Overview of Available Training

The Mobile App Security Boot Camp

by Dominic Chell and Robert Miller

Duration: 2 days

The Mobile App Security Boot Camp is a 2-day training course covering both Android and iOS app security. As a new course for 2014, it provides the most comprehensive and cutting-edge guide to mobile app security currently available, including in-depth coverage of iOS 7.

The course is provided as a partnership between MDSec and MWR InfoSecurity, pioneers in mobile security.

Click here to register for this training course


The Art of Exploiting Injection Flaws

by Sumit Siddharth

Duration: 2 days

OWASP rates injection flaws as the most critical vulnerability in its Top 10 Most Critical Web Application Security Risks (the OWASP Top 10 project).

https://www.owasp.org/index.php/Top_10_2013-A1-Injection

This hands-on session focuses exclusively on injection flaws; attendees will gain an in-depth understanding of the vulnerabilities that arise from them. The topics covered in the class are:

  • SQL Injection
  • XPATH Injection
  • LDAP Injection
  • Hibernate Query Language Injection
  • Direct OS Code Injection
  • XML Entity Injection

During the two-day course, attendees will have access to a number of challenges for each flaw and will learn a variety of exploitation techniques used by attackers in the wild. Identify, extract, escalate, execute: we have it all covered. The objectives of the course are:

  • Understand the problem of injection flaws
  • Learn a variety of advanced exploitation techniques used by hackers
  • Learn how to fix these problems

Click here to register for this training course


WebHacking: Breaking, Building and Defence

by Jim Manico and Eoin Keary

Duration: 1 day

Writing secure code is the most effective way to secure your web applications. Writing secure code takes skill and know-how, but it results in a more stable and robust application and helps protect an organisation's brand.
The class is a combination of lecture, security testing demonstration and code review. Students will learn the most common threats against applications. More importantly, students will learn how to code secure web solutions via defence-based code samples.
As part of this course, we will explore the use of third-party security libraries and frameworks to speed up and standardise secure development. We will highlight production-quality APIs from various languages and frameworks that provide scalable security controls.
This course includes secure coding information for Java, PHP and .NET programmers, but any software developer building web applications or web services will benefit.
This intensive 1-day course focuses on the most common web application security problems, including aspects of both the OWASP Top Ten (2013) and the MITRE Top 25. Several other OWASP secure coding projects will be featured. The course introduces and demonstrates application assessment techniques, illustrating how application vulnerabilities can be exploited so that students really understand how to avoid introducing such vulnerabilities in their own code.

  • In-depth next-generation XSS attacks and defence, including demos.
  • Introducing students to both server-side encoding using the OWASP Java Encoder project and client-side controls such as ESAPI4JS, with code examples.
  • Introducing students to next-generation web architectures that auto-defend against many classes of XSS.
  • Injection theory and defences for both client and server, with code examples.
  • SQL injection attacks, theory and defence, with labs covering typical SQL injection and more advanced OS/command injection attacks, with code examples.
  • Comprehensive section covering crypto implementation techniques, best practice and pitfalls, with code examples.
  • CSRF attacks and defence, including demos with code examples.
  • Clickjacking defence and demos.
  • Next-generation ABAC and capabilities-based web application access control, with clear code samples and database design.
  • Authentication best practice, with code examples.
  • Many interactive design discussions on a variety of other web application breaker, builder and defender topics.

Click here to register for this training course


Defensive Programming – JavaScript & HTML5

by Tiago Teles

Duration: 1 day

Understand JavaScript and HTML5 Features to Secure Your Client-side Code
HTML5 is the fifth revision of the HTML standard. HTML5, and its integration with JavaScript, introduces new security risks that must be carefully considered when writing web front-end code. Modern web-based software, including mobile web front-end applications, makes heavy use of innovative JavaScript and HTML5 browser support to deliver advanced user experiences. Front-end developers focus their efforts on creating this experience and are generally not aware of the security implications of the technologies they use.
The Defensive Programming – JavaScript/HTML5 course helps web front-end developers understand the risks involved in manipulating the HTML Document Object Model (DOM) and in using advanced JavaScript and HTML5 features such as cross-domain requests and local storage. The course reinforces important security aspects of modern browser architecture and presents defensive programming techniques that can be applied immediately to prevent common vulnerabilities from being introduced. Additionally, the course provides a detailed description of typical JavaScript sources and sinks and explains how they can be used to detect problems in code.
This course is structured into modules that cover the areas of concentration for defensive programming in JavaScript and HTML5, and it includes code analysis and remediation exercises. The high-level topics for this course are:

  • The HTML5 and JavaScript Risk Landscape
  • Storage of Sensitive Data
  • Secure Cross-domain Communications
  • Implementing Secure Dataflow
  • JSON-related Techniques

This course includes 2 labs with hands-on exercises in which students apply the defensive programming techniques learned in the course. Students are encouraged to bring laptops with VirtualBox installed to run the VM containing the labs.

Click here to register for this training course


Defensive Programming in PHP

by Paco Hope

Duration: 1 day

This course provides hands-on training for PHP developers on how to build secure applications. It addresses both coding and configuration.
PHP is a powerful and versatile web development platform that is widely used throughout the industry. PHP applications are generally affected by the same risks that affect all web applications. There are some aspects of PHP, however, that set it apart from other web technologies. Some web security risks are unique to or are amplified by the PHP language and platform.
This course highlights the features and specifics of the platform that can introduce risks, including (but not limited to) unsafe PHP configuration, null-byte issues, dangerous APIs, cryptography, and dynamic file inclusion issues. Once the student understands these PHP features and risks, the course builds on that knowledge and teaches a set of defensive programming techniques for creating secure PHP applications, covering file system access, session management, authentication, input validation/output encoding, cross-site request forgery, transport security, and injection attacks.

Students should plan to bring a laptop, install a VirtualBox virtual machine, and write some secure PHP code during this class.

Click here to register for this training course


TLS/SSL in Practice

by Achim Hoffmann

Duration: 1 day

SSL/TLS as used today has more and more problems, and it is difficult to understand what the root causes of these problems are and how to detect, avoid, or fix them.
The course is a hands-on training that shows by example how to check the SSL connection (including ciphers) established to a web server and how to analyse the certificate it presents. A wide range of tools will be explained, with demonstrations of how they can be used to detect weaknesses in the SSL connection and related configuration.

The main focus will be on SSL as used in HTTPS. To round off the course, there will be recommendations on how to configure SSL securely.

Click here to register for this training course


Java Web Hacking & Hardening

by Christian Schneider

Duration: 1 day

This hands-on workshop focuses on securing Java web applications against malicious hacker attacks. During the workshop a Java web application (written specifically for this workshop) with many vulnerabilities is examined, exploited, and secured. We start with common vulnerabilities found in web applications: authentication bypasses, different flavours of XSS (reflected, stored, DOM-based), (blind) SQL injection, CSRF, clickjacking, command injection, path traversal, SSRF, session attacks such as session fixation, etc., and continue to more specialised security holes (covering XML, such as XXE attacks and XPath injection, as well as RESTful interfaces, JSON and WebSockets). Preventive protection techniques are also discussed, such as introducing protection tokens (e.g. OWASP's CSRFGuard), adding security headers (CSP and more), and considering encryption techniques.

The main intention behind this course is to learn and practise web application hardening by finding security holes step by step and closing them. In addition to the training's custom Java demo application, it includes a digital handout (PDF) of the course material (in English) full of information for attendees.

Click here to register for this training course


Security of XML-based Web Services and Single Sign-On

by Christian Mainka and Juraj Somorovsky

Duration: 1 day

Web Services and Single Sign-On are among the most important Internet technologies. They are used in many fields such as automotive, healthcare, e-government, and military infrastructures. In recent years, it has been shown that these technologies allow for serious attacks. The attacks take advantage of XML's complexity and make it possible to read data from secured servers, authenticate as an arbitrary user in Single Sign-On scenarios, or decrypt confidential data.

In this training, we will give an overview of the most important XML-specific attacks. Participants will have the opportunity to carry out these attacks in a prepared virtual machine. The attacks will first be tested manually (e.g., with soapUI) to get a feel for them. Subsequently, we will present our penetration testing tool WS-Attacker, which will be used to execute the presented attacks automatically. For each attack, countermeasures will be discussed.

Click here to register for this training course


MDSec’s Web Application Hacker’s Handbook, Live Edition

by Marcus Pinto

Duration: 2 days

Our “Web Application Hacker’s Handbook” series is still the deepest and most comprehensive general-purpose guide to hacking web applications currently available. In late 2011, MDSec set up the online training labs: over 200 hacking labs hosted in the cloud. In this course, we bring you the solutions, demos, and much more material and technology for you to try.
So if you’re a fan of the original and want to try your hand at exploiting everything in the new Second Edition, you’re in luck.

We have run courses for over 5 years at Black Hat, and we know what you want. This structured course is balanced at 120 slides with numerous opportunities to watch instructor-led demos, whilst hacking our library of over 150 lab exercises spanning .NET, J2EE and PHP, and finishing with a “Capture the Flag” contest.
In our labs, no question is left unanswered (or unasked)!

Click here to register for this training course


CISO training: Managing Web & Application Security – OWASP for senior managers

by Tobias Gondrom

Duration: 1 day

This workshop covers setting up, managing and improving your global information security organisation using mature OWASP projects and tools; achieving cost-effective application security and bringing it all together at the management level; and how to use and leverage OWASP and other common best practices to improve your security programmes and organisation. The workshop will also discuss a number of quick wins and how to effectively manage global security initiatives and use OWASP tools inside your organisation. The author has extensive experience managing his own secure development organisation as well as advising on improving a number of global secure development organisations and processes.
Topics:

  • OWASP Top-10 and OWASP projects – how to use within your organisation
  • Risk management and threat modelling methods (OWASP risk analysis, ISO-27005,…)
  • Benchmarking & Maturity Models
  • Security Strategy
  • Organisational Design and managing change for global information security programs
  • SDLC
  • Training: OWASP Secure Coding Practices – Quick Reference Guide, Development Guide, Training tools for developers
  • Measuring & Verification: ASVS (Application Security Verification Standard) Project, Code Review Guide, Testing Guide
  • Development & Operation: Libraries and Frameworks (ESAPI (Enterprise Security API), AppSensor, …), Threat assessments using OWASP Cornucopia

All discussion and issues raised by participants at the workshop will be treated confidentially under the Chatham House Rule (http://en.wikipedia.org/wiki/Chatham_House_Rule).

Click here to register for this training course


Bootstrap and improve your SDLC with OpenSAMM

by Bart De Win and Sebastien Deleersnyder

Duration: 1 day

Building security into the software development and management practices of a company can be a daunting task.
There are many elements to the equation: company structure, different stakeholders, technology stacks, tools and processes, and so forth.
Implementing software assurance can have a significant impact on the organisation. Yet trying to achieve this without a good framework will most likely lead to only marginal and unsustainable improvements.
OWASP OpenSAMM gives you a structured and measurable framework to do just that.
It enables you to formulate and implement a strategy for software security that is tailored to the risk profile of your organisation.

The goal of this one-day training, which is conceived as a mix of training and workshop, is for participants to gain a more in-depth view of, and a practical feel for, the OpenSAMM model.
The training is set up in three parts.

In the first part, an overview of the OpenSAMM model is presented and its similarities to and differences from other comparable models are explained.
The different domains (governance, construction, verification, deployment), their activities and their relations are explained.
Furthermore, the constituent elements (e.g., metrics) are discussed and the overall usage scenarios of the model are explained.

Next, approximately half a day will be spent on an actual OpenSAMM evaluation of your own organisation (or one that you have worked for).
We will go through an evaluation of all the OpenSAMM domains and discuss the results as a group. This will give all participants a good indication of the organisation's maturity with respect to software assurance.
In the same effort, we will define a target model for your organisation and identify the most important challenges in getting there.

The final part of the training will be dedicated to specific questions or challenges that you are facing with respect to secure development in your organisation. In this group discussion, experience will be shared between the participants to address these questions.

If you haven't started a secure software initiative in your organisation yet, this training should provide you with the necessary foundations and ideas to do so. Be prepared for a highly effective and applicable treatment of this large domain! And should you be concerned about confidentiality, we adhere to the Chatham House Rule.

After the conference, the OpenSAMM project team comes together for its first OpenSAMM summit in Cambridge.
If you want to contribute to this flagship project, stay and join us at the summit. More details at www.opensamm.org.

Click here to register for this training course