASVS) Project in 2009, significant improvements have been made, including but not limited to:

1. Content updates to add new relevant content and clarify existing content

2. Document segregation

3. Case studies

4. Mapping to other relevant standards

In this presentation, we will walk through the major changes that we believe will increase adoption of the standard in industry.

Presenter: Sahba Kazerooni

Sahba Kazerooni manages Security Compass's internationally renowned consultants on cutting-edge consulting and training engagements across North America and around the world. His personal skillset ranges from hands-on assessments in application penetration testing, threat modeling, and source code review, to security advisory and technical training. Sahba has an advanced knowledge of the Software Development Life Cycle (SDLC) as well as the intricacies of the Java programming language. He is an internationally renowned speaker on software security topics, having delivered presentations at reputable security conferences around the world and having been recognized as an expert in application security by publications such as IT World Canada and the Information Security Media Group.

---

Date/Time: July 10, 2013, 6:30 - 8:00 PM EST

Location: Telus Tower, 25 York, 3rd Floor, Room 39

Please RSVP to patrick.szeto@owasp.org or yuk.fai.chan@owasp.org to confirm your presence.

OWASP: Beyond the Top 10

OWASP: Beyond the Top 10

Presenter: Andre Rochefort, TELUS

Join us as we take a guided tour through some of OWASPs lesser-known projects -- present and future. For students and new entrants to the application security profession, get practical advice on options for building and honing your skills. Developers and administrators alike might benefit from an overview of OWASPs projects for secure SDLC, source code review, and vulnerability assessment and mitigation. The seasoned professionals can engage in a lively discussion and critique of OWASP projects in the pipeline, and how the community as a whole is tackling security for the web, mobile, and beyond. An OWASP session featuring a buffet of OWASP offerings and a potluck of alternatives and enhancements.

Your host for this session is Andre Rochefort, an infosec veteran and lifelong computer geek. As a developer, a security auditor, and a loudmouth conference heckler, Andre offers a wealth of experience and anecdotes, with a generous helping of opinion. His day-to-day activities at TELUS include source code analysis, vulnerability assessments and penetration tests, with a heavy focus on web and mobile application security.

---

Date/Time: May 8th, 2013, 6:30 - 8:00 PM EST

Location: Telus Tower, 25 York, 3rd Floor, Room 39

Please RSVP to yuk.fai.chan@owasp.org to confirm your presence.

Secure Code Review

Security Code Review

Presenter: Sherif Koussa

Secure Code Review is the best approach to uncover the largest number ofsecurity flaws in addition to the most stealth and hard to uncover security vulnerabilities. During this session, you will learn how to perform security code review and uncover vulnerabilities such as OWASP Top 10: Cross-site Scripting, SQL Injection, Access Control and much more in early stages of development. You will use a real life application "SecureTickers" pulled from SourceForge. You will get an introduction to Static Code Analysis tools and how you can extend PMD (http://pmd.sourceforge.net/), the open source static code analysis tool, to catch security flaws like OWASP Top 10. Expect lots of code, tools, hacking and fun!

---

Date/Time: March 20th, 2013, 6:30 - 8:30 PM EST

Location: PwC Tower, 18 York Street, Suite 2600, Toronto ON M5J 0B2

Due to fire and building regulations, there is a maximum occupancy allowed in the venue, so if you would like to attend it is very important that you RSVP at yuk.fai.chan@owasp.org to confirm your presence!

NFC Threat Landscape

Presenter: Geoff Vaughan, Security Compass

Near Field Communication is on pace to be one of the most explosive technologies in North America for 2013. Over 2012 we’ve seen a number of industry steps to making this a reality. Nearly all phone makers are putting NFC into all new phones they develop. Over the last year we have also seen widespread adoption by a large number of financial institutions to put NFC into all their new credit cards and banking cards as well as many mobile payment systems now accepting the technology. At this point we need to take a step back and evaluate the implications of having NFC always enabled on a consumer phone and the implications of storing mobile payment data on an individuals phone. NFC technologies are intimately embedded into all core features of a smart phone and this presents a very large attack and vulnerability surface for an attacker to potentially exploit.

---

Wednesday, July 11th 2012, 6:30-8:00 PM EDT - Security Community Engagement

Location: Suite 201, 425 Adelaide Street West, Toronto, ON M5V 3C1

Please RSVP to yuk.fai.chan@owasp.org to confirm your presence.

Description: Mozilla is one of the most successful open source projects in existence, and has helped transform the way users and developers interact with the Internet. In the last few years there has been many new ways to use the Internet, including new competitors in the Browser market, mobile and desktop Apps, and a proliferation of platforms, APIs, and new technologies. Mozilla has a strong base of contributors to many areas, including Firefox, Thunderbird, our huge Add-On collection, and our support sites, but not many people know that Mozilla is also open to community engagement with our Security program as well! In this discussion I will explain how our Security program functions, and how and where we are looking for improved engagement and contribution from the community, and some of the benefits to contributing!

Speaker Bio:

Yvan Boily is an Application Security Manager with Mozilla Corporation, where he manages one of two application security teams focused on the security of Mozilla web properties and end-user applications.

---

Thursday, May 10th 2012, 6:30-8:00 PM EDT - Application Security ISO

Location: RBC Auditorium C, 315 Front Street West, Toronto, ON M5V 3A4

Please RSVP to yuk.fai.chan@owasp.org to confirm your presence.

Description: ISO/IEC 27034 - Part 1 was published in November 2011 and the remaining parts (Part 2-6) are expected to be published soon. What does this mean to your organization or your clients who wish to adopt or incorporate this ISO standard for their software application? This overview will walk through the key sections of standard and highlight the process approach to specifying, designing, developing, testing, implementing and maintaining security functions and controls in application systems. We will also attempt to compare these key points against other industry guidelines to determine the overall intentions and objectives of the standard.

Speaker Bio: TAK CHIJIIIWA, CISSP, CSSLP

Tak Chijiiwa has over 12 years of IT security experience. Tak has been involved in a wide spectrum of information security strategy and advisory engagements for various Fortune 500 clients globally in the healthcare, financial, education, utilities, transportation and government sector. Prior to joining Security Compass, Tak worked at Deloitte & Touche, LLP as a Manager of the Vulnerability Management team in Toronto, Ontario for 6 years and at Kasten Chase Applied Research as a Development Manager in Mississauga, Ontario for 4 years.

---

Wednesday, September 14th 2011, 6:30-8:00 PM EDT - Introducing Vega, a New Open Source Web Vulnerability Scanner

Location: Suite 201, 425 Adelaide Street West, Toronto, ON M5V 3C1

Please RSVP to owasp-rsvp@securitycompass.com to confirm you attendance.

Description: David will be presenting Vega, a new free and open source vulnerability scanner for web applications developed by Subgraph, his Montreal-based security startup. Vega allows anyone to scan their web applications for vulnerabilities such as cross-site scripting or SQL injection. Written in Java, Vega is cross-platform. It's also extensible, with a built-in Javascript interpreter and API for custom module development. Vega also includes an intercepting proxy for manual inspection of possible vulnerabilities and penetration testing.

Speaker bio: David has over 10 years in the information security business. He started his professional experience as a founding member of Security Focus, which was acquired by Symantec in 2002. David also moderated the Bugtraq mailing list, a historically important forum for discussion of security vulnerabilities, for over four years. He has spoken at Black Hat, Can Sec West, AusCERT and numerous other security conferences, as well as made contributions to books, magazines and other publications. David also participated in a NIAC working group on behalf of Symantec to develop the first version of the CVSS (Common Vulnerability Scoring System) model and was an editor for IEEE Security & Privacy. His current obsession is building Subgraph, his information security startup in Montréal.

---

Wednesday, May 11th 2011, 5:00-6:00 PM - Mobile Security for the Forgetful

Location: Auditorium C, 315 Front Street West, Toronto, ON M5V 3A4

Please RSVP to yukfai at securitycompass dotcom

Description: You’ve accidentally misplaced your company or personal mobile phone in a public location. In this scenario, what threats do you and/or your organization face?

This talk will be about the worst case scenario in mobile security: when the attacker has physical access to the phone. According to DataLossDB, about 1/5 of all data breaches they have recorded are due to lost or stolen laptops. Phones are much easier to lose (or steal) then laptops, and these days the data on our phones can be as confidential as the data on our laptops.

This talk will go over physical access attacks from an attacker’s perspective, discuss ways of coding mobile applications to defend against these kinds of attacks, and discuss some ways of securing our phones as users. Technical details in this talk will focus on the Android platform.

Length: 60 minutes

Speaker Bio: Max Veytsman is a Security Consultant with Security Compass. He specializes in web and mobile security assessments. Max also leads Security Compass' training development in the mobile space. Max studied Computer Science at the University of Toronto. His interests include cryptography, programming language design, and computer vision.

---

Wednesday, February 16th, 6:00 PM- How Auditors Certify Computer Systems – A Look at Third Party, Non-Vendor, Legally Mandated System Certifications

Location: 425 Adelaide Street West, Suite 702

Please RSVP to laura at securitycompass dotcom

Description:“Certifications” abound in the world of IT – from signoffs by internal security professionals to the advertising claims of vendors, but few, if any of these, have true legal standing. As a consequence, customers and clients of organizations which process sensitive transactions or retain confidential data are increasingly demanding third party, non-vendor, legally mandated system certification as a pre-requisite to doing business.

• What are these certifications and who can issue them?

• Under what circumstances are certifications likely to be required?

• What standards do certifiers use – and does it matter?

• What information and evidence do auditors need in order to complete their work?

• How can information systems professionals prepare for a certification audit and ensure that the process is ultimately successful?

Our speaker, Jerrard Gaertner, CA•CISA/IT, CGEIT, CISSP, CIPP/IT, I.S.P., ITCP, CIA, CFI, Director of Technology Assurance Services at Soberman LLP, will address these and related questions based on his 25+ years as a systems auditor.

---

Wednesday, November 10th, 6:30 PM- Using Open Standards to Break the Vulnerability Wheel of Pain

Location: 425 Adelaide Street West, Suite 702

Please RSVP to laura at securitycompass dotcom

Description: Ed is the Chief Information Security Officer responsible for the protection and security of all information and electronic assets as well as compliance and ethics across the wide array of business units that make up Orbitz Worldwide on a global basis. These assets include Orbitz, CheapTickets, eBookers, Away.com, HotelClub, RatesToGo, AsiaHotels, and Orbitz for Business.

With over 18 years of experience in information security and technology, Ed has worked with and been involved in protecting information assets at several Fortune 500 companies. Prior to joining Orbitz, Ed served as VP of Corporate Information Security for Bank of America within their Global Corporate and Investment Banking division. His credentials also include several security technology and management roles at organizations such as Ernst & Young, Ford Motor Company, and Young & Rubicam. Ed is a CISSP, CISM, a contributor to the ISM Community, serves on the advisory board to the Society of Payment Security Professionals as well as its Application Security Working Group.

Ed is a frequent speaker at information security events across North America and Europe. Past talks have included venues such as BlackHat, Metricon, CSO, OWASP, The MIS Institute, The Association of Information Technology Professionals, Technology Executives Club, and the National Business Travel Association. Additionally Ed is a contributing author to the O’Reilly book Beautiful Security.

---

Meetings November 5th, 2009 (THURSDAY)

Location: 285 Victoria Street, 3rd Floor (Room number VIC306) NEW Location.

Date/Time: : November 5th, 2009, 6:00-7:30 PM EST (THURSDAY)

Title: Software Assurance Maturity Model

Speaker: Pravir Chandra, Fortify Software

Description:Software Assurance Maturity Model (OpenSAMM) The Software Assurance Maturity Model (SAMM) into a software development organization. Covering more than typical SDLC-based models for security, SAMM enables organizations to self-assess their security assurance program and then use recommended roadmaps to improve in a way that's aligned to the specific risks facing the organization. Beyond that, SAMM enables creation of scorecards for an organization's effectiveness at secure software development throughout the typical governance, development, and deployment business functions. Scorecards also enable management within an organization to demonstrate quantitative improvements through iterations of building a security assurance program. This workshop will introduce the SAMM framework and walk through useful activities such as assessing an assurance program, mapping an existing organization to a recommended roadmap, and iteratively building an assurance program. Time allowing, additional case studies will also be discussed. OpenSAMM is an open a free project and has recently been donated to the Open Web Application Security Project (OWASP) Foundation. For more information on OpenSAMM, visit http://www.opensamm.org/

Bio: Pravir Chandra is Director of Strategic Services at Fortify Software and works with clients on software security assurance programs. Pravir is recognized for his expertise in software security, code analysis, and his ability to strategically apply technical knowledge. Prior to Fortify, he was a Principal Consultant affiliated with Cigital and led large software security programs at Fortune 500 companies. Pravir Co-Founded Secure Software, Inc. and was Chief Security Architect prior to its acquisition by Fortify. He recently created and led the Open Software Assurance Maturity Model (OpenSAMM) project with the OWASP Foundation, leads the OWASP CLASP project, and also serves as member of the OWASP Global Projects Committee. Pravir is author of the book Network Security with OpenSSL.

---

Meetings August 19th, 2009

Location: 285 Victoria Street, 4th Floor (Room number VIC405) NEW Location.

Date/Time: August 19th, 2009, 6:00-7:30 PM EST

Title: Will you be PCI DSS Compliant by September 2010?

Speaker: Michael D’Sa, Visa Canada

Description and Bio: At this informative session, Michael D'Sa, Visa Canada's Senior Manager of Data Security and Investigations will talk to you about PCI DSS compliance within the Canadian marketplace. Michael will present the emerging data compromise trends, and will review the Canadian deadlines and mandates for Visa merchants. Michael D’Sa is the Senior Manager responsible for Data Security and Investigations at Visa Canada. Working at Visa Canada for over 14 years, Mr. D’Sa is currently in the Payment System Risk group. His responsibilities include managing the Account Information Security program, managing Data Compromise incidents, and supporting Visa banks on fraud investigations. Mr. D’Sa also acts as the primary liaison for Law Enforcement on Visa related fraud matters.

---

Meetings May 13th, 2009

Location: 4-179B, 121 King Street West, Toronto (same as last time)

Date/Time: May 13th, 2009, 6:45-8:00 PM EST

Title: Cross Site AJAX Hacking

Description: The era of AJAX technologies has only been possible after XMLHttpRequest released its full potential. But XMLHttpRequest has had a number of security concerns, in particular due to its ability to create flexible requests against web sites without the users knowledge. Up to now, the same origin policy limited the impact of this issue.

The Web 2.0 vision calls for the flexible use and rendering of information in mash-ups created by mixing content from various sources on the fly. This idea is not easily implemented in Javascript due to same origin restrictions. In order to allow for these features, XHR Level 2 and XDR have been developed to remove the same origin policy and allow the ability to request information from various sites. Current browsers make these functions available to developers and you will soon find sites that require them. The presentation will provide information on the mechanics of these cross site AJAX calls and their security impact.

As an add-on to the discussion - It has been a year since Johannes Ullrich have given a talk on Dshield Web App honeypot project. I will provide a small update on the progress of this project. It's a low key project but you may be amazed at what we are doing.

Presenter: Jason Lam

BIO:Jason is a senior security analyst at a major financial institute in Canada. He is also an author and instructor for SANS Institute where he writes courses on pentesting and defending web applications. In his ever diminishing free time, he helps with the SANS Internet Storm Center as an incident handler. He took on the role to be a leader for the Dshield honeypot project where logs from web honeypot all over the world are collected and analyzed.

---

Meetings April 8th 2009

Wednesday April 8th 2009, 6:00-8:00 PM EST at D&T, 4-179B, 121 King Street West, Toronto.

Topic: A Laugh RIAt – Rich Internet Application Security

Speaker: Rafal M. Los

Description: Rich Internet Applications [RIA] are popping up everywhere! Enterprises and boutique online shops alike are rushing to adopt these technologies without really thinking of the implications of moving pseudo-server functionality to the user’s desktop and browser. Hacking these applications has now moved from the challenge of compromising the server, to the significantly smaller challenge of compromising the client. You’ll be able to witness (and try!) first-hand how to manipulate an AJAX-rich web application you or your colleagues probably use many times; as well as see and understand how breaking down a Flash binary object (SWF file) isn’t difficult. These types of applications are now treasure-troves of goodies… don’t miss out on the simple ways you can security test these technologies on your desktop today!

Future Talks: May: Douglas Simpson, Cenzic Jun: Jamie Gamble, Security Compass Jul: Jason Lam, Aug: Joe Bates Sep: Tyler Reguly, nCircle

We are looking for speakers, if you are interested in speaking on security topics please email Nish Bhalla

---

Meetings November 13th 2008

Location: 4-179B, 121 King Street West, Toronto (same as last time)

Date/Time: November 13th 2008, 6:00-7:30 PM EST

Title: Web Application Security and the PA-DSS

Description: The Payment Card Industry's (PCI) Payment Application Data Security Standards (PA-DSS) version 1.1 was released in April 2008, and has implications for every payment application vendor whose product is sold, distributed, or licensed “as is”. This discussion will provide a soft introduction to the payment application audit procedures and will match PA requirements to each phase of the software development lifecycle. Whether you are a web application developer, tester, vendor or just interested in PCI and Payment Applications, this talk will have a message for you.

Presenter: A M Westgate M.Sc., B.Ed., CISSP, QSA, PA-QSA

BIO: A M brings a range of experience as a security systems analyst, a software engineer and as an information security instructor. She has participated in PCI Compliance engagements and PCI gap assessments. In addition, she has been the primary consultant on PA-DSS Validation, PA gap assessments and remediation engagements. A M has over 5 years experience in security software engineering, and has worked in Canada, USA, Ireland and England. She is a confident speaker, and a part time instructor of the CISSP preparation course in the continuing education department at a local university.

---

Meetings August 14th 2008

Location: 4-179B, 121 King Street West, Toronto (same as last time)

Date/Time: August 14th 2008, 6:00-7:30 PM EST

Title: An Introduction To Reverse Engineering Malware

Session Abstract: This talk will cover the basics of setting up an environment to reverse engineer malware, and an introduction to some tools and techniques that can be used to determine what exactly that bit of unknown, potentially hostile code does. While this is an introductory talk, we'll definitely cover more than "run strings on the binary and see what you get!"

Presenters: Seth Hardy, MessageLabs Inc.

BIO: Seth Hardy recently moved to Toronto to do reverse engineering work for MessageLabs, as part of their antivirus research and response group. Before that, he worked mostly in the areas of vulnerability research and cryptography. In his spare time, Seth likes to work on community-building projects both online and off. He currently holds the GIAC GREM certification, and should have the CISSP before this presentation; if not, feel free to mock him mercilessly for it.

---

Meetings July 16th 2008

Location: 4-179B, 121 King Street West, Toronto (same as last time)

Date/Time: July 16th 2008, 6:00-7:30 PM EST

Title: Business Logic Flaws

Session Abstract: How they put your Websites at Risk Session handling, credit card transactions, and password recovery are just a few examples of Web-enabled business logic processes that malicious hackers have abused to compromise major websites. These types of vulnerabilities are routinely overlooked during QA because the process is intended to test what a piece of code is supposed to do and not what it can be made to do. The other problem(s) with business logic flaws is scanners can't identify them, IDS can't detect them, and Web application firewalls can't defend them. Plus, the more sophisticated and Web 2.0 feature-rich a website, the more prone it is to have flaws in business logic.The presentation will provide real-world examples of how pernicious and dangerous business logic flaws are to the security of a website. We'll also show how best to spot them and provide organizations with a simple and rational game plan to prevent them.

Presenters: Trey Ford, Director, Solutions Architecture, WhiteHat Security, Inc.

BIO: Trey Ford is the Director of Solutions Architecture at WhiteHat Security, providing strategic guidance to WhiteHat customers and prospects on their website security programs. Mr. Ford also spearheads WhiteHat's participation in the PCI Standards Council and assists customers in selecting WhiteHat services for compliance with the PCI Data Security Standard. In addition, Mr. Ford is a frequent speaker at industry events. Prior to WhiteHat, he was the Compliance Practice Lead at FishNet Security, an information security services provider based in Kansas City. Mr. Ford also founded and operated, Eclectix, a technology consultancy. He is a certified information system security professional (CISSP), a Microsoft Certified Systems Engineer, a Cisco Certified Networking Associate (CCNA), and a Payment Card Industry Qualified Data Security Professional.

---

Meetings June 18th 2008

Location: The next chapter meeting will be held on June 18th June at D&T, 4-179B, 121 King Street West, Toronto.

Date/Time: June 18th 2008, 6:00-7:30 PM EST

Description: Testing for certain web application vulnerabilities is tedious and time-consuming, and when combined with time constraints, full testing coverage is often not achieved. ExploitMe is a series of Open Source Firefox plugins released by Security Compass for this purpose - automated detection of XSS, SQL Injection, and access control (including the recently released HTTP verb tampering) vulnerabilities.

In this presentation Tom Aratyn and Sahba Kazerooni of Security Compass will demonstrate how the Exploit-Me series of tools can be used during penetration testing to find security vulnerabilities in real web applications.

Presenters: Tom Aratyn (Developer ExploitMe Series), Sahba Kazerooni (Security Consultant, Security Compass) [[Link title]]

---

May 13th 2008 Meeting
The next chapter meeting will be held on May 13th at a Different Location Delta Meadowvale Resort & Conference Center, 6750 Mississauga Road, Mississauga, ON CA, Phone: 905-821-1981 Directions to the meetings

Topic: A Distributed Web Application Honeypot

Date/Time: May 13th 2008, 6:00-7:00 PM EST

Description: DShield.org has been extremely helpful in understanding network based attacks. However, over the last few years many interesting attacks target specific web application flaws which are not detected by DShield's sensor system. Collecting similar data for web applications has been challenging for a number of reasons. First of all, the data needed to understand a web application attack is much richer and a simple efficient data model as the one used by DShield will not provide sufficient details. If more detailed data, like complete requests, are collected, data privacy issues become more of a problem. Simple obfuscation or pattern replacement techniques are usually not sufficient to safeguard this information, or they will make it impossible to understand the attack. Lastly, many web application attacks use search engines to find vulnerable systems, instead of just attacking random servers. Over the next few months we plan to roll out a distributed web application honeypot. We will describe how this honeypot will be implemented to address these issues.

Speaker BIO: Dr. Johannes Ullrich SANS Institute As Chief Research Officer for the SANS Institute, Johannes is currently responsible for the SANS Internet Storm Center (ISC) and the GIAC Gold program. He founded DShield.org in 2000, which is now the data collection engine behind the ISC. His work with the ISC has been widely recognized, and in 2004, Network World named him one of the 50 most powerful people in the networking industry. Prior to working for SANS, Johannes worked as a lead support engineer for a web development company and as a research physicist. Johannes holds a Ph.D. in Physics from SUNY Albany and is located in Jacksonville FL.

OWASP Toronto chapter meetings are open to the public RSVP is requested by sending an email

---

22nd January 2008 Meeting

The next chapter meeting will be held on Jan 22nd at 20the floor, 79 Wellington Street West, Toronto, ON M5K 1B9 . Directions to the meetings

Topic: Modern Trends in Network Fingerprinting


Description:

Speaker BIO: Jay Graver and Ryan Poppa are Lead Engineers at nCircle Network Security. They specialize in interrogating Applications and Services over the network. Their years of experience have been focused on the non invasive detection of vulnerabilities.

Current Areas of research include; HTTP server analysis, graph theory, SSL library fingerprinting and unobfuscation techniques.

Based in Toronto Ontario, they hold degrees from University of Guelph and the University of Waterloo. You can find their latest posts at blog.glaciertech.ca & numerophobe.com

The past presentations are available for download from here. If you have any comments on the presentations please send them to us.

Security Monitoring with Azure App Gateway, Log Analytics and Azure Sentinel by Roy Kim, August 2019

Export to RCE by Adam Greenhill, July 2019

De-identification by Erik Service, April 2019 [1][2][3][4]

In Root we trust (no this is not a DNS talk) by Pavan Chander and Lisa Bui, February 2019

Back to the Future of Application Security: Developing Secure Smart Contracts by Jamie Baxter, January 2019

Web Application Penetration Testing by Frank Coburn and Haris Mahboob, December 2018

How to stop worrying about Application Container Security (v2) by Brian Andrzejewski, June 2018

CISO's 90 Day Plan by Nelson Chen, April 2018

Hi, I am X. How do I get into AppSec / Security? by OWASP Toronto, January 2018

Swiss cheese security, or the real challenges faced by internet facing companies by Enrico Branca, October 2017

Cloud Security & Best Practice in AWS by Ankit Giri, August 2017

The Node.js Highway: Attacks Are At Full Throttle by Susan St. Clair, May 2017

OWASP Overview & Intro to OWASP Projects by Yuk Fai Chan, March 2017

Basic Web Application Testing Methodology by Nish Bhalla Security Compass

Basic Web Services Security by Rohit Sethi Security Compass

Authentication Security by Hui Zhu

Identity Management Basics by Derek Browne

Business Logic Flaws by Trey Ford

A Laugh RIAt – Rich Internet Application Security by Rafal M. Los

Will you be PCI DSS Compliant by September 2010? by Michael D'Sa

Mobile Security for the Forgetful by Max Veytsman, Security Compass, May 2011

Application Security ISO by Tak Chijiwa, Security Compass, May 2012

NFC Threat Landscape by Geoff Vaughan, Security Compass, March 2013

Security Code Review by Sherif Koussa, OWASP Ottawa Chapter Leader, May 2013

OWASP: Beyond the Top 10 by Andre Rochefort, TELUS, July 2013

Heartbleed by Ben Sapiro, April 2014

DDoS Attacks and Mitigation in Cloud Environments by Mark Shtern, July 2014

What's Hiding in Your Software Components? Hidden Risks of Component-Based Software Development – Seeing the Forest Through the Trees by Ryan Berg, Sonatype, September 2014