
The Open Web Application Security Project (OWASP) Los Angeles Chapter is teaming up with the Orange County, San Diego, SF Bay Area, and Inland Empire chapters to bring you the FIFTH Annual AppSec California. The event is a one-of-a-kind experience for information security professionals, developers, and QA and testing professionals, who gather at the beach from around the world to learn and share knowledge and experience about secure systems and secure development methodologies.

One- and two-day training sessions on various subjects by expert trainers kick off the conference on January 28th. World-renowned speakers follow on days three and four.

There will be four concurrent tracks throughout the day on both January 30 and 31, addressing a variety of topics to enhance knowledge.


Training
Sunday, January 28
 

9:00am

Extended Web Application Hacking [Day 1 of 2]
Please note: Training Sessions are not included in the Conference price.  Sign up now! Check for availability and pricing on Eventbrite.


Course Abstract:
In this training class, you'll attack a custom Bitcoin exchange with common and even advanced vulnerabilities. This isn't your average web app course! We built the labs around what we are seeing as penetration testers and bug bounty hunters.
Who's This Class For:
- Those who have a little experience or want to get into web penetration testing
- Those who have played with web proxies manipulating traffic and want more
- Those who want to get into bug bounties and make $$$
Real World Web Application Penetration Testing Course:
- Two-day course on real-world web penetration testing and bug hunting
- Recon/Spidering
- Attacking XSS, Polyglots, and Blind XSS
- Cross-Site Request Forgery
- Integer Underflows
- Insecure Direct Object Reference
- Local File Inclusion and Server-Side Request Forgery
- Manual SQL Injection
- Remote Code Execution with Images
- Advanced Attacks: XML eXternal Entities (XXE)
- Advanced Attacks: Deserialization Attacks
- Advanced Attacks: NodeJS vulnerabilities
- Cloud Issues

Speakers

Peter Kim

Director of Vulnerability Research, Blizzard Entertainment
Peter Kim has been in the information security industry for the last 13 years and has been running red teams/penetration testing for the past 9 years. He has worked for multiple utility companies, Fortune 1000 entertainment companies, government agencies, and financial organizations. He...


Sunday January 28, 2018 9:00am - 5:00pm
Club Room

9:00am

New OWASP Top 10 - Exploitation and Effective Safeguards [Day 1 of 2]
Please note: Training Sessions are not included in the Conference price.  Sign up now! Check for availability and pricing on Eventbrite.


Course Abstract:
The OWASP Top 10 is a powerful awareness document for web application security. It represents a broad consensus about the most critical security risks to web applications. Project members include a variety of security experts from around the world who have shared their expertise to produce this list. This course provides web developers deep hands-on knowledge about the OWASP Top 10 most critical web application security risks.
Participants will first learn the technical details of each vulnerability. Demos, attack examples, threat modeling discussions, code review, and other methods will be used to describe and discuss each risk.
Participants will practice security assessment techniques through several hands-on exercises using the free version of Burp Proxy and a safe online hacking environment. We focus on the manual assessment techniques of this popular tool.
The majority of the course will focus on defensive theory. Hacking a web application, as we will find out, is not a difficult task for an experienced web developer armed with the right knowledge. However, defending a web application is difficult and complex work. Mastering web defense is the primary thrust of this course.
Course Objectives:
- Understand how hackers attack web applications in order to better defend them
- Learn how to test your own web application
- Learn which security safeguards are truly effective (and which ones are not)
- Understand secure coding best practices
Training Outline:
1. OWASP Top 10 web app vulnerabilities:
    A1 - Injection (Command Injection, SQL Injection)
    A2 - Broken Authentication
    A3 - Sensitive Data Exposure
    A4 - XML External Entities (XXE)
    A5 - Broken Access Control
    A6 - Security Misconfiguration
    A7 - Cross-Site Scripting (XSS)
    A8 - Insecure Deserialization
    A9 - Using Components with Known Vulnerabilities
    A10 - Insufficient Logging and Monitoring
2. Password Management
3. Secure Coding Best Practices
4. HTTPS Best Practices
5. Using a Vulnerability Proxy
… and much more!
Hands-on Exercises:
1. Input Validation
2. Cross Site Scripting Filter Bypass
3. Online Password Guessing Attack
4. Account Harvesting
5. Injection Attacks
6. Using a Web Application Vulnerability Proxy
… and much more!
Upon the completion of this training, attendees will know:
- Most critical web application vulnerabilities
- Secure coding best practices
- How to use common security assessment tools
Attendees will be provided with (by trainer):
- The slides in raw PPT format
- Access to the online lab environment during and after class
- A “cheat mode” that reveals all answers, enabled after class
Attendees should bring:
Participants are required to bring a laptop (Windows, Mac or Linux) with at least 4 GB of RAM, 30 GB of free disk space and either VMware Workstation Player (free 30-day trial), VMware Workstation Pro, VMware Fusion or Oracle VirtualBox pre-installed. At the beginning of the course, participants will receive a USB thumb drive containing a pre-configured virtual machine.
Prerequisites for attendees:
This course is designed to help intermediate and expert web developers and web architects understand how to secure web applications. Candidates are expected to have basic knowledge of web technologies, but no experience in security is required prior to taking this course. However, security professionals who want to learn more about web security will also benefit from this class.

Speakers

Jim Manico

Founder, Manicode Security
Jim Manico is the founder of Manicode Security, where he trains software developers on secure coding and security engineering. He is also an investor/advisor for KSOC, Nucleus Security, Signal Sciences, Secure Circle and BitDiscovery. Jim is a frequent speaker on secure software practices...


Sunday January 28, 2018 9:00am - 5:00pm
Terrace Lounge
 
Monday, January 29
 

8:30am

Extended Web Application Hacking [Day 2 of 2]
Please note: Training Sessions are not included in the Conference price. Sign up now! Check for availability and pricing on Eventbrite.

Continuation of the two-day course described under Day 1 (Sunday, January 28).

Speakers

Peter Kim

Director of Vulnerability Research, Blizzard Entertainment

Monday January 29, 2018 8:30am - 4:30pm
Club Room

8:30am

New OWASP Top 10 - Exploitation and Effective Safeguards [Day 2 of 2]
Please note: Training Sessions are not included in the Conference price. Sign up now! Check for availability and pricing on Eventbrite.

Continuation of the two-day course described under Day 1 (Sunday, January 28).

Speakers

Jim Manico

Founder, Manicode Security

Monday January 29, 2018 8:30am - 4:30pm
Terrace Lounge