2018 BASC Workshops - Revision history

Laberdale: Change PenTester to Penetration Tester.

2018-10-24T12:58:58Z

Change PenTester to Penetration Tester.

Laberdale: Updating with CTF descriptions

2018-10-22T21:32:20Z

Updating with CTF descriptions

Laberdale: Added Erik Costlow's workshop.

2018-10-04T21:15:31Z

Added Erik Costlow's workshop.

Laberdale: Added Intro to osquery

2018-10-02T21:07:11Z

Added Intro to osquery

Laberdale at 04:31, 2 October 2018

2018-10-02T04:31:19Z

Laberdale at 04:29, 2 October 2018

2018-10-02T04:29:53Z

Tom Conner: create

2018-06-26T01:48:44Z

create

New page

{{2018_BASC:Header_Template | Workshops}}

The call for workshops is open. Please submit your proposal [https://owasp.submittable.com/submit/118366/basc-cfw-boston-application-security-conference-october-27-2018 here].



{{2018_BASC:Footer_Template|Workshops}}

@@ Line 6: / Line 6: @@
 We would like to thank our workshop leaders for donating their time and effort to help make this conference successful.
-{{2018_BASC:Presentaton_Info_Template|PenTester & Network Defender Training Workshop|Phil Barrows, John Hammond, and Vik Solem| | | }}
+{{2018_BASC:Presentaton_Info_Template|Penetration Tester & Network Defender Training Workshop|Phil Barrows, John Hammond, and Vik Solem| | | }}
 This Training Session is designed to help penetration testers and network administrators up their games.  It is no secret that InfoSec professionals on both sides of the ball are in short supply.  Studies consistently show competition for savvy InfoSec practitioners is fierce and likely to get more intense as organizations climb the InfoSec maturity curve.
@@ Line 17: / Line 17: @@
-{{2018_BASC:Presentaton_Info_Template|PenTester & Network Defender Challenge|Phil Barrows, John Hammond, and Vik Solem| | | }}
+{{2018_BASC:Presentaton_Info_Template|Penetration Tester & Network Defender Challenge|Phil Barrows, John Hammond, and Vik Solem| | | }}
 Building on the Training Session is the Challenge Session.  For this challenge the red and blue team leads will not provide assistance, competitors will employ tools and skills to attack and/or defend assets as they see fit.  It is no secret that InfoSec professionals on both sides of the ball are in short supply.  Studies consistently show competition for savvy InfoSec practitioners is fierce and likely to get more intense as organizations climb the InfoSec maturity curve.

@@ Line 6: / Line 6: @@
 We would like to thank our workshop leaders for donating their time and effort to help make this conference successful.
-{{2018_BASC:Presentaton_Info_Template|PenTesting & Network Defense Arena Challenge|Phil Barrows and Vik Solem| | | }}
+{{2018_BASC:Presentaton_Info_Template|PenTester & Network Defender Training Workshop|Phil Barrows, John Hammond, and Vik Solem| | | }}
@@ Line 12: / Line 32: @@
 Join this live interactive tournament which is sure to a fun, challenging learning experience for all. Whether you are eager to prove your web application AppSec knowledge of the OWASP Top 10 and more….and watch as you climb to the top of the Leaderboard or simply want to learn more about how to code more securely – everyone is welcome and there will be prizes / SWAG for the winner(s).
-The tournament will be conducted using the Secure Code Warrior platform, an innovative online, hands-on, gamified SaaS Learning Platform that actively engages developers to Learn & Build their secure coding skills. This approach is changing the way developers think and behave as they build & test software. Bring your laptop (not tablet), choose your preferred language/framework, whether it be C# (.NET) MVC, C# (.NET) Web Forms, Java Enterprise Edition, Java Spring, Python Django, Ruby on Rails, or Scala Play, and launch into the AppSec Wars Challenge!
+The tournament will be conducted using the Secure Code Warrior platform, an innovative online, hands-on, gamified SaaS Learning Platform that actively engages developers to Learn & Build their secure coding skills. This approach is changing the way developers think and behave as they build & test software. '''''Bring your laptop (not tablet), choose your preferred language/framework, whether it be C# (.NET) MVC, C# (.NET) Web Forms, Java Enterprise Edition, Java Spring, Python Django, Ruby on Rails, or Scala Play, and launch into the AppSec Wars Challenge!'''''
@@ Line 20: / Line 40: @@
 Objective: In this workshop, attendees will be introduced to Threat Modeling, learn how to conduct a Threat Modeling session, learn how to use practical strategies in finding Threats and how to apply Risk Management in dealing with the threats. Depending on time, we will go through 1 or 2 Real World Threat Modeling case studies. Finally, we will end the day with common gotchas in Threat Modeling and how to watch out for them.
-Laptop recommended for some labs, but not required.  GitHub account recommended, but not required.
+'''''Laptop recommended for some labs, but not required.  GitHub account recommended, but not required.'''''
 {{2018_BASC:Presentaton_Info_Template|Advanced XXE Exploitation|Philippe Arteau| | | }}
 When conducting a penetration test for a web application, knowledge of technology-specific caveats becomes crucial. Knowing vulnerability basics is often insufficient to be effective. In this workshop, the latest XXE and XML related attack vectors will be presented. XXE is a vulnerability that affects any XML parser that evaluates external entities. It is gaining more visibility with its introduction to the OWASP Top10 2017 (A4). You might be able to detect the classic patterns, but can you convert the vulnerability into directory file listing, binary file exfiltration, file write or remote code execution? The focus of this workshop will be presenting various techniques and exploitation tricks for both PHP and Java applications. Four applications will be at your disposition to test your skills. For every exercise, sample payloads will be given so that the attendees save some time.
-Attendees must bring their own laptops with Burp Suite or ZAP pre-installed.
+'''''Attendees must bring their own laptops with Burp Suite or ZAP pre-installed.'''''
 {{2018_BASC:Presentaton_Info_Template|Application Cartography and Defense|Erik Costlow| | | }}
-A properly positioned defense will increase strength while decreasing the effort needed to maintain position. For applications, the best defense is both in and around the application. Through instrumentation, defenders can map the attack surface from the inside and add defenses against the right threat at the right location. In this workshop, we will use freely available tools to map an application and describe how instrumentation saves a defender’s time through compatibility, performance, and security.  Attendees require a laptop with internet connection and familiarity with coding, ideally in Java.
+A properly positioned defense will increase strength while decreasing the effort needed to maintain position. For applications, the best defense is both in and around the application. Through instrumentation, defenders can map the attack surface from the inside and add defenses against the right threat at the right location. In this workshop, we will use freely available tools to map an application and describe how instrumentation saves a defender’s time through compatibility, performance, and security.  '''''Attendees require a laptop with internet connection and familiarity with coding, ideally in Java.'''''
@@ Line 44: / Line 63: @@
 The hands-on portion will include installing and configuring osquery on linux, demonstrating how to run osquery in interactive mode, some basic osqueryi shell commands, how to use various facets of sql to write queries for osquery, how to configure osqueryi to listen for events and how to query events tables, and some examples of how osqueryi can be used to investigate a host. If time allows, additional lab sessions may be attempted.
 <!--
 -->

@@ Line 7: / Line 7: @@
 {{2018_BASC:Presentaton_Info_Template|PenTesting & Network Defense Arena Challenge|Phil Barrows and Vik Solem| | | }}
 {{2018_BASC:Presentaton_Info_Template|AppSec Wars Challenge|Stephen Allor| | | }}
@@ Line 12: / Line 13: @@
 The tournament will be conducted using the Secure Code Warrior platform, an innovative online, hands-on, gamified SaaS Learning Platform that actively engages developers to Learn & Build their secure coding skills. This approach is changing the way developers think and behave as they build & test software. Bring your laptop (not tablet), choose your preferred language/framework, whether it be C# (.NET) MVC, C# (.NET) Web Forms, Java Enterprise Edition, Java Spring, Python Django, Ruby on Rails, or Scala Play, and launch into the AppSec Wars Challenge!
 {{2018_BASC:Presentaton_Info_Template|Threat Modeling Workshop|Robert Hurlbut| | | }}
@@ Line 24: / Line 26: @@
 When conducting a penetration test for a web application, knowledge of technology-specific caveats becomes crucial. Knowing vulnerability basics is often insufficient to be effective. In this workshop, the latest XXE and XML related attack vectors will be presented. XXE is a vulnerability that affects any XML parser that evaluates external entities. It is gaining more visibility with its introduction to the OWASP Top10 2017 (A4). You might be able to detect the classic patterns, but can you convert the vulnerability into directory file listing, binary file exfiltration, file write or remote code execution? The focus of this workshop will be presenting various techniques and exploitation tricks for both PHP and Java applications. Four applications will be at your disposition to test your skills. For every exercise, sample payloads will be given so that the attendees save some time.
 Attendees must bring their own laptops with Burp Suite or ZAP pre-installed.

@@ Line 26: / Line 26: @@
+{{2018_BASC:Presentaton_Info_Template|Intro to Osquery Workshop - A Hands On Lab|Milan Shah| | | }}
 <!--
 -->

@@ Line 8: / Line 8: @@
 {{2018_BASC:Presentaton_Info_Template|PenTesting & Network Defense Arena Challenge|Phil Barrows and Vik Solem| | | }}
-{{2018_BASC:Presentaton_Info_Template|AppSec Wars Challenge|Stephen Allor| | | }
+{{2018_BASC:Presentaton_Info_Template|AppSec Wars Challenge|Stephen Allor| | | }}
 Join this live interactive tournament which is sure to a fun, challenging learning experience for all. Whether you are eager to prove your web application AppSec knowledge of the OWASP Top 10 and more….and watch as you climb to the top of the Leaderboard or simply want to learn more about how to code more securely – everyone is welcome and there will be prizes / SWAG for the winner(s).
 The tournament will be conducted using the Secure Code Warrior platform, an innovative online, hands-on, gamified SaaS Learning Platform that actively engages developers to Learn & Build their secure coding skills. This approach is changing the way developers think and behave as they build & test software. Bring your laptop (not tablet), choose your preferred language/framework, whether it be C# (.NET) MVC, C# (.NET) Web Forms, Java Enterprise Edition, Java Spring, Python Django, Ruby on Rails, or Scala Play, and launch into the AppSec Wars Challenge!
-{{2018_BASC:Presentaton_Info_Template|Threat Modeling Workshop|Robert Hurlbut| | | }
+{{2018_BASC:Presentaton_Info_Template|Threat Modeling Workshop|Robert Hurlbut| | | }}
 Threat modeling is a way of thinking about what could go wrong and how to prevent it. Instinctively, we all think this way in regards to our own personal security and safety. When it comes to building software, some software shops either skip the important step of threat modeling in secure software design or, they have tried threat modeling before but haven't quite figured out how to connect the threat models to real world software development and its priorities. Threat modeling should be part of your secure software design process. Using threat modeling and some principals of risk management, you can design software in a way that makes security one of the top goals, along with performance, scalability, reliability, and maintenance.
@@ Line 21: / Line 21: @@
-{{2018_BASC:Presentaton_Info_Template|Advanced XXE Exploitation|Philippe Arteau| | | }
+{{2018_BASC:Presentaton_Info_Template|Advanced XXE Exploitation|Philippe Arteau| | | }}
 When conducting a penetration test for a web application, knowledge of technology-specific caveats becomes crucial. Knowing vulnerability basics is often insufficient to be effective. In this workshop, the latest XXE and XML related attack vectors will be presented. XXE is a vulnerability that affects any XML parser that evaluates external entities. It is gaining more visibility with its introduction to the OWASP Top10 2017 (A4). You might be able to detect the classic patterns, but can you convert the vulnerability into directory file listing, binary file exfiltration, file write or remote code execution? The focus of this workshop will be presenting various techniques and exploitation tricks for both PHP and Java applications. Four applications will be at your disposition to test your skills. For every exercise, sample payloads will be given so that the attendees save some time.
 Attendees must bring their own laptops with Burp Suite or ZAP pre-installed.

@@ Line 3: / Line 3: @@
-The call for workshops is open. Please submit your proposal [https://owasp.submittable.com/submit/118366/basc-cfw-boston-application-security-conference-october-27-2018 here].
+__FORCETOC__
-{{2018_BASC:Presentaton_Info_Template|Capture the Flag Arena|Vik Solem and Phil Barrows| | | }}
+{{2018_BASC:Presentaton_Info_Template|Advanced XXE Exploitation|Philippe Arteau| | | }
 -->
 {{2018_BASC:Footer_Template|Workshops}}