1-day training
Wednesday, May 20
 

09:00 CEST

Android App Hacking - Internet Banking Edition

Android App Hacking is a one-day course on Android application security assessment based on the “OWASP Top 10 Mobile Risks”. This hands-on training is designed around a dummy internet banking application that contains vulnerabilities the trainer has observed during his daily application security assessments. The dummy application has features such as adding a beneficiary account, fund transfer, viewing statements, OTP, PIN sign-in, etc., to give attendees a real-world application scenario.

Attendees will get familiar with following topics during the class:

  • Crash course on the Android application permission model and APK file architecture, and setting up the emulator
  • Reversing the APK file package
  • Investigating app permissions through manifest file
  • Understanding, patching and runtime-debugging smali code
  • Importing SSL certificates and bypassing SSL pinning
  • Intercepting traffic and network activity monitoring
  • Exploring local data store
  • Analyzing system logs
  • Understanding components such as content provider, broadcast receiver and activity
  • Classification of vulnerabilities based on “OWASP Top 10 Mobile Risks”
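
The manifest review and component steps above are where a first pass over an APK usually starts. The following is an added example, not course material from this training: it audits the plain-text AndroidManifest.xml that apktool writes after decoding an APK (`apktool d app.apk`), flagging dangerous permissions, debug and backup flags, and components that are exported without an android:permission. SAMPLE_MANIFEST, the DANGEROUS set and the component names are constructed for this example.

```python
"""Audit a decoded AndroidManifest.xml for risky permissions and exported
components, as a first pass over an app under assessment.

Added example for the manifest-review step of the training; not course
material. Expects the plain-text manifest apktool writes, not the binary
XML inside the APK. SAMPLE_MANIFEST and DANGEROUS are constructed here.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
A = "{%s}" % ANDROID_NS          # ElementTree's prefix for android:* attributes

# A subset of dangerous-level permissions worth a second look in a banking app.
DANGEROUS = {
    "android.permission.READ_SMS",
    "android.permission.RECEIVE_SMS",
    "android.permission.READ_CONTACTS",
    "android.permission.READ_EXTERNAL_STORAGE",
    "android.permission.WRITE_EXTERNAL_STORAGE",
    "android.permission.ACCESS_FINE_LOCATION",
    "android.permission.READ_PHONE_STATE",
}
COMPONENTS = ("activity", "service", "receiver", "provider")

# Constructed sample: the decoded manifest of a hypothetical banking app.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.bank">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.WRITE_EXTERNAL_STORAGE"/>
  <application android:debuggable="true" android:allowBackup="true">
    <activity android:name=".LoginActivity">
      <intent-filter>
        <action android:name="android.intent.action.MAIN"/>
        <category android:name="android.intent.category.LAUNCHER"/>
      </intent-filter>
    </activity>
    <activity android:name=".TransferActivity" android:exported="true"/>
    <receiver android:name=".OtpReceiver">
      <intent-filter>
        <action android:name="android.provider.Telephony.SMS_RECEIVED"/>
      </intent-filter>
    </receiver>
    <provider android:name=".StatementProvider"
        android:authorities="com.example.bank.statements"
        android:exported="true"
        android:permission="com.example.bank.READ_STATEMENTS"/>
  </application>
</manifest>
"""


def is_launcher(elem):
    """True for the app's entry activity, which has to be exported anyway."""
    for f in elem.findall("intent-filter"):
        actions = {a.get(A + "name") for a in f.findall("action")}
        cats = {c.get(A + "name") for c in f.findall("category")}
        if "android.intent.action.MAIN" in actions and "android.intent.category.LAUNCHER" in cats:
            return True
    return False


def is_exported(elem):
    """An explicit android:exported wins; otherwise a component with an
    <intent-filter> is implicitly exported. (Providers on old targetSdk
    versions defaulted to exported too; that case is not modelled here.)"""
    explicit = elem.get(A + "exported")
    if explicit is not None:
        return explicit.lower() == "true"
    return elem.find("intent-filter") is not None


def audit_manifest(xml_text):
    """Return (kind, detail) findings: dangerous permissions, risky
    <application> flags, and exported components with no android:permission."""
    root = ET.fromstring(xml_text)
    findings = []
    for perm in root.iter("uses-permission"):
        name = perm.get(A + "name", "")
        if name in DANGEROUS:
            findings.append(("permission", name))
    app = root.find("application")
    if app is None:
        return findings
    if app.get(A + "debuggable", "false").lower() == "true":
        findings.append(("application", "debuggable=true"))   # attachable debugger
    if app.get(A + "allowBackup", "true").lower() == "true":
        findings.append(("application", "allowBackup=true"))  # adb backup can pull app data
    for tag in COMPONENTS:
        for comp in app.iter(tag):
            if tag == "activity" and is_launcher(comp):
                continue
            if is_exported(comp) and comp.get(A + "permission") is None:
                findings.append((tag, comp.get(A + "name", "?")))
    return findings


if __name__ == "__main__":
    for kind, detail in audit_manifest(SAMPLE_MANIFEST):
        print(f"{kind:12} {detail}")
```

On the constructed manifest this reports the two dangerous permissions, the debuggable and allowBackup flags, the explicitly exported TransferActivity and the OtpReceiver that is exported through its intent filter; StatementProvider is exported but protected by a permission, so it is not listed. Each finding is a lead for the later steps (runtime debugging, local data store, log analysis), not a confirmed vulnerability.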

Speakers

Aditya Modha

Aditya Modha is a Senior Security Analyst at Lucideus Tech focused on web and mobile applications security assessment. Prior to joining Lucideus, he was a Principal Security Analyst at Net-Square solutions. He is a computer science graduate and a Microsoft Certified Technology...


Wednesday May 20, 2015 09:00 - 17:00 CEST
D503 Amsterdam RAI

09:00 CEST

Bootstrap and improve your SDLC with OpenSAMM
Building security into the software development and management practices of a company can be a daunting task. There are many elements to the equation: company structure, different stakeholders, technology stacks, tools and processes, and so forth.
Implementing software assurance can have a significant impact on the organisation. Yet trying to achieve this without a good framework will most likely lead to only marginal and unsustainable improvements. OWASP OpenSAMM gives you a structured and measurable framework to do just that.
It enables you to formulate and implement a strategy for software security that is tailored to the risk profile of your organisation.

The goal of this one-day training, conceived as a mix of lecture and workshop, is for participants to gain a more in-depth view of, and a practical feel for, the OpenSAMM model.
The training is set up in three parts.

In the first part, an overview of the OpenSAMM model is presented, and its similarities to and differences from other maturity models are explained.
The different domains (governance, construction, verification, deployment), their activities and relations are explained.
Furthermore, different constituent elements (e.g., metrics) are discussed and the overall usage scenarios of the model are explained.
Next, approx. half a day will be spent on doing an actual OpenSAMM evaluation of your own organisation (or one that you have worked for).
We will go through an evaluation of all the OpenSAMM domains and discuss the results in group. This will give all participants a good indication of the organisation’s maturity with respect to software assurance.
In the same effort, we will define a target model for your organisation and identify the most important challenges in getting there.
The final part of the training will be dedicated to specific questions or challenges that you are facing with respect to secure development in your organisation. In this group discussion, experience between the different participants will be shared to address these questions.

If you haven’t started a secure software initiative in your organisation yet, this training should provide you with the necessary foundations and ideas to do so. Be prepared for a highly effective and applicable treatment of this large domain! And should you be concerned about confidentiality, we adhere to the Chatham House Rule.
After the conference, the OpenSAMM project team comes together for its first OpenSAMM summit in Cambridge.
If you want to contribute to this flagship project, stay and join us at the summit. More details on www.opensamm.org.

Speakers

Bart De Win

Bart De Win has over 15 years of experience in software security. He has an extensive background in the field, including his Ph.D. and research work on methods and techniques for software protection. Since 2009, Bart has been responsible for all application security services...


Wednesday May 20, 2015 09:00 - 17:00 CEST
D502 Amsterdam RAI

09:00 CEST

Building Secure Single Page Applications
Single page web applications with a RESTful backend have profoundly changed the way web applications are developed, and are making their way onto mobile platforms as well. In this course, attendees will gain hands-on experience with the popular AngularJS framework. Throughout the course, we will use a realistic example application to discover the specifics of single page applications, potential security issues and effective countermeasures. Concretely, the course will cover the following topics:


  • Single page application architecture and basic concepts (templating, routing, controllers,…)

  • Authentication and authorization with a stateless RESTful backend

  • Applying well-known security practices in a single page application (XSS, CSRF,…)

  • Communication with third-party APIs and continuously updated information

  • Client-side data storage, offline operations and mobile applications


Attendees are expected to bring a laptop with VirtualBox installed to participate in the lab sessions.
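
The second and third topics above (stateless authentication, and CSRF and XSS in a single page application) meet in how the backend issues and checks credentials. The following is an added example, not course material: an HMAC-signed bearer token that the REST API issues on login and verifies on every request with no server-side session, carried in an Authorization header the SPA sets itself. The key, the claims, the `now` parameter and the header handling are this example's own choices; all values are constructed.

```python
"""Stateless bearer tokens for a RESTful backend behind a single page app.

Added example, not course material: an HMAC-SHA256 signed token issued on
login and verified on every request, with no server-side session store.
Key, claims, the `now` parameter and the header handling are this example's
own choices; sample values are constructed.
"""
import base64
import hashlib
import hmac
import json
import time


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(key: bytes, claims: dict, ttl: int, now: int = None) -> str:
    """Serialise the claims plus issued-at/expiry and sign them with the server key."""
    now = int(time.time()) if now is None else now
    payload = dict(claims, iat=now, exp=now + ttl)
    body = b64url_encode(json.dumps(payload, separators=(",", ":"), sort_keys=True).encode())
    sig = hmac.new(key, body.encode("ascii"), hashlib.sha256).digest()
    return body + "." + b64url_encode(sig)


def verify_token(key: bytes, token: str, now: int = None):
    """Return the claims if signature and expiry check out, otherwise None.

    The signature is checked before the body is parsed, so untrusted JSON is
    never decoded, and the comparison is constant-time so a forger cannot learn
    how many signature bytes were right."""
    now = int(time.time()) if now is None else now
    parts = token.split(".")
    if len(parts) != 2:
        return None
    body, sig = parts
    try:
        expected = hmac.new(key, body.encode("ascii"), hashlib.sha256).digest()
        if not hmac.compare_digest(b64url_decode(sig), expected):
            return None
        claims = json.loads(b64url_decode(body))
    except ValueError:            # malformed base64, non-ASCII or bad JSON
        return None
    if not isinstance(claims, dict) or claims.get("exp", 0) <= now:
        return None
    return claims


def authenticate_request(key: bytes, headers: dict, now: int = None):
    """The SPA puts the token in an Authorization header it sets itself.

    Browsers never attach that header on their own, so a cross-site form post
    (classic CSRF) arrives without credentials. A cookie would be attached
    automatically, which is why this code does not look at Cookie at all."""
    auth = headers.get("Authorization", "")
    if not auth.startswith("Bearer "):
        return None
    return verify_token(key, auth[len("Bearer "):], now)


def authorize(claims, required_role: str) -> bool:
    """Authorization is decided server-side from verified claims, never from
    what the client-side router chose to display."""
    return claims is not None and claims.get("role") == required_role


if __name__ == "__main__":
    key = b"constructed-demo-key-do-not-reuse"
    tok = issue_token(key, {"sub": "alice", "role": "customer"}, ttl=900, now=1_000_000)
    print(tok)
    print(verify_token(key, tok, now=1_000_100))   # claims
    print(verify_token(key, tok, now=1_001_000))   # None: expired
```

The trade-off this design makes is worth stating: because the token is reachable from JavaScript rather than locked in an HttpOnly cookie, an XSS bug in the SPA lets an attacker read it, so the XSS defences covered in the course are what protect the authentication, and a short `ttl` limits the damage of a stolen token.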

Speakers

Philippe De Ryck

Philippe De Ryck is a postdoctoral researcher with the iMinds-DistriNet research group at KU Leuven, Belgium, where he obtained his PhD on client-side web security. He has recently published a book titled Primer on Client-Side Web Security, which focuses on the state of practice...


Wednesday May 20, 2015 09:00 - 17:00 CEST
D504 Amsterdam RAI

09:00 CEST

Checking SSL/TLS in Practice
SSL/TLS as used today has more and more problems, and it is difficult to understand what the root causes of these problems are and how to detect, avoid or finally fix them.
This training gives a brief introduction to SSL: how it works, the known problems in the protocol and in the PKI it relies on, and the known vulnerabilities and potential attacks, together with tools to check for these issues. The main focus is SSL as used in HTTPS; other uses, e.g. SSL for SMTP, are covered only briefly. As a round-up there will be recommendations on how to configure SSL securely.
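
As a concrete counterpart to the "tools to check for these issues" and the configuration recommendations, the following is an added example and not part of the training: it uses Python's ssl module to expand an OpenSSL cipher string into the suites OpenSSL would actually offer, flags the ones the usual hardening advice rules out (RC4, 3DES, MD5, NULL, anonymous and export suites, and anything without forward secrecy), and builds a client context pinned to TLS 1.2 or later. WEAK_MARKERS, LEGACY_CIPHERS and HARDENED_CIPHERS are this example's own choices, and the live `probe` function at the end needs network access and is not exercised here.

```python
"""Check what a TLS configuration actually permits before deploying it.

Added example, not part of the training. Expands an OpenSSL cipher string
the way OpenSSL will and flags suites the hardening recommendations rule
out. WEAK_MARKERS, LEGACY_CIPHERS and HARDENED_CIPHERS are this example's
own choices; probe() is a live check and is not called here.
"""
import socket
import ssl

# Name fragments of suites a hardened HTTPS endpoint should not offer.
WEAK_MARKERS = ("RC4", "DES", "MD5", "NULL", "EXP", "ADH", "AECDH", "PSK", "SRP")

# A permissive string of the kind found in old server configs, and a modern one.
LEGACY_CIPHERS = "ALL:!aNULL"
HARDENED_CIPHERS = "ECDHE+AESGCM:ECDHE+CHACHA20:!aNULL:!eNULL:!MD5:!RC4"
MIN_VERSION = ssl.TLSVersion.TLSv1_2


def allowed_ciphers(cipher_string):
    """Expand an OpenSSL cipher string into the suite names it enables
    (TLS 1.3 suites are always listed; they are not governed by this string)."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.set_ciphers(cipher_string)          # raises ssl.SSLError if nothing matches
    return [c["name"] for c in ctx.get_ciphers()]


def has_forward_secrecy(name):
    """TLS 1.3 suites (TLS_*) always use an ephemeral exchange; a TLS 1.2
    suite has to carry ECDHE or DHE in its name. Static RSA suites such as
    AES128-GCM-SHA256 let a leaked server key decrypt recorded traffic."""
    return name.startswith("TLS_") or "ECDHE" in name or "DHE-" in name


def audit_ciphers(cipher_string):
    """Return {'weak': [...], 'no_pfs': [...]} for the suites a string enables."""
    names = allowed_ciphers(cipher_string)
    return {
        "weak": [n for n in names if any(m in n for m in WEAK_MARKERS)],
        "no_pfs": [n for n in names if not has_forward_secrecy(n)],
    }


def hardened_context():
    """Client context matching the recommendations: TLS 1.2+, strong suites,
    certificate chain and hostname verification left on."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = MIN_VERSION
    ctx.set_ciphers(HARDENED_CIPHERS)
    return ctx


def probe(host, port=443):
    """Live check (needs network): what a server negotiates with the hardened
    context. Returns (protocol, suite) or raises if the handshake fails,
    which itself tells you the server only offers what this context refuses."""
    ctx = hardened_context()
    with socket.create_connection((host, port), timeout=10) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.version(), tls.cipher()[0]


if __name__ == "__main__":
    for label, s in (("legacy", LEGACY_CIPHERS), ("hardened", HARDENED_CIPHERS)):
        print(label, audit_ciphers(s))
```

What the legacy string expands to depends on the OpenSSL build (many distributions already strip RC4 and export suites), which is exactly why the list should be checked on the host that will run it rather than read off a recommendation; the hardened string must come back with empty `weak` and `no_pfs` lists on any build.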

Speakers

Achim Hoffmann

Starting with Linux/network security in the nineties, Achim Hoffmann has been working in web application security for more than 12 years. While working as a web application developer for several years, he started concentrating on web application security as his major subject in...


Wednesday May 20, 2015 09:00 - 17:00 CEST
D501 Amsterdam RAI