The Mobile App Security Boot Camp
by Dominic Chell and Robert Miller
Duration: 2 days
The Mobile App Security Boot Camp is a 2-day training course covering both Android and iOS App security. As a new course for 2014, we provide the most comprehensive and cutting edge guide to mobile App security that is currently available, including in depth coverage of iOS 7.
The course is provided as a partnership between MDSec and MWR InfoSecurity, pioneers in mobile security.
The Art of Exploiting Injection Flaws
by Sumit Siddharth
Duration: 2 days
OWASP rates injection flaws as the most critical vulnerability in its Top 10 Most Critical Web Application Security Risks.
This hands-on session focuses solely on injection flaws, and attendees will gain an in-depth understanding of the issues that arise from this class of vulnerability. The topics covered in the class are:
- SQL Injection
- XPATH Injection
- LDAP Injection
- Hibernate Query Language Injection
- Direct OS Code Injection
- XML Entity Injection
During the two-day course, attendees will have access to a number of challenges for each flaw and will learn a variety of exploitation techniques used by attackers in the wild. Identify, extract, escalate, execute; we have got it all covered. The objectives of the course are:
- Understand the problem of Injection Flaws
- Learn a variety of advanced exploitation techniques which hackers use
- Learn how to fix these problems
WebHacking: Breaking, Building and Defence
by Jim Manico and Eoin Keary
Duration: 1 day
Writing secure code is the most effective way to secure your web applications. Writing secure code takes skill and know-how, but it results in a more stable and robust application and helps protect an organisation's brand.
The class is a combination of lecture, security testing demonstration and code review. Students will learn the most common threats against applications. More importantly, students will learn how to code secure web solutions via defense-based code samples.
As part of this course, we will explore the use of third-party security libraries and frameworks to speed up and standardize secure development. We will highlight production-quality APIs from various languages and frameworks that provide robust, scalable security controls.
This course will include secure coding information for Java, PHP and .NET programmers, but any software developer building web applications or webservices will benefit.
This intensive 1-day course focuses on the most common web application security problems, including aspects of both the OWASP Top Ten (2013) and the MITRE Top 25. Several other OWASP secure coding projects will be featured. The course will introduce and demonstrate application assessment techniques, illustrating how application vulnerabilities can be exploited so students really understand how to avoid introducing such vulnerabilities in their code.
- In-depth next-generation XSS attacks and defence, including demos.
- Introducing students to both server side encoding using the OWASP Java Encoder project and client side controls such as ESAPI4JS with code examples.
- Introducing students to next-generation web architectures that auto-defend against many classes of XSS.
- Injection theory and defences for both client and server with code examples.
- SQL Injection attacks, theory and defence with Labs covering typical SQL injection and more advanced OS/Command Injection attacks with code examples.
- Comprehensive section covering crypto implementation techniques, best practice and pitfalls with code examples.
- CSRF attacks and defence including Demos with code examples.
- ClickJacking Defence and Demos
- Next generation ABAC and capabilities-based web application access control with clear code samples and database design.
- Authentication best practice with code examples.
- Many interactive design discussions on a variety of other web application breaker, builder and defender topics.
by Tiago Teles
Duration: 1 day
- Storage of Sensitive Data
- Secure Cross-domain Communications
- Implementing Secure Dataflow
- JSON-related Techniques
This course includes 2 labs with hands on exercises where students will learn to apply the defensive programming techniques learned in the course. Students are encouraged to bring laptops with VirtualBox installed to run the VM with the labs.
Defensive Programming in PHP
by Paco Hope
Duration: 1 day
This course provides hands-on training for PHP developers on how to build secure applications. It addresses both coding and configuration.
PHP is a powerful and versatile web development platform that is widely used throughout the industry. PHP applications are generally affected by the same risks that affect all web applications. There are some aspects of PHP, however, that set it apart from other web technologies. Some web security risks are unique to or are amplified by the PHP language and platform.
This course highlights the features and specifics of the platform that can potentially introduce risks including (but not limited to) unsafe PHP configuration, null-byte issues, dangerous APIs, cryptography, and dynamic file inclusion issues. Once PHP features and risks are understood by the student, this course builds upon this knowledge and teaches a set of defensive programming techniques that can be followed to create secure PHP applications including in the areas of file system access, session management, authentication, input validation/output encoding, cross-site request forgery, transport security, and injection attacks.
Students should plan to bring a laptop, install a VirtualBox virtual machine, and write some secure PHP code during this class.
TLS/SSL in Practice
by Achim Hoffmann
Duration: 1 day
SSL/TLS as used today has more and more problems, and it is difficult to understand what the root causes of these problems are, how to detect them, and finally how to avoid or fix them.
The course will be a hands-on training showing by example how to check the SSL connection established with a web server (including the negotiated ciphers) and how to analyse the certificate it presents. A wide range of tools will be explained, and it will be demonstrated how these tools can be used to detect weaknesses in the SSL connection and its configuration.
The main focus will be on SSL as used in HTTPS. To round up, recommendations on how to configure SSL securely will be given.
Java Web Hacking & Hardening
by Christian Schneider
Duration: 1 day
This hands-on workshop focuses on securing Java web applications against malicious attacks. During the workshop a Java web application (written specifically for this workshop) with lots of vulnerabilities is examined, exploited, and secured. We will start with common vulnerabilities found in web applications: authentication bypasses, different flavours of XSS (reflected, stored, DOM-based), (blind) SQL injection, CSRF, clickjacking, command injection, path traversal, SSRF, session attacks such as session fixation, etc., and continue to more specialized security holes (covering XML, e.g. XXE attacks and XPath injection, as well as RESTful interfaces, JSON and WebSockets). Prophylactic protection techniques are also discussed, such as introducing protection tokens (e.g. OWASP's CSRFGuard), adding several security headers (CSP and more), and considering encryption techniques.
The main intention behind this course is to learn and practice web application hardening by finding security holes step by step and closing them. In addition to the training's custom Java demo application, it includes a digital handout (PDF) of the course material (in English) full of information for the attendees.
Security of XML-based Web Services and Single Sign-On
by Christian Mainka and Juraj Somorovsky
Duration: 1 day
Web Services and Single Sign-On are among the most important Internet technologies. They are used in many fields such as automotive, healthcare, e-government, and military infrastructures. In recent years, it has been shown that these technologies allow for serious attacks. The attacks take advantage of XML's complexity and make it possible to read data from secured servers, authenticate as an arbitrary user in Single Sign-On scenarios, or decrypt confidential data.
In this training, we will give an overview of the most important XML-specific attacks. Participants will get the opportunity to carry out these attacks in a prepared virtual machine. The attacks will be first tested manually (e.g., with soapUI), in order to get a feeling for the attacks. Subsequently, we will present our penetration testing tool WS-Attacker, which will be used to execute the presented attacks automatically. For each of the attacks, countermeasures will be discussed.
MDSec’s Web Application Hacker’s Handbook, Live Edition
by Marcus Pinto
Duration: 2 days
Our "Web Application Hacker's Handbook" series is still the deepest and most comprehensive general-purpose guide to hacking web applications currently available. In late 2011, MDSec set up the online training labs: over 200 hacking labs hosted in the cloud. In this course, we bring you the solutions, demos, and much more material and technology for you to try.
So if you're a fan of the original and want to try your hand at exploiting everything in the new Second Edition, you're in luck.
We have run courses for over 5 years at BlackHat, and we know what you want. This structured course is balanced at 120 slides with numerous opportunities to watch instructor-led demos, whilst hacking our library of over 150 lab exercises, spanning .Net, J2EE, PHP and finishing with a “Capture the Flag” contest.
In our labs, no question is left unanswered (or unasked)!
CISO training: Managing Web & Application Security – OWASP for senior managers
by Tobias Gondrom
Duration: 1 day
Setting up, managing and improving your global information security organisation using mature OWASP projects and tools. Achieving cost-effective application security and bringing it all together at the management level. How to use and leverage OWASP and other common best practices to improve your security programs and organisation. The workshop will also discuss a number of quick wins and how to effectively manage global security initiatives and use OWASP tools inside your organisation. The author has extensive experience of managing his own secure development organisation as well as advising on improving a number of global secure development organisations and processes.
- OWASP Top-10 and OWASP projects – how to use within your organisation
- Risk management and threat modelling methods (OWASP risk analysis, ISO-27005,…)
- Benchmarking & Maturity Models
- Security Strategy
- Organisational Design and managing change for global information security programs
- Training: OWASP Secure Coding Practices – Quick Reference Guide, Development Guide, Training tools for developers
- Measuring & Verification: ASVS (Application Security Verification Standard) Project, Code Review Guide, Testing Guide
- Development & Operation: Libraries and Frameworks (ESAPI (Enterprise Security API), AppSensor, …), Threat assessments using OWASP Cornucopia
All discussion and issues raised by participants at the workshop will be treated as confidential under the Chatham House Rule (http://en.wikipedia.org/wiki/Chatham_House_Rule).
Bootstrap and improve your SDLC with OpenSAMM
by Bart De Win and Sebastien Deleersnyder
Duration: 1 day
Building security into the software development and management practices of a company can be a daunting task.
There are many elements to the equation: company structure, different stakeholders, technology stacks, tools and processes, and so forth.
Implementing software assurance can have a significant impact on the organisation. Yet trying to achieve this without a good framework is likely to lead to only marginal and unsustainable improvements.
OWASP OpenSAMM gives you a structural and measurable framework to do just that.
It enables you to formulate and implement a strategy for software security that is tailored to the risk profile of your organisation.
The goal of this one-day training, which is conceived as a mix of training and workshop, is for participants to gain a more in-depth view of, and practical feel for, the OpenSAMM model.
The training is set up in three parts.
In the first part, an overview of the OpenSAMM model is presented, and the similarities and differences with other comparable models are explained.
The different domains (governance, construction, verification, deployment), their activities and relations are explained.
Furthermore, different constituent elements (e.g., metrics) are discussed and the overall usage scenarios of the model are explained.
Next, approximately half a day will be spent on an actual OpenSAMM evaluation of your own organisation (or one that you have worked for).
We will go through an evaluation of all the OpenSAMM domains and discuss the results as a group. This will give all participants a good indication of the organisation's maturity with respect to software assurance.
In the same effort, we will define a target model for your organisation and identify the most important challenges in getting there.
The final part of the training will be dedicated to specific questions or challenges that you are facing with respect to secure development in your organisation. In this group discussion, experience will be shared between the participants to address these questions.
In case you haven't started a secure software initiative in your organisation yet, this training should provide you with the necessary foundations and ideas to do so. Be prepared for a highly effective and applicable treatment of this large domain! And in case you are concerned about confidentiality issues, we adhere to the Chatham House Rule.
After the conference the OpenSAMM project team comes together for their first OpenSAMM summit in Cambridge.
If you want to contribute to this flagship project, stay and join us at the summit. More details on www.opensamm.org.