OWASP Global AppSec Washington, DC 2023

Join us at the Marriott Marquis for two conference days, October 30-31, with multiple tracks, followed by 1-, 2-, and 3-day training courses on November 1-3.

By OWASP Foundation

Date and time

October 30 · 9am - November 3 · 5:30pm EDT

Location

Marriott Marquis, Washington, DC

901 Massachusetts Avenue NW Washington, DC 20001 United States

Refund Policy

No Refunds

About this event

  • 4 days 8 hours

NOTE: This event reverses the schedule used at previous Global AppSec events. The conference days come first, October 30-31, and the 1-, 2-, and 3-day training classes follow on November 1-3.

Separate tickets are required for the training (November 1-3) and for the conference (October 30-31).

For a complete list and description of each training, please click the green "Tickets" button above or see below. If you would like a more detailed outline of a training or a bio of the trainer, please email events@owasp.com

Course 1: Web Application Security Essentials (3-day Training)

Trainer: Fabio Cerullo, Cycubix

Dates: November 1-3, 2023

Audience Level: Beginner

This course provides the knowledge and resources required to evaluate the security of web applications. Through theory and a strong focus on practical exercises, participants will learn to identify critical vulnerabilities in web applications, understand how they are exploited, and implement the necessary corrective measures.

The course is aligned with the OWASP Top 10 2021, a world-renowned reference document that describes the most critical web application security flaws.

The topics covered include:

Introduction to Web Application Security

Technologies used in Web Applications

The Security Tester Toolkit

Critical Areas in Web Applications

Broken Access Control

Cryptographic Failures

Injection

Insecure Design

Security Misconfiguration

Vulnerable and Outdated Components

Identification and Authentication Failures

Software and Data Integrity Failures

Security Logging and Monitoring Failures

Server Side Request Forgery (SSRF)

Format: The course combines theory and hands-on practical exercises. The participants start by learning about web application vulnerabilities. They are then given access to a purpose-built web application environment that contains the bugs and coding errors they have learned about. This provides an ideal ‘real-life’ opportunity to exploit these vulnerabilities in a safe environment.

Course 2: Hacking Modern Web & Desktop apps: Master the Future of Attack Vectors (3-Day Training)

NOTE: THIS COURSE IS AVAILABLE IN-PERSON OR YOU MAY ATTEND VIRTUALLY.

Trainers: Abraham Aranguren and Anirudh Anand, 7ASecurity

Dates: November 1-3, 2023

Audience Level: Intermediate

This course is the culmination of years of experience gained through practical penetration testing of modern web and desktop applications, as well as countless hours of research. It is structured around the OWASP Security Testing Guide and covers the OWASP Top Ten together with specific attack vectors against modern web and desktop apps. Participants gain actionable skills that can be applied immediately from day one.

Please note that our courses are 100% hands-on: we do not lecture students with boring bullet points and theory; instead we give you practical challenges and help you solve them, teaching you how to troubleshoot common issues and get the most out of this training. Training then continues after the course through our frequently updated training portal, to which you keep lifetime access, as well as unlimited email support. Each day starts with a brief introduction to the modern platform for that day (e.g. Node.js, Electron), continues with static analysis, moves on to dynamic checks, and finishes with a CTF session to test the skills gained.

Get a FREE taste for this training, including access to video recording, slides and vulnerable apps to play with:

1.5 hour workshop - https://7asecurity.com/free-workshop-desktop-apps

1 hour workshop - https://7asecurity.com/free-workshop-web-apps

Day 1: Focused specifically on Hacking Modern Web Apps: We start with understanding Modern Web Apps and then deep dive into static and dynamic analysis of the applications at hand. This day is packed with hands-on exercises and CTF-style challenges.

Day 2: Dedicated to Advanced Modern Web App Attacks: We cover advanced attacks specifically targeting Modern Web Apps, such as dumping memory, prototype pollution, deserialization attacks, OAuth, JWT flaws and more. The day is full of hands-on exercises and ends with CTF-style open challenges for additional practice.
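As an added illustration of the prototype pollution attack named above (example code written for this page, not material from the 7ASecurity course): a recursive "deep merge" of attacker-controlled JSON that is vulnerable to prototype pollution, beside a hardened merge that refuses to walk into the prototype chain. The JSON payload is constructed and the function names are hypothetical.

```javascript
// Added example, not from the course: prototype pollution through a recursive
// "deep merge" of attacker-controlled JSON, and a hardened merge that refuses
// to walk into the prototype chain. Function names are hypothetical.

// VULNERABLE: descends into every key of `source`, including "__proto__".
// JSON.parse creates "__proto__" as an ordinary own property, so Object.keys
// returns it; target["__proto__"] then resolves to Object.prototype and the
// nested values are written onto it, affecting every object in the process.
function unsafeMerge(target, source) {
  for (const key of Object.keys(source)) {
    const value = source[key];
    if (value !== null && typeof value === 'object' && !Array.isArray(value)) {
      if (target[key] === null || typeof target[key] !== 'object') {
        target[key] = {};
      }
      unsafeMerge(target[key], value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// HARDENED: skip the keys that reach the prototype chain and only descend
// into properties that `target` itself owns.
const FORBIDDEN_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

function safeMerge(target, source) {
  for (const key of Object.keys(source)) {
    if (FORBIDDEN_KEYS.has(key)) continue;
    const value = source[key];
    if (value !== null && typeof value === 'object' && !Array.isArray(value)) {
      const own = Object.prototype.hasOwnProperty.call(target, key) ? target[key] : undefined;
      if (own === null || typeof own !== 'object') {
        target[key] = {};
      }
      safeMerge(target[key], value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Constructed payload, as it might arrive in a JSON request body that the
// server merges into per-user settings.
const PAYLOAD = '{"theme":"dark","__proto__":{"isAdmin":true}}';

// Run a merge against fresh objects and report whether an unrelated object
// created afterwards inherited the attacker's property. Cleans up so a
// later run starts from an unpolluted Object.prototype.
function runMerge(mergeFn) {
  const settings = { theme: 'light' };
  mergeFn(settings, JSON.parse(PAYLOAD));
  const unrelated = {};
  const polluted = unrelated.isAdmin === true;
  delete Object.prototype.isAdmin;
  return { theme: settings.theme, polluted };
}

console.log('unsafeMerge:', runMerge(unsafeMerge)); // polluted: true
console.log('safeMerge:  ', runMerge(safeMerge));   // polluted: false
```

The deny-list on keys is the minimum fix; merging into an object created with `Object.create(null)`, or into a `Map`, removes the prototype chain altogether and is the more robust design where the receiving structure is under your control.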

Day 3: Focused on Hacking JavaScript Desktop Apps: We start with understanding JavaScript Desktop apps and various security considerations. We then focus on static and dynamic analysis of the applications at hand. The day is filled with hands-on exercises ending with a CTF for more practical fun.

Teaser Video: https://www.youtube.com/watch?v=Qckegc2gbfo

Course 3: Adam Shostack's Threat Modeling Intensive (2-Day Training)

Trainer: Adam Shostack, Shostack + Associates

Dates: November 1-2, 2023

Audience Level: Intermediate

This hands-on, interactive class focuses on learning to threat model by executing each of the steps. Students start with a guided threat modeling exercise; we then iterate and break down the skills they are learning in more depth, progressing through the Four Questions of Threat Modeling: what are we working on, what can go wrong, what are we going to do about it, and did we do a good job? The class is capped off with an end-to-end exercise that brings the skills together.

Course 4: Advanced Whiteboard hacking – aka hands-on Threat Modeling (2-Day Training)

Trainer: Sebastien Deleersnyder, Toreon

Dates: November 1-2, 2023

Audience Level: Advanced

This threat modeling training is based on real-life, hands-on practical threat modeling and has been delivered every year at OWASP since 2016 and at Black Hat USA since 2017. Our latest Black Hat training score was 4.7/5, with great feedback!

You will gain insight into our practical industry experience, helping you become a threat modeling expert. We include an exercise on MITRE ATT&CK, and we focus on embedding threat modeling in Agile and DevOps practices.

We have levelled up the threat modeling war game released at Black Hat 2023. In CTF-style challenges, your team will battle for control over an offshore wind turbine park.

The level of this training is Intermediate/Advanced. Participants who are new to threat modeling are required to complete our self-paced Threat Modeling Introduction training (about 2 hours, included with this training).

As highly skilled professionals with years of experience under our belts, we are intimately familiar with the gap between academic knowledge of threat modeling and real-world practice. To minimize that gap, we have developed practical use cases based on real-world projects. Each use case includes a description of the environment, together with questions and templates to build a threat model.

Students will be challenged in groups of 3 to 4 people to perform the different stages of threat modeling:

Diagram techniques applied on a travel booking service

Threat model a cloud-based update service for an IoT kiosk

Create an attack tree against a nuclear research facility

Create a SOC Risk Based Alerting system with MITRE ATT&CK

Mitigate threats in a payment service built with microservices and S3 buckets

Apply data protection by design and default on a loyalty app

Apply the OWASP Threat Modeling Playbook on agile development

Threat modeling the CI/CD pipeline

Battle for control over "Zwarte Wind", an offshore wind turbine park

After each hands-on exercise, the results are discussed, and students receive a documented solution.

All participants get a copy of “Threat Modeling: A Practical Guide for Development Teams” by Izar Tarandach and Matt Coles, our Threat Modeling Playbook to improve your threat modeling practice, and one year of access to our online threat modeling learning platform.

As part of this training, you will be asked to create and submit your own threat model, on which you will get individual feedback. One month after the training we organize an online review session with all the participants.

Course 5: AppSec Automation Masterclass (2-Day Training)

NOTE: THIS COURSE IS AVAILABLE IN-PERSON OR YOU MAY ATTEND VIRTUALLY.

Trainer: Abhay Bhargav, We45

Dates: November 1-2, 2023

Audience Level: Beginner

This training takes a comprehensive, focused and practical approach to implementing DevSecOps practices, with a focus on application security automation. The training is a glued-to-your-keyboard hands-on journey, with labs backed by practical examples of DevSecOps and AppSec automation.

The training starts with a view of DevSecOps and AppSec automation, specifically embedding security activities in multiple stages of the software development lifecycle. It then delves into specific application security automation approaches for SAST, SCA and supply-chain security, and DAST, and into integrating these tools into CI/CD tools and automation pipelines.

In this edition, we’re completely rebuilding our existing DevSecOps content to reflect the bleeding edge of application security automation and DevSecOps approaches. These include, but are not limited to:

Hands-on SAST for Apps and Infrastructure-as-Code, with a focus on Semgrep and CodeQL. Develop Custom SAST rules like a bawse!

Supply-Chain Security Automation: SBOMs, Source Composition Analysis and security engineering techniques. This segment will additionally cover several approaches to building secure base images for containers.

Supply-Chain Assurance and Provenance for artifacts. Supply-chain attacks are frequently enabled by a lack of assurance and poor provenance of software supply-chain artifacts. We’ll dive into the SLSA (Supply-chain Levels for Software Artifacts) framework and how automation can help achieve its levels. In addition, we’ll dive into Cosign from the Sigstore project, which can generate keyed or keyless signatures for container images and other build artifacts, including packages and SBOMs.

Secrets Management - This segment of the class dives into secrets management and encryption tools such as HashiCorp Vault, with examples of advanced implementations for encryption, key management and dynamic secrets.

DAST Automation with OWASP ZAP and Nuclei. We’ll explore API-based scanning with OWASP ZAP and test automation frameworks. In addition, we’ll explore using and building custom DAST automation with Nuclei. This not only aids integrating DAST into automation pipelines, but also supports security regression tests for more complex vulnerabilities.

Policy-as-Code with Open Policy Agent (OPA). OPA is a powerful framework for creating and enforcing policies across a variety of deployment environments, from access control and input validation in API gateways to deploying and enforcing security policies in container registries and operating systems. You’ll learn OPA’s domain-specific language, Rego, in order to understand policy-as-code frameworks.

Integrating Security Automation with CI/CD tooling. Here we’ll explore integrating security automation with CI/CD tools including GitHub Actions, GitLab and Jenkins. In addition, we’ll leverage data-flow automation tools like Robot Framework, Gaia and Prefect as alternatives to typical CI/CD tools for AppSec automation.

Each section of the training contains a challenge that lets trainees and trainers gauge the level of student learning.

Participants get 2 months of access to our online lab environment for DevSecOps training.

Course 6: Mobile Application Security Testing Guide (MASTG) - Hands-On (2-Day Training)

NOTE: THIS COURSE IS AVAILABLE IN-PERSON OR YOU MAY ATTEND VIRTUALLY.

Trainer: Sven Schleier, WithSecure

Dates: November 1-2, 2023

Audience Level: Beginner

This 2-day hands-on training teaches you how to analyse Android and iOS apps for security vulnerabilities by going through the different phases of testing, including dynamic testing, static analysis and reverse engineering, relying on the OWASP Mobile Application Security Testing Guide (MASTG). The OWASP MASTG is a comprehensive, open-source guide to mobile security testing for both iOS and Android; it offers a methodology and very detailed technical test cases for penetration testers, to ensure completeness and to cover the latest attack techniques against mobile apps.

At the beginning of the first day we give an overview of the Android platform and its security architecture. It is no longer mandatory for students to bring their own Android device; instead, a cloud-based virtualized Android device is provided for each student via Corellium. Topics include:

- Frida crash course to kick-start with dynamic instrumentation on Android apps

- Intercepting network traffic of apps written in mobile app frameworks such as Google’s Flutter

- Identifying and exploiting a real-world deep-link vulnerability

- Explore the differences and effectiveness of Reverse Engineering Android Apps through patching Smali, Xposed and Dynamic Instrumentation with Frida

- Analyze Local Storage of an Android App

- Usage of dynamic Instrumentation with Frida to:

- bypass Frida detection mechanisms

- bypass multiple root detection mechanisms

On day 2 we are focusing on iOS and will begin with an overview of the iOS Platform and Security Architecture. After explaining what an IPA container is and the iOS file system structure, we start creating an iOS testing environment with Corellium and deep dive into various topics, including:

- Analyzing iOS applications that use non-HTTP traffic including ways of intercepting the traffic

- Frida crash course to kick-start with dynamic instrumentation for iOS apps

- Bypassing SSL Pinning with SSL Kill Switch and Objection (Frida)

- Testing methodology with a non-jailbroken device by repackaging an IPA with the Frida Gadget

- Using Frida for Runtime Instrumentation of iOS Apps to bypass:

- Anti-Jailbreaking mechanisms

- Frida detection mechanism

- and other client-side security controls

At the end of each day, a CTF will be played in which you investigate two apps with the newly learned skills, and you can win a prize!

Whether you are a beginner interested in learning mobile app testing from scratch, an experienced professional who would like to enhance existing skills and perform more advanced attack techniques, or simply here for fun, this training will help you accomplish your goals.

The course consists of many different labs developed by the trainer and the course is roughly 65% hands-on and 35% lecture.

After successful completion of this course, students will have a better understanding of how to test for vulnerabilities in mobile apps, how to propose the right mitigation techniques to developers and how to execute tests consistently.

Course 7: Application Security Testing: Verifying the Right Things Were Done Right (1-Day Training)

Trainer: John DiLeo, IriusRisk

Dates: November 1, 2023

Audience Level: Beginner

Software security testing is a key component of any organization’s software assurance program. The importance of these practices is reflected by their presence throughout OWASP's Software Assurance Maturity Model (SAMM), where they are represented by two of the model's 15 core Practices (Requirements-driven Testing and Security Testing) and factor into numerous activities in the remaining Practices.

This class covers recommended Application Security Testing (AST) practices, along with supporting AST tools and ways to better leverage penetration testing, to verify and validate an application’s security features:

Verify – How do we confirm our application’s security features were built right?

Validate – How do we confirm we built the right security features, to secure the application's functionality?

Topic coverage will include establishing your overall AST strategy and aligning it with the OWASP ASVS; defining and implementing security test cases; utilizing AST tools; and using third-party penetration tests effectively within your testing strategy.
