OWASP Nashville
Welcome to the OWASP Nashville Chapter
Want to speak at a future meeting?
We have a CFP hosted by PaperCall.io. All talks are welcome that are germane to OWASP. We encourage Nashville community members, especially anyone who wants to speak for the first time, to submit a talk. We’ll have plenty of space for seasoned engineers and well-practiced talks just as much as we will those who are less-experienced, college students or want to be more involved or practice their public speaking.
Next Meeting / Event
Join the OWASP Nashville group on Meetup to be notified when the details of the next event are published.
Participation
The Open Web Application Security Project (OWASP) is a nonprofit foundation that works to improve the security of software. All of our projects, tools, documents, forums, and chapters are free and open to anyone interested in improving application security.
Chapters are led by local leaders in accordance with the Chapter Policy. Financial contributions should be made online using the authorized online donation channels. To be a speaker at any OWASP Chapter simply review the speaker agreement and then contact the local chapter leader with details of what OWASP Project, independent research, or related software security topic you would like to present.
Everyone is welcome and encouraged to participate in our Projects, Local Chapters, and Events. We especially encourage diversity in all our initiatives. OWASP is a fantastic place to learn about application security, to network, and even to build your reputation as an expert. We also encourage you to become a member or consider a donation to support our ongoing work.
Past Events
08/14/2024: Capture the Flag - SHRED by Security Innovation
07/24/2024: Every app risk, everywhere, all at once
Security tooling will identify application security risks and multiple tools will deluge security folks and application developers with signal – to the degree that no human or group of humans can hope to tackle these with anything approaching sanity. In this talk, we’ll discuss a better way to operationalize reducing risk, some stories from the trenches and what both bad and good look like.
06/19/2024: Digital Safeguards: Your Essential Blueprint for Navigating Cyber Threats with Elizabeth Stephens
Outdated cybersecurity tactics leave us vulnerable. This thought-provoking talk introduces the “Cyber Risk Manifesto”, drawing upon the wisdom of military intelligence and corporate defense methodologies. Explore innovative strategies for predicting threats, reinforcing defenses, and empowering everyone to become cybersecurity guardians. Discover how outmaneuvering attackers is the key to digital resilience.
05/22/2024: Supply Chain Security with Dan Lorenc
Dan Lorenc is co-founder and CEO of Chainguard, a leading software supply chain security company. Dan has been working on and worrying about containers since 2015 as an engineer and manager. He started projects like Minikube, Skaffold, and Kaniko to make containers easy and fun, then got so worried about the state of OSS supply-chains he helped found the Tekton and Sigstore projects to make it easier to build and use containers securely; as well as SLSA to create a common language for software security and supply chain integrity. He has been involved with the Cloud Native Computing Foundation, chaired the Continuous Delivery Foundation technical oversight committee, and sits on the governing board for the Open Source Security Foundation. You can find him on Twitter @lorenc_dan.
05/01/2024: Understanding the Cyber Kill Chain with Elizabeth Stephens
This session will delve into the Cyber Kill Chain, a foundational framework for comprehending cyberattacks. We’ll explore how attackers operate and empower ourselves to build targeted defenses. While a valuable tool, we’ll also discuss the Kill Chain’s limitations and the evolving nature of attacker tactics.
02/29/2024: Kubernetes Top 10 with Jimmy Mesta
Given the growth and adoption of Kubernetes, a number of projects have been published in the OWASP community to help practitioners assess and secure the security of their containerized infrastructure including the recently released Top Ten for Kubernetes. This OSS project is a community-curated list of the most common Kubernetes risks backed by data collected from organizations varying in maturity and complexity. This session will discuss the project in detail, examples for each of the risks in the list, and how you can get involved.
11/10/2021: AWS ID Prefixes: What AWS Doesn’t Cover is What You Need to Know
https://www.meetup.com/OWASP-Nashville-Chapter/events/281949599/
In this talk, we will showcase AWS Prefixes and go over those prefixes what they mean, how you can get them. Some resource types like S3 for example allow for the use of a unique ID rather than the full principal ARN that many know and understand. We can cover why use of the unique ID is fundamentally a bad idea, and how to handle them should you run into an environment that has them.
05/04/2021: Secure Coding Tournament with Secure Code Warrior
Secure Code Warrior brings you a defensive security-based tournament from a developer’s perspective. The tournament allows you to test your skill against the other participants in a series of vulnerable code challenges that ask you to identify a problem, locate insecure code, and fix a vulnerability. You don’t need programming knowledge as this will be a great way to learn the foundations and intermediates of leveraging code that is not only functional but is also secure. With a variety of languages to play with: C# .NET MVC, C# .NET WebForms, C# .NET Core, GO Basic, Java EE (JSP) & (JSF), Java Spring, JavaScript Node.JS (Express), Python Django, and last but not least, Pseudocode Basic for the non-coders.
03/02/2021: OWASP Threat and Safeguard Matrix (TaSM)
https://www.meetup.com/OWASP-Nashville-Chapter/events/276453229
The Threat and Safeguard Matrix or (TaSM) is an action oriented view to safeguard and enable the business created by Ross Young. Simply put if Cyber is in the business of Revenue Protection, then we need to have a defense in depth plan to combat the biggest threats to our companies. This matrix allows a company to overlay their major threats with the NIST Cyber Security Functions (Identify, Protect, Detect, Respond, & Recover) to build a robust security plan. Organizations which perform this activity will gain a better understanding of how to protect their company as they fill in safeguards which mitigate important threats. Remember the devil is in the details, hence why we chose a TaSManian Devil as the project logo.
Ross Young is the CISO of Caterpillar Financial, a lecturer at Johns Hopkins University, and a SANS instructor. Prior to this role, he was a divisional CISO at Capital One. His expertise ranges from attacking financial services for the federal government to defending organizations by automating defenses in DevSecOps pipelines. He is actively involved in all things cloud, container, and Kubernetes security. Ross holds master’s and bachelor’s degrees from Johns Hopkins University, Idaho State University, and Utah State University. Ross’s interest in pirates and ninjas have inspired him to stealthily enable and safeguard the business without the paperwork.
10/27/2020: Defending Multicloud Infrastructure
Senior Application Security Engineer at Asurion, Instructor for the SANS Institute, and OWASP Nashville Co-Leader Brandon Evans discussed how to defend infrastructure and applications running in Amazon Web Services (AWS), Microsoft Azure, and the Google Cloud Platform (GCP). Brandon is the lead author of SANS SEC510: Multicloud Security Assessment and Defense. For more information, visit: SANS.org/SEC510
05/19/2020: Web Application Cyber Range for Fun & Profit
For our first virtual Meetup, Security Innovation ran one of their CMD+CTRL Cyber Ranges in which our chapter competed:
Stuck at home, but still want to test your skills in identifying web app vulnerabilities? OWASP Nashville and Security Innovation invite you to virtually compete in CMD+CTRL, a web application cyber range where players exploit their way through hundreds of vulnerabilities that lurk in business applications today. Success means learning quickly that attack and defense is all about thinking on your feet.
For each vulnerability you uncover, you are awarded points. Climb the interactive leaderboard for a chance to win fantastic prizes! CMD+CTRL is ideal for development teams to train and develop skills, but anyone involved in keeping your organization’s data secure can play - from developers and managers and even CISOs.
All you need is your laptop and your mischievous, curious inner-self and you’ll be ready to hack away!
Sponsor
10/22/2019: Serverless Security for Dummies
Tal Melamed (@4ppsec), Head of Security Research at Protego Labs and Co-Leader of the OWASP Serverless Top 10, flew in to teach us about Serverless Security:
In moving to serverless technology, such as AWS Lambda or Azure Functions, we shift some security responsibilities to the infrastructure provider by eliminating the need to manage servers. Unfortunately, that doesn’t mean we’re entirely absolved of all security duties. Serverless functions still execute code and can still be vulnerable to application-level attacks. As a new type of architecture, serverless presents new security challenges. Some are equal to traditional application development, but some take a new form. Attackers are thinking differently, and developers must do so as well to gain the upper hand.
In this talk, Tal Melamed will dive into serverless risks. Discussing why they are different from traditional attacks, how to exploit them and how we should protect our application against them.
Sponsor
06/13/2019: MusicCityCon
Instead of a normal OWASP Meetup, we held our inaugural MusicCityCon conference.
Presentations Archived on YouTube Meetup Agenda and Sponsors
05/07/2019: CMD+CTRL Web Application Cyber Range
Security Innovation ran an instance of their Shadow Bank Cyber Range in which our chapter competed:
Want to test your skills in identifying web app vulnerabilities? Join OWASP Nashville and Security Innovation as members compete in CMD+CTRL, a web application cyber range where players exploit their way through hundreds of vulnerabilities that lurk in business applications today. Success means learning quickly that attack and defense is all about thinking on your feet.
For each vulnerability you uncover, you are awarded points. Climb the interactive leaderboard for a chance to win fantastic prizes! CMD+CTRL is ideal for development teams to train and develop skills, but anyone involved in keeping your organization’s data secure can play - from developers and managers and even CISOs.
Sponsors
03/19/2019: Exploring the Dark Web
For our inaugural OWASP Nashville Chapter Meetup, Chapter Co-Leader Joel Tomassini presented on how to explore the Dark Web securely.