Class Summary: This hands-on, two (2) day class will help students learn how to write hardened ASP.NET-based web services. Day one (1) will start off with the very basics of C# and Visual Studio and slowly progress through a variety of topics as they pertain to web service hardening. On day two (2), students will dive into standard web service security, and end with trainees writing their own secure service for a fictional project. Individuals who meet the requirements and write a working hardened web service are entered into a prize drawing.
Syllabus:
1. Day One (1) – Fundamentals
a. Visual Studio – Quick Rundown
i. IDE Basics
ii. C# Hello World
b. Basics of Object Oriented Programming
c. Useful 3rd Party Libraries
i. JSON.NET (Newtonsoft.Json)
ii. PushSharp
iii. BouncyCastle
d. Basic Web Service writing
i. Bindings
ii. Database design (quick tutorial)
iii. SOAP Services
iv. RESTful Services
e. Basic Service Security
i. Response Encapsulation
ii. Input validation and Sanitizing
iii. XXE, SQLi, and ‘XSS’ mitigation
f. Transport Security
i. SSL
ii. Binding Parameters
g. Message Security
i. Credential Types
ii. Encryption
iii. Certificates
2. Day Two (2) – Intermediate Service Security
a. Replay Attacks
b. Cross Site Request Forgery
c. WS-Security (SOAP Services)
d. Signature Based Security (RESTful Services)
e. Performance and usability vs Security
f. Afternoon Hardened Web Service Development
Experience: This would be the first class I’ve taught on a national scale. I’ve taught people individually on both coding and penetration testing. I served as an adjunct teacher while in High School and in College.
After immensely successful workshops in the Bay Area, Bangalore, AppSecEU 2017 and a record, sold-out workshop at OWASP AppSecUSA 2016 in Washington D.C., we bring to you a new avatar of the Hands-on Security in DevOps workshop, this time with some focused content on Application Security Automation.
Agile and DevOps have revolutionized the way we deliver apps to customers. Software products today demand rapid everything: rapid code changes, rapid deployments and rapid delivery. In addition, you have embraced Agile development methodologies that stress iterative product development and flexibility in changing environments. There is one major problem in this entire chain, and that is Application Security.
While your product may be rapidly delivered to customers, application security still remains a massive bottleneck in your continuous delivery pipeline. Application security is critical because companies lose billions of dollars due to vulnerabilities in their applications. Apart from typical vulnerabilities like SQL Injection and Cross Site Scripting, vulnerabilities in authentication, authorization, business logic and cryptographic implementations are more prevalent and can cause massive damage to a software product company.
This is why you need SecDevOps. You need a practical, repeatable and scalable way to deliver Application Security to your product across the Agile and DevOps lifecycle. In this workshop you will receive powerful hands-on training on how you can implement scalable and effective security for rapid-release applications. The workshop will be a hardcore hands-on workshop covering the following, among other topics:
• Static Application Security Testing - Integrated with Continuous Integration Services
• Rolling out Custom SAST – using Abstract Syntax Trees and Regular Expressions
• Customized Security Automation Scripting Framework with Continuous Integration
• Creating specialized Application Security Testing Scripts to be integrated with existing Test Suites
• Performing Automated, Authenticated and Parameterized Vulnerability Assessments against Web Apps and Web Services by hacking tools like ZAP and w3af
• Automation Scripting for Application Security Vulnerability Scanners – OWASP ZAP Custom Scripts – Active Scanning, HTTPSender, Proxy Scripts, with an introduction to Zest Scripts. MITMproxy Inline Scripting
• An Introduction to Behavior Driven Security Testing
• Parameterized Security Testing for Web Services using the OpenAPI Specification
• Security in Configuration management and Continuous Deployment
• Security Practices and Considerations for Docker Deployments
• Creating Security Configuration Management “Infrastructure as Code” and Validation Scripts – using Ansible
• Practical Threat Modeling in an Agile and DevOps world
This full-fledged hands-on training will familiarize attendees with various Android and iOS application analysis techniques and with bypassing the existing security models on both platforms.
The main objective of this training is to provide a proper guide on how mobile applications can be attacked, to give an overview of how some of the most important security checks for applications are applied, and to build an in-depth understanding of these security checks.
The workshop will also include a CTF challenge designed by the trainer at the end, where the attendees will use the skills learnt during the workshop to solve the challenge.
This training will mainly focus on the following:
> Arm basics and Android native code.
> Reverse engineer Dex code for security analysis.
> Jailbreaking/Rooting of the device and also various techniques to detect Jailbreak/Root.
> Runtime analysis of the apps by active debugging.
> Modifying parts of the code, where a part may be a function or a class. To identify such a modification, we will learn how to find and calculate the checksum of the code. The objective of this section is to learn how to reverse engineer an application, get its executable binaries, modify these binaries accordingly and re-sign the application.
> Runtime modification of code. The objective is to learn how programs can be changed or modified at runtime. We will learn how to perform introspection or override the default behavior of methods at runtime, and then how to identify whether the methods have been changed. For iOS we can make use of tools such as Cycript, snoop-it etc.
> Hooking an application and learning to perform program/code modification.
> By the end of the workshop, CTF challenges written by the trainer and based on the course content will be launched, where the attendees will use the skills learnt in the workshop to solve them. The workshop will begin with a quick overview of the architecture, file system, permissions and security model of both the iOS and Android platforms.
NOTE:
The tools and techniques used in the workshop are all open source, and attendees do not need to purchase any special proprietary tools for analysis after the training. Some of the tools taught in the training will be helpful in analysis and in automating test cases for security testing of mobile apps:
Drozer
Introspy
Apktool
Dex2jar
Cycript
JD-Gui
SSL Trust killer
Open Source Defensive Security Training is an Open Source IT Security laboratory dedicated to professionals who need to close the gaps in their Linux, web application and Open Source security knowledge. Very detailed and up-to-date course content, with a focus on the defensive approach, gives you the best opportunity to build stronger defensive layers inside your network infrastructures and/or Linux-based products. The real-world scenarios delivered in our Open Source Defensive Security hands-on labs provide the practical knowledge you need to expand your Linux security skills.
This is an extremely deep-dive training on Open Source-based infrastructure security, Linux systems and network services hardening. We like details as attackers do, and those details make the difference, from both the offensive and the defensive side. That's how we see it working. Our high-tech workshop has a unique formula: “protection vs attack”. This means that most of the security issues we talk about will be effectively mitigated by the use of a suitable approach, sophisticated software and dedicated secure configuration. We focus on delivering defensive content, but we understand that to be good at defense you also have to be good at offense. That is why we provide a mix of knowledge from both fields using Open Source software. Besides basic Linux skills and TCP/IP knowledge, most of the lab exercises require candidates to have at least a basic understanding of attacker techniques. We strongly believe that only a mix of broad, systematic Defensive and Offensive Security knowledge can guarantee secure solutions. As Sun Tzu said: "Know your enemy and know yourself and you can fight a hundred battles without disaster."
The workshop has prepared the following examples of laboratory scenarios:
● Web Application Security vs OWASP Top 10 attack techniques and others
● Grsecurity/PAX/GCC hardening vs Linux kernel and userspace exploitation using vulnerabilities from recent years (PERF_EVENTS, ptrace/sysret, mempodipper, semtex, sendpage, chroot() escape, dirty_cow, others)
● Seccomp/capabilities/namespaces vs exploits
● SELinux vs exploits (Redis Command Execution, Venom, Apache)
● Volatility vs rootkits
● Secure SSH relays and importance of low level privileges rule
● System users accountability, including root
● Linux Domain Controller
● Using sysdig/SystemTAP for detecting deviations in the behavior of daemons and services
● Network packet filtering including TOR, ipsets, IP reputation, port knocking
● Network honeypots vs scanning tools and obstruction of the process of enumeration
● PCAP analysis and Deep Packet Inspection vs malware
● Sandboxing for malware detection and deep analysis (cuckoo, yara) and others
Target:
● Linux administrators & System Architects
● IT Security professionals
● Penetration testers
● IT Security consultants and Open Source specialists
Thanks to this training you will:
● learn techniques to protect your Linux systems against attacks used by modern attackers
● find out how you can protect Linux servers and web applications against real attacks
● learn how to use dozens of solutions and security tools for offensive and defensive scope
● configure several advanced solutions to reduce the chance of a successful attack or minimize the risk of a vulnerability being exploited
True values:
● real life, 100% pure lab-oriented defensive security scenarios
● minimum theory, maximum hands-on
● a lot of accumulated knowledge in one place
● created by enthusiasts and professionals for professionals with enthusiasm
Agenda:
1. Threats are everywhere - introduction to technical Open Source Defensive Security program.
2. Web application security -> hardened Reverse Proxy -> modsecurity vs HTTP security issues:
● Analysis and practical use of exploits for popular web applications: Jenkins, Zimbra, PHPnuke, Joomla, Drupal, PHPmyadmin, OScommerce, Magento, Wordpress, dotProject and others
● Authorization and authentication: CAS SSO, OAuth, SAML (ipsilon), Federation, Basic / Digest Auth, SSL authentication, LDAP authorization, SAML based - mod_auth_mellon, Kerberos based - mod_auth_kerb, Login-form based - mod_intercept_form_submit, Mod_lookup_identity, mod_pubcookie
● HTTPS – how to achieve status A+?:
○ Attacks:
■ Heartbleed
■ Breach
■ Drown
■ Beast
■ Poodle
■ MiTM: sslstrip
○ Mutual SSL
● Security headers: Content Security Policy (CSP), Cross Origin Resource Sharing (CORS) / Same Origin Policy (SOP), X-Frame-Options, X-Content-Type-Options, X-XSS-Protection, Fetch API, Service Workers, Subresource Integrity, Per-page sub-origins, HTTP Strict Transport Security (HSTS), HPKP, PFS
● Cookies: Secure, HttpOnly, Domain, Path, SameSite, Clear Site Data, Feature Policy, First-party cookies
● HTTP header anomalies
● Virtual patching
● Full HTTP auditing
● LUA/OpenResty support
● Sensor approach - OWASP Appsensor
● Web application security using Modsecurity - creating dedicated WAF rules against:
■ *Injections
■ Null bytes
■ Path/directory traversal
■ LFI/RFI->Command Execution
■ Cross Site Scripting (XSS)
■ Cross Site Request Forgery (CSRF)
■ HTTP Parameter Pollution (HPP)
■ Open Redirect
■ Insecure Direct Object Reference vs HMAC
■ Forceful Browsing
■ CSWSH - Cross Site Websocket Hijacking
■ Session Security
■ Brute force
■ Slow DOS
■ GEO restrictions
■ Error handling
■ Leakage detection
■ Secure file upload
■ Secure logout / forgot password form
■ Web honeypots
■ Bot/scan protection
■ AV protection
■ PHP Security
■ Tomcat Security
■ Tools:
● Sqlmap, sqlninja
● Xsser
● Dominator
● Skipfish
● ZAP / Burp
● Wafdetect
● Joomscan, wpscan
● Dirbuster, dirb
● Nikto
● JSDetox
● Brakeman
● And others
3. Hardened Linux vs exploits/rootkits:
● Discretionary Access Control (DAC) vs Mandatory Access Control (MAC)
● Grsecurity / PAX
● SELinux / Multi Category Security / sVirt
● Apparmor, Tomoyo, Smack, RSBAC
● GCC hardening: SSP, NX, PIE, RELRO, ASLR vs attacks
● Linux Containers - Docker/LXC
● LKM-off / YAMA / enforcing
● Linux capabilities vs SUID and others
● System call restriction - seccomp
● Integrity checking - IMA/EVM
● Package mgmt security
● Debuggers and profilers - gdb/strace/ldd/Valgrind/Yara
● Chroot/jail/pivot_root
● Behavioral analysis - systemtap / LTTng / sysdig
● Memory forensics - Volatility vs malware
● PAM / 2FA
● System update vs reboot
● *privchecks
4. Network security:
● Vulnerability scanning:
○ Nmap NSE
○ Seccubus
○ OpenVAS
○ Metasploit
● Linux Domain Controller - IdM/HBAC/SUDO
● SFTP/SCP - Secure SSH Relay
● Restricted shells/commands
● SSH tips and tricks
● Public Key Infrastructure – SSL/TLS
● NFS Security
● Database Security
● DNS Security
● Mail Security
● DOS / scanning / brute-force protection techniques
● Advanced network firewall: iptables/nftables/ebtables
● System honeypots
● Network traffic analysis - wireshark, scapy / tcpdump / tcpreplay
● Suricata / Bro IDS / Snort / SELKS vs known malware and attacks:
○ Metasploit,
○ PtH,
○ Heartbleed,
○ shellshock and others
● Security by obscurity
5. System Auditing, integrating & accounting:
● *syslog
● Auditd
● OSSEC / Samhain / aide
● SIEM: Splunk/ELK/OSSIM/osquery
6. Summary: offense vs defense
Practical DevOps Security and Exploitation is a brand new and unique class by Attify. This class has been created as a result of our many pentest engagement experiences where we have exploited vulnerabilities in the various systems supporting CI/CD during DevOps transition of an organisation. The class covers hands-on techniques to both exploit as well as defend various systems that support the target CI/CD Architecture.
This class takes a practitioner's approach to breaking, exploiting and securing systems owned by DevOps teams, thus enabling them to move towards DevSecOps. Some of the topics that we will cover are exploiting various tools from the CI/CD landscape like Jenkins, Git and multiple cloud instances, practical security issues in Docker instances, and setting up your DevSecOps architecture.
This training covers different CI/CD tools from a pentester's perspective, and hence each tool will be covered as below:
This is an action-packed class with 20+ labs covering a number of attacks, vulnerabilities and exploitation tactics.
Deliverables:
After the training, attendees would be able to:
Minimum Requirements:
Practical Hands-on Internet of Things Hacking is an updated version of our previous year's class run at OWASP AppSec US. We received some great feedback on our class, and decided to take it a step further and redesign the course from the ground up to include tons of new material, including medical utilities, smart locks, smart home systems, newer radio protocols, advanced exploitation techniques, new exercises on BLE and lots more.
Practical Hands-on Internet of Things Exploitation is the course for you in case you would like to perform real-world pentest on IoT and smart devices. This “new version” of the course takes a practitioner approach, focusing on how to deal with the IoT devices in a real-world scenario, and not just from a research perspective.
Some of the things that we will perform (in an extremely hands-on nature) in this training are:
[+] Attacking IoT devices through hardware and embedded exploitation techniques
[+] Firmware reversing, emulation and binary exploitation
[+] Hands-on labs on serial interfaces - UART, SPI and I2C
[+] JTAG debugging, exploitation and advanced techniques for extracting data
[+] Sniffing BLE, Zigbee and other radio communications
[+] Writing own GNURadio processing blocks to decode radio information
[+] Taking over smart home systems
[+] Remote and Local Exploitation for IoT devices
[+] Attacking a smart home and smart enterprise network
And much more.
Want to learn how to attack an IoT infrastructure or individual devices? You will walk out of the 2-day class having learnt new skills which you could immediately apply in your job/research roles. Come join the course and experience the fast-paced, action-packed IoT Exploitation class.
Note: There is an additional $200 fee for the IoT hacking kit, which includes Attify Badges, a custom vulnerable IoT device prepared by us, an author-signed copy of the IoT Hackers Handbook, and additional utilities for other IoT exploitation techniques.
Toreon proposes a 2 day, trainer-led, on-site, Threat Modeling course. The training material and hands-on workshops with real live Use Cases are provided by Toreon. The students will be challenged to perform practical threat modeling in groups of 3 to 4 people covering the different stages of threat modeling on:
• A hotel booking web and mobile application, sharing the same REST backend
• An Internet of Things (IoT) deployment with an on premise gateway and secure update service
• An HR services OAuth scenario for mobile and web applications
This edition also introduces a new section on privacy threats and privacy by design, including a hands-on privacy impact assessment of a face recognition system in an airport. Each student will receive a hard copy of the book Threat Modeling: Designing for Security by Adam Shostack (2014, Wiley).
This training was delivered successfully at OWASP Europe 2016 and has been selected for OWASP Europe 2017 and Blackhat USA 2017. More details and the outline of the training are available in the attached syllabus.