August 19-20, 2016
The Raviz Hotel Ashtamudi Resort and Ayurveda Spa, Kollam, INDIA

PRE CONFERENCE WORKSHOPS - 18-Aug-2016


Defensive Programming for JavaEE Web Applications

OBJECTIVE

The Defensive Programming for JEE Web Applications course is structured into modules that focus on defensive programming for JEE applications and includes code analysis and remediation exercises. Additionally, the course is supported by several interactive demonstrations and hands-on lab exercises.

COURSE CONTENT

  • The high-level topics for this course are:
    • Recognizing risks in JEE Web applications
    • Applying defensive programming techniques
    • Configuring JEE Web applications securely
  • After successfully completing this course, students will be able to:
    • Comprehend the overall approach to securing Web applications
    • Appreciate security risks common for JEE Web applications
    • Identify security vulnerabilities in JEE Web applications
    • Apply defensive programming techniques to write secure JEE Web applications

PRE-REQUISITE

Basic knowledge of Java and some security

PARTICIPANTS REQUIREMENTS

  • Laptop to connect to Virtual Machines provided by Cigital

DURATION

1 day

WHO SHOULD ATTEND?

  • Developers and Development Leads
  • Architects
  • QA and Testing Professionals
  • IT Security Personnel
  • Code Auditors

WHAT TO EXPECT

  • The course provides many code examples and hands-on experience.

WHAT NOT TO EXPECT

  • The course doesn’t cover all of Java EE, only the aspects of application security that matter for writing Java EE applications defensively.

DDoS Attacks: get familiar with attack types from attackers’ and defenders’ perspectives

OBJECTIVE

To provide better knowledge of DDoS attacks and protection against them, and to learn about a variety of different attack types and what they actually look like.

COURSE CONTENT

  • The course is divided into 2 parts:
    • Theoretical – An introduction to DDoS attacks: the different attack types, how they are carried out, why, and by whom, followed by a brief summary of the options for deflecting or mitigating such attacks from an organization’s point of view.
    • Practical – Live demos of what different DDoS attacks look like, starting from the moment a new botnet is born, up until the actual attacks. We show what a variety of live attacks look like (from different perspectives – the defender, the attacker, the bots), and how they show up on the different controls that the IT of the attacked organization has.
  • We then show different mitigation techniques used against the attack, and what effect they have on it.

PRE-REQUISITE

Basic networking knowledge. I will tune the material to the participants’ knowledge level.

PARTICIPANTS REQUIREMENTS

  • This will be a bit interactive, but there are no special requirements from the participants.

DURATION

1 day

WHO SHOULD ATTEND?

  • Anyone who wants to expand their knowledge about DDoS attacks, but it will be most useful for “defenders” – CISOs, IT, IS, NOC, etc.

WHAT TO EXPECT

  • To understand much more about DDoS attacks by the end of the workshop

WHAT NOT TO EXPECT

  • To be shutting down google.com in the live demo :)

Xtreme Web Hacking Express

WORKSHOP ABSTRACT

Xtreme Web Hacking Express is a one-day intensive web hacking workshop. The workshop will be conducted in the style of Capture The Flag (CTF) challenges, where the participants will need to accomplish certain objectives in a limited amount of time. This gives participants an opportunity to practice for real world penetration tests by accomplishing pre-defined objectives in a time bound scenario.

While there is clear merit in covering the underlying concepts, sometimes we just need to see the hack succeed. So this training will cover only what is required to get to our objectives.

COURSE CONTENT

The course contains multiple challenges spread across levels of increasing difficulty. Each level provides access to the next. Although the levels themselves cannot be described here (that would take away all the fun), at a bare minimum the following techniques will be covered during the course of the CTF:

  • Blind SQL Injection vulnerabilities
  • Brute forcing web applications
  • SSRF/XSPA attacks
  • Serialization bugs
  • Insecure Direct Object Reference
  • Remote File Inclusion vulnerabilities
  • Filter bypasses for XSS vulnerabilities
  • Web Application shells
  • Pivoting to access unreachable applications
  • Exploit chaining to get system access

SKILL AND KNOWLEDGE REQUIRED

  • You should be a web application penetration tester, as this is not a beginner-level course at all
  • Familiarity with the command line on Windows and Linux
  • Knowledge of JavaScript and at least one scripting language such as Python, PHP or Ruby

DURATION

1 day

WHAT TO EXPECT

  • Hands-on practice with web application hacking techniques and tools.
  • Learning through a combination of real-world scenarios and simulated attacks, guided by the trainers.
  • Writing simple scripts to automate your attacks against applications.

WHAT NOT TO EXPECT

  • A lot of hand-holding on the basic concepts already listed under the required skills and knowledge.
  • A lot of theory. This is meant to be a completely hands-on training!
  • To become an accomplished hacker in a day.

Blockchains, Innovations Disruption

OBJECTIVE

This workshop on blockchains provides structured insight into the blockchain ecosystem. It covers the working of core blockchain technologies as well as advanced concepts such as smart contracts and chaincode, and touches on certain critical use cases for blockchains.

COURSE CONTENT

  • Brief history of blockchains
  • Working of blockchains
  • Different types of blockchain
  • Different implementations of blockchains
  • Practical hands-on with Ethereum, Hyperledger and Eris
  • Smart contract programming and chaincode programming
  • Impact of blockchains
  • Introduction to P2P technologies
  • Challenges for blockchains

PRE-REQUISITE

  • Basic accounting, cryptography, networking, Go (Golang) and Node.js
  • An open mind

PARTICIPANTS REQUIREMENTS

  • Linux box (Ubuntu preferred)
  • Node.js

DURATION

1 day (8 hours)

WHAT TO EXPECT

  • Understanding the concept of blockchains
  • Practical hands-on with Ethereum, Hyperledger, Eris, etc.

WHAT NOT TO EXPECT

  • Mastering blockchains in a day’s time.

WHO SHOULD ATTEND

  • Architects
  • Block-chain enthusiasts

Advanced Cryptography Course for Pen-testing & Auditing Huge Infrastructures

PRE-REQUISITE

Experience of web/mobile/network penetration testing, vulnerability assessment and auditing is a must. This course assumes that you have a good working knowledge of cryptography.

OBJECTIVE

The aim of the course is to help VA/PT professionals assess flaws in crypto implementations at huge scale and on a regular basis.

We will be using open source tools and the LAMMA framework to conduct an all-round assessment of cryptosystems. Attendees will also learn how to write custom scripts that work with OpenSSL, Java, NSS and the Windows cryptography framework, and automate their routine tasks.

PARTICIPANTS REQUIREMENTS

  • Linux on a VM (Kali preferable)
  • Python interpreter
  • Crypto framework of your choice: OpenSSL / Java keytool / NSS etc.

DURATION

1 day (8 hours)

COURSE CONTENT

  • Hour 1, 2: Intro, Intro & Intro (60 mins)
    • Introduction to the various components of a complete cryptographic system
    • Introduction to basic cryptographic primitives/schemes, their flaws and potential backdooring techniques
      • Random numbers: pseudo and real, and their generators
      • Hashing, HMAC/MAC
      • Public key cryptography (RSA)
      • Key exchange
      • Encryption schemes
      • How they work together to provide different security properties (privacy, integrity, authentication, confidentiality, anonymity, attribution, etc.) and, if possible, how these properties differ from each other
    • Capturing packets and analyzing the SSL handshake to understand:
      • Cipher suites
      • Clock sync
      • Key exchange mechanism / DH parameters
      • Certificate verification
      • Integrity and authentication checks
      • Session ID, Change Cipher Spec
    • Questions
  • Hour 3, 4: Testing System Components (45 mins)
    • Testing hardware security modules
      • Pseudo/true random number generators
      • Testing the quality of randomness
      • De-biasing techniques
      • Backdoors and their detection
    • OS modules
      • Time service and its effects
      • NTP attacks
      • Entropy systems, their application, and backdoors
      • Crypto and application libraries
      • Trusting the source; FIPS canister (validated modules)
      • Source code scanning for usage of weak and backdoored primitives (MD5, Dual_EC_DRBG, etc.)
    • The stores
      • Locating the various cert stores
      • Locating the key stores on client and server machines
      • Other interesting stores such as CRLs, the HSTS list, etc.
      • Finding malicious certificates
    • Questions
  • Hour 5, 6: Network-Based Attacks on SSL/TLS (90 mins)
    • Direct attacks
      • HEARTBLEED
      • DROWN
    • MITM attacks
      • SSL Sniff/Strip
    • Downgrade attacks
      • LOGJAM
      • FREAK
      • HTTP redirection to steal cookies
    • Passive attacks
      • Capture today, decrypt tomorrow (NSA style)
      • Perfect forward secrecy and how it is broken
    • Questions
  • Hour 7, 8: Auditing Trust Stores: Cert and Key Stores (45 mins)
    • Understanding digital certificates, types of validation and their limitations
    • Polluting the certificate store of the browser, Secure Boot, OS and applications
    • Searching for insecure keys and network hopping (as in the Mask APT)
    • Exploiting SCEP implementations over Active Directory Certificate Services (ADCS)
    • Questions
  • Wrap-up, conclusion and feedback

WHAT NOT TO EXPECT

  • This course will not cover:
    • Theory and basics of cryptography
    • Cryptanalysis techniques for currently used cipher suites
    • Basics of VA/PT
