OWASP Global AppSec Lisbon 2024

Join us in Lisbon for three days of training on June 24-26, followed by two conference and expo days on June 27-28 with multiple tracks.

By OWASP Foundation

Date and time

June 24 · 9am - June 28 · 5pm WEST

Location

Lisbon Congress Centre

1 Praça das Indústrias 1300-307 Lisboa Portugal

Refund Policy

No Refunds

About this event

PLEASE READ:

*Conference day tickets and Training day tickets are separate purchases.

**Student conference tickets are ONLY applicable to the conference dates of June 27-28.

***Training Dates: June 24-26, 2024

****Conference Dates: June 27-28, 2024

OWASP Global AppSec Lisbon is designed for private and public sector infosec professionals. The two-day conference equips developers, defenders, and advocates to build a more secure web. We are offering 1-day, 2-day, and 3-day training courses before the conference (separate ticket purchase). Training dates are June 24-26 and conference dates are June 27-28. Join us for leading application security technologies, speakers, prospects, and community, in a unique event that will build on everything you already know to expect from an OWASP Global Conference. For a complete list and description of each training, please click the green "Tickets" button above or see below. If you would like to see a more detailed outline of trainings or a bio of the trainer, please email events@owasp.com

*****************************************************************************************************************

TRAINING COURSE DESCRIPTIONS


3-day Training

Title: Web Application Security Essentials

Dates: June 24-26, 2024

Trainer: Fabio Cerullo

Audience: Beginner

This course provides the knowledge and resources required to evaluate the security of web applications. The participants, through the understanding of theory and a strong focus on practical exercises, will be able to identify critical vulnerabilities in web applications, understand how exploitation works and learn how to implement the necessary corrective measures.

The course is aligned with the OWASP Top 10 2021, a world-renowned reference document which describes the most critical web application security flaws.

The topics covered include:

Introduction to Web Application Security

Technologies used in Web Applications

The Security Tester Toolkit

Critical Areas in Web Applications

Broken Access Control

Cryptographic Failures

Injection

Insecure Design

Security Misconfiguration

Vulnerable and Outdated Components

Identification and Authentication Failures

Software and Data Integrity Failures

Security Logging and Monitoring Failures

Server Side Request Forgery (SSRF)

Format: The course combines theory and hands-on practical exercises. The participants start by learning about web application vulnerabilities. They are then given access to a purpose-built web application environment that contains the bugs and coding errors they have learned about. This provides an ideal ‘real-life’ opportunity to exploit these vulnerabilities in a safe environment.

********************

3-day Training

Title: Hacking Android, iOS and IoT apps by Example (In-person and online option)

Dates: June 24-26, 2024

Trainer: Abraham Aranguren

Audience: Intermediate

This course is a 100% hands-on deep dive into the OWASP Mobile Security Testing Guide (MSTG) and the relevant items of the OWASP Mobile Application Security Verification Standard (MASVS), so it covers and goes beyond the OWASP Mobile Top Ten.

Learn about Android, iOS and IoT app security by improving your mobile security testing kung-fu. Ideal for Penetration Testers, Mobile Developers and everybody interested in mobile app security.

All action, no fluff: improve your security analysis workflow and immediately apply the skills you gain in your workplace. The course is packed with exercises, extra-mile challenges and a CTF, is self-paced and suitable for all skill levels, and includes continued education via unlimited email support and lifetime access to the training portal with step-by-step video recordings and interesting apps to practice on, including all future updates for free.

Get a FREE taste for this training, including access to video recording, slides and vulnerable apps to play with: 4 hour workshop - https://7asecurity.com/free-workshop-mobile-practical

Teaser Video: https://www.youtube.com/watch?v=Re5oqfVkgd4

********************

3-day Training

Title: Application Security Training with Jim Manico (In-person and online option)

Dates: June 24-26, 2024

Trainer: Jim Manico

Audience: Intermediate

Core Modules

00-00 Introduction to Application Security (1 hr): Goals and Threats in AppSec

00-01 Input Validation Basics (1 hr): Allowlist Validation, Safe Redirects

00-02 HTTP Security Basics (1.5 hrs): Response/Request Headers, Verbs, Secure Transport Basics

00-03 SOP and CORS (1 hr): Same-Origin Policy, Cross-Origin Resource Sharing Security

00-04 API and REST Security (2 hrs): REST Design, XML, XXE, JSON, API Access Control

00-05 Microservice Security (2 hrs): Security Architectures in Microservices

00-06 JSON Web Tokens (JWT) (1 hr): Addressing JWT Security Challenges

00-07 SQL and Other Injections (1.5 hrs): Parameterized Queries, Secure Database Configurations, Command Injection

00-08 Cross-Site Request Forgery (1.5 hrs): CSRF Defenses for Various Architectures

00-09 File Upload and File I/O Security (1 hr): Secure File Upload, File I/O Security

00-10 Deserialization Security (0.5 hr): Safe Deserialization Practices

00-11 Artificial Intelligence Security (1-8 hrs): Securing AI Implementations, Full Course

00-12 Third-Party Library Security Management (1 hr): Ensuring Third-Party Library Security

00-13 Introduction to Cloud Security (1 hr): Basics of Cloud Security Management

00-14 Introduction to iOS and Android Security (1 hr): Mobile Security Fundamentals


Standards

01-00 OWASP Top Ten (1-4 hrs): Top Ten Web Security Risks

01-01 Introduction to GDPR (1 hr): European Data Privacy Law

01-02 OWASP ASVS (1 hr): Comprehensive Secure Coding Standard

01-03 OWASP Top Ten Proactive Controls (1 hr): Web Security Defense Categories

01-04 PCI Secure SDLC Standard (1 hr): Credit Card SDLC Requirements


User Interface Security

02-00 XSS Defense (2 hrs): Client-Side Web Security

02-01 Content Security Policy (1 hr): Advanced Client-Side Web Security

02-02 Content Spoofing and HTML Hacking (.5 hr): HTML Client-Side Injection Attacks

02-03 React Security (1 hr): Secure React Application Development

02-04 Vue.js Security (1 hr): Secure Vue.js Application Development

02-05 Angular and AngularJS Security (1 hr): Secure Angular Application Development

02-06 Clickjacking (0.5 hr): UI Redress Attack Defense


Identity & Access Management

03-01 Authentication Best Practices (1.5 hrs): Web Authentication Practices

03-02 Session Management Best Practices (1.5 hrs): Web Session Management Practices

03-03 Multi-Factor Authentication (1 hr): NIST SP 800-63 Compliant MFA Implementation

03-04 Secure Password Policy and Storage (1 hr): Secure User Password Policy and Storage

03-05 Access Control Design (1 hr): ABAC/Capabilities-Based Access Control

03-06 OAuth2 Security (1 hr): OAuth2 Authorization Protocol

03-07 OpenID Connect Security (1 hr): OpenID Connect Federation Protocol


Crypto Modules

04-00 Secrets Management (1 hr): Key and Credential Storage Strategies

04-01 HTTPS/TLS Best Practices (1 hr): Transport Security Introduction

04-02 Cryptography Fundamentals - Part 1 (4 hrs): Terminology, Steganography, Attacks, Kerckhoffs's Principle, PFC

04-03 Cryptography Fundamentals - Part 2 (4 hrs): Hash Functions, Symmetric Cryptography, Randomness, Digital Signatures


Process

05-00 DevOps Best Practices (1 hr): DevOps and DevSecOps with a CD/CI Focus

05-01 Secure SDLC and AppSec Management (1 hr): Managing Secure Software Processes


Additional Topics

06-00 User and Helpdesk Awareness Training (1 hr): Security Awareness for Non-Technical Staff

06-01 Social Engineering for Developers (1 hr): Developer Protection Against Social Engineering

06-02 Application Layer Intrusion Detection (0.5 hr): Detecting App Layer Attacks

06-03 Threat Modeling Fundamentals (1 hr): Security Design via Threat Modeling

06-04 Forms and Workflows Security (0.5 hr): Secure Handling of Complex Forms

06-05 Java 8/9/10/11/12/13+ Security Controls (1 hr): Java Security Advances

06-06 Logging and Monitoring Security (0.5 hr): Security-Focused Logging

06-07 Subdomain Takeover (1 hr): Preventing Subdomain Takeover Scenarios

06-08 Laravel and PHP Security (1 hr): Focus on PHP Security


Lab Options

07-00 Competitive Web Hacking LABS (1-4 hrs): Hands-on Web Hacking Labs

07-01 Competitive API Hacking LABS (1-4 hrs): Hands-on API Hacking Labs

07-02 Secure Coding Knowledge LABS (4 hrs): Hands-on Secure Coding Labs


********************

2-day Training

Title: Adam Shostack's Threat Modeling Intensive

Dates: June 25-26, 2024

Trainer: Adam Shostack

Audience: Intermediate

This hands-on, interactive class focuses on learning to threat model by executing each of the steps. Students start with a guided threat modeling exercise; we then iterate and break down the skills they are learning in more depth, progressing through the Four Questions of Threat Modeling: what are we working on, what can go wrong, what are we going to do about it, and did we do a good job. The class is capped off with an end-to-end exercise that brings the skills together.

********************

2-day Training

Title: Building a High-Value AppSec Scanning Programme

Dates: June 25-26, 2024

Trainer: Josh Grossman

Audience: Intermediate

You bought the application security tools, you have the findings, but now what? Many organisations find themselves drowning in “possible vulnerabilities”, struggling to streamline their processes and not sure how to measure their progress.

If you are involved in using SAST, DAST or SCA tools in your organisation, these feelings may be familiar to you. In this course you will learn how to address these problems and more (in a vendor-neutral way), with topics including:

● What to expect from these tools

● Customising and optimising these tools effectively

● Building tool processes which fit your business

● Automating workflows using CI/CD without slowing it down

● Showing the value and improvements you are making

● Faster and easier triage through smart filtering

● How to focus on fixing what matters and cut down noise

● Techniques for various alternative forms of remediation

● Comparison of the different tool types covered

To bring the course to life and let you apply what you learn, you will work in teams on table-top exercises where you design processes to cover specific scenarios, explain and justify your decisions to simulated stakeholders and practice prioritising your remediation efforts.

For these exercises, you will work based on specially designed process templates (which we will provide) which you can use afterwards to apply these improvements within your own organisation.

Be ready to work in a group, take part in discussions and present your findings and leave the course with clear strategies and ideas on how to get less stress and more value from these tools.

********************

2-day Training

Title: Practical Privacy by Design - Building secure applications that respect privacy

Dates: June 25-26, 2024

Trainer: Kim Wuyts and Avi Douglen

Audience: Intermediate

Privacy is hot! Now is the time to embrace this in-demand skillset. Believe it or not, privacy will even strengthen your security posture. Join this course now to learn about privacy engineering essentials and practical privacy-by-design approaches. With the lessons we’ll teach you, you’ll be able to effectively integrate privacy in existing security practices!

Consumers are becoming more privacy-aware and expect privacy-oriented products. Likewise, data protection legislation emerging around the world is forcing companies to integrate a technical approach to privacy into system design. With ever higher demands for privacy engineering, privacy by design and privacy-respecting systems, and increasing impact from the lack thereof, security teams are hard pressed to keep up with these emerging requirements and often feel that there is a substantial and growing skills gap.

Traditional security approaches do not typically focus on this aspect, leaving individuals at risk. Fortunately, privacy by design does not have to be difficult, and in fact, can be nicely aligned with secure design best practices. Incorporating privacy into security with a proactive approach is essential, and can even become a force multiplier for more secure systems!

This interactive hands-on training will introduce you to common privacy goals, and how these often fail. You'll learn about core privacy engineering fundamentals and get hands-on experience identifying and tackling potential privacy gaps and weaknesses, by leveraging by-design approaches such as threat modeling. As privacy shouldn’t be tackled in isolation, you will learn how to build privacy into the core of the software design and development process, aligned with security practices, showing how to gain increased efficiency and effectiveness in both domains.

The course will cover these main topics:

- Introduction to Privacy Essentials

- Architectural data mapping

- Tracing the functionality

- Overview of Privacy Threat Modeling

- Analyzing for Privacy Threats

- Privacy controls and mitigation strategies

- Putting it all together: Full Privacy Process

Each of these interactive modules will teach you both the technical skills and social aspects essential for successful privacy engineering, explain how they align with corresponding security practices, and highlight how these privacy skills can strengthen your security posture. With plenty of hands-on experience through a set of exercises, class discussions, and productive collaboration, you'll gain confidence to improve the privacy posture of your system using established design techniques, so you can take these practical skills back to your security practice.

********************

1-day Training

Title: Master AI security (In-person and online option)

Dates: June 26, 2024

Trainer: Rob van der Veer

Audience: Intermediate

See teaser video about this training!

This training is a unique opportunity to become proficient in the intricate and rapidly evolving field of AI security.

Soon, nearly every digital organization will be deploying systems that incorporate AI. This presents a significant challenge, regardless of whether you are an AppSec specialist, a developer, or a red teamer. What are your responsibilities? What constitutes the new AI attack surface, and what threats emerge from it? What measures can you take to mitigate these emerging risks?

This one-day intensive training program will equip you with the knowledge to tackle these AI-related challenges effectively, enabling you to apply what you learn immediately. Starting with a foundational overview of AI, the course then delivers an exhaustive exploration of the distinctive vulnerabilities AI introduces, the possible attack vectors, and the most current strategies to counteract threats such as prompt injection, data poisoning, model theft, evasion, and more. Through practical exercises, you will gain hands-on experience in implementing strong security measures, attacking AI systems, threat modelling AI, and running targeted vulnerability assessments of AI applications.

By day's end, you will possess a thorough comprehension of the core principles and techniques critical to strengthening AI systems. You will have gained practical insights and the confidence to implement cutting-edge AI security measures.


*******************

1-day Training

Title: The Dark Side of APIs - the Attacker way to protect software

Dates: June 26, 2024

Trainer: Paulo Silva

Audience: Beginner

Following a hands-on approach, attendees will be guided through exploiting the ten most common API security risks according to the OWASP API Security Top 10. The security issues will be discussed in depth, including their mitigation. Protocol-specific API security issues will be addressed and discussed to cover the most common API protocols. Training sessions are delivered by a security practitioner and OWASP project leader.

# Target Audience

API developers, DevSecOps, Pentesters, and systems integrators

# Training Program

Part 1

* Introduction to the Open Web Application Security Project (OWASP), the OWASP API Security Project, and the OWASP API Top 10
* The HTTP protocol and how APIs work on top of it

Part 2

For each of the ten most common API security risks (according to the OWASP API Top 10):

* Exploit the vulnerability
* Discuss the security issue, impact, and how to mitigate the risk

Part 3

* GraphQL-specific security risks

# What You’ll Learn

* Relevant OWASP projects and how to use them to write secure code
* HTTP protocol fundamentals and how APIs work on top of it
* In-depth knowledge of the ten most common API security risks
* API protocol-specific risks (e.g. GraphQL)
* How threat agents exploit API vulnerabilities: tools and techniques
* How to avoid the most common API security issues

********************

1-day Training

Title: Intersectional Threat Modeling for Identifying, Ranking, and Mitigating Offline Threats, Risks, and Dangers

Dates: June 26, 2024

Trainer: Michael Loadenthal

Audience: Beginner

This workshop introduces a logic, methodology, and toolset for intersectional, risk-centric, attack-driven threat modeling, tailored to both technical (i.e., computer/network-based) and non-technical practitioners (e.g., journalists, human rights defenders). This approach focuses on promoting proactive harm reduction through a focus on the context-sensitive aspects of human, organizational, and networked digital systems. Backed by dozens of case studies and more than a decade of direct application, this session will help enumerate how ‘technical’ and ‘non-technical’ users can benefit from the logic and methods of threat modeling.

Participants will be challenged to consider their own threat environment and to actively engage with the process through in-session brainstorming activities, risk assessments, and other illustrative exercises. This workshop does not require any technical know-how, but participants should come prepared to investigate and explore their own security challenges. Through a combination of traditional lecture, applied discussion, and hands-on activities participants will engage directly with the process of intersectional threat modeling.

Tickets from €20.04