- OWASP OC May meeting: CMD+CTRL Web App Cyber Range CTF, Training, Mentoring
Topic: CMD+CTRL Web Application Cyber Range
Register early to reserve your spot! https://web.securityinnovation.com/owaspoc2019
Want to test your skills in identifying web app vulnerabilities? Join OWASP Orange County and Security Innovation as members compete in CMD+CTRL, a web application cyber range where players exploit their way through hundreds of vulnerabilities that lurk in business applications today. Success means learning quickly that attack and defense are all about thinking on your feet. For each vulnerability you uncover, you are awarded points. Climb the interactive leaderboard for a chance to win fantastic prizes! CMD+CTRL is ideal for development teams to train and develop skills, but anyone involved in keeping your organization’s data secure can play - from developers to managers and even CISOs. This workshop is ideal for all skill levels – beginner to advanced.
* CMD+CTRL platform: a fully-featured Shadow Bank financial application to practice situational awareness like an attacker.
Participants Will Need:
* A laptop to connect to our CMD+CTRL website…and your evil streak! BurpSuite or ZAP are optional, for those already familiar with them.
Schedule:
* 5:30 - 6:00 - Networking & dinner
* 6:00 - 6:15 - Welcome and Kickoff/Intro to CMD+CTRL – How to Think Like an Attacker
* 6:15 - 6:45 - Hack Away!
* 6:45 - 7:00 - Learning Lab #1
* 7:00 - 7:30 - More Hacking!
* 7:30 - 7:45 - Learning Lab #2
* 7:45 - 8:30 - Final Hacking Time!
* 8:30 - 9:00 - Wrap-up, Q&A, and Announce Winners, Prizes
- OWASP OC April meeting: Keeping Hacks Away from Your Hacked-Together App
Speaker: James Shewmaker, President, BLUEN0TCH
Topic: Keeping Hacks Away from Your Hacked-Together App
Abstract: The real world is ripe with kludgy systems. Scripts are the duct tape of the digital world—useful but not resilient. James will speak about security issues encountered during development of the Bunker011 Hacking Game Project: script security, REST shims, and "breakable" modules. Consider the fact that your application will be hacked; make it hackable in a specific way—for easy recovery.
Speaker Bio: James Shewmaker is the founder and principal consultant at Bluenotch Corporation, Long Beach, California, which provides customized security services focusing on investigations, penetration testing, and analysis. James authored and maintains the post-exploitation content in the SANS Security 660: Advanced Penetration Testing, Exploit Writing, and Ethical Hacking course. Before becoming a SANS Certified Instructor in 2009, his creative technical work led him on many adventures, including "The Great Translator Invasion of 2003". James led the development and operations for NetWars as a US Cyber Challenge game in June 2009. He is currently developing an independent cyber challenge, Bunker011, and is involved in the US Cyber Challenge as an instructor at Cyber Camps. James regularly teaches a Tactical Offense and Defense day at SANS Security events.
Schedule:
* 6:00pm Taco bar, Drinks & Networking
* 6:40pm Presentation (followed by Q&A)
A raffle will be held at the end of the meeting for OWASP swag and free conference passes to the ISSA LA Summit, LayerOne and AppSec Cali 2020 conferences. You must be present to win.
- OWASP OC March meeting: API/REST/Webservice Security / Practicing Mindfulness
Speaker: Jim Manico, Founder, Manicode Security
Topic: API/REST/Webservice Security
Abstract: APIs are built on the foundation of the same technology that is used to build web applications. Therefore, many of the standard web security defenses apply when building webservices. However, stateless and other specialized patterns make defending APIs different from normal web security in some regards. Access control, request forgery, session management, and other security layers, while familiar, often require different security designs in APIs. This module will review these needed security patterns as well as a host of other specialized attacks and defenses that developers need to be aware of when building secure APIs.
Speaker Bio: Jim Manico is the founder of Manicode Security, where he trains software developers on secure coding and security engineering. He is an investor/advisor for Signal Sciences and BitDiscovery. Jim is also a frequent speaker on secure software practices, is a member of the JavaOne rockstar speaker and Java Champion community, and is the author of "Iron-Clad Java: Building Secure Web Applications" from McGraw-Hill and Oracle Press. Jim also volunteers for the OWASP Foundation, where he helps build application security standards and other documentation. You can find Jim on Twitter at @manicode (https://twitter.com/manicode).
++++++++++++++++++++++++
Speaker: Vivek Kashyap, Sr Manager - IT Operations, AT&T; Coach/Motivational Speaker, Mindfulness & Emotional Intelligence
Topic: Practicing Mindfulness for Technical Teams / Busting the Malware of Stress using the Anti-Virus of Mindfulness
Abstract: Stress is a form of pain that comes to tell you there is something which you need to change. Do you know that more than 75 percent of physician office visits are for stress-related ailments and complaints? “Over 90% of disease and illness today is based on lifestyle and stress, not genetics.” (Bruce Lipton) Just like any dangerous virus or malware, stress can infiltrate all aspects (mental, physical & emotional) of your being and reduce your ability to function at optimum levels. Mindfulness is the best antivirus to recognize, manage and remove stress from your system. Learn how to recognize stress and use the tools of mindfulness to manage it effectively. Research suggests that people who practice mindfulness have more cognitive flexibility, are able to see beyond what they’ve already done, and are better at solving problems requiring insight. This facilitates what creativity experts refer to as the incubation and insight stages of the creative process. Mindfulness fuels creativity and innovation!
Bio: Vivek Kashyap is a technology professional and a Certified Heart Intelligence Coach who brings clarity and insight into his clients’ lives. He has studied and taught meditation for over 25 years and has conducted many programs on Emotional Mastery, Mindfulness, Stress Reduction, and Empathic and Heart Intelligence. Vivek works with organizations to help facilitate their journey into Mindfulness, Heart Centered Leadership and Empathic Intelligence. As an experienced manager, he helps leaders increase their effectiveness through enhanced communication skills, enabling them to build more trusting and cohesive teams. He has successfully developed mindful communities in corporate environments, which have created more open and connected cultures, increased engagement, and inspired innovation.
Schedule:
* 6:00pm Food, Drinks & Networking
* 6:30pm Mindfulness presentation
* 7:00pm Webservice Security presentation (followed by Q&A)
A raffle will be held at the end of the meeting for OWASP swag and a free conference pass to the AppSec Cali 2020 conference. You must be present to win.
- OWASP OC February meeting: I found a dangerous query! / Giving interesting talks
Speakers: Ken Kantzer, Founding Partner at PKC Security; Josh Maddux, Software Engineer at PKC Security
Topic: I found a dangerous query, now what?!
Abstract: We’re all familiar with the common SQLi/XSS/CSRF vulnerabilities you’d find in a generic app, but what happens when you’re facing an IoT device or a Salesforce integration, and a particular attack avenue that works elsewhere isn’t as easily exploitable? Finding vulnerabilities is still achievable, but exploitation requires a different set of techniques. We’ll be diving into several real-life vulnerabilities to see what new things are being discovered in the AppSec world.
Speaker Bio: Josh Maddux is a software engineer and security researcher at PKC. He got his start studying mathematics at the University of Oklahoma, where as an intern he wrote tools for MSCI in the portfolio analytics space. After graduating, he moved out to Los Angeles to write software. He's the proud holder of a CVE. When he's not coding, he enjoys playing violin, building robots, and thinking about timing attacks. Ken Kantzer leads PKC's security consulting efforts — conducting code security audits and developing secure applications for companies of all shapes and sizes. Before PKC, Ken was a Senior Consultant at Booz Allen Hamilton, where he worked in cybersecurity for the defense and oil & gas sectors. Ken holds a Politics degree from Princeton University.
++++++++++++++++++++++++
Lightning Talk Speaker: Dominique Vance, actress, musician, teacher
Lightning Talk Topic: Sidestepping performance anxiety & giving interesting talks
Abstract: When surveyed, people consistently fear public speaking more than anything else. Yet we all have to do it to some extent. How can we be engaging, and most importantly not too terrified to actually speak? We will go over suggestions to mitigate performance anxiety and improve technical presentations.
Bio: Dominique Vance runs small businesses and recently pivoted to cybersecurity. She is also an actress, violinist, poker dealer and teacher, and management consultant. A child prodigy, she finished business and law degrees while performing all over the world on piano and violin. She has both soloed in Carnegie Hall and played CBGB’s. When not being an entrepreneur, she trains martial arts, studies Python and goes by Domino at cons.
Schedule:
* 6:00pm Food, Drinks & Networking
* 6:40pm Lightning talk
* 7:00pm Technical presentation (followed by Q&A)
A raffle will be held at the end of the meeting for OWASP swag and a free conference pass to the AppSec Cali 2020 conference. You must be present to win.
- Webster Univ CyberSecurity Series: Securing the Enterprise in a DevOps World
Webster Irvine Campus ∙ 32 Discovery, Suite 250 ∙ Irvine
Presented by OWASP OC and Webster Irvine
Please RSVP here: http://bit.ly/owaspwebsterfeb2019 Do not waitlist yourselves on this meetup page...
Speaker: David Wayland, Director of Information Security at a Fortune 500 financial company
Subject: Securing the Enterprise in a DevOps World
Abstract: Today’s enterprises are really software companies. Securing a global enterprise requires security, development, vulnerability management, and compliance and risk professionals to understand the engagement and inflection points in the software development life-cycle — and their roles in accelerating it. In this session, a Fortune 500 financial company will describe its journey to securing its highly regulated enterprise in a DevOps world—a technological and cultural transformation that secured its modern software “factory” while delivering on key business drivers.
Speaker Bio: David Wayland (CISSP, ISSAP, ITIL, SCJP, CEA, CAN) is Director of Information Security at a Fortune 500 financial company. He is a DevSecOps evangelist with over 20 years of experience in all aspects of the software development lifecycle and notable success leading small to large teams in a broad range of initiatives in direct support of business objectives.
LinkedIn: https://www.linkedin.com/in/davidwayland/
The Cybersecurity Seminar Series is a partnership of OWASP, ISACA OC, IEEE OC Cybersecurity SIG, and ISSA-OC with Webster Irvine. Links are available on the Cybersecurity Seminar Series Eventbrite page. Seating is limited - no recruiters please for this event.
- AppSec California January 22-25, 2019
The Open Web Application Security Project (OWASP) chapters of California are teaming up to bring you the world-renowned sixth annual AppSec California. The event is a one-of-a-kind experience for information security professionals, developers, and QA and testing professionals, as they gather at the beach from around the world to learn and share knowledge and experiences about secure systems and secure development methodologies. The event takes place January 22-25 on the beach in Santa Monica, California, at the Annenberg Beach House. One- and two-day full training classes on various subjects by expert trainers kick off the conference on the 22nd. World-renowned speakers follow on days three and four (Jan 24 & 25). A great opening party spills onto the beautiful deck of the landmark Annenberg pool on day three, as conference goers network, drink, and eat while they listen to the waves and gaze at the stars. New friendships will be born and new techniques for securing your environments and applications will be shared, as you become inspired by your peers.
You MUST register here to gain admittance: https://2019.appseccalifornia.org/index.php/register/
The Open Web Application Security Project (OWASP) is an open community dedicated to enabling organizations to develop, purchase, and maintain applications and APIs that can be trusted. At OWASP you'll find free and open:
* Application security tools and standards
* Complete books on application security testing, secure code development, and secure code review
* Presentations and videos
* Cheat sheets on many common topics
* Standard security controls and libraries
* Local chapters worldwide
* Cutting edge research
* Extensive conferences worldwide
* Mailing lists
Learn more at: https://www.owasp.org. All of the OWASP tools, documents, videos, presentations, and chapters are free and open to anyone interested in improving application security. We advocate approaching application security as a people, process, and technology problem, because the most effective approaches to application security require improvements in all of these areas. OWASP is a new kind of organization. Our freedom from commercial pressures allows us to provide unbiased, practical, cost-effective information about application security. OWASP is not affiliated with any technology company, although we support the informed use of commercial security technology. OWASP produces many types of materials in a collaborative, transparent and open way. The OWASP Foundation is the non-profit entity that ensures the project's long-term success. Almost everyone associated with OWASP is a volunteer, including the OWASP Board, Chapter Leaders, Project Leaders, and project members. We support innovative security research with grants and infrastructure. Come join us!
Use promo code "OWASP25off" for a 25% discount off conference (only) registration.
- 3rd Annual OC User Groups (OCUG) Holiday BASH 2018
- OWASP OC November dinner meeting: Squashing Emotet
Speaker: Sig Murphy, Consulting Director, Cylance
Topic: Squashing Emotet – Responding to 2018’s Most Active Threat
Abstract: The threat landscape is changing once again – and the past couple of months have seen the resurrection and resurgence of a familiar threat: Emotet. Emotet is a destructive piece of malware that has served numerous purposes over the years, including stealing data and eavesdropping on network traffic. The malicious team that created Emotet has changed its business model. They now create custom versions of malware that use Emotet as the delivery mechanism to introduce other trojans. By doing this, they have effectively changed the threat landscape for millions of companies across the world. Don't leave your organization exposed. Join Cylance’s Consulting Director Sig Murphy as he discusses:
* The evolution of Emotet, including the latest variants
* Recommended practices for mitigating the risk
* Using prevention as a defensive strategy
Speaker Bio: As a Consulting Director, Sig is responsible for business and personnel management, new business development, and services sales. In addition, Sig oversees the successful delivery of tactical and strategic services as well as the implementation and integration of Cylance's innovative and preventative cybersecurity solutions, designed to improve the security posture of clients and safely enable their core business initiatives. Prior to joining Cylance, Sig served as Vice President of Services for Fidelis Cybersecurity, where he was responsible for the success of Fidelis’ cybersecurity engagements. In that role, Sig served as the project lead for many high-visibility incident response matters, including the TJX intrusion, the 2016 DNC breach, and a breach at a major U.S. stock exchange. Prior to joining Fidelis, Sig served at the DoD Cyber Crime Center (DC3) for 12 years.
Schedule:
* 6:00pm Food, Drinks & Networking
* 6:40pm Presentation (followed by Q&A)
A raffle will be held at the end of the meeting for OWASP swag and a free conference pass to the AppSec Cali 2019 conference. You must be present to win.
- Webster U CyberSec: In-Vehicle Security: Implications for the Auto Supplier
Webster Irvine Campus ∙ 32 Discovery, Suite 250 ∙ Irvine
Presented by OWASP OC and Webster Irvine
RSVP here: http://bit.ly/owaspwebsteroct2018
Speaker: Aaron Guzman, Director, Aon’s Cyber Solutions Group
Subject: In-Vehicle Security: Implications for the Auto Supplier
Abstract: As the automotive industry continues to introduce bleeding-edge technology, vehicles have become increasingly intelligent, expanding the automotive attack surface far beyond traditional paradigms. We are living in a world of connected and autonomous vehicles, with expectations that our means of transport are resilient in the face of malice. OEMs, along with numerous integrators and hardware/software suppliers, support the daunting task of holistically securing a vehicle’s ecosystem. But how can we know this for sure? In this presentation, we will discuss the latest in-vehicle security attack trends and supplier third-party risk, and provide mitigative solutions suppliers can employ in their development processes.
Speaker Bio: Aaron Guzman is a Director with Aon’s Cyber Solutions group, also serving as Head of Automotive & IoT. Aaron is well versed in performing application, IoT, automotive and embedded device security assessments. Mr. Guzman has extensive public speaking experience delivering conference presentations, trainings, and workshops globally. Aaron is a Board Member for the Open Web Application Security Project (OWASP) Los Angeles and Cloud Security Alliance SoCal (CSA SoCal), a Technical Editor for multiple IoT security related books, and Co-Author of “IoT Penetration Testing Cookbook” with Packt Publishing. Over the years, he has contributed to many IoT security guidance publications and leads the OWASP Embedded Application Security project, providing practical guidance to the embedded and IoT community on addressing the most common firmware security vulnerabilities.
Twitter: @scriptingxss
LinkedIn: https://www.linkedin.com/in/scriptingxss/
The Cybersecurity Seminar Series is a partnership of OWASP, ISACA OC, IEEE OC Cybersecurity SIG, and ISSA-OC with Webster Irvine. Links are available on the Cybersecurity Seminar Series Eventbrite page. Seating is limited - no recruiters please.
- AppSec USA 2018
AppSec USA - October 8-12, 2018
Fairmont Hotel, San Jose, California
Security through Enablement
https://2018.appsecusa.org/
Welcome to the OWASP Annual AppSec USA Security Conference, the premier application security conference for developers and security experts. AppSec USA provides attendees with insight from leading speakers on application security and cyber security, training sessions on various applications, networking, connections and exposure to the best practices in cybersecurity. The event begins with thirteen different hands-on pre-conference training programs from October 8-10, 2018. This is an exceptional opportunity to attend one of the many hands-on training courses offered by well-known industry experts and future pioneers of the application security industry. The main conference spans two days, from the 11th to the 12th of October 2018, offering four full tracks of talks: for pen-testers and ethical hackers, for developers and security engineers, on DevOps practices, and GRC/risk-level talks for managers and CISOs. The week is packed full of exciting opportunities and distractions such as the Women in AppSec gatherings, Capture The Flag, the Career Fair and a great evening out at the AppSec USA 2018 Networking Event at the Science Museum of San Jose. There is so much to do at AppSec USA; it’s a perfect blend of training, experiences, networking and fun.
Why should you attend the AppSec USA 2018 Conference?
* Technical talks by experts in security, DevOps and cloud
* Panels to debate tough topics
* Training sessions for hands-on learning in top security areas
* Keynotes from well-known industry leaders
* Vendor booths to promote the latest advances in security technology services
* A variety of other activities such as capture the flag, security tool training, and more