OWASP July 2021 Virtual AppSec Training Program

This session introduces the different aspects of application security including DAST, SAST, SCA, IAST, RASP, WAF, etc, and explains the value of each, when they should be used, and some of the considerations associated with selecting the correct solution for your business.

1. What's at risk and why AppSec testing is so important
2. Get with the lingo, as we cover key AppSec terms to bring you up to speed
3. What is the OWASP Top 10
4. Review the different types of AppSec (SAST, DAST, IAST, SCA, RASP, WAF).
5. Understand where they fit in the DevOps cycle and their pros and cons so you can make a decision on how you can enhance your security posture for your environment and organisation.

During this training you will learn how to start with OWASP Zed Attack Proxy (ZAP), finding Top 10 vulnerabilities as well as advance web attacks and finally write ZAP scripts to perform an extreme customized attacks. You will also learn how to write your own malicious scripts In OWASP ZAP to run your arbitrary codes and security tests on your target. This training will focus on deep understanding from the beginning about one of the best penetration testing tools “OWASP ZAP” and techniques to perform a fully security assessment and penetration testing.

Python for Network and WebApp Pentesting is a training that will bring to the attendees everything they need in order to be able to craft their own tools to solve automation and computation problems when working with infosec and IT in general. It was designed to deliver a 100% practical experience by going through various tools and techniques made exclusively to achieve this goal. The training was created for information security and IT professionals with basic or intermediate knowledge in computer networks and programming logic. Its main focus is to teach python for offensive security activities, which means that several python techniques will be applied in order to craft tools and build an offensive mindset so the attendees can better understand the most commonly used tactics in this type of activity. Achieving this goal is crucial for everyone who works with IT because it is very important to understand how attacks work if you are on the defense or development side as this will certainly help to better protect their assets and products. The course is divided in two parts, each one with a specific goal: 1. Part 1 will focus on information gathering. The goal is to build some tools that will help us to speed up the process of collecting certain types of information like multiple regex searches and subdomain bruteforcing. 2. In Part 2 we are going to see network tools, such as a HTTPS reverse shell and a basic port scanner. We'll also going to see a Telegram bot that controls a Windows 10 PC remotely. The training will also have a parallel activity which will increase even more its practical hands-on aspect: An online, fully interactive lab which will run for the whole duration of the course. This lab will act as a competition aimed at bringing the attendees knowledge to the limit. They will be challenged with fifty questions from basic to expert levels, ranging from fundaments to more complex infosec tasks, so they can apply everything the course has to teach right away and after the course ends.

If you want to scale your software security program, you absolutely need to have security champions. Security champions are those folks spread throughout each of your teams – engineering, QA, devops, etc – that are both regular team members, and also the local representatives of the security team. They can bring additional security perspectives into the team’s internal workflow, engage with the rest of the team about risk, act as the local point of contact for security issues, and escalate to the security team when needed. It is a great way to scale security efforts beyond your minimal resources, and integrate much better with the product teams. However, if you want your champions to succeed, and to continue to do so over time – you can’t just throw a handful of cybers at them and expect them to know what to do. Unfortunately, many organizations have tried this path, and failed. You need to thoughtfully build a Champions Programme that will encourage, support, and maintain your champions. You need to make clear what you expect from them, and ensure they have all the resources they need to meet these, whether time, budget, or access. For that matter, you need to be able to recruit the right champions in the right place, and empower them to have the massive impact you know they can. This course will teach you how to customize process for creating, initiating, and running an effective Champions Programme, and be able to succeed in doing so.

The course will cover the following topics, combined with some hands on worksheets. Students will apply the lessons to create a process outline they can apply at work, while building out the information they will need. We will have open dialogue to discuss practical issues and challenges students may face (or have already faced). Day 1: - Overview (1 hour) – The course will start with an introduction to security champions and their benefits, as well as what a Champions Programme can look like. We will discuss some challenges, and layout a high level process. We will also discuss the OWASP Security Champions Playbook. - Initiation (1.5 hours) – How to kickstart a programme from nothing, and what you need before getting started – list of team requirements, mapping of needs, executive buy-in, and of course budget and a scope proposal. Students will produce a programme plan. - Role Definition (1.5 hours) – How to set up the actual roles and associate with teams, their responsibilities, tasks, and time demands. These might be adaptable based on different context and requirements. Students will be able to list the attributes they require for the role (or roles). Day 2: - Selection and Recruitment (3/4 hour) – How to locate and recruit champions, including a nomination and selection process, as well as incentivization considerations. Students will outline a recruitment plan. - Knowledge Management (1 hour) – What kind of training plan is needed and how to optimize this, both for onboarding new champions as well as ongoing trainings. We will also discuss how to persist this information and “organizational memory”. Students will specify a starter training plan that can be applied in their context. - Communication Processes (1 hour) – Design process to maximize information sharing and escalation as needed. Students will have an initial process for escalation, and discuss peer-to-peer sharing of information. - Programme Maintenance (1 hour) – Your security champions are effectively a meta-team – and like any team, you’ll need to manage them carefully. We will discuss human interfaces, team management, how to keep up interest and motivation, and how to measure the programme impact. Students will receive tips around team culture, and propose a process to iteratively improve the programme itself. - Summary (15 minutes) – Wrap up and questions. Learning Objectives Upon completion of this training, attendees will know: 1. How to define a Security Champions Programme 2. How to negotiate for the resources to get this started. 3. How to keep the Programme running and continuously show its value.

Overview of Web Penetration Testing Modules
- OWASP Top Ten Web Vulnerabilities
- API Top Ten vulnerabilities
- Technical measures and best practices u HTTP Security Headers
- JSON Web Tokens

The methodology of the course covers more than 75% practical hands-on approach. They will get hands-on knowledge to perform the hacking tasks in ethical ways to improve the security of assets by using various hacking tools.
Attack side: Kali Linux 2020.x, NMAP, Burp / OWASP ZAP, Metasploit Framework (MSF).
Victim side: OWASP Resources i.e. Damn Vulnerable Web Application (DVWA), Tomcat, as virtual machines.

Modules:
• Penetration testing overview
• Various types of web apps footprinting, footprinting tools, and countermeasures
• Ethical hacking methodology
• Web attacks: XSS, SQL Injection, Facebook phishing.
• NoSQL injection, API vulnerabilities, LFI, Brute-Force attacks, CSRF.