WebAppSec fixing, BUD1906

Budapest, 1906 [past]

Done

WebAppSec testing/fixing

Budapest (HU), 1-day intensive training

Early tickets till MAY31: €470 net [148KHUF+VAT]
Final price: €580 net [185KHUF+VAT]/seat.

* Note: there was also a Burp workshop the previous day.

Onsite pizza lunch by

Green Fox Academy.

timing: June 14 (Fri), 9:00-18:00
venue: Green Fox Academy, Budapest
seats: 15+
trainer: Glenn ten Cate
agenda: course topics
language: English
upon completion: certificate of attendance

Webapp security testing, hacking and fixing

Practice-changing impact, long lasting security knowledge and skills -- are the expected outcomes of this new-school webapp security training. This is a training with minimum lectures and all focused on hands-on exercises. We start off with some understanding of secure development and the secure coding principles. Then we do basic hacking challenges and move gradually to the advanced topics, but after that we do exercises that are about fixing vulnerable code. The attendees will have after this course a vast set of actionable knowledge and practise to be used straight away.

Also using the OWASP SKF project will enable them after the course to build secure applications by design but also continue improving and training themselves.

: WebAppSec testing/fixing

from the 'DIY security testing' series

full title: Webapp security testing, hacking and fixing
course level: practical baseline+
audience: developers, testers, security specialists and champions
duration: 1 XL day, 7 hrs education time
gear: a laptop
preinstalled: KALI, Python2 and Python3, ZAP or Burp community edition; your favorite IDE (for the fixing of vulnerabilities)
qualification requirement: basic programming skills (for the Labs we will start from basic hands-on exploits to advanced ones)

Intro to principles and practice of secdev

Intro to practical secure development: Setting up the right security requirements using OWASP SKF; Create and train security champions; S-SDLC basics, secure development as integral part of SDLC; Automatic tools and their values, non-automatic tools, pentests, peer code review, assisted code-review

Testing/hacking and fixing

Common server-side vulnerabilities and their defense: Injections: SQLi, XML injections, JSON, XPath, XSS, cookie injection, open redirection, http header injection, 2 deserialization attacks; Path traversal, XXE, Buffer overflow, Zip bomb, Million laugh, RFI, Insecure file upload, Code execution, Remote file inclusion; Command injection; Insecure direct object reference; Server side template injection; CSRF bypassing; JWT; Authorization bypasses
Common client-side vulnerabilities and their defense: XSS (types, impact, causes, defenses, other html injections, BeEF); CSRF, Clickjacking, Same-origin policy, CORS; Tabnabbing; Client side template injection

Security design

Security by design: Threat modelling; Separation of duties, trust boundaries, security boundaries, defence in depth, principle of least privilege, minimising the attack surface, risk driven mitigation; Business logic vulnerabilities

Book tickets!

This workshop was delivered by

Glenn ten Cate

FooBar_testing_

As a coder, hacker, speaker, trainer and security chapter leader employed at ING Belgium Glenn has over 15 years experience in the field of security. One of the founders of defensive development [defdev] a security trainings series dedicated to helping you build and maintain secure software and also speaking at multiple other security conferences in the world.

Glenn and his brother Riccardo also donated an entire knowledge framework solely dedicated to help developers make their code secure by design to OWASP. See:
SKF (Security knowledge framework) .

His goal is to create an open-source secure software development life cycle with the tools and knowledge gathered over the years and solving the SecDevOps challenges people face.

From Glenn's trainings record:
EC-Council, LastPass, LogMeIn, defdev1805, defdev1611

The workshop was hosted by

For sponsors

def[dev]eu events provide a unique opportunity for the secure development tooling and services providers to get in touch with developers and team leaders from cool European development teams and IT departments

Contact us at [email protected], direct message us on twitter @defdeveu or call +32476222722 [Timur].