AppSecAsiaPac2012/Training

Two Day Training Courses

Assessing & Exploiting Web Applications with Samurai-WTF

Trainer: Justin Searle
Audience & Level: Novice to intermediate level security professionals: developers, managers, or penetration testers
Date: Wednesday & Thursday, April 11-12

Course Summary:
Course Details & Instructor Bio

Come take the official two-day Samurai-WTF training course given by one of the founders and lead developers of the project! You will learn the latest Samurai-WTF open source tools and as well as the latest techniques to perform web application penetration tests. After a quick overview of pen testing methodology, the instructors will lead you through the end-to-end process of testing and exploiting several different web applications, including client side attacks using flaws within the application. Different sets of open source tools will be used on each web application, allowing you to learn first hand the pros and cons of each tool. Primary emphasis of these instructor lead exercises is how to integrate these tools into your own manual testing procedures to improve your overall workflow. After you have gained experience with the Samurai-WTF tools, you will be challenged with a capture the flag event. This final challenge will give you time to practice your new skills at your own pace and experiment with your favorite new tools. This experience will help you gain the confidence and knowledge necessary to perform web application assessments and expose you to the wealth of freely available, open source tools.

Mobile Penetration Testing: Start to Finish for iOS apps

Trainer: Jason Haddix
Audience: Technical
Level: Basic, Intermediate
Date: Date: Wednesday & Thursday, April 11-12

Course Summary:
Mobile apps are the new horizon for penetration testing and assessment. This class will go from start to finish on how to:

• Overview of Iphone platform
• Overview of 3rd Party application Threat Models
• Overview of Xcode and Obj-C
• Setup a mobile Penetration Testing lab/environment
• Performing Blackbox Assessments
• Performing Whitebox Assessment
• Finding Common Client/Phone Vulnerabilities
• Finding Common Server-side Vulnerabilities
• Tips and Tricks

This training is good for both new and seasoned mobile app security consultants.

Note: Students will need developer Apple licence, Xcode, Laptop

Jason Haddix is the Director of Penetration Testing at HP and develops and trains internal candidates on the mobile penetration testing team. He also has done several training for web application hacking and network penetration testing.

Hack Your Own Code: Advanced Training for Developers

Trainer: Mike Park & Marc Bown
Audience: Technical, Programmers
Level: Intermediate, Advanced, Programmers
Date: Wednesday & Thursday, April 11-12

Course Summary:
Course Outline

This class provides developers an exciting chance to hone their programming skills while also learning to exploit common web vulnerabilities. Unlike most training, this will not use static demos based on pre-canned source code. Students will program small parts of a larger application during the class’s lab periods. After the component has been written, students will review the code for the vulnerability being focused on in the lab. Vulnerable code will be run on a class-accessible server while the instructor guides students through exploiting the vulnerabilities. After the vulnerability has exploited, students will be shown how their own code can be fixed (if it was vulnerable) and the best way to prevent the flaw in the first place.

This full process will be performed for all major code vulnerabilities in the OWASP Top Ten. Exploitation and patching labs (but not programming) will be held for other vulnerabilities, including logic flaws that are hard to represent on the Top Ten. Several labs will feature prizes for the students that first find or exploit the targeted vulnerability. Environments and examples will be setup for all major platforms requested by pre-registered students. Students should bring a laptop with them, preferably with VMWare Player already installed. A virtual machine based on the OWASP Live Boot CD will be provided for lab work. The virtual machine will include development tools, but students should feel free to bring their favorite programs too.

Unlike many classes, this will allow programmers to focus on their own code. This makes the class far more interactive than a typical secure development class. The focus on lab work engage the students and make it a far more memorable experience.

Mike Park is a Managing Consultant at Trustwave. He is a member of Trustwave's SpiderLabs - the advanced security team focused on penetration testing, incident response, and application security. He has over 12 years experience building and securing software for a variety of companies. Mike is a CISSP and specializes in application security assessment, penetration testing, reverse engineering and secure development life cycle. Mike is an active member of the Ottawa ISSA.

One Day Training Courses

CANCELLED Threat Modeling: From the "cloud" on down CANCELLED

Trainer: Matt Tesauro
Audience: Technical
Level: Basic, Intermediate
Date: Wednesday April 11

Course Summary:
Everyone knows that catching software vulnerabilities early is the best way to create secure software with the least cost (and drama). However, how do you do this in the Agile, Cloud-based application environment that we face today? This training walks you trough an overview of threat modeling techniques and tools with an eye on pragmatic solutions to real world problems. Using the topics covered in this class, you will learn how to determine and describe an applications attack surface, understand the probability of an attack while gaining insight into its impact. Whether you're looking to find design flaws early, eliminate low-hanging vulnerabilities or improve and optimize testing, the discussion and hands-on portions of this class provide real-world examples of application security. The hands-on portion draws lessons from actual software such as those powering web-scale, cloud software stacks allowing you to gain practical experience working through tough software problems.

Matt Tesauro has worked in web application development and security since 2000. He has worn many different hats, from developer to DBA to System Administrator to Penetration Tester. Matt also taught graduate and undergraduate classes on web application development and XML at Texas A&M University. Currently, he's focused on application security risk assessments at Praetorian. Outside work, he is the project lead for the OWASP Live CD / WTE, a member of the OWASP Foundation board, and part of the Austin OWASP chapter leadership. Matt Tesauro has a B.S. in Economics and a M.S in Management Information Systems from Texas A&M University. He is also has the CISSP, CEH (Certified Ethical Hacker), RHCE (Red Hat Certified Engineer), and Linux+ certifications.

Mobile Applications & Security

Trainers: Prashant Verma & Dinesh Shetty
Audience: Management, Technical, Operations
Level: Basic, Intermediate, People with a background in security but no prior knowledge of mobile applications
Date: Thursday, April 12

Course Summary:
This course covers security tests that are conducted on mobile applications with a focus on iOS and Android platforms.

Students will first learn the basics of mobile applications followed by a brief background of iOS and Android platforms, their security models and an overview of their development basics.

They will then learn how to model a threat profile for mobile applications and then test and debug the mobile applications for security vulnerabilities.

Reading locally stored data in mobiles, setting up a proxy to intercept and test network traffic and reversing Android applications will be a few of the topics discussed. We will also discuss the challenges involved in reversing an iOS application. The course includes examples for both the platforms and sample code snippets will also be provided.

We will also discuss the best practices that have to be followed for secure development of mobile applications. The course would end with a discussion of the OWASP Mobile Top 10 risks.

Prashant Verma is a Senior Security Consultant and Competency Lead at Paladion Networks. He has 6 years of experience. He drives the Mobile Application Security Service and Research at Paladion. He is the co-author of the "Security Testing Handbook for Banking Applications". He has also authored security articles for the Hacki9 and Palisade magazines. He has given presentations at Club Hack 2011 on "Pentesting Mobile Applications". He has also given guest lectures and security trainings at various occasions, which include the National Institute of Bank Management (NIBM) and Babasaheb Ambedkar Marathwada University (BAMU). He is a "Digital Evidence Analyst" i.e. he has conducted Mobile Security Testing, Java, Android and iOS Security Code Reviews. He has also conducted numerous application and network penetration tests, vulnerability assessments, etc.

Dinesh Shetty is currently working as an Information Security Consultant at Paladion Networks. He is the principal researcher in the Mobile Application Security Team at Paladion, having developed Paladion's Android, iOS and BlackBerry Gray Box and Code Review checklists, and has trained 30+ engineers to detect security flaws in mobile applications. He has found flaws in leading Web and Mobile-based financial applications and helped the respective organizations fix those vulnerabilities. He has authored many white papers on information security and network-related research, which have been published in multiple information security magazines and international journals such as Packet Storm, Exploit-DB and the PenTest Magazine among others. He has conducted technical trainings and given presentations about various platforms for multiple customers and reputed institutes like the National Institute of Bank Management (NIBM). He is a Certified Ethical Hacker and an IBM Certified AppScan Specialist.

OWASP for CISO and Senior Managers

Trainer: Tobias Gondrom
Audience: Management
Level: Basic, Intermediate, Advanced
Date: Thursday, April 12

Course Summary:
Setting up, managing and improving your global information security organisation using mature OWASP projects and tools. Achieving cost-effective application security and bringing it all together on the management level. How to use and leverage OWASP and other common best practices to improve your security programs and organization. The workshop will also discuss a number of quick wins and how to effectively use OWASP tools inside your organisation. The author has extensive experience of managing his own secure development organization as well as advising to improve a number of global secure development organisations and processes.

Topics:

• OWASP Top-10 and OWASP projects - how to use within your organisation
• Risk management and threat modeling methods (OWASP risk analysis, ISO-27005,...)
• Benchmarking & Maturity Models
• Organisational Design for global information security programs
• SDLC
• Training: OWASP Secure Coding Practices - Quick Reference Guide, Development Guide, Training tools for developers
• Measuring & Verification: ASVS (Application Security Verification Standard) Project, Code Review Guide, Testing Guide
• Development & Operation: ESAPI (Enterprise Security API), AppSensor

Target audience: CISO and senior head of information security managers (VP/director level) - maximum number of seats should be limited to 20, only senior information security managers/leaders will be admitted.

All discussion and issues raised by participants at the workshop will be under the confidentiality under the Chatham House Rule (http://en.wikipedia.org/wiki/Chatham_House_Rule).

Tobias Gondrom is Managing Director of an IT Security & Risk Management Advisory based in the United Kingdom and Germany. He has twelve years of experience in software development, application security, cryptography, electronic signatures and global standardisation organisations working for independent software vendors and large global corporations in the financial, technology and government sector, in America, EMEA and APAC. As the Global Head of the Security Team at Open Text (2005-2007) and from 2000-2004 as the lead of the Security Task Force at IXOS Software AG, he was responsible for security, risk and incident management and introduced and implemented a secure SDLC used globally by development departments in the US, Canada, UK and Germany.

Since 2003 he is the chair of working groups of the IETF (www.ietf.org) in the security area, member of the IETF security directorate, and since 2010 chair of the formed web security WG at the IETF, and a former chapter lead of the German OWASP chapter from 2007 to 2008 and board member of OWASP London. Tobias is the author of the international standards RFC 4998, RFC 6283 and co-author and contributor to a number of internet standards and papers on security and electronic signatures, as well as the co-author of the book „Secure Electronic Archiving“, and frequent presenter at conferences and publication of articles (e.g. AppSec, ISSE, Moderner Staat, IETF, VOI-booklet “Electronic Signature“, iX).

Building Secure Web Applications

Trainer: Klaus Johannes Rusch
Audience: Management, Technical, Operations
Level: Basic, Intermediate
Date: Wednesday, April 11

Course Summary:
Course Outline

Web application security breaches on websites of major corporations and government entities have received significant media attention due to large number of users affected and the leaking of sensitive personal information.

This training will show how to develop secure Web applications and covers security aspects of the full software development life cycle (SDLC). Participants will learn about general security concepts and review common risks, including OWASP’s Top 10 list, assess the technical and business impact of security risks and apply mitigation strategies. The training includes several hands-on labs covering implementation, white-box analysis and black-box testing for security. While most code examples use PHP, MySQL and JavaScript, the content is equally applicable to other programming languages and database engines.

Participants are welcome to bring Web applications or code samples for review during the training also.

Klaus Johannes Rusch is a certified IT architect and manager at IBM, heading the Web Effectiveness group in the Global Web Services organization, which provides consulting services to business units in IBM for optimizing the Web experience as an in-house agency. Previously he was a team leader on the IBM Corporate Webmaster team that manages www.ibm.com.

Klaus Johannes Rusch has over 20 years of application development experience and a track record of hacking web applications. He received an award for best website back in 1995. He holds an MSc degree in computer science from Vienna University of Technology and was an adjunct professor of computer science at Webster University, where he taught web development and web animation. He lives in Vienna, Austria with his wife and two kids, and online at http://klausrusch.atmedia.net/.