One Track
Lots of Flavor


Training
Monday, April 15

9:00am

Building Secure API's and Web Applications: Secure Coding with Aloha
Student Requirements: Familiarity with the technical details of building web applications and web services from a software engineering point of view.

Laptop Requirements: Any laptop that can run an updated web browser and "Burp Community Edition".

Description: 
The major cause of webservice and web application insecurity is insecure software development practices. This highly intensive and interactive 2-day course provides essential application security training for web application and webservice developers and architects.

The class is a combination of lecture, security testing demonstration and code review. Students will learn the most common threats against applications. More importantly, students will learn how to code secure web solutions via defense-based code samples.

As part of this course, we will explore the use of third-party security libraries and frameworks to speed up and standardize secure development. We will highlight production-quality, scalable controls from various languages and frameworks. This course will include secure coding information for Java, PHP, Python, JavaScript and .NET programmers, but any software developer building web applications and web services will benefit.

Day 1 of the course will focus on web application basics.

  • Introduction to Application Security
  • Introduction to Security Goals and Threats
  • HTTP Security Basics
  • CORS and HTML5 Considerations
  • XSS Defense
  • Content Security Policy
  • Intro to Angular.JS Security
  • Intro to React.JS Security
  • SQL and other Injection
  • Cross Site Request Forgery
  • File Upload and File IO Security
  • Deserialization Security
  • Input Validation Basics
  • OWASP Top Ten 2017
  • OWASP ASVS

Day 2 of the course will focus on API secure coding, identity, and other advanced topics.

  • Webservice, Microservice and REST Security
  • Authentication and Session Management
  • Access Control Design
  • OAuth Security
  • OpenID Connect Security
  • HTTPS/TLS Best Practices
  • 3rd Party Library Security Management
  • Application Layer Intrusion Detection

We end day 2 with a competitive hacking lab. It's a very fun and informative way to end the course.

Speakers
Jim Manico, Founder, Manicode Security
Jim Manico is the founder of Manicode Security where he trains software developers on secure coding and security engineering. He is also an investor/advisor for KSOC, Nucleus Security, Signal Sciences, Secure Circle and BitDiscovery. Jim is a frequent speaker on secure software practices...


Monday April 15, 2019 9:00am - 5:00pm
Nawiliwili Room

9:00am

Defending Modern DevOps Environments: A Hands-on Approach: Kubernetes and Docker Demystified
Student Requirements: Familiarity with at least one public cloud provider is recommended. Students should also have basic Docker knowledge and experience launching and managing basic cloud instances. Basic command line and scripting skills are highly recommended.

Laptop Requirements: Any laptop with at least 2 GB of free RAM available that can run Docker, Minikube, and VirtualBox.

Description:
The Cloud as we know it is changing. Containers have taken the center stage as the preferred method of developing and deploying software into production. As security practitioners, we must adapt to the latest technologies or be left in the dust.

This technical 2-day course will focus on the ins and outs of building a modern cloud infrastructure capable of taking containers from a developer’s laptop to production, in a secure manner.

The hands-on portion of the course will rely heavily on Kubernetes for the deployment and orchestration of Docker containers. Each student will build a sandbox Kubernetes cluster from scratch using Google Container Engine (GKE) or locally using Minikube.

At the completion of this course, students will have an operational, version-controlled deployment pipeline capable of shipping a container to a Kubernetes cluster while performing a number of automated security checks along the way.

Some of the principles and techniques covered in this course include:
  • DevSecOps Principles
  • Kubernetes and Docker Security Controls
  • Third-Party Security Considerations
  • Identity and Access Management
  • Secure Deployment Pipelines
  • Security Automation
  • Infrastructure as Code
  • Scaling Security Operations
  • Data Security and Encryption
  • Logging, Monitoring, and Alerting

Speakers
Jimmy Mesta, CTO, Manicode Security
Jimmy Mesta is an application security leader who has been involved in Information Security for nearly 10 years. He is the chapter leader of OWASP Santa Barbara and co-organizer of the AppSec California security conference. Jimmy has spent time on both the offense and defense side...


Monday April 15, 2019 9:00am - 5:00pm
Ha'iku Room

Tuesday, April 16


9:00am

Building Secure API's and Web Applications: Secure Coding with Aloha
Second day of the 2-day course; description and speaker (Jim Manico, Founder, Manicode Security) as listed under Monday, April 15.
Tuesday April 16, 2019 9:00am - 5:00pm
Nawiliwili Room

9:00am

Defending Modern DevOps Environments: A Hands-on Approach: Kubernetes and Docker Demystified
Second day of the 2-day course; description and speaker (Jimmy Mesta, CTO, Manicode Security) as listed under Monday, April 15.
Tuesday April 16, 2019 9:00am - 5:00pm
Ha'iku Room

Friday, April 19


1:00pm

Free workshop: Identifying abuse vectors in web applications
Vulnerabilities that put data or finances at risk are any developer's worst nightmare. But abuse vectors that lead to customers being harassed, doxxed, traumatized, or threatened are just as important to a community's experience—and are often neglected.

This workshop will introduce programmers of all skill levels to common ways that web applications can be exploited to harm others and some options for addressing them. We'll look at examples of software from pop culture with abuse vectors and collaborate on possible solutions.

Speakers
Terian Koscik, Software Engineer, GitHub

Friday April 19, 2019 1:00pm - 4:00pm
Kipu Room