AppSec USA 2016 has ended


Training
Tuesday, October 11
 

Training Session - Assessing and Exploiting Control Systems & IoT Day 1 (2 Day)
This is not your traditional SCADA/ICS/IoT security course! How many courses send you home with your own PLC and a set of hardware/RF hacking tools?!? This course teaches hands-on penetration testing techniques used to test individual components of a control system, including embedded electronic field devices, network protocols, RF communications, Human Machine Interfaces (HMIs), and various forms of master servers and their ICS applications. Skills you will learn in this course will apply directly to systems such as the Smart Grid, PLCs, RTUs, smart meters, building management, manufacturing, Home Area Networks (HAN), smart appliances, SCADA, substation automation, and synchrophasors. This course is structured around the formal penetration testing methodology created by UtiliSec for the United States Department of Energy. Using this methodology and the Control Things Pentest Platform (previously SamuraiSTFU), an open source Linux distribution for pentesting energy sector systems and other critical infrastructure, we will perform hands-on penetration testing tasks on user interfaces (on master servers and field device maintenance interfaces), control system protocols (Modbus, DNP3, IEC 60870-5-104), RF communications (433MHz, 869MHz, 915MHz), and embedded circuit attacks (memory dumping, bus snooping, JTAG, and firmware analysis). We will tie these techniques and exercises back to the control system devices that can be tested with them. The course exercises will be performed on a mixture of real world and simulated devices to give students as realistic an experience as possible in a portable classroom setting.

Advances in modern control systems such as the energy sector's Smart Grid have brought great benefits for asset owners/operators and customers alike; however, these benefits have often come at a cost from a security perspective. With increased functionality and additional inter-system communication, modern control systems bring a greater risk of compromise that vendors, asset owners/operators, and society in general must accept to realize the desired benefits. To minimize this risk, penetration testing in conjunction with other security assessment types must be performed to reduce vulnerabilities before attackers can exploit the critical infrastructures that exist in all countries around the world. Ultimately, this is the goal of this course: to help you know how, when, and where this can be done safely in your control systems.

WHAT STUDENTS SHOULD BRING

Laptop with at least two USB ports (three ports preferred). If only two USB ports exist on the laptop AND they are right next to each other (such as found on a MacBook Air), a USB extension cable must be brought as well
Latest VMware Player, VMware Workstation, or VMware Fusion installed. Other virtualization software such as Parallels or VirtualBox may work if the attendee is familiar with its functionality; however, VMware Player should be prepared as a backup just in case
Access to an account with administrative permissions and the ability to disable all security software on their laptop such as antivirus and/or firewalls if needed for the class
At least thirty (30) GB of free hard drive space
At least four (4) GB of RAM, optimally eight (8) GB of RAM
Windows 7, 8.x, or 10.x installed on your host laptop or inside a VM

________________________________

WHAT STUDENTS WILL BE PROVIDED WITH

Power for your laptop
Internet connectivity may or may not be available depending on the facility hosting the course.
Latest version of SamuraiSTFU distribution
PDF version of the course slide deck
Student hardware kits to keep

________________________________

STUDENT PREPARATIONS

For those with little or no ICS experience, these Wikipedia articles provide a brief introduction to the concepts and history of control systems that will be helpful to know for class.

http://en.wikipedia.org/wiki/ICS
http://en.wikipedia.org/wiki/SCADA
http://en.wikipedia.org/wiki/Distributed_control_system
http://en.wikipedia.org/wiki/Smart_grid
http://nostarch.com/xboxfree (Note: While this has nothing to do with control systems, it provides a great introduction to the concepts and techniques taught in this class to pen test embedded electronic hardware in ICS field/floor devices.)
http://csrc.nist.gov/publications/nistir/ir7628/nistir-7628_vol3.pdf (Chapter 7 of the NIST Interagency Report 7628, titled Bottom-up Security Analysis of the Smart Grid, provides a great overview of the challenges faced in Smart Grid and energy sector systems, many of which we are testing for and exploiting in this class.)

Speakers

Justin Searle

Justin Searle is a Managing Partner of UtiliSec, specializing in Smart Grid security architecture design and penetration testing. Justin led the Smart Grid Security Architecture group in the creation of NIST Interagency Report 7628 and played key roles in the Advanced Security Acceleration...


Tuesday October 11, 2016 9:00am - 5:00pm
Meeting Room 12

Training Session - Creating and Automating your own AppSec Pipeline Day 1 (2 Day)
Any optimization outside the critical constraint is an illusion. In application security, the size of the security team is always the scarcest resource. The best way to optimize the security team is automation. This training will provide an overview of key application security automation principles and provide hands-on experience with creating an Application Security Pipeline augmented with automation. Over the course of two days, the students will cover the crucial aspects of where and when to add automation to their application security practices and gain experience with integrating APIs, automating security scanning, consolidating and de-duplicating security issues, automating submission of issues to defect trackers, and generating reports/metrics in an automated fashion. Students should leave with a firm understanding of how to apply DevOps and Agile concepts to optimize their security programs.

The labs consist of a series of exercises which build upon each other to construct an AppSec Pipeline. After discussing each fundamental part of the pipeline, the student will be provided a lab to construct that portion of their own AppSec Pipeline. While these will be somewhat scripted labs, they will provide working examples of all the key concepts needed in adding automation to an AppSec program allowing the student to have seen the concepts in action before returning to work and applying them to their particular situation.

This will be a hands-on class and attendees are expected to have:
  • A laptop capable of running VirtualBox and a VM with at least 2048 MB RAM for the VM - 4096 is even better
  • VMs will be provided on a USB drive formatted as a NTFS volume
  • VMs will be in .ova (Open Virtualization Format), which is generally 'importable' in more than just VirtualBox if you happen to already have virtualization software installed
I'll have printed handouts and digital versions on the USB drive as well.
Note for those bringing a Mac laptop to the training: Macs haven't consistently supported reading from NTFS formatted disks. There's usually one or two students who cannot read the USB drives I hand out to the class with Macs. I usually recommend they use the 15 day trial of Tuxera to get past the problem for the training - http://www.tuxera.com/products/tuxera-ntfs-for-mac/. Other alternatives are outlined in this article: http://www.howtogeek.com/236055/how-to-write-to-ntfs-drives-on-a-mac/

Speakers

Matt Tesauro

Senior AppSec Engineer, Duo Security
Matt Tesauro is currently a Senior AppSec Engineer building an AppSec Pipeline and continuous security program for Duo Security. Prior, he worked full-time for the OWASP Foundation, adding automation and awesome to OWASP projects as the Operations Director. Previously, he was...


Tuesday October 11, 2016 9:00am - 5:00pm
Meeting Room 15

Training Session - Hands-On Security in DevOps (SecDevOps) Workshop Day 1 (2 Days)
Agile and DevOps have revolutionized the way we deliver apps to customers. Software products today demand rapid everything: rapid code changes, rapid deployments and rapid delivery. In addition, you have embraced Agile development methodologies that stress iterative product development and flexibility in changing environments. There is one major problem in this entire chain, and that is application security.

While your product may be rapidly delivered to customers, Application security still remains a massive bottleneck in your continuous delivery pipeline. Application security is critical because companies lose billions of dollars due to vulnerabilities in their applications. Apart from typical vulnerabilities like SQL Injection and Cross Site Scripting, vulnerabilities in authentication, authorization, business logic and cryptographic implementations are more prevalent and can cause massive damage to a software product company.

This is why you need SecDevOps. You need a practical, repeatable and scalable way to deliver Application Security to your product across the Agile and DevOps lifecycle. In the we45 Certified SecDevOps Professional program you will receive powerful hands-on training on how you can implement scalable and effective security for rapid-release applications. The workshop will be a hardcore hands-on workshop covering the following, but not limited to:

  • Security Threat Modeling - Agile Methodology
  • Static Application Security Testing - Integrated with Continuous Integration Services
  • Customized Security Automation Scripting Framework with Continuous Integration
  • Creating specialized Application Security Testing Scripts to be integrated with existing Test Suites
  • Security in Configuration management and Continuous Deployment
  • Creating Security Configuration Management “Infrastructure as Code” and Validation Scripts
  • Application Security Monitoring in a DevOps World
Laptop Requirements for SecDevOps Workshop:

For Windows Laptop Users
• Intel i3 and above preferred, 64-bit Operating System (32-bit will NOT work), 8GB+ RAM preferred, with at least 50GB of free HDD space. Netbooks will NOT work
• Working WiFi adapter with ability to connect to third party wireless networks
• User must be able to use the DVD Drive/USB port of the laptop to copy and install the Virtual Machine, which will be delivered in a DVD/USB Mass Storage Device (Flash Drive)
• Windows users - Please download and install the latest version of Oracle VM VirtualBox from http://www.virtualbox.org
• We have observed that Windows laptops often come with virtualization options disabled in the BIOS. In such cases, the Virtual Machine and the workshop exercises won't work. Please ensure that the following measures are taken to make your laptop available for virtualization:
  o You must have access to your BIOS menu. This can be accessed by pressing F12 (not all laptops; some may have a different key to access the BIOS menu). In some cases, there may be a password to access the BIOS menu. Please ensure that you have the password (if required) to access the BIOS menu.
  o Please enable Virtualization in the BIOS options. Please refer to the screenshots (please note that different laptops may have these options located in different menu screens).
  [Screenshots: HP – BIOS Virtualization Screen; Dell Laptop BIOS Virtualization Option]

For Linux/Mac Users
• Intel i3 and above preferred, 64-bit Operating System (32-bit will NOT work), 8GB+ RAM preferred
• At least 50GB HDD space available
• Working WiFi adapter with ability to connect to third party wireless networks
• User must be able to use the DVD Drive/USB port of the laptop to copy and install the Virtual Machine, which will be delivered in a DVD/USB Mass Storage Device (Flash Drive)
• Install the latest version of Oracle VM VirtualBox


** We are using two VMs for the hands-on labs. Together the two VMs will exceed 8 GB in size, so we will be distributing them on USB drives for people to copy and use. The option of DVDs (which was an either/or with USB earlier) will not be possible in this case.

** Also, the drives will be formatted with exFAT, so members of the audience with Linux computers might need to download exFAT libraries to get them to work. If this is a problem, then we need to go with a different file system.

Speakers

Abhay Bhargav

CEO, we45
Abhay Bhargav is the Founder of we45, a focused Application Security Company. Abhay is a builder and breaker of applications. He is the Chief Architect of "Orchestron", a leading Application Vulnerability Correlation and Orchestration Framework. He has created some pioneering works...


Tuesday October 11, 2016 9:00am - 5:00pm
Meeting Room 16

Training Session - Mobile Application Exploitation iOS and Android Day 1 (2 Day)
Ever wondered how different attacking a mobile application would be from attacking a traditional web application? Gone are the days when knowledge of just SQL Injection or XSS could help you land a lucrative high-paying infosec job.

This will be an introductory course on exploiting iOS and Android applications. The training will be based on exploiting Damn Vulnerable iOS App, Android-InsecureBankv2 and other vulnerable applications written by the trainers in order to give in-depth knowledge about the different kinds of vulnerabilities in mobile applications. This course will also discuss how an attacker can compromise a mobile application. After the workshop, the students will be able to successfully pentest and secure applications running on the various mobile operating systems.

The training will also include a CTF challenge in the end where the attendees will use their skills learnt in the training to solve the CTF challenges.

Below are the to-dos for the attendees:

* 20+ GB free hard disk space 
* 3+ GB RAM 
* VMware player installed on the machine
* Latest version of Android SDK. To make sure the setup is right, follow all the steps on https://github.com/dineshshetty/Android-InsecureBankv2/blob/master/Usage%20Guide.pdf
* A jailbroken iPhone/iPad/iPod for iOS testing.
* If you are using a Mac machine, also download and install the latest version of Xcode.

Speakers

Prateek Gianchandani

Cognosec
Prateek Gianchandani, an OWASP member and contributor, has been working in the infosec industry for about 5 years. During his five years, he has performed a number of penetration tests on mobile and web applications and even developed a lot of applications for the App Store. His core...

Dinesh Shetty

Sr Security Manager, Security Innovation
Dinesh leads the Mobile Security Testing Center of Excellence at Security Innovation. He has performed innumerable penetration tests on Web, Mobile and VoIP technologies - however his core area of expertise is Mobile and Embedded application pentesting and exploitation. He is an accomplished...


Tuesday October 11, 2016 9:00am - 5:00pm
Meeting Room 14

Training Session - Practical IoT Exploitation Day 1 (2 Day)
Practical IoT Exploitation is a unique course being launched at OWASP AppSec by Attify. The previous version of the course titled “Offensive IoT Exploitation” has been run in various conferences such as BlackHat (US, EU, Asia), Brucon, HIP and many other places. 

IoT, or the Internet of Things, is one of the most prominent upcoming trends in technology right now. Many new devices come out every single month. However, not much attention has been paid to the devices' security so far. "Practical IoT Exploitation" is a brand new and unique course which gives pentesters the ability to assess and exploit the security of these smart devices by looking in depth at the devices, their radio communications and their interactions with the real world, and then exploiting them.

The training will cover different varieties of IoT devices, assessing their attack surfaces, reversing their communication protocols and writing exploits for them. This is a 2-day action packed class covering topics like firmware analysis, identifying attack surface, analyzing Zigbee communication, finding vulnerabilities and then finally exploiting the vulnerabilities.

The course labs include both emulated environments and real live devices, which will be provided to the attendees during the training. Practical IoT Exploitation training is designed for pentesters who want to kickstart their career in IoT pentesting, and the training does not expect the attendees to have prior knowledge of assembly, mobile security or reversing. The attendees will be provided with a VM image of the IoT security testing platform IoTa, created by the trainers themselves.

After the two-day class, the attendees will be able to:

Extract and analyze device firmware
Analyze firmware and binaries using IDA Pro
Work hands-on with UART and SPI
Interact with and debug over JTAG
Identify attack surfaces and write fuzzers
Scan devices and reverse communication APIs
Perform USB attacks
Gain familiarity with NFC, Bluetooth and RFID
Perform BLE analysis and packet analysis
Attack Zigbee (hands-on labs)

Practical IoT Exploitation is the course for you if you want to try exploitation on new hardware and find security vulnerabilities and 0-days in IoT devices. At the end of the class, there will be a final CTF challenge where the attendees will have to identify security vulnerabilities and exploit them in a completely unknown device, created exclusively for the OWASP AppSec training.

Requirements:

Hardware:
  • At least 25 GB of free space 
  • Laptop having a minimum of 4 GB RAM 
  • USB access allowed 
Software:
  • Virtualization software installed 
  • Administrative privileges on the system 
At the start of the class, we will share the devices and the AttifyOS VM, which will have all the tools preconfigured for the training.
During the radio section of the class, we have seen some students encounter issues with the hardware not being detected in the VM while running on one virtualisation product, but working with the same VM on another.
Though we don't often run into these issues, it's recommended to have both virtualisation tools, VirtualBox and VMware, to save time troubleshooting. In the case of VMware, if you don't have the paid edition, the free VMware Workstation Player will also work.

Speakers

Aditya Gupta

Founder and CEO, Attify
Aditya Gupta (@adi1391) is the founder and principal consultant of Attify, an IoT and mobile penetration testing and training firm, and a leading IoT security expert and evangelist. He has done a lot of in-depth research on mobile application security and IoT device exploitation...

Norman Shamas

Attify Inc
Norman Shamas is an IoT Pentester and trainer at Attify (attify.com), an IoT and Mobile security firm. Attify has done a lot of in-depth research on Mobile application security and IoT device Exploitation and is the creator of AppWatch (https://appwatch.io) - an automated platform...


Tuesday October 11, 2016 9:00am - 5:00pm
Meeting Room 13

Training Session - Secure Coding in Java Day 1 (2 Day)
The course provides developers with practical guidance for developing Java programs that are robust and secure. Material in this presentation was derived from the Addison-Wesley book The CERT Oracle Secure Coding Standard for Java and is supported by the Secure Coding Rules for Java LiveLessons video series. Participants should come away from the course with a working knowledge of common programming errors that lead to software vulnerabilities, how these errors can be exploited, and effective mitigation strategies for preventing the introduction of these errors.
In particular, participants will learn how to:
• Explain the need for secure coding
• Follow fundamental secure coding guidelines
• Validate and sanitize data
• Explain the Java Security Model
• Predict how the numerical types behave in Java
• Avoid pitfalls in the use of characters and strings
• Securely process input and output
Moreover, the course encourages programmers to adopt security best practices and develop a security mindset that can help protect software from tomorrow’s attacks, not just today’s.

You will need to bring a laptop with 100MB or greater of free hard disk space and the following software installed:

  • Java SE Development Kit 8
  • Eclipse IDE for Java Developers or another Java 8 compatible IDE
  • Adobe Reader

You should clone the course exercises, demos, and examples from https://github.com/rcseacord/JavaSCR.git prior to the class.  Make sure that you have imported the code into your IDE and that you can build and test the sample programs.

“The CERT Oracle Secure Coding Standard for Java” and “Java Coding Guidelines: 75 Recommendations for Reliable and Secure Programs” books authored by Robert C. Seacord and published by Addison-Wesley can be purchased in advance at InformIT.  We will be covering chapters 1-8 of The CERT Oracle Secure Coding Standard for Java in class, if you want to prepare by reviewing these chapters.

Speakers

Robert Seacord

Principal Security Consultant, NCC Group
I work with software developers and software development organizations to eliminate vulnerabilities resulting from coding errors before they are deployed. Previously, I led the secure coding initiative in the CERT Division of Carnegie Mellon University's Software Engineering Institute...


Tuesday October 11, 2016 9:00am - 5:00pm
Meeting Room 11
 
Wednesday, October 12
 

Training Session - AppSec Safari (1 Day)
Tired of reading about vulnerabilities or seeing screen captures of other people landing the big one? Join our AppSec Safari and go toe-to-toe with an application. Track a bug through multiple fields and feel the triumph of exploiting the flaw yourself!

The Safari will take you on a guided tour of cross-site scripting, SQL injection, privilege escalation and more. We’ll present a refresher on each vulnerability type, provide example exploits and turn you loose on a real application hosted in a local test environment. We’ll give hints as needed to maximize your chances of success. If you get ahead of the group, build your skills by chasing vulnerabilities we’ve hidden in the environment.

If you’re an application developer or security practitioner who is looking to solidify your theoretical knowledge, join our safari. Bring a laptop with an Ethernet port that is capable of running a Kali live image, or have the following tools installed: ZAP, sqlmap, MySQL client, Remote Desktop client.

Speakers

Mark Hoopes

Senior Application Security Engineer, Aspect Security
Mark Hoopes has been working in enterprise IT delivery for nearly 20 years in an assortment of roles including development, project management, and major incident management. He found his niche in application security and has been effectively on vacation ever since. Throughout his...

Jason Li

Director, Aspect Security
Jason Li is a Director at Aspect Security where he provides application security consulting services including penetration testing, code review, security control analysis, and threat modeling. He is heavily involved in OWASP having previously chaired the OWASP Global Projects Committee...


Wednesday October 12, 2016 9:00am - 5:00pm
Meeting Room 10

Training Session - Assessing and Exploiting Control Systems & IoT Day 2 (2 Day)
Day 2 of the two-day course; the description, student requirements, preparations and speaker bio are as given under the Day 1 entry above.

Speakers

Justin Searle


Wednesday October 12, 2016 9:00am - 5:00pm
Meeting Room 12

Training Session - Creating and Automating your own AppSec Pipeline Day 2 (2 Day)
Day 2 of the two-day course; the description, laptop requirements and speaker bio are as given under the Day 1 entry above.

Speakers

Matt Tesauro

Senior AppSec Engineer, Duo Security


Wednesday October 12, 2016 9:00am - 5:00pm
Meeting Room 15

9:00am

Training Session - Hands-On Security in DevOps (SecDevOps) Workshop Day 2 (2 Day)
Agile and DevOps have revolutionized the way we deliver apps to customers. Software products today demand rapid everything: rapid code changes, rapid deployments and rapid delivery. In addition, you have embraced Agile development methodologies that stress iterative product development and flexibility in the face of changing environments. There is one major problem in this entire chain, and that is application security.

While your product may be rapidly delivered to customers, Application security still remains a massive bottleneck in your continuous delivery pipeline. Application security is critical because companies lose billions of dollars due to vulnerabilities in their applications. Apart from typical vulnerabilities like SQL Injection and Cross Site Scripting, vulnerabilities in authentication, authorization, business logic and cryptographic implementations are more prevalent and can cause massive damage to a software product company.

This is why you need SecDevOps. You need a practical, repeatable and scalable way to deliver application security to your product across the Agile and DevOps lifecycle. In the we45 Certified SecDevOps Professional program you will receive hands-on training on how to implement scalable and effective security for rapid-release applications. The workshop is entirely hands-on and covers the following topics, among others:

  • Security Threat Modeling - Agile Methodology
  • Static Application Security Testing - Integrated with Continuous Integration Services
  • Customized Security Automation Scripting Framework with Continuous Integration
  • Creating specialized Application Security Testing Scripts to be integrated with existing Test Suites
  • Security in Configuration management and Continuous Deployment
  • Creating Security Configuration Management “Infrastructure as Code” and Validation Scripts
  • Application Security Monitoring in a DevOps World
Laptop Requirements for SecDevOps Workshop:

For Windows Laptop Users
• Intel i3 or above preferred, 64-bit operating system (32-bit will NOT work), 8 GB+ RAM preferred, with at least 50 GB of free HDD space.
Netbooks will NOT work
• Working WiFi adapter with ability to connect to third party wireless networks
• User must be able to use the DVD Drive/USB port of the laptop to copy and install the Virtual Machine, which will be delivered in a DVD/USB Mass Storage Device (Flash Drive)
• Windows users - Please download and install the latest version of Oracle VM VirtualBox from http://www.virtualbox.org
• We have observed that Windows laptops often come with virtualization options disabled in the BIOS. In such cases, the virtual machine and the workshop exercises won't work. Please ensure that the following measures are taken to make your laptop available for virtualization:
  o You must have access to your BIOS menu. This is often accessed by pressing F12 (not all laptops; some may use a different key to access the BIOS menu). In some cases, there may be a password to access the BIOS menu. Please ensure that you have the password (if required) to access the BIOS menu.
  o Please enable virtualization in the BIOS options. Different laptops may have these options located in different menu screens; the original page referred to two screenshots here: "HP – BIOS Virtualization Screen" and "Dell Laptop BIOS Virtualization Option".

For Linux/Mac Users
• Intel i3 or above preferred, 64-bit operating system (32-bit will NOT work), 8 GB+ RAM preferred
• At least 50 GB HDD space available
• Working WiFi adapter with ability to connect to third party wireless networks
• User must be able to use the DVD Drive/USB port of the laptop to copy and install the Virtual Machine, which will be delivered in a DVD/USB Mass Storage Device (Flash Drive)
• Install the latest version of Oracle VM VirtualBox

** We are using two VMs for the hands-on labs. Together the two VMs will exceed 8 GB in size, so we will be distributing them on USB drives for people to copy and use. The option of DVDs (previously offered as an alternative to USB) will not be possible in this case.

** Also, the drives will be formatted with exFAT, so members of the audience with Linux computers might need to download exFAT libraries to get them to work. If this is a problem, then we need to go with a different file system.


Speakers

Abhay Bhargav

CEO, we45
Abhay Bhargav is the Founder of we45, a focused Application Security Company. Abhay is a builder and breaker of applications. He is the Chief Architect of “Orchestron", a leading Application Vulnerability Correlation and Orchestration Framework. He has created some pioneering works... Read More →


Wednesday October 12, 2016 9:00am - 5:00pm
Meeting Room 16

9:00am

Training Session - Mobile Application Exploitation iOS and Android Day 2 (2 Day)
Ever wondered how different attacking a mobile application is from attacking a traditional web application? Gone are the days when knowledge of just SQL injection or XSS could help you land a lucrative, high-paying infosec job.

This is an introductory course on exploiting iOS and Android applications. The training is based on exploiting Damn Vulnerable iOS App, Android-InsecureBankv2 and other vulnerable applications written by the trainers, in order to give in-depth knowledge of the different kinds of vulnerabilities found in mobile applications. The course also discusses how an attacker can compromise a mobile application. After the workshop, students will be able to pentest and secure applications running on both operating systems.

The training ends with a CTF challenge in which attendees use the skills learnt in the training to solve the challenges.

Attendees should prepare the following:

* 20+ GB free hard disk space 
* 3+ GB RAM 
* VMware player installed on the machine
* Latest version of Android SDK. To make sure the setup is right, follow all the steps on https://github.com/dineshshetty/Android-InsecureBankv2/blob/master/Usage%20Guide.pdf
* A jailbroken iPhone/iPad/iPod for iOS testing.
* If you are using a Mac machine, also download and install the latest version of Xcode.

Speakers

Prateek Gianchandani

Cognosec
Prateek Gianchandani, an OWASP member and contributor has been working in the infosec industry for about 5 years. During his five years, he has performed a number of penetration tests on mobile and web applications and even developed a lot of applications for the App Store. His core... Read More →

Dinesh Shetty

Sr Security Manager, Security Innovation
Dinesh leads the Mobile Security Testing Center of Excellence at Security Innovation. He has performed innumerable penetration tests on Web, Mobile and VoIP technologies - however his core area of expertise is Mobile and Embedded application pentesting and exploitation. He is an accomplished... Read More →


Wednesday October 12, 2016 9:00am - 5:00pm
Meeting Room 14

9:00am

Training Session - Practical IoT Exploitation Day 2 (2 Day)
Practical IoT Exploitation is a unique course being launched at OWASP AppSec by Attify. The previous version of the course, titled "Offensive IoT Exploitation", has been run at conferences such as BlackHat (US, EU, Asia), Brucon, HIP and many other places.

IoT, or the Internet of Things, is one of the fastest-growing trends in technology right now. Many new devices are appearing every single month; however, not much attention has been paid to their security so far. "Practical IoT Exploitation" is a brand new course which gives pentesters the ability to assess and exploit the security of these smart devices by looking in depth at the devices, their radio communications and their interactions with the real world, and then exploiting them.

The training will cover different varieties of IoT devices, assessing their attack surfaces, reversing their communication protocols and writing exploits for them. This is a 2-day action packed class covering topics like firmware analysis, identifying attack surface, analyzing Zigbee communication, finding vulnerabilities and then finally exploiting the vulnerabilities.

The course labs include both emulated environments and real devices, which will be provided to attendees during the training. Practical IoT Exploitation is designed for pentesters who want to kickstart their career in IoT pentesting; the training does not expect attendees to have prior knowledge of assembly, mobile security or reversing. Attendees will be provided with a VM image of the IoT security testing platform IoTa, created by the trainers themselves.

After the 2-day class, attendees will be able to:

  • Extract and analyse device firmware
  • Analyse firmware and binaries using IDA Pro
  • Work hands-on with UART and SPI
  • Interact with and debug devices over JTAG
  • Identify attack surfaces and write fuzzers
  • Scan devices and reverse communication APIs
  • Perform USB attacks
  • Work with NFC, Bluetooth and RFID
  • Analyse BLE traffic and packets
  • Attack Zigbee (hands-on labs)


Practical IoT Exploitation is the course for you if you want to try exploitation on new hardware and find security vulnerabilities and 0-days in IoT devices. At the end of the class, there will be a final CTF challenge in which attendees have to identify and exploit security vulnerabilities in a completely unknown device, created exclusively for the OWASP AppSec training.

Requirements:

 Hardware:
  • At least 25 GB of free space 
  • Laptop having a minimum of 4 GB RAM 
  • USB access allowed 
Software:
  • Virtualization software installed 
  • Administrative privileges on the system 
At the start of the class, we will share the devices and AttifyOS VM which will have all the tools preconfigured for the training. 
During the radio section of the class, we have seen some students encounter issues with the hardware not being detected in the VM under one virtualisation product while the same VM works under another.
Though we don't often run into these issues, it's recommended to have both virtualisation tools, VirtualBox and VMware, installed to save time troubleshooting. For VMware, if you don't have the paid edition, the free VMware Workstation Player will also work.

Speakers

Aditya Gupta

Founder and CEO, Attify
Aditya Gupta (@adi1391) is the founder and principal consultant of Attify, an IoT and mobile penetration testing and training firm, and a leading IoT security expert and evangelist. He has done a lot of in-depth research on mobile application security and IoT device exploitation... Read More →

Norman Shamas

Attify Inc
Norman Shamas is an IoT pentester and trainer at Attify (attify.com), an IoT and mobile security firm. Attify has done a lot of in-depth research on mobile application security and IoT device exploitation and is the creator of AppWatch (https://appwatch.io) - an automated platform... Read More →


Wednesday October 12, 2016 9:00am - 5:00pm
Meeting Room 13

9:00am

Training Session - Secure Coding in Java Day 2 (2 Day)
The course provides developers with practical guidance for developing Java programs that are robust and secure. Material in this presentation was derived from the Addison-Wesley book The CERT Oracle Secure Coding Standard for Java and is supported by the Secure Coding Rules for Java LiveLessons video series. Participants should come away from the course with a working knowledge of common programming errors that lead to software vulnerabilities, how these errors can be exploited, and effective mitigation strategies for preventing the introduction of these errors.
In particular, participants will learn how to:
• Explain the need for secure coding
• Follow fundamental secure coding guidelines
• Validate and sanitize data
• Explain the Java Security Model
• Predict how the numerical types behave in Java
• Avoid pitfalls in the use of characters and strings
• Securely process input and output
Moreover, the course encourages programmers to adopt security best practices and develop a security mindset that can help protect software from tomorrow’s attacks, not just today’s.

You will need to bring a laptop with 100MB or greater of free hard disk space and the following software installed:

  •  Java SE Development Kit 8
  • Eclipse IDE for Java Developers or another Java 8-compatible IDE
  • Adobe Reader

You should clone the course exercises, demos, and examples from https://github.com/rcseacord/JavaSCR.git prior to the class.  Make sure that you have imported the code into your IDE and that you can build and test the sample programs.

“The CERT Oracle Secure Coding Standard for Java” and “Java Coding Guidelines: 75 Recommendations for Reliable and Secure Programs” books authored by Robert C. Seacord and published by Addison-Wesley can be purchased in advance at InformIT.  We will be covering chapters 1-8 of The CERT Oracle Secure Coding Standard for Java in class, if you want to prepare by reviewing these chapters.



Speakers

Robert Seacord

Principal Security Consultant, NCC Group
I work with software developers and software development organizations to eliminate vulnerabilities resulting from coding errors before they are deployed. Previously, I led the secure coding initiative in the CERT Division of Carnegie Mellon University’s Software Engineering Institute... Read More →


Wednesday October 12, 2016 9:00am - 5:00pm
Meeting Room 11