The Open Web Application Security Project (OWASP) Los Angeles Chapter is teaming up with the Orange County, San Diego, SF Bay Area, and the Inland Empire chapters to bring you the FIFTH Annual AppSec California. The event is a one of a kind experience for information security professionals, developers, and QA and testing professionals, as they gather at the beach from around the world to learn and share knowledge and experiences about secure systems and secure development methodologies.

One and Two-day training sessions on various subjects by expert trainers kick off the conference on January 28th. World renown speakers follow on days three and four.

There will be four concurrent tracks throughout the day on both January 30 and 31, addressing a variety of topics to enhance knowledge.

Back To Schedule
Sunday, January 28 • 9:00am - 5:00pm
New OWASP Top 10 - Exploitation and Effective Safeguards [Day 1 of 2]

Sign up or log in to save this to your schedule, view media, leave feedback and see who's attending!

Feedback form is now closed.
Please note: Training Sessions are not included in the Conference price.  Sign up now! Check for availability and pricing on Eventbrite.

Course Abstract:
The OWASP Top 10 is a powerful awareness document for web application security. It represents a broad consensus about the most critical security risks to web applications. Project members include a variety of security experts from around the world who have shared their expertise to produce this list. This course provides web developers deep hands-on knowledge about the OWASP Top 10 most critical web application security risks. 
Participants will first learn the technical details about each vulnerability. Demos, attack examples, threat modeling discussions, code review as well as other methods will be used to describe and discuss each risk.
Participants taking the class will practice security assessment techniques through several hands-on exercises using the free version of Burp Proxy and a safe online hacking environment. We focus on the manual assessment techniques of this popular tool.
The majority of the course will focus on defensive theory. Hacking a web application, as we will find out, is not a difficult task for an experienced web developer armed with the right knowledge. However, defending a web application is difficult and complex work. Mastering web defense is the primary thrust of this course.
Course Objectives:
- Understand how hackers attack web applications in order to better defend them
- Learn how to test your own web application
- Which security safeguards are truly effective (and which ones are not)
- Understand secure coding best practices
Training Outline:
1. OWASP Top 10 web app vulnerabilities:
    A1 - Injection (Command Injection, SQL Injection)
    A2 - Broken Authentication
    A3 - Sensitive Data Exposure
    A4 - XML External Entities (XXE)
    A5 - Broken Access Control
    A6 - Security Misconfiguration
    A7 - Cross-Site Scripting (XSS)
    A8 - Insecure Deserialization
    A9 - Using Components with Known Vulnerabilities
    A10 - Insufficient Logging and Monitoring
2. Password Management
3. Secure Coding Best Practices
4. HTTPS Best Practices
5. Using a Vulnerability Proxy
… and much more!
Hands-on Exercises:
1. Input Validation
2. Cross Site Scripting Filter Bypass
3. Online Password Guessing Attack
4. Account Harvesting
5. Injection Attacks
6. Using a Web Application Vulnerability Proxy
… and much more!
Upon the completion of this training, attendees will know:
- Most critical web application vulnerabilities
- Secure coding best practices
- How to use common security assessment tools
Attendees will be provided with (by trainer):
- The slides in raw PPT format
- Access to the online lab environment during and after class
- “cheat mode” that reveals all answers will be enabled after class
Attendees should bring:
Participants are required to bring a laptop (Windows, Mac or Linux) with at least 4GB of RAM, 30 GB of free disk space and either VMWare Workstation Player (free 30-day trial), VMWare Workstation Pro, VMWare Fusion or Oracle VirtualBox pre-installed. At the beginning of the course, participants will receive a USB thumb drive containing a pre-configured virtual machine.
Prerequisites for attendees:
This course is designed to help intermediate and expert web developers and web architects understand how to secure web applications. Candidates are expected to have basic knowledge of web technologies, but no experience in security is required prior to taking this course. However, security professionals who want to learn more about web security will also benefit from this class.          

avatar for Jim Manico

Jim Manico

Founder, Manicode Security
Jim Manico is the founder of Manicode Security where he trains software developers on secure coding and security engineering. He is also an investor/advisor for BitDiscovery, Nucleus Security, Secure Circle and Signal Sciences. Jim is a frequent speaker on secure software practices... Read More →

Sunday January 28, 2018 9:00am - 5:00pm PST
Terrace Lounge