OWASP Bucharest AppSec Conference 2017 Workshops

Latest revision as of 15:06, 4 October 2017

Workshops, 13th of October 2017

Threat Modelling a fictitious payment web application
Time: 13th of October, 2 hours, begins at 10:30, Goga Room
Trainer: Mustafa Kasmani
Description:
Following on from the Threat Modelling presentation by the same author, this workshop will aim to put the theory covered by that presentation into practice.

The objective is to introduce the audience to the benefits of performing Threat Modelling on a system during the early stages of design and development. This ensures that key security threats are known and understood early on, so that remediation can be done in a more cost-effective and pragmatic way than if they had been found much later, during testing or in production.

A fictitious payment web application will be examined in this session, defining its business functionality, actors, assets and technology stack. Data flowing between the components will then be drawn out in the form of data-flow diagrams (DFDs). Thereafter the attack surface will be mapped out using the STRIDE methodology, identifying threats pertaining to Spoofing, Tampering, Repudiation, Information disclosure, Denial of service and Elevation of privilege. Finally, these will be documented in a form allowing categorisation of risk, together with the identified security controls that should be tested.
Intended audience: Architects, Designers, Developers, Testers, Security professionals, Project managers.
Skill level: The workshop does not assume an in-depth knowledge of software security.
Requirements: A mind-set of how an attacker might seek to compromise this system, so as to best identify the threats pertaining to it.
Seats available: 20 (first-come, first served)
Price: free
Register here: https://www.eventbrite.com/e/owasp-bucharest-appsec-conference-2017-tickets-35356670754
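The DFD-plus-STRIDE procedure described above, carried through in code as an added example (it is not the workshop's material): a small payment-application model is enumerated STRIDE-per-element, each threat is given a risk category from the sensitivity of the assets it touches and whether a trust boundary is crossed, and each is paired with a control the test plan should exercise. The elements, trust zones, sensitivity rule and control text are constructed for illustration.

```python
"""STRIDE-per-element pass over a small data-flow diagram (DFD).

Added example for the threat modelling workshop; not the workshop's material.
The payment application, its zones, the risk rule and the control text are
constructed for illustration.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional

STRIDE = {
    "S": "Spoofing", "T": "Tampering", "R": "Repudiation",
    "I": "Information disclosure", "D": "Denial of service",
    "E": "Elevation of privilege",
}

# Classic STRIDE-per-element mapping: which categories apply to which DFD kind.
APPLICABLE = {"entity": "SR", "process": "STRIDE", "store": "TRID", "flow": "TID"}

# Assets whose presence raises the risk rating (constructed for the example).
SENSITIVE = {"credentials", "card data"}

# One control per category that the resulting test plan should exercise.
CONTROLS = {
    "S": "authentication of the peer (session binding, mTLS to the gateway)",
    "T": "integrity: input validation, signed messages, DB constraints",
    "R": "tamper-evident audit log carrying user and timestamp",
    "I": "TLS in transit, encryption/tokenisation of card data at rest",
    "D": "rate limiting and timeouts on the endpoint",
    "E": "server-side authorisation check on every request",
}


@dataclass
class Element:
    name: str
    kind: str                      # entity | process | store | flow
    trust_zone: str                # zone the element lives in (unused for flows)
    assets: List[str] = field(default_factory=list)
    src: Optional[str] = None      # flows only: source element name
    dst: Optional[str] = None      # flows only: destination element name


@dataclass
class Threat:
    element: str
    category: str
    risk: str                      # High | Medium | Low
    control_to_test: str


def risk_for(el: Element, elements: Dict[str, Element]) -> str:
    """Constructed risk rule: sensitive asset + exposure (boundary crossing for a
    flow, a non-internal zone for anything else) -> High; one of the two -> Medium."""
    sensitive = bool(set(el.assets) & SENSITIVE)
    if el.kind == "flow":
        exposed = elements[el.src].trust_zone != elements[el.dst].trust_zone
    else:
        exposed = el.trust_zone != "internal"
    if sensitive and exposed:
        return "High"
    if sensitive or exposed:
        return "Medium"
    return "Low"


def enumerate_threats(elements: Dict[str, Element]) -> List[Threat]:
    threats = []
    for el in elements.values():
        risk = risk_for(el, elements)
        for code in APPLICABLE[el.kind]:
            threats.append(Threat(el.name, STRIDE[code], risk, CONTROLS[code]))
    return threats


def summarise(threats: List[Threat]) -> Dict[str, int]:
    counts: Dict[str, int] = {}
    for t in threats:
        counts[t.risk] = counts.get(t.risk, 0) + 1
    return counts


def payment_app_model() -> Dict[str, Element]:
    """Fictitious payment web app: customer -> web app -> order DB / gateway."""
    els = [
        Element("customer", "entity", "internet"),
        Element("web_app", "process", "dmz", ["credentials", "card data"]),
        Element("payment_gateway", "entity", "internet", ["card data"]),
        Element("order_db", "store", "internal", ["card data", "orders"]),
        Element("reporting", "process", "internal", ["orders"]),
        Element("checkout", "flow", "", ["credentials", "card data"], "customer", "web_app"),
        Element("persist_order", "flow", "", ["card data"], "web_app", "order_db"),
        Element("authorise_payment", "flow", "", ["card data"], "web_app", "payment_gateway"),
        Element("nightly_report", "flow", "", ["orders"], "order_db", "reporting"),
    ]
    return {e.name: e for e in els}


if __name__ == "__main__":
    model = payment_app_model()
    found = enumerate_threats(model)
    order = ("High", "Medium", "Low")
    for t in sorted(found, key=lambda t: order.index(t.risk)):
        print(f"{t.risk:6} {t.element:18} {t.category:24} test: {t.control_to_test}")
    print(summarise(found))
```

The output is the documented form the description asks for: one row per element and STRIDE category, with a risk bucket and the control to test. Replacing the risk rule with a proper scoring scheme (likelihood times impact, DREAD, or whatever the team uses) is a one-function change.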

AppSec Bucharest vs. OWASP Juice Shop
Time: 13th of October, 3 hours, begins at 13:30, Goga Room
Trainer: Björn Kimminich
Description:
In this free workshop you can test your skills in hacking modern web applications against the OWASP Juice Shop! There are 43+ challenges waiting to be solved, ranging from simple functional problems and the usual XSS/SQLi issues, through severe authentication flaws, to multi-step and multi-path attacks against the discount coupons issued by the application!

How many challenges can you beat? During the workshop you can get some first-hand hints in case you feel stuck. At the end of the workshop there will be a demo of some of the more mind-boggling challenges, but only for those who don't want to solve them on their own later! You will have an idea how good you and your tools are with
Intended audience: Developers and pentesters with at least basic understanding of common web application vulnerabilities
Skill level: The workshop does not assume an in-depth knowledge of software security.
Requirements:

  • laptop with OWASP Juice Shop installed using one of the setups described in https://github.com/bkimminich/juice-shop#setup
  • internet browser with some API testing plugin (e.g. Postman for Chrome)
  • (optionally) any kind of pentesting tools


Seats available: 20 (first-come, first served)
Price: free
Register here: https://www.eventbrite.com/e/owasp-bucharest-appsec-conference-2017-tickets-35356670754
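The SQL injection and authentication-bypass class the challenges above mention, shown as an added example rather than Juice Shop's own code: a login query built by string concatenation beside its parameterised form, both run against an in-memory SQLite table. The schema, the users and the deliberately minimal unsalted hashing are constructed for the example.

```python
"""Login SQL injection: string-built query beside the parameterised fix.

Added example for the SQLi / authentication-flaw challenge class; this is not
Juice Shop code. Schema, users and hashing are constructed for illustration.
"""
import hashlib
import sqlite3
from typing import Optional, Tuple


def h(password: str) -> str:
    # Unsalted SHA-256 is itself a weakness; kept minimal because the point
    # here is the query, not the password storage.
    return hashlib.sha256(password.encode()).hexdigest()


def setup_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, email TEXT, "
        "password TEXT, role TEXT)"
    )
    users = [  # constructed accounts
        ("admin@example.test", "s3cret-admin", "admin"),
        ("jane@example.test", "hunter2", "customer"),
    ]
    for email, pw, role in users:
        conn.execute(
            "INSERT INTO users (email, password, role) VALUES (?, ?, ?)",
            (email, h(pw), role),
        )
    return conn


def login_vulnerable(conn, email: str, password: str) -> Optional[Tuple[str, str]]:
    # The email field is spliced into the SQL text, so it becomes part of the
    # grammar: a quote closes the literal and '--' comments out the password check.
    sql = (
        f"SELECT email, role FROM users WHERE email = '{email}' "
        f"AND password = '{h(password)}'"
    )
    return conn.execute(sql).fetchone()


def login_safe(conn, email: str, password: str) -> Optional[Tuple[str, str]]:
    # Bound parameters are sent as values, never parsed as SQL.
    sql = "SELECT email, role FROM users WHERE email = ? AND password = ?"
    return conn.execute(sql, (email, h(password))).fetchone()


if __name__ == "__main__":
    db = setup_db()
    for payload in ["' OR 1=1--", "admin@example.test'--"]:
        print("vulnerable:", repr(payload), "->", login_vulnerable(db, payload, "x"))
        print("safe:      ", repr(payload), "->", login_safe(db, payload, "x"))
```

The first payload returns whichever row the database yields first (here the admin); the second targets a known account by name. Against the parameterised query both payloads are just an unknown email address. The same reasoning applies to the ORM-built queries used by a Node.js application: only the query API that binds values, not string interpolation, prevents this class.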

Free Diving into Android Security
Time: 13th of October, 3 hours, begins at 9:30, Slavici Room
Trainers: Nikhil P Kulkarni and Ravi Kumar Kovela
Description:
The aim of this free workshop is to get a taste of working on Android security. Attendees will install and learn the tools used for Android pentesting. The following topics will be covered during the 3 hour session:
  • Fundamentals of Android Operating System
  • Understanding the Android Security Architecture
  • Android Permission Model
  • Understanding how to setup a pentest environment
  • Understanding the Android Debug Bridge
  • Fundamentals of Android Application Signing
  • Understanding the working of app permissions using the Android Manifest File

Though not in-depth, this workshop will give a solid push to start into the mobile security scene. At the end of the workshop, attendees will be given a few challenges to solve, giving them an understanding of how to find some of the well-known Android security issues.
Intended Audience: Application Developers and Penetration Testers who plan to get into the field of Mobile Pentesting, with basic knowledge and understanding of the Android Operating System.
Prerequisites:

  • A Laptop with full administrative access since you will be installing software.
  • Make sure to have at least 10 GB of free space on your laptop and a minimum of 4 GB RAM
  • Basic knowledge on Android

Software Requirements:

  • VirtualBox 5.x.x installed. Please have this installed before the session starts. VMWare will not be supported.
  • Any of the following OS: OSX, Win 7 and above, Ubuntu 12.04 and above

Seats available: 20 (first-come, first served)
Price: free
Register here: https://www.eventbrite.com/e/owasp-bucharest-appsec-conference-2017-tickets-35356670754
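For the manifest and permission-model topics in the agenda above, an added example (not the workshop's material) that reads an AndroidManifest.xml and flags what a first pentest pass looks at: dangerous permissions requested, the debuggable and allowBackup flags, and components exported without a guarding permission, using the pre-Android-12 default that a component with an intent-filter is exported unless it says otherwise. The manifest is constructed, and the dangerous-permission set is only a subset of Android's.

```python
"""Static checks on an AndroidManifest.xml: permissions and exported components.

Added example for the Android workshop's manifest/permission topics; not the
workshop's material. The sample manifest is constructed and DANGEROUS is a
subset of the permissions Android treats as runtime-granted.
"""
import xml.etree.ElementTree as ET
from typing import List, Tuple

ANDROID_NS = "http://schemas.android.com/apk/res/android"


def a(attr: str) -> str:
    """ElementTree spelling of an android:attr attribute."""
    return f"{{{ANDROID_NS}}}{attr}"


DANGEROUS = {
    "android.permission.READ_CONTACTS", "android.permission.READ_SMS",
    "android.permission.ACCESS_FINE_LOCATION", "android.permission.CAMERA",
    "android.permission.RECORD_AUDIO", "android.permission.READ_EXTERNAL_STORAGE",
}

# Constructed manifest with several of the issues a pentester looks for.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.payments">
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.READ_SMS"/>
    <uses-permission android:name="android.permission.READ_CONTACTS"/>
    <application android:debuggable="true" android:allowBackup="true">
        <activity android:name=".MainActivity">
            <intent-filter>
                <action android:name="android.intent.action.MAIN"/>
                <category android:name="android.intent.category.LAUNCHER"/>
            </intent-filter>
        </activity>
        <activity android:name=".TransferActivity" android:exported="true"/>
        <service android:name=".SyncService" android:exported="true"
                 android:permission="com.example.payments.SYNC"/>
        <provider android:name=".CardProvider"
                  android:authorities="com.example.payments.cards"
                  android:exported="true"/>
        <receiver android:name=".BootReceiver">
            <intent-filter>
                <action android:name="android.intent.action.BOOT_COMPLETED"/>
            </intent-filter>
        </receiver>
    </application>
</manifest>
"""


def is_exported(component: ET.Element) -> bool:
    """Explicit android:exported wins; otherwise (pre-Android-12 default) a
    component with an intent-filter is exported and one without is not."""
    explicit = component.get(a("exported"))
    if explicit is not None:
        return explicit.lower() == "true"
    return component.find("intent-filter") is not None


def is_launcher(component: ET.Element) -> bool:
    """The launcher activity is exported by design; skip it to avoid noise."""
    return any(c.get(a("name")) == "android.intent.category.LAUNCHER"
               for c in component.iter("category"))


def audit_manifest(xml_text: str) -> List[Tuple[str, str]]:
    root = ET.fromstring(xml_text)
    findings: List[Tuple[str, str]] = []
    for p in root.findall("uses-permission"):
        name = p.get(a("name"), "")
        if name in DANGEROUS:
            findings.append(("dangerous-permission", name))
    app = root.find("application")
    if app is None:
        return findings
    if app.get(a("debuggable"), "false").lower() == "true":
        findings.append(("debuggable", "application"))
    if app.get(a("allowBackup"), "true").lower() == "true":   # defaults to true
        findings.append(("allow-backup", "application"))
    for tag in ("activity", "service", "receiver", "provider"):
        for comp in app.findall(tag):
            name = comp.get(a("name"), "?")
            if is_launcher(comp):
                continue
            if is_exported(comp) and comp.get(a("permission")) is None:
                findings.append((f"exported-{tag}-no-permission", name))
    return findings


if __name__ == "__main__":
    for kind, where in audit_manifest(SAMPLE_MANIFEST):
        print(f"{kind:34} {where}")
```

Run it on a manifest pulled from a device (adb pull, then decode with apktool or aapt) to get the list of components to poke at with adb shell am start / startservice / broadcast before touching any code. The exported provider with no permission is the classic find: every app on the device can query com.example.payments.cards.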