Lightning Trainings

The following lightning trainings will be available at the conference:

Thursday, June 30
10:20 Lightning Training – Using the OWASP HackAdemic Challenges Project by Konstantinos Papapanagiotou • Spyros Gasteratos
14:10 Lightning Training – Building a Software Security Program  by Kuai Hinojosa
16:15 Lightning Training – How to Use OWASP Security Logging  by August Detlefsen • Sytze van Koningsveld • Milton Smith
Friday, July 1
10:20 Lightning Training – Security Automation using ZAP by Vaibhav Gupta • Sandeep Singh
14:10 Lightning Training – Protecting your Web Application with Content Security Policy (CSP)  by Martin Johns
16:15 Lightning Training – Getting started with AWS Security  by Mukul Kullar • Rohit Pitke

  • Protecting your Web Application with Content Security Policy (CSP) – Martin Johns
    The basic problem of XSS has been known at least since the year 2000. Nonetheless, XSS is as widespread as ever, even though an astonishing amount of thought, attention and education has been devoted to the topic. Apparently, the convoluted mess of server-side scripting, transport-level rewriting and heterogeneous client-side processing (commonly known under the term “the Web”) is too complex to allow a robust SDL-based solution to succeed. Content Security Policy (CSP) is a highly promising new way to address this old problem. The currently established approach to counter XSS tries to identify untrusted data and to prevent that data from influencing the semantics of the application’s JavaScript. CSP breaks away from this practice: instead of spotting bad scripts, CSP allows the server to tell the Web browser precisely which scripts are actually allowed to run, thus enabling the browser to robustly stop all injection attempts. This way, by means of a simple policy, the vast majority of XSS vulnerabilities can be efficiently
    In this lightning training, the fundamental mechanisms of CSP are covered:
    • Protection capabilities and surface of CSP
    • How to design strong CSP policies
    • How to build CSP compliant web applications
    • Using CSP’s reporting functionality

    To do so, the students work with an insecure legacy Web application (provided as a VirtualBox image). After practically identifying several XSS problems, the students first deploy a strong CSP policy to prevent exploitation. Subsequently, they use CSP’s reporting mode to iteratively adapt the policy (and parts of the application code) to match the application’s functionality requirements. Finally, after deploying the policy, the students can verify for themselves that the previously found vulnerabilities are indeed mitigated.
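    The policy-design and report-only rollout steps above, as an added example that is not part of the training or of the CSP specification: a small Python checker that parses a Content-Security-Policy header, flags script-source settings under which injected scripts can still run, and builds the report-only header used while a policy is being tuned. The sample policies, the report URI and the nonce value are constructed; only the script-execution part of CSP is evaluated.

```python
# Added example, not code from the training; assumption: only script execution is evaluated,
# so directives other than script-src/default-src are parsed but not judged.

WEAK_SCRIPT_SOURCES = {"'unsafe-inline'", "'unsafe-eval'", "*", "data:", "http:", "https:"}
STRICT_PREFIXES = ("'nonce-", "'sha256-", "'sha384-", "'sha512-")

def parse_csp(policy: str) -> dict:
    """Turn "script-src 'self' cdn; img-src *" into {'script-src': ["'self'", 'cdn'], ...}."""
    directives = {}
    for clause in policy.split(";"):
        tokens = clause.split()
        if tokens:
            # names are case-insensitive; browsers ignore a repeated directive, so the first wins
            directives.setdefault(tokens[0].lower(), tokens[1:])
    return directives

def script_findings(policy: str) -> list:
    """Return human-readable reasons why injected scripts could still run under this policy."""
    directives = parse_csp(policy)
    # script-src falls back to default-src; with neither present, every script is allowed
    sources = directives.get("script-src", directives.get("default-src"))
    if sources is None:
        return ["no script-src or default-src: all scripts allowed"]
    # a nonce or hash source makes browsers ignore 'unsafe-inline' (CSP Level 2 and later)
    has_nonce_or_hash = any(s.startswith(STRICT_PREFIXES) for s in sources)
    findings = []
    for src in sources:
        if src.lower() == "'unsafe-inline'" and has_nonce_or_hash:
            continue
        if src.lower() in WEAK_SCRIPT_SOURCES:
            findings.append(f"script source {src} allows injected scripts")
    return findings

def report_only_header(policy: str, report_uri: str) -> dict:
    """Header for the rollout step: nothing is blocked yet, violations are only reported."""
    value = policy.strip().rstrip(";") + f"; report-uri {report_uri}"
    return {"Content-Security-Policy-Report-Only": value}

# Constructed sample policies: the 'before' that still allows XSS and a strict replacement.
WEAK_POLICY = "default-src 'self'; script-src 'self' 'unsafe-inline' https://cdn.example.test"
STRONG_POLICY = "default-src 'none'; script-src 'nonce-d3adb33f'; object-src 'none'; base-uri 'none'"

if __name__ == "__main__":
    for name, policy in (("weak", WEAK_POLICY), ("strong", STRONG_POLICY)):
        print(name, script_findings(policy) or "no script findings")
    print(report_only_header(STRONG_POLICY, "/csp-report"))
```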

  • Security Automation using ZAP – Vaibhav Gupta and Sandeep Singh
    The OWASP Zed Attack Proxy (ZAP) is one of the world’s most popular free security tools and is actively maintained by hundreds of international volunteers. It can help you automatically find security vulnerabilities in your web applications while you are developing and testing them. ZAP provides a rich set of APIs that allow you to interact with ZAP programmatically. This lightning training will serve as a kick-starter for automating ZAP and covers the following topics:
    • Quick run through of ZAP GUI
    • Understanding what can be automated
    • How to integrate ZAP with automation scripts
    • Example scripts/Hands-on
    • Some delicate considerations
  • How to Use OWASP Security Logging – August Detlefsen, Sytze van Koningsveld and Milton Smith
    This presentation will provide an overview of the OWASP Security Logging project, a standard Log4j-compatible Java API for logging security-related events. The presenters will discuss the case for logging security events, what types of events to log, how to use the API in your code, and provide examples of API features:
    • Overview of the security logging API features/benefits
    • Overview of SLF4J logger features from security perspective
    • Security logging with log4j, log4j2, logback, and JDK logging
    • “Hello World” with security logging
    • Logging console application properties
    • Logging servlet application properties with correlated data like User ID
    • Filtering passwords from logs
    • Customize filtering for removing SSN/credit cards from logs
    • Adding interval logging to your project
    • Customize interval logging
    • Adding information classification (e.g., CLASSIFIED messages) to projects
  • Building a Software Security Program – Kuai Hinojosa
    This training will focus on basic steps development teams can take to build a software security program, using sample case scenarios of what works and what does not work, drawn from experience.
  • Using the OWASP HackAdemic Challenges Project – Konstantinos Papapanagiotou and Spyros Gasteratos
    Participants will learn about installation, basic usage, writing challenges and using the project in a classroom environment.
  • Getting started with AWS Security – Mukul Kullar and Rohit Pitke
    Due to the increasing adoption of Amazon Web Services (AWS) as a cloud service provider, security is of paramount importance. In this training, we will demonstrate the impact of misconfigured AWS infrastructure (pivoting from a vulnerable demo application) that leads to multiple security-impacting scenarios. We will then walk through a series of defense-in-depth, actionable steps that attendees will be able to apply in real-life deployments.