Grand Hyatt, Kochi, India
Workshop Registration: 08:30AM to 09:30AM
Workshops: 9:30AM to 5:00PM
by Sneha Rajguru & Prajwal Panchmahalkar
ARM architecture-based systems are on the rise and are found in almost every hand-held or embedded device. The increasing popularity and growth of the Internet of Things (IoT) have driven widespread use of the ARM architecture. As with anything that grows in popularity and usage, this brings new security challenges and attacks. This workshop aims to provide an introduction to ARM architecture and assembly and to explore intermediate-level exploitation techniques on ARM, along with hands-on examples and challenges.
This session is aimed at security professionals and personnel who possess general security knowledge and wish to enter the field of ARM exploitation.
The attendees will walk away with basic knowledge and skills of ARM Architecture, Assembly, and Exploitation techniques.
The workshop will give attendees a base on which to develop exploit research expertise on ARM-based platforms.
Anyone who wants to learn ARM reverse engineering.
Sr. Security Consultant, Payatu Software Labs LLP, India
Her interests lie in web and mobile application security and fuzzing. She has discovered various security flaws in open source applications such as PDFLite, Jobberbase, Lucidchart and more. She has spoken and provided trainings at conferences such as DEFCON, BSides LV, BSidesVienna, OWASP AppSec USA, DeepSec, DefCamp, FUDCon, and Nullcon. Sneha is passionate about promoting and encouraging Women in Security and has founded an initiative called WINJA-CTF through which she hosts women-only CTFs and workshops at conferences and other events. Sneha is also active in the local security community and hosts local security meetups in Pune. She leads the Pune chapter of the null community.
Lead Security Engineer, VMware
Prajwal Panchmahalkar is a lead security engineer at VMware Inc. He has contributed to public security research and has been the Development Lead for Matriux since 2009. In the past he was a Research Assistant at Texas Tech University working on the security of critical infrastructure and smart grid energy systems, with a journal paper published by Elsevier. He was a finalist for the America's Information Security Leadership Award 2012 (AISLA) by (ISC)2. Previously, Prajwal was a speaker at BSidesLV and GrrCon. He was a chapter lead for n|u Hyderabad, an open security community. Prajwal holds a Master's degree in Computer Science from Texas Tech University in Lubbock.
by Madhu Akula
Developers and Operations teams (DevOps) have moved towards containers and modern technologies. Attackers are catching up with these technologies and finding security flaws in them. In this workshop, we will look at how to test for security issues and vulnerabilities in Dockerised environments. Throughout the workshop we will learn how to find security misconfigurations, insecure defaults and container escape techniques that give access to the host operating system or cluster. We will also look at real-world scenarios where attackers compromised containers to gain access to applications, data and other assets.
By the end of the workshop participants will be able to:
The participants will get the following:
Madhu Akula is a security ninja, published author, and security and DevOps researcher with extensive industry experience ranging from client-facing assignments building scalable and secure infrastructure, to publishing industry-leading research, to running training sessions for companies and governments alike.
Madhu Akula’s research papers are frequently selected for major security industry conferences including Defcon 24, Blackhat USA 2018, All Day DevOps (2016, 2017), DevSecCon (London, Singapore, Boston), DevOpsDays India, c0c0n, Serverless Summit, ToorCon, DefCamp, SkydogCon, NolaCon and null, etc. Madhu Akula was a keynote speaker for the National Cyber Security conference at Dayananda Sagar College in Feb 2016.
When he's not working with Appsecco's clients or speaking at events, he is actively involved in researching vulnerabilities in open source products and platforms such as WordPress, Ntop and Opendocman, and is also a contributing bug hunter with Code Vigilant (a project to secure open source software). His research has identified many vulnerabilities in over 200 organisations including the US Department of Homeland Security, Google, Microsoft, Yahoo, Adobe, LinkedIn, eBay, AT&T, Blackberry, Cisco and Barracuda. He is also an active member of Bugcrowd, HackerOne and Synack.
Madhu Akula has trained over 5000 people in information security for companies and organisations including the Indian Navy and the Ministry of e-services in a leading Gulf state. Madhu Akula has also authored a book titled "Security Automation with Ansible 2" that comes recommended by the creator of Ansible itself.
He is co-author of the book Security Automation with Ansible 2, published by Packt Publishing in December 2017, which is listed as a resource by Red Hat.
by Ajit Hatti
The aim of the workshop is to build a solid understanding of the basic primitives of cryptography and the building blocks of PKI: how these different blocks come together to provide end-to-end security, and the many ways you can still get around and exploit these implementations.
We will use OpenSSL as our Swiss Army knife to understand in practice how cryptography, benchmarking, crypto assessment and back door detection are done. We will see how the balance between security requirements, performance and compliance is achieved by choosing the right set of primitives.
One full day will be entirely hands-on: attacking, bypassing or exploiting SSL/TLS implementations in N different ways.
Understanding of the basic concepts of information security.
Security Professionals responsible for Testing, Developing, Designing, Auditing critical systems with Cryptographic implementations.
Co-founder of null - Open security community, author of LAMMA and GibberSense
Ajit Hatti is a co-founder of "null - Open security community" and author of LAMMA and GibberSense, the crypto security assessment tools. He previously worked on secure applications of cryptography at Symantec Corporation, and has worked as an engineer and security researcher with security companies such as IBM-ISS, Bulelane and Zscaler. He has presented his security research at BlackHat, DEF CON + Crypto Privacy Village, NullCon, Ground Zero Summit and c0c0n.
by Himanshu Kumar Das & Prajal Kulkarni
This 2-day training course outlines defense in depth against network and application layer attacks using the Elastic stack. During the 2-day programme, we will conduct hands-on exercises on simulating, correlating, analyzing and mitigating multiple attacks from Layer 4 to Layer 7. We will also cover case studies on day-to-day security requirements in cloud as well as enterprise networks. The course ends with a CTF exercise in which participants visualize security facts using the Elastic stack.
With the growing trend of big data, companies tend to rely on high-cost SIEM solutions. Continuous security monitoring and alerting for medium and large enterprises is a major challenge today. Logs from thousands of endpoints, servers and perimeter devices are difficult to aggregate, analyze and correlate in real time in a way that enables better security incident response and event handling. Organizations often end up with massive data breaches due to a lack of visibility into network activity across their infrastructure. Our course will show you how to take control of enterprise-wide logs and analyze them in real time using the ELK stack. You will learn to scale the Elastic Stack and generate powerful visualizations and data models using Kibana, making data analysis and decision making simple.
The training will also cover simulating real-world attack scenarios and the alert customisation necessary to respond to real-world attacks and anomalies. With growing cloud-based offerings, it becomes crucial to understand systems for detecting and responding to attacks. With tools like osquery, we will show how a scalable solution for system-level anomaly detection can be built.
This training is meant for security enthusiasts, DevOps engineers, and startups trying to build an in-house solution. It will be a great learning experience for setting up one's own affordable security analytics platform.
Over the 2-day workshop, you will gain detailed knowledge of how to build a no-cost attack monitoring solution as a one-stop solution for both external and internal security, on cloud as well as enterprise networks. We will have various classroom exercises to engage participants in real-world security use cases as well as in scaling the entire Elastic Stack for large networks. Labs will include all tools and configs necessary to run a fully functional stack for attack monitoring. The workshop ends with a mega challenge on pre-populated data to give hands-on experience with a production-grade Elastic Stack.
Elasticsearch programming
Writing plugins for Logstash
Any exercise/demo on a physical network device
Note: We do not support Windows XP.
Himanshu Kumar Das
Himanshu Kumar Das is a security engineer with expertise in infrastructure and payments security. He is passionate about system security and fuzzing. He participates in CTFs with team SegFault. He won Nullcon JailBreak 2012 and is a Security Engineer at GRABPAY. Away from security, he spends his time playing console FPS games and enjoys cooking.
Prajal Kulkarni is a Security Researcher currently working with Flipkart. He has been an active member of the null Security Community for the past 3 years. His areas of interest include web, mobile and system security. He writes a security blog at www.prajalkulkarni.com and is also the lead contributor at project Code Vigilant (https://codevigilant.com/). Code Vigilant has disclosed over 200 vulnerabilities in various WordPress plugins and themes. In the past he has disclosed several vulnerabilities in core components of GLPI, BugGenie, ownCloud and others. He has also reported many security vulnerabilities to companies such as Adobe, Twitter, Facebook, Google and Mozilla. He has spoken at multiple security conferences and provided trainings at NullCon 2015, NullCon 2016, NullCon 2018, Confidence 2014 and Grace Hopper 2014.
by Riddhi Shree
If you care about application security, the one tool you must absolutely be familiar with is an "interception proxy". Several interception proxies exist, and depending on the intensity of the penetration tests to be performed, a tester might choose a simple tool or an advanced one with advanced features. Burp Suite is a collection of several simple-yet-powerful tools. It not only works as an interception proxy but also gives users the ability to automate attacks, attack multiple parameters, generate PoCs, statically detect vulnerabilities, perform out-of-band exploitation, manage sessions across authorization levels, transform data across multiple types, save and export session data between users, and much more. This completely hands-on workshop is meant for web and mobile security testers, penetration testers and security enthusiasts who want to eliminate the grunt work involved in manual analysis of server traffic, and who want to craft customized and effective attacks against web applications to discover high-risk security vulnerabilities.
Day-1: Getting Started
Day-2: Tools of the Trade
Anyone who is getting started with web application security testing and wants to use Burp Suite to its full potential should attend this training. Seasoned security testers will also benefit from the advanced usage of Burp Suite covered during the training.
Gain confidence in customizing your web application security testing approach to suit application-specific pentesting needs, by gaining clarity on the powerful features provided by Burp Suite.
As this is a hands-on training, do not expect a lot of theory.
Riddhi Shree works with Appsecco as an Application Security Engineer. She is an active speaker at null Bangalore and has contributed to the application security community by writing multiple security blogs and creating educational videos. Her interests include (but are not limited to) blogging, playing guitar, painting and sketching, playing chess, adventure sports, and keeping up with technology.
by Bharath Kumar & Subash SN
The training will more or less adhere to the following outline.
Bharath is an open source evangelist with a strong passion for information security and building solutions that solve real world problems. Bharath has presented at many security and developer conferences including Bsides Delhi 2017, Bugcrowd LevelUp 2017 & 2018, PyCon India 2013 and FUDCon 2012.
Bharath is an active member and contributor at various security and developer communities including null open security community and Python Malaysia User Group.
His core interest lies in Infrastructure security, Application security, Protocol security and Reconnaissance.
Subash is a Security Engineer at Appsecco. As an avid security enthusiast and a passionate developer, he enjoys developing meaningful solutions to real-world security problems. He is currently working on solving security problems at cloud scale and exploring ways to improve intelligent automation using AI. In his free time, he loves to explore and research new and upcoming technologies. Introduced to the world of security by the null Open Security Community, he actively contributes back by presenting at various meetups and conferences, and has given talks at null Bangalore and the Serverless Summit. He has also contributed to open source security tools such as OWASP Threat Dragon and DVNA. Subash's training on "Automated Defense using Cloud Services for AWS, Azure and GCP" was selected for Blackhat USA 2018 and AppSec EU 2018.
by Manoj Kumar & Ranjith Menon
The training will be hands-on, so you need to bring your own laptop to perform different types of attacks on web-based applications.
The course covers relevant web application issues and then demonstrates how to design and build code defenses into an application.
Day 1: Secure Source Code Practices
Module 1: Introduction to Secure Source Code Practices (SSCP)
Module 2: Parameter Manipulation Attacks and Defenses
Module 3: SQL Injection
Module 4: Cross Site Scripting (XSS)
Module 5: Cryptography
Day 2: Secure Source Code Practices
Module 1: Client Side Attacks and Defenses
Module 2: Broken Authentication and Session Management
Module 3: Error Handling and Logging
Module 4: Code quality
Module 5: Backend Storage Information
Module 6: Insecure Direct Object References
Module 7: Cross Site Request Forgery (CSRF)
Module 8: Hands-on practice on vulnerable source code application for attendees
Manoj has more than 5 years of experience in application security and secure coding processes and is a co-founder of h1hakz. He has developed many secure application projects in different languages and has code-reviewed a wide range of applications, from embedded systems to web applications, including retail banking and e-commerce applications.
Ranjith Menon has more than 7 years of experience. He is an active participant in bug bounty programs, specializing in web application, mobile and cloud security, a contributor to the security community, and co-founder of h1hakz, an open platform for knowledge sharing through a webcast series.
He has also found vulnerabilities for many organizations. Apart from hacking, he makes time in his work schedule for fitness.
by Arun.S & Karthik Lalan
Mobile App Exploitation is a unique training which covers security and exploitation on both the Android and iOS mobile platforms. The entire class is based on intentionally crafted, real-world-style vulnerable Android and iOS apps. The training takes attendees from the ground level upwards so they are able to audit real-world applications on both platforms. This is a fast-paced 2-day training full of hands-on labs and challenges for both Android and iOS environments.
16 hours of training in 2 days (8 hours daily).
Day 1: Android Pentesting
Setting up the Pentesting Environment
Static & Dynamic Analysis
Network Analysis & Data Manipulation
Day 2: iOS Pentesting
Getting started with iOS Pentesting
Setting up the Pentesting Environment
Reverse Engineering & Binary Analysis
Static & Dynamic Analysis
Analyzing iOS Network Traffic
Arun.S - Senior Security Consultant @ IBM India Pvt. Ltd., with over 4 years of expertise in mobile, web app and web services pentesting. He holds various industry-recognized certifications such as ECSA and CEH. He is an active speaker and member at various security communities and conferences such as BSides Delhi, null, OWASP and G4H, and he is a chapter lead for the null Bangalore Security Community.
Karthik Lalan - Security Engineer @ Security Centre of Excellence, Philips Innovation Campus. He holds an M.Tech. in CS with specialization in Information & Network Security. He conducts frequent talks and workshops on Android and InfoSec at several venues including BSides Delhi, OWASP, the null Bangalore chapter and DroidCon-IN. Karthik loves to write technical blogs in his leisure time at www.nestedif.com.