AppSec Europe 2016 has ended


Training
Monday, June 27
 

09:00

Day 1/2 - Assessing and Securing MEAN (MongoDB, Express.js, Angular.js, and Node.js)
MEAN is a free and open-source JavaScript software stack for building dynamic web sites and web applications, and it has gained momentum in recent years: 
- MongoDB, a NoSQL document database 
- Express.js, a web application framework that runs on Node.js 
- AngularJS, a client-side JavaScript MVC framework developed by Google that runs in the browser's JavaScript engine 
- Node.js, an execution environment for event-driven server-side and networking applications 
Every developer has heard of it, and many organisations are moving their production applications to the MEAN stack. 

This two-day training will teach you how web application vulnerabilities change in the MEAN stack. We are going to explore these technologies and talk about the main issues you can encounter while either assessing or writing MEAN applications: 
1) Security fundamentals and implications of using MongoDB, Express.js, Angular.js and Node.js 
2) OWASP Top 10 in MEAN 
3) Typical exploitation of MEAN and how to stop these attacks 
- NoSQL injections 
- Server-side JavaScript injections 
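
The two exploitation topics above, as an added example written for this page (it is not material from the course, from Secure Code Warrior or from NodeGoat): a MEAN-style login handler that drops the JSON-parsed request body straight into a MongoDB filter, the operator-injection payload that turns it into an authentication bypass and then into a blind password oracle via `$regex`, and a hardened version that validates the input types before the driver sees them. The `users` array and the small `$gt`/`$ne`/`$regex` matcher are stand-ins for a real collection and driver so the file runs offline; `loginVulnerable`, `loginHardened`, `leakFirstChar` and the sample users are hypothetical.

```javascript
// Added example for this page (not course material). Simulates MongoDB operator
// injection in an Express/Mongoose login handler. The in-memory "collection"
// and matcher below stand in for a real MongoDB driver so this runs offline.

// Constructed sample users (hypothetical data, not a real dataset).
const users = [
  { user: 'alice', pass: 'correct horse battery staple', role: 'admin' },
  { user: 'bob', pass: 'hunter2', role: 'user' },
];

// Minimal MongoDB-style matcher. A filter value that is an object is treated
// as an operator expression, which is exactly what the real driver does when a
// JSON-parsed request body is used as the filter.
function matches(doc, filter) {
  return Object.entries(filter).every(([field, cond]) => {
    const value = doc[field];
    if (cond !== null && typeof cond === 'object') {
      return Object.entries(cond).every(([op, arg]) => {
        switch (op) {
          case '$gt': return value > arg;
          case '$ne': return value !== arg;
          case '$regex': return new RegExp(arg).test(String(value));
          default: throw new Error(`matcher does not implement ${op}`);
        }
      });
    }
    return value === cond;
  });
}

function find(filter) {
  return users.filter((doc) => matches(doc, filter));
}

// VULNERABLE: express.json() has already turned the body into objects, and the
// handler passes those objects into the query unchanged, i.e. the equivalent of
//   app.post('/login', (req, res) => User.find({ user: req.body.user, pass: req.body.pass }))
// so the body {"user": {"$gt": ""}, "pass": {"$gt": ""}} matches every user.
function loginVulnerable(body) {
  return find({ user: body.user, pass: body.pass });
}

// Blind extraction with the same bug: $regex on the password field turns the
// login endpoint into a yes/no oracle, one character at a time.
function leakFirstChar(username, alphabet = 'abcdefghijklmnopqrstuvwxyz') {
  for (const ch of alphabet) {
    const hit = loginVulnerable({ user: username, pass: { $regex: '^' + ch } });
    if (hit.length === 1) return ch;
  }
  return null;
}

// HARDENED: reject anything that is not a plain string before it reaches the
// driver. This is the check that express-mongo-sanitize / mongo-sanitize
// automate. (Storing only a password hash and comparing against it is the
// other fix a real handler needs; it is left out here to keep the focus.)
function loginHardened(body) {
  for (const key of ['user', 'pass']) {
    if (typeof body[key] !== 'string') {
      throw new TypeError(`${key} must be a string`);
    }
  }
  return find({ user: body.user, pass: body.pass });
}

// Attacker-controlled JSON body for POST /login (constructed).
const injectedBody = { user: { $gt: '' }, pass: { $gt: '' } };

function demo() {
  const bypassed = loginVulnerable(injectedBody);
  let rejected = false;
  try { loginHardened(injectedBody); } catch (e) { rejected = e instanceof TypeError; }
  return { bypassedRows: bypassed.length, rejected, leaked: leakFirstChar('alice') };
}

console.log(demo());
```

The same shape of bug appears with `$where` and string-concatenated JavaScript, which MongoDB evaluates server-side; the type check above blocks the operator form, but `$where` built from user strings has to be removed outright.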

This course will be 50% hands-on using: 
- Secure Code Warrior (https://www.securecodewarrior.com), a platform where software developers use hands-on learning to build secure-coding skills and are benchmarked against their peers. A month of full access to the SCW platform is included in the training. 
- OWASP NodeGoat (https://www.owasp.org/index.php/OWASP_Node_js_Goat_Project) 

Trainer

Jaap Karan

Chief Singh, Secure Code Warrior
Jaap is a coder, hacker and Chief Singh at Secure Code Warrior in Australia. After having done security testing at BAE Systems in Australia, he moved back to building great things instead of breaking them. He is one of the brains behind the Secure Code Warrior platform, mainly focussing...

Monday June 27, 2016 09:00 - 17:00
Bramante 14

09:00

Day 1/2 - Hands on Web App Testing with Python
Hands on Web App Testing with Python is a two-day training class that provides students with basic, intermediate, and advanced Python scripting essentials for website security testing and exploitation. The class will prepare students to write their own Python tools to aid in performing web application testing against commonly found vulnerabilities.

Class Requirements: Students must come to class prepared with the following:
1. Laptop with at least 8 GB of RAM and a quad-core processor
2. Virtualization platform (a VirtualBox and VMware image of the Vulnerable Web App VM will be made available 1 month before the class)
3. A Kali Linux VM with Python 2.7 or Python 3 configured and installed (all scripts will be developed in Kali to attack the VM)
4. The custom vulnerable virtual machine image loaded and ready to go BEFORE the class starts (a download link will be provided 1 month before the class)
5. Additional Python libraries to be determined as necessary and communicated before the class (these must be installed b

Trainer

Michael Born

Senior Security Consultant, Threat Services, NTT Security (US), Inc.
I enjoy breaking into things more than defending, I love Python, can tolerate Ruby, and am always trying to improve at C and Assembly. My current security testing focus is network penetration testing, application penetration testing, mobile application penetration testing, and social...

Fred Donovan

Application Security Architect
Enjoy discussions on "hacking back". Friend and brother to many.

Monday June 27, 2016 09:00 - 17:00
Bramante 10

09:00

Day 1/2 - OWASP Application Security Verification Standard 3.0 Developer and QA
In 2015, OWASP released the Application Security Verification Standard 3.0. Andrew van der Stock and Daniel Cuthbert, ASVS Project Leads and noted presenters and trainers, will take developers and testers through all Level 1 and a few key Level 2 controls, with live labs using OWASP Security Shepherd to demonstrate the issues, and working on code fixes to resolve those issues. This training is suitable for all developers, quality assurance, code reviewers, and penetration testers, but a distinct focus will be on code security and how to build secure applications using the ASVS in real world scenarios.

Trainer

Andrew van der Stock

Andrew van der Stock is a long time OWASP contributor, project leader, and Global Board Member. Some of his projects include the OWASP Developer Guide 2.0, OWASP Top 10 2007, OWASP Application Security Verification Project 2.0 and 3.0, and ESAPI for PHP. He specialises in agile secure...

Monday June 27, 2016 09:00 - 17:00
Bramante 11

09:00

Day 1/3 - Droid-Sec Exploitation
The Droid-Sec Exploitation workshop will enable attendees to master various Android application penetration testing techniques and exploitation methods. The workshop focuses on practical hands-on exercises on several dedicated vulnerable apps, with the basic theory explained before each do-it-yourself, mind-bending exercise.

Trainer

Gordon Gonsalves

Gordon Gonsalves is a Certified Ethical Hacker and Certified Security Analyst from EC-Council and a Microsoft Certified Technology Specialist. He has more than 10 years' experience in IT, network and application security testing and has been a speaker and trainer...

Blessen Thomas

Senior Security Consultant
Blessen Thomas (@pentagramz) is an Independent Security Researcher & Senior Security Consultant & delivers Web Application Penetration Test, Smart Watch Wearable Application Penetration Testing, Mobile Penetration Test (iOS, Android, Windows platform), Vulnerability Assessment...

Monday June 27, 2016 09:00 - 17:00
Bramante 07

09:00

Day 1/3 - Exploiting Websites by using offensive HTML, SVG, CSS and other Browser-Evil
More and more web applications delegate business logic to the client. HTML.next, JavaScript, SVG, Canvas, ECMAScript 7/ES2016, AngularJS and ReactJS are just some of the terms that describe the contents of the modern web stack. But what does the attack surface look like for those? What if there are no GET parameters anymore that our scanners can tamper with? What can we do when the server just delivers raw data and the rest is done by the browser? Classic web pentests are "so nineties" in this realm, and keeping pace with progress is getting harder and harder.

But there is hope. The focus of this workshop is on the offensive and dangerous parts of HTML, JavaScript and related technologies, the nasty and undocumented stuff, dozens of new attack techniques straight from the laboratory of horrors of those maintaining the HTML5 Security Cheatsheet. We’ll learn how to attack any web-application with either unknown legacy features – or the half-baked results coming to your browser from the labs of W3C, WHATWG and the ES2016 mailing lists. Whether you want to attack modern web applications or shiny browser extensions and Chrome Packaged Apps – we have that covered.

Whoever works with or against the security of modern web applications will enjoy and benefit from this workshop. A bit of knowledge on HTML and JavaScript is required, but rookies and rocket scientists will be satisfied equally.

HTML is a living standard, and so is this workshop. The course material will be provided on-site and via access to a private GitHub repository, so all attendees will receive updated material even months after the actual training. All attendees are granted perpetual access to updated slides and material.

Speakers

Mario Heiderich (Keynote Speaker)

Founder, Cure 53
Dr.-Ing. Mario Heiderich, handsome heart-breaker, bon-vivant and (as he loves to call himself) "security researcher" is from Berlin, likes everything between lesser- and greater-than and leads a small yet exquisite pen-test company. He commonly pesters peaceful attendees on various...



Monday June 27, 2016 09:00 - 17:00
Bramante 04

09:00

Day 1/3 - OWASP Top 10: Exploitation and Effective Safeguards
Video presentation of this training

The OWASP Top 10 web application vulnerabilities list has done a great job promoting awareness among developers. Together with the many OWASP cheat sheets, it provides valuable tools and techniques to web developers. But such a large body of information can be overwhelming for a programmer who wants to learn about security. This course aims to give web developers deep, hands-on knowledge of the subject.

To achieve this goal, participants will first learn the technical details of each OWASP Top 10 vulnerability. Then the instructor will give demos of how attacks are performed against each of them. After that, participants will use virtual machines and follow step-by-step procedures to launch attacks against a vulnerable web site. This step is key to understanding how exploitation works so that they can later implement effective safeguards in their systems. Our experience is that participants who have had hands-on experience exploiting vulnerabilities will always remember how to prevent them.

We will conclude the class with a Capture the Flag (CTF) event, where participants will be able to apply the techniques they have learned in a fun and friendly environment.

The course will cover the following topics:
  1. OWASP Top 10 web application vulnerabilities:
    A1 - Injection Attacks (Command Injection and SQL Injection)
    A2 - Broken Authentication and Session Management
    A3 - Cross-Site Scripting (XSS)
    A4 - Insecure Direct Object References
    A5 - Security Misconfiguration
    A6 - Sensitive Data Exposure
    A7 - Missing Function Level Access Control
    A8 - Cross-Site Request Forgery (CSRF)
    A9 - Using Known Vulnerable Components
    A10- Unvalidated Redirects and Forwards
  2. SSL Certificates
  3. Password Management
  4. OWASP Application Security Verification Standard (ASVS)
  5. Securing AJAX and Web Services (REST and SOAP)
  6. Web Application Firewalls (WAF)
  7. Using a Vulnerability Scanner
  8. Effective Code Review Techniques
  9. OWASP Enterprise Security API (ESAPI)
  10. Secure Coding Best Practices
  11. Effective Security Safeguards

Demos from the instructor
  1. SQL Injection
  2. Cross-Site Scripting
  3. Insecure Direct Object References
  4. Sensitive Data Exposure
  5. Cross-Site Request Forgery
  6. Blind SQL Injection
  7. Remote File Injection
  8. Using Known Vulnerable Components
  9. Unvalidated Redirects and Forwards

Hands-on exercises
  1. Session Initialization and Client-Side Validation
  2. Sniffing Encrypted Traffic
  3. Online Password Guessing Attack
  4. Account Harvesting
  5. Command Injection Attacks
  6. Using a Web Application Vulnerability Scanner
  7. Create Self-Signed SSL certificates (Root CA and Server certificates)
  8. Capture the Flag (CTF) - A longer exercise at the end of the last day where participants try to find hidden vulnerabilities by themselves using techniques they have learned in the class.  
Who Should Take This Course?
This course is designed to help intermediate to expert web developers and security professionals understand how to secure web applications. Participants are expected to have basic knowledge of web technologies, but no security experience is required before taking this course. Security professionals who want to learn more about web security will also benefit from this class.

What Should Participants Bring?
Participants are required to bring a laptop (Windows, Mac or Linux) with at least 3 GB of RAM, 20 GB of free disk space along with either VMWare Workstation Player (free), VMWare Workstation, VMWare Fusion or Oracle VirtualBox (free) pre-installed. They must also have an administrator/root account on their laptop. At the beginning of the course, participants will receive a USB thumb drive containing a pre-configured virtual machine.

Trainer

David Caissy

Penetration Tester, Bank of Canada
David Caissy is a web application penetration tester with in-depth developer and IT Security background spanning over 17 years. He has extensive experience in conducting vulnerability assessments and penetration tests as well as providing training globally, amongst numerous other...

Monday June 27, 2016 09:00 - 17:00
Bramante 05
 
Tuesday, June 28
 

09:00

Day 1/1 - CISO training: Managing Web & Application Security - OWASP for senior managers
Managing and improving your global information security organization: leverage OWASP and common best practices to improve your security programs and organization, achieve cost-effective application security, and bring it all together at the management level.

Presentation Type: training
Duration: 1 day
Language: English
Target Audience: Management
Skill Level: Beginner – Medium

Trainer

Tobias Gondrom

Global Board Member, OWASP
Tobias Gondrom is a global board member of OWASP (Open Web Application Security Project) and was its chairman until December 2015. Until April 2015, he led a boutique Global CISO and Information Security & Risk Management Advisory based in Hong Kong, United Kingdom and...

Tuesday June 28, 2016 09:00 - 17:00
Bramante 08

09:00

Day 1/2 - Hands-on Threat Modeling

Threat modeling is the primary security analysis task performed during the software design stage. It is a structured activity for identifying and evaluating application threats and vulnerabilities: modeling the security objectives, the threats and the attacks against a design is meant to help you find vulnerabilities in your application and its supporting architecture. You can then use the identified vulnerabilities to shape your design and to direct and scope your security testing.

Threat modeling allows you to consider, document, and discuss the security implications of designs in the context of their planned operational environment and in a structured fashion. It also allows consideration of security issues at the component or application level. The threat modeling course will teach you to perform threat modeling through a series of workshops, where our trainer will guide you through the different stages of a practical threat model.

This course is aimed at software developers, architects, system managers and security professionals. Before attending, students should have basic knowledge of web and mobile applications, databases and single sign-on (SSO) principles. Students should bring their own laptop to the course.

 
Course topics  
Threat modeling introduction
  • Threat modeling in a secure development lifecycle
  • What is threat modeling?
  • Why perform threat modeling?
  • Threat modeling stages
  • Diagrams
  • Identify threats
  • Addressing threats
  • Document a threat model


Diagrams – what are you building?

  • Understanding context
  • Doomsday scenarios
  • Data flow diagrams
  • Trust Boundaries
  • Hands-on: diagram B2B web and mobile applications, sharing the same REST backend


Identifying threats – what can go wrong?

  • STRIDE introduction
  • Spoofing threats
  • Tampering threats
  • Repudiation threats
  • Information disclosure threats
  • Denial of service threats
  • Elevation of privilege threats
  • Privacy threats
  • Attack trees
  • Hands-on: STRIDE analysis of an Internet of Things (IoT) deployment with an on premise gateway and secure update service

Addressing each threat

  • Mitigation patterns
  • Authentication: mitigating spoofing
  • Integrity: mitigating tampering
  • Non-repudiation: mitigating repudiation
  • Confidentiality: mitigating information disclosure
  • Availability: mitigating denial of service
  • Authorization: mitigating elevation of privilege
  • Mitigating privacy threats
  • Hands-on: threat mitigations for OAuth scenarios in web and mobile applications


Practical threat modeling

  • Strategies for risk management
  • Selecting mitigations
  • Threat ranking
  • Risk acceptance
  • Validating threat mitigations


Threat modeling tools

  • General tools
  • Open-Source tools
  • Commercial tools


Attack libraries

  • Libraries and checklists
  • CAPEC
  • OWASP Top 10
  • Building your own library


Examination

  • Hands-on examination 
  • Grading and certification
 

Student package

The course students receive the following package as part of the course:

  • Each student will receive a hard copy of the book Threat Modeling: Designing for Security by Adam Shostack (Wiley, 2014)
  • Hand-outs of the presentations
  • Work sheets of the use cases
  • Detailed solution descriptions of the use cases
  • Template to document a threat model
  • Template to calculate risk levels of identified threats
  • Certificate: following a successful exam (passing grade set at 70%), the student will receive a certificate of successful completion of the course

Trainer

Sebastien Deleersnyder

Managing partner Application Security, Toreon
Seba is co-founder, CEO of Toreon and a proponent of application security as a holistic endeavor. He started the Belgian OWASP chapter, was a member of the OWASP Foundation Board and performed several public presentations on Application Security. Seba also co-founded the yearly security...

Tuesday June 28, 2016 09:00 - 17:00
Bramante 09

09:00

Day 1/2 - Web Service and Single Sign-On Security
Web Services and Single Sign-On are among the most important Internet technologies. However, in recent years it has been shown that these technologies allow for serious attacks. The attacks take advantage of the complexity of XML and make it possible to read data from secured servers, to authenticate as an arbitrary user in Single Sign-On scenarios, or to decrypt confidential data. In this training, we will give an overview of the most important Web Service and Single Sign-On specific attacks. Participants will get the opportunity to carry out these attacks in a prepared virtual machine. The attacks will first be tested manually (e.g., with SoapUI) in order to get a feeling for them. Subsequently, we will present our penetration testing tool WS-Attacker, which will be used to execute the presented attacks automatically. For each of the attacks, countermeasures will be discussed, and it will be shown how to deploy them on widely used systems and firewalls, including IBM DataPower or Axway.
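
One of the countermeasures for the "read data from secured servers" class of attack mentioned above, as an added example written for this page (it is not part of the training and not code from WS-Attacker): a pre-parse check that refuses any XML message carrying a DTD. XML External Entity (XXE) attacks, external DTD loading and entity-expansion denial of service all need a `<!DOCTYPE` in the prolog, and SOAP, WS-Security and SAML messages never legitimately carry one, so rejecting the DTD up front is the cheapest hardening and mirrors what a secure parser configuration (DTD processing disabled) enforces. The function names, the sample SOAP message and the two attack payloads are constructed for the example; the check is deliberately run on decoded text, because a UTF-16 encoded document would otherwise slip past a byte-level search.

```javascript
// Added example for this page (not training material or WS-Attacker code):
// refuse XML that carries a DTD before any parser sees it.

// XML keywords are case-sensitive, so a well-formed DTD always spells
// "<!DOCTYPE" exactly; entity declarations can only appear inside it.
const DOCTYPE = /<!DOCTYPE/;
const ENTITY = /<!ENTITY/;

// Decode bytes to text first: a UTF-16 document has a NUL byte between every
// ASCII character, so a byte-level search for "<!DOCTYPE" would miss it.
function decodeXml(buf) {
  if (buf.length >= 2 && buf[0] === 0xff && buf[1] === 0xfe) {
    return buf.subarray(2).toString('utf16le');           // UTF-16LE with BOM
  }
  if (buf.length >= 2 && buf[0] === 0xfe && buf[1] === 0xff) {
    const le = Buffer.from(buf.subarray(2));              // copy: swap16 works in place
    return le.swap16().toString('utf16le');               // UTF-16BE with BOM
  }
  return buf.toString('utf8');
}

// Returns { ok, reason }. Deliberately conservative: the literal text
// "<!DOCTYPE" inside a comment or CDATA section is rejected too, which is a
// safe false positive for machine-generated SOAP/SAML traffic.
function checkXmlSafe(xml) {
  if (DOCTYPE.test(xml)) return { ok: false, reason: 'DTD (DOCTYPE) not allowed' };
  if (ENTITY.test(xml)) return { ok: false, reason: 'entity declaration not allowed' };
  return { ok: true, reason: null };
}

function checkXmlBytes(buf) {
  return checkXmlSafe(decodeXml(buf));
}

// Constructed samples (hypothetical service and payloads).
const CLEAN_SOAP = `<?xml version="1.0"?>
<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
  <soap:Body><getBalance><account>42</account></getBalance></soap:Body>
</soap:Envelope>`;

// Classic XXE: a resolving parser replaces &xxe; with the contents of a local file.
const XXE = `<?xml version="1.0"?>
<!DOCTYPE foo [ <!ENTITY xxe SYSTEM "file:///etc/passwd"> ]>
<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
  <soap:Body><getBalance><account>&xxe;</account></getBalance></soap:Body>
</soap:Envelope>`;

// Entity-expansion DoS ("billion laughs"): each level multiplies the previous one.
const BILLION_LAUGHS = `<?xml version="1.0"?>
<!DOCTYPE lolz [
  <!ENTITY lol "lol">
  <!ENTITY lol1 "&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;">
  <!ENTITY lol2 "&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;">
]>
<lolz>&lol2;</lolz>`;

function demo() {
  return {
    clean: checkXmlSafe(CLEAN_SOAP).ok,
    xxe: checkXmlSafe(XXE).ok,
    laughs: checkXmlSafe(BILLION_LAUGHS).ok,
    // The same XXE payload sent as UTF-16LE with a BOM, which a client may do legitimately.
    xxeUtf16: checkXmlBytes(Buffer.from('\ufeff' + XXE, 'utf16le')).ok,
  };
}

console.log(demo());
```

This check complements, rather than replaces, disabling DTD and external entity resolution in the parser itself, and it does nothing against the signature wrapping and XML Encryption attacks that the training also covers; those need checks on which signed element is actually consumed and on the cipher modes accepted.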

 Training attendees

The training is dedicated to two groups:

– First, developers who implement XML, Web Services and Single Sign-On in their applications. They learn the dangers that come with the use of these standards and how to prevent the resulting attacks. In addition, they learn how to automatically test their newly developed applications for the discussed vulnerabilities.

– Second, security researchers and penetration testers who want to get familiar with XML, Web Services and Single Sign-On. In this course, you will get a good overview of the most relevant technologies in this complex area, which will give you the opportunity to execute your first XML-specific evaluations.

There are no specific prerequisites for this course. However, basic knowledge of tools like SoapUI or Burp Suite, or some familiarity with Web Services or SSO technologies, would be an advantage.

Contents

The course will cover the following topics. In each topic, the attendees will get the opportunity to carry out practical evaluations using SoapUI, WS-Attacker, Burp Suite or another application:

  • XML and SOAP-based Web Services
  • XML Schema and WS-Policy
  • WS-Addressing and WS-Addressing Spoofing
  • XML parsing
  • DTD and XML External Entity (XXE) attacks
  • XSLT and XInclude attacks
  • XML-specific Denial-of-Service attacks
  • XML Security and WS-Security
  • XML Signature
  • XML Encryption and applied crypto attacks
  • WS-Attacker
  • SAML-based Single Sign-On
  • OAuth
  • REST-based Web Services
  • Converting SOAP to REST: security dangers
Requirements

– A laptop with a recent version of VirtualBox (the virtual machine will be provided). VMware and other virtualization software should also work but cannot be supported.

– Proposed max number of participants: 15

– Duration: 2 days


Trainer

Christian Mainka

Security Consultant, Horst Görtz Institute for IT Security, Chair for Network and Data Security, Ruhr-University Bochum
Christian Mainka is a Security Researcher at the Ruhr University Bochum, Chair for Network and Data Security. Since 2009 he has focused on XML and Web Services technologies, develops his penetration testing tool WS-Attacker and has published several papers in the field of XML security...

Juraj Somorovsky

Security Consultant, Ruhr-University Bochum
Juraj Somorovsky finished his PhD in the area of XML Security in 2013. In his thesis "On the Insecurity of XML Security" he analyzes various attacks on Web Services and presents practical countermeasures against these attacks, which were applied in XML Security specifications...

Tuesday June 28, 2016 09:00 - 17:00
Bramante 12

09:00

Day 2/2 - Assessing and Securing MEAN (MongoDB, Express.js, Angular.js, and Node.js)
MEAN is a free and open-source JavaScript software stack for building dynamic web sites and web applications, and it has gained momentum in recent years: 
- MongoDB, a NoSQL document database 
- Express.js, a web application framework that runs on Node.js 
- AngularJS, a client-side JavaScript MVC framework developed by Google that runs in the browser's JavaScript engine 
- Node.js, an execution environment for event-driven server-side and networking applications 
Every developer has heard of it, and many organisations are moving their production applications to the MEAN stack. 

This two-day training will teach you how web application vulnerabilities change in the MEAN stack. We are going to explore these technologies and talk about the main issues you can encounter while either assessing or writing MEAN applications: 
1) Security fundamentals and implications of using MongoDB, Express.js, Angular.js and Node.js 
2) OWASP Top 10 in MEAN 
3) Typical exploitation of MEAN and how to stop these attacks 
- NoSQL injections 
- Server-side JavaScript injections 

This course will be 50% hands-on using: 
- Secure Code Warrior (https://www.securecodewarrior.com), a platform where software developers use hands-on learning to build secure-coding skills and are benchmarked against their peers. A month of full access to the SCW platform is included in the training. 
- OWASP NodeGoat (https://www.owasp.org/index.php/OWASP_Node_js_Goat_Project) 

Trainer

Jaap Karan

Chief Singh, Secure Code Warrior
Jaap is a coder, hacker and Chief Singh at Secure Code Warrior in Australia. After having done security testing at BAE Systems in Australia, he moved back to building great things instead of breaking them. He is one of the brains behind the Secure Code Warrior platform, mainly focussing...

Tuesday June 28, 2016 09:00 - 17:00
Bramante 14

09:00

Day 2/2 - Hands on Web App Testing with Python
Hands on Web App Testing with Python is a two-day training class that provides students with basic, intermediate, and advanced Python scripting essentials for website security testing and exploitation. The class will prepare students to write their own Python tools to aid in performing web application testing against commonly found vulnerabilities.

Class Requirements: Students must come to class prepared with the following:
1. Laptop with at least 8 GB of RAM and a quad-core processor
2. Virtualization platform (a VirtualBox and VMware image of the Vulnerable Web App VM will be made available 1 month before the class)
3. A Kali Linux VM with Python 2.7 or Python 3 configured and installed (all scripts will be developed in Kali to attack the VM)
4. The custom vulnerable virtual machine image loaded and ready to go BEFORE the class starts (a download link will be provided 1 month before the class)
5. Additional Python libraries to be determined as necessary and communicated before the class (these must be installed b

Trainer

Michael Born

Senior Security Consultant, Threat Services, NTT Security (US), Inc.
I enjoy breaking into things more than defending, I love Python, can tolerate Ruby, and am always trying to improve at C and Assembly. My current security testing focus is network penetration testing, application penetration testing, mobile application penetration testing, and social...

Fred Donovan

Application Security Architect
Enjoy discussions on "hacking back". Friend and brother to many.

Tuesday June 28, 2016 09:00 - 17:00
Bramante 10

09:00

Day 2/2 - OWASP Application Security Verification Standard 3.0 Developer and QA
In 2015, OWASP released the Application Security Verification Standard 3.0. Andrew van der Stock and Daniel Cuthbert, ASVS Project Leads and noted presenters and trainers, will take developers and testers through all Level 1 and a few key Level 2 controls, with live labs using OWASP Security Shepherd to demonstrate the issues, and working on code fixes to resolve those issues. This training is suitable for all developers, quality assurance, code reviewers, and penetration testers, but a distinct focus will be on code security and how to build secure applications using the ASVS in real world scenarios.

Trainer

Andrew van der Stock

Andrew van der Stock is a long time OWASP contributor, project leader, and Global Board Member. Some of his projects include the OWASP Developer Guide 2.0, OWASP Top 10 2007, OWASP Application Security Verification Project 2.0 and 3.0, and ESAPI for PHP. He specialises in agile secure...

Tuesday June 28, 2016 09:00 - 17:00
Bramante 11

09:00

Day 2/3 - Droid-Sec Exploitation
The Droid-Sec Exploitation workshop will enable attendees to master various Android application penetration testing techniques and exploitation methods. The workshop focuses on practical hands-on exercises on several dedicated vulnerable apps, with the basic theory explained before each do-it-yourself, mind-bending exercise.

Trainer

Gordon Gonsalves

Gordon Gonsalves is a Certified Ethical Hacker and Certified Security Analyst from EC-Council and a Microsoft Certified Technology Specialist. He has more than 10 years' experience in IT, network and application security testing and has been a speaker and trainer...

Blessen Thomas

Senior Security Consultant
Blessen Thomas (@pentagramz) is an Independent Security Researcher & Senior Security Consultant & delivers Web Application Penetration Test, Smart Watch Wearable Application Penetration Testing, Mobile Penetration Test (iOS, Android, Windows platform), Vulnerability Assessment...

Tuesday June 28, 2016 09:00 - 17:00
Bramante 07

09:00

Day 2/3 - Exploiting Websites by using offensive HTML, SVG, CSS and other Browser-Evil
More and more web applications delegate business logic to the client. HTML.next, JavaScript, SVG, Canvas, ECMAScript 7/ES2016, AngularJS and ReactJS are just some of the terms that describe the contents of the modern web stack. But what does the attack surface look like for those? What if there are no GET parameters anymore that our scanners can tamper with? What can we do when the server just delivers raw data and the rest is done by the browser? Classic web pentests are "so nineties" in this realm, and keeping pace with progress is getting harder and harder.

But there is hope. The focus of this workshop is on the offensive and dangerous parts of HTML, JavaScript and related technologies, the nasty and undocumented stuff, dozens of new attack techniques straight from the laboratory of horrors of those maintaining the HTML5 Security Cheatsheet. We’ll learn how to attack any web-application with either unknown legacy features – or the half-baked results coming to your browser from the labs of W3C, WHATWG and the ES2016 mailing lists. Whether you want to attack modern web applications or shiny browser extensions and Chrome Packaged Apps – we have that covered.

Whoever works with or against the security of modern web applications will enjoy and benefit from this workshop. A bit of knowledge on HTML and JavaScript is required, but rookies and rocket scientists will be satisfied equally.

HTML is a living standard, and so is this workshop. The course material will be provided on-site and via access to a private GitHub repository, so all attendees will receive updated material even months after the actual training. All attendees are granted perpetual access to updated slides and material.

Speakers

Mario Heiderich (Keynote Speaker)

Founder, Cure 53
Dr.-Ing. Mario Heiderich, handsome heart-breaker, bon-vivant and (as he loves to call himself) "security researcher" is from Berlin, likes everything between lesser- and greater-than and leads a small yet exquisite pen-test company. He commonly pesters peaceful attendees on various...



Tuesday June 28, 2016 09:00 - 17:00
Bramante 04

09:00

Day 2/3 - OWASP Top 10: Exploitation and Effective Safeguards
The OWASP Top 10 web application vulnerabilities list has done a great job promoting awareness among developers. Together with the many OWASP cheat sheets, it provides valuable tools and techniques to web developers. But such a large body of information can be overwhelming for a programmer who wants to learn about security. This course aims to give web developers deep, hands-on knowledge of the subject. To achieve this goal, participants will first learn the technical details of each OWASP Top 10 vulnerability. Then the instructor will give demos of how attacks are performed against each of them. After that, participants will use virtual machines and follow step-by-step procedures to launch attacks against a vulnerable web site. This step is key to understanding how exploitation works so that they can later implement effective safeguards in their systems. Our experience is that participants who have had hands-on experience exploiting vulnerabilities will always remember how to prevent them. Topics such as SSL Certificates, Password Management, the OWASP Top 10 web application vulnerabilities, SQL Injection Attacks, Broken Authentication and Session Management, Cross-Site Scripting (XSS), Insecure Direct Object References, Cross-Site Request Forgery (CSRF), Web Application Firewalls (WAF), Using a Vulnerability Scanner, Effective Code Review Techniques, Sniffing Encrypted Traffic, Online Password Guessing Attacks and Account Harvesting will all be covered in this class.

Trainer

David Caissy

Penetration Tester, Bank of Canada
David Caissy is a web application penetration tester with in-depth developer and IT Security background spanning over 17 years. He has extensive experience in conducting vulnerability assessments and penetration tests as well as providing training globally, amongst numerous other...

Tuesday June 28, 2016 09:00 - 17:00
Bramante 05
 
Wednesday, June 29
 

09:00

Day 1/1 - Bootstrap and improve your SDLC with OpenSAMM
Building security into the software development and management practices of a company can be a daunting task. OWASP OpenSAMM gives you a structured and measurable framework to do just that. The goal of this one-day training, which is conceived as a mix of training and workshop, is for the participants to get a more in-depth view of, and a practical feeling for, the OpenSAMM model. The training has run successfully for several years now.

The training is set up in three parts. In the first part, an overview of the OpenSAMM model is presented and the similarities and differences with other similar models are explained. This will incorporate the updates of the soon-to-be-published v1.1 of the model. Next, approximately half a day will be spent on doing an actual OpenSAMM evaluation of your own organisation (or one that you have worked for). In the same effort, we will define a target model for your organisation and identify the most important challenges in getting there. The final part of the training will be dedicated to specific questions or challenges that you are facing with regard to secure development in your organisation.

In case you haven't started a secure software initiative in your organisation yet, this training should provide you with the necessary foundations and ideas to do so. Be prepared for a highly effective and applicable treatment of this large domain!

Trainer

Bart De Win

Bart De Win has over 15 years of experience in software security. He has an extensive background in the field, including his Ph.D. and research work on methods and techniques for software protection. Since 2009, Bart has been responsible for all application security services within...

Wednesday June 29, 2016 09:00 - 17:00
Bramante 08

09:00

Day 1/1 - Defensive Programming for JavaScript & HTML5

This one-day course helps web front-end developers understand the risks involved with manipulating JavaScript and HTML5 and apply defensive programming techniques in both languages.

Some of the topics covered include, but are not limited to, important security aspects of modern browser architecture (Document Object Model and Same Origin Policy), common web vulnerabilities, like XSS, CSRF, DOM manipulation, and new HTML5 technologies, like sandboxing iframes, Cross-origin Resource Sharing, Content Security Policy, Web Messaging, Web Storage, and specifics of using JSON.

The JavaScript section covers vulnerabilities in Node.js, Express.js and AngularJS.

This course is structured into modules and includes exploitation and remediation exercises. The high-level topics for this course are:

  • The HTML5 and JavaScript Risk Landscape
  • Storage of Sensitive Data
  • Secure Cross-domain Communications (CORS, web messaging)
  • Protecting from Cross-site Scripting (CSP, JavaScript Execution Contexts, Output Encoding)
  • Implementing Secure Dataflow
  • Securing AJAX Requests and JSON Data
  • Securing Server-side JavaScript (Node.js and Express.js)
  • Securing Client-side JavaScript (AngularJS)

Objectives:

After completing this course, students will be able to:

  • Apply HTML5 Defensive Programming Techniques
  • Apply JavaScript Defensive Programming Techniques
  • Apply JSON Defensive Programming Techniques

Labs and Demonstrations:

If students bring their own laptops with internet connectivity, they will be able to access online virtual machines with labs. In the lab sessions students will learn to fix issues related to localStorage, web messaging, the sandbox attribute for iframes, CORS, CSP, parsing JSON data, JavaScript injection, and DOM-based cross-site scripting. The course also includes several interactive demonstrations showing how to tamper with client-side data, evade client-side filters, and work with Firebug. The labs are not compulsory, but they are strongly recommended to get the full value of the course.

Video about the training: https://www.youtube.com/watch?v=p0LxLUMXntc  


Trainer

Ksenia Dmitrieva

Associate Principal Consultant, Cigital
Ksenia Dmitrieva is an Associate Principal Consultant at Cigital with over six years of experience in securing web applications and five years of development experience. She performs penetration testing and code review for clients in financial services, entertainment, telecommunications...

Wednesday June 29, 2016 09:00 - 17:00
Bramante 14

09:00

Day 1/1 - Hacking and Securing iOS Applications
"Hacking and Securing iOS Applications" is a one-day course focused on learning how to successfully perform a security assessment of modern and complex iOS applications and provide appropriate remediations for all the vulnerabilities found. This highly practical course is designed around the security issues that the trainers have often observed during their application security assessments. This up-to-date training will also be very useful for iOS developers who want to know the security best practices that are mandatory to build an application able to face modern threats. Attendees will get familiar with the following topics during the class (mostly based on the OWASP Top Ten):
  • A thorough overview of the iOS security model, updated to iOS 9;
  • How to set up a lab with all the tools needed to successfully perform iOS security assessments;
  • Checking for local storage vulnerabilities and learning how to correctly save sensitive files on the device;
  • How to check for and prevent unintended data leakages;
  • How to safely implement SSL pinning and check for the most common SSL vulnerabilities;
  • How to take advantage of some of the most useful security assessment tools through practical examples (Frida, Cycript, Snoop-it, idb, etc.);
  • How to obfuscate iOS code and implement appropriate checks to detect jailbroken devices;
  • How to reverse engineer iOS applications and acquire knowledge about the inner details of the target application.

Trainer

Simone Bovi

Security Consultant, Minded Security
Simone Bovi is a Security Consultant at Minded Security, where he delivers web application penetration tests, mobile penetration tests (iOS and Android platforms), vulnerability assessments and network penetration tests for several enterprise companies and financial institutions. He holds...

Davide Danelon

Senior Security Consultant, Minded Security
Davide Danelon is a Senior Security Consultant at Minded Security, where he delivers security assessments and penetration tests of web and mobile applications. He also delivers courses about application security. Prior to joining Minded Security, Davide was an Analyst at Deloitte Enterprise...

Wednesday June 29, 2016 09:00 - 17:00
Bramante 11

09:00

Day 1/1 - How to FIDO-enable your web-application for Strong-Authentication
Authenticating users with a user ID and password is simple, easy and well understood. It is also notoriously vulnerable to attack. Most authentication schemes in use today, such as passwords, OTP, KBA and biometrics, have a fundamental flaw in their paradigm: shared secrets. As long as the user and the server share a secret to authenticate the user, the user and the application are vulnerable to password breaches and phishing attacks. The FIDO Alliance - a consortium of 250 companies worldwide - has been attempting to address the password problem for the last two years and has created the Universal 2nd Factor (U2F) protocol. Specifically designed for human authentication to web applications, its goals were to eliminate password-based authentication and phishing attacks by using asymmetric-key cryptography coupled with hardware-based authenticators simple enough for consumers to use. A web application taking advantage of the U2F protocol and its Authenticators/Servers can protect itself from the attacks mentioned above. This training session will cover the following:
  • An overview of the FIDO Alliance, its mission and protocols;
  • The differences between the U2F, UAF and FIDO 2.0 protocols; 
  • The differences between FIDO and PKI; 
  • An in-depth presentation of the FIDO U2F protocol and its mechanics; 
  • A step-by-step tutorial on how to FIDO-enable a simple web-application using the simplest of the three protocols: U2F; 
  • A discussion of issues related to FIDO-enablement: application design, performance, security, supporting users without FIDO Authenticators, dealing with lost/stolen Authenticators, etc.
All attendees of this session will be given a FIDO Certified U2F Authenticator as part of the training session. The course will be based on the use of a FIDO Certified open-source U2F server, and other open-source tools.

Some FIDO related information from the author of this training:
https://alesa.website/ 
https://www.linkedin.com/pulse/all-biometric-authentication-equal-arshad-noor 

Trainer

Arshad Noor

CTO, StrongAuth, Inc.
Arshad Noor is CTO of StrongAuth, Inc., a Silicon Valley company that has been building open-source data-protection solutions for 14 years. With over 29 years in the IT industry, he has developed applications, managed systems and defined architecture for some of the world's largest...

Wednesday June 29, 2016 09:00 - 17:00
Bramante 10

09:00

Day 2/2 - Hands-on Threat Modeling

Threat modeling is the primary security analysis task performed during the software design stage. Threat modeling is a structured activity for identifying and evaluating application threats and vulnerabilities. The security objectives, threats, and attacks modeling activities during the threat modeling are designed to help you find vulnerabilities in your application and the supporting architecture. You can use the identified vulnerabilities to help shape your design and direct and scope your security testing.

Threat modeling allows you to consider, document, and discuss the security implications of designs in the context of their planned operational environment and in a structured fashion. It also allows consideration of security issues at the component or application level. The threat modeling course will teach you to perform threat modeling through a series of workshops, where our trainer will guide you through the different stages of a practical threat model.

This course is aimed at software developers, architects, system managers and security professionals. Before attending this course, students should have a basic knowledge of web and mobile applications, databases and Single Sign-On (SSO) principles. Students should bring their own laptop to the course.

 
Course topics  
Threat modeling introduction
  • Threat modeling in a secure development lifecycle
  • What is threat modeling?
  • Why perform threat modeling?
  • Threat modeling stages
  • Diagrams
  • Identify threats
  • Addressing threats
  • Document a threat model


Diagrams – what are you building?

  • Understanding context
  • Doomsday scenarios
  • Data flow diagrams
  • Trust Boundaries
  • Hands-on: diagram B2B web and mobile applications, sharing the same REST backend


Identifying threats – what can go wrong?

  • STRIDE introduction
  • Spoofing threats
  • Tampering threats
  • Repudiation threats
  • Information disclosure threats
  • Denial of service threats
  • Elevation of privilege threats
  • Privacy threats
  • Attack trees
  • Hands-on: STRIDE analysis of an Internet of Things (IoT) deployment with an on-premises gateway and a secure update service

Addressing each threat

  • Mitigation patterns
  • Authentication: mitigating spoofing
  • Integrity: mitigating tampering
  • Non-repudiation: mitigating repudiation
  • Confidentiality: mitigating information disclosure
  • Availability: mitigating denial of service
  • Authorization: mitigating elevation of privilege
  • Mitigating privacy threats
  • Hands-on: threat mitigations for OAuth scenarios in web and mobile applications


Practical threat modeling

  • Strategies for risk management
  • Selecting mitigations
  • Threat ranking
  • Risk acceptance
  • Validating threat mitigations


Threat modeling tools

  • General tools
  • Open-Source tools
  • Commercial tools


Attack libraries

  • Libraries and checklists
  • CAPEC
  • OWASP Top 10
  • Building your own library


Examination

  • Hands-on examination 
  • Grading and certification
 

Student package

Students receive the following package as part of the course:

  • A hard copy of the book "Threat Modeling: Designing for Security" by Adam Shostack (2014, Wiley)
  • Hand-outs of the presentations
  • Worksheets for the use cases
  • Detailed solution descriptions for the use cases
  • A template to document a threat model
  • A template to calculate risk levels of identified threats
  • Certificate: following a successful exam (passing grade set at 70%), the student will receive a certificate of successful completion of the course

Trainer

Sebastien Deleersnyder

Managing partner Application Security, Toreon
Seba is co-founder and CEO of Toreon and a proponent of application security as a holistic endeavor. He started the Belgian OWASP chapter, was a member of the OWASP Foundation Board and has given several public presentations on application security. Seba also co-founded the yearly security...

Wednesday June 29, 2016 09:00 - 17:00
Bramante 09

09:00

Day 2/2 - Web Service and Single Sign-On Security
Web Services and Single Sign-On are among the most important Internet technologies. However, in recent years it has been shown that these technologies allow for serious attacks. The attacks take advantage of the complexity of XML and make it possible to read data from secured servers, authenticate as an arbitrary user in Single Sign-On scenarios, or decrypt confidential data. In this training, we will give an overview of the most important Web Service and Single Sign-On specific attacks. Participants will get the opportunity to carry out these attacks in a prepared virtual machine. The attacks will first be tested manually (e.g., with soapUI) in order to get a feeling for them. Subsequently, we will present our penetration testing tool WS-Attacker, which will be used to execute the presented attacks automatically. For each of the attacks, countermeasures will be discussed, and it will be shown how to deploy them on widely used systems and firewalls, including IBM DataPower and Axway.

Trainer

Christian Mainka

Security Consultant, Horst Görtz Institute for IT Security, Chair for Network and Data Security, Ruhr-University Bochum
Christian Mainka is a Security Researcher at the Ruhr University Bochum, Chair for Network and Data Security. Since 2009 he has focused on XML and Web Services technologies; he develops the penetration testing tool WS-Attacker and has published several papers in the field of XML security...

Juraj Somorovsky

Security Consultant, Ruhr-University Bochum
Juraj Somorovsky finished his PhD in the area of XML Security in 2013. In his thesis "On the Insecurity of XML Security" he analyzes various attacks on Web Services and presents practical countermeasures against these attacks, which were applied in XML Security specifications...

Wednesday June 29, 2016 09:00 - 17:00
Bramante 12

09:00

Day 3/3 - Droid-Sec Exploitation
This is a 3-day training course.

The Droid-Sec Exploitation workshop will enable attendees to master various Android application penetration testing techniques and exploitation methods. The workshop focuses on practical hands-on exercises on several dedicated vulnerable apps, with the basic theory explained prior to each Do-It-Yourself, mind-bending exercise.

Trainer

Gordon Gonsalves

Gordon Gonsalves is a Certified Ethical Hacker and Certified Security Analyst from EC-Council and a Microsoft Certified Technology Specialist. He has more than 10 years' experience in IT, network and application security testing and has been a speaker and trainer...

Blessen Thomas

Senior Security Consultant
Blessen Thomas (@pentagramz) is an Independent Security Researcher and Senior Security Consultant who delivers web application penetration tests, smart watch and wearable application penetration tests, mobile penetration tests (iOS, Android and Windows platforms), vulnerability assessments...

Wednesday June 29, 2016 09:00 - 17:00
Bramante 07

09:00

Day 3/3 - Exploiting Websites by using offensive HTML, SVG, CSS and other Browser-Evil
This is a 3-day training course.

More and more web applications delegate business logic to the client. HTML.next, JavaScript, SVG, Canvas, ECMAScript 7/ES2016, AngularJS and ReactJS are just some of the terms that describe the contents of the modern web stack. But what does the attack surface look like for those? What if there are no GET parameters anymore that our scanner can tamper with? What can we do when the server just delivers raw data and the rest is done by the browser? Classic web pentests are "so nineties" in this realm. And keeping pace with progress is getting harder and harder.

But there is hope. The focus of this workshop is on the offensive and dangerous parts of HTML, JavaScript and related technologies, the nasty and undocumented stuff, dozens of new attack techniques straight from the laboratory of horrors of those maintaining the HTML5 Security Cheatsheet. We’ll learn how to attack any web-application with either unknown legacy features – or the half-baked results coming to your browser from the labs of W3C, WHATWG and the ES2016 mailing lists. Whether you want to attack modern web applications or shiny browser extensions and Chrome Packaged Apps – we have that covered.

Whoever works with or against the security of modern web applications will enjoy and benefit from this workshop. A bit of knowledge on HTML and JavaScript is required, but rookies and rocket scientists will be satisfied equally.

HTML is a living standard. And so is this workshop. The course material will be provided on-site and via access to a private GitHub repository, so all attendees will receive updated material even months after the actual training. All attendees are granted perpetual access to updated slides and material.

Speakers

Mario Heiderich (Keynote Speaker)

Founder, Cure 53
Dr.-Ing. Mario Heiderich, handsome heart-breaker, bon-vivant and (as he loves to call himself) "security researcher", is from Berlin, likes everything between lesser-than and greater-than and leads a small yet exquisite pen-test company. He commonly pesters peaceful attendees on various...



Wednesday June 29, 2016 09:00 - 17:00
Bramante 04

09:00

Day 3/3 - OWASP Top 10: Exploitation and Effective Safeguards

Trainer

David Caissy

Penetration Tester, Bank of Canada

Wednesday June 29, 2016 09:00 - 17:00
Bramante 05