AppSec USA 2017 has ended


1-day training
Wednesday, September 20

9:00am

Advanced SQL Injection Exploitation (1-day)

SQL Injection (SQLi) vulnerabilities are the most common injection flaws found in web applications today, ranking number one in the OWASP Top 10 most critical web application security risks. When an attacker is able to find and exploit such a vulnerability, the end result is often disastrous: a complete database download, an application backdoor, or even remote code execution. Suffice it to say that penetration testers need to find these vulnerabilities before the bad guys do.

But vulnerability scanners and automated exploitation tools like sqlmap can only do so much when it comes to finding and exploiting SQLi vulnerabilities. While they do a good job on regular or error-based SQLi vulnerabilities, their success rate drops drastically when blind SQLi is encountered, especially when time-based attacks are required. And if you need to be quiet on the network, most tools are just insanely noisy…

This course is designed to help penetration testers who have been using these tools to get to the next level, where finding and exploiting SQLi is no longer easy. When only a browser and Notepad are available to you, or when being quiet is critical, you will be glad you know this stuff.

 

1) SQL crash course for hackers

2) Error-based SQL Injection

- Bypassing login (demo)
- UNION exploitation techniques (exercise)

3) Blind SQL Injection

- Splitting and Balancing
- Boolean exploitation techniques (exercise)
- Time-based exploitation techniques (exercise)

4) Using tools

- Exploiting error-based and blind SQLi using sqlmap (exercise)

Speakers

David Caissy

Penetration Tester, Bank of Canada
David Caissy is a web application penetration tester with an in-depth developer and IT security background spanning over 17 years. He has extensive experience in conducting vulnerability assessments and penetration tests as well as providing training globally, amongst numerous other...


Wednesday September 20, 2017 9:00am - 5:00pm
Coronado E

9:00am

AppSec Fundamentals (1 of 1 day)

Application Security Fundamentals is an in-depth, one-day course that teaches the foundational principles of application and product security. This course is aimed at beginners or those new to application security. In-class exercises are included throughout the day to generate interaction and discussion amongst students. The course is modular, and covers application security vocabulary, attacks and attackers, data breaches, business myths, the threat landscape, software supply chain, security culture and mindset, managing security resources, soft skills, secure development lifecycle, privacy, product incident response, and trusted knowledge sources.


Speakers

Chris Romeo

CEO, Security Journey
Chris Romeo is CEO and co-founder of Security Journey, where he creates and deploys security culture influencing training, consults, and speaks. His passion is to bring security culture change to all organizations, large and small, through the creation and design of gamified security...


Wednesday September 20, 2017 9:00am - 5:00pm
Coronado G

9:00am

Defensive Application Security Program (1 of 1 day)

Developing the Defensive Application Security Program:

- Creating your websites and web applications inventory
- Defining proper software security controls by application risk
- Quick tests and quick wins with OWASP ZAP
- Selecting and using proper static analysis tools
- Finding insecure libraries using OWASP Dependency Check
- Virtual patching of legacy applications with ModSecurity
- Applying secure headers automatically
- Detecting malicious behavior with OWASP AppSensor
- Developing and presenting the security dashboard

The intended audience is very broad, from developers to managers and from beginners to advanced users.

The length is one day.

The students will receive the class syllabus and book.

This course is a summarized version of a six-month class taught as 3 courses at our university.

The trainer is a PhD student in Cyber-Security and professor at IFC (Catarinense Federal Institute), an (ISC)2 Certified Secure Software Lifecycle Professional (CSSLP), ISSECO® Certified Professional for Secure Software Engineering (CPSSE), ISO/IEC 27002 Foundation Certified, ISEB/ISTQB Certified Professional and ITIL F. He has worked as a security consultant implementing OWASP best practices for securing software at companies such as DELL, EDS (HP) and Elavon/US Bank. He has published articles at international conferences and presented at OWASP AppSec Latam, FLISOL and RoadSec, among others.



Speakers

Rafael Brinhosa

Professor, Catarinense Federal Institute
Rafael is a PhD student in Cyber-Security and professor at IFC (Catarinense Federal Institute), an (ISC)2 Certified Secure Software Lifecycle Professional (CSSLP), ISSECO® Certified Professional for Secure Software Engineering (CPSSE), ISO/IEC 27002 Foundation Certified, ISEB/ISTQB...


Wednesday September 20, 2017 9:00am - 5:00pm
Coronado F