Based on our experience in finding and fixing vulnerabilities, our own research and emergency response to incidents, we present this unique training for project teams.
What’s innovative about this approach:
– we focus on attacking and defending a real application, YOUR application,
– we may find vulnerabilities in the application, so security reconnaissance is included 😉
– unique combination of competition and cooperation,
– we can reconfigure the environment and make corrections live.
– we meet on site, in your office,
Red – the team of developers, security champions and people interested in learning offensive security .
Blue – the team of admins, devops, cloud infrastructure specialists, and people interested in detection and prevention.
On the first day, we start by analyzing the application from a business level:
1. Functionalities it offers
2. Business processes
3. Types of users
And from a technical level:
1. how it is build
2. its components
3. what the infrastructure looks like
4. how the application monitoring method is implemented
Then we learn how to perform threat modelling based on the application – we create scenarios that will be used later by the Red Team.
After lunch, we start with an introduction to security testing
1. Use of an HTTP proxy
2. Common vulnerabilities and ways to detect them
At the end of the first day, we run Capture The Flag contest, because we believe in hands-on experience.
Second and third day look as follows:
1. The Red Team is just hacking all day long and the Blue Team is defending the application.
2. Trainers guide and assist each team,
3. We share and document:
– Achievements of both teams,
– Scenarios and test cases,
– Findings, bugs, questions,
– Problems we faced,
– Solutions we found.
At the end of each day, we gather together and share the findings and actions of each team.
In the end of the workshop we focus on what can be improved in case of security of this application and it’s setup.
If you want to combine offensive and defensive workshops with lots of hands-on experience for your teammates and learn about your application security posture feel free to contact us.