A [virtual] Evening with OWASP
Hosted by The OWASP Seattle Chapter
Details
[[ Streams and Chat ]]
Youtube livestream with chat
https://youtu.be/GzanZEfvvog
OWASP slack for collaborating on the CTF
https://owasp-slack.herokuapp.com/
Please use the #chapter-seattle channel to support each other and chat with the locals.
Telegram
https://t.me/seahax
[[ CTF ]]
Details
Join us for a gamified online secure coding tournament!
Compete against your fellow security & developer peers to identify & fix critical vulnerabilities in realistic code snippets! Challenges are available in 21 frameworks and languages, including .NET, Java, Python, Go, Angular, Node, React, iOS, Android, Scala, Ruby, PHP, C++, C, PL/SQL & COBOL.
Tournament Guide:
https://www.youtube.com/watch?v=TwbySIg2z2Y
Instructions for playing:
✅1) Register for the Secure Code Warrior platform here: https://discover.securecodewarrior.com/OWASPSeattle-tournament.html
✅2) Once logged in: click “Tournaments”
✅3) Join the OWASP Seattle Secure Coding Tournament
[[ Talks ]]
5pm Pacific
Secure Django / Flask Development
Isaac Evans
https://www.linkedin.com/in/isaacevans
Web frameworks often come with security best practices, idioms, and guardrails — but they’re not always built-in or properly understood. Having analyzed thousands of open source projects and spoken with hundreds of Python developers, we identified common security pitfalls that are specific to Python web apps. We partnered with authors of major web frameworks and created a set of automated checks that guard against security, reliability, and performance issues.
Attendees will learn about common security mistakes made when developing Django or Flask web apps and how to use free open-source program analysis tools to find and prevent those mistakes.
Isaac Evans is the leader of r2c, a small startup working on giving security tools directly to developers. Previously, he conducted research into binary exploitation bypasses for techniques like control-flow integrity and novel hardware defenses on new architectures like RISC-V as a researcher at the US Defense Department under an SFS program and at MIT Lincoln Laboratory. Isaac received his BS/MS degrees in EECS from MIT. Other interests include next-generation programming languages, secure-by-design frameworks, software-defined radio, and the intersection of cryptography and public policy.
6pm Pacific
The hitchhikers guide to secrets for cloud environments
Abhay Bhargav
https://www.linkedin.com/in/abhaybhargav
Secrets are ubiquitous. From API keys to encryption keys, the number of secrets an average app requires for its operations, especially in the cloud, is increasing. Unfortunately, developers and practitioners are often unaware of secrets management, resulting in some very serious vulnerabilities.
In this talk, we discuss how to handle secrets the right way. Concretely, we look at vault-based secrets management for Kubernetes, AWS and Azure environments. Not only do we cover best practices, we also investigate gotchas and implementation nuances across platforms.
Abhay Bhargav is the Founder of we45, a focused Application Security Company. He is the Chief Architect of “Orchestron”, a leading Application Vulnerability Correlation and Orchestration Framework. Abhay is a speaker and trainer at major industry events including DEF CON, BlackHat, OWASP AppSecUSA, AppSecEU and AppSecCali. His trainings have been sold-out events at conferences like AppSecUSA, AppSecEU, AppSecDay Melbourne, CodeBlue (Japan), BlackHat USA 2019, SHACK and so on.
7pm Pacific
OSS Gadget: a new open source tool, currently in preview, that is something like a 'Sysinternals' for open source analysts
Michael Scovetta
https://www.linkedin.com/in/scovetta
Features:
- locate a package source code (from a package name)
- download and extract a package
- search for obfuscated strings, crypto implementations, backdoors
- calculate project health
- identify characteristics (e.g. "uses a database", "written in Python", etc.)