Register for Training

Sign up for a training course and receive 50% off conference registration fees!

OWASP Top 10 – Exploitation and Effective Safeguards

David Caissy



Most web application developers have heard about SQL Injection and Cross-Site Scripting, but few know which safeguards are really effective against expert hackers. Exploitation techniques have greatly evolved in the last few years and programmers need to keep their guard up. They are in the tough position of securing systems against experienced hackers. What help do they have?

The OWASP Top 10 web application vulnerabilities list has done a great job promoting awareness on the subject. Along with many cheat sheets, they provide valuable tools and techniques to web developers. But such a great source of information could be overwhelming for the programmer who wants to learn about security. This course aims at providing all web developers deep hands-on knowledge on the subject.

To achieve this goal, participants will first learn the technical details about each OWASP Top 10 vulnerability. Then the instructor will give demos on how attacks are performed against these vulnerabilities. After that, participants will use virtual machines and follow step by step procedures to launch attacks against a vulnerable web site. This step is key in understanding how exploitation works so they can later implement effective safeguards in their systems. Our experience is that participants who have had hands-on experience at exploiting vulnerabilities will always remember how to prevent them.

At the end of the course, participants will have learned:
• What are the OWASP Top 10 vulnerabilities
• How hackers exploit them
• Which safeguards are effective… and which ones are not!

The course will cover the following topics:

  1. SSL Certificates
  2. Effective Password Management
  3. Secure Application Architecture
  4. Injection Attacks
  5. Command Injection
  6. File Injection
  7. SQL Injection
  8. Cross-Site Scripting (XSS)
  9. Cross-Site Request Forgery (CSRF)
  10. Broken Authentication and Session Management
  11. Insecure Direct Object References
  12. Security Misconfiguration
  13. Sensitive Data Exposure
  14. Missing Function Level Access Control
  15. Using Known Vulnerable Components
  16. Unvalidated Redirects and Forwards
  17. Securing Web Services (REST and SOAP)
  18. Secure Coding Best Practices
  19. List of Effective Safeguards

Hands-on Exercises:

  1. Session Initialization and Client-Side Validation
    1. Part 1: Web Proxy and Session Initialization
    2. Part 2: Client-Side Validation
  2. Online Password Guessing Attack
  3. Account Harvesting
  4. Using a Web Application Vulnerability Scanner
  5. Optional Exercises:
    1. Sniffing Encrypted Traffic
    2. Command Injection
    3. Create SSL certificates


This course is designed to help intermediate to expert web developers and security professionals understand how to secure web applications. Candidates are expected to have basic knowledge of HTML, XML and SQL, but no experience in security is required prior to taking this course. However, security professionals who want to learn more about web security will benefit from this class.


Participants are asked to bring a laptop (Windows, Mac or Linux) with at least 3 GB of RAM, 20 GB of free disk space, a DVD reader and either VMware Player (free), VMware Workstation, VMware Fusion or Oracle VirtualBox pre-installed. They must also have an administrator/root account on their laptop. At the beginning of the course, participants will receive a DVD containing two pre-configured virtual machines.

About the trainer

David Caissy, OSCP, GWAPT, GPEN, GSEC, CISSP, CEH has 15 years of experience as a security consultant and a web application architect. He has performed security audits, vulnerability assessments, web application penetration tests and has designed several secure systems. He has worked for banks, the Department of National Defense, various government agencies and private companies. He has been teaching information security in colleges and in many departments in addition to contributing to IT security articles.

Risk Centric Threat Modeling & Metrics in the SDL

Tony UV


This training will walk through the 7 stages of the Process for Attack Simulation and Threat Analysis (PASTA), a risk-centric approach to threat modeling that can be paralleled to SDL activities for developers, architects, system engineers, and (of course) security professionals. Students will begin by learning about threat modeling fundamentals that are agnostic to any methodology. Activities such as application deconstruction, data flow diagramming, enumeration exercises, and use/abuse case mapping will all be exemplified in the training. The key benefit will be in applying a risk-centric approach to threat modeling via the PASTA approach, which looks to identify the most likely attack vectors based upon harvesting threat intelligence sources and evaluating other factors such as deployment models, inherent industry threat agents/motives, and overall application architecture. An outline of the training to be provided is included below:

I. Threat Modeling Intro & Primer
  A. Objectives & Approaches
  B. Threat Modeling Taxonomy & Syntax
  C. Tools & Techniques
  D. PASTA Methodology Overview
II. P1 – Define Business Objectives of Application Threat Model (Goal: Define Impact)
  A. Enumerate business objectives serving as application drivers
  B. Identify application data types (privacy implications)
  C. Identify regulatory impact/landscape for application environment
  D. Identify SLAs associated with product app
III. P2 – Define Technology Scope (Component Enum)
  A. Enum Application Frameworks leveraged by Framework
  B. Enum platform components (system OS, etc.)
  C. Enum actors running component processes
  D. Enum network services supporting various layers of application architecture
  E. Enum third party product (COTS) supporting application solution
  F. Enum data components across application layers
  G. Enum existing countermeasures (processes, technological controls, etc.)
IV. P3 – Application Decomposition (Call Tracing – Understanding calls amongst app components)
  A. Identify Use Cases using Components
  B. Map Call Flows amongst App Components
  C. Identify Trust Boundaries in the Application
  D. Perform CRUD exercises on back data storage sources (DBs, disk, client data storage)
  E. System level permissioning review
  F. Open and Integrated Auth Model Considerations
  G. Cloud API considerations
V. P4 – Threat Analysis
  A. Harvesting relevant threat intel sources (external sources)
  B. Harvesting threat data (internal sources)
  C. Probabilistic threat analysis
  D. Deployment models and architectural review of apps
  E. Identifying Threat Agents and Motives for targeted app
VI. P5 – Vuln Analysis
  A. Leveraging vulnerability assessments
  B. Using a strong Weakness/Vulnerability Library (CVE/CWE)
  C. Identifying & Correlating flaws in application model
  D. Identifying & Correlating system/DB/framework related vulnerabilities
VII. P6 – Attack Modeling
  A. Leveraging a valid attack library (CAPEC)
  B. Understanding Kill Chains and Attack Trees
  C. Assigning probabilities to attack branches (probabilistic analysis of attacks)
  D. Exploit DB & Common Attack Patterns
VIII. P7 – Residual Risk Analysis & Countermeasure Development
  A. Inherent countermeasures
  B. Inherent countermeasure effectiveness
  C. Residual Risk Analysis
  D. Impact Analysis from Threats
  E. Prioritizing Countermeasures
IX. Threat Modeling Vignettes
  A. Threat Modeling Exercises in groups
X. Maturity Modeling & SDLC Integration
  A. OpenSAMM Use
  B. SDLC Metrics

About the trainer

With nearly 20 years of IT/IS experience across three different continents, Tony has accumulated both hands-on operational and management experience at a global level. Founder of VerSprite, a risk-focused security consulting firm in Atlanta, Tony works with global Fortune 500 organizations that are seeking something beyond compliance-driven approaches to security challenges. Tony is an author of the only risk-centric threat modeling methodology, named PASTA (Process for Attack Simulation & Threat Analysis), and is an author with Wiley Life Sciences. Tony also runs the OWASP Atlanta chapter and is an organizer of the BSides Atlanta conferences held yearly. Tony’s prior public speaking events include the likes of AppSec USA, BSides ATL, Great Wide Open Developer Conference, Cloud Connect, ISACA Information Security Risk Management, OWASP LatAM, regional ISSA and ISACA events and multiple OWASP global training and speaking events in Asia, Latin America, Europe, and North America.

Cryptography For The Modern Developer

Timothy D. Morgan


Year after year, cryptography is incorporated into more and more systems. Whether it be encrypting data in transit with off-the-shelf protocols, or implementing custom encryption mechanisms for data at rest, software developers are increasingly expected to leverage cryptography to meet security demands.

However, few developers have the experience or training to implement cryptography safely. The significant learning curve associated with using any cryptographic primitive properly, combined with the error-prone APIs that most development environments expose to developers, has led to countless flaws in modern applications.

This course is designed to provide attendees with the core concepts required to make informed decisions about what cryptographic primitives and APIs are safest to use in practice. Attendees will further learn that with a proper implementation, cryptography can make their development tasks easier, in addition to being more secure.

No significant background in cryptography is required to take this one-day course. However, attendees are expected to have a software development background. Lab sessions will include short exercises which ask students to write simple programs in their chosen language to solve various challenges. The content will include approximately 50% lecture and 50% labs or other exercises to reinforce the concepts presented.

Expected Outline:

0. Intro

1. Cryptography Primer/Refresher
– Symmetric Encryption
– Pseudorandom Number Generators
– Hashing and Integrity Protection
– Asymmetric Encryption
– How Crypto Makes Life Easier

1L. Crypto Basics Quiz & VM Setup

2. Overview of Modern Attacks and Common Mistakes
– PRNG issues, APIs
– Integrity Problems
– Padding Oracle Attacks
– Modern Password Cracking

2L. Exercise: Fix their Code

3. Key Exchange and PKIs
– Man-in-the-middle attacks
– PKI approaches
– Problems with PKIs
– Certificate Pinning

3L. Certificate Validation Testing

4. Practical Concerns
– Recent SSL/TLS bugs
– Standard API Overviews: Java, .NET, OpenSSL
– Better APIs: NaCl, KeyCzar
– Ciphertext Fuzzing Techniques (tentative)

4L. Exercise: Implement a Safe Token

About the trainer

As an application security consultant and vulnerability researcher, Tim has been taking deep technical dives in security for over a decade. In that time, he has been credited with the discovery and responsible disclosure of numerous security vulnerabilities in a variety of software products, including: IBM Tivoli Access Manager, Sun Java Runtime Environment, Google Chrome Web Browser, OpenOffice, Oracle WebLogic Application Server, and IBM WebSphere Commerce. His current research interests include applied cryptanalysis, IPv6 security, and XML external entity attacks. Tim develops and maintains several open source forensics tools in addition to Bletchley, an application cryptanalysis toolkit.

Tim works to secure his customers’ environments through black box testing, code reviews, social engineering exercises, security training, and a variety of other services. Tim earned his computer science degrees from Harvey Mudd College and Northeastern University and currently resides in Portland, Oregon where he leads the local OWASP chapter.

Safely Riding the Rails

Ken Johnson


This course focuses on building secure Ruby on Rails applications. In addition to covering existing vulnerabilities within the OWASP Project built by the instructor dubbed “Railsgoat”, there will be comprehensive discussion on the implementation of Rails specific defense mechanisms. Students will learn attack techniques, all of which are specific to the Rails framework. The OWASP Top 10 Risks and Controls will be covered at great length as well.

After an overview of the fundamentals of Ruby on Rails, students will be immersed in modifying and improving the security flaws within the Railsgoat application. In addition to Rails-specific manifestations of the OWASP Top 10 vulnerabilities, students will learn about advanced topics such as remote code execution and metaprogramming vulnerabilities.

At the end of this course, attendees should understand how to review and protect their Rails applications, implement proactive defensive measures, and perform penetration testing geared towards Ruby on Rails applications.

High-level Course Outline:

– Secure use of cryptographic libraries
– Authentication system
• Password complexity
• Time-based attacks
• Enumeration
• Lockout
• Insecure forgot password functions
– Authorization
• Insecure direct object reference
• Impersonation functionality
• Role Based Access Controls
– Metaprogramming Issues
• Common flaws
• Secure usage of metaprogramming methods
– SQL Injection
• Scoping
• String interpolation or concatenation
• Insecure use of unsafe methods such as pluck
– Insecure usage of validation functions
– Insecure application configuration(s)
– Cross-Site Scripting (XSS)
• Types of XSS
• XSS Context – JS, HTML, JSON, CSS
• Vulnerable templating language methods
• Demonstrate impact
• CSP + Secure Header RubyGem
– Session management issues
• Client-side cookies
• Improper destruction
• Session Fixation
– Remote Code Execution flaws
• Serialization libraries
– Misconfiguration in application settings
– Denial of Service
– Sensitive Data Exposure
• Model attribute exposure
• Application log handling
– Defensive Measures
• Guard
• Brakeman
• Bundler-Audit
• Security-based Unit-Tests


About the trainer

Ken Johnson is the CTO of nVisium. Ken co-authored the Railsgoat project, is the creator of SecCasts, and is responsible for product development at nVisium. Ken has spent an enormous amount of time reviewing Ruby on Rails applications, developing them, securing them, and performing training centered around Rails security.

Enterprise Incident Response

Russ Gideon


Incident Response is a multidisciplinary approach to understanding the methodologies, techniques, and tools for both offensive and defensive security. This course introduces a tactical approach for instrumenting, alerting, and responding for enterprises. Using a combination of new tools and uncommon techniques, students will learn how to defend a network against today’s evolving threats. Real world attacks concentrate heavily on a number of methodologies, including: compromising systems without depending upon standard exploits, Personal Security Product (PSP) evasion, unique stealth approaches, persistence mechanisms, and varying degrees of collection strategies. Attendees will learn how real attackers use these strategies and how to detect, alert, respond, and defend against these techniques.

Students will learn:

  1. How to manipulate enterprise tools and infrastructures in unusual ways for better security
  2. How to build and employ custom logging tools for detecting lateral movement, persistence mechanisms, data targeting, and exfiltration
  3. How to provide actionable data to help decision makers
  4. How to properly defend against and respond to incidents on a network
  5. How to apply an offensive mindset for defensive purposes

The following items are the topic areas that will be covered in the class:

  1. Real offensive mindsets, not penetration testing mindsets, for enterprise response
  2. Proper response mechanisms and communication
  3. Host and network indicator extraction for enterprise results
  4. Quickly gather and identify data for incident use
  5. Host logging and auditing
  6. Leveraging active directory
  7. PCAP and network intelligence extraction
  8. Advanced host and file triage capabilities
  9. Host command and process monitoring across a host

Students will get the chance to work with real “APT” tools and see the unique differences between how they are used in real attacks vs. the penetration testing tools used today. These differences will help students learn how to truly detect real adversaries. The labs will be interwoven into the lecture so that students will receive a significant amount of time exercising these new skills as they learn. By the end of the class, students will have spent 50% of the time in a lab environment. A significant portion of the class will be dedicated to building new tools, on the fly, to solve the challenges posed by a difficult adversary. Questions can be sent to [email protected].

Iron-Clad Development: Building Secure Applications

Jim Manico


The major cause of application insecurity is insecure software development practices. This highly intensive and interactive course provides essential application security training for web application, web service and mobile software developers and architects.

This class is a combination of lecture, security testing demonstration and code review. Students will learn the most common threats against applications and how to defend against them in a variety of programming frameworks.

The following topics, and more, will be covered.

  1. HTTP Basics
  2. SQL and other Injection
  3. Authentication
  4. XSS Defense
  5. Content Spoofing
  6. HTML Hacking
  7. Access Control
  8. Cross Site Request Forgery
  9. Clickjacking
  10. Applied Crypto Basics
  11. Mobile Security
  12. SDLC Architecture
  13. App Layer Intrusion Detection
  14. Webservice Security
  15. HTML5 Security Considerations
  16. Multi-form Workflow Security Considerations

This course is built for the software developer, but any application security professional wishing to learn more about secure coding techniques will benefit.
