Transcript of the OWASP Toronto Meetup slides, January 17, 2018
Welcome to the OWASP Toronto Meetup
Hello, and happy 2018!
Announcement: OWASP Top 10 2017
Changes between 2013 and 2017
Hi, I am X. How do I get into AppSec/Security?
OWASP Toronto Chapter, January 17, 2018
Topics
● Overviews, Career Paths, Advice
● Secure SDLC frameworks
● Tools & Training
● Agile & DevSecOps
● Real Life Stories
● Training, Certifications and Career Fairs
Getting the Lay of the Land
Find out what jobs/roles are commonly out there, figure out where your skills overlap, find out what skills you need, etc.
● NICE Cybersecurity Workforce Framework
● SANS CISO Mind Map (or Rafeeq Rehman's)
● Henry Jiang's Map of Cyber Security Domains
● Cyberseek Career Pathway
Advice
Wisdom, editorials, and on-point snark
Krebs on Security: How to Break Into Security series (older, but still relevant advice)
Secure SDLC: Some frameworks
● OWASP SAMM
● BSIMM
● DOE-C2M2
● NIST CSF
OWASP Software Assurance Maturity Model
US Department of Energy Cybersecurity Capability Maturity Model (C2M2)
NIST Cybersecurity Framework (CSF)
General Sources of Info
Teach yourself, then keep up with the field.
● The Infosec industry site has some recommendations you can pick through.
● Blogs like the SANS AppSec Blog and Google Project Zero
● Twitter: #appsec and major players, including Michael Geist and the Office of the Privacy Commissioner of Canada
● Security podcasts like Defensive Security
General Online Learning
Alternatives to YouTube, which actually has some pretty neat stuff on it too.
● Coursera
● Cybrary
● edX
● Lynda (free via the library!)
● MIT OpenCourseWare
● Udacity
● Udemy
Audience ...
What is your job title, and what sources of information do you use regularly?
http://money.cnn.com/2017/10/31/media/facebook-twitter-google-congress/index.html
Point of View: Developers and Testers
OWASP resources
OWASP has a lot of projects that can be helpful for developers to start learning about security. Two good starting points:
● A Quick Developer's Guide
● OWASP Security Knowledge Framework
https://create.piktochart.com/output/6400107-untitled-infographic
Free Secure Coding Resources*
OWASP Resources
● OWASP Code Review Guide
● OWASP Developer/Builder Cheat Sheets
Secure Coding Exercises
● Hacksplaining
● Code Bashing
● RIPSTECH PHP Security Advent Calendar
Other Publications
● CERT Secure Coding
● SAFECode training
* The latter resources can also be mined for other security-related info.
Security Testing Resources
Deliberately Vulnerable Applications
Learn about the basic classes of application security vulnerabilities with hands-on, practical, guided lessons.
● OWASP Juice Shop
● OWASP WebGoat
● OWASP Security Shepherd
HTTP Proxies (+ other awesomeness)
● OWASP Zed Attack Proxy (ZAP)
● Burp Suite Community Edition
● Kali Linux (+ forensics mode)
Capture the Flag!
Training wheels are off... go hack stuff.
● An Intro to CTFs
● CTF Time Calendar
Vulnerable VMs to practice on in a lab, often abstracted from CTFs:
● https://www.vulnhub.com/ (they also suggest some resources)
Real Life Challenges
Legally try your skills against real targets.
Be sure to read the instructions, code of ethics, and bounty rules.
● Whitehat CERN hacking challenge (students only)
● Bug Bounty Programs
Agile?
● Secure SDLC vs. CI (Continuous Integration) and CD (Continuous Delivery / Deployment)
● SDL-Agile Requirements?
● Thoughts from the audience?
Point of View: DevOps
Secure DevOps Toolchain from SANS
https://www.sans.org/security-resources/posters/secure-devops-toolchain-swat-checklist/60/download
Additional DevSecOps Resources
● OWASP Appsec Pipeline
● DevSecOps Studio
● Awesome DevSecOps
● AWS CodePipeline DevSecOps
Whether you stay earthbound or go to the cloud.
Point of View: Non-Devs
Learn to Program
Check out Laurence Bradford's list of resources.
● freeCodeCamp
● Codewars
Scripting experience and compiled-language programming are both good to have.
Security Origin Stories
Certifications & Career Fairs
(ISC)2
● Not free!
● CISSP (Certified Information Systems Security Professional)
  ○ Concentrations:
    ■ ISSAP (Architecture)
    ■ ISSEP (Engineering)
    ■ ISSMP (Management)
● Relevant to application security:
  ○ CSSLP (Certified Secure Software Lifecycle Professional)
● Others:
  ○ CCSP (Cloud)
SANS Courses / GIAC Certifications
● Not free!
● SANS training courses with associated GIAC certifications
● Relevant to application security:
  ○ GWAPT
  ○ GWEB
  ○ GSSP-JAVA, GSSP-.NET
Pen Testing Certifications
● Offensive Security Certified Professional (OSCP): heavy focus on network-based content, but still somewhat relevant
Product-Specific / Vendor Certifications
● CCNA / CCNE (Cisco)
● CompTIA Security+ (vendor-neutral)
Career Fairs
● Sheridan College Biztech: February 14, 2018
● SecTor Expo: October 1-3, 2018
● TASK: TBD
Audience ...
● AppSec / Security professionals: What training, certifications or skills have you found most useful to your career?
● Hiring managers: What do you like to see in candidates?
Questions? Closing Comments?