Details

Special Notice:

Due to the COVID-19 (Coronavirus) pandemic our events will continue online on our YouTube channel.

Subscribe to our YouTube channel, set a reminder and you’ll get a notification as soon as we go live!

https://www.youtube.com/watch?v=qHXOwEyRvLs

We will post information here and on all our other media (email, Twitter, etc.) as we get closer to the date.

7:00 PM EDT: Technical Talks

  1. Announcements

  2. A Client-Side Data Encryption Solution for Cloud-Based Systems

Abstract:
Infrastructure-as-a-Service (IaaS) and Platform-as-a-Service (PaaS) solutions usually offer data-at-rest encryption for common storage solutions like databases and filesystems. This has the potential to reveal sensitive information to the third party’s employees or to any malicious actor. For highly sensitive information this could be undesirable, and in these scenarios it could be highly desirable to encrypt data prior to storing it with an IaaS or PaaS provider to mitigate this risk. In this talk we’ll present two open source Ruby libraries that we have developed to aid in the deployment of solutions that require this degree of protection. We’ll cover the architecture of the solution and the third-party services that they are currently compatible with.

Bio:
Brent Carrara is a software developer turned security professional passionate about building security into large scale systems. As the Head of Security at Ario, he is responsible for establishing and maintaining the security program for the financial technology startup. Brent holds a Bachelor’s degree from the University of Waterloo in Software Engineering, a Master’s degree from the University of Ottawa in Digital Identity and Biometrics and a PhD from the University of Ottawa in Covert Channels. He has published papers in various security topics including information hiding, digital credentials, biometric authentication and covert communication.

Weiyun Lu is a software developer at Thinking Capital with a focus on the security of the platform. He holds Master’s degrees from the University of Ottawa in mathematics (algebras of many-valued and quantum logics) and computer science (formal verification of code obfuscation algorithms). At heart a pure mathematician, he transitioned to the software field out of his interest in cryptography and formal theorem proving. He also has a nocturnal alter ego as a bassist in a metal band that has played throughout Ontario and Quebec.

  3. Enforcing Code & Security Standards with Semgrep

Abstract:
We’ll discuss a program analysis tool we’re developing called Semgrep (https://github.com/returntocorp/semgrep#semgrep). It's a multilingual semantic tool for writing security and correctness queries on source code (for Python, Java, Go, C, and JS) with a simple “grep-like” interface. The original author, Yoann Padioleau, worked on Semgrep’s predecessor, Coccinelle (http://coccinelle.lip6.fr/), for Linux kernel refactoring, and later developed Semgrep while at Facebook.

Semgrep is a free open-source program analysis toolkit that finds bugs using custom analysis we’ve written and OSS code checks. Semgrep is ideal for security researchers, product security engineers, and developers who want to find complex code patterns without extensive knowledge of ASTs or advanced program analysis concepts.

Bio:

Colleen Dai is a security software engineer at r2c, a startup working on building static analysis tools that focus on precision and being custom-fit to the consumer. At r2c, Colleen has worked on the language parsing along with AST matching. She is also writing rules to find security vulnerabilities in open source code. Colleen recently received her B.S. in Computer Science and M.S. in Statistics from Stanford. She regularly enjoys Brazilian Jiu-Jitsu, drawing, and trying (and failing) not to eat everything in her fridge.

Sponsors

University of Ottawa

Venue

uOttawa-IBM CyberRange

Venue

Xanthus Security

Pizza

PacketLabs

SWAG!
