OWASP Portland 2018 Training Day

For the third year in a row, the Portland OWASP chapter is proud to host our information security training day! This is be an excellent opportunity for those interested to receive top quality information security and application security training for prices far lower than normally offered. It's also a great chance to network with the local infosec community and meet those who share your interests.

Want to get news and information on our 2018 Training Day? Subscribe to the Portland OWASP mailing list or follow @PortlandOWASP on Twitter!

=Courses= Courses will be held in two tracks: four in the morning session, and four in the afternoon session. Each participant can register for one morning course, or one afternoon course, or one of each.

Intro to Hacking Web 3.0
Instructor: Mick Ayzenberg

Abstract: In this half day course, we will introduce several emerging Blockchain concepts such as Web 3.0, smart contracts, and decentralized applications (DApps). You will get the opportunity to explore and interact with applications on this platform, and will be introduced to several of the most common vulnerability categories found in smart contracts through a capture the flag platform. This class will be highly interactive, so bring a laptop. No previous Blockchain experience required.

Introduction to Computer Forensics
Instructor: Kris Rosenberg

Abstract: It’s 3AM and the phone rings… ok, maybe not 3AM, but you get the call that a computer system on your network is acting strange. After taking a look you realize that this system may be infected with malware, or possibly you have an active intruder inside your network. What do you do next? This session will guide you through the basic initial steps that can be taken in a security incident to effectively isolate and contain the attack and collect evidence for potential future prosecution. We will introduce the PICERL framework for incident handling and discuss each phase in detail: Planning, Identification, Containment, Eradication, Recovery, and Lessons Learned. At the end of the session you should have a basic understanding of how to respond to a potential security incident, and preserve any evidence that may be needed.

Sponsored by Summit Security Group, LLC
Instructor: Patterson Cake

Abstract: If your organization has the resources to scan all of the things all of the time, this course may not be for you! If, however, you are like most organizations, struggling to keep up and to make tangible progress towards improving your security posture, read on! In this course, we'll discuss scanning tools and techniques to help you identify unknown devices, sensitive data exposure, and system misconfigurations within your environment, using open-source and built-in tools, like Nmap and PowerShell, along with some good old-fashioned NI (Natural Intelligence). We'll focus on practical, tactical ways to find things like unapproved IoT devices on your network, sensitive data shares with "Everyone" permissions, and web apps with default credentials, things you care about which are often easy to remediate but may not show up on traditional vulnerability or compliance scans.

Prerequisites: Laptop capable of running a recent version of Nmap (Windows, Linux or Mac) with admin/root privileges.

Incident Handling - a primer
Instructor: Derek Hill

Abstract: Have you ever wondered what it takes to investigate an incident inside your company network? What about your assets stored in a public cloud? When does an event become an incident? Who decides this? We will cover the important steps of an incident handling process, including getting you started in creating your own incident handling plan. We will talk about the challenges of doing this in cloud, where you don't have physical access to the machines. You will walk away with an understanding of the fundamental steps of incident handling as well as some examples of what to look for, how to handle collection and preservation of evidence.

Advanced Application Security Testing
Instructor: Timothy Morgan

Abstract: This course takes students beyond the most basic web application exploitation scenarios, focusing on advanced SQL injection, XML eXternal Entities (XXE) and server-side request forgery (SSRF) attacks. The course also covers out-of-band detection and exfiltration using the DNS, which has recently become a popular technique used by penetration testers.

AppSec Testing Beyond Pen Test
Instructor: Bhushan Gupta

Abstract: Most web application security testing efforts are concentrated around penetration testing, which is an art based on hackers’ psyche, thought process, and determination to exploit software vulnerabilities. However, does it yield a high level of confidence and sense of security in a developer’s mind? The web application developers must begin to think of building security throughout the software development life cycle (SDLC). This workshop paper focuses on an approach that aligns the web application security testing with the three basic principles of security; confidentiality, integrity, and availability (CIA). Using a simple approach, workshop teaches how to identify the most vulnerable processes in an application, highlighting the test-intensive areas. The students will learn:
 * 1) How to identify the security requirements for their business
 * 2) How to plan security testing using both statics and dynamic code analysis
 * 3) How to apply STRIDE model to evaluate critical web application components
 * 4) How to prioritizing vulnerabilities based upon DREAD model to minimize breech impact

Applied Physical Attacks on Embedded Systems, Introductory Version
Instructor: Joe FitzPatrick

Abstract: This workshop introduces several different relatively accessible interfaces on embedded systems. Attendees will get hands-on experience with UART, SPI, and JTAG interfaces on a MIPS-based wifi router. After a brief architectural overview of each interface, hands-on labs will guide through the process understanding, observing, interacting with, and exploiting the interface to potentially access a root shell on the target.

Sponsored by Oracle Cloud Infrastructure
Instructor: Joshua Pereyda

Abstract: Get hands on experience writing custom network protocol fuzzers. This class will cover the basics of network protocol ""smart fuzzing."" Exercises will utilize the open source network protocol fuzzing framework, boofuzz. Attendees will gain practice reverse engineering a network protocol, implementing and iterating on a custom fuzzer, and identifying vulnerabilities. After the course:


 * 1) You will know the basics of fuzzing.
 * 2) You will know how to write custom network protocol fuzzers using state of the art open source tools.
 * 3) You will have hands on experience with this widely-discussed but still largely mysterious test method.

=Sponsors=

'''Interested in becoming a sponsor? Watch this space for 2018 sponsorship information!'''

General Sponsors


=Details= OWASP Portland 2018 Training Day will be October 3, 2018. This year we'll be located at:

World Trade Center Portland 121 SW Salmon St. Portland, OR 97204.

Later in the evening, a social mixer will also be held at Rock Bottom Restaurant & Brewery, just a short walk away:

206 SW Morrison St Portland, OR 97204

Lunch Ideas
Lunch ideas for 2018 coming soon!

=How to Register= Registration information and dates coming soon!