OWASP Portland 2017 Training Day

From OWASP
Jump to: navigation, search

Once again this year the Portland OWASP chapter is hosting an information security training day! This will be an excellent opportunity for those interested to receive quality information security and application security training for next to nothing. It's also a great chance to network with the local infosec community and meet those who share your interests.

Courses

Courses are held in two tracks: three in the morning session, and three in the afternoon session. Each participant can register for one morning course, or one afternoon course, or one of each. The cost per course is $25. The six courses offered are as follows:

Morning Session 8:30 AM - Noon

Client-side Security for Modern Web Applications (SOP, XSS, CSRF, CSP, etc)

Instructor: Timothy Morgan

Abstract: This course introduces the student to key concepts of browser security, such as the same-origin policy, and continues with a series of web-specific vulnerability classes, including: cross-site scripting, cross-site request forgery, clickjacking, and JSON hijacking. The course finishes up by covering new security mechanisms and standards, including cross-origin resource sharing (CORS) and content security policy (CSP).

Cyber Security Framework

Instructor: James Trumper

Abstract: Are you looking for a place to start addressing your information security posture, how to understand current maturity and plan future enhancements and budget? Have you been tasked with complying or using an information security framework? The CyberSecurity Framework (CSF) is a comprehensive information security framework developed by NIST (the National Institute of Standards and Technology). Although the framework is required for many federal agencies and used by State and local agencies, it is also recommended for use by non-governmental organizations including small to medium businesses. In this course, we will review the framework's structure and components, going into details around specific requirements as well as references to NIST 800-53. Once we have a good foundation around the CSF categories and sub-categories, we will transition into how we can manage our efforts to this framework. The course provides a creative-commons management tool to track current controls, maturity, existing budget, plan for future control enhancement projects, and future budget requests. The tool is both an internal tracking tool as well as a presentation layer to various teams and management based on their need-to-know.

Securing Your AWS Environment

Instructor: Derek Hill

Abstract: Are you looking to move your infrastructure into the cloud, but are worried about how to secure it? Are you ready to let go of all of your physical infrastructure? You are not alone in this journey. The cloud does not have to be this scary unknown black hole. Sure, things are certainly different and not everything that you used to do in your own infrastructure is easily repeatable in the cloud; however, there are many benefits. Thing are different, but many things are the same. We will discuss how to secure your cloud environment using both AWS tools and third party tools, including some custom applications that allow you to see what you have and how you need to secure it. We are successfully managing over 120 AWS accounts with approximately 3000 instances and many other AWS services. This class does not have any labs (due to the short duration). We will have some demos on how we accomplish certain tasks. We hope that you can take away some ideas on how to solve some of your current security problems and gain the confidence that security in the cloud can be achieved.

Afternoon Session: 1:30 PM - 5:00 PM

Burp and ZAP: Introduction into web intercept/scanning tools

Instructor: Alexei Kojenov

Abstract: The participants will learn how browsers communicate with web application back ends and how special tools such as Burp Suite and OWASP ZAP can be used to intercept, analyze and modify these communications to assess the application's security posture and, ultimately, to find and exploit vulnerabilities. We will discuss and try both passive and active attacks while diving deeper into each tool's functionality. We will talk about how to efficiently use the available features, as well as the ways to automate manual tasks. The participants will be able to immediately practice the learned skills during the class, and then apply them in their work environments. Prerequisites: A laptop (any OS) with Firefox or Chrome and Oracle VirtualBox (participants will be given a virtual machine with intentionally vulnerable web application for practice).

Applied Physical Attacks on Embedded Systems, Introductory Version

Instructor: Joe Fitzpatrick

Abstract: This workshop introduces several different relatively accessible interfaces on embedded systems. Attendees will get hands-on experience with UART, SPI, and JTAG interfaces on a MIPS-based wifi router. After a brief architectural overview of each interface, hands-on labs will guide through the process understanding, observing, interacting with, and exploiting the interface to potentially access a root shell on the target.

Cyber First-Aid: Introduction to Incident Response

Instructor: Kris Rosenberg

Abstract: In today’s world It is not a question of “if” you will get hacked, but “when”. More importantly. what are you going to do about it? When an incident occurs you need to be prepared to respond quickly to minimize losses and collect any potential evidence that could be used for a more detailed analysis of the incident. Much like a typical first aid course that prepares first responders to give immediate care needed to sustain life, this session is designed to give those who are typically the first on-scene to a cybersecurity event the skills they need to effectively identify and contain the incident, and preserve potentially valuable evidence for further forensic analysis.

Sponsors

Interested in becoming a sponsor? Please contact: ian DOT melven AT owasp.org

The following sponsors have made this event possible:

Mixer Sponsors

Github.png

Training Session Sponsors

Newrelic.png   

           

Online Business Systems

General Sponsors

Summit.png

Details

The training day will be held on Wednesday, October 4 at:

PSU - Smith Memorial Student Union Building
1825 SW Broadway
Portland, OR 97201

Later in the evening, a social mixer will also be held at Rogue Hall, just a short walk away:

1717 Southwest Park Ave.
Portland, OR 97201
OWASP Training map.png

Schedule

Time Activity
8:00 AM - 9:00 AM Morning Registration (Near Room 298)
9:00 AM - 12:00 PM Room SMSU 327: Client-side Security for Modern Web Applications

(SOP, XSS, CSRF, CSP, etc)

Room SMSU 328:  Cyber Security

Framework

Room SMSU 329: Securing Your AWS Environment
12:00 PM - 1:30 PM Lunch on your own - Meet a new friend and grab a bite!
1:00 PM - 1:30 PM Afternoon Registration (for those attending only in the afternoon)
1:30 PM - 5:00 PM Room SMSU 327: Burp and ZAP: Introduction into web intercept/scanning tools Room SMSU 328: Applied Physical Attacks on Embedded Systems, Introductory Version Room SMSU 329: Cyber First-Aid: Introduction to Incident Response
5:00 PM - 7:30 PM Evening Mixer @ Rogue Hall

Lunch Ideas

There are a large number of restaurants nearby, but in case you're having trouble deciding (or your phone battery died), here are some possibilities:

  • Baan-Thai Restaurant, 1924 SW Broadway
  • Hotlips Pizza, 1909 SW 6th Ave
  • Laughing Planet Cafe, 1720 SW 4th Ave
  • Love Belizean, 1503 SW Broadway
  • McMenamins Market Street Pub, 1526 SW 10th Ave
  • There is also a block of food carts on SW 4th Ave between Hall St & College St.


How to Register

Registration is via EventBrite : https://www.eventbrite.com/e/portland-owasp-training-day-2017-tickets-37297273148?aff=es2