OWASP Portland 2016 Training Day
Latest revision as of 02:20, 2 November 2016
This year the Portland OWASP chapter is hosting a training day. This will be an excellent opportunity for students to receive quality information security and application security training for next to nothing. It will also be a great chance to network with the local infosec community.
Courses
Courses are held in two tracks: two in the morning session, and two in the afternoon session. Each student can register for one morning course, or one afternoon course, or one of each. The four courses offered are as follows:
Morning Session
Cyber Hygiene - Critical Security Controls
Instructor: Brian Ventura
Assistant: Anthony Gold
With so many types of network attacks and so many tools/solutions to combat these attacks, which should I implement first? Which should I buy? Can I build it myself? The CIS Critical Security Controls are a prioritized approach to ensuring information security. As a general risk assessment, the Critical Security Controls address the past, current and expected attacks occurring across the Internet. In this course we will outline the controls, discuss implementation and testing, and provide examples.
Introduction to Injection Vulnerabilities
Instructor: Timothy D. Morgan
Assistant: Bhushan Gupta
Sponsored by New Relic
Ever concatenated strings in your code? Did those strings include any kind of structured syntax? Then your code might be vulnerable to injection. Injection flaws are a broad, common category of vulnerability in modern software. While many developers are aware of high-profile technical issues, such as SQL injection, any number of injection vulnerabilities are possible in other languages, protocols, and syntaxes. Upon studying these flaws in many contexts, an underlying "theory of injection" emerges. This simple concept can be applied to many situations (including new technologies and those yet to be invented) to help developers avoid the most common types of implementation vulnerabilities. The reason why "injection" is #1 on the OWASP Top 10 will become very clear by the end of this class. This course will provide students with a detailed introduction to injection vulnerabilities and then get students busy with hands-on exercises where a variety of different injection flaws can be explored and understood in real-world contexts.
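As an added illustration of the "concatenated strings plus structured syntax" point above (example code written for this page, not part of the original page or the course material), the same flaw is shown in two syntaxes, SQL and a shell command line, beside the hardened form of each; the table rows and the inputs are constructed for the demo.

```python
import shlex
import sqlite3

def make_db():
    # Constructed in-memory sample data, not taken from the page.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, role TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "admin"), ("bob", "user")])
    return conn

def lookup_concat(conn, name):
    # Vulnerable: the caller's string is spliced into the SQL text, so
    # any quote or keyword it contains is parsed as part of the query.
    sql = "SELECT name FROM users WHERE name = '" + name + "'"
    return [row[0] for row in conn.execute(sql)]

def lookup_param(conn, name):
    # Hardened: the value travels separately from the query text, so the
    # driver never interprets it as SQL syntax.
    sql = "SELECT name FROM users WHERE name = ?"
    return [row[0] for row in conn.execute(sql, (name,))]

def argv_concat(filename):
    # Same flaw, different syntax: a filename spliced into a command line
    # that a shell would later tokenize. shlex.split only tokenizes here;
    # a real shell would additionally treat ';' as a command separator.
    return shlex.split("cat " + filename)

def argv_quoted(filename):
    # Hardened: quoting keeps the whole value inside one argument token.
    return shlex.split("cat " + shlex.quote(filename))

def demo():
    conn = make_db()
    hostile_name = "x' OR 'a'='a"   # constructed input with SQL metacharacters
    hostile_file = "notes.txt; id"  # constructed input with a shell metacharacter
    return {
        "sql_concat": lookup_concat(conn, hostile_name),  # every row comes back
        "sql_param": lookup_param(conn, hostile_name),    # no such user: []
        "argv_concat": argv_concat(hostile_file),         # 3 tokens, not 2
        "argv_quoted": argv_quoted(hostile_file),         # 2 tokens
    }

if __name__ == "__main__":
    for label, result in demo().items():
        print(label, result)
```

The structural test is the same in both cases: does the untrusted value change how the consumer parses the surrounding syntax, or does it stay plain data?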
Afternoon Session
Applied Physical Attacks on Embedded Systems, Introductory Version
Instructor: Joe Fitzpatrick
Assistant: Scott Davis
This workshop introduces several different, relatively accessible interfaces on embedded systems. Attendees will get hands-on experience with UART, SPI, and JTAG interfaces on a MIPS-based wifi router. After a brief architectural overview of each interface, hands-on labs will guide students through the process of understanding, observing, interacting with, and exploiting the interface to potentially access a root shell on the target.
Communications Security in Modern Software
Instructor: Adam Russell
Assistant: Sonny
Sponsored by OHSU School of Medicine
Securing communications over untrusted networks is a critical component of any modern application's security. However, far too often developers and operations personnel become tripped up by the many pitfalls of implementation in this area, which often leads to complete failures to secure data on the wire. In this course we discuss how attackers can gain access to other users' communication through a variety of techniques and cover the strategies for preventing this. The course covers specific topics ranging from the SSL/TLS certificate authority system, to secure web session management and mobile communications security. A hands-on exercise is included in the course which helps students empirically test SSL/TLS certificate validation in a realistic scenario.
Sponsors
The following sponsors have made this event possible.
Interested in becoming a sponsor? Please contact: tim DOT morgan AT owasp.org
Mixer Sponsors
GitHub (https://github.com/)
Training Session Sponsors
New Relic (https://newrelic.com/) and OHSU School of Medicine (https://www.ohsu.edu/xd/education/schools/school-of-medicine/)
Morning Refreshments Sponsors
PNSQC (http://pnsqc.org/)
General Sponsors
Simple (https://simple.com/) and Summit (http://summitinfosec.com/)
Details
The training day will be held on Wednesday, November 2 at:
PSU - Smith Memorial Student Union Building, 1825 SW Broadway, Portland, OR 97201
Later in the evening, a social mixer will also be held at Rogue Hall, just a short walk away:
1717 Southwest Park Ave., Portland, OR 97201
Schedule
| Time | Activity | |
|---|---|---|
| 8:00 AM - 9:00 AM | Morning Registration (Near Room 298) | |
| 9:00 AM - 12:00 PM | Room 298: Cyber Hygiene - Critical Security Controls | Room 333: Introduction to Injection Vulnerabilities |
| 12:00 PM - 1:30 PM | Lunch on your own - Meet a new friend and grab a bite! | |
| 1:00 PM - 1:30 PM | Afternoon Registration (for those attending only in the afternoon) | |
| 1:30 PM - 5:00 PM | Room 298: Applied Physical Attacks on Embedded Systems | Room 333: Communications Security in Modern Software |
| 6:00 PM - 7:30 PM | Evening Mixer @ Rogue Hall | |
Lunch Ideas
There are a large number of restaurants nearby, but in case you're having trouble deciding (or your phone battery died), here are some possibilities:
- Baan-Thai Restaurant, 1924 SW Broadway
- Hotlips Pizza, 1909 SW 6th Ave
- Laughing Planet Cafe, 1720 SW 4th Ave
- Love Belizean, 1503 SW Broadway
- McMenamins Market Street Pub, 1526 SW 10th Ave
- There is also a block of food carts on SW 4th Ave between Hall St & College St.
How to Register
Please visit the registration page here to sign up: https://owasp-portland-training-2016.eventbrite.com/
All classes are completely sold out. :-\
Most of our seats sold out within 48 hours. Something to keep in mind next time we hold one of these events!