Training Day
This year, we are adding a free, one-day training event before the regular Conference.
This training is NOT for security experts with many years of experience, but for the rest of us:
it is a hands-on crash course in application security for developers, QA engineers, and anyone new to the AppSec field!
The Training Day is free to attend; however, registration is required.
Date: October 17, 2017
Time: 9:00am - 5:30pm
Location: College of Management in Rishon.
What is this Training about?
Application-level attacks have become part of the typical organization's daily routine, with numerous automated attack and
exploitation engines from anywhere on the globe constantly scanning web sites, web services and external interfaces.
Ever wondered how it’s done? Dreaming of being a professional hacker, or of being able to fortify your
apps against them? Need to fund your beer with bug bounty prizes?
This crash course trains the participants in the basic toolset, in penetration testing skills and in secure development practices.
It will cover the methodologies, common toolsets and over seven different high-impact attack vectors, as well as the
code-level techniques required to mitigate these attacks.
Goals
The Training aims to introduce the audience to the field of application-level attacks and white-hat hacking
methodologies, as well as the corresponding secure coding best practices, and to provide the basic tools, understanding
and processes required for assessing the security of modern web applications.
Its aim is to enable trainees to get the initial understanding and hands-on skills required to find their path in the AppSec field,
whether as an AppSec professional or as a developer of secure, resilient, and robust code.
Requirements
Personal Laptop (any modern OS) with the following software downloaded and installed in advance:
- Modern web browser (e.g. Chrome, Firefox)
- Java JDK 1.8
- Tomcat 8
- OWASP ZAP Proxy
- OWASP WebGoat
Don’t forget your laptop charger (electric sockets will be available).
It is also recommended to bring a paper notebook and pen.
Schedule
The Training day will commence at 9:00.
We will have a lunch break between 12:30-14:00.
There is an adjacent food court, and several other great restaurants nearby.
Alternatively, you are welcome to pack your own lunch.
We are scheduled to complete the training by 17:30.
Coffee and cold drinks will be provided throughout the day, as well as an afternoon snack break.
Tower Attack & Defense
The course will train the participants to identify several common AND critical vulnerabilities,
as well as mitigate these vulnerabilities in the application code.
The subjects covered will include the following:
- Web Application Hacking Basics and Toolset, with live hacking demo
- Logical Attacks and Mitigation
  - Forced Browsing Attacks
  - Authentication Bypass and Authorization Bypass
  - Process Flow Bypass
  - Parameter Manipulations
- Inclusion Attacks and Mitigation
  - Path Traversal and Local File Inclusion (LFI) Attacks
    - Path Traversal
  - Remote File Inclusion (RFI) Attacks
  - Server Side Request Forgery (SSRF) Attacks
- Injection & Reflection Attacks and Mitigation
  - SQL Injection
  - Stored / Reflected XSS
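The path traversal and LFI items above are the kind of vulnerability the course mitigates "in the application code". As an added illustration (not material from the training, from OWASP or from WebGoat), here is a small Java program, written for the JDK 1.8 stack the requirements list, that shows a file-serving routine which trusts a user-supplied name beside the hardened version that canonicalizes the path and verifies it still lies under the allowed base directory. The base directory under the system temp folder, the file `report.txt` and the three sample inputs are constructed for the demo.

```java
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;

public class SafeFileServe {
    // Directory the application is allowed to read from (assumed for the demo;
    // a real app would point this at its document root).
    private static final Path BASE = Paths.get(System.getProperty("java.io.tmpdir"), "appsec-demo")
            .toAbsolutePath().normalize();

    // VULNERABLE: the user-controlled name is joined onto BASE as-is, so an
    // input such as "../../etc/passwd" resolves to a file outside BASE.
    static Path vulnerableResolve(String requested) {
        return Paths.get(BASE.toString(), requested).normalize();
    }

    // HARDENED: reject obviously bad input, resolve against BASE, normalize
    // away "." and ".." segments, then check the result is still inside BASE.
    // An absolute input such as "/etc/passwd" replaces BASE on resolve() and
    // therefore also fails the startsWith check.
    static Path safeResolve(String requested) {
        if (requested == null || requested.isEmpty() || requested.indexOf('\0') >= 0) {
            throw new IllegalArgumentException("invalid file name");
        }
        Path candidate = BASE.resolve(requested).normalize();
        if (!candidate.startsWith(BASE)) {
            throw new IllegalArgumentException("path escapes base directory");
        }
        return candidate;
    }

    public static void main(String[] args) throws IOException {
        // Constructed fixture: one legitimate file under BASE.
        Files.createDirectories(BASE);
        Files.write(BASE.resolve("report.txt"), "hello".getBytes(StandardCharsets.UTF_8));

        // Constructed sample inputs: a normal name, a traversal attempt, and a
        // name that contains ".." but still stays inside BASE after normalizing.
        String[] inputs = {"report.txt", "../../etc/passwd", "sub/../report.txt"};
        for (String in : inputs) {
            System.out.println("input: " + in);
            System.out.println("  vulnerable -> " + vulnerableResolve(in));
            try {
                Path p = safeResolve(in);
                System.out.println("  hardened   -> " + p + " (" + (Files.exists(p) ? "exists" : "missing") + ")");
            } catch (IllegalArgumentException e) {
                System.out.println("  hardened   -> rejected: " + e.getMessage());
            }
        }
    }
}
```

Compile and run with `javac SafeFileServe.java && java SafeFileServe`. The check compares normalized paths, which is enough against `..` segments; if the base directory may contain symbolic links pointing outside it, canonicalize both sides with `toRealPath()` before the `startsWith` comparison so a link cannot be used to step out of the directory.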
OWASP World Tour
The AppSecIL Training Day is part of the global OWASP World Tour (OWT).
OWASP is committed to improving the quality of the world’s software security.
We advocate approaching application security as a people, process, and technology problem,
because the most effective approaches to application security include improvements in all of these areas.
As part of this philosophy, OWASP is offering basic AppSec training for developers in the
hope of including security throughout the entire SDLC.
In addition to AppSecIL, OWT training events will also take place in Boston and Tokyo.
In accordance with the organization’s 2017 strategic goal, we are targeting an audience of 500 developers
for this Training Day, and it will be delivered by a professional trainer hired by OWASP.