Welcome to the full schedule of the OWASP AppSec Research EU 2013 training days. You’ll find the schedule for the conference days at http://sched2013.appsec.eu
One Day Training
Tuesday, August 20
 

9:30am CEST

Defensive Programming for Javascript & HTML5
This full-day course helps web front-end developers understand the risks involved in manipulating JavaScript and HTML5 and apply defensive programming techniques in both. Topics include the security-relevant aspects of modern browser architecture (the DOM and the same-origin policy, SOP), XSS, CSRF, DOM manipulation, sandboxed iframes, JavaScript execution contexts, CORS, Web Messaging, Web Storage, Geolocation, and JSON. The course is structured into modules and includes code analysis and remediation exercises. The high-level topics are:
  • The HTML5 and JavaScript Risk Landscape
  • Storage of Sensitive Data
  • Secure Cross-domain Communications
  • Implementing Secure Dataflow
  • JSON-related Techniques

After completing this course, students will be able to:
  • Apply HTML5 Defensive Programming Techniques
  • Apply JavaScript Defensive Programming Techniques
  • Apply JSON Defensive Programming Techniques
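As an added illustration of two topics this course lists (Web Messaging and JSON handling), and not material from the course or its trainer, the following JavaScript contrasts a postMessage handler that trusts any sender with one that checks the sender's origin against an exact allowlist, parses the payload as JSON instead of evaluating it, and validates the message shape before acting on it. The origins, message types and sample events are constructed for this example; the handler takes a plain { origin, data } object so it runs under Node.js as well as with a browser MessageEvent.

```javascript
// Added example, not course material: defensive handling of window.postMessage
// traffic. Works on a plain { origin, data } object (Node.js) or a MessageEvent.

// Origins allowed to send us messages. Hostnames are assumptions for this example.
// An allowlist must hold exact origins (scheme + host + port); never test with
// substring or prefix matches such as origin.indexOf("example.com") !== -1.
const TRUSTED_ORIGINS = new Set([
  "https://app.example.com",
  "https://widget.example.com",
]);

// Accepted message types and a validator for each payload (constructed schema).
const MESSAGE_SCHEMAS = {
  // "setTheme" carries one of two fixed theme names.
  setTheme: (p) => !!p && (p.theme === "light" || p.theme === "dark"),
  // "resize" carries a bounded positive integer height in CSS pixels.
  resize: (p) => !!p && Number.isInteger(p.height) && p.height > 0 && p.height <= 4000,
};

// Insecure pattern kept for contrast: no origin check, and the payload is
// evaluated as code, so any window that can reach us runs script in our origin.
function handleMessageInsecure(event) {
  // eslint-disable-next-line no-eval
  return eval("(" + event.data + ")");
}

// Hardened handler: returns the validated message, or null when it is rejected.
function handleMessageSecure(event) {
  // 1. Exact-match the sender's origin against the allowlist.
  if (!TRUSTED_ORIGINS.has(event.origin)) return null;

  // 2. Accept only string payloads and parse them as data, never as code.
  if (typeof event.data !== "string") return null;
  let msg;
  try {
    msg = JSON.parse(event.data);
  } catch (_) {
    return null;
  }

  // 3. Require a known message type (own property only, so "__proto__" or
  //    "toString" cannot select an inherited function) and a valid payload.
  if (!msg || typeof msg !== "object" || typeof msg.type !== "string") return null;
  const validate = Object.prototype.hasOwnProperty.call(MESSAGE_SCHEMAS, msg.type)
    ? MESSAGE_SCHEMAS[msg.type]
    : null;
  if (!validate || !validate(msg.payload)) return null;

  return { type: msg.type, payload: msg.payload };
}

// Sending side: always name the target origin instead of "*", so the browser
// drops the message if the target frame has navigated somewhere unexpected.
function sendToFrame(targetWindow, targetOrigin, type, payload) {
  if (targetOrigin === "*") throw new Error("refusing to post to a wildcard origin");
  targetWindow.postMessage(JSON.stringify({ type, payload }), targetOrigin);
}

// Constructed sample traffic: one legitimate message and four that must be rejected
// (untrusted origin, look-alike origin, out-of-range payload, prototype-named type).
const SAMPLE_EVENTS = [
  { origin: "https://app.example.com", data: '{"type":"setTheme","payload":{"theme":"dark"}}' },
  { origin: "https://evil.example.net", data: '{"type":"setTheme","payload":{"theme":"dark"}}' },
  { origin: "https://app.example.com.evil.net", data: '{"type":"resize","payload":{"height":300}}' },
  { origin: "https://widget.example.com", data: '{"type":"resize","payload":{"height":99999}}' },
  { origin: "https://widget.example.com", data: '{"type":"__proto__","payload":{}}' },
];

// Runs events through the hardened handler and reports accepted/rejected counts.
function triageSamples(events) {
  let accepted = 0;
  let rejected = 0;
  for (const ev of events) {
    if (handleMessageSecure(ev)) accepted++; else rejected++;
  }
  return { accepted, rejected };
}
```

In a browser the hardened function is registered with `window.addEventListener("message", (ev) => { const m = handleMessageSecure(ev); if (m) apply(m); })`; the insecure variant is only there to show what the origin check and JSON.parse replace.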

Speakers

Tiago Teles

Consultant
Tiago Teles is a Technical Consultant with 7 years of experience in clients across different sectors and countries, including banking, insurance, telecommunications and commercial organizations in a variety of roles: Delivering Training, Development, Business Intelligence and Quality...


Tuesday August 20, 2013 9:30am - 5:30pm CEST
Alsterpanorama I Emporio

9:30am CEST

SAP ABAP Penetration Testing
For many people SAP systems are a black box, even though these systems store critical business data. When talking about SAP security, many people think of authorizations and segregation of duties, but it is not that simple: these systems are often vulnerable to attacks that have been well known for years. This one-day course is aimed at non-SAP specialists and introduces penetration testing of SAP NetWeaver ABAP systems. In a dedicated training environment the attendees simulate attacks in hands-on exercises to gain an understanding of the related threats and risks. Best practices and mitigation options are also discussed.

Speakers

Frederik Weidemann

Frederik Weidemann is Head of Consulting at Virtual Forge GmbH and has focused on SAP security for seven years. He is co-author of the first book on ABAP security, “Sichere ABAP-Programmierung” (SAP Press), and has spoken at several SAP and security related conferences such as RSA, OWASP or...


Tuesday August 20, 2013 9:30am - 5:30pm CEST
Hafenpanorama II Emporio

9:30am CEST

Web Application, Web Service and Mobile Secure Coding
The major cause of web insecurity is poor development practice. This intensive one-day bootcamp provides essential application security training for web application, web service and mobile software developers and architects. The class combines lecture, hands-on security testing and code review. Participants will not only learn the most common threats against applications but, more importantly, how to fix the problems and design secure solutions, using defense-based code samples and review.

We provide free email support for life for all students.


Digital copies of all courseware will be provided.

Modules include:

  1. HTTP Basics and Introduction to Application Security
  2. Input Validation
  3. SQL and Other Injection
  4. Access Control Design
  5. XSS Defense
  6. Advanced XSS Defense
  7. Authentication and Session Management
  8. CSRF
  9. Secure SDLC and Security Architecture
  10. Crypto Basics
  11. Crypto Advanced
  12. Mobile Security Basics
  13. Web Service Security Basics

Speakers

Eoin Keary

Eoin Keary is the CTO and founder of BCC Risk Advisory Ltd. (www.bccriskadvisory.com), an Irish company that specialises in secure application development, advisory, penetration testing, Mobile & Cloud security and training. Eoin is also an international board member, and vice chair...

Jim Manico

Jim Manico is the VP of Security Architecture for WhiteHat Security, a web security firm. He authors and delivers developer security awareness training for WhiteHat Security and has a background building software as a developer and architect for over 20 years. Jim is also a global...


Tuesday August 20, 2013 9:30am - 5:30pm CEST
Ostsee Scandic
 
Wednesday, August 21
 

9:30am CEST

CISO training - Managing Web & Application Security - OWASP for senior managers
Setting up, managing and improving your global information security organisation using mature OWASP projects and tools, achieving cost-effective application security, and bringing it all together at the management level. The workshop shows how to use and leverage OWASP and other common best practices to improve your security programmes and organisation, discusses a number of quick wins, and covers how to effectively manage global security initiatives and use OWASP tools inside your organisation. The trainer has extensive experience managing his own secure development organisation as well as advising a number of global secure development organisations on improving their processes.

Topics:

  • OWASP Top-10 and OWASP projects – how to use them within your organisation
  • Risk management and threat modeling methods (OWASP risk analysis, ISO-27005, …)
  • Benchmarking & Maturity Models
  • Organisational design and managing change for global information security programmes
  • SDLC
  • Training: OWASP Secure Coding Practices – Quick Reference Guide, Development Guide, training tools for developers
  • Measuring & Verification: ASVS (Application Security Verification Standard) Project, Code Review Guide, Testing Guide
  • Development & Operation: libraries and frameworks (ESAPI (Enterprise Security API), AppSensor, …)

All discussion and issues raised by participants at the workshop are held in confidence under the Chatham House Rule.

Speakers

Tobias Gondrom

Managing Director, Thames Stanley: Information Security and Risk Management Advisory
Tobias Gondrom is Managing Director of Thames Stanley, a CISO and Information Security & Risk Management Advisory based in Hong Kong, United Kingdom and Germany. He has fifteen years of experience in software development, application security, cryptography, electronic signatures and...


Wednesday August 21, 2013 9:30am - 5:30pm CEST
Ostsee Scandic

9:30am CEST

Defensive Programming in PHP
This course explores measures that developers can take both from a coding and configuration perspective to secure their PHP applications.

PHP is a powerful and versatile web development platform that is widely used throughout the industry. PHP applications are generally affected by the same risks as web applications written in other languages. Although it has a lot in common with other web platforms, there are specific aspects of PHP that set it apart from other technologies, and this is also true from a risk perspective: some risks are unique to PHP or are amplified by the platform.

This course highlights the features and specifics of the platform that can introduce risk, including (but not limited to) unsafe PHP configuration, null-byte issues, dangerous APIs, cryptography, and dynamic file inclusion. Once the student understands these PHP features and risks, the course builds on that knowledge to teach a set of defensive programming techniques for creating secure PHP applications, covering file system access, session management, authentication, input validation and output encoding, cross-site request forgery, transport security, and injection attacks.

This course is structured into modules that cover the areas of concentration for defensive programming on the PHP platform and includes code analysis and remediation exercises. The high-level topics for this course are:

  • PHP Platform Security
  • The PHP Application Risk Landscape
  • Secure Design Principles
  • Defensive Programming Techniques in PHP
  • Secure PHP Architecture and Configuration

Speakers

Paco Hope

Principal Consultant, Cigital
Author of two security books and frequent conference speaker, Paco Hope is a Principal Consultant with Cigital Ltd and has been working in the field of software security for over 12 years. The oldest PHP code he could find on his systems was dated 3 November 1999. Paco helps clients...


Wednesday August 21, 2013 9:30am - 5:30pm CEST
Hafenpanorama II Emporio

9:30am CEST

Java Web Hacking & Hardening
This hands-on workshop focuses on securing Java web applications against attack. Over the course of the day a deliberately vulnerable Java web application, written specifically for this workshop, is examined, exploited, and secured. We start with common web application vulnerabilities (XSS, SQL injection, CSRF, command injection, session attacks, etc.) and continue to more specialized weaknesses, covering XML as well as RESTful interfaces and WebSockets. Preventive protection techniques are also discussed, such as introducing protection tokens (e.g. OWASP’s CSRFGuard), adding security-specific HTTP headers, and applying encryption. The main intention of the course is to learn and practice web application hardening by finding security holes step by step and closing them.

Speakers

Christian Schneider

Freelancer, Christian Schneider
Christian has pursued a successful career as a freelance Java software developer since 1997 and expanded it in 2005 to include the focus on IT security. His major areas of work are penetration testing, security architecture consulting, and threat modeling. As a trainer, Christian...


Wednesday August 21, 2013 9:30am - 5:30pm CEST
Alsterpanorama I Emporio
 