AppSec California 2020, January 21-24 at the Annenberg Beach House, Santa Monica, CA
Tuesday, January 21 • 9:00am - 5:00pm
Hacking for DevOps & Technologists [Day 1 of 2]

Sign up or log in to save this to your schedule, view media, leave feedback and see who's attending!

Feedback form is now closed.
Two days of happy hacking joy, learning by doing hands-on labs learning and attacking. A smile will spread across your face as you explore weaknesses in IT systems, applications and web apps, IoT devices, protocols and ICS/SCADA systems. If the ever-connected world gives you vulnerable targets, hack all the things. The OWASP Top Ten will be the focus over a variety of different types of vulnerabilities from a hacker perspective, moving beyond the white hat tester mentality. Threat modelling Underground economies and markets where intellectual property and data are sold.

Discussing the reality of the economic consequences of exploitable technology from terrorism to cyber warfare. Who knew software vulnerabilities could lead to some crazy nation on nation shi*t? You'll learn how to find some serious issues and exploit that code so hard the original developer or vendor will feel it.

You’ll jump right in and learn with a customized Kali pen testing operating system. Using OWASP ZAP,
BeEF, Metasploit, Nmap, Recon NG, Nessus, Nikto, Maltego, Shodan, Censys, alternative search
engines, OSINT, SpiderFoot and metadata tools. Finding exploitable systems, scanning, sniffing for
credentials, XSS reflected and stored attacks, attacking browsers via JavaScript, SQL injection, CSRF,
data leaks, replay attacks, exploiting vulnerable operating systems, applications, websites, embedded
systems and critical infrastructure ICS/SCADA. How attackers cover their tracks and take advantage of
insufficient logging and monitoring. How attackers discover then pivot from one weak system to
another, burrowing deep into an organisation to steal intellectual property, data or anything of juicy

Expectations and Goals
Discover vulnerabilities, data leaks, insecure systems and devices using the tools and techniques in the
Approach technology and security controls from an attacker and black hat hacker perspective.
Understand the OWASP Top Ten and threat modeling with IT, IOT and ICS/SCADA systems.
Recognize patterns in observations of weak and risky systems and applications and construct threat
models to explain the jeopardy.

Required Materials
Attendees must bring a curious mind and some technology. Caution, using a Windows 10 host operating
system can sometimes be problematic due to various auto-protection mechanisms in place by
Microsoft. Mac/Apple operating systems can be used as a host but try to use the VM Fusion 64-bit
  • Laptop with administrative privileges and 8 GB of RAM with 100 GB hard disk free
  • Installation of VM Ware Player or Fusion
  • Network connection, RJ45 and can be a USB to RJ45
  • API keys and accounts setup in advance for the course
  • Bring your own hoodie

Optional Materials
Want to add more tables to your document that look like the Course Schedule and Exam Schedule
tables that follow? Nothing could be easier. On the Insert tab, just select Table to add a new table.
New tables you create in this template are automatically formatted to match.

Required Text
OWASP Version 4 Testing Guide PDF, OWASP (Free)
Course Workbook (Provided) Print, Chris Kubecka
Hack the World with OSINT (Provided)

Course Schedule (Tentative)
Day 1
Day 1 Introduction to course & Attendees
Setup of lab machines
Hacker/Pen Tester/Nation State mentalities
Reconnaissance 1
OSINT tool setup
Reconnaissance 2
Reconnaissance 3

Victim & attack machine(s), API keys
Document overview & mission objectives
OWASP Guide introduction with framework
Examples & introduction to methodology
OWASP ZAP, Metasploit, Nmap, SpiderFoot,
Nikto, Maltego, etc.
Hands-on passive OSINT
Hands-on direct OSINT

Upon Completion of this training, attendees will know

How attackers cover their tracks and take advantage of insufficient
logging and monitoring
How attackers discover then pivot from one weak system to another,
burrowing deep into an organization to steal intellectual property,
data or anything of juicy value
Basic understanding of IT/ IOT/ ICS protocols
Web application testing from a sophisticated attacker point of view
Nation-state attack techniques and tools

avatar for Chris Kubecka

Chris Kubecka

CEO, Hypasec
The founder and CEO of HypaSec, Chris is an expert advisor and panelist for several governmentsand parliaments. She was head of the Information Protection Group for the Aramco family. Chris assumed the role with Aramco in order to respond and recover from a nation-state attack, Shamoon... Read More →

Tuesday January 21, 2020 9:00am - 5:00pm PST
Guest House Parlor