Welcome to the full schedule of the OWASP AppSec Research EU 2013 training days. You’ll find the schedule for the conference days at http://sched2013.appsec.eu

Tuesday, August 20
 

8:00am CEST

Registration
Tuesday August 20, 2013 8:00am - 9:30am CEST
Foyer Emporio

9:00am CEST

Meeting of the teams
Tuesday August 20, 2013 9:00am - 9:30am CEST
Aussichtsreich Emporio

9:30am CEST

Defensive Programming for Javascript & HTML5
This full-day course helps web front-end developers understand the risks involved with manipulating JavaScript and HTML5 and apply defensive programming techniques in both languages. Some of the topics covered include, but are not limited to, important security aspects of modern browser architecture (DOM and SOP), XSS, CSRF, DOM manipulation, Sandboxing iframes, JavaScript Execution Contexts, CORS, Web Messaging, Web Storage, Geolocation, and JSON. This course is structured into modules and includes code analysis and remediation exercises. The high-level topics for this course are:
  • The HTML5 and JavaScript Risk Landscape
  • Storage of Sensitive Data
  • Secure Cross-domain Communications
  • Implementing Secure Dataflow
  • JSON-related Techniques

After completing this course, students will be able to:
  • Apply HTML5 Defensive Programming Techniques
  • Apply JavaScript Defensive Programming Techniques
  • Apply JSON Defensive Programming Techniques

Speakers
Tiago Teles

Consultant
Tiago Teles is a Technical Consultant with 7 years of experience with clients across different sectors and countries, including banking, insurance, telecommunications and commercial organizations, in a variety of roles: Delivering Training, Development, Business Intelligence and Quality... Read More →


Tuesday August 20, 2013 9:30am - 5:30pm CEST
Alsterpanorama I Emporio

9:30am CEST

SAP ABAP Penetration Testing
For many people SAP systems are a black box, even though these systems store critical business data. When talking about SAP security many people think of authorizations and segregation of duties, but it isn't that easy: often these systems are vulnerable to attacks that have been well known for years. The target group of this course is non-SAP specialists. This one-day course gives an introduction to penetration testing on SAP NetWeaver ABAP systems. In a dedicated training environment the attendees will simulate attacks in hands-on exercises to gain an understanding of the related threats and risks. Furthermore, best practices and mitigation possibilities will be discussed.

Speakers
Frederik Weidemann

Frederik Weidemann is Head of Consulting at Virtual Forge GmbH with a focus on SAP Security for seven years. He is coauthor of the first book on ABAP Security “Sichere-ABAP Programmierung” by SAP Press and spoke at several SAP and Security related conferences like RSA, OWASP or... Read More →


Tuesday August 20, 2013 9:30am - 5:30pm CEST
Hafenpanorama II Emporio

9:30am CEST

Web Application, Web Service and Mobile Secure Coding
The major cause of web insecurity is poor development practices. This highly intensive 1-day bootcamp provides essential application security training for web application, web service and mobile software developers and architects. The class is a combination of lecture, hands-on security testing and code review. Participants will not only learn the most common threats against applications but, more importantly, they will also learn how to fix the problems and design secure solutions via defense-based code samples and review.

We provide free email support for life for all students.

Digital copies of all courseware will be provided.

Modules include:

  1. HTTP Basics and Introduction to Application Security
  2. Input Validation
  3. SQL and other Injection
  4. Access Control Design
  5. XSS Defense
  6. Advanced XSS Defense
  7. Authentication and Session Management
  8. CSRF
  9. Secure SDLC and Security Architecture
  10. Crypto Basics
  11. Crypto Advanced
  12. Mobile Security Basics
  13. Webservice Security Basics

Speakers
Eoin Keary

Eoin Keary is the CTO and founder of BCC Risk Advisory Ltd. (www.bccriskadvisory.com), an Irish company that specialises in secure application development, advisory, penetration testing, Mobile & Cloud security and training. Eoin is also an international board member, and vice chair... Read More →

Jim Manico

Jim Manico is the VP of Security Architecture for WhiteHat Security, a web security firm. He authors and delivers developer security awareness training for WhiteHat Security and has a background building software as a developer and architect for over 20 years. Jim is also a global... Read More →


Tuesday August 20, 2013 9:30am - 5:30pm CEST
Ostsee Scandic

9:30am CEST

MDSec's Web Application Hacker's Handbook, Live Edition
The course follows the chapters of the Second Edition of The Web Application Hacker's Handbook, with a strong focus on practical attacks (there are only 136 slides in either of the 2- or 3-day courses). After a short introduction to the subject we delve into common insecurities in logical order:


  • Introduction to Web Application Security Assessment (Chapters 1-3)

  • Automating Bespoke Attacks: Practical hands-on experience with Burp Suite (Chapter 13)

  • Application mapping and bypassing client-side controls (Chapters 4-5)

  • Failures in Core Defense Mechanisms: Authentication, Session Management, Access Control, Input Validation (Chapters 6-8)

  • Injection and API flaws: (Chapters 9-10)

  • User-to-User Attacks (Chapters 12-13)


Attendees will gain theoretical and practical experience of:


  • How to quickly and efficiently pinpoint and exploit vulnerabilities in web applications

  • How to hack using LDAP, XPath, SOAP, HTTP Parameter Pollution (HPP), and HPI

  • Real-world, 2012 techniques in SQL Injection against Oracle, MySQL and MSSQL

  • The real risk: how to turn XSS/CSRF vulnerabilities into full account compromise

  • Harnessing new technologies such as HTML5, NoSQL, and Ajax

  • New attack types and techniques: Bit Flipping, Padding Oracle, Automated Access Control checking

  • How to immediately recognise and exploit Logic Flaws


Speakers
Marcus Pinto

Marcus Pinto is a Director of MDSec and co-author of the Web Application Hacker’s Handbook, with over 13 years’ experience in technical security assessment and 8 years’ experience in delivering technical security training for global audiences such as Blackhat, Hack in the Box... Read More →


Tuesday August 20, 2013 9:30am - 5:30pm CEST
Freiraum I Emporio

9:30am CEST

Mobile Application Hacking and Security - OWASP Top 10 Way
Mobile application hacking and security are becoming a major concern in today's world. In the last few years we have seen a range of new attack vectors and methods of exploitation for these devices. Smartphones and tablets running iPhone, Android, Windows and BlackBerry have taken over the market at a frantic pace. With the introduction of HTML5 and native support for it on most mobile platforms, it becomes interesting to see how the security of mobile devices is shaping up. Today, email, social networking and banking are all possible on the go with smartphones and the applications built for them. These smartphones are equipped with features such as data, Wi-Fi, voice and GPS, and applications can leverage all of them. The sudden growth in the number of applications available for these smartphones raises a certain level of concern for the security of users and of the servers supporting these applications. Mobile applications are vulnerable to a range of attacks such as local storage issues, user data harvesting, activity spying, unauthorized event injection, UI jacking, tab jacking, traffic redirection, logical attacks, hard-coded keys and several others. At the same time, because mobile applications talk to the server side over HTTP/HTTPS, they open up possible attacks on web services and APIs; the server-side applications can be attacked with injections. Several new technology stacks, such as HTML5 and Silverlight, are evolving on mobile and open up new attack surface. In this context it is imperative that IT professionals and corporate application owners understand these attack vectors along with the mechanisms for securing against them. The class features real-life cases, live demos, live hacking, code scanning and defense plans. The following topics will be covered during the class.

Speakers
Hemil Shah

Hemil Shah, CISSP, CSSLP, ACP is the founder and Director of eSphere Security, a company that provides Professional services in Security Arena. He has worked with HBO, KPMG, IL&FS and Net-Square in security space. He has published several advisories, tools, and Whitepapers, and has... Read More →


Tuesday August 20, 2013 9:30am - 5:30pm CEST
Freiraum II Emporio

9:30am CEST

Tactical Defense with ModSecurity
While application flaws should ideally be fixed in the source code, this is often not a feasible task for various reasons. Web application firewalls are often deployed as an additional layer of security that can monitor, detect and prevent attacks before they reach the web application. ModSecurity, an extremely popular open source web application firewall, is often used to help protect web applications against known and unknown vulnerabilities alike. This two-day boot-camp training is designed for people who want to quickly learn how to configure and deploy ModSecurity in the most effective manner possible. The course will cover topics such as the powerful ModSecurity rules language, extending functionality via the embedded Lua engine and managing suspicious events via AuditConsole. Documented hands-on labs help students understand the inner workings of ModSecurity and how to deploy ModSecurity securely. By leveraging the flexibility within ModSecurity, attendees will be able to write effective rules to mitigate complex web vulnerabilities. The bootcamp will cover the following topics:


  1. Introduction to ModSecurity

  2. Deployment Options and Deployment Issues

  3. ModSecurity Installation

  4. ModSecurity Rules Language Primer

    • Variables, Transformation Functions

    • Chain for Complex Rules

    • Persistent Collections

    • Anomaly Scoring, Rule Debugging


  5. OWASP Core Rule Set Overview

  6. Lua – Extending the Rules

  7. Handling False Positives and Creating Exceptions

  8. Rule Writing Tips, Cool Rules for Complex Problems

  9. Virtual Patching Overview

  10. AuditConsole Installation, Configuration and Usage:

    • Multi-User Site Management

    • Automatic archiving of audit-data

    • Generating audit-data Reports, Report customization

    • Realtime Block List Management



Speakers
Christian Bockermann

Starting with Linux/network security in 1996, Christian Bockermann has been working in computer security for over 10 years. While working as a Java web-application developer for several years he started concentrating on web security as his major subject. Alongside working as a research... Read More →


Tuesday August 20, 2013 9:30am - 5:30pm CEST
Alsterpanorama II Emporio

10:00am CEST

Competition Part I
Tuesday August 20, 2013 10:00am - 5:00pm CEST
Aussichtsreich Emporio
 
Wednesday, August 21
 

8:00am CEST

Registration
Wednesday August 21, 2013 8:00am - 9:30am CEST
Foyer Emporio

9:00am CEST

Competition Part II
Wednesday August 21, 2013 9:00am - 4:00pm CEST
Aussichtsreich Emporio

9:30am CEST

CISO training - Managing Web & Application Security - OWASP for senior managers
Setting up, managing and improving your global information security organisation using mature OWASP projects and tools; achieving cost-effective application security and bringing it all together at the management level; how to use and leverage OWASP and other common best practices to improve your security programs and organisation. The workshop will also discuss a number of quick wins and how to effectively manage global security initiatives and use OWASP tools inside your organisation. The author has extensive experience of managing his own secure development organisation as well as advising on improving a number of global secure development organisations and processes.

Topics:


  • OWASP Top-10 and OWASP projects – how to use within your organisation

  • Risk management and threat modeling methods (OWASP risk analysis, ISO-27005,…)

  • Benchmarking & Maturity Models

  • Organisational Design and managing change for global information security programs

  • SDLC

  • Training: OWASP Secure Coding Practices – Quick Reference Guide, Development Guide, Training tools for developers

  • Measuring & Verification: ASVS (Application Security Verification Standard) Project, Code Review Guide, Testing Guide

  • Development & Operation: Libraries and Frameworks (ESAPI (Enterprise Security API), AppSensor, …)


All discussion and issues raised by participants at the workshop will be held in confidence under the Chatham House Rule.

Speakers
Tobias Gondrom

Managing Director, Thames Stanley: Information Security and Risk Management Advisory
Tobias Gondrom is Managing Director of Thames Stanley, a CISO and Information Security & Risk Management Advisory based in Hong Kong, United Kingdom and Germany. He has fifteen years of experience in software development, application security, cryptography, electronic signatures and... Read More →


Wednesday August 21, 2013 9:30am - 5:30pm CEST
Ostsee Scandic

9:30am CEST

Defensive Programming in PHP
This course explores measures that developers can take both from a coding and configuration perspective to secure their PHP applications.

PHP is a powerful and versatile web development platform that is widely used throughout the industry. PHP applications are generally affected by most of the same risks that affect web applications written in other languages. Although it has a lot in common with other web platforms, there are specific aspects of PHP that set it apart from the other technologies. This is also true from a risk perspective. Some PHP risks are unique or amplified by the platform.

This course highlights the features and specifics of the platform that can potentially introduce risks, including (but not limited to) unsafe PHP configuration, null-byte issues, dangerous APIs, cryptography, and dynamic file inclusion issues. Once the PHP features and risks are understood by the student, this course builds upon this knowledge and teaches a set of defensive programming techniques that can be followed to create secure PHP applications, in areas including file system access, session management, authentication, input validation/output encoding, cross-site request forgery, transport security, and injection attacks.

This course is structured into modules that cover the areas of concentration for defensive programming for the PHP platform and includes code analysis and remediation exercises. The high-level topics for this course are:
  • PHP Platform Security
  • The PHP Application Risk Landscape
  • Secure Design Principles
  • Defensive Programming Techniques in PHP
  • Secure PHP Architecture and Configuration

Speakers
Paco Hope

Principal Consultant, Cigital
Author of two security books and frequent conference speaker, Paco Hope is a Principal Consultant with Cigital Ltd and has been working in the field of software security for over 12 years. The oldest PHP code he could find on his systems was dated 3 November 1999. Paco helps clients... Read More →


Wednesday August 21, 2013 9:30am - 5:30pm CEST
Hafenpanorama II Emporio

9:30am CEST

Java Web Hacking & Hardening
This hands-on workshop focuses on securing Java web applications against malicious hacker attacks. Over the complete day a Java web application (written specifically for this workshop) with lots of vulnerabilities is examined, exploited, and secured. We will start with common vulnerabilities found in web applications (XSS, SQL injection, CSRF, command injection, session attacks, etc.) and continue to more specialized security holes (covering XML as well as RESTful interfaces and WebSockets). Prophylactic protection techniques are also discussed, such as introducing protection tokens (e.g. OWASP's CSRFGuard), adding specialized security headers and considering encryption techniques. The main intention behind this course is to learn and practice web application hardening by stepwise finding security holes and closing them.

Speakers
Christian Schneider

Freelancer, Christian Schneider
Christian has pursued a successful career as a freelance software developer since 1997 and expanded it in 2005 to include the focus on IT security. His major areas of work are penetration testing, security architecture consulting, and threat modeling. As a trainer, Christian regularly... Read More →


Wednesday August 21, 2013 9:30am - 5:30pm CEST
Alsterpanorama I Emporio

9:30am CEST

MDSec's Web Application Hacker's Handbook, Live Edition
The course follows the chapters of the Second Edition of The Web Application Hacker's Handbook, with a strong focus on practical attacks (there are only 136 slides in either of the 2- or 3-day courses). After a short introduction to the subject we delve into common insecurities in logical order:


  • Introduction to Web Application Security Assessment (Chapters 1-3)

  • Automating Bespoke Attacks: Practical hands-on experience with Burp Suite (Chapter 13)

  • Application mapping and bypassing client-side controls (Chapters 4-5)

  • Failures in Core Defense Mechanisms: Authentication, Session Management, Access Control, Input Validation (Chapters 6-8)

  • Injection and API flaws: (Chapters 9-10)

  • User-to-User Attacks (Chapters 12-13)


Attendees will gain theoretical and practical experience of:


  • How to quickly and efficiently pinpoint and exploit vulnerabilities in web applications

  • How to hack using LDAP, XPath, SOAP, HTTP Parameter Pollution (HPP), and HPI

  • Real-world, 2012 techniques in SQL Injection against Oracle, MySQL and MSSQL

  • The real risk: how to turn XSS/CSRF vulnerabilities into full account compromise

  • Harnessing new technologies such as HTML5, NoSQL, and Ajax

  • New attack types and techniques: Bit Flipping, Padding Oracle, Automated Access Control checking

  • How to immediately recognise and exploit Logic Flaws


Speakers
Marcus Pinto

Marcus Pinto is a Director of MDSec and co-author of the Web Application Hacker’s Handbook, with over 13 years’ experience in technical security assessment and 8 years’ experience in delivering technical security training for global audiences such as Blackhat, Hack in the Box... Read More →


Wednesday August 21, 2013 9:30am - 5:30pm CEST
Freiraum I Emporio

9:30am CEST

Mobile Application Hacking and Security - OWASP Top 10 Way
Mobile application hacking and security are becoming a major concern in today's world. In the last few years we have seen a range of new attack vectors and methods of exploitation for these devices. Smartphones and tablets running iPhone, Android, Windows and BlackBerry have taken over the market at a frantic pace. With the introduction of HTML5 and native support for it on most mobile platforms, it becomes interesting to see how the security of mobile devices is shaping up. Today, email, social networking and banking are all possible on the go with smartphones and the applications built for them. These smartphones are equipped with features such as data, Wi-Fi, voice and GPS, and applications can leverage all of them. The sudden growth in the number of applications available for these smartphones raises a certain level of concern for the security of users and of the servers supporting these applications. Mobile applications are vulnerable to a range of attacks such as local storage issues, user data harvesting, activity spying, unauthorized event injection, UI jacking, tab jacking, traffic redirection, logical attacks, hard-coded keys and several others. At the same time, because mobile applications talk to the server side over HTTP/HTTPS, they open up possible attacks on web services and APIs; the server-side applications can be attacked with injections. Several new technology stacks, such as HTML5 and Silverlight, are evolving on mobile and open up new attack surface. In this context it is imperative that IT professionals and corporate application owners understand these attack vectors along with the mechanisms for securing against them. The class features real-life cases, live demos, live hacking, code scanning and defense plans. The following topics will be covered during the class.

Speakers
Hemil Shah

Hemil Shah, CISSP, CSSLP, ACP is the founder and Director of eSphere Security, a company that provides Professional services in Security Arena. He has worked with HBO, KPMG, IL&FS and Net-Square in security space. He has published several advisories, tools, and Whitepapers, and has... Read More →


Wednesday August 21, 2013 9:30am - 5:30pm CEST
Freiraum II Emporio

9:30am CEST

Tactical Defense with ModSecurity
While application flaws should ideally be fixed in the source code, this is often not a feasible task for various reasons. Web application firewalls are often deployed as an additional layer of security that can monitor, detect and prevent attacks before they reach the web application. ModSecurity, an extremely popular open source web application firewall, is often used to help protect web applications against known and unknown vulnerabilities alike. This two-day boot-camp training is designed for people who want to quickly learn how to configure and deploy ModSecurity in the most effective manner possible. The course will cover topics such as the powerful ModSecurity rules language, extending functionality via the embedded Lua engine and managing suspicious events via AuditConsole. Documented hands-on labs help students understand the inner workings of ModSecurity and how to deploy ModSecurity securely. By leveraging the flexibility within ModSecurity, attendees will be able to write effective rules to mitigate complex web vulnerabilities. The bootcamp will cover the following topics:


  1. Introduction to ModSecurity

  2. Deployment Options and Deployment Issues

  3. ModSecurity Installation

  4. ModSecurity Rules Language Primer

    • Variables, Transformation Functions

    • Chain for Complex Rules

    • Persistent Collections

    • Anomaly Scoring, Rule Debugging


  5. OWASP Core Rule Set Overview

  6. Lua – Extending the Rules

  7. Handling False Positives and Creating Exceptions

  8. Rule Writing Tips, Cool Rules for Complex Problems

  9. Virtual Patching Overview

  10. AuditConsole Installation, Configuration and Usage:

    • Multi-User Site Management

    • Automatic archiving of audit-data

    • Generating audit-data Reports, Report customization

    • Realtime Block List Management



Speakers
Christian Bockermann

Starting with Linux/network security in 1996, Christian Bockermann has been working in computer security for over 10 years. While working as a Java web-application developer for several years he started concentrating on web security as his major subject. Alongside working as a research... Read More →


Wednesday August 21, 2013 9:30am - 5:30pm CEST
Alsterpanorama II Emporio

4:00pm CEST

Chapters Workshop
The 2013 Chapters Workshop will be held at the Hotel Scandic in Hamburg on Wednesday afternoon, August 21st, from 4:00 to 6:00 pm.

The chapter workshop will be a great learning opportunity for chapter leaders who have much experience as well as those who are new to their positions, or even looking to become a chapter leader in the future. In a style similar to the workshops held in the US, Latam, and AsiaPac over the past year, the Chapter Workshop at AppSec Research this year will be an interactive opportunity for lively discussion of the guidelines and recommendations for chapter leaders as contained in the Chapter Leader's Handbook. Additionally, we will look at what may be missing from the Chapter Leader Handbook and should be included or changed for the next version.

If you are interested in participating in either of these workshops, please register for the Conference and select the optional session “chapter leader’s workshop” as part of the registration process. Remember that conference attendance is free for current chapter and project leaders.

Sponsorship to Attend the Chapters Workshop

If you need financial assistance to attend the Chapter Leader Workshops, please submit a request via the Contact Us form (http://owasp4.owasp.org/contactus.html) by the application deadline for each of the events.


  • July 15th – AppSec Research Chapters workshop sponsorship applications due

  • July 17th – Applicants notified of status


Additional Information for Applicants:


  • Priority of sponsorships will be given to those not covered by a sponsorship to attend a previous workshop. Additionally, we are looking for new or struggling chapter leaders who need assistance kick starting their chapter.

  • When you apply for funding, please let us know *why we should sponsor you*. While we prefer that chapter leaders use their own chapter’s funds before requesting a sponsorship, this is not a requirement for application.

  • If your chapter has funds but will not be using them to sponsor your attendance, please include why you will not be using the funds for this purpose (i.e. what are the other plans for those funds?).


Questions?

If you have any questions, please contact us at: http://owasp4.owasp.org/contactus.html



Wednesday August 21, 2013 4:00pm - 6:00pm CEST
Alster Scandic

4:30pm CEST

Award Ceremony
Wednesday August 21, 2013 4:30pm - 5:00pm CEST
Aussichtsreich Emporio

6:00pm CEST

OWASP Board Open Town Hall
We'll be having an open town hall to meet with the OWASP board and the OWASP Executive Director to discuss anything on your mind. This will be an open discussion session. Please come with any questions or thoughts on your mind.

Wednesday August 21, 2013 6:00pm - 7:00pm CEST
Alster Scandic