About this Event
The OWASP Foundation brings the AppSec community a fantastic set of live, virtual training offerings.
We are hosting 2-day training courses beginning Tuesday, June 6, 2023 and ending Wednesday, June 7, 2023.
Some courses are four (4) hours per day and others are eight (8) hours per day. Please be sure to read the ticket description and the items below carefully before purchasing your ticket. Trainings begin at 9:00 am EDT (Eastern Daylight Time) and will wrap up at either 1:00 pm EDT or 5:00 pm EDT.
For a complete list and description of each training, please click the green "Tickets" button above and below. If you would like to see a more detailed outline of trainings or a bio of the trainer, please email [email protected]
Course 1: Application Security Awareness and Security Requirements with the OWASP ASVS (Two 4-hour days)
Trainer: Josh Grossman, Bounce Security
Dates/Times / Audience Level: June 6-7, 2023 9:00am - 1:00pm EDT / All
This training course is designed to provide you with an overview of how to design secure software, including the mindset and approach for balancing the needs of security with practicality.
You will go beyond the standard OWASP Top 10 to discuss a wider range of issues, using the comprehensive OWASP Application Security Verification Standard (ASVS) as a baseline to understand the requirements for secure software over the key areas defined in the ASVS. For each area, there is a table-top style exercise where you attempt to secure a sample application from a set of related attacks.
You will also learn how the ASVS can be customized to best suit your use case, and you will cover not only theoretical solutions but also the practical options that are common in the industry for providing software security mechanisms.
This course is aimed at people in Product Management, Application Architecture, or general Software Engineering roles. Attendees should be familiar with general software development practices and software architecture.
Course 2: Candies for developers: Tips for effective secure software development based on the OWASP Top 10 (Two 4-hour days)
Trainer: Vasilis Skourtis, HEDNO
Dates/Times / Audience Level: June 6-7, 2023 9:00am - 1:00pm EDT / All
Inspired by Pareto's principle (the 80/20 rule), this workshop trains developers' eyes to catch early the 20% of cases that produce 80% of the vulnerabilities.
A web application written in Java will be given to the participants, who will need to implement some deliberately empty code sections.
Then the application will be analyzed against the OWASP Top 10 vulnerabilities, the corresponding attacks will be performed, and effective ways to avoid them will be presented.
Course 3: Hands-on AWS Serverless Security Workshop (Two 4-hour days)
Trainer: Miguel Calles, author of the Serverless Security book
Dates/Times / Audience Level: June 6-7, 2023 9:00am - 1:00pm EDT / Beginner
This training will provide hands-on serverless security experience. Attendees will create a serverless website, API and backend. Practical security measures will be implemented, e.g., authentication, authorization, and the principle of least privilege.
Course 4: Angular Web Application Security Training (Two 4-hour days)
Trainer: Sara Mourad, Worldline
Dates/Times / Audience Level: June 6-7, 2023 9:00am - 1:00pm EDT / Beginner
Learn how to prevent the common threats from the OWASP Top 10 in your Angular web application.
For each threat you will get an overview of how it can be detected and which protections to implement.
The training has dynamic activities and practical exercises which will help you understand the security practices very quickly.
Course 5: Securing your applications in AWS (Two 4-hour days)
Trainer: Dr. Konstantinos Papapanagiotou, Styx Cyber Security Services
Dates/Times / Audience Level: June 6-7, 2023 9:00am - 1:00pm EDT / All
This training provides a thorough introduction to AWS security. You will learn everything you need to do in order to create a secure environment in the cloud and safely deploy your applications there. At the same time you will have the chance to discuss real-life scenarios.
In detail, we will explain how you should architect your VPCs in AWS, leveraging the tools that Amazon offers. You will understand how Identity and Access Management works in AWS so that you can onboard your users and control access to your resources and data. We will focus heavily on data protection and present the different options provided for encrypting data at rest. Additionally, we will show how you can keep audit logs of security and compliance-related events, as well as monitor your environments for security incidents.
By the end of this course you will have a very good understanding of what you need to do in order to create a secure architecture in AWS. You will become familiar with all the cloud security-related tools that Amazon provides and learn how to best use them in order to improve your security posture in the cloud.
Course 6: iOS App Security Made Easy: From Threat Modeling to Attack Prevention (Two 4-hour days)
Trainer: Sven Schleier, WithSecure
Dates/Times / Audience Level: June 6-7, 2023 9:00am - 1:00pm EDT / Beginner
If you have just entered the domain of mobile security, or always wanted to but didn't know where to start, this workshop is ideal for you. We will answer the following questions:
- How can I become more secure by design?
- How can I be better prepared against attackers (and survive the next penetration test)?
- What are hackers doing to attack my app?
The workshop is split into 2 x 4-hour sessions. In the first 4-hour session, Sven will show you how to spot common vulnerabilities in your (Swift) code and, more importantly, how to introduce continuous security checks into your build pipeline to "shift left" and make security a cornerstone of your development. Students need to fork a GitHub repo; the training is based on GitHub Actions and covers the following topics:
- Basics of Threat Modeling
- Analyzing the iOS App Sandbox for sensitive data
- Scanning for secrets in source code
- Static Scanning of Swift source code
- Software Composition Analysis (SCA) - Scanning of open source libraries
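As an added example of the "scanning for secrets in source code" check listed above (written for this page, not code from the course or from OWASP), here is a small Python scanner of the kind a pre-merge pipeline job runs over a checkout. The rules, thresholds and the Swift snippet it scans are constructed for illustration; a real job would run a maintained tool such as gitleaks, but the two strategies combined here, fixed-shape patterns for well-known key formats and an entropy check on values assigned to secret-looking identifiers, are the core of what those tools do.

```python
"""Minimal secret scanner for a CI job (added example; not code from the
course or from OWASP). Rules, thresholds and sample input are constructed."""
import math
import re
from collections import Counter
from dataclasses import dataclass

# Fixed-shape rules for well-known credential formats. These are specific
# enough that a match is a finding on its own.
PATTERN_RULES = [
    ("aws-access-key-id", re.compile(r"\b(AKIA|ASIA)[0-9A-Z]{16}\b")),
    ("private-key-block", re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----")),
    ("github-token", re.compile(r"\bgh[pousr]_[A-Za-z0-9]{36,}\b")),
]

# Generic shape: a quoted value assigned to a secret-looking identifier. Too
# broad on its own, so it is only reported when the value is high-entropy
# and not a known placeholder.
ASSIGNMENT_RE = re.compile(
    r"""(?i)\b\w*?(?:api[_-]?key|secret|token|password|passwd)\w*\s*[:=]\s*["']([^"']{8,})["']"""
)
PLACEHOLDERS = {"changeme", "replace_me", "your_api_key", "xxxxxxxx", "<redacted>"}
ENTROPY_THRESHOLD = 3.5   # bits/char; random hex or base64 scores well above this


@dataclass(frozen=True)
class Finding:
    line_no: int
    rule: str
    snippet: str           # the offending line with the matched value masked


def shannon_entropy(s: str) -> float:
    """Bits per character of s; 0.0 for a single repeated character."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def _mask(line: str, start: int, end: int) -> str:
    # Never echo the secret itself into the CI log.
    return (line[:start] + "***" + line[end:]).strip()


def scan_lines(lines) -> list:
    findings = []
    for no, line in enumerate(lines, start=1):
        for rule, rx in PATTERN_RULES:
            m = rx.search(line)
            if m:
                findings.append(Finding(no, rule, _mask(line, m.start(), m.end())))
        m = ASSIGNMENT_RE.search(line)
        if m:
            value = m.group(1)
            if value.lower() in PLACEHOLDERS:
                continue
            if shannon_entropy(value) >= ENTROPY_THRESHOLD:
                findings.append(Finding(no, "high-entropy-assignment",
                                        _mask(line, m.start(1), m.end(1))))
    return findings


def scan_source(text: str) -> list:
    return scan_lines(text.splitlines())


# Constructed Swift snippet: one placeholder, one well-known key shape
# (AWS's documented example key ID), one random-looking token, one harmless string.
SAMPLE_SWIFT = """\
import Foundation

struct Config {
    static let apiKey = "REPLACE_ME"
    static let awsKey = "AKIAIOSFODNN7EXAMPLE"
    static let sessionToken = "q7Xp2Lz9vBk4NmR8sT1wYhJ3dF6gKa5e"
    static let greeting = "hello world, welcome"
}
"""

if __name__ == "__main__":
    for f in scan_source(SAMPLE_SWIFT):
        print(f"line {f.line_no}: {f.rule}: {f.snippet}")
    # A pipeline job would exit non-zero whenever findings is non-empty.
```

Two details matter in practice: the placeholder allowlist keeps the job from failing on template values that are meant to be committed, and the masking keeps the job from copying the credential it just found into build logs that are often far more widely readable than the repository.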
In the second 4-hour session, Sven will show you how your app might be attacked, including how various reverse engineering controls are implemented and how attackers try to bypass them. This session will be delivered using Corellium, so every student will have their own jailbroken iOS instance:
- Dynamic Instrumentation 101 - Frida, a tool used by attackers to reverse engineer iOS apps
- Intercepting network traffic of iOS apps (Man-in-the-middle Attacks)
- App Transport Security (ATS)
- Implementing and bypassing Certificate / Public Key Pinning
- Biometric Authentication - How to bypass Face ID by using Frida and how to make biometric authentication on iOS robust
- Reverse engineering controls explained in detail, like bypassing Jailbreak detection or effectiveness of Code Obfuscation
- Capture-the-Flag (CTF)
- Show your new skills and be the first to find a vulnerability in an iOS App and win a prize!
The course is hands-on, with labs developed by the instructor. You can explore and redo the labs after the training at your own pace, as all the information needed is shared with the students.
After successful completion of this course, students will have a better understanding of the effectiveness of reverse engineering controls, how to identify common vulnerabilities in iOS apps, how to mitigate them and how to execute tests in a build pipeline continuously.
The goal of this course is to enable developers to take a proactive approach to identifying vulnerabilities, instead of a reactive one (i.e., after an incident has happened or the latest penetration test report has been shared).
The course is conducted by Sven Schleier, who is one of the project leads and main authors of the OWASP Mobile Application Security Testing Guide (MASTG). The OWASP MASTG is the industry standard for mobile application security testing for both iOS and Android apps and is available as an open source documentation project on GitHub.
Requirements for the training
- A macOS device is NOT needed (labs run in GitHub)
- An iOS device is NOT needed (labs run in Corellium on a virtual jailbroken device)
- GitHub account (a free account is sufficient)
Course 7: Whiteboard hacking – aka hands-on Threat Modeling (Two 8-hour days)
Trainer: Sebastien Deleersnyder, Toreon
Dates/Times / Audience Level: June 6-7, 2023 9:00am - 5:00pm EDT / Beginner
This threat modeling training is based on real-life, hands-on practical threat modeling, and has been delivered every year at OWASP since 2016 and at Black Hat since 2017. Our latest Black Hat training score was 4.7/5, with great feedback.
In this edition we enhanced the sections on privacy by design and compliance, and added a section on threat modeling medical devices. All participants get our Threat Modeling Playbook plus one year of access to our online threat modeling learning platform. As part of this training, you will be asked to create your own threat model, on which you will get individual feedback. One month after the training we organize an online review session with all the participants.
As highly skilled professionals with years of experience under our belts, we’re intimately familiar with the gap between academic knowledge of threat modeling and real-world practice. To minimize that gap, we have developed practical use cases, based on real-life projects. Each use case includes a description of the environment, together with questions and templates to build a threat model.
Using this methodology for the hands-on workshops we provide our students with a challenging training experience and the templates to incorporate threat modeling best practices in their daily work. Students will be challenged in groups of 3 to 4 people to perform the different stages of threat modeling on the following:
Diagramming web and mobile applications, sharing the same REST backend
Threat modeling an IoT gateway with a cloud-based update service
Get into the defender's head - modeling points of attack against a nuclear facility
Threat mitigations of OAuth scenarios for an HR application
Privacy analysis of a new face recognition system in an airport
After each hands-on workshop, the results are discussed and students receive a documented solution. Based on our successful trainings in recent years and the positive feedback, we first released this updated threat modeling training at Global AppSec San Francisco 2022.
Course Outline
Threat modeling introduction
Diagrams – what are you building?
Identifying threats – what can go wrong?
Addressing each threat
Threat modeling and compliance
Penetration testing based on offensive threat models
Advanced threat modeling
Threat modeling resources
Examination
Review session (online session after 1 month)
Course 8: Hacking Android and IoT apps by Example (Two 8-hour days)
Trainer: Abhishek J M, 7ASecurity
Dates/Times / Audience Level: June 6-7, 2023 9:00am - 5:00pm EDT / All
This course is a 100% hands-on deep dive into the OWASP Mobile Security Testing Guide (MSTG, now the MASTG) and relevant items of the OWASP Mobile Application Security Verification Standard (MASVS). This course covers and goes beyond the OWASP Mobile Top Ten.
Learn about Android and IoT app security by improving your mobile security testing kung-fu. Ideal for Penetration Testers, Mobile Developers and everybody interested in mobile app security.
All action, no fluff: improve your security analysis workflow and immediately apply the skills you gain in your workplace. The course is packed with exercises, extra-mile challenges and a CTF; it is self-paced and suitable for all skill levels, with continued education via unlimited email support, lifetime access, step-by-step video recordings and interesting apps to practice on, including all future updates for free.
Get a FREE taste for this training, including access to video recording, slides and vulnerable apps to play with: 4 hour workshop - https://7asecurity.com/free-workshop-mobile-practical
Course 9: Hacking Modern Web apps: Master the Future of Attack Vectors (Two 8-hour days)
Trainer: Anirudh Anand, 7ASecurity
Dates/Times / Audience Level: June 6-7, 2023 9:00am - 5:00pm EDT / All
This course is a 100% hands-on deep dive into the OWASP Web Security Testing Guide (WSTG) and relevant items of the OWASP Application Security Verification Standard (ASVS), so this course covers and goes beyond the OWASP Top Ten.
Long gone are the days when web apps were Perl scripts. What do Walmart, eBay, PayPal, Microsoft, LinkedIn, Google and Netflix have in common? They all use Node.js: JavaScript on the server.
Modern Web apps share traditional attack vectors and also introduce new opportunities to threat actors. This course will teach you how to review modern web apps, showcasing Node.js but using techniques that will also work against any other web app platform. Ideal for Penetration Testers, Web app Developers as well as everybody interested in JavaScript/Node.js and Modern app stack security.
Get a FREE taste for this training, including access to video recording, slides and vulnerable apps to play with:
1 hour workshop - https://7asecurity.com/free-workshop-web-apps
All action, no fluff: improve your security analysis workflow and immediately apply the skills you gain in your workplace. The course is packed with exercises, extra-mile challenges and a CTF; it is self-paced and suitable for all skill levels, with continued education via unlimited email support, lifetime access, step-by-step video recordings and interesting apps to practice on, including all future updates for free.
Course 10: Hacking JavaScript Desktop apps: Master the Future of Attack Vectors (Two 8-hour days)
Trainer: Abraham Aranguren, 7ASecurity
Dates/Times / Audience Level: June 6-7, 2023 9:00am - 5:00pm EDT / All
This course is a 100% hands-on deep dive into the OWASP Web Security Testing Guide (WSTG) and relevant items of the OWASP Application Security Verification Standard (ASVS), so this course covers and goes beyond the OWASP Top Ten.
Long gone are the days when desktop apps were written in Delphi. What do Microsoft Teams, Skype, Bitwarden, Slack and Discord have in common? All of them are built with Electron: JavaScript on the client.
JavaScript Desktop apps share traditional attack vectors and also introduce new opportunities to threat actors. This course will teach you how to review JavaScript desktop apps, showcasing Node.js and Electron but using techniques that will also work against any other desktop app platform. Ideal for Penetration Testers, Desktop app Developers as well as everybody interested in JavaScript/Node.js/Electron app security.
Get a FREE taste for this training, including access to video recording, slides and vulnerable apps to play with:
1.5 hour workshop - https://7asecurity.com/free-workshop-desktop-apps
All action, no fluff: improve your security analysis workflow and immediately apply the skills you gain in your workplace. The course is packed with exercises, extra-mile challenges and a CTF; it is self-paced and suitable for all skill levels, with continued education via unlimited email support, lifetime access, step-by-step video recordings and interesting apps to practice on, including all future updates for free.
Course 11: Deep Dive into Fuzzing (Two 8-hour days)
Trainer: Dhiraj Mishra and Zubin Devnani
Dates/Times / Audience Level: June 6-7, 2023 9:00am - 5:00pm EDT / Intermediate
Fuzzing is a technique for identifying software vulnerabilities by automatically generating malformed or unexpected inputs and feeding them to a program. It has produced immense results and attracted a lot of visibility from security researchers and professionals in the industry. Today fuzzing can be used in various ways and incorporated into your secure SDLC to discover vulnerabilities early and fix them.
Finding vulnerabilities in software requires in-depth knowledge of different technology stacks. Modern software has a huge codebase and may contain vulnerabilities, and manually verifying them is a tedious task that may not be possible in all cases. This training introduces the concepts of fuzzing and vulnerability discovery across multiple platforms, including Linux and Windows, together with triage analysis of the crashes found.
During this training, attendees will practice techniques that provide a comprehensive understanding of the "Crash, Detect & Triage" workflow for fuzzed binaries and software. In "Deep Dive into Fuzzing" we cover a detailed overview of fuzzing and how it can help professionals uncover security vulnerabilities, with a hands-on approach focused on labs.
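As an added illustration of the crash, detect and triage loop described above (written for this page, not material from the trainers), here is a mutation fuzzer in Python run against a constructed record parser with two planted bugs. It has no coverage feedback, which is the main thing real fuzzers such as AFL++ and libFuzzer add, and it runs a Python target rather than a native binary; the point is the shape of the loop: mutate a seed, run the target, treat the parser's own ValueError rejection as expected behaviour, treat anything else as a crash, and bucket crashes by exception type and raise site so that hundreds of crashing inputs collapse into a handful of distinct bugs, each with its smallest reproducer.

```python
"""Tiny mutation fuzzer with crash detection and triage (added example, not
the course's material). The target parser, its planted bugs and the seed
input are constructed; real fuzzers add coverage feedback and run native code."""
import random
import traceback

# The parser's documented rejection path. A clean ValueError is the target
# doing its job, so detection filters it out rather than reporting it.
EXPECTED_REJECTIONS = (ValueError,)


def parse_record(data: bytes) -> dict:
    """Constructed format: b"RC", name length, flags, name bytes, scale byte."""
    if len(data) < 4 or data[:2] != b"RC":
        raise ValueError("bad magic or short header")
    name_len, flags = data[2], data[3]
    # Planted bug 1: the declared length is trusted, never checked against len(data).
    name = bytes(data[4 + i] for i in range(name_len))
    # Planted bug 2: a zero scale byte is accepted and then used as a divisor.
    scale = data[4 + name_len]
    return {"name": name.decode("latin-1"), "flags": flags, "score": 1000 // scale}


SEED = b"RC" + bytes([5, 1]) + b"alice" + bytes([4])   # valid 10-byte record
INTERESTING = [0x00, 0x01, 0x7F, 0x80, 0xFF]           # boundary values fuzzers try first


def mutate(data: bytes, rng: random.Random) -> bytes:
    """One random mutation of the seed: bit flip, boundary value, truncate, or insert."""
    buf = bytearray(data)
    op = rng.randrange(4)
    if op == 0:
        buf[rng.randrange(len(buf))] ^= 1 << rng.randrange(8)
    elif op == 1:
        buf[rng.randrange(len(buf))] = rng.choice(INTERESTING)
    elif op == 2 and len(buf) > 1:
        del buf[rng.randrange(1, len(buf)):]
    else:
        buf.insert(rng.randrange(len(buf) + 1), rng.randrange(256))
    return bytes(buf)


def crash_signature(exc: BaseException) -> tuple:
    """Triage key: exception type plus the innermost frame that raised it."""
    frame = traceback.extract_tb(exc.__traceback__)[-1]
    return (type(exc).__name__, frame.name, frame.lineno)


def fuzz(target, seed: bytes, iterations: int, rng_seed: int = 1) -> dict:
    """Run mutated inputs through target; keep the smallest reproducer per crash bucket."""
    rng = random.Random(rng_seed)
    buckets = {}
    for _ in range(iterations):
        sample = mutate(seed, rng)
        try:
            target(sample)
        except EXPECTED_REJECTIONS:
            continue                      # detect: rejected cleanly, not a crash
        except Exception as exc:          # detect: anything else is a crash
            key = crash_signature(exc)    # triage: bucket by type and location
            if key not in buckets or len(sample) < len(buckets[key]):
                buckets[key] = sample
    return buckets


def reproduce(target, data: bytes) -> str:
    """Re-run one saved input; returns the exception type name or "ok"."""
    try:
        target(data)
        return "ok"
    except Exception as exc:
        return type(exc).__name__


if __name__ == "__main__":
    for key, sample in sorted(fuzz(parse_record, SEED, 2000).items()):
        print(f"{key[0]} in {key[1]} line {key[2]}: {sample!r} -> {reproduce(parse_record, sample)}")
```

Running it yields a few buckets, not two thousand crash files: the IndexError buckets are the missing bounds check (one per raise site), the ZeroDivisionError bucket is the unvalidated divisor, and each bucket's reproducer is the shortest input that reached it. The same bucketing by exception (or signal) plus raise site is what a native-code triage tool does with a crashing PC and stack hash.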
Event Venue
Online
USD 505.00 to USD 1010.00
