Virtual, public and private development security trainings.
We harden apps by empowering devs' security mastery.

def.dev development security training ups the ante on virtual education. Our veteran delivery crew and seasoned trainers bridge the gap to make remote courses just as effective as in-person sessions.

Our defensive development (hence the name def.dev, /dɛfdɛf/) courses are dedicated to helping teams and pros build and maintain secure software. Let's harden apps by strengthening security skills and through adopting practices that systematically reduce defects.

Delivered by experienced appsec/defsecops authorities and catered to [senior/medior engineers, security champions, architects, testers, devops and junior devsecops/cybersec folks], to expand individual careers and to harden deving teams through mastery of secure software production skills and practices.




Learn-by-fixing (testing and hacking)
 

We teach how to fish amid threats instead of giving lessons about the species of fishes in the OWASP Top 10. We make students engaged in the learning process by performing exercises. The trainers on stage demonstrate many practical aspects of hacking or defence practices and patterns. The students have to walk through many hands-on exercises, in teamwork or on their own. We preach Application Security Verification Standard (OWASP ASVS) and practicable knowledge. The theory is minimalistic, dressed into stories and built onto meaningful concepts.




Devel hardening
 

Let’s kill bugs early -- in developers' minds and through adopting sticky devel practices that systematically reduce defects. Development is a collective process: our students become experts who improve the secure coding and practices of their teams by importing the skills learnt off-site into their workplaces. Teams working together in real-life projects are welcome. The goal is to deliver security skills useful in modern deving practice. Solo professionals are our first-class guests too! See the management pitch below...




Let us hack your codes!)
 

Our twin project, secdev.eu, is a hi-end service for auditing the security quality of code and improving S-SDLC practices. For private secure coding trainings we suggest completing the workshop by reviewing production code together for security design and implementation problems. We provide vulnerability audits and pentesting (VAPT); the resulting audit reports can make subsequent trainings more meaningful for devs. We also help you implement SKF, the Security Knowledge Framework. Ask about the secdev.eu code audits!

The def.dev pitch for management

def.dev workshops are designed to significantly improve the security quality of the software production by mastering secure coding skills and through adopting sticky devel practices that systematically reduce defects.

We do trainings on Java/JEE, Javascript/React/Angular, Node.js, iOS/Android, C#/.net, C++, Golang, Python, Kotlin and PHP secure coding, IoT, docker, AWS and mainframe security, also S-SDLC (secdev playbook), CI/CD pipeline (security testing automation and vulnerability management) and even about testing w/ Burp for devs. Our courses are mostly structured around the OWASP Application Security Verification Standard (ASVS), and are based on cloud-hosted exercises and DIY tasks.

Features of both the public and private trainings:

  • Advanced and proficiency level courses. For dev professionals of senior and mid level, team leaders, security champions, architects and secengs.
  • Though we try to remain comprehensible and useful for any person interested in the development process.
  • We minimize lectures, we minimize the stuff developers forget by the second week. We do many demos and make students learn the material by hand with hacking and fixing codes, and with tabletop exercises in teams.
  • Intensive 1XL or 2-3 days delivery. Performance-oriented both on the stage and the floor.
  • We monitor the individual learning style of students.
  • Our trainers are practitioners with authority and have years of experience in enterprise software production: such as security testers who are good at coding or senior developers who learnt security testing and S-SDLC.

With the two formats of our public trainings, the hosted workshops and the theater trainings we try to achieve such quality and impact in training that the public ones can substitute private/onsite workshops:

  • Disruption free environment. (In contrast, in the atmo of their workplaces the on-site training attendees may keep tracking their project or even check out from the training to an important meeting.)
  • Professionals working together in real-life projects are welcome and we will change their practices. Teambuilding is a byproduct of the "teams hardening" we do.

At the theater trainings, our midsize events for 25+ students or 5+ teams from different companies:

  • The trainings are delivered by two trainers on stage simultaneously. We deliver staged performance, the interacting trainers enjoy the show, and the chemistry with the bigger audience is maintained.
  • The def.dev floor is structured into tables, we assist students to perform as groups, which makes students engaged and serves deeper and more practical learning.

Clients/visitors of public and private def.dev trainings were/are: ING Belgium/Netherlands, Payconiq, LogMeIn/LastPass/GoToMeeting/Boldchat, Ustream, JKU Institute für Netzwerke und Sicherheit, Siemens/evosoft, Nokia, GE Healthcare, Opera Software, SAP, Balabit, AEGON, KBC/KH Hungary, Vijfhart.

Check out further details in the respective sections below: the choice, the abstracts and topics of courses, announced events and the tickets guide.

Contact us at [email protected], dm us @defdeveu, or call, or use the assistance (google) form. See the support section.


Recommendations

After the top notch Mobile ASVS-based trainings Zsombor and the defdeveu guys delivered onsite, our LogMeIn team is looking forward to attending the next defsec training in Vienna.
This and other appsec courses conducted by Glenn, Timur and team have been part of our training program at LogMeIn for several years. They give our developers a great foundation and then strengthen those skills with engaging, hands-on practice. Thanks, defdeveu!

-- LogMeIn, Dr. Márk Vinkovits, Manager of Application Security  


The courses/workshops

The menu: Java, Angular/React, iOS/Android, Swift, Kotlin, C#, C++, Golang and Hack/PHP secure coding, cloud/edge security, also S-SDLC (secdev playbook) and DevSecOps methodology, or CI/CD pipeline (security testing automation and vulnerability management) and even Burp for devs.

The def.dev trainings have been designed to significantly improve the security quality of the software production by mastering secure coding skills and through adopting sticky devel practices that systematically reduce defects.

See the catalog of our courses with details and agendas at def.dev/dir.


Our popular trainings are:

Redbelt Champion Mobile workshops

Mobile development security [blue]

WebApp/API development security

'DIY security testing' series

Testing automation


The upcoming events


(Also check out our past events.)

Interested in having a private def.dev training at your company? Contact us regarding the onsite def.dev courses.


Virtual, TBA
Vienna, TBA
iOS/Android development security

Vienna, advanced intensive training, 2 combined tracks

Earlybird €1250 €1750 single track (platform) or €1750 €2250 for both tracks [per seat]


timing/days: TBA [Wednesday-Friday in September]; 3 days event; D1: full, D2: am: ios, pm: android, D3: am: android, pm: ios
venue/seats: TBA [max 12 tables]
trainers: Zsombor Kovács
agenda: Android agenda, iOS agenda
language: English
Registration opens later

The manifesto

the developers are the key players of the software security at the end of the day, not the auditors

Secure software development is a professional field which has not many dedicated events yet, and especially not many events which educate and improve developers. Meanwhile the developers are the key players of the software security at the end of the day, not the ethical hackers or auditors.

Our ambition is to establish the #1 European event of the "securely developing" professionals. Our training events are purely about educating and improving our visitor developers and other professionals involved in the ssdlc.

def[dev]eu is a developers trainings series, it's not a hacking show, nor is it about boring security preaching. We are structured, practical, entertaining, and we see the challenge with the eyes of a software engineer.

"As an active hacker and penetration tester, I came to the conclusion that for most mobile application tests, application developers commit the same mistakes over and over again. The overall security posture of the published mobile applications could be significantly improved if the developers were aware of techniques, tools and methods used by real attackers and this knowledge should be used throughout the entire SDLC process. How differently would developers work if they had the opportunity to see their app through a hacker's eyes?"
-- Zsombor

The trainers

When leading security specialists come together on stage, be prepared to take in a wealth of online security knowledge

Zsombor Kovács is a security specialist with many years of hands-on experience in penetration testing in Budapest, London and Zürich. Besides penetration tests performed on mobile devices (both iOS and Android), his main focus is application and infrastructure evaluation. Zsombor conducts penetration tests and malware analysis on a daily basis. He found vulnerabilities in all sorts of Android and iOS applications from e-banking and telecommunication to document management, to MDM software. He also has been involved in projects dealing with incident response, forensic engineering, reversing, physical security and social engineering. Zsombor is keen on everything related to hacking from finding bugs in mobile applications to devsec consulting, to lock picking and RFID hacking and exploring the human psyche.

Zsombor is involved in secure development trainings on both mobile platforms, malware and pentesting.


From the trainings record of Zsombor:
LogMeIn, GoToMeeting, 1611BUD, 1805VIE, 1906BUD

Péter has been doing enterprise web application development for more than a decade now, mainly for financial institutions. He has exceptional knowledge of and strong experience with Java and JEE, and also with several Javascript frameworks. In recent years Péter turned to software security and does secure development consulting and ASVS-based application audits with secdev.eu, and is a resident trainer with defdev.eu.

Meanwhile he stays current with the software production internals working also as a freelance software engineer. Péter also teaches Java for developers.

Marek Zachara graduated with an MSc degree in Electrical and Electronic Engineering from the University of Bristol, UK in 2000 and received his PhD in Computer Sciences in 2008 from AGH UST, Poland. He is an assistant professor at AGH University of Science and Technology in Krakow. Since 2008 Marek has been working with Securing on security audits and development of tools and methods for security assessment.

For over five years he has been involved in a number of research activities centered around software quality and security, with special focus on simulation and analysis of user behavior.


The def.dev events are delivered with many other enthusiastic and professional people helping our students on the floor and behind the scenes.

Archive/pre-covid public events

Budapest, JUN13
Budapest, 1906 (done)
Burp for testers and developers

Budapest (HU), one-day intensive training

Early tickets till MAY31:
€470 net (148KHUF+VAT)

Final price:
€580 net (185KHUF+VAT)/seat.

description:

The purpose of the workshop is to give testers and developers an overview of how the Burp suite can be used for web testing work. Even though Burp is primarily designed for penetration testers, its sophisticated capabilities can come in handy for everyone whose job is to perform general bug hunting in web applications.


timing/days: '19 June 13 (Thu), 9:00-18:00; 1 XL day (7hrs education time)
venue/seats: Green Fox Academy; 15+
trainer: Zsombor Kovács
agenda: course desc.
language: English

* Note: there is also 'WebAppSec testing/fixing' workshop the following day.

Budapest, JUN14
Budapest, 1906 (done)
WebAppSec testing/fixing

Budapest (HU), one-day intensive training

Early tickets till MAY31:
€470 net (148KHUF+VAT)

Final price:
€580 net (185KHUF+VAT)/seat.

description:

Practice-changing impact, long lasting security knowledge and skills -- are the expected outcomes of this new-school webapp security training. This is a training with minimum lectures, all focused on hands-on exercises. We start off with some understanding of secure development and the secure coding principles. Then we do basic hacking challenges and move gradually to the advanced topics, and after that we do exercises that are about fixing vulnerable code. After this course the attendees will have a vast set of actionable knowledge and practice to use straight away.


timing/days: '19 June 14 (Fri), 9:00-18:00; 1 XL day (7hrs education time)
venue/seats: Green Fox Academy; 15+
trainer: Glenn ten Cate
agenda: course desc.
language: English

* Note: there is also a Burp workshop the previous day.

Budapest, APR25-26
Budapest, 1904 [past]
Secdev in Java
(Spring-flavored)

Budapest (HU), 2-days workshop

description:

The two-days Java secure development workshop will cover the fundamentals of secure coding in Java (extended with some Spring particulars). We will teach the most important webapp vulnerabilities from the perspective of a developer. Participants will learn how to find vulnerabilities during testing, how to recognize those within the source-code, how to avoid and mitigate those.


timing/days: '19 APR25-26
venue/seats: LogMeIn Labs, Budapest; 15+
trainer: Péter Nyilasy
agenda: course desc.
language: Hungarian

Tel Aviv, MAY27-28
Tel Aviv 1905 [cancelled]
Mastering holistic WebAppSec

Cancelled due to low demand.

description:

Practice-changing impact, long lasting security knowledge and skills -- are the expected outcomes of this new-school webapp security training. The course is inclusive: the developers learn application security and hacking, improve their professional skills and are also introduced to the security design patterns for fixing the code. In the modern development process security testing is something shared among developers, devops, testers and auditors -- this mingled situation we recreate during exercises.


timing/days: was planned to '19 MAY27-28
venue/seats: OWASP Global AppSec; ~15
trainer: Glenn ten Cate
agenda: course desc.
language: English

Budapest, MAR21
Budapest, 1903 [past]
Péter Nyilasy
JavaScript secdev

Budapest (HU), one-day intensive training
1 XL day (7hrs education time)

description:

The one-day javascript security training will cover the fundamentals of secure coding in javascript. We will teach the most important web vulnerabilities related to javascript from the perspective of the developer. They will learn how to find vulnerabilities during testing, how to recognise them within the source-code, how to avoid, and how to mitigate them.


timing/days: '19 MAR21
venue/seats: One Identity Balabit HUB; 15+
trainer: Péter Nyilasy
agenda: course desc.
language: Hungarian

Vienna/Wien 1805
Vienna 1805 [past]
Android secdev & test automation

Vienna/Wien (AT), intensive training, 1 track, 2 topics

description:

All classes were tuned for an advanced audience (mostly comprehensible for juniors though). The Android secure development and coding classes followed the OWASP Mobile ASVS sections. A quarter of the course was dedicated to the integrated security testing automation and vulnerability management in the CI/CD pipeline (we introduced a ready-to-implement solution).

 
dates: '18 MAY31-JUN01
venue: MuseumsQuartier Wien [4 tables]
trainers: Glenn ten Cate, Zsombor Kovács, Riccardo ten Cate
course: Android+CICD agendas
days: 2 days event

Budapest 1611
Budapest 1611 [past]
Secdev mastering & S-SDLC & Mobile

Budapest (HU), basic to advanced training, 1 track, 3 topics

description:

Our pilot event was in 2016 in Budapest, where the idea of the project was born. The agenda in reverse order was as follows: The third day was a real tidbit, when secdev management practices were evaluated, e.g. Secure SDLC and AppSec Management, DevOps security, Security testing, SIEM (Security Information Event Monitoring), IAM and the mobile application security from a defensive point of view. On the previous day, Jim and Glenn mastered the developers’ secure coding skills through modules like HTTP security, HTTPS/TLS best practices, Input validation, serialization, Solving input injections, CSRF and Clickjacking defense, Webservices security, AngularJS security. All these modules required an advanced knowledge of the field. The entry level knowledge for these modules we delivered on the first day. So with those two first days def.dev provided a complete secure coding course.

dates: '16 NOV17-19
venues: Marriott Courtyard Budapest City Center, Hotel Gellért [55-75 visitors]
trainers: Jim Manico, Glenn ten Cate, Zsombor Kovács
days: 3 days event; D1: secdev preps, D2: secdev mastering, D3: s-sdlc and mobile
promo: event trailer on youtube


For sponsors

def[dev]eu events provide a unique opportunity for secure development tooling and services providers to get in touch with developers and team leaders from cool European development teams and IT departments.

Contact us at [email protected], direct message us on twitter @defdeveu or call +36309225777 [Timur].




Assistance, feedback, questions

For assistance and questions contact our support!
[email protected]  select/copy assistance form  google form
@defdeveu  direct message us +36309225777   11am-8pm Berlin time

Do not hesitate to ask questions, request assistance, call for support, ask about the courses, discounts, invoicing, payment options, team tickets, visa support, hotels, etc.

We also understand that buying expensive tickets still requires a decision making process, even if our trainings are superior. ,)

We suggest you walk through the following steps:

  • Start with our pitch above
  • If the flow requires involving others, we suggest you share that pitch: https://def.dev/#pitch
  • Check out the upcoming events (https://def.dev/#upcoming)
  • Review the catalog of our courses, details and agendas (https://def.dev/dir)
  • Some details about booking tickets are clarified right below (https://def.dev/#tickets)
  • Don't hesitate to contact us on the above channels: assistance form, email, twitter dm or call (https://def.dev/#support)

Tickets guide for the public trainings

The tickets flow in short
  • Booking: Alice books tickets for Bob and Eve or herself (via a corresponding google form) -> Alice gets a VAT invoice in email from def.dev to pay and pays via wiretransfer or Paypal -> Alice gets voucher(s) in an email ->
  • Enrollment: Bob and Eve (or Alice) use their personal vouchers to enroll (via a corresponding google form) -> done.
  • [Alternatively] Fast booking/reservation: If you are an individual visitor, you can also pay €50 now to reserve your seat, and pay the rest cca. 3 weeks before the event.

Booking
  • Use the corresponding booking form to indicate your order (the 'book tickets' button/tab on the event page opens a link similar to defdev.eu/e/1905.vie.xxx/book, which redirects to the google form).
    It doesn't matter at this step whether you book a seat for yourself or seats for others.
  • When booking, please check the header of the form for details and instructions.
  • Upon receipt of your booking form we will contact you by email.
  • We send you an invoice when all the particulars are clear to us and confirmed on your side.
  • Upon receipt of payment we send you vouchers, one voucher per seat (visitor).
    The vouchers are 6-character codes.
  • If you were helping your colleagues to book their seats, forward the vouchers one by one to the eligible individuals.

Enrollment
  • The enrollment form is available via the 'Enroll w voucher' tab on the event page.
    The enrollment link is something similar to defdev.eu/e/1905.vie.xxx/enroll, which redirects to the google form.
  • A visitor enrolls herself in the course using her personal voucher code in the corresponding form.
  • When the event is approaching we will contact the enrolled/registered visitors with a so-called "student's doc" which will contain all the details of the course. Should that document not be shared with a student/visitor 5 days prior to the event, please alert us via the above channels!

Fast booking/reservation

Should the above corporate flow not fit your situation, you can choose to pay €50 now as a deposit to reserve your seat at the price of today, receive your invoice, and pay the rest cca. 3 weeks before the event.

  • Hit the 'Reserve fast (€50 deposit)' button/tab on the event card. Pay that deposit instantly at PayPal / with any debit/credit card.
  • We will contact you in email within a day to confirm your reservation.

What payment options are available?

Wiretransfer (SEPA/SWIFT/Wise), online card payment (Visa, Master, etc via Revolut), Paypal-to-Paypal.

What VAT rate applies/payable/included/excluded?
  • In the case of EU VAT subjects (except Hungarian businesses) and of non-EU clients the rate is 0%.
    Thus a ticket price of €1000 is net 1K + 0 VAT payable.
  • For all other clients -- EU individuals and Hungarian companies -- the VAT is 27%, and is NOT included in the announced ticket prices.
    Thus the announced ticket price of €1000 means €1'270 payable for them (including VAT).
  • Note: special fiscal/taxation regulation cases may apply.

Are the tickets refundable?

We refund the price you paid with deduction of a €50 cancellation fee per seat when cancellation is requested by a client at the latest on the 32nd day prior to the event. In case of later requests we are ready to suspend and reassign your order to another training (€50 re-booking fee per seat applies).

Why is that weird note at the event card: "In the unlikely case of low demand this training can be gracefully cancelled..."?

One of the standard conditions of our public trainings is that the booked tickets are to cover the costs. If on the 32nd day prior to the event we see that the announced training may end up in losses then we may cancel it with full rollback. All parties return to square one. You as the client get a full refund of the money transferred for the tickets of the cancelled event.

Who issues the invoices and is the beneficiary of payments?

azd.security Kft., Budapest, Hungary
VAT: HU13804079, Estd: 2006, EU ID: HUOCCSZ.01-09-874089 [in Hungarian only, but the official registry, pass the captcha first]
PayPal merchant ID: FUBRZGH72QGZQ

eezza Kft., Budapest, Hungary
VAT: HU12099265, Estd: 1996, EU ID: HUOCCSZ.01-09-465607

We require special kind of invoice due to our local regulations, is it possible to get such?

Sure! Let's arrange that at the booking stage.

Other standard questions? (eg. discounts)

Please, browse the other FAQ section below. Also, don't hesitate to contact us on the above channels: assistance form, email, twitter dm, call.

FAQ

What is the difference between development security and secure coding?

We prefer to tag our development security courses as "devsec", but courses of this type are usually referred to as secure coding courses, or application security, or secure development courses. In our view, devsec is a broader field than just secure coding: it includes S-SDLC. S-SDLC is not about coding but about methods, approaches, practices and tools. It's also DevSecOps without Ops.

What kind of training can an attendee expect? Is it a hands-on training with computer labs or is it more like talks about certain topics?

The lectures are trimmed down, we deliver many demos and sustain involvement of the students with hands-ons and tabletops.

With what equipment should a student visit the trainings?

Bringing your own deving device (laptop) is the prerequisite. The device you use for hacking your code.

I would like to make a def.dev event in my city, is it possible?

def.dev is open for cooperation with local professionals. def.dev has strict rules of quality and format. Please contact us.

Is lunch included in the ticket price?

Unless otherwise indicated on the event card -- no. We supply some snacks, non-alcoholic drinks and coffee most of the time.

Dress code?

No dresscode.

Other questions?
  • Regarding tickets ordering check the Tickets guide section above.
  • For further details and assistance contact us or submit your question/request/complaints via our assistance form (google, no sign-in required), or via email and twitter dm.


The full catalog of our courses is available at def.dev/dir.


For press


Glenn ten Cate and Timur Khrotko introduce def[dev]eu, the defensive development education and mastering project. The def[dev]eu training events series is dedicated to helping developers and other professionals involved in the S-SDLC build and maintain secure software. The def.dev events are popping up in different European locations.

The first defdeveu was held in November 2016 in Budapest together with Jim Manico.

See you in Vienna, Amsterdam, Berlin or Kraków, and stay tuned for the continuation of the def.dev series! https://def.dev https://twitter.com/defdeveu
