Loading…
Attending this event?
THE MUST ATTEND EVENT FOR CYBERSECURITY PROFESSIONALS
Monday, September 23
 

9:00am PDT

3 Day Training: Attacking and Defending - AWS, Azure and GCP Applications
Monday September 23, 2024 9:00am - 5:00pm PDT
Day 1 Story: SEOptimyze - Lambda Privilege Escalation - Attack, Detect, and Defense The application is an example of a real-world SEO optimizer, where we analyze website performance and store the files in an S3 bucket, and store other values in DynamoDB. This is a “serverless” app that uses AWS Lambda, API Gateway, DynamoDB, Amazon S3, and other AWS Services. Attack Story Concepts * Attacking Vulnerable Lambda Function and pillaging credentials * Leveraging IAM misconfiguration to be able to escalate privileges * Misconfigured security parameters on S3 and DynamoDB Incident Response * Detection and Response * Promptly detect suspicious activity through monitoring AWS CloudTrail logs, AWS Config, and CloudWatch metrics. * Activate the incident response team upon detection and isolate affected resources. * Containment and Eradication * Contain the incident by disabling compromised IAM credentials and restricting access to affected resources. Investigate the root cause and remove any malicious code or unauthorized access. * Recovery * Restore affected resources from clean backups or rebuild them, ensuring revoked credentials are replaced. Implement security improvements, such as enhancing configurations and conducting thorough testing. Defense Topics and Mini Labs * Lambda Least Privilege Configuration * Remediate Application Vulnerability * Scan Lambda Function with Automated Security Tools Story: Amazon EC2 Attack, Detect, and Defense Lab This stack is a more traditional application stack. Applications and Databases are deployed as VMs in VPCs inside AWS environments. The story focuses on the attacker's objective to attempt to exfiltrate sensitive information from a VPC Attack Story Concept Coverage * Compromise Application hosted on VM, steal credentials from VM * Insecure VPC Configuration along with IAM privilege misconfiguration * Adversary objective OS to perform data exfiltration from internal assets deployed across VPCs Incident Response * Detection and Response[a][b] * Utilize network monitoring, intrusion detection systems, and log analysis to detect suspicious activities such as unauthorized access attempts, unusual network traffic, or unexpected changes in IAM permissions. * Upon detection, activate the incident response team and isolate compromised VMs and affected VPCs to prevent further data exfiltration. * Containment and Eradication * Conduct a comprehensive investigation to determine the root cause of the compromise, including analyzing system logs, network traffic, and IAM configurations. * Contain the incident by revoking compromised credentials, disabling compromised VMs, and implementing security group rules to restrict access to sensitive resources. * Recovery * Recover affected systems by restoring from clean backups or rebuilding them with hardened configurations using Infrastructure as Code (IaC) principles. * Implement VPC hardening measures, including adjusting security group settings, network ACLs, and IAM policies, to prevent similar attacks in the future. Detect Topics and Mini-Labs * VPC Flow Logs for CloudWatch metrics to set the alarm * Threat Intelligence using GuardDuty * CloudWatch Log Insights * Using OSS Cloud Security Posture Management Tools to detect security incidents * Setup automated detection pipeline using AWS Lambda, SNS on VM State Changes, and VPC State Change Defense Topics and Mini-Labs * Harden VM and Configurations using Infrastructure as Code * VPC Hardening and Security Configurations * Hardening with specific Security Groups * IAM Tag-based condition for VPC[c]

Day 2 Story: EKS Privilege Escalation Attack, Detect and Defense Attack Story Concepts * Privilege Escalation on EKS cluster, leveraging vulnerable container * Privilege Escalation involving Amazon ECR, KMS, S3, and so on * Trojanizes the container images and pushes them to the ECR Incident Response * Detection and Response * Utilize monitoring tools such as AWS CloudWatch, AWS Config, and AWS CloudTrail to detect unauthorized access attempts, unusual activity on EKS clusters, and suspicious interactions with ECR, KMS, and S3. * Employ intrusion detection systems and anomaly detection mechanisms to identify potential privilege escalation attempts and unauthorized modifications to container images in ECR. * Implement alerts and notifications to promptly notify the incident response plan upon detection of suspicious activities or security violations. * Containment and Eradication * Immediately isolate compromised containers or EKS clusters to prevent further unauthorized access and potential data exfiltration. * Analyze the extent of the privilege escalation and identify the compromised container images pushed to ECR. * Disable or remove malicious container images from ECR and revoke any compromised IAM credentials or permissions associated with the incident. * Conduct a thorough investigation to identify the root cause of the attack and address any vulnerabilities or misconfigurations that contributed to the incident. * Recovery * Restore affected EKS clusters and container images from clean backups or rebuild them using secure configurations and best practices. * Implement security enhancements such as IMDSv2 to prevent metadata credential compromise, fix SSRF or Path Traversal vulnerabilities in the application, and configure OIDC for Kubernetes deployment on EKS to enhance authentication and authorization mechanisms. * Review and update IAM policies, ECR defense parameters, and overall security posture to mitigate the risk of future privilege escalation attacks and unauthorized access to containerized environments. Defense Topics and Mini-Labs * IMDSv2 to prevent Metadata credential compromise from RCE/SSRF/Path Traversal * Fix SSRF or Path Traversal in the Application * OIDC for Kubernetes deployment on EKS * ECR Defense Parameters - Tag IAM[d] and IAM Hardening Story: GCP Cloud Run metadata Attack and Defense Attack Story Concept Coverage * Application with Deserialization vulnerability is deployed in Cloud Run instance * Exploit the application and get a reverse shell from the compromised application * Sensitive information disclosure from the metadata endpoints Incident Response * Detection and Response * Utilize VPC flow logs to monitor network traffic and detect suspicious activities, such as unexpected connections or unusual data transfer patterns. * Implement real-time monitoring using Pub/Sub to receive alerts and notifications about potential security incidents or abnormal behavior in Cloud Run instances. * Investigate alerts promptly and analyze metadata endpoints for any signs of sensitive information disclosure or unauthorized access attempts. * Leverage Security Command Center for Threat Detection * Containment and Eradication * Upon detection of a deserialization vulnerability exploit or a reverse shell, immediately isolate the compromised Cloud Run instance to prevent further unauthorized access. * Utilize firewall rules to block incoming and outgoing connections associated with the compromised instance and prevent the reverse shell from communicating with external servers. * Apply IAM deny policies to restrict access to sensitive resources and prevent unauthorized actions from the compromised service account. * Recovery * Implement a fix to address the YAML deserialization vulnerability in the application deployed on Cloud Run instances. * Enhance application security by adding authentication via GCP Identity-Aware Proxy (IAP) to prevent unauthorized access to sensitive endpoints and data. * Restore the compromised Cloud Run instance from a clean backup or rebuild it with least-privileged service account permissions and hardened configurations. * Conduct a post-incident review to identify lessons learned and update incident response procedures, security controls, and employee training to improve the organization's resilience against similar attacks in the future. Defense Story Concept Coverage * Fix that prevents the YAML deserialization attack * Add the Authentication to the application via GCP IAP * Prevent the reverse shell using firewall rules * IAM Deny Policies * Run service with a least-privi
Speakers
avatar for Abhay Bhargav

Abhay Bhargav

Founder, AppSecEnginner
Abhay Bhargav is the founder at AppSecEngineer, a revolutionary training platform committed to solving the Security Skills Shortage. He has created some pioneering works in the area of DevSecOps and AppSec Automation, including the world’s first hands-on training program on DevSecOps... Read More →
Monday September 23, 2024 9:00am - 5:00pm PDT

9:00am PDT

3 Day Training: Attacking the Application Supply Chain
Monday September 23, 2024 9:00am - 5:00pm PDT
Supply Chain risks are everywhere. We’ve seen a burst of supply chain exploits against organizations, totaling billions of dollars of value lost. Supply-chain security and implementation is essential and required by regulation. However, pentesters and red-teams must understand how they can leverage supply-chain attacks against applications, to further strengthen their defense implementations against it.

This training is a deep hands-on, red-team exploration of application supply-chains. We commence with an understanding of application supply chains, and subsequently dive into story-driven scenarios of exploiting supply-chains like exploiting CI systems, and build systems. Container infrastructure and cloud-native infrastructure hosted on Kubernetes, AWS, and Azure.

People learn better with stories. Our exploit and lateral movement scenarios are intricately designed labs that are backed by real-world stories that help students understand this subject-matter a lot better. This training was sold out at Blackhat USA 2023 with a 4.8/5 Rating
Speakers
VP

Vishnu Prasad

AppSec Engineer, we45
Vishnu Prasad is a DevSecOps Lead at we45. A DevSecOps and Security Automation wizard, he has implemented security in DevOps for numerous Fortune 500 companies. Vishnu has experience in Continuous Integration and Continuous Delivery across various verticals, using tools like Jenkins... Read More →
Monday September 23, 2024 9:00am - 5:00pm PDT

9:00am PDT

3 Day Training: Hacking Modern Web & Desktop apps: Master the Future of Attack Vectors
Monday September 23, 2024 9:00am - 5:00pm PDT

**NOTE:Conference and training tickets are separate purchases.

This course is a 100% hands-on deep dive into the OWASP Security Testing Guide and relevant items of the OWASP Application Security Verification Standard (ASVS), so this course covers and goes beyond the OWASP Top Ten.

Long are the days since web servers were run by perl scripts and desktop apps written in Delphi. What is common between Walmart, eBay, PayPal, Microsoft, LinkedIn, Google and Netflix? They all use Node.js: JavaScript on the server. What is common between Microsoft Teams, Skype, Bitwarden, Slack and Discord? All of them are written in Electron: JavaScript on the client. Modern Web and Desktop apps share traditional attack vectors and also introduce new opportunities to threat actors. This course will teach you how to review modern web and desktop apps, showcasing Node.js and Electron but using techniques that will also work against any other web or desktop app platform. Ideal for Penetration Testers, Web and Desktop app Developers as well as everybody interested in JavaScript/Node.js/Electron app security.

Get a FREE taste for this training, including access to video recording, slides and vulnerable apps to play with:

1.5 hour workshop - https://7asecurity.com/free-workshop-desktop-apps
1 hour workshop - https://7asecurity.com/free-workshop-web-apps

All action, no fluff, improve your security analysis workflow and immediately apply these gained skills in your workplace, packed with exercises, extra mile challenges and CTF, self-paced and suitable for all skill levels, with continued education via unlimited email support and lifetime access to training portal with step-by-step video recordings and interesting apps to practice, including all future updates for free.

Teaser Video: https://www.youtube.com/watch?v=Qckegc2gbfo

Speakers
avatar for Abraham Aranguren

Abraham Aranguren

Managing Director, 7ASecurity
After 15 years in itsec and 22 in IT Abraham is now the CEO of 7ASecurity (7asecurity.com), a company specializing in penetration testing of web/mobile apps, infrastructure, code reviews and training. Co-Author of the Mobile, Web and Desktop (Electron) app 7ASecurity courses. Security Trainer at Blackhat USA, HITB, OWASP Global AppSec and many other events. Former senior... Read More →
Monday September 23, 2024 9:00am - 5:00pm PDT

9:00am PDT

3 Day Training: The Mobile Playbook - A guide for iOS and Android App Security
Monday September 23, 2024 9:00am - 5:00pm PDT
(Available as hybrid - in Person or online)

This three-day hands-on course teaches penetration testers and developers how to analyse Android and iOS applications for security vulnerabilities by going through the different phases of testing, including dynamic testing, static analysis, reverse engineering and Software Composition Analysis (SCA), using the OWASP Mobile Application Security Testing Guide (MASTG).

The OWASP MASTG is a comprehensive and open source guide to mobile security testing for both iOS and Android, providing a methodology and very detailed technical test cases to ensure completeness and using the latest attack techniques against mobile applications.

This course will give you hands-on experience with open source tools and advanced methodologies by guiding you through real-world scenarios.

## Detailed outline

We'll start the first day with an introduction to the OWASP MASVS and MASTG and the latest updates to it and then dive into the Android platform and its security architecture. Students will no longer be required to bring their own Android device, instead each student will be provided with a cloud-based virtualised Android device from Corellium.

Topics include:
- Intercepting network traffic from apps written in mobile app frameworks such as Google's Flutter
- Reverse engineering a Kotlin app and identifying and exploiting a real-world deep link vulnerability through manual source code review.
- Explore the differences and effectiveness of reverse engineering Android apps using Smali patching, Magisk and Dynamic Instrumentation with Frida
- Frida crash course to get started with dynamic instrumentation on Android apps
- Bypass different implementations of SSL pinning using Frida
- Use dynamic instrumentation with Frida to
- Bypass multiple root detection mechanisms
- Bypass Frida detection mechanisms -

Day 1 will be closed with a Capture the Flag (CTF)

On day 2 we wrap up Android and start with iOS and we will use a Github repo to trigger static scanning, SCA and secret scanning on Kotlin and Swift:
Android: - Analyse the storage of an Android app and understand the various options on how and where files can be stored (app-specific, shared storage etc.)
- Using Brida (Frida and Burp) to bypass End2End encryption in an Android App
- Static Scanning of Kotlin source code, identifying vulnerabilities and eliminating false positives
- Scanning for secrets in an APK iOS:
- Introduction into iOS Security fundamentals
- Scanning for secrets in a Swift repository and identifying ways to handle them securely.
- Software Composition Analysis (SCA) for iOS
- Scanning 3rd party libraries and SDKs in mobile package managers for known vulnerabilities and mitigation strategies.
- Statically scanning Swift source code, identifying vulnerabilities and eliminating false positives.
- Demonstration on how to test watchOS apps and it's limitations

Day 3 focuses on iOS.
We will begin the day by creating an iOS test environment using Corellium and dive into several topics, including:
- Intercepting network traffic of an iOS App in various scenarios, including intercepting traffic that is not HTTP
- Examining stateless authentication (JWT) in a mobile app
- A Frida crash course to get started with dynamic instrumentation for iOS applications
- Analyse the storage of an iOS app and understand the various options on how (Realm databases etc.) and where files can be stored.
- Testing methodology with a non-jailbroken device by repackaging an IPA with the Frida gadget
- Using Frida to bypass runtime instrumentation of iOS applications
- Anti-Jailbreaking Mechanisms
- Frida's detection mechanism We'll wrap up the final day with a "Mobile Hacking Scavenger Hunt." This unique CTF will feature not just mobile apps but also physical art objects, which we refer to as "hackable artworks". Whether you are a beginner who wants to learn mobile app testing from the ground up, or an experienced pentester or developer who wants to improve your existing skills to perform more advanced attack techniques, or just for fun, this training will help you achieve your goals.

The course consists of many different labs developed by the instructor and is approximately 65% hands-on and 35% lecture. Upon successful completion of this course, students will have a better understanding of how to test for vulnerabilities in mobile applications, how to suggest the right mitigation techniques to developers, and how to perform tests consistently.

### What students should bring

The following requirements must be met by students in order to be able to follow all exercises and participate fully:
- Laptop (Windows/Linux/macOS) with at least 8GB of RAM and 40GB of free disk space.
- Full administrative access in case of problems with the laptop environment (e.g. ability to disable VPN or AV/EDR) - Virtualisation software (e.g. VMware, VirtualBox, UTM); a virtual machine will be provided for X86 and ARM architecture (for M1/M2/M3 MacBooks) with all tools required for the training.
- Ideally a tablet to have a second screen for the practical lab slides when doing the hands-on sessions.
- Github account is needed (free account is sufficient) to fork a repository

An iOS and Android device is NOT required as an emulated instance is provided for each student hosted at Corellium. This is a cloud-based environment that allows each student access to a jailbroken iOS device and a rooted Android device during the training.

### What students will receive
- Slide decks for the iOS and Android training and all videos for all demonstrations shared in class.
- All vulnerable apps used during the training, either as APK or IPA.
- Detailed write-ups for all labs so you can review them at your own pace after the course.
- Dedicated Slack channel used to help students prepare before the course, communicate during the course and stay in touch after the course for any questions.
- Certificate of completion.

## What prerequisites should students have before attending this training?
- This course is for Beginners and Intermediate
- Basic understanding of mobile apps
- Able to use Linux command line

## Biography of the trainer Sven: is a co-founder of Bai7 GmbH in Austria, which is specialized in mobile app trainings and advisory. He has expertise in cloud security, offensive security engagements (Penetration Testing) and Application Security, notably in guiding software development teams across Mobile and Web Applications throughout the Software Development Life Cycle (SDLC) to integrate robust security measures in from the start. Besides his day job, Sven is involved with the Open Worldwide Application Security Project (OWASP) since 2016. As a co-project leader and author, he has significantly contributed to the OWASP Mobile Application Security Testing Guide (MASTG) and the OWASP Mobile Application Security Verification Standard (MASVS).
Speakers
avatar for Sven Schleier

Sven Schleier

Principal Security Consultant, Crayon
Sven is living in Austria and a Principal Security Consultant at Crayon, specialised in Cloud Security. He has extensive experience in offensive security engagements like Penetration Testing and Application Security by supporting and guiding software development projects for Mobile... Read More →
Monday September 23, 2024 9:00am - 5:00pm PDT

9:00am PDT

3 Day Training: Web Application Security Essentials
Monday September 23, 2024 9:00am - 5:00pm PDT
This course provides the knowledge and resources required to evaluate the security of web applications. The participants, through the understanding of theory and a strong focus on practical exercises, will be able to identify critical vulnerabilities in web applications, understand how exploitation works and learn how to implement the necessary corrective measures. The course is aligned with the OWASP 10 2021, a world-renowned reference document which describes the most critical web application security flaws.

The topics covered include:
- Introduction to Web Application Security
- Technologies used in Web Applications
- The Security Tester Toolkit
- Critical Areas in Web Applications
- Broken Access Control
- Cryptographic Failures
- Injection
- Insecure Design
- Security Misconfiguration
- Vulnerable and Outdated Components
- Identification and Authentication Failures
- Software and Data Integrity Failures
- Security Logging and Monitoring Failures
- Server Side Request Forgery (SSRF)

Format: The course combines theory and hands-on practical exercises. The participants start by learning about web application vulnerabilities. They are then given access to a purpose-built web application environment that contains the bugs and coding errors they have learned about. This provides an ideal ‘real-life’ opportunity to exploit these vulnerabilities in a safe environment.
Speakers
avatar for Fabio Cerullo

Fabio Cerullo

Managing Director, Cycubix LTD
Fabio delivered this training to thousands of developers and security professionals. He also regularly delivers training to technical audiences on various topics such as application security, cloud security, and information security. Here is a reference from one attendee of his courses... Read More →
Monday September 23, 2024 9:00am - 5:00pm PDT

10:30am PDT

AM Break
Monday September 23, 2024 10:30am - 11:00am PDT
Monday September 23, 2024 10:30am - 11:00am PDT

12:30pm PDT

Lunch
Monday September 23, 2024 12:30pm - 1:30pm PDT
Monday September 23, 2024 12:30pm - 1:30pm PDT

3:00pm PDT

PM Break
Monday September 23, 2024 3:00pm - 3:30pm PDT
Monday September 23, 2024 3:00pm - 3:30pm PDT
 
Tuesday, September 24
 

9:00am PDT

2 Day Training:Agile Whiteboard Hacking – aka Hands-on Threat Modeling
Tuesday September 24, 2024 9:00am - 5:00pm PDT
Based on the updated Black Hat edition 2024 training, you will be challenged with hands-on threat modeling exercises based on real-world projects. You will get insight into our practical industry experience, helping you to become a Threat Modeling Practitioner. We included an exercise on MITRE ATT&CK, and we focus on embedding threat modeling in Agile and DevOps practices. And we introduce a new challenge on threat modeling a Machine Learning-Powered Chatbot.

We levelled up the threat modeling war game. Engaged in CTF-style challenges, your team will battle for control over an offshore wind turbine park. The level of this training is Beginner/Intermediate. Participants who are new to threat modeling are advised to follow our self-paced Threat Modeling Introduction training (which is about 2 hours and is included in this training).

As highly skilled professionals with years of experience under our belts, we're intimately familiar with the gap between academic knowledge of threat modeling and real-world practice. To minimize that gap, we have developed practical use cases, based on real-world projects. Each use case includes a description of the environment, together with questions and templates to build a threat model.

Students will be challenged in groups of 3 to 4 people to perform the different stages of threat modeling:
• Diagram techniques applied on a travel booking service
• Threat model a cloud-based update service for an IoT kiosk
• Create an attack tree against a nuclear research facility
• Create a SOC Risk Based Alerting system with MITRE ATT&CK
• Mitigate threats in a payment service build with microservices and S3 buckets
• Threat modeling a Machine Learning-Powered Chatbot
• Apply the OWASP Threat Modeling Playbook on agile development
• Threat modeling the CI/CD pipeline
• Battle for control over "Zwarte Wind", an offshore wind turbine park

After each hands-on exercise, the results are discussed, and students receive a documented solution.

As part of this training, you will be asked to create and submit your own threat model, on which you will get individual feedback.

All participants get our Threat Modeling Playbook to improve you threat modeling practice, one-year access to our online threat modeling learning platform, and one-hour personal coaching to refine your threat modeling.
Speakers
avatar for Sebastien Deleersnyder

Sebastien Deleersnyder

CTO and Co-Founder / COO, Toreon / Data Protection Institute
Sebastien Deleersnyder (Seba) is the CTO, co-founder of Toreon and COO of Data Protection Institute. With a strong background in development and extensive experience in cybersecurity, Seba has trained numerous developers on how to create more secure software. He is also the founder... Read More →
Tuesday September 24, 2024 9:00am - 5:00pm PDT

9:00am PDT

2-Day Training: Application Security Training
Tuesday September 24, 2024 9:00am - 5:00pm PDT
Join Jim Manico for an intensive 2-day training session at AppSec SF 2024, where you'll delve into core and advanced application security topics. The course covers essential areas such as input validation, HTTP security, SOP and CORS, SQL injections, CSRF, secure file handling, and third-party library management. It further explores advanced subjects including API and REST security, microservices security, JWTs, AI for code creation, OWASP Top 10 for large language models, GDPR, XSS defense, authentication best practices, cryptography, DevOps security, mobile security, and preventing subdomain takeovers. This comprehensive program equips participants with practical knowledge and skills to fortify their applications against a wide array of security threats.
Day 1: Core Application SecurityMorning Sessions:
Input Validation Basics
  • Allowlist Validation
  • Safe Redirects
HTTP Security Basics
  • Response/Request Headers
  • Verbs
  • Secure Transport Basics
SOP and CORS
  • Same-Origin Policy
  • Cross-Origin Resource Sharing Security
Lunch Break
Afternoon Sessions:
SQL and Other Injections
  • Parameterized Queries
  • Secure Database Configurations
  • Command Injection
Cross-Site Request Forgery
  • CSRF Defenses for Various Architectures
File Upload and File I/O Security
  • Secure File Upload
  • File I/O Security
Third-Party Library Security Management
  • Ensuring Third-Party Library Security
Security Logging and Monitoring
  • Security-Focused Logging
Application Layer Intrusion Detection
  • Detecting App Layer Attacks
Day 2: Advanced Application SecurityMorning Sessions:
API and REST Security
  • REST Design
  • XML, XXE, JSON
  • API Access Control
Microservice Security
  • Security Architectures in Microservices
JSON Web Tokens (JWT)
  • Addressing JWT Security Challenges
AI for Code Creation
  • Exploring the Security Implications of Using AI for Code Generation
Lunch Break
Afternoon Sessions:
OWASP Top 10 for Large Language Model (LLM) Applications
  • Top 10 Practices for Protecting Large Language Model Applications
OWASP Top Ten
  • Top Ten Web Security Risks
Introduction to GDPR
  • European Data Privacy Law
OWASP ASVS
  • Comprehensive Secure Coding Standard
XSS Defense
  • Client-Side Web Security
Content Security Policy
  • Advanced Client-Side Web Security
React Security
  • Secure React Application Development
Authentication Best Practices
  • Web Authentication Practices
Multi-Factor Authentication
  • NIST SP-800-63 Compliant MFA Implementation
Secure Password Policy and Storage
  • Secure User Password Policy and Storage
Access Control Design
  • ABAC/Capabilities-Based Access Control
OAuth2 and OIDC Security Intro
  • OAuth2 Authorization Protocol
Secrets Management
  • Key and Credential Storage Strategies
Cryptography Fundamentals
DevOps Best Practices
  • DevOps and DevSecOps with a CD/CI Focus
Introduction to Istio Security
  • Basics of Istio Security Management
Introduction to iOS and Android Security
  • Mobile Security Fundamentals
Subdomain Takeover
  • Preventing Subdomain Takeover Scenarios
Speakers
avatar for Jim Manico

Jim Manico

Founder, Manicode Security
Jim Manico is the Founder of Manicode Security, a company dedicated to providing expert training in secure coding and security engineering to software developers. His work at Manicode Security reflects his deep commitment to elevating software security standards in the industry. In... Read More →
Tuesday September 24, 2024 9:00am - 5:00pm PDT

9:00am PDT

3 Day Training: Attacking and Defending - AWS, Azure and GCP Applications
Tuesday September 24, 2024 9:00am - 5:00pm PDT
Day 1 Story: SEOptimyze - Lambda Privilege Escalation - Attack, Detect, and Defense The application is an example of a real-world SEO optimizer, where we analyze website performance and store the files in an S3 bucket, and store other values in DynamoDB. This is a “serverless” app that uses AWS Lambda, API Gateway, DynamoDB, Amazon S3, and other AWS Services. Attack Story Concepts * Attacking Vulnerable Lambda Function and pillaging credentials * Leveraging IAM misconfiguration to be able to escalate privileges * Misconfigured security parameters on S3 and DynamoDB Incident Response * Detection and Response * Promptly detect suspicious activity through monitoring AWS CloudTrail logs, AWS Config, and CloudWatch metrics. * Activate the incident response team upon detection and isolate affected resources. * Containment and Eradication * Contain the incident by disabling compromised IAM credentials and restricting access to affected resources. Investigate the root cause and remove any malicious code or unauthorized access. * Recovery * Restore affected resources from clean backups or rebuild them, ensuring revoked credentials are replaced. Implement security improvements, such as enhancing configurations and conducting thorough testing. Defense Topics and Mini Labs * Lambda Least Privilege Configuration * Remediate Application Vulnerability * Scan Lambda Function with Automated Security Tools Story: Amazon EC2 Attack, Detect, and Defense Lab This stack is a more traditional application stack. Applications and Databases are deployed as VMs in VPCs inside AWS environments. The story focuses on the attacker's objective to attempt to exfiltrate sensitive information from a VPC Attack Story Concept Coverage * Compromise Application hosted on VM, steal credentials from VM * Insecure VPC Configuration along with IAM privilege misconfiguration * Adversary objective OS to perform data exfiltration from internal assets deployed across VPCs Incident Response * Detection and Response[a][b] * Utilize network monitoring, intrusion detection systems, and log analysis to detect suspicious activities such as unauthorized access attempts, unusual network traffic, or unexpected changes in IAM permissions. * Upon detection, activate the incident response team and isolate compromised VMs and affected VPCs to prevent further data exfiltration. * Containment and Eradication * Conduct a comprehensive investigation to determine the root cause of the compromise, including analyzing system logs, network traffic, and IAM configurations. * Contain the incident by revoking compromised credentials, disabling compromised VMs, and implementing security group rules to restrict access to sensitive resources. * Recovery * Recover affected systems by restoring from clean backups or rebuilding them with hardened configurations using Infrastructure as Code (IaC) principles. * Implement VPC hardening measures, including adjusting security group settings, network ACLs, and IAM policies, to prevent similar attacks in the future. Detect Topics and Mini-Labs * VPC Flow Logs for CloudWatch metrics to set the alarm * Threat Intelligence using GuardDuty * CloudWatch Log Insights * Using OSS Cloud Security Posture Management Tools to detect security incidents * Setup automated detection pipeline using AWS Lambda, SNS on VM State Changes, and VPC State Change Defense Topics and Mini-Labs * Harden VM and Configurations using Infrastructure as Code * VPC Hardening and Security Configurations * Hardening with specific Security Groups * IAM Tag-based condition for VPC[c]

Day 2 Story: EKS Privilege Escalation Attack, Detect and Defense Attack Story Concepts * Privilege Escalation on EKS cluster, leveraging vulnerable container * Privilege Escalation involving Amazon ECR, KMS, S3, and so on * Trojanizes the container images and pushes them to the ECR Incident Response * Detection and Response * Utilize monitoring tools such as AWS CloudWatch, AWS Config, and AWS CloudTrail to detect unauthorized access attempts, unusual activity on EKS clusters, and suspicious interactions with ECR, KMS, and S3. * Employ intrusion detection systems and anomaly detection mechanisms to identify potential privilege escalation attempts and unauthorized modifications to container images in ECR. * Implement alerts and notifications to promptly notify the incident response plan upon detection of suspicious activities or security violations. * Containment and Eradication * Immediately isolate compromised containers or EKS clusters to prevent further unauthorized access and potential data exfiltration. * Analyze the extent of the privilege escalation and identify the compromised container images pushed to ECR. * Disable or remove malicious container images from ECR and revoke any compromised IAM credentials or permissions associated with the incident. * Conduct a thorough investigation to identify the root cause of the attack and address any vulnerabilities or misconfigurations that contributed to the incident. * Recovery * Restore affected EKS clusters and container images from clean backups or rebuild them using secure configurations and best practices. * Implement security enhancements such as IMDSv2 to prevent metadata credential compromise, fix SSRF or Path Traversal vulnerabilities in the application, and configure OIDC for Kubernetes deployment on EKS to enhance authentication and authorization mechanisms. * Review and update IAM policies, ECR defense parameters, and overall security posture to mitigate the risk of future privilege escalation attacks and unauthorized access to containerized environments. Defense Topics and Mini-Labs * IMDSv2 to prevent Metadata credential compromise from RCE/SSRF/Path Traversal * Fix SSRF or Path Traversal in the Application * OIDC for Kubernetes deployment on EKS * ECR Defense Parameters - Tag IAM[d] and IAM Hardening Story: GCP Cloud Run metadata Attack and Defense Attack Story Concept Coverage * Application with Deserialization vulnerability is deployed in Cloud Run instance * Exploit the application and get a reverse shell from the compromised application * Sensitive information disclosure from the metadata endpoints Incident Response * Detection and Response * Utilize VPC flow logs to monitor network traffic and detect suspicious activities, such as unexpected connections or unusual data transfer patterns. * Implement real-time monitoring using Pub/Sub to receive alerts and notifications about potential security incidents or abnormal behavior in Cloud Run instances. * Investigate alerts promptly and analyze metadata endpoints for any signs of sensitive information disclosure or unauthorized access attempts. * Leverage Security Command Center for Threat Detection * Containment and Eradication * Upon detection of a deserialization vulnerability exploit or a reverse shell, immediately isolate the compromised Cloud Run instance to prevent further unauthorized access. * Utilize firewall rules to block incoming and outgoing connections associated with the compromised instance and prevent the reverse shell from communicating with external servers. * Apply IAM deny policies to restrict access to sensitive resources and prevent unauthorized actions from the compromised service account. * Recovery * Implement a fix to address the YAML deserialization vulnerability in the application deployed on Cloud Run instances. * Enhance application security by adding authentication via GCP Identity-Aware Proxy (IAP) to prevent unauthorized access to sensitive endpoints and data. * Restore the compromised Cloud Run instance from a clean backup or rebuild it with least-privileged service account permissions and hardened configurations. * Conduct a post-incident review to identify lessons learned and update incident response procedures, security controls, and employee training to improve the organization's resilience against similar attacks in the future. Defense Story Concept Coverage * Fix that prevents the YAML deserialization attack * Add the Authentication to the application via GCP IAP * Prevent the reverse shell using firewall rules * IAM Deny Policies * Run service with a least-privi
Speakers
avatar for Abhay Bhargav

Abhay Bhargav

Founder, AppSecEnginner
Abhay Bhargav is the founder at AppSecEngineer, a revolutionary training platform committed to solving the Security Skills Shortage. He has created some pioneering works in the area of DevSecOps and AppSec Automation, including the world’s first hands-on training program on DevSecOps... Read More →
Tuesday September 24, 2024 9:00am - 5:00pm PDT

9:00am PDT

3 Day Training: Attacking the Application Supply Chain
Tuesday September 24, 2024 9:00am - 5:00pm PDT
Supply Chain risks are everywhere. We’ve seen a burst of supply chain exploits against organizations, totaling billions of dollars of value lost. Supply-chain security and implementation is essential and required by regulation. However, pentesters and red-teams must understand how they can leverage supply-chain attacks against applications, to further strengthen their defense implementations against it.

This training is a deep hands-on, red-team exploration of application supply-chains. We commence with an understanding of application supply chains, and subsequently dive into story-driven scenarios of exploiting supply-chains like exploiting CI systems, and build systems. Container infrastructure and cloud-native infrastructure hosted on Kubernetes, AWS, and Azure.

People learn better with stories. Our exploit and lateral movement scenarios are intricately designed labs that are backed by real-world stories that help students understand this subject-matter a lot better. This training was sold out at Blackhat USA 2023 with a 4.8/5 Rating
Speakers
VP

Vishnu Prasad

AppSec Engineer, we45
Vishnu Prasad is a DevSecOps Lead at we45. A DevSecOps and Security Automation wizard, he has implemented security in DevOps for numerous Fortune 500 companies. Vishnu has experience in Continuous Integration and Continuous Delivery across various verticals, using tools like Jenkins... Read More →
Tuesday September 24, 2024 9:00am - 5:00pm PDT
  3 Day Training
  • Audience intermediate
  • about Vishnu Prasad is a DevSecOps Lead at we45. A DevSecOps and Security Automation wizard, he has implemented security in DevOps for numerous Fortune 500 companies. <br><br>Vishnu has experience in Continuous Integration and Continuous Delivery across various verticals, using tools like Jenkins, Selenium, Docker, and other DevOps tools. His role sees him automating SAST, DAST, and SCA security tools at every phase of the build pipeline. He commands knowledge of every major security tool out there, including ZAP, Burp, Findsecbugs, and npm audit, among many others. He’s a tireless innovator, having Dockerized his entire security automation process for cross-platform support to build pipelines seamlessly. <br><br>His experience extends even beyond DevSecOps: he designs and develops Web Application Security tools, performs vulnerability management and orchestration, and consults on security assessments for major companies. He’s proficient in languages like Python, Java, Javascript, Angular, and more. <br><br>He regularly trains major companies and team members on application security automation, DevSecOps, and AppSec Essentials as well.

9:00am PDT

3 Day Training: Hacking Modern Web & Desktop apps: Master the Future of Attack Vectors
Tuesday September 24, 2024 9:00am - 5:00pm PDT

**NOTE:Conference and training tickets are separate purchases.

This course is a 100% hands-on deep dive into the OWASP Security Testing Guide and relevant items of the OWASP Application Security Verification Standard (ASVS), so this course covers and goes beyond the OWASP Top Ten.

Long are the days since web servers were run by perl scripts and desktop apps written in Delphi. What is common between Walmart, eBay, PayPal, Microsoft, LinkedIn, Google and Netflix? They all use Node.js: JavaScript on the server. What is common between Microsoft Teams, Skype, Bitwarden, Slack and Discord? All of them are written in Electron: JavaScript on the client. Modern Web and Desktop apps share traditional attack vectors and also introduce new opportunities to threat actors. This course will teach you how to review modern web and desktop apps, showcasing Node.js and Electron but using techniques that will also work against any other web or desktop app platform. Ideal for Penetration Testers, Web and Desktop app Developers as well as everybody interested in JavaScript/Node.js/Electron app security.

Get a FREE taste for this training, including access to video recording, slides and vulnerable apps to play with:

1.5 hour workshop - https://7asecurity.com/free-workshop-desktop-apps
1 hour workshop - https://7asecurity.com/free-workshop-web-apps

All action, no fluff, improve your security analysis workflow and immediately apply these gained skills in your workplace, packed with exercises, extra mile challenges and CTF, self-paced and suitable for all skill levels, with continued education via unlimited email support and lifetime access to training portal with step-by-step video recordings and interesting apps to practice, including all future updates for free.

Teaser Video: https://www.youtube.com/watch?v=Qckegc2gbfo

Speakers
avatar for Abraham Aranguren

Abraham Aranguren

Managing Director, 7ASecurity
After 15 years in itsec and 22 in IT Abraham is now the CEO of 7ASecurity (7asecurity.com), a company specializing in penetration testing of web/mobile apps, infrastructure, code reviews and training. Co-Author of the Mobile, Web and Desktop (Electron) app 7ASecurity courses. Security Trainer at Blackhat USA, HITB, OWASP Global AppSec and many other events. Former senior... Read More →
Tuesday September 24, 2024 9:00am - 5:00pm PDT

9:00am PDT

3 Day Training: The Mobile Playbook - A guide for iOS and Android App Security
Tuesday September 24, 2024 9:00am - 5:00pm PDT
(Available as hybrid - in Person or online)

This three-day hands-on course teaches penetration testers and developers how to analyse Android and iOS applications for security vulnerabilities by going through the different phases of testing, including dynamic testing, static analysis, reverse engineering and Software Composition Analysis (SCA), using the OWASP Mobile Application Security Testing Guide (MASTG).

The OWASP MASTG is a comprehensive and open source guide to mobile security testing for both iOS and Android, providing a methodology and very detailed technical test cases to ensure completeness and using the latest attack techniques against mobile applications.

This course will give you hands-on experience with open source tools and advanced methodologies by guiding you through real-world scenarios.

## Detailed outline

We'll start the first day with an introduction to the OWASP MASVS and MASTG and the latest updates to it and then dive into the Android platform and its security architecture. Students will no longer be required to bring their own Android device, instead each student will be provided with a cloud-based virtualised Android device from Corellium.

Topics include:
- Intercepting network traffic from apps written in mobile app frameworks such as Google's Flutter
- Reverse engineering a Kotlin app and identifying and exploiting a real-world deep link vulnerability through manual source code review.
- Explore the differences and effectiveness of reverse engineering Android apps using Smali patching, Magisk and Dynamic Instrumentation with Frida
- Frida crash course to get started with dynamic instrumentation on Android apps
- Bypass different implementations of SSL pinning using Frida
- Use dynamic instrumentation with Frida to
- Bypass multiple root detection mechanisms
- Bypass Frida detection mechanisms -

Day 1 will be closed with a Capture the Flag (CTF)

On day 2 we wrap up Android and start with iOS and we will use a Github repo to trigger static scanning, SCA and secret scanning on Kotlin and Swift:
Android: - Analyse the storage of an Android app and understand the various options on how and where files can be stored (app-specific, shared storage etc.)
- Using Brida (Frida and Burp) to bypass End2End encryption in an Android App
- Static Scanning of Kotlin source code, identifying vulnerabilities and eliminating false positives
- Scanning for secrets in an APK iOS:
- Introduction into iOS Security fundamentals
- Scanning for secrets in a Swift repository and identifying ways to handle them securely.
- Software Composition Analysis (SCA) for iOS
- Scanning 3rd party libraries and SDKs in mobile package managers for known vulnerabilities and mitigation strategies.
- Statically scanning Swift source code, identifying vulnerabilities and eliminating false positives.
- Demonstration on how to test watchOS apps and it's limitations

Day 3 focuses on iOS.
We will begin the day by creating an iOS test environment using Corellium and dive into several topics, including:
- Intercepting network traffic of an iOS App in various scenarios, including intercepting traffic that is not HTTP
- Examining stateless authentication (JWT) in a mobile app
- A Frida crash course to get started with dynamic instrumentation for iOS applications
- Analyse the storage of an iOS app and understand the various options on how (Realm databases etc.) and where files can be stored.
- Testing methodology with a non-jailbroken device by repackaging an IPA with the Frida gadget
- Using Frida to bypass runtime instrumentation of iOS applications
- Anti-Jailbreaking Mechanisms
- Frida's detection mechanism We'll wrap up the final day with a "Mobile Hacking Scavenger Hunt." This unique CTF will feature not just mobile apps but also physical art objects, which we refer to as "hackable artworks". Whether you are a beginner who wants to learn mobile app testing from the ground up, or an experienced pentester or developer who wants to improve your existing skills to perform more advanced attack techniques, or just for fun, this training will help you achieve your goals.

The course consists of many different labs developed by the instructor and is approximately 65% hands-on and 35% lecture. Upon successful completion of this course, students will have a better understanding of how to test for vulnerabilities in mobile applications, how to suggest the right mitigation techniques to developers, and how to perform tests consistently.

### What students should bring

The following requirements must be met by students in order to be able to follow all exercises and participate fully:
- Laptop (Windows/Linux/macOS) with at least 8GB of RAM and 40GB of free disk space.
- Full administrative access in case of problems with the laptop environment (e.g. ability to disable VPN or AV/EDR) - Virtualisation software (e.g. VMware, VirtualBox, UTM); a virtual machine will be provided for X86 and ARM architecture (for M1/M2/M3 MacBooks) with all tools required for the training.
- Ideally a tablet to have a second screen for the practical lab slides when doing the hands-on sessions.
- Github account is needed (free account is sufficient) to fork a repository

An iOS and Android device is NOT required as an emulated instance is provided for each student hosted at Corellium. This is a cloud-based environment that allows each student access to a jailbroken iOS device and a rooted Android device during the training.

### What students will receive
- Slide decks for the iOS and Android training and all videos for all demonstrations shared in class.
- All vulnerable apps used during the training, either as APK or IPA.
- Detailed write-ups for all labs so you can review them at your own pace after the course.
- Dedicated Slack channel used to help students prepare before the course, communicate during the course and stay in touch after the course for any questions.
- Certificate of completion.

## What prerequisites should students have before attending this training?
- This course is for Beginners and Intermediate
- Basic understanding of mobile apps
- Able to use Linux command line

## Biography of the trainer Sven: is a co-founder of Bai7 GmbH in Austria, which is specialized in mobile app trainings and advisory. He has expertise in cloud security, offensive security engagements (Penetration Testing) and Application Security, notably in guiding software development teams across Mobile and Web Applications throughout the Software Development Life Cycle (SDLC) to integrate robust security measures in from the start. Besides his day job, Sven is involved with the Open Worldwide Application Security Project (OWASP) since 2016. As a co-project leader and author, he has significantly contributed to the OWASP Mobile Application Security Testing Guide (MASTG) and the OWASP Mobile Application Security Verification Standard (MASVS).
Speakers
avatar for Sven Schleier

Sven Schleier

Principal Security Consultant, Crayon
Sven is living in Austria and a Principal Security Consultant at Crayon, specialised in Cloud Security. He has extensive experience in offensive security engagements like Penetration Testing and Application Security by supporting and guiding software development projects for Mobile... Read More →
Tuesday September 24, 2024 9:00am - 5:00pm PDT

9:00am PDT

3 Day Training: Web Application Security Essentials
Tuesday September 24, 2024 9:00am - 5:00pm PDT
This course provides the knowledge and resources required to evaluate the security of web applications. The participants, through the understanding of theory and a strong focus on practical exercises, will be able to identify critical vulnerabilities in web applications, understand how exploitation works and learn how to implement the necessary corrective measures. The course is aligned with the OWASP 10 2021, a world-renowned reference document which describes the most critical web application security flaws.

The topics covered include:
- Introduction to Web Application Security
- Technologies used in Web Applications
- The Security Tester Toolkit
- Critical Areas in Web Applications
- Broken Access Control
- Cryptographic Failures
- Injection
- Insecure Design
- Security Misconfiguration
- Vulnerable and Outdated Components
- Identification and Authentication Failures
- Software and Data Integrity Failures
- Security Logging and Monitoring Failures
- Server Side Request Forgery (SSRF)

Format: The course combines theory and hands-on practical exercises. The participants start by learning about web application vulnerabilities. They are then given access to a purpose-built web application environment that contains the bugs and coding errors they have learned about. This provides an ideal ‘real-life’ opportunity to exploit these vulnerabilities in a safe environment.
Speakers
avatar for Fabio Cerullo

Fabio Cerullo

Managing Director, Cycubix LTD
Fabio delivered this training to thousands of developers and security professionals. He also regularly delivers training to technical audiences on various topics such as application security, cloud security, and information security. Here is a reference from one attendee of his courses... Read More →
Tuesday September 24, 2024 9:00am - 5:00pm PDT

10:30am PDT

AM Break
Tuesday September 24, 2024 10:30am - 11:00am PDT
Tuesday September 24, 2024 10:30am - 11:00am PDT

12:30pm PDT

Lunch
Tuesday September 24, 2024 12:30pm - 1:30pm PDT
Tuesday September 24, 2024 12:30pm - 1:30pm PDT

3:00pm PDT

PM Break
Tuesday September 24, 2024 3:00pm - 3:30pm PDT
Tuesday September 24, 2024 3:00pm - 3:30pm PDT
 
Wednesday, September 25
 

9:00am PDT

2 Day Training:Agile Whiteboard Hacking – aka Hands-on Threat Modeling
Wednesday September 25, 2024 9:00am - 5:00pm PDT
Based on the updated Black Hat edition 2024 training, you will be challenged with hands-on threat modeling exercises based on real-world projects. You will get insight into our practical industry experience, helping you to become a Threat Modeling Practitioner. We included an exercise on MITRE ATT&CK, and we focus on embedding threat modeling in Agile and DevOps practices. And we introduce a new challenge on threat modeling a Machine Learning-Powered Chatbot.

We levelled up the threat modeling war game. Engaged in CTF-style challenges, your team will battle for control over an offshore wind turbine park. The level of this training is Beginner/Intermediate. Participants who are new to threat modeling are advised to follow our self-paced Threat Modeling Introduction training (which is about 2 hours and is included in this training).

As highly skilled professionals with years of experience under our belts, we're intimately familiar with the gap between academic knowledge of threat modeling and real-world practice. To minimize that gap, we have developed practical use cases, based on real-world projects. Each use case includes a description of the environment, together with questions and templates to build a threat model.

Students will be challenged in groups of 3 to 4 people to perform the different stages of threat modeling:
• Diagram techniques applied on a travel booking service
• Threat model a cloud-based update service for an IoT kiosk
• Create an attack tree against a nuclear research facility
• Create a SOC Risk Based Alerting system with MITRE ATT&CK
• Mitigate threats in a payment service build with microservices and S3 buckets
• Threat modeling a Machine Learning-Powered Chatbot
• Apply the OWASP Threat Modeling Playbook on agile development
• Threat modeling the CI/CD pipeline
• Battle for control over "Zwarte Wind", an offshore wind turbine park

After each hands-on exercise, the results are discussed, and students receive a documented solution.

As part of this training, you will be asked to create and submit your own threat model, on which you will get individual feedback.

All participants get our Threat Modeling Playbook to improve you threat modeling practice, one-year access to our online threat modeling learning platform, and one-hour personal coaching to refine your threat modeling.
Speakers
avatar for Sebastien Deleersnyder

Sebastien Deleersnyder

CTO and Co-Founder / COO, Toreon / Data Protection Institute
Sebastien Deleersnyder (Seba) is the CTO, co-founder of Toreon and COO of Data Protection Institute. With a strong background in development and extensive experience in cybersecurity, Seba has trained numerous developers on how to create more secure software. He is also the founder... Read More →
Wednesday September 25, 2024 9:00am - 5:00pm PDT

9:00am PDT

2-Day Training: Application Security Training
Wednesday September 25, 2024 9:00am - 5:00pm PDT
Join Jim Manico for an intensive 2-day training session at AppSec SF 2024, where you'll delve into core and advanced application security topics. The course covers essential areas such as input validation, HTTP security, SOP and CORS, SQL injections, CSRF, secure file handling, and third-party library management. It further explores advanced subjects including API and REST security, microservices security, JWTs, AI for code creation, OWASP Top 10 for large language models, GDPR, XSS defense, authentication best practices, cryptography, DevOps security, mobile security, and preventing subdomain takeovers. This comprehensive program equips participants with practical knowledge and skills to fortify their applications against a wide array of security threats.
Day 1: Core Application SecurityMorning Sessions:
Input Validation Basics
  • Allowlist Validation
  • Safe Redirects
HTTP Security Basics
  • Response/Request Headers
  • Verbs
  • Secure Transport Basics
SOP and CORS
  • Same-Origin Policy
  • Cross-Origin Resource Sharing Security
Lunch Break
Afternoon Sessions:
SQL and Other Injections
  • Parameterized Queries
  • Secure Database Configurations
  • Command Injection
Cross-Site Request Forgery
  • CSRF Defenses for Various Architectures
File Upload and File I/O Security
  • Secure File Upload
  • File I/O Security
Third-Party Library Security Management
  • Ensuring Third-Party Library Security
Security Logging and Monitoring
  • Security-Focused Logging
Application Layer Intrusion Detection
  • Detecting App Layer Attacks
Day 2: Advanced Application SecurityMorning Sessions:
API and REST Security
  • REST Design
  • XML, XXE, JSON
  • API Access Control
Microservice Security
  • Security Architectures in Microservices
JSON Web Tokens (JWT)
  • Addressing JWT Security Challenges
AI for Code Creation
  • Exploring the Security Implications of Using AI for Code Generation
Lunch Break
Afternoon Sessions:
OWASP Top 10 for Large Language Model (LLM) Applications
  • Top 10 Practices for Protecting Large Language Model Applications
OWASP Top Ten
  • Top Ten Web Security Risks
Introduction to GDPR
  • European Data Privacy Law
OWASP ASVS
  • Comprehensive Secure Coding Standard
XSS Defense
  • Client-Side Web Security
Content Security Policy
  • Advanced Client-Side Web Security
React Security
  • Secure React Application Development
Authentication Best Practices
  • Web Authentication Practices
Multi-Factor Authentication
  • NIST SP-800-63 Compliant MFA Implementation
Secure Password Policy and Storage
  • Secure User Password Policy and Storage
Access Control Design
  • ABAC/Capabilities-Based Access Control
OAuth2 and OIDC Security Intro
  • OAuth2 Authorization Protocol
Secrets Management
  • Key and Credential Storage Strategies
Cryptography Fundamentals
DevOps Best Practices
  • DevOps and DevSecOps with a CD/CI Focus
Introduction to Istio Security
  • Basics of Istio Security Management
Introduction to iOS and Android Security
  • Mobile Security Fundamentals
Subdomain Takeover
  • Preventing Subdomain Takeover Scenarios
Speakers
avatar for Jim Manico

Jim Manico

Founder, Manicode Security
Jim Manico is the Founder of Manicode Security, a company dedicated to providing expert training in secure coding and security engineering to software developers. His work at Manicode Security reflects his deep commitment to elevating software security standards in the industry. In... Read More →
Wednesday September 25, 2024 9:00am - 5:00pm PDT

9:00am PDT

3 Day Training: Attacking and Defending - AWS, Azure and GCP Applications
Wednesday September 25, 2024 9:00am - 5:00pm PDT
Day 1 Story: SEOptimyze - Lambda Privilege Escalation - Attack, Detect, and Defense The application is an example of a real-world SEO optimizer, where we analyze website performance and store the files in an S3 bucket, and store other values in DynamoDB. This is a “serverless” app that uses AWS Lambda, API Gateway, DynamoDB, Amazon S3, and other AWS Services. Attack Story Concepts * Attacking Vulnerable Lambda Function and pillaging credentials * Leveraging IAM misconfiguration to be able to escalate privileges * Misconfigured security parameters on S3 and DynamoDB Incident Response * Detection and Response * Promptly detect suspicious activity through monitoring AWS CloudTrail logs, AWS Config, and CloudWatch metrics. * Activate the incident response team upon detection and isolate affected resources. * Containment and Eradication * Contain the incident by disabling compromised IAM credentials and restricting access to affected resources. Investigate the root cause and remove any malicious code or unauthorized access. * Recovery * Restore affected resources from clean backups or rebuild them, ensuring revoked credentials are replaced. Implement security improvements, such as enhancing configurations and conducting thorough testing. Defense Topics and Mini Labs * Lambda Least Privilege Configuration * Remediate Application Vulnerability * Scan Lambda Function with Automated Security Tools Story: Amazon EC2 Attack, Detect, and Defense Lab This stack is a more traditional application stack. Applications and Databases are deployed as VMs in VPCs inside AWS environments. The story focuses on the attacker's objective to attempt to exfiltrate sensitive information from a VPC Attack Story Concept Coverage * Compromise Application hosted on VM, steal credentials from VM * Insecure VPC Configuration along with IAM privilege misconfiguration * Adversary objective OS to perform data exfiltration from internal assets deployed across VPCs Incident Response * Detection and Response[a][b] * Utilize network monitoring, intrusion detection systems, and log analysis to detect suspicious activities such as unauthorized access attempts, unusual network traffic, or unexpected changes in IAM permissions. * Upon detection, activate the incident response team and isolate compromised VMs and affected VPCs to prevent further data exfiltration. * Containment and Eradication * Conduct a comprehensive investigation to determine the root cause of the compromise, including analyzing system logs, network traffic, and IAM configurations. * Contain the incident by revoking compromised credentials, disabling compromised VMs, and implementing security group rules to restrict access to sensitive resources. * Recovery * Recover affected systems by restoring from clean backups or rebuilding them with hardened configurations using Infrastructure as Code (IaC) principles. * Implement VPC hardening measures, including adjusting security group settings, network ACLs, and IAM policies, to prevent similar attacks in the future. Detect Topics and Mini-Labs * VPC Flow Logs for CloudWatch metrics to set the alarm * Threat Intelligence using GuardDuty * CloudWatch Log Insights * Using OSS Cloud Security Posture Management Tools to detect security incidents * Setup automated detection pipeline using AWS Lambda, SNS on VM State Changes, and VPC State Change Defense Topics and Mini-Labs * Harden VM and Configurations using Infrastructure as Code * VPC Hardening and Security Configurations * Hardening with specific Security Groups * IAM Tag-based condition for VPC[c]

Day 2 Story: EKS Privilege Escalation Attack, Detect and Defense Attack Story Concepts * Privilege Escalation on EKS cluster, leveraging vulnerable container * Privilege Escalation involving Amazon ECR, KMS, S3, and so on * Trojanizes the container images and pushes them to the ECR Incident Response * Detection and Response * Utilize monitoring tools such as AWS CloudWatch, AWS Config, and AWS CloudTrail to detect unauthorized access attempts, unusual activity on EKS clusters, and suspicious interactions with ECR, KMS, and S3. * Employ intrusion detection systems and anomaly detection mechanisms to identify potential privilege escalation attempts and unauthorized modifications to container images in ECR. * Implement alerts and notifications to promptly notify the incident response plan upon detection of suspicious activities or security violations. * Containment and Eradication * Immediately isolate compromised containers or EKS clusters to prevent further unauthorized access and potential data exfiltration. * Analyze the extent of the privilege escalation and identify the compromised container images pushed to ECR. * Disable or remove malicious container images from ECR and revoke any compromised IAM credentials or permissions associated with the incident. * Conduct a thorough investigation to identify the root cause of the attack and address any vulnerabilities or misconfigurations that contributed to the incident. * Recovery * Restore affected EKS clusters and container images from clean backups or rebuild them using secure configurations and best practices. * Implement security enhancements such as IMDSv2 to prevent metadata credential compromise, fix SSRF or Path Traversal vulnerabilities in the application, and configure OIDC for Kubernetes deployment on EKS to enhance authentication and authorization mechanisms. * Review and update IAM policies, ECR defense parameters, and overall security posture to mitigate the risk of future privilege escalation attacks and unauthorized access to containerized environments. Defense Topics and Mini-Labs * IMDSv2 to prevent Metadata credential compromise from RCE/SSRF/Path Traversal * Fix SSRF or Path Traversal in the Application * OIDC for Kubernetes deployment on EKS * ECR Defense Parameters - Tag IAM[d] and IAM Hardening Story: GCP Cloud Run metadata Attack and Defense Attack Story Concept Coverage * Application with Deserialization vulnerability is deployed in Cloud Run instance * Exploit the application and get a reverse shell from the compromised application * Sensitive information disclosure from the metadata endpoints Incident Response * Detection and Response * Utilize VPC flow logs to monitor network traffic and detect suspicious activities, such as unexpected connections or unusual data transfer patterns. * Implement real-time monitoring using Pub/Sub to receive alerts and notifications about potential security incidents or abnormal behavior in Cloud Run instances. * Investigate alerts promptly and analyze metadata endpoints for any signs of sensitive information disclosure or unauthorized access attempts. * Leverage Security Command Center for Threat Detection * Containment and Eradication * Upon detection of a deserialization vulnerability exploit or a reverse shell, immediately isolate the compromised Cloud Run instance to prevent further unauthorized access. * Utilize firewall rules to block incoming and outgoing connections associated with the compromised instance and prevent the reverse shell from communicating with external servers. * Apply IAM deny policies to restrict access to sensitive resources and prevent unauthorized actions from the compromised service account. * Recovery * Implement a fix to address the YAML deserialization vulnerability in the application deployed on Cloud Run instances. * Enhance application security by adding authentication via GCP Identity-Aware Proxy (IAP) to prevent unauthorized access to sensitive endpoints and data. * Restore the compromised Cloud Run instance from a clean backup or rebuild it with least-privileged service account permissions and hardened configurations. * Conduct a post-incident review to identify lessons learned and update incident response procedures, security controls, and employee training to improve the organization's resilience against similar attacks in the future. Defense Story Concept Coverage * Fix that prevents the YAML deserialization attack * Add the Authentication to the application via GCP IAP * Prevent the reverse shell using firewall rules * IAM Deny Policies * Run service with a least-privi
Speakers
avatar for Abhay Bhargav

Abhay Bhargav

Founder, AppSecEnginner
Abhay Bhargav is the founder at AppSecEngineer, a revolutionary training platform committed to solving the Security Skills Shortage. He has created some pioneering works in the area of DevSecOps and AppSec Automation, including the world’s first hands-on training program on DevSecOps... Read More →
Wednesday September 25, 2024 9:00am - 5:00pm PDT

9:00am PDT

3 Day Training: Attacking the Application Supply Chain
Wednesday September 25, 2024 9:00am - 5:00pm PDT
Supply Chain risks are everywhere. We’ve seen a burst of supply chain exploits against organizations, totaling billions of dollars of value lost. Supply-chain security and implementation is essential and required by regulation. However, pentesters and red-teams must understand how they can leverage supply-chain attacks against applications, to further strengthen their defense implementations against it.

This training is a deep hands-on, red-team exploration of application supply-chains. We commence with an understanding of application supply chains, and subsequently dive into story-driven scenarios of exploiting supply-chains like exploiting CI systems, and build systems. Container infrastructure and cloud-native infrastructure hosted on Kubernetes, AWS, and Azure.

People learn better with stories. Our exploit and lateral movement scenarios are intricately designed labs that are backed by real-world stories that help students understand this subject-matter a lot better. This training was sold out at Blackhat USA 2023 with a 4.8/5 Rating
Speakers
VP

Vishnu Prasad

AppSec Engineer, we45
Vishnu Prasad is a DevSecOps Lead at we45. A DevSecOps and Security Automation wizard, he has implemented security in DevOps for numerous Fortune 500 companies. Vishnu has experience in Continuous Integration and Continuous Delivery across various verticals, using tools like Jenkins... Read More →
Wednesday September 25, 2024 9:00am - 5:00pm PDT

9:00am PDT

3 Day Training: Hacking Modern Web & Desktop apps: Master the Future of Attack Vectors
Wednesday September 25, 2024 9:00am - 5:00pm PDT

**NOTE:Conference and training tickets are separate purchases.

This course is a 100% hands-on deep dive into the OWASP Security Testing Guide and relevant items of the OWASP Application Security Verification Standard (ASVS), so this course covers and goes beyond the OWASP Top Ten.

Long are the days since web servers were run by perl scripts and desktop apps written in Delphi. What is common between Walmart, eBay, PayPal, Microsoft, LinkedIn, Google and Netflix? They all use Node.js: JavaScript on the server. What is common between Microsoft Teams, Skype, Bitwarden, Slack and Discord? All of them are written in Electron: JavaScript on the client. Modern Web and Desktop apps share traditional attack vectors and also introduce new opportunities to threat actors. This course will teach you how to review modern web and desktop apps, showcasing Node.js and Electron but using techniques that will also work against any other web or desktop app platform. Ideal for Penetration Testers, Web and Desktop app Developers as well as everybody interested in JavaScript/Node.js/Electron app security.

Get a FREE taste for this training, including access to video recording, slides and vulnerable apps to play with:

1.5 hour workshop - https://7asecurity.com/free-workshop-desktop-apps
1 hour workshop - https://7asecurity.com/free-workshop-web-apps

All action, no fluff, improve your security analysis workflow and immediately apply these gained skills in your workplace, packed with exercises, extra mile challenges and CTF, self-paced and suitable for all skill levels, with continued education via unlimited email support and lifetime access to training portal with step-by-step video recordings and interesting apps to practice, including all future updates for free.

Teaser Video: https://www.youtube.com/watch?v=Qckegc2gbfo

Speakers
avatar for Abraham Aranguren

Abraham Aranguren

Managing Director, 7ASecurity
After 15 years in itsec and 22 in IT Abraham is now the CEO of 7ASecurity (7asecurity.com), a company specializing in penetration testing of web/mobile apps, infrastructure, code reviews and training. Co-Author of the Mobile, Web and Desktop (Electron) app 7ASecurity courses. Security Trainer at Blackhat USA, HITB, OWASP Global AppSec and many other events. Former senior... Read More →
Wednesday September 25, 2024 9:00am - 5:00pm PDT

9:00am PDT

3 Day Training: The Mobile Playbook - A guide for iOS and Android App Security
Wednesday September 25, 2024 9:00am - 5:00pm PDT
(Available as hybrid - in Person or online)

This three-day hands-on course teaches penetration testers and developers how to analyse Android and iOS applications for security vulnerabilities by going through the different phases of testing, including dynamic testing, static analysis, reverse engineering and Software Composition Analysis (SCA), using the OWASP Mobile Application Security Testing Guide (MASTG).

The OWASP MASTG is a comprehensive and open source guide to mobile security testing for both iOS and Android, providing a methodology and very detailed technical test cases to ensure completeness and using the latest attack techniques against mobile applications.

This course will give you hands-on experience with open source tools and advanced methodologies by guiding you through real-world scenarios.

## Detailed outline

We'll start the first day with an introduction to the OWASP MASVS and MASTG and the latest updates to it and then dive into the Android platform and its security architecture. Students will no longer be required to bring their own Android device, instead each student will be provided with a cloud-based virtualised Android device from Corellium.

Topics include:
- Intercepting network traffic from apps written in mobile app frameworks such as Google's Flutter
- Reverse engineering a Kotlin app and identifying and exploiting a real-world deep link vulnerability through manual source code review.
- Explore the differences and effectiveness of reverse engineering Android apps using Smali patching, Magisk and Dynamic Instrumentation with Frida
- Frida crash course to get started with dynamic instrumentation on Android apps
- Bypass different implementations of SSL pinning using Frida
- Use dynamic instrumentation with Frida to
- Bypass multiple root detection mechanisms
- Bypass Frida detection mechanisms -

Day 1 will be closed with a Capture the Flag (CTF)

On day 2 we wrap up Android and start with iOS and we will use a Github repo to trigger static scanning, SCA and secret scanning on Kotlin and Swift:
Android: - Analyse the storage of an Android app and understand the various options on how and where files can be stored (app-specific, shared storage etc.)
- Using Brida (Frida and Burp) to bypass End2End encryption in an Android App
- Static Scanning of Kotlin source code, identifying vulnerabilities and eliminating false positives
- Scanning for secrets in an APK iOS:
- Introduction into iOS Security fundamentals
- Scanning for secrets in a Swift repository and identifying ways to handle them securely.
- Software Composition Analysis (SCA) for iOS
- Scanning 3rd party libraries and SDKs in mobile package managers for known vulnerabilities and mitigation strategies.
- Statically scanning Swift source code, identifying vulnerabilities and eliminating false positives.
- Demonstration on how to test watchOS apps and it's limitations

Day 3 focuses on iOS.
We will begin the day by creating an iOS test environment using Corellium and dive into several topics, including:
- Intercepting network traffic of an iOS App in various scenarios, including intercepting traffic that is not HTTP
- Examining stateless authentication (JWT) in a mobile app
- A Frida crash course to get started with dynamic instrumentation for iOS applications
- Analyse the storage of an iOS app and understand the various options on how (Realm databases etc.) and where files can be stored.
- Testing methodology with a non-jailbroken device by repackaging an IPA with the Frida gadget
- Using Frida to bypass runtime instrumentation of iOS applications
- Anti-Jailbreaking Mechanisms
- Frida's detection mechanism We'll wrap up the final day with a "Mobile Hacking Scavenger Hunt." This unique CTF will feature not just mobile apps but also physical art objects, which we refer to as "hackable artworks". Whether you are a beginner who wants to learn mobile app testing from the ground up, or an experienced pentester or developer who wants to improve your existing skills to perform more advanced attack techniques, or just for fun, this training will help you achieve your goals.

The course consists of many different labs developed by the instructor and is approximately 65% hands-on and 35% lecture. Upon successful completion of this course, students will have a better understanding of how to test for vulnerabilities in mobile applications, how to suggest the right mitigation techniques to developers, and how to perform tests consistently.

### What students should bring

The following requirements must be met by students in order to be able to follow all exercises and participate fully:
- Laptop (Windows/Linux/macOS) with at least 8GB of RAM and 40GB of free disk space.
- Full administrative access in case of problems with the laptop environment (e.g. ability to disable VPN or AV/EDR) - Virtualisation software (e.g. VMware, VirtualBox, UTM); a virtual machine will be provided for X86 and ARM architecture (for M1/M2/M3 MacBooks) with all tools required for the training.
- Ideally a tablet to have a second screen for the practical lab slides when doing the hands-on sessions.
- Github account is needed (free account is sufficient) to fork a repository

An iOS and Android device is NOT required as an emulated instance is provided for each student hosted at Corellium. This is a cloud-based environment that allows each student access to a jailbroken iOS device and a rooted Android device during the training.

### What students will receive
- Slide decks for the iOS and Android training and all videos for all demonstrations shared in class.
- All vulnerable apps used during the training, either as APK or IPA.
- Detailed write-ups for all labs so you can review them at your own pace after the course.
- Dedicated Slack channel used to help students prepare before the course, communicate during the course and stay in touch after the course for any questions.
- Certificate of completion.

## What prerequisites should students have before attending this training?
- This course is for Beginners and Intermediate
- Basic understanding of mobile apps
- Able to use Linux command line

## Biography of the trainer Sven: is a co-founder of Bai7 GmbH in Austria, which is specialized in mobile app trainings and advisory. He has expertise in cloud security, offensive security engagements (Penetration Testing) and Application Security, notably in guiding software development teams across Mobile and Web Applications throughout the Software Development Life Cycle (SDLC) to integrate robust security measures in from the start. Besides his day job, Sven is involved with the Open Worldwide Application Security Project (OWASP) since 2016. As a co-project leader and author, he has significantly contributed to the OWASP Mobile Application Security Testing Guide (MASTG) and the OWASP Mobile Application Security Verification Standard (MASVS).
Speakers
avatar for Sven Schleier

Sven Schleier

Principal Security Consultant, Crayon
Sven is living in Austria and a Principal Security Consultant at Crayon, specialised in Cloud Security. He has extensive experience in offensive security engagements like Penetration Testing and Application Security by supporting and guiding software development projects for Mobile... Read More →
Wednesday September 25, 2024 9:00am - 5:00pm PDT

9:00am PDT

3 Day Training: Web Application Security Essentials
Wednesday September 25, 2024 9:00am - 5:00pm PDT
This course provides the knowledge and resources required to evaluate the security of web applications. The participants, through the understanding of theory and a strong focus on practical exercises, will be able to identify critical vulnerabilities in web applications, understand how exploitation works and learn how to implement the necessary corrective measures. The course is aligned with the OWASP 10 2021, a world-renowned reference document which describes the most critical web application security flaws.

The topics covered include:
- Introduction to Web Application Security
- Technologies used in Web Applications
- The Security Tester Toolkit
- Critical Areas in Web Applications
- Broken Access Control
- Cryptographic Failures
- Injection
- Insecure Design
- Security Misconfiguration
- Vulnerable and Outdated Components
- Identification and Authentication Failures
- Software and Data Integrity Failures
- Security Logging and Monitoring Failures
- Server Side Request Forgery (SSRF)

Format: The course combines theory and hands-on practical exercises. The participants start by learning about web application vulnerabilities. They are then given access to a purpose-built web application environment that contains the bugs and coding errors they have learned about. This provides an ideal ‘real-life’ opportunity to exploit these vulnerabilities in a safe environment.
Speakers
avatar for Fabio Cerullo

Fabio Cerullo

Managing Director, Cycubix LTD
Fabio delivered this training to thousands of developers and security professionals. He also regularly delivers training to technical audiences on various topics such as application security, cloud security, and information security. Here is a reference from one attendee of his courses... Read More →
Wednesday September 25, 2024 9:00am - 5:00pm PDT

9:00am PDT

SAMM User Day
Wednesday September 25, 2024 9:00am - 5:00pm PDT
SAMM User Day Requires a separate ticket purchase
Speakers
avatar for Sebastien Deleersnyder

Sebastien Deleersnyder

CTO and Co-Founder / COO, Toreon / Data Protection Institute
Sebastien Deleersnyder (Seba) is the CTO, co-founder of Toreon and COO of Data Protection Institute. With a strong background in development and extensive experience in cybersecurity, Seba has trained numerous developers on how to create more secure software. He is also the founder... Read More →
Wednesday September 25, 2024 9:00am - 5:00pm PDT
  BONUS TRACK

9:00am PDT

Global Board of Directors Private/Closed Face to Face Meeting
Wednesday September 25, 2024 9:00am - 5:00pm PDT
This is a closed, private session for the OWASP Board of. Directors
Wednesday September 25, 2024 9:00am - 5:00pm PDT

10:30am PDT

AM Break
Wednesday September 25, 2024 10:30am - 11:00am PDT
Wednesday September 25, 2024 10:30am - 11:00am PDT

12:30pm PDT

Lunch
Wednesday September 25, 2024 12:30pm - 1:30pm PDT
Wednesday September 25, 2024 12:30pm - 1:30pm PDT

3:00pm PDT

PM Break
Wednesday September 25, 2024 3:00pm - 3:30pm PDT
Wednesday September 25, 2024 3:00pm - 3:30pm PDT

5:30pm PDT

Global Board of Directors Public Board Meeting
Wednesday September 25, 2024 5:30pm - 7:00pm PDT
Open meeting to all who would like to attend and discuss topics that are pertinent to the OWASP Foundation
Wednesday September 25, 2024 5:30pm - 7:00pm PDT
 
Thursday, September 26
 

8:00am PDT

Breakfast
Thursday September 26, 2024 8:00am - 8:50am PDT
Thursday September 26, 2024 8:00am - 8:50am PDT

8:50am PDT

Opening Remarks
Thursday September 26, 2024 8:50am - 9:00am PDT
Opening conference remarks by our board of directors
Thursday September 26, 2024 8:50am - 9:00am PDT
Room: Grand Ballroom

9:00am PDT

Keynote
Thursday September 26, 2024 9:00am - 10:00am PDT
Thursday September 26, 2024 9:00am - 10:00am PDT
Room: Grand Ballroom

9:00am PDT

Member Lounge
Thursday September 26, 2024 9:00am - 5:00pm PDT
Thursday September 26, 2024 9:00am - 5:00pm PDT
Room: Golden Gate

10:00am PDT

AM Break
Thursday September 26, 2024 10:00am - 10:30am PDT
Thursday September 26, 2024 10:00am - 10:30am PDT
Room: Pacific Concourse (Expo Hall)

10:15am PDT

Meet the Mentor
Thursday September 26, 2024 10:15am - 12:15pm PDT
If you are interested in becoming a mentor for this event, please submit your information here.

One more Global AppSec event.
You’re taking training, you’re running between sessions, you’re connecting with people over coffee or when talking to a vendor.

What if you could use the event to also meet a potential mentor, or mentee?
What if you could connect face to face with someone who may help take your career to the next level, or that you can help and make a difference with?

We are inviting you to an OWASP Lisbon Global AppSec activity, first of its kind in an OWASP event: Meet The Mentor! A speed-dating activity between potential mentors and mentees where you can come face to face and see if it “clicks”, start a conversation, and see if it is a match.
Thursday September 26, 2024 10:15am - 12:15pm PDT

10:30am PDT

Breaker Track
Thursday September 26, 2024 10:30am - 11:15am PDT
Thursday September 26, 2024 10:30am - 11:15am PDT
Room: Grand Ballroom

10:30am PDT

Builder Track
Thursday September 26, 2024 10:30am - 11:15am PDT
Thursday September 26, 2024 10:30am - 11:15am PDT
Room: Seacliff AB

10:30am PDT

Breakout: Defender Track
Thursday September 26, 2024 10:30am - 11:15am PDT
Thursday September 26, 2024 10:30am - 11:15am PDT
Room: Seacliff CD

10:30am PDT

Breakout: Manager/Culture Track
Thursday September 26, 2024 10:30am - 11:15am PDT
Thursday September 26, 2024 10:30am - 11:15am PDT
Room: Bayview B

11:30am PDT

Breaker Track
Thursday September 26, 2024 11:30am - 12:15pm PDT
Thursday September 26, 2024 11:30am - 12:15pm PDT
Room: Grand Ballroom

11:30am PDT

Builder Track
Thursday September 26, 2024 11:30am - 12:15pm PDT
Thursday September 26, 2024 11:30am - 12:15pm PDT
Room: Seacliff AB

11:30am PDT

Breakout: Defender Track
Thursday September 26, 2024 11:30am - 12:15pm PDT
Thursday September 26, 2024 11:30am - 12:15pm PDT
Room: Seacliff CD

11:30am PDT

Breakout: Manager/Culture Track
Thursday September 26, 2024 11:30am - 12:15pm PDT
Thursday September 26, 2024 11:30am - 12:15pm PDT
Room: Bayview B

12:15pm PDT

Lunch
Thursday September 26, 2024 12:15pm - 1:15pm PDT
Thursday September 26, 2024 12:15pm - 1:15pm PDT

1:15pm PDT

How to write a good CfT/CfP Submission
Thursday September 26, 2024 1:15pm - 2:00pm PDT
Are you interested in submitting for the OWASP Call for Trainers or Call for Papers? Join Izar Tarandach and Avi Doublen, as they guide you through the process and highlight what the review team looks for when selecting papers!
Thursday September 26, 2024 1:15pm - 2:00pm PDT
Room: Regency A

1:15pm PDT

Breaker Track
Thursday September 26, 2024 1:15pm - 2:00pm PDT
Thursday September 26, 2024 1:15pm - 2:00pm PDT
Room: Grand Ballroom

1:15pm PDT

Builder Track
Thursday September 26, 2024 1:15pm - 2:00pm PDT
Thursday September 26, 2024 1:15pm - 2:00pm PDT
Room: Seacliff AB

1:15pm PDT

Breakout: Defender Track
Thursday September 26, 2024 1:15pm - 2:00pm PDT
Thursday September 26, 2024 1:15pm - 2:00pm PDT
Room: Seacliff CD

1:15pm PDT

Breakout: Manager/Culture Track
Thursday September 26, 2024 1:15pm - 2:00pm PDT
Thursday September 26, 2024 1:15pm - 2:00pm PDT
Room: Bayview B

2:15pm PDT

Breaker Track
Thursday September 26, 2024 2:15pm - 3:00pm PDT
Thursday September 26, 2024 2:15pm - 3:00pm PDT
Room: Grand Ballroom

2:15pm PDT

Builder Track
Thursday September 26, 2024 2:15pm - 3:00pm PDT
Thursday September 26, 2024 2:15pm - 3:00pm PDT
Room: Seacliff AB

2:15pm PDT

Breakout: Defender Track
Thursday September 26, 2024 2:15pm - 3:00pm PDT
Thursday September 26, 2024 2:15pm - 3:00pm PDT
Room: Seacliff CD

2:15pm PDT

Breakout: Manager/Culture Track
Thursday September 26, 2024 2:15pm - 3:00pm PDT
Thursday September 26, 2024 2:15pm - 3:00pm PDT
Room: Bayview B

3:00pm PDT

PM Break
Thursday September 26, 2024 3:00pm - 3:30pm PDT
Thursday September 26, 2024 3:00pm - 3:30pm PDT

3:15pm PDT

Leaders Meeting
Thursday September 26, 2024 3:15pm - 4:15pm PDT
This meeting is for all OWASP leaders
Thursday September 26, 2024 3:15pm - 4:15pm PDT

3:30pm PDT

Breaker Track
Thursday September 26, 2024 3:30pm - 4:15pm PDT
Thursday September 26, 2024 3:30pm - 4:15pm PDT
Room: Grand Ballroom

3:30pm PDT

Builder Track
Thursday September 26, 2024 3:30pm - 4:15pm PDT
Thursday September 26, 2024 3:30pm - 4:15pm PDT
Room: Seacliff AB

3:30pm PDT

Breakout: Defender Track
Thursday September 26, 2024 3:30pm - 4:15pm PDT
Thursday September 26, 2024 3:30pm - 4:15pm PDT
Room: Seacliff CD

3:30pm PDT

Breakout: Manager/Culture Track
Thursday September 26, 2024 3:30pm - 4:15pm PDT
Thursday September 26, 2024 3:30pm - 4:15pm PDT
Room: Bayview B

4:30pm PDT

Keynote
Thursday September 26, 2024 4:30pm - 5:30pm PDT
Thursday September 26, 2024 4:30pm - 5:30pm PDT
Room: Grand Ballroom

6:30pm PDT

Networking Reception
Thursday September 26, 2024 6:30pm - 8:30pm PDT
Thursday September 26, 2024 6:30pm - 8:30pm PDT
Room: Pacific Concourse (Expo Hall)
 
Friday, September 27
 

9:00am PDT

Keynote
Friday September 27, 2024 9:00am - 10:00am PDT
Friday September 27, 2024 9:00am - 10:00am PDT
Room: Grand Ballroom

9:00am PDT

Member Lounge
Friday September 27, 2024 9:00am - 5:00pm PDT
Friday September 27, 2024 9:00am - 5:00pm PDT
Room: Golden Gate

10:00am PDT

AM Break
Friday September 27, 2024 10:00am - 10:30am PDT
Friday September 27, 2024 10:00am - 10:30am PDT
Room: Pacific Concourse (Expo Hall)

10:30am PDT

Breaker Track
Friday September 27, 2024 10:30am - 11:15am PDT
Friday September 27, 2024 10:30am - 11:15am PDT
Room: Grand Ballroom

10:30am PDT

Builder Track
Friday September 27, 2024 10:30am - 11:15am PDT
Friday September 27, 2024 10:30am - 11:15am PDT
Room: Seacliff AB

10:30am PDT

Breakout: Defender Track
Friday September 27, 2024 10:30am - 11:15am PDT
Friday September 27, 2024 10:30am - 11:15am PDT
Room: Seacliff CD

10:30am PDT

Breakout: Manager/Culture Track
Friday September 27, 2024 10:30am - 11:15am PDT
Friday September 27, 2024 10:30am - 11:15am PDT
Room: Bayview B

11:30am PDT

Breaker Track
Friday September 27, 2024 11:30am - 12:15pm PDT
Friday September 27, 2024 11:30am - 12:15pm PDT
Room: Grand Ballroom

11:30am PDT

Builder Track
Friday September 27, 2024 11:30am - 12:15pm PDT
Friday September 27, 2024 11:30am - 12:15pm PDT
Room: Seacliff AB

11:30am PDT

Breakout: Defender Track
Friday September 27, 2024 11:30am - 12:15pm PDT
Friday September 27, 2024 11:30am - 12:15pm PDT
Room: Seacliff CD

11:30am PDT

Breakout: Manager/Culture Track
Friday September 27, 2024 11:30am - 12:15pm PDT
Friday September 27, 2024 11:30am - 12:15pm PDT
Room: Bayview B

12:15pm PDT

Lunch
Friday September 27, 2024 12:15pm - 1:15pm PDT
Friday September 27, 2024 12:15pm - 1:15pm PDT

1:15pm PDT

Breaker Track
Friday September 27, 2024 1:15pm - 2:00pm PDT
Friday September 27, 2024 1:15pm - 2:00pm PDT
Room: Grand Ballroom

1:15pm PDT

Builder Track
Friday September 27, 2024 1:15pm - 2:00pm PDT
Friday September 27, 2024 1:15pm - 2:00pm PDT
Room: Seacliff AB

1:15pm PDT

Breakout: Defender Track
Friday September 27, 2024 1:15pm - 2:00pm PDT
Friday September 27, 2024 1:15pm - 2:00pm PDT
Room: Seacliff CD

1:15pm PDT

Breakout: Manager/Culture Track
Friday September 27, 2024 1:15pm - 2:00pm PDT
Friday September 27, 2024 1:15pm - 2:00pm PDT
Room: Bayview B

2:15pm PDT

Breaker Track
Friday September 27, 2024 2:15pm - 3:00pm PDT
Friday September 27, 2024 2:15pm - 3:00pm PDT
Room: Grand Ballroom

2:15pm PDT

Builder Track
Friday September 27, 2024 2:15pm - 3:00pm PDT
Friday September 27, 2024 2:15pm - 3:00pm PDT
Room: Seacliff AB

2:15pm PDT

Breakout: Defender Track
Friday September 27, 2024 2:15pm - 3:00pm PDT
Friday September 27, 2024 2:15pm - 3:00pm PDT
Room: Seacliff CD

2:15pm PDT

Breakout: Manager/Culture Track
Friday September 27, 2024 2:15pm - 3:00pm PDT
Friday September 27, 2024 2:15pm - 3:00pm PDT
Room: Bayview B

3:00pm PDT

PM Break with Exhibitors
Friday September 27, 2024 3:00pm - 3:30pm PDT
Friday September 27, 2024 3:00pm - 3:30pm PDT
Room: Pacific Concourse (Expo Hall)

3:30pm PDT

Breaker Track
Friday September 27, 2024 3:30pm - 4:15pm PDT
Friday September 27, 2024 3:30pm - 4:15pm PDT
Room: Grand Ballroom

3:30pm PDT

Builder Track
Friday September 27, 2024 3:30pm - 4:15pm PDT
Friday September 27, 2024 3:30pm - 4:15pm PDT
Room: Seacliff AB

3:30pm PDT

Breakout: Defender Track
Friday September 27, 2024 3:30pm - 4:15pm PDT
Friday September 27, 2024 3:30pm - 4:15pm PDT
Room: Seacliff CD

3:30pm PDT

Breakout: Manager/Culture Track
Friday September 27, 2024 3:30pm - 4:15pm PDT
Friday September 27, 2024 3:30pm - 4:15pm PDT
Room: Bayview B

4:30pm PDT

Keynote
Friday September 27, 2024 4:30pm - 5:30pm PDT
Friday September 27, 2024 4:30pm - 5:30pm PDT
Room: Grand Ballroom

5:30pm PDT

Closing Ceremony and Raffle
Friday September 27, 2024 5:30pm - 6:00pm PDT
Friday September 27, 2024 5:30pm - 6:00pm PDT
Room: Grand Ballroom
 
Share Modal

Share this link via

Or copy link

Filter sessions
Apply filters to sessions.