OWASP Bucharest AppSec Conference 2017 Workshops

From OWASP
Jump to: navigation, search

Workshop

Time Title Trainers Description
Workshop
13th of October
2 hours:
begins at 10:30
Goga Room
Threat Modelling a fictitious payment web application
Mustafa Kasmani Description:
Following on from the Threat Modelling presentation by the same author, this workshop will aim to put the theory covered by that presentation into practice.

The objective of doing so is to introduce the audience to the benefits of performing Threat Modelling on a system during the early stages of design / development. This ensures that key security threats are known and understood early on allowing remediation to be done in a more cost effective and pragmatic way than had they been found much later on during testing or when in production.

A fictitious payment web application will be examined in this session – defining its business functionality, actors, assets and technology stack. Data flowing between the components will then be drawn out in the form of data-flow diagrams (DFD’s). Thereafter the attack-surface will be mapped out using the STRIDE methodology identifying threats pertaining to Spoofing, Tampering, Repudiation, Information disclosure, Denial of service and the Elevation of privilege. Finally, these will documented in a form allowing categorisation of risk together with identified security controls that should be tested.
Intended audience: Architects, Designers, Developers, Testers, Security professionals, Project managers.
Skill level: The workshop does not assume an in-depth knowledge of software security.
Requirements: A mind-set of how an attacker might seek to compromise this system, so as to best identify the threats pertaining to it.
Seats available: 20 (first-come, first served)
Price: free
Register here

Workshop
13th of October

3 hours:
begins at 13:30
Goga Room
AppSec Bucharest vs. OWASP Juice Shop
Björn Kimminich Description:
In this *free* workshop you can test your skills in hacking modern web applications against the OWASP Juice Shop! There are 43+ challenge that are waiting to be solved, ranging from simple functional problems and the usual XSS/SQLi issues over severe authentication flaws to multi-step & multi-path attacks against the discount coupons issued by the application!

How many challenges can you beat? During the workshop you can get some first-hand hints in case you fell stuck. At the end of the workshop there will be a demo of some of the more mindboggling challenges - but only for those, who don't want to solve them on their own later! You will have an idea how good you and your tools are with
Intended audience: Developers and pentesters with at least basic understanding of common web application vulnerabilities
Skill level: The workshop does not assume an in-depth knowledge of software security.
Requirements:

  • laptop with OWASP Juice Shop installed using one of the setups described in https://github.com/bkimminich/juice-shop#setup
  • internet browser with some API testing plugin (e.g. PostMan for Chrome)
  • (optionally) any kind of pentesting tools


Seats available: 20 (first-come, first served)
Price: free
Register here

Workshop
13th of October
3 hours:
begins at 9:30
Slavici Room
Free Diving into Android Security
Nikhil P Kulkarni and Ravi Kumar Kovela Description:
The agenda of this free workshop is to get the taste of working on Android Security. The workshop would involve the attendees to install and learn the tools used for android pentesting. The following would be the topics that would be covered during the 3 hour session:
  • Fundamentals of Android Operating System
  • Understanding the Android Security Architecture
  • Android Permission Model
  • Understanding how to setup a pentest environment
  • Understanding the Android Debug Bridge
  • Fundamentals of Android Application Signing
  • Understanding the working of app permissions using the Android Manifest File

Though not in-depth but this workshop would definitely give a great push to start into the Mobile Security Scene. At the end of the workshop, the attendees would be given few challenges to be solved, giving them an understanding and idea on how to find some of the very well-known Android Security Issues. Intended Audience: Application Developers, Penetration Testers who plan to get into the field of Mobile Pentesting with basic knowledge and understanding of the Android Operating System. Prerequisites:

  • A Laptop with full administrative access since you will be installing software.
  • Make sure to have free space of atleast 10 GB on your laptop and with minimum 4 GB RAM
  • Basic knowledge on Android

Software Requirements:

  • VirtualBox 5.x.x installed. Please have this installed before the session starts. VMWare will not be supported.
  • Any of the following OS : OSX , Win 7 and above, Ubuntu 12.0.4 and above

Seats available: 20 (first-come, first served)
Price: free
Register here