Hands on DevSecOps and AppSec Automation Training - Appsec Australia, Melbourne

When: October 15 & 16, 2018

What: Two full days of intensive, hands-on learning to best enable you to incorporate robust and resilient application security practices within a continuous delivery pipeline. 

Course Abstract:

Scalable and comprehensive application security is an essential requirement for any product, especially within mature software delivery environments utilising DevOps practices and principles allowing you to move faster. However, incorporating robust and resilient application security practices within a continuous delivery pipeline can be challenging.

To compound these challenges, application security and engineering teams grapple with a host of capacity issues. From a more reactive model, where security assurance was done periodically, and in bursts, we now have to embed application security practices throughout an organization’s product development life cycle. This has resulted in teams being stretched in multiple directions, and unable to cope with the ever increasing demands. While your product may be delivered to your customers faster, application security still remains difficult to integrate within your continuous delivery environment.

What attendees will learn:

This training addresses these challenges and more, and is focused on enabling and delivering application security at scale to organizations. This is a largely hands-on program, with a plethora of anecdotes, examples and real-world case studies. This gives the participants a comprehensive view of implementing practical DevSecOps and application security automation practices within their organizations.


Where: AppSec Australia, Melbourne. Learn more here

Unique ways to Hack into a Python Web Service - DJANGOCON 2018, San Diego

When: October 17, 2018

What: Informative talk that aims to provide a holistic perspective on finding and fixing some uncommon flaws in Python Web Apps.

Key Takeaways:

  • Enhance your application security beyond the token protection provided by middlewares against common vulnerabilities like CSRF, SQL Injection, and XSS.
  • Learn about widely prevalent yet lesser-known vulnerabilities like Insecure Deserialization, XML External Entities, Server-Side Template Injection and Authorization Flaws.
  • Learn how to use SAST and DAST techniques (AST and ZAP Custom Scripts) to identify flaws in Python web applications.

Where: DJANGOCON 2018, San Diego. Learn more here

Threat Model-as-Code: A Framework to go from Codified Threat Modeling to Automated Application Security Testing

When: October 22, 2018

What: Talk centred on the importance of Threat Modeling and how best to integrate it into the Software Development Life Cycle (SDLC).

Where: SANS Secure DevOps Summit & Training 2018, Denver. Learn more here

Container Security, Serverless and Orchestration Training - LASCON 2018, Austin

When: October 23 & 24, 2018

What: While containers may be vulnerable to the security threats that plague any typical application deployment, they also face specific threats related to the containerization daemon, the shared kernel and other shared resources like the network and the filesystem. Serverless deployments face risks such as insecure serverless deployment configuration, inadequate function monitoring and logging, broken authentication, function event data injection and insecure application secret storage.

This training has been created with the singular objective of achieving optimal security for containerized and serverless deployments. It is a two-day program that will detail, through specific theory elements and hands-on exercises, ways in which containerized and serverless deployments can be made secure, yet scalable, efficient and effective.

Where: LASCON 2018, Austin. Learn more here.

Threat Modeling-as-Code & Automation for DevSecOps wins

When: October 19, 2018

From the Speaker: Talk Overview

Threat Models, although critical for Product Security Engineering, are often relegated to the status of a Best Practice document that is good to have. I believe that Threat Models are playbooks of Product Security Engineering. The best way to do threat modeling is to integrate it into the Software Development Lifecycle (SDL). They should produce actionable outputs that can be acted upon by various teams within an organization.

To address this divide, I have developed ‘ThreatPlaybook’, an open source ‘Threat Modeling as Code’ framework that allows product teams to capture User Stories, Abuse Stories, Threat Models and Security Test Cases in YAML Files (like Ansible) and with the help of Test Automation Frameworks (in this case, Robot Framework). ‘ThreatPlaybook’ allows product engineering and penetration testing teams to not only capture Threat Models as code, but also trigger specific security test cases.


Where: AppSec Australia, Melbourne. Learn more here

Application Security Essentials Training - AppSec Australia, Melbourne

When: October 17 & 18, 2018

What: Two full days of intensive, hands-on learning to best equip attendees with platform and technology agnostic remediation strategies against application security vulnerabilities.

Course Abstract:

The course focuses on core application security principles aimed at the engineering community such as developers, architects and quality assurance testers. 

In addition, it will also cover web vulnerabilities within the OWASP Top 10 - 2017, taught using real world case studies, demonstrations and hands on exercises. The modules are designed to drive home the concept of building applications securely, irrespective of the technology or platform.

What attendees will learn:

Attendees will come away with an in-depth understanding not only of the best practices involved in securing software, but also of how to identify security vulnerabilities within code and test for them from an attacker's perspective.


Where: AppSec Australia, Melbourne. Learn more here

Attacking and Defending Containerized Apps and Serverless Tech - Code Blue, Japan

When: October 29 & 30, 2018

Overview:
Containers have changed the way deployments are done. Organizations, large and small, have openly embraced containerization to supplement traditional deployment paradigms like Virtual Machines and Hypervisors. Leading container technologies like Docker have risen in popularity and have been widely used because they have helped package and deploy consistent-state applications.
Serverless, on the other hand, seems to be taking over at a rapid rate with the increased usage of micro-services across organizations. However, security remains a key challenge that both organizations and security practitioners face with containerized and serverless deployments.

Who should take this course:

Attacking and securing applications that leverage containers and serverless technology requires a specific skill set with a deep understanding of their underlying architecture. This course is aimed at Developers, DevOps Engineers, Penetration Testers and Security practitioners who use container or serverless technology as part of their product deployments and want to get a good understanding of how to secure their services and deployments. Training will be extremely hands-on to help understand all there is to attacking and securing containers and serverless applications.


Where: Code Blue, Japan. Learn more here.

Hands-On DevSecOps and AppSec Automation Masterclass - Code Blue, Japan

When: October 29 & 30, 2018

Overview:
Scalable and comprehensive application security is an essential requirement for any product, especially within mature software delivery environments utilising DevOps practices and principles allowing you to move faster. However, incorporating robust and resilient application security practices within a continuous delivery pipeline can be challenging. 

To compound these challenges, application security and engineering teams grapple with a host of capacity issues. From a more reactive model, where security assurance was done periodically, and in bursts, we now have to embed application security practices throughout an organization’s product development life cycle. This has resulted in teams being stretched in multiple directions, and unable to cope with the ever increasing demands. While your product may be delivered to your customers faster, application security still remains difficult to integrate within your continuous delivery environment. 

Who should take this course:
This training addresses these challenges and more, and is focused on enabling and delivering application security at scale to organizations. This is a largely hands-on program, with a plethora of anecdotes, examples and real-world case studies. This gives the participants a comprehensive view of implementing practical DevSecOps and application security automation practices within their organizations. In fact, most of the participants have reported that they were able to use learnings from this training almost immediately.

Where: Code Blue, Japan. Learn more here.

Container Security, Serverless and Orchestron Training - AppSec US 2018

Containers have changed the way we do deployments. Organizations have openly embraced containerization to supplement traditional deployment paradigms like Virtual Machines and Hypervisors. Docker has emerged as the leading container technology used by organizations, large and small, for packaging and deploying consistent-state applications. Serverless, on the other hand, seems to be taking over at a rapid rate with the increased usage of micro-services across organizations.

However, as always, security is a challenge that organizations face with containerized and serverless deployments. While containers may be vulnerable to the security threats that plague any typical application deployment, they also face specific threats related to the containerization daemon, the shared kernel and other shared resources like the network and the file system. Serverless deployments face risks such as insecure serverless deployment configurations, inadequate function monitoring and logging, broken authentication, function event data injection and insecure application secrets storage.

The session will be conducted by Abhay Bhargav, CTO and Nithin Jois, Solutions Engineer at we45.

To know more about the event, click here.

Threat Playbook - Black Hat USA 2018

When Did This Happen: August 8, 2018

What was it about:
The key benefits of ThreatPlaybook are that you can:
* Codify Threat Models for Iterative Threat Modeling
* Use Threat Models and Security Test Cases to launch targeted application security automation that can be used in a CI/CD environment or by pen testers who want to automate several tasks in their "Pentest Pipeline"
* Auto-generate Process Flow Diagrams from Codified Threat Models
* Capture Security Test Cases linked to Threat Modeling
* Generate reports correlating Threat Models to Vulnerabilities, Security Test Cases and so on.

The session was presented by Abhay Bhargav, CTO and Sharath Kumar, Lead Solutions Engineer at we45.
