
2-Day Training Class
Tuesday, October 20

9:00am CDT

Creating and automating your own AppSec Pipeline (Day 1)
Any optimization outside the critical constraint is an illusion. In application security, the size of the security team is always the scarcest resource. The best way to optimize the security team is automation. This training will provide an overview of key application security automation principles and provide hands-on experience with creating an Application Security Pipeline augmented with automation. Over the course of two days, the students will cover the crucial aspects of where and when to add automation to their application security practices and gain experience with integrating APIs, automating security scanning, consolidating and de-duplicating security issues, automating submission of issues to defect trackers and generating reports/metrics in an automated fashion. Students should leave with a firm understanding of how to apply DevOps and Agile concepts to optimize their security programs.

The labs consist of a series of exercises which build upon each other to construct an AppSec Pipeline. After discussing each fundamental part of the pipeline, the student will be provided a lab to construct that portion of their own AppSec Pipeline. While these will be somewhat scripted labs, they will provide working examples of all the key concepts needed in adding automation to an AppSec program, allowing the student to see the concepts in action before returning to work and applying them to their particular situation.

Who Should Take This Course?
AppSec professionals who are running an internal AppSec program. This course is designed to demonstrate the principles, in both theory and practice, around the creation of an AppSec Pipeline, the benefits it brings and how it can help you do more with less. Multiple open source software packages will be used to set up an example AppSec Pipeline in a series of hands-on labs. The concepts and techniques of this course can then be applied to the students' own AppSec programs to build their own, custom AppSec Pipeline.

What Should Students Bring?
A laptop capable of running a VM in either VirtualBox, VMware Player/Workstation/Fusion or Parallels. A custom VM will be provided to the students which contains all the necessary software for the labs.


Tuesday October 20, 2015 9:00am - 5:00pm CDT
Under Armour Room Norris Conference Center, Austin
  2-Day Training Class

9:00am CDT

Defensive Programming for JavaScript and HTML5 (Day 1)
Understand JavaScript and HTML5 Features to Secure Your Client-side Code

This full-day course helps web front-end developers understand the risks involved with manipulating JavaScript and HTML5 and apply defensive programming techniques in both languages.
Some of the topics covered include, but are not limited to, important security aspects of modern browser architecture (Document Object Model and Same Origin Policy), XSS, CSRF, DOM manipulation, Sandboxing iframes, Cross-origin Resource Sharing, Content Security Policy, Web Messaging, Web Storage, and JSON.

This course is structured into modules and includes exploitation and remediation exercises. The high-level topics for this course are:
• The HTML5 and JavaScript Risk Landscape
• Storage of Sensitive Data
• Secure Cross-domain Communications (CORS, web messaging)
• Protecting from Cross-site Scripting (CSP, JavaScript Execution Contexts, Output Encoding)
• Implementing Secure Dataflow
• Securing AJAX Requests and JSON Data

Objectives
After completing this course, students will be able to:
• Apply HTML5 Defensive Programming Techniques
• Apply JavaScript Defensive Programming Techniques
• Apply JSON Defensive Programming Techniques
There should be a maximum of 20 students.

Labs and Demonstrations
Students who bring their own laptops with internet connectivity will be able to access online Virtual Machines with labs. In lab sessions students will learn to fix issues related to localStorage, web messaging, the sandbox attribute for iframes, CORS, CSP, parsing JSON data, and DOM-based cross-site scripting. The course also includes several interactive demonstrations showing how to tamper with client-side data, evade client-side filters, and work with Firebug. The labs are not compulsory to get the full value of the course.

Note: the training has recently been updated with the latest information on CORS, CSP, and new lab exercises.

Speakers

Ksenia Dmitrieva

Associate Principal Consultant, Cigital
Ksenia Dmitrieva is an Associate Principal Consultant at Cigital with over six years of experience in securing web applications and five years of development experience. She performs penetration testing and code review for clients in financial services, entertainment, telecommunications...


Tuesday October 20, 2015 9:00am - 5:00pm CDT
Gemalto Room Norris Conference Center, Austin
  2-Day Training Class
Wednesday, October 21

9:00am CDT

Creating and automating your own AppSec Pipeline (Day 2)
Day 2 of the two-day class described in the Day 1 listing above (Tuesday, October 20); the description, audience and laptop requirements are the same.


Wednesday October 21, 2015 9:00am - 5:00pm CDT
Under Armour Room Norris Conference Center, Austin
  2-Day Training Class

9:00am CDT

Defensive Programming for JavaScript and HTML5 (Day 2)
Day 2 of the two-day class described in the Day 1 listing above (Tuesday, October 20); the description, topics, objectives, labs and speaker (Ksenia Dmitrieva, Cigital) are the same.


Wednesday October 21, 2015 9:00am - 5:00pm CDT
Gemalto Room Norris Conference Center, Austin
  2-Day Training Class