Trainings on 29/11/2024: Schedule

Lunch and coffee breaks will be provided for all trainings.

Trainings on Friday 29/11/2024:

• Scaling Threat Modeling - Building and Maintaining Effective Security Pattern Libraries by Georges Bolssens

  09:00 - 17:00
  
  

  Abstract:

  Scaling a threat modeling program is essential for maintaining a strong security posture as organizations grow.

  This workshop will dive into the practical aspects of creating and maintaining security pattern libraries - essential tools for any security team.

  We’ll start with a quick overview of threat modeling fundamentals before moving to hands-on activities. Using well-known frameworks like MITRE ATT&CK and CAPEC, participants will learn how to adapt public security patterns to fit their own organizations' needs.

  We'll also explore using tools like IriusRisk Community Edition to automate threat modeling and ensure consistent application across various security infrastructures.

  By the end of the session, attendees will have the skills to build a foundational security pattern library, with a focus on key areas like data protection, authorization, API security, and logging. This workshop is perfect for security professionals looking to grow their threat modeling programs by building resilient, reusable security patterns that can scale with the evolving needs of their organization.

  
  

  Training requirements:

  • Hardware: A laptop with internet connectivity and a (modern) web browser is required to download course materials and consult the online resources.
  • Wetware: Basic threat modeling knowledge is highly preferred. In order to completely enjoy this advanced training, the instructor invites the registered training participants to follow an introduction training (online, around 4 hours). Details will be provided after registration.
  
  

  Bio:

  Georges Bolssens embarked on his coding journey in the early 1990s and delved into the realm of application security in 2017. With an inherent passion for teaching, Georges is not only a seasoned developer but also an adept communicator.

  His unique talent lies in simplifying intricate subjects through relatable analogies, making him an engaging and effective speaker. Having undertaken numerous consulting assignments among which he can list vulnerability scanning and penetration testing as a "lone wolf", taking on the role of Security Champion in a Medical Device development team and acting as internal Application Security Coordinator at a Big4-consultancy firm. Throughout his career and in all these assignments, Georges has assumed the role of cybersecurity educator for a diverse spectrum of professionals.

  His guidance has illuminated the path for individuals ranging from legal experts to ethical hackers and all those in between.

  In his capacity as an Application- and Product Security Consultant at Toreon, Georges has been instrumental in assisting numerous clients in constructing comprehensive threat models for their digital assets.

  His expertise and commitment led threat-modeling authorities Sebastien Deleersnyder and Steven Wierckx to appointment as a co-instructor for Toreon's distinguished "Advanced Whiteboard Hacking – a.k.a. Hands-on Threat Modeling" course.

  Notably, he taught this course at the esteemed "BlackHat USA" and "OWASP BeNeLux" conferences in 2023 and "Troopers" in Germany in 2024.

  
  

  Follow Georges Bolssens:

  
  
  
  

• Web Security 101 by Martin Knobloch

  09:00 - 13:00
  
  

  Abstract:

  Learn the basics about web security, using OWASP tools, guides and various Kali tools.
  From what is an application risk to exploiting common vulnerabilities, from scoping an assessment to writing a security report.
  
  

  Note that this is a half-day training.
  
  
  
  

  Training requirements:

  A laptop with admin privileges with a virtual instance or guest os running Kali Linux.

  
  

  Bio:

  Martin Knobloch, VP Security Engineering at Valtech, is a long-time security leader with more than 25 years of experience in the field of IT and +15 in Cyber security.

  With a background in software development and architecture, his focus is on software security. Martin is actively involved in OWASP where he is a frequent contributor to various projects and initiatives. Martin is taking part in the organizing of local and global OWASP conferences and served more than 5 years as a member of the Board of Directors, two of them as Chairmen of the board.

  During his career, Martin has been a recognized teacher, guest lecturer at various universities and invited speaker and trainer at local and international software development, testing and security conferences throughout the world.

  
  

  Follow Martin Knobloch:

  
  
  
  

• The SBOM lifestyle - Managing your software in the light of the new regulation by Olle E. Johansson

  09:00 - 13:00
  
  

  Abstract:

  The Software Bill of Materials is at the heart of software quality. It's not only used for license compliance, but also vulnerability management and much more. Many international regulations now point to the SBOM as a critical piece of the puzzle. Attend this training with Olle E. Johansson, active in the CycloneDX project, to get an insight into SBOMs and how they are used in the software quality management process. Olle is an experienced teacher, storyteller and speaker at many conferences. He co-founded SBOMeurope.eu - a european forum for software transparency with SBOMs.
  
  What you'll learn:

  • Introduction to the SBOM, Software bill of materials
  • SBOM and Open Source license compliance
  • CISA SBOM minimal requirements
  • SBOM in the Software Component Verification Standard (OWASP SCVS)
  • Creating the SBOM with scanners
  • The good, the bad and the ugly - where SBOMs fail
  • Vulnerability handling automation with SBOMs
  • SBOM and the EU Cyber Resilience Act
  • Open Source SBOM tools
  Note that this is a half-day training.
  
  
  
  

  Bio:

  Olle E. Johansson is a consultant in the area of realtime communication and in embedded system security. He has been active in Open Source for many years as a developer, evangelist, trainer and speaker in many conferences worldwide. Olle is a member of the OWASP SBOM Forum and the OWASP CycloneDX industry working group. He is currently working on the CycloneDX Transparency Exchange API standard. Olle is currently a project leader for the Swedish DNS TAPIR project that is building Open Source software for analysing DNS resolver logs and finding bad actors.

  
  

  Follow Olle E. Johansson:

  
  
  
  

• Bulletproof APIs - Hands-On API Security Testing by Philippe De Ryck

  09:00 - 17:00
  
  

  Abstract:

  As APIs become a big part of our tech world, making sure they're secure is key.
  The 2023 version of the OWASP API Security top 10 shows us that API security needs our attention. Building secure APIs isn't easy, though.
  It needs developers and architects to really get API security, from the big picture down to the nitty-gritty details.

  This workshop is here to give you the skills you need to make your APIs secure.
  We're going to think like an attacker to test APIs and like a defender to figure out the best ways to protect them. With deep-dive talks, real-world demos, fun quizzes, and hands-on labs, you'll learn how to lock down your APIs.
  
  During this hands-on training, we'll explore:

  • The security model of API-based web applications
  • Recognizing and addressing authorization failures
  • Understanding Broken Object Property Level Authorization (BOPLA)
  • Fixing Broken Object Level Authorization (BOLA)
  • Testing the security of APIs that use JWTs
  • Best practices for making JWTs secure in modern APIs
  • Quizzes and labs to make learning stick
  • Q & A throughout the workshop to clear up any doubts

  This workshop is about more than theory.
  We're all about giving you practical security tips you can use right away as an API developer.

  We dig into the root causes of API threats and how to handle them.
  We don't just skim the surface of problems and solutions - we get into the why's and how's, looking at common fixes, why some fall short, and which ones are currently the best way to go.

  By the end of this workshop, you'll be up-to-speed on the best practices for API security. You'll also leave with a handy list of steps to check and boost the security of your applications.

  
  

  Training requirements:

  To participate in the lab sessions, participants need a computer with a full-featured modern browser installed (preferably Chrome).

  
  

  Bio:

  Philippe De Ryck specializes in making web security accessible to developers and architects, leveraging his Ph.D. from KU Leuven to inform his comprehensive understanding of security challenges.
  As the founder of Pragmatic Web Security, he provides practical security training and consulting services to organizations worldwide.

  His online course platform offers a self-paced approach to learning about security. Philippe also actively helps shape OAuth 2.0 best practices as the co-author of the best practices for browser-based apps specification.

  Philippe is recognized as a Google Developer Expert, acknowledging his contributions to web application and API security.
  He also organizes SecAppDev, an annual week-long application security course in Belgium.

  
  

  Follow Philippe De Ryck: