- Author Event: Jeremy N. Smith - Breaking and Entering
They sent me this.

> Hi Ian —
> By way of introduction, I’m a longtime freelance journalist (New York Times, the Atlantic, etc.) and the author of the upcoming book BREAKING AND ENTERING (Houghton Mifflin Harcourt), the true story of a female white hat called “Alien” and the birth of our information insecurity age. Apple chose it as one of “Winter’s Most Anticipated Books” and it’s gotten some great early reviews, which you can check out on its Amazon page: https://www.amazon.com/dp/0544903218/
> Can you help me spread the word about the book and my Seattle book tour stop, Friday, January 18, 2019, 7 p.m., at Elliott Bay Bookstore? I really want local InfoSec professionals represented!

I noticed that some people I know had nice things to say about the book on the author's website, so I'm posting their book tour as requested.
- Free Event: Interface 2018
https://www.f2fevents.com/event/sea18
Free reg link: https://www.f2fevents.com/register/?att=SEA&ref=Advisor&par=The%20Advisory%20Council

It's a vendor event, but I've enjoyed it more than Secure World. Since it's free, and we've had a lot of new people in town at our last meeting, I thought that I would mention it. It's a good chance to meet a lot of local vendors all at once, have a nice lunch, and hang out / network with all of your industry peers. Perhaps watch a talk or two and clock in some CPEs. I'll arrange a happy hour after if there's interest.

Otherwise OWASP is off for the holidays. Make sure to watch the CCC streams and we'll see you in January (I'll post an announcement soon.) https://events.ccc.de/tag/streaming/
- An Evening with OWASP, eastside edition
T-Mobile is hosting OWASP on the eastside for a change. Location on T-Mobile campus: Newport 2, Room 1B

Welcome/Intro
Robert Savage, Director of Payments, T-Mobile
Dr. Sunil Lingayat, Director & Chief of Cyber Strategy & Technology, T-Mobile

Securing Payments and Payment Instruments in Transit and at Rest in T-Mobile
Kedar Pathak, Sr. Manager, Payments https://www.linkedin.com/in/kedar-pathak-16aa478/

Amass
Jeff Foley https://www.owasp.org/index.php/User:Caffix
Amass is a tool suite that performs in-depth DNS enumeration and network mapping. It helps organizations fill in blind spots in their presence and exposure to the Internet. Amass reaches out to more than 30 passive data sources to learn about the DNS namespace of target domains. Jeff Foley will demonstrate the tool suite and answer questions about its use and future directions.

Securing CI/CD pipelines

OWASP project updates

The venue has a hard stop, so after the talks there'll be an after-event at Sideline Sports Bar just down the street to continue conversations.

Parking/venue info: The building where we have the meetup is NEWPORT TWO. This is also the building where we have the T-MOBILE STORE. There are a few parking options:
In front of NEWPORT TWO (about a dozen spots here)
In front of NEWPORT TOWER (about a dozen spots here, needs a walk DOWN the hill)
In front of NEWPORT FIVE (almost 60 parking spots there, but this needs a walk UP the hill)
- Free Workshop - FIDO Authentication: Moving Beyond Passwords
Dave Bossio, Head of Operating System Security, Microsoft
Christiaan Brand, Product Manager: Identity and Security, Google
Rajiv Dholakia, VP Products & Business Development, Nok Nok Labs
Brad Hill, Engineer, Facebook
Bjorn Hjelm, Distinguished Member of Technical Staff, Verizon
Manini Roy, Product Manager, Identity Division, Microsoft
Andrew Shikiar, Chief Marketing Officer, FIDO Alliance
Alex Takakuwa, PhD Student, Paul G. Allen Center for Computer Science & Engineering, University of Washington
John Tolbert, Lead Analyst, KuppingerCole
https://fidoalliance.org/events/consumer-identity-world/

-- provided text follows:
> The conference put on by KuppingerCole is expensive but the FIDO pre-conference workshop is free and open to the public, not just attendees of the full conference. If people are interested in attending the full conference, we have a discount code for guaranteed early bird pricing (ciwusa2018-fido).
> Registration link for the free workshop only: https://www.kuppingercole.com/book/ciw18usa-fido
> $1500 conf: https://www.kuppingercole.com/events/ciwusa2018/agenda_overview
- Evening with OWASP
The homelab rules all: logging on the down low
Jeremy Cohoe https://www.linkedin.com/in/jeremycohoe/
Are there debugging, security, or application events from your products and solutions that are going into a black hole? Have you missed indicators of compromise, outages, or misconfigurations due to a lack of visibility and efficient tooling? Let's have a conversation about one approach to getting in front of these kinds of issues. We'll focus on the Elastic stack, using Logstash and Kibana to ingest and visualize data, with the goal being quicker actions and response times for applications, servers, and the network. If you've ever seen an error message, then this session can be applicable to you.

--

Preventing SHA1 Collision Attacks in Web Applications
Jack Xu
Preventing SHA1 collision attacks seems to be a top priority for companies that use SHA1 on PDF files. Yet upgrading from SHA1 to a more secure hash algorithm is difficult for complex applications. In this talk, we will introduce SHA1 collision detection, a practical solution to SHA1 collision attacks in web applications.
Jack is a Computer Science major at the University of Washington and currently works on the Application Security team at DocuSign.

--

DevSkim
Michael Scovetta https://linkedin.com/in/scovetta
As everyone knows, the best time to fix a security bug is "earlier in the lifecycle". We built DevSkim to bring real-time, spellcheck-like squiggly underlines to modern IDEs. While DevSkim doesn't replace "real" static analysis, many security bugs can be found with a simple regular expression, which is where the tool excels. DevSkim is open source and supports Visual Studio, VS Code, and Sublime Text. https://github.com/Microsoft/DevSkim
Michael Scovetta is a Principal Security Program Manager at Microsoft, where he leads the company's open source security program, amongst other security things.
- An evening with OWASP
Four speakers:

1. Integrated security testing: finding security vulnerabilities using your existing test framework
Morgan Roman https://www.linkedin.com/in/morgan-roman/
Having a dedicated suite of continuously run security tests seems out of reach for all but the most mature security programs. Scanners only scratch the surface of your application. Many companies already have integration tests that snake their way deeply into their web application, covering nearly every workflow. In this talk, we will use a minimal amount of work to transform these integration tests into a suite of security tests. Using Selenium and ZAP we will repurpose integration tests into security tests to search for common web application flaws such as XSS and SQLi with more context than a scanner. These security tests will traverse the web application the same way a real user would. We will then extend these tests to find subtle security bugs in authorization and business logic. This session is ideal for testers and developers interested in making security testing part of their continuous integration pipeline.

2. Pacu: a modular open source Amazon Web Services post exploitation attack tool
Spencer Gietzen https://www.linkedin.com/in/spencer-gietzen/
Cloud infrastructure security and configuration has been shown to be a difficult task to master. Sysadmins and developers with years of traditional IT experience are now being pushed to the cloud, where there is a whole new set of rules. This is what makes AWS environments particularly exciting to attack as a penetration tester. Best practices are often overlooked or ignored, which can leave gaps throughout an AWS environment that are ripe for exploitation. With an increasing number of breaches leaking AWS secret keys, companies are working to be proactive and are looking for red-team-like post exploitation penetration tests, so that they can be sure that their client data is as safe as possible post-breach.
Due to this need and the lack of AWS-specific attack tools, I wrote Pacu, a modular, open source Amazon Web Services post exploitation attack tool created and used for Rhino Security Labs pentests. In this talk I'll give an overview of how red teamers can use Pacu to simulate real-world attack scenarios against AWS environments, starting from information enumeration and scanning through exploitation, privilege escalation, data exfiltration, and even providing reporting documentation. It will be released in early August as an open source project to encourage collaboration and discussion of different AWS attack techniques and methodologies with both attackers and defenders.

3. Entropy
Jeff Costlow https://www.linkedin.com/in/jeffcostlow/
Entropy is a measurement of the amount of randomness in a system. All systems need entropy to run in a secure fashion. We'll do a deep dive into entropy: what entropy is, how it's used, and how it's generated and kept in a pool in the Linux kernel. We'll also give some important safety tips.

4. Business problems suited for a blockchain solution
Ashok Misra https://www.linkedin.com/in/paymentsnut/
Are there particularly good business problems suited for a blockchain solution? Blockchain technology is evolving at an exponential rate. There are numerous companies and projects claiming to be disrupting whichever space they claim to be disrupting. However, is blockchain a panacea for all business problems? This talk will drill into some atomic details of the technology with a view towards understanding what can possibly be disrupted.
- OWASP Partner Event: Second Annual Cyber Security Summit: Seattle
Free with code: OWASP18 (standard price $350). The first 20 registrants will receive complimentary admission with the promo code; after that, the code grants $95 admission. All registrations are subject to approval. Admission is for C-Suite / Sr. Level Executives and Directors / Managers of IT Security ONLY. Students and Sales / Marketing professionals will NOT be granted admission. Engage with fellow business leaders during a catered breakfast, lunch, and cocktail and cigar reception.
https://www.eventbrite.com/e/cyber-security-summit-seattle-tickets-40909434219?discount=OWASP18
- Infosec social HH at SOURCE
The Source people have invited the greater Seattle/Bellevue infosec community to happy hour on Wednesday and are sponsoring refreshments. Conference attendance is not required and drinks are free, so why not hang out with keynoters and your peers? RSVPing is requested, but not required, here: https://app.icontact.com/icp/sub/survey/take