AppSecAsiaPac2012/Training

The OWASP 2012 Appsec Asia Pacific Conference has been able to secure world class training sessions for all levels of expertise. '''Questions? Email [mailto:appsecasia2012@owasp.org appsecasia2012@owasp.org]'''

''Price per attendee. Please note that conference Registration is separate.''

Course descriptions and Trainer Bios are listed below the schedule Two-day Courses | One-day Courses

Assessing & Exploiting Web Applications with Samurai-WTF
Trainer: Justin Searle Audience & Level: Novice to intermediate level security professionals: developers, managers, or penetration testers Date: Wednesday & Thursday, April 11-12

Course Summary: Course Details & Instructor Bio

Come take the official two-day Samurai-WTF training course given by one of the founders and lead developers of the project! You will learn the latest Samurai-WTF open source tools and as well as the latest techniques to perform web application penetration tests. After a quick overview of pen testing methodology, the instructors will lead you through the end-to-end process of testing and exploiting several different web applications, including client side attacks using flaws within the application. Different sets of open source tools will be used on each web application, allowing you to learn first hand the pros and cons of each tool. Primary emphasis of these instructor lead exercises is how to integrate these tools into your own manual testing procedures to improve your overall workflow. After you have gained experience with the Samurai-WTF tools, you will be challenged with a capture the flag event. This final challenge will give you time to practice your new skills at your own pace and experiment with your favorite new tools. This experience will help you gain the confidence and knowledge necessary to perform web application assessments and expose you to the wealth of freely available, open source tools.

Mobile Penetration Testing: Start to Finish for iOS apps)
Trainer: Jason Haddix Audience: Technical Level: Basic, Intermediate Date: Date: Wednesday & Thursday, April 11-12

Course Summary: Mobile apps are the new horizon for penetration testing and assessment. This class will go from start to finish on how to:
 * Overview of Iphone platform
 * Overview of 3rd Party application Threat Models
 * Overview of Xcode and Obj-C
 * Setup a mobile Penetration Testing lab/environment
 * Performing Blackbox Assessments
 * Performing Whitebox Assessment
 * Finding Common Client/Phone Vulnerabilities
 * Finding Common Server-side Vulnerabilities
 * Tips and Tricks

This training is good for both new and seasoned mobile app security consultants.

Note: Students will need developer Apple licence, Xcode, Laptop

Jason Haddix is the Director of Penetration Testing at HP and develops and trains internal candidates on the mobile penetration testing team. He also has done several training for web application hacking and network penetration testing.

Hands on Web Application Testing: Assessing Web Apps the OWASP way
Trainer: Matt Tesauro Audience: Technical Level: Basic, Intermediate Date: Wednesday & Thursday, April 11-12

Course Summary: The goal of the training session is to teach students how to identify, test, and exploit web application vulnerabilities. The creator and project lead of the OWASP Live CD, now recoined OWASP WTE, will be the instructor for this course and WTE will be a major component of the class. Through lecture, demonstrations, and hands on labs, the session will cover the critical areas of web application security testing using the OWASP Testing Guide v3 as the framework and a custom version of OWASP WTE as the platform. Students will be introduced to a number of open source web security testing tools and provided with hands on labs to sharpen their skills and reinforce what they’ve learned. Students will also receive a complementary DVD containing the custom WTE training lab, a copy of the OWASP Testing Guide, handouts and cheat-sheets to use while testing plus several additional OWASP references. Demonstrations and labs will cover both common and esoteric web vulnerabilities and includes topics such as Cross-Site Scripting (XSS), SQL injection, CSRF and Ajax vulnerabilities. Students are encouraged to continue to use and share the custom WTE lab after the class to further hone their testing skills.

The training will include labs so laptops will be required by the attendees. A custom version of OWASP WTE will be provided to each student which will contain all the necessary tools and applications to test. Strictly speaking, Internet access and/or wireless won't be required since each laptop will be self-sufficient. However, Internet access may be useful for expounding on class discussion. The custom WTE lab environment will run on Windows, Mac OS X and Linux. A recent laptop with sufficient disk space and RAM to run a virtual machine will be required to run the labs. Both VMware and VirtualBox are supported.

Matt Tesauro has worked in web application development and security since 2000. He has worn many different hats, from developer to DBA to System Administrator to Penetration Tester. Matt also taught graduate and undergraduate classes on web application development and XML at Texas A&M University. Currently, he's focused on application security risk assessments at Praetorian. Outside work, he is the project lead for the OWASP Live CD / WTE, a member of the OWASP Foundation board, and part of the Austin OWASP chapter leadership. Matt Tesauro has a B.S. in Economics and a M.S in Management Information Systems from Texas A&M University. He is also has the CISSP, CEH (Certified Ethical Hacker), RHCE (Red Hat Certified Engineer), and Linux+ certifications.

Mobile Applications & Security
Trainer: Prashant Verma Audience: Management, Technical, Operations Level: Basic, Intermediate, People with a background in security but no prior knowledge of mobile applications Date: Thursday, April 12

Course Summary: This course covers security tests that are conducted on mobile applications with a focus on iOS and Android platforms.

Students will first learn the basics of mobile applications followed by a brief background of iOS and Android platforms, their security models and an overview of their development basics.

They will then learn how to model a threat profile for mobile applications and then test and debug the mobile applications for security vulnerabilities.

Reading locally stored data in mobiles, setting up a proxy to intercept and test network traffic and reversing Android applications will be a few of the topics discussed. We will also discuss the challenges involved in reversing an iOS application. The course includes examples for both the platforms and sample code snippets will also be provided.

We will also discuss the best practices that have to be followed for secure development of mobile applications. The course would end with a discussion of the OWASP Mobile Top 10 risks.

Prashant Verma is a Senior Security Consultant and Competency Lead at Paladion Networks. He has 6 years of experience. He drives the Mobile Application Security Service and Research at Paladion. He is the co-author of the "Security Testing Handbook for Banking Applications". He has also authored security articles for the Hacki9 and Palisade magazines. He has given presentations at Club Hack 2011 on "Pentesting Mobile Applications". He has also given guest lectures and security trainings at various occasions, which include the National Institute of Bank Management (NIBM) and Babasaheb Ambedkar Marathwada University (BAMU). He is a "Digital Evidence Analyst" i.e. he has conducted Mobile Security Testing, Java, Android and iOS Security Code Reviews. He has also conducted numerous application and network penetration tests, vulnerability assessments, etc.

Hidden Risks, Costs and Responsibility in the Cloud - Is that a Wizard Behind that Virtual Curtain?
Trainer: Larry Timmins Audience: Management, Technical, Operations Level: Basic, Intermediate Date: Wednesday, April 11

Course Summary: There is ongoing debate on whether Health Care protected information, personal financial information (sometimes protected), and other digital identity based business are actually safe in the modern "service centers" that claim to have all the answers to replacing your IT department, securing your data and delivering server elasticity when your business opportunity needs it and not have to pay for it until you do. Is that really the case?

In 1987, Larry Timmins presented across SE Australia on the behalf of Gartner Group's Software Management Strategies on the promise of Open Systems and UNIX databases to help Australian Businesses and Government move ahead with the best and avoid the worse of the once prevalent Pick operating environment. Larry created the first cloud based business and SOLD the first cloud based business before the year 2000. Discover the secrets of the hidden risks, costs and responsibilities that will affect your decision process. Know the self assessment steps to determine your risk. Understand the true cost structure of outsourced server, network and storage infrastructures and which businesses or roles can take advantage of it and which can't. Above all, understand the responsibilities, roles and success factors to ensure your off-site backup solution isn't forklifted out of the very cloud-based service center by a government inquiry concerning backup records for someone's else business that just happened to be combined with your data.

Along with the trends and guidance, the emphasis will be on operational excellence and best practices that today's virtualized data centers must adhere to and if you are still cloud-bent, how your investments in your virtualized infrastructure will let you grow or even start your business in the cloud services and take back control when you are ready.

When not contributing to the spread of virtualization benefits, Larry Timmins works for a leading medical malpractice insurance provider that can claim it has virtualized nearly on all servers in its data centers. From over 51 hardware-related calls in one year, each with business downtime, to less than two calls per year and no business downtime even during a corporate headquarters move in less than two years of using virtualization. Larry has used virtualization technology since 1976 and has been benchmarking and tuning workloads of thousands of virtual machines for over 30 years. Mixed in his talks are the benefits of information security, capacity planning, workload management, network balancing, performance tuning, forensics as analytics and licensing asset management to move your business past technologies barriers and towards profits in a secured manner no matter where your business information and know-how resides.

OWASP for CISO and Senior Managers
Trainer: Tobias Gondrom Audience: Management Level: Basic, Intermediate, Advanced Date: Thursday, April 12

Course Summary: Setting up, managing and improving your global information security organisation using mature OWASP projects and tools. Achieving cost-effective application security and bringing it all together on the management level. How to use and leverage OWASP and other common best practices to improve your security programs and organization. The workshop will also discuss a number of quick wins and how to effectively use OWASP tools inside your organisation. The author has extensive experience of managing his own secure development organization as well as advising to improve a number of global secure development organisations and processes.

Topics:
 * OWASP Top-10 and OWASP projects - how to use within your organisation
 * Risk management and threat modeling methods (OWASP risk analysis, ISO-27005,...)
 * Benchmarking & Maturity Models
 * Organisational Design for global information security programs
 * SDLC
 * Training: OWASP Secure Coding Practices - Quick Reference Guide, Development Guide, Training tools for developers
 * Measuring & Verification: ASVS (Application Security Verification Standard) Project, Code Review Guide, Testing Guide
 * Development & Operation: ESAPI (Enterprise Security API), AppSensor

Target audience: CISO and senior head of information security managers (VP/director level) - maximum number of seats should be limited to 20, only senior information security managers/leaders will be admitted.

All discussion and issues raised by participants at the workshop will be under the confidentiality under the Chatham House Rule (http://en.wikipedia.org/wiki/Chatham_House_Rule).

Tobias Gondrom is Managing Director of an IT Security & Risk Management Advisory based in the United Kingdom and Germany. He has twelve years of experience in software development, application security, cryptography, electronic signatures and global standardisation organisations working for independent software vendors and large global corporations in the financial, technology and government sector, in America, EMEA and APAC. As the Global Head of the Security Team at Open Text (2005-2007) and from 2000-2004 as the lead of the Security Task Force at IXOS Software AG, he was responsible for security, risk and incident management and introduced and implemented a secure SDLC used globally by development departments in the US, Canada, UK and Germany.

Since 2003 he is the chair of working groups of the IETF (www.ietf.org) in the security area, member of the IETF security directorate, and since 2010 chair of the formed web security WG at the IETF, and a former chapter lead of the German OWASP chapter from 2007 to 2008 and board member of OWASP London. Tobias is the author of the international standards RFC 4998, RFC 6283 and co-author and contributor to a number of internet standards and papers on security and electronic signatures, as well as the co-author of the book „Secure Electronic Archiving“, and frequent presenter at conferences and publication of articles (e.g. AppSec, ISSE, Moderner Staat, IETF, VOI-booklet “Electronic Signature“, iX).

Building Secure Web Applications
Trainer: Klaus Johannes Rusch Audience: Management, Technical, Operations Level: Basic, Intermediate Date: Wednesday, April 11

Course Summary: Web application security breaches on websites of major corporations and government entities have received significant media attention due to large number of users affected and the leaking of sensitive personal information. This training will show how to develop secure Web applications and review common attack types, their technical and business impact and mitigation strategies. While most code examples use PHP and MySQL, the content is equally applicable to other programming languages and database engines.

Klaus Johannes Rusch is a certified IT architect and manager at IBM, heading the Web Effectiveness group in the Global Web Services organization, which provides consulting services to business units in IBM for optimizing the Web experience as an in-house agency. Previously he was a team leader on the IBM Corporate Webmaster team that manages www.ibm.com.

Klaus Johannes Rusch has been developing and hacking web applications “forever”. He received an award for best website back in 1995. He holds an MSc degree in computer science from Vienna University of Technology and is an adjunct professor of computer science at Webster University, where he teaches web development and web animation. He lives in Vienna, Austria with his wife and two kids, and online at http://klausrusch.atmedia.net/.

Defensive Coding using Microsoft .net
Trainer: Sandeep Nain Audience: Technical Level:Basic, Intermediate, Advanced Date: Wednesday, April 11

Course Summary: If hacking is an art in your eyes then 'defensive coding' is a rare art known only to the masters. This is your chance to learn this rare art to give the hackers and pen-testers a run for their money.

In this one day hands on training, the attendees will learn to write code that can proactively identify the hacking attempts and take precautionary measures. These measures could be just blocking the attacks, tracking the attacker or alluring them using honey pots.

The course will begin with a short introduction to the concept of defensive coding and to the hacking techniques followed with a deep dive into defensive coding techniques. On a high level, the course covers:


 * 1) Need for Defensive Coding
 * 2) Principles of secure design and defensive coding
 * 3) Common vulnerabilities and mitigation techniques
 * 4) Understanding and using security features available within MS.NET
 * 5) Building attack prevention controls using MS.Net

Sandeep Nain is an accomplished application security professional with an IT career spanning over 10 years. During this time he has worked alongside many high-profile national and international enterprises worldwide enabling them to produce secure software.

Over the years, Sandeep has trained hundreds of developers and architects in defensive coding techniques and secure application design principles.