
Difference between revisions of "OWASP Portland 2016 Training Day"

Diff between the previous revision (edit summary: "Sponsors") and this revision (edit summary: "Courses"). Lines marked "-" were removed, lines marked "+" were added, unmarked lines are unchanged context.

Line 2 (both revisions):
    =Courses=
  - Four courses will be offered in 2 separate tracks.  A full schedule has yet to be determined, but the courses offered will likely be as follows:
  + Courses are held in two tracks: two in the morning session, and two in the afternoon session. Each student can register for one morning course, or one afternoon course, or one of each. The four courses offered are as follows:
  - ==Applied Physical Attacks on Embedded Systems, Introductory Version==
  + == Morning Session ==
  + ===Cyber Hygiene - Critical Security Controls===
  + '''Instructor: Brian Ventura'''
  + (course description, moved here unchanged from its former place after the Fuzzing course)
  + ===Introduction to Injection Vulnerabilities===
  + '''Instructor: Timothy D. Morgan'''
  + (course description, moved here unchanged from its former place after the Embedded Systems course)
  + == Afternoon Session ==
  + ===Applied Physical Attacks on Embedded Systems, Introductory Version===
    '''Instructor: Joe Fitzpatrick'''

Line 14 (previous revision) / Line 28 (this revision):
    interface to potentially access a root shell on the target.
  - ==Introduction to Injection Vulnerabilities==
  - '''Instructor: Timothy D. Morgan'''
  - (course description, moved to the Morning Session)
  - ==Fuzzing: Introduction & Practice==
  + ===Fuzzing: Introduction & Practice===
    '''Instructor: Adam Russell'''

Line 29 (previous revision) / Line 39 (this revision):
    fuzzing tools. This training will equip participants with the necessary
    skills and knowledge to conduct basic fuzzing of products.
  - ==Cyber Hygiene - Critical Security Controls==
  - '''Instructor: Brian Ventura'''
  - (course description, moved to the Morning Session)
    =Sponsors=

Revision as of 15:53, 30 September 2016

This year the Portland OWASP chapter is hosting a training day. This will be an excellent opportunity for students to receive quality information security and application security training for next to nothing. It will also be a great chance to network with the local infosec community.

Courses

Courses are held in two tracks: two in the morning session, and two in the afternoon session. Each student can register for one morning course, or one afternoon course, or one of each. The four courses offered are as follows:

Morning Session

Cyber Hygiene - Critical Security Controls

Instructor: Brian Ventura

With so many types of network attacks and so many tools/solutions to combat these attacks, which should I implement first? Which should I buy? Can I build it myself? The CIS Critical Security Controls are a prioritized approach to ensuring information security. As a general risk assessment, the Critical Security Controls address the past, current and expected attacks occurring across the Internet. In this course we will outline the controls, discuss implementation and testing, and provide examples.


Introduction to Injection Vulnerabilities

Instructor: Timothy D. Morgan

Ever concatenated strings in your code? Did those strings include any kind of structured syntax? Then your code might be vulnerable to injection. Injection flaws are a broad, common category of vulnerability in modern software. While many developers are aware of high-profile technical issues, such as SQL injection, any number of injection vulnerabilities are possible in other languages, protocols, and syntaxes. Upon studying these flaws in many contexts, an underlying "theory of injection" emerges. This simple concept can be applied to many situations (including new technologies and those yet to be invented) to help developers avoid the most common types of implementation vulnerabilities. The reason why "injection" is #1 on the OWASP Top 10 will become very clear by the end of this class. This course will provide students with a detailed introduction to injection vulnerabilities and then get students busy with hands-on exercises where a variety of different injection flaws can be explored and understood in real-world contexts.
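The "theory of injection" the course description refers to, shown as an added example that is not part of the original page or of the course material: the same defect appears in two unrelated syntaxes as soon as a value is concatenated into them, and the same fix (hand the data to the syntax's own parameter or encoding mechanism, never to its text) removes it in both. The in-memory SQLite database, the "key=value" record format and all inputs are constructed for this example; a legitimate name containing an apostrophe is enough to show that the concatenated SQL version hands user data to the parser.

```python
import json
import sqlite3

# Case 1: SQL. The table and rows are constructed for this example.
def build_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, role TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "admin"), ("o'brien", "user")])
    return conn

def lookup_concat(conn, name):
    """Vulnerable pattern: the value is glued into the SQL text, so any quote
    character inside it is tokenized as SQL syntax rather than as data."""
    query = "SELECT role FROM users WHERE name = '" + name + "'"
    return [row[0] for row in conn.execute(query)]

def lookup_param(conn, name):
    """Fixed pattern: the value is bound as a parameter; the database never
    parses it as part of the statement, whatever characters it contains."""
    rows = conn.execute("SELECT role FROM users WHERE name = ?", (name,))
    return [row[0] for row in rows]

def sql_demo(name="o'brien"):
    """Return (concatenated result, parameterized result) for one lookup."""
    conn = build_db()
    try:
        concat = lookup_concat(conn, name)
    except sqlite3.OperationalError as exc:
        # The apostrophe in the data terminated the SQL string literal early.
        concat = "SQL syntax error: " + str(exc)
    return concat, lookup_param(conn, name)

# Case 2: a constructed line-based record format, one "key=value" per line.
# Different syntax, same defect: the delimiter (newline) travels inside data.
def record_concat(name, role):
    """Vulnerable: values are concatenated straight into the record syntax."""
    return "role=" + role + "\nname=" + name + "\n"

def record_encoded(name, role):
    """Fixed: each value is serialized with an encoder (JSON string literals
    here) that escapes the format's own delimiters before it enters the syntax."""
    return "role=" + json.dumps(role) + "\nname=" + json.dumps(name) + "\n"

def parse_record(text, decode=False):
    """Parse one record into a dict. A later key overwrites an earlier one, as
    many real parsers do; with decode=True, values are JSON string literals."""
    fields = {}
    for line in text.splitlines():
        if line:
            key, _, value = line.partition("=")
            fields[key] = json.loads(value) if decode else value
    return fields

def record_demo(name="mallory\nrole=admin", role="user"):
    """Return (parsed concatenated record, parsed encoded record) for a name
    that happens to contain the format's line delimiter: the concatenated
    record grows a second "role" field, the encoded one keeps the name intact."""
    vulnerable = parse_record(record_concat(name, role))
    fixed = parse_record(record_encoded(name, role), decode=True)
    return vulnerable, fixed

if __name__ == "__main__":
    print(sql_demo())
    print(record_demo())
```

Both fixed versions share one property: the boundary between syntax and data is enforced by the component that understands the syntax (the database driver, the JSON encoder), not by the code that assembles the string. Escaping by hand per call site is what the concatenating versions try to skip, and it is the step that gets forgotten in every new syntax.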

Afternoon Session

Applied Physical Attacks on Embedded Systems, Introductory Version

Instructor: Joe Fitzpatrick

This workshop introduces several different relatively accessible interfaces on embedded systems. Attendees will get hands-on experience with UART, SPI, and JTAG interfaces on a MIPS-based wifi router. After a brief architectural overview of each interface, hands-on labs will guide attendees through the process of understanding, observing, interacting with, and exploiting the interface to potentially access a root shell on the target.


Fuzzing: Introduction & Practice

Instructor: Adam Russell

The training starts with the theory of fuzzing. No prior knowledge is assumed. Each fuzzing topic and technique utilizes interesting case studies and scenarios to highlight the use cases of fuzzing and their practicality. The training utilizes practical sessions (e.g. fuzzing image formats, web application data flow, etc.) to gain hands-on experience with fuzzing tools. This training will equip participants with the necessary skills and knowledge to conduct basic fuzzing of products.

Sponsors

Interested in becoming a sponsor? Please contact: tim DOT morgan AT owasp.org

Mixer Sponsors

None Yet!

Training Session Sponsors

New Relic


Morning Refreshments Sponsors

GitHub

PNSQC


General Sponsors

Simple

Summit

GitHub

Details

The training day will be held on Wednesday, November 2 in PSU's Smith Memorial Student Union Building at 1825 SW Broadway, Portland, OR 97201. Later in the evening, a social mixer will also be held at TODO.

Schedule

Time                 Activity
8:00 AM - 9:00 AM    Morning Registration
9:00 AM - 12:00 PM   Room TBD: Introduction to Injection Vulnerabilities
                     Room TBD: Cyber Hygiene - Critical Security Controls
12:00 PM - 1:30 PM   Lunch on your own - Meet a new friend and grab a bite!
1:00 PM - 1:30 PM    Afternoon Registration (for those attending only in the afternoon)
1:30 PM - 5:00 PM    Room TBD: Applied Physical Attacks on Embedded Systems
                     Room TBD: Fuzzing: Introduction & Practice
6:00 PM - 7:30 PM    Evening Mixer

How to Register

TODO