09:00 - 17:00 | Björn Kimminich | Juice Shop Training: Train the Trainer Edition |
09:00 - 17:00 | Georges Bolssens | Hands-on threat modeling workshop |
09:00 - 17:00 | Jeroen Beckers | The Hitchhacker's guide to the mobile galaxy |
09:00 - 17:00 | Nanne Baars | Teaching application security 101 with WebGoat |
09:00 - 17:00 | Björn Kimminich | Juice Shop Training: Train the Trainer Edition |
In this training we will learn how to make full use of the OWASP Juice Shop in our own training courses, lectures or awareness sessions:
* Intro: In this short module, we'll get to know the OWASP Juice Shop and try out some hacking and coding challenges.
* Mob hacking: Here we get to know some challenges that are particularly (un)suitable for hacking in the plenum.
* Theming: This module is all about customizing the Juice Shop to transform it into the look and feel of your company and customers.
* CTF: In this module we will use Juice Shop and CTFd tools to set up a Capture-the-Flag event in a very short time with all Juice Shop hacking challenges.
* Integration: Finally, let's look at ways to integrate with learning platforms, dashboards, etc., as well as the Juice Shop's anti-cheat features.
All modules use as few slides as possible and are instead rich in practical exercises and examples!
Requirements:
* Laptop with a recent version of Docker Desktop and Node.js/NPM installed
Björn works as Product Group Lead Application Ecosystem at Kuehne+Nagel, responsible – among other things – for the Application Security program in the corporate IT. He is an OWASP Lifetime Member, the project leader of the OWASP Juice Shop, and a co-chapter leader for the OWASP Germany Chapter. Björn also currently chairs the OWASP Project Committee.
09:00 - 17:00 | Georges Bolssens | Hands-on threat modeling workshop |
This training is a condensed version of the two-day training that Toreon has been teaching at security conferences like BlackHat USA for several years. It aims to introduce the fundamentals of threat modeling using the DICE-framework (a.k.a. the "Four Question Framework") by threat modeling a fictitious hotel booking application.
This course is an entry-level introduction to threat modeling aimed at anyone responsible for ensuring a product's security, be it software or hardware, regardless of their prior expertise in security. We advocate that threat modeling isn't just for the "happy few" but is essential knowledge for all involved in the software development lifecycle. Typical attendees of this course range from software developers, engineers, and architects to product managers focused on security, incident responders, and cybersecurity analysts or managers.
Requirements:
* A laptop with a browser is required for downloading the exercise PDFs and taking notes. No software is required.
Georges Bolssens embarked on his coding journey in the early 1990s and delved into the realm of application security in 2017. With an inherent passion for teaching, Georges is not only a seasoned developer but also an adept communicator. His unique talent lies in simplifying intricate subjects through relatable analogies, making him an engaging and effective speaker.
Having undertaken numerous consulting assignments, Georges has assumed the role of a cybersecurity educator for a diverse spectrum of professionals. His guidance has illuminated the path for individuals ranging from legal experts at renowned "Big 4" consulting firms to ethical hackers and all those in between.
In his capacity as an Application Security Consultant at Toreon, Georges has been instrumental in assisting numerous clients in constructing comprehensive threat models for their digital assets.
09:00 - 17:00 | Jeroen Beckers | The Hitchhacker's guide to the mobile galaxy |
The mobile galaxy is dominated by two solar systems: Android and iOS. Grab your towel and embark on a journey through the intricacies of mobile operating systems. Uncover the secrets and vulnerabilities of mobile app planets through static analysis. Ignite the infinite improbability drive and delve deeper with dynamic analysis to gain the skills and knowledge to outwit the Vogons.
In this training, not only the Ultimate Question of Life, the Universe, and Everything will be answered but also most of your questions regarding mobile security. Join us on this galactic adventure of exploring the OWASP MASVS and MASTG!
Requirements:
* A Linux VM with Java runtime installed
I am the mobile solution lead at NVISO, where I am responsible for quality delivery, innovation and methodology for all mobile assessments. I am actively involved in the mobile security community, and I try to share my knowledge through open-source tools, blogposts, trainings and presentations. I am the lead author and instructor of the SANS 575 course: Mobile device security and ethical hacking and a co-author of the OWASP Mobile Application Security Testing Guide (MSTG) and OWASP Mobile Application Security Verification Standard (MASVS).
09:00 - 17:00 | Nanne Baars | Teaching application security 101 with WebGoat |
A good defense against insecure code requires understanding the mechanics behind how attackers exploit simple programming mistakes. The WebGoat team will walk through exercises like SQL Injection, XSS, XXE, CSRF, … and demonstrate how these exploits work.
We will show you how you can use WebGoat to train your developers to avoid these simple but common programming mistakes. We will also show you how to extend WebGoat to create lessons specific to your environment. Join us to learn about the most basic, but common, application security problems.
Tired of all the lessons? During the training we will host a small CTF competition which you can take a shot at and compete with each other.
The workshop is really hands-on: we explain the theory behind each vulnerability, and then it is up to the participants to solve the assignments. After each lesson we explain how to mitigate the vulnerability in your day-to-day development.
WebGoat is an open source project, and through this workshop we get a lot of feedback on how we can improve it and ideas for new lessons to add to our framework.
Requirements:
* Laptop with Docker or Java 17 installed
Nanne is a security software developer with a focus on Java development and one of the project leads for the OWASP WebGoat project.