Schedule & Trainings
Tuesday, August 25 and Wednesday, August 26
- Virtual Training Courses
- 12:00pm to 4:00pm EDT / 18:00 to 22:00 CET
Please note: All courses run simultaneously across both days; register for only one.
Training subject to change based on trainer availability.
DevSecOps Workshop: Putting Security Checks into your Build Pipeline
- This course gives insight into the automation capabilities of security scans, which fit neatly into many build pipelines. Taking into account frontends (Web) as well as backends (APIs), you will learn which steps of a security analysis can best be automated, and how. By focusing on open-source solutions (OWASP ZAP), you will get a tool arsenal with different automation options, ready to test your application’s security on every build. During this workshop we will enhance, step by step, a typical Jenkins-based CI/CD pipeline (every attendee gets an individual Jenkins server in the cloud, ready to use, with multiple levels of tool integration) built around a specially prepared vulnerable training application into a full-fledged DevSecOps AppSecPipeline.
DevSecOps with GitHub Actions and Azure
- DevSecOps, as defined for this course, is performing application security activities in a DevOps environment. This course will kick off with brief theory about AppSec and DevOps, and then spend the rest of the day locking down your GitHub repo, creating a CI/CD pipeline using GitHub Actions, adding several security tools to your CI/CD pipeline, finding security bugs, deploying your app to Azure, and then locking down your infrastructure in Azure.
Tooling: GitHub Actions, SCA, Secret Scanning, DAST, GitHub Secret Store, Azure Security Center
This course is hands-on. You will need a GitHub account and an Azure Trial ready *before* the course starts. Do NOT use your work Azure account; we will be deploying an insecure app to your trial instance.
Ethical Hacking - security seen from an offensive perspective
- Course learning objectives:
• Develop "out-of-the-box" thinking
• See security from an offensive perspective
Course learning modules:
• Penetration testing overview
• Various types of footprinting, footprinting tools, and countermeasures
• Network scanning techniques and scanning countermeasures
• Enumeration techniques and enumeration countermeasures
• System hacking methodology
• Packet sniffing techniques and how to defend against sniffing, session hijacking, HSTS bypass
Ethical Hacking for Beginners
- This course is based on Ethical Hacking, also known as Penetration Testing. Hacking, when done ethically and with the permission of the asset owner, is an effective way for organizations to find the vulnerabilities in their information systems and fix those weaknesses before malicious hackers or adversaries can exploit them. This kind of hacking is classified as White Hat Hacking. The course is designed to make students aware of the various hacking tools used in the industry by cybersecurity professionals. More than 90% of the course is practical, hands-on work.
Learning Outcomes: Students will be able to distinguish ethical hacking from malicious hacking by understanding the concepts of White Hat and Black Hat hacking. They will gain hands-on knowledge to perform hacking tasks in ethical ways, using various hacking tools, to improve the security of assets.
Resources for hands-on approach:
- Attack side: Kali Linux 2020.x, NMAP, Metasploit Framework (MSF).
- Victim side: Metasploitable, MS Windows 10, OWASP resources, i.e. Damn Vulnerable Web Application (DVWA) and buggy web application (bWAPP).
Fuzzing: An effective alternative to code review and penetration testing
- Conducting an effective application penetration test requires specialized knowledge and experience. Penetration tests are costly and often only considered at, or towards, the end of the software development process. On the other hand, most software companies, and especially start-ups, do not have the resources to invest in source code reviews. Given these constraints, fuzzing, if done correctly, can provide an effective alternative that can easily be included in any secure software development process.
This course aims to provide a strong base for using fuzzing as an effective alternative to discover vulnerabilities. Attendees will gain usable knowledge of fuzzing, learn to build an effective wordlist, use Python to build application-specific fuzzing tools, and see use cases for discovering OWASP Top 10 vulnerabilities using fuzzing. The course will also provide guidelines for including fuzzing in the software development process and for the possible use of machine learning and baseline analysis to enrich the returns from fuzzing.
Hacking Android & IoT apps by Example
- This course is a 100% hands-on deep dive into the OWASP Mobile Security Testing Guide (MSTG) and the relevant items of the OWASP Mobile Application Security Verification Standard (MASVS), and so it covers and goes beyond the OWASP Mobile Top Ten.
Learn about Android and IoT app security by improving your mobile security testing kung-fu. Ideal for penetration testers, mobile developers and everybody interested in mobile app security.
All action, no fluff: improve your security analysis workflow and immediately apply the skills you gain in your workplace. The course is packed with exercises, extra-mile challenges and a CTF, is self-paced and suitable for all skill levels, and comes with continued education via unlimited email support and lifetime access to the training portal, with step-by-step video recordings and interesting apps to practice on, including all future updates for free!
Hands-on threat modeling and tooling for DevSecOps
- Steven teaches you how to use threat modeling and tools to integrate security in DevOps. He teaches a risk-based unified threat modeling practice that is in close alignment with your business objectives. With hands-on practical threat modeling challenges, you will learn the different stages of threat modeling on an incremental CI/CD scenario.
Practical OWASP ZAP Scripting
- During this training (workshop) you will learn how to write scripts to attack websites, and you will also learn to write your own malicious scripts in OWASP ZAP to run your arbitrary code and security tests on your target.
This training (workshop) will focus on a deep understanding of one of the best penetration testing tools, OWASP ZAP, and on techniques for writing our own scripts in it.
Secure By Design: Threat Modeling For Developers
- You’ve decided that your products require a higher level of security, and now you need to start introducing security into your software design activities. But with a focus on quick delivery, your team doesn't have much bandwidth to discuss quality or security, let alone integrate heavyweight security activities into the development workflow...
*Threat Modeling* is one of the most effective security activities that can be performed for a software application. Using a structured methodology for security-based analysis of a complex system can help you identify and prioritize potential threats and attack vectors, and understand the appropriate mitigations. A good threat model is essential for a robust, secure design and architecture, and can support mitigation of all relevant threats. This can also build customer confidence.
As a developer, you want to be empowered to contribute to the security design and take ownership of the security features in your products. With training and some tangible experience, you can independently create the threat models for your applications and design a more secure architecture, easing the load on your security team and achieving deeper integration and a higher level of security than enforcing it externally would.
This Threat Modeling Workshop will kickstart your security design efforts, teach your developers the skills required to build their own threat models for your products, and train with actual hands-on experience so that you are confident to continue designing secure products based on threat modeling.
Securing the Container Platform
- Containers are in popular use as the distribution vehicle for cloud-native application services. In this workshop, you'll learn about the fundamental security aspects associated with the platform components.
Web API Security
- We see developers moving from traditional 2-tier applications to applications that fetch their data through an API. Since Web APIs are platform independent, they can be used by mobile apps, web apps and many other interfaces. This training session covers penetration testing of Web APIs, the best practices developers should follow when creating such APIs, and some labs/demos as examples.