Welcome to OWASP AppSec 2018 USA. We look forward to seeing you in San Jose, CA.

Atherton
Monday, October 8


2-day training: Mobile Security Testing Guide - Hands on

Course Abstract:

Even though modern mobile operating systems like iOS and Android offer great APIs for secure data storage and communication, those APIs have to be used correctly in order to be effective. Data storage, inter-app communication, proper usage of cryptographic APIs and secure network communication are only some of the aspects that require careful consideration. The OWASP Mobile Security Testing Guide (MSTG) is a comprehensive manual for testing the security of mobile apps. It describes processes and techniques for verifying the requirements listed in the Mobile Application Security Verification Standard (MASVS), and provides a baseline for complete and consistent security tests.

The training is based on the Mobile Security Testing Guide (MSTG) and offers hands-on exercises in the form of different iOS and Android apps. These apps demonstrate bad practices as well as current security best practices for avoiding vulnerabilities and flaws within mobile apps.

The goal of this course is to learn the technical skills needed to execute a penetration test against iOS and Android mobile applications, and to use the Mobile Security Testing Guide (MSTG) as a baseline and comprehensive methodology during mobile security assessments.

Training Syllabus:
- iOS and Android security fundamentals
- Mobile security testing environment setup
- Overview of mobile security vulnerabilities
- Hands-on testing of iOS and Android apps
- Security best practices to mitigate mobile security vulnerabilities
- Alternative iOS app testing without a jailbroken device
- Reverse engineering of iOS and Android apps

Key areas of training:
- Static and dynamic analysis of iOS and Android apps
- Local data storage
- Communication with trusted endpoints
- Authentication and authorization
- Client-side security control bypass
- Advanced dynamic instrumentation use cases

Participants need to fulfil the following prerequisites in order to execute and follow all exercises:

- Laptop (more than 4 GB RAM, 20 GB of free disk space, working Wi-Fi) with administrative access
- Docker
- Latest Android Studio and SDK
- Burp Suite Community Edition (Professional is not needed)
- An iOS device running at least iOS 9.0 (without jailbreak); it must be brought by the participant and will not be provided by the trainer.

Jinkun Ong
Senior Consultant, Vantage Point Security Pte Ltd
Jinkun is a security enthusiast with years of penetration testing experience and has conducted numerous web, mobile, and source code review assessments. He is currently a Senior Consultant for Vantage Point in Singapore. Besides holding a variety of widely recognized professional...

Sven Schleier
Managing Principal, Vantage Point Security Pte Ltd
Sven is an application security expert with over 8 years of hands-on experience in web and mobile penetration testing, network penetration testing and source code review, and is leading the penetration testing team for Vantage Point in Singapore. He is an experienced Security Architect...

Monday October 8, 2018 9:00am - Tuesday October 9, 2018 5:00pm
Tuesday, October 9


1-day training: So You Want to Run a Secure Service on AWS?

Learn how to secure your AWS environment.

Areas within AWS that will be covered:
1. The 3 layers in AWS
2. Security constructs in AWS
3. What does an ideal architecture look like?
4. How do I build it?
5. How do I maintain and monitor it?
6. How do I break it?

Students will have the opportunity to learn about core services and the security concerns with each while chatting with security engineers at Netflix. In the end, students will walk away with a better understanding of AWS and of a multi-account AWS environment.

William Bengtson
Security, Capital One
Will Bengtson is a senior security engineer at Netflix focused on security operations and tooling. Prior to Netflix, Bengtson led security at a healthcare data analytics startup, consulted across various industries in the private sector, and spent many years in the Department of Defense...

Nag Medida
Sr. Security Engineer, Netflix
Nag Medida is a Senior Security Engineer at Netflix working in the SecOps team, where he loves to spend his time on AWS, building tools and automating stuff with a passion for cloud security. Nag's expertise lies in security automation for the cloud in the big data world, penetration...

Tuesday October 9, 2018 9:00am - 5:00pm


2-day training: Container Security, Serverless and Orchestration Training
Containers have changed the way we do deployments. Organizations have openly embraced containerization to supplement traditional deployment paradigms like virtual machines and hypervisors. Docker has emerged as the leading container technology, used by organizations large and small for packaging and deploying consistent-state applications. Serverless, on the other hand, seems to be taking over at a rapid rate with the increased usage of microservices across organizations.

However, as always, security is a challenge that organizations face with containerized and serverless deployments. While containers are vulnerable to the security threats that plague any typical application deployment, they also face specific threats related to the containerization daemon, the shared kernel and other shared resources like the network and the filesystem. Serverless deployments face risks such as insecure serverless deployment configurations, inadequate function monitoring and logging, broken authentication, function event data injection and insecure application secrets storage.

Abhay Bhargav
CEO, we45
Abhay Bhargav is the Founder of we45, a focused Application Security Company. Abhay is a builder and breaker of applications. He is the Chief Architect of "Orchestron", a leading Application Vulnerability Correlation and Orchestration Framework. He has created some pioneering works...

Nithin Jois
Senior Security Solutions Engineer, we45
Nithin Jois is a Solutions Engineer at we45, a focused Application Security company. He has helped build 'Orchestron', a leading Application Vulnerability Correlation and Orchestration Framework. He is experienced in orchestrating containerized deployments securely to production...

Tuesday October 9, 2018 9:00am - Wednesday October 10, 2018 5:00pm
Wednesday, October 10


1-day training: Small Team's guide to Security and Compliance in AWS

Are you the first security hire for a growing startup? Is your company aiming to rapidly ramp up security controls for compliance or in response to customer requests? Do you feel lost in the acronym and regulatory alphabet soup? If the answer to any of these is yes, you may want to join this course. I have been in exactly the same state for the last two years in a high-growth enterprise Wi-Fi startup, hosted primarily in AWS. This period has overlapped with ever-changing new AWS tools aimed at security and product development, as we were bootstrapping our product and experiencing rapid growth in revenue, risk and headcount in the company. This training distills the lessons learned into how a small security team can still be effective in instilling a security culture and building infrastructure that can withstand the ever-changing regulatory landscape. We will be using existing open source tools and systems to help you bring up your enterprise cloud security in the modern cloud era.


Wednesday October 10, 2018 9:00am - 5:00pm