Loading…
Attending this event?
The virtual training classes are 8 hour courses offered in 4-hour blocks over two days. The trainings will begin at 12:00pm Eastern Time (USA)/6:00pm Central European Time. 

OWASP Members save $50 off the cost of a training course. Email events@owasp.com for your member discount code. If you are not an OWASP Member, please consider joining here.

REGISTER HERE FOR TRAINING

Sign up or log in to bookmark your favorites and sync them to your phone or calendar.

Beginner [clear filter]
Tuesday, March 9
 

12:00pm EST

Application Security Essentials - 2021 Edition
Application Security is constantly evolving. Engineering teams use new technologies, frameworks and tools to make apps more responsive, easy-to-use and functional. At the same time attackers are constantly looking to infiltrate and find new security weaknesses in modern applications.

This program is a defense-focused training that delves deep into advanced topics of Application Security. The training expounds attacks and defenses against modern full-stack applications, right from client-side vulnerabilities to advanced server-side vulnerabilities and defenses.

Speakers
avatar for Andrew van der Stock

Andrew van der Stock

Executive Director, OWASP Foundation
Andrew van der Stock is a long time security researcher and the current Executive Director of the OWASP Foundation, co-lead of the OWASP Top 10 and OWASP Application Security Verification Standard, and is formerly an OWASP Global Board member. Andrew has trained or spoken at many... Read More →


Tuesday March 9, 2021 12:00pm - Wednesday March 10, 2021 4:00pm EST
Zoom

12:00pm EST

Securing Microservices with OAuth 2.0 and OpenID Connect (Hands-On Workshop)
OAuth 2.0 and OpenID Connect (OIDC) are the most commonly used solutions for stateless, token-based authentication in distributed microservice architectures as of today.

But have you ever asked yourself how OAuth 2.0 really works and how it differs from OpenID Connect? Then this workshop is a good opportunity to get to know how it works by making your hands dirty in code using Spring Security.

After an introduction to the basic concepts of OAuth 2.0 and OpenID Connect, we will use a boot-based Spring sample application to gradually implement authentication and authorization using these standards.

Learning Objectives:
- Differences between OAuth 2.0 and OpenID Connect (OIDC)
- What is an Authorization Grant and when do I use which grant
- The detailed procedure of the Authorization Code Grant protocol flow
- Implementation of an OAuth 2.0/OIDC compliant Resource Server
- Differences between JWT and reference tokens
- Authorization by means of claims in JWT
- Implementation of an OAuth 2.0/OIDC compliant client
- The correct validation of tokens
- Automated testing with OAuth 2.0 and OpenID Connect
- Current best practices for OAuth 2.0 and OIDC, especially for Single Page Applications
- The workshop contents are aligned with the proposed updates of OAuth 2.1

Speakers
avatar for Andreas Falk

Andreas Falk

Managing Consultant, Novatec Consulting
Andreas Falk works for Novatec Consulting located in Stuttgart/Germany. For more than 20 years, he has been involved in various projects as an architect, coach, and developer. His focus is on the agile development of cloud-native Java applications. As a member of OWASP and the OpenID... Read More →


Tuesday March 9, 2021 12:00pm - Wednesday March 10, 2021 4:00pm EST
Zoom

12:00pm EST

Security for Web Developers - an Offensive Approach
Overview of Web Penetration Testing Modules
- OWASP Top Ten Web Vulnerabilities
- API Top Ten vulnerabilities
- Technical measures and best practices u HTTP Security Headers
- JSON Web Tokens

The methodology of the course covers more than 75% practical hands-on approach. They will get hands-on knowledge to perform the hacking tasks in ethical ways to improve the security of assets by using various hacking tools. Attack side: Kali Linux 2020.x, NMAP, Burp / OWASP ZAP, Metasploit Framework (MSF). Victim side: OWASP Resources i.e. Damn Vulnerable Web Application (DVWA), Tomcat, as virtual machines.

Modules:
• Penetration testing overview
• Various types of web apps footprinting, footprinting tools, and countermeasures
• Ethical hacking methodology
• Web attacks: XSS, SQL Injection, Facebook phishing.
• NoSQL injection, API vulnerabilities, LFI, Brute-Force attacks, CSRF.

Speakers
avatar for Gabriel Avramescu

Gabriel Avramescu

ituniversity.ro
I work as a penetration tester with over 8 years of experience and as a trainer with over 14 years (5 in the security field). Certifications: OSWE, OSWP,OSCP, CEH, ECSA, CHFI, ISO 27001, CREST CRT, CREST CPSA, etc. Trainer on OWASP AppSec Days - August 2020 Penetration testing customers... Read More →


Tuesday March 9, 2021 12:00pm - Wednesday March 10, 2021 4:00pm EST
Zoom

12:00pm EST

Threat Modeling: From None to Done
This session offers participants an interactive introduction to Threat Modeling, based on the instructor's learning and experience over the past several years. A primary focus of this course is the introduction of threat modeling activities into your organization's software development processes, to improve the overall quality and security of the applications you build.

As a recent "convert" to the application security world, your instructor has developed his "expertise" in threat modeling by gathering information from a variety of sources. He's combined those learnings with his own experience to create a practical threat modeing approach he has successfully applied within his professional roles.

In addition to addressing key questions around the "Five Ws," the presentation will cover the "Four Questions" approach to developing a model, and include several interactive exercises to provide direct experience. A brief review of available modeing tools will also be included, along with a discussion of the opportunities and challenges for introducing Threat Modelng into your SDLC.

Speakers
avatar for John DiLeo

John DiLeo

Datacom New Zealand
Dr. John DiLeo is the Auckland-area leader of the OWASP New Zealand Chapter. In his current role, he leads a consulting team that helps enterprises develop and mature their software assurance programs, with emphasis on governance, threat modeling and risk-based requirements, secure... Read More →


Tuesday March 9, 2021 12:00pm - Wednesday March 10, 2021 4:00pm EST
Zoom
 
Tuesday, May 25
 

12:00pm EDT

Kubernetes Security Masterclass - Discoverer Edition
Kubernetes has emerged as the leading container orchestration and management platform for on-prem and cloud environments. However, Kubernetes is a multi-headed beast with several minute and nuanced security configuration parameters. In addition, attackers take advantage of these insecurely configured and designed Kubernetes deployments and perform deep-incursions into the organization’s assets. This training is a hard-core hands-on view of Kubernetes Security from an Attack and Defense perspective. The course takes the participants through a journey where they start with setting up a Kubernetes cluster (simulating an on-prem Kubernetes) deployment, attack the cluster and learn, through multiple deep-dive examples and cookbooks on how they can effectively secure Kubernetes clusters. The course is aimed at providing a view of attacking, auditing and defending Kubernetes clusters on-prem or on the cloud

Speakers
avatar for Nithin Jois

Nithin Jois

Senior Security Solutions Engineer, we45
Nithin Jois dons two hats - Apart from being one of the lead trainers at AppSecEngineer, he is also a Senior Solutions Architect at We45 where he has helped build multiple solutions ranging from Vulnerability management to scalable scanner orchestrating systems that leveraged container... Read More →


Tuesday May 25, 2021 12:00pm - Wednesday May 26, 2021 4:00pm EDT
Zoom
 
Tuesday, June 15
 

12:00pm EDT

Cloud-Native Microservices Security Bootcamp
All developers today are also DevSecOps engineers even if they are not aware of it. In this Bootcamp, you will learn how to secure cloud-native Java microservices. First, we will look into what are the common security risks for server-side applications. Then we will directly dive into the hands-on coding parts to see how we can mitigate those security risks in our own applications. Specifically, we'll see how the security patterns are implemented with the most widely used frameworks Spring Boot (main focus) and Micronaut (partly). In the last part, you will also learn how to implement automated security tests along the testing-pyramid.


Learning Objectives:
- OWASP Top 10 (Web Application Security Risks)
- OWASP API Top 10 - Securing Spring Boot applications
- Securing Micronaut applications - Authentication and Authorization
- Basic Auth, Session Management, MTLS, WebAuthn
- OAuth 2.0 and OpenID Connect
- Configuring HTTPS connections
- Encryption and password hashing
- Security response headers
- Defense against Session Hijacking, SQL injection, XSS, and CSRF
- Securing both blocking servlet-based and non-blocking reactive web applications
- Automated security tests

Speakers
avatar for Andreas Falk

Andreas Falk

Managing Consultant, Novatec Consulting
Andreas Falk works for Novatec Consulting located in Stuttgart/Germany. For more than 20 years, he has been involved in various projects as an architect, coach, and developer. His focus is on the agile development of cloud-native Java applications. As a member of OWASP and the OpenID... Read More →


Tuesday June 15, 2021 12:00pm - Wednesday June 16, 2021 4:00pm EDT
Zoom - UTC +3

12:00pm EDT

DevSecOps Masterclass - Discoverer Edition
Managing comprehensive security for continuous delivery of applications across organizations continues to remain a serious bottleneck in the DevOps movement. The methodology involved in implementing effective security practices within delivery pipelines can be challenging. This training is designed to give a practical approach of implementing Security across Continuous Delivery Pipelines by leveraging the plethora of cloud offerings and is backed by a ton of hands-on labs, original research and real-world implementations of DevSecOps that work. The training starts with Application Security Automation for SAST, SCA and DAST, apart from Vulnerability Management and Correlation. Finally, the training concludes with leveraging Security Automation in the Cloud with detailed perspectives of implementing scalable security for cloud-native deployments. By the end of this training, attendees will have ideas and hands-on experience to successfully kickoff DevSecOps implementations.

Speakers
avatar for Nithin Jois

Nithin Jois

Senior Security Solutions Engineer, we45
Nithin Jois dons two hats - Apart from being one of the lead trainers at AppSecEngineer, he is also a Senior Solutions Architect at We45 where he has helped build multiple solutions ranging from Vulnerability management to scalable scanner orchestrating systems that leveraged container... Read More →


Tuesday June 15, 2021 12:00pm - Wednesday June 16, 2021 4:00pm EDT
Zoom - UTC +3