CANCELED:
URL=https://training.defcon.org/products...c-architecture
Originally posted by URL
Fundamentals of AppSec Architecture
Description:
The Fundamentals of AppSec Architecture course teaches engineers and architects to embed security principles throughout the software development life cycle, so that security is considered at every stage of development rather than bolted on at the end. Security by design builds security controls into the application's architecture and design from the outset, which reduces the likelihood of breaches and protects sensitive user data. Secure applications increase user trust, strengthen the surrounding IT infrastructure, and let teams address security risks proactively.
Training description:
The training mainly covers the following 4 important topics:
- Understanding various security by design principles
- Identifying and assessing security threats
- Implementing security into applications & Infrastructure
- Monitoring and logging
Trainer(s) bio:
Abhijeth Dugginapeddi is an AppSec Manager @BigCommerce, Adjunct Professor, and Mentor. He is a security enthusiast in the fields of penetration testing and application, mobile and infrastructure security, and believes in the need for more security awareness and responsible disclosure. He got lucky in finding a few vulnerabilities with Google, Yahoo, Facebook, Microsoft, eBay, Dropbox, etc. He previously spoke at Defcon, Blackhat, OWASP AppSec USA, c0c0n, Secure-2018 Poland, CISO Summit, and several other events.
Srinivas works for a bank as a Red Team operator, holds the Offensive Security Certified Professional (OSCP) and Offensive Security Certified Expert (OSCE) certifications, and is passionate about information security. He authored the book "Hacking Android". He previously worked as a penetration tester and has hands-on experience in DevSecOps, container security, web application security, infrastructure security, mobile application security, IoT security and embedded software exploit development (ARM & MIPS). He is one of the authors of FuzzAPI, a REST API vulnerability scanner. He has spoken and trained at Blackhat, Defcon 26 IoT Village and Bsides Singapore 2019, and has delivered several talks and hands-on workshops at regional infosec events in India and Singapore.
Trainer(s) social media links:
https://twitter.com/abhijeth
https://twitter.com/srini0x00
Outline:
Day 1:
1. Fundamentals of Secure by design (2 hours)
This section covers the fundamental design principles an architect relies on: building security into the development process from the start, applying the principle of least privilege, and avoiding security through obscurity. It also covers practices for incorporating security into application development, such as adopting secure coding standards and testing security regularly.
2. Introduction to Threat modeling (1 hour)
This section introduces threat modeling and its role in secure application design. Attendees learn how to find threats, address them, rank and prioritize risk, and design a sample threat model. It surveys threat modeling methodologies such as PASTA, STRIDE and attack trees, and applies them to a sample use case.
3. Threat model case study (2 hours)
Case study: A real-world example of how threat modeling helped a company identify and mitigate potential security threats.
Lab 1: Conducting a threat modeling exercise using the STRIDE methodology manually.
Lab 2: Applying threat modeling to a sample application using a threat modeling tool (e.g. OWASP Threat Dragon)
4. Security on the application layer (3 hours)
With a sample threat model in hand, this section goes into implementation detail. The instructors build a sample application and walk through its components and their security considerations: the user interface, authentication and authorization mechanisms, and data storage. Secure coding practices covered include input validation, output encoding and exception handling; authentication practices include strong password policies and two-factor authentication; and encryption techniques include symmetric and asymmetric encryption.
Lab 1: Implementing secure authentication and authorization mechanisms in a sample application.
Lab 2: Implementing secure data management in a sample application using encryption, access control, and data backup and recovery strategies.
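As an added example (not code from the training page or its instructors), the following stdlib-only Python sketches the controls this section names: salted password hashing with a constant-time check, a TOTP second factor, allow-list username validation, HTML output encoding and a role-based authorization check. The user record, roles, scrypt cost parameters and the RFC 6238 test secret are assumptions for the demo, not anything taken from the course labs.

```python
"""Added example (not code from the training page or its instructors): a
stdlib-only sketch of the section 4 controls: salted password hashing with
constant-time verification, a TOTP second factor (RFC 6238), username
validation, HTML output encoding and a role check. The user record, secret
and roles below are constructed for the demo."""
import hashlib
import hmac
import html
import os
import re
import struct
import time

# scrypt cost parameters (assumed, illustrative values; tune for your hardware).
SCRYPT_N, SCRYPT_R, SCRYPT_P = 2 ** 14, 8, 1


def hash_password(password, salt=None):
    """Return (salt, digest); a fresh random salt is drawn when none is given."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.scrypt(password.encode("utf-8"), salt=salt,
                            n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=32)
    return salt, digest


def verify_password(password, salt, expected):
    """Constant-time comparison so timing does not leak how many bytes matched."""
    _, digest = hash_password(password, salt)
    return hmac.compare_digest(digest, expected)


def totp(secret, at, step=30, digits=6):
    """RFC 6238 TOTP (HMAC-SHA1) for the given Unix time."""
    counter = struct.pack(">Q", at // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def verify_totp(secret, code, at=None, window=1):
    """Accept the current code plus or minus `window` steps of clock drift."""
    at = int(time.time()) if at is None else at
    return any(hmac.compare_digest(totp(secret, at + d * 30), code)
               for d in range(-window, window + 1))


USERNAME_RE = re.compile(r"[a-z0-9_]{3,32}")


def validate_username(raw):
    """Allow-list validation: reject anything outside the expected alphabet."""
    if not USERNAME_RE.fullmatch(raw):
        raise ValueError("invalid username")
    return raw


def render_greeting(name):
    """Output encoding: escape before interpolating into HTML."""
    return "<p>Welcome, %s</p>" % html.escape(name, quote=True)


# Constructed role map and user record for the demo (not a real policy).
ROLE_PERMISSIONS = {"customer": {"view_order"}, "admin": {"view_order", "refund_order"}}
_SALT, _HASH = hash_password("correct horse battery staple")
USERS = {"alice": {"salt": _SALT, "hash": _HASH, "role": "customer",
                   "totp_secret": b"12345678901234567890"}}  # RFC 6238 test secret
_DUMMY_SALT, _DUMMY_HASH = hash_password("dummy")


def authorize(role, action):
    """Deny by default: unknown roles get an empty permission set."""
    return action in ROLE_PERMISSIONS.get(role, set())


def login(username, password, otp, at=None):
    """Return a session dict on success, else None with no hint of which factor failed."""
    try:
        name = validate_username(username)
    except ValueError:
        return None
    user = USERS.get(name)
    if user is None:
        verify_password(password, _DUMMY_SALT, _DUMMY_HASH)  # equalise timing for unknown users
        return None
    if not verify_password(password, user["salt"], user["hash"]):
        return None
    if not verify_totp(user["totp_secret"], otp, at):
        return None
    return {"user": name, "role": user["role"]}


if __name__ == "__main__":
    code = totp(USERS["alice"]["totp_secret"], 59)  # "287082" (RFC 6238 vector for T=59)
    print(login("alice", "correct horse battery staple", code, at=59))
    print(render_greeting("<script>alert(1)</script>"))
```

Two failure-mode details are worth noting: `login` returns the same result whether the username, password or one-time code was wrong, and it runs a dummy hash for unknown users so response time does not reveal which accounts exist.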
Day 2:
5. Securing Infrastructure Deployment (3 hours):
This section introduces the importance of securing the infrastructure on which applications are deployed, including the runtime environment and the network. It covers best practices for securing the runtime environment (operating system, web server and database) and the network infrastructure (firewalls, intrusion detection/prevention systems and VPNs), driven by the threat model created in the threat modeling lab.
Lab 1: Implementing secure configuration management in a sample application's runtime environment using a configuration management tool (e.g. Ansible)
Lab 2: Building an asset inventory and a patch-management and configuration-update process for the infrastructure of the case study above.
Lab 3: Securing databases
6. Securing CI/CD Infrastructure (2 hours):
Securing CI/CD (Continuous Integration/Continuous Delivery) infrastructure matters because the pipeline is itself part of the software supply chain. In a CI/CD environment, code is checked into a central repository, built and tested automatically, and then deployed to production. An attacker who gains access to the CI/CD system can inject malicious code into that process and have it deployed to production, harming the organization or its customers. This section works through exercises that secure the pipeline itself.
Lab 1: Attacking a deliberately vulnerable sample pipeline, CI/CD Goat, in which students exploit the vulnerabilities it contains.
Lab 2: Defending CI/CD against common attacks.
7. Monitoring and logging (1 hour)
Logging and monitoring matter in enterprise security because they give visibility into what is happening on the network and in applications, and allow detection when something goes wrong. This section demonstrates logging and monitoring best practices using the ELK stack.
Lab 1: Setting up a sample logging and monitoring tool using open-source resources.
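As an added example (not code from the training page or the ELK stack), the Python below runs the kind of detection rule this section is about over constructed login events: a sliding-window count of failed logins per source address, plus a second alert when a flagged source then logs in successfully. The log format, field names, thresholds and addresses are assumptions for the demo.

```python
"""Added example (not code from the training page or the ELK stack): the kind
of detection rule the monitoring section is about, run offline over
constructed application login events. The log format, field names, source
addresses and thresholds are assumptions for the demo; in the lab the same
events would be shipped to Elasticsearch and the rule expressed as a query."""
import re
from collections import defaultdict, deque
from datetime import datetime, timezone

# Assumed line format: "<ISO8601Z> app login result=<success|failure> user=<u> src=<ip>"
LOG_RE = re.compile(
    r"^(?P<ts>\S+) app login result=(?P<result>success|failure) "
    r"user=(?P<user>\S+) src=(?P<src>\S+)$"
)


def parse_line(line):
    """Parse one event; return None for lines in any other format (skip, do not crash)."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return ev


def detect_brute_force(lines, threshold=5, window_s=60):
    """Flag a source after `threshold` failed logins within `window_s` seconds,
    and flag again if that source then logs in successfully (likely compromise)."""
    recent = defaultdict(deque)   # src -> timestamps of failures inside the window
    flagged = set()
    alerts = []
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue
        q = recent[ev["src"]]
        while q and (ev["ts"] - q[0]).total_seconds() > window_s:
            q.popleft()           # slide the window forward
        if ev["result"] == "failure":
            q.append(ev["ts"])
            if len(q) >= threshold and ev["src"] not in flagged:
                flagged.add(ev["src"])
                alerts.append({"type": "brute_force", "src": ev["src"],
                               "failures": len(q), "at": ev["ts"].isoformat()})
        elif ev["src"] in flagged:
            alerts.append({"type": "success_after_brute_force", "src": ev["src"],
                           "user": ev["user"], "at": ev["ts"].isoformat()})
    return alerts


# Constructed sample log (documentation address ranges, not real traffic).
SAMPLE_LOG = """\
2023-08-14T09:00:01Z app login result=failure user=alice src=203.0.113.7
2023-08-14T09:00:03Z app login result=failure user=alice src=203.0.113.7
2023-08-14T09:00:04Z app login result=failure user=bob src=198.51.100.9
2023-08-14T09:00:06Z app login result=failure user=alice src=203.0.113.7
2023-08-14T09:00:09Z app login result=failure user=alice src=203.0.113.7
2023-08-14T09:00:12Z app login result=failure user=alice src=203.0.113.7
2023-08-14T09:00:15Z app login result=success user=alice src=203.0.113.7
2023-08-14T09:00:20Z app login result=success user=bob src=198.51.100.9
GET /healthz 200 (not a login event, skipped by the parser)
""".splitlines()

if __name__ == "__main__":
    for alert in detect_brute_force(SAMPLE_LOG):
        print(alert)
```

The parser skips lines it cannot match rather than raising, since a pipeline that crashes on an unexpected line is itself a monitoring gap. Bob's single failure followed by a success stays below the threshold and produces nothing, which is the behaviour you want before tuning the rule against real traffic volume.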
8. Capture the flag (1.5 hours)
Sample case studies:
- A retail website that allows customers to create accounts and make purchases online.
- A social media platform that allows users to create profiles, share content and connect with other users.
- A healthcare organization that manages patient records and other sensitive information.
- A financial institution that provides online banking and other financial services.
Throughout the training, case studies and practical examples will be used to illustrate key concepts and techniques. Participants will also have the opportunity to apply their knowledge and skills in hands-on lab exercises, with guidance and support from the instructors.
Technical difficulty:
Beginner
Attendees will find the concepts easier to follow if they already have a background in penetration testing, secure coding, the OWASP Top 10, etc.
Suggested Prerequisites:
Prerequisite video material (about 2-3) will be shared with attendees before the training.
What students should bring:
A laptop with VirtualBox/VMware Player/Workstation/Fusion installed
16GB RAM required, at a minimum
40 GB free Hard disk space
Docker pre-installed
DATE: August 14th-15th 2023
TIME: 8am to 5pm PDT
VENUE: Caesars Forum, Las Vegas, NV
TRAINER: Abhijeth Dugginapeddi & Srinivas
- 16 hours of training with a certificate of completion.
- 2 coffee breaks are provided per day
- Note: Food is not included
Registration terms and conditions:
Trainings are refundable before July 1st, 2023, less a $250 processing fee.
Trainings are non-refundable after July 10th, 2023.
Training tickets may be transferred. Please email us for specifics.
Failure to attend the training without prior written notification will be considered a no-show, and no refund will be given.
By purchasing this ticket you agree to abide by the DCT Code of Conduct and the registration terms and conditions listed above.