
2016 BASC Training

From OWASP
Revision as of 01:51, 15 September 2016 by Tom Conner (talk | contribs)

Platinum Sponsors

Checkmarx HPE Rapid7 Veracode


Gold Sponsors

Contrast Security CyberSN

Silver Sponsors

Stormpath Qualys


Sponsorships are available: See Sponsorship Kit
Please help us keep BASC free by viewing and visiting all of our sponsors.


We would like to thank our speakers for donating their time and effort to help make this conference successful.


Highlights from the Matasano Crypto Challenges

Presented by: Matt Cheung

The Matasano Challenges were a collection of exercises to teach people about mistakes in the implementation and use of cryptography. These could be thought of as the homework problems in a course on how cryptography goes wrong. In this training I selected challenges that I think are illustrative of concepts that can be reused in multiple contexts as well as attacks that can be done in the short time we have for the training.

The format will alternate between a lecture portion explaining the necessary concepts to understand the attack and a lab portion where we will use what we just learned to attack CTF style versions of the challenges. The lab portion will be time bound, but the challenges are available over the internet so if you don't finish, you can continue working after the training.

Topics

  • Introduction to Block Ciphers
  • ECB Mode Attacks
  • CBC Mode Attacks
  • Introduction to Public Key Cryptography
  • (EC)DSA Attacks
  • RSA Attacks

Technical Requirements

Laptop with the following:

  • Web testing tools such as a MITM proxy (e.g. Burp Suite), or browser extensions
  • Development environment ready to support making web requests, socket programming, and large integer arithmetic
  • Experience with web request programming and socket programming will be useful
  • I recommend Python as that is what I use, and the PyCrypto library will be useful


Painless Web and Mobile Hacking 101

Presented by: Apoorv Munshi

In this hands-on workshop, I will help the participants to set up an “efficient” environment for fast web and mobile application penetration testing. Instead of using traditional ready-to-go penetration testing distributions like Kali Linux, I will focus on setting up the environment in Windows and Mac OS. After all, a browser and an intercepting proxy are all we need for most manual penetration testing tasks. Setting up a virtual machine and getting it working correctly can be difficult for beginners. I want to keep this simple and painless!

The topics that will be covered are:

  1. Preparing Chrome browser by creating a separate pen-testing profile and then installing foxyproxy for quickly switching proxies. I will also talk about how they can use Chrome’s extremely powerful developer tools for getting insights about the application.
  2. Installing and setting up OWASP ZAP to start intercepting and modifying the traffic. This section involves installing the root CA certificate in the browser’s certificate store. I will also cover Burp Suite if time permits. The reason I am focusing on OWASP ZAP is because it's free and awesome, and some features which are really necessary for painless pen-testing are not present in the free edition of Burp Suite. For mobile, I will talk about the steps in setting up an Android device for penetration testing mobile apps. (Live demo for Android if time permits)
  3. The third step involves demonstration on a real world application listed on a bug bounty program and then helping the participants understand the traffic. I will show some tricks for focusing on important traffic such as setting up scope using the “context” feature in ZAP, using filters etc.
  4. The last and most important section will focus on sharing resources that I have gathered over the last 2 years from Twitter and security blogs. For people completely new to this domain, I will suggest a “study path”. I will talk about awesome books, blogs, bug bounty programs and some more tricks for painless pen-testing like using Gmail’s aliases for creating test accounts and password managers for managing passwords.


Threat Modeling Workshop

Presented by: Robert Hurlbut

Threat modeling is a way of thinking about what could go wrong and how to prevent it. Instinctively, we all think this way in regards to our own personal security and safety. When it comes to building software, some teams either skip the important step of threat modeling in secure software design, or they have tried threat modeling before but haven't quite figured out how to connect the threat models to real world software development and its priorities. Threat modeling should be part of your secure software design process. Using threat modeling and some principles of risk management, you can design software in a way that makes security one of the top goals, along with performance, scalability, reliability, and maintenance.

Objectives

In this workshop, attendees will learn about Threat Modeling through understanding concepts and hands-on demos:

  • Introduction to Threat Modeling, including how to conduct a typical Threat Modeling session
  • Understand practical strategies in finding Threats, determine proper Mitigations, and how to apply Risk Management with the Mitigations
  • Hands-on demo of one or two Real World Threat Modeling case studies
  • Hands-on demo of the Microsoft Threat Modeling Tool 2016

Materials

Laptop with Microsoft Threat Modeling Tool 2016 installed (highly recommended, but not required)

You can find out more about this conference at the 2016 BASC Homepage
or by emailing [email protected]