Schedule & Trainings

Training subject to change based on trainer availability and meeting the number of students per trainer request.


1-day course : $850
2-day course: $1700
3-day course: $2550

All training will be held at the Hyatt Regency San Francisco 5 Embarcadero Center San Francisco, California 94111 United States.

3-day training courses will be held November 14-16
2-day training courses will be held November 15-16
1-day training courses will be held on November 16.

  • Building a High-Value AppSec Scanning Programme (2-day training course 9am-5pm November 15-16)

  • You bought the application security tools, you have the findings, but now what? Many organizations find themselves drowning in “possible vulnerabilities”, struggling to streamline their processes and not sure how to measure their progress. If you are involved in using SAST, DAST or SCA tools in your organization, these may be familiar feelings to you. In this course you will learn how to address these problems and more (in a vendor-neutral way), with topics including:
    • What to expect from these tools?
    • Customizing and optimizing these tools effectively
    • Building tool processes which fit your business
    • Automating workflows using CI/CD without slowing it down.
    • Showing the value and improvements you are making
    • Faster and easier triage through smart filtering
    • How to focus on fixing what matters and cut down noise
    • Techniques for various alternative forms of remediation
    • Building similar processes for penetration testing activities.
    • Comparison of the different tool types covered.
    To bring the course to life and let you apply what you learn, you will work in teams on table-top exercises where you design processes to cover specific scenarios, explain and justify your decisions to simulated stakeholders and practice prioritizing your remediation efforts. For these exercises, you will work based on specially designed process templates (which we will provide) which you can use afterwards to apply these improvements within your own organization. Be ready to work in a group, take part in discussions and present your findings and leave the course with clear strategies and ideas on how to get less stress and more value from these tools.

  • Defense-in-depth engineering (1-day training course 9am-5pm November 16)

  • The 2021 OWASP Top Ten introduced a category “Insecure Design” to focus on risks related to design flaws. In this training, we will focus on building defense-in-depth software. What can we do to proactively architect software to be more resilient to attacks? What type of findings may not be discovered via automated static analysis? How can we design our software to be more friendly during incident response scenarios? This one-day training is perfect for engineers as well as security practitioners that have some familiarity with the OWASP top 10. During this training, we will focus on identifying often-overlooked architectural anti-patterns and vulnerabilities to be on the lookout for. We will utilize source code review to analyze patterns for improvement in both real-world applications as well as intentionally vulnerable applications. Every interactive exercise will involve discovering concerns and writing code to engineer solutions. The course will wrap up with real-world vulnerability analysis of open-source software with an effort to help provide more secure architectural recommendations for these projects. Engineers will leave this training with a solid understanding of defense-in-depth software architecture and design. Security engineers or consultants can expect to leave with an increased understanding of insecure design patterns and vulnerabilities.

  • Doing DevSecOps with OWASP Projects (2-day training course 9am-5pm November 15-16)

  • You're tasked with 'doing AppSec' for your company and you've got more apps and issues than you know how to deal with. This training course will help you make sense of the chaos and all with open source projects from OWASP at DevSecOps speeds. This two-day hands-on course consists of a series of lectures and corresponding labs which demonstrate practical use of OWASP projects based on past use in real AppSec teams. Knowing that AppSec team size is usually the most critical constraint, the training will cover how to automate the repetitive things allowing you to spend time on things that require the human brain. Be prepared to return to your company with a whole new arsenal of tools and techniques to make your AppSec efforts more successful by adding automation and OWASP projects running at the speed of DevSecOps. With over 20+ years of experience, the trainer provides pragmatic and well-tested advice on being successful rather than theoretical 'best practices'.

  • Hacking Modern Web & Desktop Apps (3-day training course 9am-5pm November 14-16)

  • This course is a 100% hands-on deep dive into the OWASP Security Testing Guide and relevant items of the OWASP Application Security Verification Standard (ASVS), so this course covers and goes beyond the OWASP Top Ten. Long are the days since web servers were run by perl scripts and desktop apps written in Delphi. What is common between Walmart, eBay, PayPal, Microsoft, LinkedIn, Google and Netflix? They all use Node.js: JavaScript on the server. What is common between Microsoft Teams, Skype, Bitwarden, Slack and Discord? All of them are written in Electron: JavaScript on the client. Modern Web and Desktop apps share traditional attack vectors and also introduce new opportunities to threat actors. This course will teach you how to review modern web and desktop apps, showcasing Node.js and Electron but using techniques that will also work against any other web or desktop app platform. Ideal for Penetration Testers, Web and Desktop app Developers as well as everybody interested in JavaScript/Node.js/Electron app security. All action, no fluff, improve your security analysis workflow and immediately apply these gained skills in your workplace, packed with exercises, extra mile challenges and CTF, self-paced and suitable for all skill levels, with continued education via unlimited email support and lifetime access to training portal with step-by-step video recordings and interesting apps to practice, including all future updates for free.

  • OWASP SAMM Master Class (2-day training course 9am-5pm November 15-16)

  • OWASP SAMM Master Class This two-day class presents an advanced, in-depth review of the SAMM model and its use within an organization. Many class topic covered will match those in our one-day SAMM Overview class - all topics will be covered in greater detail, with several advanced topics added. We'll discuss approaches to conducting assessments; establishing and managing an enterprise-wide assessment program; and training others to conduct assessments. While it would be helpful for training attendees to have prior experience with SAMM, it's not required.
    Topic Outline:
    • Motivation and Background of the SAMM Project
    • SAMM Assessment Methodology
    • Assessing Governance Practices
    • Assessing Design Practices
    • Assessing Implementation Practices
    • Assessing Verification Practices
    • Assessing Operations Practices
    • Setting Improvement Targets and Milestones
    • Building an Improvement Roadmap
    • SAMM Tools
    • Building an Internal SAMM Assessment Program
    • Training SAMM Assessors
    • SAMM Benchmarking Project
    • SAMM Best Practices
    • Related OWASP Projects and Resources

  • Securing your applications in AWS & Azure (2-day training course 9am-5pm November 15-16)

  • This training provides a thorough introduction to cloud security, covering both AWS and Azure. During the first day, we will go through all you need to know in order to develop and deploy secure applications in AWS. We will present how you can build a secure cloud infrastructure in AWS. You will learn how to use AWS Identity and Access Management in order to manage your users and control access to your resources and data. We will demonstrate how to use AWS-specific tools and features to ensure your application's production data is adequately protected and monitored. By the end of the first day, you should understand how to set up a basic hardened AWS infrastructure capable of deploying a production web application. During the second day, we will focus on how to build and deploy secure software on the Microsoft Azure cloud platform. You will learn common Azure terminology and the basic components of a secure application architecture in Azure. We will explain how identity and access management work in Azure and how you can leverage Microsoft Identity Platform to manage your users. You will understand how to use Azure-specific features to ensure your application's production data is adequately protected and monitored. By the end of the course, you should understand how to set up a secure infrastructure using Azure, capable of deploying cloud-native web applications and services.

  • Web Application Security Essentials (3-day training course 9am-5pm November 14-16)

  • This course provides the knowledge and resources required to evaluate the security of web applications. The participants, through the understanding of theory and a strong focus on practical exercises, will be able to identify critical vulnerabilities in web applications, understand how exploitation works and learn how to implement the necessary corrective measures. The course is aligned with the OWASP 10 2021, a world-renowned reference document which describes the most critical web application security flaws.
    The topics covered include:
    • Introduction to Web Application Security
    • Technologies used in Web Applications
    • The Security Tester Toolkit
    • Critical Areas in Web Applications
    • Broken Access Control
    • Cryptographic Failures
    • Injection
    • Insecure Design
    • Security Misconfiguration
    • Vulnerable and Outdated Components
    • Identification and Authentication Failures
    • Software and Data Integrity Failures
    • Security Logging and Monitoring Failures
    • Server Side Request Forgery (SSRF)
    Format: The course combines theory and hands-on practical exercises. The participants start by learning about web application vulnerabilities. They are then given access to a purpose-built web application environment that contains the bugs and coding errors they have learned about. This provides an ideal ‘real-life’ opportunity to exploit these vulnerabilities in a safe environment.

  • Whiteboard hacking – aka hands-on Threat Modeling

  • The threat modeling training based on real life hands-on practical threat modeling, and delivered every year at OWASP since 2016, and Black Hat since 2017. Our latest Black Hat training score was 4.7/5 with great feedback!.
    In this edition we enhanced the section on privacy by design, compliance, and added a section on threat modeling medical devices. All participants get our Threat Modeling Playbook plus one year access to our online threat modeling learning platform. As part of this training, you will be asked to create your own threat model, on which you will get individual feedback. One month after the training we organize an online review session with all the participants.
    As highly skilled professionals with years of experience under our belts, we’re intimately familiar with the gap between academic knowledge of threat modeling and real-world practice. To minimize that gap, we have developed practical use cases, based on real-life projects. Each use case includes a description of the environment, together with questions and templates to build a threat model.
    Using this methodology for the hands-on workshops we provide our students with a challenging training experience and the templates to incorporate threat modeling best practices in their daily work. Students will be challenged in groups of 3 to 4 people to perform the different stages of threat modeling on the following:
    • Diagramming web and mobile applications, sharing the same REST backend
    • Threat modeling an IoT gateway with a cloud-based update service
    • Get into the defender's head - modeling points of attack against a nuclear facility
    • Threat mitigations of OAuth scenarios for an HR application
    • Privacy analysis of a new face recognition system in an airport
    After each hands-on workshop, the results are discussed, and students receive a documented solution. Based on our successful trainings in the last years and the great and positive feedback, we release this updated threat modeling training at Global AppSec San Francisco 2022.
    Course Outline
    • Threat modeling introduction
    • Diagrams – what are you building?
    • Identifying threats – what can go wrong?
    • Addressing each threat
    • Threat modeling and compliance
    • Penetration testing based on offensive threat models
    • Advanced threat modeling
    • Threat modeling resources
    • Examination
    • Review session (online session after 1 month)