Our Services

Brown Bag Sessions

Small intro brown bag sessions

Title: brown bag sessions explained

More context on what brown bag sessions are, who they are for and why you should do them

Our current available sessions

Description

This two-hour training is intended to give developers the skills needed to use the Content-Security-Policy (CSP) as a defense-in-depth measure against client-side attacks in web applications. The first half of this training aims to demystify CSP, shedding light on its importance and functionality. The second half goes through several advanced techniques that attackers can use to bypass improperly configured CSPs, to illustrate the importance of a strict CSP and to show that CSP is really a defense-in-depth measure and should not be considered a blanket fix for XSS issues in general.

Target Audience

Everyone in your organization who is involved with (or interested in) the technical aspects of the software delivery process.

This training is designed for groups ranging from 15 to 25 participants and can be conducted either virtually through a conference call or in-person at your location. The session can be delivered monologue-style as an awareness session for a conference or symposium as well.

Description

Cryptography, while complex, is an integral part of secure software development. In this workshop, we’ll attempt to demystify the mathematical concepts of cryptography and illuminate its vital role throughout the Software Development Life Cycle (SDLC). We’ll delve into key cryptographic principles, their application, and common pitfalls to avoid. This hands-on three-hour workshop brings the participant face-to-face with the practical aspects of cryptography in software development. We’ll be going through practical coding examples in Python and Google Colaboratory, so for those who want to participate, a Google account is required for this course and basic knowledge of Python is recommended.

Leaving out the hands-on exercises, this workshop can also be taught as an awareness session of two hours.

Target Audience

Developers and other technically savvy staff who want to get a better understanding of the “black magic” that mystifies this topic.

This workshop is designed for groups ranging from 15 to 25 participants and can be conducted either virtually through a conference call or in-person at your location. The session can be delivered monologue-style as an awareness session for a conference or symposium as well.

Description

This awareness session explains the common threats to software applications from an attacker’s point of view, using real-world data breaches and what the attacked companies could have done to prevent them.

We have selected breaches at large enterprises (Microsoft, Apple, Facebook, Twitter, etc.) where the technical details are well understood so we can use them as case studies.

Each case study is examined using the following questions:

  • What happened?
  • Why did this happen?
  • What were the consequences?
  • How can you prevent it?

This session can be tailored to the needs of the participants, using examples that pertain to them or to their industry specifically.

Target Audience

Everyone in your organization who is involved with the software delivery process.

This workshop is designed for groups ranging from 15 to 25 participants and can be conducted either virtually through a conference call or in-person at your location. The session can be delivered monologue-style as an awareness session for a conference or symposium as well.

Description

This workshop is intended to give the participant an understanding of the techniques employed by hackers and bug-bounty penetration testers in the real world when attacking applications that communicate over the web using HTTP(S). Via theory and hands-on hacking exercises, you will get a peek into the more practical side of cyber security. Without being too overwhelming on the bits-and-bytes front, it serves as a true eye-opener for anyone involved in software development, both technical and non-technical.

The workshop can be delivered in two modalities:

  • A “hands-on” variant, which requires the participants to install some tooling on their laptops (Java, ZAP, Firefox, Docker), which may require vetting from your IT department and sufficient permissions to run them. If usage of this software is ultimately not allowed, we would advise choosing the “interactive presentation” version of this workshop.
  • An “interactive presentation” variant, which is more of an awareness session and does not require the participants to install any tooling. Practical examples will be shown on-screen with ample opportunity for audience interaction.

Target Audience

Everyone in your organization who is involved with (or interested in) the technical aspects of the software delivery process.

This hands-on workshop is designed for groups ranging from 10 to 15 participants and can be conducted either virtually through a conference call or in-person at your location.

Description

The realm of Application Security is vast and complex, yet mastering its fundamentals is crucial in today’s digital age. This interactive session introduces the participants to the cornerstones of Application Security, diving into the essential principles, exploring common security vulnerabilities via examples, and discussing the key aspects of a Secure Software Development Life Cycle (SSDLC). Through code examples and case studies we create clarity in an opaque subject matter to help participants move forward in application security awareness.

Target Audience

Everyone in your organization who is involved with (or interested in) the technical aspects of the software delivery process.

This presentation is designed for groups ranging from 15 to 25 participants and can be conducted either virtually through a conference call or in-person at your location. The session can be delivered monologue-style as an awareness session for a conference or symposium as well.

This session introduces the participant to the two major protocols that drive identity and access for modern web applications: OAuth2 and OpenID Connect. They are ubiquitous, yet often confused with each other and rarely well understood. In this two-hour session we aim to help participants

  • distinguish between them (it’s harder than you think)
  • learn the basic mechanics behind them
  • recognize the use cases for when to use which one

Target Audience

Everyone in your organization who is involved with (or interested in) the technical aspects of the software delivery process.

This presentation is designed for groups ranging from 15 to 25 participants and can be conducted either virtually through a conference call or in-person at your location. The session can be delivered monologue-style as an awareness session for a conference or symposium as well.

Description

This extension of the “OAuth and OIDC demystified” course adds hands-on exercises to see everything in action in one or more demo applications.

Target Audience

Everyone in your organization who is involved with (or interested in) the technical aspects of the software delivery process.

Description

This session is designed to equip you with the knowledge to confidently embrace open-source technologies while avoiding legal trouble over licensing infringements.

This session can be organized independently, but also combines very well with our “Introduction to SBOM” workshop.

Target Audience

Everyone in your organization who is involved with the software delivery process.

This presentation is designed for groups ranging from 15 to 25 participants and can be conducted either virtually through a conference call or in-person at your location. The session can be delivered monologue-style as an awareness session for a conference or symposium as well.

Description

In this session we present OWASP as a source of information to help an organization manage the security of its software products. The goal of this session is twofold:

  • Present an overview of what OWASP is, how it can be used and why this would be needed
  • Create a sense of urgency for the participants by showing several examples of recent security breaches, how they happened and how they could have been avoided by using information and/or tools available from OWASP

OWASP currently hosts more than 250 open-source projects. We will present an overview and ensure the participants can find their way around the different projects (approximately 30 minutes).

Target Audience

Everyone in your organization who is involved with the software delivery process.

Description

In this awareness session, we will introduce you to the most famous, yet one of the most misunderstood, OWASP projects: “The OWASP Top-10”. Learn more about this awareness tool (it’s NOT a standard!) and its applicability to your software product portfolio. If so desired, this workshop can be tailored to your organization if we are provided with output from scanning tools. We will then map the CWE identifiers from those tools to the OWASP Top-10 and put more focus on the areas that your developers are struggling with the most.

Target Audience

Everyone in your organization who is involved with (or interested in) the technical aspects of the software delivery process.

This presentation is designed for groups ranging from 15 to 25 participants and can be conducted either virtually through a conference call or in-person at your location. The session can be delivered monologue-style as an awareness session for a conference or symposium as well.

Description

In this one-hour awareness session, we aim to give the attendee a basic understanding of Dynamic Application Security Testing. We’ll cover what it is (and isn’t) and conclude with a short demonstration.

Target Audience

Everyone in your organization who is involved with (or interested in) the technical aspects of the software delivery process.

This presentation is designed for groups ranging from 15 to 25 participants and can be conducted either virtually through a conference call or in-person at your location. The session can be delivered monologue-style as an awareness session for a conference or symposium as well.

Description

This “Introduction to Software Bill of Materials (SBOM)” session is designed to introduce professionals in the software industry to SBOMs and their importance in defending against cyber attacks. If you currently do not have a crystal-clear view of the third-party components in your product, a cyber attack may well hit you through your supply chain.

This session can be organized independently, but also combines very well with our “Open Source Licensing” workshop.

Target Audience

Everyone in your organization who is involved with the software delivery process.

This presentation is designed for groups ranging from 15 to 25 participants and can be conducted either virtually through a conference call or in-person at your location. The session can be delivered monologue-style as an awareness session for a conference or symposium as well.

Description

In this awareness session, we will discuss some of the most commonly used security-related response headers. HTTP response headers are one of the few mechanisms that servers can use to tell browsers how to prevent, detect and respond to a client-side threat. We’ll discuss straightforward headers, which can be set centrally and identically for all responses, as well as context- and page-dependent headers and where best to set them.

Target Audience

Everyone in your organization who is involved with (or interested in) the technical aspects of the software delivery process.

This presentation is designed for groups ranging from 15 to 25 participants and can be conducted either virtually through a conference call or in-person at your location. The session can be delivered monologue-style as an awareness session for a conference or symposium as well.

Description

APIs are the backbone of data exchange and are increasingly targeted in malicious cyber attacks. This introductory session dives into the top 10 API vulnerabilities as identified by OWASP. We’ll explore each vulnerability, its potential impact, and effective countermeasures to prevent it, including real-world examples.

Target Audience

Everyone in your organization who is involved with (or interested in) the technical aspects of the software delivery process.

This presentation is designed for groups ranging from 15 to 25 participants and can be conducted either virtually through a conference call or in-person at your location. The session can be delivered monologue-style as an awareness session for a conference or symposium as well.

Description

This workshop is intended to give the participant an understanding of the techniques employed by hackers and bug-bounty penetration testers in the real world when attacking HTTP APIs. Via theory and hands-on hacking exercises, you will get a peek into the more practical side of cyber security.

This variant of the workshop is hands-on and requires the participants to install some tooling on their laptops (Java, OWASP ZAP, Firefox, Docker), which may require vetting from your IT department and sufficient permissions to run them. If usage of this software is ultimately not allowed, we would advise choosing the “interactive presentation” version of this workshop.

Target Audience

Everyone in your organization who is involved with (or interested in) the technical aspects of the software delivery process.

Description

What does a developer need to know about the EU privacy legislation? What are the actual requirements stemming from this legislation? During this presentation we will dive into the GDPR and show in what parts there are requirements for developers.

Target Audience

Everyone in your organization who is involved with the software delivery process.

Description

In the face of escalating cyber threats, secure software development is no longer a choice, but a necessity. The Secure Software Development Life Cycle (SSDLC) equips you with the framework needed to weave security into every stage of your software development process. This introductory session explores the transformation from SDLC to SSDLC, integrating crucial security practices into each phase of your software development. From requirements gathering to deployment and maintenance, we’ve got it all covered. You’ll also gain valuable insights from real-world case studies of SSDLC implementation.

This session is an ideal primer for our “Introduction to OWASP SAMM” session.

Target Audience

Everyone in your organization who is involved with the software delivery process.

Description

Building a robust Software Assurance strategy is a complex endeavor. That’s where OWASP’s Software Assurance Maturity Model (SAMM) proves its worth. This session offers a comprehensive exploration of SAMM, breaking down its key components and illustrating how to use it to evaluate and enhance your organization’s software assurance strategy. Through an in-depth exploration of Business Functions, Maturity Levels, and Security Practices, as well as a practical case study, you’ll gain a solid foundation and actionable insights.

Ideally, this session is attended after our one-hour “Introduction into SSDLC” session.

Target Audience

Everyone in your organization who is involved with the software delivery process.

Description

The primary aim of the OWASP Application Security Verification Standard (ASVS) (https://owasp.org/www-project-application-security-verification-standard/) is to normalize the range in coverage and level of rigor available in the market for web application security verification, using a commercially workable open standard. We will learn how to distinguish between the security levels needed for applications, what the resulting requirements are, and how to test these requirements later on.

Target Audience

Everyone in your organization who is involved with the software delivery process.

Description

When creating a new software product, wouldn’t it be nice to know upfront what to take into account to create something secure? Unfortunately, every development framework allows you to configure things in an insecure way, so it is clear that something extra must be done. This is where the concept of “security requirements” comes in. They differ from functional requirements because they often dictate something that SHOULDN’T happen. Security issues are often unintended byproducts of well-intended features, so scrutinizing these is paramount to (re)gaining a good security posture for your organization. In this session we’ll dive into the rules of well-written security requirements and how to test them.

Target Audience

Everyone in your organization who is involved with (or interested in) the technical aspects of the software delivery process.

This presentation is designed for groups ranging from 15 to 25 participants and can be conducted either virtually through a conference call or in-person at your location. The session can be delivered monologue-style as an awareness session for a conference or symposium as well.

Description

This introduction to threat modeling gives the participants a high-level primer on the core concepts of threat modeling. Participants interested in deepening their knowledge of the topic can enrol in our Threat Modeling Practitioner course.

Target Audience

Everyone in your organization who is involved with (or interested in) the technical aspects of threat modeling.

This workshop is designed for groups ranging from 15 to 25 participants and can be conducted either virtually through a conference call or in-person at your location. The session can be delivered monologue-style as an awareness session for a conference or symposium as well.

Description

Anti-phishing and anti-malware training

Description

What is cross-site scripting and how do we prevent it?

Description

Extension to the introductory course

Description

Ticket handling process workshop

Target Audience

Everyone in your organization who is involved with the software delivery process.

Description

Interactive session to answer questions on the best practices and practical application of security test strategies. This includes, but is not limited to, SAST, DAST, SCA, regression testing, and unit vs. integration vs. end-to-end testing.

Target Audience

Everyone in your organization who is involved with (or interested in) the technical aspects of the software delivery process.

Description

Security that is “bolted on” at the end of your project usually leads to expensive fixes and lots of rework. Having security “built in” as requirements without grinding your development speed to a halt is a delicate art that can be taught. In this session you’ll gain a better understanding of preventable security nightmares by approaching your early sprints in a smart way.

Target Audience

Everyone in your organization who is involved with the software delivery process.

Description

For secure transmission of data across an untrusted network, applying transport encryption is an absolute must. Unfortunately, when older protocols are used or allowed, there are still ways for attackers to bypass this protection mechanism and eavesdrop on the conversation. In this workshop we aim to demonstrate how attackers leverage interception techniques to break older versions of the Transport Layer Security (TLS) protocol.

Target Audience

Everyone in your organization who is involved with (or interested in) the technical aspects of the software delivery process.

Description

As pre-production environments are loaded with new versions of your software, you want to make sure that it works with real-life data. Often, this leads to copying and (in the best case) pseudonymizing real data. While this approach comes with a few conveniences, there is often a confidentiality and/or privacy risk involved when the true identity of the data subjects is not properly hidden. Well-executed anonymization/pseudonymization is not easy, and this session aims to underscore the how, what and why of that process. We also explore synthesizing test data sets through the use of Artificial Intelligence to avoid having to use real data altogether.

Target Audience

Everyone in your organization who is involved with the software delivery process.

Description

This half-day awareness session starts with the fundamentals of information security, then highlights some of the largest breaches, before diving into the changing regulatory landscape and discussing what approaches an organization can take to ensure it creates secure products, with a deep dive into the practices of an SSDLC. This session is an excellent follow-up after an initial SAMM roadmap kickoff; it is intended for a mixed technical audience and provides a foundational structure that other trainings can build on.

Target Audience

Everyone in your organization who is involved with the software delivery process.

Description

In this hands-on session, we aim to help you understand the concept of Cross-Site Scripting (XSS) attacks. The anatomy of an XSS attack is relatively straightforward; however, the potential consequences can be devastating, ranging from changing text on a webpage in one person’s browser all the way to an account takeover or the theft of thousands of credit card numbers. With this in mind, we will take a closer look at these attacks using a real-world case study as well as simulating one via QR-code scanning with your mobile phone.

Target Audience

Developers / QA

Description

Overview of SAST/DAST/SCA tools: what they are good at, and what they are not so good at.

Target Audience

Developers / QA

Description

Two-hour awareness session built around the OWASP CI/CD Top 10, showing the ways a CI/CD pipeline can be attacked and defended. It also covers some case studies of real-world CI/CD breaches such as the SolarWinds incident. Intended for a technical audience that has some awareness of how CI/CD pipelines are structured.

Target Audience

Everyone in the organization who is involved with the technical aspects of software delivery automation: development, QA automation, DevOps, release engineering, …

Description

Join us for an in-depth exploration of safeguarding your MS Active Directory domain against a myriad of cyber threats. This session will cover defensive strategies tailored to counter common attack vectors such as password attacks, privilege escalation, and the reconnaissance techniques used by malicious actors. From implementing robust authentication mechanisms to hardening against insider threats, we’ll equip you with practical insights and actionable steps to fortify your Active Directory environment against evolving security threats.

Target Audience

Every IT admin inside the organization.

Description

This interactive training session will challenge developers to look at their mobile applications through the lens of an attacker. We will dig into some vulnerable Android applications with common coding faults. This session can be extended by 2 hours to include a small CTF.

Target Audience

Mobile developers

Description

This session is dedicated to learning how to assess a company’s online presence through the research and discovery of publicly available information.

Description

This session is dedicated to the techniques used by physical intruders to access sensitive on-site information.

Description

This session goes into web application security, specifically focusing on popular attacks that have not (yet) been included in the OWASP Top 10, such as cache confusion and poisoning, race conditions and more.

Target Audience

Web app developers

Description

This session will cover everything related to JWT security.

Target Audience

Web app developers

Description

This training session’s goal is to teach developers the hacker mindset: a very powerful mindset that pushes you to think outside the box and to view applications from a different perspective. This session is highly interactive, with hacking challenges.

Target Audience

Developers

Description

This full-day workshop (2 x 2 hours) teaches a subset of the OWASP Top 10 for APIs and web applications, going more in depth on access control, injection, system configuration and logging/auditing issues in the context of modern, multi-service web applications and APIs. The first two hours are theory, with examples of vulnerabilities and practical coding/architecture patterns and best practices to mitigate them. The second two hours are a guided hacking session using a tool like ZAP or Burp Suite against OWASP crAPI, a modern web application that is deliberately vulnerable to the weaknesses discussed in the theory.

Target Audience

Web app developers, testers, DevOps

Description

With the Cyber Resilience Act going into effect in December 2024, the countdown for compliance with the European Union’s Cyber Resilience Act has officially started.

This training is aimed at everyone in your organization who plays a role in product development. It explains in detail what the Cyber Resilience Act is, goes over its legislative context and core concepts in a fun and accessible way, and helps you make sense of the obligations. Part awareness, part pragmatic advice, it is continually updated with the latest information and developments from the legislative and standardization process. The training is an excellent first step to prepare your organization for the law that will mandate cybersecurity requirements for software and products containing software.

Target Audience

General audience

Description

With the Cyber Resilience Act going into effect in December 2024, the countdown for compliance with the European Union’s Cyber Resilience Act has officially started.

This training is aimed at developers and builds on the “CRA introduction” training. It explains what developers and engineers can do to help an organization build and maintain secure products, breaking down the core CRA obligations into a set of best practices and processes.

Target Audience

Developers, engineers, architects, …

Description

The NIS2 legislation took effect in October 2024 and is causing ripples through the supply chains of several industries. Have you noticed an increase in third-party security assessments yet?

This training is relevant for general audiences but most relevant for managerial roles. It explains in detail what the NIS2 Directive is, goes over its legislative context and core concepts in a fun and accessible way, and helps you make sense of the obligations.

Target Audience

General audience

Description

This session aims to be an insightful exploration of the evolving risks associated with AI in general and specifically with Large Language Models (LLMs) and Generative AI (GenAI) applications. To achieve this, we start off by introducing participants to the basic concepts of cyber risk and “threat modeling” in traditional business application development. We will also briefly point to well-adopted open standards and established organizations whose frameworks we can leverage. After laying this essential groundwork, we will dive into some examples of LLM/GenAI-specific vulnerabilities to raise awareness of the risks that businesses face when haphazardly adopting GenAI-powered technologies. Overall, this session is designed to equip you with the basics to help navigate the challenges of deploying and securing AI systems.

This session can be delivered as a 2-hour, 3-hour or 4-hour variant, where the number of case studies is adjusted to fit the available time slot.

Target Audience

Everyone in the organization who is involved with the design or delivery of GenAI-based systems.

Our experts

Small text on our experts, perhaps some pictures

Interested in attending a Brown Bag session?

Get in touch with us.
