The Open Web Application Security Project (OWASP) Los Angeles Chapter is teaming up with the Orange County, San Diego, SF Bay Area, and Inland Empire chapters to bring you the FIFTH Annual AppSec California. The event is a one-of-a-kind experience for information security professionals, developers, and QA and testing professionals, as they gather at the beach from around the world to learn and share knowledge and experiences about secure systems and secure development methodologies.

One- and two-day training sessions on various subjects by expert trainers kick off the conference on January 28th. World-renowned speakers follow on days three and four.

There will be four concurrent tracks throughout the day on both January 30 and 31, addressing a variety of topics to enhance knowledge.

Sunday, January 28 • 9:00am - 5:00pm
Intro To Web Hacking Using ZAP/Hacking APIs And The MEAN Stack

Please note: Training Sessions are not included in the Conference price.  Sign up now! Check for availability and pricing on Eventbrite.

One Day Session
Presenters: Nicole Becher and Tanya Janca
Introduction to Hacking Web applications, APIs and Web Services with OWASP DevSlop
The OWASP DevSlop team are back! This full-day workshop will have two parts: an introduction to application security and web app scanning with OWASP ZAP in the morning, and manual testing of web services and APIs in the afternoon using Postman. The DevSlop team will use the first phase of their open source project, a MEAN stack app called Pixi, for API and web service testing and demonstrations, and a Ruby on Rails application called Cyclone Transfers for the vulnerable web application scanning.
Both parts of this workshop are appropriate for application developers or security practitioners, even with no prior knowledge of hacking.
The "How to Hack Your Own Apps" workshop will start with a lesson that includes a hands-on demo of how to find security flaws, how they happen in the first place, and most importantly, how to fix them. If you've written a fast, beautiful application that meets all your requirements but it isn't secure, then it's not the best. This lesson will focus on helping developers find and fix their own security issues.
Once the lesson is over, participants will set up their own machines to scan intentionally vulnerable applications, with support from Tanya and Nicole, to ensure everyone is finding security bugs before lunch.
Modern applications often use APIs and other microservices to deliver faster and better products and services. However, there are currently few training grounds for security testing in such areas. In comes DevSlop, OWASP's newest project, a collection of DevOps security disasters made as a vulnerable testing and proving ground for developers and security testers alike. DevSlop's Pixi, the first of many entries to come for this OWASP project, will be demonstrated and presented for participants' hacking and learning pleasure. Pixi consists of vulnerable web services, and participants will be walked through how to exploit several of its vulnerabilities so they can learn how to do better when they create their own web services and other types of APIs from now on.
What will be discussed?

  • Web app, API and Web Service Hacking & OWASP Project DevSlop
What will attendees learn from attending this session?

  • How to scan a basic web app and how to hack APIs and web services manually
Items attendees are required to bring with them

  • A laptop with a web proxy and modern web browser (Chrome or Firefox are great). Admin privileges on your machine, and the ability to install software. If possible, install VirtualBox or VMware, Docker, GitHub and OWASP ZAP on your machine in advance. If you don't have them, we will get them for you, don't worry. Windows and Mac OS are supported for this workshop; if you have Linux you'll probably be fine, but we make no guarantees.

Nikki Becher

Application Security, red teaming, penetration testing, malware analysis and computer forensics. OWASP Brooklyn Chapter Leader, OWASP DevSlop Project Leader, Adjunct Instructor at NYU, political junkie, marathoner, martial artist and animal lover. OWASP WASPY 2017 winner!

Tanya Janca

CEO and Founder, We Hack Purple
Tanya Janca, also known as SheHacksPurple, is the author of 'Alice and Bob Learn Application Security'. She is also the founder of We Hack Purple, an online learning academy, community and weekly podcast that revolves around creating secure software. Tanya has been coding and...

Sunday January 28, 2018 9:00am - 5:00pm PST
Sand and Sea Room