This site is the archived OWASP Foundation Wiki and is no longer accepting Account Requests.
To view the new OWASP Foundation website, please visit https://owasp.org

Difference between revisions of "OWASP Bucharest AppSec Conference 2017 Training2"

From OWASP
Jump to: navigation, search
Line 45: Line 45:
 
The knowledge of Mobile Security, especially Android has become essential in securing today’s digital environment. This workshop is developed to introduce and bring hands on experience of the exciting and growing field of Android Pentesting and its Security Essentials.<br>
 
The knowledge of Mobile Security, especially Android has become essential in securing today’s digital environment. This workshop is developed to introduce and bring hands on experience of the exciting and growing field of Android Pentesting and its Security Essentials.<br>
 
Upon completing this course, the participants are expected to:
 
Upon completing this course, the participants are expected to:
* Gain a set of techniques focused on the use of vendor-neutral, open source tools, Develop the skills to capture suspicious data.
+
 
* Discern unusual patterns hidden within seemingly normal applications.
+
*Gain a set of techniques focused on the use of vendor-neutral, open source tools, Develop the skills to capture suspicious data.
* Understand the basics of Android Security Architecture.
+
*Discern unusual patterns hidden within seemingly normal applications.
* Get trained enough to start into Mobile Pentesting as the new generation Mobile Security Researcher.
+
*Understand the basics of Android Security Architecture.
* Get prepared for active research at the forefront of these areas.
+
*Get trained enough to start into Mobile Pentesting as the new generation Mobile Security Researcher.
Throughout the course, real-world examples in conjunction with numerous hands-on exercises will provide android pentesting & analysis skills.<br>
+
*Get prepared for active research at the forefront of these areas.
 +
*Throughout the course, real-world examples in conjunction with numerous hands-on exercises will provide android pentesting & analysis skills.
 +
<br>
 
Outline: Android Security
 
Outline: Android Security
* Module 1
+
*Module 1:
*# Intro to Android
+
*#Introduction to Android OS
*# Android Security Architecture
+
*#Android Security Architecture
*# Android application structure
+
*#Android Permission Model
*# Signing Android applications
+
*#Sandboxing Applications
*# Android Debug Bridge
+
*#Setting up the Android Emulator
*# Understanding Android file system
+
*#Setting up a Mobile Pentest Environment
*# Permission Model Flaws
 
  
* Module 2
+
*Module 2:
*# Understanding Android Components
+
*#Inspecting Application Certificates and Signatures
*# Introducing Android Emulator
+
*#Signing/Resigning Android Applications
*# Introducing Android AVD
+
*#Application Signatures Verification
 +
*#Investigating app permissions through manifest file
 +
*#Working with Android Debug Bridge (ADB)
 +
*#Application Resources Extraction using ADB
  
* Module 3
+
*Module 3:
*# Proxying Android Traffic
+
*#Bypassing Android Permissions
*# Reverse Engineering for Android Apps
+
*#Introduction to Drozer
*# Dex Analysis and Obfuscation
+
*#Setting up and Running a Drozer Session
 +
*#Enumerating Packages and their Activities
 +
*#Enumerating Content Providers and Services
 +
*#Enumerating Broadcast Receivers
 +
*#Using Drozer to find vulnerabilities
  
* Module 4
+
*Module 4:
*# Attack Surfaces for Android applications
+
*#Reversing Android Applications
*# Exploiting Local Storage
+
*#Analysing DEX Files
*# Exploiting Weak Cryptography
+
*#Working with Logcat
*# Exploiting Side Channel Data Leakage
+
*#Network Traffic Inspection
*# Root Detection and Bypass
+
*#Passive Intent Sniffing
*# Exploiting Weak Authorization mechanism
+
*#Exploiting Services
*# Identifying and Exploiting Flawed Broadcast Receivers
+
*#Exploiting Broadcast Receivers
*# Identifying and Exploiting Flawed Intents
+
*#Exploiting Insecure Data Storage
*# Identifying and Exploiting Vulnerable Activity Components
+
*#Exploiting Poor Cryptography Implementation
*# Exploiting Backup and Debuggable apps
+
*#Exploiting Data Leakage vulnerabilities
*# Dynamic Analysis for Android Apps
+
*#Exploiting the Debuggable Applications
*# Analyzing Proguard, DexGuard and other Obfuscation Techniques
+
*#Static/Dynamic Analysis of Android Applications
 +
*#Working with Dexguard and Proguard  
 
<br>
 
<br>
 
'''Intended audience:''' This workshop is essential to information security, mobile security & risk management, loss prevention, corporate security and law enforcement personnel interested in Mobile Security. e.g. Security professionals, who possess basic general security knowledge. Personnel who have working knowledge of android security and pentesting and want to gain experience in the end-to-end mobile security process can attend this training.<br>
 
'''Intended audience:''' This workshop is essential to information security, mobile security & risk management, loss prevention, corporate security and law enforcement personnel interested in Mobile Security. e.g. Security professionals, who possess basic general security knowledge. Personnel who have working knowledge of android security and pentesting and want to gain experience in the end-to-end mobile security process can attend this training.<br>

Revision as of 18:24, 23 September 2017

Training

Time Title Trainers Description
2 days training
11th and 12th of October
daily: 9:00 - 17:00

 Assessing and securing applications using the OWASP ASVS (Application Security Verification Standard)
 Oana Cornea Description:

The focus of this training will be on how to build secure applications and how to evaluate them using real world scenarios. The attendees will learn the concepts solving exercises and using various OWASP resources like the OWASP ASVS (Application Security Verification Standard) and the OWASP Testing Guide. Topics covered:
Day 1:

  • Architecture design and threat modelling
  • Authentication Flaws
  • Session Management Flaws
  • Access Control Verification Requirements
  • Input Handling and Output Encoding/Escaping

Day 2:

  • Cryptography at Rest
  • Error Handling and Logging
  • Data Protection Verification
  • Communications Security
  • Business Logic Verification Requirements
  • Files and Resources
  • Mobile Security
  • Web Service Security


Intended audience: This training is suitable for developers, quality assurance, code reviewers and penetration testers
Skill level: Beginner - intermediate
Requirements: Basic web knowledge; laptop with at least 4GB RAM and virtualization software (VMware Workstation Player).
Seats available: 20 (first-come, first served)
Price: 400 euros/person
Register here

2 days training
11th and 12th of October
daily: 9:00 - 17:00

 Advanced Mobile Security Training
 Nikhil P Kulkarni and Ravi Kumar Description:

The knowledge of Mobile Security, especially Android has become essential in securing today’s digital environment. This workshop is developed to introduce and bring hands on experience of the exciting and growing field of Android Pentesting and its Security Essentials.
Upon completing this course, the participants are expected to:

  • Gain a set of techniques focused on the use of vendor-neutral, open source tools, Develop the skills to capture suspicious data.
  • Discern unusual patterns hidden within seemingly normal applications.
  • Understand the basics of Android Security Architecture.
  • Get trained enough to start into Mobile Pentesting as the new generation Mobile Security Researcher.
  • Get prepared for active research at the forefront of these areas.
  • Throughout the course, real-world examples in conjunction with numerous hands-on exercises will provide android pentesting & analysis skills.


Outline: Android Security

  • Module 1:
    1. Introduction to Android OS
    2. Android Security Architecture
    3. Android Permission Model
    4. Sandboxing Applications
    5. Setting up the Android Emulator
    6. Setting up a Mobile Pentest Environment
  • Module 2:
    1. Inspecting Application Certificates and Signatures
    2. Signing/Resigning Android Applications
    3. Application Signatures Verification
    4. Investigating app permissions through manifest file
    5. Working with Android Debug Bridge (ADB)
    6. Application Resources Extraction using ADB
  • Module 3:
    1. Bypassing Android Permissions
    2. Introduction to Drozer
    3. Setting up and Running a Drozer Session
    4. Enumerating Packages and their Activities
    5. Enumerating Content Providers and Services
    6. Enumerating Broadcast Receivers
    7. Using Drozer to find vulnerabilities
  • Module 4:
    1. Reversing Android Applications
    2. Analysing DEX Files
    3. Working with Logcat
    4. Network Traffic Inspection
    5. Passive Intent Sniffing
    6. Exploiting Services
    7. Exploiting Broadcast Receivers
    8. Exploiting Insecure Data Storage
    9. Exploiting Poor Cryptography Implementation
    10. Exploiting Data Leakage vulnerabilities
    11. Exploiting the Debuggable Applications
    12. Static/Dynamic Analysis of Android Applications
    13. Working with Dexguard and Proguard


Intended audience: This workshop is essential to information security, mobile security & risk management, loss prevention, corporate security and law enforcement personnel interested in Mobile Security. e.g. Security professionals, who possess basic general security knowledge. Personnel who have working knowledge of android security and pentesting and want to gain experience in the end-to-end mobile security process can attend this training.
Skill level: intermmediate - advanced
Requirements: Attendees must bring their laptop (with administrative privileges) to run all the tools and software. The laptop should atleast have 6 GB RAM and 100 GB of Hard Disk Space. The Laptop must have Java, VirtualBox, PuTTY pre-installed.
Seats available: 20 (first-come, first served)
Price: 1000 euros/person
Register here

2 days training
12th and 13th of October
daily: 9:00 - 17:00

 Advanced Malware Analysis
 Himanshu Khokhar Description:

Advanced Malware Analysis is a fast paced, full hands-on course which starts from the very basics of malware analysis and reverse engineering and then moves to advanced analysis of malwares (including malicious exe, js, pdf and word files as well) which then advances to analyze shellcodes, rootkits and ransomwares. Students taking this course will learn the tools and techniques to understand, analyze and defend against modern day malwares.

Syllabus

1. Malware ananlysis fundamentals

  • Malware analysis and Reverse Engineering
  • Setting up an environment for malware analysis
  • Setting up the toolkit to analyze malwares effectively
  • Performing basic static analysis
  • Performing basic dynamic analysis

2. Advanced Static Analysis

  • Revisiting x86 assembly concepts to apply it in malware analysis
  • Recognizing key data structures and language constructs in malware
  • Recognizing and locating common Windows API functions in malwares
  • Understanding and defeating anti-disassembly techniques

3. Advanced Dynamic malware analysis

  • Getting used to debuggers and debugging
  • Understanding and defeating anti-debugging techniques
  • Dealing with packed malwares
  • Unpacking packed malwares and challenges in unpacking
  • Dumping packed malwares in unpacked state from memory
  • Understanding Code injection in depth
  • Dissecting file-less malwares

4. Other major types of malware types

  • Understanding and dissecting JavaScript malwares
  • De-obfuscating JavaScript malwares
  • Understanding and dissecting PDF based malwares
  • Dissecting macro based malwares in Microsoft Office files

5. Shellcodes, Rootkits and Ransomwares

  • Understanding Shellcodes and performing Shellcode analysis
  • Understanding Rootkits and performing Rootkit analysis
  • Understanding Ransomwares and performing Ransomware analysis

Intended audience:Advanced Malware Analysis is a full hands-on course. It is useful both for beginners into the field of malware analysis, as well as for those who have been into this area for some time but want to polish their skills to a new level. Other than malware analysts, reverse engineers, forensic investigators, threat analysts, students, people wanting to get into malware analysis can take this course.
Skill level: Intermediate
Requirements: Knowledge of x86 Assembly lang, familiarity with debuggers, disassemblers, Windows OS. A Laptop with at least 8 GB of RAM. VMWare Workstation or Virtualbox.
Seats available: 20 (first-come, first served)
Price: 1000 euros/person
Register here

Retrieved from "https://wiki.owasp.org/index.php?title=OWASP_Bucharest_AppSec_Conference_2017_Training2&oldid=233614"