OWASP 2025 Global AppSec EU

This hands-on, interactive class will focus on learning to threat model by executing each of the steps. Students will start with a guided threat modeling exercise, and we'll then iterate and break down the skills they're learning in more depth. We'll progressing through the Four Questions of Threat Modeling: what are we working on, what can go wrong, what are we going to do about it and did we do a good job. This is capped off with an end-to-end exercise that brings the skills together.

Core Modules
00-00 Intro to App Security
00-01 Input Validation Basics
00-02 HTTP Security Basics
00-03 SOP and CORS
00-04 API and REST Security
00-05 Microservice Security
00-06 JSON Web Tokens
00-07 SQL and Other Injections
00-08 Cross-Site Request Forgery - CSRF Defenses for Various Architectures
00-09 File Upload and File I/O Security - Secure File Upload, File I/O Security
00-10 Deserialization Security - Safe Deserialization Practices
00-11 Artificial Intelligence Security - Securing AI Implementations, Full Course
00-12 Third-Party Library Security Management - Ensuring Third-Party Library Security
00-13 Introduction to Cloud Security - Basics of Cloud Security Management
00-14 Intro to iOS and Android Security - Mobile Security Fundamentals

Standards
01-00 OWASP Top Ten - Top Ten Web Security Risks
01-01 Intro to GDPR - European Data Privacy Law
01-02 OWASP ASVS - Comprehensive Secure Coding Standard
01-03 OWASP Top Ten Proactive Controls - Web Security Defense Categories
01-04 PCI Secure SDLC Standard - Credit Card SDLC Requirements

User Interface Security
02-00 XSS Defense - Client-Side Web Security
02-01 Content Security Policy - Advanced Client-Side Web Security
02-02 Content Spoofing and HTML Hacking - HTML Client-Side Injection Attacks
02-03 React Security - Secure React Application Development
02-04 Vue.js Security - Secure Vue.js Application Development
02-05 Angular and AngularJS Security - Secure Angular App Development
02-06 Clickjacking - UI Redress Attack Defense

Identity & Access Management
03-01 Authentication Best Practices - Web Authentication Practices
03-02 Session Management Best Practices - Web Session Management Practices
03-03 Multi-Factor Authentication - NIST SP-800-63 Compliant MFA Implementation
03-04 Secure Password Policy and Storage - Secure User Password Policy and Storage
03-05 Access Control Design - ABAC/Capabilities-Based Access Control
03-06 OAuth2 Security - OAuth2 Authorization Protocol
03-07 OpenID Connect Security - OpenID Connect Federation Protocol

Crypto Modules
04-00 Secrets Management - Key and Credential Storage Strategies
04-01 HTTPS/TLS Best Practices - Transport Security Introduction
04-02 Cryptography Fundamentals - Part 1 - Terminology, Steganography, Attacks, Kerchoff's Principle, PFC
04-03 Cryptography Fundamentals - Part 2 - Hash Functions, Symmetric Cryptography, Randomness, Digital Signatures

Process
05-00 DevOps Best Practices - DevOps and DevSecOps with a CD/CI Focus
05-01 Secure SDLC and AppSec Management - Managing Secure Software Processes

Additional Topics
06-00 User and Helpdesk Awareness Training - Security Awareness for Non-Technical Staff
06-01 Social Engineering for Developers - Developer Protection Against Social Engineering
06-02 App Layer Intrusion Detection - Detecting App Layer Attacks
06-03 Threat Modeling Fundamentals - Security Design via Threat Modeling
06-04 Forms and Workflows Security - Secure Handling of Complex Forms
06-05 Java 8/9/10/11/12/13+ Security Controls - Java Security Advances
06-06 Logging and Monitoring Security - Security-Focused Logging
06-07 Subdomain Takeover - Preventing Subdomain Takeover Scenarios
06-08 Laravel and PHP Security - Focus on PHP Security

Lab Options
07-00 Competitive Web Hacking LABS - Hands-on Web Hacking Labs
07-01 Competitive API Hacking LABS - Hands-on API Hacking Labs
07-02 Secure Coding Knowledge LABS - Hands-on Secure Coding Labs

This training takes a comprehensive, focused and practical approach at implementing DevSecOps Practices with a focus on Application Security Automation. The training is a glued-to-your-keyboard hands-on journey with labs that are backed by practical examples of DevSecOps and AppSec Automation.

The Training starts with a view of DevSecOps and AppSec Automation, specifically in terms of embedding security activities in multiple stages of the Software Development Lifecycle. Subsequently, the training delves into specific Application Security Automation approaches for SAST, SCA and Supply-Chain Security, DAST and Integration of these tools into CI/CD tools and Automation Pipelines.

You bought the application security tools, you have the findings, but now what? Many organisations find themselves drowning in "possible vulnerabilities", struggling to streamline their processes and not sure how to measure their progress.

If you are involved in using SAST, DAST or SCA tools in your organisation, these may be familiar feelings to you.

In this course, which is being refreshed and updated for 2025, you will learn how to address these problems and more (in a vendor-neutral way)

For 2025, we are putting a particular emphasis on practicality and activities which bring value with topics including the following:

• Customising the tools to focus on your needs
• Building tool processes which fit your business
• Automating workflows using CI/CD without slowing it down
• Showing the value and improvements you are making
• Finding ways to scale triage to cut down noise
• Focusing on fixing what matters in your situation
• Advantages and disadvantages of alternative forms of remediation
• Comparison of the different tool types covered and which you may want to use in different situations.
• The use of Vulnerability Aggregation and ASPMs

To bring the course to life and let you apply what you learn, you will work in teams on table-top exercises where you design processes to cover specific scenarios, explain and justify your decisions to simulated stakeholders and practice prioritising your remediation efforts.

For these exercises, you will work based on specially designed process templates (which we will provide) which you can use afterwards to apply these improvements within your own organisation.

Be ready to work in a group, take part in discussions and present your findings and leave the course with clear strategies and ideas on how to get less stress and more value from these tools.

This course is a 100% hands-on deep dive into the OWASP Security Testing Guide and relevant items of the OWASP Application Security Verification Standard (ASVS), so this course covers and goes beyond the OWASP Top Ten.

Long are the days since web servers were run by perl scripts apps written in Delphi. What is common between Walmart, eBay, PayPal, Microsoft, LinkedIn, Google and Netflix? They all use Node.js: JavaScript on the server.

Modern Web apps share traditional attack vectors and also introduce new opportunities to threat actors. This course will teach you how to review modern web apps, showcasing Node.js but using techniques that will also work against any other web app platform. Ideal for Penetration Testers, Web app Developers as well as everybody interested in JavaScript/Node.js and Modern app stack security.

Get a FREE taste for this training, including access to video recording, slides and vulnerable apps to play with:
1 hour workshop - https://7asecurity.com/free-workshop-web-apps

All action, no fluff, improve your security analysis workflow and immediately apply these gained skills in your workplace, packed with exercises, extra mile challenges and CTF, self-paced and suitable for all skill levels, with continued education via unlimited email support, lifetime access, step-by-step video recordings and interesting apps to practice, including all future updates for free.

Privacy is hot! This course will teach you this in-demand skillset and give you hands-on experience with privacy challenges, guiding you to combine Privacy by Design with your security practice.

Our lives are becoming more and more digitized, resulting in a lot of personal data floating around in the cloud. Now, many organizations are keen to use personal data for marketing, personalization or monetization, however, all this personal data comes with increased risk and surprising impact. Noone wants to find out that their daughter is pregnant from the department store ads…

Moreover, data protection legislation is forcing companies to integrate a technical approach for privacy into system design. With ever higher demands for privacy-respecting products, security teams have implicitly gained additional responsibilities and are hard pressed to keep up with these emerging requirements and often feel like there is a substantial and growing skills gap. Incorporating privacy into security with a proactive approach is essential to addressing this!

Traditional security approaches have historically not focused on this aspect of data protection, leaving individuals at risk. While common compliance and governance aspects of privacy are important, the technical aspects of privacy engineering are substantially more challenging - and that is the primary focus of this course.

This interactive technical course will teach you privacy analysis skills that are valuable to security teams. You can leverage your existing security skills with just a shift of mindset, since privacy largely shares the same foundation as security. We will teach you how common security techniques, such as architecture specification, threat modeling, and mitigation design, can be adapted for privacy. You will learn to capture how sensitive data flows through the system, and identify and mitigate high impact privacy issues in the software system. This will enable you to build privacy into the core of the product design and development process, while aligning it efficiently with security practices.

The course will cover these main topics:
- Privacy engineering essentials
- Privacy architecture & feature analysis
- Data inventory, mapping, and tagging
- Privacy threats (e.g. LINDDUN)
- Privacy controls, mitigations, and technologies
- Full privacy process

Each of these topics will be taught in an engaging, interactive format, with plenty of hands-on, collaborative exercises. We will teach you both the technical skills and social aspects essential for successful privacy engineering. This will include an assortment of relevant scenarios for each module, realistic simulations of popular upcoming features, diagramming tasks, and open debates. You will gain confidence using proven design techniques in order to improve the privacy posture of your system. In each module, you'll gain hands-on privacy experience through a set of exercises and class discussions.

We received rave reviews on our previous delivery of this course, for example:
- "If you're looking for a challenging, in-depth Privacy course which focuses on the technical aspects, look no further. Yes, it's only a 2-day course, but during that time, you'll take a deep dive into threat modelling, architecture, and other aspects required for ensuring Privacy is included in the SDLC."

This hands-on, interactive class will focus on learning to threat model by executing each of the steps. Students will start with a guided threat modeling exercise, and we'll then iterate and break down the skills they're learning in more depth. We'll progressing through the Four Questions of Threat Modeling: what are we working on, what can go wrong, what are we going to do about it and did we do a good job. This is capped off with an end-to-end exercise that brings the skills together.

Core Modules
00-00 Intro to App Security
00-01 Input Validation Basics
00-02 HTTP Security Basics
00-03 SOP and CORS
00-04 API and REST Security
00-05 Microservice Security
00-06 JSON Web Tokens
00-07 SQL and Other Injections
00-08 Cross-Site Request Forgery - CSRF Defenses for Various Architectures
00-09 File Upload and File I/O Security - Secure File Upload, File I/O Security
00-10 Deserialization Security - Safe Deserialization Practices
00-11 Artificial Intelligence Security - Securing AI Implementations, Full Course
00-12 Third-Party Library Security Management - Ensuring Third-Party Library Security
00-13 Introduction to Cloud Security - Basics of Cloud Security Management
00-14 Intro to iOS and Android Security - Mobile Security Fundamentals

Standards
01-00 OWASP Top Ten - Top Ten Web Security Risks
01-01 Intro to GDPR - European Data Privacy Law
01-02 OWASP ASVS - Comprehensive Secure Coding Standard
01-03 OWASP Top Ten Proactive Controls - Web Security Defense Categories
01-04 PCI Secure SDLC Standard - Credit Card SDLC Requirements

User Interface Security
02-00 XSS Defense - Client-Side Web Security
02-01 Content Security Policy - Advanced Client-Side Web Security
02-02 Content Spoofing and HTML Hacking - HTML Client-Side Injection Attacks
02-03 React Security - Secure React Application Development
02-04 Vue.js Security - Secure Vue.js Application Development
02-05 Angular and AngularJS Security - Secure Angular App Development
02-06 Clickjacking - UI Redress Attack Defense

Identity & Access Management
03-01 Authentication Best Practices - Web Authentication Practices
03-02 Session Management Best Practices - Web Session Management Practices
03-03 Multi-Factor Authentication - NIST SP-800-63 Compliant MFA Implementation
03-04 Secure Password Policy and Storage - Secure User Password Policy and Storage
03-05 Access Control Design - ABAC/Capabilities-Based Access Control
03-06 OAuth2 Security - OAuth2 Authorization Protocol
03-07 OpenID Connect Security - OpenID Connect Federation Protocol

Crypto Modules
04-00 Secrets Management - Key and Credential Storage Strategies
04-01 HTTPS/TLS Best Practices - Transport Security Introduction
04-02 Cryptography Fundamentals - Part 1 - Terminology, Steganography, Attacks, Kerchoff's Principle, PFC
04-03 Cryptography Fundamentals - Part 2 - Hash Functions, Symmetric Cryptography, Randomness, Digital Signatures

Process
05-00 DevOps Best Practices - DevOps and DevSecOps with a CD/CI Focus
05-01 Secure SDLC and AppSec Management - Managing Secure Software Processes

Additional Topics
06-00 User and Helpdesk Awareness Training - Security Awareness for Non-Technical Staff
06-01 Social Engineering for Developers - Developer Protection Against Social Engineering
06-02 App Layer Intrusion Detection - Detecting App Layer Attacks
06-03 Threat Modeling Fundamentals - Security Design via Threat Modeling
06-04 Forms and Workflows Security - Secure Handling of Complex Forms
06-05 Java 8/9/10/11/12/13+ Security Controls - Java Security Advances
06-06 Logging and Monitoring Security - Security-Focused Logging
06-07 Subdomain Takeover - Preventing Subdomain Takeover Scenarios
06-08 Laravel and PHP Security - Focus on PHP Security

Lab Options
07-00 Competitive Web Hacking LABS - Hands-on Web Hacking Labs
07-01 Competitive API Hacking LABS - Hands-on API Hacking Labs
07-02 Secure Coding Knowledge LABS - Hands-on Secure Coding Labs

This training takes a comprehensive, focused and practical approach at implementing DevSecOps Practices with a focus on Application Security Automation. The training is a glued-to-your-keyboard hands-on journey with labs that are backed by practical examples of DevSecOps and AppSec Automation.

The Training starts with a view of DevSecOps and AppSec Automation, specifically in terms of embedding security activities in multiple stages of the Software Development Lifecycle. Subsequently, the training delves into specific Application Security Automation approaches for SAST, SCA and Supply-Chain Security, DAST and Integration of these tools into CI/CD tools and Automation Pipelines.

You bought the application security tools, you have the findings, but now what? Many organisations find themselves drowning in "possible vulnerabilities", struggling to streamline their processes and not sure how to measure their progress.

If you are involved in using SAST, DAST or SCA tools in your organisation, these may be familiar feelings to you.

In this course, which is being refreshed and updated for 2025, you will learn how to address these problems and more (in a vendor-neutral way)

For 2025, we are putting a particular emphasis on practicality and activities which bring value with topics including the following:

• Customising the tools to focus on your needs
• Building tool processes which fit your business
• Automating workflows using CI/CD without slowing it down
• Showing the value and improvements you are making
• Finding ways to scale triage to cut down noise
• Focusing on fixing what matters in your situation
• Advantages and disadvantages of alternative forms of remediation
• Comparison of the different tool types covered and which you may want to use in different situations.
• The use of Vulnerability Aggregation and ASPMs

To bring the course to life and let you apply what you learn, you will work in teams on table-top exercises where you design processes to cover specific scenarios, explain and justify your decisions to simulated stakeholders and practice prioritising your remediation efforts.

For these exercises, you will work based on specially designed process templates (which we will provide) which you can use afterwards to apply these improvements within your own organisation.

Be ready to work in a group, take part in discussions and present your findings and leave the course with clear strategies and ideas on how to get less stress and more value from these tools.

This course is a 100% hands-on deep dive into the OWASP Security Testing Guide and relevant items of the OWASP Application Security Verification Standard (ASVS), so this course covers and goes beyond the OWASP Top Ten.

Long are the days since web servers were run by perl scripts apps written in Delphi. What is common between Walmart, eBay, PayPal, Microsoft, LinkedIn, Google and Netflix? They all use Node.js: JavaScript on the server.

Modern Web apps share traditional attack vectors and also introduce new opportunities to threat actors. This course will teach you how to review modern web apps, showcasing Node.js but using techniques that will also work against any other web app platform. Ideal for Penetration Testers, Web app Developers as well as everybody interested in JavaScript/Node.js and Modern app stack security.

Get a FREE taste for this training, including access to video recording, slides and vulnerable apps to play with:
1 hour workshop - https://7asecurity.com/free-workshop-web-apps

All action, no fluff, improve your security analysis workflow and immediately apply these gained skills in your workplace, packed with exercises, extra mile challenges and CTF, self-paced and suitable for all skill levels, with continued education via unlimited email support, lifetime access, step-by-step video recordings and interesting apps to practice, including all future updates for free.

Privacy is hot! This course will teach you this in-demand skillset and give you hands-on experience with privacy challenges, guiding you to combine Privacy by Design with your security practice.

Our lives are becoming more and more digitized, resulting in a lot of personal data floating around in the cloud. Now, many organizations are keen to use personal data for marketing, personalization or monetization, however, all this personal data comes with increased risk and surprising impact. Noone wants to find out that their daughter is pregnant from the department store ads…

Moreover, data protection legislation is forcing companies to integrate a technical approach for privacy into system design. With ever higher demands for privacy-respecting products, security teams have implicitly gained additional responsibilities and are hard pressed to keep up with these emerging requirements and often feel like there is a substantial and growing skills gap. Incorporating privacy into security with a proactive approach is essential to addressing this!

Traditional security approaches have historically not focused on this aspect of data protection, leaving individuals at risk. While common compliance and governance aspects of privacy are important, the technical aspects of privacy engineering are substantially more challenging - and that is the primary focus of this course.

This interactive technical course will teach you privacy analysis skills that are valuable to security teams. You can leverage your existing security skills with just a shift of mindset, since privacy largely shares the same foundation as security. We will teach you how common security techniques, such as architecture specification, threat modeling, and mitigation design, can be adapted for privacy. You will learn to capture how sensitive data flows through the system, and identify and mitigate high impact privacy issues in the software system. This will enable you to build privacy into the core of the product design and development process, while aligning it efficiently with security practices.

The course will cover these main topics:
- Privacy engineering essentials
- Privacy architecture & feature analysis
- Data inventory, mapping, and tagging
- Privacy threats (e.g. LINDDUN)
- Privacy controls, mitigations, and technologies
- Full privacy process

Each of these topics will be taught in an engaging, interactive format, with plenty of hands-on, collaborative exercises. We will teach you both the technical skills and social aspects essential for successful privacy engineering. This will include an assortment of relevant scenarios for each module, realistic simulations of popular upcoming features, diagramming tasks, and open debates. You will gain confidence using proven design techniques in order to improve the privacy posture of your system. In each module, you'll gain hands-on privacy experience through a set of exercises and class discussions.

We received rave reviews on our previous delivery of this course, for example:
- "If you're looking for a challenging, in-depth Privacy course which focuses on the technical aspects, look no further. Yes, it's only a 2-day course, but during that time, you'll take a deep dive into threat modelling, architecture, and other aspects required for ensuring Privacy is included in the SDLC."