Difference between revisions of "Vancouver"

From OWASP
(added March 28 event)
 
(26 intermediate revisions by the same user not shown)
= OWASP Vancouver =

Welcome to the OWASP [https://en.wikipedia.org/wiki/Vancouver Vancouver] chapter homepage. We are located in the beautiful province of [https://en.wikipedia.org/wiki/British_Columbia British Columbia], on the West Coast of [https://en.wikipedia.org/wiki/Canada Canada].

Our mission is to enrich Vancouver's application security community. We hope you can join us in accomplishing that.

Welcome to the Vancouver chapter homepage. The chapter leader is [mailto:farshad.abasi@owasp.org Farshad Abasi].<br>

<b>[http://lists.owasp.org/mailman/listinfo/owasp-vancouver Click here] to join the local chapter mailing list. Mailing list archives can be found [http://lists.owasp.org/pipermail/owasp-vancouver here].</b>

= Watch Online =

You can '''subscribe''' to the '''[https://www.youtube.com/channel/UCSXBb_cPvieNm-MoLjjtbXw OWASP Vancouver YouTube channel]''' [https://youtu.be/wsAC2EPuOG8 here] where you can also check out the archives (big thanks to George Pajari).
 
[[File:Vancouver1000x450.png]]

= Events =

Our monthly sessions take place on the 4th Thursday of each month. We also host one-off events and workshops around town.

Have a look at [http://owaspvancouver.eventbrite.com/ our calendar of awesome events] and join us!

= Contact =

The OWASP Vancouver chapter board members are:

* [mailto:farshad.abasi@owasp.org Farshad Abasi] (Chapter lead)
* [mailto:me@jeevan.ca Jeevan Singh]<br>

[https://groups.google.com/a/owasp.org/forum/#!forum/vancouver-chapter Click here] to join the local chapter mailing list and Google Group (pre-Google mailing list archives can be found [http://lists.owasp.org/pipermail/owasp-vancouver here]).

= Watch Online =

'''Subscribe''' to the '''[https://www.youtube.com/channel/UCSXBb_cPvieNm-MoLjjtbXw OWASP Vancouver YouTube channel]''' where you can check out live streams of upcoming sessions as well as archives of previous sessions (big thanks to '''George Pajari''' and volunteers).

= Upcoming Events =

Upcoming events for 2019 are as follows:

== Exploit your way through vulnerabilities, and learn application security concepts ==

'''Date:''' March 28, 2019  // '''Location:''' Plenty of Fish, 25th floor, 555 W Hastings St, Vancouver, BC V6B 4N4, Canada<br>'''Registration''' is required and [https://www.eventbrite.ca/e/exploit-your-way-through-vulnerabilities-and-learn-application-security-concepts-tickets-57412103146 available here]

'''Overview:''' want to test your skills in identifying web application vulnerabilities? How about learning and applying real application security concepts? Here is your chance to do so using the CMD+CTRL cyber range, a unique, immersive environment where players exploit their way through hundreds of vulnerabilities that lurk in business applications today. Success means learning quickly that attack and defence is all about thinking on your feet.

For each vulnerability you uncover, you are awarded points. Climb the interactive leaderboard for a chance to win fantastic prizes! CMD+CTRL is ideal for development teams to train and develop skills, but anyone involved in keeping your organization's data secure can play, from developers and managers, and even CISOs.

'''Requirements:''' participants will need the following:

* A laptop to connect to the CMD+CTRL website
* Download and install Burp Suite (Community is okay) or OWASP ZAP

'''Live streaming:''' not available for this session.

'''Thank you:''' we would like to thank '''Security Innovation''' for coming to Vancouver and bringing us the CMD+CTRL platform for this session, '''Plenty of Fish''' for hosting and providing pizza + pop, and '''Jeevan Singh''' and all the volunteers for helping make this happen!<hr />
 
= Past Events =
 
The following is a listing of our past events:
 
 
 
== Double Header: Continuous Risk-based Authentication + AppSec Incident Response ==

'''Date:''' January 24, 2019  // '''Location:''' Ping Identity, 564 Beatty St. - Suite 700 (7F, buzz 0700), Vancouver<br>

This is a special double header edition of the OWASP Vancouver meet-up series with two great speakers: Tanya Janca and Siva Ram. They will be speaking on Application Security Incident Response and Continuous Risk-based Authentication respectively. Details are provided below.

'''<u>1st Speaker:</u>''' <u>Tanya Janca (6-7pm)</u>

'''Title:''' Are You Ready for the Worst? Application Security Incident Response

'''Abstract:''' No matter the size of your IT shop, if the first time you think about the security of the software is during a major incident, it's not going to go well. I will teach developers and security teams to prepare for, manage, and hopefully prevent, application security incidents. Starting with preparation: do you have a proper application inventory? How do you manage your technology stack? Disaster Recovery? Backup strategy? Do you have a WAF? Monitoring? Tools that are at the ready when the s* hits the fan? During an incident: who's managing the incident? Do you know? What is triage? Who does the investigation? Do you have a "safe" place to do potentially destructive testing? This talk outlines an immediate plan for the audience to get started, with a list of open source tools the security team and/or developers will use to ensure that they are ready for the worst.

'''Speaker Bio:''' Tanya Janca is a senior cloud advocate for Microsoft, specializing in application and cloud security; evangelizing software security and advocating for developers and operations folks alike through public speaking, her open source project OWASP DevSlop, and various forms of teaching via workshops, blogs and community events. As an ethical hacker, OWASP Project and Chapter Leader, Women in Security and Technology (WIST) chapter leader, software developer and professional computer geek of 20+ years, she is a person who is truly fascinated by the 'science' of computer science.

'''Live recording:''' you can find a recording of this session here: https://youtu.be/_19DwUe3jG8

'''<u>2nd Speaker:</u>''' <u>Siva Ram (7-8pm)</u>

'''Title:''' Managing convenience and security: Moving towards continuous risk based authentication

'''Abstract:''' Your organization does not have to be breached for you to end up having to send notification of a data compromise. All it takes is for one of the millions of websites to lose credentials and your site can be vulnerable, due to credential stuffing attacks. Attackers have also become very sophisticated in combining different data sources and attack vectors (phishing, social engineering, malware, etc.) to launch successful attacks, resulting in account takeovers and data compromise. This presentation will discuss some of the attack trends on customer facing applications and how your authentication methods need to adapt to keep your sites secure.

'''Speaker Bio:''' Siva Ram is the Head of Security & Fraud risk for commercial banking digital channels at a global bank. He started off as a developer and has 18 years of experience in the security industry. He has been a pentester and PCI/PA QSA, and is currently responsible for protecting mission critical banking applications against cyber and fraud attacks.

'''Live recording:''' you can find a recording of this session here: https://youtu.be/RcoJrvJdH1g
 
== Hunting for vulnerabilities in OWASP Juice Shop ==

'''Date:''' November 29, 2018  // '''Location:''' OpenDNS/CISCO, 675 W Hastings St, Suite 600, Vancouver, BC, Canada.

'''Speaker:''' Jeevan Singh<br>'''Abstract:''' Have you ever wanted to hack a website? Did you want to see the types of vulnerabilities which bad guys exploit? This limited availability workshop will go through a purposefully vulnerable website and show you the different ways that individuals with malicious intent will look to do harm. After a brief demo, you will have time to hack the website yourself to see if you can find holes yourself.

'''Speaker Bio:''' Jeevan Singh is a Senior Security Engineer for an HR software company, where he is embedding security into all aspects of the software development process. Jeevan enjoys building security culture within organizations and educating staff on security best practices. Jeevan is responsible for a wide variety of tasks including: architecting security solutions, working with development teams to resolve security vulnerabilities and building out security features. Before life in the security space, Jeevan had a wide variety of development and leadership roles over the past 15 years.
 
 
 
== Threat Modelling Gamification: How to get developers to think differently at secure coding ==

'''Date:''' September 27, 2018  // '''Location:''' OpenDNS/CISCO, 675 W Hastings St, Suite 600, Vancouver, BC, Canada.

'''Speaker:''' Dana Epp<br>'''Abstract:''' The concept of writing safer, more resilient software against the threat landscape of today is a daunting task. Especially when tight budgets and deadlines are constantly under pressure and the rapid adoption of faster release cycles makes it far too easy to 'skip' thinking about the security of the systems and data we rely on to deliver our software. In this session, Dana will introduce threat modeling in a way to help you educate your developers and DevOps on how to look for threats and how to think like an attacker, all while having a bit of fun. From learning how to draw developers in with gamification using a simple card game called 'Elevation of Privilege' that focuses on identifying threats in your software to leveraging free tools published by Microsoft to aid you in documenting and responding to such threats, you will walk away with a better understanding of how to look at your software more defensively. Practical exercises and real world discussions will strengthen the presentation and reinforce the learning objective... to write safer, more secure software in every sprint.

'''Speaker Bio:''' Dana Epp has spent decades as an architect who focuses on helping secure software, data and infrastructure. When he's not helping to build and grow software companies he's advising others on adapting and embracing the ever-changing landscape of IT. As both a Microsoft Regional Director and Azure Security MVP, he spends a great deal of time on security engineering in the cloud, focused on building safe, decoupled systems. His latest project is a cloud threat protection platform for Azure, which you can check out at www.auditwolf.com. You can also follow him at www.danaepp.com.
 
 
 
== What you need to know about Web Application Firewalls (WAF) ==

'''Date:''' July 26, 2018  // '''Location:''' ACL, 980 Howe Street, 13th floor, Vancouver, BC V6Z 1N9, Canada

'''Speaker:''' Yvan Boily

'''Abstract:''' Join Yvan Boily for an overview of WAF technologies, how they can be deployed to protect your application and organization, their weaknesses and strengths, and learn how you can use FTW and other tools to test the effectiveness of your firewall.

'''Speaker Bio:''' Yvan Boily has been working in IT Security for more than 15 years in the government and finance sector. Previously the chapter lead for OWASP and a co-founder of BSidesVancouver and MARS, Yvan Boily is currently working with Fastly as a Security Researcher.
 
== Transitioning into DevSecOps ==
 
'''Date:''' May 31 // '''Location:''' Microsoft Canada, Suite 1100 - 1111 W. Georgia, Vancouver, BC
 
 
 
'''For those of you who are unable to make it in person, you can [https://youtu.be/wsAC2EPuOG8 watch the live-stream here]''' and '''subscribe to the [https://youtu.be/wsAC2EPuOG8 OWASP Vancouver YouTube channel]''' [https://youtu.be/wsAC2EPuOG8 here]. (big thanks to George Pajari)<br>
 
'''Speaker:''' Roger Trevisan<br>
 
'''Abstract:''' Software development practices have evolved quite a bit in the recent years, from Waterfall, to the multiple flavors of Agile and now into DevOps. Security teams often have challenges keeping up with the speed and scalability requirements from the new development and operations practices and end up creating barriers that may cause disruption into development and operations life-cycle.
 
  
This presentation aims to cover the main reasons why security teams are failing to bolt security onto the current development models. It also shines some light on the difference between traditional security, DevOps + Security and DevSecOps, and exposes some of the processes, tools and cultural changes required for a successful DevSecOps organization.<br>

'''Speaker bio:''' Roger Trevisan is a CISSP certified security professional with 12+ years of experience with web application security, secure coding, secure development lifecycle, penetration testing, risk assessment, vulnerability management, network security and information systems administration. As a skilled penetration tester and application security professional, Roger has helped high-profile companies in industries such as financial, healthcare and telecommunication to identify and address a large number of critical security vulnerabilities.

== Managing an Application Security Testing and Vulnerability Management Program in a CI/CD Environment ==

'''Date:''' March 29  ([https://goo.gl/t8zH4W registration] is free and required as capacity is limited).<br>

'''Speaker:''' Karim Lalji // '''Location:''' Mozilla's Vancouver office (https://www.mozilla.org/en-US/contact/spaces/vancouver/, buzz 209)<br>

'''Abstract:''' Modern software environments have adopted new methodologies for developing products, including continuous integration and continuous delivery, more commonly referred to as CI/CD. Application security testing and vulnerability management is an important aspect of software environments; unfortunately this practice is often lacking in both effectiveness and requisite knowledge when dealt with from an application perspective as opposed to traditional IT infrastructures. The challenges are further extended in CI/CD environments where critical code is merging into production at regular intervals without proper security coverage.<br>

This talk will aim to provide individuals with a working understanding of application security testing (AST) as well as vulnerability management in a modern software enterprise employing DevOps practices, and more specifically a CI/CD pipeline. The talk will discuss security testing at different stages of the S-SDLC, from source code analysis to penetration testing, and how to effectively manage vulnerabilities. The discussion is applicable to anyone with an interest in security or software in general but is of particular relevance to managers and architects interested in building an effective application security program.

'''Speaker Bio:''' Karim has a background in application security, particularly in the banking/finance industries, and currently works in a senior offensive security consulting role conducting penetration testing and threat/vulnerability assessments for a variety of clients. Karim was a software engineer in his past life and securing applications has been a strong focus for a good portion of his career.

== Finding High-Risk Web Vulnerabilities with a Small Number of Generic Payloads ==

'''Date:''' Jan 25  // '''Location:''' Mozilla's Vancouver office (https://www.mozilla.org/en-US/contact/spaces/vancouver/, buzz 209)<br>

'''Speaker:''' Miles (San-Tsai) Sun<br>

'''Abstract:''' Using a small number of generic payloads to discover high-risk web vulnerabilities (e.g., SQL injection, Remote Code Execution) is highly desirable during a penetration test. In this talk, I will present and demonstrate a lightweight vulnerability detection approach complementing traditional automatic scanners. Using an expression probing technique, this approach can systematically probe whether user-controlled input is treated as code by the server-side program logic, as well as the situational context of the injected payload and its underlying language. Compared to automatic vulnerability scanners, this approach imposes a tiny network footprint (e.g., quick, negligible system impact, avoids IP blocking), is agnostic to application platform/language, and is friendly to Web Application Firewall/Intrusion Detection and Prevention Systems. This lightweight detection technique could address or reduce many common challenges faced by penetration testers.

'''Speaker Bio:''' San-Tsai Sun is a passionate information security professional and researcher. With more than 20 years of expertise in system development and application security, he is currently an Advanced Security Engineer at Staples, where he enjoys his work in penetration testing, static/dynamic vulnerability scanning, source code review, risk analysis/threat modeling, and application security design consultancy. Prior to Staples, he was a Senior Information Security Consultant at HSBC Bank. San-Tsai holds a PhD in Information Security from the University of British Columbia, and has been helping hundreds of websites to address high risk security vulnerabilities found on their sites.

'''Presentation content:''' you can find the slide decks for this presentation [http://www.zyxgroup.com/presentations/OWASPVan-SanTsai-BreakFixProbingBasedVulnerabilityScan.pptx here].

= Participation =

OWASP Foundation ([https://docs.google.com/a/owasp.org/presentation/d/10wi1EWFCPZwCpkB6qZaBNN8mR2XfQs8sLxcj9SCsP6c/edit?usp=sharing Overview Slides]) is a professional association of [[Membership | global members]] and is open to anyone interested in learning more about software security. Local chapters are run independently and guided by the [[Chapter_Leader_Handbook]]. As a [[About_OWASP | 501(c)(3)]] non-profit professional association, your support and sponsorship of any meeting venue and/or refreshments is tax-deductible. Financial contributions should only be made online using the authorized online chapter donation button. To be a <b>SPEAKER</b> at ANY OWASP Chapter in the world simply review the [[Speaker_Agreement | speaker agreement]] and then contact the local chapter leader with details of what OWASP PROJECT, independent research or related software security topic you would like to present on.

= Sponsorship/Membership =

[[Image:Btn_donate_SM.gif|link=https://www.owasp.org/index.php/Local_Chapter_Supporter]] to this chapter or become a local chapter supporter.

Or consider the value of [[Membership | Individual, Corporate, or Academic Supporter membership]]. Ready to become a member? [[Image:Join_Now_BlueIcon.JPG|75px|link=https://www.owasp.org/index.php/Membership]]

= Speakers =

We welcome speakers of all levels! You don't have to be a pro to talk at one of our events, but we do ask that your talk be related to an application security domain and provide value to attendees. To be a speaker, simply review the [[Speaker_Agreement |speaker agreement]] and then contact our [mailto:farshad.abasi@owasp.org chapter lead] with details of what OWASP project, independent research or related application security topic you would like to present on.

= Membership =

OWASP Foundation ([https://docs.google.com/a/owasp.org/presentation/d/10wi1EWFCPZwCpkB6qZaBNN8mR2XfQs8sLxcj9SCsP6c/edit?usp=sharing Overview Slides]) is a professional association of [[Membership |global members]] and is open to anyone interested in learning more about software security. Local chapters are run independently and guided by the [[Chapter_Leader_Handbook]].

Consider the value of [[Membership | Individual, Corporate, or Academic Supporter membership]]. Ready to become a member? [[Image:Join_Now_BlueIcon.JPG|75px|link=https://www.owasp.org/index.php/Membership]]

__NOTOC__
<headertabs />

= Sponsors =

As a [[About_OWASP | 501(c)(3)]] non-profit professional association, your support and sponsorship of any meeting venue and/or refreshments is tax-deductible. Financial contributions should only be made online using the authorized online chapter donation button.

[[Image:Btn_donate_SM.gif|link=https://www.owasp.org/index.php/Local_Chapter_Supporter]] to this chapter or become a local chapter supporter.

= Our 2019 Sponsors =

We would like to thank the following companies for providing us with space, pizza and pop, and helping us with our mission to enrich Vancouver's application security community.

{|
|-
| &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;[[File:FwdSec.png|frameless|200px|thumb|left|link=https://www.forwardsecurity.com]] || &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;[[File:PlentyOfFish.png|frameless|200px|thumb|left|link=https://www.pof.com/en/press/]] || &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;[[File:zenefits.png|frameless|200px|thumb|left|link=https://www.zenefits.com]]
|-
| [[File:Galvanize.jpg|frameless|200px|thumb|left|link=https://www.wegalvanize.com/]] || [[File:CISCO.png|frameless|200px|thumb|left|link=https://www.cisco.com/c/en_ca/index.html]] || [[File:cmd.png|frameless|200px|thumb|left|link=https://www.cmd.com]]
|}

[[Category:Vancouver]]
[[Category:OWASP Chapter]]

Latest revision as of 02:49, 15 May 2019
