Schedule & Trainings


Tuesday, July 28 and Wednesday, July 29

  • Virtual Training Courses
  • 12:00 pm to 4:00 pm EDT / 18:00 to 20:00 CET

Training subject to change based on trainer availability.


  • API Attacks Beyond the OWASP API Top 10

  • Learning Objectives:
    • Identify how API endpoints can be enumerated
    • Understand API call structure
    • Find parameters that can be used to attack an API
    • Identify attack patterns
  • Agenda:
    • Intros, housekeeping, how it all works
    • What is an API
    • What is the OWASP API Top 10
    • Common platform architectures for APIs
    • A look at finding API endpoints
      • APK tools
        • Install an Android application and pull its API endpoints from the APK
      • Intercepting proxies
      • Any-API
    • API requests and API parameters
      • cURL / intercepting proxies
      • HTTP methods (PUT, POST, DELETE, etc.)
    • Attacker tools
    • Common attacks
      • Account takeover
      • Inventory takeover / seat spinning
      • Scraping
    • Wrap-up

    • For over 20 years, Jason has been ethically peering into client behavior, wireless networks, web applications, APIs and cloud systems, helping organizations secure their assets and intellectual property from unauthorized access. As a consultant he has taken hundreds of organizations through difficult compliance minefields, ensuring their safety. As a researcher he has found flaws in consumer IoT systems and assisted in hardening them against external attacks. At Cequence Security Jason does research and community outreach and supports efforts to identify automated attacks against web, mobile, and API-based applications to keep Cequence's customers safe.

  • Application Penetration Testing - Crash Course

  • This application security crash course is designed to make participants aware of common web application vulnerabilities and the impact they can have on businesses. The course also covers effective defence mechanisms and the use of best practices to mitigate the risk of attacks. It focuses on the latest attacks targeted against different platforms and networks, and on the countermeasures needed to secure corporate applications, with an emphasis on the OWASP Top 10 and other common vulnerabilities and risks.

    • Experienced information security professional with a demonstrated history of working in the application security industry. Strong engineering professional with practical skills in penetration testing, code review, threat modelling, design review, mobile security testing, DevSecOps, RASP and cloud security. The instructor has previously delivered training for the OWASP Delhi and Houston chapters.

  • Application Security 101

    1. What is AppSec, what is DevSecOps, and why do they matter? A tiny bit of history and quite a few definitions.
    2. The goals of any AppSec program. We will set our own goals to bring back to work, which we will add to, update, improve and plan throughout the training.
    3. Types of AppSec activities: what they actually mean, how you do them, and which ones you *need* to do.
    4. Types of AppSec tooling: what they do, when you may or may not need them, and approximate costs for budgeting purposes.
    5. Scaling your team: security champions, delegation, automation and coaching.
    6. Developer education: what to teach, how to teach it, and why.
    7. Setting standards and policies (with take-home examples to start you off).
    8. Metrics and improvement: learn which metrics really matter, how to measure them, and how to use your data to improve your program for maximum efficiency and security.
    9. Goals: time to adjust, improve, and make a complete plan to achieve your AppSec goals.

    • Tanya Janca, also known as ‘SheHacksPurple’, is the founder, security trainer and coach of SheHacksPurple.dev, specializing in software and cloud security. Her obsession with securing software runs deep, from starting her company, to running her own OWASP chapter for 4 years in Ottawa, co-founding a new OWASP chapter in Victoria, and co-founding the OWASP DevSlop open-source and education project. With her countless blog articles, workshops and talks, her focus is clear. Tanya is also an advocate for diversity and inclusion, co-founding the international women’s organization WoSEC, starting the online #CyberMentoringMonday initiative, and personally mentoring, advocating for and enabling countless other women in her field. As a professional computer geek of 20+ years, she is a person who is truly fascinated by the ‘science’ of computer science.

  • Continuous Compliance at DevOps speed

  • Have you experienced the challenge of communicating and collaborating with Compliance teams, where everything is as clear as mud?
    We've all been there. In this training session we'll learn how to use CNCF OPA (Open Policy Agent) and Chef InSpec to verify the compliance status of cloud resources against standards such as the Cloud Security Alliance CCM (Cloud Controls Matrix) and the AWS Security Maturity Roadmap. This helps break down communication barriers with Compliance teams, because they get an immediate view of the compliance status of products and services.
    Compliance is a major driver for investing in security at most businesses. With the growing number of systems and applications, managing compliance for thousands of systems without automation is not practical, and Compliance teams are under immense pressure to ensure successful audit outcomes, since failing to be compliant can have significant business impact. With Compliance as Code we can increase the speed of delivery, mitigate the lack of resources and time by reusing checks across applications, provide faster feedback to engineers, scale to hundreds or thousands of systems, and make the whole process easily auditable.
    In this training we will learn how to create and verify compliance checks and integrate them into a CI/CD platform. We will also see how to use metadata to tag resources, as they are deployed into our cloud accounts, with the compliance checks and standards they meet, so that both engineering and compliance teams get the visibility they need for assurance of their cloud security posture.
    Participants will perform all hands-on exercises in our state-of-the-art browser-based labs.

    • Mohammed A. 'secfigo' Imran is the Founder and CEO of Practical DevSecOps and a seasoned security professional with over a decade of experience helping organizations with their information security programs.
      He has a diverse background in R&D, consulting, and product-based companies, with a passion for solving complex security problems. Imran is the founder of Null Singapore, the most significant information security community in Singapore, where he has organized more than 60 events and workshops to spread security awareness.
      He was also nominated as a community star for being the go-to person in the community whose contributions and knowledge sharing have helped many professionals in the security industry.
      He regularly speaks and delivers training at conferences such as Black Hat, DevSecCon, AppSec, All Day DevOps, Nullcon, and many other international conferences.

  • Data Privacy and Security Assessment in the Cloud using MITRE ATT&CK and OWASP Tools

  • Most information security tools and techniques focus on proactive and reactive security measures that mitigate risk to information and information systems, so that unauthorized parties cannot access, modify, or delete data. After all, the field is called 'Information Security'. However, data security is only one side of the equation. When a database is breached, as in the Equifax data breach of 2017, not only is data compromised or stolen, but that data may be associated with people (data privacy), at which point regulations such as CCPA, PCI DSS, HIPAA, and GDPR come into play.
    Does your data security assessment include data privacy?
    Attendees will come away with an understanding of how to combine data privacy impact assessment (DPIA) methodology with data security assessment to produce a more rigorous and actionable toolset for managing and weighing data privacy protections.

    • Mauricio Tavares (BS Aerospace Engineering) has worked with small and large companies in education, finance, and medical fields building and protecting user data. Currently a researcher at RENCI involved in next generation network research and an instructor with the Chameleon experimental research platform, he has given talks and workshops at ISSA InfoSecCon, Southeast Linux Fest, and IEEE SoutheastCon.

  • From OWASP Top 10 To Command Shell

  • Course Outline:
    Discovery and Reconnaissance Tools Mastery
    1. Learn how to use basic discovery tools such as Nmap, hping3 and others to find reachable ports and services.
      1. 30-minute lecture and demonstration
      2. 30-minute lab session
    2. Learn how to enumerate services to identify version information and service footprints.
      1. 30-minute lecture and demonstration
      2. 30-minute lab session
    3. Once applications are discovered, learn how to map application functionality and establish potential vulnerability profiles.
      1. 30-minute lecture and demonstration
      2. 1-hour lab session
    Web App Exploitation Tools and Techniques Mastery
    1. Learn how to map potential vulnerabilities to known exploits and exploit vectors.
      1. 30-minute lecture and demonstration
      2. 30-minute lab session
    2. Learn how to exploit discovered web application vulnerabilities.
      1. 30-minute lecture
      2. 1-hour lab session
    Owning the OS from the Web App (all hands-on walkthrough lab sessions) - 2 hours
    1. Getting a shell via the web app vulnerability
    2. Privilege escalation via PowerShell
    3. 15-minute break
    4. Creating your own backdoor from scratch
    5. Privilege escalation via the created backdoor

    • Keatron Evans is the Managing Partner at KM Cyber Security, LLC, https://kmcybersecurity.com, and responsible for global information security consulting business which includes penetration testing, cyber threat hunting, digital forensics, and training. He regularly consults for and trains members of the intelligence community of the US and other governments in offensive cyber operations and works on several classified threat hunting operations each year. Keatron is also one of the authors of the award-winning Certified Ethical Hacking course administered by the Infosec Institute. Additionally, he is the lead author of Chained Exploits: Advancing Hacking Attacks from Start to Finish, a textbook still used for offensive training throughout academic and corporate communities.

  • Hacking Modern Web apps: Master the Future of Attack Vectors

  • All action, no fluff: improve your security analysis workflow and immediately apply the skills you gain in your workplace. Packed with exercises, extra-mile challenges and a CTF; self-paced and suitable for all skill levels, with continued education via unlimited email support and lifetime access to a training portal with step-by-step video recordings.

    • After 13 years in IT security and 20 in IT, Abraham is now the CEO of 7ASecurity (7asecurity.com), a company specializing in penetration testing of web/mobile apps and infrastructure, code reviews and training. Former senior penetration tester / team lead at Cure53 (cure53.de) and Version 1 (www.version1.com). Creator of 'Practical Web Defense', a hands-on eLearnSecurity attack / defense course (www.elearnsecurity.com/PWD), and leader of OWASP OWTF, an OWASP flagship project (owtf.org). Major degree and Diploma in Computer Science; some certs: CISSP, OSCP, GWEB, OSWP, CPTS, CEH, MCSE:Security, MCSA:Security, Security+. As a shell scripting fan trained by unix dinosaurs, Abraham wears a proud manly beard. He writes on Twitter as @7asecurity @7a_ @owtfp and at https://7asecurity.com/blog. Multiple presentations, pentest reports and recordings can be found at https://7asecurity.com/publications

  • OWASP DefectDojo - the Heart of your AppSec Automation

  • You’re tasked with ‘doing AppSec’ for your company and you’ve got more apps and issues than you know how to deal with. How do you make sense of the different tools with different outputs for all your different apps? DefectDojo can be your one source of truth and become the heart of your AppSec automation program. DefectDojo grew out of a product security program 7 years ago and was created by AppSec people for AppSec people. As you progress through this course, you'll learn how to deploy DefectDojo and make the most of the many features it offers, including its REST-based API. DefectDojo can be your one source of truth for discovered security vulnerabilities, report generation, aggregation of output from over 60 different security tools, inventory of applications, tracking of testing efforts, and metrics on the AppSec program. DefectDojo was the heart of an AppSec automation effort that saw assessments increase from 44 to 414 in two years. Don't you want 9.4 times more output from your AppSec program? It's time to ditch spreadsheets and get DefectDojo.

    • Matt Tesauro is currently rolling out AppSec automation at a major financial institution and is a founder of 10Security. He is a lead for OWASP AppSec Pipeline & DefectDojo projects. The AppSec Pipeline project brings lessons from DevOps and Agile into Application Security while DefectDojo is an application that is the source of truth for DevSecOps activities and ingests output from 63 different security tools. Prior work included the Director of Community and Operations at the OWASP Foundation, Senior AppSec Engineer building an AppSec Pipeline and continuous security program for Duo Security, a Senior Software Security Engineer at Pearson and the Senior Product Security Engineer at Rackspace. He is also an Adjunct Professor for the University of Texas Computer Science department teaching the next generation of CS students about Application Security. Matt is a broadly experienced information security professional of 20+ years specializing in application and cloud security. He has also presented and provided training at various international industry events including DHS Software Assurance Workshop, OpenStack Summit, SANS AppSec Summit, AppSec US, EU and LATAM. His work has included security consulting, penetration testing, threat modeling, code reviews, training and teaching at the University of Texas and Texas A&M University. He has over 20 years of Linux experience and 7 years of using Linux containers, primarily Docker. Matt holds two degrees from Texas A&M University and several security and Linux certifications.

  • Server-Side Template Injection

  • The world is constantly changing and the way we do things keeps evolving. 'Injection' once meant a remedy for a threat; in today's climate of relentless cybercrime, the same word spells tragedy for people worldwide. One particularly grueling kind is the subject of this session: Server-Side Template Injection.
    Server-Side Template Injection (SSTI) is an injection attack that occurs when improperly sanitized user input is embedded into a server-side template and parsed as template syntax rather than treated as data. It is more dangerous, from both the developer's and the security professional's point of view, than many other injection classes, because the attacker-controlled template can call functions native to the template engine or the language underneath it. An example of a malicious expression is {{system('whoami')}}, which runs the whoami system command. Template injection can therefore lead to Remote Code Execution and, in many cases, to compromise of the entire web server.
    Isn't this attack a nightmare for developers and security professionals? Without a doubt, it is!
    To caution people on this, the session will cover how the attack works, how its severity varies across template engines and template types, effective tips for preventing it, and more.
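    The vulnerable pattern described above beside its fix, plus a black-box probe for it, as an added example that is not part of the training or its author's material. Real engines (Jinja2, Twig, FreeMarker, ERB) are not required: the small render() function is a stand-in that evaluates {{ ... }} in the template source, and it deliberately exposes no builtins, so {{system('whoami')}} does nothing here even though it would on a real engine. The greet_* functions, the probe list and the 1337*7331 canary are all assumptions made for the example.

```python
"""Added example (not the training's own code): SSTI vulnerable vs. fixed
pattern, and an arithmetic probe that detects whether a parameter is being
parsed as template source.  Standard library only; the {{ }} engine below is a
simplified stand-in for a real template engine (assumption)."""
import re
from typing import Callable, List

_EXPR = re.compile(r"\{\{(.*?)\}\}")


def render(template_src: str, context: dict) -> str:
    """Toy engine: every {{ expr }} found in the template SOURCE is evaluated.
    Substituted values are not re-scanned, just like real engines."""
    def evaluate(match: re.Match) -> str:
        expr = match.group(1).strip()
        # No builtins: arithmetic and context lookups only (simplification).
        return str(eval(expr, {"__builtins__": {}}, dict(context)))
    return _EXPR.sub(evaluate, template_src)


def greet_vulnerable(name: str) -> str:
    """BUG: untrusted input is concatenated into the template source, so any
    {{ ... }} inside `name` is parsed and evaluated by the engine."""
    return render("Hello " + name + "!", {})


def greet_fixed(name: str) -> str:
    """FIX: the template is a fixed string and `name` is passed as data, so it
    is never parsed for template syntax."""
    return render("Hello {{ name }}!", {"name": name})


# Arithmetic probes in the syntax of common engine families.  The product is
# chosen so it is unlikely to appear in a page by accident (assumed canary).
_A, _B = 1337, 7331
PROBES = [
    "{{%d*%d}}" % (_A, _B),      # Jinja2 / Twig / Nunjucks style
    "${%d*%d}" % (_A, _B),       # FreeMarker / Velocity / Thymeleaf style
    "<%%= %d*%d %%>" % (_A, _B), # ERB style
    "#{%d*%d}" % (_A, _B),       # Slim / Pug style interpolation
]
_EXPECTED = str(_A * _B)  # "9801547"


def probe_ssti(send: Callable[[str], str]) -> List[str]:
    """Submit each probe through `send` (a function that sends one value and
    returns the response body) and report the payloads that came back
    evaluated: the product is present and the raw payload is not echoed."""
    hits = []
    for payload in PROBES:
        body = send(payload)
        if _EXPECTED in body and payload not in body:
            hits.append(payload)
    return hits


if __name__ == "__main__":
    print("vulnerable:", probe_ssti(greet_vulnerable))  # ['{{1337*7331}}']
    print("fixed:     ", probe_ssti(greet_fixed))       # []
```

    Against a real target, `send` would be a function that puts the payload into the suspect parameter over HTTP and returns the body; the probe reports which syntax family evaluated the expression, which is the usual first step before engine fingerprinting. The fix is structural: keep template source static and pass user data only through the context.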

    • Dhamotharan is a seasoned security professional with over a decade of experience ranging from application security to infrastructure and, now, DevSecOps. He is currently working as a Lead Cyber Defence Analyst with PayU India. Some of his research ideas and technical advisories can be found on his blog. A security researcher, active speaker and bug hunter, he has discovered multiple bugs in modern web applications, and his research has identified vulnerabilities in over 200 organisations including the US Department of Homeland Security, Google, Microsoft, Oracle, Slack, Sony, Sophos, Bitdefender, ING, NN Group, Cisco and Matomo. He works with various communities (OWASP Seasides, BSides, Nullcon and National Cyber Safety and Security Standards, India) and is passionate about increasing participation in the infosec space. He has been a speaker at OWASP Global Seasides 2020 and the NCDR Conference. Dhamotharan also volunteers as a member of National Cyber Safety & Security Standards (NCDRC), India, is Lead Security Researcher in the Bug Discover community, and is the OWASP Erode Chapter Leader.

  • Solve Your Security Requirements with Keycloak

  • Have you started to create your web application?
    Are you tired of solving the same security requirements over and over?
    Requirements like brute force protection, password policy, two-factor authentication, and so on?
    We have the solution for you!
    Have you heard about Keycloak?
    Keycloak is an open-source Identity and Access Management solution.
    Join the training and you will see how to adopt Keycloak.
    You will learn how to easily add security features such as brute force protection, password policy, two-factor authentication and more to your web application.

    • Michael Furman has over 13 years of experience with application security.
      Michael Furman has been the Lead Security Architect at Tufin for over 6 years. He is responsible for the security of all Tufin software products.
      Tufin has over 2000 customers, including over half of the Fortune 50 organizations.

  • Training: Attacks on IVR Systems and Call Centers in Practice

  • This training was created for everyone interested in the security of call centers, from bug hunters to security engineers. Short plan:
    • How to find and hack an IVR system
    • Financial attacks on call centers
    • Social engineering
    • How to protect a call center
    • Automation of security testing
    • Attacks on call center infrastructure
    • Practical cases

    • Aleksandr Kolchanov is an independent security researcher and consultant and a former penetration tester at a bank in Russia. He takes part in various bug bounty programs (PayPal, Facebook, Yahoo, Coinbase, ProtonMail, Yandex, PrivatBank). Aleksandr is interested in uncommon security issues, telecom problems, privacy, and social engineering. Speaker at PHDays 2018 and 2019, c0c0n 2018, DeepSec 2018 and 2019, HITB 2019, Infosec in the City 2019, OzSecCon 2019, Hacktivity 2019, No cON Name 2019 and BSides.