When: October 15 & 16, 2018

What: Two full days of intensive, hands-on learning to best enable you to incorporate robust and resilient application security practices within a continuous delivery pipeline. 

Course Abstract:

Scalable and comprehensive application security is an essential requirement for any product, especially within mature software delivery environments utilising DevOps practices and principles allowing you to move faster. However, incorporating robust and resilient application security practices within a continuous delivery pipeline can be challenging.

To compound these challenges, application security and engineering teams grapple with a host of capacity issues. From a more reactive model, where security assurance was done periodically, and in bursts, we now have to embed application security practices throughout an organization’s product development life cycle. This has resulted in teams being stretched in multiple directions, and unable to cope with the ever increasing demands. While your product may be delivered to your customers faster, application security still remains difficult to integrate within your continuous delivery environment.

What attendees will learn?

This training addresses these challenges and more, and is focused towards enabling and delivering application security at scale to organizations. This is a largely hands-on program, with a plethora of anecdotes, examples and real-world case studies. This gives the participants a comprehensive view of implementing practical DevSecOps and application security automation practices within their organizations

Where: AppSec Australia, Melbourne. Learn more here

When: October 17, 2018

What: Informative talk that aims to provide a holistic perspective on finding and fixing some uncommon flaws in Python Web Apps.

Key Takeaways:

• Enhance your application security beyond token protection provided by middlewares against common vulnerabilities like CSRF, SQL Injection, and XSS. 
• Learn about widely prevalent yet lesser known vulnerabilities like Insecure Deserialization, XML External Entities, Server-Side Template Injection and Authorization Flaws.
• Learn how to use SAST and DAST techniques (AST and ZAP Custom Scripts) to identify flaws in python web applications. 

Where: DJANGOCON 2018, San Diego. Learn more here

When: October 22, 2018

What: Talk centred on the importance of Threat Modeling and how best to integrate it to the Software Development Life Cycle(SDLC).

Where: SANS Secure DevOps Summit & Training 2018, Denver. Learn more here

When: October 25 & 26, 2018

What: While containers may be vulnerable to security threats that plague any typical application deployments, they face specific security threats related to the containerization daemon, the shared kernel and other shared resources like the network and the filesystem. Serverless deployments face risks such as insecure serverless deployment configuration, inadequate function monitoring and logging. Broken authentication, function event data injection & insecure application secret storage. 

This training has been created with the singular objective of achieving optimal security for containerized and serverless deployments. This training will be a 2 day program that will detail, through specific theory elements and hands-on exercises, ways in which containerized and serverless deployments can be made secure, yet scalable, efficient and effective.

Where: LASCON 2018, Austin. Learn more here.

When: October 19, 2018

From the Speaker : Talk Overview

Threat Models, although critical for Product Security Engineering, is often relegated to the status of a Best Practice document that is good to have. I believe that Threat Models are playbooks of Product Security Engineering. The best way to do threat modeling is to integrate it into the Software Development Lifecycle (SDL). They should produce actionable outputs that can be acted up on by various teams within an organization.

To address this divide, I have developed ‘ThreatPlaybook’, an open source ‘Threat Modeling as Code’ framework that allows product teams to capture User Stories, Abuse Stories, Threat Models and Security Test Cases in YAML Files (like Ansible) and with the help of Test Automation Frameworks (in this case, Robot Framework). ‘ThreatPlaybook’ allows product engineering and penetration testing teams to not only capture Threat Models as code, but also trigger specific security test cases.

Where: AppSec Australia, Melbourne. Learn more here

When: October 17 & 18, 2018

What: Two full days of intensive, hands-on learning to best equip attendees with platform and technology agnostic remediation strategies against application security vulnerabilities.

Course Abstract:

The course focuses on core application security principles aimed at the engineering community such as developers, architects and quality assurance testers. 

In addition, it will also cover web vulnerabilities within the OWASP Top 10 - 2017, taught using real world case studies, demonstrations and hands on exercises. The modules are designed to drive home the concept of building applications securely, irrespective of the technology or platform.

What attendees will learn?

Attendees will come away with an in depth understanding of not only best practices involved in securing software but also knowledge of how to identify within code and test for security vulnerabilities from an attackers perspective.

Where: AppSec Australia, Melbourne. Learn more here

When: October 29 & 30, 2018

Overview:
Containers have changed the way deployments are done. Organizations, large and small have openly embraced containerization to supplement traditional deployment paradigms like Virtual Machines and Hypervisors. Leading container technologies like Docker have risen in popularity and have been widely used because they have helped package and deploy consistent-state applications.
Serverless on the other hand seems to be taking over at a rapid rate with increased usage of micro-services across organizations. However, Security remains a key challenge that both Organizations and security practitioners face with containerized and serverless deployments. 

Who should take this course:

Attacking and Securing Applications leveraging containers and, serverless technology requires specific skill set with a deep understanding of their underlying architecture. This course is aimed at Developers, DevOps Engineers, Penetration Testers and Security practitioners who use container or serverless technology as part of their product deployments and want to get a good understanding on how to secure their services and deployments. Training will be extremely hands-on to help understand all there is to attack and secure containers and serverless applications.

Where: Code Blue, Japan. Learn more here.

When: October 29 & 30, 2018

Overview:
Scalable and comprehensive application security is an essential requirement for any product, especially within mature software delivery environments utilising DevOps practices and principles allowing you to move faster. However, incorporating robust and resilient application security practices within a continuous delivery pipeline can be challenging. 

To compound these challenges, application security and engineering teams grapple with a host of capacity issues. From a more reactive model, where security assurance was done periodically, and in bursts, we now have to embed application security practices throughout an organization’s product development life cycle. This has resulted in teams being stretched in multiple directions, and unable to cope with the ever increasing demands. While your product may be delivered to your customers faster, application security still remains difficult to integrate within your continuous delivery environment. 

Who should take this course:
This training addresses these challenges and more, and is focused towards enabling and delivering application security at scale to organizations. This is a largely hands-on program, with a plethora of anecdotes, examples and real-world case studies. This gives the participants a comprehensive view of implementing practical DevSecOps and application security automation practices within their organizations. In fact, most of the participants have reported that they were able to use learnings from this training almost immediately.

Where: Code Blue, Japan. Learn more here.