Grand Hyatt, Kochi, India
Workshop Registration: 08:30AM to 09:30AM
Workshops:9:30AM to 5:00PM
David Baptiste & Plumerault Francois
Himanshu Kumar Das & Prajal Kulkarni
by David Baptiste & Plumerault Francois
Being able to write programs by ourselves is a good thing. But being able to understand how is written one program, made by someone else, is a better thing. For instance, in the case of a malware, it allows us to understand how this one behaves and how we can potentially counter it. In addition, it helps us to understand how the underlying operating system works, the technology used by software, vulnerabilities inside, who can be the author, etc...
At a time where the technology is day after day increasingly diverse and more and more complex, being able to check how it works and understand internals behind the stage has never been as important.
This is the aim of this workshop: give you back the power to master the technology and stop to be mastered by the technology… From operating system internals to malware’s behavior stepping by security and programming consideration (which could lead to vulnerabilities), here is the agenda of the workshop. If you are curious and you have always believed that mysteries in computer science should not stay mysteries and close source software is far to be enough to protect secrets, this workshop should be made for you.
By the end of workshop, participants will be able to:
The participants will get the following:
There is no real requirement here; basic level in computer science would be enough since we expect that attendees are starting from zero. Nonetheless, in case of doubts:
PHD STUDENT,(C+V)^O LABORATORY,ESIEA
DAVID Baptiste is a PhD student at the (C+V)^O laboratory in ESIEA. His research is mainly focused on malware analysis, security under windows operating system, networks, kernel development and vulnerabilities. Sometimes math, physic or anything cool from that stuff is perfect for him to enhance everyday life. He although likes good food and good vine (we never change), but he is okay if you offer him beers. He has already made several conferences included: iAwacs, Cocon, Ground zero summit, EICAR, ECCWS, Defcon.
Plumerault François is a young engineer student from ESIEA school specialized computer security. His interest is mainly about math and technology of operating system in general. Talking about hacks or tricks to improve or bypass security of systems is always a good moment for him
by Madhu Akula
Developers and Operations teams (DevOps) have moved towards containers and modern technologies. Attackers are catching up with these technologies and finding security flaws in them. In this workshop, we will look at how we can test for security issues and vulnerabilities in Dockerised environments. Throughout the workshop we will learn how we can find security misconfigurations, insecure defaults and container escape techniques to gain access to host operating system (or) clusters. In the workshop, we will look at real world scenarios where attackers compromised containers to gain the access to applications, data and other assets.
By the end of workshop participants will be able to:
The participants will get the following:
Madhu Akula is a security ninja and published author, security and devops researcher with extensive experience in the industry ranging from client facing assignments building scalable and secure infrastructure, to publishing industry leading research to running training sessions for companies and governments alike.
Madhu Akula’s research papers are frequently selected for major security industry conferences including Defcon 24, Blackhat USA 2018, All Day DevOps (2016, 2017), DevSecCon (London, Singapore, Boston), DevOpsDays India, c0c0n, Serverless Summit, ToorCon, DefCamp, SkydogCon, NolaCon and null, etc. Madhu Akula was a keynote speaker for the National Cyber Security conference at Dayananda Sagar College in Feb 2016.
When he’s not working with Appsecco’s clients or speaking at events he’s actively involved in researching vulnerabilities in open source products/platforms such as WordPress, Ntop, Opendocman etc. and is also a contributing bug hunter with Code Vigilant (a project to Secure Open Source Software). His research has identified many vulnerabilities in over 200 organisations including US Department of Homeland Security, Google, Microsoft, Yahoo, Adobe, LinkedIn, Ebay, At&t, Blackberry, Cisco, Barracuda etc. He is also an active member with Bugcrowd, Hackerone, Synack etc.
Madhu Akula has trained over 5000 people in information security for companies and organisations including the Indian Navy and the Ministry of e-services in a leading Gulf state. Madhu Akula has also authored a book titled "Security Automation with Ansible 2" that comes recommended by the creator of Ansible itself.
He is co-author of Security Automation with Ansible2 book published by Packt Publishing in December 2017, which is listed as a resource by the RedHat.
by Ajit Hatti
The aim of the workshop will be to build Solid Understanding of the basic primitives of cryptography and building blocks of PKI. How these different blocks come together and try to provide you end to end security and still there are many ways you can get around and exploit these Implementations.
We will use OpenSSL as our Swiss Army Knife and practically understand how the cryptography, benchmarking, cryptoassessment, back door detection is done. We will see how the balance between security requirements and the performance & compliance is achieved by choosing the right set of primitives.
And One day entirely hands on to attack, bypass or exploit the SSL / TLS implementations in N different ways.
Understanding of basic concept of Information Security
Security Professionals responsible for Testing, Developing, Designing, Auditing critical systems with Cryptographic implementations.
Co-founder of null - Open security community,author of LAMMA and GibberSense
Ajit Hatti is a Co-founder of "null - Open security community", and author of LAMMA and GibberSense, the crypto security assessment tools. Previously worked on secure applications of Cryptography at Symantec Corporation. He has worked as an Engineer and Security Researcher with security companies like IBM-ISS, Bulelane, Zscaler in past. He has previously presented his security research at BlackHat, DEF CON + Crypto Privacy Village, NullCon, Ground Zero Summit & c0c0n.
by Himanshu Kumar Das & Prajal Kulkarni
The 2 day training course outlines defense in depth on Network and Application Layer attacks using Elastic stack. During the 2 day training programme, we would conduct hands-on exercise on simulating, correlating, analyzing and mitigating multiple attacks from Layer 4 - Layer 7. We would also cover various case-studies on day-day security requirements on cloud as well as enterprise networks. The course would end with a CTF exercise to participants on visualizing security facts using Elastic stack.
With growing trend of Big data, companies tend to rely on high cost SIEM solutions. Continuous Security Monitoring/Alerting of medium and big enterprise is a large challenge in hand today. Logs from thousands of endpoints, servers and perimeter devices is difficult to aggregate, analyze and correlate in real time that can enable better security incident response & event handling. Organization usually end up with massive data breaches due to lack of visibility in their network activities across the infrastructure. Our course would expose you to take control of enterprise wide logs, analyze them in real time using the ELK frameworks. During our course, you would learn to scale the Elastic Stack and generate powerful visualization & data modeling using kibana making analysis of data and decision making simple.
The training will also cover simulating real-world attack scenarios, alerts customisation necessary to respond to a real world attacks/anomalies. With growing cloud based offerings it becomes crucial to understand systems for detecting and responding to attacks. With tools like osquery we will show how a scalable solution for system level anomaly detection can be build.
This training is meant for security enthusiast, DevOps, and startups trying to build an in-house solution. This will be a great learning to set-up one's own an affordable Security Analytics Platform.
Over the duration of 2 day workshop, you would get a detailed knowledge on how to build a no cost attack monitoring solution as one stop solution for external as well as internal security both on cloud as well as enterprise network. We will have various classroom exercise to engage participants on real world security use-cases as well as scaling the entire Elastic Stack for large scale networks. Labs will include all necessary tools and configs necessary to run a full functional stack for attack monitoring. The workshop would have a mega challenge at the end of the course on a pre-populated data to get a hands-on experience on production grade Elastic Stack.
Elasticsearch programming Writing Plugins for Logstash Any exercise/demo on a physical network device.
**Note: We do not support Windows XP
Himanshu Kumar Das
Himanshu Kumar Das is a security researcher with expertise on Infrastructure and Payments security. He is passionate about system security and fuzzing. He participates in CTF with team SegFault. He has won Nullcon JailBreak 2012 and had been architect for HackIM CTF since 2012. While away from security, he spends his time playing console and enjoys cooking.
Prajal Kulkarni, is a Security Researcher currently working with FlipKart. He is an active member of Null Security Community for the past 3 Years. His area of interest includes Web,mobile and system security. He writes a security blog at www.prajalkulkarni.com and he is also the lead contributor at project Code Vigilant (https://codevigilant.com/). Code-Vigilant has disclosed over 200+ vulnerabilities in various wordpress plugins and themes. In the past he has disclosed several vulnerabilities in core components of GLPI, BugGenie, Owncloud etc. He has also reported many security vulnerabilities to companies like Adobe, Twitter, Facebook, Google, Mozilla. He has spoken at multiple security conferences and provided trainings at NullCon2015, NullCon2016, NullCon2018, Confidence 2014, Gracehopper 2014 etc.
Bharath Kumar and Subash SN
Manoj Kumar & Ranjith Menon
Arun.S and Karthik Lalan
by Riddhi Shree
If you care about application security, the one tool that you must absolutely be familiar with is an “Interception proxy”. Although there are several interception proxies in existence, depending on the intensity of penetration tests that need to be performed, a penetration tester might choose a simple or an advanced tool with advanced features. Burp Suite is a collection of several simple-yet-powerful tools. It not only works as an 'interception proxy' but also gives users the ability to automate attacks, attack multiple parameters, generate PoCs, statically detect vulnerabilities, perform out of band exploitation, manage sessions across authorization levels, transform data across multiple types, save and export session data between users, and much more! This completely hands-on workshop is meant for web and mobile security testers, penetration testers and security enthusiasts who want to eliminate the grunt work involved in manual analysis of server traffic, and who want to craft customized and effective attacks against web applications to discover high risk security vulnerabilities.
Day-1: Getting Started
Day-2: Tools of the Trade
Anyone who is getting started with Web Application Security Testing and who would want to use Burp Suite powerfully should attend this training. Folks who are seasoned security testers would also benefit from the advanced usage of Burp Suite during the training.
Gain confidence in customizing your Web Application Security Testing approach to suit application-specific pentesting needs, by gaining clarity on the powerful features provided by the Burp Suite tool.
As this is a hands-on training, do not expect a lot of theory
Riddhi Shree is working with Appsecco as Application Security Engineer. She is an active speaker at null Bangalore and has contributed to the application security community by writing multiple security blogs and creating educational videos. She has interest in a variety of areas including (but not limited to) blogging, playing guitar, painting/sketching, playing chess, indulging in adventure sports, and keeping up with technology.
by Bharath Kumar & Subash SN
The training will more or less adhere to the following outline
Bharath is an open source evangelist with a strong passion for information security and building solutions that solve real world problems. Bharath has presented at many security and developer conferences including Bsides Delhi 2017, Bugcrowd LevelUp 2017 & 2018, PyCon India 2013 and FUDCon 2012.
Bharath is an active member and contributor at various security and developer communities including null open security community and Python Malaysia User Group.
His core interest lies in Infrastructure security, Application security, Protocol security and Reconnaissance.
Subash is a Security Engineer at Appsecco. As an avid security enthusiast and a passionate developer, he enjoys developing meaningful solutions to real world security problems. He is currently working on solving security problems at cloud scale and exploring solutions to improve intelligent automation using AI. During his free time, he loves to explore and research on new and upcoming technologies. Introduced to the world of security by null Open Security Community, he is on track to actively contributing back by presenting at various meetups and conferences and has given talks at null Bangalore and the Serverless Summit. He has also contributed to open source security tools such as OWASP Threat Dragon and DVNA. Subash's training on "Automated Defense using Cloud Services for AWS, Azure and GCP" has been selected for Blackhat USA 2018 and Appsec EU 2018.
by Manoj Kumar & Ranjith Menon
Training will be hands on so you need to bring your own laptop to perform different types of attacks on web based applications.
The course covers relevant web application issues to subsequently demonstrate how to design and develop code defenses into an application.
1-Day: Secure Source Code Practices
Module 1: Introduction to Secure Source Code Practices (SSCP)
Module 2: Parameter manipulation attack and Defenses
Module 3: SQL- Injection
Module 4: Cross Site Scripting (XSS)
Module 5: Cryptography
2-Day: Secure Source Code Practices
Module 1: Client Side Attacks and Defenses
Module 2: Broken Authentication and Session Management
Module 3: Error Handling and Logging
Module 4: Code quality
Module 5: Backend storage Information
Module 6: Insecure Direct Object References
Module 7: Cross Site Request Forgery (CSRF)
Module 8: Hands-on practice on vulnerable source code application for attendees
Manoj has more than 5 years of experience in the field of Application Security and Secure coding process and a co-founder of h1hakz. He has Developed many Secure Application Projects using different languages and has Code reviewed a wide range of applications, from embedded systems to web applications including Retail Banking and E-commerce Application.
Ranjith Menon who has more than 7 years of experience. He is an active player on Bug bounty programs and specialized in Web application, Mobile, Cloud and a contributor to the Security Community and co-founder of h1hakz, an open platform for knowledge sharing though webcast series.
Also, he has found many vulnerabilities for many organizations. Apart from hacking, he gets time for fitness from his work schedule.
by Arun.S & Karthik Lalan
Mobile App Exploitation is a unique training which covers security and exploitation on mobile platforms on both Android and iOS. The entire class will be based on intentionally crafted real-world vulnerable Android and iOS apps. The training will take the attendees from the ground level upwards to be able to audit any real world applications on the platforms. This is a 2 days fast paced training with full of hands-on Labs & challenges for both Android and iOS environment.
16 hours of Training in 2 days (8 Hours Daily).hours of Training in 2 days (8 Hours Daily).
Day 1: Android Pentesting
Setting up the Pentesting Environment
Static & Dynamic Analysis
Network Analysis & Data Manipulation
Day 2 : iOS Pentesting
Getting started with iOS Pentesting
Setting up the Pentesting Environment
Reverse Engineering & Binary Analysis
Static & Dynamic Analysis
Analyzing iOS Network Traffic
Arun.S - Senior Security Consultant @ IBM India Pvt.Ltd., with overall 4+ years of expertise in Mobile,WebApp & WebServices Pentesting. He holds various industry recognized certifications such as ECSA, CEH etc.,. He is an active speaker & member @ various Security Communities & Conferences like BSides Delhi ,null/OWASP/G4H & he is a chapter lead for Null Bangalore Security Community.
Security Engineer @ Security Centre of Excellence – Philips Innovation Campus. He is M.Tech. in CS with Specialization in Information & Network Security. He conducts frequent talks and workshops on Android and Info Sec @ several places including Bsides Delhi, OWASP, NullBangalore Chapter, DroidCon-IN. Kartik loves to write technical Blogs in his leisure time – www.nestedif.com.