Public and private secure development trainings.
We harden apps by mastering devs' skills.

defensive development [defdev] trainings are dedicated to helping teams and professionals build and maintain secure software. We harden apps by strengthening security skills and by adopting practices that systematically reduce defects.

Catered to senior/medior developers, architects, testers, devops engineers, team leads and security engineers, and delivered by experienced appsec/secdev authorities, the trainings expand individual careers and harden development teams by mastering the skills and practices of secure software production.

We aren't a jazz concert; our hero image conveys the main feature: we deliver midsize security trainings with 2-3 days of advanced jazz on stage (intense mastering of secdev skills).


The jazz (secdev skills mastering)

Our jazz is advanced and engaging. The defdev stage is for two trainers simultaneously, which makes the performance conversational and enjoyable. Our lecture content is lean and mean. We preach the OWASP Application Security Verification Standard (ASVS) and practicable knowledge. The theory is minimalistic, dressed in stories and built on meaningful concepts. The defdev floor is laid out in cabaret/island style; we assist the tables to perform as groups, many exercises are tabletop exercises (TTX), and our students solve problems in teams.


Devel hardening

Let's kill bugs early -- in developers' minds and by adopting sticky development practices that systematically reduce defects. Development is a collective process; our students become experts who improve local secure coding practices by bringing the skills learnt off-site back to their workplaces. Teams working together on real-life projects are welcome. The goal is to deliver security skills that are useful in modern development practice. Solo professionals are first-class guests as well! See the management pitch below...


Learn-by-fixing

We teach how to fish amid threats instead of giving lessons about the species of fish in the OWASP Top 10. We keep students engaged in the learning process through exercises. The trainers on stage demonstrate many practical aspects of hacking and of defence practices and patterns. The students walk through many hands-on exercises, in teams or on their own. Our assistants on the floor keep the practice running smoothly. BYOD for the maximum experience. We are also prepared to let our audience play with jailbroken devices. Check out the planned exercises...

The defdev pitch for management

defdev trainings are designed to significantly improve the security quality of software production by mastering secure coding skills and by adopting sticky development practices that systematically reduce defects.

We do trainings on Java, JavaScript/React/Angular, Node.js, iOS/Android, C#, Golang, Python, Kotlin and PHP secure coding, IoT and mainframe security, and also S-SDLC (secdev playbook) and CI/CD pipeline (security testing automation and vulnerability management). Our courses are mostly structured around the OWASP Application Security Verification Standard (ASVS), and are based on cloud-hosted exercises and DIY tasks.

Features of both the public and the private trainings:

  • Advanced and proficiency level courses, for senior and mid-level development professionals, team leaders, security champions, architects and security engineers.
  • We nevertheless try to remain comprehensible and useful for anyone interested in the development process.
  • We minimize lectures, i.e. the stuff developers forget by the second week. We do many demos and make students learn the material by hand, by hacking and fixing code and with tabletop exercises in teams.
  • Intensive 2-3 day delivery. Performance-oriented both on the stage and on the floor.
  • We monitor the individual learning style of the students.
  • Our trainers are practitioners with authority and years of experience in enterprise software production: security testers who are good at coding, or senior developers who learnt security testing and S-SDLC.

With the format of the public/theater trainings (midsize events for 25+ students or 5+ teams from different companies) we try to achieve such quality and impact that the training can substitute for onsite trainings:

  • Disruption-free environment. (In contrast, in the atmosphere of their workplace, on-site training attendees may keep tracking their project or even leave the training for an important meeting.)
  • The trainings are delivered by two trainers on stage simultaneously. We deliver a staged performance, the interacting trainers enjoy the show, and the chemistry with the bigger audience is maintained.
  • The defdev floor is structured into tables; we assist students to perform as groups, which keeps students engaged and serves deeper and more practical learning.
  • Professionals working together on real-life projects are welcome, and we will change their practices. Teambuilding is a byproduct of the "teams hardening" we do.

Clients/visitors of public and private defdev [and also secmachine] trainings were/are: LogMeIn/LastPass/GoToMeeting/Boldchat, Ustream, JKU Institute für Netzwerke und Sicherheit, Siemens/evosoft, Nokia, GE Healthcare, Opera Software, SAP, Balabit, AEGON, KBC/KH Hungary, Ocado.

Check out further details in the respective sections below: current courses, announced events and the tickets guide.

Contact us at hello@defdev.eu, dm us @defdeveu, or call, or use the assistance (google) form. See the support section.


Recommendations

After the top notch Mobile ASVS-based trainings Zsombor and the defdev guys delivered onsite, our LogMeIn team is looking forward to attending Android secdev training in Vienna in May.
This and other appsec courses conducted by Glenn, Timur and team have been part of our training program at LogMeIn for several years. They give our developers a great foundation and then strengthen those skills with engaging, hands-on practice. Thanks, defdev!

-- LogMeIn, Dr. Márk Vinkovits, Manager of Application Security  


The upcoming events

The format of the public defdev trainings is middle scale: 25+ students, 10+ tables, 2-3 trainers, support staff on the floor, teamwork.

And by the way, our events are an excellent professional networking opportunity.

(Also check out our past events.)

Interested in having a private defdev training at your company? Contact us regarding the onsite defdev courses.


Amsterdam, March
€1500-1750 (Earlybird €1300-1500)
iOS/Android secdev

Amsterdam (NL), advanced intensive training, 2 combined tracks

Earlybird €1300 (regular €1500) per seat for a single track (platform), or earlybird €1500 (regular €1750) per seat for both tracks (reservation option €50/seat)
(VAT is 0% for EU VAT subjects and non-EU visitors; otherwise 27% VAT is included in the price, i.e. 21.26% of the gross amount)

Lunch on-site (or in a restaurant) and coffee breaks throughout the day are included.

We will help you find an appropriate hotel or apartment


dates
TBA [Wednesday-Friday in March]
venue
TBA [max 12 tables]
trainers
Glenn ten Cate, Zsombor Kovács, Riccardo ten Cate
agenda
Android agenda, iOS agenda
days
3 days event; D1: full, D2: am: iOS, pm: Android, D3: am: Android, pm: iOS
meet/subscribe
ams meetups, Gitter

The courses

The menu: Java, JavaScript/Angular/React, Node.js, iOS/Android, C# and PHP secure coding, IoT and mainframe security, and also S-SDLC (secdev playbook) and CI/CD pipeline (security testing automation and vulnerability management)

With the defdev format we try to achieve such quality and impact that the training can substitute for onsite trainings.

We deliver several courses, from mobile secure development to secure development in different modern frontend and backend frameworks, and also S-SDLC playbook courses.

The defdev trainings have been designed to significantly improve the security quality of software production by mastering secure coding skills and by adopting sticky development practices that systematically reduce defects.

The courses are catered to senior and medior level developers and also to other professionals involved in application production: architects, testers, devops engineers, team leads and security engineers. (And mostly comprehensible for juniors as well.)

Our trainers are senior enterprise devs converted to security specialists or bank security specialists working closely with developers.


The mobile secure development courses

The first part of the course covers general topics of mobile application security, and half of it is dedicated to security testing automation in the CI/CD pipeline of mobile app production. The platform-specific part of the course is structured according to the sections of the OWASP Mobile Application Security Verification Standard (MASVS).

The iOS and Android courses are usually delivered together: one common day and two half days for each track/platform. The tracks do not overlap, so one can attend both in 3 days. At single-track events a course takes 2 full days.


Android secdev &
test automation
course level
advanced (e.g. no OWASP Top 10 intro)
audience
senior/medior developers, lead devs, testers, security champions and security engineers (mostly comprehensible for juniors as well)
duration
single track version: 2 full days;
when combined with the iOS track: 3 days event:
D1: full (CICD), D2: half, D3: half*
equipment
laptop with a dev environment; optional: ability to run Docker containers; recommended: a hackable device attached
prerequisite
familiarity with the mobile apps development process
references
Logmein, GoToMeeting

Secure coding and design principles

D1 am
Introduction to Application security
Warm-up case study: when mobile security implementations failed, one after another
Mobile architectures are secure by design: why do we care?
Security by design
mASVS topics, an introduction to the areas to protect
How a properly designed infrastructure architecture should be built
Fundamental differences between Android vs. iOS platform approaches
Secure coding principles
Explanation of the secure coding principles
Practical hands-on tasks of the secure coding principles
Intro to practical secure development
Setting up the right security requirements
Create and train security champions

Automated security testing in CI/CD pipeline

D1 pm
Security test automation
Introduction to Docker
Containerize the security tooling
Setting up a docker registry
Introduction into CI tools
Setting up a scripted pipeline
Security test automation philosophy
How to pick the right tools for the right job
Integrating the tools into the CI pipeline
Code quality testing
Introduction to SonarQube
Check for dead code
Check for duplicated code
Check for over-complex code
Handling metric results on large scale
Introduction to the vulnerability management tools (VMT)
Delta reporting with the VMT
False positive suppression with the VMT
Learn to read and understand the tooling metrics
Learn how to do active verification on the metrics
Iteration and optimization of the pipeline
Kubernetes introduction
Optimize the pipeline with Kubernetes
Intro to Behaviour-Driven Development, BDD-type testing
Calabash introduction

Android security principles, design and secure coding

D2 (*or D2 pm, D3 am)
Overview
Introduction, Android history
Security mechanisms in Android
Application Design
Common design patterns
Architecture of an Android app
Secure API design
Designing a reasonable communication flow
Hands-on: the AndroidManifest.xml
Secure data storage
Storage locations, which one to use?
Different formats (sqlite, xml, prefs file etc.) and security implications
Threats to stored data (backups, data leak etc.)
Hands-on: Exploiting weak data storage methods
Network security
Designing and implementing a secure communication flow
TLS issues
Hands-on: certificate pinning implementation and bypass
Inter-Process Communication
Securing activities
Securing content providers
Securing broadcast receivers
Hands-on: typical IPC issues
Secure crypto implementation
Crypto design issues
Libraries
Hands-on: extraction of hard coded crypto material
Tampering detection
Rooting, implications of running on a rooted device
Dynamic hooking
Hands-on: bypassing root detection in several ways
Special interest topics
Kotlin, Flutter, React, etc.

The mobile part of our course follows the OWASP MASVS sections. All classes are tuned for an advanced audience, though they are comprehensible for anyone interested in the development process. A quarter of the course is dedicated to integrated security testing automation and vulnerability management in the CI/CD pipeline (we introduce a ready-to-implement solution, which is mostly applicable to server-side development as well).

iOS secdev &
test automation
course level
advanced (e.g. no OWASP Top 10 intro)
audience
senior/medior developers, lead devs, testers, security champions and security engineers (mostly comprehensible for juniors as well)
duration
single track version: 2 full days;
when combined with the Android track: 3 days event:
D1: full (CICD), D2: half, D3: half*
equipment
MacBook with a dev environment; optional: ability to run Docker containers; recommended: a hackable device attached
prerequisite
familiarity with the mobile apps development process
references
Logmein, GoToMeeting

Secure coding and design principles

D1 am
Introduction to Application security
Warm-up case study: when mobile security implementations failed, one after another
Secure coding principles, pt 1
Explanation of the secure coding principles
Secure coding principles, pt 2, practices
Practical hands-on tasks of the secure coding principles
Mobile architectures are secure by design: why do we care?
Security by design
Separation of duties, trust boundaries, defence in depth, principle of least privilege, minimising the attack surface, risk driven mitigation, HTTP security, webservices, HTTPS/TLS
mASVS topics, an introduction to the areas to protect
Mobile architectures are secure by design, pt 2
How a properly designed infrastructure architecture should be built
Fundamental differences between Android vs. iOS platform approaches
Demo on stage
Intro to practical secure development
Setting up the right security requirements
Create and train security champions

Automated security testing in CI/CD pipeline

D1 pm
Automated testing in CI/CD pipelines
Introduction to Docker
Containerize the security tooling
Setting up a docker registry
Introduction into CI tools
Setting up a scripted pipeline
Security test automation philosophy
How to pick the right tools for the right job
Integrating the tools into the CI pipeline
Calabash introduction
Code quality testing
Introduction to SonarQube
Check for dead code
Check for duplicated code
Check for over-complex code
Handling metric results on large scale
Introduction to the vulnerability management tools (VMT)
Delta reporting with the VMT
False positive suppression with the VMT
Learn to read and understand the tooling metrics
Learn how to do active verification on the metrics
Iteration and optimization of the pipeline
Kubernetes introduction
Optimize the pipeline with Kubernetes

iOS security principles, design and secure coding

D2 (*or D2 am, D3 pm)
Overview
Introduction, iOS history
Security mechanisms in iOS
Application signing in iOS
Application design in iOS
Common design patterns
Architecture of an iOS app
Secure API design
Designing a reasonable communication flow
Secure data storage
iOS storage encryption
Protection classes, storage formats and security implications
Data storage and backups
Hands-on: (in)secure storage in applications
Network security
TLS issues
App Transport Security
Certificate pinning
Hands-on: certificate pinning implementation and bypass
Inter-Process communication
Custom protocol handlers
Issues
Hands-on: attacking and securing an insecure custom protocol handler
Secure crypto implementation
Cryptography 101
Do’s and don’ts of crypto implementation
Hands-on: insecure crypto examples and hardcoded encryption key extraction
Tampering detection
Jailbreaking, implications of running on a jailbroken device
Dynamic hooking and method swizzling
Hands-on: bypassing jailbreak detection in several ways

The agenda of the other courses will be published soon.



The manifesto

the developers are the key players of the software security at the end of the day, not the auditors

Secure software development is a professional field which does not yet have many dedicated events, and especially not many events which educate and improve developers. Meanwhile, at the end of the day, the developers are the key players in software security, not the ethical hackers or auditors.

Our ambition is to establish the #1 European event for "securely developing" professionals. Our training events are purely about educating and improving the developers who visit us and the other professionals involved in the S-SDLC.

def[dev]eu is a series of developer trainings; it's not a hacking show, nor is it boring security preaching. We are structured, practical and entertaining, and we see the challenge through the eyes of a software engineer.

"As an active hacker and penetration tester, I came to the conclusion that for most mobile application tests, application developers commit the same mistakes over and over again. The overall security posture of the published mobile applications could be significantly improved if the developers were aware of techniques, tools and methods used by real attackers and this knowledge should be used throughout the entire SDLC process. How differently would developers work if they had the opportunity to see their app through a hacker's eyes? "
-- Zsombor

The trainers

When leading security specialists come together on stage, be prepared to take in a wealth of online security knowledge

As a coder, hacker, speaker, trainer and security researcher employed at ING Belgium, Glenn has over 10 years of experience in the field of security. He is one of the founders of defensive development [defdev], a security trainings series dedicated to helping you build and maintain secure software, and also speaks at multiple other security conferences around the world.

His goal is to create an open-source software development life cycle with the tools and knowledge gathered over the years.


From Glenn's trainings record:
LastPass, LogMeIn, defdev 1611

Zsombor Kovács is a security specialist with many years of hands-on experience in penetration testing in London, Zürich and Budapest. His main focus is mobile application security and infrastructure evaluation, implementation and design. Zsombor conducts penetration tests and malware analysis on a daily basis. He has found vulnerabilities in all sorts of Android and iOS applications in the e-banking, document management, MDM and other fields.

Besides his main area, he has also been involved in projects dealing with incident response, forensic engineering, reversing and physical security. Zsombor is keen on everything related to hacking, from finding bugs in mobile applications to secdev consulting, lock picking, RFID hacking and exploring the human psyche.


From the trainings record of Zsombor:
LogMeIn, GoToMeeting, defdev 1611

Riccardo, a penetration tester from the Netherlands, specializes in application security and has extensive knowledge of securing applications written in multiple programming languages. Riccardo has many years of experience in training and guiding development teams to become more mature and make their applications secure by design.

Not only does Riccardo train developers, he and his brother Glenn also donated an entire knowledge framework, solely dedicated to helping developers make their code secure by design, to OWASP. See:
SKF (Security Knowledge Framework).

Riccardo also has expertise in implementing security test automation in CI/CD pipelines. This creates short feedback loops back to the developer and catches bugs in an early phase of the development lifecycle, before they get into production.

Marek Zachara graduated with an MSc degree in Electrical and Electronic Engineering from the University of Bristol, UK in 2000 and received his PhD in Computer Science in 2008 from AGH UST, Poland. He is an assistant professor at AGH University of Science and Technology in Kraków. Since 2008 Marek has been working with Securing on security audits and on the development of tools and methods for security assessment.

For over five years he has been involved in a number of research activities centred on software quality and security, with a special focus on the simulation and analysis of user behaviour.


The defdev events are delivered with many other enthusiastic and professional people helping our students on the floor and behind the scenes.

The past events

Vienna/Wien 1805 [past]
Android secdev & test automation

Vienna/Wien (AT), intensive training, 1 track, 2 topics

description:

All classes were tuned for an advanced audience (mostly comprehensible for juniors though). The Android secure development and coding classes followed the OWASP MASVS sections. A quarter of the course was dedicated to integrated security testing automation and vulnerability management in the CI/CD pipeline (we introduced a ready-to-implement solution).

dates
'18 MAY31-JUN01
venue
MuseumsQuartier Wien [4 tables]
trainers
Glenn ten Cate, Zsombor Kovács, Riccardo ten Cate
course
Android+CICD agendas
days
2 days event
local network partners:
Kotlin Vienna meetup group
IoT Austria - The Austrian Internet of Things Network
Budapest 1611 [past]
Secdev mastering & S-SDLC & Mobile

Budapest (HU), basic to advanced training, 1 track, 3 topics

description:

Our pilot event took place in 2016 in Budapest, where the idea of the project was born. The agenda, in reverse order, was as follows. The third day was a real tidbit: secdev management practices were evaluated, e.g. Secure SDLC and AppSec management, DevOps security, security testing, SIEM (Security Information and Event Management), IAM, and mobile application security from a defensive point of view. On the previous day, Jim and Glenn mastered the developers' secure coding skills through modules such as HTTP security, HTTPS/TLS best practices, input validation, serialization, solving input injections, CSRF and clickjacking defence, web services security and AngularJS security. All these modules required advanced knowledge of the field; the entry-level knowledge for them was delivered on the first day. So with those first two days defdev provided a complete secure coding course.

dates
'16 NOV17-19
venues
Marriott Courtyard Budapest City Center, Hotel Gellért [55-75 visitors]
trainers
Jim Manico, Glenn ten Cate, Zsombor Kovács
days
3 days event; D1: secdev preps, D2: secdev mastering, D3: s-sdlc and mobile
promo
event trailer on youtube

For sponsors

def[dev]eu events provide a unique opportunity for secure development tooling and service providers to get in touch with developers and team leaders from cool European development teams and IT departments.

Contact us at hello@defdev.eu, direct message us on twitter @defdeveu or call +12318468790 [Timur].




Assistance, feedback, questions

For assistance and questions contact our support!
  • hello@defdev.eu
  • assistance form (google form, no sign-in required)
  • @defdeveu (direct message us)
  • +12318468790 (noon-8pm CET)

Do not hesitate to ask questions, request assistance, call for support, ask about the courses, discounts, invoicing, payment options, team tickets, visa support, hotels, etc.

We also understand that buying 1K EUR+ tickets still requires a decision-making process, even if our trainings are superior.

We suggest you walk through the following steps:

  • Start with our pitch above
  • If the flow requires involving others, we suggest you share that pitch: https://defdev.eu/#pitch
  • Examine the topics of the course in focus (https://defdev.eu/#courses)
  • Check out the details of the event (https://defdev.eu/#events)
  • Some details about ordering tickets are clarified right below (https://defdev.eu/#tickets)
  • Don't hesitate to contact us on the above channels: assistance form, email, twitter dm or call (https://defdev.eu/#support)

Tickets guide

What are the recommended flows to order tickets?
  • Business clients: to place your order, please first contact us via email (hello@defdev.eu) or by filling out the (google) assistance form, so that we can check your EU VAT status and settle all other invoice details.
  • Individual clients: please use Ticket Tailor (https://buytickets.at/defdev) and pay there via PayPal (including card payments) to obtain tickets or to reserve your seat. We will send your invoice almost immediately. In case of any difficulty please contact us!
What payment options are available?

PayPal, credit cards via PayPal, or wire transfer.

What VAT rate applies/included/excluded?
  • For EU VAT subjects (except Hungarian businesses) and for non-EU clients the rate is 0%.
    Thus a ticket price of €1000 is €1000 net + 0 VAT.
  • For all other clients -- EU individuals and Hungarian companies -- the VAT is 27%, and it is included in the announced ticket prices.
    Thus a ticket price of €1000 means €787 + 27% VAT.

We issue the invoices accordingly.

Are there any hidden costs?

No.

Are the tickets refundable?

We refund the price you paid, minus a €50 cancellation fee per ticket, when the cancellation is requested at the latest 30 days before the event. For later requests we are ready to suspend your order and reassign it to another training (a €50 fee applies).

Who issues the invoices and is the beneficiary of payments?

azd.security Kft., Budapest, Hungary
VAT: HU13804079, established 2006, EU ID: HUOCCSZ.01-09-874089 [official registry, in Hungarian only; pass the captcha first]

Other standard questions? (eg. discounts)

Please, browse the other FAQ section below. Also, don't hesitate to contact us on the above channels: assistance form, email, twitter dm, call.

FAQ

Is defdev a max two events per year project?

No, defdev is a series of training events in Europe throughout the year. After Austria the next stations will be the Netherlands, Poland, France and Germany.

What is the difference between secdev and secure coding?

We prefer to tag our secure development courses as "secdev", although this type of course is usually referred to as a secure coding course. In our view secdev is a broader field than secure coding alone: it includes S-SDLC, which is not about coding but about methods, approaches, practices and tools.

What kind of training can an attendee expect? Is it a hands-on training with computer labs or is it more like talks about certain topics?

The lectures are trimmed down; we deliver many demos and sustain the involvement of the students with hands-on and tabletop exercises.

With what equipment should a student visit the trainings?

Bringing your own development device (laptop) is the prerequisite: the device you use for hacking your code.

Who are the trainers on specific days?

The show is delivered by a mix of trainers. Two of us are always on stage simultaneously, and one of us helps the audience with the exercises on the floor.

What packages do you offer for groups of attendees?

The training is also aimed at teams coming together from their workplace or a project, so the prices are tailored for both teams and individuals.

Are there discounts on professional membership or honoring other circumstances?

For OWASP members the discount is 8% (owasp), for ISACA members 5% (isaca), for students with ISIC cards 8% (isic), and 3% for those active in our Gitter groups/channels.

I would like to make a defdev event in my city, is it possible?

defdev is open to cooperation with local professionals. defdev has strict rules of quality and format. Please contact us.

We require a special kind of invoice due to our local regulations; is it possible to get one?

Sure! Please contact us directly.

Dress code?

No dress code.

Other questions?
  • Regarding tickets ordering check the Tickets guide section above.
  • For further details and assistance contact us or submit your question/request/complaints via our assistance form (google, no sign-in required), or via email and twitter dm.

Press releases

EN

Glenn ten Cate and Timur Khrotko introduce def[dev]eu, the defensive development education and mastering project. The def[dev]eu training event series is dedicated to helping developers and other professionals involved in the S-SDLC build and maintain secure software. The defdev events will pop up in several European locations.

Our last public event was delivered at the end of May in Vienna (Wien). The next public events are purely mobile secdev trainings on secure coding and S-SDLC. The iOS and Android secdev trainings are prepared by Zsombor Kovács. The course for one platform is priced at 1300-1500 EUR.

The following defdev events will cover Java, JavaScript/Angular/React/Node, .NET, PHP and IoT secure development.

The first defdev was held in November 2016 in Budapest together with Jim Manico.

See you in Vienna, Amsterdam, Berlin or Kraków and stay tuned for the continuation of the defdev series! https://defdev.eu https://twitter.com/defdeveu
