Tel Aviv, MAY27-28
Tel Aviv, MAY27-28 [cancelled]
Mastering holistic WebAppSec

Was planned to happen at Global AppSec Tel Aviv (IL) as a 2-days training

* Note: the 1XL-day version of the training is available at Budapest (HU) later in June.

May 27-28 (Mon-Tue), 09:00-18:00
 Glenn ten Cate
course topics

Mastering holistic application security

Practice-changing impact, long lasting security knowledge and skills -- are the expected outcomes of this new-school webapp security training. The course is inclusive: the developers learn application security and hacking, improve their professional skills and are also introduced to the security design patterns for fixing the code. In the modern development process security testing is something shared among developers, devops, testers and auditors -- this mingled situation we recreate during exercises.

This is a training with minimum lectures and all focused on hands-on exercises. We start off with some understanding of secure development and the secure coding principles. Then we do basic hacking challenges and move gradually to the advanced topics, but after that we do exercises that are about fixing vulnerable code. The last day of the training the attendees need to show on a custom build vulnerable application the security testing skills and implement the code fixes, this will be reviewed by the trainer.

The attendees will have after this course a vast set of actionable knowledge and practise to be used straight away. Also using the OWASP SKF project will enable them after the course to build secure applications by design but also continue improving and training themselves.

Mastering holistic WebAppSec

from the 'DIY security testing' series

full title
Mastering holistic application security
(aka WebAppSec testing, hacking and fixing -- extended)
course level
from baseline to advanced practices
developers and general security newbies
2 days, 14 hrs education time
a laptop
KALI, Python2 and Python3, ZAP or Burp community edition; your favorite IDE (for the fixing of vulnerabilities)
qualification requirement
basic programming skills (for the Labs we will start from basic hands-on exploits to advanced ones)

Intro to principles and practice of secdev

Introduction to vulnerabilities
'Into the middle of things' hands-on hacking
Playing with untuned source code scanning
Playing with identifying real threats and security requirements
Intro to secure coding
OWASP ASVS topics, an introduction to the areas to protect
How a properly designed infrastructure architecture should be built
Intro to practical secure development
Setting up the right security requirements using OWASP SKF
Create and train security champions
S-SDLC basics, secure development as integral part of SDLC
Automatic tools and their values, non-automatic tools, pentests, peer code review, assisted code-review

Testing/hacking and fixing

Common server-side vulnerabilities and their defense
Injections: SQLi, XML injections, JSON, XPath, XSS, cookie injection, open redirection, http header injection, 2 deserialization attacks
Path traversal, XXE, Buffer overflow, Zip bomb, Million laugh, RFI, Insecure file upload, Code execution, Remote file inclusion
Command injection
Insecure direct object reference
Server side template injection
CSRF bypassing
Authorization bypasses
Common client-side vulnerabilities and their defense
XSS (types, impact, causes, defenses, other html injections, BeEF)
CSRF, Clickjacking, Same-origin policy, CORS
Client side template injection

Security design

Security by design
Threat modelling
Separation of duties, trust boundaries, security boundaries, defence in depth, principle of least privilege, minimising the attack surface, risk driven mitigation
Business logic vulnerabilities
Cryptography basics
TLS, ciphersuites
HTTP certificate pinning
Perfect forward secrecy, certificate transparency
Http configuration
CSP, HSTS, Cookie settings, x-content-type-options
Access management
Authentication principles, session management, authorization
Access management in a RESTful environment (to JWT or not to JWT)
OAuth2, OpenID Connect
Server-side defense
API security, design and implementation
Web service security
Attack surface
Input validation vs encoding

This workshop is delivered by

As a coder, hacker, speaker, trainer and security chapter leader employed at ING Belgium Glenn has over 15 years experience in the field of security. One of the founders of defensive development [defdev] a security trainings series dedicated to helping you build and maintain secure software and also speaking at multiple other security conferences in the world.

Glenn and his brother Riccardo also donated an entire knowledge framework solely dedicated to help developers make their code secure by design to OWASP. See:
SKF (Security knowledge framework) .

His goal is to create an open-source secure software development life cycle with the tools and knowledge gathered over the years and solving the SecDevOps challenges people face.

From Glenn's trainings record:
EC-Council, LastPass, LogMeIn, defdev1805, defdev1611

The workshop is hosted by

Booking assistance,
feedback, questions 

Do not hesitate to call or otherwise contact our support!
[email protected]  select/copy assistance form  google form
@defdeveu  direct message us +32476222722   from noon to 9pm

Do not hesitate to ask questions, request assistance, call for support, ask about the course, invoicing, payment options, visa support, hotels, etc.

We also understand that buying expensive tickets still requires a decision making process, even if our trainings are superior. ,)