AppSec Europe 2018 has ended
                                                                                    ***Content is subject to change.***

Sign up or log in to bookmark your favorites and sync them to your phone or calendar.

Training 3 days [clear filter]
Monday, July 2

8:00am BST

3 day Training: Practical DevSecOps: Continuous Security in the Age of Cloud
Limited Capacity seats available

Ever wondered how to handle deluge of security issues and reduce cost of fixing before software goes to production ? How unicorns like Google, Facebook, Amazon, Etsy handle security at scale?  In Practical DevSecOps training you will learn how to handle security at scale using DevSecOps practices. We will start off with the basics of the DevOps, DevSecOps and move towards advanced concepts such as Security as Code, Compliance as Code, Configuration management, Infrastructure as code etc.,

The training will be based on DevSecOps Studio, a distribution for DevSecOps enthusiasts and various OWASP tools like SKF, DefectDojo, Mod Security Core Rule Set. We will cover real-world DevSecOps tools and practices in order to obtain an in-depth understanding of the concepts learnt as part of the course.

We will also cover how to use static analysis (SAST), Dynamic Analysis (DAST), OS hardening, Security Dashboards and Vulnerability management as part of the Secure SDLC and how to select tools which fit your organization’s needs and culture.

After the training, the students will be able to successfully hack and secure applications before hackers do. The students will be provided with slides, tools and Virtual machines used during the course.

This course will cover the following DevSecOps topics and techniques:
1. Introduction to DevOps and DevSecOps:
2. DevSecOps Tools of the trade including DevSecOps Studio
3. Secure SDLC and CI/CD pipeline
4. Amazon Web Services and its various security features
5. Container (Docker) Security
6. Configuration/Secret Management and its Security
7. SAST (Static Analysis) in CI/CD pipeline
8. DAST (Dynamic Analysis) in CI/CD pipeline
9. Runtime Analysis( RASP, IAST) and how to select tools.
10. Infrastructure as Code and Its Security
11. Vulnerability Management with custom tools
12. Virtual Patching and Application Security Dashboards
13. Automate compliance activities to achieve PCI/DSS/HIPAA compliance

Who should attend:
This course is aimed at anyone who is looking to embed security as part of agile/cloud/DevOps environments, like Security Professionals, Penetration Testers, Red Teamers, IT managers, Developers and DevOps Engineers.

The student should have some knowledge of basic linux commands like ls, cd, mkdir etc.,
The student should have some basic understanding of application Security vulnerabilities like OWASP Top 10.

avatar for Raghunath Gopinath

Raghunath Gopinath

Security Researcher
Raghu is an information security enthusiast and primarily focused on Application security services from past 7.9 years. He presently works on security automation using DevSecOps practices. Also, he is a founder of null Hyderabad chapter and one of the lead for null Singapore chapter... Read More →
avatar for Mohammed Imran

Mohammed Imran

Senior Security Engineer, ZenDesk
Mohammed “secfigo” Imran is a seasoned security professional with 8 years of experience in helping organizations with their Information Security Programs. He has a diverse background in R&D, consulting and product-based industries with a passion to solve complex security programs... Read More →

Monday July 2, 2018 8:00am - Wednesday July 4, 2018 5:00pm BST
Albert - 2nd Floor QEII Centre Broad Sanctuary, Westminster, London. SW1P 3EE

8:00am BST

3-Day Training: Advanced Web Hacking
Limited Capacity seats available

This class focus on specific areas of app-sec and on advanced vulnerability identification and exploitation techniques (especially server side flaws). The class allows attendees to practice some neat, new and ridiculous hacks which affected real life products and have found a mention in real bug-bounty programs.
The vulnerabilities selected for the class either typically go undetected by modern scanners or the exploitation techniques are not so well known. This class talks about a wealth of hacking techniques to compromise web applications, APIs and associated end-points.
The following is the course outline:
  • Authentication Bypass
    • Token Hijacking attacks
    • Logical Bypass / Boundary Conditions
  • SAML / OAuth 2.0 / Auth-0 / JWT Attacks
    • JWT Token Brute-Force attacks
    • SAML Authentication and Authorization Bypass
    • XXE through SAML
    • Advanced XXE Exploitation over OOB channels
  • Password Reset Attacks
    • Cookie Swap
    • Host Header Validation Bypass
    • Case study of popular password reset fails.
  • Breaking Crypto
    • Known Plaintext Attack (Faulty Password Reset)
    • Path Traversal using Padding Oracle
    • Hash length extension attacks
  • Business Logic Flaws / Authorization flaws
    • Mass Assignment
    • Invite/Promo Code Bypass
    • Replay Attack
    • API Authorization Bypass
  • SQL Injection
    • 2nd order injection
    • Out-of-Band exploitation
    • SQLi through crypto
    • OS code exec via powershell.
    • Advanced topics in SQli
  • Remote Code Execution (RCE)
    • Java Serialisation Attack
    • Node.js RCE
    • PHP object injection
    • Ruby/ERB template injection
    • Exploiting code injection over OOB channel
  • Server Side Request Forgery (SSRF)
    • SSRF to call internal files
    • SSRF to query internal network
  • Unrestricted File Upload
    • Malicious File Extensions
    • Circumventing File validation checks
  • Miscellaneous Topics
    • HTTP Parameter Pollution (HPP)
    • XXE in file parsing
    • A Collection of weird and wonderful XSS and CSRF attacks.
  • Attack Chaining
    • Combining Client-side and or Server-side attacks to steal internal secrets
Delegates will be given access to hands on LABs for a majority of the above topics. Attendees will also benefit from a state-of-art Hacklab and we will be providing free 2 Weeks of lab access after the class to allow attendees more practice time.

avatar for Sudhanshu Chauhan

Sudhanshu Chauhan

Associate Director, NotSoSecure Global Services
Sudhanshu Chauhan is an information security professional working as an Associate Director at NotSoSecure. He is one of the core contributors to Datasploit (Open Source OSINT Framework). Sudhanshu has written various articles on a wide range of topics including Cyber Threats, Vulnerability... Read More →
avatar for Sumit Siddharth

Sumit Siddharth

Founder, NotSoSecure
Sumit Siddharth (Sid) is the founder of NotSoSecure (www.notsosecure.com), a specialist IT security firm delivering high-end IT security consultancy and Training. Prior to NotSoSecure, he worked as Head of Penetration Testing for a leading IT security company in the UK. He has more than 9 years of experience in Penetration Testing. Sid has authored a... Read More →
avatar for Sunil Yadav

Sunil Yadav

Associate Director, NotSoSecure Global Services
Sunil works as Head of Research for NotSoSecure, a Claranet group company. He has 10 years of experience in application security. He has also been a trainer for the Web Hacking - Black Belt Edition and Basic Web Hacking courses at Black Hat and other leading conferences. He has provided... Read More →

Monday July 2, 2018 8:00am - Wednesday July 4, 2018 5:00pm BST
Olivier- 2nd Floor QEII Centre Broad Sanctuary, Westminster, London. SW1P 3EE

8:00am BST

3-Day Training: Exploiting Websites by using offensive HTML, SVG, CSS and other Browser-Evil
Limited Capacity seats available

More and more web applications delegate business logic to the client. HTML.next, JavaScript, SVG, Canvas, ES2016 & AngularJS are just some terms that describe the contents of the modern web stack. But how does the attack surface look for those? What if there’s not GET parameters anymore that our scanner scan tamper with? Classic web-pentests are “so nineties” in this realm. And keeping up the pace with progress is getting harder and harder.

But there is hope. We’ll learn how to attack any web-application with either unknown legacy features – or the half-baked results coming to your browser from the labs of W3C, WHATWG and the ES2016 mailing lists. Whether you want to attack modern web applications or shiny browser extensions – we have that covered.

HTML is a living standard. And so is this workshop. The course material will be provided on-site and via access to a private Github repository so all attendees will be receive updated material even months after the actual training.

avatar for Mario Heiderich

Mario Heiderich

Founder, Cure 53
Dr.-Ing. Mario Heiderich, aging but still somewhat handsome heart-breaker, ex-security researcher and now a more or less overpaid secretary is from Berlin, still likes everything between lesser- and greater-than, also fine-food and wine-parings and leads a small yet exquisite pen-test... Read More →

Monday July 2, 2018 8:00am - Wednesday July 4, 2018 5:00pm BST
Victoria - 2nd Floor QEII Centre Broad Sanctuary, Westminster, London. SW1P 3EE