OWASP - User contributions [en]

OWASP EU Summit 2008 Training

2008-10-17T16:05:06Z

Lebbeous: /* How to Win AppSec Hacking Contests and Deploy Better Web Applications - instructors can't attend */

EU Summit 2008 Trainings

cvent links to be added.

Upon completion and scheduling, trainings will be copied over from [[OWASP EU Summit 2008 Training (Courses to be Approved)]]

Back to [[OWASP EU Summit 2008]]

== WebAppSec for Managers and Executives - The Road Less Travelled ==

'''Instructor'''

[https://www.owasp.org/index.php/User:Manopaul Mano Paul]

'''Duration'''

1 day

'''Summary'''

With the financial turn tables of major corporations resting on web applications that connect businesses, transmit and store sensitive financial and personal transaction, combined with the ubiquitous nature of the web; it is imperative that web applications that are designed, architected and developed are secure.

What do you think Shakespeare had to say about Software Security? What does an naked motorist have to do with Confidentiality? What does the Jungle Book character Baloo have to say about Security Essentials (The Bear Bare Necessities of Life security)? What does the African Wildlife have to do with Security Concepts? What does pH have to do with Security? and more … The Road Less Travelled by renowned poet, Robert Frost ends by with the statement "And that has made all the difference". Come to find out the answers to the questions above and see what it takes to look at Security from a different perspective that would make ALL the difference for you and your company.

'''Audience'''

This session is for Management primarily and any stakeholder that needs to understand how understanding application security concepts can benefit their organizations/companies in designing secure web applications. Whether you are a novice or an expert, you will all leave learning something new to lead your teams and help design the next generation of hack-resilient web applications.

'''Table of Contents'''

1. Introduction

2. Changing Landscape

3. Drivers of Web Application Security

4. From the Boardroom to the Builder, Client to the Coder

5. Regulations, Compliance and Security

6. Information Security Management Top 10

7. OWASP Top 10

8. Software Security Concepts

9. Security in the SDLC - Requirements to Release

10. Software Risk Management

11. Data Classification

12. Common Web Application Threats and Vulnerabilities

13. Security in an Outsourced World

14. Web 2.0 Security

15. Self Service Programs

16. Awareness, Training, Education & Certification

17. Hiring and Staffing

18. Information Security Framework

'''Course Specifics'''

No specific requirement. Come for a fun, interactive session that will cover the basic and advanced elements of web application security for executives and managers - the road less travelled, filled with exercises for the attendees to participate.

== The Art and Science of Threat Modeling Web Applications ==

'''Instructor'''

[https://www.owasp.org/index.php/User:Manopaul Mano Paul]

'''Duration'''

1 day

'''Summary'''

To secure your home, you will first need to know how the thief could possibly enter and exit and where you should store your valuables. The same is true of your web applications. Unless you know what the vulnerabilities and threats of your web applications are, and what security measures you should take to protect them, ev1L h@x0rS or the enemy within (insider) could take advantage of the vulnerabilities.

Threat Modeling is a technique that you can use to identify ATVS (attacks, threats, vulnerabilities and safeguards) that could affect your web applications. Threat Modeling helps in designing your application securely from a confidentiality, integrity, availability, authentication, authorization and auditing perspective. It is an essential activity to be undertaken during the design stage of your SDLC and helps mitigate and minimize overall risk.

'''Audience'''

This session is for Management, Technical (Developer, QA, Security ...) and Operational professionals and any stakeholder that needs to understand how threat modeling can benefit their organizations/companies in designing secure web applications. Whether you are a novice or an expert apropos threat modeling, you will all leave learning something new to design the next generation of hack-resilient web applications.

'''Table of Contents'''

1. Introduction

2. Why Threat Model?

3. Is Threat Modeling Right for You?

4. Challenges

5. Precursors

6. Data Classification and Threat Modeling

7. Web Application Security Mechanisms

8. Benefits of Threat Modeling

9. Common Glossary of Terms

10. Threat Agents

11. Threat Modeling Process

12. Attack Trees

13. STRIDE and DREAD

14. Threat to Risk

15. Threat Modeling (Exercise)

'''Course Specifics'''

No specific requirement. Come for a fun, hands-on, interactive session that will cover the basic and advanced elements of threat modeling, filled with exercises for the attendees to participate.

== Web server/services hardening using SELinux ==

'''Instructor'''

Pavol Luptak

'''Duration'''

1 day

'''Summary'''

Security-Enhanced Linux (SELinux) is a FLASK implementation integrated in the Linux kernel with a number of utilities designed to provide mandatory access controls (MAC) through the use of Linux Security Modules (LSM) in the Linux kernel. SELinux generally supports many kinds of mandatory access control policies, including those based on the concepts of type enforcement, role-based access control, and multi-level security.

A Linux kernel integrating SELinux enforces mandatory access control policies that confine user programs and system servers to the minimum amount of privilege they require to do their jobs. This reduces or eliminates the ability of these programs and daemons to cause harm when compromised (via buffer overflows or misconfigurations, for example). This confinement mechanism operates independently of the traditional Linux access control mechanisms. It has no concept of a "root" super-user, and does not share the well-known shortcomings of the traditional Linux security mechanisms (such as a dependence on setuid/setgid binaries).

This training provides basic concepts of SELinux, its differences to classical UNIX/Linux systems, describe security advantages of mandatory access control policies and teach how to effectively and rapidly configure a fully functional LAMP environment on SELinux system.

'''Audience'''

Security consultants, system administators, programmers focused on system security

'''Table of Contents'''

1. SELinux history

2. Unix/Linux DAC (Discretionary Access Control) and its problems

3. MAC (Mandatory Access Control)

4. Advantages of using MAC

5. DTE (Domain Type Enforcement) model

6. RBAC (Roles Based Access Control) model

7. MLS (Multi Level Security) model

8. SELinux FLASK Architecture

9. SELinux policy (EXERCISE)

10. File System Security Contexts (EXERCISE)

11. SELinux Object Classes and Permissions

12. TE (Type Enforcement) Rules (Attributes, Type Declaration, Type Transitions, Domain Type Transitions, Object Labeling Transitions, Access Vectors)

13. Understanding AVC, log messages

14. audit2allow and audit2why (EXERCISE)

15. SELinux Troubleshoot Tool (EXERCISE)

16. Auditing and Auditing tools

17. Policy Macros

18. Backtracking rule (EXERCISE)

19. SELinux Users, Roles, MLS Levels

20. Strict Policy

21. Targeted Policy

22. SELinux Booleans and their use for Apache web server (EXERCISE)

23. Files and Directories in Targeted Policy, common SELinux Macros (EXERCISE)

24. Analyzing Example Policy - apache.te (EXERCISE)

25. Assigning Object and Process Types

26. SELinux Booting

27. Copying and moving files, checking security contexts, relabeling a file and directory's security context (EXERCISE)

28. Policy core utilities

29. Managing File Labeling, Relabeling a File System (EXERCISE)

30. SELinux Administrator GUI (EXERCISE)

31. SELinux Modules (EXERCISE)

32. Hardening existing LAMP environments using SELinux (EXERCISE)

33. Writing New Policy for a Daemon (EXERCISE for clever students)

'''Course Specifics'''

Bring your own laptop. Each student will have own SELinux virtual machine for his experiments.

== Secure Programming with Java ==

'''Instructor'''

Lucas C. Ferreira

'''Duration'''

1 Day

'''Summary'''

This training class will present best practices of secure programming in the Java language. It includes Java specific practices (i.e. how to avoid problems that arise from the compilation of Java source code to the bytecode language used by the JVM) and practices that may arise in other programming languages (with examples in Java). Some tools that may be used to verify the security of Java code and systems will be shown.

The topics include a quick overview of the OWASP Top 10, in order to contextualize the practices presented, and several best practices aimed at the different software layers. At the presentation layer, we focus on input validation, access control issues and dealing with exceptions. At the business objects layer, the practices deal with cloning and serialization issues. Practices to prevent command injection are presented at the persistence layer. Practices that should be used throughout all the software are also presented, including input data validation, class and method visibility, using and storing secrets, dealing with inner classes, overflows and boxing, and object initialization.

'''Audience'''

Java web application developers. This training requires basic understanding of web applications and an intermediate level of proficiency in the Java language and Object Oriented concepts. People with interest in other OO languages may also benefit from this training, but specific techniques, examples and tools used are targeted to Java.

'''Table of Contents'''

# OWASP Top 10 - quick overview
# Secure Programming Best Practices
## Presentation layer
### Preventing cross-site scripting
### Access control
### Request validation
### Error treatment
## Business object layer
### Cloning and serialization issues
## Persistence layer
### Command injection issues
### Database access users and permissions
### file manipulation
## Infra-structure layer
### J2EE container-related best practices
### Native method issues
### SSL and encryption
## Practices for all software layers
### Data validation
### Garbage collection issues
### Classes and method scoping
### Use of secrets
### Inner class issues
### Over/underflow and boxing issues
# Tools
## Code review tool
## Data flow tool
## Pen-testing tool

'''Course Specifics'''

Laptop not required.

== OWASP Top 10 - What Developers Should Know on Web Application Security ==

'''Instructor'''

Sebastien Deleersnyder and Martin Knobloch

'''Duration'''

4 h
To be scheduled on Tuesday.

'''Summary'''

Application security is an essential component of any successful project; this includes web applications, open source PHP applications, web services and proprietary business web sites.
Web application security education and awareness is needed throughout the entire development and deployment organization. Each area and level of development or deployment organizations have specific needs and requirements regarding web application security education. A manager needs other information than a security professional or developer. Novices to the profession require other training than people with several years of experience.

The OWASP Education project aims to provide in building blocks of web application security information. These modules can be combined together in education tracks targeting different audiences.
This Education Track provides in a 4 hour session covering what developers should know on web application security. It starts with an explanation of web application security and why it is important. Then the OWASP Top 10 is used to explain the nastiest vulnerabilities and how these can be prevented or re mediated. A secure coding initiative must deal with all stages of a program’s life cycle. Secure web applications are only possible when a secure SDLC is used. The SDLC is explained from the standpoint of people, processes and tools. Particularly for developers good secure development practices are covered in a separate topic. Finally the track finishes with an exhaustive list of web application security resources for web application developers.

'''Audience'''

Web application developers who are unaware there are security issues with contemporary web applications. No prior knowledge of web application security is assumed nor necessary. This track is independent of the coding language or web frameworks used; like PHP, JSF, Java EE or .NET. We must realize that web application developers are only one link - albeit an important one - of the chain that represents the security of a web application. This track aims to make that link as secure as possible, given the constraint of 4 hours. Another important aspect is that web application security should be tailored to the risk profile of an organization and the specific development environment of that organization.

'''Table of Contents'''

The challenge is to cover web application security in 4 hours to a web application developer. This is presented in such a way that the developers will be able to recognize and correct web application vulnerabilities in their projects.

* [[Education Module Why WebAppSec Matters|Why WebAppSec matters]] (20 min) ([http://www.owasp.org/images/5/58/Education_Module_Why_WebAppSec_Matters.ppt direct link])
:This part is the introduction of the track. It identifies the current security problems with web applications. During the introduction a definition of web application security is given. Trends that are influencing the current state of web application insecurity are also explained.
:*What goes wrong
:*WebAppSec Defined
:*Current trends
* [[Education_Module_OWASP_Top_10_Introduction_and_Remedies|OWASP Top 10 Introduction & Remedies]] (90 min) ([http://www.owasp.org/images/b/b8/Education_Module_OWASP_Top_10_Introduction_and_Remedies.ppt direct link])
:The primary aim of the OWASP Top 10 is to educate developers, designers, architects and organizations about the consequences of the most common web application security vulnerabilities. The Top 10 provides basic methods to protect against these vulnerabilities.
:*[[Education Module Cross Site Scripting (XSS)|Cross Site Scripting (XSS)]]
:*Injection Flaws
:*Malicious File Execution
:*Insecure Direct Object Reference
:*Cross Site Request Forgery (CSRF)
:*Information Leakage and Improper Error Handling
:*Broken Authentication and Session Management
:*Insecure Cryptographic Storage
:*Insecure Communications
:*Failure to Restrict URL Access
*[[Education Module Embed within SDLC|Embed within SDLC]] (People, Processes & Tools) (20 min) ([http://www.owasp.org/images/f/f2/Education_Module_Embed_within_SDLC.ppt direct link])
:There is no silver bullet when it comes to securing web applications. This problem has to be addressed from different angles, covering the involved actors, processes: development as well as deployment and Technologies.
:*People Awareness and Education
:*Development WebAppSec Controls
:*Deployment WebAppSec Controls
:*WebAppSec Tools
*[[Education Module Good Secure Development Practices|Good Secure Development Practices]] (70 min) ([http://www.owasp.org/images/5/57/Education_Module_Good_Secure_Development_Practices.ppt direct link])
:Next to the Top 10 remedies this module provides some good secure development practices from the OWASP Guide, covering e.g.
:*Validating User Input
:*Authentication
:*Authorization
:*Session Management
:*Using Interpreters
:*Crypto
:*Catching Errors
:*File System
:*Configuration
:*Web 2.0
*[[Education Module Testing for Vulnerabilities|Testing for Vulnerabilities]] (20 min) ([http://www.owasp.org/images/4/49/Education_Module_Testing_for_Vulnerabilities.ppt direct link])
:One important aspect is to test for application vulnerabilities. During this short module an introduction is provided together with some WebGoat test cases.
:*Testing for application vulnerabilities
:*The OWASP Testing Guide
:*WebGoat demonstrated
*[[Education Module Good WebAppSec Resources|Good WebAppSec Resources]] (not limited to OWASP) (10 min) ([http://www.owasp.org/images/f/fe/Education_Module_Good_WebAppSec_Resources.ppt direct link])
:This 4 hour education track in only the beginning of your journey. Web application security is a moving target. New vulnerabilities and threats are discovered regularly. Web application security controls are becoming mature. The following resources should provide you with enough pointers to serve both as reference and for further research.
:*Hard Copy
:*Web Sites
:*Mailing lists
:*Blogs
*Roundup (10 min)

[[Category:OWASP Education Project]]

'''Course Specifics'''

No specific prerequisites.

== Classic ASP Security using OWASP tools ==

'''Instructor'''

Juan Carlos Calderon

'''Duration'''

1 day

'''Summary'''

Classic ASP 2.0 and 3.0 applications are still largely used as this technology is more than 10 years old and was largely used. there are thousands of sites on the wild that need guidance on the security arena. This is where OWASP can come up and provide help for “making the Web a better place”.

'''Audience'''

People involved in development/maintenance of Classic ASP applications at all levels, including developers, Application Architects, testers, etc.

'''Table of Contents'''

*Secure programming on ASP using [[ESAPI|OWASP ESAPI]]
*Auditing ASP code with [[:Category:OWASP_Code_Review_Project|Code Review Project]] checklist
*Implementing [[:Category:OWASP_Stinger_Project|OWASP Stinger]] protection for Classic ASP
*Complementary security best practices.

'''Course Specifics'''

None. Keep posted for changes on the table of contents and course specifics.

== Web Application Assessments ==

'''Instructor'''

Vicente Aguilera Diaz

'''Duration'''

4h

'''Summary'''

As in the physical world, the "professionals" attackers spend most of their time to analysing its objective and try to gather as much information as possible about it. The more information becomes available and is more detailed and accurate, the attack is more likely to succeed.

The aim of this course is to identify patterns and tools to perform this analysis (step prior to the attack), and is supplemented by a case study on a practical application.

'''Audience'''

Software developers, security consultants, system administrators and people loving security.

'''Table of Contents'''

# Introduction
# Web Application Discovery
# Gathering information on the target web application
## Search Engines
## Interaction with external entities and information services
## Analysis of existing information in the web application (public information, information leaks, causing errors, etc.).
# Knowing / Understand the target
## Identifying characteristics (technologies, platforms, user profiles, features, etc.).
## Analysis of infrastructure components: databases, Web servers, application servers, authentication servers, etc.). Detection and identification.
## Identification of the exposition area
# Analysis of attack vectors and vulnerabilities exploitation
# Case Study
## Assessment of an webmail application
## Vulnerability exploitation: IMAP / SMTP Injection

'''Course Specifics'''

Bring your own laptop.

== Hacking Owasp Orizon Project v1.0 ==

'''Instructor'''

Paolo Perego

'''Duration'''

4h

'''Summary'''

In the course it will be presented Owasp Orizon v1.0 framework. The major APIs will be fully explained and it will be built a simple scanning tool using the Orizon framework.

The course goal is to let people fully understand Orizon internals and let people understand how to use the framework in a real world.

'''Audience'''

Security specialist, code reviewers and curious developers

'''Table of Contents'''

* Owasp Orizon Internals
** Translation engine
** Owasp Orizon XML project
*** XML used in writing security checks
*** XML used in translation phase
** Static analysis engine
** Crawling engine
** Reporting engine
* Create a simple tool using Orizon

'''Course Specifics'''

People have to bring their own laptop with latest Owasp Orizon version, J2SE 1.6 or later and a Java IDE (e.g. eclipse) is also feasible.

== Securing WebGoat with ModSecurity ==

'''Instructor'''

Stephen Craig Evans

'''Duration'''

4h

'''Summary'''

ModSecurity, normally a tool of the network security group, has capabilities that can allow a software security specialist with programming skills to mitigate business logic flaws and other vulnerabilities that are out-of-reach of basic blacklists.

This 4 hour course covers the highlights of the Summer of Code 2008 project, "Securing WebGoat using ModSecurity" (please see https://www.owasp.org/index.php/Category:OWASP_Securing_WebGoat_using_ModSecurity_Project and the project wiki).

'''Audience'''

* Users of ModSecurity that want to learn how it can be leveraged beyond the basic rule sets in order to mitigate vulnerabilities in areas such as authentication, AJAX, and output sanitization
* Web application specialists, especially pentesters, who want to learn how ModSecurity can offer an additional remedial solution to customers when the application cannot be touched
* Curious people that are wondering what the hell this project is about

'''Table of Contents'''

* ModSecurity basics
* WebGoat overview
* A walkthrough of the "Securing WebGoat using ModSecurity" Summer of Code 2008 project
* Mitigating WebGoat vulnerabilities using the ModSecurity core rule set
* Using ModSecurity's Lua scripting language:
** For its programming capabilities (including re-building the Lua library to include 3rd party functionality)
** To implement configuration files
** For global persistence
** And much, much, more...
* Using ModSecurity's Javascript injection (prepend and append):
** To substitute/override/extend existing Javascript functions
** To enhance the user experience when implementing a ModSecurity solution on the back end such as an authentication mechanism
* Using ModSecurity's session collection, Lua script, and Javascript injection together to mitigate almost any vulnerability

'''Course Specifics'''

Demos (including strategy and implementation) of the most interesting lesson solutions will be shown.

== Uncovering WebScarab's Secret Treasures ==

'''Instructor'''

Rogan Dawes

'''Duration'''

1 day.

'''Summary'''

OWASP WebScarab has a lot of hidden features that probably no one but the author really knows about. This in depth hands on session will show delegates how to access these features, and how to use them to their full potential.

'''Audience'''

Application reviewers, developers

'''Table of Contents'''

* Using the spider
* Manual Request Transforms
* What is the XSS/CRLF plugin, and how does it work?
* Using the Fuzzer
* Comparing Responses
* Searching WebScarab history
* Exploring the Beanshell
** Writing Proxy Intercept scripts
** Writing Script Manager Scripts
** Writing other scripts

'''Course Specifics'''

Bring your own laptop

== Advanced Web Application Security Testing ==

'''Instructor'''

Michael Coates, Aspect Security

'''Duration'''

2 days.

'''Summary'''

While all developers need to know the basics of web application security testing, application security specialists will want to know all the advanced techniques for finding and diagnosing security problems in applications. Aspect’s Advanced Web Application Security Testing training is based on a decade of work verifying the security of critical applications. The course is taught by an experienced application security practitioner in an interactive manner.

'''Course Specifics'''

Bring your own Windows based laptop

== Building Secure Web 2.0 Applications ==

'''Instructor'''

Arshan Dabirsiaghi, Aspect Security

'''Duration'''

1 day.

'''Summary'''

Web 2.0 applications using technologies like Ajax, Flash, ActiveX, and Java Applets require special attention to secure. this one day training addresses the special issues that arise in this type of application development.

'''Course Specifics'''

Bring your own Windows based laptop

== Building Secure Web Services ==

'''Instructor'''

Dave Wichers, Aspect Security

'''Duration'''

2 days.

'''Summary'''

The movement towards Web Services and Service Oriented architecture (SOA) paradigms requires new security paradigms to deal with new risks posed by these architectures. this session takes a pragmatic approach towards identifying Web Services security risks and selecting and applying countermeasures to the application, code, web servers, databases, application, and identify servers and related software. Many enterprises are currently developing new Web Services and/or adding and acquiring Web Services functionality into existing applications -- now is the time to build security into the system.

'''Course Specifics'''

Bring your own Windows based laptop

== Building Secure Web Applications with OWASP's Enterprise Security API (ESAPI) ==

'''Instructor'''

Jeff Williams, Aspect Security

'''Duration'''

1 day.

'''Summary'''

This course will teach you about OWASP's new Enterprise Security API (ESAPI), what it is composed of, and how to use it to improve the security and reduce the cost of developing those applications. This class covers each interface within the API, how it is intended to be used, and what the benefits are of using this interface, over other techniques for addressing the same security concerns.

The course also discusses how to bring ESAPI into your organization and how to tailor it for your organization specific needs and application infrastructure.

'''Course Specifics'''

Bring your own Windows based laptop

== Ajax Security ==

'''Instructor'''

Brad Causey

'''Duration'''

1/2 day

'''Summary'''

This course will provide an introductory to AJAX, its inherent security issues, how to detect them, and how to resolve them.

'''Audience'''

Web Application Security Professionals

'''Table of Contents
'''
* Introduction to AJAX
* Security Issues with architecture
* Toolkits
* Toolkit Security Concerns
* Bridges and Issues
* Attacking AJAX
* Defending AJAX
* Securing the Code
* Best Practices
* Other Issues and Concerns
* Q and A

'''Course Specifics
'''

Please bring your own laptop with your choice of web proxy and browser installed if you wish to participate. Participation is optional.

== Flash Player Security ==

'''Instructor'''

Peleus Uhley

'''Duration'''

1/2 day

'''Summary'''

This course will provide an overview of the Flash Player security model and common architectures for Flash deployment. The course is targeted at people who need to understand the fundamentals of Flash Player security and how it will affect their website such as CSOs, web designers and web architects. The goal of the course is to provide the student with the enough information to architect a secure Flash deployment. The follow-on Auditing Flash Applications course will continue to build on this knowledge on an API by API level.

'''Audience'''

Web Application Security Professionals and those who make decisions or recommendations about Flash deployments.

'''Course Specifics'''

Please bring your own laptop with your choice of web browser installed if you wish to participate. Participation is optional.

== Auditing Flash Applications ==

'''Instructor'''

Peleus Uhley

'''Duration'''

1/2 day

'''Summary'''

This course is a follow on to the Flash Player Security course for those who want to do a deep dive into the security of Flash applications. This course is targeted at Flash authors and web-site auditors who need to validate Flash code and provide meaningful recommendations and best practices for improving Flash deployments. The goal of the course is to provide the student with the tools and information to audit a Flash website and provide quality feedback on how to remediate any issues.

'''Audience'''

Flash Developers, Web Application Penetration Testers

'''Course Specifics'''

Please bring your own laptop with your choice of web browser installed if you wish to participate. Participation is optional.
== Testing Guide Training ==

'''Instructor'''

Matteo Meucci, Giorgio Fedon - Minded Security.

'''Duration'''

4h.

'''Summary'''

This course will discuss the new OWASP Testing Guide v3 methodology and the most relevant tests of the 66 total controls of the Guide. You can learn how to test a web application and how to write a report.

'''Audience'''

Software developers, security consultants, auditors.

'''Table of Contents'''

The course will discuss the methology and will analize the 9 sub-categories of the Testing Guide:

* Configuration Management Testing
* Business Logic Testing
* Authentication Testing
* Authorization testing
* Session Management Testing
* Data Validation Testing
* Denial of Service Testing
* Web Services Testing
* Ajax Testing

'''Course Specifics'''

Bring your own laptop.

OWASP EU Summit 2008 Training

2008-10-09T15:42:38Z

Lebbeous: /* add "marketing edge" */

EU Summit 2008 Trainings

cvent links to be added.

Upon completion and scheduling, trainings will be copied over from [[OWASP EU Summit 2008 Training (Courses to be Approved)]]

Back to [[OWASP EU Summit 2008]]

== Web server/services hardening using SELinux ==

'''Instructor'''

Pavol Luptak

'''Duration'''

1 day

'''Summary'''

Security-Enhanced Linux (SELinux) is a FLASK implementation integrated in the Linux kernel with a number of utilities designed to provide mandatory access controls (MAC) through the use of Linux Security Modules (LSM) in the Linux kernel. SELinux generally supports many kinds of mandatory access control policies, including those based on the concepts of type enforcement, role-based access control, and multi-level security.

A Linux kernel integrating SELinux enforces mandatory access control policies that confine user programs and system servers to the minimum amount of privilege they require to do their jobs. This reduces or eliminates the ability of these programs and daemons to cause harm when compromised (via buffer overflows or misconfigurations, for example). This confinement mechanism operates independently of the traditional Linux access control mechanisms. It has no concept of a "root" super-user, and does not share the well-known shortcomings of the traditional Linux security mechanisms (such as a dependence on setuid/setgid binaries).

This training provides basic concepts of SELinux, its differences to classical UNIX/Linux systems, describe security advantages of mandatory access control policies and teach how to effectively and rapidly configure a fully functional LAMP environment on SELinux system.

'''Audience'''

Security consultants, system administators, programmers focused on system security

'''Table of Contents'''

1. SELinux history

2. Unix/Linux DAC (Discretionary Access Control) and its problems

3. MAC (Mandatory Access Control)

4. Advantages of using MAC

5. DTE (Domain Type Enforcement) model

6. RBAC (Roles Based Access Control) model

7. MLS (Multi Level Security) model

8. SELinux FLASK Architecture

9. SELinux policy (EXERCISE)

10. File System Security Contexts (EXERCISE)

11. SELinux Object Classes and Permissions

12. TE (Type Enforcement) Rules (Attributes, Type Declaration, Type Transitions, Domain Type Transitions, Object Labeling Transitions, Access Vectors)

13. Understanding AVC, log messages

14. audit2allow and audit2why (EXERCISE)

15. SELinux Troubleshoot Tool (EXERCISE)

16. Auditing and Auditing tools

17. Policy Macros

18. Backtracking rule (EXERCISE)

19. SELinux Users, Roles, MLS Levels

20. Strict Policy

21. Targeted Policy

22. SELinux Booleans and their use for Apache web server (EXERCISE)

23. Files and Directories in Targeted Policy, common SELinux Macros (EXERCISE)

24. Analyzing Example Policy - apache.te (EXERCISE)

25. Assigning Object and Process Types

26. SELinux Booting

27. Copying and moving files, checking security contexts, relabeling a file and directory's security context (EXERCISE)

28. Policy core utilities

29. Managing File Labeling, Relabeling a File System (EXERCISE)

30. SELinux Administrator GUI (EXERCISE)

31. SELinux Modules (EXERCISE)

32. Hardening existing LAMP environments using SELinux (EXERCISE)

33. Writing New Policy for a Daemon (EXERCISE for clever students)

'''Course Specifics'''

Bring your own laptop. Each student will have own SELinux virtual machine for his experiments.

== Secure Programming with Java ==

'''Instructor'''

Lucas C. Ferreira

'''Duration'''

1 Day

'''Summary'''

This training class will present best practices of secure programming in the Java language. It includes Java specific practices (i.e. how to avoid problems that arise from the compilation of Java source code to the bytecode language used by the JVM) and practices that may arise in other programming languages (with examples in Java). Some tools that may be used to verify the security of Java code and systems will be shown.

The topics include a quick overview of the OWASP Top 10, in order to contextualize the practices presented, and several best practices aimed at the different software layers. At the presentation layer, we focus on input validation, access control issues and dealing with exceptions. At the business objects layer, the practices deal with cloning and serialization issues. Practices to prevent command injection are presented at the persistence layer. Practices that should be used throughout all the software are also presented, including input data validation, class and method visibility, using and storing secrets, dealing with inner classes, overflows and boxing, and object initialization.

'''Audience'''

Java web application developers. This training requires basic understanding of web applications and an intermediate level of proficiency in the Java language and Object Oriented concepts. People with interest in other OO languages may also benefit from this training, but specific techniques, examples and tools used are targeted to Java.

'''Table of Contents'''

# OWASP Top 10 - quick overview
# Secure Programming Best Practices
## Presentation layer
### Preventing cross-site scripting
### Access control
### Request validation
### Error treatment
## Business object layer
### Cloning and serialization issues
## Persistence layer
### Command injection issues
### Database access users and permissions
### file manipulation
## Infra-structure layer
### J2EE container-related best practices
### Native method issues
### SSL and encryption
## Practices for all software layers
### Data validation
### Garbage collection issues
### Classes and method scoping
### Use of secrets
### Inner class issues
### Over/underflow and boxing issues
# Tools
## Code review tool
## Data flow tool
## Pen-testing tool

'''Course Specifics'''

Due to the lack of time, we will only show tool usage (no practical exercises with the audience).

== OWASP Top 10 - What Developers Should Know on Web Application Security ==

'''Instructor'''

Sebastien Deleersnyder and Martin Knobloch

'''Duration'''

4 h
To be scheduled on Tuesday.

'''Summary'''

Application security is an essential component of any successful project; this includes web applications, open source PHP applications, web services and proprietary business web sites.
Web application security education and awareness is needed throughout the entire development and deployment organization. Each area and level of development or deployment organizations have specific needs and requirements regarding web application security education. A manager needs other information than a security professional or developer. Novices to the profession require other training than people with several years of experience.

The OWASP Education project aims to provide in building blocks of web application security information. These modules can be combined together in education tracks targeting different audiences.
This Education Track provides in a 4 hour session covering what developers should know on web application security. It starts with an explanation of web application security and why it is important. Then the OWASP Top 10 is used to explain the nastiest vulnerabilities and how these can be prevented or re mediated. A secure coding initiative must deal with all stages of a program’s life cycle. Secure web applications are only possible when a secure SDLC is used. The SDLC is explained from the standpoint of people, processes and tools. Particularly for developers good secure development practices are covered in a separate topic. Finally the track finishes with an exhaustive list of web application security resources for web application developers.

'''Audience'''

Web application developers who are unaware there are security issues with contemporary web applications. No prior knowledge of web application security is assumed nor necessary. This track is independent of the coding language or web frameworks used; like PHP, JSF, Java EE or .NET. We must realize that web application developers are only one link - albeit an important one - of the chain that represents the security of a web application. This track aims to make that link as secure as possible, given the constraint of 4 hours. Another important aspect is that web application security should be tailored to the risk profile of an organization and the specific development environment of that organization.

'''Table of Contents'''

The challenge is to cover web application security in 4 hours to a web application developer. This is presented in such a way that the developers will be able to recognize and correct web application vulnerabilities in their projects.

* [[Education Module Why WebAppSec Matters|Why WebAppSec matters]] (20 min) ([http://www.owasp.org/images/5/58/Education_Module_Why_WebAppSec_Matters.ppt direct link])
:This part is the introduction of the track. It identifies the current security problems with web applications. During the introduction a definition of web application security is given. Trends that are influencing the current state of web application insecurity are also explained.
:*What goes wrong
:*WebAppSec Defined
:*Current trends
* [[Education_Module_OWASP_Top_10_Introduction_and_Remedies|OWASP Top 10 Introduction & Remedies]] (90 min) ([http://www.owasp.org/images/b/b8/Education_Module_OWASP_Top_10_Introduction_and_Remedies.ppt direct link])
:The primary aim of the OWASP Top 10 is to educate developers, designers, architects and organizations about the consequences of the most common web application security vulnerabilities. The Top 10 provides basic methods to protect against these vulnerabilities.
:*[[Education Module Cross Site Scripting (XSS)|Cross Site Scripting (XSS)]]
:*Injection Flaws
:*Malicious File Execution
:*Insecure Direct Object Reference
:*Cross Site Request Forgery (CSRF)
:*Information Leakage and Improper Error Handling
:*Broken Authentication and Session Management
:*Insecure Cryptographic Storage
:*Insecure Communications
:*Failure to Restrict URL Access
*[[Education Module Embed within SDLC|Embed within SDLC]] (People, Processes & Tools) (20 min) ([http://www.owasp.org/images/f/f2/Education_Module_Embed_within_SDLC.ppt direct link])
:There is no silver bullet when it comes to securing web applications. This problem has to be addressed from different angles, covering the involved actors, processes: development as well as deployment and Technologies.
:*People Awareness and Education
:*Development WebAppSec Controls
:*Deployment WebAppSec Controls
:*WebAppSec Tools
*[[Education Module Good Secure Development Practices|Good Secure Development Practices]] (70 min) ([http://www.owasp.org/images/5/57/Education_Module_Good_Secure_Development_Practices.ppt direct link])
:Next to the Top 10 remedies this module provides some good secure development practices from the OWASP Guide, covering e.g.
:*Validating User Input
:*Authentication
:*Authorization
:*Session Management
:*Using Interpreters
:*Crypto
:*Catching Errors
:*File System
:*Configuration
:*Web 2.0
*[[Education Module Testing for Vulnerabilities|Testing for Vulnerabilities]] (20 min) ([http://www.owasp.org/images/4/49/Education_Module_Testing_for_Vulnerabilities.ppt direct link])
:One important aspect is to test for application vulnerabilities. During this short module an introduction is provided together with some WebGoat test cases.
:*Testing for application vulnerabilities
:*The OWASP Testing Guide
:*WebGoat demonstrated
*[[Education Module Good WebAppSec Resources|Good WebAppSec Resources]] (not limited to OWASP) (10 min) ([http://www.owasp.org/images/f/fe/Education_Module_Good_WebAppSec_Resources.ppt direct link])
:This 4 hour education track in only the beginning of your journey. Web application security is a moving target. New vulnerabilities and threats are discovered regularly. Web application security controls are becoming mature. The following resources should provide you with enough pointers to serve both as reference and for further research.
:*Hard Copy
:*Web Sites
:*Mailing lists
:*Blogs
*Roundup (10 min)

[[Category:OWASP Education Project]]

'''Course Specifics'''

No specific prerequisites.

== Linux Software Exploitation ==

'''Instructor'''

Nam Nguyen

'''Duration'''

2 days

'''Summary'''

This course is a primer into software exploitation on the Linux environment. The course assumes only basic understanding of the Linux commands, and C programming with the standard library. It explains the computer architecture, assembly language then moves on to three basic classes of security bug: buffer overflow, format string, and race condition and methods to take advantage of them. Throughout the course, various examples are introduced with increasing difficulty so that participants will naturally realize the art of software exploitation for themselves.

This course does not discuss about shell coding. Except on one example where provided shell code is used as an illustration, all other challenges require only good analysis and calculation.

The course is conducted as a workshop with heavy interaction between participants and instructor. There will not be any presentation slide. Participants are to take note during the course.

'''Audience'''

Software developers, system administrators, security engineers with some experience in Linux and C programming.

'''Table of Contents'''

# Computer architecture
# Assembly language
# Buffer overflow
# Format string
# Race condition
# Techniques
## Overwrite critical variable
## Overwrite return address
## Return to .text
## Return to libc
## Overwrite .dtors
## Overwrite .got
## Overwrite .bss, functors
## By pass Advanced Space Layout Randomization
# Tools of the trade: IDA, GDB, and Python

'''Course Specifics'''

Bring your own laptop with VMWare Player or equivalent. An VM image will be provided.

== Classic ASP Security using OWASP tools ==

'''Instructor'''

Juan Carlos Calderon

'''Duration'''

1 day

'''Summary'''

Classic ASP 2.0 and 3.0 applications are still largely used as this technology is more than 10 years old and was largely used. there are thousands of sites on the wild that need guidance on the security arena. This is where OWASP can come up and provide help for “making the Web a better place”.

'''Audience'''

Classic ASP Developers, Application Architects, people with basic ASP knowledge?

'''Table of Contents'''

*Secure programming on ASP using [[ESAPI|OWASP ESAPI]]
*Auditing ASP code with [[:Category:OWASP_Code_Review_Project|Code Review Project]] checklist
*Implementing [[:Category:OWASP_Stinger_Project|OWASP Stinger]] protection for Classic ASP
*ASP specific Best Practices to protect ASP applications.

'''Course Specifics'''

None. Keep posted for changes on the table of contents and course specifics.

== Web Application Assessments ==

'''Instructor'''

Vicente Aguilera Diaz

'''Duration'''

4h

'''Summary'''

As in the physical world, the "professionals" attackers spend most of their time to analysing its objective and try to gather as much information as possible about it. The more information becomes available and is more detailed and accurate, the attack is more likely to succeed.

The aim of this course is to identify patterns and tools to perform this analysis (step prior to the attack), and is supplemented by a case study on a practical application.

'''Audience'''

Software developers, security consultants, system administrators and people loving security.

'''Table of Contents'''

# Introduction
# Web Application Discovery
# Gathering information on the target web application
## Search Engines
## Interaction with external entities and information services
## Analysis of existing information in the web application (public information, information leaks, causing errors, etc.).
# Knowing / Understand the target
## Identifying characteristics (technologies, platforms, user profiles, features, etc.).
## Analysis of infrastructure components: databases, Web servers, application servers, authentication servers, etc.). Detection and identification.
## Identification of the exposition area
# Analysis of attack vectors and vulnerabilities exploitation
# Case Study
## Assessment of an webmail application
## Vulnerability exploitation: IMAP / SMTP Injection

'''Course Specifics'''

Bring your own laptop.

== Hacking Owasp Orizon Project v1.0 ==

'''Instructor'''

Paolo Perego

'''Duration'''

4h

'''Summary'''

In the course it will be presented Owasp Orizon v1.0 framework. The major APIs will be fully explained and it will be built a simple scanning tool using the Orizon framework.

The course goal is to let people fully understand Orizon internals and let people understand how to use the framework in a real world.

'''Audience'''

Security specialist, code reviewers and curious developers

'''Table of Contents'''

* Owasp Orizon Internals
** Translation engine
** Owasp Orizon XML project
*** XML used in writing security checks
*** XML used in translation phase
** Static analysis engine
** Crawling engine
** Reporting engine
* Create a simple tool using Orizon

'''Course Specifics'''

People have to bring their own laptop with latest Owasp Orizon version, J2SE 1.6 or later and a Java IDE (e.g. eclipse) is also feasible.

== Securing WebGoat with ModSecurity ==

'''Instructor'''

Stephen Craig Evans

'''Duration'''

4h

'''Summary'''

ModSecurity, normally a tool of the network security group, has capabilities that can allow a software security specialist with programming skills to mitigate business logic flaws and other vulnerabilities that are out-of-reach of basic blacklists.

This 4 hour course covers the highlights of the Summer of Code 2008 project, "Securing WebGoat using ModSecurity" (please see https://www.owasp.org/index.php/Category:OWASP_Securing_WebGoat_using_ModSecurity_Project and the project wiki).

'''Audience'''

* Users of ModSecurity that want to learn how it can be leveraged beyond the basic rule sets in order to mitigate vulnerabilities in areas such as authentication, AJAX, and output sanitization
* Web application specialists, especially pentesters, who want to learn how ModSecurity can offer an additional remedial solution to customers when the application cannot be touched
* Curious people that are wondering what the hell this project is about

'''Table of Contents'''

* ModSecurity basics
* WebGoat overview
* A walkthrough of the "Securing WebGoat using ModSecurity" Summer of Code 2008 project
* Mitigating WebGoat vulnerabilities using the ModSecurity core rule set
* Using ModSecurity's Lua scripting language:
** For its programming capabilities (including re-building the Lua library to include 3rd party functionality)
** To implement configuration files
** For global persistence
** And much, much, more...
* Using ModSecurity's Javascript injection (prepend and append):
** To substitute/override/extend existing Javascript functions
** To enhance the user experience when implementing a ModSecurity solution on the back end such as an authentication mechanism
* Using ModSecurity's session collection, Lua script, and Javascript injection together to mitigate almost any vulnerability

'''Course Specifics'''

Demos (including strategy and implementation) of the most interesting lesson solutions will be shown.

== How to Win AppSec Hacking Contests and Deploy Better Web Applications ==

'''Instructors'''

Lann Martin and Lebbeous Fogle-Weekley - ''winners of the CTF contest at OWASP AppSec NYC '08''

'''Duration'''

4 hours

'''Summary'''

This class will demonstrate how an attacker approaches potentially
vulnerable web applications, taking advantage of both poor server
configuration and poor application implementation to discover and exploit
vulnerabilities of several types.

'''Audience'''

Web application developers and penetration testers of intermediate
skill.

'''Table of Contents'''

''This table of contents is a work in progress''
* The trouble with verbose error messages
* The right way and the wrong way to escape input to prevent SQL injection
* The right way and the wrong way to encode output to prevent XSS
* More bad practices to avoid
* More good practices to maintain

'''Course Specifics'''

Bring your own laptop to participate in attacks on sample
web applications. Firefox is the preferred browser for exploiting web
applications. Automated scanning tools are out of scope for this class.

== Uncovering WebScarab's Secret Treasures ==

'''Instructor'''

Rogan Dawes

'''Duration'''

1 day.

'''Summary'''

OWASP WebScarab has a lot of hidden features that probably no one but the author really knows about. This in depth hands on session will show delegates how to access these features, and how to use them to their full potential.

'''Audience'''

Application reviewers, developers

'''Table of Contents'''

* Using the spider
* Manual Request Transforms
* What is the XSS/CRLF plugin, and how does it work?
* Using the Fuzzer
* Comparing Responses
* Searching WebScarab history
* Exploring the Beanshell
** Writing Proxy Intercept scripts
** Writing Script Manager Scripts
** Writing other scripts

'''Course Specifics'''

Bring your own laptop

== Leading the Development of Secure Applications ==

'''Instructor'''

Arshan Dabirsiaghi, Aspect Security

'''Duration'''

1 day.

'''Summary'''

In this one-day management session you'll get the answers to the ten key questions that most CIOs and development managers face when trying to improve security in the development process. The course provides proven techniques and valuable lessons learned that can be applied to projects at any phase of their applications's lifecycle.

== Building Secure Rich Internet Applications ==

'''Instructor'''

Arshan Dabirsiaghi, Aspect Security

'''Duration'''

1 day.

'''Summary'''

Rich Internet applications using technologies like Ajax, Flash, ActiveX, and Java Applets require special attention to secure. this one day training addresses the special issues that arise in this type of application development.

== Building Secure Web Services ==

'''Instructor'''

Dave Wichers, Aspect Security

'''Duration'''

2 day.

'''Summary'''

The movement towards Web Services and Service Oriented architecture (SOA) paradigms requires new security paradigms to deal with new risks posed by these architectures. this session takes a pragmatic approach towards identifying Web Services security risks and selecting and applying countermeasures to the application, code, web servers, databases, application, and identify servers and related software. Many enterprises are currently developing new Web Services and/or adding and acquiring Web Services functionality into existing applications -- now is the time to build security into the system.

== Ajax Security ==

'''Instructor'''

Brad Causey

'''Duration'''

1 day

'''Summary'''

This course will provide an introductory to AJAX, its inherent security issues, how to detect them, and how to resolve them.

'''Audience'''

Web Application Security Professionals

'''Table of Contents
'''
* Introduction to AJAX
* Security Issues with architecture
* Toolkits
* Toolkit Security Concerns
* Bridges and Issues
* Attacking AJAX
* Defending AJAX
* Securing the Code
* Best Practices
* Other Issues and Concerns
* Q and A

'''Course Specifics
'''

Please bring your own laptop with your choice of web proxy and browser installed if you wish to participate. Participation is optional.

OWASP EU Summit 2008 Training (Courses to be Approved)

2008-10-06T15:54:58Z

Lebbeous: Added 'Practical Penetration Testing: ...'

Upon detail completion and board approval courses will be moved towards the main agenda.

== Source Code Review==

'''Instructor'''

Eoin Keary and Daniel Cuthbert (TBC)

'''Duration'''

0.5 day

'''Summary'''

An introduction to secure code review from an OWASP standpoint. Covering how to approach the review, tips and leading practice on how to get the best from a source code review. A look at the OWASP tools that support the code review guide.

'''Audience'''
Anyone that would like to learn more about secure code review.

'''Table of Contents'''

TBD
'''Course Specifics'''

TBD

== Advanced Phishing and Social Engineering Training==

'''Instructor'''

Joshua Perrymon

'''Duration'''

1 day

'''Summary'''

Please enter the text here.

'''Audience'''

Please enter the text here.

'''Table of Contents'''

This class is designed to illustrate hands-on methods used in the real world attacking the human layer. This includes a focus on spear-phishing using the newly introduced OWASP phishing framework (LUNKER). Attendees will identify target emails using a variety of methods, identify potential phish sites, create a spoofed email and send the attack all in a locally ran test environment in Vmware or LiveCD.

Upon completion of this course, attendees will have an in-depth understanding of the latest techniques used to perform these type of attacks. The class will also include additional social engineering attack methods such as impersonation, authority attacks, pre-text attacks, and much more. Advanced topics such as Email Payloads and 2nd Factor token MITM attacks will be covered as well.

1. Introduction to Social Engineering

2. Understanding the Human Aspect of Security

3. Review of aggressively vertical hacking methodology

4. Analysis of attack trending over the years (Up the OSI Model)

5. Review of public Social Engineering Attacks in the media

6. Hands on: Spear Phishing Demo using the Lunker Framework
a. Understanding the Social Engineering Scope of work
b. Setup Client Info
c. Gather Email addresses/targets
d. Identify potential phishing sites
e. Creation of spoofed emails
i. Custom footers
ii. Attack Scenarios
iii. Email header options

f. Test Environment: Review the spoofed email and phishing site

g. Send attack

h. Monitor: Discuss steps to take at this point once the users send in credentials.

i. Advanced Phishing Attacks: Recon, XSS/CSRF/Browser Exploit/Trojan payloads

j. MITM Attacks on 2-factor Authentication

k. Summary

'''Course Specifics'''

Please enter the text here. (i.e. bring your own laptop)

== OWASP ESAPI ==

'''Instructor'''

Jeff Williams, Aspect Security

'''Duration'''

1 day.

'''Summary'''

Please enter the text here.

'''Audience'''

Please enter the text here.

'''Table of Contents'''

Please enter the text here.

'''Course Specifics'''

Please enter the text here. (i.e. bring your own laptop)

== Web Services and SOA Security ==

'''Instructor'''

Dave Wichers, Aspect Security

'''Duration'''

2 days

'''Summary'''

Please enter the text here.

'''Audience'''

Please enter the text here.

'''Table of Contents'''

Please enter the text here.

'''Course Specifics'''

Please enter the text here. (i.e. bring your own laptop)

== Advanced Web Application Security Testing ==

'''Instructor'''

Michael Coates, Aspect Security

'''Duration'''

2 days

'''Summary'''

Please enter the text here.

'''Audience'''

Please enter the text here.

'''Table of Contents'''

Please enter the text here.

'''Course Specifics'''

Please enter the text here. (i.e. bring your own laptop)

== Uncovering WebScarab's Secret Treasures ==

'''Instructor'''

Rogan Dawes

'''Duration'''

1 day.

'''Summary'''

OWASP WebScarab has a lot of hidden features that probably no one but the author really knows about. This in depth hands on session will show delegates how to access these features, and how to use them to their full potential.

'''Audience'''

Application reviewers, developers

'''Table of Contents'''

* Using the spider
* Manual Request Transforms
* What is the XSS/CRLF plugin, and how does it work?
* Using the Fuzzer
* Comparing Responses
* Searching WebScarab history
* Exploring the Beanshell
** Writing Proxy Intercept scripts
** Writing Script Manager Scripts
** Writing other scripts

'''Course Specifics'''

Bring your own laptop

== Testing Guide Training ==

'''Instructor'''

Matteo Meucci, Giorgio Fedon.

'''Duration'''

4h.

'''Summary'''

Please enter the text here.

'''Audience'''

Software developers, security consultants, auditors.

'''Table of Contents'''

Please enter the text here.

'''Course Specifics'''

Bring your own laptop.

== AJAX Security ==

'''Instructor'''

Brad Causey

'''Duration'''

1 Day

'''Summary'''

Additional Details and summary to follow...

'''Audience'''

Web Application Security Professionals

'''Table of Contents'''

Details to come

'''Course Specifics'''

Please bring your own laptop with your choice of web proxy and browser installed if you wish to participate. Participation is optional.

== Practical Penetration Testing: Think Like an Attacker to Stop Attacks ==

'''Instructors'''

Lann Martin and Lebbeous Fogle-Weekley

'''Duration'''

4 hours

'''Summary'''

This class will demonstrate how an attacker approaches potentially
vulnerable web applications, taking advantage of both poor server
configuration and poor application implementation to discover and exploit
vulnerabilities of several types.

'''Audience'''

Web application developers and penetration testers of intermediate
skill.

'''Table of Contents'''

''This table of contents is a work in progress''
* The trouble with verbose error messages
* The right way and the wrong way to escape input to prevent SQL injection
* The right way and the wrong way to encode output to prevent XSS
* More bad practices to avoid
* More good practices to maintain

'''Course Specifics'''

Bring your own laptop to participate in attacks on sample
web applications. Firefox is the preferred browser for exploiting web
applications. Automated scanning tools are out of scope for this class.

== Course Name {template} ==

'''Instructor'''

Please enter the text here.

'''Duration'''

Please enter the text here.

'''Summary'''

Please enter the text here.

'''Audience'''

Please enter the text here.

'''Table of Contents'''

Please enter the text here.

'''Course Specifics'''

Please enter the text here. (i.e. bring your own laptop)