2018 BASC Workshops

We would like to thank our workshop leaders for donating their time and effort to help make this conference successful.

{{2018_BASC:Presentaton_Info_Template|AppSec Wars Challenge|Stephen Allor| | | } Join this live interactive tournament which is sure to a fun, challenging learning experience for all. Whether you are eager to prove your web application AppSec knowledge of the OWASP Top 10 and more….and watch as you climb to the top of the Leaderboard or simply want to learn more about how to code more securely – everyone is welcome and there will be prizes / SWAG for the winner(s).

The tournament will be conducted using the Secure Code Warrior platform, an innovative online, hands-on, gamified SaaS Learning Platform that actively engages developers to Learn & Build their secure coding skills. This approach is changing the way developers think and behave as they build & test software. Bring your laptop (not tablet), choose your preferred language/framework, whether it be C# (.NET) MVC, C# (.NET) Web Forms, Java Enterprise Edition, Java Spring, Python Django, Ruby on Rails, or Scala Play, and launch into the AppSec Wars Challenge!

{{2018_BASC:Presentaton_Info_Template|Threat Modeling Workshop|Robert Hurlbut| | | } Threat modeling is a way of thinking about what could go wrong and how to prevent it. Instinctively, we all think this way in regards to our own personal security and safety. When it comes to building software, some software shops either skip the important step of threat modeling in secure software design or, they have tried threat modeling before but haven't quite figured out how to connect the threat models to real world software development and its priorities. Threat modeling should be part of your secure software design process. Using threat modeling and some principals of risk management, you can design software in a way that makes security one of the top goals, along with performance, scalability, reliability, and maintenance.

Objective: In this workshop, attendees will be introduced to Threat Modeling, learn how to conduct a Threat Modeling session, learn how to use practical strategies in finding Threats and how to apply Risk Management in dealing with the threats. Depending on time, we will go through 1 or 2 Real World Threat Modeling case studies. Finally, we will end the day with common gotchas in Threat Modeling and how to watch out for them.

Laptop recommended for some labs, but not required. GitHub account recommended, but not required.

{{2018_BASC:Presentaton_Info_Template|Advanced XXE Exploitation|Philippe Arteau| | | } When conducting a penetration test for a web application, knowledge of technology-specific caveats becomes crucial. Knowing vulnerability basics is often insufficient to be effective. In this workshop, the latest XXE and XML related attack vectors will be presented. XXE is a vulnerability that affects any XML parser that evaluates external entities. It is gaining more visibility with its introduction to the OWASP Top10 2017 (A4). You might be able to detect the classic patterns, but can you convert the vulnerability into directory file listing, binary file exfiltration, file write or remote code execution? The focus of this workshop will be presenting various techniques and exploitation tricks for both PHP and Java applications. Four applications will be at your disposition to test your skills. For every exercise, sample payloads will be given so that the attendees save some time. Attendees must bring their own laptops with Burp Suite or ZAP pre-installed.