The Open Web Application Security Project (OWASP) Los Angeles Chapter is teaming up with the Orange County, San Diego, SF Bay Area, and the Inland Empire chapters to bring you the FIFTH Annual AppSec California. The event is a one of a kind experience for information security professionals, developers, and QA and testing professionals, as they gather at the beach from around the world to learn and share knowledge and experiences about secure systems and secure development methodologies.

One and Two-day training sessions on various subjects by expert trainers kick off the conference on January 28th. World renown speakers follow on days three and four.

There will be four concurrent tracks throughout the day on both January 30 and 31, addressing a variety of topics to enhance knowledge.

Sign up or log in to bookmark your favorites and sync them to your phone or calendar.

Training [clear filter]
Sunday, January 28


Advanced Web Hacking and Secure Coding
Please note: Training Sessions are not included in the Conference price.  Sign up now! Check for availability and pricing on Eventbrite.

Tired of alert(‘xss’)? You want to learn advanced web hacking techniques, if you want to go beyond automated scanners and perform manual testing to bypass Filters and Web Application Firewalls (WAF) or you want to defend web applications, then this training is for you. This training covers and goes beyond OWASP TOP 10 and also covers secure coding practices recommended by OWASP.
This hands-on training covers both offensive and defensive approaches to web applications. You’ll learn how to identify vulnerabilities of web applications, how to execute exploit against that vulnerability, how the attacks works, and how to prevent them in the future. This training closes that gap between web application attack and defense. Because as they say - if you want to stop attacker from stealing you data then you must think like one. 
This training starts with the basic web app hacking and then move into more advanced stuff such as bypassing Filters, bypassing Web Application Firewalls(WAF), HTML5 attacks and recent vulnerabilities such as Shellshock, Heartbleed, POODLE, Serialization, SSL Strip etc. You’ll learn how to get shell on the box using web application vulnerabilities as well as how to write secure code so you can avoid that attack. 
This training covers both offensive and defensive approach towards web applications. Firstly training would cover how to use certain attack on web application and then how does this attack happened. So it covers where the developer went wrong and how to write secure code so that the attack would not have happened. It covers various mistakes made by developers and wrote vulnerable code. This training covers how to write secure code in multiple languages such as PHP, Java, C# etc. Lab contains multiple CMS such as Wordpress, Drupal, Joomla and multiple databases such as MySql, SQL Server, MongoDB etc. . Also training contains various client side attacks as well as server side attacks such as XSS, CSRF, SQL Injections etc. 
After this training, attendees will be able to successfully identify and avoid insecure code and test their web applications for vulnerabilities. Attendees will get to know the difference between vulnerable code and secure code. 
This training contains over 50 labs and 30+ challenges which are inspired by real world vulnerabilities and case studies.
Training Outline: 
  • Introduction
  • User Enumeration
  • Bypassing Password Verification 
  • Information Leakage 
  • HTTP Verb Tampering  
  • Injection - iFrame Injection, LDAP Injection, CSS Injection, JSON Injection
  • Cross Site Scripting (XSS) 
  • Cross Site Request Forgery (CSRF)
  • Clickjacking
  • Insecure direct object reference (IDOR) 
  • Open Redirects
  • Server Side Request Forgery (SSRF)
  • Server Side Includes Injection (SSI Injection)
  • JavaScript Validation Bypass
  • SQL Injection
  • JSON Hijacking 
  • Session Management and Cookie Stealing 
  • HTML5 
  • XML 
  • Insecure System Configuration
  • Database Security - MySql, SQL Server etc.
  • Remote Command or OS Command Injection
  • Path traversal 
  • Local File Inclusion (LFI) 
  • Remote File Inclusion (RFI) 
  • Serialization Attacks 
  • HTTP Response Splitting 
  • MongoDB 
  • CMS Attacks and Defenses - Wordpress, Drupal, Joomla
  • Recent Vulnerabilities Case Study - Shellshock, Heartbleed, POODLE, Struts, PHPMailer RCE, SSL Strip attack
  • Logical Flaws
  • Filter Evasion and Bypassing Web Application Firewalls (WAF)
  • OWASP Top 10 Attacks
  • OWASP Secure Coding Practices
  • and more ...
Upon the completion of this training, attendees will:
  • This training brings attendees into a world of web hacking and secure coding
  • Attendees will learn how to identify vulnerabilities of web applications, how to execute exploit against that vulnerability, how the attacks works, and how to prevent them in the future
  • They can test different CMS such as Wordpress, Drupal, Joomla as well as recent vulnerabilities 
  • They can do secure code review as well as write secure code in multiple languages such as PHP, Java, C# etc.
  • Attendees will get to know the common but dangerous coding mistakes done by the developers 
  • They can think like developer as well as penetration tester
Attendees will be provided with:
  • Multiple vulnerable applications
  • Hosted VMs for testing and training labs.
  • Over 50 labs and 30+ challenges to solve
  • Training materials – presentation materials and lab examples
  • Custom tools and scripts 
  • Additional reading materials
Attendee requirements for this training:
  • Modern laptop with wireless networking capabilities and have admin/root access on it. (64-bit Machine)
  • Minimum 4 GB RAM installed
  • At least 60 GB HD Free
  • VMware Workstation / Fusion installed
This course requires following pre-requisites:
  • Web application development skills 
  • Basic knowledge on HTTP, HTML and Scripting
  • Reading and understanding of PHP, Java, C# Server-side Code (Optional)
Who should attend this training?
  • Penetration Testers
  • Security Consultants 
  • Web Developers
  • QA testers
  • Web Application Tester
  • System administrators
  • IT Security professionals with a technical background
  • IT managers
  • System architects 
  • Bug Bounty Hunters

avatar for Vikram Salunke

Vikram Salunke

Information Security Researcher, Consultant and Founder, Vmaskers
Vikram is the Information Security Researcher, Consultant and Founder at Vmaskers. Vmaskers provide network, wireless, web, Android and iOS applications penetration testing services and training for corporates. His main responsibilities are to look after application security, lead... Read More →

Sunday January 28, 2018 9:00am - 5:00pm
Garden Terrace Room


Intro To Web Hacking Using ZAP/Hacking APIs And The MEAN Stack
Please note: Training Sessions are not included in the Conference price.  Sign up now! Check for availability and pricing on Eventbrite.

One Day Session
Presenters: Nicole Becher and Tanya Janca
Introduction to Hacking Web applications, APIs and Web Services with OWASP DevSlop
The OWASP DevSlop team are back!  This full day workshop will have two parts: introduction to application security, and web app scanning with OWASP ZAP in the morning, and manual testing of web services and APIs in the afternoon using Postman.  The DevSlop team will use the first phase of their open source project, a MEAN stack app called, Pixi, for API and Web Service testing and demonstrations, and a Ruby on Rails Application called Cyclone Transfers for the vulnerable web application scanning.  
Both parts of this workshop are appropriate for application developers or security practitioners, even with no prior knowledge of hacking.
The “How to Hack Your Own Apps" workshop will start with a lesson that includes hands on demo of how to find security flaws, how they happen in the first place, and most importantly, how to fix them. If you've written a fast, beautiful application that meets all your requirements but it isn't secure, then it's not the best. This lesson will focus on helping developers find and fix their own security issues.
Once the lesson is over participants will set up their own machines to scan intentionally vulnerable applications, with support from Tanya and Nicole, to ensure everyone is finding security bugs before lunch.
Modern applications often use APIs and other micro services to deliver faster and better products and services. However, there are currently few training grounds for security testing in such areas. In comes DevSlop, OWASP's newest project, a collection of DevOps security disasters made as a vulnerable testing and proving ground for developers and security testers alike. DevSlop's Pixi, the first of many entries to come for this OWASP project, will be demonstrated and presenting for participant's hacking and learning pleasure. Pixi consists of vulnerable web services, and participants will be walked through how to exploit several of it's vulnerabilities so they can learn how to do better when they create their own web services and other types of APIs from now on.
What will be discussed?

  • Web app, API and Web Service Hacking & OWASP Project DevSlop
What will attendees learn from attending this session?

  • How to scan a basic web app and how to hack APIs and web services manually
Items attendees are required to bring with them

  • A laptop with a web proxy and modern web browser (Chrome or FireFox are great). Admin Priv on your machine, and the ability to install software.  If possible, install VirtualBox or VMWare, Docker, GitHub and OWASP Zap on your machine in advance.  If you don’t have them, we will get them for you, don’t worry.  Windows and Mac OS are supported for this workshop, if you you have linux you’ll probably be fine, but we make no guarantees.  

avatar for Nikki Becher

Nikki Becher

Application Security, red teaming, penetration testing, malware analysis and computer forenscics.  OWASP Brooklyn Chapter Leader, OWASP DevSlop Project Leader, Adjunct Instrcutor at NYU, political junkie, marathoner, martial artist and animal lover.  OWASP WASPY 2017 winner!Twitter... Read More →
avatar for Tanya Janca

Tanya Janca

Head Nerd, Security Trainer and Coach, SheHacksPurple.dev
Tanya Janca, also known as ‘SheHacksPurple’, is the founder, security trainer and coach of SheHacksPurple.dev, specializing in software and cloud security. She also consults part time for IANs Research. Her obsession with securing software runs deep, from starting her company... Read More →

Sunday January 28, 2018 9:00am - 5:00pm
Sand and Sea Room
Monday, January 29


So You Want to Run a Secure Service on AWS?
Please note: Training Sessions are not included in the Conference price.  Sign up now! Check for availability and pricing on Eventbrite.

Learn how to secure your AWS environment while building a TOR hidden service.  

Areas within AWS that will be covered:
1. The 3 Layers in AWS
2. Security Constructs in AWS
3. What does an ideal architecture look like
4. How do I build it
5. How do I maintain/monitor it
6. How do I break it

The first part of each topic will bring the students up to speed followed by hands on exercises to put their knowledge to the test.  Each area covered focuses on core resources within AWS that need to be understood in order to successfully secure your AWS cloud environment.  In the end, students will build a multi-account AWS environment with restricted access and network routes and operate a TOR hidden service.

avatar for William Bengtson

William Bengtson

Security, Capital One
Will Bengtson is senior security engineer at Netflix focused on security operations and tooling.  Prior to Netflix, Bengtson led security at a healthcare data analytics startup, consulted across various industries in the private sector, and spent many years in the Department of Defense... Read More →
avatar for Nag Medida

Nag Medida

Cloud Security Engineer, Netflix
Nag Medida is a Senior Security Engineer at Netflix working in the SecOps team, where he loves to spend his time on AWS, building tools and automating stuff with passion for cloud security. Nag's expertise lies in security automation for the cloud in big data world, penetration testing... Read More →

Monday January 29, 2018 8:30am - 4:30pm
Garden Terrace Room