Schedule & Trainings
Training is subject to change based on trainer availability and on meeting the number of students each trainer requests.
Pricing €850 - €2550
Adam Shostack's Threat Modeling Intensive - 2 Day Training
- This hands-on, interactive class will focus on learning to threat model by executing each of the steps. Students will start with a guided threat modeling exercise, and we'll then iterate and break down the skills they're learning in more depth. We'll progress through the Four Questions of Threat Modeling: what are we working on, what can go wrong, what are we going to do about it, and did we do a good job. This is capped off with an end-to-end exercise that brings the skills together.
Application Security Training with Jim Manico - 3 Day Training
- **In-person or online Training option available**
Core Modules
- 00-00 Introduction to Application Security - Goals and Threats in AppSec
- 00-01 Input Validation Basics - Allowlist Validation, Safe Redirects
- 00-02 HTTP Security Basics - Response/Request Headers, Verbs, Secure Transport Basics
- 00-03 SOP and CORS - Same-Origin Policy, Cross-Origin Resource Sharing Security
- 00-04 API and REST Security - REST Design, XML, XXE, JSON, API Access Control
- 00-05 Microservice Security - Security Architectures in Microservices
- 00-06 JSON Web Tokens - Addressing JWT Security Challenges
- 00-07 SQL and Other Injections - Parameterized Queries, Secure Database Configurations, Command Injection
- 00-08 Cross-Site Request Forgery - CSRF Defenses for Various Architectures
- 00-09 File Upload and File I/O Security - Secure File Upload, File I/O Security
- 00-10 Deserialization Security - Safe Deserialization Practices
- 00-11 Artificial Intelligence Security - Securing AI Implementations, Full Course
- 00-12 Third-Party Library Security Management - Ensuring Third-Party Library Security
- 00-13 Introduction to Cloud Security - Basics of Cloud Security Management
- 00-14 Introduction to iOS and Android Security - Mobile Security Fundamentals
Standards
- 01-00 OWASP Top Ten - Top Ten Web Security Risks
- 01-01 Introduction to GDPR - European Data Privacy Law
- 01-02 OWASP ASVS - Comprehensive Secure Coding Standard
- 01-03 OWASP Top Ten Proactive Controls - Web Security Defense Categories
- 01-04 PCI Secure SDLC Standard - Credit Card SDLC Requirements
User Interface Security
- 02-00 XSS Defense - Client-Side Web Security
- 02-01 Content Security Policy - Advanced Client-Side Web Security
- 02-02 Content Spoofing and HTML Hacking - HTML Client-Side Injection Attacks
- 02-03 React Security - Secure React Application Development
- 02-04 Vue.js Security - Secure Vue.js Application Development
- 02-05 Angular and AngularJS Security - Secure Angular Application Development
- 02-06 Clickjacking - UI Redress Attack Defense
Identity & Access Management
- 03-01 Authentication Best Practices - Web Authentication Practices
- 03-02 Session Management Best Practices - Web Session Management Practices
- 03-03 Multi-Factor Authentication - NIST SP-800-63 Compliant MFA Implementation
- 03-04 Secure Password Policy and Storage - Secure User Password Policy and Storage
- 03-05 Access Control Design - ABAC/Capabilities-Based Access Control
- 03-06 OAuth2 Security - OAuth2 Authorization Protocol
- 03-07 OpenID Connect Security - OpenID Connect Federation Protocol
Crypto Modules
- 04-00 Secrets Management - Key and Credential Storage Strategies
- 04-01 HTTPS/TLS Best Practices - Transport Security Introduction
- 04-02 Cryptography Fundamentals - Part 1 - Terminology, Steganography, Attacks, Kerckhoffs's Principle, PFC
- 04-03 Cryptography Fundamentals - Part 2 - Hash Functions, Symmetric Cryptography, Randomness, Digital Signatures
Process
- 05-00 DevOps Best Practices - DevOps and DevSecOps with a CD/CI Focus
- 05-01 Secure SDLC and AppSec Management - Managing Secure Software Processes
Additional Topics
- 06-00 User and Helpdesk Awareness Training - Security Awareness for Non-Technical Staff
- 06-01 Social Engineering for Developers - Developer Protection Against Social Engineering
- 06-02 Application Layer Intrusion Detection - Detecting App Layer Attacks
- 06-03 Threat Modeling Fundamentals - Security Design via Threat Modeling
- 06-04 Forms and Workflows Security - Secure Handling of Complex Forms
- 06-05 Java 8/9/10/11/12/13+ Security Controls - Java Security Advances
- 06-06 Logging and Monitoring Security - Security-Focused Logging
- 06-07 Subdomain Takeover - Preventing Subdomain Takeover Scenarios
- 06-08 Laravel and PHP Security - Focus on PHP Security
Lab Options
- 07-00 Competitive Web Hacking LABS - Hands-on Web Hacking Labs
- 07-01 Competitive API Hacking LABS - Hands-on API Hacking Labs
- 07-02 Secure Coding Knowledge LABS - Hands-on Secure Coding Labs
Building a High-Value AppSec Scanning Programme - 2 Day Training
- You bought the application security tools, you have the findings, but now what? Many organisations find themselves drowning in “possible vulnerabilities”, struggling to streamline their processes and not sure how to measure their progress.
If you are involved in using SAST, DAST or SCA tools in your organisation, these may be familiar feelings to you. In this course you will learn how to address these problems and more (in a vendor-neutral way), with topics including the following:
- What to expect from these tools?
- Customising and optimising these tools effectively
- Building tool processes which fit your business
- Automating workflows using CI/CD without slowing it down
- Showing the value and improvements you are making
- Faster and easier triage through smart filtering
- How to focus on fixing what matters and cut down noise
- Techniques for various alternative forms of remediation
- Comparison of the different tool types covered
To bring the course to life and let you apply what you learn, you will work in teams on table-top exercises where you design processes to cover specific scenarios, explain and justify your decisions to simulated stakeholders and practice prioritising your remediation efforts.
For these exercises, you will work based on specially designed process templates (which we will provide) which you can use afterwards to apply these improvements within your own organisation.
Be ready to work in a group, take part in discussions and present your findings and leave the course with clear strategies and ideas on how to get less stress and more value from these tools.
See an explanatory video for the course here:
Hacking Android, iOS, and IoT apps by Example - 3 Day Training
- **In person and online training option available**
This course is the culmination of years of experience gained via practical penetration testing of mobile applications as well as countless hours spent in research. We have structured this course around the OWASP Mobile Security Testing Guide (MSTG) and relevant items of the OWASP Mobile Application Security Verification Standard (MASVS), so this course covers and goes beyond the OWASP Mobile Top Ten.
Learn about Android, iOS and IoT app security by improving your mobile security testing kung-fu. Ideal for Penetration Testers, Mobile Developers and everybody interested in mobile app security.
Please note our courses are 100% hands-on: we do not lecture students with boring bullet points and theories; instead we give you practical challenges and help you solve them, teaching you how to troubleshoot common issues and get the most out of this training. As we try to keep both new and advanced students happy, the course is very comprehensive, and we have not met any student able to complete all challenges during the class. Training therefore continues after the course through our frequently updated training portal, for which you keep lifetime access, as well as unlimited email support. All action, no fluff: improve your security analysis workflow and immediately apply the skills you gain in your workplace. The course is packed with exercises, extra-mile challenges and a CTF, is self-paced and suitable for all skill levels, and includes continued education via unlimited email support and lifetime access to the training portal with step-by-step video recordings and interesting apps to practice on, including all future updates for free.
Get a free taste of this training with a 4-hour workshop, including access to the video recording, slides and vulnerable apps to play with: https://7asecurity.com/free-workshop-mobile-practical
Each section starts with a brief introduction to the mobile platform for that section, then continues with a look at static analysis, moves on to dynamic checks, and finishes off with a CTF session to test the skills gained.
- Day 1 - Focused specifically on Android. We start with understanding applications and then deep dive into static and dynamic analysis of the applications at hand. This section is packed with hands-on exercises and CTF-style challenges.
- Day 2 - Focused on iOS. We start with understanding iOS Architecture and various security precautions in place. We then focus on static and dynamic analysis of the applications at hand. The section is filled with hands-on exercises ending with a CTF for more practical fun.
- Day 3 - We cover advanced instrumentation techniques using Frida, Objection, radare2, r2frida, RMS and other tools to overcome assessment challenges and take your skills to the next level. This day will give people a wealth of knowledge in dynamic instrumentation capabilities on Android and iOS.
See an explanatory video for the course here
Intersectional Threat Modeling for Identifying, Ranking, and Mitigating Offline Threats, Risks, and Dangers - 1 Day Training
- This workshop introduces a logic, methodology, and toolset for intersectional, risk-centric, attack-driven threat modeling, tailored to both technical (i.e., computer/network-based) and non-technical practitioners (e.g., journalists, human rights defenders). This approach focuses on promoting proactive harm reduction through a focus on the context-sensitive aspects of human, organizational, and networked digital systems. Backed by dozens of case studies and more than a decade of direct application, this session will help enumerate how ‘technical’ and ‘non-technical’ users can benefit from the logic and methods of threat modeling.
Participants will be challenged to consider their own threat environment and to actively engage with the process through in-session brainstorming activities, risk assessments, and other illustrative exercises. This workshop does not require any technical know-how, but participants should come prepared to investigate and explore their own security challenges. Through a combination of traditional lecture, applied discussion, and hands-on activities participants will engage directly with the process of intersectional threat modeling.
Master AI Security - 1 Day Training
- **In-person or online Training option available**
This training is a unique opportunity to become proficient in the intricate and rapidly evolving field of AI security.
Soon, nearly every digital organization will be deploying systems that incorporate AI. This presents a significant challenge, regardless of whether you are an AppSec specialist, a developer, or a red teamer. What are your responsibilities? What constitutes the new AI attack surface, and what threats emerge from it? What measures can you take to mitigate these emerging risks?
This one-day intensive training program will equip you with the knowledge to tackle these AI-related challenges effectively, enabling you to apply what you learn immediately. Starting with a foundational overview of AI, the course then delivers an exhaustive exploration of the distinctive vulnerabilities AI introduces, the possible attack vectors, and the most current strategies to counteract threats like prompt injection, data poisoning, model theft, evasion, and more. Through practical exercises, you will gain hands-on experience in enacting strong security measures, attacking AI systems, conducting threat modelling on AI, and targeted vulnerability assessments for AI applications.
By day's end, you will possess a thorough comprehension of the core principles and techniques critical to strengthening AI systems. You will have gained practical insights and the confidence to implement cutting-edge AI security measures.
See an explanatory video for the course here:
Practical Privacy by Design - Building Secure Applications that Respect Privacy - 2 Day Training
- Privacy is hot! Now is the time to embrace this in-demand skillset. Believe it or not, privacy will even strengthen your security posture. Join this course now to learn about privacy engineering essentials and practical privacy-by-design approaches. With the lessons we’ll teach you, you’ll be able to effectively integrate privacy in existing security practices!
Consumers are becoming more privacy-aware and expect privacy-oriented products. Likewise, globally emerging data protection legislations are forcing companies to integrate a technical approach for privacy into system design. With ever higher demands for privacy engineering, privacy by design, privacy-respecting systems - and increasing impact from the lack thereof - security teams are hard pressed to keep up with these emerging requirements and often feel like there is a substantial and growing skills gap.
Traditional security approaches do not typically focus on this aspect, leaving individuals at risk. Fortunately, privacy by design does not have to be difficult, and in fact, can be nicely aligned with secure design best practices. Incorporating privacy into security with a proactive approach is essential, and can even become a force multiplier for more secure systems!
This interactive hands-on training will introduce you to common privacy goals, and how these often fail. You'll learn about core privacy engineering fundamentals and get hands-on experience identifying and tackling potential privacy gaps and weaknesses, by leveraging by-design approaches such as threat modeling. As privacy shouldn’t be tackled in isolation, you will learn how to build privacy into the core of the software design and development process, aligned with security practices, showing how to gain increased efficiency and effectiveness in both domains.
The course will cover these main topics:
- Introduction to Privacy Essentials
- Architectural data mapping
- Tracing the functionality
- Overview of Privacy Threat Modeling
- Analyzing for Privacy Threats
- Privacy controls and mitigation strategies
- Putting it all together - Full Privacy Process
Each of these interactive modules will teach you both the technical skills and social aspects essential for successful privacy engineering, explain how they align with corresponding security practices, and highlight how these privacy skills can strengthen your security posture. With plenty of hands-on experience through a set of exercises, class discussions, and productive collaboration, you'll gain confidence to improve the privacy posture of your system using established design techniques, so you can take these practical skills back to your security practice.
See an explanatory video for the course here:
The Dark Side of APIs - the Attacker way to protect software - 1 Day Training
Following a hands-on approach, attendees will be guided into exploiting the ten most common API security risks according to the OWASP API Security Top 10. The security issues will be discussed in-depth, also covering the mitigation. API protocol-specific security issues will be addressed and discussed to cover the most common API protocols. Training sessions are delivered by a security practitioner and OWASP project leader.
Target Audience
API developers, DevSecOps, Pentesters, and systems integrators
Training Program
Part 1
- Introduction to the:
  - Open Web Application Security Project (OWASP)
  - OWASP API Security Project
  - OWASP API Top 10
- The HTTP protocol and how APIs work on top of it
Part 2
For each of the ten most common API security risks - according to the OWASP API Top 10:
- Exploit the vulnerability
- Discuss the security issue, impact, and how to mitigate the risk
- GraphQL-specific security risks
What You’ll Learn
- Relevant OWASP projects and how to use them to write secure code
- HTTP protocol fundamentals and how APIs work on top of it
- In-depth knowledge of the ten most common API security risks
- API protocol-specific risks e.g. GraphQL
- How threat agents exploit API vulnerabilities - tools and techniques
- How to avoid the most common API security issues
Web Application Security Essentials - 3 Day Training
- This course provides the knowledge and resources required to evaluate the security of web applications. The participants, through the understanding of theory and a strong focus on practical exercises, will be able to identify critical vulnerabilities in web applications, understand how exploitation works and learn how to implement the necessary corrective measures.
The course is aligned with the OWASP Top 10 2021, a world-renowned reference document which describes the most critical web application security flaws.
The topics covered include:
- Introduction to Web Application Security
- Technologies used in Web Applications
- The Security Tester Toolkit
- Critical Areas in Web Applications
- Broken Access Control
- Cryptographic Failures
- Injection
- Insecure Design
- Security Misconfiguration
- Vulnerable and Outdated Components
- Identification and Authentication Failures
- Software and Data Integrity Failures
- Security Logging and Monitoring Failures
- Server Side Request Forgery (SSRF)
Format - The course combines theory and hands-on practical exercises. The participants start by learning about web application vulnerabilities. They are then given access to a purpose-built web application environment that contains the bugs and coding errors they have learned about. This provides an ideal ‘real-life’ opportunity to exploit these vulnerabilities in a safe environment.