OWASP Toronto


Welcome to the Toronto chapter homepage.

Check our Upcoming Meetup Events:


Supporters

We would like to thank the following organizations for their support and contribution to the local Toronto chapter!


PacketLabs


Past Events

2021


Date/Time: September 8, 2021, 6:30 PM to 8:30 PM EDT

Location: online on YouTube: https://www.youtube.com/watch?v=Wyun6p1qfog

Introducing the OWASP TimeGap Theory project

Summary:

OWASP TimeGap Theory is a deliberately vulnerable application focusing on time-of-check to time-of-use (TOCTOU) race condition vulnerabilities. In this talk, the presenter will cover TOCTOU race conditions and the tools and techniques used to find and exploit them.

Presenter:

Abhi Balakrishnan

Abhi Balakrishnan is the creator of the OWASP TimeGap Theory project. He has also authored a book on this topic. Currently, he is working as a senior security consultant in the DevSecOps division of SecurityCompass, Toronto.


Date/Time: August 11, 2021, 6:30 PM to 8:30 PM EDT

Location: online on YouTube: https://www.youtube.com/watch?v=zxCaPXCeqOM

Managing Secrets in Containers

Summary:

Containers need to store and access secrets for tasks such as communicating with other microservices, calling back-end databases, and accessing other resources. In this session, we will look at how secrets management works in container orchestration platforms like Kubernetes and in secret management solutions like HashiCorp Vault. We will also look at concepts such as dynamic secrets, secret rotation and expiration, and at attack vectors and misconfigurations that may allow an attacker to steal secrets.

Presenter:

Boominda Anushka

Boominda is a senior consultant at Security Compass with more than 8 years of experience in information security. He is an experienced penetration tester with in-depth knowledge of application, network, cloud and container security. He has also worked as a systems integrator and has implemented security solutions such as SIEMs, PKI, WAFs and EDR for enterprise clients. He holds an MSc in Information Security and a BSc in IT, along with certifications including CISSP, OSCP, CSSLP and CKS.


Date/Time: July 14, 2021, 6:30 PM to 8:30 PM EDT

Location: online on YouTube: https://www.youtube.com/watch?v=oj7THZ8SEto

DevSecOps: Why Aren’t IAST and RASP in Your Stack?

Summary:

Software is incredibly hard to secure because it’s a black box. We’ve spent decades trying to verify properties of software by analyzing the source code, scanning, fuzzing, pentesting, etc… But the lack of context always leads to false positives, manual effort, long feedback loops, large security backlogs, and MTTR measured in months not days. In this talk, Jeff will demonstrate the power of “security observability” by using instrumentation (like a profiler, debugger, or APM tool) to quickly and easily expose critical security vulnerabilities and attacks from inside an application while it’s running. First, Jeff will introduce Interactive Application Security Testing (IAST) and show you how anyone can use instrumentation to accurately identify complex vulnerabilities without scanning. Jeff will also show you how you can use Runtime Application Self-Protection (RASP) to leverage instrumentation to prevent your application from being exploited in production. Finally, Jeff will provide practical advice on DevSecOps transformation and building bridges between development and security.

Presenter:

Jeff Williams

Jeff brings more than 20 years of security leadership experience as co-founder and Chief Technology Officer of Contrast Security. Previously, Jeff was co-founder and CEO of Aspect Security, a successful and innovative application security consulting company acquired by EY. Jeff is also a founder and major contributor to OWASP, where he served as Global Chairman for 10 years, and created the OWASP Top 10, OWASP Enterprise Security API, OWASP Application Security Verification Standard, XSS Prevention Cheat Sheet, and many more popular open source projects. Jeff has a BA from Virginia, an MA from George Mason, and a JD from Georgetown. https://www.linkedin.com/in/planetlevel/ (@planetlevel)


Date/Time: June 9, 2021, 6:30 PM EDT

Location: online on YouTube: https://youtu.be/zzUvwRRv1lQ

Bringing Order to Static Analysis Security Testing

Summary:

Software developers have always been left with two hard choices: either use security tools that are not built for them, or use free/open-source tools that generate too many false positives and have poor coverage. One of the prime reasons for this dilemma is that traditionally the security workload was managed by application security teams who would find vulnerabilities and filter through false positives. With agile development and DevOps workflows, developers no longer have the option to opt out of secure development.

Datalog-based analysis solves that problem in a fundamentally different way, giving developers new hope. During this presentation we will go over:

  • how static code analysis has changed over the years
  • how Datalog solves some of the inherent problems of static code analysis such as speed, accuracy and coverage
  • how concepts like treating code as data, and partial evaluation, are changing the game completely.

We will also introduce a new static code analysis tool called Reshift, which is built on top of open source tools and leverages Datalog. Reshift is changing the bad reputation that static code analysis amassed over the years, and now developers can finally have it all: accuracy, speed and coverage.

Presenter: Sherif Koussa

Sherif Koussa is OWASP Ottawa Chapter Co-Leader, Software Developer, Hacker, and founder and CEO of Software Secured (https://www.softwaresecured.com) and Reshift (https://www.reshiftsecurity.com). In addition to contributing to OWASP Ottawa for over 14 years, Sherif contributed to WebGoat and the OWASP Cheat Sheets. Sherif also helped the SANS and GIAC organizations launch their GSSP-Java and GSSP-NET exams and contributed to a few of their courses. After switching from software development to security, Sherif took on the mission of supporting developers in shifting security left and shipping more secure code organically. Whether through training, penetration testing as a service, or coaching development teams through shifting security left, Sherif believes that AppSec without the developer won’t yield the best results. Sherif’s current venture, Reshift Security, is a static code analysis tool built for developers, from the IDE through code review and CI.


Date/Time: April 29, 2021, 6:30 PM to 8:30 PM EDT

Location: online on YouTube: https://www.youtube.com/watch?v=4u94Arz2rO0

OWASP Toronto - April Event - Intro to OWASP Juice Shop, ZAP and other projects

Summary:

Join us for a session where we will explore OWASP Juice Shop, a purposefully insecure web application and one of our flagship projects, together with OWASP Zed Attack Proxy (ZAP), our open source tool for testing and scanning applications, as well as other OWASP projects that may help you on your AppSec journey.

Presenter:

Opheliar Chan

Opheliar Chan spends most of her time trying to make software security more accessible, pragmatic, and FUD-free, in her role as Accenture’s Canadian Application Security Lead, while moonlighting as co-lead of the OWASP Toronto Chapter, or as a volunteer or advisor for other infosec groups. For over a decade, she has focused on application security, SDLC process consulting and implementations, program building, penetration testing/vulnerability assessments, and related. Prior to her career in consulting, she worked in security research, web application development, and technical writing.

You can usually find her in-person at OWASP Toronto Meetups, or at [email protected].

Yuk Fai Chan

Yuk Fai has been involved with OWASP since 2012 and is part of the team running the Toronto chapter.

Professionally, Yuk Fai is a Principal and Co-Founder at Proack Security Inc., a Toronto-based information security consulting firm. He specializes in application security, penetration testing, threat modelling, security incident simulations and breach preparedness, and security program advisory.


Date/Time: March 17, 2021, 6:30 PM to 8:30 PM EDT

Location: online on YouTube: https://www.youtube.com/watch?v=nK6UaKw-244

TALK #1

———–

Technical Writing 101: A Pentester’s Perspective

Summary:

This presentation is derived from my experience as an OffSec SME at KPMG. I’ve led numerous pentest engagements, and when it comes down to doing QA on reports, I notice that a lot of people who are technically gifted are sometimes not able to communicate their amazing findings through a convincing and easy-to-understand report that will be presented to people who are less technically inclined.

The focus of the talk is that I hope to be able to help inform others on “good” vs “bad” writing language, format, and delivery from the offensive security standpoint. The target audience is new grads, students, professionals, and pretty much anyone else, including those at the executive level, who are interested in creating impactful and easy-to-understand reports, as well as reading them and understanding the process of creating a pentest report.

Presenter:

Ignatius Michael

I’m a security enthusiast, passionate about all things security, specifically within offensive security. Currently serving my second year at KPMG as a penetration tester (mobile, web app, and network). Pretty much a glorified script kiddie with OSCP who is currently enrolled in OSEP.

TALK #2

———–

Cybersecurity Through the Eyes of Psychology

Summary:

This presentation takes a look at how social engineering attacks work from a psychology perspective. Many cybersecurity issues are human problems, and human behaviour has been studied for longer than cybersecurity has existed as an industry. By understanding and explaining the drivers behind human behaviour, people and organizations can learn how to better protect themselves from attacks.

Presenter:

Victoria Granova (ISC2)

Victoria is the President of the (ISC)² Toronto Chapter board, where she works to create professional education opportunities and connects security groups across the GTA to advance the industry together. In industry, she is a Senior Information Security Consultant at a Big 5 Bank specializing in cybersecurity incident management and governance. Victoria also contributes as an occasional Instructor at York University in the Cybersecurity Certificate Program.


Date/Time: February 17, 2021, 6:30 PM to 8:30 PM EST

Location: online on YouTube: https://www.youtube.com/watch?v=ZbVqHx8cznw

Unicode vulnerabilities that could byͥte you

Summary:

The number of Unicode code points has never stopped growing just like its integration in modern technologies. Web applications you have developed or used are likely to support input and output formatted in UTF-8 character encoding.

In this talk, you will learn about the security implications of encoding conversion. Normalizing a UTF-8 string to ASCII-only characters has numerous potential side effects. The latest research affecting Unicode will be summarized, including the HostSplit attack, which abuses minor character conversions to trigger an open redirect or Server-Side Request Forgery (SSRF). Aside from normalization, uppercase and lowercase transformations can introduce vulnerabilities. Encoding can be used to circumvent security controls such as Web Application Firewalls. Additionally, Punycode is the representation used to support domain names containing characters outside ASCII; it can be used to create visual confusion for end users.

While some issues were patched in major software, many risks remain or are likely to resurface. Get ready for a complete summary of everything security professionals should know about Unicode!
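The normalization and case-mapping problems described above, as an added worked example written for this page (not the speaker's code). It assumes a redirect target is validated as a hostname under example.com (a placeholder for the application's own domain) and that some later component applies NFKC, as IDNA processing does; every hostname below is a constructed input. The naive check validates the raw string, so a host containing U+2100 (ACCOUNT OF, which NFKC turns into "a/c") passes the suffix check and then splits into a different host. The hardened check normalizes and case-folds first, refuses anything that is not plain ASCII, and hands back the canonical value so the caller never uses the raw input. It also shows that current CPython's urlsplit refuses such a netloc outright.

```python
import unicodedata
from typing import Optional
from urllib.parse import urlsplit

TRUSTED_DOMAIN = "example.com"   # placeholder for the application's own domain


def nfkc(s: str) -> str:
    return unicodedata.normalize("NFKC", s)


def naive_host_is_trusted(host: str) -> bool:
    """The bug: the suffix check runs on the raw string, before anything
    downstream normalizes it."""
    host = host.lower()
    return host == TRUSTED_DOMAIN or host.endswith("." + TRUSTED_DOMAIN)


def host_after_nfkc(host: str) -> str:
    """What a component that applies NFKC (IDNA processing does) ends up
    treating as the host: the normalized text up to the first '/', '?' or '#'."""
    n = nfkc(host)
    cut = min([i for i in (n.find(c) for c in "/?#") if i != -1] + [len(n)])
    return n[:cut]


def canonical_trusted_host(host: str) -> Optional[str]:
    """Hardened version: normalize and case-fold first, refuse anything that is
    not plain ASCII or contains a delimiter, validate the result, and return it
    so the caller uses the canonical value rather than the raw input."""
    canon = nfkc(host).casefold()
    if not canon.isascii() or any(c in canon for c in "/?#@:\\ "):
        return None
    if canon == TRUSTED_DOMAIN or canon.endswith("." + TRUSTED_DOMAIN):
        return canon
    return None


def upper_collides(a: str, b: str) -> bool:
    """Case mapping is not injective: two distinct identifiers can share one
    uppercase form (e.g. dotless i, U+0131, uppercases to ASCII I)."""
    return a.upper() == b.upper()


def stdlib_urlsplit_rejects(url: str) -> bool:
    """Current CPython's urlsplit raises ValueError for a netloc whose NFKC form
    would contain a URL delimiter (the HostSplit case). Reports whether it fired."""
    try:
        urlsplit(url)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    evil = "evil.com\u2100.example.com"          # U+2100 ACCOUNT OF, NFKC -> "a/c"
    print("naive check passes:", naive_host_is_trusted(evil))
    print("host after NFKC:", host_after_nfkc(evil))
    print("hardened check:", canonical_trusted_host(evil))
    print("adm\u0131n collides with admin:", upper_collides("adm\u0131n", "admin"))
    print("KELVIN SIGN host folds to:", canonical_trusted_host("\u212aevil.example.com"))
    print("urlsplit rejects:", stdlib_urlsplit_rejects("https://" + evil + "/"))
```

The rule the hardened function encodes is the general one: normalize, then validate, then use only the normalized value. The KELVIN SIGN case shows why returning the canonical host matters: the input is accepted, but as "kevil.example.com", which is what every downstream component will also see.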

Presenter:

Philippe Arteau

Philippe is a security researcher working for GoSecure. His research is focused on Web application security. His past work experience includes pentesting, secure code review and software development. He is the author of the widely used Java static analysis tool OWASP Find Security Bugs (FSB). He is also a contributor to the static analysis tool for .NET called Security Code Scan. He built many plugins for Burp and ZAP proxy tools: Retire.js, Reissue Request Scripter, CSP Auditor and many others. Philippe has presented at several conferences including Black Hat Arsenal, SecTor, AppSec USA, ATLSecCon, NorthSec, and 44CON.


Date/Time: February 5, 2021, 11:00 AM to 1:00 PM EST

Location: online using WealthSimple’s Zoom: https://wealthsimple.zoom.us/webinar/register/WN_IgZHxfX7RbO4cfvP9qs3UA

Threat Modelling: An objectives-based primer

Summary:

Of the millions of threat modelling talks, few talk about:

  • not how to do threat modelling, but why we do it
  • not what activities we do, but what those activities do for us.

Join Opheliar Chan to learn about key terms and concepts of threat modelling and threat assessment with a focus on the why. If you’re looking for a How-To, this is not the talk you’re looking for. If you’re looking to understand how threat modelling fits into the big picture, please join us!

Presenter:

Opheliar Chan

Opheliar Chan spends most of her time trying to make software security more accessible, pragmatic, and FUD-free, in her role as Director of Advisory at Security Compass, while moonlighting as co-lead of the OWASP Toronto Chapter, or as a volunteer or advisor for other infosec groups. For over a decade, she has focused on application security, SDLC process consulting and implementations, program building, penetration testing/vulnerability assessments, and related.

You can usually find her in-person at OWASP Toronto Meetups, or at [email protected].

Sponsor:

Wealthsimple is investing on autopilot. We build you a personal, low-cost portfolio and put your money to work like the world’s smartest investors. We’re on a mission to bring smarter financial services to everybody, regardless of age or net worth.

We’re hiring!


Date/Time: January 20, 2021, 6:30 PM to 8:30 PM EST

Location: online on YouTube: https://youtu.be/HAj6qmHFpvY

TALK #1

———–

Learn About Hackers for Change

Summary:

Hackers for Change provides a unique volunteering opportunity for students passionate about hacking, or professionals making a career change, to gain hands-on experience by conducting penetration testing engagements, alongside a senior resource, for the organizations that need it the most. Hackers for Change founder Manny Mand will talk about the organization and highlight current volunteering opportunities.

Presenter:

Manny Mand

Manny is a cyber security consultant and the CEO of Hackers for Change. Manny channels his talents into securing the planet. He actively performs offensive security engagements for major financial institutions and Fortune 500s. Additionally, Manny has collaborated on various vulnerability research projects; a notable example was OpenEMR, a medical record system that housed over 100 million patient records globally. A former assistant instructor at the University of Toronto, School of Continuing Studies, Manny strives to make cyber security programming accessible to all.

TALK #2

————

Intro to OWASP’s ZED Attack Proxy

Summary:

Called OWASP’s most underappreciated project by some (i.e., me), Zed Attack Proxy (ZAP) is great for both scanning web applications and manually inspecting them. This presentation will provide an overview of ZAP, tips on how to configure it for a nicer user experience, demos of common manual penetration testing use cases, as well as how to leverage its scanning capabilities. This talk is designed to be approachable, and is aimed at people who are interested in seeing what ZAP has to offer from a penetration testing and web application scanning point of view.

Presenter:

Jack Enders

Jack is a security consultant and volunteer with OWASP Toronto. His interests include application and mobile security, as well as not getting enough sleep.

2020


Date/Time: December 16, 2020, 6:30 PM to 8:30 PM EST

Location: online on YouTube: https://youtu.be/Y2D1sJ13yvA

EBS, TCF, SQLi, SMH: A cautionary tale about undocumented protocols and whac-a-mole patching

Summary:

With the massive complexity and closed source, hush-hush nature of many enterprise software suites, it is nearly impossible to properly evaluate the risks associated with a “known” vulnerability. Even in an ideal situation where patches may be applied immediately, short-sighted development procedures can provide clear directions to attackers looking for poorly written patches or nearly identical vulnerabilities elsewhere in the product, leaving business critical systems vulnerable until someone discovers and reports the additional flaws and a patch is released.

These problems become even more difficult to mitigate when vulnerabilities involve an undocumented component such as a custom protocol, especially when the mere existence of the protocol is hardly mentioned anywhere in the product documentation. While detecting malicious behaviour in a generic manner for well-known protocols is possible to some extent, detecting exploitation of a vulnerability involving a protocol that you didn’t even know existed is an incredibly tall order.

This talk aims to highlight the need for increased transparency from enterprise software vendors by showing the extensive effort required to truly understand the risks of a vulnerability involving an unknown protocol. It will detail the process behind researching a series of vulnerabilities in the undocumented Thin Client Framework (TCF) protocol, found in Oracle E-Business Suite, which were originally discovered by ERP security firm Onapsis. It will cover every aspect of the research process from the initial fact-finding stages, to developing a detailed understanding of TCF, analysis and exploitation of the vulnerabilities discovered by Onapsis, and finally how two additional vulnerabilities were discovered with near-zero effort.

Presenter:

John Simpson is a Staff Researcher and the Team Lead of the Vulnerability Research Service at Trend Micro in Toronto. He and his team specialize in N-day vulnerability research which involves root-cause analysis of vulnerabilities and devising network detection strategies for exploitation attempts. John graduated in 2015 from the Sheridan College Information Systems Security degree program and before his current position he worked as a consultant in roles such as SOC engineering, penetration testing, vulnerability assessments, and secure code auditing for a variety of industries including banking, insurance, and retail.


Date/Time: October 28, 2020, 6:30 PM to 8:30 PM EDT

Location: online on YouTube: https://www.youtube.com/watch?v=0fnEy1q0TZ0

TALK #1:

————

Designing a Security Champions Program From Scratch

Summary:

Security teams often have to try to foster a security culture in their organization while representing only a minuscule fraction of the entire engineering organization and competing against a number of other priorities. Security champions are seen as a way for security teams to extend their reach and impact. From a thousand-foot view this can seem like an obvious solution, but that view doesn’t make plain the friction many security teams will experience trying to implement it themselves.

Presenter:

Connor McKinnon is a Security Engineer specializing in Application Security. His background includes extensive experience developing distributed full-stack web applications as well as project management in the roles of project lead, coach, and mentor. He is passionate about helping people better understand cyber security and inspiring developers and teams to adopt the mindset that security is everyone’s responsibility.

TALK #2:

————

Introduction to Threat Modeling

Summary:

This talk will introduce the concept of threat modeling, summarize existing threat modeling methodologies, and deep-dive into one of them, the Synopsys Threat Modeling Approach. The approach consists of three steps: model the application, threat analysis, and threat prioritization; we will explore each of these steps in detail during the presentation.

Presenter:

Eli Erlikhman is a managing principal at Synopsys. He has a proven record of building application security programs, trusted advisor relationships, and strong delivery teams. As a managing principal and a certified Building Security In Maturity Model (BSIMM) expert, Eli advises clients on how to build software security programs, measure improvements and security posture, empower development teams, and solve strategic challenges. Eli specializes in the areas of threat modeling, security architecture, security programs, and penetration testing.


Date/Time: October 28, 2020, 6:30 PM to 8:30 PM EDT

Location: online on YouTube: https://www.youtube.com/watch?v=ONJ4lsjxysU

TALK #1:

Frida 101 - Testing Mobile Apps

Summary: Frida is a world-renowned tool for security professionals in numerous fields. This open-source project gives analysts incredible visibility into executables at run time, allowing a security analyst to understand how a mobile app performs secure operations.

With support from the founder and many contributors to Frida, we have developed an introductory course for security professionals of all levels to begin to use this powerful tool. We will start at the beginning with reverse engineering basics, then move into Frida, and finally will provide some hands-on examples. We hope to empower security professionals to be more effective and build an important skill in the mobile appsec world.

Presenter: Brian Lawrence, Director of Solution Engineering, NowSecure

TALK #2:

High-level tactics for reverse engineering software

Summary: Reverse engineering is difficult. It’s easy to get lost in a sea of assembly, not knowing what to review next. This quick talk provides guidance on how you can efficiently review a closed-source binary. The discussion will stick to reverse engineering in general and will not focus on any applied area like reviewing malware, performing exploit development, etc.

Presenter: Adam Greenhill

Adam is a Senior Security Consultant with in-depth knowledge about application security and penetration testing. He has conducted countless network and web/mobile application security assessments. Adam also works regularly on more specialized projects such as testing IoT devices.


Date/Time: August 19, 2020, 6:30 PM to 8:30 PM EDT

Location: Virtually on YouTube: https://www.youtube.com/watch?v=MMQtgV-yv8Y

Presentation summary:

How to Use Access Guardrails to Protect Your Cloud & Empower DevOps

Managing identities and access inside cloud environments is completely different from the corporate environment. We love Linux because it’s so fast to build and deploy web apps, but the minute you want to put any kind of centralized security or control over that environment, you risk running DevOps into the ground.

The fact is, we need DevOps to run fast and lean, but we also need a centralized way to manage access, secure cloud-based systems, and enforce security policies on cloud hosts, virtualized servers, and containers. In this session, we’ll talk about moving from heavy-handed access control to lightweight, agile access guardrails that are built specifically for DevOps.

Watch this presentation and learn how to implement:

  • Real-time user session monitoring for visibility and audit/compliance
  • Just-in-time access approvals and pre-execution blocks using 2FA or Slack/Teams
  • Threat detection and alerting for Linux based attack vectors
  • Identity-based policy for shared accounts and root-access users

Presenter bio:

Scott Holt

Scott is a security professional with experience working at both Lookout and Rapid7 previously. Today he works on ensuring users get the most out of their Linux infrastructure without compromising on best practices.


Date/Time: June 24, 2020, 6:30 PM to 8:30 PM EDT

Location: Virtually on YouTube: https://www.youtube.com/watch?v=OPauB_5ucaA

Presentation summary:

Privacy in the Times of COVID-19 Pandemic

The world post lock-down is changing. We are exploring how new ways of working and existing are introducing new privacy and security risks that we need to be aware of in this new Pandemic dominated world.

Presenter bio:

Amalia Barthel

Amalia is a GRC & Privacy professional who has made it her mission to educate businesses about the importance of privacy for their corporate reputation and resilience.

Amalia works with Chief Privacy and Compliance Officers and CISOs in the health/Pharma, banking, telecom, the FinTech industry and Tech. /Cloud companies, retail, advertising/marketing, aerospace and public sector around the world, to advise on structuring the privacy program and alignment with internal GRC and CyberSecurity efforts.

Amalia has authored/ co-authored many white papers and course material and is currently teaching business courses at University of Toronto, in the areas of IT Risk Management, Cybersecurity Risk Governance/Management and Privacy.

Amalia served on the Canadian IAPP Advisory Board, PMI (as Director on the Board of Directors of the Southern Ontario Chapter - SOC, now Toronto Chapter), and as an Advisor to the ISACA Toronto Chapter where she is actively managing a Mentoring program (as a volunteer) meant to help young professional enter the privacy profession.

Craig Barretto

Craig is an information security consultant and co-founder of Proack Security in Toronto. He has a keen interest in offensive security, specifically application and infrastructure penetration testing.

In his spare time, Craig enjoys staying up-to-date on the latest security trends and doing security research.


Date/Time: May 20, 2020, 6:30 PM to 8:30 PM EDT

Location: Virtually on YouTube: https://youtu.be/MkkP66tt5Ws

Presentation summary:

Software Security Initiative – The Basics

The presentation will explore what a software security program is, common problems organizations encounter when they try to build software security programs, the common success factors, and high-level direction on how to measure the success of the program.

Presenter bio:

Eli Erlikhman

Eli Erlikhman is a managing principal at Synopsys. He has a proven record of building application security programs, trusted advisor relationships, and strong delivery teams. As a managing principal and a certified Building Security In Maturity Model (BSIMM) expert, Eli advises clients on how to build software security programs, measure improvements and security posture, empower development teams, and solve strategic challenges. Eli specializes in the areas of threat modeling, security architecture, security programs, and penetration testing.


Date/Time: May 6, 2020, 6:30 PM to 8:30 PM EDT

Location: Virtually on YouTube: https://www.youtube.com/watch?v=AJhn2aryehY

Presentation summary:

Detect complex code patterns using semantic grep

In this talk we’ll discuss a program analysis tool we’re developing called sgrep. It’s a multilingual semantic tool for writing security and correctness queries on source code (for Python, Java, Go, C, and JS) with a simple “grep-like” interface. The original author, Yoann Padioleau, worked on sgrep’s predecessor, Coccinelle, for Linux kernel refactoring, and later developed sgrep while at Facebook. He’s now full time with us at r2c.

sgrep is the query system underpinning Bento, a free open-source program analysis toolkit that finds bugs using custom analysis we’ve written and OSS code checks. Bento is ideal for security researchers, product security engineers, and developers who want to find complex code patterns without extensive knowledge of ASTs or advanced program analysis concepts.

For example, find subprocess calls with shell=True in Python using the query:

    subprocess.open(…, shell=True)

This will even find snippets like:

    import subprocess as s
    s.open(f'rm {args}', shell=True)

Or find hardcoded credentials using the query:

    boto3.client(…, aws_secret_access_key="…", aws_access_key_id="…")

Presenter bio:

Drew Dennison

Drew Dennison is the CTO & co-founder of r2c, a startup working to profoundly improve software security and reliability to safeguard human progress. Previously at Palantir, he led data-driven cyber insurance platform development and technical incident response on major data leaks for Fortune 100 companies. Drew received his degree in Computer Science from MIT. He lives in SF and spends his free time racing sailboats, camping, and trying to outsmart his two cats.


Date/Time: April 22, 2020, 6:30 PM to 8:30 PM EDT

Location: Virtually on YouTube: https://www.youtube.com/watch?v=RlKZXiHKaG4

Presentation summary:

Lift and Adrift: Understanding Threats in an AWS Environment

The security landscape continues to change as more workloads migrate to cloud services such as AWS. At this point, attacks targeting on-premise environments are generally well understood and mitigated. However, the complexity of cloud services and the ease with which they can be used lead to an array of new attack vectors arising from misconfigured resources.

This talk will provide examples of these new attack vectors in AWS environments, ways to identify these vectors, and finally steps to mitigate them (individually and across an organisation). It is intended to be an introductory talk, and does not require advanced knowledge of AWS services.

Presenter bio:

Jason Plummer

Jason Plummer is a Senior Security Consultant at Security Compass in Toronto, focusing on the offensive side of security. He spends most days at the intersection of application and cloud security. Prior to going on the offensive, Jason spent time on the defensive side with experience in the SOC and his national CSIRT.


Date/Time: March 24, 2020, 6:30 PM to 8:30 PM EDT

Location: Virtually at Okta’s Zoom: https://okta.zoom.us/j/442159392

Presentation summary:

Shifting Security Left: Creating a Security Centric Development Organization

Software as a Service (SaaS) delivery is agile, undergoes fast iterations and needs to ship early to provide value to customers. Security is more often than not an afterthought, and vulnerabilities found after release can be expensive to fix or re-architect. Security teams don’t scale with the size of the development organization, and there is an increasing need to include security as early in the development lifecycle as possible. This talk will cover:

  1. Strategies and tools to embed security early within the CI/CD pipeline with examples.
  2. The need to build secure-by-default libraries and software design to abstract security away from the developer, with a focus on a Java stack
  3. Fostering a culture of security within a development organization
  4. Data driven approaches to reduce time to patch vulnerabilities while mitigating risk of regression

Who is this talk for? This talk is for security engineers looking to be closer to their development organization or developers looking to scale security within their organization.

Presenter bio:

Varrun Ramani

Varrun is the tech lead of the Engineering Security team at Okta, a cloud based enterprise identity company. His interest in security started with participating in CTFs and organizing them, leading to a stint on the offensive side as a security engineer at VMware. His passion for building things led him to Okta where he builds features and tools to keep the platform and product secure and evangelizes security among developers.


Date/Time: February 20, 2020, 6:30 PM to 8:30 PM EST

Location: Room 128 (on the first floor near the library), St. James Campus - Building A, George Brown College, 200 King Street East, Toronto, ON, M5A 3W8

Presentation summary:

War in the Fifth Dimension: A Cyberwar Primer

What defines a cyberwar? Does cyberwarfare actually exist, or are cyber attacks just a means of enacting warfare in the kinetic world? And, more importantly, will escalating political tensions ever result in a cyber conflict, or are we already in the middle of a global cyber cold war?

War in the Fifth Dimension explores what military doctrines, academic literature, international legal frameworks, and the media have collectively coined as the newest domain of warfare. Despite this agreement that cyberwarfare is a plausible concept in the real world, there is little certainty as to what exactly counts as an “act of war” in the cyber realm. Where kinetic conflicts are defined by the injury, destruction, or loss of life of people and physically tangible “objects of war”, cyber attacks primarily target activities and “intangible” data that kinetic conflicts would separately consider to be espionage, terrorism, or psychological and economic manipulation – in other words, strictly the affairs of domestic law.

Despite some of the most paradigmatic cyber conflicts targeting electoral systems, civilian-serving infrastructure, or even the annihilation of physical buildings, international legal frameworks struggle to find ways to frame these “domestic” affairs that could quickly and almost instantly have destructive effects on the international community. If the object and purpose of these regulations is to provide for mutual de-escalation during international conflicts, then we must consider: are the current rules attractive enough for nation-states to willingly adhere to, despite the attractiveness of a cheap, fast, and effective means of attack? And what incentives might there be to inspire them to set regulatory precedent for the future of cyberwarfare?

Presenter bio:

Alana Staszczyszyn

Alana Staszczyszyn is a practicing security consultant. Her past and present work has focused on penetration testing as well as security governance in the public health sector. She is also heavily interested in various political, socioeconomic, and cultural aspects of cybersecurity, particularly on how the intersections of security and those domains have given rise to new risks in the cyber-threat landscape.


Date/Time: January 22, 2020, 6:30 PM to 8:30 PM EDT

Location: Room 128 (on the first floor near the library), St. James Campus - Building A, George Brown College, 200 King Street East, Toronto, ON, M5A 3W8

Presentation summary:

The Clutter that’s Choking AppSec

Increasingly shorter agile development sprints and mandatory security assessments are putting pressure on product teams to deliver secure applications faster than ever. Further, inorganic adoption of security tooling sometimes creates information overload that does more harm than good.

What’s going wrong:

  • Results from SAST, DAST and SCA tools create large vulnerabilities data sets that are difficult to act upon.
  • Automated scan results from security tools are replete with false positives and duplicate entries that make remediation troublesome.
  • Manual methods of triaging vulnerability data sets are inefficient and lower productivity.
  • Improper vulnerability management increases friction between security and engineering teams.

What the audience will glean from this talk:

  • How automated methods of vulnerability correlation and de-duplication can significantly reduce your AppSec testing time.
  • How to effectively integrate vulnerability remediation with the engineering workflow.
  • Understand the basic anatomy of a vulnerability to effectively prioritise and fix security bugs faster and better!

Why should they care:

  • Without a change in approach, application security professionals and engineering teams will continue to delay development schedules and product release dates, or risk releasing a product that is not entirely secure.

Who should attend:

  • Security professionals who face problems managing vulnerabilities.
  • Engineering teams who find the current vulnerability remediation workflow problematic.
  • CISO’s who want to lay down a mature and efficient AppSec Program.

Presenter bio:

Rahul Raghavan

The sheer pervasiveness of applications, their associated software engineering process and therefore the variance of application security quotient across software teams is what drives Rahul’s primary role as an AppSec Advocate at we45.

Having worked on both the building and breaking sides of product engineering, Rahul appreciates both the constraints and the opportunities of imbibing security within the software lifecycle. This understanding created a natural segue for we45’s custom security solution engineering and enhanced AppSec service delivery models for its global customers.

As an active DevSecOps Marketer, Rahul works closely with the offices of CTOs and CIOs in setting up cross-functional skill building and collaboration models between engineering, QA and security teams to build and manage software security maturity frameworks. Rahul is a Certified Information Systems Auditor (CISA) and is a regular speaker at global conferences, seminars and meetup groups on the following topic areas:

  1. Application Security Automation and DevSecOps
  2. AppSec Tooling
  3. Threat Modeling in Agile Engineering
  4. QA: Security Mapping
  5. Automation ROI Modelling
  6. AWS Security
  7. Secure Software Maturity Models

2019


Date/Time: December 11, 2019, 6:30 PM to 8:30 PM EDT

Location: Room 128 (on the first floor near the library), St. James Campus - Building A, George Brown College, 200 King Street East, Toronto, ON, M5A 3W8

Presentation summary:

OWASP IoT Top 10 - Exploring Vulnerability Root Causes

The marketplace of Internet-connected devices for home, office and industry is competitive and IoT vendors must evolve new features and designs rapidly to capture market share. As a result, IoT vendors are faced with tight profit margins and challenging technical constraints which sometimes require them to compromise on security controls. This presentation will introduce the OWASP IoT top 10 vulnerabilities list and lead the attendees through common root causes for the top 10 vulnerabilities by leveraging some scaled-down practical examples. The presentation will conclude with a few ideas on affordable and accessible solutions for IoT product designers to consider.

Presenter bio:

Nicholas Johnston

Nick is a professor and the program coordinator of Sheridan College’s cybersecurity bachelor’s degree program. Prior to his role in academia, Nick led an incident response team and worked as a computer forensic investigator, programmer, penetration tester, secure code auditor and general cybersecurity consultant. You can find him on Twitter at @nickinfosec, where he’ll either be tweeting cringe-worthy cyberpuns or sharing electronics and maker projects.


Date/Time: November 21, 2019, 6:30 PM to 8:30 PM EDT

Location: Room 128 (on the first floor near the library), St. James Campus - Building A, George Brown College, 200 King Street East, Toronto, ON, M5A 3W8

Presentation summary:

Introduction to Web Application PenTesting

Diving into web application penetration testing! Bobby will introduce concepts for web application security testing, common vulnerabilities, pen testing methodologies and resources to help you further develop your skills. Recommended for students or individuals trying to break into the offensive security space.

Presenter bio:

Bobby is a recent graduate working with Security Compass as a Security Consultant. His experience and interests revolve around Application Security. Editor’s note: Bobby promises that the quality that would have been spent on the bio has been spent on the presentation.


Date/Time: October 24, 2019, 6:30 PM to 8:30 PM EDT

Location: Room 128 (on the first floor near the library), St. James Campus - Building A, George Brown College, 200 King Street East, Toronto, ON, M5A 3W8

Presentation summary:

Half a Decade in Review: On Accidental Hacking and the “Hard” Conversations

A lot can change in 5 years. Half a Decade in Review is exactly what it sounds like: an exploration of how cybersecurity has changed in half a decade, from the perspective of an accidental “hacker.”

The nature of cybersecurity is that it extends into every technological facet of life - so it’s not surprising that accidental hacking is not an uncommon story; many of us were not computer experts by nature. This facet also means that technology is still very widely operated by the human - and so the way cybersecurity is architected is at the mercy of human influence and temperament.

This review explores some of the human conversations that perhaps only marginally exist in the boardroom, yet thrive in Twitter echo chambers and Slack room gripes. They are conversations about how the cybersecurity talent gap is deeply entwined with human trends of health maintenance, diversity, education, and providing incentivization for talent. They are the conversations that can be controversial because they are deeply charged with emotions and can have significant real-world consequences, yet do not have dichotomic answers that can be easily expressed in the breadth of 280 characters.

Presenter bio:

Alana Staszczyszyn is a practicing security consultant. Her past and present work has focused on penetration testing as well as security governance in the public health sector. She is also heavily interested in various political, socioeconomic, and cultural aspects of cybersecurity, particularly on how the intersections of security and those domains have given rise to new risks in the cyber-threat landscape.


Date/Time: September 18, 2019, 6:30 PM to 8:30 PM EDT

Location: Room 128 (on the first floor near the library), St. James Campus - Building A, George Brown College, 200 King Street East, Toronto, ON, M5A 3W8

Presentation summary:

Attacking OAuth and SAML

OAuth 2.0 and SAML are well-known protocols used for authorization and authentication. They are commonly seen in everything from major applications like Facebook and GitHub to enterprise apps. OAuth 2 provides authorization flows for web and mobile apps, and SAML is mainly used to enable Single Sign-On. If implemented well, these protocols are very helpful, but given their complexity, developers may neglect certain security best practices, which can lead to serious flaws.

This talk discusses the various known attacks against OAuth and SAML in depth, but before we dive into vulnerabilities we will spend some time understanding how these protocols work, which helps us understand the attack vectors better. We will also look at available open-source tools which can aid in assessments when we encounter these protocols.

Presenter bio:

Harish Ramadoss is a Senior Security Consultant with Trustwave SpiderLabs and has recently moved from the UAE, where he was Security Assurance Manager for Etihad Airways. He is mostly involved in the offensive security space, focusing on application and infrastructure security, social engineering, and red team engagements.

He is also the co-author of DejaVU deception platform and has presented at a few global conferences including Blackhat and Defcon. Harish also holds a Master’s degree in Cyber Laws and Information Security.


Date/Time: August 21, 2019, 6:30 PM to 8:30 PM EDT

Location: Room 128 (on the first floor near the library), St. James Campus - Building A, George Brown College, 200 King Street East, Toronto, ON, M5A 3W8

Presentation summary:

OWASP Security with Azure App Gateway WAF, Log Analytics Monitoring and Azure Sentinel

Roy Kim will show an end-to-end configuration of Azure App Gateway in front of an Azure App Service application with Log Analytics monitoring and Azure Sentinel. You will see a demo of a simple penetration test and how you can monitor and alert with Log Analytics and Azure Sentinel to detect common web attacks such as SQL injection and cross-site scripting with the App Gateway’s Web Application Firewall. You will walk away with an understanding of how Azure App Gateway and Log Analytics are applied as a security solution.

Presenter bio:

Roy is an architect/developer, multi-disciplined in solutions such as architecture, advisory, technology leadership, developer team lead, project coordination, systems performance, infrastructure, security and systems architecture. He executes on multiple roles to deliver projects at high performance and has deep expertise with SharePoint, .NET, JavaScript, BI development and Azure cloud services.


Date/Time: July 17, 2019, 6:30 PM to 8:30 PM EDT

Location: Room 128 (on the first floor near the library), St. James Campus - Building A, George Brown College, 200 King Street East, Toronto, ON, M5A 3W8

Presentation summary:

Export to RCE

Often web applications will allow users to export data within CSV files. Without proper output sanitization, poisoned CSV files can be created leading to remote code execution when they’re opened. This presentation assumes no prior knowledge with CSV injection and will focus on all aspects of the vulnerability (how it works, how to prevent the issue, and more).

Presenter bio:

Adam Greenhill is a senior security consultant at Security Compass. He enjoys staying up to date with the latest security trends and researching new aspects of the industry. Adam is an active member of the security community and has presented at BSides Toronto, OWASP Toronto, Toronto’s Cyber Security Meetup, and Sheridan College’s ISSessions.


Date/Time: June 19, 2019, 6:30 PM to 8:30 PM EDT

Location: Room 128 (on the first floor near the library), St. James Campus - Building A, George Brown College, 200 King Street East, Toronto, ON, M5A 3W8

Presentation summary:

Bug Bounties: Good or Evil?

Are Bug Bounty Programs (BBP) useful or not? How do you become a Bug Bounty Hunter and how do you run an effective BBP for your company?

In this talk, Gurjant shares his experience as a Bug Bounty Hunter along with some interesting stories he’s encountered along the way. He will also discuss whether or not Bug Bounty Programs are beneficial for your company and how to get the most out of them.

Presenter bio:

Gurjant Singh

Gurjant Singh is the Information Security Lead at Wealthsimple, a Toronto based Fintech company. In his spare time, Gurjant attempts to stay up to date with the most recent cyber security news and technologies. He also loves teaching and has been featured in the Times of India and Pentest Magazine.


Date/Time: May 15, 2019, 6:30 PM to 8:30 PM EDT

Location: Room 128 (on the first floor near the library), St. James Campus - Building A, George Brown College, 200 King Street East, Toronto, ON, M5A 3W8

Presentation summary:

Building a CTF: A Student’s Perspective

CTFs are fun, educational events that have become a staple in the information security community. But have you ever considered what actually goes on behind the scenes to make one happen?

In this talk Cameron Novina will reflect on his experience organizing the first and second annual Sheridan CTFs. This year, a custom CTF platform was implemented, as well as an even larger selection of challenges, including cryptography, steganography and, of course, application security. He will cover the obstacles he and the team overcame while implementing challenges that were designed to be attacked by budding information security professionals, using modern infrastructure and development practices on a tight budget.

This talk is aimed at those who have enjoyed a CTF (or many) in their time, and want to know what goes into organizing these events, both from a technical and event planning perspective.

Presenter bio:

Cameron Novina

Cameron is a Consultant with Deloitte’s Cyber Risk Advisory practice and is currently the Vice President of Sheridan College’s Information Security Sessions Club. Cam has helped formulate and execute a variety of information security simulations for organizations in the National Capital Region and previously served as the club’s president.

While not at work or school, Cam wrecks n00bs in Overwatch (Highest SR: 3440!) and enjoys tabletop games such as D&D as both a player and a Dungeon Master.


Date/Time: April 17, 2019, 6:30 PM to 9:00 PM EST

Location: Room 128 (on the first floor near the library), St. James Campus - Building A, George Brown College, 200 King Street East, Toronto, ON, M5A 3W8

De-identification!

De-identification is a way to make data sets containing personal information statistically safe for release. It is fundamentally a risk management solution designed to help companies comply with privacy legislation. This talk will go over:

  • The Data Problem: the raison d’être for de-identification
  • Implementation Overview: how it is done
  • Methodologies: 4 ways to secure personal data

Speaker bio:

Erik Service

Erik Service is a data scientist working with Security Compass as a management consultant. Prior to this role, he was a technical lead at Privacy Analytics where he contributed to the commercialization of a de-identification methodology for pharmaceutical research.

His professional interests lie at the intersection of technology and privacy law, with a focus on how people create and consume technology. He is a columnist for Mindthis magazine and plans to launch a blog looking at ways to inject privacy and security into the software development lifecycle.

Erik holds a Master of Science from McGill University. He completed a B.A at the University of Ottawa and is credited as an author on 6 peer-reviewed science publications.

Presentation materials:

Below are the references to books written on the subject:

  1. El Emam, K., & Arbuckle, L. (2013). Anonymizing health data: case studies and methods to get you started. O’Reilly Media, Inc.

  2. El Emam, K. (2013). Guide to the de-identification of personal health information. Auerbach Publications.

Here are some useful YouTube videos:

Cynthia Dwork on e-differential privacy: https://www.youtube.com/watch?v=lg-VhHlztqoe
Differential privacy for dummies: https://www.youtube.com/watch?v=gI0wk1CXlsQ

Date/Time: March 20, 2019, 6:30 PM to 9:00 PM EST

Location: Room 128 (on the first floor near the library) – St. James Campus Building A, George Brown College, 200 King Street East, Toronto, ON, M5A 3W8

Space is limited, so please RSVP on our chapter event page.

CMD+CTRL Web Application Cyber Range

Want to test your skills in identifying web app vulnerabilities? Join OWASP Toronto and Security Innovation as members compete in CMD+CTRL, a web application cyber range where players exploit their way through hundreds of vulnerabilities that lurk in business applications today. Success means learning quickly that attack and defense is all about thinking on your feet.

For each vulnerability you uncover, you are awarded points. Climb the interactive leaderboard for a chance to win fantastic prizes! CMD+CTRL is ideal for development teams to train and develop skills, but anyone involved in keeping your organization’s data secure can play, from developers to managers and even CISOs. Register early to reserve your spot!

In addition to signing up on the meetup page, you can also register at Security Innovation’s page to receive helpful tips, FAQs, and access to cheat sheets: https://web.securityinnovation.com/owasptoronto2019

Please keep in mind that spots are limited, and registration is on a first come, first served basis!

CTF Proctor bio:

Geoff Vaughn

Geoff is an Application & IT Security expert helping companies secure software and devices throughout all stages of development. He specializes in finding exploitable vulnerabilities in software applications as well as reverse engineering binaries to locate vulnerable code. Check out Geoff’s blog here: https://blog.securityinnovation.com/author/geoffrey-vaughan.

Security Innovation

Security Innovation is a pioneer in software security and trusted advisor to its clients. Since 2002, organizations have relied on our assessment and training solutions to make the use of software systems safer in the most challenging environments – whether in Web applications, IoT devices, or the cloud. The company’s flagship product, CMD+CTRL Cyber Range, is the industry’s only simulated Web site environment designed to build the skills teams need to protect the enterprise where it is most vulnerable – at the application layer. Security Innovation is privately held and headquartered in Wilmington, MA USA. For more information, visit www.securityinnovation.com or connect with us on LinkedIn or Twitter.


Date/Time: February 20, 2019, 6:30 PM to 8:30 PM EST

Location: Room 128 – St. James Campus Building A, George Brown College, 200 King Street East, Toronto, ON, M5A 3W8

Space is limited, so please RSVP on our chapter event page.

In Root we trust (no this is not a DNS talk)

Abstract

What do airplanes, TSA pre-check, credit cards, Windows Updates, and HTTPS all have in common? They all rely on the use of digital certificates as a basis for the security they provide.

In this talk Pavan and Lisa will share their expertise on what a digital certificate is, what they can be used for, and why we trust them (or not trust them in some cases…). They will cover the fundamentals of Public Key Infrastructure (PKI) and shed light on the critical role that Root Certification Authorities (CAs) play in all of our lives.

This talk is aimed at those who are onboard for HTTPS everywhere but want to dive into the nuts and bolts of how certificates work and understand the broader applications of PKI.

Speaker Bios:

Pavan

Pavan is a Manager with Deloitte’s Cyber Risk Advisory practice and has performed and led advisory work across a wide variety of domains with a focus on network security, vulnerability management, and data protection.

Recently, Pavan’s focus has shifted to Public Key Infrastructure (PKI) and the Certification Authorities (CAs) that issue publicly trusted TLS certificates. He has performed audits of both public and enterprise CAs and has been an official witness to several root key generation ceremonies both in Canada and internationally.

While not on an engagement, Pavan attempts to stay up to date on the latest memes by dedicating his time to mentoring youth at his local Air Cadet Squadron.

Lisa

Lisa is a consultant in Deloitte’s Risk Advisory practice. Her specialties include trust considerations of Public Key Infrastructure, Cyber Security, Enterprise Risk, Internal Controls, Third Party Service Auditor Reporting, Data Quality, Confidentiality and Privacy. Furthermore, she is involved in the development and delivery of training courses within the practice, and internal innovation initiatives.


Date/Time: Wednesday January 23, 2019, 6:30 PM to 8:30 PM EST

Location: Room 128 – St. James Campus Building A, George Brown College, 200 King Street East, Toronto, ON, M5A 3W8

Space is limited, so please RSVP on our chapter event page.

Back to the Future of Application Security: Developing Secure Smart Contracts

Abstract

Race-conditions, re-entrancy, bad randomness, unchecked calls and integer overflows! No, we’re not coding a C++98 application and worried about the Y2K bug; it’s 2019 and welcome to the world of smart contracts! Grab some avocado toast and GAS-up for a trip onto the blockchain, because where we’re going, we don’t need roads.

We’ll start with an introduction to smart contracts and their place in the distributed ledger technology ecosystem. We’ll delve into key vulnerabilities from the SWC (Smart Contract Weakness) registry and link them to real world impacts. We’ll identify smart contract flaws in Solidity and ultimately show how to mitigate them.

We’ll end with some key principles for building secure smart contracts and suggested tooling to augment a secure smart contract development flow, all with a dash of lamenting how, by forgetting the past, we are doomed to repeat it. And of course, no talk would be complete without a smart contract CTF challenge, or two, for the taking.

Speaker Bio:

Jamie Baxter, M. Eng., OSCP, OSCE, GPEN, CISSP

Principal Consultant & Founder - SRNSEC Inc.

Jamie is an independent security consultant specializing in security assessments, ranging from web application and infrastructure penetration tests to red teaming exercises.

Prior to independent consulting, Jamie was the Director of Cyber Security Assessments at RBC, a Senior Penetration Tester for the Department of National Defense, and a developer for over 10 years.

When not on an engagement, he can be found competing in and building CTFs or exploring the world of distributed ledger technology security.

2018


Date/Time: Wednesday December 5, 2018, 6:30 PM to 8:30 PM EST

Location: Lecture Hall Room 426A – St. James Campus Building A, George Brown College, 200 King Street East, Toronto, ON, M5A 3W8

Space is limited, so please RSVP on our chapter event page.

Web Application Penetration Testing - Methodology and Approach

Abstract

An introduction to web application penetration testing covering common methodologies and approaches. Topics are: An overview of the business side of how these engagements are commonly run, the methodology and mind-state of penetration testing vs. vulnerability assessments, and a demo using industry standard tools. Recommended for people who are new to the offensive side of security, those interested in learning more about the topic, or who are interested in potentially switching from blue to red team.

Bios:

Frank Coburn

Frank is a Consultant who specializes in web application security testing and analysis, and cloud security. I began my career in Canada’s financial sector in 2015 and have been performing web application penetration tests for various local and remote clients ever since. I have managed many client relationships and a multitude of other projects in Information Security across various industries. In my copious free time I enjoy working on personal projects such as developing scripts, tooling, and creating testing environments.

Haris Mahboob

I work at Security Compass as a security consultant. I specialize in penetration testing web applications and network infrastructures. I have experience working with industry standard SAST/DAST tools and manual testing. I come from a healthcare background working with SIEM tools, vulnerability scanning and management, as well as secure auditing. I enjoy spending my free time honing my penetration testing skills by diving into vulnerable VMs and learning about exotic payloads.


Date/Time: Wednesday November 14, 2018, 6:00 PM to 8 PM EST

Location: Security Compass, 390 Queens Quay West, Suite 209, Toronto ON, M5V 3A6

Space is limited, so please RSVP on our chapter event page.

Sonatype DevSecOps Community Survey - Working Session

DevOps is Security’s New Front Line

As we embrace movements like CI, CD and DevOps to cut down on release cycles and innovate faster, we as developers must also embrace the reality that the risk landscape is too complex to leave “security” to just those with security in their title. Traditional methods do not cut it anymore – it’s time for DevSecOps.

In a recent 2018 DevSecOps Community report, where 2,076 IT professionals were surveyed, 48% of respondents admitted that developers know application security is important, but they don’t have the time to spend on it. Done properly, DevSecOps practices shouldn’t interrupt the DevOps pipeline but instead aid it, preventing costly rebuilds and build breaks down the road.

Attendees of this session will walk away with:

  • Real-world examples of how large and small companies are implementing DevSecOps practices in their own delivery pipelines, and increasing developer awareness to risks
  • Key insights from 2,076 of their peers who participated in the 2018 DevSecOps community report - including where most mature DevOps practices are focusing their security efforts
  • A walkthrough of how security principles have been embedded in a CI/CD pipeline and what standards for implementation are beginning to follow suit.

Date/Time: Monday September 17, 2018, 6:00 PM to 8 PM EDT

Location: 80 Spadina Avenue, Toronto, ON

Space is limited, so please RSVP on our chapter event page.

6-7 PM

“iOS App runtime manipulation” with Ivan Rodriguez

In this talk, we’ll learn how to decrypt and extract an iOS application from a device, and use reverse engineering techniques to manipulate the app at runtime.

Ivan Rodriguez is an Application Security Engineer at Shopify with a mobile development background, currently working in application security.

7-8PM

“Auditing/Pen Testing Android Apps” with Kristina Balaam

As our world becomes more dependent on mobile devices, it’s important to understand the risks we may unknowingly introduce to users through the applications we build. In this talk, we’ll cover general Android security best practices, discuss tools for auditing your own applications to find vulnerabilities, and resources for continued learning.

Kristina is a Security Intelligence Engineer at Lookout, where she reverse engineers mobile malware. Prior to Lookout, she worked as an Application Security Engineer at Shopify, focusing mostly on Android mobile security. Kristina graduated with a Bachelor of Computer Science from McGill University in 2012, and is currently pursuing an MSc in Information Security Engineering from the SANS Institute of Technology. She blogs about computer security on Twitter, Instagram and YouTube under the handle @chmodxx.


Date/Time: Monday October 1, 2018, 6:00 PM to 8 PM EDT

Location: 80 Spadina Avenue, Toronto, ON

Space is limited, so please RSVP on our chapter event page.

Azure Cloud Security Workshop

By: Tanya Janca, OWASP Ottawa Chapter Co-Leader

Tanya Janca is a senior cloud developer advocate for Microsoft, specializing in application security; evangelizing software security and advocating for developers through public speaking, her open source project OWASP DevSlop, and various forms of teaching via workshops, blogs and community events. As an ethical hacker, OWASP Project and Chapter Leader, software developer and professional computer geek of 20+ years, she is a person who is truly fascinated by the ‘science’ of computer science.

You can find out more about Tanya here:

  • @SheHacksPurple
  • http://devslop.co/
  • https://medium.com/@shehackspurple
  • https://www.slideshare.net/TanyaJanca
  • https://www.youtube.com/channel/UCyxbNw11fMUgoR3XpVYVPIQ
  • https://www.twitch.tv/shehackspurple

Have you ever wondered how security is different ‘in the cloud’? Where do you store your certificates? Your keys? Your connection strings? How can you see what’s going on with your resources? How do you patch? Where can you see your server configs and other important information? How do you manage a security incident? How do you even know that you’re having an incident?

The first half of this workshop will be a demo where the audience follows along; the second part will be for audience members to build things and secure them in Azure.

Demo will include:

  • Complete Azure Security Centre walkthrough
  • Policy and compliance, including subscription coverage
  • Resource Security Hygiene
  • Azure Security Centre Recommendations (mitigation of one or more items, dependent on time)
  • Threat Protection, Alerts and Threats
  • Applying System Updates
  • Key Vault

Audience Participation (people who do not have a laptop can follow along with the teacher)

  • Create a DevOps project, from scratch, and publish to the internet. (20-30 mins)
  • Turn on Security Centre (5 mins)
  • Check your security configurations and settings to ensure your new app is safe. (10 mins)
  • More as time permits.

What you will need if you want to participate after the demo:

  • A laptop running any modern operating system (Mac OS, Windows, Linux)
  • Modern web browser (Safari, Edge, Chrome, FireFox)
  • Wi-fi and internet
  • An activated Azure Trial. Please activate your trial before the workshop. The workshop will not wait if you have not activated your trial.

To activate your free Azure trial for this workshop please go here: https://aka.ms/Azure-Cloud-Security-Workshop

  • If you have previously used your free Azure Trial you will not be able to have another one for this workshop.

  • You will need to use a credit card to activate your trial, but the trial itself is free for 30 days, up to $200. We will use up to $30 of your credit with this workshop.


Date/Time: July 18, 2018, 6:00 PM to 8 PM EDT

Location: 420 Wellington Street West, Toronto, ON

Space is limited, so please RSVP on our chapter event page.

Panel Discussion: DevSecOps

We invite you to join us for a panel discussion on DevSecOps. Panelists will include AppSec professionals currently involved with growing their DevSecOps practice internally, or advising clients on DevSecOps initiatives in a consulting capacity. Our moderator will invite them to share their insights on topics that include:

  • Role and current DevSecOps practices
  • Success stories and challenges
  • Advice for getting into DevSecOps
  • Standards, tools, frameworks

Come prepared to learn, discuss, share and ask questions!


Date/Time: June 12, 2018, 6:00 PM to 8 PM EDT

Location: Suite 500, 257 Adelaide St. W., Toronto, ON

Space is limited, so please RSVP on our chapter event page.

How to stop worrying about Application Container Security (v2)

Containers make it easier to deploy the applications that drive business value, but also profoundly challenge existing security models. Learn from our journey as a security team that went from not knowing what containers were to championing their adoption in our production sensitive information workloads over traditional DevOps application deployments.

  • About Us
  • Our Application & Security Challenges
  • Our Container Journey
  • Building a Container Ecosystem
  • Learning Secure Application Containers
  • Benefits for DevOps and Security
  • Our Container Security Maturity Model
  • What’s Next

Presenter: Brian Andrzejewski (@DevSecOpsGeer)

Brian was the lead Information Security Engineer in the CyberDefense Branch at the United States Customs and Immigration Services (USCIS). He led, engineered, and architected several of USCIS’s security efforts and represented USCIS as a hands-on SME in several working groups within DHS and Federal government on DevSecOps, Application Security, Cloud Migration & Security, Container Security, and CyberDefense operations best practices.

Prior to USCIS, Brian accumulated 17+ years of professional experience in information security, risk management, IT Operations, system development & administration, and DFIR across the Department of Defense, healthcare, commercial, and academic sectors. He was a DoD SME representative in U.S. cybersecurity workforce development programs and operationalized machine-speed cyber threat information sharing between the five U.S. National Cyber Centers. He remains passionate about cybersecurity workforce development and information security education with non-profits and security researchers.


Date/Time: May 28, 2018, 6:00 PM to 8 PM EDT

Location: Suite 500, 257 Adelaide St. W., Toronto, ON

Space is limited, so please RSVP on our chapter event page.

OWASP SecurityRAT: Handling of Security Requirements in Software Development Lifecycle

The bigger the company you’re working in, the more technologies and methodologies used by development teams you are going to face. At the same time, you want to address security risks in an appropriate, reliable and traceable way for all of them.

After a short introduction of a unified process for handling security requirements in a large company, the main part of the talk is going to focus on a tool called SecurityRAT which we developed in order to support and accelerate this process.

The goal of the tool is first to provide a list of relevant security requirements according to properties of the developed software (e.g. type of software, criticality), and afterwards to handle these in a mostly automated way - integration with an issue tracker being used as a core feature.

Work in progress (currently targeting mainly integration to other systems, automated testing of requirements and reporting) as well as future plans will form the last part of the talk.

Speakers:

Daniel Kefer OWASP SecurityRAT - Project Leader

Daniel Kefer has been working in the application security field since 2007. Having started as a penetration tester, he soon became passionate about proactive security efforts and working closely with developers. Since 2011 he has been working for 1&1 where he currently leads an internal application security team supporting development teams with security challenges of their work. With OWASP, he leads the SecurityRAT project and contributes to the SAMM project.

René Reuter OWASP SecurityRAT - Project Leader

René Reuter is a security engineer with over 6 years of experience in the application security field. At Robert Bosch GmbH, he works as an IT Security Consultant responsible for identifying vulnerabilities and design flaws that may impact Robert Bosch’s applications and infrastructure. René holds a Master’s Degree in Computer Science from the University of Applied Sciences Karlsruhe.


Date/Time: April 26, 2018, 6:00 PM to 8 PM EDT

Location: Suite 500, 257 Adelaide St. W., Toronto, ON

Space is limited, so please RSVP on our Meetup.com chapter event page.

CISO’s 90 Day Plan

Agenda

Developing and deploying a security strategy from the ground up. Nelson will cover Security Policy development, Team Building, Data Classification, Assessment/Prioritization, Application Security, Security Awareness, Deployment and Monitoring / Incident Response. We will reserve ample time for Q&A.

Speaker: Nelson Chen

An accomplished 20+ year IT Security leader (CISSP/CISA/CISM) with global enterprise-wide responsibilities. Nelson has experience that ranges from startup to large, high-tech enterprise environments, with an extensive background in information systems management, information security practices, risk assessment, contingency planning, vendor management, merger & acquisition, project management and business development. He has deployed security policies and strategies for his previous employer to over two dozen acquisitions, and today he works for Zenedge, a successful cybersecurity startup that was recently purchased by Oracle.


Date/Time: April 11, 2018, 6:00 PM to 8 PM EDT

Location: Suite 500, 257 Adelaide St. W., Toronto, ON

Space is limited, so please RSVP on our Meetup.com chapter event page.

Application Threat Modeling

This session will introduce you to the basics of application threat modeling using the OWASP Cornucopia and Microsoft Elevation of Privileges games. We will provide an introduction to the game concepts, and then attendees will join groups where they will get hands on game experience threat modeling a sample application. Come prepared to participate!


Date/Time: February 27, 2018, 6:00 - 8:00 PM EST

Location: Suite 500, 257 Adelaide St. W., Toronto, ON

Space is limited, so please RSVP on our Meetup.com chapter event page.

“How to Work a Room” Basic Networking Skills

Helping individuals achieve their personal goals by teaching and coaching effective networking

Intro by OWASP Toronto: As AppSec and information security professionals, we work in a field where technical knowledge is key, while networking and communications skills, which are just as important, are often overlooked. Marcel’s insights on effective networking will help you be more successful in your roles within your organizations, or help you be better prepared to enter the security workforce.

Speaker: Marcel Gagnier

Marcel is a successful sales technology executive with over 20 years of experience in sales and account management. He owes his success primarily to his networking skills.

Networking has allowed Marcel to develop relationships, and business, and to support a wide range of interests as well as lifelong friendships.

As with many people, networking did not come easily to Marcel. It is a learned skill that he first developed while in the British Army, starting with human intelligence (HUMINT) on operations. These skills became further refined when conducting threat assessments and social engineering. These networking skills allowed Marcel to easily transition into the civilian world in a variety of roles and in both small and large firms.

Marcel will share his insights in a workshop called “How to Work a Room” where basic networking skills will be covered.

You will learn the following:

  • The basics of networking - how it works
  • What events to attend and what events not to attend
  • How to research the event and attendees
  • Setting event goals
  • What to wear
  • What to carry
  • When to arrive
  • How to read the room
  • How to engage the best prospects
  • How to make an introduction
  • How to engage in conversation
  • How to exchange contacts and business cards
  • How to disengage
  • How to follow up

Date/Time: January 17, 2018, 6:00 - 8:00 PM EST

Location: Suite 500, 257 Adelaide St. W., Toronto, ON

Space is limited, so please RSVP on our Meetup.com chapter event page.

Hi, I am X. How do I get into AppSec / Security?

This will be a guided discussion about entering the world of application security, or information security in general. We will cover topics such as OWASP resources, tools, secure SDLC, agile, secure DevOps, training and certifications. We will also have some real life stories from folks in the industry about their path. Come prepared to participate!

2017


Date/Time: October 26, 2017, 6:00 - 8:00 PM EDT

Location: Suite 500, 257 Adelaide St. W., Toronto, ON

Space is limited, so please RSVP on our Meetup.com chapter event page.

Swiss cheese security, or the real challenges faced by internet facing companies

Summary

In this talk we will get an overview of the challenges faced by companies that have an internet presence, but instead of focusing on well-known attacks we will focus on targeted and stealthy attacks.

Each scenario will be described and explained by using data collected over the years, and for each case we will discuss not only attack and defense strategies but also some legal implications and possible impact to the business.

Presenter bio:

Enrico Branca

Enrico Branca is an experienced researcher with specialist knowledge in Cyber Security. He has been working in Information Security for over a decade with experience in Software Security, Information Security Management, and Cyber Security R&D. He has been trained and worked in various roles during his career, including Senior Security Engineer, Security Architect, Disaster Recovery Specialist, Microsoft Security Specialist and others, always looking for new exciting opportunities.

Outline

  • what mainstream news says about cyber security
  • what industry says about cyber security
  • how we can dispute the claims with a reality check
  • example 1: are financial and insurance companies well defended?
  • example 2: web encryption with SSL/TLS, defending from unknown attacks
  • example 3: the state of GPG public key cryptography, can we trust it?
  • example 4: software companies and version control, useful or useless?
  • example 5: targeted data breach or “indirect” breach, what has been found without any sort of cyber attack
  • what can be learned from others’ mistakes
  • what can be done to make things better

Date/Time: August 23, 2017, 6:00 - 8:00 PM EDT

Location: Suite 500, 257 Adelaide St. W., Toronto, ON

Space is limited, so please RSVP on our Meetup.com chapter event page.

Session Description:

Cloud Security & Best Practice in AWS

  • A few instances of breaches in the cloud (AWS): account compromise via leak of AWS keys on GitHub; SSRF attack; publicly accessible S3 buckets, folders, and files
  • How Jenkins (CI) can lead to disaster
  • Best practices to protect an AWS account from unauthorized access and usage
  • What and how to look for security loopholes
  • Audit scripts

Presenter bio:

Ankit Giri

A complete tech enthusiast, who likes to learn new technologies. With his expertise in Application Security, Ankit works as Associate Security Consultant for Security Compass. A speaker, presenter, and a blogger, Ankit has a diverse background in writing informational blogs during his association with TO THE NEW Digital (last firm). He is a nature lover, photography enthusiast and avid follower of governance. Being in the application security domain, Ankit also takes an interest in RTI activism and carries it as a skill with RTI certifications.

Expertise: Penetration Tester; OWASP Top 10 Vulnerabilities understanding, detection, and remediation. Blogger, Bug Bounty enthusiast, one of the top-rated writers on Quora: The Most Viewed Writer in Web Application Security, The Most Viewed Writer in Pentest, Second Most Viewed Writer in Network Security. Featured in the Hall of Fame of EFF, GM, HTC, Sony, Mobikwik, AT&T, PagerDuty and many others. He is a chapter leader of the Peerlyst Delhi NCR Chapter. Special mention and a note of thanks for posting the first SecLink on the platform Sectivenet.


Date/Time: June 13, 2017, 6:00 - 8:00 PM EDT

Location: Suite 500, 257 Adelaide St. W., Toronto, ON

Space is limited, so please RSVP here to confirm your presence.

Session Description:

The Node.js Highway: Attacks Are At Full Throttle

Node.js is the drive-and-go language and its popularity is soaring. Five years after its debut, the language’s framework boasts more than 2M downloads a month. Before accelerating too quickly, it is important to understand the power – and corresponding mishaps – of this language. In this talk, we demonstrate new attack techniques against applications built on top of the Node.js language. Attacks include:

  • Application-layer DDoS attacks. Bringing a server to its knees with just 4(!) requests.
  • Password exposure attacks. Leveraging the “Forgot My Password” feature of applications in order to reveal the passwords of all the application’s users
  • Business logic attacks. Running malicious code on all machines of users of the applications when exploiting a weak business feature.

Presenter bio:

Susan St.Clair, CWAPT

Solution Engineer – Checkmarx

Susan currently works with organizations, as part of the Checkmarx GTA team, to help implement secure coding practices in their SDLC. She has over 15 years of experience working with application teams in the software industry.

She was previously a product manager and solution engineer with Codiscope, now part of Synopsys.


Date/Time: May 25, 2017, 6:00 - 8:00 PM EDT

Location: Suite 500, 257 Adelaide St. W., Toronto, ON

Space is limited, so please RSVP here to confirm your presence.

Session Description:

Category Web: Fantastic Tales of Capture-The-Flag (CTF) challenges past

We’ll dive into some of our favorite application security challenges from past Capture-The-Flag (CTF) competitions, including highlights from the recent 2017 edition of NorthSec, the largest applied security competition in North America. The challenges we’ll walk through were not only fun to solve but have a demonstrable real-world impact drawing on subtle flaws that lurk in many production applications. So bring your laptops and strap-in, this talk will be interactive and at the end of the night we’ll have a few challenges to take home with you.

Optional: If you want to follow along on your laptop as Jamie goes over the challenge walkthroughs, you will need at least VMware / VirtualBox to run a virtual machine, 8 GB of free space, and a web proxy such as Burp Suite or OWASP ZAP.

Presenter bio:

Jamie Baxter, GPEN, OSCE, OSCP, CISSP

Principal Consultant & Founder - SRNSEC Inc.

Jamie is the team captain of a successful CTF (Capture the Flag) team “SomeRandomName” (SrN), which regularly competes in and organizes CTF events. When not CTFing, Jamie is an independent information security consultant specializing in security assessments, performing infrastructure and application penetration testing engagements for clients in the government, retail and financial sectors.

Previously, Jamie was the Director of Cyber Security Assessments at the Royal Bank of Canada and a senior penetration tester for the Department of National Defense.


Date/Time: April 20, 2017, 6:00 - 8:00 PM EDT

Location: Auditorium, Lilian H Smith Library, 239 College Street, Toronto, ON M5T1R5

Agenda:

How Billion Dollar Enterprises Manage Application Security at Scale

Security Compass recently completed a comprehensive research study by surveying companies across multiple industries with the goal of discovering how large, complex organizations address application security at scale. The majority of respondents surveyed were multinational organizations who reported annual earnings greater than $1 billion USD. Through this new research study, we have gleaned novel insights on how large organizations manage application security at scale. In this presentation, we will reveal aggregated insights, industry trends, and best practices that illuminate how organizations are addressing application security at scale, so that you may apply and compare these learnings to the state of application security at your own organization.

Altaz Valani is a Research Director at Security Compass responsible for managing the overall research vision and team. Prior to joining Security Compass, Altaz was a Senior Research Director in the Application Development Practice at Info-Tech Research Group providing IT managers, directors, and senior managers with guidance and analysis around application development – including Agile, Cloud, Mobile, and the overall SDLC. His other past positions include Senior Manager at KPMG, and various entrepreneurial and intrapreneurial positions where he worked side by side with senior-level stakeholders at blue chip clients to drive business value through software development.

Altaz enjoys coding, teaching, and the challenge of learning. He received his BEng in Computer Engineering from McMaster University, and his MBA from the University of Western Ontario.


Date/Time: March 15, 2017, 6:00 - 8:00 PM EDT

Location: Amazon, 120 Bremner Blvd, Suite 2600, Toronto, ON

IMPORTANT - We are making special changes to our RSVP process to adapt to this new venue:

  • ONLY attendees who confirmed through our chapter’s Meetup.com event page will be allowed entry. So please confirm your presence if you are planning to come. This is required so that visitor badges can be created for those on the list and provided by the reception at the Amazon office.
  • The RSVP period will run from March 3 to March 12. This is to allow enough time for visitor badges to be created, and to plan for the event’s logistics.
  • If you need to make changes to your attendance status, please do so by March 12. We understand that plans change, but given the limited space, please be mindful of others in the community who may benefit from the event. If you have any questions, please feel free to reach out to us.

Agenda:

1 - Overview and Intro to OWASP Projects - Yuk Fai Chan

A quick overview of OWASP will be presented for those who are unfamiliar with the global organization, followed by an introduction to OWASP Projects - the process, the people, and some examples - from Flagship and Lab to Incubator.

Yuk Fai Chan is with the OWASP Toronto chapter. He also works as a security consultant.

2 - Vulnerabilities from upstream on down - Max Veytsman

Security vulnerabilities in open source software are patched by maintainers every day, but most of the software your servers have installed is coming from a package manager.

When a new vulnerability in openssl is disclosed, how does it make it to the corresponding Ubuntu package? How long does it take?

Every distribution has a security team. I’m going to describe the work that they do, talk about how vulnerabilities are prioritized and discuss some statistics about their operations.

Max Veytsman is a recovering pentester. Nowadays, he’s helping the world patch its software at Appcanary.


Date/Time: February 16, 2017, 6:00 - 8:00 PM EST

Location: Suite 500, 257 Adelaide St. W., Toronto, ON

Please RSVP here to confirm your presence.

Secure Programming with Static Analysis

Please join us at our next OWASP Toronto chapter event, where our guest speaker, Paul Kitor from HP Enterprise, will be sharing his thoughts on Secure Programming with Static Analysis.

Speaker: Paul Kitor

Paul Kitor, CISSP is a Senior Solution Architect focused on Fortify technologies within the Enterprise Security Products business unit at HP. In this role, Mr. Kitor acts as the primary technical advisor to develop and position a broad range of Application Security solutions with customers. In his responsibilities, Paul provides technical leadership and technical depth concerning HP Fortify solutions. He works closely with customers and partners, assisting them in meeting their strategic Application Security initiatives, and also provides thought leadership and insight regarding the ever-changing global threat landscape. He possesses 20+ years of Information Security experience in the areas of Application Architecture, Java/C/C++ Development, Agile SDLC, and Application Security. Prior to joining HP Canada, Paul worked as a Solution Architect at Oracle, BEA Systems, and Borland Software; he also led Java development teams at Airmiles.ca and Points.com.

Abstract:

Developing software securely is a very challenging task. Using a combination of theory, practice and technology gives you the best chance of success. This talk will introduce (for those practitioners among us – review) the theory, practices and technologies that comprise Static Analysis.

  • The Software Security Problem
  • Static Analysis
  • Introduction
  • As Part of the Code Review Process
  • Internals
  • Pervasive Problems
  • Handling Input
  • Buffer Overflow
  • Bride of Buffer Overflow
  • Errors and Exceptions

Date/Time: July 20, 2016, 6:00 - 8:00 PM EDT

Location: Suite 500, 257 Adelaide St. W., Toronto, ON

Please RSVP here to confirm your presence.

Panel Discussion: OWASP Top 10

We invite you to join us at our next chapter event, where panelists will discuss one of OWASP’s flagship projects, the OWASP Top 10 application security flaws. The discussion will include:

  • Roundtable on select items on the OWASP Top 10 (e.g. injection flaws, security misconfigurations, CSRF, etc.)
  • Thoughts on candidates for the 2016/2017 release of the OWASP Top 10 (e.g. what should be added? what should be removed?)

Come prepared to learn, discuss, share and ask questions!


Date/Time: June 8, 2016, 6:00 - 8:00 PM EDT

Location: Suite 500, 257 Adelaide St. W., Toronto, ON

Please RSVP here to confirm your presence.

Panel Discussion: Day in the Life of An Application Security Professional

We invite you to join us at our next OWASP Toronto chapter meeting, where panelists will discuss their day-to-day life as an application security professional, followed by an open discussion with the audience. Come prepared to learn, discuss, share, and ask questions!

Panelists:

  • Steve Gienuisz, Software Security Specialist, BMO Financial Group
  • Ramanan Sivaranjan, Director of Engineering, Security Compass
  • Yuk Fai Chan, OWASP Toronto Chapter
  • Tej Gandhi, Information Security Compliance Specialist, Engage People Inc.

Date/Time: January 20, 2016, 6:00 - 8:00 PM EST

Location: Suite 500, 257 Adelaide St. W., Toronto, ON

Please RSVP here to confirm your presence.

Speaker: Michael Bennet

Lead DDoS Strike Developer, Security Compass

Is your Application DDoS Ready?

Common issues that leave your application DDoS defences vulnerable

More and more DDoS attacks are targeting the Application Layer in order to knock your sites and services offline. These attacks need far less horsepower to drive results and often target weaknesses in an application and its defences in order to be effective. While there are solutions available to protect your application, they can only do so much and often are misconfigured for an application. In this presentation I’ll talk about common misconfigurations that we come across during our DDoS testing, as well as some web application design considerations that help some DDoS defences to be more effective.

2015


Date/Time: November 18, 2015, 6:00 - 8:00 PM EST

Location: Suite 500, 257 Adelaide St. W., Toronto, ON

Please RSVP here to confirm your presence.

Python Security

Speaker: Enrico Branca

Enrico Branca is an experienced researcher with specialist knowledge in Cyber Security. He has been working in Information Security for over a decade with experience in Software Security, Information Security Management, and Cyber Security R&D. He has been trained and worked in various roles during his career, including Senior Security Engineer, Security Architect, Disaster Recovery Specialist, and Microsoft Security Specialist. He is always looking for new and exciting opportunities.

Session Outline:

A deep dive into the security of the Python interpreter and its core libraries to discover how bad guys may attack it and how good guys can protect it, while providing examples and code snippets on how each goal may be achieved by any given party.

Enrico’s presentation slides can be found here.


Date/Time: May 20, 2015, 6:00 - 8:00 PM EDT

Location: Suite 500, 257 Adelaide St. W., Toronto, ON

Please RSVP here to confirm your presence.

Panel Discussion: State of Application Security in 2015

We invite you to join us at our next OWASP Toronto chapter meeting, where a panel of industry professionals will discuss the state of application security in 2015. Panelists will share their point of view on a number of topics, followed by an open discussion with the audience. Come prepared to learn, discuss, share, and ask questions!

  • Appsec Wishlist: “If I could have one thing improved in application security in 2015, it would be …”
  • Appsec Defenders: Offensive Security is obviously thriving, but how are the Defenders doing? Has there been improvement? There are plenty of blackhat/red team rock stars, but are we giving enough credit to the blue teams?
  • Appsec Tools: Which application security tools are doing the job right? Which ones can be further improved?
  • Evolution of Application Security Assessments: How will the industry effect a sea change in attitude towards assessing software for security issues? The tunnel-vision model (i.e., black-box only, source code review only, configuration review only) is deficient, and the best approach is to overlap as many techniques as possible. Time-boxed approaches compound the problem, and with the increasing proliferation and complexity of applications in any given organization, scaling assessment services to all targets is bottlenecked.
  • Appsec Talent: There are too few skilled/trained information security professionals, and too much work to do. Scaling up to meet the demand can only partially be managed through automation. Where will the next wave of reliable security professionals come from? Is training for information security skills too expensive in the age of Code School? Is North America in need of a CREST-like certification to establish a baseline level of coverage by a practitioner?

Panelists

  • Ehsan Foroughi, Security Compass
  • Manish Khera, RBC
  • Gonzalo Nunez, Deloitte
  • Ann-Marie Westgate, eHealth Ontario

2014


Date/Time: September 10, 2014, 6:30 - 8:30 PM EDT

Location: Suite 500, 257 Adelaide St. W., Toronto, ON

Please RSVP here to confirm your presence.

Speaker:

Ryan Berg

Ryan is the Chief Security Officer at Sonatype. Before joining Sonatype, Ryan was a co-founder and chief scientist for Ounce Labs which was acquired by IBM in 2009. Ryan holds multiple patents and is a popular speaker, instructor and author, in the fields of security, risk management, and secure application development. Prior to Ounce Labs, Ryan co-founded Qiave Technologies, a pioneer in kernel-level security, which later sold to WatchGuard Technologies in 2000. In the late 1990’s, Ryan also designed and developed the infrastructure for GTE Internetworking/Genuity’s appliance-based managed security services.

Session Outline:

What’s Hiding in Your Software Components? Hidden Risks of Component-Based Software Development – Seeing the Forest Through the Trees

Software is no longer written, it’s assembled. With 80% of a typical application now being assembled from components, it’s time to take a hard look at the new risks posed by this type of development – and the processes and tools that we’ll need in order to keep them in check. Join Ryan Berg as he shares real world data on component risks, outlines the scope of the problem, and proposes approaches for managing these risks. You’ll learn how security professionals can work cooperatively with application developers to reduce risk AND boost developer efficiency.


Date/Time: July 16, 2014, 6:00 - 8:00 PM EDT

Location: Suite 500, 257 Adelaide St. W., Toronto, ON

Please RSVP at [email protected] to confirm your presence.

Speaker:

Dr. Mark Shtern, CISSP, Postdoctoral Fellow at York University

Session Outline:

DDoS Attacks and Mitigation in Cloud Environments

Distributed Denial of Service (DDoS) attacks are negatively impacting a broad spectrum of industries as they are increasing in number, sophistication, and cost. Researchers have noted that, when simple DDoS attacks fail, the attackers take aim at the application layer and these attacks become more prevalent. For example, in the first quarter of 2012, Layer 7/Application layer attacks increased by 25% compared to the year before. In the third quarter of 2013, the total number of layer 7 attacks increased by 101% compared to 2012. As a result, application layer attacks have been a growing concern for information technology security specialists.

I will present an adaptive management mechanism, which can correctly scale applications, mitigate a DDoS attack, or both, based on an assessment of the business value of workload. I will talk about the Cloud Efficiency (CE) metric, a runtime metric that assesses how effectively an application uses software-defined infrastructure. This is a business-driven metric that can be leveraged to detect various resource-consumption attacks on applications, including cost-of-service and low-and-slow DDoS attacks.


Date/Time: April 23rd, 2014, 5:30 - 7:30 PM EDT

Location: Telus Tower, 25 York, 3rd Floor

Please RSVP to [email protected] to confirm your presence.

Heartbleed! or Heart Bleed!

Heartbleed! or Heart Bleed! The logo, the media coverage, the virus (no wait, it’s not a virus); reverse Heartbleed and client Heartbleed (the transfusion) - a tale of failure to validate inputs, trusting user-provided input and coding around good security. You’ve read the book! Seen the movie! Now see the live puppet show. (puppets not included, please bring your own batteries too).

Speaker: Ben Sapiro

Ben works for KPMG where he advises people on Cyber Security (we’re not entirely sure what that is yet either but we hear it’s the ‘new infosec’ which is the ‘new orange’ which is the ‘new black’). He’s also the founder of OpenCERT, a BSidesTO organizer, LiquidMatrix Podcaster, SECTOR Fail Panelist and occasional writer of things (which sometimes includes horrible code and bad prose). With 15 years in the biz, Ben’s hoping for parole soon; otherwise he is going to have to find something else to do in infosec/cybersec besides product management, SecSDLC, consulting, insulting, and CISO’ing. Ben has advised a whole bunch of confidential clients on AppSec and Secure SDLC, but two he can talk about (when reliving the glory days) are Sybase and Motorola.

2013


Date/Time: December 3rd, 2013, 6:00 - 7:30 PM EST

Location: Telus Tower, 25 York, 3rd Floor, Room 39

Please RSVP to [email protected] to confirm your presence.

OWASP: Introducing ASVS 2013

Since the last release of the OWASP Application Security Verification Standard (ASVS) Project in 2009, significant improvements have been made, including but not limited to:

  1. Content updates to add new relevant content and clarify existing content

  2. Document segregation

  3. Case studies

  4. Mapping to other relevant standards

In this presentation, we will walk through the major changes that we believe will increase adoption of the standard in industry.

Presenter: Sahba Kazerooni

Sahba Kazerooni manages Security Compass’s internationally renowned consultants on cutting-edge consulting and training engagements across North America and around the world. His personal skillset ranges from hands-on assessments in application penetration testing, threat modeling, and source code review, to security advisory and technical training. Sahba has an advanced knowledge of the Software Development Life Cycle (SDLC) as well as the intricacies of the Java programming language. He is an internationally renowned speaker on software security topics, having delivered presentations at reputable security conferences around the world and having been recognized as an expert in application security by publications such as IT World Canada and the Information Security Media Group.


Date/Time: July 10, 2013, 6:30 - 8:00 PM EST

Location: Telus Tower, 25 York, 3rd Floor, Room 39

Please RSVP to [email protected] or [email protected] to confirm your presence.

OWASP: Beyond the Top 10

Presenter: Andre Rochefort, TELUS

Join us as we take a guided tour through some of OWASP’s lesser-known projects – present and future. For students and new entrants to the application security profession, get practical advice on options for building and honing your skills. Developers and administrators alike might benefit from an overview of OWASP’s projects for secure SDLC, source code review, and vulnerability assessment and mitigation. The seasoned professionals can engage in a lively discussion and critique of OWASP projects in the pipeline, and how the community as a whole is tackling security for the web, mobile, and beyond. An OWASP session featuring a buffet of OWASP offerings and a potluck of alternatives and enhancements.

Your host for this session is Andre Rochefort, an infosec veteran and lifelong computer geek. As a developer, a security auditor, and a loudmouth conference heckler, Andre offers a wealth of experience and anecdotes, with a generous helping of opinion. His day-to-day activities at TELUS include source code analysis, vulnerability assessments and penetration tests, with a heavy focus on web and mobile application security.


Date/Time: May 8th, 2013, 6:30 - 8:00 PM EST

Location: Telus Tower, 25 York, 3rd Floor, Room 39

Please RSVP to [email protected] to confirm your presence.

Secure Code Review

Presenter: Sherif Koussa

Secure Code Review is the best approach to uncover the largest number of security flaws, including the stealthiest and hardest-to-find vulnerabilities. During this session, you will learn how to perform security code review and uncover vulnerabilities such as those in the OWASP Top 10 (Cross-site Scripting, SQL Injection, broken Access Control and much more) in the early stages of development. You will use a real-life application, “SecureTickers”, pulled from SourceForge. You will get an introduction to static code analysis tools and see how you can extend PMD (http://pmd.sourceforge.net/), the open source static code analysis tool, with custom rules that catch security flaws like those in the OWASP Top 10. Expect lots of code, tools, hacking and fun!


Date/Time: March 20th, 2013, 6:30 - 8:30 PM EST

Location: PwC Tower, 18 York Street, Suite 2600, Toronto ON M5J 0B2

Due to fire and building regulations, there is a maximum occupancy allowed in the venue, so if you would like to attend it is very important that you RSVP at [email protected] to confirm your presence!

NFC Threat Landscape

Presenter: Geoff Vaughan, Security Compass

Near Field Communication is on pace to be one of the most explosive technologies in North America for 2013. Over 2012 we’ve seen a number of industry steps to making this a reality. Nearly all phone makers are putting NFC into the new phones they develop. Over the last year we have also seen widespread adoption by a large number of financial institutions putting NFC into their new credit cards and banking cards, as well as many mobile payment systems now accepting the technology. At this point we need to take a step back and evaluate the implications of having NFC always enabled on a consumer phone and of storing mobile payment data on an individual’s phone. NFC technologies are intimately embedded into all core features of a smart phone, and this presents a very large attack surface for an attacker to potentially exploit.

2012


Date/Time: Wednesday, July 11th 2012, 6:30-8:00 PM EDT - Security Community Engagement

Location: Suite 201, 425 Adelaide Street West, Toronto, ON M5V 3C1

Please RSVP to [email protected] to confirm your presence.

Description: Mozilla is one of the most successful open source projects in existence, and has helped transform the way users and developers interact with the Internet. In the last few years there have been many new ways to use the Internet, including new competitors in the browser market, mobile and desktop apps, and a proliferation of platforms, APIs, and new technologies. Mozilla has a strong base of contributors to many areas, including Firefox, Thunderbird, our huge Add-On collection, and our support sites, but not many people know that Mozilla is also open to community engagement with our Security program as well! In this discussion I will explain how our Security program functions, how and where we are looking for improved engagement and contribution from the community, and some of the benefits of contributing!

Speaker Bio:

Yvan Boily is an Application Security Manager with Mozilla Corporation, where he manages one of two application security teams focused on the security of Mozilla web properties and end-user applications.


Date/Time: Thursday, May 10th 2012, 6:30-8:00 PM EDT - Application Security ISO

Location: RBC Auditorium C, 315 Front Street West, Toronto, ON M5V 3A4

Please RSVP to [email protected] to confirm your presence.

Description: ISO/IEC 27034 - Part 1 was published in November 2011 and the remaining parts (Parts 2-6) are expected to be published soon. What does this mean to your organization or your clients who wish to adopt or incorporate this ISO standard for their software applications? This overview will walk through the key sections of the standard and highlight the process approach to specifying, designing, developing, testing, implementing and maintaining security functions and controls in application systems. We will also attempt to compare these key points against other industry guidelines to determine the overall intentions and objectives of the standard.

Speaker Bio: Tak Chijiiwa, CISSP, CSSLP

Tak Chijiiwa has over 12 years of IT security experience. Tak has been involved in a wide spectrum of information security strategy and advisory engagements for various Fortune 500 clients globally in the healthcare, financial, education, utilities, transportation and government sector. Prior to joining Security Compass, Tak worked at Deloitte & Touche, LLP as a Manager of the Vulnerability Management team in Toronto, Ontario for 6 years and at Kasten Chase Applied Research as a Development Manager in Mississauga, Ontario for 4 years.

2011


Date/Time: Wednesday, September 14th 2011, 6:30-8:00 PM EDT - Introducing Vega, a New Open Source Web Vulnerability Scanner

Location: Suite 201, 425 Adelaide Street West, Toronto, ON M5V 3C1

Please RSVP to [email protected] to confirm your attendance.

Description: David will be presenting Vega, a new free and open source vulnerability scanner for web applications developed by Subgraph, his Montreal-based security startup. Vega allows anyone to scan their web applications for vulnerabilities such as cross-site scripting or SQL injection. Written in Java, Vega is cross-platform. It’s also extensible, with a built-in JavaScript interpreter and API for custom module development. Vega also includes an intercepting proxy for manual inspection of possible vulnerabilities and penetration testing.

Speaker bio: David has over 10 years in the information security business. He started his professional experience as a founding member of SecurityFocus, which was acquired by Symantec in 2002. David also moderated the Bugtraq mailing list, a historically important forum for discussion of security vulnerabilities, for over four years. He has spoken at Black Hat, CanSecWest, AusCERT and numerous other security conferences, as well as made contributions to books, magazines and other publications. David also participated in a NIAC working group on behalf of Symantec to develop the first version of the CVSS (Common Vulnerability Scoring System) model and was an editor for IEEE Security & Privacy. His current obsession is building Subgraph, his information security startup in Montréal.


Date/Time: Wednesday, May 11th 2011, 5:00-6:00 PM - Mobile Security for the Forgetful

Location: Auditorium C, 315 Front Street West, Toronto, ON M5V 3A4

Please RSVP to yukfai at securitycompass dotcom

Description: You’ve accidentally misplaced your company or personal mobile phone in a public location. In this scenario, what threats do you and/or your organization face?

This talk will be about the worst case scenario in mobile security: when the attacker has physical access to the phone. According to DataLossDB, about 1/5 of all data breaches they have recorded are due to lost or stolen laptops. Phones are much easier to lose (or steal) than laptops, and these days the data on our phones can be as confidential as the data on our laptops.

This talk will go over physical access attacks from an attacker’s perspective, discuss ways of coding mobile applications to defend against these kinds of attacks, and discuss some ways of securing our phones as users. Technical details in this talk will focus on the Android platform.

Length: 60 minutes

Speaker Bio: Max Veytsman is a Security Consultant with Security Compass. He specializes in web and mobile security assessments. Max also leads Security Compass’ training development in the mobile space. Max studied Computer Science at the University of Toronto. His interests include cryptography, programming language design, and computer vision.


Date/Time: Wednesday, February 16th, 6:00 PM- How Auditors Certify Computer Systems – A Look at Third Party, Non-Vendor, Legally Mandated System Certifications

Location: 425 Adelaide Street West, Suite 702

Please RSVP to laura at securitycompass dotcom

Description: “Certifications” abound in the world of IT – from signoffs by internal security professionals to the advertising claims of vendors, but few, if any, of these have true legal standing. As a consequence, customers and clients of organizations which process sensitive transactions or retain confidential data are increasingly demanding third party, non-vendor, legally mandated system certification as a pre-requisite to doing business.

• What are these certifications and who can issue them?

• Under what circumstances are certifications likely to be required?

• What standards do certifiers use – and does it matter?

• What information and evidence do auditors need in order to complete their work?

• How can information systems professionals prepare for a certification audit and ensure that the process is ultimately successful?

Our speaker, Jerrard Gaertner, CA•CISA/IT, CGEIT, CISSP, CIPP/IT, I.S.P., ITCP, CIA, CFI, Director of Technology Assurance Services at Soberman LLP, will address these and related questions based on his 25+ years as a systems auditor.

2009


Date/Time: Wednesday, November 10th, 6:30 PM- Using Open Standards to Break the Vulnerability Wheel of Pain

Location: 425 Adelaide Street West, Suite 702

Please RSVP to laura at securitycompass dotcom

Speaker Bio: Ed is the Chief Information Security Officer responsible for the protection and security of all information and electronic assets as well as compliance and ethics across the wide array of business units that make up Orbitz Worldwide on a global basis. These assets include Orbitz, CheapTickets, eBookers, Away.com, HotelClub, RatesToGo, AsiaHotels, and Orbitz for Business.

With over 18 years of experience in information security and technology, Ed has worked with and been involved in protecting information assets at several Fortune 500 companies. Prior to joining Orbitz, Ed served as VP of Corporate Information Security for Bank of America within their Global Corporate and Investment Banking division. His credentials also include several security technology and management roles at organizations such as Ernst & Young, Ford Motor Company, and Young & Rubicam. Ed is a CISSP, CISM, a contributor to the ISM Community, serves on the advisory board to the Society of Payment Security Professionals as well as its Application Security Working Group.

Ed is a frequent speaker at information security events across North America and Europe. Past talks have included venues such as BlackHat, Metricon, CSO, OWASP, The MIS Institute, The Association of Information Technology Professionals, Technology Executives Club, and the National Business Travel Association. Additionally Ed is a contributing author to the O’Reilly book Beautiful Security.


Meetings November 5th, 2009 (THURSDAY)

Location: 285 Victoria Street, 3rd Floor (Room number VIC306) NEW Location.

Date/Time: November 5th, 2009, 6:00-7:30 PM EST (THURSDAY)

Title: Software Assurance Maturity Model

Speaker: Pravir Chandra, Fortify Software

Description: Software Assurance Maturity Model (OpenSAMM). The Software Assurance Maturity Model (SAMM) is an open framework for building a security assurance program into a software development organization. Covering more than typical SDLC-based models for security, SAMM enables organizations to self-assess their security assurance program and then use recommended roadmaps to improve in a way that’s aligned to the specific risks facing the organization. Beyond that, SAMM enables creation of scorecards for an organization’s effectiveness at secure software development throughout the typical governance, development, and deployment business functions. Scorecards also enable management within an organization to demonstrate quantitative improvements through iterations of building a security assurance program.

This workshop will introduce the SAMM framework and walk through useful activities such as assessing an assurance program, mapping an existing organization to a recommended roadmap, and iteratively building an assurance program. Time allowing, additional case studies will also be discussed. OpenSAMM is an open and free project and has recently been donated to the Open Web Application Security Project (OWASP) Foundation. For more information on OpenSAMM, visit http://www.opensamm.org/

Bio: Pravir Chandra is Director of Strategic Services at Fortify Software and works with clients on software security assurance programs. Pravir is recognized for his expertise in software security, code analysis, and his ability to strategically apply technical knowledge. Prior to Fortify, he was a Principal Consultant affiliated with Cigital and led large software security programs at Fortune 500 companies. Pravir co-founded Secure Software, Inc. and was Chief Security Architect prior to its acquisition by Fortify. He recently created and led the Open Software Assurance Maturity Model (OpenSAMM) project with the OWASP Foundation, leads the OWASP CLASP project, and also serves as a member of the OWASP Global Projects Committee. Pravir is author of the book Network Security with OpenSSL.


Meetings August 19th, 2009

Location: 285 Victoria Street, 4th Floor (Room number VIC405) NEW Location.

Date/Time: August 19th, 2009, 6:00-7:30 PM EST

Title: Will you be PCI DSS Compliant by September 2010?

Speaker: Michael D’Sa, Visa Canada

Description and Bio: At this informative session, Michael D’Sa, Visa Canada’s Senior Manager of Data Security and Investigations will talk to you about PCI DSS compliance within the Canadian marketplace. Michael will present the emerging data compromise trends, and will review the Canadian deadlines and mandates for Visa merchants. Michael D’Sa is the Senior Manager responsible for Data Security and Investigations at Visa Canada. Working at Visa Canada for over 14 years, Mr. D’Sa is currently in the Payment System Risk group. His responsibilities include managing the Account Information Security program, managing Data Compromise incidents, and supporting Visa banks on fraud investigations. Mr. D’Sa also acts as the primary liaison for Law Enforcement on Visa related fraud matters.


Meetings May 13th, 2009

Location: 4-179B, 121 King Street West, Toronto (same as last time)

Date/Time: May 13th, 2009, 6:45-8:00 PM EST

Title: Cross Site AJAX Hacking

Description: The era of AJAX technologies has only been possible after XMLHttpRequest released its full potential. But XMLHttpRequest has had a number of security concerns, in particular due to its ability to create flexible requests against web sites without the user’s knowledge. Up to now, the same origin policy limited the impact of this issue.

The Web 2.0 vision calls for the flexible use and rendering of information in mash-ups created by mixing content from various sources on the fly. This idea is not easily implemented in JavaScript due to same origin restrictions. In order to allow for these features, XHR Level 2 and XDR have been developed to remove the same origin policy and allow the ability to request information from various sites. Current browsers make these functions available to developers and you will soon find sites that require them. The presentation will provide information on the mechanics of these cross site AJAX calls and their security impact.

As an add-on to the discussion - It has been a year since Johannes Ullrich has given a talk on the DShield Web App honeypot project. I will provide a small update on the progress of this project. It’s a low key project but you may be amazed at what we are doing.

Presenter: Jason Lam

BIO: Jason is a senior security analyst at a major financial institution in Canada. He is also an author and instructor for SANS Institute where he writes courses on pentesting and defending web applications. In his ever diminishing free time, he helps with the SANS Internet Storm Center as an incident handler. He leads the DShield web honeypot project, where logs from web honeypots all over the world are collected and analyzed.


Meetings April 8th 2009

Wednesday April 8th 2009, 6:00-8:00 PM EST at D&T, 4-179B, 121 King Street West, Toronto.

Topic: A Laugh RIAt – Rich Internet Application Security

Speaker: Rafal M. Los

Description: Rich Internet Applications [RIA] are popping up everywhere! Enterprises and boutique online shops alike are rushing to adopt these technologies without really thinking of the implications of moving pseudo-server functionality to the user’s desktop and browser. Hacking these applications has now moved from the challenge of compromising the server, to the significantly smaller challenge of compromising the client. You’ll be able to witness (and try!) first-hand how to manipulate an AJAX-rich web application you or your colleagues probably use many times; as well as see and understand how breaking down a Flash binary object (SWF file) isn’t difficult. These types of applications are now treasure-troves of goodies… don’t miss out on the simple ways you can security test these technologies on your desktop today!

Future Talks:

• May: Douglas Simpson, Cenzic

• Jun: Jamie Gamble, Security Compass

• Jul: Jason Lam

• Aug: Joe Bates

• Sep: Tyler Reguly, nCircle

We are looking for speakers, if you are interested in speaking on security topics please email Nish Bhalla

2008


Meetings November 13th 2008

Location: 4-179B, 121 King Street West, Toronto (same as last time)

Date/Time: November 13th 2008, 6:00-7:30 PM EST

Title: Web Application Security and the PA-DSS

Description: The Payment Card Industry’s (PCI) Payment Application Data Security Standards (PA-DSS) version 1.1 was released in April 2008, and has implications for every payment application vendor whose product is sold, distributed, or licensed “as is”. This discussion will provide a soft introduction to the payment application audit procedures and will match PA requirements to each phase of the software development lifecycle. Whether you are a web application developer, tester, vendor or just interested in PCI and Payment Applications, this talk will have a message for you.

Presenter: A M Westgate M.Sc., B.Ed., CISSP, QSA, PA-QSA

BIO: A M brings a range of experience as a security systems analyst, a software engineer and as an information security instructor. She has participated in PCI Compliance engagements and PCI gap assessments. In addition, she has been the primary consultant on PA-DSS Validation, PA gap assessments and remediation engagements. A M has over 5 years experience in security software engineering, and has worked in Canada, USA, Ireland and England. She is a confident speaker, and a part time instructor of the CISSP preparation course in the continuing education department at a local university.


Meetings August 14th 2008

Location: 4-179B, 121 King Street West, Toronto (same as last time)

Date/Time: August 14th 2008, 6:00-7:30 PM EST

Title: An Introduction To Reverse Engineering Malware

Session Abstract: This talk will cover the basics of setting up an environment to reverse engineer malware, and an introduction to some tools and techniques that can be used to determine what exactly that bit of unknown, potentially hostile code does. While this is an introductory talk, we’ll definitely cover more than “run strings on the binary and see what you get!”

Presenters: Seth Hardy, MessageLabs Inc.

BIO: Seth Hardy recently moved to Toronto to do reverse engineering work for MessageLabs, as part of their antivirus research and response group. Before that, he worked mostly in the areas of vulnerability research and cryptography. In his spare time, Seth likes to work on community-building projects both online and off. He currently holds the GIAC GREM certification, and should have the CISSP before this presentation; if not, feel free to mock him mercilessly for it.


Meetings July 16th 2008

Location: 4-179B, 121 King Street West, Toronto (same as last time)

Date/Time: July 16th 2008, 6:00-7:30 PM EST

Title: Business Logic Flaws

Session Abstract: How they put your websites at risk. Session handling, credit card transactions, and password recovery are just a few examples of Web-enabled business logic processes that malicious hackers have abused to compromise major websites. These types of vulnerabilities are routinely overlooked during QA because the process is intended to test what a piece of code is supposed to do and not what it can be made to do. The other problem with business logic flaws is that scanners can’t identify them, IDS can’t detect them, and Web application firewalls can’t defend against them. Plus, the more sophisticated and Web 2.0 feature-rich a website, the more prone it is to have flaws in business logic. The presentation will provide real-world examples of how pernicious and dangerous business logic flaws are to the security of a website. We’ll also show how best to spot them and provide organizations with a simple and rational game plan to prevent them.

Presenters: Trey Ford, Director, Solutions Architecture, WhiteHat Security, Inc.

BIO: Trey Ford is the Director of Solutions Architecture at WhiteHat Security, providing strategic guidance to WhiteHat customers and prospects on their website security programs. Mr. Ford also spearheads WhiteHat’s participation in the PCI Standards Council and assists customers in selecting WhiteHat services for compliance with the PCI Data Security Standard. In addition, Mr. Ford is a frequent speaker at industry events. Prior to WhiteHat, he was the Compliance Practice Lead at FishNet Security, an information security services provider based in Kansas City. Mr. Ford also founded and operated Eclectix, a technology consultancy. He is a Certified Information Systems Security Professional (CISSP), a Microsoft Certified Systems Engineer, a Cisco Certified Networking Associate (CCNA), and a Payment Card Industry Qualified Data Security Professional.


Meetings June 18th 2008

Location: The next chapter meeting will be held on June 18th at D&T, 4-179B, 121 King Street West, Toronto.

Date/Time: June 18th 2008, 6:00-7:30 PM EST

Description: Testing for certain web application vulnerabilities is tedious and time-consuming, and when combined with time constraints, full testing coverage is often not achieved. ExploitMe is a series of Open Source Firefox plugins released by Security Compass for this purpose - automated detection of XSS, SQL Injection, and access control (including the recently released HTTP verb tampering) vulnerabilities.

In this presentation Tom Aratyn and Sahba Kazerooni of Security Compass will demonstrate how the Exploit-Me series of tools can be used during penetration testing to find security vulnerabilities in real web applications.

Presenters: Tom Aratyn (Developer, ExploitMe Series), Sahba Kazerooni (Security Consultant, Security Compass)


May 13th 2008 Meeting

The next chapter meeting will be held on May 13th at a different location: Delta Meadowvale Resort & Conference Center, 6750 Mississauga Road, Mississauga, ON CA, Phone: 905-821-1981. Directions to the meetings

Topic: A Distributed Web Application Honeypot

Date/Time: May 13th 2008, 6:00-7:00 PM EST

Description: DShield.org has been extremely helpful in understanding network based attacks. However, over the last few years many interesting attacks target specific web application flaws which are not detected by DShield’s sensor system. Collecting similar data for web applications has been challenging for a number of reasons. First of all, the data needed to understand a web application attack is much richer, and a simple, efficient data model such as the one used by DShield will not provide sufficient details. If more detailed data, like complete requests, are collected, data privacy issues become more of a problem. Simple obfuscation or pattern replacement techniques are usually not sufficient to safeguard this information, or they will make it impossible to understand the attack. Lastly, many web application attacks use search engines to find vulnerable systems, instead of just attacking random servers. Over the next few months we plan to roll out a distributed web application honeypot. We will describe how this honeypot will be implemented to address these issues.

Speaker BIO: Dr. Johannes Ullrich, SANS Institute. As Chief Research Officer for the SANS Institute, Johannes is currently responsible for the SANS Internet Storm Center (ISC) and the GIAC Gold program. He founded DShield.org in 2000, which is now the data collection engine behind the ISC. His work with the ISC has been widely recognized, and in 2004, Network World named him one of the 50 most powerful people in the networking industry. Prior to working for SANS, Johannes worked as a lead support engineer for a web development company and as a research physicist. Johannes holds a Ph.D. in Physics from SUNY Albany and is located in Jacksonville FL.

OWASP Toronto chapter meetings are open to the public. RSVP is requested by sending an email.


22nd January 2008 Meeting

The next chapter meeting will be held on Jan 22nd on the 20th floor, 79 Wellington Street West, Toronto, ON M5K 1B9. Directions to the meetings

Topic: Modern Trends in Network Fingerprinting

Description:

Speaker BIO: Jay Graver and Ryan Poppa are Lead Engineers at nCircle Network Security. They specialize in interrogating applications and services over the network. Their years of experience have been focused on the non-invasive detection of vulnerabilities.

Current areas of research include: HTTP server analysis, graph theory, SSL library fingerprinting and unobfuscation techniques.

Based in Toronto Ontario, they hold degrees from University of Guelph and the University of Waterloo. You can find their latest posts at blog.glaciertech.ca & numerophobe.com


Past Presentations for Download

The past presentations are available for download from here. If you have any comments on the presentations please send them to us. Please note some presenters choose not to share their material.