OWASP Waterloo



Welcome to the Waterloo chapter homepage.

Meetings

We schedule our meetings on the OWASP Waterloo Meetup Group

Check our Upcoming Meetup Events:


———–

Meetup 2021-03 NOTE: New date for meetup

Date / Time: Dec 2, 2021 @ 7:30 PM
Location: Virtual (Link provided in Meetup)

We are thrilled to have a guest speaker and recent member join us in a look back at lessons learned running a security champions program.

Almost a year ago Connor delivered a talk on what it took to create a security champions program from scratch. Now he is here to share what he has learned over the last year and answer outstanding questions. If you haven’t yet seen the original talk, you should give it a once-over; you can find it here: OWASP Toronto - November 2020 Double Talk Event - Security Champions and Intro to Threat Modeling.

In this presentation we are going to quickly recap how to establish a program before diving right into how to improve your training, boost retention, and measure success. At the end of this discussion everyone should have a better understanding of how to better lead and measure a security champions program.


SPEAKER BIO

My name is Connor McKinnon, and I am the Engineering Manager for Platform Security at Wealthsimple. In my role, I have been very fortunate to have helped grow our organization by 10x in just the last 2 years, and I am looking forward to continuing to grow our amazing teams.

My team is made up of software engineers using code to solve security problems. I have often described us as “boots on the ground” for the security organization. If there is a problem that needs solving and off the shelf components won’t cut it, we are the team that gets tasked with finding a solution.

In my last role as Team Lead for the Application Security Team at Wealthsimple, I had the privilege of creating our wildly successful Security Champions program which continues to run to this day. Currently, I am working on developing solutions for a distributed authorization layer that makes security easy and improves the developer experience.

In my spare time I am an avid reader. Recently, I challenged myself to see how many books I could read in just two months and am pleased to report I tapped out at 17. I am always looking for suggestions as well! Please feel free to DM me your favorites :D

If you ever want to connect, feel free to add me on LinkedIn (https://www.linkedin.com/in/connor-mckinnon/) or set a meeting with me through Calendly (https://calendly.com/connormck/15min).


Presenters: Connor McKinnon, Scott Handfield, Kris Jamieson


———–

Our meetings are open to the public, and you do not need to be a member to attend. Please do consider joining OWASP if you find our community, projects, and meetings valuable, or sponsoring this chapter.


Recent/Past Events

Please use the tabs for all past events, links and reference materials


Past Events

2021

#        Date / Time              Title
2021-01  April 22, 2021 7:30 PM   A Journey Through the Kubernetes Threat Matrix - Part 1
2021-02  June 24, 2021 7:30 PM    A Journey Through the Kubernetes Threat Matrix - Part 2

———–

Meetup 2021-02

Date / Time: Jun 24, 2021 @ 7:30 PM
Location: Virtual (Link provided in Meetup)

A Journey Through the Kubernetes Threat Matrix - Part 2

Summary:

This presentation is a continuation from Part 1, where we switch focus to explore preventative and detective controls based on the Kubernetes Threat Matrix. We explore using OPA to create policies that prevent abuse of the Kubernetes CA, privileged pods, etc. As we journey through the Kubernetes threat matrix, we demonstrate how a defender might apply policy as code to identify and restrict vulnerable container and cluster misconfigurations. The focus of this talk is to explore best practices and guidance from the OWASP Kubernetes Security Cheat Sheet.

Presenters: Scott Handfield, Kris Jamieson, Deepak Sharma


———–

Meetup 2021-01

Date / Time: April 22, 2021 @ 7:30 PM
Location: Virtual (Link provided in Meetup)

Welcome to OWASP Waterloo

This is our first meetup of 2021! We are excited to meet everyone, and since this is the first OWASP Waterloo meetup of 2021, we will begin with an introduction, followed by a presentation and discussion.

A Journey Through the Kubernetes Threat Matrix - Part 1

Summary:

In this presentation we explore a Kubernetes Threat Matrix and the impact that a vulnerable application has on a poorly configured cluster. This talk draws from examples of teams that rush in to adopt Kubernetes without consideration for security guidance and best practices. In our example, a devops engineer deploys a vulnerable legacy application to an internet-facing cluster and decides to use the Kubernetes CA for internal TLS certificates as an easy option since it is available and trusted in the cluster. As we journey through the Kubernetes threat matrix, we demonstrate how an attacker might take advantage of the vulnerable container and cluster misconfiguration for profit. The focus of this talk is to explore threats in Kubernetes and discuss security misconfigurations from the OWASP Top 10.

Presenters: Scott Handfield, Kris Jamieson, Deepak Sharma

2020



Downloads

#        Date             Title
2021-02  June 24, 2021    A Journey Through the Kubernetes Threat Matrix - Part 2
2021-01  April 22, 2021   A Journey Through the Kubernetes Threat Matrix - Part 1