Public and private secure development trainings.
We harden apps by mastering devs' skills.

defensive development [defdev] trainings are dedicated to helping teams and pros build and maintain secure software. Let's harden apps by strengthening security skills and through adopting practices that systematically reduce defects.

Catered to [senior/medior devs, architects, testers, devops, team leads and secengs] by experienced appsec/secdev authorities to expand individual careers and to harden deving teams by mastering the secure software production skills and practices.

We aren't a jazz concert. Our hero image conveys the main feature we deliver even at our midsize/theater security trainings, with 1-3 days of advanced jazz on stage: intense mastering of secdev skills.




Learn-by-fixing (testing and hacking)
 

We teach how to fish amid threats instead of giving lessons about the species of fishes in the OWASP Top 10. We make students engaged in the learning process by performing exercises. The trainers on stage demonstrate many practical aspects of hacking or defence practices and patterns. The students have to walk through many hands-on exercises, in teamwork or on their own. We preach Application Security Verification Standard (OWASP ASVS) and practicable knowledge. The theory is minimalistic, dressed into stories and built onto meaningful concepts.




Devel hardening
 

Let’s kill bugs early -- in developers' minds and through adopting sticky devel practices that systematically reduce defects. Development is a collective process; our students become experts who improve the secure coding and practices of their teams by importing the skills learnt off-site into their workplaces. Teams working together in real-life projects are welcome. The goal is to deliver security skills useful in the modern deving practice. Solo professionals are also our first-class guests! See the management pitch below...




Let us hack your codes!)
 

Our twin project, secdev.eu, is a hi-end service for auditing the security quality of code and improving S-SDLC practices. For private secure coding trainings we suggest completing the workshop by reviewing production code together for security design and implementation problems. We provide vulnerability audits and pentesting (VAPT); the resulting audit reports can make subsequent trainings more meaningful for devs. We also help you to implement SKF, the security knowledge framework. Ask about the secdev.eu code audits!

The defdev pitch for management

defdev workshops are designed to significantly improve the security quality of the software production by mastering secure coding skills and through adopting sticky devel practices that systematically reduce defects.

We do trainings on Java/JEE, Javascript/React/Angular, Node.js, iOS/Android, C#/.net, C++, Golang, Python, Kotlin and PHP secure coding, IoT, docker, AWS and mainframe security, also S-SDLC (secdev playbook), CI/CD pipeline (security testing automation and vulnerability management) and even about testing w/ Burp for devs. Our courses are mostly structured around the OWASP Application Security Verification Standard (ASVS), and are based on cloud-hosted exercises and DIY tasks.

Features of both the public and private trainings:

  • Advanced and proficiency level courses. For dev professionals of senior and mid level, team leaders, security champions, architects and secengs.
  • Though we try to remain comprehensible and useful for any person interested in the development process.
  • We minimize lectures, we minimize the stuff developers forget by the second week. We do many demos and make students learn the material by hand with hacking and fixing codes, and with tabletop exercises in teams.
  • Intensive 1XL or 2-3 days delivery. Performance-oriented both on the stage and the floor.
  • We monitor the individual learning style of students.
  • Our trainers are practitioners with authority and have years of experience in enterprise software production: such as security testers who are good at coding or senior developers who learnt security testing and S-SDLC.

With the two formats of our public trainings, the hosted workshops and the theater trainings we try to achieve such quality and impact in training that the public ones can substitute private/onsite workshops:

  • Disruption free environment. (In contrast, in the atmo of their workplaces the on-site training attendees may keep tracking their project or even check out from the training to an important meeting.)
  • Professionals working together in real-life projects are welcome and we will change their practices. Teambuilding is a byproduct of the "teams hardening" we do.

At the theater trainings, our midsize events for 25+ students or 5+ teams from different companies:

  • The trainings are delivered by two trainers on stage simultaneously. We deliver staged performance, the interacting trainers enjoy the show, and the chemistry with the bigger audience is maintained.
  • The defdev floor is structured into tables, we assist students to perform as groups, which makes students engaged and serves deeper and more practical learning.

Clients/visitors of public and private defdev [and also secmachine] trainings were/are: LogMeIn/LastPass/GoToMeeting/Boldchat, Ustream, JKU Institute für Netzwerke und Sicherheit, Siemens/evosoft, Nokia, GE Healthcare, Opera Software, SAP, Balabit, AEGON, KBC/KH Hungary, Ocado, Vijfhart.

Check out further details in the respective sections below: the choice, the abstracts and topics of courses, announced events and the tickets guide.

Contact us at hello@defdev.eu, dm us @defdeveu, or call, or use the assistance (google) form. See the support section.


Recommendations

After the top notch Mobile ASVS-based trainings Zsombor and the defdev guys delivered onsite, our LogMeIn team is looking forward to attending the next secdev training in Vienna.
This and other appsec courses conducted by Glenn, Timur and team have been part of our training program at LogMeIn for several years. They give our developers a great foundation and then strengthen those skills with engaging, hands-on practice. Thanks, defdev!

-- LogMeIn, Dr. Márk Vinkovits, Manager of Application Security  


The courses/workshops

The menu: Java, Javascript/Angular/React, C#, Node.js, iOS/Android, C++, Kotlin, Golang and PHP secure coding, IoT, docker, AWS and mainframe security, also S-SDLC (secdev playbook) and CI/CD pipeline (security testing automation and vulnerability management) and even Burp for devs.

The defdev trainings have been designed to significantly improve the security quality of the software production by mastering secure coding skills and through adopting sticky devel practices that systematically reduce defects.

See the catalog of our courses with details and agendas at c.defdev.eu.


Our popular trainings are:

WebApp secdev

Mobile secdev

Testing automation

'DIY security testing' series


The upcoming events

With the two formats of our public trainings, the hosted workshops and the theater trainings we try to achieve such quality and impact in training that the public ones can substitute private/onsite workshops.

We minimize lectures, we minimize the stuff developers forget by the second week. We do many demos and make students learn the material by hand with hacking and fixing codes, and with tabletop exercises in teams.
Intensive 1XL or 2-3 days delivery. Performance-oriented both on the stage and the floor.

(Also check out our past events.)

Interested in having a private defdev training at your company? Contact us regarding the onsite defdev courses.


Budapest, APR25-26
Secdev in Java
(Spring-flavored)

Budapest (HU), 2-days workshop

Sold out.
Early tickets till APR18:
€580 net [185KHUF+VAT]

Final price:
€720 net [230KHUF+VAT]/seat.

description:

The two-days Java secure development workshop will cover the fundamentals of secure coding in Java (extended with some Spring particulars). We will teach the most important webapp vulnerabilities from the perspective of a developer. Participants will learn how to find vulnerabilities during testing, how to recognize those within the source-code, how to avoid and mitigate those.


timing/days: Apr 25-26 (Thu-Fri), 9:30-17:30
venue/seats: LogMeIn Labs, Budapest; 15+
trainer: Péter Nyilasy
agenda: course desc.
language: Hungarian

Budapest, JUN13
Burp for testers and developers

Budapest (HU), one-day intensive training

Early tickets till MAY13:
€470 net (148KHUF+VAT)

Final price:
€580 net (185KHUF+VAT)/seat.

description:

The purpose of the workshop is to give testers and developers an overview of how the Burp suite can be used for web testing work. Even though Burp is primarily designed for penetration testers, its sophisticated capabilities can come in handy for everyone whose job is to perform general bug hunting in web applications.


timing/days: June 13 (Thu), 10:00-19:00; 1 XL day (7hrs education time)
venue/seats: Green Fox Academy; 15+
trainer: Zsombor Kovács
agenda: course desc.
language: English

* Note: there is also a 'WebAppSec testing/fixing' workshop the following day; by booking both you'll get 10% off.

Budapest, JUN14
WebAppSec testing/fixing

Budapest (HU), one-day intensive training

Early tickets till MAY13:
€470 net (148KHUF+VAT)

Final price:
€580 net (185KHUF+VAT)/seat.

description:

Practice-changing impact, long lasting security knowledge and skills -- are the expected outcomes of this new-school webapp security training. This is a training with minimum lectures, all focused on hands-on exercises. We start off with some understanding of secure development and the secure coding principles. Then we do basic hacking challenges and move gradually to the advanced topics, and after that we do exercises that are about fixing vulnerable code. After this course the attendees will have a vast set of actionable knowledge and practice to be used straight away.


timing/days: June 14 (Fri), 10:00-19:00; 1 XL day (7hrs education time)
venue/seats: Green Fox Academy; 15+
trainer: Glenn ten Cate
agenda: course desc.
language: English

* Note: there is also a Burp workshop the previous day; by booking both you'll get 10% off.

Amsterdam, TBA
iOS/Android secdev

Amsterdam (NL), advanced intensive training, 2 combined tracks

Earlybird €1300 €1500 single track (platform) or €1500 €1750 for both tracks [per seat]


timing/days: TBA [Wednesday-Friday in September]; 3 days event; D1: full, D2: am: ios, pm: android, D3: am: android, pm: ios
venue/seats: TBA [max 12 tables]
trainers: Glenn ten Cate, Zsombor Kovács, Riccardo ten Cate
agenda: Android agenda, iOS agenda
language: English
Registration opens later

The manifesto

the developers are the key players of the software security at the end of the day, not the auditors

Secure software development is a professional field which has not many dedicated events yet, and especially not many events which educate and improve developers. Meanwhile the developers are the key players of the software security at the end of the day, not the ethical hackers or auditors.

Our ambition is to establish the #1 European event of the "securely developing" professionals. Our training events are purely about educating and improving our visitor developers and other professionals involved in the ssdlc.

def[dev]eu is a developers trainings series, it's not a hacking show, nor is it about boring security preaching. We are structured, practical, entertaining, and we see the challenge with the eyes of a software engineer.

"As an active hacker and penetration tester, I came to the conclusion that for most mobile application tests, application developers commit the same mistakes over and over again. The overall security posture of the published mobile applications could be significantly improved if the developers were aware of techniques, tools and methods used by real attackers and this knowledge should be used throughout the entire SDLC process. How differently would developers work if they had the opportunity to see their app through a hacker's eyes?"
-- Zsombor

The trainers

When leading security specialists come together on stage, be prepared to take in a wealth of online security knowledge

As a coder, hacker, speaker, trainer and security chapter leader employed at ING Belgium, Glenn has over 15 years of experience in the field of security. He is one of the founders of defensive development [defdev], a security trainings series dedicated to helping you build and maintain secure software, and also speaks at multiple other security conferences around the world.

Glenn and his brother Riccardo also donated an entire knowledge framework solely dedicated to help developers make their code secure by design to OWASP. See: SKF (Security knowledge framework).

His goal is to create an open-source secure software development life cycle with the tools and knowledge gathered over the years and solving the SecDevOps challenges people face.


From Glenn's trainings record:
EC-Council, LastPass, LogMeIn, defdev1805, defdev1611

Zsombor Kovács is a security specialist with many years of hands-on experience in penetration testing in Budapest, London and Zürich. Besides penetration tests performed on mobile devices (both iOS and Android), his main focus is application and infrastructure evaluation. Zsombor conducts penetration tests and malware analysis on a daily basis. He has found vulnerabilities in all sorts of Android and iOS applications, from e-banking and telecommunication to document management, to MDM. He has also been involved in projects dealing with incident response, forensic engineering, reversing, physical security and social engineering. Zsombor is keen on everything related to hacking, from finding bugs in mobile applications to secdev consulting, to lock picking and RFID hacking and exploring the human psyche.

Recently, Zsombor got involved in secure development trainings on both mobile platforms.


From the trainings record of Zsombor:
LogMeIn, GoToMeeting, defdev1611, defdev1805

As a penetration tester from the Netherlands, Riccardo ten Cate specializes in application security and has extensive knowledge in securing applications in multiple coding languages. Riccardo has many years of experience in training and guiding development teams to become more mature and make their applications secure by design.

Not only does Riccardo train developers, he and his brother Glenn also donated an entire knowledge framework solely dedicated to help developers make their code secure by design to OWASP. See: SKF (Security knowledge framework).

Riccardo also has expertise in implementing security test automation in CI/CD pipelines. This helps create short feedback loops back to the developer and catches bugs in an early phase of the development lifecycle, before they get into production.

Marek Zachara graduated with an MSc degree in Electrical and Electronic Engineering from University of Bristol, UK in 2000 and received his PhD in Computer Sciences in 2008 from AGH UST, Poland. He is an assistant professor at AGH University of Science and Technology in Krakow. Since 2008 Marek has been working with Securing on security audits and development of tools and methods for security assessment.

For over five years he has been involved in a number of research activities centered around software quality and security, with special focus on simulation and analysis of user behavior.

Péter has been doing enterprise web application development for more than a decade now, mainly for financial institutions. He has exceptional knowledge of and strong experience with Java and JEE, and also with several Javascript frameworks. In recent years Péter turned to software security and does secure development consulting, ASVS-based application audits with secdev.eu and is a resident trainer with defdev.eu.

Meanwhile he stays current with the software production internals working also as a freelance software engineer. Péter also teaches Java for developers.


The defdev events are delivered with many other enthusiastic and professional people helping our students on the floor and behind the scenes.

The past events

Tel Aviv MAY27-28 [cancelled]
Mastering holistic WebAppSec

Cancelled due to low demand.

description:

Practice-changing impact, long lasting security knowledge and skills -- are the expected outcomes of this new-school webapp security training. The course is inclusive: the developers learn application security and hacking, improve their professional skills and are also introduced to the security design patterns for fixing the code. In the modern development process security testing is something shared among developers, devops, testers and auditors -- this mingled situation we recreate during exercises.


timing/days: was planned for '19 MAY27-28
venue/seats: OWASP Global AppSec; ~15
trainer: Glenn ten Cate
agenda: course desc.
language: English

Budapest, MAR21
Budapest, 1903 [past]
Péter Nyilasy
JavaScript secdev

Budapest (HU), one-day intensive training
1 XL day (7hrs education time)

description:

The one-day JavaScript security training will cover the fundamentals of secure coding in JavaScript. We will teach the most important web vulnerabilities related to JavaScript from the perspective of the developer. Participants will learn how to find vulnerabilities during testing, how to recognise them within the source code, how to avoid them, and how to mitigate them.


timing/days: '19 MAR21
venue/seats: One Identity Balabit HUB; 15+
trainer: Péter Nyilasy
agenda: course desc.
language: Hungarian

Vienna 1805 [past]
Android secdev & test automation

Vienna/Wien (AT), intensive training, 1 track, 2 topics

description:

All classes were tuned for an advanced audience (mostly comprehensible for juniors though). The Android secure development and coding classes followed the OWASP Mobile ASVS sections. A quarter of the course was dedicated to integrated security testing automation and vulnerability management in the CI/CD pipeline (we introduced a ready-to-implement solution).

 
dates: '18 MAY31-JUN01
venue: MuseumsQuartier Wien [4 tables]
trainers: Glenn ten Cate, Zsombor Kovács, Riccardo ten Cate
course: Android+CICD agendas
days: 2 days event
local network partners: Kotlin Vienna meetup group; IoT Austria - The Austrian Internet of Things Network

Budapest 1611 [past]
Secdev mastering & S-SDLC & Mobile

Budapest (HU), basic to advanced training, 1 track, 3 topics

description:

Our pilot event was in 2016 in Budapest, where the idea of the project was born. The agenda in reverse order was as follows. The third day was a real tidbit, when secdev management practices were evaluated, e.g. Secure SDLC and AppSec Management, DevOps security, Security testing, SIEM (Security Information Event Monitoring), IAM and mobile application security from a defensive point of view. On the previous day, Jim and Glenn mastered the developers’ secure coding skills through modules like HTTP security, HTTPS/TLS best practices, Input validation, serialization, Solving input injections, CSRF and Clickjacking defense, Webservices security, AngularJS security. All these modules required an advanced knowledge of the field. We delivered the entry-level knowledge for these modules on the first day. So with those two first days defdev provided a complete secure coding course.

dates: '16 NOV17-19
venues: Marriott Courtyard Budapest City Center, Hotel Gellért [55-75 visitors]
trainers: Jim Manico, Glenn ten Cate, Zsombor Kovács
days: 3 days event; D1: secdev preps, D2: secdev mastering, D3: s-sdlc and mobile
promo: event trailer on youtube

For sponsors

def[dev]eu events provide a unique opportunity for secure development tooling and services providers to get in touch with developers and team leaders from cool European development teams and IT departments.

Contact us at hello@defdev.eu, direct message us on twitter @defdeveu or call +12318468790 [Timur].




Assistance, feedback, questions

For assistance and questions contact our support!
Email: hello@defdev.eu; assistance form (google form)
Twitter: @defdeveu (direct message us); phone: +12318468790, 11am-7pm UK time

Do not hesitate to ask questions, request assistance, call for support, ask about the courses, discounts, invoicing, payment options, team tickets, visa support, hotels, etc.

We also understand that buying expensive tickets still requires a decision making process, even if our trainings are superior. ,)

We suggest you walk through the following steps:

  • Start with our pitch above
  • If the flow requires involving others, we suggest you share that pitch: https://defdev.eu/#pitch
  • Check out the upcoming events (https://defdev.eu/#upcoming)
  • Review the catalog of our courses, details and agendas (https://c.defdev.eu)
  • Some details about booking tickets are clarified right below (https://defdev.eu/#tickets)
  • Don't hesitate to contact us on the above channels: assistance form, email, twitter dm or call (https://defdev.eu/#support)

Tickets guide for the public trainings

The tickets flow in short
  • Booking: Alice books tickets for Bob and Eve or herself (via a corresponding google form) -> Alice gets a VAT invoice in email from defdeveu/secdeveu to pay and pays via wiretransfer or Paypal -> Alice gets voucher(s) in an email ->
  • Enrollment: Bob and Eve (or Alice) use their personal vouchers to enroll (via a corresponding google form) -> done.
  • [Alternatively] Fast booking/reservation: If you are an individual visitor, you can also pay €50 now to reserve your seat, and pay the rest cca. 3 weeks before the event.
Booking
  • Use the corresponding booking form to indicate your order (the 'book tickets' button/tab on the event page will open a link similar to defdev.eu/e/1905.vie.xxx/book which will redirect to the google form).
    It doesn't matter at this step whether you book a seat for yourself or seats for others.
  • When booking please check the header of the form for details and instructions.
  • Upon receipt of your booking form we will contact you in email.
  • We send you an invoice when all the particulars are clear for us and confirmed on your side.
  • Upon receipt of payment we send you vouchers, one voucher per seat (visitor).
    The vouchers are 6-character codes.
  • If you were helping your colleagues to book their seats, you forward the vouchers one-by-one to the eligible individuals.
Enrollment
  • The enrollment form is available via the 'Enroll w voucher' tab on the event page.
    The enrollment link is something similar to defdev.eu/e/1905.vie.xxx/enroll which will redirect to the google form.
  • A visitor enrolls herself to the course using her personal voucher code at the corresponding form.
  • When the event is approaching we will contact the enrolled/registered visitors with a so-called "student's doc" which will contain all the details of the course. Should that document not be shared with a student/visitor 5 days prior to the event, please alert us at the above channels!
Fast booking/reservation

Should the above corporate flow not fit your situation, you can choose to pay €50 now as a deposit to reserve your seat at the price of today, receive your invoice, and pay the rest cca. 3 weeks before the event.

  • Hit the 'Reserve fast (€50 deposit)' button/tab on the event card. Pay that deposit instantly at PayPal / with any debit/credit card.
  • We will contact you in email within a day to confirm your reservation.
What payment options are available?

Wiretransfer (SEPA/SWIFT/TransferWise), credit/debit cards, Paypal-to-Paypal.

What VAT rate applies/payable/included/excluded?
  • In case of EU VAT subjects (except the Hungarian businesses) and of non-EU clients the rate is 0%.
    Thus ticket price of €1000 is net 1K + 0 VAT payable.
  • For all the other clients -- EU individuals and Hungarian companies -- the VAT is 27%, and is NOT included in the announced ticket prices.
    Thus the announced ticket price of €1000 means €1'270 payable for them (including VAT).
  • Note: special fiscal/taxation regulation cases may apply.
Are the tickets refundable?

We refund the price you paid, with deduction of a €50 cancellation fee per seat, when cancellation is requested by a client at the latest on the 32nd day prior to the event. In case of later requests we are ready to suspend and reassign your order to another training (€50 re-booking fee per seat applies).

Why is that weird note at the event card: "In the unlikely case of low demand this training can be gracefully cancelled..."?

One of the standard conditions of our public trainings is that the booked tickets are to cover the costs. If on the 32nd day prior to the event we see that the announced training may end up in losses then we may cancel it with full rollback. All parties retire back to square one. You as the client get a full refund of the money transferred for the tickets of the cancelled event.

Who issues the invoices and is the beneficiary of payments?

azd.security Kft., Budapest, Hungary
VAT: HU13804079, Estd: 2006, EU ID: HUOCCSZ.01-09-874089 [in Hungarian only, but the official registry, pass the captcha first]
PayPal merchant ID: FUBRZGH72QGZQ

We require a special kind of invoice due to our local regulations, is it possible to get one?

Sure! Let's arrange that at the booking stage.

Other standard questions? (eg. discounts)

Please, browse the other FAQ section below. Also, don't hesitate to contact us on the above channels: assistance form, email, twitter dm, call.

FAQ

What is the difference between secdev and secure coding?

We prefer to tag our secure development courses as "secdev", but usually this type of course is referred to as a secure coding course, or an application security course. In our view, secdev is a broader field than just secure coding: it includes S-SDLC. S-SDLC is not about coding but about methods, approaches, practices and tools.

What kind of training can an attendee expect? Is it a hands-on training with computer labs or is it more like talks about certain topics?

The lectures are trimmed down, we deliver many demos and sustain involvement of the students with hands-ons and tabletops.

With what equipment should a student visit the trainings?

Bringing your own deving device (laptop) is the prerequisite. The device you use for hacking your code.

Are there discounts on professional membership or honoring other circumstances?

OWASP, ISACA, etc. members are eligible for discounts only at courses officially co-marketed with those organizations.
For individual students with real ISIC cards - 10% (indicate in the booking form).

I would like to make a defdev event in my city, is it possible?

defdev is open for cooperation with local professionals. defdev has strict rules of quality and format. Please contact us.

Is lunch included in the ticket price?

Unless otherwise indicated on the event card -- no. We supply some snacks, non-alcoholic drinks and coffee most of the times.

Dress code?

No dresscode.

Other questions?
  • Regarding tickets ordering check the Tickets guide section above.
  • For further details and assistance contact us or submit your question/request/complaints via our assistance form (google, no sign-in required), or via email and twitter dm.


The full catalog of our courses is available at c.defdev.eu.


For press

EN

Glenn ten Cate and Timur Khrotko introduce def[dev]eu, the defensive development education and mastering project. The def[dev]eu training events series is dedicated to helping developers and other professionals involved in the S-SDLC build and maintain secure software. The defdev events are popping up in different European locations.

The first defdev was held in November 2016 in Budapest together with Jim Manico.

See you in Vienna, Amsterdam, Berlin or Kraków and stay tuned for the continuation of the defdev series! https://defdev.eu https://twitter.com/defdeveu
