OWASP Nashville
Welcome to the OWASP Nashville Chapter!
Want to speak at a future meeting?
We have a CFP hosted by PaperCall.io. All talks are welcome that are germane to OWASP. We encourage Nashville community members, especially anyone who wants to speak for the first time, to submit a talk. We’ll have plenty of space for seasoned engineers and well-practiced talks just as much as we will those who are less-experienced, college students or want to be more involved or practice their public speaking.
Next Meeting / Event
May 22nd, 5:00 - 7:00 PM at Asurion Headquarters
Join the OWASP Nashville group on Meetup to be notified when the details of the next event are published.
Participation
The Open Web Application Security Project (OWASP) is a nonprofit foundation that works to improve the security of software. All of our projects, tools, documents, forums, and chapters are free and open to anyone interested in improving application security.
Chapters are led by local leaders in accordance with the Chapter Policy. Financial contributions should be made online using the authorized online donation channels. To be a speaker at any OWASP Chapter simply review the speaker agreement and then contact the local chapter leader with details of what OWASP Project, independent research, or related software security topic you would like to present.
Everyone is welcome and encouraged to participate in our Projects, Local Chapters, and Events. We especially encourage diversity in all our initiatives. OWASP is a fantastic place to learn about application security, to network, and even to build your reputation as an expert. We also encourage you to become a member or consider a donation to support our ongoing work.
Past Events
02/29/2024: Kubernetes Top 10 with Jimmy Mesta
Given the growth and adoption of Kubernetes, a number of projects have been published in the OWASP community to help practitioners assess and secure the security of their containerized infrastructure including the recently released Top Ten for Kubernetes. This OSS project is a community-curated list of the most common Kubernetes risks backed by data collected from organizations varying in maturity and complexity. This session will discuss the project in detail, examples for each of the risks in the list, and how you can get involved.
11/10/2021: AWS ID Prefixes: What AWS Doesn’t Cover is What You Need to Know
https://www.meetup.com/OWASP-Nashville-Chapter/events/281949599/
In this talk, we will showcase AWS Prefixes and go over those prefixes what they mean, how you can get them. Some resource types like S3 for example allow for the use of a unique ID rather than the full principal ARN that many know and understand. We can cover why use of the unique ID is fundamentally a bad idea, and how to handle them should you run into an environment that has them.
05/04/2021: Secure Coding Tournament with Secure Code Warrior
Secure Code Warrior brings you a defensive security-based tournament from a developer’s perspective. The tournament allows you to test your skill against the other participants in a series of vulnerable code challenges that ask you to identify a problem, locate insecure code, and fix a vulnerability. You don’t need programming knowledge as this will be a great way to learn the foundations and intermediates of leveraging code that is not only functional but is also secure. With a variety of languages to play with: C# .NET MVC, C# .NET WebForms, C# .NET Core, GO Basic, Java EE (JSP) & (JSF), Java Spring, JavaScript Node.JS (Express), Python Django, and last but not least, Pseudocode Basic for the non-coders.
03/02/2021: OWASP Threat and Safeguard Matrix (TaSM)
https://www.meetup.com/OWASP-Nashville-Chapter/events/276453229
The Threat and Safeguard Matrix or (TaSM) is an action oriented view to safeguard and enable the business created by Ross Young. Simply put if Cyber is in the business of Revenue Protection, then we need to have a defense in depth plan to combat the biggest threats to our companies. This matrix allows a company to overlay their major threats with the NIST Cyber Security Functions (Identify, Protect, Detect, Respond, & Recover) to build a robust security plan. Organizations which perform this activity will gain a better understanding of how to protect their company as they fill in safeguards which mitigate important threats. Remember the devil is in the details, hence why we chose a TaSManian Devil as the project logo.
Ross Young is the CISO of Caterpillar Financial, a lecturer at Johns Hopkins University, and a SANS instructor. Prior to this role, he was a divisional CISO at Capital One. His expertise ranges from attacking financial services for the federal government to defending organizations by automating defenses in DevSecOps pipelines. He is actively involved in all things cloud, container, and Kubernetes security. Ross holds master’s and bachelor’s degrees from Johns Hopkins University, Idaho State University, and Utah State University. Ross’s interest in pirates and ninjas have inspired him to stealthily enable and safeguard the business without the paperwork.
10/27/2020: Defending Multicloud Infrastructure
Senior Application Security Engineer at Asurion, Instructor for the SANS Institute, and OWASP Nashville Co-Leader Brandon Evans discussed how to defend infrastructure and applications running in Amazon Web Services (AWS), Microsoft Azure, and the Google Cloud Platform (GCP). Brandon is the lead author of SANS SEC510: Multicloud Security Assessment and Defense. For more information, visit: SANS.org/SEC510
05/19/2020: Web Application Cyber Range for Fun & Profit
For our first virtual Meetup, Security Innovation ran one of their CMD+CTRL Cyber Ranges in which our chapter competed:
Stuck at home, but still want to test your skills in identifying web app vulnerabilities? OWASP Nashville and Security Innovation invite you to virtually compete in CMD+CTRL, a web application cyber range where players exploit their way through hundreds of vulnerabilities that lurk in business applications today. Success means learning quickly that attack and defense is all about thinking on your feet.
For each vulnerability you uncover, you are awarded points. Climb the interactive leaderboard for a chance to win fantastic prizes! CMD+CTRL is ideal for development teams to train and develop skills, but anyone involved in keeping your organization’s data secure can play - from developers and managers and even CISOs.
All you need is your laptop and your mischievous, curious inner-self and you’ll be ready to hack away!
Sponsor
10/22/2019: Serverless Security for Dummies
Tal Melamed (@4ppsec), Head of Security Research at Protego Labs and Co-Leader of the OWASP Serverless Top 10, flew in to teach us about Serverless Security:
In moving to serverless technology, such as AWS Lambda or Azure Functions, we shift some security responsibilities to the infrastructure provider by eliminating the need to manage servers. Unfortunately, that doesn’t mean we’re entirely absolved of all security duties. Serverless functions still execute code and can still be vulnerable to application-level attacks. As a new type of architecture, serverless presents new security challenges. Some are equal to traditional application development, but some take a new form. Attackers are thinking differently, and developers must do so as well to gain the upper hand.
In this talk, Tal Melamed will dive into serverless risks. Discussing why they are different from traditional attacks, how to exploit them and how we should protect our application against them.
Sponsor
06/13/2019: MusicCityCon
Instead of a normal OWASP Meetup, we held our inaugural MusicCityCon conference.
Presentations Archived on YouTube Meetup Agenda and Sponsors
05/07/2019: CMD+CTRL Web Application Cyber Range
Security Innovation ran an instance of their Shadow Bank Cyber Range in which our chapter competed:
Want to test your skills in identifying web app vulnerabilities? Join OWASP Nashville and Security Innovation as members compete in CMD+CTRL, a web application cyber range where players exploit their way through hundreds of vulnerabilities that lurk in business applications today. Success means learning quickly that attack and defense is all about thinking on your feet.
For each vulnerability you uncover, you are awarded points. Climb the interactive leaderboard for a chance to win fantastic prizes! CMD+CTRL is ideal for development teams to train and develop skills, but anyone involved in keeping your organization’s data secure can play - from developers and managers and even CISOs.
Sponsors
03/19/2019: Exploring the Dark Web
For our inaugural OWASP Nashville Chapter Meetup, Chapter Co-Leader Joel Tomassini presented on how to explore the Dark Web securely.