OWASP Global AppSec Lisbon 2024
Join us in Lisbon for three days of training, June 24-26, followed by two conference and expo days, June 27-28, with multiple tracks.
Dates: June 24-28, 2024 (training June 24-26, conference June 27-28)
Location: Lisbon Congress Centre, Praça das Indústrias 1, 1300-307 Lisboa, Portugal
About this event
PLEASE READ:
Conference day tickets and training day tickets are separate purchases.
Student conference tickets are valid ONLY for the conference dates, June 27-28.
Training dates: June 24-26, 2024
Conference dates: June 27-28, 2024
OWASP Global AppSec Lisbon is designed for private and public sector infosec professionals. The two conference days equip developers, defenders, and advocates to build a more secure web. Educational 1-day, 2-day, and 3-day training courses are offered before the conference (separate ticket purchase): training runs June 24-26 and the conference June 27-28. Join us for leading application security technologies, speakers, prospects, and community, in a unique event that builds on everything you already expect from an OWASP Global Conference.
A complete list and description of each training course follows below. If you would like a more detailed training outline or a bio of the trainer, please email events@owasp.com
*****************************************************************************************************************
TRAINING COURSE DESCRIPTIONS
3-day Training
Title: Web Application Security Essentials
Dates: June 24-26, 2024
Trainer: Fabio Cerullo
Audience: Beginner
This course provides the knowledge and resources required to evaluate the security of web applications. Through theory and a strong focus on practical exercises, participants will learn to identify critical vulnerabilities in web applications, understand how they are exploited, and implement the necessary corrective measures.
The course is aligned with the OWASP Top 10 2021, a world-renowned reference document which describes the most critical web application security flaws.
The topics covered include:
Introduction to Web Application Security
Technologies used in Web Applications
The Security Tester Toolkit
Critical Areas in Web Applications
Broken Access Control
Cryptographic Failures
Injection
Insecure Design
Security Misconfiguration
Vulnerable and Outdated Components
Identification and Authentication Failures
Software and Data Integrity Failures
Security Logging and Monitoring Failures
Server Side Request Forgery (SSRF)
Format: The course combines theory and hands-on practical exercises. The participants start by learning about web application vulnerabilities. They are then given access to a purpose-built web application environment that contains the bugs and coding errors they have learned about. This provides an ideal ‘real-life’ opportunity to exploit these vulnerabilities in a safe environment.
********************
3-day Training
Title: Hacking Android, iOS and IoT apps by Example (In-person and online option)
Dates: June 24-26, 2024
Trainer: Abraham Aranguren
Audience: Intermediate
This course is a 100% hands-on deep dive into the OWASP Mobile Security Testing Guide (MSTG) and the relevant items of the OWASP Mobile Application Security Verification Standard (MASVS); it covers and goes beyond the OWASP Mobile Top Ten.
Learn about Android, iOS and IoT app security by improving your mobile security testing kung-fu. Ideal for Penetration Testers, Mobile Developers and everybody interested in mobile app security.
All action, no fluff: improve your security analysis workflow and immediately apply the skills you gain in your workplace. The course is packed with exercises, extra-mile challenges and a CTF; it is self-paced and suitable for all skill levels, with continued education via unlimited email support and lifetime access to the training portal, including step-by-step video recordings, interesting apps to practice on, and all future updates for free.
Get a FREE taste for this training, including access to video recording, slides and vulnerable apps to play with: 4 hour workshop - https://7asecurity.com/free-workshop-mobile-practical
Teaser Video: https://www.youtube.com/watch?v=Re5oqfVkgd4
********************
3-day Training
Title: Application Security Training with Jim Manico (In-person and online option)
Dates: June 24-26, 2024
Trainer: Jim Manico
Audience: Intermediate
Core Modules
00-00 Introduction to Application Security (1 hr): Goals and Threats in AppSec
00-01 Input Validation Basics (1 hr): Allowlist Validation, Safe Redirects
00-02 HTTP Security Basics (1.5 hrs): Response/Request Headers, Verbs, Secure Transport Basics
00-03 SOP and CORS (1 hr): Same-Origin Policy, Cross-Origin Resource Sharing Security
00-04 API and REST Security (2 hrs): REST Design, XML, XXE, JSON, API Access Control
00-05 Microservice Security (2 hrs): Security Architectures in Microservices
00-06 JSON Web Tokens (JWT) (1 hr): Addressing JWT Security Challenges
00-07 SQL and Other Injections (1.5 hrs): Parameterized Queries, Secure Database Configurations, Command Injection
00-08 Cross-Site Request Forgery (1.5 hrs): CSRF Defenses for Various Architectures
00-09 File Upload and File I/O Security (1 hr): Secure File Upload, File I/O Security
00-10 Deserialization Security (0.5 hr): Safe Deserialization Practices
00-11 Artificial Intelligence Security (1-8 hrs): Securing AI Implementations, Full Course
00-12 Third-Party Library Security Management (1 hr): Ensuring Third-Party Library Security
00-13 Introduction to Cloud Security (1 hr): Basics of Cloud Security Management
00-14 Introduction to iOS and Android Security (1 hr): Mobile Security Fundamentals
Standards
01-00 OWASP Top Ten (1-4 hrs): Top Ten Web Security Risks
01-01 Introduction to GDPR (1 hr): European Data Privacy Law
01-02 OWASP ASVS (1 hr): Comprehensive Secure Coding Standard
01-03 OWASP Top Ten Proactive Controls (1 hr): Web Security Defense Categories
01-04 PCI Secure SDLC Standard (1 hr): Credit Card SDLC Requirements
User Interface Security
02-00 XSS Defense (2 hrs): Client-Side Web Security
02-01 Content Security Policy (1 hr): Advanced Client-Side Web Security
02-02 Content Spoofing and HTML Hacking (0.5 hr): HTML Client-Side Injection Attacks
02-03 React Security (1 hr): Secure React Application Development
02-04 Vue.js Security (1 hr): Secure Vue.js Application Development
02-05 Angular and AngularJS Security (1 hr): Secure Angular Application Development
02-06 Clickjacking (0.5 hr): UI Redress Attack Defense
Identity & Access Management
03-01 Authentication Best Practices (1.5 hrs): Web Authentication Practices
03-02 Session Management Best Practices (1.5 hrs): Web Session Management Practices
03-03 Multi-Factor Authentication (1 hr): NIST SP 800-63 Compliant MFA Implementation
03-04 Secure Password Policy and Storage (1 hr): Secure User Password Policy and Storage
03-05 Access Control Design (1 hr): ABAC/Capabilities-Based Access Control
03-06 OAuth2 Security (1 hr): OAuth2 Authorization Protocol
03-07 OpenID Connect Security (1 hr): OpenID Connect Federation Protocol
Crypto Modules
04-00 Secrets Management (1 hr): Key and Credential Storage Strategies
04-01 HTTPS/TLS Best Practices (1 hr): Transport Security Introduction
04-02 Cryptography Fundamentals - Part 1 (4 hrs): Terminology, Steganography, Attacks, Kerckhoffs's Principle, Perfect Forward Secrecy (PFS)
04-03 Cryptography Fundamentals - Part 2 (4 hrs): Hash Functions, Symmetric Cryptography, Randomness, Digital Signatures
Process
05-00 DevOps Best Practices (1 hr): DevOps and DevSecOps with a CI/CD Focus
05-01 Secure SDLC and AppSec Management (1 hr): Managing Secure Software Processes
Additional Topics
06-00 User and Helpdesk Awareness Training (1 hr): Security Awareness for Non-Technical Staff
06-01 Social Engineering for Developers (1 hr): Developer Protection Against Social Engineering
06-02 Application Layer Intrusion Detection (0.5 hr): Detecting App Layer Attacks
06-03 Threat Modeling Fundamentals (1 hr): Security Design via Threat Modeling
06-04 Forms and Workflows Security (0.5 hr): Secure Handling of Complex Forms
06-05 Java 8/9/10/11/12/13+ Security Controls (1 hr): Java Security Advances
06-06 Logging and Monitoring Security (0.5 hr): Security-Focused Logging
06-07 Subdomain Takeover (1 hr): Preventing Subdomain Takeover Scenarios
06-08 Laravel and PHP Security (1 hr): Focus on PHP Security
Lab Options
07-00 Competitive Web Hacking LABS (1-4 hrs): Hands-on Web Hacking Labs
07-01 Competitive API Hacking LABS (1-4 hrs): Hands-on API Hacking Labs
07-02 Secure Coding Knowledge LABS (4 hrs): Hands-on Secure Coding Labs
********************
2-day Training
Title: Adam Shostack's Threat Modeling Intensive
Dates: June 25-26, 2024
Trainer: Adam Shostack
Audience: Intermediate
This hands-on, interactive class focuses on learning to threat model by executing each of the steps. Students start with a guided threat modeling exercise; we then iterate and break down the skills they are learning in more depth, progressing through the Four Questions of Threat Modeling: what are we working on, what can go wrong, what are we going to do about it, and did we do a good job. This is capped off with an end-to-end exercise that brings the skills together.
********************
2-day Training
Title: Building a High-Value AppSec Scanning Programme
Dates: June 25-26, 2024
Trainer: Josh Grossman
Audience: Intermediate
You bought the application security tools, you have the findings, but now what? Many organisations find themselves drowning in “possible vulnerabilities”, struggling to streamline their processes and not sure how to measure their progress.
If you are involved in using SAST, DAST or SCA tools in your organisation, these may be familiar feelings to you. In this course you will learn how to address these problems and more (in a vendor-neutral way), with topics including:
● What to expect from these tools
● Customising and optimising these tools effectively
● Building tool processes which fit your business
● Automating workflows using CI/CD without slowing it down
● Showing the value and improvements you are making
● Faster and easier triage through smart filtering
● How to focus on fixing what matters and cut down noise
● Techniques for various alternative forms of remediation
● Comparison of the different tool types covered
To bring the course to life and let you apply what you learn, you will work in teams on table-top exercises where you design processes to cover specific scenarios, explain and justify your decisions to simulated stakeholders and practice prioritising your remediation efforts.
For these exercises, you will work based on specially designed process templates (which we will provide) which you can use afterwards to apply these improvements within your own organisation.
Be ready to work in a group, take part in discussions and present your findings and leave the course with clear strategies and ideas on how to get less stress and more value from these tools.
********************
2-day Training
Title: Practical Privacy by Design - Building secure applications that respect privacy
Dates: June 25-26, 2024
Trainer: Kim Wuyts and Avi Douglen
Audience: Intermediate
Privacy is hot! Now is the time to embrace this in-demand skillset. Believe it or not, privacy will even strengthen your security posture. Join this course now to learn about privacy engineering essentials and practical privacy-by-design approaches. With the lessons we’ll teach you, you’ll be able to effectively integrate privacy in existing security practices!
Consumers are becoming more privacy-aware and expect privacy-oriented products. Likewise, data protection legislation emerging globally is forcing companies to integrate a technical approach to privacy into system design. With ever higher demands for privacy engineering, privacy by design and privacy-respecting systems, and increasing impact from the lack thereof, security teams are hard pressed to keep up with these emerging requirements and often feel there is a substantial and growing skills gap.
Traditional security approaches do not typically focus on this aspect, leaving individuals at risk. Fortunately, privacy by design does not have to be difficult, and in fact, can be nicely aligned with secure design best practices. Incorporating privacy into security with a proactive approach is essential, and can even become a force multiplier for more secure systems!
This interactive hands-on training will introduce you to common privacy goals, and how these often fail. You'll learn about core privacy engineering fundamentals and get hands-on experience identifying and tackling potential privacy gaps and weaknesses, by leveraging by-design approaches such as threat modeling. As privacy shouldn’t be tackled in isolation, you will learn how to build privacy into the core of the software design and development process, aligned with security practices, showing how to gain increased efficiency and effectiveness in both domains.
The course will cover these main topics:
- Introduction to Privacy Essentials
- Architectural data mapping
- Tracing the functionality
- Overview of Privacy Threat Modeling
- Analyzing for Privacy Threats
- Privacy controls and mitigation strategies
- Putting it all together: Full Privacy Process
Each of these interactive modules will teach you both the technical skills and social aspects essential for successful privacy engineering, explain how they align with corresponding security practices, and highlight how these privacy skills can strengthen your security posture. With plenty of hands-on experience through a set of exercises, class discussions, and productive collaboration, you'll gain confidence to improve the privacy posture of your system using established design techniques, so you can take these practical skills back to your security practice.
********************
1-day Training
Title: Master AI security (In-person and online option)
Dates: June 26, 2024
Trainer: Rob van der Veer
Audience: Intermediate
This training is a unique opportunity to become proficient in the intricate and rapidly evolving field of AI security.
Soon, nearly every digital organization will be deploying systems that incorporate AI. This presents a significant challenge, regardless of whether you are an AppSec specialist, a developer, or a red teamer. What are your responsibilities? What constitutes the new AI attack surface, and what threats emerge from it? What measures can you take to mitigate these emerging risks?
This one-day intensive training program will equip you with the knowledge to tackle these AI-related challenges effectively, enabling you to apply what you learn immediately. Starting with a foundational overview of AI, the course then delivers an exhaustive exploration of the distinctive vulnerabilities AI introduces, the possible attack vectors, and the most current strategies to counteract threats like prompt injection, data poisoning, model theft, evasion, and more. Through practical exercises, you will gain hands-on experience in implementing strong security measures, attacking AI systems, conducting threat modelling on AI, and performing targeted vulnerability assessments for AI applications.
By day's end, you will possess a thorough comprehension of the core principles and techniques critical to strengthening AI systems. You will have gained practical insights and the confidence to implement cutting-edge AI security measures.
********************
1-day Training
Title: The Dark Side of APIs - the Attacker way to protect software
Dates: June 26, 2024
Trainer: Paulo Silva
Audience: Beginner
Following a hands-on approach, attendees will be guided through exploiting the ten most common API security risks according to the OWASP API Security Top 10. Each security issue will be discussed in depth, including its mitigation. Protocol-specific API security issues will be addressed and discussed to cover the most common API protocols. Training sessions are delivered by a security practitioner and OWASP project leader.
# Target Audience
API developers, DevSecOps, Pentesters, and systems integrators
# Training Program
Part 1
* Introduction to the Open Web Application Security Project (OWASP), the OWASP API Security Project, and the OWASP API Top 10
* The HTTP protocol and how APIs work on top of it
Part 2
For each of the ten most common API security risks (according to the OWASP API Top 10):
* Exploit the vulnerability
* Discuss the security issue, impact, and how to mitigate the risk
* GraphQL-specific security risks
# What You’ll Learn
* Relevant OWASP projects and how to use them to write secure code
* HTTP protocol fundamentals and how APIs work on top of it
* In-depth knowledge of the ten most common API security risks
* API protocol-specific risks (e.g. GraphQL)
* How threat agents exploit API vulnerabilities: tools and techniques
* How to avoid the most common API security issues
********************
1-day Training
Title: Intersectional Threat Modeling for Identifying, Ranking, and Mitigating Offline Threats, Risks, and Dangers
Dates: June 26, 2024
Trainer: Michael Loadenthal
Audience: Beginner
This workshop introduces a logic, methodology, and toolset for intersectional, risk-centric, attack-driven threat modeling, tailored to both technical (i.e., computer/network-based) and non-technical practitioners (e.g., journalists, human rights defenders). This approach focuses on promoting proactive harm reduction through a focus on the context-sensitive aspects of human, organizational, and networked digital systems. Backed by dozens of case studies and more than a decade of direct application, this session will help enumerate how ‘technical’ and ‘non-technical’ users can benefit from the logic and methods of threat modeling.
Participants will be challenged to consider their own threat environment and to actively engage with the process through in-session brainstorming activities, risk assessments, and other illustrative exercises. This workshop does not require any technical know-how, but participants should come prepared to investigate and explore their own security challenges. Through a combination of traditional lecture, applied discussion, and hands-on activities, participants will engage directly with the process of intersectional threat modeling.