Schedule & Trainings
Tuesday, July 28 and Wednesday, July 29
- Virtual Training Courses
- 12:00pm to 4:00pm EDT / 18:00 to 22:00 CET
Please note: all courses run simultaneously over the two days, so register for only one.
Training is subject to change based on trainer availability.
API Attacks Beyond the OWASP API Top 10
- Let's face it, APIs are running the world. Third-party integrations are everywhere, from social media communication to integrations that allow services to share platforms and data. As developers race to create platforms with greater connectivity and functionality, shortcuts are taken, errors are made, and specifications are ignored, resulting in the release of insecure APIs. Front-end services and frameworks are no longer enough to protect APIs from new-world, high-speed attacks.
Over the last 20 years as a hacker, researcher, and educator I have worked with many organizations to help them stop high-speed attacks as well as sophisticated fraudsters that are constantly on the lookout for the next venue to ply their trade. In addition to case studies derived from actual attacks I will show how I was able to attack a garage door opener API and via responsible disclosure create a much safer platform for Chamberlain customers/users to control entry into their homes.
In this 8-hour class we will talk about the API attacks my company has seen against different types of platforms and compare common real-world attack types to the API Top 10.
We will look at taking apart the API calls made by Android mobile applications, using an open-source APK disassembly tool, to understand the attack surface available. The tool will be distributed as a Docker container, so students should be able to run Docker on their machines.
From a web application standpoint, we will learn how to analyze API calls and API parameters, and how to use simple tools like cURL or your favorite intercept proxy to make calls against APIs. We will cover the workflow for testing a range of use cases such as Account Takeover, Inventory Takeover/Seat Spinning, and others.
Attackers often have tools at their disposal that target specific organizations; we will highlight these tools and how they work.
Finally, we will look at case studies from various places where we have seen attacks occur, and at current attack campaigns that have thwarted the efforts of many security practitioners and development staff. A cloud environment will be available so that newly minted API security enthusiasts can try techniques and view their attacks and fingerprints in real time.
Application Security 101
- What is AppSec, what is DevSecOps, and why do they matter? A tiny bit of history and quite a few definitions.
- The goals of any AppSec program: we will set our own goals to bring back to work, which we will add to, update, improve, and plan throughout the training.
- Types of AppSec activities: what they actually mean, how you do them, and which ones you *need* to do.
- Types of AppSec tooling: what they do, when you may or may not need them, and approximate costs for budgeting purposes.
- Scaling your team: security champions, delegation, automation, and coaching.
- Developer education: what to teach, how to teach, and why.
- Setting standards and policies (with take-home examples to start you off).
- Metrics and improvement: learn which metrics really matter, how to measure them, and how to use your data to improve your program for maximum efficiency and security.
- Goals: time to adjust, improve, and make a complete plan to achieve your AppSec goals.
Continuous Compliance at DevOps speed
- Have you found communicating and collaborating with Compliance teams to be as clear as mud?
We've all been there. In this training session, we'll learn how to use CNCF OPA (Open Policy Agent) and Chef InSpec to verify the compliance status of cloud resources against standards such as the Cloud Security Alliance CCM (Cloud Security Matrix) and the AWS Security Maturity Roadmap. This helps break down some of the communication barriers with Compliance teams, as they get an immediate understanding of the compliance status of products and services.
Compliance is a major driver for investing in security in most businesses. With the growing number of systems and applications, managing the compliance of thousands of systems without automation is not practical, and Compliance teams are under immense pressure to ensure successful audit outcomes, as failure to be compliant can have significant business impact. With Compliance as Code we can increase the speed of delivery, mitigate the lack of resources and time by reusing checks across applications, provide faster feedback to engineers, scale to hundreds or thousands of systems, and make the whole process easily auditable.
In this training, we will learn how to create and verify compliance checks and integrate them into a CI/CD platform. We will also learn how to use metadata to tag resources with the compliance checks and standards they meet as we deploy them into our cloud accounts, giving both engineering and compliance teams the visibility they require for assurance of their cloud security posture.
Participants will perform all hands-on exercises in our state-of-the-art, browser-based labs.
From OWASP Top 10 To Command Shell
- This will be a hands-on, lab-driven technical deep dive: from XSS and SQLi to complete system compromise. We will examine several common OWASP Top 10 vulnerabilities, then go deeper by obtaining shell access and then root/system-level control of the owned devices. These techniques are often game-changers when explaining the vulnerabilities to others.
Hacking Modern Web apps: Master the Future of Attack Vectors
- This course is a 100% hands-on deep dive into the OWASP Security Testing Guide and the relevant items of the OWASP Application Security Verification Standard (ASVS), so it covers and goes beyond the OWASP Top Ten.
All action, no fluff: improve your security analysis workflow and immediately apply the skills you gain in your workplace. The course is packed with exercises, extra-mile challenges, and a CTF; it is self-paced and suitable for all skill levels. Continued education is provided via unlimited email support and lifetime access to the training portal, with step-by-step video recordings and interesting apps to practice on, including all future updates for free.