
Difference between revisions of "OWASP Portland 2019 Training Day"

(2019 Sponsors)
Line 8: Line 8:
  
 
=Courses=
 
=Courses=
Courses will be held in two tracks: four in the morning session, and four in the afternoon session. Each participant can register for one morning course, one afternoon course, or one of each.  
+
Courses will be held in two tracks: four in the morning session, and four in the afternoon session. Each participant can register for one morning course, one afternoon course, or one of each.  
  
== All Day Session ==
+
== Morning Session 8:30 AM - Noon ==
  
=== OWASP Top 10 / Juice Shop Hack Session (all day) ===
+
=== AWS API Threat Modeling and Automated Testing ===
  
<span style="color:red">This course is subject to change from a full day course to either a morning or afternoon session - TBD</span>
+
''Instructor: Kendra Ash''
  
''Instructor: David Quisenberry (ALL DAY SESSION)''
+
Abstract: If you are a software, DevOps, QA or security engineer and want to learn how to threat model API's in AWS this course is for you. This course will cover the what, why, when, and how of threat modeling applications in your organization. The bulk of this course will be based on the book Threat Modeling by Adam Shostack and will leverage a variant of the Escalation of Privileges card game. Also, I will dive into the approach I have used to gain adoption from engineering teams as a security engineer.
 +
After gaining an understanding of threat modeling, we will dive into how we can automate security checks for an AWS environment — leveraging the AWS CLI tool to provide quick engineering feedback on ways to improve the security of their infrastructure.
  
Abstract: This session is meant for those new to OWASP Top Ten. We will go over the OWASP Top Ten - where it came from, what it’s good for, what are the top ten, etc. And illustrate the concepts in the OWASP Top Ten through another OWASP Flagship Project - The OWASP Juice Shop. This will be a hands on class so everyone can follow along in the Juice Shop to explore the concepts. There will be time at the end for everyone to continue on their vulnerability hunting and a friendly Juice Shop CTF.
+
Bio: Kendra Ash (@securelykash) is an information security engineer at Vacasa, actively building a security team and program by leveraging guidance from her network and industry standards.
  
Bio: David Quisenberry (@dmqpdx16) is a backend developer and security champion with Daylight Studio, a local Portland boutique web agency. He serves on the Portland OWASP board as Outreach/Events coordinator and does what he can to up the involvement of established and emerging software developers in security conversations. 
+
=== Applied Physical Attacks on Embedded Systems, Introductory Version ===
  
Prerequisites: Laptop capable of running docker and burpsuite.
+
''Instructor: Joe FitzPatrick''
  
== Morning Session 8:30 AM - Noon ==
+
Abstract: This workshop introduces several different relatively accessible interfaces on embedded systems. Attendees will get hands-on experience with UART, SPI, and JTAG interfaces on a MIPS-based wifi router. After a brief architectural overview of each interface, hands-on labs will guide through the process understanding, observing, interacting with, and exploiting the interface to potentially access a root shell on the target.
  
=== Android Apps Hands-On ===
+
=== Security Tools and Jenkins Pipeline ===
  
''Instructor: Alexei Kojenov''
+
''Instructor: Sneha Kokil''
  
Abstract: Mobile apps are released and updated with the speed of light (or faster??), and there is an app for every purpose. Naturally, one may wonder if these apps are secure, and if not, what can be done to improve them. But first, one must understand the common mobile app security considerations and vulnerabilities, and how an attacker would discover and exploit them. In this workshop, we’ll talk about the most common Android application vulnerabilities, and learn the ways to reverse engineer and pentest Android apps. Note: We’ll focus primarily on applications rather than the platform, and won’t go into debates like “Android vs. iOS” :) Also, you do not need to own an Android device in order to participate, as we’ll be using software emulation for our exercises.
+
Abstract: Modern application development embeds security activities in SDLC, while adopting DevSecOps culture. Security tools are being viewed in the context of continuous integration and automation, which are the key factors in achieving a successful DevSecOps implementation. Integrating security tools in the CI/CD pipelines has become a primary focus of most of the organizations, who are striving to build application security from within. This workshop focuses on getting a good understanding of how some of the open source security tools can be integrated in Jenkins CI/CD pipeline for languages such as Go and Java, along with application container scanning solutions. The workshop will be a hands-on experience, where the participants will write their own pipeline code for integrating security tools. The key takeaways from this workshop will help participants experience how security tooling fits into CI/CD pipelines. It will also help them appreciate the real-world challenges and possible solutions, when integrating security in existing SDLC.
  
Bio: Alexei Kojenov (@kojenov) is a Senior Product Security Engineer with years of prior software development experience. During his programming days at a large technology company, he gradually moved from writing code to breaking code, which he enjoyed a lot! Alexei then decided to go work for an application security consulting company, helping big and small businesses identify and fix security vulnerabilities and design secure applications. Currently, he is part of Salesforce’s product security team, helping to deliver on Salesforce's #1 value: Trust.
+
Bio: Sneha Kokil is a senior security consultant at Synopsys. With a master's degree in information security from Northeastern University, along with several years of development and security experience, she specializes in integrating software security toolchains within SDLC processes. She is immensely passionate about DevSecOps and how it helps building security in. Outside of work, she is an avid biography and science fiction reader, a swimmer, and a mother to a wonderful daughter.
  
Prerequisites: A laptop with Windows, MacOS, or Linux, and virtualization support.
+
=== OWASP Top 10 / Juice Shop Hack Session ===
  
=== AWS API Threat Modeling and Automated Testing ===
+
''Instructor: David Quisenberry''
  
''Instructor: Kendra Ash''
+
Abstract: This session is meant for those new to OWASP Top Ten. We will go over the OWASP Top Ten - where it came from, what it’s good for, what are the top ten, etc. And illustrate the concepts in the OWASP Top Ten through another OWASP Flagship Project - The OWASP Juice Shop. This will be a hands on class so everyone can follow along in the Juice Shop to explore the concepts. There will be time at the end for everyone to continue on their vulnerability hunting and a friendly Juice Shop CTF.
  
Abstract: If you are a software, DevOps, QA or security engineer and want to learn how to threat model API's in AWS this course is for you. This course will cover the what, why, when, and how of threat modeling applications in your organization. The bulk of this course will be based on the book Threat Modeling by Adam Shostack and will leverage a variant of the Escalation of Privileges card game. Also, I will dive into the approach I have used to gain adoption from engineering teams as a security engineer.
+
Bio: David Quisenberry (@dmqpdx16) is a backend developer and security champion with Daylight Studio, a local Portland boutique web agency. He serves on the Portland OWASP board as Outreach/Events coordinator and does what he can to up the involvement of established and emerging software developers in security conversations.  
After gaining an understanding of threat modeling, we will dive into how we can automate security checks for an AWS environment — leveraging the AWS CLI tool to provide quick engineering feedback on ways to improve the security of their infrastructure.
 
  
Bio: Kendra Ash (@securelykash) is an information security engineer at Vacasa, actively building a security team and program by leveraging guidance from her network and industry standards.
+
Prerequisites: Laptop capable of running docker and burpsuite.
  
Prerequisites: TBD
 
  
 
== Afternoon Session: 1:30 PM - 5:00 PM ==
 
== Afternoon Session: 1:30 PM - 5:00 PM ==
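Review bot: the new "Applied Physical Attacks on Embedded Systems, Introductory Version" entry has no Bio: or Prerequisites: line, while the three sibling morning courses in this hunk (AWS API Threat Modeling, Security Tools and Jenkins Pipeline, OWASP Top 10 / Juice Shop) each carry both; add them so attendees know what laptop or hardware setup the UART/SPI/JTAG labs need. Minor: the added abstract reads "hands-on labs will guide through the process understanding, observing, ..." and is missing "of" after "process".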
Line 74: Line 73:
 
* Basic experience with running docker containers
 
* Basic experience with running docker containers
 
* Laptop with docker for windows setup and tested
 
* Laptop with docker for windows setup and tested
 +
 +
=== Intro to Chrome Exploitation ===
 +
 +
''Instructor: Justin Angra''
 +
 +
Abstract: Over 3 billion browser devices are actively loading arbitrary data served by someone else. What happens if one of those pages contains maliciously crafted JavaScript? Could they capture your passwords, perform UXSS, or worse - execute local code on your machine? In this session, you will get the opportunity to explore the anatomy and play with common vulnerability patterns in the renderer process of Chrome. This will be an interactive class; please bring a laptop with Docker installed.
 +
 +
=== OWASP Amass: Discovering Your Exposure on the Internet ===
 +
 +
''Instructor: Jeff Foley ''
 +
 +
Abstract: Today, large organizations deal with the challenge of running their infrastructure across many networks and namespaces due to the use of cloud and hosting services, legacy environments and acquisitions. This can make it difficult to maintain visibility of Internet-facing assets and to track down systems that pose a risk to security. The OWASP Amass Project has developed a tool to help information security professionals perform network mapping of attack surfaces and perform external asset discovery. During this talk, the founder of the project will discuss how OWASP Amass uses OSINT, network reconnaissance, graph databases and information sharing to provide both attackers and defenders better visibility of target organizations.
 +
 +
Bio: Jeff Foley is the Founder and Project Leader of the OWASP Amass project. Mr. Foley has nearly 20 years of experience as an innovator for research & development, software engineering and red team activities in information security. He is a results-driven technical leader known for delivering game-changing research findings to overcome real-world challenges. Jeff serves as the Manager for Vulnerability Engineering at National Grid and is the CTO & Co-founder of ClaritySec, an Upstate New York based information security startup. Prior to this, he was the Director of Research for the Cyber Systems, Weapon Systems & Sensors Operation at Alion Science & Technology. While serving at Northrop Grumman, Jeff built and led the internal penetration testing team and was the program manager for offensive security research & development. Mr. Foley also shares his expertise and experience by supporting several local university information security programs and participating in information security competitions, such as the SUNY Polytechnic Institute Cybersecurity Advisory Board, Mohawk Valley Community College Computer Science Advisory Board and the CNY Hackathon Competition.
  
 
=2019 Sponsors=
 
=2019 Sponsors=
  
'''Interested in becoming a sponsor? Here is a document outlining the opportunities: [https://drive.google.com/file/d/0BydPdSuBlQ4scm1DRmlwMVNyUE11TzdxV1VoZ1lNRTdueTBv/view?usp=sharing Sponsorship-Doc]. Reach out to [email protected] to let us know.'''
+
'''Interested in becoming a sponsor? Here is a document outlining the opportunities: [https://drive.google.com/file/d/0BydPdSuBlQ4scm1DRmlwMVNyUE11TzdxV1VoZ1lNRTdueTBv/view?usp=sharing Sponsorship-Doc]. Reach out to [email protected] to let us know.'''
  
 
== 2018 Sponsors ==  
 
== 2018 Sponsors ==  
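Review bot: the new "Intro to Chrome Exploitation" entry states its laptop requirement only inside the abstract ("please bring a laptop with Docker installed") and has no Bio: line; the Container Security entry at the top of this hunk shows the page's convention of a separate Prerequisites: bullet list, so move the Docker requirement there and add a Bio. Style nit: ''Instructor: Jeff Foley '' carries a trailing space inside the italics markup.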
Line 102: Line 115:
  
 
=Details=
 
=Details=
OWASP Portland 2019 Training Day will be on September 25, 2019.
+
OWASP Portland 2019 Training Day will be on September 25, 2019.  
  
 
This year for the 2nd time, we'll be located at:
 
This year for the 2nd time, we'll be located at:
Line 124: Line 137:
 
|-
 
|-
 
| style="padding: 0.5em;" |8:30 AM - 12:00 PM
 
| style="padding: 0.5em;" |8:30 AM - 12:00 PM
| style="padding: 0.5em;" |OWASP Top 10 / Juice Shop Hack Session (ALL DAY) <br>(David Quisenberry)
 
| style="padding: 0.5em;" |Android Apps Hands-On <br>(Alexei Kojenov)
 
 
| style="padding: 0.5em;" |AWS API Threat Modeling and Automated Testing <br>(Kendra Ash)
 
| style="padding: 0.5em;" |AWS API Threat Modeling and Automated Testing <br>(Kendra Ash)
| style="padding: 0.5em;" |TBD <br>(TBD)
+
| style="padding: 0.5em;" |Applied Physical Attacks on Embedded Systems, Introductory Version <br>(Joe FitzPatrick)
 +
| style="padding: 0.5em;" |Security Tools and Jenkins Pipeline <br>(Sneha Kokil)
 +
| style="padding: 0.5em;" |OWASP Top 10 / Juice Shop Hack Session <br>(David Quisenberry)
 
|-
 
|-
 
| style="padding: 0.5em;" |12:00 PM - 1:30 PM
 
| style="padding: 0.5em;" |12:00 PM - 1:30 PM
Line 136: Line 149:
 
|-
 
|-
 
| style="padding: 0.5em;" |1:30 PM - 5:00 PM
 
| style="padding: 0.5em;" |1:30 PM - 5:00 PM
| style="padding: 0.5em;" |OWASP Top 10 / Juice Shop Hack Session (ALL DAY) <br>(David Quisenberry)
 
 
| style="padding: 0.5em;" |Advanced Application Security Testing <br>(Timothy Morgan)
 
| style="padding: 0.5em;" |Advanced Application Security Testing <br>(Timothy Morgan)
 
| style="padding: 0.5em;" |Container Security <br>(Alex Ivkin)
 
| style="padding: 0.5em;" |Container Security <br>(Alex Ivkin)
| style="padding: 0.5em;" |TBD <br>(TBD)
+
| style="padding: 0.5em;" |Intro to Chrome Exploitation <br>(Justin Angra)
 +
| style="padding: 0.5em;" |OWASP Amass: Discovering Your Exposure on the Internet <br>(Jeff Foley)
 
|-
 
|-
 
| style="padding: 0.5em;" |5:00 PM - 7:30 PM
 
| style="padding: 0.5em;" |5:00 PM - 7:30 PM

Revision as of 17:02, 30 July 2019

For the fourth year in a row, the Portland OWASP chapter is proud to host our information security training day! This will be an excellent opportunity for the local Portland security community to receive top-quality information security and application security training for prices far lower than normally offered. It's also a great chance to network with other local infosec and appsec enthusiasts and meet those who share your interests.

The 4th annual OWASP Portland Training Day will be held on September 25, 2019. See Details for more info.

General registration date will be announced soon.

Want to get news and information on our 2019 Training Day? Subscribe to the Portland OWASP mailing list or follow @PortlandOWASP on Twitter!

Courses

Courses will be held in two tracks: four in the morning session, and four in the afternoon session. Each participant can register for one morning course, one afternoon course, or one of each.

Morning Session 8:30 AM - Noon

AWS API Threat Modeling and Automated Testing

Instructor: Kendra Ash

Abstract: If you are a software, DevOps, QA or security engineer and want to learn how to threat model APIs in AWS, this course is for you. This course will cover the what, why, when, and how of threat modeling applications in your organization. The bulk of this course will be based on the book Threat Modeling by Adam Shostack and will leverage a variant of the Escalation of Privileges card game. Also, I will dive into the approach I have used to gain adoption from engineering teams as a security engineer. After gaining an understanding of threat modeling, we will dive into how we can automate security checks for an AWS environment — leveraging the AWS CLI tool to provide quick engineering feedback on ways to improve the security of their infrastructure.

Bio: Kendra Ash (@securelykash) is an information security engineer at Vacasa, actively building a security team and program by leveraging guidance from her network and industry standards.

Applied Physical Attacks on Embedded Systems, Introductory Version

Instructor: Joe FitzPatrick

Abstract: This workshop introduces several relatively accessible interfaces on embedded systems. Attendees will get hands-on experience with UART, SPI, and JTAG interfaces on a MIPS-based Wi-Fi router. After a brief architectural overview of each interface, hands-on labs will guide attendees through the process of understanding, observing, interacting with, and exploiting each interface to potentially access a root shell on the target.

Security Tools and Jenkins Pipeline

Instructor: Sneha Kokil

Abstract: Modern application development embeds security activities in the SDLC while adopting a DevSecOps culture. Security tools are being viewed in the context of continuous integration and automation, which are the key factors in achieving a successful DevSecOps implementation. Integrating security tools into CI/CD pipelines has become a primary focus of most organizations that are striving to build application security in from within. This workshop focuses on gaining a good understanding of how some open source security tools can be integrated into a Jenkins CI/CD pipeline for languages such as Go and Java, along with application container scanning solutions. The workshop will be a hands-on experience in which participants write their own pipeline code for integrating security tools. The key takeaways from this workshop will help participants experience how security tooling fits into CI/CD pipelines. It will also help them appreciate the real-world challenges and possible solutions when integrating security into an existing SDLC.

Bio: Sneha Kokil is a senior security consultant at Synopsys. With a master's degree in information security from Northeastern University, along with several years of development and security experience, she specializes in integrating software security toolchains within SDLC processes. She is immensely passionate about DevSecOps and how it helps build security in. Outside of work, she is an avid biography and science fiction reader, a swimmer, and a mother to a wonderful daughter.

OWASP Top 10 / Juice Shop Hack Session

Instructor: David Quisenberry

Abstract: This session is meant for those new to the OWASP Top Ten. We will go over the OWASP Top Ten - where it came from, what it's good for, what the top ten are, etc., and illustrate the concepts in the OWASP Top Ten through another OWASP Flagship Project, the OWASP Juice Shop. This will be a hands-on class so everyone can follow along in the Juice Shop to explore the concepts. There will be time at the end for everyone to continue their vulnerability hunting and a friendly Juice Shop CTF.

Bio: David Quisenberry (@dmqpdx16) is a backend developer and security champion with Daylight Studio, a local Portland boutique web agency. He serves on the Portland OWASP board as Outreach/Events coordinator and does what he can to up the involvement of established and emerging software developers in security conversations.

Prerequisites: Laptop capable of running Docker and Burp Suite.


Afternoon Session: 1:30 PM - 5:00 PM

Advanced Application Security Testing

Instructor: Timothy Morgan

Abstract: This course takes students beyond the most basic web application exploitation scenarios, focusing on advanced SQL injection, XML eXternal Entities (XXE) and server-side request forgery (SSRF) attacks. The course also covers out-of-band detection and exfiltration using DNS, a technique that has recently become popular among penetration testers.

Prerequisites: Students should be familiar with popular web application testing proxies such as Burp Proxy or OWASP ZAP. Some experience with basic SQL injection attacks is recommended.

Container Security

Instructor: Alex Ivkin

Abstract: "When it comes to container security there are two prevailing schools of thought - either containers are secure by default, so you should not care much, or containers cannot be secure in principle, so you should avoid them at all costs. In this training you will go through real-world examples of configuring and running containers in a secure manner. You will get insights into the security of both Windows and Linux containers and of container infrastructure such as container registries and orchestration platforms - Docker Swarm and Kubernetes. We will examine real-world vulnerabilities unique to different container architectures and how to address them.

Takeaways:

  1. Building and running Docker containers securely
  2. Avoiding common pitfalls in Docker infrastructure setup (dockerd, Docker registry)
  3. Navigating security in the container orchestration platforms (Docker Swarm, Kubernetes)"

Bio: Alex Ivkin (@alerxes) is a Director of Solutions at Eclypsium, a local Portland company, specializing in firmware, hardware and supply chain security. Alex has deep implementation experience in a long list of security domains, including cloud, application security and IAM. He co-authored the ISACA CSX Professional certification and is an alpine climber.

Prerequisites:

  • Mid- to advanced-level technical experience
  • Basic experience with running Docker containers
  • Laptop with Docker for Windows set up and tested

Intro to Chrome Exploitation

Instructor: Justin Angra

Abstract: Over 3 billion browser devices are actively loading arbitrary data served by someone else. What happens if one of those pages contains maliciously crafted JavaScript? Could they capture your passwords, perform UXSS, or worse - execute local code on your machine? In this session, you will get the opportunity to explore the anatomy and play with common vulnerability patterns in the renderer process of Chrome. This will be an interactive class; please bring a laptop with Docker installed.

OWASP Amass: Discovering Your Exposure on the Internet

Instructor: Jeff Foley

Abstract: Today, large organizations deal with the challenge of running their infrastructure across many networks and namespaces due to the use of cloud and hosting services, legacy environments and acquisitions. This can make it difficult to maintain visibility of Internet-facing assets and to track down systems that pose a risk to security. The OWASP Amass Project has developed a tool to help information security professionals perform network mapping of attack surfaces and perform external asset discovery. During this talk, the founder of the project will discuss how OWASP Amass uses OSINT, network reconnaissance, graph databases and information sharing to provide both attackers and defenders better visibility of target organizations.

Bio: Jeff Foley is the Founder and Project Leader of the OWASP Amass project. Mr. Foley has nearly 20 years of experience as an innovator in research & development, software engineering and red team activities in information security. He is a results-driven technical leader known for delivering game-changing research findings to overcome real-world challenges. Jeff serves as the Manager for Vulnerability Engineering at National Grid and is the CTO & Co-founder of ClaritySec, an Upstate New York-based information security startup. Prior to this, he was the Director of Research for the Cyber Systems, Weapon Systems & Sensors Operation at Alion Science & Technology. While serving at Northrop Grumman, Jeff built and led the internal penetration testing team and was the program manager for offensive security research & development. Mr. Foley also shares his expertise and experience by supporting several local university information security programs and participating in information security competitions, such as the SUNY Polytechnic Institute Cybersecurity Advisory Board, Mohawk Valley Community College Computer Science Advisory Board and the CNY Hackathon Competition.

2019 Sponsors

Interested in becoming a sponsor? Here is a document outlining the opportunities: Sponsorship-Doc. Reach out to [email protected] to let us know.

2018 Sponsors

Mixer Sponsors

[sponsor logo: GitHub]

Training Session Sponsors

[sponsor logos: New Relic, Summit, OCI, ForgeRock, Security Innovation]

Morning Coffee Sponsors

[sponsor logo: OCI]

General Sponsors

[sponsor logo: Simple]

Details

OWASP Portland 2019 Training Day will be on September 25, 2019.

This year for the 2nd time, we'll be located at:

World Trade Center Portland
121 SW Salmon St.
Portland, OR 97204. 

Later in the evening, a social mixer will also be held at Rock Bottom Restaurant & Brewery, just a short walk away:

206 SW Morrison St
Portland, OR 97204

Schedule

Time               | Activity
8:00 AM - 8:30 AM  | Morning Registration and Continental Breakfast
8:30 AM - 12:00 PM | AWS API Threat Modeling and Automated Testing (Kendra Ash)
                   | Applied Physical Attacks on Embedded Systems, Introductory Version (Joe FitzPatrick)
                   | Security Tools and Jenkins Pipeline (Sneha Kokil)
                   | OWASP Top 10 / Juice Shop Hack Session (David Quisenberry)
12:00 PM - 1:30 PM | Lunch on your own - Meet a new friend and grab a bite!
1:00 PM - 1:30 PM  | Afternoon Registration (for those attending only in the afternoon)
1:30 PM - 5:00 PM  | Advanced Application Security Testing (Timothy Morgan)
                   | Container Security (Alex Ivkin)
                   | Intro to Chrome Exploitation (Justin Angra)
                   | OWASP Amass: Discovering Your Exposure on the Internet (Jeff Foley)
5:00 PM - 7:30 PM  | Evening Mixer @ Rock Bottom Restaurant and Brewery

Interested in teaching a training at Training Day 2019? Contact Portland OWASP via the mailing list or Twitter!

Lunch Ideas

Here are some lunch ideas:

  • Farmhouse Cafe, 101 SW Main St.
  • The Good Earth Cafe, 1136 SW 3rd Ave.
  • Chipotle Mexican Grill, 240 SW Yamhill St.
  • Luc Lac Vietnamese Kitchen, 835 SW 2nd Ave.
  • Rock Bottom Restaurant & Brewery, 206 SW Morrison St.
  • Buffalo Wild Wings, 327 SW Morrison St.
  • Cafe Yumm, 301 SW Morrison St.
  • Killer Burger, 510 SW 3rd Ave.
  • House of Ramen, 223 SW Columbia St.
  • There are some food carts north of the World Trade Center on SW 3rd Ave. and SW Stark St.

How to Register

Registration will again be via EventBrite.

Thank you to the OWASP Foundation and the many sponsors, trainers and volunteers who have helped make Training Day a success and allow us to continue!