Loading…
The virtual training classes are 8 hour courses offered in 4-hour blocks over two days. The trainings will begin at 12:00pm Eastern Time (USA)/6:00pm Central European Time. 

OWASP Members save $50 off the cost of a training course. Email events@owasp.com for your member discount code. If you are not an OWASP Member, please consider joining here.

REGISTER HERE FOR TRAINING

Sign up or log in to bookmark your favorites and sync them to your phone or calendar.

Tuesday, March 9
 

12:00pm MSK

Application Security Essentials - 2021 Edition
Application Security is constantly evolving. Engineering teams use new technologies, frameworks and tools to make apps more responsive, easy-to-use and functional. At the same time attackers are constantly looking to infiltrate and find new security weaknesses in modern applications.

This program is a defense-focused training that delves deep into advanced topics of Application Security. The training expounds attacks and defenses against modern full-stack applications, right from client-side vulnerabilities to advanced server-side vulnerabilities and defenses.

Speakers
avatar for Andrew van der Stock

Andrew van der Stock

Executive Director, OWASP Foundation
Andrew van der Stock is a long time security researcher and the current Executive Director of the OWASP Foundation, co-lead of the OWASP Top 10 and OWASP Application Security Verification Standard, and is formerly an OWASP Global Board member. Andrew has trained or spoken at many... Read More →


Tuesday March 9, 2021 12:00pm - Wednesday March 10, 2021 4:00pm MSK
Zoom

12:00pm MSK

Hacking Android and IoT apps by Example
This course is the culmination of years of experience gained via practical penetration testing of mobile applications as well as countless hours spent in research. We have structured this course around the OWASP Mobile Security Testing Guide (MSTG) and relevant items of the OWASP Mobile Application Security Verification Standard (MASVS), so this course covers and goes beyond the OWASP Mobile Top Ten. This course provides participants with actionable skills that can be applied immediately from day 1.

Please note our courses are 100% hands-on, we do not lecture students with boring bullet points and theories, instead we give you practical challenges and help you solve them, teaching you how to troubleshoot common issues and get the most out of this training. As we try to keep both new and advanced students happy, the course is very comprehensive and we have not met any student able to complete all challenges during the class, therefore training continues after the course through our frequently updated training portal, for which you keep lifetime access, as well as unlimited email support.

Each day starts with a brief introduction to the mobile platform for that day and then continues with a look at static analysis, moves on to dynamic checks finishing off with a nice CTF session to test the skills gained.

Day 1: Focused specifically on Android: We start with understanding applications and then deep dive into static and dynamic analysis of the applications at hand. This day is packed with hands-on exercises and CTF-style challenges.

Speakers

Tuesday March 9, 2021 12:00pm - Wednesday March 10, 2021 4:00pm MSK
Zoom

12:00pm MSK

Hacking Modern Web apps: Master the Future of Attack Vectors
This course is the culmination of years of experience gained via practical penetration testing of Modern Web applications as well as countless hours spent doing research. We have structured this course around the OWASP Security Testing Guide, it covers the OWASP Top Ten and specific attack vectors against Modern Web apps. This course provides participants with actionable skills that can be applied immediately from day 1.

Please note our courses are 100% hands-on, we do not lecture students with boring bullet points and theories, instead we give you practical challenges and help you solve them, teaching you how to troubleshoot common issues and get the most out of this training. Training then continues after the course through our frequently updated training portal, for which you keep lifetime access, as well as unlimited email support.

Each section starts with a brief introduction to the Modern platform (i.e. Node.js) for that section and then continues with a look at static analysis, moves on to dynamic checks finishing off with a nice CTF session to test the skills gained.

Section 1: Focused specifically on Hacking Modern Web Apps: We start with understanding Modern Web Apps and then deep dive into static and dynamic analysis of the applications at hand. This section is packed with hands-on exercises and CTF-style challenges.

Speakers
avatar for Anirudh Anand

Anirudh Anand

Security Trainer, 7ASecurity
Anirudh Anand is a security researcher with a primary focus on Web and Mobile Application Security. He is currently working as a Senior Security Engineer at CRED and also Security Trainer at 7asecurity. He has been submitting bugs and contributing to security tools for over 7 yea... Read More →


Tuesday March 9, 2021 12:00pm - Wednesday March 10, 2021 4:00pm MSK
Zoom

12:00pm MSK

Secure your SDLC using OWASP SAMM - ASAP!
Building security into the software development and management functions of a company can be a daunting task. There are many variables in the equation: company structure, different stakeholders, technology stacks, tools and processes, and competing priorities. Implementing software assurance can have a significant, positive impact on the organization. Yet, trying to achieve this without a good framework is likely to produce only marginal and unsustainable improvements. The OWASP Software Assurance Maturity Model provides a structural and measurable framework to overcome this challenge. It enables you to formulate and implement a strategy for software security that is tailored to the risk profile of your organization.

This 8-hour training - delivered as a mix of presentation, discussion, and interactive workshop - is intended for CSOs, directors, security architects, security analysts, and other application security professionals with responsibility for improving your organization's security posture. You will leave with an in-depth understanding of OWASP SAMM, pragmatic steps and tools for increased agility and compliance, and a template to kickstart your Application Security Assurance Program. Protect the confidentiality, integrity and availability of your data by implementing an application security assurance program in your organization - ASAP!

Speakers
avatar for John Ellingsworth

John Ellingsworth

Security Principal, Ellingsworth
John Ellingsworth is a security principal at a global company where he helps software development teams build and deliver secure enterprise solutions. When not collaborating on secure software solutions, he can often be found outdoors with his family - and probably scaling mountains... Read More →


Tuesday March 9, 2021 12:00pm - Wednesday March 10, 2021 4:00pm MSK
Zoom

12:00pm MSK

Securing Microservices with OAuth 2.0 and OpenID Connect (Hands-On Workshop)
OAuth 2.0 and OpenID Connect (OIDC) are the most commonly used solutions for stateless, token-based authentication in distributed microservice architectures as of today.

But have you ever asked yourself how OAuth 2.0 really works and how it differs from OpenID Connect? Then this workshop is a good opportunity to get to know how it works by making your hands dirty in code using Spring Security.

After an introduction to the basic concepts of OAuth 2.0 and OpenID Connect, we will use a boot-based Spring sample application to gradually implement authentication and authorization using these standards.

Learning Objectives:
- Differences between OAuth 2.0 and OpenID Connect (OIDC)
- What is an Authorization Grant and when do I use which grant
- The detailed procedure of the Authorization Code Grant protocol flow
- Implementation of an OAuth 2.0/OIDC compliant Resource Server
- Differences between JWT and reference tokens
- Authorization by means of claims in JWT
- Implementation of an OAuth 2.0/OIDC compliant client
- The correct validation of tokens
- Automated testing with OAuth 2.0 and OpenID Connect
- Current best practices for OAuth 2.0 and OIDC, especially for Single Page Applications
- The workshop contents are aligned with the proposed updates of OAuth 2.1

Speakers
avatar for Andreas Falk

Andreas Falk

Lead of Agile Security, Novatec Consulting
Andreas Falk has been working in enterprise application development projects for more than twenty years. Currently, he is working as a managing consultant for Novatec Consulting, located in Germany. In various projects, he has since been around as an architect, coach, and developer... Read More →


Tuesday March 9, 2021 12:00pm - Wednesday March 10, 2021 4:00pm MSK
Zoom

12:00pm MSK

Security for Web Developers - an Offensive Approach
Overview of Web Penetration Testing Modules
- OWASP Top Ten Web Vulnerabilities
- API Top Ten vulnerabilities
- Technical measures and best practices u HTTP Security Headers
- JSON Web Tokens

The methodology of the course covers more than 75% practical hands-on approach. They will get hands-on knowledge to perform the hacking tasks in ethical ways to improve the security of assets by using various hacking tools. Attack side: Kali Linux 2020.x, NMAP, Burp / OWASP ZAP, Metasploit Framework (MSF). Victim side: OWASP Resources i.e. Damn Vulnerable Web Application (DVWA), Tomcat, as virtual machines.

Modules:
• Penetration testing overview
• Various types of web apps footprinting, footprinting tools, and countermeasures
• Ethical hacking methodology
• Web attacks: XSS, SQL Injection, Facebook phishing.
• NoSQL injection, API vulnerabilities, LFI, Brute-Force attacks, CSRF.

Speakers
avatar for Gabriel Avramescu

Gabriel Avramescu

ituniversity.ro
I work as a penetration tester with over 8 years of experience and as a trainer with over 14 years (5 in the security field). Certifications: OSWE, OSWP,OSCP, CEH, ECSA, CHFI, ISO 27001, CREST CRT, CREST CPSA, etc. Trainer on OWASP AppSec Days - August 2020 Penetration testing customers... Read More →


Tuesday March 9, 2021 12:00pm - Wednesday March 10, 2021 4:00pm MSK
Zoom

12:00pm MSK

Threat Modeling: From None to Done
This session offers participants an interactive introduction to Threat Modeling, based on the instructor's learning and experience over the past several years. A primary focus of this course is the introduction of threat modeling activities into your organization's software development processes, to improve the overall quality and security of the applications you build.

As a recent "convert" to the application security world, your instructor has developed his "expertise" in threat modeling by gathering information from a variety of sources. He's combined those learnings with his own experience to create a practical threat modeing approach he has successfully applied within his professional roles.

In addition to addressing key questions around the "Five Ws," the presentation will cover the "Four Questions" approach to developing a model, and include several interactive exercises to provide direct experience. A brief review of available modeing tools will also be included, along with a discussion of the opportunities and challenges for introducing Threat Modelng into your SDLC.

Speakers
avatar for John DiLeo

John DiLeo

Datacom New Zealand
Dr. John DiLeo is the Auckland-area leader of the OWASP New Zealand Chapter. In his current role, he leads a consulting team that helps enterprises develop and mature their software assurance programs, with emphasis on governance, threat modeling and risk-based requirements, secure... Read More →


Tuesday March 9, 2021 12:00pm - Wednesday March 10, 2021 4:00pm MSK
Zoom
 
Tuesday, May 25
 

12:00pm MSK

Deep Dive into Fuzzing

Attendees would be emulating techniques which would provide a comprehensive understanding of "Crash, Detect & Triage" of fuzzed binaries or software. In "Deep dive into fuzzing" we will be covering a detailed overview of fuzzing and how it can be beneficial to professionals in uncovering security vulnerabilities with a hands-on approach through focus on labs.

Speakers
avatar for Zubin  Devnani

Zubin Devnani

Security Researcher
Zubin Devnani is a red teamer by trade, who has identified multiple vulnerabilities in commonly used software. He is a trainer at Blackhat and has delivered multiple workshops, including PHDays and Hacktivity. Utilizes his fuzzing skills in his day to day trade to identify new ways... Read More →
avatar for Dhiraj Mishra

Dhiraj Mishra

Security Researcher
An active speaker who has discovered multiple zero-days in modern web browsers and an open-source contributor. He is a trainer at Blackhat and presented in conferences such as Ekoparty, Hacktivity, PHDays & HITB. In his free time, he blogs at www.inputzero.io and tweets on @RandomDhiraj... Read More →


Tuesday May 25, 2021 12:00pm - Wednesday May 26, 2021 4:00pm MSK
Zoom

12:00pm MSK

DevSecOps Hands-on: Putting Security Checks into Your Build Pipeline
This hands-on workshop gives insight into automation capabilities of security scans, which perfectly fit into many build pipelines. Taking into account frontends (Web) as well as backends (APIs), you will learn what steps of a security analysis can be best automated – and how. By focussing on OpenSource solutions (OWASP ZAP), you will get a tool arsenal with different automation options ready to test your application’s security on every build. During this workshop we will enhance a typical Jenkins-based CI/CD pipeline (every attendee will get an individual Jenkins server in the cloud ready to use with multiple levels of tool integrations) with a specially prepared vulnerable training application step by step into a full-fledged awesome DevSecOps AppSecPipeline.

Speakers
avatar for Christian Schneider

Christian Schneider

Freelancer, Christian Schneider
Christian has pursued a successful career as a freelance software developer since 1997 and expanded it in 2005 to include the focus on IT security. His major areas of work are penetration testing, security architecture consulting, and threat modeling. As a trainer, Christian regularly... Read More →


Tuesday May 25, 2021 12:00pm - Wednesday May 26, 2021 4:00pm MSK
Zoom

12:00pm MSK

Hacking iOS and IoT apps by Example
This course is the culmination of years of experience gained via practical penetration testing of mobile applications as well as countless hours spent in research. We have structured this course around the OWASP Mobile Security Testing Guide (MSTG) and relevant items of the OWASP Mobile Application Security Verification Standard (MASVS), so this course covers and goes beyond the OWASP Mobile Top Ten. This course provides participants with actionable skills that can be applied immediately from day 1.

Please note our courses are 100% hands-on, we do not lecture students with boring bullet points and theories, instead we give you practical challenges and help you solve them, teaching you how to troubleshoot common issues and get the most out of this training. As we try to keep both new and advanced students happy, the course is very comprehensive and we have not met any student able to complete all challenges during the class, therefore training continues after the course through our frequently updated training portal, for which you keep lifetime access, as well as unlimited email support.

Each day starts with a brief introduction to the mobile platform for that day and then continues with a look at static analysis, moves on to dynamic checks finishing off with a nice CTF session to test the skills gained.

Day 1: Focused on iOS: We start with understanding iOS Architecture and various security precautions in place. We then focus on static and dynamic analysis of the applications at hand. The day is filled with hands-on exercises ending with a CTF for more practical fun.

Tuesday May 25, 2021 12:00pm - Wednesday May 26, 2021 4:00pm MSK
Zoom

12:00pm MSK

Hacking Modern Web apps: Master the Future of Attack Vectors
This course is the culmination of years of experience gained via practical penetration testing of Modern Web applications as well as countless hours spent doing research. We have structured this course around the OWASP Security Testing Guide, it covers the OWASP Top Ten and specific attack vectors against Modern Web apps. This course provides participants with actionable skills that can be applied immediately from day 1.

Please note our courses are 100% hands-on, we do not lecture students with boring bullet points and theories, instead we give you practical challenges and help you solve them, teaching you how to troubleshoot common issues and get the most out of this training. Training then continues after the course through our frequently updated training portal, for which you keep lifetime access, as well as unlimited email support.

Each section starts with a brief introduction to the Modern platform (i.e. Node.js) for that section and then continues with a look at static analysis, moves on to dynamic checks finishing off with a nice CTF session to test the skills gained.

Section 1: Focused specifically on Hacking Modern Web Apps: We start with understanding Modern Web Apps and then deep dive into static and dynamic analysis of the applications at hand. This section is packed with hands-on exercises and CTF-style challenges.

Speakers
avatar for Anirudh Anand

Anirudh Anand

Security Trainer, 7ASecurity
Anirudh Anand is a security researcher with a primary focus on Web and Mobile Application Security. He is currently working as a Senior Security Engineer at CRED and also Security Trainer at 7asecurity. He has been submitting bugs and contributing to security tools for over 7 yea... Read More →


Tuesday May 25, 2021 12:00pm - Wednesday May 26, 2021 4:00pm MSK
Zoom

12:00pm MSK

Kubernetes Security Masterclass - Discoverer Edition
Kubernetes has emerged as the leading container orchestration and management platform for on-prem and cloud environments. However, Kubernetes is a multi-headed beast with several minute and nuanced security configuration parameters. In addition, attackers take advantage of these insecurely configured and designed Kubernetes deployments and perform deep-incursions into the organization’s assets. This training is a hard-core hands-on view of Kubernetes Security from an Attack and Defense perspective. The course takes the participants through a journey where they start with setting up a Kubernetes cluster (simulating an on-prem Kubernetes) deployment, attack the cluster and learn, through multiple deep-dive examples and cookbooks on how they can effectively secure Kubernetes clusters. The course is aimed at providing a view of attacking, auditing and defending Kubernetes clusters on-prem or on the cloud

Speakers
avatar for Nithin Jois

Nithin Jois

Senior Security Solutions Engineer, we45
Nithin Jois dons two hats - Apart from being one of the lead trainers at AppSecEngineer, he is also a Senior Solutions Architect at We45 where he has helped build multiple solutions ranging from Vulnerability management to scalable scanner orchestrating systems that leveraged container... Read More →


Tuesday May 25, 2021 12:00pm - Wednesday May 26, 2021 4:00pm MSK
Zoom