AppSec101 to Champion: Building Secure Web Applications



3 days

Delivery Method




Seats Available



3 days

Delivery Method




ATTEND IN-PERSON: Onsite at Sheraton Grand, Macau

DATE: 4-6 March 2024

TIME: 09:00 to 17:00 CST/GMT+8

Date Day Time Duration
4 Mar Monday 09:00 to 17:00 CST/GMT+8 8 Hours
5 Mar Tuesday 09:00 to 17:00 CST/GMT+8 8 Hours
6 Mar Wednesday 09:00 to 17:00 CST/GMT+8 8 Hours

This is a course that you can integrate offensive and defensive skills, dev and ops practice, as well as knowledge in software engineering and cloud technologies instead of learning different pieces in silo as the course is authored by experts in all these domains combined.

The course starts with an overview of security touchpoints in SDLC and deep dives into common AppSec issues with reference to OWASP and SANS. Building on top of the foundational understanding of common software vulnerabilities and weaknesses, the course further deep dives into less common bugs and desgin flaws, as well as how attackers bypass typical coding defense and security products. On the other hand, guidelines in implementing security funcitons and defensive coding will be given. The course also provides insight into how static, dynamic and interactive scanners work and limitations of such tools. There will be tons of demonstration of attack scenarios and expect a lot of code in the course. Finally IaC security and advanced practice in DevSecOps will be introduced including BDD Security and fuzzing.


What will the student get
  • AppSec and DevSecOps knowledge
  • Offensive Security skills
  • Defensive Programming / Secure Coding skills
  • Automation scripting skills


Topics Covered
  • Application Security – SDLC Security Touchpoints
  • OWASP Top 10, API Security, and ASVS
  • SANS 25
  • Security Software vs Software Security
  • Implementing Authentication, Authorization, Session Management, Federation / Assertion, Cryptography, Input Validation, Output Encoding, File Upload Control, Threat Safety, Error Handling, Logging, Reflection, Websocket
  • Exploiting and Defending SQL / NoSQL Injection, XSS, Insecure Deserialization, Prototype Pollution, CSRF, Directory Traversal / Path Manipulation, JSON / Javascript Hijacking, XSSI, XML Injection and XXE, SSRF, HTTP Response Splitting, Command Injection, Resource Injection, Log Injection, Open Redirect, Clickjacking / Cursorjacking, Information Disclosure
  • Interface with C/C++ Code
  • Threat Detection
  • Cloud and IaC Security
  • CI/CD and AppSec Pipeline
  • Threat Modeling
  • AppSec-as-Code
  • BDD Security and Test Automation
  • Fuzzing
  • GitHub Actions

Why You Should Take This Course

From zero to hero, this course covers broad AppSec and DevSecOps aspects with in-depth technical content in code for attacks and defensive programming.

Who Should Attend

  • Software developers and engineers
  • Application and cloud security practitioners
  • Security architects
  • SDLC and platform security leads

Key Learning Objectives

  • To understand common web application & microservice vulnerabilities

  • To develop defensive programming / secure coding skills

  • To practice attack and testing for software security bugs

  • To practice attack against cloud workloads and IaC security

  • To understand SDLC security touchpoints and DevSecOps practice
  • Prerequisite Knowledge

    The participants are expected to possess basic coding skills in Java, JavaScript, Python, and SQL, plus basic knowledge in AWS, CloudFormation, and Terraform.

    Hardware / Software Requirements

    Software requirements
    • VMWare Player/VirtualBox
    • Docker
    • Your favorite IDE and Git
    • Personal AWS account
    Hardware requirements
    • Personal laptop

    Your Instructor

    Boris is a software security specialist specializing in software development, security engineering, threat modeling, defensive coding, security testing, code obfuscation, steganography, as well as rootkit research. Currently Boris is working in a major US cloud service provider, where he joined from one of the world’s leading US financial services institutes. Apart from his full-time work, Boris also serves as part-time lecturer for a Bachelor degree in ethical hacking and cybersecurity in a university from UK.

    He is also the OWASP HK chapter lead, core member of VXCON, HITB CFP review board member, organizer of DEFCON village, BlackHat Arsenal, and OpenSSF meetup group of Linux Foundation. Boris regularly speaks in cybersecurity conferences. He holds 3 US patents, 2 bachelor degrees and 2 master degrees. Boris is an enthusiast in aviation and he holds a private pilot license. During his free time, he is probably spending his time flying while not hacking.

    Alan Ho has over 15 years of experience in the information security field. He is passionate about web and application security and various research. He is also the co-founder of VX Research Limited, a security researcher and red-blue team lab architect, and a contracted CISO in a software vendor.

    He has experience in development, DevOps, penetration testing, incident response, secure coding, project advisory, security operation planning, cybersecurity training, and investigation. He is certified as an OSCP, SANS GCIH, GWAPT Holder, and published the SANS Gold Paper – “Website Security For Mobile”. Alan is recognized as the Honoree at the 11th Annual (ISC)² Information Security Leadership Achievements (ISLA) in 2017. He spoke at conferences like Blackhat Asia, Defcon Village, DFIR, and DFRWS in the US, The Netherlands, Taiwan, Macau, and Hong Kong. He is also on the core team of VXCON. Alan also has been active in the community by providing cybersecurity awareness seminars to schools and NGOs.

    Anthony Lai is a security researcher is not only marked by his rich experience and academic excellence but also by his active participation in the global cybersecurity community. With a Ph.D. in Computer Science emphasizing vulnerability and malware analysis, and a suite of prestigious certifications like SANS GXPN, GCIH, Offsec OSEE, CSSLP, and CISSP, he is a beacon of knowledge in the industry. His recognition with the ISLA award further attests to his leadership and expertise.

    With over 20 years in the field, Anthony has played a pivotal role in security risk management and auditing for Japanese banking sectors and European listed companies, where he applied his skills to protect against sophisticated cyber threats. His contributions extend to performing extensive code reviews for multinational corporations and government entities, enhancing their security infrastructure. A well-recognized figure at top-tier hacker conferences, he has shared his insights as a speaker at Blackhat, DEFCON, HITCON, HITB, AVTokyo, and VXCON. These platforms have allowed him to disseminate cutting-edge research and practical knowledge, establishing him as an influential voice in cybersecurity circles.

    In his capacity as a security trainer, Anthony draws upon his global experience and technical expertise to deliver comprehensive training. His sessions are known for their depth, drawing on real-world scenarios from his involvement in international security risk management.