OWASP SEASIDES 2019

About OWASP Seasides

Welcome to the Annual OWASP SeaSides InfoSec conference.

Through the OWASP Bangalore chapter we aim to provide premium workshops and talks free of cost to all participants. We plan to have workshops on 26th to 28th Feb (9:00 AM to 5:00 PM) and beach-side talks in the evening on 27th Feb and 28th Feb (7:00 PM to 10:00 PM), with a mega beach-side party on 2nd March.

nullcon has been doing a great job getting researchers from all over the world to India. If you are coming for nullcon 2019 then we are giving you more reasons to come early and participate in OWASP and null community events.

If you want to be part of the event and speak at it, please fill in the CFP/CFT form.

Supporters

Call for Tools (CFT)

OWASP Seasides Tools Demo 2019 aims to provide a platform for security researchers, developers and hackers to showcase their open-source projects.

Venture down to the beach shack in the evening, for an open air environment where you can freely exchange ideas and receive direct feedback from attendees.

CFT closes on 31st January 2019. Selected tools will be announced on 10th February 2019.

The event will be organised in the shack area near the beach, with a projector setup.

CMD+CTRL Code/Web App Review Challenge

27th February 3:30 PM - 6:00 PM IST

Security Innovation is teaming up with OWASP Seasides to offer attendees a fun "find the vulnerabilities" game - CMD+CTRL Cyber Range - that shows how hackers break into websites and teaches the importance of secure coding habits.

The CMD+CTRL Cyber Range we will be using is called ShadowBank, a banking website where players compete to find vulnerabilities, score points, and move up the leaderboard. "Leveraging cheat sheets, players take their shot at stealing money, manipulating share prices, and conducting other nefarious acts."

NOTE: Just bring your computer and evil inner-doer and you are ready to roll!


Venue Details

Cavelossim Sports Club Hall

Cavelossim, Goa 403731, India

Soldering Village

Soldering is one of the essential skills in today’s world with applications ranging from electronics, jewellery, craft items to plumbing and metal work. Our goal is to teach soldering and basic electronics to anyone and everyone in the most creative and fun way possible.

The traditional approach to learning electronics and soldering seemed boring and lethargic, so we took inspiration from nature and crafted a bee made entirely out of electronic components. We call it BugZee and, like a real-life bee, it moves around making a buzzing sound. Did we mention its wings glow in the dark? No, it won't bite you, but it will definitely get you hooked.

The soldering village will consist of multiple soldering stations. All attendees will be trained to handle the equipment carefully while still keeping it a very fun learning experience. With this village, attendees will acquire the skills required for soldering and knowledge about basic electronics.

There are no prerequisites. Just an open mind and willingness to turn electronic components into a moving-buzzing Bee. Attendees are encouraged to experiment further with different components post village on their own and build their own Bee of creativity. Most creative Bees will win swag from Hackerwares. Solder On!

*Note: Registration details will be shared with Trainers and Sponsors

Social Media

The registration is closed. However, all the events and workshops are on first come first serve basis. Please reach the venue early to grab your spot.

Speakers


Asha Muniyappa

Shilpa Ranganatha

Glenn ten Cate

A story of protecting critical web applications using OWASP Top 10

27th February 09:00 AM - 6:00 PM IST

Abstract

In this completely hands-on workshop, you step into the shoes of a young software engineer who joins the security champions team of a company to watch over the trust in its web applications. As time progresses, the regular assignment becomes an involved investigation to solve a computing puzzle.

Throughout this introductory workshop, you would be using the Avatao online AppSec platform to solve a series of technical challenges related to OWASP top 10 and beyond. This technical game teaches you the basic pitfalls in web security and the best practices to fix the problems.

The workshop will be an early preview of a new Avatao story we are going to release on the platform soon. It is intended for software engineers who may be beginners in application security.

Upon Completion of this Workshop, attendees will:

  • Understand the basic issues in web security

  • Get insight into OWASP top 10 and how to fix those issues in practice

  • Have fun in solving game challenges in AppSec

  • Have developed a team attitude and skills to solve problems together

  • Have a serious craving to become better in web security

  • Learn a few words in leetspeak

Prerequisites for attendees:

  • Attendees should bring: Laptop with a contemporary browser (mandatory)

  • This is an introductory Workshop for web application developers, students, including those new to application security.

  • The course has been developed to train learners at all levels, but it is mostly geared towards beginners.

Trainer(s):

Kristof Toth is a SOLID software engineer at Avatao. He is the main driving force behind the gamified Tutorial Framework that makes the Avatao platform sleek and enjoyable. Besides a deep passion for clean code and software craftsmanship, Kristof likes cats and is a beer aficionado.

*Note: Registration details will be shared with Trainers and Sponsors. It is mandatory to register your spot in advance, as we need to organise the seating logistics.

Please fill below form to register.

Scholarship Opportunities

The OWASP Seasides team will be providing scholarships (shared accommodation and train tickets) to students who wish to attend Seasides.

Big Thanks to the supporters for the scholarship support!

  • Xiarch

  • Dinesh Bareja (https://twitter.com/bizsprite)

  • Arman Pathan (https://twitter.com/armaancrockroax)

  • Jinen Patel (https://twitter.com/j4jinen)

Sponsorship has been awarded to the below mentioned students/ individuals.

  • Sparsh Kulshreshtha

  • Saraswati Maddala

  • Ashish Huria

  • Eldho George

Note: Please show us a valid ID card at the event to confirm your identity.

OWASP Seasides event members facilitated the selection procedure and have not received any other benefits in the process.

Please fill the below form to get the scholarship.

Our Team

Diversity Partner

OWASP Women in Application Security (WIA) Committee

The purpose of Women in AppSec (WIA) Committee is for anyone who believes that diversity is important to the success of the organisation, as well as for women looking to learn more about AppSec or who want to make career connections with like-minded colleagues. This includes female undergraduate and graduate students, instructors, and professionals who are dedicated to information security or application development.

Infosec Girls

Our main objective is to get women curious about information security. We aim to do this by encouraging more women to actively participate in events like security conferences and community meet-ups.

  • Train middle school girls and college students.

  • Mentor women who wish to grow their career in information security.

https://www.infosecgirls.in/

CTF Bootcamp/Training

27th February 3:30 PM - 6:00 PM IST

What’s the Plan?

The workshop starts with the basic idea of what exactly a CTF is and why it should matter to you regardless of your background.

  1. Then we give a basic introduction to the following categories, with talks and live challenges to learn some neat tricks along the way!

    1. Web : It’s time we look beyond the old boring web application and introduce some fun tasks to this scenario; learn the fundamentals and different tricks like breaking OAuth, SSRF, testing REST APIs and more.

Riccardo ten Cate

Jason Haddix
Vandana Verma
Geeta Handa
Ajit Hatti
Nikhil P K
Swaroop Yermalkar

Paresh Mishra

  • Manju Chufal

  • Kartheek Lade

  • Vishnu K Murali

  • Nimisha Dughyala

  • Debolina Basu


  • Crypto : Time to break that obfuscated code, understand what exactly RSA does and what many other popular encryption schemes lack, and, the fun part, exploit them LIVE!

  • Forensics : It’s your time to DFIR like a professional; learn all you need to know about images, processes, handles, DLLs and injections!

  • Pwn : Nothing beats the good old “pop pop ret”. Not sure what that means? You will probably know it all after the workshop, and automate overflows like you always wanted to!

  • Misc : It’s always handy to move stuff around with netcat, automate the boring stuff and even look at the stuff beyond “some language”.

    Upon completion, the attendees will know:

    Techniques commonly used to solve problems in the realm of security, a basic idea about overflows, commonly used encryption schemes, common forensics techniques, web application reconnaissance and exploitation, and lots of tips and tricks to save your time while working.

    Attendees should bring:

    Laptop, preferably running a Linux distro (Kali Linux full boot or virtual machine)

    Pre-requisites for attendees:

    A general idea about Linux and a knack for programming.

    • Prashant Kv

    • Vandana Verma

    • Abhinav Sejpal

    • Ravi Rajput

    • Sandeep Singh

    • Hrishikesh S

    • Bhashit Pandya

    • Shivendra Saxena

    • Vishal Panchal

    • Namrata (Namu)

    • Prashant Gaur

    • Devendra Kumar

    • Sheeraz Ali

    • Amol Bhure

    • Deepak Rathore

    • Pankaj Upadhyay

    • Arun S

    • Aashish Kumar

    Blockchain Village

    26th February 10:00 AM - 6:00 PM IST

    Abstract :

    Let's attack Bitcoin's blockchain implementation and learn how the world's most valued financial network is also the world's most secure, given that it is completely open and autonomous.

    In this village, we will threat model a Bitcoin blockchain implementation and study its layer-by-layer design to thwart the listed threats. We enumerate and understand every single crypto construct used in each layer, and how it is secure now and also in the wake of the realisation of quantum computing in the near future.

    Overview:

    1. Introduction to Blockchain

    2. What a block looks like on disk

    3. What crypto-constructs go in each block

    4. Threat modelling of blockchain: list down all applicable threats to blockchain with the help of the participants

    5. Learning defence in depth, built in the block design

    6. Scripts in Bitcoins

    7. Smart Contracts and security issues with a case study of Ethereum

    8. Where Bitcoins go wrong?

    9. Summing it up

    Takeaways:

    1. Understanding of the building blocks of cryptography used in blockchain technology

    2. How to threat model a complex system

    3. How to deal with security threats in an untrusted, distributed environment

    4. How to build a financial system securely

    5. Smart contracts, dumb implementation

    6. Dos and Don'ts of cryptography considering the quantum threat

    7. Above all, understand what blockchain is and what it is not

    Who should attend : Professionals from enterprise, banking and financial organisations, LEA and anyone who wishes to understand how blockchain works and how it is secure by design.

    About Trainer : Ajit Hatti is the founder of PureID and recently conducted the Blockchain Security Village at DEF CON 26 in Las Vegas. He has been working on securing crypto implementations for the last 5 years and is also the author of LAMMA, GibberSense and SCODA, the crypto auditing tools. Ajit is also the co-founder of the null open security community and Nullcon. He loves to volunteer and present something at DEF CON and Black Hat USA every year.

    Reference: https://www.blockchainvillage.net/

    *Note: Registration details will be shared with Trainers and Sponsors

    The registration is closed. However, all the events and workshops are on first come first serve basis. Please reach the venue early to grab your spot.

    Women Only - Web Application Security

    27th February 09:00 AM - 6:00 PM IST

    Abstract

    In this completely hands-on workshop, you would get to understand the techniques and methodologies that can be applied when performing web application penetration testing. Throughout this workshop, you would be using Burp Suite and OWASP ZAP, each a conglomerate of distinct tools with powerful features. Apart from gaining familiarity with the tools and the techniques involved in application security testing, you would also get an opportunity to understand some of the common vulnerabilities from the OWASP Top 10 – 2017 list. We would provide you with a vulnerable website, and you would uncover security issues in it even if you have never done this before!

    Upon Completion of this Workshop, attendees will know how to:

    • Scope a security review and prioritise the work.

    • Understand the manual and automated tools and techniques available and when to apply them.

    • Understand DevSecOps, including the Agile framework.

    • Customise your web application security testing approach to suit application-specific pen-testing needs, with confidence gained from clarity on the powerful features provided by Burp Suite.

    • Work through lots of hands-on web application hacking labs and exercises along with core concepts of web application security.

    Attendees should bring:

    • Laptop with administrator access (mandatory)

    • Minimum 4 GB RAM

    • At least 10 GB of free hard disk space.

    • Oracle VirtualBox 5.x or later installed.

    Prerequisites for attendees:

    This is an introductory Workshop for web application developers, students, including those new to application security. The course has been developed to train learners at all levels.

    Trainers:


    Co-Trainers:

    • Namrata Mallick

    • Sri Lakshmi

    *Note: Registration details will be shared with Trainers and Sponsors

    The registration is closed. However, all the events and workshops are on first come first serve basis. Please reach the venue early to grab your spot.

    Day 2: 28 Feb 2019

    Time Slot

    Tool Title

    Presenter

    Slides

    5:00 - 5:15

    Abhishek J M

    5:20 - 5:35

    Utkarsh Agrawal

    Building your first AppSec pipeline with all bells and whistles

    28th February 09:00 AM - 6:00 PM IST

    Abstract of the workshop:

    In this workshop we will learn and get a good understanding of how to set up security test automation in your CI/CD pipelines.

    Most customers in need of security test automation utilise different CI tools that fit their needs. Getting your security tools into these CI environments makes you fully dependent on the plugins the CI environment provides. Now, imagine a world where we could configure our security tools once and use that as a blueprint across all the CI tools.

    Docker helps security engineers to weaponise the customer's CI/CD pipelines in a heartbeat with hard-to-configure security tools, delivering the entire security test automation and vulnerability management solution in a scripted manner that rolls out in the blink of an eye!

    After we have the basic set-up configured correctly we can start collecting the right tooling to get the job done. There are a lot of things we should take into consideration if we want to cover the entire attack surface: how to secure the application host and containers, manage secrets, and implement static/dynamic analysis tools. Even more importantly, how do we ultimately manage all the vulnerabilities in an effective way, with delta reporting and false positive suppression, to make everything more maintainable?

    Through pain and lessons learned, we want to share our experiences in the form of a workshop to give handles and guides to get security automation started in your company!

    Why: This workshop aims at helping developers to improve their security skills: when you go DevOps style, you need to onboard security as well. However, you don’t want huge manual quality gates: instead you need to automate! This workshop will help developers understand the basics and the various levels of security checks involved in an AppSec pipeline.

    About the Trainers

    Trainer 1: Glenn ten Cate. As a coder, hacker, speaker, trainer and security researcher, Glenn has over 10 years of experience in the field of security. He is one of the founders of defensive development [defdev], a security training series dedicated to helping you build and maintain secure software, and has spoken at multiple other security conferences around the world. His goal is to create an open-source software development life cycle with the tools and knowledge gathered over the years.

    Trainer 2: Riccardo ten Cate. As a penetration tester from the Netherlands, Riccardo specialises in application security and has extensive knowledge in securing applications in multiple coding languages. Riccardo has many years of experience in training and guiding development teams to become more mature and make their applications secure by design. Not only does Riccardo train developers; he and his brother Glenn also donated to OWASP an entire knowledge framework solely dedicated to helping developers make their code secure by design. See: SKF (Security Knowledge Framework).

    Riccardo also has expertise in implementing security test automation in CI/CD pipelines. This helps create short feedback loops back to the developer and prevents bugs from getting into production, catching them in an early phase of the development lifecycle.

    *Note: Registration details will be shared with Trainers and Sponsors

    The registration is closed. However, all the events and workshops are on first come first serve basis. Please reach the venue early to grab your spot.

    Day 1: 27 Feb 2019

    Time Slot

    Tool Title

    Presenter

    5:00 - 5:15

    Intro and Setup

    5:20 - 5:35

    Sagar Ujalambkar

    5:40 - 5:55

    Praveen K

    Conference at a glance (Schedule)

    Workshops are free for anyone to attend. Please register for one training per day, as all trainings will run in parallel.

    Workshops (9:00 AM - 6:00 PM, IST)

    Reversing and Exploitation of Vehicle (CAR Hacking)

    28th February 09:00 AM - 6:00 PM IST

    Abstract

    Today all vehicles are connected through V2X technologies. All manufacturers are coming up with new technologies, such as fleet management systems and diagnostic toolsets, that can be added to vehicles. These systems come from third-party vendors and are still in a vulnerable state, so addressing their weaknesses requires a specific skill set in vehicle cybersecurity. This course will provide a real car for hands-on experience in security testing a car and its components. The "Reversing and Exploitation of Vehicle" course is targeted from basic to advanced level. During the course we will provide a virtual machine with all the necessary tools, which can be used after the training for vehicle security testing.

    • Introduction of Vehicle (Vehicle network)

    Machine learning 101 for Cyber Security

    26th February 10:00 AM - 6:00 PM IST

    Overview

    Machine learning is an application of artificial intelligence (AI) that provides systems the ability to automatically learn and improve from experience without being explicitly programmed. Machine learning focuses on the development of computer programs that can access data and use it to learn for themselves.

    The process of learning begins with observations or data, such as examples, direct experience, or instruction, in order to look for patterns in the data and make better decisions in the future based on the examples that we provide. The primary aim is to allow computers to learn automatically without human intervention or assistance and adjust their actions accordingly.

    Table of Contents

    Phase – I: Theory

    Red Team Village

    26th February 10:00 AM - 6:00 PM IST

    Red Team Village is a community-driven combat readiness platform for red teaming and full-scope cyber security assessments. This community is managed by a group of cyber security and red team tactics enthusiasts. A red teamer needs to be skilled in every aspect of offensive security. We consider this a platform to share tactics, techniques, and tools related to various domains of adversarial attack simulation.

    Agenda:

    1. Sessions about Red Team tactics and tools

    2. CTF - There will be CTF challenges and the winners can go home with cool prizes and goodies.

    The CTF challenges would be based on red teaming activities and attacks.

    28th February

    Panel Discussion

    • Bug Bounty Craft

    Panelists:

    • Jason Haddix

    Saurabh Chaudhary
    Abhinav P
    Parveen Yadav
    Narendra Sharma
    Deepanshu Gajbhiye
    Anant Shrivastava

    5:40 - 5:55

    eth_KeyFun

    Chirag Jariwala

    eth_keyfun.pptx

    5:55 - 6:10

    Closing

    Adhrit
    Autorecon

    6:00 - 6:15

    OWASP SKF

    Glenn ten Cate & Riccardo ten Cate

    DVFaaS
    ThreatPlaybook


    NOTE* Workshops are 100% FREE to all OWASP Seasides attendees, first come first served basis only!


  • Briefing of ECU

  • Briefing of Vehicle Protocols

  • Understanding and briefing CANBUS protocol

  • Briefing of CANBUS frame

  • Briefing of CAR hacking Tools

  • Eavesdropping of Canbus messages

  • Reverse Engineering of CANBUS

  • Identify the Arbitration ID of a specific vehicle event

  • Attacks on cluster

  • Replay attacks

  • Sending Forged CANBUS messages

  • DOS Attack on CANBUS network

  • Key fobs

    • Introduction

    • Recon of Key fobs frequency

    • Reverse engineering of Key fob data

    • Sending malformed key fobs request

    • Jamming at RX and TX

    • Defeating encoding mechanism

    • Replay Attack

    • Attack on key fob

    • Cloning of Key fobs

  • Infotainment

    • USB

    • Fuzzing on USB stack

    • USB interception for software update

    About Trainer

    Arun Mane

    Arun is a hardware, IoT and ICS security researcher. His areas of interest are hardware security, SCADA, automotive security, fault injection, RF protocols and firmware reverse engineering. He also has experience in performing security audits for both government and private clients. He has presented talks at nullcon 2016, 2017 and 2018 (Goa), GNUnify 2017, Defcamp 2017 and 2018 (Romania), BSides Delhi 2017, c0c0n X 2017, EFY 2018, x33fcon 2018, Black Hat USA 2018 and DEF CON USA 2018. He is also the trainer for the Practical Industrial Control Systems (ICS) hacking training, delivered at x33fcon 2018 and HIP 2018, and has delivered IoT hacking training at HITB 2017, HIP 2017, Black Hat Asia 2018 and for private clients in London, Australia, Sweden, the Netherlands etc. He is an active member of the null open community.

    *Note: Registration details will be shared with Trainers and Sponsors

    The registration is closed. However, all the events and workshops are on first come first serve basis. Please reach the venue early to grab your spot.

  • Brief history of Machine Learning

  • Types of algorithms

  • Data visualisation hands on with Matplotlib

  • Data Aggregation, manipulation, and cleaning hands on problem solving with Pandas

  • Hands on Mathematical operations on data with Numpy

  • Theoretical understanding of Classification, Regression, and Clustering

    Phase – II: Hands-on

    • Deal with imperfect real-world dataset

    • Validate a machine learning result using test data

    • Evaluate a machine learning result using quantitative metrics

    • Create, select, and transform features

    • Compare the performance of machine learning algorithms

    • Tune machine learning algorithm for maximum performance

    • Communicate your machine learning results clearly

    Phase – III: Case Study

    • Case Study 1: Network traffic classification using ML

    • Case Study 2: Malicious URL detection using ML

    • Case Study 3: Detecting password strength using ML based Web Firewall

    Prerequisites

    Basics of Python programming

    What to bring

    • A laptop with administrative privileges

    • Minimum of 30GB of free hard disk space

    • Minimum 8GB RAM

    • Laptop should have ethernet and wifi capability

    • Virtualbox installed

    Trainer Profile

    Trainer : 1 - Gaurav Gandhi is a hard-core programmer with 10 years of experience in the software industry. He currently holds the position of Co-Founder & CTO at Praemineo, Inc., an artificial intelligence company, and is responsible for the research and development of tools and pipelines for products around artificial intelligence.

    He has worked extensively in application development, specialising in anything and everything around JavaScript: application architecture design/review, code review, database architecture design, and cloud services like AWS, Microsoft Azure and Google Cloud Platform.

    He has spent the last 3 years researching and building applications around artificial intelligence, machine learning, deep learning and computer vision for various clients all over the world, in domains as varied as GIS, financial tech, HR & staffing, edtech etc.

    Trainer : 2 - Tamaghna Basu, co-founder/CTO of neoEYED Inc., is on a mission (www.killthepassword.com) to build a safer world with stronger yet very convenient authentication mechanisms for companies and end users. He is a hacker, speaker, trainer and developer. He has more than 14 years of experience in the cyber-security domain and has worked with large enterprises like PwC, PayPal, Walmart etc. to help them secure their products. His main areas of research include application security and network pen-testing, incident handling and cyber forensics. Having been a software developer earlier, he has worked in Python, Java, .NET, Ruby etc. and in various domains like finance, insurance, gaming etc. He is a frequent speaker/trainer at conferences like NULLCON, C0C0N, OWASP, ISACA etc. and a member of NULL, DSCI and other communities. He has also contributed to security magazines like ClubHack and the ISACA Journal, and holds various certifications such as Cyber Crime Investigation, Diploma in Cyber Law, OSCP, GCIH etc.

    Trainer : 3 - Chinmay Bag is a Sr. Software Engineer at Praemineo, Inc., a boutique software startup focused on machine learning and full stack development. A highly resourceful full stack engineer with a passion for finding elegant solutions to complex software engineering problems, with an emphasis on efficient and readable code, he has 4+ years of experience in the software industry in domains such as fintech and HRtech. He is a maths ninja and machine learning enthusiast, always tinkering with the latest trends in ML, and is interested in working on collaborative projects.

    *Note: Registration details will be shared with Trainers and Sponsors

    The registration is closed. However, all the events and workshops are on first come first serve basis. Please reach the venue early to grab your spot.

    • The participant needs to compromise various levels of infrastructure assets owned by the target corporation.

    • Challenges include unlocking a physical safe/locker by obtaining the locker key stored in the domain admin user's folder.

    • The final challenge would be discreetly compromising a corporate asset monitored by the Blue team / SOC.

    Innovation

    The primary purpose of a Red Team assessment is to validate your organisation's effectiveness against credible and realistic cyber threats. Threats are real, and that makes organisations concentrate on full-scope adversarial attack simulation engagements.

    • Red Team Village is one of its kind. Our end goal is to act as a platform for red team tactics knowledge sharing and exercises.

    • We keep creating real-world scenarios and challenges for our events.

    • We're planning to create a permanent red team related CTF platform containing all of our previous challenges, where red team enthusiasts can join and participate in real-time challenges and learn new attack vectors, techniques etc.

    • We also organise combined exercises that include both red and blue teams, so that tactics can be shared, which helps to create a purple team structure.

    TECHNICAL DETAILS – CTF CHALLENGES

    There is a target company named Victim Corporation. Victim Corp has a wide list of assets.

    • The assets can be digital, physical or even employees.

    • The participants need to attack each asset to get flags.

    • There will be Windows Active Directory infrastructure, Linux, IoT, even phishing campaigns and other attack frameworks.

    • Digital lockers and other physical challenges will be introduced.

    • The final challenge would be attacking a target monitored by the Blue team/SOC and getting the flags without getting caught on their radar.

    • The idea is to touch a little bit of everything, from OSINT to post-exploitation techniques.

    Abhijith B R works as a Sr. Security Analyst at EY, with 8 years of experience in the cyber security industry; cyber security researcher, blogger, maker and adventure motorcycle traveller. Mostly researching intelligent penetration testing automation and red teaming tactics. Lead organizer of the local DEF CON group (DC0471) and manages the Red Team Village community. https://twitter.com/abhijithbr

    Vishnu Prasad works at HackerOps as Sr. Security Specialist and has 7 years of experience in the information security industry. Organizer of the DEF CON group Trivandrum and the Red Team Village community.

    Ranjith Menon has more than 8 years of experience in the infosec domain. He is an active player in bug bounty programmes, specialised in web app, mobile and cloud, a contributor to the security community, and founder of h1hakz, an open platform for knowledge sharing through a webcast series. https://twitter.com/ranjith_menon16

    Saubhagya Srivastava
    Abartan Dhakal

    Moderator: Chloé Messdaghi

    Evening Talks

    Speaker Name: Talk Title

    Glenn ten Cate: Making the web secure by design

    Vanshit Malhotra: Building Your Hacker BlackBox for Fun And Profit

    Andrew van der Stock: OWASP ASVS (Application Security Verification Standard)

    Sunil kumar S: Mallory in a Modern World: Practical exploitation of IoT systems by attacking Wireless Sensor Networks

    Yassine Aboukir: Leveraging certificate transparency to automate monitoring of new subdomains for fun and profit - Sublert tool release.

    Vandana Verma
    Geeta Handa
    Bug Hunter's Methodology

    28th February 09:00 AM - 6:00 PM IST

    Course Abstract

    Bugcrowd is happy to offer a full-day workshop for bug hunters to learn both intro and advanced topics in web bug hunting. Each BCU module will go over a vulnerability, describing its nature, how to identify it, how to exploit it and the relevant tools associated with it, and will have labs for students to test their skills. These Bugcrowd University modules are designed to enable the crowd to spot and exploit Priority One level bugs, even in seemingly complex web applications.

    • (Intro) What makes a good submission

    • (Intro) Burp Suite Workshop

    • (Intermediate) Asset Discovery and Recon - IP enumeration (ASNs and Cloud)

      • Brand Enumeration (Acquisitions, RevWHOIS, Reverse tracker Analysis)

      • Subdomain Enumeration (Scraping and Bruteforcing)

      • Effective Port Scanning

    • (Advanced) XML External Entity Injection

      • An introduction to XXE

      • XXE Identification

      • XXE Tooling / payloads

    • (Advanced) Authorization & Access Control Testing (MFLAC, IDOR)

      • The ever-giving IDOR and MFLAC

      • Examples

        • LABS

    • (Advanced) Server Side Request Forgery - An introduction to SSRF

      • SSRF Identification

      • SSRF Tooling

        • SSRF LABS

    • (Advanced) Security Misconfiguration (Git, AWS, Subdomain, ++)

      • Introduction to AWS S3 permissions

        • Labs

      • Git pillaging

    Upon completion of this training, attendees will know: at the end of this course, students should have solid fundamentals in web testing for the vulnerabilities that are most likely to show up in the wild today. Not only does the course aim to arm the student with techniques, tools, and labs, but also with a contextual and data-driven methodology on where and how to look for each vulnerability.

    Attendees should bring: Laptop, Burp Suite (PRO preferably), VM or equivalent access to *nix command line.

    Pre-requisites for attendees: General Web application security testing knowledge required. Some topics will assume some knowledge of OWASP Top Ten type vulnerabilities.

    These trainings are 100% FREE to all OWASP Seasides attendees, first come first served basis only!

    About the trainer: Jason Haddix is the VP of Researcher Growth at Bugcrowd. Jason trains and works with internal analysts to triage and validate hardcore vulnerabilities in mobile, web, and IoT applications/devices. He also works with Bugcrowd to improve the security industry's relations with researchers. Jason's interests and areas of expertise include mobile penetration testing, black box web application auditing, network/infrastructure security assessments, wireless network assessment, binary reverse engineering, and static analysis.

    The registration is closed. However, all the events and workshops are on a first-come, first-served basis. Please reach the venue early to grab your spot.

    27th February

    Panel Discussion

    • Entrepreneurs in cyber security business

    Panelists

    • Rahul Sasi - Founder at Cloudsek

    Avinash Jain

    Bringing Left Shift Security change in India E-market #BugBounty

    Web Application Pen-testing - Women Only
    Bug Hunter's Methodology
    Learning Secure Development from Blockchain
    Mobile App Security
    Reversing and Exploitation of Vehicle (CAR Hacking)
    Red Team Village
    A story of protecting critical web applications using OWASP Top 10
    Building your first AppSec pipeline with all bells and whistles
    CMD+CTRL Code/Web App Review Challenge
    CTF Bootcamp/ Training

    Version based vulnerability analysis

  • Directory Bruteforcing / Content Discovery best practices

  • Prioritizing target testing areas by technology and features (Advanced)

  • XXE LABS

    • Labs

  • Github robbing

    • Live exercise

  • CI/Code repositories exploitation (no lab)

  • Subdomain takeover

    • Labs

  • Ricky Rajkumar - Founder at IntouchWorld
  • Mark Felegyhazi - CEO at Avatao

  • Panel Moderator

    • Ajit Hatti - Founder at Pureid

      Evening Talks

    Speaker Name

    Talk Title

    Shrutirupa Banerjiee

    Security with Smart Contracts

    Saumya Vishnoi

    The other side of bug bounty program

    Armaan Pathan

    How I bought my car in 4 days of bug hunting

    Henrik Noelscher

    Car Hacking Nowadays

    Nitin Lakshmanan

    Attacking your in-ear fitness coach: Next generation exploits for consumer IoT, and mitigation approaches

    Mobor Beach, Goa, India.

    Get in Touch

    General Inquiries:

    Call for Papers (CFP)

    Have an awesome story to share - a recent hack, your Infosec journey, or cool bounty experiences? Come share your experiences and motivate others with your success stories or learn from the pitfalls you've had!

    Just fill out the form below. Of course, you'll have to figure out how to get there and where you'll be when you're not busy having fun at OWASP Seasides. That's totally on you! Food and drinks on us and that's about it. Speakers will have to manage their stay and travel.

    Still not sure or have more questions? You can reach us at:

    Chloé Messdaghi

    Fixing the Internet's Auto-Immune Problem: Bilateral Safe Harbor for Good-Faith Hackers

    Praveen K

    Threat Playbook


    CODE OF CONDUCT

    OWASP is dedicated to providing a harassment-free conference experience for everyone, regardless of gender, sexual orientation, disability, physical appearance, body size, race, or religion. We do not tolerate harassment of conference participants in any form.

    Conference participants violating these rules may be sanctioned or expelled from the conference at the discretion of the conference organizers. Harassment includes offensive verbal comments related to gender, sexual orientation, disability, physical appearance, body size, race, religion and actions such as deliberate intimidation, stalking, following, harassing photography or recording, sustained disruption of talks or other events, inappropriate physical contact, and unwelcome sexual attention.

    Participants asked to stop any harassing behaviour are expected to comply immediately. If a participant engages in harassing behaviour, the conference organizers may take appropriate action, including warning the offender or expulsion from the conference.

    Conference staff will be available to help participants contact hotel/venue security or local law enforcement, provide escorts, or otherwise assist those experiencing harassment to feel safe for the duration of the conference. We value your attendance.


    Photo Gallery


    Mobile App Security

    27th February 09:00 AM - 6:00 PM IST

    First Half - 27th February 2019 (9AM - 1PM)

    Android App Security Workshop

    Android Application Penetration Testing Training is intended for students and professionals who are interested in making a career in the mobile application penetration testing domain. It involves decompiling, real-time analysis and security testing of Android applications. This training covers the internals of an Android app, real-time testing of Android applications and several OWASP Mobile Top 10 security issues such as insecure logging, unintended data leakage, insecure communication, insufficient cryptography, insecure authentication and poor code quality.

    WHO THIS TRAINING IS FOR

    • Students interested in Mobile Security

    • Security Analysts/Researchers.

    • IT Professionals working in Android Development domain

    • IT professionals working in Information Technology-Security domain.

    KEY TAKEAWAYS

    • A detailed understanding of the Android Application internals

    • A clear understanding of the Android Application Penetration Testing

    • Ability to analyse an Android Application from a Security Standpoint

    • Understanding of multiple security tools to be used for Mobile Pentesting

    DELIVERABLES

    • Training Slides

    • Custom made VM’s

    • Updated toolset of software/applications used for mobile pentesting

    REQUIREMENTS

    • Laptop with at least 30 GB of free hard disk space and 6 GB RAM, with administrative privileges

    • Updated VirtualBox installed

    • 2 Functional USB Ports

    TABLE OF CONTENT

    • Introduction to Android

    • Android Security Architecture

    • Android Permission Model

    • Application Sandboxing

    About Trainers

    Trainer 1: Nikhil P K is a Security Engineering Lead at IGS-India and an international security trainer. His areas of interest include Web Application Penetration Testing, Mobile Application Security and Machine Learning. He has presented his talks at international and national conferences and meets such as Nuit Du Hack Paris, OWASP AppSec, Cocon International Cyber Policing and Security Conference, DEFCON Bangalore Chapter, Null Open Security Meet Bangalore and Null Open Security Meet Mysore. He is also a bug bounty hunter and has been listed and acknowledged in the Halls of Fame of companies such as Microsoft, Apple, Adobe, Nokia, Engine Yard and AVIRA Antivirus.

    Trainer 2: Asha Muniyappa is a mobile application security researcher. She is a CEH certified professional and is responsible for innovating the mobile app security assets to ensure secure delivery of mobile apps. Her expertise is in application security, with key research areas of interest including mobile apps and hacking. She is passionate about learning new techniques for attacking mobile apps and has been researching attack simulations on apps to determine and exploit security flaws.

    Second Half - 27th February 2019 (2PM - 6PM)

    Modern iOS App Pentesting And Security for Fun and Profit

    Does your product or application have a mobile app? Do you use any AWS services? Are your product security engineers working on mobile application security? Looking for information about the importance of mobile app security? If your answer is yes to any of these questions, then this talk is for you!

    This hands-on session will discuss recent case studies of critical findings in iOS apps and also help to address important issues such as encryption key management and authentication issues, along with the OWASP Top 10 for Mobile (iOS). This training will focus on pentesting both Objective-C and Swift iOS applications.

    Pre-requisites

    • MacBook with Xcode (10.1) installed

    • Docker Installed

    Training Contents (not limited to)

    • Introduction to iOS App Security

    • iOS Bug Bounty Case Studies

    • iOS Pentesting Lab Setup

    • Approach for Objective C and Swift App Pentesting

    WHO SHOULD ATTEND?

    • Security Professionals

    • Mobile Application Pentesters

    • Bug Bounty Hunters

    • iOS Application Developers

    Key Takeaways

    • End to end iOS App Pentesting

    • iOS Secure Coding

    • iOS reverse engineering, runtime analysis

    • Encryption key management, Defending crypto attacks

    About Trainers

    Trainer 3: Swaroop Yermalkar works as Lead Security Engineer and has authored the popular book “Learning iOS Pentesting” (https://goo.gl/T8jvjJ). Swaroop also leads an open source project, OWASP iGoat (https://igoatapp.com/), which is developed for mobile security. He is one of the top bug bounty researchers worldwide, working with Cobalt.io (https://app.cobalt.io/swaroopsy) and Synack.inc. He has given talks and workshops at many security conferences including AppSec Israel, AppSec USA 2018, BruCON, SEC-T, EuropeanSec, Hacks in Taiwan (HITCON), GroundZero, c0c0n, 0x90 and GNUnify. You can reach out to Swaroop at @swaroopsy.

    Trainer 4: Shilpa Ranganatha is an iOS application security researcher. She is a CEH certified professional and is responsible for innovating the mobile app security assets to ensure secure delivery of mobile apps. She is keen to expand her horizons and constantly strives to find zero-day vulnerabilities in client applications.

    Note: Registration details will be shared with Trainers and Sponsors

    The registration is closed. However, all the events and workshops are on a first-come, first-served basis. Please reach the venue early to grab your spot.

    Setting up Mobile Pentest Environment

  • Android Application Architecture

  • Reverse Engineering

  • Bypassing Android Permissions

  • Dynamic and static analysis of the application

  • Insecure Data Storage

  • Insecure Communication

  • Insufficient Cryptography

  • Insecure Authentication

  • Poor Code Quality

  • Reverse Engineering and Binary Analysis

  • Exploiting iOS Local Data Storage

  • Exploiting Broken Cryptography

  • Exploiting Cloud Misconfigurations

  • Runtime Analysis of iOS Apps

  • Frida for iOS Pentesting

  • Analyzing iOS Network Traffic

  • iOS Secure Coding

  • iOS CTF

  • Security Architects

  • People interested in getting started in mobile security

  • Designing secure iOS applications

    https://goo.gl/T8jvjJ
    https://igoatapp.com/
    https://app.cobalt.io/swaroopsy
    @swaroopsy

    Sponsors

    Platinum Sponsors

    Gold Sponsors

    Combined Gold Sponsor (Bug Bounty World + Peritus + Secmasters)

    Bronze Sponsors

    Special Supporters

    Seasides · Feb 26 – Mar 12, 2019 (Google Photos album)