
OWASP Portland 2017 Training Day

Revision as of 16:15, 1 September 2017 by Imelven (talk | contribs) (Schedule)


Once again this year the Portland OWASP chapter is hosting an information security training day! This will be an excellent opportunity for those interested to receive quality information security and application security training for next to nothing. It's also a great chance to network with the local infosec community and meet those who share your interests.

Courses

Courses are held in two sessions, with three parallel tracks in each: three courses in the morning session and three in the afternoon session. Each participant can register for one morning course, one afternoon course, or one of each. The six courses offered are as follows:

Morning Session 8:30 AM - Noon

Client-side Security for Modern Web Applications (SOP, XSS, CSRF, CSP, etc)

Instructor: Timothy Morgan
Assistant: TBD

Abstract: This course introduces the student to key concepts of browser security, such as the same-origin policy, and continues with a series of web-specific vulnerability classes, including: cross-site scripting, cross-site request forgery, clickjacking, and JSON hijacking. The course finishes up by covering new security mechanisms and standards, including cross-origin resource sharing (CORS) and content security policy (CSP).

Cyber Security Framework

Instructor: James Trumper
Assistant: TBD

Abstract: Are you looking for a place to start addressing your information security posture, how to understand current maturity and plan future enhancements and budget? Have you been tasked with complying or using an information security framework? The CyberSecurity Framework (CSF) is a comprehensive information security framework developed by NIST (the National Institute of Standards and Technology). Although the framework is required for many federal agencies and used by State and local agencies, it is also recommended for use by non-governmental organizations including small to medium businesses. In this course, we will review the framework's structure and components, going into details around specific requirements as well as references to NIST 800-53. Once we have a good foundation around the CSF categories and sub-categories, we will transition into how we can manage our efforts to this framework. The course provides a creative-commons management tool to track current controls, maturity, existing budget, plan for future control enhancement projects, and future budget requests. The tool is both an internal tracking tool as well as a presentation layer to various teams and management based on their need-to-know.

Securing Your AWS Environment

Instructor: Derek Hill
Assistant: TBD

Abstract: Are you looking to move your infrastructure into the cloud, but are worried about how to secure it? Are you ready to let go of all of your physical infrastructure? You are not alone in this journey. The cloud does not have to be a scary unknown black hole. Sure, things are certainly different, and not everything that you used to do in your own infrastructure is easily repeatable in the cloud; however, there are many benefits. Things are different, but many things are the same. We will discuss how to secure your cloud environment using both AWS tools and third-party tools, including some custom applications that allow you to see what you have and how you need to secure it. We are successfully managing over 120 AWS accounts with approximately 3000 instances and many other AWS services. This class does not have any labs (due to the short duration). We will have some demos of how we accomplish certain tasks. We hope that you can take away some ideas on how to solve some of your current security problems and gain the confidence that security in the cloud can be achieved.

Afternoon Session: 1:30 PM - 5:00 PM

Burp and ZAP: Introduction into web intercept/scanning tools

Instructor: Alexei Kojenov
Assistant: TBD

Abstract: The participants will learn how browsers communicate with web application back ends and how specialized tools such as Burp Suite and OWASP ZAP can be used to intercept, analyze and modify these communications to assess the application's security posture and, ultimately, to find and exploit vulnerabilities. We will discuss and try both passive and active attacks while diving deeper into each tool's functionality. We will talk about how to use the available features efficiently, as well as ways to automate manual tasks. The participants will be able to practice the learned skills immediately during the class, and then apply them in their work environments. Prerequisites: A laptop (any OS) with Firefox or Chrome and Oracle VirtualBox (participants will be given a virtual machine with an intentionally vulnerable web application for practice).

Applied Physical Attacks on Embedded Systems, Introductory Version

Instructor: Joe Fitzpatrick
Assistant: TBD

Abstract: This workshop introduces several relatively accessible interfaces on embedded systems. Attendees will get hands-on experience with UART, SPI, and JTAG interfaces on a MIPS-based wifi router. After a brief architectural overview of each interface, hands-on labs will guide attendees through the process of understanding, observing, interacting with, and exploiting the interface to potentially access a root shell on the target.

Cyber First-Aid: Introduction to Incident Response

Instructor: Kris Rosenberg
Assistant: TBD

Abstract: In today's world it is not a question of "if" you will get hacked, but "when". More importantly, what are you going to do about it? When an incident occurs you need to be prepared to respond quickly to minimize losses and collect any potential evidence that could be used for a more detailed analysis of the incident. Much like a typical first aid course that prepares first responders to give the immediate care needed to sustain life, this session is designed to give those who are typically first on the scene of a cybersecurity event the skills they need to effectively identify and contain the incident, and to preserve potentially valuable evidence for further forensic analysis.

Sponsors

We are finalizing our sponsors for this year's training day. It's not too late to sponsor! If interested, please contact ian DOT melven@owasp DOT org

Details

The training day will be held on Wednesday, October 4 at:

PSU - Smith Memorial Student Union Building
1825 SW Broadway
Portland, OR 97201

Later in the evening, a social mixer will also be held at Rogue Hall, just a short walk away:

1717 Southwest Park Ave.
Portland, OR 97201

Schedule

Time                 Activity
8:00 AM - 9:00 AM    Morning Registration (Near Room 298)
9:00 AM - 12:00 PM   Room TBD: Client-side Security for Modern Web Applications (SOP, XSS, CSRF, CSP, etc)
                     Room TBD: Cyber Security Framework
                     Room TBD: Securing Your AWS Environment
12:00 PM - 1:30 PM   Lunch on your own - Meet a new friend and grab a bite!
1:00 PM - 1:30 PM    Afternoon Registration (for those attending only in the afternoon)
1:30 PM - 5:00 PM    Room TBD: Burp and ZAP: Introduction into web intercept/scanning tools
                     Room TBD: Applied Physical Attacks on Embedded Systems, Introductory Version
                     Room TBD: Cyber First-Aid: Introduction to Incident Response
6:00 PM - 7:30 PM    Evening Mixer @ Rogue Hall

Lunch Ideas

There are a large number of restaurants nearby, but in case you're having trouble deciding (or your phone battery died), here are some possibilities:

  • Baan-Thai Restaurant, 1924 SW Broadway
  • Hotlips Pizza, 1909 SW 6th Ave
  • Laughing Planet Cafe, 1720 SW 4th Ave
  • Love Belizean, 1503 SW Broadway
  • McMenamins Market Street Pub, 1526 SW 10th Ave
  • There is also a block of food carts on SW 4th Ave between Hall St & College St.
How to Register

Registration information is coming soon! Follow @PortlandOWASP on Twitter for updates!