OWASP Portland Training Day

Training Day

For the fifth year, the Portland OWASP chapter is proud to host our information security training day! This will be an excellent opportunity for the local Portland security community to receive top quality information security and application security training for prices far lower than normally offered. This year’s training day will be a fully virtual event which includes a morning keynote, two morning sessions, a lunch panel, two afternoon sessions, and an all-day CTF.

The 5th annual OWASP Portland Training Day will be held on October 13, 2021.

Want to get news and information on our 2021 Training Day? Subscribe to the Portland OWASP mailing list or follow @PortlandOWASP on Twitter!


How to Register

Eventbrite Registration

Join our OWASP Slack channel: #owasppdx-training-day-2021


Schedule

| Time | Course | Course | CTF |
|---|---|---|---|
| 8:45 AM - 9:20 AM | Keynote - A Weighty Discussion of Frivolous Things (Adam Shostack) | | |
| 9:30 AM - 12:00 PM | Intro to pen testing and Burp (Debolina De) | Securing the Cloud, Basic Hygiene (Andrew Krug) | CTF |
| 12:15 PM - 1:15 PM | Lunch Panel - Building a career in infosec (Dave Dyk, Hadas Cassorla, Jason Blanchard, Jay Berry, Mike Hanley, Deveeshree Nayak) | | |
| 1:30 PM - 4:00 PM | Threat modeling with Threat Dragon (Jon Gadsden) | Google Cloud Platform Security (Wu-chang Feng & Wenjing Wu) | CTF |

Thank you to the OWASP Foundation and the many sponsors, trainers and volunteers who have helped make Training Day a success and allow us to continue!


Courses

Courses will be held in two tracks: morning sessions and afternoon sessions. Each participant can register for one morning course, one afternoon course, or one of each. You may register for at most two courses in total: one in the morning and one in the afternoon.

Intro to pen testing and Burp - Debolina De

Bio

Debolina is an experienced cybersecurity researcher and now professional driven by curiosity and a motto of knowledge being timeless. Having keen interest and acquired knowledge in security, she joined Ernst and Young as a cybersecurity consultant where she had multiple Fortune 500 companies as her playground as part of their Center of Excellence. She then moved into the depths, actively researching IoT and 5G security under some of the brightest minds at Johns Hopkins University. The recognized results gave her the opportunity to interact and share her observations with peers across the globe as a speaker at the Grace Hopper. She now continues to do so at multiple conferences and has even joined Synopsys, California in their efforts to provide the best security in multiple platforms and paradigms.

Talk Description

The session aims to cover security at varied depths, starting with an initial understanding of priorities in cybersecurity as well as vulnerability trends on multiple platforms. It includes an in-depth workshop on Burp Suite that highlights not only the use of the tool as a powerful interceptor but also what plays in one's mind at various stages of the application when given the opportunity to mend its behavior. This should help developers think about what must be taken care of from the very initial stages of application planning. The session is open to approaches and experienced observations in both directions.


Threat modeling with Threat Dragon - Jon Gadsden

Bio

Jon is a software security engineer at ForgeRock with over eight years of experience in product security. He is more of a defender than an attacker, and concentrates on encouraging a secure development lifecycle within development teams - and in particular threat modeling. Jon has been a long term contributor to the OWASP Threat Dragon open source project and is co-leader of the project alongside Mike Goodwin, the founder of Threat Dragon. His interest in threat modeling started when he saw that it was an often neglected activity in the secure lifecycle, which puzzled him because it is a wide ranging task that is popular with development teams. From that time he has not looked back and works on threat modeling tools, presents threat modeling at OWASP chapter meetings and reassures development teams that threat modeling is both enjoyable and useful.

Talk Description

OWASP Threat Dragon is a tool used to help create threat models, usually as part of a secure software development lifecycle. It is a tool that has been written with a focus on simplicity and accessibility which makes it popular among development teams. This workshop session will be useful for engineers and managers alike who want to find out what Threat Dragon is and to then go on to create a real world threat model. No prior experience with Threat Dragon is necessary but a basic knowledge of threat modeling and risk analysis would certainly be an advantage. The workshop will start off with installation and running of Threat Dragon and then move on to interactively showcasing the various features of the tool. Once basic proficiency is gained then there is a run through of a simple threat model and then finishing off with a practical model. Questions are encouraged throughout the workshop and it is sure to be an interactive and fun session.


Google Cloud Platform Security - Wu-chang Feng & Wenjing Wu

Bio - Wu-chang Feng

Wu-chang Feng is a professor in the Department of Computer Science at Portland State University where he works on topics in cloud computing and security. His current projects include developing CTFs and codelabs to teach advanced topics in security as well as performing outreach to high-schools via camps and internships through CyberPDX and Saturday Academy.

Bio - Wenjing Wu

Current PhD student at PSU

Talk Description

Organizations have rapidly shifted infrastructure and applications over to public cloud computing services such as AWS, Google Cloud Platform, and Azure. Unfortunately, such services have security models that are substantially different and more complex than traditional enterprise security models. As a result, misconfiguration errors in cloud deployments have led to dozens of well-publicized breaches. In this workshop, we will walk through levels of Thunder CTF, a scaffolded, scenario-based CTF for helping students learn about and practice cloud security skills on Google Cloud Platform. Thunder CTF contains both an attack path and a forensic path to allow players to role-play both an offensive and defensive role in the cloud. The workshop will require access to a Google Cloud Platform account.


Securing the Cloud, Basic Hygiene - Andrew Krug

Bio

Andrew Krug is a Security Engineer specializing in Cloud Security and Identity and Access Management. Krug also works as a Cloud Security consultant and started the ThreatResponse project, a toolkit for Amazon Web Services first responders. Krug has been a speaker at Black Hat USA, DerbyCon, and BSides PDX.

Talk Description

In this training session you'll learn the basics of starting up an AWS account: what to enable, disable, and lock down. We'll wrap up the session with a little log exercise. Participants will need to have a brand new AWS account already registered to a valid email address in order to participate. This is a short-form version of content from one of the days of https://wildwesthackinfest.com/antisyphon/securing-the-cloud/, which is also taught by the instructor.



Keynote - A Weighty Discussion of Frivolous Things

In a world where our gas and our burgers are under threat by Russian CRIMINALS, how can anyone take their shoulder from the grindstone, their eye off the ball, their hands from the wheel … it all seems pretty convoluted, doesn’t it? Doing the same thing over and over doesn’t seem to be solving our problems, and Adam will share some tools and frames that have worked for him and will empower you to achieve more and have fun while making the world a better place.

Bio: Adam Shostack

Adam is a leading expert on threat modeling, and a consultant, entrepreneur, technologist, author and game designer. He’s a member of the BlackHat Review Board, and helped create the CVE and many other things. He currently helps many organizations improve their security via Shostack & Associates, and helps startups become great businesses as an advisor and mentor. While at Microsoft, he drove the Autorun fix into Windows Update, was the lead designer of the SDL Threat Modeling Tool v3 and created the “Elevation of Privilege” game. Adam is the author of Threat Modeling: Designing for Security, and the co-author of The New School of Information Security.


Lunch Panel - Building a career in infosec

Dave Dyk

Dave Dyk is the VP/Information Security & Risk at Betterment. Betterment is on a mission to empower people to do what’s best with their money so they can live better. Dave is responsible for the company information security program, ERM, and operational risk. Prior to joining Betterment, Dave has led information security risk management, product security, privacy, and other risk disciplines in financial services and as a consultant.

Hadas Cassorla

Hadas Cassorla, JD, MBA, CISSP has a lot of letters after her name, but the three letters she cares the most about are Y-E-S. Marrying her business, legal, IT and improv backgrounds, she is the CISO of M1 Finance and has built her career helping organizations create strong, actionable and implementable security programs by getting buy-in from the boardroom to the basement. Her focus is on helping companies enable scaled, thoughtful security. She has built corporate security offices from the ground up and helped develop them into departments of Security as a Service. Hadas likes to find the fun in security enablement to make it more approachable.

Jason Blanchard

Jason Blanchard is the Content & Community Director for Black Hills Information Security and is responsible for creating and producing educational infosec content and for building and fostering the infosec community. He has a background in education, marketing, and content creation. Jason also does a livestream twice a week on Twitch for professionals that are job hunting, where he gives practical advice to viewers on the steps to take to land a new job. He enjoys doing stand-up comedy to practice his public speaking skills and shares his knowledge with anyone who'd like to hear it.

Jay Berry

Jay Berry obtained a degree in Computer Science at the University of Pittsburgh and now works as a Security Engineer at Community. She was a Java Engineer reformed to Application Security and has worked at companies of all sizes (from 3 to 12,000 people). She loves pole vaulting, yoga, video games, and her menagerie.

Mike Hanley

Mike Hanley is the Chief Security Officer at GitHub. Prior to GitHub, Mike was the Vice President of Security at Duo Security, where he built and led the security research, development, and operations functions. After Duo’s acquisition by Cisco for $2.35 billion in 2018, Mike led the transformation of Cisco’s cloud security framework and later served as CISO for the company. Mike also spent several years at CERT/CC as a Senior Member of the Technical Staff and security researcher focused on applied R&D programs for the US Department of Defense and the Intelligence Community. When he’s not talking about security at GitHub, Mike can be found enjoying Ann Arbor, MI with his wife and seven kids.

Deveeshree Nayak

Deveeshree is an Assistant Teaching Professor at the University of Washington who has a diverse background in the field of cybersecurity (Information System, Computer Engineering, and Criminology and Criminal Justice). She teaches cybersecurity. Deveeshree Nayak is a member of the inclusion working group of WiCyS and has been a member of WiCyS since 2014. She is also a lifetime member of OWASP. She has multiple master's degrees in Information Security, Computer Engineering, and Criminology. So far she has taught or trained over 5,000 underrepresented people in Cyber Security and STEM as an educator, as a volunteer, and as a trainer, and passionately continues to do so. She is a part of the review and program committee for GHC Security and Privacy, I4CS, SciPy 2019, RESPECT 2020.


Tournament registration:

https://discover.securecodewarrior.com/TrainingDay.html

Slack invite:

https://join.slack.com/t/owasppdxtrainingday/shared_invite/zt-vyzh40eb-5zuxoGObKkS9EEz5LnYLsA

When: October 13th, 9:30AM - 4:00PM PT

Secure Code Warrior brings you a defensive security-based tournament from a developer’s perspective. The tournament allows you to test your skill against the other participants in a series of vulnerable code challenges that ask you to identify a problem, locate insecure code, and fix a vulnerability. You don’t need extensive programming knowledge as this will be a great way to learn the foundations and intermediates of leveraging code that is not only functional but is also secure.

You can find the tournament step-by-step guide here: https://youtu.be/o8XhKK_eOOs

The tournament is run virtually, so you can join from your laptop at the most convenient location and time. It should take only a few hours; drop in as you see fit during the event to complete all the challenges and win prizes!

Instructions for playing:

1) Register for the Secure Code Warrior platform here: https://discover.securecodewarrior.com/TrainingDay.html

2) Check your email for the confirmation and access the unique link to create your profile.

3) Once logged in: click “Tournaments”

4) Join the Training Day 2021 Secure Coding Tournament

The Secure Code Warrior platform will be open before and after the tournament, so feel free to practice in the “Training” tab.

Monitor the live leaderboard to see how you’re performing!


2021 Sponsors

Sponsorship Opportunities

Keynote Sponsors

Github Logo

Oracle Logo


Training Session Sponsors

Cambia Health Solutions Logo

ForgeRock Logo

Guidepoint Security Logo


Synopsys Logo


CTF Sponsors

Summit Security Group LLC Logo


Lunch Panel Sponsors

WebMD Health Services Logo


Capsule8 Logo


DeepSurface Security Logo


HackerOne Logo


