Trainings

Trainings on 25/11/2022: Schedule

09:00 - 17:00 Sebastien Deleersnyder OWASP SAMM
09:00 - 17:00 Jeroen Beckers OWASP Mobile Application Security (MAS / MASVS / MASTG)
09:00 - 17:00 Brenno de Winter Hurding OpenKAT
09:00 - 17:00 Filip Chyla and Marinus Kuivenhoven Securing DevOps pipelines


Trainings on Friday 25/11/2022:


  • Hurding OpenKAT by Brenno de Winter

    09:00 - 17:00

    Abstract:

    OpenKAT is a monitoring tool and vulnerability scanner created by the Dutch Ministry of Health during the vaccination campaign. New systems and functions were developed at high speed and monitoring was needed.

    OpenKAT combines information from different sources and tools, scans automatically and allows for broad analysis and vulnerability detection. It is a modular framework for automagic monitoring of larger systems.

    OpenKAT is useful if you have a complex or large system and want to know whether there are vulnerabilities and configuration mistakes hiding somewhere. Most security incidents are caused by known vulnerabilities and small errors. OpenKAT finds them before others do.

    In this training you learn the inner workings of OpenKAT and you will make your first 'boefje' and 'bit' to integrate OWASP tools within KAT.


    Bio:

    Brenno de Winter (born 1971) wrote his first software at the age of 5 and has been in IT ever since. From 2001 to 2016 he was an investigative journalist on technology issues and became journalist of the year for hacking the public transportation RFID cards. Since May 2020 he is Chief Security and Privacy Operations at the Dutch Ministry of Health, Welfare and Sport for the program Realisation Digital Support COVID19.


  • Securing DevOps pipelines by Filip Chyla and Marinus Kuivenhoven

    09:00 - 17:00

    Abstract:

    DevOps forces the business and AppSec to start interacting differently with development teams. Many security(-related) processes were never designed for a high-velocity development environment, which leads to ineffective and time-consuming processes. In order to make them add value instead, we need to rethink and redesign these processes in such a way that DevSecOps frees the team from the impactful activities that sit on top of their existing way of working.
    Automating and off-loading security activities allows a development team to focus on adding value. At the same time, through the use of Infrastructure as Code and immutability it is possible to remove human error from common or impactful tasks. This training shows how to integrate security in the development process, platform, product and pipelines.


    Bio:

    Filip has worked in IT for over 15 years, 8 of those years in cybersecurity with a focus on infrastructure and cloud security. He is currently part of Xebia Security, helping customers on their cloud journeys by using security to enable the organization to grow securely and most productively. His specialties are DevSecOps and cloud security. He likes to spend time researching new technologies in the cloud, designing and analysing cloud environments, and finding ways to integrate cloud with existing infrastructure. He is passionate about using the defensive and offensive sides of security to bring additional value to the projects he is involved in. Prior to joining Xebia, Filip worked at FlowTraders as a security engineer, helping with the cloud transformation and working to secure their high-speed trading environments.

    Marinus works as a CTO and head of learning and coaching at Xebia Security. He has 20 years of experience in implementing security in the culture, teams and development life cycles of organizations, as well as in the underlying activities such as security requirements, architectural threat analysis, source code reviews, social engineering, penetration testing, and red teaming.


    Marinus also developed several courses on security and has given them to well over 5000 participants. Lastly, Marinus has helped many organizations to raise their maturity level of security in the most efficient way. Clients include major players in the retail, wholesale, insurance, telecommunication and transport industries as well as the Dutch government.


  • OWASP Mobile Application Security (MAS / MASVS / MASTG) by Jeroen Beckers

    09:00 - 17:00

    Abstract:

    Every day you walk around with a smartphone that contains your most intimate secrets. Or maybe just your boring work emails. In any case, that data needs to be properly protected. The OWASP Mobile Application Security (MAS) project contains the OWASP Mobile Application Security Verification Standard (MASVS) and the OWASP Mobile Application Security Testing Guide (MASTG) which provide practical security controls that can be implemented to develop secure applications.

    In this workshop, participants will come in contact with the basics of mobile application security. Through hands-on exercises, Jeroen will show which mistakes can be made, both at the design and implementation level, that can compromise the security of both the application and the backend server. Although no real prior experience with mobile applications is needed, some basic knowledge on programming is advised. All exercises are performed on the Corellium platform and no physical testing devices are required.


    Bio:

    I am the mobile solution lead at NVISO, where I am responsible for quality delivery, innovation and methodology for all mobile assessments. I am actively involved in the mobile security community, and I try to share my knowledge through open-source tools, blog posts, trainings and presentations. I am the lead author and instructor of the SANS 575 course: Mobile Device Security and Ethical Hacking, and a co-author of the OWASP Mobile Application Security Testing Guide (MSTG) and OWASP Mobile Application Security Verification Standard (MASVS).


  • OWASP SAMM by Sebastien Deleersnyder

    09:00 - 17:00

    Abstract:

    Building security into the software development and management practices of an organisation can be a daunting task. There are many factors that must be considered when charting your path forward, including: company structure, stakeholder priorities, technology stacks, tools and processes, and existing technical debt.

    Implementing software assurance can produce significant benefits for the organisation. However, trying to achieve this without a good framework often yields only marginal and unsustainable improvements. OWASP SAMM (https://owaspsamm.org/) provides exactly the structured, measurable framework that's needed. It enables you to formulate and implement a strategy for software security tailored to your organisation's risk profile.

    This one-day training is organised as a mix of presentations and interactive workshops. Our goal is for participants to get an in-depth view of, and practical feel for, the OWASP SAMM model. The session is organised in three parts:

    • First, we present an overview of the model and review the similarities and differences with other models. The five Business Functions - Governance, Design, Implementation, Verification, and Operations - are explained. We address the various constituent elements (e.g., metrics), review representative usage scenarios for the model, and define an assessment's scope.
    • The majority of our day will be spent reviewing the Security Practices comprising each Business Function, with an emphasis on assessing your organisation's maturity. Each Practice's treatment will include a hands-on segment, providing you an opportunity to apply SAMM to your organisation (or one you have worked for). We will assess representative Activities across all SAMM Practices, discussing our results and concerns in the group. This will give participants a good indication of their organisations’ maturity in software assurance. In the same effort, we will define a target model for your organisation and identify the most important challenges in getting there.
    • The final part of the training will be dedicated to specific questions or challenges that you are facing about secure development in your organisation. In this group discussion, experiences will be shared among participants to address these questions.
    If you've been struggling to launch a secure software initiative in your organisation, this training should provide you with the necessary foundations and ideas to do so.

    SAMM training outline
    • Introductions and Class Overview
    • The "Application Security Problem"
    • Software Development Lifecycle (SDLC) Overview
    • SAMM - Vision, History, Structure
    • SAMM as an Assessment Tool
    • Establishing Assessment Scope
    • Methodology - Assessment and Roadmapping
    • Assessing Governance
      • Strategy & Metrics
      • Policy & Compliance
      • Education & Guidance
    • Assessing Design
      • Threat Assessment
      • Security Requirements
      • Security Architecture
    • Assessing Implementation
      • Secure Build
      • Secure Deployment
      • Defect Management
    • Assessing Verification
      • Architecture Assessment
      • Requirements-driven Testing
      • Security Testing
    • Assessing Operations
      • Incident Management
      • Environment Management
      • Operational Management
    • Setting Improvement Targets
    • OWASP SAMM Tools
      • Assessment Toolkit
      • SAMMwise
      • SAMM Benchmark Project
      • Integration with Other OWASP Projects & Tools
    • SAMM Best Practices
      • Choosing the Right Starting Points
      • Monitoring and Metrics
      • Achieving Security by Default
      • Critical Success Factors
    • Wrap-up
      • Conclusions
      • Looking Forward
      • Getting Involved


    Bio:

    Sebastien (Seba) Deleersnyder is co-founder and CTO of Toreon. He is also COO and head threat modeling trainer at Data Protection Institute. He started the Belgian OWASP chapter and was an OWASP Foundation Board member. With a development background and years of security experience, he has trained countless developers to create more secure software. Leading OWASP projects such as OWASP SAMM, he has genuinely helped make the world a safer place. What is he currently up to? Right now, he is busy adapting application security models to the evolving field of DevOps and is also focused on getting the word out on Threat Modeling to a broader audience.