This site is the archived OWASP Foundation Wiki and is no longer accepting Account Requests.
To view the new OWASP Foundation website, please visit https://owasp.org

Difference between revisions of "OWASP Bucharest AppSec Conference 2017 Workshops"

From OWASP
Jump to: navigation, search
(edit3)
(p)
Line 7: Line 7:
 
| style="width:40%" valign="middle" height="30" bgcolor="#CCCCEE" align="center" colspan="0" | '''Description'''
 
| style="width:40%" valign="middle" height="30" bgcolor="#CCCCEE" align="center" colspan="0" | '''Description'''
 
|-
 
|-
| style="width:10%" valign="middle" height="30" bgcolor="#CCEEEE" align="center" colspan="0" | 3 days training <br> 4th, 5th, 6th of October<br>daily: 9:00 - 17:00<br><br>
+
| style="width:10%" valign="middle" height="30" bgcolor="#CCEEEE" align="center" colspan="0" | Workshop <br> 13th of October<br> '''Hour:'''11:00 <br><br>
| style="width:25%" valign="middle" height="30" bgcolor="#CCEEEE" align="center" colspan="0" | Secure Coding for Java<br>
+
| style="width:25%" valign="middle" height="30" bgcolor="#CCEEEE" align="center" colspan="0" | AppSec Bucharest vs. OWASP Juice Shop<br>
  
| style="width:25%" valign="middle" height="30" bgcolor="#CCEEEE" align="center" colspan="0" |  [https://www.linkedin.com/uas/login?trk=ripf&trkInfo=AQGZrXdRLQZIhQAAAVzl2lyA3PTR0IMa5RMB9XWGetNgP8TxpIVu2QeYZJcI-min6w8vWm8Y6nxwtL-W8CPUjLjWEHKKFMrY_TMgVWBULZ9j8Y7h1-Oh1hNNBGv4z250VAix5jU=&session_redirect=https%3A%2F%2Fwww.linkedin.com%2Fin%2Frobertseacord Robert Seacord]
+
| style="width:25%" valign="middle" height="30" bgcolor="#CCEEEE" align="center" colspan="0" |  [https://de.linkedin.com/in/bkimminich/en Björn Kimminich]
| style="width:40%" valign="middle" height="30" bgcolor="#CCEEEE" align="justify" colspan="0" | '''Description:'''<br> This three-day instructor-led Secure Coding for Java course provides developers with practical guidance for developing Java programs that are robust and secure. Material in this presentation was derived from the Addison-Wesley book The CERT Oracle Secure Coding Standard for Java and is supported by the Secure Coding Rules for Java Live Lessons videos. Participants should come away from the course with a working knowledge of common programming errors that lead to software vulnerabilities, how these errors can be exploited, and effective mitigation strategies for preventing the introduction of these errors.
+
| style="width:40%" valign="middle" height="30" bgcolor="#CCEEEE" align="justify" colspan="0" | '''Description:'''<br> In this *free* workshop you can test your skills in hacking modern web applications against the OWASP Juice Shop! There are 43+ challenge that are waiting to be solved, ranging from simple functional problems and the usual XSS/SQLi issues over severe authentication flaws to multi-step & multi-path attacks against the discount coupons issued by the application!<br>
In particular, participants will learn how to: <br>
 
* Explain the need for secure coding Follow fundamental secure coding guidelines
 
* Validate and sanitize data
 
* Securely deserialize Java streams
 
* Securely implement exception handling
 
* Predict how the numerical types behave in Java
 
* Avoid pitfalls in the use of characters and strings
 
* Securely process input and output
 
Moreover, the course encourages programmers to adopt security best practices and develop a security mindset that can help protect software from tomorrow’s attacks, not just today’s. <br>
 
'''Intended audience:''' The course is designed primarily for Java SE 8 developers but should also be useful to developers using older versions of the SE platform as well as Java EE and ME developers. <br>
 
'''Skill level: The course assumes basic Java programming skills but does not assume an in-depth knowledge of software security.'''  <br>
 
'''Requirements:'''laptop with Java 8 and an IDE installed
 
<br>
 
 
 
'''Seats available: '''20 (first-come, first served)<br>
 
'''Price: '''1200 euros/person <br>
 
[https://www.eventbrite.com/e/owasp-bucharest-appsec-conference-2017-tickets-35356670754 Register here]
 
|-
 
| style="width:10%" valign="middle" height="30" bgcolor="#CCEEEE" align="center" colspan="0" |3 days training <br> 4th, 5th, 6th of October<br>daily: 9:00 - 17:00<br><br>
 
| style="width:25%" valign="middle" height="30" bgcolor="#CCEEEE" align="center" colspan="0" | DFIR from Acquisition to Zbot - A comprehensive guide to real world incident handling<br>
 
 
 
| style="width:25%" valign="middle" height="30" bgcolor="#CCEEEE" align="center" colspan="0" | [https://www.linkedin.com/uas/login?trk=ripf&trkInfo=AQF4NyQgGvi6uwAAAVzl75IwT7MBwugmEgdLz_SwcJoWYk_1Z7vU8s1CYx3Sxp3TuCvj4Z13LimS6vjJIGq2LcSnkXXslFYDo9u1XDfvz17JT2DnK0I49amHaxu3w6EeIw52vaI=&session_redirect=https%3A%2F%2Fwww.linkedin.com%2Fin%2Faarongoldstein Aaron Goldstein]'''
 
| style="width:40%" valign="middle" height="30" bgcolor="#CCEEEE" align="justify" colspan="0" | '''Description:''' This training will outline a proven approach to resolving incidents in an efficient, consistent manner. Topics will cover everything from evidence acquisition and verification, through hard disk and memory forensic techniques. <br>
 
The agenda includes the following, typically between 1-2 hours per topic:
 
Evidence acquisition
 
* Methodology for acquisition (leave no trace)
 
* Media types
 
* Hashing and verification
 
* Physical vs Logical
 
* Standard Imaging Process
 
* Special cases (RAID, etc.)
 
* Open Source tools and overview (Windows / Linux)
 
 
Hard Disk Forensics Part 1
 
* File System Types;  Forensic Analysis Tools;  Forensic areas of interest
 
 
Hard Disk Forensics Part 2
 
* Registry Analysis: Key locations and format, Forensic areas of interest, NTUSER.DAT, Regripper, Regdecoder
 
* Automated Tools
 
Memory forensics
 
* Open Source tools and overview
 
* Memory Acquisition
 
*  Memory analysis with Volatility: Processes: Network Connections, User names / Passwords, Encryption Keys, Registry Hives, Malware
 
 
 
Log Analysis Techniques
 
* Common log sources
 
* Local vs Centralized Logging
 
* Retention
 
* Tampering
 
* Log analysis tools and techniques
 
 
Forensic Timeline Creation and Analysis
 
* Log2Timeline
 
 
 
Data Recovery Techniques
 
* Manual data carving
 
* Automated tools
 
 
 
Malware Analysis
 
* Open Source Intelligence Gathering
 
* Malware Sandboxing and evasion techniques
 
* File Whitelisting
 
 
 
Advanced Persistent Threat
 
* What an APT really is
 
* Case Study - Operation Cleaver
 
 
 
Anti Forensics
 
* Data shredding
 
* Steganography
 
* Timestamp modification
 
'''Intended audience:''' Security minded individuals with basic level knowledge of linux operating systems.<br>
 
'''Outcome: '''Attendees will gain critical knowledge on how to appropriately triage, and contain an incident using up to date methodology and suggestions from a trainer with extensive background in real world attacks. In addition, several tips and tricks to build and maintain an effective IR team will be provided.<br>
 
'''Requirements:'''laptops for attendees, virtual box installed<br>
 
 
 
'''Seats available: '''20 (first-come, first served)<br>
 
'''Price:'''1200 euros/person<br>
 
[https://www.eventbrite.com/e/owasp-bucharest-appsec-conference-2017-tickets-35356670754 Register here]
 
 
 
 
 
|-
 
| style="width:10%" valign="middle" height="30" bgcolor="#CCEEEE" align="center" colspan="0" | 9:00 - 17:00<br><br>
 
| style="width:25%" valign="middle" height="30" bgcolor="#CCEEEE" align="center" colspan="0" | '''<br>
 
 
 
| style="width:25%" valign="middle" height="30" bgcolor="#CCEEEE" align="center" colspan="0" |
 
| style="width:40%" valign="middle" height="30" bgcolor="#CCEEEE" align="justify" colspan="0" | '''Description:'''
 
  
'''Outcome:''' <br>
+
How many challenges can you beat? During the workshop you can get some first-hand hints in case you fell stuck. At the end of the workshop there will be a demo of some of the more mindboggling challenges - but only for those, who don't want to solve them on their own later! You will have an idea how good you and your tools are with <br>
 
+
'''Intended audience:''' Developers and pentesters with at least basic understanding of common web application vulnerabilities <br>
'''Intended Audience:''' <br>
+
'''Skill level: '''The workshop does not assume an in-depth knowledge of software security.  <br>
 
'''Requirements:'''
 
'''Requirements:'''
 +
*laptop with OWASP Juice Shop installed using one of the setups described in https://github.com/bkimminich/juice-shop#setup
 +
* modern Javascript-heavy web applications and their underlying RESTful APIs
 +
*internet browser with some API testing plugin (e.g. PostMan for Chrome)
 +
*(optionally) any kind of pentesting tools
 
<br>
 
<br>
 
 
'''Seats available: '''20 (first-come, first served)<br>
 
'''Seats available: '''20 (first-come, first served)<br>
'''Price: '''200 euros/person <br>
+
'''Price: '''free <br>
[Registration link: TBD]
+
[https://www.eventbrite.com/e/owasp-bucharest-appsec-conference-2017-tickets-35356670754 Register here]
|-
 
| style="width:10%" valign="middle" height="30" bgcolor="#CCEEEE" align="center" colspan="0" | 9:00 - 17:00<br><br>
 
| style="width:25%" valign="middle" height="30" bgcolor="#CCEEEE" align="center" colspan="0" | '''<br>
 
 
 
| style="width:25%" valign="middle" height="30" bgcolor="#CCEEEE" align="center" colspan="0" | 
 
| style="width:40%" valign="middle" height="30" bgcolor="#CCEEEE" align="justify" colspan="0" | '''Description:'''
 
 
 
'''Outcome:'''
 
'''Intended Audience: '''
 
 
 
'''Skill Level:''' <br>
 
'''Requirements:'''<br>
 
 
 
'''Seats available: '''20 (first-come, first served)<br>
 
'''Price: '''200 euros/person <br>
 
[Registration link: TBD]
 
 
|-
 
|-
 
|}
 
|}

Revision as of 17:20, 8 July 2017

Workshop

Time Title Trainers Description
Workshop
13th of October
Hour:11:00

AppSec Bucharest vs. OWASP Juice Shop
 Björn Kimminich Description:
In this *free* workshop you can test your skills in hacking modern web applications against the OWASP Juice Shop! There are 43+ challenge that are waiting to be solved, ranging from simple functional problems and the usual XSS/SQLi issues over severe authentication flaws to multi-step & multi-path attacks against the discount coupons issued by the application!

How many challenges can you beat? During the workshop you can get some first-hand hints in case you fell stuck. At the end of the workshop there will be a demo of some of the more mindboggling challenges - but only for those, who don't want to solve them on their own later! You will have an idea how good you and your tools are with
Intended audience: Developers and pentesters with at least basic understanding of common web application vulnerabilities
Skill level: The workshop does not assume an in-depth knowledge of software security.
Requirements:

  • laptop with OWASP Juice Shop installed using one of the setups described in https://github.com/bkimminich/juice-shop#setup
  • modern Javascript-heavy web applications and their underlying RESTful APIs
  • internet browser with some API testing plugin (e.g. PostMan for Chrome)
  • (optionally) any kind of pentesting tools


Seats available: 20 (first-come, first served)
Price: free
Register here

Retrieved from "https://wiki.owasp.org/index.php?title=OWASP_Bucharest_AppSec_Conference_2017_Workshops&oldid=231474"