OWASP Bucharest AppSec Conference 2017 Training2

Training

The focus of this training will be on how to build secure applications and how to evaluate them using real world scenarios. The attendees will learn the concepts solving exercises and using various OWASP resources like the OWASP ASVS (Application Security Verification Standard) and the OWASP Testing Guide. Topics covered:
Day 1:

• Architecture design and threat modelling
• Authentication Flaws
• Session Management Flaws
• Access Control Verification Requirements
• Input Handling and Output Encoding/Escaping

Day 2:

• Criptography at Rest
• Error Handling and Logging
• Data Protection Verification
• Communications Security
• Business Logic Verification Requirements
• Files and Resources
• Mobile Security
• Web Service Security

Intended audience: This training is suitable for developers, quality assurance, code reviewers and penetration testers
Skill level: Beginner - intermediate
Requirements: Basic web knowledge; laptop with at least 4GB RAM and virtualization software (VMware Workstation Player).
Seats available: 20 (first-come, first served)
Price: 400 euros/person
Register here

The knowledge of Mobile Security, especially Android has become essential in securing today’s digital environment. This workshop is developed to introduce and bring hands on experience of the exciting and growing field of Android Pentesting and its Security Essentials.
Upon completing this course, the participants are expected to:

• Gain a set of techniques focused on the use of vendor-neutral, open source tools, Develop the skills to capture suspicious data.
• Discern unusual patterns hidden within seemingly normal applications.
• Understand the basics of Android Security Architecture.
• Get trained enough to start into Mobile Pentesting as the new generation Mobile Security Researcher.
• Get prepared for active research at the forefront of these areas.

Throughout the course, real-world examples in conjunction with numerous hands-on exercises will provide android pentesting & analysis skills.
Outline: Android Security

• Module 1
  1. Intro to Android
  2. Android Security Architecture
  3. Android application structure
  4. Signing Android applications
  5. Android Debug Bridge
  6. Understanding Android file system
  7. Permission Model Flaws

• Module 2
  1. Understanding Android Components
  2. Introducing Android Emulator
  3. Introducing Android AVD

• Module 3
  1. Proxying Android Traffic
  2. Reverse Engineering for Android Apps
  3. Dex Analysis and Obfuscation

• Module 4
  1. Attack Surfaces for Android applications
  2. Exploiting Local Storage
  3. Exploiting Weak Cryptography
  4. Exploiting Side Channel Data Leakage
  5. Root Detection and Bypass
  6. Exploiting Weak Authorization mechanism
  7. Identifying and Exploiting Flawed Broadcast Receivers
  8. Identifying and Exploiting Flawed Intents
  9. Identifying and Exploiting Vulnerable Activity Components
  10. Exploiting Backup and Debuggable apps
  11. Dynamic Analysis for Android Apps
  12. Analyzing Proguard, DexGuard and other Obfuscation Techniques

Intended audience: This workshop is essential to information security, mobile security & risk management, loss prevention, corporate security and law enforcement personnel interested in Mobile Security. e.g. Security professionals, who possess basic general security knowledge. Personnel who have working knowledge of android security and pentesting and want to gain experience in the end-to-end mobile security process can attend this training.
Skill level: intermmediate - advanced
Requirements: Attendees must bring their laptop (with administrative privileges) to run all the tools and software. The laptop should atleast have 6 GB RAM and 100 GB of Hard Disk Space. The Laptop must have Java, VirtualBox, PuTTY pre-installed.
Seats available: 20 (first-come, first served)
Price: 1000 euros/person
Register here