Sunday, October 29
 

5:00pm EDT

Women in AppSec Reception
Sunday October 29, 2023 5:00pm - 6:00pm EDT
TBA

6:00pm EDT

New Global AppSec Conference Attendee Icebreaker Reception
**For first-time OWASP Global AppSec Conference attendees**

Come network and meet with OWASP board members and leaders during this icebreaker event. Drinks and appetizers will be served.

Sunday October 29, 2023 6:00pm - 7:00pm EDT
TBA
 
Monday, October 30
 

7:30am EDT

Speaker Ready Room
Monday October 30, 2023 7:30am - 5:00pm EDT

8:00am EDT

Breakfast
Monday October 30, 2023 8:00am - 9:00am EDT

9:00am EDT

Keynote
Monday October 30, 2023 9:00am - 10:00am EDT

10:00am EDT

AM Break
Monday October 30, 2023 10:00am - 10:30am EDT

10:30am EDT

Breaker Track
Monday October 30, 2023 10:30am - 11:30am EDT

10:30am EDT

Builder Track
Monday October 30, 2023 10:30am - 11:30am EDT

10:30am EDT

Defender Track
Monday October 30, 2023 10:30am - 11:30am EDT

10:30am EDT

DevSecOps Track
Monday October 30, 2023 10:30am - 11:30am EDT

10:30am EDT

Project Showcase
Monday October 30, 2023 10:30am - 11:30am EDT

11:30am EDT

Breaker Track
Monday October 30, 2023 11:30am - 12:30pm EDT

11:30am EDT

Builder Track
Monday October 30, 2023 11:30am - 12:30pm EDT

11:30am EDT

Defender Track
Monday October 30, 2023 11:30am - 12:30pm EDT

11:30am EDT

DevSecOps Track
Monday October 30, 2023 11:30am - 12:30pm EDT

11:30am EDT

Project Track
Monday October 30, 2023 11:30am - 12:30pm EDT

12:30pm EDT

Lunch
Monday October 30, 2023 12:30pm - 2:00pm EDT

2:00pm EDT

Keynote 2
Monday October 30, 2023 2:00pm - 3:00pm EDT

3:00pm EDT

PM Break
Monday October 30, 2023 3:00pm - 3:30pm EDT

3:30pm EDT

Breaker Track
Monday October 30, 2023 3:30pm - 4:30pm EDT

3:30pm EDT

Builder Track
Monday October 30, 2023 3:30pm - 4:30pm EDT

3:30pm EDT

Defender Track
Monday October 30, 2023 3:30pm - 4:30pm EDT

3:30pm EDT

DevSecOps Track
Monday October 30, 2023 3:30pm - 4:30pm EDT

3:30pm EDT

Project Track
Monday October 30, 2023 3:30pm - 4:30pm EDT

4:30pm EDT

Breaker Track
Monday October 30, 2023 4:30pm - 5:30pm EDT

4:30pm EDT

Builder Track
Monday October 30, 2023 4:30pm - 5:30pm EDT

4:30pm EDT

Defender Track
Monday October 30, 2023 4:30pm - 5:30pm EDT

4:30pm EDT

DevSecOps Track
Monday October 30, 2023 4:30pm - 5:30pm EDT

4:30pm EDT

Project Track
Monday October 30, 2023 4:30pm - 5:30pm EDT

5:30pm EDT

Networking Reception
Monday October 30, 2023 5:30pm - 7:30pm EDT

7:30pm EDT

Leaders Meeting
Monday October 30, 2023 7:30pm - 9:30pm EDT
 
Tuesday, October 31
 

7:30am EDT

Speaker Ready Room
Tuesday October 31, 2023 7:30am - 5:00pm EDT

8:00am EDT

Breakfast
Tuesday October 31, 2023 8:00am - 9:00am EDT

9:00am EDT

Keynote
Tuesday October 31, 2023 9:00am - 10:00am EDT

10:00am EDT

AM Break
Tuesday October 31, 2023 10:00am - 10:30am EDT

10:30am EDT

Breaker Track
Tuesday October 31, 2023 10:30am - 11:30am EDT

10:30am EDT

Builder Track
Tuesday October 31, 2023 10:30am - 11:30am EDT

10:30am EDT

DevSecOps Track
Tuesday October 31, 2023 10:30am - 11:30am EDT

10:30am EDT

Project Track
Tuesday October 31, 2023 10:30am - 11:30am EDT

12:30pm EDT

Lunch
Tuesday October 31, 2023 12:30pm - 2:00pm EDT

2:00pm EDT

Keynote 2
Tuesday October 31, 2023 2:00pm - 3:00pm EDT

3:00pm EDT

PM Break
Tuesday October 31, 2023 3:00pm - 3:30pm EDT

3:30pm EDT

Breaker Track
Tuesday October 31, 2023 3:30pm - 4:30pm EDT

3:30pm EDT

Builder Track
Tuesday October 31, 2023 3:30pm - 4:30pm EDT

3:30pm EDT

Defender Track
Tuesday October 31, 2023 3:30pm - 4:30pm EDT

3:30pm EDT

DevSecOps Track
Tuesday October 31, 2023 3:30pm - 4:30pm EDT

3:30pm EDT

Project Track
Tuesday October 31, 2023 3:30pm - 4:30pm EDT

4:30pm EDT

Breaker Track
Tuesday October 31, 2023 4:30pm - 5:30pm EDT

4:30pm EDT

Builder Track
Tuesday October 31, 2023 4:30pm - 5:30pm EDT

4:30pm EDT

Defender Track
Tuesday October 31, 2023 4:30pm - 5:30pm EDT

4:30pm EDT

DevSecOps Track
Tuesday October 31, 2023 4:30pm - 5:30pm EDT

4:30pm EDT

Project Track
Tuesday October 31, 2023 4:30pm - 5:30pm EDT

5:30pm EDT

Closing Ceremony
Attendance is mandatory to receive raffle prizes

Tuesday October 31, 2023 5:30pm - 6:00pm EDT
 
Wednesday, November 1
 

9:00am EDT

SAMM User Day
Wednesday November 1, 2023 9:00am - 5:00pm EDT

9:00am EDT

1-Day Training: Application Security Testing: Verifying the Right Things Were Done Right
Software Security Testing is a key component of any organization’s software assurance program. The importance of these practices is reflected by their presence throughout OWASP's Software Assurance Maturity Model (SAMM), where they're represented by two of the model's 15 core Practices (Requirement-driven Testing and Security Testing), and factor into numerous activities in the remaining Practices.


This class covers recommended Application Security Testing (AST) practices, along with supporting AST tools and ways to better leverage penetration testing, to verify and validate an application’s security features:

  • Verify – How do we confirm our application’s security features were built right?
  • Validate – How do we confirm we built the right security features, to secure the application's functionality?
Topic coverage will include establishing your overall AST strategy and aligning it with the OWASP ASVS; defining and implementing security test cases; utilizing AST tools; and using third-party penetration tests effectively within your testing strategy.


Speakers

Dr. John DiLeo

Solution Architect, IriusRisk
Dr. John DiLeo is the Auckland-area leader of the OWASP New Zealand Chapter and, for his day job, is a lead Solution Architect at IriusRisk, covering the Asia/Pacific region. Before joining IriusRisk, John led the Application Security Services team at Datacom, providing support and guidance to clients in launching, managing, and maturing their enterprise software assurance programs.

Before turning to full-time roles in security, John was active as a Java enterprise architect and Web application developer. In earlier lives, John was a full-time professor and specialised in developing discrete-event simulations of large distributed systems.

John is on the core team for the OWASP Software Assurance Maturity Model (SAMM) Project, leads the OWASP State of AppSec Survey Project, and is a member of the OWASP Education and Training Committee.


Wednesday November 1, 2023 9:00am - 5:00pm EDT
TBA
  1-Day Training
  • Audience: Beginner

9:00am EDT

2-Day Training: Adam Shostack's Threat Modeling Intensive
This hands-on, interactive class will focus on learning to threat model by executing each of the steps. Students will start with a guided threat modeling exercise, and we'll then iterate and break down the skills they're learning in more depth. We'll progress through the Four Questions of Threat Modeling: what are we working on, what can go wrong, what are we going to do about it, and did we do a good job? This is capped off with an end-to-end exercise that brings the skills together.

Speakers

Adam Shostack

Shostack + Associates
Adam Shostack is a leading expert in threat modeling, and the author of "Threats: What Every Engineer Should Learn from Star Wars" and "Threat Modeling: Designing for Security".


Wednesday November 1, 2023 9:00am - 5:00pm EDT
TBA

9:00am EDT

2-Day Training: Advanced Whiteboard Hacking – aka Hands-on Threat Modeling
This threat modeling training is based on real-life, hands-on practical threat modeling, and has been delivered every year at OWASP since 2016 and at Black Hat USA since 2017. Our latest Black Hat training score was 4.7/5 with great feedback!

You will get insight into our practical industry experience, helping you to become a threat modeling expert. We included an exercise on MITRE ATT&CK, and we focus on embedding threat modeling in Agile and DevOps practices.

We levelled up the threat modeling war game released at Black Hat 2023. Engaged in CTF-style challenges, your team will battle for control over an offshore wind turbine park.

The level of this training is Intermediate/Advanced. Participants who are new to threat modeling are required to follow our self-paced Threat Modeling Introduction training (which is about 2 hours and is included in this training). As highly skilled professionals with years of experience under our belts, we're intimately familiar with the gap between academic knowledge of threat modeling and real-world practice. To minimize that gap, we have developed practical use cases based on real-world projects. Each use case includes a description of the environment, together with questions and templates to build a threat model. Students will be challenged in groups of 3 to 4 people to perform the different stages of threat modeling:

  • Diagram techniques applied to a travel booking service
  • Threat model a cloud-based update service for an IoT kiosk
  • Create an attack tree against a nuclear research facility
  • Create a SOC risk-based alerting system with MITRE ATT&CK
  • Mitigate threats in a payment service built with microservices and S3 buckets
  • Apply data protection by design and by default on a loyalty app
  • Apply the OWASP Threat Modeling Playbook to agile development
  • Threat model the CI/CD pipeline
  • Battle for control over "Zwarte Wind", an offshore wind turbine park
After each hands-on exercise, the results are discussed, and students receive a documented solution.

All participants get a copy of “Threat Modeling: A Practical Guide for Development Teams” by Izar Tarandach and Matt Coles, as well as our Threat Modeling Playbook to improve your threat modeling practice, and one year of access to our online threat modeling learning platform.


As part of this training, you will be asked to create and submit your own threat model, on which you will get individual feedback. One month after the training we organize an online review session with all the participants.


Speakers
Sebastien Deleersnyder

CTO and Co-Founder, Toreon
Sebastien Deleersnyder, also known as Seba, is a highly accomplished individual in the field of cybersecurity. He is the CTO and co-founder of Toreon, as well as the COO and lead threat modeling trainer of Data Protection Institute. Seba holds a Master's degree in Software Engineering...


Wednesday November 1, 2023 9:00am - 5:00pm EDT

9:00am EDT

2-Day Training: AppSec Automation Masterclass
This training takes a comprehensive, focused and practical approach to implementing DevSecOps practices, with a focus on Application Security Automation. The training is a glued-to-your-keyboard hands-on journey with labs that are backed by practical examples of DevSecOps and AppSec Automation.

The training starts with a view of DevSecOps and AppSec Automation, specifically in terms of embedding security activities in multiple stages of the Software Development Lifecycle. Subsequently, the training delves into specific Application Security Automation approaches for SAST, SCA and Supply-Chain Security, and DAST, and the integration of these tools into CI/CD tools and automation pipelines.

In this edition, we’re completely rebuilding our existing DevSecOps content to reflect the very bleeding edge of Application Security Automation and DevSecOps approaches. These include, but are not limited to:

  • Hands-on SAST for Apps and Infrastructure-as-Code, with a focus on Semgrep and CodeQL. Develop custom SAST rules like a bawse!
  • Supply-Chain Security Automation: SBOMs, Software Composition Analysis (SCA) and security engineering techniques. This segment will additionally cover several approaches to building secure base images for containers.
  • Supply-Chain Assurance and Provenance for artifacts. Supply-chain security attacks are largely caused by a lack of assurance and poor provenance of software supply-chain artifacts. We’ll be diving into the SLSA (Supply-chain Levels for Software Artifacts) framework and how automation can help achieve its levels. In addition we’ll be diving into Cosign from the Sigstore project, which can be used to generate keyed or keyless signatures for container images and other build artifacts, including packages and SBOMs.
  • Secrets Management. This segment of the class will dive into secrets management and encryption tools like HashiCorp Vault, with examples of advanced implementations for encryption, key management and dynamic secrets.
  • DAST Automation with OWASP ZAP and Nuclei. We’ll be exploring API-based scanning with OWASP ZAP and test automation frameworks. In addition, we’ll explore using and building custom DAST automation with Nuclei. This will not only aid in integrating DAST into automation pipelines, but can also be used for security regression tests for more complex vulnerabilities.
  • Policy-as-Code with Open Policy Agent (OPA). OPA is a powerful framework that can be used to create and enforce policies across a variety of deployment environments, from performing access control and input validation in API gateways to deploying and enforcing security policies in container registries and operating systems. You’ll learn OPA’s domain-specific language, Rego, in order to understand policy-as-code frameworks.
  • Integrating Security Automation with CI/CD tooling. Here we’ll be exploring integrating security automation with CI/CD tools including GitHub Actions, GitLab and Jenkins. In addition, we’ll be leveraging data-flow automation tools like Robot Framework, Gaia and Prefect to provide alternatives to typical CI/CD tools for AppSec Automation.

Each section of the training will contain a challenge section that will enable the trainees and the trainers to identify levels of student learning.

Participants get two months of access to our online lab environment for DevSecOps training.


Speakers
Abhay Bhargav

Founder, AppSecEngineer
Abhay Bhargav is the founder at AppSecEngineer, a revolutionary training platform committed to solving the Security Skills Shortage. He has created some pioneering works in the area of DevSecOps and AppSec Automation, including the world’s first hands-on training program on DevSecOps...


Wednesday November 1, 2023 9:00am - 5:00pm EDT
TBA

9:00am EDT

2-Day Training: Mobile Application Security Testing Guide (MASTG) - Hands-On
This 2-day hands-on training teaches you how to analyse Android and iOS apps for security vulnerabilities by going through the different phases of testing, including dynamic testing, static analysis and reverse engineering, relying on the OWASP Mobile Application Security Testing Guide (MASTG). The OWASP MASTG is a comprehensive, open-source guide to mobile security testing for both iOS and Android; it offers a methodology and very detailed, technical test cases so that penetration testers can ensure completeness and cover the latest attack techniques against mobile apps.

At the beginning of the first day we start by giving an overview of the Android platform and its security architecture. It is no longer mandatory for students to bring their own Android device; instead, a cloud-based virtualized Android device will be provided for each student using Corellium. Topics include:

- Frida crash course to kick-start dynamic instrumentation of Android apps
- Intercepting network traffic of apps written in mobile app frameworks such as Google’s Flutter
- Identifying and exploiting a real-world deep-link vulnerability
- Exploring the differences and effectiveness of reverse engineering Android apps through patching Smali, Xposed and dynamic instrumentation with Frida
- Analyzing the local storage of an Android app
- Using dynamic instrumentation with Frida to:
  - bypass Frida detection mechanisms
  - bypass multiple root detection mechanisms

On day 2 we focus on iOS and will begin with an overview of the iOS platform and security architecture. After explaining what an IPA container is and the iOS file system structure, we start creating an iOS testing environment with Corellium and deep dive into various topics, including:

- Analyzing iOS applications that use non-HTTP traffic, including ways of intercepting the traffic
- Frida crash course to kick-start dynamic instrumentation of iOS apps
- Bypassing SSL pinning with SSL Kill Switch and Objection (Frida)
- Testing methodology with a non-jailbroken device by repackaging an IPA with the Frida Gadget
- Using Frida for runtime instrumentation of iOS apps to bypass:
  - anti-jailbreaking mechanisms
  - Frida detection mechanisms
  - other client-side security controls

At the end of each day a CTF will be played to investigate two apps with the newly learned skills, and you can win a prize!

Whether you are a beginner interested in learning mobile app testing from scratch, an experienced professional who would like to enhance their existing skills to perform more advanced attack techniques, or simply doing it for fun, this training will help you accomplish your goals.

The course consists of many different labs developed by the trainer and is roughly 65% hands-on and 35% lecture.


After successful completion of this course, students will have a better understanding of how to test for vulnerabilities in mobile apps, how to propose the right mitigation techniques to developers and how to execute tests consistently.


Speakers
Sven Schleier

Technical Director, WithSecure
Sven is the Technical Director of WithSecure in Singapore and is specialized in penetration testing and application security. Next to offensive security engagements he has supported and guided software development projects for Mobile and Web Applications during the whole SDLC to build...


Wednesday November 1, 2023 9:00am - 5:00pm EDT
TBA

9:00am EDT

3-Day Training: Web Application Security Essentials
This course provides the knowledge and resources required to evaluate the security of web applications. The participants, through the understanding of theory and a strong focus on practical exercises, will be able to identify critical vulnerabilities in web applications, understand how exploitation works and learn how to implement the necessary corrective measures.

The course is aligned with the OWASP Top 10 2021, a world-renowned reference document which describes the most critical web application security flaws.

The topics covered include:  

  • Introduction to Web Application Security 
  • Technologies used in Web Applications 
  • The Security Tester Toolkit 
  • Critical Areas in Web Applications 
  • Broken Access Control 
  • Cryptographic Failures 
  • Injection 
  • Insecure Design 
  • Security Misconfiguration 
  • Vulnerable and Outdated Components 
  • Identification and Authentication Failures 
  • Software and Data Integrity Failures 
  • Security Logging and Monitoring Failures 
  • Server Side Request Forgery (SSRF)  
Format: The course combines theory and hands-on practical exercises. The participants start by learning about web application vulnerabilities. They are then given access to a purpose-built web application environment that contains the bugs and coding errors they have learned about. This provides an ideal ‘real-life’ opportunity to exploit these vulnerabilities in a safe environment.




Speakers
Fabio Cerullo

Certified Instructor, Cycubix
Fabio has delivered this training to thousands of developers and security professionals. He also regularly delivers training to technical audiences on various topics such as application security, cloud security, and information security. Here is a reference from one attendee of his courses...


Wednesday November 1, 2023 9:00am - 5:00pm EDT
TBA

9:00am EDT

3-Day Training: Hacking Modern Web & Desktop Apps: Master the Future of Attack Vectors
This course is the culmination of years of experience gained via practical penetration testing of modern web and desktop applications, as well as countless hours spent doing research. We have structured this course around the OWASP Security Testing Guide; it covers the OWASP Top Ten and specific attack vectors against modern web and desktop apps. This course provides participants with actionable skills that can be applied immediately from day 1.

Please note our courses are 100% hands-on: we do not lecture students with boring bullet points and theories; instead we give you practical challenges and help you solve them, teaching you how to troubleshoot common issues and get the most out of this training. Training then continues after the course through our frequently updated training portal, for which you keep lifetime access, as well as unlimited email support.

Each day starts with a brief introduction to the modern platform for that day (e.g. Node.js, Electron) and then continues with a look at static analysis, moves on to dynamic checks, and finishes off with a nice CTF session to test the skills gained.

 

Day 1: Focused specifically on Hacking Modern Web Apps: We start with understanding Modern Web Apps and then deep dive into static and dynamic analysis of the applications at hand. This day is packed with hands-on exercises and CTF-style challenges.




Day 2: Focused on Hacking Modern Desktop Apps: We start with understanding Modern Desktop apps and various security considerations. We then focus on static and dynamic analysis of the applications at hand. The day is filled with hands-on exercises ending with a CTF for more practical fun.




Day 3: Dedicated to Advanced Modern Web & Desktop App Attacks: We cover advanced attacks specifically targeting Modern Web & Desktop Apps, such as dumping memory, prototype pollution, deserialization attacks, OAuth, JWT flaws and more. The day is full of hands-on exercises and ends with CTF-style open challenges for additional practice.


Speakers
Anirudh Anand

Security Engineer, 7aSecurity
Anirudh Anand is a security engineer with a primary focus on Web and Mobile Application Security. He is currently working as a Lead Security Engineer at CRED and also Security Trainer at 7asecurity. He has been submitting bugs and contributing to security tools for over 8 years. In...

Abraham Aranguren

CEO, 7aSecurity
After 15 years in itsec and 22 in IT Abraham is now the CEO of 7ASecurity (7asecurity.com), a company specializing in penetration testing of web/mobile apps, infrastructure, code reviews and training. Co-Author of the Mobile, Web and Desktop (Electron) app 7ASecurity courses. Security...


Wednesday November 1, 2023 9:00am - 5:00pm EDT
TBA

10:00am EDT

AM Break
Wednesday November 1, 2023 10:00am - 10:30am EDT
TBA

12:30pm EDT

Lunch
Wednesday November 1, 2023 12:30pm - 1:30pm EDT
TBA

3:00pm EDT

PM Break
Wednesday November 1, 2023 3:00pm - 3:30pm EDT
TBA
 
Thursday, November 2
 

8:00am EDT

Breakfast
Thursday November 2, 2023 8:00am - 9:00am EDT
TBA

9:00am EDT

2-Day Training: Adam Shostack's Threat Modeling Intensive (day 2)
Speakers

Adam Shostack

Shostack + Associates
Adam Shostack is a leading expert in threat modeling, and the author of "Threats: What Every Engineer Should Learn from Star Wars" and "Threat Modeling: Designing for Security".


Thursday November 2, 2023 9:00am - 5:00pm EDT
TBA

9:00am EDT

2-Day Training: Advanced Whiteboard Hacking – aka Hands-on Threat Modeling (day 2)
Day 2 of the two-day training; the full description is given under the Wednesday listing.

Speakers

Sebastien Deleersnyder

CTO and Co-Founder, Toreon


Thursday November 2, 2023 9:00am - 5:00pm EDT

9:00am EDT

2-Day Training: AppSec Automation Masterclass (day 2)
Day 2 of the two-day training; the full description is given under the Wednesday listing.

Speakers

Abhay Bhargav

Founder, AppSecEngineer


Thursday November 2, 2023 9:00am - 5:00pm EDT
TBA

9:00am EDT

2-Day Training: Mobile Application Security Testing Guide (MASTG) - Hands-On
This 2-day hands-on training teaches you how to analyse Android and iOS apps for security vulnerabilities, by going through the different phases of testing, including dynamic testing, static analysis and reverse engineering by relying on the OWASP Mobile Application Security Testing Guide (MASTG). The OWASP MASTG is a comprehensive and open source guide about mobile security testing for both iOS and Android and offers a methodology and very detailed, technical test cases for penetration testers to ensure completeness and the latest attack techniques against mobile apps.


At the beginning of the first day we start by giving an overview of the Android Platform and it’s Security Architecture. It is no longer mandatory for students to bring their own Android device, instead a cloud-based virtualized Android device will be provided for each student, by using Corellium. Topics include:

- Frida crash course to kick-start dynamic instrumentation of Android apps

- Intercepting network traffic of apps written in mobile app frameworks such as Google’s Flutter

- Identifying and exploiting a real-world deep link vulnerability

- Comparing the effectiveness of reverse engineering Android apps by patching Smali, using Xposed, and dynamic instrumentation with Frida

- Analyzing the local storage of an Android app

- Using dynamic instrumentation with Frida to:

  - bypass Frida detection mechanisms

  - bypass multiple root detection mechanisms
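
The root detection bypasses listed above are typically done with a Frida script that hooks the Java APIs the checks rely on. The following is an added example, not course material from the trainer: it hooks java.io.File.exists, java.lang.Runtime.exec, android.os.Build.TAGS and ApplicationPackageManager.getPackageInfo so that probes for su binaries, Magisk artefacts, test-keys builds and root-manager apps come back negative. The indicator lists, the com.example.app package name and the hide_root.js file name are assumptions. Loaded outside Frida (for instance in plain Node) the global `Java` is undefined, so only the pure matching helpers are defined and no hooks are installed; that is also how the matching logic can be exercised in isolation.

```javascript
// hide_root.js: Frida script that hides common Android root indicators from
// an app's root-detection checks. Added example, not code from the training.
// Load it with (package name is a placeholder):
//   frida -U -f com.example.app -l hide_root.js
// Outside Frida (e.g. plain Node) `Java` is undefined, so only the pure
// matching helpers below are defined and no hooks are installed.

// Indicator lists assumed here; real detection libraries probe many more.
const ROOT_PATHS = [
  '/system/bin/su', '/system/xbin/su', '/sbin/su', '/su/bin/su',
  '/system/app/Superuser.apk', '/system/xbin/busybox',
  '/sbin/.magisk', '/data/adb/magisk',
];
const ROOT_BINARIES = ['su', 'busybox', 'magisk'];
const ROOT_MANAGER_PACKAGES = [
  'com.topjohnwu.magisk', 'eu.chainfire.supersu', 'com.koushikdutta.superuser',
];

function basename(path) {
  return path.substring(path.lastIndexOf('/') + 1);
}

// Is this File.exists() call probing for a root artefact?
function isRootIndicatorPath(path) {
  if (typeof path !== 'string') return false;
  return ROOT_PATHS.includes(path) || ROOT_BINARIES.includes(basename(path));
}

// Is this Runtime.exec() argv probing for root ("which su", "/system/xbin/su -c id", ...)?
function isRootProbeCommand(argv) {
  if (!Array.isArray(argv) || argv.length === 0) return false;
  const first = basename(String(argv[0]));
  if (ROOT_BINARIES.includes(first)) return true;
  return first === 'which' && argv.slice(1).some((a) => ROOT_BINARIES.includes(String(a)));
}

function isRootManagerPackage(name) {
  return ROOT_MANAGER_PACKAGES.includes(String(name));
}

if (typeof Java !== 'undefined') {
  Java.perform(function () {
    const IOException = Java.use('java.io.IOException');

    // 1. File-based checks: new File("/system/xbin/su").exists()
    const File = Java.use('java.io.File');
    File.exists.implementation = function () {
      const path = String(this.getAbsolutePath());
      if (isRootIndicatorPath(path)) {
        console.log('[hide_root] File.exists(' + path + ') -> false');
        return false;
      }
      return this.exists(); // fall through to the original implementation
    };

    // 2. Command-based checks: Runtime.getRuntime().exec("which su")
    const Runtime = Java.use('java.lang.Runtime');
    Runtime.exec.overload('java.lang.String').implementation = function (cmd) {
      const argv = String(cmd).trim().split(/\s+/);
      if (isRootProbeCommand(argv)) {
        console.log('[hide_root] Runtime.exec(' + cmd + ') -> IOException');
        throw IOException.$new('not found');
      }
      return this.exec(cmd);
    };
    Runtime.exec.overload('[Ljava.lang.String;').implementation = function (cmdarray) {
      const argv = [];
      for (let i = 0; i < cmdarray.length; i++) argv.push(String(cmdarray[i]));
      if (isRootProbeCommand(argv)) {
        console.log('[hide_root] Runtime.exec(' + argv.join(' ') + ') -> IOException');
        throw IOException.$new('not found');
      }
      return this.exec(cmdarray);
    };

    // 3. Build-property checks: Build.TAGS.contains("test-keys")
    const Build = Java.use('android.os.Build');
    Build.TAGS.value = 'release-keys';

    // 4. Package checks: getPackageManager().getPackageInfo("com.topjohnwu.magisk", 0)
    const PackageManager = Java.use('android.app.ApplicationPackageManager');
    const NotFound = Java.use('android.content.pm.PackageManager$NameNotFoundException');
    PackageManager.getPackageInfo.overload('java.lang.String', 'int').implementation =
      function (name, flags) {
        if (isRootManagerPackage(name)) {
          console.log('[hide_root] getPackageInfo(' + name + ') -> NameNotFoundException');
          throw NotFound.$new(String(name));
        }
        return this.getPackageInfo(name, flags);
      };
  });
}
```

The script hooks the Java layer only; apps that check for root from native code (stat() on the same paths via JNI) need the equivalent Interceptor hooks on libc, and apps that detect Frida itself must have those checks disabled first, which is why the course pairs the two topics.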




On day 2 we focus on iOS and begin with an overview of the iOS platform and its security architecture. After explaining what an IPA container is and how the iOS file system is structured, we set up an iOS testing environment with Corellium and dive into various topics, including:




- Analyzing iOS applications that use non-HTTP traffic, including ways of intercepting that traffic

- Frida crash course to kick-start dynamic instrumentation of iOS apps

- Bypassing SSL pinning with SSL Kill Switch and Objection (Frida)

- Testing methodology on a non-jailbroken device by repackaging an IPA with the Frida Gadget

- Using Frida for runtime instrumentation of iOS apps to bypass:

  - jailbreak detection mechanisms

  - Frida detection mechanisms

  - other client-side security controls




At the end of each day a CTF is played in which two apps are investigated with the newly learned skills, and you can win a prize!


Whether you are a beginner who wants to learn mobile app testing from scratch, an experienced professional who would like to enhance existing skills with more advanced attack techniques, or someone doing it for fun, this training will help you accomplish your goals.

The course consists of many different labs developed by the trainer and the course is roughly 65% hands-on and 35% lecture.


After successful completion of this course, students will have a better understanding of how to test for vulnerabilities in mobile apps, how to propose the right mitigation techniques to developers and how to execute tests consistently.


Speakers

Sven Schleier

Technical Director, WithSecure
Sven is the Technical Director of WithSecure in Singapore and specializes in penetration testing and application security. Next to offensive security engagements he has supported and guided software development projects for mobile and web applications during the whole SDLC to build...


Thursday November 2, 2023 9:00am - 5:00pm EDT
TBA

9:00am EDT

3-Day Training: Web Application Security Essentials
This course provides the knowledge and resources required to evaluate the security of web applications. Through an understanding of the theory and a strong focus on practical exercises, participants will be able to identify critical vulnerabilities in web applications, understand how exploitation works and learn how to implement the necessary corrective measures.

The course is aligned with the OWASP Top 10 2021, a world-renowned reference document which describes the most critical web application security flaws.

The topics covered include:  

  • Introduction to Web Application Security 
  • Technologies used in Web Applications 
  • The Security Tester Toolkit 
  • Critical Areas in Web Applications 
  • Broken Access Control 
  • Cryptographic Failures 
  • Injection 
  • Insecure Design 
  • Security Misconfiguration 
  • Vulnerable and Outdated Components 
  • Identification and Authentication Failures 
  • Software and Data Integrity Failures 
  • Security Logging and Monitoring Failures 
  • Server Side Request Forgery (SSRF)  
Format: The course combines theory and hands-on practical exercises. The participants start by learning about web application vulnerabilities. They are then given access to a purpose-built web application environment that contains the bugs and coding errors they have learned about. This provides an ideal ‘real-life’ opportunity to exploit these vulnerabilities in a safe environment.




Speakers

Fabio Cerullo

Certified Instructor, Cycubix
Fabio has delivered this training to thousands of developers and security professionals. He also regularly delivers training to technical audiences on various topics such as application security, cloud security, and information security. Here is a reference from one attendee of his courses...


Thursday November 2, 2023 9:00am - 5:00pm EDT
TBA

9:00am EDT

3-Day Training: Hacking Modern Web & Desktop Apps: Master the Future of Attack Vectors
This course is the culmination of years of experience gained through practical penetration testing of modern web and desktop applications, as well as countless hours spent doing research. We have structured this course around the OWASP Security Testing Guide; it covers the OWASP Top Ten and specific attack vectors against modern web and desktop apps. This course provides participants with actionable skills that can be applied immediately from day 1.




Please note our courses are 100% hands-on, we do not lecture students with boring bullet points and theories, instead we give you practical challenges and help you solve them, teaching you how to troubleshoot common issues and get the most out of this training. Training then continues after the course through our frequently updated training portal, for which you keep lifetime access, as well as unlimited email support.




Each day starts with a brief introduction to the modern platform for that day (e.g. Node.js, Electron), continues with static analysis, moves on to dynamic checks and finishes with a CTF session to test the skills gained.

 

Day 1: Focused specifically on Hacking Modern Web Apps: We start with understanding Modern Web Apps and then deep dive into static and dynamic analysis of the applications at hand. This day is packed with hands-on exercises and CTF-style challenges.




Day 2: Focused on Hacking Modern Desktop Apps: We start with understanding Modern Desktop apps and various security considerations. We then focus on static and dynamic analysis of the applications at hand. The day is filled with hands-on exercises ending with a CTF for more practical fun.




Day 3: Dedicated to Advanced Modern Web & Desktop App Attacks: We cover advanced attacks specifically targeting Modern Web & Desktop Apps, such as dumping memory, prototype pollution, deserialization attacks, OAuth, JWT flaws and more. The day is full of hands-on exercises and ends with CTF-style open challenges for additional practice.
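
Of the Day 3 topics, prototype pollution is the one most specific to the JavaScript runtimes (Node.js, Electron) this course targets. The following added example, not code from the course, shows the classic shape: a recursive deep merge of an attacker-controlled JSON body that follows a "__proto__" key into Object.prototype, beside a hardened merge that refuses the dangerous keys, and a downstream check that turns the pollution into an authorization bypass. The payload, the canDeleteUsers check and the settings-merge scenario are constructed for illustration.

```javascript
// Prototype pollution through a recursive "deep merge" of untrusted JSON.
// Added example; the vulnerable/hardened pair is illustrative, not course code.
// Applies equally to Node.js services and to Electron main/renderer code that
// merges user-supplied settings objects.

// Constructed attacker payload, e.g. the JSON body of a profile-update request.
// JSON.parse() creates an own property literally named "__proto__" here.
const ATTACKER_JSON = '{"theme":"dark","__proto__":{"isAdmin":true}}';

// Vulnerable: treats "__proto__" like any other key. target["__proto__"] resolves
// to Object.prototype, so the recursion writes isAdmin onto every object.
function mergeVulnerable(target, source) {
  for (const key in source) {
    const value = source[key];
    if (value !== null && typeof value === 'object') {
      if (typeof target[key] !== 'object' || target[key] === null) target[key] = {};
      mergeVulnerable(target[key], value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Hardened: own keys only, and the three keys that reach the prototype chain
// are dropped instead of merged.
const BLOCKED_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

function mergeHardened(target, source) {
  for (const key of Object.keys(source)) {
    if (BLOCKED_KEYS.has(key)) continue;
    const value = source[key];
    if (value !== null && typeof value === 'object' && !Array.isArray(value)) {
      if (!Object.prototype.hasOwnProperty.call(target, key)
          || typeof target[key] !== 'object' || target[key] === null) {
        target[key] = {};
      }
      mergeHardened(target[key], value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Downstream authorization check; this user never had isAdmin set explicitly.
function canDeleteUsers(user) {
  return user.isAdmin === true;
}

// Merge the payload into a fresh settings object with the given merge function,
// then ask whether an unrelated user object suddenly passes the admin check.
// Always restores Object.prototype afterwards so the pollution does not leak.
function attackerBecomesAdmin(merge) {
  try {
    merge({}, JSON.parse(ATTACKER_JSON));
    return canDeleteUsers({ name: 'bob' });
  } finally {
    delete Object.prototype.isAdmin;
  }
}
```

Blocking the three keys is the minimum; storing parsed configuration in objects created with Object.create(null), validating request bodies against a schema before merging, and starting Node with --disable-proto=delete each close off the same class of bug from a different side.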


Thursday November 2, 2023 9:00am - 5:00pm EDT
TBA

10:00am EDT

AM Break
Thursday November 2, 2023 10:00am - 10:30am EDT
TBA

12:30pm EDT

Lunch
Thursday November 2, 2023 12:30pm - 1:30pm EDT
TBA

3:00pm EDT

PM Break
Thursday November 2, 2023 3:00pm - 3:30pm EDT
TBA
 
Friday, November 3
 

8:00am EDT

Breakfast
Friday November 3, 2023 8:00am - 9:00am EDT
TBA

9:00am EDT

3-Day Training: Web Application Security Essentials
Friday November 3, 2023 9:00am - 5:00pm EDT
TBA

9:00am EDT

3-Day Training: Hacking Modern Web & Desktop Apps: Master the Future of Attack Vectors
Friday November 3, 2023 9:00am - 5:00pm EDT
TBA

10:00am EDT

AM Break
Friday November 3, 2023 10:00am - 10:30am EDT
TBA

12:30pm EDT

Lunch
Friday November 3, 2023 12:30pm - 1:30pm EDT
TBA

3:00pm EDT

PM Break
Friday November 3, 2023 3:00pm - 3:30pm EDT
TBA
 