Type: 3-Day Training
Monday, November 2
 

9:00am PST

3 Day Training: Hacking Android, iOS and IoT apps by Example - 2026 Edition
Monday November 2, 2026 9:00am - 5:00pm PST
3-Day Training: November 2-4, 2026
Level: Intermediate
Trainer: Abraham Aranguren

To register, please purchase your training ticket here. Training and conference are two separate ticket purchases.

Modern Android and iOS apps rarely operate alone. They sit at the center of rich ecosystems: phones talking to toys, drones, wearables, vehicles, trackers, “smart” homes—and, in multiple countries, even government‑mandated and police apps. In these environments, attackers increasingly target the mobile app as the remote control for the device, often without ever touching the physical hardware.

This 3‑day, 100% hands‑on course is a deep dive into the OWASP Mobile Application Security Testing Guide (MASTG, formerly the MSTG) and the relevant items of the OWASP Mobile Application Security Verification Standard (MASVS). The 2026 Edition fully covers and goes beyond the OWASP Mobile Top Ten, using real‑world Android, iOS, and IoT applications as targets.

7ASecurity is an ISO 27001 and SOC 2–certified cybersecurity consultancy and OWASP Platinum Supporter that focuses on researcher‑led, heavily manual penetration tests and secure code audits. Lessons learned from these engagements—performed for organizations such as the Linux Foundation, Mozilla, the Tor Project, and others—feed directly into the course material, labs, and case studies.

Across three intensive days you will:
Break down Android and iOS apps with static and dynamic analysis.
Discover IoT vulnerabilities using only the apps and APIs, no devices required.
Master practical instrumentation using Frida, Objection, Xposed, and related tooling to bypass protections and deeply inspect runtime behavior.

Ideal for penetration testers, red teamers, mobile developers, and anyone serious about mobile/IoT security, this course is all action, no fluff. It is packed with exercises, extra‑mile challenges, and CTFs, and includes continued education via lifetime access to a training portal with step‑by‑step video recordings, updated labs, and unlimited email support, including all future updates for free.

Teaser Video: https://www.youtube.com/watch?v=Re5oqfVkgd4
Get a free taste of this training, including access to video recordings, slides, and vulnerable apps to play with:
https://7asecurity.com/free-workshop-mobile-practical
https://7asecurity.com/free-workshop-mobile-deeplinks-xss
Speakers

Abraham Aranguren

CEO, Security Trainer, Director of Penetration Testing, 7ASecurity

Abraham Aranguren is the founder and CEO of 7ASecurity (7asecurity.com), an ISO 27001 and SOC 2–certified cybersecurity consultancy and OWASP Platinum Supporter specializing in high‑quality, manual penetration tests and secure code audits. He has more than 24 years of experience... Read More →
Monday November 2, 2026 9:00am - 5:00pm PST
TBA

9:00am PST

3-Day Training: Adam Shostack's Threat Modeling Intensive With AI
Monday November 2, 2026 9:00am - 5:00pm PST
3-Day Training: November 2-4, 2026
Level: Intermediate
Trainer: Adam Shostack

To register, please purchase your training ticket here. Training and conference are two separate ticket purchases.

This is our popular Threat Modeling Intensive course, where you'll learn to threat model, and then you'll revisit and learn to complement those skills with a variety of AI systems. You need to know how to threat model to evaluate what the AIs hallucinate, and today you need AI (at least to get your AI-loving boss to leave you alone) and maybe even to help your organization scale.
Monday November 2, 2026 9:00am - 5:00pm PST
TBA

9:00am PST

3-Day Training: AppSec and AI Security for Developers with Jim Manico
Monday November 2, 2026 9:00am - 5:00pm PST

3-Day Training: November 2-4, 2026
Level: Beginner
Trainer: Jim Manico

To register, please purchase your training ticket here. Training and conference are two separate ticket purchases.

Description: This three-day security course is designed for software engineers and AppSec professionals who want to tailor their learning experience. Throughout the class, you’ll select the topics that interest you most—ensuring that the content aligns with your individual needs and goals. We’ll honor every participant’s topic requests, so you can dive deeper into the areas that matter most.

Students will choose from the following material:

Core Modules
  • 00-00 Introduction to Application Security (1 hr): Goals and Threats in AppSec
  • 00-01 Input Validation Basics (1 hr): Allowlist Validation, Safe Redirects
  • 00-02 HTTP Security Basics (1.5 hrs): Response/Request Headers, Verbs, Secure Transport Basics
  • 00-03 SOP and CORS (1 hr): Same-Origin Policy, Cross-Origin Resource Sharing Security
  • 00-04 SQL and Other Injections (1.5 hrs): Parameterized Queries, Secure Database Configurations, Command Injection
  • 00-05 Cross-Site Request Forgery (1.5 hrs): CSRF Defenses for Various Architectures
  • 00-06 File Upload and File I/O Security (1 hr): Secure File Upload, File I/O Security
  • 00-07 Deserialization Security (0.5 hr): Safe Deserialization Practices
  • 00-08 Third-Party Library Security Management (1 hr): Ensuring Third-Party Library Security
  • 00-09 Security Logging and Monitoring (0.5 hr): Security-Focused Logging
  • 00-10 Application Layer Intrusion Detection (0.5 hr): Detecting App Layer Attacks
  • 00-11 Threat Modeling Fundamentals (1 hr): Security Design via Threat Modeling
  • 00-12 Forms and Workflows Security (0.5 hr): Secure Handling of Complex Form Workflows

API Security
  • 01-00 API and REST Security (2 hrs): REST Design, XML, XXE, JSON, API Access Control
  • 01-01 Microservice Security (2 hrs): Security Architectures in Microservices
  • 01-02 JSON Web Tokens (JWT) (1 hr): Addressing JWT Security Challenges
  • 01-03 gRPC Security (1 hr): gRPC Security Architecture

Foundations of AI Security
  • 02-00 Introduction to AI Security (1 hr): Overview of AI Security Concepts, Threats, and Mitigations
  • 02-01 OWASP Top 10 for Large Language Model (LLM) Applications (4 hrs): Top 10 Practices for Protecting Large Language Model Applications

AI Secure Development Practices
  • 02-10 AI for Code Creation (1 hr): Exploring the Security Implications of Using AI for Code Generation
  • 02-11 React Security Prompt Engineering (1 hr): Building Secure React Applications with AI

AI Architecture
  • 02-20 Threat Modeling for AI Systems (1 hr): Applying Threat Modeling Methodologies Specifically Tailored to AI Architectures and Pipelines
  • 02-21 Zero Trust Architectures for AI (1 hr): Adapting Zero Trust Principles in Designing and Deploying Secure AI Infrastructure
  • 02-22 Access Control Design for AI (1 hr): Building Access Control in Vector Database AI Systems
  • 02-23 AI for UI Development (1 hr): Building Access Control in Vector Database AI Systems
  • 02-24 AI Model Updates and Patching (1 hr): Best Practices for Securely Updating and Patching Deployed Models, Especially in Response to Emerging Threats
  • 02-25 Self Hosted Models (1 hr): Strategies for securely deploying and operating self-hosted LLMs and vector stores

AI Adversarial Techniques
  • 02-30 Adversarial Machine Learning (1 hr): Understanding and Mitigating Adversarial Attacks on AI Systems
  • 02-31 Red Teaming AI Systems (1 hr): Conducting Adversarial Testing and Red Teaming for AI Systems to Identify Vulnerabilities and Resilience

AI Supply Chain
  • 02-40 Integrating AI in Software (1 hr): Security architecture patterns, risks, and mitigation strategies for integrating LLMs and AI APIs into real-world applications
  • 02-41 Hugging Face OSS Model Security (1 hr): Securing the Hugging Face Ecosystem
  • 02-42 AI Model Drift and Security Monitoring (1 hr): Strategies for Monitoring Models in Production to Detect Security Drift and Performance Degradation Over Time
  • 02-43 AWS Bedrock (1 hr): Securely using AWS Bedrock to access and manage foundation models
  • 02-44 PySpark Security (1 hr): Securing large-scale data pipelines with PySpark

AI Regulatory and Ethical Frameworks
  • 02-50 Differential Privacy (1 hr): Principles and Practices for Ensuring Privacy and Ethical AI Usage in Business Environments
  • 02-51 European Union AI Act (1 hr): Detailed Examination of the EU AI Act and Its Implications for AI Development and Deployment

Standards
  • 03-00 OWASP Top Ten (1-4 hrs): Top Ten Web Security Risks
  • 03-01 Introduction to GDPR (1 hr): European Data Privacy Law
  • 03-02 OWASP ASVS (1 hr): Comprehensive Secure Coding Standard
  • 03-03 OWASP Top Ten Proactive Controls (1 hr): Web Security Defense Categories
  • 03-04 PCI Secure SDLC Standard (1 hr): Credit Card SDLC Requirements

User Interface Security
  • 04-00 XSS Defense (2 hrs): Client-Side Web Security
  • 04-01 Content Security Policy (1 hr): Advanced Client-Side Web Security
  • 04-02 Content Spoofing and HTML Hacking (0.5 hr): HTML Client-Side Injection Attacks
  • 04-03 React Security (1 hr): Secure React Application Development
  • 04-04 Vue.js Security (1 hr): Secure Vue.js Application Development
  • 04-05 Angular and AngularJS Security (1 hr): Secure Angular Application Development
  • 04-06 Clickjacking (0.5 hr): UI Redress Attack Defense
  • 04-07 Flutter Security (0.5 hr): Flutter Security Basics

Identity & Access Management
  • 05-00 Authentication Best Practices (1.5 hrs): Web Authentication Practices
  • 05-01 Session Management Best Practices (1.5 hrs): Web Session Management Practices
  • 05-02 Multi-Factor Authentication (1 hr): NIST SP-800-63 Compliant MFA Implementation
  • 05-03 Secure Password Policy and Storage (1 hr): Secure User Password Policy and Storage
  • 05-04 Access Control Design (1 hr): ABAC/Capabilities-Based Access Control
  • 05-05 OAuth2 Security (1 hr): OAuth2 Authorization Protocol
  • 05-06 OpenID Connect Security (1 hr): OpenID Connect Federation Protocol
  • 05-07 Brute Force Defense (0.5 hr): Stopping Brute Force Attacks

Crypto Modules
  • 06-00 Secrets Management (1 hr): Key and Credential Storage Strategies
  • 06-01 HTTPS/TLS Best Practices (1 hr): Transport Security Introduction
  • 06-02 Cryptography Fundamentals:
  • 06-02-00 Terminology and Basic Concepts (1 hr): Understanding Key Terms in Cryptography
  • 06-02-01 Steganography (1 hr): Techniques for Concealing Information
  • 06-02-02 Cryptographic Attacks (1 hr): Common Attacks and How to Defend Against Them
  • 06-02-03 Kerckhoffs's Principle and Perfect Forward Secrecy (1 hr): Fundamental Principles in Cryptographic Security
  • 06-02-04 Hash Functions (1 hr): Importance and Use Cases of Hash Functions
  • 06-02-05 Symmetric Cryptography (1 hr): Understanding Symmetric Key Algorithms
  • 06-02-06 Randomness in Cryptography (1 hr): Role and Generation of Randomness
  • 06-02-07 Digital Signatures (1 hr): Ensuring Integrity and Authenticity in Digital Communications

Process
  • 07-00 DevOps Best Practices (1 hr): DevOps and DevSecOps
Monday November 2, 2026 9:00am - 5:00pm PST
TBA

9:00am PST

3-Day Training: Full-Stack Pentesting Laboratory: 100% Hands-On + Lifetime LAB Access
Monday November 2, 2026 9:00am - 5:00pm PST
3-Day Training: November 2-4, 2026
Level: Intermediate
Trainer: Dawid Czagan

To register, please purchase your training ticket here. Training and conference are two separate ticket purchases.

Modern IT systems are increasingly complex, making full-stack expertise more essential than ever. That's why diving into full-stack pentesting is crucial—you will gain the skills needed to master modern attack vectors and implement effective defensive countermeasures.

For each attack, vulnerability and technique presented in this training, there is a lab exercise to help you develop your skills step by step. What's more, when the training is over, you can take the complete lab environment home to hack again at your own pace.

I found security bugs in many companies, including Google, Yahoo, Mozilla, and Twitter, and in this training I'll share my experience with you.

Key Learning Objectives
After completing this training, you will have learned about:

- Hacking cloud applications
- API hacking tips & tricks
- Data exfiltration techniques
- OSINT asset discovery tools
- Tricky user impersonation
- Bypassing protection mechanisms
- CLI hacking scripts
- Interesting XSS attacks
- Server-side template injection
- Hacking with Google & GitHub search engines
- Automated SQL injection detection and exploitation
- File read & file upload attacks
- Password cracking in a smart way
- Hacking Git repos
- XML attacks
- NoSQL injection
- HTTP parameter pollution
- Web cache deception attack
- Hacking with wrappers
- Finding metadata with sensitive information
- Hijacking NTLM hashes
- Automated detection of JavaScript libraries with known vulnerabilities
- Extracting passwords
- Hacking Electron applications
- Establishing reverse shell connections
- RCE attacks
- XSS polyglot
- and more …

What Students Will Receive
Students will be given a VMware image with a specially prepared lab environment in which to play with all the attacks, vulnerabilities, and techniques presented in this training. When the training is over, students can take the complete lab environment home (after signing a non-disclosure agreement) to hack again at their own pace.

Special Bonus
The ticket price includes FREE access to my 6 online courses:

- Fuzzing with Burp Suite Intruder
- Exploiting Race Conditions with OWASP ZAP
- Case Studies of Award-Winning XSS Attacks: Part 1
- Case Studies of Award-Winning XSS Attacks: Part 2
- How Hackers Find SQL Injections in Minutes with Sqlmap
- Web Application Security Testing with Google Hacking

What Students Say About My Trainings
References are attached to my LinkedIn profile (https://www.linkedin.com/in/dawid-czagan-85ba3666/). They can also be found here: https://silesiasecuritylab.com/services/training/#opinions – training participants from companies such as Oracle, Adobe, ESET, ING, …

What Students Should Know
To get the most out of this training, intermediate knowledge of web application security is needed. Students should have experience using an intercepting proxy, such as Burp Suite Proxy or Zed Attack Proxy (ZAP), to analyze or modify traffic.

What Students Should Bring

Students will need a laptop with a 64-bit operating system, at least 8 GB of RAM, 35 GB of free hard drive space, administrative access, the ability to turn off AV/firewall, and VMware Player/Fusion installed (64-bit version). Prior to the training, make sure there are no problems running x86_64 VMs.

Additional notes

This new 3-day training was sold out at top security conferences, e.g. DEF CON 2024 (Las Vegas) and Hack In Paris (Paris).

This is a 100% hands-on training: for each attack, vulnerability and technique presented in this training, there is a lab exercise to help students develop their skills step by step.
Speakers

Dawid Czagan

Founder and CEO, Silesia Security Lab
Dawid Czagan is an internationally recognized security researcher and trainer. He is listed among top hackers at HackerOne. Dawid Czagan has found security bugs in Apple, Google, Mozilla, Microsoft and many others.

Due to the severity of many bugs, he received numerous awards for his findings. Dawid Czagan shares his security experience in his hands-on trainings. He delivered trainings at key industry conferences such as DEF CON (Las Vegas), OWASP 2025 Global AppSec EU (Barcelona), Hack In The... Read More →
Monday November 2, 2026 9:00am - 5:00pm PST
TBA