Schedule & Trainings
Tuesday, August 25 and Wednesday, August 26
- Virtual Training Courses
- 12:00pm to 4:00pm EDT/1800pm to 2200pm CET
Please note: All courses take place simultaneously over two days, only register for one.
Training subject to change based on trainer availability.
DevSecOps Workshop: Putting Security Checks into your Build Pipeline
- This course gives insight into automation capabilities of security scans, which perfectly fit into many build pipelines. Taking into account frontends (Web) as well as backends (APIs), you will learn what steps of a security analysis can be best automated – and how. By focussing on OpenSource solutions (OWASP ZAP), you will get a tool arsenal with different automation options ready to test your application’s security on every build. During this workshop we will enhance a typical Jenkins-based CI/CD pipeline (every attendee will get an individual Jenkins server in the cloud ready to use with multiple levels of tool integrations) with a specially prepared vulnerable training application step by step into a full-fledged awesome DevSecOps AppSecPipeline.
Ethical Hacking for Beginners
- This course is based on Ethical Hacking also known as Penetration Testing. The hacking, when done in ethical ways with the permission of the asset owner, turns out to be quite effective for organizations to find out the vulnerabilities in their environment of information systems and enable them to fix those weaknesses before malicious hackers or adversaries may exploit their systems. This kind of hacking is classified as White Hat Hacking. This course is formulated to make the students aware of various hacking tools being used in the industry by cybersecurity professionals. The methodology of the course covers more than 90% practical hands-on approach.
Learning Outcomes: Students will be able to distinguish ethical hacking from malicious hacking knowing the concepts of White Hat and Black Hat hacking. They will get hands-on knowledge to perform the hacking tasks in ethical ways to improve the security of assets by using various hacking tools.
Resources for hands-on approach:
- Attack side: Kali Linux 2020.x, NMAP, Metasploit Framework (MSF).
- Victim side: Metasploitable, MS Windows 10, OWASP Resources i.e. Damn Vulnerable Web Application (DVWA) and buggy Web Application (bWAPP).
Fuzzing: An effective alternative to code review and penetration testing
- Conducting an effective application penetration testing requires specialized knowledge and experience. Penetration tests are costly and often only considered at, or towards the end of any software development process. On the other hand, most software companies and specially start-ups do not have any resources to invest in source code reviews. These considered, if done correctly, fuzzing can provide an effective alternative that can easily be included in any secure software development process.
This course aims to provide a strong base to use fuzzing as an effective alternative to discover vulnerabilities. Attendees will gain usable knowledge on fuzzing, learn to build an effective wordlist, use Python to build application specific fuzzing tools and see use cases to discover OWASP TOP 10 vulnerabilities using fuzzing. The course will also provide guidelines to include fuzzing in the software development process and the possible use of machine learning and baseline analysis to enrich returns from fuzzing.
Hacking Android & IoT apps by Example
- This course is a 100% hands-on deep dive into the OWASP Mobile Security Testing Guide (MSTG) and relevant items of the OWASP Mobile Application Security Verification Standard (MASVS), so this course covers and goes beyond the OWASP Mobile Top Ten.
Learn about Android and IoT app security by improving your mobile security testing kung-fu. Ideal for Penetration Testers, Mobile Developers and everybody interested in mobile app security.
All action, no fluff, improve your security analysis workflow and immediately apply these gained skills in your workplace, packed with exercises, extra mile challenges and CTF, self-paced and suitable for all skill levels, with continued education via unlimited email support and lifetime access to training portal with step-by-step video recordings and interesting apps to practice, including all future updates for free!
Hands-on threat modeling and tooling for DevSecOps
- Steven teaches you how to use threat modeling and tools to integrate security in DevOps. He teaches a risk-based unified threat modeling practice that is in close alignment with your business objectives. With hands-on practical threat modeling challenges, you will learn the different stages of threat modeling on an incremental CI/CD scenario.
Modern Web Application Hacking for Beginners
In this beginner-oriented training you can try out attacks against the modern web applications OWASP Juice Shop! There are almost 100 hacking challenges that are waiting to be solved, but in this training we will focus on up to four categories:
- Cross-Site Scripting
- Authentication Flaws
- Authorization Flaws
The training will consist of multiple short teasers to the above vulnerabilities and lots of time for hacking! Your pace is entirely up to you! Some challenges can optionally be tackled in a "swarm-hacking" style together via shared screen on Zoom. Over the entire duration of the training you can get first-hand hints by your trainer in case you get stuck on any challenge.
All participants must install OWASP Juice Shop before the training in a variant of their own choice - please test that the application starts without error! In case of problems with the installation, please check the troubleshooting guide or ask for assistance in the community chat.
Practical OWASP ZAP Scripting
- During this training (Workshop) you will learn how to write scripts to attack websites, and you will also learn to write your own malicious scripts In OWASP ZAP to run your arbitrary codes and security tests on your target.
This training (Workshop) will focus on deep understanding about one of the best penetration test tools 'OWASP ZAP' and techniques to write our own scripts in it.
Secure By Design: Threat Modeling For Developers
- You’ve decided that your products require a higher level of security, and now you need to start introducing security into your software design activities. But with a focus on quick delivery, your team doesn't have much bandwidth to discuss quality or security, let alone integrate heavyweight security activities into the development workflow...
*Threat Modeling* is one of the most effective security activities that can be performed for a software application. Using a structured methodology for security-based analysis of a complex system can help you identify and prioritize potential threats and attack vectors, and understand the appropriate mitigations. A good threat model is essential for a robust, secure design and architecture, and can support mitigation of all relevant threats. This can also build customer confidence.
As a developer, you want to be empowered to contribute to the security design, and take ownership of the security features in your products. With training and some tangible experience, you could independently create the threat models for your applications and design a more secure architecture, easing the load off your security team, and creating deeper integration and a higher level of security than enforcing it externally.
This Threat Modeling Workshop will kickstart your security design efforts, teach your developers the skills required to build their own threat models for your products, and train with actual hands-on experience so that you are confident to continue designing secure products based on threat modeling.
Web the API Security
- We see Developers moving from traditional 2-tier applications to an application which involves an API for fetching data to the application. Since Web APIs are platform independent they can be used by Mobile apps ,Web apps and with lots of other interfaces.This training session would include Penetration Testing of Web APIs , The best practices to be followed by Developers while creating such APIs and some labs/demo as an example.