OWASP Boulder

OWASP Boulder

Welcome to the OWASP Boulder chapter homepage!!

EVERYONE is welcome to attend our regular meetings, whether CSO, Developer, QA Engineer, Project Manager, …. whoever, welcome. We are dedicated to vendor neutral presentations that raise the security awareness of all attendees. Come join us!

Follow chapter news on Meetup

Join us on our Slack Channel

The chapter board is

Check our Upcoming Meetup Events:

Want to Present at OWASP Boulder Chapter Events??

Just email the proposed talk title, abstract and speaker bio to the Chapter Leaders via e-mail.

REMEMBER, ALL PRESENTATIONS MUST BE VENDOR NEUTRAL … NO SALES PITCHES!!!


Past Events


=================================================================================== 2021 May: Download presentation

Scale Your Security by Embracing Secure Defaults & Eliminating Bug Classes

We’re in the middle of a significant shift in how security teams operate and prioritize their limited budget and person-time. Historically, as an industry, we’ve focused on building tools to identify vulnerabilities. While we’ve built impressive tools, these approaches have failed to address the challenges of modern engineering teams. Specifically, these tools often are too slow, require a prohibitive amount of security engineer time and domain expertise to tune, overwhelm users with false positives, and most importantly, do not ultimately raise a company’s security bar. But there’s another way. Rather than investing in finding more bugs, some modern security teams are instead focusing on providing developers with frameworks and services with secure defaults (“guard rails”) so that developers can build features quickly and securely. When done correctly, combining secure defaults and lightweight checks that enforce invariants (properties that must always hold), organizations can solve classes of vulnerabilities by construction, preventing bug whack-a-mole. In this talk, we’ll present a practical step-by-step methodology for:

Choosing what to focus your AppSec resources on

How to combine secure defaults + lightweight invariant enforcement to eradicate entire vulnerability classes

How to integrate continuous code scanning into your CI/CD processes in a way that’s fast, high signal, and low friction for developers

How to use an open source, lightweight security linting tool to find bugs and anti-patterns specific to your company

Speaker: Adam Berman Adam Berman is lead product engineer for r2c. In this role, he focuses on building and scaling the semgrep application in order to make it intuitive, easy to use, and reliable. Previous to r2c, Adam led the engineering team for Meraki Insight at Cisco Meraki, using ML and AI techniques to identify and solve performance problems in networked applications. Adam holds an MS in Computer Science from the Georgia Institute of Technology and a BA in Philosophy from Dickinson College.

=================================================================================== 2021 April

Password Craziness and Authentication: Presentation/Discussion

Aaron and Steve will do a presentation focused on our authentication nemesis: passwords. It’s been a long ugly haul that we’ve been dealing with these beasts and they are still the predominant way we authenticate. Password guidelines change and we struggle with what is best; that users will do …. well. It’s not easy. So Aaron and Steve will present but also lead a discussion on this. What is everyone else doing and what is best?

Speaker: Aaron Cure and Steve Kosten Aaron is a principal security consultant for Cypress Data Defense where he does penetration testing, secure SDLC, static code review, and secure architecture work. He started out in the U.S. Army, spending 10 years as a Russian linguist and satellite repair technician. He then worked as a database administrator and programmer on the Iridium project, with subsequent positions as a telecommunications consultant, senior programmer, and security consultant. Aaron began his infosec career in 2006 expanding his expertise to developing security tools and performing secure code reviews, vulnerability assessments, penetration testing, risk assessments, static source code analysis, and security research. A SANS instructor since 2013 he currently teaches SANS SEC542: Web App Penetration Testing and Ethical Hacking.

Steve Kosten is Managing Director at Cypress Data Defense performing secure code reviews across multiple languages, web app and mobile penetration testing, vulnerability assessment and risk management, and helping clients create and grow a secure development lifecycle, working in sectors such as insurance, finance, real estate, transportation, and many more. He previously performed security work in the defense and financial sectors as well as non-profit and headed up the security department for a financial services firm. Steve has been teaching for SANS since 2013 and currently can be found teaching SANS SEC545: Cloud Security Architecture and Operations.

=================================================================================== 2021 February: Download presentation

You Don’t Have to Be Crazy to Work Here

Cybersecurity professionals spend most of their day focused on the health and wellbeing of the environments in their care. However, the cost of reducing risk and keeping our networks safe often comes at the price of our professionals’ mental health. Many InfoSec professionals burn out, suffer from anxiety and depression, and turn to unhealthy coping mechanisms, which further exacerbate underlying psychological and physical health issues.

This talk will alleviate the stigma around mental health and stress the importance of open and frank dialogs about this critical issue impacting our community. I will share my journey, reverse engineer the stigma of mental health in business, and look at ways to hack mental health in productive and meaningful ways.

Speaker: Douglas Brush Douglas is an information security executive with over 26 years of entrepreneurship and professional technology experience. He is a globally recognized expert in the field of cyber security, incident response, digital forensics, and information governance. In addition to serving as a CISO and leading enterprise security assessments, he has conducted hundreds of investigations involving hacking, data breaches, trade secret theft, employee malfeasance, and a variety of other legal and compliance issues. He also serves as a federally court-appointed Special Master and neutral expert in high profile litigation matters involving privacy, security, and eDiscovery.

He is the founder and host of Cyber Security Interviews, a popular information security podcast.

=================================================================================== 2021 January: Download presentation

Archetypal Secure Application Design Pattern: The Next Evolution

This is the next evolution of the App Sec Effort to move security left through repeatable secure software design patterns. Security responsibilities and controls are distributed across various levels of (IDE-consumable!) UML diagrams; they become Patterns as Code, Architecture as Code, Config as Code. Now the diagrams are actually useful to the builders and designers, so no effort is wasted, producing true agility through treating software archetypes as repeatable, solvable problems with appropriate security baked in, just in time, rather than bolted on as an afterthought. Bigger, better, and with real examples. Help us improve patterns to improve software security.

Speaker: Joe Gerber Joe Gerber is a Secure Software Architect and Secure Software Design practice lead with 10+ years of secure software design experience. He is also a recovering senior web developer and former embedded systems programmer. He deeply desires to use patterns to truly make secure software development a repeatable phenomenon.

He has previously presented at:

  • RMISC 2018
  • SnowFroc 2018
  • Three OWASP Chapter meetings
  • Local community IT professional groups
  • Lead App Sec presenter at quarterly classes held by my employer

He was a volunteer at Defcon’s inaugural App Sec Village

=================================================================================== 2020 October: Download presentation

Exploring Impostor Syndrome and Pluralistic Ignorance in Pentesting

“What if they find out I’m not as smart as they think I am?” “If I can do it, anyone can do it.” “I can’t pull this off? Who am I kidding?” “Lucky me, I was in the right place at the right time.”

Have you ever asked yourself these types of questions? Studies suggest that more than 70% of people experience the impostor syndrome phenomenon at some point in their career, no matter what field they are in. Impostor syndrome combined with pluralistic ignorance can be catastrophic. Pluralistic ignorance can be described as “no one believes, but everyone thinks that everyone else believes”. Together it can make you feel like you are constantly privately rejecting the norm, but publicly go along with it. You have mistakenly assumed everyone else accepts it because they are smarter/faster/better than you are.

This talk will help you identify those thought patterns that undermine your ability to feel as capable as others know you are and take ownership of your well deserved success. Being proactive, asking the right questions, and once you know there is a problem, start working on the solution.

=================================================================================== 2020 September: Download presentation

Account Takeover: Data Findings, Popular Tools, and Prevalent Actors

In our latest account takeover (ATO) findings, we have observed a significant increase in credentials listed on the deep and dark web (15 billion and counting), tools that enable account takeover, and account takeover service advertisements on criminal marketplaces. This presentation highlights the sheer volume of account takeover, how ATO can impact your organization, and mitigation recommendations to keep your credentials safe.

By attending this session, you will take away: • The size of the ATO problem • Tools that attackers use for conducting ATO • Current and evolved approaches to brute-forcing • Best practices for preventing ATO

=================================================================================== 2020 July:

Detect complex code patterns using semantic grep

We’ll discuss a static analysis tool we’re developing called Semgrep and compare it to tools like gosec. Semgrep is a tool for writing security and correctness queries on source code (for Go, Python, Java, C, and JS) with a simple grep-like interface. The original author, Yoann Padioleau, worked on Semgrep’s predecessor, Coccinelle, for Linux kernel refactoring, and later developed Semgrep while at Facebook. He’s now full time at r2c.

Semgrep is open-source and comes with a registry of OWASP Top 10 security checks. It’s ideal for security researchers, product security engineers, and developers who want to find complex code patterns without extensive knowledge of ASTs or advanced program analysis concepts.

For example, with Semgrep you can:

Simply match function calls. The pattern exec.Command(…) matches exec.Command() called with any arguments or across multiple lines - but not the string “exec” in comments or hard-coded strings, because it’s aware of the code structure.

Find use of SSLv3 tls.Config{…, MinVersion: $TLS.VersionSSL30, …}

Find hardcoded JWT tokens var $X = []byte(“…”) … $TOKEN := jwt.NewWithClaims(…) … $Y := $TOKEN.SignedString($X)

=================================================================================== 2020 June: Download presentation

How to Build Awesome Security Instrumentation to Automate AppSec Testing and Protection

Modern software demands velocity, and traditional “outside in” scanning and firewalling are creating bottlenecks and slowing things down. In this talk, Jeff will approach application security from the “inside out”. We will show you how to create simple agents that get inside a running application (like a profiler or debugger) and give you access to everything you might want to know. We’ll demonstrate real agents that identify vulnerabilities without changing any code, scanning, or extra steps. We’ll identify vulnerabilities, analyze access control, and even prevent RCE attacks. Unlike scanning and firewalling, this approach establishes a safe and powerful way for development, security, and operations teams to collaborate. We’ll discuss how software security instrumentation works, how it’s being used in many organizations, and the implications for the practice of application security.

Speaker: Jeff Williams

Jeff brings more than 20 years of security leadership experience as co-founder and Chief Technology Officer of Contrast Security. He recently authored the DZone DevSecOps, IAST, and RASP refcards and speaks frequently at conferences including JavaOne (Java Rockstar), BlackHat, QCon, RSA, OWASP, Velocity, and PivotalOne. Jeff is also a founder and major contributor to OWASP, where he served as Global Chairman for 9 years, and created the OWASP Top 10, OWASP Enterprise Security API, OWASP Application Security Verification Standard, XSS Prevention Cheat Sheet, and many more popular open source projects. Jeff has a BA from Virginia, an MA from George Mason, and a JD from Georgetown. Jeff’s LinkedIn page

=================================================================================== **2020 April: Download presentation **

You got Honey in my Web App
Let’s face it, attackers seem to be holding all the advantages… but it doesn’t have to be that way… With a little bit of creativity and understanding of how attackers actually do what they do, you can mount an effective defense that will leave your attackers openly weeping wondering where it all went wrong. Turns out… it was when they mistakenly started gunning for your web apps. Attendees of this talk will learn about how each layer of a web app stack can be made into the attackers’ worst nightmare.

Speaker: Michael Douglas
Even when his job title has indicated otherwise, Mick Douglas has been doing information security work for over 10 years. He received a bachelor’s degree in communications from Ohio State University. He is the managing partner for InfoSec Innovations. He is a SANS Instructor and a member of the IANS faculty.