Trainings

Register for a training at https://owasp-benelux-days-spring-2022.eventbrite.com.
Registering for multiple trainings will result in the cancellation of all of them!

Trainings on Thursday the 31st of March:


  • ModSecurity and the OWASP Core Rule Set (CRS) by Christian Folini

    Abstract:

    This is a one day introduction course to ModSecurity and the OWASP Core Rule Set (CRS).
    CRS is a set of generic attack detection rules for use with ModSecurity or compatible web application firewalls. The CRS aims to protect web applications from a wide range of attacks, including the OWASP Top Ten, with a minimum of false alerts.
    The course will introduce students to the setup, the integration and the basic operation of the ModSecurity / Core Rule Set Web Application Firewall (WAF). It will cover negative and positive rule writing, an overview of the CRS rules and several tools that help you tune away the false positives that are a huge pain when running a tight WAF.
    Students will receive a 190-page PDF set to walk through the course again at home, along with the scripts used throughout the course.
    The teaching will be based on Ubuntu / Apache, but can easily be adapted to other platforms.
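    The abstract above names the three things the course is built around: a positive (allow-list) rule, a negative (known-bad) rule, and tuning a CRS false positive without switching a rule off globally. The following Apache / ModSecurity v2 configuration is an added example illustrating those three, not material from the course or from the CRS project; the include paths, the local rule ids (10001-10004) and the /api/login endpoint are assumptions for illustration.

```apache
# Added example (not course material): minimal ModSecurity v2 + CRS setup
# on Apache. Paths, rule ids and the /api/login endpoint are assumed.

SecRuleEngine On
SecRequestBodyAccess On

# CRS setup first; it defines the anomaly-scoring variables.
Include /etc/modsecurity/crs/crs-setup.conf

# --- Local rules that must run before the CRS rules are loaded ---
# (the same place CRS reserves as REQUEST-900-EXCLUSION-RULES-BEFORE-CRS)

# Anomaly threshold dial: a request is blocked when its summed score
# reaches the inbound threshold. Start high while tuning, then lower
# towards the CRS default of 5.
SecAction "id:10001,phase:1,pass,nolog,\
    setvar:tx.inbound_anomaly_score_threshold=5,\
    setvar:tx.outbound_anomaly_score_threshold=4"

# Tuning a false positive: CRS rule 942100 (libinjection SQLi check)
# fires on strong passwords. Rather than disabling 942100 everywhere,
# drop only the ARGS:password target, and only on the login endpoint.
SecRule REQUEST_URI "@beginsWith /api/login" \
    "id:10002,phase:1,pass,nolog,ctl:ruleRemoveTargetById=942100;ARGS:password"

# Positive-security rule: the id parameter must be a short decimal
# integer; anything else is blocked regardless of what CRS thinks.
SecRule ARGS:id "!@rx ^[0-9]{1,10}$" \
    "id:10003,phase:2,deny,status:403,log,msg:'Invalid id parameter'"

# Negative-security rule: block a known-bad signature outright.
SecRule REQUEST_HEADERS:User-Agent "@contains sqlmap" \
    "id:10004,phase:1,deny,status:403,log,msg:'Scanner user agent'"

# Finally the CRS rules themselves.
Include /etc/modsecurity/crs/rules/*.conf
```

Note the asymmetry the abstract hints at: the positive rule (10003) blocks everything that is not known-good and so needs no tuning but breaks any client that sends an unexpected id; the exclusion (10002) is scoped to one parameter on one path so that 942100 keeps protecting every other argument.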


    Bio:

    Dr. Christian Folini is a Swiss security engineer and open source enthusiast. He brings 15 years of experience with ModSecurity configuration in high security environments, DDoS defense and threat modeling. Christian Folini is the author of the 2nd edition of the ModSecurity Handbook and the best known teacher on the subject. He co-leads the OWASP ModSecurity Core Rule Set project and serves as the program chair of the “Swiss Cyber Storm” conference.


  • SKF Workshop - Offensive and Defensive crash course using SKF Labs by Glenn ten Cate

    Abstract:

    Practice-changing impact and long-lasting security knowledge and skills are the expected outcomes of this new-school webapp security training. It is a training with minimal lectures and a full focus on hands-on exercises. We start with an understanding of secure development and the secure coding principles. Then we do basic hacking challenges and move gradually to the advanced topics, after which we do exercises on fixing vulnerable code. After this course, attendees will have a vast set of actionable knowledge and practice to use straight away.

    Below is the main agenda overview that will be used as a structure, but based on the audience we will select other topics of interest to cover on the training day.
    The full list of labs we can choose from is found here: https://github.com/blabla1337/skf-labs

    SKF Training outline

    • Introduction to vulnerabilities
    • Intro to secure coding
    • OWASP ASVS topics, an introduction to the areas to protect
    • How a properly designed infrastructure architecture should be built
    • Intro to practical secure development
    • Code security
    • Server-side defense
    • Input validation vs encoding
    • Common server-side vulnerabilities and their defense
      • Injections: SQLi, XML injections, JSON, XPath, XSS, cookie injection, open redirection, HTTP header injection
      • Path traversal, XXE, RFI, insecure file upload, code execution
      • Insecure direct object reference
    • Common client-side vulnerabilities and their defense
      • XSS (types, impact, causes, defenses, other HTML injections, BeEF)
      • CSRF, Clickjacking, Same-origin policy, CORS
    And many more! Join us and don't miss this opportunity to gain practical hands-on offensive and defensive experience.
    You only need to bring your laptop and internet access to follow this training.
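    The outline above pairs "Input validation vs encoding" with the injection topics (SQLi on the server side, XSS on the client side). The following Python snippet is an added example, not one of the SKF labs, that shows why the two are separate defenses: an allow-list rejects a value that has no business being a username, a parameterised query keeps a value that does slip through from altering the SQL, and HTML escaping at output time handles a display name that legitimately contains markup characters. The table schema, the two users and the payload are constructed for illustration; only the standard library is used.

```python
"""Added example (not from the SKF labs): input validation, parameterised
queries and output encoding as three distinct controls.  Schema, users and
the attack payload below are constructed for illustration."""
import html
import re
import sqlite3

# --- Input validation (allow-list): reject what can never be a username ---
USERNAME_RE = re.compile(r"^[A-Za-z0-9_]{3,32}$")


def validate_username(value: str) -> bool:
    """True only for 3-32 characters of letters, digits or underscore."""
    return USERNAME_RE.fullmatch(value) is not None


# --- Server side: string-built query versus a bound parameter ---
def lookup_user_vulnerable(conn, username):
    # Deliberately vulnerable: the value becomes part of the SQL text, so a
    # quote in it changes the query structure.
    sql = "SELECT id, display_name FROM users WHERE username = '%s'" % username
    return conn.execute(sql).fetchall()


def lookup_user(conn, username):
    # Hardened: the driver binds the value; it is compared as data only.
    sql = "SELECT id, display_name FROM users WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()


# --- Client side: encode for the HTML body context at output time ---
def render_greeting(display_name: str) -> str:
    # A display name may legitimately contain < > & " ', so it is not
    # validated away; instead it is escaped for the context it lands in.
    return "<p>Hello, %s!</p>" % html.escape(display_name, quote=True)


def demo():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER, username TEXT, display_name TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", [
        (1, "alice", "Alice"),
        (2, "bob", "Bob <script>alert(1)</script>"),   # constructed stored-XSS value
    ])
    payload = "x' OR '1'='1"  # constructed SQL injection payload
    return {
        # the allow-list already refuses the payload as a username
        "validation_rejects_payload": not validate_username(payload),
        # string-built query: WHERE username = 'x' OR '1'='1' -> every row leaks
        "vulnerable_rows": len(lookup_user_vulnerable(conn, payload)),
        # bound parameter: no user is literally named "x' OR '1'='1"
        "hardened_rows": len(lookup_user(conn, payload)),
        # bob's display name is rendered inert, not rejected
        "greeting": render_greeting(lookup_user(conn, "bob")[0][1]),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, "=", value)
```

Validation is the first line (it stops the payload before it reaches any sink), but it cannot be the only one: the parameterised query protects fields that must accept quotes, and the encoder protects the browser from data that was valid at input time.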


    Bio:

    As a coder, hacker, speaker, trainer and security chapter leader employed at ING Belgium, Glenn has over 15 years of experience in the field of security.
    He is one of the founders of defensive development security trainings dedicated to helping you build and maintain secure software, and has spoken at multiple other security conferences around the world.

    Not only does Glenn train developers, he and his brother Riccardo also donated an entire knowledge framework solely dedicated to helping developers make their code secure by design.

    See:
    SKF (Security knowledge framework) https://www.securityknowledgeframework.org


  • OWASP SAMM by Sebastien Deleersnyder

    Abstract:

    Building security into the software development and management practices of an organisation can be a daunting task. There are many factors that must be considered when charting your path forward, including: company structure, stakeholder priorities, technology stacks, tools and processes, and existing technical debt.

    Implementing software assurance can produce significant benefits for the organisation. However, trying to achieve this without a good framework often yields only marginal and unsustainable improvements. OWASP SAMM (https://owaspsamm.org/) provides exactly the structured, measurable framework that's needed. It enables you to formulate and implement a strategy for software security tailored to your organisation's risk profile.

    This one-day training is organised as a mix of presentations and interactive workshops. Our goal is for participants to get an in-depth view of, and practical feel for, the OWASP SAMM model. The session is organised in three parts:

    • First, we present an overview of the model and review the similarities and differences with other models. The five Business Functions - Governance, Design, Implementation, Verification, and Operations - are explained. We address the various constituent elements (e.g., metrics), review representative usage scenarios for the model, and define an assessment's scope.
    • The majority of our day will be spent reviewing the Security Practices comprising each Business Function, with an emphasis on assessing your organisation's maturity. Each Practice's treatment will include a hands-on segment, providing you an opportunity to apply SAMM to your organisation (or one you have worked for). We will assess representative Activities across all SAMM Practices, discussing our results and concerns in the group. This will give participants a good indication of their organisations’ maturity in software assurance. In the same effort, we will define a target model for your organisation and identify the most important challenges in getting there.
    • The final part of the training will be dedicated to specific questions or challenges that you are facing about secure development in your organisation. In this group discussion, experiences will be shared among participants to address these questions.
    If you've been struggling to launch a secure software initiative in your organisation, this training should provide you with the necessary foundations and ideas to do so.

    SAMM training outline
    • Introductions and Class Overview
    • The "Application Security Problem"
    • Software Development Lifecycle (SDLC) Overview
    • SAMM - Vision, History, Structure
    • SAMM as an Assessment Tool
    • Establishing Assessment Scope
    • Methodology - Assessment and Roadmapping
    • Assessing Governance
      • Strategy & Metrics
      • Policy & Compliance
      • Education & Guidance
    • Assessing Design
      • Threat Assessment
      • Security Requirements
      • Security Architecture
    • Assessing Implementation
      • Secure Build
      • Secure Deployment
      • Defect Management
    • Assessing Verification
      • Architecture Assessment
      • Requirements-driven Testing
      • Security Testing
    • Assessing Operations
      • Incident Management
      • Environment Management
      • Operational Management
    • Setting Improvement Targets
    • OWASP SAMM Tools
      • Assessment Toolkit
      • SAMMwise
      • SAMM Benchmark Project
      • Integration with Other OWASP Projects & Tools
    • SAMM Best Practices
      • Choosing the Right Starting Points
      • Monitoring and Metrics
      • Achieving Security by Default
      • Critical Success Factors
    • Wrap-up
      • Conclusions
      • Looking Forward
      • Getting Involved


    Bio:

    Seba (https://twitter.com/Sebadele) is co-founder and CTO of Toreon and a proponent of application security as a holistic endeavor. He started the Belgian OWASP chapter, was a member of the OWASP Foundation Board and has given several public presentations on application security. Seba also co-organized the yearly BruCON security and hacker conference and trainings in Belgium.
    With a background in development and many years of experience in security, he has trained countless developers to create software more securely. He has led OWASP projects such as OWASP SAMM, thereby truly making the world a little bit safer. Now he is adapting application security models to the evolving field of DevOps and is also focused on bringing threat modeling to a wider audience.