2019 BASC Workshops

We would like to thank our workshop leaders for donating their time and effort to help make this conference successful.

All-Day Workshop
Want to test your skills in identifying web app vulnerabilities? Join OWASP Boston and Security Innovation as members compete in CMD+CTRL a web application cyber range where players exploit their way through hundreds of vulnerabilities that lurk in business applications today. Success means learning quickly that attack and defense is all about thinking on your feet.

For each vulnerability you uncover, you are awarded points. Climb the interactive leaderboard for a chance to win fantastic prizes! CMD+CTRL is ideal for development teams to train and develop skills, but anyone involved in keeping your organization’s data secure can play - from developers and managers and even CISOs.

When you register for BASC and select to attend this CMD+CTRL Cyber Range workshop, a link will be provided so you can reserve your spot with Security Innovation. Spaces are limited. Register early to reserve your spot!

Morning Workshops
Are. You. Ready? Head to the AppSec battlefield and prove that you are the ultimate secure coding champion. Go head-to-head with your peers as you test your web application security knowledge of the OWASP Top 10. Strut your skills. Crush the competition. Score excellent prizes and take home the title of Secure Code Warrior!

Players will be presented with a series of vulnerable code challenges that will ask them to identify the problem, locate the insecure code, and fix the vulnerability. Select from a range of software languages to complete the tournament, including Java EE, Java Spring, C# MVC, C# WebForms, Ruby on Rails, Python Django, Scala Play & Node.JS. It’s gamified, it’s relevant, but most of all - it’s fun.

Watch as you earn points and climb to the top of the real-time leaderboard during the event. Prizes will be awarded to the top 3 point scorers, with one security superhero being crowned the ultimate Secure Code Warrior. Will it be you?

Psst: Want to test your secure coding skills at your own pace, without the competition? You’re welcome to come along and join the fun.

Participants must bring a laptop.

As more information and functionality moves to the internet, the interface between end users and web application servers becomes increasingly vulnerable. Because of these visible vulnerabilities, penetration testing skills are in high demand; however, courses catering to beginners and those wanting to get a “foot in the door” are scarce. In this workshop, you can utilize a custom environment and expertise in order to begin your journey into offensive security. We will focus on four areas of web application penetration testing: injection, XSS, XXE, and insecure deserialization. This course welcomes total beginners and will be largely oriented towards those wanting to build a foundation in web application pentesting.

Users should have a laptop equipped with BurpSuite.

In this workshop, grounded in design thinking approach, we demonstrate the software platform IKE and its process framework for persona development, which facilitate a fast, effective, and relatively inexpensive way to inform design decisions, such as those needed to encourage and enable users to effectively utilize security features. The IKE software platform not only facilitates a deeper understanding of user needs but also provides a Key performance Indicator (KPI) that can measure an organizations’ performance in gauging its target market evolving security needs.

Understanding customers and what their needs are is paramount to the success of any organization. In security and privacy industry, users and their needs vary drastically depending on various factors like age, education, technology use, etc. Persona development is one of the useful tools to capture these needs. It can reveal security needs, pain points, habits, security challenges, etc. of the user base. The traditional approach to persona development is rigorous but time-consuming and resource-intensive. It doesn't account for fast changes in the technological world of privacy and security. These personas become outdated as soon as they are developed. At UXDM lab, we created a unique approach to persona development. We also developed a software platform called IKE for developing and managing personas. IKE treats personas as living documents to make effective design decisions and to follow evolving user needs over time.

Do you feel frustrated sometimes trying to help non-technical users? Do you find it challenging asking for more resources from management? Effective communication can help IT professionals to be more productive and be heard. This workshop demonstrates communication skills through scenarios that IT security engineers encounter regularly. We will decode written and verbal scripts by technical engineers and translate them into a communication style that non-technical people can understand and appreciate. These cases include asking for more resources from upper management, making a suggestion to implement better security, and verifying the legitimacy of an email with an employee. Excessive workload, pressing deadlines and the lack of support can make IT engineers feel exhausted, hopeless and frustrated. This workshop provides perspectives on viewing various work situations in a different light.

Afternoon Workshops
Threat modeling is a way of thinking about what could go wrong and how to prevent it. Instinctively, we all think this way in regards to our own personal security and safety. When it comes to building software, some software shops either skip the important step of threat modeling in secure software design or, they have tried threat modeling before but haven't quite figured out how to connect the threat models to real world software development and its priorities. Threat modeling should be part of your secure software design process. Using threat modeling and some principals of risk management, you can design software in a way that makes security one of the top goals, along with performance, scalability, reliability, and maintenance.

Objective: In this workshop, attendees will be introduced to Threat Modeling, learn how to conduct a Threat Modeling session, learn how to use practical strategies in finding Threats and proposing Countermeasures, and learn how to apply Risk Management in dealing with the threats. Depending on time, we will go through 1 or 2 Real World Threat Modeling case studies. Finally, we will end the day with the latest updates in Threat Modeling process, tools, etc.

Laptop recommended for some labs, but not required.

Recently Autodesk open-sourced our Continuous Threat Modeling methodology, which aims to enable product teams to threat model every story in a quick and focused manner in order to scale the ability of an organization to keep up with rapid product changes, and enable developers to acquire a security "muscle memory" ability to really infuse their practices with security design capabilities.

In this course you will learn how to perform and enable Continuous Threat Modeling in your organization and provide support to the learning curve of your product teams as a security SME.

CTM is available at https://github.com/Autodesk/continuous-threat-modeling A threat-modeling-as-code tool will also be introduced, available at https://github.com/izar/pytm

If you are new to the discipline of Threat Modeling we highly advise participating in the earlier Threat Modeling Workshop by Robert Hurlbut in order to solidify your understanding of the subject.

As comfort and familiarity with cloud computing is now more mainstream, companies are leaning more and more on cloud resources to host and run even their most-sensitive technical assets. With these new technologies/innovations come new (and old!) security concerns. In this workshop, we will take participants through a baseline understanding of cloud security - with a focus on AWS security fundamentals.

First, we will briefly outline the cloud security model, the similarities across platforms, and the shared responsibility model that Amazon employs. From there, we will introduce participants to open-source tooling for AWS account auditing and hardening, including NCC's own ScoutSuite. We will provide access to an intentionally vulnerable AWS environment, to allow workshop attendees to follow along and explore misconfigurations with their own eyes. We also will support attendees who want to immediately dive into auditing their own AWS accounts/environments.

Next, we'll highlight easy wins for AWS security, that the audience will be able to immediately apply to their own environments. Following that, we'll speak to Amazon's built-in security tooling, including:


 * Security Hub
 * Trusted Advisor
 * CloudTrail
 * Inspector
 * GuardDuty
 * Macie (and why it's probably wrong for you!)

We'll focus on actionable guidance to walk away and be able to use these tools to harden your own posture. Subsequently, we'll work with attendees through the misconfigurations that led to the Capital One breach, via the CloudGoat scenario. Wrapping up, we'll provide a easy to follow cheatsheet of best practices, easy wins, and open source tools that attendees can reference to improve their own environments.

Users should bring a laptop having: administrator privileges, at least 8GB of RAM, 10GB of free disk space, the latest version of 64-bit Virtualbox installed, and USB ports for copying data.