- August 2019 Event - OWASP Security with Azure App Gateway WAF and Azure Sentinel
- July 2019 Event - Export to RCE
Date/Time: July 17, 2019, 6:30 PM to 8:30 PM EDT
Location: Room 128 (on the first floor near the library), St. James Campus - Building A, George Brown College, 200 King Street East, Toronto, ON, M5A 3W8

Presentation summary: Export to RCE
Web applications often let users export data as CSV files. Without proper output sanitization, a user can plant cell values that a spreadsheet application interprets as formulas rather than text, and such a poisoned CSV file can lead to remote code execution on the machine of whoever opens it. This presentation assumes no prior knowledge of CSV injection and covers all aspects of the vulnerability: how it works, how to prevent it, and more.

Presenter bio: Adam Greenhill is a senior security consultant at Security Compass. He enjoys staying up to date with the latest security trends and researching new aspects of the industry. Adam is an active member of the security community and has presented at BSides Toronto, OWASP Toronto, Toronto's Cyber Security Meetup, and Sheridan College's ISSessions.
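As an added illustration of the export-side mitigation the talk describes (this is example code written for this page, not code from the presentation or from Security Compass): a Python snippet that writes the same constructed "users" rows twice, once verbatim (vulnerable) and once with every cell neutralized using the approach OWASP recommends for CSV injection, namely prefixing any cell that starts with a formula-triggering character with a single quote and letting the CSV writer quote and escape every field. The sample rows, the hostile display name and the column names are all constructed for the example.

```python
import csv
import io

# Characters that make a spreadsheet application evaluate a cell as a formula
# (or otherwise interpret it) when the CSV is opened.  Tab and carriage return
# are included because some applications strip them and then evaluate the rest.
FORMULA_TRIGGERS = ("=", "+", "-", "@", "\t", "\r")

# Constructed sample export: the "name" column is attacker-controlled.
# Row 2 holds a deliberately hostile test value, not data from any real system.
SAMPLE_ROWS = [
    {"id": 1, "name": "Alice Example", "email": "alice@example.test"},
    {"id": 2, "name": "=cmd|' /C calc'!A0", "email": "mallory@example.test"},
    {"id": 3, "name": "+1 (555) 0100", "email": "bob@example.test"},
    {"id": 4, "name": 'Eve "the" Tester', "email": "eve@example.test"},
]
FIELDS = ["id", "name", "email"]


def export_unsafe(rows):
    """Vulnerable export: user-supplied values are written verbatim."""
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=FIELDS, lineterminator="\n")
    writer.writeheader()
    for row in rows:
        writer.writerow(row)
    return buf.getvalue()


def neutralize_cell(value):
    """Return the cell as text a spreadsheet will not evaluate.

    Only the formula-trigger prefix is handled here; a leading apostrophe
    tells the spreadsheet to render the cell literally.  Field quoting and
    escaping of embedded double quotes are left to the csv writer.
    """
    text = str(value)
    if text and text[0] in FORMULA_TRIGGERS:
        text = "'" + text
    return text


def export_safe(rows):
    """Hardened export: every cell is neutralized before it is written.

    QUOTE_ALL wraps each field in double quotes and doubles any embedded
    quote (RFC 4180), so a value cannot terminate the field early or inject
    a separator.
    """
    buf = io.StringIO()
    writer = csv.DictWriter(
        buf, fieldnames=FIELDS, quoting=csv.QUOTE_ALL, lineterminator="\n"
    )
    writer.writeheader()
    for row in rows:
        writer.writerow({k: neutralize_cell(v) for k, v in row.items()})
    return buf.getvalue()


def is_formula_cell(cell):
    """True if a spreadsheet would treat this parsed cell as a formula."""
    return bool(cell) and cell[0] in FORMULA_TRIGGERS


def unsafe_cells(csv_text):
    """Parse an export back and list the cells that would still be evaluated.

    This is the check to run against an exporter in a test suite: the result
    for a hardened export must be an empty list.
    """
    reader = csv.reader(io.StringIO(csv_text))
    next(reader)  # header row
    return [cell for row in reader for cell in row if is_formula_cell(cell)]


if __name__ == "__main__":
    print("--- unsafe export ---")
    print(export_unsafe(SAMPLE_ROWS))
    print("still evaluated:", unsafe_cells(export_unsafe(SAMPLE_ROWS)))
    print("--- safe export ---")
    print(export_safe(SAMPLE_ROWS))
    print("still evaluated:", unsafe_cells(export_safe(SAMPLE_ROWS)))
```

Two caveats a practitioner should keep in mind. First, the prefix rule is deliberately blunt: a legitimate phone number or negative amount that starts with "+" or "-" is neutralized too, so if those columns must stay numeric, apply neutralization only to free-text columns or export them with an explicit numeric type. Second, this is a server-side defence for the file you produce; whether the spreadsheet on the recipient's machine warns before following external links or DDE-style commands is outside the application's control, so the export must not rely on it.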
- June 2019 Event - Bug Bounties: Good or Evil?
Date/Time: June 19, 2019, 6:30 PM to 8:30 PM EDT
Location: Room 128 (on the first floor near the library), St. James Campus - Building A, George Brown College, 200 King Street East, Toronto, ON, M5A 3W8

Presentation summary: Bug Bounties: Good or Evil?
Are Bug Bounty Programs (BBPs) useful or not? How do you become a bug bounty hunter, and how do you run an effective BBP for your company? In this talk, Gurjant shares his experience as a bug bounty hunter along with some interesting stories he has encountered along the way. He will also discuss whether or not bug bounty programs are beneficial for your company and how to get the most out of them.

Presenter bio: Gurjant Singh is the Information Security Lead at Wealthsimple, a Toronto-based fintech company. In his spare time, Gurjant attempts to stay up to date with the most recent cyber security news and technologies. He also loves teaching and has been featured in the Times of India and Pentest Magazine.
- May 2019 Event - Building a CTF: A Student's Perspective
Date/Time: May 15, 2019, 6:30 PM to 8:30 PM EDT
Location: Room 128 (on the first floor near the library), St. James Campus - Building A, George Brown College, 200 King Street East, Toronto, ON, M5A 3W8

Presentation summary: Building a CTF: A Student's Perspective
CTFs are fun, educational events that have become a staple of the information security community. But have you ever considered what actually goes on behind the scenes to make one happen? In this talk, Cameron Novina will reflect on his experience organizing the first and second annual Sheridan CTFs. This year a custom CTF platform was built, along with an even larger selection of challenges, including cryptography, steganography and, of course, application security. He will cover the obstacles he and the team overcame while implementing challenges designed to be attacked by budding information security professionals, using modern infrastructure and development practices on a tight budget. This talk is aimed at those who have enjoyed a CTF (or many) in their time and want to know what goes into organizing these events, from both a technical and an event-planning perspective.

Presenter bio: Cameron Novina is a Consultant with Deloitte's Cyber Risk Advisory practice and is currently the Vice President of Sheridan College's Information Security Sessions Club. Cam has helped formulate and execute a variety of information security simulations for organizations in the National Capital Region and previously served as the club's president. While not at work or school, Cam wrecks n00bs in Overwatch (highest SR: 3440!) and enjoys tabletop games such as D&D as both a player and a Dungeon Master.
- April 2019 Event - De-identification!
De-identification!
Date/Time: April 17, 2019, 6:30 PM to 9:00 PM EDT
Location: Room 128 (on the first floor near the library), St. James Campus - Building A, George Brown College, 200 King Street East, Toronto, ON, M5A 3W8

Talk Synopsis
De-identification is a way to make data sets containing personal information statistically safe for release. It is fundamentally a risk management solution designed to help companies comply with privacy legislation. This talk will go over:
- The Data Problem: the raison d'être for de-identification
- Implementation Overview: how it is done
- Methodologies: 4 ways to secure personal data

Speaker bio: Erik Service is a data scientist working with Security Compass as a management consultant. Prior to this role, he was a technical lead at Privacy Analytics, where he contributed to the commercialization of a de-identification methodology for pharmaceutical research. His professional interests lie at the intersection of technology and privacy law, with a focus on how people create and consume technology. He is a columnist for Mindthis magazine and plans to launch a blog looking at ways to inject privacy and security into the software development lifecycle. Erik holds a Master of Science from McGill University. He completed a B.A. at the University of Ottawa and is credited as an author on 6 peer-reviewed science publications.
- March 2019 Event - CMD+CTRL CTF!
CMD+CTRL CTF
Date/Time: March 20, 2019, 6:30 PM to 9:00 PM EDT
Location: Room 128 (on the first floor near the library), St. James Campus - Building A, George Brown College, 200 King Street East, Toronto, ON, M5A 3W8

Web Application Cyber Range
Want to test your skills in identifying web app vulnerabilities? Join OWASP Toronto and Security Innovation as members compete in CMD+CTRL, a web application cyber range where players exploit their way through hundreds of vulnerabilities that lurk in business applications today. Success means learning quickly that attack and defense is all about thinking on your feet. For each vulnerability you uncover, you are awarded points. Climb the interactive leaderboard for a chance to win fantastic prizes! CMD+CTRL is ideal for development teams to train and develop skills, but anyone involved in keeping your organization's data secure can play, from developers and managers to CISOs.

Register early to reserve your spot! In addition to signing up on the meetup page, you can also register at Security Innovation's page to receive helpful tips, FAQs, and access to cheat sheets:
- https://web.securityinnovation.com/owasptoronto2019
** Please keep in mind that spots are limited, and registration is on a first-come, first-served basis! **

CTF Proctor bio: Geoff Vaughn is an Application & IT Security expert helping companies secure software and devices throughout all stages of development. He specializes in finding exploitable vulnerabilities in software applications as well as reverse engineering binaries to locate vulnerable code. Check out Geoff's blog here: https://blog.securityinnovation.com/author/geoffrey-vaughan.

Security Innovation
Security Innovation is a pioneer in software security and trusted advisor to its clients. Since 2002, organizations have relied on our assessment and training solutions to make the use of software systems safer in the most challenging environments, whether in web applications, IoT devices, or the cloud. The company's flagship product, CMD+CTRL Cyber Range, is the industry's only simulated web site environment designed to build the skills teams need to protect the enterprise where it is most vulnerable: at the application layer. Security Innovation is privately held and headquartered in Wilmington, MA, USA. For more information, visit www.securityinnovation.com or connect with us on LinkedIn or Twitter.
- Feb 2019 Event - In Root we trust (no this is not a DNS talk)
In Root we trust (no this is not a DNS talk)
Date/Time: February 20, 2019, 6:30 PM to 8:30 PM EST
Location: Room 128, St. James Campus - Building A, George Brown College, 200 King Street East, Toronto, ON, M5A 3W8

Abstract
What do airplanes, TSA PreCheck, credit cards, Windows Updates, and HTTPS all have in common? They all rely on digital certificates as the basis for the security they provide. In this talk Pavan and Lisa will share their expertise on what a digital certificate is, what it can be used for, and why we trust them (or, in some cases, do not). They will cover the fundamentals of Public Key Infrastructure (PKI) and shed light on the critical role that Root Certification Authorities (CAs) play in all of our lives. This talk is aimed at those who are on board with HTTPS everywhere but want to dive into the nuts and bolts of how certificates work and understand the broader applications of PKI.

Speaker Bios:
Pavan is a Manager with Deloitte's Cyber Risk Advisory practice and has performed and led advisory work across a wide variety of domains with a focus on network security, vulnerability management, and data protection. Recently, Pavan's focus has shifted to Public Key Infrastructure (PKI) and the Certification Authorities (CAs) that issue publicly trusted TLS certificates. He has performed audits of both public and enterprise CAs and has been an official witness to several root key generation ceremonies, both in Canada and internationally. While not on an engagement, Pavan attempts to stay up to date on the latest memes by dedicating his time to mentoring youth at his local Air Cadet Squadron.

Lisa is a consultant in Deloitte's Risk Advisory practice. Her specialties include trust considerations of Public Key Infrastructure, cyber security, enterprise risk, internal controls, third-party service auditor reporting, data quality, confidentiality and privacy. Furthermore, she is involved in the development and delivery of training courses within the practice, and in internal innovation initiatives. In her spare time, Lisa is involved with a variety of charitable and not-for-profit organizations and initiatives. Lisa is a member of Deloitte's United Way Campaign Committee and SickKids Campaign Committee and an Advisor for the Junior Achievement Business Program. She previously led a Canada-wide not-for-profit, Science Expo, and is currently developing her next passion project, focused on youth education.
- Jan 2019 Event - Back to the Future of AppSec: Developing Secure Smart Contracts
Back to the Future of Application Security: Developing Secure Smart Contracts
Date/Time: January 23, 2019, 6:30 PM to 8:30 PM EST
Location: Room 128, St. James Campus - Building A, George Brown College, 200 King Street East, Toronto, ON, M5A 3W8

Abstract:
Race conditions, re-entrancy, bad randomness, unchecked calls and integer overflows! No, we're not coding a C++98 application and worrying about the Y2K bug; it's 2019 and welcome to the world of smart contracts! Grab some avocado toast and GAS up for a trip onto the blockchain, because where we're going, we don't need roads. We'll start with an introduction to smart contracts and their place in the distributed ledger technology ecosystem. We'll delve into key vulnerabilities from the SWC (Smart Contract Weakness) registry and link them to real-world impacts. We'll identify smart contract flaws in Solidity and, ultimately, how to mitigate them. We'll end with some key principles for building secure smart contracts and suggested tooling to augment a secure smart contract development flow, all with a dash of lamenting how, by forgetting the past, we are doomed to repeat it. And of course, no talk would be complete without a smart contract CTF challenge, or two, for the taking.

Speaker Bio: Jamie Baxter, M. Eng., OSCP, OSCE, GPEN, CISSP
Principal Consultant & Founder - SRNSEC Inc.
Jamie is an independent security consultant specializing in security assessments, ranging from web application and infrastructure penetration tests to red teaming exercises. Prior to independent consulting, Jamie was the Director of Cyber Security Assessments at RBC, a Senior Penetration Tester for the Department of National Defence, and a developer for over 10 years. When not on an engagement, he can be found competing in and building CTFs or exploring the world of distributed ledger technology security.
- OWASP Toronto - December 2018 Event: Web Application Penetration Testing
Hello everyone! I am happy to announce our last chapter event for 2018. Our guest speakers will be talking about web application penetration testing. Please note that we have a new venue for this month. George Brown College has graciously offered to host us at their downtown St. James Campus. Also, please note that we are starting 30 minutes later than usual, at 6:30 PM EST. As usual, space is limited, so please RSVP on our Meetup event page to confirm your presence.
Thanks,
Yuk Fai
-----
Date/Time: December 5, 2018, 6:30 PM to 8:30 PM EST
Location: Lecture Hall Room 426A - St. James Campus Building A, George Brown College, 200 King Street East, Toronto, ON, M5A 3W8

Event page: Web Application Penetration Testing - Methodology and Approach
Abstract: An introduction to web application penetration testing covering common methodologies and approaches. Topics are: an overview of the business side of how these engagements are commonly run, the methodology and mindset of penetration testing vs. vulnerability assessments, and a demo using industry-standard tools. Recommended for people who are new to the offensive side of security, those interested in learning more about the topic, or those interested in potentially switching from blue to red team.

Bios:
Frank Coburn
Frank is a Consultant who specializes in web application security testing and analysis, and cloud security. I began my career in Canada's financial sector in 2015 and have been performing web application penetration tests for various local and remote clients ever since. I have managed many client relationships and a multitude of other projects in Information Security across various industries. In my copious free time I enjoy working on personal projects such as developing scripts and tooling, and creating testing environments.

Haris Mahboob
I work at Security Compass as a security consultant. I specialize in penetration testing web applications and network infrastructures. I have experience working with industry-standard SAST/DAST tools and manual testing. I come from a healthcare background, working with SIEM tools, vulnerability scanning and management, as well as security auditing. I enjoy spending my free time honing my penetration testing skills by diving into vulnerable VMs and learning about exotic payloads.
- OWASP Toronto - November 2018 Event: DevSecOps Community Survey Working Session
Sonatype DevSecOps Community Survey - Working Session
DevOps is Security's New Front Line

As we embrace movements like CI, CD and DevOps to cut down release cycles and innovate faster, we as developers must also embrace the reality that the risk landscape is too complex to leave "security" to just those with security in their title. Traditional methods do not cut it anymore; it's time for DevSecOps. In the 2018 DevSecOps Community report, for which 2,076 IT professionals were surveyed, 48% of respondents admitted that developers know application security is important but don't have the time to spend on it. Done properly, DevSecOps practices shouldn't interrupt the DevOps pipeline but instead aid it, preventing costly rebuilds and build breaks down the road.

Attendees of this session will walk away with:
- Real-world examples of how large and small companies are implementing DevSecOps practices in their own delivery pipelines and increasing developer awareness of risks
- Key insights from 2,076 of their peers who participated in the 2018 DevSecOps Community report, including where the most mature DevOps practices are focusing their security efforts
- A walkthrough of how security principles have been embedded in a CI/CD pipeline and what standards for implementation are beginning to follow suit

INSTRUCTIONS TO GET TO SECURITY COMPASS OFFICE:
From 5:00 PM to 6:30 PM, the front door will be open. When you reach 390 Queens Quay West, you'll see a big Security Compass sign. The stairs to the 2nd floor are right under the sign. After 6:30 PM, you will need to go through the back door, straight past the concierge to the parking garage elevators, and down to P2. Security Compass is right at the elevator exit. Please press the doorbell when you arrive and someone will let you in.