Loading…
Attending this event?
The virtual training classes are 8 hour courses offered in 4-hour blocks over two days. The trainings will begin at 12:00pm Eastern Time (USA)/6:00pm Central European Time. 

OWASP Members save $50 off the cost of a training course. Email events@owasp.com for your member discount code. If you are not an OWASP Member, please consider joining here.

REGISTER HERE FOR TRAINING

Sign up or log in to bookmark your favorites and sync them to your phone or calendar.

Tuesday, March 9
 

12:00pm EST

Application Security Essentials - 2021 Edition
Application Security is constantly evolving. Engineering teams use new technologies, frameworks and tools to make apps more responsive, easy-to-use and functional. At the same time attackers are constantly looking to infiltrate and find new security weaknesses in modern applications.

This program is a defense-focused training that delves deep into advanced topics of Application Security. The training expounds attacks and defenses against modern full-stack applications, right from client-side vulnerabilities to advanced server-side vulnerabilities and defenses.

Speakers
avatar for Sharath Kumar

Sharath Kumar

we45
Sharath Kumar is the Lead Solutions Engineer at we45. He has architected and developed multiple solutions around security engineering, including an Application Vulnerability Correlation tool called Orchestron. As part of his experience with Application Security, Sharath has developed... Read More →


Tuesday March 9, 2021 12:00pm - Wednesday March 10, 2021 4:00pm EST
Zoom

12:00pm EST

Hacking Modern Web apps: Master the Future of Attack Vectors
This course is the culmination of years of experience gained via practical penetration testing of Modern Web applications as well as countless hours spent doing research. We have structured this course around the OWASP Security Testing Guide, it covers the OWASP Top Ten and specific attack vectors against Modern Web apps. This course provides participants with actionable skills that can be applied immediately from day 1.

Please note our courses are 100% hands-on, we do not lecture students with boring bullet points and theories, instead we give you practical challenges and help you solve them, teaching you how to troubleshoot common issues and get the most out of this training. Training then continues after the course through our frequently updated training portal, for which you keep lifetime access, as well as unlimited email support.

Each section starts with a brief introduction to the Modern platform (i.e. Node.js) for that section and then continues with a look at static analysis, moves on to dynamic checks finishing off with a nice CTF session to test the skills gained.

Section 1: Focused specifically on Hacking Modern Web Apps: We start with understanding Modern Web Apps and then deep dive into static and dynamic analysis of the applications at hand. This section is packed with hands-on exercises and CTF-style challenges.

Speakers
AA

Anirudh Anand

Security Trainer, 7ASecurity
Anirudh Anand is a security researcher with a primary focus on Web and Mobile Application Security. He is currently working as a Senior Security Engineer at CRED and also Security Trainer at 7asecurity. He has been submitting bugs and contributing to security tools for over 7 yea... Read More →


Tuesday March 9, 2021 12:00pm - Wednesday March 10, 2021 4:00pm EST
Zoom

12:00pm EST

Secure your SDLC using OWASP SAMM - ASAP!
Building security into the software development and management functions of a company can be a daunting task. There are many variables in the equation: company structure, different stakeholders, technology stacks, tools and processes, and competing priorities. Implementing software assurance can have a significant, positive impact on the organization. Yet, trying to achieve this without a good framework is likely to produce only marginal and unsustainable improvements. The OWASP Software Assurance Maturity Model provides a structural and measurable framework to overcome this challenge. It enables you to formulate and implement a strategy for software security that is tailored to the risk profile of your organization.

This 8-hour training - delivered as a mix of presentation, discussion, and interactive workshop - is intended for CSOs, directors, security architects, security analysts, and other application security professionals with responsibility for improving your organization's security posture. You will leave with an in-depth understanding of OWASP SAMM, pragmatic steps and tools for increased agility and compliance, and a template to kickstart your Application Security Assurance Program. Protect the confidentiality, integrity and availability of your data by implementing an application security assurance program in your organization - ASAP!

Speakers
avatar for John Ellingsworth

John Ellingsworth

Security Principal, Ellingsworth
John Ellingsworth is a security principal at a global company where he helps software development teams build and deliver secure enterprise solutions. When not collaborating on secure software solutions, he can often be found outdoors with his family - and probably scaling mountains... Read More →


Tuesday March 9, 2021 12:00pm - Wednesday March 10, 2021 4:00pm EST
Zoom

12:00pm EST

Securing Microservices with OAuth 2.0 and OpenID Connect (Hands-On Workshop)
OAuth 2.0 and OpenID Connect (OIDC) are the most commonly used solutions for stateless, token-based authentication in distributed microservice architectures as of today.

But have you ever asked yourself how OAuth 2.0 really works and how it differs from OpenID Connect? Then this workshop is a good opportunity to get to know how it works by making your hands dirty in code using Spring Security.

After an introduction to the basic concepts of OAuth 2.0 and OpenID Connect, we will use a boot-based Spring sample application to gradually implement authentication and authorization using these standards.

Learning Objectives:
- Differences between OAuth 2.0 and OpenID Connect (OIDC)
- What is an Authorization Grant and when do I use which grant
- The detailed procedure of the Authorization Code Grant protocol flow
- Implementation of an OAuth 2.0/OIDC compliant Resource Server
- Differences between JWT and reference tokens
- Authorization by means of claims in JWT
- Implementation of an OAuth 2.0/OIDC compliant client
- The correct validation of tokens
- Automated testing with OAuth 2.0 and OpenID Connect
- Current best practices for OAuth 2.0 and OIDC, especially for Single Page Applications
- The workshop contents are aligned with the proposed updates of OAuth 2.1

Speakers
avatar for Andreas Falk

Andreas Falk

Managing Consultant, Novatec Consulting
Andreas Falk works for Novatec Consulting located in Stuttgart/Germany. For more than 20 years, he has been involved in various projects as an architect, coach, and developer. His focus is on the agile development of cloud-native Java applications. As a member of OWASP and the OpenID... Read More →


Tuesday March 9, 2021 12:00pm - Wednesday March 10, 2021 4:00pm EST
Zoom

12:00pm EST

Security for Web Developers - an Offensive Approach
Overview of Web Penetration Testing Modules
- OWASP Top Ten Web Vulnerabilities
- API Top Ten vulnerabilities
- Technical measures and best practices u HTTP Security Headers
- JSON Web Tokens

The methodology of the course covers more than 75% practical hands-on approach. They will get hands-on knowledge to perform the hacking tasks in ethical ways to improve the security of assets by using various hacking tools. Attack side: Kali Linux 2020.x, NMAP, Burp / OWASP ZAP, Metasploit Framework (MSF). Victim side: OWASP Resources i.e. Damn Vulnerable Web Application (DVWA), Tomcat, as virtual machines.

Modules:
• Penetration testing overview
• Various types of web apps footprinting, footprinting tools, and countermeasures
• Ethical hacking methodology
• Web attacks: XSS, SQL Injection, Facebook phishing.
• NoSQL injection, API vulnerabilities, LFI, Brute-Force attacks, CSRF.

Speakers
avatar for Gabriel Avramescu

Gabriel Avramescu

ituniversity.ro
I work as a penetration tester with over 8 years of experience and as a trainer with over 14 years (5 in the security field). Certifications: OSWE, OSWP,OSCP, CEH, ECSA, CHFI, ISO 27001, CREST CRT, CREST CPSA, etc. Trainer on OWASP AppSec Days - August 2020 Penetration testing customers... Read More →


Tuesday March 9, 2021 12:00pm - Wednesday March 10, 2021 4:00pm EST
Zoom

12:00pm EST

Threat Modeling: From None to Done
This session offers participants an interactive introduction to Threat Modeling, based on the instructor's learning and experience over the past several years. A primary focus of this course is the introduction of threat modeling activities into your organization's software development processes, to improve the overall quality and security of the applications you build.

As a recent "convert" to the application security world, your instructor has developed his "expertise" in threat modeling by gathering information from a variety of sources. He's combined those learnings with his own experience to create a practical threat modeing approach he has successfully applied within his professional roles.

In addition to addressing key questions around the "Five Ws," the presentation will cover the "Four Questions" approach to developing a model, and include several interactive exercises to provide direct experience. A brief review of available modeing tools will also be included, along with a discussion of the opportunities and challenges for introducing Threat Modelng into your SDLC.

Speakers
avatar for John DiLeo

John DiLeo

Datacom New Zealand
Dr. John DiLeo is the Auckland-area leader of the OWASP New Zealand Chapter. In his current role, he leads a consulting team that helps enterprises develop and mature their software assurance programs, with emphasis on governance, threat modeling and risk-based requirements, secure... Read More →


Tuesday March 9, 2021 12:00pm - Wednesday March 10, 2021 4:00pm EST
Zoom
 
Tuesday, May 25
 

12:00pm EDT

Deep Dive into Fuzzing

Attendees would be emulating techniques which would provide a comprehensive understanding of "Crash, Detect & Triage" of fuzzed binaries or software. In "Deep dive into fuzzing" we will be covering a detailed overview of fuzzing and how it can be beneficial to professionals in uncovering security vulnerabilities with a hands-on approach through focus on labs.

Speakers
avatar for Zubin  Devnani

Zubin Devnani

Security Researcher
Zubin Devnani is a red teamer by trade, who has identified multiple vulnerabilities in commonly used software. He is a trainer at Blackhat and has delivered multiple workshops, including PHDays and Hacktivity. Utilizes his fuzzing skills in his day to day trade to identify new ways... Read More →
avatar for Dhiraj Mishra

Dhiraj Mishra

Dhiraj Mishra is an active speaker who has discovered multiple zero-days in modern web browsers and an open-source contributor. He is a trainer at Blackhat and presented in conferences such as Ekoparty, Hacktivity, PHDays & HITB. In his free time, he blogs at www.inputzero.io and tweets on @RandomDhiraj... Read More →


Tuesday May 25, 2021 12:00pm - Wednesday May 26, 2021 4:00pm EDT
Zoom

12:00pm EDT

DevSecOps Hands-on: Putting Security Checks into Your Build Pipeline
This hands-on workshop gives insight into automation capabilities of security scans, which perfectly fit into many build pipelines. Taking into account frontends (Web) as well as backends (APIs), you will learn what steps of a security analysis can be best automated – and how. By focussing on OpenSource solutions (OWASP ZAP), you will get a tool arsenal with different automation options ready to test your application’s security on every build. During this workshop we will enhance a typical Jenkins-based CI/CD pipeline (every attendee will get an individual Jenkins server in the cloud ready to use with multiple levels of tool integrations) with a specially prepared vulnerable training application step by step into a full-fledged awesome DevSecOps AppSecPipeline.

Speakers
avatar for Christian Schneider

Christian Schneider

Whitehat Hacker, Christian Schneider
Christian has pursued a successful career as a freelance Java software developer since 1997 and expanded it in 2005 to include the focus on IT security. His major areas of work are penetration testing, security architecture consulting, and threat modeling. As a trainer, Christian... Read More →


Tuesday May 25, 2021 12:00pm - Wednesday May 26, 2021 4:00pm EDT
Zoom

12:00pm EDT

Hacking iOS and IoT apps by Example
This course is the culmination of years of experience gained via practical penetration testing of mobile applications as well as countless hours spent in research. We have structured this course around the OWASP Mobile Security Testing Guide (MSTG) and relevant items of the OWASP Mobile Application Security Verification Standard (MASVS), so this course covers and goes beyond the OWASP Mobile Top Ten. This course provides participants with actionable skills that can be applied immediately from day 1.

Please note our courses are 100% hands-on, we do not lecture students with boring bullet points and theories, instead we give you practical challenges and help you solve them, teaching you how to troubleshoot common issues and get the most out of this training. As we try to keep both new and advanced students happy, the course is very comprehensive and we have not met any student able to complete all challenges during the class, therefore training continues after the course through our frequently updated training portal, for which you keep lifetime access, as well as unlimited email support.

Each day starts with a brief introduction to the mobile platform for that day and then continues with a look at static analysis, moves on to dynamic checks finishing off with a nice CTF session to test the skills gained.

Day 1: Focused on iOS: We start with understanding iOS Architecture and various security precautions in place. We then focus on static and dynamic analysis of the applications at hand. The day is filled with hands-on exercises ending with a CTF for more practical fun.

Speakers
avatar for Abraham Aranguren

Abraham Aranguren

7ASecurity
After 13 years in ITsec and 20 in IT Abraham is now the CEO of 7ASecurity (7asecurity.com), a company specializing in penetration testing of web/mobile apps, infrastructure, code reviews and training. Security Trainer at Blackhat USA, HITB, OWASP Global AppSec and many other even... Read More →


Tuesday May 25, 2021 12:00pm - Wednesday May 26, 2021 4:00pm EDT
Zoom

12:00pm EDT

Hacking Modern Web apps: Master the Future of Attack Vectors
This course is the culmination of years of experience gained via practical penetration testing of Modern Web applications as well as countless hours spent doing research. We have structured this course around the OWASP Security Testing Guide, it covers the OWASP Top Ten and specific attack vectors against Modern Web apps. This course provides participants with actionable skills that can be applied immediately from day 1.

Please note our courses are 100% hands-on, we do not lecture students with boring bullet points and theories, instead we give you practical challenges and help you solve them, teaching you how to troubleshoot common issues and get the most out of this training. Training then continues after the course through our frequently updated training portal, for which you keep lifetime access, as well as unlimited email support.

Each section starts with a brief introduction to the Modern platform (i.e. Node.js) for that section and then continues with a look at static analysis, moves on to dynamic checks finishing off with a nice CTF session to test the skills gained.

Section 1: Focused specifically on Hacking Modern Web Apps: We start with understanding Modern Web Apps and then deep dive into static and dynamic analysis of the applications at hand. This section is packed with hands-on exercises and CTF-style challenges.

Speakers
AA

Anirudh Anand

Security Trainer, 7ASecurity
Anirudh Anand is a security researcher with a primary focus on Web and Mobile Application Security. He is currently working as a Senior Security Engineer at CRED and also Security Trainer at 7asecurity. He has been submitting bugs and contributing to security tools for over 7 yea... Read More →


Tuesday May 25, 2021 12:00pm - Wednesday May 26, 2021 4:00pm EDT
Zoom

12:00pm EDT

Kubernetes Security Masterclass - Discoverer Edition
Kubernetes has emerged as the leading container orchestration and management platform for on-prem and cloud environments. However, Kubernetes is a multi-headed beast with several minute and nuanced security configuration parameters. In addition, attackers take advantage of these insecurely configured and designed Kubernetes deployments and perform deep-incursions into the organization’s assets. This training is a hard-core hands-on view of Kubernetes Security from an Attack and Defense perspective. The course takes the participants through a journey where they start with setting up a Kubernetes cluster (simulating an on-prem Kubernetes) deployment, attack the cluster and learn, through multiple deep-dive examples and cookbooks on how they can effectively secure Kubernetes clusters. The course is aimed at providing a view of attacking, auditing and defending Kubernetes clusters on-prem or on the cloud

Speakers
avatar for Nithin Jois

Nithin Jois

Senior Security Solutions Engineer, we45
Nithin Jois dons two hats - Apart from being one of the lead trainers at AppSecEngineer, he is also a Senior Solutions Architect at We45 where he has helped build multiple solutions ranging from Vulnerability management to scalable scanner orchestrating systems that leveraged container... Read More →


Tuesday May 25, 2021 12:00pm - Wednesday May 26, 2021 4:00pm EDT
Zoom
 
Tuesday, June 15
 

12:00pm EDT

Cloud-Native Microservices Security Bootcamp
All developers today are also DevSecOps engineers even if they are not aware of it. In this Bootcamp, you will learn how to secure cloud-native Java microservices. First, we will look into what are the common security risks for server-side applications. Then we will directly dive into the hands-on coding parts to see how we can mitigate those security risks in our own applications. Specifically, we'll see how the security patterns are implemented with the most widely used frameworks Spring Boot (main focus) and Micronaut (partly). In the last part, you will also learn how to implement automated security tests along the testing-pyramid.


Learning Objectives:
- OWASP Top 10 (Web Application Security Risks)
- OWASP API Top 10 - Securing Spring Boot applications
- Securing Micronaut applications - Authentication and Authorization
- Basic Auth, Session Management, MTLS, WebAuthn
- OAuth 2.0 and OpenID Connect
- Configuring HTTPS connections
- Encryption and password hashing
- Security response headers
- Defense against Session Hijacking, SQL injection, XSS, and CSRF
- Securing both blocking servlet-based and non-blocking reactive web applications
- Automated security tests

Speakers
avatar for Andreas Falk

Andreas Falk

Managing Consultant, Novatec Consulting
Andreas Falk works for Novatec Consulting located in Stuttgart/Germany. For more than 20 years, he has been involved in various projects as an architect, coach, and developer. His focus is on the agile development of cloud-native Java applications. As a member of OWASP and the OpenID... Read More →


Tuesday June 15, 2021 12:00pm - Wednesday June 16, 2021 4:00pm EDT
Zoom - UTC +3

12:00pm EDT

DevSecOps Masterclass - Discoverer Edition
Managing comprehensive security for continuous delivery of applications across organizations continues to remain a serious bottleneck in the DevOps movement. The methodology involved in implementing effective security practices within delivery pipelines can be challenging. This training is designed to give a practical approach of implementing Security across Continuous Delivery Pipelines by leveraging the plethora of cloud offerings and is backed by a ton of hands-on labs, original research and real-world implementations of DevSecOps that work. The training starts with Application Security Automation for SAST, SCA and DAST, apart from Vulnerability Management and Correlation. Finally, the training concludes with leveraging Security Automation in the Cloud with detailed perspectives of implementing scalable security for cloud-native deployments. By the end of this training, attendees will have ideas and hands-on experience to successfully kickoff DevSecOps implementations.

Speakers
avatar for Nithin Jois

Nithin Jois

Senior Security Solutions Engineer, we45
Nithin Jois dons two hats - Apart from being one of the lead trainers at AppSecEngineer, he is also a Senior Solutions Architect at We45 where he has helped build multiple solutions ranging from Vulnerability management to scalable scanner orchestrating systems that leveraged container... Read More →


Tuesday June 15, 2021 12:00pm - Wednesday June 16, 2021 4:00pm EDT
Zoom - UTC +3

12:00pm EDT

Hacking Modern Desktop apps: Master the Future of Attack Vectors
This course is the culmination of years of experience gained via practical penetration testing of Modern Desktop applications as well as countless hours spent doing research. We have structured this course around the OWASP Security Testing Guide, it covers the OWASP Top Ten and specific attack vectors against Modern Desktop apps. This course provides participants with actionable skills that can be applied immediately from day 1.

Please note our courses are 100% hands-on, we do not lecture students with boring bullet points and theories, instead we give you practical challenges and help you solve them, teaching you how to troubleshoot common issues and get the most out of this training. Training then continues after the course through our frequently updated training portal, for which you keep lifetime access, as well as unlimited email support.

Each day starts with a brief introduction to the Modern platform (i.e. Node.js, Electron) for that day and then continues with a look at static analysis, moves on to dynamic checks finishing off with a nice CTF session to test the skills gained.

Day 1: Focused on Hacking Modern Desktop Apps: We start with understanding Modern Desktop apps and various security considerations. We then focus on static and dynamic analysis of the applications at hand. The day is filled with hands-on exercises ending with a CTF for more practical fun.

Speakers
avatar for Abraham Aranguren

Abraham Aranguren

7ASecurity
After 13 years in ITsec and 20 in IT Abraham is now the CEO of 7ASecurity (7asecurity.com), a company specializing in penetration testing of web/mobile apps, infrastructure, code reviews and training. Security Trainer at Blackhat USA, HITB, OWASP Global AppSec and many other even... Read More →


Tuesday June 15, 2021 12:00pm - Wednesday June 16, 2021 4:00pm EDT
Zoom - UTC +3

12:00pm EDT

Secure your SDLC using OWASP SAMM - ASAP!
Building security into the software development and management functions of a company can be a daunting task. There are many variables in the equation: company structure, different stakeholders, technology stacks, tools and processes, and competing priorities. Implementing software assurance can have a significant, positive impact on the organization. Yet, trying to achieve this without a good framework is likely to produce only marginal and unsustainable improvements. The OWASP Software Assurance Maturity Model provides a structural and measurable framework to overcome this challenge. It enables you to formulate and implement a strategy for software security that is tailored to the risk profile of your organization.

This 8-hour training - delivered as a mix of presentation, discussion, and interactive workshop - is intended for CSOs, directors, security architects, security analysts, and other application security professionals with responsibility for improving your organization's security posture. You will leave with an in-depth understanding of OWASP SAMM, pragmatic steps and tools for increased agility and compliance, and a template to kickstart your Application Security Assurance Program. Protect the confidentiality, integrity and availability of your data by implementing an application security assurance program in your organization - ASAP!

Speakers
avatar for John Ellingsworth

John Ellingsworth

Security Principal, Ellingsworth
John Ellingsworth is a security principal at a global company where he helps software development teams build and deliver secure enterprise solutions. When not collaborating on secure software solutions, he can often be found outdoors with his family - and probably scaling mountains... Read More →


Tuesday June 15, 2021 12:00pm - Wednesday June 16, 2021 4:00pm EDT
Zoom - UTC +3