Budapest, JUN14
Budapest, 1906 [past]
WebAppSec testing/fixing

Budapest (HU), 1-day intensive training

Early tickets till MAY31: €470 net [148KHUF+VAT]
Final price: €580 net [185KHUF+VAT]/seat.

* Note: there was also a Burp workshop the previous day.

Onsite pizza lunch by
Green Fox Academy.

June 14 (Fri), 9:00-18:00
Green Fox Academy, Budapest
 Glenn ten Cate
course topics
upon completion
certificate of attendance

Webapp security testing, hacking and fixing

Practice-changing impact, long lasting security knowledge and skills -- are the expected outcomes of this new-school webapp security training. This is a training with minimum lectures and all focused on hands-on exercises. We start off with some understanding of secure development and the secure coding principles. Then we do basic hacking challenges and move gradually to the advanced topics, but after that we do exercises that are about fixing vulnerable code. The attendees will have after this course a vast set of actionable knowledge and practise to be used straight away.

Also using the OWASP SKF project will enable them after the course to build secure applications by design but also continue improving and training themselves.

WebAppSec testing/fixing

from the 'DIY security testing' series

full title
Webapp security testing, hacking and fixing
course level
practical baseline+
developers, testers, security specialists and champions
1 XL day, 7 hrs education time
a laptop
KALI, Python2 and Python3, ZAP or Burp community edition; your favorite IDE (for the fixing of vulnerabilities)
qualification requirement
basic programming skills (for the Labs we will start from basic hands-on exploits to advanced ones)

Intro to principles and practice of secdev

Intro to practical secure development
Setting up the right security requirements using OWASP SKF
Create and train security champions
S-SDLC basics, secure development as integral part of SDLC
Automatic tools and their values, non-automatic tools, pentests, peer code review, assisted code-review

Testing/hacking and fixing

Common server-side vulnerabilities and their defense
Injections: SQLi, XML injections, JSON, XPath, XSS, cookie injection, open redirection, http header injection, 2 deserialization attacks
Path traversal, XXE, Buffer overflow, Zip bomb, Million laugh, RFI, Insecure file upload, Code execution, Remote file inclusion
Command injection
Insecure direct object reference
Server side template injection
CSRF bypassing
Authorization bypasses
Common client-side vulnerabilities and their defense
XSS (types, impact, causes, defenses, other html injections, BeEF)
CSRF, Clickjacking, Same-origin policy, CORS
Client side template injection

Security design

Security by design
Threat modelling
Separation of duties, trust boundaries, security boundaries, defence in depth, principle of least privilege, minimising the attack surface, risk driven mitigation
Business logic vulnerabilities

This workshop was delivered by

As a coder, hacker, speaker, trainer and security chapter leader employed at ING Belgium Glenn has over 15 years experience in the field of security. One of the founders of defensive development [defdev] a security trainings series dedicated to helping you build and maintain secure software and also speaking at multiple other security conferences in the world.

Glenn and his brother Riccardo also donated an entire knowledge framework solely dedicated to help developers make their code secure by design to OWASP. See:
SKF (Security knowledge framework) .

His goal is to create an open-source secure software development life cycle with the tools and knowledge gathered over the years and solving the SecDevOps challenges people face.

From Glenn's trainings record:
EC-Council, LastPass, LogMeIn, defdev1805, defdev1611

The workshop was hosted by

For sponsors

def[dev]eu events provide a unique opportunity for the secure development tooling and services providers to get in touch with developers and team leaders from cool European development teams and IT departments

Contact us at [email protected], direct message us on twitter @defdeveu or call +32476222722 [Timur].

The training was supported by