Difference between revisions of "Vancouver"

From OWASP
Older revision (edit summary: 2012 Meetings: added may 2012 meeting):

{{Chapter Template|chaptername=Vancouver|extra=The chapter leader is Yvan Boily (yvanboily at gmail.com).
|mailinglistsite=http://lists.owasp.org/mailman/listinfo/owasp-vancouver|emailarchives=http://lists.owasp.org/pipermail/owasp-vancouver}}

== 2012 Meetings ==

You can subscribe to the OWASP Vancouver Calendar [https://www.google.com/calendar/ical/osgb36r55fqlt3m10jc4e2ef70%40group.calendar.google.com/public/basic.ics here].

=== May 2012 ===

'''OAuth-based single sign-on in Real-world Implementations'''

'''Speaker:''' San-Tsai Sun

'''Date & Time:''' Monday, May 28th, 2012 @ 5:30pm

Millions of web users today employ their Facebook accounts to sign into more than one million relying party (RP) websites. This web-based single sign-on (SSO) scheme is enabled by OAuth 2.0, a web resource authorization protocol that has been adopted by major service providers. The OAuth 2.0 protocol has proven secure by several formal methods, but whether it is indeed secure in practice remains an open question. We examine the implementations of three major OAuth identity providers (IdP) (Facebook, Microsoft, and Google) and 96 popular RP websites that support the use of Facebook accounts for login. Our results uncover several critical vulnerabilities that allow an attacker to gain unauthorized access to the victim user's profile and social graph, and impersonate the victim on the RP website. Closer examination reveals that these vulnerabilities are caused by a set of design decisions that trade security for implementation simplicity. To improve the security of OAuth 2.0 SSO systems in real-world settings, we suggest simple and practical improvements to the design and implementation of IdPs and RPs that can be adopted gradually by individual sites.

'''Registration:''' Registration is strongly recommended since an invite will be extended to other groups to try to improve participation in OWASP. If space runs out, preference will be given to those who have registered!

Please register at: [https://docs.google.com/spreadsheet/viewform?formkey=dHZSeTY1ZnFKTFo1elBRZ3BsenNvRnc6MQ here].

''(Registration details are not retained after the meeting, however a sign-up sheet will be available for those claiming CPEs)''

'''Location:'''

Mozilla Vancouver, Suite 209, 163 West Hastings,
Vancouver, BC (Buzzer code is in the directory)

=== January 2012 ===

'''Outsourcing Identity: Understanding Privacy and Security in Identity Services'''

'''Speaker:''' Yvan Boily, Web Security Engineer, Mozilla Corporation

'''Date & Time:''' Monday, January 23rd, 2012 @ 5:30pm

Social Media has taken over the online world; what Microsoft attempted with Passport has been made reality by Facebook, Twitter, Google, and other service providers. In addition to the proprietary identity services these platforms offer, several support protocols such as OpenID. This will be a one hour presentation that will contrast the security and privacy features available in major online identity protocols, and contrast these with Mozilla's BrowserID protocol.

'''Registration:''' Registration is strongly recommended since an invite will be extended to other groups to try to improve participation in OWASP. If space runs out, preference will be given to those who have registered!

Please register [https://docs.google.com/spreadsheet/viewform?formkey=dHZSeTY1ZnFKTFo1elBRZ3BsenNvRnc6MQ here].

''(Registration details are not retained after the meeting, however a sign-up sheet will be available for those claiming CPEs)''

'''Location:'''

Ping Identity,
200 - 788 Beatty St,
Vancouver

'''About Ping Identity'''

Ping Identity has generously offered their downtown office space, located on the corner of Beatty and Robson, to host our chapter's meetings moving forward. The office is 6000sq/ft of a mostly open floor plan, so we should be able to accommodate a large group.

[[Category:British Columbia]]

(35 intermediate revisions by 5 users not shown)

Latest revision, wikitext (minor edit; edit summary: Application Security Testing in the modern world: understanding various methodologies and where they fit in your development life-cycle):

= OWASP Vancouver =

Welcome to the Vancouver chapter homepage. The chapter leader is [mailto:farshad.abasi@owasp.org Farshad Abasi].<br>

<b>[http://lists.owasp.org/mailman/listinfo/owasp-vancouver Click here] to join the local chapter mailing list. Mailing list archives can be found [http://lists.owasp.org/pipermail/owasp-vancouver here]</b>

= Events =

Upcoming events for Q1 and Q1 2018 are as follows:

== Finding High-Risk Web Vulnerabilities with a Small Number of Generic Payloads ==

'''Date:''' Jan 25  // '''Location:''' Mozilla's Vancouver office (https://www.mozilla.org/en-US/contact/spaces/vancouver/, buzz 209)<br>

'''Speaker:''' Miles (San-Tsai) Sun<br>

'''Abstract:''' Using a small number of generic payloads to discover high-risk web vulnerabilities (e.g., SQL injection, Remote Code Execution) is highly desirable during a penetration test. In this talk, I will present and demonstrate a lightweight vulnerability detection approach complementing traditional automatic scanners. Using an expression probing technique, this approach can systematically probe whether user-controlled input is treated as code by the server-side program logic, as well as the situational context of the injected payload, and its underlying language. Compared to automatic vulnerability scanners, this approach imposes a tiny network footprint (e.g., quick, negligible system impact, avoids IP blocking), is agnostic to application platform/language, and friendly to Web Application Firewall/Intrusion Detection and Prevention Systems. This lightweight detection technique could address or reduce many common challenges faced by penetration testers.

'''Speaker Bio:'''

San-Tsai Sun is a passionate information security professional and researcher. With more than 20 years of expertise in system development and application security, he is currently an Advanced Security Engineer at Staples, where he enjoys his work in penetration testing, static/dynamic vulnerability scanning, source code review, risk analysis/threat modeling, and application security design consultancy. Prior to Staples, he was a Senior Information Security Consultant at HSBC Bank. San-Tsai holds a PhD in Information Security from the University of British Columbia, and has been helping hundreds of websites to address high risk security vulnerabilities found on their sites.

== Managing an Application Security Testing and Vulnerability Management Program in a CI/CD Environment ==

'''Date:''' March 29  ([https://goo.gl/t8zH4W registration] is free and required as capacity is limited).<br>

'''Speaker:''' Karim Lalji // '''Location:''' Mozilla's Vancouver office (https://www.mozilla.org/en-US/contact/spaces/vancouver/, buzz 209)<br>

'''Abstract:''' Modern software environments have adopted new methodologies for developing products including continuous integration and continuous delivery, more commonly referred to as CI/CD. Application security testing and vulnerability management is an important aspect in software environments; unfortunately this practice is often lacking in both effectiveness and requisite knowledge when dealt with from an applications perspective as opposed to traditional IT infrastructures. The challenges are further extended in CI/CD environments where critical code is merging into production at regular intervals without proper security coverage.<br>

This talk will aim to provide individuals with a working understanding of application security testing (AST) as well as vulnerability management in a modern software enterprise employing DevOps practices, and more specifically a CI/CD pipeline. The talk will discuss security testing at different stages of the S-SDLC from source code analysis to penetration testing and how to effectively manage vulnerabilities. The discussion is applicable to anyone with an interest in security or software in general but is of particular relevance to managers and architects interested in building an effective application security program.

'''Speaker Bio:''' Karim has a background in application security particularly in the banking/finance industries and currently works in a senior offensive security consulting role conducting penetration testing and threat/vulnerability assessments for a variety of clients. Karim was a software engineer in his past life and securing applications has been a strong focus for a good portion of his career.

==Application Security Testing in the modern world: understanding various methodologies and where they fit in your development life-cycle==

'''Date:''' May 31 // '''Location:''' Microsoft Canada, Suite 1100 - 1111 W. Georgia, Vancouver, BC<br>

'''Speaker:''' Roger Trevisan<br>

'''Abstract:''' If you are somewhat involved with the application security world, you probably have heard about some of the following acronyms when talking about security testing: MPT, SCA, SSA, RASP, IAST, DAST and SAST. With all the new developments and technologies related to cybersecurity it may be challenging to understand what solutions are available, the advantages each of the alternatives offers, and how they fit your software development lifecycle. This session will give you an overview of the most prevalent security testing technologies and highlight where they fit in the SDLC.<br>

'''Speaker bio:''' Roger Trevisan is a CISSP certified security professional with 12+ years of experience with web application security, secure coding, secure development lifecycle, penetration testing, risk assessment, vulnerability management, network security and information systems administration. As a skilled penetration tester and application security professional, Roger has helped high-profile companies in industries such as financial, healthcare and telecommunication to identify and address a large number of critical security vulnerabilities.<br>

= Participation =

OWASP Foundation ([https://docs.google.com/a/owasp.org/presentation/d/10wi1EWFCPZwCpkB6qZaBNN8mR2XfQs8sLxcj9SCsP6c/edit?usp=sharing Overview Slides]) is a professional association of [[Membership | global members]] and is open to anyone interested in learning more about software security. Local chapters are run independently and guided by the [[Chapter_Leader_Handbook]]. As a [[About_OWASP | 501(c)(3)]] non-profit professional association your support and sponsorship of any meeting venue and/or refreshments is tax-deductible. Financial contributions should only be made online using the authorized online chapter donation button. To be a <b>SPEAKER</b> at ANY OWASP Chapter in the world simply review the [[Speaker_Agreement | speaker agreement]] and then contact the local chapter leader with details of what OWASP PROJECT, independent research or related software security topic you would like to present on.

= Sponsorship/Membership  =

[[Image:Btn_donate_SM.gif|link=https://www.owasp.org/index.php/Local_Chapter_Supporter]] to this chapter or become a local chapter supporter.

Or consider the value of [[Membership | Individual, Corporate, or Academic Supporter membership]]. Ready to become a member? [[Image:Join_Now_BlueIcon.JPG|75px|link=https://www.owasp.org/index.php/Membership]]

[[Category:OWASP Chapter]]
[[Category:British Columbia]]

Latest revision as of 18:45, 20 May 2018

OWASP Vancouver

Welcome to the Vancouver chapter homepage. The chapter leader is Farshad Abasi.
Click here to join the local chapter mailing list. Mailing list archives can be found here

Events

Upcoming events for Q1 and Q1 2018 are as follows:

Finding High-Risk Web Vulnerabilities with a Small Number of Generic Payloads

Date: Jan 25 // Location: Mozilla's Vancouver office (https://www.mozilla.org/en-US/contact/spaces/vancouver/, buzz 209)
Speaker: Miles (San-Tsai) Sun
Abstract: Using a small number of generic payloads to discover high-risk web vulnerabilities (e.g., SQL injection, Remote Code Execution) is highly desirable during a penetration test. In this talk, I will present and demonstrate a lightweight vulnerability detection approach complementing traditional automatic scanners. Using an expression probing technique, this approach can systematically probe whether user-controlled input is treated as code by the server-side program logic, as well as the situational context of the injected payload, and its underlying language. Compared to automatic vulnerability scanners, this approach imposes a tiny network footprint (e.g., quick, negligible system impact, avoids IP blocking), is agnostic to application platform/language, and friendly to Web Application Firewall/Intrusion Detection and Prevention Systems. This lightweight detection technique could address or reduce many common challenges faced by penetration testers.

Speaker Bio: San-Tsai Sun is a passionate information security professional and researcher. With more than 20 years of expertise in system development and application security, he is currently an Advanced Security Engineer at Staples, where he enjoys his work in penetration testing, static/dynamic vulnerability scanning, source code review, risk analysis/threat modeling, and application security design consultancy. Prior to Staples, he was a Senior Information Security Consultant at HSBC Bank. San-Tsai holds a PhD in Information Security from the University of British Columbia, and has been helping hundreds of websites to address high risk security vulnerabilities found on their sites.

Managing an Application Security Testing and Vulnerability Management Program in a CI/CD Environment

Date: March 29 (registration is free and required as capacity is limited).
Speaker: Karim Lalji // Location: Mozilla's Vancouver office (https://www.mozilla.org/en-US/contact/spaces/vancouver/, buzz 209)
Abstract: Modern software environments have adopted new methodologies for developing products including continuous integration and continuous delivery, more commonly referred to as CI/CD. Application security testing and vulnerability management is an important aspect in software environments; unfortunately this practice is often lacking in both effectiveness and requisite knowledge when dealt with from an applications perspective as opposed to traditional IT infrastructures. The challenges are further extended in CI/CD environments where critical code is merging into production at regular intervals without proper security coverage.
This talk will aim to provide individuals with a working understanding of application security testing (AST) as well as vulnerability management in a modern software enterprise employing DevOps practices, and more specifically a CI/CD pipeline. The talk will discuss security testing at different stages of the S-SDLC from source code analysis to penetration testing and how to effectively manage vulnerabilities. The discussion is applicable to anyone with an interest in security or software in general but is of particular relevance to managers and architects interested in building an effective application security program.

Speaker Bio: Karim has a background in application security particularly in the banking/finance industries and currently works in a senior offensive security consulting role conducting penetration testing and threat/vulnerability assessments for a variety of clients. Karim was a software engineer in his past life and securing applications has been a strong focus for a good portion of his career.

Application Security Testing in the modern world: understanding various methodologies and where they fit in your development life-cycle

Date: May 31 // Location: Microsoft Canada, Suite 1100 - 1111 W. Georgia, Vancouver, BC
Speaker: Roger Trevisan
Abstract: If you are somewhat involved with the application security world, you probably have heard about some of the following acronyms when talking about security testing: MPT, SCA, SSA, RASP, IAST, DAST and SAST. With all the new developments and technologies related to cybersecurity it may be challenging to understand what solutions are available, the advantages each of the alternatives offers, and how they fit your software development lifecycle. This session will give you an overview of the most prevalent security testing technologies and highlight where they fit in the SDLC.
Speaker bio: Roger Trevisan is a CISSP certified security professional with 12+ years of experience with web application security, secure coding, secure development lifecycle, penetration testing, risk assessment, vulnerability management, network security and information systems administration. As a skilled penetration tester and application security professional, Roger has helped high-profile companies in industries such as financial, healthcare and telecommunication to identify and address a large number of critical security vulnerabilities.


Participation

OWASP Foundation (Overview Slides) is a professional association of global members and is open to anyone interested in learning more about software security. Local chapters are run independently and guided by the Chapter_Leader_Handbook. As a 501(c)(3) non-profit professional association your support and sponsorship of any meeting venue and/or refreshments is tax-deductible. Financial contributions should only be made online using the authorized online chapter donation button. To be a SPEAKER at ANY OWASP Chapter in the world simply review the speaker agreement and then contact the local chapter leader with details of what OWASP PROJECT, independent research or related software security topic you would like to present on.

Sponsorship/Membership

[Donate] to this chapter or become a local chapter supporter.


Or consider the value of Individual, Corporate, or Academic Supporter membership. Ready to become a member? [Join Now]