Tuesday, May 26

9:00am

A builder’s guide to Single Page Application security
Whether you like it or not, we all live in a world of Single Page Applications. Frontend JavaScript frameworks such as Angular and React have changed the way we build web applications. However, did you know that these frameworks also disrupt the security landscape? For example, Angular and React change the nature of XSS as we know it. They also conflict with modern security measures, such as Content Security Policy.

In this training, you will learn how to build secure Single Page Applications. We cover changes in the security model of an application, common threats to an application, framework features that increase security, and state-of-the-art security technology you should start using. Concretely, we will cover the following topics:
  • XSS in Angular and React
  • Advanced injection attacks
  • The limitations of CSP in Single Page Applications
  • Recent developments in CSP
  • Protecting yourself against malicious third-party content
  • JWT abuse and best practices
  • The intricacies of Cross-Origin Resource Sharing
  • Recent developments in using OAuth 2.0 and OpenID Connect

The training consists of both lectures and hands-on lab sessions. Lectures go into depth on security threats and mitigation strategies. Labs are conducted in a custom-built competitive lab environment. Security challenges give you hands-on experience with attacks and defenses. You will walk away from this training with an overview of current best practices, along with actionable advice on implementing them.

Who should attend?
This security training specifically targets modern web developers. Anyone involved in building single-page applications (e.g., Angular, React) or managing development teams should be here. This training course is not just any training course. It is packed with in-depth and up-to-date content. We do not merely brush over a threat and defense but focus on the underlying cause and consequences. Why do we have this problem? Which mitigations are often used? Why are some ineffective? Which one is the current best practice? These are the questions that will be answered throughout the training.

Prerequisites
To participate in this training, you should have development experience with single-page applications and the underlying APIs. Familiarity with the basics of security (e.g., simple XSS attacks) is helpful, but not required. The training will talk about Angular and React specifically, but also applies to other frameworks, such as EmberJS or Vue.js.

Computer setup
To participate in the lab sessions, participants need an internet-accessible laptop with a modern browser installed (e.g., Chrome, Firefox).



Trainers

Philippe De Ryck

Founder, Pragmatic Web Security
Philippe De Ryck helps developers protect companies through better web security. As the founder of Pragmatic Web Security, he travels the world to train developers on web security and security engineering. His Ph.D. in web security from KU Leuven lies at the basis of his exceptional...


Tuesday May 26, 2020 9:00am - 5:00pm

9:00am

Advanced AWS Security
This training goes beyond the basics. Learn how AWS can be harnessed for robust security in real-world AWS environments. This fast-paced, lab-based course covers the nitty-gritty of AWS security concepts and ties them together with coding exercises to help you upgrade your AWS security knowledge.

Topics covered:
  • Authentication
  • Access Control
  • User management
  • Session management
  • Logging and Auditing
  • Data Protection
  • Configuration Management
  • Availability
  • Advanced Topics



Trainers

Alex Smolen

Engineering Manager, Clever
Alex Smolen is an engineering manager with over a decade of experience on security-focused engineering teams. Alex currently leads the security and resiliency efforts at Clever as the engineering manager for three teams: Infrastructure, Security, and IT. Previously, he was a software...


Tuesday May 26, 2020 9:00am - 5:00pm

9:00am

Building Secure API's and Web Applications
The major cause of webservice and web application insecurity is insecure software development practices. This highly intensive and interactive 2-day course provides essential application security training for web application and webservice developers and architects. 

The class is a combination of lecture, security testing demonstration and code review. Students will learn the most common threats against applications. More importantly, students will learn how to code secure web solutions via defense-based code samples.

As part of this course, we will explore the use of third-party security libraries and frameworks to speed and standardize secure development. We will highlight production-quality and scalable controls from various languages and frameworks. This course will include secure coding information for Java, PHP, Python, JavaScript, and .NET programmers, but any software developer building web applications and web services will benefit.

Student Requirements: Familiarity with the technical details of building web applications and web services from a software engineering point of view.

Laptop Requirements: Any laptop that can run an updated web browser and "Burp Community Edition".

Day 1 of the course will focus on web application basics.

- Introduction to Application Security 
- Introduction to Security Goals and Threats 
- HTTP Security Basics 
- CORS and HTML5 Considerations
- XSS Defense 
- Content Security Policy
- Intro to Angular.JS Security
- Intro to React.JS Security
- SQL and other Injection 
- Cross-Site Request Forgery
- File Upload and File IO Security 
- Deserialization Security
- Input Validation Basics 
- OWASP Top Ten 2017
- OWASP ASVS 

Day 2 of the course will focus on API secure coding, Identity, and other advanced topics.

- Webservice, Microservice and REST Security
- Authentication and Session Management
- Access Control Design
- OAuth 2 Security 
- OpenID Connect Security
- HTTPS/TLS Best Practices
- 3rd Party Library Security Management
- Application Layer Intrusion Detection

The course will include several hacking and secure coding labs!

Trainers

Jim Manico

Founder, Manicode Security
Jim Manico is the founder of Manicode Security, where he trains software developers on secure coding and security engineering. He is also an investor/advisor for KSOC, Nucleus Security, Signal Sciences and BitDiscovery. Jim is a frequent speaker on secure software practices, is a member...


Tuesday May 26, 2020 9:00am - 5:00pm

9:00am

Secure Code Review Workshop React.js, Node.js and Open Source Libraries
In this workshop we will focus on techniques for reviewing application source code for common vulnerabilities such as the OWASP Top 10. This workshop is targeted at builders and defenders. If you are developing applications or tasked with defending them, then this is the place for you. The labs will be focused on JavaScript applications using React.js and Node.js. By the end of the workshop you will have a good understanding of tools and techniques you can use to efficiently use your time when reviewing applications by leveraging automation and focusing on areas of the code where vulnerabilities tend to occur.

What will you learn?

  • Efficiently review large React.js and Node.js applications, those with over 10,000 lines of code.
  • Quickly spot vulnerabilities (OWASP Top 10) in React.js and Node.js application code.
  • Using Open Source libraries securely and building in automated application protections.
  • Efficiently review medium to large size React.js and Node.js applications.
  • Add automatic audit features to code projects to prevent future developer mistakes.
  • Build integrations into CI workflows that audit application code automatically.
  • Turn blackbox pentests into whitebox tests by obtaining source code to audit.



Trainers

Ron Perris

Ron Perris has over a thousand hours of in-person developer training experience. Ron also writes online training courses for the world's largest application security provider, Synopsys (NASDAQ: SNSP). Ron has experience building security features and running an application security...


Tuesday May 26, 2020 9:00am - 5:00pm
Wednesday, May 27

9:00am

A builder’s guide to Single Page Application security
Wednesday May 27, 2020 9:00am - 5:00pm

9:00am

Advanced AWS Security
Wednesday May 27, 2020 9:00am - 5:00pm

9:00am

Building Secure API's and Web Applications
Wednesday May 27, 2020 9:00am - 5:00pm

9:00am

Secure Code Review Workshop React.js, Node.js and Open Source Libraries
Wednesday May 27, 2020 9:00am - 5:00pm