OWASP Portland 2017 Training Day

Once again this year the Portland OWASP chapter is hosting an information security training day! This will be an excellent opportunity for those interested to receive quality information security and application security training for next to nothing. It's also a great chance to network with the local infosec community and meet those who share your interests.

=Courses= Courses are held in two tracks: three in the morning session, and three in the afternoon session. Each participant can register for one morning course, or one afternoon course, or one of each. The six courses offered are as follows:

Client-side Security for Modern Web Applications (SOP, XSS, CSRF, CSP, etc)
Instructor: Timothy Morgan

Abstract: This course introduces the student to key concepts of browser security, such as the same-origin policy, and continues with a series of web-specific vulnerability classes, including: cross-site scripting, cross-site request forgery, clickjacking, and JSON hijacking. The course finishes up by covering new security mechanisms and standards, including cross-origin resource sharing (CORS) and content security policy (CSP).

Cyber Security Framework
Instructor: James Trumper

Abstract: Are you looking for a place to start addressing your information security posture, how to understand current maturity and plan future enhancements and budget? Have you been tasked with complying or using an information security framework? The CyberSecurity Framework (CSF) is a comprehensive information security framework developed by NIST (the National Institute of Standards and Technology). Although the framework is required for many federal agencies and used by State and local agencies, it is also recommended for use by non-governmental organizations including small to medium businesses. In this course, we will review the framework's structure and components, going into details around specific requirements as well as references to NIST 800-53. Once we have a good foundation around the CSF categories and sub-categories, we will transition into how we can manage our efforts to this framework. The course provides a creative-commons management tool to track current controls, maturity, existing budget, plan for future control enhancement projects, and future budget requests. The tool is both an internal tracking tool as well as a presentation layer to various teams and management based on their need-to-know.

Securing Your AWS Environment
Instructor: Derek Hill

Abstract: Are you looking to move your infrastructure into the cloud, but are worried about how to secure it? Are you ready to let go of all of your physical infrastructure? You are not alone in this journey. The cloud does not have to be this scary unknown black hole. Sure, things are certainly different and not everything that you used to do in your own infrastructure is easily repeatable in the cloud; however, there are many benefits. Thing are different, but many things are the same. We will discuss how to secure your cloud environment using both AWS tools and third party tools, including some custom applications that allow you to see what you have and how you need to secure it. We are successfully managing over 120 AWS accounts with approximately 3000 instances and many other AWS services. This class does not have any labs (due to the short duration). We will have some demos on how we accomplish certain tasks. We hope that you can take away some ideas on how to solve some of your current security problems and gain the confidence that security in the cloud can be achieved.

Burp and ZAP: Introduction into web intercept/scanning tools
Instructor: Alexei Kojenov

Abstract: The participants will learn how browsers communicate with web application back ends and how special tools such as Burp Suite and OWASP ZAP can be used to intercept, analyze and modify these communications to assess the application's security posture and, ultimately, to find and exploit vulnerabilities. We will discuss and try both passive and active attacks while diving deeper into each tool's functionality. We will talk about how to efficiently use the available features, as well as the ways to automate manual tasks. The participants will be able to immediately practice the learned skills during the class, and then apply them in their work environments. Prerequisites: A laptop (any OS) with Firefox or Chrome and Oracle VirtualBox (participants will be given a virtual machine with intentionally vulnerable web application for practice).

Applied Physical Attacks on Embedded Systems, Introductory Version
Instructor: Joe Fitzpatrick

Abstract: This workshop introduces several different relatively accessible interfaces on embedded systems. Attendees will get hands-on experience with UART, SPI, and JTAG interfaces on a MIPS-based wifi router. After a brief architectural overview of each interface, hands-on labs will guide through the process understanding, observing, interacting with, and exploiting the interface to potentially access a root shell on the target.

Cyber First-Aid: Introduction to Incident Response
Instructor: Kris Rosenberg

Abstract: In today’s world It is not a question of “if” you will get hacked, but “when”. More importantly. what are you going to do about it? When an incident occurs you need to be prepared to respond quickly to minimize losses and collect any potential evidence that could be used for a more detailed analysis of the incident. Much like a typical first aid course that prepares first responders to give immediate care needed to sustain life, this session is designed to give those who are typically the first on-scene to a cybersecurity event the skills they need to effectively identify and contain the incident, and preserve potentially valuable evidence for further forensic analysis.

=Sponsors=

We are finalizing our sponsors for this year's training day. It's not too late to sponsor! If interested, please contact ian DOT melven@owasp DOT org

=Details= The training day will be held on Wednesday, October 4 at:

PSU - Smith Memorial Student Union Building 1825 SW Broadway Portland, OR 97201

Later in the evening, a social mixer will also be held at Rogue Hall, just a short walk away:

1717 Southwest Park Ave. Portland, OR 97201

Lunch Ideas
There are a large number of restaurants nearby, but in case you're having trouble deciding (or your phone battery died), here are some possibilities:


 * Baan-Thai Restaurant, 1924 SW Broadway
 * Hotlips Pizza, 1909 SW 6th Ave
 * Laughing Planet Cafe, 1720 SW 4th Ave
 * Love Belizean, 1503 SW Broadway
 * McMenamins Market Street Pub, 1526 SW 10th Ave
 * There is also a block of food carts on SW 4th Ave between Hall St & College St.

=How to Register= Registration is via EventBrite : https://www.eventbrite.com/myevent?eid=37297273148

Registration will open soon - please follow @PortlandOWASP on Twitter for updates!