
Training

The OWASP Appsec Research 2012 conference is offering world-class application security training courses for a variety of skill levels and interests. This year the available training modules address hot topics like mobile security and at the same time cover every aspect of software security: building, breaking and defending.

The time schedule for training sessions will be:

9:30 – 11:00: First Session

11:00 – 11:30: Coffee Break

11:30 – 13:00: Second Session

13:00 – 14:00: Lunch Break

14:00 – 15:30: Third Session

15:30 – 16:00: Coffee Break

16:00 – 17:30: Fourth Session

Room allocation:

Elite Web Defense – How to build robust and secure web applications: B

Assessing and Exploiting Web Applications with Samurai-WTF: C

Hack Your Own Code: Advanced training for developers: E

Mobile Security: Securing Your Small, Smart Devices: ST

See the venue map for more information.

Below you can find brief descriptions of the available training courses. For any further inquiries you can contact us at: appseceu+training@owasp.org

All 1-day trainings cost 495€ and all 2-day trainings cost 990€.

Mobile Security: Securing Your Small, Smart Devices

Trainer: David Wichers (Aspect Security)

Audience Background: Technical

Audience Skill: Intermediate

Duration: 2 Days – July 10-11, 2012 (cost: 990 €)

Training Summary: Smart phones and tablets are everywhere these days. These small, smart devices provide as much functionality as a desktop or laptop. The chances of misplacing or losing these mobile devices are high, and a breach of an organization’s and/or user’s data is a probable risk. Securing the applications and connectivity is crucial.

Because we believe that the best way to learn is by doing, much of the course’s content will be delivered in a lab environment. This approach enables students to have hands-on experience with attack tools and flawed applications so that they can learn how to identify vulnerabilities using real-world scenarios.

More information about the training as well as a short bio about the trainer can be found here.

 

Building a Software Security Program On Open Source Tools

Trainer: Dan Cornell (Denim Group)

Duration: 2 days – July 10-11, 2012 (cost 990 €)

Training Summary: Using the Software Assurance Maturity Model (OpenSAMM) as a framework, this course walks through the major components of a comprehensive software security program and highlights open source and other freely-available tools that can be used to help implement the activities involved in such a program. The focus of the course is on providing hands-on demonstrations of the tools with an emphasis on integrating tool results into the overall software security program. Featured tools include: ESAPI, Microsoft Web Protection Library, FindBugs, FxCop, CAT.NET, Brakeman, Agnitio, Arachni, w3af, ZAProxy, ThreadFix as well as other educational resources from OWASP. Attendees should finish the course with a solid understanding of the various components of a comprehensive software security program as well as hands-on experience with a variety of freely-available tools that they can use to implement portions of these programs.

More information about the training as well as a short bio about the trainer can be found here.

 

Assessing and Exploiting Web Applications with Samurai-WTF

Trainer: Justin Searle (Meeas Security)

Audience Background: Technical

Skill Level: Basic/Intermediate

Duration: 2 Days – July 10-11, 2012 (cost 990 €)

Training Summary: Come take the official Samurai-WTF training course given by one of the founders and lead developers of the project! You will learn the latest Samurai-WTF open source tools as well as the latest techniques to perform web application penetration tests. After a quick overview of pen testing methodology, the instructors will lead you through the penetration and exploitation of various web applications, including client side attacks using flaws within the application. Different sets of open source tools will be used on each web application, allowing you to learn firsthand the pros and cons of each tool. After you have gained experience with the Samurai-WTF tools, you will be challenged with a capture the flag event. This final challenge will give you time to practice your new skills at your own pace and experiment with your favorite new tools. This experience will help you gain the confidence and knowledge necessary to perform web application assessments and expose you to the wealth of freely available, open source tools.

More information about the training as well as a short bio about the trainer can be found here.

Hack Your Own Code: Advanced training for developers

Trainer: David Byrne, Charles Henderson (Trustwave)

Audience Background: Technical, Programmers

Skill Level: Intermediate, Advanced, Programmers

Duration: 2 days – July 10-11, 2012 (cost 990 €)

Training Summary: This class provides developers an exciting chance to hone their programming skills while also learning to exploit common web vulnerabilities. Unlike most training, this will not use static demos based on pre-canned source code. Students will program small parts of a larger application during the class’s lab periods. After the component has been written, students will review the code for the vulnerability being focused on in the lab. Vulnerable code will be run on a class-accessible server while the instructor guides students through exploiting the vulnerabilities. After the vulnerability has been exploited, students will be shown how their own code can be fixed (if it was vulnerable) and the best way to prevent the flaw in the first place.

This full process will be performed for all major code vulnerabilities in the OWASP Top Ten. Exploitation and patching labs (but not programming) will be held for other vulnerabilities, including logic flaws that are hard to represent on the Top Ten. Several labs will feature prizes for the students that first find or exploit the targeted vulnerability. Environments and examples will be set up for all major platforms requested by pre-registered students. Students should bring a laptop with them, preferably with VMWare Player already installed. A virtual machine based on the OWASP Live Boot CD will be provided for lab work. The virtual machine will include development tools, but students should feel free to bring their favorite programs too.

More information about the training as well as a short bio about the trainer can be found here.

 

Application Attack Detection & Response – A Hands-on Planning Workshop

Trainer: Colin Watson (Watson Hall Ltd)

Audience Background: Either of Management, Technical, Operations

Skill Level Required: intermediate and/or advanced

Duration: 1 Day – July 10, 2012 (cost 495 €)

Training Summary:

A hands-on day-long workshop where participants will learn how to define, select and specify application-specific intrusion detection and protection (IDP). The training course uses a problem-centered approach where participants are encouraged to use their own knowledge and experience to apply the techniques learned in example paper-based lab projects. Most of the day will be spent working in small teams creating strategies and implementation plans, which could subsequently be used in development. The course does not involve any coding and is language/framework agnostic. It is based on the concepts in the OWASP AppSensor Project. Full printed handouts are provided together with materials for all the exercises, so participants can take these away and apply the ideas within their own organizations. Previous delegates said “Good course content. Good exercises to work as a team.”, “Content was excellent. Can take this back to the office and apply immediately.” and “This course was worth the money”.

More information about the training as well as a short bio about the trainer can be found here.

 

Elite Web Defense – How to build robust and secure web applications

Trainer Name: Jim Manico and Eoin Keary (WhiteHat Security and BCC Risk Advisory)

Audience Background: Technical

Audience Skill: Intermediate

Duration: 1 Day – July 11, 2012 (cost 495 €)

Training Summary: This highly interactive, intensive 1-day class provides essential web application security training for web application software developers and architects. The class is a combination of lecture, hands-on security testing and code review. Participants will not only learn the most common threats against web applications, but more importantly they will learn how to also fix the problems via control-based defensive code samples and review. Topics such as Authentication, Access Control, Crypto, Cross Site Request Forgery, Cross Site Scripting, Injection Defense, Clickjacking Defense, Session Management and other topics will be addressed from a defensive point-of-view.

More information about the training as well as a short bio about the trainer can be found here.