Type: 2-Day Training
Tuesday, May 27
 

9:00am CEST

2-Day Training: Adam Shostack's Threat Modeling Intensive
Tuesday May 27, 2025 9:00am - 5:00pm CEST
To register, please purchase your training ticket here. Training and conference are two separate ticket purchases.

This hands-on, interactive class will focus on learning to threat model by executing each of the steps. Students will start with a guided threat modeling exercise, and we'll then iterate and break down the skills they're learning in more depth. We'll progress through the Four Questions of Threat Modeling: what are we working on, what can go wrong, what are we going to do about it and did we do a good job. This is capped off with an end-to-end exercise that brings the skills together.
Speakers

Adam Shostack

Founder, Shostack & Associates
Adam Shostack is a leading expert on threat modeling. He has decades of experience delivering security. His experience ranges across the business world from founding startups to nearly a decade at Microsoft. His accomplishments include: Helped create the CVE. Now an Emeritus member...
Tuesday May 27, 2025 9:00am - 5:00pm CEST
Room 121

9:00am CEST

2-Day Training: Application Security Training with Jim Manico
Tuesday May 27, 2025 9:00am - 5:00pm CEST
To register, please purchase your training ticket here. Training and conference are two separate ticket purchases.

Core Modules
00-00 Intro to App Security
00-01 Input Validation Basics
00-02 HTTP Security Basics
00-03 SOP and CORS
00-04 API and REST Security
00-05 Microservice Security
00-06 JSON Web Tokens
00-07 SQL and Other Injections
00-08 Cross-Site Request Forgery - CSRF Defenses for Various Architectures
00-09 File Upload and File I/O Security - Secure File Upload, File I/O Security
00-10 Deserialization Security - Safe Deserialization Practices
00-11 Artificial Intelligence Security - Securing AI Implementations, Full Course
00-12 Third-Party Library Security Management - Ensuring Third-Party Library Security
00-13 Introduction to Cloud Security - Basics of Cloud Security Management
00-14 Intro to iOS and Android Security - Mobile Security Fundamentals

Standards
01-00 OWASP Top Ten - Top Ten Web Security Risks
01-01 Intro to GDPR - European Data Privacy Law
01-02 OWASP ASVS - Comprehensive Secure Coding Standard
01-03 OWASP Top Ten Proactive Controls - Web Security Defense Categories
01-04 PCI Secure SDLC Standard - Credit Card SDLC Requirements

User Interface Security
02-00 XSS Defense - Client-Side Web Security
02-01 Content Security Policy - Advanced Client-Side Web Security
02-02 Content Spoofing and HTML Hacking - HTML Client-Side Injection Attacks
02-03 React Security - Secure React Application Development
02-04 Vue.js Security - Secure Vue.js Application Development
02-05 Angular and AngularJS Security - Secure Angular App Development
02-06 Clickjacking - UI Redress Attack Defense

Identity & Access Management
03-01 Authentication Best Practices - Web Authentication Practices
03-02 Session Management Best Practices - Web Session Management Practices
03-03 Multi-Factor Authentication - NIST SP-800-63 Compliant MFA Implementation
03-04 Secure Password Policy and Storage - Secure User Password Policy and Storage
03-05 Access Control Design - ABAC/Capabilities-Based Access Control
03-06 OAuth2 Security - OAuth2 Authorization Protocol
03-07 OpenID Connect Security - OpenID Connect Federation Protocol

Crypto Modules
04-00 Secrets Management - Key and Credential Storage Strategies
04-01 HTTPS/TLS Best Practices - Transport Security Introduction
04-02 Cryptography Fundamentals - Part 1 - Terminology, Steganography, Attacks, Kerckhoffs's Principle, PFC
04-03 Cryptography Fundamentals - Part 2 - Hash Functions, Symmetric Cryptography, Randomness, Digital Signatures

Process
05-00 DevOps Best Practices - DevOps and DevSecOps with a CD/CI Focus
05-01 Secure SDLC and AppSec Management - Managing Secure Software Processes

Additional Topics
06-00 User and Helpdesk Awareness Training - Security Awareness for Non-Technical Staff
06-01 Social Engineering for Developers - Developer Protection Against Social Engineering
06-02 App Layer Intrusion Detection - Detecting App Layer Attacks
06-03 Threat Modeling Fundamentals - Security Design via Threat Modeling
06-04 Forms and Workflows Security - Secure Handling of Complex Forms
06-05 Java 8/9/10/11/12/13+ Security Controls - Java Security Advances
06-06 Logging and Monitoring Security - Security-Focused Logging
06-07 Subdomain Takeover - Preventing Subdomain Takeover Scenarios
06-08 Laravel and PHP Security - Focus on PHP Security

Lab Options
07-00 Competitive Web Hacking LABS - Hands-on Web Hacking Labs
07-01 Competitive API Hacking LABS - Hands-on API Hacking Labs
07-02 Secure Coding Knowledge LABS - Hands-on Secure Coding Labs
Speakers

Jim Manico

Founder, Manicode Security
Jim Manico is the founder of Manicode Security, a company dedicated to providing expert training in secure coding and security engineering to software developers. In addition to leading Manicode, Jim is actively involved in the tech-startup ecosystem as an investor and advisor. His...
Tuesday May 27, 2025 9:00am - 5:00pm CEST
Room 122

9:00am CEST

2-Day Training: Building a High-Value App Scanning Programme (2025 Update)
Tuesday May 27, 2025 9:00am - 5:00pm CEST
To register, please purchase your training ticket here. Training and conference are two separate ticket purchases.

You bought the application security tools, you have the findings, but now what? Many organisations find themselves drowning in "possible vulnerabilities", struggling to streamline their processes and not sure how to measure their progress.

If you are involved in using SAST, DAST or SCA tools in your organisation, these may be familiar feelings to you.

In this course, which is being refreshed and updated for 2025, you will learn how to address these problems and more (in a vendor-neutral way).

For 2025, we are putting a particular emphasis on practicality and activities which bring value with topics including the following:

• Customising the tools to focus on your needs
• Building tool processes which fit your business
• Automating workflows using CI/CD without slowing it down
• Showing the value and improvements you are making
• Finding ways to scale triage to cut down noise
• Focusing on fixing what matters in your situation
• Advantages and disadvantages of alternative forms of remediation
• Comparison of the different tool types covered and which you may want to use in different situations.
• The use of Vulnerability Aggregation and ASPMs

To bring the course to life and let you apply what you learn, you will work in teams on table-top exercises where you design processes to cover specific scenarios, explain and justify your decisions to simulated stakeholders and practise prioritising your remediation efforts.

For these exercises, you will work based on specially designed process templates (which we will provide) which you can use afterwards to apply these improvements within your own organisation.

Be ready to work in a group, take part in discussions and present your findings, and leave the course with clear strategies and ideas on how to get less stress and more value from these tools.
Speakers

Josh Grossman

CTO, Bounce Security
Josh Grossman has worked as a consultant in IT and Application Security and Risk for 15 years now, as well as a Software Developer. This has given him an in-depth understanding of how to manage the balance between business needs, developer needs and security needs which goes into...
Tuesday May 27, 2025 9:00am - 5:00pm CEST
Room 123
 
Wednesday, May 28
 

9:00am CEST

2-Day Training: Adam Shostack's Threat Modeling Intensive
Wednesday May 28, 2025 9:00am - 5:00pm CEST
To register, please purchase your training ticket here. Training and conference are two separate ticket purchases.

This hands-on, interactive class will focus on learning to threat model by executing each of the steps. Students will start with a guided threat modeling exercise, and we'll then iterate and break down the skills they're learning in more depth. We'll progress through the Four Questions of Threat Modeling: what are we working on, what can go wrong, what are we going to do about it and did we do a good job. This is capped off with an end-to-end exercise that brings the skills together.
Speakers

Adam Shostack

Founder, Shostack & Associates
Adam Shostack is a leading expert on threat modeling. He has decades of experience delivering security. His experience ranges across the business world from founding startups to nearly a decade at Microsoft. His accomplishments include: Helped create the CVE. Now an Emeritus member...
Wednesday May 28, 2025 9:00am - 5:00pm CEST
Room 121

9:00am CEST

2-Day Training: Application Security Training with Jim Manico
Wednesday May 28, 2025 9:00am - 5:00pm CEST
To register, please purchase your training ticket here. Training and conference are two separate ticket purchases.

Core Modules
00-00 Intro to App Security
00-01 Input Validation Basics
00-02 HTTP Security Basics
00-03 SOP and CORS
00-04 API and REST Security
00-05 Microservice Security
00-06 JSON Web Tokens
00-07 SQL and Other Injections
00-08 Cross-Site Request Forgery - CSRF Defenses for Various Architectures
00-09 File Upload and File I/O Security - Secure File Upload, File I/O Security
00-10 Deserialization Security - Safe Deserialization Practices
00-11 Artificial Intelligence Security - Securing AI Implementations, Full Course
00-12 Third-Party Library Security Management - Ensuring Third-Party Library Security
00-13 Introduction to Cloud Security - Basics of Cloud Security Management
00-14 Intro to iOS and Android Security - Mobile Security Fundamentals

Standards
01-00 OWASP Top Ten - Top Ten Web Security Risks
01-01 Intro to GDPR - European Data Privacy Law
01-02 OWASP ASVS - Comprehensive Secure Coding Standard
01-03 OWASP Top Ten Proactive Controls - Web Security Defense Categories
01-04 PCI Secure SDLC Standard - Credit Card SDLC Requirements

User Interface Security
02-00 XSS Defense - Client-Side Web Security
02-01 Content Security Policy - Advanced Client-Side Web Security
02-02 Content Spoofing and HTML Hacking - HTML Client-Side Injection Attacks
02-03 React Security - Secure React Application Development
02-04 Vue.js Security - Secure Vue.js Application Development
02-05 Angular and AngularJS Security - Secure Angular App Development
02-06 Clickjacking - UI Redress Attack Defense

Identity & Access Management
03-01 Authentication Best Practices - Web Authentication Practices
03-02 Session Management Best Practices - Web Session Management Practices
03-03 Multi-Factor Authentication - NIST SP-800-63 Compliant MFA Implementation
03-04 Secure Password Policy and Storage - Secure User Password Policy and Storage
03-05 Access Control Design - ABAC/Capabilities-Based Access Control
03-06 OAuth2 Security - OAuth2 Authorization Protocol
03-07 OpenID Connect Security - OpenID Connect Federation Protocol

Crypto Modules
04-00 Secrets Management - Key and Credential Storage Strategies
04-01 HTTPS/TLS Best Practices - Transport Security Introduction
04-02 Cryptography Fundamentals - Part 1 - Terminology, Steganography, Attacks, Kerckhoffs's Principle, PFC
04-03 Cryptography Fundamentals - Part 2 - Hash Functions, Symmetric Cryptography, Randomness, Digital Signatures

Process
05-00 DevOps Best Practices - DevOps and DevSecOps with a CD/CI Focus
05-01 Secure SDLC and AppSec Management - Managing Secure Software Processes

Additional Topics
06-00 User and Helpdesk Awareness Training - Security Awareness for Non-Technical Staff
06-01 Social Engineering for Developers - Developer Protection Against Social Engineering
06-02 App Layer Intrusion Detection - Detecting App Layer Attacks
06-03 Threat Modeling Fundamentals - Security Design via Threat Modeling
06-04 Forms and Workflows Security - Secure Handling of Complex Forms
06-05 Java 8/9/10/11/12/13+ Security Controls - Java Security Advances
06-06 Logging and Monitoring Security - Security-Focused Logging
06-07 Subdomain Takeover - Preventing Subdomain Takeover Scenarios
06-08 Laravel and PHP Security - Focus on PHP Security

Lab Options
07-00 Competitive Web Hacking LABS - Hands-on Web Hacking Labs
07-01 Competitive API Hacking LABS - Hands-on API Hacking Labs
07-02 Secure Coding Knowledge LABS - Hands-on Secure Coding Labs
Speakers

Jim Manico

Founder, Manicode Security
Jim Manico is the founder of Manicode Security, a company dedicated to providing expert training in secure coding and security engineering to software developers. In addition to leading Manicode, Jim is actively involved in the tech-startup ecosystem as an investor and advisor. His...
Wednesday May 28, 2025 9:00am - 5:00pm CEST
Room 122

9:00am CEST

2-Day Training: Building a High-Value App Scanning Programme (2025 Update)
Wednesday May 28, 2025 9:00am - 5:00pm CEST
To register, please purchase your training ticket here. Training and conference are two separate ticket purchases.

You bought the application security tools, you have the findings, but now what? Many organisations find themselves drowning in "possible vulnerabilities", struggling to streamline their processes and not sure how to measure their progress.

If you are involved in using SAST, DAST or SCA tools in your organisation, these may be familiar feelings to you.

In this course, which is being refreshed and updated for 2025, you will learn how to address these problems and more (in a vendor-neutral way).

For 2025, we are putting a particular emphasis on practicality and activities which bring value with topics including the following:

• Customising the tools to focus on your needs
• Building tool processes which fit your business
• Automating workflows using CI/CD without slowing it down
• Showing the value and improvements you are making
• Finding ways to scale triage to cut down noise
• Focusing on fixing what matters in your situation
• Advantages and disadvantages of alternative forms of remediation
• Comparison of the different tool types covered and which you may want to use in different situations.
• The use of Vulnerability Aggregation and ASPMs

To bring the course to life and let you apply what you learn, you will work in teams on table-top exercises where you design processes to cover specific scenarios, explain and justify your decisions to simulated stakeholders and practise prioritising your remediation efforts.

For these exercises, you will work based on specially designed process templates (which we will provide) which you can use afterwards to apply these improvements within your own organisation.

Be ready to work in a group, take part in discussions and present your findings, and leave the course with clear strategies and ideas on how to get less stress and more value from these tools.
Speakers

Josh Grossman

CTO, Bounce Security
Josh Grossman has worked as a consultant in IT and Application Security and Risk for 15 years now, as well as a Software Developer. This has given him an in-depth understanding of how to manage the balance between business needs, developer needs and security needs which goes into...
Wednesday May 28, 2025 9:00am - 5:00pm CEST
Room 123
 