• Free event: INTERFACE-VIRTUAL / Seattle 2020

    Online event

    https://f2fevents.com/evite/sea20-the-advisory-council/
    https://www.f2fevents.com/event/sea20

    Join us at INTERFACE Seattle
    The Advisory Council invites you to attend a CPE-accredited educational conference for IT professionals focusing on the latest developments in this constantly changing information technology environment. As a key-influencer on the evaluation of IT solutions, INTERFACE Seattle was developed for you.

    [[ FIRST ANNOUNCED TALK ]]

    KEYNOTE: Seizing the Castle: A Medieval Battle Technique Workshop
    Presented by Chris Roberts • vCISO, Researcher, Hacker – HillBilly Hit Squad

    INTERFACE Seattle
    December 10th,[masked]:30am – 4:30pm

  • Free event: Virtual 4th Annual Cyber Summit Featuring US DHS

    Free Admission to Virtual 4th Annual Cyber Summit Featuring US DHS this Friday

    (Sounds like there is a limited number of passes in the discount code)

    OWASP is proud to partner with the Official Cyber Security Summit to offer our network in the Pacific Northwest exclusive Free Admission (regularly $95) to the Virtual 4th Annual Seattle Cyber Security Summit held this Friday, October 9th.

    We encourage you to attend this invitation-only event, rated Top 50 InfoSec Conference Worldwide.

    Learn from experts from the U.S. Dept. of Homeland Security, Darktrace, Verizon, IBM, Cisco, and more as they discuss the latest security threats, best practices to prevent a breach, and protocols if you are breached - all from the comfort & safety of your own home / office.

    Earn up to 6 Continuing Education Credits with your attendance.

    Secure Free Admission with Registration Code OWASP20SEA during checkout here:
    https://www.engagez.net/CyberSummitSeattle
    Free passes are limited.

    You may share this invitation with your colleagues in the Pacific Northwest area as well.

    Please note: Admission is for C-Suite/Senior Level Executives, Directors, Managers, and other IT Professionals. Those in Sales / Marketing and Students are not permitted.

    Partial List of Critical Cyber Security Discussions Include:
     Security Orchestration, Automation and How it Relates to Workforce Retention
     Insider Threat - How to Detect Malicious Attacks and Defend Your Organization from the Human Error
     Faking It – Combatting Email Impersonation with AI
     Security by the Numbers: Insights from Verizon’s Recent Research
     The Path to Security Effectiveness
     Navigating Complexity: A Path Through Too Much Choice
     Transparent Security to Enable End User Happiness
     Closing Security Briefing with the U.S. Department of Homeland Security / CISA

  • A [virtual] Evening with OWASP

    Online event

    [[ Streams and Chat ]]

    Youtube livestream with chat
    https://youtu.be/GzanZEfvvog

    OWASP slack for collaborating on the CTF
    https://owasp-slack.herokuapp.com/
    Please use the #chapter-seattle channel to support each other and chat with the locals.

    Telegram
    https://t.me/seahax

    [[ CTF ]]

    Details
    Join us for a gamified online secure coding tournament!

    Compete against your fellow security & developer peers to identify & fix critical vulnerabilities in real-to-life code snippets! 21 frameworks are available to play challenges in, including .Net, Java, Python, Go, Angular, Node, React, iOS, Android, Scala, Ruby, PHP, C++, C, PL/SQL & COBOL!

    Tournament Guide:

    https://www.youtube.com/watch?v=TwbySIg2z2Y

    Instructions for playing:

    ✅1) Register for the Secure Code Warrior platform here: https://discover.securecodewarrior.com/OWASPSeattle-tournament.html
    ✅2) Once logged in: click “Tournaments”
    ✅3) Join the OWASP Seattle Secure Coding Tournament

    [[ Talks ]]

    5pm Pacific
    Secure Django / Flask Development
    Isaac Evans
    https://www.linkedin.com/in/isaacevans

    Web frameworks often come with security best practices, idioms, and guardrails — but they’re not always built-in or properly understood. Having analyzed thousands of open source projects and spoken with hundreds of Python developers, we identified common security pitfalls that are specific to Python web apps. We partnered with authors of major web frameworks and created a set of automated checks that guard against security, reliability, and performance issues.

    Attendees will learn about common security mistakes made when developing Django or Flask web apps and how to use free open-source program analysis tools to find and prevent those mistakes.

    Isaac Evans is the leader of r2c, a small startup working on giving security tools directly to developers. Previously, he conducted research into binary exploitation bypasses for techniques like control-flow integrity and novel hardware defenses on new architectures like RISC-V as a researcher at the US Defense Department under a SFS program and at MIT Lincoln Laboratory. Isaac received his BS/MS degrees in EECS from MIT. Other interests include next-generation programming languages, secure-by-design frameworks, software-defined radio, and the intersection of cryptography and public policy.

    6pm Pacific
    The hitchhiker's guide to secrets for cloud environments
    Abhay Bhargav
    https://www.linkedin.com/in/abhaybhargav

    Secrets are ubiquitous. From API keys to encryption keys, the number of secrets an average app requires for its operations, especially in the cloud, keeps increasing. Unfortunately, developers and practitioners are often unaware of secrets management, resulting in some very serious vulnerabilities.

    In this talk, we discuss how to handle secrets the right way. Concretely, we look at vault-based secrets management for Kubernetes, AWS and Azure environments. Not only do we cover best practices, we also investigate gotchas and implementation nuances across platforms.

    Abhay Bhargav is the Founder of we45, a focused Application Security Company. He is the Chief Architect of “Orchestron”, a leading Application Vulnerability Correlation and Orchestration Framework. Abhay is a speaker and trainer at major industry events including DEF CON, BlackHat, OWASP AppSecUSA, EU and AppSecCali. His trainings have been sold-out events at conferences like AppSecUSA, EU, AppSecDay Melbourne, CodeBlue (Japan), BlackHat USA 2019, SHACK and so on.

    7pm Pacific
    OSS Gadget: a new open source tool, currently in preview, that is kind of like a 'sysinternals' for open source analysts
    Michael Scovetta
    https://www.linkedin.com/in/scovetta

    Features:
    * locate a package source code (from a package name)
    * download and extract a package
    * search for obfuscated strings, crypto implementations, backdoors
    * calculate project health
    * identify characteristics (e.g. "uses a database", "written in Python", etc.)

    https://github.com/Microsoft/OSSGadget

  • Cyber Forensics and Cybersecurity - February 29 Seminar: No Cost

    Edmonds Community College - Meadowdale Hall Room 124

    Steve Hailey is putting on a free seminar. Message follows:

    This seminar is appropriate for all audiences and experience levels and is open to the public. Please pass on to your coworkers, friends, and family. Two of our December 2019 seminar attendees discovered credit card skimmers during the holidays; one was installed in a gas station pump and one was being used in an ATM at a convenience store. Both said they would not have noticed these had it not been for what they learned in the seminar!

    Enroll In The Seminar: https://RealCSI.eventbrite.com

    SEMINAR OVERVIEW/TOPICS
    Want to learn how hackers buy and sell your information using a little-known part of the World Wide Web called the Dark Web? How about ways to protect yourself from credit card scams? You'll learn about these topics and much, much more at this seminar. This is an educational seminar, not a four-hour sales pitch on taking classes at EdCC. EdCC's degree and certificate programs in cybersecurity and digital forensics will be covered at the start of the seminar, then we will move on to cover topics including:

    The Dark Web Versus Deep Web
    How Your Credit Card Data is Stolen and Sold
    Measures to Protect Yourself
    Cases Worked by Steve and Mike
    Digital Forensic Analysis Overview
    Advanced Data Recovery / Recovering Data for Oso
    Ethical Hacking and Cybersecurity

    YOUR INSTRUCTORS AND HOSTS
    Your instructors and hosts for this seminar are subject matter experts in Cyberterrorism for Department of Homeland Security (DHS) and Federal Emergency Management Agency (FEMA) programs and have trained Department of Defense (DoD) and Federal law enforcement personnel to protect some of the most aggressively targeted information systems in the world within our nation's critical infrastructure. Both Steve and Mike have served as cybersecurity instructors, subject matter experts, and curriculum developers for Texas A & M University. In addition, they have supported the Federal Bureau of Investigation on organized cybercrime matters, and are trusted consultants to the Fortune 500 regarding cybersecurity and digital forensics.

    WIRELESS ACCESS
    Wireless access will be provided, but power outlets will be scarce. If you are bringing a computing device with you (not required whatsoever), be sure to bring it fully charged!

    FOOD AND DRINK
    You are welcome to bring food and drink into the classroom.

    QUESTIONS?
    If you have questions, please contact Steve Hailey: [masked]

    Enroll In The Seminar: https://RealCSI.eventbrite.com

  • An Evening with OWASP at Facebook Seattle

    333 8th Ave N

    Thank you to Facebook for hosting us and speaking about their appsec program!

    Please register at the Eventbrite link with an accurate name and email for building access/badging to match ID. There is a site NDA.

    https://www.eventbrite.com/e/an-evening-with-owasp-at-facebook-tickets-77351627801

    ---

    Zoncolan
    Francesco Logozzo, Software Engineer
    https://www.linkedin.com/in/francesco-logozzo-4106386/

    Facebook’s web codebase currently contains more than 100 million lines of Hack (https://hacklang.org/) code. The code changes thousands of times per day. No one has enough security engineers to review all this code. To keep up, we have focused on building systems that help our security engineers scale to become tens or hundreds of times more effective than they would be on their own.

    The talk will go into detail on one of our systems, called Zoncolan, and the process we followed to build “static analysis for security professionals, by security professionals.”

    See also blog
    https://engineering.fb.com/security/zoncolan/
    and Wired article
    https://www.wired.com/story/facebook-zoncolan-static-analysis-tool/

    Zoncolan helps security engineers scale their work by using static analysis to automatically examine our code and detect potentially dangerous security or privacy issues. We started building Zoncolan by bringing together static analysis experts and security engineers to review reports of past security vulnerabilities, including bug reports, root causes, and corresponding code fixes. We have since built extensive infrastructure for running Zoncolan, tracking the results, and providing access to those results in context.

    Zoncolan has demonstrated a high signal-to-noise ratio, speed, extensibility, and a low rate of false negatives. It achieves this by focusing on issue classes that lend themselves well to static analysis. Unlike previous methods, Zoncolan provides new static analysis algorithms (a non-uniform, modular, compositional, and parallel abstract interpretation) that make it possible to fine-tune the accuracy/cost ratio of the analysis. In 2018, Zoncolan resulted in more than 1,100 security issues that required immediate action.

    --

    Strategic code reviews
    Nathan Starr, Technical Program Manager
    https://www.linkedin.com/in/ntstarr/

    Security reviews are one of the tools in a Product Security team's toolbelt to validate the design and implementation of products their organization ships. At Facebook, we perform hundreds of security reviews each year on well-scoped features across all of our product areas and tech stacks. Occasionally, we encounter a company initiative where a single security review will not suffice. In these instances we rely on a strategic review. A strategic review is a prolonged engagement where a security engineer performs an amalgamation of security reviews centered around a large initiative in the organization. Strategic reviews can be either depth-based, where the review focuses on a single product, or breadth-based, where the review covers a single paradigm across multiple products. We will share how and why we've chosen to do strategic reviews and some of our success stories and lessons learned along the way.

    --

    So Your Company Bought a Company - A Crash Course on Acquisitions Security
    Aaron Brown
    https://www.linkedin.com/in/aaron-brown-31529910

    In this talk I'll cover threats, pitfalls, and best practices for security practitioners during company acquisition and integration. I will talk about what to look out for during pre-acquisition due diligence and how to manage onboarding and integrating an entire new company all at once. I'll include practical tips for assessing security maturity, best practices for different kinds of integrations, and a rundown of what to watch out for throughout the process of securing a newly acquired subsidiary.

    This talk assumes no prior M&A knowledge or experience.

  • OWASP meetup at Twitter

    Twitter

    On the evening of September 17th, OWASP is being hosted at Twitter's offices in downtown Seattle.

    ---

    Side Channel Attacks
    Speakers: Andrew Sorensen, Jessica Nguyen, Chris Petrilli

    Twitter will introduce side-channel attacks in the browser by exploring existing web security protections and the limitations of those controls, and will connect the concepts with more well-known side-channel issues.

    Learn how Twitter handled one such issue (Silhouette), what the landscape of side-channels looks like going forward and what some of the potential mitigations might look like.

    Andrew Sorensen is a security engineer at Twitter in the Application Security team. Prior to joining Twitter, Andrew previously worked at Leviathan Security Group.

    Jessica Nguyen is a security engineer at Twitter, working within the Application Security team. Jessica previously worked on the AppSec team at the T-Mobile USA, Inc. headquarters prior to joining Twitter.

    Chris Petrilli is a security engineer at Twitter in the Infrastructure Security team. In the security industry for over 20 years, Chris previously worked at Disney, Sprint, BBN, and multiple government organizations.

    ---

    Privacy-Preserving Classification of Personal Text Messages with Secure Multi-Party Computation
    Anderson Nascimento

    Classification of personal text messages has many useful applications in surveillance, e-commerce, and mental health care, to name a few. Giving applications access to personal texts can easily lead to (un)intentional privacy violations. We propose the first privacy-preserving solution for text classification that is provably secure. Our method, which is based on Secure Multiparty Computation (SMC), encompasses both feature extraction from texts, and subsequent classification with logistic regression and tree ensembles. We prove that when using our secure text classification method, the application does not learn anything about the text, and the author of the text does not learn anything about the text classification model used by the application beyond what is given by the classification result itself. We perform end-to-end experiments with an application for detecting hate speech against women and immigrants, demonstrating excellent runtime results without loss of accuracy.

    Anderson C A Nascimento obtained his Ph.D. degree in 2004 from the University of Tokyo. He currently holds the endowed professorship in Information Systems and Information Security with the School of Engineering and Technology, University of Washington, Tacoma. Previously he was a professor at the University of Brasilia in Brazil and a research scientist with NTT Corp in Japan. Dr. Nascimento researches in cryptography and information security. He has edited four books, published over 80 papers in prestigious journals and conference proceedings. He was an editor for the IET Information Security Journal. He was the Technical Program Chair or General Chair of ISC 2016, ICITS 2016, SBSeg 2009, and SBSeg 2012. He was a panelist and reviewer for the National Science Foundation, the European Science Foundation, CAPES and CNPq. He enjoys writing in the third person.

    ---

    Instructions for Arrival: Guests arrive and[masked]th Ave Seattle WA, 98101 and head through the 4th Ave entrance. A guard will be available there to direct guests up the escalators to a 3rd floor checking booth. After checking in, a guard will badge guests up to the 19th floor where the event will be held.

    Twitter requires that attendees sign up using this link as well for badging/access:

    https://owaspattwitterseattle2019.splashthat.com/

  • An Evening with OWASP

    1621 N 34th St

    Thank you Tableau Software for hosting us!

    ---

    Teri Radichel
    Cloud Pentesting

    What exactly is a cloud penetration test? A cloud penetration test may mean different things to different organizations. What are the rules for pentesting in the cloud? What's different about a cloud pentest? Do you know your test scope? Do you want an internal scan? An external scan? What about exploitation? Exfiltration? What about devices and software that are accessing your cloud? Social engineering and phishing? And are you ready for a penetration test? Learn what you can do to improve the results of your penetration test.

    https://www.linkedin.com/in/teriradichel/

    ---

    Joe Salowey
    Tales from IETF TLS development

    Joe chairs the IETF TLS working group and has some good stories to share about the development of the protocol. What's new in TLS: we'll discuss the IETF and the TLS working group, TLS 1.3, and future work.

    https://www.linkedin.com/in/joesalowey/

    ---

    Frank Simorjay
    Secure Workstation: manage your cloud services securely

    Microsoft's effort to protect the admin has been evolving over the past several years. As attacks evolve, it's essential to change the way we think about protecting high-value roles and assets. The Azure Secured Workstation is the cloud evolution of the concepts introduced in the Privileged Access Workstation (PAW) several years ago. A secured workstation is designed to be an admin workstation that is quick to set up and to use.

    The solution is designed to manage critical systems, social media accounts, and other highly sensitive workloads, such as SWIFT payments, with higher confidence that the device being used has not been tampered with or compromised.

    Frank will show us how this solution can break the killchain of side channel attacks and escalation using the strategy his team has developed.

    https://www.linkedin.com/in/simorjay/

  • An Evening with OWASP

    1621 N 34th St

  • Author Event: Jeremy N. Smith - Breaking and Entering

    Elliott Bay Book Company

    They sent me this.

    >>Hi Ian —

    >>By way of introduction, I’m a longtime freelance journalist (New York Times, the Atlantic, etc.) and the author of the upcoming book BREAKING AND ENTERING (Houghton Mifflin Harcourt), the true story of a female white hat called “Alien” and the birth of our information insecurity age. Apple chose it as one of “Winter’s Most Anticipated Books” and it’s gotten some great early reviews, which you can check out on its Amazon page: https://www.amazon.com/dp/0544903218/

    >>Can you help me spread the word about the book and my Seattle book tour stop, Friday, January 18, 2019, 7 p.m., at Elliott Bay Bookstore? I really want local InfoSec professionals represented!

    I noticed that some people I know had nice things to say about the book on the author's website, so I'm posting their book tour as requested.

  • Free Event: Interface 2018

    Meydenbauer Convention Center

    https://www.f2fevents.com/event/sea18

    Free reg link:
    https://www.f2fevents.com/register/?att=SEA&ref=Advisor&par=The%20Advisory%20Council

    It's a Vendor Event, but I've enjoyed it more than Secure World.

    Since it's free, and we've had a lot of new people in town at our last meeting, I thought that I would mention it. It's a good chance to meet a lot of local vendors all at once, have a nice lunch, and hang out / network with all of your industry peers. Perhaps watch a talk or two and clock in some CPEs.

    I'll arrange a happy hour after if there's interest.

    Otherwise OWASP is off for the holidays. Make sure to watch the CCC streams and we'll see you in January (I'll post an announcement soon.)

    https://events.ccc.de/tag/streaming/