This site is the archived OWASP Foundation Wiki and is no longer accepting Account Requests.
To view the new OWASP Foundation website, please visit https://owasp.org

Difference between revisions of "OWASP Bucharest AppSec Conference 2017 Workshops"

From OWASP
Jump to: navigation, search
Line 7: Line 7:
 
| style="width:40%" valign="middle" height="30" bgcolor="#CCCCEE" align="center" colspan="0" | '''Description'''
 
| style="width:40%" valign="middle" height="30" bgcolor="#CCCCEE" align="center" colspan="0" | '''Description'''
 
|-
 
|-
| style="width:10%" valign="middle" height="30" bgcolor="#CCEEEE" align="center" colspan="0" | Workshop <br> 13th of October<br> '''3 hours:'''<br>begins at 10:15 <br><br>
+
| style="width:10%" valign="middle" height="30" bgcolor="#CCEEEE" align="center" colspan="0" | Workshop <br> 13th of October<br> '''2 hours:'''<br>begins at 10:30 <br><br>
 +
| style="width:25%" valign="middle" height="30" bgcolor="#CCEEEE" align="center" colspan="0" | Threat Modelling a fictitious payment web application<br>
 +
 
 +
| style="width:25%" valign="middle" height="30" bgcolor="#CCEEEE" align="center" colspan="0" |  [https://uk.linkedin.com/in/mustafa-kasmani-7508b143 Mustafa Kasmani]
 +
| style="width:40%" valign="middle" height="30" bgcolor="#CCEEEE" align="justify" colspan="0" | '''Description:'''<br>Following on from the Threat Modelling presentation by the same author, this workshop will aim to put the theory covered by that presentation into practice.
 +
 +
The objective of doing so is to introduce the audience to the benefits of performing Threat Modelling on a system during the early stages of design / development. This ensures that key security threats are known and understood early on allowing remediation to be done in a more cost effective and pragmatic way than had they been found much later on during testing or when in production.
 +
 +
A fictitious payment web application will be examined in this session – defining its business functionality, actors, assets and technology stack. Data flowing between the components will then be drawn out in the form of data-flow diagrams (DFD’s). Thereafter the attack-surface will be mapped out using the STRIDE methodology identifying threats pertaining to Spoofing, Tampering, Repudiation, Information disclosure, Denial of service and the Elevation of privilege. Finally, these will documented in a form allowing categorisation of risk together with identified security controls that should be tested.  <br>
 +
'''Intended audience:''' Architects, Designers, Developers, Testers, Security professionals, Project managers. <br>
 +
'''Skill level: '''The workshop does not assume an in-depth knowledge of software security.  <br>
 +
'''Requirements:''' A mind-set of how an attacker might seek to compromise this system, so as to best identify the threats pertaining to it.
 +
<br>
 +
'''Seats available: '''20 (first-come, first served)<br>
 +
'''Price: '''free <br>
 +
[https://www.eventbrite.com/e/owasp-bucharest-appsec-conference-2017-tickets-35356670754 Register here]
 +
|-
 +
| style="width:10%" valign="middle" height="30" bgcolor="#CCEEEE" align="center" colspan="0" | Workshop <br> 13th of October<br> '''3 hours:'''<br>begins at 13:30 <br><br>
 
| style="width:25%" valign="middle" height="30" bgcolor="#CCEEEE" align="center" colspan="0" | AppSec Bucharest vs. OWASP Juice Shop<br>
 
| style="width:25%" valign="middle" height="30" bgcolor="#CCEEEE" align="center" colspan="0" | AppSec Bucharest vs. OWASP Juice Shop<br>
  
Line 20: Line 37:
 
* internet browser with some API testing plugin (e.g. PostMan for Chrome)
 
* internet browser with some API testing plugin (e.g. PostMan for Chrome)
 
* ''(optionally)'' any kind of pentesting tools
 
* ''(optionally)'' any kind of pentesting tools
<br>
 
'''Seats available: '''20 (first-come, first served)<br>
 
'''Price: '''free <br>
 
[https://www.eventbrite.com/e/owasp-bucharest-appsec-conference-2017-tickets-35356670754 Register here]
 
|-
 
| style="width:10%" valign="middle" height="30" bgcolor="#CCEEEE" align="center" colspan="0" | Workshop <br> 13th of October<br> '''2 hours:'''<br>begins at 14:00 <br><br>
 
| style="width:25%" valign="middle" height="30" bgcolor="#CCEEEE" align="center" colspan="0" | Threat Modelling a fictitious payment web application<br>
 
 
| style="width:25%" valign="middle" height="30" bgcolor="#CCEEEE" align="center" colspan="0" |  [https://uk.linkedin.com/in/mustafa-kasmani-7508b143 Mustafa Kasmani]
 
| style="width:40%" valign="middle" height="30" bgcolor="#CCEEEE" align="justify" colspan="0" | '''Description:'''<br>Following on from the Threat Modelling presentation by the same author, this workshop will aim to put the theory covered by that presentation into practice.
 
 
The objective of doing so is to introduce the audience to the benefits of performing Threat Modelling on a system during the early stages of design / development. This ensures that key security threats are known and understood early on allowing remediation to be done in a more cost effective and pragmatic way than had they been found much later on during testing or when in production.
 
 
A fictitious payment web application will be examined in this session – defining its business functionality, actors, assets and technology stack. Data flowing between the components will then be drawn out in the form of data-flow diagrams (DFD’s). Thereafter the attack-surface will be mapped out using the STRIDE methodology identifying threats pertaining to Spoofing, Tampering, Repudiation, Information disclosure, Denial of service and the Elevation of privilege. Finally, these will documented in a form allowing categorisation of risk together with identified security controls that should be tested.  <br>
 
'''Intended audience:''' Architects, Designers, Developers, Testers, Security professionals, Project managers. <br>
 
'''Skill level: '''The workshop does not assume an in-depth knowledge of software security.  <br>
 
'''Requirements:''' A mind-set of how an attacker might seek to compromise this system, so as to best identify the threats pertaining to it.
 
 
<br>
 
<br>
 
'''Seats available: '''20 (first-come, first served)<br>
 
'''Seats available: '''20 (first-come, first served)<br>

Revision as of 19:53, 22 September 2017

Workshop

Time Title Trainers Description
Workshop
13th of October
2 hours:
begins at 10:30

Threat Modelling a fictitious payment web application
 Mustafa Kasmani Description:
Following on from the Threat Modelling presentation by the same author, this workshop will aim to put the theory covered by that presentation into practice.

The objective of doing so is to introduce the audience to the benefits of performing Threat Modelling on a system during the early stages of design / development. This ensures that key security threats are known and understood early on allowing remediation to be done in a more cost effective and pragmatic way than had they been found much later on during testing or when in production.

A fictitious payment web application will be examined in this session – defining its business functionality, actors, assets and technology stack. Data flowing between the components will then be drawn out in the form of data-flow diagrams (DFD’s). Thereafter the attack-surface will be mapped out using the STRIDE methodology identifying threats pertaining to Spoofing, Tampering, Repudiation, Information disclosure, Denial of service and the Elevation of privilege. Finally, these will documented in a form allowing categorisation of risk together with identified security controls that should be tested.
Intended audience: Architects, Designers, Developers, Testers, Security professionals, Project managers.
Skill level: The workshop does not assume an in-depth knowledge of software security.
Requirements: A mind-set of how an attacker might seek to compromise this system, so as to best identify the threats pertaining to it.
Seats available: 20 (first-come, first served)
Price: free
Register here

Workshop
13th of October
3 hours:
begins at 13:30

AppSec Bucharest vs. OWASP Juice Shop
 Björn Kimminich Description:
In this *free* workshop you can test your skills in hacking modern web applications against the OWASP Juice Shop! There are 43+ challenge that are waiting to be solved, ranging from simple functional problems and the usual XSS/SQLi issues over severe authentication flaws to multi-step & multi-path attacks against the discount coupons issued by the application!

How many challenges can you beat? During the workshop you can get some first-hand hints in case you fell stuck. At the end of the workshop there will be a demo of some of the more mindboggling challenges - but only for those, who don't want to solve them on their own later! You will have an idea how good you and your tools are with
Intended audience: Developers and pentesters with at least basic understanding of common web application vulnerabilities
Skill level: The workshop does not assume an in-depth knowledge of software security.
Requirements:

  • laptop with OWASP Juice Shop installed using one of the setups described in https://github.com/bkimminich/juice-shop#setup
  • internet browser with some API testing plugin (e.g. PostMan for Chrome)
  • (optionally) any kind of pentesting tools


Seats available: 20 (first-come, first served)
Price: free
Register here

Retrieved from "https://wiki.owasp.org/index.php?title=OWASP_Bucharest_AppSec_Conference_2017_Workshops&oldid=233601"