PagelShield https://pagel.pro/en/timo-pagel-it-consulting-new-landingpage/ Tue, 07 Jul 2026 15:28:45 +0000 en-GB hourly 1 https://wordpress.org/?v=7.0 Secure AI Coding: Developing Securely with AI Coding Assistants https://pagel.pro/en/secure-ai-coding-en/ Tue, 07 Jul 2026 14:42:08 +0000 https://pagel.pro/secure-ai-coding-en/ Develop securely with AI coding assistants: a hands-on day from secure prompting to agent hardening. Largely hands-on.

Der Beitrag Secure AI Coding: Developing Securely with AI Coding Assistants erschien zuerst auf PagelShield.

]]>
From secure prompting to agent hardening: a hands-on day for development teams.

Overview

AI coding assistants such as GitHub Copilot, Claude Code, and Cursor now write a substantial share of production code, and that code is measurably less secure than it looks: Veracode’s 2025 GenAI Code Security Report found security vulnerabilities in 45 % of coding tasks across more than 100 LLMs (Java: over 70 %, XSS: 86 % failure rate). As early as 2022, the NYU study “Asleep at the Keyboard?” showed that around 40 % of Copilot-generated programs were vulnerable. A Stanford study also demonstrates that developers using an AI assistant write less secure code while believing it is more secure than the control group without AI. At the same time, the AI toolchain itself is becoming an attack surface: prompt injection via ticket texts and READMEs, malicious connected servers, agents with excessive permissions, and hallucinated packages. According to a USENIX Security study, 19.7 % of the dependencies suggested by LLMs do not exist.

In this one-day, hands-on course you will learn to use AI assistants in a way that brings speed and security together. You will learn which vulnerability patterns AI code typically contains, how to pin down security requirements before the first prompt, how to give the AI a security guideline that takes effect on every code generation, how to review AI code efficiently and adversarially, and how to harden your development environment itself against attacks. The course closes with automated guardrails in the workflow and a joint debrief. A large part of the course consists of labs in prepared exercise environments.

Agenda

TimeModuleContent
09:00-09:30Welcome & State of PlayHow Copilot, Claude Code & Cursor work; the numbers on vulnerability rates; why “runs on the first try” is the most dangerous signal
09:30-10:30Typical Vulnerabilities in AI CodeWhy AI-generated code fails differently (and predictably) than human-written code; which classes of flaws keep recurring and how to spot them in daily work. Lab: find and exploit vulnerabilities in real AI-generated code
10:30-10:45Break
10:45-11:30Security Before the PromptLightweight threat modeling for features; phrasing security requirements as acceptance criteria. Lab: threat analysis for a sample story
11:30-12:30Secure Prompting & Security GuardrailsWriting secure prompts; giving the AI a security guideline that applies project- and organization-wide on every code generation. Lab: rewrite insecure prompts, create your own security guideline for the assistant and measure its effect
12:30-13:30Lunch break
13:30-14:30Reviewing AI CodeReview checklist for AI diffs; risks of AI-suggested dependencies; security tests the AI will not write on its own. Lab: adversarial review and AI-assisted generation of security tests
14:30-15:30The AI Toolchain as Attack SurfacePrompt injection via issues, comments, docs; risks of connected tools and servers; agent permissions, sandboxing, secrets protection. Lab/demo: injection attack on an agent and hardening of the configuration
15:30-15:45Break
15:45-16:45Guardrails & AutomationAutomated security checks in the AI workflow; guardrails that stop violations before code is created; metrics and team rollout
16:45-17:00Wrap-up & DebriefJoint debrief, resource list, transfer to daily work, feedback

Key Facts

  • 1 day, 9:00-17:00, largely hands-on
  • Audience: developers, tech leads, DevSecOps and AppSec engineers
  • Prerequisites: programming experience; your own laptop with Docker installed locally, the exercise environment is provided

Methodology

Learning by doing is one of the most important paradigms. More about the training methodology here.

Trainer

Timo Pagel incorporates his knowledge from over 20 years in operations and development into his trainings. As a DevSecOps consultant, he not only advises at the strategic level but also lends a hand.

Testimonials

+ Sehr guter Anteil konkreter Übungen!
+ Wichtige Bereiche wurden immer mit der “Übersichtskarte” gezeigt.
+ Guter Rundumblick

Anonym, IT-Beratungsbranche

Schönes Beispiel aus der Praxis von docker12321 🙂

Anonym, Versicherungsbranche

interaktiver Ansatz gefällt mir gut!

Anonym, Versicherungsbranche

Beispielseiten wie die “Check Security Header” gefallen mir sehr gut.

Anonym, Versicherungsbranche

Sehr gute Idee, dass einem Zeit gelassen wird die praktischen Aufgaben direkt zu machen und gewartet wird, dass wirklich alle fertig sind (indem alle die Hand heben). Gut waren auch die Anzahl an Übungen und die erklären dazu was denn genau passiert. Auch die Themen der Übungen wurden gut gewählt, sodass man versteht, was die Tools machen und wie sie funktionieren

Anonym, Versicherungsbranche

Gute Übungen, die einen sinnvollen Lerneffekt hatten

Anonym, Versicherungsbranche

Sehr angenehme Einführung in das Thema des Threads Modelling, sodass man sich schon selbst Gedanken bezüglich der potentiellen Threats machen kann.

Anonym, Versicherungsdienstleister

Wir müssen uns alle an die aktuelle Situation gewöhnen. Insofern war heute alles cool! Vielen Dank
(Hinweis: Erster Workshop beim Corona-Start)

Anonym, Versicherungsbranche

Angenehm aufbereitet. Vor allem die praktischen Beispiele helfen immer enorm!

Anonym, Versicherungsdienstleister

Viele Übungen; einiges an Input, aber durch den Praxisbezug sehr verständlich! Nicht nur firmenbezogenen, sondern auch für die private Anwendung interessant

Anonym, IT-Beratungsbranche

Arrange a free initial consultation

References

  • Veracode, 2025 GenAI Code Security Report (veracode.com)
  • Pearce et al., “Asleep at the Keyboard?”, IEEE S&P 2022, arxiv.org/abs/2108.09293
  • Perry et al., “Do Users Write More Insecure Code with AI Assistants?”, ACM CCS 2023, arxiv.org/abs/2211.03622
  • Spracklen et al., “We Have a Package for You!”, USENIX Security 2025, arxiv.org/abs/2406.10279

Der Beitrag Secure AI Coding: Developing Securely with AI Coding Assistants erschien zuerst auf PagelShield.

]]>
Secure Modern Development https://pagel.pro/en/secure-modern-development-2/ Thu, 17 Nov 2022 10:38:55 +0000 https://pagel.pro/?p=2247 Durchführung einer strukturierten Analyse zur Identifizierung von Bedrohungen in IT-Systemen.

Der Beitrag Secure Modern Development erschien zuerst auf PagelShield.

]]>
Overview

Modern development is based on Cloud Native products to support the development process. Here is an unsorted list to support secure development.

Examples

  • Rate Limiting (1h)
  • Resource Limiting (0.5h)
  • Workshop Dynamic Application Security Testing (2h)
  • Identity Providers, OAuth 2.0, OAuth 2.1, JWT, Storage of Tokens (2h)
  • Security of Client Side Storage (1h)
  • Workshop: Authorization with the Open Policy Agent (4h)
  • Container Security (1 day)
  • Introduction into Kubernetes Security (1h-2h)
  • Introduction in Vulnerability and Patch Management for Applications (1h)
  • Business Continuity Management for Developers (0.5h)
  • Headers and API Headers (0.5h)
  • Supply Chain and Mitigations (2h)
  • Workshop: Hack your own applications (2-3 days)
  • Abuse Tests for Developers (0.75h)
  • Workshop: Secrets Handling with OWASP Wrong Secrets (1.5h)
  • OWASP Top Ten (Injections, XSS, Sec. Misconfiguration, …)
  • Workshop Threat Modeling (1 day)
  • Distroless (0.5h)
  • OWASP DefectDojo Hands On Training (1h)
  • Malware Scanning for Developers (0.5h)

All topics include hands-ons!

Methods

Learning by doing is one of the most important paradigms. More about the training methodology here.

Trainer

Timo Pagel incorporates his knowledge from over 20 years in operations and development into his trainings. As a DevSecOps consultant, he not only advises at the strategic level but also lends a hand.

Arrange a free initial consultation

Timo Pagel

Contact

Der Beitrag Secure Modern Development erschien zuerst auf PagelShield.

]]>
Security Awareness Training https://pagel.pro/en/security-awareness-training-en/ Tue, 16 Mar 2021 13:58:31 +0000 https://pagel.pro/?p=1929 Security awareness training: recognising phishing, social engineering and everyday attacks.

Der Beitrag Security Awareness Training erschien zuerst auf PagelShield.

]]>
DevSecOps Workshop

Übersicht

Using the DevSecOps Maturity Model (dsomm.timo-pagel.de), designed by the speaker, different dimensions of security in DevOps are explained.

The content will be supported by hands-on tasks, which will be carried out exclusively using OpenSource tools.

Content

  • DevOps refresher
  • Threats in a Build and Deployment Pipeline
  • Measures to harden a build and deployment pipeline
  • Docker security including patch management
  • Automation of dynamic and static security tests
  • Logging and monitoring in a DevOps world
  • Optional: Continuous License Scanning

The OWASP DevSecOps Maturity Model with the following dimensions serves as orientation

Build and Deployment

Culture

Information Gathering

Infrastructure Hardening

Test and Verification

Target group

Information and IT Security Managers and DevOps Engineers.

Tools:

  • Docker
  • Distroless
  • OWASP ZAP
  • OWASP Dependency Check
  • Automation
  • Jenkins
  • Arachni
  • nmap
  • Distroless

Methodology

Learning by doing is one of the most important paradigms. More about the training methodology here.

Trainer

Timo Pagel incorporates his knowledge from over 20 years in operations and development into his trainings. As a DevSecOps consultant, he not only advises at the strategic level but also lends a hand.

+ Sehr guter Anteil konkreter Übungen!
+ Wichtige Bereiche wurden immer mit der “Übersichtskarte” gezeigt.
+ Guter Rundumblick

Anonym, IT-Beratungsbranche

Schönes Beispiel aus der Praxis von docker12321 🙂

Anonym, Versicherungsbranche

interaktiver Ansatz gefällt mir gut!

Anonym, Versicherungsbranche

Beispielseiten wie die “Check Security Header” gefallen mir sehr gut.

Anonym, Versicherungsbranche

Sehr gute Idee, dass einem Zeit gelassen wird die praktischen Aufgaben direkt zu machen und gewartet wird, dass wirklich alle fertig sind (indem alle die Hand heben). Gut waren auch die Anzahl an Übungen und die erklären dazu was denn genau passiert. Auch die Themen der Übungen wurden gut gewählt, sodass man versteht, was die Tools machen und wie sie funktionieren

Anonym, Versicherungsbranche

Gute Übungen, die einen sinnvollen Lerneffekt hatten

Anonym, Versicherungsbranche

Sehr angenehme Einführung in das Thema des Threads Modelling, sodass man sich schon selbst Gedanken bezüglich der potentiellen Threats machen kann.

Anonym, Versicherungsdienstleister

Wir müssen uns alle an die aktuelle Situation gewöhnen. Insofern war heute alles cool! Vielen Dank
(Hinweis: Erster Workshop beim Corona-Start)

Anonym, Versicherungsbranche

Angenehm aufbereitet. Vor allem die praktischen Beispiele helfen immer enorm!

Anonym, Versicherungsdienstleister

Viele Übungen; einiges an Input, aber durch den Praxisbezug sehr verständlich! Nicht nur firmenbezogenen, sondern auch für die private Anwendung interessant

Anonym, IT-Beratungsbranche

Arrange a free initial consultation

Timo Pagel

Der Beitrag Security Awareness Training erschien zuerst auf PagelShield.

]]>
Open Policy Agent https://pagel.pro/en/open-policy-agent-en/ Tue, 16 Mar 2021 11:23:05 +0000 https://pagel.pro/?p=1836 Introduction to policy as code with the Open Policy Agent (OPA).

Der Beitrag Open Policy Agent erschien zuerst auf PagelShield.

]]>
Description

The Open Policy Agent (OPA) is an open source and generic engine that can be used to enforce uniform and context-aware policies across the entire technology stack.

While from a security point of view the use of a central authorization component seems to make sense at first, this is often difficult to implement in a decentralized microservice landscape in reality and leads to more disadvantages than advantages.
In the workshop, the Open Policy Agent and its deployment scenarios will be explained so that, building on this, authorization rules for microservices or web applications can be designed in the “rego” language.

Content

  • Introduction and implications of missing authorization
  • Contexts in mircoservices
  • How OPA works
  • Deployment scenarios such as Kubernetes Adminssion Controller and authorization in web applications
  • Hands-on exercises

Methodik

Learning by doing is one of the most important paradigms. More about the training methodology here.

Trainer

Timo Pagel incorporates his knowledge from over 20 years in operations and development into his trainings. As a DevSecOps consultant, he not only advises at the strategic level but also lends a hand.

Arrange a free initial consultation

Timo Pagel

Der Beitrag Open Policy Agent erschien zuerst auf PagelShield.

]]>
DevSecOps Workshop https://pagel.pro/en/devsecops-workshop-en/ Tue, 02 Feb 2021 14:24:55 +0000 https://pagel.pro/?p=1297 Introduction to modern methods for integrating security into the development cycle (DevSecOps).

Der Beitrag DevSecOps Workshop erschien zuerst auf PagelShield.

]]>
Description

Using the DevSecOps Maturity Model (dsomm.timo-pagel.de), designed by the speaker, different dimensions of security in DevOps are explained.

The content will be supported by hands-on tasks, which will be carried out exclusively using OpenSource tools.

Content

  • DevOps recap
  • Threats to a build and deployment pipeline
  • Measures to harden a build and deployment pipeline
  • Docker security including patch management
  • Automation of dynamic and static security tests
  • Logging and monitoring in a DevOps world
  • Optional: Continuous License Scanning

The OWASP DevSecOps Maturity Model with the following dimensions serves as orientation

Build and Deployment

Culture

Information Gathering

Infrastructure Hardening

Test and Verification

Target group

Information and IT Security Managers and DevOps Engineers.

Used tools:

  • Docker
  • Distroless
  • OWASP ZAP
  • OWASP Dependency Check
  • Automation
  • Jenkins
  • Arachni
  • nmap
  • Distroless

Methodology

Learning by doing is one of the most important paradigms. More about the training methodology here.

Trainer

Timo Pagel incorporates his knowledge from over 20 years in operations and development into his trainings. As a DevSecOps consultant, he not only advises at the strategic level but also lends a hand.

Arrange a free initial consultation

Timo Pagel

Der Beitrag DevSecOps Workshop erschien zuerst auf PagelShield.

]]>
Agile Threat Modeling https://pagel.pro/en/agile-threat-modeling-en/ Tue, 26 Jan 2021 16:41:50 +0000 https://pagel.pro/?p=1125 Conduction of a structured analysis to identify threats in IT systems.

Der Beitrag Agile Threat Modeling erschien zuerst auf PagelShield.

]]>
Description

Approximately 50% of threats in a system are related to architecture and design, so companies should act proactively at this point.

Thread modeling is a methodical approach that uses attack scenarios to identify threats in the system design that lead to real-life consequences for the system or business.

Under the pressure of digital transformation, the temptation for business managers/product owners to continuously deliver technical features is great.

However, security is also a permanently required feature and quality goal that customers expect and deserve.

In the workshop, the participant will be introduced to the approach according to the proven STRIDE method in a clear and comprehensible way with a mix of theory and practical exercises using show cases.

The workshop concludes with the participants learning how to make threat modeling attractive to employees who are not so security-savvy by using playful elements in the form of a card game.

Content

  • Get to know Secure Design principles
  • Participants gain basic theoretical knowledge and based on this methodological knowledge in order to carry out a risk assessment of (web) systems
  • Threat Modeling as a method to discover design vulnerabilities
  • Create awareness of high cost and effort to fix design vulnerabilities
  • Getting to know gamification elements
  • Tips and tricks for applying threat modeling in practice

Target Audience

Developers, architects and DevOps engineers, but also product managers and IT security architects with a basic understanding of IT architectures.

Methodology

Learning by doing is one of the most important paradigms. More about the training methodology here.

Trainer

Timo Pagel incorporates his knowledge from over 20 years in operations and development into his trainings. As a DevSecOps consultant, he not only advises at the strategic level but also lends a hand.

Arrange a free initial consultation

Timo Pagel

Der Beitrag Agile Threat Modeling erschien zuerst auf PagelShield.

]]>
Container Security https://pagel.pro/en/container-security-en/ Tue, 26 Jan 2021 16:19:48 +0000 https://pagel.pro/?p=1113 Conduction of a container security workshop to show the threats by operating containers.

Der Beitrag Container Security erschien zuerst auf PagelShield.

]]>
Hands-on, cloud-based Container and Docker Security training. Two intensive days covering isolation fundamentals, breakout, image supply-chain attacks and hardening.

Containers run most modern DevOps workloads, but a misconfigured mount, an over-privileged container or a poisoned base image can give an attacker the host. This workshop walks through the real attack surface of container runtimes like Docker and Podman, and through the measures that reduce it. Every topic comes with a hands-on challenge in a ready-to-use cloud lab, so participants attack and defend real containers instead of only listening to theory.

The training follows the threats. Each module covers a specific container threat category, such as privilege escalation, container breakout, poisoned images, compromised secrets and denial of service, and then shows the matching hardening measure.

This is also directly relevant to running AI safely. Correct container isolation is part of hardening AI usage. When AI agents, LLM tooling or generated code run inside containers, proper isolation (no privileged containers, no insecure host mounts, dropped capabilities, enforced seccomp profiles) is what stops an untrusted or compromised workload from reaching the host. Weak isolation gives only the appearance of a sandbox; done correctly, it provides a reliable boundary for AI-driven workloads.

Format & Delivery

  • Duration: 1 or 2 days (roughly 09:00 to 17:20 each day)
  • Delivery: Instructor-led, hands-on, cloud-based lab with pre-provisioned VMs and a container registry. No local setup required.
  • Style: Short input sessions followed by practical attack and defend challenges and joint debriefs
  • Group: Small-group, interactive

Who Should Attend

  • DevOps and platform engineers running containerised workloads
  • Software developers building and shipping container images
  • Security engineers and architects responsible for container and CI/CD security
  • System administrators operating Docker hosts

Prerequisites

  • Working knowledge of the Linux command line
  • Basic familiarity with Docker (images, containers, docker run, docker-compose)
  • No prior security experience required. The threat model is built up during the workshop.

What You Will Learn

  • How container isolation works in practice (namespaces, the shared kernel, Linux capabilities, cgroups) and where it breaks
  • How attackers achieve container breakout through insecure host mounts, privileged containers and host filesystem access
  • How privilege escalation happens via root processes, dangerous capabilities and SETUID/SETGID binaries
  • How to evaluate images for provenance, age and vulnerabilities, and scan for CVEs with current tooling
  • How secrets leak through images, parameters and public exposure, and how to store them safely
  • How supply-chain attacks trojanize images and plant reverse shells, and how signing and registry trust defend against them
  • How denial-of-service attacks exhaust host CPU, RAM, filesystem and network resources, and how to contain them with limits and quotas
  • How to harden containers with dropped capabilities and seccomp profiles, and how to baseline and detect against a known-good benchmark
  • Why correct container isolation is part of hardening AI usage, providing a reliable sandbox boundary for AI agents, LLM tooling and AI-generated code

Tools You Will Use

Docker and docker-compose, buildah, skopeo, dive, Trivy, seccomp profiles, Linux capabilities, and a pre-built cloud attack and defend lab.

Agenda

Day 1: Foundations, Isolation and Breakout

  • Welcome and lab setup: workshop goals, cloud lab and registry orientation
  • DevOps and IT Security: the container threat landscape (overview of all threat categories)
  • Container concepts refresher: images, runtime, registry, docker-compose
  • Namespaces hands-on: Mount, Network and IPC isolation
  • Shared kernel: Kernel features in containers
  • User namespaces and Linux capabilities: root processes, NET_RAW, dropping capabilities
  • Challenge: Rail Gun / Rail Gun Non-Root: breakout via insecure host-path volume mounts, with root-cause debrief
  • Challenge: Ion Cannon / Mount Host Hard Disk: host filesystem access and privileged containers, with impact debrief
  • SETUID/SETGID and daemon vulnerabilities: privilege escalation to the host
  • Challenge: Image Evaluation: layers, provenance and base-image age using buildah, skopeo and dive
  • Wrap-up and Q&A

Day 2: Images, Secrets, Denial of Service and Hardening

  • Recap of Day 1
  • Image vulnerabilities and CVE scanning: outdated and infected images
  • Challenge: CVE scanning with Trivy / ShellShock: CVE-2014-6271 leading to RCE, defacement and network discovery
  • Challenge: Wrong Secrets: several sub-challenges on secrets in images, parameters and public access, with safe-storage debrief
  • Challenge: Trojanize an image: plant a reverse shell in a supply-chain attack, with provenance, signing and registry-trust debrief
  • Challenge: Fragmentation and Smoke Bang Grenades: host resource exhaustion across network, filesystem, RAM and CPU, with limits, cgroups and quotas debrief
  • Baseline and detection: benchmarking the Docker environment and forensic analysis (E-Web-Blaster)
  • Hardening: Seccomp vs. Capabilities: dropping capabilities versus seccomp profiles
  • Challenge: Force Pike: apply and test seccomp profiles and capability restrictions

Outcome

After two days, participants understand how container isolation works, can reproduce the main container attacks in a lab, and can apply the hardening measures that prevent them in production: capability dropping, seccomp, resource limits, image provenance and secret management.

Methodology

Learning by doing is one of the most important paradigms. More about the training methodology here.

Preparation

Participants each use a prepared training instance in the cloud. This means that there is no setup effort during the training! An SSH client such as Putty is required.
Prior knowledge of container technologies such as Docker is recommended, e.g. completion of the play-with-docker beginner training.

Containers are using existing Linux mechanisms, basic Linux knowledge is needed. Completion of Ryan’s Linux tutorial is recommended.

Trainer

Timo Pagel incorporates his knowledge from over 20 years in operations and development into his trainings. As a DevSecOps consultant, he not only advises at the strategic level but also lends a hand.

Arrange a free initial consultation

Timo Pagel

Der Beitrag Container Security erschien zuerst auf PagelShield.

]]>
Threat Modeling https://pagel.pro/en/threat-modeling-en/ Tue, 26 Jan 2021 14:58:01 +0000 https://pagel.pro/?p=1035 Conduction of a structured analysis to identify threats in IT systems.

Der Beitrag Threat Modeling erschien zuerst auf PagelShield.

]]>
Agile Threat Modeling Workshop

Description

Approximately 50% of threats in a system are related to architecture and design, so companies should act proactively at this point.

Threat modeling is a methodical approach that uses attack scenarios to identify threats in the system design that lead to real-life consequences for the system or business.

Under the pressure of digital transformation, the temptation for business managers/product owners to continuously deliver technical features is great.

However, security is also a permanently required feature and quality goal that customers expect and deserve.

In the workshop, the participant will be introduced to the approach according to the proven STRIDE method in a clear and comprehensible way with a mix of theory and practical exercises using show cases.

The workshop concludes with the participants learning how to make threat modeling attractive to employees who are not so security-savvy by using playful elements in the form of a card game.

Content

We perform a threat modeling for your new feature/architecture together. We will perform the traditional threat modeling steps:

  • What are we working on?
  • What can go wrong?
  • What are we going to do about it?
  • Did we do a good enough job?

Target Audience

Developers, architects and DevOps engineers, but also product managers and IT security architects with a basic understanding of IT architectures.

Methodology

We will determine different roles in the start of the threat modeling. In remote Threat Modeling, we will use an interactive whiteboard like miro and cue cards to determine threats.

p { margin-bottom: 0.1in; color: #000000; line-height: 115%; background: transparent }p.western { font-family: “TeX Gyre Heros”; font-size: 10pt }p.cjk { font-family: “TeX Gyre Heros”; font-size: 10pt }p.ctl { font-family: “TeX Gyre Heros” }a:link { color: #000080; text-decoration: underline }

Preperation

A preperation is not needed. We will together understand the architecture, threats and countermeasures.

Trainer

Timo Pagel incorporates his knowledge from over 20 years in operations and development into his trainings. As a DevSecOps consultant, he not only advises at the strategic level but also lends a hand.

Arrange a free initial consultation

Timo Pagel

Der Beitrag Threat Modeling erschien zuerst auf PagelShield.

]]>
WordPress Security https://pagel.pro/en/wordpress-security-en/ Tue, 26 Jan 2021 14:53:22 +0000 https://pagel.pro/?p=1029 WordPress is the most popular blog system on the market today. Attackers know this too, which is why more and more automated attacks are being run against WordPress. This workshop will show you what attacks exist and what countermeasures you can take.

Der Beitrag WordPress Security erschien zuerst auf PagelShield.

]]>
WordPress Security Workshop

Description

WordPress is the most popular blog system on the market today. Attackers know this too, which is why more and more automated attacks are being run against WordPress. This workshop will show you what attacks exist and what countermeasures you can take.

Content

  • Getting to know the concepts of WordPress
  • Getting to know attacks and countermeasures when using WordPress
  • Patch management of WordPress and plugins
  • Secure development of wordpress plugins

Target Audience

Administrators with knowledge of WordPress administration and basic knowledge of PHP are well served by this workshop.

Methodology

Im Rahmen des Workshops werden Themen vorgestellt und die Teilnehmer führen Hands-On Analysen in einer Trainingsumgebung durch. Teilweise werden Maßnahmen implementiert.
Im Rahmen dieses Workshops mit einem Mix aus Hands-On und Vortrag lernen Entwickler und Administratoren Bedrohungen und Maßnahmen bei der Nutzung von Container-Technologien kennen.
• Technisch Hoch spezalisiert und auf Ihre Wünsche angepasst
• Sturkturiert und praxisorientiert
• Spielerisches lernen
• Teilnehmer werden interaktiv eingebunden
• Ausgleich von Heterogenität im Vorwissen
Mehr zur Trainings-Methodik unter XYZ.

p { margin-bottom: 0.1in; color: #000000; line-height: 115%; background: transparent }p.western { font-family: “TeX Gyre Heros”; font-size: 10pt }p.cjk { font-family: “TeX Gyre Heros”; font-size: 10pt }p.ctl { font-family: “TeX Gyre Heros” }a:link { color: #000080; text-decoration: underline }

Vorbereitung

TIMO:

Trainer

Timo Pagel lässt sein Wissen aus über 20 Jahren im Betrieb und der Entwicklung in seine Trainings einfließen. Als DevSecOps-Berater berät er nicht nur auf der strategischen Ebene sondern legt auch „Hand an“.

Arrange a free initial consultation

Timo Pagel

Der Beitrag WordPress Security erschien zuerst auf PagelShield.

]]>
Security Check https://pagel.pro/en/security-check-en/ Tue, 26 Jan 2021 14:48:49 +0000 https://pagel.pro/?p=1020 Quick security check of web applications to identify threats in running applications for common pit falls.

Der Beitrag Security Check erschien zuerst auf PagelShield.

]]>
DevSecOps Workshop

Übersicht

Anhand des DevSecOps Maturity Models (dsomm.timo-pagel.de), konzipiert durch den Referenten, werden unterschiedliche Dimensionen von Sicherheit in DevOps erläutert.

Die Vermittlung des Inhalts wird durch HandsOn Aufgaben unterstützt, welche ausschließlich anhand von OpenSource Werkzeugen erfolgt.

Inhalte

  • Auffrischung DevOps
  • Bedrohungen bei einer Build- und Deployment Pipeline
  • Maßnahmen zur Härtung einer Build- und Deployment Pipeline
  • Docker-Sicherheit inkl. Patch-Management
  • Automation von dynamischen und statischen Sicherheits-Tests
  • Logging und Monitoring in einer DevOps-Welt
  • Optional: Continuous License Scanning

Als Orientierung dient das OWASP DevSecOps Maturity Model mit den Dimensionen

Build and Deployment

Culture

Information Gathering

Infrastructure Hardening

Test and Verification

Zielgruppe

Informations- und IT-Sicherheits-Verantwortliche und DevOps Engineers.

Ausschnitte von Werkzeugen:

  • Docker
  • Distroless
  • OWASP ZAP
  • OWASP Dependency Check
  • Automation
  • Jenkins
  • Arachni
  • nmap
  • Distroless

Methodik

Im Rahmen des Workshops werden Themen vorgestellt und die Teilnehmer führen Hands-On Analysen in einer Trainingsumgebung durch. Teilweise werden Maßnahmen implementiert.
Im Rahmen dieses Workshops mit einem Mix aus Hands-On und Vortrag lernen Entwickler und Administratoren Bedrohungen und Maßnahmen bei der Nutzung von Container-Technologien kennen.
• Technisch Hoch spezalisiert und auf Ihre Wünsche angepasst
• Sturkturiert und praxisorientiert
• Spielerisches lernen
• Teilnehmer werden interaktiv eingebunden
• Ausgleich von Heterogenität im Vorwissen
Mehr zur Trainings-Methodik unter XYZ.p { margin-bottom: 0.1in; color: #000000; line-height: 115%; background: transparent }p.western { font-family: “TeX Gyre Heros”; font-size: 10pt }p.cjk { font-family: “TeX Gyre Heros”; font-size: 10pt }p.ctl { font-family: “TeX Gyre Heros” }a:link { color: #000080; text-decoration: underline }

Vorbereitung

TIMO:

Trainer

Timo Pagel lässt sein Wissen aus über 20 Jahren im Betrieb und der Entwicklung in seine Trainings einfließen. Als DevSecOps-Berater berät er nicht nur auf der strategischen Ebene sondern legt auch „Hand an“.

Kostenloses Erstgespräch vereinbaren

Timo Pagel

Der Beitrag Security Check erschien zuerst auf PagelShield.

]]>