Vancouver

= OWASP Vancouver =

Welcome to the Vancouver chapter homepage. The chapter leader is [mailto:farshad.abasi@owasp.org Farshad Abasi]. '''Click here to join the local chapter mailing list. Mailing list archives can be found here.'''

= Watch Online =

You can watch the live-stream here, and subscribe to the OWASP Vancouver YouTube channel here, where you can also check out the archives (big thanks to George Pajari).

= Upcoming Events =

Upcoming events for 2018 are as follows:

Threat Modelling Gamification: How to get developers to think differently at secure coding
Date: September 27, 2018 // Location: TBD. Registration is required and available here.

Speaker: Dana Epp

Abstract: The concept of writing safer, more resilient software against the threat landscape of today is a daunting task, especially when tight budgets and deadlines are constantly under pressure and the rapid adoption of faster release cycles makes it far too easy to 'skip' thinking about the security of the systems and data we rely on to deliver our software. In this session, Dana will introduce threat modeling in a way that helps you educate your developers and DevOps engineers on how to look for threats and how to think like an attacker, all while having a bit of fun. From learning how to draw developers in with gamification, using a simple card game called 'Elevation of Privilege' that focuses on identifying threats in your software, to leveraging free tools published by Microsoft to aid you in documenting and responding to such threats, you will walk away with a better understanding of how to look at your software more defensively. Practical exercises and real-world discussions will strengthen the presentation and reinforce the learning objective: to write safer, more secure software in every sprint.

Speaker Bio: Dana Epp has spent decades as an architect who focuses on helping secure software, data and infrastructure. When he's not helping to build and grow software companies, he's advising others on adapting to and embracing the ever-changing landscape of IT. As both a Microsoft Regional Director and Azure Security MVP, he spends a great deal of time on security engineering in the cloud, focused on building safe, decoupled systems. His latest project is a cloud threat protection platform for Azure, which you can check out at www.auditwolf.com. You can also follow him at www.danaepp.com.

= Past Events =

The following is a listing of our past events:

Transitioning into DevSecOps
Date: May 31 // Location: Microsoft Canada, Suite 1100 - 1111 W. Georgia, Vancouver, BC

For those of you who are unable to make it in person, you can watch the live-stream here and subscribe to the OWASP Vancouver YouTube channel here (big thanks to George Pajari).

Speaker: Roger Trevisan

Abstract: Software development practices have evolved quite a bit in recent years, from Waterfall, to the multiple flavors of Agile, and now into DevOps. Security teams often have challenges keeping up with the speed and scalability requirements of the new development and operations practices, and end up creating barriers that may cause disruption to the development and operations life cycle.

This presentation aims to cover the main reasons why security teams are failing to bolt security onto the current development models. It also shines some light on the difference between traditional security, DevOps + Security and DevSecOps, and exposes some of the processes, tools and cultural changes required for a successful DevSecOps organization.

Speaker Bio: Roger Trevisan is a CISSP-certified security professional with 12+ years of experience in web application security, secure coding, secure development lifecycle, penetration testing, risk assessment, vulnerability management, network security and information systems administration. As a skilled penetration tester and application security professional, Roger has helped high-profile companies in industries such as finance, healthcare and telecommunications to identify and address a large number of critical security vulnerabilities.

Managing an Application Security Testing and Vulnerability Management Program in a CI/CD Environment
Date: March 29 (registration is free and required as capacity is limited) // Location: Mozilla's Vancouver office (https://www.mozilla.org/en-US/contact/spaces/vancouver/, buzz 209)

Speaker: Karim Lalji

Abstract: Modern software environments have adopted new methodologies for developing products, including continuous integration and continuous delivery, more commonly referred to as CI/CD. Application security testing and vulnerability management is an important aspect of software environments; unfortunately, this practice often lacks both effectiveness and the requisite knowledge when approached from an application perspective as opposed to traditional IT infrastructure. The challenges are compounded in CI/CD environments, where critical code is merged into production at regular intervals without proper security coverage. This talk aims to provide a working understanding of application security testing (AST) and vulnerability management in a modern software enterprise employing DevOps practices, and more specifically a CI/CD pipeline. The talk will discuss security testing at different stages of the secure SDLC (S-SDLC), from source code analysis to penetration testing, and how to effectively manage the resulting vulnerabilities. The discussion is applicable to anyone with an interest in security or software in general, but is of particular relevance to managers and architects interested in building an effective application security program.

Speaker Bio: Karim has a background in application security particularly in the banking/finance industries and currently works in a senior offensive security consulting role conducting penetration testing and threat/vulnerability assessments for a variety of clients. Karim was a software engineer in his past life and securing applications has been a strong focus for a good portion of his career.

Finding High-Risk Web Vulnerabilities with a Small Number of Generic Payloads
Date: Jan 25 // Location: Mozilla's Vancouver office (https://www.mozilla.org/en-US/contact/spaces/vancouver/, buzz 209)

Speaker: Miles (San-Tsai) Sun

Abstract: Using a small number of generic payloads to discover high-risk web vulnerabilities (e.g., SQL injection, remote code execution) is highly desirable during a penetration test. In this talk, I will present and demonstrate a lightweight vulnerability detection approach that complements traditional automated scanners. Using an expression probing technique, this approach can systematically probe whether user-controlled input is treated as code by the server-side program logic, as well as the situational context of the injected payload and its underlying language. Compared to automated vulnerability scanners, this approach has a tiny network footprint (it is quick, has negligible system impact and avoids IP blocking), is agnostic to application platform/language, and is friendly to web application firewalls and intrusion detection/prevention systems. This lightweight detection technique can address or reduce many common challenges faced by penetration testers.
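The following is an added illustration of the expression-probing idea the abstract describes, written for this page; it is not San-Tsai Sun's tool or code. The two toy "servers" (a template renderer that evaluates `{{ ... }}` and a lookup that evaluates a numeric parameter), the set of context wrappers, and the language-discriminating expressions are my own assumptions so that the idea runs offline: a small arithmetic expression is sent wrapped in several candidate syntaxes, and a context is flagged as "evaluated as code" when the response reflects the result of the expression rather than its literal text. A second round of expressions with language-specific semantics (`'7'+7`, `'7'*7`, `7/2`) then distinguishes the interpreter behind the sink.

```python
"""Expression probing, illustrated (added example, not the speaker's tool).
The targets below are constructed stand-ins for HTTP endpoints."""
import re

# ---- constructed targets (stand-ins for remote endpoints) -------------------
def _render(page: str) -> str:
    """Toy template engine: evaluates {{ ... }} with eval(). This is the
    injection sink being probed; never render untrusted text this way."""
    def _sub(m):
        try:
            return str(eval(m.group(1), {"__builtins__": {}}, {}))
        except Exception:
            return "[template error]"
    return re.sub(r"\{\{(.*?)\}\}", _sub, page)

def vulnerable_greeting(name: str) -> str:
    # Bug: user data is spliced into the template *source* before rendering,
    # so {{...}} inside the name is evaluated (server-side template injection).
    return _render("<h1>Hello " + name + "</h1>")

def safe_greeting(name: str) -> str:
    # Fixed: render first, then insert the user data as data
    # (HTML-escape it separately; that is a different bug class).
    return _render("<h1>Hello __NAME__</h1>").replace("__NAME__", name)

def vulnerable_lookup(item_id: str) -> str:
    # Bug: a "numeric" parameter is evaluated as an expression, the shape a
    # bare a*b probe detects (think arithmetic reaching a SQL WHERE clause).
    try:
        return f"item {eval(item_id, {'__builtins__': {}}, {})}"
    except Exception:
        return "error"

# ---- probing ----------------------------------------------------------------
# Each wrapper targets a different server-side context; EXPR is replaced by
# the probe expression. Extend with quote break-outs ('+EXPR+') and so on.
CONTEXTS = {
    "bare":     "EXPR",        # numeric parameter evaluated as-is
    "mustache": "{{EXPR}}",    # Jinja2 / Twig / Handlebars-style template
    "dollar":   "${EXPR}",     # FreeMarker / Velocity / JS template literal
    "erb":      "<%=EXPR%>",   # ERB / JSP scriptlet
}

def _reflects(body: str, value: str) -> bool:
    """True if value appears as a whole token (so '3' does not match '3.5')."""
    return re.search(r"(?<![\w.])" + re.escape(value) + r"(?![\w.])", body) is not None

def probe(send, a: int = 1543, b: int = 2791) -> dict:
    """send(value) -> response body, i.e. one request with the parameter set.
    Returns {context: wrapper} for each context in which the server returned
    a*b, i.e. treated our input as code. Use random operands in practice so
    the product cannot occur in the page by chance."""
    expr, product = f"{a}*{b}", str(a * b)
    found = {}
    for ctx, wrapper in CONTEXTS.items():
        body = send(wrapper.replace("EXPR", expr))
        # Evidence = the result is reflected and the literal expression is not.
        if _reflects(body, product) and expr not in body:
            found[ctx] = wrapper
    return found

# Language discriminators: one expression, different answers per interpreter
# (None = the expression is an error there, so no numeric result is reflected).
SIGNATURES = {
    "python":     {"'7'+7": None, "'7'*7": "7777777", "7/2": "3.5"},
    "ruby":       {"'7'+7": None, "'7'*7": "7777777", "7/2": "3"},
    "javascript": {"'7'+7": "77", "'7'*7": "49",      "7/2": "3.5"},
    "php":        {"'7'+7": "14", "'7'*7": "49",      "7/2": "3.5"},
}

def fingerprint(send, wrapper: str) -> str:
    """Given a wrapper that probe() found to be evaluated, identify the
    language: send each discriminator once and score every candidate."""
    exprs = list(next(iter(SIGNATURES.values())))
    bodies = {e: send(wrapper.replace("EXPR", e)) for e in exprs}
    scores = {}
    for lang, sig in SIGNATURES.items():
        hits = 0
        for e, expected in sig.items():
            others = {s[e] for s in SIGNATURES.values()} - {expected, None}
            if expected is None:   # this language errors: no rival value shows
                hits += not any(_reflects(bodies[e], o) for o in others)
            else:
                hits += _reflects(bodies[e], expected)
        scores[lang] = hits
    best = max(scores, key=scores.get)
    return best if scores[best] == len(exprs) else "unknown"

if __name__ == "__main__":
    for name, target in [("vulnerable_greeting", vulnerable_greeting),
                         ("vulnerable_lookup", vulnerable_lookup),
                         ("safe_greeting", safe_greeting)]:
        hits = probe(target)
        langs = {ctx: fingerprint(target, w) for ctx, w in hits.items()}
        print(f"{name}: evaluated contexts={hits or 'none'} language={langs or 'n/a'}")
```

Four requests per parameter decide whether any context is evaluated, and three more name the language; the whole-token match in `_reflects` is what keeps a Ruby `3` from being mistaken for a Python `3.5`. Against a real target, `send` would be an HTTP call that places the payload in the parameter under test and returns the body.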

Speaker Bio: San-Tsai Sun is a passionate information security professional and researcher. With more than 20 years of expertise in system development and application security, he is currently an Advanced Security Engineer at Staples, where he enjoys his work in penetration testing, static/dynamic vulnerability scanning, source code review, risk analysis/threat modeling, and application security design consultancy. Prior to Staples, he was a Senior Information Security Consultant at HSBC Bank. San-Tsai holds a PhD in Information Security from the University of British Columbia, and has helped hundreds of websites address high-risk security vulnerabilities found on their sites.

= Participation =

OWASP Foundation (Overview Slides) is a professional association of global members and is open to anyone interested in learning more about software security. Local chapters are run independently and guided by the Chapter_Leader_Handbook. As a 501(c)(3) non-profit professional association, your support and sponsorship of any meeting venue and/or refreshments is tax-deductible. Financial contributions should only be made online using the authorized online chapter donation button. To be a SPEAKER at ANY OWASP Chapter in the world, simply review the speaker agreement and then contact the local chapter leader with details of what OWASP PROJECT, independent research or related software security topic you would like to present on.

= Sponsorship/Membership =

to this chapter or become a local chapter supporter.

Or consider the value of Individual, Corporate, or Academic Supporter membership. Ready to become a member?